Re: Yahoo sent 5.5x as much spam as any other legit provider in April
On 5/11/2011 10:58 PM, Niamh Holding wrote:
> Hello Ted,
>
> Wednesday, May 11, 2011, 10:21:23 PM, you wrote:
>
> TM> Yes, your Honor. (eyeroll)
>
> Any intention to produce it in support of your claim?

You're welcome to my exclusion list if you want it, I'm not going to post it here but anyone who wants a copy can just ask. Do you want a copy?

Ted
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
On 05/11/2011 04:35 PM, Michael Scheidell wrote:
> if someone sends an email to 175 people, once they hit 'x' number in the first email attempt, we send '4xx too many emails'
> ie:
> ehlo *.yahoo.com
> mail from: some...@yahoo.com
> rcpt to: one
> 250 ok
> rcpt to: two
> 250 ok
> [skip to 100].
> rcpt to: onehundered
> 4xx too many

On 11.05.11 19:30, Joe Sniderman wrote:
> We do something similar, except that the maximum number of recipients per envelope we set at 1. The second and all subsequent get a 4yz error during RCPT. We perform this after greylisting, ie:

Are you aware that this violates RFC standard? You can not expect that when you violate it, others will behave at your needs. For example, I would immediately try other MX server when sending mail and not continue with DATA.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Save the whales. Collect the whole set.
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
Hello Ted,

Thursday, May 12, 2011, 7:36:01 AM, you wrote:

TM> You're welcome to my exclusion list if you want it, I'm not
TM> going to post it here but anyone who wants a copy can just ask.
TM> Do you want a copy?

Of your exclusion list no, but I am asking you to post the evidence backing up your unsubstantiated claim to the list.

--
Best regards,
Niamh    mailto:ni...@fullbore.co.uk
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
On 5/12/2011 12:08 AM, Niamh Holding wrote:
> Hello Ted,
>
> Thursday, May 12, 2011, 7:36:01 AM, you wrote:
>
> TM> You're welcome to my exclusion list if you want it, I'm not
> TM> going to post it here but anyone who wants a copy can just ask.
> TM> Do you want a copy?
>
> Of your exclusion list no, but I am asking you to post the evidence backing up your unsubstantiated claim to the list.

Others have reported Yahoo doesn't handle 4xx errors properly, you apparently missed their posts?

If you are a Yahoo programmer and wish to work with me to correct your servers then please e-mail me offline from your actual Yahoo corporate account, provide an office extension at Yahoo, a phone number, and I will call you to arrange to setup a test mailserver with greylist-milter and you can send test messages to it and we can log the results, and get your problem solved.

But if you are not then all I'm going to say is that anyone who understands e-mail can do the appropriate whois queries that will establish what I am in charge of in less than 30 seconds, and draw their own conclusions.

I have had problems with users not getting e-mail when Yahoo's IP addresses were not excluded from greylisting, I investigated and did not see retries from Yahoo's mailservers in the mail log file, I excluded Yahoo's IP ranges from greylisting, the users reported the problems went away.

I have not had to exclude other mailservers on the Internet for greylisting for this reason. I HAVE excluded some other services that use server pools because not excluding them delays mail (as their pool will try different servers until all servers have been tried then start over and the transmission succeeds) but no other services have simply failed to attempt to retry as Yahoo does.

Therefore I have had it proved to my satisfaction that Yahoo's mailservers do not retry when greylisted - which breaks greylisting. Maybe they retry if the 4xx is issued to them under other circumstances, but I don't care about that.

Obviously, anyone else running the same greylisting as I am would have had the same experience as there is no reason Yahoo would single me out from the thousands of other ISPs out there that use greylist-milter. So they would have to also exempt Yahoo from their own greylisting. I'm sure this is a big factor in their spam source ranking. Once I learned what I learned I moved on to other things and I did not save all of the evidence just to be able to trot it out on mailing lists years in the future. Perhaps since I had that problem Yahoo has changed. But I'm not going to risk having user trouble again by removing them from the exemption list. Fool me once, shame on you, fool me twice, shame on me. Ted
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
Hello Ted,

Thursday, May 12, 2011, 9:54:56 AM, you wrote:

TM> I investigated and did not see retries from
TM> Yahoo's mailservers in the mail log file

Funnily enough I do see retries-

2009-10-03 02:01:32.887 tcpserver: ok 24589 mail.redbus.holtain.net:217.146.107.39:25 n10.bullet.mail.mud.yahoo.com:209.191.125.208::48678
2009-10-03 02:01:32.892 jgreylist[24589]: 209.191.125.208: GREY first time
2009-10-03 02:03:25.201 tcpserver: ok 24631 mail.redbus.holtain.net:217.146.107.39:25 n10.bullet.mail.mud.yahoo.com:209.191.125.208::20564
2009-10-03 02:03:25.206 jgreylist[24631]: 209.191.125.208: GREY too soon

--
Best regards,
Niamh    mailto:ni...@fullbore.co.uk
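The check both sides of this exchange are doing by eye, as an added example that is not part of the original thread: it joins each `jgreylist` decision to the `tcpserver` line with the same PID and reports, per client IP and per sending domain, whether a greylisted sender came back. The first four sample lines are the excerpt quoted above; the remaining log lines, the `.example` hostnames, the function names and the two-label domain grouping are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines 1-4: the excerpt quoted in the message above. Lines 5-10: constructed
# for illustration (documentation addresses, .example hostnames).
SAMPLE_LOG = """\
2009-10-03 02:01:32.887 tcpserver: ok 24589 mail.redbus.holtain.net:217.146.107.39:25 n10.bullet.mail.mud.yahoo.com:209.191.125.208::48678
2009-10-03 02:01:32.892 jgreylist[24589]: 209.191.125.208: GREY first time
2009-10-03 02:03:25.201 tcpserver: ok 24631 mail.redbus.holtain.net:217.146.107.39:25 n10.bullet.mail.mud.yahoo.com:209.191.125.208::20564
2009-10-03 02:03:25.206 jgreylist[24631]: 209.191.125.208: GREY too soon
2009-10-03 02:10:00.000 tcpserver: ok 24700 mail.redbus.holtain.net:217.146.107.39:25 out1.pool.example:192.0.2.10::40001
2009-10-03 02:10:00.005 jgreylist[24700]: 192.0.2.10: GREY first time
2009-10-03 02:15:00.000 tcpserver: ok 24710 mail.redbus.holtain.net:217.146.107.39:25 out2.pool.example:192.0.2.11::40002
2009-10-03 02:15:00.005 jgreylist[24710]: 192.0.2.11: GREY first time
2009-10-03 02:20:00.000 tcpserver: ok 24720 mail.redbus.holtain.net:217.146.107.39:25 mta.noretry.example:198.51.100.7::40003
2009-10-03 02:20:00.005 jgreylist[24720]: 198.51.100.7: GREY first time
"""

TCP_RE = re.compile(r"tcpserver: ok (\d+) \S+ ([^:\s]*):([\d.]+)::\d+")
GREY_RE = re.compile(r"^(\S+ \S+) jgreylist\[(\d+)\]: ([\d.]+): GREY (.+)$")

def parse(log_text):
    """One dict per greylist decision, joined to the tcpserver rDNS name by PID."""
    host_by_pid, events = {}, []
    for line in log_text.splitlines():
        if m := TCP_RE.search(line):
            host_by_pid[m.group(1)] = m.group(2)
        elif m := GREY_RE.match(line):
            ts, pid, ip, reason = m.groups()
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
            events.append({"time": when, "ip": ip, "reason": reason,
                           "host": host_by_pid.get(pid, "")})
    return events

def retries_by_ip(events):
    """Seconds from first attempt to first retry per IP; None = never came back."""
    seen = defaultdict(list)
    for e in events:
        seen[e["ip"]].append(e["time"])
    return {ip: round((t[1] - t[0]).total_seconds()) if len(t) > 1 else None
            for ip, t in seen.items()}

def sender_domain(host):
    # Naive grouping (assumption): last two rDNS labels, no public-suffix handling.
    return ".".join(host.split(".")[-2:]) if host else "(no rDNS)"

def classify(events):
    """Per domain: 'retried', 'pool-rotated' (only other IPs came back) or 'no-retry'."""
    per_ip = retries_by_ip(events)
    ips = defaultdict(set)
    for e in events:
        ips[sender_domain(e["host"])].add(e["ip"])
    verdict = {}
    for dom, addrs in ips.items():
        if any(per_ip[a] is not None for a in addrs):
            verdict[dom] = "retried"
        else:
            verdict[dom] = "pool-rotated" if len(addrs) > 1 else "no-retry"
    return verdict

if __name__ == "__main__":
    print(retries_by_ip(parse(SAMPLE_LOG)))
    print(classify(parse(SAMPLE_LOG)))
```

A `pool-rotated` verdict is a heuristic: an IP-keyed greylist records each pool member as a new first attempt, so the log alone cannot distinguish a rotated retry from a second message.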
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
Hello Matus,

Thursday, May 12, 2011, 12:11:10 PM, you wrote:

MUf> Actually, Michael Scheidell reported that yahoo misbehaves when receiving
MUf> 4xx response after RCPT TO:

Very different from the original blanket claim that Yahoo's SMTP mailers are unable to handle a standard SMTP error 4xx, if they get one they abort the transmission and return the message to the sender

--
Best regards,
Niamh    mailto:ni...@fullbore.co.uk
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
Hello dar...@chaosreigns.com,

On 2011-05-11 16:01:38, you hacked out the following:
> http://www.chaosreigns.com/dnswl/dnswlabusehistory.svg
>
> Percentage of total spam from legitimate email providers in April as reported as abuse to dnswl.org:
>
> 35.5% yahoo.com

Configuration option in /etc/courier/bofh would be:

    badfrom @yahoo.com

and the problem is regulated on SMTP level without involving SA.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux
itsystems@tdnet France EURL itsystems@tdnet UG (limited liability)
Owner Michelle Konzack Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +49-176-86004575 office
http://www.itsystems.tamay-dogan.net/ http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/ http://www.can4linux.org/
Jabber linux4miche...@jabber.ccc.de
ICQ #328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
Hello Matus UHLAR - fantomas,

On 2011-05-12 09:06:10, you hacked out the following:
> On 11.05.11 19:30, Joe Sniderman wrote:
> > We do something similar, except that the maximum number of recipients per envelope we set at 1. The second and all subsequent get a 4yz error during RCPT. We perform this after greylisting, ie:
>
> Are you aware that this violates RFC standard?

Which RFC? Limiting the recipients per envelope is legitimate.

> You can not expect that when you violate it, others will behave at your needs. For example, I would immediately try other MX server when sending mail and not continue with DATA.

I get per day around 26.000.000 spams on my courier-proxys and if I do not limit the number recipients per envelope I would receive per second 300 spams.

Note: 80% of the spams are rejected on SMTP Level without invoking SA.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
On Thu, 12 May 2011 16:00:38 +0200 Michelle Konzack linux4miche...@tamay-dogan.net wrote:
> Which RFC? Limiting the recipients per envelope is legitimate.

Limiting it to 1 is pushing it. RFC 5321 says:

    The minimum total number of recipients that MUST be buffered is 100 recipients. Rejection of messages (for excessive recipients) with fewer than 100 RCPT commands is a violation of this specification.

Additionally, limiting it to 1 will have very undesirable side-effects. Mailman, for example, sends messages out in chunks of 30 recipients at a time by default. If all 30 recipients are on a server that only accepts one at a time and your mail server retries every 10 minutes, the last recipient will receive the message 5 hours after the first recipient. That's pretty unfriendly behaviour.

Regards,
David.
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
On 5/12/2011 4:49 AM, Niamh Holding wrote:
> Hello Matus,
>
> Thursday, May 12, 2011, 12:11:10 PM, you wrote:
>
> MUf> Actually, Michael Scheidell reported that yahoo misbehaves when receiving
> MUf> 4xx response after RCPT TO:
>
> Very different from the original blanket claim that Yahoo's SMTP mailers are unable to handle a standard SMTP error 4xx, if they get one they abort the transmission and return the message to the sender

And yet Google's server farm has no problem with greylist-milter.

I mentioned that this was with greylist-milter, you are merely shifting your claim now to essentially blaming greylist-milter for not issuing a standard SMTP error 4xx.

Yahoo is not the only mailserver that misbehaves with 4xx errors. As a result I have always vastly overbuilt my mailservers so that there is never a chance of them issuing a real 4xx error because they are actually too busy to accept mail. I certainly cannot trust any mailserver or mailserver farm on the Internet to handle a real 4xx error correctly, thanks to miscreants like Yahoo who apparently think it's OK to mishandle some 4xx errors and not others, and who have provided cover for the other boneheads to do the same thing.

Ted
Re: Yahoo sent 5.5x as much spam as any other legit provider in April
Hello Ted,

Thursday, May 12, 2011, 5:06:15 PM, you wrote:

TM> I mentioned that this was with greylist-milter, you are merely
TM> shifting your claim now to essentially blaming greylist-milter for
TM> not issuing a standard SMTP error 4xx.

No you didn't, and no I am not casting any aspersions on any other software at all... unless you can find a message from me blaming greylist-milter-

> Yahoo's SMTP mailers are unable to handle a standard SMTP error 4xx, if they get one they abort the transmission and return the message to the sender

No qualification at all in your original claim.

I have merely provided evidence that yahoo's servers do not always abort the transmission and return the message to the sender as you claimed

--
Best regards,
Niamh    mailto:ni...@fullbore.co.uk
Can I classify just a few messages from the same yahoo newsgroup?
I am using spamassassin on a email server running Scientific Linux. I download my email to my local machine which is running Fedora 14 Linux, using evolution. The spam detection is done on the server, on which I keep one file to collect messages I want to be recognized as spam and another to collect messages classified as spam which I want to be classified as non-spam. Once a day, the data in those files is used to update the spam detection algorithm.

My scheme has worked quite well. Almost all the spam is detected, and only seldom are legitimate messages classified as spam.

But recently I got email posted from a yahoo group which I subscribe to which contained spam. If I classify those messages as spam, will all the messages from that group also be classified as spam? How should I proceed to limit such spam without disrupting legitimate messages?

--
View this message in context: http://old.nabble.com/Can-I-classify-just-a-few-messages-from-the-same-yahoo-newsgroup--tp31606840p31606840.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Can I classify just a few messages from the same yahoo newsgroup?
On 05/12, leonardevens wrote:
> But recently I got email posted from a yahoo group which I subscribe to which contained spam. If I classify those messages as spam, will all the messages from that group also be classified as spam? How should I proceed to limit such spam without disrupting legitimate messages?

That should be fine. Assuming you're talking about training the Bayesian classifier.

You could also back up your Bayesian tokens in case you don't like the results so you can restore them later.

--
Democracy is the theory that the common people know what they want, and deserve to get it good and hard. - H. L. Mencken
http://www.ChaosReigns.com
Re: Can I classify just a few messages from the same yahoo newsgroup?
On Thu, 12 May 2011, leonardevens wrote:
> But recently I got email posted from a yahoo group which I subscribe to which contained spam. If I classify those messages as spam, will all the messages from that group also be classified as spam? How should I proceed to limit such spam without disrupting legitimate messages?

I have seen "this is spam" indicators in mail from Yahoo Groups before, but review of my local rules for that indicate it may be only sent to the group owner, and you're probably not the group owner.

Can you post a complete spam to someplace like pastebin (include all headers, please)? There may be some Yahoo! Groups SpamGuard stuff that could be scored.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Mine eyes have seen the horror of the voting of the horde;
They've looted the fromagerie where guv'ment cheese is stored;
If war's not won before the break they grow so quickly bored;
Their vote counts as much as yours. -- Tam
---
154 days since the first successful private orbital launch (SpaceX)
Re: Can I classify just a few messages from the same yahoo newsgroup?
On Thu, 12 May 2011, leonardevens wrote:
> But recently I got email posted from a yahoo group which I subscribe to which contained spam. If I classify those messages as spam, will all the messages from that group also be classified as spam? How should I proceed to limit such spam without disrupting legitimate messages?

Also train some ham messages from the same Yahoo Group. That will cause the stuff like Yahoo Groups headers to not be considered a spam sign by themselves.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
Re: Can I classify just a few messages from the same yahoo newsgroup?
On Thu, 12 May 2011 14:51:05 -0700 (PDT), leonardevens l...@math.northwestern.edu wrote:
> But recently I got email posted from a yahoo group which I subscribe to which contained spam. If I classify those messages as spam, will all the messages from that group also be classified as spam? How should I proceed to limit such spam without disrupting legitimate messages?

make more spam rules in local.cf and avoid manual training unless bayes is screwed up, if spamassassin does not do it correct it missing rules to know more about what spam is, and you know it ? :-)
Re: X-Spam-Status: Yes, score=18.4 - Still delivered.
Thanks for your responses.

Sorry, forgot temporarily, that SA only classifies spam and other mechanisms control what is done to it after that. Therefore the issue lies elsewhere as you rightly say.

It seems that if the sender is <> Exim always delivers it to the inbox, regardless of how it was classified. Apparently this is because mailservers sending notification of undeliverable mail, identify themselves in this way (for some reason which appears a bit daft to me) and therefore, everything from <> is automatically delivered to the inbox. Personally, I want it to be delivered in accordance with the spam classification and will attempt to modify the Exim config files to reflect this.

Regarding rejecting spam, we reject at SMTP, those who have no valid return-path or if the sending mailserver is in certain RBLs, otherwise we accept and deliver almost everything, either to the user's inbox or to their spam folder.

The exception to the above is if the SA score is exceptionally high (like TEN ABOVE the spam threshold set by the client), this can only be due to significant issues in the header of the email, then it won't be delivered but silently dropped. These emails, generally have 'forged_this' and 'forged_that', no RDNS, via dynamic IP, contain masked link to Russian mailserver pretending to be from Paypal, etc.

What possible use could the email in question (above) be to anyone? It didn't even have any displayed content and the headers are mainly forged. We have no intention of delivering that kind of thing and even if it did have a return path, we wouldn't return it as it would probably be forged too and that would probably make us spammers.

We used to deliver those too, until certain clients contacted us, saying not to deliver the obvious stuff. By not delivering that it offers them some degree of protection against phishing and also makes checking the spam folder for ham, easier.

So far no complaints, although would happily deliver even those emails for any user upon request. The BAYES databases are user trainable too, so we never get any issues. Users can control most aspects of the service, including disabling it.

Thanks again.

Peter

Karsten Bräckelmann-2 wrote:
> On Tue, 2011-05-10 at 23:26 -0700, snowweb wrote:
>> I'm getting many spams in the last few days, with spam scores far above my 4.0 threshold, which are still being delivered. Wondering if it's to do with the fact that they all seem to have no sender.
>
> Uhm, wait -- what else did you expect!?
>
> Sorry if I am mis-interpreting, but what does happen usually with mail exceeding your SA score threshold? If they are not delivered, are you rejecting them at SMTP stage, or is your mail processing chain first accepting the mail, and later *bouncing* identified spam back to the usually *forged* sender?
>
> To clarify: SA scores a mail. An estimation of how spammy it is. SA does NOT deliver or reject mail. Any action whatsoever is the duty of other tools in your mail processing chain. Whatever takes care of identified spam not being delivered is not SA, but another tool.
>
> Quarantining or proper SMTP rejecting spam would be possible with both, a sender address *and* a null sender. I can see how your tools refuse to *bounce* a mail with a null sender, but still silently doing it -- incorrectly! -- if the envelope from exists. Which appears to be the difference, why these samples do end up delivered regardless.
>
> Bouncing spam is a very bad thing to do. Back-scatter, and a disservice to other mail users. Please, do not do it!
>
>> Return-path: <>
>> Envelope-to: myu...@mydomain.co.uk
>> Delivery-date: Wed, 11 May 2011 10:25:05 +0800
>> Received: from mail by s1.snowweb.info with spam-scanned (Exim 4.67) id 1QJz6l-0005lL-EX for myu...@mydomain.co.uk; Wed, 11 May 2011 10:25:04 +0800
>> X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on s1.snowweb.info
>> X-Spam-Flag: YES
>> X-Spam-Level: **
> [...]
>
>> By the way, does anyone have the trim email button figured out? I pressed it
>
> Nope. No idea what you're talking about here anyway, but it's not SA.
>
>> and entered the address that I wanted obfuscate, but it didn't seem to obfuscate anything, so I changed my address in the message source manually to myu...@mydomain.co.uk.
>
> Next time, please use example.com and friends for the domain part.
>
> --
> char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}