Re: SPF_FAIL
On Thu, 2012-03-22 at 13:55 +, Martin Gregorie wrote:
> YMMV of course, but it worked for me: when I put up an SPF record
> backscatter, which had been a problem at the time, was dramatically
> reduced.
>
> Now I don't see any backscatter except for the occasional 'mailbox full'
> or 'out of office' message that arrives on a mailing list.

+1 (big time)
Re: SPF_FAIL
On 2012-03-22 15:05, David F. Skoll wrote:
> Hmm... OK.  I may have been hasty.  Assuming that the large providers
> like Google, Hotmail, and Yahoo reject SPF-failing mail during the SMTP
> transaction, I can see it making a measurable difference.

are you saying yahoo is using spf tests, but does not provide spf records itself on its own domain?

> I still stand by my opinions about the lack of competence of most
> Microsoft Exchange admins, though. :)

+1

let's have ipv6 now instead of hearing daily that ipv4 is running out for their customers and claims that they now have to take money per ipv4; there is no intervention to go to ipv6, it will only cost more money in lost income, isp-wise
Re: having trouble running spamassassin from command line to test rules.
On 23/03/2012 01:40, Michael Scheidell wrote:
> On 3/22/12 7:15 PM, Eliezer Croitoru wrote:
>> Hello there,
>> i wanted to try some rules but it seems like my spamassassin is ignoring
>> my score rules.
>> so i wanted to test it from command line using this tool
>> http://wiki.apache.org/spamassassin/DumpTextPlugin
>> but every time i'm running the command as described in the web site i'm
>> getting error:
>> [quote]
>> /usr/bin/spamassassin -L -t -c dumptext < spammail > /dev/null
>> config: no rules were found!  Do you need to run 'sa-update'? at
>> /usr/bin/spamassassin line 403.
>
> first, run sa-update.
> second, make sure you don't have two copies of spamassassin installed.
> third, since you are running amavisd-new, you should run as the amavisd user
> su - vscan -c 'spamassassin -L -t -c dumptext < spammail ' > /dev/null ?
> fourth, amavisd-new adds/subtracts points, so this won't really be a valid test.

first thanks Michael
i've found out what my problem was... the -c thing is changing the config file loaded.
i tried to scan it manually using:

spamassassin -D -t

Mar 23 02:03:13.623 [20357] dbg: config: fixed relative path: /var/lib/spamassassin/3.003001/custom_rules/local.cf
Mar 23 02:03:13.623 [20357] dbg: config: using "/var/lib/spamassassin/3.003001/custom_rules/local.cf" for included file
Mar 23 02:03:13.624 [20357] dbg: config: read file /var/lib/spamassassin/3.003001/custom_rules/local.cf
[...]
Content analysis details:   (7.9 points, 5.0 required)
[...]

my local.cf file is with these lines:

body LOCAL_DEMONSTRATION_RULE /p---s/
score LOCAL_DEMONSTRATION_RULE 10
describe LOCAL_DEMONSTRATION_RULE simple p---s lookup with high score.

i have another issue with amavisd-new that alters the scores.
but for this i will bother at the amavis list.

thanks
Eliezer

and the score is working and marking spam as spam but not as my configuration says.
is there any maximum spam score?

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer ngtech.co.il
Re: having trouble running spamassassin from command line to test rules.
On 3/22/12 7:15 PM, Eliezer Croitoru wrote:
> Hello there,
> i wanted to try some rules but it seems like my spamassassin is ignoring
> my score rules.
> so i wanted to test it from command line using this tool
> http://wiki.apache.org/spamassassin/DumpTextPlugin
> but every time i'm running the command as described in the web site i'm
> getting error:
> [quote]
> /usr/bin/spamassassin -L -t -c dumptext < spammail > /dev/null
> config: no rules were found!  Do you need to run 'sa-update'? at
> /usr/bin/spamassassin line 403.

first, run sa-update.
second, make sure you don't have two copies of spamassassin installed.
third, since you are running amavisd-new, you should run as the amavisd user
su - vscan -c 'spamassassin -L -t -c dumptext < spammail ' > /dev/null ?
fourth, amavisd-new adds/subtracts points, so this won't really be a valid test.

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator
__
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com/
__
having trouble running spamassassin from command line to test rules.
Hello there,
i wanted to try some rules but it seems like my spamassassin is ignoring my score rules.
so i wanted to test it from command line using this tool
http://wiki.apache.org/spamassassin/DumpTextPlugin
but every time i'm running the command as described in the web site i'm getting error:
[quote]
/usr/bin/spamassassin -L -t -c dumptext < spammail > /dev/null
config: no rules were found!  Do you need to run 'sa-update'? at /usr/bin/spamassassin line 403.
[\quote]

i'm using gentoo linux with amavisd-new and spamassassin.
while amavisd is scoring the mails with a lower score than the config file, i might be missing something.
i have used this tutorial to configure amavis and spamassassin:
http://www.gentoo.org/doc/en/mailfilter-guide.xml

thanks,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
elilezer ngtech.co.il
Re: SPF_FAIL
On 3/22/2012 4:19 AM, Martin Gregorie wrote:
> The only sensible use of SPF is to prevent backscatter. This seems to
> work well now that most domains are running SPF-aware MTAs.
>
> I don't use SPF for spam detection and can't see any benefit from doing
> so.
>
> Martin

What site competent enough to use SPF is still going to be bouncing enough mail for it to matter?

SPF (and other authentication methods) are very useful for whitelisting though, since it brings back the ability to whitelist based on sending domain or address without fear of spoofing. Similarly, it negates the need to manually track senders' IPs for whitelisting purposes.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: was: Allowing IMAP users to train spam/ham is:simplify training of misclassified emails
> Before anyone rushes ahead and puts any time or money into this. I
> think it's worth establishing whether it makes any significant
> difference.

It solves several real world problems that I'm aware of but I agree it's not going to hold up 3.4.0 or be a top priority for me.

regards,
KAM
Re: SPF_FAIL
On Thu, 22 Mar 2012 10:09:22 -0400
Michael Scheidell wrote:

> like ip/dns that is not 'round trip' consistent :-)
>
> host colo3.roaringpenguin.com
> colo3.roaringpenguin.com has address 70.38.112.54
>
> host 70.38.112.54
> 54.112.38.70.in-addr.arpa domain name pointer roaringpenguin.com

There's absolutely nothing wrong with that.  Round-trip consistency means this:

    A_lookup(PTR_lookup(70.38.112.54)) == 70.38.112.54

which is indeed the case.  There's *nothing* to say that

    PTR_lookup(A_lookup(some_hostname))

is necessarily some_hostname.

Regards,

David.
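An added worked example of the definition David gives above (this is not code from the thread, from MIMEDefang or from SpamAssassin): a forward-confirmed reverse DNS (FCrDNS) check that only requires `A_lookup(PTR_lookup(ip))` to contain `ip`, and a second function showing that `PTR_lookup(A_lookup(hostname))` need not give `hostname` back. The resolver is injected so the demo runs offline; the roaringpenguin.com entries mirror the `host` output quoted above, while the 192.0.2.x and 198.51.100.x records and the name `mail.example.net` are constructed documentation values. The `system_ptr`/`system_a` helpers use the standard `socket` module for real lookups and are an assumption about how one would wire this into a filter, not part of any project.

```python
# Added example: FCrDNS ("round trip") consistency check, offline against
# constructed records.  Not code from the thread or from SpamAssassin.
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed zone data.  The roaringpenguin.com lines reproduce the host(1)
# output quoted in the thread; everything else uses documentation addresses.
SAMPLE_PTR: Dict[str, List[str]] = {
    "70.38.112.54": ["roaringpenguin.com"],   # from the thread
    "192.0.2.10": ["mail.example.net"],       # constructed: forward disagrees
    "192.0.2.20": [],                         # constructed: no PTR at all
}
SAMPLE_A: Dict[str, List[str]] = {
    "roaringpenguin.com": ["70.38.112.54"],        # from the thread
    "colo3.roaringpenguin.com": ["70.38.112.54"],  # from the thread
    "mail.example.net": ["198.51.100.5"],          # constructed
}

Lookup = Callable[[str], List[str]]


def sample_ptr(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


def sample_a(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])


def fcrdns(ip: str, ptr_lookup: Lookup = sample_ptr,
           a_lookup: Lookup = sample_a) -> Tuple[str, List[str]]:
    """Classify ip as 'consistent', 'mismatch' or 'no_ptr'.

    'consistent' means at least one PTR name resolves back to ip, which is
    all that round-trip consistency requires.  The confirmed names are
    returned so a filter can use them (e.g. for rDNS-based rules).
    """
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(str(addr))
    if not names:
        return "no_ptr", []
    confirmed = [n for n in names
                 if any(ipaddress.ip_address(a) == addr for a in a_lookup(n))]
    if confirmed:
        return "consistent", confirmed
    return "mismatch", names


def ptr_of_forward(hostname: str, ptr_lookup: Lookup = sample_ptr,
                   a_lookup: Lookup = sample_a) -> List[str]:
    """PTR_lookup(A_lookup(hostname)): the direction that need NOT round-trip.

    For colo3.roaringpenguin.com this yields ['roaringpenguin.com'], and
    that is fine: the address still resolves back to a name that resolves
    to that address, so fcrdns() reports 'consistent'.
    """
    found: List[str] = []
    for a in a_lookup(hostname):
        for n in ptr_lookup(a):
            if n not in found:
                found.append(n)
    return found


# Real resolver backends for use outside the demo (assumed wiring; not
# exercised offline).  Pass them as ptr_lookup/a_lookup to fcrdns().
def system_ptr(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except OSError:
        return []


def system_a(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []


if __name__ == "__main__":
    for sample_ip in SAMPLE_PTR:
        status, names = fcrdns(sample_ip)
        print(f"{sample_ip:14} {status:10} {names}")
    print("PTR of A(colo3.roaringpenguin.com) =",
          ptr_of_forward("colo3.roaringpenguin.com"))
```

Run it as-is for the offline demo; `fcrdns("203.0.113.1", system_ptr, system_a)` would do a live check. The status is the only thing a filter should act on: a `mismatch` or `no_ptr` client is a candidate for scoring or for postscreen-style slow-down, while a `consistent` client's name still says nothing about whether its mail is spam.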
Re: was: Allowing IMAP users to train spam/ham is:simplify training of misclassified emails
On Thu, 22 Mar 2012 07:59:39 -0400
Kevin A. McGrail wrote:

> Yes and no.  What you have missed is that David F Skoll is a key
> author of MIMEDefang.  They also publish a great COTS solution for
> email filtering called CanIT.  So his plugin is part of the commercial
> product.

AFAIK his Bayes uses word-pair tokenization, and DSPAM supports various multi-word tokenizers, so they are somewhat more susceptible to header rewriting.

> However, his idea on tokens is an elegant idea.  To
> extract them, I planned on using SA's existing Bayesian framework and
> deliver them to a header.  What is done with the header from there is
> a spam/ham delivery issue but at best sa-learn could use it.  Lots of
> security and privacy issues to deal with but I am just in the idea
> phase.

Before anyone rushes ahead and puts any time or money into this, I think it's worth establishing whether it makes any significant difference.

AFAIK Bayes tokenizes after any encoding is removed, so unless Exchange does something extreme like converting to unicode or rich-text format etc, I doubt it makes any difference at all to the body.

I don't know how Exchange mangles headers, but I'm sceptical it has much effect - if any. You'd really need to look at the details. Extra headers added after processing shouldn't be a problem, and it's easy enough to strip them if you're paranoid.
Re: SPF_FAIL
On 3/22/12 10:05 AM, David F. Skoll wrote:
> On Thu, 22 Mar 2012 13:55:50 +
> Martin Gregorie wrote:
>
>>> Disagreed.  I don't believe SPF has cut backscatter down by
>>> more than a few percentage points.
>
>> YMMV of course, but it worked for me: when I put up an SPF record
>> backscatter, which had been a problem at the time, was dramatically
>> reduced.
>
> Hmm... OK.  I may have been hasty.  Assuming that the large providers
> like Google, Hotmail, and Yahoo reject SPF-failing mail during the SMTP
> transaction, I can see it making a measurable difference.
>
> I still stand by my opinions about the lack of competence of most
> Microsoft Exchange admins, though. :)

like ip/dns that is not 'round trip' consistent :-)

host colo3.roaringpenguin.com
colo3.roaringpenguin.com has address 70.38.112.54

host 70.38.112.54
54.112.38.70.in-addr.arpa domain name pointer roaringpenguin.com

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
Re: SPF_FAIL
On Thu, 22 Mar 2012 13:55:50 +
Martin Gregorie wrote:

> > Disagreed.  I don't believe SPF has cut backscatter down by
> > more than a few percentage points.

> YMMV of course, but it worked for me: when I put up an SPF record
> backscatter, which had been a problem at the time, was dramatically
> reduced.

Hmm... OK.  I may have been hasty.  Assuming that the large providers like Google, Hotmail, and Yahoo reject SPF-failing mail during the SMTP transaction, I can see it making a measurable difference.

I still stand by my opinions about the lack of competence of most Microsoft Exchange admins, though. :)

Regards,

David.
Re: SPF_FAIL
On Thu, 2012-03-22 at 07:45 -0400, David F. Skoll wrote:
> Disagreed.  I don't believe SPF has cut backscatter down by
> more than a few percentage points.
>
YMMV of course, but it worked for me: when I put up an SPF record backscatter, which had been a problem at the time, was dramatically reduced.

Now I don't see any backscatter except for the occasional 'mailbox full' or 'out of office' message that arrives on a mailing list. I deduce that greylisting, which my ISP uses, is quite effective at dealing with backscatter too.

Martin
Re: A flood of new domains ?
Axb wrote:

> On 03/22/2012 10:19 AM, Per Jessen wrote:
>> Robert Schetterer wrote:
>>
>>> On 22.03.2012 08:23, Per Jessen wrote:
>>>> Robert Schetterer wrote:
>>>>
>>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>>
>>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>>
>>>>>> Typically accompanied by messages/subject lines such as:
>>>>>>
>>>>>> You should check your status update and see if it changed
>>>>>> This method of language learning is super easy.
>>>>>> Please confirm that this update is accurate.
>>>>>> Teach yourself a new foreign language in 10 days
>>>>>>
>>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>>
>>>>> Hi Per, nothing special like that, was noticed here
>>>>
>>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>>> added a rule to catch some of them, but yesterday I still got another
>>>> 15 brand-new such domains.
>>>
>>> sorry i don't follow new spam domains, until there is no significant
>>> rise, but i grepped your domains yesterday on a few servers with no
>>> result
>>
>> I don't normally follow them either, but these are coming through to one
>> of my personal addresses.  It's also the rate of change that is
>> interesting - I very rarely see two emails with the same link.
>
> Aren't the URIs being detected by SBL/DBL/SURBL/URIBL ?

Some are, but most are not.  The new ones I get to see were not.

-- 
Per Jessen, Zürich (14.6°C)
Re: Conflicting information about bayes database contents in lint debug output
On Wed, 21 Mar 2012 12:02:24 -0400
Kevin A. McGrail wrote:

> On 3/21/2012 11:42 AM, Adrian Gruntkowski wrote:
> > Hello,
> >
> > I'm having problems with bayes database. When I issue "spamassassin
> > --lint -D", I see a following phrase: "bayes: not available for
> > scanning, only 0 spam(s) in bayes DB < 200".
> >
> > However, a bit further I see this: "corpus size: nspam = 59870,
> > nham = 185841". What can be the cause of such behavior? Here's a
> > paste of the full output: http://pastebin.com/0sVTs4Rt
> >
> > sa-learn does learn new messages but scanning result is always at
> > BAYES_00 level.

> This has me thinking this is saying you last expired your bayes
> database in February of 2010 and October 2010 is your newest bayes
> entry

At the top it reports that there's zero spam in the database and then it says that it's syncing the journal. But further down it's reporting 59870/185841 spam/ham in the database, and it's still saying that the journal hasn't been synched for years.

> I have a feeling when you run the expire, your DB will be quite empty
> and I'm *guessing* it won't use entries that old.

Actually expiry has the opposite problem: you have to have the greater of 100K or 0.75*bayes_expiry_max_db_size tokens newer than 256 days or the estimation phase gives up.

I don't know what's causing the problem, but what I'd try is using sa-learn --backup to back up the database to a text file, then move the database files somewhere safe and run sa-learn --restore to recreate the database.
Re: was: Allowing IMAP users to train spam/ham is:simplify training of misclassified emails
Yes and no.  What you have missed is that David F Skoll is a key author of MIMEDefang.  They also publish a great COTS solution for email filtering called CanIT.  So his plugin is part of the commercial product.

However, his idea on tokens is an elegant idea.  To extract them, I planned on using SA's existing Bayesian framework and deliver them to a header.  What is done with the header from there is a spam/ham delivery issue but at best sa-learn could use it.  Lots of security and privacy issues to deal with but I am just in the idea phase.

Regards,
KAM

Per-Erik Persson wrote:
> Since we are on the subject of adding "magic links" to email header to
> make it easier for nontech staff to report spam.
> I don't understand how to extract the tokenized data needed to represent
> the specific email.
> Have I missed some plugin that everyone else knows about?
> The rest of the problem seems trivial if you already have an
> infrastructure deployed with SSO and a decent web interface.
> The setup with postfix facing the world, spamassassin sanitizing it and
> exchange storing it is something that I see quite often nowadays.
Re: SPF_FAIL
"David F. Skoll" wrote: >On Thu, 22 Mar 2012 11:19:04 + >Martin Gregorie wrote: > >> The only sensible use of SPF is to prevent backscatter. > >Agreed. For the record, I am not promoting spf_none. I am simply answering questions and letting the admin make the choice. >There is such an incredibly deep well of ignorance and stupidity among >Microsoft administrators and software designers that it will take >many years of hard work to improve things, if it can even be done at >all. I will comment that this is also a pervasive security model issue. Microsoft and others argue that knowing the emails that work/don't is a security concern. I agree but believe backscatter is the bigger evil. I think Microsoft is in a damned if they do / don't. They have been beaten up for a lack of security and now people don't want it.
Re: SPF_FAIL
Martin Gregorie wrote:
> On Thu, 2012-03-22 at 10:26 +0100, Matus UHLAR - fantomas wrote:
>>>> The Domain in the From in the envelope, ameriton.com, doesn't publish an
>>>> SPF Record:
>>
>> On 21.03.12 23:00, Piotr Kloc wrote:
>>> I know that and I wanted to add some more score when there is no SPF record
>>> its possible to do this with Spamassassin ?
>>
> The only sensible use of SPF is to prevent backscatter. This seems to
> work well now that most domains are running SPF-aware MTAs.
>

what do you mean with backscatter here?

SPF usually is not part of the MTA but comes from some kind of milter/filter add-on

> I don't use SPF for spam detection and can't see any benefit from doing
> so.

ok but you can check if the sender is legitimate (obviously this is no criterion about spam yes|no)

maybe you should look at SID, then together with it SPF makes much more sense

of course I agree that the ~ statement in the SPF record is as good as none, so no point at all, but it is up to you to configure your server as you wish, to accept a not useful statement or interpret it as fail

IMO, who configures SPF with ~all is showing the bird to all ... so I take "the bird action" also on my servers

if all would do so, SPF would be taken much more seriously by the ~admins and life could be a little better :)

Hans

-- 
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br
Re: SPF_FAIL
On Thu, 22 Mar 2012 11:19:04 +
Martin Gregorie wrote:

> The only sensible use of SPF is to prevent backscatter.

Agreed.

> This seems to work well now that most domains are running SPF-aware
> MTAs.

Disagreed.  I don't believe SPF has cut backscatter down by more than a few percentage points.  The vast majority of Exchange installations don't even reject invalid RCPT commands (http://david.skoll.ca/blog/2010-12-29-microsoft-dumbness.html).  In fact, I believe this is true even of Microsoft's Hosted Exchange offering.

There is such an incredibly deep well of ignorance and stupidity among Microsoft administrators and software designers that it will take many years of hard work to improve things, if it can even be done at all.

Regards,

David.
Re: SPF_FAIL
I committed score 0.  I posted score 1 for the example requested.

Regards,
KAM

Michael Scheidell wrote:
>> I'm going to add this to the default rules with a score 0 so you can
>> then just give it a score you want.
>>
>> header   SPF_NONE  eval:check_for_spf_none()
>> describe SPF_NONE  SPF sender does not publish an SPF Record
>> score    SPF_NONE  1
>>
> score of zero? or 1?
Re: SPF_FAIL
On Thu, 2012-03-22 at 10:26 +0100, Matus UHLAR - fantomas wrote:
> >> The Domain in the From in the envelope, ameriton.com, doesn't publish an
> >> SPF Record:
>
> > On 21.03.12 23:00, Piotr Kloc wrote:
> >I know that and I wanted to add some more score when there is no SPF record
> >its possible to do this with Spamassassin ?
>
The only sensible use of SPF is to prevent backscatter. This seems to work well now that most domains are running SPF-aware MTAs.

I don't use SPF for spam detection and can't see any benefit from doing so.

Martin
Re: was: Allowing IMAP users to train spam/ham is:simplify training of misclassified emails
On Thu, 22 Mar 2012 07:51:07 +0100
Per-Erik Persson wrote:

> Since we are on the subject of adding "magic links" to email header to
> make it easier for nontech staff to report spam.
> I don't understand how to extract the tokenized data needed to
> represent the specific email.

We have an entire infrastructure built to support this.  It is proprietary, however, and is not easily implemented as a SpamAssassin plugin, though the basic idea probably could be.

Regards,

David.
Re: A flood of new domains ?
On 22.03.2012 10:40, Robert Schetterer wrote:
> On 22.03.2012 10:33, Axb wrote:
>> On 03/22/2012 10:19 AM, Per Jessen wrote:
>>> Robert Schetterer wrote:
>>>
>>>> On 22.03.2012 08:23, Per Jessen wrote:
>>>>> Robert Schetterer wrote:
>>>>>
>>>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>>>
>>>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>>>
>>>>>>> Typically accompanied by messages/subject lines such as:
>>>>>>>
>>>>>>> You should check your status update and see if it changed
>>>>>>> This method of language learning is super easy.
>>>>>>> Please confirm that this update is accurate.
>>>>>>> Teach yourself a new foreign language in 10 days
>>>>>>>
>>>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>>>
>>>>>> Hi Per, nothing special like that, was noticed here
>>>>>
>>>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>>>> added a rule to catch some of them, but yesterday I still got another
>>>>> 15 brand-new such domains.
>>>>
>>>> sorry i don't follow new spam domains, until there is no significant
>>>> rise, but i grepped your domains yesterday on a few servers with no
>>>> result
>>>
>>> I don't normally follow them either, but these are coming through to one
>>> of my personal addresses.  It's also the rate of change that is
>>> interesting - I very rarely see two emails with the same link.
>>
>> Aren't the URIs being detected by SBL/DBL/SURBL/URIBL ?
>>
>
> domain name related rbls/lists are mostly not making very much sense
> also tagging by "new domains" isn't very helpful
>
> that all may lead to too many false positives
>
> but policies like that must be decided by the postmaster
> related to his local needs

not tested, but this looks like a good choice for tagging registrars

http://anonwhois.org/usage.html

in Per's domains Moniker was the matching one

http://anonwhois.org/99_anonwhois.cf

...
urirhssub   ANONWHOIS_11  list.anonwhois.net.  A  127.0.0.11
body        ANONWHOIS_11  eval:check_uridnsbl('ANONWHOIS_11')
describe    ANONWHOIS_11  Domain protected by Moniker Privacy Protection
tflags      ANONWHOIS_11  net
score       ANONWHOIS_11  0.001
...

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: A flood of new domains ?
On 22.03.2012 10:33, Axb wrote:
> On 03/22/2012 10:19 AM, Per Jessen wrote:
>> Robert Schetterer wrote:
>>
>>> On 22.03.2012 08:23, Per Jessen wrote:
>>>> Robert Schetterer wrote:
>>>>
>>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>>
>>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>>
>>>>>> Typically accompanied by messages/subject lines such as:
>>>>>>
>>>>>> You should check your status update and see if it changed
>>>>>> This method of language learning is super easy.
>>>>>> Please confirm that this update is accurate.
>>>>>> Teach yourself a new foreign language in 10 days
>>>>>>
>>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>>
>>>>> Hi Per, nothing special like that, was noticed here
>>>>
>>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>>> added a rule to catch some of them, but yesterday I still got another
>>>> 15 brand-new such domains.
>>>
>>> sorry i don't follow new spam domains, until there is no significant
>>> rise, but i grepped your domains yesterday on a few servers with no
>>> result
>>
>> I don't normally follow them either, but these are coming through to one
>> of my personal addresses.  It's also the rate of change that is
>> interesting - I very rarely see two emails with the same link.
>
> Aren't the URIs being detected by SBL/DBL/SURBL/URIBL ?
>

domain name related rbls/lists are mostly not making very much sense
also tagging by "new domains" isn't very helpful

that all may lead to too many false positives

but policies like that must be decided by the postmaster
related to his local needs

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: A flood of new domains ?
On 22.03.2012 10:30, xTrade Assessory wrote:
> Robert Schetterer wrote:
>> one more indication of a bright planned campaign
>> what are they trying to push...?
>
>
> I guess that is easy and simple ... the more the merrier
>
> they are smart but we got smarter too and now it is getting harder and
> harder for "them" so they switch identification as fast as possible in
> order to still get to the endpoint
>
>
> Hans
>

for small tests it seems they all use the same registrar

Registrar: MONIKER

however, no idea what to do with this info; i guess they would identify themselves not as spammer, more as urgent product news mail pusher *g

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: A flood of new domains ?
On 03/22/2012 10:19 AM, Per Jessen wrote:
> Robert Schetterer wrote:
>
>> On 22.03.2012 08:23, Per Jessen wrote:
>>> Robert Schetterer wrote:
>>>
>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>
>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>
>>>>> Typically accompanied by messages/subject lines such as:
>>>>>
>>>>> You should check your status update and see if it changed
>>>>> This method of language learning is super easy.
>>>>> Please confirm that this update is accurate.
>>>>> Teach yourself a new foreign language in 10 days
>>>>>
>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>
>>>> Hi Per, nothing special like that, was noticed here
>>>
>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>> added a rule to catch some of them, but yesterday I still got another
>>> 15 brand-new such domains.
>>
>> sorry i don't follow new spam domains, until there is no significant
>> rise, but i grepped your domains yesterday on a few servers with no
>> result
>
> I don't normally follow them either, but these are coming through to one
> of my personal addresses.  It's also the rate of change that is
> interesting - I very rarely see two emails with the same link.

Aren't the URIs being detected by SBL/DBL/SURBL/URIBL ?
Re: A flood of new domains ?
Robert Schetterer wrote:
> one more indication of a bright planned campaign
> what are they trying to push...?

I guess that is easy and simple ... the more the merrier

they are smart but we got smarter too and now it is getting harder and harder for "them" so they switch identification as fast as possible in order to still get to the endpoint

Hans

-- 
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br
Re: SPF_FAIL
> The Domain in the From in the envelope, ameriton.com, doesn't publish an
> SPF Record:

On 21.03.12 23:00, Piotr Kloc wrote:
> I know that and I wanted to add some more score when there is no SPF record
> its possible to do this with Spamassassin ?

the SPF can only give results (as FAIL, PASS, SOFT*) if SPF records are set. If they are not set, no SPF test will apply.

I have no idea how to apply a rule for "no SPF records on domain", and I advise you not to make any direct rule related to that. Maybe some metas, but I doubt they will help you much.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
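An added example, not code from the thread or from SpamAssassin, that makes the three SPF points of this thread concrete: Matus's point that a domain without a `v=spf1` record gives no SPF result at all (the case KAM's `SPF_NONE` rule flags), Hans's point that a record ending in `~all` only ever yields softfail for an unauthorised sender, and the local choice of treating softfail as a rejection. The function classifies the published policy that an unauthorised client IP would receive; it deliberately does not evaluate `include:`, `a`, `mx` or `ip4:` against a specific IP, and it follows RFC 7208 for the `all` qualifiers, multiple records (permerror) and the `redirect=` modifier. The TXT data is passed in directly, so nothing touches DNS; the `example.*` names, the `broken.example` name and their records are constructed for the demo.

```python
# Added example: classify a domain's published SPF policy from its TXT
# records.  Not code from the thread or from SpamAssassin; no DNS is used.
from typing import Dict, List, Sequence

# Qualifier characters from RFC 7208 section 4.6.2 and the result they give.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample TXT data (all names are documentation / made-up names).
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "example.net": ["v=spf1 include:_spf.example.com ~all"],
    "example.org": ["site-verification=constructed-token"],  # no SPF record
    "example.edu": ["v=spf1 mx ?all"],
    "broken.example": ["v=spf1 -all", "v=spf1 ~all"],        # two records
}


def spf_records(txt_records: Sequence[str]) -> List[str]:
    """The v=spf1 records among a name's TXT records (RFC 7208 section 4.5)."""
    return [r for r in txt_records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def policy_for_unauthorised(record: str) -> str:
    """Result for a client IP that matches none of the record's mechanisms.

    That is the qualifier of the "all" term.  A redirect= modifier hands
    the decision to another domain, but only if no "all" is present.  With
    neither, the result is neutral (RFC 7208 section 4.7).
    """
    terms = record.split()[1:]
    for term in terms:
        qualifier, mech = ("+", term)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
    for term in terms:
        if term.lower().startswith("redirect="):
            return "redirect:" + term[len("redirect="):]
    return "neutral"


def classify(txt_records: Sequence[str]) -> str:
    """'none' (no record), 'permerror' (several), else the all-policy."""
    records = spf_records(txt_records)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    return policy_for_unauthorised(records[0])


def smtp_action(policy: str, strict_softfail: bool = False) -> str:
    """What to do at SMTP time with an unauthorised sender under this policy.

    Only 'fail' is a rejection under RFC semantics.  Rejecting on 'softfail'
    as well is the local choice discussed in the thread.  'none', 'neutral',
    'permerror' and redirects are left to content scoring, which is where a
    rule such as SPF_NONE adds its points.
    """
    if policy == "fail" or (policy == "softfail" and strict_softfail):
        return "reject"
    return "accept-and-score"


if __name__ == "__main__":
    for domain, txt in SAMPLE_TXT.items():
        pol = classify(txt)
        print(f"{domain:16} {pol:10} default={smtp_action(pol):16} "
              f"strict={smtp_action(pol, strict_softfail=True)}")
```

With the sample data, `example.com` is the only domain whose unauthorised senders are rejected under RFC semantics; `example.net` joins it only in strict mode, and `example.org` never produces an SPF result, which is exactly why it cannot be caught by an `SPF_FAIL`-style rule and needs a separate "no record" check.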
Re: A flood of new domains ?
On 22.03.2012 10:19, Per Jessen wrote:
> Robert Schetterer wrote:
>
>> On 22.03.2012 08:23, Per Jessen wrote:
>>> Robert Schetterer wrote:
>>>
>>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>>
>>>>> http://files.jessen.ch/list-of-new-domains
>>>>>
>>>>> Typically accompanied by messages/subject lines such as:
>>>>>
>>>>> You should check your status update and see if it changed
>>>>> This method of language learning is super easy.
>>>>> Please confirm that this update is accurate.
>>>>> Teach yourself a new foreign language in 10 days
>>>>>
>>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>>
>>>> Hi Per, nothing special like that, was noticed here
>>>
>>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>>> added a rule to catch some of them, but yesterday I still got another
>>> 15 brand-new such domains.
>>
>> sorry i don't follow new spam domains, until there is no significant
>> rise, but i grepped your domains yesterday on a few servers with no
>> result
>
> I don't normally follow them either, but these are coming through to one
> of my personal addresses.

ok, i understand, so you can't miss them *g

> It's also the rate of change that is
> interesting - I very rarely see two emails with the same link.
>

one more indication of a bright planned campaign
what are they trying to push...?

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: A flood of new domains ?
Robert Schetterer wrote:

> On 22.03.2012 08:23, Per Jessen wrote:
>> Robert Schetterer wrote:
>>
>>> On 21.03.2012 09:09, Per Jessen wrote:
>>>> Has anyone else noticed this stream of new spamvertized domains :
>>>>
>>>> http://files.jessen.ch/list-of-new-domains
>>>>
>>>> Typically accompanied by messages/subject lines such as:
>>>>
>>>> You should check your status update and see if it changed
>>>> This method of language learning is super easy.
>>>> Please confirm that this update is accurate.
>>>> Teach yourself a new foreign language in 10 days
>>>>
>>>> Just being curious.  Yesterday I got another 10 different domains.
>>>
>>> Hi Per, nothing special like that, was noticed here
>>>
>>
>> Thanks Robert - amazing that nobody else seems to have noticed.  I've
>> added a rule to catch some of them, but yesterday I still got another
>> 15 brand-new such domains.
>
> sorry i don't follow new spam domains, until there is no significant
> rise, but i grepped your domains yesterday on a few servers with no
> result

I don't normally follow them either, but these are coming through to one of my personal addresses.  It's also the rate of change that is interesting - I very rarely see two emails with the same link.

-- 
Per Jessen, Zürich (8.7°C)
Re: A flood of new domains ?
On 22.03.2012 09:43, xTrade Assessory wrote:
> Robert Schetterer wrote:
>> spam often is very recipient related
>> i.e my beloved spambot army relocated from china/us now to india/brasil
>> during last year, looks like that's trendy
>
>
> regarding BR
>
> we get most from afrinic 41.0 and pakistan 182.177, and of course our
> own adsl blocks
>
> if you like to prevent brazil origin you could block any adsl source
> since these addresses are not supposed to run a valid MTA
>
> if you're interested you could block connections from all rDNS IPs faking
> to be an MTA and resolving to the domain names which follow, each at least
> several /16 if not /8 blocks
>
> .virtua.com.br
> .dsl.telesp.net.br
> .gvt.net.br
> .vivotorpedo.com.br
> .user.veloxzone.com.br
> .speedy.com.ar
> .fibertel.com.ar
> .adsl.terra.cl
> .prima.com.ar
>
>
> some small sub blocks may have been relocated to other services and are
> still not updated because of sloppy maintenance of the telco personnel
> but this problem is probably not relevant for europe
>
>
> Hans
>

i've done such for years, but i now have better mechs implemented before it, i.e postscreen (i don't like global rejects very much, i.e banning geo ip blocks and/or domains; after all, sometimes they are needed)

my newly implemented mech can't be used on every system; it's something similar to what fail2ban does (banning with firewall rules for some time), but fail2ban wasn't quick enough for my bot bombardments and i was tired of tons of logging, so i switched to something directly syslog related in combination with fail2ban and postscreen, so now the bot problem that stayed over the years went nearly null

i will have some blog of this in the near future, stay tuned

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: A flood of new domains ?
Robert Schetterer wrote:
> spam often is very recipient related
> i.e my beloved spambot army relocated from china/us now to india/brasil
> during last year, looks like that's trendy

regarding BR

we get most from afrinic 41.0 and pakistan 182.177, and of course our own adsl blocks

if you like to prevent brazil origin you could block any adsl source since these addresses are not supposed to run a valid MTA

if you're interested you could block connections from all rDNS IPs faking to be an MTA and resolving to the domain names which follow, each at least several /16 if not /8 blocks

.virtua.com.br
.dsl.telesp.net.br
.gvt.net.br
.vivotorpedo.com.br
.user.veloxzone.com.br
.speedy.com.ar
.fibertel.com.ar
.adsl.terra.cl
.prima.com.ar

some small sub blocks may have been relocated to other services and are still not updated because of sloppy maintenance of the telco personnel, but this problem is probably not relevant for europe

Hans

-- 
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br
Re: was: Allowing IMAP users to train spam/ham is:simplify training of misclassified emails
On 22.03.2012 09:15, xTrade Assessory wrote:
> Robert Schetterer wrote:
>> however, I have a ham/spam transport learn mail address;
>> nearly no users forward something to it, no wonder
>> the false positive rate is nearly null
>>
>> in fact, there are systems with webmail GUIs for classifying
>> spam, i.e. aol; reality shows users don't use it very wisely,
>> perhaps the click fields spam and delete are too near etc., or they are simply
>> dummies
>>
>> my conclusion: don't waste your time implementing complicated mechanisms
>> for ham/spam training, work on the tagging/rejecting side to reduce
>> the false positive rate
>
> Hi
>
> I can not agree more with that ... in the end, sooner or later, you
> discover having spent time on something with erroneous or no return at
> all ... not even talking about the support overhead these extra mboxes
> will create
>
> besides the obvious you already said, it is still highly questionable if a
> "user" is able to classify reliably.
>
> also, IMO, most SPAM hits obvious account names/combinations and most
> users are not affected by the problem, unless their addresses are
> standard_names@
>
> for years I have not cared so much any more and run a pretty standard
> spamassassin, but I query the maillog for delivery attempts to non-existing
> accounts. First I slow it down after 2 invalid destination addresses but
> also record the sender details and block them for three months from
> within the access file (I run sendmail everywhere)
>
> that works so smoothly for me, still with almost zero cpu overhead for
> spamd, and it is practical, easy and cheap; the result is, before I got
> on certain accounts 50 SPAMS per day, now 2 maybe 3, and those numbers
> are for mail servers with each of them having +50.000 accounts going through
>
> Hans

something like http://mailfud.org/postpals/ may be helpful too at some sites; I have heard amavis has some equal mechanism.

however, there is a lot a postmaster can do before trusting users' spam/ham classification (i.e. there is the spamassassin black- and whitelist feature), but if somebody does so, don't trust your users in total. User training should only ever be one tag among others, so i.e. it may raise bayes points etc. but should not lead to high tagging over the spam/ham border in one tagging step (this is for ISP-style mail systems; the policy might be different for dedicated company mail etc., but it's still complicated there too).

but as reality shows, i.e. at aol, their user abuse spam reporting program is totally broken: I never had a "true spam alarm" from their users for mails sent from my systems, and on the other side the aol mail systems themselves have a very high rate of trying to deliver spam to my servers.

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: was: Allowing IMAP users to train spam/ham is:simplify training of misclassified emails
On 03/22/2012 07:59 AM, Robert Schetterer wrote:
> On 22.03.2012 07:51, Per-Erik Persson wrote:
>> Since we are on the subject of adding "magic links" to email headers to
>> make it easier for nontech staff to report spam.
>> I don't understand how to extract the tokenized data needed to represent
>> the specific email.
>> Have I missed some plugin that everyone else knows about?
>>
>> The rest of the problem seems trivial if you already have an
>> infrastructure deployed with SSO and a decent web interface.
>>
>> The setup with postfix facing the world, spamassassin sanitizing it
>> and exchange storing it is something that I see quite often nowadays.
>>
> however, I have a ham/spam transport learn mail address;
> nearly no users forward something to it, no wonder
> the false positive rate is nearly null
>
> in fact, there are systems with webmail GUIs for classifying
> spam, i.e. aol; reality shows users don't use it very wisely,
> perhaps the click fields spam and delete are too near etc., or they are simply
> dummies
>
> my conclusion: don't waste your time implementing complicated mechanisms
> for ham/spam training, work on the tagging/rejecting side to reduce
> the false positive rate
>

You are right about how the average user works. (Oh, I am tired of the mailing list, let's classify it as spam since I don't know how to unsubscribe.)

However, a helpdesk and similar often get complaints about spam getting through, and it is virtually impossible to make most users cut and paste a header. But pasting a single field from the header and sending it to the right helpdesk queue or a web interface is probably just the right amount of work.

I have a personal toolbox to sieve out the phishing emails (and false positives) and would like to make a closed loop for feeding spamassassin without having access to the original emails.
Re: A flood of new domains ?
On 22.03.2012 08:23, Per Jessen wrote:
> Robert Schetterer wrote:
>
>> On 21.03.2012 09:09, Per Jessen wrote:
>>> Has anyone else noticed this stream of new spamvertized domains:
>>>
>>> http://files.jessen.ch/list-of-new-domains
>>>
>>> Typically accompanied by messages/subject lines such as:
>>>
>>> You should check your status update and see if it changed
>>> This method of language learning is super easy.
>>> Please confirm that this update is accurate.
>>> Teach yourself a new foreign language in 10 days
>>>
>>> Just being curious. Yesterday I got another 10 different domains.
>>>
>>
>> Hi Per, nothing special like that was noticed here
>>
>
> Thanks Robert - amazing that nobody else seems to have noticed. I've
> added a rule to catch some of them, but yesterday I still got another
> 15 brand-new such domains.

sorry, I don't follow new spam domains until there is a significant rise, but I grepped your domains yesterday on a few servers with no result.

spam is often very recipient related, i.e. my beloved spambot army relocated from china/us now to india/brazil during the last year, looks like that's trendy

> Perhaps of interest - all of these have valid DKIM signatures.

that's not so surprising, they already often have valid spf too; perhaps they want to make sure to pass the new dmarc mechanisms at google etc.

perhaps they are preparing for a bigger spam flood later and your servers are a test balloon target; that happened before, but speculation

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: was: Allowing IMAP users to train spam/ham is:simplify training of misclassified emails
Robert Schetterer wrote:
> however, I have a ham/spam transport learn mail address;
> nearly no users forward something to it, no wonder
> the false positive rate is nearly null
>
> in fact, there are systems with webmail GUIs for classifying
> spam, i.e. aol; reality shows users don't use it very wisely,
> perhaps the click fields spam and delete are too near etc., or they are simply
> dummies
>
> my conclusion: don't waste your time implementing complicated mechanisms
> for ham/spam training, work on the tagging/rejecting side to reduce
> the false positive rate
>

Hi

I can not agree more with that ... in the end, sooner or later, you discover having spent time on something with erroneous or no return at all ... not even talking about the support overhead these extra mboxes will create

besides the obvious you already said, it is still highly questionable if a "user" is able to classify reliably.

also, IMO, most SPAM hits obvious account names/combinations and most users are not affected by the problem, unless their addresses are standard_names@

for years I have not cared so much any more and run a pretty standard spamassassin, but I query the maillog for delivery attempts to non-existing accounts. First I slow it down after 2 invalid destination addresses but also record the sender details and block them for three months from within the access file (I run sendmail everywhere)

that works so smoothly for me, still with almost zero cpu overhead for spamd, and it is practical, easy and cheap; the result is, before I got on certain accounts 50 SPAMS per day, now 2 maybe 3, and those numbers are for mail servers with each of them having +50.000 accounts going through

Hans

-- 
XTrade Assessory
International Facilitator
BR - US - CA - DE - GB - RU - UK
+55 (11) 4249.
http://xtrade.matik.com.br
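As an added example (not code from the thread or from Hans), here is a Python sketch of the maillog-driven block he describes: count distinct "User unknown" recipients per connecting IP in sendmail-style reject lines, and for IPs that reach the threshold emit sendmail access-map `Connect:` entries together with an expiry date three months out, so a cron job can drop them again. The log lines, addresses and the `2012-03-22` reference date are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sendmail-style maillog lines (made up for this example, not real logs).
# 192.0.2.10 probes three non-existent mailboxes; 198.51.100.7 mistypes one address once.
SAMPLE_LOG = """\
Mar 22 10:01:02 mx1 sendmail[4711]: q2M9122x004711: ruleset=check_rcpt, arg1=<noone@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <noone@example.org>... User unknown
Mar 22 10:01:03 mx1 sendmail[4711]: q2M9122x004711: ruleset=check_rcpt, arg1=<sales@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <sales@example.org>... User unknown
Mar 22 10:01:04 mx1 sendmail[4711]: q2M9122x004711: ruleset=check_rcpt, arg1=<admin@example.org>, relay=[192.0.2.10], reject=550 5.1.1 <admin@example.org>... User unknown
Mar 22 10:05:17 mx1 sendmail[4720]: q2M9155x004720: ruleset=check_rcpt, arg1=<bbo@example.org>, relay=mail.example.net [198.51.100.7], reject=550 5.1.1 <bbo@example.org>... User unknown
Mar 22 10:06:00 mx1 sendmail[4725]: q2M9160x004725: from=<alice@example.net>, size=1234, class=0, nrcpts=1, relay=mail.example.net [198.51.100.7]
"""

# Pulls the relay IP and the rejected recipient out of a "User unknown" line.
UNKNOWN_RE = re.compile(
    r"relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?"
    r"reject=550 5\.1\.1 <(?P<rcpt>[^>]+)>\.\.\. User unknown"
)


def count_invalid_rcpts(lines):
    """Map each connecting IP to the set of distinct non-existent recipients it tried."""
    seen = defaultdict(set)
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt"))
    return dict(seen)


def access_entries(seen, threshold=2, today="2012-03-22", days=90):
    """Build sendmail access-map lines for IPs that hit the threshold.

    Returns (access line, ISO expiry date) pairs; the expiry is what lets a
    cron job remove the entry after roughly three months. Counting distinct
    recipients keeps a single retried typo below the threshold.
    """
    expiry = (date.fromisoformat(today) + timedelta(days=days)).isoformat()
    return [(f"Connect:{ip}\tREJECT", expiry)
            for ip, rcpts in sorted(seen.items()) if len(rcpts) >= threshold]


if __name__ == "__main__":
    for entry, until in access_entries(count_invalid_rcpts(SAMPLE_LOG.splitlines())):
        print(f"{entry}\t# expires {until}")
```

The emitted lines are in the format of the sendmail access database (`Connect:` tag, `REJECT` value); after appending them, the map still has to be rebuilt with makemap as usual.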
Re: A flood of new domains ?
Robert Schetterer wrote:
> On 21.03.2012 09:09, Per Jessen wrote:
>> Has anyone else noticed this stream of new spamvertized domains:
>>
>> http://files.jessen.ch/list-of-new-domains
>>
>> Typically accompanied by messages/subject lines such as:
>>
>> You should check your status update and see if it changed
>> This method of language learning is super easy.
>> Please confirm that this update is accurate.
>> Teach yourself a new foreign language in 10 days
>>
>> Just being curious. Yesterday I got another 10 different domains.
>>
>
> Hi Per, nothing special like that was noticed here
>

Thanks Robert - amazing that nobody else seems to have noticed. I've added a rule to catch some of them, but yesterday I still got another 15 brand-new such domains.

Perhaps of interest - all of these have valid DKIM signatures.

-- 
Per Jessen, Zürich (6.2°C)
Re: SPF_FAIL
I would be careful about giving points to a non-SPF-enabled site. My experience is that phishing attempts usually come from stolen legitimate accounts on sites with SPF enabled.
Re: was: Allowing IMAP users to train spam/ham is:simplify training of misclassified emails
On 22.03.2012 07:51, Per-Erik Persson wrote:
> Since we are on the subject of adding "magic links" to email headers to
> make it easier for nontech staff to report spam.
> I don't understand how to extract the tokenized data needed to represent
> the specific email.
> Have I missed some plugin that everyone else knows about?
>
> The rest of the problem seems trivial if you already have an
> infrastructure deployed with SSO and a decent web interface.
>
> The setup with postfix facing the world, spamassassin sanitizing it
> and exchange storing it is something that I see quite often nowadays.
>

however, I have a ham/spam transport learn mail address; nearly no users forward something to it, no wonder the false positive rate is nearly null

in fact, there are systems with webmail GUIs for classifying spam, i.e. aol; reality shows users don't use it very wisely, perhaps the click fields spam and delete are too near etc., or they are simply dummies

my conclusion: don't waste your time implementing complicated mechanisms for ham/spam training, work on the tagging/rejecting side to reduce the false positive rate

-- 
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria