Re: FPs on KAM_BODY_URIBL_PCCC
On 8/13/2014 12:24 AM, Kevin A. McGrail wrote:
> Both of those are recent, I believe and both have reasons to blacklist. Reporting here is fine. Joe will look at moving them to our marketing list but in the end you might have to consider a custom score because we consider places with convicted spammers as suitable for listing even if there is collateral damage. Especially if they are in the bulk mailing business.
>
> Regards, KAM
>
> David B Funk wrote:
>> We're seeing FPs on legitimate messages caused by KAM_BODY_URIBL_PCCC. It is firing on URLs from MSPs that (although they may have some questionable clients) have legitimate customers. EG: mandrillapp-dot-com and streamsend-dot-com
>>
>> I'm a bit surprised that this rule would have a one-shot-kill score of 5.0 (particularly in light of the FP potential).
>>
>> Who should I report this stuff to?

Both are moved to our marketing blacklist.

FYI, the samples we used as evidence to blacklist went to a feedback@ address and an address that we know never consented to receive that email.
Re: FPs on KAM_BODY_URIBL_PCCC
On August 13, 2014 4:46:31 AM David B Funk wrote:
> Who should I report this stuff to?

add to local.cf

uridnsbl_skip_domain example.com

where example.com is the fp domain, or report to the uribl owner this domain is not spam
Re: Opinions needed on what to consider spam
>> Bowie Bailey wrote:
>>> But you still have to consider point 1. If a user starts complaining
>>> that he's getting spam from Amazon, I'm not going to mess with SA, I'm
>>> going to tell him to click the unsubscribe link at the bottom of the
>>> email. (Assuming that it actually is from Amazon, of course)
>
>Alex wrote:
>> I don't really like the per-user control. The challenge is to build a
>> system that requires as little maintenance as possible - that's what
>> we're supposed to be doing, IMHO.

On 12.08.14 18:11, Kris Deugau wrote:
>So... What do you do, when user A gets extremely mad to see
>$legitimatenewsletter in their Inbox, and user B gets extremely mad to
>see $legitimatenewsletter in their Spam folder? If you only have a
>global policy with no way to adjust on a per-user basis, you're going to
>have someone mad at you either way.

call an unsubscribe-hook _and_ train as spam.
Should be viable for both solicited and unsolicited mail.

Or, does anyone think that unsubscribing spam is counter-productive still?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
Re: Opinions needed on what to consider spam
On 08/13/2014 04:14 PM, Matus UHLAR - fantomas wrote:
> >> Bowie Bailey wrote:
> >>> But you still have to consider point 1. If a user starts complaining
> >>> that he's getting spam from Amazon, I'm not going to mess with SA, I'm
> >>> going to tell him to click the unsubscribe link at the bottom of the
> >>> email. (Assuming that it actually is from Amazon, of course)
> >
> >Alex wrote:
> >> I don't really like the per-user control. The challenge is to build a
> >> system that requires as little maintenance as possible - that's what
> >> we're supposed to be doing, IMHO.
>
> On 12.08.14 18:11, Kris Deugau wrote:
> >So... What do you do, when user A gets extremely mad to see
> >$legitimatenewsletter in their Inbox, and user B gets extremely mad to
> >see $legitimatenewsletter in their Spam folder? If you only have a
> >global policy with no way to adjust on a per-user basis, you're going to
> >have someone mad at you either way.
>
> call an unsubscribe-hook _and_ train as spam.
> Should be viable for both solicited and unsolicited mail.
>
> Or, does anyone think that unsubscribing spam is counter-productive still?

imo, whatever you do, it can only get better :)

the spammer has your addr and will persist - confirming you exist by clicking on an unsub link won't change much of the end result.

the so called "legit" will set your addr flag as unsubbed - till next marketing drone bypasses that

and whatever happens, they all have "valid" hi-gloss excuses...
Re: Opinions needed on what to consider spam
On Wednesday 13 August 2014 at 16:14:06 (EU time), Matus UHLAR - fantomas wrote:

> >> Bowie Bailey wrote:
> >>> But you still have to consider point 1. If a user starts complaining
> >>> that he's getting spam from Amazon, I'm not going to mess with SA, I'm
> >>> going to tell him to click the unsubscribe link at the bottom of the
> >>> email. (Assuming that it actually is from Amazon, of course)
> >
> >Alex wrote:
> >> I don't really like the per-user control. The challenge is to build a
> >> system that requires as little maintenance as possible - that's what
> >> we're supposed to be doing, IMHO.
>
> On 12.08.14 18:11, Kris Deugau wrote:
> >So... What do you do, when user A gets extremely mad to see
> >$legitimatenewsletter in their Inbox, and user B gets extremely mad to
> >see $legitimatenewsletter in their Spam folder? If you only have a
> >global policy with no way to adjust on a per-user basis, you're going to
> >have someone mad at you either way.
>
> call an unsubscribe-hook _and_ train as spam.
> Should be viable for both solicited and unsolicited mail.
>
> Or, does anyone think that unsubscribing spam is counter-productive still?

Rejecting spam at the MTA can be good for this:

- spammers who get unsubscribe responses will use that to confirm the address and send more, therefore unsubscribing to them is a bad idea

- genuine newsletters (which the user might even have signed up to, and has either forgotten or just doesn't care) would respond correctly to the unsubscribe request, but will also often auto-unsubscribe addresses after a certain number of non-delivery bounces

Therefore users should be encouraged to unsubscribe from things they really did subscribe to, but otherwise MTA rejection of what looks like spam should reduce the quantity of both spam mass-mailings and genuine newsletters etc.

Antony.

--
"I estimate there's a world market for about five computers."
- Thomas J Watson, Chairman of IBM

Please reply to the list; please *don't* CC me.
Re: Opinions needed on what to consider spam
On Wed, 13 Aug 2014 16:43:29 +0200 Antony Stone wrote:

> - spammers who get unsubscribe responses will use that to confirm
> the address and send more, therefore unsubscribing to them is a bad
> idea

I wonder how often this happens. This implies that spammers actually care about the quality of their lists, which I don't think is true. It's so cheap to use a botnet to blast out spam that I bet most spammers keep using addresses forever and don't bother trying to validate them.

> Therefore users should be encouraged to unsubscribe from things they
> really did subscribe to, but otherwise MTA rejection of what looks
> like spam should reduce the quantity of both spam mass-mailings and
> genuine newsletters etc.

That's true, but a lot of users (I've done it myself) forget that they've subscribed to something, especially if it's really low-volume.

Regards,

David.
Re: Opinions needed on what to consider spam
On 08/13/2014 09:37 AM, Axb wrote:
> the so called "legit" will set your addr flag as unsubbed

I see a significant amount of "spam" to my users from truly legitimate sources. Where "truly legitimate" doesn't mean that they are legitimately the USDA or Merrill Lynch. These can be fire arms ads from small companies I've never heard of, going to people whom I could already have guessed belonged to gun clubs and probably missed unticking a checkbox somewhere during sign-up.

IMO, Bayes has enough attacks going on against it that we need to give it all the help it can get. And that means that when we tell it something is spam, that something really needs to be spam, by anyone's definition. When a message can't be unsubscribed from, the DNSBLs miss it, and the other rules miss it, I want a Bayes with maximum specificity.

I also up the bayes scores. I believe in Bayes. But "Garbage In, Garbage Out" is particularly appropriate for Bayes' inputs and outputs.
Re: Opinions needed on what to consider spam
On Wednesday 13 August 2014 at 16:51:28 (EU time), David F. Skoll wrote:

> On Wed, 13 Aug 2014 16:43:29 +0200
>
> Antony Stone wrote:
> > - spammers who get unsubscribe responses will use that to confirm
> > the address and send more, therefore unsubscribing to them is a bad
> > idea
>
> I wonder how often this happens. This implies that spammers actually care
> about the quality of their lists, which I don't think is true. It's so
> cheap to use a botnet to blast out spam that I bet most spammers keep using
> addresses forever and don't bother trying to validate them.

I think this goes back to the question "what is spam?"

If you're talking about email promoting Viagra, Fake watches, Lottery wins, or Russian brides, then I completely agree with you.

On the other hand, the mass-marketing newsletters which are selling dubious (but real) products and services are just as unwanted by the end users, but are probably trying to manage their own address lists at least slightly sensibly.

I'm undecided about the Paypal / Bank / Amazon credit card number hoovering schemes - although my gut feeling is they put more effort into the compromised websites than they do with the address lists, because if they get someone once, they've scored, they don't need to repeat to the same address.

For the Nigerian 419 spam, the last thing you want to do is reply to it :)

> > Therefore users should be encouraged to unsubscribe from things they
> > really did subscribe to, but otherwise MTA rejection of what looks
> > like spam should reduce the quantity of both spam mass-mailings and
> > genuine newsletters etc.
>
> That's true, but a lot of users (I've done it myself) forget that they've
> subscribed to something, especially if it's really low-volume.

Which is why we can't rely on them to unsubscribe, and need another way of stopping it coming in.

Antony.

--
"A person lives in the UK, but commutes to France daily for work. He belongs in the UK."
- From UK Revenue & Customs notice 741, page 13, paragraph 3.5.1 - http://tinyurl.com/o7gnm4

Please reply to the list; please *don't* CC me.
Re: Opinions needed on what to consider spam
On Wednesday 13 August 2014 at 16:14:06 (EU time), Matus UHLAR - fantomas wrote:
>> call an unsubscribe-hook _and_ train as spam.
>> Should be viable for both solicited and unsolicited mail.
>>
>> Or, does anyone think that unsubscribing spam is counter-productive still?

On 13.08.14 16:43, Antony Stone wrote:
> Rejecting spam at the MTA can be good for this:

I was talking about mail that already came to the mailbox and thus can't be rejected anymore.

> - spammers who get unsubscribe responses will use that to confirm the address and send more, therefore unsubscribing to them is a bad idea

It was afaik already proven that sending "unsubscribe" mail from new address (nobody knows about) caused spam going to the address. I was asking if you find this still to be true.

> Therefore users should be encouraged to unsubscribe from things they really did subscribe to, but otherwise MTA rejection of what looks like spam should reduce the quantity of both spam mass-mailings and genuine newsletters etc.

I agree, the unsubscribe button should be shown to user whenever an unsubscribe link is detected (at least the one in List-Unsubscribe: header)

Note that unsubscription confirmation request should not be tagged as spam, so the user can confirm it.

I see here possibilities for some list unsubscribe rules...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.
Re: Opinions needed on what to consider spam
On 08/13/2014 10:04 AM, Antony Stone wrote:
> Which is why we can't rely on them to unsubscribe, and need another way of stopping it coming in.

When they complain, why not tell them to unsubscribe?

Perhaps my view is clouded by the fact that I have 1 mail server and 100 users, and not 100 mail servers and 100,000 users. But I am a lone admin. And I tell people to unsubscribe from emails which look reasonably legit to them, and to mark the stuff that doesn't look legit as Junk (which trains SA via Dovecot-Antispam).
Re: Opinions needed on what to consider spam
On 08/13/2014 05:04 PM, Antony Stone wrote:
> For the Nigerian 419 spam, the last thing you want to do is reply to it :)

unsubscribe doesn't mean "reply"

where I sit, if you can't unsubscribe with ONE click, they get the hard block

> >That's true, but a lot of users (I've done it myself) forget that they've
> >subscribed to something, especially if it's really low-volume.
>
> Which is why we can't rely on them to unsubscribe, and need another way of stopping it coming in.

Most "bulkers" have nice dedicated X headers which you can use to tag/reject
PseudoHeaders
SA provides an EnvelopeFrom pseudo header for the SMTP mail from value. Does it also provide an EnvelopeTo pseudo header?
Re: Opinions needed on what to consider spam
On Wed, 13 Aug 2014 17:11:32 +0200 Axb wrote:

> On 08/13/2014 05:04 PM, Antony Stone wrote:
> > For the Nigerian 419 spam, the last thing you want to do is reply
> > to it :)

> unsubscribe doesn't mean "reply"

The point is that any unsubscribe mechanism must of necessity inform the list owner that your email address really does work.

I believe that unsubscribing is safe. If the list owner is legitimate, unsubscribing will work. If the list owner is a spammer, he/she already has your email address and I don't believe spammers track the validity of addresses anyway. (Safe doesn't mean effective, of course!)

The only case in which unsubscribing is dangerous is if you unsubscribe from a previously-unknown address. That'll get you added to spammers' lists.

Regards,

David.
Re: Opinions needed on what to consider spam
--As of August 13, 2014 11:25:26 AM -0400, David F. Skoll is alleged to have said:

> I believe that unsubscribing is safe. If the list owner is legitimate, unsubscribing will work. If the list owner is a spammer, he/she already has your email address and I don't believe spammers track the validity of addresses anyway. (Safe doesn't mean effective, of course!)
>
> The only case in which unsubscribing is dangerous is if you unsubscribe from a previously-unknown address. That'll get you added to spammers' lists.

--As for the rest, it is mine.

There is a third case I've seen on occasion, that hasn't been discussed: Unsubscribe via web. Many legitimate sites use it - to unsubscribe you click a link and go to a web site, which gives some option to unsubscribe. (Often from multiple lists, or something similar.)

But these are *not* safe if the mail isn't 'legitimate': I have also seen the link go to a site filled with malware; the unsubscribe link then is the real attack.

I'm still split on unsubscribe-via-email, but I don't consider it actively hazardous. Unsubscribe-via-web can be.

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
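Added example, not part of any poster's message and not SpamAssassin code: a Python function for the check Matus UHLAR proposes above (offer an unsubscribe option only when a List-Unsubscribe: header is present), combined with Daniel T. Staal's point that web unsubscribe links are the riskier kind. The policy (prefer mailto, accept only https web links, ignore links in the body, offer nothing for mail already classed as spam), the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample messages (not real traffic).
NEWSLETTER = (
    "From: News <news@shop.example>\n"
    "Subject: August offers\n"
    "List-Unsubscribe: <mailto:leave@lists.shop.example?subject=unsubscribe>,\n"
    " <https://lists.shop.example/u/abc123>\n"
    "\n"
    "To stop these mails visit http://shop.example/unsub\n"
)
BODY_LINK_ONLY = (
    "From: Deals <deals@bulk.example>\n"
    "Subject: You won\n"
    "\n"
    "Click http://bulk.example/remove?id=1 to unsubscribe\n"
)
HTTP_ONLY = (
    "From: Deals <deals@bulk.example>\n"
    "Subject: Offers\n"
    "List-Unsubscribe: <http://track.bulk.example/unsub?id=1>\n"
    "\n"
    "Body\n"
)


def unsubscribe_methods(raw_message):
    """Return [(kind, target), ...] parsed from the List-Unsubscribe header.

    kind is "mailto", "https", "http" or "other"; target is the mailbox for
    mailto links and the host name for web links. Links in the body are
    deliberately not looked at.
    """
    header = message_from_string(raw_message).get("List-Unsubscribe", "")
    # A folded header has line breaks between URIs; URIs contain no spaces.
    header = re.sub(r"\s+", "", str(header))
    methods = []
    # RFC 2369: only text inside <...> is a URI, the rest is comment.
    for uri in re.findall(r"<([^<>]+)>", header):
        try:
            parts = urlsplit(uri)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed URI, e.g. a broken IPv6 literal
            methods.append(("other", uri))
            continue
        scheme = parts.scheme.lower()
        if scheme == "mailto" and "@" in parts.path:
            methods.append(("mailto", parts.path.lower()))
        elif scheme in ("http", "https") and host:
            methods.append((scheme, host))
        else:
            methods.append(("other", uri))
    return methods


def unsubscribe_action(raw_message, is_spam):
    """Decide what the mail client offers (assumed policy, see lead-in).

    is_spam is the verdict of the existing filter, e.g. SpamAssassin.
    """
    if is_spam:
        # Never contact the sender of mail already judged to be spam.
        return ("train_as_spam", None)
    methods = unsubscribe_methods(raw_message)
    # Prefer mail over web; plain http and unknown schemes are not offered.
    for wanted, action in (("mailto", "offer_mail"), ("https", "offer_web")):
        for kind, target in methods:
            if kind == wanted:
                return (action, target)
    return ("no_header_method", None)


if __name__ == "__main__":
    for name, raw in (("newsletter", NEWSLETTER),
                      ("body link only", BODY_LINK_ONLY),
                      ("http only", HTTP_ONLY)):
        print(name, unsubscribe_action(raw, is_spam=False))
```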
Re: Opinions needed on what to consider spam
On 2014-08-13 07:14, Matus UHLAR - fantomas wrote:
> call an unsubscribe-hook _and_ train as spam.
> Should be viable for both solicited and unsolicited mail.
>
> Or, does anyone think that unsubscribing spam is counter-productive still?

In short, yes, it is unproductive. The quasi-legitimate stuff does go away, but the rest doesn't.

This was confirmed just recently by Laura on Word To The Wise, who posted about this just 5 days ago: https://wordtothewise.com/2014/08/unsubscribing-spam-part-3/

TL;DR: Spam load went up. Unsubscribing from each of 312 messages in one month resulted in 6 straight months of higher spam load.

I've had similar results on a Gmail spamtrap I've got (an address I've never used and don't use, but happens to be a common firstname.lastname combination, so it gets tons of typo'd mail seeding the trap)

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: spamassassin at 100 percent CPU
Hi there,

This is a new machine with rules copied over from another machine. How about this? I just start new. Is there a good page out that explains setting up spamassassin from scratch and getting the sa rules set up well and cleaned up nicely? I am happy to start from the beginning with best practices.

Cheers,

Noah

On 8/11/14 4:31 PM, Karsten Bräckelmann wrote:
> On Mon, 2014-08-11 at 09:18 -0400, Joe Quinn wrote:
>> Keep replies on list.
>>
>> Do you remember making any changes, or are you using spamassassin as it comes? What kind of email is going through your server? Very large emails can cause trouble with poorly written rules. If you can, perhaps systematically turn off things that are pushing email to that server could narrow it down to a particular type of email.
>>
>> On 8/9/2014 4:41 PM, Noah wrote:
>>> thanks for your response. I am not handling much email it's a new server and currently the MX points to another server.
>
> What mail is it handling?
>
> Not MX, so I assume it does not receive externally generated mail at all. Which pretty much leaves us with locally generated -- cron noise and other report types.
>
> How is SA integrated? What's your message size limit (see config of the service passing mail to SA)? Are you per chance scanning multi MB text reports?
>
> A sane size limit is about 500 kB. Besides, local generated mail isn't worth processing with SA, and in the case of cron mail often harmful (think virus scanner report).
>
>>> How do I check the SA configuration? How do I check if I am using additional rules?
>
> By additional rules, we mean any rules or configuration that is not stock SA. Anything other than the debian package or running sa-update. Generally, anything *you* added.
>
> > On 7/31/2014 3:19 PM, Noah wrote:
> what are some things to check with spamassassin commonly running at 100 percent?
>
> For how long does it run at CPU max? What is the actual process name?
>
> It would be rather common for the plain 'spamassassin' script to consume a couple wall-clock seconds of CPU, since it has to read and compile the full rule-set at each invocation.
>
> Unlike the 'spamd' daemon, which has that considerable overhead only once during service start. In both cases may the actual scan time with high CPU load be lower than the start-up overhead.
Re: spamassassin at 100 percent CPU
On Wed, 2014-08-13 at 11:20 -0700, Noah wrote:

> This is a new machine with rules copied over from another machine. How
> about this? I just start new. Is there a good page out that explains
> setting up spamassassin from scratch and getting the sa rules set up
> well and cleaned up nicely? I am happy to start from the beginning with
> best practices.

If you cannot answer our rather specific questions, you're in for a much steeper learning curve than you seem to expect...

What the best way of setting up SA on a new machine is? Just install the distro provided SA packages. Getting the SA rules set up well? Same. Cleaned up? Do not copy over configuration and rules from $ome other system, unless you know what you are copying. IOW, don't. That's clean by definition.

What I really don't get from your reply is this, though: A new machine, with "rules copied over". Yet, you seem to be unable to answer our questions regarding custom rules and configuration you put there. Which equals everything you "copied over" to begin with.

If you did, why can't you answer our question? Or revert that "copying over", which results in the "cleaned up" state you asked for.

Regardless of continuing with the current system, or setting up the whole system from scratch again -- there are important questions raised, you just didn't answer. Which, frankly, are likely to have a *much* more severe impact than removing bad, copied rules.

What mail is that system handling, if it is not an MX?

How large are those messages, and what's your size limit?

How is SA integrated, what software is passing mail to SA?

What is the actual process's name, and for how long does it run at CPU max?

Without answering these (basically, get back to my previous post and actually answer all my very specific questions), there is absolutely no point in you posing more or other questions. It won't help.
Reference:

> On 8/11/14 4:31 PM, Karsten Bräckelmann wrote:
> > On Mon, 2014-08-11 at 09:18 -0400, Joe Quinn wrote:
> >> Keep replies on list.
> >>
> >> Do you remember making any changes, or are you using spamassassin as it
> >> comes? What kind of email is going through your server? Very large
> >> emails can cause trouble with poorly written rules. If you can, perhaps
> >> systematically turn off things that are pushing email to that server
> >> could narrow it down to a particular type of email.
> >>
> >> On 8/9/2014 4:41 PM, Noah wrote:
> >>> thanks for your response. I am not handling much email it's a new
> >>> server and currently the MX points to another server.
> >
> > What mail is it handling?
> >
> > Not MX, so I assume it does not receive externally generated mail at
> > all. Which pretty much leaves us with locally generated -- cron noise
> > and other report types.
> >
> > How is SA integrated? What's your message size limit (see config of the
> > service passing mail to SA)? Are you per chance scanning multi MB text
> > reports?
> >
> > A sane size limit is about 500 kB. Besides, local generated mail isn't
> > worth processing with SA, and in the case of cron mail often harmful
> > (think virus scanner report).
> >
> >
> >>> How do I check the SA configuration? How do I check if I am using
> >>> additional rules?
> >
> > By additional rules, we mean any rules or configuration that is not
> > stock SA. Anything other than the debian package or running sa-update.
> > Generally, anything *you* added.
> >
> > > On 7/31/2014 3:19 PM, Noah wrote:
> > what are some things to check with spamassassin commonly running at
> > 100 percent?
> >
> > For how long does it run at CPU max? What is the actual process name?
> >
> > It would be rather common for the plain 'spamassassin' script to consume
> > a couple wall-clock seconds of CPU, since it has to read and compile the
> > full rule-set at each invocation.
> >
> > Unlike the 'spamd' daemon, which has that considerable overhead only
> > once during service start. In both cases may the actual scan time with
> > high CPU load be lower than the start-up overhead.
> >
> >

--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Opinions needed on what to consider spam
On 08/13/2014 01:06 PM, Dave Warren wrote:
> In short, yes, it is unproductive. The quasi-legitimate stuff does go away, but the rest doesn't.
>
> This was confirmed just recently by Laura on Word To The Wise, who posted about this just 5 days ago: https://wordtothewise.com/2014/08/unsubscribing-spam-part-3/

Quote from the linked material:

"During the month of November, I unsubscribed from every commercial email that came into the account."

So mindlessly unsubscribing from viagra ads, with unsubscribe links, which have a load of random phrases at the bottom results in a higher spam load later... if you are willing to accept data from an n=1 experiment with a low spam count.

What if you have a larger number of accounts, and direct intelligent users to unsubscribe from emails which seem reasonably legit to them?
Re: Opinions needed on what to consider spam
On 2014-08-13 17:47, Steve Bergman wrote:
> On 08/13/2014 01:06 PM, Dave Warren wrote:
>> In short, yes, it is unproductive. The quasi-legitimate stuff does go away, but the rest doesn't.
>>
>> This was confirmed just recently by Laura on Word To The Wise, who posted about this just 5 days ago: https://wordtothewise.com/2014/08/unsubscribing-spam-part-3/
>
> Quote from the linked material:
>
> "During the month of November, I unsubscribed from every commercial email that came into the account."
>
> So mindlessly unsubscribing from viagra ads, with unsubscribe links, which have a load of random phrases at the bottom results in a higher spam load later... if you are willing to accept data from an n=1 experiment with a low spam count.
>
> What if you have a larger number of accounts, and direct intelligent users to unsubscribe from emails which seem reasonably legit to them?

I've performed similar experiments with my own spam-trap addresses over the years, with similar results. In my experience, it helps to keep a domain "fresh" in spammers' lists if they see periodic activity for domains that are entirely comprised of traps.

I seeded one trap from scratch simply by editing/entering the address into the unsubscribe link/form of any "probably legitimate" spam that I received that had a form I could manipulate without revealing its true source. The address still receives a moderate volume of spam today, mostly from very disreputable sources that likely bought the list, but not exclusively.

Again, a n=1 experiment, but again, it showed that even if you're selective, there's no such thing as limiting yourself to reputable spammers.

However, I don't find that it's the intelligent users who have massive spam problems to begin with, it's the ones who throw their email address into every field requesting it and pound "Next" like a monkey wanting a banana, ignoring pre-checked boxes along the way, that have the worst spam problem. In my experience, these are the types that don't do particularly well at knowing what to unsubscribe from, and what might be legitimate. You can explain the obvious viagra stuff, but their attention span is that of a gnat.

But as with all things, your mileage may vary.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren