Re: Stuff slipping through STYLE_GIBBERISH filter!

2016-09-07 Thread John Hardin

On Wed, 7 Sep 2016, Lindsay Haisley wrote:


> I'm getting a _lot_ of spam slipping through the STYLE_GIBBERISH
> filter, probably more than is getting caught (although some of it _is_
> getting caught). An example body is
>
> Any help on this?


I'll take a look, but as STYLE_GIBBERISH is intended to be more 
lightweight than an actual EBNF syntax verifier :) , there are limits to 
what can be done...


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...wind turbines are not meant to actually be an efficient way to
  supply the power grid, rather they're prayer wheels for New Age
  iBuddhists, their whirring blades drawing white guilt from the
  atmosphere and pumping it safely underground.-- Tam
---
 10 days until the 229th anniversary of the signing of the U.S. Constitution


Stuff slipping through STYLE_GIBBERISH filter!

2016-09-07 Thread Lindsay Haisley
I'm getting a _lot_ of spam slipping through the STYLE_GIBBERISH
filter, probably more than is getting caught (although some of it _is_
getting caught). An example body is



http://82.145.55.127//ql.html?r=ref_02*mbsEcorbeag1039osdfrj=oth.sh4a.j6ujae.44yoh.c0497__0sv4Yb82/ln";>http://82.145.55.127//4001/pm14379ecoverage.jpg";>
http://82.145.55.127//ql.html?o=ref_02*mbsEcorbeag1039osdfrj=oth.sh4a.j6ujae.44yoh.c0497__0sv4Yb82/ln";>http://82.145.55.127//4001/pm14379ecoverage_uns.jpg";>
http://82.145.55.127//ql.html?u=ref_02*mbsEcorbeag1039osdfrj=oth.sh4a.j6ujae.44yoh.c0497__0sv4Yb82/ln";>http://82.145.55.127//cn55-1.png";>
http://82.145.55.127//ql.html?i=ref_02*mbsEcorbeag1039osdfrj=oth.sh4a.j6ujae.44yoh.c0497__0sv4Yb82/ln"width=1/>;
 






Re: I have some bad news

2016-09-07 Thread Bill Cole

On 6 Sep 2016, at 16:04, do...@mail.com wrote:


> On Mon, 05 Sep 2016 20:17:18 "Bill Cole" wrote:
>> On 4 Sep 2016, at 21:11, @lbutlr wrote:
>>> On Sep 1, 2016, at 7:41 PM, David Niklas <do...@mail.com> wrote:
>>>> Would you like to go out to lunch?
>>>
>>> Other than your message, that phrase does not appear in 7 years of
>>> my mail.
>>
>> It's in hash-buster/bayes-buster parts in 5 messages in my spam corpus
>> spread over 4 years without other obvious commonalities (other than
>> their use of such tactics.)
>
> It was just an example to make a point. You would need to look at your
> cool database for a non-spammy string and place it in with an equally
> spammy one to figure out if I have found a bug in your cool program.
>
> BTW: You never mentioned if anyone accepted your offer yet.


You seem to have me confused with Marc Perkel. I am not Marc Perkel. 
This should have been apparent from the attribution line you included in 
your message.


The point I was hoping others would infer is simply that different 
people get substantially different mail (ham and spam) which makes 
statistical approaches of all sorts increasingly ineffective as you 
increase the diversity of the recipient population. This latest FUSSP 
proposal is even more fragile to that sort of breakage because all it 
takes to completely burn a classifier token is a single appearance in 
both classes. As one grows a source corpus across a broad enough 
audience, the usable tokens trend inevitably towards zero while the 
remaining usable tokens are those which simply don't occur very often 
and so aren't operationally valuable.


Despite Mr. Perkel's extensive insistence to the contrary, his proposal 
does logically reduce to a variation on Bayesian filtering which avoids 
FPs at the cost of not being able to make any judgment at all on the 
actually difficult cases.
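
The token-burning effect described in the message above, as an added example that is not code from the thread or from the proposal under discussion. It assumes a deliberately simplified classifier in which a token counts only while it has been seen in exactly one class; both recipients' corpora are constructed.

```python
# Constructed corpora for two recipients who receive different mail.
RECIPIENT_A = {
    "ham":  ["would you like to go out to lunch",
             "meeting notes attached for review"],
    "spam": ["cheap pills buy now", "win a free prize now"],
}
RECIPIENT_B = {
    "ham":  ["pills prescription ready for pickup",
             "you win the chess match review"],
    # The lunch phrase shows up here as bayes-buster filler inside spam.
    "spam": ["buy watches would you like to go out to lunch",
             "free prize notes attached"],
}

def tokens(message):
    return set(message.lower().split())

def vocab(messages):
    return set().union(*(tokens(m) for m in messages))

def merge(*recipients):
    """Pool several recipients' mail into one (ham, spam) source corpus."""
    ham = [m for r in recipients for m in r["ham"]]
    spam = [m for r in recipients for m in r["spam"]]
    return ham, spam

def split_tokens(ham, spam):
    """Return (ham_only, spam_only, burned); one sighting in both classes burns a token."""
    h, s = vocab(ham), vocab(spam)
    return h - s, s - h, h & s

def judge(message, ham, spam):
    """Classify using exclusive tokens only; conflicting or absent evidence gives no verdict."""
    ham_only, spam_only, _ = split_tokens(ham, spam)
    t = tokens(message)
    ham_hits, spam_hits = len(t & ham_only), len(t & spam_only)
    if spam_hits and not ham_hits:
        return "spam"
    if ham_hits and not spam_hits:
        return "ham"
    return "no judgment"

if __name__ == "__main__":
    probe = "would you like to go out to lunch"
    for label, corpus in (("A only", merge(RECIPIENT_A)),
                          ("A + B", merge(RECIPIENT_A, RECIPIENT_B))):
        _, _, burned = split_tokens(*corpus)
        print(label, "burned tokens:", len(burned), "verdict:", judge(probe, *corpus))
```
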




Re: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Noel
On 9/7/2016 3:42 AM, Nicola Piazzi wrote:
>
>  
>
> I have a problem using reject_unverified_recipient to verify under
> Exchange 2016 that I don’t have with Exchange 2010
>

This is the wrong list for this question.
Please ask this on the postfix-users list for a solution.

http://www.postfix.org/documentation.html
http://www.postfix.org/ADDRESS_VERIFICATION_README.html
http://www.postfix.org/postconf.5.html#smtp_address_verify_target


Re: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread li...@rhsoft.net



On 07.09.2016 at 11:00, Nicola Piazzi wrote:

> I am off topic if you think that postfix is not spamassassin
> I think that this is not a Microsoft problem because exchange answer correctly
> to unknown recipients
> I suppose that there is something in the return string that postfix doesn’t like


postfix doesn't parse strings, postfix is just interested in the 3-digit 
response code where 2xx means "OK", 4xx "temporary problem" and 5xx 
"permanent problem don't come back"


"250 2.1.5 Recipient OK" is a correct answer to unknown recipients?
since when?

> Here Exchange 2016 at port 25 that verify unknown recipient at DATA phase
> telnet 10.1.1.126 25
> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
> helo me
> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
> mail from:e...@ext.com
> 250 2.1.0 Sender OK
> rcpt to:doesntex...@gruppocomet.it
> 250 2.1.5 Recipient OK


Re: R: R: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Antony Stone
On Wednesday 07 September 2016 at 11:00:57, Nicola Piazzi wrote:

> I am off topic if you think that postfix is not spamassassin

Postfix is not spamassassin.


Antony.

-- 
The Royal Society for the Prevention of Cruelty to Animals was formed in 1824.
The National Society for the Prevention of Cruelty to Children was not formed 
until 1884.
That says something about the British.

   Please reply to the list;
 please *don't* CC me.


R: R: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Nicola Piazzi
I am off topic if you think that postfix is not spamassassin
I think that this is not a Microsoft problem because exchange answer correctly 
to unknown recipients
I suppose that there is something in the return string that postfix doesn’t like

Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna – Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it



-----Original Message-----
From: Axb [mailto:axb.li...@gmail.com]
Sent: Wednesday, 7 September 2016 10:59
To: users@spamassassin.apache.org
Subject: Re: R: postfix reject_unverified_recipient and Exchange 2016

This is totally off topic.
You are on the wrong list for these questions.
Use the MS knowledge base.

On 09/07/2016 10:56 AM, Nicola Piazzi wrote:
> It seems NOT a Microsoft problem because with "Recipient Filter Agent"
> exchange answer "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient
> not found by SMTP address lookup" when a recipient is not found
> So I don't know why when postfix get "550 5.1.10 RESOLVER.ADR.RecipientNotFound;
> Recipient not found by SMTP address lookup" from Exchange 2016 it doesn't
> consider nonexistent that recipient
> Someone can write me the answer of Exchange 2010 to a nonexistent recipient ?
>
>
>
>
>
> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna - Italia
> Tel.  +39 051.6079.293
> Cell. +39 328.21.73.470
> Web: www.gruppocomet.it
>
>
> -----Original Message-----
> From: li...@rhsoft.net [mailto:li...@rhsoft.net]
> Sent: Wednesday, 7 September 2016 10:49
> To: users@spamassassin.apache.org
> Subject: Re: postfix reject_unverified_recipient and Exchange 2016
>
>
>
> On 07.09.2016 at 10:42, Nicola Piazzi wrote:
>> I have a problem using reject_unverified_recipient to verify under 
>> Exchange 2016 that I don't have with Exchange 2010
>
> how is that a spamassassin or even postfix related problem?
>
> call the microsoft support why their stuff is playing backscatter in 
> recent versions (as you can see by all that exchange bounces flying 
> around in the web)
>
> there is nothing the delivery software can do when exchange has no
> clue about its valid rcpt's until it received and acknowledged the
> full message instead just reject the rcpt
>
> workaround: list your valid RCPT's directly on your inbound MX and
> maintain it parallel to exchange
>
>> Postfix is used to send and receive mail and is between the internet
>> and the internal Exchange Server
>> Now, when an internet user send an email to our domain postfix verify
>> it making an rcptto to our exchange using reject_unverified_recipient
>> instruction
>> This worked well with Exchange 2010 but now with Exchange 2016 doesn't work.
>> Exchange 2016 needs the installation of Recipient Filter Agent and
>> obviously I installed it.
>> Now we have Frontend Transport that answer at port 25 and verify
>> recipient at DATA phase and the Hub Transport that answer at port
>> 2525 and verify recipient at RCPT TO
>>
>> Here Exchange 2016 at port 25 that verify unknown recipient at DATA phase
>> telnet 10.1.1.126 25
>> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
>> helo me
>> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
>> mail from:e...@ext.com
>> 250 2.1.0 Sender OK
>> rcpt to:doesntex...@gruppocomet.it
>> 250 2.1.5 Recipient OK
>> data
>> 354 Start mail input; end with .
>> some data




Re: R: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Axb

This is totally off topic.
You are on the wrong list for these questions.
Use the MS knowledge base.

On 09/07/2016 10:56 AM, Nicola Piazzi wrote:

> It seems NOT a Microsoft problem because with "Recipient Filter Agent" exchange answer
> "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup"
> when a recipient is not found
> So I don't know why when postfix get "550 5.1.10 RESOLVER.ADR.RecipientNotFound;
> Recipient not found by SMTP address lookup" from Exchange 2016 it doesn't consider
> nonexistent that recipient
> Someone can write me the answer of Exchange 2010 to a nonexistent recipient ?
>
>
> Nicola Piazzi
> CED - Sistemi
> COMET s.p.a.
> Via Michelino, 105 - 40127 Bologna - Italia
> Tel.  +39 051.6079.293
> Cell. +39 328.21.73.470
> Web: www.gruppocomet.it
>
>
> -----Original Message-----
> From: li...@rhsoft.net [mailto:li...@rhsoft.net]
> Sent: Wednesday, 7 September 2016 10:49
> To: users@spamassassin.apache.org
> Subject: Re: postfix reject_unverified_recipient and Exchange 2016
>
>
> On 07.09.2016 at 10:42, Nicola Piazzi wrote:
>> I have a problem using reject_unverified_recipient to verify under
>> Exchange 2016 that I don't have with Exchange 2010
>
> how is that a spamassassin or even postfix related problem?
>
> call the microsoft support why their stuff is playing backscatter in recent
> versions (as you can see by all that exchange bounces flying around in the web)
>
> there is nothing the delivery software can do when exchange has no clue about
> its valid rcpt's until it received and acknowledged the full message instead
> just reject the rcpt
>
> workaround: list your valid RCPT's directly on your inbound MX and maintain it
> parallel to exchange
>
>> Postfix is used to send and receive mail and is between the internet
>> and the internal Exchange Server
>> Now, when an internet user send an email to our domain postfix verify
>> it making an rcptto to our exchange using reject_unverified_recipient
>> instruction
>> This worked well with Exchange 2010 but now with Exchange 2016 doesn't work.
>> Exchange 2016 needs the installation of Recipient Filter Agent and
>> obviously I installed it.
>> Now we have Frontend Transport that answer at port 25 and verify
>> recipient at DATA phase and the Hub Transport that answer at port 2525
>> and verify recipient at RCPT TO
>>
>> Here Exchange 2016 at port 25 that verify unknown recipient at DATA phase
>> telnet 10.1.1.126 25
>> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
>> helo me
>> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
>> mail from:e...@ext.com
>> 250 2.1.0 Sender OK
>> rcpt to:doesntex...@gruppocomet.it
>> 250 2.1.5 Recipient OK
>> data
>> 354 Start mail input; end with .
>> some data





R: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Nicola Piazzi
It seems NOT a Microsoft problem because with "Recipient Filter Agent" exchange 
answer "550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP 
address lookup" when a recipient is not found
So I don't know why when postfix get "550 5.1.10 
RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup" 
from Exchange 2016 it doesn't consider nonexistent that recipient
Someone can write me the answer of Exchange 2010 to a nonexistent recipient ?





Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it


-----Original Message-----
From: li...@rhsoft.net [mailto:li...@rhsoft.net]
Sent: Wednesday, 7 September 2016 10:49
To: users@spamassassin.apache.org
Subject: Re: postfix reject_unverified_recipient and Exchange 2016



On 07.09.2016 at 10:42, Nicola Piazzi wrote:
> I have a problem using reject_unverified_recipient to verify under 
> Exchange 2016 that I don't have with Exchange 2010

how is that a spamassassin or even postfix related problem?

call the microsoft support why their stuff is playing backscatter in recent 
versions (as you can see by all that exchange bounces flying around in the web)

there is nothing the delivery software can do when exchange has no clue about 
its valid rcpt's until it received and acknowledged the full message instead 
just reject the rcpt

workaround: list your valid RCPT's directly on your inbound MX and maintain it 
parallel to exchange

> Postfix is used to send and receive mail and is between the internet
> and the internal Exchange Server
> Now, when an internet user send an email to our domain postfix verify
> it making an rcptto to our exchange using reject_unverified_recipient
> instruction
> This worked well with Exchange 2010 but now with Exchange 2016 doesn't work.
> Exchange 2016 needs the installation of Recipient Filter Agent and
> obviously I installed it.
> Now we have Frontend Transport that answer at port 25 and verify
> recipient at DATA phase and the Hub Transport that answer at port 2525
> and verify recipient at RCPT TO
>
> Here Exchange 2016 at port 25 that verify unknown recipient at DATA phase
> telnet 10.1.1.126 25
> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
> helo me
> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
> mail from:e...@ext.com
> 250 2.1.0 Sender OK
> rcpt to:doesntex...@gruppocomet.it
> 250 2.1.5 Recipient OK
> data
> 354 Start mail input; end with .
> some data


Re: postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread li...@rhsoft.net



On 07.09.2016 at 10:42, Nicola Piazzi wrote:

> I have a problem using reject_unverified_recipient to verify under
> Exchange 2016 that I don’t have with Exchange 2010


how is that a spamassassin or even postfix related problem?

call the microsoft support why their stuff is playing backscatter in 
recent versions (as you can see by all that exchange bounces flying 
around in the web)


there is nothing the delivery software can do when exchange has no clue 
about its valid rcpt's until it received and acknowledged the full 
message instead just reject the rcpt


workaround: list your valid RCPT's directly on your inbound MX and 
maintain it parallel to exchange



> Postfix is used to send and receive mail and is between the internet and
> the internal Exchange Server
> Now, when an internet user send an email to our domain postfix verify it
> making an rcptto to our exchange using reject_unverified_recipient
> instruction
> This worked well with Exchange 2010 but now with Exchange 2016 doesn’t work.
> Exchange 2016 needs the installation of Recipient Filter Agent and
> obviously I installed it.
> Now we have Frontend Transport that answer at port 25 and verify
> recipient at DATA phase and the Hub Transport that answer at port 2525
> and verify recipient at RCPT TO
>
> Here Exchange 2016 at port 25 that verify unknown recipient at DATA phase
> telnet 10.1.1.126 25
> 220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
> helo me
> 250 GEMMA.gruppocomet.net Hello [10.2.6.4]
> mail from:e...@ext.com
> 250 2.1.0 Sender OK
> rcpt to:doesntex...@gruppocomet.it
> 250 2.1.5 Recipient OK
> data
> 354 Start mail input; end with .
> some data


postfix reject_unverified_recipient and Exchange 2016

2016-09-07 Thread Nicola Piazzi

I have a problem using reject_unverified_recipient to verify under Exchange 
2016 that I don't have with Exchange 2010

Postfix is used to send and receive mail and is between the internet and the 
internal Exchange Server
Now, when an internet user send an email to our domain postfix verify it making 
an rcpt to to our exchange using reject_unverified_recipient instruction
This worked well with Exchange 2010 but now with Exchange 2016 doesn't work.
Exchange 2016 needs the installation of Recipient Filter Agent and obviously I 
installed it.
Now we have Frontend Transport that answer at port 25 and verify recipient at 
DATA phase and the Hub Transport that answer at port 2525 and verify recipient 
at RCPT TO

Here Exchange 2016 at port 25 that verify unknown recipient at DATA phase
telnet 10.1.1.126 25
220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
helo me
250 GEMMA.gruppocomet.net Hello [10.2.6.4]
mail from:e...@ext.com
250 2.1.0 Sender OK
rcpt to:doesntex...@gruppocomet.it
250 2.1.5 Recipient OK
data
354 Start mail input; end with .
some data
.
550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup


Here Exchange 2016 at port 2525 that verify unknown recipient at RCPT TO phase
telnet 10.1.1.126 2525
220 GEMMA.gruppocomet.net Microsoft ESMTP MAIL Service ready
helo me
250 GEMMA.gruppocomet.net Hello [10.2.6.4]
mail from:e...@ext.com
250 2.1.0 Sender OK
rcpt to:doesntex...@gruppocomet.it
550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup

When I connect to a Postfix configured with reject_unverified_recipient it 
doesn't work
I tried to transport domain to Exchange at port 2525 and at port 25 using the 
parameter smtp_address_verify_target = data

Postfix answer OK at RCPT TO of 
doesntex...@gruppocomet.it and need some 
time to answer, so I suppose that it make the call to Exchange
RCPT TO is immediate if I remove reject_unverified_recipient



Nicola Piazzi
CED - Sistemi
COMET s.p.a.
Via Michelino, 105 - 40127 Bologna - Italia
Tel.  +39 051.6079.293
Cell. +39 328.21.73.470
Web: www.gruppocomet.it
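
The two sessions in the message above differ only in the stage at which the 550 arrives, and a verification probe that looks only at reply codes up to a fixed stage will never see a rejection issued after end-of-data. The following is an added example, not code from Postfix or from anyone in the thread; the transcripts are constructed from the ones quoted, with placeholder host names and addresses, and the point at which the probe stops is an assumption passed as a parameter.

```python
import re

# Constructed transcripts modelled on the two sessions quoted in the thread.
# Host names and addresses are placeholders. "C:" is the client, "S:" the server.
COMMON = """\
S: 220 mx.example.com Microsoft ESMTP MAIL Service ready
C: helo me
S: 250 mx.example.com Hello [192.0.2.4]
C: mail from:<sender@example.org>
S: 250 2.1.0 Sender OK
C: rcpt to:<nobody@example.com>
"""
NOT_FOUND = ("S: 550 5.1.10 RESOLVER.ADR.RecipientNotFound; "
             "Recipient not found by SMTP address lookup\n")
PORT_25 = (COMMON + "S: 250 2.1.5 Recipient OK\nC: data\n"
           "S: 354 Start mail input; end with <CRLF>.<CRLF>\n"
           "C: some data\nC: .\n" + NOT_FOUND)
PORT_2525 = COMMON + NOT_FOUND

ORDER = ["connect", "helo", "mail", "rcpt", "data", "end-of-data"]
COMMANDS = [("helo", "helo"), ("ehlo", "helo"), ("mail from", "mail"),
            ("rcpt to", "rcpt"), ("data", "data")]

def stage_replies(transcript):
    """Return [(stage, code)] for the final line of each server reply."""
    stage, in_body, replies = "connect", False, []
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        if who == "C":
            if in_body:                      # message content until the lone "."
                if text == ".":
                    stage, in_body = "end-of-data", False
                continue
            for prefix, name in COMMANDS:
                if text.lower().startswith(prefix):
                    stage = name
                    break
        elif who == "S":
            m = re.match(r"(\d{3})([ -])", text)
            if m and m.group(2) == " ":      # "250-" lines are continuations
                code = int(m.group(1))
                replies.append((stage, code))
                in_body = stage == "data" and code == 354
    return replies

def rejection_stage(transcript):
    """Stage at which the server first returned a 5xx reply, or None."""
    return next((s for s, c in stage_replies(transcript) if c >= 500), None)

def probe_verdict(transcript, stop_after="rcpt"):
    """What a probe that quits after `stop_after` concludes from the codes alone."""
    limit = ORDER.index(stop_after)
    for stage, code in stage_replies(transcript):
        if ORDER.index(stage) > limit:
            break
        if code >= 500:
            return "reject"
        if code >= 400:
            return "defer"
    return "accept"
```
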


 



Re: new Mail-SpamAssassin-Plugin-AttachmentPresent

2016-09-07 Thread Merijn van den Kroonenberg

>> [snip]
>> body HAS_VBS_FILES eval:attachmentpresent_file_count('vbs')
>> describe HAS_VBS_FILES The e-mail has attached vbs files (or inside
>> archives)
>> score HAS_VBS_FILES 2.5
>
> This looks very interesting. The scores you've specified seem to be
> quite high, however. I'd probably make them much lower.

In our case they work good enough to push over the spam message edge cases
(new zombies etc) and it's low enough for our real ham to survive.

But of course this is just an example, you can (or not) use it any way you
want.

>
> Is there any ability to determine if a particular attachment has a
> Word macro enclosed in addition to just having a Word document?
>

This plugin just looks at filename extensions. And the main feature is it
also looks at files inside zip archives. So we use it to tag wsf, js, hta,
... files which get sent inside zip archives a lot.

> Thanks,
> Alex
>
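
The approach described in the message above (count attachment filename extensions, including the names of files inside zip archives) can be sketched as follows. This is an added example in Python, not the plugin's own code; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage

def ext(name):
    """Lower-cased extension of the last path component, '' if there is none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def extension_counts(raw):
    """Count extensions of attachments and of members of zip attachments."""
    counts = Counter()
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        counts[ext(name)] += 1
        if ext(name) != "zip":
            continue
        try:
            data = part.get_payload(decode=True) or b""
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                # namelist() reads only the central directory; nothing is
                # decompressed, so a hostile archive cannot exhaust memory here.
                for member in archive.namelist():
                    if not member.endswith("/"):
                        counts[ext(member)] += 1
        except zipfile.BadZipFile:
            counts["badzip"] += 1            # named .zip but not parseable
    return counts

def sample_message():
    """Constructed message: a zip holding a .js file, plus a loose .VBS file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice.js", "// constructed placeholder")
        archive.writestr("docs/readme.txt", "constructed placeholder")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"constructed", maintype="application",
                       subtype="octet-stream", filename="note.VBS")
    return msg.as_bytes()

if __name__ == "__main__":
    print(dict(extension_counts(sample_message())))
```
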