[OT] RBLs
Hi,

we have seen a recent upsurge in SPAM and would like to ask the community for recommendations on both free and commercial RBL offerings. We are currently using:

Barracuda
SpamRats
JunkEmailFilter
SpamEatingMonkey

Plus the standard ones that are checked with SpamAssassin. We are also about to trial Invaluement. Any help is gratefully appreciated.

-- Thanks, Phil
Re: [OT] RBLs
The type of SPAM we are seeing is where legit companies are having their adverts cloned and the hyperlinks changed to spammy sites. Bayes is being by-passed due to the content looking valid so it is coming down to the IPs and domains. Had one yesterday where at 06:39 it was received by one of our clients and at 06:42 it appeared on one of the RBLs. I am guessing that it must have been a huge spam mailing that hit a lot of honeypots and people all at once. Downside is not a happy client ;(

-- Thanks, Phil

- Original Message -

On 11.01.2012 12:28, --[ UxBoD ]-- wrote:
> Hi, we have seen a recent upsurge in SPAM and would like to ask the community for recommendations on both free and commercial RBL offerings. We are currently using:
> Barracuda
> SpamRats
> JunkEmailFilter
> SpamEatingMonkey

never used this

> Plus the standard ones that are checked with SpamAssassin. We are also about to trial Invaluement. Any help is gratefully appreciated.
> -- Thanks, Phil

beside spamassassin i use this rbls with postfix

    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net

mostly in with some selective setup, clamav milter with sanesecurity, greylist, and some postscreen configs

ix.dnsbl.manitu.net perhaps is more in interest for german/euro region

that was enough ever, for most global spam, for sure you need analyse your logs and make special setups related to ips, domains etc sometimes

-- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: [OT] was SORBS
- Original Message - On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wrote: We're on a BT only exchange here so it's them or nothing, well not quite, I could go CoLo... hmmm maybe not, or satellite, I was involved in setting that up in Cyprus. Nigel Is there such a thing? I appreciate many are not unbundled, but the BTW agreement means you should have no problems getting a wires-only with someone like Zen, IDNET or Newnet. Believe me, the service just pee's over BT. I was with IDNET and they were awesome. Only reason why I moved to Xilo was to lower my monthly costs. CW unbundled has been really good. If cost is not a factor I would always recommend IDNET over anybody else! They do still manage my BT line :) -- Thanks, Phil
Re: Increase in image/zip spam?
- Original Message -

| Hi, Just wondering if others are also seeing an increase in image spam in the last week or so, some of which contain zip attachments? The body contains random bayes killer? text with an image or zip attachment. I can't otherwise find something to trigger on to block them reliably and bayes doesn't seem to be doing it for me...
|
| http://pastebin.com/fSarnJQy
|
| Any ideas greatly appreciated! Thanks, Alex

Appears to hit a few RBLs:

Content analysis details: (7.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- -----------
 0.4 RCVD_IN_XBL
 0.5 RCVD_IN_NIX_SPAM
 3.0 RCVD_IN_BRBL
 1.4 RCVD_IN_BRBL_LASTEXT
-0.0 BAYES_20
 1.1 DCC_CHECK
 0.8 RDNS_NONE

-- Thanks, Phil
Re: The Impossible Rule??? Bug???
- corpus.defero corpus.def...@idnet.com wrote:

| I was looking at a piece of irritating pill spam this morning ((http://pastebin.com/qzj83QKq)) and noticed this in the body, just after a random excerpt from chapter 58 of 'The Awakening':
|
|     ---34AD8EF316667417464496762D36F3502061F3
|     Content-Type: image/bmp; name=transistor.jpg
|     Content-Transfer-Encoding: base64
|     Content-Disposition: inline
|
| Having some time to play I was interested to see a slight mismatch there in the content type. Claims to be a bmp, but has a .jpg extension. Feeling it was worthy of a couple of points (it scored 0 when it first arrived) I tried to create a custom rule for it. Being in the body of the message I thought that 'rawbody' would be a good starting point but neither:
|
|     rawbody RB_MFT01 /Content\-Type: image\/bmp(.{1,30})\.jpg/i
|     score RB_MFT01 3.0
|
| OR
|
|     rawbody RB_MFT01 /Content\-Type: image\/bmp/i
|     score RB_MFT01 3.0
|
| Would catch on it. Examples found on the 'Content-Type' suggested it was a header, but even stripping it back to:
|
|     header HD_MFT01 Content-Type =~ /image\/bmp;/
|
| Would not catch on it. Google seemed to offer no clues other than a few suggestions for attachment filtering hacks and plugins, but they did not appear to offer the match (bmp but .jpg) that I was looking to achieve. Is this something that can't be done with Spamassassin? Is it an 'impossible rule'? Is it a bug? The documentation is not giving me any obvious tips on this?

I use this one :-

    mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpe?g|png|bmp)/
    mimeheader MIME_IMAGE_JPG Content-Type =~ /image\/jpg/
    describe MIME_IMAGE_JPG Contains wrong MIME type image\/jpg
    score MIME_IMAGE_JPG 1.0

-- Thanks, Phil
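The mismatch discussed in the message above (a part declared as image/bmp but named .jpg) can also be checked outside SpamAssassin. The following Python sketch is an added example, not code from the thread or from SpamAssassin; the function names and the sample message are constructed for illustration. It compares each image part's declared type with its filename extension and with the payload's magic bytes, and also flags the unregistered type image/jpg that the MIME_IMAGE_JPG rule scores.

```python
import base64
import os
from email import message_from_string

# Image types and the filename extensions that normally accompany them.
EXPECTED_EXT = {
    "image/bmp": {".bmp", ".dib"},
    "image/gif": {".gif"},
    "image/jpeg": {".jpg", ".jpeg", ".jpe"},
    "image/png": {".png"},
}
# Unregistered spelling; this is the one the MIME_IMAGE_JPG rule above scores.
NONSTANDARD_TYPES = {"image/jpg"}
# Leading bytes that identify the real file format.
MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"BM", "image/bmp"),
)


def sniff_image_type(data):
    """Return the image type implied by the payload's magic bytes, or None."""
    for magic, mime_type in MAGIC:
        if data.startswith(magic):
            return mime_type
    return None


def image_mismatches(raw_message):
    """List image parts whose declared type, filename and content disagree."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "image":
            continue
        declared = part.get_content_type()
        # get_filename() falls back to the Content-Type "name" parameter when
        # Content-Disposition has no filename, as in the quoted spam.
        filename = part.get_filename() or ""
        extension = os.path.splitext(filename)[1].lower()
        sniffed = sniff_image_type(part.get_payload(decode=True) or b"")

        reasons = []
        if declared in NONSTANDARD_TYPES:
            reasons.append("nonstandard-type")
        allowed = EXPECTED_EXT.get(declared)
        if allowed is not None and extension and extension not in allowed:
            reasons.append("extension")
        if sniffed is not None and sniffed != declared:
            reasons.append("magic")
        if reasons:
            findings.append({"declared": declared, "filename": filename,
                             "sniffed": sniffed, "reasons": reasons})
    return findings


# Constructed sample: one mislabelled part (JPEG bytes, image/bmp type, .jpg
# name) and one consistent PNG part. Not taken from the pastebin in the thread.
_JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 12
_PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLE = f"""\
From: sender@example.org
To: rcpt@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="EXAMPLE-BOUNDARY"

--EXAMPLE-BOUNDARY
Content-Type: text/plain; charset=us-ascii

filler text

--EXAMPLE-BOUNDARY
Content-Type: image/bmp; name=transistor.jpg
Content-Transfer-Encoding: base64
Content-Disposition: inline

{base64.b64encode(_JPEG_BYTES).decode()}
--EXAMPLE-BOUNDARY
Content-Type: image/png; name=logo.png
Content-Transfer-Encoding: base64
Content-Disposition: inline

{base64.b64encode(_PNG_BYTES).decode()}
--EXAMPLE-BOUNDARY--
"""

if __name__ == "__main__":
    for finding in image_mismatches(SAMPLE):
        print(finding)
```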
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
- Per Jessen p...@computer.org wrote: Jonas Eckerman wrote: (And of course, if this catches on, you'll have to provide RFC style documentation.) See Justin's posting from two days back: http://tools.ietf.org/draft/draft-stumpf-dns-mtamark/ http://tools.ietf.org/draft/draft-stumpf-dns-mtamark/draft-stumpf-dns-mtamark-04.txt That proposal does not appear to have caught a lot of interest in 2004/2005, but perhaps it might now. /Per Jessen, Zürich Personally I think it is a great idea and anything to help combat the spam is always a worthwhile effort. Is it possible to resurrect that proposal and work with the original authors and perhaps combine the efforts ? Anybody who takes time to come up with ideas like this deserves the support of the community. I am all for helping, where I can, to take this forward. -- Thanks, Phil
Re: MTX plugin created (Re: Spam filtering similar to SPF, less breakage)
- dar...@chaosreigns.com wrote: http://www.chaosreigns.com/mtx/ -- Democracy is the theory that the common people know what they want, and deserve to get it good and hard. - H. L. Mencken http://www.ChaosReigns.com Like the simplicity and it does appear to be a great idea. Why do you believe SPF or DKIM generate breakage ? -- Thanks, Phil
Re: [OT?] Web Form Spam
- te...@cnysupport.com wrote: I've recently started receiving web form spam, but I'm not quite sure what to make of it. My websites contains a couple of support request forms that ask for minimal information (business name, name, phone, problem, email address). Recently, I've started receiving forms that contain random keyboard letters that look like they were typed by a person (in keyboard order like asdfghjk) and contain nothing valid except possibly the email address. The IP addresses are all from outside my country, so it's not possible they're legitimate. Normally I wouldn't care about a few spams, but these create an emergency support ticket which means that someone gets paged in the middle of the night. I just implemented a Country IP verification on the form handler to stop this, however I'm really puzzled why anybody would bother to fill out the form with random data in the first place. Anybody have any ideas what anybody would hope to accomplish with this? Terry Bayes poisoning ? Do you not have any sort of human verification on the form eg. CAPTCHA -- Thanks, Phil
Re: pill image spam learns to walk
- Mike Cardwell spamassassin-us...@lists.grepular.com wrote: | On 11/01/2010 10:22, Jason Haar wrote: | Hi there | | We've been getting a few of these leaking through in the past couple | of | weeks. | | http://pastebin.com/m574da717 | | They aren't triggering (enough) network rule matches, contain a | bayes-killer, and even FuzzyOCR can't manage the swirly image trick | they | pull. Has anyone come up with a way to fight these? (I've actually | added | all the phrases that occur in this image to FuzzyOCR - didn't help) | | I just copied and pasted that out of pastebin into a little project | I've | been working on. Here's the result: | | http://spamalyser.com/v/6xnb26gp/mime | | Unlike with pastebin, it mime decodes emails and you can see the | decoded | image at the bottom of that page. | That is awesome, Mike! really helps to visualise. -- Thanks - Phil
Re: Is this list working?
- Lars Ebeling lars.ebel...@leopg9.no-ip.org wrote: | Or am I blacklisted? | | -- | Regards | Lars Ebeling All appears okay ... -- This message has been scanned for viruses and dangerous content and is believed to be clean. SplatNIX IT Services :: Innovation through collaboration
Re: OT bad news
- Quanah Gibson-Mount qua...@zimbra.com wrote: | --On Monday, October 05, 2009 11:50 PM +0200 mouss | mo...@ml.netoyen.net | wrote: | | Thomas Mullins wrote: | We have been running Spamassassin for maybe eight years now. But, | my | coworkers do not like OpenSource. So they have finally complained | enough that my boss is going to replace our reliable | FreeBSD/Spamassassin boxes. They are planning on purchasing | something | that runs ON Exchange. What a bummer. | | | | and the problem is? | | if they want exchange, give them exchange. don't fight (directly), | watch | instead. take pleasure of the situation, get fun as you can. I | personally took fun all day long in windows-only (and believe it or | not, | in linux-only) environments. | | | that said, you can still try to explain that exchange should not be | exposed to the internet. you still need a relay (such as | freebsd/postfix). | | | And once exchange falls over, show them Zimbra. ;) Which uses | postfix/SA/amavis, etc, and looks a lot like exchange... only better. | ;) | | --Quanah | Seconded :) Best Regards,
Re: Non scoring 'Bank Deposit' spam
- Clunk Werclick mailbacku...@googlemail.com wrote: | On Sun, 2009-09-13 at 16:37 -0600, LuKreme wrote: | On 12-Sep-2009, at 10:27, Clunk Werclick wrote: | I disagree. It can do as much harm as good. My own view and | observation | from the past have rendered it pointless in my context. It adds | latency, | is easily poisoned and rarely makes much difference to the score. | I do | appreciate some people like it, but my own view is spam has moved | on | beyond the point of it being useful. | | Facts? we don't need no pesky facts. You are very misinformed. | Myself, I've seen some very poor Bayesian databases where users have | been allowed to categorize mail as spam-v-ham. One company who deal | with | Pharmaceuticals for famine relief in Uganda and other poor African | countries found bayes to mess with their core mail to a point that | made | it worthless in their context. | | It really comes down to the context and effort -v- the return. | No thanks, I'll pass on that. In this specific case it still would | not | have increased the score to a point where the clock cycles made it | | worth | it. | | The Bayes score ALONE would have pushed this over the spam threshold | | on my machine. | My point is the content of that mail, which has been circulating for | weeks almost unchanged, really should bite on a core rule, not rely | on | plugins and bayes to catch it. | | tangentInterestingly, It is fair to say that Jari's follow up *did* | show Bayes giving it 5 points. This was then destroyed by AWL | dropping | 4.1 off of it: | | 5.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100% | -4.1 AWL: From: address is in the auto machine./tangent | | I've created a custom meta rule; I'm almost sorry I came here and | asked. | Some of the people here on this list are just so rude, and you sir, | are | an Arsehole! | | | | -- | --- | C Werclick .Lot | Technical incompetent | Loyal Order Of The Teapot. 
| | This e-mail and its attachments is intended only to be used as an | e-mail | and an attachment. Any use of it for other purposes other than as an | e-mail and an attachment will not be covered by any warranty that may | or | may not form part of this e-mail and attachment. | And that kind of post can get you banned as well! Bayes works and any issues found are normally down to bad training. Perhaps the second line of your sig may be the reason ? ;)
Re: Non scoring 'Bank Deposit' spam
- Clunk Werclick mailbacku...@googlemail.com wrote: | On Mon, 2009-09-14 at 11:46 +0200, Matus UHLAR - fantomas wrote: |On 12-Sep-2009, at 10:27, Clunk Werclick wrote: | I disagree. It can do as much harm as good. My own view and | observation from the past have rendered it pointless in my | context. It | adds latency, is easily poisoned and rarely makes much | difference to | the score. I do appreciate some people like it, but my own | view is | spam has moved on beyond the point of it being useful. | | On Sun, 2009-09-13 at 16:37 -0600, LuKreme wrote: |Facts? we don't need no pesky facts. You are very misinformed. | | On 14.09.09 08:48, Clunk Werclick wrote: | Myself, I've seen some very poor Bayesian databases where users | have | been allowed to categorize mail as spam-v-ham. One company who | deal with | Pharmaceuticals for famine relief in Uganda and other poor | African | countries found bayes to mess with their core mail to a point that | made | it worthless in their context. | | I would say that is a result of badly trained BAYES, not from its | bad | design. | | If you insist on not using bayes, just because it can be mistrained, | better | don't use any configurable software, because _everything_ | configurable will go wrong | if misconfigured. | | The *issue* with bayes is it *can* have user input. Would you trust | your | users influencing system wide policy? | | I've already stated I'll try it. So read the xx follow up before | shouting your thick foreign mouth off you stupid ! | If the OP cannot refrain from that sort of foul language when presented with counter arguments then please ban. The list would be far happier IMHO. BR,
Re: Non scoring 'Bank Deposit' spam
- Matus UHLAR - fantomas uh...@fantomas.sk wrote: | On 12-Sep-2009, at 10:27, Clunk Werclick wrote: | I disagree. It can do as much harm as good. My own view and | observation from the past have rendered it pointless in my | context. It | adds latency, is easily poisoned and rarely makes much | difference to | the score. I do appreciate some people like it, but my own | view is | spam has moved on beyond the point of it being useful. | |On Sun, 2009-09-13 at 16:37 -0600, LuKreme wrote: | Facts? we don't need no pesky facts. You are very | misinformed. | | On 14.09.09 08:48, Clunk Werclick wrote: |Myself, I've seen some very poor Bayesian databases where users | have |been allowed to categorize mail as spam-v-ham. One company who | deal with |Pharmaceuticals for famine relief in Uganda and other poor | African |countries found bayes to mess with their core mail to a point | that made |it worthless in their context. | | On Mon, 2009-09-14 at 11:46 +0200, Matus UHLAR - fantomas wrote: | I would say that is a result of badly trained BAYES, not fgrom its | bad | design. | | On 14.09.09 12:06, Clunk Werclick wrote: | The *issue* with bayes is it *can* have user input. Would you trust | your | users influencing system wide policy? | | That only happens if you allow your users to train system-wide BAYES. | However this is usually also called misconfiguration - in common | situations either users have their own bayes databases, or they can't | train | the site-wide one. | | If you insist on not using bayes, just because it can be | mistrained, | better don't use any configurable software, because _everything_ | configurable will go wrong if miscongured. | | I've already stated I'll try it. So read the fucking follow up | before | shouting your thick foreign mouth off you stupid cunt! | | I have read your previous posts, I only wanted to react on some of | your | arguments. 
I would post the private email I received from Clunk but I will not lower myself or expose the list to such vulgarity. BR,
Re: Non scoring 'Bank Deposit' spam
Clunk Werclick mailbacku...@googlemail.com wrote: | On Mon, 2009-09-14 at 12:24 +0100, --[ UxBoD ]-- wrote: | - Clunk Werclick mailbacku...@googlemail.com wrote: | | | On Mon, 2009-09-14 at 11:46 +0200, Matus UHLAR - fantomas wrote: | |On 12-Sep-2009, at 10:27, Clunk Werclick wrote: | | I disagree. It can do as much harm as good. My own view | and | | observation from the past have rendered it pointless in | my | | context. It | | adds latency, is easily poisoned and rarely makes much | | difference to | | the score. I do appreciate some people like it, but my | own | | view is | | spam has moved on beyond the point of it being useful. | | | | On Sun, 2009-09-13 at 16:37 -0600, LuKreme wrote: | |Facts? we don't need no pesky facts. You are very | misinformed. | | | | On 14.09.09 08:48, Clunk Werclick wrote: | | Myself, I've seen some very poor Bayesian databases where | users | | have | | been allowed to categorize mail as spam-v-ham. One company | who | | deal with | | Pharmaceuticals for famine relief in Uganda and other poor | | African | | countries found bayes to mess with their core mail to a point | that | | made | | it worthless in their context. | | | | I would say that is a result of badly trained BAYES, not fgrom | its | | bad | | design. | | | | If you insist on not using bayes, just because it can be | mistrained, | | better | | don't use any configurable software, because _everything_ | | configurable will go wrong | | if miscongured. | | | | The *issue* with bayes is it *can* have user input. Would you | trust | | your | | users influencing system wide policy? | | | | I've already stated I'll try it. So read the xx follow up | before | | shouting your thick foreign mouth off you stupid ! | | | If the OP cannot refrain from that sort of foul language when | presented with counter arguments then please ban. The list would be | far happier IMHO. | Then stop off list mailing me you thick cunt and tell someone that | fucking cares. | | BR, | Pity! 
all my posts have been on list - only direct one was to respond to your private message. Ho hum. Move along.
Re: [sa] Re: Non scoring 'Bank Deposit' spam
- Charles Gregory cgreg...@hwcn.org wrote: | On Mon, 14 Sep 2009, Clunk Werclick wrote: | Clearly not - but then, using Spamassassin as a filter ensures just | about everything gets through CUNTFACE. | | Congratulations! You've done something I have very rarely seen | on any internet forum. You've gotten everyone to AGREE on something! | | I also agree: +1 Ban Clunk. | | - Charles | | PS When signing e-mails, leave a blank line, and also, your name | doesn't have to be in all-caps. | As expressed to a couple of other members, off list, the OP also launched a SMTP DoS attack against me. If anybody would like further information please let me know. Best Regards,
Re: Non scoring 'Bank Deposit' spam
- Chris Owen ow...@hubris.net wrote:
| On Sep 14, 2009, at 11:38 AM, LuKreme wrote:
|
| On 14-Sep-2009, at 10:17, jdow wrote:
| :0
| * 9876543210^0 ^From: .*\mailbacku...@googlemail.com\
| * 9876543210^0 ^From:.*clunk\.wercl...@wibblywobblyteapot\.co\.uk
| /dev/null
|
| Will work better. (and you don't need a lock on /dev/null)
|
| I usually also use the 'h' flag on /dev/null rules:
|
| :0h
|
| I'm sure writing to /dev/null doesn't take very long but why bother
| writing the body of the message.
|
| Chris
|
| -
| Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
| President - Wichita (316) 858-3000 -A stupidity tax
| Hubris Communications Inc www.hubris.net
| -
|

Well I happen to know the MD of my ISP so perhaps I shall have a word ... I am sure he would not want DoS going in through his network ... These things can bring a list into disrepute. It is okay to voice one's own opinion; but without profanity and blatant disrespect to another's resources! We all sit on these lists to help each other and learn.

Best Regards,
Re: Non scoring 'Bank Deposit' spam
- LuKreme krem...@kreme.com wrote:
| On 14-Sep-2009, at 10:17, jdow wrote:
| :0
| * 9876543210^0 ^From: .*\mailbacku...@googlemail.com\
| * 9876543210^0 ^From:.*clunk\.wercl...@wibblywobblyteapot\.co\.uk
| /dev/null
|
| Will work better. (and you don't need a lock on /dev/null)
|
| --
| In England 100 miles is a long distance. In the US 100 years is a
| long time
|
|

Perhaps the OP should read the AUP ! http://www.zen.co.uk/policies/acceptable-use-policy.aspx

Best Regards,
Re: .cn domain age query?
- Bill Landry b...@inetmsg.com wrote: | On Mon, 14 Sep 2009, Warren Togami wrote: | | One thing they all have in common is their registration dates are | very | young according to whois lookups. It seems in general if we had a | reliable way to lookup domain age we might be able to | differentiate | spam. | | What's the current status of the Day Old Bread BL? Has it moved to | subscription-only? | | Still working fine for me here, 51 hits so far today against DOB. | | Bill | Not come across that RBL before! Thanks :) Best Regards,
Re: .cn domain age query?
- Karsten Bräckelmann guent...@rudersport.de wrote:
| On Mon, 2009-09-14 at 18:55 +0100, --[ UxBoD ]-- wrote:
|
| Still working fine for me here, 51 hits so far today against DOB.
|
| Not come across that RBL before! Thanks :)
|
| grep _DOB *.cf    # Part of the stock rule-set.
|

How dumb me be ;) Thanks Karsten :D Should have checked ... Been too busy defending a previous naughty OP ;)

Best Regards,
Re: Non scoring 'Bank Deposit' spam
- Benny Pedersen m...@junc.org wrote: | On Mon 14 Sep 2009 16:54:39 CEST, Bill Landry wrote | So how far does someone have to go before getting banned from the | list? Is this not far enough yet? | | he just come back with another sender email, with another reply-to, it | | will be endless banning new email addresses | | -- | xpoint | | Blocked now @ FW .. Will contact Zen tomorrow and report as the OP is in violation of the ISP AUP. Best Regards,
Re: Non scoring 'Bank Deposit' spam
- Clunk Werclick mailbacku...@googlemail.com wrote: | On Mon, 2009-09-14 at 19:52 +0100, --[ UxBoD ]-- wrote: | - Benny Pedersen m...@junc.org wrote: | | | On Mon 14 Sep 2009 16:54:39 CEST, Bill Landry wrote | | So how far does someone have to go before getting banned from | the | | list? Is this not far enough yet? | | | | he just come back with another sender email, with another | reply-to, it | | | | will be endless banning new email addresses | | | | -- | | xpoint | | | | | Blocked now @ FW .. Will contact Zen tomorrow and report as the OP | is in violation of the ISP AUP. | | go *right* ahead. Here you go: | ab...@zen.co.uk | | I guess it will take a retard like you a *whole* day to find it. | | | Best Regards, | Not at all ... If you were so kind as to have stopped the profanity and vulgarity then people would have been more approachable and helpful. It was kindly asked that you refrained from such posting yet you felt you were exempted. As I have already said the lists are here to help people and learn. We should not be exposed to such rubbish. Otherwise why have the lists in the first place? Every individual has the right to put forward their view and opinion; but when using the language you felt easy to adopt it makes a mockery. And I must say thank you for the email address; that really helps (not). A phone call is a lot easier to explain on the potential impact a ISP subscriber could be having to the providers business. I believe you could put some valid viewpoints forward, and if this was done in a mature, professional manner I am sure everyone would be very pleased. Thank you for your time. Best Regards,
Flag Image SPAM
Hi, Cannot recall seeing a follow up to John H new rules; Are they available now or still under test review ? Best Regards,
Re: Barracuda RBL in first place
- Marc Perkel m...@perkel.com wrote:

Aaron Wolfe wrote:

On Fri, Aug 14, 2009 at 11:24 AM, Chris Owen ow...@hubris.net wrote:

On Aug 14, 2009, at 10:13 AM, Mike Cardwell wrote:

The comparisons on that page are useless. What matters is list policy, reliability and reputation. SpamHaus is hands down the best dnsbl.

While I certainly agree that SpamHaus is very good, I would argue that Invaluement is currently better. It certainly stops a lot more spam here and I think false positives are still extremely low.

Invaluement lists are also the top performers at my site:

Total messages: 273235355
Total blocked:  227710956  83.34%

Unknown user                         32.00% (32.00%)  87427696
Greylisted                           24.88% (16.92%)  46225401
Throttled                            11.03% (5.64%)   15399444
Relay access denied                   0.01% (0.00%)       7034
Bogus DNS (Broadcast)                 0.01% (0.00%)      11692
Bogus DNS (RFC 1918 space)            0.07% (0.03%)      82135
Spoofed Address                       0.26% (0.12%)     319551
Unclassified Event                    0.77% (0.35%)     949388
Temporary Local Problem               0.01% (0.00%)       8165
Require FQDN sender address           0.04% (0.02%)      51022
Require FQDN for HELO hostname        8.97% (4.02%)   10988455
Require DNS for sender's domain       0.78% (0.32%)     870643
Require Reverse DNS                  23.83% (9.65%)   26372877
Require DNS for HELO hostname         0.20% (0.06%)     165157
The Spamhaus Block List              21.87% (6.74%)   18405091
The Invaluement SIP Block List       22.14% (5.33%)   14557404
The SIP/24 Block List                 3.84% (0.72%)    1965510
The Barracuda Reputation Block List   3.89% (0.70%)    1915628

(several RBLs not widely used snipped)

We have several hundred domains and each can use its own filtering options, so not all RBLs/checks are used on all mail. Checks are listed in order applied, so a message dropped by unknown user for instance is never seen by greylisted. Invaluement lists block over 25% of all messages that make it past all the checks in front of them, including Spamhaus. That's massive. Barracuda is not used by a majority of clients and is used after the others, so the low number is not an indication of poor performance. I've actually had pretty good luck with it.

-Aaron

------------------------------------------------------------------
RANK  RULE NAME               COUNT  %OFMAIL  %OFSPAM  %OFHAM
------------------------------------------------------------------
   1  URIBL_INVALUEMENT       27029    47.58    85.13    0.60
   2  RCVD_IN_INVALUEMENT     26116    45.81    82.26    0.22
   3  HTML_MESSAGE            25184    79.83    79.32   80.48
   4  BAYES_99                23445    41.09    73.84    0.12
   5  RCVD_IN_INVALUEMENT24   23290    40.85    73.35    0.18
   6  URIBL_BLACK             22372    39.49    70.46    0.74
   7  RCVD_IN_JMF_BL          16845    30.70    53.06    2.74
   8  URIBL_JP_SURBL          15962    27.99    50.27    0.12
   9  DKIM_SIGNED             12137    37.32    38.23   36.18
  10  DKIM_VERIFIED           11051    33.93    34.81   32.84

Chris

-
Chris Owen - Garden City (620) 275-1900 - Lottery (noun):
President - Wichita (316) 858-3000 - A stupidity tax
Hubris Communications Inc www.hubris.net
-

Yep Invaluement is a good list. But there's no public option to compare it.

What log script do you good people use to generate the list above ? Is it a home brew or one we can download so we can compare our own hits ?
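One way to build a rule-hit table like the one quoted above from your own logs. This is an added example, not the script any poster in the thread used and not part of SpamAssassin; the function names are made up, the log lines are constructed, and it assumes spamd's usual "spamd: result: Y 20 - RULES scantime=..." syslog line with "." marking ham. COUNT is the number of spam messages that hit the rule, which is how the quoted table's percentages work out.

```python
import re
from collections import Counter

# Assumed spamd syslog shape: "spamd: result: Y 20 - RULE_A,RULE_B scantime=...".
# "Y" marks spam, "." marks ham; the rule list can be empty.
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.])\s+(?P<score>-?\d+)\s+-\s"
    r"(?P<rules>[\w,]*)\s*scantime="
)


def parse_results(lines):
    """Yield (is_spam, [rule, ...]) for every spamd result line."""
    for line in lines:
        match = RESULT_RE.search(line)
        if match:
            rules = [r for r in match.group("rules").split(",") if r]
            yield match.group("flag") == "Y", rules


def rule_stats(lines, top=10):
    """Rank rules by spam hits and report their share of mail, spam and ham."""
    total = spam_total = 0
    spam_hits, ham_hits = Counter(), Counter()
    for is_spam, rules in parse_results(lines):
        total += 1
        spam_total += is_spam
        # set() guards against a rule being listed twice for one message.
        (spam_hits if is_spam else ham_hits).update(set(rules))
    ham_total = total - spam_total

    def pct(part, whole):
        return round(100.0 * part / whole, 2) if whole else 0.0

    # Sort by spam hits, then by name so ties come out in a stable order.
    ranked = sorted(spam_hits.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
    return [
        {
            "rank": rank,
            "rule": rule,
            "count": count,
            "pct_mail": pct(count + ham_hits[rule], total),
            "pct_spam": pct(count, spam_total),
            "pct_ham": pct(ham_hits[rule], ham_total),
        }
        for rank, (rule, count) in enumerate(ranked, 1)
    ]


def format_table(rows):
    """Render rows in the column layout of the table quoted in the thread."""
    out = ["RANK  %-24s %7s %8s %8s %7s"
           % ("RULE NAME", "COUNT", "%OFMAIL", "%OFSPAM", "%OFHAM")]
    for r in rows:
        out.append("%4d  %-24s %7d %8.2f %8.2f %7.2f"
                   % (r["rank"], r["rule"], r["count"],
                      r["pct_mail"], r["pct_spam"], r["pct_ham"]))
    return "\n".join(out)


# Constructed log lines (three spam, two ham, one unrelated line).
SAMPLE_LOG = """\
Aug 14 10:00:01 mx1 spamd[2101]: spamd: result: Y 20 - BAYES_99,HTML_MESSAGE,URIBL_BLACK scantime=1.2,size=2048,user=filter
Aug 14 10:00:02 mx1 spamd[2101]: spamd: result: Y 12 - HTML_MESSAGE,URIBL_BLACK scantime=0.9,size=1776,user=filter
Aug 14 10:00:03 mx1 spamd[2101]: spamd: result: .  0 - DKIM_SIGNED,HTML_MESSAGE scantime=0.7,size=5120,user=filter
Aug 14 10:00:04 mx1 spamd[2101]: spamd: result: . -1 - DKIM_SIGNED scantime=0.5,size=900,user=filter
Aug 14 10:00:05 mx1 spamd[2101]: spamd: result: Y  8 - BAYES_99,URIBL_BLACK scantime=1.1,size=1400,user=filter
Aug 14 10:00:06 mx1 spamd[2101]: spamd: connection from localhost [127.0.0.1] at port 40006
""".splitlines()

if __name__ == "__main__":
    print(format_table(rule_stats(SAMPLE_LOG)))
```

Rules that only ever hit ham (DKIM_SIGNED in the sample) do not appear, because the ranking is by spam hits.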
Re: Elusive spam
- John Hardin jhar...@impsec.org wrote:

On Wed, 2009-08-12 at 16:20 -0700, Ted Mittelstaedt wrote:

Maybe this will sound dumb but wouldn't it be perfectly safe to blacklist example.com after all, that isn't a domain you're ever going to get mail from.

Ted

That is there because Alex likely wishes to keep his real domain private. Note that the envelope TO address is @example.com, which would never be delivered, unless Alex really _does_ own the example.com domain...

MySQL Student wrote:

I'm having trouble catching a particular type of spam, and hoped someone had some time to take a look:

http://pastebin.com/d57336542

It doesn't match RAZOR2, or any of the URI lists, and it's only BAYES_50. I have a pretty well-established BAYES db, so I'm surprised it's only BAYES_50. What can I do to block spam like this in the future?

Thanks, Alex

Alex, there's likely not much you can do. On a spam that short there's not a lot to work with. You could increase the score for URI_HEX. If the form of the URI is consistent, perhaps something like this would help:

    uri URI_NUMERIC_CCTLD m,^[a-z]+://(?:\d+\.){2,}[a-z][a-z]/,i

This is really suspicious:

    X-Mailer: Gentoo

Gentoo is an OS, not a MUA. Is that at all consistent? If so:

    header GENTOO_MUA X-Mailer =~ /^Gentoo$/

Or perhaps this:

    header MUA_ONE_WORD X-Mailer =~ /^[a-z]+$/i

(all untested, sorry)

Alex, Ran it through myself and got a pretty decent score so it seems to depend on whether you are checking any of the other RBLs ?

Content analysis details: (20.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.0 RCVD_IN_BRBL           RBL: Received via relay listed in Barracuda RBL
                            [74.86.146.6 listed in b.barracudacentral.org]
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?74.86.146.6]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [74.86.146.6 listed in zen.spamhaus.org]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [74.86.146.6 listed in dnsbl.sorbs.net]
 2.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: 888098.tk]
 5.0 RCVD_IN_IVMSIP         RBL: listed on ivmSIP found at invaluement.com
                            [74.86.146.6 listed in sip.invaluement.com]
 4.0 URIBL_IVMURI           Contains a URL listed on ivmURI found at invaluement.com
                            [URIs: 888098.tk]
 0.0 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.4 URI_HEX                URI: URI hostname has long hexadecimal sequence
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4553]

Best Regards,
Re: Low score
- Thomas Casartello tcasarte...@wsc.ma.edu wrote: Been getting a lot of low scoring stuff like this lately. Any suggestions? Please post the complete email to pastebin so we can run it through our own installations. It would help if you let us know which rules it actually hit on in your installation ? Best Regards,
AutoWhiteList
Hi, Where can I find sa-awlUtil as it does not appear to be in the download file ?

Best Regards,
Re: Cant Post Message
- twofers twof...@yahoo.com wrote:

I have a post I have tried several times over the last week to post to this forum and it never seems to get posted. I don't understand why? There is nothing exotic about it, just text, a question and email header info I pasted. Any idea what's up? Thanks, Wes

obfuscate the header as it may be tripping SA :) or even better use pastebin.

Best Regards,
RelayCountry Check
Hi, Would somebody please let me know what is required to get it to work :) I have installed the Perl module and enabled the plugin but it never appears to hit :(

Best Regards,
Re: RelayCountry Check
- Mariusz Kruk k...@epsilon.eu.org wrote:

On Tue, 2009-07-28 at 11:20 +0100, --[ UxBoD ]-- wrote:

Hi, Would somebody please let me know what is required to get it to work :) I have installed the Perl module and enabled the plugin but it never appears to hit :(

The plugin itself only adds metadata to the message. You need to configure SA to use this metadata. http://wiki.apache.org/spamassassin/RelayCountryPlugin

That's the issue ... the meta-data never gets added :( I have run SA with debug and lint and the Perl module etc is loaded fine. No warnings at all.

Best Regards,
Re: RelayCountry Check
- Mariusz Kruk k...@epsilon.eu.org wrote:

On Tue, 2009-07-28 at 11:29 +0100, --[ UxBoD ]-- wrote:

- Mariusz Kruk k...@epsilon.eu.org wrote:

On Tue, 2009-07-28 at 11:20 +0100, --[ UxBoD ]-- wrote:

Hi, Would somebody please let me know what is required to get it to work :) I have installed the Perl module and enabled the plugin but it never appears to hit :(

The plugin itself only adds metadata to the message. You need to configure SA to use this metadata. http://wiki.apache.org/spamassassin/RelayCountryPlugin

That's the issue ... the meta-data never gets added :( I have run SA with debug and lint and the Perl module etc is loaded fine. No warnings at all.

You say that you installed the Perl module - you mean the RelayCountry plugin or the IP::Country::Fast module? (needed by the RC module)

IP::Country::Fast as defined in the requirements.

Best Regards,
Re: RelayCountry Check
- Matus UHLAR - fantomas uh...@fantomas.sk wrote:

On Tue, 2009-07-28 at 11:20 +0100, --[ UxBoD ]-- wrote:

Would somebody please let me know what is required to get it to work :) I have installed the Perl module and enabled the plugin but it never appears to hit :(

- Mariusz Kruk k...@epsilon.eu.org wrote:

The plugin itself only adds metadata to the message. You need to configure SA to use this metadata. http://wiki.apache.org/spamassassin/RelayCountryPlugin

On 28.07.09 11:29, --[ UxBoD ]-- wrote:

That's the issue ... the meta-data never gets added :( I have run SA with debug and lint and the Perl module etc is loaded fine. No warnings at all.

How do you use SA? e.g. spamass-milter doesn't push all headers to message, only those it has compiled in (a bug imho)...

AmavisD-new is used. I have installed other SA plugins eg. BotNet and they are working fine.

Best Regards,
Re: Any one interested in using a proper forum?
- snowweb pe...@snowweb.co.uk wrote:

I don't know about anyone else, but I'm getting a bit hacked off with this 1980's style forum. I'm trying to get to the bottom of an SA issue and this list/forum thing is giving me a bigger headache than SA! Spamassassin has more than one or two users now and I personally think that it should have a support forum to match the class of software, which is now world class. I know it's free and all that, but even so, if this is the only form of support they provide, I'm thinking that I'll just start an alternative support forum, using standard, full featured forum software (like SMF). Is there any support for this (I already know there will be opposition from those who are 'resident' here. Sorry guys, I just want do something to help those who just dive in when they have an urgent problem. No hard feelings I hope.) Peter Snow

As a moderator for a very large forum I hope you have lined up a good group of mods to handle all the SPAM you will get ;)

Best Regards,
Re: RelayCountry Check
- Stefan ste...@localside.net wrote:

--[ UxBoD ]--:

- Matus UHLAR - fantomas uh...@fantomas.sk wrote:

On Tue, 2009-07-28 at 11:20 +0100, --[ UxBoD ]-- wrote:

Would somebody please let me know what is required to get it to work :) I have installed the Perl module and enabled the plugin but it never appears to hit :(

- Mariusz Kruk k...@epsilon.eu.org wrote:

The plugin itself only adds metadata to the message. You need to configure SA to use this metadata. http://wiki.apache.org/spamassassin/RelayCountryPlugin

On 28.07.09 11:29, --[ UxBoD ]-- wrote:

That's the issue ... the meta-data never gets added :( I have run SA with debug and lint and the Perl module etc is loaded fine. No warnings at all.

How do you use SA? e.g. spamass-milter doesn't push all headers to message, only those it has compiled in (a bug imho)...

AmavisD-new is used. I have installed other SA plugins eg. BotNet and they are working fine.

see: http://www.mail-archive.com/amavis- u...@lists.sourceforge.net/msg11080.html

Awesome! Thank you :)

Best Regards,
Re: Celebrity spams
look at line 55 of the pastebin ;) you can use that URL I believe.

Regards,
--
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- penny/dell [EMAIL PROTECTED] wrote:

Thanks for the uribl.com info. We will be contributing to it, it's a great resource. Back to the original problem The links are inconsistent. I'll post another. http://pastebin.com/m6025c7b4

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Celebrity spams
why not :-

  util_rb_2tld grupogsv.com

as that appears as part of the link ?

Regards,

- penny/dell [EMAIL PROTECTED] wrote:

here is the raw body of one of the emails http://pastebin.com/m71e204d

Luis Hernán Otegui wrote:
Re: SpamAssassin hogs the CPU
What RBL lookup lists are you using ?

Regards,

- FC Mario Patty [EMAIL PROTECTED] wrote:

Guys, I've followed the instruction in http://wiki.apache.org/spamassassin/FasterPerformance and run `sa-compile` (after installed re2c), but the problem still exists. Since some-one had said that it might be a DNS problem, I stopped using Mail::SpamAssassin::Plugin::DNSEval plugin (put a # character in the v320.pre file). Is there something that I can do to prevent spamd eat my CPU to 99.9%? FYI, below is how I configured spamassassin:

  #!/bin/sh
  ./configure --enable-ripmime --enable-attach=y \
Re: Multiple Images spam
Botnet just pushed it over for us :-

Content analysis details: (8.3 points, 5.0 required)

 pts rule name               description
---- ----------------------- --------------------------------------------------
 3.0 URIBL_BLACK             Contains an URL listed in the URIBL blacklist
                             [URIs: webuyyour.com]
 5.0 BOTNET                  Relay might be a spambot or virusbot
                             [botnet0.8,ip=72.46.141.7,nordns]
 0.2 HTML_IMAGE_RATIO_04     BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE            BODY: HTML included in message
 0.0 BAYES_50                BODY: Bayesian spam probability is 40 to 60%
                             [score: 0.5003]
 0.1 RDNS_NONE               Delivered to trusted network by a host with no rDNS

Regards,

- Dan Barker [EMAIL PROTECTED] wrote:

I'm seeing a lot of image spam, but the images are not individually spammy. There are 5 tall, skinny images that together sell colon cleansing, or some such. Any ideas? Spam scores quite low, so far. Dan

Sample: http://www.visioncomm.net/5image.txt

Report:

  X-Spam-Level: ***
  X-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_60=1, HTML_IMAGE_RATIO_04=0.172,HTML_MESSAGE=0.001,URIBL_BLACK=1.955 autolearn=no version=3.2.3
Re: script to send mail when error detected in log file
this link works just fine :- http://mesh.dl.sourceforge.net/sourceforge/swatch/swatch-3.2.2.tar.gz

Regards,

- Agnello George [EMAIL PROTECTED] wrote:

On 3/4/08, Matt Kettler [EMAIL PROTECTED] wrote:
Re: What is a pid file
Process Identifier. When any process is forked (started) it will have a unique number associated with it. It will also have a PPID (Parent Process Identifier) ie. what was the process that forked the child. http://en.wikipedia.org/wiki/Process_identifier

Regards,

- Agnello George [EMAIL PROTECTED] wrote:

while starting spamd i was recommended to use the -r switch which Write the process id to pidfile Now!! what is a pidfile ... can't find much on google can any one help me with this basic stuff !! thanks !!
Re: What is a pid file
Pidfile holds the PID of the forked process ie. /var/run/MailScanner.pid

Regards,

- Agnello George [EMAIL PROTECTED] wrote:

while starting spamd i was recommended to use the -r switch which Write the process id to pidfile Now!! what is a pidfile ... can't find much on google can any one help me with this basic stuff !! thanks !!
Re: Too false negative
policyd works a treat :) V2 is also in development as well.

Regards,

- Rocco Scappatura [EMAIL PROTECTED] wrote:

What do I need to set up GL? Only the command below or there is something other parameter that I could set up (eg: the time spent before a message is accepted and so on)?

of course, you need to install a policy server! Cami's policyd is a good choice (it also has other features such throttling, blacklisting, ... etc). for postfix config see below.

I already saw it quickly.. I hope its usage is not too 'invasive' with my current system.. Any way I will try to use it and I let you know.. Thanks, rocsca
Re: Need rule for this type of spam
score here as follows :-

Content analysis details: (17.1 points, 5.0 required)

 pts rule name               description
---- ----------------------- --------------------------------------------------
 5.0 BOTNET                  Relay might be a spambot or virusbot
                             [botnet0.8,ip=213.189.148.42,rdns=ip-213-189-148-042.fix.magnet.ch,client,ipinhostname,clientwords]
 3.0 RCVD_IN_XBL             RBL: Received via a relay in Spamhaus XBL
                             [213.189.148.42 listed in zen.spamhaus.org]
 4.0 RCVD_IN_BL_SPAMCOP_NET  RBL: Received via a relay in bl.spamcop.net
                             [Blocked - see http://www.spamcop.net/bl.shtml?213.189.148.42]
 0.0 BAYES_50                BODY: Bayesian spam probability is 40 to 60%
                             [score: 0.5103]
 0.1 RDNS_DYNAMIC            Delivered to trusted network by host with dynamic-looking rDNS
 4.0 JM_SOUGHT_3             JM_SOUGHT_3
 1.0 DOS_OUTLOOK_TO_MX       Delivered direct to MX with Outlook headers

Jason's rules should help you :- http://wiki.apache.org/spamassassin/SoughtRules

Regards,

- jfchaput [EMAIL PROTECTED] wrote:

Hi, Here http://pastebin.com/m309761a5 Thank
Re: Need rule for this type of spam
please post the full message via something like pastebin. we need to see the headers as well.

Regards,

- jfchaput [EMAIL PROTECTED] wrote:

Hi, My spamassassin setup work great but I receive a lot spam like this :

Subject: M!cro soft Office_2OO7 for XP,Vis+a 79. Retail 838 -save 2466- sas jmp statistical discovery 7 - 129 use -newsoftdeal .com- |n Web Browser Erase - before you use |n Web Browser ulead photoImpact x3 - 29 intuit quickbooks premier edition 2007 - 79 intuit quicken home and business 2008 - 39 cdmenupro 6.23 biz edition - 39 alias maya 7.0 unlimited - 109 autodesk architectural studio 3.0 - 39 parallels desktop 3.0 for mac - 29

Can somebody provide me a rule for that or help to create a custom rule? Thanks
Re: Hotmail DCC listed ???
we would need to see the full headers.

Regards,

- Rejaine Monteiro [EMAIL PROTECTED] wrote:

This is the rule check for a 'normal' (non-spam) e-mail become from Hotmail: pts rule name description
Re: Lots Of SPAM
Hi, I score it as follows :-

Content analysis details: (23.1 points, 5.0 required)

 pts rule name               description
---- ----------------------- --------------------------------------------------
 3.5 BAYES_99                BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
 5.0 BOTNET                  Relay might be a spambot or virusbot
                             [botnet0.8,ip=121.23.229.225,nordns]
 0.1 RDNS_NONE               Delivered to trusted network by a host with no rDNS
 4.0 JM_SOUGHT_1             JM_SOUGHT_1
 2.5 KAM_PIC                 Share Pictures and Chat SPAM
 4.0 JM_SOUGHT_3             JM_SOUGHT_3
 4.0 JM_SOUGHT_2             JM_SOUGHT_2

so take a look at http://wiki.apache.org/spamassassin/SoughtRules

Regards,

- Tarak Ranjan [EMAIL PROTECTED] wrote:

Hi List, i have posted my RAW email in http://pastebin.ca/918849 , i'm receiving 1000 to 4000 per day this kind of messages. SA also skipping this kind of mails / TArak
Re: Nice girl like to chat spam
Resolved. Cleared my sa-keys directory and re-imported them all.

Regards,

- --[ UxBoD ]-- [EMAIL PROTECTED] wrote:

  sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
  error: GPG validation failed!
  The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys:
  6C6191E3

I recall seeing this on the list a while ago. How do you fix it ?

Regards,
Re: telnet port 783 from external network
what does netstat -an | grep 783 show ?

Regards,

- Agnello George [EMAIL PROTECTED] wrote:

On 2/19/08, Matt Kettler [EMAIL PROTECTED] wrote:

Agnello George wrote:
Re: Nice girl like to chat spam
  sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
  error: GPG validation failed!
  The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys:
  6C6191E3

I recall seeing this on the list a while ago. How do you fix it ?

Regards,

- Justin Mason [EMAIL PROTECTED] wrote:

Chris writes:
Re: Suggestions to block this spam
please post a URL to a sample message, or via pastebin so that we can run it through our installations and see what it hits. what is your SA installation hitting and scoring it as ?

Regards,

- Kathryn Allan [EMAIL PROTECTED] wrote:

Hi all, Getting tons of this sort of email through have been learning it as spam for the last few days but so far not much luck.
Re: flooded with jr* spam
the inline snort station should show some more detail. do you have access to your routers and switches ?

Regards,

- Michael W Cocke [EMAIL PROTECTED] wrote:

I'll trade you - somewhere in MIT (20K+ computers) is hitting me twice per second with ICMP packets, and netops can't find who I had to degrade the logging on my snort-inline because the system was drowning. Mike-

On Tue, 5 Feb 2008 13:58:30 -0500, you wrote:
Re: One SPAM that got through
- Matt Kettler [EMAIL PROTECTED] wrote:

--[ UxBoD ]-- wrote:

Hi, I just had this message get through :- snip and it only scored 5.6. These are the rules it hit :-

   1.23 ADVANCE_FEE_2
   0.00 BAYES_50
   0.72 SARE_URGBIZ Contains urgent matter
  -0.00 SPF_PASS
   2.08 SUBJ_ALL_CAPS
   1.58 URG_BIZ

Looks like you might want to do some bayes training on that message. All the capitalized text should be an easy target.

I have my SA SPAM score to trigger on 6 and above. Do you think that is too high ? or anyone know of a ruleset to raise the score on these ?

Too high? no. Too high to expect there to be no missed spam, yes. Raising your threshold reduces false positives (nonspam tagged as spam), but it also increases your false negatives (spam that's missed). Lowering your score threshold has the opposite effect. When picking a threshold, you're making a trade-off.. Pick one based on what's important to you. Some folks run as high as 8.0, and others as low as 2.0. Both numbers are pretty extreme, but you get the idea.

For reference, in the set3 mass-checks, going from 5.0 to 6.0 more than halved the FPs (down to 45% of what they were at 5.0), but also increased FNs by 78%.

The default 5.0 score is already pretty biased towards favoring FPs over FN's. The score assigner tries to tune the scores so at 5.0 there's roughly 100 times more FNs than FPs, while keeping both as low as possible. In practice it's more like 50 times more, but that's what it's trying for..

to quote STATISTICS-set3.txt from SA 3.2.4:

  # SUMMARY for threshold 5.0:
  # Correctly non-spam: 67508 99.94%
  # Correctly spam: 117303 98.51%
  # False positives: 42 0.06%
  # False negatives: 1780 1.49%

Hi Matt, Many thanks, that was a very helpful description.

Regards,
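The following is an added example, not part of the original posts. It parses the X-Spam-Status header quoted in the "Multiple Images spam" post and the rule hits quoted in the "One SPAM that got through" exchange above, checks each total against a 5.0 and a 6.0 threshold, and then carries Matt Kettler's set3 figures through to an estimate for 6.0. The function names are assumptions; the 6.0 estimate only multiplies the quoted 5.0 counts by the quoted ratios (45% of the FPs, 78% more FNs), and a message is treated as tagged when its score is at or above the threshold.

```python
import re

# X-Spam-Status value quoted in the "Multiple Images spam" post on this page.
STATUS_IMAGE_SPAM = (
    "No, score=3.1 required=5.0 tests=BAYES_60=1, "
    "HTML_IMAGE_RATIO_04=0.172,HTML_MESSAGE=0.001,URIBL_BLACK=1.955 "
    "autolearn=no version=3.2.3"
)

# Rule hits quoted in the "One SPAM that got through" post.
HITS_ADVANCE_FEE = """\
1.23 ADVANCE_FEE_2
0.00 BAYES_50
0.72 SARE_URGBIZ Contains urgent matter
-0.00 SPF_PASS
2.08 SUBJ_ALL_CAPS
1.58 URG_BIZ
"""

# Counts from the STATISTICS-set3.txt summary for threshold 5.0 quoted above.
SET3_AT_5 = {"ham_ok": 67508, "spam_ok": 117303, "fp": 42, "fn": 1780}

NUM = r"(-?\d+(?:\.\d+)?)"


def parse_status(value):
    """Split an X-Spam-Status value into score, required and per-test scores."""
    score = float(re.search(r"\bscore=" + NUM, value).group(1))
    required = float(re.search(r"\brequired=" + NUM, value).group(1))
    part = re.search(r"\btests=(.*?)(?:\s+autolearn=|\s+version=|$)",
                     value, re.S).group(1)
    tests = {}
    for item in part.split(","):
        name, _, pts = item.strip().partition("=")
        if name and name != "none":
            # Stock headers list names only; this one carries NAME=score pairs.
            tests[name] = float(pts) if pts else None
    return {"score": score, "required": required, "tests": tests}


def parse_hit_lines(text):
    """Parse 'score RULE_NAME [description]' lines into {rule: score}."""
    hits = {}
    for line in text.splitlines():
        m = re.match(r"\s*" + NUM + r"\s+([A-Z0-9_]+)", line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits


def total(tests):
    return sum(v for v in tests.values() if v is not None)


def is_tagged(score, threshold):
    return score >= threshold


def project_to_6(stats, fp_factor=0.45, fn_increase=0.78):
    """Error rates (percent) at 5.0, and at 6.0 using the quoted ratios."""
    ham = stats["ham_ok"] + stats["fp"]
    spam = stats["spam_ok"] + stats["fn"]
    return {
        "fp_rate_5": 100 * stats["fp"] / ham,
        "fn_rate_5": 100 * stats["fn"] / spam,
        "fp_rate_6": 100 * stats["fp"] * fp_factor / ham,
        "fn_rate_6": 100 * stats["fn"] * (1 + fn_increase) / spam,
    }


if __name__ == "__main__":
    image = parse_status(STATUS_IMAGE_SPAM)
    print("image spam:", round(total(image["tests"]), 3), "header says", image["score"])
    # What-if: the same hits plus a BOTNET hit at the 5.0 shown in the reply.
    print("with BOTNET=5.0:", round(total({**image["tests"], "BOTNET": 5.0}), 3))
    fee = total(parse_hit_lines(HITS_ADVANCE_FEE))
    for threshold in (5.0, 6.0):
        print("advance-fee", round(fee, 2), "tagged at", threshold, is_tagged(fee, threshold))
    print({k: round(v, 3) for k, v in project_to_6(SET3_AT_5).items()})
```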
One SPAM that got through
Hi, I just had this message get through :-

Subject: CONTACT GLOBAL COMPANY FOR YOUR $950,000.00

My Dear Good Friend, I have Paid the fee for your Cheque Draft. But the manager of Eko Bank Benin told me that before the check will get to you that it will expire. So I told him to cash the $950,000.00. All the necessary arrangement of delivering the $950,000.00 in cash was made with GLOBAL MAX COURIER COMPANY. These are the informations they need to delivery your package to you. ATTN: DR.JOHN AGBALA EMAIL:[EMAIL PROTECTED] ) Please, Send them your contacts information to able them locate you immediately they arrived in your country with your BOX .This is what they need from you. 1. YOUR FULL NAME 2.YOUR HOME ADDRESS. 3.YOUR CURRENT HOME TELEPHONE NUMBER. 4.YOUR CURRENT OFFICE TELEPHONE. 5.A COPY OF YOUR PICTURE Please make sure you send this needed informations to the Director general of Global MAX Courier Company DR.JOHN AGBALA with the address given to you. Note. The Global Express courier company doesn't know the contents of the Box. I registered it as a Box of an Africa cloth. They don't know it contents money. This is to avoid them delaying with the Box. Don't let them know that is money that is in that Box. I am waiting for your urgent response. You can even call the Director of Global MAX Courier Company with this line +229-9300-4935. Thanks and Remain Blessed. DR. Nnoli ugo

and it only scored 5.6. These are the rules it hit :-

   1.23 ADVANCE_FEE_2
   0.00 BAYES_50
   0.72 SARE_URGBIZ Contains urgent matter
  -0.00 SPF_PASS
   2.08 SUBJ_ALL_CAPS
   1.58 URG_BIZ

I have my SA SPAM score to trigger on 6 and above. Do you think that is too high ? or anyone know of a ruleset to raise the score on these ?

TIA

Regards,
Re: How install spamassassin with vhcs2
- Outlaw [EMAIL PROTECTED] wrote:

How install spamassassin with vhcs2? I search in google but I found anything.

http://vhcs.puuhis.net/wiki/index.php/Spam_/_Antivirus_filter

Regards,
Re: FuzzyOcr question
Is decoder (Chris) still developing FuzzyOCR ?

Regards,

- Original Message -
From: NFN Smith [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 14 January 2008 17:35:30 o'clock (GMT) Europe/London
Subject: FuzzyOcr question

A couple of months ago, I updated FuzzyOcr to the current package version supported in Debian Stable (2.3b-1). In the meantime, I notice that when there are hits on FuzzyOcr, the SpamAssassinReport.txt attachment is showing that I am getting hits on FuzzyOcr, and the number of points scored by hits, but in the Description, I'm getting only BODY:, and no listing of which words were actually hit. e.g.,

  2.0 FUZZY_OCR BODY:

I'm not finding anything in docs or FuzzyOcr.cf that seems to govern this one, and for debugging purposes, I'd really like to know what terms are getting hits or not. What am I missing? Smith
Spam Scored zero ?
Hi, I got this SPAM through this morning and it didn't trip on anything. Any ideas ?

--
From: [EMAIL PROTECTED]
To: undisclosed-recipients:;
Sent: 11 January 2008 09:01:06 o'clock (GMT) Europe/London
Subject: ATM Master CARD

ATTENTION I have been waiting for you since to come down here and pick your Bank Draft but did not heard from you since that time then I went and deposited the Draft with INTERNATIONAL BANK OF BENIN here in Cotonou, Benin Republic, because I travelled to Japan to see my boss and will not come back till next month end. I have arranged with them to make your payment to you with their new ATM MASTER CARD which you can use to withdraw your money in any ATM MACHINE around the globe/world. You have to contact the International Bank of Benin with your full contact informations such as follows: 1. FULL NAME 2. ADDRESS WERE YOU WANT THEM TO SEND THE ATM CARD 3. PHONE AND FAX NUMBER 4. YOUR AGE AND CURRENT OCCUPATION 5. ATTACH COPY OF YOUR IDENTIFICATION However, Kindly contact the below person who is in position to release your ATM Master CARD. REV. DR. DUNGA OTUMBA DOUGLAS, DIRECTOR, ATM PAYMENT DEPARTMENT INTERNATIONAL BANK OF BENIN EMAIL: ([EMAIL PROTECTED]) I had paid for all the processing and delivery charges, the only money that your are going to pay to them is only $86 Dollars which they will use to open your ATM Account with the Bank and send the ATM Master CARD to your address. Try to contact them as soon as possible to quicken the process of your Card before your Draft gets Expired. Let me know as soon as you receive your ATM Master Card. Thanks. Mr.tony okou
--

Regards,
--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]
Re: BOTNET 0.8 + SA 3.2.3
I am running it with SA 3.2.4 with no problems at all.

Regards,

- Original Message -
From: Arthur Dent [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 11 January 2008 10:30:48 o'clock (GMT) Europe/London
Subject: Re: BOTNET 0.8 + SA 3.2.3

Hello all, I'm so no nearer a solution to this... To recap: Since upgrading from SA 3.2.2 to SA 3.2.3 I have had no Botnet hits at all. I have checked with SA --lint -D and Botnet v.0.8 seem to be installed correctly. I have run an old message through my current setup that hit Botnet when running SA 3.2.2 and it did not hit now... Any ideas? Is Botnet 0.8 incompatible with SA 3.2.3? Thanks for your help... AD
Re: BOTNET 0.8 + SA 3.2.3
Do you see it get picked up if you run a lint on your SA installation ?

Regards,

- Original Message -
From: Arthur Dent [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 09 January 2008 11:09:25 o'clock (GMT) Europe/London
Subject: BOTNET 0.8 + SA 3.2.3

Hello all, I have been running SA v3.2.3 since I upgraded from 3.2.2 in October. It has only just dawned on me that since then I have had no hits from Botnet. I have checked, and I did install the Botnet.pm and Botnet.cf files in this into /etc/mail/spamassassin so I am mystified as to why it's not generating any hits. Is Botnet v0.8 incompatible with SA 3.2.3 or have I done something daft? Thanks in advance... AD
Re: BOTNET 0.8 + SA 3.2.3
Ran the same on my installation and all appears the same to me. H, very odd, do you have an email in your quarantine that got tagged before which you could pass through again to test ?

    [EMAIL PROTECTED] ~]# spamassassin --lint -D 2>&1 | grep -i botnet
    [26067] dbg: config: read file /etc/mail/spamassassin/Botnet.cf
    [26067] dbg: config: fixed relative path: /etc/mail/spamassassin/Botnet.pm
    [26067] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from /etc/mail/spamassassin/Botnet.pm
    [26067] dbg: Botnet: version 0.8
    [26067] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0x212a2ca0) implements 'parse_config', priority 0
    [26067] dbg: Botnet: setting botnet_pass_auth to 0
    [26067] dbg: Botnet: setting botnet_pass_trusted to public
    [26067] dbg: Botnet: adding ^127\.0\.0\.1$ to botnet_skip_ip
    [26067] dbg: Botnet: adding ^10\..*$ to botnet_skip_ip
    [26067] dbg: Botnet: adding ^172\.1[6789]\..*$ to botnet_skip_ip
    [26067] dbg: Botnet: adding ^172\.2[0-9]\..*$ to botnet_skip_ip
    [26067] dbg: Botnet: adding ^172\.3[01]\..*$ to botnet_skip_ip
    [26067] dbg: Botnet: adding ^192\.168\..*$ to botnet_skip_ip
    [26067] dbg: Botnet: adding ^128\.223\.98\.16$ to botnet_pass_ip
    [26067] dbg: Botnet: adding (\.|\A)amazon\.com$ to botnet_pass_domains
    [26067] dbg: Botnet: adding (\.|\A)apple\.com$ to botnet_pass_domains
    [26067] dbg: Botnet: adding (\.|\A)ebay\.com$ to botnet_pass_domains
    [26067] dbg: Botnet: adding (\b|\d).*dsl.*(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)cable(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)catv(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)ddns(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)dhcp(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)dial(-?up)?(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)dip(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)docsis(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)dyn(amic)?(ip)?(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)modem(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)ppp(oe)?(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)res(net|ident(ial)?)?(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)bredband(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)client(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)fixed(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)ip(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)pool(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)static(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)user(\b|\d) to botnet_clientwords
    [26067] dbg: Botnet: adding (\b|\d)e?mail(out)?(\b|\d) to botnet_serverwords
    [26067] dbg: Botnet: adding (\b|\d)mta(\b|\d) to botnet_serverwords
    [26067] dbg: Botnet: adding (\b|\d)mx(pool)?(\b|\d) to botnet_serverwords
    [26067] dbg: Botnet: adding (\b|\d)relay(\b|\d) to botnet_serverwords
    [26067] dbg: Botnet: adding (\b|\d)smtp(\b|\d) to botnet_serverwords
    [26067] dbg: Botnet: adding (\b|\d)exch(ange)?(\b|\d) to botnet_serverwords
    [26067] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0x212a2ca0) implements 'parse_config', priority 0
    [26067] dbg: rules: ran header rule __BOTNET_NOTRUST == got hit: negative match
    [26067] dbg: Botnet: starting
    [26067] dbg: Botnet: no trusted relays
    [26067] dbg: Botnet: All skipped/no untrusted
    [26067] dbg: Botnet: skipping
    [26067] dbg: check: subtests=__BOTNET_NOTRUST,__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID

Regards,

--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

----- Original Message -----
From: Arthur Dent [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 09 January 2008 15:15:32 o'clock (GMT) Europe/London
Subject: Re: BOTNET 0.8 + SA 3.2.3

On Wed, Jan 09, 2008 at 11:27:59AM +, UxBoD wrote:
> Do you see if get picked up if you run a lint on your SA installation ?

How does this look to you? Thanks for your help so far...

AD

    $ spamassassin --lint -D 2>&1 | grep -i botnet
    [26514] dbg: config: read file /etc/mail/spamassassin/Botnet.cf
    [26514] dbg: config: fixed relative path: /etc/mail/spamassassin/Botnet.pm
    [26514] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from /etc/mail/spamassassin/Botnet.pm
    [26514] dbg: Botnet: version 0.8
    [26514] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0xa202954) implements 'parse_config', priority 0
    [26514] dbg: Botnet: setting botnet_pass_auth to 0
    [26514] dbg: Botnet: setting botnet_pass_trusted to public
    [26514] dbg: Botnet: adding ^127\.0\.0\.1
Re: Apache SpamAssassin 3.2.4
Is a RPM available for Centos5 yet ?

Regards, --[ UxBoD ]--

----- Original Message -----
From: James Lay [EMAIL PROTECTED]
To: Spamassassin users@SpamAssassin.apache.org
Sent: 07 January 2008 18:53:47 o'clock (GMT) Europe/London
Subject: Re: Apache SpamAssassin 3.2.4

New upgrade is running GREAT here :)

James
Re: spamd throughput issues
would perhaps be useful to see a spamassassin -D --lint ?

Regards, --[ UxBoD ]--

----- Original Message -----
From: Philipp Snizek [EMAIL PROTECTED]
To: Mark Rigby-Jones [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Monday, December 10, 2007 12:49:26 PM (GMT) Europe/London
Subject: Re: spamd throughput issues

You use Bayes? Have you tried turning off auto_expire? From my experience this can cause significant performance issues. Moreover, have you tried turning off bayes? Without bayes scanning took a quarter of a second per email on a 2cpu, 8GB standard i686 arch, sa compiled as 32-bit app.

Philipp

> On 9 Dec 2007, at 21:40, Steven Stern wrote:
>> Have you tried running a local caching name server? That can cut down on times to do repetitive name lookups.
>
> Yes indeed, it's something we've always had on mail servers even before we had SpamAssassin, for exactly that reason.
>
> Thanks, mrj
> --
> Mark Rigby-Jones, System Operations Manager, CI-Net
Re: MP3 Spam
Thanks Justin. Do they all follow the same patterns ?

Regards, --[ UxBoD ]--

----- Original Message -----
From: Justin Mason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Thursday, October 18, 2007 8:24:35 PM (GMT) Europe/London
Subject: Re: MP3 Spam

UxBoD writes:
> Does anybody have one of these, or different one, that you could upload somewhere so can do some analysis ?

sure: http://taint.org/x/2007/mp3spam.txt

anyway, these rules catch them as far as I can tell:

    ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
    # Variant 1: "inline" part, parameter on a space-folded continuation line
    mimeheader __CTYPE_STORM_MP3_1 Content-Type:raw =~ /^audio\/mpeg;\n name=\"[a-z]+\.mp3\"$/s
    mimeheader __CDISP_STORM_MP3_1 Content-Disposition:raw =~ /^inline;\n filename=\"[a-z]+\.mp3\"$/s
    # Variant 2: "attachment" part, parameter on a tab-folded continuation line
    mimeheader __CTYPE_STORM_MP3_2 Content-Type:raw =~ /^audio\/mpeg;\n\tname=\"[a-z]+\.mp3\"$/s
    mimeheader __CDISP_STORM_MP3_2 Content-Disposition:raw =~ /^attachment;\n\tfilename=\"[a-z]+\.mp3\"$/s
    meta JM_STORM_MP3 ((__CTYPE_STORM_MP3_1 && __CDISP_STORM_MP3_1) || (__CTYPE_STORM_MP3_2 && __CDISP_STORM_MP3_2))
    endif

--j.
Re: MP3 Spam
Hmmm, hit okay here Martin :-

    X-Spam-Status: Yes, score=27.6 required=10.0 tests=BAYES_99,BOTNET,CRM114_CHECK,
        HELO_DYNAMIC_CHELLO_NL,JM_STORM_MP3,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_DUL,
        RCVD_IN_XBL,RDNS_DYNAMIC,TVD_SPACE_RATIO autolearn=unavailable version=3.2.3

Regards, --[ UxBoD ]--

----- Original Message -----
From: Martin.Hepworth [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, October 19, 2007 9:11:38 AM (GMT) Europe/London
Subject: RE: MP3 Spam

http://www.solidstatelogic.com/mp3-spam.txt

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Re: MP3 Spam
Can you post a copy online Martin ? need a few examples to find the common elements.

Regards, --[ UxBoD ]--

----- Original Message -----
From: Martin.Hepworth [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 19, 2007 9:00:39 AM (GMT) Europe/London
Subject: RE: MP3 Spam

Just tried this on an example we had overnight and it didn't hit ;-(

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
MP3 Spam
Does anybody have one of these, or different one, that you could upload somewhere so can do some analysis ?

Regards, --[ UxBoD ]--
Re: OT: The Funny Side of Spam
Well done Michele :) That is pure class.

Regards, --[ UxBoD ]--
Re: lottery spam as .doc files
Hmmm, interesting one. I would have only just blocked that one :-

    Content analysis details: (8.4 points, 7.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.7 SARE_FREE_WEBM_COMWALL Maybe spammer with free email
     0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                                [88.15.90.125 listed in dnsbl.sorbs.net]
     2.1 SUBJ_ALL_CAPS          Subject is all capitals
     1.3 MISSING_HEADERS        Missing To: header
    -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                                [score: 0.3146]
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.7 MPART_ALT_DIFF         BODY: HTML and text parts are different
     1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
     0.0 WHOIS_NETSOLPR         URL registered as a NetSol Private Registration
                                [URIs: walla.com]
     0.1 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
     0.2 SARE_SUB_ENC_UTF8      Message uses character set often used in spam
     0.5 CRM114_CHECK           CRM114: message is UNSURE with crm114-score -2.3600

Regards, --[ UxBoD ]--

----- Original Message -----
From: Martin.Hepworth [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Thursday, August 9, 2007 8:33:15 AM (GMT) Europe/London
Subject: RE: lottery spam as .doc files

OK, here's the URL for the actual message I got (before being SA-ed or anything):

http://www.solidstatelogic.com/1IInjp-000ENd-51.txt

I'll leave this up for a couple of days and take it down after the weekend.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic

-----Original Message-----
From: Martin.Hepworth [mailto:[EMAIL PROTECTED]
Sent: 08 August 2007 16:50
To: [EMAIL PROTECTED]
Subject: lottery spam as .doc files

Heads up, the pdf stock spam has morphed to ms-word files for lottery winnings..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Re: Number spam (paranoid guess)
This appears to work okay :-

    header   __LOCAL_PROBE1  subject =~ /[0-9]{4,6}/i
    body     __LOCAL_PROBE2  /([a-z|0-9]{8})/i
    describe LOCAL_PROBE1    Daft Number Probe
    meta     LOCAL_PROBE1    (__LOCAL_PROBE1 + __LOCAL_PROBE2 > 1)
    score    LOCAL_PROBE1    3

Regards, --[ UxBoD ]--

----- Original Message -----
From: Greg Skouby [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Tuesday, August 7, 2007 2:14:44 PM (GMT) Europe/London
Subject: Re: Number spam (paranoid guess)

On Tue, Aug 07, 2007 at 12:14:31PM +0200, Chr. v. Stuckrad wrote:
> My most paranoid guess is:
> - Cause: we have summer vacation time ... So LOTS of people are on holidays. If you use E-Mails with totally useless content which goes through all filters for a short time, you can trigger LOTS of vacation-Messages!

Wouldn't that require the from info not being forged? I have gotten a couple of these and they are definitely of the forged sender variety.

--Greg
Re: Number spam (paranoid guess)
Yes I know :( has been pointed out to me so has been revised :-

    header   __LOCAL_DIG1  subject =~ /^\d[0-9]{4,6}$/
    body     __LOCAL_DIG2  /^([a-f|0-9]{8})$/i
    describe LOCAL_DIG1    Daft Number Scam
    meta     LOCAL_DIG1    __LOCAL_DIG1 && __LOCAL_DIG2
    score    LOCAL_DIG1    3

Regards, --[ UxBoD ]--

----- Original Message -----
From: Henrik Krohns [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Tuesday, August 7, 2007 3:34:49 PM (GMT) Europe/London
Subject: Re: Number spam (paranoid guess)

On Tue, Aug 07, 2007 at 02:52:25PM +0100, UxBoD wrote:
> This appears to work okay :-
>
>     header   __LOCAL_PROBE1  subject =~ /[0-9]{4,6}/i
>     body     __LOCAL_PROBE2  /([a-z|0-9]{8})/i
>     describe LOCAL_PROBE1    Daft Number Probe
>     meta     LOCAL_PROBE1    (__LOCAL_PROBE1 + __LOCAL_PROBE2 > 1)
>     score    LOCAL_PROBE1    3

Looks like nice FP generator for busy sites. PROBE2 is certain to hit almost anything and then just wait for a few digits in subject.. :)
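The false-positive concern raised in this exchange can be measured before a rule goes live. The following is an added example, not code from any poster: it runs the original and the revised patterns from the two posts over constructed sample mail, and it assumes a body rule is tried against each non-empty line as one paragraph.

```python
import re

# Patterns copied from the two posts; Python's re accepts them unchanged.
ORIGINAL = {
    "subject": re.compile(r"[0-9]{4,6}", re.I),
    "body": re.compile(r"([a-z|0-9]{8})", re.I),
}
REVISED = {
    "subject": re.compile(r"^\d[0-9]{4,6}$"),
    "body": re.compile(r"^([a-f|0-9]{8})$", re.I),
}

# Constructed sample mail: (label, subject, body). None of it is real traffic.
SAMPLES = [
    ("spam", "73492", "a3f09c1e"),
    ("spam", "481516", "0BADC0DE"),
    ("spam", "4815", "deadbeef"),
    ("ham", "Invoice 20070807 attached",
     "Please find the invoice attached.\nRegards, Accounts"),
    ("ham", "Order 48213 shipped", "Your delivery is scheduled for Friday."),
    ("ham", "Lunch on Friday?", "Are you available at noon?"),
]


def paragraphs(body):
    """Assumption of this example: one paragraph per non-empty line, trimmed."""
    return [line.strip() for line in body.splitlines() if line.strip()]


def rule_fires(rules, subject, body):
    """Meta rule: the Subject sub-rule and the body sub-rule must both hit."""
    subject_hit = rules["subject"].search(subject) is not None
    body_hit = any(rules["body"].search(p) for p in paragraphs(body))
    return subject_hit and body_hit


def evaluate(rules, samples=SAMPLES):
    """Count true positives, false positives and missed spam for one rule set."""
    result = {"tp": 0, "fp": 0, "fn": 0}
    for label, subject, body in samples:
        fired = rule_fires(rules, subject, body)
        if fired and label == "spam":
            result["tp"] += 1
        elif fired:
            result["fp"] += 1
        elif label == "spam":
            result["fn"] += 1
    return result


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, evaluate(rules))
```

On these samples the unanchored pair fires on two ordinary messages, because any 8-letter word satisfies the body pattern. The anchored pair fires on none, but `\d[0-9]{4,6}` needs five to seven digits, so the 4-digit subject is missed.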
RBL Rules Question
Hi,

I have written the following ruleset for our local RBL server :-

    header   __RCVD_IN_LRBL    eval:check_rbl('LRBL','dnsrbl.local.com.')
    tflags   __RCVD_IN_LRBL    net
    header   __RCVD_IN_LRBL_B  eval:check_rbl_sub('LRBL', '127.0.0.2')
    tflags   __RCVD_IN_LRBL_B  net
    header   __RCVD_IN_LRBL_W  eval:check_rbl_sub('LRBL', '127.0.0.3')
    tflags   __RCVD_IN_LRBL_W  net

    meta     RCVD_IN_LRBL_W    (__RCVD_IN_LRBL_W + __RCVD_IN_LRBL_B = 1)
    describe RCVD_IN_LRBL_W    Local RBL Whitelist
    tflags   RCVD_IN_LRBL_W    net
    score    RCVD_IN_LRBL_W    -7

    meta     RCVD_IN_LRBL_B    (__RCVD_IN_LRBL_W + __RCVD_IN_LRBL_B = 1)
    describe RCVD_IN_LRBL_B    Local RBL Blacklist
    tflags   RCVD_IN_LRBL_B    net
    score    RCVD_IN_LRBL_B    7

    meta     RCVD_IN_LRBL_Y    (__RCVD_IN_LRBL_W + __RCVD_IN_LRBL_B = 2)
    describe RCVD_IN_LRBL_Y    Local RBL Yellowlist
    tflags   RCVD_IN_LRBL_Y    net
    score    RCVD_IN_LRBL_Y    -3

But obviously it will score the whitelist and blacklist the same if the IP address appears in both lists. How can I say on the meta rule that if it *only* appears in blacklist score -7, and 7 if in whitelist, and if in both use the yellowlist ?

Regards, --[ UxBoD ]--
[RESOLVED] Re: RBL Rules Question
    meta     RCVD_IN_LRBL_W    __RCVD_IN_LRBL_W && !__RCVD_IN_LRBL_B
    describe RCVD_IN_LRBL_W    Local RBL Whitelist
    tflags   RCVD_IN_LRBL_W    net
    score    RCVD_IN_LRBL_W    -7

    meta     RCVD_IN_LRBL_B    !__RCVD_IN_LRBL_W && __RCVD_IN_LRBL_B
    describe RCVD_IN_LRBL_B    Local RBL Blacklist
    tflags   RCVD_IN_LRBL_B    net
    score    RCVD_IN_LRBL_B    7

    meta     RCVD_IN_LRBL_Y    __RCVD_IN_LRBL_W && __RCVD_IN_LRBL_B
    describe RCVD_IN_LRBL_Y    Local RBL Yellowlist
    tflags   RCVD_IN_LRBL_Y    net
    score    RCVD_IN_LRBL_Y    -3

Checked existing rules for help ;)

Regards, --[ UxBoD ]--
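The difference between the ruleset in the question and the resolved one is easiest to see as a truth table over the DNSBL answers. This is an added example, not the poster's code: it models the two sub-rules from the A records a lookup returns, reusing the zone, return codes and scores from the posts. The comparison operator in the question's meta lines is garbled on the page, so `==` is assumed here.

```python
import ipaddress

ZONE = "dnsrbl.local.com."                  # zone name from the post
BLACK, WHITE = "127.0.0.2", "127.0.0.3"     # return codes from the post
SCORES = {"RCVD_IN_LRBL_W": -7, "RCVD_IN_LRBL_B": 7, "RCVD_IN_LRBL_Y": -3}


def query_name(ip, zone=ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def subrules(answers):
    """Model __RCVD_IN_LRBL_W / __RCVD_IN_LRBL_B from the returned A records."""
    return WHITE in answers, BLACK in answers


def question_meta(answers):
    """Ruleset from the question: W and B share one expression.

    Assumption: the garbled '= 1' / '= 2' is read as an equality test.
    """
    w, b = subrules(answers)
    hits = []
    if w + b == 1:
        hits.append("RCVD_IN_LRBL_W")   # same expression ...
    if w + b == 1:
        hits.append("RCVD_IN_LRBL_B")   # ... so both fire together
    if w + b == 2:
        hits.append("RCVD_IN_LRBL_Y")
    return hits


def resolved_meta(answers):
    """Ruleset from the [RESOLVED] post: the three outcomes are exclusive."""
    w, b = subrules(answers)
    hits = []
    if w and not b:
        hits.append("RCVD_IN_LRBL_W")
    if b and not w:
        hits.append("RCVD_IN_LRBL_B")
    if w and b:
        hits.append("RCVD_IN_LRBL_Y")
    return hits


def total(hits):
    """Sum the scores of the rules that fired."""
    return sum(SCORES[name] for name in hits)


if __name__ == "__main__":
    # 192.0.2.25 is a documentation address used as a constructed sample.
    print("lookup:", query_name("192.0.2.25"))
    cases = {"black only": {BLACK}, "white only": {WHITE},
             "both": {BLACK, WHITE}, "unlisted": set()}
    for label, answers in cases.items():
        q, r = question_meta(answers), resolved_meta(answers)
        print(f"{label:10} question={q} ({total(q):+d}) resolved={r} ({total(r):+d})")
```

With the shared expression, an address listed only as black fires both rules and nets 0, while the resolved rules give it the full 7.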
PDFInfo
How can I get the plugin? I have emailed the webmaster a couple of times but no response :(

-- --[ UxBoD ]--
Re: Rulesemporium
Same here :(

On Fri, 29 Jun 2007 11:28:51 -0400, Joe Zitnik [EMAIL PROTECTED] wrote:
> Is it having troubles again? I'm having problems reaching the site.

-- --[ UxBoD ]--
Re: No buffer space available
What O/S ? What kernel release ? Have you tuned any system parameters for TCP buffers ? Is there high traffic on the server ? Somebody isn't trying to DDoS your server are they ?

On Tue, 12 Jun 2007 10:26:40 -0400, Mike Fahey [EMAIL PROTECTED] wrote:
> I am seeing this error. Any Idea how to fix this?
>
> Freebsd 6.2
> SpamAssassin-3.2.0
>
>     spamd[46771]: bayes: cannot open bayes databases /usr/local/share/spamassassin/bayes_* R/W: lock failed: No buffer space available
>
> Thanks.
> --
> With best regards,
> Mike Fahey - Systems Administration

-- --[ UxBoD ]--
Re: Holding Spam in a webmail client
mailwatch.sourceforge.net ?

On Mon, 4 Jun 2007 14:51:08 -0400, Jason Holbrook [EMAIL PROTECTED] wrote:
> I am running SpamAssassin version 3.2.0 on Ubuntu Linux. I am using Postfix, AMAVISD -New, MailScanner and ClamAV. I use Spamassassin as a part of a SMTP Mail Gateway for an Exchange server.
>
> Question, is anyone familiar with a method in which users' spam can be held on the Spamassassin platform for individual users via a webmail app and users login to the webmail client and manage their own spam?
>
> Best Regards,
> Jason Holbrook
> Chief Technology Integrator / Partner
> Empower Information Systems

-- --[ UxBoD ]--
RE: Holding Spam in a webmail client
Hi Jason, Yes it will work fine. A few minor tweaks are required so nothing major. Best thing is to join the mailwatch mailing list and introduce yourself :) Regards,

On Mon, 4 Jun 2007 16:03:02 -0400, Jason Holbrook [EMAIL PROTECTED] wrote:

I noticed on the MailWatch site that the documentation states that it supports only certain products. Two of the products in our setup PostFix and Clam AV are not listed. I did however see links to patches for these products. Are Postfix and Clam able to run within the MailWatch / MailScanner setup? Are the links from the MailWatch site the appropriate fixes that enable this to happen or do I need to modify my config? I am running MailScanner 1.14, PostFix 2.3.8 and ClamAV and SpamAssassin

Best Regards, Jason Holbrook

-Original Message- From: --[ UxBoD ]-- [mailto:[EMAIL PROTECTED] Sent: Monday, June 04, 2007 3:26 PM To: Jason Holbrook Subject: RE: Holding Spam in a webmail client

That is exactly what MailWatch will provide you with. Your user community would have their own login, and see only quarantined emails for their address. They are then able to release them if they wish. Regards,

On Mon, 4 Jun 2007 15:13:33 -0400, Jason Holbrook [EMAIL PROTECTED] wrote:

I like the quarantine management function. This is probably a better illustration of what I am thinking

SMTP - Postfix - MailScanner - Spamassassin - Messages Queued - SPAM held on system | Clean Mail Delivered

Users then would manage SPAM via some sort of web GUI like Mailwatch? I am new to both Linux and Spamassassin so forgive me any ignorance.

Best Regards, Jason Holbrook
Re: Holding Spam in a webmail client
1.14 is probably an O/S specific build release like a .deb. But you are correct though if that is the case as 4.60.8-1 is the current stable.

On Mon, 04 Jun 2007 15:14:52 -0500, Richard Frovarp [EMAIL PROTECTED] wrote:

You'll also probably want to join the MailScanner list as well. 1.14 is quite old.
USER_IN_WHITELIST
Which rule sets this ? I have grep'd through /etc/mail/spamassassin and the variable is used but does not seem to get set anywhere ? -- --[ UxBoD ]-- // PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // Phone: +44 (0) 845 869 2749 SIP: [EMAIL PROTECTED] -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: USER_IN_WHITELIST
I have just performed a brand new server install with SA 3.2.0 and I noticed an email this morning that had scored -94. I do not know the sender domain, so looked at how it had been scored and noticed that the rule USER_IN_WHITELIST had been hit with a -100.

On Tue, 15 May 2007 10:35:35 +0200, Cedric BUSCHINI [EMAIL PROTECTED] wrote:

--[ UxBoD ]-- wrote: Which rule sets this ? I have grep'd through /etc/mail/spamassassin and the variable is used but does not seem to get set anywhere ?

Hi, Have a look in /usr/share/spamassassin. There is 60_whitelist.cf for rules and about scores it's in 50_scores.cf BUT it's better to overwrite these parameters updating the local.cf instead. What is the problem ? I may have the same !! Cedric
Re: USER_IN_WHITELIST
It wouldn't be if we had any user whitelists set up ! That's the problem. This is a vanilla installation and we have no individual user preferences set up. All is controlled by a single account, as the mail is then passed onto a Notes server. I have looked at that rule and can see that it uses the function eval:check_from_in_whitelist(), but need to see how that works.

On Tue, 15 May 2007 10:48:47 +0200, Cedric BUSCHINI [EMAIL PROTECTED] wrote:

ok - not the same problem I have is -100 too high for you ?

-- Cedric BUSCHINI - CARAX - IT Department Phone : + 33 1 4006 9864 fax : + 33 1 4006 9865
Re: USER_IN_WHITELIST
Resolved :) Thanks.

On Tue, 15 May 2007 10:48:47 +0200, Cedric BUSCHINI [EMAIL PROTECTED] wrote:

ok - not the same problem I have is -100 too high for you ?
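An audit for the question raised in this thread, as an added example that is not part of any post: it lists every `whitelist_from` / `whitelist_from_rcvd` entry across the config files SpamAssassin reads, with file and line, and shows which ones match a given sender. The thread does not say what the cause turned out to be; the file contents below are constructed, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    directive: str         # "whitelist_from" or "whitelist_from_rcvd"
    pattern: str           # address glob exactly as written in the config
    relay: Optional[str]   # required relay domain (whitelist_from_rcvd only)
    source: str            # file the entry was read from
    lineno: int


def glob_to_regex(glob: str):
    """Address globs: '*' is any run of characters, '?' is one, the rest is literal."""
    table = {"*": ".*", "?": "."}
    body = "".join(table.get(ch, re.escape(ch)) for ch in glob)
    return re.compile(body, re.IGNORECASE)


def collect_whitelist(files: List[Tuple[str, str]]) -> List[Entry]:
    """files: (path, text) pairs in the order SpamAssassin reads them."""
    entries: List[Entry] = []
    for path, text in files:
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = re.sub(r"(?<!\\)#.*", "", raw).strip()   # drop comments
            if not line:
                continue
            directive, *args = line.split()
            if directive == "whitelist_from":
                entries += [Entry(directive, a, None, path, lineno) for a in args]
            elif directive == "whitelist_from_rcvd" and len(args) >= 2:
                entries.append(Entry(directive, args[0], args[1], path, lineno))
            elif directive in ("unwhitelist_from", "unwhitelist_from_rcvd"):
                undone = directive[2:]                      # the whitelist_* it cancels
                drop = {a.lower() for a in args}
                entries = [e for e in entries
                           if not (e.directive == undone and e.pattern.lower() in drop)]
    return entries


def why_whitelisted(sender: str, entries: List[Entry]) -> List[Entry]:
    """Entries whose glob matches the whole sender address (case-insensitive)."""
    return [e for e in entries if glob_to_regex(e.pattern).fullmatch(sender)]


# Constructed file contents; the two paths are ones the lint output on this page
# shows being read, but what they contained is not given in the thread.
SAMPLE_FILES = [
    ("/etc/mail/spamassassin/local.cf",
     "required_score 5.0\n"
     "whitelist_from newsletter@example.org   # constructed entry\n"),
    ("/opt/MailScanner/etc/spam.assassin.prefs.conf",
     "# constructed content\n"
     "whitelist_from *@example.com *@*.partner.example\n"
     "whitelist_from_rcvd billing@example.net example.net\n"
     "unwhitelist_from newsletter@example.org\n"),
]

if __name__ == "__main__":
    found = collect_whitelist(SAMPLE_FILES)
    for sender in ("someone@example.com", "newsletter@example.org",
                   "billing@example.net", "someone@example.com.other.test"):
        hits = why_whitelisted(sender, found)
        if not hits:
            print(f"{sender}: no whitelist entry matches")
        for e in hits:
            extra = f" (only if relayed via {e.relay})" if e.relay else ""
            print(f"{sender}: {e.directive} {e.pattern} at {e.source}:{e.lineno}{extra}")
```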
No Bayes or RBL Checks !
Hi, I am having real problems in getting SA 3.2.0 to perform Bayes or RBL checks. For some reason they just do not fire at all. If I run a lint there are no warnings and all prerequisites are okay. What could I be doing wrong ? All worked fine on 3.1.8. I have even tried a clean install to no avail.
Re: No Bayes or RBL Checks !
Have just tested with GTUBE and even that does not get picked up! G. What is happening. My config lints fine.
Re: No Bayes or RBL Checks !
Eureka! Found the problem at last. It is down to the updates from saupdates.openprotect.com! As soon as I deleted /var/lib/spamassassin/3.0020 directory and its contents everything works fine. I checked the .pre that is included and all the plugins were hashed out. I ran the sa-update again with --allowplugins, after removing the directory, and now the plugins get loaded. But yet again no checks are performed. Any ideas ?
Re: No Bayes or RBL Checks !
The point is that if I use either with or without plugins using the channel breaks SA 3.2.0.

On Sat, 12 May 2007 15:25:23 -0400 Daryl C. W. O'Shea [EMAIL PROTECTED] wrote:

--[ UxBoD ]-- wrote: Eureka! Found the problem at last. It is down to the updates from saupdates.openprotect.com! As soon as I deleted /var/lib/spamassassin/3.0020 directory and its contents everything works fine. I checked the .pre that is included and all the plugins were hashed out. I ran the sa-update again with --allowplugins, after removing the directory, and now the plugins get loaded. But yet again no checks are performed.

I wouldn't use --allowplugins, configure what plugins you want yourself in your local site config pre files, don't let the openprotect channel do it for you.

Any ideas ?

http://wiki.apache.org/spamassassin/RuleUpdates#head-94a60e739e7b06980a8fb8c64759653f300a0bfa

Daryl
Re: No Bayes or RBL Checks !
Using both though the channel update for openprotect seems to break it. Switched to rules-du-jour and all is okay now.

On Sat, 12 May 2007 15:05:20 -0400 Theo Van Dinter [EMAIL PROTECTED] wrote:

On Sat, May 12, 2007 at 09:04:22AM +0100, --[ UxBoD ]-- wrote: plugins were hashed out. I ran the sa-update again with --allowplugins, after removing the directory, and now the plugins get loaded. But yet again no checks are performed.

Are you getting both the SA updates and the openprotect channels? It sounds like you're only doing openprotect, which eliminates the SA rules.
Re: How to use SpamAssassin from PHP?
To ensure all is working okay, why not take an existing SPAM message and construct the $message from that and test ?

On Wed, 9 May 2007 14:40:52 +0530, BG Mahesh [EMAIL PROTECTED] wrote:

On 5/9/07, Duncan Hill [EMAIL PROTECTED] wrote: On Wed, May 9, 2007 09:36, BG Mahesh wrote: We have tested this on http://cause.greynium.com/spamtest.php We have constructed a Mail header, concatenating $message to $header and passing the contents of $header to the code given above. We have installed the script from rulesemporium to update the cf files. What could we be missing?

Are you saying something isn't working?

The content should be reported as Spam. The score (when I run from command line is just about 1.0 and required is 5.0). The text in $message have very hardcore words. Shouldn't it be marked as spam? Are we formatting the header correctly (i.e. each line is ending with \n)?

regards, -- -- B.G. Mahesh http://www.greynium.com/ http://www.oneindia.in/ http://www.click.in/ - Free Indian Classifieds
Re: How to use SpamAssassin from PHP?
I ran your first sample through SA here and got the following score :-

X-Spam-Status: Yes, score=6.5 required=5.0 tests=BAYES_50,FRT_PENIS1,
    HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_DATE,MISSING_HB_SEP,
    MISSING_MID,NO_RECEIVED,NO_RELAYS autolearn=no version=3.2.0

Regards,
SA 3.2.0 and Bayes
Hi, Since upgrading Bayes no longer appears to trigger. If I run a -D --lint in the tests section at the bottom it does not report :-

[18375] dbg: check: tests=BAYES_20,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE

plus no RBL tests fire anymore :( I have checked the pre-requisites and that all looks fine. I have tested with a spam message and debug enabled and no errors are produced. Is there any additional debugging I can do ? TIA
Re: SA 3.2.0 and Bayes
Here is my lint :-

SpamAssassin Lint

[18703] dbg: logger: adding facilities: all  0
[18703] dbg: logger: logging level is DBG  8E-05
[18703] dbg: generic: SpamAssassin version 3.2.0  3E-05
[18703] dbg: config: score set 0 chosen.  0.00064
[18703] dbg: util: running in taint mode? no  0.0004
[18703] dbg: dns: no ipv6  0.00452
[18703] dbg: dns: is Net::DNS::Resolver available? yes  3E-05
[18703] dbg: dns: Net::DNS version: 0.59  3E-05
[18703] dbg: diag: perl platform: 5.008008 linux  0.17238
[18703] dbg: diag: module installed: Digest::SHA1, version 2.11  3E-05
[18703] dbg: diag: module installed: HTML::Parser, version 3.56  2E-05
[18703] dbg: diag: module installed: Net::DNS, version 0.59  2E-05
[18703] dbg: diag: module installed: MIME::Base64, version 3.05  3E-05
[18703] dbg: diag: module installed: DB_File, version 1.815  2E-05
[18703] dbg: diag: module installed: Net::SMTP, version 2.30  3E-05
[18703] dbg: diag: module not installed: Mail::SPF ('require' failed)  3E-05
[18703] dbg: diag: module installed: Mail::SPF::Query, version 1.999001  3E-05
[18703] dbg: diag: module installed: IP::Country::Fast, version 604.001  3E-05
[18703] dbg: diag: module installed: Razor2::Client::Agent, version 2.82  3E-05
[18703] dbg: diag: module installed: Net::Ident, version 1.20  3E-05
[18703] dbg: diag: module installed: IO::Socket::INET6, version 2.51  3E-05
[18703] dbg: diag: module installed: IO::Socket::SSL, version 1.05  2E-05
[18703] dbg: diag: module installed: Compress::Zlib, version 2.001  2E-05
[18703] dbg: diag: module installed: Time::HiRes, version 1.9707  0.0004
[18703] dbg: diag: module installed: Mail::DomainKeys, version 1.0  2E-05
[18703] dbg: diag: module installed: Mail::DKIM, version 0.24  2E-05
[18703] dbg: diag: module installed: DBI, version 1.54  3E-05
[18703] dbg: diag: module installed: Getopt::Long, version 2.36  2E-05
[18703] dbg: diag: module installed: LWP::UserAgent, version 2.033  3E-05
[18703] dbg: diag: module installed: HTTP::Date, version 1.47  2E-05
[18703] dbg: diag: module installed: Archive::Tar, version 1.30  2E-05
[18703] dbg: diag: module installed: IO::Zlib, version 1.05  2E-05
[18703] dbg: ignore: using a test message to lint rules  3E-05
[18703] dbg: config: using /etc/mail/spamassassin for site rules pre files  3E-05
[18703] dbg: config: read file /etc/mail/spamassassin/init.pre  2E-05
[18703] dbg: config: read file /etc/mail/spamassassin/v310.pre  2E-05
[18703] dbg: config: read file /etc/mail/spamassassin/v312.pre  2E-05
[18703] dbg: config: read file /etc/mail/spamassassin/v320.pre  2E-05
[18703] dbg: config: using /var/lib/spamassassin/3.002000 for sys rules pre files  3E-05
[18703] dbg: config: read file /var/lib/spamassassin/3.002000/saupdates_openprotect_com.pre  3E-05
[18703] dbg: config: using /var/lib/spamassassin/3.002000 for default rules dir  3E-05
[18703] dbg: config: read file /var/lib/spamassassin/3.002000/saupdates_openprotect_com.cf  2E-05
[18703] dbg: config: using /etc/mail/spamassassin for site rules dir  3E-05
[18703] dbg: config: read file /etc/mail/spamassassin/Botnet.cf  0.0003
[18703] dbg: config: read file /etc/mail/spamassassin/Chinese_rules.cf  0.00146
[18703] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf  0.00044
[18703] dbg: config: read file /etc/mail/spamassassin/local.cf  9E-05
[18703] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf  0.00019
[18703] dbg: config: read file /etc/mail/spamassassin/secrets.cf  8E-05
[18703] dbg: config: read file /etc/mail/spamassassin/uxbod.cf  5E-05
[18703] dbg: config: using /opt/MailScanner/etc/spam.assassin.prefs.conf for user prefs file  0.00049
[18703] dbg: config: read file /opt/MailScanner/etc/spam.assassin.prefs.conf  0.00021
[18703] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC  0.00225
[18703] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC  0.00354
[18703] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC  0.00194
[18703] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC  0.00361
[18703] dbg: dcc: local tests only, disabling DCC  0.00461
[18703] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC  0.00021
[18703] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2635010), already registered  0.00018
[18703] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC  6E-05
[18703] dbg: pyzor: local tests only, disabling Pyzor  0.00185
[18703] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC  0.00014
[18703] dbg: razor2: local tests only, skipping Razor  0.00194
[18703] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC  0.00013
[18703] dbg: reporter: local tests only, disabling SpamCop
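A check for the condition Theo Van Dinter describes in the "No Bayes or RBL Checks !" thread, run over the `config:` lines of a lint debug log like the one above; this is an added example, not part of any post. It assumes `updates_spamassassin_org.cf` (the name sa-update gives the stock channel) or `50_scores.cf` (named earlier on this page) marks the stock rules; the function name and the second sample are constructed.

```python
import posixpath
import re

USING_RE = re.compile(r"dbg: config: using (\S+) for default rules dir")
READ_RE = re.compile(r"dbg: config: read file (\S+)")
# Files whose presence under the default rules dir means the stock rules loaded.
STOCK_MARKERS = {"updates_spamassassin_org.cf", "50_scores.cf"}


def audit_default_rules(lint_debug: str) -> dict:
    """Report which rule files were read from the 'default rules dir'."""
    m = USING_RE.search(lint_debug)
    if m is None:
        return {"rules_dir": None, "channels": [], "stock_rules_loaded": False,
                "finding": "no 'default rules dir' line in the debug output"}
    rules_dir = m.group(1).rstrip("/")
    read = [p for p in READ_RE.findall(lint_debug)
            if p.startswith(rules_dir + "/") and p.endswith(".cf")]
    # Top-level .cf files are the per-channel entry points written by sa-update.
    channels = sorted(posixpath.basename(p) for p in read
                      if posixpath.dirname(p) == rules_dir)
    stock = any(posixpath.basename(p) in STOCK_MARKERS for p in read)
    if stock:
        finding = "stock rules are loaded from " + rules_dir
    else:
        finding = ("only " + ", ".join(channels or ["nothing"]) + " read from "
                   + rules_dir + ": the stock SpamAssassin rules are not loaded")
    return {"rules_dir": rules_dir, "channels": channels,
            "stock_rules_loaded": stock, "finding": finding}


# Lines taken from the lint output on this page (timing column dropped, trimmed).
PAGE_LINT = """\
[18703] dbg: config: using /etc/mail/spamassassin for site rules pre files
[18703] dbg: config: read file /etc/mail/spamassassin/init.pre
[18703] dbg: config: using /var/lib/spamassassin/3.002000 for sys rules pre files
[18703] dbg: config: read file /var/lib/spamassassin/3.002000/saupdates_openprotect_com.pre
[18703] dbg: config: using /var/lib/spamassassin/3.002000 for default rules dir
[18703] dbg: config: read file /var/lib/spamassassin/3.002000/saupdates_openprotect_com.cf
[18703] dbg: config: using /etc/mail/spamassassin for site rules dir
[18703] dbg: config: read file /etc/mail/spamassassin/local.cf
"""

# Constructed sample: both the stock channel and the third-party channel present.
BOTH_CHANNELS_LINT = """\
[4242] dbg: config: using /var/lib/spamassassin/3.002000 for default rules dir
[4242] dbg: config: read file /var/lib/spamassassin/3.002000/saupdates_openprotect_com.cf
[4242] dbg: config: read file /var/lib/spamassassin/3.002000/updates_spamassassin_org.cf
[4242] dbg: config: read file /var/lib/spamassassin/3.002000/updates_spamassassin_org/50_scores.cf
[4242] dbg: config: using /etc/mail/spamassassin for site rules dir
[4242] dbg: config: read file /etc/mail/spamassassin/local.cf
"""

if __name__ == "__main__":
    for label, log in (("page", PAGE_LINT), ("both channels", BOTH_CHANNELS_LINT)):
        print(label + ": " + audit_default_rules(log)["finding"])
```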
SA-Compile Error
Hi, I have just run sa-compile against my rules which ran through okay. Though when I perform a lint now I get the following error :-

/usr/bin/perl: symbol lookup error: /var/lib/spamassassin/compiled/3.002000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so: undefined symbol: Mail_SpamAssassin_CompiledRegexps_body_0_scan1

Any ideas on how to resolve it ?
Re: KAUF-TIPP DER WOCHE spam getting through
2)

 2.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split IP)
 0.0 RELAY_CHECKER_IPHOSTNAME Hostname contains IP address
 1.4 MSGID_FROM_MTA_ID Message-Id for external message added locally
 0.0 RELAY_CHECKER_BADDNS Doesn't have full circle DNS
 1.5 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0001]
 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
 2.0 RELAY_CHECKER Any RelayChecker rule hit

On Wed, 28 Mar 2007 11:40:53 +0300, Panagiotis Christias [EMAIL PROTECTED] wrote:

Hello, the last days we get a lot of spam like this:

spam body begins here

Words disputed interview galli provisions raise, eyebrows dead holders! KAUF-TIPP DER WOCHE LESEN SIE DIE NACHRICTEN STONEBRIDGE RES EXP Frankfurt: S3C.F Name :STONEBRIDGE RES EXP Kurzel :S3C.F WKN :A0HHEB Borsenplatz :Frankfurt Schluss-Stand 23.03.2007 :Euro 0.10 Prognose bis 02.04.2007 :Euro 0.21 Freedom hampton radical illich ivan, fontana ishiguro kazuo. Austerlitz natural history semprun. Scrfrk tue am foudy fans. Newsgroup msdn chappell app? Remote locations talk improving, access ballmer gets intense. Inert numb sensuality touch. Sum timetolive gmt indicate. Required preserve specify references interested. Brutes granta nadezhda hope, hopehope abandoned collins, harvill. Example unicode character exact numeric without decimal such numbers. Cedega natively lowlevel emulators binary gaming opengl. Investors press privacy, statement mypoints mysite, juno, photosite registered. End, dialogues spiritual renewal thames hudson chorus stones. Effective auditing procedures handy records kept propertys examined. Money resources time others, worse than no so why? Setupmore botts george ou real world wireless lan myths! Red hats expense technology, announced last year helping. Guzman writings, osip natasha mandelstam susan, griffin.

spam body ends here

We use rbls on our border mail servers, SA 3.1.8, sa-update and rules_du_jour to update our rule set from spamassassin and rulesemporium sites and various plugins like DCC, Razor, URIDNSBL, SPF, RelayChecker etc. Still many of those spam messages get low scores and slip through. Scores as low as -1.2 (!) like the message above which triggered the following rules:

X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00, MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID autolearn=no version=3.1.8

Ideas and suggestions are welcome. Regards, Panagiotis

ps. I understand that a simple rule matching something /^KAUF-TIPP DER WOCHE$/ would wipe out all of them but I am interested in a more generic/efficient way.

ps2. both messages marked as spam or ham are available here: http://noc.ntua.gr/~christia/tmp/KAUF-TIPP_DER_WOCHE.gz
Re: Big trouble
What MTA are you using ?

On Wed, 28 Mar 2007 12:06:55 +0200, Rocco Scappatura [EMAIL PROTECTED] wrote:

Since some day, it's increased the number of spams which SA doesn't block. Every time I'm going to analyse the message:

1) Save the message in mbox format 'message.mbox'
2) su - amavis -c "spamassassin -t message.mbox"

And I get that the score is greater than 5.0 and often I get:

1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?71.175.150.184]

That is, if the message is sent just now, the message is rejected (?). So I feel that every time that I receive a spam, the system spend a period of time to 'learn' that that message is spam. If this is the truth, I would like to figure out how I can block these messages in advance.. Could someone give me a hint? TIA, rocsca
RE: Big trouble
If you wish to reject at MTA level then please read http://www.postfix.org/uce.html under the section "Client hostname/address restrictions" as you are able to specify a list of RBLs. Regards, UxBoD
On Wed, 28 Mar 2007 12:20:16 +0200, Rocco Scappatura [EMAIL PROTECTED] wrote:
What MTA are you using ?
Postfix+MySQL+Amavisd-new
rocsca
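The RBL check discussed in this exchange, as an added example that is not part of the original posts: it shows how a DNSBL lookup name is built and why the same client IP is accepted before the list has caught up and rejected afterwards. The resolver stub, the function names and the reply strings are assumptions made for the sketch; only the IP and the zone name come from the thread.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.IPv4Address(ip)          # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Map each zone to its A-record answer, or None when the IP is not listed."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:               # NXDOMAIN: not listed
            results[zone] = None
            continue
        # Only 127.0.0.0/8 answers mean "listed"; anything else (for example
        # a wildcarded or parked zone) must not trigger a rejection.
        listed = ipaddress.IPv4Address(answer) in LOOPBACK
        results[zone] = answer if listed else None
    return results

def smtp_decision(ip, zones, resolve=socket.gethostbyname):
    """Illustrative SMTP reply for a connecting client (wording is assumed)."""
    hits = [zone for zone, answer in check_dnsbl(ip, zones, resolve).items() if answer]
    if hits:
        return "554 5.7.1 Client host [%s] blocked using %s" % (ip, hits[0])
    return "250 OK"

def fake_resolver(listed_names):
    """Constructed offline resolver: answers 127.0.0.2 for listed names only."""
    def resolve(name):
        if name in listed_names:
            return "127.0.0.2"
        raise socket.gaierror(socket.EAI_NONAME, "NXDOMAIN (constructed)")
    return resolve

if __name__ == "__main__":
    ip, zones = "71.175.150.184", ["bl.spamcop.net"]
    at_delivery = fake_resolver(set())                         # not yet listed
    at_retest = fake_resolver({dnsbl_query_name(ip, zones[0])})
    print(smtp_decision(ip, zones, at_delivery))               # accepted
    print(smtp_decision(ip, zones, at_retest))                 # rejected
```

A later `spamassassin -t` run sees the second state, which is why the re-test score includes the RBL hit that the original delivery did not.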
Re: Is Bayes Dead? Have the spammers won?
Yes image spam can be a real pain. I have just implemented a new mailserver and image spam is certainly on the increase :-
mysql> select count(*) from maillog;
+----------+
| count(*) |
+----------+
|    15091 |
+----------+
1 row in set (0.00 sec)
mysql> select count(*) from maillog where spamreport like '%FUZZY_OCR%';
+----------+
| count(*) |
+----------+
|     3438 |
+----------+
1 row in set (0.04 sec)
mysql> select count(*) from maillog where spamreport like '%FUZZY_OCR_KNOWN_HASH%';
+----------+
| count(*) |
+----------+
|     1070 |
+----------+
1 row in set (0.04 sec)
On Fri, 23 Mar 2007 06:46:50 -0700, Marc Perkel [EMAIL PROTECTED] wrote:
Perhaps what I need to do is to get rid of autolearn and write my own learning system that strips out the body of messages with images and just learns the headers. My problem is that when users get image spam they put it in the spam folders and they get learned. But the text in the image spam causes ham type text to be learned as spam. That causes ham to get higher scores.
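The headers-only learning idea quoted above, as an added sketch that is not code from either poster: a message carrying an image part is reduced to its headers before it is handed to the Bayes learner, so the innocuous filler text cannot be learned as spam. The function names and the sample message are constructed for the example.

```python
from email import message_from_string
from email.message import Message

# MIME structure headers describe a body that is being dropped.
MIME_HEADERS = {"content-type", "content-transfer-encoding", "mime-version"}

def has_image_part(msg):
    """True if any MIME part of the message is image/*."""
    return any(part.get_content_maintype() == "image" for part in msg.walk())

def training_copy(raw):
    """Return the text to train on: the whole message, or headers only
    when the message contains an image part."""
    msg = message_from_string(raw)
    if not has_image_part(msg):
        return raw
    stripped = Message()
    for name, value in msg.items():
        if name.lower() not in MIME_HEADERS:
            stripped[name] = value
    stripped.set_payload("")                  # empty body, headers preserved
    return stripped.as_string()

# Constructed sample: ham-like text wrapped around a (tiny, fake) GIF part.
SAMPLE_IMAGE_SPAM = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Hi Bob, see you at the meeting on Monday.\n"
    "--b1\n"
    "Content-Type: image/gif\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "R0lGODlhAQABAAAAACw=\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print(training_copy(SAMPLE_IMAGE_SPAM))
```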
Re: Is overall spam volume down?
I only have a small installation but have seen a 50% increase in SPAM recently :( and a lot of it isn't being caught, even with plenty of rules and FuzzyOCR, due to them being very well worded emails :( :(
On Sun, 04 Feb 2007 15:53:23 + Matt Richards [EMAIL PROTECTED] wrote:
I would have thought that spammers would just give up and put their efforts into another form of advertising, I guess a lot of spam stuff gets to a lot of people :(
John wrote:
We're seeing the same here, however they'll probably be back shortly with double the volume ;-)
On Sat, Feb 03, 2007 at 09:50:11PM +0100, Michael Beckmann wrote:
Date: Sat, 03 Feb 2007 21:50:11 +0100 From: Michael Beckmann [EMAIL PROTECTED] To: Andy Figueroa [EMAIL PROTECTED], users@spamassassin.apache.org Subject: Re: Is overall spam volume down?
--On Monday, 29. Januar 2007 08:28 -0500 Andy Figueroa [EMAIL PROTECTED] wrote:
My overall spam volume (2 different servers) is off by 1/2 of what it was 2 weeks ago. This has been sustained for over a week.
Good for you. I received about 200 Megabytes of spam in the first month of this year, this seems to be more than ever. Most was filtered out by Spamassassin of course. Michael
Drug Spam
Sorry for asking as I am sure that it has already been covered. But is there a rule for the new spate of drug SPAM where the URL has "Remove * to make the link working!" in it? Thanks,
Re: Drug Spam
On Sat, 27 Jan 2007 12:25:12 + Nigel Frankcom [EMAIL PROTECTED] wrote:
On Sat, 27 Jan 2007 11:49:03 +, --[ UxBoD ]-- [EMAIL PROTECTED] wrote:
Sorry for asking as I am sure that it has already been covered. But is there a rule for the new spate of drug SPAM where the URL has "Remove * to make the link working!" in it? Thanks,
This was suggested to me yesterday... http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf Bayes training helps too. Kind regards Nigel
I am already using KAM.cf but it has not caught one yet :(
Re: Bayes
IMHO I would imagine that recently, due to the SPAM changes, that your Bayes has become poisoned. But I could be well wrong.
On Fri, 26 Jan 2007 06:09:24 -0500 Jack Gostl [EMAIL PROTECTED] wrote:
The amount of spam getting through my filters has been steadily increasing. From a start of under two percent up to over ten percent. It was getting pretty bad, so I finally, just on a hunch, I wiped my Bayes files and rebuilt them. And, voila!, I'm now running under one percent. Has anyone else seen this? Are there any suggestions as to how to deal with this? Should I regularly rebuild the bayes files? Appreciate any advice. Jack
Re: Should I use greylisting
Check out http://policyd.sourceforge.net/ then as it allows you to specify Servers/IP that should not be greylisted. Works very well.
On Thu, 25 Jan 2007 12:33:19 - Matthew Bickerton [EMAIL PROTECTED] wrote:
Hi, I am setting up a new server, so have a chance to make big changes to my email server. I have been thinking about implementing Greylisting. However, I am worried about blocking/long delays with e-mails from mail farms (gmail, yahoo etc.) I would very much appreciate other people's recommendations on Greylisting or other approaches to reducing the load on my server by rejecting spam early. Matthew
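Greylisting with an exemption list, as discussed in this exchange, in an added sketch that is not policyd's code: exempt networks skip the delay entirely, and everyone else is deferred until a retry arrives after the minimum delay. The class, the /24 keying, the 300 second delay and the documentation-range addresses are assumptions of the example; `DUNNO` and `DEFER_IF_PERMIT` are Postfix access actions.

```python
import ipaddress

class Greylist:
    """IPv4-only greylist keyed on (client /24, sender, recipient)."""

    def __init__(self, exempt_networks, min_delay=300):
        self.exempt = [ipaddress.ip_network(n) for n in exempt_networks]
        self.min_delay = min_delay            # seconds a new triplet must wait
        self.first_seen = {}                  # triplet -> time of first attempt

    def is_exempt(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.exempt)

    def check(self, client_ip, sender, recipient, now):
        """Return the action for one RCPT TO attempt at time `now` (seconds)."""
        if self.is_exempt(client_ip):
            return "DUNNO"                    # exempt senders are never delayed
        # Key on the /24 so a retry from a neighbouring host in the same
        # outbound pool still matches the first attempt.
        net = ipaddress.ip_network(client_ip + "/24", strict=False)
        key = (str(net), sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first < self.min_delay:
            return "DEFER_IF_PERMIT Greylisted, please retry later"
        return "DUNNO"

if __name__ == "__main__":
    # 192.0.2.0/24 stands in for a large provider's outbound range (constructed).
    gl = Greylist(["192.0.2.0/24"])
    print(gl.check("192.0.2.25", "a@example.org", "me@example.net", 0))
    print(gl.check("198.51.100.7", "b@example.com", "me@example.net", 0))
    print(gl.check("198.51.100.9", "b@example.com", "me@example.net", 600))
```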