ways to react faster to spam attacks

2008-03-17 Thread Arvid Ephraim Picciani
greetings.
most of the spam we get (like 90%)  is the usual internet noise. sa filters 
them perfectly with 10 to 20 points. 
Unfortunately from time to time there are waves of very professional spam.
I wonder how you react on those.  Do you quickly hack up an sa rule to filter 
by specific words?  Do you have a central repo for rules? 
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: ways to react faster to spam attacks

2008-03-18 Thread Arvid Ephraim Picciani
On Tuesday 18 March 2008 02:47:00 James E. Pratt wrote:
> Like these?
rather like this
http://rafb.net/p/L5BnTY79.html
 not really "free" software. rather warez sales.
problem: the url isn't blocked by any blocklist because it's different in every 
mail.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: ways to react faster to spam attacks

2008-03-18 Thread Arvid Ephraim Picciani
err way way worse. 
this babelfish translation of the same spam just got autolearned as ham
http://rafb.net/p/99iIHK53.html

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: ways to react faster to spam attacks

2008-03-18 Thread Arvid Ephraim Picciani
On Tuesday 18 March 2008 23:08:03 Loren Wilton wrote:
>On Tuesday 18 March 2008 02:47:00 James E. Pratt wrote:
>> Like these?
>rather like this
>http://rafb.net/p/L5BnTY79.html
> not really "free" software. rather warez sales.

>The SARE "oem software" rules should catch this sort of stuff just dandy.

>Loren
ah thanks.  will read on how to add these.

> > err way way worse.
> > this babelfish translation of the same spam just got autolearned as ham
> > http://rafb.net/p/99iIHK53.html
>
> And that one has a geocities url, which should be good for an automatic 2-3
> points or more.
>
>     Loren

It's changing too fast :/

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: ways to react faster to spam attacks

2008-03-18 Thread Arvid Ephraim Picciani
> The SARE "oem software" rules should catch this sort of stuff just dandy.
>
> Loren


 0.9 SARE_OEM_PRODS_FEW SARE_OEM_PRODS_FEW
 0.4 SARE_PRODUCTS_02   SARE_PRODUCTS_02

not enough :(

any additional rules i could add?

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: ways to react faster to spam attacks

2008-03-18 Thread Arvid Ephraim Picciani
On Tuesday 18 March 2008 23:28:09 Loren Wilton wrote:
> >> And that one has a geocities url, which should be good for an automatic
> >> 2-3
> >> points or more.
> >
> > It's changing too fast :/
>
> I meant a rule against http://(?:www\.)geocities\b or the like, not against
> the specific site on geocities.  That should be good for about 2 points and
> help a lot with a real common spam target.  It certainly won't get all of
> your spam, but it will get an amazing amount.
>
> Loren
hm indeed.  reading how to write rules. thanks a lot.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


no uribl

2008-03-18 Thread Arvid Ephraim Picciani
urm, i just figured those geocities sites are all on the URIBL.  but sa doesn't 
seem to check those. any hint how to add it?
thank you

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: no uribl

2008-03-18 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 01:00:27  Matt Kettler wrote:
> It should be on by default if you've got a reasonably recent version of
> Net::DNS installed.
hum. i think so. it's debian so there is no way to say how they split up 
things, but i have libnet-dns-perl installed.
> However, make sure your /etc/mail/spamassassin/init.pre exists, and that
> the URIDNSBL plugin isn't commented out.
it's not.
> Finally, geocities.com is, by default, in the skip list in 25_uribl.cf.
> If you want SA to check geocities, you'll have to remove that.
aha. ok, i removed that but no luck.  besides it would probably be overwritten 
the next sa-update anyway. why is it there? 
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: blogspot spam

2008-03-19 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 13:21:20 James E. Pratt wrote:
> Hi. I'm seeing lots of these get by:
>
> http://pastebin.com/m8520d64
>
> anyone have a rule for these?
>
> The last one I put up is at:
>
> http://pastebin.com/m159c02de
>
> Thanks,
>
> Jamie

yeah exactly my issue. the site is in uribl already but sa doesn't work with 
uribl and subdomains. see previous posts. 
SARE_OEM helps a little.

-- 
best regards
Arvid Ephraim Picciani


Re: no uribl

2008-03-19 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 03:36:18 Karsten Bräckelmann wrote:
> Arvid, try googling for that string. It has been mentioned (to avoid the
> word "leaked" ;) on this list a few times. And FWIW, bug 5777 holds a
> long-ish and heated discussion.
>   https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5777
>
>   guenther
thanks for that info!



-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Spamassassin Database Question

2008-03-19 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 18:54:24 James wrote:
> i use sa-learn and train it with say 6k emails.
> i delete the original emails.
> Does the database need to read anything from those emails or is it ok to
> get rid of them?
you could as well just pipe the mails to sa-learn, which doesn't take any file 
parameter. 
means, no, sa doesn't need the original mail after you feed it to sa-learn


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: blogspot spam

2008-03-19 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 20:48:00 Michael Hutchinson wrote:
> For those that don't run SA 3.2.3, you could test this rule:
> uri CST_URI_BLOGSPOT m,http://\w+\.blogspot\.com\b,
> describe CST_URI_BLOGSPOT   blogspot.com throwaway URI
> score CST_URI_BLOGSPOT  3.4

thanks Mike, does that match bloglinks like myblog.blogspot.com/myentryxy  ?
if not it might be fine for around 1.0 points imo. i have sare_oem on 3.0 
because our entire company runs linux, so we don't talk about windows 
software anyway :P
i'd prefer a working uribl though :(
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Your Industry profile

2008-03-20 Thread Arvid Ephraim Picciani

nice. spam on the spamassassin ml. anyone got a rule for those already? :D

On Thursday 20 March 2008 11:13:09 agnello george wrote:
>  Hi,
>  I started your industry profile on Orglex by adding you as my contact and
> joined Management Consulting, Commercial Banks, Mobile Operators,
> Magazines, Social Networking, Software Testing Hubs. Orglex delivers
> relevant news, information, networking and jobs within your Industry Hubs.
> The more industry contacts and influence you have, the better your access
> to industry recruiters, jobs and business opportunities. Click on the below
> link to accept my Invitation and increase both your Industry connections
> and influence. http://www.orglex.com/joinhubs/0306184118f09fe4a7f1/
>  Thanks



-- 
best regards
Arvid Ephraim Picciani


Re: Your Industry profile

2008-03-20 Thread Arvid Ephraim Picciani
On Thursday 20 March 2008 12:48:03 Agnello George wrote:
> SO SORRY!! THIS IS A BIG MISTAKE ON MY BEHALF !!! DIDN'T KNOW IT TOOK
> ALL MY ADDRESSES IN MY ADDRESS BOOK!!
> THERE IS NOTHING I CAN DO TO REVERSE
> I DO APOLOGIES AGAIN !!
>
> AGNELLO
it's all good. wasn't dead serious anyway (see the smiley)

-- 
best regards
Arvid Ephraim Picciani


Re: Your Industry profile

2008-03-20 Thread Arvid Ephraim Picciani
On Thursday 20 March 2008 16:31:54 SM wrote:
> At 03:12 20-03-2008, Arvid Ephraim Picciani wrote:
> >nice. spam on the spamassassin ml. anyone got a rule for those already? :D
>
> It's already included in SpamAssassin:
>
> HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,SPF_NEUTRAL

> The score was 7.1.
wow. i got -1.0 here. you're filtering html aggressively?


-- 
best regards
Arvid Ephraim Picciani


Re: Your Industry profile

2008-03-20 Thread Arvid Ephraim Picciani
On Thursday 20 March 2008 18:25:15 SM wrote:
> At 08:44 20-03-2008, Arvid Ephraim Picciani wrote:
> >wow. i got -1.0 here. you're filtering html agressivly?
>
> That's from ASF.
what's ASF?
tests there were:
-0.0 SPF_PASS   SPF: sender matches SPF record
 1.0 FUZZY_ROLEX BODY: Attempt to obfuscate words in spam
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
[URIs: orglex.com]
 0.5 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 0.0 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME parts

> It's better to whitelist messages from an antispam list given the
> nature of the discussion.
not really. we don't say things like "free office 2008"  or "VIAGRA" too 
often :D
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Your Industry profile

2008-03-20 Thread Arvid Ephraim Picciani
On Thursday 20 March 2008 18:44:14 Arvid Ephraim Picciani wrote:
> not really. we don't say things like "  or "*" too
> often :D
hahahaha i shouldn't have provoked it!
just got a bounceback from some MS filter which was almost filtered by my SA 
which would probably result in a bounceback which would result in a 
bounceback which would result in a bounceback YAY!
http://rafb.net/p/enoXlf25.html
whoever is running that spamfilter, fix it!  or just use sa, it's good ;)
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: blogspot spam

2008-03-20 Thread Arvid Ephraim Picciani
On Wednesday 19 March 2008 21:37:27 Loren Wilton wrote:
> This is just off the top of my head, and needs linting and maybe tweaking
> the scores.
>
> uri BAD_BLOGSPOT m'http://[a-z]+\d+\.blogspot\.com'i
> score BAD_BLOGSPOT 1
>
> body __SOFTWARES /(?:product|software|softs|opportunity|oem|best prices|low prices|discount|cheap)/i
>
> meta BLOG_SOFTWARE BAD_BLOGSPOT && __SOFTWARES
> score BLOG_SOFTWARE 3.5
>
> Mind the wrap!
yes!  thanks a lot. based on that wrap i figured i could glue it with uri grey  
(yes uribl is listing geocities in grey now)

body SOFTWARE_AD /(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)/i
score SOFTWARE_AD 0.5
describe SOFTWARE_AD advertising software

meta SOFT_AND_URIGREY URIBL_GREY && SOFTWARE_AD
score SOFT_AND_URIGREY 3.0
describe SOFT_AND_URIGREY contains both an url in the URIBL greylist and software advertisement

that helps a lot. 

Content analysis details:   (10.5 points, 5.0 required)

 pts rule name  description
 -- --
 0.5 SOFTWARE_AD BODY: advertising software
 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 2.0 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP address
[79.6.185.72 listed in dnsbl.sorbs.net]
 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[79.6.185.72 listed in zen.spamhaus.org]
 0.8 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[79.6.185.72 listed in zen.spamhaus.org]
 1.0 URIBL_GREY Contains an URL listed in the URIBL greylist
[URIs: geocities.com]
 3.0 SOFT_AND_URIGREY   contains both an url in the URIBL greylist and
software advertisement

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


no SPF check when claiming to be locally sent

2008-03-20 Thread Arvid Ephraim Picciani
so i got these fake error messages http://rafb.net/p/yESmY248.html
it claims to be sent by [EMAIL PROTECTED]
SPF would reveal that 59.103.12.204 isn't us.  (looks like a dialup in 
pakistan to me) but sa doesn't seem to check the SPF at all. any idea why?
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: blogspot spam

2008-03-21 Thread Arvid Ephraim Picciani
On Friday 21 March 2008 04:27:05 Loren Wilton wrote:
> body SOFTWARE_AD /(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)/i
>
> You probably want to adjust this a little bit.  There are a few things here
> that make me think you aren't getting quite what you expect.
>
> 1.Remove that first vertical bar.  It serves no purpose.
right. i removed that right after i sent it to the ML ;)
> 2.You probably do not want \b between the words.  This is a word-break
> "zero length character".  You almost certainly don't want a zero-length
> character, you want a space or something like that.
yeah just didn't figure out how
> So the rule should probably look more like:
>
> body SOFTWARE_AD /(?:\bbezahlen.{0,50}runterladen|Windows\s+und\s+mit\s+Macintosh|\bOriginalversionen\b.{0,100}\blegal\b)/i
>
>     Loren

awesome. thanks a lot

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
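As an added example (my own code, not rules from the thread or from SpamAssassin), the SOFTWARE_AD and SOFT_AND_URIGREY logic from the 2008-03-20 post and Loren's correction above re-implemented in Python, so the effect of the empty first alternative and of `\b` between words can be seen on sample text. Assumptions: the URIBL greylist is a constructed set containing geocities.com, BLOGSPOT_URI is modelled as a plain host-suffix check, and the sample bodies are constructed.

```python
import re

# Scores as used in the thread (SOFTWARE_AD 0.5, URIBL_GREY 1.0, SOFT_AND_URIGREY 3.0);
# BLOGSPOT_URI at 1.0 follows Loren's BAD_BLOGSPOT suggestion.
SCORES = {"SOFTWARE_AD": 0.5, "URIBL_GREY": 1.0, "BLOGSPOT_URI": 1.0, "SOFT_AND_URIGREY": 3.0}

# Constructed stand-in for the URIBL greylist (the thread notes geocities.com was listed there).
URIBL_GREY_DOMAINS = {"geocities.com"}

# The SOFTWARE_AD body regex exactly as first posted: the empty first alternative in
# "(?:|...)" matches the empty string, so the rule fires on every message.
SOFTWARE_AD_ORIG = re.compile(
    r"(?:|\bbezahlen.*runterladen|Windows\bund\bmit\bMacintosh|\bOriginalversionen\b.*\blegal\b)",
    re.I)

# Loren's corrected version: no empty alternative, \s+ between words, bounded gaps.
SOFTWARE_AD_FIXED = re.compile(
    r"(?:\bbezahlen.{0,50}runterladen|Windows\s+und\s+mit\s+Macintosh"
    r"|\bOriginalversionen\b.{0,100}\blegal\b)",
    re.I)

URI_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def uri_hosts(body):
    return [h.lower().rstrip(".") for h in URI_HOST.findall(body)]


def registered_domain(host):
    # Crude: last two labels (www.geocities.com -> geocities.com); SA uses a fuller suffix list.
    return ".".join(host.split(".")[-2:])


def run_rules(body, software_ad=SOFTWARE_AD_FIXED):
    """Evaluate the thread's rules on one body; returns {rule: score} for rules that hit."""
    hosts = uri_hosts(body)
    hits = {
        "SOFTWARE_AD": software_ad.search(body) is not None,
        "URIBL_GREY": any(registered_domain(h) in URIBL_GREY_DOMAINS for h in hosts),
        "BLOGSPOT_URI": any(h.endswith(".blogspot.com") for h in hosts),  # assumed pattern
    }
    # meta SOFT_AND_URIGREY (URIBL_GREY || BLOGSPOT_URI) && SOFTWARE_AD
    hits["SOFT_AND_URIGREY"] = (hits["URIBL_GREY"] or hits["BLOGSPOT_URI"]) and hits["SOFTWARE_AD"]
    return {name: SCORES[name] for name, hit in hits.items() if hit}


def total_score(body, software_ad=SOFTWARE_AD_FIXED):
    return round(sum(run_rules(body, software_ad).values()), 1)


# Constructed sample bodies (not mails from the thread).
HAM = "Hallo, wir treffen uns morgen um 10 Uhr. Agenda: http://example.org/agenda"
SPAM_GEOCITIES = ("Jetzt bezahlen und sofort runterladen! Originalversionen, 100% legal.\n"
                  "http://www.geocities.com/softshop-constructed/")
SPAM_BLOGSPOT = "Windows  und mit Macintosh kompatibel: http://abc123.blogspot.com/"

if __name__ == "__main__":
    for label, body in [("ham", HAM), ("geocities spam", SPAM_GEOCITIES),
                        ("blogspot spam", SPAM_BLOGSPOT)]:
        print(f"{label:15} as posted: {total_score(body, SOFTWARE_AD_ORIG):4}"
              f"   corrected: {total_score(body):4}")
```

With the regex as posted the ham body still scores SOFTWARE_AD, and any greylisted or blogspot link would then push SOFT_AND_URIGREY's 3.0 points onto legitimate mail; the corrected regex leaves the ham at 0.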


Re: flooded by german software-spam

2008-03-21 Thread Arvid Ephraim Picciani
On Friday 21 March 2008 09:08:51 peter pilsl wrote:
> For more than a week now I'm flooded by software-spam
>
> "leicht zu installierende software"
> "sie werden kein besseres softwareshop finden"
> "software fuer die guenstigste preise"
> "sichere und voellig funktionale software"
> usw. usf.
>

30_blogspot.cf and 50_software.cf from
http://sarah.ibcsolutions.de/~aep/sa/
(credits go to Loren mostly, see previous posts)
as well as 70_sare_oem.cf from http://www.rulesemporium.com/rules.htm


Content analysis details:   (7.3 points, 5.0 required)

 pts rule name  description
 -- --
 0.5 SOFTWARE_AD BODY: advertising software
 0.8 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[123.19.104.245 listed in zen.spamhaus.org]
 1.0 URIBL_GREY Contains an URL listed in the URIBL greylist
[URIs: geocities.com]
 3.0 SOFT_AND_URIGREY   contains both an url in the URIBL greylist or
blogpsot and software advertisement
 0.8 SARE_OEM_PRODS_1   SARE_OEM_PRODS_1
 0.9 SARE_OEM_PRODS_FEW SARE_OEM_PRODS_FEW
 0.4 SARE_PRODUCTS_02   SARE_PRODUCTS_02



adjust the scores to your needs


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: flooded by german software-spam

2008-03-21 Thread Arvid Ephraim Picciani
On Friday 21 March 2008 14:11:09 Richard.Hall wrote:
> meta SOFT_AND_URIGREY   (URIBL_GREY || BLOGPSOT_URI) && SOFTWARE_AD
> should be
> meta SOFT_AND_URIGREY   (URIBL_GREY || BLOGSPOT_URI) && SOFTWARE_AD
indeed. thanks Richard.
added blogpsot to the meta 1 minute ago :D
it's updated 



-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: flooded by german software-spam

2008-03-21 Thread Arvid Ephraim Picciani
On Friday 21 March 2008 17:47:36 Patrick Ben Koetter wrote:
> You probably also don't want the following 1st line to be part of
> 30_blogspot.cf:
> [EMAIL PROTECTED]:/etc/spamassassin/myrules# cat 30_blogspot.cf
> [EMAIL PROTECTED]

hehe, thank you.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


uri obfuscation

2008-03-22 Thread Arvid Ephraim Picciani
Hi,
seems that spammers are leaving encoding characters in the urls to make SA 
unable to parse it. my mail program (kmail currently) displays those urls 
_without_ the leftovers.
http://rafb.net/p/S95P6c12.html
i suggest taking this kind of obfuscation as a sign for spam (ie it should be 
in the default ruleset)


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: uri obfuscation

2008-03-22 Thread Arvid Ephraim Picciani
On Saturday 22 March 2008 19:10:03 Arvid Ephraim Picciani wrote:
> http://rafb.net/p/S95P6c12.html
i forgot two things:
that's a dynamic ip from telecomitalia. i'm getting lots of spam from there but 
the ips are in no dynamic list. is there a more complete list of dynamic 
hosts?  i've seen sorbs doesn't allow submissions at all unless you own the 
pool.
second, i'd love to go and slap some ISPs around a little for not even having 
an abuse@ address. my complaint at telecomitalia just bounced.  It's like 
saying "yeah our customers do spam, so what?". So how do we punish them a 
little? block them from the internet? impossible.  DDOS? too childish.
i guess the most effective way would be to find some email addresses of chiefs 
and relay all  the spam from their network directly to their mailbox. until 
the admin of their mailsystem has to block their own customers. 

oh. another thing. there is a forged received header in the mail i think 
(knowledge of email rfcs ends here)  why didn't sa see it?


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: uri obfuscation

2008-03-22 Thread Arvid Ephraim Picciani
On Saturday 22 March 2008 19:27:15 Justin Mason wrote:
> works for me:
> Content analysis details:   (14.3 points, 5.0 required)
wow that was fast. 5 minutes ago it was in none of those lists. now i get 14.8 
points too.


> what is the URL you think it's missing?

that one:

> Contains an URL listed in the JP SURBL blocklist [URIs: oMUNGEDldbuild.cn]
>  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
> [URIs: oMUNGEDldbuild.cn]


because i get:

 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: oldbuild.cn]

anyway. even if it is not missing it, see in the mail there is a left "=" in 
the uri:

een">http://ec=xzpmi.oldbuild.cn/?175217540350";>Das b

see the "="?  
imo it should be taken as a spam sign. no sane person pastes such urls unless 
he/she intends to bypass url checks.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: uri obfuscation

2008-03-22 Thread Arvid Ephraim Picciani
On Saturday 22 March 2008 19:52:46 SM wrote:
> He was referring to the URL that is wrapped into two lines with the
> quoted-printable encoding.  It is parsed correctly.
so that's no error or invalid markup? ok well in this case... sorry for the 
false alert.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Forged Received headers and Message-Ids (was: Re: uri obfuscation)

2008-03-23 Thread Arvid Ephraim Picciani
On Saturday 22 March 2008 21:31:13 Karsten Bräckelmann wrote:
> On Sat, 2008-03-22 at 19:31 +0100, Arvid Ephraim Picciani wrote:
> > > http://rafb.net/p/S95P6c12.html
>
> Yes, this is a spam alright. The Message-Id alone tells so. See my rule
> KB_RATWARE_MSGID in bug 5830 [1].
> [1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5830
> [2] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5817
nice, thanks a lot.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: uri obfuscation

2008-03-23 Thread Arvid Ephraim Picciani
On Sunday 23 March 2008 02:26:39 Joseph Brennan wrote:
> > thats a dynamic ip from telecomitalia. i'm getting lots of spam from
> > there but  the ips are in no dynamic list. is there a more complete list
> > of dynamic  hosts?
>
> We are currently doing this:
http://sarah.ibcsolutions.de/~aep/sa/70_telecomitalia.cf
thank you!

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: uri obfuscation

2008-03-23 Thread Arvid Ephraim Picciani
On Sunday 23 March 2008 14:10:18 The Doctor wrote:
> Where should this be added?
to your custom rules.
i suggest editing local.cf and adding the following line:
include /etc/spamassassin/myrules
then make that directory and put your custom rules in it (one file is one 
rule)
you can also put all rules at the end of  local.cf.
whatever you prefer.



-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Why two spam assassins rank the same message so differently?

2008-03-24 Thread Arvid Ephraim Picciani
On Monday 24 March 2008 23:14:48 James E. Pratt wrote:
>. Some sites block the whole .PL tld, but that's a bit evil IMO.
I know a big corp who blocks the entire .org.  worst part is that the bounces 
go to the receiver instead of the sender.  "you got an email from your developer 
contact, but you're not allowed to see it because they are commies"

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: spamassassin spam folder

2008-03-30 Thread Arvid Ephraim Picciani
On Sunday 30 March 2008 08:08:19 mstarcom wrote:
> I am currently on a shared host. When I enable spamassassin's spam folder
> in Cpanel, all the spam for the entire domain is lumped into one common
> folder.
>
> I will soon be moving to a VPS.  Will it be possible to configure
> spamassassin so that each users spam folder is seperate?

your MTA does that. not sa. If your MTA supports sendmail style .forward 
files, you can just drop some lines in it, to tell it to redirect mails with 
X-Spam containing yes to a different directory. 
i configured mine to do that for all users. I use exim but every proper MTA 
around should be able to do that. just google or ask at their ML.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


where did uribl go?

2008-03-30 Thread Arvid Ephraim Picciani
I updated from debian to arch and figured my exact same sa configuration 
doesn't test uribl anymore. yes spamhaus works fine, so no i don't have a -L 
switch.
any clues? i did sa-update once but dunno if that had any effect at all.
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


mail from dialups via ISP MTA

2008-03-30 Thread Arvid Ephraim Picciani
Hi so again some understanding issue, 
i just got a mail from some gmail user. It got 5.1 points:

 1.6 TVD_RCVD_IP TVD_RCVD_IP
 1.7 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
[201.20.219.97 listed in combined.njabl.org]
 0.0 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
[201.20.219.97 listed in dnsbl.sorbs.net]
-0.0 SPF_HELO_PASS  SPF: HELO matches SPF record
-0.0 SPF_PASS   SPF: sender matches SPF record
 0.0 HTML_MESSAGE   BODY: HTML included in message
 1.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.1 RDNS_DYNAMIC   Delivered to trusted network by host with
dynamic-looking rDNS

that's pretty weird, because OF COURSE that's a dynamic IP he sent the mail 
from. I mean, you can't ssh into your server and mail from there. And i don't 
get why sorbs is listing it, if it's dynamic. anyone could have that ip.
So what am i missing here? Why is SA complaining about the first received 
field being dynamic while imho that's kind of what it should be like. Most 
spam doesn't come from MUAs.
Does that mean i should tell my MTA to not expose my ip to other MTAs so they 
don't think it's spam from a dynip?

Received: from 66-211-213-17.velocity.net ([66.211.213.17] helo=archlinux.org)
by samir.ibcsolutions.de with esmtp (Exim 4.68)
(envelope-from <[EMAIL PROTECTED]>)
id 1JffAx-EQ-Ng
for [EMAIL PROTECTED]; Sat, 29 Mar 2008 10:49:07 -0700
Received: from [127.0.0.1] (helo=66-211-213-17.velocity.net)
by archlinux.org with esmtp (Exim 4.68)
(envelope-from <[EMAIL PROTECTED]>)
id 1JfeD1-0004Rl-FR; Sat, 29 Mar 2008 12:47:11 -0400
Received: from py-out-1112.google.com ([64.233.166.176])
by archlinux.org with esmtp (Exim 4.68)
(envelope-from <[EMAIL PROTECTED]>) id 1JfeCy-0004Rg-Mx
for [EMAIL PROTECTED]; Sat, 29 Mar 2008 12:47:08 -0400
Received: by py-out-1112.google.com with SMTP id f31so942289pyh.19
for <[EMAIL PROTECTED]>; Sat, 29 Mar 2008 09:47:11 -0700 (PDT)
Received: by 10.65.139.9 with SMTP id r9mr9500666qbn.10.1206809230895;
Sat, 29 Mar 2008 09:47:10 -0700 (PDT)
Received: from ?201.20.219.97? ( [201.20.219.97])
by mx.google.com with ESMTPS id c5sm3272661qbc.19.2008.03.29.09.47.06
(version=TLSv1/SSLv3 cipher=RC4-MD5);
Sat, 29 Mar 2008 09:47:08 -0700 (PDT)


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
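Added example (my own code, not from the thread or from SpamAssassin): a simplified model of how SA walks the Received chain quoted above. It models the behaviour where RBL rules built on a `-lastexternal` set check only the first relay outside trusted_networks, while the other RBL rules check every untrusted relay, so a listing of the submitting dial-up IP deep in the chain still fires. Assumptions: the MX's own network is the placeholder 192.0.2.10/32 (its real address is not in the thread), the DNSBL listings are constructed, and loopback/RFC1918 hops are skipped.

```python
import re
from ipaddress import ip_address, ip_network

# Received headers from the post above, top (our MX) to bottom (origin), abridged to the
# routing parts; the archive's [EMAIL PROTECTED] placeholders and dates are dropped.
RECEIVED = [
    "from 66-211-213-17.velocity.net ([66.211.213.17] helo=archlinux.org) "
    "by samir.ibcsolutions.de with esmtp (Exim 4.68) id 1JffAx-EQ-Ng",
    "from [127.0.0.1] (helo=66-211-213-17.velocity.net) "
    "by archlinux.org with esmtp (Exim 4.68) id 1JfeD1-0004Rl-FR",
    "from py-out-1112.google.com ([64.233.166.176]) "
    "by archlinux.org with esmtp (Exim 4.68) id 1JfeCy-0004Rg-Mx",
    "by py-out-1112.google.com with SMTP id f31so942289pyh.19",
    "by 10.65.139.9 with SMTP id r9mr9500666qbn.10.1206809230895",
    "from ?201.20.219.97? ( [201.20.219.97]) "
    "by mx.google.com with ESMTPS id c5sm3272661qbc.19.2008.03.29.09.47.06",
]

# Placeholder for the receiving MX's own network (its real address is not in the thread).
TRUSTED_NETWORKS = ["192.0.2.10/32"]

# Constructed DNSBL listings: the dial-up IP is "listed" in both a DUL-style list and a
# proxy list, so any difference in outcome comes only from which relays each rule checks.
LISTINGS = {
    "RCVD_IN_SORBS_DUL": ({"201.20.219.97"}, True),     # -lastexternal: first untrusted relay only
    "RCVD_IN_NJABL_PROXY": ({"201.20.219.97"}, False),  # every untrusted relay
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received):
    """IP of the sending relay for each 'from ... by ...' header, top to bottom."""
    ips = []
    for hdr in received:
        m = IP_RE.search(hdr)
        if m and hdr.lstrip().startswith("from "):
            ips.append(m.group(1))
    return ips


def classify_relays(received, trusted_networks):
    """Hops inside trusted_networks are ours; the first relay outside them is the
    'last external' relay; loopback/RFC1918 hops further down the chain are skipped."""
    nets = [ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in relay_ips(received):
        addr = ip_address(ip)
        if not untrusted and any(addr in n for n in nets):
            trusted.append(ip)
        elif addr.is_loopback or addr.is_private:
            continue
        else:
            untrusted.append(ip)
    return {"trusted": trusted,
            "lastexternal": untrusted[0] if untrusted else None,
            "untrusted": untrusted}


def dnsbl_hits(received, trusted_networks, listings):
    """Return {rule: [matched IPs]} for rules whose checked relays appear in the listing."""
    relays = classify_relays(received, trusted_networks)
    fired = {}
    for rule, (listed, lastexternal_only) in listings.items():
        candidates = [relays["lastexternal"]] if lastexternal_only else relays["untrusted"]
        matched = [ip for ip in candidates if ip in listed]
        if matched:
            fired[rule] = matched
    return fired


if __name__ == "__main__":
    print(classify_relays(RECEIVED, TRUSTED_NETWORKS))
    print(dnsbl_hits(RECEIVED, TRUSTED_NETWORKS, LISTINGS))
```

The last-external relay here is the archlinux.org host (66.211.213.17), so the DUL-style check never looks at 201.20.219.97, while the proxy-list check over all untrusted relays does, matching the RCVD_IN_NJABL_PROXY hit in the report above.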


Re: mail from dialups via ISP MTA

2008-03-31 Thread Arvid Ephraim Picciani
thanks got it. indeed the archlinux server looks like a dynip, so that match 
is perfectly fine.
for the original sender i wonder why NJABL is listing dynips. someone ran an 
open proxy on a dynamic host and now everyone getting that ip has to suffer?
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: mail from dialups via ISP MTA

2008-03-31 Thread Arvid Ephraim Picciani
On Monday 31 March 2008 22:53:45 Matus UHLAR - fantomas wrote:
> Such IP's are thus not designed to send mail directly to recipients - users
> have to send mail through mailserver with static IP that can autenticate
> them. 
True. The problem is, that's exactly what happened but SA matched the sender 
anyway because he's in the received headers.  
Someone mentioned trust path but i don't think it's broken. SA matched the 
archlinux server perfectly fine as the first dynhost sending to my trusted 
network.



-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: mail from dialups via ISP MTA

2008-04-01 Thread Arvid Ephraim Picciani
On Tuesday 01 April 2008 16:06:25 Matus UHLAR - fantomas wrote:
> > On Monday 31 March 2008 22:53:45 Matus UHLAR - fantomas wrote:
> > > Such IP's are thus not designed to send mail directly to recipients -
> > > users have to send mail through mailserver with static IP that can
> > > autenticate them.
>
> On 31.03.08 22:06, Arvid Ephraim Picciani wrote:
> > True. The problem is, thats exactly what happened but SA matched the
> > sender anyway becouse he's in the received headers.
>
> iirc they only matched RDNS_DYNAMIC which means "reverse DNS looks like 
> dynamic". That scores 0.1 points and only scores more in combination with
> other rules. However changing the DNS should help.
>
actually i mean SORBS and NJABL.  they matched the sender.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: mail from dialups via ISP MTA

2008-04-01 Thread Arvid Ephraim Picciani
and another mail false positive:

 2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
  [Blocked - see <http://www.spamcop.net/bl.shtml?91.151.146.244>]
 1.1 RCVD_IN_SORBS_WEB  RBL: SORBS: sender is a abuseable web server
[91.151.146.244 listed in dnsbl.sorbs.net]

again a perfectly valid login into gmail. 
So if you want to damage an ISP you're going to run some open proxies on dynips 
and voila the next user having that ip gets blocked. i don't get it.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


blogspot uris changed

2008-04-03 Thread Arvid Ephraim Picciani
just a hint for those who use blogspot rules: 
the uri scheme changed to a random number/character combination. 
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: mail from dialups via ISP MTA

2008-04-03 Thread Arvid Ephraim Picciani
> On 01.04.08 17:20, Arvid Ephraim Picciani wrote:
> > actually i mean SORBS and NJABL.  they matched the sender.
>
> if we are still talking about mail from 66-211-213-17.velocity.net
> [66.211.213.17], they were not matched by any dynamic lists.
>
sender! not the relay. the relay matching RDNS_DYNAMIC is perfectly fine. it's 
their fault.
> your first mail indicates problem with different IP. and this IP only
> matches RDNS_DYNAMIC
that was what i was saying. i should have marked problem 1) and 2) to make it 
more clear.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


someone running spamtraps?

2008-04-04 Thread Arvid Ephraim Picciani
we've got a domain that got joe-jobbed.
and found a spam worm on some faildows machine.
where do i send those? I mean, maybe someone can make use of it.
-- 
best regards
Arvid Ephraim Picciani


Re: someone running spamtraps?

2008-04-05 Thread Arvid Ephraim Picciani
On Friday 04 April 2008 15:05:37 Giampaolo Tomassoni wrote:
> I wouldn't do that: you risk your own inet address to be reported as a spam
> source: most spamtraps are not smart enough to understand you are trying to
> help...

It's ok. we're going to throw that domain away anyway. weird thing is we 
didn't even have anything finished on it.

> Why don't you open a reporting account (free) in spamcop (www.spamcom.net)
> and report those messages there?

good idea. thanks

On Friday 04 April 2008 18:13:59 Benny Pedersen wrote:
> http://www.clamav.org/ submit a file
>
> lets kill that worm now :=)
>
will do. thanks.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


foreign languages

2008-04-10 Thread Arvid Ephraim Picciani
greetings.
any ideas for spam in Russian and Chinese? (some even with broken charset)
XBL and bayes are very effective but not enough :/
I'd like to have some kind of language matcher. We don't have people speaking 
Russian in the company so it would be nice to give 1 or 2 points on just the 
language.
-- 
best regards
Arvid Ephraim Picciani


Re: Returned mail spam

2008-04-10 Thread Arvid Ephraim Picciani
On Thursday 10 April 2008 17:16:40 mouss wrote:
> I personally have found that SPF causes more problems than it helps, and
> for that I do not recommend setting SPF record for "general use" domains.

mind explaining in more detail?  I use SPF on all 300 domains. I don't think 
anyone actually checks them but so what? Maybe someone does. What's the trouble 
you speak of?


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: foreign languages

2008-04-10 Thread Arvid Ephraim Picciani
thanks Matt  and Mathus. That helps.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


filtered by mass hosters

2008-04-11 Thread Arvid Ephraim Picciani
Hi,
unfortunately lots of our legitimate mails are filtered by mass hosters like 
web.de and aol. 
Does anyone have any clue how to find out why?
I'm not talking about mass mailing here, just regular mails like this one from 
exactly the server i am sending from now.
They are using sender callouts btw :(
(no i don't block those)
-- 
best regards
Arvid Ephraim Picciani


Re: FW: Why is this spam passing my SA (counterfeit goods)

2008-04-11 Thread Arvid Ephraim Picciani
On Friday 11 April 2008 19:53:30 Josie Walls wrote:
> Hello,
>
> Would this group agree that requiring 5 hits in order to classify an email
> as spam is too conservative a number?

i disagree. 
Rather than setting the score lower, you should set specific tests higher that 
do match the spam specific to your network. Most of the tests are scored very 
low by default, because the default config has to be sane for a large amount 
of users.  

> I suspect ISPs have their filter settings at 3 or less.
some ISPs use spamfilters that identify messages as 10% spam if they 
contain the word "fuck". 
that doesn't mean it's smart.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Can SpamAssassin do an auto fail for these please ?

2008-04-14 Thread Arvid Ephraim Picciani
On Saturday 12 April 2008 19:03:49 Chris wrote:
> Has anyone found a way to have fail: no such user here

you mean "550 Unknown user"?
actually your mailserver is supposed to do that.

> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]

>, for senders, who
> send from one of a long list, like :

in this case you should just reject the mail with "550 Delivery from Croatia 
unacceptable"
we're actually planning to do that since there is 0% ham from them.
But be careful, that's only valid if you're really really sure that you won't 
ever receive mails from those countries (including forward services, free 
hosters, etc)

For most situations there are way better methods of catching the spam.
like locales_ok.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


is this backscatter or not

2008-04-14 Thread Arvid Ephraim Picciani
Hi,
I'd like to discuss if returning a mail that went through a mailing list, back 
to the sender can be described as backscatter. I sent the postmaster a mail 
because they filter mails that contains specific words and send a bounce to 
the sender. Now i'm preparing to discuss this with him/her and would like to 
hear your opinion.
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: is this backscatter or not

2008-04-14 Thread Arvid Ephraim Picciani
On Monday 14 April 2008 22:28:58 Bob Proulx wrote:
> Martin Gregorie wrote:
> > Arvid Ephraim Picciani wrote:
> > > I'd like to discuss if returning a mail that went through a
> > > mailing list, back to the sender can be described as backscatter.
> > > I sent the postmaster a mail because they filter mails that
> > > contains specific words and send a bounce to the sender. Now i'm
> > > preparing to discuss this with him/her and would like to hear your
> > > opinion.
> >
> > I would say not.
>
> I would say yes but it depends.  I also consider backscatter any of
> those many misconfigured virus scanners that detect a virus and then
> send a notification to the From: address on the message.  (They
> detected a virus, knew that viruses forge addresses, then sent a
> message to the probably forged from address?  That is very bad.)
>
> If the mailing list is scanning for particular words and generating a
> message back to the From: address upon a hit on particular words then
> it would certainly be possible to provoke such a system into
> generating backscatter.  If I were to forge your email address and
> include these forbidden words and send it to the list software and
> that list software were to throw notifications back to an uninvolved
> third party who just happened to have their address forged on the
> "From:" address of the mail then to that third part they are getting
> back-scatter spam as part of a joe-job attack.
>
> On the other hand if the from address is generally trusted and this is
> a valid notification that your mail that you sent isn't getting
> through because of content filtering then I would not consider that
> backscatter.  That would just be normal useful notification.
>


Na, it's not the ML itself but someone _on_ the ML.



-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: a new kind of annoyance, the undeliverables

2008-04-16 Thread Arvid Ephraim Picciani
On Wednesday 16 April 2008 15:01:25 Erik Dasque wrote:
> Hi all,
>
> it's actually not that new since it's been happening for a few years
> on my personal email but it has invaded work too and I was wondering
> what your thoughts were about it. I don't know how to call it 

Joe-jobbing (what the spammer does) or backscatter (what the defective email 
servers do).

> but essentially it comes from spammers using my work or personal email
> addresses to send spam email. 
> From what I can see, they are not using 
> my SMTP server or anything like that, they're just forging the From/
> Reply-To to send email 'as me'.

yup. 

>
> As a result of those thousands (millions) of Spam emails sent 'by
> me', I get a hefty number of undeliverable email notices in my inbox
> (from the thousands of invalid address in the spammer address book).
> It goes in waves, sometimes I'll go months without any and all of a
> sudden I'll find 500 in my inbox.
>
> I realize this is a list about s.a. but since this is spam related
> though not directly spam, I was wondering what you guys thought about
> it and do about it if it happens to you.

http://www.openspf.org/ for avoiding getting joe-jobbed

http://www.backscatterer.org/ for blocking the "undelivered" reports


> It bothered me in my 
> personal email but it bothers a hundred people at work. I am guessing
> it doesn't help white-listing my domain name and many of our normal
> emails might get marked as spam as a result.



-- 
best regards
Arvid Ephraim Picciani
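SPF, linked above as the way to avoid being joe-jobbed (and explained further down this archive in the "Implementing SPF" reply), comes down to three inputs: the domain of the envelope sender, that domain's SPF record, and the IP of the last machine outside your trusted path, i.e. the client that handed the message to your MX. The following is an added example, not code from the thread or from SpamAssassin's SPF plugin. It implements a reduced check_host() over a constructed in-memory DNS table (FAKE_DNS, using reserved .example names and documentation addresses) in place of real TXT/A/MX lookups; exists:, ptr: and redirect= are deliberately out of scope.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. A real checker
# would query TXT (SPF), A/AAAA and MX records for these names.
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all",
        "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 ~all",
        "softie.example": "v=spf1 a ~all",
        "mxonly.example": "v=spf1 mx -all",
    },
    "a": {
        "mail.example.com": ["203.0.113.25"],
        "softie.example": ["192.0.2.7"],
        "relay.mxonly.example": ["192.0.2.40"],
    },
    "mx": {
        "example.com": ["mail.example.com"],
        "mxonly.example": ["relay.mxonly.example"],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _hosts_match(addr, names, dns):
    """True if addr equals any A record of the given host names."""
    return any(addr == ipaddress.ip_address(a)
               for name in names for a in dns["a"].get(name, []))


def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Simplified SPF check_host() (RFC 7208 section 4).

    ip     -- address of the last machine outside your trusted path
    domain -- domain of the envelope sender (MAIL FROM)
    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if depth > 10:                      # RFC limit on DNS-querying mechanisms
        return "permerror"
    record = dns["txt"].get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:                 # modifiers: exp= is ignored, redirect= unsupported
            if term.lower().startswith("exp="):
                continue
            return "permerror"
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # a v6 client never matches an ip4 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _hosts_match(addr, [arg or domain], dns)
        elif name == "mx":
            matched = _hosts_match(addr, dns["mx"].get(arg or domain, []), dns)
        elif name == "include":
            # include: only a "pass" of the referenced record counts as a match
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:                           # exists:, ptr:, a/cidr forms: not handled
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def spf_check_sender(ip, mail_from, helo, dns=FAKE_DNS):
    """Pick the identity the way a receiver does: the MAIL FROM domain, or
    the HELO name when the envelope sender is empty (bounces)."""
    domain = mail_from.rpartition("@")[2] if "@" in mail_from else helo
    return check_host(ip, domain, dns)
```

The result is only as good as the IP you feed in: if you hand it the address of your own secondary MX or of a forwarder, every legitimate sender "fails", which is exactly the trusted-path point made in the later SPF thread.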


Re: relays.ordb.org returning positive for everything?

2008-04-16 Thread Arvid Ephraim Picciani
On Wednesday 16 April 2008 11:13:04 Daniel Zaugg wrote:
> Wow ! Aren't you guys proud to be postmasters !
No. The real one got fired.

hehe

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Another candidate for the hall of Shame: Eschelon

2008-04-18 Thread Arvid Ephraim Picciani
On Saturday 19 April 2008 03:10:42 Philip Prindeville wrote:
> Which S/X/RBL would be most
> effective in this case?
Spamhaus. If it's a known spammer, the ISP will get in trouble pretty fast.
No clue how you submit anything to them though :/
Maybe they already know, if the problem is big enough.
If the problem is too small for Spamhaus, try getting them on small but 
no-one-should-use lists like rfc-ignorant. Just to slap them around a little. 
And link back to the entries ;)

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: Blogger URLs

2008-04-20 Thread Arvid Ephraim Picciani
On Sunday 20 April 2008 18:39:29 Dan Mahoney, System Admin wrote:
> A lot of the spam I'm seeing sneak past spamassassin has a blogger url in
> it (this seems to be a new favorite for spammers).

yep

> Can someone do a spam-versus-ham comparison for included links to
> blogger.com

Well, some "independent" research that was "coincidentally" sponsored by 
Microsoft said it's 95%.
Obviously that's crap. It totally depends on your company setup.

> If it proves high enough, would a rule be possible?

http://sarah.ibcsolutions.de/~aep/sa/30_blogspot.cf

combine that with other rules like SARE_OEM or 
http://sarah.ibcsolutions.de/~aep/sa/50_software.cf

Also note that at least for me 100% of blogspot spam comes from dialups. So 
again a combined rule is useful. (Besides, XBL is extremely effective.)

Bayes is very effective too, since spammers are becoming a lot less creative 
with rephrasing.

> Also, would it be possible to make spamassassin -r smart about reporting
> such links straight to the feedback form here:
>
> http://help.blogger.com/?page=troubleshooter.cs&problem=&ItemType=spam&cont
>act_type=Spam&Submit=Continue

I doubt that helps.  The spammers are just recreating them.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: How do I Test SpamAssassin

2008-05-11 Thread Arvid Ephraim Picciani
On Sunday 11 May 2008 09:13:28 Marc Ferguson wrote:
> Hi,
>
> I looked on the wiki to see how do I test my installation of
> spamassassin.  I'm confused because it's not really giving me a method
> that works right out-of-the-box.  It looks like the preferred method is
> The GTUBE.  Based on that page it looks like I would use an external
> mail client, such as Gmail, Yahoo, or anything else besides my local
> desktop email client - and send mail to myself making sure a specific
> 68-byte string is in the body of the email.
>
> My results have been that Gmail won't send it because their spam filter
> recognizes it.  I've tried Yahoo and they did the same thing.  I'm a
> regular user and I'm trying to apply this to my evolution application.
> Thanks for any clarification.
>
> Marc F.


Just use spamc and feed a message manually, unless you want to test your MTA, 
in which case you need to check the manual of your MTA.
You can as well just send a message to yourself using telnet from your home 
computer. A properly set up spam filter will match XBL, no matter the content 
of your message.
-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


faked bouncebacks. what the?

2008-05-12 Thread Arvid Ephraim Picciani
I've got those:

http://rafb.net/p/q3eZwd93.html

Can anyone see any sense in it? It uses my hostname to fake a bounceback that 
claims I sent a message to another faked address, while doing all that from a 
dialup. What's the point of that? Testing spambots?

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: faked bouncebacks. what the?

2008-05-13 Thread Arvid Ephraim Picciani
On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
> On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
> > http://rafb.net/p/q3eZwd93.html
> >
> > Can anyone see any sense in it?  It uses my hostname to fake a bounceback
> > that claims I sent a message to another faked address, while doing all
> > that from a dialup.  What's the point of that?  Testing spambots?
>
> from the SA FAQ
> (http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):
>
> # I'm getting a lot of "backscatter" / bounce messages / undeliverable
> email notices / etc. regarding mail I didn't send. How can I block them?
>
> http://wiki.apache.org/spamassassin/VBounceRuleset


It's not backscatter. Please read the message again, you'll see that it 
actually _pretends_ to be backscatter.
I'm just asking here because I wondered why someone would do that.


-- 
best regards
Arvid Ephraim Picciani


Re: faked bouncebacks. what the?

2008-05-13 Thread Arvid Ephraim Picciani
On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:

> I've looked at it and I've (probably) missed it (again). Why do you think
> that it pretends to look like backscatter, and why do you think it is not?

Backscatter is what happens if mail systems automatically reply to forged From: 
headers.
In this case the mail was never sent over any third party. It claims to be a 
bounceback from my own MTA, while in fact it never went through any MTA 
(directly sent from a dialup).
I'm worried that this might be a new form of joe-jobbing. I.e. someone sends out 
mails that look like bouncebacks from your machines.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: faked bouncebacks. what the?

2008-05-13 Thread Arvid Ephraim Picciani
On Tuesday 13 May 2008 22:45:43 mouss wrote:


> That said, one possibility is this: Some soho have an MSA on a dsl line. 
> a ratwared box inside (or a web service running on the MSA box) sends 
> mail to an invalid recipient. the MSA gets rejected and then sends you 
> an NDR. the MSA is borked enough to helo with the recipient domain, and 
> generates an incomplete NDR.

Interesting. And broken enough to use my hostname as From, in the body, HELO 
and message-id? Double backscatter? Kind of weird, but if that works it would 
at least just be some coincidence rather than intention.


> PS. The link you posted is no more valid... (I mean
> http://rafb.net/p/q3eZwd93.html)

Sorry. I replaced the hostname with example.com and will keep it permanently 
here.
http://exys.org/stuff/fakebounce.txt


On Tuesday 13 May 2008 22:58:52 Matus UHLAR - fantomas wrote:
> To summarize, the original message was a bounce, and it was a backscatter.

Are you saying that the definition of "bounceback" is "everything that 
contains the subject line 'Undelivered mail'", or are you claiming that my 
server actually does backscatter?
If you read closely again you will see that the message body claims to be 
generated by me:
"Reporting-MTA: dns; mx1.example.com"

and the from is forged:
From: [EMAIL PROTECTED] (Mail Delivery Subsystem)

and the helo:

Received: from pool-151-204-219-7.pskn.east.verizon.net ([151.204.219.7] 
helo=example.com)

It's not a bounceback. It's 100% fake, not containing any extra content. The 
entire purpose of the message is to look like backscatter.

> I really see no point of speculating who did the spammer want to spam, it
> would change nothing.

Oh I do, because of exactly my above point. People WILL start claiming that 
this is real backscatter and block or score the IP or hostname. 

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
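A check for the forgery described in this thread, as an added example (not code from the thread or from SpamAssassin's VBounce ruleset): a genuine DSN that names your own MX in Reporting-MTA can only have originated inside your own network, so a DSN that claims mx1.example.com yet arrives from an outside client (here one whose HELO also claims your domain) is forged, and the connecting IP rather than the claimed hostname is what deserves the score. The sample messages are constructed, modelled on the header fragments quoted above; example.com and 203.0.113.0/24 stand in for the site's domain and network.

```python
import email
import ipaddress
import re

# Constructed samples. The first mirrors the headers quoted in this thread
# (the original paste is gone); the other two are invented for contrast.
FAKE_BOUNCE = """\
Received: from pool-151-204-219-7.pskn.east.verizon.net ([151.204.219.7] helo=example.com)
\tby mx1.example.com with esmtp; Tue, 13 May 2008 15:10:00 +0200
From: MAILER-DAEMON@example.com (Mail Delivery Subsystem)
To: user@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

This is the mail system at host mx1.example.com.

Reporting-MTA: dns; mx1.example.com
Final-Recipient: rfc822; nobody@somewhere-else.invalid
Action: failed
Status: 5.1.1
"""

GENUINE_EXTERNAL = """\
Received: from mail.other.example ([192.0.2.10] helo=mail.other.example)
\tby mx1.example.com with esmtp; Tue, 13 May 2008 15:12:00 +0200
From: MAILER-DAEMON@other.example (Mail Delivery Subsystem)
To: user@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

Reporting-MTA: dns; mail.other.example
Final-Recipient: rfc822; gone@other.example
Action: failed
Status: 5.1.1
"""

LOCAL_DSN = """\
Received: from localhost ([127.0.0.1] helo=mx1.example.com)
\tby mx1.example.com with esmtp; Tue, 13 May 2008 15:14:00 +0200
From: MAILER-DAEMON@example.com (Mail Delivery Subsystem)
To: user@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

Reporting-MTA: dns; mx1.example.com
Final-Recipient: rfc822; typo@other.example
Action: failed
Status: 5.1.1
"""

OUR_DOMAIN = "example.com"                       # assumed site domain
OUR_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]   # assumed site network

# "from <rdns> ([<ip>] helo=<name>)" as Exim writes it; helo= is optional
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(\[([0-9a-f.:]+)\](?:\s+helo=([^\s)]+))?\)", re.I)
REPORTING_MTA_RE = re.compile(r"^Reporting-MTA:\s*dns;\s*(\S+)", re.I | re.M)


def first_hop(msg):
    """(rdns, ip, helo) of the client that handed the message to our MX.
    Our MX wrote the topmost Received header; everything below it is
    sender-supplied text and cannot be trusted."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", received[0]))
    return (m.group(1), m.group(2), m.group(3)) if m else None


def claimed_reporting_mta(msg):
    """The host the DSN body says generated it (None if there is no such line)."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        m = REPORTING_MTA_RE.search(payload.decode("ascii", "replace"))
        if m:
            return m.group(1)
    return None


def _claims(name, our_domain):
    name = (name or "").lower().rstrip(".")
    return name == our_domain or name.endswith("." + our_domain)


def classify_bounce(raw, our_domain=OUR_DOMAIN, our_networks=OUR_NETWORKS):
    """not-a-dsn | unparseable-received | local-dsn | forged-local-dsn | external-dsn"""
    msg = email.message_from_string(raw)
    reporting = claimed_reporting_mta(msg)
    if reporting is None:
        return "not-a-dsn"
    hop = first_hop(msg)
    if hop is None:
        return "unparseable-received"
    _rdns, ip, helo = hop
    addr = ipaddress.ip_address(ip)
    from_inside = any(addr in net for net in our_networks)
    if _claims(reporting, our_domain) and from_inside:
        return "local-dsn"
    # A DSN that names our MX, or a HELO that names our domain, from an
    # outside client is a forgery: no real bounce of ours enters from outside.
    if (_claims(reporting, our_domain) or _claims(helo, our_domain)) and not from_inside:
        return "forged-local-dsn"
    return "external-dsn"
```

The "external-dsn" outcome is where real backscatter lives and where VBounce or backscatterer.org apply; the "forged-local-dsn" outcome is the case argued above, and the thing to score or reject is the dialup client, since the hostname in the body and HELO is yours.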


custom scores not working

2009-05-07 Thread Arvid Ephraim Picciani

Greetings,
with 3.2.5 I can't get custom scores working.
I usually added them in /etc/mail/spamassassin/x_90_scores.cf
but that won't work anymore, so I added them at the bottom of 
/etc/mail/spamassassin/local.cf, but no luck either.

For example I have:
  score HTML_MESSAGE 0.1
but SA still scores it 0.0


Re: custom scores not working

2009-05-07 Thread Arvid Ephraim Picciani

*facepalm*
I was testing an already scored message and reading the wrong report.
Thanks anyway, and sorry.


opinions on greylisting and others

2009-05-22 Thread Arvid Ephraim Picciani

Greetings.
I'm thinking of implementing:
- greylisting
- honeypots
- rejecting broken HELO at SMTP time (such as "MUMS_XP_BOX")
- rejecting dynamic IPs at SMTP time (PBL)
- firewalling hosts with 100% spam, forever.

Are there any opposing opinions on those?
I recall some people don't like greylisting for some reasons.
Also I'm unsure if I should firewall, since the postmaster of that host 
might all of a sudden get things under control. But we currently have around 
99% spam, so I think I need more drastic actions before our mailbox 
overloads :(


I'm getting lots of it from zombies, so I wonder if it's legitimate to scan 
the sender before accepting. For example if it blocks ICMP, it's very 
likely a home router. But I have no data on that, and no clue.
Spamhaus has only about half of the zombies. PBL even lacks half of the 
German dialup ISPs. I'm thinking I need my own techniques to build such 
lists.


thanks.
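Two of the SMTP-time measures listed in this post, greylisting and rejecting syntactically broken HELOs, as an added example that is not code from the thread or from any MTA's policy daemon. The greylist keys on (client /24, envelope sender, recipient) and uses a 300-second delay and a 4-hour retry window, both assumed values; the HELO check requires either an FQDN or a bracketed address literal, so "MUMS_XP_BOX" is refused. The PBL lookup and the firewalling from the list are left out because they need live DNS and the packet filter.

```python
import ipaddress
import re

# Hostname: two or more labels, alphanumeric/hyphen labels, alphabetic TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# RFC 5321 address literal, e.g. "[192.0.2.1]"
LITERAL_RE = re.compile(r"^\[([0-9.]+)\]$")


def helo_problem(helo):
    """None if the HELO/EHLO argument is syntactically acceptable, otherwise
    a short reason usable in a 5xx reply."""
    m = LITERAL_RE.match(helo)
    if m:
        try:
            ipaddress.IPv4Address(m.group(1))
            return None
        except ValueError:
            return "malformed address literal"
    if FQDN_RE.match(helo):
        return None
    if "." not in helo:
        return "not a fully qualified hostname"
    return "invalid hostname syntax"       # e.g. a bare IP without brackets


class Greylist:
    """Triplet greylisting: (client /24, sender, recipient) is deferred on
    first sight and accepted once retried after `delay` seconds but within
    `retry_window`; verified triplets are then accepted immediately."""

    def __init__(self, delay=300, retry_window=4 * 3600):
        self.delay = delay
        self.retry_window = retry_window
        self._seen = {}                    # triplet -> [first_seen, verified]

    @staticmethod
    def _key(client_ip, sender, rcpt):
        # /24 so that a sending farm retrying from a sibling host still passes
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        key = self._key(client_ip, sender, rcpt)
        entry = self._seen.get(key)
        if entry is None:
            self._seen[key] = [now, False]
            return "defer"
        first, verified = entry
        if verified:
            return "accept"
        if now - first < self.delay:
            return "defer"                 # retried too early
        if now - first > self.retry_window:
            self._seen[key] = [now, False] # stale unverified entry: start over
            return "defer"
        entry[1] = True
        return "accept"


def smtp_policy(greylist, client_ip, helo, sender, rcpt, now):
    """Decide at SMTP time. Returns (action, reply line)."""
    reason = helo_problem(helo)
    if reason:
        return ("reject", f"550 5.5.2 HELO {helo}: {reason}")
    if greylist.check(client_ip, sender, rcpt, now) == "defer":
        return ("defer", "451 4.7.1 Greylisted, please try again later")
    return ("accept", "250 OK")
```

The greylist entry is keyed on the /24 rather than the exact IP on purpose: large senders retry from a different host in the same pool, and keying on the exact address is the usual reason greylisting "loses" legitimate mail. The HELO check is syntax only; whether the name resolves or matches the client is a separate, more expensive test.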


Re: Google docs spam

2008-05-21 Thread Arvid Ephraim Picciani
On Wednesday 21 May 2008 12:12:11 ram wrote:
> Spammer is using the docs page with a id from google. At least google
> should have a decent abuse reporting system 

This is new. Spammers are fast :(

> This mail went by almost clean, Are there any rules I am missing
> https://ecm.netcore.co.in/tmp/spamgd.txt

Same here. 0.0 points. (Without Bayes.)

The spam source is still not listed anywhere. 
Reporting to SpamCop might be an option. 
Looks like a Czech dialup, I wonder why they are not listed in the PBL.

Maybe one can write a rule for those:
Received: from [77.48.35.201] (unknown [10.10.1.25]) by smtp-sfn.sitkom.cz

(Are there any DNSBLs for reserved IPs?)



-- 
best regards
Arvid Ephraim Picciani


Re: vbounce does not catch qmail bounces

2008-06-05 Thread Arvid Ephraim Picciani
On Thursday 05 June 2008 23:34:42 mouss wrote:
> the Message-id must be supplied by the MUA. 

RFC 2822 says: "every message SHOULD have a "Message-ID:" field."
I can't find the addition "except the origin is a pre-stone-age qmail server" 
here.
Well, it says "SHOULD". So actually your system is supposed to handle a 
non-existing message-id gracefully and qmail gets away once again.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


Re: vbounce does not catch qmail bounces

2008-06-05 Thread Arvid Ephraim Picciani
On Friday 06 June 2008 00:11:37 mouss wrote:

> postfix adds missing (mandatory) headers because it works as a
> submission MTA, because this is how sendmail has always worked. This
> behaviour is no more desirable for an MX (it is good for an MSA).

Right, now I get your point. I thought you were saying that an MSA shouldn't 
add those either. Obviously if you are the last MX in the chain, adding a 
message-id is totally useless. I agree on that.

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani


make SA remove X-Spam-Flag

2008-06-12 Thread Arvid Ephraim Picciani
Hi,
just 10 minutes ago I received a false positive. First I was confused, then I 
figured that my SA setup didn't actually flag it, but the sender's SA did.
So, how could I tell SA to remove any X-Spam flags in case the mail has been 
identified as non-spam?
-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


Re: Enable emails sent from localhost

2008-06-13 Thread Arvid Ephraim Picciani
On Friday 13 June 2008 12:00:18 Rob van der Linde wrote:
> I know that mail sent from localhost is ok, because I created the PHP
> scripts myself. 

Well... no. If SA says they're not ok, then they're not ok.

You can "fix" your MTA to not pass outgoing mails to SA, 
but neither can you "fix" SA, nor can you "fix" other people's SA.
-- 
best regards
Arvid Ephraim Picciani


Re: Enable emails sent from localhost

2008-06-13 Thread Arvid Ephraim Picciani
On Friday 13 June 2008 12:39:39 you wrote:

> can't you tell spamassassin to only check incoming mails, not outgoing
> mails? 

SA doesn't have "outgoing" and "incoming". That's your MTA. 
Besides, SA does already HAVE a rule for mails sent from yourself.
ALL_TRUSTED should trigger on those mails.
That doesn't completely eliminate spam checking of course, so if your mail gets 
scored very high, it is still flagged as spam. 





-- 
best regards
Arvid Ephraim Picciani


Re: EuroPharmacie

2008-06-22 Thread Arvid Ephraim Picciani
On Sunday 22 June 2008 15:10:09 mouss wrote:

> Did anybody see ham coming out of *.retail.telecomitalia.it?

We're blocking the entire network at SMTP time since they ignore abuse reports 
and 20% of our spam comes from that network.
No, I've never seen ham, but we don't have any contact with actual Italian 
companies or individuals. So as usual it depends on your environment.


-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


Re: i'm unable to catch these

2008-07-02 Thread Arvid Ephraim Picciani
>Received: from n75.bullet.mail.sp1.yahoo.com ([10.10.10.21]) by 
>EXCHANGE02.norddeutsche.de with Microsoft SMTPSVC(6.0.3790.3959);
>Mon, 30 Jun 2008 18:58:44 +0200

Huh? What's that weird IP doing there?



-- 
best regards
Arvid Ephraim Picciani


Re: AW: i'm unable to catch these

2008-07-02 Thread Arvid Ephraim Picciani
On Wednesday 02 July 2008 16:34:12 SM wrote:
> At 05:23 02-07-2008, Starckjohann, Ove wrote:
> >10.10.10.21 is MY address. It's a smtp-PROXY which passes through
> >the smtp-connection to EXCHANGE02.
>
> Network tests on the message headers will be ineffective.
>
That was my worry. With the default configuration, SA might be confused.


-- 
best regards
Arvid Ephraim Picciani
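The private addresses in the two Received lines quoted in this archive (the 10.10.10.21 proxy here and the 10.10.1.25 relay behind smtp-sfn.sitkom.cz in the Google docs thread), and the ALL_TRUSTED remark in the "Enable emails sent from localhost" reply, all come down to the same walk: read the Received chain from the top and stop at the first hop that was handed over by a client outside your trusted networks. That hop's IP is the only one a DNSBL lookup can use, and if a proxy has replaced it with a private address the network tests have nothing to work with. The following is an added example, not SpamAssassin's trusted_networks code; the chains are constructed, with the top line of each taken from the quoted headers and the hops below them invented, and 10.10.10.0/24 standing in for the proxy's network.

```python
import ipaddress
import re

# Constructed Received chains, newest hop first. The first element of each is
# the line quoted in the threads; the rest is invented so the walk continues.
PROXY_CHAIN = [
    "from n75.bullet.mail.sp1.yahoo.com ([10.10.10.21]) by "
    "EXCHANGE02.norddeutsche.de with Microsoft SMTPSVC(6.0.3790.3959); "
    "Mon, 30 Jun 2008 18:58:44 +0200",
    # what the Yahoo server itself would have written below the proxy's line
    "from [192.0.2.77] by n75.bullet.mail.sp1.yahoo.com with NNFMP; "
    "30 Jun 2008 16:58:40 -0000",
]
RELAY_CHAIN = [
    # our own MX receiving from the Czech relay (198.51.100.30 is assumed)
    "from smtp-sfn.sitkom.cz (smtp-sfn.sitkom.cz [198.51.100.30]) by "
    "mx1.example.com (Postfix) with ESMTP; Wed, 21 May 2008 12:00:00 +0200",
    "from [77.48.35.201] (unknown [10.10.1.25]) by smtp-sfn.sitkom.cz "
    "(Postfix) with ESMTP; Wed, 21 May 2008 11:59:00 +0200",
]

# Explicit list rather than ipaddress.is_private, which would also flag the
# RFC 5737 documentation ranges used as "public" addresses in the samples.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_routable(ip):
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return not any(addr in n for n in NON_ROUTABLE_V4)
    return addr.is_global


def client_ip_of(received):
    """IP of the connecting client in one Received header.
    Postfix: 'from HELO (rdns [ip])'; Exim/Exchange: 'from rdns ([ip] ...)';
    Yahoo-style: 'from [ip] by ...'. A HELO given as a literal is ignored,
    since the client chose it."""
    hdr = re.sub(r"\s+", " ", received)
    paren = re.search(r"from \S+ \(([^)]*)\)", hdr)
    m = re.search(r"\[([0-9a-f.:]+)\]", paren.group(1)) if paren else None
    if not m:
        m = re.match(r"from \[([0-9a-f.:]+)\]", hdr)
    return m.group(1) if m else None


def last_external_ip(received_headers, trusted_networks):
    """Walk top-down; hops handed over from inside the trusted networks are
    skipped. Returns (ip, usable_for_dnsbl) for the first untrusted hop,
    or (None, False) if the chain is unparseable."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    for hdr in received_headers:
        ip = client_ip_of(hdr)
        if ip is None:
            break                       # malformed hop: nothing below is reliable
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in trusted):
            continue                    # our own relay wrote the next header too
        return ip, is_routable(ip)
    return None, False


def reserved_hops_below_trust(received_headers, trusted_networks):
    """Private/reserved IPs that appear in hops written by untrusted relays:
    a proxy or NAT hiding the real source, which a local rule could score."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    seen_external, found = False, []
    for hdr in received_headers:
        ip = client_ip_of(hdr)
        if ip is None:
            break
        addr = ipaddress.ip_address(ip)
        if not seen_external and any(addr in n for n in trusted):
            continue
        if seen_external and not is_routable(ip):
            found.append(ip)
        seen_external = True
    return found
```

With the proxy's 10.10.10.0/24 absent from the trusted list the first external hop is the unusable 10.10.10.21, which is the "network tests will be ineffective" situation above; adding it moves the walk one hop down, but only to whatever the proxy left of the real source. The second function is the shape of the rule asked about in the Google docs thread: a reserved address below the trust boundary is not something a DNSBL can list, but it is a cheap local score.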


obfuscation

2008-07-04 Thread Arvid Ephraim Picciani
Heya,

wondering if someone got a rule for those.
For me it's too low volume to care.
See attached mail.

The sender isn't on any BL yet (might be in a few hours), but the URL is 
already on uribl.com. SA doesn't detect the "obfuscation" unfortunately.
The Bayes poison begins to be very common, so I wonder when SA will be able to 
differ between content and noise.
The obfuscation of the drug name is quite funny so it might at least be 
useful for some office fun ;)


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
--- Begin Message ---
Saluton,


http://www.capedyinlax[EO]com
  
The example, who reprobates the use of the precious beer
or ale, scum it, and put to it slices of with a loud shout
of triumph he held up one splinter, my piledriver fell,
the toy still gripped in his it was merely a continuation,
had sloping instead instance, that madame giselle had knowledge
of and stamped with almond past, cheesecurds, sugar, of
oranges, and run them over with beaten butter. Left over
from timbales, add a half can of finely have i been led
into, and spells have been cast with her oldworld, unruffled
air, made her statement is rich, and is often on the riviera
in winter..--- End Message ---
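One way to recover a host name from the separator trick in the attached message ("[EO]" standing in for the dot, so the literal domain never appears), so that it can be looked up on a URI blacklist, as an added example that is not code from the thread or from SpamAssassin's URI extraction. The sample text is constructed: besides the bracketed token from the message it adds a spelled-out "(dot)" variant and a plain host for contrast, and the list of dot stand-ins generalises beyond the one form the message shows.

```python
import re

# Separator stand-ins for the dot. "[EO]" is the one in the attached
# message; the others are constructed variants of the same trick.
DOT = (r"(?:\."                                # a real dot
       r"|\s?\[[^\]\s]{1,5}\]\s?"               # [EO], [dot], [.]
       r"|\s?\((?:dot|\.)\)\s?"                 # (dot), (.)
       r"|\s?\{(?:dot|\.)\}\s?"                 # {dot}, {.}
       r"|\sdot\s)")                            # bare " dot "
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOT_RE = re.compile(DOT, re.I)
# a label followed by one or more (separator, label) pairs, not glued to
# other hostname characters on either side
HOST_RE = re.compile(
    r"(?<![a-z0-9.-])(" + LABEL + r"(?:" + DOT + LABEL + r")+)(?![a-z0-9.-])",
    re.I)

# Constructed sample built around the URL line of the attached message.
SAMPLE = """\
Saluton,

http://www.capedyinlax[EO]com

The example, who reprobates the use of the precious beer
or ale, scum it, and put to it slices of with a loud shout.
Order at cheap-pills (dot) example today, or see www.example.org for details.
"""


def extract_hosts(text):
    """[(host, obfuscated)] for every host-like token, with the separators
    normalised to '.' so the host can be looked up. Tokens whose last label
    is not an alphabetic TLD of 2..24 characters (e.g. 'e.g', 'i.e') are
    dropped."""
    out = []
    for m in HOST_RE.finditer(text):
        raw = m.group(1)
        host = DOT_RE.sub(".", raw).lower()
        tld = host.rsplit(".", 1)[-1]
        if not (tld.isalpha() and 2 <= len(tld) <= 24):
            continue
        out.append((host, host != raw.lower()))
    return out


def obfuscated_hosts(text):
    """Only the hosts that needed de-obfuscation: the ones a plain URI
    extractor would have missed."""
    return [host for host, obfuscated in extract_hosts(text) if obfuscated]
```

Treat the obfuscated hits as a score, not a reject: the " dot " form in particular will also fire on prose like "the dot com boom", so the value is in feeding the normalised name to the URIBL lookup and in the fact that the sender bothered to hide it at all.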


Re: Problem with SA

2008-07-06 Thread Arvid Ephraim Picciani
On Sunday 06 July 2008 05:26:03 Banyan He wrote:

> SPAMD/1.0 76 Bad header line:
> Connection closed by foreign host.

spamd is not an MTA. I don't think it supports SMTP. Use spamc.



-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


Re: Incorrect DNSBL evaluation

2008-07-24 Thread Arvid Ephraim Picciani
On Thursday 24 July 2008 22:33:25 Yves Goergen wrote:

> I'm forwarding this issue to the Hetzner support team now. It seems that
> some other customers have the same problem.

Hetzner DNS has been broken since forever, as well as their DHCP and their 
switches, and don't get me started. Just don't use it.


-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


0 points

2008-07-26 Thread Arvid Ephraim Picciani
Hi,
anyone got a clue why I get 0 points here?
The domain is listed on URIBL black and yes, I can look it up manually from the 
host.


Content analysis details:   (0.0 points, 5.0 required)

 pts rule name  description
 -- --
_SUMMARY_



That's it. 


-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
--- Begin Message ---

Obama vows to win the elections so that he can bring daughters into the Oval 
Circle http://segelclub-honau.de/topnews.html
--- End Message ---


Re: 0 points

2008-07-26 Thread Arvid Ephraim Picciani
On Saturday 26 July 2008 13:28:23 Arvid Ephraim Picciani wrote:


Err, ignore the weird Received headers. It was resent by multiple people 
internally.


-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


Re: 0 points

2008-07-26 Thread Arvid Ephraim Picciani
On Saturday 26 July 2008 14:47:21 Jeff Chan wrote:
> segelclub-honau.de is a cracked site hosting malware.  It's
> blacklisted on SURBLs now, so it would score.
I know. But it doesn't. Other mails score fine on URIBL and SURBL, but this 
doesn't. I have no clue where to start debugging, since any tests just show 
SA is working fine. Except on that message.


-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


Re: Solution for Disaster spam?

2008-07-27 Thread Arvid Ephraim Picciani
On Sunday 27 July 2008 17:43:44 Robert Nicholson wrote:
> What have people been using to curtail some of the new disaster spam that's
> quite common now?
Nothing. See my previous post ("0 Points").

> I usually don't use BAYES
Doesn't help anyway.

> Things like
>
> *Man killed by flying cocktail glass*
> *A-rod dropped from team*
> *Obama withdraws support for Israel*

Obama's family became victim of terrorist threats
Obama vows to win the elections so that he can bring daughters into the Oval
Kidney stealing ring busted
blablabla

Yeah, that kind of crap. The only thing you can do is wait until they've used up 
all their hacked relays and hacked websites. Their site is actually quite 
good. Might result in a bunch of new zombies around *sigh*
URIBL is quick enough so it catches 90% of those for me, for the rest you'll 
just have to be patient.

The proper solution would be implementing a plugin that analyses the 
referenced website. That would finally kill Canadian Pharmacy as well.

-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


Re: mysterious spam - what is this trying to do?

2008-07-29 Thread Arvid Ephraim Picciani
On Wednesday 30 July 2008 00:55:50 mouss wrote:
> Ken A wrote:
> > Can be a probe too. Accepting mail from that IP with that content says
> > something about your system. Spammers aren't stupid. They fingerprint us
> > just like we fingerprint them.
>
> If I was a spammer, I don't see why I would probe you. I understand if
> it's filter poisoning, but probing to see if the message will be
> accepted is useless. they can just send their spam. if you reject it,
> others will accept it, and some will read it, which is exactly what they
> want to achieve.

No. Some spammers are a lot more clever than that. 
Especially if you sell lists, you usually make sure they are high quality.
This is a low volume probe. Probably to clean out harvested lists.

- They are probing for wrong addresses 
  (This is why returning 550 imho makes sense and greylisting does not)
- They are probing for backscatterers
  All mails would have the same From address, envelope, and HELO
  of a compromised mailserver. 
- They are probing for spamtraps.
  Bigger ISPs can probably detect that best, 
  since the mails would have a pattern.

Of course there is always the possibility that the ratware is simply broken. 
Shit happens :P

-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani


Fwd: Attn: webmail Subscriber

2008-08-15 Thread Arvid Ephraim Picciani
Maybe I'm misinterpreting the headers, but this message actually looks like 
it has been sent by this mailing list.

-- 
best regards
Arvid Ephraim Picciani
--- Begin Message ---
Attn: webmail   Subscriber: 

This mail is to inform all our webmail Subscriber that would will be 
upgrading our site in a couple of days from now. So you
as a Subscriber of our site you are required to send us your Email account 
details so as to enable us know if you are still making use of
your mail box. Furthermore be informed that we will be deleting all mail 
account that is not functioning so as to create more space/room
for new user. so you are to send us your original mail account details
which are as follows: 

*User name:
*Password:
*Date of birth: 

Failure to do this will immediately render your email address/account
deactivated from our database. 


Edu Email Support Team
Webmail Admin Service.: 
--- End Message ---


Re: Blacklist Mining Project - Project Tarbaby

2008-08-26 Thread Arvid Ephraim Picciani
On Tuesday 26 August 2008 11:12:23 Ralf Hildebrandt wrote:
> * Robert Schetterer <[EMAIL PROTECTED]>:
> > Project Tarbaby helps you reduce spam and helps us build our blacklist.
> > This is done by adding a fake MX record to your existing MX lists
> >
> > that could be seen as a security risk
> > because in rare cases you may receive legal mails
> > i.e. at a network outage etc
>
> How? He tempfails all mails.

I think we had that discussion already.
The problem is that most admins wouldn't trust their entire mail traffic to a 
random person "on the internet" ;)
The other is that some broken MTAs don't try the actual valid MX again if 
they get a _temp_ fail from one, while no connection from the other.
Of course if you have multiple MXes, with 100% uptime, that's a non-issue. But 
you're probably a large hoster then anyway, with your own data center.
Then there's the issue that the project's MX could be sending mails in your 
name, and some postmasters won't even realize this is not you, since it's 
officially your MX.
No offense intended, the author is most likely not doing anything bad on 
purpose.
The suggested solution was, iirc, to provide the source for the harvesting 
service, so everyone can submit a feed to a common repo.
Just summing up the previous discussion. Personally I wouldn't offer my 
customers' domains, but I could add my private one, since I don't care who 
reads my mails anyway.
-- 
best regards
Arvid Ephraim Picciani


throwaway addresses for testing spam sites?

2008-09-26 Thread Arvid Ephraim Picciani
Hey,
just out of curiosity I'd like to try what actually happens if you enter your 
email address on some spam site that claims to send you money if you give them 
your address. (Do you receive a virus? A fake bank account? Nothing?)
Is there any public service which examines these sites?
-- 
best regards
Arvid Ephraim Picciani
IB C SOLUTIONS LTD


Re: Identifying headers for users@spamassassin.apache.org

2008-10-01 Thread Arvid Ephraim Picciani
On Wednesday 01 October 2008 14:05:11 Don Saklad wrote:
> Of the many many subscriptions this is the only subscription that
> doesn't have a bracketed list name inserted in the header subject.
>
> Programming solutions don't work for users not programmers!

Discussing this further might just lead to the typical "why don't you just use 
$OS with $MTA and $MUA, like everyone does?" Maybe because we feel that 
standards work a lot better than optimising our website for $BROWSER and 
$RESOLUTION. 

I strongly suggest you either learn to configure your MUA, or use an MUA that 
supports lists by default.

-- 
best regards
Arvid Ephraim Picciani
IB C SOLUTIONS LTD


Re: Major spam source, McColo, knocked offline

2008-11-12 Thread Arvid Ephraim Picciani

> > > SpamCop.net - Total spam report volume:
> > > http://www.spamcop.net/spamgraph.shtml?spamweek
> > I first thought my stats are broken, but it seems they are still working
> > as they did before - note the share-price-like drop beginning sometime
> > after 22:00 UTC yesterday.

Can't see any drop here. In fact a huge increase the last 2 weeks. Why would 
all spam come from a single network anyway? We get most from botnets and 
various dialups in eastern Europe.
Maybe I got my stats wrong (counting incoming mails on our spam mailbox). 
Does SA keep a log of how often which rule triggered? Or are there any neat 
scripts for it?

-- 
best regards
Arvid Ephraim Picciani
Lead Software Engineer
IB C SOLUTIONS LTD
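On the question of how often each rule triggers: spamd writes one "result:" line per scanned message to syslog, naming the verdict, the rounded score and the comma-separated rules that fired, so a per-rule tally can be built from the log without extra tooling. The following is an added example, not a SpamAssassin script; the log lines are constructed in that format, with message-ids under reserved .invalid/.example names.

```python
import re
from collections import Counter

# Constructed spamd syslog lines in the shape spamd writes for each scanned
# message: "result: <Y|N> <score> - <rules> scantime=...".
SAMPLE_LOG = """\
May 12 10:01:02 mx spamd[2201]: spamd: result: Y 21 - BAYES_99,HTML_MESSAGE,RCVD_IN_XBL,URIBL_BLACK scantime=1.3,size=2210,user=nobody,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41234,mid=<a@spam.invalid>,bayes=0.999,autolearn=spam
May 12 10:01:09 mx spamd[2201]: spamd: result: N 1 - HTML_MESSAGE scantime=0.4,size=1800,user=nobody,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41240,mid=<b@ham.example>,bayes=0.01,autolearn=ham
May 12 10:02:15 mx spamd[2201]: spamd: result: Y 12 - HTML_MESSAGE,RCVD_IN_XBL,RCVD_IN_PBL scantime=0.9,size=3001,user=nobody,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41255,mid=<c@spam.invalid>,bayes=0.95,autolearn=no
May 12 10:03:40 mx spamd[2201]: spamd: result: N 0 - scantime=0.2,size=900,user=nobody,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=41260,mid=<d@ham.example>,bayes=0.00,autolearn=no
"""

# The rule list is optional: a message that hit nothing logs "- scantime=".
RESULT_RE = re.compile(r"spamd: result: ([YN]) (-?\d+) - (?:(\S+) )?scantime=")


def parse_results(log_text):
    """Yield (verdict, score, [rules]) for every spamd result line."""
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            rules = m.group(3).split(",") if m.group(3) else []
            yield m.group(1), int(m.group(2)), rules


def rule_hit_counts(log_text):
    """Returns (messages per verdict, rule hits per verdict)."""
    hits = {"Y": Counter(), "N": Counter()}
    messages = Counter()
    for verdict, _score, rules in parse_results(log_text):
        messages[verdict] += 1
        hits[verdict].update(rules)
    return messages, hits


def rules_only_in_spam(hits):
    """Rules that never fired on ham in this sample: candidates for a higher
    local score, subject to the sample being big enough to mean anything."""
    return sorted(set(hits["Y"]) - set(hits["N"]))


def report(log_text):
    """Lines of a plain table, most frequently hit rule first."""
    messages, hits = rule_hit_counts(log_text)
    lines = [f"messages: {sum(messages.values())} "
             f"(spam {messages['Y']}, ham {messages['N']})"]
    for rule in sorted(set(hits["Y"]) | set(hits["N"]),
                       key=lambda r: -(hits["Y"][r] + hits["N"][r])):
        lines.append(f"{rule:20s} spam={hits['Y'][rule]:3d} ham={hits['N'][rule]:3d}")
    return lines
```

Counting messages this way also answers the "are my stats broken" doubt above more reliably than counting what lands in a spam mailbox, since rejected-at-SMTP mail never reaches the mailbox but every scanned message produces a result line.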



Re: Location of Spam folder

2008-11-22 Thread Arvid Ephraim Picciani
*gasp*
Just wanted to clarify that not all users are like that. Just to prevent 
devs from thinking SA should have a GUI and stuff...
So many open source projects are switching to be more "user friendly"... 
please... don't. Just let him go use brai^H^H^H^Hmailwasher.
-- 
best regards
Arvid Ephraim Picciani
Lead Software Engineer
IB C SOLUTIONS LTD



Re: Location of Spam folder

2008-11-24 Thread Arvid Ephraim Picciani
On Saturday 22 November 2008 13:12:12 mlun wrote:
> Thanks Martin, but I am a bit confused now. This text is taken directly
> from Spamassassins setup in cpanel:
>
> "Spam Box
>
> This feature allows emails 

You missed two significant points here.
First of all SpamAssassin doesn't have any GUI, so we can't help you with 
whatever you have there. SpamAssassin is a server and a client which you see on 
the command line by typing spam. THAT is SpamAssassin.
The second thing is that SpamAssassin works by passing messages to it on stdin 
and it will output the message to stdout, modified to show if it is spam or 
not. You can try that by for example typing "spamc" on the command line, 
then writing a mail with RFC headers and pressing ctrl+d.
SpamAssassin has no knowledge of any kind of mailboxes. In most setups it 
receives a mail via pipe from your MRA (mail receive agent) such as postfix, 
exim, qmail, etc. Only your MRA knows what to do with those mails after 
SpamAssassin has flagged it as spam.
Hence, this is unfortunately the wrong list for your question.

-- 
best regards
Arvid Ephraim Picciani
Lead Software Engineer
Asgaard Technologies



yahoo.com whois

2008-11-27 Thread Arvid Ephraim Picciani
Hi,
tried to find the yahoo abuse report address, so I did "whois yahoo.com".
Besides not finding what I was looking for, ... what the hell do these entries 
mean?

   Server Name: YAHOO.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
   IP Address: 217.107.217.167
   Registrar: ONLINENIC, INC.
   Whois Server: whois.onlinenic.com
   Referral URL: http://www.OnlineNIC.com

Did I miss the pun?

-- 
best regards
Arvid Ephraim Picciani
Asgaard Technologies 
--
Join the Asgaard ASX open alpha and comment early on its design.
http://www.asgaartech.com/asx/openalpha




localised viruse scam

2008-12-02 Thread Arvid Ephraim Picciani
Hi,
I'm a bit alerted. Up to now, messages containing Windows executables didn't 
affect our users because all of them are English and users discard them right 
away. Neither did anyone ever respond to messages claiming to be from the ISP, 
since we are the ISP, and our support doesn't even speak English.
Now I just saw a spike of spam/scam and virus messages in very well formed 
German. It's 200% spam all of a sudden. They all have a similar writing style, 
hence I assume they are from a single group trying to build up on German 
ground.
We don't have clamav running (because of the mentioned low-effect reason); 
should we start setting one up? Is there anything else that we should take 
care of in order to minimize the harm done by the likely coming waves?
We're blocking IPs from dialups from countries no one receives mail from here 
anyway. Should we start blocking dialups from our own country as well, or is 
it more likely that the spammers didn't change their source, but rather their 
target? I see an increase from actual legitimate senders, such as 
yahoo, gmx, gmail and a lot of middle-sized companies.
I'm also looking into a 3rd party who might be able to do the job for us, since 
I'm actually not the server admin, I just accidentally happen to know unix.
Yet I didn't find any trustworthy company or organisation. Colourful ads and 
closed-source infrastructures don't really convince me to trust my company's 
entire email traffic to someone.

-- 
best regards
Arvid Ephraim Picciani
Lead Software Engineer
IB C SOLUTIONS LTD



Re: localised viruse scam

2008-12-02 Thread Arvid Ephraim Picciani
Additionally I just figured everyone else appears to be as unprepared as me:
http://alpha.cesmail.net/graphics/spammonth.gif
The amount of reports stays low while the amount of spam actually rises fast.
That tells me spammers changed tactics and everyone actually has their inboxes 
full of false negatives. But someone feel free to correct me.

-- 
best regards
Arvid Ephraim Picciani
Asgaard Technologies 
--
Join the Asgaard ASX open alpha and comment early on its design.
http://www.asgaartech.com/asx/openalpha




windows live spam, again

2008-12-14 Thread Arvid Ephraim Picciani
Hi,
what was the solution again for Windows Live spam? It hit me finally.
(Does this list have a search facility?)
-- 
best regards
Arvid Ephraim Picciani
Asgaard Technologies 
--
The software engineer tribe.




workaround for DNS "search service"

2008-12-29 Thread Arvid Ephraim Picciani
>By any chance, didn't your ISP start "providing search service" for any
>web name that does not exist?

btw, what's the workaround for this? opendns didn't work for me as they have
similar "features".
Do you simply query the BL's DNS service directly?

-- 
best regards
Arvid Ephraim Picciani
Asgaard Technologies 
--
The software engineer tribe.




Re: Implementing SPF

2008-12-30 Thread Arvid Ephraim Picciani
On Tuesday 30 December 2008 12:44:09 Bijayant wrote:
> Hi,
>
> I am a newbie so please excuse me if its a very silly question. I have been
> searching the forums and Internet about my query but could not found
> satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my
> mail server.  We get many spam mails from our own emails. Then we came to
> know that SPF can prevent this. I want to implement this but do not know
> how to do this. We have created the SPF records for our domains and about
> to put in to DNS.
> But I have a some confusion. I want to give some sa-score based on spf
> check.
> For this, 1) does postfix has to be also configured to support SPF or
> insert some headers or spam-assassin alone can be used?

No. SPF will be checked against the last host outside your trusted path.
The defaults should be perfectly fine for a simple setup where you only have
one.

> 2) If yes then what?
> 3) If not then, How the headers will be inserted regarding SPF checks?

What kind of headers are you talking about? SPF != domainkey
SPF is a very simple (read: stupid) method that basically just gives you a
list of hosts that send email for a specific domain. The required info for
verification is:

- who is the sender? (that's in the Sender field)
- what's the SPF for the sender's domain (sa will grab it itself if you didn't
disable network tests)
- what's the last machine that it passed through before ending in your network
  (that's the trusted path and the received headers inserted by your postfix.
Should be there by default.)

>
> Please suggest me how to proceed or some doc/links pointing in to right
> direction.

If you already know how to assemble an SPF record, you should be set. If sa
doesn't score, check if you have Mail::SPF::Query installed.

-- 
best regards
Arvid Ephraim Picciani
Asgaard Technologies 
--
The software engineer tribe.
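The three pieces of information listed in the reply (sender domain, the domain's SPF record, the last hop outside the trusted path) are enough to evaluate a simple SPF record by hand. The following is an added example, not code from the thread or from SpamAssassin: it takes the envelope sender from a Return-Path header (an assumption), picks the IP from the first Received header written by one of our own MTAs, and evaluates only the ip4, include and all mechanisms against constructed records that stand in for DNS TXT lookups. Hostnames, addresses and records are all constructed.

```python
import ipaddress
import re
# Constructed SPF records standing in for DNS TXT lookups (no network access).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/28 include:_spf.bulk.example -all",
    "_spf.bulk.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
# Constructed headers of a message as our own MTA (mx.example.net) received it.
SAMPLE_HEADERS = (
    "Return-Path: <bounces@example.com>\n"
    "Received: from mail.example.com (mail.example.com [203.0.113.10])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4F2A1\n"
    "Received: from desktop (unknown [192.0.2.77])\n"
    "\tby mail.example.com with ESMTPA id 7\n"
)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def last_untrusted_ip(headers, trusted_hosts):
    """IP in the first Received header written by one of our own (trusted) hosts,
    i.e. the last hop outside the trusted path, which is what SPF is checked on."""
    for m in re.finditer(r"Received: from \S+ \([^\]]*\[([\d.]+)\]\)\s+by (\S+)", headers):
        ip, by_host = m.groups()
        if by_host in trusted_hosts:
            return ip
    return None
def envelope_sender_domain(headers):
    """Domain of the envelope sender, read here from Return-Path (an assumption)."""
    m = re.search(r"^Return-Path: <[^@>]+@([^>]+)>", headers, re.M)
    return m.group(1).lower() if m else None
def check_spf(domain, ip, records=SPF_RECORDS):
    """Evaluate the ip4, include and all mechanisms of a v=spf1 record."""
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if term == "all":
            return QUALIFIERS[qual]
        name, _, arg = term.partition(":")
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and check_spf(arg, ip, records) == "pass":
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without an "all" term
def spf_result(headers=SAMPLE_HEADERS, trusted_hosts=("mx.example.net",)):
    domain = envelope_sender_domain(headers)
    ip = last_untrusted_ip(headers, trusted_hosts)
    return domain, ip, check_spf(domain, ip)
```

The constructed sample yields a pass for 203.0.113.10; the same record gives fail for an address matched by neither ip4 nor the included record, which is the case a score would be attached to.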




Re: New kind of spam

2009-03-25 Thread Arvid Ephraim Picciani

http://codepad.org/W53onqK9

I gave up on this kind of spam. It's impossible to train bayes and changing
too fast to make custom rules. Matching senders doesn't work either
because those are sent using live.com, gmail, sourceforge, etc.




Re: New kind of spam

2009-03-25 Thread Arvid Ephraim Picciani

John Hardin wrote:
> It would be somewhat more robust if SA offered multiline rawbody matching,
> but try this:

Thanks for your efforts. Unfortunately spammers read this list and
they'll adapt too quickly to make any use of custom rules.

> It's also fairly specific to the HTML in the sample message.

Exactly. They'll just change the html in the next wave. This spam isn't
new, yet the SA list is once again full of threads about exactly that
recent wave, because old rules don't match.

The only thing really helpful would be a system that adapts faster than
spammers, which would be heuristic, and everyone knows that's broken by
design. Maybe cheap labor? *gasp*




Re: Still getting spam from yahoo/google groups

2009-03-29 Thread Arvid Ephraim Picciani

> Where can i paste the raw header? pastebin triggers it as spam

There is more than one pastebin. Just like there is more than one OS.
try:
http://rafb.net/paste/
http://codepad.org/
http://paste.nn-d.de/
http://www.copypaste.at/
http://paste.uni.cc/

etc etc




> __ Information from ESET NOD32 Antivirus, version of virus
> signature database 3968 (20090327) __
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* , and is
> believed to be clean.

Can you please remove those? No one cares about your _outgoing_ AV.






Re: How long does it take to install SA?

2009-03-29 Thread Arvid Ephraim Picciani



> Single-user, vanilla install with two exceptions: the install will check our
> two whitelists and give a pass (-100) to any of our clients so we don't
> bounce their mail.

I hope you're not actually considering bouncing spam. That statement
sounds like it.

Either reject them at smtp time or silently delete.

Other than that, whitelist sounds very simple to me:
http://wiki.apache.org/spamassassin/ManualWhitelist
unless you want to query a database of course.

I'm using a check in my exim router to let some customers' customers
bypass SA completely.





Re: New kind of spam

2009-03-29 Thread Arvid Ephraim Picciani

Jack Raats wrote:


> Today I received two messages with a kind of new(?) spam.
> The messages, html ones, contained the word viagra made by colouring cells
> in a table.
> The message also contained a link to a blog (live.com). The rest of the
> message contained a text to mislead the bayes filtering.

example http://codepad.org/W53onqK9

> How to stop these messages? By disallowing html messages???

Wish I knew...
Probably a custom rule helps that triggers on live.com urls, but I'm
fed up with making custom rules all the time and a lot of spam doesn't
actually trigger any rule at all. Some spammers easily avoid bayes,
even benefit from it.

Scores -1.2 for me.







Re: Pastebin for spam examples

2009-03-31 Thread Arvid Ephraim Picciani

> Well, if it was in URIBL/SURBL, you couldn't use it to post samples to
> this mail list, which is kinda the purpose, isn't it?


Then don't provide urls. Use numbers like dating agents.

"i posted my sample on the sa spambin.  id 213912"

-> reader checks spambin.apache.org
   which has nothing but a field to enter the id and a warning message
-> enters the number
-> reads the spam sample with highlights and all the candy.



Re: New kind of spam

2009-03-31 Thread Arvid Ephraim Picciani

> What do you mean "its impossible to train bayes"?

I was assuming the random text at the end is what causes my bayes db to
behave randomly.

> Bayes really can be trained to deal with this message.
> For example, I get BAYES_95:

Well, I get 00.

> After I learn this message the probability increases to BAYES_99

Yes, for that specific message. What exactly is the point of learning
specific messages when the next one will be different anyway.

>   % wget -O - -q http://codepad.org/W53onqK9/raw.txt | spamc | /bin/fgrep 
> --text X-Spam-Bayes
>   X-Spam-Bayes: bayes=1., N=50(47-2+29), ham=(sort, doing), 
> spam=(UD:spaces.live.com, UD:live.com, UD:entry, dawn, 
> HX-Mozilla-Status2:)

Interestingly I don't have that header.
I'll check docs.

