Re: SOLVED Re: malware.blocklist.cf : www.malware.com.br unavailable
On 8/9/2011 8:28 AM, Dave Wreski wrote:

> Hi, I noticed that the site that provided the malware.blocklist.cf has been unavailable since at least the 8th of August. URL for the file was on http://www.malware.com.br/cgi/submit?action=list_sa
>
> The FQDN no longer resolves to an address. I have tried our local DNS, Level3 4.2.2.2 and Google 8.8.4.4. It's not there :(
>
> Does anyone know why they are unavailable? (Or even, is the site available to you?)
>
> Regards, S
>
> Finally found that they changed their name a few months ago, and finally they turned off the .com.br site. http://www.malwarepatrol.net/
>
> wget http://www.malwarepatrol.net//cgi/submit?action=list_sa;
>
> Aren't these the same rules that are already present in the sanesecurity clamav db?

Sanesecurity does not distribute the MalwarePatrol blocklist; this signature file needs to be downloaded directly from their site.

Bill
Microsoft brings down major fake drug spam network
No wonder I have seen such a huge drop in spam the past few days:

http://timesofindia.indiatimes.com/tech/enterprise-it/security/Microsoft-brings-down-major-fake-drug-spam-network/articleshow/7734903.cms

Anyone else been noticing the decrease in spam?

Bill
Re: Microsoft brings down major fake drug spam network
On 3/18/2011 5:08 PM, Michelle Konzack wrote:

> Hello Bill Landry,
>
> On 2011-03-18 15:11:47, you typed out the following:
>> No wonder I have seen such a huge drop in spam the past few days:
>
> ??? I get 18-26 million spams (36 servers with 96,000 users) per day and nothing has changed. Please read the news (not only one) more carefully
>
>> http://timesofindia.indiatimes.com/tech/enterprise-it/security/Microsoft-brings-down-major-fake-drug-spam-network/articleshow/7734903.cms
>>
>> Anyone else been noticing the decrease in spam?
>
> No, because there is more than one botnet of this size now...

Please don't venture to assume you know anything about my spam stat numbers. I have several spamtraps and create 3rd-party ClamAV signature databases from them that are distributed via the Sanesecurity rsync mirrors. My 2-month signature database usually runs around 200,000 signatures. Now it is down to around 85,000. Obviously this is a very substantial drop. Enough said.

Bill
The one year anniversary of the Spamhaus DBL brings a new zone
FYI: Spamhaus created a new URL shortener/redirector zone in the DBL. See: http://www.spamhaus.org/news.lasso?article=667

Will SpamAssassin be adding support for this new DBL shortener/redirector response code?

127.0.1.3 spammed redirector domain

For details, see: http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20DBL#291

Regards, Bill
Re: BOTNET rules question
On 1/5/2011 5:11 PM, Mark Martinec wrote:

> Combining p0f with BOTNET is intended to *reduce* the high number of false positives that BOTNET alone produces, *at least* for the non-windows machines. The windows hosts are left alone and are not protected by p0f from BOTNET FP. If someone is scoring p0f in combination with BOTNET differently, that is not advisable or intended.
>
> Btw, the BOTNET plugin also produces a FP hit for any IPv6 connection, regardless of its rDNS. If someone is interested in a quick hack patch, I can post it.

Mark, please do post the patch. It's good to see that someone is supporting this plugin.

Bill
Re: Spamhaus Whitelist
On 11/5/2010 11:40 PM, Dan Mahoney, System Admin wrote:

> All, Has anyone come up with a ruleset yet to score against the new spamhaus whitelists, and deduct points appropriately?

You could try something like:

header   SPAMHAUS_SWL eval:check_rbl('SPAMHAUS_SWL', 'swl.spamhaus.org.')
describe SPAMHAUS_SWL Sender is whitelisted by Spamhaus
tflags   SPAMHAUS_SWL net nice
score    SPAMHAUS_SWL -2.5

urirhsbl SPAMHAUS_DWL _vouch.dwl.spamhaus.org. A
body     SPAMHAUS_DWL eval:check_uridnsbl('SPAMHAUS_DWL')
describe SPAMHAUS_DWL Domain is whitelisted by Spamhaus
tflags   SPAMHAUS_DWL net nice
score    SPAMHAUS_DWL -2.5

Set the scores to your own liking.

Bill
Re: Spamhaus Whitelist
On 11/6/2010 12:19 AM, Bill Landry wrote:

> On 11/5/2010 11:40 PM, Dan Mahoney, System Admin wrote:
>> All, Has anyone come up with a ruleset yet to score against the new spamhaus whitelists, and deduct points appropriately?
>
> You could try something like:
>
> header   SPAMHAUS_SWL eval:check_rbl('SPAMHAUS_SWL', 'swl.spamhaus.org.')
> describe SPAMHAUS_SWL Sender is whitelisted by Spamhaus
> tflags   SPAMHAUS_SWL net nice
> score    SPAMHAUS_SWL -2.5
>
> urirhsbl SPAMHAUS_DWL _vouch.dwl.spamhaus.org. A
> body     SPAMHAUS_DWL eval:check_uridnsbl('SPAMHAUS_DWL')
> describe SPAMHAUS_DWL Domain is whitelisted by Spamhaus
> tflags   SPAMHAUS_DWL net nice
> score    SPAMHAUS_DWL -2.5
>
> Set the scores to your own liking.

You could also test the envelope sender:

header   SPAMHAUS_ENV eval:check_rbl_envfrom('SPAMHAUS_ENV', '_vouch.dwl.spamhaus.org.')
describe SPAMHAUS_ENV Envelope sender whitelisted by Spamhaus
tflags   SPAMHAUS_ENV net nice
score    SPAMHAUS_ENV -2.5

Bill
Re: Spamhaus Whitelist
On 11/6/2010 12:50 AM, David F. Skoll wrote:

> On Sat, 06 Nov 2010 00:41:53 -0700 Bill Landry <b...@inetmsg.com> wrote:
>> You could also test the envelope sender:
>>
>> header SPAMHAUS_ENV eval:check_rbl_envfrom('SPAMHAUS_ENV', '_vouch.dwl.spamhaus.org.')
>
> But that's an abuse... you should not be using Vouch-by-reference unless either DKIM or SPF returns a pass. Otherwise, you've just told spammers who they should pretend to be to get their spam in your inbox.

Yep, I see that now. Guess a couple of DKIM meta rules will need to be included in this test.

Bill
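The point David makes above, as an added example that is not part of the thread and not SpamAssassin's or Spamhaus's own code: a vouch-by-reference lookup against the DWL is only applied to a domain that has actually passed DKIM (header.d=) or SPF (envelope-from domain); an unauthenticated From: domain is never looked up, so forging a vouched-for domain buys nothing. The resolver is injected and the DWL answers are constructed so the example runs offline; the `_vouch.dwl.spamhaus.org.` zone and the -2.5 score come from the rules in the thread.

```python
"""Vouch-by-reference whitelisting gated on DKIM/SPF pass (added example)."""
import re

DWL_ZONE = "_vouch.dwl.spamhaus.org."   # zone used by the rules in the thread
WHITELIST_SCORE = -2.5                  # score used by the rules in the thread

# Constructed stand-in for DWL data: vouched domain -> A record returned.
# Real lookups go to DNS; the return code here is made up for the example.
CONSTRUCTED_DWL = {
    "bank.example": "127.0.2.2",
}


def constructed_resolver(qname):
    """Stand-in for a DNS A lookup: the A record, or None for NXDOMAIN."""
    suffix = "." + DWL_ZONE
    if not qname.endswith(suffix):
        return None
    return CONSTRUCTED_DWL.get(qname[: -len(suffix)])


def authenticated_domains(auth_results):
    """Domains that *passed* DKIM or SPF according to an Authentication-Results
    header value such as
      'mx.example; dkim=pass header.d=bank.example; spf=pass smtp.mailfrom=bank.example'
    fail / none / temperror results contribute nothing."""
    domains = set()
    for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth_results, re.I):
        domains.add(m.group(1).lower())
    for m in re.finditer(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)",
                         auth_results, re.I):
        domains.add(m.group(1).lower())
    return domains


def dwl_score(from_domain, auth_results, resolve=constructed_resolver):
    """Return (score, reason).

    The DWL is consulted only for the From: domain, and only when that very
    domain is authenticated. Otherwise no whitelist score is applied, no
    matter what the DWL would say about the (possibly forged) domain."""
    from_domain = from_domain.lower()
    if from_domain not in authenticated_domains(auth_results):
        return 0.0, "From: domain not authenticated; DWL not consulted"
    answer = resolve(f"{from_domain}.{DWL_ZONE}")
    if answer is None:
        return 0.0, "domain not vouched for by DWL"
    return WHITELIST_SCORE, f"DWL vouches for {from_domain} ({answer})"


if __name__ == "__main__":
    # Constructed cases: authenticated mail from the vouched domain, and the
    # same From: domain on a message that failed DKIM.
    print(dwl_score("bank.example", "mx.example; dkim=pass header.d=bank.example"))
    print(dwl_score("bank.example", "mx.example; dkim=fail header.d=bank.example; spf=none"))
```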
Re: Rules updates
On Thu, May 20, 2010 4:26 pm, Benny Pedersen wrote:

> On Fri 21 May 2010 00:05:26 CEST, Michael Scheidell wrote
>> On 5/20/10 6:00 PM, Robert Palmer wrote:
>>> I am running spamassassin version 3.2.4 and notice my rules have not updated (sa-update) for many months and I have started getting a lot of nasty spam coming through.
>>
>> just upgrade to SA 3.3.1 only current versions of SA have current rule updates.
>
> imho 3.2.5 is still latest stable and some have posted on maillist even 3.3.1 is not being updated longer, 3.3.2 is

Hmmm, 3.3.2? Who is hosting future releases?

Bill
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
On Mon, March 22, 2010 9:01 am, Bill Landry wrote:

> On 3/22/2010 4:31 AM, Kai Schaetzl wrote:
>> Warren Togami wrote on Sun, 21 Mar 2010 22:13:10 -0400:
>>> I highly recommend NOT building the RPM package from the spec file contained within the spamassassin tarball. It has never been tested to work on Fedora or Red Hat Enterprise Linux.
>>
>> Well, it works perfectly on CentOS, so I assume on RHEL as well. And it doesn't contain unwanted dependencies (like the one from rpmforge, don't know about yours) or adds spamd as a service or such that I don't want. So, it's perfect for me and it has worked for me for years and still does. So, I don't recommend not using it :-)
>
> I tried it with Fedora 12, and would *not* install/upgrade due to a number of unwanted dependencies. Thanks for providing a working RPM install/upgrade for Fedora, Warren!

I seem to have pissed Warren off with this reply, so I just wanted to make sure that no one else misinterpreted my reply. What I was attempting to do was confirm what Warren had said in his original post (and directly in response to Kai's comment that the spec file works fine for him with CentOS): that the spec file included with the tar.gz distribution does not build and install without issue on Fedora 12, but that Warren's RPM build *does* install cleanly and without issue on Fedora 12. My apologies if this was not understood in my previous post.

Bill
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
On Mon, March 22, 2010 10:31 am, Kai Schaetzl wrote:

> Bill Landry wrote on Mon, 22 Mar 2010 09:01:26 -0700:
>> I tried it with Fedora 12
>
> I didn't say anything about Fedora.

But Warren certainly did in his original post. And BTW, he didn't say anything about CentOS in his original post, but that didn't stop you from replying. My response was to confirm Warren's original statements.

Bill
Re: is this right? uribl_dbl seems to have a very odd number
On 3/3/2010 1:40 PM, Mike Cardwell wrote:

> On 03/03/2010 21:32, Michael Scheidell wrote:
>> tracking down some FP's on SA 3.3.0, they all hit URIBL_DBL. (every email hits that rule)
>>
>> # DBL, http://www.spamhaus.org/dbl/ . Note that hits return 127.0.1.x
>> # A records, so we use a 32-bit mask to match that /24 range.
>> uridnssub URIBL_DBL dbl.spamhaus.org. A 2130706688
>
> Yeah. You shouldn't be using it like that on 3.3.0. Go to http://www.spamhaus.org/dbl and look for SpamAssassin on the FAQ page.

The DBL entries were added via sa-update yesterday, not added manually - at least for me.

Bill
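To make the difference between the rule quoted above and the exact-code form concrete (and to cover the 127.0.1.3 redirector code asked about in the Spamhaus DBL post earlier on this page), here is an added example, not SpamAssassin's own code, that evaluates a uridnssub-style subtest against DNSBL answers: a numeric subtest such as 2130706688 (0x7F000100) is a bitmask ANDed with the 32-bit answer, a dotted quad must match exactly, and a CIDR form (supported by later SpamAssassin releases, included to show the intended "/24" semantics) tests membership. The sample answers are constructed; 127.0.1.255 is the code the DBL returns when it is queried with an IP address rather than a domain name.

```python
"""Evaluating DNSBL subtests: bitmask vs exact vs CIDR (added example)."""
import ipaddress


def subtest_matches(answer, subtest):
    """Return True when the A record `answer` satisfies `subtest`.

    subtest forms:
      "2130706688"    numeric -> bitmask: (answer & mask) != 0
      "127.0.1.2"     dotted quad -> exact match
      "127.0.1.0/24"  CIDR -> membership test
    """
    ip = ipaddress.IPv4Address(answer)
    if subtest.isdigit():
        return (int(ip) & int(subtest)) != 0
    if "/" in subtest:
        return ip in ipaddress.IPv4Network(subtest, strict=False)
    return ip == ipaddress.IPv4Address(subtest)


def evaluate_rule(answers, subtest):
    """Apply one subtest to every A record a lookup returned and report the
    answers that trigger the rule (the rule hits if the list is non-empty)."""
    return [ans for ans in answers if subtest_matches(ans, subtest)]


# Constructed sample answers: 127.0.1.2 (spam domain) and 127.0.1.3
# (spammed redirector) are DBL listing codes; 127.0.1.255 is the DBL's
# "IP queries prohibited" reply, which a domain-only list hands back for
# any IP-address URL found in a message.
SAMPLE_ANSWERS = ["127.0.1.2", "127.0.1.3", "127.0.1.255"]

if __name__ == "__main__":
    # The bitmask fires on every 127.0.1.x answer, including the error code;
    # the exact-code form fires only on the listing code it names.
    for subtest in ("2130706688", "127.0.1.2", "127.0.1.3", "127.0.1.0/24"):
        print(f"{subtest:>14}: {evaluate_rule(SAMPLE_ANSWERS, subtest)}")
```

Note that 0x7F000100 also has the bits of the leading 127 octet set, so the bitmask is satisfied by any 127.x.x.x answer, not only the 127.0.1.0/24 range the comment in the rule describes.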
Re: UPS Delivery problem
On Wed, March 3, 2010 5:38 am, Jari Fredriksson wrote:

> On 3.3.2010 15:34, Jari Fredriksson wrote:
>> On 3.3.2010 15:22, twofers wrote:
>>> I have 52 of these sitting in my inbox this morning when I came in to work. this is just the beginning. I get literally hundreds of these a day and Spamassassin does not even check them. That's hundreds of these every day for weeks and weeks and weeks on end.
>>
>> How about using amavisd-new/clamd/SaneSecurity in your system in addition to SpamAssassin. SpamAssassin is not an AntiVirus application after all. I have some SaneSecurity additions in my clamd, as they catch those new trojans better than vanilla clamd:
>>
>> # /etc/clamav-unofficial-sigs.conf
>> ss_dbs="
>> phish.ndb
>> rogue.hdb
>> winnow_malware.hdb
>> winnow_malware_links.ndb
>> spearl.ndb
>> scamnailer.ndb
>> "
>>
>> Do NOT add the additional antispam databases to clamd, as they tend to be WAY too trigger happy, and SpamAssassin does not get a chance to do its perfect job on spam.

As the author of the script you're using, as well as the author of one of those additional antispam databases, I would have to disagree with you here. As one of the Sanesecurity rsync mirrors, I also know that there are many very large multi-national companies and large ISPs that use these additional antispam signature databases without issue.

>> clamd is also possible to integrate to SA using the clamav plugin. That way amavisd-new is not necessary (while it is excellent) if that seems to be too much trouble.

Also, if you are using amavisd-new or mime-defang, etc., then you should also be using the unofficial ClamAV signature databases in a scoring mode, rather than quarantine mode, as is recommended. This also allows SpamAssassin to see the messages and for AWL and Bayes to learn from the messages. This method also protects from potential false-positives from any one signature, as the score for a signature triggering from the unofficial signature database should not be high enough, on its own, to score the message as spam.

Bill
Re: UPS Delivery problem
On Wed, March 3, 2010 5:20 pm, Karsten Bräckelmann wrote:

> On Wed, 2010-03-03 at 16:06 -0800, Bill Landry wrote:
>> On Wed, March 3, 2010 5:38 am, Jari Fredriksson wrote:
>
> We're not going to re-hash one of the many discussions, err, heated flame-fests from the clamav and sanesecurity lists, are we? ;)
>
> This OP's problem is unrelated. Rejecting at a spam score threshold of 5. If we really want to go down the road of a clamav (?:SA plugin)? discussion, at the very least change the Subject... Please, don't.

My comments have absolutely nothing to do with the SpamAssassin ClamAV plugin. It does not even come into play here in my recommendations.

Bill
Re: Block Spammers Spoofing My Domain
On 2/28/2010 11:35 AM, Carlos Williams wrote:

> On Fri, Feb 26, 2010 at 4:38 PM, Benny Pedersen <m...@junc.org> wrote:
>>> I do the following but from my MTA. I don't know if you're using Postfix or Sendmail but I have the following 'helo_checks.pcre' in my Postfix directory:
>>>
>>> /^localhost$/ 550 Don't use my own domain (localhost)!
>>> /^ideorlando.\org$/ 550 Don't use my own domain!
>>
>> ups \ after dot :(
>
> I am sorry but I don't understand what 'ups' means? Can you explain please what you're saying in this message?
>
>>> /^216\.242\.104\.130$/ 550 Your spam was rejected because you're forging my IP.
>>> /^\[216\.242\.104\.130\]$/ 550 Your spam was rejected because you're forging my IP.
>>> /^mail\.ideorlando.\org$/ 550 Don't use my own hostname!
>>
>> one more error :)
>
> Where and what is the error? Can you show me what you're finding wrong in my syntax? Thanks for your help!

Move the back-slash \ before the dot . (\.org) as you currently have it after the dot (.\org).

Bill
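The practical lesson of the thread above is that a HELO check whose pattern does not compile protects nothing, so the table should be validated before it goes live. The following is an added example, not Postfix code and not the poster's: it parses `/pattern/ action` lines like those in helo_checks.pcre, compiles each pattern, reports the ones that fail (the `.\org` typo, where the backslash sits after the dot), and runs constructed HELO names through the rest. Python's re stands in for PCRE; for the constructs used here the behaviour is the same, and Postfix pcre tables are case-insensitive by default, so re.I is set.

```python
"""Validate a Postfix pcre HELO table before deploying it (added example)."""
import re

# Constructed copy of the table from the thread. It carries the broken line
# (.\org) and its corrected form (\.org) so the difference is visible.
HELO_TABLE = r"""
/^localhost$/                   550 Don't use my own domain (localhost)!
/^ideorlando.\org$/             550 Don't use my own domain!
/^ideorlando\.org$/             550 Don't use my own domain!
/^216\.242\.104\.130$/          550 Your spam was rejected because you're forging my IP.
/^\[216\.242\.104\.130\]$/      550 Your spam was rejected because you're forging my IP.
/^mail\.ideorlando\.org$/       550 Don't use my own hostname!
"""

# One table line: /pattern/ whitespace action.  Escaped characters inside the
# pattern (including an escaped slash) are allowed.
LINE_RE = re.compile(r"^/(?P<pat>(?:\\.|[^/])*)/\s+(?P<action>.+)$")


def parse_table(text):
    """Return [(pattern, action, compiled_regex_or_error_string)] per line."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            rows.append((line, None, "unparseable line"))
            continue
        pat, action = m.group("pat"), m.group("action")
        try:
            # Postfix pcre tables default to case-insensitive matching.
            rows.append((pat, action, re.compile(pat, re.I)))
        except re.error as exc:
            rows.append((pat, action, f"does not compile: {exc}"))
    return rows


def broken_patterns(text):
    """Patterns that fail to compile: these lines provide no protection at all."""
    return [pat for pat, _, compiled in parse_table(text) if isinstance(compiled, str)]


def check_helo(helo, text):
    """Action of the first compiling pattern that matches `helo`, or None."""
    for _, action, compiled in parse_table(text):
        if not isinstance(compiled, str) and compiled.search(helo):
            return action
    return None


if __name__ == "__main__":
    print("broken:", broken_patterns(HELO_TABLE))
    # Constructed HELO names: the domain itself (both cases), the host,
    # the bracketed IP literal, and an unrelated legitimate host.
    for helo in ("ideorlando.org", "IDEORLANDO.ORG", "mail.ideorlando.org",
                 "[216.242.104.130]", "mx.example.net"):
        print(f"{helo:>22} -> {check_helo(helo, HELO_TABLE)}")
```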
Re: DNSBL mirrors
On 2/27/2010 5:35 PM, João Gouveia wrote:

> Hi all, we are aiming to provide free usage of our DNSBL to the general anti spam community as soon as possible. However, in order to do this we would need to deploy more DNS mirrors or we risk providing a poor service due to the amount of DNS traffic we expect to receive. If you think you are up to this (or you know someone that would be) and you have the necessary infrastructure and bandwidth to support a rbldnsd mirror, please contact me off list so we can discuss details.
>
> This DNSBL has been running for a while now, incorporated in the SpamAssassin weekly mass checks and isn't exactly new (we've been operating since Feb 2008). What's new is the free part of it. You can check the current results here (last two weeks):
>
> http://ruleqa.spamassassin.org/20100220-r912093-n/%2FRCVD
> http://ruleqa.spamassassin.org/20100227-r916929-n/%2FRCVD
>
> The relevant rule name is T_RCVD_IN_ANBREP_BL (aggregation of all bad reputation IP addresses). Note that both the rule name and the DNS zone in use will change to a dedicated zone (which is already up and running). If you want to test it out use this one instead: http://mailspike.org/anubis/implementation_sa.html
>
> At the moment our goal is to get enough mirrors to provide a free sustained service and an overall good experience to SpamAssassin users, so that in the future this can be included in the SpamAssassin base rules (assuming of course SA folks would see value in it).

I don't see where you have defined any of these entries that you're using in your meta rules:

RCVD_IN_ANBREP_L5
RCVD_IN_ANBREP_L4
RCVD_IN_ANBREP_L3
RCVD_IN_ANBREP_Z

Did you intend for these to be MSPIKE rather than ANBREP?

Bill
Re: DNSBL mirrors
On 2/27/2010 6:42 PM, João Gouveia wrote:

> Hi Bill,
>
> ----- Bill Landry <b...@inetmsg.com> wrote:
>> On 2/27/2010 5:35 PM, João Gouveia wrote:
>>> Hi all, we are aiming to provide free usage of our DNSBL to the general anti spam community as soon as possible. However, in order to do this we would need to deploy more DNS mirrors or we risk providing a poor service due to the amount of DNS traffic we expect to receive. If you think you are up to this (or you know someone that would be) and you have the necessary infrastructure and bandwidth to support a rbldnsd mirror, please contact me off list so we can discuss details.
>>>
>>> This DNSBL has been running for a while now, incorporated in the SpamAssassin weekly mass checks and isn't exactly new (we've been operating since Feb 2008). What's new is the free part of it. You can check the current results here (last two weeks):
>>>
>>> http://ruleqa.spamassassin.org/20100220-r912093-n/%2FRCVD
>>> http://ruleqa.spamassassin.org/20100227-r916929-n/%2FRCVD
>>>
>>> The relevant rule name is T_RCVD_IN_ANBREP_BL (aggregation of all bad reputation IP addresses). Note that both the rule name and the DNS zone in use will change to a dedicated zone (which is already up and running). If you want to test it out use this one instead: http://mailspike.org/anubis/implementation_sa.html
>>>
>>> At the moment our goal is to get enough mirrors to provide a free sustained service and an overall good experience to SpamAssassin users, so that in the future this can be included in the SpamAssassin base rules (assuming of course SA folks would see value in it).
>>
>> I don't see where you have defined any of these entries that you're using in your meta rules:
>>
>> RCVD_IN_ANBREP_L5
>> RCVD_IN_ANBREP_L4
>> RCVD_IN_ANBREP_L3
>> RCVD_IN_ANBREP_Z
>>
>> Did you intend for these to be MSPIKE rather than ANBREP?
>
> Yes. Different zone, different rule names. But the data is the same. If you use the old zones/rules you'll get the same results, the difference being that we may eventually discontinue the old DNS zone (at least for public access).

Well, currently there are name mismatches in your rules; they either all need to be MSPIKE or ANBREP, but not a combination of both - otherwise your meta rules don't make sense and will never trigger.

Bill
Re: SpamAssassin 3.3.0, Botnet FP with IPv6
Mark Martinec wrote:

> On Thursday 28 January 2010 14:40:56 Graham Murray wrote:
>> Since upgrading to SA 3.3.0, botnet (version 0.8) is showing a false positive on every email I receive via IPv6.
>
> Has anyone contacted the author?

As most here on the list know: Good luck with that. From what I've seen botnet is an orphaned project, and the author is non-responsive to reported issues and user requests. If you really want this fixed, someone else other than the author will most likely need to provide a patch.

Bill
Re: About upgrading
LuKreme wrote:

> On 9-Jan-2010, at 21:23, Rosenbaum, Larry M. wrote:
>> It's the number of seconds since the epoch (Jan 1, 1970). One easy way to convert it to a readable time is
>>
>> # perl -e 'print scalar localtime 1263044805, "\n"'
>> Sat Jan 9 08:46:45 2010
>
> Or even simpler:
>
> perl -le 'print scalar localtime 1263049538'
> Sat Jan 9 05:46:45 2010
>
> % date -r 1263044805
> Sat Jan 9 06:46:45 MST 2010

On Linux based systems:

date -d @1263044805
Sat Jan 9 05:46:45 PST 2010

I like this output better than the perl output because it also includes the timezone.

Bill
Re: About upgrading
Rosenbaum, Larry M. wrote:

> -----Original Message-----
> From: Bill Landry [mailto:b...@inetmsg.com]
> Sent: Sunday, January 10, 2010 12:42 PM
> To: users@spamassassin.apache.org
> Subject: Re: About upgrading
>
> LuKreme wrote:
>> On 9-Jan-2010, at 21:23, Rosenbaum, Larry M. wrote:
>>> It's the number of seconds since the epoch (Jan 1, 1970). One easy way to convert it to a readable time is
>>>
>>> # perl -e 'print scalar localtime 1263044805, "\n"'
>>> Sat Jan 9 08:46:45 2010
>>
>> Or even simpler:
>>
>> perl -le 'print scalar localtime 1263049538'
>> Sat Jan 9 05:46:45 2010
>>
>> % date -r 1263044805
>> Sat Jan 9 06:46:45 MST 2010
>
> On Linux based systems:
>
> date -d @1263044805
> Sat Jan 9 05:46:45 PST 2010
>
> I like this output better than the perl output because it also includes the timezone.
>
> Excellent. Is there one that works on Solaris (other than the Perl version)?

Don't know about the default date utility for Solaris, but you could always use the GNU date utility on Solaris.

Bill
Re: emailreg.org - tainted white list
Christian Brel, AKA rich...@buzzhost.co.uk (among other aliases), is back... Bill
Re: Regex Question
Ralf Hildebrandt wrote:

> * Benny Pedersen <m...@junc.org>:
>> On Tue 10 Nov 2009 15:26:43 CET, rich...@buzzhost.co.uk wrote
>>> Please keep this in your mind in future before trotting out that tired old gas.
>>
>> imho Ralf has never been banned in maillist here, if you dont like his answers just unsubscribe
>
> Good point, but richard has been banned multiple times on the postfix list for asocial behaviour...

Be careful, Ralf, else you risk inciting richard to reappear on the SA list as another fictitious user and start his flaming rants and raves again, as he has done in the past...

Bill
[Fwd: ** IMPORTANT: Karmasphere Reputation Service End of Life ***]
Just FYI, in case you might be using the Karmasphere plug-in with SpamAssassin.

Bill

-------- Original Message --------
Subject: ** IMPORTANT: Karmasphere Reputation Service End of Life ***
Date: Mon, 2 Nov 2009 19:31:55 +0000 (GMT)
From: D J Stewart <d...@karmasphere.com>
To: karmasphere-us...@v2.listbox.com
CC: karmasphere-annou...@v2.listbox.com

Hello,

As a registered user of Karmasphere Reputation Services, we wanted to let you know that we are discontinuing the service, effective November 16, 2009. If you are using the services through DNS, BQuery or email plugins, please make plans to adjust your configurations, ideally prior to November 9 and no later than November 16, 2009. On that final date, we will disable the reputation servers so that you can no longer query them. Anybody who still has not removed Karmasphere's reputation service from their mail configuration when this happens may find that their mail servers appear to slow down while they wait for their queries to Karmasphere to time out.

You may be thinking "why are they doing this?". The answer is that we are moving the business in a different direction. We have applied the experience gained in manipulating and analysing large data sets in reputation services into developing software that makes it easier to use Hadoop. This change in focus means that we no longer have the time nor resources to give the reputation service the attention it deserves. Rather than letting the service slowly decay, we are ending it.

This end of service will proceed in the following stages.

Stage 1: To November 9, 2009
Our services will continue as they have for the past 4 years. This gives you a chance to remove Karmasphere's feeds and feedsets from your mail server configurations.

Stage 2: November 9 - November 16, 2009
Our servers will continue to respond but our feedsets will whitelist everything.

Stage 3: November 16, 2009
The reputation servers will be turned off.

Thank you for using our services.

The Karmasphere Team.
Re: Problems with whitelist_from_rcvd
John Hardin wrote:

> On Fri, 2 Oct 2009, Igor Bogomazov wrote:
>> whitelist_from_rcvd s...@domain.mail prefix.domain.mail doesn't work. I've checked rDNS of the prefix.domain.mail with 'host' utility - it's all right.
>
> You don't check rDNS using host, you check it using dig -x host.ip.addr.here

Why not, they come up with the same thing?:

host 207.210.83.140
140.83.210.207.in-addr.arpa domain name pointer ga.impsec.org.

dig -x 207.210.83.140 +short
ga.impsec.org.

Bill
Re: Moderation? (was: Drivel)
On Tue, 2009-09-15 at 18:34 -0400, Charles Gregory wrote:

>> I had considered this, but another poster made the worthy point that the (ab)user in question was likely the sort to get another fake address just so they could keep posting their crud. Sometimes 'ignore them' is the simplest and best policy. :)
>
> I am aware of this. There is no final way to get someone off a public mailing list. There's always the possibility to get a new address, or even a new netblock. Sounds familiar?
>
> I do agree that ignoring the offender is the best solution. I have seen this working on other lists before. So... *Please*, everyone -- don't feed the trolls.
>
> Oh, and BTW, we *are* aware he is still following. One of his identities, that is. No rocket science.

Yes, the buzzard has also displayed the same abusive nature under his other email address many times in the past. He uses the same email client (X-Mailer: Evolution 2.24.3), the same reference in his Message-Id (camel), and the same source IP address (192.168.1.56), so not hard to figure out.

Sorry, couldn't resist...

Bill
Re: Moderation? (was: Drivel)
On Tue, 2009-09-15 at 18:34 -0400, Charles Gregory wrote:

>> I had considered this, but another poster made the worthy point that the (ab)user in question was likely the sort to get another fake address just so they could keep posting their crud. Sometimes 'ignore them' is the simplest and best policy. :)
>
> I am aware of this. There is no final way to get someone off a public mailing list. There's always the possibility to get a new address, or even a new netblock. Sounds familiar?
>
> I do agree that ignoring the offender is the best solution. I have seen this working on other lists before. So... *Please*, everyone -- don't feed the trolls.
>
> Oh, and BTW, we *are* aware he is still following. One of his identities, that is. No rocket science.

Yes, the buzzard has also displayed the same abusive nature under his other email address many times in the past. He uses the same email client (X-Mailer: Evolution 2.24.3), the same reference in his Message-Id (camel), and the same source IP address (192.168.1.56), so not hard to figure out.

Oh, and I forgot to mention that both Google and the SpamAssassin list server receive deliveries from the same IP address (82.70.24.238).

Bill
Re: Moderation?
Karsten Bräckelmann wrote:

> On Tue, 2009-09-15 at 16:36 -0700, Bill Landry wrote:
>> Yes, the buzzard has also displayed the same abusive nature under his other email address many times in the past. He uses the same email client (X-Mailer: Evolution 2.24.3), the same reference in his Message-Id (camel), and the same source IP address (192.168.1.56), so not hard to figure out.
>>
>> Sorry, couldn't resist...
>
> Bill, since you mentioned it... Camel is just the Evolution Mail backend. The part after the @ in the Message-Id is much more interesting and the machine's hostname.

Ah, ok, didn't know that about Evolution, but I now see that your Message-Id contains camel, as well. However, his 2 email accounts use something different after the @ in the Message-Id. One uses ca...@rubikscube and the other ca...@testicle. Wonder what the latter signifies about him...?

Bill
Re: Non scoring 'Bank Deposit' spam
Clunk Werclick wrote:

> On Mon, 2009-09-14 at 08:05 -0600, LuKreme wrote:
>> On 14-Sep-2009, at 05:24, --[ UxBoD ]-- wrote:
>>> If the OP cannot refrain from that sort of foul language when presented with counter arguments then please ban. The list would be far happier IMHO.
>>
>> Based on his reply to Matus I put him on my 'soft' kill list. (soft because all it does is mark his messages as read when they are received, so I still have them… but chances are I never see them). I did have to lookup his real address clunk.wercl...@wibblywobblyteapot.co.uk so I could mark both his throw-away gmail address and his 'real' address. I found it in my postfix spool. Still, based on his ignorance and his volatile behavior *I* certainly don't have any interest in his getting helped, and I don't have to read his xenophobic abuse ever again.
>
> Man, I'm going to lose *so* much sleep about that. From what I have read, the majority of you are a bunch of gay arse lovers up each other. And fuckwits to boot. I hope you die ejaculating up each others arse holes.

So how far does someone have to go before getting banned from the list? Is this not far enough yet?

Bill
Re: .cn domain age query?
On Mon, 14 Sep 2009, Warren Togami wrote: One thing they all have in common is their registration dates are very young according to whois lookups. It seems in general if we had a reliable way to lookup domain age we might be able to differentiate spam. What's the current status of the Day Old Bread BL? Has it moved to subscription-only? Still working fine for me here, 51 hits so far today against DOB. Bill
Re: Non scoring 'Bank Deposit' spam
--[ UxBoD ]-- wrote:

> ----- Clunk Werclick <mailbacku...@googlemail.com> wrote:
> | On Mon, 2009-09-14 at 19:52 +0100, --[ UxBoD ]-- wrote:
> | > ----- Benny Pedersen <m...@junc.org> wrote:
> | > > On Mon 14 Sep 2009 16:54:39 CEST, Bill Landry wrote
> | > > > So how far does someone have to go before getting banned from the list? Is this not far enough yet?
> | > >
> | > > he just come back with another sender email, with another reply-to, it will be endless banning new email addresses
> | > >
> | > > --
> | > > xpoint
> | >
> | > Blocked now @ FW .. Will contact Zen tomorrow and report as the OP is in violation of the ISP AUP.
> |
> | go *right* ahead. Here you go:
> | ab...@zen.co.uk
> |
> | I guess it will take a retard like you a *whole* day to find it.
> |
> | Best Regards,
>
> Not at all ... If you were so kind as to have stopped the profanity and vulgarity then people would have been more approachable and helpful. It was kindly asked that you refrained from such posting yet you felt you were exempted. As I have already said the lists are here to help people and learn. We should not be exposed to such rubbish. Otherwise why have the lists in the first place? Every individual has the right to put forward their view and opinion; but when using the language you felt easy to adopt it makes a mockery. And I must say thank you for the email address; that really helps (not). A phone call is a lot easier to explain on the potential impact an ISP subscriber could be having to the provider's business.

You might also consider reporting his googlemail address to Google, as well, and provide proof of the denial of smtp server attack he ran against your mail server. That should get his account shut down, as well.

> I believe you could put some valid viewpoints forward, and if this was done in a mature, professional manner I am sure everyone would be very pleased.

Don't waste your breath (keystrokes) on this guy, he has no common sense - things like this are way beyond his comprehension level.

Bill
Re: Non scoring 'Bank Deposit' spam
Clunk Werclick wrote:

> On Mon, 2009-09-14 at 20:38 +0100, --[ UxBoD ]-- wrote:
>> ----- Clunk Werclick <mailbacku...@googlemail.com> wrote:
>> | On Mon, 2009-09-14 at 19:52 +0100, --[ UxBoD ]-- wrote:
>> | > ----- Benny Pedersen <m...@junc.org> wrote:
>> | > > On Mon 14 Sep 2009 16:54:39 CEST, Bill Landry wrote
>> | > > > So how far does someone have to go before getting banned from the list? Is this not far enough yet?
>> | > >
>> | > > he just come back with another sender email, with another reply-to, it will be endless banning new email addresses
>> | > >
>> | > > --
>> | > > xpoint
>> | >
>> | > Blocked now @ FW .. Will contact Zen tomorrow and report as the OP is in violation of the ISP AUP.
>> |
>> | go *right* ahead. Here you go:
>> | ab...@zen.co.uk
>> |
>> | I guess it will take a retard like you a *whole* day to find it.
>> |
>> | Best Regards,
>>
>> Not at all ... If you were so kind as to have stopped the profanity and vulgarity then people would have been more approachable and helpful. It was kindly asked that you refrained from such posting yet you felt you were exempted. As I have already said the lists are here to help people and learn. We should not be exposed to such rubbish. Otherwise why have the lists in the first place? Every individual has the right to put forward their view and opinion; but when using the language you felt easy to adopt it makes a mockery. And I must say thank you for the email address; that really helps (not). A phone call is a lot easier to explain on the potential impact an ISP subscriber could be having to the provider's business.
>>
>> I believe you could put some valid viewpoints forward, and if this was done in a mature, professional manner I am sure everyone would be very pleased.
>>
>> Thank you for your time.
>>
>> Best Regards,
>
> And had you not taken to emailing me off list, you would have been spared the abuse you deserved. Grow up with your 'DoS' crap. I look forward to hearing from Zen. Keep your shitty posts *on* list in future.

Are all of the list admins on vacation?

This kind of crap would not be tolerated on most lists I'm subscribed to. This stuff happens way too often on this list without repercussion. If the list admins don't put a stop to these kinds of posts, expect people to start unsubscribing, as it's just not worth the hassle.

Bill
Re: Image spam is back
Giampaolo Tomassoni wrote: Are you experiencing the same? Some of them are even sleeping through FuzzyOcr. Any tuning to suggest? Yes, shake them as they are passing through FuzzyOcr, that should wake them up so that FuzzyOcr can detect them as they pass through... ;-) Bill
Re: List headers and footers [Re: Unsubscribe]
mouss wrote:

>>> Mailman has specific functionality to remove signature headers so that the message can be resigned as it's sent out.
>>
>> which doesn't help, because if I get mail claiming to come From: mo...@netoyen.net, yet it doesn't have a sig of mine, I don't really care if some fancy mailman owner has added his own.
>
> Huh? I really don't understand what you just wrote. Mailman is a mailing list management program (which is used to manage this list, fwiw). And the signatures I was talking about are DKIM or Domainkeys. Since Mailman adds its own headers to the messages it processes, any existing signatures in the message are invalidated. Thus, Mailman has to remove any existing signatures and let the MTA resign the message after it's been processed.

This is *not* correct. Check the headers of this message and check the SA test results. The list server added its headers, did not strip my DK/DKIM signatures, and SA shows that the message contains DK/DKIM signatures and that they are still valid. Headers added after signing do *not* cause a problem if they are added in the proper order, above the ones used for signing, as is the standard.

Bill
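Why prepended list headers leave the signature intact, as an added example that is not SpamAssassin, Mailman or any DKIM library's code: it implements only the two parts of RFC 6376 that matter for the claim above, namely that the verifier selects the header instances named in h= from the bottom of the header block upward (section 5.4.2) and the "relaxed" header canonicalization (section 3.4.2). Hashing the canonicalized selection before and after a constructed list server prepends its own headers shows the covered bytes are unchanged, while a server that rewrites a covered header (subject tagging) does change them. The message, the list headers and the h= list are constructed; no signing key is involved.

```python
"""Bottom-up DKIM header selection vs prepended list headers (added example)."""
import hashlib
import re


def parse_headers(raw):
    """Split a CRLF header block into [(name, value)] in wire order, keeping
    folded continuation lines attached to their header."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and headers:              # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers


def relaxed_header(name, value):
    """RFC 6376 3.4.2 relaxed canonicalization of one header field."""
    value = re.sub(r"\r\n[ \t]+", " ", value)         # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()     # collapse whitespace
    return f"{name.strip().lower()}:{value}\r\n"


def select_signed(headers, h_list):
    """RFC 6376 5.4.2: for each name in h=, take the last (bottom-most) instance
    not already consumed; a repeated name walks upward; a name with no
    remaining instance contributes nothing (covered as absent)."""
    remaining = list(headers)
    chosen = []
    for wanted in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == wanted.lower():
                chosen.append(remaining.pop(i))
                break
    return chosen


def header_hash(raw, h_list):
    """SHA-256 over the canonicalized covered headers, i.e. the part of the
    signature input that a list server's header changes could disturb."""
    covered = select_signed(parse_headers(raw), h_list)
    data = "".join(relaxed_header(n, v) for n, v in covered)
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed message as the author's MTA would have signed it.
ORIGINAL = (
    "From: Bill <bill@example.org>\r\n"
    "To: users@example.net\r\n"
    "Subject: Re: List headers\r\n"
    "Date: Mon, 1 Jun 2009 10:00:00 -0700\r\n"
)
H_LIST = ["from", "to", "subject", "date"]       # constructed h= list


def after_list_server(raw):
    """Constructed list server that prepends trace and List-* headers above
    the signed ones, which is the order the thread describes as standard."""
    return ("Received: from list.example.net (constructed)\r\n"
            "List-Id: <users.example.net>\r\n" + raw)


def after_bad_list_server(raw):
    """Contrast: a server that rewrites a covered header (subject tagging)."""
    return raw.replace("Subject: ", "Subject: [users] ")


if __name__ == "__main__":
    base = header_hash(ORIGINAL, H_LIST)
    print("prepended headers keep covered bytes:", base == header_hash(after_list_server(ORIGINAL), H_LIST))
    print("rewritten Subject keeps covered bytes:", base == header_hash(after_bad_list_server(ORIGINAL), H_LIST))
```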
Re: some URIBL accidentally listed .org?
ram wrote:

On Mon, 2009-06-15 at 15:35 +1000, Con Tassios wrote:

On Mon, 15 Jun 2009, Chip M. wrote:

DOB (Day Old Bread) had the same problem last year: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200810.mbox/%3cva.33f1.14690...@news.conactive.com%3e With software bugs, lightning often DOES strike twice in the same spot. :)

I'm quite sure 'Day Old Bread' had the same problem again in the last day or so.

Is the Day Old Bread list a reliable list? I found that their DNS times out a lot of times.

I'm not too sure how reliable DOB is either, as I just warned them today that they had aarp.org listed. They finally removed it, but that domain name was clearly not a recently registered domain: Created On: 16-Dec-1994 05:00:00 UTC That they could make a mistake and register a 14+ year old domain of a very legitimate non-profit company seems to indicate that their listing practices are rather lackadaisical, at best. Bill
Re: [sa] Re: BOTNET timeouts?
Bill Landry wrote:

Res wrote:

On Sat, 13 Jun 2009, Charles Gregory wrote:

On Sun, 14 Jun 2009, Res wrote:

Though now it's Sunday, I have socialising to do, and none of that includes sitting on mailing lists listening to cry babies who expect people involved in OSSP's to drop everything and be their servants.

So we'll just all pretend you didn't send this message. ...and the one after it. :)

That's perfectly acceptable, if you need help with setting me in a killfile, I'll be more than happy to assist :)

Maybe you could add your email address to your outbound mail server's killfile. I know that would deprive the world of your comic relief, but it would also allow the rest of us to focus on real list related issues without unnecessary distractions, and it would give you ample time to focus on improving your grammar, spelling and people skills. Sounds like a real win/win situation to me...

Bill, I think you'll agree with me that it is time to stop feeding censored/

Yes, I agree - I'm done now. Bill
Re: [sa] Re: BOTNET timeouts?
Res wrote:

On Sat, 13 Jun 2009, Charles Gregory wrote:

On Sun, 14 Jun 2009, Res wrote:

Though now it's Sunday, I have socialising to do, and none of that includes sitting on mailing lists listening to cry babies who expect people involved in OSSP's to drop everything and be their servants.

So we'll just all pretend you didn't send this message. ...and the one after it. :)

That's perfectly acceptable, if you need help with setting me in a killfile, I'll be more than happy to assist :)

Maybe you could add your email address to your outbound mail server's killfile. I know that would deprive the world of your comic relief, but it would also allow the rest of us to focus on real list related issues without unnecessary distractions, and it would give you ample time to focus on improving your grammar, spelling and people skills. Sounds like a real win/win situation to me... Bill
Re: List headers and footers [Re: Unsubscribe]
David Gibbs wrote:

mouss wrote:

- mail admin at example.com configures his mail system to sign all outbound mail with DKIM
- he rejects any mail with a From: in his domain if it doesn't have a valid DKIM signature
- j...@example.com posts to a list that appends a footer (or munges the Reply-To header, assuming this is used in the signature).
- list resends the message to mx.example.com.
- mail is From: j...@example.com, but it is either not signed (list removed the signature) or the sig is not valid (message altered by list).

I don't think DKIM / Domainkeys will be invalidated by adding a footer ... as the footer is added to the message before it is signed and resent.

This may be true if the sender were adding the footer before signing and sending the message to the list. However, not true if it's the mailing list that is adding the footer after the original sender has already signed the message. Bill
Re: List headers and footers [Re: Unsubscribe]
David Gibbs wrote:

Bill Landry wrote:

This may be true if the sender were adding the footer before signing and sending the message to the list. However, not true if it's the mailing list that is adding the footer after the original sender has already signed the message.

As I understand it, in order for the signatures to be valid, the message has to be signed by the sender ... because most mailing list software adds headers.

As long as the headers are added in the proper order, they will not break DK/DKIM signing. But adding anything to the body will break the signatures, as the body is included as part of the signature. If you take a look at the headers of this message, you will see what headers I've included in my DK/DKIM signatures, as well as the message body. Any changes in any of these areas will render the signature invalid.

Mailman has specific functionality to remove signature headers so that the message can be resigned as it's sent out.

If that happens then the message is no longer signed by the original sender, but rather by the mailing list. Probably not a big deal for a mailing list, but would be in any person-to-person communications. Bill
Re: List headers and footers [Re: Unsubscribe]
Chris Owen wrote:

On Jun 14, 2009, at 8:10 PM, Bill Landry wrote:

Mailman has specific functionality to remove signature headers so that the message can be resigned as it's sent out.

If that happens then the message is no longer signed by the original sender, but rather by the mailing list. Probably not a big deal for a mailing list, but would be in any person-to-person communications.

Why would someone wanting person-to-person communications send mail through Mailman?

[replying back to the list for the benefit of others following this thread]

They wouldn't. I was simply trying to illustrate a point that removing and resigning a message on a mailing list probably is not a big deal. But if, for example, a receiving MTA were to add some kind of footer to a signed message in a person-to-person communication (not a mailing list communication), then that would effectively render the DK and/or DKIM signatures invalid, as the message content would have changed. The same is true if a mailing list adds a footer to a message and does not remove the original DK and DKIM signatures, as the list recipients would receive the message with invalid signatures, and SA would report them as invalid. Bill
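The two claims in this thread (headers prepended above the signed ones leave a DKIM signature valid, a footer appended to the body or a change to a signed header breaks it) can be checked with a cut-down DKIM-style hasher. This is an added example, not code from the list or from any DKIM implementation: it implements RFC 6376 relaxed canonicalization and the bottom-up h= header selection, but replaces RSA with a keyed HMAC stand-in, and the message, secret and list-server edits are constructed samples.

```python
"""Simplified DKIM-style body/header hashing (added example, not a real verifier).

Covers the two RFC 6376 mechanics the thread argues about:
- bh= is a hash of the canonicalized body, so any footer changes it;
- the header hash is built from the h= list, and for each listed name the
  *bottom-most* instance in the message is taken, so headers a list server
  prepends at the top are never part of the hash input.
RSA signing is replaced by an HMAC with a constructed secret so this runs offline.
"""
import hashlib
import hmac
import re

SECRET = b"constructed-stand-in-for-the-private-key"  # hypothetical


def relaxed_body(body: str) -> bytes:
    # RFC 6376 3.4.4: strip trailing whitespace per line, collapse runs of
    # whitespace to one space, drop trailing empty lines, end with one CRLF.
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def relaxed_header(name: str, value: str) -> str:
    # RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace, trim.
    value = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}"


def body_hash(body: str) -> str:
    return hashlib.sha256(relaxed_body(body)).hexdigest()


def header_hash_input(headers, signed_names):
    """headers: list of (name, value) in top-to-bottom order; signed_names: h= list."""
    remaining = list(headers)
    out = []
    for name in signed_names:
        # RFC 6376 5.4.2: take the last (bottom-most) not-yet-used instance.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out.append(relaxed_header(*remaining.pop(i)))
                break
    return "\r\n".join(out).encode()


def sign(headers, body, signed_names):
    bh = body_hash(body)
    mac = hmac.new(SECRET, header_hash_input(headers, signed_names) + bh.encode(),
                   hashlib.sha256).hexdigest()
    return {"h": list(signed_names), "bh": bh, "b": mac}


def verify(headers, body, sig):
    if body_hash(body) != sig["bh"]:
        return False, "body hash mismatch"
    expected = hmac.new(SECRET, header_hash_input(headers, sig["h"]) + sig["bh"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["b"]):
        return False, "header hash mismatch"
    return True, "ok"


# Constructed sample message as the sender's MTA signed it.
ORIGINAL_HEADERS = [
    ("Received", "from mua.example.net by mail.example.net; Sun, 14 Jun 2009 20:10:00 -0700"),
    ("From", "Bill Landry <bill@example.net>"),
    ("Reply-To", "bill@example.net"),
    ("To", "users@example.org"),
    ("Subject", "Re: List headers and footers"),
]
ORIGINAL_BODY = "As long as the headers are added in the proper order,\nthey will not break signing.\n"
SIGNED = ["From", "Reply-To", "To", "Subject"]


def scenarios():
    """Verify the signed message after each kind of list-server edit."""
    sig = sign(ORIGINAL_HEADERS, ORIGINAL_BODY, SIGNED)
    # 1. List server prepends its own trace/list headers above the signed ones.
    prepended = [
        ("Received", "from mail.example.net by lists.example.org; Sun, 14 Jun 2009 20:11:00 -0700"),
        ("List-Id", "<users.example.org>"),
    ] + ORIGINAL_HEADERS
    # 2. List server appends a footer to the body.
    with_footer = ORIGINAL_BODY + "\n-- \nList footer (constructed)\n"
    # 3. List server munges a header that is in the h= list.
    munged = [(n, "users@example.org" if n == "Reply-To" else v) for n, v in ORIGINAL_HEADERS]
    return {
        "untouched": verify(ORIGINAL_HEADERS, ORIGINAL_BODY, sig),
        "headers_prepended": verify(prepended, ORIGINAL_BODY, sig),
        "footer_appended": verify(ORIGINAL_HEADERS, with_footer, sig),
        "reply_to_munged": verify(munged, ORIGINAL_BODY, sig),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:18} -> {result}")
```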
Re: BOTNET timeouts?
I just love these kinds of responses (talk about 5yo tantrums), as they only serve to prove my point about your credibility and the value of your opinions. Thank you! :-) Bill

Res wrote:

On Thu, 11 Jun 2009, Bill Landry wrote:

I'm sure John might be happier to stay awake later and work on it for an hour or so each night as a 'priority' *IF* Bill was willing to pay John for his time, but I suspect not somehow, as it is far easier to come on a mailing list and have a temper tantrum like a 5yo kid.

Maybe your opinion would carry some weight if you had even a little bit of a clue about what you are talking about. How long have you been on this list? How much effort have you put into debugging this plugin issue?

A lot longer than you might think, I don't say much here, I've used this list for years to mostly get ideas on rulesets when new spam arrives (why reinvent the wheel) to which BTW I've never seen anything contributing from yourself.

Were you even remotely involved in the process of coming up with a patch for the issue? Do you even use the botnet plugin yourself and experienced

No because I seem to have reliable DNS and have never exhibited the issue.

past 2 years? How many open source projects do you support directly yourself? Are you actually giving anything back to the community that you

Next time get a clue before you willy nilly jump in on a thread and start flapping about something you really know nothing about!

Got more of a clue than you it seems, but I have the same problems with the projects I am involved with, tantrum wanking lamers like yourself demanding we give up our lives and work JUST to satisfy something you want, it will never happen turdbreath, get used to it, if you don't like it, don't use it, nobody is holding a gun to your pathetic mutated little head making you use it. Now fuck off and go elsewhere where someone might actually want to listen to your I'm mightier than you rants, you sad sad sad pathetic excuse of a man.
Re: BOTNET timeouts?
Res wrote: No because I seem to have reliable DNS and have never exhibited the issue. Oh, and if in fact you really had a clue, you would know that DNS reliability has absolutely nothing to do with this issue... ;-) Bill
Re: BOTNET timeouts?
John Rudd wrote:

Further, Bill, I don't answer to you for my time constraints. Now quit your whining and put your money where your mouth is. If it's so important, then provide a fix that replaces Net::DNS with SA's internal DNS routines, and I'll use it. If it's not important enough to you to drop everything you're doing, and work on it, then you have no business trying to badger me into it.

No, you certainly don't answer to me for your time. And I have never expected you to drop everything and jump right on this. However, if you are willing to release something to the open source community, you should also be willing to take on the responsibility of providing ongoing support for it. Two years (bug reported 2007-06-08 - Bug-ID 5506) is too long to have not provided either a permanent fix for this issue or at least have incorporated or included the provided patch with your distribution. Currently, botnet users are left to spend time trying to figure out what is wrong with their systems whenever they opt to use the botnet plugin. Then they finally give up and come to the list for answers. This should not be the required procedure to gain proper and effective usage of your plugin. Anyway, that's all I have to say about this matter. Wherever you decide to go with this from here is, as always, up to you... Bill
Re: BOTNET timeouts?
Benny Pedersen wrote:

On Sat, June 13, 2009 14:31, Bill Landry wrote:

However, if you are willing to release something to the open source community, you should also be willing to take on the responsibility of providing ongoing support for it.

who says that? i have maybe misunderstood gpl licenses? its far long since i have seen the source here and i dont even remember what license it was, but one thing for sure ongoing maintenance is not part of it

I said willing, not required. Most people *do* commonly support their open source projects, wouldn't you agree? Bill
Re: BOTNET timeouts?
Res wrote:

On Sat, 13 Jun 2009, Bill Landry wrote:

I just love these kinds of responses (talk about 5yo tantrums), as they only serve to prove my point about your credibility and the value of your opinions. Thank you! :-)

truth hurts don't it landry, just like i tell those who demand extra capability from my projects, if you want it *right now* pay me for it and you'll get immediate attention, else tolerate what I've provided or fuck off and use something else, I lose no sleep either way, my life comes before no-life whinging fucking cry baby lamers like you.

Sorry for wasting everyone's time with this, but I've just got to say that the entertainment value here is simply priceless! But Res, we should probably stop now so that the list can get back to its normal business. Thanks for the laughs this morning, Res, you really made my day! :-) Bill
Re: BOTNET timeouts?
McDonald, Dan wrote:

On Wed, 2009-06-10 at 21:40 -0700, John Rudd wrote:

On Wed, Jun 10, 2009 at 21:11, Bill Landry b...@inetmsg.com wrote:

Jake Maul wrote:

Interesting that I'm just now running into this... I've been using Botnet on this server for several months without issue. Thanks for the link, shorter timeouts should cure it. :)

The patch was originally developed when SpamAssassin's resolver library was patched to shorten the timeouts. I suggested the changes to mimic the SpamAssassin code.

Even though Mark Martinec had provided John Rudd with a nice, neat patch for botnet.pm well over a year ago to resolve this issue, John has not opted to take the 5 minutes that is necessary to fix botnet by applying the patch. He is no longer maintaining botnet, and it has become an orphaned plugin that is in serious need of repair.

If you feel that way about it, fork it. I personally don't feel that way about John's work.

That's a rather presumptuous statement to make. The plug-in works in the vast majority of cases, and I've had higher priority things to work on. But the plug-in has not been abandoned (nor are you qualified to make that statement), nor is it in _serious_ need of repair. Nor do you know how much pre-release work (testing, etc.) I put into a release, whether or not that's the solution to the specific problem I want to go with, etc.,

Correct. A more elegant solution would be to use the parallelizing resolver library built into SpamAssassin, but that would increase the complexity significantly, and take a lot more time to get right. I know I don't have the time to do that sort of development properly, and I fully sympathize with John's priorities.

John has been citing other priorities for 2 years (second verse, same as the first), and it has been even longer than that since the plugin has been updated - despite the issues that have been reported (a simple search (botnet timeout) of the mailing list archives will prove my point). You can start your search here: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5506

And the results of this effort were reported to John and summarily ignored: http://markmail.org/message/dmqjh5haffw7vbfg#query:mark%20Martinec%20botnet+page:1+mid:dmqjh5haffw7vbfg+state:results

And still are ignored to date:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200901.mbox/%3c200901151806.07138.mark.martinec...@ijs.si%3e
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200901.mbox/%3c8b155d900901151312h6599f2e5ra2d4fe3ffd289...@mail.gmail.com%3e

This issue has been unresolved for way too long. All of this, in my mind, makes the plugin orphaned and unusable if not patched with Mark's patch. Bill
Re: BOTNET timeouts?
I've had no trouble with Botnet timeouts, but just now patched anyway, to avoid any potential trouble. I, and many others appreciate how responsive you've been with your sanesecurity work, but not everyone has the same resources. Whenever I install GNU free software, I have to remember this. If someone wants to fork Botnet, go for it! Otherwise, just patch. This isn't Microsoft, where you can sit on a serious security bug for 3 years and be held accountable... u.. nevermind.

I agree that forking is an option; however, in this case the author continues to claim that he is supporting botnet, but the reality says otherwise... Bill
Re: BOTNET timeouts?
Well I suppose you could always take the product that you dislike so badly back to the store and ask for a refund of your purchase price. Sometimes it really amazes me how much, and how severely, some people will gripe about free products that exist only because other people volunteer their time to a project.

Exactly! Well said. I'm sure John might be happier to stay awake later and work on it for an hour or so each night as a 'priority' *IF* Bill was willing to pay John for his time, but I suspect not somehow, as it is far easier to come on a mailing list and have a temper tantrum like a 5yo kid.

Maybe your opinion would carry some weight if you had even a little bit of a clue about what you are talking about. How long have you been on this list? How much effort have you put into debugging this plugin issue? Were you even remotely involved in the process of coming up with a patch for the issue? Do you even use the botnet plugin yourself and experienced the issue? How many times have you assisted new botnet users that are facing the timeout issue and provided them a link to the patch over the past 2 years? How many open source projects do you support directly yourself? Are you actually giving anything back to the community that you gain so much benefit from, or are you just an occasional lurker that sometimes feels the need to express his opinion about something/anything (whether you actually know anything about it or not) because you have nothing better to do? Next time get a clue before you willy nilly jump in on a thread and start flapping about something you really know nothing about! Bill
Re: BOTNET timeouts?
This issue has been unresolved for way too long. All of this, in my mind, makes the plugin orphaned and unusable if not patched with Mark's patch.

Actually it's a patch by Daniel J McDonald from 2007-06-15. I just refreshed it for 0.8 and reposted it two months later. Credits where credits are due.
http://marc.info/?l=spamassassin-users&m=118194701009930
http://marc.info/?l=spamassassin-users&m=118641079630268

Thanks for the clarification, Mark, and my apologies for the oversight, Dan (oh, and BTW, thanks for the original patch!). Bill
Re: BOTNET timeouts?
Jake Maul wrote:

Interesting that I'm just now running into this... I've been using Botnet on this server for several months without issue. Thanks for the link, shorter timeouts should cure it. :)

Even though Mark Martinec had provided John Rudd with a nice, neat patch for botnet.pm well over a year ago to resolve this issue, John has not opted to take the 5 minutes that is necessary to fix botnet by applying the patch. He is no longer maintaining botnet, and it has become an orphaned plugin that is in serious need of repair. Bill
Re: BOTNET timeouts?
John Rudd wrote:

On Wed, Jun 10, 2009 at 21:11, Bill Landry b...@inetmsg.com wrote:

Jake Maul wrote:

Interesting that I'm just now running into this... I've been using Botnet on this server for several months without issue. Thanks for the link, shorter timeouts should cure it. :)

Even though Mark Martinec had provided John Rudd with a nice, neat patch for botnet.pm well over a year ago to resolve this issue, John has not opted to take the 5 minutes that is necessary to fix botnet by applying the patch. He is no longer maintaining botnet, and it has become an orphaned plugin that is in serious need of repair.

That's a rather presumptuous statement to make. The plug-in works in the vast majority of cases, and I've had higher priority things to work on. But the plug-in has not been abandoned (nor are you qualified to make that statement), nor is it in _serious_ need of repair. Nor do you know how much pre-release work (testing, etc.) I put into a release, whether or not that's the solution to the specific problem I want to go with, etc., so you're also unqualified to state how much time it would take to resolve it.

Whatever, just fix it or pull it. Bill
Interesting email...
I'm not sure what the purpose is of this kind of email, as the links are not clickable, even though they appear to be. The message scored high, but wondering what others think about this one: http://pastebin.com/m74dd8503 Is it simply a poorly written piece of vbscript that could be dangerous if done right? Bill
Re: Interesting email...
Kurt Buff wrote:

On Sun, May 17, 2009 at 16:23, Bill Landry b...@inetmsg.com wrote:

I'm not sure what the purpose is of this kind of email, as the links are not clickable, even though they appear to be. The message scored high, but wondering what others think about this one: http://pastebin.com/m74dd8503 Is it simply a poorly written piece of vbscript that could be dangerous if done right? Bill

The clsid is a dead giveaway, and pretty dang old: http://isc.sans.org/diary.html?storyid=3324 Don't know why clamav didn't catch it - I know you're running that...

Hey Kurt, ClamAV did catch the email, but it was with one of the 3rd-party signatures (Sanesecurity) that flagged it. I've got amavisd set to not quarantine some messages and instead pass them onto SpamAssassin for scoring and bayes training. Bill
Re: EmailBL hit count
LuKreme wrote:

On 17-May-2009, at 06:32, Yet Another Ninja wrote:

On 5/17/2009 2:09 PM, LuKreme wrote:

On 16-May-2009, at 21:25, Bill Landry wrote:

LuKreme wrote:

grep EMAILBL /var/log/maillog.1 | grep -v 'is spam' | wc -l

?? How is that going to work if you are telling grep to output everything that does NOT contain is spam (-v = select non-matching lines)?

Right. How many emails that were not otherwise tagged as spam flagged EMAILBL.

that's up to you to figure out on your site, with your traffic.

The point of the original post was to see how often it was hitting messages that were not otherwise spam on YOUR machine since you posted numbers Of the 1891 messages that hit the EMAILBL how many of those were messages that where not otherwise seen as is spam? Without that, the numbers you posted don't indicate anything since we have a range from (All 1891 messages were otherwise marked as spam) to (none of the 1891 messages were otherwise marked as spam).

There seems to be a flaw in your logic. The search you did would only find messages that were flagged by EMAILBL but were not considered spam. I guess that's fine if potential FPs are what you are looking for. Bill
Re: EmailBL hit count
LuKreme wrote:

On 16-May-2009, at 02:43, Yet Another Ninja wrote:

On 5/13/2009 9:33 AM, Yet Another Ninja wrote:

Assuming Henrik may appreciate some stats, even if minimal like below:

Yesterday's hits:
grep EMAILBL /var/log/maillog.1 | wc -l
1263

Friday's count:
grep 'is spam' /var/log/maillog.1 | wc -l
22397
grep EMAILBL /var/log/maillog.1 | wc -l
1891

grep EMAILBL /var/log/maillog.1 | grep -v 'is spam' | wc -l

?? How is that going to work if you are telling grep to output everything that does NOT contain is spam (-v = select non-matching lines)? Why not simply:

grep -c EMAILBL /var/log/maillog.1

If all you want is the count of how many messages contained a hit from EMAILBL, the above will give you that. Bill
Re: FreeMail plugin updated
Henrik K wrote:

When I run spamassassin --lint no problems are reported. Any thoughts on why this is happening only when updating the sought rules?

It seems sa-update only lints the directory that it downloaded, thus no freemail_domains cf is ever seen. I've now reduced the warning when linting, v1.998 is up.

Thanks Henrik, looks good now! Bill
Re: FreeMail plugin updated
Hi Henrik,

I've revamped fully the old code. Works still the same, but has some new functions. It's also a bit more careful when parsing body (new parser, emails inside are ignored, as well ones inside urls etc), so it might even reduce FPs and add hits, who knows. Domains are now separated from the plugin, so you should download the default list first: http://sa.hege.li/freemail_domains.cf - don't download too often, won't be probably that much updated. Also check out: http://www.rulesemporium.com/rules/90_sare_freemail.cf http://sa.hege.li/FreeMail.pm (see inside for some documentation) http://sa.hege.li/FreeMail.cf (for some examples)

I'm wondering why sa-update has no problem with:

sa-update --channelfile sare-sa-update-channels.txt

However, it complains when I try to update the sought rules:

sa-update --channel sought.rules.yerp.org --gpgkey 6C6191E3 && echo Updated
no freemail_domains entries defined, disabling plugin at /etc/mail/spamassassin/FreeMail.pm line 301.
no freemail_domains entries defined, disabling plugin at /etc/mail/spamassassin/FreeMail.pm line 301.
Updated

When I run spamassassin --lint no problems are reported. Any thoughts on why this is happening only when updating the sought rules? Thanks, Bill
Re: FreeMail plugin updated
Bill Landry wrote:

Hi Henrik,

I've revamped fully the old code. Works still the same, but has some new functions. It's also a bit more careful when parsing body (new parser, emails inside are ignored, as well ones inside urls etc), so it might even reduce FPs and add hits, who knows. Domains are now separated from the plugin, so you should download the default list first: http://sa.hege.li/freemail_domains.cf - don't download too often, won't be probably that much updated. Also check out: http://www.rulesemporium.com/rules/90_sare_freemail.cf http://sa.hege.li/FreeMail.pm (see inside for some documentation) http://sa.hege.li/FreeMail.cf (for some examples)

I'm wondering why sa-update has no problem with:

sa-update --channelfile sare-sa-update-channels.txt

However, it complains when I try to update the sought rules:

sa-update --channel sought.rules.yerp.org --gpgkey 6C6191E3 && echo Updated
no freemail_domains entries defined, disabling plugin at /etc/mail/spamassassin/FreeMail.pm line 301.
no freemail_domains entries defined, disabling plugin at /etc/mail/spamassassin/FreeMail.pm line 301.
Updated

When I run spamassassin --lint no problems are reported. Any thoughts on why this is happening only when updating the sought rules?

Oh, and I forgot to mention that the plugin seems to be working just fine:

grep -c FREEMAIL_ /var/log/maillog
348

Bill
Re: Personal SPF
Ok, this horse is not only dead, but it's been totally pulverized. Can we now please kill this ridiculously drawn-out thread - or maybe it can be taken off-line by those that wish to continue this diatribe? Thanks! Bill
Re: sought.rules.yerp.org site down?
Bill Landry wrote:

I do a sought rules update once per day using sa-update, but today I am seeing:

http: request failed: 500 read timeout: 500 read timeout
channel: could not find working mirror, channel failed

I cannot access the site via web browser either. Just curious if anyone else is seeing this, as well?

Maybe it's just me, but sought.rules.yerp.org is gone:

http: request failed: 500 Can't connect to yerp.org:80 (connect: No route to host): 500 Can't connect to yerp.org:80 (connect: No route to host)
channel: could not find working mirror, channel failed

dig sought.rules.yerp.org finds no A record. Although yerp.org has an A record, the site cannot be accessed via browser, at least not from here... Bill
Re: Why is the advertising for certain berry not caught
Igor Chudov wrote: OK, dumb question, how would I implement greylisting (I have Ubuntu) That depends on what MTA you are using. Most greylisting is performed by milters or, if using Postfix, policy delegation. Check your MTA's web site, they will usually advise you on how to implement greylisting for their MTA. Bill
Re: Pyzor ?
Matus UHLAR - fantomas wrote:

On 22.04.09 13:39, Benny Pedersen wrote:

still running here as server and client

On 24.04.09 15:19, Matus UHLAR - fantomas wrote:

client only here. searching for PYZOR string in SA logs didn't find anything for last two days (gotta re-check). seems I will turn pyzor off too...

no hit for a week, at least on my employer's machines. Got some on this one. Does anyone get HITS from PYZOR?

Yep, got 5 hits from pyzor in the past 10 minutes. Bill
Script Update Name Change Announcement
Hi Folks,

Sorry for the cross-postings, but I wanted to try and reach as many people that use the unofficial-clamav-sigs script as possible. I have been asked by some package and port maintainers to rename the script and tarball to better support their efforts to package the script for redistribution. The name change will facilitate finding the script when using package managers like yum, apt, pkg, etc., to install ClamAV and its supporting and complementary packages. Please be aware that if you decide to use this or any future script update, you will need to update your cron jobs to reference the new script and config file names.

With that said, here's what has changed with this update (from the CHANGELOG):

Version 2.7.2 (update 2009-04-23)

- * ALERT - ALERT - ALERT - ALERT - ALERT - ALERT - ALERT * The script name has been changed. This has been done to facilitate packaging and redistribution of the scripts by various OS package and port maintainers. By renaming the script and tarball from unofficial-clamav-sigs to clamav-unofficial-sigs, the package will show up when using package managers like yum, apt, pkg, etc., to install ClamAV and its supporting and complementary packages. Please be sure to make the necessary changes to your cron jobs to support the new script and config file names.
- Added the new Winnow (winnow_spam_complete.ndb) and SaneSecurity (jurlbl.ndb) database files.
- Added a safety net to all rm commands in the script in order to prevent script config file editing errors that could potentially cause deletion of unintended files and/or directories. Thanks to Mike Cappella for suggesting this.
- Modified the script's getopts section logic to make it more efficient and easier to understand. Thanks to Mike Cappella for his comments and suggestions in this area.

And forgot to include this with the last script update announcement:

- Added missing 'curl_proxy' variable to the SaneSecurity GPG Key download section.

Steve Basford, can you update the link on your Usage page. The updated tarball can be downloaded from: http://www.inetmsg.com/pub/clamav-unofficial-sigs.tar.gz

As usual, let me know if there are any issues, suggestions, or feature requests. Bill

PS, Bcc to various package/port maintainers.
sought.rules.yerp.org site down?
I do a sought rules update once per day using sa-update, but today I am seeing:

http: request failed: 500 read timeout: 500 read timeout
channel: could not find working mirror, channel failed

I cannot access the site via web browser either. Just curious if anyone else is seeing this, as well? Bill
Re: sought.rules.yerp.org site down?
Karsten Bräckelmann wrote:

On Wed, 2009-04-22 at 10:47 -0700, Bill Landry wrote:

I do a sought rules update once per day using sa-update, but today I am seeing:

http: request failed: 500 read timeout: 500 read timeout
channel: could not find working mirror, channel failed

Updated twice already today, scheduled, no problems. Just triggered an update manually, worked too -- that is, it actually updated the rules.

I cannot access the site via web browser either. Just curious if anyone else seeing this, as well?

How often did you try the update? Hmm, weird. The rules *did* update. Yet I actually can't access the server in MIRRORED.BY either.

Maybe they are working on the problem, as I just tried again and am now seeing:

sa-update --channel sought.rules.yerp.org --gpgkey 6C6191E3 && echo Updated && spamassassin --lint && amavisd reload
http: request failed: 500 Can't connect to yerp.org:80 (connect: Connection refused): 500 Can't connect to yerp.org:80 (connect: Connection refused)

Bill
Re: sought.rules.yerp.org site down?
mouss wrote:

Bill Landry wrote:

Karsten Bräckelmann wrote:

On Wed, 2009-04-22 at 10:47 -0700, Bill Landry wrote:

I do a sought rules update once per day using sa-update, but today I am seeing:

http: request failed: 500 read timeout: 500 read timeout
channel: could not find working mirror, channel failed

Updated twice already today, scheduled, no problems. Just triggered an update manually, worked too -- that is, it actually updated the rules.

I cannot access the site via web browser either. Just curious if anyone else seeing this, as well?

How often did you try the update? Hmm, weird. The rules *did* update. Yet I actually can't access the server in MIRRORED.BY either.

Maybe they are working on the problem, as I just tried again and am now seeing:

sa-update --channel sought.rules.yerp.org --gpgkey 6C6191E3 && echo Updated && spamassassin --lint && amavisd reload
http: request failed: 500 Can't connect to yerp.org:80 (connect: Connection refused): 500 Can't connect to yerp.org:80 (connect: Connection refused)

Don't see a problem from here. can you try a telnet test:

$ telnet yerp.org 80
Trying 216.180.243.10...
Connected to yerp.org.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 22 Apr 2009 20:36:32 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 PHP/5.2.4-2ubuntu5.5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
Last-Modified: Fri, 25 Jul 2008 05:20:57 GMT
ETag: 14097-2d-452d256a36040
Accept-Ranges: bytes
Content-Length: 45
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
Connection closed by foreign host.

I would, but it's working fine from here now too. Seems whatever the problem was, it's now fixed. Bill
Re: spam not classified
stefan novak wrote: I've updated the file with the headers: http://pastebin.com/m6e31520c Scored high here:

Content analysis details: (32.9 points, 10.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100% [score: 1.]
 1.2 TO_MALFORMED           To: has a malformed address
 1.0 RELAY_AR               Relayed through Argentina
 0.5 BOTNET_BADDNS          Relay doesn't have full circle DNS [botnet_baddns,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
 0.5 RCVD_IN_UCEPROTECT_3   RBL: Sender listed in UCEPROTECT_3 [190.51.32.122 listed in dnsbl-3.uceprotect.net]
 1.0 RCVD_IN_JMF_BL         RBL: Sender listed in JMF-BLACK [190.51.32.122 listed in hostkarma.junkemailfilter.com]
 1.0 RCVD_IN_UCEPROTECT_2   RBL: Sender listed in UCEPROTECT_2 [190.51.32.122 listed in dnsbl-2.uceprotect.net]
 2.0 RCVD_IN_UCEPROTECT_1   RBL: Sender listed in UCEPROTECT_1 [190.51.32.122 listed in dnsbl-1.uceprotect.net]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL [190.51.32.122 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.5 RCVD_IN_BARRACUDA      RBL: Sender listed in Barracuda Relay Black List [190.51.32.122 listed in b.barracudacentral.org]
 2.5 RCVD_IN_NERDS_AR       RBL: Received from Argentina [190.51.32.122 listed in zz.countries.nerd.dk]
 0.5 BOTNET                 Relay might be a spambot or virusbot [botnet0.8,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,maildomain=alfa.com,baddns,client,ipinhostname]
 0.5 BOTNET_IPINHOSTNAME    Hostname contains its own IP address [botnet_ipinhosntame,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar]
 0.5 BOTNET_CLIENT          Relay has a client-like hostname [botnet_client,ip=190.51.32.122,rdns=190-51-32-122.speedy.com.ar,ipinhostname]
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.0 LONGWORDS_15           BODY: string of 15+ random letters
 1.0 GENERIC_IXHASH         BODY: iXhash found @ generic.ixhash.net
 1.0 NIXSPAM_IXHASH         BODY: iXhash found @ ix.dnsbl.manitu.net
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS
 4.5 KAM_UNIV               Diploma Mill Rule
 2.0 BOTNET_WU              BOTNET_WU
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Might consider adding some of the available plugins and using sa-update to grab Justin's sought rules, if not already doing so. Bill
Re: Slightly OT: identifying IP source locations
John Rudd wrote: I know there used to be a nice convenient set of RBL's based upon countries, such that you could easily track an IP address back to which country it came from. But, IIRC, that RBL went under. 1) Does anyone know of a convenient command line tool (perl library being ideal) that lets you give it an IP address, and it tells you the country and/or continent (and that's it)? 2) similarly, does anyone know of a command line tool where you can give it a country and/or continent, and it will generate concise IP addresses ranges (like A.B.C.D-E.F.G.H) that have been allocated to that country/continent? (and by concise, I mean compacted into as few range statements as possible, to minimize the number of lines) (it's only slightly OT, because I plan to use this for fighting some internal spam problems we've been having; but it wouldn't be part of our spam assassin infrastructure) You might start your search here: http://software77.net/cgi-bin/ip-country/geo-ip.pl Bill
Re: Slightly OT: identifying IP source locations
John Rudd wrote: I know there used to be a nice convenient set of RBL's based upon countries, such that you could easily track an IP address back to which country it came from. But, IIRC, that RBL went under. 1) Does anyone know of a convenient command line tool (perl library being ideal) that lets you give it an IP address, and it tells you the country and/or continent (and that's it)? 2) similarly, does anyone know of a command line tool where you can give it a country and/or continent, and it will generate concise IP addresses ranges (like A.B.C.D-E.F.G.H) that have been allocated to that country/continent? (and by concise, I mean compacted into as few range statements as possible, to minimize the number of lines) (it's only slightly OT, because I plan to use this for fighting some internal spam problems we've been having; but it wouldn't be part of our spam assassin infrastructure) There is also the RelayCountry plugin (requires the IP::Country::Fast perl module). From the SpamAssassin INSTALL file: - IP::Country::Fast (from CPAN) Used by the RelayCountry plugin (not enabled by default) to determine the domain country codes of each relay in the path of an email. You might also consider the URICountry plugin. Bill
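Both of John's questions (address to country, and country to a compact list of ranges) come down to a sorted allocation table and a binary search over it. The following is an added example, not code from the thread, software77 or the RelayCountry plugin; it uses a constructed eight-row table in the column layout of the software77 IpToCountry CSV (integer start, integer end, registry, assigned date, two-letter code, three-letter code, name) with made-up allocations, and the class name IpCountryTable is mine. With the real file loaded in place of SAMPLE_CSV it answers both questions offline, and the merge step is what keeps the output to as few range statements as the allocations allow.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample in the layout of the software77 IpToCountry CSV
# ("start","end","registry","assigned","cc","cc3","country", addresses as integers).
# The allocations below are made up for this example; load the real file in practice.
SAMPLE_CSV = '''\
# IP FROM, IP TO, REGISTRY, ASSIGNED, CTRY, CNTRY, COUNTRY
"16777216","16777471","apnic","1313020800","AU","AUS","Australia"
"16777472","16778239","apnic","1302739200","CN","CHN","China"
"16778240","16779263","apnic","1302739200","AU","AUS","Australia"
"16779264","16781311","apnic","1302739200","CN","CHN","China"
"16781312","16785407","apnic","1302739200","CN","CHN","China"
"16785408","16793599","apnic","1302739200","CN","CHN","China"
"16793600","16809983","apnic","1302739200","JP","JPN","Japan"
"16809984","16842751","apnic","1302739200","TH","THA","Thailand"
'''


class IpCountryTable:
    """Sorted, non-overlapping (start, end, cc) ranges with binary-search lookup."""

    def __init__(self, csv_text):
        self.ranges = []
        for row in csv.reader(io.StringIO(csv_text)):
            if not row or row[0].startswith("#"):
                continue
            self.ranges.append((int(row[0]), int(row[1]), row[4].upper()))
        self.ranges.sort()
        self._starts = [r[0] for r in self.ranges]

    def country_of(self, ip):
        """Question 1: IPv4 address -> two-letter country code, or None if unallocated."""
        n = int(ipaddress.IPv4Address(ip))  # raises ValueError on junk input
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None

    def ranges_for(self, cc):
        """Question 2: country -> minimal list of contiguous A.B.C.D-E.F.G.H ranges.
        Adjacent allocations for the same country are merged; a range belonging to
        another country in between keeps them apart."""
        merged = []
        for start, end, c in self.ranges:
            if c != cc.upper():
                continue
            if merged and merged[-1][1] + 1 == start:
                merged[-1][1] = end
            else:
                merged.append([start, end])
        return ["%s-%s" % (ipaddress.IPv4Address(s), ipaddress.IPv4Address(e))
                for s, e in merged]

    def cidrs_for(self, cc):
        """Same ranges as CIDR blocks, for firewalls or MTA access maps that want prefixes."""
        out = []
        for rng in self.ranges_for(cc):
            first, last = (ipaddress.IPv4Address(x) for x in rng.split("-"))
            out.extend(str(net) for net in ipaddress.summarize_address_range(first, last))
        return out


TABLE = IpCountryTable(SAMPLE_CSV)

if __name__ == "__main__":
    print(TABLE.country_of("1.0.9.7"))
    print(TABLE.ranges_for("CN"))
    print(TABLE.cidrs_for("CN"))
```

On the constructed table, CN collapses from four allocations to two range statements, because 1.0.8.0 through 1.0.63.255 are contiguous while the AU block at 1.0.4.0 splits them from 1.0.1.0-1.0.3.255. Note that geolocation by allocation table tells you which registry assigned the block, not where the host physically sits, so treat the result as one more scoring signal rather than a hard block.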
Re: SA + maildrop
alexus wrote: I have maildrop installed on my system and I was thinking to enable a global rule among of all my maildrop users where all emails that have score 5.0 and higher would move into junk e-mail folder, and rest should go to INBOX as it was in the past can someone help me out with this? Depending on how your MTA is configured, you could use something like this in your maildroprc file:

USER=$1
DOMAIN=$2
VMAIL=/var/spool/vmail
VDOMAIN=$VMAIL/$DOMAIN
DEFAULT=$VDOMAIN/$USER

# Deliver Spam to spam folder (create spam folder or maildir if it does not exist)
if ( /^X-Spam-Flag: YES/:hD )
{
    # First try the Spam folder directly; if it does not exist "to" throws
    # and control falls through to the next exception block.
    exception {
        to $DEFAULT/.Spam/
    }
    exception {
        `test -d $DEFAULT`
        if ( $RETURNCODE == 0 )
        {
            # Maildir exists, only the Spam subfolder is missing
            `$MAILDIRMAKE -f Spam $DEFAULT`
            `echo Spam >> $DEFAULT/subscriptions`
            to $DEFAULT/.Spam/
        }
        else
        {
            # Brand new mailbox: create the maildir, then the Spam subfolder
            `$MAILDIRMAKE $DEFAULT`
            `$MAILDIRMAKE -f Spam $DEFAULT`
            `echo Spam >> $DEFAULT/subscriptions`
            to $DEFAULT/.Spam/
        }
    }
}

Watch for wrapping. You will also need to adjust the folder paths to meet your own needs. Bill
Re: spamassassin: attempt to process a single message fails at PerMsgStatus.pm line 164.
Dennis German wrote: Attempting to see how spamassassin would score a message I tried spamassassin lottery.msg

[32179] warn: config: could not find site rules directory
check: no loaded plugin implements 'check_main': cannot scan! at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 164.

message can be found at http://real-world-systems.com/mail/lottery.msg Don't forget to add the -t flag if you want to see how SA will score a message. I tested the message and got:

Content analysis details: (35.1 points, 10.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 SB_NSP_VOLUME_SPIKE    SenderBase: Sender IP hosted at NSP has a volume spike
 3.5 RCVD_IN_NERDS_BR       RBL: Received from Brazil [189.20.215.138 listed in zz.countries.nerd.dk]
 1.0 RCVD_IN_JMF_BL         RBL: Sender listed in JMF-BLACK [189.20.215.138 listed in hostkarma.junkemailfilter.com]
 2.0 RCVD_IN_UCEPROTECT_1   RBL: Sender listed in UCEPROTECT_1 [189.20.215.138 listed in dnsbl-1.uceprotect.net]
 1.5 RCVD_IN_BARRACUDA      RBL: Sender listed in Barracuda Relay Black List [189.20.215.138 listed in b.barracudacentral.org]
 0.5 RCVD_IN_LASHBACK       RBL: Sender listed in LashBack Unsubscribe Blacklist [189.20.215.138 listed in ubl.unsubscore.com]
 3.5 HK_LOTTO               BODY: Lottery or games mentioned
 1.0 RELAY_BR               Relayed through Brazil
 0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
-0.5 BOTNET_SERVERWORDS     Hostname contains server-like substrings [botnet_serverwords,ip=189.20.215.138,rdns=mail.usinavale.com.br]
 1.3 MISSING_HEADERS        Missing To: header
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60% [score: 0.5101]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.0 KARMA_CONNECT_NEGATIVE KARMA_CONNECT_NEGATIVE
 1.0 KAM_LOTTO2             Highly Likely to be a e-Lotto Scam Email
 1.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 7.0 L_YOU_WON              L_YOU_WON
 1.0 HK_MUCHMONEY           Message refers to hundreds of thousands or millions
 4.0 HK_PRIZEWIN            You won lot of money or prizes
 0.5 KAM_LOTTO1             Likely to be a e-Lotto Scam Email
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Bill
Re: cpan question
Gene Heskett wrote: Using cpan, trying to install Net::Ident (the other bits except razor were nominal from the same source) Checking for Apache.pm... not found Writing Makefile for Net::Ident cp Ident.pm blib/lib/Net/Ident.pm Manifying blib/man3/Net::Ident.3pm JPC/Net-Ident-1.20.tar.gz /usr/bin/make -- OK Warning (usually harmless): 'YAML' not installed, will not store persistent state Running make test PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e test_harness(0, 'blib/lib', 'blib/arch') t/*.t t/0use.t Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29. t/0use.t ok t/apache.t .. Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29. t/apache.t .. skipped: (no reason given) t/compat.t .. Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29. t/compat.t .. skipped: (no reason given) t/Ident.t ... Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29. t/Ident.t ... Failed 3/8 subtests Test Summary Report --- t/Ident.t (Wstat: 0 Tests: 8 Failed: 3) Failed tests: 1-3 Files=4, Tests=9, 112 wallclock secs ( 0.04 usr 0.01 sys + 1.61 cusr 0.42 csys = 2.08 CPU) Result: FAIL Failed 1/4 test programs. 3/9 subtests failed. make: *** [test_dynamic] Error 255 JPC/Net-Ident-1.20.tar.gz /usr/bin/make test -- NOT OK //hint// to see the cpan-testers results for installing this module, try: reports JPC/Net-Ident-1.20.tar.gz Warning (usually harmless): 'YAML' not installed, will not store persistent state Running make install make test had returned bad status, won't install without force Failed during this command: JPC/Net-Ident-1.20.tar.gz: make_test NO This YAML does not appear to be available via yum if that's important Suggestions please? 
Many thanks too, I forgot to add that to the other message I sent a few minutes ago. My apologies. Try cpan install YAML (yes, in all caps). Bill
Re: New version of iXhash plugin - update recommended
Dirk Bonengel wrote: Hello all, just to make it official: the iXhash plugin has now reached version 1.5.5. Recent changes are: - Adam Stephens noted that hash#3 would be checked even though it had not been computed in the first place. In other words: Hash #2 would be checked against twice. This should be corrected, saves a DNS query. - Above problems stem from a mis-fix of some problems discovered by Bernd Holzinger and Larry Nedry, especially with hashing routine #3 not returning a return value. - Most importantly, version 1.5.3 fixed a problem some users here recently reported with SpamAssassin/iXhash eating up CPU. Bernd Holzinger (regex Part 1) and Jan Schmidt proposed a modified regular expression that prevents Perl from sometimes excessive backtracking... All users of iXhash should update to the new version - and thanks a lot to the guys above for problem reports and fixes. Dirk Hey Dirk, Just wanted to say that the new iXhash plugin seems to have taken care of the hang problem I was seeing with the last couple of versions I tried. Thanks for making it available! Bill
Re: sa-update damages existing SA installation
Rosenbaum, Larry M. wrote: From: Daryl C. W. O'Shea [mailto:spamassas...@dostech.ca] Sent: Saturday, December 20, 2008 2:48 AM On 19/12/2008 5:40 AM, Marcin Krol wrote: Daryl C. W. O'Shea wrote: do it all at once. See my SARE sa-update page for details: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Are SARE rules still being updated a bit at least / are they still working? The only one really being updated is 90_2tld.cf: What do I need to put in my sa-update channel file to get updates for 90_2tld.cf? (I can't get to the howto web page above.) Add: 90_2tld.cf.sare.sa-update.dostech.net Bill
Re: sought rules updates
LuKreme wrote: On 9-Dec-2008, at 08:15, Karsten Bräckelmann wrote: On Tue, 2008-12-09 at 08:51 +, Nigel Frankcom wrote: I haven't seen an update from sa-update in months. What version is current? Nigel, Chris wasn't talking about the stock rule-set, but the third-party JM_SOUGHT rules. The latter usually are updated multiple times a day, while the stock rules are updated very infrequently only, when needed. How does one use sa-update to find/get new 3rd party rules? As I recall, rules-du-jour was EOLed. Or do you have to get them first, then sa-update will update them? I'm thinking the old rules like random.cf tripwire.cf 70_sc_top200.cf Botnet.pm 70_sare_uri_eng.cf etc should all be removed? Both the official SA rules and 3rd party rules can be updated via sa-update. For information and instructions, see: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Bill
Re: Bug in iXhash plugin - fixed version available
Giampaolo Tomassoni wrote: -Original Message- From: Marc Perkel [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2008 12:04 AM it's WORKING Well, it hangs my SA 3.2.4 setup on waiting for a reply from ctyme.ixhash.net . The strange thing is that it consumes a lot of CPU while hanging... Some problem in the ctyme.ixhash.net side? Anybody is experiencing the same? Giampaolo Same here. I noticed that some messages would hang for up to 10 minutes on ctyme. However, when scanning the same message with the older plugin, there would be no delays. Bill
Re: Bug in iXhash plugin - fixed version available
Marc Perkel wrote: Bill Landry wrote: Giampaolo Tomassoni wrote: -Original Message- From: Marc Perkel [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2008 12:04 AM it's WORKING Well, it hangs my SA 3.2.4 setup on waiting for a reply from ctyme.ixhash.net . The strange thing is that it consumes a lot of CPU while hanging... Some problem in the ctyme.ixhash.net side? Anybody is experiencing the same? Giampaolo Same here. I noticed that some messages would hang for up to 10 minutes on ctyme. However, when scanning the same message with the older plugin, there would be no delays. Bill I'm not sure how Dirk has the servers set up for the ctyme feed but if you substitute ixhash.junkemailfilter.com you'll get the same data just 1 minute older and I have 5 servers publishing it.

body CTYME_IXHASH eval:ixhashtest('ixhash.junkemailfilter.com')

I just tried that and still got the same hang-time. And this time I saw the same hang-time on all of the other iXhash tests, as well. So I don't think it has anything to do with your data or your site, I think there is still something awry with the plugin itself. Bill
Re: New version of iXhash plugin available
Rose, Bobby wrote: Has anyone who switched to 1.5 of iXHash received any hits? I haven't seen any since switching. One thing that I've noticed is if I pass the same message thru SA using the old iXhash, the hash is computed via Method 1 and 2, if I use 1.5 of iXhash, it's only computed using method 2 On one box I have SA with 1.5 and another I have SA and 1.01 and the box with 1.01 version has tripped about 5 messages since switching it back. I found the same to be true here (the new version of iXhash detects nothing) and have reverted back to the previous version. Bill
Re: Single URI spam not checked against URIBLs
Bill Landry wrote: mouss wrote: Bill Landry wrote: I've posted a short pharma spam message to: http://www.inetmsg.com/spam.txt and debug output to: http://www.inetmsg.com/sa-debug.txt It displays a single URI linked line in an e-mail client that only displays: Please visit our shop. There seems to be something about the URI in the message that allows it to bypass all URIBL testing by SpamAssassin. The domain is listed in the following URIBLs: URIBL_JP_SURBL URIBL_OB_SURBL dig canadiansitetable.com.multi.surbl.org +short 127.0.0.80 and URIBL_BLACK dig canadiansitetable.com.multi.uribl.com +short 127.0.0.2 Yet there were no URIBL hits. The message scored high and was tagged as spam, but I'm just curious as to what it is about this message that allowed it to bypass all SA URIBL tests? I'm running spamassassin -V SpamAssassin version 3.2.5 running on Perl version 5.8.8 And in case you're wondering, I'm not using the shortcircuit plugin. looks like a bug. it looks like in ' http://uri' the uri isn't detected (aka quoted-string). In the message, the URI is inside quotes (the one in You'll and the one in don't). if you remove one of the quotes or if you break the line so that they aren't in the same line, the URI is detected. Thanks, I've opened up a bug report: Bug 6017. Bill This issue has been resolved. Thanks to Justin Mason and Gisle Aas (HTML::Parser guy) for finding the fix. The resolution is to update HTML::Parser to the latest version and then restart SA. Regards, Bill
Major spam source, McColo, knocked offline
Found this posted on another list, thought others here might find this of interest, as well. Major Source of Online Scams and Spams Knocked Offline: http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html SpamCop.net - Total spam report volume: http://www.spamcop.net/spamgraph.shtml?spamweek Bill
Single URI spam not checked against URIBLs
I've posted a short pharma spam message to: http://www.inetmsg.com/spam.txt and debug output to: http://www.inetmsg.com/sa-debug.txt It displays a single URI linked line in an e-mail client that only displays: Please visit our shop. There seems to be something about the URI in the message that allows it to bypass all URIBL testing by SpamAssassin. The domain is listed in the following URIBLs: URIBL_JP_SURBL URIBL_OB_SURBL dig canadiansitetable.com.multi.surbl.org +short 127.0.0.80 and URIBL_BLACK dig canadiansitetable.com.multi.uribl.com +short 127.0.0.2 Yet there were no URIBL hits. The message scored high and was tagged as spam, but I'm just curious as to what it is about this message that allowed it to bypass all SA URIBL tests? I'm running spamassassin -V SpamAssassin version 3.2.5 running on Perl version 5.8.8 And in case you're wondering, I'm not using the shortcircuit plugin. Bill
Re: Single URI spam not checked against URIBLs
mouss wrote: Bill Landry wrote: I've posted a short pharma spam message to: http://www.inetmsg.com/spam.txt and debug output to: http://www.inetmsg.com/sa-debug.txt It displays a single URI linked line in an e-mail client that only displays: Please visit our shop. There seems to be something about the URI in the message that allows it to bypass all URIBL testing by SpamAssassin. The domain is listed in the following URIBLs: URIBL_JP_SURBL URIBL_OB_SURBL dig canadiansitetable.com.multi.surbl.org +short 127.0.0.80 and URIBL_BLACK dig canadiansitetable.com.multi.uribl.com +short 127.0.0.2 Yet there were no URIBL hits. The message scored high and was tagged as spam, but I'm just curious as to what it is about this message that allowed it to bypass all SA URIBL tests? I'm running spamassassin -V SpamAssassin version 3.2.5 running on Perl version 5.8.8 And in case you're wondering, I'm not using the shortcircuit plugin. looks like a bug. it looks like in ' http://uri' the uri isn't detected (aka quoted-string). In the message, the URI is inside quotes (the one in You'll and the one in don't). if you remove one of the quotes or if you break the line so that they aren't in the same line, the URI is detected. Thanks, I've opened up a bug report: Bug 6017. Bill
Re: Phishing rules?
Micah Anderson wrote: I keep getting hit by phishing attacks, and they aren't being stopped by anything I've thrown up in front of them: postfix is doing: reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client list.dsbl.org, I've got clamav pulling signatures updated once a day from sanesecurity (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx, securesiteinfo) and Malware Black List, MSRBL (images, spam). I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand pulls in the 25_uribl.cf automatically, right? Or do I need to configure that? if its automatic, that pulls in SURBL phishing). I've got Botnet setup, PDFinfo and postcards, i'm using DCC and a bayesdb, i've got the hashcash, and SPF plugins loaded, imageinfo, pretty much everything I can think of, but for some reason phishing attempts keep getting through. Sadly, I do not have an example I can share at the moment, as I typically delete them in a rage after training my bayes filter on them. However, I am looking for any suggestions of other things I can turn on... in particular, are there rules that people have created that look for certain keywords where the body is asking for your account/password information? Thanks for any ideas, micah Consider submitting them to SaneSecurity (www.sanesecurity.com) so that the signatures can be added to their phishing signature database. Bill
Re: is Pyzor worth it?
Here are some stats for this past weekend comparing Pyzor to other hash tests: 36 CTYME_IXHASH 38 HOSTEUROPE_IXHASH 92 GENERIC_IXHASH 129 NIXSPAM_IXHASH 218 RAZOR2_CF_RANGE_E4_51_100 256 PYZOR_CHECK 388 RAZOR2_CF_RANGE_E8_51_100 411 RAZOR2_CF_RANGE_51_100 418 RAZOR2_CHECK 426 DCC_CHECK The only downside to Pyzor is that it requires python rather than perl. Otherwise, it certainly helps here. Bill William Taylor wrote: Is Pyzor worth running these days? Is it still effective? Can anyone using it comment on it? Thanks, William
Re: is Pyzor worth it?
Forgot to include Karmasphere: 160 KARMA_CONTENT_NEGATIVE 210 KARMA_CONNECT_NEGATIVE Bill Bill Landry wrote: Here are some stats for this past weekend comparing Pyzor to other hash tests: 36 CTYME_IXHASH 38 HOSTEUROPE_IXHASH 92 GENERIC_IXHASH 129 NIXSPAM_IXHASH 218 RAZOR2_CF_RANGE_E4_51_100 256 PYZOR_CHECK 388 RAZOR2_CF_RANGE_E8_51_100 411 RAZOR2_CF_RANGE_51_100 418 RAZOR2_CHECK 426 DCC_CHECK The only downside to Pyzor is that it requires python rather than perl. Otherwise, it certainly helps here. Bill William Taylor wrote: Is Pyzor worth running these days? Is it still effective? Can anyone using it comment on it? Thanks, William
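Bill's numbers are raw hit counts per rule; the more useful question for "is Pyzor worth it" is how often Pyzor is the only hash service that fired, since that is what you lose by turning it off. The script below is an added example and not part of the thread; it parses the "result:" lines spamd writes to syslog (flag, integer score, comma-separated rule names, then scantime=...), which is how SpamAssassin 3.2's spamd logged at the time (assumption: check the format against your own logs, and amavisd logs rules differently). The log excerpt is constructed for the example, and the family grouping by rule-name prefix (DCC_, PYZOR_, RAZOR2_, *_IXHASH) is my choice.

```python
import re
from collections import Counter

# Constructed spamd syslog excerpt (not real traffic). Each scan produces a "result:" line:
# flag (Y = spam, . = ham), integer score, then the comma-separated rule names.
SAMPLE_LOG = """\
Oct 13 02:11:09 mx1 spamd[4123]: spamd: identified spam (18.4/5.0) for filter:500 in 3.2 seconds, 2431 bytes.
Oct 13 02:11:09 mx1 spamd[4123]: spamd: result: Y 18 - BAYES_99,DCC_CHECK,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_BLACK scantime=3.2,size=2431,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51234,mid=<a@x.example>,autolearn=spam
Oct 13 02:12:40 mx1 spamd[4124]: spamd: clean message (-1.2/5.0) for filter:500 in 0.9 seconds, 1200 bytes.
Oct 13 02:12:40 mx1 spamd[4124]: spamd: result: . -1 - BAYES_00,HTML_MESSAGE scantime=0.9,size=1200,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51240,mid=<b@y.example>,autolearn=ham
Oct 13 02:13:02 mx1 spamd[4123]: spamd: result: Y 22 - BAYES_99,DCC_CHECK,NIXSPAM_IXHASH,PYZOR_CHECK,RAZOR2_CHECK scantime=2.8,size=3000,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51250,mid=<c@z.example>,autolearn=spam
Oct 13 02:14:15 mx1 spamd[4125]: spamd: result: Y 9 - DCC_CHECK,GENERIC_IXHASH,RAZOR2_CHECK,SAGREY scantime=1.5,size=900,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51260,mid=<d@w.example>,autolearn=no
Oct 13 02:15:30 mx1 spamd[4124]: spamd: result: Y 7 - BAYES_99,PYZOR_CHECK,RDNS_DYNAMIC scantime=1.1,size=700,user=filter,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51270,mid=<e@v.example>,autolearn=no
"""

RESULT_RE = re.compile(r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<tests>\S+) scantime=")


def hash_family(rule):
    """Group the hash/digest rules by the service that produced them; None for everything else."""
    if rule.endswith("_IXHASH"):
        return "IXHASH"
    for prefix in ("DCC_", "PYZOR_", "RAZOR2_"):
        if rule.startswith(prefix):
            return prefix.rstrip("_")
    return None


def scans(log_text):
    """Yield (is_spam, set_of_rules) per scanned message; 'none' is logged when nothing hit."""
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue
        tests = m.group("tests")
        rules = set() if tests == "none" else set(tests.split(","))
        yield m.group("flag") == "Y", rules


def rule_hits(log_text, hash_only=True, spam_only=True):
    """Per-rule hit counts, ascending, in the shape of the list in the post above."""
    counts = Counter()
    for is_spam, rules in scans(log_text):
        if spam_only and not is_spam:
            continue
        for r in rules:
            if not hash_only or hash_family(r):
                counts[r] += 1
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def exclusive_hits(log_text):
    """Spam messages on which exactly one hash family fired: the catches that family alone provided."""
    counts = Counter()
    for is_spam, rules in scans(log_text):
        if not is_spam:
            continue
        families = {hash_family(r) for r in rules} - {None}
        if len(families) == 1:
            counts[families.pop()] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, n in rule_hits(SAMPLE_LOG):
        print("%6d %s" % (n, rule))
    print(exclusive_hits(SAMPLE_LOG))
```

On the constructed excerpt DCC, Pyzor and Razor2 all hit three spam messages, but only Pyzor catches one on its own; run it over a week of real logs to see whether that column is empty before dropping the extra Python dependency.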
Re: ixhash - failed to run CYTME_IXHASH test, skipping
Chris wrote: I've changed the ixhash.cf per Dirk's instructions, the whole error is:

[15617] warn: rules: failed to run CYTME_IXHASH test, skipping:
[15617] warn: (Can't locate object method check_ixhash via package Mail::SpamAssassin::PerMsgStatus at (eval 1500) line 1450.
[15617] warn: )

Realize it's a warning

[15617] warn: rules: failed to run HOSTEUROPE_IXHASH test, skipping:
[15617] warn: (Can't locate object method check_ixhash via package Mail::SpamAssassin::PerMsgStatus at (eval 1500) line 3524.
[15617] warn: )
[15617] warn: rules: failed to run GENERIC_IXHASH test, skipping:
[15617] warn: (Can't locate object method check_ixhash via package Mail::SpamAssassin::PerMsgStatus at (eval 1500) line 3546.
[15617] warn: )
[15617] warn: rules: failed to run NIXSPAM_IXHASH test, skipping:
[15617] warn: (Can't locate object method check_ixhash via package Mail::SpamAssassin::PerMsgStatus at (eval 1500) line 3595.
[15617] warn: )
[

My ixhash.cf located in /etc/mail/spamassassin is:

body     GENERIC_IXHASH     eval:check_ixhash('generic.ixhash.net')
describe GENERIC_IXHASH     iXhash found @ generic.ixhash.net
tflags   GENERIC_IXHASH     net
score    GENERIC_IXHASH     4.5

body     NIXSPAM_IXHASH     eval:check_ixhash('ix.dnsbl.manitu.net')
describe NIXSPAM_IXHASH     iXhash found @ ix.dnsbl.manitu.net
tflags   NIXSPAM_IXHASH     net
score    NIXSPAM_IXHASH     2.5

body     CYTME_IXHASH       eval:check_ixhash('cytme.ixhash.net')
describe CYTME_IXHASH       iXhash found @ ctyme.ixhash.net
tflags   CYTME_IXHASH       net
score    CYTME_IXHASH       2.5

body     HOSTEUROPE_IXHASH  eval:check_ixhash('hosteurope.ixhash.net')
describe HOSTEUROPE_IXHASH  iXhash found @ hosteurope.ixhash.net
tflags   HOSTEUROPE_IXHASH  net
score    HOSTEUROPE_IXHASH  2.5

Chris, there were a few errors in the sample config (eval:check vs. ixhashtest, cytme vs. ctyme). Use this instead:

body     GENERIC_IXHASH     eval:ixhashtest('generic.ixhash.net')
describe GENERIC_IXHASH     iXhash found @ generic.ixhash.net
tflags   GENERIC_IXHASH     net
score    GENERIC_IXHASH     1.0

body     NIXSPAM_IXHASH     eval:ixhashtest('ix.dnsbl.manitu.net')
describe NIXSPAM_IXHASH     iXhash found @ ix.dnsbl.manitu.net
tflags   NIXSPAM_IXHASH     net
score    NIXSPAM_IXHASH     1.0

body     CTYME_IXHASH       eval:ixhashtest('ctyme.ixhash.net')
describe CTYME_IXHASH       iXhash found @ ctyme.ixhash.net
tflags   CTYME_IXHASH       net
score    CTYME_IXHASH       1.0

body     HOSTEUROPE_IXHASH  eval:ixhashtest('hosteurope.ixhash.net')
describe HOSTEUROPE_IXHASH  iXhash found @ hosteurope.ixhash.net
tflags   HOSTEUROPE_IXHASH  net
score    HOSTEUROPE_IXHASH  1.0

Bill
Re: Perl problem (Scalar::Util)
Steven Stern wrote: I'm getting the following error from various perl programs: $sa-update Use of uninitialized value in concatenation (.) or string at /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/Scalar/Util.pm line 30. OK... maybe we need an update: [EMAIL PROTECTED] ~]# perl -MCPAN -e shell cpan install Scalar::Util CPAN: Storable loaded ok Going to read /root/.cpan/Metadata Database was generated on Fri, 29 Feb 2008 15:31:08 GMT Scalar::Util is up to date. Anyone have a solution? For some reason yum perl updates on Fedora 8 cause this to happen for me. Even though CPAN reports that you have the latest version of Scalar::Util, you will still need to download, compile, and install Scalar-List-Utils-1.19.tar.gz. This should resolve the issue for you, at least it has worked for me the last few perl updates. GL, Bill
Re: Top spam hosters, how to decline email mentioning them
Nigel Frankcom wrote the following on 10/21/2007 11:22 PM -0800: On Sat, 20 Oct 2007 23:27:41 -0500, Igor Chudov [EMAIL PROTECTED] wrote: I was looking at this article http://en.wikipedia.org/wiki/E-mail_spam It claims that only five countries are hosting 99.68% of the global spammer websites, of which the foremost is China, hosting 73.58% of all web sites referenced within spam.[30] I already refuse all email coming from China (and Korea). Never regretted this. Now, I also want to ignore all emails mentioning all China and Korea hosted websites (not just .cn, but also .coms and so on that have Chinese IPs). I will have to not do so with Russia hosted sites, due to me being a Russian by origin. Is there some tool that I could use to accomplish that? Perhaps it's a translation thing; but I was under the impression he wanted to drop these early, not run them through the entire mail/sa process first? (In defence of my MTA comments :-D) Nigel I don't know how one could determine the IP address associated with a URL in the body of a message at the MTA level without accepting the message first for further processing. The best you could do at the MTA level is block URLs that have a certain extension like .cn, but that's not what the OP was asking for, and explicitly stated as much. Bill
Re: Top spam hosters, how to decline email mentioning them
JP Kelly wrote the following on 10/21/2007 11:41 AM -0800: this looks interesting to me as well. I am a little confused about how to use/install it. On the page you provided a link to it says under USAGE to add the following to your local.cf file:

loadplugin Mail::SpamAssassin::Plugin::URICountry

uricountry URICOUNTRY_XX XX
header     URICOUNTRY_XX eval:check_uricountry('URICOUNTRY_XX')
describe   URICOUNTRY_XX Contains a URI hosted in XX
tflags     URICOUNTRY_XX net
score      URICOUNTRY_XX 2.0

Where XX is replaced with the 2 character country code of your choice. (e.g. CN, KR, RO, RU, IN etc.) that makes sense to me but after that it says THE CODE followed by a bunch of code. I am unclear on what needs to be done with this code. any light shed on this will be greatly appreciated. THE CODE will go into a file named URICountry.pm and placed in the same directory as your local.cf file (usually /etc/mail/spamassassin/). As for the rules, I prefer to create a separate .cf file for them rather than place them in local.cf (e.g., URICountry.cf), but that is simply a matter of personal preference - I just like to keep my local.cf clean of any rules and only use it for configuration settings. I disagree with placing the loadplugin line in the cf file.
The proper place for this entry is in init.pre so that it gets loaded before any rulesets, and can be referenced as:

loadplugin Mail::SpamAssassin::Plugin::URICountry /etc/mail/spamassassin/URICountry.pm

Also, at the top of your ruleset you should add:

ifplugin Mail::SpamAssassin::Plugin::URICountry

and at the end:

endif

For example:

==
ifplugin Mail::SpamAssassin::Plugin::URICountry

uricountry URICOUNTRY_CN CN
header     URICOUNTRY_CN eval:check_uricountry('URICOUNTRY_CN')
describe   URICOUNTRY_CN Contains a URI hosted in China
tflags     URICOUNTRY_CN net
score      URICOUNTRY_CN 2.5

uricountry URICOUNTRY_HK HK
header     URICOUNTRY_HK eval:check_uricountry('URICOUNTRY_HK')
describe   URICOUNTRY_HK Contains a URI hosted in Hong Kong
tflags     URICOUNTRY_HK net
score      URICOUNTRY_HK 2.5

uricountry URICOUNTRY_IN IN
header     URICOUNTRY_IN eval:check_uricountry('URICOUNTRY_IN')
describe   URICOUNTRY_IN Contains a URI hosted in India
tflags     URICOUNTRY_IN net
score      URICOUNTRY_IN 2.5

endif
==

This will allow you to comment out the URICountry loadplugin line in your init.pre file if you should want to disable the URICountry test without having to remove the URICountry.cf file (it will not load the ruleset unless the plugin has been pre-loaded). Bill
Re: Top spam hosters, how to decline email mentioning them
Igor Chudov wrote the following on 10/20/2007 9:27 PM -0800: I was looking at this article http://en.wikipedia.org/wiki/E-mail_spam It claims that only five countries are hosting 99.68% of the global spammer websites, of which the foremost is China, hosting 73.58% of all web sites referenced within spam.[30] I already refuse all email coming from China (and Korea). Never regretted this. Now, I also want to ignore all emails mentioning all China and Korea hosted websites (not just .cn, but also .coms and so on that have Chinese IPs). I will have to not do so with Russia hosted sites, due to me being a Russian by origin. Is there some tool that I could use to accomplish that? Take a look at the URICountry plugin: http://wiki.apache.org/spamassassin/URICountryPlugin That should do what you want. Bill
Re: Check $HOME for an ever growing razor-agent.log
[EMAIL PROTECTED] wrote the following on 10/18/2007 11:01 PM -0800: Check your $HOME for an ever growing ~/razor-agent.log apparently brought in by sa-update two days ago, which will one day fill your disk, according to a web search. How to tell it that just like the other 99% of spamassassin, logging should be off by default? Docs not clear. Or must one rm razor-agent.log ln -s /dev/null razor-agent.log ? I'm not sure how an sa-update could have anything to do with razor logging, since it is controlled via the debuglevel setting in your razor-agent.conf file. See man razor-agent.conf for info. Bill
Re: LashBack URL / BL?
Kris Deugau wrote: Mikael Syska wrote: I'm not sure about all the diff black list options ... but I guess it would be rather easy to test it . header RCVD_IN_LASHBACK eval:check_rbl('LASHBACK','ubl.unsubscore.com') describe RCVD_IN_LASHBACK lashback tflags RCVD_IN_LASHBACK net score RCVD_IN_LASHBACK 0.0 Would this be the right text to add to local.cf ... then in a few days I can give some feedback You'd want a small, non-zero score (0.001 is usually good for this type of testing) otherwise the test is disabled. g -kgd Also, I don't know if it's required or not, but all examples I've seen of eval:check_rbl tests, the query host name is terminated with a .: header RCVD_IN_LASHBACK eval:check_rbl('LASHBACK','ubl.unsubscore.com.') Bill
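The two lookups discussed on this page differ only in how the query name is built: an IP-based list such as ubl.unsubscore.com takes the address with its octets reversed, a URI list such as multi.surbl.org takes the registered domain, and either way the answer is a 127.0.0.X address whose low bits say which sub-list matched (the 127.0.0.80 from the earlier URIBL thread is JP plus OB, exactly the two SURBL rules that should have fired). The following is an added example, not code from SpamAssassin or either thread: it builds both query names, honours the trailing-dot convention Bill mentions above, and decodes the bitmask. The SURBL bit values are those SpamAssassin 3.2's 25_uribl.cf used at the time (assumption: confirm against current SURBL documentation), the URIBL GREY and RED bits and the short two-level-TLD set are constructed stand-ins, and no DNS traffic is sent.

```python
import ipaddress

# Return-code bits of multi.surbl.org as SpamAssassin 3.2's 25_uribl.cf mapped them at the
# time of this thread (SC=2, WS=4, PH=8, OB=16, AB=32, JP=64). Assumption: confirm against
# the current SURBL documentation, since lists have been added and retired since.
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}
# multi.uribl.com: 127.0.0.2 is BLACK (the answer shown in the thread); GREY and RED are assumptions.
URIBL_BITS = {2: "BLACK", 4: "GREY", 8: "RED"}

# Constructed stand-in for SpamAssassin's 2tld list: second-level registries under which the
# registered domain is three labels long.
TWO_LEVEL_TLDS = frozenset({"co.uk", "com.br", "com.au", "co.jp"})


def ip_query_name(ip, zone):
    """Query name for an IP-based DNSBL: octets reversed, zone made absolute with a trailing
    dot so the resolver never appends a search domain to it."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on junk input
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def domain_query_name(domain, zone):
    """Query name for a URIBL/SURBL: the registered domain (not the full host) plus the zone."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        base = labels[-3:]
    else:
        base = labels[-2:]
    return ".".join(base) + "." + zone.strip(".") + "."


def decode_answer(answer, bits):
    """Translate a 127.0.0.X A-record answer into the sub-lists whose bits are set.
    A non-127/8 answer means the zone is not answering as a DNSBL (expired or wildcarded
    domain), which would otherwise make every query look like a hit."""
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError("not a DNSBL answer: %s" % answer)
    last = int(addr) & 0xFF
    return sorted(name for bit, name in bits.items() if last & bit)


if __name__ == "__main__":
    print(ip_query_name("190.51.32.122", "ubl.unsubscore.com."))
    print(domain_query_name("www.canadiansitetable.com", "multi.surbl.org"))
    print(decode_answer("127.0.0.80", SURBL_BITS))
```

The non-127/8 check is the one to keep when wiring any new list into local.cf: a DNSBL whose domain lapses and gets parked answers every query with the parking host's address, and a rule scored on "any answer" would then tag all mail.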
Re: [sa-list] Re: Auto-RBL was: Why did this not hit more? (SPF, DKIM, Ironport,
Dan Mahoney, System Admin wrote:
> On Mon, 8 Oct 2007, Rob McEwen wrote:
>> Therefore, I recommend that you re-think your choices here! Don't let your quest for guaranteed long-term perfection keep you from making **substantial** progress today!
>
> Rob,
>
> Then help rally the SA team to include those RBLs that you mentioned in the stock config. Also, rally them to update the documentation on the wiki on how to configure SA for third-party DNSBLs, because it blows (and refers to years-old versions of SA). Yes, I know the point of a wiki is that ANYONE can update it, but I'm not about to update it with information I don't understand for certain.
>
> ((Q: This documentation doesn't seem to cover how to configure dns-blocklists. It says Support for these is built-in but I can't believe that all free BLs are called each time a mail is being checked. There must be a way to configure which to use.
>
> A: You're right. You might look at the [WWW] Mail::SpamAssassin::Conf documentation page which I admit doesn't really say how to configure which DNSBL to use, or the rules file [WWW] 20_dnsbl_tests.cf, for internal details, but no clear examples of how to configure the inclusion of various DNSBLs either. For the latest list of DNSBLs you want to be using SpamAssassin version 2.63 or 3.0.0-pre2, for the same reason that you wouldn't use an out-of-date virus scanner, but that also doesn't really have anything to do with the question.))
>
> Finally, rally them to pay attention to the topic I'm proposing here, which is: allow users to run their own RBL + feeder so that they can auto-rbl and floodgate themselves (and yes, it allows me to combine your corpus, plus my corpus, plus HIS corpus) in a scoring config, which is FUN... or it lets you say, quite simply, SA said you sent too much spam, now sendmail won't listen for X hours per spam run.
>
> <soapbox>
> While I've had a long history of getting decent responses from the developers on this list some of the time -- nobody has managed to answer the questions I've asked in the previous thread:
> * can we do something with the ironport headers
> * can we do something with the SPF softfail which my MTA registered but SA didn't (and why didn't it?)
> * can we do something with the X-Originating-IP: 127:1 (is it a legit header, or is it there to evade filters?)
> * can we fix something about the DKIM_POLICY_SIGNSOME,
> * and after I changed the topic: Can we get a plugin that lets us feed our own blocklists, currently I get dictionary floods that are enough to overload SA (even right now).

Why would you be accepting messages to non-existent users? If you reject these at the MTA, then SA would never see them and your MTA would not have to deal with bounces to forged sender addresses (backscatter).

Bill

> and many is the time I've just sent an email out to this list on a given topic, seen a lack of useful answer, and shrugged it off.
> </soapbox>
>
> --
> Check it out, it's just like Christmas. Except it sucks. -Jason Seguerra, 3/2/05
>
> Dan Mahoney
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
Botnet KING arrested...
Saw this posted on another list: http://sunbeltblog.blogspot.com/2007/10/botmaster-busted.html United States Attorney McGregor W. Scott announced today the arrest of GREG KING, 21, of Fairfield, California, and...
Re: is spamassassin using both processors?
Tim Litwiller wrote:
> We are running spamassassin on a Dual processor P4 Dell. How can I make sure that spamassassin is using both processors? Top is showing spamd using between 39% and 89% of the processor constantly. There are times during the day when we are processing 1800+ email per hour after RBLs strip off 70% of the cruft. What are some tuning tips? I don't really want to get rid of the rules I am using; we are very happy with the filtering results we are getting. I just want to make sure the hardware we have is doing its best before we look into going bigger or splitting the load.

When running top, press 1 to show an expanded list of all processors rather than the default consolidated view. If that still only shows one processor, then maybe when the server was built it did not have 2 processors? If that's the case, then you will need to install the SMP kernel for your distro.

Bill
Re: SPF-Compliant Spam
j o a r wrote:
> On 27 aug 2007, at 21.20, Kai Schaetzl wrote:
>> That's wrong. Even if all servers in the world would check SPF you would achieve *nothing* as the big majority of mail doesn't have anything to check.
>
> Why would I, as a SPF publishing domain owner, care if they have anything else to check? As long as they reject messages that fail SPF checks for my domain, my problem is solved.

I guess I don't understand where the confusion is here. As Joar states, SPF allows me to protect my domains from forgery and potential backscatter, because anyone using SPF to validate senders can appropriately detect and handle SPF failures for messages claiming to come from any of my domains that are forged. And as Graham stated, SPF is NOT a spam tool, it is an anti-forgery tool that I can use to detect forged messages coming into my mail server from any domain that publishes SPF records, and likewise, anyone using SPF can confirm whether anything coming into their mail server claiming to be from one of my domains is forged or not. That's it, nothing more, nothing less. Don't expect SPF to do more than it was designed to do, detect forged senders (originally, SPF stood for Sender Permitted From, and was later changed to Sender Policy Framework, even though the original name seems more descriptive of what SPF actually does - though that's not necessarily what the SPF FAQ claims: http://www.openspf.org/FAQ/Sender_permitted).

Bill
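The disagreement above is really about the four outcomes an SPF check can have for a given sending host: the domain publishes nothing (so there is nothing to check, Kai's point), or it publishes a record and the connecting address is authorized, softfails, or fails (Joar's and Bill's point: fail on a domain you own is a forgery you can reject). The evaluator below is an added example, not code from the list thread or from any SPF library; it uses a constructed table of records in place of DNS TXT lookups and implements only the ip4, ip6, include and all mechanisms, which is enough to show all four outcomes. Domain names and addresses are documentation values, and the include-loop guard is a generalization beyond what the thread discusses.

```python
import ipaddress

# Constructed sample of published SPF records, standing in for DNS TXT lookups.
# Domains and addresses are documentation values (RFC 2606 / RFC 5737), not
# real mail infrastructure.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",
    "example.org": "v=spf1 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the SPF record of `domain` for a connecting `client_ip`.

    Hypothetical helper supporting the ip4, ip6, include and all mechanisms.
    Returns one of: none, pass, fail, softfail, neutral, permerror.
    'none' is the case Kai describes: no record published, nothing to check.
    """
    record = records.get(domain)
    if record is None:
        return "none"
    if depth > 10:                       # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                  # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, client_ip, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"       # an include that cannot be evaluated is an error
        else:
            return "permerror"           # a, mx, exists, ... are not implemented in this example
    return "neutral"                     # record ended without an 'all' term


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.44"), ("example.com", "203.0.113.5"),
                    ("nospf.example", "192.0.2.44")]:
        print(dom, ip, check_spf(dom, ip))
```

Only the "fail" result is a statement by the domain owner that the host is not permitted to send for that domain; "none" and "neutral" carry no forgery information, which is why a receiver gains nothing from SPF for the majority of domains that publish no record, and why publishing one still protects the domains you own.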
Re: Question - How many of you run ALL your email through SA?
Marc Perkel wrote:
> Jo Rhett wrote:
>> On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
>>> On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
>>>> It seems to mostly help when it drops the message into a file for clamav to scan.
>>>
>>> Is that using the ClamAV plugin or outside of SA completely? I am currently using the ClamAV plugin with the SaneSecurity additions.
>>
>> I'm using Amavisd, which invokes clamav itself before calling SA. So your environment may be entirely different. Examine the process and see if/when/how it uses temporary files. It always seems to be faster using a ramdisk for the temp files.
>
> I've been using Clam but I've heard of Amavisd - do I want it? What all does it do?

See: http://www.ijs.si/software/amavisd/ for details.

Bill
Re: Sneaky [EMAIL PROTECTED] slipped through
Rick Zeman wrote:
> From: Jiyoon franc [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: The poor man' -- Koroviev let some tremor into his voice and pointed to Behemoth, who immediately concocted a woeful physiognomy - 'the poor man spends all day reparating primuses.
> Date: Fri, 17 Aug 2007 19:03:13 +0200
> Message-ID: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=windows-1250
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.6626
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
> X-Virus-Scanned: Maia Mailguard 1.0.2a/ClamAV
> X-Spam-Status: No, hits=3.512 tagged_above=-25 required=4.75 tests=BAYES_50=0.001, FRT_OPPORTUN1=1, JM_TORA_XM=2.411, RDNS_NONE=0.1
> X-Spam-Level: ***
>
> H.E*R*E WE GO AGAI.N! T H'E B_I+G O+N'E BEFO*RE T*H*E SE+PTEMBER.RALL.Y! T,H-E MARK,ET IS ABOU T TO P,O-P+, A+N,D SO IS E*X_M_T-! Fir,m: EXCHA*NG,E M+OBILE T E L_E (Ot+her O_T,C-: EX*MT.PK) Ti+ck: E,X.M,T A,s-k': 0..-0_8 5.-day pote,n'tial: 0_._4,0 T.h-i-s a gr'eat op por*tunity to at le+ast doubl-e up! N+o,t o'n_l*y d+o*e_s t+h i.s f_i,r m h a-v.e gre*at fundamental_*s, b,u+t get'ting t,h'i_s opp'ortu*nity at t*h_e rig-ht t_ime, righ't befo're t*h*e rall+y is w.h.a,t make,s t,h,i_s d e-a,l so sw*eet! Wat-ch it s,o a,r+! H.i+s calculating,', s_i-deways gl.ances w+e r-e r-e.minder en*ough of t+hat, if R'a,n,d n+eeded a+n_y+. H_e,'-s d ead, a*n.d at t.h,e murdere*r'-s horse*'s ta,il, In beast-ly sor*t, dr_agg'd th_rough t-h.e s.ham+eful fiel,d. If it d*oesn't w.o_r*k it j-u-s't leav-es t+h,e fi_les alo+ne a,n-d doe,sn't rem*ove any thin g. I, w+h,o h+a,d li_ved o,u,t of t*h-e whir*l of t-h-e world., h+a+d ne-ver dr-eamed t*h,a t i't+s w*o+r+k w a,s carr-ied on in s u.c*h f-ashion. La l,*itt6rature europe.enn+e et le mo_yen-,age latin_.
From this message:

X-Spam-Status: No, score=-93.537 required=5 tests=[AWL=-13.845, BILLS_TEST=0.01, BILLS_TEST=0.01, BOTNET_SOHO=0.1, FRT_BEFORE=1.279, FRT_OPPORTUN1=1, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, J_CHICKENPOX_15=0.6, J_CHICKENPOX_22=0.6, J_CHICKENPOX_23=0.6, J_CHICKENPOX_24=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_31=0.6, J_CHICKENPOX_32=0.6, J_CHICKENPOX_33=0.6, J_CHICKENPOX_34=0.6, J_CHICKENPOX_36=0.6, J_CHICKENPOX_41=0.6, J_CHICKENPOX_42=0.6, J_CHICKENPOX_52=0.6, J_CHICKENPOX_71=0.6, L_P0F_D11=-0.3, L_P0F_Unix=-1, MANGLED_DEALS=2.3, MANGLED_FASHN=2.3, MANGLED_HERE=2.3, MANGLED_MARKET=2.3, MANGLED_SWEET=2.3, MANGLED_TIME=2.3, MANGLED_WORKS=2.3, RCVD_IN_DNSWL_MED=-4, RCVD_IN_JMFILTER_W=-1.5, RCVD_IN_MXRATE_WL=-1, RELAY_US=0.01, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]

Without the SA list whitelisting, these typically score between 40 and 50 here. For example:

X-Spam-Score: 41.364
X-Spam-Status: Yes, score=41.364 required=5 tests=[BAYES_99=3.5, BOTNET=2.5, BOTNET_BADDNS=0.5, BOTNET_CLIENT=0.5, BOTNET_IPINHOSTNAME=0.5, FM_NO_STYLE=0.9, FRT_BEFORE=1.279, FRT_CLICK=1.993, FRT_OPPORTUN1=1, HELO_EQ_IP_ADDR=1.119, HTML_MESSAGE=0.001, J_CHICKENPOX_14=0.6, J_CHICKENPOX_15=0.6, J_CHICKENPOX_22=0.6, J_CHICKENPOX_23=0.6, J_CHICKENPOX_24=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_32=0.6, J_CHICKENPOX_33=0.6, J_CHICKENPOX_36=0.6, J_CHICKENPOX_41=0.6, J_CHICKENPOX_42=0.6, J_CHICKENPOX_43=0.6, J_CHICKENPOX_52=0.6, J_CHICKENPOX_61=0.6, MANGLED_DEALS=2.3, MANGLED_HERE=2.3, MANGLED_MARKET=2.3, MANGLED_TIME=2.3, RCVD_IN_NERDS_MY=2.5, RCVD_IN_PBL=0.905, RCVD_IN_TQMC_DHCP=1, RCVD_IN_UCEPROTECT_2=1, RCVD_IN_UCEPROTECT_3=0.5, RCVD_NUMERIC_HELO=2.067, RELAY_MY=1, SAGREY=1]

As I've posted here before, take a look at the SARE chickenpox and mangled rule sets. As you can see, they score quite nicely on these kinds of spam messages.

Bill
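The two headers above make the point only if you add the numbers up: the first message is a spam that lands at -93.5 solely because USER_IN_WHITELIST contributed -100 (and AWL another -13.8), while the chickenpox and mangled rule families between them contributed over 25 points. The parser below is an added example, not code from the list thread or from SpamAssassin; it takes the first X-Spam-Status header quoted above as its sample input, recomputes the total, shows what the score would be without the whitelist rules, and totals each rule family. The helper names are hypothetical. One detail worth noting: that header lists BILLS_TEST twice, so hits have to be kept as a list; a dict keyed by rule name would silently drop one and the total would no longer match the score.

```python
import re

# Sample input: the first X-Spam-Status header quoted in the message above.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=-93.537 required=5 tests=[AWL=-13.845, "
    "BILLS_TEST=0.01, BILLS_TEST=0.01, BOTNET_SOHO=0.1, FRT_BEFORE=1.279, "
    "FRT_OPPORTUN1=1, J_CHICKENPOX_13=0.6, J_CHICKENPOX_14=0.6, "
    "J_CHICKENPOX_15=0.6, J_CHICKENPOX_22=0.6, J_CHICKENPOX_23=0.6, "
    "J_CHICKENPOX_24=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_31=0.6, "
    "J_CHICKENPOX_32=0.6, J_CHICKENPOX_33=0.6, J_CHICKENPOX_34=0.6, "
    "J_CHICKENPOX_36=0.6, J_CHICKENPOX_41=0.6, J_CHICKENPOX_42=0.6, "
    "J_CHICKENPOX_52=0.6, J_CHICKENPOX_71=0.6, L_P0F_D11=-0.3, L_P0F_Unix=-1, "
    "MANGLED_DEALS=2.3, MANGLED_FASHN=2.3, MANGLED_HERE=2.3, MANGLED_MARKET=2.3, "
    "MANGLED_SWEET=2.3, MANGLED_TIME=2.3, MANGLED_WORKS=2.3, "
    "RCVD_IN_DNSWL_MED=-4, RCVD_IN_JMFILTER_W=-1.5, RCVD_IN_MXRATE_WL=-1, "
    "RELAY_US=0.01, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]"
)

_STATUS_RE = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=\[(.*?)\]", re.S)


def parse_spam_status(header):
    """Hypothetical helper: return (score, required, hits) from an X-Spam-Status header.

    `hits` is a list of (rule, points) tuples, in header order.  A list rather
    than a dict is deliberate: the same rule name can appear more than once
    (BILLS_TEST above), and every occurrence counts toward the score.
    """
    m = _STATUS_RE.search(header)
    if not m:
        raise ValueError("not an X-Spam-Status header with a tests=[...] list")
    score, required = float(m.group(1)), float(m.group(2))
    hits = []
    for item in m.group(3).split(","):
        rule, sep, pts = item.strip().partition("=")
        if sep:
            hits.append((rule, float(pts)))
    return score, required, hits


def score_without(hits, *rules):
    """Recompute the total as if the named rules (e.g. a whitelist) had not fired."""
    return round(sum(p for r, p in hits if r not in rules), 3)


def score_by_family(hits, families=("J_CHICKENPOX_", "MANGLED_")):
    """Total the points contributed by each rule-set family (prefix match)."""
    totals = {f: 0.0 for f in families}
    for rule, pts in hits:
        for f in families:
            if rule.startswith(f):
                totals[f] = round(totals[f] + pts, 3)
    return totals


if __name__ == "__main__":
    score, required, hits = parse_spam_status(SAMPLE_HEADER)
    print("header score", score, "recomputed", round(sum(p for _, p in hits), 3))
    print("without whitelist/AWL:", score_without(hits, "USER_IN_WHITELIST", "AWL"))
    print("per family:", score_by_family(hits))
```

Running it on the sample header reproduces the -93.537 total exactly, gives 20.308 once USER_IN_WHITELIST and AWL are removed (well past the required=5 threshold), and shows the chickenpox and mangled families contributing 9.6 and 16.1 points respectively; the same functions work on the second header above or on any X-Spam-Status line pulled from a maillog.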
Re: Punctuation Spam Lately
Jason Bennett wrote:
> Over the past few days, I've been seeing a ton of spam with every second letter replaced with punctuation or other symbols that are getting past SA. Are there any Rulesets out there that can take care of this? I am using SARE and most of the SA plugins. You can see a sample here: http://www.gcftech.com/spam2.jpg
>
> Thanks!
>
> J.
>
> No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.476 / Virus Database: 269.11.17/951 - Release Date: 8/13/2007 10:15 AM

Grab the chickenpox.cf and mangled.cf rules from: http://www.rulesemporium.com/other-rules.htm; they hit quite nicely on these types of spam.

Bill
Re: Solved: Was: DKIM vs DomainKeys plugins
Michael Scheidell wrote:
> Here is what I found out: You only need the DKIM SpamAssassin plugin activated (you don't need the DomainKeys plugin) BUT, you need BOTH Mail-DKIM ( .20) perl AND Mail-DomainKeys perl functions loaded. I suppose the SA DKIM plugin works for both. (I am not sure that was clear on INSTALL) Thanks to everyone who sent me signed email.

This is not correct. I don't have the DomainKeys perl module (Mail::DomainKeys) installed, and DK and DKIM work fine here with only the SA DKIM plugin enabled.

perl -e 'use Mail::DKIM; print $Mail::DKIM::VERSION, "\n"'
0.26

===

perl -e 'use Mail::DomainKeys; print $Mail::DomainKeys::VERSION, "\n"'
Can't locate Mail/DomainKeys.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at -e line 1.
BEGIN failed--compilation aborted at -e line 1.

Bill
Re: Solved: Was: DKIM vs DomainKeys plugins
Michael Scheidell wrote:
> -----Original Message-----
> From: Bill Landry [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 23, 2007 8:56 AM
> To: Michael Scheidell
> Cc: users@spamassassin.apache.org
> Subject: Re: Solved: Was: DKIM vs DomainKeys plugins
>
> Michael Scheidell wrote:
>> Here is what I found out: You only need the DKIM SpamAssassin plugin activated (you don't need the DomainKeys plugin) BUT, you need BOTH Mail-DKIM ( .20) perl AND Mail-DomainKeys perl functions loaded. I suppose the SA DKIM plugin works for both. (I am not sure that was clear on INSTALL) Thanks to everyone who sent me signed email.
>
> This is not correct. I don't have the DomainKeys perl module (Mail::DomainKeys) installed, and DK and DKIM work fine here with only the SA DKIM plugin enabled.

> But will it work for DomainKeys ONLY signed email? I didn't have any problem with DKIM signed email (well, except for verizon's mess) but if I remove (uninstall) Mail-DomainKeys.pm, I don't get any DKIM-SIGNED or DKIM-VERIFIED hits on any email with DomainKeys signatures only.

Yes, DK only signed mail works fine, as my previous yahoo.com message sample showed.

Here it is again: Test from yahoo.com (which uses DK signature only):

X-Spam-Status: No, score=-4.263 required=5 tests=[AWL=0.892, BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.5, DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, IP_NOT_FRIENDLY=0.334, L_P0F_D9=-0.4, L_P0F_Unix=-1, RCVD_IN_MXRATE_WL=-1, RELAY_US=0.01]
X-Amavis-OS-Fingerprint: FreeBSD 4.7-5.2 (or MacOS X 10.2-10.4) (2) (up: 1800 hrs), (distance 9, link: ethernet/modem), [69.147.95.82]
Received: from smtp119.plus.mail.sp1.yahoo.com (smtp119.plus.mail.sp1.yahoo.com [69.147.95.82]) by mail.inetmsg.com (INetMsg Mail Service) with SMTP id 980546D0C45 for [EMAIL PROTECTED]; Sat, 21 Jul 2007 13:36:17 -0700 (PDT)
Received: (qmail 56102 invoked from network); 21 Jul 2007 20:36:17 -
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-YMail-OSG:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding; b=KyMFQ/KnTUWMW4INZwzDVKi1jpqcixQQiBodqZ4fnptqcvbdAXR3/R/tYDU3Lvh+dLdoRtwLWm+zXgi50Q9K9xyOhL+HdZBoNkU1Tepe5udc6yJxWdEGzLi7VQrdoUYQwM4oDH+4DrtyO2HRzE0by3OdxY53OWwSAW23ebmflvE= ;

What version of Mail::DKIM are you running, as I had thought only the latest version (0.26) supported verification of both DK and DKIM keys (but I could be mistaken)? I just know that I use DKIM.pm 0.26 and it works fine for verifying both DK and DKIM signatures.

Bill
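The reason one verifier can handle the DomainKeys signature above and a DKIM signature alike is that the two headers share the same tag=value layout and publish their public keys at the same DNS name, selector._domainkey.domain. The following is an added example, not code from the list thread or from Mail::DKIM, and it does no cryptography: it parses a DomainKey-Signature or DKIM-Signature header into its tags, derives the key record name, and runs the well-formedness checks a verifier performs before fetching the key (required tags present, algorithm valid for the scheme, From covered by h=). The DomainKey-Signature sample is the yahoo.com header quoted above; the DKIM-Signature sample is constructed with placeholder hash and signature values, and all helper names are hypothetical.

```python
import re

# Sample inputs. The DK header is the yahoo.com one quoted in the message above;
# the DKIM header is constructed for illustration with placeholder bh= and b=.
DK_HEADER = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; "
    "h=Received:X-YMail-OSG:Message-ID:Date:From:User-Agent:MIME-Version:To:"
    "Subject:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding; "
    "b=KyMFQ/KnTUWMW4INZwzDVKi1jpqcixQQiBodqZ4fnptqcvbdAXR3/R/tYDU3Lvh+dLdoRtwL"
    "Wm+zXgi50Q9K9xyOhL+HdZBoNkU1Tepe5udc6yJxWdEGzLi7VQrdoUYQwM4oDH+4DrtyO2HRz"
    "E0by3OdxY53OWwSAW23ebmflvE=;"
)
DKIM_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; "
    "s=sel2007; h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG="
)

REQUIRED_TAGS = {"DK": ("s", "d", "b"), "DKIM": ("v", "a", "s", "d", "h", "bh", "b")}
ALLOWED_ALGS = {"DK": ("rsa-sha1",), "DKIM": ("rsa-sha1", "rsa-sha256", "ed25519-sha256")}


def parse_signature(header):
    """Hypothetical helper: split a DK or DKIM signature header into its tags.

    Returns a dict with 'scheme' ('DK' or 'DKIM') plus one entry per tag.
    Whitespace inside values (from header folding) is removed, as both specs allow.
    """
    name, _, body = header.partition(":")
    scheme = {"domainkey-signature": "DK", "dkim-signature": "DKIM"}.get(name.strip().lower())
    if scheme is None:
        raise ValueError("not a DK or DKIM signature header: %r" % name.strip())
    tags = {"scheme": scheme}
    for field in body.split(";"):
        tag, sep, value = field.partition("=")   # split on the first '=' only: b= is base64 with '=' padding
        if sep:
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags):
    """DNS name of the public key. DK and DKIM both use selector._domainkey.domain."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def signature_checks(tags):
    """Pre-crypto sanity checks; returns a list of problems (empty = fetch the key and verify)."""
    scheme = tags["scheme"]
    problems = ["missing tag %s" % t for t in REQUIRED_TAGS[scheme] if t not in tags]
    if "a" in tags and tags["a"] not in ALLOWED_ALGS[scheme]:
        problems.append("algorithm %s not valid for %s" % (tags["a"], scheme))
    if scheme == "DKIM":
        if tags.get("v") != "1":
            problems.append("unsupported DKIM version %r" % tags.get("v"))
        if "from" not in tags.get("h", "").lower().split(":"):
            problems.append("DKIM h= must include From")
    return problems


if __name__ == "__main__":
    for hdr in (DK_HEADER, DKIM_HEADER):
        t = parse_signature(hdr)
        print(t["scheme"], key_record_name(t), signature_checks(t) or "ok")
```

Both samples resolve to a key under _domainkey, which is the shared layout that lets a single library such as the one Bill describes verify either scheme; the checks are the cheap rejections a verifier makes before spending a DNS query and an RSA operation on a header that cannot validate anyway.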