Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

2010-02-24 Thread Christian Brel
On Wed, 24 Feb 2010 17:31:19 +0100
Kai Schaetzl  wrote:

> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +:
> 
> > But that would reject *everything* that was not authenticated or in
> > 'my networks'.
> 
> Indeed, that's the purpose. And it doesn't matter if you get the mail
> via 25 or 587. 587 is just a convenience. Any other access to use
> your server for relaying should not be allowed at all. I really
> suggest you sit back and read the postfix documentation instead of
> questioning and questioning in the blue air. It's an absolute
> standard postfix configuration that you just seem to have not been
> made aware for years.
> 
> Kai
> 


I'm confused. The mail you have just sent to the list has;
'From: Kai Schaetzl '

Yet the server is:
mail.apache.org (hermes.apache.org [140.211.11.3])
#aka a forwarder in this context#

Now, if we do as you say and you have somebody else at conactive.com
who is subscribed to the list, what happens to this mail when it comes
across: 'reject my_domains,'

Granted SPF won't help anyone here (I don't think anyone would add
an entry for 140.211.11.3 in their SPF unless they were really keen)



Re: Off Topic - SPF - What a Disaster

2010-02-24 Thread Christian Brel
On Wed, 24 Feb 2010 17:09:31 +0100
Per Jessen  wrote:


> > Tell you what, wouldn't it be a great idea to save all the messing
> > around and use something universal and simple for the job? Something
> > lightweight and easy to deploy. I know! What about using SPF!
> 
> Christian, I suspect we don't have quite the same understanding of
> what 'easy' means. 

I guess that is so.

Personally I find the multiple use of Postfixens trivially easy and have
it deployed that way to get over its inability to whitelist body and
header checks {at all}. In general terms your fix may not suit
common MTAs like Exchange (I feel quite disgusted to have described
Exchange as an MTA and will now go and wash my typing fingers.)

I did find a bad place to use SPF - and that is
on a well known spam filter made by an American company. Enable it there
and watch the machine grind to a halt. 'it's a feature - not a bug'
LOL couldn't resist it... I'll get my coat..


> 
> 
> /Per Jessen, Zürich
> 



Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

2010-02-24 Thread Christian Brel
On Wed, 24 Feb 2010 14:37:49 +0100
Per Jessen  wrote:

> Christian Brel wrote:
> 
> >> > Humour me. Does this not mean a need to change the outbound to
> >> > either a different IP or port?
> >> 
> >> IP yes.  I assume your external and internal network are on
> >> different IP-ranges.
> > 
> > What about my home workers? I don't have a VPN, they hook in by DSL
> > from any number of different providers from outside using SASL/TLS.
> 
> Then presumably they submit email via port 587 after appropriate
> authentication. 
No, they submit on 25 using TLS+SASL. Would making
the changes to Firewall, MTA, plus potentially thousands of clients be
easier than SPF? Would all those angry users screaming because they
can't send mail at all be a good thing? I don't think so myself.

> > It's like you say, you were thinking out loud and I can see where
> > you are coming from, but it's not a fix for every situation.
> 
> I think it actually is.  Allow mynetworks, allow authenticated users,
> reject everything else.
But that would reject *everything* that was not authenticated or in 'my
networks'. For a single IP/Port listening to the world this does not
work. It requires multiple SMTP instances with different IPs or Ports
which may not suit the needs of the admin and the users concerned.
> 
Tell you what, wouldn't it be a great idea to save all the messing
around and use something universal and simple for the job? Something
lightweight and easy to deploy. I know! What about using SPF!

> 
> /Per Jessen, Zürich
> 
Of course, all this has very little to do with Spamassassin..



Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

2010-02-24 Thread Christian Brel
On Wed, 24 Feb 2010 13:38:55 +0200
Henrik K  wrote:

> On Wed, Feb 24, 2010 at 11:30:25AM +0000, Christian Brel wrote:
> > On Wed, 24 Feb 2010 11:39:43 +0100
> > "Rob Sterenborg"  wrote:
> > 
> > > On 2010-02-24, Kai Schaetzl wrote:
> > > 
> > > > > Postfix:  I would have two different smtpd daemons - one for
> > > 
> > > > You don't have to run two postfixes for this.
> > > 
> > > I think Per means: 2 smtpd processes, not 2 Postfixes..
> > > 
> > > 
> > > --
> > > Rob
> > > 
> > 
> > Humour me.
> 
> Please stop humouring our resident troll.
> 

That would be you then as your post has no purpose other than to
inflame. Kinda reminds me of that old saying 'takes one to know one.'


Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

2010-02-24 Thread Christian Brel
On Wed, 24 Feb 2010 12:41:29 +0100
Per Jessen  wrote:

> Christian Brel wrote:
> 
> > On Wed, 24 Feb 2010 11:39:43 +0100
> > "Rob Sterenborg"  wrote:
> > 
> >> On 2010-02-24, Kai Schaetzl wrote:
> >> 
> >> > > Postfix:  I would have two different smtpd daemons - one for
> >> 
> >> > You don't have to run two postfixes for this.
> >> 
> >> I think Per means: 2 smtpd processes, not 2 Postfixes..
> >> 
> >> 
> >> --
> >> Rob
> >> 
> > 
> > Humour me. Does this not mean a need to change the outbound to
> > either a different IP or port? 
> 
> IP yes.  I assume your external and internal network are on different
> IP-ranges. 

What about my home workers? I don't have a VPN, they hook in by DSL
from any number of different providers from outside using SASL/TLS.

It's like you say, you were thinking out loud and I can see where you
are coming from, but it's not a fix for every situation.

I'm also thinking about those forwarding services out there - does the
two SMTPd approach not break this in the same way SPF would break if
the forwarder was not permitted to send?
> 


Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

2010-02-24 Thread Christian Brel
On Wed, 24 Feb 2010 11:39:43 +0100
"Rob Sterenborg"  wrote:

> On 2010-02-24, Kai Schaetzl wrote:
> 
> > > Postfix:  I would have two different smtpd daemons - one for
> 
> > You don't have to run two postfixes for this.
> 
> I think Per means: 2 smtpd processes, not 2 Postfixes..
> 
> 
> --
> Rob
> 

Humour me. Does this not mean a need to change the outbound to either a
different IP or port? I guess you could start hashing things around
with IPTables to redirect certain requests, but once you've done all of
this, changed all the clients etc. etc, you are saying this would be
*easier* than SPF?

Sure, I get the sentiment but I don't necessarily agree that large
changes would be better than making use of a simple DNS based mechanism
that already exists. Factor in the millions of email users who
don't use Postfix and run things like Exchange and things tend to widen
up.


Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

2010-02-24 Thread Christian Brel
On Wed, 24 Feb 2010 10:28:24 +0100
Per Jessen  wrote:

> Christian Brel wrote:
> 
> > On Wed, 24 Feb 2010 09:18:38 +0100
> > Per Jessen  wrote:
> > 
> >> LuKreme wrote:
> >> 
> >> > On 23-Feb-10 14:17, Bowie Bailey wrote:
> >> >> SPF enforcement at the MTA is useless for the reasons you
> >> >> specified. The only exception is if you have a strict SPF policy
> >> >> for your own domain, you can use it to reject spam pretending to
> >> >> be from your users.
> >> > 
> >> > And that makes it worthwhile all by itself.
> >> > 
> >> 
> >> Well, I guess it depends on your point of view - how difficult is
> >> it to set up an MTA to reject mails pretending to be from
> >>  that didn't originate on your MTA?
> >> 
> >> 
> >> /Per Jessen, Zürich
> >> 
> > 
> > Good question - how would you do it?
> 
> Postfix:  I would have two different smtpd daemons - one for the local
> network, one for the external.  The external smtpd would have a
> check_sender_access along these lines (thinking out loud here):
> 
> check_sender_access = hash:/etc/postfix/reject_from_my_domain
> 
> /etc/postfix/reject_from_my_domain would have:
> 
> example.com 5xx 
> 
> 
> /Per Jessen, Zürich
> 


So you would reject outbound mail from your domain? I'm sure that's a
typo. The aggravation of multi-instancing Postfix onto a different port
or IP, seeking help from their aggressive and abusive user list when it
fails to work -v- SPF. Ummm such a choice.
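
An added illustration, not code from any poster in this thread: a simplified Python model of how an ordered restriction list of the kind discussed here (permit_mynetworks, permit_sasl_authenticated, then a check_sender_access map listing the site's own domain) decides a session. The networks, domain and sessions are constructed; the model consults only client address, SASL login and envelope sender, never the listener port or the From: header.

```python
import ipaddress

# Constructed site values for illustration (documentation address ranges).
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
# Keys of the check_sender_access map (reject_from_my_domain in the thread).
REJECT_SENDER_DOMAINS = {"example.com"}


def envelope_domain(mail_from):
    """Domain of the envelope sender (SMTP MAIL FROM), lower-cased."""
    return mail_from.rpartition("@")[2].lower()


def in_sender_map(domain):
    """Simplified map lookup: the domain itself or any parent domain."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in REJECT_SENDER_DOMAINS
               for i in range(len(labels)))


def decide(client_ip, sasl_login, mail_from):
    """Evaluate the restrictions in order; the first one that decides wins.

    Returns "permit", "reject" or "dunno" (no decision here: later
    restrictions and content filtering still apply to the message).
    """
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in MYNETWORKS):      # permit_mynetworks
        return "permit"
    if sasl_login:                                  # permit_sasl_authenticated
        return "permit"
    if in_sender_map(envelope_domain(mail_from)):   # check_sender_access
        return "reject"
    return "dunno"


# Constructed sessions: (label, client IP, SASL login or None, MAIL FROM).
SESSIONS = [
    ("office desktop", "192.0.2.10", None, "alice@example.com"),
    ("home worker, TLS+SASL on port 25", "203.0.113.7", "alice",
     "alice@example.com"),
    ("unauthenticated spoof", "198.51.100.9", None, "alice@example.com"),
    # A list server uses its own bounce address as envelope sender,
    # whatever the From: header inside the message says.
    ("mailing list post", "198.51.100.20", None,
     "users-return-123-bob=example.com@lists.example.org"),
    ("ordinary inbound mail", "198.51.100.30", None, "carol@example.net"),
]


def run():
    """Verdict for every constructed session, keyed by its label."""
    return {label: decide(ip, login, sender)
            for label, ip, login, sender in SESSIONS}


if __name__ == "__main__":
    for label, verdict in run().items():
        print(f"{verdict:7} {label}")
```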




Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

2010-02-24 Thread Christian Brel
On Wed, 24 Feb 2010 09:18:38 +0100
Per Jessen  wrote:

> LuKreme wrote:
> 
> > On 23-Feb-10 14:17, Bowie Bailey wrote:
> >> SPF enforcement at the MTA is useless for the reasons you
> >> specified. The only exception is if you have a strict SPF policy
> >> for your own domain, you can use it to reject spam pretending to
> >> be from your users.
> > 
> > And that makes it worthwhile all by itself.
> > 
> 
> Well, I guess it depends on your point of view - how difficult is it
> to set up an MTA to reject mails pretending to be from 
> that didn't originate on your MTA?  
> 
> 
> /Per Jessen, Zürich
> 

Good question - how would you do it?


Re: [SPAM:9.6] Re: OT::Making a PC explode (was Re: Newest spammer trick - non-blank subject lines?)

2010-02-10 Thread Christian Brel
On Wed, 10 Feb 2010 12:32:06 -0800 (PST)
John Hardin  wrote:

> On Wed, 10 Feb 2010, Bowie Bailey wrote:
> 
> > jd wrote:
> >> A lot of older people still believe that giving the PC the wrong
> >> command will cause it to explode in a shower of sparks, thanks to
> >> Hollywood. It seems that Hollywood is still doing that.
> >
> > Electronics generating sparks when overloaded?  Yes.
> >
> > Generating smoke?  Yes.
> >
> > Flames?  Yes.
> 
> http://en.wikipedia.org/wiki/Halt_and_Catch_Fire
> 

Wow, forgot about that! Thanks for the memory!


Re: [SPAM:9.6] Re: OT::Making a PC explode (was Re: Newest spammer trick - non-blank subject lines?)

2010-02-10 Thread Christian Brel
On Wed, 10 Feb 2010 12:42:46 -0500
Bowie Bailey  wrote:

> jd wrote:
> > A lot of older people still believe that giving the PC the wrong
> > command will cause it to explode in a shower of sparks, thanks to
> > Hollywood. It seems that Hollywood is still doing that.
> >   
> 
> Electronics generating sparks when overloaded?  Yes.
> 
> Generating smoke?  Yes.
> 
> Flames?  Yes.
> 
> A dynamic explosion?  No.
> 
> (Never did figure out why all the electronics consoles in movies seem
> to contain explosives...)
> 


It's a simple mistake - but the repair technician substitutes the 4700uf
smoothing caps with Le Maitre theatrical maroons (the very small
ones I hasten to add, the really big ones you put into a car a
disconnected car stereo, wired across the supply cables and leave the
car unlocked :-) If the thief is local, you'll hear the bang)


Re: [SPAM:9.5] Re: Smut spam

2010-01-30 Thread Christian Brel
On Sat, 30 Jan 2010 12:59:10 -0500
Jared Hall  wrote:


> 2) Here are some ruleset extractions that might help you get over the
> hump.  Comment if you must but be advised that I usually ignore them,
> good or bad.
> 
{snip}

Thank you for taking the time to post them here - appreciated.


Re: [SPAM:9.6] Re: Smut spam

2010-01-30 Thread Christian Brel
On Sat, 30 Jan 2010 09:32:31 +
Ned Slider  wrote:

> Christian Brel wrote:
> > 
> > header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i
> > body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/
> > meta HOTMAIL_SPAM_GY (__HOTMAIL_SPX1 && __HOTMAIL_SPX2)
> > score HOTMAIL_SPAM_GY 0.0
> > 
> 
> If I may...
> 
> To match only Received headers:
> 
> header __HOTMAIL_SPX1 Received =~ /.{1,30}hotmail\.com/i
> 
> which incidentally will also match entries from
> this-is-not-hotmail.com 
> - may or may not be what you intended.
Indeed. It's probably fair to say that anyone using
'this-is-not-hotmail' would not really fall into my 'must have mail
from' senders, but that's just a view.
> 
> There is already a "from Hotmail" rule in 20_head_tests.cf for use in 
> meta rules that may suffice?
> 
> header   __FROM_HOTMAIL_COM From =~ /\...@hotmail\.com\b/i
> 
> Also, you can use a uri rule for URIs, for example:
> 
> uri __HOTMAIL_SPX2   m{https?://groups\.yahoo\.com\b}
> 


It was a 'for instance' not a solid rule Ned, but as you've gone to
so much trouble please feel free to finish the job and offer the whole
rule :-)


Re: Smut spam

2010-01-30 Thread Christian Brel
On Fri, 29 Jan 2010 14:34:46 -0500
Adam Katz  wrote:

> Robert Fitzpatrick wrote:
> >>> http://mx1.webtent.net/test.msg
> > http://mx1.webtent.net/test2.msg
> 
> The first one now also hits razor ... can't say one way or another
> about how it hit earlier, but I'd suggest double-checking to ensure
> you use the plugin as it's pretty useful across the board.
> 
> 
> I suppose this is more an sa-dev question, but perhaps it might be
> worthwhile to have a freemail_networks category (much like
> trusted_networks) that would allow limited parsing beyond the freemail
> providers' networks into the system that connected to it.  This must
> not affect the last-external checks as it would then trigger all the
> dynamic rDNS detectors, and we'd also have to be wary about SPF etc,
> but it might be quite useful for DNSBL.
> 
> I'm sure the freemail plugin already does much of this work.

I'm not sure that it does - looking at the comments at the top of
the .pm it says;

"# If From-address is freemail, and Reply-To or address found in mail
# body is a different freemail address, return success."

In the context we have here, and in general terms for the variety of
spam received via Hotmail - it's a vector, but not overly useful with
this specific type of 'hotspam'.

Looking back at my Hotmail spam it consists of a 50/50ish mix of 419
(where the freemail plugin could be useful) and links. Many are to
staging posts like groups.yahoo.com and can be trivially wiped out with
stuff like:

header __HOTMAIL_SPX1 ALL =~ /Received\:.{1,30}hotmail\.com/i
body __HOTMAIL_SPX2 /http\:\/\/groups\.yahoo\.com/
meta HOTMAIL_SPAM_GY (__HOTMAIL_SPX1 && __HOTMAIL_SPX2)
score HOTMAIL_SPAM_GY 0.0

But where random, changing domain names are used this tactic will never
work. You'll spend your life writing rules.

It's not conceivable to block HOTMAIL as we have a generation of money
spending customers who use it as their primary mail. It would result in
a serious loss of genuine mail. So the vectors that can be used are
very narrow.

This brings me back to the X-Originating-IP: [x.x.x.x] header. We can't
block this on a PBL, but we *can* on a REPUTATION based list like that
offered by Barracuda. In fact one of those is catching on the BBL:
[78.175.50.246 listed in b.barracudacentral.org] - but I can't say how
long it's been on there - I've only checked it this morning.

It would also be very useful to GEO check this IP as often it's from
somewhere like Turkey, Brazil, China et al. It seems logical to extend
the functionality of the Relay Countries plugin to look for this
header - or add an 'originates from' section to it. I'm no developer so
I can't say if this would be trivial - but I feel it would be a useful
thing to do.


Re: [SPAM:9.6] Re: [SPAM:9.6] Smut spam

2010-01-29 Thread Christian Brel
On Fri, 29 Jan 2010 11:28:31 -0500
Robert Fitzpatrick  wrote:

> On Fri, 2010-01-29 at 16:19 +0000, Christian Brel wrote:
> > On Fri, 29 Jan 2010 11:09:49 -0500
> > Robert Fitzpatrick  wrote:
> > 
> > > Could I get someone to run an example of smut spam I cannot seem
> > > to block in SA 3.2.5? This is a typical message that has been
> > > hammering one or two customers and despite learning many of these
> > > messages with bayes, still they continue...
> > > 
> > > http://mx1.webtent.net/test.msg
> > > 
> > > I am using Sanesecurity as well as the saupdates.
> > > 
> > > --Robert
> > > 
> > 
> > Do the links always point to: globalnamesgroup.com or do they vary?
> 
> All different, even the content, here is another example...
> 
> http://mx1.webtent.net/test2.msg
> 

About the best I can come up with:

In both cases the originating IP header leads to a bad/listed IP:

X-Originating-IP: [78.175.50.246]

~
RUNNING REPORT
TYPE: single IP 78.175.50.246
~
78.175.50.246 listed in b.barracudacentral.org.
78.175.50.246 listed in PBL (ISP)

X-Originating-IP: [109.75.193.116]

~
RUNNING REPORT
TYPE: single IP 109.75.193.116
~
109.75.193.116   listed in PBL (SPAMHAUS) 
109.75.193.116   listed in dnsbl-2.uceprotect.net. 
109.75.193.116   listed in dnsbl-3.uceprotect.net. 

BUT!
AFAIK SA would not block on these and I guess that is because Hotmail
users tend to connect with a web browser from dynamic connections.
Therefore blocking them on a dynamic space policy list (PBL) could
result in shed loads of FPs.

I'm not sure if the RelayCountry module would pick these up. One is
in Turkey, the other gives me an Unknown AS number or IP network error
(I have an old whois client).

This is good spam that defeats SpamAssassin pretty easily as the sender
(hotmail) is mostly globally trusted. I agree with the other poster that
the amount of Spam from Hotmail is a royal pain in the backside, but
this is a spam filter and there needs to be a way to block this kind of
stuff.

Perhaps there needs to be some meta rules such as;
'comes from hotmail, has a single link, originating IP is in a Country
that is often seen sending spam, lots of broken encoded characters
before the HTML section'. But I am to the world of writing rules what
Myra Hindley was to child care.
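
An added sketch, not from the thread or from SpamAssassin, of the check proposed in these posts: take the address from X-Originating-IP, look it up in DNSBL zones, and count only reputation listings while ignoring policy (PBL) answers, which are expected for webmail users on dynamic lines. The resolver is a stand-in that replays the listings reported above as constructed answers; the sample message is constructed, and the code assumes the usual Spamhaus convention that 127.0.0.10 and 127.0.0.11 mean PBL.

```python
import re
import ipaddress
from email import message_from_string

ZONES = ("b.barracudacentral.org", "zen.spamhaus.org")
# Per-zone answers that mean "policy list" rather than "seen abusing".
POLICY_CODES = {"zen.spamhaus.org": {"127.0.0.10", "127.0.0.11"}}

# Constructed message carrying the header value quoted in the post.
SAMPLE = (
    "Received: from constructed.example by mx.example.org; "
    "Fri, 29 Jan 2010 16:00:00 +0000\n"
    "X-Originating-IP: [78.175.50.246]\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def originating_ip(raw_message):
    """Return the IPv4 address in X-Originating-IP, or None.

    The header is only as trustworthy as the relay that added it, so use
    it only on mail actually handed over by the webmail provider.
    """
    value = message_from_string(raw_message).get("X-Originating-IP", "")
    match = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", value)
    if not match:
        return None
    try:
        return ipaddress.IPv4Address(match.group(0))
    except ipaddress.AddressValueError:
        return None


def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, zone appended."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def reputation_hits(ip, resolve):
    """Zones in which `ip` has a listing that is not a policy listing.

    `resolve(name)` returns the A records for `name` as strings, or an
    empty list when the name does not exist (not listed).
    """
    hits = []
    for zone in ZONES:
        answers = set(resolve(dnsbl_name(ip, zone)))
        # Answers outside 127.0.0.0/24 signal query errors, not listings.
        listed = {a for a in answers if a.startswith("127.0.0.")}
        if listed - POLICY_CODES.get(zone, set()):
            hits.append(zone)
    return hits


# Stand-in resolver: constructed answers mirroring the report in the post.
REPLAY = {
    "246.50.175.78.b.barracudacentral.org": ["127.0.0.2"],
    "246.50.175.78.zen.spamhaus.org": ["127.0.0.10"],    # PBL (ISP)
    "116.193.75.109.zen.spamhaus.org": ["127.0.0.11"],   # PBL (Spamhaus)
}


def replay_resolver(name):
    return REPLAY.get(name, [])


if __name__ == "__main__":
    ip = originating_ip(SAMPLE)
    print(ip, reputation_hits(ip, replay_resolver))
```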


Re: [SPAM:9.6] Smut spam

2010-01-29 Thread Christian Brel
On Fri, 29 Jan 2010 11:09:49 -0500
Robert Fitzpatrick  wrote:

> Could I get someone to run an example of smut spam I cannot seem to
> block in SA 3.2.5? This is a typical message that has been hammering
> one or two customers and despite learning many of these messages with
> bayes, still they continue...
> 
> http://mx1.webtent.net/test.msg
> 
> I am using Sanesecurity as well as the saupdates.
> 
> --Robert
> 

Do the links always point to: globalnamesgroup.com or do they vary?


Re: [SPAM:9.6] Should I block Experian/Free Credit Report

2010-01-23 Thread Christian Brel
On Fri, 22 Jan 2010 13:58:34 -0800
Marc Perkel  wrote:

> Generally I'm paid to protect my customers from fraud scams. Does
> that include fraud scams that are advertised on TV? The Experian/Free
> Credit Report is such a scam and I was personally ripped off by them
> and I'm thinking about blocking their email. What they do isn't any
> different than a 419 Nigerian scam.
> 
> Thoughts?
> 
> 


Experian, the 'free' trial that takes your credit card details and all
attempts to cancel still sees them trying to debit the card.
Ironically, in the UK you can get a copy of your credit report from
Experian by post for £2 without providing any card details. It's been
this way since the days they were CCN Systems. For a company managing
personal financial data their desire to debit cards without
authorisation surprised me, and the follow up spam they kick out after
you cancel is something else.

Personally I would class them as a data abuser and I have them blocked
in a private dnsbl that I have extended to 'cheetah' as well, which I
believe is their 'esp'.

FWIW I have a couple of 'Virgin' PAYG Mastercards which I keep active
for such places that require valid card details. These are very
effective for making sure any mainsleaze scammers get nothing in return
for what they purport to offer for free.


Re: [SPAM:9.6] What are these headers?

2010-01-14 Thread Christian Brel
On Thu, 14 Jan 2010 16:30:37 -0700
Brent Gardner  wrote:

> Anybody seen headers like this?
> 
> X-SI: 538
> X-EN: 1470024
> X-SE: 69846
> X-EV: 0
> X-Job: 69846
> X-SO: 2
> 
> 
> I've seen them in a few spams.  I assume they're metadata generated
> by a bulk mailing program.  I'm going to write some rules against
> them.  If I knew more about what generates them I could write a
> better rule.
> 
> Google was not much help.
> 
> Thanks.
> 
> 
> Brent Gardner
> 
> 


I've seen them, but I'm yet to work out what ratware drops them. I've
also seen a few like this:

EM-Campaign: {D4F901DE-.blah}
EM-Task: 7


Re: newbie: configure SA to reject spam

2010-01-14 Thread Christian Brel
On Thu, 14 Jan 2010 13:28:06 +0100
Robert Schetterer  wrote:

> On 14.01.2010 13:00, tonjg wrote:
> > 
> > 
> > David B Funk wrote:
> >>
> >> So you need to tell us exactly how you've integrated SA into your
> >> sendmail before we can give you a precise answer.
> > 
> > what I did was edit the local.cf so it contained this:
> > required_hits 8
> > rewrite_subject 1
> > report_header 1
> > use_terse_report 1
> > defang_mime 0
> > report_safe 0
> > use_bayes 1
> > auto_learn 1
> > ok_locales en
> > rewrite_header Subject [SPAM]
> > --
> > 
> > and I edited the procmailrc file so it contained this:
> > ORGMAIL=$HOME/mbox
> > DEFAULT=$ORGMAIL
> > DROPPRIVS=yes
> > 
> > :0fw
> > * < 50
> > | /usr/bin/spamc
> > -
> > 
> > if I've done the right thing then next I want sendmail to reject
> > the spam mails in the same way the dnsbl lists do.
> > I think I'm getting somewhere because my mail log has started
> > showing entries like this:
> > Jan 14 06:00:14 home spamd[17440]: spamd: connection from
> > Jan 14 06:00:14 home spamd[17440]: spamd: setuid to
> > Jan 14 06:00:14 home spamd[17440]: spamd: processing message
> > Jan 14 06:00:28 home spamd[17440]: spamd: clean message (3.3/8.0)
> > Jan 14 06:00:28 home spamd[17440]: spamd: result: . 3
> > Jan 14 06:00:28 home spamd[17415]: prefork: child states: II
> > 
> > and a spam email just came in as I was writing this (lol) and the
> > header of that email contains this:
> > Return-Path: 
> > X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on home.svr5
> > X-Spam-Level: ***
> > X-Spam-Status: No, score=7.9 required=8.0
> > tests=FH_DATE_PAST_20XX,HTML_MESSAGE,
> > 
> > but I see this mail wasn't tagged because the score was 7.9 (lol).
> > this is what I've done so far so thanks for any further advice.
> 
> you can use spamass-milter to reject spam mails over a wanted level
> at smtp income stage i.e with postfix or sendmail, rejecting later
> may cause backscatter, i recommend also use clamav-milter with
> antispam sanesecurity sigs in milter stage too, this is good enough
> for daily filtering, i would only use procmail for putting i.e marked
> mails in special imap folders ( i.e Junk ) etc, anyway
> postfix-dovecot-sieve is more nice to handle filtering than procmail,
> give it a try
> 


Sound and good advice from Robert Schetterer. Spamass-milter is sturdy
and combined with the clamav-milter + Sanesecurity rules it kicks ass!

You need to help yourself a little now, use Google, look up the
documentation and come back with what you've done if you get stuck.

You won't get the most helpful responses to 'how do I' questions,
whereas the 'I have tried this but I'm stuck' will often yield a
flurry of help.


Re: [Fwd: Delivery Status Notification (Failure)]

2010-01-13 Thread Christian Brel
On Wed, 13 Jan 2010 16:17:31 +0100
Matus UHLAR - fantomas  wrote:

> > On Wed, 13 Jan 2010 09:39:34 -0500
> > Jason Bertoch  wrote:
> > > Can a list admin disable the
> > > spamassas...@hundredacrewood.willspc.net account as we're still
> > > getting bounces?
> 
> On 13.01.10 14:49, Christian Brel wrote:
> > I found dropping the whole: 66.192.0.0/14 in iptables solved this
> > for me :-) Seen lots of connection attempts, but hey ho
> 
> I recommend not to drop whole IP ranges unless you know you need to.
> You can block important mail that way


Not from that range I won't :-)


Re: [Fwd: Delivery Status Notification (Failure)]

2010-01-13 Thread Christian Brel
On Wed, 13 Jan 2010 09:39:34 -0500
Jason Bertoch  wrote:

> 
> Can a list admin disable the spamassas...@hundredacrewood.willspc.net
> account as we're still getting bounces?
> 
> 
>  Original Message 
> Subject: Delivery Status Notification (Failure)
> Date: Wed, 13 Jan 2010 09:36:54 -0500
> From: Administrator 
> To: Jason Bertoch 
> 
> Your message
> 
>   To:  SpamAssassin
>   Subject: Re: SA not picking up rules from /var/lib/spamassassin/
>   Sent:Wed, 13 Jan 2010 09:36:54 -0500
> 
> did not reach the following recipient(s):
> 
> SpamAssassin on Wed, 13 Jan 2010 09:36:54 -0500
> The e-mail account does not exist at the organization this message
> was sent to.  Check the e-mail address, or contact the recipient
> directly to find out the correct address.
> 
> 

I found dropping the whole: 66.192.0.0/14 in iptables solved this for
me :-) Seen lots of connection attempts, but hey ho


Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Christian Brel
On Wed, 13 Jan 2010 00:41:00 +0100
Benny Pedersen  wrote:

> On Tue 12 Jan 2010 07:48:23 AM CET, Christian Brel wrote
> 
> > http://pastebin.com/m66a5a2ae
> 
> X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)
> 

Err, yes - I had already *highlighted* that, it was posted because the
content was interesting ;-)


Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Christian Brel
On Tue, 12 Jan 2010 10:56:09 -0800 (PST)
John Hardin  wrote:

> On Tue, 12 Jan 2010, Per Jessen wrote:
> 
> > Christian Brel wrote:
> >
> >> On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
> >> On 12.01.10 06:48, Christian Brel wrote:
> >>>> http://pastebin.com/m66a5a2ae
> >>>>
> >>>> Anyone seen script like that?
> >>
> >> I'm just interested in the kind of java-script(?) munging that has
> >> gone on there and what it is in 'English' for want of a better
> >> phrase.
> >
> > Nothing was munged, it's just random text.
> 
> If so, what's the point to it?
> 

That was also my thought. Spammers never do something without a reason,
but they do screw up. My initial thoughts were 'is this some kind of
obfuscated Java-script?' But the more I look at it, the less I think it
is anything useful. I guess it could poison a bayes at best if marked
as spam?


Re: [SPAM:9.6] Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Christian Brel
On Tue, 12 Jan 2010 12:15:41 +0100
Per Jessen  wrote:

> Christian Brel wrote:
> 
> > On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
> > On 12.01.10 06:48, Christian Brel wrote:
> >> > http://pastebin.com/m66a5a2ae
> >> > 
> >> > Anyone seen script like that?
> >> 
> >> It's the kind of content that should be captured by clamav imho.
> >> clamav does have some kind of javascript decoding engine.
> > 
> > If I'm fair to Clam, Matus, it did catch it :-)
> > X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)
> > 
> > I'm just interested in the kind of java-script(?) munging that has
> > gone on there and what it is in 'English' for want of a better
> > phrase.
> 
> Nothing was munged, it's just random text.
> 
> 
> /Per Jessen, Zürich
> 

Call me suspicious ;-)


Re: Interesting Low Scoring SPAM with odd script

2010-01-12 Thread Christian Brel
On Tue, 2010-01-12 at 10:44 +0100, Matus UHLAR - fantomas wrote:
On 12.01.10 06:48, Christian Brel wrote:
> > http://pastebin.com/m66a5a2ae
> > 
> > Anyone seen script like that?
> 
> It's the kind of content that should be captured by clamav imho.
> clamav does have some kind of javascript decoding engine.

If I'm fair to Clam, Matus, it did catch it :-)
X-Virus-Status: Infected (Sanesecurity.Junk.25057.UNOFFICIAL)

I'm just interested in the kind of java-script(?) munging that has gone
on there and what it is in 'English' for want of a better phrase.


Re: hostkarma false positive

2010-01-11 Thread Christian Brel
On Mon, 11 Jan 2010 06:46:55 -0800
Marc Perkel  wrote:

> 
> 
> Christian Brel wrote:
> > On Mon, 11 Jan 2010 09:35:37 +0100
> > Michael Monnerie  wrote:
> >
> >   
> >> Another FP on hostkarma:
> >>
> >> bsmtp5.bon.at[195.3.86.187]
> >>
> >> Please investigate and fix. And put them on YELLOW, they are an ISP
> >> here in Austria. Please check bsmtp[1-9] also.
> >>
> >> 
> > It's also listed in:
> > 195.3.86.187 BLACKLISTED:ips.backscatterer.org
> >
> >   
> Backscatterer.org isn't a real blacklist. They have us blacklisted as 
> well. Anyone using them is making a serious mistake.
> 

mus...t try and resist tem..tation..

Neither is the rest of UCEProtect...

Damn it came out, I tried to stop it..


Re: pill image spam learns to walk

2010-01-11 Thread Christian Brel
> http://pastebin.com/m574da717

> They aren't triggering (enough) network rule matches, contain a
> bayes-killer, and even FuzzyOCR can't manage the swirly image trick
>...

I've yet to see one score under 10 here, but I have some additional
rule in place:

*   4.5 BL_CUDA RBL: Relay in BARRACUDA,
*   http://www.barracudacentral.org/
*   [79.178.8.244 listed in b.barracudacentral.org]
*   2.7 BL_UCEP2 RBL: Relay in UCEPL2,
*   http://www.uceprotect.net/
*   [79.178.8.244 listed in dnsbl-2.uceprotect.net]
*   2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
*   bl.spamcop.net
*   [Blocked - see
*   ]
*   1.0 BL_UCEP3 RBL: Relay in UCEPL3,
*   http://www.uceprotect.net/
*  [79.178.8.244 listed in dnsbl-3.uceprotect.net]
*   2.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*  [79.178.8.244 listed in zen.spamhaus.org]
*   0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*   0.1 RDNS_DYNAMIC Delivered to trusted network by host with
*  dynamic-looking rDNS
*   0.0 DYN_RDNS_AND_INLINE_IMAGE Contains image, and was sent
*   by dynamic rDNS



Re: hostkarma false positive

2010-01-11 Thread Christian Brel
On Mon, 11 Jan 2010 09:35:37 +0100
Michael Monnerie  wrote:

> Another FP on hostkarma:
> 
> bsmtp5.bon.at[195.3.86.187]
> 
> Please investigate and fix. And put them on YELLOW, they are an ISP
> here in Austria. Please check bsmtp[1-9] also.
> 
It's also listed in:
195.3.86.187 BLACKLISTED:ips.backscatterer.org

-- 
Multi-platform Freeware IP Blacklist checker
http://www.spampig.org.uk/dnsblcheck.php


Re: Spamhaus and paid subscription

2010-01-07 Thread Christian Brel
On Thu, 07 Jan 2010 12:27:44 -0500
DAve  wrote:

> Michael Scheidell wrote:
> > On 1/7/10 11:25 AM, DAve wrote:
> >> Good morning all,
> >>
> >> I can't be printing our key in the emails, what is a sysadmin to
> >> do?
> >>
> >>
> > you could (maybe) use meta rules?
> > zero out (disable) originals, use meta rules, keep meta names to
> > match original rule names in case of other meta rules that depend
> > on it.
> > 
> > then (I suspect) only the meta rule will show up.
> 
> I think you are right, I will give it a try later today.
> 
> DAve
> 
> 

Given your status as a paid Spamhaus subscriber, it may be worth asking
their 'support' team the best way to apply it to popular applications
if it gives you trouble.


Re: semi-legit senders in DNSWL and habeas - a hard problem

2010-01-06 Thread Christian Brel
On Wed, 6 Jan 2010 14:06:23 -0800
"jdow"  wrote:

> From: "Kai Schaetzl" 
> Sent: Wednesday, 2010/January/06 13:03
> 
> 
> > Jdow wrote on Wed, 6 Jan 2010 10:40:14 -0800:
> >
> >> Actually, Charles, this is a VERY good reason I'd use to justify
> >> changing my quote character to something goofy like % or # or
> >> even ; just to annoy the anal retentive types.
> >
> > First, to clarify, it was Charles who sent this to the list, not me.
> > Second, I see, RFC-compliance is "anal-retentive".
> >
> > Kai
> 
> It's a Request For Comment, not a rule or law. Using something
> different would be my comment.
> 
> {^_^} 
> 


Oh dear. *plonk*


Re: [SPAM:9.6] Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem

2010-01-06 Thread Christian Brel
On Wed, 06 Jan 2010 14:27:25 +0530
ram  wrote:

> On Wed, 2010-01-06 at 07:51 +0000, Christian Brel wrote:
> > On Tue, 5 Jan 2010 14:18:54 -0800
> > "jdow"  wrote:
> > 
> > > From: "J.D. Falk" 
> > > Sent: Tuesday, 2010/January/05 12:43
> > > 
> > > 
> > > > On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
> > > > 
> > > >> Once again I went to returnpath and senderscorecertified's web
> > > >> pages, and found no link to an email address to report being
> > > >> spammed by one of their customers.
> > > > 
> > > > Is the font size for "Contact Us" and "Support" too small?
> > > > 
> > > > I'll forward your report to the appropriate team.
> > > 
> > > J.D., rather than getting snarky it might be a good idea to
> > > suggest to your webmaster that a formal "Report Abuse" link be
> > > placed on your front page? I'd not look to support or contact us
> > > for reporting abuse, myself. So I can understand Greg's problem.
> > > 
> > > {o.o}
> > 
> > I'm jealous, at least you can get a *narky* reply from Return Path.
> > I've been trying for three days
> > 
> > http://www.spampig.org.uk/bbs/showthread.php?tid=31
> > 
> 
> Ebay is definitely a too big spammer. So what if they pay habeas and
> other accreditation lists 
> 
> Their unsubscribe doesn't work.
> I had all notifications off still I used to get their mails. 
> I got fed up of their reminders .. even though I have never purchased
> anything at ebay they keep sending me nonsense
> 
> The only last resort ... I configured a dummy alias on my server and
> changed the ebay notification email address to the dummy alias. 
> After activating the dummy .. now I give a std "450" Try later to all
> mails that come to the dummy.
> 
> 
The point is, if you accredit someone as an email professional, and that
sender fails to act professionally - it's the accreditation that is
brought into question, not the spammy sender. After all, the
accreditation is saying - more or less - that the sender is not a
spammer and will act professionally when complaints are raised.

Just because eBay is a big company does not mean it respects people's
choices and behaves appropriately.

However, this is *not* the place for that discussion. It just starts a
hissy fit between the 'professional spammers' and those that seek to
stop them.

Sensible folk know people like Return Path will never grow the balls to
stand up to eBay, they will just take the money and smile.


Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem

2010-01-05 Thread Christian Brel
On Tue, 5 Jan 2010 14:18:54 -0800
"jdow"  wrote:

> From: "J.D. Falk" 
> Sent: Tuesday, 2010/January/05 12:43
> 
> 
> > On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:
> > 
> >> Once again I went to returnpath and senderscorecertified's web
> >> pages, and found no link to an email address to report being
> >> spammed by one of their customers.
> > 
> > Is the font size for "Contact Us" and "Support" too small?
> > 
> > I'll forward your report to the appropriate team.
> 
> J.D., rather than getting snarky it might be a good idea to suggest to
> your webmaster that a formal "Report Abuse" link be placed on your
> front page? I'd not look to support or contact us for reporting
> abuse, myself. So I can understand Greg's problem.
> 
> {o.o}

I'm jealous, at least you can get a *narky* reply from Return Path.
I've been trying for three days

http://www.spampig.org.uk/bbs/showthread.php?tid=31



Re: [SPAM:9.6] semi-legit senders in DNSWL and habeas - a hard problem

2010-01-05 Thread Christian Brel
On Tue, 05 Jan 2010 12:10:28 -0500
Greg Troxel  wrote:

> 
> I've recently gotten multiple spams from linkedin.  (I don't consider
> invitations from people I dimly have heard of spam.)  These are
> typically invitations that are sent to mailinglists, and occasionally
> invitations from people that I have never ever heard of.
> 
> I believe what is going on is that there is some way for people to
> upload an entire addressbook and then bulk-spam all those addresses
> with invitations.
> 
> The problem is that linkedin is getting adjusted scores due to
> 
>   RCVD_IN_DNSWL_MED
>   HABEAS_ACCREDITED_SOI
>   RCVD_IN_BSP_TRUSTED
> 
> Here is an example (I have the postgis mailinglist in
> trusted_networks):
> 
>   http://www.lexort.com/spam/spam-linkedin.out.txt
> 
> At least for my scores, the +2 points for HABEAS and BSP
> counterbalance the dnswl.
> 
> I have sent mail to ab...@linkedin.com, but have never gotten any
> response.
> 
> I complained to dnswl, and that got linkedin.com moved to MED from HI
> (thanks!), but I think MED is still excessive.
> 
> Once again I went to returnpath and senderscorecertified's web pages,
> and found no link to an email address to report being spammed by one
> of their customers.  Can anyone from returnpath explain why this
> glaring problem hasn't been fixed, or better yet fix it?  And also
> remove linkedin as a certified address, because they are spamming?
> 
> This is a general problem, more than linkedin - this has happened with
> twitter and facebook as well.
> 
> The problem seems to have multiple related components:
> 
>   linkedin is a spam source because they offer bulk inviting
> 
>   whitelists list them because some of their mail is legitimate
> 
>   SA gives negative points to whitelists where most of the hosts on
> the whitelist don't send spam, and those that do send some ham
> 
> Clearly some things that should happen are:
> 
>   dnswl should drop linkedin, because it doesn't meet "Extremely rare
>   spam occurrences, corrected promptly." because 1) this keeps
> happening because the structural problem has not been addressed and
> 2) there is no functioning ab...@.  I don't think linkedin belongs
> even in LOW, but it's fair to be in NONE (legit server, also sends
> spam).
> 
>   returnpath should drop linkedin, because they send spam and the
> mails I referenced above clearly do not meet any definition of opt in
> 
> But it's hard for SA to cause these changes.  dnswl clearly has value,
> and perhaps part of the difficulty is that it gets used for two
> reasons: not blocking connections or greylisting at the MTA level,
> and spam filtering.  It's certainly reasonable for linkedin to be in
> a "don't outright block" list, but not for it to get a pass from
> filtering given the spam that comes out of it.
> 
> Does anyone have any ideas of what else might help?


#ADD TO THE END OF local.cf at your own risk
score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
score RCVD_IN_SSC_TRUSTED_COI 0 3.7 0 3.7
score HABEAS_ACCREDITED_COI 0 8.0 0 8.0
score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
score HABEAS_CHECKED 0 0.2 0 0.2
score RCVD_IN_DNSWL_LOW 0 1 0 1
score RCVD_IN_DNSWL_MED 0 4 0 4
score RCVD_IN_DNSWL_HI 0 8 0 8
score RCVD_IN_IADB_VOUCHED 0 2.2 0 2.2
score RCVD_IN_IADB_DOPTIN 0 4 0 4
score RCVD_IN_IADB_ML_DOPTIN 0 6 0 6
score HASHCASH_20 0.500
score HASHCASH_21 0.700
score HASHCASH_22 1.000
score HASHCASH_23 2.000
score HASHCASH_24 3.000
score HASHCASH_25 4.000
score HASHCASH_HIGH 5.000
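
The override above relies on SpamAssassin's four-column `score` syntax. The sketch below is an added example, not part of the original post or of SpamAssassin itself; it parses score lines copied from this page and totals the three rules Greg listed, assuming the documented column order (Bayes off/net off, Bayes off/net on, Bayes on/net off, Bayes on/net on). The function names are hypothetical.

```python
import re

# Score lines copied from this page: part of the local.cf override posted
# above, plus the two RCVD_IN_RP_* lines quoted from the 3.3.0 commit.
LOCAL_CF = """\
#ADD TO THE END OF local.cf at your own risk
score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
score RCVD_IN_DNSWL_MED 0 4 0 4
score HASHCASH_20 0.500
"""
COMMIT_LINES = """\
score RCVD_IN_RP_CERTIFIED 0.0 -3.0 0.0 -3.0
score RCVD_IN_RP_SAFE 0.0 -2.0 0.0 -2.0
"""

# The three whitelist rules named in Greg Troxel's message.
GREG_HITS = ["RCVD_IN_DNSWL_MED", "HABEAS_ACCREDITED_SOI", "RCVD_IN_BSP_TRUSTED"]

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")


def parse_scores(text):
    """Return {rule: (set0, set1, set2, set3)} from 'score' lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        match = SCORE_RE.match(line)
        if not match:
            continue
        name, rest = match.groups()
        # Relative scores such as "(1.0)" are not handled and raise ValueError.
        values = [float(v) for v in rest.split()]
        if len(values) == 1:                 # one value applies to every set
            values = values * 4
        if len(values) != 4:
            raise ValueError(f"expected 1 or 4 scores for {name}: {raw!r}")
        table[name] = tuple(values)
    return table


def score_set(bayes, net):
    """Column index used for a given configuration."""
    return (2 if bayes else 0) + (1 if net else 0)


def total(hits, table, bayes, net):
    """Sum the scores of the rules that hit, for one configuration."""
    idx = score_set(bayes, net)
    return round(sum(table[h][idx] for h in hits if h in table), 3)


if __name__ == "__main__":
    override = parse_scores(LOCAL_CF)
    for bayes in (False, True):
        for net in (False, True):
            print(f"bayes={bayes!s:5} net={net!s:5} "
                  f"whitelist contribution={total(GREG_HITS, override, bayes, net):+}")
    print(parse_scores(COMMIT_LINES))
```

With network tests enabled, the three whitelist hits move the message towards the spam threshold instead of away from it; with network tests disabled the override contributes nothing.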


Re: [SPAM:13.0] Re: [sa] FH_DATE_PAST_20XX

2010-01-01 Thread Christian Brel
You know - anyone unhappy about this can always ask for a full refund
on the purchase price paid for SpamAssassin :-)


Re: FH_DATE_PAST_20XX

2010-01-01 Thread Christian Brel
On Fri, 01 Jan 2010 13:44:27 +
Mike Cardwell  wrote:

> Also, the "fix" five months ago was to add 10 years to what is
> classified as "grossly in the future"... That doesn't sound to me as
> though this rule was based on the results of a mass check...
> 

And Happy New Year to you from the development team
{joke -}


[SPAM:9.4] Re: FH_DATE_PAST_20XX

2010-01-01 Thread Christian Brel
On Fri, 01 Jan 2010 10:17:57 +0100
"Herbert J. Skuhra"  wrote:

> At Thu, 31 Dec 2009 17:53:24 -0800 (PST),
> John Hardin wrote:
> > 
> > On Fri, 1 Jan 2010, Mike Cardwell wrote:
> > 
> > > I just received some HAM with a surprisingly high score. The
> > > following rule triggered:
> > >
> > > *  3.2 FH_DATE_PAST_20XX The date is grossly in the future.
> > >
> > > Yet the date header looks fine to me:
> > >
> > > Date: Fri, 1 Jan 2010 00:46:45 GMT
> > >
> > > In /usr/share/spamassassin/72_active.cf I find:
> > >
> > > > header   FH_DATE_PAST_20XX  Date =~ /20[1-9][0-9]/
> > > [if-unset: 2006]
> > >
> > > Doesn't look particularly sane to me... I have given that rule a
> > > score of 0 in my local.cf for now.
> > 
> > Agree, that should probably be [2-9][0-9].
> 
> What about
> 
> header   FH_DATE_PAST_20XX  Date =~ /(201[1-9])|(20[2-9][0-9])/
> 
> and
> 
> ##{ FH_DATE_IS_200X
> header   FH_DATE_IS_200X  Date =~ /200[0-9]/ [if-unset: 2006]
> describe FH_DATE_IS_200X  The date is not 200x.
> ##} FH_DATE_IS_200X
> 
> -Herbert

Perhaps in a couple of days. There may still be deferred mail sat in
people's outbound queues with 2009 on it ;-)
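
The three Date patterns quoted in this message can be compared directly. The following is an added example, not part of the original post or of SpamAssassin; it runs them over constructed Date headers (only the 1 Jan 2010 header comes from the thread) next to a hypothetical clock-relative check that parses the header instead of hard-coding years.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# The three Date patterns quoted in the thread.
PATTERNS = {
    "shipped": re.compile(r"20[1-9][0-9]"),              # 72_active.cf as quoted
    "hardin": re.compile(r"20[2-9][0-9]"),               # the "[2-9][0-9]" suggestion
    "skuhra": re.compile(r"(201[1-9])|(20[2-9][0-9])"),  # Herbert's proposal
}

# Constructed Date headers; only "thread_ham" appears in the thread itself.
SAMPLES = {
    "deferred_2009": "Thu, 31 Dec 2009 23:59:00 +0000",
    "thread_ham": "Fri, 1 Jan 2010 00:46:45 GMT",
    "next_year": "Sat, 1 Jan 2011 09:00:00 +0000",
    "far_future": "Mon, 1 Jan 2035 09:00:00 +0000",
}


def regex_hits(name, date_header):
    """True if the named pattern would fire on this Date header."""
    return PATTERNS[name].search(date_header) is not None


def grossly_in_future(date_header, now, slack=timedelta(days=2)):
    """Hypothetical clock-relative check: parse the header and compare it
    with the scan time, so nothing expires when the calendar rolls over."""
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):    # unparseable Date: leave to other rules
        return False
    if sent.tzinfo is None:            # "-0000" parses as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent - now > slack


def report(now):
    """Map each sample name to the list of checks that flag it at `now`."""
    result = {}
    for label, header in SAMPLES.items():
        fired = [name for name in PATTERNS if regex_hits(name, header)]
        if grossly_in_future(header, now):
            fired.append("clock")
        result[label] = fired
    return result


if __name__ == "__main__":
    for year in (2010, 2011):
        now = datetime(year, 1, 1, 12, 0, tzinfo=timezone.utc)
        print(f"scan time {now.isoformat()}")
        for label, fired in report(now).items():
            print(f"  {label:14} {SAMPLES[label]:34} -> {fired or 'no hit'}")
```

Scanned on 1 Jan 2011, the `next_year` sample is ordinary mail, yet both the shipped pattern and the `201[1-9]` alternative still fire on it; only the decade-wide pattern and the clock-relative check stay quiet.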



Re: [OT] Leo Kuvayev

2009-12-30 Thread Christian Brel
On Wed, 30 Dec 2009 10:47:26 -0800
"Bob O'Brien"  wrote:

> jdow wrote:
> > Guys, spam here kicked up 100% very recently, about the time I
> > tweaked "Richard". And it bears a Leo Kuvayev sort of stamp to
> > it - porn, pharmaceuticals, etc.
> >   
> 
> 
> Watching spam patterns can be very interesting.
> 
> Thinking that you know what one single stand-out data point means
> is almost always very foolish.
> 
> 
> 
> Bob

Thank you Bob. I'm sure this is not a sniff of a hint of support given
our differences, but if jdow was aware of who I am and my past (as no
doubt you are privileged to from the files of Barracuda) they would
probably feel a bit of a fool for assuming me to be in any way
associated with the generation of spam.

Happy New Year to you Sir.


-- 
CONFIDENTIAL
The information contained in this e-mail and any attachment is
confidential. It is intended only for the named addressee(s). If you
are not the named addressee please notify the sender immediately and do
not disclose, copy or distribute the contents to any other person other
than the intended addressee(s).

Camera Candy is an Employment Business and operates under The
Employment Agencies Act 1973. Berkley Square House, Berkeley Square,
London, W1J 6BB


Re: [sa] Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 11:40:40 -0800
"jdow"  wrote:

> From: "Charles Gregory" 
> Sent: Friday, 2009/December/18 09:18
> 
> 
> > On Fri, 18 Dec 2009, Christian Brel wrote:
> >>> Go read the archives, troll.
> >> All of them or do you have something specific, troll?
> > 
> > Fine, fine, pedant.
> > 
> > Go SEARCH the archives, troll.  :)
> 
> OK, (Problem Exists Between Monitor And Keyboard) Christian.
> {^_-}

Said the woman who is having layer 8 issues with the /dev/null <>
killfile LOL.

You have a real lot to say about what *I* think - do you do any
thinking of your own or just spit out the dummy at other people's point
of view. How very sweet :-) Merry Christmas.
-- 
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations. 


Re: [sa] Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 13:29:40 -0500 (EST)
Charles Gregory  wrote:

> On Fri, 18 Dec 2009, Christian Brel wrote:
> > Charles, you *are* speaking for J D Falk with his Auspices?
> 
> Hey, J D! Please post and give me your auspices.
> I'd love to see what this Troll posts if you say 'sure'. :)
> 
> - C


I was just under the impression that J D - who I actually rather
respect for the difficult balance he has to strike, was in the job of
reputation management and is a consummate professional, so I'm not
entirely sure he would put his reputation into your hands - but he may
as he has a wicked sense of humour.

But to put you out of your misery I would say;
"Thank you J.D."
"Thank you Charles".

Anything else I can help you with Charles, or are you done?
Merry Christmas




Re: [sa] Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 13:21:00 -0500 (EST)
Charles Gregory  wrote:

> On Fri, 18 Dec 2009, Christian Brel wrote:
> > There comes a time when you need to deal with that and move on. We
> > are all grown up now and not - like you say - '5 & 6 year old
> > children'.
> 
> Good. Then stop talking like them.
Perhaps you need to stop *acting* like them ;-)
> 
> > Please feel free to act like an adult and end the personal attacks,
> > or, act like a troll. It's your reputation ;-)
> 
> The man who got banned and had to fake a new user name is lecturing
> me on reputation? ROFLMAOUIPMP
> 
So two wrongs would make a right. I see. Yep, I'm laughing too :-)

> > Return Path:
> > "Today we are the world’s leading email deliverability services
> > company and our clients include Fortune 500 firms"
> 
> There. You now have the answer to your question. So stop asking it.
> (Finally)
I don't think anyone was ever under the impression they were a charity
doing it for love. But that would be an assumption. After all, those
HABEAS 'oil can' rules are in Spamassassin for love and not money

> 
> > do you think this is a commercial enterprise or a charity?
> 
> Do I think you will ever ask any questions not already answered or
> obvious from the website?
> 
> - C
I apologise, that was rude of me. I was told *not* to assume something
even if it was obvious. So it's clear for the Archives;

Return Path is a commercial operation that makes money.
Return Path mail is eased through Spamassassin with negative scoring
rules.
Asking if any money changed hands for this position of privilege
provokes hostility.
Despite these rules benefiting the commercial interests of Return Path,
and not necessarily the users - and despite there being no fiscal
reward for Apache/Spamassassin - this state of affairs will remain.

Yep, I'm clear on that.

Most of this has been addressed by Daryl in grown up talk whilst you
were tucked up in your bed.

I would like to take this opportunity to thank you Charles, you've
really made me laugh this afternoon and I love you. X X X. You've been
really helpful and I'm glad you've become my friend :-) Have a Merry
Christmas.


Re: [sa] Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 13:00:05 -0500 (EST)
Charles Gregory  wrote:

> On Fri, 18 Dec 2009, Christian Brel wrote:
> >> Go SEARCH the archives, troll.  :)
> > Perhaps I can help you understand why the question was asked on
> > list.
> 
> It's obvious as to why. You failed to read previous postings that
> answered the question the first time(s) you (or someone else) asked
> it
> 
> > "Return Path is not an ESP by any of the common definitions.
> > http://en.wikipedia.org/wiki/ESP
> > (No wonder you're confused.)"
> > To which I asked J D Falk:
> > "Would it be rude of me to ask how you make your money? Is it from
> > the provision and delivery of bulk commercial email or am I
> > confused?" Now, I've not seen J D follow up to that, unless you
> > have elected yourself to his spokesperson and qualified to answer
> > for him?
> 
> Hint: "No wonder you're confused" refers to your question "or am I 
> confused?" So you have *quoted* his follow up and pretended that it
> was *before* your useless, repeated question. And then you claim that
> you have 'not seen' the follow up you quote? ROFLMAO!
> 
> I amend my request one more time:
> 
> Go SEARCH the archive IN CHRONOLOGICAL ORDER, troll.
> 
> - C

Charles, you *are* speaking for J D Falk with his
Auspices? No? Then you are trolling - keep going. I love it when you
are angry ;-)



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 12:03:38 -0500 (EST)
Charles Gregory  wrote:

> On Fri, 18 Dec 2009, Christian Brel wrote:
> >>> You need to resort to abuse for what particular reason?
> >> Repeatedly accusing the SA developers of fraudulent collusion is
> >> abusive. Don't be surprised if people are abusive in return.
> > That is your choice of words - not mine. It is interesting that
> > when reasonable questions about the motivation for a bizarre part
> > of SA is brought up, others are entitled to abuse the person with
> > that point of view - but he must not respond to that abuse or runs
> > the risk of the mob ganging up.
> 
> Now where have I heard this before...?   Sounds so familiar.
> 
> Ah! Right! Got it.
> My (then) 5 and 6 year old children arguing over who "started it".
> 
> - C
> PS. You did. No one calls you 'troll' until you act like one.

And this pointless post you have just made is ?not? trolling to provoke
a reaction? I apologise if at some point in the past I've hurt your
feelings or made you look small. Sincerely.

There comes a time when you need to deal with that and move on. We are
all grown up now and not - like you say - '5 & 6 year old children'.

Please feel free to act like an adult and end the personal attacks, or,
act like a troll. It's your reputation ;-)

BTW:
Return Path:
"Today we are the world’s leading email deliverability services company
and our clients include Fortune 500 firms" do you think this is a
commercial enterprise or a charity?




Re: [sa] Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 12:18:46 -0500 (EST)
Charles Gregory  wrote:

> On Fri, 18 Dec 2009, Christian Brel wrote:
> >> Go read the archives, troll.
> > All of them or do you have something specific, troll?
> 
> Fine, fine, pedant.
> 
> Go SEARCH the archives, troll.  :)
> 
> - C
Perhaps I can help you understand why the question was asked on list.
Yesterday, J D Falk of Return Path said;

"Return Path is not an ESP by any of the common definitions.
http://en.wikipedia.org/wiki/ESP
(No wonder you're confused.)"

To which I asked J D Falk:
"Would it be rude of me to ask how you make your money? Is it from the
provision and delivery of bulk commercial email or am I confused?"

Which is perfectly fair, direct and reasonable. There is a like for
like sarcastic ending, just as J D provided.

Now, I've not seen J D follow up to that, unless you have elected
yourself to his spokesperson and qualified to answer for him? The
alternative would be you are just spoiling for an argument and fit the
'troll' definition rather well:

"a troll is someone who posts ...with the primary intent of provoking"

But please, carry on - it suits you.



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 10:26:28 -0500 (EST)
Charles Gregory  wrote:

> On Fri, 18 Dec 2009, Christian Brel wrote:
> > But they should not have to disable a whitelist that assists
> > with the delivery of bulk commercial mail in an anti-spam
> > application! If the sender is relying on such rules to keep the
> > mailout under the radar then clearly there is something very wrong
> > with that?
> 
> Go read the archives, troll.
> 
> - C
> 
All of them or do you have something specific, troll?



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 09:53:37 -0500 (EST)
Charles Gregory  wrote:

> On Thu, 17 Dec 2009, Christian Brel wrote:
> > Would it be rude of me to ask how you make your money? Is it from
> > the provision and delivery of bulk commercial email or am I
> > confused?
> 
> Wow. People are running down ReturnPath and they don't even have a
> clear idea of what RP *does*? How lame is that?
> 
> Oh. Beg pardon. It's Christian. Now I know for sure that he's Richard.
> Same lame hyperbole and straw man BS.
> 
> (yawn)
> 
> - Charles
I did ask for clarification as to if they earned money for assisting in
the delivery of bulk, commercial email. I've not seen a reply yet to
help me clarify this. I've been open and transparent about it and asked
on list. But your abusive rebuttal is noted. 


Perhaps you can explain to me what they do and how they make their
money? I would prefer to hear it from someone authorised to speak for
RP - but please feel free to post something constructive.



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 06:19:25 -0800 (PST)
John Hardin  wrote:

> On Fri, 18 Dec 2009, Christian Brel wrote:
> 
> > On Fri, 18 Dec 2009 06:49:41 -0600
> > Daniel J McDonald  wrote:
> >
> >> On Fri, 2009-12-18 at 08:49 +, Christian Brel wrote:
> >>> On Fri, 18 Dec 2009 03:44:32 -0500
> >>> "Daryl C. W. O'Shea"  wrote:
> >>>
> >>>> Please stop beating the -4 and -8 horse.  We agree.
> >>>
> >>> Then fix it and show who really is in charge of this project?
> >>
> >> It's been fixed.  Don't you know how to use bugzilla?
> >>
> >> http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf?r1=891460&r2=891459&pathrev=891460
> >>
> >> The new scores will come out in 3.3.0, RC1 is very soon...
> >
> > +score RCVD_IN_RP_CERTIFIED 0.0 -3.0 0.0 -3.0
> > +score RCVD_IN_RP_SAFE 0.0 -2.0 0.0 -2.0
> >
> > This is 'fixed'?
> 
> In the absence of evidence to the contrary, yes.
> 
> If it's that big a problem for you in real life, then you should be
> able to provide FNs to the masscheck corpora that will _prove_ these
> scores are too generous.
> 
> We understand your philosophical objection. Providing hard evidence
> of FNs will go much further towards making your point than name
> calling will.
> 
The name calling being?




Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 06:12:06 -0800 (PST)
John Hardin  wrote:

> On Fri, 18 Dec 2009, Christian Brel wrote:
> 
> > On Fri, 18 Dec 2009 02:29:56 -0700
> > LuKreme  wrote:
> >
> >> I might agree with some small portion of our resident troll's
> >> posts,
> >
> > You need to resort to abuse for what particular reason?
> 
> Repeatedly accusing the SA developers of fraudulent collusion is
> abusive. Don't be surprised if people are abusive in return.
> 

That is your choice of words - not mine. It is interesting that when
reasonable questions about the motivation for a bizarre part of SA is
brought up, others are entitled to abuse the person with that point of
view - but he must not respond to that abuse or runs the risk of the
mob ganging up.

It seems that *some* can alter subject lines to abuse, send abusive
off-list mail, openly abuse etc, whilst others just have to sit and
take it. When they are not happy to do that they are accused of
trolling. Strikes me as cyber-bullying, but I've no intention of rising
to it - it's all rather boring.



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 06:49:41 -0600
Daniel J McDonald  wrote:

> On Fri, 2009-12-18 at 08:49 +0000, Christian Brel wrote:
> > On Fri, 18 Dec 2009 03:44:32 -0500
> > "Daryl C. W. O'Shea"  wrote:
> > 
> > > Please stop beating the -4 and -8 horse.  We agree.
> > > 
> > > Daryl
> > > 
> > > 
> > 
> > Then fix it and show who really is in charge of this project?
> > 
> It's been fixed.  Don't you know how to use bugzilla?
> 
> http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf?r1=891460&r2=891459&pathrev=891460
> 
> The new scores will come out in 3.3.0, RC1 is very soon...
> 

+score RCVD_IN_RP_CERTIFIED 0.0 -3.0 0.0 -3.0
+score RCVD_IN_RP_SAFE 0.0 -2.0 0.0 -2.0
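
Review bot: both added lines still carry negative values in the second and fourth columns (-3.0 for RCVD_IN_RP_CERTIFIED, -2.0 for RCVD_IN_RP_SAFE), which are the score sets used when network tests are enabled, and nothing in the hunk says how those numbers were chosen. A comment line above them naming the mass-check run or bug that produced the values would let a later reader tell a measured score from a hand-set one.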

This is 'fixed'? 



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 02:29:56 -0700
LuKreme  wrote:

> I might agree with some small portion of our resident troll's posts,  

You need to resort to abuse for what particular reason?



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 10:33:31 +0100
Benny Pedersen  wrote:

> On fre 18 dec 2009 10:23:48 CET, Christian Brel wrote
> 
> >> If you like you can transparently disable the DNSWLs.
> > I found it much more useful to apply them as blocklists and give
> > them a +4/+8 myself - but that's a personal choice.
> 
> and "No, hits=0.7 required=10.0 tests=SPF_SOFTFAIL" is also a
> personal choice ?
> 
For what I am doing, yes ;-)



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 02:21:00 -0700
LuKreme  wrote:

> On Dec 18, 2009, at 1:32, Christian Brel
>   > wrote:
> 
> > the issue of having that score
> > reduced in favour of a known commercial bulk mailer is undesirable.
> 
> The trouble is you seem to consider ALL commercial senders to be  
> spammers. That's just not true.
>   
No, I don't. But I do consider many commercial emailers to abuse
personal data for their own gain. To me it is spam if it does not
directly relate to a transaction that I have instigated. If it's
special offers, news or other marketing rubbish aimed at selling me
something or telling me about new services - it's spam.

We've moved on since the Tandy/Radio Shack days of data collected at
the point of sale forever being used to abuse you forever more.



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 04:07:55 -0500
"Daryl C. W. O'Shea"  wrote:

> > If everything is open and transparent give the default user the
> > option to *enable* them and score them zero, unless - of course -
> > there is some kind of logical reason for these mad scoring spam
> > assisting rules that favour Return Path in the default set up?
> 
> I stand firm on my opinion that our principle of safe for most users
> is the logical reason for including DNSWLs.

Spamassassin is not something trivially installed like a piece of
Microsoft junkware. In fact, it is nearly impossible to get it to do
anything useful without reading lots of documents Daryl. Couple this
with the fact it only *scores* mail - it does not block it - any mish
mash of rules could be argued to be 'safe'. If it were deployed at the
SMTP level where it was kicking out 55x's it may be a different story.
So the 'safe' angle really has no legs.


> 
> If you like you can transparently disable the DNSWLs.
I found it much more useful to apply them as blocklists and give them a
+4/+8 myself - but that's a personal choice.

Thank you for your time Daryl. We don't agree - but I don't want to
waste more of your personal time on this.




Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 03:44:32 -0500
"Daryl C. W. O'Shea"  wrote:

> Please stop beating the -4 and -8 horse.  We agree.
> 
> Daryl
> 
> 

Then fix it and show who really is in charge of this project?



Re: habeas - tainted white list

2009-12-18 Thread Christian Brel
On Fri, 18 Dec 2009 02:24:45 -0500
"Daryl C. W. O'Shea"  wrote:

> Reputation type rules (such as DNSWLs) are probably the only (or
> certainly one of the very few) types of rules that you can weight
> heavily negatively.  This is due to the nature of an open source
> product (or even given enough time to game a closed source product).
> Content based rules are very often easily beaten.  If we could have a
> body rule that looks for "this mail is good" and assign a -20 score
> we would. Clearly that would not work.

With the kindest of respect, I have to disagree with this. If for
argument sake five blocklists with no business {or other} relationship
with Spamassassin flag an IP for spamming, then it's a good bet
that they are correct and any perceived negativity is earned. How this
impacts on Spamassassin is dependent on the scores set - which comes
back to you and the developers - so the argument not only has no
legs, it has no arms either. Consider that blocklists are often
universally trusted to be sat on the SMTP connection level ahead of
Spamassassin, whereas the suggestion of doing that with Habeas as a
whitelist would be pure comedy gold :-)

> Again, find me a commercial white list that wants to be included in
> SpamAssassin on a "free for use basis" and I'll pay for the phone call
> to talk to them.  Seriously.
I shake my head in utter disbelief at this comment, and I'm sure that
Apache Sponsor Barracuda AKA 'emailreg.org' will have just pricked up
their ears. 

> I'm pretty sure I brought up the SA developers' *long* standing
> principle of being as safe as possible for the majority of users by
> erring on the side of missing spam rather than tagging ham while still
> putting out a useful product.

It's a fair statement that in using an Antispam 'product' that blocks
nothing and only assigns a score, the issue of having that score
reduced in favour of a known commercial bulk mailer is undesirable.
The statistics may have some interest but can be applied to show there
is little cause to keep the rule at all if you so wish to bend it the
other way. The key is this: I would *never* have known what HABEAS was
if I had not seen the name in low scoring spam and asked why. It does
not look like I'm the first to ask either.

> 
> From the data we have from mass-checks we are erring a very small
> amount on the side of caution by not disabling the whitelists by
> default.
It's a big fat favourable score to one organisation for 'erring a very
small amount on the side of caution' don't you think? -4/-8 given the
average 419 spam only scores 4-8 points. Forgive me but are Return Path
pulling someone's strings here as Puppet Masters?

If everything is open and transparent give the default user the option
to *enable* them and score them zero, unless - of course - there is
some kind of logical reason for these mad scoring spam assisting rules
that favour Return Path in the default set up?





Re: habeas - tainted white list

2009-12-17 Thread Christian Brel
On the subject of Spammy whitelists...

 * -1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
 *  trust
 *  [212.159.7.100 listed in list.dnswl.org]

Yet the same IP is on and off SORBS and part of an ongoing spam
problem. Perhaps this can be reviewed and given a zero score by default?





Re: habeas - tainted white list

2009-12-17 Thread Christian Brel
On Fri, 18 Dec 2009 09:46:03 +1300
"Michael Hutchinson"  wrote:


> Everyone else started carrying on about the Habeas rules being
> present at all, when it is more than within their power to disable
> those rules.

But they should not have to disable a whitelist that assists
with the delivery of bulk commercial mail in an anti-spam application!
If the sender is relying on such rules to keep the mailout under the
radar then clearly there is something very wrong with that?

The issues here are clear:
* The inclusion of white list that pretty much favours a single
commercial mail organisation.
* The default score applied to that listed senders being hideously
favourable (are there any other rules with such mad negative scores in
the mix by default?)
* The lack of any other commercial white lists from the competitors of
Return Path being used in the product.

I'm interested but equally suspicious as to why a small set of people
involved in this anti-spam product are keen to try and move on from
this and sweep it under the carpet. Could this be AssassinGate??? Lol.



> 
> Buy what you want, but I'm not selling anything. 
> 
> Cheers,
> Mike
> 
> 




Re: habeas - tainted white list

2009-12-17 Thread Christian Brel
On Thu, 17 Dec 2009 15:51:35 -0500
"Daryl C. W. O'Shea"  wrote:


> I think the current score changes are a good step.  Another step may
> be including in the release notes that there are whitelists and that
> people may want to disable them by score whatever rules (a list of
> them) 0.

Why not default them to zero and include in the release notes/man that
there are whitelists and they can *enable* them?
> 



Re: habeas - tainted white list

2009-12-17 Thread Christian Brel
On Thu, 17 Dec 2009 12:21:37 -0700
"J.D. Falk"  wrote:

> On Dec 16, 2009, at 8:11 AM, Christian Brel wrote:
> 
> > It's also fair to say any ESP such as Return Path taking money to
> > deliver mail should be optimising it {or offering advice on
> > optimisation} so it does *not* score high. Otherwise what are their
> > customers paying them for?
> 
> Return Path is not an ESP by any of the common definitions.
> 
> http://en.wikipedia.org/wiki/ESP
> 
> (No wonder you're confused.)
> 
> --
> J.D. Falk 
> Return Path Inc
> 
Would it be rude of me to ask how you make your money? Is it from the
provision and delivery of bulk commercial email or am I confused?




Re: [sa] Re: habeas - tainted white list

2009-12-17 Thread Christian Brel
{side note}
Has anyone noticed how the thread 'emailreg.org - tainted white list'
has been left unchanged, despite the topic moving on to Habeas. Whilst
this is side splittingly funny if you do a search on emailreg.org and
see it in the archives, it's probably not fair to drag their name
through the mud when the topic has moved on?

I wonder how long the thread will be left at the new 're: habeas -
tainted white list'? How many will post using it? Or if those black
helicopters and MIB's will seek to put a stop to it?




Re: OT: Museum piece...

2009-12-16 Thread Christian Brel
On Wed, 16 Dec 2009 11:05:18 -0800
Ted Mittelstaedt  wrote:

> Charles Gregory wrote:
> > On Tue, 15 Dec 2009, Chris Hoogendyk wrote:
> >> Marc Perkel wrote:
> >>>  http://www.vintage-computer.com/asr33.shtml 
> >> There was actually a time when I had one of those in my house.
> > 
> > For your amusement:
> > 
> > I still have my old Commodore 64 and 1541 drive sitting in the
> > basement.
> > 
> > One year my daughter's school had a project to construct exhibits
> > for a show called 'working class treasures' for the local Worker's
> > Heritage Museum. The idea was to put on display 'precious'
> > possessions from their parents' childhood. Baseballs, old toys,
> > favorite tools, whatever.
> > 
> > Well, the only thing I had of any 'meaning' to me was my C-64. So
> > she put that in her exhibit.
> > 
> > So yes, my Commodore 64 has actually been displayed in a museum.
> > Not just figuratively, but *literally* a 'museum piece'. :)
> > 
> > - Charles
> 
> I had a Vic-20 once and I also had the port expander card that
> allowed you to make copies of the game cartridges to cassette tape.
> We were so naive back then, running our data and addressing lines
> for a foot outside the computer, the clock speeds were so slow
> that we never knew anything about propagation delays.
> 
> Those were the days.  A few poke and peek commands, 15 minutes
> waiting for the cassette tape to load the pirated game into the
> 16k memory card, then a flip of the switch changing the address
> locations of the memory card, and a final command to start execution
> and we were off and playing.  $250 worth of electronic gear to
> be able to pirate a $15 game cartridge that was merely a copy of
> some arcade game that cost 25 cents at the local pizza parlor, and
> ran at 3 times the resolution at the arcade.  I think the most fun of
> it was learning how to actually do it.
> 
> 
> Ted
They introduced Microsoft to the three finger salute with the 'run
stop' and 'restore' combo. Man, that machine haunted me. POKE 36879,8

Lol




Re: emailreg.org - tainted white list

2009-12-16 Thread Christian Brel
On Wed, 16 Dec 2009 08:39:25 -0600
"McDonald, Dan"  wrote:

> On Dec 16, 2009, at 8:13 AM, "Bowie Bailey"   
> wrote:
> 
> > Christian Brel wrote:
> >> The point comes back to this and it has *not* been answered
> >> sensibly; WHY DOES SPAMASSASSIN DEFAULT INSTALL WITH A NEGATIVE
> >> SCORING RULE THAT
> >> FAVOURS A COMMERCIAL BULK MAILER. Namely the negative score for  
> >> Habeas?
> 
> Because it allows desired mail to be delivered, while permitting
> more aggressive rules to detect spam, even if those same techniques
> are sometimes used by legitimate bulk mailers.

Is there some kind of citation to support this at all? If so would it
not be appropriate to add every white list favouring bulkers so that all
'legitimate' bulk mail - not just that leading back to Habeas >
Return Path - flows easily around the so called aggressive
rules?
> 
> >
> > ("legitimate mail" in this context means mail that the end user
> > wishes to receive...bulk or otherwise)
If it's legitimate, and the user wants it *give them the option to set
the minus score* don't ASSUME they want it because they once
bought a keychain or snowstorm from spamersrus.whatever.
> 
> Quite right. Now, can we drop this?  Or is the black-helicopter
> crowd able to produce masscheck results that show better accuracy
> without those distributed whitelists so that they can argue with
> facts that they can do a better job?

Selective default whitelisting in an anti-spam program attracts fair
suspicion. Quite apart from the smell of corruption, there is a clear
and fair argument of anti-competitive behaviour. Other commercial emails
that don't employ Habeas / Return Path cannot expect similar transit.
I'm no lawyer, but given recent US goings on with e360-v-Spamhaus, it's
probably not ideal to keep this scoring.

Naturally it's an emotive issue with those that stand to lose as a
result of such normalisation getting quite vocal, or trying to
discredit a point of view. It's a simple, sensible and fair request to
zero the scores applied on whitelists and add advice in the docs.
People here are all too happy to yell 'RTFM' after all.

Which answer sits better with an end user:
a. Why is spam getting through my anti-spam
b. Why is my bulk email scoring so high?

It's also fair to say any ESP such as Return Path taking money to
deliver mail should be optimising it {or offering advice on
optimisation} so it does *not* score high. Otherwise what are their
customers paying them for?



Re: emailreg.org - tainted white list

2009-12-16 Thread Christian Brel
On Wed, 16 Dec 2009 21:10:11 +1000 (EST)
Res  wrote:

> On Wed, 16 Dec 2009, Per Jessen wrote:
> 
> > Christian Brel wrote:
> >
> >> Perhaps the time has come for a fork of Spamassassin where these
> >> commercial considerations are not so obvious?
> >
> > No need for such drastic measures - it's only a ruleset.
> 
> 
> no whitelist should ever become default part of SA
> 
> the day it is, is the day I look elsewhere.
Unless yours installed without the -4 and below rule for Habeas, then
you may just want to review that point of view ;-)

> 
> --
> Res
> 
> "What does Windows have that Linux doesn't?" - One hell of a lot of
> bugs!
Grub2 anyone.



Re: emailreg.org - tainted white list

2009-12-15 Thread Christian Brel
On Tue, 15 Dec 2009 14:28:05 -0700
"J.D. Falk"  wrote:

> On Dec 15, 2009, at 12:04 PM, Charles Gregory wrote:
> 
> > Which finally brings us back to the core questions which seem to go
> > unanswered:
> 
> They've all been answered many times, in other threads.  Habeas
> wasn't involved in emailreg.org, though.  No connection at all.

I don't recall anyone claiming Emailreg.org was related to Habeas?
Habeas has enough bulkers on it to make a simple pauper's 'pay to spam'
list like Emailreg pale into total insignificance.

Whilst Michael Perone may have a bit of a chequered history as far as
bulk mail goes, it would be unfair to compare Emailreg/Barracuda on a
like for like basis with a bulk mailer/spammer like Return
Path - and the can of wheel grease that is Habeas.

The point comes back to this and it has *not* been answered sensibly;
WHY DOES SPAMASSASSIN DEFAULT INSTALL WITH A NEGATIVE SCORING RULE THAT
FAVOURS A COMMERCIAL BULK MAILER. Namely the negative score for Habeas?

Ship it with a 0.0 score, the problem goes. Leave it as it is and it
smells corrupt. It's that old adage. If it looks corrupt, and it
smells corrupt, it's probably corrupt.

Perhaps the time has come for a fork of Spamassassin where these
commercial considerations are not so obvious?

> 
> --
> J.D. Falk 
> Return Path Inc
> 
> 




Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Christian Brel
On Tue, 15 Dec 2009 14:11:13 -0800
"jdow"  wrote:

> From: "Rob McEwen" 
> Sent: Tuesday, 2009/December/15 13:13
> 
> 
> > jdow wrote:
> >>> jdow wrote:
>  his response personal spam to this account has increased sharply
> >>> Uuh, what does that mean, exactly?
> >> A possible cause and effect exists. I can neither prove nor
> >> disprove it. the fact exists.
> > 
> > Still doesn't answer my question. Perhaps I'm "dense". But to spell
> > out my question more explicitly:
> > 
> > what do you mean by "personal response spam"? Is that just Richard's
> > on-list responses we've all seen? Or something else? (did I miss
> > that part of the conversation?). And what do you mean by "to this
> > account"? To this list? To your own inbox? Are you referring to
> > messages that are obviously from Richard (including alter-ego
> > ones)? Or some kind of UBE campaign that you think he is behind?
> > (if so, please describe)
> 
> Thank you for spelling it out. I am speaking of spam directed to this
> account. That email must be to this address or one of three others
> (which showed no increase) in order to get through to our machines.
> I use fetchmail for my email and for Loren's several accounts. I can't
> say if his spam increased dramatically in the last two days ( to
> 2359:59 PST) or not.

You are now claiming Richard is powerful enough to produce a worldwide
increase in spam that only affects you?

> 
> I am speaking of generic spam. I've not noticed a specific type that
> has increased. I'm too lazy to look. I have received an unusual number
> of "You've won" emails today and yesterday. I've not looked for a
> specific style so I left the observation at "increase in spam
> received." That in no way accuses anybody of personally sending me
> spam. I simply looked at the bulk numbers which took a maybe 20% jump
> beyond the normal Monday bounce. This correlation is not nearly as
> strong as with the earlier episode.
> 
> Given what data and facts I have I am taking anything Richard and his
> sock puppets, alter-egos, or fellow conspiracy theorists might suggest
> and pretty much tossing it into the intellectual black hole in which
> it belongs. And I'm stating that's what I've observed. Now I've stated
> what I intend to do about it.
Habeas + Emailreg are *not* spam BLOCKING tools. They are tools that
facilitate the delivery of UCE/UBE/SPAM. To point that out is *not*
scuffling any attempt to block spam. To the contrary. Are we clear on
that or are you ignoring that?

All that is required is for Spamassassin to default install with
NEUTRAL (0 point) rules for Habeas {or any other p2s whitelist it
chooses to include}. 

The views about Return Path, Habeas, Barracuda, Emailreg.org will fall
by the wayside and give the 'product' more credibility if this simple
change is made and, in effect, rain on Richard's parade of black
helicopters and corruption. There is no *logical* reason not to make
this change. There may be a business one (Barracuda have donated to
Apache - what about Return Path/Habeas?).


Again if you have any *facts* or proof that Richard has been behind a
personal worldwide increase in spam to your inbox, please share it.
Otherwise you look like you are trolling with your imagination running
away with the fairies.



Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Christian Brel
On Tue, 15 Dec 2009 11:01:51 -0800
"jdow"  wrote:

> From: "Charles Gregory" 
> Sent: Monday, 2009/December/14 12:35
> 
> 
> > On Tue, 15 Dec 2009, Michael Hutchinson wrote:
> >> If everyone could ignore the taunting, and just carry on, there
> >> wouldn't be an issue.
> >
> > The taunting *is* the issue. The rest of the arguments, about
> > design and defaults, are carried on by numerous individuals in a
> > quite civilized manner. But when someone starts throwing around
> > stupid accusations, then the person attacked focuses their efforts
> > on 'defending' themselves, rather than on a fair unbiased review of
> > what *should* be the 'issue'.
> 
> Three points:
> 1) It is known this list is read by spammers to learn what we are
> doing. I've verified this with "challenge/response" tactics including
> taunting more than once. Once I taunted a spam I received for not
> making it to 100. "The guy didn't try hard enough." Within two days
> a small number of spams reaching well over 100 came through. I
> consider that as confirmation of common-sense. Spammers read this
> list.
In the same way spammers own Barracudas, Ironports, have Messagelabs
and Postini accounts etc etc. This is kinda obvious, but I guess some
people may not know it. I too see a big increase in spam from this
posting to this list. I, however, welcome it as it is useful to study.

> 
> 2) On several occasions now Richard has tried to torpedo valid
> attempts to scuttle spam.
That is a lie. Would you like to back that up with some kind of
basis in fact? 

Richard has been at the other end of this claim in asking *why* obvious
spam gets past SA, and why Whitelists that 'grease the wheels' are part
of the default core. 
> 
> 3) Coincidence or not, since I posted that "taunt" to Richard and his
> response personal spam to this account has increased sharply.
If it were a taunt I'm sure Richard would find that very lame. You only
have to look at his NANAE postings to realise that calling him a
'spammer' would not even register on his insult scale. If you think it
would, you are probably very mistaken.
> 
> I am making no conclusion here. I'm presenting facts. Call me out on
> the facts not the "taunt" lest you damage your argument.
You have presented an opinion, not facts. A fact would be 'Datetheuk'
emits spam - but is Habeas whitelisted. The Titanic has sunk - is a
fact, Marc Bolan is dead - is a fact. 

Perhaps you are some kind of spammer trying to divert attention from
yourself?


Re: emailreg.org - tainted white list

2009-12-15 Thread Christian Brel
On Tue, 15 Dec 2009 00:40:44 +0100
mouss  wrote:

> Bill Landry a écrit :
> > Christian Brel, AKA "rich...@buzzhost.co.uk" (among other aliases),
> > is back...
> > 
> > Bill
> 
> 
> he switched MUA, but forgot to switch "helo" and get a different IP
> range...
> 
Good work Columbo. Tell me, how much would it cost to have you do
background checks on someone ;-)



Re: emailreg.org - tainted white list

2009-12-14 Thread Christian Brel
On Mon, 14 Dec 2009 08:37:02 -0800
"jdow"  wrote:

> Yup - he's a spammer.
{enter stage left the name calling}
That's what I heard about you JD, ain't that a blast! I better get my
$20 out and trot over to barracuda.spam.for.mo...@emailreg.org then, so
I can grease the wheels and make it official. Can I use your discount
referral code seeing as you're qualified in this area?




Re: emailreg.org - tainted white list

2009-12-14 Thread Christian Brel
On Mon, 14 Dec 2009 07:28:22 -0800
Marc Perkel  wrote:


> If you think about it, if Barracuda, a spam filtering company,
> started selling access to spammers, how long do you think Barracuda
> would stay in business.
To quote Dean Drako of Barracuda on a 2008 visit to the UK "Just sell
them anything and we will worry about it afterwards" Draw your own
conclusions.

> Their customers who got the spam would move
> elsewhere. So I really don't think that Barracuda is going to sell
> out their main business to make $20 off of a few spammers.

If it's so clear cut, why is the option for the owner of the said
Barracuda spam device *not* able to disable emailreg.org, but they
*can* disable the Barracuda whitelist 'proper'?

When asked on this point Justin O Brien of Barracuda said 'We don't
want them switching it off'. Why? Possibly because it is a paid to
spam, pay to bypass Barracuda list??? If you expand that into
Spamassassin then that really is going to look corrupt. Please at least
try and disguise it a little bit better than that, FFS.

Don't underestimate those $20 payments. The last time I looked scale of
economy was alive and well given sufficient market. Drako, Perone et al
don't do anything unless there is more than the price of a cup of tea
in it for them.

I'm sorry if people take offence to that, but it has foundations in
reality. A place that seems to scare some people.



Re: emailreg.org - tainted white list

2009-12-14 Thread Christian Brel
Last week the blackhats that make up the '$pamAssassin PMC' sought to
silence people who object to paid whitelists appearing in the core
program which seek to give advantage to certain ESP's. vocal in the odd
behaviour of the program. Namely those listed in whitelist 'Habeas' (a
river flowing back to Return Path) are given a negative score to grease
the wheels for the delivery of their UCE.

Now that the dust has settled the Barracuda Marketing Machine (who
appear to have some financial connection with Apache - {citation:
http://www.barracudanetworks.com/ns/company/open-source.php} and
probably have people sitting on the PMC) takes the chance to rear its
ugly arse and begin redo the spin out its own pay to spam whitelist
"emailreg.org". emailreg.org may form part of a discussion in a spam
list, but it is off topic for the Spamassassin list.

Whilst Bob O Brian @ Barracuda trying to distance Barracuda from a
direct connection may fool some, sensible people involved in anti-spam
know full well this is a Barracuda product thinly garnished as
something else. Sensible people also know that the Barracuda owner
Michael Perone is claimed to be a known former spammer: (citation:
http://www.rhyolite.com/anti-spam/objections/mperone.shtml)

Barracuda Spam 'and virus' Firewall hardware (a cobbled together mix of
free open source software and largely free rules/virus definitions) by
default passes emailreg.org registered mail. There is *no* facility for
the owner of the Barracuda to disable this without calling Barracuda
Support. Contrast this to the Barracuda Whitelist, which has a check
box to turn it on/off. It is fair to suggest this omission is because
Barracuda *don't want* users turning off emailreg.org.

The Barracuda White List from December 2009 is posted elsewhere if you
are interested in a 'who's who':
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/a9f757e7a2ee38d5#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/2745f741838c23ea#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/ce79b2349a83a2d5#

The Barracuda machine is now trying to suggest that emailreg.org is of
the calibre of Habeas. It is not. It is a pay to spam service and
deserves no place in the Spamassassin ruleset OTHER than to INCREASE
the score of mail.

Whilst some halfbread moron has suggested giving emailreg.org a -100
score (compared to -4 for Habeas) the better rule is posted below.

PEOPLE READING THIS LIST BE VERY AWARE DARK FORCES ARE AT WORK HERE TO
DISCREDIT AND STRIKE VIEWS THAT AFFECT REVENUE. SPAMASSASSIN IS AS MUCH
ABOUT MAKING MONEY AS IT IS ABOUT BLOCKING SPAM - KEEP YOUR EYES OPEN
TO THE DARK FORCES THAT USE SPAMASSASSIN TO FACILITATE THE DELIVERY OF
PAID FOR, JUNK COMMERCIAL MAIL. DON'T BE BLIND TO THE POWER WIELDED BY
RETURN PATH, BARRACUDA AND OTHERS IN WINING AND DINING Daryl C. W.
O'Shea.


Suggested sensible Spamassassin Rule for emailreg.org:


header __RCVD_IN_EMAILREG eval:check_rbl('emailreg-trusted', 'resl.emailreg.org.')
header RCVD_IN_EMAILREG_0 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.0')
describe RCVD_IN_EMAILREG_0   Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_0 black hat

header RCVD_IN_EMAILREG_1 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.1')
describe RCVD_IN_EMAILREG_1   Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_1 black hat
score RCVD_IN_EMAILREG_0 30
score RCVD_IN_EMAILREG_1 30
