URIDNSBL not getting all URLs

2008-11-04 Thread David Birnbaum

Greetings,

I've experienced a pretty significant upswing in spam over the last few weeks, 
and I finally had a chance to track it down.  Although not responsible for 100% 
of the increase, I found that the URIDNSBL isn't getting all of the URLs it 
should be.


I've tracked this down to the behavior of 
Mail::SpamAssassin::Message::Node::rendered, which seems to be rendering out the 
URIs which should be hitting!  The messages tend to have two parts - a 
text/plain and a text/html.  The text/plain doesn't have any URLs which might 
hit, and the text/html contains the URL which would hit, but doesn't get passed 
into the list of URIs because of how the rendered() routine returns blank HTML.


I was wondering if anyone else has seen this behavior and had any suggestions or 
fixes before I take a crack at patching it.


Cheers,

David.
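As an added illustration (not SpamAssassin's own code, and not from the original post), here is a small extractor that walks every MIME part and collects URIs from both text/plain and text/html, so a URL that appears only in the HTML part is not lost the way the post describes. The sample message is constructed; the `html_parts_too=False` switch mimics an HTML part that renders to nothing.

```python
"""Added example: collect URIs from all text parts of a MIME message.
Not SpamAssassin code; the sample message and names are constructed."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser

# Constructed two-part message: the text/plain part carries no URL,
# the text/html part carries the one a URI blocklist would need to see.
SAMPLE_MSG = """\
From: sender@example.com
To: someone@example.org
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XX"

--XX
Content-Type: text/plain; charset=us-ascii

Please see the offer below.

--XX
Content-Type: text/html; charset=us-ascii

<html><body><p>Please see <a href="http://shop.example.net/offer">our offer</a>.</p></body></html>

--XX--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

class HrefCollector(HTMLParser):
    """Collect href/src attribute values from an HTML part."""
    def __init__(self):
        super().__init__()
        self.uris = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.uris.append(value)

def uris_from_part(part: Message) -> set:
    charset = part.get_content_charset() or "utf-8"
    body = part.get_payload(decode=True).decode(charset, "replace")
    found = set(URL_RE.findall(body))          # bare URLs in any text part
    if part.get_content_type() == "text/html":
        p = HrefCollector(); p.feed(body); found.update(p.uris)
    return found

def extract_uris(raw: str, html_parts_too: bool = True) -> set:
    """Union of URIs over all text parts; html_parts_too=False shows the loss."""
    uris = set()
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" or (html_parts_too and ctype == "text/html"):
            uris.update(uris_from_part(part))
    return uris
```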


BOT Army

2006-12-12 Thread David Birnbaum

Greetings,

I was reading the ideas about combating the distributed spam attacks, and I was 
wondering if some combination of a razor+distribution analysis of the IP 
addresses in the header would lead to a rapid identification of potentially 
infected machines.


If you think about the distribution of a normal email user, it's going to look 
like a very sparse matrix:


  (few IPs per sender domain) -> (few recipients per recipient domain)

A big email ISP might look more like this:

  (few IPs per sender domain) -> (many users per many recipient domains)

A spam army, though, is going to end up looking like this:

  (many IPs per sender domain) -> (many users at many recipient domains)

If one were to take the first couple of IP addresses in the header, and do DNS 
lookups of IP+recipient, the central DNS engines (not sure who or how those 
would get hosted) would rapidly be able to see a new machine enter the spam 
dominion and could start returning a value based on the distribution of DNS 
requests.


My graph theory is rather dusty these days, but if memory serves the 
connectedness and sparseness of the graphs is pretty low-overhead to calculate 
and maintain, so even at a relatively high load you could quickly start to know 
which IP addresses look "different" and thus return a higher score for them.


I don't know if anyone has pursued this type of approach thus far, but I thought 
I'd toss it out there and see if it stuck.


Cheers,

David.
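The fan-out analysis sketched above, worked through as an added example (not part of the original post): each sender domain is summarised by how many distinct relay IPs and recipient domains it touches, and the three shapes in the post become three labels. The records and the `MANY_IPS` / `MANY_RCPT_DOMAINS` thresholds are constructed assumptions.

```python
"""Added example: sender-domain fan-out classification over constructed
mail-log records (sender domain, first relay IP, recipient domain)."""
from collections import defaultdict

# Constructed records; private-range IPs are placeholders.
RECORDS = [
    ("family.example", "10.0.0.1", "example.org"),
    ("family.example", "10.0.0.1", "example.org"),
    ("family.example", "10.0.0.2", "example.net"),
    ("bigisp.example", "10.1.0.1", "example.org"),
    ("bigisp.example", "10.1.0.1", "example.net"),
    ("bigisp.example", "10.1.0.2", "example.com"),
    ("bigisp.example", "10.1.0.2", "example.edu"),
    ("bigisp.example", "10.1.0.1", "example.io"),
] + [
    # Bot-army shape: a fresh IP per message, spraying many recipient domains.
    ("botnet.example", f"10.2.{i}.1", f"rcpt{i}.example") for i in range(12)
]

MANY_IPS = 5            # assumed thresholds for illustration
MANY_RCPT_DOMAINS = 4

def fan_out(records):
    """Map sender domain -> (distinct relay IPs, distinct recipient domains)."""
    ips, rcpts = defaultdict(set), defaultdict(set)
    for sender, ip, rcpt in records:
        ips[sender].add(ip)
        rcpts[sender].add(rcpt)
    return {s: (len(ips[s]), len(rcpts[s])) for s in ips}

def classify(records):
    """Label each sender domain with one of the three shapes from the post."""
    labels = {}
    for sender, (n_ips, n_rcpt) in fan_out(records).items():
        if n_ips >= MANY_IPS and n_rcpt >= MANY_RCPT_DOMAINS:
            labels[sender] = "bot-army"      # many IPs -> many recipient domains
        elif n_rcpt >= MANY_RCPT_DOMAINS:
            labels[sender] = "big-isp"       # few IPs -> many recipient domains
        else:
            labels[sender] = "normal"        # few IPs -> few recipient domains
    return labels

def ip_scores(records):
    """Per-IP score: IPs belonging to a bot-army-shaped sender score higher."""
    labels = classify(records)
    weight = {"normal": 0.0, "big-isp": 0.0, "bot-army": 1.0}
    return {ip: weight[labels[sender]] for sender, ip, _ in records}
```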


RE: DNS errors

2005-09-29 Thread David Birnbaum
I have Net::DNS 0.53_01 right now; it doesn't seem to have fixed the problem, 
unfortunately.  0.53 had other issues, there was a minor typo that was fixed in 
0.53_01, along with another persistent TCP problem:


 Fix rt.cpan.org 13922

Fixed a problem with persistent TCP sockets which was introduced
because of using the address family as an index to the array of
persistent sockets.

Used AF_UNSPEC for the array index for the TCP socket; just to choose
a number. The key to the persistent sockets is the remote nameserver:port
combination.

But regardless, I'm still getting the alert.

David.

-

On Thu, 29 Sep 2005, Herb Martin wrote:


From: David Birnbaum [mailto:[EMAIL PROTECTED]
I see in various archives that this might be related to a
Net::DNS bug about persistent sockets that was supposedly
fixed at some point.  But perhaps not.
Anyone else figure out where this is coming from?

This is under Solaris 2.8/SPARC, running Perl 5.6.1.


Net::DNS > .49 and < .53 was broken (for SA at least.)

Maybe .52 was ok, but I didn't test and don't remember.

Current .53 or higher is fine.

--
Herb Martin
[EMAIL PROTECTED] http://LearnQuick.Com
512 388 7339   -or-   1 800 MCSE PRO
Accelerated MCSE Seminars




DNS errors

2005-09-29 Thread David Birnbaum

Howdy.  I upgraded to 3.1.0 very recently, and am getting this every so often:

  Error creating a DNS resolver socket: Permission denied at
  /opt/siteperl/5.6.1/siteperl/lib/Mail/SpamAssassin/DnsResolver.pm line 202

I see in various archives that this might be related to a Net::DNS bug about 
persistent sockets that was supposedly fixed at some point.  But perhaps not. 
Anyone else figure out where this is coming from?


This is under Solaris 2.8/SPARC, running Perl 5.6.1.

Cheers,

David.


Re: What is a caching name server?

2005-05-20 Thread David Birnbaum
nscd is a Solaris daemon (perhaps other OSs as well) that caches 
gethostbyname()/gethostbyaddr() lookups (and others of that ilk), but not all of 
the DNS lookups that SpamAssassin uses (I think SpamAssassin may specifically 
bypass some of those by using Net::DNS directly instead of the built-in OS 
resolver routines).

nscd is controlled by parameters in /etc/nscd.conf.  You may see big performance 
gains for IP and name lookup if you tune the negative caching parameters up on 
busy mail servers, in any case.

David.
-
On Fri, 20 May 2005, Gene Heskett wrote:
On Friday 20 May 2005 01:15, [EMAIL PROTECTED] wrote:
Hello list,
in several posts I have noticed people refer to a "caching
nameserver". What exactly is that?  Would BIND 9.3.1 qualify?  Any
advice would be greatly appreciated.
Regards,
Devin
On my systems, there is an 'nscd'.
Is this not a Name Service Caching Daemon?  Docs seem to be sparse for
it here though.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.34% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.


RE: Brightmail

2004-11-30 Thread David Birnbaum
Oddly enough, we went up head-to-head with our SpamAssassin solution 
against Brightmail three times in a row and won the customer every time. 
This is running 2.64.  We have a single 8-way 3500, but we'll probably be 
upgrading that soon.

David.
-
On Tue, 30 Nov 2004, Damian Mendoza wrote:
We sell BrightMail to customers that want a "Commercial" antispam
solution and have deep pockets to pay a yearly subscription. We build SA
based solutions (http://www.spamgate.us) for customers that want a
"low-cost" antispam solution.

Regards,
Damian

From: Gray, Richard [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 30, 2004 8:59 AM
To: users@spamassassin.apache.org
Subject: Brightmail
Brightmail seems to be getting a lot of good press on the SPAM front.
So I'm wondering, why do people running large mail systems choose SA
over corporate offerings. Is it cost? Is it configurability, or
performance?
Can anyone shed any light on how Brightmail achieves the rather
impressive statistics it is quoting, or do you think it is just smoke
and mirrors?
Is it possible to reproduce the other features without spending the
cash?




Re: Solaris 9, CommuniGate, and Spamassassin

2004-09-08 Thread David Birnbaum
Mark,
We set up our own integration package; however, you probably want 
something like CGPSA - http://www.tffenterprises.com/cgpsa, which is a 
pretty nice full-featured setup.

Cheers,
David.
-
On Wed, 8 Sep 2004, Mark Wendt (Contractor) wrote:
We've been long time users of sendmail with Solaris, along with SpamAssassin, 
procmail, and John Hardin's ESD for virus scanning (thanks John, it's worked 
great!) for the last couple of years.  We're in the process of upgrading our 
server, hardware wise, and will also be switching over to CommuniGate for our 
mail.  This is a first time operational install of CommuniGate for me, and I 
was hoping to be able to integrate SpamAssassin into the mix.  I've noticed a 
few folks here on the list are using CommuniGate, and I was wondering if 
anybody had a nice how-to for making the two play well in the data sandbox.

Thanks,
Mark