Problems with new spam getting through in SA 2.64 the last few days
These are the rules I have:

31854 jun 1 2004 70_sare_adult.cf
3927 apr 24 2004 70_sare_bayes_poison_nxm.cf
85658 jan 28 07:23 70_sare_genlsubj0.cf
70561 jan 28 07:23 70_sare_genlsubj1.cf
107315 feb 12 23:35 70_sare_header0.cf
75276 feb 12 23:35 70_sare_header1.cf
32960 sep 13 02:23 70_sare_html0.cf
38006 sep 13 02:23 70_sare_html1.cf
11559 sep 14 20:43 70_sare_oem.cf
17845 feb 8 18:15 70_sare_random.cf
385 sep 20 03:35 70_sare_ratware.cf
18709 feb 3 06:48 70_sare_specific.cf
7006 nov 17 19:48 70_sare_spoof.cf
18192 nov 17 00:05 71_sare_redirect_pre3.0.0.cf
13211 mai 12 2004 72_sare_bml_post25x.cf
56134 feb 13 2004 99_FVGT_Tripwire.cf
10147 mai 2 2004 99_sare_fraud_post25x.cf
22546 jan 30 03:50 backhair.cf
23422 jan 30 03:50 chickenpox.cf
18052 okt 30 18:30 evilnumbers.cf
3526 okt 24 23:21 rolex.cf
1923 okt 26 17:36 spamcop_uri.cf

What exactly is RCVD_IN_SORBS_DUL, and why doesn't it give any score? I've been hit by quite a lot of these spams the last few days, they don't look any alike except that they all seem to have the random words in the last paragraph, as well as also having a RCVD_IN_SORBS_DUL match. Does anyone have a rule to catch them? This is very annoying, spamassassin used to stop 99.99% of all my spam before these came along.

-Frank.

-- Forwarded message --
Received: from doond.com ([220.188.181.115]) by my-mail-host (8.11.6/8.11.1) with SMTP id j1J1mfO27438; Sat, 19 Feb 2005 02:48:42 +0100
Message-ID: <[EMAIL PROTECTED]>
Reply-To: "sterling kingery" <[EMAIL PROTECTED]>
From: "sterling kingery" <[EMAIL PROTECTED]>
To: "Arron Fanoele" <[EMAIL PROTECTED]>
Subject: The prices you wanted on functional program disc.
Date: Sat, 19 Feb 2005 11:11:51 +1200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on my-mail-host
X-Spam-Level:
X-Spam-Status: No, hits=0.1 required=3.0 tests=BAYES_50,RCVD_IN_SORBS_DUL autolearn=ham version=2.64
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.2 with clamscan / ClamAV 0.82/710/Fri Feb 18 23:05:27 2005

Find top selling program for office operation, operation system, programming, server maintenance, PC diagnostics, finance and graphic design& processing on our site at low prices. All of our program or installation discs products are the highest quality available. Install or upgrade the program on office operation, programming, server maintenance, PC diagnostics, finance and graphic design& processing easily from now on.

http://2Og.gooddealstime.com/wob/

Why not have a try and get quality PC program discs at low prices from now on. The discount store offers customers more convenience and saving on program installation and upgrade.

while addressing Israeli and international demands that he help resolve the fouryearold IsraeliPalestinian NBCSports.com contributorUpdated:7:03 p.m. ET Jan. 16, 2005PHILADELPHIA It was more a party than a playoff game, with the Eagles
Re: www.rulesemporium.com
Oh it is in whois, paid, all sound and good. And its nameservers are even responding. It's just the root-nameservers that aren't updated (or have some other problems).

Domain Name: RULESEMPORIUM.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: REGISTRAR-LOCK
Updated Date: 15-oct-2004
Creation Date: 16-oct-2003
Expiration Date: 16-oct-2005

$ nslookup www.rulesemporium.com DNS1.NAME-SERVICES.COM
Server: DNS1.NAME-SERVICES.COM
Address:63.251.163.102#53

Name: www.rulesemporium.com
Address: 69.56.160.30

-Frank.

On Tue, 7 Dec 2004, jdow wrote:

Fascinating - "whois" doesn't even report a vestige of the name.

- Original Message -
From: "Martin Hepworth" <[EMAIL PROTECTED]>

rulesemporium seems to be down (not resolving actually). Did you forget to re-register the domain
Re: [SURBL-Discuss] Spamassassin and SpamCopURI
Sorry for being a bit quick with my last mail. I got it to work now, it was just an erroneous newline that got into the rules files when I cut & pasted.

-Frank.
Re: [SURBL-Discuss] Spamassassin and SpamCopURI
Thanks. I did the changes you illustrated below (into spamassassin/spamcop_uri.cf). The "make test" errors went away, so I went ahead and did "make install" of SpamAssassin 2.64, as well as a reinstall of SpamCopURI-0.22 (just in case). I also removed the old override in local.cf and skip_rbl_checks is still set to 0.

Unfortunately I don't get hits on RBL checks anymore. I verified this by forwarding a mail with a verified listed domain (in ws.surbl.org and multi.surbl.org). I'm not using spamc/spamd. (And all the non-RBL checks still work fine.)

Any ideas on how I go about figuring out why RBL checks turned themselves off on the upgrade? How can I get any kind of debug log?

-Frank.

On Tue, 26 Oct 2004, Jeff Chan wrote:

On Tuesday, October 26, 2004, 1:40:05 AM, Frank Johansen wrote:

Hi, I'm in the process of upgrading SA from 2.63 to 2.64 and SpamCopURI from 0.19 to 0.22.

The syntax for the SpamCopURI 0.22 rules is new to reflect use of the combined list multi.surbl.org, so please update them to look like these. Also please add two lists, AB and JP, to the 0.22 configs:

uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+2')
describe SPAMCOP_URI_RBL Has URI in SC at http://www.surbl.org/lists.html
tflags SPAMCOP_URI_RBL net

uri WS_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+4')
describe WS_URI_RBL Has URI in WS at http://www.surbl.org/lists.html
tflags WS_URI_RBL net

uri PH_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+8')
describe PH_URI_RBL Has URI in PH at http://www.surbl.org/lists.html
tflags PH_URI_RBL net

uri OB_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+16')
describe OB_URI_RBL Has URI in OB at http://www.surbl.org/lists.html
tflags OB_URI_RBL net

uri AB_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+32')
describe AB_URI_RBL Has URI in AB at http://www.surbl.org/lists.html
tflags AB_URI_RBL net

uri JP_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+64')
describe JP_URI_RBL Has URI in JP at http://www.surbl.org/lists.html
tflags JP_URI_RBL net

score SPAMCOP_URI_RBL 4.0
score WS_URI_RBL 1.5
score PH_URI_RBL 3.0
score OB_URI_RBL 2.2
score AB_URI_RBL 3.0
score JP_URI_RBL 2.5

Please remove any old rules referring to lists other than multi.surbl.org (i.e. sc.surbl.org, ws.surbl.org should no longer be used since they're in multi now).

Hope this helps,

Jeff C.
--
"If it appears in hams, then don't list it."
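
Added example, not part of the thread and not SpamCopURI's own code: a Python illustration of how the six rules quoted above can share a single multi.surbl.org lookup, assuming the '+N' suffix is a bit mask tested against the last octet of the 127.0.0.x record the list returns. The function names and the sample answers are made up for illustration; the parser also rejects a rule split by a stray newline, the cut-and-paste problem reported in this thread.

```python
import re

# uri and score lines copied from the rules quoted above (describe/tflags omitted).
RULES = """\
uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+2')
uri WS_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+4')
uri PH_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+8')
uri OB_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+16')
uri AB_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+32')
uri JP_URI_RBL eval:check_spamcop_uri_rbl('multi.surbl.org','127.0.0.0+64')
score SPAMCOP_URI_RBL 4.0
score WS_URI_RBL 1.5
score PH_URI_RBL 3.0
score OB_URI_RBL 2.2
score AB_URI_RBL 3.0
score JP_URI_RBL 2.5
"""

URI_RE = re.compile(r"^uri\s+(\w+)\s+eval:check_spamcop_uri_rbl"
                    r"\('([^']+)','127\.0\.0\.0\+(\d+)'\)\s*$")
SCORE_RE = re.compile(r"^score\s+(\w+)\s+(-?[\d.]+)\s*$")

def parse_rules(text):
    """Return {rule: (zone, mask, score)}; reject any line that is not a whole rule."""
    masks, scores = {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if not words or words[0].startswith("#") or words[0] in ("describe", "tflags"):
            continue
        if m := URI_RE.match(line):
            masks[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
        else:  # e.g. a uri line split in two by a stray newline
            raise ValueError(f"line {n}: not a complete rule: {line!r}")
    return {name: (zone, mask, scores[name]) for name, (zone, mask) in masks.items()}

def hits(rules, answer):
    """Names of rules whose mask bit is set in the last octet of A record `answer`."""
    a, b, c, last = answer.split(".")
    if (a, b, c) != ("127", "0", "0"):
        return []
    return sorted(n for n, (_, mask, _) in rules.items() if int(last) & mask)

def total_score(rules, answer):
    return round(sum(rules[n][2] for n in hits(rules, answer)), 2)
```

Under that assumption, a constructed answer of 127.0.0.6 sets the bits for both the SC and WS rules, so one listed domain can add both scores.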
Spamassassin and SpamCopURI
Hi,

I'm in the process of upgrading SA from 2.63 to 2.64 and SpamCopURI from 0.19 to 0.22. During make test of SA I get these during each t/rule_tests:

t/rule_testsok 61/62Failed to compile URI SpamAssassin tests, skipping: (syntax error at /etc/mail/spamassassin/local.cf, rule WS_URI_RBL, line 1, near "eval:"
syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule SPAMCOP_URI_RBL, line 1, near "eval:"
syntax error at /etc/mail/spamassassin/spamcop_uri.cf, rule SPAMCOP_URI_RBL, line 6, near "} }"

I am aware that there was a discussion on the surbl list about this a few months ago, where someone said it could be caused by two Conf.pm's. However, I only have the one in /local/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Conf.pm and the two in the 2.64 distribution: the original ./lib/Mail/SpamAssassin/Conf.pm and the make-generated ./blib/lib/Mail/SpamAssassin/Conf.pm.

The errors didn't go away after installing SpamCopURI 0.22. I still haven't dared install SA.

This is the relevant entry in local.cf:

# Domain blacklists
uri WS_URI_RBL eval:check_spamcop_uri_rbl('ws.surbl.org','127.0.0.2')
describe WS_URI_RBL URI's domain appears in sa-blacklist
tflags WS_URI_RBL net
score WS_URI_RBL 3.0

And this is from spamcop_uri.cf:

uri SPAMCOP_URI_RBL eval:check_spamcop_uri_rbl('sc.surbl.org','127.0.0.2')
describe SPAMCOP_URI_RBL URI's domain appears in spamcop database at sc.surbl.org
tflags SPAMCOP_URI_RBL net
score SPAMCOP_URI_RBL 3.0

So, what is causing the test errors? Can I safely ignore them, or will my RBL's stop working if I upgrade?

I had hoped for a quick upgrade from 2.63 to 2.64 due to warnings about DOS (and the last few days our mailserver actually went out of memory twice, so it could be that spammers have started actually using this DOS)...

-Frank.
False positives with FAKED_HOTMAIL_DAV
Hi,

I have seen a handful of these mails triggering FAKED_HOTMAIL_DAV, which is kind of bad since it adds 3.9 in version 2.63. Here are the headers in question, and at the bottom come the scores from spamassassin.

-Frank.

---
Received: from listserv.brown.edu (canis.services.brown.edu [128.148.19.203]) by serum.osc.no (8.11.6/8.11.1) with ESMTP id i9MHa4i21225 for <[EMAIL PROTECTED]>; Fri, 22 Oct 2004 19:36:04 +0200
Received: from canis.services.brown.edu (canis.services.brown.edu [128.148.19.203]) by listserv.brown.edu (8.11.6+Sun/8.9.3) with ESMTP id i9MHYpd17217; Fri, 22 Oct 2004 13:34:51 -0400 (EDT)
Received: from LISTSERV.BROWN.EDU by LISTSERV.BROWN.EDU (LISTSERV-TCP/IP release 1.8d) with spool id 3230944 for [EMAIL PROTECTED]; Fri, 22 Oct 2004 13:34:50 -0400
Approved-By: [EMAIL PROTECTED]
Received: from hotmail.com (bay18-f21.bay18.hotmail.com [65.54.187.71]) by listserv.brown.edu (8.11.6+Sun/8.9.3) with ESMTP id i9MGE6d08614 for <[EMAIL PROTECTED]>; Fri, 22 Oct 2004 12:14:06 -0400 (EDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 22 Oct 2004 09:14:05 -0700
Received: from 172.202.236.243 by by18fd.bay18.hotmail.msn.com with HTTP; Fri, 22 Oct 2004 16:13:07 GMT
X-Originating-IP: [172.202.236.243]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 22 Oct 2004 16:14:05.0187 (UTC) FILETIME=[26DA0D30:01C4B852]
Message-ID: <[EMAIL PROTECTED]>
Date: Fri, 22 Oct 2004 16:13:07 +
Reply-To: Hayao Miyazaki Discussion Group <[EMAIL PROTECTED]>
Sender: Hayao Miyazaki Discussion Group <[EMAIL PROTECTED]>
From: Lilian Chan <[EMAIL PROTECTED]>
Subject: Re: Ghibli Museum
To: [EMAIL PROTECTED]

From: John Jacobs <[EMAIL PROTECTED]>
I was just wondering how to get tickets. Plus, have any of you been to it? Is it good? I love Ghibli, and I'm proud of being a new fan.

Hi John,

Good for u to be a new fan of Ghibli :) I live in London and I went to the Museum last month. It was absolutely fantastic. I nearly cried when I had to leave. I bought the tickets in Japanese local convenience store, Lawson, after I landed in Tokyo. The ticketing machine is not hard to use but it might be a bit risky to look for tickets AFTER you arrive cos tickets for your desired dates may be sold out. My trip to Japan lasted for 17 days so that was not a problem for me. According to the official guide, you should purchase tickets from travel agency in the UK. If you don't understand the purchase guide from the website, contact the agency directly for details.

MY BUS CENTER
15 Lower Regent St., London SW1Y 4LR, U.K.
Tel: 020-7976-1191 / Facs: 020-7976-1192
[EMAIL PROTECTED]

Also take a look at http://anime-tourist.com/article.php?sid=607 It's US-based but provides good guide on how to get to the Museum. Although the information about the exhibits sounds a bit outdated and I must say I give much higher praises to the Museum than this article depicts :)

_
Linguaphone : Learning English? Get Japanese lessons for FREE http://go.msnserver.com/HK/46165.asp
-- http://www.nausicaa.net/miyazaki/mailing-list > --
Unsubscribing? Send "UNSUBSCRIBE NAUSICAA" to [EMAIL PROTECTED]

Content analysis details: (3.8 points, 3.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.6 FOR_FREE               BODY: No such thing as a free lunch (1)
 0.6 J_CHICKENPOX_21        BODY: 2alpha-pock-1alpha
-1.5 BAYES_01               BODY: Bayesian spam probability is 1 to 10%
                            [score: 0.0110]
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [172.202.236.243 listed in dnsbl.sorbs.net]
 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [172.202.236.243 listed in dnsbl.njabl.org]
 3.9 FAKED_HOTMAIL_DAV      X-Originating-Email header does not match From

--- Begin Message ---
From: John Jacobs <[EMAIL PROTECTED]>
I was just wondering how to get tickets. Plus, have any of you been to it? Is it good? I love Ghibli, and I'm proud of being a new fan.

Hi John,

Good for u to be a new fan of Ghibli :) I live in London and I went to the Museum last month. It was absolutely fantastic. I nearly cried when I had to leave. I bought the tickets in Japanese local convenience store, Lawson, after I landed in Tokyo. The ticketing machine is not hard to use but it might be a bit risky to look for tickets AFTER you arrive cos tickets for your desired dates may be sold out. My trip to Japan lasted for 17 days so that was not a problem for me. According to the official guide, you should purchase tickets from travel agency in the UK. If you don't understand the pu
Some fake mails, ham-trainers?
I have received 3 fake mails claiming to be from myredtrap.com, with the following ip numbers (twice on the first one):

Received: from unknown (HELO www.myredtrap.com) (212.240.72.97)
Received: from unknown (HELO www.myredtrap.com) (212.21.97.209)

They are guaranteed spam, since the To: field doesn't match anything that should forward the email to me. (All have been To: a non-existing user).

My biggest worry is that these get autolearned as ham. Could that be the whole purpose of these spams, to train bayesian filters? Has anyone else seen spam like this the last few days?

See below for the contents, I can send the headers too if anyone wants.

-Frank.

---
David,

Could you email me the contact details for the person that deals with the ADSL connection at the Chippenham offices? I need to organise switching the ISP provider so that we can be fully operational on Monday 1st!!

Thanks
Joel
---
Dave,

I sourced two UPS's both APC 3000Va exactly the same one for each Rack. The cost for both is £500.00 excluding VAT and delivery. I'm prepared to split the cost so that you own one for your rack and we have one for our rack. The UPS will come with the power supply cable, and I can source management cables and software so that we can monitor the status and health of the batteries within the UPS. Let me know if you're interested and I can reserve them.

Kind Regards
Joel
---
David,

Can I confirm, are you still interested in having a UPS for your cabinet? I'm sorting out collection for tomorrow, so if you could let me know ASAP either way that would be great.

Kind Regards
Joel
---