RE: filtered by mass hosters

2008-04-12 Thread James E. Pratt


> -Original Message-
> From: mouss [mailto:[EMAIL PROTECTED]
> Sent: Saturday, April 12, 2008 8:31 AM
> Cc: users@spamassassin.apache.org
> Subject: Re: filtered by mass hosters
> 
> [EMAIL PROTECTED] wrote:
>  Hi,
>  unfortunately lots of our legitimate mails are filtered by mass hosters like
>  web.de and aol.
>  Does anyone have any clue how to find out why?
>  I'm not talking about mass mailing here, just regular mails like this one from
>  exactly the server I am sending from now.
> 
> >>> Individual issue, individual problem.
> >>> Contact aol and web.de and ask them.
> >>>
> >>>
> > Hi,
> >
> > at least aol does not like being contacted :(
> >
> >
> 
> and I don't think they do callouts.

Hi. As for aol.com, you could try this setup with them (we've used it
for a year or so, and it works quite well. They whitelist our mail, and send
us the complaints when people there click "this is spam" so we can
resolve it on our end).

http://postmaster.aol.com/fbl/fblinfo.html

regards,
jamie


RE: SORBS_DUL

2008-03-27 Thread James E. Pratt
> 
> Do your own queries and whois lookups...but these address blocks are
> INCORRECTLY LISTED BY SORBS and they refuse (yes, I've heard from them)
> to remove them.  Apparently because our inbound and outbound MTA's don't
> use the same addresses!  I have no idea what crack-monkey at SORBS wrote
> that, but that was the response we got in relation to our request to
> remove our IP's.
> 
> I hope that clears it up :)
> 
> Cheers,
> 
> James

Sigh... Can we clear this up for _real_??

... Regardless of whether or not SORBS listings are "accurate" or not,
or should or should not be included in SA, apparently some people cannot
read, or are overly confused...  

--

Straight from the SORBS website:

If you are listed in the Spam Database read the Spam Database FAQ, then
and only then you have 2 options. 
Pay the fine, and get delisted. 
Argue that you shouldn't have to pay. 
Paying the fine will get you delisted very quickly (usually within 48
hours)... However, when donating to the Royal Childrens Hospital and
sending in the receipt ensure you send in the receipt number (the actual
receipt is not needed, only the number - this is usually prefixed 'IR').
Due to privacy laws and the fact SORBS is not part of or connected with
the charity, payment confirmations can only be verified when a receipt
number is given along with the payee's name.

Arguing with a SORBS administrator about how you are not the person
responsible, or how you just got the address (or any other excuse) will
result in a 'boiler plate' reply. It will be blunt and usually
impersonal, this may appear rude, but it is not meant to be, it is just
meant to be efficient.
Note: There are a few good reasons why you may get delisted without
paying the fine. These will be dealt with by an admin personally.


--

So James - Like it says above, you really have two options. Quit
complaining here and pay the AU Hospital and send sorbs the
invoice/receipt, or perhaps if you approached the situation without
downright rudeness (yes, you sound like a rude person to have to deal
with based on your posts.. Sorry!), the admin would deal with you
"personally", but frankly, if anyone there reads this list-serv, well..
all I can say is "good luck with that".. :\

~Ciao

jp


RE: SORBS_DUL

2008-03-26 Thread James E. Pratt
> >
> > Why? Can you remove them from the SORBS_DUL?  No, then it's not really
> > relevant then is it ;)
>
> I was trying to help you find the real problem. If you don't want help, stop
> bitching.
>
> I have seen more requests here to stop using some blacklists because of the
> requestor was unable to understand something. I think this is just another
> case...
> 

Here's a story, maybe some of the "whiners" will learn from it... 

We got listed on SORBS once in early '06... 

Yes, we had to pay $ to get removed - a whopping $50 AU to the
Australian children's hospital ... (not even $50 US at the time?)

Yes, this was a giant hassle and inconvenience, it caused us much
trouble, wasted time, loss of mail, as well as loss of productivity and
(possibly) business revenue.

Did we feel extorted? No. Why? Because it was indeed our fault (getting
listed) and the money did not go to SORBS, their whole point in making
it difficult to get de-listed is so you WON'T GET LISTED AGAIN and have
to FIX YOUR DNS AND/OR MTA! (..is this really a "bad thing"?) 

Needless to say, we haven't been listed anywhere since, and it helped us
fix some major security holes we weren't aware of, so in the long run,
it was almost worth it...  

Regards,
j



RE: Why two spam assassins rank the same message so differently?

2008-03-24 Thread James E. Pratt
> > by dgw218.neoplus.adsl.tpnet.pl with smtp (Exim 4.62

We've been blocking adsl.tpnet.pl for over a year yet they still barrage
our servers daily with bot-infested clients. Some sites block the whole
.PL tld, but that's a bit evil IMO. 



blogspot spam

2008-03-19 Thread James E. Pratt
Hi. I'm seeing lots of these get by:

http://pastebin.com/m8520d64

anyone have a rule for these? 

The last one I put up is at:

http://pastebin.com/m159c02de

Thanks,

Jamie



RE: Why can't I change value of required_score ?

2008-03-18 Thread James E. Pratt
Apologies, I meant to send this to the qmail-toaster list... :(

> -Original Message-
> From: James E. Pratt [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 18, 2008 2:38 PM
> To: [EMAIL PROTECTED]
> Subject: FW: Why can't I change value of required_score ?
> 
> 
> 
> > -----Original Message-
> > From: James E. Pratt
> > Sent: Tuesday, March 18, 2008 2:36 PM
> > To: 'Yavuz Maslak'
> > Subject: RE: Why can't I change value of required_score ?
> >
> >
> >
> > > -Original Message-
> > > From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, March 18, 2008 2:33 PM
> > > To: users@spamassassin.apache.org
> > > Subject: Why can't I change value of required_score ?
> > >
> > > I use spamassassin3.2.1 and  simscan1.2
> > > My value of required_score doesn't work in
> > > /usr/local/etc/mail/spamassassin/local.cf.
> > >
> > > I couldn't change required_score's value. The server still looks at old
> > > value which I must have been set it.
> > > I checked that the server reads /usr/local/etc/mail/spamassassin
> > > directory.
> > >
> > > How can I correct that ?
> >
> >
>  See the file:
> 
>  /var/qmail/control/simcontrol
> 
>  Regards,
>  jamie


FW: Why can't I change value of required_score ?

2008-03-18 Thread James E. Pratt


> -Original Message-
> From: James E. Pratt
> Sent: Tuesday, March 18, 2008 2:36 PM
> To: 'Yavuz Maslak'
> Subject: RE: Why can't I change value of required_score ?
> 
> 
> 
> > -Original Message-
> > From: Yavuz Maslak [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, March 18, 2008 2:33 PM
> > To: users@spamassassin.apache.org
> > Subject: Why can't I change value of required_score ?
> >
> > I use spamassassin3.2.1 and  simscan1.2
> > My value of required_score doesn't work in
> > /usr/local/etc/mail/spamassassin/local.cf.
> >
> > I couldn't change required_score's value. The server still looks at old
> > value which I must have been set it.
> > I checked that the server reads /usr/local/etc/mail/spamassassin
> > directory.
> >
> > How can I correct that ?
> 
> 
 See the file:
 
 /var/qmail/control/simcontrol
 
 Regards,
 jamie


RE: ways to react faster to spam attacks

2008-03-17 Thread James E. Pratt
> -Original Message-
> From: Arvid Ephraim Picciani [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 17, 2008 4:43 PM
> To: users@spamassassin.apache.org
> Subject: ways to react faster to spam attacks
> 
> greetings.
> most of the spam we get (like 90%)  is the usual internet noise. sa filters
> them perfectly with 10 to 20 points.
> Unfortunately from time to time there are waves of very professional spam.
> I wonder how you react on those.  Do you quickly hack up an sa rule to filter
> by specific words?  Do you have a central repo for rules?
> --
> best regards/Mit freundlichen Grüßen
> Arvid Ephraim Picciani

Like these? 

http://pastebin.com/m159c02de

(free software. Eww.)

Tia,regards,
jp


RE: Whitelisting PayPal "Notification of payment" Messages

2008-03-13 Thread James E. Pratt
> -Original Message-
> From: Rob McEwen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 13, 2008 1:27 PM
> To: users@spamassassin.apache.org
> Subject: Re: Whitelisting PayPal "Notification of payment" Messages
> 
> James E. Pratt wrote:
> > Well, if they truly aren't coming from paypal servers at all, the above
> > is really of no use... Can you find a static text string in them that is
> > unique to the emails for which you could write a body rule?
> >
> > Regards,
> > jamie
> >
> James,
> 
> That would be too easy to forge, right?
> 
> And can you give examples of IPs used to send official PayPal messages
> that are not on that list I sent?
> 
> Rob McEwen


Rob, the OP stated the emails were *not* coming from any paypal servers.
Am I missing something here?

Regards,
Jamie


RE: Whitelisting PayPal "Notification of payment" Messages

2008-03-13 Thread James E. Pratt


> -Original Message-
> From: Rob McEwen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 13, 2008 12:40 PM
> To: users@spamassassin.apache.org
> Subject: Re: Whitelisting PayPal "Notification of payment" Messages
> 
> Michael B Allen wrote:
> > I really have my HTML rules cranked up and it's killing my PayPal payment
> > notifications. I can't whitelist by From because PayPal sends the
> > notifications from the person sending the money and not an address in the
> > paypal.com domain.
> >
> > How can I whitelist these messages? Is there some way to whitelist based on
> > something other than the From address?
> >
> >
> Michael,
> 
> Try whitelisting the actual sending IPs of PayPal:
> 
> SEE:
> http://www.senderbase.org/senderbase_queries/detaildomain?search_string=paypal.com
> 
> Rob McEwen


Well, if they truly aren't coming from paypal servers at all, the above
is really of no use... Can you find a static text string in them that is
unique to the emails for which you could write a body rule?

Regards,
jamie


RE: new version always trusts 127.0.0.1

2008-03-12 Thread James E. Pratt
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2008 11:14 AM
> To: dougp23
> Cc: users@spamassassin.apache.org
> Subject: Re: new version always trusts 127.0.0.1
> 
> dougp23 wrote:
> > Hi.  Running SA 3.1.8
> >
> > Would like to move to a newer version for a few reasons...
> >
> > Anyways the 3.2.3 version looks compelling, but I use a mailserver called
> > Scalix.  It uses Sendmail as its engine.  But each X-Spam header shows this:
> >
> > rhost=localhost,raddr=127.0.0.1,rport=34757,
> >
> Erm.. What's that generated by? That's not SpamAssassin...
> > Which makes me think that for my mailserver, ALL email appears to originate
> > from the localhost.  In fact, under 3.1.8, I once tried to set the network
> > ignore option to 127.0.0.1, and all spam immediately was let through.
> >
> Well, even if SpamAssassin trusts a host, and all the hosts involved in
> handling a message, it will still scan it. You'll just see the
> ALL_TRUSTED rule fire off. That reduces the score a little, but not
> enough that you'd be missing all spam..
>
> Your problem is more compressive, as it sounds like email isn't even
> being scanned by SA.
>
> Is there a spamassassin generated X-Spam-Status with a list of rule hits
> on those spam emails?
>
>
>
> > Just wondering if I am missing something or do I just utilize a flaky
> > mailserver, lol!
> >
> >
> >

LOL... I won't answer your last question for fear of being flamed(!),
... but.. have you tried hitting up the Scalix folks and/or their
dev/support forums on this? 

Regards,
jamie


RE: How to report 120,000 spams a day

2008-03-10 Thread James E. Pratt
> -Original Message-
> From: SM [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 10, 2008 3:49 PM
> To: users@spamassassin.apache.org
> Subject: Re: How to report 120,000 spams a day
> 
> At 11:47 10-03-2008, Bob Proulx wrote:
> >What would have been the downside of *not* having a backup MX?  The
> 
> Loss of mail.

No. "Possible mail loss" is really the correct term. Just because I have
no backup MX, it does not mean I will lose mail (Mail loss can, and
usually is caused by many more issues than just no backup/secondary MX).

> 
> >mail would have remained in the mailqueue.  Comcast, AOL, Yahoo,
> >Gmail, corporate servers, private servers, etc. would have retried to
> >send the mail to you later.  When your main mail relay came online
> >they would have retried and delivered it.  There would have been NO
> >DIFFERENCE at all.  You didn't need your backup MX relay to proxy
> >relay the mail to you.
> 
> The difference is that you are making assumptions about their retry
> strategy.

Yes, all are different. In the grand scheme though, who cares? We've had
no "backup mx" here for over 5 years, and have lost no mail that I'm
aware of... (or rather, no one has complained anyhow?). We've been down
once for like 8 hours and lost nothing as far as I could tell. If it
were down longer (unlikely with a hot spare ready to go, but besides the
point) some stuff would just bounce and the senders would resend it.
Life goes on.


Regards,
jp


RE: SV: "Nice girl like to chat" spam

2008-02-22 Thread James E. Pratt
> > In general, any rules you see posted to the list that you want to use
> > should be pasted into any .cf file in your main SA site-rules directory
> > (usually either /etc/mail/spamassassin/ or /etc/spamassassin/).  Not all
> > of them are formally distributed as rulesets - these are an independent
> > block of rules for a relatively small set of spam that was otherwise
> > slipping by SA.
> >
> > -kgd
> 
> Thanks!
> It works fine, but I tried to make a addition to it, and for some
> reason it won't "bite" on that..
> 
> I added this;
> body NICE_GIRL_06 /Email me at [^\s]{,74} only, because I am using my friend\'s email to write this\./
> 
> to hopefully catch messages like this one:
> Hello! I am bored tonight. I am nice girl that would like to chat with
> you. Email me at [EMAIL PROTECTED] only, because I am using my
> friend's email to write this. I want to show you some pictures
> 
> However, only your rules 1 and 2 hits, not my addition... Any ideas
> please?
> 
> Anders.
> 

Apologies if it has been noted already in this thread, but if you use ClamAV,
you can install http://www.sanesecurity.co.uk/ 's set of AV/anti-spam sigs, and
the "Nice Girls" will be gone... :)

Regards,
jamie





RE: [OT] Bogus MX opinions

2008-02-19 Thread James E. Pratt
-Original Message-
From: Francesco Abeni [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 19, 2008 11:12 AM
To: users@spamassassin.apache.org >> Spamassassin
Subject: Re: [OT] Bogus MX opinions

> Something else that can be useful is using an MTA blacklist.  I use the
> zen.spamhaus.org blacklist on my MTA. (...)

Using SpamAssassin, I think these checks should be already active. Am I
wrong? I checked 20_dnsbl_tests.cf, it contains spamhaus query as well
as other ones.

---

Yes, but by utilizing the spamhaus DNSBL at the smtp level, you can
reject the email before it even touches SA. :)

Regards,
Jamie


RE: upgrading is just like installing

2008-02-12 Thread James E. Pratt


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 12, 2008 3:26 PM
To: users@spamassassin.apache.org
Subject: Re: upgrading is just like installing

KB> User? SA is for administrators, not for users. Also, there is *nothing*
KB> special about SA version numbers.


J> Is too or else there wouldn't be a user_prefs file or instructions for
J> installing non-root. And SA version numbers & aliases often need explaining,
J> just like Debian package version numbers etc. Not all software version
J> number systems are the same or else there would be several ways to enter a
J> decimal password OK never mind.



Ummm .. sa version numbers?  Aliases?  Decimal passwords? Package
explanations?  HUH?

(I think you are on the wrong list, or have to go back to school or
something(?))

Anyhow, yes, the user_prefs files are for user-based settings, but you
are missing too many points for me to continue as it's just too silly to
add more to the thread! :P

cheers,
jamie



FW: [Mimedefang] MD tries to open /root/.spamassassin/user_prefs(was Re: mimedefang-multiplexor and bayes_path)

2008-01-29 Thread James E. Pratt
-Original Message-
From: James E. Pratt 
Sent: Tuesday, January 29, 2008 9:34 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Mimedefang] MD tries to open
/root/.spamassassin/user_prefs(was Re: mimedefang-multiplexor and
bayes_path)

 
> Kelson wrote:

> Since upgrading from MIMEDefang 2.63 to 2.64, I've started seeing the 
> following pairs of errors on slave startup:

> Jan 28 02:23:29 speed3 mimedefang-multiplexor[7521]: Slave 11 stderr: 
> config: path "/root/.spamassassin" is inaccessible: Permission denied
> Jan 28 02:23:29 speed3 mimedefang-multiplexor[7521]: Slave 11 stderr: 
> config: path "/root/.spamassassin/user_prefs" is inaccessible: 

>> David wrote:
>>That's weird.

As another affected user, I will note that I had MD 2.64 installed prior
to updating to SA 3.2.4 - I have had the symptom ever since, but nothing
seems to be affected(?) except the log entries overall that I can tell.

> Kelson wrote:
> Interestingly, if I explicitly set HOME to the defang user's homedir in
> the init script, the messages disappear.  This suggests to me that MD
> used to pick up the environment from the user specified in -U, but
> doesn't anymore.

>> David wrote:
>> As far as I know, that code has not changed.  We never set HOME based
>> on the -u user, ever.
>> I will take a close look at the 2.63->2.64 diffs.

Well, I hope you're not wasting your time, but thank you ... The server
here is rhel4, sa 323/2.64 installed a few months ago, and just put in
production shortly thereafter. After updating to sa 3.2.4 I started
seeing it in the logs and before that it was not there. Sa-lint shows no
issues either? I may try the workaround above. Let us know what you
find out. Perhaps it's a sendmail/compile or config issue? Hrmm. Anyhow,
if I can be of any more help let me know ;)

Regards,
jamie


RE: Apache SpamAssassin 3.2.4

2008-01-07 Thread James E. Pratt


>> -Original Message-
>> From: James Lay [mailto:[EMAIL PROTECTED]
>> Sent: Monday, January 07, 2008 1:54 PM
>> To: Spamassassin
>> Subject: Re: Apache SpamAssassin 3.2.4
>> 
>> New upgrade is running GREAT here :)
>> 
>> James
>> 

Not so great here with MimeDefang/Sendmail. Imageinfo plugin seemed to
break SA clean lint, so had to remove it. Overall seems to be running ok
in test, but still seeing lots of this in maillog:

mimedefang-multiplexor[14449]: Slave 1 stderr: config: path "/root/.spamassassin" is inaccessible: Permission denied

(wth? - sa home is same =  /etc/mail/spamassassin ?)

Any ideas?
jamie


RE: Botnet why?

2008-01-03 Thread James E. Pratt
>> -Original Message-
>> From: Dan Barker [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, January 03, 2008 4:00 PM
>> To: users@spamassassin.apache.org
>> Subject: Botnet why?
>> 
>> Why'd baddns hit? I'm confused.
>> 
>> Dan
>> 
>> Report:
>> 
>> Content analysis details:   (5.9 points, 5.6 required)
>> 
>> pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>> 5.0 BOTNET                 Relay might be a spambot or virusbot

Better question, why is BOTNET scoring at 5.0!!??  I will admit I have
not used it in quite some time due to many many many fp's, so perhaps
that is default, but 5.0 seems excessively high to me either way... :\ 

Regards,
jamie 



RE: How often is the main rules channel updated?

2007-12-19 Thread James E. Pratt


>> -Original Message-
>> From: Dan Grossman [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, December 18, 2007 7:21 PM
>> To: users@spamassassin.apache.org
>> Subject: How often is the main rules channel updated?
>> 
>> I'm worried that my cronjob for sa-update is not working correctly, as it
>> hasn't updated anything since I installed it on 12-12.
>>
>> How often do new rules come out on the main spamassassin.org channel? Are
>> there announcements when that happens?
>> 
>> Thanks,
>> -dg


In the past few months, there have been a few updates, but in general,
they don't change all too often. There are no announcements either that
I am aware of, unless they are on rulesemporium.com or openprotect.com.

Regards,
Jamie


RE: How to trust my "domain"?

2007-10-17 Thread James E. Pratt
>> -Original Message-
>> From: maillist [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, October 17, 2007 2:12 PM
>> To: Skip
>> Cc: users@spamassassin.apache.org
>> Subject: Re: How to trust my "domain"?
>> 
>> Skip wrote:
>> > Guess this would help:
>> >
>> > Using sendmail 8.13.8 with SA 3.2.3
>> >
>> > - Skip
>> >
>> >
>> >> From: Chris 'Xenon' Hanson [mailto:[EMAIL PROTECTED]
>> >>Usually you do this with a combination of trusted_networks
>> >> and exclusion in your scanner.
>> >>
>> >
>> >
>> 
>> You may want to look into mimedefang.  It works well with sendmail, and
>> spamassassin, as well as whatever antivirus you may be running.
>>
>> If you are already running mimedefang, and assuming that your LAN ip
>> scheme is 10.0.1., then add this bit to the sub filter_end part of
>> mimedefang-filter:
>>
>> # stopmyfilter
>> sub filter_relay($$$) {
>>     my ($ip, $name, $helo) = @_;
>>     # Anchor the match at the start so only 10.0.1.x relays are accepted;
>>     # an unanchored /10\.0\.1\./ would also match e.g. 210.0.1.x.
>>     if ($ip =~ /^10\.0\.1\./) {
>>         return ('ACCEPT_AND_NO_MORE_FILTERING', "ok");
>>     }
>>     else {
>>         return ('CONTINUE', "ok");
>>     }
>> }
>> 
>> -Aubrey


As a sidenote, I believe "filter_relay" only works if you either set
MX_RELAY_CHECK=yes in /etc/sysconfig/mimedefang, and/or use the -r
option in mimedefang's init script if not using
/etc/sysconfig/mimedefang to source startup/config options from ... 
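
An added example (not part of the original thread or of MIMEDefang itself): a relay trust check for filter_relay that compares the connecting address against a CIDR block instead of a substring pattern, since /10\.0\.1\./ without an anchor also matches addresses such as 210.0.1.25. The 10.0.1.0/24 network is taken from the post; the helper names and sample addresses are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Trusted networks as [network, prefix length]. Assumption: a single LAN /24,
# the 10.0.1.x scheme mentioned in the post.
my @TRUSTED = ( [ '10.0.1.0', 24 ] );

# Convert a dotted quad to a 32-bit integer. Returns undef for anything that
# is not a well-formed IPv4 address (IPv6 relays, empty or malformed input).
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @o = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True only if the address lies inside one of the trusted networks.
sub is_trusted_relay {
    my ($ip) = @_;
    my $addr = ip_to_int($ip);
    return 0 unless defined $addr;    # unparsable input is never trusted
    for my $net (@TRUSTED) {
        my ($base, $bits) = @$net;
        my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return 1 if ($addr & $mask) == (ip_to_int($base) & $mask);
    }
    return 0;
}

# Same arguments and return values as the filter_relay quoted in the post.
sub filter_relay {
    my ($ip, $name, $helo) = @_;
    return ('ACCEPT_AND_NO_MORE_FILTERING', "ok") if is_trusted_relay($ip);
    return ('CONTINUE', "ok");
}

# Constructed sample relays: compare the substring test with the CIDR test.
for my $ip (qw(10.0.1.25 210.0.1.25 110.0.1.9 10.0.10.1)) {
    my $substring = $ip =~ /10\.0\.1\./ ? 'match' : 'no match';
    my ($action)  = filter_relay($ip, 'unknown', 'unknown');
    printf "%-12s substring: %-8s cidr: %s\n", $ip, $substring, $action;
}
```

Any address the substring test accepts but the CIDR test does not would have skipped all further filtering under the unanchored pattern.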


RE: Bit OT but it's about SPAM

2007-10-17 Thread James E. Pratt


>> -Original Message-
>> From: Bart Schaefer [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, October 17, 2007 11:58 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: Bit OT but it's about SPAM
>> 
>> On 10/17/07, Tom Ray <[EMAIL PROTECTED]> wrote:
>> > I just thought if anyone hasn't read it yet, this article might be
>> > interesting to many of you. According to this report SPAM has now
>> > reached being 95% of all email.
>> 
>> This is hyperbole.
>> 
>> What it really means is that 95% of the mail processed by someone's
>> commercial spam filter has been classified, possibly incorrectly, as
>> spam.  The rates are much lower (though still too high for comfort) if
>> false positives are accounted for.
>> 
>> See, for example:  http://www.bcs.org/server.php?show=conWebDoc.14617

Ok.. so in reality, it's more like 80-85% no matter how you dice it ...
still way too much... :\


RE: Advice on MTA blacklist

2007-10-09 Thread James E. Pratt


>> -Original Message-
>> From: Skip [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 09, 2007 2:26 PM
>> To: users@spamassassin.apache.org
>> Subject: RE: Advice on MTA blacklist
>> 
>> > Well, in the real world, many of us who would have to scan
>> > over 150,000 inbound emails a day, of which about 85% are
>> > pure 100% spam simply don't have that luxury...
>> >
>> > We've had best results with zen.spamhaus.org , other dnsbls
>> > seem unreliable/not worth the effort
>> >
>> > regards,
>> > jp
>> 
>> Admittedly, I process more on the order of 10,000 messages a day.  But your
>> second point here is the very reason I won't use them: unreliable.  When I
>> initially rolled out SA, I was using both spamcop and spamhaus along with a
>> couple of others.  I quickly eliminated down to those two.  Then to one.
>> Then removed them entirely after about 2 months of use.
>>
>> I have a number of travelling personnel from my company.  I don't want the
>> call at 11pm on a Wednesday night or 6 am on a Sunday morning from a hotel
>> and the network they are on is on one of those lists and they can't use
>> their email.  I also have seen my ISP have a range of their network falsely
>> flagged (and it encompassed our network range) for a period of 36-48 hours.
>> That put a major dent in communication with our customers.
>>
>> I am not certain how anyone can claim that they have no FPs running through
>> those services unless they have prior knowledge of every inbound email.
>> That is impossible.  My company deals with on the order of thousands of
>> companies and multiple times that in email addresses.  There is no way to
>> know how many of those systems were falsely (or correctly) placed on a
>> blacklist at any point in time.
>> 
>> - Skip

Good points... I'm certainly not claiming we have no fp's from spamhaus,
but since no one has complained in over a year, why would I stop now and
bring the server to its knees? Sure, I'd love to accept and scan them
all but we simply don't have the resources...


RE: Advice on MTA blacklist

2007-10-09 Thread James E. Pratt
>> -Original Message-
>> From: Skip [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, October 09, 2007 1:17 PM
>> To: users@spamassassin.apache.org
>> Subject: RE: Advice on MTA blacklist
>> 
>> None.  I'd rather bump up my system resources than allow a system completely
>> out of my control to assess whether or not mail should run through my MTA
>> and SA.
>> 
>> - Skip


Well, in the real world, many of us who would have to scan over 150,000
inbound emails a day, of which about 85% are pure 100% spam simply don't
have that luxury... 

We've had best results with zen.spamhaus.org , other dnsbls seem
unreliable/not worth the effort

regards,
jp


RE: Botnet 0.8 Plugin is available (FINALLY!!!)

2007-09-28 Thread James E. Pratt

>> -Original Message-
>> From: hanz [mailto:[EMAIL PROTECTED]
>> Sent: Friday, September 28, 2007 4:31 PM
>> To: users@spamassassin.apache.org
>> Subject: RE: Botnet 0.8 Plugin is available (FINALLY!!!)
>> 
>> 
>> Thanks for confirming how botnet works.  This is exactly the problem!
>> 
>> Botnet.pm is only checking the LAST IP and not the FIRST in the example
>> email.
>>
>> The first IP in the list is a definite botnet source but botnet.pm does not
>> detect this as a botnet email.
>> 
>> hanz
>> 
>> 
>> Jason Bertoch [Electronet] wrote:
>> >
>> > On Friday, September 28, 2007 4:06 PM hanz wrote:
>> >
>> >>
>> >> looking at the debug code, I notice that botnet.pm version 0.8 is only
>> >> checking the last server IP and not all IPs in the path.
>> >>
>> >
>> > A botnet sends mail directly from the infected source, rather than relay
>> > it via the ISP's mail server.  Any previous received headers would be
>> > forged so there's no point in checking them.
>> >
>> >
>> > Jason
>> >
>> >
>> >
>> 
>> --
>> View this message in context:
>> http://www.nabble.com/Botnet-0.8-Plugin-is-available-%28FINALLY%21%21%21%29-tf4221965.html#a12948014
>> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Yes, but in most cases, it is the LAST ip that is part of the botnet
(ie, it connected to your server LAST.) - checking all of the IP's I
believe would be counterproductive and just add to false-positives. Btw
- it appears you are using botnet in the wrong place if this email only
traversed Rutgers.edu servers, minus the first bot-net IP - it should be
running on your internet-facing relay, not internal relays... that's
just weird IMO...

Regards,
jamie  


RE: List of 600,000 IP addresses of virus infected computers

2007-09-11 Thread James E. Pratt
I think I speak for many when I ask you that you please take your
remarks off-list. I definitely don't want or need this type of garbage
in my inbox.

Thanks,
jamie

-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 11, 2007 11:30 AM
To: users@spamassassin.apache.org
Subject: Re: List of 600,000 IP addresses of virus infected computers

Screw you.



RE: Newbie, Has Questions

2007-03-30 Thread James E. Pratt


>My email server is Scalix, which appears to use Sendmail as its engine.
>My SA is already tagging messages as Spam (fast learner), but like I said,
>rather than deliver them, I want to just throw them out.  No, I don't think
>Sendmail supports maildir.
>
>I run on FC3. Sorry, I can't help you with Sendmail. But if it doesn't
>support maildir, I think you'll have problems getting spam to go to a
>junk folder.

If you can figure out what program does scalix's local delivery
(procmail maybe/hopefully?) from whatever your running sendmail.cf/.mc
says it is, then possibly change it to dump all spam mails to a file
instead. It's fairly simple to do with mimedefang and sendmail, anyhow,
despite no support for maildir.. 

Regards,
jamie



RE: whitelisting yahoogroups.com

2007-03-28 Thread James E. Pratt
No, as I understand it, whitelist_from_rcvd checks relaying domain,
whitelist_from is a "blanket-whitelist" that only checks from header -
Only mail that matches: [EMAIL PROTECTED] sent from actual
yahoo.com relays will get whitelisted. (Sorry I forgot my "-" before!)

It appears this may not work anymore anyhow, since I'm seeing stuff
like:

from=<[EMAIL PROTECTED]
ahoo.com>

in the maillog lately... :\

Regards,
Jamie


-Original Message-
From: Ilya Vishnyakov [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 28, 2007 2:42 PM
To: James E. Pratt
Cc: users@spamassassin.apache.org
Subject: Re: whitelisting yahoogroups.com

Does this mean

whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com

That all mail coming from yahoo will be in the whitelist?
I certainly don't want this to happen.


James E. Pratt wrote:
> But, wouldn't that allow a spammer spoofing using that address
> "full-spammer-access"?
>
> I use:
>
> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
> regards, jamie
>
> -Original Message- From: maillist
> [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 28, 2007 2:34
> PM To: Ilya Vishnyakov Cc: users@spamassassin.apache.org Subject:
> Re: whitelisting yahoogroups.com
>
> Ilya Vishnyakov wrote: Hmm. Hello Spamassassin Gurus! I'm having
> difficulties with yahoogroups.com emails. I whitelisted them as
> [EMAIL PROTECTED] , but emails still get into the spam. Is
> there any other way that I can whitelist it? I attach 2 screenshots
> with the headers for your convenience. Thank you in advance!

> Just whitelist like this:

> whitelist_from  @yahoogroups.com


> -=Aubrey=-





RE: whitelisting yahoogroups.com

2007-03-28 Thread James E. Pratt
But, wouldn't that allow a spammer spoofing using that address
"full-spammer-access"?

I use:

whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com

regards,
jamie

-Original Message-
From: maillist [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 28, 2007 2:34 PM
To: Ilya Vishnyakov
Cc: users@spamassassin.apache.org
Subject: Re: whitelisting yahoogroups.com

Ilya Vishnyakov wrote:
> Hmm. Hello Spamassassin Gurus!
> I'm having difficulties with yahoogroups.com emails. I whitelisted
> them as [EMAIL PROTECTED] , but emails still get into the
> spam. Is there any other way that I can whitelist it?
> I attach 2 screenshots with the headers for your convenience.
> Thank you in advance!
>   

Just whitelist like this:

whitelist_from  @yahoogroups.com


-=Aubrey=-
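
The difference between the two directives in this thread, as an added example that is not part of any post and is not SpamAssassin's own code: a simplified Python model in which `whitelist_from` looks only at the sender address, while `whitelist_from_rcvd` also requires the reverse DNS of the relay that handed the message to your own trusted MTA to fall under the given domain. The pattern `*@yahoogroups.com`, the sample addresses and the hostnames are constructed (the address in the posts is redacted).

```python
import re

def glob_to_regex(pattern):
    """Address patterns are file-glob style: only * and ? are wildcards."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(body + r"\Z", re.IGNORECASE)

def rdns_in_domain(rdns, domain):
    """True if rdns is the domain itself or a host below it (label boundary)."""
    rdns, domain = rdns.lower().rstrip("."), domain.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)

def whitelist_from(pattern, msg):
    # Looks only at the sender address, which the sender chooses freely.
    return bool(glob_to_regex(pattern).match(msg["from"]))

def whitelist_from_rcvd(pattern, domain, msg):
    # Also requires the rDNS of the host that handed the mail to our own
    # trusted MTA, a value recorded by our server rather than by the sender.
    return whitelist_from(pattern, msg) and rdns_in_domain(msg["relay_rdns"], domain)

# Constructed sample messages (addresses and hostnames are made up).
SENDER = "list-owner@yahoogroups.com"
MESSAGES = {
    "genuine":   {"from": SENDER, "relay_rdns": "mta1.constructed.yahoo.com"},
    "spoofed":   {"from": SENDER, "relay_rdns": "host7.dynamic.example.net"},
    "lookalike": {"from": SENDER, "relay_rdns": "mail.notyahoo.com"},
    "no_rdns":   {"from": SENDER, "relay_rdns": ""},
}

def evaluate(pattern="*@yahoogroups.com", domain="yahoo.com"):
    """Return {name: (whitelist_from hit, whitelist_from_rcvd hit)}."""
    return {name: (whitelist_from(pattern, m),
                   whitelist_from_rcvd(pattern, domain, m))
            for name, m in MESSAGES.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(name, hits)
```

The relay check is only as good as the receiver's notion of which hops are its own, so it depends on the trusted/internal network settings being correct for the site.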


Pyzor issue since upgrade to 3.1.3

2006-06-06 Thread James E. Pratt

Hi. Ever since I updated a test relay to SA 3.1.3 from 3.1.2, pyzor
(0.40) has stopped(?) working ...

spamassassin -D --lint


[7207] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[7207] dbg: info: entering helper-app run mode
[7207] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin72070f78SItmp
[7208] dbg: util: setuid: ruid=0 euid=0
[7207] dbg: pyzor: killed stale helper [7208]
[7207] dbg: pyzor: [7208] terminated: exit=0x000f
[7207] dbg: info: leaving helper-app run mode
[7207] dbg: pyzor: check timed out after 5 seconds


It's been doing this since the update; no pyzor checks seem to work
anymore, judging from test spam reports etc. Anyone else seeing this?
I've tried the "patched" version of pyzor and the unpatched version.

I'm running with sendmail 8.13.6, mimedefang 2.56, latest Dcc/razor2
(both still work great) - all else seems to work fine...

Any ideas? I've googled for it, but no luck...

(This is from my sa-mimedefang.cf - takes the place of sa's default
system-wide default local.cf with mimedefang) :

## pyzor opts
use_pyzor   1
pyzor_options --homedir /etc/mail/spamassassin/.pyzor



thanks,
Jamie
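
One way to read the debug trace in the post above, as an added example (not part of the post and not SpamAssassin code). It assumes the `exit=0x000f` value is the helper's raw POSIX wait status, in which case the low seven bits give signal 15 (SIGTERM): the helper was killed by the parent at the timeout and did not fail on its own.

```python
import re
import signal

# Debug lines copied from the post above (the wrapped "opening pipe" line is joined).
SAMPLE_LOG = """\
[7207] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[7207] dbg: info: entering helper-app run mode
[7207] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin72070f78SItmp
[7208] dbg: util: setuid: ruid=0 euid=0
[7207] dbg: pyzor: killed stale helper [7208]
[7207] dbg: pyzor: [7208] terminated: exit=0x000f
[7207] dbg: info: leaving helper-app run mode
[7207] dbg: pyzor: check timed out after 5 seconds
"""

LINE = re.compile(r"^\[(\d+)\] dbg: ([\w-]+): (.*)$")

def decode_wait_status(status):
    """Split a raw POSIX wait status into (exit_code, signal_name)."""
    sig = status & 0x7F
    if sig == 0:
        return status >> 8, None          # normal exit: code is in the high byte
    try:
        return None, signal.Signals(sig).name
    except ValueError:
        return None, "signal %d" % sig

def diagnose(log_text):
    """Summarise what happened to the pyzor helper in one debug trace."""
    report = {"helper_pid": None, "killed_by_parent": False,
              "exit_code": None, "signal": None, "timeout_s": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "pyzor":
            continue                      # only the pyzor channel is of interest
        text = m.group(3)
        killed = re.match(r"killed stale helper \[(\d+)\]", text)
        ended = re.match(r"\[(\d+)\] terminated: .*exit=0x([0-9a-fA-F]+)", text)
        timed = re.match(r"check timed out after (\d+(?:\.\d+)?) seconds", text)
        if killed:
            report["helper_pid"] = int(killed.group(1))
            report["killed_by_parent"] = True
        elif ended:
            report["helper_pid"] = int(ended.group(1))
            report["exit_code"], report["signal"] = decode_wait_status(int(ended.group(2), 16))
        elif timed:
            report["timeout_s"] = float(timed.group(1))
    return report

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A trace that decodes this way points at the helper never answering within the timeout (for example the pyzor client waiting on its server) rather than at the helper crashing.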


RE: Re[2]: problem with using SARE rules, names longer than 22 chars

2006-05-18 Thread James E. Pratt
 

-Original Message-
From: Robert Menschel [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 18, 2006 12:22 AM
To: James E. Pratt
Cc: users@spamassassin.apache.org
Subject: Re[2]: problem with using SARE rules, names longer than 22 chars

Hello James,

Wednesday, May 17, 2006, 6:09:51 AM, you wrote:

JEP> I had the same problem with sa 3.04

JEP> Anyhow, I solved it by changing the trusted ruleset entry
JEP> "SARE_HEADER_0" to "SARE_HEADER_X31" as advised on rulesemporium.com,
JEP> and all works fine now.

Either you misread the web page, or we really weren't clear about
that.

If you use any of the HEADER rules at all, you should be using
HEADER0.  HEADER0 is designed to hit spam and only spam -- never hit
any ham (a single ham hit removes the rule from that file).

Header X31 contains those rules which have been incorporated into SA
3.1.x; if you're on 3.0, then you ALSO want header X31, but you should
not be removing Header0.

The invalid (overly long) rule name lint error has been fixed.

Bob Menschel





Thanks Bob - I didn't actually remove the ruleset file 0 itself, so I
understood that part ok - I just took it out of rules_du_jour config
file (because of the errors) - I'll add it back and try again now - (I'm
upgrading/replacing the relay with a new install of SA latest soon,
so)

Also,,, HUGE Thanks to all of you SARE Ninjas!! :)


Regards,
Jamie


RE: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread James E. Pratt
 


-Original Message-
From: Jo [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 17, 2006 9:05 AM
To: Matt Kettler
Cc: users@spamassassin.apache.org
Subject: Re: problem with using SARE rules, names longer than 22 chars

Matt Kettler wrote:
> Jo wrote:
>   
>> Hi,
>>
>> We're using spamassassin-3.0.5-3.el4 with amavisd-new-2.4.1-1.el4.rf.
>> Since yesterday I'm receiving this message when downloading the SARE
>> rules:
>>
>> ***WARNING***: spamassassin --lint failed.
>> Rolling configuration files back, not restarting SpamAssassin.
>> Rollback command is:  mv -f
>> /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf
>> /etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.2; mv -f
>> /etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.20060517-0758
>> /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf; mv -f
>> /etc/mail/spamassassin/70_sare_header0.cf
>> /etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.2; mv -f
>> /etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.20060517-0758
>> /etc/mail/spamassassin/70_sare_header0.cf;
>>
>> Lint output: warning: rule 'SARE_MULT_SEXCLUBGMAILA' is over 22 chars
>> warning: rule 'SARE_BOUNDARY_0264192082' is over 22 chars
>> warning: rule 'SARE_MSGID_HEX30XIDSRVR' is over 22 chars
>> warning: rule 'SARE_BOUNDARY_D118112147' is over 22 chars
>> warning: rule 'SARE_HEAD_MIME_INVALID32' is over 22 chars
>> warning: rule 'SARE_MULT_SUBJR_XBNCETR' is over 22 chars
>> warning: rule 'SARE_FROM_SPAM_NAME2A177' is over 22 chars
>> lint: 7 issues detected.  please rerun with debug enabled for more
>> information.
>>
>> Are these simply problems with the names? 
>> 
> Yes, but it's not really a problem.
>   
Thanks for your answer. I only saw after I sent the mail that they were 
only warnings and not errors. I'm a bit less worried now. I thought I 
had a version mismatch or something like that.
>> Would it help if I shortened those names?
>> 
> You could, or you could wait until SARE fixes the rules.
>   
Still it seems too strange to arbitrarily limit the length of those names
to 22 characters.
>> Am I really the only one who is having this problem?
>> 
> I haven't noticed it yet.
>   

I had the same problem with sa 3.04

Anyhow, I solved it by changing the trusted ruleset entry
"SARE_HEADER_0" to "SARE_HEADER_X31" as advised on rulesemporium.com,
and all works fine now.

regards,
Jamie