Re: I have developed a new method of blocking spam that's a game changer
I'd be willing to test it.

-- Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Jan 13, 2016, at 7:12 PM, Marc Perkel <supp...@junkemailfilter.com> wrote:

OK - this might sound a little unbelievable but I'm not making this up. I want to introduce this because I'm hoping to release this soon and I want to create some buzz and anticipation. I'm not going to talk about the details yet but I hope to soon. I just filed a provisional method patent on the method and tomorrow I'm going to be talking to some investor types about it. I'm also working on improving the methods I'm using, but this new trick is so accurate that 1 month ago if someone asked me if this level of accuracy was possible, I would have said - no way!

I'm calling it the Evolution Filter. The name is somewhat of a clue to how it works. I'm seeing levels of accuracy getting really close to 100%. And it's especially good at actively detecting good email so false positives are almost non-existent. I've been filtering spam now for 15 years and been on this list for about that long and I'm not the kind of guy to just make this stuff up.

My intent right now is to just get enough IP protection so I can get a license fee from the big corps. I plan on giving it away free to the little guys. So that if you have less than 10,000 email accounts it's free. Hoping to get like 1 cent per email account per year from the big guys.

Although this idea is very unique, it's actually rather simple to implement. I'm using Redis and since SA is also using Redis it should be trivial to add it to SA. My programming skills are good but not great. So the developers here should be able to do a significantly better job than me. It only took me an afternoon to implement the concept and it was already impressive with just 3 hours of learning. This is not Bayesian or remotely similar to Bayesian. It does use a DB like Bayesian does and there is learning involved. But it's probably 100x better at detecting spam and 1000x better at detecting good email.

My plan is that this technique is going to be so good that everyone is going to immediately implement it. And because of that the big boys will license it from me. The accuracy is so good that it could put many spammers out of business. It can recognize spam more accurately than I can by hand looking at someone else's email.

If someone on this list wants to verify that I'm not just smoking the wrong kind of cigarettes I'm willing to let people test it on the condition that you report back here and tell everyone what your experience is. If anyone has some feedback about how I can make this available to everyone and make a little something in licensing fees I'm definitely listening. I do want to release this to you all soon because you'll probably make it better than I have.

I have a little more info on Dvorak's blog: http://www.dvorak.org/blog/2016/01/12/i-invented-a-new-way-to-filter-spam-thinking-about-a-patent/

-- Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
Re: sa-update not updating the rules
current version is 1720996, new version is 1720996, skipping channel
1720996 == 1720996

-- Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Jan 4, 2016, at 3:19 PM, Muthu N.C <ncmu...@gmail.com> wrote:

Jan 4 13:55:47.226 [8531] dbg: channel: current version is 1720996, new version is 1720996, skipping channel
Jan 4 13:55:47.226 [8531] dbg: dia
Re: all connections being refused
Make sure it's running. Check firewall/iptables/selinux.

-- Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On Jul 29, 2015, at 12:48 PM, josh schooler <mindlessgh...@live.com> wrote:

Hello everyone, I'm having issues with spamassassin. I've recently upgraded from openSUSE 12.3 to 13.2, and while updating and getting everything turned back on I noticed my logs throwing out massive errors, running the newest version of SpamAssassin (3.4.0-82.1); I also use Exim. Example:

2015-07-29 10:31:56 1ZKVCu-0002wU-BN H=wecanhost4u.com [174.75.35.98] Warning: ACL "warn" statement skipped: condition test deferred
2015-07-29 10:31:56 1ZKVCu-0002wU-BN spam acl condition: warning - spamd connection to 127.0.0.1, port 783 failed: Connection refused
2015-07-29 10:41:30 1ZKVM9-0003Rx-TR spam acl condition: warning - spamd connection to 127.0.0.1, port 783 failed: Connection refused
2015-07-29 10:41:30 1ZKVM9-0003Rx-TR spam acl condition: all spamd servers failed
Re: Turning off queries to SORBS
dig +trace and see if your ISP is intercepting queries.

-- Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On May 12, 2015, at 8:49 PM, Chris <cpoll...@embarqmail.com> wrote:

Is there a way to turn off queries to SORBS so I don't keep seeing this in my logs:

error (connection refused) resolving '23.164.11.209.dnsbl.sorbs.net/A/IN': 67.228.187.34#53

I have Bind9 set up as a caching name server and am using 127.0.0.1 as my DNS.

Chris
-- Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
20:47:11 up 1 day, 14:56, 1 user, load average: 0.66, 0.43, 0.33
Ubuntu 14.04.2 LTS, kernel 4.0.0-997-generic #201503310205 SMP Tue Mar 31 02:07:04 UTC 2015
Re: The query to URIBL was blocked
Use only 127.0.0.1 as your DNS in /etc/resolv.conf ... Nothing else.

-- Jeremy McSpadden | Flux Labs
Local - 850-250-5590x501 | Mobile - 850-890-2543
Fax - 850-254-2955 | Toll Free - 877-699-FLUX
Web - http://www.fluxlabs.net

On May 2, 2015, at 8:31 PM, Chris <cpoll...@embarqmail.com> wrote:

Seeing this in most of the markups:

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

I installed Bind9 as a caching name server and AFAICT it's running correctly. I followed the directions here - https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04

If I go to the URIBL.com site it has a test to see which DNS server is being blocked. I ran the test and the result is:

2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 205.171.25.244]"

which is of course my ISP CenturyLink, which most places probably block. However if I:

chris@localhost:~$ dig linuxfoundation.org

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> linuxfoundation.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43647
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;linuxfoundation.org.           IN      A

;; ANSWER SECTION:
linuxfoundation.org.    9987    IN      A       140.211.169.4

;; Query time: 14 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat May 02 19:57:24 CDT 2015
;; MSG SIZE  rcvd: 64

It seems to me like it's using 192.168.0.1, which is what I have set up in my /etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.1
nameserver 127.0.0.1
search PK5001Z

and /etc/network/interfaces shows:

chris@localhost:/etc/network$ cat interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
dns-nameservers 192.168.0.1

I just can't figure out where I'm going wrong. I'm sure it's something very stupid and hoping someone can give me a kick in the head.

Chris
-- Chris
KeyID 0xE372A7DA98E6705C
31.11°N 97.89°W (Elev. 1092 ft)
20:17:41 up 5 min, 1 user, load average: 2.92, 2.56, 1.21
Ubuntu 14.04.2 LTS, kernel 4.0.0-997-generic #201503310205 SMP Tue Mar 31 02:07:04 UTC 2015
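The failure in this thread is an ordering problem: glibc sends every query to the first nameserver in /etc/resolv.conf and only falls through to the next one on timeout or error, so a router that answers promptly is the resolver the URIBL sees, no matter that 127.0.0.1 is listed below it. The check below is an added example written for this page, not SpamAssassin code or anything the posters ran; the two resolv.conf samples are constructed (the first copies the file quoted above, the second is the fix the reply recommends) and the "generated by resolvconf" heuristic is an assumption about how resolvconf(8) marks the files it manages.

```python
"""Check which resolver a SpamAssassin host will actually use for DNSBL
and URIBL lookups. Added example for this thread, not from SpamAssassin
or the original posters; both resolv.conf samples are constructed.
"""

import ipaddress

# Constructed sample 1: the file Chris quoted, with the router listed ahead
# of the local caching BIND.
BROKEN_RESOLV_CONF = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.1
nameserver 127.0.0.1
search PK5001Z
"""

# Constructed sample 2: only the local caching resolver, as the reply advises.
FIXED_RESOLV_CONF = """\
nameserver 127.0.0.1
"""


def nameservers(text):
    """Return nameserver addresses in the order glibc will try them.

    glibc queries the first server and only moves to the next on timeout or
    error, so whatever is listed first is the address every blocklist sees.
    """
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; anything unparsable is not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def check_resolv_conf(text):
    """Return a list of problems; an empty list means lookups stay local."""
    problems = []
    servers = nameservers(text)
    if not servers:
        # resolv.conf(5): with no nameserver lines glibc uses the local host,
        # which works, but making it explicit avoids surprises.
        problems.append("no nameserver lines; add 'nameserver 127.0.0.1' explicitly")
    elif not is_loopback(servers[0]):
        problems.append(
            f"first nameserver is {servers[0]}, not loopback; "
            "DNSBL/URIBL queries leave through it and the list sees the ISP resolver"
        )
    for extra in servers[1:]:
        if not is_loopback(extra):
            problems.append(f"fallback nameserver {extra} is not loopback; remove it")
    if "generated by resolvconf" in text:
        # Assumption: this header marks a resolvconf-managed file.
        problems.append(
            "file is managed by resolvconf; change dns-nameservers in "
            "/etc/network/interfaces (or the DHCP client) or this edit will be overwritten"
        )
    return problems


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN_RESOLV_CONF), ("fixed", FIXED_RESOLV_CONF)):
        print(name, nameservers(sample), check_resolv_conf(sample) or "OK")
```

Run it against the real file with `check_resolv_conf(open("/etc/resolv.conf").read())`; on the quoted configuration it reports both the router-first ordering and that resolvconf will put the router back after the next `ifup`, which is why editing the file by hand was not enough.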
Re: Lots of Polish spam
Usually scores are 6 low, 10 high. Are you running any RBLs?

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Feb 24, 2015, at 11:35 AM, Yves Goergen <nospam.l...@unclassified.de> wrote:

Hello, for a few months I'm getting lots of Polish spam to one of my e-mail addresses, sometimes a dozen per day. I have no idea what it's telling me, I don't understand a single word. I just recognise characteristic characters to know the language. Some messages have a .pl domain as sender address, others not. The sending hosts have all kinds of TLDs. Most messages have only a very short or empty body (a few words at maximum). Almost all messages contain a .zip attachment, often named like *_JPG.zip or *.pdf.zip. It doesn't seem to contain malware caught by clamav, but I haven't looked into any of these archives yet.

SpamAssassin doesn't seem to be too successful in filtering them out. I set up that mailbox to reject anything beyond 10 points. Almost all messages stay under that limit. Only occasionally, a few messages are rejected with scores up to around 15. (Other regular spam can easily reach scores in the 50s.)

Does anybody have an idea how to stop that? Are there special rule sets for that? I could provide samples of those messages if somebody is interested in it. These messages include my SpamAssassin headers so the matching rules can be seen. Unfortunately I'm not an SA wizard so I can't make new rules for such things.

-- Yves Goergen
http://unclassified.software
Re: Some tips email gateway
Are you using any RBLs with postfix?

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Feb 17, 2015, at 1:05 PM, ricky gutierrez <xserverli...@gmail.com> wrote:

Hi, I have set up a gateway filtering all spam for the business: postfix + CentOS 6.6 + amavisd-new 2.8 + clamav + spamassassin. Currently it captures 65% of spam; the other 35% gets through. I want to improve the effectiveness by building a Bayesian db. I am not an expert in postfix and spamassassin. I was thinking to leave a copy of all messages for the domain and classify emails as spam and ham, and then build the db. The problem is that postfix is only a gateway and leaves no emails locally! Has someone faced this type of situation?

-- rickygm
http://gnuforever.homelinux.com
Re: Amazon phishing spam
Content analysis details: (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.8 DKIM_ADSP_ALL          No valid author signature, domain signs all mail
-2.0 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.5 BASE64_LENGTH_79_INF   BODY: base64 encoded email part uses line length greater than 79 characters
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
 1.0 KAM_HTMLNOISE          Spam containing useless HTML padding
 4.0 LOTS_OF_MONEY          Huge... sums of money
 0.0 T_REMOTE_IMAGE         Message contains an external image

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Feb 12, 2015, at 3:25 PM, Alex Regan <mysqlstud...@gmail.com> wrote:

Hi, I was hoping someone could help me analyze this possible phishing scam: http://pastebin.com/C0YTr3Wn

It hit bayes00 for me, which is obviously a problem, but the body looks to be from an actual Amazon email with the exception of a Word document attachment, so is it all that unusual for it to hit bayes00? I've added the IP range and sender to local blocklists. Can you suggest any other possibilities for blocking these? Any ideas greatly appreciated. It's still not hitting any RBLs here for me.

Thanks,
Alex
Re: Spamassassin doesn't work
http://www.mimedefang.org/node/14

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Oct 16, 2014, at 7:32 AM, Carlo Filippetto <carlo.filippe...@gmail.com> wrote:

2014-10-16 14:21 GMT+02:00 Kevin A. McGrail <kmcgr...@pccc.com>:
Does your mimedefang filter include a spamassassin check?

This should show that mimedefang is included?

# mimedefang.pl -features
MIMEDefang version 2.75
HTML::Parser      : yes
Net::DNS          : yes
Path:CONFDIR      : yes (/etc/mail)
Path:QUARANTINEDIR: yes (/var/spool/MD-Quarantine)
Path:SENDMAIL     : yes (/usr/sbin/sendmail)
Path:SPOOLDIR     : yes (/var/spool/MIMEDefang)
SpamAssassin      : yes
Virus:CLAMAV      : yes (/usr/bin/clamscan)
Virus:CLAMD       : yes (/usr/sbin/clamd)
Re: Delays with Check_Bayes
You do not have enough HAM to kick on Bayes.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Aug 20, 2014, at 10:36 AM, "redtailjason" <ja...@redtailtechnology.com> wrote:

Aug 20 07:54:54.456 [6955] dbg: bayes: not available for scanning, only 0 ham(s) in bayes DB < 200
Re: Filters Don't Seem to Be Learning
As you can see, this message was not flagged as spam. You also have this domain on the AWL per your SA output.

X-Spam-Status: No, score=2.558 tagged_above=- required=5 tests=[AWL=-0.337, DCC_CHECK=1.1, DIGEST_MULTIPLE=0.293, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392, RP_MATCHES_RCVD=-0.001, T_DKIM_INVALID=0.01] autolearn=no

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jul 23, 2014, at 12:55 PM, "Asai" <a...@globalchangemusic.org> wrote:

Thanks for responding. What other info exactly can I provide that will help to troubleshoot this? I also train SA to look at my inbox and learn ham from it. For an example of the spam, an excerpt:

"Click here if this email isn't displaying correctly. garden a might are tonight tag update tag. mailman an pickup pod orchestra are france are. otherwise pod community an senior gen france hat. seller gen confirmation are thread hope log hat. server an club a thanks taxi password hope. engineering last honolulu tag herr ram copyrighted gen. dad taxi periodic gen command last periodic a. forward taxi greens taxi pick tag acrobat pod. personalized a otherwise are van gen damage taxi. astrology tag team taxi comic are periodic taxi."

And in the headers of this spam message:

X-Virus-Scanned: amavisd-new at globalchangemultimedia.net
X-Spam-Flag: NO
X-Spam-Score: 2.558
X-Spam-Level: **
X-Spam-Status: No, score=2.558 tagged_above=- required=5 tests=[AWL=-0.337, DCC_CHECK=1.1, DIGEST_MULTIPLE=0.293, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, PYZOR_CHECK=1.392, RP_MATCHES_RCVD=-0.001, T_DKIM_INVALID=0.01] autolearn=no

--Asai

On 7/23/14 10:49 AM, Jeremy McSpadden wrote:
Would need more info than this; rather vague. If you're receiving the same email daily it's more than likely been trained as HAM, but marked as spam through TB.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jul 23, 2014, at 12:47 PM, "Asai" <a...@globalchangemusic.org> wrote:

Greetings, I have configured my SA learn spam to check my Junk mailbox every night. In the logs I see that it's actually learning, but daily, I get the very same spams that go straight to my junk mail. The Thunderbird filters seem to be doing a better job of identifying spam in this one situation. Can anyone point me in the right direction on how to catch this spam better? Thanks.

--Asai
Re: Filters Don't Seem to Be Learning
Would need more info than this; rather vague. If you're receiving the same email daily it's more than likely been trained as HAM, but marked as spam through TB.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jul 23, 2014, at 12:47 PM, "Asai" <a...@globalchangemusic.org> wrote:

Greetings, I have configured my SA learn spam to check my Junk mailbox every night. In the logs I see that it's actually learning, but daily, I get the very same spams that go straight to my junk mail. The Thunderbird filters seem to be doing a better job of identifying spam in this one situation. Can anyone point me in the right direction on how to catch this spam better? Thanks.

--Asai
Re: Dealing with a bad network device affecting DNS lookups
Then I think we can all agree that just extending the timeout is not a fix. You have network issues that should be resolved.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jul 15, 2014, at 4:16 PM, "Quanah Gibson-Mount" <qua...@zimbra.com> wrote:

--On Tuesday, July 15, 2014 11:13 PM +0100 Martin Hepworth <max...@gmail.com> wrote:

Run your own caching server on the SA box itself, makes a surprising difference and something I always recommend

*sigh* I DO already. That still does not prevent FIRST TIME LOOKUPS from failing.

--Quanah

-- Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Dealing with a bad network device affecting DNS lookups
Have you considered running your own DNS server locally?

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jul 15, 2014, at 3:47 PM, "Quanah Gibson-Mount" <qua...@zimbra.com> wrote:

Hi, Apparently there is a network device somewhere on the network my production servers use that is causing very long delays with first time DNS lookups. This is having a significant impact on SA's ability to score spam, as the various RBL lookups time out, as well as Razor and Pyzor. I've attempted to work around this by setting:

pyzor_timeout 60
razor_timeout 60
dcc_timeout 60
rbl_timeout 45 30

but I'm still seeing lookups being aborted. Here's an example of the problem:

Jul 15 13:27:38 edge02 amavis[27683]: (27683-03) spam-tag, <deg...@fullbaluster.co.uk> -> <x...@zimbra.com>, No, score=0.984 tagged_above=-10 required=3 tests=[BAYES_00=-0.05, DCC_CHECK=1.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RP_MATCHES_RCVD=-0.8, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no

Same email 2 seconds later, we can see Razor scoring is now there:

Jul 15 13:28:40 edge02 amavis[27682]: (27682-06) spam-tag, <deg...@fullbaluster.co.uk> -> <x...@zimbra.com>,<a...@zimbra.com>, Yes, score=6.413 tagged_above=-10 required=3 tests=[BAYES_00=-0.05, DCC_CHECK=1.1, DIGEST_MULTIPLE=0.293, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=2.75, RP_MATCHES_RCVD=-0.8, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no

So the second time it comes through, we get a valid spam tag. I most often see this with RBL lookups, which is a huge problem for scoring. Here's another example:

First time run:

X-Spam-Status: No, score=4.8 required=5.0 tests=DKIM_SIGNED, HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,HTML_MESSAGE, RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=no autolearn_force=no version=3.4.0

Second time run:

X-Spam-Status: Yes, score=5.2 required=5.0 tests=DKIM_SIGNED, HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,HTML_MESSAGE,NO_DNS_FOR_FROM, RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=no autolearn_force=no version=3.4.0

Note how "NO_DNS_FOR_FROM" is now added to the score set. In the successful run, I have:

Jul 15 15:32:27.498 [52317] dbg: async: completed in 5.322 s: NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:askpcm.com

In the unsuccessful run, I have:

Jul 15 15:28:14.563 [48690] dbg: async: aborting after 25.456 s, deadline shrunk: NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:askpcm.com

The next run, I have:

Jul 15 15:32:27.498 [52317] dbg: async: completed in 5.322 s: NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:askpcm.com

So clearly my timeout values (45, 30) are not being honored, since 25 seconds < 30 second minimum. Is there any way to set a global value of 60 seconds MINIMUM for all tests, period?

Thanks!

--Quanah

-- Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
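Before touching `rbl_timeout`, it helps to know, per rule, how many lookups were aborted and how long the same lookups take on the occasions they do finish: a lookup that only completes in 5 s on a retry, as the MX lookup above does, is a path problem rather than a tuning problem, which is the point the reply makes. The summariser below is an added example written for this page, not SpamAssassin code and not something the poster ran. It parses the two `dbg: async:` result forms quoted above (`completed in N s:` and `aborting after N s, deadline shrunk:`); SAMPLE_LOG contains those two real lines plus constructed lines of the same shape (the RCVD_IN_BL_SPAMCOP_NET and URIBL_BLACK entries, their query keys and the trailing `starting:` line are invented for the demo).

```python
"""Summarise SpamAssassin 'dbg: async:' lines so you can see which DNS
lookups were aborted and how long the same lookups take when they do
finish. Added example for this thread, not SpamAssassin code; SAMPLE_LOG
mixes the two lines quoted above with constructed lines of the same shape.
"""

import math
import re
from collections import defaultdict

# Matches the two result forms seen in the thread; other async chatter
# (e.g. "starting:" lines) is deliberately ignored.
ASYNC_RESULT = re.compile(
    r"dbg: async: (?:completed in (?P<done>\d+\.\d+) s"
    r"|aborting after (?P<abort>\d+\.\d+) s, deadline shrunk)"
    r": (?P<rule>[^,]+), (?P<type>[^,]+), (?P<key>\S+)"
)

# Constructed sample: lines 1 and 4 are quoted in the thread, the rest are
# invented in the same format for illustration.
SAMPLE_LOG = """\
Jul 15 15:28:14.563 [48690] dbg: async: aborting after 25.456 s, deadline shrunk: NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:askpcm.com
Jul 15 15:28:14.564 [48690] dbg: async: aborting after 25.461 s, deadline shrunk: RCVD_IN_BL_SPAMCOP_NET, DNSBL-A, dns:A:4.3.2.1.bl.spamcop.net
Jul 15 15:28:14.570 [48690] dbg: async: completed in 0.041 s: URIBL_BLACK, URIBL-A, dns:A:example.test.multi.uribl.com
Jul 15 15:32:27.498 [52317] dbg: async: completed in 5.322 s: NO_DNS_FOR_FROM, DNSBL-MX, dns:MX:askpcm.com
Jul 15 15:32:27.510 [52317] dbg: async: completed in 0.038 s: URIBL_BLACK, URIBL-A, dns:A:example.test.multi.uribl.com
Jul 15 15:32:27.511 [52317] dbg: async: starting: DNSBL-A, dns:A:4.3.2.1.bl.spamcop.net
"""


def parse_async_results(text):
    """Turn each completed/aborted line into a dict; skip everything else."""
    events = []
    for line in text.splitlines():
        m = ASYNC_RESULT.search(line)
        if not m:
            continue
        aborted = m.group("abort") is not None
        events.append({
            "rule": m.group("rule"),
            "type": m.group("type"),
            "key": m.group("key"),
            "seconds": float(m.group("abort") if aborted else m.group("done")),
            "aborted": aborted,
        })
    return events


def summarize(events):
    """Per rule: completed count, aborted count, slowest successful time,
    and which query keys never came back."""
    stats = defaultdict(lambda: {
        "completed": 0, "aborted": 0, "slowest_ok": 0.0, "aborted_keys": [],
    })
    for ev in events:
        s = stats[ev["rule"]]
        if ev["aborted"]:
            s["aborted"] += 1
            s["aborted_keys"].append(ev["key"])
        else:
            s["completed"] += 1
            s["slowest_ok"] = max(s["slowest_ok"], ev["seconds"])
    return dict(stats)


def timeout_floor_hint(events):
    """Whole seconds that would have covered every lookup which did complete.

    Aborted lookups contribute nothing on purpose: if a lookup only finishes
    after 25 s on a retry, raising rbl_timeout makes every scan slower while
    the network path that stalls first-time lookups still needs fixing.
    """
    done = [ev["seconds"] for ev in events if not ev["aborted"]]
    return math.ceil(max(done)) if done else 0


if __name__ == "__main__":
    events = parse_async_results(SAMPLE_LOG)
    for rule, s in sorted(summarize(events).items()):
        print(f"{rule:24s} ok={s['completed']} aborted={s['aborted']} "
              f"slowest_ok={s['slowest_ok']:.3f}s aborted_keys={s['aborted_keys']}")
    print("rbl_timeout floor covering completed lookups:", timeout_floor_hint(events))
```

Feed it the output of `spamassassin -D async < message` collected over a day of traffic (or the spamd log with `-D async` enabled); rules whose aborted keys are the same hostnames that later complete quickly point at the device the poster is chasing, not at the configured minimum.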
Re: production MTA not doing URIBL lookups, why?
What does a debug output show? On both .. Pastebin.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jul 11, 2014, at 4:34 PM, "Quanah Gibson-Mount" <qua...@zimbra.com> wrote:

For some reason, my production MTA is not doing URIBL lookups for spam scoring, for no obvious reason. If I run a message through via the command line, I see the same behavior. If I run it through a test server, I see URIBL scores hit like mad. I do not appear to be blocked on my production MTA:

[zimbra@edge01 ~]$ host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

Message scoring for an obvious spam on prod gets:

No, score=-0.8 required=5.0 tests=HTML_FONT_LOW_CONTRAST, HTML_IMAGE_RATIO_06,HTML_MESSAGE,RP_MATCHES_RCVD,T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=unavailable autolearn_force=no version=3.4.0

On my test server, I get:

Yes, score=8.2 required=5.0 tests=DKIM_SIGNED, HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_06,HTML_MESSAGE, RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RCVD_IN_SBL, RP_MATCHES_RCVD,SPF_HELO_PASS,T_DKIM_INVALID,UNPARSEABLE_RELAY,URIBL_BLACK, URIBL_DBL_SPAM,URIBL_SBL,URIBL_SBL_A autolearn=no autolearn_force=no version=3.4.0

Obviously, I'd like my production server to be catching spam. ;)

--Quanah

-- Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: getting tons of SPAM
Pastebin .. and do not edit the message, do not remove headers or email addresses.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955
Re: getting tons of SPAM
No mention of RBLs or greylisting ...

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jul 1, 2014, at 2:06 PM, "Steve Bergman" <sbergma...@gmail.com> wrote:

Hey motty cruz,

I just moved our 100 users over from our ISP's mail servers to our own. Apparently, the ISP's mail servers were doing remarkably well. Because it turns out that we get some 5000 spams a day, and users were getting essentially no spam. Then I upgraded us to a new OS on our Debian/X2Go/MATE desktop server, and moved us to our own mail server, and the spam was coming through like water through the sluice gates of a dam. It didn't help that I'd moved everyone from Evolution to Thunderbird. So the client Bayesian spam filters were completely untrained.

So I installed SA on the server. That helped. But it wasn't enough. I compiled up DCC and installed Pyzor, and that helped some. (Though SA's Pyzor support had some teething problems, as you can see from my recent posts, which I think may be now resolved.)

What SA really needs is for its own Bayesian filter to kick in. But to be used at all, you need at least 200 ham and 200 spam messages registered with it. i.e. you have to have a way to train the filter. I don't really have much confidence in "autolearn". And I'm a little scared of it. So I turned it off. We use Dovecot. So I used the dovecot-antispam plugin to automatically train SA when mail gets moved in or out of the Junk folder. (It handles the moving of mail from Junk into Trash or regular folders intelligently and appropriately.)

But that only solved half the problem. You need 200 hams and 200 spams. Mail was not getting marked as ham when it went into the Inboxes. So I wrote a script that could be called from the users' .forward files to mark messages as ham. Then if the user, or Thunderbird's own spam filter, chooses to move it to Junk, it gets relearned as spam.

Finally, to deal with many of the false positives I was getting with SA, I wrote a script, executed from cron, which takes new mail in the users' Sent folders and whitelists the recipients with SpamAssassin in the users' own individual user_prefs files.

This is what it took before I was really happy with the performance of SA. Well... that and adding a 1 second sleep after connection in the Postfix configuration. That made a huge difference. But our mail volume is small enough that the 1 second sleep doesn't cause any problems as it would on a really high volume server.

I hope that rough outline is helpful to you in some way. However, having come through all that, I find myself wondering if we should simply impose capital punishment for the crime of spamming, or if more drastic action is indicated. ;-)
Re: getting tons of SPAM
... A catchall?

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jun 26, 2014, at 9:24 AM, "motty cruz" <motty.c...@gmail.com> wrote:

X-Original-To: catch...@fqdn.com
Delivered-To: catch...@fqdn.com
Re: Bayes Filter Not Working
Try adding -U to your MailScanner #! (shebang) line.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jun 24, 2014, at 5:42 PM, "Bruce Sackett" <br...@oecnw.com> wrote:

failed: Insecure dependency in
Re: CentOS/RHEL repo?
Centalt may have it. I'm not sure. 3.4 is still fairly new.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Fri, Mar 14, 2014 at 2:01 PM -0700, "Bowie Bailey" <bowie_bai...@buc.com> wrote:

Which is the best repo to use for SpamAssassin? In the past, I have installed it via CPAN or used RPMForge. I'm trying to avoid non-rpm installs on my new server, and RPMForge and the CentOS base are both behind on the versions (3.3.1 and 3.3.2). I just found the link to the SpamTips.org packages, but that is also at 3.3.2 right now.

I have built rpms from source with a provided spec file for other packages. There is no spec file included with the source in this case. Could I grab the spec file from one of the existing rpms and use it to build the latest version, or would I run into problems doing that?

Thanks,
Bowie
Re: dependency hell
You've still left us all wondering what the purpose of that machine is, considering it has no internet access.

-- Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x101 | Cell : 850-890-2543 | Fax : 850-254-2955

On Nov 15, 2013, at 9:39 AM, Jay G. Scott <g...@arlut.utexas.edu> wrote:

Sorry. Haven't been able to work on this for several weeks. (I'm the OP.)
Re: Errors when processing mail.
Check as to why this directory/file doesn't exist, or change paths.

-- Jeremy McSpadden
Flux Labs, Inc | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x101 | Cell : 850-890-2543 | Fax : 850-254-2955

On Jul 14, 2013, at 5:16 PM, "Christian Dysthe" <cdys...@gmail.com> wrote:

/nonexistent/.spamassassin/bayes.lock: No such file or directory
Re: Bayes - Problem using SQLite
SQLite is/can be extremely slow with inserts/updates. It uses a temporary file for each write operation. It also waits for the OS to complete the insert/update. ... That's all assuming you can even get it working.

-- Jeremy McSpadden
Flux Labs, Inc | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x101 | Cell : 850-890-2543 | Fax : 850-254-2955

On Mar 19, 2013, at 2:22 PM, Walter Hurry <walterhu...@gmail.com> wrote:

I am experimenting with using SQLite for my Bayes db. However when I start spamd, it reports the following in /var/log/maillog:

bayes: tok_get_all: SQL error: no such function: RPAD

This is correct, in that SQLite does not support RPAD. I believe this call is in SQL.pm (part of Mail::SpamAssassin::BayesStore). Is it possible to hack that module in any way to work around the issue? Sorry if this is too simple a question; whilst I am familiar with SQL, I know nothing of perl. In case it matters, this is SA 3.3.2.
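On the RPAD question itself: SQLite has no RPAD(), but the process that opens the database can register one as a user-defined function, which is the shape of the workaround the question asks about and avoids editing the query in SQL.pm. The example below is added for this page in Python's sqlite3 module to show the mechanism; it is not SpamAssassin code, and since BayesStore::SQL is Perl the real fix would register the function through DBD::SQLite instead (assumption: that driver exposes the equivalent create_function hook). The `bayes_token` table and rows here are constructed for the demo and are not the real Bayes schema; the MySQL-style semantics of `rpad` (truncate when the value is already longer, NULL in gives NULL out) are an assumption about what the original query expects.

```python
"""Register an RPAD() user-defined function in SQLite and show the
'no such function: RPAD' error going away. Added example for this thread,
not SpamAssassin code; table and rows are constructed.
"""

import sqlite3


def rpad(value, length, pad=" "):
    """RPAD with MySQL semantics (assumed): pad on the right with PAD up to
    LENGTH, truncate when VALUE is already longer, NULL in gives NULL out."""
    if value is None:
        return None
    if isinstance(value, bytes):
        padb = pad.encode() if isinstance(pad, str) else pad
        reps = length // max(len(padb), 1) + 1
        return (value + padb * reps)[:max(length, 0)]
    text = str(value)
    reps = length // max(len(pad), 1) + 1
    return (text + pad * reps)[:max(length, 0)]


def plain_connection():
    """An in-memory database with no RPAD, as SQLite ships."""
    return sqlite3.connect(":memory:")


def connection_with_rpad():
    """Same database, with RPAD registered for the 2- and 3-argument forms."""
    conn = plain_connection()
    conn.create_function("RPAD", 3, rpad)
    conn.create_function("RPAD", 2, lambda v, n: rpad(v, n))
    return conn


def rpad_available(conn):
    """True if RPAD can be called; False on SQLite's 'no such function'
    error, the same error spamd logged in the thread."""
    try:
        conn.execute("SELECT RPAD('x', 3, ' ')")
        return True
    except sqlite3.OperationalError as err:
        if "no such function" in str(err):
            return False
        raise


def demo_query():
    """Run a query using RPAD, standing in for the one in BayesStore::SQL,
    against constructed rows (not the real Bayes schema)."""
    conn = connection_with_rpad()
    conn.execute(
        "CREATE TABLE bayes_token (token TEXT PRIMARY KEY, "
        "spam_count INTEGER, ham_count INTEGER)"
    )
    conn.executemany(
        "INSERT INTO bayes_token VALUES (?, ?, ?)",
        [("abc", 3, 0), ("de", 0, 5)],
    )
    rows = conn.execute(
        "SELECT token, RPAD(token, 5, '0'), spam_count "
        "FROM bayes_token ORDER BY token"
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print("RPAD without registration:", rpad_available(plain_connection()))
    print("RPAD after registration:  ", rpad_available(connection_with_rpad()))
    print(demo_query())
```

The function has to be registered on every connection the scanning process opens, so in the spamd case it belongs in the code that creates the DBI handle rather than in a one-off script; that is the part a Perl change to BayesStore would have to carry.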
Re: Is the SpamAssassin wiki dead?
Kevin added you back on the 31st.

Should be done. Happy new year, KAM

On 12/28/2012 7:53 AM, Jeremy Morton wrote:
Hi, Please add me to the Contributors Group with the wiki username jez.

-- Jeremy McSpadden
Flux Labs | Endless Solutions
Cell : 850-890-2543 | Fax : 850-254-2955

On Jan 6, 2013, at 6:50 AM, "Jeremy Morton" <ad...@game-point.net> wrote:

I've been trying to get edit access to the SpamAssassin wiki now for weeks, and have gotten nowhere. Is the wiki just dead now? Should someone else start a documentation project for SpamAssassin? It's pretty ludicrous that nobody even seems to care about letting people improve the documentation when they are willing to do so.

-- Best regards,
Jeremy Morton (Jez)
Re: Somewhat OT: Is this wrong?
Microsoft handles SPF using the Edge Transport service, in 2010. If it is configured on the domain. You are correct with the article, although 2003 is old ...

-- Jeremy McSpadden
Flux Labs, Inc | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590 x 101 | Cell : 850-890-2543 | Fax : 850-254-2955

On Aug 24, 2012, at 9:58 AM, Ned Slider <n...@unixmail.co.uk> wrote:

On 24/08/12 15:37, David F. Skoll wrote:

Hi, Somewhat OT, but I figure there are SPF experts here: http://technet.microsoft.com/en-us/library/aa995992.aspx

It appears to me that Microsoft uses header sender/from addresses to do an SPF lookup (see "How Sender ID Works"). Am I the only one who thinks this is utterly wrong? To me, this is pretty clear: http://www.openspf.org/FAQ/Envelope_from_scope

Regards,
David.

The Microsoft Sender ID system is not the same as SPF. See here: http://www.openspf.org/SPF_vs_Sender_ID

Hope that helps.
Re: Somewhat OT: Is this wrong?
Topic Last Modified: 2006-04-05

http://technet.microsoft.com/en-us/library/aa996295.aspx .. for Exchange 2010

-- Jeremy McSpadden
Flux Labs, Inc | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590 x 101 | Cell : 850-890-2543 | Fax : 850-254-2955

On Aug 24, 2012, at 9:37 AM, "David F. Skoll" <d...@roaringpenguin.com> wrote:

Hi, Somewhat OT, but I figure there are SPF experts here: http://technet.microsoft.com/en-us/library/aa995992.aspx

It appears to me that Microsoft uses header sender/from addresses to do an SPF lookup (see "How Sender ID Works"). Am I the only one who thinks this is utterly wrong? To me, this is pretty clear: http://www.openspf.org/FAQ/Envelope_from_scope

Regards,
David.
Pyzor broke after update
messages:

Jun 15 10:12:28 smtp1 python: abrt: detected unhandled Python exception in /usr/bin/pyzor
Jun 15 10:12:28 smtp1 abrtd: New client connected
Jun 15 10:12:28 smtp1 abrtd: Directory 'pyhook-2012-06-15-10:12:28-32379' creation detected
Jun 15 10:12:28 smtp1 abrt-server[32380]: Saved Python crash dump of pid 32379 to /var/spool/abrt/pyhook-2012-06-15-10:12:28-32379
Jun 15 10:12:28 smtp1 abrt-server[32380]: statvfs('(null)'): Bad address
Jun 15 10:12:28 smtp1 abrtd: Package 'pyzor' isn't signed with proper key
Jun 15 10:12:28 smtp1 abrtd: Corrupted or bad dump /var/spool/abrt/pyhook-2012-06-15-10:12:28-32379 (res:2), deleting
Jun 15 10:12:31 smtp1 MailScanner: Process did not exit cleanly, returned 2 with signal 0

I am getting the message above after updating MS yesterday. Unable to trace this one back.

[root@smtp1 ~]# spamassassin -D pyzor < sample-spam.txt
Jun 15 10:13:45.440 [742] dbg: pyzor: network tests on, attempting Pyzor
Jun 15 10:13:47.833 [742] dbg: pyzor: pyzor is available: /usr/bin/pyzor
Jun 15 10:13:47.834 [742] dbg: pyzor: opening pipe: /usr/bin/pyzor check < /tmp/.spamassassin742YetsRQtmp
Jun 15 10:13:48.083 [742] dbg: pyzor: [745] finished successfully
Jun 15 10:13:48.083 [742] dbg: pyzor: got response: public.pyzor.org:24441 (200, 'OK') 351 0

MailScanner --lint --debug:
pyzor: check failed: internal error, python traceback seen in response

But cannot find the trace

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-250-5590
Cell : 850-890-2543
Fax : 850-254-2955
Re: Missed SPAM
Post what you feel. The ML will help if they can. You can replace IPs and domains etc.

--
Jeremy McSpadden

On Mar 31, 2012, at 11:19 AM, "joea" wrote:

>>>> On 3/31/2012 at 8:22 AM, Michael Scheidell wrote:
>> On 3/31/12 8:04 AM, joea wrote:
>>> starting below my local and MP details? Hopefully, the latter, as the
>>> former leaves me feeling a bit exposed.
>>>
>> we already know everything you think you want to hide.
>
> Well, let's hope not . . .
>
>> if you need help, you need enough full information.
>> Or, you make the pastebin 'private', and send the link offlist to
>> someone who has volunteered to help. . . . .
>>
>
> If there are more volunteers, beyond the presumed one . . . feel free to . . .
>
>>
>> munging the headers with 'somehost.somenet.sometld [1.1.1.1]' helps no
>> one at all.
>>
>> What information is important might not be apparent to you.
>
> Well, true as that may be, I cannot fathom how munging any IP or
> hostname between final drop and fetch from MSP could have any bearing
> on the issue.
>
>> If it was, you might have solved the problem yourself.
>
> Perhaps . . .
>
> Beyond that, where can I find the difference, in a SPAM learning sense,
> between "sa-learn --spam filename" and "spamassassin -r < filename"?
>
> If I do the sa-learn on the same file, after doing spamassassin, it tells me
> 0 tokens.
> If I then do "sa-learn --forget filename", then "sa-learn --spam filename" it
> tells me 1 token learned.
>
> I infer from this they perform similar or the same function, from a Bayes
> sense.
>
> joe a.
>
>> --
>> Michael Scheidell, CTO
>> o: 561-999-5000
>> d: 561-948-2259
>>> *| *SECNAP Network Security Corporation
Re: sa-update
Sa-update should reload SA, therefore reloading rules. What error are you getting ?

--
Jeremy McSpadden

On Mar 26, 2012, at 9:46 PM, "j...@j4computers.com" wrote:

> After running sa-update, will restarting spamd load the new rulesets? I see
> references to "spamassassin reload" but that seems to present an error
> message.
Re: uribl lastminute.com listed in uribl whte and is now used for nordea phisting mails (SOLVED)
Leap Year

--
Jeremy McSpadden

On Mar 2, 2012, at 11:11 AM, "Benny Pedersen" wrote:

> On 2012-03-02 17:50, Axb wrote:
>> On 03/02/2012 05:36 PM, Benny Pedersen wrote:
>>> just a note to whom it might concern :)
>> why no pastebin a sample?
>
> february had 29 days this year ?
>
> its being resolved, sorry for the noise
Re: uribl lastminute.com listed in uribl whte and is now used for nordea phisting mails
Ha. Nice

--
Jeremy McSpadden

On Mar 2, 2012, at 10:38 AM, "Michael Scheidell" wrote:

> On 3/2/12 11:36 AM, Benny Pedersen wrote:
>> just a note to whom it might concern :)
>>
> phisting?
>
> OUCH.
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> *| *SECNAP Network Security Corporation
>
> * Best Mobile Solutions Product of 2011
> * Best Intrusion Prevention Product
> * Hot Company Finalist 2011
> * Best Email Security Product
> * Certified SNORT Integrator
>
> __
> This email has been scanned and certified safe by SpammerTrap(r). For
> Information please see http://www.spammertrap.com/
> __
Re: Spam messages with no payload
For starters, you're using qmail. I know postfix will give you more protection up front with just rbl and certain restrictions that would help quite a bit. Are you running any rbl or dns checks with qmail?

--
Jeremy McSpadden

On Feb 19, 2012, at 4:46 PM, "Jason Haar" wrote:

> I know what you mean - see if anyone can figure out what this one was
> about! I think they're just screwing with us :-/
>
> (I mean, do they seriously think people are going to reply "excuse me,
> did you mean to send this to me?" and take it from there?)
>
> http://pastebin.com/MCwFrP6C
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Spam messages with no payload
Can you pastebin some sample messages + headers ?

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On 2/18/12 6:55 PM, "neon_overload" wrote:

> I'm convinced that spammers are using me as a guinea pig.
>
> I'm getting hit pretty hard by just a few determined spammers at the moment
> who seem to vary their spam signature every day or so (they sent out through
> thousands of free accounts at free email providers, so can't use client
> DNSBL). But every now and again, I'll get a spam from them that follows
> pretty much the same pattern as everything else, except that the vital
> ingredient - the link to their spam site or any mention of what they are
> promoting - is not there. Just the formatting and the random words. And
> these mails get right through my spam filter.
>
> It's as if they are just sending out a test run when they come up with a new
> pattern, to see if it increases their bounce rate or something.
>
> BAYES_99 often hits on them, but I don't want to reject email just because
> it hits BAYES_99. The thing is, it's difficult to classify these emails
> even manually as spam or not spam, so it'd be hard to come up with rules to
> filter them. They are once-off, so they're not "bulk" per se - and they are
> not promoting the spammer - they are just random words. But they are, of
> course, still spam to me because they are noise I didn't request.
> --
> View this message in context:
> http://old.nabble.com/Spam-messages-with-no-payload-tp33350242p33350242.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: DNSWL will be disabled by default as of tomorrow
I agree with what you are saying, but to enable a plugin out of the box; with no warning or instructions stating you need to "run a local caching dns server in order to use this plugin successfully if your machine is using a dns server that may or may not be used and making millions of queries therefore banned" which returns a score that is giving a negative score ... has no justification. (sorry for the run on sentence)

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Dec 12, 2011, at 12:35 PM, Daniel McDonald wrote:

Can I ask you a fairly blunt question? What action could they have taken that would have caused you to notice that you were engaging in abusive misuse of their service by continuing to forward your requests through google?

I'm quite serious. DNSBLs have this problem of never being able to get rid of the queries from sources that appear to be abusive. What can be done so that a part-time admin will take notice and fix their equipment? A log message? Special header in every e-mail? Change the subject line to "you have Spamassassin integrated wrong!"? Or a visit from Guido and some of the boys, trying to make an offer you can't refuse?

In this case, they moved you to action by causing your customers some grief. That made you look into the issue, get guidance that you really need to run a local recursive caching DNS server in order to get clear answers from DNSBLs, and then I imagine you fixed the problem. How else could they have let you know?

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: DNSWL will be disabled by default as of tomorrow
Thank you! I raised this question a few months ago and was in awe that it was enabled by default. It has caused quite a few issues that I've seen around the ML. They should return a different value than a negative score. Very bad design.

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Dec 12, 2011, at 11:58 AM, <dar...@chaosreigns.com> wrote:

Tomorrow's sa-update will include disabling of the DNSWL rules. If you wish to locally enable them with the same scores which had previously been default, use this:

score RCVD_IN_DNSWL_NONE -0.0001
score RCVD_IN_DNSWL_LOW -0.7
score RCVD_IN_DNSWL_MED -2.3
score RCVD_IN_DNSWL_HI -5

It was disabled because it is returning a value triggering RCVD_IN_DNSWL_HI for all queries from DNS servers deemed abusive, causing false negatives in SpamAssassin. It was the only network test, enabled in SpamAssassin by default, intentionally returning known incorrect values under any circumstances.

It is recommended that you use a local, caching, non-forwarding DNS server with SpamAssassin:
http://wiki.apache.org/spamassassin/CachingNameserver

This should prevent you from being considered abusive by DNSWL unless you are actually doing multi-million queries per day, based on the list DNSWL provided yesterday of who is currently categorized as abusive:

* Google Public DNS servers (multi-million queries per 24 hours, no response from Google contacts)
* Some big hosting provider resolvers: softlayer.com, dimenoc.com, theplanet.com, bluehost.com, dyndns.com, netline.net.uk (multi-million queries per 24 hours, no response/action from abuse@ and similar contacts)
* Five single hosts with multi-million queries per 24 hours with no response/action from multiple contacts.

Problems have only been occurring when people use the above DNS Servers.

Relevant bug (and source of above list):
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6668

--
"Begin at the beginning and go on till you come to the end; then stop." - Lewis Carrol, Alice in Wonderland
http://www.ChaosReigns.com
Re: dns problems :/
connection refused means your dns servers are not responding properly. Check your entries in /etc/resolv.conf. The format should be:

nameserver 1.2.3.4

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Nov 1, 2011, at 9:46 PM, Benny Pedersen wrote:

my own fault ?

30-Oct-2011 04:41:25.873 lame-servers: info: error (connection refused) resolving '194.210.16.72.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
30-Oct-2011 18:20:05.598 lame-servers: info: error (connection refused) resolving '99.79.61.69.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
30-Oct-2011 22:22:53.196 lame-servers: info: error (connection refused) resolving '230.106.87.192.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
31-Oct-2011 02:29:45.026 lame-servers: info: error (connection refused) resolving '225.84.0.173.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
31-Oct-2011 07:12:20.441 lame-servers: info: error (connection refused) resolving '115.11.211.140.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
31-Oct-2011 11:00:06.988 lame-servers: info: error (connection refused) resolving '67.130.210.193.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
31-Oct-2011 18:31:48.071 lame-servers: info: error (connection refused) resolving '230.5.92.213.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
31-Oct-2011 23:46:33.663 lame-servers: info: error (connection refused) resolving '230.106.87.192.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 12:09:59.376 lame-servers: info: error (connection refused) resolving '98.25.7.195.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 17:23:23.633 lame-servers: info: error (connection refused) resolving '230.106.87.192.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 19:06:13.188 lame-servers: info: error (connection refused) resolving '225.250.35.66.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 19:08:00.774 lame-servers: info: error (connection refused) resolving '225.250.35.66.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 19:09:53.385 lame-servers: info: error (connection refused) resolving '225.250.35.66.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 19:24:16.733 lame-servers: info: error (connection refused) resolving '225.250.35.66.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 19:32:02.230 lame-servers: info: error (connection refused) resolving '225.250.35.66.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 22:43:00.600 lame-servers: info: error (connection refused) resolving '225.250.35.66.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 22:44:54.003 lame-servers: info: error (connection refused) resolving '225.250.35.66.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 22:46:32.903 lame-servers: info: error (connection refused) resolving '225.250.35.66.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 22:53:10.873 lame-servers: info: error (connection refused) resolving '176.210.85.209.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 23:10:29.354 lame-servers: info: error (connection refused) resolving '175.83.125.74.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 23:30:09.634 lame-servers: info: error (connection refused) resolving '219.2.132.129.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 23:36:20.841 lame-servers: info: error (connection refused) resolving '219.2.132.129.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 23:37:58.282 lame-servers: info: error (connection refused) resolving '219.2.132.129.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 23:39:08.519 lame-servers: info: error (connection refused) resolving '219.2.132.129.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 23:40:28.596 lame-servers: info: error (connection refused) resolving '219.2.132.129.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 23:43:56.847 lame-servers: info: error (connection refused) resolving '219.2.132.129.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
01-Nov-2011 23:54:19.315 lame-servers: info: error (connection refused) resolving '219.2.132.129.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
02-Nov-2011 00:04:49.034 lame-servers: info: error (connection refused) resolving '219.2.132.129.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
02-Nov-2011 02:41:05.057 lame-servers: info: error (connection refused) resolving '189.196.132.188.sa-accredit.habeas.com/TXT/IN': 94.76.206.138#53
Re: Disable a Rule
Thanks Ned, my question being now - why create a rule that can reduce the spam count when the provider decides to enforce such a policy; and start returning incorrect queries. Denied or not, it should NEVER return any value that would lower the spam count, if it cannot provide the correct answer to the query, it should send a null result; not some crap answer because their systems cannot provide sufficient queries to the demand the public puts on their infrastructure. Although I personally am not doing 100k look-ups, the DNS resolvers at the DC very well may.

... less than 0.1% are affected by this stricter enforcement ...

I have setup bind to do name-caching and no longer doing forwarding. I will continue to examine logs and monitor the system.

Thanks for those who took the time to reply w/ enough information, rather than smart comments; or vague 1 liners.

--
Jeremy McSpadden
Flux Labs, Inc

On Oct 30, 2011, at 5:56 PM, Ned Slider wrote:

On 30/10/11 20:45, Jeremy McSpadden wrote:
Thanks for the help Benny. .. Anyone besides this guy have anything to say ?
--

See here:
http://www.dnswl.org/news/archives/24-Abusive-use-of-dnswl.org-infrastructure-enforcing-limits.html
and also the thread on this list from the archives dated 17th Oct 2011 with subject: DNSWL.org enforcement of free usage limits.

Benny is correct - using your provider's DNS servers results in exceeding the limit at DNSWL which results in all queries hitting RCVD_IN_DNSWL_HI - that's generally how they get your attention.

Now they have your attention, the solution if you want to continue using DNSWL is to deploy your own local DNS caching server assuming you can stay under the free usage terms, or buy a data feed, or disable the DNSWL rules in SA by scoring them at zero:

score RCVD_IN_DNSWL_HI 0
score RCVD_IN_DNSWL_MED 0
score RCVD_IN_DNSWL_LOW 0
score RCVD_IN_DNSWL_NONE 0

all of which has previously been stated.

Hope that helps.
Re: Disable a Rule
Thanks for the help Benny. .. Anyone besides this guy have anything to say ?

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Oct 30, 2011, at 3:40 PM, Benny Pedersen wrote:

On Sun, 30 Oct 2011 20:36:14 +0000, Jeremy McSpadden wrote:
Yes, that is in place. (not a newbie here)

seems your hosters is not newbie either, you are firewalled to use their dns server

if it still does not work, ask them :)
Re: Disable a Rule
Yes, that is in place. (not a newbie here)

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Oct 30, 2011, at 3:14 PM, Benny Pedersen wrote:

On Sun, 30 Oct 2011 20:05:08 +0000, Jeremy McSpadden wrote:
Then why would this rule be enabled by default, or even setup for SA out of the box. So you're telling me that in order to use this rule, I have to setup a local dns ? I don't think so. I've run SA boxes for years and never had to run a local dns server.

using shared dns gives shared limits, thats why, so yes to use the free service one need dns servers in loopback interface
Re: Disable a Rule
Very well. DNSMasq setup and running local, yet still returns HI

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955

On Oct 30, 2011, at 3:14 PM, Benny Pedersen wrote:

On Sun, 30 Oct 2011 20:05:08 +0000, Jeremy McSpadden wrote:
Then why would this rule be enabled by default, or even setup for SA out of the box. So you're telling me that in order to use this rule, I have to setup a local dns ? I don't think so. I've run SA boxes for years and never had to run a local dns server.

using shared dns gives shared limits, thats why, so yes to use the free service one need dns servers in loopback interface
Re: Disable a Rule
Then why would this rule be enabled by default, or even setup for SA out of the box. So you're telling me that in order to use this rule, I have to setup a local dns ? I don't think so. I've run SA boxes for years and never had to run a local dns server.

--
Jeremy McSpadden
Flux Labs, Inc

On Oct 30, 2011, at 2:57 PM, Benny Pedersen wrote:

On Sun, 30 Oct 2011 19:18:12 +0000, Jeremy McSpadden wrote:
I am using local dns servers. The server is at SoftLayer's DC. Using their local DNS servers, 10.0.X

their ip need datafeed or you need to have dns server on 127.0.0.1 to get the free use at dnswl

i can't find this ip listed anywhere
Re: Disable a Rule
No, I was editing the actual rule file itself. I have done a lookup on several of the IPs that SA is stating are HI on DNSWL, yet they come back as not whitelisted.

http://www.dnswl.org/search.pl?s=98.126.47.12 = IP address 98.126.47.12 is not whitelisted at dnswl.org.

spamassassin -t -D < MSGID = -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/, hightrust [98.126.47.12 listed in list.dnswl.org]

I am using local dns servers. The server is at SoftLayer's DC. Using their local DNS servers, 10.0.X

--
Jeremy McSpadden
Flux Labs, Inc

On Oct 30, 2011, at 1:50 PM, John Hardin wrote:

On Sun, 30 Oct 2011, Jeremy McSpadden wrote:
I am editing the local, thanks.

sa-update should not touch your local configuration file. Are you saying it is doing so?

Letting them know is fine and all, except the mail is still getting through my systems. I have noticed this on several of my MS gateways. The emails are blatant spam. This is for hundreds of emails. DNSWL thinks just because one yahoo/gmail/hotmail account is clean; all are. Does not make sense to me.

What upstream DNS are you using for your SA? DNSWL has usage limits absent subscription, and if you're using a busy public DNS (e.g. Google's public DNS servers) for your queries then DNSWL may be returning HI for _all_ queries regardless of how the sender is actually classified in their database.

Does running your SA against a local caching DNS server that doesn't forward to an upstream DNS server change the behavior for these messages?

--
Jeremy McSpadden
Flux Labs, Inc

On Oct 30, 2011, at 12:54 PM, John Hardin wrote:

On Sun, 30 Oct 2011, Jeremy McSpadden wrote:
It seems nightly the rule is re-enabled.

Don't edit the files that are deep in the SpamAssassin working directories, they will get overwritten with updates as you have seen. If you want to disable a rule, set its score to zero in your _local_ configuration file, typically under /etc/mail/spamassassin.

If you're getting spams from hosts in DNSWL HI, please let the DNSWL people know so they can deal with it. Either the source MTA needs to be cleaned up, or their listing demoted.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...the Fates notice those who buy chainsaws... -- www.darwinawards.com
---
Tomorrow: Halloween
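Added example (mine, not code from this list or from SpamAssassin): the lookup that the RCVD_IN_DNSWL_* rules perform, decoded the way John Hardin's reply above describes the failure (HI returned for every query once the resolver is over the limit), together with the resolv.conf check behind the "run a local, non-forwarding caching DNS server" advice in the DNSWL threads. It assumes dnswl.org's published answer convention, 127.0.<category>.<trust> with trust 0..3 meaning NONE/LOW/MED/HI, and 127.0.0.255 as the answer handed to resolvers dnswl.org has classed as abusive; those values are assumptions stated here, not something the posts quote. The 98.126.47.12 address is the one from the thread; the category byte, the score table and the resolv.conf text are constructed inputs.

```python
"""Decode dnswl.org answers the way SpamAssassin's RCVD_IN_DNSWL_* rules use them.

Added example, not from the mailing list or from SpamAssassin itself.
Assumed (verify against dnswl.org's documentation): an A-record answer of
127.0.<category>.<trust> encodes trust 0..3 (NONE/LOW/MED/HI), and
127.0.0.255 is the sentinel returned to resolvers dnswl.org rate-limits.
"""
import ipaddress
import socket
from typing import Optional

DNSWL_ZONE = "list.dnswl.org"
TRUST_NAMES = {0: "NONE", 1: "LOW", 2: "MED", 3: "HI"}
BLOCKED_SENTINEL = "127.0.0.255"  # assumed: "your resolver is over the limit"

# Pre-disable default scores quoted in the sa-update announcement above.
DEFAULT_SCORES = {"NONE": -0.0001, "LOW": -0.7, "MED": -2.3, "HI": -5}


def dnswl_query_name(ip: str, zone: str = DNSWL_ZONE) -> str:
    """Build the reversed-octet name SA looks up for an IPv4 sender."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def interpret_answer(answer: Optional[str]) -> dict:
    """Map an A-record answer (None for NXDOMAIN) to a verdict dict.

    Keys: listed, blocked, trust, category. The sentinel is reported as
    'blocked' and NOT as a listing, because it says nothing about the sender.
    """
    if answer is None:
        return {"listed": False, "blocked": False, "trust": None, "category": None}
    if answer == BLOCKED_SENTINEL:
        return {"listed": False, "blocked": True, "trust": None, "category": None}
    a, b, category, trust = (int(x) for x in answer.split("."))
    if (a, b) != (127, 0) or trust not in TRUST_NAMES:
        raise ValueError(f"unexpected dnswl answer: {answer}")
    return {"listed": True, "blocked": False,
            "trust": TRUST_NAMES[trust], "category": category}


def score_for(answer: Optional[str], scores: dict = DEFAULT_SCORES) -> float:
    """Score contribution for one answer; 0 when dnswl signalled 'blocked'.

    This is the 'null result' the thread asks for: a rate-limited resolver
    must not hand the message the -5 that RCVD_IN_DNSWL_HI would otherwise add.
    """
    verdict = interpret_answer(answer)
    if not verdict["listed"]:
        return 0.0
    return float(scores[verdict["trust"]])


def resolver_is_local(resolv_conf: str) -> bool:
    """True when every nameserver in resolv.conf text is a loopback address.

    dnswl.org counts queries per resolver IP, so a hosting-provider or public
    resolver pools everyone's queries into one shared limit.
    """
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return bool(servers) and all(ipaddress.ip_address(s).is_loopback for s in servers)


def live_lookup(ip: str) -> Optional[str]:
    """Do the real DNS lookup; None means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(dnswl_query_name(ip))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    # Constructed answers standing in for what a resolver might return.
    for ans in ("127.0.5.3", "127.0.2.1", "127.0.0.255", None):
        print(ans, interpret_answer(ans), score_for(ans))
    print(resolver_is_local("nameserver 127.0.0.1\n"))
```

The two functions worth keeping are `score_for`, which turns the sentinel into a zero contribution instead of the -5 that let the spam through in the thread, and `resolver_is_local`, which is the first thing to check when every lookup suddenly comes back HI. `live_lookup` is only for running against a real resolver; the rest works offline.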
Re: Disable a Rule
I am editing the local, thanks.

Letting them know is fine and all, except the mail is still getting through my systems. I have noticed this on several of my MS gateways. The emails are blatant spam. This is for hundreds of emails. DNSWL thinks just because one yahoo/gmail/hotmail account is clean; all are. Does not make sense to me.

--
Jeremy McSpadden
Flux Labs, Inc

On Oct 30, 2011, at 12:54 PM, John Hardin wrote:

On Sun, 30 Oct 2011, Jeremy McSpadden wrote:
It seems nightly the rule is re-enabled.

Don't edit the files that are deep in the SpamAssassin working directories, they will get overwritten with updates as you have seen. If you want to disable a rule, set its score to zero in your _local_ configuration file, typically under /etc/mail/spamassassin.

If you're getting spams from hosts in DNSWL HI, please let the DNSWL people know so they can deal with it. Either the source MTA needs to be cleaned up, or their listing demoted.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174
pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...the Fates notice those who buy chainsaws... -- www.darwinawards.com
---
Tomorrow: Halloween
Disable a Rule
I have several MS boxes and it seems that the RCVD_IN_DNSWL_HI rule in 72_active is allowing way too much through. Running at a score of 5 for spam, and its -5 on score is pushing it as clean. How do I disable the rule completely, even on sa-updates. It seems nightly the rule is re-enabled.

--
Jeremy McSpadden