RE: How to ignore multiple Received: headers
-Original Message-
How do I tell SpamAssassin to ignore the last received header? Or are there other solutions to this problem? It also happens quite often with emails from cell phones (which always get the strangest dynamic IPs...).

A matter of perspective: You don't need to tell SA to ignore the last header, you need to tell it NOT to ignore the second one.

Generally speaking, SA checks blacklists against the first hop outside your internal network. It sounds like your local SA has decided that mailserver.provider.com is trusted, so instead of starting there, it's starting at the next one out. (And yes, that last Received: header should be there.)

I agree with Matus UHLAR's advice: check the trust path settings.

you apparently need to properly configure trusted_networks and internal_networks, see: http://wiki.apache.org/spamassassin/TrustPath
RE: Why doesn't anything at all get these botnet spammers?
From: Jenny Lee Also how ironic is it to write: users -at- spamassassin.apache.org on the website!!! What a confidence in a spam-fighting tool! Write it as users@sa, show you mean business. Ever hear of defense in depth?
RE: antiphishing
-Original Message- From: Bowie Bailey [mailto:bowie_bai...@buc.com] This is an issue that comes up on this list occasionally. It sounds like a good idea at first, but when you start looking into it, you find that there is WAY too much legitimate email that does this for the rule to be useful. Yeah. There's an awful lot of newsletter, opt-in advertisement, and even transactional mail traffic that uses URL redirectors for click-tracking purposes, and far too often they'll put the destination URL (or a simplified form of it) in as the link text. It's a horrible practice, IMO, since it essentially trains people to ignore what should be a major phishing indicator, but it's also very common. --Kelson Vibber
RE: How do I stop SA checking mail from authenticated users
-Original Message-
From: Frank Leonhardt [mailto:fra...@extremecomputing.org.uk]
I have a single mail server (not commercial) using sendmail to accept incoming mail from all sources, and filtering using spamassassin. It also accepts mail from roaming users - encrypted mail using port 465 and authenticating users with SASL, and is expected to relay this. It all works fine except that the trusted mail goes through the milter like any other, and if it's coming from a dodgy location there's a danger that SA will block it. (This happens - sent from a WiFi hotspot, non-static DSL or mobile network that's been blacklisted everywhere). Is there an easy way I can treat trusted mail differently?

Short answer: You need to configure this at the milter or sendmail level and not send the mail to SpamAssassin to begin with.

Slightly longer answer: It's been a while since I worked with Sendmail, but we used to do exactly this. Basically, it boils down to one of two things:

1. Use a separate config for the submission port that doesn't send stuff through the milter. (I forget whether this is possible, so if it's not, never mind.)
2. Configure your milter to check whether the message is authenticated (IIRC, you look for the auth_type macro), and not send those messages to spamassassin. (This is what we did.)

You don't say what milter you're using. We were using MIMEDefang, and I remember we had to do two things: set MD up to read the Sendmail macros, then add the code to our MD filter to check for the macro before sending mail to SA.

Sorry I couldn't be of more detailed help, but this should at least point you in the right direction.
--Kelson Vibber
RE: Bayes Apache James server
That said, I would suggest to not decouple bayes from SA, since I wouldn't see any advantage in this approach and you would rather miss the bayes score from the SA totals. You would end having more FPs due to the bayesian mailer running apart and needing special score thresholds in SA.

That was my thinking as well. Thanks for confirming that I'm on the right track.

I would also suggest to avoid using amavisd and the like to run SA tests: that application supplies some message routing schemes which are really useful with simple mail exchangers, but that may complicate things a lot with a mailet-based design. I would suggest to use spamd instead.

Hmm, that's something I hadn't thought about. As it is, it's not a problem. James 3.0 includes a mailet that talks directly to spamd, and we backported it to the version we're running.

Also, to complete the system, I recall there were some AV-mailets at the age. If possible use them before SA to catch messages carrying viruses.

Absolutely - we've got ClamAV running first, before anything touches SA, and using some of the SaneSecurity signature sets to catch additional malware.

Thanks!
Kelson Vibber TollFreeForwarding.com, Development
RE: Bayes Apache James server
-Original Message-
From: David F. Skoll [mailto:d...@roaringpenguin.com]
It's probably more efficient to have the thing that would block more mail run first. On our installation, for example, ClamAV stops less than 0.1% of all mail (yes, you read that right), so running it first is useless from a performance standpoint since SA would be invoked almost all the time anyway.

Depends on the requirements. In our case, we're blocking viruses but tagging spam for later, so it's slightly more efficient to do the virus scan first. Even if it blocks 1%, it's still greater than zero.

We don't use the Sane Security signatures. If using them would make Clam block (say) 10% or more of all messages, I'd have to re-evaluate my opinion.

I wish I could remember the stats from my old job. We had a system that started with IP block lists, then ClamAV with a bunch of the Sane Security spam signatures, then SpamAssassin, all tied together with MIMEDefang. (Thank you, BTW - that piece of software gave me so much flexibility in our scanning!) I had MD sort out the virus hits vs. the spam hits from Clam and decide what got discarded, what got blocked, and what got sent along to SA. I seem to remember it being worth it, but I just can't remember the numbers.
Kelson Vibber TollFreeForwarding.com, Development
Bayes Apache James server
I'm setting up the spam/virus filtering on an Apache James mail server, and SpamAssassin is one of the pieces we plan on using. I used to run a Sendmail-based server with SpamAssassin for years at a previous job, so I'm familiar with SA, but I'm still new to James.

James includes a plugin for Bayesian spam filtering. So far, the main advantage I see for it is that it includes a system to train the filter by forwarding attachments. Does anyone here have experience with *both* James's Bayesian filter and SA's? If so, would you recommend:

1. Sticking with SA's Bayesian filter?
2. Running SpamAssassin without Bayes, then James' BayesianAnalysis mailet?
3. Running James's BayesianAnalysis mailet first, then SpamAssassin without Bayes?

In case it makes a difference, we're running James 2.3 with the SpamAssassin mailet backported from 3.0, and we'll be using a sitewide database (at least to begin with).

Thanks in advance,
Kelson Vibber TollFreeForwarding.com, Development
Re: How not to implement SPF (nationwide.co.uk)
On Jul 4, 2010, at 11:57 PM, Marc Perkel wrote:
It's not even useful for white listing as spammers can set up SPF too.

That's not how whitelisting on SPF works. You don't whitelist *solely* on the presence of SPF. You whitelist the *combination* of a domain that you want and a positive SPF match.

Let's say you want to whitelist mail from example.com, and you don't want to worry about keeping track of their outgoing servers. You set up whitelisting using SPF such that...

1. Mail from example.com that doesn't pass SPF = neutral, go through normal filtering
2. Mail from example.com that DOES pass SPF = whitelisted
3. Mail from random spammer's domain that passes SPF = neutral, go through normal filtering

Multiply steps #1 and #2 by however many domains you want to whitelist, and it's a lot more convenient than keeping track of all their IP addresses yourself, especially if they have a lot of them or change them from time to time. That's how SpamAssassin uses SPF to whitelist mail. (See the docs for whitelist_from_spf and similar rules.)

Notice that it really doesn't matter whether spammers set up their own SPF rules. Actually, you could make use of spammers' SPF records in some circumstances by adding a fourth possibility:

4. Mail from known spammer's domain that passes SPF = blacklisted

OK, that fourth possibility isn't likely to crop up very often, but it's still taking advantage of spammers using SPF...which, once again, doesn't interfere with SPF's usefulness as a component of whitelisting.
Re: How not to implement SPF (nationwide.co.uk)
On Jul 5, 2010, at 6:46 AM, Marc Perkel wrote: BTW - does anyone have some big list of domain that when combined with SPF make a good white list? Well, that would depend on who you and your users want mail from, wouldn't it?
Re: How not to implement SPF (nationwide.co.uk)
On 6/30/2010 8:37 AM, Ned Slider wrote: My solution is to just filter ALL mail from bank or bank-like domains. The vast majority are phishing anyway with only a few marketing emails (often not from a bank domain) or your online statement is ready notifications that I'm sure users can do without. I wouldn't be so sure that users can do without* those notifications. I don't know about the UK, but in the US, banks and utilities are really pushing paperless statements. Users might be relying on email from their banks to let them know when their credit card bills are ready. *More generally, I don't think it's our place to decide what users can and can't do without among email that they've actually requested. False positives are one thing. *Deliberately* blocking something on the grounds that it's not necessary? That's something else. -- Kelson Vibber SpeedGate Communications - www.speed.net
Re: Interesting email link in spam
On Tuesday 18 May 2010, fchan wrote: Note the Technical Contact name and his email address. Oh, great, now I'm imagining lasagna made with SPAM. -- Kelson Vibber SpeedGate Communications, www.speed.net
Re: SOUGHT FP on Twitter notices
On 5/5/2010 5:05 PM, Karsten Bräckelmann wrote:
Please send us a ham sample. Obfuscating identifying data is ok, but please keep it to a minimum needed, and make it obvious. Raw message attached preferred. Feel free to send it directly to me and/or Justin, rather than the list. Thanks!

Will do.

Quick interim fix. In your local.cf, add this to stop the FPs.
meta __SEEK_O1OO80 (0)

Thanks - Since I couldn't remember how to disable a component of a meta rule, I'd commented it out to start with, but of course sa-update clobbers that. Filing away for future reference...
-- Kelson Vibber SpeedGate Communications - www.speed.net
Re: FROM_STARTS_WITH_NUMS matches on text-to-email
On 4/12/2010 4:26 PM, Bob O'Brien wrote: Other media references, too: 90210, 4100, I'm sure there are more which have been chosen by fans of one theme or another. Back in the late 1990s, I remember hearing that some site (maybe Hotmail?) was restricted to US residents, but didn't check very thoroughly. They just made sure that the city, state and zip code matched. Strangely, they had a lot of users living in Beverly Hills, 90210. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Off Topic - SPF - What a Disaster
On 2/23/2010 6:33 PM, Marc Perkel wrote:
I agree. I've been in the spam filtering business for many years and have yet to find any use for SPF at all. It's disturbing this useless technology is getting the false positive support we are seeing.

And as people on this list have pointed out 5,000 times, including myself yesterday:
whitelist_from_spf *...@example.com

This applies a whitelist rule to messages from example.com if and only if they also pass example.com's SPF policy. So there's one use case right there, unless you're going to claim that functionality is useless.
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: Off Topic - SPF - What a Disaster
On 2/23/2010 12:38 PM, Jeff Koch wrote:
In an effort to reduce spam further we tried implementing SPF enforcement. Within three days we turned it off. What we found was that:
snip
Our assessment is that SPF is a good idea but pretty much unworkable for an ISP/host without a major education program which we neither have the time or money to do. Since we like our customers and they pay the bills it is now a dead issue. Any other experiences? I'd love to hear.

SPF works great as a selective whitelist in SpamAssassin. (And I don't mean whitelisting all SPF passes. That would be stupid. I mean whitelisting mail coming from domain X, but only when it passes SPF and demonstrates that yes, it really came from domain X.)

I'd say that what you found is *not* that SPF itself is a disaster, but that enforcing SPF by rejecting failures is a disaster. It's a data point. It all depends on how you use it.
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: unsubscribe
Miles Fidelman wrote:
unless, of course, someone happens to be writing a message with the word unsubscribe in it, and DOESN'T want to unsubscribe to the list. lest you think this is picking a nit: I run a list for parents of one of my kid's schools, the school department runs another (badly) -- it's very common for people to write to our list asking how to (un)subscribe to the official school list. for that matter, on any list discussing mail handling, or perhaps server-side software in general, I expect the word unsubscribe is quite common

Would I be correct in assuming that most or all of those messages have more words in the subject than just the single word unsubscribe? Or at least some message content? If the message body is empty and the subject only contains the word unsubscribe, it's probably a safe bet to assume it's an attempt to remove someone from the list and not a question or comment.
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: JMF whitelist and RAZOR conflict
RW wrote: Razor looks-up fuzzy hashes of an email on a server that records the values that have previously been reported for spam. JMF_W is based on the IP address of the last hop into your trusted network (or internal if you set it up that way). Neither is based on URLs. Actually, Razor does check URLs as well. It's one of the signature types. Type 8, I think. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: BAYES_99 score lint
John Hardin wrote:
On Mon, 22 Jun 2009, MySQL Student wrote:
meta LOCAL_BAYES_RTF (BAYES_99 && LOCAL_CTYP_RTF)
score LOCAL_BAYES_RTF 1.5
describe LOCAL_BAYES_RTF Rule by AS: Probably an Inline RTF spam
If the only thing it's complaining about during lint is the zero score, don't worry too much about it.

Or try defining the score like this:
score LOCAL_BAYES_RTF 0 0 1.5 1.5
That way SA will only try to run it under the same score sets in which Bayes is enabled. The problem might simply be that lint is running with Bayes disabled (score set 0 or 1), in which case BAYES_99 will be scored at 0.
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: Suggested Change For FS_TEEN_BAD
Wouldn't it be more efficient to write all the single-letter matches like (?:s|z)? as [sz]? or does it end up not making a difference when the regex is actually processed? -- Kelson Vibber SpeedGate Communications www.speed.net
Re: HABEAS_ACCREDITED_COI
LuKreme wrote: It's very simple, I don't see Habeas headers in legitimate email, and haven't for years. I see it in spam. I score it up. The score of -8.0 is ridiculous for something that is so easily forged. They haven't *used* the headers in years, either. Habeas is an IP-based whitelist, and has been for, I don't know, 4 or 5 years. So, seriously -- you've adjusted the score of a rule to point in the opposite direction without actually checking what the rule does? -- Kelson Vibber SpeedGate Communications www.speed.net
Re: SPF_NEUTRAL scoring?
LuKreme wrote:
I don't remember what ?all means though, or how it differs from -all or ~all.

? means the record makes no claims about that source. ?all basically says, "Mail might come from other places, or it might not, we aren't sure." (In RFC terms, mail from us MAY be sent from other places not listed.)

- means mail should *never* come from that source, so -all means "Only the sources listed here will send you mail; anything from anywhere else is definitely forged." (In RFC terms, mail from us MUST NOT be sent from other places.)

~ is (IIRC) specific to all, and ~all means "Other places shouldn't be sending you mail, but we're not 100% certain we haven't missed something." (In RFC terms, mail from us SHOULD NOT be sent from other places.)
-- Kelson Vibber SpeedGate Communications www.speed.net
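As an added illustration of the qualifier semantics described in that reply (example code written for this page, not from the SpamAssassin project or the thread): a small SPF evaluator that handles ip4/ip6 mechanisms and the "all" term. RFC 7208 allows any of the four qualifiers (+, -, ~, ?) in front of any mechanism, which the evaluator implements; mechanisms that need DNS (a, mx, include, exists, redirect) are deliberately out of scope, and the records in DEMO_RECORDS are constructed, not any real domain's policy.

```python
import ipaddress

# Result produced when a mechanism carrying this qualifier matches (RFC 7208, section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed SPF records for the demo; these are not real domains' policies.
DEMO_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",   # -all: anything else is forged
    "soft.example":   "v=spf1 ip4:192.0.2.0/24 ~all",   # ~all: probably forged, not certain
    "unsure.example": "v=spf1 ip4:192.0.2.0/24 ?all",   # ?all: no claim about other sources
    "v6.example":     "v=spf1 ip6:2001:db8::/32 -all",
    "noall.example":  "v=spf1 ip4:192.0.2.0/24",        # no "all" term at all
}


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples.

    A missing qualifier means '+'. Mechanisms are lower-cased; the argument is
    whatever follows the first ':' (empty for 'all').
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def evaluate_spf(record, client_ip):
    """Return pass/fail/softfail/neutral for client_ip against one SPF record.

    Only ip4, ip6 and all are evaluated; a, mx, include, exists and redirect
    need DNS and are skipped (an assumption of this demo, not of the RFC).
    With no matching term and no 'all', RFC 7208 section 4.7 says neutral.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if network.version == ip.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"


def check_demo(domain, client_ip):
    """Evaluate client_ip against the constructed record for domain."""
    return evaluate_spf(DEMO_RECORDS[domain], client_ip)


if __name__ == "__main__":
    for domain in DEMO_RECORDS:
        for ip in ("192.0.2.10", "198.51.100.5"):
            print(f"{domain:16} {ip:14} -> {check_demo(domain, ip)}")
```

Run against the same two client addresses, the five records show the difference the reply is drawing: the listed /24 passes everywhere, while an unlisted address comes back fail, softfail or neutral depending only on the qualifier in front of "all", and neutral again when the record has no "all" term at all.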
Re: html experts: empty style tags.
On the subject of <style> vs <style type="text/css">

*Technically* the TYPE attribute is required in HTML 4, but in practice, no one really uses anything other than CSS, and most browsers will assume it. The current draft of HTML 5 recognizes this, and makes TYPE explicitly optional for STYLE, defaulting to text/css if not present: http://www.whatwg.org/specs/web-apps/current-work/#the-style-element

So in HTML 5, this is perfectly valid:
<style>h1 {font-family: Arial}</style>

It is only allowed within HEAD (though again in practice, most browsers are lenient about this), but if I'm reading the HTML 5 spec correctly, it will also allow style within the body, but *only* if it contains the SCOPED attribute, and only at the beginning of a section, like this:
<div><style scoped>h2 {color: green}</style> Bunch of content </div>

But this would not be:
<div> Some content <style scoped>h2 {color: red}</style> More content </div>
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: how to change score of spf
Matus UHLAR - fantomas wrote: positive SPF results mean NOTHING - any spammer can register a domain and create SPF for it. Only the *FAILs are useful since it means someone is (probably) spoofing. Maybe NEUTRAL can indicate anything, but PASS has non-zero score only because zero score would cause it not to appear. More precisely, a positive SPF result *by itself* is not an indicator of non-spam. It can be combined with other data, such as a whitelist of domain names, and be quite useful, as in the whitelist_spf and whitelist_auth rules. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Spam slipping through
LuKreme wrote: On 10-Dec-2008, at 16:01, mouss wrote: so 5 is a little too high. Ah, gotcha. I am scoring whitelist at -5 though, so a 5 still puts them at 0. Without other spam tags, they should still pass, no? whitelist_from_dkim and related rules (whitelist_from_spf, whitelist_from_auth, etc.) only fire if the authentication is valid. The idea is to whitelist messages from a domain only when you can confirm that they really did come from that domain. So the whitelist and blacklist rules will never cancel each other out, because they'll never fire on the same message. If you want to leave a DKIM failure for that domain as neutral, just remove your custom blacklist rule. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Spam slipping through
LuKreme wrote:
So it looks like the only usefulness of DKIM for spam checking is really for the big mailers like gmail, paypal, ebay, etc?

A pass on DKIM (or any other sender verification system) is useful for any mailer that you *recognize*, regardless of size. Trivial example: If you regularly do business with SmallCorp, and you know they sign their mail using DKIM, you can whitelist those messages that claim to be them and come through with a verified DKIM signature.

Successful sender verification ALONE doesn't tell you much, because it doesn't distinguish between a legit sender who uses DKIM and a spammer who uses DKIM (or a spammer abusing a large sender). This is why the default scores on DKIM_VERIFIED and DKIM_SIGNED are just enough to track the rule, and not enough to significantly affect the score.

Combine it with a reputation system for those domains, even one as simple as a bunch of whitelist_from_dkim rules in your local.cf, and it becomes a powerful whitelisting/blacklisting tool.
-- Kelson Vibber SpeedGate Communications www.speed.net
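The decision the SPF reply earlier on this page lays out as four numbered cases (authenticated or not, combined with whether the domain is one you recognize) is the same one this DKIM reply and the "Spam slipping through" reply describe, so here is one added example covering both (written for this page; not code from SpamAssassin, whose whitelist_from_spf / whitelist_from_dkim rules it only imitates in spirit). The domain lists, the score adjustments and the AuthResult records are constructed for the demo; from_domain is taken to be the domain the SPF or DKIM check was made for.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed domain lists standing in for whitelist_from_spf / whitelist_from_dkim
# entries and a local blacklist; not real policy for any real domain.
WHITELISTED_DOMAINS = {"example.com", "smallcorp.example"}
BLACKLISTED_DOMAINS = {"spammer.example"}

# Constructed score adjustments: a large negative whitelist score in the spirit
# of SpamAssassin's, and a positive one for the "known spammer" case. Assumptions.
WHITELIST_SCORE = -100.0
BLACKLIST_SCORE = 10.0


@dataclass
class AuthResult:
    """Authentication outcome for one message, as a filter would see it."""
    from_domain: str                    # domain the message claims to be from
    spf: str                            # pass / fail / softfail / neutral / none
    dkim_domain: Optional[str] = None   # d= of a signature that VERIFIED, else None


def authenticated_for(auth: AuthResult) -> bool:
    """True only if the claimed domain is backed by a pass tied to that domain.

    An SPF pass, or a verified DKIM signature whose d= is the claimed domain
    (or a parent of it), counts. A verified signature from an unrelated domain
    proves nothing about the claim and is ignored.
    """
    if auth.spf == "pass":
        return True
    if auth.dkim_domain is None:
        return False
    return (auth.from_domain == auth.dkim_domain
            or auth.from_domain.endswith("." + auth.dkim_domain))


def classify(auth: AuthResult) -> tuple:
    """Apply the four cases from the thread; returns (verdict, score, reason)."""
    if not authenticated_for(auth):
        # Case 1: no valid authentication, so neither list fires; normal filtering.
        # This is also why a whitelist and a blacklist rule never cancel out:
        # both require the pass, and a failure reaches neither.
        return ("neutral", 0.0, "claim not authenticated")
    if auth.from_domain in WHITELISTED_DOMAINS:
        return ("whitelist", WHITELIST_SCORE, "authenticated and on the whitelist")  # case 2
    if auth.from_domain in BLACKLISTED_DOMAINS:
        return ("blacklist", BLACKLIST_SCORE, "authenticated and on the blacklist")  # case 4
    return ("neutral", 0.0, "authenticated but unknown domain")                      # case 3


if __name__ == "__main__":
    samples = [
        AuthResult("example.com", "pass"),                          # case 2
        AuthResult("example.com", "fail"),                          # case 1
        AuthResult("random.example", "pass"),                       # case 3
        AuthResult("spammer.example", "pass"),                      # case 4
        AuthResult("smallcorp.example", "none", "smallcorp.example"),  # DKIM-backed case 2
        AuthResult("example.com", "none", "other.example"),         # unaligned DKIM: case 1
    ]
    for sample in samples:
        print(sample, "->", classify(sample))
```

The point the replies keep making is visible in the first branch: a spammer who publishes SPF or signs with DKIM only ever reaches case 3, and a spammer forging a whitelisted domain never gets past case 1, so neither the presence of authentication nor its absence decides anything by itself.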
Re: Problems with the email adress of our company
Per Jessen wrote: I guess it's a matter of opinion, but an email address is a significant part of a corporate identity - you don't go around changing it ad-hoc, and you certainly try to avoid having one domain in your email-address and another on your brochures and businesscards. Exactly. That sort of thing would train users to expect your company's email to come from multiple and/or unfamiliar domains, such that they will be less likely to notice phishing attempts that claim to be your company but come from other domains. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Rule for encoded/bugged URLs?
Kevin Windham wrote: The other sign is the encoded img tags. I can't recall seeing a regular site use img tags that are encoded with no meaningful name. I take it you've never looked at the HTML code for, say, Flickr or Amazon? A *lot* of dynamic websites will use a catalog number (or equivalent) instead of a human-readable name for their image filenames. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Phishing rules?
Micah Anderson wrote:
reject_rbl_client list.dsbl.org,

DSBL has shut down, and you should remove the query from your list. It won't help with the phishing, but it'll free up some network resources. Info: http://dsbl.org/node/3

I've got clamav pulling signatures updated once a day from sanesecurity (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx, securesiteinfo) and Malware Black List, MSRBL (images, spam).

Odd, ClamAV + SaneSecurity does a really good job here at blocking phish before they even get to SpamAssassin. We call clamd through MIMEDefang, then call SpamAssassin (also through MimeDefang) if a message passes. Have you verified that Clam is using the SaneSecurity signatures? How are you calling ClamAV?
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: [OT?] rDNS tomfoolery - localhost
John Hardin wrote:
While shit has happened too many times, I don't see why a browser would do PTR lookup when given an IP.

If security settings are defined by the server's hostname or domain name you'd kinda have to, or else say that all numeric-IP URLs are inherently untrustworthy. In that case, though, they *should* re-check the DNS of the hostname that's been kicked back.
123.30.74.2 -> localhost -> 127.0.0.1 = mismatch

Assuming, of course, that (a) the DNS server being used doesn't do something stupid like assume that the PTR result is symmetric, and (b) the client has the sense to do that verification step.
-- Kelson Vibber SpeedGate Communications www.speed.net
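The verification step the reply describes (forward-confirmed reverse DNS: resolve the PTR name back to addresses and insist the original IP is among them) as an added example written for this page, not code from the thread. The PTR and A tables are constructed so the check runs offline and reproduces the localhost mismatch pattern above; the system_* helpers show the same check against the OS resolver and are only used if you pass them in.

```python
import socket

# Constructed PTR and A data standing in for a resolver, so the check runs offline.
CONSTRUCTED_PTR = {
    "192.0.2.25":   "mail.example.com",   # honest: forward record points back
    "203.0.113.9":  "localhost",          # the tomfoolery case: PTR claims localhost
    "198.51.100.4": "host.example.net",   # forward record points elsewhere
}
CONSTRUCTED_A = {
    "mail.example.com": ["192.0.2.25"],
    "localhost":        ["127.0.0.1"],
    "host.example.net": ["198.51.100.40"],
}


def constructed_reverse(ip):
    """PTR lookup against the constructed table; None when absent."""
    return CONSTRUCTED_PTR.get(ip)


def constructed_forward(name):
    """A lookup against the constructed table; empty list when absent."""
    return CONSTRUCTED_A.get(name, [])


def system_reverse(ip):
    """PTR lookup via the OS resolver; None when there is no usable answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    """All A records for name via the OS resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def fcrdns(ip, reverse=constructed_reverse, forward=constructed_forward):
    """Forward-confirmed reverse DNS.

    Returns (confirmed, detail). The PTR answer is never trusted on its own:
    the name it yields is resolved forward, and only if that answer contains
    the original IP is the name accepted.
    """
    name = reverse(ip)
    if name is None:
        return (False, f"{ip} has no PTR record")
    addresses = forward(name)
    if ip in addresses:
        return (True, f"{ip} -> {name} -> {ip} = confirmed")
    shown = ", ".join(addresses) if addresses else "no A record"
    return (False, f"{ip} -> {name} -> {shown} = mismatch")


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.9", "198.51.100.4", "10.0.0.1"):
        print(fcrdns(ip))
```

Against real DNS, call fcrdns(ip, system_reverse, system_forward); the decision logic is the same, which is the point of item (b) in the reply: whoever controls the reverse zone can put any name in the PTR, but they cannot make someone else's forward zone agree with it.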
Re: SPF rules
Matus UHLAR - fantomas wrote: Of course, PASS tells nothing, but there are *FAIL, NEUTRAL etc. Actually, PASS can tell you quite a bit if you're trying to whitelist a specific address or domain (eg. whitelist_from_spf). -- Kelson Vibber SpeedGate Communications www.speed.net
Re: New free blacklist: BRBL - Barracuda Reputation Block List
Rasmus Haslund wrote:
For us, the only FP we have seen are some servers in Argentina, Brazil and 2 legit fish newsletters from Russia. Otherwise it is looking very good here.

We've been testing it using SpamAssassin with the lastexternal option, and while it catches a whole lot of obvious junk, the logs also show it tripping on a number of messages that look like they might be legitimate newsletters. A couple of stores that I recognize, a nearby church, a fan club for a well-known movie series, one of our state senators, and a political organization. None of these ended up being marked as spam, but they did trip on the rule, and would have been blocked if I'd been using BRBL at the sendmail level.

I still need to verify that the sources are what they appear to be, then do some research on their mailing practices and ask the recipients whether they actually signed up for the mailings, but at the moment it looks like the list is something I can use as a data point through SpamAssassin, but can't use to block mail outright.
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: 1000 times easier to just do sa-update --nogpg
SM wrote: There is a reason the updates are signed. You can either try and figure out the right way or you can wait for someone to compromise one of the endpoints to deliver illegitimate updates. Pardon me for putting words in someone's mouth, but I got the impression that the original poster's point was not to advocate disabling signature checking, but to suggest that the error message should be more useful. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Blacklist Mining Project - Project Tarbaby
Marc Perkel wrote: Graham Murray wrote: Because some senders erroneously treat a tempfail as a permfail (or even worse as a successful delivery) and do not retry. If that were the case then they already would have failed before getting to tarbaby as your main server is out. If they are on tarbaby then they already retried to get there. tempfail != timeout If the main servers are down or otherwise not responding, the sender won't get a tempfail from those servers. So even if the sender is broken enough to treat a tempfail as a permfail, it will still fall back to the next MX until it gets to one that *does* respond. And if that happens to respond with a tempfail... -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Yahoogroups not a COI list ?
mouss wrote:
I didn't check since long, but last year, it was possible to subscribe addresses without confirmation. Maybe this only applied to groups that existed since long (and had a lot of traffic)?

I just checked, and below the text box for the invite function (which sends a confirmation request) is a link labeled, "Add members from an existing email list." That brings up another form where you can paste in a list of addresses, and allows up to 100 addresses/day, and sends a welcome notice. It's billed as an import tool, and there are dire warnings about "Please use responsibly" and how abuse of the tool can get your account deactivated.
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: freemail plugin
Benny Pedersen wrote:
can you change it to list reverse, so freemail domains is all other then what is not freemail domain ? this is imho more simple to know where to pay for email then to know which domains is free :-)

So... every time someone registers a new domain name for their start-up company, we need to add it to the list because it isn't a free email service? I don't think that's going to save much effort.
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: Opera's revolutionary e-mail client?
Justin Mason wrote: Grepping my ham corpora, I find some hits from 2005 and 2006, but nothing in the past 2 years for this. Does anyone use recent builds of the real Opera mail? does it use this footer, or is it safe to list it in the rule? I don't normally use Opera for email, but I use it regularly for web browsing. I just set up email on my copy of Opera 9.5 (the latest release), and hit Compose to see what would happen. The text you're seeing is the default signature. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Opera's revolutionary e-mail client?
To follow up, here's a message actually sent from Opera 9.5 on Windows, in case someone wants the info for header analysis. And yes, I've changed the signature, partly so that it won't trip the rule in question. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Replies to this list
Matthias Leisi wrote: Reply-To considered harmful: http://www.unicom.com/pw/reply-to-harmful.html And still considered harmful: http://woozle.org/~neale/papers/reply-to-still-harmful.html Yeah, well, Considered Harmful essays are also considered harmful: http://meyerweb.com/eric/comment/chech.html Let's remember that these essays are matters of individual opinion, not statements of indisputable truth handed down from on high. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: List of Banks often spoofed in Phishing scams
Marc Perkel wrote: If the FCrDNS matches one of these domains it is ham. If the sender or from address matches one of these domains and the domain doesn't appear in the Received headers - it's a phish. snip citibank.com It's worth noting that Citibank still sometimes uses other domains. I've seen legit mail from them that uses a citibank.com address, but is sent from a citigroup.com server. It could be worse -- a few years ago, they'd use about 5 or 6 domains on a regular basis, including the defunct c2it.com. Take a look at the SARE_FORGED_CITI rule in 70_sare_spoof.cf. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: joe jobbed or hacked?
Jon-Paul Kelly wrote:
I just received around 2000 bounce messages from various servers rejecting messages (supposedly) coming from my email address. This has happened to me before but not on this scale. Any ideas on how to tell if this is just a joe job or if someone has actually used my server as a spam sending platform?

The first thing to do is look at the bounces to see whether your IP address is listed anywhere. If none of them mention your server, either in the original Received headers on the rejected message or in the bounce notice itself, you can be confident that it was just a forged sender.

If it does list your server, you'll need to look more closely. Is it the immediate sender (the one that connected to the server issuing the rejection)? If so, you've got problems. Is it further down in the Received chain? In that case, it could also be forged, and you'll have to keep looking.

You can also look at your mail logs, in case they found a hole in your relay config or something. Though if the system is actually hacked, they could send using their own SMTP engine, bypassing your mail queue, and the messages probably wouldn't be logged.

Hope this helps.
-- Kelson Vibber SpeedGate Communications www.speed.net
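Both this reply and the "multiple Received: headers" reply at the top of the page come down to reading the Received: chain in order and deciding which hop matters, so here is one added example serving both (written for this page; it is not SpamAssassin's trust-path code, only an illustration of the same walk). The message, its addresses and the network ranges are constructed. first_external_hop shows the trust-path effect: trust only the provider's relay and the check lands on the next relay out; widen trusted_networks to cover that relay too and the check moves on to the dynamic address behind it. locate_ip answers the joe-job question: position 0 in the rejected message's chain is the host that connected to the rejecting server, anything deeper could have been written by the spammer.

```python
import email
import ipaddress
import re

# Constructed message: three hops, most recent first, as an MTA stacks them.
# 192.0.2.10 plays the provider's relay, 198.51.100.23 an upstream ISP relay and
# 203.0.113.77 a dynamic address of the kind the first thread complains about.
CONSTRUCTED_MESSAGE = """\
Received: from mailserver.provider.com (mailserver.provider.com [192.0.2.10])
\tby mx.example.org with ESMTP id CONSTRUCTED01; Tue, 1 Jan 2008 10:00:03 +0000
Received: from smtp.isp.example (smtp.isp.example [198.51.100.23])
\tby mailserver.provider.com with ESMTP id CONSTRUCTED02; Tue, 1 Jan 2008 10:00:02 +0000
Received: from phone-77.mobile.example (phone-77.mobile.example [203.0.113.77])
\tby smtp.isp.example with ESMTPA id CONSTRUCTED03; Tue, 1 Jan 2008 10:00:01 +0000
From: someone@example.net
To: user@example.org
Subject: constructed sample

body
"""

# The bracketed address the receiving MTA recorded for the connecting host.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """IP recorded in each Received: header, most recent hop first (None if absent)."""
    msg = email.message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(value)
        ips.append(match.group(1) if match else None)
    return ips


def first_external_hop(ips, trusted_networks):
    """Walk from the newest hop outward; return the first IP outside trusted_networks.

    That hop is the one a DNSBL check should look at. Every network added to
    trusted_networks moves the check one hop further out.
    """
    networks = [ipaddress.ip_network(n) for n in trusted_networks]
    for ip in ips:
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            return ip
    return None


def locate_ip(ips, target):
    """Position of target in the chain.

    0 means it connected to the server that wrote the top header (hard to forge);
    a larger index means a deeper, easily forged hop; None means it is absent.
    """
    for position, ip in enumerate(ips):
        if ip == target:
            return position
    return None


if __name__ == "__main__":
    chain = received_ips(CONSTRUCTED_MESSAGE)
    print("chain:", chain)
    print("trust provider only  ->", first_external_hop(chain, ["192.0.2.0/24"]))
    print("trust provider + ISP ->", first_external_hop(chain, ["192.0.2.0/24", "198.51.100.0/24"]))
    for ip in ("192.0.2.10", "198.51.100.23", "10.9.9.9"):
        print("position of", ip, "->", locate_ip(chain, ip))
```

For a batch of bounces, run received_ips over the copy of the rejected message each bounce carries and tally locate_ip for your own address: a pile of None results is the forged-sender picture the reply describes, while any 0 is the case that needs a closer look at the relay configuration and logs.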
Re: Returned mail spam
Joseph Brennan wrote: what own rules? I'm talking that forwarding without changing sender's address is broken already and I described how and why. SPS just highlights this problem and SRS is trying to solve it... I don't see this necessity to change the sender address anywhere in RFC 2821. In fact it differentiates between lists where you do change the sender and aliases where you do not. Let's see if I've got this right: There are practical problems with forwarding, whether you do SPF or not. No, there are no problems with forwarding, because the RFC says it's okay. I'm sensing a disconnect here. I assume everyone here has heard the joke about the difference between theory and practice? -- Kelson Vibber SpeedGate Communications www.speed.net
Re: FW: Why is this spam passing my SA (counterfeit goods)
Rick Macdougall wrote: I'm an ISP and we use 5 to mark and 10 to reject at smtp time (not bounce, smtp reject 551). Same here. Dropping below 5 would cause way too many false positives. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Returned mail spam
mouss wrote:
Matus UHLAR - fantomas wrote:
But back on topic... the OP has been joe-jobbed.
mouss wrote:
he's not the only one... seems there's a lot of backscatter coming in these days. Thanks for confirming that spf doesn't fix the problem.
SPF is designed to fix the problem,
ahuh? how would spf fix the problem if spam gets out from an authorized client (yahoo, google, hotmail, aol, ...). however you respond, you'll find out that such (outgoing) spam problem isn't fixed _by_ SPF. In particular, don't tell me they will fix their outgoing spam.

Who said anything about spam from an authorized source? The problem *being discussed* is spam with a forged sender address, causing bounce notices to go to an innocent third party.
-- Kelson Vibber SpeedGate Communications www.speed.net
Re: DNS Blocklists with Spamassassin (scoring only)
Michael Hutchinson wrote: uridnsbl URIBL_DSBL list.dsbl.org. TXT body URIBL_DSBL eval:check_uridnsbl('URIBL_DSBL') describe URIBL_DSBL Contains a URL listed in the DSBL blocklist (http://dsbl.org) score URIBL_DSBL 0.004 Wait... does the DSBL even list URIs? I thought it only listed IP addresses (which is already in the default rule, RCVD_IN_DSBL). -- Kelson Vibber SpeedGate Communications www.speed.net
Re: dns tests and scoring info for modification
Robert - elists wrote: Are all tests for DNS type RBL's in this default 20_dnsbl_tests.cf SA file? Do I need to grep all the other files to check for where the scores are, or is there only one default score file on this? If you use sa-update, there should also be some in 72_active.cf. Either way, I believe all the default scores are in 50_scores.cf. I want to change this to 0 (i.e. enabling dnsbl checks) and zero out any default SA DNSBL type scoring, and then enable only one internal/external DNSBL check source of our choice for testing... You probably know this, but make sure you put the zeroed-out scores in your local config dir (i.e. /etc/mail/spamassassin or the like) so that they won't be overwritten the next time you upgrade and/or run sa-update. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: office rule
ram wrote: header __FROMOFFICE From =~ /office/i header __SUBOFFICE Subject =~ /office/i meta OFFICERULE (__FROMOFFICE || __SUBOFFICE) score OFFICERULE 4.0 And don't forget to add word boundaries. You probably don't want it matching on officer: header __FROMOFFICE From =~ /\boffice\b/i header __SUBOFFICE Subject =~ /\boffice\b/i -- Kelson Vibber SpeedGate Communications www.speed.net
Re: tmp file handling
NFN Smith wrote: The Debian release number of MIMEDefang I'm running is 2.57-5. It may be that when Debian froze what went into etch, the current copy of MD was the one with that glitch in it. I'll check the MD archives for release notes, and see what's in the Testing branch. The fix went into MIMEDefang 2.63. That's only one release back (the latest is 2.64), so you might want to look into the 2.64 changes while you're at it. Relevant section from the 2.63 changelog: mimedefang.pl.in(spam_assassin_status): Call $mail->finish() to prevent temporary files from accumulating. http://mimedefang.org/node.php?id=64 -- Kelson Vibber SpeedGate Communications www.speed.net
Re: How to report 120,000 spams a day
Sandy S wrote: OK, I admit I haven't been following this thread closely so I may have missed something and maybe my suggestion won't fit your needs. However, we're accomplishing something like what you describe above using Mimedefang. The Mimedefang milter includes a function called md_check_against_smtp_server which checks the recipient address against the virtusertable defined on whatever MX server you give it. If it's not a valid user, voila! The message is rejected during the Mimedefang processing - aka as soon as the connecting server has provided the recipient address, before the whole message has been transmitted. Otherwise processing and mail delivery continues as normal. You beat me to it! I'll just add that people have discussed alternate solutions on the MD archives that, instead of using md_check_against_smtp_server, involve exporting the list to the remote MX so that it can still query that information if/when the primary is unavailable. Looking through the MIMEDefang mailing list archives is left as an exercise for the reader. -- Kelson Vibber SpeedGate Communications www.speed.net
Blogspot (was Re: giberish)
Michael Hutchinson wrote: I don't know how the rest of you feel about blogspot links, but I've never seen a valid/authentic one in an email that isn't spam before. I have. In the last two weeks, I've seen blogspot links in the Drupal newsletter, the OpenOffice.org newsletter, Fedora Weekly News, and a newsletter for the Comic Book Legal Defense Fund -- all things I've signed up for. And that's just me -- that's not counting anyone else on the mail server I manage. I set up a rule to match blogspot links, and tracked the results. It hit things like the Slashdot daily summary, and several newsletters/mailing lists that I couldn't guess whether the recipient signed up for or not, on topics ranging from chess to ASP to financial news to political opinions. And then there's people sending personal mail referencing a random blog post, or including their blogspot-hosted site in their email signatures. We do still score blogspot URIs -- but we only add 1 point for it. Scoring at 5 would block legit mail. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: HABEAS_ACCREDITED_COI
Igor Chudov wrote: If I recall correctly... This Habeas is some sort of a braindead business idea to insert an unauthenticated header in bodies of legitimate emails coming from their customers, to assure spam filters that the email is legitimate. Not anymore. They've long since switched to an IP-based whitelist because the unauthenticated header proved unreliable. They changed their business model YEARS ago. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: DDOS, Dictionary Attack... not sure what it is...
Mike Cisar wrote: Since about the 26th of Dec I've had one particular mailserver that has been dealing with a constant stream of crap... all emails to unknown users, all of the email addresses seem consistent (either 3 'syllables'... an uppercased 'syllable', a lowercased 'syllable' and another uppercased 'syllable'... or 2 uppercased 'syllables'). They don't seem to be coming from any consistent IP address (or region). Problem is of course that the mailserver's connections get tied up processing rejecting this crap (and of course it's chewing up my transfer allocation bit by tiny bit). There's one more piece of data needed before you decide on a course of action: what kind of email is being sent. Are you getting first-order spam, or are you getting bounce messages? If all the target addresses are in the same domain, it could be as simple as this: 1. Spammer picks a random domain name known to exist: yours. 2. Spammer generates a bunch of random addresses at that domain. 3. Spammer sends out junk to thousands of targets using these addresses. 4. Thousands of servers send you the bounces, the sender verification checks, etc. This happened a couple of weeks ago with one of my domain names. Similar pattern of addresses: FirstnameLastname@ FirstnameRandomwordLastname@ etc. Actually, it's still going on, but it doesn't have much of an impact since the server rejects unknown recipients right away. It might be worth looking for a couple of addresses that get hit repeatedly and temporarily activating them, or even turning on a catch-all for 20 seconds or so, to capture some of the messages and see whether you're dealing with a botnet or backscatter. -- Kelson Vibber SpeedGate Communications www.speed.net
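The one extra piece of data Kelson asks for (bounces versus first-order spam) can usually be read straight out of the rejection log lines, because backscatter and sender-verification probes arrive with a null or daemon envelope sender while a dictionary attack carries a made-up "real" one. The following is an added example, not anything from the thread: it runs over a few constructed Postfix-style reject lines, splits them by sender type, counts recipients that fit the capitalised-syllable pattern Mike describes, and counts distinct source IPs.

```python
import re
from collections import Counter

# Constructed Postfix-style rejection lines (not from the post). The first four are
# backscatter-style (null or daemon sender); the last two are first-order spam.
SAMPLE_LOG = """\
Jan  2 10:00:01 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <JohnSmith@example.org>: User unknown; from=<> to=<JohnSmith@example.org>
Jan  2 10:00:02 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 550 5.1.1 <MaryJones@example.org>: User unknown; from=<MAILER-DAEMON@example.net> to=<MaryJones@example.org>
Jan  2 10:00:03 mx postfix/smtpd[103]: NOQUEUE: reject: RCPT from mx2.example.com[198.51.100.20]: 550 5.1.1 <AnnaRossi@example.org>: User unknown; from=<postmaster@example.com> to=<AnnaRossi@example.org>
Jan  2 10:00:04 mx postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: 550 5.1.1 <BobLee@example.org>: User unknown; from=<> to=<BobLee@example.org>
Jan  2 10:00:05 mx postfix/smtpd[105]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jsmith@example.org>: User unknown; from=<promo@spam.example> to=<jsmith@example.org>
Jan  2 10:00:06 mx postfix/smtpd[106]: NOQUEUE: reject: RCPT from unknown[203.0.113.91]: 550 5.1.1 <info@example.org>: User unknown; from=<deals@spam.example> to=<info@example.org>
"""

LINE_RE = re.compile(
    r"RCPT from [^\[]*\[(?P<ip>[^\]]+)\].*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>")
# Null sender, or a daemon/postmaster sender: the connection is delivering a bounce or a
# sender-verification callout, not original spam.
DAEMON_SENDER = re.compile(r"^(?:|(?:mailer-daemon|postmaster)@.*)$", re.I)
# The "syllable" pattern from the post: two or three capitalised chunks run together.
DICT_LOCALPART = re.compile(r"^[A-Z][a-z]+(?:[A-Z][a-z]+){1,2}$")


def summarize(log_text):
    """Count bounce-like vs direct rejections, dictionary-style recipients, and source IPs."""
    counts = Counter()
    ips = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ips.add(m["ip"])
        counts["bounce_like" if DAEMON_SENDER.match(m["sender"]) else "direct"] += 1
        if DICT_LOCALPART.match(m["rcpt"].split("@", 1)[0]):
            counts["dictionary_pattern"] += 1
    return {"bounce_like": counts["bounce_like"], "direct": counts["direct"],
            "dictionary_pattern": counts["dictionary_pattern"], "distinct_ips": len(ips)}


def verdict(summary):
    """Rough call on what the stream is, to be confirmed by capturing a few messages."""
    if summary["bounce_like"] > summary["direct"]:
        return "mostly backscatter: someone is forging your domain as the sender"
    return "mostly first-order spam: a dictionary attack from many sources"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print(verdict(s))
```

Either way the right response at the MTA is the one the post already gives: reject unknown recipients at RCPT time so neither the bounces nor the dictionary probes cost you a queue entry; the classification only tells you whether it is also worth capturing a few messages to confirm.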
Re: Adjusting SA scores in 50_scores.cf...
John D. Hardin wrote: score URIBL_SBL 5 Discussion of the advisability of a single poison-pill rule is for another day, though if you *do* want to spamcan everything that hits SBL you'd be better served doing it at the MTA layer as a regular DNSBL test. Also, isn't SBL folded into Zen these days? The rule in question is a URIBL test, so it acts on domain names that appear in the message body. A standard DNSBL block at the MTA level, whether just using the SBL or using Zen, would act on the IP address of the sending server. It's not just a matter of one method being more efficient than the other. They're looking at different data. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Score all emails and delete some of them
Ken Goods wrote: Spamassassin only scores emails. You'll need another application to do something with them. I use MailScanner and what you need is easily done with it. It gives you many other options as well. I think Amavis-new and Mailwatch may do the same thing but have no experience with them. MIMEDefang, also. And you can set up procmail rules to delete or redirect mail based on the headers that SpamAssassin adds. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: What to do with known spam connections
mouss wrote: Kelson wrote: Rob Sterenborg wrote: SM wrote: The spam content shouldn't even be getting through as the recipient address is invalid. Unless you don't know who your recipients are, which may be the case when operating a mailrelay. (I'm not saying that such situation is optimal...) Or unless they send to a mix of real and bogus addresses. It could be worth blocking them from hitting any real addresses after they've hit a couple of spamtraps. while some people can afford to block a large ISP, many of us don't. So run some heuristics before deciding to block an IP. Factor in other criteria. It doesn't have to be a snap judgment on one piece of data. We're on the SpamAssassin list, after all. The whole philosophy of SpamAssassin is to take a bunch of signs that, individually, might not be enough to make the call, but taken together can be reasonably accurate. Surely that philosophy can be extended to tactics other than message analysis. How about... Using it to greylist instead of blocking? Or looking at the rDNS and trying to determine whether it looks like a mail server? Or only blocking it if it appears on a list of dynamic IPs (assuming you're not blocking those IPs outright)? Or whitelisting those large ISPs? Or looking at your own recent traffic from that IP, and only blocking it if you don't see any legit traffic? Or adding points to the SA score the next time the IP shows up instead of blocking it? -- Kelson Vibber SpeedGate Communications www.speed.net
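The "factor in other criteria" approach Kelson sketches is easy to make concrete as a small scoring function that weighs several per-IP signals and picks from the options he lists (block, greylist, add SpamAssassin points, or accept) instead of blocking on a single spamtrap hit. This is an added example with constructed observations; the weights and thresholds are my assumptions, not anything the thread or SpamAssassin defines.

```python
import re

DYNAMIC_TOKENS = ("dyn", "dynamic", "dhcp", "pool", "dsl", "cable", "ppp", "dial")
OCTETS = re.compile(r"(\d{1,3}[.-]){3}\d{1,3}")


def looks_dynamic(rdns):
    """Reverse DNS that names a consumer pool or embeds the IP's octets."""
    if not rdns:
        return False
    parts = re.split(r"[.-]", rdns.lower())
    return any(p in DYNAMIC_TOKENS for p in parts) or bool(OCTETS.search(rdns))


def looks_like_mailserver(rdns):
    """Reverse DNS whose first label is a conventional MTA name (mail, mx, smtp, relay)."""
    return bool(rdns) and re.match(r"^(mail|mx|smtp|relay)\d*[.-]", rdns.lower()) is not None


def assess_ip(obs):
    """Combine per-IP evidence into an action.

    obs keys (all hypothetical data you would gather yourself): spamtrap_hits,
    rdns (str or None), on_dynamic_list, legit_deliveries_7d, large_isp.
    Returns (action, score, reasons).
    """
    score, reasons = 0, []
    hits = obs.get("spamtrap_hits", 0)
    if hits >= 2:
        score += 3; reasons.append(f"{hits} spamtrap hits")
    elif hits == 1:
        score += 1; reasons.append("1 spamtrap hit")
    rdns = obs.get("rdns")
    if not rdns:
        score += 2; reasons.append("no rDNS")
    elif looks_dynamic(rdns):
        score += 2; reasons.append("dynamic-looking rDNS")
    elif looks_like_mailserver(rdns):
        score -= 1; reasons.append("rDNS looks like a mail server")
    if obs.get("on_dynamic_list"):
        score += 2; reasons.append("listed as a dynamic IP")
    if obs.get("legit_deliveries_7d", 0) > 0:
        score -= 3; reasons.append("recent legitimate traffic from this IP")
    if score >= 6:
        action = "block"
    elif score >= 3:
        action = "greylist"
    elif score >= 1:
        action = "add_sa_points"
    else:
        action = "accept"
    if obs.get("large_isp") and action == "block":
        action = "greylist"; reasons.append("large ISP: never hard-block")
    return action, score, reasons


if __name__ == "__main__":
    for case in [
        {"spamtrap_hits": 3, "rdns": "host-203-0-113-5.dynamic.example-isp.net",
         "on_dynamic_list": True},
        {"spamtrap_hits": 2, "rdns": "mail.example.net", "legit_deliveries_7d": 5},
        {"spamtrap_hits": 1, "rdns": None},
    ]:
        print(assess_ip(case))
```

The shape matters more than the numbers: a spamtrap hit from a host that has also delivered legitimate mail this week drops to "accept" or "add_sa_points", a hit from an rDNS-less host goes to greylisting, and only a pile-up of signals reaches "block", with a whitelist of large ISPs capping even that at greylisting.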
Re: What to do with known spam connections
Rob Sterenborg wrote: SM wrote: The spam content shouldn't even be getting through as the recipient address is invalid. Unless you don't know who your recipients are, which may be the case when operating a mailrelay. (I'm not saying that such situation is optimal...) Or unless they send to a mix of real and bogus addresses. It could be worth blocking them from hitting any real addresses after they've hit a couple of spamtraps. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Pretty good, Paypal are making their own phish these days!
Loren Wilton wrote: Thank you for bringing this suspicious email to our attention. We can confirm that the email you received was not sent to you by PayPal. The website linked to this email is not a registered URL authorized or used by PayPal. We are currently investigating this incident fully. Please do not enter any personal or financial information into this website. So apparently email1.paypal.com in some manner is NOT part of paypal.com! I wonder how they managed that. *blink* *blink* Great. Now *that's* encouraging. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Pretty good, Paypal are making their own phish these days!
Loren Wilton wrote: The disturbing thing is it seems to have come from the real Paypal servers, AND, it has my correct name in the body of the email. Now, they don't actually ask me to log on to a link in the email. They just say click here to win with a link with a tracking id. I have to wonder if they have been taking lessons on how to make spam look and feel like week-old dead phish, or if they just brilliantly came up with the idea all on their own. Funny, my reaction to seeing (I assume) the same message was that they'd learned how *not* to look like a phish. In particular, they used their own domain name for *everything*, including the sending server, the return address, matching forward/reverse DNS on the sending server (mine came from 206.165.246.86, which has a PTR to email-86.paypal.com, which resolves to 206.165.246.86), all the hyperlinks (with matching rDNS), and nearly all the images. Not to mention validating DomainKeys and SPF. The only thing I found that didn't point to something.paypal.com were two references to the same one-pixel image on postdirect.com, used for spacing and possibly also for tracking. I've seen way too many messages from, say, financial institutions, stores, or even security software companies (*cough*symantec*cough*) where they use multiple domain names, sometimes including that of their third-party list manager, for everything -- even the click-tracked links. Back when I used to shop at what was then DeepDiscountDVD, I'd actually get order confirmations with a return address at their ISP, instead of at their domain. The problem with these companies is that they're training their users to trust mail from and linking to random domains -- not to mention making it harder for us admins to prevent false positives through whitelisting. It was nice to see a sender that had learned to not make that mistake. -- Kelson Vibber SpeedGate Communications www.speed.net
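The "matching forward/reverse DNS" check Kelson walks through by hand (IP to PTR name, PTR name back to the same IP) is forward-confirmed reverse DNS, and it is worth having as a function rather than a mental exercise. Below is an added example, not code from the thread: it takes a resolver callable so the demo runs offline against a lookup table, with a stdlib-backed resolver included for real use. The paypal pair in the table is the one quoted in the post above; the other entries are constructed on RFC 5737 documentation addresses to show the failure modes.

```python
import socket

# Lookup table standing in for DNS. The paypal entry quotes the forward/reverse pair from
# the post; the rest are constructed and illustrate the ways the check can fail.
FAKE_DNS = {
    ("PTR", "206.165.246.86"): ["email-86.paypal.com"],
    ("A", "email-86.paypal.com"): ["206.165.246.86"],
    ("PTR", "203.0.113.9"): ["mail.example.net"],      # PTR exists but does not point back
    ("A", "mail.example.net"): ["198.51.100.1"],
    ("PTR", "203.0.113.50"): ["dsl-50.example-isp.net", "smtp.example-isp.net"],
    ("A", "smtp.example-isp.net"): ["203.0.113.50"],   # only one of the two PTRs confirms
    # 198.51.100.77 deliberately has no PTR at all
}


def table_resolver(rtype, name):
    return FAKE_DNS.get((rtype, name), [])


def system_resolver(rtype, name):
    """Same interface on top of the standard library, for real lookups."""
    try:
        if rtype == "PTR":
            return [socket.gethostbyaddr(name)[0]]
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def fcrdns(ip, resolve=table_resolver):
    """Forward-confirmed reverse DNS: PTR names for ip whose A records include ip again.

    Returns (confirmed?, list of confirmed names). A PTR that does not resolve back is
    worth nothing, since the owner of the address space can publish any name there.
    """
    ptrs = resolve("PTR", ip)
    confirmed = [name for name in ptrs if ip in resolve("A", name)]
    return bool(confirmed), confirmed


def same_org(hostname, domain):
    """Does hostname sit under domain (e.g. email-86.paypal.com under paypal.com)?"""
    h, d = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def sender_consistency(ip, from_domain, resolve=table_resolver):
    """The checks from the post: FCrDNS on the connecting IP, and whether the confirmed
    name belongs to the domain the message claims to come from."""
    ok, names = fcrdns(ip, resolve)
    return {"fcrdns": ok, "confirmed_names": names,
            "rdns_matches_sender_domain": any(same_org(n, from_domain) for n in names)}


if __name__ == "__main__":
    for ip, dom in [("206.165.246.86", "paypal.com"), ("203.0.113.9", "example.net"),
                    ("203.0.113.50", "example.org"), ("198.51.100.77", "example.org")]:
        print(ip, sender_consistency(ip, dom))
```

A passing FCrDNS result on its own only says the address space owner controls both records; it is the combination with SPF, DomainKeys and the sender's own domain on every link, as in the message Kelson describes, that makes a mail hard to mistake for a phish.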
Re: Rule for TLS verify=OK?
Dan Mahoney, System Admin wrote: In looking through my sendmail logs, I've found that some connecting mail servers actually are correctly configured with a signed, valid cert from one of the major CA's. Interesting! Is there a rule that can match this, on sendmail, based on the connecting ip on your network edge? It's easy enough to create a rule that matches the phrase in the Received: Header. The trick would be picking only the header for the relay that sent to you. Otherwise, spammers would just add 'verify=OK' to their fake headers. I don't think TLS info is included in the various X-Spam-Relays pseudoheaders described here, which would make it relatively easy: http://wiki.apache.org/spamassassin/TrustedRelays If you can get access to sendmail macros (through a milter, for instance, like MIMEDefang or Amavisd-New), you could match against the verify macro being OK. Relevant macros are listed here: http://www.sendmail.org/~ca/email/starttls.html This might be a place to start: it talks about setting up MIMEDefang to skip filtering entirely on verify=OK, but it could probably be adapted to pass the info to SA. http://sial.org/howto/mimedefang/macro-pass/ -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Milter vs. Procmail
Olivier Nicole wrote: But here is the question, with milter call, how to manage things like per user whitelist? As SA is run only once for all the recipients, it should go on a common set of rules. To get a milter to process settings per-user on a message with multiple recipients, you'll have to resend the message locally. (Messages with single recipients aren't a problem, of course.) We use MIMEDefang www.mimedefang.org, which has a function stream_by_recipient to do this. What we do is check in filter_begin to see whether any of the recipients *have* custom configs, then call the function only if necessary. The disadvantage, of course, is that since it's resent locally, you lose all the advantages that milter gives you in being able to act at SMTP time. Fortunately this only applies to multiple-recipient messages, and if you're careful about it, only to messages that need to be split up. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Mail Classification
Srilatha wrote: Some Anti Spam Engines classify mails as : Clean, Spam or Bulk What is this Bulk classification ? In theory, bulk could refer to anything that's sent out to large numbers of people, or automatically generated without human intervention. That would include newsletters, mailing lists, alerts, auto-responses, and so on. (Spam would also fit that definition, but since there's a separate spam category, it's probably safe to assume that it's bulk messages that aren't spam.) Or bulk could simply mean that the software can identify the message as a mass-mailing, but can't decide whether it's solicited or not. Or it could mean that it found a Precedence: bulk header in the message. I can't say what it means in any specific program, but if I were to set up a clean/spam/bulk classification scheme, I'd probably define them this way: Clean: not spam, person-to-person Spam: spam Bulk: not spam, large volume or automatically generated In any case, SpamAssassin only makes a binary distinction: spam or not spam. Depending on the program you use to call it, you can take the detailed results (which rules fired, what the final score is, etc.) and make further classifications. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: OT: Spamtraps
ram wrote: How can I best create spamtrap ids. Some ideas: Keep those published-on-the-web spamtraps, and have some patience. They'll pick them up eventually. Use a future spamtrap on a mailing list for a week or two, making sure to put the address in your signature, then unsubscribe it from the list. Wait. (And wait long enough that no one's likely to try to contact you directly regarding the list posts.) Find some existing spam with unsubscribe links that don't appear to be address-specific. Try to unsubscribe using the spamtrap address. (If the unsubscribe form is legit, you won't hear back from them. If not, and they start sending you spam, they have no business contacting an address that you used to UNsubscribe.) Wait. The bottom line: be patient. It may take several weeks for them to bite, but once they do, they won't let go. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: [OT] Seeing increase in smtp concurrency ?
Johnson, S wrote: It's interesting you say that I don't give a response (most of the time they're not there to receive it anyway and it clogs up my server with undeliverable email - especially in BIG spam attacks). I have not experienced this with my servers at all. Last week, a friend of mine that owns a very large spam filtering/relay company got hit hard with this issue. I think Jeff was talking about a 5xx response in the SMTP transaction, not generating a bounce message after the fact. When you say your friend was hit with this issue, do you mean the server was clogged with undeliverable bounces, or do you mean they saw spammers hanging onto open connections longer than reasonable in a sort of reverse-tarpit? -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Outbound spam filtering for a large ISP
Leon Kolchinsky wrote: Try amavisd-new list. There you could integrate your SA checks in a very efficient way (policy banks, quarantining, releasing etc.) MySQL backend is also a good idea on high load servers. I'd also recommend MIMEDefang for integrating SpamAssassin into sendmail. It's a milter, like amavisd-new. We've been using it for several years on our servers. It's very customizable -- basically if you can write something in Perl, you can do it in MD. The authors also have a commercial product based on MIMEDefang, Can-It, which might be worth looking into. MIMEDefang - http://www.mimedefang.org/ CanIt - http://www.roaringpenguin.com/products/antiSpam -- Kelson Vibber SpeedGate Communications www.speed.net
Re: SPF-Compliant Spam
Jason Bertoch wrote: I think it's safe to say I'm not in the minority when I receive SPF-Compliant spam. I'm looking for opinions on what we can honestly derive from such messages regarding the sending server's IP and the sending address' domain name. Is it wise to blacklist both, or is this yet another case where SPF has failed to meet projections? It's a case where the spammer has just handed you useful information: You know for sure that the domain name is, indeed, the spammer's domain name, and not an innocent third-party's. Blacklist it without hesitation! As for the IP, treat it the same way you'd treat the IP in non-SPF-compliant spam. They can authorize any IP they want, whether it's (legitimately) under their control or not. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: R: completewhois.com
Giampaolo Tomassoni wrote: Wow... whois completewhois.com ... Record expires on 21-Sep-2007. ... whois completewhois.org ... Expiration Date:21-Sep-2007 02:09:06 UTC ... Isn't it that they forgot to renew their domains? Not likely -- that expiration date is still 4 weeks in the future, so it shouldn't be an issue. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: SPF-Compliant Spam
Marc Perkel wrote: SPF is useless. Oh, of course. No matter how many times people point out uses they've found for it, no matter whether those uses are actually impacted by email forwarding or not, you're right, obviously we're all living in a fantasy world because the only *possible* thing one could do with an SPF result is to reject all failures and blindly whitelist all passes. No one could *possibly* do something like, say... Take known spam that passes SPF and use it to generate a domain blacklist, or... Take a friendly domain and whitelist only mail *from that domain* that passes SPF, like SpamAssassin's whitelist_from_spf function does... etc. (Notice how neither of those break with email forwarding? A forwarded message just goes through normal channels instead of getting special treatment.) But no, there's absolutely *no way* anyone could do things like that. *sigh* -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Using SpamAssassin to filter port 110
Patman wrote: Question, what I would like to do, is filter incoming traffic on port 110, with a spamassassin server. Our organization is provided email by an outside provider, as a service for doing our web page. What I would like to know is if SpamAssassin can be configured to go between my Cisco Pix box and say the network to filter port 110 for spam? Or does SpamAassassin have to be the IP that port 110 is routed to? I have used SpamAssassin on a in house email server but never as I am attempting. Can it be done and how? Not sure about a dedicated server, but I know some email clients (KMail, for instance) have the ability to filter mail through SpamAssassin as they download it via POP. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Now its zip attachments ^^
John Rudd wrote: Chr. v. Stuckrad wrote: I have a 'political problem' with that. We 'drop' known viruses into a quarantine directory without further notice, and only once in years somebody complained and wanted his virus back :-) You could even do it as 5 different instances (1 for base clamav sigs, 1 for each of the signature files from sanesecurity, 1 for each of the signature files from msrbl), and mark them accordingly. Over here we use MIMEDefang as the glue to tie SpamAssassin, Clamd, etc. together. MD filters are very customizable (if you can write it in Perl, you can put it in a MD filter). After our filter calls clamd, we check the name of the matching signature against a regexp. We only actually drop messages that trip on known mass-mailer signatures (most of them have worm or @mm in the name, depending on who first named it), and the rest are rejected. For those who only want to run one instance of clamd, it's easy enough to do the same thing to separate real viruses from spam signatures by looking for sanesecurity or msrbl. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: not everyone is happy with SA
Gene Heskett wrote: I've been toying with DANGER - DIHYDROGEN-MONOXIDE IN USE signs recommending use of appropriate protective gear. But in today's terrorism atmosphere some idiot might not get it and Chuckle... Only if they failed introductory chemistry 101, but it should be good for a chuckle even if you did have to explain it to the high school graduate, I know everything crowd. It's when they _still_ don't get it that could be a problem. By then they wouldn't touch a glass of it even with some of it in frozen form on a steaming hot day. Doesn't Darwin have an award for those? Sadly, this isn't as implausible as one might hope. A few years ago, a nearby city council (Aliso Viejo, California) came close to banning styrofoam cups based on the fact that they contained a dangerous chemical: dihydrogen monoxide. They blamed it on a paralegal who did bad research, but somehow managed not to catch the joke until after it had been scheduled for a vote. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Catching .pdf Spam
nws.charlie wrote: I am catching most of the spam with this. Does anyone see anything negative about a rule like this? header __LOCAL_HEADER_THUNDERBIRD User-Agent =~ /\bthunderbird\b/i full __LOCAL_HAS_PDF /\b\S*\.pdf\b/i meta LOCAL_PDF_VIA_THUNDERBIRD (__LOCAL_HEADER_THUNDERBIRD && __LOCAL_HAS_PDF) score LOCAL_PDF_VIA_THUNDERBIRD 6.0 Well, this message will probably go into your spam folder, since I'm using Thunderbird and the phrase .pdf appears in the message. -- Kelson Vibber SpeedGate Communications www.speed.net
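Both rule threads above (the "office" rule without word boundaries, and the Thunderbird-plus-.pdf rule) fail the same way: they score legitimate mail. The quickest way to see that before deploying a local rule is to run it against a few real-looking messages. The following added example is a tiny stand-in for SpamAssassin's header/full/meta evaluation, written for this page and not SpamAssassin's own code; it applies the rules exactly as posted to two constructed messages and shows the boundary fix from the office thread making the difference.

```python
import re
from email import message_from_string


def header_rule(field, pattern):
    """SA 'header NAME Field =~ /pattern/i': regex over one header's value."""
    rx = re.compile(pattern, re.I)
    return lambda msg, raw: rx.search(msg.get(field, "")) is not None


def full_rule(pattern):
    """SA 'full NAME /pattern/i': regex over the raw message, headers included."""
    rx = re.compile(pattern, re.I)
    return lambda msg, raw: rx.search(raw) is not None


def evaluate(rules, metas, scores, raw):
    """rules: name -> fn(msg, raw); metas: name -> fn(hits). Returns (fired, score)."""
    msg = message_from_string(raw)
    hits = {name: fn(msg, raw) for name, fn in rules.items()}
    for name, fn in metas.items():            # meta rules see the sub-rule results
        hits[name] = fn(hits)
    fired = sorted(n for n, hit in hits.items() if hit and not n.startswith("__"))
    return fired, sum(scores.get(n, 0.0) for n in fired)


# The "office" rule as first posted, and with the word boundaries Kelson suggested.
OFFICE_UNBOUNDED = {"__FROMOFFICE": header_rule("From", r"office"),
                    "__SUBOFFICE": header_rule("Subject", r"office")}
OFFICE_BOUNDED = {"__FROMOFFICE": header_rule("From", r"\boffice\b"),
                  "__SUBOFFICE": header_rule("Subject", r"\boffice\b")}
OFFICE_META = {"OFFICERULE": lambda h: h["__FROMOFFICE"] or h["__SUBOFFICE"]}
OFFICE_SCORES = {"OFFICERULE": 4.0}

# The Thunderbird-plus-".pdf" rule from the thread just above.
PDF_RULES = {"__LOCAL_HEADER_THUNDERBIRD": header_rule("User-Agent", r"\bthunderbird\b"),
             "__LOCAL_HAS_PDF": full_rule(r"\b\S*\.pdf\b")}
PDF_META = {"LOCAL_PDF_VIA_THUNDERBIRD":
            lambda h: h["__LOCAL_HEADER_THUNDERBIRD"] and h["__LOCAL_HAS_PDF"]}
PDF_SCORES = {"LOCAL_PDF_VIA_THUNDERBIRD": 6.0}

# Constructed legitimate messages that the rules as posted would punish.
MSG_OFFICER = """\
From: "Parking Officer Smith" <officer.smith@example.org>
To: you@example.net
Subject: Your parking ticket

Please find the citation number below.
"""

MSG_THUNDERBIRD_PDF = """\
From: colleague@example.org
To: you@example.net
User-Agent: Thunderbird 2.0.0.0 (X11/20070604)
Subject: Meeting notes

Here is the agenda.pdf you asked for; see you Tuesday.
"""


def office_scores(raw):
    """Score from the office rule (unbounded, bounded) for one message."""
    unbounded = evaluate(OFFICE_UNBOUNDED, OFFICE_META, OFFICE_SCORES, raw)[1]
    bounded = evaluate(OFFICE_BOUNDED, OFFICE_META, OFFICE_SCORES, raw)[1]
    return unbounded, bounded


def pdf_score(raw):
    return evaluate(PDF_RULES, PDF_META, PDF_SCORES, raw)[1]


if __name__ == "__main__":
    print("officer mail, office rule (unbounded, bounded):", office_scores(MSG_OFFICER))
    print("colleague's agenda.pdf from Thunderbird:", pdf_score(MSG_THUNDERBIRD_PDF))
```

With scores of 4.0 and 6.0 on a 5-point threshold, either rule alone is nearly a poison pill, which is why the replies suggest boundaries on the one and caution on the other; the same harness is a cheap way to test any local rule against a folder of known-good mail before it goes live.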
Re: How to disable Bayes for PDF emails
Igor Chudov wrote: Bayes, applied to pdf spams, always classifies the message as ham and increases the score. It is not reliable for PDF messages where the content is in PDF. Sounds like you need to train Bayes on those messages. Over here, Bayes is misclassifying less than 15% of PDF spams, and only a handful of those are getting through. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Re Thoughts on Isolating Viruses - Port 587 Submission
John Rudd wrote: 1) Some viruses already know they can put their outbound messages into the Outlook outbound folder. 2) Viruses can/will adapt by figuring out how to leverage stored SMTP-AUTH configurations. They can probably pick 3 or 4 implementations to target (Outlook, Thunderbird, Mail, and Eudora) and still be incredibly effective. Agreed on these two points, but... 3) This doesn't stop a virus on a laptop from still hitting port 25 on your server, or on other people's servers, when they are roaming away from your controlled networks. This is the equivalent of saying it won't help to close your own open relay because a spammer/virus can always just use someone else's. 4) And then there's all of those mail servers that run on port 2525 to get around these kinds of restrictions. And if you block 2525, they'll find a new one to use. Um... so? If someone tries to send out spam or a virus on port 2525, who are they going to reach? How many potential victims are *listening* on port 2525? Somewhere along the line they're going to have to get to a friendly/pwned relay that will send out on port 25. Anything up to that point is just shuffling things around inside the botnet. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Rulesemporium
Phil Barnett wrote: How about releasing the ruleset via torrent or something similar. Anything that you could do to distribute the load and location would make a ddos attack less effective. While there might not be a lot of people on this list who can use their server to take on the entire DDOS for you, there are a LOT of servers here that could participate in a pool. I don't think the typical SA ruleset is big enough to take advantage of BitTorrent. Too much overhead. For comparison, Firefox updates are typically several hundred kilobytes (on Windows/Linux, anyway), and they've looked into torrents and concluded they wouldn't gain anything by using them. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: MD5 Hash of URL's
John D. Hardin wrote: On Tue, 3 Jul 2007, Matt wrote: Why can't Spamassassin do like a MD5 hash of any URL's in a message and check them against a database? I just think it would help catch things like: geocities.com/spamer123/ or spamer123.tripod.com and etc. Too easy to defeat using a URI with random parameters pointing to a PHP et. al. page that ignores parameters (assuming you include parameters in the hash) or via wildcard DNS using random third- or fourth-level hostnames. Even the path could be made random if they use mod_rewrite or equivalent. If http://example.com/random/path/gets/ignored always serves up the contents of salespitch.html, they can generate as many URLs as they want. The concept might still be useful for specific known grey hosts with a mix of legit sites and spam sites -- geocities, tripod, blogspot, etc. -- where the URL patterns are known. If you know the pattern is account.example.com, or example.com/account, then throw away the rest of the URL and list/lookup the base pattern. -- Kelson Vibber SpeedGate Communications www.speed.net
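Kelson's refinement (keep only the part of the URL the spammer cannot randomise, and hash that) is straightforward to implement. The block below is an added example, not code from the thread or from SpamAssassin: it reduces a URL to an account-level key for the grey hosts named in the post (using my assumption about whether the account sits in the subdomain or the first path segment) and to the bare host for everything else, then shows a batch of randomised constructed URLs collapsing to a handful of keys.

```python
import hashlib
from urllib.parse import urlsplit

# Hosts the post names as "grey": a mix of legitimate and spam sites where the account,
# not the full URL, identifies the spammer. The layouts are my assumptions.
GREY_HOSTS = {
    "geocities.com": "path",       # geocities.com/<account>/...
    "tripod.com": "subdomain",     # <account>.tripod.com/...
    "blogspot.com": "subdomain",   # <account>.blogspot.com/...
}


def account_key(url):
    """Reduce a URL to the part a spammer cannot randomise without a new account.

    For grey hosts that is account plus host; for everything else only the host is kept,
    because paths and query strings can be made random yet still serve the same page.
    """
    parsed = urlsplit(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".")     # hostname is already lower-cased
    if host.startswith("www."):
        host = host[4:]
    for grey, layout in GREY_HOSTS.items():
        if host == grey or host.endswith("." + grey):
            if layout == "subdomain":
                prefix = host[: -len(grey) - 1] if host != grey else ""
                account = prefix.split(".")[-1] if prefix else ""   # label nearest the host
                return f"{account}.{grey}" if account else grey
            segments = [s for s in parsed.path.split("/") if s]
            return f"{grey}/{segments[0].lower()}" if segments else grey
    return host


def lookup_hash(url):
    """Digest of the account key, usable as the key in a blocklist database
    (SHA-256 here instead of the MD5 the thread mentions; any stable digest works)."""
    return hashlib.sha256(account_key(url).encode()).hexdigest()


def collapse(urls):
    """The distinct keys a batch of URLs boils down to."""
    return sorted({account_key(u) for u in urls})


# Constructed spammer URLs: randomised paths, parameters and case on the same few accounts.
SPAM_URLS = [
    "http://geocities.com/spamer123/page1.html?x=1",
    "http://www.geocities.com/spamer123/other/",
    "http://spamer123.tripod.com/abc/random",
    "http://SPAMER123.tripod.com/",
    "spamer123.blogspot.com/2007/07/post.html",
    "http://example.com/random/path/gets/ignored",
    "http://example.com/another/random/path",
]

if __name__ == "__main__":
    for key in collapse(SPAM_URLS):
        print(key, lookup_hash(key))
```

Seven URLs become four keys, which is the whole point: the per-URL hash Matt proposed is defeated by the first random parameter, while a per-account key is only defeated by registering another account.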
Re: 10_default_prefs.cf file in 3.2.x branch
Robert - eLists wrote: 10_default_prefs.cf I came across this file in the docs and I am wondering how important it is to the big picture on some of our ISP type installs. I guess I spaced and just didn't see it if it was in the 3.1.x branch... I am investigating yet, it *appears* to override what I have in my local.cf Other way around. These are the defaults, and anything you put in local.cf will override the corresponding setting in this file. SA processes all the files in the general SA directory -- /usr/(local)/share/spamassassin, or /var/lib/spamassassin/path/to/updated/rules -- then processes the files in your local folder (usually /etc/mail/spamassassin). As long as you leave 10_default_prefs.cf in its normal location, you shouldn't have any problems. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: OBSCURED_EMAIL ?
Per Jessen wrote: Theo Van Dinter wrote: On Thu, May 31, 2007 at 09:46:56AM +0200, Per Jessen wrote: I've been looking at what a rot13'ed email-address looks like, and it doesn't come close to matching the pattern above. rot13 is a common/well-defined version of a single substitution cipher. This rule tries to match those, not the rot13 a-m - n-z mapping specifically. Then why is the pattern very specific wrt '^' and '(' ? Because it's very common (or at least was at one time) for spammers to rot13 the target addresses and then do those specific substitutions. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Question about reporting
Giampaolo Tomassoni wrote: what's wrong with automatically SA-report messages scoring above a given threshold (say, 10-12)? Would it be regarded as *BAD* by DCC, Pyzor, Razor, and/or SC? Razor discourages automatic reporting because they're concerned about false positives. They prefer verified reports. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Bayes Auto Learn
Daniel Aquino wrote: Is spam assassin smart enough to not auto-learn (bayesian) spam if the default tests already detect it as spam... ? What I'm wondering is if the other tests have already deemed it to be spam, then why would you want to increase the size of your bayesian db... Bayesian I believe would be better applied to messages that appear to be slipping past the other tests... Because you might get a similar message that doesn't trip the same SA tests, and doesn't score 5 points. Maybe the exact wording SA looked for only hits one variation of the message, but other parts are substantially similar from one run to the next. Maybe the first message came from a source that triggers a whole mess of RBLs, but the second one comes from a clean source. Maybe the spammer rotates in a new URL with the same sales pitch, and the new URL hasn't made it into any SURBLs yet. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: perl version
Abba Communications wrote: Is there a standard perl version that the SA team aspires to and uses as a baseline or some sort? From the README file: Perl 5.6.1 or a later version is required. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Spoofed from address but matched my whitelist -- please clarify
How did you whitelist borland.com? Did you use... whitelist_from whitelist_from_rcvd whitelist_from_dkim whitelist_from_spf ...etc? If you just used whitelist_from, it doesn't do any verification. It's a last-ditch option for cases where more reliable methods aren't possible. So that would just subtract 100 points from anything claiming to be from borland.com. As for the DomainKeys header, it looks like your SA installation didn't even check it, since I don't see any DKIM or DomainKeys rules in the list of rules that fired. Do you have either the DKIM or DomainKeys plugin enabled? -- Kelson Vibber SpeedGate Communications www.speed.net
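The difference Kelson draws here, and the SPF uses he lists in the "SPF is useless" reply above, both come down to whether a whitelist entry is tied to a verification result or only to the From: header. The following is an added example, not SpamAssassin's own code: a small policy function in the shape of the whitelist_from / whitelist_from_spf / whitelist_from_dkim options (entries constructed; the rule names and -100 scores are the stock SpamAssassin ones), plus the "SPF-pass spam gives you a safe domain to blacklist" idea from the other thread.

```python
from fnmatch import fnmatch

# Constructed configuration in the shape of the options Kelson lists.
WHITELIST = {
    "whitelist_from": ["*@borland.com"],           # trusted on the From: header alone
    "whitelist_from_spf": ["*@friendly.example"],  # trusted only when SPF passes
    "whitelist_from_dkim": ["*@signed.example"],   # trusted only when a signature verifies
}
# Stock SpamAssassin rule names and scores these options map to.
RULE_FOR = {"whitelist_from": ("USER_IN_WHITELIST", -100.0),
            "whitelist_from_spf": ("USER_IN_SPF_WHITELIST", -100.0),
            "whitelist_from_dkim": ("USER_IN_DKIM_WHITELIST", -100.0)}


def whitelist_hits(from_addr, spf_result="none", dkim_valid=False, config=WHITELIST):
    """Which whitelist rules fire for a message, given the verification results.

    from_addr is the address in From:, which anyone can write. spf_result is the SPF
    result for the connecting IP; dkim_valid says a signature for the domain verified.
    """
    verified = {"whitelist_from": True,                 # no verification at all
                "whitelist_from_spf": spf_result == "pass",
                "whitelist_from_dkim": dkim_valid}
    hits = []
    for option, patterns in config.items():
        if verified[option] and any(fnmatch(from_addr.lower(), p.lower()) for p in patterns):
            hits.append(RULE_FOR[option])
    return hits


def spf_pass_spam_domains(messages):
    """From the SPF-compliant spam thread: a domain whose SPF record authorises the
    spamming IP is verifiably the spammer's own, so it is a safe blocklist entry.
    messages: iterable of (from_addr, spf_result, is_known_spam)."""
    return sorted({addr.split("@", 1)[1].lower() for addr, spf, spam in messages
                   if spam and spf == "pass"})


if __name__ == "__main__":
    # A spoofed borland.com sender still collects -100 from the unverified option.
    print(whitelist_hits("news@borland.com", spf_result="fail"))
    # Forwarded mail from the friendly domain fails SPF and just gets normal scoring.
    print(whitelist_hits("bob@friendly.example", spf_result="fail"))
    print(whitelist_hits("bob@friendly.example", spf_result="pass"))
    print(spf_pass_spam_domains([("x@spam.example", "pass", True),
                                 ("y@victim.example", "fail", True),
                                 ("z@ok.example", "pass", False)]))
```

Note what happens to a forwarded message in the SPF-verified case: it is neither whitelisted nor penalised by this logic, which is the point Kelson makes about forwarding in the SPF thread. The original poster's spoofed-but-whitelisted borland.com mail is the first case; moving the entry to whitelist_from_spf or whitelist_from_dkim (with the plugin enabled) is what closes it.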
Re: Spamassassin: Best Practices
Mike Jackson wrote: 1) How can we train the spamassassin using bayesian to FILTER ALL OUTGOING AS WELL AS INCOMING messages from my server. That depends on your MTA. Some make it easy (Postfix), some make it difficult (Sendmail), some you just shouldn't be using (Qmail). (That last one was a joke, people.) Actually, depending on how you call Sendmail, it's sometimes harder to *avoid* filtering outgoing mail along with incoming. If you use a milter interface like MIMEDefang or Amavisd-new to call SpamAssassin, and if you use the same server for incoming and outgoing mail, the default behavior will be to scan all mail, regardless of which way it's going. (If you're using SMTP-AUTH, or if all outgoing mail comes from a specific IP range, then it's pretty easy to separate them.) -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Dealing w/ poor network citizens like Yahoo! - Solution?
Aggh. I think Thunderbird 2 changed the menu layout a bit. I hit Reply to Sender instead of Reply to All. Marc Perkel wrote: For what it's worth, what would be nice is if yahoo had some kind of automated complaint mailbox so that if complaints about a particular account were coming in at a high rate it would disable the account. Same for Hotmail, Gmail, and other free mailers. If automated complaint features were standard we could fix a lot of spam. Sure... until spammer-pwned botnets start sending hundreds of complaints about the addresses of spamfighters, getting their ISPs to disable their accounts automatically. Sorry, that one's just too easy to abuse. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: whitelist_from ip_range
Benny Pedersen wrote: On Sat, April 14, 2007 10:31, Wael Shahin wrote: whitelist_from 172.16.0.0/16 trusted_networks 172.16.0.0/16 whitelist_from is for email not for ip :-) That won't do what you think. trusted_networks is for IPs that you trust to provide honest header information, not IPs that you trust not to send spam. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Help with rule
Steven Stern wrote: I suspect a rule that looks for www*pill*org would work. How do I turn that into a regex?

Basic: /www.*pill.*org/
Slightly optimized: /www.{1,30}pill.{1,30}org/

. matches any character.
* means 0 or more of the preceding item, so .* matches 0 or more of any character.
{X,Y} means anywhere from X to Y of the preceding item.

You don't want to use .* in a SA rule, though, because if it matches www it'll keep looking for a long time until it finds pill or runs out of text to look at. .{1,30} will match 1 to 30 of any character in a row, so if it finds www it will only look through 30 characters for pill.

You can also make it more specific, matching things only at word boundaries, etc. There's a good tutorial and reference at www.regular-expressions.info -- one of the few legit .info names I've seen. -- Kelson Vibber SpeedGate Communications www.speed.net
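To check a candidate pattern against sample text before it goes into a rule, here is a small Perl harness. It is an added example, not code from the post above: the sample body lines, the tightened third pattern, and the LOCAL_WWW_PILL_ORG rule name in the trailing comment are all made up for the illustration.

```perl
#!/usr/bin/perl
# Added example (not from the post above): try candidate patterns against
# constructed sample lines before putting one in a SpamAssassin rule.
use strict;
use warnings;

# unbounded: after "www" the engine scans to the end of the text and
#            backtracks looking for "pill".
# bounded:   gives up after 30 characters, as in the post.
# stricter:  additionally requires a literal "www." host, no whitespace
#            in the gaps, a literal ".org" and word boundaries, so "pill"
#            inside an unrelated word in running text no longer counts.
my %pattern = (
    unbounded => qr/www.*pill.*org/i,
    bounded   => qr/www.{1,30}pill.{1,30}org/i,
    stricter  => qr/\bwww\.[\w.-]{1,30}pill[\w.-]{1,30}\.org\b/i,
);

# Names of the patterns that match one line of body text, sorted.
sub matching_patterns {
    my ($line) = @_;
    return sort { $a cmp $b } grep { $line =~ $pattern{$_} } keys %pattern;
}

# Constructed sample lines, one per case worth checking.
my @samples = (
    'Visit www.cheap-pills.org today',                          # gaps well under 30 characters
    'www ' . ('x' x 40) . ' pill ' . ('y' x 40) . ' org',      # "pill" more than 30 characters from "www"
    'see www.example.org for the pillow sale (caterpillar.org)', # "pill" only inside other words
);

for my $line (@samples) {
    printf "%-60.60s -> %s\n", $line, (join(',', matching_patterns($line)) || 'none');
}

# The bounded pattern as an actual rule (rule name and score are assumed):
#   body     LOCAL_WWW_PILL_ORG  /www.{1,30}pill.{1,30}org/i
#   describe LOCAL_WWW_PILL_ORG  www...pill...org within a short span
#   score    LOCAL_WWW_PILL_ORG  1.5
```

The second sample puts more than 30 characters between www and pill, which is exactly the variant the bounded form gives up on; the third has pill only inside pillow and caterpillar, which both of the post's patterns still hit and the anchored version does not. Fewer wasted cycles and fewer false positives in exchange for a few missed variants is the trade-off that makes the bounded form the better starting point for a body rule.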
Re: Question about Spam Assassin and Google Analytics
Dean Shaw wrote: We recently installed Google Analytics on our site and would like to incorporate the tracking on our HTML-based email campaigns. On our first attempt Spam Assassin flagged our email as ‘porn’. The only different factor was the inclusion of GA code in the HTML of the email. Are you sure it was SpamAssassin that flagged it with such a blanket category? SA usually provides either more finely-grained details -- namely, which rules are being triggered -- or just a simple yes/no and total score. The default SA setup has rules to detect porn, but they only contribute to classification as spam. There isn't a porn classification. What rules is it hitting? -- Kelson Vibber SpeedGate Communications www.speed.net
Re: verifying the score of a message
maillist wrote: I believe that sendmail doesn't have the headers assembled at that point. So, if you do what you mentioned above, then you will not get the correct score.

Sort of. The df file contains the message body, and the qf file contains the headers... but they're not in the normal message format. Each header is prefixed with an H and some possibly-blank status info surrounded by two question marks:

H??From: [EMAIL PROTECTED]
H?x?Full-Name: Somebody or Other

The qf file also includes other envelope and queue data, such as how many times Sendmail has tried to deliver the message, and what responses it's received. It should be possible to extract the headers from the queue file, but simply concatenating the files wouldn't do it. Off the top of my head, maybe something like this?

grep '^H' | cut -f3- -d'?'

Untested, YMMV. -- Kelson Vibber SpeedGate Communications www.speed.net
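Doing that extraction properly, with folded continuation lines and the Return-Path placeholder handled, is what the Perl script below does. It is an added example, not the poster's one-liner, and the queue file it runs on when given no arguments is constructed for the illustration. It assumes what sendmail actually writes: continuation lines of a folded header are stored with a leading tab, and Return-Path holds the macro <g>, whose real value is the envelope sender on the S line. Real qf files carry more record types than shown; anything that is not an H record or its continuation is dropped.

```perl
#!/usr/bin/perl
# Added example (not from the post above): rebuild an RFC 822 message from
# a Sendmail qf/df pair so it can be piped into "spamassassin -t".
# usage: perl qf2msg.pl qfFILE dfFILE | spamassassin -t
# With no arguments it runs on the constructed sample queue file below.
use strict;
use warnings;

# Turn the text of a qf file into header lines. Records handled:
#   H?flags?Name: value   -> header (flags may be empty: H??)
#   <TAB>continuation     -> folded continuation of the previous header
#   S<addr>               -> envelope sender (fills Return-Path's <g> macro)
# Everything else (V, T, K, N, P, I, F, $, r, R, ...) is queue state, not
# message content, and is dropped.
sub qf_headers {
    my ($qf_text) = @_;
    my (@headers, $sender, $in_header);
    for my $line (split /\n/, $qf_text) {
        last if $line eq '.';                       # end-of-record marker
        if ($line =~ /^H\?[^?]*\?(.*)$/) {          # strip "H" and "?flags?"
            push @headers, $1;
            $in_header = 1;
        } elsif ($line =~ /^[ \t]/ && $in_header) { # folded header continuation
            $headers[-1] .= "\n$line";
        } else {
            $in_header = 0;
            $sender = $1 if $line =~ /^S(.*)$/;     # e.g. S<user@example.com>
        }
    }
    # Sendmail stores the sender in Return-Path as the macro <g>;
    # substitute the real envelope sender so SPF-style checks have it.
    if (defined $sender) {
        s/^(Return-Path:\s*)<g>$/${1}$sender/ for @headers;
    }
    return @headers;
}

# Headers + blank line + df body = a message spamassassin can read.
sub reconstruct {
    my ($qf_text, $df_text) = @_;
    return join("\n", qf_headers($qf_text)) . "\n\n" . $df_text;
}

if (@ARGV == 2) {
    local $/;                                       # slurp whole files
    open my $q, '<', $ARGV[0] or die "$ARGV[0]: $!";
    open my $d, '<', $ARGV[1] or die "$ARGV[1]: $!";
    print reconstruct(scalar <$q>, scalar <$d>);
} else {
    # Constructed sample qf record (shape of a sendmail 8.13 queue file,
    # with addresses and IDs made up for the example).
    my $qf = <<'QF';
V8
T1170196431
K0
N0
P30076
Fbs
$_localhost [127.0.0.1]
S<sender@example.com>
RPFD:user@example.net
H?P?Return-Path: <g>
H??Received: from mail.example.com (mail.example.com [192.0.2.10])
	by mx.example.net (8.13.8/8.13.8) with ESMTP id l0UGUpXX012345
	for <user@example.net>; Tue, 30 Jan 2007 11:30:51 -0500 (EST)
H?x?Full-Name: Somebody or Other
H??From: sender@example.com
H??Subject: test
.
QF
    print reconstruct($qf, "Hello, this is the body.\n");
}
```

Two caveats when using it on a live queue: reading /var/spool/mqueue needs the same privileges sendmail runs with, and the score you get still depends on your trusted_networks and internal_networks settings, because the Received: headers in the queue file are the ones SpamAssassin will walk.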
Re: verifying the score of a message
maillist wrote: Well what puzzles me is, is the message in queue, waiting to be sent to someone within your domain, or is it outbound? Why are you wanting to manually scan it? I think you're confusing me with the person who originally posted the question. Putting this thread back on the list... -- Kelson Vibber SpeedGate Communications www.speed.net
Re: New stock spam (2/14/07)
Jonathan Nichols wrote: Any rulesets to deal with them? They're scoring lower and lower all the time. The one I linked to scored -2 :-( It looks like it tripped BAYES_00. Have you been running these through sa-learn as spam? That should help, to start. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: MTA Search: Non contiguous ranges?
Dan wrote: I would like a Mail Transfer Agent recommendation. What's the best MTA, running on any platform, that will accept two or more thresholds (non-contiguous weight values) for treating messages as spam? Something like: ... Where 4 paths are possible, instead of the normal 2 (below 10 allow, above 10 tag) such that the treat-as-ham values are literally in between the spam values. This can be native or via a plugin. Sendmail with MIMEDefang www.mimedefang.org can do that. MIMEDefang can talk to SpamAssassin and several virus scanners, and you can control its behavior using Perl. This means you can set up any behavior you want. As an example, we currently have a three-tiered setup where mail below the SpamAssassin threshold is allowed through, mail above a higher threshold is rejected, and mail in the middle is let through but flagged as spam. It would have no problem defining behavior for additional score ranges. MIMEDefang is free and open-source (GPL). The authors also have a commercial product, Can-It, with additional capabilities and simpler administration: www.roaringpenguin.com -- Kelson Vibber SpeedGate Communications www.speed.net
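What that three-tier setup looks like in the filter file, as an added example rather than the poster's actual configuration: filter_end asks SpamAssassin for the score and then passes, tags or rejects. spam_assassin_check, action_bounce, action_change_header and action_delete_header are MIMEDefang's filter functions, and %Features and ./INPUTMSG are provided by mimedefang.pl; the reject threshold of 15 and the header names are assumed, while the tag threshold is whatever SpamAssassin reports as its required score.

```perl
# Added example for mimedefang-filter (not the poster's production filter).
# The filter file is evaluated inside mimedefang.pl's own namespace, which
# is where %Features and the action_* functions come from.

my $REJECT_AT = 15;   # assumed: scores at or above this are refused at SMTP time

# Pure decision logic, kept apart from the milter calls so it can be
# exercised on its own. $req is the "required" score SpamAssassin
# returns alongside the hits (5.0 unless required_score is changed).
sub classify_score {
    my ($hits, $req, $reject_at) = @_;
    return 'reject' if $hits >= $reject_at;
    return 'tag'    if $hits >= $req;
    return 'pass';
}

sub filter_end {
    my ($entity) = @_;
    return unless $Features{"SpamAssassin"};        # SA support compiled in
    return if -s "./INPUTMSG" > 100 * 1024;         # skip oversize messages, like the stock filter

    my ($hits, $req, $names, $report) = spam_assassin_check();
    my $tier = classify_score($hits, $req, $REJECT_AT);

    if ($tier eq 'reject') {
        # 5xx at end of DATA: the sending MTA owns any bounce, so no
        # backscatter is generated from this side.
        action_bounce("Message rejected: spam score $hits");
    } elsif ($tier eq 'tag') {
        # change (not add) so an X-Spam-Score supplied by the sender is
        # overwritten rather than left beside ours
        action_change_header("X-Spam-Score", "$hits ($req) $names");
        action_change_header("X-Spam-Flag",  "YES");
    } else {
        # Never let a score header that arrived from outside survive.
        action_delete_header("X-Spam-Score");
        action_delete_header("X-Spam-Flag");
    }
}
```

Adding a fourth range, say a quarantine band between tag and reject, is one more comparison in classify_score and one more branch in filter_end, which is the flexibility the post is describing.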
HTML mail (was Re: A New Approach: Find the Ham)
Tom Allison wrote: Personally, I think HTML email should be outright discarded from the start. If you look at this argument presented by the OP then it reinforces the idea that most ascii is ham and most html is spam. Therefore, reject delivery of all html based email. Or to be more succinct -- reject any MIME type of alternative content or html only content. That would remove probably 90% of the spam in one shot.

Speaking from an ISP perspective: I hate to break it to you, but most end users want some sort of formatted mail. The days of all email being ASCII-only are over, just as the days of all websites being text-only are over.

Now, if you can come up with another markup language for formatting email...

* That satisfies end users' wants without being vulnerable to the filter-evasion that HTML makes possible
* And you can get all the major email clients to render it
* And you can get all the major email clients to use it for formatted composition instead of HTML (so end users can still make their text blue and embed the latest cute image of kittens)
* And you can get commercial email campaign software to use it instead of HTML (so organizations can include a company logo, or pictures of the items that they're promoting in this week's newsletter)

...*then* it'll be viable to discard HTML.

Obviously, individuals and businesses handling their own mail can apply stricter rules. But it's not something that can be done (yet) on a large scale without disappointing a lot of people -- and not just the spammers. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: HTML mail (was Re: A New Approach: Find the Ham)
Gene Heskett wrote: With all due respect, that's 100% BS. MIME was invented to handle the non-ascii stuff, and does it very well except for M$, who couldn't follow a std rule with a loaded 44 magnum stuck in Bill's ear. 100% BS? So end-users don't like formatting in their messages? Email is still all-ASCII? Websites are still all-text? Or are you responding to something else? There is, it's the proper use of mimetypes. I'm not talking about the MIME structure, I'm talking about the formatted version of the message. Last I looked, MIME *by itself* didn't allow you to change fonts or colors, add bold or italics, create bulleted lists that flow properly, allow images to appear within a document instead of as a separate segment, etc. In other words, what can adequately replace text/html in the non-plaintext multipart/alternative section such that HTML becomes irrelevant for legitimate uses? Microsoft Word? PDF? RTF? Any of those would be worse, IMO. text/richtext might do the job, except Eudora is the only client I can think of that composes in it. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: SA-gen'd message report headers appear differently (with/without linebreaks) in different mail clients
snowcrash+spamassassin wrote: whatever. currently, it's unformatted in tbird, unlike in other clients. intended, or not; bug, or not -- that's a fact. <pedantic>Technically, it's left unformatted in those other clients, and has been reformatted according to specs by Thunderbird.</pedantic> -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Newsletter Help
Ryan Barrett Hastings wrote: My company uses Kintera to generate our e-mail newsletters. We have recently redesigned the newsletter and our spam score has increased. I am looking for help with reducing our score, specifically within the area of HTML_IMAGE_RATIO_08 and MIME_HTML_ONLY. Can you review the newsletter I have included below to offer any suggestions. ... Your spam score is: 2.2 points

2.2 points is less than half the standard threshold (5 points). Unless people have tweaked their systems, 2.2 points means it's *not* spam.

That said, MIME_HTML_ONLY is an indication of a wider problem than simply spam score. In general, you should *always* include a plain-text equivalent of any email message, for the following reasons:

* Some people still use text-only mail readers.
* Some systems will filter out HTML mail for safety reasons.
* Some people consider formatted messages to be distracting and prefer to read the plain-text version.

-- Kelson Vibber SpeedGate Communications www.speed.net
Re: SA-gen'd message report headers appear differently (with/without linebreaks) in different mail clients
snowcrash+spamassassin wrote: BUT, if i open the message in Thunderbird2, the line-breaks in the header are apparently stripped off; here's what it looks like. ... As per RfC (2)822, header _values_ are always just *one* line. To get around the (server) restriction of 998 usable characters per line, it is allowed to split the value into multiple lines. But these line breaks are *not* part of the actual value and recipients have to remove the line breaks when decoding the message to get back the real value.

From your screen shot, I'm guessing you're looking at it via View > Headers > All. You can see the original formatting (even in Thunderbird 2) using the Message Source function instead.

Menu: View > Message Source
Keyboard: Ctrl+U on Windows/Linux, probably Cmd+U on Mac

-- Kelson Vibber SpeedGate Communications www.speed.net
Re: To create a cf file: notepad and youfile.cf enough?
Nigel Frankcom wrote: Depending on the level of access you have to your Linux box I'd suggest writing them in joe or vi from the command line. Linux can get very picky about line breaks in files created in Windows. If you tell your FTP client to treat .cf files as ASCII, it will convert the line endings when you transfer them. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: How do I whitelist this?
Daryl C. W. O'Shea wrote: Matt Kettler wrote: But this assumes that your SA is called after the Return-Path header is added, and not before. If you're using a milter, this won't work, but if you're calling from procmail, it will. Ideally a milter will fake a return-path header when it fakes the required received header. For the record, current versions of MIMEDefang do this. I believe someone mentioned that current versions of Amavisd-new also do this. YMMV with older releases and other milters. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: How do I manually check SPF validity?
SPF online tester: http://www.kitterman.com/spf/validate.html

Scroll down to "Test an SPF record" and just fill in the IP address and Mail From address (the envelope sender).

On Jan 30, 2007, at 6:04 PM, Loren Wilton wrote:

Received: from LISTSERV-1A.INT.AIP.ORG ([192.58.150.67]) by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1hbVSH2oa3Nl3494 for ; Tue, 30 Jan 2007 11:30:51 -0500 (EST)
Received: from LISTSERV-1A (listserv-1a.int.aip.org) by LISTSERV-1A.INT.AIP.ORG (LSMTP for Windows NT v1.1b) with SMTP id [EMAIL PROTECTED]; Tue, 30 Jan 2007 11:23:53 -0500

There's one critical piece of information missing: the envelope sender (or at least the RHS of the address). -- Kelson Vibber SpeedGate Communications www.speed.net
Re: How to deal with mailing list spam?
Chris Purves wrote: I was wondering what is the best way to deal with spam that comes through on mailing lists? For mailing lists like spamassassin I whitelist all mail because I expect to see examples of spam, but for other lists, is it a good idea to run 'sa-learn --spam'?

As long as you also run 'sa-learn --ham' on the legit list traffic, it should be fine, since Bayes will conclude that the list headers administrivia are neutral.

What about reporting those spam to razor/pyzor or spamcop?

That might warrant some caution. Headers won't be an issue with Razor or Pyzor, but any standard blocks of text could end up in their hash databases. Razor also keeps track of URLs that appear in the message body, so it could theoretically pick up list management URLs or inserted advertising links (a la Yahoo Groups) as spam signs until enough people issue a razor-revoke.

You might want to ask on the Razor mailing list to see what they recommend doing in this case. I just checked my local archives and while the issue has come up before -- in fact, at one point the CentOS list management URL ended up listed in Razor -- there was no consensus on what to do with this sort of spam. It's probably worth bringing it up again. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: USER_IN_WHITELIST problem
Sherman Lilly wrote: I was looking on the net and I came across a plugin on spamassassin I don't think i have loaded. Will the SPF plugin help with this problem?

Yes... *if* you replace whitelist_from with whitelist_from_spf

Alternatively you can try something like this:

whitelist_from_rcvd [EMAIL PROTECTED] yourmailserver.com

whitelist_from should always be a last resort because it's so easy for spammers to forge the From: and Return-Path: headers. If at all possible, you should use one of the more specific whitelist functions that will double-check against the received headers, SPF, DKIM, etc. -- Kelson Vibber SpeedGate Communications www.speed.net
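The same point comes up three times on this page (the borland.com whitelist that matched a spoofed From:, the whitelist_from 172.16.0.0/16 attempt, and the USER_IN_WHITELIST question above), so here is a local.cf fragment that puts the weak directive beside the ones that verify something. It is an added illustration, not configuration from any of the posts; example.com, the relay name mail.example.com and the 172.16.0.0/16 range are assumed values, and the trust path lines are there because whitelist_from_rcvd can only work once SpamAssassin knows which Received: headers are yours.

```conf
# local.cf -- added example, not taken from the posts above.

# Trust path first: whitelist_from_rcvd inspects the Received: header of
# the last hop *outside* your network, so SpamAssassin has to know where
# your network ends. These are assumed values; neither line whitelists
# anything (see the whitelist_from 172.16.0.0/16 thread above).
internal_networks 172.16.0.0/16
trusted_networks  172.16.0.0/16

# Weak: matches the From: header only, which any spammer can forge, so
# every message *claiming* to be from example.com gets -100 points.
# Left here, commented out, as the thing to replace.
#whitelist_from *@example.com

# Better: From: must match AND the relay that handed the message to your
# network must have a reverse-DNS name ending in mail.example.com.
whitelist_from_rcvd *@example.com mail.example.com

# Better still where the sender publishes SPF or signs with DKIM: the
# whitelist fires only if that check actually passes for this message.
whitelist_from_spf  *@example.com
whitelist_from_dkim *@example.com
```

whitelist_from_spf needs the SPF plugin (loaded from init.pre in a default install) and whitelist_from_dkim needs the DKIM plugin, which is not enabled by default; the absence of any DKIM or DomainKeys rule in the hit list is the tell that the plugin is not loaded, as noted in the borland.com reply above.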
Re: comprehensive perl module site like cpan or other for SA needs ???
R Lists06 wrote: It is my experience that CPAN installs can or will tend to do things I do not want it to do (or cannot control) in a RPM environment among other things...

I use the following methods, in this order, for installing Perl modules:

1. Distro's native repository
2. Well-maintained third-party repository (rpmforge.net has a number of RHEL4 packages through DAG's repository, including Perl modules)
3. cpan2rpm
4a. CPAN command-line
4b. Download the source and build an RPM
5. Download the source and install

If at any point the module is unavailable, too old, or cannot be installed, I move to the next option. The idea is to have as much as possible managed through RPM repositories (which will make installing bugfix/security upgrades trivial), then as much as possible through RPM, then get what's necessary. I haven't quite settled on what order to do 4a and 4b in. 4b is better from a management perspective, but 4a is a lot simpler to do. -- Kelson Vibber SpeedGate Communications www.speed.net