Russian Spam
I have received several copies of a spam message that is in Russian (I think it's Russian). I get maybe 1 or 2 a week. I wish I could block all Russian messages, but we are a University and could easily have Russian students. I am unable to read this message and therefore have no ideas on how to block this. Can anyone help me out with suggestions?

I apologize if this has been discussed in the last week. I haven't had time to catch up on list messages over the last couple of days and didn't see anything skimming the subjects of recent threads.

Thanks,
Kris

Message with full headers below:

Microsoft Mail Internet Headers Version 2.0
Received: from gateway3.oc.edu ([205.143.222.12]) by fsmail.oc.edu with Microsoft SMTPSVC(6.0.3790.211);
  Thu, 13 Apr 2006 08:50:17 -0500
Received: from ip-189.net-82-216-33.toulouse.rev.numericable.fr ([82.216.33.189])(helo=ip-189.net-82-216-33.toulouse.rev.numericable.fr)
  by gateway3.oc.edu with smtp (Exim 4.54) id 1FU2CH-0008JS-AY
  for [EMAIL PROTECTED]; Thu, 13 Apr 2006 08:49:43 -0500
From: Litvinova Elena [EMAIL PROTECTED]
To: Samusenko Tat'jana [EMAIL PROTECTED]
Date: Thu, 13 Apr 2006 13:50:06 +
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=koi8-r; reply-type=original
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1441
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-SA-Exim-Connect-IP: 82.216.33.189
X-SA-Exim-Rcpt-To: [EMAIL PROTECTED]
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on gateway3.oc.edu
X-Spam-Level:
X-Spam-Status: No, score=0.3 required=5.0 tests=DNS_FROM_AHBL_RHSBL,RELAY_FR
  autolearn=disabled version=3.1.0
Subject: Re[6]: =?koi8-r?B?9Nkgzc7Px88gxMzRIM3FztEg2s7B3snb2A==?= davavsheju
X-SA-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
X-SA-Exim-Scanned: Yes (on gateway3.oc.edu)
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 13 Apr 2006 13:50:17.0572 (UTC) FILETIME=[32A1FA40:01C65F01]

Рад Вас снова видеть! Вы собираетесь в США? Хотите свободно работать с технической документацией? Расширить свой кругозор? Центр Американского Английского приглашает выучить английский язык!!! Все стадии обучения - от нуля до высшего. Ассоциативно- образная методика. Преподаватели из США. Без больших скидок не уйдёте! :)

Наши телефоны в Москве: 105 пять-один-восемь-шесть два-три-восемь-три-три-восемь-шесть

Не хотите получать информацию от Центра? Отправьте свой адрес нам: [EMAIL PROTECTED]

сил. Но он не мог понять того, -- вдруг как бы вырвавшимся тонким голосом закричал князь Андрей, -- но он не мог понять, что мы в первый раз дрались там за русскую землю, что в войсках был такой дух, какого никогда я не видал, что мы два дня сряду отбивали французов и что этот успех удесятерял наши силы. Он велел отступать, и все усилия и потери пропали даром. Он не думал об измене, он старался все сделать как можно лучше, он все обдум

от этого-то он и не годится. Он не годится теперь именно потому, что он все обдумывает очень основательно и аккуратно, как и следует всякому немцу. Как бы тебе сказать... Ну, у отца твоего немец-лакей, и он прекрасный лакей и удовлетворит всем его нуждам лучше тебя, и пускай он служит; но ежели отец при смерти болен, ты прогонишь лакея и своими непривычными, неловкими станешь ходить за отцом и лучше успокоишь его, чем искусный, но чужой человек. Так и сделали с Барклаем. Пока Россия была здорова, ей мог служить
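An added example, not part of the original post: Python's standard email package applied to the headers shown above, listing the charsets the message declares and decoding its RFC 2047 Subject so an administrator who cannot read the text can still see what a charset-based filter would key on. The accepted-charset set and the body placeholder are assumptions.

```python
from email import message_from_string
from email.header import decode_header

# Charsets this site expects in normal mail (an assumption; tune per site).
ACCEPTED = {"us-ascii", "iso-8859-1", "windows-1252", "utf-8"}

# Headers copied from the message above; the body is a constructed placeholder.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=koi8-r; reply-type=original
Content-Transfer-Encoding: 8bit
Subject: Re[6]: =?koi8-r?B?9Nkgzc7Px88gxMzRIM3FztEg2s7B3snb2A==?= davavsheju

(body omitted)
"""


def _chunks(value):
    """Yield (text, charset) for each RFC 2047 chunk of a header value."""
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:          # charset name Python does not know
                chunk = chunk.decode("latin-1")
        yield chunk, charset


def decoded_header(raw, name="Subject"):
    """Return a header as readable text, with encoded-words decoded."""
    value = message_from_string(raw).get(name, "")
    return "".join(text for text, _ in _chunks(value))


def declared_charsets(raw):
    """Charsets named in any part's Content-Type or in header encoded-words."""
    msg = message_from_string(raw)
    found = {part.get_content_charset() for part in msg.walk()}
    for name in ("Subject", "From", "To"):
        found |= {charset for _, charset in _chunks(msg.get(name, ""))}
    found.discard(None)
    return found


def unexpected_charsets(raw, accepted=ACCEPTED):
    """Declared charsets that fall outside the site's accepted set."""
    return sorted(declared_charsets(raw) - set(accepted))


if __name__ == "__main__":
    print("charsets:  ", sorted(declared_charsets(SAMPLE)))
    print("unexpected:", unexpected_charsets(SAMPLE))
    print("subject:   ", decoded_header(SAMPLE))
```

The Subject decodes to Russian text meaning roughly "You mean a lot to me"; a site with Russian-speaking users would treat the koi8-r charset as one score input rather than a block on its own.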
RE: SpamAssassin large-scale users willing to comment?
We're a university. I'm not sure if we are as big as you're looking for (around 2100 mailboxes), but I'd be willing to talk to a reporter.

Kris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 22, 2006 12:00 PM
To: users@SpamAssassin.apache.org
Subject: SpamAssassin large-scale users willing to comment?

Hey all --

Apache SpamAssassin has won DataMation Product of the Year in the anti-spam category *again* this year -- for the second year running! (yay!)

One thing that would be really cool would be some comments from our customers, for the press surrounding this. If you, or someone you know, would be willing to talk to a reporter about how SpamAssassin has helped eliminate spam in your organization, that'd be great. (A non-technical organisation would be even better btw.)

Anyone interested? Please reply here, or if you'd prefer to follow up confidentially for whatever reason, to [EMAIL PROTECTED].

--j.
RE: User getting spammed to death
Are the messages coming from the same sending server? If so, I'd blacklist it at your MTA until the storm is over.

Kris

-----Original Message-----
From: Peter Marshall [mailto:[EMAIL PROTECTED]
Sent: Monday, February 13, 2006 12:16 PM
To: SpamAssassin list
Subject: User getting spammed to death

I am not sure if there is anything that I can do ... But our marketing email address is getting spammed to death. We are getting about 2000 messages an hour. It is getting to be a problem. Do any of you have a suggestion other than simply turfing the email address?

Thanks
Peter
RE: Xtracting urls from saved spams making SA rules - xurl001.pl
I would recommend caution when using such a program. I see lots of spam that have legitimate URLs sprayed in them as well. I do think this would be very useful though. Just need to make sure you look through the rules and remove the good guys.

Kris

-----Original Message-----
From: Michael W Cocke [mailto:[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 8:57 AM
To: spamassassin-users@incubator.apache.org
Subject: Xtracting urls from saved spams making SA rules - xurl001.pl

It's absolutely not finished, but attached is a quick perl hack I'm using to read thru a directory of saved spam (text files), extract urls and automatically build SA rules for them. It's not debugged thoroughly and I have a few more things to add, but I know I'm not the only person who can use this.

Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
RE: SA frequently skipping rules
I typically use spamassassin -D testmessage.

Kris

-----Original Message-----
From: Jim Smith [mailto:[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 9:16 AM
To: users@spamassassin.apache.org
Subject: RE: SA frequently skipping rules

Thanks to Stuart and Daryl for your responses. I think I need to ask a basic question that I'm sure is a FAQ somewhere that I haven't located yet (honestly I've hunted!). How do I run a message through the spamassassin command line to get the score results on the screen? I tried saving the email and running

spamassassin messagename -d
spamassassin messagename -D -d

and a few other variations but the results don't show any scored headers.

BTW, thanks for the explanation on UNPARSEABLE_RELAY. I was thinking maybe the headers were scrambled so that SA tried to parse but gave up. That obviously isn't the case and not the reason I'm having difficulties. Once I can test select emails by running them back through to compare scores, that will help.

Thanks,
Jim Smith

-----Original Message-----
From: Stuart Johnston [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 09, 2006 7:12 PM
To: Jim Smith; users@spamassassin.apache.org
Subject: Re: SA frequently skipping rules

This message does not hit any naughty words rules for me either (tested 3.1.0 and 3.0.3). SA doesn't generally have rules that hit a single word. To avoid FPs, it is better to check for phrases and obfuscations.

However, the message does hit BAYES_99 and several networks tests on my system giving it a score of 31.5. Of course, network tests do tend to work better when you are investigating why a message got through than when the message first hits your mail server.

Jim Smith wrote:
> I'm getting lots of spam that are skipping rules. One that came in recently with lots of porn only got tagged for SORBS, NUMERIC HELO, and UNPARSEABLE RELAY (I don't know what unparseable relay means but seems like many emails have that lately).
>
> The full headers message (uncensored) of that example is at www.blarneystone.com/spam/spam.txt if that helps. If you look at it you can tell that it should have kicked off lots of porn tags but none were there and it sailed through with a 3.2 score.
>
> This has only happened since I upgraded to SA 3.1.0. I've run SA --lint -D without errors. I thought it might be some configuration left over from my older SA when I upgraded so I did a clean install on a new machine and still have the same issue with skipping of rules. BTW, I know the rules aren't missing from the installation because they show up in other emails. A sporadic problem... my favorite sigh.
>
> Any suggestions?
>
> Thanks,
> Jim Smith
RE: SA frequently skipping rules
Oops, I sent that too quick. It should be spamassassin -r testmessage. -Original Message- From: Jim Smith [mailto:[EMAIL PROTECTED] Sent: Friday, February 10, 2006 9:16 AM To: users@spamassassin.apache.org Subject: RE: SA frequently skipping rules Thanks to Stuart and Daryl for your responses. I think I need to ask a basic question that I'm sure is a FAQ somewhere that I haven't located yet (honestly I've hunted!). How do I run a message through the spamassassin command line to get the score results on the screen? I tried saving the email and running spamassassin messagename -d spamassassin messagename -D -d and a few other variations but the results don't show any scored headers. BTW, thanks for the explanation on UNPARSEABLE_RELAY. I was thinking maybe the headers were scrambled so that SA tried to parse but gave up. That obviously isn't the case and not the reason I'm having difficulties. Once I can test select emails by running them back through to compare scores, that will help. Thanks, Jim Smith -Original Message- From: Stuart Johnston [mailto:[EMAIL PROTECTED] Sent: Thursday, February 09, 2006 7:12 PM To: Jim Smith; users@spamassassin.apache.org Subject: Re: SA frequently skipping rules This message does not hit any naughty words rules for me either (tested 3.1.0 and 3.0.3). SA doesn't generally have rules that hit a single word. To avoid FPs, it is better to check for phrases and obfuscations. However, the message does hit BAYES_99 and several networks tests on my system giving it a score of 31.5. Of course, network tests do tend to work better when you are investigating why a message got through than when the message first hits your mail server. Jim Smith wrote: I'm getting lots of spam that are skipping rules. One that came in recently with lots of porn only got tagged for SORBS, NUMERIC HELO, and UNPARSEABLE RELAY (I don't know what unparseable relay means but seems like many emails have that lately). 
The full headers message (uncensored) of that example is at www.blarneystone.com/spam/spam.txt if that helps. If you look at it you can tell that it should have kicked off lots of porn tags but none were there and it sailed through with a 3.2 score. This has only happened since I upgraded to SA 3.1.0. I've run SA --lint -D without errors. I thought it might be some configuration left over from my older SA when I upgraded so I did a clean install on a new machine and still have the same issue with skipping of rules. BTW, I know the rules aren't missing from the installation because they show up in other emails. A sporadic problem... my favorite sigh. Any suggestions? Thanks, Jim Smith
RE: General assistance
-----Original Message-----
From: Ed Russell [mailto:[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 10:51 AM
To: users@spamassassin.apache.org
Subject: General assistance

> Am I completely off base in the way I have this all setup? I have gone with a higher speed HD to increase the threshold on file I/O. Can I tune the performance of razor etc while maintaining delivery time? Is there anything else I should be considering? If I have not explained things well or more information is needed I will certainly provide anything.

A few questions I have:

What SA version are you running? spamassassin --version
What do you have --max-children set to?
How much memory do you have free when the box is fully loaded?

I'm trying to see if you have any headroom left to have more spamd children running. It sounds like your problem is with waiting on DNS returns. This should mean that you have plenty of processing power remaining just not enough children to handle the requests.

Other things to consider:

Do you use RBLs at the MTA level?
Do you have user verification at the MTA level?
Look for messages your MTA can drop before sending to SA.

Kris
RE: General assistance
-----Original Message-----
From: Ed Russell [mailto:[EMAIL PROTECTED]
Sent: Friday, February 10, 2006 12:32 PM
To: users@spamassassin.apache.org
Subject: RE: General assistance

> My homework is:
> 1. Install and configure dnscache.
> 2. Look into RBL at the MTA.
> 3. Begin to investigate user authentication at the MTA.
>
> Some questions,
> 1. Does anyone have an opinion as to what RBL to contact? I know there are quite a few.

We use sbl-xbl.spamhaus.org and I know a lot of others on this list do the same. However, I do know that there are FPs mentioned on this list concerning this RBL. I have never encountered one. It is a popular enough list that if someone is on it they usually work quickly to get off of it. If there were any list to choose that most people probably use SBL+XBL is definitely it.

Go to http://www.spamhaus.org for more info.

Kris
RE: Post your top 10 from sa-stats
This is after greylisting and sbl-xbl checks:

TOP SPAM RULES FIRED

RANK  RULE NAME                   COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   1  HTML_MESSAGE                45870      5.13    27.72    70.37   55.36
   2  RAZOR2_CHECK                44703      5.00    27.02    68.58    2.62
   3  RAZOR2_CF_RANGE_51_100      43826      4.90    26.49    67.24    2.13
   4  URIBL_BLACK                 42959      4.80    25.96    65.91    1.28
   5  RAZOR2_CF_RANGE_E8_51_100   34656      3.87    20.94    53.17    0.33
   6  URIBL_JP_SURBL              22866      2.56    13.82    35.08    0.01
   7  URIBL_OB_SURBL              22441      2.51    13.56    34.43    0.09
   8  RAZOR2_CF_RANGE_E4_51_100   21974      2.46    13.28    33.71    1.83
   9  URIBL_WS_SURBL              21952      2.45    13.27    33.68    0.23
  10  MIME_HTML_ONLY              21580      2.41    13.04    33.11   12.03

TOP HAM RULES FIRED

RANK  RULE NAME                   COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   1  HTML_MESSAGE                55518     14.38    33.55    70.37   55.36
   2  GREYLIST_ISWHITE            38116      9.87    23.04     7.20   38.01
   3  SPF_PASS                    33722      8.73    20.38    24.90   33.63
   4  NO_REAL_NAME                17871      4.63    10.80     6.35   17.82
   5  HTML_FONT_BIG               12612      3.27     7.62    10.92   12.58
   6  MIME_HTML_ONLY              12061      3.12     7.29    33.11   12.03
   7  DCC_CHECK                   10988      2.85     6.64    24.64   10.96
   8  DBL_12_LETTER_FLDR           9267      2.40     5.60     9.38    9.24
   9  VIRUS_WARNING62              7489      1.94     4.53     0.00    7.47
  10  DNS_FROM_RFC_ABUSE           7004      1.81     4.23     6.24    6.98
RE: Post your top 10 from sa-stats
Hmm, I guess that's a question for Dallas. This is the version I'm using:

# file: sa-stats.pl
# date: 2005-08-03
# version: 1.0
# author: Dallas Engelken [EMAIL PROTECTED]
# desc: SA 3.1.x log parser

I don't seem to be the only one showing that strange math. Dave had the same sort of entry in his:

TOP HAM RULES FIRED

RANK  RULE NAME      COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   1  HTML_MESSAGE   63067     21.17    21.46    63.61   56.74

Dallas, is there a bug or are we interpreting these numbers incorrectly?

Kris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 31, 2006 10:48 AM
To: users@spamassassin.apache.org
Subject: RE: Post your top 10 from sa-stats

Kristopher Austin wrote:
> RANK  RULE NAME      COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
>    1  HTML_MESSAGE   45870      5.13    27.72    70.37   55.36

Wait... so 27% of all mail is HTML, 70% of spam is HTML, and 55% of ham is HTML?

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
RE: Post your top 10 from sa-stats
-----Original Message-----
From: Dallas Engelken [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 31, 2006 12:42 PM
To: users@spamassassin.apache.org
Subject: RE: Post your top 10 from sa-stats

> The %OFMAIL category is misleading because it's comparing the hit count (on that line) against the total email. I've gone ahead and changed that in v1.02 and v0.92 respectively. If you like the old way it works, don't get the new version :)
>
> SA 3.0.x - http://www.rulesemporium.com/programs/sa-stats.txt
> SA 3.1.x - http://www.rulesemporium.com/programs/sa-stats-1.0.txt
>
> Hope this clarifies!

Thanks Dallas. That really explains things and the updated version is more in line with the information I actually need. Although, I can see why others would prefer the other number.

Kris
RE: USER_IN_SPF_WHITELIST not firing
After I added always_trust_envelope_sender 1 and run spamassassin -Dspf on several test messages they all have this error:

dbg: spf: cannot get Envelope-From, cannot use SPF

I guess I must be missing something else. I've been watching my logs since the change and still none have anything other than SPF_HELO_*. SA is running on my gateway MX. Anything else I should look at?

Kris

-----Original Message-----
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]
Sent: Monday, January 23, 2006 5:30 PM
To: Kristopher Austin
Cc: users@spamassassin.apache.org
Subject: Re: USER_IN_SPF_WHITELIST not firing

On 1/23/2006 12:10 PM, Kristopher Austin wrote:
> After seeing all the SPF discussion lately I decided to actually ask you guys about this problem. I have many whitelist_from_spf entries where I usually keep my whitelist entries. For some reason, I have never seen a hit on USER_IN_SPF_WHITELIST. I have received plenty of emails that I believe should have hit. Here are some example entries:
>
> whitelist_from_spf [EMAIL PROTECTED]
>
> After further investigation I notice that I have plenty of SPF_HELO_* hits, but no SPF_* hits. I assume this issue is probably related to the other. What is the difference between SPF_HELO rules and the plain SPF versions? Why would I not be seeing any hits on the non-HELO ones?

If SpamAssassin isn't running on your gateway MX, and your trusted_networks are set correctly, which they are...

> I have trusted_networks configured correctly. I have the plugin enabled and I see no errors with a spamassassin --lint -D. All the SPF dependencies are loaded. I am using SA 3.1 / sa-exim / exim 4.60 / Debian 3.1.

...you won't see anything but SPF_HELO_* hits unless you add this line to your local.cf:

always_trust_envelope_sender 1

By default (I'm starting to think that it shouldn't be by default), SA will not trust the envelope sender since it could possibly have been modified by one of the (trusted) internal_networks hosts. Without an envelope sender that it can trust, SA can't do SPF checks on the envelope sender (which is what the SPF_* checks are).

> I really have no idea on how to proceed from here. How does one test the SPF tests and get debug output on it?

spamassassin -Dspf test.msg

Daryl
RE: USER_IN_SPF_WHITELIST not firing
Thanks Matt and Daryl. All your suggestions got my SPF checking working. It seems SA-Exim puts in X-SA-Exim-Mail-From as the Envelope From header.

Kris

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 24, 2006 11:19 AM
To: Kristopher Austin
Cc: users@spamassassin.apache.org
Subject: Re: USER_IN_SPF_WHITELIST not firing

Kristopher Austin wrote:
> After I added always_trust_envelope_sender 1 and run spamassassin -Dspf on several test messages they all have this error:
>
> dbg: spf: cannot get Envelope-From, cannot use SPF
>
> I guess I must be missing something else. I've been watching my logs since the change and still none have anything other than SPF_HELO_*. SA is running on my gateway MX. Anything else I should look at?

Find out what header your MTA might add to indicate the envelope sender, or how to get it to add one if it does not. SA checks several headers by default, but not all MTAs use a header that SA checks.

SA by default checks these places:

X-Envelope-From
Envelope-Sender
X-Sender
Return-Path
Received (looking for an envelope-from clause)

If it's not using one of the defaults, put the header name in an envelope_sender_header statement in your local.cf.
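An added example, not part of the thread and not SpamAssassin's own code: a simplified Python model of the lookup order Matt lists, run over a constructed message as a gateway scanner would see it, to show why the lookup comes back empty until the MTA-specific header is named. The header-name heuristic in candidate_headers, the configured_header parameter and the sample addresses are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header names Matt lists as checked by default, in the order he gives them.
DEFAULT_HEADERS = ("X-Envelope-From", "Envelope-Sender", "X-Sender", "Return-Path")
ENVELOPE_FROM = re.compile(r"\(envelope-from\s+<?([^\s<>()]*)>?\)", re.I)
# Assumption: names like "...-Mail-From" or "Envelope-Sender" hint at the envelope.
LOOKS_LIKE_ENVELOPE = re.compile(r"(envelope|mail)[-_]?(from|sender)", re.I)

# Constructed message as seen at scan time on the gateway (no Return-Path yet).
SAMPLE = """\
Received: from mail.example.net ([192.0.2.25] helo=mail.example.net)
  by gateway.example.edu with smtp (Exim 4.60) id 1Constructed-01
  for user@example.edu; Tue, 24 Jan 2006 11:00:00 -0600
From: Sender <news@example.net>
To: user@example.edu
Subject: constructed sample
X-SA-Exim-Connect-IP: 192.0.2.25
X-SA-Exim-Rcpt-To: user@example.edu
X-SA-Exim-Mail-From: bounce@example.net

body
"""


def envelope_sender(raw, configured_header=None):
    """Return (source, address), or None when no envelope sender is found."""
    msg = message_from_string(raw)
    names = ((configured_header,) if configured_header else ()) + DEFAULT_HEADERS
    for name in names:
        value = msg.get(name)
        if value is not None:
            return name, parseaddr(value)[1]
    for received in msg.get_all("Received", []):
        match = ENVELOPE_FROM.search(received)
        if match:
            return "Received", match.group(1)
    return None


def candidate_headers(raw):
    """Non-default headers whose name suggests they carry the envelope sender."""
    msg = message_from_string(raw)
    defaults = {name.lower() for name in DEFAULT_HEADERS}
    return [name for name in msg.keys()
            if name.lower() not in defaults and LOOKS_LIKE_ENVELOPE.search(name)]


if __name__ == "__main__":
    print("default lookup:  ", envelope_sender(SAMPLE))
    print("candidates:      ", candidate_headers(SAMPLE))
    print("with header set: ", envelope_sender(SAMPLE, "X-SA-Exim-Mail-From"))
```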
USER_IN_SPF_WHITELIST not firing
After seeing all the SPF discussion lately I decided to actually ask you guys about this problem. I have many whitelist_from_spf entries where I usually keep my whitelist entries. For some reason, I have never seen a hit on USER_IN_SPF_WHITELIST. I have received plenty of emails that I believe should have hit. Here are some example entries:

whitelist_from_spf [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]
whitelist_from_spf [EMAIL PROTECTED]

After further investigation I notice that I have plenty of SPF_HELO_* hits, but no SPF_* hits. I assume this issue is probably related to the other. What is the difference between SPF_HELO rules and the plain SPF versions? Why would I not be seeing any hits on the non-HELO ones?

I have trusted_networks configured correctly. I have the plugin enabled and I see no errors with a spamassassin --lint -D. All the SPF dependencies are loaded. I am using SA 3.1 / sa-exim / exim 4.60 / Debian 3.1.

I really have no idea on how to proceed from here. How does one test the SPF tests and get debug output on it?

Here is some debug output that may or may not be useful:

/# spamassassin --lint -D 2>&1 | grep -i spf
[29944] dbg: diag: module installed: Mail::SPF::Query, version 1.997
[29944] dbg: config: read file /usr/share/spamassassin/25_spf.cf
[29944] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf
[29944] dbg: config: read file /etc/spamassassin/70_sare_whitelist_spf.cf
[29944] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[29944] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310)
[29944] dbg: plugin: registering glue method for check_for_spf_helo_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: spf: message was delivered entirely via trusted relays, not required
[29944] dbg: plugin: registering glue method for check_for_spf_neutral (Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: spf: message was delivered entirely via trusted relays, not required
[29944] dbg: plugin: registering glue method for check_for_spf_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: plugin: registering glue method for check_for_spf_pass (Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: plugin: registering glue method for check_for_spf_helo_softfail (Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: plugin: registering glue method for check_for_def_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: spf: cannot get Envelope-From, cannot use SPF
[29944] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
[29944] dbg: plugin: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: plugin: registering glue method for check_for_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x92ea310))
[29944] dbg: spf: spf_whitelist_from: could not find useable envelope sender

Thanks,
Kris
RE: Ohya
Well, to make matters interesting, Outlook makes www.rektoky a hyperlink. Click on it and IE and Firefox will both add the .com. Voila! You have a spam address that makes it through every time.

Kris

Sent to Nix only previously, meant to send this to the list.

-----Original Message-----
From: Nix [mailto:[EMAIL PROTECTED]
Sent: Monday, January 09, 2006 9:59 AM
To: jdow
Cc: users@spamassassin.apache.org
Subject: Re: Ohya

On Sun, 8 Jan 2006, [EMAIL PROTECTED] announced authoritatively:
> From: [EMAIL PROTECTED]
> ===8<---
> Make it happen! Here : www.rektoky ,ohya add .com ^_^
> ===8<---
[...]
> Well Raymond. it's no good if it's listed in uribl if the url does not parse as a url. That's the point.

Good grief, was that mess supposed to be read as `www.rektoky.com'? I can't see how anyone would read it as that, nor how they could expect to get any custom (assuming that's what they're aiming for, as opposed to virus drops or testing spamware or something).

One of the goals in _A Plan for Spam_ has certainly been achieved: the spammers are having to obfuscate their dubious `messages' so much that they no longer make any great degree of sense.

--
`I must caution that dipping fingers into molten lead presents several serious dangers.' --- Jearl Walker
RE: updating WIKI -- InstallingOnWindows
Steven, anyone can update the wiki, you just have to have an account. Just create an account and click edit. At least that seems to have worked for me.

Kris

-----Original Message-----
From: Steven Manross [mailto:[EMAIL PROTECTED]
Sent: Monday, January 09, 2006 10:10 AM
To: spamassassin-users
Subject: updating WIKI -- InstallingOnWindows

Would anyone with access update the WIKI for Windows, please? Namely, http://wiki.apache.org/spamassassin/InstallingOnWindows

90% of the way down... (the following command throws errors -- %%f was unexpected at this time)

for %%f in (*.*) do call pod2html %%f --outfile \perl\html\site\lib\mail\spamassassin\plugins\%%f.html --quiet

s/b

for %f in (*.*) do call pod2html %f --outfile \perl\html\site\lib\mail\spamassassin\plugins\%f.html --quiet

(tested on Windows 2000 and 2003)

Other than that, the WIKI is very good as I just used it to install SA on a system here last night (and obviously this is for plugin documentation only).

Thanks,
Steven
RE: Ohya
Well, scratch that on IE 6.0, but it definitely happens in Firefox 1.5 with no extensions installed. I can watch Firefox try .com for any unknown URL before returning an error. I've tested this on 4 machines to be sure. We do not use any proxies. Either way, as you said lots of people will type .com anyway.

Kris

-----Original Message-----
From: mouss [mailto:[EMAIL PROTECTED]
Sent: Monday, January 09, 2006 1:32 PM
To: Kristopher Austin
Cc: users@spamassassin.apache.org
Subject: Re: Ohya

Kristopher Austin wrote:
> Well, to make matters interesting, Outlook makes www.rektoky a hyperlink. Click on it and IE and Firefox will both add the .com. Voila! You have a spam address that makes it through every time.

not here. what versions of IE and firefox are you using? Both return an error here. Are you using a broken proxy?
RE: Default score for UPPERCASE_75_100
grep "score UPPERCASE_75_100" /usr/share/spamassassin/50_scores.cf
score UPPERCASE_75_100 1.394 1.040 0.809 1.371

-----Original Message-----
From: Fran Fabrizio [mailto:[EMAIL PROTECTED]
Sent: Friday, January 06, 2006 2:52 PM
To: users@spamassassin.apache.org
Subject: Default score for UPPERCASE_75_100

What's the default score for UPPERCASE_75_100? This test does not appear to be documented at http://spamassassin.apache.org/tests_3_1_x.html.

I am examining a mail to figure out why it got a false positive. User has no user_prefs or even .spamassassin directory. If the default is 0, where else might this be set? This is the last test I can't account for, and the score is still 1.2 or so higher than the sum of the rest of the tests that hit.

Setup is spamassassin 3.1.0 invoked through amavisd on a linux postfix server.

Thanks,
Fran

--
Fran Fabrizio
Senior Systems Analyst
Department of Computer and Information Sciences
University of Alabama at Birmingham
http://www.cis.uab.edu/
205.934.0653
RE: Scoring for MAPS
-----Original Message-----
From: Kai Schaetzl [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 7:54 AM
To: users@spamassassin.apache.org
Subject: Re: Scoring for MAPS

<snip>
> It would be interesting to know the nature of these 14 nonspam hits. As I said, if they were not spam but came from dynamic IP space I *do* consider them as unwanted. I haven't yet seen a complaint because of SBL+XBL. I use that plus safe-sorbs plus njabl and the only one, as explained above, that had a few problems was sorbs-spam which I discontinued.
<snip>
> Kai
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com

Kai,

I can't find any mention of safe-sorbs on sorbs.net. Does this list still exist? Can you point me in a direction to find it? I use SBL+XBL, but wanted to test hit rates with a couple of other recommended lists.

Also, you've given us a lot of information that I have found useful. However, I'd also like to know what your setup/scope is. What type of email volume do you receive? What's the diversity of your customer base?

Thanks,
Kris
Find unused rules
Does anyone have a script of some sort to find rules in /etc/spamassassin/*.cf that don't hit any email? Or is this a lot more complicated process than I realize? I have the SA log files since the beginning of time so all I need is a sophisticated script that will scan in all the rule names from /etc/spamassassin then search the logs (maybe for the last 2 weeks) and tell me which ones were never hit. I'll probably start hacking this; I just wanted to make sure no one else has already done a large portion of the work. Even small portions of work would save me some time. Thanks, Kris
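An added example, not part of the original post: one way to do the scan described above in Python, collecting rule names from .cf files and subtracting every rule seen in spamd "result:" log lines. The log line format, the /etc/spamassassin path in the command-line part and the sample rules and log lines are assumptions or constructed; sub-rules (names starting with __) and rules scored 0 are left out of the report because they never appear in the logs.

```python
import glob
import re
import sys
from collections import Counter

# Rule-defining keywords in .cf files; the token that follows is the rule name.
RULE_DEF = re.compile(r"^\s*(?:header|body|rawbody|full|uri|meta)\s+(\w+)")
SCORE_DEF = re.compile(r"^\s*score\s+(\w+)\s+(\S.*)$")
# Assumed spamd log line: "... spamd: result: Y 7 - RULE_A,RULE_B scantime=..."
RESULT = re.compile(r"spamd: result: [Y.] -?\d+ - (\S*) scantime=")

# Constructed sample rule file and log lines (not taken from a real system).
SAMPLE_CF = r"""# constructed local rules
header   LOCAL_SUBJ_OFFER   Subject =~ /special offer/i
score    LOCAL_SUBJ_OFFER   1.5
body     LOCAL_OLD_PHRASE   /act now before midnight/i
score    LOCAL_OLD_PHRASE   2.0
uri      __LOCAL_URI_PART   /example\.invalid/
meta     LOCAL_META_COMBO   (__LOCAL_URI_PART && LOCAL_SUBJ_OFFER)
body     LOCAL_DISABLED     /retired/i
score    LOCAL_DISABLED     0
"""
SAMPLE_LOG = """\
Feb 10 09:16:02 gw spamd[2201]: spamd: result: Y 7 - HTML_MESSAGE,LOCAL_SUBJ_OFFER,RAZOR2_CHECK scantime=2.1,size=3021
Feb 10 09:16:09 gw spamd[2201]: spamd: result: . 0 - HTML_MESSAGE,SPF_PASS scantime=0.9,size=1200
Feb 10 09:17:30 gw spamd[2203]: spamd: result: . -2 -  scantime=0.4,size=800
""".splitlines()


def scorable_rules(cf_text):
    """Rules defined in cf_text that can show up in a result line."""
    defined, disabled = set(), set()
    for line in cf_text.splitlines():
        line = line.split("#", 1)[0]            # the rule name precedes any '#'
        match = RULE_DEF.match(line)
        if match:
            defined.add(match.group(1))
            continue
        match = SCORE_DEF.match(line)
        if match:
            try:
                scores = [float(s) for s in match.group(2).split()]
            except ValueError:
                continue                        # not plain numbers; leave as is
            if all(s == 0 for s in scores):
                disabled.add(match.group(1))    # score 0 turns the rule off
            else:
                disabled.discard(match.group(1))
    return {r for r in defined if not r.startswith("__")} - disabled


def hit_counts(log_lines):
    """Count how often each rule name appears in spamd result lines."""
    hits = Counter()
    for line in log_lines:
        match = RESULT.search(line)
        if match and match.group(1):
            hits.update(match.group(1).split(","))
    return hits


def unused_rules(cf_texts, log_lines):
    """Sorted names of scorable rules that never appear in the given logs."""
    return sorted(scorable_rules("\n".join(cf_texts)) - set(hit_counts(log_lines)))


if __name__ == "__main__":
    # Usage: pass only the log files for the window of interest (e.g. two weeks).
    cfs = [open(p, errors="replace").read()
           for p in sorted(glob.glob("/etc/spamassassin/*.cf"))]
    logs = (line for p in sys.argv[1:] for line in open(p, errors="replace"))
    for name in unused_rules(cfs, logs):
        print(name)
```

A rule that only fires inside a meta rule still shows as unused here, so check meta dependencies before removing anything.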
untdmarketing.com
I need some help. What do you guys know about untdmarketing.com? About a month ago I started receiving several dozen messages from them a week. SA 3.0 with SURBL, URIBL, and SARE rules does not catch them. The emails seem like requested advertising. There are even unsubscribe links at the bottom. However, since I don't have a NetZero account, there is no way for me to unsubscribe.

Any ideas? Can you help me build a rule to block these? I've attached a copy of the message with headers and I have dozens more. They all follow this same format.

Thanks,
Kris

Microsoft Mail Internet Headers Version 2.0
Received: from gateway4.oc.edu ([205.143.222.13]) by fsmail.oc.edu with Microsoft SMTPSVC(6.0.3790.211);
  Mon, 10 Oct 2005 20:59:28 -0500
Received: from spf10.us4.outblaze.com ([64.71.166.199])
  by gateway4.oc.edu with smtp (Exim 4.50) id 1EP9QC-0007TV-EN
  for [EMAIL PROTECTED]; Mon, 10 Oct 2005 20:59:28 -0500
Received: from mta.support.untdmarketing.com (mta.support.untdmarketing.com [65.167.67.211])
  by spf10.us4.outblaze.com (Postfix) with ESMTP id ECF1353665
  for [EMAIL PROTECTED]; Tue, 11 Oct 2005 01:57:45 + (GMT)
X-MID: [EMAIL PROTECTED]
Date: Mon, 10 Oct 2005 21:59:12 -0400 (EDT)
Message-Id: [EMAIL PROTECTED]
From: BIDZ [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=000
X-SA-Exim-Connect-IP: 64.71.166.199
X-SA-Exim-Rcpt-To: [EMAIL PROTECTED]
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
Subject: Bidding on Jewelry has never been more fun 50 towards your first item
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on gateway4.oc.edu
X-Spam-Level: **
X-Spam-Status: No, score=2.4 required=5.0 tests=FR_BR_AFTER_HTML,
  HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_TEXT_AFTER_BODY,
  HTML_TEXT_AFTER_HTML,MONEY_BACK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK
  autolearn=disabled version=3.0.3
X-SA-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
X-SA-Exim-Scanned: Yes (on gateway4.oc.edu)
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 11 Oct 2005 01:59:28.0589 (UTC) FILETIME=[69D99FD0:01C5CE07]

--000
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--000
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

--000--

html head titleOnline Jewelry Auction :: Everything starts at $1 only, No reserve!/title/head
center
body bgcolor=#FF leftmargin=0 topmargin=20 marginwidth=0 marginheight=0center
table width=600 height=400 border=0 cellpadding=0 cellspacing=0
trtd a href=http://support.untdmarketing.com/cgi-bin15/DM/y/nUZQ0ESJn30Cfe0Kux0Eu; img src=http://nztv.untd.com/webads/24642/600x400_auctions96_01.jpg; width=600 height=99 border=0 alt=/a/td/tr
trtd a href=http://support.untdmarketing.com/cgi-bin15/DM/y/nUZQ0ESJn30Cfe0Kux0Eu; img src=http://nztv.untd.com/webads/24642/600x400_auctions96_02.jpg; width=600 height=110 border=0 alt=/a/td/tr
trtd a href=http://support.untdmarketing.com/cgi-bin15/DM/y/nUZQ0ESJn30Cfe0Kux0Eu; img src=http://nztv.untd.com/webads/24642/600x400_auctions96_03.jpg; width=600 height=109 border=0 alt=/a/td/tr
trtd a href=http://support.untdmarketing.com/cgi-bin15/DM/y/nUZQ0ESJn30Cfe0Kux0Eu; img src=http://nztv.untd.com/webads/24642/600x400_auctions96_04.jpg; width=600 height=82 border=0 alt=/a/td/tr
/tablebr
a href=http://support.untdmarketing.com/cgi-bin15/DM/y/nUZQ0ESJn30Cfe0Jzb0Ec;img src=http://nztv.untd.com/webads/24642/copy.gif; border=0/a
/body /center
IMG SRC=http://support.untdmarketing.com/cgi-bin15/flosensing?z=UZQ0ESJn30Cfe0Dt;/html
html br center br center font face=Arial,Helvetica,Geneva,Swiss,SunSans-Regular size=1 color=#66 - br br
You are receiving this e-mail from a NetZero partner because you requested e-mail offers in your NZ member profile. br br
If you would like to unsubscribe from future e-mails like these from NetZero, please click a href=http://support.untdmarketing.com/cgi-bin15/DM/y/nUZQ0ESJn30Cfe0Hie0EM; here/a to update your future preferences. br br
Please understand that by unsubscribing from the advertisers e-mail list you will be passing your e-mail address to that advertiser. br br
If you are not a NetZero member, please click a href=http://support.untdmarketing.com/cgi-bin15/DM/y/nUZQ0ESJn30Cfe0H5V0EF[EMAIL PROTECTED] here/a. br br
NetZero, Inc. BR A United Online Company BR PO Box 397 br Woodland Hills, CA 91365-0397br -- br/c /font /CENTER /body /html
RE: Exchange public folders - who is copying?
John, If you view the Public Folder using Outlook just add the column Changed By using Field Chooser. That should be the person that copied it there. I hope that helps. Kris -Original Message- From: Stewart, John [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 20, 2005 1:33 PM To: 'users@spamassassin.apache.org' Subject: OT: Exchange public folders - who is copying? Mostly OT, but I know some others on here are doing the same thing as I on their Exchange systems (using public folders as repositories for sa-learn). I've posted to an Exchange newsgroup, but thought it was worth throwing out here to see if anyone has an idea. We are running Exchange 5.5. We have a few public folders for users to copy email to, to train our anti-spam system (SpamAssassin) in the case of false positives or negatives. Someone is copying emails there that are misclassified, and I'm having a heck of a time figuring out who it is. Is there any way to find out who is copying to a public folder? The SMTP logging on the messages only indicate that the final recipient before hitting Exchange was to a group. No one from this group is owning up to it. Using the Folder Assistant, I've got the folders set up to email me whenever someone copies a file there, and include a copy of the message. However, this doesn't show in any way *who* did it. I've tried setting up also the Folder Assistant to reply (and CC me). However, this replies to the original sender of the email, *NOT* the person who is copying the email to the public folder. Does anyone have any bright ideas? johnS
RE: debug output to file?
spamassassin -D -t test2.txt 2>test2.out would work. In *nix environments you just choose the level by putting the number in front of the redirect. This should help you get up to speed on Linux I/O redirection: http://www.cpqlinux.com/redirect.html

Kris

-Original Message-
From: Mike Schrauder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 07, 2005 9:42 AM
To: users@spamassassin.apache.org
Subject: debug output to file?

pardon my complete unix ignorance, I have been trying to figure out how to get debug output to a file so I can go back and look at it. I also want to look at the marked up email w/ report so I am using this:

spamassassin -D -t test2.txt > test2.out

How could I also redirect the debug output to a file. I've also tried

spamassassin -D -t test2.txt > test2.out | more

just so I could look, but that doesn't work. Can you give a windows user a clue? TIA

Mike Schrauder
Specialty Blades, Inc.
RE: Mail/Spam Stats and MRTG
Here are a couple of files that we use to get the stats we need. The glmrtg.pl script counts the number of lines containing the requested text in the last five minutes (configurable). I didn't write this script. I'm not even sure where it came from. I think it might have come with the mrtg distro. The mrtgspam script just outputs the necessary lines in mrtg format. I hope this helps. Kris -Original Message- From: Jake Colman [mailto:[EMAIL PROTECTED] Sent: Monday, June 06, 2005 10:21 AM To: users@spamassassin.apache.org Subject: OT: Mail/Spam Stats and MRTG Does anyone have any suggestions for using mrtg to produce a graph showing the amount of received email and how much of it was flagged as spam? I am using mrtg, sendmail, and procmail on all the same server. Thanks! ...Jake -- Jake Colman Sr. Applications Developer Principia Partners LLC Harborside Financial Center 1001 Plaza Two Jersey City, NJ 07311 (201) 209-2467 www.principiapartners.com glmrtg.pl Description: glmrtg.pl mrtgspam Description: mrtgspam
RE: Dump stats into mysql?
I'm definitely interested in such a script. Thanks, Kris -Original Message- From: Kevin Peuhkurinen [mailto:[EMAIL PROTECTED] Sent: Friday, June 03, 2005 6:37 AM To: users@spamassassin.apache.org Subject: Re: Dump stats into mysql? MIKE YRABEDRA wrote: Hello, I am running a couple stats scripts that output info every day. Does anyone have a script that ( or know of one ) that will dump the info in a mysql database for later processing? I don't know what format you are doing the output in, but I have a script that I use to tail my amavisd log file and dump a bunch of info into a MySQL db. You might be able to modify it for your purposes. Let me know if you are interested.
RE: At wit's end - SA is *still* tagging list traffic!
Thomas,

You can do one of two things:

whitelist_to users@spamassassin.apache.org

or

whitelist_from_rcvd [EMAIL PROTECTED] apache.org

I prefer the latter. Notice the correct format as opposed to what you used. Make sure to restart SA after performing a --lint.

Kris

-Original Message-
From: Thomas Cameron [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 02, 2005 4:32 PM
To: users@spamassassin.apache.org
Subject: At wit's end - SA is *still* tagging list traffic!

All - I have added these to my local.cf:

whitelist_from_rcvd [EMAIL PROTECTED]

But I am still seeing list traffic with spam samples being tagged. Can someone please tell me what on Earth I need to do to tell SA to ignore anything on this list? Procmail rules are not an option - I use SA on a relay server which uses a milter.

Thanks
Thomas
RE: whitelist
Ronan,

whitelist_from hits on the from header. This list sets the from header to the person sending the email (as it should). Therefore your whitelist_from entries won't work as you have them. I use whitelist_from_rcvd instead. This is my entry for this list:

whitelist_from_rcvd [EMAIL PROTECTED] apache.org

There might be a better way, but I'm not worried about getting spam from any of apache.org servers.

Kris

-Original Message-
From: Ronan McGlue [mailto:[EMAIL PROTECTED]
Sent: Friday, May 27, 2005 7:39 AM
To: users@spamassassin.apache.org
Subject: whitelist

I think I may be overlooking something to do with the white list here... I like a lot of you regularly get SA list traffic being diverted to the junk folder.. mydomain.com as a main focus in our examples... So step in whitelist_from

Running sitewide (atm) for a university (may soon switch to departmental scanning... but in the local.cf file I have the following

whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] *.apache.org *.exim.org

but list traffic is still coming in with spammy scores...

/usr/share/spam../50_sco... score USER_IN_WHITELIST -100.000

what gives???

--
Regards
Ronan McGlue
Info. Services QUB
RE: SA Gateway - MS Exchange -- what if MSE down?
Tony,

Your main question has already been answered, but I noticed something in your proposed setup that concerns me. You state in your diagram that you plan to have the MSE box as the secondary MX record. This would not be a good idea. From experience, we have seen that spammers try the secondary MX first in hopes of finding a server that is not protected by a spam scanner. This obviously would not be what you want to happen.

Kris

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Tony pace
Sent: Friday, May 27, 2005 10:05 AM
To: users@spamassassin.apache.org
Subject: SA Gateway - MS Exchange -- what if MSE down?

we are looking to implement SA in our environment this best describes what we want to do.

[SPAM/HAM] -- [ SA GATEWAY]              - [MS EXCHANGE]
              - system wide filtering    - all user mailboxes
              - postfix transport        - MX SEC RECORD
              - MX PRI record

the question that was posed --- if the MS Exchange is not accessible (network issue, down for maintenance) -- what happens to the email?

My best understanding is the email will be rejected as mail-server not available, as SA is a filter not an MTA and that Postfix is a check/forwarding agent (not store forward). Would I be correct in assuming, in the event that if MS Exchange was down, in order to store mail -- I would need to have a backup MTA with all the users mailboxes replicated?

Thanks,
Tony
RE: Blacklists entries not getting blocked
The email you attached a couple posts ago shows that you are. There was this line in it:

X-Spam-Level: **

Kris

-Original Message-
From: Antonio DeLaCruz [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 28, 2005 6:39 PM
To: martin smith
Cc: Spamassassin
Subject: RE: Blacklists entries not getting blocked

I actually don't know if I'm using the * in the headers. How do I check that?

Thanks,
Antonio DeLaCruz

Quoting martin smith [EMAIL PROTECTED]:

-Original Message-
From: Antonio DeLaCruz [mailto:[EMAIL PROTECTED]
Sent: 28 April 2005 23:12
To: Pettit, Paul
Cc: users@spamassassin.apache.org
Subject: RE: Blacklists entries not getting blocked

Attached is a file that contains the header information and the preview of the message as spamassassin modified it. From the body of the e-mail, you can clearly see that it is looking at my blacklist, it just isn't doing anything with it. Well, after ramming my head into the wall to knock some sense into me, I think that I know why it isn't. My .procmailrc file isn't doing anything with it. Now, that means to me that spamassassin does nothing more than assign a score to the e-mail and that procmail does the actual filtering and deletion. So, what it seems to me is that 1) the black list in the user_prefs file is totally useless since you could easily put this in your .procmailrc file:

:0:
* ^From:.*badaddress\.com
/dev/null

or 2) there has to be a way in the .procmailrc file to send to /dev/null anything that has a score over a certain value. I'm not finding anything on how to do that, so if you know, that would be much appreciated. My only other option is to take the listings in my blacklist and run them through a perl script to re-write them to go into my procmailrc file. But, something tells me that the processing would take longer if my mail server had to parse through a huge procmailrc file.

This will send anything over 15 points to /dev/null, assuming ur using the * in the headers.

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null
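The condition in the quoted X-Spam-Level recipe, modelled in Python as an added example (not code from the thread) to show which messages it would send to /dev/null: the pattern has no end anchor, so it means "15 stars or more", and procmail's default header-only, case-insensitive matching is reproduced here. The sample messages and function names are constructed for the illustration.

```python
import re

STARS = 15  # threshold used by the recipe quoted in the thread

# procmail conditions are egrep-style regexes, case-insensitive unless the
# D flag is set, and matched against the header only unless the B flag is set.
# SpamAssassin's X-Spam-Level carries one star per whole point of score.
LEVEL_RE = re.compile(r"^X-Spam-Level: " + r"\*" * STARS, re.I | re.M)


def header_of(raw):
    """Return the header block: everything before the first empty line."""
    return raw.replace("\r\n", "\n").split("\n\n", 1)[0]


def star_count(raw):
    """Stars in the first X-Spam-Level header, or None if the header is absent."""
    m = re.search(r"^X-Spam-Level:[ \t]*(\**)", header_of(raw), re.I | re.M)
    return len(m.group(1)) if m else None


def recipe_drops(raw):
    """True when the recipe's condition matches, i.e. the mail would be discarded."""
    return bool(LEVEL_RE.search(header_of(raw)))


def make_message(level, body="hello"):
    """Build a constructed sample mail; level=None leaves the header out."""
    lines = ["From: sender@example.com", "Subject: constructed sample"]
    if level is not None:
        lines.append("X-Spam-Level: " + level)
    return "\n".join(lines) + "\n\n" + body + "\n"


# Constructed samples, one per case worth checking before trusting the recipe.
SAMPLES = {
    "score_15": make_message("*" * 15),   # exactly at the threshold
    "score_22": make_message("*" * 22),   # above it: still matches (no end anchor)
    "score_14": make_message("*" * 14),   # just below
    "clean": make_message(""),            # scanned, score below 1
    "unscanned": make_message(None),      # header missing: must be delivered
    "body_decoy": make_message("**", body="X-Spam-Level: " + "*" * 20),
}


def triage(samples=SAMPLES):
    """Map each sample name to whether the recipe would drop it."""
    return {name: recipe_drops(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, dropped in triage().items():
        stars = star_count(SAMPLES[name])
        print(f"{name:11} stars={stars!s:4} -> {'/dev/null' if dropped else 'deliver'}")
```

The "unscanned" and "body_decoy" cases are the ones to test against a real .procmailrc: mail that bypassed the scanner is delivered, and star runs in the body do not count unless the recipe is given the B flag.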
RE: Testing new rules with lint
I could be wrong, but I believe spamd is only used for spamc. If you are using spamassassin, it loads the files every time. At least, that's what I've understood the difference to be between spamd/spamc and spamassassin. If I'm wrong, I do apologize. I'm sure you'll get a more official response shortly.

Kris

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, April 01, 2005 12:47 AM
To: users@spamassassin.apache.org
Subject: Testing new rules with lint

If I create new rules in cf files I must restart spamd to test these new rules with spamassassin --lint

Is there another way to check each rule before restarting spamd? What happens if I restart spamd and a message is in the queue or filtering process (SA)?

I'm using Postfix 2.1 with pers-user config on Mysql
RE: Spammed to death
Nate, I'm sure there are some good SARE rules for this. Go to http://www.rulesemporium.com for some good custom made rules. I know there is antidrug.cf which contains many Pharm phrases. Kris -Original Message- From: Nate [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 22, 2005 9:35 AM To: users@spamassassin.apache.org Subject: Spammed to death Hello, I'm using spamassassin 2.64 on Debian Woody. My clients emails are getting clobbered by Pharma spam. The messages seem to be using different encoding on words like Viagra, Cialis and sa is not picking them up. I've tried setting up header and body tests, but the bastards at Pharma keep changing the words spellings. Here is the typical email I get from these morons. Notice the missing letters Vicodin, Viagra, Xanax, and Cialis. In my email client Microsoft Outlook displays all the letters. However, if I copy and paste the message into a text editor the letters disappear. How do I kill these messages? I've tried sa-learn spam on several messages, but they still keep coming through with almost no spam points. Please help I am so sick of this! Thanks, Nate From: Esaias Billings [mailto:[EMAIL PROTECTED] Sent: Monday, February 21, 2005 11:04 PM To: Xzavier Rivera Subject: Re: Best Mediccations Hello, Welcome to the best ONLINE ST0RE. Vi in $178(90p.) a a $209(100p.) ana al cod Vi gr X x $299(90p.) Ci is $324(90p.) With each purchase you get: Home delivery. Secure pay. Total confidentiality Reputable manufacturerrs. Have a nice day!
RE: Resending mail Outlook still strips out headers
In all versions of outlook that I can remember using all you have to do is drag-and-drop the message from outlook into a new message. This creates an exact copy including headers as an attachment. Kris -Original Message- From: Rob MacGregor [mailto:[EMAIL PROTECTED] Sent: Monday, December 13, 2004 11:54 AM To: users@spamassassin.apache.org Subject: Re: Resending mail Outlook still strips out headers On Mon, 13 Dec 2004 11:53:11 -0500, Kris Deugau [EMAIL PROTECTED] wrote: OE does one thing that Outlook, for whatever stupid reason, does not do. It allows you to forward a message as an attachment - ie, the ENTIRE RFC822 email message received via POP3 will be wrapped in a MIME part without any manglement I've ever seen. Outlook (of most versions) can't do this - or at least, can't do it very easily. I can't imagine why. (Neither can Eudora. But Eudora is a basket^Wspecial case anyway. g) Well, Outlook 2003 does it if you select to forward the message as an attachment. It then forwards the mail as is as an attachment. I can't speak for older versions as I don't have any to hand to test with. -- Please keep list traffic on the list. Rob MacGregor Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
RE: Spamassassin on an E-Mail Gateway
You've gotten some good responses, but like Chris I will share my experiences: We use Exim4 with sa-exim. Sa-exim also adds some greylisting abilities. More importantly, Exim4 has LDAP query abilities so we can query our Active Directory before accepting a recipient. This is essential in our situation since we are a university and have a very high turnover in email addresses. My logs show that over 60% of our incoming email is to invalid addresses. If it wasn't for LDAP queries, we would have scanned all that email for spam and viruses and then let the Exchange servers drop the bad addresses. Out of curiosity, does anyone know what other MTAs might support LDAP queries? Have fun! Kris -Original Message- From: Jon Dossey [mailto:[EMAIL PROTECTED] Sent: Monday, November 22, 2004 8:59 AM To: users@spamassassin.apache.org Subject: Spamassassin on an E-Mail Gateway Redhat FC2, sendmail 8.13.1, and spamassassin 3.0.1 (spamc/spamd) Can't invoke spamassassin via procmail, since no mail is delivered locally, just relayed to an exchange server. What are my options? I've seen MIMEDefang and spamassass-milter (which won't compile on my completely generic redhat fc2 box). Are those my only real options? Thanks, Jon Dossey DELTA HEALTH GROUP __ The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers.
RE: Question on using SpamAssassin at a college?
Matt,

We've used SA for over two years now with settings similar to others that have replied. You should be fine with a stock SA 3.0.1 install. We greylist (you'll need other programs to do that) between 3 and 10, tag as spam at 5 and delete at 10. I've never had one complaint about a lost email in that time. Roughly 65-70% of our incoming email is 10+ spam and is deleted on the spot.

Kris

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 1:36 PM
To: users@spamassassin.apache.org
Subject: Question on using SpamAssassin at a college?

Hi,

Does anyone have experience with using spamassassin and rule sets at a college environment? We'd like to block just mail that is one hundred percent spam, and not risk blocking false positives. Any thoughts or ideas?
RE: FN's with 3.0.0
I went ahead and clicked the link and it is apparently a redirect to a redirect to a redirect before it finally lands at http://www.wherechristiansmeet.com/index.php?affil=1529-CS0930F . I'm not sure what to do from there.

Kris

-Original Message-
From: Gregory Zornetzer [mailto:[EMAIL PROTECTED]
Sent: Friday, October 01, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: Re: FN's with 3.0.0

Hi Ed,

On Fri, 1 Oct 2004, Ed Kasky wrote:

I have had 13 FN's since upgrading to 3.0.0 on Sunday. This is a substantial increase from the one or two I used to get weekly. I have included the text of the most recent one below. They are all scoring between 3 and 4 and are all formatted pretty much like this one.

snipped

-- Forwarded message --
Return-Path: [EMAIL PROTECTED]
Received: from moxmail06.flawlessorganization.com (moxmail-1-41.flawlessorganization.com [64.237.3.41]) by wrenkasky.com (8.12.11/8.12.11) with ESMTP id i91CaWps022097

moxmail-1-41.flawlessorganization is a real address, so the header doesn't look like it was forged. Maybe this was sent with legitimate bulk-mailing software, whereas SpamAssassin really goes after spams with obfuscated headers and return addresses.
for [EMAIL PROTECTED]; Fri, 1 Oct 2004 05:36:33 -0700 Received: from flawlessorganization.com (localhost.localdomain [127.0.0.1]) by moxmail06.flawlessorganization.com (Postfix) with ESMTP id 02C806710D54D for [EMAIL PROTECTED]; Fri, 1 Oct 2004 05:36:15 -0700 (PDT) MIME-Version: 1.0 From: Christian Singles [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Meet quality Christians Message-Id: [EMAIL PROTECTED] Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 7bit Date: Fri, 1 Oct 2004 05:36:15 -0700 (PDT) X-Spam-Status: No, score=3.7 required=6.9 tests=ALL_TRUSTED,BAYES_60, DCC_CHECK,EVILNUMBER_A_2XX_1,EXCUSE_6,SARE_SXLIFE autolearn=no version=3.0.0 X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on yoda2.wrenkasky.com X-Spam-Level: *** There's also not a bunch of HTML tags or weird words and phrases at the beginning, so it passes through most of the rules. The website appears to be in the USA, so perhaps this is one of the few bulk emailers who is fully CAN-SPAM compliant? Or maybe it's just the latest from the spammers... Use a CAN-SPAM compliant email to generate their lists of addresses from the remove requests. One thing that I did notice was that the domain flawlessorganization.com is literally 1 week old according to whois, created September 24, 2004. Perhaps someone could write a module that penalizes email from domains that have been created recently? This would give Bayes some time to catch up. Again, noting below that the web links are all for the same domain as the email came from. This is perhaps the least obfuscated spam that I've ever seen (at least recently). Are you Christian? Are you Single? We have the solution for you! At WhereChristiansMeet, you can meet like-minded Christians that are also single! This isn't an ONLINE dating site full of fake profiles! These are REAL PEOPLE just like you. Click the link below and meet someone REAL today! 
Click Here: http://flawlessorganization.com/r/2307/8223547/252408859574 -Greg
RE: Start an IP list to block?
It seems to me that Jeff is talking about a way of implementing what Chris is talking about. If not, then it still seems like a great compromise! I love the idea!

Kris

-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: Friday, September 10, 2004 9:44 AM
To: SURBL Discussion list; Spamassassin-Talk
Subject: Re: Start an IP list to block?

On Friday, September 10, 2004, 7:33:10 AM, Chris Santerre wrote:

From: Jeff Chan [mailto:[EMAIL PROTECTED]

On Thursday, September 9, 2004, 5:34:05 PM, Jeff Chan wrote:

My first pass at cleaning the resolved IP data would be to take the top 70th percentile of IP addresses and only use those to check domain resolved IPs to. It's not perfect, but it should cut down on the uncertainty.

I should add that this mostly applies to data where we have a constant feed of actual spam reports such as from SpamCop. It does not apply as strongly to data sources where we only have a unitary list of domains, for example where each domain appears once over the whole list. Though even there, it applies weakly, for example a dozen domains that all resolve to the same network probably could be used to bias future domains appearing in the same network towards list inclusion. But when you have a stream of reports about the *same domain*, then you can get better statistics about that domain or its resolved IP. There is simply more data to work with in more meaningful ways.

Holy confusion! I can't tell where you are on this subject now Jeff :) Are you saying, that if we get really good data like what was in my original post, and we keep the data in the 90th percentile area, then we might possibly be able to list the IP hosts and have SURBL check against it? If so..I'm up for that. Granted it would take a little more research than just a domain listing, but I think the benefits are very good. Especially if we keep it only high ranking IP offenders. I mean, we may add less than 50 IPs a year? Just the really nasty spammers.
If you're talking about adding resolved IP addresses to SURBLs, no we're not going to do that. :-( What I'm talking about is an internal process where we keep track of resolved IP addresses and use that to add new domains to SURBLs sooner if they resolve to a similar IP range (probably /24s). We would use the resolved IP addresses to add domains to sc.surbl.org and possibly other lists sooner. Most would probably get added on the first report. :-) http://www.surbl.org/faq.html#numbered Jeff C.
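The internal process Jeff describes (remember which /24s already-listed domains resolve into, and list a new domain after fewer reports when it resolves into a crowded /24) can be sketched as follows. This is an added example, not SURBL's code: the class and function names, the report thresholds and the sample domains and addresses are all assumptions constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

BASE_REPORTS = 5   # assumed: reports normally required before a domain is listed
CROWDED_AT = 12    # assumed, after the "dozen domains" in one network in the thread


def net24(ip):
    """The /24 containing an IPv4 address (raises ValueError on anything else)."""
    return ipaddress.IPv4Network(f"{ip}/24", strict=False)


class Neighbourhoods:
    """Internal bookkeeping only: the IP data is never published as a list."""

    def __init__(self):
        self._listed = defaultdict(set)   # /24 -> listed domains resolving there

    def record_listed(self, domain, ips):
        """Remember where an already-listed domain resolved."""
        for ip in ips:
            self._listed[net24(ip)].add(domain.lower())

    def density(self, ip):
        """Distinct listed domains seen in the /24 that contains ip."""
        return len(self._listed.get(net24(ip), ()))

    def reports_needed(self, ips):
        """Reports required to list a new domain resolving to ips.

        The busiest /24 among the resolved addresses decides: an unknown
        network keeps the base requirement, a crowded one drops it to 1.
        """
        worst = max((self.density(ip) for ip in ips), default=0)
        if worst >= CROWDED_AT:
            return 1
        return BASE_REPORTS - worst * (BASE_REPORTS - 1) // CROWDED_AT


def should_list(hoods, ips, reports):
    """Decide on a new domain given its resolved IPs and report count so far."""
    return reports >= hoods.reports_needed(ips)


def build_constructed_history():
    """Constructed history using documentation address ranges and .example names."""
    hoods = Neighbourhoods()
    for i in range(12):
        hoods.record_listed(f"pill{i}.example", [f"192.0.2.{10 + i}"])
    for i in range(6):
        hoods.record_listed(f"loan{i}.example", [f"198.51.100.{20 + i}"])
    return hoods


if __name__ == "__main__":
    hoods = build_constructed_history()
    for ip in ("192.0.2.200", "198.51.100.99", "203.0.113.5"):
        print(ip, "density", hoods.density(ip),
              "reports needed", hoods.reports_needed([ip]))
```

Only domains end up on the list, which matches Jeff's point that resolved IP addresses themselves are not added; a domain on shared hosting in a crowded /24 is the false-positive case this shortcut has to be checked against.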