Re: blacklisting a forger
On Sunday 2 August 2009, RW wrote:

On Sat, 1 Aug 2009 21:34:04 -0400 Terry Carmen te...@cnysupport.com wrote:

Of course it's blacklisted, but would you care to explain how rejecting mail from 59.184.51.13 helps, when the backscatter doesn't come from there?

According to the OP, that's the IP he received the message from.

No, he quoted the following:

Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in

as I already said: Received-From-MTA is a standard DSN field set by the MTA generating the DSN.

So it might perhaps be worthwhile to extract that field and test it against some RBLs?

--
Magnus Holmgren holmg...@lysator.liu.se
(No Cc of list mail needed, thanks)
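The check suggested in the reply above, as an added example (not code from the thread or from SpamAssassin): it pulls Received-From-MTA out of a DSN, resolves the name and forms the DNSBL query. The DSN text, the zone `dnsbl.example` and the resolver table helper are constructed for illustration; only the field value comes from the post.

```python
import email
import ipaddress
import socket

# Constructed sample DSN in RFC 3464 layout. Only the Received-From-MTA value
# is taken from the post; every other name and address is made up.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Received-From-MTA: dns;triband-mum-59.184.51.13.mtnl.net.in
Arrival-Date: Sat, 1 Aug 2009 12:00:00 +0000

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--b1--
"""


def received_from_mta(dsn_text):
    """Return (mta-name-type, mta-name) from the DSN, or None if absent."""
    msg = email.message_from_string(dsn_text)
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        payload = part.get_payload()
        # The parser normally yields one Message per header block; fall back
        # to parsing the raw text if it handed us a string instead.
        blocks = payload if isinstance(payload, list) else [
            email.message_from_string(payload)]
        for block in blocks:
            value = block.get("Received-From-MTA")
            if value:
                mta_type, _, name = value.partition(";")
                return mta_type.strip().lower(), name.strip()
    return None


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name that an IPv4 DNSBL is queried with."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def static_resolver(table):
    """Offline stand-in for DNS (hypothetical helper): dict lookup that fails
    with OSError, the base class of socket.gaierror."""
    def resolve(name):
        if name not in table:
            raise OSError("no such name: " + name)
        return table[name]
    return resolve


def dsn_origin_listed(dsn_text, zone, resolve=socket.gethostbyname):
    """Return (ip, listed) for the host named in Received-From-MTA, or None
    when the field is missing, is not a DNS name, or does not resolve."""
    field = received_from_mta(dsn_text)
    if field is None or field[0] != "dns":
        return None
    try:
        ip = resolve(field[1])
    except OSError:
        return None
    try:
        resolve(dnsbl_query_name(ip, zone))   # any answer means "listed"
    except OSError:
        return ip, False
    return ip, True
```

The field is written by the MTA that generated the DSN, so the result is only as trustworthy as that MTA.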
Re: trust SMTP authenticated users
On Saturday 25 April 2009, Arthur Kerpician wrote:

Hi, I'm facing the following problem lately. Some of my users are connecting to the mail server (qmail) through mobile phones and the leased IPs from the GSM operator are blacklisted in spamhaus and spamcop. So, they are using the smtp server with spamassassin 3.2.5 but their messages are marked as spam and not delivered, since the rbl checks are positive. Is there a way to trust smtp authenticated users in SA?

It should happen automatically if the users authenticate with SMTP AUTH and the MSA signals it in the Received: field (e.g. Received: from ... with ESMTPSA ... instead of with ESMTP), but I don't know if Qmail does that (the official Qmail isn't exactly known as the most modern mail server). Otherwise I think you need to let a separate MSA, separate from the main MTA and included in trusted_networks but not in internal_networks, receive the users' mail, or arrange for a fake Received line, simulating this, to be inserted.

--
Magnus Holmgren holmg...@lysator.liu.se
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: SUBJ_ALL_CAPS anti-Asian (KS - SWC Ê)
On Saturday 18 April 2009, Benny Pedersen wrote:

On Sat, April 18, 2009 11:58, mouss wrote:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5859 please attach full headers to this ticket (feel free to obfuscate private infos).

subject seems imho bad in the way that it must be utf-8 encoded in the whole subject not just partly, i might of course be wrong changed subject here to see if squirrelmail make bugs :)

I'm not sure what you mean, but there can be any number of encoded-words in a field, using different encodings and character sets, and mixed with ordinary 7-bit text. See RFC 2047.

--
Magnus Holmgren holmg...@lysator.liu.se
(No Cc of list mail needed, thanks)
Re: Spam from windows live
On Wednesday 25 March 2009, Bowie Bailey wrote:

BAYES_50 means Bayes has no opinion, the score for that should be 0.

I've set the score for BAYES_50 to 0.7 (I could probably increase that) because in practice, almost all my ham is BAYES_00 or BAYES_01, so if a message scores 4.3 from other rules it's almost certainly spam unless it looks like previous ham. Conversely, if a message hits no other rules, a point or even two from BAYES_50 won't bring it anywhere close to the threshold. But this is on a personal mail server with a well-trained bayes database, and raising the score for BAYES_50 is basically equivalent to lowering the threshold, which is usually not recommended.

--
Magnus Holmgren holmg...@lysator.liu.se
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: Detecting the Registrar of the sending host?
On Friday 4 July 2008, Michele Neylon wrote:

On 3 Jul 2008, at 22:06, Marc Perkel wrote:

You can't spoof Forward Confirmed rDNS.

But you can't stop $bigcorporations PCs getting compromised either

You don't have to. As long as there is a non-zero correlation coefficient between some property of a mail message and its spamminess, you can assign a score. The correlation coefficient doesn't have to be 1 or -1 - in other words, the property, in this example the registrar of the domain of the remote host, doesn't have to be a perfect indicator of spam or ham. It's enough that mail from domains registered with some registrars are less likely to emit spam than others.

And I really love the way you completely ignored my example of gmail.com

Exceptions are possible to handle. After all, SpamAssassin is all about combining and adding many various rules.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Howto stop SPF_FAIL from internal network?
On Thursday 20 March 2008, Matus UHLAR - fantomas wrote:

you probably do not understand the internal_networks meaning. internal networks are only those (fully) under your control, trusted may not be under your control but you have to trust them

I'd say that internal_networks contain hosts that receive mail from random hosts for you, including secondary MXes. Even hosts handling mailing lists that you subscribe to, and other hosts that you have forward mail to you, may be worth adding, if you can trust them. The reason is that certain DNSBL rules check the address of the last external server that handled the mail, and the server you want to check in the case of list mail is not the list server but the server that delivered the mail to the list server.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: Confusing issue regarding SPF_FAIL and local delivery
On Sunday 23 September 2007 18:50, John D. Hardin wrote:

On Sun, 23 Sep 2007, Jari Fredriksson wrote:

SpamAssassin's trusted_network configuration caught my eye. What exactly does this do, and should I put my box's ip address in there?

Absolutely. You put all your internal servers and possible ISP servers there too. Trusted networks are networks and hosts that you trust are not generating spam.

Incorrect! trust means the Received: headers they generate are trusted to be accurate (i.e. not forged), **not** that those hosts are not originating spam!

No, Jari is correct. He also wrote And mostly, they will not tamper with email headers, that's what the trust is about., but you left that out. And hosts in trusted_networks *are* (mildly) trusted not to originate spam. That's what ALL_TRUSTED is about.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: bayes_seen = 256GB
On Thursday 20 September 2007 07:59, Graham Murray wrote:

Loren Wilton [EMAIL PROTECTED] writes:

If tokens are expired from the DB based on time, and assuming *all* tokens older than some date are expired, wouldn't it be reasonable to prune bayes_seen to the expiry date after the expiry run?

You cannot assume that all tokens earlier than some date have expired. A token (in bayes_token) is only expired when its last occurrence in an email was before the expiry interval. So it is perfectly possible for a token from the very first email ever learnt to still be in bayes years later.

It doesn't really matter whether the tokens have expired, I think. You probably don't want to relearn an old message anyway. The Bayes system can record the message date (e.g. from the top Received: field), expire messages older than a certain age, and refuse to learn older messages, unless explicitly overridden (for example when populating a clean bayes DB with an initial corpus).

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: SPF-Compliant Spam
Please use a MUA that indents quotes properly.

On Tuesday 28 August 2007 00:45, Rick Cooper wrote:

Forwarded mail isn't sent from my server. It is sent from the sender. I am relaying the message and it's not up to me to mangle the from address. The people who I forward to want the from address to be original.

Then your server(s) should be listed in their SPF records, problem solved. We list every host that could possibly end up sending mail on from any of our systems, that includes back up relays, etc. If you are sending mail for them you should be listed in their SPF records, easy enough.

That won't work here. Marc's customers are the mail recipients. They can't get all Marc's servers added to all SPF records in the whole world. There are two possible solutions: envelope sender rewriting or adjusting the SPF policy on the destination (meaning: adding Marc's servers as permitted senders for all domains (perhaps that was what you meant) or applying the SPF check to the server that delivered to Marc's servers, e.g. by adding Marc's server to internal_networks).

Stubbornly demanding that the envelope sender address be unmodified without adjusting the local policy is not going to work. It's the same thing as demanding that the envelope sender always be trusted by everybody, but we know that it can't be.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: SPF-Compliant Spam
On Monday 27 August 2007 14:59, Jason Bertoch wrote:

I think it's safe to say I'm not in the minority when I receive SPF-Compliant spam. I'm looking for opinions on what we can honestly derive from such messages regarding the sending server's IP and the sending address' domain name. Is it wise to blacklist both, or is this yet another case where SPF has failed to meet projections?

It is a fundamental property of electronic mail that new identities can be created almost infinitely often and no authentication scheme can do anything about that. The fact that the sender identity is not forged says nothing unless you trust that sender.

For spammers to be able to send SPF-authenticated spam using botnets, they usually have to authorize ridiculously large address blocks, for example with +all or +a:0.0.0.0/2 +a:64.0.0.0/2 +a:128.0.0.0/2 +a:192.0.0.0/2, so it's possible to check for that. Another approach is to add a few points for newly-registered domains, so called day-old bread.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
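One way to run the check for overly broad SPF authorizations mentioned in the post above, as an added example (not code from the thread or from SpamAssassin): it measures how much of the IPv4 space a record gives a "pass", following SPF's first-match order. The /8 cut-off is an assumption, and the post's `a:` spelling with a literal network is counted like `ip4:` so that its example record can be fed in unchanged.

```python
import ipaddress

IPV4_SPACE = 2 ** 32
# Assumed cut-off for "ridiculously large": more than a /8 worth of addresses.
OVERBROAD_FRACTION = 1 / 256


def _subtract(interval, decided):
    """Parts of `interval` not covered by the sorted, disjoint `decided`."""
    start, end = interval
    out = []
    for d_start, d_end in decided:
        if d_end < start or d_start > end:
            continue
        if d_start > start:
            out.append((start, d_start - 1))
        start = max(start, d_end + 1)
        if start > end:
            break
    if start <= end:
        out.append((start, end))
    return out


def _merge(intervals):
    """Sort intervals and join the ones that touch or overlap."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def spf_pass_coverage(record):
    """Return (fraction of IPv4 space that gets "pass", terms needing DNS)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    decided, passed, needs_dns = [], 0, []
    for raw in terms[1:]:
        qualifier, term = "+", raw
        if raw[0] in "+-~?":
            qualifier, term = raw[0], raw[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if "=" in name:                       # modifier (redirect=, exp=)
            if name.startswith("redirect="):
                needs_dns.append(raw)
            continue
        if name == "all":
            interval = (0, IPV4_SPACE - 1)
        elif name == "ip6":
            continue
        elif name in ("ip4", "a") and arg:
            try:
                net = ipaddress.IPv4Network(arg, strict=False)
            except ValueError:                # a:<domain> needs a DNS lookup
                needs_dns.append(raw)
                continue
            interval = (int(net.network_address), int(net.broadcast_address))
        else:                                 # a, mx, include, exists, ptr
            needs_dns.append(raw)
            continue
        # First match wins: only addresses no earlier mechanism has claimed.
        fresh = _subtract(interval, decided)
        if qualifier == "+":
            passed += sum(end - start + 1 for start, end in fresh)
        decided = _merge(decided + fresh)
        if name == "all":
            break
    return passed / IPV4_SPACE, needs_dns


def is_overbroad(record, limit=OVERBROAD_FRACTION):
    """True when the record passes more of the IPv4 space than `limit`."""
    fraction, _ = spf_pass_coverage(record)
    return fraction > limit
```

Terms returned in the second element (`include:`, `mx`, `redirect=` and so on) are not counted, so the fraction is a lower bound until those are resolved and fed through the same function.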
Re: SPF-Compliant Spam
On Monday 27 August 2007 15:26, Marc Perkel wrote:

Jason Bertoch wrote:

I think it's safe to say I'm not in the minority when I receive SPF-Compliant spam. I'm looking for opinions on what we can honestly derive from such messages regarding the sending server's IP and the sending address' domain name. Is it wise to blacklist both, or is this yet another case where SPF has failed to meet projections?

SPF breaks email forwarding. I haven't found anything I can't use it for that's useful.

SPF does not in itself break email forwarding. SPF tells MTAs where mail with certain senders may originate from. It's their job to know if the recipient forwards mail from the connecting host. It can be tricky, but it's not impossible in principle. Applying SPF without thinking is incompetent and will cause false positives.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: SPF-Compliant Spam
On Monday 27 August 2007 21:54, Marc Perkel wrote:

Magnus Holmgren wrote:

SPF does not in itself break email forwarding. SPF tells MTAs where mail with certain senders may originate from. It's their job to know if the recipient forwards mail from the connecting host. It can be tricky, but it's not impossible in principle. Applying SPF without thinking is incompetent and will cause false positives.

Yes it does break email forwarding because if you have restrictive SPF and it gets forwarded then the forwarding server isn't a valid server. Thus if the receiving server enforces SPF rules then it bounces the forwarded message.

That's precisely applying SPF without thinking. Anyone who does that should be fired, nuked or something worse.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: MS outlook can't read parsed email... HELP!!
On Monday 13 August 2007 07:12, Nigel Frankcom wrote:

[20:35] !JamesDR man, who ever wrote this ExchangeSpamC NEVER use option explicit, therefore almost all of his vars (that he didn't copy/paste from) weren't dimensioned

Sounds like Visual Basic... ;-P

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: Huge server load problem with Exim and SpamAssassin
Please do not abuse the subject line with excessive capitals and exclamation marks.

On Thursday 02 August 2007 15:14, Diego H. wrote:

Below is my spamassassin rules at exim, seems that SA is scanning everything and I want to limit the scanning size up to 100k, no more. I read that there is a rule called message_size but I don't know where to insert it in my config:

This is an Exim question, so please post further questions there. There is an expansion variable called $message_size. You can add something like

    condition = ${if <={$message_size}{200K}}

to the beginning of each warn statement to disable scanning of messages larger than (in this example) 200 KiB. Please read chapters 11 and 40-41 of the Exim specification to learn how your configuration works.

Thanks in advance!!

    warn condition = ${if eq {${acl_m0}}{1}{1}{0}}
         spam = ${acl_m1}/defer_ok
         log_message = SpamAssassin as ${acl_m1} detected message as spam
         add_header = X-Spam-Subject: ***SPAM*** $h_subject
         add_header = X-Spam-Status: Yes, score=$spam_score
         add_header = X-Spam-Score: $spam_score_int
         add_header = X-Spam-Bar: $spam_bar
         add_header = X-Spam-Report: $spam_report
         add_header = X-Spam-Flag: YES
         set acl_m2 = 1
    warn condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
         add_header = X-Spam-Status: No, score=$spam_score
         add_header = X-Spam-Score: $spam_score_int
         add_header = X-Spam-Bar: $spam_bar
         add_header = X-Spam-Flag: NO
         log_message = SpamAssassin as ${acl_m1} detected message as NOT spam
    deny condition = ${if eq {${acl_m0}}{1}{${if >{$spam_score_int}{100}{1}{0}}}{0}}
         log_message = The mail server detected your message as spam and has prevented delivery (100).
         message = The mail server detected your message as spam and has prevented delivery.

:super:

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: BAYES_99 and ham
On Thursday 26 July 2007 13:40, Joe Zitnik wrote:

Bump your BAYES_99 score.

And perhaps even define a BAYES_99_9 and/or BAYES_99_99 rule for bayes probabilities over 99.9% and 99.99%, respectively. I use

    body BAYES_99 eval:check_bayes('0.99', '0.999')
    body BAYES_999 eval:check_bayes('0.999', '1.00')
    describe BAYES_99 Bayesian spam probability is 99 to 99.9%
    describe BAYES_999 Bayesian spam probability is 99.9 to 100%
    score BAYES_99 6.5
    score BAYES_999 8

(with spam threshold at 5.0 and reject threshold (in SA-Exim) at 7.5).

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: How do you stop others from sending emails from your email addresses ?
Please start a new thread instead of using the Reply function when you have a new issue.

On Wednesday 25 July 2007 13:46, Chris wrote:

I constantly, (about 15-20 times a day), receive s**m emails from other people, but addressed from my email address. Is there any way of using SA to help on this in any way at all please ?

I'd say that it's easier/better to tell your MTA to reject mail from your address that is not authenticated or coming from the machines you use. Within SA, you can create a rule that matches if your mail address is found in one of the sender headers, and use whitelist_from_rcvd, whitelist_from_spf etc. to whitelist it. But unless you have used whitelist_from to whitelist your address (never do that!), spam using your address shouldn't slip through more often than other spam.

I want to stop myself from receiving them, but even more importantly, how do I stop someone from sending from my email address - can it be done please ?

You can publish SPF records saying that mail from your address always originates from certain IP addresses. You can deploy DKIM and publish DKIM records saying that mail from your address is always DKIM-signed. This won't directly stop others from abusing your email address, but sites verifying SPF or DKIM can tell when they get a forgery. You can also start PGP-signing your mail and tell your friends and other folks you correspond with not to trust unsigned or badly signed mail purporting to come from you.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: Why doesn't Spamassassin bounce spam?
Matt wrote:

I agree, bouncing that way is bad. Something I have thought about lately is rejecting. We have run ClamAV on Exim for years now. It scans messages at MTA time and rejects any that contain viruses. Does not 'really' bounce them just refuses them. There is talk of a mod to Exim to do same thing for high scoring spam. Sounds interesting.

Talk of a mod? It's been a standard feature for ages now. For even longer with SA-Exim.

--
Magnus Holmgren
Re: SA-Exim - not scanning local nets.
On Thursday 24 May 2007 14:28, Simon Avery wrote:

I have SA-Exim running and I want it to ignore any mail coming from local domains (ie, a 10.0.0/24 etc) because the users within these nets are complaining the sending delay is too big. I've tried following half a dozen rough guides, which assume a lot of knowledge of Exim by restricting by ACL, but they don't work for me.

Why don't they work for you?

The setting controlling whether SA-Exim contacts spamd or not is SAEximRunCond in /etc/exim4/sa-exim.conf. Since SA-Exim's configuration parser is very simple and doesn't allow line continuations, the condition can become rather unwieldy. For that reason, I recommend setting an ACL variable in Exim's ACLs. You should find an example in sa-exim.conf, or in sa-exim.conf.dpkg-dist if you have upgraded and opted to keep your own version of the configuration file.

You're invited to join the SA-Exim mailing list, [EMAIL PROTECTED] See http://lists.merlins.org/lists/listinfo/sa-exim

--
Magnus Holmgren [EMAIL PROTECTED] (Debian sa-exim maintainer)
(No Cc of list mail needed, thanks)
Re: spam forwarding
On Monday 21 May 2007 12:05, Mark || Stream Service wrote:

I did install it from source, but I only want to know if it is possible to change the spam assassin configuration for this forward.

No, SpamAssassin doesn't forward anything anywhere, it merely scans mail. You have to change the configuration of Exim or procmail or whatever you use.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: spam forwarding
On Sunday 20 May 2007 14:17, Mark || Stream Service wrote:

Is it possible to forward all spam on a server to an other mail account (on an other server) so I can look if there are any mistakes? Some system information:
- EXIM
- SPAM ASSASSIN (really nice tool)
- DEBIAN 3.1

Yes, various ways depending on exactly how you've set up your system. Please ask on [EMAIL PROTECTED] and provide more details on your configuration.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: spamassassin upgrade
On Sunday 20 May 2007 17:38, night duke wrote:

Currently i have this version of spamassassin SpamAssassin version 3.1.7-deb Can i update it to the last version? Apt-get or yum or howto?

There's no newer official version in Debian at this time (the maintainer seems to be temporarily away). You could use packages from Ubuntu instead, either by adding a suitable line to /etc/apt/sources.list, for example

    deb http://mirror.ox.ac.uk/sites/archive.ubuntu.com/ubuntu/ gutsy universe

or by downloading manually, for example from http://mirror.ox.ac.uk/sites/archive.ubuntu.com/ubuntu/pool/universe/s/spamassassin and installing with dpkg -i filename.

Be aware that you might need to write things in /etc/apt/preferences to prevent yourself from accidentally switching to Ubuntu versions of other packages. I also recommend that you get used to aptitude, which is more powerful than apt-get and has a UI.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available
On Friday 04 May 2007 15:20, Jack L. Stone wrote:

At 01:43 PM 5.2.2007 +0100, Justin Mason wrote:

Apache SpamAssassin 3.2.0 is now available! This is the official release, and contains a significant number of changes and major enhancements -- please use it! Downloads are available from: http://spamassassin.apache.org/downloads.cgi?update=200705021400

Any projection when SA-3.2 will be in the FBSD ports? Sent email to [EMAIL PROTECTED], but bounced back.

I'm wondering when there will be a new Debian version. Duncan and Jesus, do you need help?

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Per User
On Thursday 03 May 2007 12:50, Ali Hameed wrote:

I am using spamd on my linux system, I now want to give our users choice that they want to use spamd or not, if yes they can write their own rules, please help!

This is a very general question. What MTA do you have and how do you call spamd from it? Perhaps you know all that and are merely looking for this specific option: allow_user_rules. It has to be set to 1 to allow user rules. That's strongly discouraged though.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: SUBJECT_ENCODED_TWICE really wrong?
On Wednesday 25 April 2007 15:40, Andy Spiegl wrote:

afaik no, but other things which spammers do are not forbidden too ;-)?

Right. :-) But the score for SUBJECT_ENCODED_TWICE is pretty high: 1.723 How does that justify?

Not at all. At least not outside English-speaking locales.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: Newsletter gets declared as spam
On Tuesday 24 April 2007 15:52, Merlin Morgenstern wrote:

    X-Sieve: CMU Sieve 2.3
    X-Spam-score: 1.9
    X-Spam-hits: BAYES_00 -0.7, EXTRA_MPART_TYPE 1.091, FORGED_RCVD_HELO 0.135, HTML_MESSAGE 0.001, HTML_TAG_BALANCE_BODY 0.228, MIME_HTML_ONLY 0.001, TVD_FW_GRAPHIC_NAME_MID 1.2

EXTRA_MPART_TYPE gets highest, but I do not see a way to get rid of this? Can anybody help please?

EXTRA_MPART_TYPE has been bug reported already. Its rationale is incorrect (the type parameter is actually required), but on the other hand SA doesn't care about what is correct or not, only what indicates spam. Apparently there hasn't been enough ham matching it in the corpora fed to the mass-checks.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: How to use SpamAssassin from PHP?
On Tuesday 17 April 2007 04:44, Derek Harding wrote:

TBH I'm not sure SA is really going to help you here since you'll have zero headers for it to work on meaning you're pretty much down to content URIBL checks.

You can always construct a message header (I try to use the RFC 2822 terminology: it's one _header_ consisting of multiple _fields_, like Subject, Received etc.) from the information available. Don't be honest and say that you Received the post with HTTP though - SA will think that the sender was authenticated!

I agree that a dedicated configuration, in particular a separate bayes DB, is recommended. It shouldn't have to be a completely separate _installation_ though.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: domainkey
On Monday 16 April 2007 19:59, Spamassassin List wrote:

Hi, spamassassin -D --lint shows that i am having some problem with domainkey

    [31077] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/DKIM.pm in @INC [...]
    [...] at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/DKIM.pm line 60.
    [EMAIL PROTECTED] ~]# rpm -q perl-Mail-DomainKeys
    perl-Mail-DomainKeys-1.0

What other package do i need?

perl-Mail-DKIM-something. DKIM != DomainKeys.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: spamc and Mail::SpamAssassin::Client don't return same result
On Monday 16 April 2007 09:27, Phil Dibowitz wrote:

I'm trying to use Mail::SpamAssassin::Client in my code, but I get very different results using it than I do when I use spamc. [...] Here's the test spam:

    Well done! http://amcvuhwk.com/qeix/uopk.html | http://mtldkvuq.com/eojy/hyia.html

    [EMAIL PROTECTED] tmp]$ cat /tmp/spam | spamc
    X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on alt.home.pv
    X-Spam-Level: *
    X-Spam-Status: No, score=5.7 required=6.0 tests=EMPTY_MESSAGE,MISSING_HB_SEP,
    ^^
    MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
    [...]
    [EMAIL PROTECTED] tmp]$ /tmp/test.pl
    Score is 3.2
    Message was
    X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on alt.home.pv
    X-Spam-Level: ***
    X-Spam-Status: No, score=3.2 required=6.0 tests=EMPTY_MESSAGE,MISSING_HEADERS,
    MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE autolearn=no

I'm not completely sure why the perl module doesn't trigger that rule, but please try a test spam *with* a header.

| describe MISSING_HB_SEP Missing blank line between message header and body

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Messages receiving High Score but still getting through
On Wednesday 04 April 2007 00:48, kiwidesign wrote:

So this is the case. When spamassassin is run as root, the message gets a high score, but when sudo'd as the postfix user, it gets a significantly lower score, and two error messages about not being able to write to /root/.spamassassin/user_prefs.

When you sudo, $HOME isn't changed, so that's not strange.

How do I stop spamassassin from looking in here for this (vital?) config, and furthermore, where do I migrate the config in /root/.spamassassin to, to enable this (good?) config to work all the time.

If you are *not* going to use user-specific scores, bayes databases etc., run spamd with -x (--nouser-config) and possibly as a designated user, move any settings from /root/.spamassassin/user_prefs to a global configuration file, and set bayes_path to an absolute path prefix (the same goes for awl_whitelist_path if you use it). Have you read README.spamd?

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: Tool for validating sender address as spam-fighting technique?
On Tuesday 03 April 2007 16:40, Benny Pedersen wrote:

On Sun, March 11, 2007 14:31, Justin Mason wrote:

at others, forged to appear to be from them. It's the obvious response to SAV, which is one reason why we never implemented something like that in SpamAssassin.

if more mta reject from spf then it was not that a big problem, but spf breaks forwarding, or is it users that breaks spf ? :(

SPF doesn't break forwarding if employed carefully. Mail isn't forwarded totally randomly; in sane configurations a user U tells a system A to forward his mail to system B. If B wants to enforce SPF, they have to allow U to tell them about this forwarding, so that an exception can be made. A relatively secure and not too user-unfriendly way of doing this could be with special addresses on this form: user+forwarded-(secret)@domain.example.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)

Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
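One possible realisation of the special forwarding address described in the post above, as an added example (not the poster's or any MTA's implementation): system B derives the secret as an HMAC over the user and the forwarder the user registered, and recognises it again at RCPT time. Deriving the secret with HMAC-SHA256, the 16-character tag length, the registry layout and all names are assumptions.

```python
import hashlib
import hmac

TAG = "+forwarded-"
TAG_HEX_LEN = 16  # assumed: 64 bits of the HMAC are kept in the address


def forwarding_address(user, domain, forwarder, key):
    """Address that user@domain hands to `forwarder` (system A)."""
    material = f"{user}@{domain}|{forwarder}".lower().encode()
    secret = hmac.new(key, material, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]
    return f"{user}{TAG}{secret}@{domain}"


def registered_forwarder(rcpt, registry, key):
    """Return the forwarder whose secret matches `rcpt`, else None.

    `registry` maps "user@domain" to the forwarders that user told system B
    about (hypothetical layout).
    """
    local, at, domain = rcpt.rpartition("@")
    user, tag, _secret = local.partition(TAG)
    if not at or not tag:
        return None
    for forwarder in registry.get(f"{user}@{domain}".lower(), ()):
        expected = forwarding_address(user, domain, forwarder, key)
        # Constant-time comparison so the secret cannot be guessed bytewise.
        if hmac.compare_digest(expected.lower().encode(), rcpt.lower().encode()):
            return forwarder
    return None


def spf_verdict(rcpt, spf_result, registry, key):
    """Decide what B does with an SPF result for mail addressed to `rcpt`.

    A failing result is only overridden when the recipient address carries a
    valid forwarding secret; plain addresses keep full enforcement.
    """
    if spf_result != "fail":
        return "accept"
    if registered_forwarder(rcpt, registry, key) is not None:
        return "accept-forwarded"
    return "reject"
```

Because the secret is bound to one user and one forwarder, a leaked address can be revoked by removing that forwarder from the registry without touching the user's normal address.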
Re: Things I would change to stop spam
On Friday 30 March 2007 15:39, Marc Perkel wrote:

So - what I propose is a addition to the IMAP/POP protocols that allow email to be sent out over IMAP/POP and eliminate SMTP for the end user.

NO, NO, NO! What is it, the tenth time you bring up this theme? Every time it's explained to you that it won't accomplish anything that can't already be accomplished.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Sender Address Verification is NOT abuse and very effective
On Friday 30 March 2007 02:36, John Rudd wrote:

There is no polite way to do it. It's not polite to take advantage of someone else's resources without their permission. That's exactly what SAV does.

I can think of a couple of ways to be at least less impolite. First of all, use SAV as the last check before finally accepting a message, i.e. after it passes SA. Second, use SAV only if the SPF check returns neutral (and possibly temperr/permerr). On softfail you can suspect that the sender is a spammer and that performing a verification might make you a part of a DDoS. On fail you might reject the message *if* all authorized forwardings are accounted for or use SRS. This would mean that those who don't want SAVs from Marc Perkel just have to publish SPF records. DK/DKIM could perhaps be used in a similar way.

SAV is the same thing as TDMA/Challenge-Response, only the challenge is to the machine instead of the human. Most of the same arguments apply. However, the bandwidth used is a lot less.

The same arguments could be extended to SPF queries and even simple DNS queries to check that the given domain even exists. The question is, and it's not a rhetorical one: Where do you draw the line between being abused and providing the kind of directory services you have to run when you own a domain? (One answer might be that SAV (and even simple domain checks) is abusive because it's futile.)

SAV the way it's commonly carried out is definitely an abuse of protocol, so one way to go might be by advocating VRFY: Since accept everything, then bounce is discouraged, one could as well allow VRFY (if one welcomes verification requests from others). (But I'm not sure about the possibility of differentiating negative VRFY responses from rejections due to policy.)

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: spamc/spamd bayes learning question
On Saturday 24 March 2007 23:04, Marc Perkel wrote: The learn-spam script looks like this:

/usr/bin/spamc -d euclid.ctyme.com -x -t 15 -L spam > /dev/null 2> /dev/null
/bin/echo > /dev/null

The echo command is just there so it returns a 0 and exim doesn't complain. Probably a better way to do that. It's common to put || true at the end of a command you don't care about the exit status of. Or you could just exit 0. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: spamassassin 3.1.8 fine tuning
On Monday 19 March 2007 09:22, ram wrote: On Mon, 2007-03-19 at 12:20 +0530, Praveen Kumar wrote: Hi ALL, I've integrated Spamassassin 3.1.8 with SUN Java messaging. It's working fine but success rate of spam-detection is very less (around 20-25%). How can i fine tune to get best results? TIA, Use rules_du_jour. This will download cf files from rulesemporium No, use sa-update instead. It can download cf files from rulesemporium as well as the official rule updates. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) pgpg5iXiF7ae0.pgp Description: PGP signature
Re: Training SA-Migrating from old IMAP to new IMAP server
On Sunday 11 March 2007 18:09, Don Ireland wrote: I'm my email over from the services of fusemail.com to the IMAP server that comes with my shared hosting account. When I copy my messages over from the old server, do I just run SA-learn against the messages as they are? Or will the fact that they have fusemail headers in them cause SA to think messages without fusemail headers are spam? If so, you can make bayes ignore those headers with bayes_ignore_header in local.cf. See the Mail::SpamAssassin::Conf(3pm) manpage. I've always deleted spam after training the filters so I don't have any to feed to the new system. Will that be a problem? Having too great an imbalance in numbers between ham and spam will bias the bayes classifier towards everything is spam or in this case everything is ham. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: 0 padding the _SCORE_
On Monday 12 March 2007 09:04, LuKreme wrote: I have rewrite_header Subject (Spam? _SCORE_) in my local.cf file, but the trouble is when I sort by subject I get a list like this: (Spam? 49.8) (Spam? 5.1) (Spam? 50.1) (Spam? 6.0) Is there any way to get _SCORE_ to print with a zero pad of one character? This particular account does not auto delete any mail, regardless of score (hey, not my idea, m'kay?) Yes; see the Mail::SpamAssassin::Conf(3pm) manpage, section Template tags. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpsWRo17fll8.pgp Description: PGP signature
Re: Odd score
On Tuesday 20 February 2007 17:35, Scott Lockwood wrote: X-Spam-Status: No, score=-79.4 required=5.0 tests=BAYES_99,HELO_DYNAMIC_HCC, HELO_DYNAMIC_IPADDR2,HTML_MESSAGE,INVALID_DATE,RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_XBL,SPF_SOFTFAIL,UPPERCASE_25_50,USER_IN_WHITELIST autolearn=no version=3.1.1 I keep getting these messages with really low scores that should be really high scores. I can't figure out why, after all the tests that it hit on, the score ends up -79.4. Anyone have any ideas??? USER_IN_WHITELIST, -100 points This means you have whitelisted an address in some sender header. It doesn't have to be From:, it can be Return-Path: or Envelope-Sender: among others. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpNG0Kx6LiAM.pgp Description: PGP signature
Re: Spam not getting scanned
On Thursday 15 February 2007 15:48, Dave Williss wrote: Is there some Spamassassin rule that may be auto-whitelisting this (because the forged sender is an actual account), or is Postfix confused into thinking that the sender is local and just not running it through SA? Now that I think about it, I'm guessing it's Postfix. SpamAssassin always processes all mail it gets and at the very least adds an X-Spam-Checker-Version: line to the mail header, so you're guessing correctly. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpNwuq9Rd85p.pgp Description: PGP signature
Re: quick question
On Wednesday 14 February 2007 14:55, maillist wrote:

Content analysis details: (8.6 points, 7.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
                            [SPF failed: Please see http://www.openspf.org/why.html?sender=janis.com&ip=212.11.121.229&receiver=mail.emailacs.com]
-1.8 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 8.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9970]

Is there any reason that such a message with the above score would make it to an in-box? That depends entirely on whatever moves the spam to the spamdrop in-box. What MDA do you use and what criteria is it configured to make its decisions upon? All of my users are getting these messages a few times a day. Other than that, all other spam is correctly moved to a spamdrop in-box. I sent a question in the other day about this, and never heard anything back from anyone. I'm still puzzled by this. I don't have any sort of whitelist setup. Does any of the correctly moved spam have a lower score than this? -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: MTA Search: Non contiguous ranges?
On Tuesday 13 February 2007 19:57, Dan wrote: I would like a Mail Transfer Agent recommendation. What's the best MTA, running on any platform, that will accept two or more thresholds (non-contiguous weight values) for treating messages as spam? Something like: 0-1 is ham 2-9 is spam 10 is ham 11-99 is spam Now I'm curious. How does that work? Where 4 paths are possible, instead of the normal 2 (below 10 allow, above 10 tag) such that the treat-as-ham values are literally in between the spam values. This can be native or via a plugin. Exim can do that without any plugin. In order of priority, I'm looking for: 1) Compatibility with SpamAssassin Check! 2) Non contiguous score acceptance Exim can do almost anything you want. 3) Compatibility with multiple AV scanners Check! 4) Ease of use That's what Exim is best at. 5) Good logging system I think so, but I can't guarantee that there is no MTA with better logging facilities. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpUC9S7uydCr.pgp Description: PGP signature
Re: sa-update gives error message Insecure dependency in open while running with -T switch
On Friday 09 February 2007 00:52, Philip Seccombe wrote: I really am getting confused here nibbler:/etc/init.d# spamassassin -V SpamAssassin version 3.0.3 running on Perl version 5.8.4 nibbler:/etc/init.d# nibbler:/etc/init.d# apt-get install spamassassin Reading Package Lists... Done Building Dependency Tree... Done spamassassin is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 38 not upgraded. nibbler:/etc/init.d# Hey, you didn't say nothing about Debian (or Ubuntu, etc.)! You most likely don't want to mix deb-packaged perl modules with cpan-installed ones. Looks like you have multiple versions of everything installed. The modules installed by cpan are probably under /usr/local/lib/perl and /usr/local/share/perl. Clean out the ones you already have under /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, and /usr/share/perl5. If apt-get will not install it, how do I upgrade it properly? You have to wait for Etch to be released or add a suitable repository specification to /etc/apt/sources.list, for example one from backports.org. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgp1fyLx4vxE6.pgp Description: PGP signature
Re: Difference between debian package and cpan-installation
On Tuesday 06 February 2007 13:49, Sebastian Ries wrote: We have several instances of spamassassin running. Most of them are installed as Debian packages. When I upgrade these from sarge-backports to version 3.1.7 and run sa-update I get about 95% of Spam detected. Another instance is running on an old Suse system. I uninstalled the rpm-Packages and installed Spamassassin 3.1.7 via cpan. But even after an sa-update I only have about 50% of Spam detected. Does anyone know what is configured within the debian package that is different from the cpan installation? http://www.backports.org/backports.org/pool/main/s/spamassassin/spamassassin_3.1.7-1~bpo.1.diff.gz That's the difference. :-) AFAICT, the Debian package merely adds an init script, changes /etc/mail/spamassassin to /etc/spamassassin, adds some Debian-specific rules (which have no effect if sa-update is used), and does some other minor documentation changes. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: can you trust the MX?
On Monday 29 January 2007 15:01, Matt Kettler wrote: Mike Jackson wrote: Shouldn't mail be sent through the MX for a domain? Not if the domain is of any decent size.. Using different servers for outbound vs inbound mail is a very common load balancing tactic for large sites. Which is why SPF was created in the first place, because you can't assume that mail is sent by the MX. So, it is well established that mail from a domain doesn't have to be sent from the MX for the domain. But the converse should be true, shouldn't it? I.e. an MX for a domain is normally a legitimate deliverer of mail from that domain (if it delivers any outbound mail at all). Would a whitelist_from_mx option perhaps be worthwhile? -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: Should I use greylisting
On Friday 26 January 2007 03:21, uNiXpSyChO wrote: Chris Purves wrote: Personally, I didn't like the added delay for first-time mails, which is why I chose to greylist only on blocklists, but for a minimal effort my spam was significantly reduced. Hope that helps. what are you using to greylist based on blocklists? Judging from his presence on the Exim-related mailing lists he is probably using the Exim MTA and its ACL facilities. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans ---BeginMessage--- Marc Haber wrote: On Tue, Jan 16, 2007 at 01:57:38PM -0700, Chris Purves wrote: I am having difficulties getting AUTH to work for remote connections. I have had it working in the past, but don't normally use my server for sending e-mail because it has a dynamic IP. Yesterday I found that it doesn't seem to be working at all. I have tried with Thunderbird and Opera to send e-mail, both say something the server is not accepting SMTP connections or is not set up properly. Any chance that your ISP might be blocking incoming port 25? Does submission on port 587 have the same problem? The problem was along these lines. Port 25 seems to be blocked for outgoing on the network I was testing the e-mail client. I added listening on port 587 for situations like that and everything is working now; or rather it was always working and I just now realised it. Thanks for pointing out the most obvious reason. It could have taken weeks for my brain to turn on. I also found that when using telnet remotely, the welcome banner was very slow to come up ~60s. I set rfc1413_query_timeout = 0s to get around that. If that didn't help, you might be experiencing DNS issues. If it helped, I have no idea because rfc1413 timeout was always shorter than 30 seconds. Yes, you're right. 
I reset to 30s and from some hosts it takes about 35s and from others about 3s. I must have made a mistake when I measured 60s. I have set the timeout to 5s, which I think is the default for exim 4.6 (I have 4.5). Thanks again. -- Chris ___ Pkg-exim4-users mailing list [EMAIL PROTECTED] http://lists.alioth.debian.org/mailman/listinfo/pkg-exim4-users ---End Message--- pgpIKAe32PDDi.pgp Description: PGP signature
Re: bayes 101
On Sunday 21 January 2007 16:44, Matt Kettler wrote: Tom Allison wrote: [5411] info: config: SpamAssassin failed to parse line, /var/cache/spampd/bayes is not valid for bayes_path, skipping: bayes_path /var/cache/spampd/bayes debug helped. But what does it mean? Is there a directory named /var/cache/spampd/bayes/? If so, remove it, or change your bayes_path to /var/cache/spampd/bayes/bayes Should that really be a problem? The bayes module should be able to use /var/cache/spampd/bayes_* despite the directory /var/cache/spampd/bayes being there. Would it be a bad idea to change the code such that bayes_path can optionally name a directory? Either by including a trailing slash or by there actually being a directory with the name in question. In these cases the files would simply be called toks, seen, and journal, without a prefix. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgp99XBTFCPmS.pgp Description: PGP signature
Re: AWL question
On Wednesday 17 January 2007 11:24, Rocco Scappatura wrote: I use SA storing data on MySQL databases. I have seen the awl contains email address with the value 'none' in the field 'IP'. Why this field for some entries is not correctly filled? Perhaps it could be that mail was submitted locally (not with SMTP), over IPv6 or that the IP address couldn't be extracted for some other reason. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans
Re: Sync bayes between multiple servers.
On Tuesday 02 January 2007 18:01, Big Wave Dave wrote: I currently have several machines providing mail relay for my domains. I have started training one of the machines using sa-learn. However I would like the other relays to be knowledgable of the training I have done. I have considered a few options: -- use sa-learn --backup ... and then restore to the other machines. -- simply rsync the bayes files to the other machines. What is the best method? Is there a proper way of doing this? In a situation where you need several machines to handle email I think others have recommended storing bayes data in a database. Perhaps you can manage with a single database server; otherwise you can use whatever replication methods offered by the database engine of your choice. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpEVLSxarehO.pgp Description: PGP signature
Re: Making use of other spam checkers
On Tuesday 02 January 2007 19:28, Rick van der Zwet wrote: A lot of e-mail derived today is already scanned by an other (relay) spam checker. Does sa has some way of making use of this information and store this information instead of deleting it. Not AFAIK. Most preferably I would like to see/make this kind of setup -set in config, spam checker host is trusted (something like trusted_networks) -score based on a X-Spam-* tag -write the old X-Spam-* - X-History-00-Spam-* (eq write the old value of a header to a new header) Does anyone has a clue how to make/write the following working? Let the MTA rewrite the headers if they come from a trusted host. Make the MTA not pass the mail to SA if the score is high (or low) enough. Write SA rules that look for particular rules in the old X-Spam-Status field. Use bayes_ignore_header to exclude the old headers from bayes classification. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpKbQMns1Qif.pgp Description: PGP signature
Re: localhost bypass?
On Monday 01 January 2007 23:00, Thomas S. Crum wrote: How do I stop sa from processing mail relayed/originated from localhost, 127.0.0.1? Don't give the mail to SA. SA will process everything it gets, and there is (as of yet) no other way to prevent it. I tried: trusted_networks 127.0.0.1 internal_networks 127.0.0.1 But, it is still processing mail from localhost and adding this header: X-Spam-Status: No, score=0.6 required=5.0 tests=ALL_TRUSTED,AWL,HTML_10_20, HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HEADER_CTYPE_ONLY, MIME_HTML_ONLY,NO_REAL_NAME autolearn=no version=3.1.7 Yes, it correctly identified that the mail only travelled through trusted hosts. It also didn't query for those hosts (127.0.0.1 - I don't think it would have anyway, but it doesn't matter). That's about all it means to be trusted by SA. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgp72alDLjKMO.pgp Description: PGP signature
Re: what does Image is single non-interlaced mean ?
On Monday 18 December 2006 09:41, Halid Faith wrote: I see a messages as below in Fuzzyocr.log. Image is single non-interlaced Since nobody else has answered yet: What does it mean? I don't really know, but IMHO it *should* mean that an image consisted of a single non-interlaced block (as opposed to multiple blocks puzzled together, as is possible with the GIF format, to make life harder for programs like FuzzyOCR). Interlacing can also make things harder. In other words it seems to indicate a *non*-suspect kind of image. What should I do ? Probably nothing. Possibly lower log level. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpGXWuPxOHBe.pgp Description: PGP signature
Re: starting spamd
On Saturday 16 December 2006 23:02, spamassassin wrote: When I try to run it using the -u root this is the error that I get spamd: cannot run as nonexistent user or root with -u option That's right. spamd refuses to do that for security reasons. If run without -u user, it changes identity to the caller, or nobody if the caller is root, after accepting a connection. If run with -u user, it changes identity to user after binding to its listening socket, unless user is root, in which case it complains and exits. Configuring site-wide means adding a dedicated spamassassin user to run spamd as. Also use -x to stop spamd from reading any personal config files. If you want per-user configuration, you can arrange for it to be stored in a database (but that sounds unnecessarily fancy). The thing to realise is that running things as root is dangerous and should be limited to an absolute minimum. Under no circumstance treat root as a normal user among the rest! -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgp7AaNkiwYYW.pgp Description: PGP signature
Re: SPF is hopelessly broken and must die!
On Thursday 14 December 2006 01:51, Giampaolo Tomassoni wrote: From: Marc Perkel [mailto:[EMAIL PROTECTED] OK Daryl, How do you deal with people forwarding email from another domain when using SPF? Right. That's the big reason for using +all (or not using SPF at all). Using +all means to me: Look, I - the postmaster - I'm aware of SPF, but unfortunately my customers have the need to send their mail through many ISPs. No, you say ?all. That means that users may send mail from anywhere, but then we don't guarantee that it's genuine. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpaPkLxMZqZh.pgp Description: PGP signature
Re: SPF is hopelessly broken and must die!
On Thursday 14 December 2006 01:37, Marc Perkel wrote: How do you deal with people forwarding email from another domain when using SPF? *If* you intend to reject mail based on hard SPF failures, then you *must* allow for exceptions for forwarded mail. Mail can only be forwarded from specific hosts, so while it might be tricky it's definitely possible to define such exception in a meaningful way. Demanding that forwarding between arbitrary hosts must simply work (without SRS, DKIM or some other mechanism) is to say that everyone must always trust the envelope sender and mail header like 20 years ago. That is what is really broken. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpVkJTLMWo1f.pgp Description: PGP signature
Re: Problem Adding the X-Spam-Status: header
On Monday 27 November 2006 16:27, Odhiambo Washington wrote: After I migrated from 2.64 to 3.1.7, I seem to have lost a very important functionality that I need with SA - adding the X-Spam-Status: header. Believe me, I have RTFMed already the Mail::SpamAssassin::Conf... From my local.cf, I have the following: [meta-cut] . but I don't see the header being added. Here is a typical example: X-Spam-Score: -0.2 (/) X-Spam-Report: Start Spam/Junk Filter results Filter analysis score is (-0.2/2.0) -0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40% [score: 0.3295] End Spam/Junk Filter results You seem to be running Exim with Exiscan. The add_header options in local.cf are of no consequence - everything is controlled from the ACL configuration. If you want to configure the headers freely from local.cf, use the SA-Exim add-on. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) pgp70FU1iXs9h.pgp Description: PGP signature
Re: Problem Adding the X-Spam-Status: header
On Tuesday 28 November 2006 00:22, Chris Purves wrote: Magnus Holmgren wrote: On Monday 27 November 2006 16:27, Odhiambo Washington wrote: You seem to be running Exim with Exiscan. The add_header options in local.cf are of no consequence - everything is controlled from the ACL configuration. If you want to configure the headers freely from local.cf, use the SA-Exim add-on. If you don't want to use sa-exim, you can add the headers in the exim acl: Something like: Off topic! :-)

warn message = X-Spam-Status: Yes
     spam = nobody
     condition = ${if >{$spam_score_int}{49}{1}{0}}
     condition = ${if <{$message_size}{100k}{1}{0}}
warn message = X-Spam-Status: No
     spam = nobody
     condition = ${if <{$spam_score_int}{50}{1}{0}}
     condition = ${if <{$message_size}{100k}{1}{0}}

Not quite. If he wants to have the X-Spam-Status described in the OP, he would have to do like this:

# local.cf:
clear_report_template
report _YESNO_ score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_

# exim.conf, DATA ACL somewhere, with Exim 4.61 or later:
warn condition = ${if <{$message_size}{100k}}
     spam = nobody:true
     add_header = X-Spam-Status: $spam_report
     spam = nobody
     add_header = X-Spam-Flag: YES

With earlier versions of Exim, without the add_header modifier, the size check has to be duplicated. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Bayes - Autoexpiry, bayes_seen, and bayes_tok
On Sunday 26 November 2006 16:16, Jason Frisvold wrote: On 11/26/06, Matt Kettler [EMAIL PROTECTED] wrote: Make sure you run the --force-expire as the proper userid. run sa-learn --dump magic, as I asked. If you need help interpreting it, post the output. This doesn't look right to me.. ? Half are new and half old? I'm going right now to google this to death.. :)

[EMAIL PROTECTED] ~]$ sudo sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 1 0 non-token data: nham
0.000 0 72 0 non-token data: ntokens
0.000 0 1106663054 0 non-token data: oldest atime
0.000 0 1106663054 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

Looks like you're looking at the wrong database here. The above means that you have 72 tokens from 1 ham mail and no spam. 1106663054 is a unix timestamp meaning Tue, 25 Jan 2005 14:24:14 UTC. su to the right user or use --dbpath (it works like bayes_path in local.cf). -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
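The reading of the dump given in the reply above, as an added example that is not part of the original thread: it parses `sa-learn --dump magic` output, converts the atime fields to dates, and flags the signs that the wrong or an unused Bayes database is being inspected. The function names, the 30-day staleness cut-off and the finding codes are assumptions of this sketch; the 200-message minimum is SpamAssassin's default for bayes_min_spam_num and bayes_min_ham_num.

```python
import re
import time
from datetime import datetime, timezone

# One "magic" row: probability, spam count, value, atime, then the field name.
MAGIC_ROW = re.compile(
    r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data:\s+(.+?)\s*$")

# The dump quoted in the post above.
POSTED_DUMP = """\
0.000 0 3 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 1 0 non-token data: nham
0.000 0 72 0 non-token data: ntokens
0.000 0 1106663054 0 non-token data: oldest atime
0.000 0 1106663054 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count
"""


def parse_dump_magic(text):
    """Map each 'non-token data' field name to its integer value."""
    magic = {}
    for line in text.splitlines():
        row = MAGIC_ROW.match(line)
        if row:
            magic[row.group(2)] = int(row.group(1))
    return magic


def atime_utc(epoch):
    """Render a Bayes atime (Unix timestamp) as a readable UTC date."""
    stamp = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return stamp.strftime("%a, %d %b %Y %H:%M:%S UTC")


def review(magic, now, min_learned=200, stale_days=30):
    """Return (code, explanation) pairs for anything that looks wrong.

    stale_days is a threshold chosen for this sketch, not a SpamAssassin
    setting; min_learned mirrors the bayes_min_*_num defaults.
    """
    findings = []
    for key, label in (("nspam", "spam"), ("nham", "ham")):
        count = magic.get(key, 0)
        if count < min_learned:
            findings.append((f"few_{label}",
                             f"{count} {label} learned, Bayes is not used "
                             f"below {min_learned}"))
    newest = magic.get("newest atime", 0)
    if newest and (now - newest) / 86400 > stale_days:
        findings.append(("stale",
                         f"newest token dates from {atime_utc(newest)}; a "
                         "database in use is touched on every scan, so check "
                         "the user or --dbpath"))
    if magic.get("last expiry atime", 0) == 0:
        findings.append(("never_expired",
                         "expiry has never run on this database"))
    return findings


if __name__ == "__main__":
    for code, why in review(parse_dump_magic(POSTED_DUMP), time.time()):
        print(f"{code}: {why}")
```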
Re: BayesStore/SQL.pm
On Sunday 26 November 2006 14:27, Giampaolo Tomassoni wrote: No answer to this? Is this the wrong list to ask code details? You could try [EMAIL PROTECTED] -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) pgpOPo1eUouFh.pgp Description: PGP signature
Re: spamd crashing...
On Saturday 25 November 2006 21:12, Jeff Funk wrote: My spamd process is crashing a lot. Sometimes several times an hour. I've got a monitor that restarts it but I'd really like to figure out the cause and fix it. Any clues as to where I would look to begin?? Have you read the logs, to begin with? -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) pgpPopryspRGE.pgp Description: PGP signature
Re: Why won't imageinfo.pm work with SA 3.17? - access
On Monday 27 November 2006 00:04, Michael W Cocke wrote: I can't get the imgeinfo plugin to load with SA 3.17? I put this in v310.pre loadplugin Mail::SpamAssassin::Plugin::ImageInfo The Imageinfo.pm file is in the same directory as other PM files that are being correctly found, and When I try a spamassassin --lint, I get The same directory as *what* other PM files? Is it named Imageinfo.pm or ImageInfo.pm? It has to be in a subdirectory called Mail/SpamAssassin/Plugin/ImageInfo of one of the locations below - /usr/lib/perl5/site_perl/5.8.8 is probably best, I think - and have the name capitalized correctly. [5522] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at (eval 80) line 1. 
[5522] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method new via package Mail::SpamAssassin::Plugin::ImageInfo at (eval 81) line 1. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) pgpV4Z9vE6o1l.pgp Description: PGP signature
Re: Problems running Spam Assassin
On Sunday 19 November 2006 18:04, CosmicPerl wrote: Hi, I installed the latest SpamAssassin on my server. At first all my tests looked good, apart from load. So I setup spamc and spamd and everything seemed great, for a short while at least. A day later my mqueue had about 1500 messages in it, most with the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL. This seems to be coming up if the mailbox is full or the email is to an address that doesn't exist. It seemed that about every hour or so Sendmail was trying to flush out these messages, causing 1000's of processes to be started and making the server freeze up. Despite my Sendmail config having

define(`confMAX_DAEMON_CHILDREN', `12')dnl

In my procmailrc file I have:-

DROPPRIVS=yes
:0fw: spamassassin.lock
* < 256000
| spamc

The SpamAssassin daemon was started with

/usr/bin/spamd -d -u nobody

At some point all mail stopped coming in. When I looked at the maillog file it had lots of lines like:-

mkdir /root/.spamassassin: Permission denied

Which I guess was causing the problem. This wasn't a problem before so I'm not sure why it happened. Any clues? I guess you might get some problem if you run spamd with -u nobody but without --nouser-config (either spamd will try to access the users' home directories as nobody, or it will try to access the home directory of nobody - I'm not sure, but in either case it will work badly). If you want per-user preferences together with -u you must either use -x --virtual-config-dir, make all users' .spamassassin directories readable (and writable, if you want bayes and/or AWL) by the spamd user (should be a special user - the nobody user isn't supposed to have any particular access to any files), or use a database. See README.spamd for security considerations if you have any untrusted users with shell access. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: SPF and SMTP AUTH
On Tuesday 21 November 2006 12:07, Rene Caspari wrote: Hi, I have a little problem with SPF: For domain.tld there is a SPF record, which says that mail.domain.tld is allowed to sending mails from [EMAIL PROTECTED] If I use mail.domain.tld with a dialin account by SMTP AUTH, spamassassin says SPF_SOFTFAIL because initially the mail was sent by the dialin account and not mail.domain.tld. OK, so domain.tld is your domain, mail.domain.tld is the MX for that domain as well as the MSA that receives outbound mail from dialin users, and SpamAssassin says SPF_SOFTFAIL of mail received by mail.domain.tld from dialin users? How can I configure spamassassin to do not recognize the dialin account as a mailserver? In that case it should work as long as SpamAssassin trusts mail.domain.tld *and* the MSA/MTA at mail.domain.tld adds a Received: line that correctly states that the client was authenticated. If possible, you can also list your dialin IP ranges in trusted_networks. See http://wiki.apache.org/spamassassin/DynablockIssues and http://wiki.apache.org/spamassassin/TrustPath. Please post the unobfuscated header of a mail that hit SPF_SOFTFAIL if you need more help. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) pgp9ffanUpFd5.pgp Description: PGP signature
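The condition stated in the reply above (the Received: line written by the trusted MSA must say the client authenticated), as an added example that is not part of the original thread and is not SpamAssassin's own header parser. It walks the Received: lines from the top, stops at the first client outside the trusted networks, and reports whether that hop was accepted with an RFC 3848 authenticated keyword; the host scan.domain.tld, the documentation-range addresses and all function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# RFC 3848 "with" keywords that mean the client passed SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}

BY_RE = re.compile(r"(?:^|\s)by\s+(\S+)")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
WITH_RE = re.compile(r"\swith\s+([A-Za-z0-9]+)")


def parse_received(value):
    """Extract client IP, receiving host and protocol from one Received: value."""
    flat = " ".join(value.split())              # undo header folding
    by = BY_RE.search(flat)
    from_part = flat[:by.start()] if by else flat
    rest = flat[by.start():] if by else ""
    ip = None
    found = IP_RE.search(from_part)
    if found:
        try:
            ip = ipaddress.ip_address(found.group(1))
        except ValueError:
            ip = None
    proto = WITH_RE.search(rest)
    return {"ip": ip,
            "by": by.group(1) if by else None,
            "with": proto.group(1).upper() if proto else None}


def classify(raw_message, trusted_networks):
    """Return (verdict, client_ip) for the hop where mail entered our hosts.

    Only lines written by trusted hosts are believed: the top line is ours,
    and each further line is believed only while the client above it was
    itself trusted. Anything below the first untrusted client is ignored.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    received = message_from_string(raw_message).get_all("Received", [])
    for hop in map(parse_received, received):
        if hop["ip"] is None:
            return ("no_client_ip", None)       # e.g. local submission
        if any(hop["ip"] in net for net in nets):
            continue                            # next line came from a trusted host
        if hop["with"] in AUTH_PROTOCOLS:
            return ("authenticated", str(hop["ip"]))
        return ("external", str(hop["ip"]))
    return ("all_trusted", None)


def build(*received):
    """Assemble a constructed message from Received: values, newest first."""
    return "\n".join("Received: " + r for r in received) + "\nSubject: t\n\nbody\n"


# Constructed samples; mail.domain.tld is the MSA named in the thread.
TRUSTED = ["127.0.0.0/8", "192.0.2.25/32"]
DIALIN = ("from laptop (dialin-7.example.net [203.0.113.77])\n"
          "\tby mail.domain.tld with {proto} id 1A2B3C; "
          "Tue, 21 Nov 2006 12:00:00 +0100")
AUTHENTICATED = build(DIALIN.format(proto="ESMTPSA"))
UNAUTHENTICATED = build(DIALIN.format(proto="ESMTP"))
# A sender-supplied line claiming ESMTPSA sits below the real one and is ignored.
FORGED_BELOW = build(
    "from bulk (unknown [198.51.100.9]) by mail.domain.tld with ESMTP id 9Z",
    "from home (home [10.0.0.5]) by mail.domain.tld with ESMTPSA id FAKE")
# Mail handed from the MSA to a separate scanning host before the check runs.
VIA_SCANNER = build(
    "from mail.domain.tld (mail.domain.tld [192.0.2.25]) "
    "by scan.domain.tld with ESMTP id 7Q",
    DIALIN.format(proto="ESMTPSA"))

if __name__ == "__main__":
    for name in ("AUTHENTICATED", "UNAUTHENTICATED", "FORGED_BELOW", "VIA_SCANNER"):
        print(name, classify(globals()[name], TRUSTED))
```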
Re: Thoughts on using DCC
On Friday 17 November 2006 02:44, Chris wrote:

> On Thursday 16 November 2006 9:21 am, Magnus Holmgren wrote:
>
>> So basically you're right and I haven't added anything. What I can add is that I don't use DCC myself, for precisely the aforementioned reason, i.e. that it requires too much fiddling with mailing lists.
>
> If you happen to be running procmail it's easy to have your list mail processed into the correct folders before spamassassin is even called.

Not so easy if you call SpamAssassin after end of DATA to be able to reject spam at SMTP time...

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Hi !
On Friday 17 November 2006 13:52, Cristi Tudose wrote:

> Hi ..

One tip for the future: "Hi !" is not a good subject line.

> I have installed qmail with qmail-scan, spamassassin and clamav. The installation went well. Clamav and spamassassin are running under the qscand user. For mails that came with a virus attachment, the attachment is deleted by clamav. But the spam is not. I want the subject to be rewritten, which is not happening. In my local.cf I have:
>
>     rewrite_header Subject SPAM(_SCORE_)
>     required_score 20.0
>     required_hits 20

It appears that Qmail-scanner can be run in one of two modes, and in the fast mode it adds its own headers, just like Amavis. See http://qmail-scanner.sourceforge.net/FAQ.php#cs, points 16 and 17. Also lower the required_score to something more normal.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Thoughts on using DCC
On Thursday 16 November 2006 12:59, Anthony Peacock wrote:

> I realise that DCC is not a direct indicator of spamminess but an indicator of bulkiness. And I also realise that the correct answer to my question is 'it depends on your local needs'... Given that what are people's thoughts on using DCC in SA? DCC gives a high hit rate on SPAM here, but also contributes highly to false positives. Since setting up DCC I seem to have lots of list emails reported as false positives, and spend a fair amount of time checking and tweaking whitelisting settings for these. And in most cases a combination of DCC and a highish Bayes score is enough to tip these over. I know I could adjust the DCC score, but was wondering what other people do?

The thing with DCC is that it combines checking and reporting, which is why it is an indicator of bulkiness and not spamminess, as you say. To get around that you should whitelist all mailing lists so that mailing list mail isn't checked against DCC, both to avoid false positives yourself and to help others avoid false positives.

So basically you're right and I haven't added anything. What I can add is that I don't use DCC myself, for precisely the aforementioned reason, i.e. that it requires too much fiddling with mailing lists.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Bayesian scores
On Thursday 09 November 2006 22:14, Steve Ingraham took the opportunity to say:

> Ok, I have a question on these Bayes rules related to false positives. It appears that many of my users are having legitimate emails scored in the 8 to 9 range. These emails are scoring high basically because they are hitting on one of the various Bayes rules (most notably the Bayes_50_Body and the Bayes_95_Body rules). Is there something straightforward that can be done to stop these legitimate scores from scoring high on the Bayes rules? I have already decreased the Bayes_50_Body rule from 5.0 to 2.5. I don't want to decrease the scores with every Bayes rule because I think I will start seeing some true spam delivered because it did not score high. Any ideas?

1) False negatives are better than false positives (up to a certain limit at least).

2) BAYES_50 means that the classifier has no idea whether it's spam or not. It should definitely not be scored at 5.0, and 2.5 is probably way too high, but it depends on what other rules your ham triggers. The important thing is that the total for a ham message doesn't go over 5 (or whatever limit you choose). If almost all ham hits BAYES_00 or the occasional BAYES_05, then in principle there is nothing wrong with a relatively high BAYES_50 score (1.0, for example).

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Log Mail Caught As Spam
On Monday 06 November 2006 13:59, itdelany took the opportunity to say:

> I successfully run spamassassin with bayes filter on my site and it is working really really fine. But, this morning I noticed that an email I receive every day from my server (It's from LogWatch application, it sends detailed log information from past events, like users logons and postfix statistics) So I ran
>
>     # sa-learn --progress --ham a0f3773f-bc37-4eae-b912-5339ea06735d.eml
>     100% [===] 20.02 msgs/sec 00m00s DONE
>     Learned tokens from 1 message(s) (1 message(s) examined)
>
> BUT the email keeps being caught as Spam by SpamAssassin, did I forget something?

SpamAssassin will not see all those messages as the same. However, one would expect it to learn to recognise it as ham with time. Maybe it has, but the negative score of BAYES_00 is too small to bring the total back under 5.0. There should be an X-Spam-Status line enumerating the rules that hit.

> What exactly does --forget do? How can I ensure this email will not be considered spam in the future?

--forget forgets about a previously learnt piece of ham or spam, like you hadn't run sa-learn --ham at all. A better approach however would be to skip running those messages through SA at all, or to whitelist the sender address (read about whitelist_from_rcvd in the Mail::SpamAssassin::Conf(3pm) manual page). Also, is the server in trusted_networks?

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: rewrite subject?
On Wednesday 01 November 2006 13:29, Pablo Allietti took the opportunity to say:

> hi all. I have a problem with rewrite subject. Many messages on the server are detected as spam and have the subject rewritten with ***SPAM*** but others NOT, and in the headers have this. What is the problem, why doesn't spamassassin rewrite these messages? What is tagged_above=-999 ?

tagged_above indicates that you're using Amavisd-new, and it is adding the headers and (not) rewriting the subject, not SpamAssassin.

>     X-Spam-Status: Yes, hits=6.86 tagged_above=-999 required=4 tests=AWL, BAYES_00, NA_DOLLARS, NIGERIAN_BODY1, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_SORBS_WEB, RISK_FREE, TO_EMPTY, URG_BIZ, US_DOLLARS_3
>     X-Spam-Level: **
>     X-Spam-Flag: YES

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: problems with redirected mail
On Monday 30 October 2006 06:07, Wojciech Potrzebowski took the opportunity to say:

> I am running spamassassin with qmail. It catches most of the mail that is scored as spam. However, some e-mails that are redirected from the other mail server (also with a spam checking system) get through even though they are treated as spam if I run a local test. Any idea how to fix the problem?

Please provide one or more examples, with the SA headers from both servers, of mail that got through the other server but was classified as spam on the local server. There are a couple of ways the scores can differ if the systems don't exchange information.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: problems with redirected mail
On Monday 30 October 2006 20:44, Wojciech Potrzebowski took the opportunity to say:

> Thank you for your time in handling this case! I have attached two e-mails with headers from both servers. I can only configure SA on my local server: iwonka.med.virginia.edu. I don't have access to the other mail server.

As you can see, on your local server the spam hits BAYES_99:

    X-Spam-Status: Yes, score=5.5 required=4.0 tests=BAYES_99,NO_RECEIVED, NO_RELAYS,TO_WM_FROM_COM autolearn=no version=3.0.6

But on the other server bayesian-style (it's not pure bayesian, but modified to be better) classifying isn't used at all, or isn't trained (they're using Amavisd-new as the interface to SA, which (in a way) explains the slightly different header format). In any case, you won't get the same results unless both servers share the same bayes database.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: OT/Humor: Do I have to live in fear of spammers?
On Wednesday 25 October 2006 10:44, Chr. v. Stuckrad took the opportunity to say:

> Does somebody have a list for something like 'the best random-generated spam/text' without polluting this list ?

Perhaps not random, but there's always http://spamusement.com/

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: I'm thinking about suing Microsoft
On Wednesday 25 October 2006 10:27, Mike Woods took the opportunity to say:

> Mosenior 'Mo' Moses wrote: That is, Until it starts being used. Then all of the issues will be fixed in the next release ;-). I've noticed that M$ is always secure... before it goes into circulation. Reminds me of the old line about computer security The only way to completely secure a computer is to unplug it :p The ultimate windows security accessory, A pair of scissors to cut the power cable :D

http://www.ranum.com/security/computer_security/papers/a1-firewall/

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
BUG: Re: Does re-learning really work?
On Sunday 15 October 2006 20:49, Magnus Holmgren took the opportunity to say:

> Apparently, when sa-learn reads a message from stdin, for some reason the entire header, and possibly even the empty line separating it from the body, disappears. Or at least $msg->get_header("Date") and $msg->get_header("Received") in get_msgid() in Bayes.pm return undef or ''. When I give sa-learn a filename it works. Also, learning via the TELL spamd method works, as does spamassassin -r with filename as well as stdin.

I found the reason now. Mail::SpamAssassin::ArchiveIterator::scan_file() consumes the headers from STDIN. A normal file is read from the start the next time, but not standard input. '-' can't be treated like any other file. The reason that it works in 3.0.3 is that $self->{opt_n} is set, but in 3.1.4 there is $opt->{opt_want_date}, which is 1 by default and causes $self->{determine_receive_date} to be true as well.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
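
The failure mode described in this message, reproduced as an added Python sketch that is not SpamAssassin's code: a pre-scan consumes the header from a pipe, the learner then derives its ID from a header-less message, `--forget` finds nothing, and a re-learn leaves both a ham and a spam count on each token. `derive_msgid`, `ToyBayesStore` and the reader functions are hypothetical stand-ins, and the ID formula is an assumption chosen only so that missing headers change the result.

```python
import hashlib
import io
import os
from collections import defaultdict

# Constructed sample message (not taken from the thread).
SAMPLE = (
    b"Received: from mail.example.net ([192.0.2.10]) by mx.example.org\r\n"
    b"Date: Sun, 15 Oct 2006 16:55:00 +0200\r\n"
    b"\r\n"
    b"cheap pills cheap pills\r\n"
)


def split_message(raw):
    """Toy parser: (headers, body). No blank line means no header was seen."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {}, raw
    headers = {}
    for line in head.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if colon:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers, body


def derive_msgid(raw):
    """Assumed stand-in for a generated ID: hash of Date, Received and body."""
    headers, body = split_message(raw)
    seed = b"\0".join([headers.get(b"date", b""),
                       headers.get(b"received", b""), body])
    return hashlib.sha1(seed).hexdigest() + "@sa_generated"


class ToyBayesStore:
    def __init__(self):
        self.seen = {}        # message ID -> label it was learnt under
        self.counts = defaultdict(lambda: {"ham": 0, "spam": 0})

    def _apply(self, raw, label, delta):
        _, body = split_message(raw)
        for tok in set(body.lower().split()):
            self.counts[tok][label] += delta

    def learn(self, raw, label):
        msgid = derive_msgid(raw)
        if msgid in self.seen:
            return 0
        self.seen[msgid] = label
        self._apply(raw, label, +1)
        return 1

    def forget(self, raw):
        label = self.seen.pop(derive_msgid(raw), None)
        if label is None:
            return 0          # the "Forgot tokens from 0 message(s)" case
        self._apply(raw, label, -1)
        return 1


def prescan_headers(stream):
    # First pass: read header lines up to and including the blank line.
    for line in iter(stream.readline, b""):
        if line in (b"\r\n", b"\n"):
            break


def read_two_pass_stream(stream):
    prescan_headers(stream)   # consumes the header from the pipe ...
    return stream.read()      # ... so the second pass sees only the body


def read_buffered_stream(stream):
    data = stream.read()                  # drain the pipe once
    prescan_headers(io.BytesIO(data))     # scan a rewindable in-memory copy
    return data


def as_pipe(data):  # non-seekable stream, like stdin fed by another process
    r, w = os.pipe()
    with os.fdopen(w, "wb") as wf:
        wf.write(data)
    return os.fdopen(r, "rb")


def relearn_as_spam(reader):
    """Ham-learnt message is re-fed via `reader`, forgotten, learnt as spam."""
    store = ToyBayesStore()
    store.learn(SAMPLE, "ham")            # e.g. autolearn=ham on real spam
    with as_pipe(SAMPLE) as stream:
        seen = reader(stream)
    forgot = store.forget(seen)
    store.learn(seen, "spam")
    return forgot, dict(store.counts[b"pills"])


if __name__ == "__main__":
    print("two-pass on pipe:", relearn_as_spam(read_two_pass_stream))
    print("buffered first:  ", relearn_as_spam(read_buffered_stream))
```
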
Re: I'm thinking about suing Microsoft
On Monday 23 October 2006 20:34, Marc Perkel took the opportunity to say:

> I'm considering filing a lawsuit against Microsoft to try to get an order to make them make public security updates for Windows to everyone, registered or not.

I thought they did? At least the message from WU/WGA on one computer with Windows XP I used recently was that unauthorised installations only get critical updates, but they do get those. Is that going to change with Vista?

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: I'm thinking about suing Microsoft
On Monday 23 October 2006 21:58, Peter H. Lemieux took the opportunity to say:

> Magnus Holmgren wrote:
>
>> I thought they did? At least the message from WU/WGA on one computer with Windows XP I used recently was that unauthorised installations only get critical updates, but they do get those. Is that going to change with Vista?
>
> Yes. See, for instance, http://www.computerworld.com/blogs/node/3665 Vista machines that Windows Genuine Advantage believes to be pirated will operate with reduced functionality, including disabling the Windows Defender software that protects against malware.

But Windows Defender != patches for security holes? Still, bad move (security in depth etc.). We can only pray that, to the extent SPP works, people will either pay up or get rid of Vista, or Windows altogether.

> All that said, those of you who think a lawsuit is a good approach should start by reading the Windows EULA. Like most EULAs it exempts Microsoft from liability for just about anything its software does.

The EULA isn't binding to third parties, though. The question is whether Microsoft, by willfully denying some computers adequate protection, is liable of contributing to the crimes committed by others, or those installing unauthorised copies are fully responsible.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: ALL_TRUSTED creating a problem
On Thursday 19 October 2006 20:34, Jo Rhett took the opportunity to say:

> Mark wrote:
>
>> -Original Message-
>> From: Jo Rhett [mailto:[EMAIL PROTECTED]
>> Sent: donderdag 19 oktober 2006 9:56
>> To: Mark
>> Cc: users@spamassassin.apache.org
>> Subject: Re: ALL_TRUSTED creating a problem
>>
>>> Perhaps SA being focused on post-SMTP is the problem here. Why is this the focus? In the modern world, you want to reject during SMTP not send backscatter to the poor folks whose e-mail got forged. Frankly, a milter environment is the only possible right way to run SA. So why the constant comments as if this is some one-off weird config?
>>
>> I reckon the focus of SA on post-SMTP is due to the fact that it operates, by nature, post DATA phase.
>
> Huh? It operates when I ask it to. What are you trying to say here?
>
>> I agree that milters, or any other stuff done during the SMTP dialogue, are a preferable first line of defense. But since full SA checks need to be done post-DATA anyway, you lose much of the advantage of a milter (e.g. pre-DATA phase early-outs).
>
> Huh? I don't get you. What exactly about SA *requires* that it be done post-SMTP...?

Not strictly post-SMTP, but after the terminating \r\n.\r\n.

> And if that's true, why isn't there a major effort to overhaul it?
>
>> As for backscatter to the poor folks whose e-mail got forged, you're not supposed to do that anyway. And LDA using SA should either silently drop a message indicated as spam, or attach it with ***SPAM*** in the subject or some such. But never re-open a connection to who one thought was the sender, to tell them they sent you spam; that very act is spamming itself.
>
> No kidding. But silently dropping FP is a major problem too. You want FP to bounce back to the sender as normal. Therefore SMTP-time running is the only sensible solution.

I like to run SA at SMTP time too, but rejecting isn't always a good idea, e.g. when mail is forwarded from some other place, or in some cases when it comes from a mailing list, which might unsubscribe you if you're unlucky (if the server has crappy spam protection and the MLM doesn't probe before unsubscribing).

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: What's with UCEPROTECT List?
On Thursday 19 October 2006 06:39, Jo Rhett took the opportunity to say:

> Magnus Holmgren wrote:
>
>> OK, the attacker might have 100 zombies on different ISPs, with each ISP's smarthost helping amplify the attack a bit. But does that really count? The servers making the callouts aren't the ones which are amplifying.
>
> You really don't have to deal with spam at your day job, do you? 100? 100? What is this, 1991?

No, it's an example. I was only after the relative numbers.

> Modern trojan systems run in the multi-thousand PER ISP. Then there are roughly half a million open relays in China and Korea alone. Finding places to submit mail spam for you is trivial if all you have to do is get to RCPT TO, not get it delivered. So with your army of bot-machines and open relays, you start delivering all over the planet with a single forged envelope sender.

Of course. That wasn't the question. The question was whether servers doing callouts would help a deliberate attack against a particular network by providing amplification. (Marc Perkel wrote: If someone had the bandwidth to cause a denial of service through sender verification they could do it more easily by just attacking the target directly.) Spammers nonetheless might, and do, choose an adversary's address as sender and get the blowback against him as an extra bonus.

> Yes, it isn't a problem today. But if everyone turned on sender authentication, it would be. Instantly.

I can agree with that. If everyone turned on sender verification it would force spammers to use valid sender addresses, which they can easily do, making the verification useless. Unless everyone also uses means to force the spammers to use their own addresses.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: ALL_TRUSTED creating a problem
On Thursday 19 October 2006 09:55, Jo Rhett took the opportunity to say:

> Mark wrote:
>
>> We cannot really say SA's autodetection is broken, because SA is designed to be called post-SMTP. Nor that a milter is broken per se for not adding a Received: header, as that is the responsibility of the MTA itself. But a milter using SA *can* be said to be broken if it's not providing SA with the required post-SMTP view of things. Instead of patching SA, or trying to fix it even, any milter using SA should simply DTRT (Do The Right Thing): which is: add a pseudo Received: header before handing it over to SA.
>
> You'all are way behind the boat. We've already patched it to support the undocumented requirement. That's not an issue. Perhaps SA being focused on post-SMTP is the problem here. Why is this the focus? In the modern world, you want to reject during SMTP not send backscatter to the poor folks whose e-mail got forged. Frankly, a milter environment is the only possible right way to run SA. So why the constant comments as if this is some one-off weird config?

Exim, another MTA, adds a preliminary Received: line before processing the DATA ACL, which is usually where spamd is called from (this is to say that not all MTAs have problems calling SA during SMTP). This lets SpamAssassin handle varying setups in a general way, without having to pass the parameters of the last hop out-of-band (e.g. command-line arguments). Since obviously Sendmail/Postfix and the milter protocol are different, a milter that talks to SpamAssassin must do the part of adding that preliminary header.

Just to straighten things out, are you saying that auto-detection doesn't even work when there is a single

    Received: from remote.example.com ([w.x.y.z]) by my.domain.example with ESMTP id 1234-567-9

and my.domain.example resolves to a local interface address?

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
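
One way a filter sitting in the SMTP session could build the preliminary Received: line discussed in this message before handing the mail to the scanner, as an added Python sketch rather than code from any milter or from SpamAssassin. The function names and the exact header layout are assumptions modelled on the sample line in the message; the `with` keywords are the RFC 3848 transmission types, and client-supplied strings are reduced to plain tokens so that a hostile HELO cannot add header lines of its own.

```python
import ipaddress
import re
from email.utils import formatdate

# A host name, address literal or queue id we are willing to echo back.
_TOKEN = re.compile(r"\[?[A-Za-z0-9][A-Za-z0-9._:-]{0,253}\]?")


def clean_token(value, fallback="unknown"):
    """HELO and rDNS strings come from the client. Anything that is not a
    plain token (spaces, CR/LF, parentheses) is replaced by the fallback."""
    if isinstance(value, bytes):
        value = value.decode("ascii", "replace")
    return value if value and _TOKEN.fullmatch(value) else fallback


def with_keyword(esmtp=True, tls=False, authenticated=False):
    """RFC 3848 transmission type: SMTP, ESMTP, ESMTPS, ESMTPA or ESMTPSA."""
    if not esmtp:
        return "SMTP"
    return "ESMTP" + ("S" if tls else "") + ("A" if authenticated else "")


def build_received(client_ip, helo, rdns, my_hostname, queue_id,
                   tls=False, authenticated=False, when=None):
    """Return a folded Received: header describing the current connection."""
    ip = ipaddress.ip_address(client_ip)      # ValueError on a bogus address
    helo = clean_token(helo)
    peer = "[{}]".format(ip)
    if rdns:
        peer = "{} {}".format(clean_token(rdns), peer)
    return (
        "Received: from {helo} ({peer})\r\n"
        "\tby {me} with {proto} id {qid};\r\n"
        "\t{date}\r\n"
    ).format(
        helo=helo,
        peer=peer,
        me=clean_token(my_hostname, "localhost"),
        proto=with_keyword(tls=tls, authenticated=authenticated),
        qid=clean_token(queue_id, "NOQUEUE"),
        date=formatdate(when, localtime=False),
    )


def prepend_received(raw_message, **conn):
    """Put the synthetic header in front of the message as received so far."""
    header = build_received(**conn).encode("ascii")
    if b"\r\n" not in raw_message:            # message uses bare LF endings
        header = header.replace(b"\r\n", b"\n")
    return header + raw_message


if __name__ == "__main__":
    # Constructed sample message and connection data.
    sample = b"From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
    print(prepend_received(
        sample, client_ip="192.0.2.10", helo="remote.example.com", rdns=None,
        my_hostname="my.domain.example", queue_id="1234-567-9",
    ).decode("ascii"))
```
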
Re: What's with UCEPROTECT List?
On Tuesday 17 October 2006 19:33, Jo Rhett took the opportunity to say:

> Marc Perkel wrote:
>
>> Not really. If someone had the bandwidth to cause a denial of service through sender verification they could do it more easily by just attacking the target directly. No one is going to use sender verification as a DIS tool. It's too inefficient.
>
> [...] Send a bunch of spam with a single forged sender address to a lot of sites that do sender verification. Watch their mail server fall down. I can assure you that even with modern hardware, no e-mail MTA available today can handle 20mb/sec of e-mail connections. The best I have personally observed is commercial Sendmail handling 12mb/sec. (of connections with no data transfer is a LOT of connections)

But surely the amount of traffic generated by the verifying servers is less than or approximately equal to the amount of traffic generated by the attacker? At least if the servers are well configured, i.e. demand a good HELO and don't perform the callout until after the first RCPT. In that case the attacker could just as well attack the victim directly, whether he has a botnet at disposal or not (admittedly, I'm not taking into account the additional anonymity the extra hop gives).

The thing with e.g. the DNS-based DDoS attacks that became common a while ago is that there is a considerable bandwidth amplification; you send a small query packet with a forged sender address, asking for a response that is known to be many times larger, to a large number of recursing nameservers.

So if you *intend* to DDoS someone's network, there are surely more effective ways of doing it. On the other hand, if you're merely running your dirty spamming business using a borrowed sender address, callout-verifying servers can cause a DoS against the guy who lent his address, at no additional cost, especially if the callouts are done too early. (Then there is SPF...)

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: mails without headers
On Wednesday 18 October 2006 13:17, angel bosch took the opportunity to say:

> are all mails supposed to contain X-Spam* headers? I'm receiving spam marked as spam with these headers:
>
>     X-Spam: Not detected
>     X-Spam-Status: True ; 24.9 / 5.0

How do you *call* SpamAssassin, how have you configured the software that calls it and SA itself? By default, SA adds X-Spam-Checker-Version, X-Spam-Level, and X-Spam-Status headers to all mail, and X-Spam-Flag: YES to spam. Those lines seem to be added by some other software. It wouldn't surprise me if the first line was in the spam to begin with, as a lame attempt to bypass spam checking.

> but I also receive a lot of other mails without any X-Spam header. Is this by design? Must I enable something in the config to enable headers on all mails? Is it possible that the server can't handle too many mails and bypasses those that it can't process?

That is possible, yes. It can also be that the messages are too big (over 250 kB, usually). But again it depends on how SA is called.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: mails without headers
On Wednesday 18 October 2006 16:20, angel bosch took the opportunity to say:

>> How do you *call* SpamAssassin, how have you configured the software that calls it and SA itself? By default, SA adds X-Spam-Checker-Version, X-Spam-Level, and X-Spam-Status headers to all mail, and X-Spam-Flag: YES to spam. Those lines seem to be added by some other software. It wouldn't surprise me if the first line was in the spam to begin with, as a lame attempt to bypass spam checking.
>
> I'm using Java Enterprise System Messaging Server with internal configuration. It's similar to the master.cf configuration in postfix. Now that you confirm that every message should have headers, I must identify why not all messages are filtered.

Maybe they are, but JESMS doesn't add any headers if the score is low. The headers you presented are not in the standard format, so probably JESMS doesn't filter the mail through spamd, but instead just gives it to spamd, gets the score back and adds its own headers. Have you checked the log files (typically /var/log/mail.log)?

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: whitelist the sa list from learning?
On Wednesday 18 October 2006 16:50, Matt Kettler took the opportunity to say:

> RobertH wrote:
>
>> Please pardon my missing it recently. If someone wants to whitelist a subscribed email list (specifically this list) from being auto learned by SA what is the local.cf entry please? Hehehhe I notice with so much talk of spam, things get canned a lot. ;-)
>
> To quote an old post of mine: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200601.mbox/%3C [EMAIL PROTECTED] - If you can't do that then try these settings to disable bayes learning for this list:
>
>     bayes_ignore_to users@spamassassin.apache.org
>     bayes_ignore_to spamassassin-users@incubator.apache.org
>     bayes_ignore_from [EMAIL PROTECTED]

Too bad it not only turns off autolearning, but also bayes scoring. Or maybe it isn't that bad?

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: What's with UCEPROTECT List?
On Wednesday 18 October 2006 19:41, Jo Rhett took the opportunity to say:

> Magnus Holmgren wrote:
>
>> The thing with e.g. the DNS-based DDoS attacks that became common a while ago is that there is a considerable bandwidth amplification; you send a small query packet with a forged sender address, asking for a response that is known to be many times larger, to a large number of recursing nameservers.
>
> Bingo. Very small spam messages with many recipients can get magnified by the sending mail servers. This works with e-mail, unlike any other TCP-based attack.

How, without open relays? Each MAIL FROM (+RCPT TO, preferably) from the attacker should cause at most one callout to the victim. OK, the attacker might have 100 zombies on different ISPs, with each ISP's smarthost helping amplify the attack a bit. But does that really count? The servers making the callouts aren't the ones which are amplifying.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: False positive with FUZZY_PLEASE on this e-mail
On Monday 16 October 2006 12:36, Michael Monnerie took the opportunity to say:

> Hi, I've got a FP on this e-mail, it triggered FUZZY_PLEASE, but it's written in german, so there should be no PLEASE in it really. Maybe the rule could be enhanced? mfg zmi
>
> -- Forwarded message from [EMAIL PROTECTED]: --
> Subject: Das netbanking-Wertpapierservice ab 27.11.2006
> Date: Freitag, 13. Oktober 2006 15:21

It's triggering on "pierse". Apparently somebody thinks an r looks like an a (or, probably more correctly, found that many spammers make that substitution). Besides, why would anyone want to obfuscate the word please anyway? Except in certain phrases, maybe. Perhaps some general rules should be made specific to English mail?

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: ALL_TRUSTED creating a problem
On Monday 16 October 2006 13:32, Suhas (QualiSpace) took the opportunity to say:

> Most of the spam emails are getting through due to ALL_TRUSTED. If ALL_TRUSTED (is reducing the score) was not there then they might have been caught by SA. What can be the solution on this; I haven't declared any trusted networks yet and am using the default setting. I am using SA 3.0.1.

A list search for ALL_TRUSTED would have given you tons of hits. You could also have gone to the FAQ page and from there to the FixingErrors wiki page, where you'd find a reference to ALL_TRUSTED. So see http://wiki.apache.org/spamassassin/FixingAllTrusted and http://wiki.apache.org/spamassassin/TrustPath.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Does re-learning really work?
I'm worried. Whenever I feed a message with autolearn=spam or autolearn=ham to sa-learn --forget, I get "Forgot tokens from 0 message(s) (1 message(s) examined)" back. That's bad, because it means that the net effect of re-learning a spam incorrectly learnt as ham is one spam occurrence and one ham occurrence of each token, instead of just one spam occurrence.

Indeed, when I did spamassassin -D bayes testmessage the debug output reported learning from a different @sa_generated message ID than sa-learn -D bayes --forget said it was trying to forget (but didn't find). AFAICT from reading the source, get_msg() in Mail::SpamAssassin::Bayes is used in both cases. So why does it make up different IDs?

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Does re-learning really work?
On Sunday 15 October 2006 16:55, Magnus Holmgren took the opportunity to say:

> Indeed, when I did spamassassin -D bayes testmessage the debug output reported learning from a different @sa_generated message ID than sa-learn -D bayes --forget said it was trying to forget (but didn't find). AFAICT from reading the source, get_msg() in Mail::SpamAssassin::Bayes is used in both cases. So why does it make up different IDs?

Apparently, when sa-learn reads a message from stdin, for some reason the entire header, and possibly even the empty line separating it from the body, disappears. Or at least $msg->get_header("Date") and $msg->get_header("Received") in get_msgid() in Bayes.pm return undef or ''. When I give sa-learn a filename it works. Also, learning via the TELL spamd method works, as does spamassassin -r with filename as well as stdin.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Does re-learning really work?
On Sunday 15 October 2006 21:38, jdow took the opportunity to say:

> From: Magnus Holmgren [EMAIL PROTECTED]
>
>> On Sunday 15 October 2006 16:55, Magnus Holmgren took the opportunity to say:
>>
>>> Indeed, when I did spamassassin -D bayes testmessage the debug output reported learning from a different @sa_generated message ID than sa-learn -D bayes --forget said it was trying to forget (but didn't find). AFAICT from reading the source, get_msg() in Mail::SpamAssassin::Bayes is used in both cases. So why does it make up different IDs?
>>
>> Apparently, when sa-learn reads a message from stdin, for some reason the entire header, and possibly even the empty line separating it from the body, disappears. Or at least $msg->get_header("Date") and $msg->get_header("Received") in get_msgid() in Bayes.pm return undef or ''. When I give sa-learn a filename it works. Also, learning via the TELL spamd method works, as does spamassassin -r with filename as well as stdin.
>
> jdow: First, if you have fed a message through SpamAssassin and it has encapsulated the spam as an attachment the resultant message will have a different message id.

I will do no such thing. I want my mail intact.

> I am not sure which message ID gets reported at the place you are looking. (It appears you are messing with the source. That's not a good idea until you are sure what the program is doing. But I'm sure you know that already.)

The only thing I've done to the source is add a debug printout.

> You do not give adequate information about how you are running salearn

testmessage is of course a single plain message. What I'm saying is that

    $ sa-learn --spam testmessage

and

    $ sa-learn --spam < testmessage

give different results. I forgot to mention the version, 3.1.4 (Debian Etch). 3.0.3 (Debian Sarge) doesn't exhibit this behaviour, but there seems to be some other fishiness going on. I'll investigate further.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Are others getting triple copies of all posts to [EMAIL PROTECTED]
On Monday 09 October 2006 10:28, John Andersen took the opportunity to say:

> On Sunday 08 October 2006 23:48, Clifton Royston wrote:
>
>> I am, just wondering if others are having the same problem. -- Clifton
>
> Yes. I got Triples of two of your posts in the thread titled Re: First Received Header only and three of Christopher Martin's Careful with that regex!

Ha! I got *six* copies of one mail, and four of another.

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: spf: no suitable relay for spf use found
On Friday 06 October 2006 11:47, Tomasz Chmielewski took the opportunity to say:

> When I test spamassassin setup by running spamassassin -D --lint, I get these complaints about spf:
>
>     [6100] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
>     [6100] dbg: spf: no suitable relay for spf use found, skipping SPF check
>     [6100] dbg: spf: cannot get Envelope-From, cannot use SPF
>     [6100] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
>     [6100] dbg: spf: spf_whitelist_from: could not find useable envelope sender
>
> Is it because I didn't feed spamassassin with an email containing headers, or is something broken with my setup?

SA didn't find a jump from an external host to an internal one. Have you set up trusted_networks and/or internal_networks correctly?

-- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: spf: no suitable relay for spf use found
On Saturday 07 October 2006 22:36, Tomasz Chmielewski took the opportunity to say:
> Magnus Holmgren wrote:
> > On Friday 06 October 2006 11:47, Tomasz Chmielewski took the opportunity to say:
> > > When I test spamassassin setup by running spamassassin -D --lint, I get these complaints about spf:
> > >
> > > [6100] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
> > > [6100] dbg: spf: no suitable relay for spf use found, skipping SPF check
> > > [6100] dbg: spf: cannot get Envelope-From, cannot use SPF
> > > [6100] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
> > > [6100] dbg: spf: spf_whitelist_from: could not find useable envelope sender
> > >
> > > Is it because I didn't feed spamassassin with an email containing headers, or is something broken with my setup?
> >
> > SA didn't find a jump from an external host to an internal one.
>
> What does that mean?
>
> > Have you set up trusted_networks and/or internal_networks correctly?
>
> I believe I did. Anyway, why should SA care about trusted_networks and/or internal_networks if I start spamassassin -D --lint from bash prompt locally?

Oh, I didn't read or think properly. I think it's perfectly normal for SA not to find any suitable relay in that case.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: RCVD_IN_WHOIS_INVALID
On Saturday 23 September 2006 22:50, Kenneth Porter took the opportunity to say:
> 2.2 RCVD_IN_WHOIS_INVALID RBL: CompleteWhois: sender on invalid IP block [65.119.30.206 listed in combined-HIB.dnsiplists.completewhois.com]
>
> I just got an order confirmation from Newegg and it got a big score boost of 2.2 from this rule. What does this rule mean? I ran the address through the whois form at http://arin.net/ and it's listed in Quest's block. Is this complaining that there's no more detailed information for the exact address?

See http://cwhois0.completewhois.com/cgi-bin/dbcheck-invalidipwhois.cgi?IP=65.119.30.206

Apparently the listing, which was imported from rfc-ignorant.org two years ago, is obsolete.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: checking local domains against spam
On Wednesday 20 September 2006 12:45, Artur Kuśmierek took the opportunity to say:
> How can I force spamassassin to check e-mails from local domains to local recipients against spam? Now all local messages are delivered without even any spamassassin stamp in headers.

It depends entirely on your MTA/MDA setup. SpamAssassin scans everything that gets thrown on it. You have to tell us more or go ask the appropriate mailing list.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: OS X Server spam still getting through :-(
On Saturday 02 September 2006 12:31, mikemacfr took the opportunity to say:
> I'm completely new to this list and am not a UNIX person. I have SpamAssassin 3.1.4 installed on our mail server together with Squirrel and Amavis-new. Spam is still getting through at an unacceptable rate and I haven't got a clue how to fault-find what's going wrong?

Have you checked out http://wiki.apache.org/spamassassin/UsingSpamAssassin (Spam getting through?)? If you need more help you can attach one or two spam mails for us to analyze.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Strange SPF problem/wrong result
On Friday 01 September 2006 16:14, Ramprasad took the opportunity to say:
> This is no real forwarding, but all mail for us gets received by that server first, and this server passes it to us. This is a common structure for a bigger mail setup.
>
> The trusted_networks option solved my problems, but it should definitely be included in the wiki somewhere.
>
> Maybe we should add a note about trusted_networks being important for SPF in the install manual where SPF installation is explained
>
> snip
>
> If 134.96.254.200 is accepting mails for you then you must do all SPF checks on that host. SPF checks don't work unless you do the checks on the receiving host.

SPF checks work (since the information needed is included in a Received: line that can be trusted), but you can't reject mail at SMTP time based on the result.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Strange SPF problem/wrong result
On Friday 01 September 2006 13:41, decoder took the opportunity to say:
> So adding the line
>
> trusted_networks 134.96.254.200
>
> to local.cf will fix this problem and this mail would be recognized correctly (as in pass SPF) ?

If 134.96.254.200 is the MX for your domain, then it should even be in internal_networks (which default to trusted_networks, however).

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
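An added example, not part of any post above and not SpamAssassin's own code: a simplified Python model of how the relay used for SPF is picked from the Received: chain, covering both this thread and the "no suitable relay" messages further up. Only 134.96.254.200 comes from the thread; the host names, the other addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample Received: headers, newest first. 134.96.254.200 is the
# front-end MX named in the thread; every other host and address is made up.
SAMPLE_RECEIVED = [
    "from mx.example.edu (mx.example.edu [134.96.254.200]) "
    "by inner.example.edu with ESMTP",
    "from mail.sender.example (mail.sender.example [192.0.2.25]) "
    "by mx.example.edu with ESMTP",
    "from workstation (unknown [198.51.100.7]) "
    "by mail.sender.example with ESMTP",
]

CLIENT_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def client_ips(received_headers):
    """Connecting-client IP of each hop, newest first; unparsable hops are skipped."""
    ips = []
    for header in received_headers:
        match = CLIENT_IP.search(header)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def spf_relay(received_headers, internal_networks):
    """Simplified model (assumption, not SpamAssassin's code): walk the hops
    from newest to oldest and return the first client that is not one of our
    own hosts. That is the host that handed the mail to our border, so its IP
    is the one to evaluate SPF against. None means no external-to-internal
    jump exists, e.g. a message with no Received: headers."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    for ip in client_ips(received_headers):
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    # MX not declared: SPF would be evaluated against our own front end.
    print(spf_relay(SAMPLE_RECEIVED, []))
    # MX declared internal: the real sending host is used.
    print(spf_relay(SAMPLE_RECEIVED, ["134.96.254.200"]))
    # No headers at all, as with a locally run --lint: no relay found.
    print(spf_relay([], ["134.96.254.200"]))
```

With the MX left out of the internal list, the model selects the MX itself, which is the wrong-result case from this thread; the empty-header case corresponds to the debug message seen when running --lint.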
Re: File mode set incorrectly
On Thursday 31 August 2006 05:33, Albert Poon took the opportunity to say:
> My box is FreeBSD 6.1-I386 and my SA is installed from ports. (MIMEDefang + SA + ClamAV) The combination is running as mailnull and I have changed the owner of the related directories accordingly.
>
> My problem is, both auto_whitelist_file_mode and bayes_file_mode cannot be set correctly, and they have different problem:
>
> For bayes_file_mode, I set to 0777, but the output is only 0666. If I set to 0700, it turns out to be 0600.

That's by design. The mode is used as is (e.g. 0700) for any directories that need to be created, but for the files the x bits are masked off. Why would you want the databases to be executable?

> For auto_whitelist_file_mode, no matter what I set, it only becomes 0640.

The same should be true for this one.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: File mode set incorrectly
On Thursday 31 August 2006 14:30, Albert Poon took the opportunity to say:
> If so what's the point of these options?

You might want to set group or others permissions differently depending on how you run SpamAssassin (per-user or global) and whether users have their own primary group or belong to a common group. There are many reasons, but there is no point in setting the executable bit of data files.

> Are you meaning it's the design of the ports collection or SA itself?

It has nothing to do with Ports; you can read about the options in the SA man pages (Mail::SpamAssassin::Conf(3pm) and Mail::SpamAssassin::Plugin::AWL(3pm)).

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
BAYES_99_99 and such
The highest and lowest bayes rules are BAYES_99 (spam probability 99%) and BAYES_00 (spam probability 1%), but often the confidence is as high as 0. or 1. (rounded). 0.999 instead of 0.99 means (in theory at least) that the FP chance decreases by a factor of 10. Conversely at the other end.

This has been mentioned before on this list and I have added such rules locally. Question: Wouldn't it be wise to add them to the standard distribution as well?

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Stupid phisher
On Monday 28 August 2006 01:00, Chris took the opportunity to say:
> This is a pretty good fake site except he left a little something from Mother Russia at the bottom.
>
> http://signin-ebay-co-uk-ebay.land.ru/ws.eBayISAPI.dll.SignIn.pUserId.co.pa rtnerid.siteid.pageType.pa1.i1.html

Speaking about phishers, has anyone thought about spamming them with phony personal data? It's probably not very effective with things that can automatically and instantly be verified, such as eBay credentials, but perhaps more effective with credit card numbers?

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Stupid phisher
On Tuesday 29 August 2006 17:43, Gino Cerullo took the opportunity to say:
> On 29-Aug-06, at 7:49 AM, Magnus Holmgren wrote:
> > On Monday 28 August 2006 01:00, Chris took the opportunity to say:
> > > This is a pretty good fake site except he left a little something from Mother Russia at the bottom.
> > >
> > > http://signin-ebay-co-uk-ebay.land.ru/ ws.eBayISAPI.dll.SignIn.pUserId.co.pa rtnerid.siteid.pageType.pa1.i1.html
> >
> > Speaking about phishers, has anyone thought about spamming them with phony personal data? It's probably not very effective with things that can automatically and instantly be verified, such as eBay credentials, but perhaps more effective with credit card numbers?
>
> If you noticed, [...]

No, I was talking about phishers and phishing in general.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)