Re: Time to blacklist google.
Michael Scheidell wrote:
> Ok, google/gmail emails back says 'this didn't come from us because people are forging our domain'. Reverse DNS shows it's google, DKIM sig says it's google. Time to blacklist google.

I read an article the other day about how the bad people have cracked gmail's captcha system and are automatically creating gmail accounts with a success rate of 1 in 5.

http://www.virusbtn.com/news/2008/02_26.xml

--
Mark Johnson
http://www.astroshapes.com/information-technology/blog
Re: [OT] Bogus MX opinions
Marc Perkel wrote:
> I'm using Exim and I have it listening on several IP addresses. If you aren't using Exim then you'll have to get someone to help you.
>
>   defer condition = ${if match{$interface_address}{69.50.231.160}}
>
> You could just point it to a dead IP address which is the simple way to do it.

I'll try it this way. I'd like to be able to log the connection attempts to see what's going on. It sounds like you run a number of servers. What are you doing to combine your logging information?

Thanks for the advice!

--
Mark Johnson
http://www.astroshapes.com/information-technology/blog
Re: [OT] Bogus MX opinions
Marc Perkel wrote:
> Because there is occasionally some server doing something very weird you might have to open up port 25 on some specific IP who is running something really dumb. I think I've had to do this only once or twice. But once you open up port 25 to the problem user you've solved the problem. For the most part if you do an MX sandwich as above you'll get rid of 80% of your spam and not lose good email. If you are fearful of going all the way then just do the higher numbered MX and leave the bottom as is.

This has been interesting and I want to give this a try. What's the easiest way to give out a 421 on a bogus MX and log the attempt? Build a separate server? Use an existing server and run a service on another port? I've got extra IPs but don't want to over complicate the process.

--
Mark Johnson
http://www.astroshapes.com/information-technology/blog/
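The 421 decoy Marc describes, written out as an added Python example (not code from anyone on the thread): a stand-alone listener for the address that only the bogus MX records point at, so the real MTA on the other IPs is untouched and no Exim ACL is needed. It greets every connection with a 421 and logs the peer. As one check beyond what the thread describes, it waits a moment before greeting and records whether the client spoke first: an RFC 5321 client waits for the banner, and spam bots that blast commands immediately show up as early talkers in the log. The hostname, bind address and port are placeholders.

```python
#!/usr/bin/env python3
"""Decoy MX: answer every connection with 421, log who connected, accept no mail.

Added example for the "bogus MX" discussion; hostname, bind address and port
are placeholders. Point the decoy MX record(s) at an IP that only this binds.
"""
import logging
import socket
import socketserver
from datetime import datetime, timezone

DECOY_HOSTNAME = "mx-decoy.example.net"   # placeholder, use your own name
DECOY_BIND = ("0.0.0.0", 2525)            # placeholder, normally the decoy IP and port 25
EARLY_TALKER_WAIT = 2.0                   # seconds of silence before we greet

log = logging.getLogger("decoy_mx")


def banner_421(hostname: str) -> bytes:
    """RFC 5321 greeting that refuses service; a real MTA moves on to a better MX."""
    return f"421 {hostname} Service not available, closing transmission channel\r\n".encode("ascii")


def handle_connection(conn: socket.socket, peer: str, hostname: str = DECOY_HOSTNAME,
                      early_wait: float = EARLY_TALKER_WAIT) -> dict:
    """Service one client and return a record describing the attempt.

    Conforming MTAs stay silent until they receive the greeting, so any bytes
    that arrive during `early_wait` mark the client as an early talker (the
    same idea as Postfix postscreen's pregreet test). Then send 421 and close.
    """
    record = {"peer": peer, "ts": datetime.now(timezone.utc).isoformat(),
              "early_talker": False, "first_line": ""}
    conn.settimeout(early_wait)
    try:
        data = conn.recv(512)
        if data:
            record["early_talker"] = True
            record["first_line"] = data.split(b"\r\n", 1)[0].decode("ascii", "replace")[:80]
    except socket.timeout:
        pass                      # silence before the banner: behaved like a real MTA
    except OSError:
        pass                      # peer vanished; still log the attempt
    try:
        conn.sendall(banner_421(hostname))
    except OSError:
        pass
    finally:
        conn.close()
    return record


def format_log(record: dict) -> str:
    """One line per attempt, easy to grep or ship to a central log host."""
    flag = "EARLY" if record["early_talker"] else "quiet"
    return f'{record["ts"]} decoy-mx peer={record["peer"]} {flag} first_line={record["first_line"]!r}'


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        peer = f"{self.client_address[0]}:{self.client_address[1]}"
        log.info(format_log(handle_connection(self.request, peer)))


class DecoyServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    with DecoyServer(DECOY_BIND, DecoyHandler) as srv:
        srv.serve_forever()
```

Run it as an unprivileged user on the decoy address (redirect port 25 to the high port with your firewall if you do not want it running as root), and feed its log lines into whatever central logging the rest of the servers use; the `peer=` and `EARLY` fields are what you would pivot on.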
Re: Bayes and celebrity spam
Theo Van Dinter wrote:
> On Tue, Jan 29, 2008 at 07:51:03PM -0500, Robert Fitzpatrick wrote:
>> I have some users getting slammed with this spam. Before I start trying to figure out how to intercept, can someone test this message and tell me if you're getting a score above 5.0?
>>
>> http://esmtp.webtent.net/test.txt
>>
>> 2.5 MISSING_HB_SEP Missing blank line between message header and body
>
> This appears to be a badly pasted email. For example, the topmost Received header (and then a lot of the rest of the headers) is malformed. Hitting MISSING_HB_SEP w/ real mails is possible, but very uncommon. If you see it hitting somewhere, you're more likely to have a misconfiguration in your setup than a valid hit.

I put extreme scores against emails from TW as we don't do business with anyone from there. If it wasn't for that, this would have made it through my system as well. I am really surprised bayes scored a 0 as it did for the original poster. I do serious bayes training on a regular basis. I see a lot of others are getting bayes scores of 80.

Content analysis details:   (5.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.9 SUBJ_HAS_SPACES        Subject contains lots of white space
 0.2 SUBJECT_NOVOWEL        Subject: has long non-vowel letter sequence
 7.0 RELAYCOUNTRY_TW        Relayed through TW
 0.2 SUBJ_HAS_UNIQ_ID       Subject contains a unique ID
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 0.0 HTML_MESSAGE           BODY: HTML included in message

--
Mark Johnson
http://www.astroshapes.com/information-technology/blog/
Re: Feeding SA-learn
John Thompson wrote:
> No. I use Thunderbird and just set the Junk filter controls to expire junk messages after a couple weeks.

Interesting idea! Thanks for the tips! You have no idea how much time and how many steps this is going to save me.

--
Mark Johnson
http://www.astroshapes.com/information-technology/blog
Re: Feeding SA-learn
>>> Depends on the client. For instance, Thunderbird stores its folders in mbox format, so sa-learn can work against those files as-is. Other email clients can save emails in text format complete with headers.
>>
>> I use Thunderbird. There are two files for that folder: Junk.msf (7k) and Junk (53.172k). The msf file must be some kind of index. I just feed the biggest one to sa-learn?
>
> Yes, the .msf file is an index file. I just copy the mbox file (Junk in your case) to the server and run the following command specifying the filename (as shown):
>
>   /usr/local/bin/spamassassin --report --mbox Junk

I use Thunderbird as my mail client but have found that I needed to use Evolution to save the messages in mbox format, which was always a hassle. My emails are stored on an IMAP server and what you suggested wasn't working for me. I had the .msf file, but no corresponding mbox file. Because the emails are kept on the IMAP server and are not local, I had to enable "Select this folder for offline use" on the Offline tab of the folder properties. I then had the mbox file that I could copy off.

--
Mark Johnson
http://www.astroshapes.com/information-technology/blog/
Re: Feeding SA-learn
John Thompson wrote:
> Isn't that what cron is for? :-) I have a cron job on my imap server to regularly feed ham and spam through sa-learn.

Do you delete the messages from the IMAP folder after you learn them? If so, how do you go about that? I'm pretty sure if I deleted the mail files from the command line, I have to run a reconstruct on the mailbox or the folder throws errors on the client. This is on a Cyrus IMAP server.

Thanks!

--
Mark Johnson
http://www.astroshapes.com/information-technology/blog/
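John's cron approach together with the delete step Mark asks about, as an added Python example that is not code from anyone on the thread. Instead of copying a Thunderbird mbox around, the job talks to the IMAP server directly: it fetches each message in the Junk folder by UID, pipes it to `sa-learn --spam --single`, and then removes only the messages that were actually learned through IMAP itself (STORE \Deleted followed by EXPUNGE). Because the deletion goes through Cyrus rather than around it, the server keeps its own index current and no reconstruct is needed. The host, account, password file and folder name are placeholders; the routine takes any object with the imaplib interface so it can be exercised against a fake server.

```python
#!/usr/bin/env python3
"""Cron job: learn an IMAP Junk folder as spam, then delete the learned mail via IMAP.

Added example for the "Feeding SA-learn" thread. Host, account, password file
and folder name are placeholders; sa-learn's path may differ on your system.
"""
import imaplib
import subprocess
from typing import Callable, List

IMAP_HOST = "imap.example.net"          # placeholder
IMAP_USER = "spamtrap"                  # placeholder account that owns the Junk folder
IMAP_PASS_FILE = "/etc/sa-learn.pass"   # placeholder, keep it mode 0600
JUNK_FOLDER = "Junk"
SA_LEARN = "/usr/bin/sa-learn"          # adjust to your install


def sa_learn_spam(raw: bytes, sa_learn: str = SA_LEARN) -> bool:
    """Pipe one complete message (headers and body) to sa-learn; True on success."""
    proc = subprocess.run([sa_learn, "--spam", "--single"], input=raw,
                          capture_output=True, check=False)
    return proc.returncode == 0


def parse_uid_list(search_data: list) -> List[str]:
    """UID SEARCH answers [b'4 9 17'], or [b''] for an empty folder."""
    if not search_data or not search_data[0]:
        return []
    return search_data[0].decode("ascii").split()


def fetched_body(fetch_data: list) -> bytes:
    """Extract the raw message from an imaplib FETCH result.

    imaplib returns e.g. [(b'1 (UID 9 BODY[] {1234}', b'<raw message>'), b')'];
    the message literal is the second element of the first tuple.
    """
    for item in fetch_data:
        if isinstance(item, tuple) and len(item) >= 2 and isinstance(item[1], bytes):
            return item[1]
    raise ValueError("no message literal in FETCH response")


def learn_and_purge(imap, folder: str, learner: Callable[[bytes], bool]) -> dict:
    """Learn every message in `folder`; delete only the ones sa-learn accepted.

    `imap` is anything with the imaplib.IMAP4 methods select/uid/expunge.
    UIDs are used throughout because sequence numbers shift as messages go.
    Deleting with STORE \\Deleted + EXPUNGE lets Cyrus maintain its own
    index, unlike unlinking files in the spool, which forces a reconstruct.
    """
    typ, _ = imap.select(folder)
    if typ != "OK":
        raise RuntimeError(f"cannot select {folder!r}")
    typ, data = imap.uid("SEARCH", "ALL")
    if typ != "OK":
        raise RuntimeError("UID SEARCH failed")
    stats = {"seen": 0, "learned": 0, "deleted": 0, "failed": []}
    for uid in parse_uid_list(data):
        stats["seen"] += 1
        typ, fdata = imap.uid("FETCH", uid, "(BODY.PEEK[])")   # PEEK: do not set \Seen
        if typ != "OK":
            stats["failed"].append(uid)
            continue
        if learner(fetched_body(fdata)):
            stats["learned"] += 1
            imap.uid("STORE", uid, "+FLAGS", r"(\Deleted)")
            stats["deleted"] += 1
        else:
            stats["failed"].append(uid)   # leave it in place for the next run or a human
    if stats["deleted"]:
        imap.expunge()
    return stats


if __name__ == "__main__":
    with open(IMAP_PASS_FILE) as fh:
        password = fh.read().strip()
    conn = imaplib.IMAP4_SSL(IMAP_HOST)
    try:
        conn.login(IMAP_USER, password)
        print(learn_and_purge(conn, JUNK_FOLDER, sa_learn_spam))
    finally:
        conn.logout()
```

Run it from cron as the user whose Bayes database you want trained (sa-learn writes to that user's database), and run a second copy against a ham folder with `--ham` if you also want hand-sorted ham learned. A message that sa-learn rejects stays in the folder, so a broken message never disappears silently.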
Re: Spamassassin not being called.
Nick Gilbert wrote:
> Hi,
>
> I have a problem whereby spamassassin isn't always processing messages. It is being called by SimScan. I can see from the headers that SimScan IS being called but it doesn't ALWAYS seem to be able to process the messages with SpamAssassin - resulting in 300+ SPAM messages a day going into my inbox.
>
> Running spamassassin -D -t spam.txt works fine but I have just noticed that if I call spamc spam.txt, most of the time it takes AGES to complete - and even when it does, the messages are often missing the spamassassin headers implying they haven't been processed.
>
> The box was previously reliable but I have recently upgraded from 3.0.3 to 3.1.6 and the problems seem to have started at this time (but I did change a few other things too such as rules).
>
> Any ideas anybody?
>
> Nick...

I am noticing this from time to time also using Mimedefang, but haven't figured out how to determine the cause. I get the Mimedefang headers, but no scores from SA.

Mark
Re: Psst!
Chris Santerre wrote:
> Just curious, but how many people see spam being sent to usernames with the first letter dropped? I see a ton in my logs. I believe spammers figure [EMAIL PROTECTED] will also have a [EMAIL PROTECTED] Too bad for them...they do not. :)

I am noticing a lot of this. Another thing I'm noticing and am getting a little nervous about is the amount of spam coming in that's basically directed towards us. It's physically coming from other countries, but the from addresses and reply-to addresses are from customers/suppliers/vendors of ours. It's like someone is gathering addresses that they KNOW will be in a whitelist table. Any idea how they could be coordinating something like this? There's too many to be a coincidence...

Mark