Re: Spam volumes down since last week
On Tue, 24 Jun 2008 12:10:53 +0530, ram wrote:

> I am seeing a clear downtrend in the number of spams hitting our servers, I am not sure why. Since last week spams are at 50% of what they used to be last month. Is this what you all are seeing?

not really. It varies between 60 to 89 %, but without any rule.

Thanks and all the best

Matthias
Re: Spam Assassin
On Fri, 16 May 2008 11:18:04 -0400, Michelle Acosta wrote:

> Does the Spam Assassin work on Macs?

sure it does.

http://wiki.apache.org/spamassassin/SpamAssassin_on_Mac_OS_X_Server
http://osx.topicdesk.com/content/category/4/18/41/

Thanks and all the best

Matthias
User Folder problem with sa_learn
Hello all,

for some time now I have had a little problem with the spam learning method, which is used in a script on my box. The script runs as user _amavisd, but it always tries to access the root folder. This of course produces an error:

    config: path /var/root/.spamassassin is inaccessible: Permission denied
    config: path /var/root/.spamassassin/user_prefs is inaccessible: Permission denied

the error appears here:

    sudo -u $spamav_user sa-learn --dbpath /var/amavis/.spamassassin --sync /dev/null

as well as here:

    sudo -u $spamav_user -H sa-learn --dbpath /var/amavis/.spamassassin --dump magic

and here:

    sudo -u $spamav_user sa-learn --dbpath /var/amavis/.spamassassin --sync /dev/null

the database gets trained, but it looks like sa_learn can't access the user prefs. What could possibly twist the path variable here? It must be something specific to my installation, because it works fine on other boxes with the same OS (Mac OS 10.5).

Thanks and all the best

Matthias
Re: sa-learn user problem
On Fri, 29 Feb 2008 15:23:28 -0300, Diego Pomatta wrote:

> Matthias Schmidt wrote:
>> Hello,
>>
>> my mac os x leopard (10.5.2 with updated amavis-new and spamassassin) runs a script, which calls sa-learn with sudo and user _amavis. In the config files for amavis and clamAV the user is set to _amavis. Now sa-learn always tries to open /var/root/.spamassassin/user_prefs, which of course fails. Where or how can I correct this problem?
>>
>> Thanks and all the best
>> Matthias
>
> I had a similar problem and Luis Otegui suggested I used
>
>     # su user -c 'command'
>
> ...and it worked. Try it.

thanks, I did that and the errors are gone, but now it looks like something is wrong. The statistics are showing nothing anymore.

Thanks and all the best

Matthias
sa-learn user problem
Hello,

my mac os x leopard (10.5.2 with updated amavis-new and spamassassin) runs a script, which calls sa-learn with sudo and user _amavis. In the config files for amavis and clamAV the user is set to _amavis. Now sa-learn always tries to open /var/root/.spamassassin/user_prefs, which of course fails. Where or how can I correct this problem?

Thanks and all the best

Matthias
Re: [WRONG PLACE TO ASK THIS] WHM/Cpanel: Where are the Server-wide SpamAssassin settings?
On Tue, 19 Feb 2008 16:49:34 -0800, Evan Platt wrote:

> At 06:39 AM 2/19/2008, Rubin Bennett wrote:
>> If you want to post to this list, please subscribe like a regular user, and do your research first before you post. Nabble, in a word, sucks. It fences your posts as being from a subscribed address when in fact it's not, and Nabble is not a forum at all, but an interface to a mailing list with thousands of users, none of whom are here to answer questions that are completely irrelevant to the actual content of the mailing list.
>
> I agree. Nabble is like Google Groups. Contact them, tell them they don't have permission to archive your posts. I've done that. If enough people do

you can do that by yourself by adding an additional header to your mails sent.

    X-No-Archive: yes

but btw this ranting was neither helpful nor useful.

Thanks and all the best

Matthias
Re: Plagued by spamassassin
On Fri, 4 Jan 2008 20:46:04 -0600, Cedartech Administrator wrote:

> I have asked before but have been unable to get a usable solution. I am running qmail, spamassassin, clamav, etc from the qmr package on one of our FBSD 6.2 servers. If you email via squirrelmail, your outbound email does not get labeled spam. If you send out via a client with smtp, it labels 95% of it as spam...so when you email someone, they get it with :SPAM: in the subject. These days with the spammers and the amount of users I can not kill off spamassassin all together. I really do not want to have to pay for a subscription to postini either. Can someone help me stop spamassassin from scanning my users smtp sessions and only scan mail coming in?

I don't know about FBSD, but in OS X you need to set up amavisd.conf properly. I use this approach:

    @local_domains_acl = (.$mydomain, otherdomains local)

and

    @local_domains_maps = (1);

Thanks and all the best

Matthias
Re: DDOS, Dictionary Attack... not sure what it is...
Happy New Year everyone :-)

On Tue, 1 Jan 2008 04:20:42 +0100, mouss wrote:

> John D. Hardin wrote:
>> On Mon, 31 Dec 2007, Mike Cisar wrote:
>>> Even tried yanking the IP address off of the server over the holidays in the hope that whatever it was would just give up. No such luck, within a minute of reactivating the IP to the server this morning the traffic was back to full flow.
>>
>> Tarpit 'em.
>>
>> http://sourceforge.net/projects/labrea
>
> Tarpitting may not be the right answer, because they have a lot more resources than us (greetpause seems to work, if you use an asynchronous server or proxy, i.e. one which can do other things while sleeping).
>
> you can reduce the load by having your server drop the connection when it rejects the mail, using 421 code. depending on the server, it may be possible to do this at connection time using zen.spamhaus.org (which lists many zombies). It may also be good to reduce the timeout when the server is under attack.

but could this not also cause losing legitimate email?

my server was also under attack 2 or 3 months ago. I tried the same thing as the op (listing ips in the fw etc), but these things didn't help at all. Most of the mails (90%) were already dropped, because the ip didn't resolve (cannot find your hostname), the next 9.9% were caught by blacklists and only a very little number was rejected, because of unknown user name. One possibility might be to do the ip-check already through a hardware firewall. But one actually can't do anything against the traffic coming to one's indoor.

best wishes to everybody (not to the spamsenders of course ;-) for 2008

Matthias
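The connection-time check suggested in the quoted text above (421 plus a zen.spamhaus.org lookup, shorter timeout under load), as an added example that is not code from this thread or from any mail server. Because 421 is a temporary failure, a legitimate sender that is listed by mistake queues and retries; the hostname, timeout values and resolver data are assumptions, and the IPv6 branch goes beyond what the thread discusses.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

def dnsbl_query_name(client_ip, zone=ZONE):
    """Build the DNSBL name: reversed octets (IPv4) or nibbles (IPv6) + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(answers):
    """Only 127.0.0.x answers are listings. 127.255.255.x answers are
    Spamhaus error codes (for example a blocked resolver), not hits."""
    return any(a.startswith("127.0.0.") for a in answers)

def greeting_for(client_ip, resolver=system_resolver, under_attack=False):
    """Decide the first SMTP reply for a new connection.

    Returns (reply_line, close_connection, idle_timeout_seconds).
    A listed client gets 421 and is disconnected before any mail
    transaction starts, so no further session resources are spent.
    """
    timeout = 30 if under_attack else 300   # assumed values, tune per site
    if is_listed(resolver(dnsbl_query_name(client_ip))):
        return ("421 mail.example.test Service not available, "
                "closing transmission channel", True, 0)
    return ("220 mail.example.test ESMTP", False, timeout)

# Constructed resolver data (documentation IP ranges) so this runs offline.
SAMPLE_ZONE = {
    "10.113.0.203.zen.spamhaus.org": ["127.0.0.4"],        # listed
    "20.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error code
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "198.51.100.7"):
        print(ip, greeting_for(ip, sample_resolver, under_attack=True))
```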
Re: OT: The Funny Side of Spam
On Wed, 3 Oct 2007 15:51:21 +0100, Michele Neylon :: Blacknight wrote:

> http://digg.com/tech_news/The_Black_Knight_and_the_Monster

that's a good one :-)

there're also some other good news, some botnet guy got arrested.

Thanks and all the best

Matthias
Re: Thoughts on Isolating Viruses - Port 587 Submission [signed]
On Mon, 16 Jul 2007 06:11:32 -0700, Marc Perkel wrote:

> One of the problems with SMTP in my opinion is that it allows end users to talk on port 25 to servers and therefore can't be distinguished from server to server traffic.
>
> Imagine a policy where ISPs blocked port 25 for consumers by default and forced them to talk to mail servers on port 587 to send SMTP. Suppose that all SMTP servers who took email from consumers had port 587 open as well as port 25. If port 25 were blocked from consumers and they were forced to talk to servers on port 587, even without authentication, then a server could distinguish consumers from other servers.
>
> I think this kind of configuration could be used to help isolate virus infected computers from spamming and spreading. So if I have an SMTP server that is set up to receive email for a bunch of domains and had port 587 closed then I could block out all spam from consumer computers. The idea being that a lot of virus infected spam bots would be isolated. It would force consumer traffic to talk only to smtp servers set up to relay consumer email.
>
> Thoughts?

imho this won't work ... how you want to keep infected computers off from 25?

there are already more effective tools to protect your server, like a good rule combination before the mail even gets to spamassassin.

Thanks and all the best

Matthias

[ SECURITY NOTICE ]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED] digitally signed this message on 16 July 2007 at 13:49:02 UTC. Verify this digital signature at http://www.ciphire.com/verify.
Re: Thoughts on Isolating Viruses - Port 587 Submission [signed]
On Mon, 16 Jul 2007 09:02:58 -0500, Richard Frovarp wrote:

> Matthias Schmidt [c] wrote:
>> On Mon, 16 Jul 2007 06:11:32 -0700, Marc Perkel wrote:
>>> One of the problems with SMTP in my opinion is that it allows end users to talk on port 25 to servers and therefore can't be distinguished from server to server traffic.
>>>
>>> Imagine a policy where ISPs blocked port 25 for consumers by default and forced them to talk to mail servers on port 587 to send SMTP. Suppose that all SMTP servers who took email from consumers had port 587 open as well as port 25. If port 25 were blocked from consumers and they were forced to talk to servers on port 587, even without authentication, then a server could distinguish consumers from other servers.
>>>
>>> I think this kind of configuration could be used to help isolate virus infected computers from spamming and spreading. So if I have an SMTP server that is set up to receive email for a bunch of domains and had port 587 closed then I could block out all spam from consumer computers. The idea being that a lot of virus infected spam bots would be isolated. It would force consumer traffic to talk only to smtp servers set up to relay consumer email.
>>>
>>> Thoughts?
>>
>> imho this won't work ... how you want to keep infected computers off from 25?
>
> Many ISPs firewall 25 at the edge of their network. If you try to send to port 25 on their network or to their SMTP they allow that traffic. One of the reasons for running the submission port is so that your users can get out of those ISPs to your outgoing server.

I know that. I just meant it's not possible in the real world to prevent clients from talking to port 25 (of course as long as it is not closed by some isp) or to distinguish a mail-bot from a real server just through the port they talk to.

the suggestion from Forrest has indeed some charm. But how to teach a whole bunch of DAUs to set their mail client to use port 587 instead of the default set port 25?

> For another way of doing this, see the PBL: http://www.spamhaus.org/pbl/index.lasso

Thanks and all the best

Matthias

[ SECURITY NOTICE ]
To: [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED] digitally signed this message on 16 July 2007 at 14:15:19 UTC. Verify this digital signature at http://www.ciphire.com/verify.
Learning Spam-Error? [signed]
Hello,

while learning Spam I get these errors:

    Learning SPAM...
    archive-iterator: invalid (undef) format in target list, 2 at /Library/Perl/5.8.6/Mail/SpamAssassin/ArchiveIterator.pm line 724, STDIN line 1.

and I also get this error from spamassassin:

    /bin/sh: line 1: periodic: command not found

any idea how to fix this?

Thanks and all the best

Matthias

[ SECURITY NOTICE ]
To: [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED] digitally signed this message on 16 July 2007 at 02:47:37 UTC. Verify this digital signature at http://www.ciphire.com/verify.
Re: ANNOUNCE: Apache SpamAssassin 3.2.0 available [signed]
On Wed, 2 May 2007 14:11:34 +0100, Justin Mason wrote:

> Rick Macdougall writes:
>> Justin Mason wrote:
>>> Apache SpamAssassin 3.2.0 is now available! This is the official release, and contains a significant number of changes and major enhancements -- please use it!
>>
>> Quick question. If I use sa-compile, which works very well here btw, do I need to re-run it after downloading new rules via sa-update ?
>
> yep. I do this:
>
>     sudo sa-update
>     sudo sa-compile
>     sudo /etc/init.d/spamassassin reload

and on a Mac OS 10.4.9 System - there is no init.d/spamassassin - ?

Thanks and all the best

Matthias

[ SECURITY NOTICE ]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED] digitally signed this message on 02 May 2007 at 14:04:23 UTC. Verify this digital signature at http://www.ciphire.com/verify.
Re: Nigerian Connection Spam was: [***SPAM***Empty Subject] [signed]
On Tue, 10 Apr 2007 20:23:15 +0100, Paul Hurley wrote:

> I've received a couple of Spam recently similar to the attached. They all get through, and all trigger on Empty_Message, except the message body isn't empty, and it contains some phrases that I would expect to score off the scale
>
> Here's the spamassassin report
>
>     No, score=4.0 required=6.0 tests=BAYES_50=0.001, EMPTY_MESSAGE=2.308,
>     HTML_40_50=0.496, HTML_MESSAGE=0.1, RM_rb_ANCHOR=0.001, RM_rb_BREAK=0.001,
>     RM_rb_FONT=0.001, RM_rb_PARA=0.001, SUBJ_ALL_CAPS=0.997,
>     cust_LOCAL_TO_RCVD=0.1 autolearn=no version=3.1.7
>
> I'm running Spamassassin V3.1.7.0 on Windows 32 via SAWin32 (http://sourceforge.net/projects/sawin32/) with all rules, network tests and some of the common SARE rules.

Nigerian Connection Spam. They get rejected here because their domain is usually invalid.

Thanks and all the best

Matthias

[ SECURITY NOTICE ]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED] digitally signed this message on 11 April 2007 at 01:40:00 UTC. Verify this digital signature at http://www.ciphire.com/verify.
Re: Stop the CCing please. (was Who is APEWS.ORG Sender Address Verification is NOT abouse and very effective) [signed]
On Fri, 30 Mar 2007 16:12:52 +0200, Jonas Eckerman wrote:

> Chris St. Pierre wrote:
>> I can't help but note that you have only yourself to blame:
>
> Why?
>
>> From: Jonas Eckerman [EMAIL PROTECTED]
>> Reply-To: [EMAIL PROTECTED]
>>
>> Fix your Reply-To header and you won't get any more list messages in your private email.
>
> The Reply-To header is correct. When someone decides to reply to me privately I want the reply to get to my normal address.

why so stubborn? Listen to what people tell you. That's the way lists do work. So if you set your Reply-To header as you did, you will all the time get ccs. People won't change their ways because of you, so you need to change your setting.

Thanks and all the best

Matthias

[ SECURITY NOTICE ]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED] digitally signed this message on 30 March 2007 at 14:23:09 UTC. Verify this digital signature at http://www.ciphire.com/verify.
Re: Newbie, Has Questions [signed]
On Fri, 30 Mar 2007 10:05:47 -0700, dougp23 wrote:

> So my questions: How do I identify spam with something from the body of the message? (i.e. Viagra in the message, or Nigeria from that very kind man who has all that money and just needs a little cash to get started). And then how do I route those messages off to a junk folder??

use individual rules

http://wiki.apache.org/spamassassin/CustomRulesets

place your rules here: /etc/mail/spamassassin/

and use greylisting as well:

http://www.postfix.org/SMTPD_POLICY_README.html#greylist

postgrey works pretty fine for me:

http://postgrey.schweikert.ch/

Thanks and all the best

Matthias

[ SECURITY NOTICE ]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED] digitally signed this message on 31 March 2007 at 02:12:29 UTC. Verify this digital signature at http://www.ciphire.com/verify.