RE: Experimental - use my server for your high fake MX record

2008-05-08 Thread Maurice Lucas
Or,

The spammers will find his host and not use the highest MX record. Or just 
remove his host from all the results.

My best solution would be:
Marc,

-  Clean up the code

-  Write a manual (howto) for installing it, so every admin can install it

-  Write an extra bit of code which will send you all the information 
WITHOUT the information below.

-  Everybody who wants it can use your great software and we all win*

I have contracts with my customers that I will not use their email for other 
business than to deliver it to its destination. Some of my customers will get 
into problems if other people know their contacts.
So I can give you all information about an email message without

-  The from

-  The to

-  The body

But with all the IP addresses and with the QUIT after 451 status.


* We all know you wouldn't use it as a selling point to spammers or do 
something else with it, but can/will you write that into a contract with all 
other admins? And pay a large sum of money if some data is "found" on the 
internet?
And do we want that type of "silly" contract?
No, we want to stop spam and not kill every other spamkiller (application or 
person).

Kind regards,

Maurice Lucas

TAOS-IT

Paulus Buijsstraat 191
2613 HR  Delft
www.taos-it.nl
KvK Haaglanden no. 27254410

From: Marc Perkel [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 8 May 2008 19:07
To: Kevin Parris
Cc: users@spamassassin.apache.org
Subject: Re: Experimental - use my server for your high fake MX record

Kevin Parris wrote:

> Well now, if a spambot actually does start recognizing and avoiding his system, 
> doesn't that mean he wins and the spammer loses?

I would say YES!

> You should make an effort to clean it up so that others *can* install it as a 
> standalone daemon, as I suggested. Why? How long will it be before the spambots 
> explicitly refuse to contact your honeypot if it is listed as an MX for the 
> domain they're attacking?

I don't see that happening. If the spammers were that sharp they would send 
quit and close the connection properly and defeat the method rather than 
defeating just me. But it would cost them some bandwidth and speed to do that. 
Especially if I added some delays before doing the rejection which would cause 
the spammer to have to keep the connection open longer which they aren't going 
to do.

I'm going to think about the delay thing. You inspired possibly another good 
idea.

sa-update failed (SARE channel)

2006-08-19 Thread Maurice Lucas
Hello,

I receive an error if I use the whitelist_from_spf channel:

# sa-update --channelfile sare-sa-update-channels.txt --gpgkey 856AA88A
config: failed to parse line, skipping: whitelist_from_spf [EMAIL PROTECTED]
config: failed to parse line, skipping: whitelist_from_spf [EMAIL PROTECTED]
config: failed to parse line, skipping: whitelist_from_spf [EMAIL PROTECTED]

All others are working perfectly.


-- 
With kind regards,

Maurice Lucas
TAOS-IT



RE: sa-update failed (SARE channel)

2006-08-19 Thread Maurice Lucas
I have SPF installed and it is working with RDJ or manual install.

-- 
With kind regards,

Maurice Lucas
TAOS-IT

On Sat, 2006-08-19 at 08:52 -0400, Michael Scheidell wrote:
> Only use that if you have the SPF plugin loaded.
> 
> Maybe someone could add 
> 
> ifplugin..
> endif
> 
>  wrappers to that file.
> 
> 
> > -Original Message-
> > From: Maurice Lucas [mailto:[EMAIL PROTECTED] 
> > Sent: Saturday, August 19, 2006 7:40 AM
> > To: users@spamassassin.apache.org
> > Subject: sa-update failed (SARE channel)
> > 
> > 
> > Hello,
> > 
> > I receive an error if I use the whitelist_from_spf channel:
> > 
> > # sa-update --channelfile sare-sa-update-channels.txt --gpgkey 856AA88A
> > config: failed to parse line, skipping: whitelist_from_spf [EMAIL PROTECTED]
> > config: failed to parse line, skipping: whitelist_from_spf [EMAIL PROTECTED]
> > config: failed to parse line, skipping: whitelist_from_spf [EMAIL PROTECTED]
> > 
> > All others are working perfectly.
> > 
> > 
> > -- 
> > With kind regards,
> > 
> > Maurice Lucas
> > TAOS-IT
> > 
> > 
-- 
Kind regards,

Maurice Lucas
TAOS-IT



Re: bayes sql storage

2006-10-18 Thread Maurice Lucas
On Wed, 2006-10-18 at 14:24 +0200, Henrik Hellerstedt wrote:
> I run spamassassin 3.1.5 from MailScanner on multiple machines
> and I plan to convert to the sql storage for bayes. I have
> already one machine running the sql storage, and it works very
> well.
> 
> Before I convert the rest there is one question I fail to find
> any answer to: does every machine need its own db or can they share?

I share them without any problem


-- 
With kind regards,

Maurice Lucas
TAOS-IT



RE: Psst!

2006-10-21 Thread Maurice Lucas
On Fri, 2006-10-20 at 10:30 -0400, Chris Santerre wrote:
> > -Original Message- 
> > From: David B Funk [mailto:[EMAIL PROTECTED] 
> > Sent: Friday, October 20, 2006 1:20 AM 
> > To: users@spamassassin.apache.org 
> > Subject: Re: Psst! 
> >  
> >  
> > On Thu, 19 Oct 2006, Matt Kettler wrote: 
> >  
> > > Another thing I've been noticing recently.. some idiot has  
> > been culling 
> > > the web archives of mailing lists, and is trying to send  
> > spam emails to 
> > > MESSAGE ID's of posts I've made. Check your mail logs! 
> > > 
> > > One or more of those would make a great spamtrap. 
> >  
> > Actually this kind of thing has been going on for some time. I
> still 
> > occasionally see spam sent to a Message-ID address derived from 
> > a machine that died years ago. The last owner of it was an active 
> > Usenet poster and is probably in all kinds of news archives.
> 
> Just curious, but how many people see spam being sent to usernames
> with the first letter dropped? I see a ton in my logs. I believe
> spammers figure [EMAIL PROTECTED] will also have a [EMAIL PROTECTED]  Too bad
> for them...they do not. :) 
> 

But I also have one client which gets a lot of spam to
[EMAIL PROTECTED]

So one stupid spammer did put smtp before the usernames.


-- 
With kind regards,

Maurice Lucas
TAOS-IT



Spam using local newspapers

2006-10-23 Thread Maurice Lucas
Hello,

I received some spam today using parts of local newspapers.
Just a mixup of some articles put together so my Bayes won't mark it
as spam.

This is the first time I see spam using local (Dutch) newspapers for
this. Normally it is random English text.

Am I the only one seeing this or are there more (Dutch) users seeing
this?

-- 
With kind regards,

Maurice Lucas
TAOS-IT



Re: Disclaimer of the month

2006-11-15 Thread Maurice Lucas
If it is a real fax number of the spammers maybe we should have a DoS on
their fax machine.
"This is sent from a fax at a post office. Please remove us from your
mailing or we will ask it again with 100 sheets of paper."
This must be sent in reverse color so they are using a toner per day for
their fax machine.

With kind regards,

Maurice Lucas


On Wed, 2006-11-15 at 14:16 -0500, Peter H. Lemieux wrote:
> For your amusement.  A spam arriving here today from Taiwan reads:
> 
> Dear Sir/Madam,
> 
> We learnt your e-mail add.from internet.
> 
> FIRST OF ALL,PLEASE KINDLY NOTE THIS E-MAIL IS SENT BY
> OUR "ADVERTISING COMPANY" AND THE E-MAIL ADDRESS IS
> NOT "REAL"(VIRTUAL),THEREFORE,PLEASE CONTACT US
> VIA "FAX"  OR "POST".DON'T DIRECTLY RESPONSE VIA " E-MAIL"
> BECAUSE WE CAN'T RECEIVE YOUR E-MAIL.
> IF YOU WANT TO BE REMOVED FROM THE LIST,PLEASE ADVISE
> YOUR E-MAIL ADDRESS & THIS E-MAIL CONTENT OR SUBJECT VIA "FAX" OR "POST".
> 
> Wow, I wonder how many people will want to communicate with them.  I 
> guess they missed the part in marketing class about impulse buying.
> 
> The From address was "[EMAIL PROTECTED]," which is a legitimate domain.  A 
> visit to the "contact us" page at www.parts.com reveals this:
> 
> "Parts.com is to be used as a parts portal. We are a software development 
> company that provides online software solutions. We do not carry, stock 
> or supply parts. If you are looking for a part, please contact a supplier 
> under that part category. If your business is looking for an online 
> e-commerence [sic] solution, please let us know."
> 
> I don't think I'll be contacting them any time soon!
> 
> Peter
> 
> 
> PS:  To top it all off, the end of the spam message has this amusing 
> tidbit:  "Please directly push the button to send your fax message out,
> don't pick up the phone."
> 
> 
> 
> email message attachment ({Spam?} **Make various molded parts for
> you to save your cost.Small Q'ty is OK(inj-tw-02&02)**)
> >  Forwarded Message 
> > From: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: {Spam?} **Make various molded parts for you to save
> > your cost.Small Q'ty is OK(inj-tw-02&02)**
> > Date: Mon, 13 Nov 06 13:06:20 Taipei Standard Time
> > 
> > Dear Sir/Madam,
> > 
> > We learnt your e-mail add.from internet.
> >  
> > FIRST OF ALL,PLEASE KINDLY NOTE THIS E-MAIL IS SENT BY
> > OUR "ADVERTISING COMPANY" AND THE E-MAIL ADDRESS IS
> > NOT "REAL"(VIRTUAL),THEREFORE,PLEASE CONTACT US
> > VIA "FAX"  OR "POST".DON'T DIRECTLY RESPONSE VIA " E-MAIL"
> > BECAUSE WE CAN'T RECEIVE YOUR E-MAIL.
> > IF YOU WANT TO BE REMOVED FROM THE LIST,PLEASE ADVISE
> > YOUR E-MAIL ADDRESS & THIS E-MAIL CONTENT OR SUBJECT VIA "FAX" OR "POST".
> > 
> > We are the professional product designer,mold & die maker,machinery builder
> > and molded parts(moldings) supplier for the following parts:
> > 
> > * Product design(from simply 3D model creating to whole project 
> > sub-contracting)
> > * Prototype making( mock up)
> > * Molds & Dies(sheet metal stamping die including single-staged & 
> > progressive dies,
> >plastic injection molding molds,zinc or aluminum high-pressure die 
> > casting dies &
> >rubber compression or injection molding molds)
> > * Laser cutting & CNC folding(suitable for small quantity,NO TOOLING(DIE) 
> > needed.
> > * Sheet Metal Stampings.
> > * Castings(sand castings)aluminium
> > * (High-Pressure) Die Casting for Zinc or aluminium
> > * Plastic Injection moldings.
> > * Oil Seals & other Rubber Moldings(both for industrial or general uses).
> > * Various Magnets.
> > * Machinings(Machined parts)
> > * Assembled unit(components assembled)
> > * Plastic Injection machines & Rubber Injection machines, 
> >other related injection molding machines,custom-built machineries 
> > especially
> >in connection with injection molding & hydraulic(oil)/pneumatic 
> > operating,
> >whole plant export including know-how and hydraulic(oil)/pneumatic 
> > engineering consultation.
> > 
> > SMALL ORDER IS OK,PLEASE CONTACT US TO SAVE YOUR COST!
> > 
> > Thank you
> > 
> > Best Regards
> > Robert Lin
> > P.O.Box 1-120 Yung-Ho,Taipei Hsien,Taiwan
> > Fax: 886-4-8783310 (886 is the country code) 
> > NOTE:
> > Please directly push the button to send your fax message out,
> > don't pick up the phone. 
> > 
> > 
> > 
-- 
Kind regards,

Maurice Lucas
TAOS-IT



Problems with one ham message

2006-12-01 Thread Maurice Lucas
Hello,

I have the default scores for all the tests below and don't know where
the score comes from.
Could somebody help?


2006-12-01 15:33:51.100434500 [5834] info: spamd: connection from capella.taos-it.nl [127.0.0.1] at port 51166
2006-12-01 15:33:51.152649500 [5834] info: spamd: processing message <[EMAIL PROTECTED]> for spamd:1031
2006-12-01 15:33:55.571287500 [5834] info: spamd: identified spam (8.9/5.5) for spamd:1031 in 4.5 seconds, 888 bytes.
Score is 8.9 with required 5.5


2006-12-01 15:33:55.571562500 [5834] info: spamd: result: Y 8 - AWL,BAYES_00,DK_POLICY_SIGNSOME,FORGED_RCVD_HELO
The tests

scantime=4.5,size=888,user=spamd,uid=1031,required_score=5.5,rhost=capella.taos-it.nl,raddr=127.0.0.1,rport=51166,mid=<[EMAIL PROTECTED]>,bayes=5.55111512312578e-17,autolearn=no

If I run this message with spamassassin -t 

Re: Problems with one ham message

2006-12-01 Thread Maurice Lucas
Never mind. I needed more coffee.
The AWL score was the reason.



On Fri, 2006-12-01 at 16:03 +0100, Maurice Lucas wrote:
> Hello,
> 
> I have the default scores for all the tests below and don't know where
> the score comes from.
> Could somebody help?
> 
> 
> 2006-12-01 15:33:51.100434500 [5834] info: spamd: connection from capella.taos-it.nl [127.0.0.1] at port 51166
> 2006-12-01 15:33:51.152649500 [5834] info: spamd: processing message <[EMAIL PROTECTED]> for spamd:1031
> 2006-12-01 15:33:55.571287500 [5834] info: spamd: identified spam (8.9/5.5) for spamd:1031 in 4.5 seconds, 888 bytes.
> Score is 8.9 with required 5.5
> 
> 
> 2006-12-01 15:33:55.571562500 [5834] info: spamd: result: Y 8 - AWL,BAYES_00,DK_POLICY_SIGNSOME,FORGED_RCVD_HELO
> The tests
> 
> scantime=4.5,size=888,user=spamd,uid=1031,required_score=5.5,rhost=capella.taos-it.nl,raddr=127.0.0.1,rport=51166,mid=<[EMAIL PROTECTED]>,bayes=5.55111512312578e-17,autolearn=no
> 
> If I run this message with spamassassin -t
> 
> Content analysis details:   (-2.5 points, 5.5 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
> -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
>                             [score: 0.]
> 
> So why is it rejected as spam in the SMTP phase?
> 
> 

-- 
With kind regards,

Maurice Lucas
TAOS-IT
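As an added example (not code from the thread), a small Python parser for the spamd "result:" log line and the "spamassassin -t" report quoted above, diffing the two rule lists so that a rule that only fired at SMTP time (here AWL, which is kept per user and per sender and so is not reproduced by a later -t run) shows up by name. The log line and report are constructed copies of the ones in the post, with the message-id replaced by a placeholder.

```python
import re

# Constructed copy of the spamd log line quoted above, joined onto one line
# (the archive wraps it); the message-id is a placeholder.
SPAMD_RESULT_LINE = (
    "2006-12-01 15:33:55.571562500 [5834] info: spamd: result: Y 8 - "
    "AWL,BAYES_00,DK_POLICY_SIGNSOME,FORGED_RCVD_HELO "
    "scantime=4.5,size=888,user=spamd,uid=1031,required_score=5.5,"
    "rhost=capella.taos-it.nl,raddr=127.0.0.1,rport=51166,"
    "mid=<placeholder-msgid@example.invalid>,"
    "bayes=5.55111512312578e-17,autolearn=no"
)

# Constructed copy of the "spamassassin -t" report from the same thread.
SA_TEST_REPORT = """\
Content analysis details:   (-2.5 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
"""

# Rules whose score comes from per-user history rather than from the message
# alone. The log says user=spamd; a -t run from another account consults that
# account's own auto-whitelist, so AWL need not appear (or score the same).
STATEFUL_RULES = {"AWL"}

RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[YN]) (?P<score>-?\d+(?:\.\d+)?) - "
    r"(?P<rules>\S+) (?P<kv>.*)$"
)
# One report row: points, rule name, then the description.
REPORT_RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s", re.M)


def parse_spamd_result(line):
    """Split a spamd 'result:' line into verdict, score, rule set and the
    trailing key=value fields (scantime, user, required_score, bayes, ...)."""
    m = RESULT_RE.search(line)
    if not m:
        raise ValueError("not a spamd result line: %r" % line)
    fields = {}
    for item in m.group("kv").split(","):
        key, _, value = item.partition("=")
        fields[key] = value
    return {
        "is_spam": m.group("flag") == "Y",
        "score": float(m.group("score")),
        "rules": set(m.group("rules").split(",")),
        "required": float(fields["required_score"]),
        "user": fields.get("user"),
        "fields": fields,
    }


def parse_sa_test_report(text):
    """Map rule name -> points from the table in 'spamassassin -t' output."""
    return {name: float(pts) for pts, name in REPORT_RULE_RE.findall(text)}


def explain_discrepancy(log_line, report_text):
    """Compare what spamd logged at SMTP time with what -t shows now."""
    logged = parse_spamd_result(log_line)
    tested = parse_sa_test_report(report_text)
    only_in_log = logged["rules"] - set(tested)
    return {
        "logged_score": logged["score"],
        "test_score": round(sum(tested.values()), 1),
        "only_in_log": only_in_log,
        "only_in_test": set(tested) - logged["rules"],
        # History-dependent rules seen only in the log are the first thing to
        # check before suspecting a broken rule or score.
        "stateful_suspects": only_in_log & STATEFUL_RULES,
        "spamd_user": logged["user"],
    }


if __name__ == "__main__":
    for key, value in explain_discrepancy(SPAMD_RESULT_LINE, SA_TEST_REPORT).items():
        print(f"{key}: {value}")
```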



Re: questions about this list

2006-12-15 Thread Maurice Lucas
On Mon, 2006-12-11 at 19:51 -0600, René Berber wrote:
> Mark Nienberg wrote:
> 
> > In the welcome message that I received when I subscribed to this list it
> > says:
> > 
> > Send mail to the following for info and FAQ for this list:
> ><[EMAIL PROTECTED]>
> ><[EMAIL PROTECTED]>
> 
> Useless addresses, I also tried.
> 
> [snip]
> > But a message I sent to that address bounced with this error:
> 
> That, I didn't try...
> 
> [snip]
> > At any rate, could someone please answer this question:
> > 
> > How can I stop mail delivery from the list and still stay subscribed?
> 
> No dice ;-)  I tried the same you are doing, since I read the newsgroup using
> Gmane, and what I found out (very easily) is that this list uses ezmlm, and 
> that
> piece of ... doesn't have that functionality, in fact has very little
> functionality (compared to Mailman).

A late reply to this thread and I don't know if this works for this list,
but give it a try.

http://www.ezmlm.org/ezman/ezman2.html

2.4 Adding subscriber aliases(*). 

ezmlm lists may be set up to only allow subscribers to send messages to
the list. This is less secure than moderation, but still keeps most
``garbage'' off the list. Occasionally, a user may wish to send messages
from an address other than the subscription address. As a remote
administrator, you can add the user's alias to a special ``allow''
database. To add [EMAIL PROTECTED] as an alias to the
[EMAIL PROTECTED], send mail to
[EMAIL PROTECTED] -unsubscribe
and other commands work the same way. The messages ezmlm sends talk
about the [EMAIL PROTECTED] mailing list, but of course you
know that this is just a figure of speech. 

On lists that do not have subscription moderation, users can add
themselves to the ``allow'' database in the same way. This is documented
only briefly in the USER'S manual. 

Archive access may also be restricted to subscribers. Like subscribers
of the list or the digest list, addresses in the ``allow'' database are
allowed to access the archive.

-- 
With kind regards,

Maurice Lucas
TAOS-IT



Re: perceptron and over-scoring (Re: Over-scoring of SURBL lists... )

2006-02-21 Thread Maurice Lucas
On Tue, 2006-02-21 at 06:53 -0800, Jeff Chan wrote:
> On Monday, February 20, 2006, 12:39:31 PM, Theo Dinter wrote:
> 
> > Just for some info...  I went through the set1 spam logs for 3.1 score
> > generation.
> 
> > 1112804 total messages
> >  776108 messages hit SURBL
> >  138407 1 SURBL list(s) hit (1+ = 776108)
> >  189795 2 SURBL list(s) hit (2+ = 637701)
> >  281255 3 SURBL list(s) hit (3+ = 447906)
> >  136964 4 SURBL list(s) hit (4+ = 166651)
> >   29685 5 SURBL list(s) hit (5+ = 29687)
> >       2 6 SURBL list(s) hit (6+ = 2)
> 
> > The set1 ham logs:
> 
> > 477629  total messages
> >   1023  messages hit SURBL
> >    992  1 SURBL list(s) hit (1+ = 1023)
> >     23  2 SURBL list(s) hit (2+ = 31)
> >      5  3 SURBL list(s) hit (3+ = 8)
> >      3  4 SURBL list(s) hit (4+ = 3)
> >      0  5 SURBL list(s) hit (5+ = 0)
> >      0  6 SURBL list(s) hit (6+ = 0)
> 
> 
> > So from these results, the FP rate is very low for SURBL (0.21%), and
> > while there is a ton of overlap for spam (57.3%), there's very little
> > for ham (0.01%).
> 
> 
> Thank you for data.  They seem to support what we've been saying.
> 
> At a count of 138407, messages that hit only 1 SURBL are
> significant, so lowering the scoring of a single list hit
> significantly may result in significant FNs.

But maybe we have to have a scoring like this:
- current SURBL score if only on that list
- if on list1 and list2 then not a score of list1+list2 but more like a
basic SURBL score + fixed value
- if on list1, list2 and list3 then not a score of list1+list2+list3
but more like a basic SURBL score + 2*(fixed value)

21% of all the SURBL hitting spam hit more than 4 list records. If this
were a FN (not very likely but possible) then the score would be too
high to compensate, but if we use a scoring rule like above then the
score of a 4+ hitting spam message would be e.g.
basic SURBL score = 3
3*fixed value = 1
score = 6
and maybe with a SURBL list with very low FP score there could be a gain
in the fixed value score.

Maurice Lucas





Re: spamassassin counts wrongly

2006-02-23 Thread Maurice Lucas
On Thu, 2006-02-23 at 18:52 +0100, Thomas Geldner wrote:
> Is this a bug ?
> 4.5 + 0.5 = 5.0 or ? ;)
> snip
> -
> X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_99,DATE_IN_PAST_03_06
>  autolearn=no version=3.1.0
> X-Spam-Spam-Report:
>  *  0.5 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before 
> Received: date
>  *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>  *  [score: 0.9976]
> 
> snap
> 
> Tom

Count by hand the following scores
from the default SA 3.1.0 install:
50_scores.cf:score DATE_IN_PAST_03_06 0.736 0 1.122 0.478
50_scores.cf:score BAYES_99 0.0001 0.0001 3.5 3.5

0.5+3.5 is shown in the spam-report

Maurice Lucas
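Added example, not from the thread: a Python helper that parses 50_scores.cf-style score lines, picks the score set the way SpamAssassin does (set 0 = no network tests and no Bayes, 1 = network only, 2 = Bayes only, 3 = both) and compares the exact total with the sum of the one-decimal values a report prints. The two rules are the ones quoted above; the 4.45 local override is a constructed assumption, used only to show that rounded parts can add up to more than the rounded total.

```python
import re

# Constructed excerpt in the format of SpamAssassin's 50_scores.cf; the two
# rules and their four values are the ones quoted in the post above.
SCORES_CF = """\
# rule name                set0   set1   set2   set3
score DATE_IN_PAST_03_06   0.736  0      1.122  0.478
score BAYES_99             0.0001 0.0001 3.5    3.5
"""

# Constructed local override (one value applies to all four sets). 4.45 is an
# assumption chosen only to make the rounding effect visible; it is not a
# value from the thread.
LOCAL_CF = "score BAYES_99 4.45\n"

SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")


def parse_score_lines(text, table=None):
    """Parse 'score RULE v' / 'score RULE v0 v1 v2 v3' lines into
    {rule: [set0, set1, set2, set3]}. Later lines override earlier ones,
    which is how a local.cf score replaces the one from 50_scores.cf."""
    table = {} if table is None else table
    for raw in text.splitlines():
        m = SCORE_RE.match(raw.split("#", 1)[0])  # drop comments
        if not m:
            continue
        rule, values = m.group(1), [float(v) for v in m.group(2).split()]
        if len(values) == 1:
            values = values * 4
        elif len(values) != 4:
            raise ValueError("bad score line: %r" % raw)
        table[rule] = values
    return table


def score_set(use_bayes, use_network):
    """Index of the score set SpamAssassin uses: 0 = neither network tests
    nor Bayes, 1 = network only, 2 = Bayes only, 3 = both."""
    return (2 if use_bayes else 0) + (1 if use_network else 0)


def total_score(hits, table, use_bayes=True, use_network=True):
    """Exact total for the rules that hit, plus the figure you get by adding
    the one-decimal values a report prints; the two need not agree."""
    s = score_set(use_bayes, use_network)
    per_rule = {rule: table[rule][s] for rule in hits}
    exact = sum(per_rule.values())
    return {
        "set": s,
        "per_rule": per_rule,
        "exact": exact,
        "rounded_total": round(exact, 1),
        "sum_of_rounded": round(sum(round(v, 1) for v in per_rule.values()), 1),
    }


if __name__ == "__main__":
    hits = ["DATE_IN_PAST_03_06", "BAYES_99"]
    defaults = parse_score_lines(SCORES_CF)
    print("defaults, set 3:", total_score(hits, defaults))
    overridden = parse_score_lines(LOCAL_CF, dict(defaults))
    print("with override, set 3:", total_score(hits, overridden))
```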



RE: GIF stock spams

2006-02-24 Thread Maurice Lucas

>  * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%

So 6.0 points for your BAYES. I hope your BAYES is well trained and never gets 
corrupted.

Maurice Lucas




On Fri, 2006-02-24 at 17:44 +0100, Ruben Cardenal wrote:
> I catch them all, for example:
> 
> X-Spam-Report:
>  * 1.0 ICAB_FW2 ICAB_FW2
>  * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type=
> entry
>  * 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
> words
>  * 0.0 HTML_MESSAGE BODY: HTML included in message
>  * 6.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> 
> header ICAB_FW2 Subject =~ /^Fw:\s\d{1,9}$/i
> score ICAB_FW2 1
> 
> Ruben
> 
> 
> > -Original Message-
> > From: Chris Conn [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, 24 February 2006 17:35
> > To: users@spamassassin.apache.org
> > Subject: GIF stock spams
> > 
> > Hello,
> > 
> > Has anyone written any rules to catch the following types of spam
> > 
> > 
> > http://nisk.creenet.com/~cconn/sa/
> > 
> > 
> > They consist of a few lines of text (sometimes), and a .gif attachment
> > that
> > is in fact some penny stock being pushed.
> > 
> > Thanks in advance,
> > 
> > Chris
> 



Re: Tinurl being abused by spammers.. (leo/badcow)

2006-05-03 Thread Maurice Lucas
On Tue, 2006-05-02 at 15:50 -0500, Igor Chudov wrote:
> On Tue, May 02, 2006 at 01:39:26PM -0700, List Mail User wrote:
> > >...
> > >For the last week, I feel like I should receive a paycheck from Geocities!
> > >All I've been doing is submitting damn redirect web pages. I even did some
> > >testing and found some sites listed in NANAS as far back as 5 days that 
> > >were
> > >still active. 
> > >
> > >The source code for these pages use at most 3-4 different techniques. Not
> > >very hard to filter for on new pages. Hell, I think 100% of the redirected
> > >URLs were listed in URIBL black!! Every freaking morning I see more
> > >geocities redirects. Whatever they are doing, could be a lot better. 
> > >
> > >Checking on ones from Sunday, I see they are still running, even after 
> > >being
> > >reported. At this rate, the geocities redirect are lasting longer then new
> > >domains.
> > >
> > >Chris Santerre
> > >SysAdmin and SARE/URIBL ninja
> > >http://www.uribl.com
> > >http://www.rulesemporium.com
> > >...
> > 
> > Even worse, they will close a site, then another site with exactly
> > identical content will appear (probably created at the same time).  To 
> > create
> > their own blacklist of already nuke'd sites seem pretty trivial.  And also
> > the use of Yahoo! sites for hosting spammer images, where the directories
> > under the root remain constant seems another easy case to have wiped out,
> > but they haven't.  In their favor, it seems that Yahoo! is now the second
> > largest source of child pornography in the world, down from #1 because so
> > many of the sites are now hosted on zombies (but often advertised via sites
> > on Geocities that redirect to them).
> 
> It is not so simple. I looked at the source code of these spammers'
> websites. They are made with very obfuscated javascript. Not very easy
> to recognize programmatically. A question remains open, why allow
> javascript on geocities, but that seems to be a business issue for
> them.
> 
> Still, that the pages stay up so long after they were spammed, is
> suggestive that they are not using spam traps. 
> 
> 
> I do not think that they could fully eliminate all spammy pages, but
> they can make themselves a very unattractive target for spammers. Just
> doing the following: 
> 
> 1) not allowing javascript
> 2) using intelligent filters on website URLs in links
> 3) using spam traps
> 4) Allowing craigslist style "this is spam" button, feeding item 2).
> 

5) cronjob a process which will download and check every website that is
changed and check the source for spam signs and the page which is
displayed. Even plain old wget has options to show the output HTML.

My 5 cents: geocities gets enough money from displaying these sites and
has a name which will keep them from getting worldwide blacklisted.
Now it is only on people's local blacklists but I like the idea of a
worldwide (URIBL, SURBL,...) blacklist entry.

Maybe a poll on the major blacklist sites could help. When could we
change "big and with a lot of good guys" into "big and with a lot of
good guys and too many bad guys, so sorry for the few good guys"?



-- 
with kind regards,

Maurice Lucas
TAOS-IT



Re: Proposal: First URI black list, how about email address black lists?

2006-05-23 Thread Maurice Lucas
On Thu, 2006-05-18 at 07:23 -0700, Marc Perkel wrote:
> URI based black lists have been extremely effected in identifying spam. 
> I propose another kind of black list. A list of email addresses embedded 
> in the message body as replies to nigerian type spam and other spam 
> where you are instructed to reply to the email address in the message body.
> 
> One thing about all spam is that the spammer wants you to do something. 
> And it's what the spammer wants you to do that is the key to identifying 
> spam. Most spam wants you to click on a link. So the URI black lists 
> work well because it catches the sites that spammers link to.
> 
> But - a lot of spam - like nigerian spam - wants you to reply to an 
> email address in the message body in order to do what the spammer wants. 
> So if there were a blacklist of email addresses that spammers use as the 
> place to reply then that would cut into the remaining spam 
> significantly. If we can block email based on a real time list of email 
> addresses within the body a whole new class of spam can be blocked with 
> very high accuracy.
> 
> Who likes this idea?
> 

Picking up an old thread.

Maybe we would not want to do a lookup at, for example,
dig txt spammer=domain.tld.blacklist.tld
to check if [EMAIL PROTECTED] is a spammer's email address.

But only at domain.tld.blacklist.tld and punish the webmail provider
(most of the time the free providers) with a low score.
It doesn't make a message go over the top, but if e.g. in every message
with a yahoo/hotmail/... address in it which is scanned by SA a line is
included with
EMAILBLACKLISTYAHOO=0.5 added, maybe then someday yahoo will do something
about spammers.

Maybe then there could even be a (dangerous and misused, but free
advertising for the provider) rule which will be a negative scoring
rule.
I would "love" to see in every spam message spammers misusing my good
name to lower the amount of points. (possible problems like the good-old
bayes poisoning)


In this example yahoo is used but it could have been any provider.

-- 
With kind regards,

Maurice Lucas
TAOS-IT



Re: [dns-operations] negative caching of throwaway spam domains

2006-06-24 Thread Maurice Lucas
On Sat, 2006-06-24 at 05:08 -0700, Jeff Chan wrote:
> On Friday, June 23, 2006, 5:09:55 PM, jdow jdow wrote:
> > Jeff, it's probably quite good when the lookup is implemented on
> > spam traps and a small collection of servers. The domain registrars
> > who are honest might like it. It'd reduce the incentive and value
> > of domain kiting.
> 
> Presumably the list doesn't include kited domains, or it would be
> 35 million records long.  :-(
> 
> > However, doesn't a greylist perform much the same intent - a domain
> > that has not been heard from before is held off for a second chance
> > in half an hour to an hour. "Obviously" new domains would trigger
> > the greylist. If the greylisting is done on a per domain basis it
> > could be combined with the whois lookup. If the whois lookup did
> > not provide age data the message is blocked per greylisting. If it
> > provides age data indicating an old domain it's blocked per greylisting.
> > If it indicates a new domain it's blocked with a permanent error.
> > (If the whois source is not trustworthy it's also blocked with a
> > permanent error.)
> 
> Michael gives some good possibilities and a discussion of the
> difference with greylisting.  Note that whois can't really be
> done on an automated, high-frequency basis. 
> 
Domain kiting must cost good registrars like Go Daddy a lot of money due
to resource use. So it will make them money if they aren't being used
for this kind of abuse.

If we could get e.g. Go Daddy to support the idea of greydomaining and they
will input the data of new domain names in the database and remove
5-day-refund addresses and paid addresses then Go Daddy won't be a
registrar which will be used by spammers.
It will *cost* Go Daddy an amount of marketing items like:
- we have x million new domains every day/week/month
- we have a grand total of x million domain names
- ...

But it will *give* them great support from serious users and admins.
They won't register that many domain names but if we, the serious
admins, do register we will use and pay for that domain.
And I like to give my money to a registrar that is doing whatever it
costs to keep the internet usable.

If Go Daddy does give the data of all the registrations there isn't any
need for whois queries.



-- 
With kind regards,

Maurice Lucas
TAOS-IT



The way SA checks the URI for domainname.us.tt

2006-07-28 Thread Maurice Lucas
Hello,

I submitted wealthpro.us.MUNGED.tt to uribl but it isn't added because
SA will only see us.MUNGED.tt.

I know there are some domains which use a 2-level TLD zone, like .co.uk,
which will never be included.
Is this not a TLD which has to be changed inside SA to a 2-level TLD?

If I check the website at us.MUNGED.tt they use a countrycode.tt 

-- 
With kind regards,

Maurice Lucas
TAOS-IT



Re: The way SA checks the URI for domainname.us.tt

2006-07-28 Thread Maurice Lucas
On Fri, 2006-07-28 at 10:57 -0400, Theo Van Dinter wrote:
> On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote:
> > I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because
> > SA will only see us.MUNGED.tt.
> 
> I'm not sure why you think that.  us.tt is listed as a two level TLD in
> SA, so .us.tt is what gets used.
> 
I could have checked that if I had run a debug on that email.

Thank you

-- 
With kind regards,

Maurice Lucas
TAOS-IT
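Added example, not SpamAssassin's own code: a Python version of the registrar-boundary trimming Theo describes, where a host is cut back to one label left of the longest matching two- or three-level TLD before it is looked up in a URI blacklist. The TLD tables are a constructed subset (us.tt and co.uk come from the thread; the other entries are assumptions), and the host names and the DNSBL zone are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the two-level TLD table SpamAssassin consults
# (util_rb_2tld). us.tt is in it, as Theo says above; co.uk is Maurice's
# example; the remaining entries are assumed for illustration.
TWO_LEVEL_TLDS = {"us.tt", "co.uk", "org.uk", "com.au"}
# Constructed three-level entry (util_rb_3tld style); an assumption only.
THREE_LEVEL_TLDS = {"demon.co.uk"}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrar_domain(host):
    """Trim a host name to the registrar-level domain a URIBL/SURBL lookup
    should use: one label to the left of the longest matching TLD entry.
    Without the us.tt entry, example-offer.us.tt would collapse to us.tt,
    which is exactly the problem Maurice reported."""
    host = host.lower().rstrip(".")
    if IPV4_RE.match(host):
        return host  # IP literals are not trimmed
    labels = host.split(".")
    # Longest match first: a three-level entry beats a two-level one.
    for depth, table in ((3, THREE_LEVEL_TLDS), (2, TWO_LEVEL_TLDS)):
        if len(labels) > depth and ".".join(labels[-depth:]) in table:
            return ".".join(labels[-(depth + 1):])
    if len(labels) >= 2:
        return ".".join(labels[-2:])  # plain two-label registration
    return host


def uri_lookup_key(uri):
    """Host part of a URI (scheme optional), trimmed with registrar_domain."""
    parsed = urlsplit(uri if "://" in uri else "http://" + uri)
    return registrar_domain(parsed.hostname or "")


def dnsbl_query_name(uri, zone="dnsbl.example"):
    """DNS name to query for the URI's domain; the zone is a placeholder."""
    return uri_lookup_key(uri) + "." + zone


if __name__ == "__main__":
    for sample in ("http://www.example-offer.us.tt/page", "www.example.co.uk",
                   "a.b.example.com", "host.demon.co.uk", "10.0.0.1"):
        print(f"{sample:40} -> {dnsbl_query_name(sample)}")
```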



Re: collecting spam(maybe offtopic)

2006-07-31 Thread Maurice Lucas
On Mon, 2006-07-31 at 20:22 +0300, Michael wrote:
>   Hello!
>   It may be a strange request, but I need to collect spam for a research 
> project about the way spammers attack and the way they bypass the 
> antispam filters.
>   Obviously, for this project I need to collect spam in different ways 
> and of different types. Also, my project can be conclusive only if the 
> spam that I analyze is new and varied.
>   So, I would like to request your help about the way I can collect spam. 
> I tried to post with this address on many Usenet groups and many mailing 
> lists but the results were not so good. Also, I can't abuse to post on 
> that mailing list because it's not nice to make "noise" on a mailing list 
> where people really need help.
> 
>  If you can tell me ways about how to make this address spammed I 
> will really appreciate it.

also check
http://www.ftc.gov/opa/2005/11/spamharvest.pdf

With kind regards,

Maurice Lucas



Re: ImageInfo plugin for SA

2006-08-04 Thread Maurice Lucas
On Fri, 2006-08-04 at 02:21 -0700, MennovB wrote:
> 
> Matthias Keller wrote:
> > 
> > It seems to load fine but I get some errors every time I run a check:
> > warn: plugin: failed to load plugin /etc/mail/spamassassin/ImageInfo.pm: 
> > No such file or directory
> > 
> Yes, I had to comment this line in 70_imageinfo.cf:
> #loadplugin Mail::SpamAssassin::Plugin::ImageInfo ImageInfo.pm
> 
> Then it loads fine.
> I'm still testing with some examples though.

I wanted to test it in a production environment, but I don't see any hits
at the moment. But I'm not even seeing a LN either.

Maybe I'm off their spam list ;) but I think I'm just lucky for a few
hours.

Maurice Lucas



RE: I need your spam!

2008-06-08 Thread Maurice Lucas
I think a lot of people have reacted the same way.
We would love to give you all the info you need, so everyone's email is 
faster/cleaner/less bandwidth. But nobody wants to or can give 100% of his 
email to some non-contracted third party.

If you give us some programs/source so we could implement it for our own high 
MX record, the results (cleaned of personal info) can be sent to some third party 
server.

We as email service providers have all signed a contract with our end users that 
we would not give any information to third parties. We do our best to keep the 
communication free of man-in-the-middle attacks and now we have to introduce a 
man-in-the-middle. It isn't an attack but it is breaking all our contracts.

With kind regards,

Maurice Lucas

TAOS-IT

Paulus Buijsstraat 191
2613 HR  Delft
www.taos-it.nl
KvK Haaglanden no. 27254410

From: Ken A [EMAIL PROTECTED]
Sent: Friday, 6 June 2008 20:42
To: users@spamassassin.apache.org
Subject: Re: I need your spam!

What is this the junkemailfilter announce list?
Give it a rest.

Ken


Marc Perkel wrote:
> Actually - I just need your spam attempts. I have a way to detect
> spambots on the first try and add them to my blacklist at
> hostkarma.junkemailfilter.com
>
> Sp - if you want to participate and lose a chunk of your virus spambot
> spam all you have to do is add us as your highest numbered MX record.
>
> tarbaby.junkemailfilter.com 100
>
> What we will do is return a 451 error after the DATA command is sent.
> And - if you then also use our blacklists then the bots spamming your
> domains will be blacklisted.
>
> Here's info on our lists:
>
> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
>
> Here's the SA rules to make it work.
>
> header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.')
> describe __RCVD_IN_JMF Sender listed in JunkEmailFilter
> tflags __RCVD_IN_JMF net
>
> header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1')
> describe RCVD_IN_JMF_W Sender listed in JMF-WHITE
> tflags RCVD_IN_JMF_W net nice
> score RCVD_IN_JMF_W -5
>
> header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2')
> describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK
> tflags RCVD_IN_JMF_BL net
> score RCVD_IN_JMF_BL 3.0
>
> header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4')
> describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN
> tflags RCVD_IN_JMF_BR net
>
>
> score RCVD_IN_JMF_BR 1.0
>
>


--
Ken Anderson
Pacific.Net


Re: bogus-virus-warnings-cf

2005-04-03 Thread Maurice Lucas
From: "Bob McClure Jr" <[EMAIL PROTECTED]>
Sent: Sunday, April 03, 2005 1:15 AM
On Sat, Apr 02, 2005 at 05:09:40PM -0600, Chris wrote:
I use RDJ to update rule sets, I only run it once a day.  On the run for the
31st of March, RDJ reported:

RulesDuJour Run Summary on cpollock.localdomain:
The following rules had errors:
Tim Jackson's (et al) bogus virus warnings was not retrieved because of: 403
from http://www.timj.co.uk/linux/bogus-virus-warnings.cf.

clicking on the link and opening with Mozilla still shows a 403 - Permission
Denied.  Anyone else having problems getting this update?
Yep, for several days now.

It is repaired.
I can browse the site.
With kind regards,
Maurice Lucas
TAOS-IT


Re: First attempt at writing SPAM rules

2005-05-03 Thread Maurice Lucas
Hello,
Send a complete sample to spam \-at/ timj.co.uk for addition to 
http://www.timj.co.uk/linux/bogus-virus-warnings.cf

With kind regards,
Maurice Lucas
TAOS-IT
- Original Message - 
From: "Ronald I. Nutter" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, May 03, 2005 3:12 PM
Subject: First attempt at writing SPAM rules

We are getting flooded this morning with email that contains the
following item(s) in the body of the message -
*** Server-AntiVirus: No Virus (Clean)
*** "GEORGETOWNCOLLEGE" Anti-Virus
*** http://www.georgetowncollege.edu
OR
*** Attachment-Scanner: Status OK
*** "GEORGETOWNCOLLEGE" Anti-Virus
*** http://www.georgetowncollege.edu
Here is what I have created as a rule set -
body BOGUS_SERVER_AV /Server-AntiVirus:/
describe BOGUS_SERVER_AV Blocks Bogus AV Clean message
score BOGUS_SERVER_AV 20.0
body BOGUS_ATTACH_SCAN /Attachment-Scanner:/
describe BOGUS_ATTACH_SCAN Blocks Bogus Attach Scan message
score BOGUS_ATTACH_SCAN 20.0
Any suggestions ?
Thanks,
Ron

Ron Nutter  [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services  (502) 863-7002
Georgetown College
Georgetown, KY 40324-1696



Re: Bombarded by German political spam

2005-05-16 Thread Maurice Lucas
Hello,
I didn't read this discussion but did find a link on the clamav mailing list 
which I want to share before reading 300 emails ;)

http://weir.dattitu.de/archives/9-Filtering-Sober-P.html
With kind regards,
Maurice Lucas
TAOS-IT
- Original Message - 
From: "Christian Recktenwald" <[EMAIL PROTECTED]>
To: "Raymond Dijkxhoorn" <[EMAIL PROTECTED]>
Cc: "Bart Schaefer" <[EMAIL PROTECTED]>; 

Sent: Monday, May 16, 2005 4:11 PM
Subject: Re: Bombarded by German political spam


On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
Hi!
>>http://mailscanner.prolocation.net/german.cf
>You've got a bit of duplication in there (rules 02 and 22 are the
>same, as are 04 and 26).
I'll clean them, thanks! v0.2 there in a few :)
http://www.citecs.de/99_sober.cf
took subject lines from above
- score per subj is 1.0
- put content patterns (3 missing, got no sample) into it with score 8.0
- the often seen "Lese selbst" is scored 4
Greetinx, Chris
--
Christian Recktenwald  : :
citecs GmbH: [EMAIL PROTECTED]
Unternehmensberatung fuer  : voice +49 711 601 2090  : Boeblinger Strasse 
189
EDV und Telekommunikation  : fax   +49 711 601 2092  : D-70199 Stuttgart




Re: Are the RBL scores high enough?

2005-06-03 Thread Maurice Lucas

From: "Matt Kettler" <[EMAIL PROTECTED]>
Sent: Friday, June 03, 2005 9:30 PM



Kevin Sullivan wrote:

On Jun 2, 2005, at 8:27 PM, Matt Kettler wrote:


If one's wrong, they are ALL wrong.

SA's rule scores are evolved based on a real-world test of a
hand-sorted corpus of fresh spam and ham. The whole scoreset is
evolved simultaneously to optimize the placement pattern.

Of course, one thing that can affect accuracy is if some spams are
accidentally misplaced into the ham pile it can cause some heavy score
biasing to occur. A little bit of this is unavoidable, as human
mistakes happen, but a lot of it will cause deflated scores and a lot
of FNs.



The rule scores are optimized for the spam which was sent at the time
that version of SA was released (actually, at the time the rule scoreset
was calculated).  Since then, the static SA rules have become less
useful since spammers now write their messages to avoid them.  The only
rules which spammers cannot easily avoid are the dynamic ones:  bayes
and network checks (RBLs, URIBLs, razor, etc).

On my systems, I raise the scores for the dynamic tests since they are
the only ones which hit a lot of today's spam.



Very true. Most of the static tests (ie: body rule sets like antidrug) spammers
quickly adapt to after a SA release, and they lose some effectiveness over time.



Maybe we have to make a separate version of the score-file.
So you could install an official SA 3.0.3 release and download a score-file, 
say version 3.0.3-date.
And once every month there will be another official score-file. Spammers can 
adjust their spam to pass the "static" tests but the score will be changed. 
And after the score-file change


Now we have to wait for 3.0.4 before there will be any change in the static 
scores.


With kind regards,

Maurice Lucas
TAOS-IT




Re: How to increase score of URIDNSBL?

2005-06-06 Thread Maurice Lucas

From: "Roman Volf" <[EMAIL PROTECTED]>
Sent: Monday, June 06, 2005 7:53 AM


I received a spam (http://www.keystreams.com/~volfman/spamd-msg.txt - I 
stripped the X-Spam headers from the message) that only scored a 4.4,

even though the URIDNSBL showed a hit.
Here is the debug from spamd - 
http://www.keystreams.com/~volfman/spamd-debug.txt


Is upping the score that a URIDNSBL hit gives a good idea? I mark spam at 
5.0. Is this possible?


Any suggestions?

If you had used uribl [1] with the standard usage line, another 3 points would 
have been added to your score.


[1]http://www.uribl.com/

With kind regards,

Maurice Lucas
TAOS-IT




Re: SpamAssassin 3.0.4 Released

2005-06-07 Thread Maurice Lucas

Hello,

I'm unable to download/view the gpg/md5/sha1 signature from the website
eg.
http://www.apache.org/dist/spamassassin//Mail-SpamAssassin-3.0.4.tar.bz2.md5
had to be
http://www.apache.org/dist/spamassassin/source/Mail-SpamAssassin-3.0.4.tar.bz2.md5

With kind regards,

Maurice Lucas
TAOS-IT



wiki down

2005-06-08 Thread Maurice Lucas

Hello,

The wiki server is down

Making HTTP connection to wiki.apache.org
Alert!: Unable to connect to remote host.

With kind regards,

Maurice Lucas
TAOS-IT




Re: wiki down <<-- Solved: back online

2005-06-08 Thread Maurice Lucas

From: "Maurice Lucas" <[EMAIL PROTECTED]>
Sent: Wednesday, June 08, 2005 10:04 AM



The wiki server is down

Making HTTP connection to wiki.apache.org
Alert!: Unable to connect to remote host.



I hate to reply to myself, but forget it, it is back online.

With kind regards,

Maurice Lucas
TAOS-IT


spam sign?

2005-06-10 Thread Maurice Lucas

Hello,



I did receive an email with a lot of recipients but all of them were on a 
new line. Is this a spam sign? Maybe we could check for multiple instances of 
a To: line in a message header.


Example from the message header I did notice.



From: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

..

To: [EMAIL PROTECTED]



With kind regards,



Maurice Lucas
TAOS-IT







Newbie question

2004-09-22 Thread Maurice Lucas
Hello,
Congratulations on the first ASF release.
I'm just a spamassassin newbie.
I get the following in my logfiles
debug: bayes: no dbs present, cannot tie DB R/O: 
/tmp/spamd-4331-init/.spamassassin/bayes_toks
debug: Score set 1 chosen.

With 4331 my current PID of spamassassin.
Is there a way to force spamassassin to write bayes_toks to his homedir?
Or do I have some other problems?
I had the same problem with 2.64 but I was only testing at the moment so 3.0 
is there at the right time ;)

With kind regards,
Maurice Lucas
TAOS-IT 



two instances of SA3.0 with the same homedir

2004-09-23 Thread Maurice Lucas
Hello,
I have two instances of spamassassin (3.0) running and both use the same
auto_whitelist_path & bayes_path
Would this give me some problems?
I want both to know the same but with totally different configurations.
So the call of spamc with portnumbers give me the possibility to select the 
configuration.

Could I still use lock_method flock ?
I don't use NFS
With kind regards,
Maurice Lucas
TAOS-IT 



spamc

2004-09-24 Thread Maurice Lucas
Hello,
Has the -f "Cause spamc to safe-failover if it can't connect to spamd" from 
SA2.64 become a standard in SA3.0?
It is removed from the man-pages and I couldn't find anything about it in 
the Changes.

After testing it seems to be enabled by default.
Should I remove the option from my spamc call?
With kind regards,
Maurice Lucas
TAOS-IT 



Re: SURBL in 3.0

2004-09-30 Thread Maurice Lucas
OK - I think I have narrowed down what is happening with this, though I 
don't know why.  I have placed my local.cf file in a non-standard 
directory and I am using the --siteconfigpath=path to point to that 
directory (where my local.cf file and my own custom rules files are 
located).  For some reason this breaks the SURBL checks.  If I run 
spamassassin without that directive (and use local.cf in its standard 
installation location), the SURBL checks work fine.  Can someone else 
confirm this?  This is with 3.0.0.

So that's the reason why I don't see any SURBL checks in the headers 
(_TESTSSCORES_)

I do see  "uri tests; score so far=-2.599" in my debug logfile but never any 
line like:
2.0 URIBL_WS_SURBL Contains a URL listed in sa-blacklist
[URIs: ca-t.com]

I didn't change anything in Makefile.PL, so it's a simple install with 
a --siteconfigpath=path for starting spamd

A test message with
http://surbl-org-permanent-test-point-MUNGED.com/
without "-MUNGED"
gives the following result in the debug logfile
uri found: http://surbl-org-permanent-test-point-MUNGED.com/
And in the headers
X-Spam-Status: No, hits=-2.1 required=7.0 tests=ALL_TRUSTED=-3.3,AWL=3.193,
BAYES_20=-1.951 autolearn=ham version=3.0.0
With kind regards,
Maurice Lucas
TAOS-IT 



Net::DNS version is 0.23, but need 0.34

2004-09-30 Thread Maurice Lucas
Hello,
I have trouble with SURBL and think that it is related to the above error.
But if I test the module with CPAN or with the following script it says that 
I'm at 0.48.
(careful, I'm a complete perl newbie and a SA newbie)
#!/usr/bin/perl -T -w
use strict;
use Net::DNS;
print Net::DNS->version, "\n";

I use debian woody so Net::DNS version 0.19
I did install SA again from source but the results are the same
Does anybody have any clue?
Or is this an error for the perl mailinglist?
With kind regards,
Maurice Lucas
TAOS-IT 



[SA3.0] spamc sometimes hangs

2004-10-04 Thread Maurice Lucas
Hello,
I use spamd and spamc with SA3.0 in a sitewide configuration.
A few percent of all my connections keep the spamc call in memory.
After 500 connections I have 23 times "/usr/local/bin/spamc -c -u spamd" 
in my ps list.

Does somebody else see this?
I'm still debugging the why of this.
With kind regards,
Maurice Lucas
TAOS-IT 



Re: [SA3.0] spamc sometimes hangs

2004-10-04 Thread Maurice Lucas
From: "Maurice Lucas" <[EMAIL PROTECTED]>
Sent: Monday, October 04, 2004 9:32 AM
I use spamd and spamc with SA3.0 in a sitewide configuration.
A few percent of all my connections keep the spamc call in memory.
After 500 connections I have 23 times "/usr/local/bin/spamc -c -u spamd" 
in my ps list.

Does somebody else see this?

I'm still debugging the why of this.
The problem seems to be that spamc is still looking for input.
strace -p PID gives only recv(1,
The mail message is scanned and delivered so the mail process is correct (also 
the SA headers are included in the mail) but no end-of-file for the pipe is 
sent.

With kind regards,
Maurice Lucas 



Re: multiple score based subject/headers

2004-10-04 Thread Maurice Lucas
From: "Bob Branch" <[EMAIL PROTECTED]>
Sent: Monday, October 04, 2004 3:42 PM

I want to set spamassassin so that messages that are most definitely
spam (say, score 10+) have headers and a subject tag that indicate such,
while messages that could be false-positives (<10) have their own
separate tag.  Is this possible?

A second SA instance with a score of 0.1 and a subject line of 
***non-spam***

With kind regards,
Maurice Lucas
TAOS-IT 



Re: Memory footprint of spamd 3.0

2004-10-06 Thread Maurice Lucas
From: "Loren Wilton" <[EMAIL PROTECTED]>
Sent: Tuesday, October 05, 2004 7:42 AM
Any chance in going back to something that actually worked?   I tried
running a
2.64 version of spamd, but got a mountain of bayes-related errors.
There is an option to only run a single child, which is claimed to be
equivalent to the 2.6x implementation.  I don't recall the option
(something=1), but Theo posted it within the last day here.  And I'm 
almost
positive it is in the docs somewhere.

Just watching what people have been reporting, I've come to several
tentative conclusions on 3.0 as it currently stands:
1. I'm about 70% convinced there is an undiscovered memory leak or other
resource leak that has the equivalent result.
2. The copying of the config back and forth with preforking has a few
minor but serious problems.
3. There is a problem with spamd children getting hung out to dry on a
read that never completes.
I had this problem and I'm checking at the moment whether I found the "bug".
The message was deleted before spamc was killed so with a sleep in my spamc 
call script I hope to be able to close my problem

4. I suspect that 3.0 is inherently less memory efficient than 2.6x; but
probably not by a huge amount.

I think that when the first three problems are addressed and solved that 3.0
will become a whole lot more generally usable.

With kind regards,
Maurice Lucas
TAOS-IT 



Re: [SA3.0] spamc sometimes hangs

2004-10-08 Thread Maurice Lucas
For the archives,
On Mon, 2004-10-04 at 09:32, Maurice Lucas wrote:
I use spamd and spamc with SA3.0 in a sitewide configuration.
A few percent of all my connections keep the spamc call in memory.
After 500 connections I have 23 times "/usr/local/bin/spamc -c -u spamd" 
in my ps list.

Does somebody else see this?
I'm still debugging the why of this.
Problem solved:
My mail was injected into spamc and then delivered and deleted, but the
delete sometimes came too early.
So spamc was still looking for input which never came because of the
delete.
How to find:
lsof |grep 
Gives the error on scanning message but message deleted
Solution:
introduced a sleep 1s after calling spamc and before delivering to
qmail-queue
--
M. Lucas
TAOS-IT


SA 3.0.2? Why no mail from announce@spamassassin.apache.org

2004-12-19 Thread Maurice Lucas
By just checking the SA website I found out that there is a 3.0.2 release 
from 2004-12-16.

Why isn't there an announcement from the announce list?
Archives on GMANE and MARC are both out of date.
http://wiki.apache.org/spamassassin/MailingLists
With kind regards,
Maurice Lucas
TAOS-IT
Statistics of the TAOS-IT emailscanner for the month November 2004
Positive Predictive Value (PPV) :  100.00%
Negative Predictive Value (NPV) : 99.88%
Sensitivity : 99.58%
Specificity : 100.00%
Efficiency : 99.91%
For more information (Dutch) : http://www.taos-it.nl/emailserver.htm 



new spamsign

2005-07-20 Thread Maurice Lucas

Hello,

Is this a new spamsign?
(EHLO aalma-a.serve.WR.tnp.net) programmed
by mail.mtk.nao.ac.jp (1.9[2

the word programmed and  (1.9[2 ?

More header information

Received: from 60-240-125-223.tpgi.com.au (60-240-125-223.tpgi.com.au 
[60.240.125.223])

 by capella.taos-it.nl ([195.86.120.110])
 with SMTP via TCP; 20 Jul 2005 10:06:26 -
Received: from MVYJWipli.com
(EHLO aalma-a.serve.WR.tnp.net) programmed
by mail.mtk.nao.ac.jp (1.9[2
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 
capella.taos-it.nl

X-Spam-Level: **
X-Spam-Status: No, hits=6.8 required=7.0 tests=BAYES_80=2,
HELO_DYNAMIC_IPADDR2=3.496,MISSING_HEADERS=0.119,
MISSING_SUBJECT=1.226 autolearn=no version=3.0.4



With kind regards,

Maurice Lucas
TAOS-IT




SA 3.1.0-rc1 and rc2: Extra LF in headers

2005-09-13 Thread Maurice Lucas

Hello,

I have a problem with both 3.1.0-rc1 and 3.1.0-rc2.

Some of my mail is checked by SA and marked as spam but gets an extra LF 
causing the rest of my tools to ignore the X-Spam-Status header field.


This is a sample message, I do have more for developers. This problem isn't 
occurring on every email but on a few a day.


--- Start sample ---
Received:  from MUNGLED ([MUNGLED]) by MUNGLED with Microsoft 
SMTPSVC(6.0.3790.1830); Tue, 13 Sep 2005 00:45:20 +0200

Received:  (qmail 1327 invoked from network); 12 Sep 2005 22:45:19 -
Received:  from localhost by MUNGLED with SpamAssassin (version 3.1.0-rc2); 
Tue, 13 Sep 2005 00:45:19 +0200

Content-class: urn:content-classes:message
Subject: SPAM(43.8) Viagra letter for our subscribers
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 13 Sep 2005 09:30:55 +0200
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: SPAM(43.8) Viagra letter for our subscribers
Thread-Index: AcW366dzQ7Zbq0hdSEuQ1d1ysB6ADA==
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
From: <[EMAIL PROTECTED]>
To: =?iso-8859-1?Q?Sjarlie_Dresm=E9?= <[EMAIL PROTECTED]>

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on=20
capella.taos-it.nl
X-Spam-Level: ***
X-Spam-Status: Yes, hits=3D43.8 required=3D7.0 tests=3DBAYES_99=3D3.5,
DRUGS_ERECTILE=3D0.493,DRUGS_ERECTILE_OBFU=3D2.408,DRUG_DOSAGE=3D2.242,
=
DRUG_ED_CAPS=3D0.501,FORGED_RCVD_HELO=3D0.135,FORGED_YAHOO_RCVD=3D1.849,
=
FROM_LOCAL_NOVOWEL=3D2.861,HTML_BADTAG_30_40=3D0.124,HTML_MESSAGE=3D0.001=
,
HTML_TEXT_AFTER_BODY=3D0.115,MIME_HEADER_CTYPE_ONLY=3D0,
MIME_HTML_ONLY=3D0.001,NO_REAL_NAME=3D0.961,RCVD_IN_NJABL_DUL=3D1.946,
RCVD_IN_SORBS_DUL=3D2.046,SARE_SUPERVIAGRA=3D2.222,UPPERCASE_25_50=3D0,
URIBL_AB_SURBL=3D3.812,URIBL_BLACK=3D3,URIBL_JP_SURBL=3D4.263,
URIBL_OB_SURBL=3D3.008,URIBL_SBL=3D1.639,URIBL_SC_SURBL=3D4.498,
URIBL_WS_SURBL=3D2.14 autolearn=3Dno version=3D3.1.0-rc2
MIME-Version: 1.0
Content-Type: multipart/mixed; =
boundary=3D"--=3D_432604FF.0E79FAA5"
Return-Path: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 12 Sep 2005 22:45:20.0139 (UTC) =
FILETIME=3D[A74435B0:01C5B7EB]
Date: 13 Sep 2005 00:45:20 +0200

This is a multi-part message in MIME format.

--- End sample ---

One of the strange things in this message is the generation of the message 
ID.

Message-ID: <[EMAIL PROTECTED]>
This ID is generated by my in-house exchange server.
The same with this header:
Message-ID: <[EMAIL PROTECTED]>

So there are two Message-ID headers in this mail but only one is in the 
headers; the other is in the body.


Another strange thing with all these messages is the insertion of the 3D 
before every score.


With kind regards,

Maurice Lucas



Re: SA 3.1.0-rc1 and rc2: Extra LF in headers

2005-09-15 Thread Maurice Lucas

From: "jdow" <[EMAIL PROTECTED]>

From: "Maurice Lucas" <[EMAIL PROTECTED]>


Hello,

I have a problem with both 3.1.0-rc1 and 3.1.0-rc2.

Some of my mail is checked by SA and marked as spam but gets an extra LF 
causing the rest of my tools to ignore the X-Spam-Status header field.


This is a sample message, I do have more for developers. This problem 
isn't occurring on every email but on a few a day.


--- Start sample ---
Received:  from MUNGLED ([MUNGLED]) by MUNGLED with Microsoft 
SMTPSVC(6.0.3790.1830); Tue, 13 Sep 2005 00:45:20 +0200

Received:  (qmail 1327 invoked from network); 12 Sep 2005 22:45:19 -
Received:  from localhost by MUNGLED with SpamAssassin (version 
3.1.0-rc2); Tue, 13 Sep 2005 00:45:19 +0200

Content-class: urn:content-classes:message
Subject: SPAM(43.8) Viagra letter for our subscribers
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 13 Sep 2005 09:30:55 +0200
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: SPAM(43.8) Viagra letter for our subscribers
Thread-Index: AcW366dzQ7Zbq0hdSEuQ1d1ysB6ADA==
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
From: <[EMAIL PROTECTED]>
To: =?iso-8859-1?Q?Sjarlie_Dresm=E9?= <[EMAIL PROTECTED]>

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on=20
capella.taos-it.nl
X-Spam-Level: ***


THAT may explain what the mad Russian is doing with these high scoring 
spams.
He found a hole that affects systems that use the X-Spam-Flag for 
something

important. (I don't. I route via the spam message in the subject.)

I wonder if he is ending the line with  to create that 
confusion.

Supposedly a lone  not preceded by a  is not really a newline for
email. But SpamAssassin, thinking 'ix-ishly, does. If so I gotta give the
guy credit for being passably clever.



I don't think this is the problem because I have fixcrio installed before my 
qmail daemon to filter out all the bare LFs.


I opened bug report 4585.

With kind regards,

Maurice Lucas
TAOS-IT
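Both the original report above and this reply turn on where SpamAssassin's X-Spam-* fields ended up. What the sample shows is a message whose header block is terminated by a blank line right after the To: field; everything after that, including X-Spam-Flag and X-Spam-Status, is parsed as body. Since the body is declared quoted-printable, every "=" in those lines is written on the wire as "=3D", which is exactly the "3D before every score" the report asks about, and a second Message-ID inside the body is the same effect. The Python below is an added example (not code from SpamAssassin, qmail, or any of the posters) that rebuilds this on a constructed message: it reports whether X-Spam-Status is a real header or only a body line, decodes the quoted-printable body, and recovers the score from the misplaced line. Hostnames and addresses are invented placeholders.

```python
import re
from email import message_from_bytes
from email import policy

# Constructed sample, modelled on the munged message in the report: the blank
# line after the To: field ends the header block early, so the X-Spam-* fields
# SpamAssassin inserted land in the quoted-printable body.
SAMPLE = b"\r\n".join([
    b"Received: from localhost by mx.example.test with SpamAssassin (version 3.1.0-rc2);",
    b"\tTue, 13 Sep 2005 00:45:19 +0200",
    b"Subject: SPAM(43.8) Viagra letter for our subscribers",
    b"MIME-Version: 1.0",
    b'Content-Type: text/plain; charset="iso-8859-1"',
    b"Content-Transfer-Encoding: quoted-printable",
    b"From: <sender@example.test>",
    b"To: <victim@example.test>",
    b"",  # premature end of the header block
    b"X-Spam-Flag: YES",
    b"X-Spam-Status: Yes, hits=3D43.8 required=3D7.0 tests=3DBAYES_99=3D3.5,",
    b"\tURIBL_WS_SURBL=3D2.14 autolearn=3Dno version=3D3.1.0-rc2",
    b"",
    b"This is a multi-part message in MIME format.",
    b"",
])

# The same message with the stray blank line removed: what it should look like.
FIXED_SAMPLE = SAMPLE.replace(b"\r\n\r\nX-Spam-Flag:", b"\r\nX-Spam-Flag:", 1)

SCORE_RE = re.compile(r"^X-Spam-Status:.*?hits=([0-9.]+)",
                      re.IGNORECASE | re.MULTILINE)


def parse(raw):
    return message_from_bytes(raw, policy=policy.default)


def decoded_body(raw):
    """Body after the Content-Transfer-Encoding (quoted-printable here) is undone,
    so '=3D' on the wire is back to '='."""
    payload = parse(raw).get_payload(decode=True) or b""
    return payload.decode("iso-8859-1")


def spam_status_location(raw):
    """'header' if X-Spam-Status is a real header field, 'body' if it only
    appears inside the message body, 'missing' otherwise."""
    if parse(raw).get("X-Spam-Status") is not None:
        return "header"
    if SCORE_RE.search(decoded_body(raw)):
        return "body"
    return "missing"


def body_score(raw):
    """Score recovered from an X-Spam-Status line that slipped into the body,
    or None when the body carries no such line."""
    m = SCORE_RE.search(decoded_body(raw))
    return float(m.group(1)) if m else None


if __name__ == "__main__":
    for label, raw in (("broken", SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(label, spam_status_location(raw), body_score(raw))
```

A downstream filter that keys on X-Spam-Flag or X-Spam-Status would see the "broken" message as unscored; checking `spam_status_location` on messages that arrive unscored is a quick way to tell a parsing problem like this from a scanner that never ran.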



Re: Explosion in uk.geocities.com spam

2005-10-10 Thread Maurice Lucas

Matthew Newton wrote:

On Sat, Oct 08, 2005 at 10:01:22PM -0700, Loren Wilton wrote:

They use html and tables very smart, thus avoiding Bayes rules.
Basically it is an invisible tables, using one row and several
columns. The first column contains the first letter of every line,
separated by "" and optionally some style-tags (b, i, etc.).
Next column contains several more characters for each line, etc.


Leo.  There are a good 9 or 10 variations on this now.  The SARE
rulesets have a number of rules that catch many of these, though not
all of them.


On the assumption that "normal" URLs don't use the construct /? in
them, and especially at geocities (are CGI scripts even allowed
there?) how about the following?

full  UOLCC_UKGEO /http:\/\/uk.geocities.com\/[A-Z]?[a-z]{2,20}_[A-Z]?[a-z]{2,20}(?:_[A-Z]?[a-z]{2,20})?\d{0,4}\/\?[\w=\.]{3}/
describe  UOLCC_UKGEO UK Geocities exploitation
score UOLCC_UKGEO 4.0

I've been testing this for a couple of weeks now, and have had no
complaints yet (but I do not have a corpus of spam to test it
with, though, so can't be too sure).

It could possibly also be condensed to the following (completely
untested):

full  UOLCC_UKGEO /http:\/\/..\.geocities\.com\/[A-Za-z0-9_]{2,40}\/\?[\w=\.]{3}/


I saw somebody else use
uri  UK_GEOCITIES   m'^http://uk\.geocities\.com\b'i
describe UK_GEOCITIES Body contains spammed domain
score   UK_GEOCITIES 3.0
uri  MSN_SPACES  m'^http://spaces\.msn\.com\/members\b'i
describe MSN_SPACES Body contains spammed domain
score   MSN_SPACES 3.0
uri  IT_GEOCITIES   m'^http://it\.geocities\.com\b'i
describe IT_GEOCITIES Body contains spammed domain
score   IT_GEOCITIES 3.0

PLEASE NOTE: I haven't used it myself so I don't know the FP count of these 
rules


With kind regards,

Maurice Lucas
TAOS-IT



spambot error

2005-10-14 Thread Maurice Lucas

Hello,

An easy check for a spambot signature in spam

Received: from eavesdrop (192.168.97.87)
by {%DOMAIN_FROM} (Biquadratic vy 5.96) with SMTP id RDNnwt-qBDWUk-Ss
for <{%MAIL_TO}>; Fri, 14 Oct 2005 04:04:03 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "{%NAME_FROM}" <{%MAIL_FROM}>
To: "{%NAME_TO}" <{%MAIL_TO}>
Subject: Victoire Whidbee Just do it
Date: Fri, 14 Oct 2005 04:03:59 -0500

With kind regards,

Maurice Lucas
TAOS-IT
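The post above and the earlier "spam sign?" post both describe a header anomaly that is cheap to test for: Received:, From: and To: fields still carrying a spambot template's placeholders such as {%DOMAIN_FROM} or {%MAIL_TO} (the template was never expanded), and a message whose recipients are spread over several To: fields. The Python below is an added example, not code from SpamAssassin or from the posters, that tags both signs on a parsed message. Sample messages are constructed; the placeholder fields reuse the lines quoted in the post above, the addresses are invented.

```python
import re
from email import message_from_string
from email import policy

# Unexpanded spambot template variables such as {%DOMAIN_FROM} or {%MAIL_TO}.
PLACEHOLDER = re.compile(r"\{%[A-Z_]+\}")


def header_spam_signs(raw):
    """Return a list of tags for the header anomalies found in `raw`.

    compat32 keeps header values as plain strings, so a malformed address
    field like '"{%NAME_TO}" <{%MAIL_TO}>' is inspected rather than parsed.
    """
    msg = message_from_string(raw, policy=policy.compat32)
    signs = []
    to_count = len(msg.get_all("To", []))
    if to_count > 1:
        signs.append("MULTIPLE_TO_HEADERS:%d" % to_count)
    for name, value in msg.items():
        if PLACEHOLDER.search(value):
            signs.append("UNFILLED_TEMPLATE:%s" % name)
    return signs


# Constructed sample 1: recipients split over repeated To: fields, as in the
# "spam sign?" post.
MULTI_TO = "\n".join([
    "From: sender@example.test",
    "To: one@example.test",
    "To: two@example.test",
    "To: three@example.test",
    "Subject: hello",
    "",
    "body text",
])

# Constructed sample 2: the Received/From/To fields quoted in the "spambot
# error" post, placeholders left exactly as the bot sent them.
TEMPLATE = "\n".join([
    "Received: from eavesdrop (192.168.97.87)",
    "\tby {%DOMAIN_FROM} (Biquadratic vy 5.96) with SMTP id RDNnwt-qBDWUk-Ss",
    "\tfor <{%MAIL_TO}>; Fri, 14 Oct 2005 04:04:03 -0500",
    'From: "{%NAME_FROM}" <{%MAIL_FROM}>',
    'To: "{%NAME_TO}" <{%MAIL_TO}>',
    "Subject: Victoire Whidbee Just do it",
    "",
    "body text",
])

# Constructed sample 3: an ordinary message that should raise no tag.
CLEAN = "\n".join([
    "From: sender@example.test",
    "To: one@example.test",
    "Subject: hello",
    "",
    "body text",
])

if __name__ == "__main__":
    for label, raw in (("multi-to", MULTI_TO), ("template", TEMPLATE), ("clean", CLEAN)):
        print(label, header_spam_signs(raw))
```

Both checks look only at the header block, so they are cheap enough to run before any network tests; how much weight to give them is a scoring decision for your own corpus.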



Re: Qmail question..

2005-11-08 Thread Maurice Lucas

Robert Leonard wrote:

Can anybody point me to a good forum for Qmail? I'm a newb and a
windows guy so this is quite the daunting thing!  What I want to
figure out is how to get qmail w/ tcpserver to allow incoming smtp
connections from only SPECIFIC IP's.. I'm getting flooded by mail
coming from places I shouldn't be getting mail from!

Please, this isn't the list for yet another qmail vs postfix flame war. I've 
seen too many.


For a good place with a lot of useful support look at the qmail mailing list 
qmail@list.cr.yp.to


see also http://qmail.org/top.html and for the latest version 
http://qmail.org/netqmail-1.05.tar.gz


192.168.1.:deny
192.168.2.1:deny
will kill all traffic from 192.168.1.0/24 and 192.168.2.1/32

For the qmail mailinglist don't use qmailrocks but lifewithqmail.org
qmailrocks will give you a qmail install with a lot of stuff you don't need 
like so many other mailserver software.


With kind regards,

Maurice Lucas
TAOS-IT
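The two tcpserver rule lines above rely on how ucspi-tcp's tcprules matches a client address: a pattern ending in a dot is a prefix, so `192.168.1.:deny` covers the whole 192.168.1.0/24, while `192.168.2.1:deny` covers one host. As an added example (not code from qmail or ucspi-tcp), the Python below evaluates a small constructed tcp.smtp against client IPs using the lookup order I assume here from the tcpserver documentation: the exact address first, then each shorter dotted prefix, then the empty-address default rule. The `127.:allow,RELAYCLIENT=""` and `:allow` lines are my additions to the sample; the two deny lines are the ones from the post.

```python
# Constructed tcp.smtp, built around the two lines quoted in the post.
RULES_TEXT = """\
# deny a whole /24 by writing the prefix with a trailing dot
192.168.1.:deny
# deny one host
192.168.2.1:deny
# local clients may relay; RELAYCLIENT is exported into the environment
127.:allow,RELAYCLIENT=""
# empty address part: the default for everyone else
:allow
"""


def parse_rules(text):
    """Map address pattern -> action string ('allow[,VAR=...]' or 'deny')."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, action = line.partition(":")
        rules[addr] = action
    return rules


def candidate_keys(ip):
    """Lookup keys from most to least specific: the full address, then each
    dotted prefix ('1.2.3.', '1.2.', '1.'), then the empty default key.
    This order is an assumption about tcprules, not taken from the post."""
    octets = ip.split(".")
    keys = [ip]
    for n in (3, 2, 1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")
    return keys


def decision(rules, ip):
    """Return (verdict, environment) for the first matching rule, or None
    when no rule, not even a default, matches."""
    for key in candidate_keys(ip):
        if key in rules:
            verdict, _, env = rules[key].partition(",")
            return verdict, env
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for ip in ("192.168.1.77", "192.168.2.1", "192.168.2.2", "127.0.0.1", "10.0.0.5"):
        print(ip, decision(rules, ip))
```

The practical check this gives you is a dry run of a rules file before compiling it with tcprules: a host-specific deny only wins because the exact address is tried before its prefixes, and forgetting the trailing dot on `192.168.1.` would turn a network rule into a rule for the non-existent address "192.168.1".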




Re: 'lngd' etc

2005-11-17 Thread Maurice Lucas

Jonathan Nichols wrote:

You know, these days, the *only* spam that slips through is "product
test panel" and similar crap. The URL is always similar to this one:

http://lngd-pp.com/link/91268749298550548/

Usually 4 letters, dash, 1 or 2 letters, and what looks like a
'hashbuster' 


Anyone found a way to effectively dunk this stuff?
Yes, I'm feeding them all to Bayes. :-)


Add uribl to your setup; it will add 3 points to this URI.
www.uribl.com

With kind regards,

Maurice Lucas
TAOS-IT


Re: Spamassassin with daemontools ?

2005-12-02 Thread Maurice Lucas

Noc Phibee wrote:

Hi

actually, i run SpamAssassin 3.0.4 with Daemontools
(/service/spamassassin)
I start the installation of a new server with 3.1.0 version ;=)
What do you thinks that start SpamAssassin 3.1.0 by daemontools ?
it's best or no change of traditionnal /etc/init.d/spamassassin ?



cat spamd/run
#!/bin/sh
#
# -m num, --max-children num Allow maximum num children
# -a, --auto-whitelist, --whitelist  Use auto-whitelists
# -s facility, --syslog=facility Specify the syslog facility (default: mail)


exec 2>&1
exec /usr/local/bin/spamd -D -m 10 -u spamd -s stderr

cat spamd/log/run
#!/bin/sh
exec setuidgid spamdlog multilog \
   t s5242880 n20 '+*' !/usr/bin/bzip2 /var/log/spamd \
   t s1048576 n5 '-*' '+*info: spamd: identified spam*' /var/log/spamd/spam \
   t s1048576 n5 '-*' '+*info: spamd: clean message*' /var/log/spamd/clean


With kind regards,

Maurice Lucas
TAOS-IT



RE: Poor man's high MX spam Trap

2007-01-30 Thread Maurice Lucas
On Tue, 2007-01-30 at 07:47 -0500, Joey wrote:
> -Original Message-
> From: John Rudd [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, January 30, 2007 1:20 AM
> To: David B Funk
> Cc: users@spamassassin.apache.org
> Subject: Re: Poor man's high MX spam Trap
> 
> David B Funk wrote:
> > On Mon, 29 Jan 2007, John Rudd wrote:
> > 
> >> It doesn't have to be firewalled.  It just has to be non-answering on 
> >> port 25.  It's called "nolisting".
> >>
> >> I've thought about doing something similar.  Nolisting only says:
> >>
> >> MX 1  non-answering.host
> >> MX 10 real.host
> >>
> >> But adding the non-answering host to the end seems like a good idea 
> >> to me (for all of the spammers that try to attack the secondaries).
> >>
> >> There IS a risk of losing mail.  But only if the sender is a non-RFC 
> >> compliant MTA.  Which, in theory, might be legit.. but I bet in 
> >> practice, for this particular RFC issue, it's a near zero level of risk.
> > 
> > 
> > Um, given that the RFCs (2821, etc) say that the MXs should be tried 
> > in order with the most preferred (lowest numeric value) first, 
> > wouldn't that scheme result in delays on all messages (as well as lost 
> > mail from servers that only try the "best" MX)?
> 
> Small delays.  They should try all of your MX hosts, in decreasing priority
> order (increasing MX value order) until they get a success. 

Success of what?
250 message accepted or connection accepted?

> That's also in the RFC.  So:
> 
> a) the hosts that don't try the 2nd MX, aren't RFC complaint.
> b) the delay should only be as much as it takes to timeout on the connection
> to the highest priority, lowest MX number, non-answering, MX host.  Plus
> maybe one queue retry (depending on whether it tries the 2nd MX right away
> or after a queue retry interval).
> 
> > Why make your "best" MX be the non-answering.host?
> 
> Because, according to the nolisting proponents (which I am not, I am just
> experimenting and exploring the concept), the vast majority of the hosts
> that don't do (a), above, are spam/virus sources.  And, they say, the hosts
> that don't do (a), but are legitimate, are so vanishingly small as to not be
> worth worrying about.

All of the qmail mail servers only connect to a higher-distance MX
server if and only if the lowest MX doesn't accept the connection. 
And "doesn't accept the connection" means no 4xx or 5xx error, just
nothing.
If a connection is made to a listening device then a higher MX is
never tried.

> 
> -
> 
> 
> OK I caught this at the end and I'm seeing 2 potential tools to reduce spam.
> 
> 1. is the non-answering host as the primary.   Correct me if I'm wrong but
> the delay would be almost non-exsistant because the time it takes for the
> connection to timeout is almost non-existant and would be better then
> greylisting which can cause huge delays based on sending servers not being
> correctly configured.
> 
> 2. I see the tarpit of creating a high ranking MX which would capture
> information of spammers that would be dropped into a reject list.
> 
> Does this fairly describe what we are talking about here?
> 
> Ralf, or Wietse what do you think of these 2 techniques?
> I basically dropped greylisting last week because of the headaches it was
> causing with multiple sending smtp servers, and I have seen a huge increase
> in spam, method one here sounds like a great replacement.
> 

-- 
With kind regards,

Maurice Lucas
TAOS-IT
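The thread above argues about three sender behaviours against one MX layout: a compliant sender walks the MX list from the lowest preference value upwards until a host accepts the connection; a non-compliant sender tries only the most preferred host; and a bot goes straight for the highest-numbered "backup" MX, which is why a trap placed there sees mostly bot traffic. The reply above adds that qmail moves on to the next MX only when the TCP connection itself fails, not on a 4xx or 5xx reply. The Python below is an added simulation of those three walks, not code from any MTA or from the thread's participants; the MX records, hostnames and per-host replies are constructed for the example.

```python
# Constructed MX set for a domain that combines "nolisting" (a non-answering
# host at the best preference) with a trap at the worst preference.
MX_RECORDS = [
    (100, "tarbaby.example.test"),
    (1, "nolisting.example.test"),
    (10, "real.example.test"),
]

# Constructed behaviour of each host on port 25: None means the TCP connect
# fails (nothing listens there), otherwise the SMTP reply the sender ends with.
REPLY = {
    "nolisting.example.test": None,
    "real.example.test": "250",     # real MX accepts the message
    "tarbaby.example.test": "451",  # trap accepts the connection, defers after DATA
}


def ordered_mx(records):
    """Hosts in the order a compliant sender tries them: lowest preference first."""
    return [host for _, host in sorted(records)]


def try_host(host, table=REPLY):
    """Stand-in for connecting to port 25 and running the SMTP dialogue."""
    return table.get(host)


def compliant_delivery(records, try_host=try_host):
    """Walk the MX list until a host accepts the TCP connection. Once a host
    answers, the outcome (even a 4xx) is taken from that host and no further
    MX is tried, which is what the reply above says qmail does.
    Returns (host_used, reply, hosts_tried)."""
    tried = []
    for host in ordered_mx(records):
        tried.append(host)
        reply = try_host(host)
        if reply is not None:
            return host, reply, tried
    return None, None, tried


def best_only_delivery(records, try_host=try_host):
    """Non-compliant sender that gives up after the most preferred MX."""
    host = ordered_mx(records)[0]
    reply = try_host(host)
    return (host if reply else None), reply, [host]


def worst_first_delivery(records, try_host=try_host):
    """Bot that goes straight for the highest-numbered 'backup' MX."""
    host = ordered_mx(records)[-1]
    reply = try_host(host)
    return (host if reply else None), reply, [host]


if __name__ == "__main__":
    for walk in (compliant_delivery, best_only_delivery, worst_first_delivery):
        print(walk.__name__, walk(MX_RECORDS))
```

Read against the thread: the compliant sender pays one failed connect and then delivers to the real host; the best-only sender loses the message, which is the risk the nolisting critics point at; and only the worst-first sender ever reaches the trap, which is the population the trap's blacklist is built from.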



RE: best way to mark TLDs as spam

2009-06-03 Thread Maurice Lucas - TAOS-IT
> Hello: I am attempting to configure SA to mark as spam all email from
> Top-Level-Domains other than .com, .net, and .edu.
> I have found three possible ways to do this.  Which if any is the
> preferred
> method:
> 
> 1) blacklisting in local.cf:
>add blacklist_from *.info, blacklist_from *.tv, blacklist_from *.fr,
> ...
>requires 1 entry per undesired TLD, including one for each country
> 
> 2) tweak the scores of existing rules in local.cf:
>set custom scores for existing rules
>requires knowing exactly which rules to set the custom score for
> 
> 3) Create custom rule:
>design a custom rule that sets score to 5 where FROM:
> NOT=.com|.net|.org
> 
> 4) Some other way:
>is there an easiery or more established solution to this?
> 
> TIA for any assistance you can provide,
>

I really want to help you but I'm sorry you don't want my answer

Sorry *.nl user.
Better luck in your next life ;)

With kind regards,
 
Maurice Lucas
 
TAOS-IT

Paulus Buijsstraat 191
2613 HR  Delft
www.taos-it.nl
KvK Haaglanden nr. 27254410
 
  Think of the environment; is printing this e-mail really necessary?



RE: was failsafe option, old hardware

2009-06-03 Thread Maurice Lucas - TAOS-IT
> > It's getting a little off topic, but keeping old hardware
> > because it still works can be a bit of a false economy.
> > Yeh, it's nice to have it working and useful rather than
> > landfill. But on the other hand, they are so inefficient
> > as far as watts used, you could pay for new hardware with
> > the energy savings.
> 
> Hah. The CPU does not even have a cooler on it! All there is PSU fan.
> 
> Such a machine can not waste energy, at least it does not generate
> heat..

But keep in mind that newer hardware may or may not be more energy efficient 
but it has more processing power.
So you can use one faster newer machine with x Watt energy or use several x 
Watt older machines to do the same task.

I now have a new HP DL385G5p using 80 Watt running 1 linux server and a windows 
2008 server (using ESX).

This server is built to be used to replace 4 old machines and be one new machine 
(Windows 2008), and my old machines don't use less than 20 to 40 Watt apiece.

So sometimes it is better to buy new and sometimes it is better to use old 
hardware.

CAVEAT: I have only installed one power supply at the moment. But normally HP 
have dynamic power and can "shut down" an unused power supply.

With kind regards,
 
Maurice Lucas
 
TAOS-IT

Paulus Buijsstraat 191
2613 HR  Delft
www.taos-it.nl
KvK Haaglanden nr. 27254410
 
  Think of the environment; is printing this e-mail really necessary?