RE: dynablock.njabl.org ends (and resolving pbl.spamhaus.org)
R Lists06 wrote:
> It resolves, just remember to do this to test
>
> dig pbl.spamhaus.org any
>
> Or
>
> dig pbl.spamhaus.org ns
>
> - rh
>
> --
> Robert - Abba Communications
> Computer & Internet Services
> (509) 624-7159 - www.abbacomm.net

Yes, stupid me didn't read the FAQ :-0

Regards
Menno van Bennekom

--
View this message in context: http://www.nabble.com/OT%3A-dynablock.njabl.org-ends-%28and-resolving-pbl.spamhaus.org%29-tf3058362.html#a8504413
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
OT: dynablock.njabl.org ends (and resolving pbl.spamhaus.org)
Maybe interesting for those that use dynablock.njabl.org (as I do at the MTA-level). Got an email last Friday from njabl about dynablock.njabl.org, it's no longer maintained by njabl but is now only a copy of the pbl.spamhaus.org list. Eventually the dynablock.njabl.org zone will be emptied.

By the way, pbl.spamhaus.org doesn't resolve at this moment, same problem with sbl-xbl.spamhaus.org, xbl.spamhaus.org etc. So I'll not be switching to pbl.spamhaus.org for now...

Below is a copy of the email.

Regards
Menno van Bennekom

With the advent of Spamhaus's PBL (http://spamhaus.org/pbl/), dynablock.njabl.org has become obsolete. Rather than maintain separate similar DNSBL zones, NJABL will be working with Spamhaus on the PBL.

Effective immediately, dynablock.njabl.org exists as a copy of the Spamhaus PBL. After dynablock users have had ample time to update their configurations, the dynablock.njabl.org zone will be emptied.

Other NJABL zones (i.e. dnsbl, combined, bhnc, and the qw versions) will continue, business as usual, except that combined will eventually lose its dynablock component.

If you currently use dynablock.njabl.org we recommend you switch immediately to pbl.spamhaus.org.

If you currently use combined.njabl.org, we recommend you add pbl.spamhaus.org to the list of DNSBLs you use.

You may also want to consider using zen.spamhaus.org, which is a combination zone consisting of Spamhaus's SBL, XBL, and PBL zones.

***
Re: mail bounce warning for the list
Jim Maul wrote:
> I think pretty much everyone understands WHY people use these BLs. This
> is not the point. The point is, it's not a very good solution.

Why I have to use RBL's at the MTA level is because many providers still allow direct SMTP. So all the botnets can send their garbage around freely, forcing the use of the provider's mail-server stops that. Probably new bots will be made that find out the right mail-server but then the provider can detect the spamming machine easily.

If you don't want the provider to read your mail you could encrypt it. I know, this has been discussed here many times, some have problems with this but I haven't seen any unsolvable ones yet..

Regards
Menno van Bennekom
RE: mail bounce warning for the list
Chris Santerre wrote:
> This isn't the best idea for a large ISP, but for companies I see no problem
> rejecting on RBLs when you have a trained administrator.

I agree! Not that I use spamcop as a blacklist, maybe it's better now but I've seen them blocking mailservers from aol, hotmail and the like so I only give it a score in SA.

But I'm very happy with the lists I do use for blocking in Postfix, it saves my mailservers a lot of work. Dynablock.njabl.org and dul.dnsbl.sorbs.net are used to block dynamic and dialup lines. I know there are also some non-dynamic addresses in those lists, but I don't mind as long as the provider's mail-servers (like smtp.provider.com) are not blocked. In the last 4 years I only had to white-list 10 addresses. Another block-list I use is cbl.abuse.org, AFAIK there hasn't been one false positive yet.

The last blocking lists are my own ones, during the years I collected spam-networks and ip-segments of countries (KR, CN etc) in a file with about 2000 ip-segments and domain-names (pool/broadband/dsl.provider.com etc). Also machines with viruses are put into this file. In the error message I typed the hint to use 'smtp.provider.com' if they want to send me some real mail. At the spamcop site 'statistics' page you can see the segments with the most spam, they match nicely with my maillogs.

I know my server would be in big trouble if I wouldn't use these blocking methods, no way it would be able to keep up..

Regards
Menno van Bennekom
Re: Images spams cropping up again
Bill Randle wrote:
> Would you be willing to share the postfix rules you are using to block
> these?

I don't think that would be wise, I'm afraid they are a bit too risky and simple for general use.. In most of them I've put the mail on HOLD so I can still inspect for FP's, probably not workable on larger sites.

I simply collect similar spam in a directory (copied from my amavisd archive dir) and with cat/lowercase/sort/awk utils find out what 'interesting' long string is at least once in all spam-files. Even the MIME-part is (mis-)used for this. I test that on a HAM-dir (and on other spam to maybe find a more general use or patterns) and then place it in body_checks.regexp.

During last night 82 mails went on HOLD because of a month old rule, all spam (only looking at the weird sender-addresses says enough, also the file-sizes are comparable in spam-batches). Some rules get hit more than a year long and others last only a day (then it's a waste of time). It's time consuming and not a necessity (SA tags most of it) but I'm a little (too) fanatic to prevent SPAM from getting into the users mailboxes.

BTW more spam here is blocked because of blocklists, blocked ip-ranges/domains (china/korea/..), checks on the helo etcetera than with postfix rules.

Regards
Menno
Re: Images spams cropping up again
Robert Fitzpatrick wrote:
> I used some recipes found with the help of this list that pretty much
> wiped out these images spams until this morning they are coming through
> again different, of course. Is the OCR solution what I need to do? If
> so, can someone point me to some info or suggest how to set this up?

Here too, much more than other days during the last 24 hours. Most (the ~30k ones) were blocked by existing postfix rules, but some were different and got through. ImageInfo didn't hit on them, but SA scored them as SPAM anyway. I made two new postfix rules to block them (for now..). Hope OCR will catch them for you, might try that too if it gets worse.

Regards
Menno van Bennekom
Re: statistic amavisd + spamassassin
Markus Edholm wrote:
> I'm looking for some simple statistic script
> using amavisd and spamassassin just to see how my own and "standard"
> rules work

There are several simple scripts for amavisd/SA but it depends on what info you want. For example in the list on http://www.ijs.si/software/amavisd/ the second amavislogsumm works. I use pflogsumm (http://jimsun.linxnet.com/postfix_contrib.html). This one works fine too: http://www.flakshack.com/anti-spam/nosack-spamreport.pl.

Regards
Menno van Bennekom
Re: Image spam with inline jpeg image
Ramprasad wrote:
> But still this mail is getting thru
> http://ecm.netcore.co.in/tmp/imagespam.txt

I tested your mail here with the latest imageinfo.pm and it comes through indeed. The exact same one in .gif (same text, same background) was detected though. It was even my first and only image-spam that got a LARGO score since the install last week, I don't get many of those spams..

Regards
Menno
Re: ImageInfo plugin for SA
Bill Randle wrote:
> In the last 11 hours since I installed the plugin, it's caught 837
> messages.

Good for you! I'm now at 11 hours too and in the meantime only 12 image spams came in, 11 were discarded by postfix rules, 1 new one came through and was caught by SA but was not marked by the image-info rules. Not really spectacular, maybe I should remove all the spam-rules and blocklists in Postfix so I get to see some action, or type our 1500 mailaddresses in on a 'remove me' page ;-)

Regards
Menno
Re: ImageInfo plugin for SA
I'm having a bit of trouble getting this ImageInfo to hit anything. For example the attached image gives no hit, maybe because it seems to be snowing on the image or because I configured something wrong. Could somebody check if this viewer81.gif picture triggers the imageinfo rule? (first time I upload a file with nabble so not sure how it will appear)

http://www.nabble.com/user-files/196/viewer81.gif

Thanks
Menno van Bennekom
Re: ImageInfo plugin for SA
Maurice Lucas wrote:
> Maybe I'm off their spamlist ;) but I think I'm just lucky for a few
> hours.

I've got zero hits here so far, very little image-spam comes in and what does is discarded by postfix rules. We'll see after the weekend..

Regards
Menno
Re: ImageInfo plugin for SA
Matthias Keller wrote:
> It seems to load fine but I get some errors every time I run a check:
> warn: plugin: failed to load plugin /etc/mail/spamassassin/ImageInfo.pm:
> No such file or directory

Yes, I had to comment this line in 70_imageinfo.cf:

#loadplugin Mail::SpamAssassin::Plugin::ImageInfo ImageInfo.pm

Then it loads fine. I'm still testing with some examples though.

Regards
Menno
Re: What changes would you make to stop spam? - United Nations Paper
Kenneth Porter wrote:
> Will ISP's do anything? Are they doing anything now for outbound spam?

They will have to, otherwise they will end up in a blacklist ;-) Most of the ISP's here are already scanning on inbound spam, not too hard to do it for outgoing then. The ISP I use the most reacts quite fast on abuse. And they have already used an automatic shutoff of clients in the time of virus outbreaks, that traffic got detected and then all you could access was 1 page with an explanation how to get connected again. That's doable too by counting the amount of outgoing spam I think.

> BTW, are there any SMTP providers operating independent of ISP's, sorta
> like independent newsgroup providers, so that one can use authenticated
> SMTP over the submission port to that provider instead of one's ISP?

Yes, the ones who I know about offer anti SPAM/virus services. We've used cleanport for a while for that. It wasn't authenticated but firewalled, SMTP was only opened up for certain IP-addresses of ours.

Regards
Menno
Re: What changes would you make to stop spam? - United Nations Paper
Kenneth Porter wrote:
> What I don't understand is how making them use the ISP server stops them
> from spamming any more than rate-limiting direct port 25 connections. Why
> do the packets need to be reassembled in an MTA and stored and forwarded?
> What does that step buy you?

I don't want to make the zombies use the ISP's SMTP server, I want to stop them from spamming. Right now they can only connect directly to the Internet so if the ISP blocks direct SMTP outgoing the zombies stop working, they can't deliver their spam. Probably they will then be adapted to figure out and use the ISP's SMTP server, but that makes them easy to detect for the ISP.

Apart from the SMTP-servers from the ISP there may be some other addresses you legitimately want to access with SMTP, could be serviced by the ISP with a web-interface where you can configure a certain number of accessible IP-addresses.

Regards
Menno van Bennekom
Re: What changes would you make to stop spam? - United Nations Paper
jdow wrote:
> The direct in that case is probably the fault of the underlying cable
> provider more than Earthlink. Did the spam come through the Earthlink
> servers or merely from an address that claimed to be Earthlink? By the
> way, there is no such address as "cable.earthlink.net". The address
> may have been spoofed.

Of course cable.earthlink.net does not exist, you must be joking ;-) and no it is not spoofed. I mentioned 'cable' so that you could see it is not sent through the server but directly, meaning port 25 to the Internet seems still wide open for that host. Here's the complete address:

user-0c2i63l.cable.earthlink.net [24.41.24.117]

Spamassassin got that one fine with URIBL_JP_SURBL and GAPPY_SUBJECT! But I rather didn't get it at all.. I know I want too much (or too little in this case).

Regards
Menno
Re: What changes would you make to stop spam? - United Nations Paper
jdow wrote:
> Menno, if the Earthlink "progressive delays" strategy is adopted then
> even spam relayed through ISPs becomes time expensive.

Personally I don't believe much in delaying/throttling, there are so many zombies that it's just a matter of dispersing the load intelligently. I can see in my mail-logs in the rejects that tactics like that are used, many of the same spam arrives at the same moment on our server coming from different addresses all over the world. And each zombie picks another one of our mailaddresses that got on a spamlist.

But there is also a spambot-version that uses a kind of burst-mode, in about 1 minute it spams all addresses on the spamlist at topspeed and then that zombie is (until now) never used again, so blocking it on IP is somewhat useless. Maybe throttling that one can help a little, but not very much I think.

jdow wrote:
> Add to that smtp-auth pointing directly to the perpetrator and Earthlink has a
> clear excuse to block email except to their help desk or even to
> block all Internet access except to a page of their own suggesting
> that the perpetrator or malware on the perpetrator's machine is spewing
> spam and the situation should be remedied. "Help can be found here"
>
> Of course, then if you have the spammer friendly ISPs and registrars
> in the picture it's all null and void.
>
> Something I do not know and suspect is REALLY hard to ascertain until
> recently when Earthlink went smtpauth only, is how much REAL spam
> actually does originate from Earthlink servers. If there is much they
> are certainly canny enough not to spam Earthlink customers for some
> reason.

I have no knowledge about the Earthlink situation, is direct SMTP blocked? By the way here dialup/dynamic addresses are becoming a rarity (or at least you keep your address for several months even on dynamic cable) so mostly you don't need SMTP-auth to find the spammer.

There is very little spam coming in here from Earthlink, the last one (that is detected) is from July the 28 coming directly from a cable.earthlink.net address advertising an erotic site. So I guess this means direct SMTP is still possible, too bad IMHO..

Regards
Menno
Re: Block direct SMTP
hamann.w wrote:
> Well, I am customer to an access provider, and have an email address with them,
> so I quite naturally use their smarthost
> Now, add in my own domain. If the domain is hosted, one would, of course, use the hosts
> SMTP server, and smtp auth
> What happens if the access provider blocks outgoing smtp and the webhost cannot be
> bothered to offer an alternate port, or smtps?

I think if this really would be a major problem it is feasible to let the ISP make exceptions, like allowing in their firewall outgoing SMTP from you to the other IP-address. Maybe they can even make this user-configurable in web-selfservice, say 10 entries to open SMTP to certain ip-addresses..

hamann.w wrote:
> In a different area, we occasionally see discussions about people whose access provider
> is selling a "business" static ip access but does not get their act together as far as
> dul listings, dns entries etc are concerned

We've got static addresses and several 'business' contracts but we don't use direct SMTP. I don't think I would notice it if our addresses would be in DUL lists. Unless one is checking all hops and giving lots of spam-points to RCVD_DUL_something, then we may suddenly start sending spam ;-)

Regards
Menno van Bennekom
Re: What changes would you make to stop spam? - United Nations Paper
Kenneth Porter wrote:
> Does it really have to be funneled through their SMTP servers? Would it not
> be sufficient simply to add a connection-level SYN throttle on that port at
> the routers? Perhaps someone here could propose a set of iptables rules
> that would implement this. Or the equivalent rule for a Cisco.

I understand 'funneling' as routing, but what I mean is the customer has to configure smtp.provider.com as outgoing mailserver.

On my Cisco PIX firewalls I have configured embryonic limits on every static, Cisco FW-IOS has (I think) about the same commands, in plain IOS I wouldn't know the command. Anyway, IMHO with SYN throttle you would only be rate-limiting the zombies, I would rather they stopped sending spam completely..

Regards
Menno
Re: What changes would you make to stop spam? - United Nations Paper
John D. Hardin wrote:
> On Tue, 1 Aug 2006, John Rudd wrote:
> Reducing volume of spam *sent* probably requires fundamental redesign
> of the protocols, or some other major change in the cost/benefit
> analysis.

Don't think that's needed, if ISP's only allow outgoing SMTP to the ISP's SMTP servers and not directly then most (current) bots and most spam will be dealt with. I wouldn't be surprised to see the amount of spam then drop more than 80%. (I know, just repeating myself ;-))

Come to think of it, chances are the zombies/bots will then be used for DDOS'ing everything that has an IP-address just as revenge :(

Regards
Menno
Re: What changes would you make to stop spam? - United Nations Paper
Marc Perkel wrote:
> Here's what I've written so far. Deadline is today. Still working on it.
> http://wiki.ctyme.com/index.php/UN_Spam_Paper

I think in this part you're missing one of the main issues:

Marc Perkel wrote:
> "Today we have more of a consumer model where consumers run email clients
> and leave the SMTP servers to their Internet Service Providers (ISPs) The
> user creates an email message that is sent to their local ISP who has an
> SMTP server. That server accepts the email and then transfers the email by
> SMTP to the server that stores the incoming email for that user. Then the
> recipient connects to their server by POP/IMAP protocols to download their
> email.
> The problem is that anyone can impersonate any other person by setting
> their address to be anyone else on the planet."

The problem is that these zombies do NOT use the ISP SMTP servers but send it directly to the SMTP-server of the addressed person. And this could (and already is in some cases) be prohibited by the provider by only allowing SMTP traffic from the client to the SMTP-servers of the ISP itself, not to others. After that action there is time to work on a better mail protocol.

Marc Perkel wrote:
> This junk email known as “Spam” is NOT over 90% of all email traffic.

I think you mean "now" ?

In "the cost of spam" I miss the SCAM (some people really fell for this and have lost thousands of dollars..) and PHISHING (lots of this to collect accounts and passwords for banks, credit-card info etc).

In "Microsoft Zombies" there is a lot of text how bad Microsoft is, that's OK but I think the user is to blame too, if they don't think and just keep clicking yes/ok then eventually they will install malware no matter what patches.

In "where spam comes from" I think some countries could be mentioned, like China and Korea that happily do the hosting for western spammers, and where the ISPs do not act on abuse messages about zombies.

My few eurocents..

Regards
Menno van Bennekom
Re: Block direct SMTP [MTA level]
Andrzej Adam Filip wrote:
> The core challenge in such approach is to standardize way of blocking
> messages from DUL ranges *in SMTP session* that gives sending MTA a
> chance to use fallback relay (smarthost provided by ISP).
>
> One suggested approach was to use "in greeting message" 5?? reject.
> It makes *sendmail* "as it is" use fallback relays.

Yes, but of course this blocking happens at the MTA level, my mailserver for incoming mail is not allowed outgoing SMTP (I hate bounces/doublebounces etc so also the recipient-address is checked at MTA-level). So for example these lines are in my log:

Aug 2 11:23:32 server postfix/smtpd[1224]: NOQUEUE: reject: RCPT from 84-75-0-121.dclient.hispeed.ch[84.75.0.121]: 554 <84-75-0-121.dclient.hispeed.ch[84.75.0.121]>: Client host rejected: dclient.hispeed.ch no direct mail allowed, please send via your provider-mailserver smtp.hispeed.ch; from=<[EMAIL PROTECTED]> to= proto=SMTP helo=<84-75-0-121.dclient.hispeed.ch>

Regards
Menno van Bennekom
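A parser for smtpd reject lines of the shape quoted in the post above, tallying rejects per provider and flagging minutes in which several different client addresses were rejected. This is an added example, not code from the thread: the function names, the two-label provider heuristic, the three-address threshold and the sample lines (documentation addresses and example domains) are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches Postfix smtpd "NOQUEUE: reject:" lines in classic syslog format.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
    r"NOQUEUE:\s+reject:\s+(?P<stage>\w+)\s+from\s+"
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\s+"
    r"(?P<code>\d{3})\s+(?P<reason>.*?);\s+from=<(?P<sender>[^>]*)>"
)


def parse_reject(line):
    """Return the fields of one reject line, or None for any other log line."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = " ".join(rec["ts"].split())  # "Aug  2 ..." -> "Aug 2 ..."
    return rec


def provider_of(host):
    """Naive provider key: last two DNS labels (assumption; wrong for co.uk etc.)."""
    if host == "unknown":  # Postfix logs "unknown" when there is no reverse DNS
        return "unknown"
    return ".".join(host.lower().split(".")[-2:])


def rejects_by_provider(lines):
    """Count rejected connections per provider domain."""
    return Counter(provider_of(r["host"]) for r in map(parse_reject, lines) if r)


def distributed_bursts(lines, min_ips=3):
    """Minutes in which at least min_ips distinct client addresses were rejected."""
    ips = defaultdict(set)
    for rec in filter(None, map(parse_reject, lines)):
        ips[rec["ts"][:-3]].add(rec["ip"])  # drop ":SS" to bucket by minute
    return {minute: len(s) for minute, s in ips.items() if len(s) >= min_ips}


def sample_line(ts, host, ip, rcpt):
    """Build one constructed log line in the format shown in the post."""
    return (f"{ts} server postfix/smtpd[1224]: NOQUEUE: reject: RCPT from "
            f"{host}[{ip}]: 554 <{host}[{ip}]>: Client host rejected: "
            f"no direct mail allowed, please send via your provider-mailserver; "
            f"from=<sender@example.com> to=<{rcpt}> proto=SMTP helo=<{host}>")


# Constructed sample log, not taken from a real server.
SAMPLE_LOG = [
    sample_line("Aug  2 11:23:32", "host-1.dsl.example.net", "192.0.2.10", "user1@example.org"),
    sample_line("Aug  2 11:23:40", "pool-7.cable.example.com", "198.51.100.7", "user2@example.org"),
    sample_line("Aug  2 11:23:51", "unknown", "203.0.113.99", "user3@example.org"),
    sample_line("Aug  2 11:41:05", "host-1.dsl.example.net", "192.0.2.10", "user1@example.org"),
    "Aug  2 11:41:09 server postfix/smtpd[1300]: connect from mail.example.org[192.0.2.25]",
]

if __name__ == "__main__":
    print(rejects_by_provider(SAMPLE_LOG).most_common())
    print(distributed_bursts(SAMPLE_LOG))
```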
Re: Block direct SMTP
Loren Wilton wrote:
> Forcing mail through specific gateways has plusses and minuses. It allows
> for the institution of traffic cops that can block the speeders from
> speeding.

The main thing for me is that it would block the bots on the infected computers from sending out spam/viruses. That does not involve any checking on the ISP SMTP server. Of course when new bots are programmed to find out the correct SMTP server and start using that then the ISP can help blocking this spam.

Loren Wilton wrote:
> But it also gives a home for a nest of pesky government
> busybodies to tell me who I can and can't talk to, and how much I'm going to
> have to pay them in voluntary fees (bribes) to be able to talk to anyone at
> all. And it also eliminates a lot of the original net redundancy, since now
> one bad guy only has to control a very few points to stop all
> communication.

I'm not so sure about that, there are/can be more mailservers to choose from, and there certainly are more ways to communicate (ICQ, blog, AOL, messenger etc). I understand the fear of centralization/regulation but as said for now (until better measures are found) to me the benefits of 'blocking direct-smtp' outweigh the costs.

Regards
Menno
Re: Block direct SMTP
John Andersen wrote:
> The very trouble we are in with spam is caused by the fact that
> spammers can hide behind several layers of ISPs and forwarders.
> The very thing you suggest is the solution IS THE PROBLEM!.

I guess you get different spam then than I get on my mailservers.. Spam from ISP's SMTP servers here is a rarity. Most of it comes directly from infected pc's at home or small sites. Sometimes there is a layer of relays in the header but that's almost always a fake one. When it comes from larger sites or even ISP's it's mostly from well known spam countries and they are already blocked here at the MTA level.

John Andersen wrote:
> If all smtp traffic had to go direct, then finding a spammer
> would be easy. You can fake a few headers, but it's pretty
> hard to fake the IP you are connecting with if you expect
> to open a tcp session.

That's the unfortunate situation right now and because of the increasing number of bots there are way too many IP-addresses to block. And the spammers are getting better in dispersing the Spam over all their bots so detecting multiple spams from the same addresses gets more and more difficult for me.

Regards
Menno
Re: Block direct SMTP
Like others here I would want the ISPs to allow outgoing SMTP from their customers only to the ISP's SMTP servers. This is already been done with a lot of ISPs and it's very effective. I think it is a waste of time that it still isn't implemented everywhere. Lots of bots would become useless.

I know that it will be difficult to force this in some countries but then I have the choice to block the mail from such countries. I already block mail from lots of adsl/cable urls. In the reject message I mention the SMTP-server of their ISP so they know what to change if they want to send mail to me. I also use the DUL list for blocking.

Forcing SMTP to go through the ISP has IMHO nothing to do with free-speech or not, even direct SMTP traffic is passing through routers of the ISP anyway so they could monitor it, and you can always encrypt mail if you want to.

Okay, spammers will find other methods probably, but then it can be dealt with centrally by the ISP. And using better protocols than SMTP is a possibility but that takes a lot of time before it is implemented, so for the time being, block it I would say.

Regards
Menno van Bennekom
Re: Image spams getting thru
jdow wrote:
> One that made it through here had no URLs in the body, a LOT of HTML
> formatting, and hit HTML_IMAGE_RATIO_06, a very low scoring rule.
> The HTML formatting is excessive use of this long string for
> individually formatting small chunks of text which are then covered
> by the enclosed Base64 image:
>
>
>
> That can probably lead to some tests.
>
> I also noticed here that HTML_IMAGE_RATIO_06 hit 0.3 percent spam
> and 0.0 percent ham, here. So I bumped its score up a little. I expect
> that to be safe here. YMMV.
>
> That is the only spam that has broken through in a VERY long time.

Yes, if we're talking about the same spam, the one with that string started only recently here. They score between 7 and 15 points due to network-tests, but are since an hour ago being discarded because luckily they contain several unique strings..

Regards
Menno van Bennekom
Re: Image spams getting thru
These image spams have recognizable strings, but normally not in the header. Just collect a few of them and compare (e.g. cat|sort the lines), you will always find similarities (sometimes only in the Mime-part but even that can work nicely and safe enough). You could then make a Spamassassin rule for it (check them on your HAM first).

The strings I'm sure enough about are not configured in SA but in Postfix with body_checks, if needed first I put them on HOLD to check the result a few days in the hold-queue then I put them on DISCARD so it is thrown away unnoticed. One of these newer checks 'HOLDED' 170 spams this weekend without FP's, not a big absolute number but there's not a lot of spam coming in anyway because of ip-blocks, RBL's etc in postfix.

Only trouble is after some time they change the spam, but then already hundreds of spams are stopped. And finding a new string/regexp can be an entertaining puzzle. But some spam is just used over and over again so some rules still get hit after 2 years, very kind of the spammers..

I check the spam (archived by SA/Amavisd) every morning and if I see more spam than normal and a lot of spam of the same size I know there's work to do ;-)

Regards
Menno van Bennekom
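The collect-and-compare procedure from this post and from the earlier "Images spams cropping up again" reply (the cat/lowercase/sort/awk step, the ham check, then body_checks with HOLD), written out as an added Python example. It is not the poster's own script: the function names, the 20-character minimum, the rule comment text and the sample messages are assumptions, and the messages are constructed.

```python
MIN_LEN = 20  # assumption: shorter lines are too generic to be 'interesting'
ERE_SPECIALS = set(r".[]{}()*+?^$|\/")  # POSIX ERE metacharacters plus the / delimiter


def candidate_lines(message, min_len=MIN_LEN):
    """Lowercased, stripped lines of one message that are long enough to use."""
    lines = (raw.strip().lower() for raw in message.splitlines())
    return {line for line in lines if len(line) >= min_len}


def common_spam_strings(spam_msgs, ham_msgs, min_len=MIN_LEN):
    """Lines present in every spam sample and in no ham sample, longest first."""
    if not spam_msgs:
        return []
    shared = set.intersection(*(candidate_lines(m, min_len) for m in spam_msgs))
    for ham in ham_msgs:  # the 'check them on your HAM first' step
        shared -= candidate_lines(ham, min_len)
    return sorted(shared, key=lambda s: (-len(s), s))


def ere_escape(text):
    """Escape a literal string for use inside a /.../ pattern in a regexp table."""
    return "".join("\\" + ch if ch in ERE_SPECIALS else ch for ch in text)


def body_checks_rules(spam_msgs, ham_msgs, action="HOLD"):
    """One body_checks line per shared string; HOLD first so hits can be inspected.

    Postfix regexp tables match case-insensitively by default, so the
    lowercased patterns still match the original mixed-case lines.
    """
    return [f"/{ere_escape(s)}/ {action} shared spam string"
            for s in common_spam_strings(spam_msgs, ham_msgs)]


# Constructed samples: three spam variants from one batch and one ham message.
SPAM_SAMPLES = [
    """Subject: hot stock tip for you today
--=_batch7f3a_boundary_constructed
Content-Transfer-Encoding: base64
<td bgcolor="#fefefe" style="font-size:1px">
buy now before the market opens monday
""",
    """Subject: pharmacy discount inside
--=_batch7f3a_boundary_constructed
Content-Transfer-Encoding: base64
<TD BGCOLOR="#FEFEFE" STYLE="font-size:1px">
buy now before the market opens monday
""",
    """Subject: your account statement is ready
--=_batch7f3a_boundary_constructed
Content-Transfer-Encoding: base64
<td bgcolor="#fefefe" style="font-size:1px">
limited offer ends at midnight tonight
""",
]
HAM_SAMPLES = [
    """Subject: logo for the new brochure
--=_mailer_boundary_0001
Content-Transfer-Encoding: base64
Hi Bill, the logo you asked for is attached.
""",
]

if __name__ == "__main__":
    for rule in body_checks_rules(SPAM_SAMPLES, HAM_SAMPLES):
        print(rule)
```

The transfer-encoding line is shared by all three spam samples but drops out because it also appears in ham, and the "buy now" line drops out because only two of the three samples contain it.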