Re: Academic interested in interviewing you for research paper.
On 8/17/12 12:11 AM, jonathonb wrote:
> As such a detailed knowledge of its history or inner working is not necessary as I am only interested in YOUR views and contributors will remain anonymous.

No, we do all of this for fame and fortune. We WANT to see our name in research papers. (preferably in a country where we might be looking for work!)

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
* Official port maintainer for FreeBSD port of SpamAssassin
  http://www.freebsd.org/cgi/ports.cgi?query=scheidell&stype=maintainer
* Maintainer of one of the three official SpamAssassin sa-update mirrors
  http://sa-update.secnap.net/
* Member of the FreeBSD Development team
  http://people.FreeBSD.org/~scheidell
* Media and Fame Hound
  http://www.secnap.tv
CTO and Founder of: SECNAP Network Security Corporation
  http://www.secnap.com
__
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com/
__
Re: SpamAssassin scores and 12-letter domains
On 8/5/12 1:48 PM, Benny Pedersen wrote:
> On 2012-08-05 19:13, Ben Johnson wrote:
>> There is hardly any published information on this subject, so perhaps one of the experts here will weigh-in. Apparently, I'm not the only one who feels this "feature" needs to die:
>>
>> X-ASF-Spam-Status: No, hits=4.8 required=10.0 tests=FROM_12LTRDOM,SPF_HELO_PASS,SPF_PASS,URI_HEX
>
> default is 5.0, not 10.0
>
> as you see there is long way to 10
>
> .2 points to go to 5.0
>
> and:
>
> score FROM_12LTRDOM 0.099 3.499 0.099 3.499
>
> is a HUGE difference, any score over 2.75 points should be suspect.
>
>> http://spamassassin.1065346.n5.nabble.com/FROM-12LTRDOM-high-scored-remove-td100710.html
>
> this is the url that hits hex

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator
Re: Spamhaus and others check at MTA level: how disable in Spamassassin?
On 8/4/12 8:53 AM, Axb wrote:
> On 08/04/2012 11:16 AM, Alessio Cecchi wrote:
>> Hi, we are using zen.spamhaus.org and psbl.surriel.com DNSBL at MTA level (qmail + rblsmtpd) so we would like to disable this check in spamassassin. So we added this in local.cf:

and, since DNS is cached anyway, why bother disabling them?

(oh, and I have seen similar rules show up in SA scores even though we blocked using other dns bls'. why they didn't get blocked in mta is sometimes a mystery.. or has to do with slow dns servers, finally answering)

and, as Axb said, you could mess up meta rules.

-- 
Michael Scheidell
Re: Advice
On 7/3/12 2:34 PM, Kevin A. McGrail wrote:
> On 7/3/2012 12:51 PM, Bowie Bailey wrote:
>> I've had this set up for a while. I find the emails they send to be almost useless. I don't know if there is any benefit to simply being signed up.
>
> The point isn't to remove the person complaining as much as it is to know if you have patterns of problems. So if I get 45 complaints, I can usually look and see that someone isn't using opt-in lists or has a virus, etc.

to confirm, the point for AOL isn't 'list washing', since if you get a lot of complaints, this means that a large multiple of that number has manually blacklisted you and your network :-(

oh, and you can't get past AOL's rate limiting unless you do sign up.

So, it works exactly as AOL designed it. ESPs who listwash and don't want to disable spamming clients can't get on AOL's good list

-- 
Michael Scheidell
Re: Can't locate object method "get_tag"
On 6/28/12 9:08 PM, Richard B. Pyne wrote:
> SpamAssassin version 3.3.2 running as spamd called from maiad called from postfix on CentOS 6.2 64bit linux.
>
> I am trying to get a new installation of SpamAssassin working and am getting this error:
>
> spam_scan FAILED: Can't locate object method "get_tag" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 69) line 366.
>
> Any help will be greatly appreciated.

review the perl modules that SA needs. you are missing at least one.

did you install from source? or a package? a package should have all the perl modules. (HTML::TokeParser?) just googled for 'perl+get_tag'

what version of perl? something somewhat modern? 5.10+?

install all the missing modules and restart spamd/maiad

-- 
Michael Scheidell
Re: Is this a new type of URI obfuscation?
On 6/12/12 11:36 AM, Martin Gregorie wrote:
> Today I got a piece of spam carrying the URL chasovik.it.gg as its payload. I was intrigued because I didn't think .gg was a valid tld and looked it up with 'whois'.

that just means that the tld provider is violating RFC's, not that the tld is invalid:

;; QUESTION SECTION:
;chasovik.it.gg.                IN      A

;; ANSWER SECTION:
chasovik.it.gg.         86387   IN      A       80.190.202.40

;; AUTHORITY SECTION:
it.gg.                  86386   IN      NS      ns2.webme.com.
it.gg.                  86386   IN      NS      ns1.webme.com.

;; ADDITIONAL SECTION:
ns1.webme.com.          287     IN      A       62.116.130.62
ns2.webme.com.          287     IN      A       62.116.162.62

and it is a valid tld: <http://en.wikipedia.org/wiki/.gg>

-- 
Michael Scheidell
Re: What to tell senders of these messages
On 6/9/12 8:24 AM, haman...@t-online.de wrote:
> Michael Scheidell wrote:
>> HS_INDEX_PARAM: tell them not to use web bugs in their marketing emails
>
> Hi Michael,
>
> since we are sending out newsletters (to people who really subscribed:) and I got the role to be my own "email marketing company", I want to comment on that. We are using a setup similar to ezmlm, so the mail sender contains a bit of encoding that identifies the recipient.

from SA's perspective, that's kinda irrelevant. sorry, but your 'brothers' have behaved so badly that drastic measures have to be taken.

SA score is based on 'real numbers', as in 'x% of all email with webbugs is spam' vs x% of all email with webbugs is ham. (we use mailchimp, does the same thing), so we live with it. I don't like it, but marketing dept wants to know who read the email.

(note, SA isn't in the business of deciding if you read email, just the likelihood that a specific email is spam, based on 700+ rules that each one decides the likelihood that each rule is triggered as spam)

that one rule will not make your email be blocked. a combination of rules will. SA won't remove that rule, and you won't remove the webbug, so, move on.

We are willing to live with one or two false positives on 'marketing email', and, if you want to use webbugs, you need to live with some of your 'timely information that the user needs' letters getting marked spam. We do not live in a perfect world.

You make the business decision: track users or have them read your emails.

*(our marketing dept made the business decision to track users :-(. not my decision.

-- 
Michael Scheidell
Re: What to tell senders of these messages
On 6/9/12 5:55 AM, Cecil Westerhof wrote:
> The following three messages I see a lot in false positives:
>
> 1.2 HS_INDEX_PARAM URI: Link contains a common tracker pattern.
> 1.5 HTML_IMAGE_ONLY_28 BODY: HTML: images with 2400-2800 bytes of words
> 1.7 RDNS_DYNAMIC Delivered to internal network by host with dynamic-looking rDNS
>
> I am a user, not a spam expert. What does this mean and what could I tell the sender to have their email not ending up in my spam folder?

RDNS_DYNAMIC: you can't. their reverse dns is 'hinkey'. Their ISP won't change it

HS_INDEX_PARAM: tell them not to use web bugs in their marketing emails

HTML_IMAGE_ONLY_28: tell them not to use email marketing templates that contain lots of crap designed to try to fool spamassassin (the harder you try to fool spamassassin, the more likely you get caught as spam)

just unsubscribe from their marketing newsletter, that is the best way to tell the spammer/sender to find a more RFC compliant, more reliable email marketing company or program.

or, just whitelist that person

-- 
Michael Scheidell
Re: Large image spam
On 5/29/12 2:44 PM, JP Kelly wrote:
> I've been getting a fair amount of spam which contains a large image which causes SA to bypass scanning due to the large file size. Has anyone found a way to combat these types of spam?
>
> JP Kelly

sha256 checksum and add to local clamav (.hb?) file?

-- 
Michael Scheidell
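The hash-signature approach suggested in the reply above, as an added example that is not code from the thread, from SpamAssassin or from ClamAV. It builds a constructed message with a large image attachment, takes the SHA-256 of the attachment and emits it in ClamAV's hash-based signature format (HashString:FileSize:MalwareName, which belongs in a local .hsb file; the reply itself only says ".hb?"), then shows the lookup side so the match logic can be checked offline. The sample message, its random "image" bytes, the 32 KiB size threshold and the Local.ImageSpam signature name are all assumptions made for this example.

```python
"""Hash-based ClamAV signatures for oversized image spam.

Added example, not code from the original thread, SpamAssassin or ClamAV.
Idea: when an image attachment is big enough that the SA pass is skipped,
hash the attachment and hand the hash to the MTA-side ClamAV scanner so
byte-identical resends are caught there.

Assumptions (not from the page):
  * ClamAV hash-based format  HashString:FileSize:MalwareName ; an .hsb
    database accepts SHA-1 and SHA-256 hashes;
  * the message below is constructed, and the "image" is random bytes.
"""
import hashlib
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample(image_bytes: bytes) -> bytes:
    """Constructed spam: a one-line body plus one large image attachment."""
    msg = EmailMessage()
    msg["From"] = "promo@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "special offer"
    msg.set_content("see attached")
    msg.add_attachment(image_bytes, maintype="image", subtype="jpeg",
                       filename="offer.jpg")
    return msg.as_bytes()


SAMPLE_IMAGE = os.urandom(64 * 1024)      # constructed: 64 KiB of noise
SAMPLE_EML = build_sample(SAMPLE_IMAGE)


def image_parts(raw: bytes, min_size: int = 32 * 1024):
    """Yield (filename, decoded payload) for image/* parts >= min_size bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        payload = part.get_payload(decode=True)
        if payload and len(payload) >= min_size:
            yield part.get_filename() or "inline", payload


def hsb_signature(payload: bytes, name: str) -> str:
    """One ClamAV hash-based signature line: sha256hex:size:name."""
    digest = hashlib.sha256(payload).hexdigest()
    return f"{digest}:{len(payload)}:{name}"


def signatures_for(raw: bytes, name_prefix: str = "Local.ImageSpam") -> list[str]:
    """Signature lines for every large image in a message (append to local .hsb)."""
    return [hsb_signature(p, f"{name_prefix}.{i}")
            for i, (_, p) in enumerate(image_parts(raw), 1)]


def matches(raw: bytes, sigdb: list[str]) -> list[str]:
    """Simulate the scanner: names of signatures whose hash and size both match."""
    hits = []
    for _, payload in image_parts(raw):
        digest = hashlib.sha256(payload).hexdigest()
        for line in sigdb:
            h, size, name = line.split(":")
            if h == digest and int(size) == len(payload):
                hits.append(name)
    return hits


if __name__ == "__main__":
    sigs = signatures_for(SAMPLE_EML)
    print("\n".join(sigs))                 # lines to append to local.hsb
    print(matches(SAMPLE_EML, sigs))       # the constructed sample hits itself
```

Exact hashes only catch byte-identical resends; a sender who re-encodes or pads the image defeats the signature, so this is a stopgap for a campaign that reuses one file, not a general image-spam defence.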
Re: Solved! Re: claims "no rules found" but I have run sa-update
On 4/25/12 9:31 PM, Chad Leigh Shire.Net LLC wrote:
> Ok, I solved this. This was user error/misunderstanding. I should have been calling this with --siteconfigpath and not --configpath. --configpath changes the actual rules directory, while I thought it was my own "rules" in the local.cf. Once I changed it to --siteconfigpath we were all set!
>
> Thanks!
> Chad

glad you solved it.

ps, I'm the port maintainer for the FreeBSD port (scheid...@freebsd.org)

how different were your needs that the basic port, or at worst, a slave port would have worked? in the port, I have also added critical patches backported from 3.4.

have you ever done a slave port? even a local one? (look at japanese/p5-Mail-SpamAssassin for example of slave port)

-- 
Michael Scheidell
Re: New versions of Perl are slower
On 4/11/12 3:09 PM, Julian Yap wrote:
> Hey Michael,
>
> I noticed that in Perl 5.8, PERL_MALLOC is on by default and on 5.10 onwards it is off by default. I have been building with the old option of PERL_MALLOC being on since I've been upgrading from old versions. Do you know if that makes any performance impact?
>
> - Julian

don't know, we always used WITH_PERL_MALLOC so I never tested it without.

-- 
Michael Scheidell
Re: New versions of Perl are slower
p5-Mail-SpamAssassin-3.3.2_6.

-- 
Michael Scheidell, CTO
SECNAP Network Security

-----Original message-----
From: Julian Yap
To: Michael Scheidell
Cc: "users@spamassassin.apache.org"
Sent: Wed, Apr 11, 2012 00:35:04 GMT+00:00
Subject: Re: New versions of Perl are slower

On Tue, Apr 10, 2012 at 12:49 PM, Michael Scheidell wrote:
> On 4/10/12 5:12 PM, Julian Yap wrote:
>> I'm running SpamAssassin 3.3.2 port revision 6 (latest from FreeBSD ports) on FreeBSD 8.2-RELEASE 64-bit.
>>
>> I recently upgraded my Perl from 5.10 to 5.14 but I needed to downgrade because SpamAssassin was crashing on a daily basis. See bug:
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6745
>>
>> I have since downgraded my servers to Perl 5.10 and Perl 5.12.
>
> Interesting... (im the maintainer of p5-Mail-SpamAssassin).
> If they get a patch for this before 3.4 comes out, give me a heads up and I can get it into the port.
>
>> Have others experienced the same thing?
>
> I am running amavisd-new in all of our commercial installations, so, never saw a spamd crash :-)

Are you running p5-Mail-SpamAssassin-3.3.2_6? Or do you run a development release?

On the plus side I haven't experienced the crash on 5.12 but just a generally slower scan speed compared to 5.10.
Re: New versions of Perl are slower
On 4/10/12 5:12 PM, Julian Yap wrote:
> I'm running SpamAssassin 3.3.2 port revision 6 (latest from FreeBSD ports) on FreeBSD 8.2-RELEASE 64-bit.
>
> I recently upgraded my Perl from 5.10 to 5.14 but I needed to downgrade because SpamAssassin was crashing on a daily basis. See bug:
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6745
>
> I have since downgraded my servers to Perl 5.10 and Perl 5.12.

Interesting... (I'm the maintainer of p5-Mail-SpamAssassin).

If they get a patch for this before 3.4 comes out, give me a heads up and I can get it into the port.

> Have others experienced the same thing?

I am running amavisd-new in all of our commercial installations, so, never saw a spamd crash :-)

But still, if we can get a patch to spamd to fix it, I am all for it. (any idea if a copy of spamd from sa 3.4 will help?)

ps, if you can get them to package 3.4, I can push a p5-Mail-SpamAssassin-devel out. visit here and ping them: <https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6689>

-- 
Michael Scheidell
Re: FreeBSD ports users: Q: Value in SA 3.4?
On 4/4/12 10:01 AM, Michael Scheidell wrote:
> so, anyone want to follow the FreeBSD ports/p5-Mail-SpamAssassin-devel?

ok, so I am an idiot. I can't find Mail-SpamAssassin-3.4.0.tar.gz, and the nightly build link on http://spamassassin.apache.org/downloads.cgi points nowhere.

-- 
Michael Scheidell
FreeBSD ports users: Q: Value in SA 3.4?
I am looking to create a mail/p5-Mail-SpamAssassin-devel port for FreeBSD.

This will be a port of the current 3.3.2 to the 3.4 development version. I will attempt to follow the daily builds as closely as possible. If I see something fixed in 3.4 that interests me, or I just have spare time, I'll sync up the versions. (I am on the FreeBSD development team, so, my commits show up immediately in ports tree main).

If a few of you are following this in FreeBSD, then I would be more inclined to update it more often. Especially if there is something in the update that fixes an issue you are working on.

so, anyone want to follow the FreeBSD ports/p5-Mail-SpamAssassin-devel?

-- 
Michael Scheidell
Re: Request to change rule RCVD_IN_RP_CERTIFIED
On 4/2/12 9:44 AM, Bowie Bailey wrote:
> Actually, my experience has been the opposite. I used to receive lots of Linked-In emails and complained to them a few times regarding the lack of an opt-out. Now that they have added one, it seems to work normally for me. I do not, and have never had, a Linked-In membership. When I click the opt-out link, it takes me to a page where, if I remember correctly, it displays your email address and asks you to click a button to opt out of further emails. As far as I can tell, it seems to be working. I have not received any Linked-In emails in quite some time now.

correct, both of you.

previously, you needed to sign up, accept their TOS. (which allows them to spam you),

all OT subjects aside, my issue is the 'sfh' (spam for hire) credits in SA. and the autolearn tflags.

-- 
Michael Scheidell
Re: Missed SPAM
On 3/31/12 8:04 AM, joea wrote:
> starting below my local and MP details? Hopefully, the latter, as the former leaves me feeling a bit exposed.

we already know everything you think you want to hide.

if you need help, you need enough full information. Or, you make the pastebin 'private', and send the link offlist to someone who has volunteered to help.

If you want true accountability and privacy (by contract), you might need to pay someone to help you. Have them sign an NDA, and pay them.

munging the headers with 'somehost.somenet.sometld [1.1.1.1]' helps no one at all. What information is important might not be apparent to you. If it was, you might have solved the problem yourself.

-- 
Michael Scheidell
Re: Request to change rule RCVD_IN_RP_CERTIFIED
On 3/30/12 2:26 AM, Dave Warren wrote:
> I'd argue that their inability to offer a functional opt-out is bordering on spam-support.

months ago, it was non functional (you needed to join, which gave them permission to spam you in order to opt-out)

they finally (and I hope it was my constant bitching about it) STARTED with the 'easy opt-out'.

From an OCD perspective, I might have just dragged them into the 'report spam' folder (sends to DCC/RAZOR/SPAMCOP) and be done with it if they had (if they ever do) add the full physical address of the sender (who is the sender? linkedin? or the guy who loaded up all the @FreeBSD.org addresses harvested from the developers web site?)

So, no, this isn't an SA issue per se, but I did want to mention that they look like they finally fixed the easy opt-out. one click, leave the checkbox, hit 'apply', and they TELL you that you are opted out.

so, they fixed that (still say that if RP gets paid to certify an easily abused system, then the score should not be -3.0). and, that score itself is arbitrary, added because its pretty difficult to qualify a corpus of spammy like emails and decide which ones you wanted or not. I am talking about the whole RP/IADB group of rules in general. Some human being decided on the -3.0 score.

-- 
Michael Scheidell
Re: Request to change rule RCVD_IN_RP_CERTIFIED
On 3/29/12 6:06 PM, Kevin A. McGrail wrote:
> As a side note, linkedin likely had someone from FreeBSD list use the email address to invite people. I doubt linkedin actually did it. They are an easily abused system but I've never seen them actually support spam.

as in 'technically', yes linkedin did (see sender and from headers.) as in who pushed the button, who loaded the names, no, they didn't.

But, unless they want to identify the user in the From (not the mfrom/sender which would break spf), they 'sent it', facilitated it being sent, allowed it to be sent. or, they allow the sender to forge From headers. (if they didn't send it, they forged the From headers)

But I am not asking SA to fix linked in, or stop them from spamming (it was unsolicited, it was commercial. (they want to build up their links, actual member wants to spam me using linked in).

I want to address the 'easily abused system'. If linked in has an easily abused system, and RP gets paid to list them, and the default SA score for RCVD_IN_RP_CERTIFIED is -3.0 points then I request that until RP stops certifying 'easily abused system(s)' that the score be lowered.

further, I would like SA to consider, in general, the - scores for all the 'spam for hire' rules. If this email would not score high on its own, it would not need -3.0 score. If it gets its score dropped by -3.0 points, not only is questionable valuable email passed through, but Bayesian keys are added as if they are 'clean' email. So, email like this sent from other sources will eventually come in as 'clean', due to Bayesian credits.

I would like to consider tflags for all 'spam for hire' scores be changed to

  net nice noautolearn

this way, at least you aren't adding insult to injury.

-- 
Michael Scheidell
Request to change rule RCVD_IN_RP_CERTIFIED
If you go back, I and many others have complained about the 'pay to spam' rules currently in SpamAssassin. Some of these, like linked in, are blatant violations of US federal CAN Spam laws.

Last time I got a spam from linked in, they insisted: (the company that certified them, and took money to let them spam), insisted:

A) that somehow _I_ was at fault (you must have signed up)
B) that it was my responsibility to unsubscribe (Sorry, you have to sign up, and agree to their terms, which allow them to spam you, this was the only way to unsubscribe)

Well, today, at least they have a link in their spam that lets you unsubscribe without joining linked in. However, they still don't have a full physical address of the sender in their emails.

This email was sent to an email address used for technical mailing lists (I am on the development team for FreeBSD) and, or harvested from a web site that archives emails (again, either of these is a violation of federal can spam laws)

Why bring this up? I want SA to disable all these pay to spam rules as defaults. I have brought this up with linked in, and the 'spam for hire' company that sends these, and all I get is the runaround.

if this rule is truly CERTIFIED not to spam, then they had better review us federal laws, and make this company conform.

<http://pastebin.com/K0r29v6F>

(even pastebin thought this was spam and made me type in chars to prove I wasn't a robot/zombot)

-- 
Michael Scheidell
Re: My Mad Plan's Achilles heel?
On 3/28/12 5:55 PM, j...@j4computers.com wrote:
> Continuing my learning curve with spamassassin, I find a fly in the ointment. Some SPAM continues to slip thru. I thought, oh well, I'll just block by IP. Hmm, I use fetchmail to grab mail from various accounts.

add the ip address (last received) from each account to trusted_networks in local.cf.

> S . . . the actual source or "IP of interest" will not be the connection IP. So, best course? These emails all have the same format, but cover a range of subjects. I'd have thought that Bayes would have learned, by now, as I have submitted close to a dozen via spamassassin -r < text.file

-- 
Michael Scheidell
Re: Want help to create a rule for filtering mails with empty message body and attachments
> Sorry for bothering you guys. Found answer to my question:

Cool.. this should be part of the stock SA rules

-- 
Michael Scheidell
Re: having trouble running spamassassin from command line to test rules.
On 3/22/12 7:15 PM, Eliezer Croitoru wrote:
> Hello there,
>
> i wanted to try some rules but it seems like my spamassassin is ignoring my score rules. so i wanted to test it from command line using this tool http://wiki.apache.org/spamassassin/DumpTextPlugin but every time i'm running the command as described in the web site i'm getting error:
>
> [quote]
> /usr/bin/spamassassin -L -t -c dumptext < spammail > /dev/null
> config: no rules were found! Do you need to run 'sa-update'? at /usr/bin/spamassassin line 403.

first, run sa-update.

second, make sure you don't have two copies of spamassassin installed.

third, since you are running amavisd-new, you should run as the amavisd user

  su - vscan -c 'spamassassin -L -t -c dumptext < spammail' > /dev/null ?

fourth, amavisd-new adds,subtracts points, so this won't really be a valid test.

-- 
Michael Scheidell
Re: SPF_FAIL
On 3/22/12 10:05 AM, David F. Skoll wrote:
> On Thu, 22 Mar 2012 13:55:50 + Martin Gregorie wrote:
>
>>> Disagreed. I don't believe SPF has cut backscatter down by more than a few percentage points.
>
>> YMMV of course, but it worked for me: when I put up an SPF record backscatter, which had been a problem at the time, was dramatically reduced.
>
> Hmm... OK. I may have been hasty. Assuming that the large providers like Google, Hotmail, and Yahoo reject SPF-failing mail during the SMTP transaction, I can see it making a measurable difference.
>
> I still stand by my opinions about the lack of competence of most Microsoft Exchange admins, though. :)

like ip/dns that is not 'round trip' consistent :-)

host colo3.roaringpenguin.com
colo3.roaringpenguin.com has address 70.38.112.54

host 70.38.112.54
54.112.38.70.in-addr.arpa domain name pointer roaringpenguin.com

-- 
Michael Scheidell
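The 'round trip' consistency being checked by hand with host above is forward-confirmed reverse DNS: look up the PTR for the connecting address, resolve each name it returns forward, and require the original address to come back. The block below is an added example, not code from the thread or from SpamAssassin. Its resolver is injected so it runs offline against constructed records; the example.net/example.org names and addresses are made up for illustration and are not the roaringpenguin.com zone quoted above. The HELO-name check of the same shape is included because MTAs commonly apply it next to FCrDNS.

```python
"""Forward-confirmed reverse DNS ("round trip" consistency) check.

Added example, not code from the original thread or from SpamAssassin.
The resolver is a plain callable so the logic can be exercised offline;
in production pass one that does real PTR and A/AAAA lookups.
"""
import ipaddress
from typing import Callable

# Resolver interface: (record_type, owner_name) -> list of rdata strings.
Resolver = Callable[[str, str], list[str]]

# Constructed zone data (hypothetical hosts, documentation-range addresses).
# The second host reproduces the shape of the output quoted above: its PTR
# points at a bare domain whose A record is a different address.
ZONE = {
    ("A",   "mx1.example.net."):            ["192.0.2.10"],
    ("PTR", "10.2.0.192.in-addr.arpa."):    ["mx1.example.net."],
    ("A",   "colo3.example.org."):          ["198.51.100.54"],
    ("PTR", "54.100.51.198.in-addr.arpa."): ["example.org."],
    ("A",   "example.org."):                ["198.51.100.1"],
    ("A",   "nodns.example.com."):          ["203.0.113.7"],
    # deliberately no PTR at all for 203.0.113.7
}


def stub_resolver(rtype: str, name: str) -> list[str]:
    """Offline resolver over the constructed ZONE; NXDOMAIN is an empty list."""
    return ZONE.get((rtype, name), [])


def reverse_name(ip: str) -> str:
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa. (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, resolve: Resolver = stub_resolver) -> tuple[str, list[str]]:
    """Classify an address by forward-confirmed reverse DNS.

    Returns (status, ptr_names):
      "ok"            a PTR exists and one of its names resolves back to ip
      "inconsistent"  PTR exists but none of its names resolve back to ip
      "none"          no PTR record at all
    """
    ptrs = resolve("PTR", reverse_name(ip))
    if not ptrs:
        return "none", []
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    for name in ptrs:
        if any(ipaddress.ip_address(a) == addr for a in resolve(rtype, name)):
            return "ok", ptrs
    return "inconsistent", ptrs


def helo_consistent(helo: str, ip: str, resolve: Resolver = stub_resolver) -> bool:
    """Companion check: does the HELO/EHLO name resolve to the peer address?"""
    name = helo if helo.endswith(".") else helo + "."
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    return any(ipaddress.ip_address(a) == addr for a in resolve(rtype, name))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.54", "203.0.113.7"):
        status, names = fcrdns(ip)
        print(f"{ip:16} {status:13} {' '.join(names)}")
```

Treat "inconsistent" as one weak signal rather than a reject reason on its own: plenty of legitimate mail servers sit behind a PTR their ISP set to a generic or parent-domain name, which is exactly the situation RDNS_DYNAMIC-style rules score rather than block.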
Re: SPF_FAIL
On 3/21/12 6:19 PM, Kevin A. McGrail wrote:
>> I know that and I wanted to add some more score when there is no SPF record its possible to do this with Spamassassin ?
>
> I'm not aware of a "no spf record rule" but the underlying plugin looks to support what you want. I think you might find that to be a poorly performing rule except in meta rules, though.
>
> I'm going to add this to the default rules with a score 0 so you can then just give it a score you want.
>
>   header   SPF_NONE   eval:check_for_spf_none()
>   describe SPF_NONE   SPF sender does not publish an SPF Record
>   score    SPF_NONE   1
>
> regards,
> kAM

score of zero? or 1?

-- 
Michael Scheidell
Re: Allowing IMAP users to train spam/ham
On 3/21/12 9:57 AM, Kevin A. McGrail wrote:
> Very elegant IMO. I'd love to look at moving some of the framework to support this into SA. Any objections? Won't be anything quick but it's a really great idea.

We thought about this once. add (ie: modify body of email) with 'report spam', 'blacklist sender' links.

If the links are internal (private ip's), or internally resolvable names, or names or ip's that resolve only locally or via vpn, then that might be ok.

But, what do you do about an email that was forwarded to someone else? And, that someone else has one of those silly anti-malware plugins that surfs to every url in any inbound email? (or some forwarder recipient decides to click one of the links)

-- 
Michael Scheidell
Re: OT how to bypass public nameservers as bind forwarders?
On 3/21/12 8:24 AM, Jari Fredriksson wrote:
> I use public DNS services as forwarders in my LAN dns (bind9). I remember that once disabled forwarders for some URIBL but the setting is gone, and I can't find a recipe. Howto?

don't use public forwarders. unless you are doing 100K dns queries per day, just use bind and root zones.

if you want information on how to fix bind, then you need the bind faq/man page/news group.

-- 
Michael Scheidell
Re: Allowing IMAP users to train spam/ham
On 3/21/12 5:06 AM, Matus UHLAR - fantomas wrote:
> there are two problems when requiring users to manually learn on everything.
> - it's more work to implement
> - it's more work for users to do the training.

And, if 95% of the users are using Microsoft Exchange, Exchange will horribly mangle the headers and the body, even changing the actual encoding. So, what would you manually learn?

-- 
Michael Scheidell, CTO
Re: sa-update doesn't work anymore after upgrade to spamassassin-3.3.2-4.el4.rfx
On 3/18/12 9:44 AM, Bernard Lheureux wrote:
> I get
> ; <<>> DiG 9.2.4 <<>> -t txt 2.3.3.updates.spamassassin.org
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
> But the DNS resolution works correctly, what does that mean ?

It means the DNS resolution isn't working correctly. You should get something like this:

dig -t txt 2.3.3.updates.spamassassin.org

; <<>> DiG 9.3.5-P2 <<>> -t txt 2.3.3.updates.spamassassin.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37105
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3

;; QUESTION SECTION:
;2.3.3.updates.spamassassin.org.        IN      TXT

;; ANSWER SECTION:
2.3.3.updates.spamassassin.org. 3600    IN      TXT     "1293136"

;; AUTHORITY SECTION:
spamassassin.org.       3600    IN      NS      a.auth-ns.sonic.net.
spamassassin.org.       3600    IN      NS      b.auth-ns.sonic.net.
spamassassin.org.       3600    IN      NS      c.auth-ns.sonic.net.
spamassassin.org.       3600    IN      NS      ns.hyperreal.org.

;; ADDITIONAL SECTION:
a.auth-ns.sonic.net.    37091   IN      A       209.204.159.20
b.auth-ns.sonic.net.    37091   IN      A       184.173.92.18
c.auth-ns.sonic.net.    37091   IN      A       69.9.186.104

;; Query time: 117 msec
;; SERVER: 10.70.1.2#53(10.70.1.2)
;; WHEN: Sun Mar 18 09:54:41 2012
;; MSG SIZE  rcvd: 208

-- 
Michael Scheidell, CTO
Re: Understanding AXB_X_AOL_SEZ_S
On 3/15/12 3:52 PM, Alex wrote:
> Hi, I've noticed that a number of hams have been tagged with AXB_X_AOL_SEZ_S, creating false positives. Is this looking for a simple pattern in the body that would cause so many fp's for me?

Cluestick: find where your updated rules live (locate MIRRORED.BY), then:

grep AXB_X_AOL_SEZ_S *

-- 
Michael Scheidell, CTO
Re: Updated: 90_axb_fraud.cf
On 3/15/12 10:28 AM, Benny Pedersen wrote:
> sa-update how ?

Click download. Copy it to your SpamAssassin (local) rules dir:
  BSD: /usr/local/etc/mail/spamassassin
  others (might be): /etc/mail/spamassassin
It's where your local.cf lives.

If you use sa-compile, compile now. If you use spamd, restart spamd; amavisd-new, reload amavisd.

-- 
Michael Scheidell, CTO
Re: Updated: 90_axb_fraud.cf
On 3/15/12 7:34 AM, Axb wrote:
> I've run a small update of 90_axb_fraud.cf
> https://sourceforge.net/projects/sare/
> As nobody except John Hardin has shown up to contribute data, this is the last update I'll release as it requires massive fresh data to make the work worthwhile.

I didn't know anything about 90_axb_fraud.cf. What kind of data do you need?

> enjoy...

-- 
Michael Scheidell, CTO
Re: someone hijacked spamassassin.org whois record?
On 3/11/12 2:52 PM, João Gouveia wrote:
> - Original Message -
> From: "Michael Scheidell"
> To: "SpamAssassin Users List"
> Sent: Sunday, March 11, 2012 6:25:52 PM
> Subject: someone hijacked spamassassin.org whois record?
>
> > hacked dns servers records?
>
> Not likely. It does look like someone screwed up something. This seems to be related:
> https://svn.apache.org/repos/infra/infrastructure/trunk/dns/zones/spamassassin.org
> https://issues.apache.org/jira/browse/INFRA-2507 (check bottom/latest of the thread)

Yeh, right:

"Global Redundancy. No-IP deploys nameservers across the globe to ensure 100% DNS uptime. No one DNS server is at the same data center or utilizes the same Internet connectivity. With 5 nameservers in addition to your nameserver DNS will ALWAYS resolve!"

-- 
Michael Scheidell, CTO
someone hijacked spamassassin.org whois record?
hacked dns servers records?

Domain ID:D81255450-LROR
Domain Name:SPAMASSASSIN.ORG
Created On:17-Dec-2001 02:01:49 UTC
Last Updated On:11-Mar-2012 12:32:35 UTC
Expiration Date:17-Dec-2012 02:01:49 UTC
Sponsoring Registrar:Dotster, Inc. (R34-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:DOT-2MZ7O47A2BT8
Registrant Name:Host Master
Registrant Organization:Apache Software Foundation
Registrant Street1:1901 Munsey Drive
Registrant Street2:
Registrant Street3:
Registrant City:Forest Hill
Registrant State/Province:MD
Registrant Postal Code:21050-2747
Registrant Country:US
Registrant Phone:+1.14104200140
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:hostmaster-2005-al...@apache.org
Admin ID:DOT-BYQQQJZSKSZD
Admin Name:Host Master
Admin Organization:Apache Software Foundation
Admin Street1:1901 Munsey Drive
Admin Street2:
Admin Street3:
Admin City:Forest Hill
Admin State/Province:MD
Admin Postal Code:21050-2747
Admin Country:US
Admin Phone:+1.14104200140
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:hostmaster-2005-al...@apache.org
Tech ID:DOT-WQUT26ZZD3R7
Tech Name:Host Master
Tech Organization:Apache Software Foundation
Tech Street1:1901 Munsey Drive
Tech Street2:
Tech Street3:
Tech City:Forest Hill
Tech State/Province:MD
Tech Postal Code:21050-2747
Tech Country:US
Tech Phone:+1.14104200140
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:hostmaster-2005-al...@apache.org
Name Server:NS2.SURFNET.NL
Name Server:NS3.NO-IP.COM
Name Server:NS2.NO-IP.COM
Name Server:NS1.NO-IP.COM
Name Server:NS4.NO-IP.COM

-- 
Michael Scheidell, CTO
Re: uribl lastminute.com listed in uribl whte and is now used for nordea phisting mails
On 3/2/12 11:36 AM, Benny Pedersen wrote:
> just a note to whom it might concern :)

phisting? OUCH.

-- 
Michael Scheidell, CTO
Re: Bayes now changed to autolearn=unavailable.
On 2/27/12 5:48 AM, Simon Loewenthal wrote:
> seems reasonably well trained. It works well. I noticed that emails that did not hit BAYES_00 (so no shortcircuit) were not autolearnt by SA. Even though these were well below the autolearn threshold of -1. In the example below, the score was -7.8. Below this, the bayes settings in the local.cf are listed. A score of beneath -1 should have been autolearnt.
>
> DCC_CHECK,RCVD_IN_DNSWL_HI,RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_SAFE,SPF_PASS,T_RP_MATCHES_RCVD,URI_HEX

For each rule triggered, does it have an autolearn flag? You need enough rules that together score below -1 and do NOT have noautolearn flags.

-- 
Michael Scheidell, CTO
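The reply above is the whole story, but it is easier to see with numbers. What follows is an added example modelled on what SpamAssassin's AutoLearnThreshold plugin documents, not the plugin's code: rules tagged noautolearn or userconf are dropped before the autolearn score is computed, Bayes' own rules (tflags learn) are tracked separately, and a spam verdict additionally needs at least 3 points from header rules and 3 from body rules. The rule table (scores, tflags, rule types) is constructed for the demo and does not reproduce the stock values; check the tflags of the real rules in your .cf files. The -1 ham threshold is the poster's setting (the default is 0.1). SpamAssassin also scores the hits with the score set in which Bayes is turned off when making this decision, so the points can differ from the total in X-Spam-Status.

```python
"""Why a message can score -7.8 overall and still get autolearn=no.
Added example modelled on the documented AutoLearnThreshold behaviour; not
SpamAssassin's own code.  RULES is constructed for the demo."""
SPAM_THRESHOLD = 12.0    # bayes_auto_learn_threshold_spam default
HAM_THRESHOLD = -1.0     # the poster's bayes_auto_learn_threshold_nonspam (default 0.1)
MIN_BODY_POINTS = 3.0    # spam needs at least 3 body and 3 header points
MIN_HEADER_POINTS = 3.0

# Constructed: name -> (score, tflags, rule type).  Scores and tflags are
# invented for the demo and are NOT the stock SpamAssassin values.
RULES = {
    "DCC_CHECK":            (1.0,    {"net"},                        "full"),
    "RCVD_IN_DNSWL_HI":     (-5.0,   {"net", "nice", "noautolearn"}, "header"),
    "RCVD_IN_RP_CERTIFIED": (-2.0,   {"net", "nice", "noautolearn"}, "header"),
    "RCVD_IN_RP_SAFE":      (-2.0,   {"net", "nice", "noautolearn"}, "header"),
    "SPF_PASS":             (-0.5,   {"nice"},                       "header"),
    "T_RP_MATCHES_RCVD":    (-0.5,   {"nice", "net"},                "header"),
    "URI_HEX":              (0.5,    set(),                          "uri"),
    "BAYES_00":             (-1.9,   {"learn", "nice"},              "body"),
    "BAYES_99":             (3.5,    {"learn"},                      "body"),
    "USER_IN_WHITELIST":    (-100.0, {"userconf", "nice"},           "header"),
    "RCVD_IN_XBL":          (3.0,    {"net"},                        "header"),
    "RCVD_IN_PSBL":         (4.5,    {"net"},                        "header"),
    "MISSING_DATE":         (1.5,    set(),                          "header"),
    "FORGED_MUA_OUTLOOK":   (4.0,    set(),                          "header"),
    "URIBL_BLACK":          (3.5,    {"net"},                        "uri"),
    "HTML_IMAGE_ONLY_24":   (1.5,    set(),                          "body"),
}

# the rule names from the post, in the order they were listed
HAM_HITS = ["DCC_CHECK", "RCVD_IN_DNSWL_HI", "RCVD_IN_RP_CERTIFIED",
            "RCVD_IN_RP_SAFE", "SPF_PASS", "T_RP_MATCHES_RCVD", "URI_HEX"]

def autolearn_points(hits, rules):
    """Return (autolearn_total, body_points, header_points, learned_points)."""
    total = body = header = learned = 0.0
    for name in hits:
        score, tflags, rtype = rules[name]
        if "noautolearn" in tflags or "userconf" in tflags:
            continue                      # never counted for autolearning
        if "learn" in tflags:
            learned += score              # Bayes itself: tracked, not counted
            continue
        if score == 0:
            continue
        total += score
        if rtype in ("body", "rawbody", "uri", "full"):
            body += score                 # simplification: full counts on both sides
        if rtype in ("header", "full"):
            header += score
    return total, body, header, learned

def autolearn_decision(hits, rules, spam_thr=SPAM_THRESHOLD, ham_thr=HAM_THRESHOLD):
    """'ham', 'spam' or 'no', plus the points the decision was based on."""
    total, body, header, _learned = autolearn_points(hits, rules)
    if total < ham_thr:
        return "ham", total
    if total >= spam_thr and body >= MIN_BODY_POINTS and header >= MIN_HEADER_POINTS:
        return "spam", total
    return "no", total
```

With the constructed tflags, the three DNS whitelist rules that carry almost all of the negative score are tagged noautolearn, so the autolearn total is +0.5, not -7.8, and nothing is learned. Removing that flag from one of them (or adding enough other negative rules without it) is what moves the message under the ham threshold.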
Re: Yet another thread about AWL
On 2/22/12 8:17 AM, Antonio Gutiérrez Mayoral wrote:
> Oh, thank you! I thought that restarting spamd was sufficient.

You don't run spamd at all with amavisd-new. Just wasting RAM/CPU/swap.

-- 
Michael Scheidell, CTO
Re: Yet another thread about AWL
On 2/22/12 7:36 AM, Antonio Gutiérrez Mayoral wrote:
> I have checked with spamassassin --lint the config and restart spamd. I am still seeing AWL triggered on the amavis log:

And, you don't use spamd with amavisd-new.

-- 
Michael Scheidell, CTO
Re: Yet another thread about AWL
On 2/22/12 5:14 AM, Antonio Gutiérrez Mayoral wrote:
> But in the MySQL shows up the record...
>
> username email ip count totscore
> vscan mailer-dae...@relay.hostingconsult.ru 194.587 -2.393

Disable AWL. It is deprecated, and amavisd-new has better ways of handling this, and you are running amavisd-new. Why are you beating a dead horse?

AWL was deprecated because it is slow, not accurate, easy to poison, and the FN rate is unacceptable (it is unacceptable to you, right?). Spammers forge their from address, use 'random' IP addresses on zombot networks.

-- 
Michael Scheidell, CTO
Re: Yet another thread about AWL
On 2/21/12 4:09 PM, Benny Pedersen wrote:
> Den 2012-02-21 16:29, Duane Hill skrev:
> > http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_AWL.html
>
> 3.3.x have it enabled so this url is okay :-)
>
> use_auto_whitelist ( 0 | 1 ) (default: 1)
>
> this line is to disable it pr user in user_prefs, the plugin is still enabled in *.pre file

Starting in 3.3.0, new installs of SpamAssassin do not have the plugin loaded by default. If you have it loaded, then it is your port/package/yum/rpm that did it, or you have an old v310.pre that they preserved.

http://wiki.apache.org/spamassassin/AutoWhitelist
"Previous version implementation: In 3.3, the plugin is not loaded by default."

-- 
Michael Scheidell, CTO
Re: Yet another thread about AWL
On 2/21/12 10:11 AM, Antonio Gutiérrez Mayoral wrote:
> rule AWL is triggered with a negative score. Reading the documentation I think that the problem was a wrong auto-learn threshold for HAM, the first week the system starts to work. The initial threshold for Ham was -0.001 and I think that this threshold causes a lot of spam and backscatter addresses were learned as non-spam addresses. Could be possible?

And this is one reason why AWL is deprecated, and disabled by default in all new SA installations for (2 years? someone correct me on the time?).

Q: if you did not have that negative score, would you have marked those emails as spam? If the answer is yes, disable AWL.

Also, since you are using amavisd-new, you might want to ask specific (non-AWL) questions on their mailing list about backscatter. They have a solution that might work better than AWL.

-- 
Michael Scheidell, CTO
Re: Spam messages with no payload
On 2/19/12 5:45 PM, Jason Haar wrote:
> I know what you mean - see if anyone can figure out what this one was about! I think they're just screwing with us :-/ (I mean, do they seriously think people are going to reply "excuse me, did you mean to send this to me?" and take it from there?)
> http://pastebin.com/MCwFrP6C

This is a typical 'freight forwarder scam'. They want you to prepay freight to their 'authorized forwarder' who never accepts the shipment; it gets sent back to you, but you are on the hook for the original payments, and/or you totally lose your shipment anyway.

-- 
Michael Scheidell, CTO
Re: how do I fix my spamassassin setup? I can't use Bayes anymore -- won't open the files...
On 2/10/12 11:04 PM, Linda Walsh wrote:
> /home/law/.spamassassin/bayes.lock
> bayes: cannot open bayes databases /home/law/.spamassassin/bayes_* R/W: tie failed: No such file or directory
> Learned tokens from 0 message(s) (1 message(s) examined)
> Feb 10 20:01:23.326 [3573] dbg: plugin: Mail::SpamAssassin::Plugin::Bayes=HASH(0x3078b58) implements 'learner_close', priority 0
> ERROR: the Bayes learn function returned an error, please re-run with -D for more information at /usr/bin/sa-learn line 493.
>
> Ishtar:law/bin> llg /home/law/.spamassassin/bayes_*
> -rwxrwxrwx+ 1 law spamd 20393984 Jan 10 11:25 /home/law/.spamassassin/bayes_seen*
> -rwxrwxrwx+ 1 law spamd 14253097 Jan 10 11:25 /home/law/.spamassassin/bayes_seen.txt*
> -rwxrwxrwx+ 1 law spamd  5177344 Jan 10 11:25 /home/law/.spamassassin/bayes_toks*

What does it do when you re-run with -D?

Anyway, the db4 files are likely corrupted, or locked. Stop spamd.
- Try copying them somewhere, erase them, copy them back.
- If that doesn't work, use the backup function inside sa-learn: backup, restore.
- If that doesn't work, delete them, reboot, copy them back or restore them.
- If that doesn't work, delete them and start from scratch.

If you have a busy system, use the MySQL DBI, with the InnoDB engine. Less likely to corrupt.

-- 
Michael Scheidell, CTO
Re: Getting high spam score for email server hosted on AWS instance
On 2/8/12 6:41 AM, Sharma, Ashish wrote:
> Hi, I have a mail server setup on an AWS instance. When I am sending mails via this setup to a test spamassassin setup that acts as an email receiver server, I am getting high spam scores as follows:
> [FROM_LOCAL_HEX=0.331, HTML_IMAGE_ONLY_24=1.282, HTML_MESSAGE=0.001, RCVD_ILLEGAL_IP=3.399, T_REMOTE_IMAGE=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
> As can be seen, the highest contributor is "RCVD_ILLEGAL_IP=3.399"

No, since the IP address in question is, by definition, an unroutable IP, and should never be seen in a Received list. (I am just guessing:

  Received: from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by

You have a Microsoft cluster, where Microsoft thought it would be a good idea to use 169.254.0.0/16 IP addresses?)

Bring this up with Microsoft, have them 'fix' this.

-- 
Michael Scheidell, CTO
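To see why the receiving side cannot make this go away, it helps to walk the Received: chain the way SpamAssassin does. The following is an added example, not the RCVD_ILLEGAL_IP rule itself (which is a regex over SpamAssassin's untrusted-relay list); it uses Python's ipaddress module and a simplified trust walk: starting at the newest header, a relay whose address is in trusted_networks is trusted until the first one that is not, and that hop and every older one are untrusted. Only untrusted hops are checked. The sample headers are constructed; only the hpqcorp.net hop is copied from the post above, and 203.0.113.10 stands in for the AWS sender.

```python
"""Which Received: hops get checked, and why a 169.254.x address in one of
them is the sender's problem.  Added example, not SpamAssassin's rule."""
import ipaddress
import re

# first bracketed address in a Received: header, e.g. "([169.254.8.28])"
IP_IN_RECEIVED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

RECEIVED = [  # newest first, as in a message; constructed except the hpqcorp hop
    "from mail.aws-sender.example (ec2-203-0-113-10.compute-1.amazonaws.com [203.0.113.10]) by mx.receiver.example with ESMTP",
    "from G9W0725.americas.hpqcorp.net ([169.254.8.28]) by mail.aws-sender.example with mapi",
    "from hub.corp.example ([10.1.2.3]) by G9W0725.americas.hpqcorp.net with ESMTP",
]

def illegal_reason(ip):
    """Why an address can never be a legitimate public relay, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparsable"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:              # 169.254.0.0/16, fe80::/10
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_reserved:                # 240.0.0.0/4 and IPv6 reserved blocks
        return "reserved"
    if addr.version == 4 and addr in ipaddress.ip_network("0.0.0.0/8"):
        return "0.0.0.0/8"
    return None                         # RFC1918 space is normal inside a site: not flagged

def relay_ips(received_headers):
    ips = []
    for h in received_headers:
        m = IP_IN_RECEIVED.search(h)
        ips.append(m.group(1) if m else None)
    return ips

def _in_networks(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False
    return any(addr in n for n in nets)

def untrusted_relays(ips, trusted_networks=()):
    """Simplified SpamAssassin trust path: trusted from the top until the
    first hop outside trusted_networks; that hop and all older ones are untrusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    untrusted, still_trusted = [], True
    for ip in ips:
        if still_trusted and _in_networks(ip, nets):
            continue
        still_trusted = False
        untrusted.append(ip)
    return untrusted

def rcvd_illegal_ip(received_headers, trusted_networks=()):
    """[(ip, reason)] for every untrusted hop carrying an impossible address."""
    hits = []
    for ip in untrusted_relays(relay_ips(received_headers), trusted_networks):
        reason = illegal_reason(ip) if ip is not None else None
        if reason:
            hits.append((ip, reason))
    return hits
```

The only way the receiver can silence this is to put the sender's relay and its link-local range into its own trusted_networks, which it has no business doing for someone else's infrastructure; the fix belongs where the 169.254 address is being stamped into the header.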
Re: ACL vs. TRANSPORT styles
On 2/3/12 2:53 PM, Antonio Leding wrote:
> Does anyone out there have any information regarding two purported "styles" for SpamAssassin operation - ACL and TRANSPORT? I was recently made aware of this distinction but after searching for a couple days, I am unable to find any further details nor any documentation discussing this topic let alone these two different styles.

You did not get any information via search, most likely because someone made those "styles" up for their own marketing purposes.

There is a third style, and it is actually the most accurate style: it is the MIB style (no, not SNMP; MIB, MIKE IN a BOX).

-- 
Michael Scheidell, CTO
Re: SA 3.0.2 buggie? -- message that DB file doesn't exist -- but systrace shows successful lock and open!
On 1/16/12 9:36 AM, Linda Walsh wrote:
> This is not permission problem -- Message I get:

Have you tried to upgrade to the released version, 3.3.2? 3.0.2 was obsolete 6 years ago.

-- 
Michael Scheidell, CTO
FreeBSD port ja-p5-Mail-SpamAssassin needs adoption
FreeBSD is committed to keeping the most up to date, current versions of all major software packages and utilities. We need your help in doing this.

Any FreeBSD users, with ports experience, who use the Japanese version of SpamAssassin: we need someone to adopt that port and move it to a slave port of mail/p5-Mail-SpamAssassin. Work with that maintainer (me) so that all new updates cascade down to the Japanese version. All you need to do is make sure the ja-* specific parts are up to date, since the master port will keep the ja-* port automagically up to date with generic SA code.

If you want this port, see the information in the FreeBSD Porter's Handbook, and do what it asks. (If you don't know, and can't find the information, you might not want to do this.)

Mention in your submission that you are working with the port maintainer of mail/p5-Mail-SpamAssassin (me: use email address reference scheid...@freebsd.org).

-- 
Michael Scheidell, CTO
Re: sa-update channel list
On 1/11/12 10:09 PM, jida...@jidanni.org wrote:
> "MS" == Michael Scheidell writes:
> All I know is I'm using
> Jan 12 11:07:09.394 [21138] dbg: generic: SpamAssassin version 3.4.0-r1102360
> which is obviously newer than 3.3.2.

Then whoever built that unreleased development version for you broke something, because the current sa-update for 3.4.0 and 3.3.2 is dated Jan 11th, 2012:

host -t txt 0.4.3.updates.spamassassin.org
0.4.3.updates.spamassassin.org is an alias for 2.3.3.updates.spamassassin.org.
2.3.3.updates.spamassassin.org descriptive text "1229933"

ls -lt 1229933.tar.gz
-rw-r--r--  1 rsync  rsync  250587 Jan 11 22:15 1229933.tar.gz

tar -ztvf 1229933.tar.gz | less
-rw-r--r--  0 updatesd dns    8687 Jan 11 22:11 10_default_prefs.cf
-rw-r--r--  0 updatesd dns    7612 Jan 11 22:11 20_advance_fee.cf
-rw-r--r--  0 updatesd dns    7886 Jan 11 22:11 20_aux_tlds.cf
-rw-r--r--  0 updatesd dns    7005 Jan 11 22:11 20_body_tests.cf
-rw-r--r--  0 updatesd dns    1894 Jan 11 22:11 20_compensate.cf
-rw-r--r--  0 updatesd dns   11342 Jan 11 22:11 20_dnsbl_tests.cf
-rw-r--r--  0 updatesd dns   15055 Jan 11 22:11 20_drugs.cf
-rw-r--r--  0 updatesd dns   11490 Jan 11 22:11 20_dynrdns.cf
-rw-r--r--  0 updatesd dns    8437 Jan 11 22:11 20_fake_helo_tests.cf
-rw-r--r--  0 updatesd dns    3014 Jan 11 22:11 20_freemail.cf
-rw-r--r--  0 updatesd dns   36267 Jan 11 22:11 20_freemail_domains.cf
-rw-r--r--  0 updatesd dns   26123 Jan 11 22:11 20_head_tests.cf
-rw-r--r--  0 updatesd dns   10504 Jan 11 22:11 20_html_tests.cf
-rw-r--r--  0 updatesd dns    5287 Jan 11 22:11 20_imageinfo.cf
-rw-r--r--  0 updatesd dns    3330 Jan 11 22:11 20_meta_tests.cf
-rw-r--r--  0 updatesd dns    1880 Jan 11 22:11 20_net_tests.cf
-rw-r--r--  0 updatesd dns    8069 Jan 11 22:11 20_phrases.cf
-rw-r--r--  0 updatesd dns    2062 Jan 11 22:11 20_porn.cf
-rw-r--r--  0 updatesd dns   15967 Jan 11 22:11 20_ratware.cf
-rw-r--r--  0 updatesd dns    5650 Jan 11 22:11 20_uri_tests.cf
-rw-r--r--  0 updatesd dns   19268 Jan 11 22:11 20_vbounce.cf
-rw-r--r--  0 updatesd dns    2549 Jan 11 22:11 23_bayes.cf
-rw-r--r--  0 updatesd dns    1544 Jan 11 22:11 25_accessdb.cf

-- 
Michael Scheidell, CTO
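The dig output in the "sa-update doesn't work anymore" thread above and the host lookup here are the same mechanism: sa-update reverses the installed version into a DNS label under updates.spamassassin.org, reads the revision number from the TXT record, and only fetches when it is newer than the revision it already has. The following is an added example, not sa-update's own code; the dig and host answers are copied from the two posts, the pre-release version handling and the comparison logic are assumptions. Note the revision check is only step one: the real tool then downloads <rev>.tar.gz from a mirror listed in MIRRORED.BY and verifies its .sha1 and GPG .asc before installing, which this example does not do, and a resolver timeout (the DiG 9.2.4 case) must be reported as "no answer", never as "already up to date".

```python
"""How sa-update decides whether there is anything to fetch.  Added example,
not sa-update's own code; DNS answers copied from the posts above."""
import re

CHANNEL = "updates.spamassassin.org"

# Answers copied from the posts above (tabs as dig prints them).
DIG_ANSWER = (
    "; <<>> DiG 9.3.5-P2 <<>> -t txt 2.3.3.updates.spamassassin.org\n"
    ";; ANSWER SECTION:\n"
    "2.3.3.updates.spamassassin.org.\t3600\tIN\tTXT\t\"1293136\"\n"
)
HOST_ANSWER = (
    "0.4.3.updates.spamassassin.org is an alias for 2.3.3.updates.spamassassin.org.\n"
    "2.3.3.updates.spamassassin.org descriptive text \"1229933\"\n"
)
DIG_TIMEOUT = (
    "; <<>> DiG 9.2.4 <<>> -t txt 2.3.3.updates.spamassassin.org\n"
    ";; global options: printcmd\n"
    ";; connection timed out; no servers could be reached\n"
)

def channel_name(version, channel=CHANNEL):
    """'3.3.2' -> '2.3.3.updates.spamassassin.org'.  A pre-release suffix
    such as '-r1102360' is dropped (assumption; the post shows 0.4.3 aliased
    to 2.3.3, so a 3.4.0 build is served the 3.3.2 rules)."""
    parts = version.split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected version string: %r" % version)
    return ".".join(reversed(parts)) + "." + channel

# Matches both dig ('name. 3600 IN TXT "123"') and host ('name descriptive text "123"').
TXT_RE = re.compile(
    r'^(\S+?)\.?\s+(?:\d+\s+)?(?:IN\s+TXT|descriptive text)\s+"(\d+)"', re.M)

def parse_revisions(output):
    """name -> revision for every TXT answer line; {} when the query failed."""
    return {name: int(rev) for name, rev in TXT_RE.findall(output)}

def update_needed(output, local_revision, channel=CHANNEL):
    """(True|False, remote_rev), or (None, None) when DNS gave no usable
    answer, so a broken resolver is never mistaken for 'already up to date'."""
    for name, rev in parse_revisions(output).items():
        if name.endswith(channel):
            return rev > local_revision, rev
    return None, None
```

In the post, 1229933 is the revision in the tarball on the mirror and the later dig shows 1293136, so a box holding the first would be told to fetch; a box whose resolver times out gets (None, None) and should leave its rules alone rather than conclude it is current.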
Re: sa-update channel list
On 1/11/12 9:35 PM, jida...@jidanni.org wrote:
> MS> #1 priority: keep your version of sa updated
> Hmmm, taking a look at it, I find the last update was about 2011/10/24. Too bad sa-update -D doesn't spit out the date.

I meant your version of SpamAssassin. 3.3.2 was updated yesterday. If you don't have the current version of SpamAssassin then your sa-update channel will be older. (Case in point.)

-- 
Michael Scheidell, CTO
Re: sa-update channel list
On 1/9/12 1:33 PM, Juergen Edner wrote:
> Hello, I'm using SpamAssassin for years now to get rid of spam. Now I wonder which sa-update channels you're using by default to improve your scan results. Are you sticking to the default 'updates.spamassassin.org'

Commercial product, maintainer of the FreeBSD version of SA, and running one of the mirrors: we use the stock sa-update channel, and (local) custom rules, lots of meta rules.

#1 priority: keep your version of SA updated, because new(er) rules and tests are only added, or are added first, to the current/stable version.

-- 
Michael Scheidell, CTO
Re: sa-update / perl error again
On 1/9/12 6:25 AM, Michael Scheidell wrote:
> On 1/8/12 9:52 PM, email builder wrote:
> > rpm -e --nodeps perl-IO-Socket-INET6
> > By the way, is there a way to grep for the errant code? My feeble attempt didn't turn up much:
>
> as in one of my previous emails: 'locate IO-Socket-INET6'

locate INET6

and/or (here was the previous email):

> or, you could just delete (manually) IO-Socket-INET6 (make a backup first!)
> on freebsd (with perl 5.10.1):
> /usr/local/lib/perl5/5.10.1/man/man3/IO::Socket::INET6.3.gz
> /usr/local/lib/perl5/site_perl/5.10.1/IO/Socket/INET6.pm
> /usr/local/lib/perl5/site_perl/5.10.1/mach/auto/IO/Socket/INET6
> /usr/local/lib/perl5/site_perl/5.10.1/mach/auto/IO/Socket/INET6/.packlist
> on fedora, try: find /usr/lib/ -name 'INET6*' (back them up)

You should see them as above. But yum won't know they are gone. They might be in /usr/lib/perl5/{version} and /usr/lib/perl5/{version|vendor}. Ask on a Linux users group how to get yum to rm a dependency without the package.

On FreeBSD, it would be something like 'pkg_delete -f p5-IO-SOCKET-INET6' (the -f to force it to be removed) and 'pkgdb -F' (to FIX the package database and remove the dependency link).

-- 
Michael Scheidell, CTO
Re: sa-update / perl error again
On 1/8/12 9:52 PM, email builder wrote:
> rpm -e --nodeps perl-IO-Socket-INET6
> By the way, is there a way to grep for the errant code? My feeble attempt didn't turn up much:

As in one of my previous emails: 'locate IO-Socket-INET6'

-- 
Michael Scheidell, CTO
Re: sa-update / perl error again
On 1/7/12 1:56 PM, email builder wrote:
> while I *DO* appreciate your suggestion, since I am fairly confident to say I doubt that my config is the problem in a DNS resolver/IPv6 function redefinition, I'm not too interested in proving that point by making those changes on a production machine. Again, thanks anyway.

I am the ports maintainer for the FreeBSD version of SpamAssassin. Used 'it' for YEARS in production (commercial product), several platforms, i386, amd64, FreeBSD versions 6.4-7.4.

ONE DAY, ONE BRAND NEW CLIENT was having real problems with their mailq. Email was backing up. Two days to figure it out; I deleted the INET6 module (on FreeBSD it's a lot easier, I suppose, than on your Linux thing). Now all the email flowed perfectly.

SA was trying to do IPv6 lookups; the kernel did NOT have IPv6 compiled in. NONE OF OUR PRODUCTION SYSTEMS DO, and there is no logical explanation for it.

SA does NOT need INET6, unless you have two things:
#0, INET6 compiled into your kernel
#1, INET6 DNS server as the first server in /etc/resolv.conf
#2, INET6 firewall, routing, MX records, etc.

I updated the FreeBSD port so that it does not even try to install the INET6 pm unless the system was compiled with INET6 in the kernel.

ymmv. Did I mention that we were not able to reproduce this in the lab? And up till then, no other client had a problem?

-- 
Michael Scheidell, CTO
Re: sa-update / perl error again
On 12/31/11 10:46 PM, email builder wrote:
> Hi, Running CentOS5 with SpamAssassin v3.3.1-2.el5 installed via yum
> I remember getting this error a while ago, and it was fixed (don't remember how, but I think just by upgrading), but now it's happening again:
> Subroutine Net::DNS::Resolver::Base::AF_INET6 redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
> at /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/Net/DNS/Resolver/Base.pm line 65

Are you still running perl 5.8.8? (perl -v)

If you have multiple perl sitelibs, you might have a conflict. cd /usr/lib/perl5; ls. How many vendor_perl and site_perl's do you have?

Or, you could just delete (manually) IO-Socket-INET6 (make a backup first!)

On FreeBSD (with perl 5.10.1):
/usr/local/lib/perl5/5.10.1/man/man3/IO::Socket::INET6.3.gz
/usr/local/lib/perl5/site_perl/5.10.1/IO/Socket/INET6.pm
/usr/local/lib/perl5/site_perl/5.10.1/mach/auto/IO/Socket/INET6
/usr/local/lib/perl5/site_perl/5.10.1/mach/auto/IO/Socket/INET6/.packlist

On Fedora, try: find /usr/lib/ -name 'INET6*' (back them up)

> The results I get from Google regarding this are all circa 2008. The only hints I can find seem to suggest to remove perl-IO-Socket-INET6, but trying to do so using yum (I don't want to start using another method of package management) tells me that spamassassin is a dependency and will also be removed - obviously undesirable.
> Perl is up to date on the machine.

No it's not :-) perl is at 5.14.* something now, but don't update it, it might now help.

-- 
Michael Scheidell, CTO
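The "multiple sitelibs" suspicion above and the file lists in the two later replies are the same check: a "Subroutine ... redefined" warning usually means one module is reachable twice through perl's @INC (a stale site_perl copy next to the packaged vendor_perl one, left behind by an upgrade). The following is an added example, not part of this thread: it walks a list of @INC roots and reports every module found under more than one of them, so you know which copy to back up and remove before touching yum or pkg_delete. Feed it the output of perl -e 'print "$_\n" for @INC'; the directory tree that demo() builds is constructed for the test.

```python
"""Find Perl modules present under more than one @INC root.  Added example,
not part of the original thread; demo() builds a constructed tree."""
import os
import shutil
import tempfile

def module_name(root, path):
    """/usr/lib/perl5/site_perl/5.8.8/IO/Socket/INET6.pm -> IO::Socket::INET6"""
    rel = os.path.relpath(path, root)
    return "::".join(rel.split(os.sep))[:-len(".pm")]

def find_duplicate_modules(inc_roots):
    """module name -> sorted list of files, only for modules found under more
    than one root.  Roots that do not exist are skipped, as perl skips them."""
    seen = {}
    for root in inc_roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                if f.endswith(".pm"):
                    path = os.path.join(dirpath, f)
                    seen.setdefault(module_name(root, path), []).append(path)
    return {m: sorted(p) for m, p in seen.items() if len(p) > 1}

def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "a").close()

def demo():
    """Constructed layout: an old site_perl copy of IO::Socket::INET6 next to
    the packaged vendor_perl copy.  Returns {module: number_of_copies}."""
    base = tempfile.mkdtemp(prefix="perl-inc-demo-")
    try:
        site = os.path.join(base, "site_perl", "5.8.8")
        vendor = os.path.join(base, "vendor_perl", "5.8.8")
        _touch(os.path.join(site, "IO", "Socket", "INET6.pm"))      # stale copy
        _touch(os.path.join(vendor, "IO", "Socket", "INET6.pm"))    # packaged copy
        _touch(os.path.join(vendor, "Net", "DNS", "Resolver", "Base.pm"))
        dups = find_duplicate_modules([site, vendor, os.path.join(base, "missing")])
        return {m: len(paths) for m, paths in dups.items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Pass the @INC entries themselves (including the arch-specific ones such as .../i386-linux-thread-multi) rather than their parent directories, otherwise the arch subdirectory ends up in the module name and real duplicates are missed.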
Re: installation problem
On 12/31/11 1:41 PM, Steve Blinkhorn wrote:
> Hi, I just tried to install spamassassin: everything proceeded normally, AFAIK, but the basic "spamassassin -t" on the provided sample fails because no rules are found (line 400, which looks to my untutored eye like an all-purpose error-spitter). sa-update appears to run,

And as you saw, SA no longer distributes rules with the package. You used NetBSD, right? Did you install from SA source, or did you use NetBSD ports? Try running sa-update -D, see what it did.

> exits silently. There is a rules directory under the directory where I ran the installation, and also under usr/pkg/share, and they are both populated with files which look relevant. I tweaked the script so as not to require rules, and it ran and produced output.

Untweak. You need rules.

> NetBSD 4.01, working as root. What is amiss?

-- 
Michael Scheidell, CTO
Fwd: cvs commit: ports/mail/p5-Mail-SpamAssassin Makefile pkg-plist ports/mail/p5-Mail-SpamAssassin/files patch-bug6698
this patch of the patch fixes the case where X-DCC headers are injected by the upstream mail provider. SpamAssassin bugzilla has been updated also.

-------- Original Message --------
Subject: cvs commit: ports/mail/p5-Mail-SpamAssassin Makefile pkg-plist ports/mail/p5-Mail-SpamAssassin/files patch-bug6698
Date: Mon, 26 Dec 2011 18:14:37 +
From: Michael Scheidell
To: , ,

scheidell    2011-12-26 18:14:37 UTC

  FreeBSD ports repository

  Modified files:
    mail/p5-Mail-SpamAssassin        Makefile pkg-plist
    mail/p5-Mail-SpamAssassin/files  patch-bug6698
  Log:
  - private email, patch to fix issue with dcc and existing X-DCC headers [1]
  - pet pkg-plist

  Submitted by:   Herbert J. Skuhra [1]
  Reviewed by:    Vernon Schryver <v...@rhyolite.com>
  Approved by:    gabor (mentor)
  Obtained from:  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6698

  Revision  Changes  Path
  1.144     +1 -1    ports/mail/p5-Mail-SpamAssassin/Makefile
  1.2       +1 -1    ports/mail/p5-Mail-SpamAssassin/files/patch-bug6698
  1.48      +3 -3    ports/mail/p5-Mail-SpamAssassin/pkg-plist
Re: dccproc/dccifd error
I am going to update the original bug with patch. I'll have Mark look at it first.

--
Michael Scheidell, CTO
SECNAP Network Security

-----Original message-----
From: "dar...@chaosreigns.com"
To: Michael Scheidell
Cc: "users@spamassassin.apache.org"
Sent: Fri, Dec 23, 2011 17:28:28 GMT+00:00
Subject: Re: dccproc/dccifd error

On 12/23, Michael Scheidell wrote:
> #2, bug.. yep, bug. Vernon (author of DCC) will investigate and fix
> it, and update the SA BUGzilla soon.
> (so, yes, this would be a bug in 3.4 if released, but only shows up
> under one certain condition)

Please post the bug to https://issues.apache.org/SpamAssassin/ so we can keep track of it, and make sure 3.4.0 doesn't get released with it.

--
"Life is either a daring adventure or it is nothing at all." - Helen Keller
http://www.ChaosReigns.com
Re: dccproc/dccifd error
On 12/22/11 9:44 PM, dar...@chaosreigns.com wrote:
> On 12/22, dar...@chaosreigns.com wrote:
>> The author did say "I believe it is entirely upward compatible." in November, which was well after the DCC 1.3.140 release, so it probably works.
>
> I'd be interested to hear how that works if you try it. Might be worth posting the results to that bug.

found the issue, twofold.

#1, the upstream email provider is adding X-DCC-Metrics headers (but they are disconnected from global DCC network)

#2, bug.. yep, bug. Vernon (author of DCC) will investigate and fix it, and update the SA BUGzilla soon.
(so, yes, this would be a bug in 3.4 if released, but only shows up under one certain condition)
Re: solicitations via netsuite.com
On 12/13/11 3:35 PM, R - elists wrote:
> greetings
>
> how are you folks on this list dealing with unwanted solicitations from companies that spam via netsuite.com ?
>
> -rh

don't see them... I guess SA marks them spam :-)

but, I suppose it's no different than sugarcrm or salesforce (I dropped salesforce over two email support issues. #1 being they seem to allow big clients to spam, #2 was that so many people blocked salesforce that 50% of our emails to our clients were being sent to junk email folders)

oh, I could solve issue #2 by setting up relaying (our email from Salesforce would be relayed through our servers, not theirs), but it would raise our cost by 65%.

so, who really cares about netsuite.com themselves.. they are just a CRM. send complaints to abuse@ and see what happens.
Re: DNSWL will be disabled by default as of tomorrow
On 12/13/11 7:44 AM, Kevin A. McGrail wrote:
> Blocking seems to be the only thing that really achieves the goal they want beyond conversion to paying customers which is not SA's issue.

I agree with Kevin.

A while back, I published an 'example' blocking list, 'blocked.secnap.net' (wildcard entry for ipv4 :-).

Guess what? it was added to a couple of perl dnsbl modules and used by people who never looked at what it was!

Two things happened:

#1, lots of (hundreds of thousands of queries per day) from one or two unnamed large ISP's

#2, calls from 'internet lawyers' demanding that we remove them from the list. (we emailed them the bind zone and told them to identify their ip address and we would gladly remove it).

Also, emailing or calling 'abusers' doesn't work. Kevin and I both run two of three sa-update mirror servers, and we have seen several 'ill configured' servers that try to pull the same sa-update every 5 mins forever. I had our night shift guys track down and send the admins a friendly note, mentioning that they aren't getting the updates anyway, so why not fix it?

No response, no change in activity (note: this might be due to one of the distro's not being able to store and check pgp keys if they are in the /tmp directory, a proposed SA bugzilla starts to address this, but these queries are for older versions of SA) And/or full /tmp filesystems, etc. We never did figure it out, but if anyone wants a list of the top 10 ip's, they can email me offlist.

Now, I disagree TOTALLY on setting the 'abuser's dns queries to return FP on DNSWL_HIGH, this serves no purpose. Blocking the ip address by firewall will save bandwidth and cpu cycles. returning FP on HIGH won't ever get google's attention, will it? and you still get the bandwidth and cpu cycles from the largest abusers.

> Regards,
> KAM
Re: score based on a list of domains
On 12/13/11 3:38 AM, Raymond Dijkxhoorn wrote:
> Hi!
>
> Easiest way would be putting them inside a uribl. What's the reason to get on this list? Eg what policy?

The policy is clearly stated on their web site, first paragraph of that link.

I believe it is a private list, not meant to be used for spam blocking.
Re: error on SA learning.
On 12/11/11 8:16 AM, Sergio wrote:
> Hi all,
>
> I have run a function in my server to learn some email spams and it shows up the following message:
>
>     Running sa-learn for spam against [/home/spam/cur]
>
> Are they errors? if so, what do they mean?
>
>     netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included
>     netset: cannot include 0:0:0:0:0:0:0:1/128 as it has already been included

it means that the ipv6 localhost address has already been included. Ignore this, these are not the droids you are looking for.
Re: Mark all invites as spam
On 12/9/11 7:58 AM, Ram wrote:
> If I want to mark *all* invite mails as spam linkedin, WAYN, facebook, google+ or anything else. Is there a global way of doing this

copy the rule that marks all phishing emails as spam, and change 'phishing' to 'invites'
Re: Bayes database in mysql on multiple servers
On 12/1/11 10:06 AM, Benny Pedersen wrote:
> does not make sense

so hire a unix programmer to help you understand.
Re: Bayes database in mysql on multiple servers
> On Wed, 30 Nov 2011 08:23:59 -0500, Michael Scheidell wrote:
>>     sed -i '' -e '/INSERT INTO bayes_seen/s/INTO/IGNORE INTO/' MySQL.pm
>>
>> (hey SA folks.. any reason not to just put that into 3.4.0? won't hurt anything, will it?)
>
> or simply just
>
>     ALTER TABLE `bayes_seen` ENGINE = INNODB

no, that won't do anything (I use engine = innodb), what does innodb have to do with replication collisions? nothing. nothing at all.
Re: Bayes database in mysql on multiple servers
> Hi all,
>
> I have two fedora15 boxes that process mail for a few domains, and recently set up bayes in mysql for each of them. The servers are in geographically different locations, a few hops from each other. Since they both process mail for the same domains, I thought it made sense to share the database between them. What's the best way to do this? Set one as a master and the other as a slave, or perhaps replication between them?

easy: set master on mx1, slave on mx2. master is in charge of adding to db, and expiring, and slave can read it.

problem: mx2 will get mostly spam, since spammers hit mx2 first, your 'spam' hits will be lower than you thought.

hard: master/master. you have replication issues, especially when the same spammer sends 500 emails to mx1, and the same 500 to mx2. only run manual expire via cronjob on master.

try this patch: (changes insert into bayes_seen to insert ignore into, ymmv, use at own risk, your HP printer sets on fire because of it, its not my fault)

    cd /usr/local/lib/perl5/site_perl/${pv}/Mail/SpamAssassin/BayesStore
    sed -i '' -e '/INSERT INTO bayes_seen/s/INTO/IGNORE INTO/' MySQL.pm

(hey SA folks.. any reason not to just put that into 3.4.0? won't hurt anything, will it?)
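The one-liner above is BSD `sed` syntax (`-i ''`), and running it twice yields "INSERT IGNORE IGNORE INTO". The script below is an added example, not from the list post and not SpamAssassin's own code: it applies the same bayes_seen change with a backup, without `sed -i`, and skips files that are already patched, then verifies that no other table's INSERT was touched. The sample MySQL.pm it writes is a constructed stand-in containing only the two SQL strings that matter, not the real module text.

```shell
#!/bin/sh
# Added example, not from the list post and not SpamAssassin's own code: apply the
# "INSERT IGNORE INTO bayes_seen" change to BayesStore/MySQL.pm with a backup,
# portably (the post's `sed -i ''` is BSD syntax; GNU sed wants `-i` with no
# argument) and idempotently, so a second run does not produce
# "INSERT IGNORE IGNORE INTO". The sample MySQL.pm below is a constructed stand-in
# with only the two SQL strings that matter, not the real module text.

# patch_bayes_seen FILE
# Returns 0 when FILE ends up patched (or already was), 1 on I/O trouble,
# 2 when the result fails verification.
patch_bayes_seen() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -q 'INSERT IGNORE INTO bayes_seen' "$file"; then
        echo "already patched: $file"       # keep re-runs harmless
        return 0
    fi
    cp "$file" "$file.orig" || return 1     # backup first, as the post says
    tmp=$(mktemp) || return 1
    # restrict the edit to the bayes_seen INSERT; bayes_token and friends must
    # keep their plain INSERT semantics
    if sed -e '/INSERT INTO bayes_seen/s/INSERT INTO/INSERT IGNORE INTO/' "$file" > "$tmp"; then
        mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    else
        rm -f "$tmp"; return 1
    fi
    verify_patch "$file"
}

# verify_patch FILE
# 0 when the bayes_seen INSERT carries IGNORE and no other INSERT does, else 2.
verify_patch() {
    file=$1
    grep -q 'INSERT IGNORE INTO bayes_seen' "$file" || return 2
    if grep 'INSERT IGNORE INTO' "$file" | grep -qv 'bayes_seen'; then
        return 2                             # the substitution touched another table
    fi
    return 0
}

# make_sample_module DIR
# Writes a constructed stand-in for MySQL.pm into DIR and prints its path.
make_sample_module() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/MySQL.pm" <<'EOF'
# constructed sample, not the real Mail::SpamAssassin::BayesStore::MySQL
my $seen_sql  = "INSERT INTO bayes_seen (id, msgid, flag) VALUES (?,?,?)";
my $token_sql = "INSERT INTO bayes_token (id, token, spam_count, ham_count, atime) VALUES (?,?,?,?,?)";
EOF
    echo "$dir/MySQL.pm"
}

# demo: patch a copy in a scratch directory, then run again to show the no-op
demo_dir=$(mktemp -d)
demo_file=$(make_sample_module "$demo_dir")
patch_bayes_seen "$demo_file" && echo "patched: $demo_file"
patch_bayes_seen "$demo_file"
grep 'INSERT' "$demo_file"
rm -rf "$demo_dir"
```

On a real host you would call `patch_bayes_seen` on the installed MySQL.pm path (the `${pv}` directory in the post is the perl version of your install) and restart spamd afterwards; the `.orig` copy is what you put back if the change misbehaves.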
Re: Rules for opt-in mailing list
> Hi
>
> Bit of an unusual question but I've been getting increasing questions of why spamassassin didn't classify an email as spam. When I look at the mail it's normally an opt-in mailing list of some kind and therefore spamassassin is correct in not classifying it as spam.

I was on icsa's anti-spam consortium, trying to create a 'specification' on anti-spam systems so they could certify them (quit after verizon bought them.. ) 6 hours of the first 8 hour meeting was on trying to define 'spam' (because one of the specs was a minimum capture rate, and a maximum fp rate) gotta define spam first! uce? bulk? what? 'spam is email you didn't want'.

we decided it is UNSOLICITED COMMERCIAL EMAIL.

You are right though, if this is CONFIRMED OPT-IN, then the user asked for it, it is BULK, it might be Commercial, but it is not UNSOLICITED. its not spam.

'OPT-OUT' (or opt-in, where someone other than user opted you in.. like the list manager, IS SPAM)

but that doesn't solve your problem. we tell users not to click on opt-out buttons because it confirms their email address. unless they remember opting in :-).

> I have had numerous conversations with users explaining opt-in mailing lists are not spam - if you don't want it unsubscribe to it, however it's getting so frequent now I was wondering if anyone had created a set of rules that would fire on the characteristics of mailing lists? e.g. unsubscribe links in the email, CANSPAM mentioned in body etc...

use, SA has tests for lots of unsubscribe/opt-out links, but they use them to trigger 'spam', not to try to see who is sending can spam email.

and, guess what: a fully legal, 'opt out' email list, can spam compliant, with full physical address, unsub instructions, and truthful subject line can still be spam if user did not opt-in themselves.

> Then when someone complains I'll enable the rules to stop them bothering me. If not I'll look at writing some myself, if anyone has suggestions on what to look for on opt-in lists please let me know.

some of the PAID reputation lists, have 'credits' for opt-in lists, look at some of the 'nice' rules for hints. (YMMV.. the sender is paying someone else to let their email in because they feel it is likely going to be caught by sa otherwise)

I mentioned in an earlier email about the Freebsd SA update, DCC. DCC goes the other way, sorta, and it will set higher scores on BULK email (yes, even bulk email you opted in to)

If you use the built in SA credits, and offset them with the DCC bulk scores, it still would not help you, because: if the list owner has a good ip reputation, and your user opted in, the ip reputation rbls would still be giving them credit.

real answer? get smarter users! you can make something foolproof, but not idiot proof.

ps, publish an SLA. offer accuracy SLA's on 'BUSINESS CRITICAL EMAIL', not just email. SA will most likely score as spam that joke your brother in law sent. is that SPAM? it is sure bulk, and has lots of 'cruft' in it, by the time he has gotten it forwarded to him by 20 people. did you want it? no. is it COMMERCIAL? no. is it SPAM? heck yes, I didn't want it :-)
Freebsd Users: Mail-SpamAssassin update available
For you Freebsd users of SpamAssassin.

I have posted an update to p5-Mail-SpamAssassin:

Major change includes the back porting of the updated DCC.pm module from SA 3.4.0

This update brings increased performance and reliability, as well as supporting both the commercial(private) and non-commercial(public) DCC servers.

As a background, DCC <http://www.rhyolite.com/dcc/cdcc.html> automatically scores BULK EMAIL (not SPAM!), some bulk is NOT spam, some spam is not BULK, but is very useful in catching zero day BULK email, and has less overhead than similar numbers of rbl lookups.

The commercial version also scores percentage of BULK vs NON BULK, allowing you to catch zombies in training. <http://www.rhyolite.com/dcc/reputations.html>

As you know, DCC is dual licensed, similar to spamhaus and other major blacklists. Free for non-commercial use, up to 100K queries per day, licenses available for > 100K. One difference, if you are an ISP, and only serving your clients, you can get support for running your own local DCC server(s) for free.

to update: use portupgrade/portmanager, make deinstall reinstall for package p5-Mail-SpamAssassin.

Updated dcc-cddd port is available on Freebsd. Other distributions do not all include updated dcc source due to the licensing issue, but it is available on their web site.

Happy SpamHunting.

ps, if you have any problems with the Freebsd SA update, email me. I am the ports maintainer for the Freebsd SA port.
Re: new paradigm
On 11/24/11 3:30 PM, Martin Hepworth wrote:
> Rfc 5321 says I can discard if I have high confidence it's rubbish !
>
> --
> Martin

I wonder what the rfc's say about helo line not matching dns:

    Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
Re: new paradigm
On 11/24/11 8:18 AM, Lucio Chiappetti wrote:
> On Wed, 23 Nov 2011, spamassas...@lists.grepular.com wrote:
>> If a message comes in to my MTA with one of those Message-Id's in the "In-Reply-To" header, it bypasses the spam filtering because it is a response to a message that I sent

again, sounds like amavisd-new penpals.

> what about if your message was stored in a folder of your correspondent, his machine is infected by a virus, and this virus sends fake replies using your message id ? I've seen cases like that in the past.

you can't whitelist a virus in amavisd-new.
Re: new paradigm
On 11/24/11 3:16 AM, Martin Gregorie wrote:
> - you need to maintain a database containing every address you ever received mail from and have sent mail to. All addresses must be recorded as you receive mail from them and updated to record when you send mail to them. You could delete addresses that you haven't replied to for, say, a month but that is about all you can delete.

sounds like amavisd-new 'penpals'. (sliding credit score starting at -100, counting down to 0 for your time period..).
Re: One-line URI body spam
On 10/18/11 6:27 PM, David B Funk wrote:
> So if you black-list those hosts you are generating FPs on any legit mails that link to those sites. Would you black-list google.com because somebody puts 'phish' forms in a google-docs spread-sheet and then sends out spams with that as the payload? (I see lots of 'phish' spam with that tactic on a regular basis).

google will. its the safebrowsing list, clamav uses their list also. if an innocent site gets hacked, and drive by crud installed on it, google will list them.

In fact, on a security site, that might show examples of hacks, you must prevent google from indexing those pages. you might need to have the reader sign up, log in to view them. if google sees them, they will blacklist you.
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 1:47 PM, John Hardin wrote:
> Yahoo is in RCVD_IN_DNSWL_HI ?!?! YGBFKM!

there goes the neighborhood. I am removing RCVD_IN_DNSWL_HI checks on our servers right now.
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 1:27 PM, dar...@chaosreigns.com wrote:
> On 10/11, Alessio Cecchi wrote:
>>     403 Forbidden
>>     Forbidden
>>     You don't have permission to access /dnswl/dl/DNSWLh.pm on this server.
>>     Apache/2.2.14 (Ubuntu) Server at www.chaosreigns.com Port 80
>
> http://www.chaosreigns.com/dnswl/sa_plugin/
>
> And I have my own IP reputation project that could use your data:
> http://www.chaosreigns.com/iprep/
Re: Spam email many have RCVD_IN_DNSWL_MED
On 10/11/11 12:18 PM, Alessio Cecchi wrote:
> I'm an italian user of spamassassin. During the last 3 weeks many spam email have rating cut down by the rules "RCVD_IN_DNSWL_MED". Also BAYES_99 can do nothing against this :-(

college.. new year, new students, new computers, new worms. as the old saying used to go "Its September again (tinc)"

RCVD_IN_DNSWL_MED means that the ip address owner doesn't spam much, and will take immediate action on spams. (I have an issue with this being applied to a university, where the it/email admin/staff has no control over the students computers)

you can register with dnswl.org and post full emails to them, and they will act.

NORMALLY, all we do with DNSWL_MED is to make sure that they don't get blacklists applied. we still spam check them.

and, to prevent these from messing up bayes, put this in local.cf and restart spamd:

    tflags RCVD_IN_DNSWL_HI  net nice noautolearn
    tflags RCVD_IN_DNSWL_MED net nice noautolearn
    tflags RCVD_IN_DNSWL_LOW net nice noautolearn
Re: Increasing score based on membership to commercial whitelist
On 10/11/11 8:55 AM, Greg Troxel wrote:
> To returnpath's credit, it appears that the addresses linkedin uses to send invitation spam to mailinglists have been delisted - but this should have happened within a few business days of the first complaint.

I have sent linkedin spam to returnpath, to their APPROVED reporting email address, which is certificat...@returnpath.net for almost two years. This spam had no remove links, no unsubscription information, and the only way to stop spam from the specific spammer who used linked in, was to sign up for linked in, agree to their terms (which allowed people to spam you).

and, return path argued with me for months and months, telling me that it wasn't spam, that I signed up for it (but could not prove it) and that it was 'transactional email' (since I had signed up for it.. which I hadn't)

and, for linked in, all they needed, to keep me from complaining, was a link like twitter had: 'report this as abuse', AND, 'I never want to hear from linked in about anything, ever again', and for US CAN-SPAM compliance, the full, physical address of the spammer.
Re: Blacklisting based on SPF
On 10/5/11 5:01 PM, Julian Yap wrote:
> I've noticed some trojans with addresses from usps.com <http://usps.com> slip through. Does anyone blacklist based on SPF?
>
> I took a look at the source for SpamAssassin/Plugin/SPF.pm but it only has evaluation rules for whitelisting:
>
>     $self->register_eval_rule ("check_for_spf_whitelist_from");
>     $self->register_eval_rule ("check_for_def_spf_whitelist_from");
>
> Thanks,
> Julian

I tried blacklist_from *@usps.com with a whitelist_from. (would even themselves out...)

problem is.. if I send to xmail, and xmail fwds (incorrectly), OR, dns doesn't answer in time, you lose email.

best to write a metarule. put your def_ whitelist from (7 points), and set up some metarules.
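The reply recommends a metarule instead of a blacklist_from but does not show one. Below is an added example, not from the list post and not SpamAssassin's own code: a local.cf fragment that scores the combination "From claims usps.com" plus "SPF did not back that up", kept moderate for the no-SPF-result case because a timed-out DNS lookup looks the same as a missing record, and a stronger score only on an explicit SPF fail. The script wraps it in a small check that every rule name a meta expression refers to is defined, the usual way such fragments silently stop firing. The rule names, scores, the 90_usps_spf.cf file name and the usps.com target are assumptions; SPF_PASS, SPF_FAIL and SPF_SOFTFAIL are the stock SpamAssassin SPF rule names.

```shell
#!/bin/sh
# Added example, not from the list post and not SpamAssassin's own code: a local.cf
# fragment implementing the metarule approach (blacklist_from is all-or-nothing; a
# meta scores the combination "claims usps.com" AND "SPF did not back it up"), plus
# a check that every rule a meta references is defined. Rule names, scores, the
# file name and the usps.com target are assumptions; SPF_PASS / SPF_FAIL /
# SPF_SOFTFAIL are the stock SpamAssassin SPF rule names.

# write_spf_rules DIR: writes DIR/90_usps_spf.cf and prints its path
write_spf_rules() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/90_usps_spf.cf" <<'EOF'
# subrule ("__" prefix: no score of its own): the From address claims usps.com
header   __FROM_USPS          From:addr =~ /\@usps\.com$/i

# usps.com claim without a passing SPF check. A DNS lookup that timed out also
# leaves SPF_PASS unset, so this stays a moderate score rather than a block
# (the reply's point about losing mail when dns does not answer in time).
meta     USPS_CLAIM_NO_SPF    (__FROM_USPS && !SPF_PASS)
score    USPS_CLAIM_NO_SPF    3.0
describe USPS_CLAIM_NO_SPF    From usps.com but SPF did not pass

# an explicit SPF failure on a usps.com claim is much stronger evidence
meta     USPS_CLAIM_SPF_FAIL  (__FROM_USPS && (SPF_FAIL || SPF_SOFTFAIL))
score    USPS_CLAIM_SPF_FAIL  5.0
describe USPS_CLAIM_SPF_FAIL  From usps.com and SPF failed
EOF
    echo "$dir/90_usps_spf.cf"
}

# check_meta_deps FILE [KNOWN_RULE...]
# 0 if every identifier used in a "meta" expression in FILE is defined in FILE
# or listed as KNOWN (rules that come from the stock rule set), 1 otherwise.
check_meta_deps() {
    file=$1; shift
    known=$(printf '%s\n' "$@")
    # rule names defined in this file (any rule type, including other metas)
    defined=$(awk '$1 ~ /^(header|body|rawbody|uri|full|meta|mimeheader)$/ {print $2}' "$file")
    # pull every identifier out of the meta expressions and look each one up
    missing=$(
        awk '$1 == "meta" {$1 = ""; $2 = ""; print}' "$file" \
          | tr -c 'A-Za-z0-9_\n' ' ' | tr -s ' ' '\n' \
          | grep -E '^[A-Za-z_][A-Za-z0-9_]*$' | sort -u \
          | while read -r name; do
                printf '%s\n' "$defined" | grep -qx -- "$name" && continue
                printf '%s\n' "$known"   | grep -qx -- "$name" && continue
                echo "$name"
            done
    )
    if [ -n "$missing" ]; then
        echo "meta references undefined rule(s): $(echo $missing)" >&2
        return 1
    fi
    return 0
}

# demo: write the fragment to a scratch dir and check it; on a real host the
# next step is to copy it next to local.cf and run spamassassin --lint
demo_dir=$(mktemp -d)
demo_file=$(write_spf_rules "$demo_dir")
check_meta_deps "$demo_file" SPF_PASS SPF_FAIL SPF_SOFTFAIL && echo "ok: $demo_file"
rm -rf "$demo_dir"
```

The two metas deliberately have different weights: with the reply's def_whitelist credit of 7 points on the real sender, a genuine usps.com message that passes SPF is untouched, while a spoofed one with no SPF result only gains 3 points and one with a hard fail gains 5, so a single DNS hiccup cannot by itself push legitimate mail over the threshold.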
Re: Rule updates
On 10/4/11 3:07 AM, Lars Jørgensen wrote:
> Hi,
>
> Is it me or has it been a long time since there has been an update to the spamassassin ruleset?

what is 'long'?

    ls -lt *.tar.gz | grep 'gz$' | head
    -rw-r--r--  1 rsync  rsync  170211 Oct  4 04:51 1178724.tar.gz   <-- 3.4.0
    -rw-r--r--  1 rsync  rsync  170211 Oct  3 04:51 1178340.tar.gz
    -rw-r--r--  1 rsync  rsync  170169 Oct  2 04:51 1178152.tar.gz
    -rw-r--r--  1 rsync  rsync  170169 Oct  1 04:51 1177951.tar.gz
    -rw-r--r--  1 rsync  rsync  170166 Sep 30 04:51 1177560.tar.gz
    -rw-r--r--  1 rsync  rsync  236977 Aug 26 23:32 1162027.tar.gz   <-- 3.3.2
    -rw-r--r--  1 rsync  rsync  236957 Aug 25 23:23 1161446.tar.gz
    -rw-r--r--  1 rsync  rsync  236980 Aug 24 23:22 1161015.tar.gz
    -rw-r--r--  1 rsync  rsync  236920 Aug 23 23:18 1160585.tar.gz
    -rwxr--r--  1 rsync  rsync  237167 Aug 22 23:17 1160145.tar.gz
Re: critsend (/gridsend?)... what's the(ir) trick?
On 9/12/11 1:14 AM, Yanek wrote:
> Well, I don't use spamc. SA is called by amavisd-new, but I don't think that makes any difference, does it? The message posted here (http://pastebin.com/dpnYY16K) is 30k big.

since this is amavisd-new, I would suggest starting over again in the amavisd-new users group. (please don't crosspost, people replying might get bounces)

looking at these headers, I only see this

    Received: from localhost (vscan1 [10.10.10.15])
        by smtp.abetternet.net (Postfix) with ESMTP id 742831A8351
        for ; Thu, 8 Sep 2011 01:34:23 +0200 (CEST)
    X-Virus-Scanned: antivirus scanner at abetternet.net

this seems to mean that 10.10.10.15 is running amavisd-new, right? and that in your amavisd.conf file you have something like this:

    $X_HEADER_LINE = "$myproduct_name $myversion_id at $myhostname";

or, you have '$myproduct_name = 'antivirus scanner'; myhostname='abetternet.net'?

but I don't see any other amavisd-new headers.

also, you make MOST of your SA settings in the amavisd.conf file, NOT ../local.cf

set $sa_tag_level_deflt = -999; (default is 2.0), set it in amavisd.conf and then restart amavisd-new. if that didn't help by adding more status lines, then ask in amavisd-new group.

again, this is most likely an amavisd.conf issue, so start your question in the amavisd-new users group. don't assume they read spamassassin group. some do, some don't.
Re: Plugin for Spanish Spams?
On 9/9/11 5:16 AM, Alok Kushwaha wrote:
> Hi All,
>
> I am using the 'SpamAssassin Server version 3.3.2' but 'Spanish spams' are getting through. Can anyone please suggest/point me the rule-set/plug-in for Spanish spams.

adjust languages in local.cf? only leave in languages and char sets that you expect?

block spanish charset in MTA?
Re: critsend (/gridsend?)... what's the(ir) trick?
On 9/8/11 4:58 PM, Yanek wrote:
> Hello list,
>
> Please bear with me if it has been asked already, I searched the archives a bit and could not find any answer.

post the email, full headers and all to pastebin.com, send the url here.

we suspect you have them whitelisted, and/or shortcut is enabled for those whitelists. possibly you are using postfix in pre-queue ip whitelisting?

other than that, there has been a lot less ability to use the government supplied crystal balls.. they are all being used to forecast the hurricanes, outcome of the next presidential election, and the economy.
Re: Anybody else getting hit by WannaBeBig forum notifications?
On 9/7/11 2:21 PM, dar...@chaosreigns.com wrote:
> So either it's a (semi?) legit web forum that is using its private message alerts for spamming which changed its domain (so I can't find my matching login information), or it's entirely a spamming operation doing a real good job of looking like a legit forum.

I don't see anything in our larger installations, guess you just must be blessed :-)
Re: spamd takes forever to start
On 9/3/11 2:01 PM, Noah wrote:
> Hi there, are there some maintenance considerations I should keep in mind when using spamd. It is taking forever to start? What could cause that? Also I just killed off two spamd processes that were running at 100% cpu. What would cause this issue? How can I use the logs or other diagnostics to figure out root cause?

generic: ram, cpu, disk. make sure you aren't swapping. tmp dirs on nfs? don't do that. dns? run a local caching dns server.

specific: if low on ram (lots of swapping), lower number of spamd processes. try using compiled rules. sares rules? deprecated, private rules? take them out for now. perl versions? update modules?

--
Michael Scheidell, CTO
Re: Curious phenomenon with 9-repetitions of each spam...
On 9/2/11 10:13 AM, Steve wrote:
> could find a way to do that, I could reduce the volume of spam I have to process/store by a factor of about 8. Rejecting only emails with credentials identical to known recent highly scoring spam would make the risk of false positives minimal. Does anyone do this already?

I think postfix has some policy services to do this.

--
Michael Scheidell, CTO
OT Re: sa users list down due to irene?
On 8/29/11 8:49 PM, Lawrence @ Rogers wrote:
> What about Yahoo, which is not only freemail, but also used by the biggest ISP here in Canada (Rogers)?

sometimes it's hard to explain to a client. :-) They blame the SA based spam filter for losing email.

if {freemail server} sends email to 250 of your most important users, all at once... and you send the '250 ok' the first 100 times, and '4xx' retry later, some of the freemail servers will just drop the conversation and start over. then again, some freemail servers will send 250 individual copies, and make about 30 parallel connections to your smtp server. some won't retry for a day or two. (some of you running graylisting know what I mean, which is why you need to whitelist large providers against graylisting. their interpretation of 4xx is different than how we would expect it to work)

ah, the joys of RFC compliance. I remember POSIX compliance in years past.. as in POSIX SAYS: you need two headlights and 4 tires. NORMAL people would expect the headlights to be in front, and the tires somewhere where it helps the car to roll.. but, POSIX didn't state EXACTLY where they needed to be. same with RFC compliance. (which I think still says that you should send an NDR if you can't deliver the spam :-)

getting OT here, just ranting this am.

--
Michael Scheidell, CTO
Re: sa users list down due to irene?
On 8/29/11 2:13 PM, David F. Skoll wrote:
> Is anyone even maintaining qmail any more? I thought the project was dead. I wish it would just go away.)

I wish ASF would stop using it for its mailing lists, or just apply all the patches that seem to be needed to make it 'play nice' with the rest of the world. (ok, I don't care if it plays nice with aol/hotmail/etc, you get free email? you get what you pay for).

--
Michael Scheidell, CTO
Re: sa users list down due to irene?
On 8/29/11 12:46 PM, Andy Jezierski wrote:
> Looks like it's up. I've only received one post on the 27th and this post. Last post on the 26th was about 4:30CDT.
>
> Andy

just figured it out. it's that qmail bug. the 10 year old one where if an mx is down for maint, qmail won't try other mx records. (sorta) if the FIRST TIME qmail sends an email, it hits mx1, it seems to 'stick' there, and will NEVER try mx2,3, or 4. we run into this all the time.

is it a bug? depending on who you ask. if it prevents sending email to RFC compliant mail servers, then I think it's a bug. if it violates RFC's so badly, that it prevents sending email to RFC compliant mail servers, then I think it's a bug.

<http://www.mail-archive.com/qmail@id.wustl.edu/msg45399.html>

there are 'UNOFFICIAL' patches out there to help qmail conform to RFC's in this area, but 10 years and counting, it's never made it into the official build. causes a lot of anger, back and forth when this patch is discussed.

--
Michael Scheidell, CTO
sa users list down due to irene?
is sa-users list down? haven't seen a post since the 26th.

note: I have an update to bug 6655. a patch to sa-update as well as Util.pm
<https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6655>

note: patch is against sa-update.raw, but seems to work on ../bin/sa-update as well.

--
Michael Scheidell, CTO
Re: sa-update bug: TMPDIR full?
On 8/26/11 4:59 PM, Michael Scheidell wrote:
> found a bug in sa-update

bigger bug.. bug is in ../Util.pm. it will TRY to create a tmpfile on a nonexistent or read only dir, and anything that tries to use that dir will fail and not know why.

patch to fix included.

--
Michael Scheidell, CTO
sa-update bug: TMPDIR full?
found a bug in sa-update
<https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6655>

if TMPDIR is not writable, sa-update will continue to attempt to rotate through mirrors, over and over and over.

    if (!$UPDTmp) {
      $UPDTmp = Mail::SpamAssassin::Util::secure_tmpdir();
      dbg("generic: update tmp directory $UPDTmp");
    }
    elsif (!clean_update_dir($UPDTmp)) {
      die "channel: attempt to clean update dir failed, aborting";
    }

--
Michael Scheidell, CTO
Re: Mirror daryl.dostech.ca down forever?
On 8/25/11 5:13 AM, Paolo Vicario wrote:
> Hi, same "500 Can't connect to daryl.dostech.ca:80 (connect: timeout)" problem for me as for many others, seeing the mailing archive. But I don't understand whether this is a temporary failure or not. My MIRRORED.BY file is:

try it now. either delete MIRRORED.BY or run sa-update --refreshmirrors now.

--
Michael Scheidell, CTO
Re: Please format you mail so people can read it. WAS: updates mirror is down
On 8/25/11 4:46 AM, Lars Jørgensen wrote:
> Hi people,
>
> I know that top quoting is bad form, but being forced to use Outlook at the office, it's sometimes the only option when replying to formatted mail. Like this. And I do prefer top-quoting to the mess below, where I have no idea who is writing what. Maybe I'm just grumpy and low on coffee, but I hope list submitters will be a little more considerate legibility-wise in the future.

strange as I don't use any ms stuff, and have no idea why your mail reader is broken. maybe you should check to see why it is?

I just checked the headers on the email I sent back, it's a normal, legit, 'multipart alternative' where PROPERLY formatted plain text/flowed email is on top, and second multi-part is html. first part has the customary > or >> prefixes to indicate levels of reply inclusion, html part has correct to that any modern mail reader can read it.

oh, ps, ms outlook CAN allow you to bottom post. you just have to move the mouse down below before you post. (or so I have been told)

--
Michael Scheidell, CTO
Re: Mirror daryl.dostech.ca down forever?
On 8/25/11 5:13 AM, Paolo Vicario wrote:
> I tried to manually run 'sa-update --refreshmirrors', but the file remained the same. What could I do? Should I modify manually the file? Delete the 'daryl.dostech.ca' line? Alter the 'weight' value?

in THEORY, if you have at least ONE working mirror, it will pull a new MIRRORED.BY each time, so you should not be blocked unless all mirrors are down.

I don't think you need to run --refreshmirrors, unless sa-update fails. I have a script that if it sees rc=4, it pulls a new GPG key, or rc=2, erases MIRRORED.BY and then runs sa-update again. (if sa-update can't find MIRRORED.BY, it automatically pulls a new one) and, if sa-update RUNS, it pulls a new MIRRORED.BY.

so, if you want to manually tweak things (not really necessary unless you really want to save the timeout on a broken mirror), you edit MIRRORED.BY JUST BEFORE calling sa-update.

be careful: daryl will be up and running soon, and if you edit them out, and the other mirror(s) are down, .. just saying, that the only time you will get a total failure is when all mirrors are down, and tweaking the file won't help anyway.

be patient.. it takes a little time to set up, test, QA and make sure any new mirror is up and running before adding it to the rotation.

--
Michael Scheidell, CTO
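A wrapper of the kind the post above describes, added here as an example (it is not Michael Scheidell's own script and not part of SpamAssassin): it applies the rc=4 / rc=2 recovery steps and retries sa-update once, and it checks TMPDIR before starting because of the bug-6655 behaviour described in the "sa-update bug: TMPDIR full?" post, where an unwritable TMPDIR makes sa-update rotate through mirrors instead of reporting the local fault. The key-refresh command, the SA_UPDATE override and the "run" argument are assumptions, not anything from the posts.

```shell
#!/bin/sh
# Added example, not Michael Scheidell's script and not SpamAssassin code.
# Recovery logic as the post describes it: rc=4 -> refresh the GPG key,
# rc=2 -> delete MIRRORED.BY (sa-update then fetches a fresh one), rerun.
# TMPDIR is checked first because with an unwritable TMPDIR sa-update keeps
# rotating through mirrors (bug 6655) instead of reporting the local fault.
# Placeholders (not from the posts): the key-refresh command and the
# SA_UPDATE override that lets a fake stand in for sa-update.

SA_UPDATE="${SA_UPDATE:-sa-update}"
# Hypothetical refresh step; point it at wherever you keep the channel key.
SA_KEY_REFRESH="${SA_KEY_REFRESH:-sa-update --import /path/to/GPG.KEY}"
# Path quoted in the FreeBSD post; adjust for your platform and SA version.
MIRRORED_BY="${MIRRORED_BY:-/var/db/spamassassin/3.003002/updates_spamassassin_org/MIRRORED.BY}"

# Fail fast unless TMPDIR (or /tmp) can really hold a new file. "-w" alone
# is not enough: a read-only mount still shows writable permission bits.
check_tmpdir() {
    dir="${TMPDIR:-/tmp}"
    if ! [ -d "$dir" ]; then
        echo "tmpdir $dir does not exist" >&2
        return 1
    fi
    probe=$(mktemp "$dir/sa-update-probe.XXXXXX" 2>/dev/null) || {
        echo "cannot create files in $dir; fix that before blaming a mirror" >&2
        return 1
    }
    rm -f "$probe"
}

# One sa-update run; its exit status is passed straight through.
run_sa_update() {
    $SA_UPDATE
}

# Recovery action for a failing status. Returns 0 when a retry makes
# sense, 1 when the status is not one this wrapper knows how to handle.
recover_from_rc() {
    case "$1" in
        4) echo "rc=4: refreshing GPG key" >&2
           $SA_KEY_REFRESH ;;
        2) echo "rc=2: removing $MIRRORED_BY so sa-update pulls a fresh copy" >&2
           rm -f "$MIRRORED_BY" ;;
        *) return 1 ;;
    esac
}

# Precheck, run, recover at most once, rerun. Returns sa-update's final
# status (0 updated, 1 nothing new, anything else is its own error), or 5
# if the temp directory check fails before sa-update is ever started.
sa_update_with_recovery() {
    check_tmpdir || return 5
    run_sa_update
    sa_rc=$?
    case "$sa_rc" in 0|1) return "$sa_rc" ;; esac
    recover_from_rc "$sa_rc" || return "$sa_rc"
    run_sa_update
}

# Run only when invoked as "sa-update-wrapper.sh run", so the functions can
# also be sourced by a test harness without touching the live system.
if [ "${1:-}" = "run" ]; then
    sa_update_with_recovery
fi
```

Drop it into cron in place of the bare sa-update call; the exit status is still sa-update's, so an existing "reload on rc=0" step keeps working.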
Re: updates mirror is down
On 8/24/11 10:46 AM, Michael Cronenworth wrote:
> http://www.sa-update.pccc.com/ weight=5

question is... why didn't it pull from pccc.com?

--
Michael Scheidell, CTO
Re: updates mirror is down
On 8/24/11 10:37 AM, Michael Cronenworth wrote:
> Michael Scheidell wrote:
>> if you are trying to update this by hand, you are on your own. just use sa-update (-D to watch) it will delete MIRRORED.BY for you, pull a new one, and use it.
>
> I *am* using sa-update. sa-update is continuously failing. sa-update doesn't pull a new one automatically?

use 'locate' to find it and delete it, or edit it and just keep pccm line.

> Aug 24 09:53:06.636 [61273] dbg: generic: lint check of site pre files succeeded, continuing with channel updates
> Aug 24 09:53:06.649 [61273] dbg: channel: no MIRRORED.BY file available
> Aug 24 09:53:09.065 [61273] dbg: http: GET request, http://spamassassin.apache.org/updates/MIRRORED.BY
> Aug 24 09:53:09.356 [61273] dbg: channel: MIRRORED.BY file retrieved
> Aug 24 09:53:09.356 [61273] dbg: channel: reading MIRRORED.BY file
> Aug 24 09:53:09.356 [61273] dbg: channel: found mirror http://daryl.dostech.ca/sa-update/asf/ weight=5
> Aug 24 09:53:09.356 [61273] dbg: channel: found mirror http://www.sa-update.pccc.com/ weight=5
> Aug 24 09:53:09.356 [61273] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
>
> Fedora 14 box. I'm using the default cron job, which calls sa-update.

on freebsd, it's in

locate MIRRORED.BY
/var/db/spamassassin/3.003002/updates_spamassassin_org/MIRRORED.BY

> I am not trying to update my definitions by hand.
>
> Thanks,
> Michael

--
Michael Scheidell, CTO
Re: updates mirror is down
On 8/24/11 10:27 AM, Michael Cronenworth wrote:
> Benny Pedersen wrote:
>> remove self the mirrored.by file
>
> Where is this file? I cannot find it. I'm using SpamAssassin 3.3.2.

if you are trying to update this by hand, you are on your own. just use sa-update (-D to watch) it will delete MIRRORED.BY for you, pull a new one, and use it.

--
Michael Scheidell, CTO
Re: updates mirror is down
On 8/24/11 10:26 AM, Michael Cronenworth wrote:
> Michael Scheidell wrote:
>> pccm mirror is back up again.
>
> Huh?
>
> $ wget daryl.dostech.ca
> --2011-08-24 09:25:17--  http://daryl.dostech.ca/
> Resolving daryl.dostech.ca... 71.164.246.108
> Connecting to daryl.dostech.ca|71.164.246.108|:80...
>
> (hangs forever)

so, sa-update will call dostech, and when it fails, it will call pccm mirror. see MIRRORED.BY file.

http://daryl.dostech.ca/sa-update/asf/ weight=5
http://www.sa-update.pccc.com/ weight=5

--
Michael Scheidell, CTO
Re: updates mirror is down
On 8/24/11 10:02 AM, Michael Cronenworth wrote:
> Hello,
>
> For the past few days, my SpamAssassin instance has been trying to get its updates from one mirror and the mirror is down. Can someone contact the admin of the mirror or remove it from the mirror list?
>
> Mirror: daryl.dostech.ca

pccm mirror is back up again.

> Thanks,
> Michael

--
Michael Scheidell, CTO
Re: 500 Can't connect to daryl.dostech.ca:80 (connect: timeout):
On 8/23/11 11:50 AM, dar...@chaosreigns.com wrote:
> On 08/23, Michael Scheidell wrote:
>> since at least 3am
>> http: GET http://daryl.dostech.ca/sa-update/asf/1160145.tar.gz request failed, retrying: 500 Can't connect to daryl.dostech.ca:80 (connect: timeout): 500 Can't connect to daryl.dostech.ca:80 (connect: timeout)
>
> good now, thanks.

Is it working for you now?

--
Michael Scheidell, CTO
500 Can't connect to daryl.dostech.ca:80 (connect: timeout):
since at least 3am

http: GET http://daryl.dostech.ca/sa-update/asf/1160145.tar.gz request failed, retrying: 500 Can't connect to daryl.dostech.ca:80 (connect: timeout): 500 Can't connect to daryl.dostech.ca:80 (connect: timeout)

--
Michael Scheidell, CTO