RE: Using Botnet.cf to delete all spam incoming

2007-04-22 Thread R Lists06
 
 Any recipe recommendations?
 --

Doc,

Score the rule high and reject the email before accepted.

We do it in some of our installations using a patched older version of
qmail-scanner-queue.pl

If you need more website references, hit me off list...

 - rh

--
Abba Communications Internet
Spokane, WA
www.abbacomm.net



RE: Using Botnet.cf to delete all spam incoming

2007-04-22 Thread R Lists06
You use sendmail.

http://www.google.com/search?hl=en&q=reject+spam+during+sendmail+smtp+session+for+spamassassin+scoring

http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam

http://wiki.apache.org/spamassassin/IntegratedInMta

We use qmail, specific qmail patches, ClamAV, Spamassassin, and things like
qmail-scanner-queue.pl among other things

http://qmail.jms1.net

http://qmail-scanner.sourceforge.net/

we use 1.25 ST even though 2.01 ST is out.

It allows you to pass the email to SA for scoring and eval before full
acceptance to the queue

http://www.qmailrocks.org

and many other sites.

 - rh

--
Abba Communications Internet
Spokane, WA
www.abbacomm.net




mistakes with sending email address to list

2007-04-10 Thread R Lists06
Greetings,

I would appreciate it if the list admins would make it so that mistake
(emails with wrong sending email address) would bounce instead of being
allowed to make it to the list please?

Comments?

 -rh

--
Abba Communications Internet
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




RE: Spam bounceback attack

2007-04-10 Thread R Lists06
 Jason wrote:
 Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
 by default because otherwise my setup would be to blame. :) I'm using
 qmail to handle incoming and outgoing mail for my domain but using a
 very old lan based mail server to actually deliver mail to our users so
 the qmail machine doesn't have any idea who's a valid user and who
 isn't, all non-junk goes into a single mailbox which our lan server
 then retrieves via pop. Outbound works similarly where our lan server
 relays through the qmail machine (no it's not an open relay).
 
 I'm looking at this patch at the moment:
 
 http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
 
 ...but will also look at the ones Jim suggested. Thanks again.
 
 -Jason
 

We highly recommend John Simpson's http://qmail.jms1.net and the validrcptto
patch as well.

There is actually a group of patches that John Simpson rolled into one

Many goodies there that can be utilized...

He started that as an addon in regards to and with http://www.qmailrocks.org
and there is still good info although the site hasn't been as well kept as
it could have been the last 6 to 12 months.

There are many other items and links to check out on http://qmail.jms1.net
as well...

If you know and understand everything on that site and a coupla others
related to it, you will do extremely well with your mail server overall.

Of course, the tie in is that at some point I had to better learn about
Spamassassin and joined here for that.

Kind regards,

 - rh

--
Abba Communications Internet 
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




whitelist_from_rcvd inquiry

2007-04-09 Thread R Lists06

Greeting,

Can lines be combined in a situation like this...

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com whitelist_from_rcvd
[EMAIL PROTECTED] hisotherdomain.com


does this work or should this be done?

can they be combined into one statement or should they be separate?

Any other tips etc?

Thanks in advance!

 - rh

--
Abba Communications Internet & Computer Services
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




RE: whitelist_from_rcvd inquiry

2007-04-09 Thread R Lists06

 Matt Kettler wrote:
 Separate.
*snip*
 In general, for options that you can do many of on one line, you only
 put the option name itself once, you don't repeat it.

Thanks

What I was getting at is what if there are multiple sending hosts...

Obviously the thing that changed was the last parameter

Still separate???

How do we deal with multiple possible sending domains?

I take it that it still cannot be dealt with on one line?  :-)

The original email should have looked like this as when I got it back it was
all one line. Oops.

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com

whitelist_from_rcvd [EMAIL PROTECTED] hisotherdomain.com

does it make more sense now?

 - rh

--
Abba Communications - Internet 
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net
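The answer in the thread is that each whitelist_from_rcvd entry goes on its own line, while directives such as whitelist_from take several addresses after a single keyword. The following is an added example, not code from the list post or from SpamAssassin itself: a small Python lint for a local.cf body that flags a keyword repeated on one line (the accidental join shown above) and a wrong argument count, and a helper that splits such a line back into separate entries. The sample fragment and its addresses are constructed placeholders.

```python
import re

# Directives that take exactly one "address rdns-host" pair per line, so each
# entry needs its own line (the point made in the reply above).
PAIRED_DIRECTIVES = {"whitelist_from_rcvd", "def_whitelist_from_rcvd"}
# Directives that accept several addresses on one line, keyword written once.
MULTI_DIRECTIVES = {"whitelist_from", "blacklist_from", "whitelist_to"}


def lint_local_cf(text):
    """Return (line_number, message) findings for a local.cf body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in PAIRED_DIRECTIVES:
            if keyword in args:
                findings.append((lineno, "%s appears twice on one line; put each entry on its own line" % keyword))
            elif len(args) != 2:
                findings.append((lineno, "%s needs exactly an address and an rDNS host, got %d argument(s)"
                                 % (keyword, len(args))))
        elif keyword in MULTI_DIRECTIVES:
            if keyword in args:
                findings.append((lineno, "%s repeated on one line; write it once followed by all addresses" % keyword))
            elif not args:
                findings.append((lineno, "%s has no addresses" % keyword))
    return findings


def split_joined_line(line):
    """Recover separate directives from a line on which the keyword was repeated."""
    tokens = line.split()
    if not tokens:
        return []
    keyword, pieces, current = tokens[0], [], []
    for tok in tokens:
        if tok == keyword and current:
            pieces.append(" ".join(current))
            current = []
        current.append(tok)
    pieces.append(" ".join(current))
    return pieces


# Constructed sample; the addresses and hosts are placeholders, not real entries.
SAMPLE_LOCAL_CF = """\
# constructed local.cf fragment
whitelist_from_rcvd someone@hisdomain.com hisdomain.com whitelist_from_rcvd someone@hisotherdomain.com hisotherdomain.com
whitelist_from_rcvd someone@hisdomain.com hisdomain.com
whitelist_from_rcvd someone@hisotherdomain.com hisotherdomain.com
whitelist_from friend@example.com friend@example.net
whitelist_from_rcvd lonely@example.org
"""

if __name__ == "__main__":
    for lineno, msg in lint_local_cf(SAMPLE_LOCAL_CF):
        print("line %d: %s" % (lineno, msg))
    for fixed in split_joined_line(SAMPLE_LOCAL_CF.splitlines()[1]):
        print("fixed:", fixed)
```

Run against a real local.cf with `lint_local_cf(open("/etc/mail/spamassassin/local.cf").read())`; the lint only looks at the few directives named in the two sets, so every other line passes through untouched.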



RE: Sender Address Verification is NOT abouse and very effective

2007-03-30 Thread R Lists06
 
 +1
 
 If Marc is bouncing spams, even when domains who refuse to play the SAV
 game are involved, he's being even more abusive than I had thought.
 
 
 Daryl

I'm confused, Rick said he was rejecting in the smtp session above a certain
score too...

Bounce, reject... etc...

Are you talking about the code in the rejection?

Why did I miss?

Please clarify as you can still do an SMTP rejection after SA scoring

 - rh

--
Robert - Abba Communications
http://www.abbacomm.net/





RE: reset spam bayes

2007-03-23 Thread R Lists06

 Dean Manners said:

 sa-learn --clear
 
 Make sure you have a ham/spam pile ready to re-train your db's after
 clearing.
 

Hmm so if someone does this

sa-learn --clear

Q: when that command is completed, should one restart SA or are we good to
go immediately after for training etc?

 - rh

--
Robert - Abba Communications
http://www.abbacomm.net/



RE: Is Bayes Dead? Have the spammers won?

2007-03-23 Thread R Lists06
 
 
 
  Are you sure of this?  Have you also trained these ham messages to
  counter this effect?  Not too long ago we were in the same situation.
  I have autolearn enabled but I have adjusted the thresholds to avoid
 This is quite possible.  I have heard other stories of people using
 things like greylisting and rbls to reject at smtp time that the only
 things that eventually made it to SA were so limited that it would
 produce odd results for bayes.  From my experience, the more you throw
 at bayes, the better it gets.  The more selective you are, the less it
 has to work with.
 
 Jim

So are you saying for these purposes that you do not use RBLs or greylisting
or other similar tools that cut down on the obvious cycle consuming garbage?

 - rh

--
Robert - Abba Communications
http://www.abbacomm.net/



RE: Spamhaus Tests

2007-03-07 Thread R Lists06
 
 I've just spotted a major flaw then that's going to hit me when this
 changes.
 
 Not being an ISP, I have no idea what my users' IP addresses are at any
 given time.  They authenticate when using SMTP so that I will accept and
 forward the mail but may well be using an ISP dial-up or DSL account
 which is in the PBL (or even the XBL).
 
 How can I let SpamAssassin know that this is a mail from a trusted source?
 
 By the way, should I wish to change a value for a score such as this,
 should I be copying the score line from 50_scores.cf to local.cf and
 changing the values there?
 
 Oh and thank you for your most helpful response.
 
 Regards,
 Cliff.

Set up SMTP and AUTH on port 465 (ssl) or port 587 and have the clients come
in on those ports without external RBL checking

SMTP Port 25 really should be for just in and out from other servers so to
speak.

If you are talking about RBL checking in SA, I dunno.

I shut RBL checking off in SA as until I learn how to tell which ones it is
checking/using and how to specifically turn them on or off etc.

I think using blanket RBL checking in SA is not particularly bright.

Maybe we need more buttons, dials, and knobs for that?

:-)

 - rh

--
Robert - Abba Communications
http://www.abbacomm.net/



RE: Bayes and Upgrade

2007-03-06 Thread R Lists06


 F: Theo Van Dinter 
 No.  Especially not for a maintenance release upgrade
 (major.minor.maintenance).

Hm

Will we need to retrain for the upcoming 3.2.0 ?

I'm not sure if that is considered major or not

--
Robert - Abba Communications
http://www.abbacomm.net/



RE: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available

2007-03-06 Thread R Lists06
 
 127/8 is now always trusted.
 
 Remove that trusted_networks 127/8 line and all should be well.
 
 Phil


Are you saying we should remove the entry 127.0.0.1 from the
trusted_networks ?

What about if in the internal_networks entry ?

Is this for 3.2.0 only or is it in 3.1.8 too?

Isn't this somewhat confusing?

There are cases where it isn't necessary to run SMTP or even the same
MTA/smtp service on 127.0.0.1 etc...

 - rh

--
Robert - Abba Communications
http://www.abbacomm.net/





RE: Spamassassin 3.1.8

2007-03-06 Thread R Lists06


 I have upgraded spamassassin from 3.1.7 to 3.1.8 and have an easy
 question.
 When I look at the headers it still shows that Spamassassin 3.1.7 is
 installed / running
 Why is that?  I did the following -- downloaded Mail-SpamAssassin-3.1.8.tar.gz
 and installed by perl Makefile.PL / make / make install
 stopped the current spamd and restarted and it shows that 3.1.7 in the
 header.
 TIA

Greetings back at ya...

What operating system?

It isn't accidentally installed twice in two separate places is it?

Are you using qmail-scanner-queue?

If so, you have to run it (the QMS perl script) a certain way to have it
reinit the new config 

 - rh

--
Robert - Abba Communications
http://www.abbacomm.net/



SA integration with qmail-scanner-queue.pl question(s)

2007-02-25 Thread R Lists06

Greetings

I have stable long term SA setups integrated with qmail-scanner-queue.pl

The way I have it setup, I have qmail-scanner-queue.pl take the incoming
mail and hand it to SA 3.1.8 for scoring.

If the score is equal to or above a certain number it does an SMTP
rejection.

In this setup we have bayes on and bayes auto learn on too

I am wondering if bayes is learning these high scoring emails that get
scored and then rejected.

Logically, bayes is learning them.

How can I most easily and assuredly test this please??

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: lowering your spam threshold howto

2007-02-23 Thread R Lists06

 
 Hm.  Your experience differs from mine.  I tried using bayes, spent
 hundreds of hours training bayes with lots of good mail from
 archives, and lots of bad mail, and never got better than .5% (point-
 five or .005) difference in spam detection.  So we stopped using it.
 
 In comparison, we've jacked the AWL score range and this works great
 for us.
 
 --
 Jo Rhett

I shouldn't have been so flippant about AWL. What I was trying to do was say
that AWL without a good plan of mgmt can work against you much like
anything I suppose.

I didn't even know how AWL worked or that it was working when I did my first
SA install.  Ooopps. :-)

Can you please specifically describe what you mean by jacked?

Or better yet, is there a specific howto so to speak for this approach of
yours please??

:-)

Thank you Jo.

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: Google Summer of Code 2007 ...

2007-02-21 Thread R Lists06
May I ask...

Why is this thread named as such?

Does Google help fund SA efforts in one or multiple ways?

If so, may I ask how or directions to already posted docs on it?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: Google Summer of Code 2007 ...

2007-02-21 Thread R Lists06
 
 Yes, if you Google for Google Summer of Code+spamassassin
 you'll get a bunch of relevant hits. ;)
 
 For example, check out:
 http://wiki.apache.org/spamassassin/SummerOfCode2006
 

Thank you

I was hoping for meaningful and relevant info from someone of authority and
in the know from the SA group.

I know how to search and I know how to discern and even guess.

Yet, as of late, my experiences with Google and searching are poor.

Sure I can find stuff... yet finding anything helpful or relevant in the sea
of garbage that gets spewed back is another story.

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: tie failed

2007-02-21 Thread R Lists06

 
 1) are you using bayes_path ?
 2) have you set bayes_file_mode 0777 in your local.cf?
 
 If you use bayes_path in a multi-user environment, you *MUST* set
 bayes_file_mode 0777 in local.cf.
 
 Also, make sure that /var/.spamassassin has world rwx privileges.
 

Doesn't this create a potential or real giant type security risk?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
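The question above is a fair one: bayes_file_mode 0777 on a shared database means any local account can write to, and so corrupt or poison, the Bayes store. This is an added example, not code from the list or from SpamAssassin: a Python audit that reads bayes_path and bayes_file_mode out of a local.cf body, says what a mode hands to group and other, and checks the actual modes of the files in a .spamassassin directory. demo_audit builds a temporary directory with the file names from the thread and constructed modes so the check runs offline; bayes_path in the __main__ call is a constructed value.

```python
import os
import stat
import tempfile


def parse_bayes_settings(local_cf_text):
    """Pull bayes_path and bayes_file_mode out of a local.cf body (other lines ignored)."""
    settings = {}
    for raw in local_cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("bayes_path", "bayes_file_mode"):
            settings[parts[0]] = parts[1].strip()
    return settings


def mode_issues(mode):
    """Describe what a permission bit mask hands to users other than the owner."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")   # any local account can alter or corrupt the database
    if mode & stat.S_IROTH:
        issues.append("world-readable")   # any local account can read the learned tokens
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    return issues


def audit_bayes_dir(directory):
    """Return {name: issues} for the directory itself (".") and every entry in it."""
    report = {".": mode_issues(stat.S_IMODE(os.stat(directory).st_mode))}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        report[name] = mode_issues(stat.S_IMODE(os.lstat(path).st_mode))
    return report


def audit_config_mode(local_cf_text):
    """Issues implied by bayes_file_mode alone (SpamAssassin's default is 0700)."""
    mode_text = parse_bayes_settings(local_cf_text).get("bayes_file_mode", "0700")
    return mode_issues(int(mode_text, 8))


def demo_audit():
    # Constructed: a temporary .spamassassin directory holding the file names from the
    # thread, chmod'ed to show what the 0777 advice produces next to the 0600 default.
    d = tempfile.mkdtemp(prefix="bayes-audit-")
    os.chmod(d, 0o777)
    for name, mode in (("bayes_toks", 0o600), ("bayes_seen", 0o666), ("bayes_journal", 0o777)):
        path = os.path.join(d, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return audit_bayes_dir(d)


if __name__ == "__main__":
    print(audit_config_mode("bayes_path /var/.spamassassin/bayes\nbayes_file_mode 0777\n"))
    for name, issues in demo_audit().items():
        print(name, issues or "ok")
```

On a live box, call `audit_bayes_dir` on the directory that bayes_path points into; if spamd can be run as one dedicated user (the spamd account this poster uses elsewhere on the page), the default 0700 mode is enough and the world-writable setting is not needed at all.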



RE: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-21 Thread R Lists06

 
 However, all blackberry messages also hit base64 text and excess
 base64 which puts them right on the edge.  Anything that hits any
 other rule will cause a problem.
 
 And frankly I disagree with the logic that rules that hit wrongly
 shouldn't be fixed unless it raises the score about 5.0.  I simply
 couldn't function with *ANY* of my mailboxes at 5.0 -- I'd be
 deleting 1-2 pieces of spam per minute.  I run my public mailboxes at
 3.8 and I'm trying to determine if 3.2 is reasonable.
 
 --
 Jo Rhett

Jo

Can you share your specific thought and implementation processes on this re:
possibly going from 3.8 to 3.2 and how and why etc please?

We, for one, are interested as we are trying to move in that direction too.

Thanks and kind regards!

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: lowering your spam threshold howto

2007-02-21 Thread R Lists06
 
 It's very simple.  Tag messages above your soft limit and put them in a
 different folder.  Check the folder periodically for false positives.
 Try to identify why they are FP.
 
 Look carefully at all of your normal mail, and confirm where it normally
 scores.
 
 Lower your score limit to the lowest limit possible without creating FPs.
 
 Keep watching.  When your FPs are down to less than 1 a week, you are
 probably safe leaving it that way.
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

Ok, great

Do you use bayes_auto_learn ? 

I am sure you know I don't mean AWL baloney.  ;-)

If so, What do you use for these settings then in the local.cf

bayes_auto_learn_threshold_nonspam -0.1

bayes_auto_learn_threshold_spam x.x

or do you hand train it all and no auto anything?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
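Jo Rhett's procedure above (tag above a soft limit, review that folder for false positives, check where normal mail scores, then lower required_score as far as the ham allows) is mechanical enough to script. This is an added example and not Jo's or the project's code: it reads the score out of the X-Spam-Status header SpamAssassin 3.1 adds, lists the ham that a candidate threshold would tag, computes the lowest threshold that tags none of the known ham, and returns the soft-to-hard review bucket. The corpus is constructed inline with made-up scores.

```python
import re

# The X-Spam-Status header SpamAssassin writes, e.g.
# "X-Spam-Status: No, score=2.1 required=5.0 tests=... autolearn=no version=3.1.8"
STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?:Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)",
    re.MULTILINE | re.IGNORECASE,
)


def message_score(message):
    """Score recorded in the message's X-Spam-Status header, or None if absent."""
    m = STATUS_RE.search(message)
    return float(m.group(1)) if m else None


def scores(messages):
    return [s for s in (message_score(m) for m in messages) if s is not None]


def false_positives(ham_scores, required):
    """Ham that would be tagged at the given required score."""
    return [s for s in ham_scores if s >= required]


def lowest_safe_required(ham_scores, margin=0.1):
    """Lowest required score that tags none of the known ham: just above its top score."""
    return round(max(ham_scores) + margin, 1)


def review_folder(all_scores, soft, hard):
    """Scores between the soft limit and the hard limit: the folder to check for FPs."""
    return [s for s in all_scores if soft <= s < hard]


def _msg(yesno, score, subject):
    # Constructed message with the header layout SpamAssassin 3.1 produces.
    return ("X-Spam-Status: %s, score=%.1f required=5.0 tests=CONSTRUCTED autolearn=no "
            "version=3.1.8\nSubject: %s\n\nbody\n") % (yesno, score, subject)


# Constructed corpus: five ham and four spam messages with made-up scores.
HAM = [_msg("No", s, "ham %d" % i) for i, s in enumerate([-4.2, -1.0, 0.3, 1.7, 3.1])]
SPAM = [_msg("Yes" if s >= 5.0 else "No", s, "spam %d" % i) for i, s in enumerate([4.1, 5.9, 9.4, 12.0])]

if __name__ == "__main__":
    ham, spam = scores(HAM), scores(SPAM)
    print("ham scores:", ham)
    print("FPs at required_score 3.0:", false_positives(ham, 3.0))
    print("lowest safe required_score:", lowest_safe_required(ham))
    print("review folder (3.2 <= score < 5.0):", review_folder(ham + spam, 3.2, 5.0))
```

Feed `scores()` the raw text of the messages in a ham folder and a spam folder; `lowest_safe_required` is the value to try as required_score in local.cf, and `review_folder` is what the periodic FP check looks at.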



latest changes and external rulesets

2007-02-15 Thread R Lists06

I looked briefly at the changelog info

I was wondering, are there any external rulesets that we should not use or
change out of from 3.17 to 3.18 upgrade because some of the external rules
were pulled into SA?

Thanks and kind regards

 - rh

--
Robert 





one or two different processes for sa-learn

2007-02-02 Thread R Lists06
In the circumstance of using sa-learn

Is it ok to have

sa-learn --spam --showdots *

sa-learn --ham --showdots *

running as two different processes on two different datasets at the same
time with SA 3.1.7 ?

or is it better to do serially ?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: one or two different processes for sa-learn

2007-02-02 Thread R Lists06
 
 If you're using a DBM file (as opposed to SQL), you can only have 1
 process
 writing the DB at any given point.  So you can run both commands, but one
 of
 them will be sitting there waiting for the write lock until the other one
 is
 done.
 
 I'd probably just specify both ham and spam sets to sa-learn at the same
 time
 anyway, no sense in having an extra process. :)
 

I see

How does one do that?

:-)

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: one or two different processes for sa-learn

2007-02-02 Thread R Lists06

 
 There's a couple of ways, but a simple one is:
 
 sa-learn --ham ... --spam ...
 
 where ... are the files you want to learn.
 

I see

I take it you have done this...

And one can use wildcards doing this without problem?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



stupid users tricks in the wrong place with sa-learn

2007-01-28 Thread R Lists06


If a person was logged in as user spamd

And was in the /home/spamd directory and accidentally did this command

sa-learn --spam --showdots *

would sa-learn actually do anything and fry the spamassassin database?

I know it will try, yet will it succeed at anything in this accident?

Or?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: stupid users tricks in the wrong place with sa-learn

2007-01-28 Thread R Lists06
 
 I don't know about fry the DB, but sa-learn will happily attempt to
 learn
 from whatever files/directories matched '*'.  Likely, it'll see them all
 as
 messages w/ no headers, so a lot of body tokens.
 
 The question of course is, does this matter, which is hard to say.  If the
 tokens are one-off type tokens that you don't get in mail, then they won't
 be
 used for anything and at some point in the future will get expired out.
 
 If the tokens are common in ham, then that won't be good.
 
 Restore from backup?  :)
 
 --
 Randomly Selected Tagline:
 Just remember: Today is the first day after yesterday.

I see

It isn't that big a biggie as I am learning about training and so this
machine doesn't matter so much at this moment.

Well, what made me wonder was that I actually made that mistake and it never
did show any dots.

Notice that please. NO dots  ever showed up.

I did try ctrl-c yet it didn't want to exit so I had to login as root and
kill it.

I will build tools to deal with it in the near future, I am just looking for
wisdom to learn from now so I can build the tools the best AND to know how
to look at a bayes database and understand possible corruptions etc

Any help or pointers will be appreciated.

Thanks in advance!

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: sa-learn --sync importance ???

2007-01-24 Thread R Lists06
 
 I didn't quite parse that.  But man sa-learn, it has many an
 informational
 statement about how it all works.
 
 In short, by default, it stores token timestamp updates.  Whenever the
 journal
 goes over a certain size, SA will automatically sync it for you.
 

Thank you Theo and Matt for the info

Do you know what the size or time threshold is?

I'm sure time is a factor in there too right as maybe the size wouldn't make
it there in a reasonable timeframe?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: spamassassin with qmail

2007-01-23 Thread R Lists06
 

 From: night duke

 Hi, I'm trying to use spamassassin with qmail but I was unable to use them
 together.

 Anyone can help me?

 Thanks.
Until you get to know it well this can and will help

http://www.qmailrocks.org/

http://qmail.jms1.net/

pay special attention to the combined patch and implementing validrcptto and
turning on catchall bounced

then pay special attention to integration with qmail-scanner ver 1.25st or
the latest 2.0x-st and the qmail-scanner.pl file and settings

this is not a two second solution.

Always do it on a test box first IMPO if you can

some qmail solutions are super scripted and although I know you can do that
I am leery of them until you can break it and fix it in less than a minute
etc etc

-  rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net

 



sa-learn and qmail Maildir

2007-01-23 Thread R Lists06
I guess the bottom line is what are qmail folks doing for training?

I had never thought about it before yet I haven't had the need to sa-learn
anything until recently

When processing using sa-learn in a qmail Maildir should one use an
options below

--mbox     Input sources are in mbox format

--mbx      Input sources are in mbx format

Or should you just go to the Maildir directory and appropriate subdirectory
and

sa-learn --showdots --ham *

sa-learn --showdots --spam *

somehow my brain isn't registering Maildir vs other formats right now and
I'm trying to think in terms of how IMAP allows me to move mail data
around... if that makes sense  :-)

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: sa-learn and qmail Maildir

2007-01-23 Thread R Lists06


 From: Theo 
 (note: I don't use qmail)
 
 maildir is typically one file per message in a directory.  In that
 situation,
 just pointing at the directory would be appropriate, sa-learn will use all
 messages in the directory.
 

Yup.

That's why I figure that going to the appropriate directory(ies) and doing
the below is correct

sa-learn --showdots --ham *

sa-learn --showdots --spam *

thanks!

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
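Three of the sa-learn threads above fit one script: Theo's combined form `sa-learn --ham ... --spam ...`, the question of whether shell wildcards are safe with it, and the accidental `sa-learn --spam *` in a home directory that quietly trained on files with no headers. This is an added example, not the poster's tool or anything shipped with SpamAssassin: Python that only accepts directories with the Maildir cur/new/tmp layout, enumerates the one-file-per-message entries in cur/ and new/ (skipping tmp/, which holds partial deliveries), refuses any file whose first line is not a header, and builds the combined sa-learn command with an explicit file list instead of a glob. demo_plan constructs two temporary Maildirs with made-up messages so the plan can be checked without sa-learn installed; the folder name .Spam is a constructed choice.

```python
import os
import re
import subprocess
import tempfile

# An RFC 2822 header field ("Name: value") or an mbox "From " line at the top of a file.
HEADER_RE = re.compile(rb"^(From |[!-9;-~]+:)")


def is_maildir(path):
    """qmail Maildir layout: cur/, new/ and tmp/ side by side."""
    return all(os.path.isdir(os.path.join(path, sub)) for sub in ("cur", "new", "tmp"))


def maildir_messages(maildir):
    """One file per message in cur/ and new/; tmp/ holds partial deliveries and is skipped."""
    for sub in ("cur", "new"):
        sub_dir = os.path.join(maildir, sub)
        for name in sorted(os.listdir(sub_dir)):
            path = os.path.join(sub_dir, name)
            if os.path.isfile(path):
                yield path


def looks_like_message(path):
    """Reject files with no headers, which is what the accidental 'sa-learn --spam *' fed in."""
    with open(path, "rb") as fh:
        return bool(HEADER_RE.match(fh.readline()))


def sa_learn_argv(ham=(), spam=(), showdots=True):
    """The combined invocation from the thread: sa-learn --ham <files> --spam <files>."""
    argv = ["sa-learn"]
    if showdots:
        argv.append("--showdots")
    if ham:
        argv += ["--ham", *ham]
    if spam:
        argv += ["--spam", *spam]
    return argv


def plan_training(ham_maildir, spam_maildir):
    """Return (argv, skipped): the command to run and the files refused for lacking headers."""
    for d in (ham_maildir, spam_maildir):
        if not is_maildir(d):
            raise ValueError("%s is not a Maildir; refusing to run sa-learn there" % d)
    skipped, ham, spam = [], [], []
    for bucket, d in ((ham, ham_maildir), (spam, spam_maildir)):
        for path in maildir_messages(d):
            (bucket if looks_like_message(path) else skipped).append(path)
    return sa_learn_argv(ham, spam), skipped


def train(ham_maildir, spam_maildir):
    """Run the planned command (needs sa-learn on PATH); returns the skipped files."""
    argv, skipped = plan_training(ham_maildir, spam_maildir)
    subprocess.run(argv, check=True)
    return skipped


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def demo_plan():
    # Constructed: a temporary Maildir plus a .Spam folder, three made-up messages, a stray
    # notes file without headers in cur/, and a partial delivery in tmp/.
    root = tempfile.mkdtemp(prefix="sa-learn-demo-")
    ham = os.path.join(root, "Maildir")
    spam = os.path.join(ham, ".Spam")
    for d in (ham, spam):
        for sub in ("cur", "new", "tmp"):
            os.makedirs(os.path.join(d, sub))
    _write(os.path.join(ham, "cur", "1.host:2,S"), "From: a@example.com\nSubject: hi\n\nhello\n")
    _write(os.path.join(ham, "new", "2.host"), "Received: from x\nSubject: hi2\n\nhello\n")
    _write(os.path.join(ham, "cur", "notes.txt"), "just some notes, not a message\n")
    _write(os.path.join(ham, "tmp", "4.host"), "From: partial@example.com\n")
    _write(os.path.join(spam, "cur", "3.host:2,S"), "From: s@example.net\nSubject: buy\n\nbuy\n")
    return plan_training(ham, spam)


if __name__ == "__main__":
    argv, skipped = demo_plan()
    print(" ".join(argv))
    print("skipped:", skipped)
```

Because the file list is built in Python, the shell never expands `*`: dotfiles are not silently missed and a directory that is not a Maildir is refused before sa-learn sees it.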



train forwarded messages on local SA server

2007-01-23 Thread R Lists06
Is it ok to sa-learn train forwarded messages that end up in my local
account mailboxes from accounts on remote servers (out of my admin control)
that are spam?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: market buy with image

2007-01-23 Thread R Lists06
By fred rules, do you mean by Fred Tarasevicius

Which specific fred rules are the best by experience?

Thanks!

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net






RE: market buy with image

2007-01-23 Thread R Lists06
 
 I'd use 00_FVGT_File001.cf which is a new file  Fred. This combines a
 lot of his older 88_FVGT* cf files into one.
 
 
 --
 
   -Doc
 

Thanks. Is anyone out there running some or a lot of the FRED rules with a
lot of success, or should we only run certain ones in general?

Bottom line is, I don't know how aggressive or not the rulesets are etc

Please advise and thanks!

 - rh
 
--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: Re[2]: market buy with image

2007-01-23 Thread R Lists06

 
 My rules are very aggressive, but they can and possibly will cause
 FP's!!  As soon as 3.2 is released, those rules of mine that survive
 the rescoring and mass-check runs will be included in the stock rules!
 
 Frederic Tarasevicius


Good lookin' out Frederic

Will you please keep us posted as that happens so that those of us that are
old enough and have the sometimers disease will remember to deal with the
resultant issues?

Sometimes I remember, sometimes I don't

:-)

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



spamdoptions ???

2007-01-23 Thread R Lists06


Apologies for not finding it in my searching yet...

I think it is my sometimers kickin' in...  ;-

I am looking for info on the granularity knob control for number of extra
spamd daemons on startup.

...AND if one has enough processors and ram memory, how to know how many
extra to have available to speed up scanning and such under load.

On Redhat or CentOS machines would that be under SPAMDOPTIONS ?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





sa-learn --sync importance ???

2007-01-23 Thread R Lists06

Can anyone comment on the true importance of this command and option below?

sa-learn --sync

my simple research is telling me that if you don't do this at some regular
interval, that your training isn't fully put into action when journaling
starts.

I haven't found much mention of it on the www yet I am still checking

I was tipped off by reading this doc - url and by doing a frequent  ls -axl
in the /home/spamd/.spamassassin directory on one of our servers

http://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html

and by noticing that traffic on my server was generating what to my
noviceness at this is journaling???

am I correct?

Those in the know, Please do enlighten us all  :-)

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: dynablock.njabl.org ends (and resolving pbl.spamhaus.org)

2007-01-22 Thread R Lists06
 
 Maybe interesting for those that use dynablock.njabl.org (as I do at the
 MTA-level).
 Got an email last friday from njabl about dynablock.njabl.org, it's no
 longer maintained by njabl but is now only a copy of the pbl.spamhaus.org
 list. Eventually the dynablock.njabl.org zone will be emptied.
 
 By the way, pbl.spamhaus.org doesn't resolve at this moment, same problem
 with sbl-xbl.spamhaus.org, xbl.spamhaus.org etc.
 So I'll not be switching to pbl.spamhaus.org for now...
 

It resolves, just remember to do this to test

dig pbl.spamhaus.org any

Or

dig pbl.spamhaus.org ns

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
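The `dig` checks above test whether the zone itself answers; the lookups SpamAssassin and an MTA perform against pbl.spamhaus.org (the same PBL the earlier Spamhaus thread on this page worries about for authenticated dial-up users) are ordinary A queries for a reversed-octet name under the zone. This is an added example, not code from the list or from SpamAssassin: Python that builds the query name for an IPv4 address, interprets the answer, and treats any reply outside 127.0.0.0/8 as a resolver wildcard rather than a listing. The answer-code table comes from Spamhaus's published return codes, not from the thread, and should be re-checked against the current list before being relied on.

```python
import ipaddress
import socket

# Answer codes Spamhaus documents for its zones (from Spamhaus's own documentation,
# not from the thread; re-check before relying on them).
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.1 -> 1.2.0.192.pbl.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only here; IPv6 DNSBL names use reversed nibbles")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def classify_answer(answer):
    """Interpret the A record returned by the zone; outside 127.0.0.0/8 it is not a listing."""
    if answer is None:
        return "not listed"
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        # A wildcarding or hijacking resolver returns a public address; never score on it.
        return "unexpected answer %s: resolver wildcard or hijack, not a listing" % answer
    return SPAMHAUS_CODES.get(answer, "listed (code %s)" % answer)


def dnsbl_lookup(ip, zone):
    """Live query; returns the A record or None. NXDOMAIN and an unreachable zone both
    come back as None here, which is why the thread checks the zone with 'dig ... ns' first."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    name = dnsbl_query_name("192.0.2.1", "pbl.spamhaus.org")
    print(name, "->", classify_answer(dnsbl_lookup("192.0.2.1", "pbl.spamhaus.org")))
```

Spamhaus keeps 127.0.0.2 listed in its zones as a test address, so `dnsbl_lookup("127.0.0.2", "pbl.spamhaus.org")` is the programmatic twin of the `dig` test above without querying any real customer address. 192.0.2.1 in the __main__ block is a documentation address (TEST-NET-1), chosen so the sample never points at a live host.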



autowhitelist

2007-01-22 Thread R Lists06
We are using 3.17 on this particular server

In reading the docs on autowhitelist it told me about v310.pre and this
setting

# AWL - do auto-whitelist checks
#
loadplugin Mail::SpamAssassin::Plugin::AWL

do I need to comment out this below in the v310.pre or leave it alone and
add the below setting

user_auto_whitelist 0

in the local.cf ???

please let me know what is the best way and thanks

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





botnet 7 perl error

2007-01-22 Thread R Lists06

I only found one reference to this error searching the net

Use of uninitialized value in string eq at /etc/mail/spamassassin/Botnet.pm
line 564, GEN16 line 7

This appears to be the line of code in Botnet.pm although I could be wrong

  Mail::SpamAssassin::Plugin::dbg("Botnet: miss (" . $tests . ")");

can anyone point me to anything else that solves this please?

I have disabled botnet for now

Machine is centos 4.4, perl 5.8.5, sa is 3.1.7

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





restart from scratch with 3.1.7 ???

2007-01-21 Thread R Lists06
Greetings

My SA 3.1.7 installs run as user spamd

My /home/spamd/.spamassassin directory looks like this

-rw-------  1 spamd spamd 5210112 Jan 21 14:25 auto-whitelist
-rw-------  1 spamd spamd   60864 Jan 21 14:25 bayes_journal
-rw-------  1 spamd spamd 2711552 Jan 21 14:18 bayes_seen
-rw-------  1 spamd spamd 5390336 Jan 21 14:18 bayes_toks

Now, lately I am getting quite a bit of BAYES_00 hits and from the simple
searching and reading I have done it tells me that I may need to start over
from scratch as my config was not fully mature at the beginning a year ago
and so the AWL probably has some bad info here and there.

Should I just stop the spamassassin processes, delete the 4 files above and
restart the spamassassin processes and let it go at that, repopulating
itself on the fly by itself ???

Or is there a better way?

I have populated internal and trusted network with info and AWL is on as is
bayes and dns_available is yes

Do you need more info?

Thanks in advance

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: comprehensive perl module site like cpan or other for SA needs ???

2007-01-14 Thread R Lists06

 Design and engineering?
 
 You want Spamassassin to work or not?  You install what it
 needs.
 What does that have to do with engineering?
 
 If you start managing library installation on a library by library
 basis you are opening a can of worms.  You select the packages
 you need to get the job done, and install all the libraries (or in this
 case perl modules) needed for those packages.  You don't start
 at the libraries and work up. You start at the packages and let
 the package managers/Cpan take of the libraries/modules.
 
 --
 _
 John Andersen

No, I want SA to fail frequently and give me headaches all day and avoid my
attempts at successfully implementing part of our mail server systems
engineering.

:-)

Can anyone answer the question(s)?

Where is the best place to find the docs and info about the current stable
perl modules in relationship to SA

Is it CPAN? Is that it? Other place?

I want to know which versions are current and stable and what the lil
buggers actually do.

I don't know the answer or I wouldn't be asking.

Yes, I know how to search the web yet it still doesn't answer the question.

I don't know at any given time what is the most stable version of any perl
module in relation to SA use.

Please advise on that and thanks in advance.

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



comprehensive perl module site like cpan or other for SA needs ???

2007-01-13 Thread R Lists06
Greetings

Seeking some list wisdom please?

We have some well functioning boxes running SA out there

Most run RHEL 4 or CentOS 4

I am wondering where to go to find out specifically for each perl module if
we have the latest greatest and most stable version(s) etc

Please note the sa-update output at bottom.

Do we need to search them out individually or has someone put together a
place where they all are

I am aware of CPAN and sourceforge and other places yet looking for
comprehensive site people use in terms of SA and the needs of SA boxen

Also, please note the modules that are not active or found in the install
below during the SA update

Would installing them just be plug and play and they start working or do I
search them out individually too and their activation configs etc?

Thanks and kind regards

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net

[EMAIL PROTECTED] log]# sa-update -D
[12921] dbg: logger: adding facilities: all
[12921] dbg: logger: logging level is DBG
[12921] dbg: generic: SpamAssassin version 3.1.7
[12921] dbg: config: score set 0 chosen.
[12921] dbg: message: ---- MIME PARSER START ----
[12921] dbg: message: main message type: text/plain
[12921] dbg: message: parsing normal part
[12921] dbg: message: added part, type: text/plain
[12921] dbg: message: ---- MIME PARSER END ----
[12921] dbg: dns: is Net::DNS::Resolver available? yes
[12921] dbg: dns: Net::DNS version: 0.48
[12921] dbg: generic: sa-update version svn454083
[12921] dbg: generic: using update directory: /var/lib/spamassassin/3.001007
[12921] dbg: diag: perl platform: 5.008005 linux
[12921] dbg: diag: module installed: Digest::SHA1, version 2.07
[12921] dbg: diag: module installed: Getopt::Long, version 2.34
[12921] dbg: diag: module installed: LWP::UserAgent, version 2.031
[12921] dbg: diag: module installed: HTTP::Date, version 1.46
[12921] dbg: diag: module installed: Archive::Tar, version 1.30
[12921] dbg: diag: module installed: IO::Zlib, version 1.04
[12921] dbg: diag: module installed: DB_File, version 1.809
[12921] dbg: diag: module installed: HTML::Parser, version 3.35
[12921] dbg: diag: module installed: MIME::Base64, version 3.01
[12921] dbg: diag: module installed: Net::DNS, version 0.48
[12921] dbg: diag: module installed: Net::SMTP, version 2.29
[12921] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[12921] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[12921] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[12921] dbg: diag: module not installed: Net::Ident ('require' failed)
[12921] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[12921] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
[12921] dbg: diag: module installed: Time::HiRes, version 1.55
[12921] dbg: diag: module installed: DBI, version 1.40



RE: comprehensive perl module site like cpan or other for SA needs ???

2007-01-13 Thread R Lists06
 
 So how did you install in the first place?
 
 Yes, installing these would cause them to start working.
 
 I recommend installing using CPAN, as it is portable, reliable,
 picks up its pre-requisites very well and you are not dependent
 on some Distro specific packager.
 
 If you have the latest distro specific package installed, running
 CPAN will overlay it with the latest standard version and your
 package management software will be none the wiser.
 
 There are only a very few subtle things you must look out for
 when overlaying your distro packages with CPAN, namely where
 spamd is stored.  (Suse has its own idea of where things get stored).
 
 I always install SA from Cpan, but sometimes I will install the distro
 package first to get all the pre-requisite perl modules installed.
 John Andersen

It is my experience that CPAN installs can or will tend to do things I do
not want them to do (or cannot control) in an RPM environment, among other
things...

I am looking more for documentations and information plus URLs to download
so we can make decisions as to what they do, how it affects our design and
engineering as well as implementation before I would consider installing.

Apologies for not mentioning that or making it more clear at the beginning.

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: SA-UPDATE and recent branches/3.1 rules? or Did I miss an SA version update?

2007-01-01 Thread R Lists06
 
 No, your SA won't be broken. IIRC SA won't apply anything if there's a
 failure. At least my SA is still running fine here after my attempted
 update this morning. I didn't restart after the failure so in theory
 at least SA should still be running off the old set even if the new
 set did cause a problem. That said, I'm pretty sure that unless SA
 gets an OK return from sa-update nothing is applied.
 
 If anyone knows different please yell.
 
 Kind regards
 
 Nigel

What I know that is different is, if you go to

/var/lib/spamassassin/3.001007/

Or wherever your updates go on your machine and check the directory listings
with ls -axl; mine show up as the last time I updated and have not been
updated as of today.

These results tell me we are all ok and should breathe a sigh of relief.

Nothing to see here.  :-)

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



BAYES_00 possible score modification info thread help etc

2006-12-23 Thread R Lists06
Recently there was a thread on BAYES_00 and how folks were considering or
changing the score on this, etc.

-2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
 [score: 0.]

I've searched and cannot locate it (the thread) somehow.

Can someone help me get to that thread please?

And, if there is any new commentary about the changing of this I would sure
like to hear about it.

I'm finding just about every spam still hits this and loses steam.

Thanks!

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: Deleting SA headers on ham

2006-12-23 Thread R Lists06
 
 I changed my ham script to:
 nice -n15 sa-learn -L --ham --no-rebuild --single | spamassassin -d
 
 This did not work.

Why on earth are there two different functions for the letter d in
spamassassin?

Meaning 

spamassassin -D
spamassassin -d

do or are associated with two different functions/things.

Isn't this counterproductive in error or mistake situations?

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net




RE: sa-update is broken

2006-12-20 Thread R Lists06

 
 No.
 
 But it does work better if you install all needed dependencies and
 follow the instructions. Without dependencies it doesn't run (who
 would have guessed?), and without following the instructions the
 result may not be what you expected.
 
 -thh

Thanks, the context of my question was based upon the subject of this thread
and that I hadn't seen an update in a while (I do it manually) and I was
tired of following the thread somewhat, so without trying to offend, I
asked.

:-)

Our stuff here is not broken so I wasn't worried, unless of course sa-update
was broken per that thread's subject (it was not).

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: sa-update is broken

2006-12-19 Thread R Lists06
With all due respect to all involved.

 

Is sa-update broken or is this just a prolonged and poorly thought up global
name for a thread?

 

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: Breaking up the Bot army - we need a plan

2006-12-14 Thread R Lists06

 
 You didn't read what I actually said.
 
 I didn't say the domain didn't look right.  I said the IP address
 registration didn't look right.
 
   nslookup ebay.com
 
  Name:   ebay.com
  Address: 66.135.192.87
 
   whois 66.135.192.87
 
  OrgName:eBay, Inc
  OrgID:  EBAY
  Address:2145 Hamilton Ave
  City:   San Jose
  StateProv:  CA
  PostalCode: 95008
  Country:US
 
  NetRange:   66.135.192.0 - 66.135.223.255
  CIDR:   66.135.192.0/19
  NetName:EBAY-1
  NetHandle:  NET-66-135-192-0-1
  Parent: NET-66-0-0-0-0
  NetType:Direct Assignment
  NameServer: SJC-DNS1.EBAYDNS.COM
  NameServer: SJC-DNS2.EBAYDNS.COM
  NameServer: SMF-DNS1.EBAYDNS.COM
  Comment:
  RegDate:2001-07-13
  Updated:2003-02-20
 
  OrgTechHandle: EBAYN-ARIN
  OrgTechName:   eBay Network
  OrgTechPhone:  +1-408-376-7400
  OrgTechEmail:  [EMAIL PROTECTED]
 
  # ARIN WHOIS database, last updated 2006-12-13 19:10
  # Enter ? for additional hints on searching ARIN's WHOIS database.
 
 That part looks fine.
 
 Now, for emailebay.com:
 
   nslookup emailebay.com
 
  Name:   emailebay.com
  Address: 216.33.156.118
 
   whois 216.33.156.118
 
  OrgName:Savvis
  OrgID:  SAVVI-2
  Address:3300 Regency Parkway
  City:   Cary
  StateProv:  NC
  PostalCode: 27511
  Country:US
 
  ReferralServer: rwhois://rwhois.savvis.net:4321/
 
  NetRange:   216.32.0.0 - 216.35.255.255
  CIDR:   216.32.0.0/14
  NetName:SAVVIS
  NetHandle:  NET-216-32-0-0-1
  Parent: NET-216-0-0-0-0
  NetType:Direct Allocation
  NameServer: DNS01.SAVVIS.NET
  NameServer: DNS02.SAVVIS.NET
  NameServer: DNS03.SAVVIS.NET
  NameServer: DNS04.SAVVIS.NET
  Comment:
  RegDate:1998-07-30
  Updated:2004-10-07
 
  OrgAbuseHandle: ABUSE11-ARIN
  OrgAbuseName:   Abuse
  OrgAbusePhone:  +1-877-393-7878
  OrgAbuseEmail:  [EMAIL PROTECTED]
 
  OrgNOCHandle: NOC99-ARIN
  OrgNOCName:   SAVVIS Support Center
  OrgNOCPhone:  + 1-888-638-6771
  OrgNOCEmail:  [EMAIL PROTECTED]
 
  OrgTechHandle: UIAA-ARIN
  OrgTechName:   US IP Address Administration
  OrgTechPhone:  + 1-888-638-6771
  OrgTechEmail:  [EMAIL PROTECTED]
 
  # ARIN WHOIS database, last updated 2006-12-13 19:10
  # Enter ? for additional hints on searching ARIN's WHOIS database.
 
 
 Looks quite a bit different to me.

Not really

Do a

dig -x 216.33.156.118

then do a dig -x 216.33.157.1

notice my simple change

and see that it appears that it just hasn't been SWIP'd yet.

 - rh


--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



spam testings from outside

2006-12-12 Thread R Lists06

Is there a URL on the net where one can go and enter an email address and
that server will send a known SA count or random very spammy email to that
address to test for various things like SA markup or SA markup total or even
smtp rejection and verification based upon SA markup etc?

Thanks

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: spam testings from outside

2006-12-12 Thread R Lists06
 You have a yahoo account? Send yourself a gtube message:
 http://spamassassin.apache.org/gtube/
 
 or even smtp rejection and verification based upon SA markup etc?
 
 Well, considering spamassassin cannot reject messages, that's up to
 your MTA.
 
 But see above.
 
 

Thanks for the info.

I ended up asking a fellow ISP for an extra email account and spammed myself
with hot *** pill type w/ some spammy website url baloney email.

GTUBE worked too.

Thankfully I have engineered and implemented a way to reject emails in the
SMTP session that score above a certain level in SA, on a qmail server.

Today is an awesome day. Praise God!

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net




SMTP rejection based on SA Scores etc

2006-12-12 Thread R Lists06

Those of you that have some good data can you please share some excellent
numbers that you base your SMTP rejection based on SA scores and otherwise
please?

All I have here are SA averages and I'm not quite sure that is the right
vector to base the rejection scores on.

Thanks in advance.

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: Tarpits are fun!

2006-12-12 Thread R Lists06

 Dec 12 12:16:30 ga : Initial Connect - tarpitting: 124.240.124.222 14526 -
  x.x.x.x 25 *
snip
 Dec 12 16:19:20 ga : Persist Activity: 124.240.124.222 14526 - x.x.x.x 25
 *
 
 Three spambot threads stuck for *hours*!
 
 --
  John Hardin KA7OHZ  http://www.impsec.org/~jhardin/

How are you implementing this?

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



required_score aggressive ??

2006-12-06 Thread R Lists06

When looking up required_score info, as most know, it says that the default
is 5.0 and that it is considered aggressive in various circumstances.

Used to be called required_hits

When I first started using SA I was told that as an ISP going in the 4.0
range, give or take a little, was an excellent choice.

If you are able to chime in, please share your wisdom in any area about
required_score and/or just how aggressive is everyone on the list as I am
thinking of tweaking a little lower.

Thanks in advance

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





rbl insight and wisdom please

2006-11-27 Thread R Lists06
Hopefully this hasn't been rehashed to death on this list yet; has there ever
been a general consensus as to which RBLs and similar lists are best to use
if you are going to engineer your mail systems with such?

Anyone care to share their implementations as well as current best and worst
practices please?

Thanks

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: change spamhaus.org's score

2006-11-14 Thread R Lists06
 
 On spamhaus or spamcop? This thread is getting confusing. Personally I
 drop on a spamhaus sbl-xbl hit at the smtp point. To date I've not had
 a complaint/problem. Though my userbase is pretty static in
 send/receives.
 
 I don't have much faith in spamcop.
 
 Nigel

Are you saying that you do have faith in spamhaus for these functions in
terms of FPs then?

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: razor and dcc : high cpu load

2006-11-10 Thread R Lists06
 
 
 Like a text-file based (it's not a security hole?!) or a ldap-replica on
 mail-server?
 I'm  searching for more examples and other ideas and find this patch for
 qmail:
 http://qmail.jms1.net/patches/validrcptto.cdb.shtml
 
 I don't know if this patch is really necessary.. but it's a suggestion too...
 Anyway... I'll search more and to do many tests...
 
 Thanks...

validrcptto patch works very well.

This patch does wonders for knocking down garbage before it gets into the
queue.

It is based on a system that uses qmail and vpopmail etc and generates a txt
file that gets turned into a cdb.

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



sa-update -D

2006-11-08 Thread R Lists06

On a certain box we ran a successful current sa-update

Later on, I went back and ran

sa-update -D

in it was this

[7317] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[7317] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[7317] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[7317] dbg: diag: module not installed: Net::Ident ('require' failed)
[7317] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[7317] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)

I was wondering... when this is the case, what is this telling me other than
those modules are not installed?

Is it telling me that some SA tests are not being run because of the lack of
modules and therefore the reflective update configs are not pulled?

What else should we know in regards to this?

Thanks and kind regards

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





SA, clamav qmail-scanner w/ Qmail

2006-10-26 Thread R Lists06
Greetings,

If anyone on the list is using latest SA, clamav  qmail-scanner with the
Qmail MTA can you please hit me with an email offlist?

I will be glad to share a synopsis of what I am trying to find out and
implement once I get there with this list.

I haven't been able to find it anywhere after a week of searching and would
appreciate some help please?

Thanks and kind regards,

- rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: Spamassassin effectiveness, BAYES_99

2006-10-21 Thread R Lists06

 From: Benny Pedersen  
 i have changed bayes scores to catch most spam here, and changed threshold
 to learn spam / ham with less range so it is more accurate and prevents bayes
 poison at the same time, just have them at scores so spam is still
 autolearned, and ham is still autolearned, check that you don't have
 whitelist with -100 for spam mails :)
 
 if you use whitelist from or whitelist at all make sure it will not
 trigger the bayes ham learning on its own
 
 if your bayes have nearly same count of spam / ham msgs its good
 
 manually learn helps as well
 
 --

I'm not sure I am following the whitelist comments above.

What do you mean, and how do we prevent whitelisting from triggering the
bayes on its own?

This is somewhat confusing

Thanks

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: scoring spam

2006-10-20 Thread R Lists06
 
 If you are having problems with memory after downloading the rules,
 you just need to be careful that you use the right ones.  Read the
 descriptions of the rules carefully and only use the ones that you
 think would be useful.  Any time you add more rules, the spamd
 children will take up more memory, but it shouldn't be too bad.  And
 if you do run into problems, you can always lower the max number of
 children in your spamd startup command to give the children more room.
 
 I posted this list a day or two ago, but the most useful SARE rules on
 my system are:
 
 70_sare_stocks.cf
 70_sare_adult.cf
 70_sare_specific.cf
 
 Besides the SARE rules, you should also consider URIBL, Razor, and
 FuzzyOCR.
 
 --
 Bowie

I was answering Steve, with the url to the sare website. Thanks again though
it didn't have anything to do with a previous post from me.

:-)

On the other hand, many may find it useful to know to play around with
ruleset combos.

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



sare top choices

2006-10-19 Thread R Lists06

Greetings

I pulled down a large subset of all the sare filters today on a test mail
server...

-rw-r--r--  1 root root  53868 Apr 20 02:00 70_sare_adult.cf
-rw-r--r--  1 root root   3839 Jun  1  2005 70_sare_bayes_poison_nxm.cf
-rw-r--r--  1 root root  24298 Oct  5  2005 70_sare_evilnum0.cf
-rw-r--r--  1 root root  45933 Dec 26  2005 70_sare_genlsubj0.cf
-rw-r--r--  1 root root 123406 May 21 13:00 70_sare_header0.cf
-rw-r--r--  1 root root  28066 Jun  3 22:00 70_sare_html0.cf
-rw-r--r--  1 root root  51886 Oct  1  2005 70_sare_obfu0.cf
-rw-r--r--  1 root root  12739 Dec 27  2005 70_sare_oem.cf
-rw-r--r--  1 root root  18190 Dec 12  2005 70_sare_random.cf
-rw-r--r--  1 root root  97820 May 27 20:00 70_sare_specific.cf
-rw-r--r--  1 root root  20301 Jul 25 09:00 70_sare_spoof.cf
-rw-r--r--  1 root root  59515 Oct 18 13:00 70_sare_stocks.cf
-rw-r--r--  1 root root  25124 Nov 12  2005 70_sare_unsub.cf
-rw-r--r--  1 root root  17879 Oct  4  2005 70_sare_uri0.cf
-rw-r--r--  1 root root  13211 Jun  1  2005 72_sare_bml_post25x.cf
-rw-r--r--  1 root root  15481 May 15 20:00 72_sare_redirect_post3.0.0.cf
-rw-r--r--  1 root root  10147 Jun  1  2005 99_sare_fraud_post25x.cf

I didn't snag all of them.

I'm still contemplating the one that says it needs network tests on and SPF
on and something else.

For those of you that use these, can you rate them on how effective in
general?

Um, I do not think I want to run them all and so I am looking for help to
trim it to the top 3 to 5 or so of them to use...

It appears that several of you run all of them...

Any helpful comments will be appreciated.

Thanks and kind regards,

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





.cf file update procedures

2006-10-19 Thread R Lists06
When you folks are adding, deleting or updating spamassassin .cf files...

After the changes are implemented and you have run --lint, do you folks shut
down your main SMTP process before you run something like

/etc/init.d/spamassassin restart

And then bring back up your smtp?

Or do you just restart spamassassin and call it good?

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: .cf file update procedures

2006-10-19 Thread R Lists06
 
 It depends from your MTA + SA setup.
 
 I use postfix + amavis + SA. Postfix is configured to pre- and post-queue
 messages around amavis. Postfix and amavis comm by inet/unix socks. SA is
 run embedded into amavis.
 
 As a result, these confs allow restarting amavis (cf.: SA) without losing
 messages: the postfix pre-queue would store unchecked messages and then
 would resubmit them as soon as amavis starts again.
 
 I'm used to issue a 'postqueue -f' command just after amavis restart.
 
 giampaolo
 

Ok, so best common practice would be to shut down the smtp daemon and
associated processes, then restart spamassassin, and then bring up the smtp
daemon and associated processes.

Anyone using qmail?

Correct?

 - rh



RE: R: Scoring PTR's

2006-10-19 Thread R Lists06


Actually, by definition they are supposed to match A to PTR and PTR to A.

Just because everyone doesn't do it perfectly does not mean it is correct to
not do reverse DNS or to not do it correctly.

There are variations on best practices. Oh well...

RFC 1123 says you should not reject based upon HELO

Lord knows if that was stomped on by a later RFC.

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: R: Scoring PTR's

2006-10-19 Thread R Lists06
 
 This suggestion has been superseded, or perhaps better elucidated, by
 later RFC's, particularly RFC 2181, section 10.2.
 
 Nowadays many of us have reverse-DNS delegation in place since as an
 end-user we have no control over the in-addr.arpa records for our
 particular IP subnet.  For instance, mail.cyways.com resolves to
 12.148.244.151, but a reverse query for that address yields:
 
 # host -t ptr 151.244.148.12.in-addr.arpa
 151.244.148.12.in-addr.arpa is an alias for 151.128/27.244.148.12.in-addr.arpa.
 151.128/27.244.148.12.in-addr.arpa domain name pointer mail.cyways.com.
 
 That's because the 244.148.12.in-addr.arpa zone belongs to our provider
 (ATT), but they have delegated our /27 subnet's zone to us via this
 aliasing process.  RFC 2181 makes clear that aliasing is fine in the PTR
 resolution process as long as the aliasing eventually points to a
 canonical name like mail.cyways.com.
 
 This is a much better solution than requiring us to go to the provider to
 update their PTR records every time we change the names of the hosts in
 our subnet.  RFCs like 1912 reflect a time when most people had control
 over both forward and reverse name service for a class-A, B, or C IP
 block.  That came to an end when classless, or CIDR, addressing
 became the norm.
 
 
 Peter

Delegation of reverse DNS is not hard at any size block of IP addresses if
the authoritative company will allow your name servers to be authoritative
correctly.

It may say it is ok, yet it isn't ok.

Nothing personal, yet that is some messed up reverse dns delegation.

They do not have to alias anything other than authority.

$ dig -x 12.148.244.151

; <<>> DiG 9.2.4 <<>> -x 12.148.244.151
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18524
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;151.244.148.12.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
151.244.148.12.in-addr.arpa. 172800 IN  CNAME 151.128/27.244.148.12.in-addr.arpa.
151.128/27.244.148.12.in-addr.arpa. 43200 IN PTR mail.cyways.com.

;; AUTHORITY SECTION:
128/27.244.148.12.in-addr.arpa. 43200 IN NS ns.cfmr.com.
128/27.244.148.12.in-addr.arpa. 43200 IN NS ns.cyways.com.
128/27.244.148.12.in-addr.arpa. 43200 IN NS ns2.cyways.com.

;; ADDITIONAL SECTION:
ns.cfmr.com.172800  IN  A   12.148.244.131
ns.cyways.com.  86400   IN  A   12.148.244.151
ns2.cyways.com. 86400   IN  A   12.148.244.157

- rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net
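Checking the agreement described at the top of this post (A to PTR and PTR to A) requires following the CNAME that RFC 2317 classless delegation inserts into the PTR lookup, as the dig output shows. This Python example is added here and is not code from the thread; it runs over a constructed in-memory zone table (the cyways.com records from the dig output plus hypothetical 192.0.2.x entries) instead of live DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check that follows CNAME chains.

Added example (not from the mailing-list thread). The lookup table below is
constructed: it mirrors the cyways.com records from the dig output in the post
(PTR reached through an RFC 2317 CNAME into the 128/27 sub-zone) and adds
hypothetical 192.0.2.x entries to exercise the failure cases. A real deployment
would replace TableResolver with queries to a recursive resolver.
"""
import ipaddress

# Constructed zone data: (owner name, record type) -> list of rdata strings.
CONSTRUCTED_ZONE = {
    # RFC 2317 classless delegation as shown in the post's dig output.
    ("151.244.148.12.in-addr.arpa.", "CNAME"): ["151.128/27.244.148.12.in-addr.arpa."],
    ("151.128/27.244.148.12.in-addr.arpa.", "PTR"): ["mail.cyways.com."],
    ("mail.cyways.com.", "A"): ["12.148.244.151"],
    # Hypothetical: PTR names a host whose A record points elsewhere (mismatch).
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["host.example.net."],
    ("host.example.net.", "A"): ["192.0.2.11"],
    # Hypothetical: a CNAME that loops on itself (broken delegation).
    ("30.2.0.192.in-addr.arpa.", "CNAME"): ["30.2.0.192.in-addr.arpa."],
    # 192.0.2.20 deliberately has no reverse record at all.
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address, e.g.
    12.148.244.151 -> 151.244.148.12.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


class TableResolver:
    """Minimal resolver over the constructed table; stands in for real DNS."""

    def __init__(self, zone):
        self.zone = zone

    def query(self, name: str, rtype: str) -> list:
        return list(self.zone.get((name.lower(), rtype), []))


def resolve_ptr(resolver, ip: str, max_cname_hops: int = 8) -> list:
    """Return the PTR targets for ip, following CNAMEs the way RFC 2317
    delegation requires. Returns [] when no PTR exists or the CNAME chain
    is longer than max_cname_hops (loop protection)."""
    name = reverse_name(ip)
    for _ in range(max_cname_hops + 1):
        ptrs = resolver.query(name, "PTR")
        if ptrs:
            return ptrs
        cnames = resolver.query(name, "CNAME")
        if not cnames:
            return []
        name = cnames[0]  # follow the alias and query again
    return []


def fcrdns(resolver, ip: str) -> tuple:
    """Forward-confirmed reverse DNS.

    Returns (status, hostname):
      ("ok", host)       one PTR hostname's A records include ip
      ("mismatch", host) PTRs exist but none resolves back to ip
      ("no_ptr", None)   no reverse record (or a broken CNAME chain)
    """
    ptrs = resolve_ptr(resolver, ip)
    if not ptrs:
        return ("no_ptr", None)
    for host in ptrs:
        if ip in resolver.query(host, "A"):
            return ("ok", host.rstrip("."))
    return ("mismatch", ptrs[0].rstrip("."))


if __name__ == "__main__":
    resolver = TableResolver(CONSTRUCTED_ZONE)
    for addr in ("12.148.244.151", "192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(addr, fcrdns(resolver, addr))
```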






RE: R: Scoring PTR's

2006-10-19 Thread R Lists06

 
  RFC 1123 says you should not reject based upon HELO
 
 Bah. If some machine I don't control tries to HELO
 whatever.impsec.org I'm absolutely going to tell them to go away.
 
 --
  John Hardin KA7OHZ  ICQ#15735746  http://www.impsec.org/~jhardin/

What program is doing the rejection though?

Doesn't say you can't, just says you shouldn't.

And it is old old old. Was the RFC revised?

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 It's also a good trick to cause a denial of service.
 
 Regards,
 -sm
 

Maybe... under extremely special circumstances, yet more realistically not.

Well programmed software can rate limit itself when things look hokey...

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 
 What it looks like to me is a way of blacklisting competition to try to
 steer business their way. The only way to get off their lists is to pay
 them money. It looks more like extortion to me.
 

Marc

After reading their EN website, http://www.uceprotect.net/en/

...maybe you could be the one to correct their grammar as they put it and
they would bless/pay you by pulling your entry...

Yes, I am joking... sort of...

:-)

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 
 Right.  And rate limiting limits the real service.  Thus, you have ...
 oh yeah, DENIAL OF SERVICE.
 
 THINK! It's not hard.
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

Don't assume Jo.

You do not know specifically what I was talking about rate limiting and why
or how.

We model thinking outside of the box and therefore do not limit ourselves to
that which is known or perceived to be known...

Break out of the box, Jo.  :-)

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 
 Um, yes.  Well, I've seen it DoSed by just attempts to deliver to an
 address that doesn't exist. User not found after RCPT TO is the exact
 same traffic load.  That was very modern hardware, and it happened just
 a few weeks ago.
 
 Think about it.  It doesn't require you to stretch your brain to figure
 out the math involved.
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

Maybe you can elaborate on very modern hardware and what opsys and config
so we can really understand where you are coming from here in terms of the
math involved...

Please do share.

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net




RE: dealing with DoS attacks (Re: ALL_TRUSTED creating a problem)

2006-10-17 Thread R Lists06
 
 Yes, I know.  I'm actually one of the supertechs you refer to.  Er, at
 least top of the food chain in that regard :-)
 
 Law enforcement in Santa Clara is excellent, but they have to focus on
 the big fish.  This is small stuff to them.  It's also just small enough
 to fall under the radar of most providers, which argues to me that this
 guy is fairly clueful.  (guy because so far I've never met a woman who
 dealt with their emotional drama in such stupid ways)
 
Snip
 
 You pretty much nailed it.  The target is a DSL customer, so sending
 100mb/sec isn't enough to raise the eyebrows of any modern service
 provider, but the DSL switch receiving that flood gets fairly unhappy
 and the target is completely offline.
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

Jo

I kinda figured you were a supertech, so as you know document, document,
document and you will eventually get the idiot...

when I started doing this in the early 1990's we used to call the USWest
Interprise techs in Minnesota supertechs.

I made some friends there as we turned up a lot of frame relay and such...

So, as you know they can put flags in the switches to watch for those
traffic signs and alert log it and flag someone and they can get their Telco
Cops on it... they wear a badge and can carry a gun too.

It is a federal crime as I understand it, as some of those wires cross state
boundaries etc.

:-)

Best wishes

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: sare suggestions.

2006-10-17 Thread R Lists06
 
 I don't use rulesdujour because it seems like too much hackery.
 sa-update (included with spamassassin) does it all very cleanly, and is
 supported by the team.  (sa-update is newer than rdj, so it's not really
 rdj's fault)
 
 Frankly, I subscribed to almost every single ruleset on the
 rulesemporium page.  If I skipped any that weren't do not use then I
 don't know what they were.
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

Jo

In this type of config, how much RAM are you running and how many
processors??? Plus I am wondering how big are the SA processes that are
running in RAM with all those rulesets etc?

Thanks and kind regards

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 
 My incoming servers know literally nothing about which users have valid
 addresses and which do not.  All these servers do is accept or reject
 inbound mail based on a (long) list of SMTP-level rules and forward the
 messages that are accepted to another machine for SA and virus scanning.
 
 If sender verification requires that the incoming server have a complete
 list of valid mailboxes, it's going to fail miserably here.  I don't see
 anything in the RFCs that makes my configuration non-compliant, do you?
 
 
 

Maybe you have it backwards???

IMPO the mail server should know exactly what email addresses there are so
that it can reject at the SMTP level email that is not addressed to a real
user or real live mailbox, i.e. valid RCPT TO :-)

Some will disagree, as they want every email whether addressed properly or
not, as some people that want to buy things are stupid and can't type or
follow directions properly, so they don't filter on invalid RCPT TO.

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: sare suggestions.

2006-10-17 Thread R Lists06
 
 This is a personal colo box with very light load.  1gb of memory and
 an AMD XP1800+ processor...  old, old technology.
 
 The daemons are consistently around 70mb apiece, and there are
 usually 5-7 running.  Low limit is 2, upper limit is 10.
 
 Load average is always 0 across the board.  This system is bored.
 
 --
 Jo Rhett
 Senior Network Engineer
 Network Consonance
 

I see... so 70 meg SA's when running all these ruleset is a good general
rule of thumb for size?

 - rh



RE: SA Webmail Portal

2006-10-17 Thread R Lists06
 
 Hi,
 
 explain to your customers that giving you a list of mail accounts is
 beneficial to them
 
 Wolfgang Hamann
 

I see your point yet...

What specific kind of customers?

If it is part of your policy and procedure from start to finish it shouldn't
be a big deal...

Meaning, if they are renting your hosting or relay servers...

If they have their own transport and transit from you and their own
hardware, then they should be doing their own thing right?

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net




RE: ALL_TRUSTED creating a problem

2006-10-17 Thread R Lists06

 
 This is the whole point. If the message hasn't been Received: by a local
 server, it is by definition not in your network.
 
 By feeding messages to SA without a local Received: header, you are
 explicitly telling SA that the message is still in some other network,
 not yours. So what's SA supposed to do?
 
 Is SA supposed to know that the message magically appeared in your mail
 systems despite never being recorded as Received by them?
 
 What should SA do if a message is being direct-delivered and has no
 existing Received: headers in it? Where should it decide the message came
 from?
 
  Look, here's a message that got here from nowhere. It wasn't even sent
 by the localhost, it just spontaneously appeared in the mail system.
 Nobody sent it, nobody Received it, it just appeared here.
 
 This whole scenario is ridiculous.. OF COURSE spamassassin will break
 when you feed it this.
 
  It can't possibly even TRY to make sense of it because required records
 are missing. How could SA behave properly in this case? What should it do?
 
 Should SA inherently assume that some magic exists where messages can
 magically poof from one mail queue to the next without ever being
 transmitted over a mail transport protocol?
 
 Should it assume hackers have taken over your server and are directly
 inserting messages into your system without going through your MTA (ie:
 writing queue files directly?)
 
 Or should it just misbehave so hopefully the admin realizes he needs to
 FIX a BROKEN SERVER.
 
 

I'm a little confused in this thread now... please clarify this...

Does this mean my SA config is not correct if I do not have the ip address
of the SA box which is also the main SMTP box in the local.cf in that
trusted host config line?

How should it specifically look again please?

...and is it supposed to have the loopback address in it too?

Please clarify, as some time ago I saw some posts from Pedersen and O'Shea
talking back and forth about it a little...

Thanks in advance...

 - rh

--
Robert - Abba Communications
   Computer  Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: Any suggestions for 'postmaster' spams?

2006-10-17 Thread R Lists06
 Plussed addressing helps here. I hate web forms that refuse to let me put a
 plus sign in my email address. (Typically a result of over-zealous input
 filtering.)
 
 I probably subscribe to 100 lists. Re-subscribing them all every time a
 subscribed address was spammed would be murder.

Well, ya got me beat by a few lists...

Plussed addressing? Explain please... too lazy to google it.. ;-

I certainly do not mean that one should do it immediately with the first
spam... yet if things get out of hand.. then by all means...

Scripting does an awesome job of dealing with this situation though...

And btw, I'm sure many of you have seen a new customer go from first coupla
emails in and out and a week later they are getting 500 to 1000 spams a day
haven't you?

You know what I mean?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
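Editor's added example, not from the original posts: what "plussed addressing" buys you over the re-subscribe-everything approach. Each list gets user+tag@domain; when a tag starts drawing spam you retire that one tag at SMTP time and the tag itself tells you which list leaked. Mailboxes, tags and the "burned" set below are constructed.

```python
"""Plus-tagged recipient handling at delivery time (added illustration).

Addresses, the mailbox table and the burned-tag set are constructed; the
splitting rule (local part up to the first '+' is the user, the rest is the
tag) is the common convention, not something every MTA does by default.
"""


def split_plussed(address):
    """Split user+tag@domain into (user, tag, domain); tag is None if absent.
    The domain is lower-cased (case-insensitive); the local part is left as
    written, since formally it is not."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an address: %r" % address)
    user, _, tag = local.partition("+")
    return user, (tag or None), domain.lower()


def route(rcpt, mailboxes, burned_tags):
    """Decide one recipient at RCPT TO time.
    mailboxes: set of (user, domain) that really exist (lower-cased).
    burned_tags: tags that were handed to one list/site and now draw spam.
    Returns ("reject", smtp_reply) or ("deliver", folder)."""
    user, tag, domain = split_plussed(rcpt)
    if (user.lower(), domain) not in mailboxes:
        return ("reject", "550 5.1.1 User unknown")
    if tag is not None and tag.lower() in burned_tags:
        # Retire just this tag; the base address and every other list keep working.
        return ("reject", "550 5.7.1 Address %s has been retired" % rcpt)
    return ("deliver", "INBOX" if tag is None else "lists/%s" % tag.lower())


if __name__ == "__main__":
    mailboxes = {("rh", "example.net")}
    burned = {"oldlist"}
    for addr in ("rh@example.net", "rh+sa-users@example.net",
                 "rh+oldlist@example.net", "nobody@example.net"):
        print(addr, "->", route(addr, mailboxes, burned))
```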



RE: Any suggestions for 'postmaster' spams?

2006-10-16 Thread R Lists06
 
 It appears that my email address is now being used as a from address in
 many spam emails to many addresses. Over the past week, I have gotten 150+
 postmaster: mail delivery failure -each day-.
 
 Does anyone have suggestions on how to handle this? They're all
 semi-standard 'delivery failure' or 'content blocked' notices, so I
 created filtering rules based on the subjectline to put them all into a
 folder. I don't think they should be marked as spam though because they're
 not.
 
 Thanks,
 Brian
 

First suggestion, don't post to list with the email address you use for biz
or personal use.

Make another and use it for all lists. When you get spammed on it, change it
slightly, unsub the other and sub the new to all the lists you are on.

Also, if your MTA will accept an email to an email address that doesn't
exist, fix it so it doesn't.

Pry more yet escapes me now

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net







RE: Any suggestions for 'postmaster' spams?

2006-10-16 Thread R Lists06
 
 Uh.  Yeah.  Is it just me, or are all the dumb answers coming up today?
 
 Or, perhaps, run spamassassin and don't worry about changing your e-mail
 constantly?  Duh?
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

It's you Jo.

Yet we apologize Jo, we are all having a really difficult time trying to
live up to your standards but we are trying real hard though Jo...

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: I'm getting killed with spammers

2006-10-16 Thread R Lists06

 
 I need some help here..
 
 Last Mon, Tues & Wed I had severe inflow of spam, always at 12.30p EST, Wed
 it didn't stop till almost 5p. The server seems to not be very cooperative
 when the queue grows over 200 or so.
 
 I have max child set to 15 (up from 5) and not sure what else I can offer in
 the way of what you need to know to help me, but if you tell me where to
 look I can spout what you need.
 
 The install is out of the box with few if any mods except exim does have the
 dictionary attack, I run BFD and APF
 
 I do not believe I have been hacked into.. I DO read the logwatch daily and
 do poke around looking for dropped files on a semi regular basis..
 
 this high amount of spam, (BTW scoring at 20-well over 1000) is killing the
 loads and I have screaming clients..
 
 Just this afternoon (again around 12.30) it loaded up again with 312 mails..
 the web based control panel was reacting so slow I would get 3 new ones for
 every one I managed to delete or deliver (I could not just delete the queue
 because some were actually valid mails in there) Server loads rose to well
 over 30, I shut exim - but cpanel was so kind to automagically restart it
 every time.. tried a reboot from ssh but that just hung.. the tech peeps did
 it from their end and it worked and brought the loads down so I could delete
 faster than they came in and now we're back to normal loads and queue
 
 I did upgrade to SA 3.1.7 last week - Wed night after a long day of battling
 the loads.. and that seemed to go well
 
 suggestions? Offers of help???
 
 thanks

Debbie,

Is the mail legitimate email?

Meaning does the email come from wherever to *valid email addresses* on the
server or do you have a system that will catch everything at the smtp level
and then sort it out later?

If your server catches everything, the smtp gate should probably be
fortified with greylisting and invalid email address rejection first.

There is not enough other info for me to recommend further... 

Thanks and kind regards,

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: Any suggestions for 'postmaster' spams?

2006-10-16 Thread R Lists06
 
 Okay, I'll answer.
 
 I am convinced that spam (in all its forms) will continue to be a
 problem until spammers start dying for what they are doing. That will
 change the risk/benefit analysis rather strongly towards the negative.
 
 --
  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/

Either that or the powers that be will try to regulate it so that you have
to pay to license an email server and they will control *everything* about
connectivity with giant firewalls kinda like some countries already try or
do. 

Whatever brings in the most money and power...

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: How to filter these spam messages

2006-10-16 Thread R Lists06
 I reviewed greylisting as a solution in the past, we couldn't accept it due to
 delay and I also read not all email servers will resend properly. So there is a
 chance few legitimate emails will never get redelivered. When you are running
 a business shop, such delays or exceptions are not permitted.
 
 I believe it should be very easy to write a rule set for these work from home,
 stock, mortgage, etc... short spam emails, I just don't have the expertise to
 do it right.
 
 -Simon

I understand everyone has to make decisions and deal with it, yet...

A minute or two delay from greylisting matters that much?

Do you really want email from a server that doesn't work right or isn't
administered as best it can be?

That is kinda why greylisting exists: to eliminate bursty worthless email.

And most people doing business want to use the phone or meet in person to
close sales properly.

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: Re[2]: Any comments of the SpamHaus lawsuit?

2006-10-15 Thread R Lists06
 
 Blame the plaintiffs, blame what some might consider to be
 less-than-stellar legal advice given Spamhaus, but don't blame the
 court for following the law.
 
 --
 Best regards,
  Robert Braver

Why blame the plaintiffs?

Fortunately or unfortunately as the case may be, law is subject to
interpretation based upon precedent, or lack thereof.

As is authority and jurisdiction.

Plus, people are fallible, make mistakes. Judges too.

Then what?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: How to filter these spam messages

2006-10-15 Thread R Lists06
 
 Someone want to explain Greylisting?

Here is an example that references a coupla websites

http://qmail.jms1.net/scripts/jgreylist.shtml

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
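Editor's added example, not code from the list, from jgreylist or from any MTA: the two SMTP-gate checks recommended in the replies above (to Debbie: "greylisting and invalid email address rejection first"; to Simon: why a one-retry delay is the point) as a single RCPT TO decision. The mailbox list, client IPs, sender addresses and timers are constructed; a real deployment keeps the triplet table on disk and tunes the timers to its own traffic.

```python
"""Recipient validation plus greylisting at RCPT TO time (added illustration).

Not the code of qmail, exim, jgreylist or any other real greylister. The
mailboxes, addresses and timings below are constructed for the example.
"""
import time

RETRY_MIN_S = 60                 # a retry sooner than this is still greylisted
PENDING_TTL_S = 4 * 3600         # a triplet that never retried is forgotten after this
PASSED_TTL_S = 36 * 24 * 3600    # a triplet that did retry stays allowed this long
GREY_REPLY = "451 4.7.1 Greylisted, please try again later"


class SmtpGate:
    """Per-connection decision: unknown user -> 550, first sight -> 451,
    proper retry -> 250."""

    def __init__(self, valid_mailboxes, now=time.time):
        self._valid = {m.lower() for m in valid_mailboxes}
        self._now = now              # injectable clock so a demo can fast-forward
        self._triplets = {}          # (ip, sender, rcpt) -> [first_seen, passed_at or None]

    def rcpt_to(self, client_ip, sender, recipient):
        recipient = recipient.lower()
        # 1. Unknown user: refuse now. Accepting everything and sorting it out
        #    later is what fills the queue and bounces backscatter at whoever
        #    the spammer forged as the sender.
        if recipient not in self._valid:
            return "550 5.1.1 <%s>: User unknown" % recipient
        # 2. Greylist on the (client IP, envelope sender, recipient) triplet.
        key = (client_ip, sender.lower(), recipient)
        now = self._now()
        entry = self._triplets.get(key)
        if entry is None:
            self._triplets[key] = [now, None]
            return GREY_REPLY
        first_seen, passed_at = entry
        if passed_at is not None:
            if now - passed_at <= PASSED_TTL_S:
                return "250 2.1.5 OK"
            self._triplets[key] = [now, None]       # allowance expired, start over
            return GREY_REPLY
        if now - first_seen > PENDING_TTL_S:
            self._triplets[key] = [now, None]       # stale attempt, start over
            return GREY_REPLY
        if now - first_seen < RETRY_MIN_S:
            return GREY_REPLY                       # retried too fast: bots blast, MTAs wait
        entry[1] = now                              # a real queue came back: let it through
        return "250 2.1.5 OK"


if __name__ == "__main__":
    clock = [1000.0]
    gate = SmtpGate(["bob@example.net"], now=lambda: clock[0])
    print(gate.rcpt_to("203.0.113.5", "alice@example.org", "nobody@example.net"))
    print(gate.rcpt_to("203.0.113.5", "alice@example.org", "bob@example.net"))
    clock[0] += 300   # the sending MTA's queue comes back a few minutes later
    print(gate.rcpt_to("203.0.113.5", "alice@example.org", "bob@example.net"))
```

The cost Simon raises is real: the delay is whatever the sending MTA's retry interval is, and a sender that never retries never gets through. Deployments that care about that usually pair the triplet table with a whitelist of known-good sending hosts so those skip step 2.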





RE: Should I upgrade to 3.1.6?

2006-10-14 Thread R Lists06
 
  Just looked over the bug fix list for 3.1.6 and it doesn't seem like
 anything *major* that would suggest that I should make the leap. I'm right
 now running 3.1.5 on my box. Are there other improvements, such as rules and
 the like, that would make this a preferable upgrade? Or should I just hold
 tight for 3.2.0 or one of the next maintenance updates?
 Steven Lake

3.1.7 is out

As I recall, 3.1.6 had some oops issues

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: Bayesing Filtering needs to be rewritten

2006-10-12 Thread R Lists06

 tflags FUZZY_OCR noautolearn
 

Is this something we can do now that works?

Do we put this in any .cf file or a particular one?

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: use of ram after upgrade

2006-10-11 Thread R Lists06


 From: Balzi Andrea
 snippers
 I've try it, but now I've the follow use:
 
 Tasks:  83 total,   2 running,  81 sleeping,   0 stopped,   0 zombie
  Cpu0 :   0.0% user,   1.3% system,   1.7% nice,  97.0% idle
  Cpu1 :   0.0% user,   1.3% system,   0.0% nice,  98.7% idle
  Cpu2 :   0.0% user,   0.0% system,   1.3% nice,  98.7% idle
  Cpu3 :   0.0% user,   0.0% system,  98.7% nice,   1.3% idle
 Mem:   6206432k total,   909444k used,  5296988k free,   117224k buffers
 Swap:      284k total,     7856k used,  1992228k free,    70724k cached
 
   PID  PPID  PR  NI S #C   RES   SHR  SWAP    TIME COMMAND
 15404 15386  15  10 S  1  354m   33m     0    5:29 spamd child
 15405 15386  19  10 R  2  176m   34m     0    4:33 spamd child
 15626 15386  14  10 S  0   88m   36m     0    0:22 spamd child
 15645 15386  15  10 S  3   85m   36m     0    0:07 spamd child
 15386     1  15  10 S  2   73m   36m     0    0:03 /usr/sbin/spamd
 

My engineers and I have determined that since this is a 4 way processor box
(hopefully with a lot of RAM and processor speed),  that you should box it
up and send it to us for extended testing...

...probably only a year or two and we will fix it and get it right back to
you...

if you cannot send this one, another 4 proc or 8 proc box will do.

;-

Thanks and kind regards!

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net





RE: Bayesing Filtering needs to be rewritten

2006-10-11 Thread R Lists06

 One of the problems now with bayes is that image spam is causing bayes
 to be useless. We need a new plan to avoid bayes poisoning. Poisoning is
 caused when messages are learned where the text of the message is a
 nonspam type text and the spam is in the image.
 
 Bayes needs to be smarter about what text it learns and know when to not
 learn the text. We need logic that says the the text is a trick, only
 learn the headers.
 
 In general a lot of text isn't that strong of an indicator of spam or
 nonspam. Things like URLs and email addresses and phone numbers are good
 indicators as well as the HTML tags. And the headers are of course the
 best part. I question if using the whole message is best. I think we
 should parse the message for what I'll call fingerprint tokens which
 are tokens that can be used to ID similar messages.
 
 Thoughts on avoiding bayes poisoning and looking for fingerprint tokens?

The only thought that comes to mind would be code that says, IF email has an
attachment of such and such a type, then do not autolearn and/or send it to
other conditionals

???

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
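Editor's added example, not SpamAssassin code: the conditional sketched in the reply above ("IF email has an attachment of such and such a type, then do not autolearn") written out over constructed messages, for this thread and the FUZZY_OCR question further up. SpamAssassin's own knob for the same idea is per rule (tflags RULE noautolearn, as quoted there); this stand-alone gate instead looks at the MIME structure directly and refuses to feed Bayes an image-bearing message whose text is too thin to be the real payload. The messages, the fake GIF bytes and the 200-character threshold are constructed assumptions.

```python
"""Autolearn gate for image spam (added illustration, not SpamAssassin code).

Rule: if the message carries image part(s) and the text parts are short, the
text is probably the decoy and the pitch is in the picture, so do not let
Bayes learn the text as ham or spam. The sample messages are constructed.
"""
from email.message import EmailMessage

MIN_TEXT_CHARS = 200   # assumed threshold: less text than this next to an image is suspect


def should_autolearn(msg):
    """Return (ok, reason) for one parsed message.
    Multipart containers are skipped; only leaf parts are inspected."""
    image_parts = 0
    text_chars = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "image":
            image_parts += 1
        elif part.get_content_type() == "text/plain":
            text_chars += len(part.get_content().strip())
    if image_parts and text_chars < MIN_TEXT_CHARS:
        return False, "%d image part(s) with only %d chars of text: skip autolearn" % (
            image_parts, text_chars)
    return True, "%d image part(s), %d chars of text: autolearn allowed" % (
        image_parts, text_chars)


# Constructed samples. FAKE_GIF is just bytes with a GIF signature, not a picture.
FAKE_GIF = b"GIF89a" + b"\x00" * 32


def build_message(text, image_bytes=None):
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rh@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    if image_bytes is not None:
        msg.add_attachment(image_bytes, maintype="image", subtype="gif",
                           filename="pitch.gif")
    return msg


def image_spam():
    # Typical image spam: a throwaway line of text, the pitch is in the picture.
    return build_message("See attached.", FAKE_GIF)


def text_ham():
    return build_message("Hi Robert,\n\n" +
                         "Here are the meeting notes from this morning. " * 8)


def ham_with_image():
    # A legitimate mail with a picture and enough real text to be worth learning.
    return build_message("Attached is the diagram we discussed. " * 8, FAKE_GIF)


if __name__ == "__main__":
    for name, build in (("image spam", image_spam), ("text ham", text_ham),
                        ("ham with image", ham_with_image)):
        print(name, "->", should_autolearn(build()))
```

The gate only withholds the message from training; scoring is untouched, which is the same split SpamAssassin makes when a rule is flagged noautolearn.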