RE: Using Botnet.cf to delete all spam incoming
> Any recipe recommendations?
>
> -- Doc

Score the rule high and reject the email before it is accepted.

We do it in some of our installations using a patched older version of qmail-scanner-queue.pl

If you need more website references, hit me off list...

- rh
--
Abba Communications
Internet
Spokane, WA
www.abbacomm.net
RE: USing Botnet.cf to delete all spam incoming
You use sendmail.

http://www.google.com/search?hl=en&q=reject+spam+during+sendmail+smtp+session+for+spamassassin+scoring

http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam

http://wiki.apache.org/spamassassin/IntegratedInMta

We use qmail, specific qmail patches, ClamAV, SpamAssassin, and things like qmail-scanner-queue.pl among other things:

http://qmail.jms1.net

http://qmail-scanner.sourceforge.net/

We use 1.25 ST even though 2.01 ST is out. It allows you to pass the email to SA for scoring and eval before full acceptance to the queue.

http://www.qmailrocks.org

and many other sites.

- rh
--
Abba Communications
Internet
Spokane, WA
www.abbacomm.net
mistakes with sending email address to list
Greetings,

I would appreciate it if the list admins would make it so that mistakes (emails with the wrong sending email address) would bounce instead of being allowed to make it to the list, please?

Comments?

-rh
--
Abba Communications
Internet
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net
RE: Spam bounceback attack
Jason wrote:

> Thanks Jim and John, that helps a lot. I'm glad that qmail is like this by default because otherwise my setup would be to blame. :)
>
> I'm using qmail to handle incoming and outgoing mail for my domain but using a very old LAN based mail server to actually deliver mail to our users, so the qmail machine doesn't have any idea who's a valid user and who isn't; all non-junk goes into a single mailbox which our LAN server then retrieves via POP. Outbound works similarly where our LAN server relays through the qmail machine (no, it's not an open relay).
>
> I'm looking at this patch at the moment:
>
> http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
>
> ...but will also look at the ones Jim suggested.
>
> Thanks again.
>
> -Jason

We highly recommend John Simpson's http://qmail.jms1.net and the validrcptto patch as well.

There is actually a group of patches that John Simpson rolled into one. Many goodies there that can be utilized...

He started that as an addon in regards to and with http://www.qmailrocks.org and there is still good info there although the site hasn't been as well kept as it could have been the last 6 to 12 months.

There are many other items and links to check out on http://qmail.jms1.net as well...

If you know and understand everything on that site and a coupla others related to it, you will do extremely well with your mail server overall.

Of course, the tie in is that at some point I had to better learn about SpamAssassin and joined here for that.

Kind regards,

- rh
--
Abba Communications
Internet
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net
whitelist_from_rcvd inquiry
Greeting,

Can lines be combined in a situation like this...

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com
whitelist_from_rcvd [EMAIL PROTECTED] hisotherdomain.com

Does this work or should this be done? Can they be combined into one statement or should they be separate?

Any other tips etc?

Thanks in advance!

- rh
--
Abba Communications
Internet Computer Services
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net
RE: whitelist_from_rcvd inquiry
Matt Kettler wrote:

> Separate.
>
> *snip*
>
> In general, for options that you can do many of on one line, you only put the option name itself once, you don't repeat it.

Thanks

What I was getting at is what if there are multiple sending hosts... Obviously the thing that changed was the last parameter.

Still separate???

How do we deal with multiple possible sending domains? I take it that it still cannot be dealt with on one line? :-)

The original email should have looked like this, as when I got it back it was all one line. Oops.

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com
whitelist_from_rcvd [EMAIL PROTECTED] hisotherdomain.com

Does it make more sense now?

- rh
--
Abba Communications - Internet
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net
RE: Sender Address Verification is NOT abuse and very effective
> +1
>
> If Marc is bouncing spams, even when domains who refuse to play the SAV game are involved, he's being even more abusive than I had thought.
>
> Daryl

I'm confused. Rick said he was rejecting in the SMTP session above a certain score too...

Bounce, reject... etc...

Are you talking about the code in the rejection? What did I miss?

Please clarify, as you can still do an SMTP rejection after SA scoring.

- rh
--
Robert - Abba Communications
http://www.abbacomm.net/
RE: reset spam bayes
Dean Manners said:

> sa-learn --clear
>
> Make sure you have a ham/spam pile ready to re-train your db's after clearing.

Hmm, so if someone does this:

sa-learn --clear

Q: when that command is completed, should one restart SA or are we good to go immediately after for training etc?

- rh
--
Robert - Abba Communications
http://www.abbacomm.net/
RE: Is Bayes Dead? Have the spammers won?
> Are you sure of this? Have you also trained these ham messages to counter this effect?
>
> Not too long ago we were in the same situation. I have autolearn enabled but I have adjusted the thresholds to avoid
>
> This is quite possible. I have heard other stories of people using things like greylisting and RBLs to reject at SMTP time, so that the only things that eventually made it to SA were so limited that it would produce odd results for bayes.
>
> From my experience, the more you throw at bayes, the better it gets. The more selective you are, the less it has to work with.
>
> Jim

So are you saying for these purposes that you do not use RBLs or greylisting or other similar tools that cut down on the obvious cycle consuming garbage?

- rh
--
Robert - Abba Communications
http://www.abbacomm.net/
RE: Spamhaus Tests
> I've just spotted a major flaw then that's going to hit me when this changes.
>
> Not being an ISP, I have no idea what my users' IP addresses are at any given time. They authenticate when using SMTP so that I will accept and forward the mail but may well be using an ISP dial-up or DSL account which is in the PBL (or even the XBL).
>
> How can I let SpamAssassin know that this is a mail from a trusted source?
>
> By the way, should I wish to change a value for a score such as this, should I be copying the score line from 50_scores.cf to local.cf and changing the values there?
>
> Oh, and thank you for your most helpful response.
>
> Regards,
>
> Cliff.

Set up SMTP and AUTH on port 465 (SSL) or port 587 and have the clients come in on those ports without external RBL checking.

SMTP port 25 really should be for just in and out from other servers, so to speak.

If you are talking about RBL checking in SA, I dunno.

I shut RBL checking off in SA, as until I learn how to tell which ones it is checking/using and how to specifically turn them on or off etc., I think using blanket RBL checking in SA is not particularly bright.

Maybe we need more buttons, dials, and knobs for that? :-)

- rh
--
Robert - Abba Communications
http://www.abbacomm.net/
RE: Bayes and Upgrade
F: Theo Van Dinter

> No. Especially not for a maintenance release upgrade (major.minor.maintenance).

Hm

Will we need to retrain for the upcoming 3.2.0? I'm not sure if that is considered major or not.

--
Robert - Abba Communications
http://www.abbacomm.net/
RE: NOTICE: SpamAssassin 3.2.0-pre2 PRERELEASE available
> 127/8 is now always trusted. Remove that trusted_networks 127/8 line and all should be well.
>
> Phil

Are you saying we should remove the entry 127.0.0.1 from the trusted_networks?

What about if in the internal_networks entry?

Is this for 3.2.0 only or is it in 3.1.8 too?

Isn't this somewhat confusing? There are cases where it isn't necessary to run SMTP or even the same MTA/smtp service on 127.0.0.1 etc...

- rh
--
Robert - Abba Communications
http://www.abbacomm.net/
RE: Spamassassin 3.1.8
> I have upgraded spamassassin from 3.1.7 to 3.1.8 and have an easy question.
>
> When I look at the headers it still shows that SpamAssassin 3.1.7 is installed / running. Why is that?
>
> I did the following -- downloaded Mail-SpamAssassin-3.1.8.tar.gz and installed by perl Makefile.PL / make / make install, stopped the current spamd and restarted, and it shows that 3.1.7 in the header.
>
> TIA

Greetings back at ya...

What operating system?

It isn't accidentally installed twice in two separate places, is it?

Are you using qmail-scanner-queue? If so, you have to run it (the QMS perl script) a certain way to have it reinit the new config.

- rh
--
Robert - Abba Communications
http://www.abbacomm.net/
SA integration with qmail-scanner-queue.pl question(s)
Greetings

I have stable long term SA setups integrated with qmail-scanner-queue.pl

The way I have it set up, I have qmail-scanner-queue.pl take the incoming mail and hand it to SA 3.1.8 for scoring. If the score is equal to or above a certain number it does an SMTP rejection.

In this setup we have bayes on and bayes auto learn on too.

I am wondering if bayes is learning these high scoring emails that get scored and then rejected.

Logically, bayes is learning them.

How can I most easily and assuredly test this please??

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: lowering your spam threshold howto
> Hm. Your experience differs from mine. I tried using bayes, spent hundreds of hours training bayes with lots of good mail from archives, and lots of bad mail, and never got better than .5% (point-five or .005) difference in spam detection. So we stopped using it.
>
> In comparison, we've jacked the AWL score range and this works great for us.
>
> -- Jo Rhett

I shouldn't have been so flippant about AWL. What I was trying to do was say that AWL without a good plan of mgmt can work against you, much like anything I s'pose.

I didn't even know how AWL worked or that it was working when I did my first SA install. Ooopps. :-)

Can you please specifically describe what you mean by jacked?

Or better yet, is there a specific howto, so to speak, for this approach of yours please?? :-)

Thank you Jo.

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: Google Summer of Code 2007 ...
May I ask... Why is this thread named as such?

Does Google help fund SA efforts in one or multiple ways?

If so, may I ask how, or directions to already posted docs on it?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: Google Summer of Code 2007 ...
> Yes, if you Google for Google Summer of Code+spamassassin you'll get a bunch of relevant hits. ;)
>
> For example, check out: http://wiki.apache.org/spamassassin/SummerOfCode2006

Thank you

I was hoping for meaningful and relevant info from someone of authority and in the know from the SA group.

I know how to search and I know how to discern and even guess.

Yet, as of late, my experiences with Google and searching are poor. Sure I can find stuff... yet finding anything helpful or relevant in the sea of garbage that gets spewed back is another story.

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: tie failed
> 1) are you using bayes_path ?
>
> 2) have you set bayes_file_mode 0777 in your local.cf?
>
> If you use bayes_path in a multi-user environment, you *MUST* set bayes_file_mode 0777 in local.cf. Also, make sure that /var/.spamassassin has world rwx privileges.

Doesn't this create a potential or real giant type security risk?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
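The question above is a fair one: bayes_file_mode 0777 lets any local account rewrite the bayes databases, which is a poisoning and tampering risk. The following is an added example, not code from this thread or from the SpamAssassin project: a small POSIX sh audit that walks a SpamAssassin state directory (path supplied by the caller) and reports every world-writable file, so an administrator can see what that setting actually exposed. The demo layout it builds under mktemp is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread): audit a SpamAssassin state
# directory for world-writable files such as those created under
# bayes_file_mode 0777. Prints each offending path and returns 1 if any
# were found, 0 if none, 2 if the argument is not a directory.
audit_world_writable() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -0002 matches entries whose "other write" bit is set (POSIX find);
    # symlinks are skipped because their mode bits are meaningless.
    found=$(find "$dir" -perm -0002 ! -type l 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed demo: one file left at 0600, one opened up to 0777 the way
# bayes_file_mode 0777 would. Returns the audit's exit status.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.spamassassin"
    chmod 0700 "$tmp/.spamassassin"
    : > "$tmp/.spamassassin/bayes_seen"
    : > "$tmp/.spamassassin/bayes_toks"
    chmod 0600 "$tmp/.spamassassin/bayes_seen"
    chmod 0777 "$tmp/.spamassassin/bayes_toks"
    audit_world_writable "$tmp/.spamassassin"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run it as `audit_world_writable /home/spamd/.spamassassin` (or whatever bayes_path points at); a non-zero exit from a cron job is an easy signal that the permissions have drifted. The less risky way to share a bayes database between several accounts is a dedicated group owning the directory with a group-writable mode rather than world-writable.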
RE: complete false hits for BASE64 and LW_STOCK_SPAM4
> However, all blackberry messages also hit base64 text and excess base64 which puts them right on the edge. Anything that hits any other rule will cause a problem.
>
> And frankly I disagree with the logic that rules that hit wrongly shouldn't be fixed unless it raises the score above 5.0. I simply couldn't function with *ANY* of my mailboxes at 5.0 -- I'd be deleting 1-2 pieces of spam per minute. I run my public mailboxes at 3.8 and I'm trying to determine if 3.2 is reasonable.
>
> -- Jo Rhett

Jo

Can you share your specific thought and implementation processes on this re: possibly going from 3.8 to 3.2 and how and why etc please?

We for one are interested, as we are trying to move in that direction too.

Thanks and kind regards!

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: lowering your spam threshold howto
> It's very simple. Tag messages above your soft limit and put them in a different folder. Check the folder periodically for false positives. Try to identify why they are FP.
>
> Look carefully at all of your normal mail, and confirm where it normally scores. Lower your score limit to the lowest limit possible without creating FPs.
>
> Keep watching. When your FPs are down to less than 1 a week, you are probably safe leaving it that way.
>
> -- Jo Rhett
> Network/Software Engineer
> Net Consonance

Ok, great

Do you use bayes_auto_learn? I am sure you know I don't mean AWL baloney. ;-)

If so, what do you use for these settings then in the local.cf?

bayes_auto_learn_threshold_nonspam -0.1
bayes_auto_learn_threshold_spam x.x

Or do you hand train it all and no auto anything?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
latest changes and external rulesets
I looked briefly at the changelog info.

I was wondering, are there any external rulesets that we should not use or should change out of for the 3.1.7 to 3.1.8 upgrade, because some of the external rules were pulled into SA?

Thanks and kind regards

- rh
--
Robert
one or two different processes for sa-learn
In the circumstance of using sa-learn

Is it ok to have

sa-learn --spam --showdots *
sa-learn --ham --showdots *

running as two different processes on two different datasets at the same time with SA 3.1.7?

Or is it better to do serially?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: one or two different processes for sa-learn
> If you're using a DBM file (as opposed to SQL), you can only have 1 process writing the DB at any given point. So you can run both commands, but one of them will be sitting there waiting for the write lock until the other one is done.
>
> I'd probably just specify both ham and spam sets to sa-learn at the same time anyway, no sense in having an extra process. :)

I see

How does one do that? :-)

--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: one or two different processes for sa-learn
> There's a couple of ways, but a simple one is:
>
> sa-learn --ham ... --spam ...
>
> where ... are the files you want to learn.

I see

I take it you have done this... And one can use wildcards doing this without problem?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
stupid users tricks in the wrong place with sa-learn
If a person was logged in as user spamd and was in the /home/spamd directory and accidentally did this command

sa-learn --spam --showdots *

would sa-learn actually do anything and fry the spamassassin database?

I know it will try, yet will it succeed at anything in this accident? Or?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: stupid users tricks in the wrong place with sa-learn
> I don't know about fry the DB, but sa-learn will happily attempt to learn from whatever files/directories matched '*'. Likely, it'll see them all as messages w/ no headers, so a lot of body tokens.
>
> The question of course is, does this matter, which is hard to say. If the tokens are one-off type tokens that you don't get in mail, then they won't be used for anything and at some point in the future will get expired out. If the tokens are common in ham, then that won't be good.
>
> Restore from backup? :)
>
> --
> Randomly Selected Tagline:
> Just remember: Today is the first day after yesterday.

I see

It isn't that big a biggie as I am learning about training and so this machine doesn't matter so much at this moment.

Well, what made me wonder was that I actually made that mistake and it never did show any dots. Notice that please. NO dots ever showed up.

I did try ctrl-c yet it didn't want to exit so I had to login as root and kill it.

I will build tools to deal with it in the near future. I am just looking for wisdom to learn from now so I can build the tools the best AND to know how to look at a bayes database and understand possible corruptions etc.

Any help or pointers will be appreciated.

Thanks in advance!

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: sa-learn --sync importance ???
> I didn't quite parse that. But man sa-learn, it has many an informational statement about how it all works.
>
> In short, by default, it stores token timestamp updates. Whenever the journal goes over a certain size, SA will automatically sync it for you.

Thank you Theo and Matt for the info.

Do you know what the size or time threshold is?

I'm sure time is a factor in there too, right, as maybe the size wouldn't make it there in a reasonable timeframe?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: spamassassin with qmail
From: night duke

> Hi i'm trying to use spamassassin with qmail but i was unable to use them together. Anyone can help me?. Thanks.

Until you get to know it well this can and will help

http://www.qmailrocks.org

http://qmail.jms1.net

Pay special attention to the combined patch and implementing validrcptto and turning on catchall bounced the

Pay special attention to integration with qmail-scanner ver 1.25st or the latest 2.0x-st and the qmail-scanner.pl file and settings.

This is not a two second solution. Always do it on a test box first IMPO if you can.

Some qmail solutions are super scripted and although I know you can do that I am leery of them until you can break it and fix it in less than a minute etc etc.

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
sa-learn and qmail Maildir
I guess the bottom line is what are qmail folks doing for training?

I had never thought about it before yet I haven't had the need to sa-learn anything until recently.

When processing using sa-learn in a qmail Maildir should one use an option below?

--mbox  Input sources are in mbox format
--mbx   Input sources are in mbx format

Or should you just go to the Maildir directory and appropriate subdirectory and

sa-learn --showdots --ham *
sa-learn --showdots --spam *

Somehow my brain isn't registering Maildir vs other formats right now and I'm trying to think in terms of how IMAP allows me to move mail data around... if that makes sense :-)

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: sa-learn and qmail Maildir
From: Theo

> (note: I don't use qmail)
>
> maildir is typically one file per message in a directory. In that situation, just pointing at the directory would be appropriate, sa-learn will use all messages in the directory.

Yup. That's why I figure that going to the appropriate directory(ies) and doing the below is correct

sa-learn --showdots --ham *
sa-learn --showdots --spam *

thanks!

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
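Two threads above meet here: training from a Maildir by pointing sa-learn at the directory, and the accident of running `sa-learn --spam *` from /home/spamd and feeding random files to bayes. The following POSIX sh wrapper is an added example, not code from this thread or from SpamAssassin: it refuses to train unless the target really has the Maildir layout (cur/, new/, tmp/), and then hands only cur/ and new/ to sa-learn, skipping tmp/ where messages are still being written. The `SA_LEARN` variable and the function names are assumptions for this example; the Maildir directory names are the standard ones.

```shell
#!/bin/sh
# Added example (not from the thread): a guard around sa-learn so that running
# it in the wrong directory refuses instead of learning arbitrary files.
# SA_LEARN names the binary; a test or dry run can point it at something else.
SA_LEARN=${SA_LEARN:-sa-learn}

# is_maildir DIR: succeed only if DIR has the Maildir layout.
is_maildir() {
    [ -d "$1/cur" ] && [ -d "$1/new" ] && [ -d "$1/tmp" ]
}

# maildir_learn ham|spam DIR: train bayes from a real Maildir only.
# Returns 2 on bad usage, 1 when DIR is not a Maildir, else sa-learn's status.
maildir_learn() {
    kind="$1"
    dir="$2"
    case "$kind" in
        ham|spam) ;;
        *) echo "usage: maildir_learn ham|spam DIR" >&2; return 2 ;;
    esac
    if ! is_maildir "$dir"; then
        echo "refusing: $dir is not a Maildir (needs cur/ new/ tmp/)" >&2
        return 1
    fi
    # tmp/ is deliberately left out: it holds messages still being delivered.
    "$SA_LEARN" "--$kind" --showdots "$dir/cur" "$dir/new"
}
```

Typed at the shell this becomes `maildir_learn spam /home/user/Maildir/.Junk` instead of `cd` plus a bare `*`; the guard turns the "wrong directory" mistake into a refusal and a message rather than a silent run with no dots.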
train forwarded messages on local SA server
Is it ok to sa-learn train forwarded messages that end up in my local account mailboxes from accounts on remote servers (out of my admin control) that are spam?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: market buy with image
By fred rules, do you mean by Fred Tarasevicius?

Which specific fred rules are the best by experience?

Thanks!

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: market buy with image
> I'd use 00_FVGT_File001.cf which is a new file from Fred. This combines a lot of his older 88_FVGT* cf files into one.
>
> --
> -Doc

Thanks, is anyone out there running some or a lot of the FRED rules with a lot of success, or should we only run certain ones in general?

Bottom line is, I don't know how aggressive or not the rulesets are etc.

Please advise and thanks!

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: Re[2]: market buy with image
> My rules are very aggressive, but they can and possibly will cause FP's!!
>
> As soon as 3.2 is released, those rules of mine that survive the rescoring and mass-check runs will be included in the stock rules!
>
> Frederic Tarasevicius

Good lookin' out Frederic

Will you please keep us posted as that happens, so that those of us that are old enough and have the sometimers disease will remember to deal with the resultant issues?

Sometimes I remember, sometimes I don't :-)

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
spamdoptions ???
Apologies for not finding it in my searching yet... I think it is my sometimers kickin' in... ;-)

I am looking for info on the granularity knob control for the number of extra spamd daemons on startup.

...AND if one has enough processors and RAM memory, how to know how many extra to have available to speed up scanning and such under load.

On Redhat or CentOS machines would that be under SPAMDOPTIONS?

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
sa-learn --sync importance ???
Can anyone comment on the true importance of this command and option below?

sa-learn --sync

My simple research is telling me that if you don't do this at some regular interval, your training isn't fully put into action when journaling starts.

I haven't found much mention of it on the www yet I am still checking.

I was tipped off by reading this doc

http://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html

and by doing a frequent ls -axl in the /home/spamd/.spamassassin directory on one of our servers, and by noticing that traffic on my server was generating what to my noviceness at this is journaling???

Am I correct?

Those in the know, please do enlighten us all :-)

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: dynablock.njabl.org ends (and resolving pbl.spamhaus.org)
> Maybe interesting for those that use dynablock.njabl.org (as I do at the MTA-level).
>
> Got an email last Friday from njabl about dynablock.njabl.org; it's no longer maintained by njabl but is now only a copy of the pbl.spamhaus.org list. Eventually the dynablock.njabl.org zone will be emptied.
>
> By the way, pbl.spamhaus.org doesn't resolve at this moment, same problem with sbl-xbl.spamhaus.org, xbl.spamhaus.org etc. So I'll not be switching to pbl.spamhaus.org for now...

It resolves, just remember to do this to test

dig pbl.spamhaus.org any

Or

dig pbl.spamhaus.org ns

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
autowhitelist
We are using 3.1.7 on this particular server.

In reading the docs on autowhitelist it told me about v310.pre and this setting

# AWL - do auto-whitelist checks
# loadplugin Mail::SpamAssassin::Plugin::AWL

Do I need to comment out the above in the v310.pre, or leave it alone and add the below setting

use_auto_whitelist 0

in the local.cf???

Please let me know what is the best way and thanks

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
botnet 7 perl error
I only found one reference to this error searching the net

Use of uninitialized value in string eq at /etc/mail/spamassassin/Botnet.pm line 564, <GEN16> line 7

This appears to be the line of code in Botnet.pm, although I could be wrong

Mail::SpamAssassin::Plugin::dbg("Botnet: miss (" . $tests . ")");

Can anyone point me to anything else that solves this please?

I have disabled botnet for now.

Machine is CentOS 4.4, perl 5.8.5, SA is 3.1.7

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
restart from scratch with 3.1.7 ???
Greetings

My SA 3.1.7 installs run as user spamd.

My /home/spamd/.spamassassin directory looks like this

-rw------- 1 spamd spamd 5210112 Jan 21 14:25 auto-whitelist
-rw------- 1 spamd spamd   60864 Jan 21 14:25 bayes_journal
-rw------- 1 spamd spamd 2711552 Jan 21 14:18 bayes_seen
-rw------- 1 spamd spamd 5390336 Jan 21 14:18 bayes_toks

Now, lately I am getting quite a bit of BAYES_00 hits, and from the simple searching and reading I have done it tells me that I may need to start over from scratch, as my config was not fully mature at the beginning a year ago and so the AWL probably has some bad info here and there.

Should I just stop the spamassassin processes, delete the 4 files above and restart the spamassassin processes and let it go at that, repopulating itself on the fly by itself???

Or is there a better way?

I have populated internal and trusted network with info, and AWL is on as is bayes, and dns_available is yes.

Do you need more info?

Thanks in advance

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
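The "delete the 4 files and restart" plan above, and the earlier `sa-learn --clear` question, both throw away a year of bayes and AWL state with no way back. This added example (not from the thread and not SpamAssassin's own tooling) does the same reset but moves the four files into a timestamped sibling directory instead of deleting them, so they can be put back if the retrained database behaves worse. It assumes the caller has already stopped spamd; the function names and the backup naming scheme are this example's own. The demo files the test creates are empty placeholders, not real databases.

```shell
#!/bin/sh
# Added example (not from the thread): reset per-user SpamAssassin state by
# moving bayes_* and auto-whitelist into a backup directory beside the
# state directory, e.g. /home/spamd/.spamassassin.bak-20070121-1425.
# Stop spamd before calling this; restart it afterwards.
SA_STATE_FILES="bayes_toks bayes_seen bayes_journal auto-whitelist"

# reset_sa_state DIR: move the state files out of DIR. Returns 2 if DIR is
# missing, 1 if the backup could not be made, 0 on success.
reset_sa_state() {
    sadir="${1%/}"
    [ -d "$sadir" ] || { echo "no such directory: $sadir" >&2; return 2; }
    backup="$sadir.bak-$(date +%Y%m%d-%H%M%S)"
    mkdir "$backup" || return 1
    moved=0
    for f in $SA_STATE_FILES; do
        if [ -f "$sadir/$f" ]; then
            mv "$sadir/$f" "$backup/" || return 1
            moved=$((moved + 1))
        fi
    done
    echo "moved $moved file(s) to $backup"
    return 0
}

# state_files_present DIR: print how many of the four state files exist in DIR.
state_files_present() {
    n=0
    for f in $SA_STATE_FILES; do
        if [ -f "$1/$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

After the restart, spamd recreates the files as mail flows and autolearn kicks in; keeping the old copies also lets you run `sa-learn --dump magic` against them later if you want to compare token counts with the new database.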
RE: comprehensive perl module site like cpan or other for SA needs ???
> Design and engineering? You want Spamassassin to work or not? You install what it needs. What does that have to do with engineering?
>
> If you start managing library installation on a library by library basis you are opening a can of worms.
>
> You select the packages you need to get the job done, and install all the libraries (or in this case perl modules) needed for those packages. You don't start at the libraries and work up. You start at the packages and let the package managers/CPAN take care of the libraries/modules.
>
> --
> John Andersen

No, I want SA to fail frequently and give me headaches all day and avoid my attempts at successfully implementing part of our mail server systems engineering. :-)

Can anyone answer the question(s)?

Where is the best place to find the docs and info about the current stable perl modules in relationship to SA? Is it CPAN? Is that it? Other place?

I want to know which versions are current and stable and what the lil buggers actually do.

I don't know the answer or I wouldn't be asking. Yes, I know how to search the web yet it still doesn't answer the question.

I don't know at any given time what is the most stable version of any perl module in relation to SA use.

Please advise on that and thanks in advance.

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
comprehensive perl module site like cpan or other for SA needs ???
Greetings

Seeking some list wisdom please?

We have some well functioning boxes running SA out there. Most run RHEL 4 or CentOS 4.

I am wondering where to go to find out specifically for each perl module if we have the latest, greatest and most stable version(s) etc. Please note the sa-update output at bottom.

Do we need to search them out individually or has someone put together a place where they all are? I am aware of CPAN and sourceforge and other places yet looking for a comprehensive site people use in terms of SA and the needs of SA boxen.

Also, please note the modules that are not active or found in the install below during the SA update. Would installing them just be plug and play and they start working, or do I search them out individually too and their activation configs etc?

Thanks and kind regards

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net

[EMAIL PROTECTED] log]# sa-update -D
[12921] dbg: logger: adding facilities: all
[12921] dbg: logger: logging level is DBG
[12921] dbg: generic: SpamAssassin version 3.1.7
[12921] dbg: config: score set 0 chosen.
[12921] dbg: message: MIME PARSER START
[12921] dbg: message: main message type: text/plain
[12921] dbg: message: parsing normal part
[12921] dbg: message: added part, type: text/plain
[12921] dbg: message: MIME PARSER END
[12921] dbg: dns: is Net::DNS::Resolver available? yes
[12921] dbg: dns: Net::DNS version: 0.48
[12921] dbg: generic: sa-update version svn454083
[12921] dbg: generic: using update directory: /var/lib/spamassassin/3.001007
[12921] dbg: diag: perl platform: 5.008005 linux
[12921] dbg: diag: module installed: Digest::SHA1, version 2.07
[12921] dbg: diag: module installed: Getopt::Long, version 2.34
[12921] dbg: diag: module installed: LWP::UserAgent, version 2.031
[12921] dbg: diag: module installed: HTTP::Date, version 1.46
[12921] dbg: diag: module installed: Archive::Tar, version 1.30
[12921] dbg: diag: module installed: IO::Zlib, version 1.04
[12921] dbg: diag: module installed: DB_File, version 1.809
[12921] dbg: diag: module installed: HTML::Parser, version 3.35
[12921] dbg: diag: module installed: MIME::Base64, version 3.01
[12921] dbg: diag: module installed: Net::DNS, version 0.48
[12921] dbg: diag: module installed: Net::SMTP, version 2.29
[12921] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[12921] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[12921] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[12921] dbg: diag: module not installed: Net::Ident ('require' failed)
[12921] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[12921] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
[12921] dbg: diag: module installed: Time::HiRes, version 1.55
[12921] dbg: diag: module installed: DBI, version 1.40
RE: comprehensive perl module site like cpan or other for SA needs ???
> So how did you install in the first place?
>
> Yes, installing these would cause them to start working.
>
> I recommend installing using CPAN, as it is portable, reliable, picks up its prerequisites very well and you are not dependent on some distro specific packager.
>
> If you have the latest distro specific package installed, running CPAN will overlay it with the latest standard version and your package management software will be none the wiser.
>
> There are only a very few subtle things you must look out for when overlaying your distro packages with CPAN, namely where spamd is stored. (Suse has its own idea of where things get stored).
>
> I always install SA from CPAN, but sometimes I will install the distro package first to get all the prerequisite perl modules installed.
>
> John Andersen

It is my experience that CPAN installs can or will tend to do things I do not want it to do (or cannot control) in an RPM environment, among other things...

I am looking more for documentation and information plus URLs to download, so we can make decisions as to what they do and how it affects our design and engineering as well as implementation before I would consider installing.

Apologies for not mentioning that or making it more clear at the beginning.

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
RE: SA-UPDATE and recent branches/3.1 rules? or Did I miss an SA version update?
> No, your SA won't be broken. IIRC SA won't apply anything if there's a failure. At least my SA is still running fine here after my attempted update this morning. I didn't restart after the failure so in theory at least SA should still be running off the old set even if the new set did cause a problem.
>
> That said, I'm pretty sure that unless SA gets an OK return from sa-update nothing is applied.
>
> If anyone knows different please yell.
>
> Kind regards
>
> Nigel

What I know that is different is, if you go to

/var/lib/spamassassin/3.001007/

or wherever your updates go on your machine, and check the directory listings with

ls -axl

mine show up as the last time I updated and have not been updated as of today.

These results tell me we are all ok and should breathe a sigh of relief. Nothing to see here. :-)

- rh
--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
BAYES_00 possible score modification info thread help etc
Recently there was a thread on BAYES_00 and how folks were considering or changing the score on this etc.

-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.]

I've searched and cannot locate it (the thread) somehow. Can someone help me get to that thread please? And, if there is any new commentary about the changing of this I would sure like to hear about it. I'm finding just about everything spam still hits this and loses steam. Thanks!

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Deleting SA headers on ham
I changed my ham script to:

nice -n15 sa-learn -L --ham --no-rebuild --single | spamassassin -d

This did not work. Why on earth are there two different functions for the letter d in spamassassin? Meaning

spamassassin -D
spamassassin -d

are associated with two different functions/things. Isn't this counterproductive in error or mistake situations?

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: sa-update is broken
No. But it does work better if you install all needed dependencies and follow the instructions. Without dependencies it doesn't run (who would have guessed?), and without following the instructions the result may not be what you expected. -thh

Thanks, the context of my question was based upon the subject of this thread and that I hadn't seen an update in a while (I do it manually) and I was tired of following the thread somewhat, so without trying to offend, I asked. :-) Our stuff here is not broken so I wasn't worried unless of course sa-update was broken per that thread's subject (it was not).

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: sa-update is broken
With all due respect to all involved. Is sa-update broken or is this just a prolonged and poorly thought up global name for a thread? - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Breaking up the Bot army - we need a plan
You didn't read what I actually said. I didn't say the domain didn't look right. I said the IP address registration didn't look right.

nslookup ebay.com
Name: ebay.com
Address: 66.135.192.87

whois 66.135.192.87
OrgName: eBay, Inc
OrgID: EBAY
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95008
Country: US
NetRange: 66.135.192.0 - 66.135.223.255
CIDR: 66.135.192.0/19
NetName: EBAY-1
NetHandle: NET-66-135-192-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: SJC-DNS1.EBAYDNS.COM
NameServer: SJC-DNS2.EBAYDNS.COM
NameServer: SMF-DNS1.EBAYDNS.COM
Comment:
RegDate: 2001-07-13
Updated: 2003-02-20
OrgTechHandle: EBAYN-ARIN
OrgTechName: eBay Network
OrgTechPhone: +1-408-376-7400
OrgTechEmail: [EMAIL PROTECTED]
# ARIN WHOIS database, last updated 2006-12-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

That part looks fine. Now, for emailebay.com:

nslookup emailebay.com
Name: emailebay.com
Address: 216.33.156.118

whois 216.33.156.118
OrgName: Savvis
OrgID: SAVVI-2
Address: 3300 Regency Parkway
City: Cary
StateProv: NC
PostalCode: 27511
Country: US
ReferralServer: rwhois://rwhois.savvis.net:4321/
NetRange: 216.32.0.0 - 216.35.255.255
CIDR: 216.32.0.0/14
NetName: SAVVIS
NetHandle: NET-216-32-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:
RegDate: 1998-07-30
Updated: 2004-10-07
OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-877-393-7878
OrgAbuseEmail: [EMAIL PROTECTED]
OrgNOCHandle: NOC99-ARIN
OrgNOCName: SAVVIS Support Center
OrgNOCPhone: +1-888-638-6771
OrgNOCEmail: [EMAIL PROTECTED]
OrgTechHandle: UIAA-ARIN
OrgTechName: US IP Address Administration
OrgTechPhone: +1-888-638-6771
OrgTechEmail: [EMAIL PROTECTED]
# ARIN WHOIS database, last updated 2006-12-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Looks quite a bit different to me.
Not really. Do a dig -x 216.33.156.118, then do a dig -x 216.33.157.1. Notice my simple change and see that it appears that it just hasn't been SWIP'd yet.

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
spam testings from outside
Is there a URL on the net where one can go and enter an email address and that server will send a known SA count or random very spammy email to that address to test for various things like SA markup or SA markup total or even smtp rejection and verification based upon SA markup etc? Thanks - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: spam testings from outside
You have a yahoo account? Send yourself a gtube message: http://spamassassin.apache.org/gtube/

or even smtp rejection and verification based upon SA markup etc?

Well, considering spamassassin cannot reject messages, that's up to your MTA. But see above.

Thanks for the info. I ended up asking a fellow isp for an extra email account and spammed myself with hot *** pill type w/ some spammy website url baloney email. GTUBE worked too. Thankfully I have engineered and implemented a way to reject emails in the SMTP session that score above a certain level in SA, on a qmail server. Today is an awesome day. Praise God!

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
SMTP rejection based on SA Scores etc
Those of you that have some good data, can you please share some excellent numbers that you base your SMTP rejection on, based on SA scores and otherwise please? All I have here are SA averages and I'm not quite sure that is the right vector to base the rejection scores on. Thanks in advance.

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Tarpits are fun!
Dec 12 12:16:30 ga : Initial Connect - tarpitting: 124.240.124.222 14526 - x.x.x.x 25
* snip
Dec 12 16:19:20 ga : Persist Activity: 124.240.124.222 14526 - x.x.x.x 25

Three spambot threads stuck for *hours*! -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/

How are you implementing this?

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
required_score aggressive ??
When looking up required_score info, as most know, it says that the default is 5.0 and that it is considered aggressive in various circumstances. It used to be called required_hits.

When I first started using SA I was told that as an ISP going in the 4.0 range, give or take a little, was an excellent choice.

If you are able to chime in, please share your wisdom in any area about required_score and/or just how aggressive everyone on the list is, as I am thinking of tweaking a little lower. Thanks in advance

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
rbl insight and wisdom please
Hopefully this hasn't been rehashed to death on this list yet. Has there ever been a general consensus as to which RBLs and similar lists are best to use if you are going to engineer your mail systems with such? Anyone care to share their implementations as well as current best and worst practices please? Thanks

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: change spamhaus.org's score
On spamhaus or spamcop? This thread is getting confusing. Personally I drop on a spamhaus sbl-xbl hit at the smtp point. To date I've not had a complaint/problem. Though my userbase is pretty static in send/receives. I don't have much faith in spamcop. Nigel

Are you saying that you do have faith in spamhaus for these functions in terms of FPs then?

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: razor and dcc : high cpu load
Like a text-file based (it's not a security hole?!) or a ldap-replica on mail-server? I'm searching for more examples and other ideas and found this patch for qmail: http://qmail.jms1.net/patches/validrcptto.cdb.shtml I don't know if this patch is really necessary.. but it's a suggestion too... Anyway... I'll search more and do many tests... Thanks...

The validrcptto patch works very well. This patch does wonders for knocking down garbage before it gets into the queue. It is based on a system that uses qmail and vpopmail etc and generates a txt file that gets turned into a cdb.

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
sa-update -D
On a certain box we ran a successful current sa-update. Later on, I went back and ran sa-update -D and in it was this:

[7317] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[7317] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[7317] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[7317] dbg: diag: module not installed: Net::Ident ('require' failed)
[7317] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[7317] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)

I was wondering... when this is the case, what is this telling me other than that those modules are not installed? Is it telling me that some SA tests are not being run because of the lack of modules and therefore the reflective update configs are not pulled? What else should we know in regards to this? Thanks and kind regards

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
SA, clamav qmail-scanner w/ Qmail
Greetings, If anyone on the list is using latest SA, clamav qmail-scanner with the Qmail MTA can you please hit me with an email offlist? I will be glad to share a synopsis of what I am trying to find out and implement once I get there with this list. I haven't been able to find it anywhere after a week of searching and would appreciate some help please? Thanks and kind regards, - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Spamassassin effectiveness, BAYES_99
From: Benny Pedersen

i have changed bayes scores to catch most spam here, and changed threshold to learn spam / ham with less range so it is more accurate and prevents bayes poison at the same time, just have them at scores so spam is still autolearned, and ham is still autolearned, check that you don't have whitelist with -100 for spam mails :) if you use whitelist from or whitelist at all make sure it will not trigger the bayes ham learning on its own. if your bayes have nearly same count of spam / ham msgs its good, manually learn helps as well --

I'm not sure I am following the whitelist comments above. What do you mean and how do we prevent whitelisting from triggering the bayes on its own? This is somewhat confusing. Thanks

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: scoring spam
If you are having problems with memory after downloading the rules, you just need to be careful that you use the right ones. Read the descriptions of the rules carefully and only use the ones that you think would be useful. Any time you add more rules, the spamd children will take up more memory, but it shouldn't be too bad. And if you do run into problems, you can always lower the max number of children in your spamd startup command to give the children more room. I posted this list a day or two ago, but the most useful SARE rules on my system are: 70_sare_stocks.cf 70_sare_adult.cf 70_sare_specific.cf Besides the SARE rules, you should also consider URIBL, Razor, and FuzzyOCR. -- Bowie

I was answering Steve, with the url to the sare website. Thanks again though; it didn't have anything to do with a previous post from me. :-) On the other hand, many may find it useful to know to play around with ruleset combos.

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
sare top choices
Greetings, I pulled down a large subset of all the sare filters today on a test mail server...

-rw-r--r-- 1 root root 53868 Apr 20 02:00 70_sare_adult.cf
-rw-r--r-- 1 root root 3839 Jun 1 2005 70_sare_bayes_poison_nxm.cf
-rw-r--r-- 1 root root 24298 Oct 5 2005 70_sare_evilnum0.cf
-rw-r--r-- 1 root root 45933 Dec 26 2005 70_sare_genlsubj0.cf
-rw-r--r-- 1 root root 123406 May 21 13:00 70_sare_header0.cf
-rw-r--r-- 1 root root 28066 Jun 3 22:00 70_sare_html0.cf
-rw-r--r-- 1 root root 51886 Oct 1 2005 70_sare_obfu0.cf
-rw-r--r-- 1 root root 12739 Dec 27 2005 70_sare_oem.cf
-rw-r--r-- 1 root root 18190 Dec 12 2005 70_sare_random.cf
-rw-r--r-- 1 root root 97820 May 27 20:00 70_sare_specific.cf
-rw-r--r-- 1 root root 20301 Jul 25 09:00 70_sare_spoof.cf
-rw-r--r-- 1 root root 59515 Oct 18 13:00 70_sare_stocks.cf
-rw-r--r-- 1 root root 25124 Nov 12 2005 70_sare_unsub.cf
-rw-r--r-- 1 root root 17879 Oct 4 2005 70_sare_uri0.cf
-rw-r--r-- 1 root root 13211 Jun 1 2005 72_sare_bml_post25x.cf
-rw-r--r-- 1 root root 15481 May 15 20:00 72_sare_redirect_post3.0.0.cf
-rw-r--r-- 1 root root 10147 Jun 1 2005 99_sare_fraud_post25x.cf

I didn't snag all of them. I'm still contemplating the one that says it needs network tests on and spf on and something else. For those of you that use these, can you rate them on how effective they are in general? Um, I do not think I want to run them all and so I am looking for help to trim it to the top 3 to 5 or so of them to use... It appears that several of you run all of them... Any helpful comments will be appreciated. Thanks and kind regards,

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
.cf file update procedures
When you folks are adding, deleting or updating spamassassin .cf files... After the changes are implemented and you have run --lint, do you folks shut down your main SMTP process before you run something like /etc/init.d/spamassassin restart and then bring back up your smtp? Or do you just restart spamassassin and call it good?

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: .cf file update procedures
It depends on your MTA + SA setup. I use postfix + amavis + SA. Postfix is configured to pre- and post-queue messages around amavis. Postfix and amavis comm by inet/unix socks. SA is run embedded into amavis. As a result, this conf allows restarting amavis (cf.: SA) without losing messages: the postfix pre-queue would store unchecked messages and then would resubmit them as soon as amavis starts again. I'm used to issuing a 'postqueue -f' command just after amavis restart. giampaolo

Ok, so best common practice would be to shut down the smtp daemon and associates, then restart spamassassin, and then bring up the smtp daemon and associates. Correct? Anyone using qmail?

- rh
RE: R: Scoring PTR's
Actually, by definition they are supposed to match A to PTR and PTR to A. Just because everyone doesn't do it perfectly does not mean it is correct to not do reverse DNS or to not do it correctly. There are variations on best practices. Oh well... RFC 1123 says you should not reject based upon HELO Lord knows if that was stomped on by a later RFC. - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: R: Scoring PTR's
This suggestion has been superseded, or perhaps better elucidated, by later RFC's, particularly RFC 2181, section 10.2. Nowadays many of us have reverse-DNS delegation in place since as an end-user we have no control over the in-addr.arpa records for our particular IP subnet. For instance, mail.cyways.com resolves to 12.148.244.151, but a reverse query for that address yields:

# host -t ptr 151.244.148.12.in-addr.arpa
151.244.148.12.in-addr.arpa is an alias for 151.128/27.244.148.12.in-addr.arpa.
151.128/27.244.148.12.in-addr.arpa domain name pointer mail.cyways.com.

That's because the 244.148.12.in-addr.arpa zone belongs to our provider (ATT), but they have delegated our /27 subnet's zone to us via this aliasing process. RFC 2181 makes clear that aliasing is fine in the PTR resolution process as long as the aliasing eventually points to a canonical name like mail.cyways.com. This is a much better solution than requiring us to go to the provider to update their PTR records every time we change the names of the hosts in our subnet. RFC's like 1912 reflect a time when most people had control over both forward and reverse name service for a class-A, B, or C IP block. That came to an end when classless, or CIDR, addressing became the norm. Peter

Delegation of reverse DNS is not hard at any size block of IP addresses if the authoritative company will allow your name servers to be authoritative correctly. It may say it is ok, yet it isn't ok. Nothing personal, yet that is some messed up reverse dns delegation. They do not have to alias anything other than authority.

$ dig -x 12.148.244.151

; <<>> DiG 9.2.4 <<>> -x 12.148.244.151
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18524
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;151.244.148.12.in-addr.arpa. IN PTR

;; ANSWER SECTION:
151.244.148.12.in-addr.arpa. 172800 IN CNAME 151.128/27.244.148.12.in-addr.arpa.
151.128/27.244.148.12.in-addr.arpa. 43200 IN PTR mail.cyways.com.

;; AUTHORITY SECTION:
128/27.244.148.12.in-addr.arpa. 43200 IN NS ns.cfmr.com.
128/27.244.148.12.in-addr.arpa. 43200 IN NS ns.cyways.com.
128/27.244.148.12.in-addr.arpa. 43200 IN NS ns2.cyways.com.

;; ADDITIONAL SECTION:
ns.cfmr.com. 172800 IN A 12.148.244.131
ns.cyways.com. 86400 IN A 12.148.244.151
ns2.cyways.com. 86400 IN A 12.148.244.157

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
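The classless in-addr.arpa delegation (RFC 2317) and the A/PTR matching discussed in this thread, as an added example that is not code from the thread or from any of the posters. The record set is constructed to mirror the dig -x 12.148.244.151 answer above; the function names are my own.

```python
"""Classless reverse-DNS delegation (RFC 2317) and forward-confirmed reverse DNS.

Added example; not code from the thread. The record set below is constructed
to mirror the dig -x 12.148.244.151 answer quoted above: the provider's zone
holds a CNAME into the customer's delegated /27 zone, which holds the PTR.
"""
import ipaddress

# Constructed records: owner name -> list of (rrtype, rdata).
RECORDS = {
    "151.244.148.12.in-addr.arpa.": [("CNAME", "151.128/27.244.148.12.in-addr.arpa.")],
    "128/27.244.148.12.in-addr.arpa.": [("NS", "ns.cyways.com."), ("NS", "ns2.cyways.com.")],
    "151.128/27.244.148.12.in-addr.arpa.": [("PTR", "mail.cyways.com.")],
    "mail.cyways.com.": [("A", "12.148.244.151")],
}


def reverse_name(ip: str) -> str:
    """Classic in-addr.arpa owner name for an IPv4 address."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def rfc2317_cname_target(ip: str, prefix_len: int) -> str:
    """Owner name inside a customer's classless delegated zone.

    For 12.148.244.151 in a /27 the parent zone 244.148.12.in-addr.arpa
    carries '151 CNAME 151.128/27.244.148.12.in-addr.arpa.'; this builds
    that CNAME target from the address and the block size.
    """
    if not 25 <= prefix_len <= 32:
        raise ValueError("classless delegation is for blocks smaller than a /24")
    net = ipaddress.IPv4Network(f"{ip}/{prefix_len}", strict=False)
    o1, o2, o3, o4 = ip.split(".")
    first = str(net.network_address).split(".")[3]  # first address of the block
    return f"{o4}.{first}/{prefix_len}.{o3}.{o2}.{o1}.in-addr.arpa."


def lookup(name: str, rrtype: str, records=RECORDS):
    """Return the rdata values of one type for an owner name (empty if none)."""
    return [rd for rt, rd in records.get(name, []) if rt == rrtype]


def resolve_ptr(ip: str, records=RECORDS, max_hops: int = 8):
    """Follow CNAMEs from the in-addr.arpa name until a PTR is found.

    Returns the PTR target, or None when the chain ends without a PTR,
    loops, or exceeds max_hops.
    """
    name = reverse_name(ip)
    for _ in range(max_hops):
        ptrs = lookup(name, "PTR", records)
        if ptrs:
            return ptrs[0]
        cnames = lookup(name, "CNAME", records)
        if not cnames:
            return None
        name = cnames[0]
    return None


def fcrdns_ok(ip: str, records=RECORDS) -> bool:
    """Forward-confirmed reverse DNS: PTR -> host, and host's A records include ip."""
    host = resolve_ptr(ip, records)
    return host is not None and ip in lookup(host, "A", records)


if __name__ == "__main__":
    ip = "12.148.244.151"
    print(reverse_name(ip), "->", rfc2317_cname_target(ip, 27))
    print("PTR:", resolve_ptr(ip), "FCrDNS ok:", fcrdns_ok(ip))
```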
RE: R: Scoring PTR's
RFC 1123 says you should not reject based upon HELO

Bah. If some machine I don't control tries to HELO whatever.impsec.org I'm absolutely going to tell them to go away. -- John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/

What program is doing the rejection though? Doesn't say you can't, just says you shouldn't. And it is old old old. Was the rfc revised?

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: What's with UCEPROTECT List?
It's also a good trick to cause a denial of service. Regards, -sm Maybe... under extremely special circumstances, yet more realistically not. Well programmed software can rate limit itself when things look hokey... - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: What's with UCEPROTECT List?
What it looks like to me is a way of blacklisting competition to try to steer business their way. The only way to get off their lists is to pay them money. It looks more like extortion to me. Marc

After reading their EN website, http://www.uceprotect.net/en/ ...maybe you could be the one to correct their grammar as they put it and they would bless/pay you by pulling your entry... Yes, I am joking... sort of... :-)

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: What's with UCEPROTECT List?
Right. And rate limiting limits the real service. Thus, you have ... oh yeah, DENIAL OF SERVICE. THINK! It's not hard. -- Jo Rhett Network/Software Engineer Net Consonance Don't assume Jo. You do not know specifically what I was talking about rate limiting and why or how. We model thinking outside of the box and therefore do not limit ourselves to that which is known or perceived to be known... Break out of the box, Jo. :-) - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: What's with UCEPROTECT List?
Um, yes. Well, I've seen it DoSed by just attempts to deliver to an address that doesn't exist. User not found after RCPT TO is the exact same traffic load. That was very modern hardware, and it happened just a few weeks ago. Think about it. It doesn't require you to stretch your brain to figure out the math involved. -- Jo Rhett Network/Software Engineer Net Consonance Maybe you can elaborate on very modern hardware and what opsys and config so we can really understand where you are coming from here in terms of the math involved... Please do share. - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: dealing with DoS attacks (Re: ALL_TRUSTED creating a problem)
Yes, I know. I'm actually one of the supertechs you refer to. Er, at least top of the food chain in that regard :-) Law enforcement in Santa Clara is excellent, but they have to focus on the big fish. This is small stuff to them. It's also just small enough to fall under the radar of most providers, which argues to me that this guy is fairly clueful. (guy because so far I've never met a woman who dealt with their emotional drama in such stupid ways) Snip You pretty much nailed it. The target is a DSL customer, so sending 100mb/sec isn't enough to raise the eyebrows of any modern service provider, but the DSL switch receiving that flood gets fairly unhappy and the target is completely offline. -- Jo Rhett Network/Software Engineer Net Consonance

Jo, I kinda figured you were a supertech, so as you know: document, document, document and you will eventually get the idiot... When I started doing this in the early 1990's we used to call the USWest Interprise techs in Minnesota supertechs. I made some friends there as we turned up a lot of frame relay and such... So, as you know they can put flags in the switches to watch for those traffic signs and alert log it and flag someone and they can get their Telco Cops on it... they wear a badge and can carry a gun too. It is a federal crime as I understand it, some of them wires cross state boundaries etc. :-) Best wishes

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: sare suggestions.
I don't use rulesdujour because it seems like too much hackery. sa-update (included with spamassassin) does it all very cleanly, and is supported by the team. (sa-update is newer than rdj, so it's not really rdj's fault) Frankly, I subscribed to almost every single ruleset on the rulesemporium page. If I skipped any that weren't do not use then I don't know what they were. -- Jo Rhett Network/Software Engineer Net Consonance Jo In this type of config, how much RAM are you running and how many processors??? Plus I am wondering how big are the SA processes that are running in RAM with all those rulesets etc? Thanks and kind regards - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: What's with UCEPROTECT List?
My incoming servers know literally nothing about which users have valid addresses and which do not. All these servers do is accept or reject inbound mail based on a (long) list of SMTP-level rules and forward the messages that are accepted to another machine for SA and virus scanning. If sender verification requires that the incoming server have a complete list of valid mailboxes, it's going to fail miserably here. I don't see anything in the RFCs that makes my configuration non-compliant, do you?

Maybe you have it backwards??? IMPO the mail server should know exactly what email addresses there are so that it can reject at the smtp level email that is not addressed to a real user or real live mailbox. I.e. valid RCPT TO :-) Some will disagree as they want every email whether addressed properly or not, as some people that want to buy things are stupid and can't type or follow direction properly, so they don't filter on invalid RCPT TO.

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: sare suggestions.
This is a personal colo box with very light load. 1gb of memory and an AMD XP1800+ processor... old, old technology. The daemons are consistently around 70mb apiece, and there are usually 5-7 running. Low limit is 2, upper limit is 10. Load average is always 0 across the board. This system is bored. -- Jo Rhett Senior Network Engineer Network Consonance I see... so 70 meg SA's when running all these ruleset is a good general rule of thumb for size? - rh
RE: SA Webmail Portal
Hi, explain to your customers that giving you a list of mail accounts is beneficial to them. Wolfgang Hamann

I see your point yet... What specific kind of customers? If it is part of your policy and procedure from start to finish it shouldn't be a big deal... Meaning, if they are renting your hosting or relay servers... If they have their own transport and transit from you and their own hardware, then they should be doing their own thing, right?

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: ALL_TRUSTED creating a problem
This is the whole point. If the message hasn't been Received: by a local server, it is by definition not in your network. By feeding messages to SA without a local Received: header, you are explicitly telling SA that the message is still in some other network, not yours. So what's SA supposed to do? Is SA supposed to know that the message magically appeared in your mail systems despite never being recorded as Received by them? What should SA do if a message is being direct-delivered and has no existing Received: headers in it? Where should it decide the message came from? Look, here's a message that got here from nowhere. It wasn't even sent by the localhost, it just spontaneously appeared in the mail system. Nobody sent it, nobody Received it, it just appeared here. This whole scenario is ridiculous.. OF COURSE spamassassin will break when you feed it this. It can't possibly even TRY to make sense of it because required records are missing. How could SA behave properly in this case? What should it do? Should SA inherently assume that some magic exists where messages can magically poof from one mail queue to the next without ever being transmitted over a mail transport protocol? Should it assume hackers have taken over your server and are directly inserting messages into your system without going through your MTA (ie: writing queue files directly?) Or should it just misbehave so hopefully the admin realizes he needs to FIX a BROKEN SERVER.

I'm a little confused in this thread now... please clarify this... Does this mean my SA config is not correct if I do not have the ip address of the SA box, which is also the main SMTP box, in the local.cf in that trusted host config line? How should it specifically look again please? ...and is it supposed to have the loopback address in it too? Please clarify, as some time ago I saw some posts from Pedersen and O'Shea talking back and forth about it a little... Thanks in advance...
- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Any suggestions for 'postmaster' spams?
Plussed addressing helps here. I hate web forms that refuse to let me put a plus sign in my email address. (Typically a result of over-zealous input filtering.) I probably subscribe to 100 lists. Re-subscribing them all every time a subscribed address was spammed would be murder.

Well, ya got me beat by a few lists... Plussed addressing? Explain please... too lazy to google it.. ;-) I certainly do not mean that one should do it immediately with the first spam... yet if things get out of hand.. then by all means... Scripting does an awesome job of dealing with this situation though... And btw, I'm sure many of you have seen a new customer go from first coupla emails in and out and a week later they are getting 500 to 1000 spams a day, haven't you? You know what I mean?

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Any suggestions for 'postmaster' spams?
It appears that my email address is now being used as a from address in many spam emails to many addresses. Over the past week, I have gotten 150+ postmaster: mail delivery failure -each day-. Does anyone have suggestions on how to handle this? They're all semi-standard 'delivery failure' or 'content blocked' notices, so I created filtering rules based on the subject line to put them all into a folder. I don't think they should be marked as spam though because they're not. Thanks, Brian

First suggestion, don't post to the list with the email address you use for biz or personal use. Make another and use it for all lists. When you get spammed on it, change it slightly, unsub the other and sub the new to all the lists you are on. Also, if your MTA will accept an email to an email address that doesn't exist, fix it so it doesn't. Probably more, yet it escapes me now.

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Any suggestions for 'postmaster' spams?
Uh. Yeah. Is it just me, or are all the dumb answers coming up today? Or, perhaps, run spamassassin and don't worry about changing your e-mail constantly? Duh? -- Jo Rhett Network/Software Engineer Net Consonance It's you Jo. Yet we apologize Jo, we are all having a really difficult time trying to live up to your standards but we are trying real hard though Jo... - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: I'm getting killed with spammers
I need some help here.. Last Mon, Tues, Wed I had severe inflow of spam, always at 12.30p EST; Wed it didn't stop till almost 5p. The server seems to not be very cooperative when the queue grows over 200 or so. I have max child set to 15 (up from 5) and not sure what else I can offer in the way of what you need to know to help me, but if you tell me where to look I can spout what you need. The install is out of the box with few if any mods except exim does have the dictionary attack, I run BFD and APF. I do not believe I have been hacked into.. I DO read the logwatch daily and do poke around looking for dropped files on a semi regular basis.. this high amount of spam, (BTW scoring at 20-well over 1000) is killing the loads and I have screaming clients.. Just this afternoon (again around 12.30) it loaded up again with 312 mails.. the web based control panel was reacting so slow I would get 3 new ones for every one I managed to delete or deliver (I could not just delete the queue because some were actually valid mails in there). Server loads rose to well over 30, I shut exim - but cpanel was so kind to automagically restart it every time.. tried a reboot from ssh but that just hung.. the tech peeps did it from their end and it worked and brought the loads down so I could delete faster than they came in and now we're back to normal loads and queue. I did upgrade to SA 3.1.7 last week - Wed night after a long day of battling the loads.. and that seemed to go well. suggestions? Offers of help??? thanks

Debbie, Is the mail legitimate email? Meaning does the email come from wherever to *valid email addresses* on the server or do you have a system that will catch everything at the smtp level and then sort it out later? If your server catches everything, the smtp gate should probably be fortified with greylisting and invalid email address rejection first. There is not enough other info for me to recommend further...
Thanks and kind regards, - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Any suggestions for 'postmaster' spams?
Okay, I'll answer. I am convinced that spam (in all its forms) will continue to be a problem until spammers start dying for what they are doing. That will change the risk/benefit analysis rather strongly towards the negative. -- John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/

Either that or the powers that be will try to regulate it so that you have to pay to license an email server and they will control *everything* about connectivity with giant firewalls kinda like some countries already try or do. Whatever brings in the most money and power...

- rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: How to filter these spam messages
I reviewed greylisting as a solution in the past, we couldn't accept it due to delay and I also read not all email servers will resend properly. So there is a chance few legitimate emails will never get redelivered. When you are running a business shop, such delays or exceptions are not permitted. I believe it should be very easy to write a rule set for these work from home, stock, mortgage, etc... short spam emails, I just don't have the expertise to do it right. -Simon

I understand everyone has to make decisions and deal with it yet
A minute or two delay from greylisting matters that much?
Do you really want email from a server that doesn't work right or isn't administered as best it can be?
That is kinda why greylisting exists to eliminate bursty worthless email
And most people doing business want to use the phone or meet in person to close sales properly. - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Re[2]: Any comments of the SpamHaus lawsuit?
Blame the plaintiffs, blame what some might consider to be less-than-stellar legal advice given Spamhaus, but don't blame the court for following the law. -- Best regards, Robert Braver

Why blame the plaintiffs? Fortunately or unfortunately as the case may be, law is subject to interpretation based upon precedent, or lack thereof. As is authority and jurisdiction. Plus, people are fallible, make mistakes. Judges too. Then what? - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: How to filter these spam messages
Someone want to explain Greylisting?

Here is an example that references a coupla websites http://qmail.jms1.net/scripts/jgreylist.shtml - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
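The greylisting mechanism discussed in the two messages above, as an added example that is not part of the original thread or of the jgreylist script: the first delivery attempt from an unknown (client IP, sender, recipient) triplet gets a temporary failure, a retry after the delay is accepted and the triplet is remembered, and a sender that never retries (the bursty, fire-and-forget spam rh refers to) is never delivered. The triplet key, delay and window values are assumptions chosen for illustration, not settings from the page.

```python
import time

# Constructed greylisting decision logic; parameters are illustrative.
DELAY = 120            # seconds a new triplet must wait before a retry is accepted
RETRY_WINDOW = 4 * 3600  # retries later than this restart the wait
WHITELIST_TTL = 36 * 24 * 3600  # remembered triplets are accepted without delay

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self):
        self.pending = {}   # triplet -> time of first attempt
        self.known = {}     # triplet -> time of last accepted delivery

    def decide(self, client_ip, sender, recipient, now=None):
        """Return the SMTP response to give at RCPT TO for this triplet."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())

        last = self.known.get(key)
        if last is not None and now - last < WHITELIST_TTL:
            self.known[key] = now          # refresh the whitelist entry
            return ACCEPT

        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now        # never seen: start the clock
            return TEMPFAIL
        age = now - first
        if age < DELAY:
            return TEMPFAIL                # retried too quickly (or a bot hammering)
        if age > RETRY_WINDOW:
            self.pending[key] = now        # stale entry: treat as a fresh first attempt
            return TEMPFAIL
        del self.pending[key]              # legitimate retry: promote to whitelist
        self.known[key] = now
        return ACCEPT
```

A real MTA retries on 451 after a few minutes, so a legitimate sender sees only the first delay; the cost is that queue pressure from one-shot senders never reaches the content filter at all.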
RE: Should I upgrade to 3.1.6?
Just looked over the bug fix list for 3.1.6 and it doesn't seem like anything *major* that would suggest that I should make the leap. I'm right now running 3.1.5 on my box. Are there other improvements, such as rules and the like, that would make this a preferable upgrade? Or should I just hold tight for 3.2.0 or one of the next maintenance updates? Steven Lake

3.1.7 is out. As I recall, 3.1.6 had some oops issues - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Bayesing Filtering needs to be rewritten
tflag FUZZY_OCR noautolearn

Is this something we can do now that works? Do we put this in any .cf file or a particular one? - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: use of ram after upgrade
From: Balzi Andrea

snippers

I've tried it, but now I have the following usage:

Tasks:  83 total,   2 running,  81 sleeping,   0 stopped,   0 zombie
Cpu0 :  0.0% user,  1.3% system,  1.7% nice, 97.0% idle
Cpu1 :  0.0% user,  1.3% system,  0.0% nice, 98.7% idle
Cpu2 :  0.0% user,  0.0% system,  1.3% nice, 98.7% idle
Cpu3 :  0.0% user,  0.0% system, 98.7% nice,  1.3% idle
Mem:   6206432k total,   909444k used,  5296988k free,   117224k buffers
Swap:      284k total,     7856k used,  1992228k free,    70724k cached

  PID  PPID PR NI S #C  RES  SHR SWAP  TIME COMMAND
15404 15386 15 10 S  1 354m  33m    0  5:29 spamd child
15405 15386 19 10 R  2 176m  34m    0  4:33 spamd child
15626 15386 14 10 S  0  88m  36m    0  0:22 spamd child
15645 15386 15 10 S  3  85m  36m    0  0:07 spamd child
15386     1 15 10 S  2  73m  36m    0  0:03 /usr/sbin/spamd

My engineers and I have determined that since this is a 4 way processor box (hopefully with a lot of RAM and processor speed), that you should box it up and send it to us for extended testing... ...probably only a year or two and we will fix it and get it right back to you... if you cannot send this one, another 4 proc or 8 proc box will do. ;-) Thanks and kind regards! - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
RE: Bayesing Filtering needs to be rewritten
One of the problems now with bayes is that image spam is causing bayes to be useless. We need a new plan to avoid bayes poisoning. Poisoning is caused when messages are learned where the text of the message is a nonspam type text and the spam is in the image. Bayes needs to be smarter about what text it learns and know when to not learn the text. We need logic that says the text is a trick, only learn the headers. In general a lot of text isn't that strong of an indicator of spam or nonspam. Things like URLs and email addresses and phone numbers are good indicators as well as the HTML tags. And the headers are of course the best part. I question if using the whole message is best. I think we should parse the message for what I'll call fingerprint tokens which are tokens that can be used to ID similar messages. Thoughts on avoiding bayes poisoning and looking for fingerprint tokens?

The only thought that comes to mind would be code that says, IF email has an attachment of such and such a type, then do not autolearn and/or send it to other conditionals ??? - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
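The conditional rh sketches above (image attachment present, so do not autolearn the body text) and the "only learn the headers" idea from the quoted message, as an added example that is neither SpamAssassin's Bayes code nor anyone's posted code: a message with image parts and little text is treated as image spam, autolearn is skipped for it, and the token set offered to the learner is restricted to header tokens. The sample messages are constructed inline, and the 200-character text threshold and the autolearn score thresholds are assumptions for illustration.

```python
from email.message import EmailMessage

MIN_TEXT_CHARS = 200        # assumed: less visible text than this with an image is suspect
LEARN_HEADERS = ("From", "Subject", "Received")


def build_sample(text, with_image):
    """Construct a demonstration message (not real mail from the thread)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Re: your order"
    msg["Received"] = "from mx.example.invalid by mail.example.invalid"
    msg.set_content(text)
    if with_image:
        # constructed bytes standing in for the pitch image of an image spam
        msg.add_attachment(b"GIF89a\x00\x00", maintype="image",
                           subtype="gif", filename="pitch.gif")
    return msg


def image_spam_suspect(msg):
    """True when the message carries image parts but almost no text."""
    image_parts, text_chars = 0, 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype in ("text/plain", "text/html"):
            text_chars += len(part.get_content().strip())
    return image_parts > 0 and text_chars < MIN_TEXT_CHARS


def should_autolearn(msg, score, spam_threshold=12.0, ham_threshold=0.1):
    """Gate autolearn the way rh suggests: never learn a suspected image spam."""
    if image_spam_suspect(msg):
        return False
    return score >= spam_threshold or score <= ham_threshold


def learn_tokens(msg):
    """Header tokens always; body tokens only when the text is not a decoy."""
    tokens = set()
    for name in LEARN_HEADERS:
        for value in msg.get_all(name, []):
            tokens.update(f"H:{name}:{w}" for w in value.split())
    if not image_spam_suspect(msg):
        for part in msg.walk():
            if part.get_content_type() in ("text/plain", "text/html"):
                tokens.update(part.get_content().split())
    return tokens
```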