Re: Pipe characters in From and To's
On 11.02.2010 22:37, Spiro Harvey wrote:
> We're getting a boatload of To and From addresses starting with pipe characters on one of our clients' mailservers. The messages themselves don't appear particularly malicious -- the ones we've seen are just pill spam -- but there are craploads of them.
>
> I was thinking about configuring an SA rule to just bump the scores up a few points (most of those that are getting thru seem to be scoring about 8 or 9), so adding a few points will push them into reject territory.
>
> Oh, and the client has historically allowed catch-all mail domains, hence why so many of these are being delivered. We've managed to get them to not allow catch-alls now, but they still have 20-odd-thousand historical domains that haven't had the catch-alls removed yet..
>
> So I'm just wondering if others encounter this with enough regularity, and if so what your thoughts and advice are. I don't particularly want to add rules into sendmail, so SA is my avenue of choice.
>
> Cheers

I also had a lot of load from this kind of mail until I added a header_checks rule.

Ralph
Re: How should this tricky spam be filtered?
On 30.01.2010 16:48, Jeff Mincy wrote:
> From: Kārlis Repsons karlis.reps...@gmail.com
> Date: Sat, 30 Jan 2010 14:07:16 +
>
>> On Saturday 30 January 2010 13:54:14 Jeff Mincy wrote:
>>> Retrain the message correctly in Bayes. Bayes will catch on to this after a few times. The subject alone should be a strong enough clue for Bayes (I get BAYES_80 on this partial sample), so it looks like you are doing only autolearn and not correcting messages that were learned incorrectly.
>>> -jeff
>>>
>>> I couldn't figure out how to get an unadulterated version of the message from the spamalyser.com link you posted in a previous message. I tried this
>>>   wget -O - -q http://spamalyser.com/v/5cbffujq/original.txt
>>> pastebin has a simple way to download the original. Anyway, I eventually got something.
>>
>> Hmm, well, I just started with SA, so my filters aren't much trained yet. The thing is, I didn't believe it's the Bayes filter to be used for that case!
>
> Bayes is an incredible tool, but only if you let it. The worst thing you can do to Bayes is mistrain it by learning spam messages as ham. The other bad thing is to limit the number of messages that it learns from.
>
>> Because I still think that it's not correct to train the SA filter on that letter as spam! It can contain words which simply should not contribute to being more spam, no? That's not a problem?
>
> No, that is not a problem. Yes, spam contains words, some of those words will also occur in ham. Bayes will figure out which words are spammy and which are hammy and which occur in both. First start with training Bayes and then check if DCC and network tests are enabled.
>
> Anyway, I get the following.
>   BAYES_99,DCC_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_FIVETEN_SPAM,RCVD_IN_NIXSPAM,RCVD_IN_UCEPROTECT1,RCVD_IN_UCEPROTECT2,RCVD_IN_UCEPROTECT3,BOTNET,BOTNET_BADDNS
> Botnet/FIVETEN/NIXSPAM/UCEPROTECT are additional rules added.
> -jeff

In the Raw Message tab you can get the plain message (http://spamalyser.com/v/5cbffujq/raw).
Re: repair bayes db ?
On 29.01.2010 19:56, tonjg wrote:
> raq550 running strongbolt 2, spamassassin.i386 0:3.2.5-1.el4
>
> I get the following error when trying to do an sa-learn command:
>
>   bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/BayesStore/DBM.pm line 196.
>
> Is there a fix for this? I did a search on google but couldn't find a straightforward solution. I did yum remove spamassassin and then re-installed but it made no difference. I really don't want to do a full system rebuild if I can avoid it. Thanks for any pointers.

It should be enough to rebuild the table bayes_global_vars. sa-learn found version 0 but it should find version 3!
Re: SpamAssassin, One Baye for a lot of SpamAssassin server
On 22.01.2010 09:41, Stephane MAGAND wrote:
> Hello,
>
> In a previous post, I have requested information: can I use one central bayes database for a lot of SpamAssassin servers? I have received an answer: Yes. But what is the process? For one spamassassin, must we obligatorily use a MySQL server? If yes, is the performance not decreased?
>
> Thanks for your help
> Stephane

If you do not use MySQL for bayes, migrate. In local.cf:

  bayes_store_module Mail::SpamAssassin::BayesStore::SQL
  bayes_sql_dsn DBI:mysql:mailscanner:servername:3306
  bayes_sql_username bayesuser
  bayes_sql_password bayespass
  bayes_sql_override_username bayesuser

The performance question depends on so many facts and figures it is hard to answer (network, hardware, traffic), but using one central bayes db gives you the security that each SA server adds the same score for bayes (there is no warranty it will be the same with dedicated local databases). But bear in mind that if anyone is able to poison your central db it is poisoned for all SA servers. ;-)

hth
Ralph
Re: SpamAssassin, One Baye for a lot of SpamAssassin server
On 22.01.2010 18:31, d.h...@yournetplus.com wrote:
> Quoting LuKreme krem...@kreme.com:
>> On 22-Jan-2010, at 02:07, Ralph Bornefeld-Ettmann wrote:
>>>   bayes_store_module Mail::SpamAssassin::BayesStore::SQL
>>>   bayes_sql_dsn DBI:mysql:mailscanner:servername:3306
>>>   bayes_sql_username bayesuser
>>>   bayes_sql_password bayespass
>>>   bayes_sql_override_username bayesuser
>>
>> Where do you specify the name of the database to use?
>
> In the above, 'mailscanner' would be the database.

Oops, sorry, forgot to replace that ...
Re: SpamAssassin, One Baye for a lot of SpamAssassin server
On 22.01.2010 21:40, Alex wrote:
> Hi,
>
>> if you do not use MySQL for bayes, migrate.
>
> How do you determine whether the administrative overhead (downtime for maintenance, etc) is necessary or a simple periodic rsync would do the trick? How long can the bayes databases be out of sync before it becomes a problem? I suppose that question can't really be answered other than the sooner, the better, but is the info really changing that frequently that syncing more than, say, every hour would be a problem?
>
> Mariusz Kruk wrote:
>>   bayes_file_mode 0666
>
> That's a really bad idea. At least put your users in a group so it's not world-writable, but I would also think there's some suid program you could use in place (although they have problems of their own)?
>
> Thanks,
> Alex

mysqlstudent asks if it's necessary to move to MySQL ;-)

I personally prefer using a database instead of mounting filesystems via NFS or rsyncing files. For me it is less effort.
Re: Problems sending Abuse mails to Twitter
I could find your IP (82.113.106.21) on these lists:

  b.barracudacentral.org         127.0.0.2
  bl.spamcop.net                 127.0.0.2
  blackholes.five-ten-sg.com     82.113.106.21.misc.blackholes.five-ten-sg.com. 127.0.0.9
  blocked.secnap.net             127.0.0.2
  cbl.abuseat.org                127.0.0.2
  dnsbl-1.uceprotect.net         127.0.0.2
  dnsbl-2.uceprotect.net         127.0.0.2
  dnsbl-3.uceprotect.net         127.0.0.2
  dnsbl.inps.de                  127.0.0.2
  dnsbl.sorbs.net                127.0.0.7
  hostkarma.junkemailfilter.com  127.0.0.2 127.0.1.1
  no-more-funn.moensted.dk       127.0.0.1
  noptr.spamrats.com             127.0.0.37
  old.spam.dnsbl.sorbs.net       127.0.0.6
  pbl.spamhaus.org               127.0.0.11
  psbl.surriel.com               127.0.0.2
  sbl-xbl.spamhaus.org           127.0.0.4
  spam.dnsbl.sorbs.net           127.0.0.6
  ubl.unsubscore.com             127.0.0.2
  web.dnsbl.sorbs.net            127.0.0.7
  xbl.spamhaus.org               127.0.0.4
  zen.spamhaus.org               127.0.0.4 127.0.0.11

The IP of your server (62.231.42.10) I found on these lists:

  blocked.secnap.net             127.0.0.2
  countries.nerd.dk              127.0.0.1
  ips.backscatterer.org          127.0.0.2

Your mail got 6.9 points on my SA (sorry for the German text):

  0.6 RCVD_IN_SORBS_WEB       RBL: SORBS: Senderechner ist ein ungesicherter WWW-Server [82.113.106.82 listed in dnsbl.sorbs.net]
  1.8 RCVD_IN_PSBL            RBL: Received via a relay in PSBL Spamikaze trap [82.113.106.82 listed in psbl.surriel.com]
  2.0 RCVD_IN_BL_SPAMCOP_NET  RBL: Transportiert via Rechner in Liste von www.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?82.113.106.82]
  0.5 RCVD_IN_BRBL            RBL: Received via a relay in Barracuda BRBL [82.113.106.82 listed in bb.barracudacentral.org]
  0.0 BAYES_50                BODY: Spamwahrscheinlichkeit nach Bayes-Test: 40-60% [score: 0.4896]
  2.0 KHOP_DNSBL_BUMP         Hits a trusted non-overlapping DNSBL

For me it seems that the MTA did an RBL lookup and rejected your mail due to being listed.

cheers
Ralph

Michelle Konzack wrote:
> Hello,
>
> Currently I am bombed by more than 100 Twitter messages per day and whenever I send a complaint to ab...@twiter.com I get a message from Google back:
>
> [ STDIN ]---
> Date: Sun, 22 Nov 2009 19:30:36 +
> From: Mail Delivery Subsystem mailer-dae...@googlemail.com
> To: tamay.do...@tamay-dogan.net
> Subject: Delivery Status Notification (Failure)
>
> Delivery to the following recipient failed permanently:
>
>   ab...@twitter.com
>
> Technical details of permanent failure:
> Message rejected. Please visit http://www.google.com/mail/help/bulk_mail.html to review our Bulk Email Senders Guidelines.
>
> - Original message -
>
> Received: by 10.216.91.81 with SMTP id g59mr1250353wef.128.1258918236730; Sun, 22 Nov 2009 11:30:36 -0800 (PST)
> Received: by 10.216.91.81 with SMTP id g59mr1250352wef.128.1258918236699; Sun, 22 Nov 2009 11:30:36 -0800 (PST)
> Return-Path: tamay.do...@tamay-dogan.net
> Received: from webmail.codefoundry.com (webmail.codefoundry.com [62.231.42.10]) by mx.google.com with ESMTP id m5si7690370gve.12.2009.11.22.11.30.36; Sun, 22 Nov 2009 11:30:36 -0800 (PST)
> Received-SPF: neutral (google.com: 62.231.42.10 is neither permitted nor denied by best guess record for domain of tamay.do...@tamay-dogan.net) client-ip=62.231.42.10;
> Authentication-Results: mx.google.com; spf=neutral (google.com: 62.231.42.10 is neither permitted nor denied by best guess record for domain of tamay.do...@tamay-dogan.net) smtp.mail=tamay.do...@tamay-dogan.net
> Received: from mail.private.tamay-dogan.net ([:::82.113.106.82]) (AUTH: CRAM-SHA256 konzack.michelle.tamay-catch...@codefoundry.com) by webmail.codefoundry.com with esmtp; Sun, 22 Nov 2009 19:38:25 + id 002BC9CA.4B099335.5B16
> Received: from michelle1.private.tamay-dogan.net (michelle1.private.tamay-dogan.net [:::192.168.0.91]) by mail.private.tamay-dogan.net with esmtp; Sun, 22 Nov 2009 20:30:03 +0100 id 0002BF43.4B09913C.2A92
> Received: by michelle1.private.tamay-dogan.net (sSMTP sendmail emulation); Sun, 22 Nov 2009 20:30:04 +0100
> Subject: Re: Mohammad Jafar wants to keep up with you on Twitter
> Message-Id: iljdo.a.2zd.8ez...@michelle1
> From: Tamay Dogan tamay.do...@tamay-dogan.net
> Sender: tamay.do...@tamay-dogan.net
> Date: Sun, 22 Nov 2009 20:30:04 +0100
> To: ab...@twitter.com
>
> Does someone know what's going on here?
>
> Since today I have the same problem with Facebook and Blogger... Collected since ~07:00 CET nearly 400 messages from them.
>
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
> Systemadministrator
> Tamay Dogan Network
> Debian GNU/Linux Consultant
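An added Python illustration of the RBL lookups behind the listings above (my own code, not from the thread): it builds the DNSBL query name, keeps only answers inside 127.0.0.0/8, and maps Spamhaus ZEN codes to their sub-lists. The resolver table is constructed from three of the codes quoted for 82.113.106.21, and the IPv6 branch goes beyond what the thread shows.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Constructed stand-in for DNS (query name -> A records). The entries mirror
# three of the listings quoted in the reply above for 82.113.106.21; any other
# name resolves to nothing, i.e. "not listed".
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "21.106.113.82.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"],
    "21.106.113.82.bl.spamcop.net": ["127.0.0.2"],
    "21.106.113.82.dnsbl.sorbs.net": ["127.0.0.7"],
}

# Published meaning of the Spamhaus ZEN return codes, keyed by the last octet.
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL (ISP maintained)", 11: "PBL (Spamhaus maintained)"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets for IPv4 (as in the thread),
    reversed hex nibbles of the fully expanded address for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def dnsbl_lookup(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """Return the listing codes for ip in zone. Only answers inside 127.0.0.0/8
    count: anything else comes from wildcard or hijacked DNS, not from the list."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    name = dnsbl_query_name(ip, zone)
    return [rec for rec in resolve(name) if ipaddress.ip_address(rec) in loopback]


def explain_zen(codes: List[str]) -> List[str]:
    """Translate ZEN answer codes into the sub-list that produced them."""
    return [ZEN_CODES.get(int(c.rsplit(".", 1)[1]), f"unknown ({c})") for c in codes]


def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])


def system_resolver(name: str) -> List[str]:
    """Live lookup through the OS resolver; not exercised by the example itself."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN (not listed) or no resolver reachable
        return []


if __name__ == "__main__":
    for zone in ("zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net", "psbl.surriel.com"):
        codes = dnsbl_lookup("82.113.106.21", zone, constructed_resolver)
        print(zone, codes or "not listed in constructed table")
    print(explain_zen(dnsbl_lookup("82.113.106.21", "zen.spamhaus.org", constructed_resolver)))
```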
Re: balancechecker.zip balancechecker.exe
rich...@buzzhost.co.uk wrote:
> On Mon, 2009-11-16 at 00:07 +0100, Ralph Bornefeld-Ettmann wrote:
>> rich...@buzzhost.co.uk wrote:
>>> Is anyone else seeing an influx of spam with a zip attachment balancechecker.zip? This contains a windows executable, balancechecker.exe, which appears to be testing clean with clam and others. I'm inclined to think it's *not* clean and is viral.
>>> EXAMPLE http://pastebin.com/m730f90e9
>>
>> I really do not think it is clean. It really sounds like a typical bogus mail.
>> See also here: http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/
>
> It is now starting to get picked up and I can see that it was reported at totalvirus on Friday. Yesterday it was passing many checkers as clean, including CLAMAV - which by its free nature - finds its way into many gateway scanners. This morning, however, is a different tale:
>
>   balancechecker.exe: Trojan.Zbot-6437 FOUND
>
>   --- SCAN SUMMARY ---
>   Known viruses: 649889
>   Engine version: 0.95.3
>   Scanned directories: 0
>   Scanned files: 1
>   Infected files: 1
>   Data scanned: 0.02 MB
>   Data read: 0.02 MB (ratio 1.00:1)
>   Time: 2.682 sec (0 m 2 s)

For me such mails are simply a logical question: Why should I run a program to check my balance? But normally I do not ask for logical thinking, since my users also tend to look for useable content in mails with subjects like "Do you want to f--k me?" :-)

Cheers
Ralph
Re: balancechecker.zip balancechecker.exe
rich...@buzzhost.co.uk wrote:
> Is anyone else seeing an influx of spam with a zip attachment balancechecker.zip? This contains a windows executable, balancechecker.exe, which appears to be testing clean with clam and others. I'm inclined to think it's *not* clean and is viral.
> EXAMPLE http://pastebin.com/m730f90e9

I really do not think it is clean. It really sounds like a typical bogus mail.
See also here: http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/
Re: facebook Spam Question
Hi,

AFAIK this is just coincidence. I don't have any accounts on such platforms but I also receive mails for password requests for Facebook, MySpace.

Cheers
Ralph

twofers wrote:
> This may not be an exact Spamassassin type question, but something happened to me recently concerning spam and I am hoping to get some feedback and thoughts about it.
>
> I have 3 websites on a VPS and with that several related email addresses, help@, support@, etc. I also have a customer that I host on my VPS; we do business together and I am the webmaster of his site. He has two email addresses, his@ and ad...@. Neither I nor my customer has ever had a facebook or twitter account.
>
> He was recently attending a business convention and he said several of his customers suggested he get a facebook and twitter account for business reasons. So he asked me and I created him both a facebook and twitter account and in the process I also created myself one of each. I used his business email address his@ and I used my personal ISP email address on embarqmail.com.
>
> Within a day after creating those accounts, both of us started receiving between 3 and 5 virused spam emails a day related to facebook. Virus attachment emails: Your password to facebook has been updated for security reasons, open the attachment to see your new password; your facebook profile has been updated, open the attachment..., etc. Open the zip file and double click on ?.exe to. We have been receiving them for days now, since last Sunday.
>
> We never have in the past ever received any facebook type spam emails. Especially like this. Either one of us. I also monitor his business email address, for customer complaints, suggestions, orders, and we never before have received anything related to facebook.
>
> A surprising thing is, I am also receiving between 3 and 5 daily emails via my other 3 websites' email addresses. These addresses are not even related to the new facebook accounts other than they are part of the VPS hosting the websites. I don't know if that's a considerable relationship?
>
> It could very well be coincidence I suppose, that we created those facebook accounts and almost immediately started receiving virus spam, but I really do not think so, based on our history. It seems too coincidental and it is affecting about 10 non-related email addresses also. I think something else is happening, although I do not know what to consider as I am not as knowledgeable about this as you are.
>
> What could be going on here? Any ideas? Is it coincidence?
>
> Thanks for any help.
> Wes
Re: How to reject spam where sender = receiver
John Hardin wrote:
> On Tue, 27 Oct 2009, rpc1 wrote:
>> My spamassassin plug doesn't check mail where sender address and receiver address are equal. Like this:
>>
>>   Return-Path: o...@domen.com
>>   X-Spam-Status: No, hits=0.0 required=3.2 tests=DNSBL_RELAYS.ORDB.ORG: 5.00,DNSBL_BL.SPAMCOP.NET: 5.00,DNSBL_SBL-XBL.SPAMHAUS.ORG: 5.00,BAYES_99: 4.07,HELO_DYNAMIC_IPADDR2: 3.818,HTML_IMAGE_ONLY_32: 1.052,HTML_MESSAGE: 0.001,MIME_HTML_ONLY: 0.001,NO_REAL_NAME: 0.961,URIBL_AB_SURBL: 3.812,URIBL_JP_SURBL: 4.087,URIBL_OB_SURBL: 3.008,URIBL_SBL: 1.639,URIBL_SC_SURBL: 4.498,URIBL_WS_SURBL: 2.14,CUSTOM_RULE_FROM: ALLOW,TOTAL_SCORE: 44.087
>>   X-Spam-Level:
>>   Received: from 75-148-3-221-WashingtonDC.hfc.comcastbusiness.net ([75.148.3.221]) by mail.tvtb.ru for o...@domen.com; Sun, 25 Oct 2009 07:53:00 +1000
>>   To: oper...@tvtb.ru
>>   Subject: A path leading to your well-being
>>   From: o...@domen.com
>>   MIME-Version: 1.0
>>   Importance: High
>>   Content-Type: text/html
>>
>> How can I create a new rule which will check equality of the fields TO and FROM ???
>
> I would suggest that is not really what you want to do, as you'll rarely see that on spam that isn't addressed to your domain.
>
> What you probably want to do is reject mail that is claiming to be from your domain, but does not actually originate from your domain - in other words, mail where someone is forging your domain name on the sender address. Is that a better description of what you want to do?
>
> That has been covered several times, I am pretty sure within the last month. Please check the list archives for the past two months for a thread having a subject like "to = from". You'll find a discussion of setting up an SPF record for your domain and using whitelist_from_auth to enforce it, and another discussion (involving me) of using milter-regex to reject such forged sender addresses at SMTP time. Both methods work well; I would modestly say milter-regex works better because it bypasses SA and is thus a lighter solution overall.
>
> <mutter>Maybe I should throw a rule like that into the sandbox and see how well it does...</mutter>

If you do not like SPF and you do not have remote users who are allowed to send mail with the local domain, you can add a rule to header checks. E.g. Postfix, /etc/postfix/header_checks:

  /^From:.*example\.com/ REJECT

Cheers
Ralph
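An added Python illustration (my own, not from the thread) of the two header checks discussed on this page: the '|'-prefixed From/To addresses from the "Pipe characters" thread, and John Hardin's "claims to be from our domain but did not originate here" criterion beside the header_checks regex above, which also fires on look-alike domains such as notexample.com. The example.com domain, the constructed messages, the tighter pattern and the authenticated flag are assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Placeholder local domain, as in the header_checks rule quoted above.
LOCAL_DOMAIN = "example.com"

# The Postfix header_checks pattern from the reply above, as a Python regex.
# It matches anywhere in the From: line, so display names and look-alike
# domains (notexample.com, example.com.attacker.net) trigger it as well.
LOOSE_PATTERN = re.compile(r"^From:.*example\.com")
# A tighter pattern (my own, not from the thread): the address part must end in
# @example.com, optionally followed by the closing angle bracket.
TIGHT_PATTERN = re.compile(r'^From:.*[^@\s<>"]+@example\.com>?\s*$')


def header_address(msg: Message, name: str) -> str:
    """Bare address of a From:/To: header: the part inside <>, or the whole
    value when there are no angle brackets, lower-cased."""
    value = msg.get(name, "")
    if "<" in value and ">" in value:
        value = value[value.index("<") + 1:value.index(">")]
    return value.strip().lower()


def header_check_matches(raw: str, pattern, name: str = "From") -> bool:
    """Apply a header_checks-style regex to one header line ('Name: value')."""
    msg = message_from_string(raw)
    return pattern.search(f"{name}: {msg.get(name, '')}") is not None


def is_forged_local_sender(raw: str, local_domain: str = LOCAL_DOMAIN,
                           authenticated: bool = False) -> bool:
    """John Hardin's criterion: the From: domain is ours but the message did not
    originate from us. 'authenticated' stands in for what the MTA knows (SASL
    login or a mynetworks source) and is an assumed input here."""
    domain = header_address(message_from_string(raw), "From").rpartition("@")[2]
    return domain == local_domain.lower() and not authenticated


def has_pipe_address(raw: str) -> bool:
    """The 'Pipe characters' thread: a From: or To: address starting with '|'."""
    msg = message_from_string(raw)
    return any(header_address(msg, h).startswith("|") for h in ("From", "To"))


# Constructed sample messages (not taken from the list).
CONSTRUCTED_FORGED = 'From: "Admin" <admin@example.com>\nTo: user@example.com\n\nreset your password\n'
CONSTRUCTED_LOOKALIKE = "From: Bob <bob@notexample.com>\nTo: user@example.com\n\nhi\n"
CONSTRUCTED_SUBDOMAIN = "From: x@example.com.attacker.net\nTo: user@example.com\n\nhi\n"
CONSTRUCTED_PIPE = "From: |pill@spam.invalid\nTo: |sales@example.com\n\nbuy\n"

if __name__ == "__main__":
    samples = [("forged", CONSTRUCTED_FORGED), ("lookalike", CONSTRUCTED_LOOKALIKE),
               ("subdomain", CONSTRUCTED_SUBDOMAIN), ("pipe", CONSTRUCTED_PIPE)]
    for label, raw in samples:
        print(label, "loose:", header_check_matches(raw, LOOSE_PATTERN),
              "tight:", header_check_matches(raw, TIGHT_PATTERN),
              "forged:", is_forged_local_sender(raw), "pipe:", has_pipe_address(raw))
```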
Re: Making this FN correctly scored as spam
Chris wrote:
> http://pastebin.com/m5e126ea
>
> This came to one of my addresses where what I usually get is 99% spam and was scored as ham; no matter what I've done I can't get it to score the minimum +5 points. After learning it as spam with sa-learn and using spamassassin -r to report to razor/pyzor/dcc and removing the sender's address from the AWL with spamassassin --remove-addr-from-whitelist it still scores below the required:
>
>   Content analysis details: (1.6 points, 5.0 required)
>
>    pts rule name              description
>   ---- ---------------------- --------------------------------------------------
>   -0.1 RCVD_IN_JMF_W          RBL: JunkEmailFilter: relay in white list (first pass) [66.114.171.113 listed in hostkarma.junkemailfilter.com]
>   -4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium trust [66.114.171.113 listed in list.dnswl.org]
>    5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100% [score: 1.]
>   -0.0 SPF_PASS               SPF: sender matches SPF record
>    0.0 DK_SIGNED              Domain Keys: message has a signature
>    0.0 DKIM_SIGNED            Domain Keys Identified Mail: message has a signature
>    0.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
>    0.0 HTML_MESSAGE           BODY: HTML included in message
>    0.7 MPART_ALT_DIFF         BODY: HTML and text parts are different
>    2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/) [localhost 1201; Body=many Fuz1=many] [Fuz2=many]
>   -2.2 KHOP_RCVD_TRUST        DNS-Whitelisted sender is verified
>
> These are few and far between, however there were two today that made it past. Any suggestions would be appreciated.

What about

  header   webex1 Received =~ /webexmailer\.com/i
  describe webex1 Mail from webexmailer
  score    webex1 10.0

  header   webex2 Received =~ /webex\.com/i
  describe webex2 Mail from webexmailer
  score    webex2 10.0

It seems webexmailer is a trusted mass-mailer, so you have to overrule the trusted whitelists (JMF, DNSWL, KHOP).

Ralph
Re: Any one interested in using a proper forum?
Michael Hutchinson wrote:
> Gidday Peter,
>
>> I don't know about anyone else, but I'm getting a bit hacked off with this 1980's style forum. I'm trying to get to the bottom of an SA issue and this list/forum thing is giving me a bigger headache than SA!
>
> It's a bit like that when you're using Mailing lists, just another thing to get used to in I.T. life!
>
>> Spamassassin has more than one or two users now and I personally think that it should have a support forum to match the class of software, which is now world class. I know it's free and all that, but even so, if this is the only form of support they provide, I'm thinking that I'll just start an alternative support forum, using standard, full featured forum software (like SMF). Is there any support for this? (I already know there will be opposition from those who are 'resident' here. Sorry guys, I just want to do something to help those who just dive in when they have an urgent problem. No hard feelings I hope.)
>
> FWIW I think you're driving at creating a forum that would be easier to use or understand for the average joe-bloggs user. This is all very well, but Mailing Lists aren't exactly hard to stay on top of. As for using E-Mail to discuss problems with Spamassassin, I can think of nothing more applicable. Anyone being an Admin of a Spamassassin enabled Mail Server should be familiar enough with E-Mail to be able to handle Mailing Lists without too much fuss. If this is such a big problem perhaps they shouldn't be Administering a Mail Filtering system at all.
>
> Just my 2 cents.
> Michael Hutchinson.

I did not subscribe to the mailing list. I am using news.gmane.org and for me this is by far the best way to read. No forum software needed, no rules needed, I only need a newsreader (Thunderbird does this job quite well for me). Not everything that looks old fashioned is less comfortable than a teletubby web interface ;-)

Just to add my 2 cents.
Ralph Bornefeld-Ettmann