Re: Catching well directed spear phishing messages
On Tuesday 28 June 2016 12:03 PM, Raymond Dijkxhoorn wrote:
> Hi!
>
> I don't understand why they would match your SPF record either. Are they sent out by an IP address you 'approved'?

SPF does not fail, because they use a different envelope address, which may pass SPF. The end recipient does not check the envelope anyway.

> Thanks,
> Raymond Dijkxhoorn
>
> On 28 Jun 2016 at 03:27, jdebert <jdeb...@garlic.com> wrote:
>
>> On Mon, 27 Jun 2016 18:41:04 +0530 Ram <r...@netcore.co.in> wrote:
>>
>>> I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account. These messages were initially few and I ignored them. But now this has become a problem.
>>>
>>> I know these are not spam messages so catching them will be out of scope for a spam filter. These messages have different envelope ids so SPF checks always pass. The header From is properly formatted exactly how it will be in a normal mail.
>>>
>>> What measures do you take for such spear phishing?
>>>
>>> Thanks
>>> Ram
>>
>> You're not using the proper tools. You cannot expect spamassassin to magically prevent all such messages. Just because spamassassin or any other filter passes such a message does not mean it is valid. To use spamassassin and filters to block such messages gives a false sense of security and leads to false assumptions of authenticity.
>>
>> Your company must enforce strict AP controls to prevent payouts based on such messages and the controls must apply to everyone, including the CEO. Those are the proper tools.
>>
>> Given that these messages are appearing more frequently, it may be that some have already been successful. I suggest you consider an AP audit to ensure that this is not the case.
Re: Catching well directed spear phishing messages
On Monday 27 June 2016 06:50 PM, Reindl Harald wrote:
> On 27.06.2016 at 15:11, Ram wrote:
>> I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account
>
> happens all day long
>
>> I know these are not spam messages so catching them will be out of scope for a spam filter.
>
> "appear to come from" is by definition a spam message and most of that crap *in fact* is trainable and catchable with a combination of clamav-signatures (sanesecurity) and bayes
>
>> These messages have different envelope ids so SPF checks always pass. The header From is properly formatted exactly how it will be in a normal mail. What measures do you take for such spear phishing?
>
> without a sample or a crystal ball hard to say

Here is the sample. I just redacted the actual recipient email id and name.

Return-Path: <c-le...@cognitorex.com>
Received: from ho.targeteddomain.com ([unix socket]) by ho.targeteddomain.com with LMTPA; Thu, 23 Jun 2016 15:12:30 +0530
X-Sieve: CMU Sieve 2.4
X-Envelope-From: <c-le...@cognitorex.com>
Received: from p3plwbeout16-06.prod.phx3.secureserver.net (p3plsmtp16-06-2.prod.phx3.secureserver.net [173.201.193.64]) by mta3p4r.targeteddomain.com (Postfix) with ESMTP id CCF881284F for <vish@targeteddomain.com>; Thu, 23 Jun 2016 15:11:43 +0530 (IST)
Received: from localhost ([173.201.193.27]) by p3plwbeout16-06.prod.phx3.secureserver.net with bizsmtp id A9hj1t0010bvwv9019hjyn; Thu, 23 Jun 2016 02:41:43 -0700
X-SID: A9hj1t0010bvwv901
Received: (qmail 7400 invoked by uid 99); 23 Jun 2016 09:41:43 -
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 41.144.23.225
User-Agent: Workspace Webmail 6.3.7
Message-Id: <20160623024142.b85a750d2ce78aac2cd21c9e32050f02.6816dce81f@email16.godaddy.com>
From: "YY Jain" <yyy...@targeteddomain.com>
X-Sender: c-le...@cognitorex.com
Reply-To: "YY Jain" <exe...@execs.com>
To: ...@targeteddomain.com
Subject: RE: SV/PI- Ref - 909020AX
Date: Thu, 23 Jun 2016 02:41:42 -0700
Mime-Version: 1.0
X-NetcoreISpam11-ECMScanner-Information: Please contact Netcore Support for more information
X-NetcoreISpam11-MailScanner-ID: E7ADE5F.A055E
X-NetcoreISpam11-ECMScanner: Found to be clean
X-NetcoreISpam11-ECMScanner-SpamCheck: not spam, CTSCORE : 0 str=0001.0A160205.576BAEE5.013C:SCFMA16949757, ss=1, re=-1.900, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, SpamAssassin (not cached, score=0.701, required 5, autolearn=disabled, ECM_HDR_MISMATCH1 0.10, ECM_PHISH 0.50, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.10)
X-NetcoreISpam11-ECMScanner-From: c-le...@cognitorex.com
X-MailServ-MailFilter-MailScanner-Information: Please contact the ISP for more information
X-MailServ-MailFilter-MailScanner-ID: EF7C66C466.AB237
X-MailServ-MailFilter-MailScanner: Found to be clean
X-MailScanner-From: c-le...@cognitorex.com

- Process Rtgs Tf to this below account -
BANK NAME : UNJAB NATIONAL BANK
BENEFICIARY NAME : KARAN SHYAM SINGH
ACCOUNT NO : 038600692824
IFSC CODE : UNB0038600
BRANCH : CAMP
PAN NO: GAHPS7812F
AMOUNT - 3.1 Lacs

I will provide the Invoice later in the day as i am busy now, and please make sure they receive in their account before 3pm

Thanks,
YY
Catching well directed spear phishing messages
I am seeing messages that appear to come from the MD or the CEO of the company to the accounts department asking people to transfer money to some fake account. These messages were initially few and I ignored them. But now this has become a problem.

I know these are not spam messages so catching them will be out of scope for a spam filter. These messages have different envelope ids so SPF checks always pass. The header From is properly formatted exactly how it will be in a normal mail.

What measures do you take for such spear phishing?

Thanks
Ram
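The redacted sample in this thread shows the pattern: From: is in the local domain (targeteddomain.com) while Return-Path, X-Sender and Reply-To point at outside domains. The SpamAssassin rules below are an added example, not from the thread, that score exactly that mismatch; the LOCAL_ rule names are made up, and targeteddomain.com stands in for the site's own domain as in the sample.

```spamassassin
# Added example: flag mail whose header From claims the local domain while the
# envelope sender (SpamAssassin's EnvelopeFrom pseudo-header, taken from
# Return-Path / X-Envelope-From) or the Reply-To points somewhere else.
# targeteddomain.com is the redacted local domain from the sample; replace it.

# Sub-rules: a leading __ means they add no score on their own
header   __LOCAL_HDR_FROM_INTERNAL   From:addr =~ /\@targeteddomain\.com$/i
header   __LOCAL_ENV_FROM_INTERNAL   EnvelopeFrom =~ /\@targeteddomain\.com$/i
header   __LOCAL_REPLYTO_EXISTS      exists:Reply-To
header   __LOCAL_REPLYTO_INTERNAL    Reply-To:addr =~ /\@targeteddomain\.com$/i

# Header From is internal but the envelope sender is not
# (sample: Return-Path <c-le...@cognitorex.com>)
meta     LOCAL_BEC_ENVELOPE_MISMATCH (__LOCAL_HDR_FROM_INTERNAL && !__LOCAL_ENV_FROM_INTERNAL)
describe LOCAL_BEC_ENVELOPE_MISMATCH From: claims local domain but envelope sender is external
score    LOCAL_BEC_ENVELOPE_MISMATCH 3.0

# Header From is internal but replies are steered to an outside mailbox
# (sample: Reply-To "YY Jain" <exe...@execs.com>); exists: is needed because a
# missing Reply-To would otherwise satisfy the negated match
meta     LOCAL_BEC_REPLYTO_EXTERNAL (__LOCAL_HDR_FROM_INTERNAL && __LOCAL_REPLYTO_EXISTS && !__LOCAL_REPLYTO_INTERNAL)
describe LOCAL_BEC_REPLYTO_EXTERNAL From: claims local domain but Reply-To is external
score    LOCAL_BEC_REPLYTO_EXTERNAL 2.5

# Both together is the full pattern of the sample; the extra points push the
# total (3.0 + 2.5 + 2.0) past the default 5.0 threshold on that header set alone
meta     LOCAL_BEC_FORGED_EXEC (LOCAL_BEC_ENVELOPE_MISMATCH && LOCAL_BEC_REPLYTO_EXTERNAL)
describe LOCAL_BEC_FORGED_EXEC Internal From: with external envelope sender and Reply-To
score    LOCAL_BEC_FORGED_EXEC 2.0
```

Mailing lists and forwarders rewrite the envelope sender, so legitimate mail from staff arriving through those hosts will hit LOCAL_BEC_ENVELOPE_MISMATCH; exempt such hosts (for example with whitelist_from_rcvd) before relying on the combined score.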
Re: SA both at external and internal servers
On 08/02/2013 01:39 AM, N. Raghavendra wrote:
> I work in a setup where the external mail server (say, extmail.example.com) in a DMZ runs Spamassassin as soon as mail arrives from the Internet, and then passes the mail to an internal mail server (say, intmail.example.com) which has user maildirs. The trouble is that the Spamassassin filtering at extmail isn't good, and a lot of spam gets through as ham to intmail. However, the intmail machine also has Spamassassin. Is it possible for me, as a user, to refilter the mail coming in from extmail through Spamassassin using procmail on intmail?
>
> In case it's relevant, the mail coming in from extmail has headers like this:
>
> X-FOO-MailScanner-Information: Please contact *** for more info
> X-FOO-MailScanner-ID: CD5545F305.A22A6
> X-FOO-MailScanner: Found to be clean
> X-FOO-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-5.818, required 5, autolearn=not spam, BAYES_00 -1.90, HTML_IMAGE_RATIO_04 0.56, HTML_MESSAGE 0.00, MIME_HTML_MOSTLY 0.43, MPART_ALT_DIFF 0.79, RCVD_IN_DNSWL_HI -5.00, RP_MATCHES_RCVD -0.70, T_REMOTE_IMAGE 0.01, UNPARSEABLE_RELAY 0.00)
> X-FOO-MailScanner-From: epromoti...@bar.com
> X-Spam-Status: No

Bayes and dnswl rules are causing spams to get misclassified here. You can (allegedly :-)) train your bayes, but I could not do this successfully myself with spammers deliberately putting junk text in mails. Use better network based rules.

Filtering twice with the same rules, IMHO, will be really pointless. Just more cpu cycles consumed.

> Thanks and best regards,
> Raghu.
How do I write a custom rule to match any header
I want to write a custom rule that matches if any header contains a particular string. How do I do this?
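An added example of such a rule (not from the thread): SpamAssassin's ALL pseudo-header holds every header line of the message joined with newlines, so a single header rule against ALL covers them all. The rule names and "particular string" are placeholders.

```spamassassin
# Added example: match a string that appears anywhere in the headers.
# ALL is SpamAssassin's pseudo-header containing all header lines, so one regex
# is checked against every header. Replace "particular string" with the text
# you are looking for; /i makes the match case-insensitive.
header   LOCAL_ANY_HDR_STRING  ALL =~ /particular string/i
describe LOCAL_ANY_HDR_STRING  Some header contains the string
score    LOCAL_ANY_HDR_STRING  1.0

# Variant: require the string at the start of a header line, i.e. as a header
# name rather than inside a value. ALL joins headers with newlines, so the /m
# flag lets ^ anchor at the beginning of each line.
header   LOCAL_ANY_HDR_NAME    ALL =~ /^X-Particular-Header:/mi
describe LOCAL_ANY_HDR_NAME    Message carries an X-Particular-Header header
score    LOCAL_ANY_HDR_NAME    0.5
```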
Spamreport plugin for email clients
When I ask users to send misclassified mails (FN or FP) as an attachment, they often don't get it right. Also attaching from Outlook, Windows Live Mail etc. is a big pain.

Is there an Outlook plugin people can use to report spam, that can come to a URL or by mail?

Thanks
Ram
What is spamhaus BGPCC list
I have seen some listings on Spamhaus as "Spamhaus Botnet CC (BGPCC) List". See for eg. http://www.spamhaus.org/sbl/query/SBL140862 (this listing is available at least for now).

What is this.. a new list? What is the criteria for listing? Do I include lookups for these too in scoring my mails in spamassassin?

Thanks
Ram
Spam from google photos ?
These are the headers: http://pastebin.com/udbDgJ8L

Seems to have come from Google, but is spam. I can't even read the language :)
SURBL down ?
I am not able to look up SURBL. In fact the domain surbl.org does not seem to exist at all.

[root@pop2 bin]# dig surbl.org +short
[root@pop2 bin]#

I am sorry if this is old news.. I have no idea since when SURBL went down?

Thanks
Ram
Re: Mark all invites as spam
On Fri, 2011-12-09 at 10:20 +0100, Robert Schetterer wrote:
> On 09.12.2011 13:58, Ram wrote:
>> If I want to mark *all* invite mails as spam: linkedin, WAYN, facebook, google+ or anything else. Is there a global way of doing this?
>
> my short solution was blacklist facebook invites, as far as i know they always use the same sender address

Are generic invite addresses available somewhere.. so that I can put all of them in the blacklist?
Mark all invites as spam
If I want to mark *all* invite mails as spam: linkedin, WAYN, facebook, google+ or anything else. Is there a global way of doing this?
Re: How do I get delisted from SORBS? [OT]
On Thu, 2010-10-07 at 05:27 -0700, Marc Perkel wrote:
> Got this listing on sorbs:
>
> SORBS DNSBL http://www.de.sorbs.net/ 127.0.0.2 Aggregate zone
> See: http://www.sorbs.net/lookup.shtml?65.49.42.106; http://www.de.sorbs.net/overview.shtml
>
> Went to their web site and can't find a way to remove it. Their web site is barely responsive and there doesn't seem to be a removal tool. Anyone else having this problem or can give me some insight as to what is going on?

If you create a support ticket they respond (usually within a month :-)) and most likely delist the ip address. The problem with sorbs is that they take an unreasonably long time to list or delist.

I have had machines listed because of relaying spams due to bad passwords. While the listing itself is quite reasonable.. SORBS seems to notice the outbreak only a month after the spam outbreak happened and was stopped.

Thanks
Ram
Re: spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
On Sun, May 9, 2010 at 1:03 AM, Benny Pedersen m...@junc.org wrote:
> On Sat 08 May 2010 16:38:58 CEST, ram wrote
>> User-Agent: Internet Messaging Program (IMP) 3.2.5
>
> un updated webmail

what does that mean?

Ram
Re: spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
On Wed, May 5, 2010 at 6:49 PM, Bowie Bailey bowie_bai...@buc.com wrote:
> ram wrote:
>> i still see these errors
>>
>> May 5 10:28:03.484 [3153] dbg: config: warning: score set for non-existent rule SHORTCIRCUIT
>> May 5 10:28:03.485 [3153] dbg: config: warning: score set for non-existent rule SUBJ_RE_NUM
>> May 5 10:28:03.485 [3153] dbg: config: warning: score set for non-existent rule FM_VIAGRA_SPAM1114
>> May 5 10:28:03.485 [3153] dbg: config: warning: score set for non-existent rule AXB_HELO_LH_HOME
>> May 5 10:28:03.486 [3153] dbg: config: warning: score set for non-existent rule ACCESSDB
>
> You are setting scores for non-existent rule names. This will have no adverse effect on SA other than generating the warnings. Look in your local.cf file and delete the score lines for these rules to get rid of the warning messages.

ok thanks, let me tweak the local.cf. but i still see spam getting in:

Return-Path: e...@w.cn
Delivered-To: u...@realdomain.com
Received: (qmail 6203 invoked from network); 8 May 2010 06:46:07 +0530
Received: by simscan 1.4.0 ppid: 6180, pid: 6187, t: 5.6827s scanners: regex: 1.4.0 attach: 1.4.0 clamav: 0.96/m:52/d:10942 spam: 3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail4.*realdomain.com*
X-Spam-Level:
X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_95,MISSING_SUBJECT, T_FILL_THIS_FORM_SHORT,T_LOTS_OF_MONEY autolearn=no version=3.3.1
Received: from mta03.eastlink.ca (24.224.136.9) by mail4.*realdomain.com* with SMTP; 8 May 2010 06:46:02 +0530
Received-SPF: none (mail4.*realdomain.com*: domain at w.cn does not designate permitted sender hosts)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from ip05.eastlink.ca ([unknown] [24.222.39.68]) by mta03.eastlink.ca (Sun Java(tm) System Messaging Server 7.3-11.01 64bit (built Sep 1 2009)) with ESMTP id 0l2200na3u7b0...@mta03.eastlink.ca for u...@*realdomain.com*; Fri, 07 May 2010 22:16:23 -0300 (ADT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApQHAPJX5EvOhDAYmWdsb2JhbACdQVoVAQEBAQEICwoHESEBhg6vHYkBhRUEjHuCUAI
X-IronPort-AV: E=Sophos;i=4.52,351,1270436400; d=scan'208;a=788773172
Received: from mail1.xcelco.on.ca ([206.132.48.24]) by ip05.eastlink.ca with ESMTP; Fri, 07 May 2010 22:15:48 -0300
Received: from www1.xcelco.on.ca (www1.xcelco.on.ca [206.132.48.23]) by mail1.xcelco.on.ca (Postfix) with ESMTP id D1407D0CFCD; Fri, 07 May 2010 19:17:51 -0400 (EDT)
Received: from a4.pantarhei.ba.cust.gts.sk (a4.pantarhei.ba.cust.gts.sk [195.168.109.60]) by webmail.xcelco.on.ca(IMP) with HTTP for bked...@imap.xcelco.on.ca; Fri, 07 May 2010 19:18:19 -0400
Message-id: 1273274299.4be49fbbc3...@webmail.xcelco.on.ca
Date: Fri, 07 May 2010 19:18:19 -0400
From: G.Epps e...@w.cn
Reply-to: wu.africadeptt2...@w.cn
User-Agent: Internet Messaging Program (IMP) 3.2.5
X-Originating-IP: 195.168.109.60
To: undisclosed-recipients: ;

You have $50,000, confirm receipt by sending your name, address, age, phone number etc to (wu.africadeptt2...@w.cn)
Re: Scanning Outbound emails
On Wed, 2010-05-05 at 10:44 +0300, Alans wrote:
> Hi all,
>
> Can we use spamassassin in an ISP environment to scan outbound emails?
>
> Regards,
> Alans

Yes. But separate out your inbound and outbound scans. For outbound, disable all IP based rules because they will cause FPs. Also we have often seen fingerprinting methods also cause FPs.

And what do you plan to do with the spams? On my servers I just add the score header and let the mail go, but send a copy to a program. If more than 10 occur in 30 minutes from the same customer, the customer's account is temporarily blocked and we manually check.

Thanks
Ram
Re: spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
On Mon, May 3, 2010 at 7:28 PM, Benny Pedersen m...@junc.org wrote:
> On Mon 03 May 2010 07:51:01 CEST, ram wrote
>> this is my output super
>>
>> May 3 11:19:22.416 [621] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
>
> remove that use_auto_whitelist line in local.cf
>
> more info see
> perldoc Mail::SpamAssassin::Plugin::AWL
> perldoc Mail::SpamAssassin::Conf
>
> i'm lost on whether this config is in a plugin now or not, but if it is then
>
> ifplugin Mail::SpamAssassin::Plugin::AWL
> use_auto_whitelist 1
> endif # Mail::SpamAssassin::Plugin::AWL
>
> and check all *.pre files for plugins needed or not needed, most defaults are fine but being in control is better :)

Hi thanks, i have changed the v320.pre file. it was commented, i did uncomment it and the error is gone. i still see these errors:

May 5 10:28:03.484 [3153] dbg: config: warning: score set for non-existent rule SHORTCIRCUIT
May 5 10:28:03.485 [3153] dbg: config: warning: score set for non-existent rule SUBJ_RE_NUM
May 5 10:28:03.485 [3153] dbg: config: warning: score set for non-existent rule FM_VIAGRA_SPAM1114
May 5 10:28:03.485 [3153] dbg: config: warning: score set for non-existent rule AXB_HELO_LH_HOME
May 5 10:28:03.486 [3153] dbg: config: warning: score set for non-existent rule ACCESSDB

any suggestions

Ram
Re: Filtering zip spam
On Tue, 2010-04-27 at 11:08 -0400, Alex wrote:
> Hi,
>
>> Might as well just block all of \.fr at smtp time for that matter :-)
>>
>> Poor France :(
>
> I mostly do... au revoir Le France
>
> Somewhat off-topic, but in the interest of increasing awareness, India reportedly ranks first:
> http://www.dnaindia.com/mumbai/report_india-ranks-first-in-sending-spam-mails_1374118

If you read it, India ranks first in the Asia Pacific region. No surprises: Afghanistan has almost no internet, Pakistan has almost no power, and Bangladesh has almost no users. The others are too small.

Worldwide most spam comes from the US and China, followed by Russia: http://www.spamhaus.org/statistics/countries.lasso. India doesn't even figure in the top 20.
Re: spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
On Wed, Apr 28, 2010 at 10:11 PM, Benny Pedersen m...@junc.org wrote:
> On Wed 28 Apr 2010 10:55:10 CEST, ram wrote
>> /usr/bin/spamd -V
>> SpamAssassin Server version 3.3.1
>>   running on Perl 5.8.8
>>   with SSL support (IO::Socket::SSL 1.01)
>>   with zlib support (Compress::Zlib 1.42)
>
> spamassassin 2>&1 -D --lint | less
>
> see what gets loaded where

Sorry for the delay. when i run that command, at the end i get this:

warn: lint: 1 issues detected, please rerun with debug enabled for more information

Ram
Re: spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
Hi thanks, but when i reran it the next time i have not seen that error. is that normal behaviour?

Ram

On Wed, Apr 28, 2010 at 11:29 AM, C.M. Burns montibu...@googlemail.com wrote:
> ram wrote:
>> Hi
>>
>> i have recently updated from 3.2.X to 3.3.X. when i restart i get this message:
>>
>> spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
>>
>> any suggestions
>>
>> Ram
>
> As far as I remember the AWL plugin is not loaded by default anymore. You have to load the plugin in your config file. I think this was mentioned in the update FAQ
>
> bye
> SK
Re: spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
after the update it also still shows the old version. why?

X-Spam-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_00, DATE_IN_PAST_03_06,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY, RCVD_IN_SORBS_WEB autolearn=no version=3.2.5

On Wed, Apr 28, 2010 at 11:36 AM, ram talk2...@gmail.com wrote:
> Hi thanks, but when i reran it the next time i have not seen that error. is that normal behaviour?
>
> Ram
>
> On Wed, Apr 28, 2010 at 11:29 AM, C.M. Burns montibu...@googlemail.com wrote:
>> ram wrote:
>>> Hi
>>>
>>> i have recently updated from 3.2.X to 3.3.X. when i restart i get this message:
>>>
>>> spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
>>>
>>> any suggestions
>>>
>>> Ram
>>
>> As far as I remember the AWL plugin is not loaded by default anymore. You have to load the plugin in your config file. I think this was mentioned in the update FAQ
>>
>> bye
>> SK
Re: Top Ten Rules
On Fri, Apr 23, 2010 at 1:06 AM, Alex mysqlstud...@gmail.com wrote:
> Hi,
>
>>> How many entries? Does it just keep growing? We have a local one too, and every so often correlate it with the public RBLs so as to not duplicate the check and overhead.
>>
>> They expire in 2 weeks. They should make it into a public RBL by that time. Maybe it should even be shorter.
>
> I'm not sure that's the best approach. I can't say definitively, of course, but that seems very quick for them to automatically be expunged after two weeks. Do you have routines that query the blacklists periodically and remove the entries from your list based on the query result? I think that if you thought it was spam at one point, and even several months later it hasn't been listed on one of the public RBLs, then either submit it to them, or at least keep it on your list or recheck it manually. Of course it depends on your workload, inherent benefit, etc...
>
>>> Sender address? Are you talking about protection from dictionary attacks, like a...@columbia.edu, b...@... etc?
>>
>> If the sender claims to be a...@columbia.edu, then we can verify whether the localpart aaa exists. Our own domain is the only one for which we can check localpart, of course. If it does not exist, goodbye.
>
> Ah, that's a different matter. That's an easy one that we all do too.
>
>> Joseph Brennan
>> Columbia University Information Technology
>
> It would be very cool to work at Columbia :-)
>
> Regards,
> Alex

my stats for the new server show like this (sitewide spamassassin). is the spamassassin configured in a good way? or any suggestions

./sa-stats
Email:    3347  Autolearn: 1422  AvgScore:  1.44  AvgScanTime: 8.03 sec
Spam:      689  Autolearn:  287  AvgScore: 11.72  AvgScanTime: 8.16 sec
Ham:      2658  Autolearn: 1135  AvgScore: -1.23  AvgScanTime: 8.00 sec

Time Spent Running SA:      7.47 hours
Time Spent Processing Spam: 1.56 hours
Time Spent Processing Ham:  5.90 hours

TOP SPAM RULES FIRED
RANK  RULE NAME                   COUNT  %OFMAIL  %OFSPAM  %OFHAM
   1  HTML_MESSAGE                  455    69.82    66.04   70.81
   2  RAZOR2_CHECK                  409    15.72    59.36    4.40
   3  RAZOR2_CF_RANGE_51_100        389    14.40    56.46    3.50
   4  BAYES_99                      357    10.67    51.81    0.00
   5  RAZOR2_CF_RANGE_E4_51_100     259     8.25    37.59    0.64
   6  AWL                           251    67.85    36.43   76.00
   7  RAZOR2_CF_RANGE_E8_51_100     230     9.17    33.38    2.90
   8  PYZOR_CHECK                   223     7.59    32.37    1.17
   9  MIME_HTML_ONLY                220    22.74    31.93   20.35
  10  URIBL_BLACK                   208     7.92    30.19    2.14
  11  DIGEST_MULTIPLE               200     6.01    29.03    0.04
  12  URIBL_JP_SURBL                172     5.32    24.96    0.23
  13  BAYES_50                      157     7.80    22.79    3.91
  14  RDNS_NONE                     148     9.59    21.48    6.51
  15  SUBJ_ALL_CAPS                 147     7.38    21.34    3.76
  16  FORGED_MUA_OUTLOOK            129     4.51    18.72    0.83
  17  MISSING_HEADERS               129     5.08    18.72    1.54
  18  RCVD_IN_SORBS_WEB             126     8.37    18.29    5.79
  19  URIBL_WS_SURBL                124     3.79    18.00    0.11
  20  HTML_MIME_NO_HTML_TAG         121     7.83    17.56    5.30

TOP HAM RULES FIRED
RANK  RULE NAME                   COUNT  %OFMAIL  %OFSPAM  %OFHAM
   1  BAYES_00                     2491    75.83     6.82   93.72
   2  AWL                          2020    67.85    36.43   76.00
   3  HTML_MESSAGE                 1882    69.82    66.04   70.81
   4  SPF_HELO_PASS                 577    17.90     3.19   21.71
   5  MIME_HTML_ONLY                541    22.74    31.93   20.35
   6  DEAR_SOMETHING                276     9.08     4.06   10.38
   7  RCVD_IN_DNSWL_MED             195     5.92     0.44    7.34
   8  MISSING_MID                   192     8.93    15.53    7.22
   9  RDNS_NONE                     173     9.59    21.48    6.51
  10  RCVD_IN_SORBS_WEB             154     8.37    18.29    5.79
  11  HTML_MIME_NO_HTML_TAG         141     7.83    17.56    5.30
  12  RCVD_IN_DNSWL_LOW             119     6.30    13.35    4.48
  13  RAZOR2_CHECK                  117    15.72    59.36    4.40
  14  MIME_QP_LONG_LINE             110     4.06     3.77    4.14
  15  BAYES_50                      104     7.80    22.79
Re: spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
both installed from rpm

Ram

On Wed, Apr 28, 2010 at 12:14 PM, Jari Fredriksson ja...@iki.fi wrote:
> On 28.4.2010 9:10, ram wrote:
>> after the update it also still shows the old version. why?
>>
>> X-Spam-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_00, DATE_IN_PAST_03_06,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY, RCVD_IN_SORBS_WEB autolearn=no version=3.2.5
>
> Maybe you used to use the distro packaged version /usr/sbin/spamd and now you compiled from source or from CPAN: /usr/local/bin/spamd
>
> The /etc/init.d/spamassassin or such must be changed to start the correct version.
>
> --
> http://www.iki.fi/jarif/
>
> There is no hunting like the hunting of man, and those who have hunted armed men long enough and liked it, never care for anything else thereafter. -- Ernest Hemingway
Re: spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
/usr/bin/spamd -V
SpamAssassin Server version 3.3.1
  running on Perl 5.8.8
  with SSL support (IO::Socket::SSL 1.01)
  with zlib support (Compress::Zlib 1.42)

On Wed, Apr 28, 2010 at 12:14 PM, Jari Fredriksson ja...@iki.fi wrote:
> On 28.4.2010 9:10, ram wrote:
>> after the update it also still shows the old version. why?
>>
>> X-Spam-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_00, DATE_IN_PAST_03_06,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY, RCVD_IN_SORBS_WEB autolearn=no version=3.2.5
>
> Maybe you used to use the distro packaged version /usr/sbin/spamd and now you compiled from source or from CPAN: /usr/local/bin/spamd
>
> The /etc/init.d/spamassassin or such must be changed to start the correct version.
>
> --
> http://www.iki.fi/jarif/
>
> There is no hunting like the hunting of man, and those who have hunted armed men long enough and liked it, never care for anything else thereafter. -- Ernest Hemingway
spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1
Hi

i have recently updated from 3.2.X to 3.3.X. when i restart i get this message:

spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1

any suggestions

Ram
newbie for spam optimisation
Hi

i have installed spamassassin 3.2.5 with qmail. i would like to configure it site wide so i am following this URL: http://wiki.apache.org/spamassassin/SiteWideBayesSetup

I have added the lines

bayes_path /var/spamassassin/bayes/bayes
bayes_file_mode 0777

to my /etc/mail/spamassassin/local.cf file.

sa-learn --spam --showdots --dir /path/to/directory/full/of/spam/msgs
sa-learn --ham --showdots --dir /path/to/directory/full/of/ham/msgs

i have not been able to understand this path? do i need to create a separate user for this like s...@domain.com, is this correct?

so all my users are using Outlook Express. when they see some message is spam, how can i ask them to report back so that i can create rules based on that?

Any suggestion or help is appreciated

Ram
Re: newbie for spam optimisation
On Thu, Apr 8, 2010 at 12:27 AM, John Hardin jhar...@impsec.org wrote:
> On Wed, 7 Apr 2010, ram wrote:
>> sa-learn --spam --showdots --dir /path/to/directory/full/of/spam/msgs
>> sa-learn --ham --showdots --dir /path/to/directory/full/of/ham/msgs
>>
>> i have not been able to understand this path? do i need to create a separate user for this like s...@domain.com, is this correct?
>
> No, you don't _need_ a special user in your domain to catch spam for training. There are ways to do that, look up spamtrap for instance.

But as per the document, domain wide, a user needs to be created and the users asked to forward the spam mail to that user, and then learn. correct me if my understanding is wrong.

>> so all my users are using Outlook Express. when they see some message is spam, how can i ask them to report back so that i can create rules based on that?
>
> How are your users retrieving their mail from the server? POP or IMAP?
>
> If they are using POP then it becomes difficult, as the mail client will unavoidably mangle the spam messages when your users try to send them to you to be learned. I'll let others who actually use POP comment on that.

90% of my users are Outlook Express.. people on the roam use IMAP, but it's only 20%, but i am more concerned about people using OE. i would appreciate it if someone is using this kind of setup.

> If you are using IMAP it becomes really easy. Just set up a SpamAssassin-SPAM mail folder for each user, tell them to _move_ spams from their inbox to that folder, and train from it nightly.
>
> Poke around under http://www.impsec.org/~jhardin/antispam/ for some scripting that you can use as a starting point.

thanks for the link, let me see what best i can do for the users who are using IMAP

Ram
Re: Filtering eMails with certain subjects
On Wed, 2010-03-17 at 08:45 +0100, Per Jessen wrote:
> Hans-Werner Friedemann wrote:
>> Hi @ all
>>
>> I have another newbie question but I can't find any information about that. How can I adjust in SA that emails with a certain subject are listed in my blacklist and filtered out?
>>
>> Thanks for any help!
>
> Add this to your ruleset:
>
> header HW_RULE1 Subject =~ /certain subject/

Or just use

blacklist_subject certain subject

with this plugin: http://wiki.apache.org/spamassassin/WhiteListSubjectPlugin
Re: Bogus mails from hijacked accounts
On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote:
> We seem to be having a problem where clients that we interact with regularly are having their hotmail/gmail/yahoo accounts hijacked. We are receiving e-mails from their accounts that legitimately go through the correct servers (hotmail, yahoo, etc.) and so they get passed through our spam filters. The messages have different bodies but basically say the same thing: that they were on vacation and had all their money stolen so they need to have money wire transferred to them.
>
> Obviously we just have to tell the clients that they need to deal with the various e-mail providers, but is there an effective way that I can filter these messages out before my users see them without blacklisting the address? In one case I had probably 15 users that received the same message and naturally they freaked out.

Why only free accounts? The 419'ers hijack legitimate corporate accounts too. Again, as the IPs have good reputation and the mails land in the inbox, I think the only way of handling this is to send proper abuse reports. Probably the free mail providers are less responsive to abuse reports than corporate ones.

Thanks
Ram
Spamhaus DBL
http://www.spamhaus.org/dbl/

I think sa-folks would have this already in some URIBL rule. What are the scores you assign for a DBL positive hit?

I assume my current datafeed would already extend to data access on the DBL list. I will have to set up my rbldnsd before trying this out.
Re: Bogus Dollar Amounts
On Wed, Feb 24, 2010 at 8:44 PM, Dennis B. Hopp dh...@coreps.com wrote:
> I have been seeing a few spam mails slip past that talk about being able to get bogus dollar amounts. What I mean by that is it will give a large value in the e-mail but where there should be a comma it puts a period. I put an example of one of these messages at:
>
> http://pastebin.com/SXuGELUS
>
> Are there any rules that can detect this? The only rules this hit on mine are:
>
> 1.900 DCC_CHECK
> 1.449 RCVD_IN_BRBL_LASTEXT
> 1.000 RCVD_IN_BRBL
> -0.001 SPF_PASS
> -0.010 T_RP_MATCHES_RCVD
> -1.900 BAYES_00

http://pastebin.com/6c9sEEn9

even though i recently installed a new qmail server, i still see a lot of junk mail coming with different characters. i cannot even read them clearly. how can i stop those kinds of emails?

Ram
Re: Off Topic - SPF - What a Disaster
Marc,

> Which fails when you have someone that has multiple domains that may be sending mail from the same organization. Mail to me from Citi may come from any one of at least 6 different domains, and the mailserver is not necessarily in the same domain.
>
> Whitelist all 6 domains.

What if Citi starts using mail services from another provider with a different PTR? Do you expect them to announce that on this mailing list? Conversely, what if Citi stops services from one and then a phisher/spammer buys the server space? Thanks to the stupid whitelist I will be sending all these spams whitelisted until we have angry calls on the customer support helpdesk.

It is useless for me to keep tracking what servers Citi, Bank of America, or ICICIBank use. I put just 1 line in my .cf file and forget about it, because their SPF record already keeps track. Even the largest banks today are outsourcing their email. FcRDNS works only if the organization runs their own mailing and doesn't keep changing their mailhost names.

Thanks
Ram
Re: Off Topic - SPF - What a Disaster
On Tue, 2010-02-23 at 18:33 -0800, Marc Perkel wrote:

Jeff Koch wrote:

In an effort to reduce spam further we tried implementing SPF enforcement. Within three days we turned it off. What we found was that:

- domain owners are allowing SPF records to be added to their zone files without understanding the implications, or that are just not correct
- domain owners and their employees regularly send email from mailservers that violate their SPF.
- our customers were unable to receive email from important business contacts
- our customers were unable to understand why we would be enforcing a system that prevented them from getting important email.
- our customers couldn't understand what SPF does.
- our customers could not explain SPF to their business contacts, who would have had to contact their IT people to correct the SPF records.

Our assessment is that SPF is a good idea but pretty much unworkable for an ISP/host without a major education program, which we have neither the time nor the money to do. Since we like our customers and they pay the bills, it is now a dead issue.

Any other experiences? I'd love to hear.

Best Regards,
Jeff Koch, Intersessions

I agree. I've been in the spam filtering business for many years and have yet to find any use for SPF at all. It's disturbing this useless technology is getting the false positive support we are seeing.

Marc,

This is just to repeat the cliche. SPF was not designed to help *you* in *spam filtering*. It was designed to help legitimate senders send mails. However, as much as you, unreasonably, dislike it, SPF adoption is on the rise. Two years ago most banks in India had no SPF records. Today almost every bank here publishes an SPF record. And that helps.

For example, I use SPF checks to whitelist all local banks' mail. Conversely, I have a custom rule that says if the header-from contains $popularbank.com and the mail did not SPF pass, add a score of 3.0. Phishers can use whatever envelope-from they want, but if they put the bank's domain in the header-from the mail will be caught as spam.

I know there are ways to get around this rule too, but in practical life this has been really effective against phishing. IMHO most of the anti-SPF bandwagon is more due to ego issues than technical ones.

Thanks
Ram
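The two SPF-based checks Ram describes, as an added example in Python (not code from the thread or from SpamAssassin): the SPF verdict is read from a Received-SPF header the receiving MTA added, a watched domain is whitelisted on pass and gets +3.0 otherwise, and an optional alignment mode, which goes beyond Ram's rule, also requires that the envelope domain SPF validated is the same domain shown in the header From. The watched domain, the whitelist score and the three messages are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the domains to protect, Ram's "$popularbank.com".
WATCHED_DOMAINS = {"popularbank.com"}

PHISH_SCORE = 3.0        # the +3.0 Ram adds for a watched From without SPF pass
WHITELIST_SCORE = -5.0   # hypothetical negative score for SPF-verified bank mail

_RESULT_RE = re.compile(r"\s*([A-Za-z]+)")
_ENVFROM_RE = re.compile(r'envelope-from="?([^";\s]+)"?', re.IGNORECASE)


def parse_received_spf(header):
    """Split an RFC 7208 style Received-SPF header into (result, envelope domain).

    Returns ("none", "") when the MTA added no such header.
    """
    if header is None:
        return "none", ""
    m = _RESULT_RE.match(header)
    result = m.group(1).lower() if m else "none"
    env = _ENVFROM_RE.search(header)
    env_domain = env.group(1).rpartition("@")[2].lower() if env else ""
    return result, env_domain


def header_from_domain(msg):
    """Domain of the header From, i.e. the address the recipient actually sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw, require_alignment=False):
    """Return (score, hits) for one raw RFC 822 message.

    require_alignment=False is Ram's rule as stated: any SPF pass suffices.
    require_alignment=True additionally demands that the envelope domain SPF
    validated equals the header-From domain, closing the gap where a phisher
    passes SPF for an envelope domain of their own.
    """
    msg = email.message_from_string(raw)
    domain = header_from_domain(msg)
    if domain not in WATCHED_DOMAINS:
        return 0.0, []
    result, env_domain = parse_received_spf(msg.get("Received-SPF"))
    spf_ok = result == "pass" and (not require_alignment or env_domain == domain)
    if spf_ok:
        return WHITELIST_SCORE, ["BANK_SPF_PASS"]
    return PHISH_SCORE, ["BANK_FROM_NO_SPF"]


# Constructed sample messages (documentation addresses only, no real hosts).
LEGIT = """Received-SPF: pass (mx.example: domain of alerts@popularbank.com designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10; envelope-from="alerts@popularbank.com";
From: "Popular Bank" <alerts@popularbank.com>
To: customer@example.org
Subject: Statement ready

Your statement is ready.
"""

# Header From shows the bank, but the envelope sender is another domain whose
# own SPF record passes for the sending host.
MISALIGNED = """Received-SPF: pass (mx.example: domain of x@mailer.example designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7; envelope-from="x@mailer.example";
From: "Popular Bank" <alerts@popularbank.com>
To: customer@example.org
Subject: Verify your account

Please verify.
"""

NO_SPF = """From: "Popular Bank" <alerts@popularbank.com>
To: customer@example.org
Subject: Verify your account

Please verify.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("misaligned", MISALIGNED), ("nospf", NO_SPF)):
        print(name, score_message(raw), score_message(raw, require_alignment=True))
```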
Re: Yahoo Feedback Loop - off topic
On Thu, 2010-02-18 at 12:17 -0800, J.D. Falk wrote:

On Feb 14, 2010, at 10:31 PM, ram wrote:

Anyway ReturnPath operates FBLs for Yahoo, and they provide IP address based feedback loops at Cox etc. I don't know why this differs for Yahoo.

Because that's how Yahoo! wants it. There are a lot of advantages to routing feedback by authenticated domain: ease of maintenance, survives forwarding, et cetera.

But for an ISP this is so painful. Every new customer who comes on board, you have to ask them to DKIM sign their mails or sign them on their behalf. Setting up the FBL on behalf of the customer is another pain.

And anyway, for the spams which don't get signed (for example, using a direct relay with a compromised account) you may be relaying the spams inadvertently on the outbound, but never get FBLs until all the world blacklists you.

--
J.D. Falk jdf...@returnpath.net
Return Path Inc
Re: Yahoo Feedback Loop - off topic
On Sun, 2010-02-14 at 18:51 +0100, Ralf Hildebrandt wrote:

* Jeff Koch jeffk...@intersessions.com:

Sorry this is off-topic, but has anyone successfully applied for the Yahoo Email Complaint Feedback Loop?

Yes, I did.

On the one hand their website says they have an ISP program based on IP addresses and CIDR ranges that does not require emails to be signed with DomainKeys or DKIM, and then, on the other hand, they send out emails from their abuse-admin saying that they have no such program. Yahoo is making me crazy.

I'm signed up and now their users are driving me crazy.

If anyone has the email address of someone there that can actually get an ISP signed up for the program I would appreciate it.

I signed up via their website http://feedbackloop.yahoo.net/ I set up DKIM. According to some pages I read they're not signing up new ISPs.

If they were to give feedback loops to ESPs/ISPs based on IP addresses that would be great. But I think Yahoo only provides FBLs for signed-up domain names and only if mail is DKIM/DK signed.

Anyway ReturnPath operates FBLs for Yahoo, and they provide IP address based feedback loops at Cox etc. I don't know why this differs for Yahoo.
best way to catch spams and fine tune the bayes
Hi,

It's been 30 days now since I set up a new qmail server with SpamAssassin 3.2.5. It works well, but I am using simscan here. On my old server I used to get a lot of virus and spam emails, so we made strict rules now: if simscan detects spam we are rejecting the whole mail, whether it is incoming or outgoing. Maybe I see now that the traffic is less compared to 30 days back.

Now I would like to give a relaxation to simscan to allow the mail even if spam is captured, so I can use the sitewide configuration to configure SpamAssassin to catch more spams.

Here is my question: I am running the daemon as user spamd, located in /home/spamd. So how can I configure site-wide bayes to capture more bayes? I am running sa-update from cron; it's up to date.

Ram
Re: best way to catch spams and fine tune the bayes
On Wed, Feb 10, 2010 at 9:13 AM, ram talk2...@gmail.com wrote:

Hi,

It's been 30 days now since I set up a new qmail server with SpamAssassin 3.2.5. It works well, but I am using simscan here. On my old server I used to get a lot of virus and spam emails, so we made strict rules now: if simscan detects spam we are rejecting the whole mail, whether it is incoming or outgoing. Maybe I see now that the traffic is less compared to 30 days back.

Now I would like to give a relaxation to simscan to allow the mail even if spam is captured, so I can use the sitewide configuration to configure SpamAssassin to catch more spams.

Here is my question: I am running the daemon as user spamd, located in /home/spamd. So how can I configure site-wide bayes to capture more bayes? I am running sa-update from cron; it's up to date.

I have enabled learn bayes to 1 in local.cf; still I see 0 records.

sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 0 0 non-token data: nham
0.000 0 0 0 non-token data: ntokens
0.000 0 0 0 non-token data: oldest atime
0.000 0 0 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last expiry atime
0.000 0 0 0 non-token data: last expire atime delta
0.000 0 0 0 non-token data: last expire reduction count

ram
Re: Spam filtering similar to SPF, less breakage
On Tue, 2010-02-09 at 11:42 -0500, dar...@chaosreigns.com wrote:

I apparently need to clarify that I think this is a good idea because I am concerned about the number of people (who control DNS records) who are very strongly against creating SPF records specifically because of forwarding breakage. The email I got in response to my request for my employer to create an SPF record included the word abomination. From a friend. I don't entirely agree, but it is a problem for adoption.

This is entirely an attempt to replicate the functionality of SPF without breaking forwarding, and without causing other problems that might discourage adoption.

How does this idea authenticate mail from a domain? SPF is aimed at doing that. IMHO the SPF-breaks-forwarding argument is misplaced. What about SRS? If SRS implementation is not going to be easy because mailservers have been there too long for adopting anything new, then can you be sure MailServer IP validation will be adopted?

Anyway, I block spams from almost all non-mailservers by using RBLs. I don't see any value add in implementing this.

Thanks
Ram

I set this up for my mail server (using mtx instead of designatedsender):

$ host -t PTR 64.71.152.40
40.152.71.64.in-addr.arpa domain name pointer panic.chaosreigns.com.
$ host -t A 40.152.71.64.mtx.panic.chaosreigns.com
40.152.71.64.mtx.panic.chaosreigns.com has address 127.0.0.1

All it took was creating a single record in bind:

40.152.71.64.mtx.panic.chaosreigns.com. IN A 127.0.0.1

I'll define it slightly differently:

127.0.0.1 is a pass (negative SA score).
not found is a fail (positive SA score).
127.0.0.0 is a fail (positive SA score).
Anything else is undefined (0 SA score) for future options.

I'd still appreciate feedback on the format of the A record.

On 02/09, RW wrote:

You've mixed-up A record and PTR record.

Yes. Embarrassing.

Checking for full-circle DNS already does most of this.

My home dynamic cablemodem address passes full-circle DNS. But not this.

So this is far more useful for checking if an IP is a legitimate sending mail server. What your scheme would do is check for otherwise legitimate servers that have been compromised and are delivering direct-to-mx.

An otherwise legitimate but compromised mail server would not be detected by this. I'm curious why you interpreted it differently.

On 02/09, Charles Gregory wrote:

On Mon, 2010-02-08 at 22:08 -0500, dar...@chaosreigns.com wrote:

What you describe here is functionally similar to an SPF lookup with a 'pass' result. The server provides positive verification that the listed IP is a legitimate sender for that domain.

Yes.

As long as 'otherwise' is a definitive 'fail' response from an SPF (or equivalent) server, and not merely an absence of SPF server

Yes. Definitive fail.

Your method would allow 'spoofing' so that a spammer who hacks a legitimate server can use a valid return address on a different domain, but still the mail would receive a 'passing' grade. At least, with SPF, the spammer must forge an address on the hacked domain, which increases the likelihood of detection

Yes. I would blacklist domains that pass hacked servers. Just as IPs of hacked servers are blacklisted. They're sending spam, and need to be fixed.

Forwarding doesn't break.

Ah, so you want to allow 'legitimate' forwarding, but not allow spammers to 'forward' their mail? Good luck with that. The only way to make it work for the legitimate sender, but not for spammers, is to have a mechanism built in to the forwarding server that encapsulates or rewrites the envelope 'From' address.

Encapsulating or rewriting the envelope 'From' address seems significantly less likely to be adopted, from what I've read.

Obviously you'd need a blacklist of spammer domains that list spamming IPs as legit senders.

And you would be playing the same 'musical chairs' game with new domains created by spammers on a daily basis. All the same flaws of SPF, and no greater benefit.

Same domain blacklisting issues as SPF, yes. I am not very concerned about the throw-away domains because I'll reject all mail from domains not at least 10 days old. 10+ day old domains are already listed as 127.0.2.3 records from example.com.hostkarma.junkemailfilter.com. I believe the benefit of not breaking forwarding is sufficient to make it much more useful than SPF for spam filtering. I've come across enough people, personally, recently, in trying to block (some = positive SA score) emails without an SPF pass, who are not willing to ever implement SPF due to breaking forwarding, that I believe this would be useful.

Is there any way this wouldn't be very useful?

Is there any place where SPF does not do the same job, other than mail forwarding?

No. But as I said, I am concerned about
Re: Spam filtering similar to SPF, less breakage
On Mon, 2010-02-08 at 22:08 -0500, dar...@chaosreigns.com wrote:

You get an email delivered from 64.71.152.40 (last untrusted relay). You look up the DNS A record for that IP, and get mail.chaosreigns.com. Then you look up the DNS PTR record of 40.152.71.64.designatedsender.mail.chaosreigns.com, and if it's 127.0.0.1, it's a legit email sender and gets some negative SA score. Otherwise it's not, and gets some positive SA score (low at first until adoption spreads).

So it's not tied to the SMTP MAIL FROM or anything. Forwarding doesn't break.

Eventually you reject all email from IPs without such records.

Obviously you'd need a blacklist of spammer domains that list spamming IPs as legit senders. Not an RHSBL / MAIL FROM blacklist, but a blacklist where, when the A record of a delivering IP is in a blacklisted domain, the mail gets rejected.

I am not at all attached to the format of the PTR record and would like suggestions.

Is there any way this wouldn't be very useful?

Apparently you want to check if non-mail servers are sending mails, but what percentage of spams today come from non-mail servers?
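The lookup proposed here and implemented in the later message with the mtx label, as an added example in Python (not darxus's or SpamAssassin's code), in the corrected order he settled on: PTR of the connecting IP, then the A record of the reversed octets under the label beneath that hostname, scored with his pass / fail / not-found / undefined rules. A full-circle DNS check sits alongside so the difference RW raised is visible on the same data. The resolver is a constructed in-memory table (the 64.71.152.40 / panic.chaosreigns.com pair is the one quoted; everything else is made up), and the +1 / -1 scores and the treatment of a missing PTR as a fail are assumptions.

```python
import ipaddress

# Constructed DNS data standing in for a live resolver.
PTR_RECORDS = {
    "64.71.152.40": "panic.chaosreigns.com",
    "192.0.2.9": "mail.example.net",
    "198.51.100.77": "cpe-198-51-100-77.isp.example",
    "203.0.113.5": "mta.example.org",
}
A_RECORDS = {
    # forward records of the hosts themselves (used by the full-circle check)
    "panic.chaosreigns.com": "64.71.152.40",
    "mail.example.net": "192.0.2.9",
    "cpe-198-51-100-77.isp.example": "198.51.100.77",
    "mta.example.org": "203.0.113.5",
    # designated-sender records under the "mtx" label
    "40.152.71.64.mtx.panic.chaosreigns.com": "127.0.0.1",   # explicit pass
    "9.2.0.192.mtx.mail.example.net": "127.0.0.0",           # explicit fail
    "5.113.0.203.mtx.mta.example.org": "127.0.0.9",          # reserved, undefined
}

PASS_SCORE = -1.0   # assumed magnitudes; the thread only says negative/positive
FAIL_SCORE = 1.0


def lookup_ptr(ip):
    """PTR lookup against the constructed table; None when there is no reverse DNS."""
    return PTR_RECORDS.get(ip)


def lookup_a(name):
    """A lookup against the constructed table; None means NXDOMAIN."""
    return A_RECORDS.get(name.rstrip("."))


def mtx_name(ip, hostname, label="mtx"):
    """Query name: reversed octets, the label, then the PTR hostname.

    64.71.152.40 / panic.chaosreigns.com -> 40.152.71.64.mtx.panic.chaosreigns.com
    """
    ipaddress.IPv4Address(ip)          # reject anything that is not a dotted quad
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{label}.{hostname.rstrip('.')}"


def full_circle(ip, ptr=lookup_ptr, a=lookup_a):
    """Classic FCrDNS: the PTR name's own A record points back at the IP."""
    host = ptr(ip)
    return host is not None and a(host) == ip


def designated_sender(ip, ptr=lookup_ptr, a=lookup_a, label="mtx"):
    """Return (verdict, score) under the rules from the thread:
    127.0.0.1 pass, 127.0.0.0 fail, not found fail, anything else undefined.
    A compromised but otherwise legitimate host still passes; the scheme only
    says the IP is a designated sender, not that the mail is wanted.
    """
    host = ptr(ip)
    if host is None:
        return "fail", FAIL_SCORE     # assumption: no reverse DNS counts as not found
    answer = a(mtx_name(ip, host, label))
    if answer == "127.0.0.1":
        return "pass", PASS_SCORE
    if answer is None or answer == "127.0.0.0":
        return "fail", FAIL_SCORE
    return "undefined", 0.0


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "fcrdns" if full_circle(ip) else "no-fcrdns", designated_sender(ip))
```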
Re: how can i finetune to spamassassin to handle spams
On Mon, Feb 1, 2010 at 10:23 PM, Bowie Bailey bowie_bai...@buc.com wrote:

ram wrote:

Hi, what I am looking for is site-wide, not user-wide. So if the user feels it's a spam mail, he will send that mail to another email address of a local account; from there I want to pick it up for bayes learning and decide what is spam and what is not spam. I hope I explained it well.

Yes. Makes much more sense this time! :)

You can do something similar to that, but if you do a normal forward, you will generally lose the header information. There are two basic ways to do it.

1) Have the user copy the emails to a local spam folder and then have a process that collects the mail from those folders and learns from it on a regular basis. This is easy to do if you are using IMAP or webmail since everything is on the server. If you are using POP3, it gets more complicated since everyone's mail folder is on their own computer.

2) Have the user forward the mail as an attachment. This will usually preserve the headers depending on the mail client. The downside is that you then have to extract the original mail from the attachment before you can learn from it, and you have to teach your users how to forward mail as an attachment.

Yes, I do have different users: some use webmail and some use Outlook and Outlook Express, different clients using POP3 over SSL. I am not sure how I can ask users to send spam mail as an attachment to some u...@domain.com. If spammers know we are allowing everything to u...@domain.com, they will start filling it with spam? Is this correct?

ram
Re: how can i finetune to spamassassin to handle spams
On Fri, Jan 29, 2010 at 7:58 PM, Bowie Bailey bowie_bai...@buc.com wrote:

ram wrote:

The rules in /usr/share/spamassassin are the original rules from the install. If /var/lib/spamassassin/3.002.005 exists, those rules will be used instead. You can verify which rules are being used by running this command:

$ spamassassin --lint -D 2>&1 | grep "read file"

spamassassin --lint -D 2>&1 | grep "read file"
[26114] dbg: config: read file /etc/mail/spamassassin/init.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v310.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v312.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v320.pre
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org.cf
[26114] dbg: config: read file /etc/mail/spamassassin/local.cf
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/10_default_prefs.cf
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/20_advance_fee.cf
[snip]
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/72_scores.cf
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/80_additional.cf

So you are running from the updated rules...

To see if you have the latest rule, cd to /var/lib/spamassassin/3.002005/updates_spamassassin_org and do this:

$ grep FH_DATE_PAST_20XX 72_active.cf

grep FH_DATE_PAST_20XX 72_active.cf
##{ FH_DATE_PAST_20XX
header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX The date is grossly in the future.
##} FH_DATE_PAST_20XX

and you are up to date on this rule.

You should see this rule if you have the latest update:

header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]

Yes, I see that line. I believe now that, after running sa-update, the rules are taken from the updated files.

Are you still seeing false positives with this rule?

I am still confused: how can I fine tune site-wide rules to have all the users send spam mails to one user ID, and configure a rule to calculate based on that user?

I am not following this. Please restate the question.

Hi, what I am looking for is site-wide, not user-wide. So if the user feels it's a spam mail, he will send that mail to another email address of a local account; from there I want to pick it up for bayes learning and decide what is spam and what is not spam. I hope I explained it well.

Ram
Re: how can i finetune to spamassassin to handle spams
On Fri, Jan 29, 2010 at 8:41 PM, David Morton morto...@dgrmm.net wrote:

Bowie Bailey wrote:

ram wrote:

I am still confused: how can I fine tune site-wide rules to have all the users send spam mails to one user ID, and configure a rule to calculate based on that user?

If you are talking about the bayes database, bayes_sql_username user will learn all mail under one common bayes database.

If you mean forward all spam emails to an email address which is used to train the system, then you have a bigger problem. (Forwarding email usually loses headers.)

Thanks for the quick reply. I was under the impression I could forward all mails to one user and tune the bayes. If that is not a workable solution, how can I fine tune to learn bayes in the best manner?

Ram
Re: how can i finetune to spamassassin to handle spams
On Thu, Jan 28, 2010 at 7:53 PM, John Hardin jhar...@impsec.org wrote:

On Wed, 27 Jan 2010, ram wrote:

On Wed, Jan 27, 2010 at 9:54 AM, John Hardin jhar...@impsec.org wrote:

On Wed, 27 Jan 2010, ram wrote:

it works, but i see most of the mails are tagged as SPAM.

A little more detail, please: Are you complaining about seeing lots of false positives? Or are you complaining about seeing lots of properly classified spams that are being delivered to your mailbox when you don't want them to be delivered to your mailbox?

If the former, and both those samples were from false positives, then your bayes appears to need retraining.

Yes, they are false positives. Even a person sending just a simple mail, "hi how are you", is treated as spam and not able to send mail; it is rejecting on both sides, outgoing and incoming.

Hi, thanks for your quick response. Some of my information I have changed, like IP addresses and domain names.

Can you post the complete headers from such an inbound false positive?

Here is the simple mail, requested locally, asking for a new mail ID:

Return-Path: sen...@domain.com
Delivered-To: t...@domain.com
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mail.sol.net.in
X-Spam-Level: *
X-Spam-Status: Yes, score=5.6 required=5.0 tests=DEAR_SOMETHING, FH_DATE_PAST_20XX,NO_RELAYS autolearn=no version=3.2.5
X-Spam-Report:
 * 3.4 FH_DATE_PAST_20XX The date is grossly in the future.
 * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
 * 2.2 DEAR_SOMETHING BODY: Contains 'Dear (something)'
Received: (qmail 8836 invoked by uid 48); 27 Jan 2010 14:33:13 +0530
To: t...@domain.com
Subject: [SPAM] mailid
MIME-Version: 1.0
Date: Wed, 27 Jan 2010 14:33:13 +0530
From: sen...@domain.com
Message-ID: 309f6a80cf3833e2a47b801cf4b93...@domain.com
X-Sender: sen...@domain.com
User-Agent: Company Webmail/0.3.1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
X-Spam-Prev-Subject: mailid

Or do you have simscan configured to completely delete spams rather than quarantining them?

@40004b610d3003da07d4 simscan:[19879]:SPAM REJECT (7.00/5.00):3.3421s:[SPAM] mail:x.x.x.211:f...@domain.com:t...@domain.com

Even a simple mail hits 3.4:

@40004b5db6be10acf584 simscan:[10034]:CLEAN (3.40/5.00):5.4026s:Re_ mail from:x.x.x.10:send...@domain.com:recei...@yahoo.com

This is a mail sent from Yahoo to my domain.com:

Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

u...@domain.com:
(MYSERVERIP) failed after I sent the message.
Remote host said: 554 Your email is considered spam (5.10 spam-hits)

--- Below this line is a copy of the message.

Return-Path: u...@yahoo.com
Received: (qmail 1647 invoked by uid 60001); 25 Jan 2010 15:45:45 -
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1264434345; bh=rqUtJyMLicobcyhmr74TepjmUQAEmlazKT3vjV/n3aA=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=YguNuhzD1Rin2zserVev7wc8xFv0OvPQWaEtOhEzGHLk4xQDfvpROEa8LmfoV42+/60FcgfZQ583qLfcYS4Nhr9k7Cj7saEKadq01riAkv5R6oFAnHpLpI1Ch9ldw6a7aYFpDvzHoigin/MdHNDRyryV8/ge3VJkUQGE3q+lDPA=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=ukmcU3+ntQciOpxQAs5wD6eeMyqhoBAZpC7JPx+6kvgl2XUsExdM5zua1fQvib7sKRzW3XwMPMlSEl3udGVYqanBkXvW8+uEhbQd/Ouf+bS7arAtNovq6jalosQD2U4TJ0QXZBFWL2rP75L7IPyo2PGbJzfAE0n4u3WwhZt85ok=;
Message-ID: 854000.982...@web50407.mail.re2.yahoo.com
X-YMail-OSG: xzkFu1wVM1kvOC_p_A.2KDQosFYh84Thdznof8TcPGY_K9N0pMQeCGgj4BVJgnq18AbGG.eHPB2yZvPP8Js2cWEFSFYEh.GcCQP6yEIXnJ5qfu7OR0xXnJIly2mec7hlEnBH4vSyb7U_ocsXgCqVEyLAKbzpCU.Cnc1KAPedBc0Ygra2Ejml8uQo2GIsJ7qIRpjfyZ0on8fZ6Y2PVfT7rSS6IjgiCnsqOxMaGp7WUCR9uMTzrKCFbUN4eSwKtq6tRbfaDO.wIXYyp66AayMBJMBCxAQDYbOWcqk5bkOAT0QJArx4RWfCckJGoKaRDA--
Received: from [ClientIP] by web50407.mail.re2.yahoo.com via HTTP; Mon, 25 Jan 2010 07:45:45 PST
X-Mailer: YahooMailRC/272.7 YahooMailWebService/0.8.100.260964
Date: Mon, 25 Jan 2010 07:45:45 -0800 (PST)
From: hari u...@yahoo.com
Subject: testing
To: u...@domain.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

What is the output from sa-learn --dump magic ?

0.000 0 3 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 0 0 non-token data: nham
0.000 0 0 0 non-token data: ntokens
0.000 0 0 0 non-token data: oldest atime
0.000 0 0 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 0 0 non-token data: last
Re: how can i finetune to spamassassin to handle spams
Hi, I normally do reply to other mailing lists; when I reply it goes to the mailing list ID as the sender. Here I had not observed that it is going to the user. Sorry for that.

On Thu, Jan 28, 2010 at 10:03 PM, Bowie Bailey bowie_bai...@buc.com wrote:

ram wrote:

On Thu, Jan 28, 2010 at 8:22 PM, Bowie Bailey bowie_bai...@buc.com wrote:

ram wrote:

* 3.4 FH_DATE_PAST_20XX The date is grossly in the future.

This rule started causing problems at the beginning of the year and was fixed. Have you run sa-update to get the latest rules?

Yes, I ran sa-update. I see the rules all updating in the /var/lib/spamassassin folder, but I still see the same configs in /usr/share/spamassassin.

Please reply to the list and not directly to me.

The rules in /usr/share/spamassassin are the original rules from the install. If /var/lib/spamassassin/3.002.005 exists, those rules will be used instead. You can verify which rules are being used by running this command:

$ spamassassin --lint -D 2>&1 | grep "read file"

spamassassin --lint -D 2>&1 | grep "read file"
[26114] dbg: config: read file /etc/mail/spamassassin/init.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v310.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v312.pre
[26114] dbg: config: read file /etc/mail/spamassassin/v320.pre
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org.cf
[26114] dbg: config: read file /etc/mail/spamassassin/local.cf
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/10_default_prefs.cf
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/20_advance_fee.cf
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/20_body_tests.cf
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/20_compensate.cf
[26114] dbg: config: read file /var/lib/spamassassin/3.002005/updates_spamassassin_org/20_dnsbl_tests.cf
Re: how can i finetune to spamassassin to handle spams
On Thu, Jan 28, 2010 at 11:11 PM, Alex mysqlstud...@gmail.com wrote:

What is the output from sa-learn --dump magic ?

0.000 0 3 0 non-token data: bayes db version
0.000 0 0 0 non-token data: nspam
0.000 0 0 0 non-token data: nham

Are you sure you are running sa-learn as the user that actually contains the database? This should be the user that spamd or amavisd-new is running as.

Have you done anything that may have deleted the bayes database? Have you at any point in the past properly trained the database, and is it enabled with use_bayes 1 in local.cf?

Yes, I am running that command as the spamd user. The documentation said use_bayes defaults to 1. I am just trying to learn what the best way is to learn bayes and fine tune the configs.

Ram

Best,
Alex
how can i finetune to spamassassin to handle spams
Hi,

I recently installed version 3.2.5 of SpamAssassin. I am running simscan + SpamAssassin + ClamAV. It works, but I see most of the mails are tagged as SPAM, for example:

Jan 27 20:36:28 mail spamd[15138]: spamd: identified spam (9.1/5.0) for simscan:509 in 3.7 seconds, 584 bytes.
Jan 27 20:36:28 mail spamd[15138]: spamd: result: Y 9 - BAYES_99,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK scantime=3.7,size=584,user=simscan,uid=509,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=48597,mid=(unknown),bayes=0.998146,autolearn=no
Jan 27 20:34:59 mail spamd[15138]: spamd: processing message 20100127134941.24e0f4ef...@mx.aguasguariroba.com.br for simscan:509
Jan 27 20:35:03 mail spamd[15138]: spamd: identified spam (12.0/5.0) for simscan:509 in 4.1 seconds, 1646 bytes.
Jan 27 20:35:03 mail spamd[15138]: spamd: result: Y 12 - BAYES_99,FORGED_MUA_OUTLOOK,MSOE_MID_WRONG_CASE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,SUBJ_ALL_CAPS scantime=4.1,size=1646,user=simscan,uid=509,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=48587,mid=<20100127134941.24e0f4ef...@mx.aguasguariroba.com.br>,bayes=1.00,autolearn=no

After installation I ran sa-update and restarted SpamAssassin. I do not see it updating in /usr/share/spamassassin, but I see there are files updated in /var/lib/spamassassin/.

My config /etc/sysconfig/spamassassin:

# Options to spamd
SPAMDOPTIONS=-x -u spamd -H /home/spamd -d

grep FH_DATE_PAST_20XX /usr/share/spamassassin/72_active.cf
##{ FH_DATE_PAST_20XX
header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX The date is grossly in the future.
##} FH_DATE_PAST_20XX

grep FH_DATE_PAST_20XX /var/lib/spamassassin/3.002005/updates_spamassassin_org/72_active.cf
##{ FH_DATE_PAST_20XX
header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]
describe FH_DATE_PAST_20XX The date is grossly in the future.
##} FH_DATE_PAST_20XX

more /etc/mail/spamassassin/local.cf
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)
# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

Any advice will be appreciated.

Ram
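The FH_DATE_PAST_20XX regression this thread turns on, reconstructed as an added example in Python (not code from the thread or from SpamAssassin): the two rule bodies quoted above are run over the Date header of the simple January 2010 mail, the 3.4 rule score and required_hits 5 are the ones quoted in the thread, and the first year each pattern starts firing is computed so the expiry of the fixed rule is visible too. The other rule hits are a constructed sample taken from the X-Spam-Report figures posted in this thread.

```python
import re

# The two versions of the rule body quoted above: the one shipped under
# /usr/share/spamassassin and the one delivered by sa-update.
OLD_PATTERN = re.compile(r"20[1-9][0-9]")
NEW_PATTERN = re.compile(r"20[2-9][0-9]")

FH_DATE_PAST_20XX_SCORE = 3.4   # score shown in the posted X-Spam-Report
REQUIRED_SCORE = 5.0            # required_hits 5 in the quoted local.cf
IF_UNSET = "2006"               # [if-unset: 2006] in the rule definition


def fh_date_past_20xx(date_header, pattern):
    """Return True when the header rule fires.

    SpamAssassin runs the regex over the raw Date header value; when the
    header is absent the if-unset text is matched instead.
    """
    value = date_header if date_header is not None else IF_UNSET
    return pattern.search(value) is not None


def first_matching_year(pattern, start=2000, end=2100):
    """First calendar year whose four digits trip the pattern, i.e. the year
    from which the rule fires on every correctly dated message."""
    for year in range(start, end):
        if pattern.search(str(year)):
            return year
    return None


def score(date_header, other_hits, pattern):
    """Total score and spam verdict for a message given its other rule hits.

    other_hits maps rule name to score; it is constructed for the example.
    """
    total = sum(other_hits.values())
    if fh_date_past_20xx(date_header, pattern):
        total += FH_DATE_PAST_20XX_SCORE
    total = round(total, 1)
    return total, total >= REQUIRED_SCORE


# Constructed sample: the simple internal mail from the thread, dated in
# January 2010, with the two other rules its X-Spam-Report lists.
SAMPLE_DATE = "Wed, 27 Jan 2010 14:33:13 +0530"
SAMPLE_OTHER_HITS = {"DEAR_SOMETHING": 2.2, "NO_RELAYS": -0.0}

if __name__ == "__main__":
    print("old rule:", score(SAMPLE_DATE, SAMPLE_OTHER_HITS, OLD_PATTERN))
    print("new rule:", score(SAMPLE_DATE, SAMPLE_OTHER_HITS, NEW_PATTERN))
    print("old rule fires on all mail from", first_matching_year(OLD_PATTERN))
    print("new rule fires on all mail from", first_matching_year(NEW_PATTERN))
```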
Re: how can i finetune to spamassassin to handle spams
Hi, thanks for the quick answer. My comments below.

On Wed, Jan 27, 2010 at 9:54 AM, John Hardin jhar...@impsec.org wrote:

On Wed, 27 Jan 2010, ram wrote:

it works, but i see most of the mails are tagged as SPAM.

A little more detail, please: Are you complaining about seeing lots of false positives? Or are you complaining about seeing lots of properly classified spams that are being delivered to your mailbox when you don't want them to be delivered to your mailbox?

Yes, they are false positives. Even a person sending just a simple mail, "hi how are you", is treated as spam and not able to send mail; it is rejecting on both sides, outgoing and incoming. They are not delivered to the mailbox since simscan rejects.

If the former, and both those samples were from false positives, then your bayes appears to need retraining.

If the latter, then whatever is interpreting the SA score to make delivery decisions (simscan?) needs to be looked at. SA _does not_ make delivery decisions itself, it only generates scores.

Yes, I am using simscan with SpamAssassin and also ClamAV. Is 3.2.5 picking up the rules from /usr/share/spamassassin or from /var/lib/spamassassin, since sa-update is only updating /var/lib/spamassassin? How can I fine tune bayes by retraining, to catch real spam messages compared to simple mails like a "how are you" message from friends? Your help is always appreciated.

Ram

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174
pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
A well educated Electorate, being necessary to the liberty of a free State, the Right of the People to Keep and Read Books, shall not be infringed.
...means only registered voters can read books, and only those books obtained with State permission from State-controlled bookstores?
---
Today: the 43rd anniversary of the loss of Apollo 1
Re: Problems with false positives
On Tue, 2010-01-19 at 10:52 -0200, Taylon Silmer wrote:

Hello guys!

I have a lot of mail servers running SpamAssassin and I never had false positive problems. Recently I installed one more server and I'm having a lot of false positive problems with it. I understand that SpamAssassin is software and it can get it wrong sometimes; the other servers get false positives sometimes, but on this server it's really getting a lot more.

I use:
Postfix 2.3.3
Amavis 2.6.4
Spamassassin 3.2.5
CentOS 5.4 with linux kernel 2.6.18

Please post what rules are causing your FPs.

Have you patched the Date issue? https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6269
Re: [SPAM:9.6] Re: semi-legit senders in DNSWL and habeas - a hard problem
On Wed, 2010-01-06 at 07:51 +, Christian Brel wrote:

On Tue, 5 Jan 2010 14:18:54 -0800 jdow j...@earthlink.net wrote:

From: J.D. Falk jdfalk-li...@cybernothing.org
Sent: Tuesday, 2010/January/05 12:43

On Jan 5, 2010, at 10:10 AM, Greg Troxel wrote:

Once again I went to returnpath and senderscorecertified's web pages, and found no link to an email address to report being spammed by one of their customers.

Is the font size for Contact Us and Support too small? I'll forward your report to the appropriate team.

J.D., rather than getting snarky it might be a good idea to suggest to your webmaster that a formal Report Abuse link be placed on your front page? I'd not look to support or contact us for reporting abuse, myself. So I can understand Greg's problem.

{o.o}

I'm jealous, at least you can get a *narky* reply from Return Path. I've been trying for three days http://www.spampig.org.uk/bbs/showthread.php?tid=31

eBay is definitely too big a spammer. So what if they pay Habeas and other accreditation lists? Their unsubscribe doesn't work. I had all notifications off; still I used to get their mails. I got fed up with their reminders; even though I have never purchased anything at eBay they keep sending me nonsense.

The only last resort: I configured a dummy alias on my server and changed the eBay notification email address to the dummy alias. After activating the dummy, now I give a standard 450 "try later" to all mails that come to the dummy.
Re: [SPAM:9.6] semi-legit senders in DNSWL and habeas - a hard problem
On Tue, 2010-01-05 at 14:39 -0500, Bowie Bailey wrote: Christian Brel wrote: On Tue, 05 Jan 2010 12:10:28 -0500 Greg Troxel g...@ir.bbn.com wrote: Does anyone have any ideas of what else might help?

#ADD TO THE END OF local.cf at your own risk
score RCVD_IN_BSP_TRUSTED 0 4.3 0 4.3
score RCVD_IN_SSC_TRUSTED_COI 0 3.7 0 3.7
score HABEAS_ACCREDITED_COI 0 8.0 0 8.0
score HABEAS_ACCREDITED_SOI 0 4.3 0 4.3
score HABEAS_CHECKED 0 0.2 0 0.2
score RCVD_IN_DNSWL_LOW 0 1 0 1
score RCVD_IN_DNSWL_MED 0 4 0 4
score RCVD_IN_DNSWL_HI 0 8 0 8

Don't your SA-list mails go into spam, or do you whitelist them?
Re: ebay date field is wrong
On Mon, 2009-11-16 at 21:32 -0900, Royce Williams wrote: On Mon, Nov 16, 2009 at 11:04 AM, Per Jessen p...@computer.org wrote: I was just wondering if anyone had mentioned this to ebay: Date: Sun, 15 Nov 09 16:42:23 GMT-0700 will hit INVALID_DATE. I've reported this multiple times, with no response. Royce

I use default_spf_whitelist to whitelist ebay mails so that we don't 'FP' the messages.
Re: OT bad news
On Mon, 2009-10-05 at 15:05 -0700, Quanah Gibson-Mount wrote: --On Monday, October 05, 2009 11:50 PM +0200 mouss mo...@ml.netoyen.net wrote: Thomas Mullins a écrit : We have been running Spamassassin for maybe eight years now. But, my coworkers do not like OpenSource. So they have finally complained enough that my boss is going to replace our reliable FreeBSD/Spamassassin boxes. They are planning on purchasing something that runs ON Exchange. What a bummer. and the problem is? if they want exchange, give them exchange. don't fight (directly), watch instead. take pleasure in the situation, get as much fun as you can. I personally took fun all day long in windows-only (and believe it or not, in linux-only) environments. that said, you can still try to explain that exchange should not be exposed to the internet. you still need a relay (such as freebsd/postfix). And once exchange falls over, show them Zimbra. ;) Which uses postfix/SA/amavis, etc, and looks a lot like exchange... only better. ;)

Isn't zimbra dead yet? Yahoo deliberately messed it up, I believe, and now looks to dump it. Anyway I think people run away from open source because it is unsupported. Management doesn't want to have any indispensable IT team, so that they can always recruit some cheap M$$ trained guy from the market to do a dirty job. There is also security in question. If something goes wrong with your linux/BSD box *you* will be blamed. If something goes wrong with an m$ box (as usual) they would claim that that is how it is supposed to work :-). After all it is from the leading software makers. Never mind that the management also gets sponsored international holidays for putting their entire budget into worthless stuff.

--Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc Zimbra :: the leader in open source messaging and collaboration
Re: some URIBL accidentally listed .org?
On Mon, 2009-06-15 at 15:35 +1000, Con Tassios wrote: On Mon, 15 Jun 2009, Chip M. wrote: DOB (Day Old Bread) had the same problem last year: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200810.mbox/%3cva.33f1.14690...@news.conactive.com%3e With software bugs, lightning often DOES strike twice in the same spot. :) I'm quite sure 'Day Old Bread' had the same problem again in the last day or so.

Is the Day Old Bread list a reliable list? I found that their DNS times out a lot.
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote: Below is the link for one of the spam mails in which the To and From addresses are the same. http://pastebin.com/f20358d76 I can't use RBLs because most of my users use datacards; their IP addresses are listed in RBLs (SBL, XBL, SPAMCOP).

You can still use RBLs. Allow only users with SMTP auth to skip the RBL checks; for the rest, check RBLs and reject if listed. I think you use postfix; you could do something like this:

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, ...(other rules)

And for the smtp-auth mails, do not scan for spam at all. Not only will you avoid FPs, you will also save a lot of processing on your server.

Thanks Ram

PS: Why are you hiding the spam mail in the pastebin? The contents of spam mail are usually not very important.
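A fuller Postfix layout for the split Ram describes, as an added example rather than configuration from the thread: authenticated users submit on port 587, where they skip both the RBL check and the amavis content filter, while everything arriving unauthenticated on port 25 is checked against zen.spamhaus.org before acceptance. The amavis transport name and port, and the existence of a smtp-amavis service in master.cf, are assumptions.

```conf
# ---- main.cf (constructed example; not configuration from the thread) ----
# Port 25: authenticated clients (and our own networks) are permitted before
# the RBL is consulted, so only unauthenticated senders can be rejected
# because their IP is listed.  Keep reject_unauth_destination ahead of the
# RBL check so the server never becomes an open relay while the DNS lookup
# is slow or failing.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org

# Everything accepted on port 25 goes to amavisd-new (assumed transport).
content_filter = smtp-amavis:[127.0.0.1]:10024

# ---- master.cf (constructed example) ----
# Dedicated submission port for the datacard users: SASL is mandatory,
# the RBL check is not applied, and the empty content_filter override
# means authenticated mail is never spam-scanned.  Users who still send
# on port 25 are accepted (permit_sasl_authenticated) but do get scanned;
# point their clients at port 587 to get the CPU saving.
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o content_filter=
```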
Re: New Spam Mails plz suggest
On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote: I'm getting a lot of mails daily in which the To and From addresses are the same; spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf on CentOS 4.7 with sendmail. I've increased the score to 4 from the default 5 but still it's not catching them. How can I make spamassassin catch these mails?

Please post a sample (full mail source including headers) on some pastebin and post the link here.
Re: best way to mark TLDs as spam
On Wed, 2009-06-03 at 00:48 -0700, ryefish wrote: Hello: I am attempting to configure SA to mark as spam all email from Top-Level-Domains other than .com, .net, and .edu. I have found three possible ways to do this. Which, if any, is the preferred method?
1) blacklisting in local.cf: add blacklist_from *.info, blacklist_from *.tv, blacklist_from *.fr, ... requires 1 entry per undesired TLD, including one for each country
2) tweak the scores of existing rules in local.cf: set custom scores for existing rules; requires knowing exactly which rules to set the custom score for
3) Create a custom rule: design a custom rule that sets the score to 5 where FROM: NOT=.com|.net|.org
4) Some other way: is there an easier or more established solution to this?
TIA for any assistance you can provide, Tim

Why don't you block at the MTA (much before the mail goes to SA)? If you use postfix look for check_sender_access. I personally would never block an entire TLD; anyway, your server, your rules.
Re: Implementing SPF
On Tue, 2008-12-30 at 21:30 -0800, Bijayant wrote: From all the discussions and reading all the replies in this thread I have understood many things like:
1) We use smtp-auth for sending the mails. So, I can reject all mails which are not generated from my mail server, right? This will be a good tactic. Now the SPF parts,
2) If the SPF record is configured in DNS, then we do not have to do any additional configuration in Postfix and spamassassin. We can create the Meta rules in local.cf to increase/decrease the score, right?

No need for a meta rule. You can redefine the score in local.cf and that will override the default.

3) Gmail adds a header like Received-SPF: fail/pass/neutral. I think the MTA is adding this header. How can this type of header be added?

Try a Google search, or ask on the MTA mailing list. That is off-topic here.

Thanks Ram

BTW: Any post you make to the list, I see multiple copies. I am not sure why.

Martin Gregorie-2 wrote: On Tue, 2008-12-30 at 15:36 +0100, Arvid Ephraim Picciani wrote: On Tuesday 30 December 2008 12:44:09 Bijayant wrote: Hi, I am a newbie so please excuse me if it's a very silly question. I have been searching the forums and Internet about my query but could not find a satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my mail server. We get many spam mails from our own emails. Then we came to know that SPF can prevent this. I want to implement this but do not know how to do this. We have created the SPF records for our domains and are about to put them in DNS. But I have some confusion. I want to give some sa-score based on the spf check. For this, 1) does postfix also have to be configured to support SPF or insert some headers, or can spam-assassin alone be used? no. SPF will be checked against the last host outside your trusted path. the defaults should be perfectly fine for a simple setup where you only have one.
Here's a description of what SPF is and what it's meant to do: http://www.openspf.org/ As others have said, SA can check incoming messages against the alleged sender's domain to see if that's where the message really came from, provided the SPF plugin is installed and enabled. Most modern MTAs can also use SPF records to see if undeliverable mail has a forged sender address. If so, they won't send a rejection slip since that would go to the wrong place. Such rejection slips are known as 'backscatter' and are a real annoyance, so be kind to other mail users and set up an SPF record for your domain. There are wizards and test tools to help you create a valid record here: http://www.kitterman.com/spf/validate.html Martin
Re: Blocking sender spoofing [Was: Implementing SPF]
On Tue, 2008-12-30 at 04:11 -0800, Bijayant wrote: Thanks, but I do not want to reject those mails.

Why not? The only reason I see is that legitimate senders also send to the same mail server. Get them to use smtp-auth and send the messages. (I know it's easier said than done.)

I want only some scores to be added if it fails the SPF test. So, should I have to configure postfix also for this setting?

You can do the SPF test at the MTA level, but then that won't help you much on scoring. The SPF plugin in SA can help you score mails forged with From as your domain. But if legitimate senders of your domain are also sending to the same server, your SPF record should include all of their IPs. :-) Read more on SPF records and where they are useful. http://www.openspf.org/FAQ

Thanks Ram

mouss-2 wrote: Bijayant a écrit : Hi, I am a newbie so please excuse me if it's a very silly question. I have been searching the forums and Internet about my query but could not find a satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my mail server. We get many spam mails from our own emails. Then we came to know that SPF can prevent this. I want to implement this but do not know how to do this. We have created the SPF records for our domains and are about to put them in DNS. But I have some confusion. I want to give some sa-score based on the spf check. For this, 1) does postfix also have to be configured to support SPF or insert some headers, or can spam-assassin alone be used? 2) If yes then what? 3) If not then, how will the headers be inserted regarding SPF checks? Please suggest how to proceed or some doc/links pointing in the right direction. you can reject such mail in postfix:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/etc/postfix/access_sender
    ...

== access_sender:
mydomain.example    REJECT blah blah
.mydomain.example   REJECT blah blah

with this, your domain can be used as sender only if mail comes from your networks or was SASL authenticated. PS. do not put the check_sender_access before reject_unauth_destination. if you have questions regarding this, post on the postfix-users list.
Re: Blocking sender spoofing [Was: Implementing SPF]
On Tue, 2008-12-30 at 13:38 +, Ned Slider wrote: ram wrote: On Tue, 2008-12-30 at 04:11 -0800, Bijayant wrote: Thanks, but I do not want to reject those mails. Why not? I agree - this is by far the simplest method of tackling this problem. SPF is meant as a mechanism for *others* to block mail spoofed from your domain. The only reason I see is that legitimate senders also send to the same mail server. Get them to use smtp-auth and send the messages. (I know it's easier said than done.) What's not easy, implementing smtp-auth or forcing users to use it? Seems easy to me: Implementing: http://www.postfix.org/SASL_README.html#server_sasl http://wiki.centos.org/HowTos/postfix_sasl Forcing users to use it: Restrict $mynetworks to only allow 127.0.0.0/8 so anyone *not* on localhost *has* to authenticate.

And what if your boss (or your client) yells at you, "How dare my mails get rejected at your server?" Dealing with technology is very easy, not the same for people. The typical response I will get in such a situation is "I always used my Outlook to send mails and now this stopped working. So it is *your* fault and *you* have to fix it." And worse, there are still some archaic smtp relay servers in use that don't support smtp-auth!! Can you get them all to upgrade at once?? We have done all this and know it is a pain. Getting those important IPs, writing special rules in postfix to allow them, etc etc.

Thanks Ram
Re: From: and To: Spamers
On Mon, 2008-12-29 at 13:26 +0100, Michelle Konzack wrote: Hello *, since around 5 days I am hit by several 10,000 very small (~2 kByte) messages which use my email address in From: and To:... Does anyone know how to stop this shit effectively?

If the spammer is forging your domain in the From, that's very easy to trap. You could reject mail from your domain at the MTA (if your real mail never arrives there). One of the other ways is to set up an SPF record and give a high score for SPF-FAIL for your domain; that is what I do and it works great here.
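The scoring approach in Ram's two replies above (SA's SPF plugin scoring only mail that claims your own domain, rather than a blanket high SPF_FAIL score) as a local.cf fragment; this is an added example, not configuration from the thread, and example.com stands in for your domain.

```conf
# local.cf fragment (constructed example; replace example.com with your domain).
# Needs the SPF plugin loaded (loadplugin Mail::SpamAssassin::Plugin::SPF)
# and a correct trusted_networks: SPF is evaluated against the first relay
# outside the trusted path, so a wrong trusted_networks skews every result.

# Header From: claims our domain (any subdomain too); leading __ = no score
header   __FROM_OURDOMAIN    From:addr =~ /\@(?:[\w-]+\.)*example\.com$/i
# Envelope sender (Return-Path / MAIL FROM) claims our domain
header   __ENV_OURDOMAIN     EnvelopeFrom:addr =~ /\@(?:[\w-]+\.)*example\.com$/i

# Score high only when our own domain is claimed AND the SPF check fails.
# The SPF plugin tests the envelope sender, so this catches a forged
# Return-Path; a forged header From sent with a third-party envelope that
# passes SPF will not hit here and needs the MTA access-map rejection
# (or DKIM) discussed in the thread instead.
meta     OURDOMAIN_SPF_FAIL  (__FROM_OURDOMAIN || __ENV_OURDOMAIN) && SPF_FAIL
describe OURDOMAIN_SPF_FAIL  Sender claims our domain but fails SPF
score    OURDOMAIN_SPF_FAIL  8.0

# A softfail (~all record) from our own domain is still suspicious: smaller bump
meta     OURDOMAIN_SPF_SOFTFAIL (__FROM_OURDOMAIN || __ENV_OURDOMAIN) && SPF_SOFTFAIL
describe OURDOMAIN_SPF_SOFTFAIL Sender claims our domain but SPF softfails
score    OURDOMAIN_SPF_SOFTFAIL 3.0
```

Run spamassassin -t over a saved copy of one of the forged mails and confirm OURDOMAIN_SPF_FAIL appears in the report before relying on it.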
Re: All emails being tagged URIBL
On Sun, 2008-12-28 at 23:55 -0600, David Hasbrouck wrote: Hello, I use qmail with simscan, run spamd as a daemon. I am running Spam Assassin 3.2.5 on CentOS 4.7. I am having an issue where all my emails are getting tagged with URIBL_RED/GREY/BLACK. Emails that contain invalid domains in them are also getting tagged.

Save the mail as a text file with full headers and run (assuming you have a *nix OS):

spamassassin -D -t /path/mail > /tmp/sa.log 2>&1

Now read the sa.log file and see exactly where the URIBL rule hit. It must be some footer/disclaimer in the mails; that happens frequently enough.

From the information I have found, to test this, I should look up the domains as follows: dig somedomaingoeshere12345.com.multi.surbl.org A

multi.surbl.org is for SURBL rules, not URIBL.

Using somedomaingoeshere12345.com as an example, that isn't listed in URIBL (and isn't even a valid domain name), but an email that contains just somedomaingoeshere12345.com in the body is getting tagged. We have valid domains that are also getting tagged. I looked them up in URIBL and they are not there (both at their site and using the above dig method). I found a few valid domains that are listed, and the dig command properly returns an A record for those. I am not sure what other information would be helpful, so will leave it at this for now. Thanks for any help! David
remove SURBL rules
I would like to remove the SURBL lookups from our servers since they are no longer free (and their charges are unreasonable). I would just put a 0.0 score in local.cf for all their rules, but I guess when the rules are removed from the actual cf files by sa-update, at that time I will have sa --lint errors. I have a lot of servers, including some at remote locations. What is the recommended way of disabling the rules?

Thanks Ram
Re: remove SURBL rules
On Wed, 2008-12-17 at 07:43 +0100, Benny Pedersen wrote: On Ons, December 17, 2008 07:35, ram wrote: I would like to remove the SURBL lookups from our servers since they are no longer free (and their charges are unreasonable). show links where this is stated or make a bug on it :)

http://www.surbl.org/usage-policy.html

else: score *_SURBL 0

I don't want that, since that will cause a lint fail in case the rules are removed later.
Re: heads up: php5 security and emergency fix
On Tue, 2008-12-09 at 07:38 -0500, Michael Scheidell wrote: Last week, a security bulletin was released about security problems with php5 prior to version 5.2.7. Yesterday, a major regression testing problem was fixed in 5.2.7, with the removal of the 5.2.7 binaries, and the emergency release of 5.2.8.

Any reference links? I tried to google. Didn't get any.
Re: google groups abuse for spam
On Wed, 2008-12-10 at 13:09 +, Ned Slider wrote: ram wrote: I got a spam with just a link to a google groups page https://ecm.netcore.co.in/tmp/spam_google.txt Now I am scoring all mails with links to groups.google (may not be a great idea though). Bayes training may help :) Google's Notebook is currently being abused too. See here: http://www.marshal.com/trace/traceitem.asp?article=835

Google should have better interfaces to report abuse; that is the minimum they could do. I tried reporting a google group... there is no specific page that google has for this.
google groups abuse for spam
I got a spam with just a link to a google groups page: https://ecm.netcore.co.in/tmp/spam_google.txt Now I am scoring all mails with links to groups.google (may not be a great idea though).
Re: I'm thinking about offering a free MX backup service
If they are online then I do forward callouts to see if the recipient is valid and based on that I would return a 550 at connect time indicating an invalid account.

And return a 450 if the callout connection times out, I guess? On the primary MX too this may already be being done. Will that double callout make the delay too long? The major problem in such an architecture is the reporting. Customers may get a little fussy when they don't see one particular mail and may ask for reports. In my experience I see that more work is done on reports than on antispam in any solution. Do you plan to pass on reports too from your free MX?

BTW Marc, do you think this is all really worth it? See your spam graphs. At least for me spam has been going down since the beginning of the year, even before McColo :-). I am assuming as ISPs around the world get stricter with their clients, spam will reduce still further. All the pill spamming you see may be a thing of the past, just like today we don't see any of the stock spams as before (I don't know why though?). Antispam will be a low-end commodity service like antivirus is today.

Thanks Ram

PS: If you want to increase your business, diversify or get another real job.
Re: OT: Google alerts FP's
On Tue, 2008-11-18 at 11:26 +0100, Matus UHLAR - fantomas wrote: On 17.11.08 18:15, Mark Martinec wrote: I have been using USER_IN_SPF_WHITELIST to whitelist mails from google alerts. It had been working fine, but for the last 2-3 days I see that these mails don't get an SPF-pass. Seems guys at google are using some other servers. whitelist_from_dkim [EMAIL PROTECTED] whitelist_auth should apply for both SPF and DKIM (hmmm, what if the mail passes one check, but fails the other?)

Oops sorry, the trusted networks setting was wrong on one of the servers. That messed up the SPF.
Is spam volume really down
Is this news true (spam down by 75%)? http://www.securecomputing.net.au/News/128340%2cspam-volumes-drop-75-percent-in-a-day.aspx On my servers I haven't seen any big change.

Thanks Ram
Re: OT: Google alerts FP's
On Mon, 2008-11-17 at 07:32 +0100, Benny Pedersen wrote: On Mon, November 17, 2008 05:48, ram wrote: I have been using USER_IN_SPF_WHITELIST to whitelist mails from google alerts. It had been working fine, but for the last 2-3 days I see that these mails don't get an SPF-pass. Seems guys at google are using some other servers.

Authentication-Results: localhost.junc.org (amavisd-new); dkim=pass [EMAIL PROTECTED]
Authentication-Results: localhost.junc.org (amavisd-new); domainkeys=pass [EMAIL PROTECTED]

How can I report to them? The gmail/google alerts site does not have any such contact form. might have dropped spf, but dkim works still on the alerts. enable dkim in spamassassin then if not done already

They haven't dropped SPF, because most other mails still get correct results. Enabling the dkim plugin, will it increase resource requirements on my server? The SPF checks are just on the envelope/helo and ip, so obviously must be much cheaper.

Thanks Ram
OT: Google alerts FP's
I have been using USER_IN_SPF_WHITELIST to whitelist mails from google alerts. It had been working fine, but for the last 2-3 days I see that these mails don't get an SPF-pass. Seems guys at google are using some other servers. How can I report to them? The gmail/google alerts site does not have any such contact form.
Re: Funds / Award release scams poor scoring
Thanks

1 scored like this:

Content analysis details: (12.9 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low trust [70.103.162.29 listed in list.dnswl.org]
 1.0 FREEMAIL_FROM          From-address is freemail domain
 0.7 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
 0.0 DK_SIGNED              Domain Keys: message has a signature
 0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail) [SPF failed: Please see http://www.openspf.org/Why?id=mx1.riseup.net&ip=10.8.0.3&receiver=cpollock.localdomain]
 2.0 FREEMAIL_REPLYTO       Different freemail address found in Reply-To or Body than From
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60% [score: 0.5005]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/) [cpollock 1117; Body=1 Fuz1=many] [Fuz2=many]
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.9 KAM_LOTTO1             Likely to be a e-Lotto Scam Email
 2.5 L_UNVERIFIED_GMAIL     L_UNVERIFIED_GMAIL
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

2 scored:

Content analysis details: (12.6 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 RCVD_IN_DNSWL_LOW      RBL: Sender listed at http://www.dnswl.org/, low trust [70.103.162.29 listed in list.dnswl.org]

The number of DNSWL_LOW and DNSWL_MED misfires has gone up, especially in the last two days. Even Marc's JMF_W misfires. What it means is these are good mailservers who normally relay ham and have some weak links (weak passwords etc) that just got exposed. Also I notice a definite pattern. These are 419 scams and come up only on the weekends. Probably the spammers expect that action will be late since most systems guys will be away from work?
Re: Rule for encoded/bugged URLs?
On Fri, 2008-10-31 at 08:53 -0500, Kevin Windham wrote: Is there a ruleset for encoded URLs or addresses? I have some examples I can send, but so far I tried to send this email twice with the example URLs, and it never makes it to the list, so I'm guessing someone has some rules in place that I would like to be running on my server.

Use a pastebin to paste the entire mail and send us the URL.
Re: Problem with rules
On Fri, 2008-10-03 at 20:36 +0200, [EMAIL PROTECTED] wrote: Hello, I have done an upgrade with perl -MCPAN -e shell and then I recognized that spamassassin will not run. He said: spam_scan FAILED: Can't locate object method "get_tag" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 87) line 335, <GEN53> line 64.

spamassassin -D --lint

See the logs.
custom SA plugin, how do I get the envelope recipient
I am trying to write a custom SA plugin. Can I get the envelope recipient(s) of a mail? Because I am going to have recipient-specific rules, and I don't want to rely on the ToCc headers.

Thanks Ram
Yahoo I have a new email abuse
419 scammers are abusing Yahoo's "I have a new email" announce service. https://ecm.netcore.co.in/tmp/scam1.eml.txt The scammer sets the message and sends the spams through yahoo's servers, and the mails go through clean. Initially these were very few, but now the numbers are growing. Yahoo should do better than allowing such a gaping loophole.

Thanks Ram
RE: dsbl.org down for good
dsbl has been down for a long, long time now. Any more DNS checks are just a waste of time.

On Thu, 2008-09-25 at 11:41 -0400, Bowie Bailey wrote: Todd Adamson wrote: Would I be correct or incorrect that this will get updated to our rules through sa-update? If this does get corrected, what kind of time frame are we guessing at? No idea here. And in the short term, if we zero the score for RCVD_IN_DSBL, will that properly disable the test? Yep.
Re: New free blacklist: BRBL - Barracuda Reputation Block List
On Mon, 2008-09-22 at 10:58 -0500, Matt wrote: I had the same issue and found that the system that's relaying (216.129.105.40) those confirmation emails doesn't have a PTR record. You'd think someone selling an antispam/email appliance would be familiar with the RFCs. That would explain why I got no confirmation; we do not accept email from IPs without a PTR record. I agree, if true this looks pretty bad for a so-called antispam company. In fairness -- if you drop mail with no rDNS, you are dropping 3.6% of legit email in general, going by the test results for our RDNS_NONE rule... ;) Everyone should block/defer ALL email with no reverse DNS. Then maybe those email admins would get a clue.

We tried, but when the client yells "I am losing my mails", you've got to change your rules.
Re: New Day old Bread list trick
On Mon, 2008-09-15 at 07:11 -0700, Marc Perkel wrote: I just discovered the Day Old Bread list of host names under 5 days old. I don't know where they get it but the list is very useful. As many of you know I also track hosts that don't use the QUIT command to close connections. So it occurred to me that if a domain is less than 5 days old AND it isn't using quit that it's spam. I'm thinking about creating some kind of feed or public list of the host names I catch. Is anyone interested in this data and if so - what form would you like it in?

But Marc, I have found that the DOB dns lookups keep timing out often (5s on my servers) and in general they cannot be used on high-traffic servers. The results may/may not be good but spending 5s on DNS lookups is unaffordable. The DNS zone dob.sibl.support-intelligence.net seems poorly maintained. There is not even a website for support-intelligence.net.

Thanks Ram
Re: MagicSpam
On Thu, 2008-09-11 at 15:25 -0700, fchan wrote: Hi, Sorry I don't have experience with this product. I do have limited experience with the Barracuda Networks appliance and I think it is a great product for an e-mail filter, which I had experience with when helping my friend set it up on their network email server. It is easy to set up, configure and maintain, so as an alternative to spamassassin this is a great alternative. Price is fairly good and since they were an educational institute they got a discount. http://www.barracudanetworks.com/ns/products/spam_overview.php

Alternative to spamassassin?? AFAIK barracuda uses spamassassin. You just get their rules and DNS lists; that makes it better than the default SA. But to be honest, not everyone can keep managing SA boxes. If some company wants to dump SA because of management issues, I would suggest just tying up with some commercial plugin for SA. No change to the user interfaces. Almost immediately implementable on an existing setup and it would be economical too.
Re: Capture -D --lint output
On Thu, 2008-09-11 at 07:53 -0500, Jack L. Stone wrote: Folks, I'm trying to capture/grep specific given info from the subject output, like this: #spamassassin -D --lint | grep database

spamassassin -D --lint 2>&1 | grep database
Safe rulesets for german
I have been using SA for english mails all along. If I want to use SA for german mails, what are the rulesets I should use? I have seen my installation throw up a few FPs for german mails. I use the default SA rules + select SARE rules.

Thanks Ram
Re: Blacklist Mining Project - Project Tarbaby
On Tue, 2008-08-26 at 10:21 +0100, Graham Murray wrote: Ralf Hildebrandt [EMAIL PROTECTED] writes: * Robert Schetterer [EMAIL PROTECTED]: that could be seen as a security risk because in rare cases you may receive legal mails i.e. at a network outage etc

I think just hits on the fake MX do not blacklist the SMTP server. Marc keeps saying this often, that spammers don't issue any QUIT. By now spammers would have learnt... IMHO :-).

How? He tempfails all mails. Because some senders erroneously treat a tempfail as a permfail (or even worse as a successful delivery) and do not retry.

Do they get their mails delivered at all?? Such server admins would deserve what they get.

Thanks Ram
Re: How to avoid localhost mails tagged as spam
On Tue, 2008-08-26 at 00:40 +0200, GoodnGo.de (R) Zentrale wrote: Hello List, I am using SpamAssassin version 3.2.5, Postfix, amavis, clamd, *nix. My question: All emails from localhost are tagged as ***Spam*** in the subject line. How can I avoid this? Please help me. (Header-Message: Received: from localhost (unknown [127.0.0.1])) Regards, Oliver

What I do is I don't pass local mails through the scan at all. You don't expect spam from localhost (else you are in much bigger trouble :-)). I am sure amavis will have an option for when to scan messages for spam and when not.
Re: Spam from your email address.
On Fri, 2008-08-22 at 13:11 -0400, [EMAIL PROTECTED] wrote: I do have an SPF record. I just don't understand how I can receive an email from myself. In the headers it shows a completely different address. I am not an open relay. I think I will try domain keys next.

No, wait. Just make sure your MTA rejects mail on SPF Fail, or mark them as spam in your SA. That should be enough for your own server.
Yahoogroups not a COI list ?
I have some users complaining to me that their ids get subscribed automatically to some yahoo groups and they want these mails to be scored by SA. I had created special rules in SA not to flag yahoogroups mails, but it seems yahoogroups is not that innocent after all.

Thanks Ram
Re: Yahoogroups not a COI list ?
On Fri, 2008-08-22 at 12:13 +0100, Martin Gregorie wrote: On Fri, 2008-08-22 at 11:55 +0200, mouss wrote: you can unsubscribe via email without a password (and without having a yahoo account): OK, thanks for the info. I don't use Yahoo Groups and wasn't sure if there was some gotcha to prevent people from being unsubscribed by 'friends'. Martin

Unfortunately there seems to be none. Any group owner can approve my id on my friend's request. This is ridiculous. (Especially after spamza.com, where you get your friends subscribed to 1000s of unconfirmed opt-ins... Yahoo should do better than that.)
Spammer trying to hijack more accounts
In the past we have had cases where spammers used our customers' weak-password accounts and started sending spam, but now the spammer is sending mails asking users to give them their username/passwords. https://ecm.netcore.co.in/tmp/spam3.txt I am sure there are many naive customers who would send their username/passwords back. I need to write an SA rule to score mails asking for username/passwords inside the mail.

Thanks Ram
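One way to write the rule Ram is after, as an added example that is not from the thread: a sub-rule for each ingredient of a credential request, combined by a meta rule so that a lone mention of "password" does not score. The phrase lists and scores are assumptions to tune against your own ham.

```conf
# local.cf fragment (constructed example; not from the thread).
# Each __ sub-rule catches one ingredient of a credential-harvesting mail
# and scores nothing on its own; only the combination scores.

# asks for a login name of some kind
body     __ASKS_USERNAME      /\b(?:user ?name|user ?id|login ?(?:id|name)?|e-?mail address)\b/i
# asks for the password itself
body     __ASKS_PASSWORD      /\bpass ?(?:word|phrase)s?\b/i
# a request to send/confirm/verify account details, up to 80 chars apart
body     __ASKS_SEND_DETAILS  /\b(?:send|reply with|confirm|verify|validate|update|provide)\b.{0,80}\b(?:account|details|credentials|information)\b/i
# the usual pressure: the account will be suspended/closed unless you comply
body     __THREATENS_ACCOUNT  /\b(?:account|mailbox|e-?mail) (?:will be|has been|may be) (?:suspended|closed|deactivated|terminated|blocked)\b/i

# all three ingredients present: username, password, and a request to send them
meta     ASKS_FOR_CREDENTIALS (__ASKS_USERNAME && __ASKS_PASSWORD && __ASKS_SEND_DETAILS)
describe ASKS_FOR_CREDENTIALS Asks the recipient to send username and password
score    ASKS_FOR_CREDENTIALS 3.5

# stacks on top of the rule above when a suspension threat is also present
meta     ASKS_FOR_CREDENTIALS_THREAT (ASKS_FOR_CREDENTIALS && __THREATENS_ACCOUNT)
describe ASKS_FOR_CREDENTIALS_THREAT Credential request plus account suspension threat
score    ASKS_FOR_CREDENTIALS_THREAT 2.5
```

Check it against a saved copy of the sample with spamassassin -t file, as suggested elsewhere in this thread, and against a batch of genuine helpdesk mail before raising the scores.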
Re: mysterious spam - what is this trying to do?
On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote: Arvid Ephraim Picciani wrote: On Wednesday 30 July 2008 00:55:50 mouss wrote: Ken A wrote: Can be a probe too. Accepting mail from that IP with that content says something about your system. Spammers aren't stupid. They fingerprint us just like we fingerprint them. If I was a spammer, I don't see why I would probe you. I understand if it's filter poisoning, but probing to see if the message will be accepted is useless. they can just send their spam. if you reject it, others will accept it, and some will read it, which is exactly what they want to achieve. No. Some spammers are a lot more clever than that. Especially if you sell lists, you usually make sure they are high quality. This is a low volume probe. Probably to clean out harvested lists. - They are probing for wrong addresses (This is why returning 550 imho makes sense and greylisting does not) - They are probing for backscatterers. All mails would have the same From address, envelope, and helo of a compromised mailserver. - They are probing for spamtraps. Bigger ISPs can probably detect that best, since the mails would have a pattern. Of course there is always the possibility that the ratware is simply broken. shit happens :P Yes. And also, in any war, consider resource usage. A simple example: Spammer at any given time may have access to a number of DNSRBL listed bots, and a number of unlisted bots. With an understanding of how an ISP handles filtering based on a given DNSRBL, the spammer may choose a certain delivery pattern.

How does the spammer come to know his mail is delivered and not quarantined / deleted / spam tagged?
Re: [OT] Odd spammer tactic?
On Fri, 2008-07-25 at 18:15 +0200, Jonas Eckerman wrote: Michelle Konzack wrote: in short, if someone declares you as their MX (without your authorization), you should not start listing clients that try to send mail to such domains. Are there ANY legal reasons to declare someone's MX as their MX? You miss mouss' point. If someone (maliciously or by mistake) declares your system as their MX, innocent third party mail servers may through no fault of their own connect to your system in order to send mail to addresses for which your system is not an MX.

I think I still miss the point. How can someone else declare the MX of my domain (dns poisoning ignored)? If that were possible, he would be getting my mails, which is a much more serious issue. Anyway for the stats I just created two brand new A records with mail.domain.com just for testing, and pointed them to a fake smtp server. No MXes point to that IP so no real mail should come here. For the last 3 days, 154 distinct IPs have connected and of them 144 are already listed in zen.spamhaus.org. So it doesn't seem to be a very useful effort after all to list those IPs :-(. I would have blocked those mails with spamhaus anyway.

Thanks Ram
Re: SPF-check works, but Whitelist-by-SPF does not
On Fri, 2008-07-11 at 07:06 -0700, Wil Decius wrote:
> I'm trying to get the SpamAssassin local configuration set up to whitelist-by-SPF. The box, as delivered to me, runs Debian with
> spamassassin -V
> SpamAssassin version 3.2.5-r609689 running on Perl version 5.8.8
> In local.cf I've added
> whitelist_from_spf [EMAIL PROTECTED]
> Checking the target SPF record it looks OK.
> dig TXT technologyladder.com +short
> v=spf1 mx ip4:64.14.60.0/27 ip4:64.14.53.64/26 ip4:67.151.144.115/32 ip4:64.20.188.0/24 ip4:64.210.209.0/24 ip4:165.193.208.0/24 ip4:165.193.209.0/24 ip4:165.193.210.0/24 ip4:165.193.211.0/24 -all
> But email received FROM the target does NOT get whitelisted. The message headers contain
> From: [EMAIL PROTECTED]
> Return-Path: [EMAIL PROTECTED]
> X-Spam-Report:
> * 1.5 FH_RELAY_NODNS We could not determine your Reverse DNS
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * 5.0 BOTNET Relay might be a spambot or virusbot
> * [botnet0.8,ip=165.193.208.162,rdns=r14nj3ip1.idc.technologyladder.com,maildomain=technologyladder.com,client,clientwords]
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 1.5 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> * [score: 0.4966]
> * 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
> * 0.3 AWL AWL: From: address is in the auto white-list
> Received: from r14nj3ip1.idc.technologyladder.com ([165.193.208.162] verified) by mail.mydomain.com (SMTP) with ESMTP id 6850528 for [EMAIL PROTECTED]; Fri, 11 Jul 2008 02:28:10 -0700
> Received: from unknown (HELO script1.idc.theladders.com) ([10.0.1.221]) by r14nj3ip1.idc.technologyladder.com with ESMTP; 11 Jul 2008 05:28:08 -0400
Just simulate a message that should SPF-pass whitelist, then run
spamassassin -D -t FILE.eml
What is the output you get? That info would help.
How to make an exception to URIBL_SBL
One of our customers' domains is hitting URIBL_SBL. For no fault of his, his DNS provider is listed, so mails containing links to his own domain get marked spam. How do I make an exception to this? Is there a way to say, for a known list of domains, do no URI checks? I don't want to reduce the score of URIBL_SBL since it is very good at catching spam.
Thanks
Ram
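The mechanism the question asks for is a per-domain skip list consulted before the URI blocklist lookup; in SpamAssassin the URIDNSBL plugin provides it as the `uridnsbl_skip_domain` directive, which is the answer to the post. The Python below is an added example, not code from the thread or from SpamAssassin: it pulls URIs out of a message body, reduces each host to a registrable domain, skips the customer's domain, and only then consults the blocklist. The blocklist, the skip list and the sample body are constructed for the example, the lookup is a set membership standing in for the DNS query, and the two-label domain reduction is a simplification (no public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the URIBL zone; in production this is a DNS lookup.
BLOCKLISTED = {"customer-example.com", "bad-example.net"}

# Domains never sent to the blocklist, the equivalent of uridnsbl_skip_domain.
SKIP_DOMAINS = {"customer-example.com"}

# Good enough for http(s) links in a text body; stops at whitespace and quotes.
URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Assumption for the example: no public suffix list, so 'a.b.example.co.uk'
    would wrongly become 'co.uk'. A real deployment uses the PSL here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_domains(body: str) -> set[str]:
    """All registrable domains referenced by http(s) URIs in the body."""
    domains = set()
    for uri in URI_RE.findall(body):
        host = urlparse(uri).hostname
        if host:
            domains.add(registrable_domain(host))
    return domains


def uribl_lookup(domain: str) -> bool:
    """Stand-in for querying the URIBL zone for one domain."""
    return domain in BLOCKLISTED


def uribl_hits(body: str, skip_domains: set[str] = SKIP_DOMAINS) -> list[str]:
    """Blocklisted domains found in the body, excluding skipped ones (sorted)."""
    hits = []
    for domain in sorted(extract_domains(body)):
        if domain in skip_domains:
            continue  # never look this one up, like uridnsbl_skip_domain
        if uribl_lookup(domain):
            hits.append(domain)
    return hits


# Constructed sample body: a link to the customer's own domain, a link to a
# domain that really is listed, and an unlisted one.
SAMPLE_BODY = """Your invoice is at http://www.customer-example.com/invoice/123
Tracking pixel: https://cdn.bad-example.net/track?id=1
More at http://Good-Example.org/ for details.
"""

if __name__ == "__main__":
    print("with skip list:   ", uribl_hits(SAMPLE_BODY))
    print("without skip list:", uribl_hits(SAMPLE_BODY, skip_domains=set()))
```

With the skip list in place only `bad-example.net` is reported, so the customer's link no longer contributes a URIBL_SBL hit while the rule keeps its full score for everything else.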
Re: Detecting the Registrar of the sending host?
> You can't spoof Forward Confirmed rDNS.
If we could find the registrar of a domain then I can write a rule:
if ( Expensive_registrar && Not_spoofed && Not_freemail ) we can give a negative score.
I would not like to whitelist the entire stuff though. That means I would have to maintain a list of Expensive_registrars as well as a list of Freemail domains. I wonder if such lists are available though.
But you could have big corporates with weak password policies and accounts getting compromised. So spam does come from these accounts.
Thanks
Ram
Re: Better whitelisting with DNSWL
On Thu, 2008-07-03 at 10:48 +0200, Matus UHLAR - fantomas wrote:
> On 03.07.08 11:35, Henrik K wrote:
>> I'd like to encourage people to take more advantage of DNSWL.
> while DNSWL('s) may be good, I encountered many cases when spam and bounces won't get caught by SA because the sender is in DNSWL.
Yes, but you report that to them and they usually take care.
Short circuit priority doesnt seem to work
Hi
In my local.cf I have
--
score USER_IN_SPF_WHITELIST -100
priority USER_IN_SPF_WHITELIST -1000
priority RCVD_IN_XBL -800
shortcircuit USER_IN_SPF_WHITELIST on
shortcircuit RCVD_IN_XBL spam
--
So I expect RCVD_IN_XBL to be evaluated after USER_IN_SPF_WHITELIST, but this does not happen. If a mail hits RCVD_IN_XBL it is immediately marked spam even if it were to hit USER_IN_SPF_WHITELIST. I disable the short circuit plugin and it works fine.
How do I enforce SA to wait for the results of negative short-circuited rules of higher priority before short-circuiting mail as spam due to positive ones?
Thanks
Ram
Re: Short circuit priority doesnt seem to work
On Thu, 2008-06-26 at 19:48 -0400, Matt Kettler wrote:
> ram wrote:
>> Hi
>> In my local.cf I have
>> --
>> score USER_IN_SPF_WHITELIST -100
>> priority USER_IN_SPF_WHITELIST -1000
>> priority RCVD_IN_XBL -800
>> shortcircuit USER_IN_SPF_WHITELIST on
>> shortcircuit RCVD_IN_XBL spam
>> --
>> So I expect RCVD_IN_XBL to be evaluated after USER_IN_SPF_WHITELIST, but this does not happen. If a mail hits RCVD_IN_XBL it is immediately marked spam even if it were to hit USER_IN_SPF_WHITELIST. I disable the short circuit plugin and it works fine.
>> How do I enforce SA to wait for the results of negative short-circuited rules of higher priority before short-circuiting mail as spam due to positive ones?
> You can't apply priority to DNS based checks this way and be 100% sure of never getting a match.
> DNS queries are launched before any other rules start running. It then runs the rules, and collects the results later on. This way, the DNS queries run in parallel with the message scan.
> A shortcircuit will cause SA to cut short any waiting for answers on the DNS tests, but IIRC, any that did complete already will still match.
> Technically, SA waits until something like priority 500 before it starts waiting for all the DNS tests to complete.
> In general, shortcircuit isn't intended to be a rule-bypassing measure, it's a speed measure.
> You'd have to use a non-DNS test to be sure that shortcircuit is working.
So would you suggest I remove all shortcircuit on DNS rules? Is there any way I can get USER_IN_SPF_WHITELIST evaluated before all other tests?
Thanks
Ram
Spam volumes down since last week
I am seeing a clear downtrend in the number of spams hitting our servers, I am not sure why. Since last week spams are at 50% of what they used to be last month. Is this what you all are seeing?
But the irritant 419s are still coming in (and some get past SA), in many new variants. I have seen scamsters sending targeted spams to people of the hotel industry, holiday industry etc.
Thanks
Ram
Re: Undeliverable mails
On Wed, 2008-06-04 at 18:24 +0200, Benny Pedersen wrote:
> On Wed, June 4, 2008 17:11, mouss wrote:
>> If they can't configure their system to reject invalid recipients at smtp time, there is no hope that they will setup SPF checking correctly!
> it was also my conclusion after I had written it :-)
You might be surprised, but that is not exactly true. I have seen a lot of backscatter from Cisco Ironports. Most Ironport boxes don't do any address verification at the time of accepting mail, and then send NDRs. But if these are getting SPF fail, then these messages may get discarded as spam (I assume). And this may happen with a lot of other outsourced antispam vendors too.
Re: List of Banks often spoofed in Phishing scams
On Thu, 2008-06-05 at 12:02 +0200, Benny Pedersen wrote:
> On Thu, June 5, 2008 07:33, ram wrote:
>> I do something like this.
>> ((! SPF_PASS) && (ENV_FROM_GOOD_BANKS || HEADER_FROM_GOOD_BANKS)) then give a score 3.0
>> Of course the GOOD_BANKS are a list of banks which have SPF records.
> we could also just give scores on spf fail with a meta :-)
NO. Phishers sometimes just forge the header From, not the Env-From. You would not get an SPF_FAIL, because there was nothing wrong with the sender address. But the end users are usually not trained to look at the real sender.
Re: List of Banks often spoofed in Phishing scams
On Thu, 2008-06-05 at 13:08 +0200, Benny Pedersen wrote:
> On Thu, June 5, 2008 12:53, ram wrote:
>> Phishers sometimes just forge the header From, not the Env-From. You would not get an SPF_FAIL, because there was nothing wrong with the sender address. But the end users are usually not trained to look at the real sender.
> good banks have equal envelope sender and from, else i blame my bank :-)
> why care about phishers that fail to do it right?
The phisher deliberately fails to do it right and forges only the header From:. It is for us to catch them.
Re: List of Banks often spoofed in Phishing scams
> Actually in some ways this leads to an interesting idea. In our wiki here perhaps we should write some guidelines for banks and everyone else running legitimate email servers as to what is the correct way to configure their servers. The first thing that comes to mind is getting FCrDNS correct and making sure that the domain of the from address, the HELO, and FCrDNS all resolve to the bank's domain.
That is not practical. At least in India, banks use third party servers to send their mailers often. And the IPs have PTRs and HELOs which don't match the banks', because these don't belong to the bank.
I do something like this.
((! SPF_PASS) && (ENV_FROM_GOOD_BANKS || HEADER_FROM_GOOD_BANKS)) then give a score 3.0
Of course the GOOD_BANKS are a list of banks which have SPF records.
Thanks
Ram
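The rule Ram describes here and in the two replies above, as an added example that is not part of the thread and not SpamAssassin code: take the domain of the header From: and of the envelope sender (Return-Path), test each against the GOOD_BANKS list, and fire only when there is no SPF pass. The example also adds one check the thread argues about but does not implement: a header From: claiming a bank while the envelope sender is a different domain, which is the header-only forgery Ram says the plain SPF_FAIL meta misses and which a clean SPF pass on the attacker's own envelope domain does not catch either. The bank list, the three messages, the `spf_result` argument (the verdict the MTA or SpamAssassin reached for the envelope sender) and the 2.0 score for the mismatch rule are all constructed for the example; 3.0 for the meta is the value from the post.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for Ram's GOOD_BANKS: bank domains known to publish SPF.
GOOD_BANKS = {"bank-example.com", "otherbank-example.com"}

# Rule scores: 3.0 is Ram's value, 2.0 for the added mismatch rule is assumed.
SCORES = {"BANK_NO_SPF_PASS": 3.0, "BANK_FROM_ENV_MISMATCH": 2.0}


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def evaluate(raw_message: str, spf_result: str) -> dict:
    """Rule hits and total score for one raw RFC 5322 message.

    spf_result is the SPF outcome for the envelope sender as the receiving
    side determined it: 'pass', 'fail', 'softfail', 'neutral' or 'none'.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    header_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("Return-Path", ""))

    hits = {
        "SPF_PASS": spf_result == "pass",
        "HEADER_FROM_GOOD_BANKS": header_dom in GOOD_BANKS,
        "ENV_FROM_GOOD_BANKS": env_dom in GOOD_BANKS,
    }
    # Ram's meta: a bank domain in either sender field, but no SPF pass.
    hits["BANK_NO_SPF_PASS"] = (not hits["SPF_PASS"]) and (
        hits["HEADER_FROM_GOOD_BANKS"] or hits["ENV_FROM_GOOD_BANKS"]
    )
    # Added check (not in the thread): the user sees a bank in From:, but the
    # envelope sender is another domain, so an SPF pass covers the wrong name.
    hits["BANK_FROM_ENV_MISMATCH"] = (
        hits["HEADER_FROM_GOOD_BANKS"] and env_dom != header_dom
    )
    total = sum(score for name, score in SCORES.items() if hits[name])
    return {"hits": hits, "score": total,
            "header_domain": header_dom, "envelope_domain": env_dom}


# Constructed sample messages (headers only matter for these rules).
LEGIT = """Return-Path: <alerts@bank-example.com>
From: "Bank Example" <alerts@bank-example.com>
To: customer@example.net
Subject: Your statement is ready

Your statement is ready.
"""

# Header From: forged, envelope sender is the phisher's own domain.
HEADER_FORGED = """Return-Path: <bounce@attacker-example.org>
From: "Bank Example" <alerts@bank-example.com>
To: customer@example.net
Subject: Verify your account

Click here.
"""

# Envelope sender forged as the bank too; the bank's SPF record then fails it.
ENV_FORGED = """Return-Path: <alerts@bank-example.com>
From: "Bank Example" <alerts@bank-example.com>
To: customer@example.net
Subject: Verify your account

Click here.
"""

if __name__ == "__main__":
    for name, raw, spf in (("legit", LEGIT, "pass"),
                           ("header forged, attacker SPF passes", HEADER_FORGED, "pass"),
                           ("header forged, no SPF", HEADER_FORGED, "none"),
                           ("envelope forged", ENV_FORGED, "fail")):
        result = evaluate(raw, spf)
        fired = sorted(k for k, v in result["hits"].items() if v and k in SCORES)
        print(f"{name:40s} score={result['score']:.1f} {fired}")
```

The second case is the one to watch: with the attacker's envelope domain passing its own SPF, Ram's meta stays silent and only the added mismatch rule fires, which is why the envelope/header alignment check belongs next to the SPF result rather than instead of it.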