DBL and SBL checks on from address domain

2015-03-23 Thread Ramprasad Padmanabhan
How can I check if the domain used in the From address is listed in the Spamhaus
DBL, or the IP it resolves to is listed in the SBL?

I find all the URIBL_DBL_SPAM rules etc. work only for URLs in the body,
not headers.


Thanks
Ram
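As an added example (not from the thread, and not SpamAssassin code), here is the check being asked for, in Python: the From: domain is looked up in the DBL, and every A record it resolves to is looked up in the SBL. The zone names and 127.0.x.y return codes are the published Spamhaus ones; the resolver is injectable, and the fake_resolve answers at the bottom are constructed so the block runs offline.

```python
import ipaddress
import socket
from email.utils import parseaddr
from typing import Callable, Dict, List, Optional

# Resolver signature: (name, rrtype) -> list of answer strings, [] when NXDOMAIN.
Resolver = Callable[[str, str], List[str]]

DBL_ZONE = "dbl.spamhaus.org"   # domain blocklist: answers are 127.0.1.x
SBL_ZONE = "sbl.spamhaus.org"   # IP blocklist: answers are 127.0.0.2 / 127.0.0.3

# Ranges that are never listed; skip the lookup instead of sending them to the resolver.
_NEVER_LISTED = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def stdlib_resolve(name: str, rrtype: str = "A") -> List[str]:
    """Live resolver using only the standard library (A records, which is all
    the Spamhaus zones return). Needs network access."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def from_domain(from_header: str) -> Optional[str]:
    """Domain part of a From: header value; display names and <> are handled."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if domain.startswith("[") and domain.endswith("]"):   # domain literal [1.2.3.4]
        domain = domain[1:-1]
    return domain or None


def dbl_check(domain: str, resolve: Resolver) -> Optional[str]:
    """DBL return code (127.0.1.x) when the domain is listed, else None.
    127.0.1.255 is not a listing: it means an IP address was queried, which
    the zone forbids, so it is deliberately not treated as a hit."""
    for answer in resolve(f"{domain}.{DBL_ZONE}", "A"):
        if answer.startswith("127.0.1.") and answer != "127.0.1.255":
            return answer
    return None


def sbl_check(ip: str, resolve: Resolver) -> Optional[str]:
    """SBL return code when the IPv4 address is listed (reversed-octet query), else None."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    for answer in resolve(f"{reversed_ip}.{SBL_ZONE}", "A"):
        if answer in ("127.0.0.2", "127.0.0.3"):
            return answer
    return None


def check_from_header(from_header: str, resolve: Resolver = stdlib_resolve) -> Dict:
    """DBL check on the From: domain, then SBL check on every A record it resolves to.
    A bare IP used as the domain skips the DBL and goes straight to the SBL."""
    result: Dict = {"domain": None, "dbl": None, "sbl": {}}
    domain = from_domain(from_header)
    if domain is None:
        return result
    result["domain"] = domain
    try:
        ips = [str(ipaddress.IPv4Address(domain))]
    except ipaddress.AddressValueError:
        result["dbl"] = dbl_check(domain, resolve)
        ips = resolve(domain, "A")
    for ip in ips:
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue
        if any(addr in net for net in _NEVER_LISTED):
            continue
        code = sbl_check(ip, resolve)
        if code:
            result["sbl"][ip] = code
    return result


# Constructed DNS answers for an offline run (names and codes are made up for
# the example; the real zones must be queried with stdlib_resolve).
_FAKE_DNS = {
    ("spammy.example.dbl.spamhaus.org", "A"): ["127.0.1.2"],   # DBL "spam domain"
    ("spammy.example", "A"): ["192.0.2.10"],
    ("10.2.0.192.sbl.spamhaus.org", "A"): ["127.0.0.2"],        # SBL listing
    ("clean.example", "A"): ["198.51.100.7"],
}


def fake_resolve(name: str, rrtype: str = "A") -> List[str]:
    return _FAKE_DNS.get((name, rrtype), [])


if __name__ == "__main__":
    print(check_from_header('"Bob" <bob@Spammy.Example>', fake_resolve))
```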


Score on sender domain by country

2011-04-11 Thread Ramprasad
Hi,

One of our clients has a purely local business and wants any mail coming
from a foreign domain to be given a score for spam.

I would like to reduce the spam threshold, and then give a negative
score for every mail with a sender domain in India.

Is there a possibility of identifying the country where a domain is
registered? Identifying by TLD seems incorrect.


Thanks
Ram





Re: return-path program

2010-03-13 Thread Ramprasad

Alexandre Chapellon wrote:

> Hello,
>
> I would like to know if someone here is part of the returnpath.net
> (http://www.returnpath.net/emailserviceprovider/certification/)
> certification program?

Sender certification is usually unnecessary unless you send mail in bulk.
For bulk mailers, any certification program would work only if you
maintain strictly opt-in mailing.
You could easily go to their site and ask for info; the guys at returnpath
will get back to you.

> Does it really increase deliverability of email and to which MSP?

Yes, getting certified definitely increases deliverability. (Yahoo,
Hotmail, MSN .. Even SpamAssassin by default scores certified mails as
non-spam.)

> What are the necessary steps to get into that program and is it free
> or do I have to pay something?

Obviously there is a certification fee.
BTW, if you are already a good sender I don't know if you really
require certification; if you aren't, then you won't qualify for
certification :-)


Thanks
Ram




What is the error with clamav module

2010-01-08 Thread Ramprasad

http://www.zimbra.com/forums/administrators/36295-every-new-message-flagged-exploit-pdf-9669-nothing-getting-through.html


How do I disable false positives with clam?

For now I am disabling clam totally on all servers .. anyway real
viruses are so few.


Re: [OT] Odd spammer tactic?

2008-07-22 Thread Ramprasad

Marc Perkel wrote:
> There's people out there who are better and faster programmers than I
> am. I need a simple utility written. We can post it on the SA Wiki when
> we're done.
>
> I don't care what it's written in but I'm thinking that xinetd might
> be easiest. What I want is something to record the IP address of any
> host connection to port 25. Then it's going to need to run a one line
> script file that runs netcat (nc) and sends me data. Basically I just
> need the IP address. I have a collector program listening that feeds
> the blacklist system. The collector is:
>
> echo $* | nc -w 2 host port
> exit 0

You mean you need a script that will listen on port 25 instead of an smtpd
daemon?

Will be a trivial thing to do.
What should this do, just log the IPs to syslog and break the connection
immediately after connect?

> The idea of this project is to collect hits on port 25 of computers
> that shouldn't be hit on port 25. These hits would be 100% spambots
> and hackers. They hit it - they get listed.
>
> I'll share my collector code, which is a one line script.
>
> socat -u TCP4-LISTEN:port,reuseaddr,fork OPEN:/logfile
>
> The pair of these programs can be used to collect any kind of data
> based on trouble makers hitting ports that shouldn't be hit. This could
> be used for ssh attempts - anything. These programs feed IP collection
> systems and then some task manages the list, rotates it, and generates
> DNS blacklists.
>
> I'm thinking such a system might be really useful.

Yes, I think that would give a zero-FP blacklist on IPs.
Any real MTA would do an MX lookup;
IMO if mail is sent to non-MX IPs the mail is spam and the IP is of a
spammer.

(Internal misconfigured transport relays need to be excluded.)









===
sms START NEWS your city to 09845398453 for Breaking News and Top
Stories on Business, Sports  Politics. For more services visit
http://www.mytodaysms.com
===



Re: [OT] Odd spammer tactic?

2008-07-21 Thread Ramprasad

Christopher Bort wrote:
> This is really not a SpamAssassin issue, but since this list is
> populated by people who are interested in spammer behavior, I'm
> throwing it out for comment. If it's too far off topic, my apologies
> and I'll let it go at that.
>
> At $DAYJOB I run a mail server and a name server for several domains,
> both our own and for clients. At home, I run a mail server and a name
> server for a couple of personal domains. The home name server is a
> slave for most of the domains hosted at $DAYJOB. The home mail server
> is _not_ configured to handle mail for any of the $DAYJOB domains and
> it is _not_ an MX for any of those domains. The only connection is
> that it is an NS for the $DAYJOB domains. These domains _do_ have
> $DAYJOB mail server as their MX.
>
> For a while now, I've been seeing attempts to send mail to the home
> server for addresses in $DAYJOB domains. This is not a problem since
> the volume is low and they are being properly rejected as third-party
> relay attempts (authentication required - relay not permitted).
> However, the fact that someone is apparently trying to send mail to an
> NS instead of an existing MX has piqued my curiosity. It looks like
> it's all spam (the sender addresses tend to support that). So, has
> anyone else seen this sort of behavior and what could be the rationale
> for trying to deliver mail to an NS like this?

I have seen that spammers usually target the most available A records of
a domain.
So if a domain is example.com, all machines (mail.example.com,
example.com, ns.example.com etc.) are targeted.

Remove the A record ns.example.com (if possible) and you will see the
spams disappear.

Unfortunately this works :-( in evading spam filters in far too many
cases. A lot of domains host their websites/mailboxes/DNS on shared
servers which do not offer any protection at the SMTP level. Even if the
customer subscribes to a third-party antispam solution and points his MX
to a spam filter, the spammer easily sends his mail to the unprotected
mailhost server and gets straight to the inbox. We ourselves have had
extremely tough times explaining this to clients.

Probably the SpamAssassin community needs to develop an email client plugin
that can detect such mails.


Thanks
Ram









Re: [OT] Yahoo Deferred

2008-02-25 Thread Ramprasad

Tony Bunce wrote:
> Sorry for the Off Topic thread but I'm at a loss.
>
> Is anyone else having issues sending mail to Yahoo?
>
> They are returning "421 Message temporarily deferred" to every message
> my servers try to send. My server then retries like it should but
> yahoo never accepts the message, even after a day of retrying. Google
> turned up several people having the same issue but no one with a
> solution. My DSN is right, I have SPF records, and sign outgoing
> messages using DomainKeys.
>
> I've filled out every form on the yahoo support site without any luck
> at all. Anyone else seeing this problem or know of a way to get to a
> real person at yahoo? There are a few reports online that yahoo has a
> paid support phone number that will fix the problem but no one lists a
> phone number, and as much as I don't want to pay yahoo just to accept
> my messages I'm running out of options and the customer complaints are
> getting more frequent every day.

Almost everyone. Tell your customers not to use yahoo ids :-(
I don't know if there is any standard reason, but I think yahoo defers
mails from an IP when there are 'n' message attempts to incorrect ids, n
being too low for any practical server.
Also keep your rates of delivery low .. lest you enrage the yahoo guys.
(Their server, their rules :-( )

On my servers I ratelimit yahoo deliveries and deliver through a separate
server. Also keep changing the smtp bind address. That helps a bit but
yet the mailq is always quite high. We have already told our servers yahoo
defers our mails so it is not in our control to get done.

BTW if you get any solution please share with me too :-)


Thanks
Ram



===

sms START NETCORE to 575758 to get updates on Netcore's enterprise
products and services

sms START MYTODAY to 09845398453 for more information on our mobile
consumer services or go to http://www.mytodaysms.com

===



Re: googlepages.com abuse

2007-12-25 Thread Ramprasad

alex wrote:
> I made a script too, then I found your script when I searched later!
> Your script is more efficient, now I just use yours :P I call it
> directly from procmail.

Glad to be of use, it was not a great effort though.
BTW I think google has started taking complaints seriously. I don't see
many such spams now.









Securitysage rhsbl down

2007-02-13 Thread Ramprasad
My MTA is configured to block domains listed in securitysage but I can't
see any hits lately.
Is blackhole.securitysage.com down?

Thanks
Ram




Nuisance stock spams

2007-02-08 Thread Ramprasad
The stock spams are getting obfuscated to extreme lengths.
This mail went clean through spamassassin. All it got hit by were my custom
rules where I score mails containing companies mentioned in stock spam
(risky but no alternative).

Stock spams are a real nuisance, because the spammer just has to send
the message: no tell-tale links, no addresses, no phone numbers etc.

How do you folks tackle them?

This spam came from a clean machine, not listed in any BLs, and went
straight through.

http://ecm.netcore.co.in/spams/stock1.txt

Thanks
Ram




Re: TVD_SILLY_URI_OBFU

2007-02-06 Thread Ramprasad
On Mon, 2007-02-05 at 18:46 -0800, Kenneth Porter wrote:
> On Tuesday, February 06, 2007 12:31 AM +0100 Chr. v. Stuckrad
> [EMAIL PROTECTED] wrote:
>
>> So what really will be needed, would be a combination of
>> Rules for 'illegal hostname in url' and something like
>> the URIBLS to catch 'syntactically legal looking' obfuscations.
>> (if such a thing is feasible)
>
> What about a meta rule that combines "string does not resolve" (ie. by DNS
> lookup of the raw, obfuscated URL) and the presence of the words "remove"
> or "replace"?
>
> You could also have a plugin that saves away illegal characters found in a
> domain string and looks for one of those characters within some distance of
> the URL in the message.

Good idea, I think you mean domain name instead of URL.
OTOH there could be genuine typos? How to avoid FP'ing those?

FPs have become a bane nowadays. Today people send mails and then call
up to make sure the mail has reached, or is not in the spam folder.

Thanks
Ram






Re: TVD_SILLY_URI_OBFU

2007-02-06 Thread Ramprasad
On Tue, 2007-02-06 at 22:25 -0800, John D. Hardin wrote:
> On Tue, 6 Feb 2007, Ken A wrote:
>
>> But what's the point if they simply have to move the obfuscation to the
>> domain part, rather than the tld? Is it worth the cost of the additional
>> test?
>> ie: http://www.swell_your_dongR.com
>
> ...which brings us back to verification via a DNS lookup.

Even a DNS lookup could fail:
visit us at http://goOgle.com (Important: remove the capital O
from the domain name)

Assuming the spammer could register gogle.com


Thanks
Ram







Re: what are the rules directories

2007-01-25 Thread Ramprasad
On Wed, 2007-01-24 at 09:46 -0500, Theo Van Dinter wrote:
> On Wed, Jan 24, 2007 at 01:17:15PM +0530, Ramprasad wrote:
>> But If I have /var/lib/spamassassin with some files in it SA is
>> apparently ignoring /usr/share/spamassassin/*.cf
>
> Yes.  That's how updates work.

How do I make it use the files in /usr/share/spamassassin too?
I just need a command line version to run lint.

Anyway I use MailScanner which defines what directories to use for
scanning of mails, so that is not an issue.


Thanks
Ram







what are the rules directories

2007-01-23 Thread Ramprasad
I have been using SA for more than 3 years now and I have a dumb
question.

I am using SA 3.1.5 on CentOS.

AFAIK by default SpamAssassin reads from /usr/share/spamassassin
and /etc/mail/spamassassin.

But if I have /var/lib/spamassassin with some files in it, SA is
apparently ignoring /usr/share/spamassassin/*.cf

Is this so by design or have I misconfigured something?

Thanks
Ram








SA webredirect not able to get pages, but firefox can

2007-01-03 Thread Ramprasad
I am using a custom script using spamassassin and webredirect.pm while
scanning mails in my honeypots, to get all URIs that can go into my
self-maintained URIBLs.
Of late I have been seeing too many URLs timing out when using
webredirect.

I tried using lynx, or wget; even these time out, but when I try the same
URL in my desktop firefox browser the page opens up.

Most of these URLs are INFO_TLD URLs soliciting pornsites
(I can't risk putting them here, my own mail will get caught as
spam :-) )

Is anyone else seeing the same problem?

Thanks
Ram







My bayes journal just keeps growing

2006-12-13 Thread Ramprasad
I run SA 3.1.5 with MailScanner.

I have in my cf file:
bayes_learn_to_journal  1
use_bayes 1
bayes_path /var/spool/MailScanner/spamassassin/bayes
bayes_file_mode 0666
bayes_auto_expire 0

The problem is my bayes_journal file grows immensely (around 500Mb a
day) but the bayes_toks file hardly gets touched.

When I do a bayes expiry the process seems to hang (even after 3-4
hours) and I simply resort to deleting the journal file, because I can't
keep waiting for the expiry to complete. (We get a HUGE traffic of
around 7 million mails a day on 14 load-balanced servers.)

I am looking at MySQL based bayes, but that will take time to get
implemented.
What is the best way of setting up bayes for high traffic servers?

Thanks
Ram








Stupid spammer using same pattern in from ids

2006-12-11 Thread Ramprasad
I thought all the stupid spammers were already eliminated. But now there
is another full generation alive.

These spammers use specific patterns for their from-ids that make
themselves too obvious. It took us quite a while to find out what was
hammering us but now I am blocking all these spams right at the MTA
(postfix pcre tables).

Last week it was something like
/^fbi.+war@/

Now it is
/^daf.+cpu@/

I grep my maillogs and feel pleased I have blocked around 10-20 spams a
second (we get 6-7 million mails a day) booted at the gate.

Any idea why anyone would use such specific patterns?

Thanks
Ram






OT: sender address verification .. is it feasible

2006-11-30 Thread Ramprasad
I had read of sender address verification (SAV) about a year back; some
people had done that too. I found the idea too unfeasible for checking
from-addresses before accepting mail at the MTA.

The scene is different today: now with 90% of all mail being spam it
seems not that bad an idea anyway.
My guess is around 50% of these spams don't have a deliverable from-id.
Waste resources and bandwidth accepting mail and scanning it, or waste
time probing for correct from ids (and also risk being blacklisted for
probes) .. which is better?

IMHO if SAV becomes some standard then domains can have something like
DNS records for all correct ids and probing will become a lot easier.

Is anyone already having experiences with sender address verification?

Thanks
Ram







mangled drug spam again

2006-11-27 Thread Ramprasad
This drug spam seems pretty simple:
http://ecm.netcore.co.in/tmp/spammail1.txt

but is not caught by my SARE (mangled.cf) MANGLED* rulesets.
Am I missing something here?

Thanks
Ram



Re: backscatter from a joejob is killing me

2006-11-22 Thread Ramprasad



On Wed, 2006-11-22 at 19:34 -0600, Chris wrote:
> I've been receiving tons of supposed bounces from Peru saying I've sent
> messages to non-existent addresses using a [EMAIL PROTECTED] address.
> One such bounce is below:
>
> Return-Path:
> Received: from pop.earthlink.net [209.86.93.201]
> by localhost with POP3 (fetchmail-6.2.5)
> for [EMAIL PROTECTED] (single-drop); Wed, 22 Nov 2006 03:44:55
> -0600 (CST)
> Received: from barracuda.americatv.com.pe ([200.60.156.44])
> by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with
> ESMTP id 1gMOEB4tQ3Nl3490
> for [EMAIL PROTECTED]; Wed, 22 Nov 2006 04:44:29 -0500 (EST)
> MIME-Version: 1.0
> From: MAILER-DAEMON
> Message-Id: [EMAIL PROTECTED]
> Subject: **Message you sent blocked by our bulk email filter**
> Content-Type: multipart/report; report-type=delivery-status;
> charset=utf-8;
> boundary=--=_1164188668-21286-133
> To: [EMAIL PROTECTED]
> Date: Wed, 22 Nov 2006 04:44:28 -0500 (PET)
> X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=001;
> X-SenderIP: 200.60.156.44
> X-ASN: ASN-6147
> X-CIDR: 200.60.128.0/19
>
> Your message to: [EMAIL PROTECTED]
> was blocked by our Spam Firewall. The email you sent with the following
> subject has NOT BEEN DELIVERED:
>
> Subject: Manual de Comercio Exterior para empresarios Exportadores -
> Publicidad
>
> Reporting-MTA: dns; barracuda.americatv.com.pe
> Received-From-MTA: smtp; barracuda.americatv.com.pe ([127.0.0.1])
> Arrival-Date: Wed, 22 Nov 2006 04:44:27 -0500 (PET)
> Content-Type:
> X-UID: 80197
>
> Final-Recipient: rfc822; [EMAIL PROTECTED]
> Action: failed
> Status: 5.7.1
> Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE,
> id=21286-02-6
> Last-Attempt-Date: Wed, 22 Nov 2006 04:44:28 -0500 (PET)
>
> Received: from ROSITAS (unknown [201.240.82.234])
> by barracuda.americatv.com.pe (Spam Firewall) with SMTP id 53F60AC0B
> for [EMAIL PROTECTED]; Wed, 22 Nov 2006 04:44:25 -0500 (PET)
> Message-ID: [EMAIL PROTECTED]
> Reply-To: =?windows-1251?B?RXhwb3J0YSBQZXJ1IElQSg==?=
> [EMAIL PROTECTED]
> From: =?windows-1251?B?RXhwb3J0YSBQZXJ1IElQSg==?= [EMAIL PROTECTED]
> Subject:
> =?windows-1251?B?TWFudWFsIGRlIENvbWVyY2lvIEV4dGVyaW9yIHBhcmEgZW1wcmVzYXJpb3MgRXhwb3J0YWRvcmVzIC0gUHVibGljaWRhZA==?=
> Date: Wed, 22 Nov 2006 04:43:26 -0500
> MIME-Version: 1.0
> Content-Type: text/html;
> charset=windows-1251
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1081
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
>
> I've gotten about 500 of these today and it's getting to be hell weeding
> through them to pull out my LARTs which are also bouncing. Any
> ideas/suggestions are whole heartedly welcome.

From the stats on my server earthlink.net is a top forged domain.

So many of my users simply want earthlink.net blacklisted, but I can't
do that. They could use SPF but apparently that didn't work for them.

Unfortunately such bounces are creating problems for my servers too,
which send these NDRs to innocent email ids from earthlink.

I had been reading about BATV. But didn't quite get time to really go
through the docs:

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Anyone using BATV already?
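Added example (not from the thread) of what BATV does about the backscatter above: the envelope sender is rewritten to a prvs=KDDDSSSSSS=user@domain tag, and a bounce (MAIL FROM:<>) is accepted at RCPT TO only when the recipient carries a valid, unexpired tag. The prvs layout follows the BATV draft; the exact string fed to the HMAC, the day counter, and the DEMO_KEYS/DEMO_DAY values are this example's own conventions.

```python
import hashlib
import hmac
import re
from datetime import date
from typing import Dict, Optional, Tuple

# prvs=KDDDSSSSSS=local@domain  (K: key id, DDD: expiry day mod 1000, SSSSSS: 6 hex of HMAC)
PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-fA-F]{6})=(?P<orig>[^@]+@[^@]+)$")


def _day_number(day: date) -> int:
    """Day counter used for expiry; only its value mod 1000 is encoded in the tag."""
    return day.toordinal()


def _signature(key: bytes, key_id: int, ddd: int, orig: str) -> str:
    """First 6 hex digits of HMAC-SHA1 over key id, expiry day and the original
    address (lower-cased). What exactly is hashed is this example's convention."""
    msg = f"{key_id}{ddd:03d}{orig.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def batv_sign(orig: str, key: bytes, key_id: int = 0,
              today: Optional[date] = None, validity_days: int = 7) -> str:
    """Rewrite the envelope sender local@domain into its prvs-tagged form."""
    if "@" not in orig or not 0 <= key_id <= 9 or not 0 < validity_days < 1000:
        raise ValueError("bad address, key id or validity")
    today = today or date.today()
    ddd = (_day_number(today) + validity_days) % 1000
    return f"prvs={key_id}{ddd:03d}{_signature(key, key_id, ddd, orig)}={orig}"


def batv_verify(addr: str, keys: Dict[int, bytes], today: Optional[date] = None,
                validity_days: int = 7) -> Tuple[bool, Optional[str], str]:
    """Return (valid, original_address, reason) for the RCPT TO of a bounce.
    Untagged, unknown-key, forged and expired tags all fail."""
    m = PRVS_RE.match(addr)
    if not m:
        return (False, None, "no prvs tag")
    key_id, ddd, orig = int(m["k"]), int(m["ddd"]), m["orig"]
    key = keys.get(key_id)
    if key is None:
        return (False, orig, "unknown key id")
    if not hmac.compare_digest(_signature(key, key_id, ddd, orig), m["sig"].lower()):
        return (False, orig, "bad signature")
    today = today or date.today()
    remaining = (ddd - _day_number(today)) % 1000   # days until expiry, modulo the counter
    if remaining > validity_days:
        return (False, orig, "expired")
    return (True, orig, "ok")


def accept_bounce(rcpt: str, keys: Dict[int, bytes], today: Optional[date] = None) -> bool:
    """MTA policy for MAIL FROM:<>: deliver only to a valid prvs address, so NDRs
    for mail we never sent are refused at RCPT TO instead of reaching inboxes."""
    return batv_verify(rcpt, keys, today)[0]


# Constructed key material and date for the offline demonstration.
DEMO_KEYS = {0: b"example-secret-key"}
DEMO_DAY = date(2006, 11, 22)

if __name__ == "__main__":
    tagged = batv_sign("chris@example.com", DEMO_KEYS[0], 0, DEMO_DAY)
    print(tagged, batv_verify(tagged, DEMO_KEYS, DEMO_DAY))
```

The MTA still has to strip the tag (the returned original address) before local delivery of a legitimate bounce.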




Bayes file or SQL

2006-11-18 Thread Ramprasad
Which is lighter to use, bayes in files or bayes in SQL, for a large setup?
We get around 6-7 million mails per day on our 14 servers (80% get
rejected at the MTA however).

Currently each machine (dual Xeon, 4GB RAM) running Postfix + SA +
MailScanner has its own bayes files. How about running a mysql server
with a common bayes?

Thanks
Ram




Flooded by pointless spam

2006-11-13 Thread Ramprasad
I am not getting what the spammer intends to say here:
http://ecm.netcore.co.in/tmp/spam1.txt

There is no meaningful message, no sales pitch, no stock
recommendation, nothing at all.

Any ideas?


Thanks
Ram




Re: Enabling/testing SPF?

2006-11-03 Thread Ramprasad
On Fri, 2006-11-03 at 10:21 +, Henry Kwan wrote:
> Am finally getting around to making SPF records for our domains so naturally
> I was fiddling with SA to see SPF-checking was enabled.  Running 3.17 with
> Mail-SPF-Query-1.999.1 installed.  During make test, it seemed to pass all
> 36 tests in t/spf...ok.
>
> But when I do a debug test via spamassassin -D < sample-nonspam.txt, it
> doesn't seem to return "debug: registering glue method for
> check_for_spf_helo_pass
> (Mail::SpamAssassin::Plugin::SPF=HASH(0x8d21990))".
>
> I then sent a test email from another machine, forging an email with a
> domain known to have a good SPF record and I didn't see any references to
> SPF in the tests section.
>
> So what might be the issue here?  TIA for any insights.

spamassassin -D < file 2>&1 | grep -i spf

Check the output.

Which MTA do you use? Your MTA must insert an X-Envelope-From: header
(or similar).

Thanks
Ram








Re: Per Domain Whitelisting

2006-10-26 Thread Ramprasad
On Mon, 2006-10-23 at 14:36 -0700, jasonegli wrote:
> I'm running multiple domains on one SPAM cleaning server.  I'm wondering if
> there's a way in spamassassin to build a separate whitelist for each domain.
> If not, can you build a whitelist based on BOTH To and From addresses.
>
> For example let's say that domain xyz.com wants to allow all messages from
> yahoo.com, but domain 123.com does not. Is there a way to allow FROM
> [EMAIL PROTECTED] TO [EMAIL PROTECTED]?
>
> Thanks

How are you running SA? I mean you must be using some scanner software
like MailScanner, a milter etc.

Whitelists are best implemented at that level.

Thanks
Ram



Re: Re[4]: Any comments of the SpamHaus lawsuit?

2006-10-23 Thread Ramprasad

I got this on my google alerts.

Can anyone confirm?
http://www.mercurynews.com/mld/mercurynews/business/technology/15809465.htm


CHICAGO - A federal judge presiding over a spam dispute rejected a
marketing company's request to suspend the domain name of an anti-spam
group that ignored an $11.7 million judgment against it.

U.S. District Court Judge Charles P. Kocoras denied a proposed motion
from e360 Insight, which sued the Spamhaus Project over its black list
of spammers. Wheeling, Ill.-based e360 Insight contends it is improperly
on the list because it is a direct marketer that does not send
unsolicited e-mail.

The Spamhaus Project did not bother defending itself and refused to
recognize Kocoras' $11.7 million judgment against it, saying the court
had no jurisdiction over the U.K.-based group. So e360 Insight asked
that the judge order the spamhaus.org domain suspended.

But Kocoras said Thursday that the requested action was too broad and
would cut off all lawful online activities of Spamhaus, not just those
targeted by any court order.

Service providers and others use Spamhaus' list to help identify which
messages to block, send to a junk folder or accept. Spamhaus claims
that more than 650 million Internet users benefit from its list of
spammers.





rules to catch mangled phone numbers

2006-10-23 Thread Ramprasad
Is it possible to write a quick rule to catch phone numbers mangled with
[\- *] in between?

Like these:
1--314--414---4001

If someone is writing phone numbers this way there is enough reason to
believe he is a spammer.

Thanks
Ram
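Added example (not from the thread) of one way to write that rule without catching ordinarily formatted numbers: a candidate is digit groups joined by runs of [- *], and it is flagged only when a run is padded (2+ characters) or contains '*'. The 10-11 digit requirement and the separator set are this example's assumptions; the SpamAssassin rule in the comment is a rough single-regex equivalent.

```python
import re
from typing import List

# Digit groups of 1-4 digits joined by runs of the separator set [- *].
# 3 to 6 groups covers "1 314 414 4001" style layouts; the count check below
# keeps it to 10-11 digit (NANP-length) numbers, an assumption of this example.
SEP = "[- *]"
CANDIDATE = re.compile(r"(?<!\d)\d{1,4}(?:" + SEP + r"+\d{1,4}){2,5}(?!\d)")
SEP_RUN = re.compile(SEP + "+")


def is_mangled(candidate: str) -> bool:
    """'Mangled' means some separator run is 2+ characters long or contains '*';
    single hyphens or spaces, as humans write them, are not flagged."""
    runs = SEP_RUN.findall(candidate)
    return any(len(run) >= 2 or "*" in run for run in runs)


def find_mangled_phones(text: str) -> List[str]:
    """Return every mangled phone-number-looking string in the text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 10 <= len(digits) <= 11 and is_mangled(m.group(0)):
            hits.append(m.group(0))
    return hits


# Rough SpamAssassin body-rule equivalent (no digit-count check, so noisier):
#   body     MANGLED_PHONE  /(?<!\d)\d{1,4}(?:[- *]+\d{1,4})*[- *]{2,}\d{1,4}(?:[- *]+\d{1,4})*(?!\d)/
#   describe MANGLED_PHONE  Phone number written with padded separators
#   score    MANGLED_PHONE  1.0

if __name__ == "__main__":
    print(find_mangled_phones("Call 1--314--414---4001 today, not 1-314-414-4001"))
```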






How do I use size of mail in a ruleset

2006-10-10 Thread Ramprasad
I want to use the size of the mail in a custom ruleset.
Can I get this as any parameter? Can someone please give me an example?



Thanks
Ram




Re: Mail server performance problems. Possible SA slow down?

2006-10-10 Thread Ramprasad
On Mon, 2006-10-09 at 11:43 -0400, Rob McEwen (PowerView Systems) wrote:
>> The last few weeks I have noted (angry users calling me by phone) that
>> the server is really slow.
>
> Don't know for sure, but I suspect slower than usual Razor and/or DCC servers?
>
> --Rob McEwen

I second that. Razor had been killing our servers too the last 4-5 days.
With no razor checks things are much better now.

I really want to run a local pyzord now.

Thanks
Ram



Re: Earthlink emails

2006-09-30 Thread Ramprasad
On Fri, 2006-09-29 at 11:20 -0400, Michel Vaillancourt wrote:
> Ramprasad wrote:
>> On Fri, 2006-09-29 at 08:12 -0400, Michel Vaillancourt wrote:
>>> Ramprasad wrote:
>>>> Why not SPF ??
>>> Over two thirds of the email I receive that is UCE/Spam has an
>>> SPF_PASS associated with it from SA.  All SPF seems to do is make the
>>> stupid spammers look more stupid.  The clever ones aren't affected.
>>
>> I have a script that automatically blocks SPF-pass domains sending spam
>> consistently. You could make good use of the SPF_PASS too.
>
> Care to share?  This would be very handy.

This is a perl script, part of a larger module, and not exactly worth
sharing. But the idea is very simple:

* A cron script on each machine parses the logs for SPF_PASS mails with SA
score above 15 and puts the messages' log lines in a file in the http area.

* The rbldns server wgets all files from the different servers and finds the
top sender domains who send spam.

* Delete all whitelisted domains from the list and those domains who are
also sending a lot of ham to correct ids (I get this from a mysql db
query to my reports db).

* Put the remaining into the rbldns blacklist and restart the rbldns
server for postfix to use these.

>>>> What is the point accepting the mail and the entire data and then
>>>> scanning for DK when It should have ideally been rejected after
>>>> mail from:
>>>
>>> That would be the exact point of DK at the Postfix/ MTA level.
>>
>> How. All the while I thought dkfilter helps me block after dataend ? Do
>> I have to RTFM again ?
>
> My mistake..  this one runs as a content filter.  The same author is
> working on a DKIM Proxy that would be your first point-of-contact and handle
> the mail from intercept.  I got confused.
>
>>>> So I let SA do the testing .. which catches the spams but eats resources
>>>> of my servers. When you receive 3-5 million mails a day you tend to
>>>> bother more about resources
>>>
>>> I would humbly submit to you that if you move that much traffic, you
>>> should be able to justify one more MX machine in the pool and implementing
>>> DK.
>>
>> We have 8 dual xeons already. for this much traffic. And servers are
>> always loaded with all kinds tests enabled in SA
>
> I'm curious... what is the RAM/ MHz spec of your machines?  5M mail/day
> is 7 mail per second per machine...  at a median 8 seconds mail handle time,
> that is 57 mail in the pipes at any one time...  50Mb for SA or anti-virus
> per message works to about 3Gb of RAM in use.  I can see your concern.
> However, again, I'd say that even two more machines in the pool would bring
> that down to ~2GB of RAM in use per machine, and that should give you the
> cycles and memory to run SPF queries as well as DK filters.

4GB RAM, 3GHz x 2 Xeon with HT.
But I think you too would know mail never comes uniformly at 7/s.
There are peak times when my mailservers touch 43k/hour while in the
nights they may be sleeping with the rest of us. And at peak times the
mail delay starts killing us. (That's exactly when I start sending 450
to bad domains.)

> I do understand the notion your boss might not be willing to put
> another $5K down to deal with the problem.  However, as anyone can attest
> to, good customer service costs money to provide.
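Added example (not the script from the post, which was Perl and is not shared) of the four-step pipeline described above: count SPF_PASS mails scored above 15 per sender domain, drop whitelisted domains and those with too much ham, and emit an rbldnsd data file. The log line format, the ham counts standing in for the reports database, the 20% ham cut-off and the rbldnsd dnset layout are all this example's assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed log format for this example (real MailScanner/SA lines differ):
#   "<host> SA: from=<user@domain> score=<n> rules=<RULE,RULE,...>"
LOG_RE = re.compile(
    r"from=<[^@>\s]+@(?P<dom>[^>\s]+)>\s+score=(?P<score>-?\d+(?:\.\d+)?)\s+rules=(?P<rules>\S+)")

SAMPLE_LOG = """\
mx1 SA: from=<promo@spammer.example> score=23.4 rules=SPF_PASS,BAYES_99,HTML_MESSAGE
mx2 SA: from=<deals@spammer.example> score=19.1 rules=SPF_PASS,BAYES_99
mx1 SA: from=<news@spammer.example> score=31.0 rules=SPF_PASS,URIBL_BLACK,BAYES_99
mx1 SA: from=<user1@bigmail.example> score=17.2 rules=SPF_PASS,BAYES_99
mx2 SA: from=<user2@bigmail.example> score=16.0 rules=SPF_PASS,BAYES_95
mx1 SA: from=<bob@partner.example> score=18.3 rules=SPF_PASS,BAYES_99
mx2 SA: from=<alice@partner.example> score=20.0 rules=SPF_PASS,BAYES_99
mx1 SA: from=<x@noisy.example> score=12.0 rules=SPF_PASS,BAYES_80
mx2 SA: from=<fake@spoof.example> score=30.0 rules=SPF_FAIL,BAYES_99
"""


def spf_pass_spam_counts(lines: Iterable[str], threshold: float = 15.0) -> Counter:
    """Step 1: per-domain count of SPF_PASS mails scored above the threshold."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        rules = m["rules"].split(",")
        if "SPF_PASS" in rules and float(m["score"]) > threshold:
            counts[m["dom"].lower()] += 1
    return counts


def _allowlisted(domain: str, allowlist: Set[str]) -> bool:
    return domain in allowlist or any(domain.endswith("." + a) for a in allowlist)


def blocklist_candidates(counts: Counter, allowlist: Set[str], ham_counts: Dict[str, int],
                         min_spam: int = 2, max_ham_ratio: float = 0.2) -> List[str]:
    """Steps 2-3: keep the top spam senders, drop allowlisted domains and those
    whose ham share (from the reports database) is too high to block safely."""
    keep = []
    for domain, spam in counts.most_common():
        if spam < min_spam or _allowlisted(domain, allowlist):
            continue
        ham = ham_counts.get(domain, 0)
        if ham / (ham + spam) > max_ham_ratio:
            continue
        keep.append(domain)
    return keep


def rbldnsd_dnset(domains: Iterable[str], text: str = "Sends spam with SPF_PASS") -> str:
    """Step 4: rbldnsd dnset-style data file (assumed layout): a default value
    line, then one listed domain per line."""
    body = "\n".join(sorted(domains))
    return f":127.0.0.2:{text}\n{body}\n"


# Constructed stand-ins for the whitelist and for the ham counts from the reports DB.
DEMO_ALLOWLIST = {"partner.example"}
DEMO_HAM = {"bigmail.example": 40, "spammer.example": 0}

if __name__ == "__main__":
    counts = spf_pass_spam_counts(SAMPLE_LOG.splitlines())
    print(rbldnsd_dnset(blocklist_candidates(counts, DEMO_ALLOWLIST, DEMO_HAM)))
```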
 



Re: Earthlink emails

2006-09-29 Thread Ramprasad
On Thu, 2006-09-28 at 19:11 -0700, jdow wrote:
> From: Ramprasad [EMAIL PROTECTED]
>
>> On Tue, 2006-09-26 at 21:28 -0700, jdow wrote:
>>> Before you blame Earthlink note that it has NOT gone through Earthlink
>>> servers.
>>>
>>> relay2.corp.good-sam.com is the receiving email server.
>>>
>>> It's a forged email, at a guess. (It also has mangled headers. Newlines
>>> are missing. MAYBE it would do better if you sent it plain text. HTML
>>> tends to mangle things.
>>> {^_^}
>>
>> Nobody would blame earthlink for the mail, but most of the spams to my
>> clients come from earthlink.net (sometimes as high as 20% of spams;
>> Yahoo comes in next with ~10%)
>
> How do you determine this? Is it by a legitimate domain keys tested
> Earthlink SMTP or does it simply say it came from Earthlink? I see
> a lot of mail that SAYS it came from Earthlink. But there is not a
> single Earthlink name in any of the Received headers. It's forged.

I am going by envelope from only. Obviously it can be forged.

>> I have written to them several times that their domain is being forged
>> heavily by spammers but they refuse to take any action
>
> Explain how they can take any action? How can Earthlink stop it? They
> do sue in particularly blatant cases. But if it's some other ISP with
> a user forging Earthlink names what on Earth do you expect Earthlink
> to do?
>
>> Apparently they have removed SPF records after publishing them once.
>> That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids
>> whenever there is a spam attack on my servers
>
> They went to domain keys. It seems to be better for the Earthlink
> situation.
> {^_^}

Why not SPF??
DK is a resource HOG. And I can't do that easily in postfix (I know you
will point to dk-milter).

What is the point accepting the mail and the entire data and then
scanning for DK when it should have ideally been rejected after
mail from:

So I let SA do the testing .. which catches the spams but eats resources
of my servers. When you receive 3-5 million mails a day you tend to
bother more about resources.

Thanks
Ram






Re: Earthlink emails

2006-09-29 Thread Ramprasad
On Thu, 2006-09-28 at 11:05 -0700, Loren Wilton wrote:
>> Apparently they have removed SPF records after publishing them once.
>> Thats a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink ids
>> whenever there is a spam attack on my servers
>
> SPF can be a pain for a number of reasons that have been discussed
> endlessly.  I suspect Dirtlink found them to be effectively useless.
>
> Why not try using domainkeys instead?
>
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>   s=dk20050327; d=earthlink.net;
>   b=FB4IOaniCvpDwkx5cYm2jFWe8LB9zRfxL9FHzbhv1JHyGSVrA0o4mttb3jjbU4C3;
>   h=Message-ID:Date:From:Reply-To:To:Subject:Cc:Mime-Version:Content-Type:Content-Transfer-Encoding:X-Mailer:X-ELNK-Trace:X-Originating-IP;
>
> Loren

Darn,
I don't want to again get into SPF debates.

Assume I am using domain keys and catching all spams forged from
earthlink; still I am scanning the mails.

Anyway that is already happening today. SA is catching spams from
earthlink (forged?) but when you scan a huge number of mails you would
like to be able to reject forged mails straight after mail from:.
That is what SPF lets you do and that works.

No wonder a lot of spammers have stopped forging hotmail or msn,
because most of those mails don't even get through the MTA. And a majority
of the forged spams I still get is from earthlink or yahoo.

Thanks
Ram




Re: Earthlink emails

2006-09-29 Thread Ramprasad
On Fri, 2006-09-29 at 08:12 -0400, Michel Vaillancourt wrote:
 Ramprasad wrote:
  
  Why not SPF ??
 
   Over two thirds of the email I receive that is UCE/Spam has an 
 SPF_PASS associated with it from SA.  All SPF seems to do is make the 
 stupid spammers look more stupid.  The clever ones aren't affected.
 
I have a script that automatically blocks SPF-pass domains sending spam
consistently. you could make good use of the SPF_PASS too. 


  DK is a resource HOG. And I cant do that easily in postfix ,( I know you
  will point to dk-milter )
  
   http://jason.long.name/dkfilter/   ...  Postfix specific implementation 
 using the Sourceforge/ OpenSource adoptation of the DK standards.
 
  What is the point accepting the mail and the entire data and then
  scanning for DK when It should have ideally been rejected after 
  mail from:
  
 
   That would be the exact point of DK at the Postfix/ MTA level.
 

How. All the while I thought dkfilter helps me block after dataend ? Do
I have to RTFM again ? 




  So I let SA do the testing .. which catches the spams but eats resources
  of my servers. When you receive 3-5 million mails a day you tend to
  bother more about resources
  
   I would humbly submit to you that if you move that much traffic, you 
 should be able to justify one more MX machine in the pool and implementing DK.
 
We have 8 dual Xeons already for this much traffic, and the servers are
always loaded with all kinds of tests enabled in SA.


  Thanks
  Ram
  
   Another point here is that SPF and DK are NOT mutually exclusive 
 technologies.  If a thirty-customer/ 10k message-a-day shop like me can 
 implement both, I am sure that a Big Shop like yours can.
 



Re: Earthlink emails

2006-09-28 Thread Ramprasad
On Tue, 2006-09-26 at 21:28 -0700, jdow wrote:
 Before you blame Earthlink note that it has NOT gone through Earthlink
 servers.
 
 relay2.corp.good-sam.com is the receiving email server.
 
 It's a forged email, at a guess. (It also has mangled headers. Newlines
 are missing. MAYBE it would do better if you sent it plain text. HTML
 tends to mangle things.
 {^_^}

Nobody would blame earthlink for the mail, but most of the spams to my
clients come from earthlink.net (sometimes as high as 20% of spams;
Yahoo comes in next with ~10%).

I have written to them several times that their domain is being forged
heavily by spammers, but they refuse to take any action.

Apparently they have removed their SPF records after publishing them once.
That's a stupid idea IMHO. Today I am forced to TEMP FAIL earthlink IDs
whenever there is a spam attack on my servers.


Thanks
Ram



running a local fingerprinting server

2006-09-18 Thread Ramprasad
Hi,
  We scan a huge number of mails (up to 150k an hour) on our load
balanced array of servers.
I was thinking of running a local fingerprinting server like pyzord.
  Is the pyzor project still alive? I haven't seen any updates for
quite some time.
And are there any issues integrating pyzor with SA?


Thanks
Ram





spamassassin --lint just hangs

2006-09-13 Thread Ramprasad
I find that 
spamassassin -D --lint sometimes just hangs.

the output goes 
.
..
[28316] dbg: bayes: tie-ing to DB file
R/W /var/spool/MailScanner/spamassassin/bayes_toks
[28316] dbg: bayes: tie-ing to DB file
R/W /var/spool/MailScanner/spamassassin/bayes_seen
[28316] dbg: bayes: found bayes db version 3
[28316] dbg: locker: refresh_lock:
refresh /var/spool/MailScanner/spamassassin/bayes.mutex

(That's it; here it waits forever.)

I have got a busy system and a bayes_toks file of 32MB.
I tried to strace the pid of the process and could see lots of
pread/pwrite.

Any idea what's going on?

Thanks
Ram




Another pointless spam

2006-09-04 Thread Ramprasad
Hi,
 All the LARGO tests and our own custom rules notwithstanding, some
image spams still get through.
But spams like these are absolutely pointless.
http://ecm.netcore.co.in/tmp/buildup.eml.txt

I don't get any message from this spam, at least on my evolution client.
I doubt if this is some spam-for-outlook-only.

What is the message the stupid spammer is trying to get across?


Thanks
Ram



Re: Another pointless spam

2006-09-04 Thread Ramprasad
On Mon, 2006-09-04 at 13:06 +, Duane Hill wrote:
 On Monday, September 4, 2006 at 6:13:50 AM, Ramprasad confabulated:
 
  Hi,
   All the LARGO tests and our own custom rules notwithstanding, some
  image spams still get through.
  But spams like these are absolutely pointless.
  http://ecm.netcore.co.in/tmp/buildup.eml.txt
 
  I don't get any message from this spam, at least on my evolution client.
  I doubt if this is some spam-for-outlook-only.
 
  What is the message the stupid spammer is trying to get across?
 
  Thanks
  Ram
 
 That message would have been trapped on our server:
 
 X-Spam-Status: Hits:6.2 Tests:EXTRA_MPART_TYPE,HTML_MESSAGE,SARE_GIF_ATTACH,
 TVD_FW_GRAPHIC_ID1,TVD_FW_GRAPHIC_NAME_LONG
 
 It is a stock Spam with the stock contained within the GIF image.
 
 


What are these TVD_FW* rules?

Thanks
Ram



Re: Strange SPF problem/wrong result

2006-09-01 Thread Ramprasad
 
  Return-Path: [EMAIL PROTECTED]
  Received: from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200])
  by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
  k7T8rU6P012050;
  Tue, 29 Aug 2006 10:53:30 +0200
  Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com
  [213.199.128.139])
  by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id
  k7T8rT98004989;
  Tue, 29 Aug 2006 10:53:29 +0200 (CEST)

snip
 This is no real forwarding, but all mail for us gets received by that
 server first, and this server passes it to us. This is a common
 structure for a bigger mail setup. The trusted_networks option solved
 my problems, but it should definitely be included in the wiki somewhere.
 Maybe we should add a note about trusted_networks being important for
 SPF in the install manual where SPF installation is explained
snip

If 134.96.254.200 is accepting mails for you, then you must do all SPF
checks on that host. SPF checks don't work unless you do the checks on
the receiving host.


Thanks
Ram



Rule to trap unqualified image names

2006-08-21 Thread Ramprasad
I need to trap images that are not given full names,
something like this:


-=_NextPart_000_00EB_01C5061E.42C54EA0
Content-Type: image/gif; name=zpalaver
Content-Transfer-Encoding: base64
Content-ID: [EMAIL PROTECTED]




The name should have been zpalaver.gif but the extension is deliberately
omitted. Can someone help me with a regex for images without \.(?:gif|
png|jpg) extensions?


Thanks
Ram



Re: Using a ramdisk

2006-08-09 Thread Ramprasad
On Wed, 2006-08-09 at 10:27 +0200, Bjorn Jensen wrote:
 Can spamassassin benefit in any way from a ramdisk ?
 The server we have for spamassassin, has 3 gigs of ram, and spamd 
 doesn't even use 1 gig of that, so I thought perhaps it would speed 
 things up if I could place something on a ramdisk. But this leads to the 
 question, does spamassassin do any disk intensive things ?
 I'm running that gocr image scanning as well, could this benefit from 
 it, or is it the network lookups that are the slow part in any case ?
 Currently a mail is processed in about 1.5 - 6 seconds
 
 regards,
 Bjorn Jensen
 

Can you get your MTA to write to the ramdisk while it is queueing/scanning
the mail? That is where you will get most of your speed. But this may
not always be a safe option.

Typically, using scanners like MailScanner, you could do the actual mail
scanning when the mail is on the ramdisk. That gives you a good
performance benefit.
http://www.mailscanner.info/serve/cache/120.html

Thanks
Ram



Image spam with inline jpeg image

2006-08-09 Thread Ramprasad

  All my rulesets and the LARGO rules are for catching inline png and
inline gif. Now I am getting stock spams with

images like:

--=_NextPart_001_000C_01C6BBE8.11C02650--

--=_NextPart_000_000B_01C6BBE8.11BB4450
Content-Type: image/jpeg; name=militarism.jpg
Content-Transfer-Encoding: base64
Content-ID: ICRPXHAOOE




Thanks
Ram
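
The 2006-08-21 post above ("Rule to trap unqualified image names") and this one both come down to inspecting the MIME headers of image parts rather than the body text. As an added example that is not part of the original posts, the Python below parses a constructed message modelled on the quoted fragments and flags three things a practitioner would score on: an image part whose name carries no extension, a name extension that contradicts the declared Content-Type, and a Content-ID that is not the <addr-spec> form RFC 2392 requires. The message, names and rule names are assumptions; in SpamAssassin 3.1 the same checks would be written as mimeheader rules (MIMEHeader plugin) against Content-Type and Content-ID.

```python
import email
import re
from email import policy

IMAGE_EXT = re.compile(r"\.(gif|png|jpe?g)$", re.I)
CONTENT_ID = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")   # RFC 2392: "<" addr-spec ">"

# Constructed message modelled on the MIME fragments quoted in the two posts;
# it is not the original spam and the addresses are placeholders.
SAMPLE = b"""From: someone@example.invalid
To: you@example.invalid
Subject: constructed image-spam sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:img1@example.invalid"></body></html>
--B1
Content-Type: image/gif; name=zpalaver
Content-Transfer-Encoding: base64
Content-ID: <img1@example.invalid>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--B1
Content-Type: image/jpeg; name=militarism.jpg
Content-Transfer-Encoding: base64
Content-ID: ICRPXHAOOE

/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0a
--B1
Content-Type: image/png; name=photo.gif
Content-Transfer-Encoding: base64
Content-ID: <img3@example.invalid>

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==
--B1--
"""


def image_part_findings(raw):
    """Walk every image/* part and return (content-type, name, [tags]) per part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        # Content-Disposition filename if present, else the Content-Type name= parameter
        name = part.get_filename() or ""
        tags = []
        m = IMAGE_EXT.search(name)
        if m is None:
            tags.append("IMAGE_NAME_NO_EXT")       # "name=zpalaver": extension deliberately dropped
        else:
            ext = m.group(1).lower().replace("jpeg", "jpg")
            declared = part.get_content_subtype().lower().replace("jpeg", "jpg")
            if ext != declared:
                tags.append("IMAGE_EXT_MISMATCH")  # name says .gif, header says image/png
        cid = str(part.get("Content-ID", ""))
        if cid and not CONTENT_ID.match(cid):
            tags.append("IMAGE_CID_MALFORMED")     # bare token such as "ICRPXHAOOE" instead of <id@host>
        findings.append((part.get_content_type(), name, tags))
    return findings


def suspicious_image_count(raw):
    """Number of image parts that triggered at least one of the checks."""
    return sum(1 for _, _, tags in image_part_findings(raw) if tags)


if __name__ == "__main__":
    for ctype, name, tags in image_part_findings(SAMPLE):
        print(f"{ctype:12} {name:16} {','.join(tags) or '-'}")
```

Each tag on its own is weak evidence (legitimate mailers do drop extensions occasionally), so in a live ruleset these belong in low-scoring subrules combined with the existing inline-image and stock-symbol checks rather than as a single high score.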



Re: Image spam with inline jpeg image

2006-08-09 Thread Ramprasad

 http://www.rulesemporium.com/plugins.htm#imageinfo
 
 Updates:
 - added optimization changes by Theo Van Dinter
 - added jpeg support
 - added function image_named()
 - added function image_size_exact()
 - added function image_size_range()
 - added function image_to_text_ratio()
 
 
 - dhawal

Thanks. I have updated my servers.

But still this mail is getting through:
http://ecm.netcore.co.in/tmp/imagespam.txt



Thanks
Ram




Re: Image spams getting thru

2006-08-01 Thread Ramprasad
  How about sending 450 Please Try later to every mail with an inline
image and then somehow verify if it really comes back. (Obviously not my
original idea :-) )

How many spams would really come back? Max 20%, those which are routed
through zombies.

Thanks
Ram



Re: Image spams getting thru

2006-07-31 Thread Ramprasad
On Sat, 2006-07-29 at 18:22 +, [EMAIL PROTECTED] wrote:
  Does DCC, RAZOR, PYZOR, or any other signature algorithms work with
  the image spams?  It's not apparent from reading the man pages.  It
  seems to me that one could compare the signatures of attachments instead
  of the whole e-mail and provide additional detection.
  
  Thanks,
  
  Tim
  
 Hi Tim,
 
 it seems to be fairly easy to modify images programmatically in ways that 
 change checksums
 but not appearance ... so this would just block less sophisticated spammers 
 anyway
 
 Wolfgang Hamann
 

So if the spammer keeps generating different images for every spam mail,
then DCC, RAZOR etc. would be useless, right?


Thanks
Ram



Re: SPF breaks email forwarding

2006-07-28 Thread Ramprasad
On Thu, 2006-07-27 at 14:35 -0700, John D. Hardin wrote:
 On Thu, 27 Jul 2006, Hamish wrote:
 
  Forwarding should (IMO) be implemented in such a way as the
  FORWARDING mailbox should be used as the new return-path (Just
  like if you forwarded an email from your MUA rather than with the
  MDA). Then both SPF and forwarding would work fine. And
  furthermore be consistent.
 
 ...and lead to a mail loop if the forward-to address starts bouncing
 messages for some reason...

And how does not implementing SRS solve the mail loop problem?





Image spams getting thru

2006-07-28 Thread Ramprasad
I am suddenly facing a lot of image spams from a pretty efficient
spammer now. The IPs he is using are not listed anywhere.

All spams advertise stocks of HLUN.PK. Am I alone facing this problem?
Also I found that the From header in all mails is a typical repeated
string,

Like these 

From: Rory [mailto:[EMAIL PROTECTED]
From: Barbra [mailto:[EMAIL PROTECTED]
From: Ada [mailto:[EMAIL PROTECTED]
From: Hattie [mailto:[EMAIL PROTECTED]
From: Stacy [mailto:[EMAIL PROTECTED]
From: Lynne [mailto:[EMAIL PROTECTED]
From: Juliet [mailto:[EMAIL PROTECTED]
From: Genevieve [mailto:[EMAIL PROTECTED]
From: Aisha [mailto:[EMAIL PROTECTED]
From: Monique [mailto:[EMAIL PROTECTED]
From: Kirsten [mailto:[EMAIL PROTECTED]
From: Pablo [mailto:[EMAIL PROTECTED]
From: Sadie [mailto:[EMAIL PROTECTED]


Can I write a ruleset to hit these Froms?


Thanks
Ram




Re: Image spams getting thru

2006-07-28 Thread Ramprasad
Oops, they were single From headers, but from different mails.

On Fri, 2006-07-28 at 16:50 +0200, Benny Pedersen wrote:
 On Fri, July 28, 2006 13:14, Ramprasad wrote:
  From: Rory [mailto:[EMAIL PROTECTED]
  From: Barbra [mailto:[EMAIL PROTECTED]
 
  Can I write a ruleset to hit these froms
 
 yes
 
 attached a rule for this
 
 -- 
 Benny



bottleneck analysis on spamassassin

2006-07-26 Thread Ramprasad
Hi,
  Spamassassin has so many dependencies on various external factors
like network, disk IO, RAM etc.
If I want to analyse the performance on my SA box, how do I find out
what the bottlenecks are?
I am using spamassassin as a module in Mailscanner on CentOS.
Is there any tool by which I can analyze the bottlenecks of my system?

Thanks
Ram



RE: bottleneck analysis on spamassassin

2006-07-26 Thread Ramprasad

 I can tell you right now, its either Net tests or poorly written
 rules. Otherwise SA runs pretty darn good. 
 

Darn good is how good?
On a Dual Xeon with 4GB RAM, can SA scan 30k mails per hour?
Today at 15k the machine starts signalling problems; 20k is the max it
can do, beyond which there are unacceptable delays.

 Spammassassin -D --lint  some_test_email
 
How do I know what percentage of time is taken by individual tests?

Thanks
Ram



Re: New DNS Black list, White List, Yellow List

2006-07-24 Thread Ramprasad

 
 An ISP would never be whitelisted anyhow. Whitelisting is for things
 like banks and other institutions and organizations that produce no
 spam. Yellowlisting is for ISPs so that they don't accidentally get
 blacklisted. SPF is useless because few are using it due to the fact
 that it just doesn't work.

I too agree with your idea that we should start looking for ham in mails
rather than looking for spam. This approach would help us tackle spam
much more aggressively.

But IMHO SPF works great and is much cleaner.

 A lot of banks/legitimate bulk email senders change their relay
server. Many reasons for that. The most common is that they use a third
party to relay their mails, and these would keep changing.

You would have to delist your whitelisted IP before some spammer gets
those. And since the whitelist is exposed, there is a greater potential
for abuse here.



Thanks
Ram




Re: SPF breaks email forwarding

2006-07-24 Thread Ramprasad
 Except = SPF breaks email forwarding. It requires that the world
 change how email is forwarded and that's not going to happen. Thus if
 a bank has a hard fail and someone with an account on my server gets
 email from an account that is forwarded then my server sees the email
 as coming from an illegitimate source.
 

I know this is a troll subject.

Yes, SPF breaks email forwarding; so does PTR checking (which never was
a great idea IMHO). Every technique has some drawbacks. SPF has some
but is still better than the rest.
When you want to add security to an inherently insecure medium, you can't say
"I will not change my servers".
You want to put a .forward and receive mails from banks? Get your mail
admin to use SRS. What is unreasonable in that?

Thanks
Ram
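
SRS, which this post and the 2006-07-28 reply above both point to as the fix for forwarding under SPF, rewrites the envelope sender to an address in the forwarder's own domain so the next hop's SPF check is made against the forwarder's record, and bounces are routed back through the forwarder to the original sender. As an added example that is not part of the original posts or of any SRS library, the Python below implements the SRS0 form: SRS0=HHHH=TT=original-domain=original-local@forwarder, where TT is a two-character base32 day stamp and HHHH the first four base64 characters of an HMAC-SHA1 over stamp, domain and local part. The secret, domains, day numbers and the 21-day validity window are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import re
import time

# Alphabet for the two-character day stamp (base32, as used by SRS)
SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# How long a rewritten address stays valid for bounces; an assumed value for this
# example, to be tuned to the bounce latency you actually see
MAX_AGE_DAYS = 21
SRS0_RE = re.compile(r"^SRS0=([^=]{4})=([A-Z2-7]{2})=([^=]+)=(.+)@([^@]+)$", re.I)


def _day_stamp(days):
    days %= 1024                       # 10 bits: 5 bits per base32 character
    return SRS_BASE32[days >> 5] + SRS_BASE32[days & 31]


def _day_from_stamp(stamp):
    return (SRS_BASE32.index(stamp[0]) << 5) | SRS_BASE32.index(stamp[1])


def _tag(secret, stamp, domain, local):
    # HMAC-SHA1 over the lower-cased stamp, domain and local part; base64; first 4 chars
    data = (stamp + domain + local).lower().encode()
    mac = hmac.new(secret.encode(), data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender, forwarder, secret, days=None):
    """Rewrite the envelope sender of a message we are about to forward.

    The result lives in our own domain, so the receiving MX checks SPF against
    our record, and any bounce comes back to us instead of to the original sender."""
    if not sender or sender.upper().startswith(("SRS0=", "SRS1=")):
        return sender                  # null sender (a bounce) or already rewritten; SRS1 re-wrap not modelled
    if days is None:
        days = int(time.time() // 86400)
    local, _, domain = sender.rpartition("@")
    stamp = _day_stamp(days)
    return f"SRS0={_tag(secret, stamp, domain, local)}={stamp}={domain}={local}@{forwarder}"


def srs_reverse(address, secret, days=None):
    """Check an SRS0 recipient on an incoming bounce; return the original sender or None.

    Both checks matter: without the HMAC anyone could craft SRS0 recipients and use
    us as a bounce relay to arbitrary addresses, and without the age check a
    captured address could be replayed indefinitely."""
    if days is None:
        days = int(time.time() // 86400)
    m = SRS0_RE.match(address)
    if m is None:
        return None
    tag, stamp, domain, local, _forwarder = m.groups()
    stamp = stamp.upper()
    expected = _tag(secret, stamp, domain, local)
    if not hmac.compare_digest(tag.lower(), expected.lower()):
        return None
    if (days - _day_from_stamp(stamp)) % 1024 > MAX_AGE_DAYS:
        return None
    return f"{local}@{domain}"


if __name__ == "__main__":
    rewritten = srs_forward("alice@bank.example", "forwarder.example", "s3cret")
    print(rewritten)
    print(srs_reverse(rewritten, "s3cret"))
```

The forwarder applies srs_forward at MAIL FROM time on outbound forwards and srs_reverse on RCPT TO for anything addressed to SRS0=... in its own domain; mail that fails srs_reverse should be rejected at RCPT time, not accepted and bounced, or the forwarder becomes the backscatter source it was trying to avoid.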



Rule for mail contains bad email ids

2006-07-21 Thread Ramprasad
There are now a few spams passing through with plain email IDs (not mailto
links).

There is nothing else in the mail that can be caught. How can I check
such IDs?

Should I do a body check after all?
Thanks
Ram


Sample spam mail 

---
I have a new email address!
You can now email me at: [EMAIL PROTECTED]

Sir/MA 


I am Abbott Hayes Iam contacting you on business transaction of US$23M 

into a safe AC

- abbott hayes

--





Re: Whitelist_subject and Blacklist_Subject

2006-07-19 Thread Ramprasad
On Mon, 2006-07-17 at 14:04 -0300, Claudia Burman wrote:
 I've googled and I searched the list archives but I can't find 
 information on this.
 How do you use the whitelist subject and the blacklist subject plugin?
 Where do yo write the blacklist or the whitelist?
 
 Thanks
 Claudia Burman
 El Bolsón, Patagonia Argentina

http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_WhiteListSubject.html

Just put in your local.cf (or wherever you want to):


whitelist_subject good subject
blacklist_subject spammy subject

Assuming you have the subject module loaded in SA

Thanks
Ram





rsync.njabl.org not working

2006-07-17 Thread Ramprasad
Can someone give me alternate mirrors where I can download njabl lists
from?
rsync.njabl.org is timing out even before connecting.


Thanks
Ram



Re: AW: Network tests slowing down spamassassin

2006-07-14 Thread Ramprasad

 Hi,
 i think the best way to reduce the network traffic regarding to the network
 test is to do all network test locally.
 we are serving many list locally. For example spamhaus (commercial
 agreement),spamcop (one time fee), njabl, sorbs , cbl.abuseat, dsbl (all
 free).  We are using a rbldnsd to serve all local lists. 

Thanks for the info
We are already using local lists from spamhaus. spamcop at $1000/year is
unreasonable. I will try njabl, cbl and DSBL. Can you tell me where I
get lists from SORBS? I couldn't get anything on their site.


Thanks
Ram



mangled uris

2006-07-12 Thread Ramprasad
Spamassassin works pretty great for me, but some spammers keep
upgrading. Some of my clients are still getting stupid spams through.

I think this was discussed before: how do I catch spam with mangled urls?
Sorry if this is a repeat.

Something like 

--
visit 
http://somespammmersite. com  ... delet the space befre the com
-

I don't know if the spammer will ever get any customer to really delete
the space and go to the url he intends.

 I don't understand the business sense behind this spam. It's a lose-
lose game. The spammer never gets anyone to click (who would click a
broken url, fix it and click again?), the site owner never gets hits,
the spam filter guy gets more headaches and the end user has to delete
one more mail.



Thanks
Ram





72_sare_redirect_post3.0.0.cf not catching google redirects

2006-06-30 Thread Ramprasad
I have the redirect cf on (I can see it in sa --lint),
but this url goes through clean (see below).
  Do I have to do anything besides enabling the CF in RDJ to get it
working?

BTW I am using SA 3.1.0 on linux.
Thanks
Ram




..
Mathew told me to shoot you an email about the store I tried to get my
goodies at.  I had to look through my safari but i finally saw it at 
http://www.google.com/url?q=http://tawdg.meetorseelogonandse.org/hy/

make in is I wouldnt members ripping thought make away at as any I the
pressedmoney 





Re: how do i integrate SPF In ...

2006-06-27 Thread Ramprasad
On Fri, 2006-06-23 at 11:48 -0400, Screaming Eagle wrote:
 how about those test that does not have plugins, e.g:
 20_drugs.cf and 20_fake_helo_tests.cf, how do you include this in your
 spamasassin?
 
 Thanks.

You must have found that by now: put any file with a name matching *.cf
in /etc/mail/spamassassin (YMMV) and it is included.

Thanks
Ram




Re: how do i integrate SPF In ...

2006-06-23 Thread Ramprasad
On Fri, 2006-06-23 at 00:51 -0400, Screaming Eagle wrote:
 how do I integrate SPF in /usr/share/spamassassin/25_spf.cf  into
 /etc/mail/spamassassin/local.cf?  The content of 25_spf.cf  directed
 me to Mail::Spamassassin::Conf, after reading it, I am still not clear
 on how to configure spf?
 
 Thanks.
Just see to it that you have this line
in /etc/mail/spamassassin/init.pre unhashed:

loadplugin Mail::SpamAssassin::Plugin::SPF

That should work then, as long as your MTA is inserting X-Envelope-From
headers properly.


Thanks
Ram



sudden deluge of university spams

2006-06-22 Thread Ramprasad
Hi,
  My servers are suddenly facing a deluge of university spams. All that
"get gen uine de grees from pr estigious univers ities" type.

These mails have no urls or email addresses, just some phone numbers to
call back. And the spammers are using some virgin routes, so they don't
hit the RCVD_IN_* rules either.

For now I have written my own rulesets to catch these mangled words,
but I am surprised there aren't rules in SARE etc. to catch such words
already.

If anyone has a better idea please let me know.

Thanks
Ram




RE: sudden deluge of university spams

2006-06-22 Thread Ramprasad

 There's a reason. The amount of permutations is ridiculous. But SARE
 has Evilnumbers which catches these. 

Is the Evilnumbers ruleset not too heavy?

But the numbers are also mangled,
e.g.
1-22-33 could be written in numerous ways just by adding spaces in between
randomly.
I am doing a regex match something like
/1 *- *2 *2 *- *3 *3 */

Any inputs ? 

Thanks
Ram
 





RE: sudden deluge of university spams

2006-06-22 Thread Ramprasad
  I am doing regex match something like
  /1 *- *2 *2 *- *3 *3 */
 
  Any inputs ?
 
 Yes, as SA collapses multiple spaces down to a single space (in 'body'
 tests), you only need to look for a single instance of the space,
 not an unlimited number. Also you can omit that final ' *' as it's
 an optional tail match, thus the rule will work without it.
 
 IE:
   /1 ?- ?2 ?2 ?- ?3/

Wow, SA is doing a lot of work already. Can I also have a collapsed body
string with all whitespace removed,
so I could do

collapsedbody BADNUMBER /1-22-33/
score BADNUMBER 10

I think this will also help get rid of the
"genu ine   uni versity  degre es"


Thanks
Ram




Re: The Future of Email is SQL

2006-06-15 Thread Ramprasad
On Wed, 2006-06-14 at 11:50 -0700, Steve Thomas wrote:
  So - like I said - this is visionary stuff. Think SQL - think outside
  the box.
 
 It's not all that visionary. Microsoft's been working on WinFS - a SQL
 based system for storing files - for years. It's supposed to have been
 released as a part of longhorn (vista), but they're pushing it back.

   Oracle has OCS, which consists of a
mail/calendar/ldap/fileserver/webserver/... blah blah, all with SQL
storage. And the database is... no points for guessing that.
But OCS is a terrible resource HOG (understatement). I don't think there
are many users for OCS.

IMHO SQL storage is definitely going to be there.
The common indexing mechanism is what makes such storage interesting. I
agree it is slow now, but hardware and software will get better; then
resources will not be an issue.

Ram



Best use of caching DNS servers

2006-06-07 Thread Ramprasad
We have an array of 8 load balanced linux boxes running Spamassassin
with peak traffic up to 20k mails per hour per server.

How do I make optimum use of DNS caching? Currently I am using bind as a
caching DNS server on each machine. Would it be better if I had a central
DNS server? That way the DNS cache hit rate will increase dramatically, but
it could also bog the DNS server down with too many requests.
Also, which is the best caching nameserver I can use on linux?


Thanks
Ram



Re: Best use of caching DNS servers

2006-06-07 Thread Ramprasad

 As you suggest, you will get higher cache hit rates with a
 centralized server, at the cost of some LAN traffic.  But a
 few million DNS queries per day over a LAN is probably
 insignificant.
 
 Given that the BL zone files are pretty large, I'd recommend a
 centralized server running rbldnsd.  That way you're not using up
 a lot of memory for BLs across many boxes.  rbldnsd is so efficient
 that you could probably just pick some existing server that has
 enough memory and choose it to be your rbldnsd server.  You don't
 need a new box; any old server with enough memory will work.

Will rbldnsd be efficient when I am using DNS forwarding for some zones?
For e.g. we have a local nameserver serving zones like sbl-
xbl.spamhaus.org. (This local nameserver is actually an rbldnsd server
running on port 530.)

Thanks
Ram




Re: Whitelist_from clarification

2006-06-07 Thread Ramprasad
On Wed, 2006-06-07 at 07:03 -0600, James Lay wrote:
 Hey all!
 
 Soomail from myspace has been getting tagged as spam...been trying
 to halt that on a domain basis.  Here's what I've tried (and seen
 online):
 
 .*myspace.com
 @myspace.com
 *myspace.com
 [EMAIL PROTECTED]
 
 Can someone tell me which is the correct format?  Thanks!
 
 James

Oops
Now spammers know how to spam you, just forge the from address. 

:-)





Re: Anyone using MyDNS to create private dsn rbl lists?

2006-06-02 Thread Ramprasad
On Thu, 2006-06-01 at 19:52 -0700, Marc Perkel wrote:
 I'm thinking about using MyDNS to create my own DNS blacklist. I'm 
 thinking I'll make it available to everyone to list IPs that are not on 
 other lists. Mostly virus infected zombies and such.
 
 So - has anyone else done this? Looking for some pointers. I'm running 
 Exim and wanting to have Exim add IP addresses to the list. I'm also 
 thinking about adding another field that will have an expiration date 
 for the record so as to self clean the list.
 
 But - I don't want to reinvent everything so if someone is doing this I 
 can use some help. Will share the results.
 
 Thanks in advance.
 


I have been using rbldnsd without any problems. Only that it does not
have an expire option.

Thanks
Ram



 Marc Perkel
 Junk Email Filter dot com
 



SPF whitelisting from id for all sub domains

2006-05-09 Thread Ramprasad
Hi,
  I am using spamassassin with postfix on Linux. I am using
def_whitelist_from_spf rules for whitelisting popular newsletter mails.

Some domains send mails with the from id as a subdomain of the main domain,
for eg
[EMAIL PROTECTED]

How do I whitelist such ids (the subdomain does not have an SPF
record)?


Thanks
Ram




Re: whitelist_from_spf is not working

2006-05-03 Thread Ramprasad
Matt,
  Thanks for helping. Got whitelist_from_spf working (with some help
from postfix guys).

I had to do the following in postfix.
In file /etc/postfix/main.cf:
smtpd_data_restrictions = reject_unauth_pipelining,
check_sender_access 
regexp:/etc/postfix/add_x_envelope_from,
permit


That file contains:
 /^$/ PREPEND X-Envelope-From: 
 /^(.*)$/  PREPEND X-Envelope-From: $1


Now it works great

Thanks
Ram






whitelist_from_spf is not working

2006-05-02 Thread Ramprasad
Hi,
  I am using SA 3.1.1 as a module in MailScanner.
I am not able to get whitelist_from_spf working.

In my local.cf I have

ifplugin Mail::SpamAssassin::Plugin::SPF
  whitelist_from_spf [EMAIL PROTECTED]
endif

A mail from an SPF-allowed IP is scored SPF_HELO_PASS (evidently SPF
checks are working), but no USER_IN_SPF_WHITELIST.

Why? Do I have to do anything else?

Thanks
Ram



Re: whitelist_from_spf is not working

2006-05-02 Thread Ramprasad
On Tue, 2006-05-02 at 10:12 -0400, Matt Kettler wrote:
 Ramprasad wrote:
  Hi,
I am using SA 3.1.1 as a module in  MailScanner.
  I am not able to get whitelist_from_spf  working. 
 
  In my local.cf I have 
 
  ifplugin Mail::SpamAssassin::Plugin::SPF
whitelist_from_spf [EMAIL PROTECTED]
  endif
 
  A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
  checks are working ), but no USER_IN_SPF_WHITELIST 
 
  why, do I have to do anything else ??

 You need to have a SPF_PASS, not a SPF_HELO_PASS.
 
 SPF_HELO_PASS means the claimed hostname in the HELO sent to the server
 would pass SPF.
 
 SPF_PASS means the actual host (based on IP address) passed SPF.
 
 Only the second one is any kind of real pass. The first one can be
 trivially forged, and unless it fires with SPF_PASS, you may as well
 consider the email forged.
 
 Check your SPF records and your Received: headers more closely,
 apparently there's something preventing SPF from matching here.


Sorry,
  I am quite lost. How do I debug this?
Is there a way I can check if the SPF records are working?



Re: whitelist_from_spf is not working

2006-05-02 Thread Ramprasad
On Tue, 2006-05-02 at 10:12 -0400, Matt Kettler wrote:
 Ramprasad wrote:
  Hi,
I am using SA 3.1.1 as a module in  MailScanner.
  I am not able to get whitelist_from_spf  working. 
 
  In my local.cf I have 
 
  ifplugin Mail::SpamAssassin::Plugin::SPF
whitelist_from_spf [EMAIL PROTECTED]
  endif
 
  A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
  checks are working ), but no USER_IN_SPF_WHITELIST 
 
  why, do I have to do anything else ??

 You need to have a SPF_PASS, not a SPF_HELO_PASS.
 
 SPF_HELO_PASS means the claimed hostname in the HELO sent to the server
 would pass SPF.
 
 SPF_PASS means the actual host (based on IP address) passed SPF.
 
 Only the second one is any kind of real pass. The first one can be
 trivially forged, and unless it fires with SPF_PASS, you may as well
 consider the email forged.
 
 Check your SPF records and your Received: headers more closely,
 apparently there's something preventing SPF from matching here.


Oh, I can see this:
'[29194] dbg: spf: cannot get Envelope-From, cannot use SPF'

What is the envelope-from header I must use with postfix?

Thanks
Ram




Re: whitelist_from_spf is not working

2006-05-02 Thread Ramprasad
On Tue, 2006-05-02 at 10:18 -0400, Matt Kettler wrote:
 Ramprasad wrote:
  Hi,
I am using SA 3.1.1 as a module in  MailScanner.
  I am not able to get whitelist_from_spf  working. 
 
  In my local.cf I have 
 
  ifplugin Mail::SpamAssassin::Plugin::SPF
whitelist_from_spf [EMAIL PROTECTED]
  endif
 
  A mail from a SPF allowed IP is scored SPF_HELO_PASS ( evidently spf
  checks are working ), but no USER_IN_SPF_WHITELIST 
 
  why, do I have to do anything else ??

 
 Follow-up:
 
 Looking at your SPF records, you don't have 127.0.0.1 listed. Any mail
 generated locally on darkstar.netcore.co.in will NOT pass SPF because
 the actual IP address is 127.0.0.1, which isn't listed. SA. However, the
 HELO string is (darkstar.netcore.co.in). That presumably resolves to one
 of the listed IP addresses, which causes the SPF_HELO_PASS (I can't
 resolve darkstar right now so so I cannot verify this)
 
 Add 127.0.0.1, and any other local IPs, to your SPF record and you
 should be good to go.
 
 Personally, I do this at my work, but we use split-dns. The external
 view doesn't see 127.0.0.1, or any internal IP addresses, but the
 internal one (used by SA) does.

darkstar.netcore is just my desktop.
So any mailserver which sees this IP from outside just gets the mail from
my gateway IP (IP masqueraded), and that one is listed in the SPF
records.

This is a problem of setting the envelope-from header for postfix,
because the server that runs SA uses postfix. How do I do that?

Thanks
Ram





Re: whitelist_from_spf is not working

2006-05-02 Thread Ramprasad

 Yes, but what box performs the SA scan? is it darkstar? or some other box? 
 Does
 the box performing the SA scan see the masquerade, or is it also behind your
 firewall and thus sees the private IPs?
 
 You're not concerned with what outside machines see here. You are trying to
 diagnose why YOUR local SA box does not cause SPF_PASS for messages that you
 sent to your own domain.

   Sorry, I should have been clearer in the first step. The MX for
mydomain points to a machine on the internet, where I am running SA
+ Mailscanner + postfix. In my test environment, the mail originating
from my desktop goes to this internet box (using the gateway IP allowed
in SPF). So SPF_PASS *must* score for the mail.

   But I think I know the problem; I will have to test it out though.
 I will have to configure postfix to put an X-Envelope-From header before
it queues the mail. SA is looking for this header; that's why it is
failing. Will write back if it works.

Thanks
Ram





SA script to get bayes score

2006-04-26 Thread Ramprasad
I want to run just the bayes test on several files and get bayes scores.
I tried writing my own script using Mail::SpamAssassin but that seems
not to give any score at all.
Is there any ready script available?

Or can I get any pointers?

Thanks
Ram





SPF for avoiding newsletter FPs

2006-04-24 Thread Ramprasad
Hi,
  We get a considerable number of newsletter mails with spammy content.
How do people tackle FPs from newsletters? Typically the stock
newsletters, the bank promotional newsletters etc.
I would like to know if this is possible (I am using SA3.1 + Mailscanner +
postfix):
1) Maintain a list of newsletters (this would grow with time)
2) For each of these newsletter mails, if their SPF records match, give a
high negative score.

At least those newsletters from domains who *have* SPF records will not
have problems.

Thanks
Ram





How to tackle FPs with RCVD_IN_*

2006-04-21 Thread Ramprasad
Hi,
 I am using SA 3.1.0 (+ many SARE rulesets) for my antispam cluster
of machines. We get huge traffic and by and large the solution works
fine. The only problem is when legitimate senders use dialups etc. Their
source IPs get listed in a lot of BLs and in effect their mails get
marked spam.

  I assume this would not be a problem unique to my case. What do
others use to tackle these FPs? I have already reduced the scores of some
BLs but now I risk letting some spams through.

Thanks
Ram




mangled rules ; new rules required

2006-03-31 Thread Ramprasad
Hi,
  I find quite a few spams with mangled words like
"Dea C r Home Ow v ner", "Dea 1 r Home O a wner" and many such
combinations are passing through my SA (SA 3.1.0 with quite a few SARE
rules).
I can tar these spams and send them if anyone wants.

The mangled.cf is able to catch mangled "credit" or mangled "deals" etc. but
not all these mangled lines. Is there a guide on how to write these
rulesets? The mangled.cf is quite complex to understand.
   I would like to roll out my rulesets immediately so as not to lose any
time.

Thanks
Ram
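
This post and the 2006-06-22 "sudden deluge of university spams" thread above describe two obfuscations of the same kind: phone numbers and words broken up with whitespace ("1 - 2 2 - 33", "gen uine de grees"), and words with a stray character inserted between their letters ("Dea C r Home Ow v ner"). As an added example that is not part of the original posts or of mangled.cf, the Python below shows both approaches discussed on the list: the rule suggested in the thread run over body text with runs of whitespace collapsed to one space (what SA's body rules see, as the reply states), the "collapsedbody" variant with all whitespace removed, and a generator that turns a plain phrase into a regex tolerant of the stray-letter trick. The sample bodies and rule names are constructed for the example; the one caveat it demonstrates is that a rule as loose as /1 ?- ?2 ?2 ?- ?3/ also fires inside longer digit strings, which the lookarounds on the collapsed variant avoid.

```python
import re

# Constructed sample bodies modelled on the obfuscations quoted in the posts;
# they are assumptions for this example, not the original spams.
SAMPLES = {
    "spaced_number": "Call now 1 - 2 2 -  33 for your diploma",
    "split_words":   "get gen uine de grees from pr estigious univers ities today",
    "stray_letters": "Dea C r Home Ow v ner, refinance today",
    "embedded_ham":  "Ref 11-22-331 attached, see the university fund notes",
}


def sa_body(raw):
    """Body text as a SpamAssassin 'body' rule sees it: whitespace runs collapsed to one space."""
    return re.sub(r"\s+", " ", raw).strip()


def collapsed(raw):
    """The 'collapsedbody' the poster asked for: every whitespace character removed."""
    return re.sub(r"\s+", "", raw)


# The rule suggested in the thread, run against the normal body text
LIST_RULE = re.compile(r"1 ?- ?2 ?2 ?- ?3")
# The same number against the collapsed body; the lookarounds keep it from
# matching inside a longer digit string such as 11-22-331
COLLAPSED_NUMBER = re.compile(r"(?<!\d)1-22-33(?!\d)")
COLLAPSED_WORDS = re.compile(r"genuinedegrees|prestigiousuniversit", re.I)


def tolerant_phrase(phrase):
    """Regex for phrase that also matches when letters are separated by whitespace or by a
    single stray character surrounded by whitespace ("Dea C r Home Ow v ner").

    Anchored at a word boundary so "idea rings" cannot satisfy "d e a r"."""
    gap = r"(?:\s*\w\s+|\s*)"
    words = [gap.join(re.escape(c) for c in word) for word in phrase.split()]
    return re.compile(r"\b" + r"\s+".join(words), re.I)


DEAR_HOMEOWNER = tolerant_phrase("dear home owner")


def scan(raw):
    """Return the names of the rules that hit, in a fixed order."""
    hits = []
    body, flat = sa_body(raw), collapsed(raw)
    if LIST_RULE.search(body):
        hits.append("BADNUMBER_BODY")
    if COLLAPSED_NUMBER.search(flat):
        hits.append("BADNUMBER_COLLAPSED")
    if COLLAPSED_WORDS.search(flat):
        hits.append("MANGLED_DEGREE_WORDS")
    if DEAR_HOMEOWNER.search(body):
        hits.append("MANGLED_DEAR_HOMEOWNER")
    return hits


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:14} {scan(text)}")
```

Collapsing whitespace trades precision for recall: once spaces are gone, every substring match is possible, so collapsed rules need digit or letter lookarounds and should stay in low-scoring subrules combined with the other evidence (no URLs, phone number present, unlisted relay) rather than carry a score of 10 on their own.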




inconsistent results on dns tests

2006-02-27 Thread Ramprasad
Hi,
  I have seen that dns tests for the same mail sent twice (to different
recipients) give inconsistent results.
The first mail got hit by RCVD_IN_WHOIS_BOGONS and the second did not
(I use a local caching name server). I can't figure out why.
Has this occurred to anybody else?

Thanks
Ram



Re: Personal rule matching ToCc

2006-02-07 Thread Ramprasad
On Tue, 2006-02-07 at 00:15 -0800, jdow wrote:
 From: Ramprasad [EMAIL PROTECTED]
 
  Hi,
I want to write a personal domain-wise rule 
  The rule I am using now is 
  
   header __TO_DOMAIN_NET ToCc =~ /[EMAIL PROTECTED]/i
  
  But the above rule would match @domain.net as well as
  @domain.net.in 
 
 You have not tried it, have you? The \b assures that it will not match
 on @domain.net.in.

I have tested this with SA 3.1:
ToCc =~ /[EMAIL PROTECTED]/i matched @domain.net as well as
@domain.net.in

Thanks
Ram



Personal rule matching ToCc

2006-02-06 Thread Ramprasad
Hi,
   I want to write a personal domain-wise rule 
The rule I am using now is 

 header __TO_DOMAIN_NET ToCc =~ /[EMAIL PROTECTED]/i

But the above rule would match @domain.net as well as
@domain.net.in 
Which is the best way to match only @domain.net and not @domain.net.in 

Thanks
Ram



Personal rule matching ToCc

2006-02-03 Thread Ramprasad
Hi,
   I want to write a personal rule  to match recipients of a particular
domain
The rule I am using now is 

 header __TO_DOMAIN_NET ToCc =~ /[EMAIL PROTECTED]/i

But the above rule would match @domain.net as well as
@domain.net.in 
Which is the best way to match only @domain.net and not @domain.net.in 

Thanks
Ram
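The "Personal rule matching ToCc" thread above turns on why a pattern ending in \b still hits @domain.net.in. The archive redacted the rule body, so the example below assumes it had the shape /\@domain\.net\b/i (jdow's reply mentions the \b); it is an added example, not code from the list or from SpamAssassin, and uses Python's re for testing, where \b and the negative lookahead behave as they do in the Perl regexes SpamAssassin evaluates.

```python
import re

# Assumed shape of the rule body discussed in the thread (the archive
# redacted it).  \b only asserts a transition between a word character and
# a non-word character, and "t" followed by "." is exactly such a
# transition, so the pattern also hits the longer domain.
LOOSE = re.compile(r"@domain\.net\b", re.IGNORECASE)

# Stricter ending: after ".net" there must be nothing that could continue a
# hostname (letter, digit, dot or hyphen).  End of string also satisfies the
# negative lookahead, so a bare address at the end of the header still hits.
STRICT = re.compile(r"@domain\.net(?![A-Za-z0-9.-])", re.IGNORECASE)


def hits(pattern: re.Pattern, header_value: str) -> bool:
    """True if PATTERN matches anywhere in a To/Cc header value."""
    return pattern.search(header_value) is not None


def compare(header_value: str) -> dict:
    """Run both patterns over one header value; a quick regression table to
    consult before touching the live rules file."""
    return {"loose": hits(LOOSE, header_value),
            "strict": hits(STRICT, header_value)}


# Constructed header values in the shapes a ToCc rule sees.
SAMPLES = [
    "Someone <user@domain.net>",
    "Someone <user@domain.net.in>",
    "user@domain.net, other@example.org",
    "user@domain.network",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} {compare(sample)}")
```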






bayes on tmpfs

2005-11-05 Thread Ramprasad A Padmanabhan
Hi,
   We run spamassassin on our Mailservers that receive close to 20k
mails per hour. 
 The problem is SA takes too long especially for the bayesian checks 

  I am thinking of moving the BAYES DB to a tmpfs partition. What are
the pros and cons? I could write a cron to just copy the bayes to a
harddisk partition for recovery in case of a reboot.  The only concern
is that there would be too much memory consumed, because bayes by
itself also caches a lot in memory.


Thanks
Ram 




Managing a personal SURBL list

2005-10-18 Thread Ramprasad A Padmanabhan
Hi all,
  
  We are running spamassassin 3.1 with Mailscanner. The SURBL checks are
very efficient in catching spams ( without risk of FP's).
   Sometimes we get a lot of spam with URI's not listed in SURBL's ,
probably because they are too specific to our domain / locality.
To make sure that these spams too get caught .. we plan to run our own
SURBL list. What's the best way of achieving this? Any inputs? 

Thanks
Ram




Re: Pharamcudical list of words in a table

2005-09-05 Thread Ramprasad A Padmanabhan
On Sun, 2005-09-04 at 03:20, wolfgang wrote:
 In an older episode (Saturday, 3. September 2005 19:51), Ilan Aisic wrote:
 
  It would be very difficult to write rules that would detect spam
  disguised like this in an HTML table.
 
 I think the SARE obfu rules catch quite a few of those, see
 http://www.rulesemporium.com/rules.htm#obfu
 

Does this cf 70_sare_obfu.cf file work with SA 2.64 as well?

Thanks
Ram




Re: ANNOUNCE: SpamAssassin 3.1.0-rc1 release candidate available!

2005-08-16 Thread Ramprasad A Padmanabhan
On Tue, 2005-08-16 at 05:31, jdow wrote:
 From: Kenneth Porter [EMAIL PROTECTED]
 
  --On Saturday, August 13, 2005 6:58 PM -0400 Theo Van Dinter 
  [EMAIL PROTECTED] wrote:
 
  On Sat, Aug 13, 2005 at 03:07:14PM +0530, Ramprasad A Padmanabhan wrote:
  When I build the rpm from the spec file ( on fedora core 3 ) the
  spamassassin-tools rpm is not created. Was it not a part of SA.
 
  The tools RPM was deprecated.  There was very little in there that wasn't
  development related, which is better taken out of SVN or the tarball,
  so ...
 
  I'd recommend adding an Obsoletes tag for the deprecated subpackage, then. 
  Otherwise the 3.0.4 subpackage gets orphaned and blocks updating of the 
  surviving subpackages.
 
 What sub-packages that a CPAN style update won't catch?
 
CPAN style updates are not good for System Administrators, who find it
easier to create an rpm, scp it to all the machines and run rpm -Uvh on all
of them, especially when you have more than 7-8 machines to manage.

Ram





Re: ANNOUNCE: SpamAssassin 3.1.0-rc1 release candidate available!

2005-08-13 Thread Ramprasad A Padmanabhan
When I build the rpm from the spec file ( on fedora core 3 ) the
spamassassin-tools rpm is not created. Was it not a part of SA?

Thanks
Ram

On Sat, 2005-08-13 at 06:44, Justin Mason wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 *** THIS IS A RELEASE CANDIDATE ONLY, NOT THE FINAL 3.1.0 RELEASE ***
 
 SpamAssassin 3.1.0-rc1 is released!  SpamAssassin 3.1.0 is a major update.
 SpamAssassin is a mail filter which uses advanced statistical and
 heuristic tests to identify spam (also known as unsolicited bulk email).
 
 This is a release candidate, and NOT the general availability release (yet.)
 We think it's pretty rock solid, however. ;)
 
 Highlights of the release
 - -
 
 - - Apache preforking algorithm adopted; number of spamd child processes is now
   scaled, according to demand.  This provides better VM behaviour when not
   under peak load.
 
 - - added PostgreSQL, MySQL 4.1+, and local SDBM file Bayes storage modules. SQL
   storage is now recommended for Bayes, instead of DB_File. NDBM_File support
   has been dropped due to a major bug in that module.
 
 - - detect legitimate SMTP AUTH submission, to avoid false positives on
   Dynablock-style rules.
 
 - - new plugins: DomainKeys (off by default), MIMEHeader: a new plugin to perform
   tests against header in internal MIME structure, ReplaceTags: plugin by Felix
   Bauer to support fuzzy text matching, WhiteListSubject: plugin added to
   support user whitelists by Subject header.
 
 - - Razor: disable Razor2 support by default per our policy, since the
   service is not free for non-personal use.  It's trivial to reenable.
 
 - - DCC: disable DCC for similar reasons, due to new license terms.
 
 - - Net::DNS bug: high load caused answer packets to be mixed up and delivered as
   answers to the wrong request, causing false positives.  worked around.
 
 - - DNSBL lookups and other DNS operations are now more efficient, by using a
   custom single-socket event-based model instead of Net::DNS.
 
 Downloading
 - ---
 
 Pick it up from:
 
   http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.1.0-rc1.tar.gz
   http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.1.0-rc1.tar.bz2
   http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.1.0-rc1.zip
 
 md5sum:
 
   c41126e515eacc5480d6d44498d5b99d  Mail-SpamAssassin-3.1.0-rc1.tar.bz2
   196a22f1a9d27792d8388fbc6f1b522f  Mail-SpamAssassin-3.1.0-rc1.tar.gz
   1763521a992ebd45c46ca1dcab586474  Mail-SpamAssassin-3.1.0-rc1.zip
 
 sha1sum:
 
   17145041222d607d1591eb5cffdff80fdd55cd6c  Mail-SpamAssassin-3.1.0-rc1.tar.bz2
   904c9b67498ec456c674545c15d0c4f89950a9da  Mail-SpamAssassin-3.1.0-rc1.tar.gz
   f6d5d50abc70a4cedde3bc50715848aba1c3a4e4  Mail-SpamAssassin-3.1.0-rc1.zip
 
 The release files also have a .asc accompanying them.  The file serves
 as an external GPG signature for the given release file.  The signing
 key is available via the wwwkeys.pgp.net key server, as well as
 http://spamassassin.apache.org/released/GPG-SIGNING-KEY
 
 The key information is:
 
 pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key [EMAIL PROTECTED]
  Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B
 
 Important installation notes
 - 
 
 - - see the INSTALL and UPGRADE files in the distribution.
 
 Summary of major changes since 3.0.x
 - 
 
 - - Apache preforking algorithm adopted; number of spamd child processes is now
   scaled, according to demand.  This provides better VM behaviour when not
   under peak load.
 
 - - Inclusion of sa-update script which will allow for updates of rules and
   scores in between code releases.
 
 - - added PostgreSQL, MySQL 4.1+, and local SDBM file Bayes storage modules. SQL
   storage is now recommended for Bayes, instead of DB_File. NDBM_File support
   has been dropped due to a major bug in that module.
 
 - - detect legitimate SMTP AUTH submission, to avoid false positives on
   Dynablock-style rules.
 
 - - new Advance Fee Fraud (419 scam) rules.
 
 - - removed use of the Storable module, due to several reported hangs on SMP
   Linux machines.
 
 - - Converted several rule/engine components into Plugins such as:
   AccessDB, AWL, Pyzor, Razor2, DCC, Bayes AutoLearn Determination, etc.
 
 - - new plugins: DomainKeys (off by default), MIMEHeader: a new plugin to perform
   tests against header in internal MIME structure, ReplaceTags: plugin by Felix
   Bauer to support fuzzy text matching, WhiteListSubject: plugin added to
   support user whitelists by Subject header.
 
 - - TextCat language guesser moved to a plugin.  (This means ok_languages
   is no longer part of the core engine by default.)
 
 - - Razor: disable Razor2 support by default per our policy, since the
   service is not free for non-personal use.  It's trivial to reenable.
 
 - - DCC: disable DCC for similar reasons, due to new license terms.
 
 - - Net::DNS bug: 

Bayes is a cpu hog ?

2005-07-25 Thread Ramprasad A Padmanabhan
Hi all,
   I am using Spamassassin on our SMTP servers with almost 2 mails
an hour. The problem is the machine is almost always heavily loaded.
Spamassassin takes a lot of time and I think the Bayes checking /
learning is the real cpu hog ? 
   Also I feel bayes is no good for a server like ours , we process
mails for different customers , so bayesian learning for one customer
has little sense for the other.

I would like to completely disable bayes , can someone provide some
inputs on this.

Thanks
Ram


--
Netcore Solutions Pvt. Ltd.
Website:  http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
--


Bayes poisoning ?

2005-07-22 Thread Ramprasad A Padmanabhan
Hi
  We are using Spamassassin + Postfix + Mailscanner on our SMTP servers.
Of late I have noticed that a lot of ham mails are getting a high BAYES
score.

I have overridden bayes with lower scores in order to avoid false
positives ( and possibly mail loss ) 

How do I de-poison the bayes database, and are there any ways to avoid
bayes poisoning ? 


Thanks
Ram






ruleset for antidrug.cf

2005-07-19 Thread Ramprasad A Padmanabhan
Hi list,
   Our servers are frequently getting spam mails with taablets , or
ta.blets in the subject. 

I run rules_du_jour regularly; I am surprised there is no ruleset for
catching this kind of subject: 
   /\bta+\.?b(let)?s\b/

Does someone already have a ruleset for this?

Thanks
Ram




Re: ruleset for antidrug.cf

2005-07-19 Thread Ramprasad A Padmanabhan
On Tue, 2005-07-19 at 21:34, Matt Kettler wrote:
 Ramprasad A Padmanabhan wrote:
  Hi list,
 Our servers are frequently getting spam mails with taablets , or
  ta.blets in the subject. 
  
  I run rules_du_jour regularly, I am surprised there is no ruleset for
  catching this kind  of subjects 
 /\bta+\.?b(let)?s\b/
  
  Has someone already a ruleset for this
 
 One problem with the above regex.. it will match tablets or tabs in an 
 un-obfuscated form.
 


I think that is ok in the subject.
A subject with tablets, even un-obfuscated, still deserves a score around 1. 


Thanks 
Ram


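The two obfuscation styles quoted on this page, junk tokens between letters in the "mangled rules" post (Dea C r Home Ow v ner) and doubled or punctuated letters in the antidrug.cf thread (taablets, ta.blets), can be caught by one pattern builder. This is an added example, not code from the list, from SARE or from SpamAssassin; it uses Python's re for testing, and the constructs (optional groups, alternation, \b) carry over to the Perl regexes SA evaluates. The require_obfuscation switch addresses Matt Kettler's point that /\bta+\.?b(let)?s\b/ also fires on the plain word.

```python
import re


def _gap(prev: str) -> str:
    """Regex for what may be inserted between two letters of a word: a junk
    token surrounded by whitespace ("Dea C r"), one punctuation character
    ("ta.blets"), or a repeat of the previous letter ("taablets")."""
    return r"(?:\s+\S{1,2}\s+|[.\-_*]|" + prev + r")?"


def mangled_phrase_re(phrase: str) -> re.Pattern:
    """Compile a case-insensitive pattern matching PHRASE with optional
    obfuscation at every position between two letters; words of the phrase
    are separated by whitespace and anchored with \\b."""
    words = []
    for word in phrase.split():
        letters = [re.escape(c) for c in word]
        pattern = letters[0]
        for prev, cur in zip(letters, letters[1:]):
            pattern += _gap(prev) + cur
        words.append(pattern)
    return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)


def find_mangled(phrase: str, text: str, require_obfuscation: bool = True):
    """Return the matched text, or None.  With require_obfuscation the clean
    phrase itself is not reported, so it can carry its own (lower) score."""
    m = mangled_phrase_re(phrase).search(text)
    if m is None:
        return None
    hit = m.group(0)
    if require_obfuscation and re.sub(r"\s+", " ", hit).lower() == phrase.lower():
        return None
    return hit


# Constructed subjects modelled on the samples quoted on the list.
SAMPLES = [
    "Dea C r Home Ow v ner, refinance today",
    "Dea 1 r Home O a wner",
    "Dear Home Owner",
    "cheap taablets here",
    "buy ta.blets now",
    "tablets",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:42} owner={find_mangled('Dear Home Owner', s)!r}"
              f" tablets={find_mangled('tablets', s)!r}")
```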


user wise preferences from database

2005-06-09 Thread Ramprasad A Padmanabhan
Hi,
  I want to use Spamassassin  with Postfix-Mailscanner or
Postfix-amavisd for an ISP level spam filter.

All users are virtual, and I would like to give the users full control
for setting their rulesets

For example,
   A user must be able to set his own scores for the DRUGS_ERECTILE or
DCC_CHECKS. ( say he works in a pharmacy )  

Since there may be several thousands of users and most users would not
make custom settings ( though in theory they can ); it is not practical
to have users' home directories.
Ideally I should be able to get the preferences from a database or ldap
per user.

Is this possible? Can someone point me to some links on how this can be
done?

Thanks
Ram



