Re: Spam bounceback attack

2007-04-09 Thread Rob McEwen (PowerView Systems)
J. said:
> Thanks Ram.  Not sure how to implement recipient verification with my
> setup, but I'll look into it. I have an SPF record for my domain

I'm confused. Are you all saying that J's mail server was processing all
incoming e-mails, even if there wasn't an alias set up on that domain? In other
words, catch-all accounts? I thought that just about everyone has moved away
from catch-all accounts due to dictionary attacks.

I was thinking, isn't recipient verification a given??!!

Surely, I must be confused! Please clarify. 

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



RE: Fundamental question about spam image processing.

2007-04-02 Thread Rob McEwen (PowerView Systems)
> It turns out that the basis for their analysis is to look at the size of
> the image as well as the number of colors. 99.99% of all spam images have
> less than 16 colors. Once they found an image with 22 colors. This sounds
> like a dirt cheap way to get a huge boost in spam recognition. They may
> have other tricks they do, but I just wanted to report what I learned.

Sounds great... but this begs the question... what strategies do they use to 
ensure that someone's GIF logo in a legit e-mail doesn't cause that legit 
e-mail to get blocked as spam? In other words, for this to be an effective 
strategy, wouldn't it ALSO need to be true that these stats are NOT typically 
the case for images in legit e-mail?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



**exact** info about skip_rbl_checks needed

2007-01-25 Thread Rob McEwen (PowerView Systems)
BACKGROUND:

First, I do NOT use SA for IP or URI based lookups as I do those in my own 
custom programmed spam filter.

But I do desire to use SA for such things as Razor, SARE rules, ImageInfo, etc.

Therefore, I have the following set up to prevent IP lookups:

skip_rbl_checks 1

And other items are commented out to prevent such things as SURBL and URIBL
lookups since I'm already doing those, too. Also, I choose to have bayes
turned off.

THAT IS THE BACKGROUND... HERE IS THE QUESTION:

1st question:

Some of my incoming messages involve messages forwarded to my server via a rule
from accounts that some of my clients have on other ISPs' mail servers. For such
incoming messages, I have been creating a temporary copy of the message where
all headers that were ADDED by either the other ISP and/or my server are
removed so that the message is brought back to the state that it was in when
originally sent by the original sender (just prior to the ISP's mail server
receiving it). This way, SA can work with what the potential spammer actually
sent, without any received headers added.

But is that really necessary? Or would I get the same results if, under my 
configuration described above, I just left the extra added headers in there?

(I'm concerned that, even with skip_rbl_checks turned off, there might still be 
SPF checking or other things going on which then might get messed up if I 
don't present the message in its original form. PLEASE... let me know if that 
is the case. This will only be about the 10th time that I've asked what other 
network checks happen besides Razor/DCC when skip_rbl_checks is set to true.)

2nd question:

Does SA have any problems working with a file that OTHER programs are currently 
accessing (in read mode)?

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]




Q: **other** good general Spam/Mail Admin Lists?

2007-01-10 Thread Rob McEwen (PowerView Systems)
RE: Question about **other** good general Spam/Mail Admin Lists?

About a month or two ago, I recall someone posting advice to another SA list
member about *other* lists which would be good lists to post general spam
and/or e-mail server administration questions to whenever the topic or question
was deemed too off-topic for the SpamAssassin list.

Does anyone recall what those were (or have any good suggestions about this?)

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: sa-learn explained

2006-12-29 Thread Rob McEwen (PowerView Systems)
RE: Spamhaus's Zen list

Speaking of which, does anyone know what **exactly** the following xbl-derived 
return codes represent on the Zen list




Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032

-Original message-
From: snowcrash+spamassassin [EMAIL PROTECTED]
Date: Sat, 30 Dec 2006 03:11:17 -0500
To: Phil Barnett [EMAIL PROTECTED]
Subject: Re: sa-learn explained

> > Perhaps it's not ready for prime time. I can't imagine that if it was they
> > would not be making it headline news.
>
> linford has, apparently, stated in posts to newsgroups that folks
> should switch _now_. i think there's a reference in this list's
> archive, iirc.
>
> public announcements, i'd guess, will be made when all t's are crossed etc etc


Re: sa-learn explained

2006-12-29 Thread Rob McEwen (PowerView Systems)
[oops... I hit the wrong key and it sent before I was finished. sorry. Here is 
the entire e-mail I intended to send.]

RE: Spamhaus's Zen list

Speaking of which, does anyone know what **exactly** the following xbl-derived 
return codes represent on the Zen list

127.0.0.4|5|6|7|8

I know that 4 probably equals CBL and 5 probably means NJABL

...but what do 6, 7, and 8 represent?

I'm hoping that one of these three will represent **both** CBL and NJABL. And 
I'm curious about all of these!

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]

> -Original message-
> From: snowcrash+spamassassin [EMAIL PROTECTED]
> Date: Sat, 30 Dec 2006 03:11:17 -0500
> To: Phil Barnett [EMAIL PROTECTED]
> Subject: Re: sa-learn explained
>
> > > Perhaps it's not ready for prime time. I can't imagine that if it was they
> > > would not be making it headline news.
> >
> > linford has, apparently, stated in posts to newsgroups that folks
> > should switch _now_. i think there's a reference in this list's
> > archive, iirc.
> >
> > public announcements, i'd guess, will be made when all t's are crossed etc
> > etc


Re: MSRBL

2006-12-15 Thread Rob McEwen (PowerView Systems)
John Rudd said:
> I'm more interested in the Image signatures it has.  If they're really
> useful and reliable.  I expect that keeping up with image spam wouldn't
> be very scalable, but it might at least help reduce some load (since we
> do virus scanning before letting Spam Assassin see a message) for
> whichever images are known.

I did some testing of the image signature/clamav filter a few months back 
and I found it effective against a few series of spams... but the problem is
that these series of spams were typically **already** caught through multiple
other types of spam filtering and the really tricky and hard to catch image
spams were missed by MSRBL. Why? Because the tricky kinds send out
a slightly altered image for every single spam and MSRBL's image catching
technique is ONLY effective where the image stays the same.

This would have been a great tool 2-3 years ago. Oh well.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



How To Turn Off ALL Network Tests (except DCC & Razor)

2006-11-21 Thread Rob McEwen (PowerView Systems)
RE: How To Turn Off ALL Network Tests (except DCC & Razor)

In SpamAssassin, how do you turn off ALL Network tests, including ALL DNS and 
**all** rDNS lookups, but leave DCC & Razor running?

I commented out the following line:

# loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

And I have skip_rbl_checks set to true, as follows:

skip_rbl_checks 1

Next, I added the following to the local.cf file:

score NO_DNS_FOR_FROM  0
score DNS_FROM_RFC_DSN  0
score DNS_FROM_RFC_POST  0
score DNS_FROM_RFC_ABUSE  0
score DNS_FROM_RFC_WHOIS  0
score DNS_FROM_RFC_BOGUSMX  0
score DNS_FROM_AHBL_RHSBL  0
score DNS_FROM_SECURITYSAGE  0
score FAKE_HELO_MSN  0
score FAKE_HELO_MAIL_COM  0
score FAKE_HELO_EMAIL_COM  0
score FAKE_HELO_EUDORAMAIL  0
score FAKE_HELO_EXCITE  0
score FAKE_HELO_LYCOS  0
score FAKE_HELO_YAHOO_CA  0

...with the idea that a zero tells SA to NOT run this check, correct?

Is there anything ELSE that should be done to tell SA to NOT do any other
network or DNS checking (and NOT do an rDNS lookup!), except still do DCC and
Razor checking?

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]




Re: How To Turn Off ALL Network Tests (except DCC Razor)

2006-11-21 Thread Rob McEwen (PowerView Systems)
> set 'dns_available no'

dns_available tells SA whether or not to assume that DNS is working without
actually having to stop and do extra time-consuming tests to see if DNS is
working. So setting this to no doesn't actually save any time. It only
increases time. Also, as I understand it, use of DCC and Razor requires minimal
DNS resolution to figure out the IP address of the DCC and/or Razor servers,
which, of course, I DO want to continue happening... it is all **other**
DNS-stuff that I want turned off.

> why would you want to cripple
> yourself so badly?
I've programmed my own spam filter, where I do all my URI (surbl, uribl),
IP-based (rbl), and nRDNS lookups... so I don't want any of these done in
SA... I know that I have most of these turned off in SA, but I just want to get
anything else turned off, particularly rDNS lookups.

(I use SA as a helper application to complement my own spam filter)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]

-Original message-
From: Stuart Johnston [EMAIL PROTECTED]
Date: Mon, 20 Nov 2006 16:02:43 -0500
To: users@spamassassin.apache.org
Subject: Re: How To Turn Off ALL Network Tests (except DCC & Razor)

> Rob McEwen (PowerView Systems) wrote:
> > RE: How To Turn Off ALL Network Tests (except DCC & Razor)
> >
> > In SpamAssassin, how do you turn off ALL Network tests, including ALL DNS
> > and **all** rDNS lookups, but leave DCC & Razor running?
> >
> ...
> >
> > Is there anything ELSE that should be done to tell SA to NOT do any other
> > network or DNS checking (and NOT do an rDNS lookup!), except still do DCC
> > and Razor checking?
>
> I think you'd want to set 'dns_available no' to disable the rDNS
> lookups.  Out of curiosity though, why would you want to cripple
> yourself so badly?


Could THIS have doubled my SA Speed...

2006-11-17 Thread Rob McEwen (PowerView Systems)
RE: Could THIS have doubled my SA Speed...

First, I'm using a Windows port of SA... and I use this as a helper application
in addition to my own custom programmed spam filter. Along these lines, I
purposely have RBL checks and URI checks disabled in SA because I do these
myself. But I **do** have Razor2 and DCC enabled.

Anyways, I was trying to see what I could do to speed SA up as it seemed slower 
than it used to be.

I tried adding a resolv.conf file (which wasn't previously there) and entered 
my local DNS caching server there.

Then, I restarted SpamD and ran a corpus of 50 test files through SA (using a
batch file, processing them one-by-one)... and this 2nd time it processed twice
as fast. I ask if these results sound correct because I figure that my results
might be anecdotal. Does this type of speedup sound correct?

I know that using a local DNS caching server can speed things up, but I was
only specifying the SAME one that was already the default DNS server in my NIC
card setup... so I would have thought that this would have already been the one
chosen.

But I have another question:

It stands to reason that, even though I have RBLs and URI checks turned off,
there must be something ELSE that is getting checked across the network (via
DNS)... or OTHER DNS traffic besides just RAZOR and DCC. Any ideas what that
might be?

I guess I was a bit surprised at this speedup since I have most of these
DNS-type checks disabled. (But maybe there is still more going on via DNS than
I realize?)

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]




Re: spam attacks - so and so wrote about a stock

2006-10-18 Thread Rob McEwen (PowerView Systems)
In the meantime, it sure would be nice if that new ruleset that Chris bragged 
about could get on the SARE website ASAP.

(Where are you Doc Schneider? I hope we haven't caught you on a busy day. 
Please hurry.)

Rob McEwen
PowerView Systems



Re: Mail server performance problems. Possible SA slow down?

2006-10-09 Thread Rob McEwen (PowerView Systems)
> The last few weeks I have noted (angry users calling me by phone) that
> the server is really slow.

Don't know for sure, but I suspect slower than usual Razor and/or DCC servers?

--Rob McEwen



Re: Q. about spam directed towards highest MX Record?

2006-09-29 Thread Rob McEwen (PowerView Systems)
Jon Trulson said:
> Hehe, that is an old spammer trick... Our secondary MX is
> pretty much 100% spam.
> I implemented greylisting on the secondary which reduced spam
> through it by about 99% :)  The secondary does not do spam
> scanning, it's simply store and forward.  Greylisting really
> helps in these cases.

Jon, please tell me, what portion of your overall spams attempt to come in
through this secondary MX compared to all spam that you catch which is headed
to your primary MX record?

THAT is what I most wanted to know.

Thanks!

Rob McEwen
PowerView Systems



Re: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
Tom Lindell asked:
> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy.  I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if they're detected as spam.

Tom,

Don't you require password authentication as a prerequisite for users being
allowed to relay messages through your server? (and I'm always wondering if this
is enough protection from trojans?)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



RE: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
Tom said:
> I do however if they get a Msoutlook trojan that can use outlook to forward
> the spam it gets right on through

What a nightmare. I've been aware of this possibility, but I didn't think it 
happened that often.

Are there any particular characteristics of the outgoing spam and/or viruses?

I'd bet that these types of trojans which use existing outlook accounts and 
send mail through outlook probably tend to fall within a narrow range as far as 
the actual spam or virus messages that are sent.

Do you see a pattern with these?

What I'm thinking is that if these fall within a narrow range, then that might
make it more wise to scan outbound mail... but to do so using a limited range of
types of scanning to minimize resources... targeting just the types of spams
that are being sent by these types of trojans.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



RE: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
> Usually they're the typical viagra or stock scam.
Text or image spam?

If text, do they include a URL that might be caught by SURBL or URIBL?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Blocking based on ALL IPs in the header

2006-08-08 Thread Rob McEwen (PowerView Systems)
Just thought y'all would be interested to know that I just spent about 45
minutes trying to convince an I.T. guy at one of the largest regional banks in
my area that a spam filter should ONLY check the IP address of the sending mail
server against RBLs, NOT every single IP contained within the header.

I told him that often, dynamically assigned IPs will show up in blacklists even 
if they've never sent spam and I explained that on any given day, a person's 
own computer can get reassigned a blacklisted IP which was previously used by a 
spammer or by a worm-infected computer even if that computer has never had a 
worm and the user never had sent a spam.

I also explained how he doesn't have to worry about what might happen if he
didn't check other IPs in the header because if that person's computer were
spewing out spams, he'd still be able to block them if one were to happen to head
his way.

My client who couldn't send to this bank uses **my** server for sending mail 
and they are only allowed to do so based on authentication.

But the messages are getting blocked because that bank's spam filter is 
checking every IP in the header and my client's IP is blacklisted.

Unbelievable.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
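The distinction Rob is drawing, as an added example that is not code from the thread: parse a constructed message's Received chain, pick out the IP of the host that actually connected to our MX, and contrast that with the "every IP in the header" approach. The hostnames, addresses and blocklist are made up for the example.

```python
"""Check only the connecting MTA's IP against a blocklist, not every IP in
the Received chain.  Added example; the message, hostnames and blocklist
below are constructed, not real data."""
import re
from email import message_from_string

# Constructed message as the bank's MX sees it.  The top Received header was
# stamped by the bank's own MX (mx.bank.example); the one beneath it was
# stamped by the hosting provider's outbound server, which accepted the
# message from an authenticated customer on a dynamically assigned ISP
# address (ESMTPA = authenticated submission).
RAW_MESSAGE = """\
Received: from mail.powerview.example (mail.powerview.example [203.0.113.10])
\tby mx.bank.example with ESMTP id 7f3a1; Tue, 8 Aug 2006 09:12:01 -0400
Received: from client-pc (dsl-pool-77.isp.example [198.51.100.77])
\tby mail.powerview.example with ESMTPA id 1c9d4; Tue, 8 Aug 2006 09:11:58 -0400
From: client@powerview.example
To: loans@bank.example
Subject: loan paperwork

Attached as discussed.
"""

# Constructed stand-in for a DNSBL answer: the ISP's dynamic pool address is
# listed because a previous holder of it ran a spam bot.
BLOCKLIST = {"198.51.100.77"}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_headers(raw):
    """Received headers, most recent (our own) first, as MTAs stack them."""
    return message_from_string(raw).get_all("Received", [])


def all_header_ips(raw):
    """What the bank's filter did: every bracketed IP anywhere in the chain.
    Everything below our own header was written by someone else and is
    trivially forgeable, so it is useless as evidence either way."""
    ips = []
    for hdr in received_headers(raw):
        ips.extend(IP_RE.findall(hdr))
    return ips


def connecting_ip(raw, our_host):
    """The one IP an RBL check should use: the peer that connected to *our*
    MX, i.e. the 'from' address in the Received header our own host stamped.
    The 'from' clause comes first in Received syntax, so its IP is the first
    bracketed address in that header."""
    by_us = re.compile(r"\bby\s+" + re.escape(our_host) + r"\b", re.I)
    for hdr in received_headers(raw):
        if by_us.search(hdr):
            m = IP_RE.search(hdr)
            if m:
                return m.group(1)
    return None


def rbl_hits(ips, blocklist=BLOCKLIST):
    """Addresses from ips that the (constructed) blocklist lists."""
    return sorted(set(ips) & blocklist)


def compare(raw, our_host, blocklist=BLOCKLIST):
    """(hits when every header IP is checked, hits when only the connecting
    IP is checked).  The first wrongly blocks the customer's mail."""
    naive = rbl_hits(all_header_ips(raw), blocklist)
    peer = connecting_ip(raw, our_host)
    correct = rbl_hits([peer] if peer else [], blocklist)
    return naive, correct


if __name__ == "__main__":
    naive, correct = compare(RAW_MESSAGE, "mx.bank.example")
    print("connecting IP:", connecting_ip(RAW_MESSAGE, "mx.bank.example"))
    print("every-IP-in-header hits:", naive)
    print("connecting-IP-only hits:", correct)
```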



Re: Spam with mail address in it

2006-08-07 Thread Rob McEwen (PowerView Systems)
> Maybe uribl could be changed to also check mail addresses, too?

Chris,

SURBL and URIBL are not intended to be used for checking against the domains of 
e-mail addresses, even when the e-mail is contained within the body of the 
message.

In spite of that, I did use to do this... but I discovered that this was a
large source for FPs... particularly e-mails which went through many rounds of
forwarding and left dozens of e-mail addresses in the body of the message.

However, I do think that it would be great if someone created a dns-based
blacklist strictly for e-mails contained within the body of the message. This
would be handy for catching the spam that you mentioned as well as for MANY 419
scam e-mails.

In fact, Joe Wein maintains just such a list on his web site that one can 
download and then integrate into their system. But I often find that the few 
such spams which make it past my system wouldn't have been caught if checked 
against Joe's list anyways.

I attribute this to two things:

(1) dns lists are most successful when they use **multiple** data input
sources, all working together

(2) turnaround time from the initial reports to the domain (or e-mail
address, in this case) being listed must also be lightning fast.

(but I may be making assumptions here about Joe's list)

Perhaps sometime someone can take Joe's data and create a web site like URIBL
where people can report e-mail addresses found in scam spam to create a more
comprehensive list with faster turnaround?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Spam with mail address in it

2006-08-07 Thread Rob McEwen (PowerView Systems)
> Perhaps sometime someone can take Joe's data and
> create a web site like URIBL where people can report
> e-mail addresses found in scam spam to create a more
> comprehensive list with faster turnaround?

Oh... I forgot... a previous round of discussions about this killed off this
idea because there is much potential for abuse.

Consider this... a 419 spammer decides to poison such a list by filling out the
form and submitting forged 419 samples where they paste a 419 scam e-mail
into the box, but use an innocent person's yahoo/hotmail/etc e-mail address.

Eventually, too many FPs and it is hard to tell the difference between the 
real 419 addresses and the fake ones which are really legit addresses of 
innocent people.

But I still think it could be done on a trust basis:

(1) submissions ONLY accepted from password-protected accounts... no option for
anonymous submissions

(2) no data from account fed into system until X number of submissions from
that account which match up with OTHER submitters' data

(3) data from that submitter nullified as soon as X number of submissions
become suspect... with (percent questioned/percent not questioned) factored
in... knowing that if someone submits thousands of true 419 scams at some
point, a few of these will be questioned)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Looking for advice on rule creation regular expressions

2006-08-03 Thread Rob McEwen (PowerView Systems)
> I've come up with a rule that'll match every one of those instances, but
> also has the unfortunate consequence of matching plain old ADVIL:

Create the rule you mentioned, then create another rule for plain old advil

Something like:

/\badvil\b/

But make this additional rule **subtract** points... either the same or a 
little less than the amount of points added by the obfuscation-catching rule, 
depending on whether you want to leave a little bit of score in there for the 
correctly spelled instances or cancel it out altogether.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
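The score-compensation idea from the reply, as an added example rather than anything posted in the thread: an obfuscation-catching rule with a positive score and the /\badvil\b/ rule with a negative one, run over a few constructed lines. The obfuscation pattern and the point values (+3.0 and -2.5) are assumptions, since the original poster's rule is not shown.

```python
"""Score compensation: an obfuscation-catching rule plus a negative-scoring
rule for the plain spelling, as the reply above suggests.  Added example;
the obfuscation pattern and the point values are assumptions standing in for
the original poster's rule, and score() is a small stand-in for SA's scoring."""
import re

# Assumed obfuscation rule: the letters of the word with any run of
# non-alphanumerics between them (A.D.V.I.L, a-d-v-i-l, "a d v i l").  Like the
# poster's rule, it also matches the plain word, which is the problem.
ADVIL_OBFUSCATED = re.compile(
    r"\ba[^a-z0-9]*d[^a-z0-9]*v[^a-z0-9]*i[^a-z0-9]*l\b", re.I)

# The compensating rule from the reply, /\badvil\b/: the correct spelling
# only.  It carries a negative score so a legit mention nets out.
ADVIL_PLAIN = re.compile(r"\badvil\b", re.I)

# (name, pattern, points).  -2.5 against +3.0 is the "a little less" option:
# a correctly spelled mention still leaves 0.5 in the total.
RULES = [
    ("ADVIL_OBFUSCATED", ADVIL_OBFUSCATED, 3.0),
    ("ADVIL_PLAIN", ADVIL_PLAIN, -2.5),
]


def score(text, rules=RULES):
    """Each rule fires at most once per message, as a SpamAssassin body rule
    does; returns (total, [names of rules that fired])."""
    total = 0.0
    fired = []
    for name, pattern, points in rules:
        if pattern.search(text):
            total += points
            fired.append(name)
    return round(total, 2), fired


if __name__ == "__main__":
    for sample in ("Buy A.D.V.I.L cheap today",
                   "Take two Advil and call me in the morning",
                   "A-D-V-I-L (also spelled advil)"):
        print(repr(sample), "->", score(sample))
```

The third sample shows the cost of the approach: once the plain word appears anywhere in the message, the obfuscated spelling beside it is neutralised as well, because each rule fires only once.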



list of two level TLDs in SA

2006-07-28 Thread Rob McEwen (PowerView Systems)
> ... us.tt is listed as a two level TLD in SA

I wasn't involved in that URIBL listing which brought this up... but, BTW, I'd 
love to have that two level TLD in SA list handy. Therefore, can someone 
point me in the right direction for where I could find SA's list of two level 
TLDs?

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: SpamAssassin on Windows(win32)

2006-07-21 Thread Rob McEwen (PowerView Systems)
Haren Kodagoda asked:
> Has any one implemented SA 3.1.2 or 3 on MS Windows (win32)?
> If so are they stable on win32?

Yes.

1st of all, there has been an emulation mode version out for a long time. But
just last month someone ported it to native win32 code:

http://physics.ucsd.edu/~epivovar/anti-spam.htm

I've found this fully win32 port to be very stable in my testing... but I 
haven't yet battle tested it.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: AW: AW: Network tests slowing down spamassassin

2006-07-14 Thread Rob McEwen (PowerView Systems)
Speaking of network tests...

Other than traditional IP-address-based RBL lookups, SURBL/URIBL lookups, and
network traffic for Razor, DCC, etc... is there anything ELSE for which a test
requires network traffic which depends on someone else's remote server that
still runs even if/when SURBL/URIBL, Razor/DCC, and RBL lookups are ALL turned
off?

(for example, suppose that, with ALL of those I mentioned above turned off, No
rDNS is still tested for. If so, then No rDNS would be an example of what
should be on the list that answers my question.)

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: White List and Yellow List DNS Servers - Proposal

2006-07-14 Thread Rob McEwen (PowerView Systems)
Marc,

I've developed a system similar to what you've described. For example, I do my
own RBL lookups and reject messages which score above a certain number without
doing additional spam filtering. (and I've custom weighted various RBLs). This
could be considered similar to your own blacklist.

I also have a whitelist like yours... except that I surgically apply my 
IP-based whitelist ONLY towards not doing RBL lookups on the sending server IP 
addresses for such messages... but continue to do ALL OTHER spam filtering on 
such messages. (I also apply less spam filtering to authenticated users 
messages)

But while I see the value of your blacklist and your yellowlist, it seems to me
that taking an ip-based whitelist and using it to bypass ALL filtering is like
writing a blank check. It seems like either (1) you might be taking too many
risks and/or (2) in order to prevent taking such risks, you'd have to make this
whitelist so small percentage-wise that you might as well go ahead and use SA to
test all messages not caught by your IP-based blacklist.

Make sense?

Your thoughts?

(specifically, can you give examples where you feel VERY assured that you'd 
NEVER see spam from that remote IP address)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



RE: skip_rbl_checks

2006-06-26 Thread Rob McEwen (PowerView Systems)
RE: skip_rbl_checks

Does anyone know **exactly** what skip_rbl_checks = 1 turns off?

I know that it turns off all regular RBL checks (where the IP address is
checked against a traditional RBL)

I'm fairly sure that it turns off SURBL & URIBL checks, right?

I'm fairly sure that it does NOT turn off DCC, Razor, Pyzor, etc, right?

But what else is affected?... is there a comprehensive list or a more detailed
explanation anywhere?

Thanks,

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: RE: RE: Various plugins for Windows version?

2006-06-23 Thread Rob McEwen (PowerView Systems)
Just thought I'd let y'all know... there is now a native port of SpamAssassin
available with operational Razor & DCC (not sure about Pyzor). This is fully
ported win32 code, no Cyg emulation needed. In testing, it works great. If
anyone on this list is using a Cyg port, I'd love to know if you find that this
native win32 port is faster at processing the messages.

http://physics.ucsd.edu/~epivovar/anti-spam.htm

btw - I'm going to post a new thread about this because I think it is deserving!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



New!!... native, fully win32 windows port of SA

2006-06-23 Thread Rob McEwen (PowerView Systems)
RE: New!!... native, fully win32 windows port of SA

Just thought I'd let y'all know... there is now a native port of SpamAssassin
available with operational Razor & DCC (not sure about Pyzor). This is fully
ported win32 code, no Cyg emulation needed. In testing, it works great.

DOWNLOAD HERE:
http://physics.ucsd.edu/~epivovar/anti-spam.htm

I bring this up because some were mentioning in another thread that the Cyg
emulation SA on Windows didn't support Razor & DCC... but this one does!

If anyone on this list is using a Cyg port, I'd love to know if you find that 
this native win32 port is faster at processing the messages. PLEASE let me know 
what you find when comparing the two... I'd love to know!

Also, in case anyone is interested, the Razor license has loosened quite a bit 
recently. They still reserve the right to deny access, but overall welcome 
participation. (For example, I suggest that no one start marketing a desktop 
software solution and think they could use Razor for such an application!!! But 
otherwise, there are really no restrictions, as I understand it.)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



Re: DNS Blacklist Policy Design

2006-06-05 Thread Rob McEwen (PowerView Systems)
Marc,

First, you should make a design decision up front... Are you going to allow IP 
addresses of valid hotmail and yahoo DNS servers (for example) which spew out a 
very high percentage of spams (especially nigeria scams) on your list, or not?

Personally, I think that it is better to NOT try to catch these via RBLs even 
if only a tiny percentage of mail from some of those IPs is legit.

Therefore, IMHO, a good RBL will try to whitelist frequently used valid SMTP 
servers up front to prevent such collateral damage.

I thank God that many RBLs do NOT do this and many ISPs use such RBLs... this 
causes collateral damage which then puts pressure on these ISPs to clean up 
their acts... but I just don't want that collateral damage on MY server.

Finally, one really great resource for getting info on valid DNS servers is:

http://www.senderbase.org/

For example, if you enter the IP address of a valid SMTP server, it usually 
returns this IP and OTHER IP address from that same organization.

Keep in mind that being listed on senderbase.org alone doesn't mean that the IP
isn't a spammer's IP... but if senderbase reports the IP as belonging to a
legit organization and as being frequently used, that might be a good IP
address (or IP address range) for whitelisting to prevent it from ever showing
up on your RBL.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Rob McEwen (PowerView Systems)
> > problem I have with it is that it would be very manual, and address
> > rotation per msg would be very easy to defeat this.

I'm in favor of this because, despite what Dallas said,

(1) Many who are really serious about quality filtering could get much use out
of this before it even hits the radar. It might take years for such a list to
be used by enough ISPs and spam filter providers for this to attract attention.
For one, this wouldn't be something for which you could take a standard mail
software package and type in a server address (as can be done for RBL-based
blocking)... this has to be custom programmed and implemented.

(2) If the spammer resorted to setting up multiple free e-mail accounts, at
least that is more work for the spammer... this also increases the chance that
they'd just prefer to be blocked by 20% of the spam filters on that one e-mail
address and just pursue the 80% that isn't catching them with that one account
rather than setting up multiple accounts.

(3) For those who did set up multiple accounts... couldn't this potentially 
trigger red flags which might provide an additional tool for the free mail 
providers to catch these guys early in the process and wouldn't they be all 
the more frustrated if/when we started quickly listing ALL of their multiple 
accounts.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Proposal: First URI black list, how about email address black lists?

2006-05-18 Thread Rob McEwen (PowerView Systems)
jdow said:
> It'd be easier to simply click fraud the sites until the vendors who
> commission the spam catch on and turn off the money up front.

I think you've misunderstood Marc's proposal. He is talking about identity 
theft schemes via Nigeria 419 scams where there is only an e-mail address in 
the body of the message.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



Re: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Rob McEwen (PowerView Systems)
It could actually be a benefit if/when the e-mail address account was 
terminated because this could keep the overall size of the list smaller. I 
wonder if there is some automated way to check this getting in trouble for 
spamming or abusing the free hosting service?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



RE: Proposal: First URI black list, how about email address blacklists?

2006-05-18 Thread Rob McEwen (PowerView Systems)
> And when the spammers use a joe jobbed email address, what will you do? How
> will you know if it really is a drop box, or someones real email address
> being Joe Jobbed to mess up your list? Believe me, the spammer will feed
> false info to give your list a bad name.

Chris, that is a really good point.

I have three answers:

(1) I'm hoping that being below the radar might prevent some of what you are
talking about... at least a while. And I don't think that the nigeria spammers
are the type of spammers who'd frequent this list, for example, as much as
other spammers do, but I could be wrong about that.

(2) Messages caught by an e-mail based dnsbl probably shouldn't, by themselves,
score high enough to cause a message to be outright blocked. In fact, I often
catch these scam messages in my rules based filtering... only to find that,
sometimes, they scored just below the threshold of being placed in the spam
folder. A dnsbl service like this could put those particular messages over the
top without harming a mislisted address, if used as I've described.

(3) Chances are, a single randomly picked e-mail address that was joe-jobbed
would have just about 0% chance of showing up in a particular server that
happened to use this service. Especially given the incredibly low percentage of
servers which might potentially use this anytime in the next months or years.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]


Re: Suing Spammers

2006-05-13 Thread Rob McEwen (PowerView Systems)
Some of the state laws in the U.S. are stronger than the Federal Government's 
laws.

In Georgia where I live, there is a pretty good law for this type of thing:

http://www.gov.state.ga.us/press/2005/press765.shtml

Now, interestingly, I've recently taken on several different law firms as mail
hosting clients... and... JUST A FEW DAYS AGO... just about all the attorneys
in all of these law firms got slammed with some kind of newsletter about law
that I'm 100% positive that NONE of them had subscribed to. It **looked**
fairly legit... but was sent from some company in Nevada. What is more
interesting is that the newsletter even boasted in a banner at the top "this
newsletter is being sent to xx thousand attorneys in Georgia" (and I think
they sent to all of them on the same day). Also, to make this more interesting,
they kept sending it again and again. ALL of these were just barely being
caught by my spam filter... and when my spam filter just barely catches
something, it gives the sending server an OK response code... so as far as
they could possibly know, ALL of these were being received each of the several
times they kept sending them!

Add all this up and I'm quite sure that they had to be violating that law in 
Georgia.

But suppose I **could** prove that they were in violation of that law in 
Georgia, would there be ANY financial motivation or reward for me to sue 
them... (assuming that I won in court)?

If not, I simply don't have the financial resources to put my company and 
myself through such an ordeal. I would go out of business for lack of focus on 
the things that I need to concentrate on.

Any thoughts?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: socket SA is not fast enough, help

2006-03-29 Thread Rob McEwen (PowerView Systems)
Justin Mason wrote:
 for what it's worth, the overhead of UNIX domain sockets is a lot less.

I confess, I don't use SA... but I've frequented this list for a long time 
because I respect the expertise of SA users.

Anyway... the mail server software I use runs on Windows 2003 and, recently, 
this same company came out with a Unix version. They claimed many speed 
improvements and I asked them, hey, why the speed improvements? ...and can we 
get those improvements implemented on the windows version?

They responded by saying that part of the speed improvements are due to Unix's 
faster socket handling or socket processing (or whatever).

Therefore, I can't help but wonder if there is any 3rd party tool to enhance 
and/or speed up Windows' built-in sockets?

Any suggestions?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



Legit Base64 Encoding of text?

2006-03-21 Thread Rob McEwen (PowerView Systems)
Is there ever a legit reason to Base64 encode plain text?

For various reasons which I won't go into now, I'm thinking about decoding and 
overwriting the original Base64 encoded text with its decoded text and then 
leaving the message that way (whether caught spam or ham).

Any thoughts?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
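As an added example (this is not code from the post or from PowerView Systems), here is what the proposed "decode and overwrite" step looks like in Python's standard email library. text_parts() decodes every text/* part and reports whether the decoded text was pure ASCII; decode_base64_text_in_place() re-encodes Base64 text parts as quoted-printable and re-serialises the message. The sample message is constructed for this example: one part carries non-ASCII (UTF-8) text, which is the usual legitimate reason a mailer chooses Base64 for text, and one carries plain ASCII that had no such reason.

```python
# Added example, not code from the original post. Two helpers over a MIME
# message: text_parts() decodes every text/* part (whatever its transfer
# encoding) and reports whether the decoded text was pure ASCII, and
# decode_base64_text_in_place() re-encodes Base64 text parts as
# quoted-printable, which is the "decode and overwrite" step the post
# proposes. The sample message is constructed for this example.
import base64
import email
from email import policy


def text_parts(raw: bytes):
    """Return [(cte, charset, decoded_text, is_pure_ascii), ...] for every
    text/* part of the message, in walk() order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        charset = part.get_content_charset() or "us-ascii"
        body = part.get_payload(decode=True)  # undoes base64/quoted-printable, gives bytes
        try:
            text = body.decode(charset)
        except (LookupError, UnicodeDecodeError):
            text = body.decode("latin-1")  # a bad charset label must not crash the filter
        found.append((cte, charset, text, text.isascii()))
    return found


def base64_text_parts(raw: bytes):
    """Only the text parts that arrived Base64-encoded. A part whose decoded
    text is pure ASCII had no charset reason to be Base64 and is the
    suspicious case; non-ASCII text is the legitimate one."""
    return [p for p in text_parts(raw) if p[0] == "base64"]


def decode_base64_text_in_place(raw: bytes) -> bytes:
    """Re-serialise the message with every Base64 text part carried as
    quoted-printable instead, so the stored copy is readable and scannable
    by body rules without a decode step. Non-text parts are left untouched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower() != "base64":
            continue
        charset = part.get_content_charset() or "us-ascii"
        text = part.get_payload(decode=True).decode(charset, errors="replace")
        # set_content() drops the old Content-* headers and re-encodes the body
        part.set_content(text, subtype=part.get_content_subtype(),
                         charset=charset, cte="quoted-printable")
    return msg.as_bytes()


def _b64(text: str, charset: str) -> str:
    return base64.b64encode(text.encode(charset)).decode("ascii")


# Constructed sample message (not a real capture): a UTF-8 part that
# legitimately needs a 7-bit safe encoding, and an ASCII part that does not.
SAMPLE = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Subject: test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"XX\"\r\n"
    "\r\n"
    "--XX\r\n"
    "Content-Type: text/plain; charset=\"utf-8\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + _b64("Gr\u00fc\u00dfe aus K\u00f6ln\n", "utf-8") + "\r\n"
    "--XX\r\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + _b64("Buy now, click here\n", "us-ascii") + "\r\n"
    "--XX--\r\n"
).encode("ascii")


if __name__ == "__main__":
    for cte, charset, text, is_ascii in base64_text_parts(SAMPLE):
        verdict = "no charset reason for base64" if is_ascii else "non-ASCII, base64 is legitimate"
        print(f"{charset}: {text.strip()!r} -> {verdict}")
    print(decode_base64_text_in_place(SAMPLE).decode("ascii"))
```

The rewritten copy keeps the charset parameter, so an 8-bit body still round-trips; only the transfer encoding changes.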



Re: intimidation from spammer

2006-03-04 Thread Rob McEwen (PowerView Systems)
Paul Shupak:

Very nice dissection/research of that spam! I learned much just from your 
message. I really appreciate the time you took if only that it helps me (and 
probably some others...) learn a bit more about how to investigate these types 
of e-mails.

This thread was well worth it just for the educational value of your message.

Can I have your permission (at some point in the future) to do a blog entry 
about this particular spam and reference your comments about it? (I'll give you 
credit, of course)

Thanks very much!

Rob McEwen
PowerView Systems


rbldnsd ported to windows?

2006-02-25 Thread Rob McEwen (PowerView Systems)

Does anyone know if rbldnsd has ever been ported to windows? If not, is there 
an easy way to do this?

Thanks,

Rob McEwen
PowerView Systems


missed by AV programs

2005-09-19 Thread Rob McEwen (PowerView Systems)
RE: missed by great AV programs

SEE:
http://www.pvsys.com/missedvirus.txt

This came in today and I ran this against ClamAV, McAfee, Sophos... all with 
the latest definitions

(at least as of the time that I write this, 9/19/05 3:45 pm EST).

It is strange that NONE of these 3 catch this message which I'm pretty sure is 
a virus (am I wrong?).

Could I have made a mistake from lack of sleep?

Can anyone else verify this? If my report is correct, does anyone know of an 
anti-virus program which currently catches this particular virus?

(keeping in mind that those I mentioned may catch up by the time you read 
this)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032




Re: missed by AV programs

2005-09-19 Thread Rob McEwen (PowerView Systems)
 Have you submitted it to ClamAV, McAfee, or Sophos as a missed virus?

Good point. OK. Per your suggestion, I just submitted it to ClamAV (since that 
is the one I actually use for my mail server).

I wouldn't have brought it up on this list except I've never seen this happen 
before... especially where I get several of these the same day. ClamAV usually 
gets them all for weeks or months at a time before it misses one. Therefore, I 
was especially surprised when all three of the ones I mentioned missed this 
one. (I manually tested the other two after I saw that ClamAV missed this 
one... and I do plan to soon expand to a few other scanners to augment ClamAV)

Maybe I'm just seeing the beginning of a new strain?

Thanks,

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]




hp.com / atdmt.com busted??

2005-08-31 Thread Rob McEwen (PowerView Systems)

SEE:
http://pvsys.com/busted01.txt

This was sent to an e-mail address for a former employee of a client of mine. 
After this employee left my client's company MANY months ago, they asked me to 
turn her mailbox off because of the large amount of spam received at that 
former employee's address (much of which was gray stuff or even stuff that was 
subscribed to... and this box was ONLY getting about 5 of these per 
day... but would have been getting 200+ if my spam filtering wasn't in use). 
Anyway, I asked if I could redirect that mail to my own mailbox for research 
purposes. They agreed.

A few days ago, this box received what appears to be an opt-in confirmation. 
This could be innocent in that someone would have typed this address into an 
open-loop signup. However, I'd be interested to know if this e-mail is 
actually claiming that a double-opt-in (closed loop) subscription already 
occurred? I can't quite decipher this.

If THAT is their claim, I can then verify that some kind of fraud has occurred 
here. Any opinions on this?

(also, I obfuscated any info in that e-mail that might easily give away the 
recipient e-mail address)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



Re: Faster rDNS lookups

2005-08-13 Thread Rob McEwen (PowerView Systems)
Cami said:
It used to be 80% but Postfix+policyd has reduced it
to barely anything

The fact that you use graylisting as a means of eliminating spam as a 1st line 
of defense makes your "9% of incoming mail is spam" VERY anecdotal for 
the purposes of this discussion. Please, don't confuse issues here. MANY people 
prefer to not use graylisting (for a variety of reasons)... and their 
proportions of incoming spam (prior to being filtered) really are more like your 
previous "used to be 80%". Therefore, for the rest of us non-graylisters... 
this really could be beneficial.

 it appears that negative rdns
 lookups are cached for 10 minutes
I think that this depends on a variety of real world factors which might be 
very different from published standards.

Cami... why don't we just count you as a no vote for my idea and let others 
weigh in on it and, certainly, I'm sure they will take into account all of the 
good valid points you brought up.

Rob McEwen
PowerView Systems



Re: Faster rDNS lookups

2005-08-13 Thread Rob McEwen (PowerView Systems)
 And for spam domains, IP-jumping is common...
 ...for well run, legitimate domains, what
 you say is indeed correct
Overall, I think you actually make the case FOR my idea of artificially long 
caching of rDNS checks. And, I think my earlier messages covered the various 
scenarios.

 the load on the hypothetical pre-mapped rDNS server would be extreme.
Probably the best point so far against my idea.

 Are you certain that you checked using a 
 different server that was not authoritative;
 Otherwise the test was invalid and needs to be redone.
Should I put a dunce cap on now... turns out that what you describe is 
exactly what happened. But, since then, I've gotten some mixed results...

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



Re: Worst Establishment or Household Name Pseudo-Spammers

2005-06-04 Thread Rob McEwen (PowerView Systems)
Robert Menschel said:
 Lots of emails from Staples, and as 
 far as I can tell every one has
 been subscribed for.  

Sounds like you are giving them the benefit of the doubt... which is fine.

But I don't really think that so many of my clients actually explicitly checked 
"subscribe" somewhere on a Staples web site.

More likely... they bought something from Staples or elsewhere and failed to 
uncheck "receive special offers"... and I'm still somewhat giving them the 
benefit of the doubt in that scenario.

Any other thoughts? Anyone?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032


Re: tablets and chemists

2005-04-29 Thread Rob McEwen (PowerView Systems)
 Be sure to add the JP list.  It's very good:

Also, isn't it somewhat of a wasteful resource drain on SURBL's server for 
people to use each list separately instead of just using the multi.surbl.org 
list?

--Rob McEwen


RE: Quinlan interviewed about SA

2005-03-04 Thread Rob McEwen (PowerView Systems)
Quinlan: "Any technique that tries to identify good mail without 
authentication backing it up, or some form of personalized training. It worked 
well for a while, but it's definitely not an effective technique today."

Is he referring to a system which might assume all mail is spam unless proven 
good?

Or, is he referring to whitelisting senders?

Or, something else.

The reason that I ask is because I'm wondering whether whitelisting is really a 
good idea. It seems like every article in the world on spam filters says, "a 
product MUST allow for whitelisting senders or it is no good."

However:

(1) I suspect that the ability to whitelist senders is more of a way for 
poor spam filters to hide their poor quality from those situations where their 
blocking of legit messages would be most noticed. Often, blocked legit messages 
go unnoticed... until someone you know personally says, "did you get my message 
about..." Whitelisting senders minimizes such situations... but, ideally, a 
filter shouldn't block legit messages to begin with.

(2) A second problem with whitelisting senders is the potential to whitelist 
spam that is being sent by a virus which simply played musical chairs with 
someone's address book. Theoretically, a spam virus could go to town if the 
recipient had whitelisted the same sender that the virus randomly picked to 
place in the FROM of that spam.

But, am I being paranoid? Does anyone know of this happening?

Also, maybe a good compromise is to simply lower the score if the sender is on 
a trusted sender list.

Personally, the biggest problem I have with blocking legit messages is when a 
client might tease his friend about his friend having a small member. It is 
easy for this to be caught by rules so I do see the need for trusted 
senders... But I just feel a need to rethink the way that this should be 
implemented. Any suggestions?

Rob McEwen
PowerView Systems


RE: Whitelisting Groups/Lists

2005-01-27 Thread Rob McEwen (PowerView Systems)

(from another thread)
address triggers that flag - even though
it talks about a URL.  For example,
on one mailing list there is a poster
who posts from a .biz address.  Any
thread 

Remember that article on spam filtering a month or two back where people on the 
SA thread were upset about SA's treatment? (I forgot the article... but most 
here will recall what I'm talking about).

Well, coincidentally, I e-mailed him to ask him some follow-up questions and 
the one thing that he mentioned is that the largest source of FPs across the 
board with all spam filters that he found in his testing were mails generated 
by discussion lists/groups, (like the SA list, for example.. but these were 
general discussion lists, not merely ones about spam.)

So many topics and web sites can be discussed in these lists. Also, you have 
that pesky problem where the domains of so many users show up in the body of 
the e-mail inside their e-mail addresses. Also, what happens when comment spam 
gets into the list message?

Clearly, there is a need to do a better job of whitelisting these, but without 
whitelisting other real spam.

Does anyone know of a ruleset or resource where the largest of these are listed 
with guidelines for whitelisting them (sending server IP, etc.)?

Thanks,

Rob McEwen
PowerView Systems



Re: Attachment Blocking Rules

2005-01-26 Thread Rob McEwen (PowerView Systems)
Hi Bret...small world... :)

^content-(disposition\|type):.*name[[:blank:]]*=[[:blank:]]*"{0,1}[^/\:*?"<>|]*\.(ade\|adp\|app\|bas\|bat\|chm\|cmd\|cpl\|crt\|csh\|fxp\|hlp\|hta\|inf\|ins\|isp\|js\|jse\|ksh\|mda\|mde\|mdt\|mdw\|mdz\|msc\|msi\|msp\|mst\|pcd\|pif\|prf\|prg\|reg\|scf\|scr\|sct\|shb\|shs\|vb\|vbe\|vbs\|wsc\|wsf\|wsh\|xsl)\b

This is what I use with the RegEx filter and would need to be adapted for the 
SA. Note that the \| would probably need to be changed to |. Also the 
[[:blank:]] is (I think) equivalent to a [ \t]

Therefore, the proper translation would be:

^content-(disposition|type):.*name[ \t]*=[ \t]*"{0,1}[^/\:*?"<>|]*\.(ade|adp|app|bas|bat|chm|cmd|cpl|crt|csh|exe|fxp|hlp|hta|inf|ins|isp|js|jse|ksh|mda|mde|mdt|mdw|mdz|msc|msi|msp|mst|pcd|pif|prf|prg|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|wsc|wsf|wsh|xsl)\b

(but double check me here)

Also, note that it is easy to add/remove particular extensions as desired.

Rob McEwen
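As an added example (not code from this thread or from any of the products mentioned in it), the same block list applied to a constructed MIME message in two ways: check_raw_headers() runs the regex above over each part's unfolded header lines, the way a header-regex filter would, and check_parsed() lets Python's email library decode the filename first, which also catches an RFC 2231 "filename*=" parameter that the header regex never matches, because the "*" sits between "name" and "=". The extension list is the one from the message above (with exe, as in the translated version); the sample message and its filenames are made up for the example.

```python
# Added example, not code from the thread. The posted block list applied two
# ways to a constructed MIME message: check_raw_headers() runs the regex over
# each part's (unfolded) header lines, the way a header-regex filter would, and
# check_parsed() lets the email library decode the filename first, which also
# catches RFC 2231 "filename*=" names that the header regex never matches.
import email
import re
from email import policy

# Extension list from the message above (plus exe, as in the translated regex).
BLOCKED_EXTENSIONS = (
    "ade adp app bas bat chm cmd cpl crt csh exe fxp hlp hta inf ins isp js jse "
    "ksh mda mde mdt mdw mdz msc msi msp mst pcd pif prf prg reg scf scr sct "
    "shb shs vb vbe vbs wsc wsf wsh xsl"
).split()

# The posted regex as a Python pattern: \| becomes |, [[:blank:]] becomes [ \t].
# The negated class excludes the characters Windows forbids in a filename, so
# the filename is consumed up to the last dot before a blocked extension.
HEADER_RE = re.compile(
    r'^content-(disposition|type):.*name[ \t]*=[ \t]*"{0,1}[^/\\:*?"<>|]*\.('
    + "|".join(BLOCKED_EXTENSIONS) + r")\b",
    re.IGNORECASE,
)

_FOLD = re.compile(r"\r?\n[ \t]+")  # header folding: CRLF followed by whitespace


def check_raw_headers(raw: bytes):
    """Regex approach: return the (unfolded) header lines that match HEADER_RE."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    hits = []
    for part in msg.walk():
        for name, value in part.items():
            line = f"{name}: {_FOLD.sub(' ', value)}"
            if HEADER_RE.match(line):
                hits.append(line)
    return hits


def check_parsed(raw: bytes):
    """Parser approach: decode each part's filename (RFC 2231 aware) and
    compare its final extension, lower-cased, with the block list."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename or "." not in filename:
            continue
        if filename.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


# Constructed sample: a harmless PDF, a double-extension executable, and an
# executable whose name is carried as an RFC 2231 extended parameter.
SAMPLE = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Subject: files\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"XX\"\r\n"
    "\r\n"
    "--XX\r\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\r\n"
    "\r\n"
    "See attached.\r\n"
    "--XX\r\n"
    "Content-Type: application/pdf; name=\"report.pdf\"\r\n"
    "Content-Disposition: attachment; filename=\"report.pdf\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "JVBERi0=\r\n"
    "--XX\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"invoice.pdf.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVqQAAM=\r\n"
    "--XX\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename*=utf-8''%C3%9Cbersicht.exe\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVqQAAM=\r\n"
    "--XX--\r\n"
).encode("ascii")


if __name__ == "__main__":
    print("regex hits :", check_raw_headers(SAMPLE))
    print("parsed hits:", check_parsed(SAMPLE))
```

Running it shows the regex catching only invoice.pdf.exe while the parsed check catches both executables; a header regex is cheap, but a filter that only has the regex should also be told about the "filename*=" form.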



RE: Forwarding mail as an attachment from M-^%@#%$#$@!!!-S Outlo ok

2004-12-31 Thread Rob McEwen (PowerView Systems)
 I just have users compose a new email and then drag the old mail from their
 Inbox into the new email and send it.  This preserves the headers of the old
 email so I can drag the attached message out of their email and review it.

Great solution... but a pain to try to explain to novice and/or non-technical 
users.

I can't figure out why Outlook Express has the "forward as attachment" option 
right there in the menu, but Outlook doesn't?? Weird.

BTW, (slightly off topic), I also hate the way that clicking on a link within 
Outlook will take over an existing MS Explorer window when I'd rather it open a 
new window and not interfere. Is there a way to change the default behavior for 
this?

Rob McEwen


Re: Interesting NW article

2004-12-21 Thread Rob McEwen (PowerView Systems)
While I don't actually use SA, I recently subscribed to the SA list because I 
recognize SA as a leading product and I like to get ideas from this list. Also, 
I understand (and agree with) the frustration on the part of those here who 
think that SA should have had better inclusion and coverage in the NW article.

However, OTHERWISE, it was a good article.

I was curious about some OTHER things in the article and I e-mailed some 
questions and he replied back with very helpful and candid answers.

One thing that he mentioned is that a large portion of the FPs from this 
testing fit into two categories:

(1) bounced virus messages... I presume that he meant situations where a virus 
joe-jobbed someone and the person received a warning about "sending a virus" 
that was actually sent from another person's computer?

(2) List messages... Google Groups... etc.

I think that the list messages can be troublesome because so much gets 
mentioned throughout and because the e-mail addresses of participants get 
scattered throughout the list... perhaps (also) some of the domains of these 
e-mail addresses may actually be spammers' domains?

I'm going to start separate thread on these two types of FPs to see if anyone 
has any ideas... it kinda gets off topic to discuss these on this thread. But, 
nevertheless, try to cut the poor guy some slack. Nobody is perfect and, like I 
said, I found him to be very competent and helpful.

Rob McEwen



whitelisting lists

2004-12-21 Thread Rob McEwen (PowerView Systems)

Does anyone have suggestions about whitelisting messages from lists? I know 
that a lot of FPs come from list messages getting blocked (for a number of 
reasons). Also, there is obviously no way to whitelist ALL lists. However, I was 
thinking that maybe there is a way to whitelist the leading, most frequently 
used groups. Of course, it would have to be a ruleset which checks a number of 
factors to ensure that it doesn't get tricked into whitelisting a clever spam 
message impersonating a list.

Rob McEwen
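One way to build the multi-factor check the message above asks for, as an added example (not code from the thread or from SpamAssassin): a message only qualifies as a genuine list post when its List-Id matches a list we know, the connecting IP recorded in the Received header that OUR OWN server added (the topmost one; everything below it is sender-controlled text) falls inside that list's known sender networks, and it carries the List-Post and Precedence headers a real list expander adds. The list table, the hostname mx.example.net, the 192.0.2.0/24 network and both sample messages are made up for the example; only the SpamAssassin users List-Id is real.

```python
# Added example, not code from the thread: a list-message whitelist that
# refuses to trust the List-Id header alone. A message qualifies only when
# (1) its List-Id is one we know, (2) the IP in the Received header our own
# MX wrote (the topmost one) is inside that list's known sender networks, and
# (3) it carries the List-Post and Precedence headers a real list adds.
import email
import ipaddress
import re
from email import policy

# Hypothetical table (constructed): List-Id -> networks that list sends from.
KNOWN_LISTS = {
    "users.spamassassin.apache.org": ["192.0.2.0/24"],
    "announce.example.org": ["198.51.100.10/32"],
}
OUR_HOSTNAME = "mx.example.net"  # hypothetical: the host writing the first Received header

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP of the server that handed the message to our MX, read only from the
    Received header our own host added. Returns None if that header is missing
    or was not written by us (then nothing in the chain can be trusted)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = str(received[0])
    if f"by {OUR_HOSTNAME}" not in top:
        return None
    m = _RECEIVED_IP.search(top)
    return ipaddress.ip_address(m.group(1)) if m else None


def list_whitelist_reason(raw: bytes):
    """Return a short reason string when the message passes all three checks,
    else None. A caller would lower the score on a reason rather than skip
    filtering entirely, so a mislisted IP cannot become an open door."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    list_id = msg.get("List-Id")
    if not list_id:
        return None
    m = re.search(r"<([^>]+)>", str(list_id))
    list_key = (m.group(1) if m else str(list_id)).strip().lower()
    nets = KNOWN_LISTS.get(list_key)
    if nets is None:
        return None
    ip = connecting_ip(msg)
    if ip is None or not any(ip in ipaddress.ip_network(n) for n in nets):
        return None
    precedence = str(msg.get("Precedence", "")).strip().lower()
    if not msg.get("List-Post") or precedence not in ("list", "bulk"):
        return None
    return f"list {list_key} from {ip}"


# Constructed sample: a real list post relayed by the list server at 192.0.2.5.
GENUINE = (
    "Received: from lists.example.org (lists.example.org [192.0.2.5])\r\n"
    "\tby mx.example.net with ESMTP id abc123; Sat, 18 Dec 2004 10:00:00 -0500\r\n"
    "Received: from poster.example.com (poster.example.com [203.0.113.7])\r\n"
    "\tby lists.example.org with ESMTP; Sat, 18 Dec 2004 09:59:00 -0500\r\n"
    "From: someone@example.com\r\n"
    "To: users@spamassassin.apache.org\r\n"
    "Subject: Re: whitelisting lists\r\n"
    "List-Id: SpamAssassin users <users.spamassassin.apache.org>\r\n"
    "List-Post: <mailto:users@spamassassin.apache.org>\r\n"
    "Precedence: list\r\n"
    "\r\n"
    "body\r\n"
).encode("ascii")

# Constructed sample: same list headers, plus a forged Received line claiming
# the list server, but our own MX saw the connection come from 203.0.113.99.
SPOOFED = (
    "Received: from mail.spammer.example (unknown [203.0.113.99])\r\n"
    "\tby mx.example.net with ESMTP id def456; Sat, 18 Dec 2004 10:00:00 -0500\r\n"
    "Received: from lists.example.org (lists.example.org [192.0.2.5])\r\n"
    "\tby mx.example.net with ESMTP; Sat, 18 Dec 2004 09:00:00 -0500\r\n"
    "From: someone@example.com\r\n"
    "List-Id: SpamAssassin users <users.spamassassin.apache.org>\r\n"
    "List-Post: <mailto:users@spamassassin.apache.org>\r\n"
    "Precedence: list\r\n"
    "\r\n"
    "buy now\r\n"
).encode("ascii")


if __name__ == "__main__":
    print("genuine:", list_whitelist_reason(GENUINE))
    print("spoofed:", list_whitelist_reason(SPOOFED))
```

The forged message copies every list header and even a plausible second Received line, and still fails, because the only hop this code reads is the one our own server wrote.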