administra...@willspc.net bounces

2010-01-23 Thread RobertH

why is the account or accounts that create the Delivery Status Notification
(Failure) bounces from administra...@willspc.net still subscribed to the
list?

 - rh



RE: oh where oh where...

2009-12-20 Thread RobertH
 

> >
> > :-)
> 
> 
> Eh?  Whut?   (in the manner of someone woken from sleep)
> 
> --
> Jo Rhett

Jo,

sometimes we just need some input from you...

overall though, i am guessing that you haven't needed anything special from
the list for a lllooonnng time

 - rh



oh where oh where...

2009-12-19 Thread RobertH

you know, with all the duking it out on the list over some methods and such,
where is Jo Rhett when you need him?

he was always short and to the point...

:-)

 - rh



RE: Freelotto.com

2009-07-03 Thread RobertH
 

> 
> If you've got any proof of spam from any BSP_TRUSTED IP, 
> please report it to senderscorecertified@abuse.net or via 
> the web form at http://www.returnpath.net/support/ and our 
> compliance team will take appropriate action.  Thanks!
> 
> --
> J.D. Falk
> Return Path Inc

shouldn't you folks know that your customers are spamming before we do?

then you could spank a lil hiney

or at least charge them a lot more for abusing your services  ;-)

maybe it isn't the smartest idea in the world, yet shouldn't your types of
companies have several "stealth" email addresses on your customers' lists
that get email from them just like everyone else that is getting spammed?

and then actually have eyeballs on your clients workings ???

if you cannot be trusted to do a really good job, then MS is right and the
rules pertaining to your customers' email should be made positive or at least
removed from SA

 - rh



RE: emailbl info update please ?

2009-07-01 Thread RobertH

> 
> as announced, it has been disabled.
> 

i see...

if it is determined to be the right thing to do, what is it going to take to
get it back online and helping the cause?

 - rh



emailbl info update please ?

2009-07-01 Thread RobertH
so

is emailbl offline since it is now 7/1/09 or has the term status changed?

updates please?

 - rh



RE: vpopmail / qmail testers needed

2009-06-29 Thread RobertH
 
> Sent: Monday, June 29, 2009 4:24 AM
> To: SpamAssassin Users List
> Subject: vpopmail / qmail testers needed
> 
> hi folks.  could someone using vpopmail/qmail please test this patch:
> 
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=2536
> (patch id 4432)
> 
> A fix to vpopmail/qmail support is unlikely to make it into 
> 3.3.0 without testers.
> 
> --j.
> 

Justin,

would you want this info forwarded to two specific Qmail lists with a
reference back to you for those that can help?

i looked at the URL above and well, it appears that we wouldn't be of any
help that i can tell unless there is more docs out there about whatever
needs to be done.

i take it this is some type of per user filtering using Qmail, Spamassassin,
vpopmail etc?

most of what we do is site-wide

TIA

 -rh



gpg signed spam email ???

2009-06-27 Thread RobertH

i was reading at

http://www.karan.org/blog/

specifically

http://www.karan.org/blog/index.php/2009/06/15/gpg-signed-spam

that he recv'd a "gpg signed spam email"

i've never heard of that before, yet i haven't thought much about it or studied
it...

Q: is this unheard of, or common?

near as i can quickly investigate, it doesn't appear to be common as per
"papa google" [sic].

comments? feedback?

just trying to get up on the curve now.

tia

 - rh



RE: [sa] Re: BOTNET timeouts?

2009-06-15 Thread RobertH
 

Blazing Fast Slap ya twice for ya know it JH wrote:

> A word of advice, though: your rants would be a great deal 
> more impressive and might actually generate some respect for 
> your opinions if they displayed a greater degree of 
> sophistication than that possessed by an average seventh-grader.
> 

whoa!!!

john john john,

don't dis on the 7th graders...  ;-)

some of them are smarter than we ever were, so to speak...

as necessary though, get 'dem *moron* guns out and ready padner  :-)

 - rh




RE: sa-update and SA versions (was: Re: New slew of spams)

2009-06-09 Thread RobertH
 

> From: Karsten Bräckelmann
> The differences between 3.2.x versions are code fixes. There 
> is no difference in rules, when using sa-update.
> 
> While it is possible to publish per micro version updates, 
> this is not necessary and thus not used for 3.2.x. They all 
> share the very same rules and updates.
> 

Karsten,

what about when we consider and migrate from 3.2.5 to 3.3.x once it is
officially released ?

will there be info from the SA Team about what rules have changed and what
"mods" that have come from the list that most of us are using in 3.2.5
should be double checked for and removed in terms of rules and otherwise?

anything you can clue us in on beforehand?

thanks in advance...

 - rh



emailbl production server testing

2009-05-22 Thread RobertH
greetings,

we are testing emailbl & scoring it 0.5 for now.

i am *hoping* to increase the score since i have seen 3 emails make it
through that should have been rejected.

yet, when hand checking the results in the logs today i came across this in
relationship to an email scored properly by SA as HAM

  0.5 EMAILBL_TEST_LEM   EmailBL hit at listed.emailbl.me.
 (undisclosed-recipient[at]yahoo.com)

note: we did not edit the above info from the logs.

it was from a client that forwarded from their yahoo account to their email
account on one of our systems.

of course, if the EMAILBL score was higher for "blacklisting" purposes it
would have been rejected.

if there is more i can do to help the dev, please contact me off list for
more personal debug info

 - rh



RE: Boxtrapper and Spamassassin Cpanel 11 strange behaviour.

2009-05-12 Thread RobertH

digital toast...

if you have a good system, then implement it for real with real email
addresses and reject all the fake (not valid) email addresses

to streamline, use a database of some sort if you have to

anything you do after that will at least follow more proper design flow...

isn't using a catch all poor engineering?

 - rh



RE: [sa] Re: The weirdest problem .....

2009-05-04 Thread RobertH

if people/you are using port 25 for submission, stop that.

since you are using qmail, why don't you just create a login auth only smtpd
service on port 587 for submission and let people hit it to login to relay
emails

make sure that the server does not check and score those emails coming in
auth'd on port 587 with qmail-scanner-queue.pl

just hand those emails directly to qmail-queue and send them on their way...

you can find some of the info you need at http://qmail.jms1.net, or among
several other qmail sites.

 - rh



RE: sa-compile

2009-04-16 Thread RobertH
 

> From: Matt
>
> Using a slightly different method - using a maximum number of 
> children parser.  The times were taken after deleting the 
> ~/.spamassassin folder before each run.
> 
> Before
> 
> real 21m24.068s
> user 18m58.465s
> sys  0m45.532s
> 
> After using 4 children
> 
> real 13m7.309s
> user 12m1.438s
> sys  0m37.143s
> 
> After using 8 children
> 
> real 12m28.601s
> user 11m38.879s
> sys  0m37.250s
> 
> matt

matt,

wouldn't deleting the ~/.spamassassin folder also delete the bayes data in
many circumstances?

also, how did you specifically implement this maximum number of children
parser to speed up the sa-compile with sought ruleset?

thanks in advance

 - rh




RE: sa-compile

2009-04-16 Thread RobertH
 
for those in the know re the programming and speed of processing using
sa-compile...

it appears the rules compile fast without the sought ruleset applied.

and time to compile increases by roughly (very rough) a factor of 10 with
sought ruleset applied.

is that extra time spent strictly in the cpu and ram cycles or are
there other slower factors involved?

is the processing by sa-compile serial or can it be paralleled out to many
processors at the same time?

sorry, i don't know and haven't looked at the code.

what i am wondering is how much processing speed or how many processors does
one have to throw at it to get it down "substantially" and then equate that
to a new server box in costs so to speak

:-)

 - rh



RE: rules for specific inbound email address

2009-04-08 Thread RobertH

> Subject: rules for specific inbound email address
>
> is this the best, most proper way to check for an inbound 
> email address to make sure that inbound emails are able to 
> skip around the rule when evaluated by SA in any way
> 
> header  TO_USERNAME   TO =~ /userna...@example.tld/i
> score   TO_USERNAME   0.1
> 
> :-)
> 
> what we want to do is eventually create a meta with this rule 
> and some others.
> 
> advise please?
> 
> thanks!


gonna be one of those days

i meant NOT able to skip around...

sorry... 



rules for specific inbound email address

2009-04-08 Thread RobertH

is this the best, most proper way to check for an inbound email address to
make sure that inbound emails are able to skip around the rule when
evaluated by SA in any way

header  TO_USERNAME   TO =~ /userna...@example.tld/i
score   TO_USERNAME   0.1

:-)

what we want to do is eventually create a meta with this rule and some
others.

advise please?

thanks!

 - rh



bayes training on snowshoe spam effectiveness

2009-04-08 Thread RobertH

since i do not know, how effective is it to train on snowshoe spam?

under what conditions is it good idea? 

always?

under what conditions is it not a good idea?

thanks in advance...

 - rh



RE: simple script idea for checking reputation disagreement

2009-04-07 Thread RobertH
 
> 
> Maybe they don't have the $25 or something
> 
> 
> ;-)
> 
> --
> Neil Schwartzman


...would hope they have some money...

i found out about a nice family on the cabletv list and i was checking out
this guy and his wife that (if i recall correctly) were cable company people
making good money.

when business things started changing, they started
http://www.joyofbaking.com and are doing even better all the way around.

so, you would think a website like that one should make a lil bit of $ eh?

 - rh



RE: simple script idea for checking reputation disagreement

2009-04-04 Thread RobertH
 

> 
> >   0.2 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP address
> >                          [209.92.22.130 listed in dnsbl.sorbs.net]
> 
> That would be incorrect. The IP is static, not dynamic.
> 
> whois://209.92.22@whois.arin.net
> PaeTec Communications, Inc. PAETECCOMM (NET-209-92-0-0-1)
>   209.92.0.0 - 209.92.255.255 
> Rodale Inc. RODALE-430488 (NET-209-92-22-0-1)
>   209.92.22.0 - 209.92.23.255
> 
> # ARIN WHOIS database, last updated 2009-04-03 19:10
> --
> Neil Schwartzman

neil,

you can forget the sorbs stuff. in the last coupla days i unzero'd the sorbs
scores just to check the behavior.

as i noted in the last post, it was about the difference between
JMF_Whitelist and RCVD in Barracuda

barracuda says spam, jmf whitelist is obvious.

personally, i say spam

 - rh



RE: simple script idea for checking reputation disagreement

2009-04-04 Thread RobertH
michael,

i had to reply to this one as i was having a hard time replying to your
email and bottom posting.

here was the scoring on that particular email.

although it isn't really a strict "reputation" issue, i found it interesting
that JMF had it whitelisted and Barracuda tells it more like it is...

i can't imagine perkel's people want that junk, yet he is a big boy and can
make his own decisions...

maybe it is a boo boo...

anyways...

 -1.0 RCVD_IN_JMF_W         RBL: Sender listed in JMF-WHITE
                            [209.92.22.130 listed in hostkarma.junkemailfilter.com]
  1.5 RCVD_IN_BRBL          RBL: Received via relay listed in Barracuda RBL
                            [209.92.22.130 listed in b.barracudacentral.org]
  0.2 RCVD_IN_SORBS_DUL     RBL: SORBS: sent directly from dynamic IP address
                            [209.92.22.130 listed in dnsbl.sorbs.net]
  2.1 FS_WEIGHT_LOSS        Subject says Weight Loss
  0.1 DIET_1                BODY: Lose Weight Spam
  0.2 HTML_IMAGE_RATIO_04   BODY: HTML has a low ratio of text to image area
  0.0 HTML_MESSAGE          BODY: HTML included in message
  0.0 BAYES_50              BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
  1.5 MIME_HTML_ONLY        BODY: Message only has text/html MIME parts
  1.5 SAGREY                Adds 1.0 to spam from first-time senders

 - rh



simple script idea for checking reputation disagreement

2009-04-04 Thread RobertH

greetings...

i am working at re-learning and applying SA fine tuning.

in doing so, i have come across some real life SA scoring anomalies.

it is interesting because one public reputation service rule offering says to
score "positive", i.e. spammy, spam, or blacklist, and another public
reputation service says the opposite, i.e. negative score aka ham, hammy, or
whitelist.

eyebrow raising to say the least...  ;-)

has anyone developed a basic script they can share that goes through and
checks rule scoring logs email by email and looks for when specific types of
rules (whitelist / blacklist or other reputation rules) should be in
agreement, yet oppose each other?

i realize that it is time sensitive on some types of rules yet this is
reputation based on actual domain name and ip address

 - rh
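As an added example (not code from the original thread), here is one way to write the script asked for above: it parses the "score RULE description" blocks that SpamAssassin reports (the format of the scoring block posted earlier in this thread), pulls the "[ip listed in zone]" notes out of the DNSBL hits, and flags every message where a whitelist-type reputation rule and a blacklist-type reputation rule fired for the same address. The rule groupings and the "=== msg-id" delimiter are assumptions; the sample log is constructed from the scoring lines quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule families that express sender reputation. The names are the ones that
# appear in this thread; grouping them into "says ham" / "says spam" is an
# assumption for this example and should be extended with the rules you run.
WHITELIST_RULES = {"RCVD_IN_JMF_W", "HABEAS_ACCREDITED_COI", "HABEAS_ACCREDITED_SOI"}
BLACKLIST_RULES = {"RCVD_IN_BRBL", "RCVD_IN_SORBS_DUL", "HABEAS_UNCONFIRMED"}

# e.g. " -1.0 RCVD_IN_JMF_W  RBL: Sender listed in JMF-WHITE"
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")
# e.g. "[209.92.22.130 listed in hostkarma.junkemailfilter.com]"
LISTED_RE = re.compile(r"\[\s*([\w.:-]+)\s+listed in\s+([\w.-]+)\s*\]")


@dataclass
class Hit:
    score: float
    rule: str
    desc: str
    listed: Optional[str] = None  # address the DNSBL matched, if reported
    zone: Optional[str] = None    # DNSBL zone that returned the listing


def parse_report(text: str) -> List[Hit]:
    """Parse one message's rule-hit block. Lines that do not start with a
    score (wrapped descriptions, '[... listed in ...]' notes) are appended
    to the previous hit, which is how mailers and archives wrap them."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(float(m.group(1)), m.group(2), m.group(3).strip()))
        elif hits and line.strip():
            hits[-1].desc += " " + line.strip()
    for h in hits:
        lm = LISTED_RE.search(h.desc)
        if lm:
            h.listed, h.zone = lm.group(1), lm.group(2)
    return hits


def find_disagreements(hits: List[Hit]) -> List[Tuple[Hit, Hit]]:
    """Pair every whitelist-type hit with every blacklist-type hit that
    concerns the same listed address (or where no address was captured)."""
    white = [h for h in hits if h.rule in WHITELIST_RULES]
    black = [h for h in hits if h.rule in BLACKLIST_RULES]
    return [(w, b) for w in white for b in black
            if w.listed is None or b.listed is None or w.listed == b.listed]


def scan_log(log_text: str) -> List[dict]:
    """Walk a log holding many reports. Each report is introduced by a
    '=== <message id>' line (a constructed delimiter for this example;
    adapt it to whatever your log writer emits)."""
    findings = []
    blocks = re.split(r"^=== (.*)$", log_text, flags=re.M)
    # re.split with a capture group yields [prefix, id1, body1, id2, body2, ...]
    for msg_id, body in zip(blocks[1::2], blocks[2::2]):
        for w, b in find_disagreements(parse_report(body)):
            findings.append({
                "msg": msg_id.strip(),
                "ip": w.listed or b.listed,
                "says_ham": f"{w.rule} ({w.zone})",
                "says_spam": f"{b.rule} ({b.zone})",
                "net": round(w.score + b.score, 1),  # what the pair contributes
            })
    return findings


# Constructed sample: msg-1 is the scoring block quoted in this thread,
# msg-2 is a whitelist-only hit on a documentation address, for contrast.
SAMPLE_LOG = """\
=== msg-1
 -1.0 RCVD_IN_JMF_W  RBL: Sender listed in JMF-WHITE
[209.92.22.130 listed in
hostkarma.junkemailfilter.com]
  1.5 RCVD_IN_BRBL   RBL: Received via relay listed in Barracuda RBL
 [209.92.22.130 listed in
b.barracudacentral.org]
  0.2 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP
address
 [209.92.22.130 listed in dnsbl.sorbs.net]
  2.1 FS_WEIGHT_LOSS Subject says Weight Loss
  0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
 [score: 0.5000]
=== msg-2
 -1.0 RCVD_IN_JMF_W  RBL: Sender listed in JMF-WHITE
 [192.0.2.10 listed in hostkarma.junkemailfilter.com]
  0.0 HTML_MESSAGE   BODY: HTML included in message
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['msg']}: {f['ip']} {f['says_ham']} vs {f['says_spam']} "
              f"net={f['net']:+.1f}")
```

Feed it the rule-hit blocks from your own logs and review the pairs it prints; the "net" column shows how little the two reputation rules cancel out, which is usually the real scoring question.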








RE: update overkill (was: help lowering score on a specific emaillist situation)

2009-03-29 Thread RobertH

> 
> Oh, come on, Robert -- I didn't say your way is abusive, just 
> overkill.
> 
> The most part of this discussion isn't specific to you, nor 
> SA. It's a well-known, general problem when running update 
> services. It isn't meant to be a decree either, it's partly 
> my opinion, partly best-practices.
> 
> You shouldn't take it personally.
> 
> 

not taking it personally.  :-)  everyone please read. maybe you can shed
light on what i am experiencing that is detailed towards the bottom.



I really believe the wiki should be modified and have more info in regards
to making decisions. like not less than such and such hours and typically
not more than such and such day.

ALSO :-) 

i was *genuinely* thanking you for humbling my day.

short long story.

what i have been going through is, many people like us that work in telecom,
networks, computers, etc... well we all think we know how to setup things
just so, and it has to be *perfect* and well, i know i don't know it all.

YET, communicating that is hard to people that are *not* in our respective
fields.

fortunately, i have been having a really hard time explaining things to lay
people lately and it is just **kicking** my rear.

you know, kinda like if you have to do tech support and are responsible for
millions of people and say they are all family you know and love dearly.

i wont bring the associated Bible items into it on list, yet sincerely, i
appreciate a respectful humbling.

again, thank you all for helping me!

yes, even you Evan. (apologies)

  :-)

 - rh



RE: help lowering score on a specific email list situation

2009-03-29 Thread RobertH
 

> 
> Checking once an hour is obscene.
> 
> 

Evan,

dude, shut up and mind your own business. (and i mean that in the most
constructive manner)

you dont know me, you do not admin this business, and we are not stupid and
have been doing this for longer than many on this list have been alive.

if you cannot be constructive, get off the list

there was a reason it was done this way and things have changed since that
time and can be modified easily.

if i come to the list with my hat in my hand asking for help, please know
that i am willing to make changes or i wouldnt ask questions in the first
place.

 - rh



RE: update overkill

2009-03-29 Thread RobertH
 


> Mouss wrote:
> In most cases, it's not the admins fault. many systems allow 
> adding cron jobs by simply putting a file in a 
> /some/path/hourly and so on instead of editing /etc/crontab 
> (or running the crontab command). This is nice (exceptionally 
> for packages when editing files is problematic), but on the 
> other hand it doesn't provide flexibility for tasks such 
> downloading data from a (more or less) central place.
> 
> I don't know what the problem is, but P2P may be the answer ;-p
> 
> 

mouss

the P2P solution part is FUNNY!   ;-) (you have excellent sense of humor)

i chose it that way for specific reasons.

see previous email to K

;-)

 - rh



RE: update overkill (was: help lowering score on a specific email list situation)

2009-03-29 Thread RobertH
 

> From: Karsten Bräckelmann
> Heh, true. And he could run sa-update even more frequently. 
> After all, the DNS answer is cached for an hour... ;)
> 
> The real impact isn't the DNS query, but whenever an update 
> has been pushed. If everyone would check once an hour, the 
> full load would have to be shouldered in 60 minutes, as 
> opposed to evenly distributed about, say, a day...
> 
> It's the same classic problem with uninspired admins, running 
> such cron jobs strictly at a full hour.
> 

karsten,

why not change the wiki to be far less ambiguous on this issue, and put out
a specific decree to *all* admins in these regards ?

if there is a more specific better way to deal with it, change it and make
it better and let us all know how it must be done.

anyone can find fault with anything given enough opportunity.

thank you for humbling my day.

 - rh



RE: help lowering score on a specific email list situation

2009-03-29 Thread RobertH

> 
> Indeed. Either Robert is running some really old SA version, 
> or updating is plain broken on his machine.
> 
> Well, or he deliberately put those rules back in locally...

i believe i have checked all the rules.

we run 3.2.5

most of the rules were addons.

here is

[r...@ac updates_spamassassin_org]# pwd

/var/lib/spamassassin/3.002005/updates_spamassassin_org

[r...@ac updates_spamassassin_org]# grep TVD_RCVD_IP *

50_scores.cf:score TVD_RCVD_IP 0.502 1.617 2.270 1.931 # n=2
50_scores.cf:score TVD_RCVD_IP4 4.099 3.344 2.901 3.183 # n=2
72_active.cf:##{ TVD_RCVD_IP
72_active.cf:header TVD_RCVD_IP  Received =~ /^from\s+(?:\d+[^0-9a-zA-Z\s]){3}\d+[.\s]/
72_active.cf:##} TVD_RCVD_IP
72_active.cf:##{ TVD_RCVD_IP4
72_active.cf:header TVD_RCVD_IP4 Received =~ /^from\s+(?:\d+\.){3}\d+\s/
72_active.cf:##} TVD_RCVD_IP4

do you see something broke below here?

[9511] dbg: gpg: adding key id 6C6191E3
[9511] dbg: gpg: Searching for 'gpg'
[9511] dbg: util: current PATH is: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/lib/ccache/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:/root/logging
[9511] dbg: util: executable for gpg was found at /usr/bin/gpg
[9511] dbg: gpg: found /usr/bin/gpg
[9511] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE 6C6191E3
[9511] dbg: channel: reading in channelfile /etc/mail/sa-update.conf
[9511] dbg: channel: adding updates.spamassassin.org
[9511] dbg: channel: attempting channel updates.spamassassin.org
[9511] dbg: channel: update directory /var/lib/spamassassin/3.002005/updates_spamassassin_org
[9511] dbg: channel: channel cf file /var/lib/spamassassin/3.002005/updates_spamassassin_org.cf
[9511] dbg: channel: channel pre file /var/lib/spamassassin/3.002005/updates_spamassassin_org.pre
[9511] dbg: channel: metadata version = 752903
[9511] dbg: dns: 5.2.3.updates.spamassassin.org => 752903, parsed as 752903
[9511] dbg: channel: current version is 752903, new version is 752903, skipping channel
[9511] dbg: diag: updates complete, exiting with code 1

TIA

 - rh



RE: help lowering score on a specific email list situation

2009-03-29 Thread RobertH

> 
> Nope, you don't. You got a problem with your custom rules.
> 
> 
> > here is what it is tripping on...
> > 
> >   0.7 FH_HOST_EQ_D_D_D_D    Host starts with d-d-d-d
> >   1.2 HOST_EQ_STATIC        HOST_EQ_STATIC
> >   0.7 FH_HOST_EQ_D_D_D_DB   Host is d-d-d-d
> >   1.3 HOST_EQ_CHARTER       HOST_EQ_CHARTER
> 
> Neither of these is in stock SA 3.2.5, nor pulled by 
> sa-update for any 3.2.x version. Sorry, too lazy to check all 
> old and not-updated versions. Minus 3.9...
> 
> >   1.9 TVD_RCVD_IP           TVD_RCVD_IP
> >   0.5 FROM_NOT_REPLYTO      From: does not match Reply-To:
> 
> Not stock SA, and *does* happen frequently on lists. Local rule.
> 
> >  -2.6 BAYES_00              BODY: Bayesian spam probability is 0 to 1%
> >                             [score: 0.]
> >   1.5 SAGREY                Adds 1.0 to spam from first-time senders
> 
> Custom, third-party plugin. Use at your own risk. Explicitly 
> mentions in the description, to add 1.0 points -- raised 
> arbitrarily by you. Local rule, local problem.
> 
> 
> > can someone help me formulate a good rule to reduce scoring.
> 
> You do not need a good negative scoring rule (besides 
> proposals for rules already posted), you seriously need to 
> review your custom rules.
> 
> According to your rules hit, stock SA merely would score 1.9 
> for the single TVD_RCVD_IP hit. Plus Bayes (which affects 
> this rule's score) and even subtracts significantly for you.
> 
> 
> 1.9 -- this is a local problem with your custom rules.
> 

Karsten,

thank you for your analysis...  :-)

i had forgotten about (not in a bad way) the use of some FVGT sets etc...

those rules help catch spam.

00_FVGT_File001.cf:
  Rule Name            Score  Ham    Spam    % of Ham  % of Spam
  --------------------------------------------------------------
  FH_HOST_EQ_D_D_D_D   0.67   1505   9458    1.14%     7.31%
  FH_HOST_EQ_D_D_D_DB  0.69   663    6756    0.50%     5.22%

88_FVGT_headers.cf:
  Rule Name            Score  Ham    Spam    % of Ham  % of Spam
  --------------------------------------------------------------
  HOST_EQ_CHARTER      1.29   42     61      0.03%     0.05%
  HOST_EQ_STATIC       1.17   157    2224    0.12%     1.72%

sagrey.cf:
  Rule Name            Score  Ham    Spam    % of Ham  % of Spam
  --------------------------------------------------------------
  SAGREY               1.50   0      111668  0.00%     86.33%

SAGREY on a daily basis is more like 90 to 93 percent. i ran the simple
analysis script against a longer period of time and there have been some
minor changes in between.

yet... thanks for pointing this all out. i just grepped the rules against
that directory and gained some extra enlightenment.

regardless, the original question stands, and i thank all of you for your
advice.

i have applied the necessary fix and things are just fine.

everyone's help has been fantastic. thank you!

:-)

 - rh 



RE: help lowering score on a specific email list situation

2009-03-29 Thread RobertH
 

> From: Evan Platt
> 
> Isn't that a tad overkill?
> 
> http://wiki.apache.org/spamassassin/RuleUpdates
> 
> How often should I run sa-update?
> 
> As often as you like. It typically depends on what time-frame 
> is comfortable for you, and how quickly channels are going to 
> be publishing updates. Generally speaking, once a day is a 
> good starting point.
> 
> 

Evan,

naw, hourly is just fine.

we update "sought ruleset" at the same time.

i spose i could change it, yet spam is not a once a day thing.

spam is all day every day, so hourly is the least i want to see things
updated.

sometimes i think it would be nice if we had a *come get* or "push" trigger
on the serving side for some types of update "flags"...

:-)

 - rh





RE: help lowering score on a specific email list situation

2009-03-29 Thread RobertH
 


> From: LuKreme
> 
> Why re you running SA over known list messages?
> 

LuKreme,

u good question.

we do it cause i haven't decided to want, develop & implement, and to use a
way to filter out things i don't want to run through SA on inbound SMTP port
25.

it is easier for me to know everything is treated the same

others have mentioned whitelisting via spf etc which we do in some cases,
yet this one is unique in that it is hosted on a situation where SPAM flags
abound and such emails are generally rejected 100%

 - rh



RE: help lowering score on a specific email list situation

2009-03-28 Thread RobertH
 

> 
> Received-SPF: pass (ac.abbacomm.net: SPF record at 
> cabletv.org designates
> 24.196.65.34 as permitted sender)
> 
> how about:
> 
>whitelist_from_spf   *...@cabletv.org
> 
> -- 
>   John Hardin KA7OHZ

i saw that, yet i don't want to use wildcards...

unless i have to in this instance...

i was hoping to score off something that doesn't change.

although spf can be used, i was hoping for something else.

 - rh



RE: help lowering score on a specific email list situation

2009-03-28 Thread RobertH

> 
> when did you sa-update for last time? afaik FH_HOST_EQ_* 
> rules were removed some time ago. Not that current rules 
> don't have some issues...
> 
> 
> And, of course, you have some rules unknown to me and clean 
> SA, are you sure those problems aren't caused by them?
> 
> --
> Matus UHLAR 

Matus,

we SA update hourly.

unless i have something messed up from old directory or something

 - rh



help lowering score on a specific email list situation

2009-03-28 Thread RobertH
hello

i have problems with the cabletv.org email list.

it is hosted on a charter static and has weird reverse dns etc etc blah.

so, almost always scores as spam

here is what it is tripping on...

  0.7 FH_HOST_EQ_D_D_D_D    Host starts with d-d-d-d
  1.2 HOST_EQ_STATIC        HOST_EQ_STATIC
  0.7 FH_HOST_EQ_D_D_D_DB   Host is d-d-d-d
  1.3 HOST_EQ_CHARTER       HOST_EQ_CHARTER
  1.9 TVD_RCVD_IP           TVD_RCVD_IP
  0.5 FROM_NOT_REPLYTO      From: does not match Reply-To:
 -2.6 BAYES_00              BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
  1.5 SAGREY                Adds 1.0 to spam from first-time senders

pastebin said the headers tripped the spam filter so i have to post this
way...

here are some headers.

http://www.abbacomm.net/temp/salisthdr1.txt

can someone help me formulate a good rule to reduce scoring.

i tried this, yet it is obviously not working because of my faulty logic i
presume.

header SPEC_DOMAIN_CABLE From =~ /\...@cabletv\.org/
describe SPEC_DOMAIN_CABLE   Reduce score for domain cabletv.org
score SPEC_DOMAIN_CABLE  -5.0

i am looking for something reliable to key on and i am certainly not a rule
creation expert yet...

...and i need help from you much more expert people please?

:-)

thanks in advance...

 - rh




RE: interesting flash attack in spam

2009-03-18 Thread RobertH
 

> >
> > http://pastebin.com/m2fcbe7b5
> 
> Thanks for posting the sample.
> 
> 
> My email sanitizer successfuly defends against this attack.
> 
> 
> :)
> 
> -- 
>   John Hardin  

no disrespect intended yet i would like to understand...

u, if your "email sanitizer" caught it, why isn't that something
programmed "in another way" inside SA, or clamav, etc...?

i mean we have viruses, we have spyware, we have spam, we have UCE, we have
all these different terms that describe essentially the same stuff...

can't this be dealt with in something that already exists like SA, Clamav, or
whatever, besides having another custom piece of coding ?

i mean, John, at the very least get out some them there GUNS and shoot it a
bunch and make it stop or something!

;-)

 - rh




RE: HABEAS_ACCREDITED_COI

2009-03-17 Thread RobertH
> From: Neil Schwartzman
> 
snip
> 
> Well, to each his own. I have spent a lot of time reporting spam in my 
> life, (probably too much), in actual fact.
> 
> My thinking in reporting spam to DNSBLs (I am or was in the top 10 
> reporters at Phishtank & URIBL, high on the board at Netcraft, and 
> have an ROKSO listing based upon the data I provided), accreditation 
> services, and the spammers hosting is that it makes life more 
> difficult for the bad guys.
> 
> If you don't want to help us, that's fine, but helping the email 
> ecosystem is always a good thing.
> 
snip
>
> Habeas cannot be more vigilant since they do not exist, Return Path 
> has begun to, and will be. Once the Safelist IPs are migrated to our 
> systems, and we have pressed down on obvious things (I have done some 
> preliminary work with the legacy systems but they are not set up to do 
> programme compliance and the work is extremely laborious and 
> inaccurate to a degree), we will begin a process of auditing the whole 
> lot of them, as well as our existing certified customers.
> That's about 800 of them.
> 
> These are not placating platitudes; again, we take this seriously. 
> Without our receiving partners, our product becomes valueless. This is 
> a point recognized and acknowledged all the way to the top of the 
> company, and unlike Habeas, I do not report to Sales. That's not how 
> we roll.
> --
> Neil Schwartzman
> 
> 

Neil

there is bound to be some way that those (of us or the SA Team) that want to
participate, can help you and help us at the same time.

some type of automated plugin that needs to be created that reports to us
and returnpath info relevant to stopping the bad eggs yet allowing the good
eggs!

something that does not toss internal security in the trash...

:-)

 - rh



RE: HABEAS_ACCREDITED_COI

2009-03-17 Thread RobertH

> 
> I still think it's much better to report them to habeas for 
> spamming...
> COI means confirmed opt-in. If you did subscribe, it is NOT 
> spam whether you want it or not. Isn't it good to have 
> someone who will sue spammers?
> 
> --
> Matus UHLAR -


Matus

even though it is COI, what i see happening is that folks on our systems
sign up for something they *think* they want, yet the language in the signup
says something to the effect that if you signup with us, you signup with the
whole community of our affiliates which essentially is every spamming outfit
in the world that buys sucker email addresses

and then the flood of garbage starts all over again...

do you want to spend your whole life discerning and reporting that info to
them?

if you can automate it, let us know and then maybe HABEAS could do a better
job

 - rh



RE: HABEAS_ACCREDITED_COI

2009-03-17 Thread RobertH

some time back this was posted to the list by Scheidell and after checking
and investigating our logs, we adopted it.

is it still valid to be using, or should we modify it again

:-)

# from scheid...@secnap.net
#
score HABEAS_ACCREDITED_SOI 2.5
tflags HABEAS_ACCREDITED_SOI net
#
score HABEAS_ACCREDITED_COI 0
tflags HABEAS_ACCREDITED_COI net
#
score HABEAS_UNCONFIRMED 8.0
tflags HABEAS_UNCONFIRMED net
header HABEAS_UNCONFIRMED eval:check_rbl('habeas-firsttrusted','sa-accredit.habeas.com.','127\.\d+\.\d+\.[6789]\d')

 - rh



RE: Spamd still running as root?

2009-03-13 Thread RobertH
 
> 
> I suggested to read up on "sitewide bayes". Did you?
> 
> > ls -axl /usr/local/virtual/ash...@example.com/
> 
> This stuff is not of interest to SA at all. The bayes db and 
> the AWL is. 
> If you cannot change ownership of that directory or of the db 
> files, you have to move them elsewhere. Cut the connection 
> between spamd and your virtual users that hangs in your mind.
> 
> Again: I suggested to read up on "sitewide bayes". Did you?
> 
> Kai
> 
> --
> Kai Schätzl

kai,

yes, it is of interest.

in using sa-learn, it should be called by the proper SA processing account
i.e. UID/GID so that sa-learn can process the files and save the results in
the proper place for the system SA files, right?

it appeared that he was using the vpopmail user (and whatever GID) to run
sa-learn and get it to function.

i am guessing that he does not run SA as the vpopmail user, although i could
be wrong.

even so, UID and GID matters when running sa-learn, and if i cannot read the
files it is processing because they do not have the required perms or
UID/GID, then it will fail.

that is what i was addressing.

 - rh



RE: Spamd still running as root?

2009-03-11 Thread RobertH
 

> From: LuKreme
> Not *A* virtual mail account, *the* virtual mail account; 
> that is, the account that owns /usr/local/virtual and all the 
> files and directories in it.
>

LuKreme,

it appeared to me that you were setup as vpopmail UID aka *user*

in administration, as you well know, you also need to be aware of the GID or
group

when you su change to the vpopmail user, everything works cause it is the
right UID and GID

in my experience, how you deal with that can and/or will also make a
difference in how things function

if you do a 

ls -axl

on all those subdirectories, what do you see ?

:-)

maybe i am misunderstanding your thought processes, yet that is one place i
visit when working out solutions

 - rh



RE: List-Post: NO

2009-03-07 Thread RobertH
 


> From: LuKreme 
> 
> I forget, can I put rulesets in my user_prefs file?
> 

LuKreme,

you can override the default value of 0

yet, parse the docs carefully,
http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

there is a security warning and other excellent information

 - rh



RE: dnsbl checks time out

2009-02-26 Thread RobertH
u since the machine does not do dns, and it is not labeled in the hosts
file, does the machine really know who it is???

usually in /etc/host.conf you will have like

order hosts,bind

if the machine cannot know who it is and resolve itself, it will kinda freak
out eh?

and, you can put in ip addresses and names for the nameservers too.

something like this...

127.0.0.1   localhost.localdomain localhost
206.63.24.6 ac.abbacomm.net ac
206.63.24.5 ns1.abbacomm.net ns1

in other words, the machine should be in dns as more than a localhost entry

localhost to me is a simple loopback yet does not describe the machine to
itself except by default

the ip address on your nic and the fqdn etc should be in the hosts file too
imho

-- side note.

if you are not actively using ipv6 internally and/or externally, i would
turn it off and reboot

that is just me though as there are several places on our servers where that
has to be done as ipv6 configs slow down certain functions on the box and
can or may cause problems...




RE: dnsbl checks time out

2009-02-26 Thread RobertH
Elsa Andrés

since all the other machines are ok, you may want to check and verify this
specific machine configs

/etc/hosts

/etc/resolv.conf

ethernet speed and duplex on the machine and switchport

if i remember right, there are even settings in SA local.cf to check re DNS

etc etc...

 - rh



RE: HELO checks give too high score together

2009-02-24 Thread RobertH
 

> 
> SA jello wrestling?
> 
> :)
> 
> -- 
>   John Hardin 

Hardin,

SA jello wrestling?

now that is just sick. [sic]

...just not wanting to imagine a bunch of over-caffeinated computer geeks
rolling in jello...

Now, on the other hand, *jdow* and friends in jello might be much more
interesting for those that are not already married.

:-)

 - rh



RE: HELO checks give too high score together

2009-02-24 Thread RobertH
 

> 
> Ummm  Did you just ask Matt to unsubscribe??  He's one of 
> the developers.  I think most of us would prefer that he 
> stick around... :)
> 
> --
> Bowie
> 

maybe Hardin will lend them each some guns and they can duke it out on the
range or something

;-)

 - rh



RE: Some emails pass spamassassin unprocessed

2009-02-20 Thread RobertH
 

> 
> if spamc can't connect spamd for any reason, it will use 
> safe-fallback - pass mail unchecked. If you want to avoid 
> this behaviour and cause a temporary failure, use the -x 
> switch for spamc. Note that it also disables connecting to 
> multiple hosts if spamd is unreachable.
> --
> Matus UHLAR - 

matus

what do you mean by temp failure?

SA rejection?

does SA rejection then go backwards on this and equal SMTP rejection
depending on the setup?

 - rh



sagrey meta's ???

2009-02-15 Thread RobertH
greetings

we have noticed that sagrey is roughly 95% effective re: % of spam hits in
our environments

has anyone here that is using sagrey come up with some really effective meta
rules using it??

would you mind sharing on list?

 - rh



RE: html picture spam

2009-02-11 Thread RobertH
 
for those that replied, thank you, and yes, i already checked the spamc docs
before my first post in re: the -s switch.

-

one of my questions was answered in seeing the diff between 3.1.x and 3.2.x.
doh!

now, u, in the 3.1.x it says this and is more than understandable.
:-)

-s max_size

Set the maximum message size which will be sent to spamd -- any bigger than
this threshold and the message will be returned unprocessed (default: 250
KB). If spamc gets handed a message bigger than this, it won't be passed to
spamd. 
The size is specified in bytes, as a positive integer greater than 0. For
example, -s 25.

---

in the 3.2.x docs it says the max is 256KB yet the default is 500KB (see
below)

-s max_size, --max-size=max_size

Set the maximum message size which will be sent to spamd -- any bigger than
this threshold and the message will be returned unprocessed (default: 500
KB). If spamc gets handed a message bigger than this, it won't be passed to
spamd. The maximum message size is 256 MB. 
The size is specified in bytes, as a positive integer greater than 0. For
example, -s 50.

:-(

can someone tell me if this is just a typo or are we supposed to infer
something else from this?

 - rh



RE: html picture spam

2009-02-11 Thread RobertH
 

> 
> there were some OCR plugins that used external OCR software 
> for understanging the text in image. for example FuzzyOCR 
> (http://wiki.apache.org/spamassassin/FuzzyOcrPlugin).
> 
> Note that image spam is not so common now, and SA only checks 
> messages smaller than 512KB
> --
> Matus UHLAR 

Matus,

i was still under the impression that it was 250KB

when did that change?

i know you can tell spamc a size parameter, yet what i am wondering is
where else can this size parameter be set?

local.cf  other?

 - rh



html picture spam

2009-02-10 Thread RobertH

is anyone finding any value in scanning html picture spam of size 250kB to
500kB in size?

what are you using?

 - rh



RE: misc_10.cf

2009-02-10 Thread RobertH
 

> 
> What is it that you don't understand in this description? 
> Don't you find report_template ? Did you notice that is says 
> "something like" ?
> 
> Kai
> 

kai

i was only trying to find out if there was something that could benefit
clients or people that email them and save our organization time was all.

evidently, it is all a wild goose chase

...otherwise i would have gotten better understanding from many on the list
that know what it is used for to help clients communicate with
organizational administrators in dealing with problems or whatever

 - rh



RE: misc_10.cf

2009-02-10 Thread RobertH

matus and others

i hadnt ever seen that info before and was just checking to see what it was
all about

first of all, the info on the SA website download area is outdated. bad
info.

second of all, i was trying to figure out if it was talking about getting
valid info to people and if it could be beneficial for our clients and even
more specifically if it could benefit legit people that email our clients
who send garbage that gets bounced.

getting good info to people when there are problems usually seems to be
helpful.

we do not use the function where the email becomes an attachment if that is
what you mean by report safe

 - rh



RE: misc_10.cf

2009-02-09 Thread RobertH
 

> 
> 10_misc.cf isn't in 3.2, 3.1 was the last version to have it.
> In 3.2 it's called 10_default_prefs.cf.
> 
> You should have it installed in the default rules dir, 
> probably /usr/share/spamassassin.
> 
> And no, it's not editable.  Or more specifically, you 
> shouldn't edit it.
> 

theo,

thanks for the info.

after a few, i kinda figured that it wasnt in 3.2.x yet i was still trying
to understand why on the website and then the download link page has that
info at the bottom.

so the bottom line is that page should be edited / corrected and i am still
wanting to find the right example to make this file

/etc/mail/spamassassin/10_local_report.cf

am i chasing a ghost for no reason?

anyone else using this in their installs?

 - rh

--- from downloads link page on spamassassin site

System Administrators
Please create a local copy of the report_template text in a file named
something like /etc/mail/spamassassin/10_local_report.cf, and modify it to
provide your tech support desk's contact information, instead of the
default. Otherwise your users will be confused, and some may ultimately
contact the SpamAssassin development team, which is not appreciated; we
cannot help them with whitelisting/blacklisting/customisation of settings at
your site, after all. The default report text can be found in the file
rules/10_misc.cf. 



RE: misc_10.cf

2009-02-09 Thread RobertH
 

> Um, that's a file that comes with SA, and it is *NOT* user editable.
> Therefore, it's not an example, it is a standard config file 
> that generates the default settings that you later over-ride 
> with your local.cf.
> 
> The 3.2.5 installation tarball will install the version of 
> this file that is appropriate for 3.2.5, and sa-update may update it.
> 
> 

matt,

i am not seeing that file anywhere in my install and i am quite capable of
using the locate command etc...

i am fairly certain i hand generated and installed via rpm generated by

rpm -tb sa-tarballname.whateveritwas.somethingsomething

something like that.

on a centos aka redhat clone

the misc_10.cf file looks pretty editable to me in some respects.

i wouldnt even have asked if i had not gone to

spamassassin.apache.org and then clicked on "downloads" and on that page it
says

System Administrators
Please create a local copy of the report_template text in a file named
something like /etc/mail/spamassassin/10_local_report.cf, and modify it to
provide your tech support desk's contact information, instead of the
default. Otherwise your users will be confused, and some may ultimately
contact the SpamAssassin development team, which is not appreciated; we
cannot help them with whitelisting/blacklisting/customisation of settings at
your site, after all. The default report text can be found in the file
rules/10_misc.cf. 

so, i searched for 10_misc.cf so that i could consider and generate a
/etc/mail/spamassassin/10_local_report.cf

eh???

 - rh



misc_10.cf

2009-02-09 Thread RobertH
is this the best example on the www for this file?

http://spamassassin.apache.org/full/3.0.x/dist/rules/10_misc.cf

or is there one more recent for 3.2.5 or newer?

 - rh



RE: country in africa

2009-01-31 Thread RobertH
matt

i hear ya.

ill be using it and scoring low (or whatever i desire) and using meta's it
appears.

i wasnt asking for it to be some major contention in SA core scoring...

i just honestly cannot believe that there are still people out there sending
these emails pretending to be someone from that country

wouldnt it be a joke in those circles by now?

 - rh



RE: country in africa

2009-01-31 Thread RobertH

is this good enough for a basic rule to flag that word

or should it be different or raw or what?

something better?

body LOCAL_NIGERIA   /\bnigeria\b/i
score LOCAL_NIGERIA 0.1
describe LOCAL_NIGERIA   This is a simple test rule for nigeria

i know that single word rules in general are a bad idea, i just want to
continue to learn and be able to contrib more over time

thanks

 - rh



RE: country in africa

2009-01-31 Thread RobertH
thanks mouss

u the reason i made the subject, "country in africa" was that i didnt
want to use the exact word

i can see my mistake in that now.

as always, i sincerely appreciate the vast programming and SA application
wisdom & knowledge on this list.

thank you all for your help.

and again, this is like probably the only word that in small quantities
regularly slips through untouched.

may i ask, in writing this non standard rule for a single word, and you
wanted to capture the most possibilities of that single word coming through
so that you could flag it with very small score / hit

how should that be written?

something like this two word one?

body   LOCAL_JASONHART   /\bJason Hart\b/
score LOCAL_JASONHART 10.1

 - rh



RE: country in africa

2009-01-31 Thread RobertH
 

> 
> You could score the content if it mentions a country in 
> Africa.  We then have to obfuscate the words so that we can 
> mention them on this mailing list.  It's better to use Bayes 
> to deal with that type of email.
> 
> Regards,
> -sm 
> 
> 

actually, one does not have to obfuscate a word on this list and of course
we know we should *NOT* send spam email content to the list, it should be
posted elsewhere.

it is my understanding that in your local config you could use something
like whitelisting by spf aka 

[r...@rs1 ~]# dig spamassassin.apache.org txt

spamassassin.apache.org. 1323   IN  TXT "v=spf1 a:mail.apache.org -all"

aka

whitelist_from_spf *...@spamassassin.apache.org

and if i understand correctly, you can tell the SA config not to 

bayes_ignore_from *...@spamassassin.apache.org

bayes_ignore_to users@spamassassin.apache.org

right?

 - rh



RE: country in africa

2009-01-30 Thread RobertH
 

> 
> No. Scoring based on single-words is pretty much the 
> opposite of the SA approach. That's all I was saying.
> 

karsten,

i get the SA approach

and to the no answer, baloney

this word should get a *HIT* no matter how small it is scored.

 - rh



RE: country in africa

2009-01-30 Thread RobertH
 
> 
> You must not be looking very hard. It's there, both in the 
> default ruleset and in the updated ruleset, but not as a 
> single-word rule:
> 
> grep -i nigeria /var/db/spamassassin/3.002005/updates_spamassassin_org/*
> jo...@chip:~$ grep -i nigeria /var/db/spamassassin/3.002005/updates_spamassassin_org/*
> /var/db/spamassassin/3.002005/updates_spamassassin_org/20_advance_fee.cf:# SpamAssassin rules file: advance fee fraud rules (Nigerian 419 scams)
> /var/db/spamassassin/3.002005/updates_spamassassin_org/20_advance_fee.cf:body 
#
SNIPPERS
#
> 
> /Jonas
> --
> Jonas Eckerman, FSDB & Fruktträdet

looking hard?

of course i did.

you guys must think i just fell off the truck or something...

;-)

i get the *in general* thing about SA not just using single words for
scoring as a general principle

YET, this is the word Nigeria.

when an email comes in with the word nigeria in it, it should get scored
something.

point, billionth of a point, whatever.

it should get a hit.

how many legitimate emails a day do you people get with the word Nigeria in
it?

yeah, that is what i thought.   :-)

when i get a nigerian email scam email that hits squat, well you get the
idea.

 - rh



RE: country in africa

2009-01-30 Thread RobertH
Karsten and Matus

i hear you, yet lets get real...

and, we do use jm_sought stuff.

the word nigeria alone is worth a point is all i was saying.

guess that should be in local rules eh?

;-)

 - rh



RE: country in africa

2009-01-30 Thread RobertH
matus,

what i mean is how could an email with nigeria make it through SA without a
score based on the word nigeria?

 - rh



country in africa

2009-01-30 Thread RobertH
how is it that the country in africa so often mentioned in email scams is
not worth a point in SA default config

nor do i see it anywhere

 - rh



RE: experienced comments on these rules and their effectiveness in large installations please

2009-01-30 Thread RobertH
 

> 
> Sorry, don't understand what you mean.
> 
> Kai
> 


recently i put a small list of RBL rulenames we have zero'd out on the list
to ask if anyone would share their experience and comments about how
effective they are in stopping spam in their large installations.

we have them zero'd out cause we were not using them

you mentioned to find out how good they are to try the ones that are not
being used by the MTA for awhile and then going to the config at some later
date and setting skip_rbl_checks to 1 and then monitoring more

i asked, doesnt that shut off network tests (in general) that we always want
to have running

if not, how does SA know only to stop using certain rules and are they only
ones with URIBL in them?

a long time ago Ratatouille aka Mouss said do this to get info to zero out

egrep "_(SBL|XBL|PBL|SPAMCOP|DSBL|SORBS|NJABL|AHBL|MAPS)" \
    /path/to/share/spamassassin/50_scores.cf | grep -v URIBL | \
    awk '{print "score " $2 " 0"}' > scores.cf

i realize that one or more no longer function as i am just quoting the full
script

thanks

 - rh



RE: experienced comments on these rules and their effectiveness in large installations please

2009-01-29 Thread RobertH
 


> 
> fairly easy. run one week with default settings and one week 
> with "skip_rbl_checks 1". Then compare.
> In general, these rules will provide hits if you don't use 
> RBLs at MTA level. If you use RBLs to reject at MTA level 
> they won't hit much.
> 
> Kai
> 
> --
> Kai Schätzl, Berlin, Germany
 

kai

we have them zero'd out for now.

we use other network tests so turning off rbl checks wouldnt be a good idea
right?

:-)

 - rh



RE: experienced comments on these rules and their effectiveness in large installations please

2009-01-29 Thread RobertH
 


> >   
> A general grasp of how it performs across a diverse range of 
> email can be gotten from the STATISTICS-set*.txt files 
> included in the tarball.
> Look in the rules directory.
> 
> The file contains the mass-check results that were used in 
> score generation. Generally the best numbers to look at are 
> %spam, mostly to see how often a rule hits, and S/O, to see 
> how accurate it is. S/O is the ratio of spam to overall hits, 
> where a rule with a S/O of 1.0 hits only spam, and never any 
> nonspam, while a S/O of 0 never hits any spam, only nonspam.
> 
> 
> 

how often is that file on mass-check updated?

daily?

 - rh



RE: SARE false positives on MY_CID_* rules

2009-01-29 Thread RobertH
 

> 
> At least on our generally german e-mails, the following rules 
> very often cause false positives:
> 
>  1.6 MY_CID_AND_CLOSING SARE cid and closing
>  1.5 MY_CID_AND_STYLE   SARE cid and style
>  1.6 MY_CID_ARIAL2_CLOSING  SARE cid arial2 closing
>  1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style
>  1.5 MY_CID_AND_ARIAL2  SARE CID and Arial2
> 
> They are part of 70_sare_stocks and I'd like to know if 
> others do not have this problem or if it's a speciality of 
> german e-mails?
> 
> I looked into the ruleset and found that all of the MY_CID 
> rules refer to spam from 2006. Maybe those rules can be 
> dismissed by now?
> 
> mfg zmi
> -- 
> // Michael Monnerie, Ing.BSc-  http://it-management.at

michael,

not that it will shatter the earth, yet on a lower traffic server we see
this

Total: 247677
Ham:   127925
Spam:  119752

70_sare_stocks.cf:
  Rule Name              Score   Ham   Spam   %of Ham   %of Spam
  ---------------------  -----  ----  -----  --------  --------
  MY_CID_AND_ARIAL2       1.46  2115    274     1.65%     0.23%
  MY_CID_AND_CLOSING      1.60   133     97     0.10%     0.08%
  MY_CID_AND_STYLE        1.54   412    285     0.32%     0.24%
  MY_CID_FONT             0.92    81     44     0.06%     0.04%
  MY_CID_ARIAL2_CLOSING   1.63     6     59     0.00%     0.05%
  MY_CID_ARIAL_STYLE      1.58   117    171     0.09%     0.14%

this is on what would be mostly "english" based emails...

would that indicate we should pull these specific rules?

:-)

 - rh



proper way to design rules on this?

2009-01-25 Thread RobertH
what is the proper way to write a rule that checks for a few things and then
scores accordingly

basically, i get emails from a church i didnt subscribe to their email
list(s) etc...

n...@victorysomething.com

i see icontact.com and icptrack.com as part of urls in the email for click
or subscription management

plus, i would only want to reject if sent to my specific email address.

do i work at and write several rules and do a META ?

since others on the system may get emails from this place, i only want to
reject if to my email address, and i will be SMTP rejecting

;-)

 - rh
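An added example of the several-sub-rules-plus-meta approach asked about here (not from the thread or from the SpamAssassin project). It assumes the sender domain and tracking hosts from the post above, a placeholder recipient address me@example.com, and a site SMTP-reject threshold of 10 enforced by the MTA glue:

```conf
# Added example, not from the list thread. Drop it into local.cf (or a
# separate *.cf under /etc/mail/spamassassin) and run "spamassassin --lint"
# before restarting spamd.
#
# Assumptions: victorysomething.com, icontact.com and icptrack.com are the
# values named in the post; me@example.com is a placeholder for the one
# address that should trigger the rejection.

# 1. Sender: the address part of the From: header is at the newsletter's
#    domain. Regex modifiers (here "i") go after the closing slash; a
#    stray character there makes --lint report invalid delimiters.
header   LOCAL_CHURCH_FROM   From:addr =~ /\@victorysomething\.com$/i
describe LOCAL_CHURCH_FROM   From address at victorysomething.com
score    LOCAL_CHURCH_FROM   0.001

# 2. Body links point at the click/subscription tracking hosts.
uri      LOCAL_CHURCH_URI    /\b(?:icontact|icptrack)\.com\b/i
describe LOCAL_CHURCH_URI    Link to icontact.com or icptrack.com
score    LOCAL_CHURCH_URI    0.001

# 3. Addressed to the placeholder recipient only (To: or Cc:), so other
#    users on the box who want the mail are not affected.
header   LOCAL_CHURCH_TO     ToCc =~ /\bme\@example\.com\b/i
describe LOCAL_CHURCH_TO     Addressed to the placeholder recipient
score    LOCAL_CHURCH_TO     0.001

# The tiny non-zero scores keep the sub-rules listed in X-Spam-Status
# without moving the total on their own.

# 4. The meta fires only when all three hit. Its score is set at the
#    assumed reject threshold; SA only scores, the SMTP rejection itself
#    happens in the MTA glue that reads the score.
meta     LOCAL_CHURCH_REJECT (LOCAL_CHURCH_FROM && LOCAL_CHURCH_URI && LOCAL_CHURCH_TO)
describe LOCAL_CHURCH_REJECT Unsolicited newsletter to my address via tracking links
score    LOCAL_CHURCH_REJECT 10.0
```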



experienced comments on these rules and their effectiveness in large installations please

2009-01-22 Thread RobertH

would those of you in the know please comment based upon your data re: the
below rules and their effectiveness in hitting spam vrs ham and/or false
readings in diverse or fairly diverse large scale isp and/or corporate
installations please

  RCVD_IN_BL_SPAMCOP_NET 
  RCVD_IN_DSBL  
  RCVD_IN_NJABL_CGI  
  RCVD_IN_NJABL_MULTI  
  RCVD_IN_NJABL_PROXY
  RCVD_IN_NJABL_RELAY  
  RCVD_IN_NJABL_SPAM
  RCVD_IN_SBL 
  RCVD_IN_SORBS_BLOCK
  RCVD_IN_SORBS_DUL 
  RCVD_IN_SORBS_HTTP 
  RCVD_IN_SORBS_MISC 
  RCVD_IN_SORBS_SMTP
  RCVD_IN_SORBS_SOCKS
  RCVD_IN_SORBS_WEB   
  RCVD_IN_SORBS_ZOMBIE  
  RCVD_IN_XBL  
  RCVD_IN_PBL  
  DNS_FROM_AHBL_RHSBL
  RCVD_IN_MAPS_RBL
  RCVD_IN_MAPS_DUL
  RCVD_IN_MAPS_RSS   
  RCVD_IN_MAPS_NML   

we are just wondering if we should use them or not, and specifically which
ones are the best, if any at all.



RE: How can this free MX backup service be exploited?

2009-01-21 Thread RobertH
 

> 
> I'm doing an experimental free MX backup service and 
> wondering if it will get exploited. I'm wondering if I'm 
> overlooking anything obvious? 
> Here's the info on it:
> 
> http://www.free-mx-backup.com
> 
> The idea is that it detects if we are the secondary and not 
> the primary MX and will store and deliver email for those 
> domains. I'm trying to think if I'm leaving myself open for 
> anything I'm going to regret. If you were a spammer how would 
> you take advantage of this?
> 
> 

perkel,

there are several ways to attempt to exploit this.

the most obvious to me is that you cannot check for a validrcptto without
knowing all the valid email addresses and aliases etc that are available on
the authorized mail exchangers and/or final destination mail server(s)...

so, even if it does not appear to be spam, you may be accepting email for a
non-existent email address and eventually that will bounce, eh?

need more?

 - rh



RE: Free-test russian xxx site

2009-01-20 Thread RobertH
 

> Thanks.  I filter out all email from nabble groups because I 
> find their users are less than intelligent (they tend to 
> complain about spamassassin group posters INFRINGING  ON 
> THEIR NABBLE GROUP)
> 
> If it were not for kind people like you who repost the crap 
> nabble posted, my filters would have kept it out of our network.
> 
> Yep, nabble users are idiots, if you think so, filter them, 
> don't repost their crap.
> 
> 
> --
> Michael Scheidell, CTO


michael,

how are you filtering the nabble stuff?

in SA or special tools?

please share

 - rh



RE: Test order

2009-01-17 Thread RobertH
 

> 
> I find it very silly to try anything but rejecting of the virus.
> 
> (unless as was stated before it's a phish, which is not a virus)
> --
> Matus UHLAR 

we would agree, yet we take it a lil farther.

we smtp reject spam and virus and other signatures etc.

if a client had sincerely different needs that didnt fit that bill, we would
accommodate their passion for wasting time, yet who wants to look through
zillions of spam for possible fp

why not consider a phish a type of malware, it is bad code and you will
realistically get bad code on your workstation if you go there and start
clicking OK etc

wont you?

 - rh



RE: help please

2009-01-15 Thread RobertH
 

> 
> brunope...@aol.com wrote on Thu, 15 Jan 2009 11:28:09 -0500:
> 
> > My mail server guy
> > > told me it is because of SpamAssassin .
> 

Then Kai wrote:

> Great, you have a "mail server guy". That's the right person 
> who can fix that for you. 
> 
> Kai
> 

Then -rh wrote:

hmm

only as long as he isnt a she and she isnt a female voodoo priestess pastor
wannabe like the last one that started with the hate rant subject re: SA

at least Bruno appears polite. i cannot imagine how he found the list though
if he isnt an admin and has a server person.

:-)

 - rh



RE: Botnet plugin (was: Temporary 'Replacements' for SaneSecurity)

2009-01-15 Thread RobertH
 

> 
> I just found one reason for FPs in the Botnet plugin. It 
> doesn't make a difference between timeouts (and other DNS 
> errors) and negative answers. So if your DNS server/proxy is 
> overloaded (or slow for some other reason), you'll get FPs
> 
> Since 15 minutes ago, I'm running a slightly modified version 
> of the plugin that tries to avoid this. In a while I'll send 
> a patch to the author.
> 
> Apart from this the plugin seems to work fine here with a 
> score of +2 (with an extra +1 if p0f says it's a Windows system).
> 
> Regards
> /Jonas
> 
> --
> Jonas Eckerman, FSDB & Fruktträdet

Jonas,

please send the patch to the list too whether or not the author does
anything with it is his business, and then eventually ours.

:-)

it will benefit a lot of people that will choose to use your idea or patch
regardless.

thanks!

 - rh



RE: Spamd skipping tests

2009-01-13 Thread RobertH

> Can anyone give me any possible pointers or things to check? 
> I am at my wits' end here...I am happy to post a spamassassin 
> -D --lint if that helps.
> 
> Thanks - John

john

basically it all depends on the qmail-scanner config and it can be semi
complex and may not be correct in terms of if you reject over certain score
or if you have other scanning functions happening before calling SA, like
clamav etc etc

also, the message could be too big and bypassed, and that is controlled in
more than one place if i remember right.

we disable clamav in qmail-scanner and use the clamav plugin, yet we also
reject at or above a certain score in the smtp session too.

we do not use the newest qmail-scanner either, and the one we use is the
special patched one, ummm 1.25-st or something like that

 - rh



RE: Test order

2009-01-03 Thread RobertH
> >   
> That makes sense. However, the OP was looking to do the opposite.. Run 
> clamav *LAST* and try to shortcircuit before you get there.
> 
> 

why do the opposite of the logical?

 - rh



RE: spamassassin on qmail

2009-01-02 Thread RobertH
 

> 
> Which option is better... 
> using a Milter such as mail scanner or integrating 
> spamassassin and clamav with qmail?
> 
> Could you help me with pros and cons of each.
> 
> Thank in advance!
> 

u you will probably need qmail-scanner or simscan

http://qmail.jms1.net

www.lifewithqmail.org

and other sites depending on your skill levels

 - rh



RE: SA + Clamv

2008-12-16 Thread RobertH
 

> 
> Is there any direct way to make SA and clamav talk through its 
> clam.socket file?
> 
> I want to avoid amavis or mailscanner
> 
> :)
> 

luis

and also, dont forget to program to use the other clamav signatures that are
out there.

dont forget to score the clamav plugin rule high and "smtp reject"

 - rh



RE: sought rules updates

2008-12-10 Thread RobertH

> 
> Right. I removed most if not all of the SARE rules on most 
> machines some months ago with no ill effects.
> 
> Kai

what ones did you keep? if you recall, any particular reason why?

 - rh



RE: Bug in iXhash plugin - fixed version available

2008-12-03 Thread RobertH
is there anything wrong with still using an older pre 1.5.x version of
iXhash?

is there a problem that makes an upgrade recommended?

OR

is there a problem that forces us to upgrade?

 - rh



RE: I'm thinking about offering a free MX backup service

2008-12-02 Thread RobertH
 

> >
> If the recipient is bad then no one would have got the email 
> anyway. But there wouldn't be a notification to the sender. I 
> suppose I could make it smarter so that if the message is 
> blessed in one of my many white lists then I would do a 
> bounce message, otherwise not.
> 
> OTOH, if someone is rarely down then the backscatter would 
> probably be minimal. This will probably be something to 
> experiment with.
> 

to do it properly, you must check for "validrcptto"

therefore, you must sync user databases with the main email server for each
domain...

 - rh



RE: rules

2008-11-18 Thread RobertH
 

> > 
> 
> as I note in the comments on the blog post -- it seems likely 
> that the people having problems are using a bad version of "re2c".
> 
> --j.
> 

by bad version, do you mean one that doesnt compile or finish compiling
properly, or one that compiles (completes compilation) yet does "bad" stuff
during the compile (or processing) ??

 - rh



RE: Getting hammered by backscatter

2008-11-07 Thread RobertH
 

> how can anyone solve anything when postmasters cant talk together ?
> 
> doh
> 
> 
> --
> Benny Pedersen
>
*snip* advertisement and link

benny,

do you trust emails from some postmaster at some domain and spend lots of
time answering them?

yeah, right.

and btw benny, please stop spamming us w/ the need more webspace ads
please???

DOH!

 - rh



RE: had it with spaces spam and idiots at hotmail

2008-10-29 Thread RobertH

> 
>  this looks for it, assigns some reasonable scores, and if (add your 
> favorite shortcut) bumps it up another 5.
> 
> uri ST_SPACES   /\.spaces\.live\.com/$
> score   ST_SPACES 5 3 4 2
> 
> meta ST_SPACES_BUMP (ST_SPACES && (RCVD_IN_BL_SPAMCOP_NET || 
> RCVD_IN_XBL 
> || RCVD_IN_BL_SPAMCOP_NET || DCC_CHECK))
> tflags ST_SPACES_BUMP net
> score ST_SPACES_BUMP 5
> 
> -- 
> Michael Scheidell, CTO

is it just me?

:-)

[EMAIL PROTECTED] ~]$ spamassassin --lint
[27054] warn: config: invalid regexp for rule ST_SPACES:
/\.spaces\.live\.com/$: missing or invalid delimiters
[27054] warn: lint: 1 issues detected, please rerun with debug enabled for
more information

 - rh



RE: I hate Spam Assassin, don't know how it got on my computer and desperately need to get rid of it

2008-10-28 Thread RobertH

> Corbie Wrote:
> 75% of my mail one on one to clients is  getting blocked...I 
> keep having to back-door mail through an online  mail service 
> which means I can't access items I need easily...please,  
> please, how do I remove it?  I didn't ask for it, I don't 
> want it and  my clients are furious at what looks like my 
> lack of response...when I wrote to J Mason he said it was my 
> ISP, and their tech people say it definitely is not.
> 

Corbie,

if your isp will not help you, then get out your checkbook and call and hire
a qualified computer and networking specialist to diagnose and fix your
computer, email, and internet technical issues.

...although it appears that you have much more dangerous sidelines to be
concerned about.

 - rh



RE: doesn't drop email above required hits

2008-10-23 Thread RobertH
 
nelson
 
i have typed this up before on other lists and possibly this one
 
it is a qmail-scanner-queue.pl issue and requires delicate config changes
 
also, because of that, we changed the clamav config to the spamassassin
clamav plugin way as well and stopped it in the above qmail-scanner-queue.pl
 
 - rh


RE: DnsBlocklists not working?

2008-10-09 Thread RobertH
> Yes, I tried running spamassassin -D < /tmp/email.eml
> 
> It checks against URIBL if there is a link inside the message body.
> It doesn't seem to check against DNSBL at all.
> 
> 
> --
> Tomasz Chmielewski
> http://wpkg.org
> 

Check these types of things, this is a cut from one of our
/etc/mail/spamassassin/local.cf files

Notice they get commented or uncommented as necessary

#
#
rbl_timeout 15
#
# commented out 5/23/2008 by rh for local rbltesting
#
#skip_rbl_checks 1

#use_auto_whitelist 0

#   Set headers which may provide inappropriate cues to the Bayesian
#   classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
#
#
#
# Enable or disable network checks
# skip_rbl_checks 0
# use_razor2  1
# use_dcc 1
# use_pyzor   1

 - rh



RE: dsbl.org down for good

2008-09-27 Thread RobertH

> 
> You expect the same from the other people on this dont you? This issue was
> handled like explained in a normal way. The list was frozen and was
> expected to return. Now that its known to turn out otherwise its removed.
> 
> And within a day promoted on SA update.
> 
> I still see it listed inside the configurations on a lot of commercial
> products. It was a widely used and, at least for me, appreciated list
> 
> > Ill be kind and resist the fleshly urges and just request that you
> please
> > slap yourself upside the head, twice.
> 
> Likewise.
> 
> Bye,
> Raymond.

Raymond,

Thank you for clarification.

I added a 3rd one for good measure.

:-)

Coffee? Pickled herring? Crackers?

Now I am just wondering how much traffic is on the SVN developer list so
that I and/or others would be more up to speed on issues not typically
discussed in the main public area.

 - rh



RE: dsbl.org down for good

2008-09-26 Thread RobertH
> 
> They run a bunch of tests every night, and are notified by nagios if the
> tests fail.  lurk on the -dev mail list every now and again and you'll
> see it.
> 
> 
> --
> Daniel J McDonald, 

Thanks Dan

I know some and figured some of the rest.

Yeah, I went to the dsbl website some time back and again recently.

Maybe I am just much more proactive than others at certain things...

Doesn't make it right, I just know that customers (not talking about SA
stuff) typically expect the world for whatever they pay, whether a little or
a lot.

Over so many years, we always just wanted a life worth living and that meant
designing systems that were ultra reliable and blah blah blah.

People should not be slaves to technology...

It should be the other way around.

 - rh





RE: dsbl.org down for good

2008-09-26 Thread RobertH

> 
> Visionary people can read messages, many RBL servers have announce lists.
> So go ahead and report of file a bug whenever needed :-)
> 
> Bye,
> Raymond.

So what is your point Raymond?

That we as end users should find out every external subsystem call and
document it and search for and get on lists that may or may not exist, let
alone email us if their baby fails and bites the dust?

Yeah, worked real good this time huh?

I'll be kind and resist the fleshly urges and just request that you please
slap yourself upside the head, twice.

Evidently haven't looked up the word proactive before.

 - rh



RE: dsbl.org down for good

2008-09-26 Thread RobertH


> 
> No, it boils down to the attitude in your e-mail - "Why didn't the
> SpamAssassin benefactors do their job better".  I for one am impressed
> with their willingness to provide such a useful piece of software, and
> maintain it.  But most of them have real jobs, and don't spend every
> waking moment trolling the webpages of obscure rbl's looking for notices
> that things are borked.
> 

Dan 

The OP had a good point regardless of whether anyone sees it as an attack on
SA folks or whatever.

When people design and build a system(s) of any type, there should be checks
and balances designed in that can check and see if sub parts of the systems
(or called by the system(s)) are broken or disappeared or what have you so
that allowances / changes can be made in a quicker, more orderly fashion.

Even if the checking mechanisms are external to the main system, maybe
something should be written and tested???

Maybe there is something in the works already?

:-)

no, I cannot do it. I am more visionary than coder.

 - rh



RE: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-23 Thread RobertH
> It hits significantly more spam than zen.spamhaus.org
> 
> On my primary mx, today I had 94 mails that hit a zen list but not brbl,
> 591 that hit a zen list and brbl, and 8042 that hit brbl but not zen.
> 
> I am checking -lastexternal addresses only.
> 
> Looking through the 2400 or so domains that were marked as spam, I
> didn't see any obvious false positives.  Looking through the 631 domains
> that did not have enough points to be classed as spam, I didn't see more
> than one or two that shouldn't have been blocked.  granted, i did not
> look through the emails themselves, just the domain name.
> 
> I'm currently scoring it 1.0, and might raise it up to 2.0 in a couple
> of days if nobody starts squawking
> --
> Daniel J McDonald, 

Would someone consider and post the final somewhat agreed upon rule(s) and
scoring that you are using please?

I saw one or two yet they were picked a bit by the list for scoring theory
and syntax.

I think not using last external was one of the reasons the others were not
recommended or used.

Thanks

 - rh
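The rule RobertH asks for is not posted in this thread. As an added example, not a rule anyone on the list posted and not "the agreed-upon one", here is the shape such a local.cf fragment takes, tying together the network-check settings from the earlier local.cf post (skip_rbl_checks, rbl_timeout) and a DNSBL rule that queries only the last external relay, which is the point Dan's numbers above were measured against. The zone name bb.barracudacentral.org, the trusted_networks range and the starting score of 1.0 are assumptions to be checked against the current BRBL documentation and your own mail flow.

```conf
# Added example local.cf fragment (not from this thread).

# Network checks must be on, or no DNSBL rule can fire at all.
# A commented-out "skip_rbl_checks 1" is the first thing to look for
# when DNSBL rules never show up in "spamassassin -D dns" output.
skip_rbl_checks 0
rbl_timeout 15

# "-lastexternal" means only the last relay outside your trusted
# networks is looked up, so your own MX and internal hops are never
# the address queried. This only works if trusted_networks and
# internal_networks describe your own relays correctly.
# 192.0.2.0/24 is a placeholder (documentation range), not a real value.
trusted_networks 192.0.2.0/24
internal_networks 192.0.2.0/24

# Barracuda Reputation Block List lookup on the last external relay.
# Zone name assumed from BRBL's published instructions; verify it.
header   RCVD_IN_BRBL eval:check_rbl('brbl-lastexternal', 'bb.barracudacentral.org.')
describe RCVD_IN_BRBL Last external relay listed in Barracuda Reputation Block List
tflags   RCVD_IN_BRBL net

# Start low, as Dan does, and raise only after reviewing false positives
# in your own mail rather than someone else's domain list.
score    RCVD_IN_BRBL 1.0
```

Check the fragment with `spamassassin --lint` before reloading, then feed a known message through `spamassassin -D dns < /tmp/email.eml` and confirm a query against the zone actually appears in the debug output; if it does not, the network-check switches above, not the rule, are the usual cause.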



RE: spamassassin can't rewrite subject in cpanel 11?

2008-09-18 Thread RobertH

> 
> "header tests were not available in Outlook
> Express "
> 

This might be the wrong question in the wrong place yet in this day and age,
why in the world is anyone using outlook express?

Stop doing it!

;->

There are many other good choices.

 - rh



RE: Erroneous doubled letters in subject

2008-09-17 Thread RobertH


> 
> 
> ok, the rule-QA results are in:
> 
> http://ruleqa.spamassassin.org/?daterev=20080916-r695772-n&rule=%2FTD_NOWRAP&srcpath=rulesrc%2Fsandbox%2Fjm%2F20_basic&g=Change
> 
> MSECS  SPAM%   HAM%    S/O    RANK  SCORE  NAME                WHO/AGE
> 0.0    0.1669  0.      1.000  0.77  0.01   T_PR_TD_NOWRAP_BAT
> 0.0    0.1684  0.1352  0.555  0.65  0.01   T_PR_TD_NOWRAP
> 
> so T_PR_TD_NOWRAP_BAT doesn't lose much in the way of hitrate, well
> worth it.
> 
> --j.

Jm

Thanks for the heads up.

I'm still a little confused on this ruleset mod though.

Was it just the last 4 lines of the SVN ruleset jm sandbox 20_basic.cf that
was posted recently?

AND

Do we need to add it manually or just wait for an sa-update to run?

 - rh



RE: Erroneous doubled letters in subject

2008-09-15 Thread RobertH
> 
> Cool! I've added it as a test rule in my environment and will bump up the
> score once I see how it goes.
> 
> For others looking for the rule, see here:
> 
>  .cf?revision=695394&view=markup>
> 

Are these rules we can keep there indefinitely, or do they get migrated into
future SA releases and should be removed?

Also, I notice on SA 3.2.5 there were several linting issues.

I'll look closer at the warnings soon yet are others seeing the same?

 - rh



RE: Skip scanning for large mails

2008-09-13 Thread RobertH

> From: mouss > 
> 
> 1MB is probably too large. There is not much spam with such size
> (although few ones were reported here).
> 
> 

What have the studies of the average and realistic maximum of spam email
sizes concluded?

Was the conclusion the SA default size?

 - rh



RE: senderbase rating - how to appeal?

2008-09-06 Thread RobertH

> 
> Considering that only spammers (er... 'email marketing companies') pay for
> habeas, we have set a POSITIVE score for habeas accredited spam.  We track
> any FP right up front, track any rule in a fp (releases from amavisd-new
> managed quarantine), we use sa-learn.pl on shared imap folders, and let
> users drag 'not spam' and 'whitelist user' to a shared folder (and keep
> track of all fp rules), so far, three years, no user has dragged a habeas
> certified email into the false positive folders.
> 
> (on the other hand, lots of fps last month on failed dkim messages.  New
> messages from gmail not even being signed.. I wonder if gmail knows
> something broke lately in dkim).
> 
> --
> Michael Scheidell, CTO

Michael,

May we ask and know what you are setting those scores to please?

  -rh



RE: OT: Ongoing phishing mail flood

2008-09-05 Thread RobertH

> 
> Yup.  That's why I send a 250 - SPAM - discarded.  That way, the
> spammers think they have delivered the mail, and go on to the next
> victim
> --
> Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
> Austin Energy

Dan

Using which server software?

Are you /dev/null or reject while sending an accept message?

 - rh



RE: final authority on forwarded email and spamassassin

2008-09-04 Thread RobertH
Ok mouss lets try this

I forward some email accounts of other domains I do not own with .forward
files on those *nix boxen

I have them forward to an email address I have in the abbacomm.net domain
and of course we run spamassassin.

They run spamassassin on their boxes too yet it does a poor admin job.

Should I forward to my box or not and train those spammy emails or what?

Or should I just pop3 from them and be done with it or?

That is what I am talking about...

 - rh






RE: senderbase rating - how to appeal?

2008-09-04 Thread RobertH

> 
> If the spammer had faked a host that really sends mail, then we would
> have had a practical problem to solve.  The cheapest solution would
> probably be to rename the host and change its IP, and let the spammer
> keep faking the old name and IP.
> 
> Maybe a letter from your lawyer to Ironport would get attention.  We
> did not go to that stage.
> 
> Does that help?
> 
> Joseph Brennan
> Lead Email Systems Engineer

If you have alumni or full time lawyers on staff at Columbia, get out the
lawyerStick much earlier

Or (har har) you could always start an EDU class project in CS to find the
ironport traps and send out emails to the traps in all their actual various
ironport and affiliated business domains and see if they fix the issues

;->

 - rh


