Re: Constant Contact
Adam Katz wrote:
Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ?
In preparing a list of HOSTKARMA_W violators for Marc, I noticed a very large amount of spam, coming from completely different companies, was sent through constantcontact.com servers using their Safe Unsubscribe feature. After some web searches, I decided to use the unsubscribe feature, but apparently I needed to unsubscribe every email address with every company that uses constantcontact.com. To me, this means it is quite clear that Constant Contact's anti-spam policy is improperly enforced at best and flagrantly ignored at worst.
The biggest problem is that they're well seeded in the DNS whitelists, including HostKarma and IADB, and they often use SPF, which gets the OK from my double-check in khop-bl.
Before I write a custom rule to add points to anything passing through a constantcontact.com relay, I was wondering if anybody here had thoughts on this. (Note, questionable custom rules like this get tested on my production servers with near-zero scores, then real scores, and /then/ they find their way to my sa-update channels.)
They're clueful; they monitor SPAM-L; they use one of my email addresses as a spamtrap. We don't use them, but they're still aware enough to email us and ask if something looks dodgy. Good folks, IMHO.
--
-- tim --
Tim Boyer Chief Technical Officer Denman Tire Corporation
UNDESIRED_LANGUAGE_BODY gone
I see that the UNDESIRED_LANGUAGE_BODY test has gone away from 3.0 to 3.1. Is there another method somewhere for testing for other languages now? -- Tim Boyer Denman Tire Corporation [EMAIL PROTECTED]
RE: UNDESIRED_LANGUAGE_BODY gone
Um, what makes you think it's gone?
    [EMAIL PROTECTED] updates_spamassassin_org]# fgrep UNDESIRED_LANGUAGE_BODY *
    [EMAIL PROTECTED] updates_spamassassin_org]#
and I apparently made a silly assumption. Didn't notice anything in the release notes.
It's been made into a plugin, but it's still there. It's now the TextCat plugin, and works just fine if you uncomment the line to load the TextCat plugin in v310.pre. (and for reference, the UNDESIRED_LANGUAGE_BODY rule itself lives in 25_textcat.cf, and automatically activates when the plugin is loaded)
Aha! That's it. No, it doesn't:
    body UNWANTED_LANGUAGE_BODY eval:check_language()
It's changed from UNDESIRED to UNWANTED, which is why I didn't spot it. And why UNDESIRED is no longer scoring anything for me. Thanks much!
-- tim --
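A renamed rule leaves the old score line in place with nothing to attach to, which is the situation in the message above. The script below is an added example (not from the thread or the SpamAssassin project) that lists score entries whose rule name has no definition in the .cf files it is given; the sample files, the LOCAL_DEMO_RULE name and the score values are constructed, and only the core rule types are recognised.

```sh
#!/bin/sh
# Added example, not SpamAssassin code. Lists "score NAME ..." lines whose
# NAME is never defined by a rule line in the files given.
# Simplifications: only the core rule types are recognised, and ifplugin
# conditionals are ignored.

orphan_scores() {
    awk '
        $1 ~ /^(header|body|rawbody|uri|full|meta)$/ { defined[$2] = 1 }
        $1 == "score" { scored[$2] = FILENAME ":" FNR }
        END {
            for (name in scored)
                if (!(name in defined))
                    print scored[name] ": " name
        }
    ' "$@" | sort
}

# Constructed sample: the distributed file carries the renamed rule quoted
# in the thread, local.cf still scores the old name.
make_sample_rules() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/25_textcat.cf" <<'EOF'
body UNWANTED_LANGUAGE_BODY eval:check_language()
EOF
    cat > "$dir/local.cf" <<'EOF'
# constructed local configuration
score UNDESIRED_LANGUAGE_BODY 2.5
body LOCAL_DEMO_RULE /constructed/
score LOCAL_DEMO_RULE 1.0
EOF
    echo "$dir"
}

# Usage: sh orphan_scores.sh *.cf   (no arguments: run on the sample)
if [ $# -gt 0 ]; then
    orphan_scores "$@"
else
    sample=$(make_sample_rules) && orphan_scores "$sample"/*.cf
    rm -rf "$sample"
fi
```

Pass the local configuration together with the distributed rules directory so that definitions and scores are seen in one run.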
RE: Score all emails and delete some of them
Does anyone know if there's a way to score *all* emails at the server with scores from 0-100, then delete all emails at the server with scores of over 10 and deliver the rest with the scores in the subject title please ? Any help much appreciated. Chris. MimeDefang - http://www.mimedefang.org/ MimeDefang can reject at the SMTP level. -- tim --
RE: ezmlm warning
Found this in my inbox this evening, is this just a burp on earthlink's end?
Chris - I strongly suspect that Earthlink has begun to do some strange anti-spam stuff - and don't quite have the bugs worked out. We got this this morning, for the first time ever:
    - Transcript of session follows -
    ... while talking to mx1.earthlink.net.:
    MAIL From:[EMAIL PROTECTED] SIZE=6052
    550 550 Dynamic/zombied/spam IPs blocked. Write [EMAIL PROTECTED]
    554 5.0.0 Service unavailable
and we're on a T1, with rDNS for everything, and not on any of the dnsbl lists. They delisted us within a few hours. Better give them a call...
-- Tim Boyer Director Information Systems and Engineering Projects Denman Tire Corporation [EMAIL PROTECTED]
TVD_SILLY_URI_OBFU
It was bound to happen. The rule TVD_SILLY_URI_OBFU catches stuff like this:
    http://www.zodrx*.com - Remove * to make the link working!
So today I got my first
    http://www.zonrx.%com Impotant: Remove % to make the link working.
and it didn't fire, of course.
-- Tim Boyer Director IT and Engineering Projects Denman Tire Corporation (330) 675-4249
RE: xbl.spamhaus.org
Is the PBL (codes 10 11) stable enough to run in production? I notice these are not in the current SA rulesets
From another list:
FYI: We will 'officially' release the PBL during the coming week, however the PBL zone is currently live as a public beta. MTAs already querying zen.spamhaus.org are now receiving the PBL data and will therefore be already rejecting a lot more spam. Anyone who has not yet switched from SBL-XBL to ZEN is encouraged to do so now. More info at http://www.spamhaus.org/pbl/
(just in case anyone worries: 'Public Beta' is not for ironing out any potential problems with the DNSBL zone but is for ironing out any potential problems with our ISP signup/admin/remove HTTP pages)
Steve Linford The Spamhaus Project http://www.spamhaus.org
-- Tim Boyer Director IT and Engineering Projects Denman Tire Corporation (330) 675-4249
RE: large increase in spam after upgrading SA
I just upgraded SA from 3.1.0 to the current 3.1.7 via CPAN and am finding that a huge increase in the amount of spam that's coming in. On the order of almost 10 times the number that leaked into my inbox. Has anyone else run into this behavior? If so, what can I do? Configurations are unchanged as far as I can tell. Thanks in advance. I've run CPAN with the wrong umask, which resulted in the .cf files being installed readable only by root. So as root, it installed fine and tested fine... but when it ran for real it only picked up my local.cf rules. -- Tim Boyer Director Information Systems and Engineering Projects Denman Tire Corporation [EMAIL PROTECTED]
Inconsistent scoring
I've been using SA for years. I'm running 3.1.6 on a Red Hat box, and 99% of the time, all is well. Last week I added a rule to tag those annoying .gif pump-and-dump emails. Nothing fancy:
    rawbody IMG_SRC_CID /src\=(\c|c)id\:/i
    score IMG_SRC_CID 2.0
Most of the time it works fine. However, occasionally, I'll get an email that ONLY sees that rule. I'm using MimeDefang to rewrite the headers, and all it shows is
    X-Spam-Score: 2 (**) IMG_SRC_CID
But when I do a spamassassin --debugtest with the message, it finds all kinds of fun things:
    Content analysis details: ( 6.6 points, 9.0 required)
     pts rule name            description
    ---- -------------------- ----------------------------------------------
     0.1 FORGED_RCVD_HELO     Received: contains a forged HELO
     1.5 RCVD_NUMERIC_HELO    Received: contains an IP address used for HELO
    -0.3 BAYES_40             BODY: Bayesian spam probability is 20 to 40% [score: 0.2631]
     1.9 HTML_IMAGE_ONLY_28   BODY: HTML: images with 2400-2800 bytes of words
     0.0 HTML_MESSAGE         BODY: HTML included in message
     1.4 HTML_10_20           BODY: Message is 10% to 20% HTML
     0.0 MIME_HTML_ONLY       BODY: Message only has text/html MIME parts
     2.0 IMG_SRC_CID          RAW: cid in body
The very next message is the same kind of scam, but sees everything:
    X-Spam-Score: 7.967 (***) BAYES_00,DNS_FROM_RFC_ABUSE,FORGED_RCVD_HELO,HTML_00_10,HTML_MESSAGE,IMG_SRC_CID,MIME_HTML_ONLY,RCVD_NUMERIC_HELO
So what obvious mistake am I making? Thanks for any help...
-- tim boyer [EMAIL PROTECTED]
RE: Inconsistent scoring
This seems rather odd. I suppose you did lint your rules to make sure that you don't have a problem somewhere? It is known that SA can do things like dropping most of the rules file following a rule with an error in it.
Yup; no lint problems at all.
Maybe you are using Amavisd-new or one of the other tools that does its own header rewriting in at least some cases?
MIMEDefang, but I can't see it doing this.
I do have a suggestion for improving your rule though. There are several things that aren't as efficient as they should be. Instead of
    rawbody IMG_SRC_CID /src\=(\c|c)id\:/i
do
    rawbody IMG_SRC_CID /src=?cid:/i
Thanks much - I need all the perl help I can get. :)
-- tim --
Re: SpamAssassin milter and logs
On Fri, 10 Jun 2005 22:06:11 -0400, Matt Kettler [EMAIL PROTECTED] wrote: Tim Boyer wrote: I'm using SpamAssassin as a Sendmail milter, called from MIMEDefang. With spamd, it's possible to send the log somewhere else. Is it possible to do so with the Mail::SpamAssassin module? I've read Mail::SpamAssassin::Conf a couple of times, and can't find anything. Thanks... Really, that's up to mimedefang. Not Mail::SpamAssassin. Matt - I'll take your word for it, but... why? All MIMEDefang is doing is calling SpamAssassin, right? Once control is passed to SpamAssassin, shouldn't it be doing the logging? -- Tim Boyer [EMAIL PROTECTED]
SpamAssassin milter and logs
I'm using SpamAssassin as a Sendmail milter, called from MIMEDefang. With spamd, it's possible to send the log somewhere else. Is it possible to do so with the Mail::SpamAssassin module? I've read Mail::SpamAssassin::Conf a couple of times, and can't find anything. Thanks... -- Tim Boyer [EMAIL PROTECTED]
Re: upgrade to SA 3.0.3 - pod2man path issue
On Sat, 30 Apr 2005 17:24:24 -0400, Greg Allen [EMAIL PROTECTED] wrote:
FYI: Ok, I just tried upgrading 3.0.2 to 3.0.3 and get the following --
During install, after I run:
    perl Makefile.PL
It asks me a few setup questions then I get:
    Warning: I could not locate your pod2man program. Please make sure, your pod2man program is in your PATH before you execute 'make'.
-- I have installed multiple programs on my Linux box with no such error. Looks like the new SA uses pod2man and doesn't know where it is at, even though it is installed on the system (podlators-1.27 from Cpan). Since I am not a total Linux geek it will take me a little while to figure out how to correct the path issue. I will try to add the location of pod2man to the path on the Linux system and see what happens.
Red Hat, right? This particular error has plagued me from 6 all the way through Enterprise 3. Just do a
    LANG=en_US
    export LANG
-- Tim Boyer [EMAIL PROTECTED]
Re: Line continuation in rules?
On Mon, 27 Dec 2004 20:14:58 -0500, Theo Van Dinter [EMAIL PROTECTED] wrote: On Mon, Dec 27, 2004 at 07:31:20PM -0500, Tim Boyer wrote: Is there a way to do line continuation in the rules? I've got a bunch of subjects that I want to filter out, and the result is a 600-character wide line. It works, but it's not the most legible thing around. Nope, rules are 1 line only. If your line is that long, you're probably going to be better off splitting it into multiple rules, btw. Thanks much - I'll do just that. -- Tim Boyer [EMAIL PROTECTED]
Re: Original-Content-Type in header
On Sat, 6 Nov 2004 17:23:28 -0500, Theo Van Dinter [EMAIL PROTECTED] wrote:
On Sat, Nov 06, 2004 at 05:18:29PM -0500, Tim Boyer wrote:
I'm using RH Enterprise, Sendmail Switch, MimeDefang 2.44 and SpamAssassin 3.0.1. Somewhere in there a very few html messages are having their content type changed to text/plain, and an 'Original-Content-Type' line inserted, like so:
    Content-Type: text/plain
    Original-Content-Type: text/html
I've asked around on the MIMEDefang list, and have been told that that string isn't being added by anything MIMEDefang is set to do. Does anyone know if SpamAssassin could be changing this?
Are you sure it's not just a bad spam program? If it is something changing the CT around, it's not SA. We either encapsulate the message, or add a handful of X-Spam headers.
Hmmm I think that just leaves Sendmail, then. It's a newsletter. I know it's coming in as html, because I tossed a little debugging log entry into MIMEDefang:
    if ($type eq "text/html") {
        md_graphdefang_log('html', $Subject, $RelayAddr);
    }
so it's getting in as html. OK, I'll turn off the attachment filter in Sendmail and see what happens. Thanks much!
-- tim --
-- Tim Boyer [EMAIL PROTECTED]
Original-Content-Type in header
I'm using RH Enterprise, Sendmail Switch, MimeDefang 2.44 and SpamAssassin 3.0.1. Somewhere in there a very few html messages are having their content type changed to text/plain, and an 'Original-Content-Type' line inserted, like so:
    Content-Type: text/plain
    X-Spam-Score: -0.652 () AWL,BAYES_00,HTML_50_60,HTML_FONT_BIG,HTML_MESSAGE,HTML_TEXT_AFTER_BODY,HTML_TEXT_AFTER_HTML,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,OPTING_OUT
    X-Scanned-By: MIMEDefang 2.44
    Original-Content-Type: text/html
    X-UIDL: DZR!?_9!!3MS!!,c0!
... but I'll be darned if I can figure out which program is mangling the headers. I've asked around on the MIMEDefang list, and have been told that that string isn't being added by anything MIMEDefang is set to do. Does anyone know if SpamAssassin could be changing this? Thanks much...
-- Tim Boyer [EMAIL PROTECTED]
RE: MIMEDefang, SpamAssassin and URIDNSBLs
Tim Boyer said:
But the same question applies. Even _if_ I had it set wrong, why would it work when I do a 'spamassassin --test', but not when MIMEDefang calls it?
You calling it as the user mimedefang runs as.. do all your tests like such:
    su -c "spamassassin --test" defang
... and that does it. When run as defang:
    debug: is Net::DNS::Resolver available? no
When run as root:
    debug: is Net::DNS::Resolver available? yes
It's probably a permissions thing.
Figures. It's always either a permissions thing, or a SCSI termination problem, isn't it? :) Sure enough, found it, and it was directory permissions. All is working. Thanks _very_ much, everyone!
-- Tim Boyer Director Information Systems and Engineering Projects Denman Tire Corporation [EMAIL PROTECTED]
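Both the directory-permission fault found in the message above and the umask problem in the "large increase in spam after upgrading SA" message come down to files that root can read and the filter account cannot. The script below is an added example, not code from the thread: it lists rule files and directories lacking access for "other", including every parent directory up to /. The sample tree, the perl5 path and the LOCAL_DEMO_RULE name are constructed, and checking only the "other" bits is a stated simplification.

```sh
#!/bin/sh
# Added example, not code from the thread. Flags rule files and directories
# that a non-root filter account cannot reach.
# Assumption: only the "other" permission bits are checked, so a path the
# account reaches through group membership is still reported.

# Files under $1 without o+r, and directories without o+rx.
unreadable_entries() {
    find "$1" \( -type f ! -perm -004 -print \) -o \
              \( -type d ! -perm -005 -print \)
}

# Every directory from $1 up to / that "other" may not traverse (no o+x).
blocked_ancestors() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    while [ "$p" != "/" ]; do
        find "$p" -prune ! -perm -001 -print
        p=$(dirname "$p")
    done
}

audit_tree() {
    { blocked_ancestors "$1"; unreadable_entries "$1"; } | sort -u
}

# Constructed sample: one rules file written under umask 077 and one
# directory on a Perl module path created without access for "other".
make_sample_tree() {
    root=$(mktemp -d) || return 1
    chmod 755 "$root"
    ( umask 022
      mkdir -p "$root/rules" "$root/perl5/Net/DNS"
      echo 'score LOCAL_DEMO_RULE 1.0' > "$root/rules/local.cf" )
    ( umask 077
      echo 'body UNWANTED_LANGUAGE_BODY eval:check_language()' \
          > "$root/rules/25_textcat.cf" )
    chmod 750 "$root/perl5/Net"
    echo "$root"
}

# Usage: sh audit.sh /path/to/rules   (no argument: run on the sample tree)
if [ $# -gt 0 ]; then
    audit_tree "$1"
else
    sample=$(make_sample_tree) && audit_tree "$sample/rules"
    rm -rf "$sample"
fi
```

An empty result only rules out the "other" bits; running the test as the filter account, as suggested in the thread, remains the definitive check.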
RE: MIMEDefang, SpamAssassin and URIDNSBLs
Tim Boyer wrote:
Tim Boyer wrote to users@spamassassin.apache.org:
3. Do I have DNS lookup enabled? Yup:
    # Enable or disable network checks
    dns_available yes
    skip_rbl_checks 0
    rbl_timeout 15
Can't think of anything else to try.
Try checking /etc/mail/sa-mimedefang.cf for a line that says
    skip_rbl_checks 1
Comment it out, restart mimedefang, and see if this changes anything
Actually, I've got it set to 0:
    # Enable or disable network checks
    skip_rbl_checks 0
    rbl_timeout 15
But the same question applies. Even _if_ I had it set wrong, why would it work when I do a 'spamassassin --test', but not when MIMEDefang calls it?
-- Tim Boyer Director, IS and Engineering Projects Denman Tire Corporation [EMAIL PROTECTED]
RE: MIMEDefang, SpamAssassin and URIDNSBLs
Tim Boyer wrote to users@spamassassin.apache.org:
3. Do I have DNS lookup enabled? Yup:
    # Enable or disable network checks
    dns_available yes
    skip_rbl_checks 0
    rbl_timeout 15
Can't think of anything else to try.
Do you have
    # If boolean true, skip SA network tests
    $SALocalTestsOnly = 1;
in your mimedefang-filter? Make sure you set $SALocalTestsOnly to zero. For whatever reason, MIMEDefang decided they would override this *one* SA option within mimedefang-filter. ;-)
Yup:
    $AdminAddress = '[EMAIL PROTECTED]';
    $AdminName = "Tim Boyer";
    $SALocalTestsOnly = 0;
If that doesn't help, get a bigger hammer, or maybe ask on the MIMEDefang list.
I've posted substantially the same message there - with substantially the same results. If I knew how to make MIMEDefang call SpamAssassin with the debug switch, that might point me in the right direction.
MIMEDefang uses the SA libs directly... which means, so can you, in mimedefang-filter. :-) I've never tried it, but you should be able to enable debugging output before calling the SA check in filter_end().
I'll give it a try in the morning. Thanks much...
-- Tim Boyer Director Information Systems and Engineering Projects Denman Tire Corporation [EMAIL PROTECTED]