Re: Alan Ralsky indicted
I think I know this guy. I think I've actually done stuff for him about 8-10 years ago. Yeah, the ISP I was working with at the time thought that SPAM was a quick buck and supported a few spamming houses.

jdow wrote:

http://it.slashdot.org/article.pl?sid=08/01/04/0154229

Points to this article at freep.com
http://www.freep.com/apps/pbcs.dll/article?AID=/20080103/NEWS06/80103045/1008/NEWS06

Mich. spammer, 10 others indicted in alleged pump-and-dump scam

{^_^}
Bit OT but it's about SPAM
I just thought if anyone hasn't read it yet, this article might be interesting to many of you. According to this report SPAM has now reached being 95% of all email.

http://www.net-security.org/secworld.php?id=5545

From the report:

* Global spam levels reached an all-time high of 95% of all emails at its peak during the quarter.
* Blended threat messages -- or spam messages with links to malicious URLs -- accounted for up to 8% of all global email traffic during the peaks of various attacks during the quarter.
* One massive outbreak mid-quarter utilized over 11,000 dynamic zombie IP addresses to host malicious web sites. Leading zombie locations included the United States (36%) and Russia (8%).
* Image spam declined to a level of less than 5% of all spam, down from 30% in the first quarter of 2007; also, image pump-and-dump spam has all but disappeared, with pornographic images taking its place.
* PDF Spam represented 10-15% of all spam in early July and then dropped significantly, however a steady stream of PDF spam is still being maintained at 3-5% of all spam messages.
* Pharmaceuticals and sexual enhancers were the most popular spam topics, at 30% and 23%, respectively.
Re: SpamAssassin 3.1.9 not catching any emails
Dave Addey wrote:

Hi all,

As part of an “Ensim” (Linux control panel) installation, I’m running the Ensim-provided install of SpamAssassin 3.1.9. Unfortunately, I’m finding that no emails are being caught as spam. Whilst I’m sure that Ensim is doing some non-standard stuff around SpamAssassin, I’m wondering if anyone can help me (as a relative newbie to SpamAssassin) to debug what may be causing the problem.

I'm pretty sure that SpamAssassin is set up correctly. However, every single spam message seems to be getting through (assuming it is even being checked). All emails have a header of X-Spam-Status: No, No - which I assume means that SpamAssassin is checking the messages, and passing them all regardless of their spam-ness?

I really don't know where to start in debugging this. spamd is definitely running. I've run sa-update. I've sent myself an email with the GTUBE string in it, as described in http://wiki.apache.org/spamassassin/TestingInstallation , and it also came through with the same header as above. I have Enable tests that connect to remote servers enabled in Ensim's Spam Filter Configuration settings, but disabling it doesn't seem to make a difference.

Can anyone suggest some things I could investigate to find out where the problem may lie?

Many thanks in advance,
- maurj.

First thing you need to know about running Ensim, is not to run Ensim. I had nothing but problems on the ensim server that I had. I thought it was going to be the low cost answer to my problems and it just was a high cost problem. Their support was horrid also.

Do you have access to logs to see if the mail is actually being scanned? It doesn't sound like it at all. Is this your box or someone else's?
Re: charter.net
Kai Schaetzl wrote:

Jonn R Taylor wrote on Fri, 24 Aug 2007 07:30:22 -0500:

What even more interesting is that they block 25 out going. So I am not sure why we all see so much spam from them. The spam is coming from *.dhcp.*.*.charter.com.

Obviously, there's no such blockage. I reject everything from there right-away.

Kai

Like most ISPs, charter.net will block port 25 for those _not_ on their network. I had clients who were using my mail servers for their outgoing mail services until early last year when Comcast, ATT, and Charter (the ones I had to deal with) all seem to start blocking port 25 traffic. All my clients have to use SMTP_Auth in order to send mail through me but Charter.net will not allow off network traffic on port 25. So in a sense, yes they block port 25 but only for non-charter networks. Just as I only allow my dialup and DSL customers to send mail through my servers without authenticating.

Charter.net is also horrible about their mail servers deferring mail. I have customers who are forwarding their domain mail to their charter accounts and at least twice a week I see entries in my exim logs showing that Charter.net is deferring incoming mail for various reasons. Mostly it's 421 errors, always nice not to have your mail servers not responding or active.

I've called their support and they are beyond horrible. They have no idea what they are doing. It really ticks me off when I have to deal with this. I've been working for small ISP/Hosting companies since 1996 and have spent the last 3 years running my own company. I am self taught with no university or college degrees or any other official certification yet I know more than 95% of the people I talk to at my home cable company (I live in Windsor ON but my business is in MI, US) or any of these other ISPs/Cable/Hosting companies I deal with on a regular basis for my clients.

I always love it when I start talking to a Tech Support Rep and they have no idea what I am saying because they have no clue. I usually get "I'm sorry sir, I don't know what you are talking about. I just know what my screen tells me."

Oh and I'm also on my 6th request and 3rd month of waiting for Charter.net's upper level support team to contact me so we can figure out why they always seem to defer mail 2-3 times a week.

--
Tom Ray
Chief Operations Officer
Detroit Online
DSL * VoIP * Networking * Email * Hosting * Programming
http://www.detroitonline.com
Toll Free: 888-235-6817 x202
Outside US: 313-887-0805 x202
Fax: 313-887-8321
Re: is it possible to setup SA in a different machine?
I'm a little late stepping in on this and it seems the original email was deleted from my mail box by mistake. As everyone has said, yes you can use spam assassin on a separate server. I do that right now and it works pretty well. It's also pretty slick because I have it setup not only to filter SPAM only for the domains I tell it but also only for specific email accounts I tell it to.

In your primary zone file set up two MX records for the domain. 10 goes to the spam server, 20 goes straight to the mail machine.

On the server that is running spam assassin I have it setup with Exim 4.67, SA 3.2.2, ClamAV .091.2, Bind 9.3.3

* Create a user equal to the domain. So domain.com is user domaincom. For me the user dir is /home/sa-users/domaincom
* In the home dir setup a directory for each account you want to run along with a 0 byte file called spamcheck so you end up with something like /home/sa-users/domaincom/tom/spamcheck
* I add all the domains I'm accepting mail for in /etc/exim/domains
* I add all the domains I'm filtering for in /etc/exim/sa-list
* I create a zone file in /var/named with the following two lines. In my resolv.conf I have it looking at the local machine only.

         IN MX 10 mail.domainnamehere.com.
    mail IN A     1.1.1.120

My exim.conf Router and Transport for SA looks like this:

Router:

    # SpamAssassin
    spamcheck_router:
      driver = accept
      no_verify
      check_local_user = false
      # When to scan a message :
      #   - it isn't already flagged as spam
      #   - it isn't already scanned
      condition = ${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}
      require_files = /mail/${domain}/spamassassin/${local_part}/spamcheck
      transport = spamcheck

    # Only send mail for our domains
    lookuphost:
      driver = dnslookup
      domains = /etc/exim/domains
      transport = remote_smtp
      no_more

Transport:

    spamcheck:
      driver = pipe
      command = /usr/local/exim/bin/exim -oMr spam-scanned -bS
      use_bsmtp = true
      transport_filter = /usr/bin/spamc -u ${lookup{$domain}lsearch*{/etc/exim/sa-list}{$value}}
      home_directory = /tmp
      current_directory = /tmp
      # must use a privileged user to set $received_protocol on the way back in!
      user = exim
      group = exim
      log_output = true
      return_fail_output = true
      return_path_add = false
      message_prefix =
      message_suffix =

Basically it accepts the mail for the domain, if it's supposed to check it for SPAM it does, all mail is scanned for viruses. I automatically drop anything with .vbs .scr or other types of attachments and then it sends the mail onto my mail server or whatever other mail server I specify for the domain in the local zone file.

I have clients running in house email servers but I scan for viruses and spam before delivering it on to them. The other beauty is if the main mail server(s) go down, the spam server will hold the message in queue until the server(s) are responding again. I hold messages for 14 days before thawing and dumping them.

Oh and finally, once SA scans email once for the domain it puts the user_prefs file in /home/sa-users/domaincom/.spamassassin

Hope this helps.

--
Tom Ray
Chief Operations Officer
Detroit Online
DSL * VoIP * Networking * Email * Hosting * Programming
http://www.detroitonline.com
Toll Free: 888-235-6817 x202
Outside US: 313-887-0805 x202
Fax: 313-887-8321
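
As an added illustration (not part of the original post and not Exim's own code), this shell sketch emulates the two decisions the router and transport above make for one address: whether the `spamcheck` marker file exists, and which name the `lsearch*` lookup on the sa-list hands to `spamc -u`. The root directory argument, the sa-list contents and the sample addresses are constructed assumptions; the path layout follows the `require_files` line.

```shell
#!/bin/sh
# Emulates ${lookup{$domain}lsearch*{FILE}{$value}}: the first matching key
# wins, keys compare case-insensitively, and "*" is the fallback key.
sa_user_for() {   # usage: sa_user_for DOMAIN SA_LIST_FILE
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            k = $0; sub(/[: \t].*$/, "", k)     # key ends at colon or whitespace
            v = substr($0, length(k) + 1)
            sub(/^[: \t]+/, "", v)              # drop the separator before the data
            if (!found && tolower(k) == tolower(key)) { exact = v; found = 1 }
            else if (!hasstar && k == "*")           { star = v; hasstar = 1 }
        }
        END {
            if (found) print exact
            else if (hasstar) print star
        }
    ' "$2"
}

# Reports what would happen to mail for ADDRESS under the posted config.
would_scan() {    # usage: would_scan ROOT SA_LIST_FILE ADDRESS
    root=$1; list=$2; addr=$3
    case $addr in
        */*) echo "invalid: slash in address"; return 2 ;;
        *@*) local_part=${addr%@*}; domain=${addr##*@} ;;
        *)   echo "invalid: no domain in address"; return 2 ;;
    esac
    # Same test as require_files in spamcheck_router.
    if [ ! -e "$root/$domain/spamassassin/$local_part/spamcheck" ]; then
        echo "not scanned: no spamcheck file"; return 1
    fi
    user=$(sa_user_for "$domain" "$list")
    if [ -z "$user" ]; then
        echo "scanned, but sa-list has no entry for $domain"; return 3
    fi
    echo "scanned as $user"
}

# Constructed sample tree and sa-list (hypothetical names, not from the post).
make_sample() {   # usage: make_sample DIR
    mkdir -p "$1/mail/domain.com/spamassassin/tom" \
             "$1/mail/other.example/spamassassin/ann"
    : > "$1/mail/domain.com/spamassassin/tom/spamcheck"
    : > "$1/mail/other.example/spamassassin/ann/spamcheck"
    printf '%s\n' '# domain: spamd user' 'Domain.COM: domaincom' > "$1/sa-list"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for a in tom@domain.com bob@domain.com ann@other.example; do
    printf '%s -> ' "$a"
    would_scan "$tmp/mail" "$tmp/sa-list" "$a" || true
done
rm -rf "$tmp"
```

The third sample address is the case worth auditing for: the marker file enables scanning, but the domain is missing from the sa-list, so no per-domain preferences user is selected.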
Includes Question.
I have SA set up to run per user, my question is does the user_prefs file support any include commands like Apache's httpd.conf or Bind's named.conf file does? I basically don't want to re-write the main user_prefs file when a user updates their White or Black lists via the web interface I'm providing.

I'm looking for something like:

    include whitelist.conf
    include blacklist.conf

Or something along those lines.
Re: Am I wasting my time with SpamCop?
Anyone serious about stopping SPAM should not use SpamCop. They have no real checking method, it's like AOL's spam blocking method...they just let users submit what they think is spam and then block it. It's pointless. There's not even a way to contact anyone at SpamCop to fix a falsely listed server or what not. They are a joke.

John Rudd wrote:

On Aug 2, 2006, at 1:09 PM, Zinski, Steve wrote:

I use SpamCop to report my spam. I use the SpamHaus RBL as a first line of defense then I use SpamAssassin to catch the rest of the spam coming to my server. Am I wasting my time? Should I just delete low-scoring spam and let the honeypots harvest and report to the various RBLs, or should I keep reporting spam via SpamCop (which wastes a lot of my time).

In my experience, SpamCop is a colossal waste of _everything_ it uses. Time, space, energy, matter, etc. But that's just in my experience. YMMV.
Re: What changes would you make to stop spam? - United Nations Paper
Marc Perkel wrote:

Logan Shaw wrote:

On Wed, 2 Aug 2006, Marc Perkel wrote:

SMTP passwords go away because SMTP goes away. The idea is that outgoing IMAP would replace SMTP and there would be no SMTP between clients and servers. SMTP would be a server to server protocol.

That's all well and good saying SMTP is server to server only, but how are you going to get the spammers to cooperate? Do you think they will volunteer? And when you are running an SMTP server, how can you tell if SMTP connections that it receives are really coming from another server?

- Logan

If SMTP becomes a server to server protocol then it will wipe out consumer virus infected spam zombies. It's not going to get rid of all spam - just most of it.

The other problem you run into is the fact that one man's SPAM is another man's acceptable email.
Re: Am I wasting my time with SpamCop?
Derek Harding wrote:

On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:

Anyone serious about stopping SPAM should not use SpamCop. They have no real checking method, it's like AOL's spam blocking method...they just let users submit what they think is spam and then block it. It's pointless. There's not even a way to contact anyone at SpamCop to fix a falsely listed server or what not.

Spamcop has its problems, some very serious, however the above mis-information should be corrected. If you are listed incorrectly you should email [EMAIL PROTECTED] They're quite helpful although their definition of incorrectly may differ from other people's definitions (including my own). For example, when some muppet reported us 25 times for a single email Spamcop removed all but one report and canceled the listing immediately. So to say there's no way to contact them is plain wrong.

Derek

Let me re-phrase that, there's no listed form of contact on their website. I was just there...you have a choice of Header Help, and Terms. There's no Contact SpamCop option, no listed email accounts to mail to. So how does Joe Average know how to contact Spam Cop?

So one of their serious problems is not listing the fact there is a way to contact them. I remember when SpamCop started, there was a ton more information on the site plus a way to check if you were listed with SpamCop (which you can't do anymore) plus contact information. None of that exists anymore.
Re: Am I wasting my time with SpamCop?
Tom Ray wrote:

Derek Harding wrote:

On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:

Anyone serious about stopping SPAM should not use SpamCop. They have no real checking method, it's like AOL's spam blocking method...they just let users submit what they think is spam and then block it. It's pointless. There's not even a way to contact anyone at SpamCop to fix a falsely listed server or what not.

Spamcop has its problems, some very serious, however the above mis-information should be corrected. If you are listed incorrectly you should email [EMAIL PROTECTED] They're quite helpful although their definition of incorrectly may differ from other people's definitions (including my own). For example, when some muppet reported us 25 times for a single email Spamcop removed all but one report and canceled the listing immediately. So to say there's no way to contact them is plain wrong.

Derek

Let me re-phrase that, there's no listed form of contact on their website. I was just there...you have a choice of Header Help, and Terms. There's no Contact SpamCop option, no listed email accounts to mail to. So how does Joe Average know how to contact Spam Cop?

I stand corrected I was at SpamCop.com and not SpamCop.net which has these methods...nice to link over to the proper site.

So one of their serious problems is not listing the fact there is a way to contact them. I remember when SpamCop started, there was a ton more information on the site plus a way to check if you were listed with SpamCop (which you can't do anymore) plus contact information. None of that exists anymore.
Re: What changes would you make to stop spam? - United Nations Paper
4a) maybe generalize #4 to include various other RFC issues (matching PTR and A records is an RFC requirement, after all), such as the things tracked at RFC-Ignorant

Less feasible, too many players. How about: domain registrars are required to block any domain they have registered that does not have working (i.e. read-by-a-human) postmaster@ and abuse@ aliases?

Being that I am a domain registrar (small but still) how will I know if they have a working postmaster or abuse alias? And even if they did a quick filter setup at the server level will have those mails /dev/null'd in no time. This isn't a feasible idea for one reason and one reason only, Network Solutions. They'll find some way to re-route that domain to their own use.

5) Require ISP's to channel their customer's email through their own mail servers (which will have some impact upon SPF tracking as well) and not allow any non-business customers, nor any dynamic customers (business or commercial), to directly connect to other mail servers.

Totalitarian regimes will *love* that one. ISPs will hate it.

Hate to break the news to you but many ISPs are already not allowing their users to connect via port 25 outside their networks. Comcast has done it, as have a few others already. I run into this a lot because I'm also a hosting company and offer SMTP Auth but many customers have issues because they can't connect to port 25 on my mail server. I also totally agree with this practice, if they are going to be on the hook for something their users did then they need to keep a watchful eye on their customers. ISPs don't hate this considering that many ISPs now do hosting, it's a way for them to get their customers to bring the hosting over to them also.
Custom .cf files
I know I asked this before but I believe I asked it wrong.

Is it possible to have each user have their own 10_misc.cf or any of the other .cf files? Right now all are stored in /usr/share/spamassassin. I'd like each user to have their own.

Anyone done this before?

--
Tom Ray
Detroit Online
http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501
Re: Custom .cf files
Theo Van Dinter wrote:

On Wed, Jul 26, 2006 at 03:06:40PM -0400, Tom Ray wrote:

Is it possible to have each user have their own 10_misc.cf or any of the other .cf files? Right now all are stored in /usr/share/spamassassin. I'd like each user to have their own. Anyone done this before?

This is quite usual actually, that's what user_prefs are for.

Well I'm still quite new to this. So I can shove that information into user_prefs or do I modify user_prefs to call on a directory?

--
Tom Ray
Detroit Online
http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501
Editing Question....
Is there a way to edit the message that appears in your mail when it's marked as spam? This is the text I want to edit:

    Spam detection software, running on the system mx02.detroitonline.com, has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see
    [EMAIL PROTECTED] for details.

Actually, the better way to phrase this is that I want each domain owner able to edit their own version of that. I do virtual email hosting but I run each domain under its own user name so the Admin controls their spam rules. I want them to be able to edit that with their own information.

Can we do that?

--
Tom Ray
Detroit Online
http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501
Re: Virtual Users
Bowie Bailey wrote:

David O'Brien wrote:

Hello,

I am running SpamAssassin version 3.0.4-2.fc4, exim 4.62-1.fc4 dovecot 0.99.14-4.fc4

I have virtual users, with mail being stored in the directory format /data/mail/domain.com/user/ So, the mail for [EMAIL PROTECTED] would be stored in /data/mail/obrien.com/david/

I have tried setting the --virtual-config-dir option to --virtual-config-dir=/data/mail/%d/%l so the user_prefs file would be created in the correct location, however %d and %l do not seem to be expanding to the domain and local part of the username.

I am getting the following in my log file:

    Using default config for nobody: /data/mail///user_prefs

I have seen this mentioned before, but have not seen a solution. Does anyone have any idea what the problem is, and what the solution is?

Are you providing the email address via spamc?

    spamc -u [EMAIL PROTECTED]

I'm trying to do the same thing that David is doing. I have spamd running with --config-virtual-dir=/mail/%d/mail/%l so it should expand to mail/detroitonline.com/mail/tom for any email being sent to me. Within my directory I have a directory called .spamassassin and within that I have a user_prefs file. I have my score set to 2 while the global is set to 5.

Within exim I have spamc set to run as spamc -u [EMAIL PROTECTED] which does expand to [EMAIL PROTECTED] However I can't find the logfile that David refers to. Spamd start up, stops, etc all display within my syslog as to any -D messages.

So I have a couple questions..

1) Where do I find that entry at that David refers to?

2) Spam is being scanned but it's being scored out of 5 instead of 2 which means it's reading the global file and not my user file.

3) It is my understanding that spamc needs to run as a user on the machine, but if these are virtual accounts and don't exist on the machine how will spamc run everything? In Exim the user exim runs everything and all mail files and directories have to be set with exim as the user and group.

4) Am I doing this right? I've laid out my specs before and asked that but no one's said yes or no.

Any help would be appreciated. Thanks.

--
Tom Ray
Detroit Online
http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501
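
As an added illustration (not part of the thread and not spamd's own code), this shell sketch emulates the documented `--virtual-config-dir` escapes (`%u`, `%l`, `%d`, `%%`) to show how a username without an `@` produces the empty path components seen in the quoted log line. It assumes, from that log line, that `user_prefs` is looked up directly inside the expanded directory; the function names and the `example.com` tree in the test are constructed.

```shell
#!/bin/sh
# Emulates the documented spamd --virtual-config-dir escapes:
#   %u = full username as sent by spamc, %l = part before "@",
#   %d = part after "@", %% = literal percent sign.
expand_vcd() {    # usage: expand_vcd PATTERN USERNAME
    user=$2; l=; d=
    case $user in
        *@*) l=${user%@*}; d=${user##*@} ;;   # %l and %d need an address
    esac
    printf '%s\n' "$1" | awk -v u="$user" -v l="$l" -v d="$d" '{
        out = ""
        while ((i = index($0, "%")) > 0) {
            out = out substr($0, 1, i - 1)
            c = substr($0, i + 1, 1)
            if      (c == "u") out = out u
            else if (c == "l") out = out l
            else if (c == "d") out = out d
            else if (c == "%") out = out "%"
            else               out = out "%" c    # unknown escape: keep as-is
            $0 = substr($0, i + 2)
        }
        print out $0
    }'
}

# Reports where user_prefs would be looked up and why it may not be found.
# Assumption (from the log line in the thread): the file is DIR/user_prefs.
prefs_status() {  # usage: prefs_status PATTERN USERNAME
    dir=$(expand_vcd "$1" "$2")
    case $1 in
        *%d*|*%l*)
            case $2 in
                *@*) ;;
                *) echo "no-domain $dir/user_prefs"; return 1 ;;
            esac ;;
    esac
    if [ -r "$dir/user_prefs" ]; then
        echo "ok $dir/user_prefs"
    else
        echo "missing $dir/user_prefs"; return 2
    fi
}

# The pattern and usernames from the thread: a bare "nobody" leaves %d and %l
# empty, while a full address fills both.
prefs_status '/data/mail/%d/%l' nobody || true
prefs_status '/data/mail/%d/%l' 'david@obrien.com' || true
```

Under the stated assumption, a prefs file kept in a `.spamassassin` subdirectory of the expanded path is reported as missing, because only the expanded directory itself is checked.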
Just installed Spam Assassin and having a little issue.
Hey all-

I just installed Spam Assassin and I'm running into a small problem. I'm running a mail server with Exim 4.60 and it's hosting virtual accounts. So the setup is basically /mail/domain.com/mail/user/inbox

What I would like to do is give each user control over their SA settings so I've tried two different ways to make SA work the way I wanted. I've copied the user_prefs template over to the following:

1) Tried doing it this way: /mail/domain.com/mail/.spamassassin/user.cf
2) /mail/domain.com/mail/user/.spamassasin/user_prefs

I have the following Router in my Exim config:

    # SpamAssassin
    spamcheck_router:
      no_verify
      check_local_user
      # When to scan a message :
      #   - it isn't already flagged as spam
      #   - it isn't already scanned
      condition = ${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}
      require_files = /mail/${domain}/mail/.spamassassin/${local_part}/user_prefs
      driver = accept
      transport = spamcheck

With this Transport:

    spamcheck:
      driver = pipe
      command = /usr/local/exim/bin/exim -oMr spam-scanned -bS
      use_bsmtp = true
      transport_filter = /usr/bin/spamc
      home_directory = /tmp
      current_directory = /tmp
      # must use a privileged user to set $received_protocol on the way back in!
      user = exim
      group = exim
      log_output = true
      return_fail_output = true
      return_path_add = false
      message_prefix =
      message_suffix =

Now I only have one account under one of the domains setup with a user_prefs and/or a user.cf file. SA is scanning for SPAM on that account so I'm assuming that the require_files command in the Router is working, because other accounts under that domain are not scanning SPAM nor are any other domains/accounts on the server. However, it will only read the /etc/mail/spamassassin/local.cf file and is ignoring the lower score setting I have in my user_prefs file.

My question is, how do I get SA to read from the user_prefs file under the virtual email user accounts? Anyone done this before? I'm kinda new to SA and I'm still getting the hang of customizing it.

Thanks!

--
Tom Ray
Detroit Online
http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501