Re: Alan Ralsky indicted

2008-01-03 Thread Tom Ray
I think I know this guy. I think I've actually done stuff for him about 
8-10 years ago. Yeah, the ISP I was working with at the time thought 
that SPAM was a quick buck and supported a few spamming houses.


jdow wrote:

http://it.slashdot.org/article.pl?sid=08/01/04/0154229

Points to this article at freep.com

http://www.freep.com/apps/pbcs.dll/article?AID=/20080103/NEWS06/80103045/1008/NEWS06 


Mich. spammer, 10 others indicted in alleged pump-and-dump scam


{^_^}


Bit OT but it's about SPAM

2007-10-17 Thread Tom Ray
I just thought if anyone hasn't read it yet, this article might be 
interesting to many of you. According to this report SPAM has now 
reached being 95% of all email.


http://www.net-security.org/secworld.php?id=5545

From the report:

   * Global spam levels reached an all-time high of 95% of all emails
     at its peak during the quarter.
   * Blended threat messages -- or spam messages with links to
     malicious URLs -- accounted for up to 8% of all global email
     traffic during the peaks of various attacks during the quarter.
   * One massive outbreak mid-quarter utilized over 11,000 dynamic
     zombie IP addresses to host malicious web sites. Leading zombie
     locations included the United States (36%) and Russia (8%).
   * Image spam declined to a level of less than 5% of all spam, down
     from 30% in the first quarter of 2007; also, image pump-and-dump
     spam has all but disappeared, with pornographic images taking its
     place.
   * PDF Spam represented 10-15% of all spam in early July and then
     dropped significantly, however a steady stream of PDF spam is
     still being maintained at 3-5% of all spam messages.
   * Pharmaceuticals and sexual enhancers were the most popular spam
     topics, at 30% and 23%, respectively.




Re: SpamAssassin 3.1.9 not catching any emails

2007-09-21 Thread Tom Ray



Dave Addey wrote:

Hi all,

As part of an “Ensim” (Linux control panel) installation, I’m running 
the Ensim-provided install of SpamAssassin 3.1.9. Unfortunately, I’m 
finding that no emails are being caught as spam. Whilst I’m sure that 
Ensim is doing some non-standard stuff around SpamAssassin, I’m 
wondering if anyone can help me (as a relative newbie to SpamAssassin) 
to debug what may be causing the problem.


I'm pretty sure that SpamAssassin is set up correctly. However, every 
single spam message seems to be getting through (assuming it is even 
being checked). All emails have a header of X-Spam-Status: No, No - 
which I assume means that SpamAssassin is checking the messages, and 
passing them all regardless of their spam-ness?


I really don't know where to start in debugging this. spamd is 
definitely running. I've run sa-update. I've sent myself an email with 
the GTUBE string in it, as described in 
http://wiki.apache.org/spamassassin/TestingInstallation , and it also 
came through with the same header as above. I have "Enable tests that 
connect to remote servers" enabled in Ensim's Spam Filter 
Configuration settings, but disabling it doesn't seem to make a 
difference.


Can anyone suggest some things I could investigate to find out where 
the problem may lie?


Many thanks in advance,

- maurj. 
First thing you need to know about running Ensim is not to run Ensim. I 
had nothing but problems on the Ensim server that I had. I thought it 
was going to be the low cost answer to my problems and it just was a 
high cost problem. Their support was horrid also.


Do you have access to logs to see if the mail is actually being scanned? 
It doesn't sound like it at all. Is this your box or someone else's?




Re: charter.net

2007-08-25 Thread Tom Ray



Kai Schaetzl wrote:

Jonn R Taylor wrote on Fri, 24 Aug 2007 07:30:22 -0500:

What's even more interesting is that they block 25 outgoing. So I am 
not sure why we all see so much spam from them.



The spam is coming from *.dhcp.*.*.charter.com. Obviously, there's no such 
blockage. I reject everything from there right away.


Kai

Like most ISPs, charter.net will block port 25 for those _not_ on their 
network. I had clients who were using my mail servers for their outgoing 
mail services until early last year, when Comcast, ATT, and Charter (the 
ones I had to deal with) all seemed to start blocking port 25 traffic. All 
my clients have to use SMTP_Auth in order to send mail through me, but 
Charter.net will not allow off-network traffic on port 25. So in a 
sense, yes, they block port 25, but only for non-Charter networks. Just as 
I only allow my dialup and DSL customers to send mail through my servers 
without authenticating.


Charter.net is also horrible about their mail servers deferring mail. I 
have customers who are forwarding their domain mail to their charter 
accounts and at least twice a week I see entries in my exim logs showing 
that Charter.net is deferring incoming mail for various reasons. Mostly 
it's 421 errors, always nice not to have your mail servers not 
responding or active. I've called their support and they are beyond 
horrible. They have no idea what they are doing.


It really ticks me off when I have to deal with this. I've been working 
for small ISP/Hosting companies since 1996 and have spent the last 3 
years running my own company. I am self taught with no university or 
college degrees or any other official certification, yet I know more than 
95% of the people I talk to at my home cable company (I live in Windsor, 
ON but my business is in MI, US) or any of these other 
ISPs/Cable/Hosting companies I deal with on a regular basis for my 
clients. I always love it when I start talking to a Tech Support Rep 
and they have no idea what I am saying because they have no clue. I 
usually get "I'm sorry sir, I don't know what you are talking about. I 
just know what my screen tells me."


Oh, and I'm also on my 6th request and 3rd month of waiting for 
Charter.net's upper level support team to contact me so we can figure 
out why they always seem to defer mail 2-3 times a week.


--
Tom Ray
Chief Operations Officer
Detroit Online

DSL * VoIP * Networking * Email * Hosting * Programming 


http://www.detroitonline.com
Toll Free: 888-235-6817 x202
Outside US: 313-887-0805 x202
Fax: 313-887-8321



Re: is it possible to setup SA in a different machine?

2007-08-24 Thread Tom Ray
I'm a little late stepping in on this and it seems the original email 
was deleted from my mail box by mistake. As everyone has said, yes you 
can use SpamAssassin on a separate server. I do that right now and it 
works pretty well. It's also pretty slick because I have it set up to 
filter SPAM not only for the domains I tell it to but also only for 
specific email accounts I tell it to.


In your primary zone file set up two MX records for the domain. 10 goes 
to the spam server, 20 goes straight to the mail machine.


On the server that is running SpamAssassin I have it set up with Exim 
4.67, SA 3.2.2, ClamAV 0.91.2, Bind 9.3.3.



* Create a user equal to the domain. So domain.com is user domaincom. 
For me the user dir is /home/sa-users/domaincom


* In the home dir set up a directory for each account you want to run, 
along with a 0 byte file called spamcheck, so you end up with something 
like /home/sa-users/domaincom/tom/spamcheck


* I add all the domains I'm accepting mail for in /etc/exim/domains

* I add all the domains I'm filtering for in /etc/exim/sa-list

* I create a zone file in /var/named with the following two lines. In my 
resolv.conf I have it looking at the local machine only.

        IN  MX  10 mail.domainnamehere.com.
mail    IN  A   1.1.1.120

My exim.conf Router and Transport for SA look like this:

Router:
# SpamAssassin
spamcheck_router:
  driver = accept
  no_verify
  check_local_user = false
  # When to scan a message:
  #   - it isn't already flagged as spam
  #   - it isn't already scanned
  condition = ${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}
  require_files = /mail/${domain}/spamassassin/${local_part}/spamcheck
  transport = spamcheck

# Only send mail for our domains
lookuphost:
  driver = dnslookup
  domains = /etc/exim/domains
  transport = remote_smtp
  no_more

Transport:
spamcheck:
  driver = pipe
  command = /usr/local/exim/bin/exim -oMr spam-scanned -bS
  use_bsmtp = true
  transport_filter = /usr/bin/spamc -u ${lookup{$domain}lsearch*{/etc/exim/sa-list}{$value}}
  home_directory = /tmp
  current_directory = /tmp
  # must use a privileged user to set $received_protocol on the way back in!
  user = exim
  group = exim
  log_output = true
  return_fail_output = true
  return_path_add = false
  message_prefix =
  message_suffix =

Basically it accepts the mail for the domain; if it's supposed to check 
it for SPAM it does, and all mail is scanned for viruses. I automatically 
drop anything with .vbs, .scr or other types of attachments, and then it 
sends the mail on to my mail server or whatever other mail server I 
specify for the domain in the local zone file. I have clients running in 
house email servers, but I scan for viruses and spam before delivering it 
on to them. The other beauty is that if the main mail server(s) go down, the 
spam server will hold the message in queue until the server(s) are 
responding again. I hold messages for 14 days before thawing and dumping 
them.


Oh and finally, once SA scans email once for the domain it puts the 
user_prefs file in /home/sa-users/domaincom/.spamassassin


Hope this helps.

--
Tom Ray
Chief Operations Officer
Detroit Online

DSL * VoIP * Networking * Email * Hosting * Programming 


http://www.detroitonline.com
Toll Free: 888-235-6817 x202
Outside US: 313-887-0805 x202
Fax: 313-887-8321
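The scan-or-deliver decision that the router and transport above hand to Exim, modelled in Python as an added example (this is not the author's configuration or Exim code): it implements the router condition, the require_files opt-in marker in the path form the posted config uses, and the lsearch* lookup of /etc/exim/sa-list. The sa-list contents, the domains and the directory layout are constructed.

```python
"""Added example (not the author's config or Exim's code): a Python model of
what the posted Exim router/transport decide for one recipient:
  1. the router 'condition' (no X-Spam-Flag header, not yet re-injected
     with -oMr spam-scanned),
  2. the 'require_files' opt-in marker, in the path form the config uses:
     <base>/<domain>/spamassassin/<local_part>/spamcheck,
  3. the lsearch* lookup mapping the domain to the 'spamc -u' user.
The sa-list contents and the directory layout are constructed."""
import os
import tempfile

# Constructed stand-in for /etc/exim/sa-list ('key: value'; '*' is the default row).
SA_LIST = """\
# domain: spamc user
detroitonline.com: detroitonlinecom
example.org: exampleorg
*: nobody
"""

def lsearch_star(table, key):
    """Exim 'lsearch*' semantics: exact key match, else the '*' row, else None."""
    rows = {}
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, _, v = line.partition(":")
        rows[k.strip()] = v.strip()
    return rows.get(key, rows.get("*"))

def should_scan(headers, received_protocol):
    """The router's condition: scan unless already flagged or already scanned."""
    return "X-Spam-Flag" not in headers and received_protocol != "spam-scanned"

def opted_in(base, domain, local_part):
    """require_files: the 0-byte 'spamcheck' marker must exist for this mailbox."""
    marker = os.path.join(base, domain, "spamassassin", local_part, "spamcheck")
    return os.path.isfile(marker)

def route(base, sa_list, headers, received_protocol, domain, local_part):
    """('spamcheck', spamc_user) when the message is piped through spamc;
    ('lookuphost', None) when the router declines and the MX lookup delivers."""
    if should_scan(headers, received_protocol) and opted_in(base, domain, local_part):
        return ("spamcheck", lsearch_star(sa_list, domain))
    return ("lookuphost", None)

def build_demo_layout():
    """Constructed layout in a temp dir: only two mailboxes carry the marker."""
    base = tempfile.mkdtemp(prefix="sa-users-")
    for domain, user in (("detroitonline.com", "tom"), ("other.test", "bob")):
        d = os.path.join(base, domain, "spamassassin", user)
        os.makedirs(d)
        open(os.path.join(d, "spamcheck"), "w").close()  # the 0-byte file
    return base

def demo():
    base = build_demo_layout()
    fresh = {"From": "sender@example.net"}          # first pass through Exim
    flagged = {"From": "x", "X-Spam-Flag": "YES"}   # already marked by SA
    return [
        route(base, SA_LIST, fresh, "esmtp", "detroitonline.com", "tom"),
        route(base, SA_LIST, fresh, "esmtp", "detroitonline.com", "sales"),
        route(base, SA_LIST, fresh, "spam-scanned", "detroitonline.com", "tom"),
        route(base, SA_LIST, flagged, "esmtp", "detroitonline.com", "tom"),
        route(base, SA_LIST, fresh, "esmtp", "other.test", "bob"),
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third and fourth cases are the loop guard: a message re-injected with -oMr spam-scanned, or one already carrying X-Spam-Flag, is never piped through spamc a second time.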



Includes Question.

2006-08-06 Thread Tom Ray
I have SA set up to run per user. My question is: does the user_prefs 
file support any include commands like Apache's httpd.conf or Bind's 
named.conf file does? I basically don't want to re-write the main 
user_prefs file when a user updates their White or Black lists via the 
web interface I'm providing.


I'm looking for something like:

include whitelist.conf
include blacklist.conf

Or something along those lines.


Re: Am I wasting my time with SpamCop?

2006-08-02 Thread Tom Ray
Anyone serious about stopping SPAM should not use SpamCop. They have no 
real checking method, it's like AOL's spam blocking method...they just 
let users submit what they think is spam and then block it. It's 
pointless. There's not even a way to contact anyone at SpamCop to fix a 
falsely listed server or what not.


They are a joke.

John Rudd wrote:


On Aug 2, 2006, at 1:09 PM, Zinski, Steve wrote:


I use SpamCop to report my spam.

I use the SpamHaus RBL as a first line of defense then I use
SpamAssassin to catch the rest of the spam coming to my server.

Am I wasting my time? Should I just delete low-scoring spam and let the
honeypots harvest and report to the various RBLs, or should I keep
reporting spam via SpamCop (which wastes a lot of my time).



In my experience, SpamCop is a colossal waste of _everything_ it 
uses.  Time, space, energy, matter, etc.


But that's just in my experience.  YMMV.



Re: What changes would you make to stop spam? - United Nations Paper

2006-08-02 Thread Tom Ray



Marc Perkel wrote:



Logan Shaw wrote:

On Wed, 2 Aug 2006, Marc Perkel wrote:

SMTP passwords go away because SMTP goes away.


The idea is that outgoing IMAP would replace SMTP and there would be 
no SMTP between clients and servers. SMTP would be a server to 
server protocol.


That's all well and good saying SMTP is server to server
only, but how are you going to get the spammers to cooperate?
Do you think they will volunteer?  And when you are running
an SMTP server, how can you tell if SMTP connections that it
receives are really coming from another server?

  - Logan



If SMTP becomes a server to server protocol then it will wipe out 
consumer virus infected spam zombies. It's not going to get rid of all 
spam - just most of it.


The other problem you run into is the fact that one man's SPAM is 
another man's acceptable email.


Re: Am I wasting my time with SpamCop?

2006-08-02 Thread Tom Ray



Derek Harding wrote:

On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:

Anyone serious about stopping SPAM should not use SpamCop. They have no 
real checking method, it's like AOL's spam blocking method...they just 
let users submit what they think is spam and then block it. It's 
pointless. There's not even a way to contact anyone at SpamCop to fix a 
falsely listed server or what not.



Spamcop has its problems, some very serious, however the above
mis-information should be corrected.

If you are listed incorrectly you should email [EMAIL PROTECTED]
They're quite helpful although their definition of incorrectly may
differ from other people's definitions (including my own). For example,
when some muppet reported us 25 times for a single email Spamcop removed
all but one report and canceled the listing immediately. So to say
there's no way to contact them is plain wrong.

Derek

Let me re-phrase that: there's no listed form of contact on their 
website. I was just there...you have a choice of "Header Help" and "Terms". 
There's no "Contact SpamCop" option, no listed email accounts to mail 
to. So how does Joe Average know how to contact SpamCop?


So one of their serious problems is not listing the fact there is a way 
to contact them. I remember when SpamCop started, there was a ton more 
information on the site plus a way to check if you were listed with 
SpamCop (which you can't do anymore) plus contact information. None of 
that exists anymore.


Re: Am I wasting my time with SpamCop?

2006-08-02 Thread Tom Ray



Tom Ray wrote:



Derek Harding wrote:

On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:

Anyone serious about stopping SPAM should not use SpamCop. They have 
no real checking method, it's like AOL's spam blocking method...they 
just let users submit what they think is spam and then block it. 
It's pointless. There's not even a way to contact anyone at SpamCop 
to fix a falsely listed server or what not.



Spamcop has its problems, some very serious, however the above
mis-information should be corrected.

If you are listed incorrectly you should email [EMAIL PROTECTED]
They're quite helpful although their definition of incorrectly may
differ from other people's definitions (including my own). For example,
when some muppet reported us 25 times for a single email Spamcop removed
all but one report and canceled the listing immediately. So to say
there's no way to contact them is plain wrong.

Derek

Let me re-phrase that: there's no listed form of contact on their 
website. I was just there...you have a choice of "Header Help" and 
"Terms". There's no "Contact SpamCop" option, no listed email accounts 
to mail to. So how does Joe Average know how to contact SpamCop?


I stand corrected. I was at SpamCop.com and not SpamCop.net, which has 
these methods...nice to link over to the proper site.

So one of their serious problems is not listing the fact there is a 
way to contact them. I remember when SpamCop started, there was a ton 
more information on the site plus a way to check if you were listed 
with SpamCop (which you can't do anymore) plus contact information. 
None of that exists anymore.


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-01 Thread Tom Ray

4a) maybe generalize #4 to include various other RFC issues (matching 
PTR and A records is an RFC requirement, after all), such as the things 
tracked at RFC-Ignorant



Less feasible, too many players.

How about: domain registrars are required to block any domain they
have registered that does not have working (i.e. read-by-a-human)
postmaster@ and abuse@ aliases? 

Being that I am a domain registrar (small, but still), how will I know if 
they have a working postmaster or abuse alias? And even if they did, a 
quick filter set up at the server level will have those mails /dev/null'd 
in no time. This isn't a feasible idea for one reason and one reason 
only: Network Solutions. They'll find some way to re-route that domain 
to their own use.

5) Require ISP's to channel their customer's email through their own 
mail servers (which will have some impact upon SPF tracking as well) 
and not allow any non-business customers, nor any dynamic customers 
(business or commercial), to directly connect to other mail servers.



Totalitarian regimes will *love* that one. ISPs will hate it.

Hate to break the news to you, but many ISPs are already not allowing 
their users to connect via port 25 outside their networks. Comcast has 
done it, as have a few others already. I run into this a lot because I'm 
also a hosting company and offer SMTP Auth, but many customers have 
issues because they can't connect to port 25 on my mail server. I also 
totally agree with this practice: if they are going to be on the hook 
for something their users did then they need to keep a watchful eye on 
their customers.


ISPs don't hate this considering that many ISPs now do hosting, it's a 
way for them to get their customers to bring the hosting over to them also.


Custom .cf files

2006-07-26 Thread Tom Ray

I know I asked this before but I believe I asked it wrong.

Is it possible to have each user have their own 10_misc.cf or any of the 
other .cf files? Right now all are stored in /usr/share/spamassassin; I'd 
like each user to have their own.


Anyone done this before?

--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Re: Custom .cf files

2006-07-26 Thread Tom Ray



Theo Van Dinter wrote:

On Wed, Jul 26, 2006 at 03:06:40PM -0400, Tom Ray wrote:

Is it possible to have each user have their own 10_misc.cf or any of the 
other .cf files? Right now all are stored in /usr/share/spamassassin; I'd 
like each user to have their own.


Anyone done this before?



This is quite usual actually, that's what user_prefs are for.

Well, I'm still quite new to this. So can I shove that information into 
user_prefs, or do I modify user_prefs to call on a directory?


--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Editing Question....

2006-06-09 Thread Tom Ray
Is there a way to edit the message that appears in your mail when it's 
marked as spam?


This is the text I want to edit:

Spam detection software, running on the system mx02.detroitonline.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Actually, the better way to phrase this is that I want each domain owner 
able to edit their own version of that. I do virtual email hosting, but I 
run each domain under its own user name so the Admin controls their 
spam rules. I want them to be able to edit that with their own 
information. Can we do that?


--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Re: Virtual Users

2006-06-07 Thread Tom Ray



Bowie Bailey wrote:

David O'Brien wrote:

Hello,

I am running SpamAssassin version 3.0.4-2.fc4, exim 4.62-1.fc4 
dovecot 0.99.14-4.fc4 


I have virtual users, with mail being stored in the directory format
/data/mail/domain.com/user/ 
So, the mail for [EMAIL PROTECTED] would be stored in
/data/mail/obrien.com/david/ 


I have tried setting the --virtual-config-dir option to
--virtual-config-dir=/data/mail/%d/%l so the user_prefs file would be
created in the correct location, however %d and %l do not seem to be
expanding to the domain and local part of the username.  I am getting
the following in my log file:


Using default config for nobody: /data/mail///user_prefs

I have seen this mentioned before, but have not seen a solution. 
Does anyone have any idea what the problem is, and what the solution
is?  



Are you providing the email address via spamc?

spamc -u [EMAIL PROTECTED]

I'm trying to do the same thing that David is doing. I have spamd 
running with --config-virtual-dir=/mail/%d/mail/%l, so it should expand 
to mail/detroitonline.com/mail/tom for any email being sent to me.


Within my directory I have a directory called .spamassassin and within 
that I have a user_prefs file. I have my score set to 2 while the global 
is set to 5.


Within exim I have spamc set to run as spamc -u 
[EMAIL PROTECTED], which does expand to [EMAIL PROTECTED]. 
However I can't find the logfile that David refers to. Spamd start-up, 
stops, etc. all display within my syslog, as do any -D messages. So I 
have a couple of questions..


1) Where do I find that entry that David refers to?
2) Spam is being scanned but it's being scored out of 5 instead of 2 
which means it's reading the global file and not my user file.
3) It is my understanding that spamc needs to run as a user on the 
machine, but if these are virtual accounts and don't exist on the 
machine how will spamc run everything? In Exim the user exim runs 
everything and all mail files and directories have to be set with exim 
as the user and group.
4) Am I doing this right? I've laid out my specs before and asked that 
but no ones said yes or no.


Any help would be appreciated.

Thanks.

--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Just installed Spam Assassin and having a little issue.

2006-05-19 Thread Tom Ray

Hey all-

I just installed SpamAssassin and I'm running into a small problem. I'm 
running a mail server with Exim 4.60 and it's hosting virtual accounts. 
So the setup is basically /mail/domain.com/mail/user/inbox. What I would 
like to do is give each user control over their SA settings, so I've 
tried two different ways to make SA work the way I wanted.


I've copied the user_prefs template over to the following:

1) Tried doing it this way: /mail/domain.com/mail/.spamassassin/user.cf
2) /mail/domain.com/mail/user/.spamassasin/user_prefs

I have the following Router in my Exim config:

# SpamAssassin
spamcheck_router:
  driver = accept
  no_verify
  check_local_user
  # When to scan a message:
  #   - it isn't already flagged as spam
  #   - it isn't already scanned
  condition = ${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}
  require_files = /mail/${domain}/mail/.spamassassin/${local_part}/user_prefs
  transport = spamcheck

With this Transport:

spamcheck:
  driver = pipe
  command = /usr/local/exim/bin/exim -oMr spam-scanned -bS
  use_bsmtp = true
  transport_filter = /usr/bin/spamc
  home_directory = /tmp
  current_directory = /tmp
  # must use a privileged user to set $received_protocol on the way back in!
  user = exim
  group = exim
  log_output = true
  return_fail_output = true
  return_path_add = false
  message_prefix =
  message_suffix =

Now I only have one account under one of the domains set up with a 
user_prefs and/or a user.cf file. SA is scanning for SPAM on that 
account, so I'm assuming that the require_files command in the Router is 
working, because other accounts under that domain are not scanning for SPAM, 
nor are any other domains/accounts on the server. However, it will only 
read the /etc/mail/spamassassin/local.cf file and is ignoring the lower 
score setting I have in my user_prefs file.


My question is, how do I get SA to read from the user_prefs file under 
the virtual email user accounts? Anyone done this before? I'm kinda new 
to SA and I'm still getting the hang of customizing it.


Thanks!

--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501
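How spamd turns its --virtual-config-dir pattern and the username spamc sends with -u into the user_prefs path it reads, written as an added example for the two virtual-user threads above (the "Virtual Users" reply and this post); it is not spamd's own code. It assumes the %u/%l/%d/%% placeholders, that a username without an @ leaves %l and %d empty (which is what the /data/mail///user_prefs log line quoted in the "Virtual Users" thread shows), and that spamd expects user_prefs directly in the expanded directory; the paths and the set of present files are constructed.

```python
"""Added example (not spamd's own code): how spamd expands its
--virtual-config-dir pattern from the username spamc sends with -u, and
where it then expects user_prefs. Assumptions: %u, %l, %d and %% are the
placeholders; a username without '@' leaves %l and %d empty (which is what
the '/data/mail///user_prefs' log line quoted earlier shows); user_prefs is
read directly from the expanded directory. All paths are constructed."""
import re

# Constructed sanity check: only plain local parts / domains reach the pattern,
# and no '..' path components, so the expanded dir stays under the mail store.
SAFE_USER = re.compile(r"^[A-Za-z0-9._+-]+(@[A-Za-z0-9.-]+)?$")


def split_user(username):
    """(local_part, domain); both empty when the name carries no '@'."""
    if "@" in username:
        local, _, domain = username.partition("@")
        return local, domain
    return "", ""


def expand_virtual_dir(pattern, username):
    """Substitute %u, %l, %d and %% in the --virtual-config-dir pattern."""
    if not SAFE_USER.match(username) or ".." in username:
        raise ValueError("refusing unsafe spamc -u value: %r" % username)
    local, domain = split_user(username)
    subst = {"u": username, "l": local, "d": domain, "%": "%"}
    return re.sub(r"%([uld%])", lambda m: subst[m.group(1)], pattern)


def user_prefs_path(pattern, username):
    """Where spamd reads (or creates a default) user_prefs for this user."""
    return expand_virtual_dir(pattern, username) + "/user_prefs"


def diagnose(pattern, username, present):
    """Compare spamd's expected path with a (constructed) set of files that
    exist on the mail store and say why per-user scores do or do not apply."""
    wanted = user_prefs_path(pattern, username)
    if wanted in present:
        return "per-user prefs found at " + wanted
    below = sorted(p for p in present
                   if p.startswith(expand_virtual_dir(pattern, username) + "/"))
    if below:
        return "global config used; %s not found (found %s instead)" % (wanted, below[0])
    return "global config used; %s not found" % wanted


# Constructed picture of the mail store: one mailbox keeps user_prefs in a
# .spamassassin subdirectory, the other directly in the expanded directory.
PRESENT = {
    "/mail/detroitonline.com/mail/tom/.spamassassin/user_prefs",
    "/mail/detroitonline.com/mail/sales/user_prefs",
}

if __name__ == "__main__":
    print(user_prefs_path("/data/mail/%d/%l", "nobody"))  # no user@domain given
    print(user_prefs_path("/mail/%d/mail/%l", "tom@detroitonline.com"))
    print(diagnose("/mail/%d/mail/%l", "tom@detroitonline.com", PRESENT))
    print(diagnose("/mail/%d/mail/%l", "sales@detroitonline.com", PRESENT))
```

The first call reproduces the /data/mail///user_prefs path from the quoted log line: with no user@domain passed through spamc -u, both placeholders collapse to nothing and every mailbox shares one file.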