Re: Spamtrap detectors?

2007-02-19 Thread mewolf1
On 02/19/07 15:21, Giampaolo Tomassoni wrote:

> ([EMAIL PROTECTED])

> Are they spamtrap-detecting messages (see partially masked code),
> bayes poisoners (last text line often changes), a spammer exploding
> in a supernova, or all of the above?


Thanks for mentioning them, now I have noticed them in our mail logs too.

I have noticed that a lot of malware mails (trojans and such) have lately been
sent with sender addresses like @ where some.domain
apparently has a catchall behaviour so that it will answer sender verification
requests with "deliverable".

So I guess that by accepting mails to [EMAIL PROTECTED] you will invite abusers 
to use your domain in faked sender addresses.

Cheers,

wolfgang




Re: uri(bl) checks don't detect URLs with capitalized Http

2005-04-13 Thread mewolf1
In an older episode (Thursday 14 April 2005 00:54), Theo Van Dinter wrote:

> In this case, however, it's not clear if he's running something like a
> Fedora RPM version of SpamAssassin where he could just go ahead and update
> at will, or if it's something like Barracuda/etc, where you really can't
> just go changing things on your own.  The flip side of that of course is
> that you'll have vendor support who you can call and make requests of. ;)

at home, i am running debian linux with SpamAssassin version 3.0.2 running on 
Perl version 5.8.4, or as debian puts it:
Installed: 3.0.2-1
Candidate: 3.0.2-1
== nothing newer available in debian.

at work, we do use a vendor's pre-installed SpamAssassin version 3.0.2 running
on Perl version 5.8.5 and Fedora Core release 3 (Heidelberg), rpms built by 
the vendor:
spamassassin-3.0.2-1
spamassassin-tools-3.0.2-1

i will have to find out exactly which modifications have been applied to which 
source by the vendor. anyway, further modifications are possible both from 
the vendor or us, the owners. learning at home how to apply the fix at all 
will make it easier to be able to judge / request / apply necessary changes 
at work.



uri(bl) checks don't detect URLs with capitalized Http

2005-04-13 Thread mewolf1
http://bugzilla.spamassassin.org/show_bug.cgi?id=4111#c12

how would you apply the (apparently existing) fix to an existing SA 3.* 
installation where SA comes from a distributor? can the affected perl module 
be installed via a CPAN shell for example?



Re: SpamAssassin Suddenly Not Catching Spam

2005-04-13 Thread mewolf1
In an older episode (Wednesday 13 April 2005 20:47), Marisabel Rodríguez 
wrote:
> Hello,
> how can I unsubscribe?

the headers of each mail that i receive from this list contain the line:
list-unsubscribe: 



Re: Re[2]: Arithmetic score for replaced O's and I's?

2005-04-13 Thread mewolf1
Sorry, for some reason Kmail shows the text in my 2 previous mails only when 
viewing the message source, some MIME problem apparently. So once more:

In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:

> Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted [EMAIL PROTECTED], and I'|| f1nd
> a 600D horme 4 them...
> 
> (Not the entire spam emails, please -- just the obfuscations.)

Robert, I just sent you obfuscations privately off list, is that what you 
meant?

regards



Re: Re[2]: Arithmetic score for replaced O's and I's?

2005-04-13 Thread mewolf1
In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:

> Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted [EMAIL PROTECTED], and I'|| f1nd
> a 600D horme 4 them...
> 
> (Not the entire spam emails, please -- just the obfuscations.)

I just sent you obfuscations privately off list, is that what you meant?

regards


Re: Re[2]: Arithmetic score for replaced O's and I's?

2005-04-13 Thread mewolf1
In an older episode (Wednesday 13 April 2005 02:57), Robert Menschel wrote:

> Send me your t1r3d, h0m3|ess, hun6ry, un\/\/anted [EMAIL PROTECTED], and I'|| f1nd
> a 600D horme 4 them...
> 
> (Not the entire spam emails, please -- just the obfuscations.)

I just sent you mine off list, is that what you meant?

regards


Re: Applying a patch to Util.pm

2005-04-08 Thread mewolf1
In an older episode (Friday 08 April 2005 20:23), Stuart Johnston wrote:
> Theo Van Dinter wrote:
> > On Fri, Apr 08, 2005 at 06:28:25PM +0200, [EMAIL PROTECTED] wrote:
> > 
> >>>-  $uri =~ s,:\d+$,,gs; # port
> >>>+  $uri =~ s,:\d*$,,gs; # port
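Review bot: on the `+` line the `g` and `s` modifiers do nothing, because the pattern is anchored with `$` and contains no `.`, so the substitution can match at most once. Consider dropping them (`s,:\d*$,,`) so the line does not suggest that more than one port can be stripped.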
> >>
> >>How exactly should i apply the patch?
> > 
> > 
> > Since it's a 1 character change, you can just edit the file manually. :)

Good point, thanks!
Done.

> > 
> 
> While you're in there, you might want to change the line above it as 
> well (if you haven't already).  Bug #4213
> 
> -  $uri =~ s,[/\?\&].*$,,gs;# path/cgi params
> +  $uri =~ s,[/\?].*$,,gs;  # path/cgi params
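Review bot: the `+` line drops `\&` from the character class but leaves the comment `# path/cgi params` unchanged and carries no reference to the bug it fixes. A short comment saying why `&` no longer ends the host part would stop someone from adding it back later; the backslash before `?` is also unnecessary inside a bracket class, so `[/?]` is enough.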

Done. Thanks to you, too.



Applying a patch to Util.pm

2005-04-08 Thread mewolf1
In SpamAssassin version 3.0.2 running on Perl version 5.8.4 I have tried to 
apply the patch suggested in
http://bugzilla.spamassassin.org/show_bug.cgi?id=4191
but it does not work as expected:
> The fix is trivial.  Apply the following patch to lib/SpamAssassin/Util.pm:
> 
> --- Util.pm.origMon Mar 14 10:38:59 2005
> +++ Util.pm Mon Mar 14 10:39:12 2005
> @@ -788,7 +788,7 @@
>$uri =~ s#^[a-z]+:/{0,2}##gsi;   # drop the protocol
>$uri =~ s,^[^/]*\@,,gs;  # username/passwd
>$uri =~ s,[/\?\&].*$,,gs;# path/cgi params
> -  $uri =~ s,:\d+$,,gs; # port
> +  $uri =~ s,:\d*$,,gs; # port
> 
>return if $uri =~ /\%/; # skip undecoded URIs.
># we'll see the decoded version as well
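Review bot: with `\d*` the `+` line also matches a colon followed by no digits, so a trailing `:` with an empty port is now removed, yet the comment still says only `# port`. Say so in the comment (for example `# port, possibly empty`) and add a regression test with a host that ends in a bare colon, since nothing in this hunk pins the new behaviour.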

I copied that from my browser to a file and ran
patch -p0 < /root/Util.pm.patch in
/usr/share/perl5/Mail/SpamAssassin.
Error:
patching file Util.pm
Hunk #1 FAILED at 788.
1 out of 1 hunk FAILED -- saving rejects to file Util.pm.rej

# cat Util.pm.rej 
***
*** 788,794 
$uri =~ s#^[a-z]+:/{0,2}##gsi;   # drop the protocol
$uri =~ s,^[^/]*\@,,gs;  # username/passwd
$uri =~ s,[/\?\&].*$,,gs;# path/cgi params
-   $uri =~ s,:\d+$,,gs; # port
  
return if $uri =~ /\%/; # skip undecoded URIs.
# we'll see the decoded version as well
--- 788,794 
$uri =~ s#^[a-z]+:/{0,2}##gsi;   # drop the protocol
$uri =~ s,^[^/]*\@,,gs;  # username/passwd
$uri =~ s,[/\?\&].*$,,gs;# path/cgi params
+   $uri =~ s,:\d*$,,gs; # port
  
return if $uri =~ /\%/; # skip undecoded URIs.
# we'll see the decoded version as well

How exactly should i apply the patch?