Re: AOL Backscatter Spam?
mouss wrote:
> [EMAIL PROTECTED] wrote:
>> Has anyone else noticed a major spike in backscatter from AOL servers?
>
> No. Can you share that (publishing the actual backscatter)?

I'll post log entries from postfix as soon as I can sanitize them to protect our addresses.
AOL Backscatter Spam?
Has anyone else noticed a major spike in backscatter from AOL servers?
Re: Postfix/SpamAssassin Integration
James Keating wrote:
> Dear Sirs/Madams,
>
> I have been attempting to properly integrate SpamAssassin into Postfix and have not found the solution that I am looking for. Currently I have Spamassassin running as a daemon (spamd, version 3.1.0a-2) which uses MySQL to store Bayes, AWL, user preferences and stats. Postfix is currently configured to connect to spamd using a pipe setup inside master.cf. Here is the current configuration:
>
> smtp inet n - - - 50 smtpd
>   -o content_filter=spamassassin
> spamassassin unix - n n - 50 pipe
>   user=nobody argv=/usr/bin/spamc -u ${recipient} -d localhost -e /usr/lib/sendmail -oi -f ${sender} ${recipient}
>
> This setup appears to work properly but I am concerned about what happens when/if spamc cannot communicate properly with spamd. Currently if spamd is not functioning or is dead, the message is passed through to sendmail, instead of being deferred and placed back into the queue until spamc can connect to spamd. I have modified the spamc flags to contain -x (which is supposed to stop the graceful fall back), but sendmail is still passed the message and it is delivered to the user.
>
> I have already tried amavisd-new, spampd, qpsmtpd and a simple shell script for connecting to spamassassin. None of these allow me to fully use spamassassin's per user preferences and get proper fall back when/if spamd is dead. I am hoping there is another option that I have not tried yet. Any input would be greatly anticipated.
>
> Thanks,
> James

Is this a high volume mail server?

If it is not, you could call spamc/spamd from procmail, check the email to see if it has spamassassin results, and if it does not, run it through spamassassin instead.

This is dangerous if your mail server is high volume because spamassassin chews a lot more resources than spamc/spamd.

Something like this should do the trick (this is off the cuff, and just a reference, you will have to modify for your exact setup).
master.cf

spamassassin unix - n n - 50 pipe
  argv=/usr/bin/procmail -m /path to procmailrc/procmailrc ${sender} ${recipient}

procmailrc

:0
* < 512000
{
  :0fw
  | spamc

  :0fw
  * !^X-SPAM-STATUS:
  | spamassassin
}

:0
! -f "$@"
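One way to get the deferral asked for in the question above, as an added example that is not code from either poster: a wrapper script used as the pipe `argv` in place of `spamc -e`, which returns EX_TEMPFAIL (75) so Postfix keeps the message queued while spamd is unreachable. The paths, the `filter_message` name and the one-recipient-per-call convention are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed SpamAssassin filter for a Postfix pipe(8) transport.
# Paths are assumptions; override SPAMC/SENDMAIL in the environment to test.
SPAMC=${SPAMC:-/usr/bin/spamc}
SENDMAIL=${SENDMAIL:-/usr/lib/sendmail}
EX_TEMPFAIL=75   # sysexits.h: pipe(8) defers the message and retries later

# usage: filter_message SENDER RECIPIENT   (message on stdin)
filter_message() {
    sender=$1
    recipient=$2
    tmp=$(mktemp "${TMPDIR:-/tmp}/safilter.XXXXXX") || return "$EX_TEMPFAIL"

    # -x disables spamc's safe fallback, so a dead spamd gives a non-zero exit.
    # No -e here: the scanned message is captured, not piped straight to sendmail.
    if ! "$SPAMC" -x -u "$recipient" -d localhost >"$tmp"; then
        rm -f "$tmp"
        return "$EX_TEMPFAIL"
    fi

    # Second check, header block only: spamd's markup must be present.
    # An unscanned message that came back with exit 0 is deferred too.
    if ! sed '/^$/q' "$tmp" | grep -qi '^X-Spam-Status:'; then
        rm -f "$tmp"
        return "$EX_TEMPFAIL"
    fi

    # "--" stops an address that starts with "-" being parsed as an option.
    "$SENDMAIL" -oi -f "$sender" -- "$recipient" <"$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Postfix passes ${sender} ${recipient}; with no arguments this only defines
# the function (useful for sourcing and testing).
if [ "$#" -ge 2 ]; then
    filter_message "$@"
    exit $?
fi
```

In master.cf the transport would then call the script with `${sender} ${recipient}` as its two arguments, keeping `user=nobody` as in the original configuration.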
Re: Doubling up of score on these Outlook rules?
Jason Haar wrote:
> I just received a (valid) email notification from a Web service that got a score of 7/5. It contained the following scores:
>
>   2.5 FORGED_OUTLOOK_HTML  Outlook can't send HTML message only
>   3.4 FORGED_MUA_OUTLOOK   Forged mail pretending to be from MS Outlook
>
> That seems a bit of a double-whammy doesn't it? I mean if SA thinks it's forged Outlook (the 3.4), then shouldn't the 2.5 be dropped? If that isn't the case, then why not just give FORGED_MUA_OUTLOOK a score of 5.9?

I thought these were different tests?

1) test saying that Outlook can not send HTML only email
2) the MUA header isn't a legitimate OUTLOOK MUA?

IMHO these rules complement each other. Or am I reading these wrong?
Re: Anyone ever see this?
Thanks for the input all!
Anyone ever see this?
Got a nasty spam with an extremely oversized Thread-Index header. (I set my word wrap to 72 characters, I don't know if it will hold up however when I hit send). Does anyone know if it is exploiting a known Outlook/Exchange security hole?

The Thread-Index header seems to have caused Microsoft Outlook to "pick" a friendly name from the user's address book and also hide the To: header so it came through to undisclosed recipients. The entire mail was 1.2megs so SpamAssassin of course did not scan it.

From [EMAIL PROTECTED] Tue Aug 30 15:47:08 2005
Return-Path: <[EMAIL PROTECTED]>
Received: from excluster1.scriptlogic.com (excluster1.scriptlogic.com [65.248.131.18])
  by inpf1.XXX.com (Postfix) with ESMTP id 46F0231A829
  for <[EMAIL PROTECTED]>; Tue, 30 Aug 2005 15:47:01 -0400 (EDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_=_NextPart_001_01C5AD9B.92851B9B"
Subject: Active Directory Security, Back up and Restore with Active Administrator 4.0
Date: Tue, 30 Aug 2005 15:46:53 -0400
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Active Directory Security, Back up and Restore with Active Administrator 4.0
Thread-Index: M1MrcQAABkikAAABo7UAAACh9gAADFfA9p0AAAGjjwAAAg2HAAKaui8AAAByWQAAAQVxJoUAAz9yDgAJOgxbK+sAAAfCWwAAAWmxAAABJWsAAAJAOQAAAm4KAAAG5l8AAAOulQAAADfpAAABA3IAAEPefwAAA5tOPNoAABgDXgACBE0tAAATBjwAAAex2AAACFjoAAAOMtMAAAdZCgAAADXWKzMubgAAFGHBAAA/Qa4AAAtObAAAQPqkAAAGSK0AAAzuzQ
From: "Jeffrey Colas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>