Re: SpamCop and false positives from Yahoo

2011-04-07 Thread Matthew Kitchin (usenet/public)
Excuse the top post, on a blackberry. 
They have a list/newsgroup where you can email the 'deputies'. If it is still 
the way they used to be run, they aren't really false positives. Those servers 
really are sending spam. I think all listings are automatically removed after a 
few days or so. 
-Original Message-
From: Julian Yap 
Date: Thu, 7 Apr 2011 14:01:31 
To: 
Subject: SpamCop and false positives from Yahoo

I'm seeing a lot of false positives from SpamCop blacklisting Yahoo mail
IPs.

For example:
http://www.senderbase.org/senderbase_queries/detailip?search_string=98.138.82.0%2F24
http://www.senderbase.org/senderbase_queries/detailip?search_string=115.178.12.0%2F24

Anyone tried or anyone have a contact at SpamCop who can get Yahoo mail
blocks whitelisted?

- Julian



Re: please unsub uppermohawkinc.com

2011-04-01 Thread Matthew Kitchin (public/usenet)

On 4/1/2011 5:31 PM, Michael Scheidell wrote:

numnuts at uppermohawkinc.com doesn't know how to run a mail server, and
should not be 'backscatter' bouncing email.


I just got 6 bounces (not smtp reject) but bounces from them for email 
sent to users@spamassassin.apache.org


anyone that does that should NOT be infecting the rest of the world 
with their backscatter.


also seems the jerks think that email 'From: ' me (sent through 
users@spamassassin.apache.org) needs to match MY spf records
(yes, spf is broken.. no, the jerks that think spf stops spam are 
broken, the jerks that run mail servers and can't read, they are broken)



Thanks for the explanation. I was just trying to decipher the bounce 
message I got to figure out why.


Re: ups.com virus has now switched to dhl.com

2011-03-31 Thread Matthew Kitchin (public/usenet)

On 3/31/2011 1:34 PM, Ned Slider wrote:


I'd go a step further and say no way you should be accepting 
executables at the smtp level, so no reason to be passing them to SA 
for scanning in the first place. These should be rejected or 
quarantined elsewhere in the mail chain.


Agreed. One of my oldest (probably needs a tune-up) and most effective 
postfix rules is:


/^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
  ade|adp|asf|asx|avi|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|
  isp|js|jse|lnk|mdb|mde|mdt|mdw|mp3|mpe|mpg|mpeg|msc|msi|msp|mst|nws|
  ops|pcd|pif|prf|qt|ram|rm|rmj|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|
  wma|wmv|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x REJECT 598 Attachment name "$2" rejected. Attachments of this type are not allowed.
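
An added example, not part of the original post: a Python port of the header_checks pattern above, run against constructed MIME headers to show which attachment names it rejects and which it lets through. The re.I and re.S flags mirror the Postfix PCRE table defaults; the function name and the sample headers are made up for illustration.

```python
import re

# Python port of the header_checks pattern quoted above. Postfix PCRE tables
# match case-insensitively and let "." match newlines by default, so the port
# sets re.I and re.S next to re.X (the rule's own /x flag).
BLOCKED_ATTACHMENT = re.compile(r'''
    ^Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
      ade|adp|asf|asx|avi|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ins|
      isp|js|jse|lnk|mdb|mde|mdt|mdw|mp3|mpe|mpg|mpeg|msc|msi|msp|mst|nws|
      ops|pcd|pif|prf|qt|ram|rm|rmj|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|
      wma|wmv|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)
    ''', re.I | re.S | re.X)


def rejected_name(header):
    """Return the attachment name the rule would reject ("$2"), or None."""
    match = BLOCKED_ATTACHMENT.search(header)
    return match.group(2) if match else None


# Constructed sample headers, one logical header per string (a folded header
# keeps its embedded newline, which is how the pattern has to cope with it).
SAMPLES = [
    'Content-Disposition: attachment; filename="invoice.exe"',
    'Content-Type: application/octet-stream; name=SETUP.EXE',
    'Content-Disposition: attachment; filename="report.pdf.scr"',
    'Content-Disposition: attachment; filename="=?UTF-8?Q?invoice.exe?="',
    'Content-Type: application/x-msdownload;\n\tname="update.bat"',
    'Content-Type: application/pdf; name="report.pdf"',
    'Content-Type: text/plain; name="readme.com.txt"; charset=us-ascii',
]


def run_samples():
    """Pair every sample header with the name the rule would reject."""
    return [(header, rejected_name(header)) for header in SAMPLES]


if __name__ == "__main__":
    for header, name in run_samples():
        verdict = 'REJECT "%s"' % name if name else "pass"
        print("%-36s %r" % (verdict, header))
```

The rule only sees the name the sender declares in the MIME header, so it is a cheap first filter ahead of content scanning rather than a replacement for it.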


Re: Spamassassin,clamAV and Clamsmtp

2011-03-05 Thread Matthew Kitchin (public/usenet)

On 3/5/2011 3:36 PM, Cimoni Enwis Ogwujiakwu wrote:

Hello All,
I am trying to set up an anti-spam and anti-virus proxy solution with 
spamassassin, clamav and clamsmtp. I have currently set up 
postfix, spamassassin, clamav, and clamsmtp and everything is working 
fine but I do not want the postfix in the setup anymore because I want 
to run the system as a proxy for port 25/587 traffic at my gateway. 
clamav and clamsmtp are both working excellently as anti-virus proxy 
but I do not know how to include spamassassin in this setup.

Please, I need your assistance.

Many have great success with Postfix -> Amavisd (with clamav and 
spamassassin).
I have run this in some form or another for about 8 years or so. It may 
not be exactly what you want though. I'm not sure if that would meet 
your requirements for a proxy. You can have postfix pass the mail to 
your next filter before it accepts it in queue.

http://www.postfix.org/SMTPD_PROXY_README.html
I have never actually done this setup, but it has been on my to-do list.


Simon






Re: Should Emails Have An Expiration Date

2011-03-01 Thread Matthew Kitchin (usenet/public)
I argued I could keep an email even if you told me I had to delete it. You argued 
that it may be required that I keep an email. I give up. 
-Original Message-
From: Ted Mittelstaedt 
Date: Tue, 01 Mar 2011 21:38:55 
To: 
Subject: Re: Should Emails Have An Expiration Date

On 3/1/2011 8:58 PM, Matthew Kitchin (usenet/public) wrote:
> Sorry for top posting, on a bberry. So, you would say someone can
> send me a letter in the mail with the condition I am only allowed to
> read it one time?

Yes.

Nobody ever said the law isn't stupid.  But in fact the newest
Blu-ray spec, BDXL, will include a WRITABLE area of the disk,
the intent is to allow a BDXL player to write an ID to the disk
so that Hollywood can produce disks that can only be played
on one player, or only be played a limited number of times, etc.
This is because, as I said, copyright law allows the copyright
holder to assert this as a right.  And if you made a copy of
a movie on one of those BDXL disks and kept it after it expired,
you're breaking the law.

> I call BS too. The movie example is completely
> different. The purchase of a ticket is an agreement to watch the
> movie one time. No agreement exists for an email.

The argument that people only have to follow the law with e-mails
when they have bought them isn't supportable.  Courts have found that
e-mails are considered "business documents" and if I am suing you,
I can execute discovery against you and get all your stored
e-mail.  If you claim you had the right to delete whatever mails
that you got just because you didn't pay for those mails, then
guess again, if any of those mails had anything to do with your
business decisions, then you're legally required to hang on to them to 
support your other business documentation because of document
retention laws.  That is why I said that the businesses might like
the expiration because they can argue that copyright trumps the
retention laws.

The same thing exists for paper mail.  Suppose your business gets
2000 letters from customers praising your product and you then go
advertise that you have over 20,000 satisfied customers.  You then
get sued for false advertising.  In court you argue that you
normally get a 10% response rate and the 2000 letters mean you
really have 20,000 satisfied customers.  The court buys the 10%
response but then demands to see the 2000 letters.  You claim
because you didn't pay for the letters you can do what you want
with them and you just threw them away.

Guess what, you're going to lose.

Ted

> --Original Message--
> From: Ted Mittelstaedt
> To: users@spamassassin.apache.org
> Subject: Re: Should Emails Have An Expiration Date
> Sent: Mar 1, 2011 10:50 PM
>
> On 3/1/2011 11:55 AM, John Levine wrote:
>>> From a legal perspective I will point out that any e-mail you
>>> receive is (at least in the US, but most other countries too)
>>> considered copyrighted by the sender.  Under copyright law the
>>> sender has the right to control expiration of content they
>>> create,
>>
>> I really think it would be a good idea for people to refrain from
>> playing Junior Lawyer here.
>>
>> I know just enough about copyright law to know that this claim is
>> nonsense.
>>
>
> No, it is not nonsense.  Copyright law does allow the content
> creator to specify duration of use.  If you go view a movie in a
> movie theater you buy a ticket for a single viewing, you do not
> automatically get to view it multiple times just because you bought a
> ticket.
>
> Ted
>
>> R's, John
>
>
>



Re: Should Emails Have An Expiration Date

2011-03-01 Thread Matthew Kitchin (usenet/public)
Sorry for top posting, on a bberry. 
So, you would say someone can send me a letter in the mail with the condition I 
am only allowed to read it one time? I call BS too. The movie example is 
completely different. The purchase of a ticket is an agreement to watch the 
movie one time. No agreement exists for an email. 
--Original Message--
From: Ted Mittelstaedt
To: users@spamassassin.apache.org
Subject: Re: Should Emails Have An Expiration Date
Sent: Mar 1, 2011 10:50 PM

On 3/1/2011 11:55 AM, John Levine wrote:
>>  From a legal perspective I will point out that any e-mail you
>> receive is (at least in the US, but most other countries too)
>> considered copyrighted by the sender.  Under copyright law the
>> sender has the right to control expiration of content they create,
>
> I really think it would be a good idea for people to refrain from
> playing Junior Lawyer here.
>
> I know just enough about copyright law to know that this claim is
> nonsense.
>

No, it is not nonsense.  Copyright law does allow the content creator
to specify duration of use.  If you go view a movie in a movie theater
you buy a ticket for a single viewing, you do not automatically get
to view it multiple times just because you bought a ticket.

Ted

> R's,
> John




Re: List of "banned" words/bounce to sender

2010-08-09 Thread Matthew Kitchin (public/usenet)

 On 8/9/2010 8:27 AM, Henrik K wrote:

Nope, people constantly underestimate the power of regexes.. of course you
can easily make bad ones, but Perl can run huge lists of simple alternations
FAST.

I downloaded a 1 random name pack, and made a quick hack to regexify it
with my favourite Regexp::Assemble.

--
#!/usr/bin/perl
use Regexp::Assemble;
$ra = Regexp::Assemble->new;
# Read one name per line from standard input
while (<STDIN>) {
 chomp;
 # Read comma separated names from stdin: Firstname,Lastname
 ($firstname, $lastname) = split(',', lc);
 # Firstname Lastname
 $ra->add("$firstname $lastname");
 # Lastname,? Firstname
 $ra->add("$lastname,? $firstname");
 # Print rule every 1 names
 # (?:^| ) instead of \b since "Kate" would hit "Mary-Kate"
 if (++$cnt % 1 == 0 || eof STDIN) {
  print 'body TEST_NAMES_'.++$idx;
  print ' /(?:^| )'.$ra->as_string.'(?:$| )/i'."\n";
 }
}
--
./names.pl < names.csv > names.cf

The resulting single 17 byte rule did not affect SA in any way, there was
virtually no difference in my mass check tests. Running the regex through
some file manually results in 8 lines/second. This with one 3Ghz core.
I think you can make rules/REs of MBs in size, but gains probably nothing.

About ClamAV...

+ It would probably handle this even faster
+ Easy logging of exact signature that got hit (single name per sig)
- It would also match any header like To: From: etc (PRETTY BAD...)

I'd choose SA since it's way more flexible. I doubt performance here is a
factor, especially with outgoing mail..


Thanks for the info.

- It would also match any header like To: From: etc (PRETTY BAD...)

That could be an issue. I will check to see if I can find a workaround, 
if not, ClamAV may not be an option.




Re: List of "banned" words/bounce to sender

2010-08-05 Thread Matthew Kitchin (public/usenet)

 On 8/5/2010 2:10 PM, Noel Jones wrote:


Use your database to generate rules for clamav.  You could even remove
the stock clamav rules if you want.  Matching the body for 70,000
names would probably take less than 0.1 seconds.
That sounds like a really good idea. I do use ClamAV but have never 
written any rules of my own. Thanks for the tip!


Re: List of "banned" words/bounce to sender

2010-08-05 Thread Matthew Kitchin (public/usenet)

 On 8/5/2010 2:05 PM, Bowie Bailey wrote:

I would tend to say that something that large would not be practical.
On the other hand, there's no way to really know until you try it.

A database lookup is possible, but the problem is determining what to
look up.  You would have to somehow identify possible names for
comparison to the database.

Thanks. I think I had a brain fart here. Obviously we would have to have 
identified the names before we could look them up... I think I divided 
by 0 in my head at some point :)




Re: List of "banned" words/bounce to sender

2010-08-05 Thread Matthew Kitchin (public/usenet)

 On 8/5/2010 1:52 PM, Bowie Bailey wrote:

My approach to doing something like this would be to have a rule that
matches the names (however you implement it), and then have the MTA
check for that particular rule hit and bounce the message if it exists.
This is the same way you generally use the VBounce plugin.  Then do the
same thing for your "bypass" rule.

That is pretty much what I wanted to do. The best way I know to make 
Postfix use SA is with Amavisd.


Spamassassin can use whatever custom rule you care to come up with.  It
will happily use a regex with hundreds of names listed.  The question is
whether the rule would cause a noticeable slowdown in processing speed.
The only way to find out is to try it.  Using compiled rules would
probably help here.

Thanks. We are looking at roughly 70,000 names and always growing. If I 
gave it sufficient hardware, would you expect that to be practical, or 
is that totally ridiculous? Any options for a database look up here?




Re: List of "banned" words/bounce to sender

2010-08-05 Thread Matthew Kitchin (public/usenet)

 On 8/5/2010 1:19 PM, Benny Pedersen wrote:

On tor 05 aug 2010 19:47:37 CEST, "Matthew Kitchin (public/usenet)" wrote


Is this a realistic setup?


postfix will love it if done right with local smtp auth senders, eg no 
sender sends unauthed then its just add smtpd_sender_bcc_naps from a 
list of all local recipients


just dont make it if sender auth is not in place first !

more questions ?, its not a spamassassin answer :)

I'm not sure what you mean. I'm not looking for anything along the lines 
of authorized senders. I'm wanting to search an email to see if it has 
one of several thousand patient names in it.
I guess my main question should be, could I have Spamassassin read a 
custom rule to look for several thousand patient names in the format 
"John Smith" and "Smith, John"?


Re: List of "banned" words/bounce to sender

2010-08-05 Thread Matthew Kitchin (public/usenet)

 On 8/5/2010 1:03 PM, Evan Platt wrote:


Spamassassin can't handle this - it has no capability to reject mail, 
however you need to think - are you going to have a database of 
patients names, or is your intention to block anything with a "Name"? 
Are you really going to want to manage a database of every name out 
there? If so, what happens when someone e-mails "I watched a 
presentation from Bill Gates on" Well, that's a name, right?


So let's take the alternative - you have a database of just custom 
names (of your patients). Whose job is it to maintain that? And what 
happens if, again, in the above situation, a patient has the same name 
as say a celebrity or even worse, say a doctor? Let's say there's a 
world famous doctor James Bond. But James Bond (different person) is a 
patient. One of your staff members e-mails "We need to go see the 
conference Dr. James Bond is putting on". Bounced.


Amavisd could reject the mail. I was planning on using Spamassassin 
(with a custom built rule) to examine the email for the names. We would 
only use the names of our patients. The names would be dumped out of our 
patient DB every night. If a patient has the same name as a friend, 
there would be a code we would put in the subject to bypass the filter. 
I was thinking of a custom rule for that code that would have a score of 
-20 or something like that. Basically, Spamassassin's role would be 
deciding whether or not one of the names was in the email and if the 
override code was in the subject. I'm not saying it is the most 
brilliant idea in the world, but it is what I have been told to implement.


I know Amavisd well, so I can handle that part. I guess my main question 
should be, could I have Spamassassin read a custom rule to look for 
several thousand patient names in the format "John Smith" and "Smith, John"?
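
An added example, not part of the original post or of SpamAssassin itself: one way to turn the nightly name dump described above into SpamAssassin `body` rules for "John Smith" and "Smith, John", plus a `header` rule for the Subject bypass code scored at -20. The rule names, the bypass token, the chunk size and the name-hit score are assumptions, the sample names are constructed, and the boundary check uses lookarounds instead of the `(?:^| )` form in the script quoted elsewhere in this thread so that a name followed by punctuation still matches.

```python
import re

# Constructed stand-in for the nightly patient-database dump described above
# (Firstname,Lastname per line). Every name is made up.
SAMPLE_DUMP = "John,Smith\nKate,O'Brien\nMary-Kate,Jones\n"

BYPASS_CODE = "[PHI-REVIEWED]"  # hypothetical override token for the Subject
NAMES_PER_RULE = 2              # hypothetical chunk size, tiny for the demo
NAME_SCORE = 10.0               # hypothetical score for a name hit


def name_alternatives(first, last):
    """Escaped regex fragments for 'First Last' and 'Last, First'."""
    f, l = (re.escape(part.strip().lower()).replace("/", r"\/")
            for part in (first, last))
    return [f + " " + l, l + ",? " + f]


def build_rules(dump):
    """Return (rule lines for a .cf file, compiled patterns for self-testing)."""
    alts = []
    for line in dump.splitlines():
        if line.strip():
            first, last = line.split(",", 1)
            alts.extend(name_alternatives(first, last))
    lines, patterns = [], []
    step = 2 * NAMES_PER_RULE  # two alternatives per name
    for i in range(0, len(alts), step):
        # Lookarounds keep "kate o'brien" from firing inside "mary-kate o'brien"
        # and still allow a match before punctuation such as "John Smith."
        pat = r"(?<![\w-])(?:" + "|".join(alts[i:i + step]) + r")(?![\w-])"
        rule = "PATIENT_NAME_%d" % (len(patterns) + 1)
        lines += ["body %s /%s/i" % (rule, pat),
                  "score %s %.1f" % (rule, NAME_SCORE)]
        patterns.append(re.compile(pat, re.I))
    lines += ["header PATIENT_BYPASS Subject =~ /%s/" % re.escape(BYPASS_CODE),
              "score PATIENT_BYPASS -20"]
    return lines, patterns


def verdict(subject, body, patterns):
    """Approximate the combined outcome: a name hit bounces unless bypassed.

    In the real setup the scores decide and Amavisd acts on them; this
    function only mimics that decision for the self-test.
    """
    if not any(p.search(body) for p in patterns):
        return "deliver"
    return "deliver (bypass)" if BYPASS_CODE in subject else "bounce"


if __name__ == "__main__":
    rules, pats = build_rules(SAMPLE_DUMP)
    print("\n".join(rules))
    for subj, body in [
        ("Lab results", "Results for Smith, John are ready."),
        ("Lunch", "Mary-Kate O'Brien is visiting today"),
        ("Consult " + BYPASS_CODE, "Please see John Smith."),
        ("Conference", "Dr. John Smith is presenting"),
    ]:
        print("%-18s %s" % (verdict(subj, body, pats), body))
```

The last sample is the name-collision case raised earlier in the thread: the rule cannot tell a patient from a namesake, which is what the Subject bypass code is for.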


List of "banned" words/bounce to sender

2010-08-05 Thread Matthew Kitchin (public/usenet)
 Hello all. I have been a loyal user for years, but have never had to 
do much more than make a few custom rules. I work for a healthcare 
company, and I have been asked to implement a mechanism to search for 
patient names in outgoing emails and bounce them back to the sender if 
one is identified.

We would search for them in the format "John Smith" and "Smith, John".
We would like to bounce them back to the sender (that would be within 
our company) with a custom notice indicating what they should do to 
properly send the email.

My typical setups are Postfix ->amavisd->SA
In this case, the setup doesn't exist yet, because I'm just exploring 
the feasibility of doing it.  I would run the latest Versions of CentOS 
64 Bit, Postfix, Amavisd, and SA.
It would be great if it could search attachments too, but I could 
probably get by with just looking at the body. Of course, the emails 
will be HTML and RTF too. They originate in an Outlook/Exchange 
environment.

Is this a realistic setup?

Thanks,
Matthew


Re: The Future of Email is SQL

2006-06-10 Thread NM Public

Sur 2006-06-09, Marc Perkel skribis:


Perhaps the headers and other information that you would index 
be kept in the database and the body of the message stored 
somewhere else, perhaps even as files.



It seems that this is what Zimbra does. Check out my blog post 
here:


 For IMAP, "SQL just sucks"
 

especially the comment from KevinH of Zimbra, which includes 
this:


"It's true that as a mailstore SQL sucks. Databases are not 
designed to store large blobs of data. However in Zimbra's case 
messages aren't stored in the database. Only *meta* data is 
stored behind a SQL interface. [...]"


I hope this is useful. Thanks for inspiring interesting 
discussion Marc!

 Nancy
  (sent via gmane.mail.spam.spamassassin.general)

--
  Nancy McGough
  Infinite Ink: 
  Bookmarks & Blog:  



Re: End-user (not administrator) question

2006-05-26 Thread NM Public

Sur 2006-05-25, Evan Platt skribis:


Umm... Switch to a different mail provider?


I just blogged about this yesterday. If your university uses 
IMAP, which is the case for almost all universities these days, 
they can set things up so that each user has the option to have 
his/her spammy messages delivered to an IMAP-accessible 
'MaybeSpam' mailbox. Details are here:


 IMAP and Spam Filtering
 

If they won't let you specify your own spam configuration 
options, I agree with Evan Platt: Switch to a different email 
provider!


Good luck with your email sys admin,
 Nancy
  (sent via gmane.mail.spam.spamassassin.general)

--
  Nancy McGough
  Infinite Ink: 
  Bookmarks & Blog:  



Re: Delete spam or move to a folder?

2006-05-17 Thread NM Public

Sur 2006-05-17, Yusuf Ahmed skribis:
Couldn't find a thread like this hence this new one. Just 
wondering what strategy people are using when it comes to 
dealing with email that gets enough points to be considered as 
spam. Eg. being deleted and quarantined, or delivered and 
quarantined etc.



I put everything with a score of 2 (yes 2) or more in a MaybeSpam 
mailbox. I then greenlist (aka whitelist) any non-spam message 
that is delivered to the MaybeSpam mailbox. I do not use Bayes. 
Details about my system are in these 2 messages:


  Using a MaybeSpam Mailbox
  

  Server-Side Address Books and Server-Side Greenlists
  

Hope this helps,
Feedback is welcome!
 Nancy
  (sent via gmane.mail.spam.spamassassin.general)

--
  Nancy McGough
  Infinite Ink: 
  Bookmarks & Blog:  



Re: Re: Mail not fully scanned

2005-10-08 Thread public
Hi

> Does this happen on all mails or just specific ones?

It does happen on all mails and as well on the samples of Spamassassin

> Do you have custom plugins loaded or is the install a default one?

No, I just installed the default one by
# perl Makefile.PL
# make
# make install


regards,
 Alexander




Re: Scanning and deleting my probably-spam folder

2005-03-23 Thread NM Public
On 22 Mar 2005 Robert Markin ([EMAIL PROTECTED]) wrote:
This should probably be obvious, but I cannot seem to come up with an easy 
way to quickly scan and delete the email that makes it into my spam trap 
folders.

RH9 machine (accessed via SSH, Webmin, IMAP or POP3).
Procmail sends all mail detected as spam by SA 3.0.0 to a "probably-spam" 
file in the user's /home directory. (mbox format)

Since I only have five users I am currently using SSH to cd into their 
directory then pico the "probably-spam" file and start scanning.  (Awkward to 
say the least)
When I decide that the contents of the file is in fact spam, I "rm" then 
"touch" the file.

I am sure that this is probably the worst way that there is to do this, but 
it is the best that I have come up with.

Any ideas?

I used to look for false positives for my family's mail but now I
 *** Let users look for their own false positives ***
and I recommend that you do too! Otherwise you'll go crazy. The
way I look for false positives in my "probably-spam" mailbox is
to 1] set up SA to inject the spam score at the beginning of the
Subject and 2] fire up pine on my probably-spam mailbox and do a
sort by Subject. Usually the false positives bubble to the top of
the sorted-by-spam-score list. I discuss this at the last two
URLs in my sig below.
Hope this helps,
Nancy
--
Infinite Ink: 
Reverse Spam Filtering: 
Procmail Quick Start: 


Re: kinda OT procmailrc

2004-11-17 Thread NM Public
On 17 Nov 2004 Alex Pleiner ([EMAIL PROTECTED]) wrote:
* ChupaCabra <[EMAIL PROTECTED]> [2004-11-16 17:11]:
#:0:
#* ^Subject:.*[SPAM]
#$HOME/probably-spam/
Consider quoting the brackets:
* ^Subject: \[SPAM\]

Hopefully that will solve the problem, but in addition I 
recommend that you change these two lines:

MAILDIR=$HOME/Maildir/
DEFAULT=$HOME/Maildir/
to this one line:
MAILDIR=$HOME/Maildir
i.e., remove the trailing slash in your MAILDIR setting and do 
not explicitly set DEFAULT (instead use the procmail compiled-in 
DEFAULT and if it is wrong, re-compile procmail).

I discuss these issues in my Procmail Quick Start in this 
section:

 
which among other things says this:
 # * Upon reading a line that contains MAILDIR=
 #Procmail does a chdir to $MAILDIR and
 #relative paths are relative to $MAILDIR
 # * Do not include a trailing slash in your MAILDIR setting
 # * The MAILDIR variable is an entirely different entity from the maildir mailbox format
And in this section:
 
which says this:
 If you are using maildir-formatted mailboxes, it is best to
 specify both $ORGMAIL and $DEFAULT in the procmail source code
 and recompile.
Hope this helps,
NM
--
Infinite Ink: 
Reverse Spam Filtering: 
Procmail Quick Start: 
IMAP Service Providers: 


Re: {02.8} Re:spamassassin and web based mails !

2004-11-13 Thread NM Public
On 12 Nov 2004 Cigan Segun ([EMAIL PROTECTED]) wrote:
To be specific on my question, I want to be able to scan all messages
or mails sent to & fro using yahoo or hotmail or any of these known web
based addresses!
I do not have a mail server in my local network yet.
We all use web based mails.

Can you tell us what web-based mail program the people in your 
company use? The answer will depend on this.

NM
--
Infinite Ink: 
Reverse Spam Filtering: 
Procmail Quick Start: 
IMAP Service Providers: 


Re: Usability. Spamassassin.

2004-09-08 Thread NM Public
On 7 Sep 2004 Bob Apthorpe ([EMAIL PROTECTED]) wrote:
[...]
If the answer is 'a WinXP user who retrieves mail via POP3 with Outlook
and who does not use the command line and does not program, not even a
little bit, and who wants a button to press to make spam go away' then
the answer is probably not to use SpamAssassin directly but to use some
commercial product instead.
Excellent post Bob. I think that there needs to be a big note on 
the SpamAssassin web site that says something like this:

   * * * SpamAssassin is for system administrators * * *
 Before you even think about installing it, take this quiz
And then have a link to a quiz that includes things like:
* What is an MTA?
* What is an MDA?
* What is an MSA?
* What is an MUA?
* What is SMTP?
* What is IMAP?
* What is POP3?
* What is the structure of an email message?
* What is the structure of a mailbox?
* What is "the envelope"
* How can you determine the original envelope recipient address?
* How can you determine the original envelope sender address?
* Draw a diagram that illustrates how mail flows to your MUA from 
the Internet.
* Draw a diagram that illustrates how mail flows out of your MUA 
to the Internet.
* Write a regular expression that will match a line that begins 
with the string 'From:' and contains the email address 
'[EMAIL PROTECTED]' (make sure that your regexp will not match on 
any other email address)
* If an email message includes this header

From: [EMAIL PROTECTED]
  What does that tell you about the message?
And then say something like: If you do not immediately know the 
answer to all these questions, you should not be installing or 
administering SpamAssassin (unless it is for educational purposes 
and for processing only *your* email).

The Procmail web site needs this too!
NM
--
Infinite Ink: 
Reverse Spam Filtering: 
Procmail Quick Start: 
IMAP Service Providers: 


Re: Rs: SpamAssassin 3.0.0-rc3 RELEASE CANDIDATE available!

2004-09-08 Thread NM Public
On 7 Sep 2004 Joe Emenaker ([EMAIL PROTECTED]) wrote:
By the same token, the point was never to be able to spot spammers by noting 
who isn't using SPF. Rather, the point is to make the blacklists more 
reliable. It is *only* when you use SPF in *conjunction* with 
blacklists/whitelists that you see any benefit from SPF.
It seems to me that the point is to make whitelists (aka 
greenlists) -- not blacklists -- more reliable. If a MAIL FROM is 
in a blacklist, the spammers will know that and use a different 
MAIL FROM so blacklisting will not be helped much by SPF. But if 
a MAIL FROM is in a whitelist, it will get tagged as non-spam 
(by, for example, my procmail recipes) and it will be hard for a 
spammer to pretend her MAIL FROM is in my whitelist because she 
cannot send through the SPF-approved SMTP server for that MAIL 
FROM.

I've written some about this on my Procmail Quick Start in this
section:
 
I hope this makes sense,
NM
--
Infinite Ink: 
Reverse Spam Filtering: 
Procmail Quick Start: 
IMAP Service Providers: