RE: Barracuda Blacklist

2009-06-02 Thread rich...@buzzhost.co.uk
Does Drako know you are posting here Bob?

It's a bit naughty. He had everyone sign a form saying they would not
post to places like this? You really should know better.


We all know that Barracuda are behind emailreg. We know that emailreg is
'cash for spamming'. We know that support have been told *NOT* to
disable emailreg on Barracuda units. It's a done deal. The 'narrative'
is to suggest that non customer pay to sign up at emailreg.org so cut
the crap.

As a side note, it's nice to see you here acknowledging Spamassassin
after stealing it and selling it for so long in Barracuda products.
You're a bunch of digital thieves really, so on face value anything you
say can only be taken as bullshit - so why not crawl back under that
fucking rock you dragged your fat worthless ass out from?

Give my love to that sick gay bastard Gobble gobble.






On Mon, 2009-06-01 at 11:20 -0700, Bob O'Brien wrote:
> April 29?
> You started your narrative on 5/28 with an explicitly specified three week 
> time frame. On the 29th, I looked at four weeks of history, and the factual 
> numbers were lower.  If that's where the discrepancy arose, then we may not 
> really disagree about anything of consequence.
> 
> 
> No, I definitely did not say that I work for emailreg.
> I said that one aspect of my duties here at Barracuda includes sending 
> "suggestions" to emailreg.  Suggestions which they (at least for now) choose 
> to implement directly.
> 
> 
> 
> 
>   Bob
> 
> 
> 
> -Original Message-
> From: Neil Schwartzman [mailto:neil.schwartz...@returnpath.net] 
> Sent: Saturday, May 30, 2009 11:58 AM
> To: Bob O'Brien; Spamassassin
> Subject: Re: Barracuda Blacklist
> 
> 
> 
> 
> On 29/05/09 4:09 PM, "Bob O'Brien"  wrote:
> 
> > Neil,
> > 
> > Based on our "Requests for Removal" filed over the past 3+ weeks from
> > ReturnPath, the number of IPs that you are claiming to have had issues with
> > appears inflated by a factor of nearly 50%.
> 
> 
> Bob, I don't want to waste this group's time with your incorrect assertion.
> (this is beginning to be VERY off-topic). I have data for each and every IP
> you listed and for which I requested a delisting. Happy to follow up with
> you offlist.
> 
> Indeed, the Barracuda auto-acks only started coming in May 09, so perhaps the
> system was hosed in some manner and it missed recording everything I did
> between April 29 and May 08, for which we saw delistings the following days
> in any event.
> 
> > More importantly, I feel it is irresponsible to oversimplify a cleared
> > listing as a "false positive" when speaking of *any* IP reputation system.
> > 
> > Barracuda Reputation does not arbitrarily list hosts.  Messages have passed
> > through each host with characteristics indicative of spam.
> 
> 
> I suggest Barracuda then work on the verbiage on the site and in the
> auto-acks. What you are saying does not jibe with what is indicated
> elsewhere. What you are saying ... Makes more sense.
> 
> > Those listings 
> > would only have been cleared because someone contacted the BRBL team and
> > requested their clearance - explicitly volunteering /some/ measure of
> > responsibility for those hosts going forward.  _Accepting_ your
> > possibly-inflated numbers, the 409 IPs otherwise met the criteria for
> > clearing, so they were cleared.  Apparently 22 IPs did not, and those were
> > not cleared.
> 
> Yup. And that's great.
> 
> Quick question though: You said that you work for emailreg.org, and have
> some limited input into the BRBL, I believe.
> 
> It seems to me there is a greater relationship between emailreg.org and
> Barracuda than has been stated, given what appears to be intimate knowledge
> of my delisting requests. Can you clarify?
> 
> Thanks.
> 



RE: Barracuda Blacklist

2009-06-02 Thread rich...@buzzhost.co.uk
On Tue, 2009-06-02 at 13:40 -0700, Bob O'Brien wrote:
> Actually, Richard, yes - I have management approval for what details I choose 
> to share with any given online community.
Share? Oh Sorry Bob. I only had Barracuda down as digital thieves. Let
me see;

SPAM and 'VIRUS' (lol) 'FIREWALL'
BSMTPD (Yours - I think not - )
POSTFIX
CLAM
AMAVIS
OPENSSL
OPENLDAP
APACHE
MYSQL
BUILT IN SPAMHAUS RULE - you know the one: 
[PASS] RBL-> Builtin zen.spamhaus.org has no latency @ 45 msec
I can cut and paste specifics if you would like?

Perhaps I can run through the Load Balancer and Web Filter with you too?
SNORT, HA PROXY, LVM, MYSQL, SQUID, CLAM, APACHE. Please point me to
where you have given anything back of use?

It would not be complete without a mention of your megabucks 'Patch me
as often as you can' Archiver. You know the one that had to run WINE
because you were unable to write an indexer. You take a
'hardened' (which means old mandrake Linux kernel with loads missing) OS
handling email attachments and run WINE on it? Are you serious?

Let's then move on to the Energize Updates;
EU = Lots of Clam & SA Rules sold to customers with a few of your own
flaky ones thrown in. These have included such howlers as blocking
anything with '.com' in the body.

As for Juvenile - your guy Justin 'Always drunk' O'Brien will always
eclipse me. Is he not on record as saying words to the effect of 'The
older 200's are rubbish - they only have one amavis process and 256meg
of RAM. Tell the customers to open them up and put more RAM in or buy a
bigger unit'. That's technical support and customer care at its best.
I've got his email here somewhere Bob - and many more like it. If you
want me to do 'Juvenile' I'm happy to do that.

Barracuda is a shower of shit. Your products suck cock, your internal
processes for a 'security' company are totally laughable and your
developers are clueless. Favorite customer quote from the IM Firewall;

Developers: "It's a known issue"

Customer: "This is utter rubbish. It looks like something someone has
put together in their bedroom"

But to move away from my rant the facts are simple. You steal nearly
everything you put in those cheap hardware boxes. Anything you code
yourself is the weak link in the chain. RVERIFY a point in hand. Cut the
crap that you ever give anything back. It's all one way - it's all take.

In short Bob, the only reason ANYONE from Barracuda would be on this
list is to STEAL STUFF. You want your hands cutting off - and that is me
being very restrained. Please carry on - I have jack all to lose Bob.
What is it SP says in his totally Juvenile way 'Bob O Brien is no longer
with us, Our choice not his'.

I'll CC Drako and Perone as you have their permission. Perone knows all
about spam :-) Please don't try and put yourself across as caring and
sharing. It's bullshit and anyone can smell it.







>   I am also learning to count Jann among my friends, and I'm sure he would 
> *appropriately* acknowledge your greeting.
> 
> If your participation is at all typical of this community, that will be 
> useful time-saving information for us indeed.
> 
> 
> 
> Thanks!
> 
> 
> 
> 
> 
> 
> -Original Message-
> > From: "rich...@buzzhost.co.uk" 
> > Date: Tue, 2 Jun 2009 16:02:58 +0100
> > Message-ID: <1243954978.7028.73.ca...@rubikscube>
> 
> 
> 
> > 
> > Does Drako know you are posting here Bob?
> > 
> > It's a bit naughty. He had everyone sign a form saying they would not
> > post to places like this? You really should know better.
> > 
> > 
> > We all know that Barracuda are behind emailreg. We know that emailreg is
> > 'cash for spamming'. We know that support have been told *NOT* to
> > disable emailreg on Barracuda units. It's a done deal. The 'narrative'
> > is to suggest that non customer pay to sign up at emailreg.org so cut
> > the crap.
> > 
> > As a side note, it's nice to see you here acknowledging Spamassassin
> > after stealing it and selling it for so long in Barracuda products.
> > You're a bunch of digital thieves really, so on face value anything you
> > say can only be taken as bullshit - so why not crawl back under that
> > fucking rock you dragged your fat worthless ass out from?
> > 
> > Give my love to that sick gay bastard Gobble gobble.
> > 
> > 
> > 
> > 
> > 
> 
> 
> 



Re: New slew of spams

2009-06-05 Thread rich...@buzzhost.co.uk
On Fri, 2009-06-05 at 18:58 +0100, Jeremy Morton wrote:
> Hi,
> 
> I've suddenly started getting a new slew of spams that are making their 
> way through my SpamAssassin filter.  Here's an example of one:
> 
> http://pastebin.com/m586e296c
> 
> As you can see they tend to hit a couple of blacklists, but don't get a 
> high enough score to be marked as spam.  What do your SpamAssassin 
> analyses give of this e-mail, and any tips as to how I can get these 
> marked as spam?
> 
> Best regards,
> Jeremy Morton (Jez)

But;

93.5.36.134  listed in b.barracudacentral.org. 
93.5.36.134  listed in XBL NJABL 
93.5.36.134  listed in PBL (SPAMHAUS) 
93.5.36.134  listed in cbl.abuseat.org. 

So they could have been blocked ?




Re: New slew of spams

2009-06-05 Thread rich...@buzzhost.co.uk
On Fri, 2009-06-05 at 20:33 +0200, Raymond Dijkxhoorn wrote:
> Hi!
> 
> >> http://pastebin.com/m586e296c
> >>
> >> As you can see they tend to hit a couple of blacklists, but don't get a
> >> high enough score to be marked as spam.  What do your SpamAssassin
> >> analyses give of this e-mail, and any tips as to how I can get these
> >> marked as spam?
> 
> > But;
> >
> > 93.5.36.134  listed in b.barracudacentral.org.
> > 93.5.36.134  listed in XBL NJABL
> > 93.5.36.134  listed in PBL (SPAMHAUS)
> > 93.5.36.134  listed in cbl.abuseat.org.
> >
> > So they could have been blocked ?
> 
> Perhaps now, but most of them end up after the first runs ... ;)
> Most likely at time of the run they were not listed (yet).
> 
> Bye,
> Raymond.
> 
Even in the breakdown you've posted they are listed on at least one
black list. Personally, I would have dropped them on connecting IP
before wasting spamassassin on scanning them - but that opens a can of
worms and people have differing views on doing that.



Re: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 13:33 +0200, Paweł Tęcza wrote:
> Ibrahim Harrani writes:
> > Hi,
> > 
> > another header from another image spams.
> > All images contain god, bad and a url with numbers.
> 
> The spammers are cunning... It seems that they have stopped sending spams
> with X-Mailer: header containing something like "PHP v5.2.0" or
> "PHP/4.4.5". Also they don't use only digits in attachment filenames.
> So I'm afraid that my Spamassassin rules are not effective for that
> kind of spam :(
> 
> > It seems that ocrad can't decode the strings in the images.
> > FuzzyOcr version is 3.6.0
> 
> I've added "BAD", "GOOD" and exemplary domain name to my FuzzyOcr word
> file, but unfortunately FuzzyOcr didn't recognise them :(
> 
> Maybe someone has better idea how to fight that image spam?
> 
> Cheers,
> 
> P.
> 
But this is all totally academic; Why jump through all the hoops to
block the image when the original connecting IP is showing 'unknown' in
the hostname

Received: from unknown (HELO ognh.user.ono.com)

Is listed on piles of policy and RBL lists;

62.57.252.74 listed in b.barracudacentral.org. 
62.57.252.74 listed in PBL (SPAMHAUS) 
62.57.252.74 listed in XBL NJABL 
62.57.252.74 listed in dul.dnsbl.sorbs.net 
62.57.252.74 listed in cbl.abuseat.org. 
62.57.252.74 listed in bl.spamcop.net. 
62.57.252.74 listed in no-more-funn.moensted.dk.

and has SEX twice in the subject.

Why would it ever get as far as blocking it on the content? What has
gone so wrong it ever got that far?




RE: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 22:16 +0930, Cory Hawkless wrote: 
> The RBL is a good point, I'm only getting these when I turn off 
> zen.spamhaus (for testing)
> BUT the emails I got did NOT have sex in the subject, "How To Give Her strong 
> Harder Orgasms - 3 Spectaceular Tips To Make Her Beeg For More And More" is 
> what I got
> 
> -----Original Message-
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk] 
> Sent: Wednesday, 17 June 2009 9:43 PM
> To: Paweł Tęcza
> Cc: users@spamassassin.apache.org
> Subject: Re: new spam image with random body message
> 
> On Wed, 2009-06-17 at 13:33 +0200, Paweł Tęcza wrote:
> > Ibrahim Harrani writes:
> > > Hi,
> > > 
> > > another header from another image spams.
> > > All images contain god, bad and a url with numbers.
> > 
> > The spammers are cunning... It seems that they have stopped sending spams
> > with X-Mailer: header containing something like "PHP v5.2.0" or
> > "PHP/4.4.5". Also they don't use only digits in attachment filenames.
> > So I'm afraid that my Spamassassin rules are not effective for that
> > kind of spam :(
> > 
> > > It seems that ocrad can't decode the strings in the images.
> > > FuzzyOcr version is 3.6.0
> > 
> > I've added "BAD", "GOOD" and exemplary domain name to my FuzzyOcr word
> > file, but unfortunately FuzzyOcr didn't recognise them :(
> > 
> > Maybe someone has better idea how to fight that image spam?
> > 
> > Cheers,
> > 
> > P.
> > 
> But this is all totally academic; Why jump through all the hoops to
> block the image when the original connecting IP is showing 'unknown' in
> the hostname
> 
> Received: from unknown (HELO ognh.user.ono.com)
> 
> Is listed on piles of policy and RBL lists;
> 
> 62.57.252.74   listed in b.barracudacentral.org. 
> 62.57.252.74   listed in PBL (SPAMHAUS) 
> 62.57.252.74   listed in XBL NJABL 
> 62.57.252.74   listed in dul.dnsbl.sorbs.net 
> 62.57.252.74   listed in cbl.abuseat.org. 
> 62.57.252.74   listed in bl.spamcop.net. 
> 62.57.252.74   listed in no-more-funn.moensted.dk.
> 
> and has SEX twice in the subject.
> 
> Why would it ever get as far as blocking it on the content? What has
> gone so wrong it ever got that far?
> 
> 
> 
But there are certain words you would never expect to see in the
subjects of legitimate mail none the less unless you often get mail with
words like 'Orgasms' in it :-) If you do, please *share* your friends
with us all!

Seriously, the RBL's would have killed this, the missing hostname, the
hint that it is a 'user' ip connecting (not a legit mail server), the
key words - all could have been used by the MTA to drop this message on
the floor without troubling SA to scan it. Looking at the content of the
mail is the last resort - if it's got that far in to your system, the
spammer wins



Re: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 15:02 +0200, Matus UHLAR - fantomas wrote: 
> On 17.06.09 13:48, rich...@buzzhost.co.uk wrote:
> > But there are certain words you would never expect to see in the
> > subjects of legitimate mail none the less unless you often get mail with
> > words like 'Orgasms' in it :-) If you do, please *share* your friends
> > with us all!
> 
> The often cited point on spam filtering is that words you usually don't see
> in mail, others may see often. For example, while you may not need
> viagra, an m.d. can use it very often. The same applies to words "orgasms"
> and many others - people may exchange anything in their private
> communication and you may not know about it.
Indeed, but any reputable and legitimate vendor or contact would act with
discretion and not plaster 'Viagra' and 'Sex' or 'Orgasm' in the
subject lines. If they did, they would rightfully be blocked. I would
not go into my doctors surgery or pharmacy and expect anyone to shout
out, in the clear, RICHARD BUZZHOST - YOUR VIAGRA IS HERE. It's about
appropriate behaviour and knowing how professionals would behave.


> 
> That is why solutions like spamassassin exist and that is also why SA people
> don't like poison pill rules.
It's true to say that Forensic Science exists too, but I would rather
keep the crook out of the house in the first place, rather than have it
dusted for prints and examined afterwards. 
> 
> > Seriously, the RBL's would have killed this, the missing hostname, the
> > hint that it is a 'user' ip connecting (not a legit mail server), the
> > key words - all could have been used by the MTA to drop this message on
> > the floor without troubling SA to scan it. Looking at the content of the
> > mail is the last resort - if it's got that far in to your system, the
> > spammer wins
> 
> While connecting IP and its DNS name is known before the mail is received,
> the subject is only seen after the data phase.
Yes, but responsibility for the message is not handed over until the end
of the data phase. Specifically when the recipient server issues;

250 2.0.0 Ok: queued as ..

Up until that point it is free to drop with an SMTP error. It's just
SpamAssassin does not seem able to keep up with the speed of SMTP.
That's just an observation. If you set that against Postfix with some
simple and obvious header and body filters you can drop lots of rubbish
quickly without wasting the time to look at it. This lets Spamassassin
concentrate on those truly annoying messages that fall into the twilight
zone.





Re: new spam image with random body message

2009-06-17 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-17 at 18:02 +0300, Ibrahim Harrani wrote:

> http://pastebin.com/m6a027715
See if you can spot the keys;
1. Received: from unknown #if you don't know who you are goodbye.
2. (HELO .user.x) #mail servers don't tend to HELO/EHLO with
'user' 'dsl' 'ppp' as a rule.
3. (62.57.252.74)
62.57.252.74 listed in b.barracudacentral.org.
62.57.252.74 listed in XBL NJABL
62.57.252.74 listed in PBL (SPAMHAUS)
62.57.252.74 listed in dul.dnsbl.sorbs.net
62.57.252.74 listed in cbl.abuseat.org.
62.57.252.74 listed in no-more-funn.moensted.dk.
62.57.252.74 listed in ix.dnsbl.manitu.net.
4. Subject: Christian sex - What Are Goood Christian sex Pradctices?
#funny that attempts to mis-spell the wrong keywords here. sex x 2 would
be good enough for me, but that's with hindsight.


> http://pastebin.com/d2c94dba0
1. Received: from unknown #again if you don't know who you are
2. telecomitalia.it #do you ever get *anything* legitimate from them? 
3. 82.49.96.239 listed in PBL (ISP) 
82.49.96.239 listed in dul.dnsbl.sorbs.net 
82.49.96.239 listed in no-more-funn.moensted.dk.
4. PTR RECORD ADVERTISING DYNAMIC HOST:
host239-96-dynamic.49-82-r.retail.telecomitalia.it. 
HENCE: listed in PBL
5. Subject: How too Introduce Men to Your GG Spot Location
#useful keys but careful ones. Not so interested in the carnage that
could be 'how to. location', but 'G Spot' would be easy to pick out.
Again, useful hindsight.
> http://pastebin.com/m21c9df0
Skipping the unknowns (no more need for comedy effect)
86.110.151.117 listed in b.barracudacentral.org. 
86.110.151.117 listed in XBL NJABL 
86.110.151.117 listed in cbl.abuseat.org. 
86.110.151.117 listed in no-more-funn.moensted.dk. 
86.110.151.117 listed in ix.dnsbl.manitu.net. 
No PTR record.

> http://pastebin.com/m775253b7
Again unknown, again that same old ISP spam machine
88.52.177.53 listed in b.barracudacentral.org. 
88.52.177.53 listed in XBL NJABL 
88.52.177.53 listed in cbl.abuseat.org. 
88.52.177.53 listed in bl.spamcop.net. 
88.52.177.53 listed in ix.dnsbl.manitu.net. 
This one reports static in PTR:
host53-177-static.52-88-b.business.telecomitalia.it but 'unknown' would
have already had me drop it. My view, if you can't set your server up
properly with correct DNS and are not monitoring your logs for 5xx
errors, I don't really need your mail.

> http://pastebin.com/d2c94dba0
Again unknown, again that same old ISP spam machine
82.49.96.239 listed in PBL (ISP) 
82.49.96.239 listed in dul.dnsbl.sorbs.net 
82.49.96.239 listed in no-more-funn.moensted.dk. 
Subject with G Spot
PTR again dynamic (confirms PBL)
host239-96-dynamic.49-82-r.retail.telecomitalia.it

> http://pastebin.com/m21c9df0
Again unknown
86.110.151.117 listed in b.barracudacentral.org. 
86.110.151.117 listed in XBL NJABL 
86.110.151.117 listed in cbl.abuseat.org. 
86.110.151.117 listed in no-more-funn.moensted.dk. 
86.110.151.117 listed in ix.dnsbl.manitu.net. 
No PTR

> http://pastebin.com/m775253b7
already posted above - 3 back. 
> Let me know if these are not enough.
> 
> Thanks.
> 
Again, this could have all been easily blocked ahead of wasting the time of
Spamassassin. The tools and keys are already there, they just need to be
configured correctly. Even if they got as far as a correctly configured
SA, it would have had most of them on the similar rules. In the PBL,
keywords, DNS issues, Dynamic hosts. Spamassassin is expensive. Treat it
like a Lawyer, only make it work if you have to :-)
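
The "keys" picked out in the message above (no reverse DNS, an end-user style HELO, DNSBL listings) can be checked before any content scan. This is an added example, not code from the thread or from SpamAssassin or Postfix; the function names, the reject policy and the constructed DNS answers are assumptions, and the sample `Received:` lines are constructed from the fragments quoted above.

```python
import ipaddress
import re
import socket

# Zones named in the thread; which zones to trust is a local policy choice.
DNSBL_ZONES = ("zen.spamhaus.org", "b.barracudacentral.org", "cbl.abuseat.org")
# Hostname labels the thread treats as signs of an end-user connection.
DYNAMIC_LABELS = {"user", "dsl", "ppp", "dynamic"}

# Matches the qmail-style trace line quoted in the thread.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>[0-9a-fA-F.:]+)\)"
)

def dnsbl_query_name(ip, zone):
    """Reversed address labels followed by the zone (IPv4 octets or IPv6 nibbles)."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # e.g. 74.252.57.62.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone

def dns_lookup(name):
    """Resolve an A record; None for NXDOMAIN or any resolver failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listing(answer):
    """A 127.0.0.0/8 answer means listed, except the 127.255.255.x range,
    which Spamhaus uses to signal a refused or broken query, not a listing."""
    if answer is None:
        return False
    addr = ipaddress.ip_address(answer)
    return (addr in ipaddress.ip_network("127.0.0.0/8")
            and addr not in ipaddress.ip_network("127.255.255.0/24"))

def dynamic_labels(hostname):
    """Return the end-user style labels found in a HELO or PTR name."""
    tokens = set(re.split(r"[^a-z0-9]+", hostname.lower()))
    return sorted(tokens & DYNAMIC_LABELS)

def triage(received_line, lookup=dns_lookup, zones=DNSBL_ZONES):
    """Return (action, reasons); action is 'reject' or 'scan' (hand to SpamAssassin).
    Assumed policy: any DNSBL listing rejects, as do two weaker signals together."""
    m = RECEIVED_RE.match(received_line)
    if m is None:
        return "scan", ["unparsed Received line"]
    reasons = []
    if m["rdns"] == "unknown":
        reasons.append("no reverse DNS")
    labels = dynamic_labels(m["helo"])
    if labels:
        reasons.append("HELO looks like an end-user host: " + ",".join(labels))
    try:
        listed = [z for z in zones
                  if is_listing(lookup(dnsbl_query_name(m["ip"], z)))]
    except ValueError:  # the bracketed value was not a valid IP address
        return "scan", reasons + ["invalid client address"]
    if listed:
        reasons.append("listed in " + ", ".join(listed))
    action = "reject" if listed or len(reasons) >= 2 else "scan"
    return action, reasons

# Constructed sample input and constructed DNS answers, so this runs offline.
SAMPLE_SPAM = "Received: from unknown (HELO ognh.user.ono.com) (62.57.252.74)"
SAMPLE_CLEAN = "Received: from mail.example.org (HELO mail.example.org) (192.0.2.25)"
CONSTRUCTED_ANSWERS = {
    "74.252.57.62.zen.spamhaus.org": "127.0.0.11",
    "74.252.57.62.cbl.abuseat.org": "127.0.0.2",
    "25.2.0.192.zen.spamhaus.org": "127.255.255.254",  # error code, not a listing
}

def constructed_lookup(name):
    return CONSTRUCTED_ANSWERS.get(name)

if __name__ == "__main__":
    for line in (SAMPLE_SPAM, SAMPLE_CLEAN):
        print(triage(line, constructed_lookup))
```
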



Re: more mainsleeze spam

2009-06-19 Thread rich...@buzzhost.co.uk
On Thu, 2009-06-18 at 14:04 -0400, Michael Scheidell wrote:
> main sleaze, as in spam from larger, established, 'legit' companies.  I 
> am seeing a 20% increase in spam that doesn't trigger any of the zombie, 
> forged, gappy or dialup list rules.  Neither are they triggering SARES 
> or SOUGHT rules.
> 
> Looks like with the global downturn, many companies are turning to 
> 'free' email marketing services to not only cut down on costs of 
> marketing, but to more quickly get the message out.  Many more third 
> party email marketing companies are allowing questionable mailing lists 
> and are opting to keep the money and client rather then enforce their 
> posted terms of service.
> 
> Traditional outbound marketing would require people to make cold calls, 
> postcards or mailers send via snail mail.  To reach 10,000 people via 
> cold call would take 100 people 10 days (well, they would 'reach' 1% of 
> them).
> 
> Postcards, US third class could take three weeks and cost around $1.00 each.
> 
> Main sleaze:  as in DKIM SIGNED, NOT FORGED, SPF RECORDS MATCH, some 
> with and some without knowledge and adherence to the US Federal CAN-SPAM 
> laws.
> 
> Traditional SA methods of looking for forged headers, zombies, and 
> dialup networks doesn't help much.  Neither does Bayesian filtering 
> since most of this new main sleaze spam is targeting the customers 
> vertical market anyway.  Hardly any 'zombie/forged/trojan' originated 
> email ever gets past.  These are actually very easy to identify.
> 
> Some blacklists and reputation filters help, but this is reactive, after 
> the fact, and usually after the company in question has finished their 
> spam runs.  These emails are not using any evasion tricks, and are 
> usually directly send to one contact at a time with full username/email 
> address.
> 
> (Even had one yesterday from a competitor in the anti-spam market:  
> spammed us trying to sell their anti-virus client software :-).
> 
> Yes, our marketing and sales people beat us up about using these above 
> methods in our marketing, and even uploaded a 'questionable' list of 
> email addresses to one of our listservers.  The temptation is great to 
> (ab)use email in this fashion.
> 
> Maybe I am stuck in 1994 when (most) people respected the net.  Maybe I 
> react badly when one of these main-sleaze emails makes it past our 
> filters, but the good news is that they help us identify third party 
> email marketing companies that aren't careful about their clients.
> 
> What are you seeing? more main-sleaze spam, directly targeting your 
> company/ vertical market or clients?  or aren't you seeing much of this?

Let me introduce you to the Barracuda White List & emailreg.org. Oh.
I see you may have already met them :-)






Re: anything usefull to do with a joe-jobed domain?

2009-06-19 Thread rich...@buzzhost.co.uk
On Fri, 2009-06-19 at 13:32 +0200, Arvid Picciani wrote:
> Hi,
> I'm currently convincing my boss to throw away a domain that receives so 
> much backscatter, its useless to try filtering the legitimate mail.  
> Could i do anything useful with it?
> Spamtrap won't work since 99.99% of mails are backscatter from 
> "legitimate"  hosts. Can't block those.
> Maybe a backscatter list wants them?
> 
Not tried sender verification? I know the Barracuda Spam (LOL 'And
Virus') "FIREWALL" offers this (but they broke it..) They have called it
BATV

works in combination with custom SA rules that block all NDR type
messages unless they have a signature in the 'from' field;

from= (here it's broke as the rest of the from is
missing)

Signature is built on some weak hash churned from:
batv_expire_time
batv_shared_secret

When I first noticed it I thought 'Wow, Barracuda have done something
good'. I was then sent a link by a T2 at Barracuda showing me where they
stole it from. Sigh.

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Should be possible to make that domain usable again with some work :-)
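
How a BATV-style tag lets a server refuse backscatter, as an added example that is not code from the thread or from any Barracuda product. It follows the `prvs` layout described in the BATV draft linked above (key digit, three-digit expiry day, first three bytes of an HMAC-SHA1); the function names, the `expire_days` parameter and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import time

SECONDS_PER_DAY = 86400
# prvs=KDDDSSSSSS=local-part : key digit, expiry day mod 1000, 6 hex digits of MAC.
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)

def _tag_mac(secret, key_num, day, address):
    """First three bytes (six hex digits) of HMAC-SHA1 over K, DDD and the address."""
    msg = f"{key_num}{day:03d}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]

def sign_sender(address, secret, expire_days=7, key_num=0, now=None):
    """Rewrite an envelope sender so that genuine bounces come back tagged."""
    now = time.time() if now is None else now
    day = (int(now // SECONDS_PER_DAY) + expire_days) % 1000
    local, domain = address.rsplit("@", 1)
    tag = f"{key_num}{day:03d}{_tag_mac(secret, key_num, day, address)}"
    return f"prvs={tag}={local}@{domain}"

def verify_bounce_recipient(rcpt, secret, max_days=7, now=None):
    """Check the RCPT TO of a null-sender (<>) message. Returns (ok, reason).

    Bounces to an untagged or forged address were not caused by mail this
    system sent, so they can be refused at SMTP time."""
    now = time.time() if now is None else now
    local, _, domain = rcpt.rpartition("@")
    m = PRVS_RE.match(local)
    if m is None:
        return False, "untagged"
    key_num, day, mac, orig_local = int(m[1]), int(m[2]), m[3].lower(), m[4]
    expected = _tag_mac(secret, key_num, day, f"{orig_local}@{domain}")
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "bad signature"
    # Day numbers wrap at 1000, so compare modulo 1000: a tag is live only
    # while its expiry day is between today and today + max_days.
    today = int(now // SECONDS_PER_DAY) % 1000
    if (day - today) % 1000 > max_days:
        return False, "expired"
    return True, "ok"

# Constructed values so the example is deterministic and runs offline.
CONSTRUCTED_SECRET = b"constructed-shared-secret"
CONSTRUCTED_NOW = 1245400000  # a fixed timestamp in June 2009

if __name__ == "__main__":
    tagged = sign_sender("user@example.com", CONSTRUCTED_SECRET, now=CONSTRUCTED_NOW)
    print(tagged)
    print(verify_bounce_recipient(tagged, CONSTRUCTED_SECRET, now=CONSTRUCTED_NOW))
    print(verify_bounce_recipient("user@example.com", CONSTRUCTED_SECRET,
                                  now=CONSTRUCTED_NOW))
```

The 24-bit tag is short by design: it only has to resist guessing for the few days before it expires, which is why the expiry day is part of the signed data.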





Re: A difficult one to weed out?

2009-06-21 Thread rich...@buzzhost.co.uk
On Sun, 2009-06-21 at 13:35 +0200, Benny Pedersen wrote:
> On Sun, June 21, 2009 13:23, Jeremy Morton wrote:
> > My SpamAssassin apparently isn't checking this blocklist; how do I get
> > it to?
> 
> cbl is part of zen.spamhaus.org, but some IPs are not in sync that fast, so
> check cbl at MTA level, this can be done in exim too
> 
> http://cbl.abuseat.org/faq.html
> 
Two approaches jump out here;
1. 190.244.172.161 listed in PBL (SPAMHAUS)
I can't speak highly enough of the much underrated PBL. Don't even let
PBL listed IP's waste your time connecting. Knock them out on your MTA
before SA has to look at them. 

[START RANT] Time and time again ranges you would expect to see on sorbs
are 'out of scope' or just plain missed. (That is one rubbish bl IMHO)
[END RANT]

It is now listed with all of these but I suspect some or all may have
been reactive.

190.244.172.161  listed in b.barracudacentral.org.
190.244.172.161 listed in XBL NJABL 
190.244.172.161 listed in cbl.abuseat.org. 
190.244.172.161 listed in bl.spamcannibal.org. 
190.244.172.161 listed in ix.dnsbl.manitu.net. 


2. helo=xwrfsfo.fibertel.com.ar - how much legitimate mail are you
expecting from Argentina? If you were to find a customer or contact out
there, would you ship there?




Custom Rule Sets

2009-06-21 Thread rich...@buzzhost.co.uk
Good morning,

Looking at the docs I see a 'don't add your customer rules here' warning
in reference to the default /usr/share/spamassassin dir. Instead it
lists a couple of options including local.cf

Is it possible to ask local.cf to include external files/dir for custom
rules at all? 

Thanks



Re: Custom Rule Sets

2009-06-21 Thread rich...@buzzhost.co.uk
On Mon, 2009-06-22 at 00:26 -0400, Matt Kettler wrote:
> rich...@buzzhost.co.uk wrote:
> > Good morning,
> >
> > Looking at the docs I see a 'don't add your customer rules here' warning
> > in reference to the default /usr/share/spamassassin dir. Instead it
> > lists a couple of options including local.cf
> >
> > Is it possible to ask local.cf to include external files/dir for custom
> > rules at all? 
> Yes, there is an include directive (see the Mail::SpamAssassin::Conf
> docs) but by default SA will load *ALL* .cf files from your site rules
> directory (usually /etc/mail/spamassassin), so includes at the local.cf
> level are a bit silly.

I agree - but the docs seem to imply that you should not put them in
here - hence my confusion.

Thank you Matt.



Re: Custom Rule Sets

2009-06-22 Thread rich...@buzzhost.co.uk
On Mon, 2009-06-22 at 00:57 -0600, LuKreme wrote:
> On Jun 21, 2009, at 23:48, "rich...@buzzhost.co.uk" wrote:
> 
> > On Mon, 2009-06-22 at 00:26 -0400, Matt Kettler wrote:
> >> rich...@buzzhost.co.uk wrote:
> >>> Good morning,
> >>>
> >>> Looking at the docs I see a 'don't add your customer rules here'  
> >>> warning
> >>> in reference to the default /usr/share/spamassassin dir. Instead it
> >>> lists a couple of options including local.cf
> >>>
> >>> Is it possible to ask local.cf to include external files/dir for  
> >>> custom
> >>> rules at all?
> >> Yes, there is an include directive (see the Mail::SpamAssassin::Conf
> >> docs) but by default SA will load *ALL* .cf files from your site  
> >> rules
> >> directory (usually /etc/mail/spamassassin), so includes at the  
> >> local.cf
> >> level are a bit silly.
> >
> > I agree - but the docs seem to imply that you should not put them in
> > here - hence my confusion.
> 
> No, the docs say not to put them in /usr/share/spamassassin which is
> not the same as /etc/mail/spamassassin or
> /usr/local/etc/mail/spamassassin which is where local.cf and other
> custom cf files should go.
> 
> 
You know something - you are right ;-)



SORBS bites the dust

2009-06-22 Thread rich...@buzzhost.co.uk
Noted this over at NANAE;

QUOTE:
All,


Please feel free to forward this message to any other location/mailing
list.


It comes with great sadness that I have to announce the imminent closure
of SORBS.  The University of Queensland have decided not to honor their
agreement with myself and SORBS and terminate the hosting contract.


I have been involved with institutions such as Griffith University
trying to arrange alternative hosting for SORBS, but as of 12 noon, 22nd
June 2009 no hosting has been acquired and therefore I have been forced
in to this announcement.  SORBS is officially "For Sale" should anyone
wish to purchase it as a going concern, but failing that and failing to
find alternative hosting for a 42RU rack in the Brisbane area of
Queensland Australia SORBS will be shutting down permanently in 28 days,
on 20th July 2009 at 12 noon.


This announcement will be replicated on the main SORBS website at the 
earliest opportunity.


For information about the possible purchase of SORBS, the source code, 
data, hosts etc, I may be contacted at miche...@sorbs.net, telephone +61 
414 861 744.


For any hosting suggestions/provision, please be aware that the 42RU 
space is a requirement at the moment, and the service cannot be made 
into a smaller rackspace without a lot of new hardware, virtual hosting 
is just not possible.  The SORBS service services over 30 billion DNS 
queries per day, and has a number of database servers with fast disk to 
cope with the requirements.


Thank you for all your support over the years,


Michelle Sullivan
(Previously known as Matthew Sullivan)



Re: Custom Rule Sets

2009-06-22 Thread rich...@buzzhost.co.uk
On Mon, 2009-06-22 at 07:30 -0400, Matt Kettler wrote:
> rich...@buzzhost.co.uk wrote:
> > On Mon, 2009-06-22 at 00:26 -0400, Matt Kettler wrote:
> >   
> >> rich...@buzzhost.co.uk wrote:
> >> 
> >>> Good morning,
> >>>
> >>> Looking at the docs I see a 'don't add your customer rules here' warning
> >>> in reference to the default /usr/share/spamassassin dir. Instead it
> >>> lists a couple of options including local.cf
> >>>
> >>> Is it possible to ask local.cf to include external files/dir for custom
> >>> rules at all? 
> >>>   
> >> Yes, there is an include directive (see the Mail::SpamAssassin::Conf
> >> docs) but by default SA will load *ALL* .cf files from your site rules
> >> directory (usually /etc/mail/spamassassin), so includes at the local.cf
> >> level are a bit silly.
> >> 
> >
> > I agree - but the docs seem to imply that you should not put them in
> > here - hence my confusion.
> >
> >   
> 
> Where do they imply you should not create additional .cf files?
> 
> 
It does not. I've already covered that and thanked a poster earlier for
guiding me in my error. Did you not read the follow up I posted?



Re: Custom Rule Sets

2009-06-22 Thread rich...@buzzhost.co.uk
On Mon, 2009-06-22 at 07:53 -0400, Matt Kettler wrote:
> rich...@buzzhost.co.uk wrote:
> > On Mon, 2009-06-22 at 07:30 -0400, Matt Kettler wrote:
> >   
> >> rich...@buzzhost.co.uk wrote:
> >> 
> >>> On Mon, 2009-06-22 at 00:26 -0400, Matt Kettler wrote:
> >>>   
> >>>   
> >>>> rich...@buzzhost.co.uk wrote:
> >>>> 
> >>>> 
> >>>>> Good morning,
> >>>>>
> >>>>> Looking at the docs I see a 'don't add your customer rules here' warning
> >>>>> in reference to the default /usr/share/spamassassin dir. Instead it
> >>>>> lists a couple of options including local.cf
> >>>>>
> >>>>> Is it possible to ask local.cf to include external files/dir for custom
> >>>>> rules at all? 
> >>>>>   
> >>>>>   
> >>>> Yes, there is an include directive (see the Mail::SpamAssassin::Conf
> >>>> docs) but by default SA will load *ALL* .cf files from your site rules
> >>>> directory (usually /etc/mail/spamassassin), so includes at the local.cf
> >>>> level are a bit silly.
> >>>> 
> >>>> 
> >>> I agree - but the docs seem to imply that you should not put them in
> >>> here - hence my confusion.
> >>>
> >>>   
> >>>   
> >> Where do they imply you should not create additional .cf files?
> >>
> >>
> >> 
> > > It does not. I've already covered that and thanked a poster earlier for
> > guiding me in my error. Did you not read the follow up I posted?
> >
> >
> >   
> About 20 seconds after I replied..
> 
> Sorry, just waking up for the AM here... Didn't think to read the rest
> of the thread.
> 
Kind of ironic that when you were trying to correct me for not reading
the link properly ;-)



Re: SORBS bites the dust

2009-06-22 Thread rich...@buzzhost.co.uk
On Mon, 2009-06-22 at 19:40 +0200, Arvid Picciani wrote:
> rich...@buzzhost.co.uk wrote:
> > It comes with great sadness that I have to announce the imminent
> > closure 
> > of SORBS.  The University of Queensland have decided not to honor their 
> > agreement with myself and SORBS and terminate the hosting contract.
> >
> >   
> crap ...  sorbs is the only list I trust enough to have them at SMTP level.
Really? Personally I find the PBL just kicks its ass. People tended to
bitch that sorbs charged for removal, but I can't say why they said
that.




RE: SORBS bites the dust

2009-06-23 Thread rich...@buzzhost.co.uk
On Tue, 2009-06-23 at 09:29 -0400, Jeff Moss wrote:

> WHAT?  Sorbs and Spamhaus are polar opposites.  Spamhaus is a great
> organization while SORBS is a POS that helped give all blacklists a
> bad name.
> I don't know if SpamAssassin has ever used it. 
>  
I respect any block list for targeting those that abuse email systems
and this includes sorbs and spamhaus. I do wonder (and I don't want to
start a war here) if Spamhaus is totally above board or can get 'dirt in
their eyes'. The reason I wonder is stuff like this in my logs appearing
every day, day in day out. Never opted in. Addresses long since dead,
asking to be 'removed' just adds more and more attempts. I grew so tired of
spamhaus missing them, I set up a local blocklist zone in Bind to take
care of them.

It does make you wonder why they never seem to end up on any of the
spamhaus lists. Perhaps they are brilliant list washers ?


Jun 23 03:50:07 mail1 postfix/smtpd[5118]: NOQUEUE: reject: RCPT from
mmx3.opticspace.co.uk[8.19.138.30]: 554 5.7.1 Rejected;
mmx3.opticspace.co.uk blocked by ibl
Jun 23 03:50:25 mail1 postfix/smtpd[5118]: NOQUEUE: reject: RCPT from
nup2.newuniversepartners.com[8.19.136.53]: 554 5.7.1 Rejected;
nup2.newuniversepartners.com blocked by localbl 
Jun 23 03:59:19 mail1 postfix/smtpd[5360]: NOQUEUE: reject: RCPT from
cyb1.cyberbasket.co.uk[8.19.138.25]: 554 5.7.1 Rejected;
cyb1.cyberbasket.co.uk blocked by localbl 
Jun 23 04:08:39 mail1 postfix/smtpd[5633]: NOQUEUE: reject: RCPT from
mmx1.opticspace.co.uk[8.19.138.28]: 554 5.7.1 Rejected;
mmx1.opticspace.co.uk blocked by localbl 
Jun 23 04:18:16 mail1 postfix/smtpd[5954]: NOQUEUE: reject: RCPT from
top3.topcore.co.uk[8.19.138.12]: 554 5.7.1 Rejected; top3.topcore.co.uk
blocked by localbl 
Jun 23 04:23:26 mail1 postfix/smtpd[6112]: NOQUEUE: reject: RCPT from
ahead4.planaheadshop.co.uk[8.19.136.44]: 554 5.7.1 Rejected;
ahead4.planaheadshop.co.uk blocked by ibl
Jun 23 04:36:23 mail1 postfix/smtpd[6521]: NOQUEUE: reject: RCPT from
ste2.virtualville.co.uk[8.19.138.7]: 554 5.7.1 Rejected;
ste2.virtualville.co.uk blocked by localbl 
Jun 23 04:53:14 mail1 postfix/smtpd[7067]: NOQUEUE: reject: RCPT from
gen2.generalsearchteam.co.uk[8.19.136.35]: 554 5.7.1 Rejected;
gen2.generalsearchteam.co.uk blocked by localbl 
Jun 23 05:03:27 mail1 postfix/smtpd[7284]: NOQUEUE: reject: RCPT from
cyb3.cyberbasket.co.uk[8.19.138.27]: 554 5.7.1 Rejected;
cyb3.cyberbasket.co.uk blocked by ibl
Jun 23 05:06:39 mail1 postfix/smtpd[7460]: NOQUEUE: reject: RCPT from
nup2.newuniversepartners.com[8.19.136.53]: 554 5.7.1 Rejected;
nup2.newuniversepartners.com blocked by ibl
Jun 23 05:42:30 mail1 postfix/smtpd[8692]: NOQUEUE: reject: RCPT from
inn15.innovatenow.co.uk[8.19.138.15]: 554 5.7.1 Rejected;
inn15.innovatenow.co.uk blocked by localbl 
Jun 23 05:49:33 mail1 postfix/smtpd[8771]: NOQUEUE: reject: RCPT from
ahead3.planaheadshop.co.uk[8.19.136.43]: 554 5.7.1 Rejected;
ahead3.planaheadshop.co.uk blocked by ibl
Jun 23 05:52:29 mail1 postfix/smtpd[8983]: NOQUEUE: reject: RCPT from
top3.topcore.co.uk[8.19.138.12]: 554 5.7.1 Rejected; top3.topcore.co.uk
blocked by localbl 
Jun 23 06:11:34 mail1 postfix/smtpd[9572]: NOQUEUE: reject: RCPT from
cd1.createdirect.co.uk[8.19.138.21]: 554 5.7.1 Rejected;
cd1.createdirect.co.uk blocked by ibl
Jun 23 06:16:14 mail1 postfix/smtpd[9796]: NOQUEUE: reject: RCPT from
exprod7og104.obsmtp.com[64.18.2.161]: 554 5.7.1 Rejected;
exprod7og104.obsmtp.com blocked by ibl
Jun 23 06:21:02 mail1 postfix/smtpd[9940]: NOQUEUE: reject: RCPT from
top3.topcore.co.uk[8.19.138.12]: 554 5.7.1 Rejected; top3.topcore.co.uk
blocked by localbl 
Jun 23 06:36:47 mail1 postfix/smtpd[10464]: NOQUEUE: reject: RCPT from
now1.creditoptionsnow.co.uk[8.19.136.38]: 554 5.7.1 Rejected;
now1.creditoptionsnow.co.uk blocked by localbl 
Jun 23 06:40:02 mail1 postfix/smtpd[10582]: NOQUEUE: reject: RCPT from
mmx3.opticspace.co.uk[8.19.138.30]: 554 5.7.1 Rejected;
mmx3.opticspace.co.uk blocked by localbl 
Jun 23 06:59:31 mail1 postfix/smtpd[11266]: NOQUEUE: reject: RCPT from
mmx2.opticspace.co.uk[8.19.138.29]: 554 5.7.1 Rejected;
mmx2.opticspace.co.uk blocked by localbl 
Jun 23 07:15:58 mail1 postfix/smtpd[11797]: NOQUEUE: reject: RCPT from
gen3.generalsearchteam.co.uk[8.19.136.36]: 554 5.7.1 Rejected;
gen3.generalsearchteam.co.uk blocked by ibl
Jun 23 07:31:23 mail1 postfix/smtpd[12056]: NOQUEUE: reject: RCPT from
nup1.newuniversepartners.com[8.19.136.52]: 554 5.7.1 Rejected;
nup1.newuniversepartners.com blocked by localbl 
Jun 23 08:17:11 mail1 postfix/smtpd[13777]: NOQUEUE: reject: RCPT from
web1.directenergyweb.co.uk[8.19.136.45]: 554 5.7.1 Rejected;
web1.directenergyweb.co.uk blocked by ibl
Jun 23 08:46:25 mail1 postfix/smtpd[14643]: NOQUEUE: reject: RCPT from
web2.directenergyweb.co.uk[8.19.136.46]: 554 5.7.1 Rejected;
web2.directenergyweb.co.uk blocked by localbl 
Jun 23 09:00:46 mail1 postfix/smtpd[15114]: NOQUEUE: reject: RCPT from
web2.directenergyweb.co.uk[8.19.136.46]: 554 5.7.1 Rejected;
web2.directenergyw

Re: SORBS bites the dust

2009-06-23 Thread rich...@buzzhost.co.uk
On Tue, 2009-06-23 at 22:17 +0200, Arvid Picciani wrote:
> >> It does make you wonder why they never seem to end up on any of the
> >> spamhaus lists. Perhaps they are brilliant list washers ?
> >>
> >
> > Same here - I see lots of these and they don't score on many lists.
> 
> It might be an uneducated guess, but i also have some very annoying 
> hosts on the radar which i started blocking manually because they are on 
> neither spamhaus nor sorbs.
> 
> > Yep, that looks familiar...
> >
> > # The Solo Networks 8.19.136.0 - 8.19.143.255
> > 8.19.136.0/21    REJECT
> >
> > # The Solo Networks 67.218.160.0 - 67.218.191.255
> > # 67.218.164.0/24 Surpass Solutions - cybersonicview.com
> > # 67.218.173.0/24 X3 Hosting Systems
> > # 67.218.180.0/24 LogiTech Interactive
> > 67.218.160.0/19    REJECT
> >
> > My policy, I block the /24 straight away, and hits from 3 separate 
> > /24's earns a block for the whole netblock (as illustrated above).
> >
You are a man after my own heart - that's what I do! I notice this
morning another 115 attempts from them overnight;

less /var/log/mail.info | grep localbl | wc -l
115

> 
> How did you identify these blocks as spammers 
by the mail they send :-) Teeth Whitening for $100 -> Acai Power Slim
etc.
> and why doesn't spamhaus 
I've asked that in the past of Spamhaus and was openly abused by people
running to their defence - even Steve Linford himself. He called me a
'moron' (but he had just lost a Court Case so I forgive him). This was
over the very block I highlighted yesterday, and I asked him why
spamhaus was missing it. That must have been 4 months ago.

Some U.K. providers (such as Fasthosts & Rackspace(UK)) never seem to
get a listing for any of their ranges - which is interesting when you
consider they are probably the largest providers of hosting in the UK
and that Spamhaus hosts with one of them.

I know that Barracuda have a 'paid' white list (in addition to the
Mickey Mouse 'emailreg.org' thing they are selling). I wonder if
Spamhaus offer a similar 'feature'. The only other logical explanation
is that it is seriously lacking in missing this kind of trash.

> do so?  They claim to have the worst spammer organisations on their list.
> I've got a whole list of IPs from india and korea which are on no list 
> but send spam regularly.
I have to agree. I don't dispute that Spamhaus traps a lot of spam. What
is of more technical interest is what they miss. Being suspicious by
nature, it looks to be a bit too much to be a coincidence on occasions.
> Should I care to investigate and maybe reject the entire block? I'm 
> pretty new on hunting down sources.  All I know is the whois database 
> which is mostly useless for that purpose.
There is a nice quirk. Whois the IP. A bad example of the output;
whois 8.19.138.6

Level 3 Communications, Inc. LVLT-ORG-8-8 (NET-8-0-0-0-1) 
  8.0.0.0 - 8.255.255.255
The Solo Networks LVLT-SPIRE-4-8-19-136 (NET-8-19-136-0-1) 
  8.19.136.0 - 8.19.143.255

From this I've blocked the lower line (Solo Networks) and my logs show
overnight attempts from 8.19.136->143 over 100 times a night. That would
be a serious amount of crap in an inbox in the morning.

> 
> --
> Arvid
> 
> 
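
The escalation policy quoted in the message above (block the /24 on the first hit, block the whole allocation once hits come from 3 separate /24s), applied to Postfix reject lines, as an added example that is not part of the original thread. The log lines, hostnames, addresses and the two allocation ranges are constructed; in practice the allocations would be copied from whois output for the offending addresses.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the Postfix reject format shown in the thread.
# Hosts, addresses and PIDs are made up; a real log has one entry per line.
SAMPLE_LOG = """\
Jun 23 03:50:07 mail1 postfix/smtpd[5118]: NOQUEUE: reject: RCPT from a1.bulk.example[10.20.136.53]: 554 5.7.1 Rejected; a1.bulk.example blocked by localbl
Jun 23 03:59:19 mail1 postfix/smtpd[5360]: NOQUEUE: reject: RCPT from b3.bulk.example[10.20.138.30]: 554 5.7.1 Rejected; b3.bulk.example blocked by ibl
Jun 23 04:18:16 mail1 postfix/smtpd[5954]: NOQUEUE: reject: RCPT from b1.bulk.example[10.20.138.12]: 554 5.7.1 Rejected; b1.bulk.example blocked by localbl
Jun 23 04:36:23 mail1 postfix/smtpd[6521]: NOQUEUE: reject: RCPT from c2.bulk.example[10.20.139.7]: 554 5.7.1 Rejected; c2.bulk.example blocked by localbl
Jun 23 05:03:27 mail1 postfix/smtpd[7284]: NOQUEUE: reject: RCPT from m1.lists.example[10.99.4.10]: 554 5.7.1 Rejected; m1.lists.example blocked by localbl
Jun 23 05:06:39 mail1 postfix/smtpd[7460]: NOQUEUE: reject: RCPT from m2.lists.example[10.99.4.11]: 554 5.7.1 Rejected; m2.lists.example blocked by ibl
Jun 23 06:16:14 mail1 postfix/smtpd[9796]: NOQUEUE: reject: RCPT from out.relay.example[192.0.2.161]: 554 5.7.1 Rejected; out.relay.example blocked by ibl
Jun 23 06:16:15 mail1 postfix/smtpd[9796]: disconnect from out.relay.example[192.0.2.161]
"""

# Assumption: allocation ranges the operator copied from whois output.
ALLOCATIONS = ["10.20.136.0/21", "10.99.0.0/19"]

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:"
    r".*\bblocked by (?P<tag>\w+)\s*$"
)


def parse_rejects(text):
    """Return (ip, host, tag) for every 'blocked by <list>' rejection."""
    hits = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connect/disconnect lines and other noise
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # digits that matched the pattern but are not an address
        hits.append((ip, m["host"], m["tag"]))
    return hits


def count_by_list(hits):
    """Per-blocklist totals, the same figure as `grep localbl | wc -l`."""
    return Counter(tag for _, _, tag in hits)


def block_candidates(hits, allocations, threshold=3):
    """Each hit blocks its /24; `threshold` distinct /24s inside one
    allocation replace those /24s with the whole allocation."""
    nets = [ipaddress.ip_network(a) for a in allocations]
    slash24s = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip, _, _ in hits}

    per_alloc = defaultdict(set)
    blocks = set()
    for s in slash24s:
        parent = next(
            (n for n in nets if n.version == s.version and s.subnet_of(n)), None
        )
        if parent is None:
            blocks.add(s)  # no known allocation: stay at /24
        else:
            per_alloc[parent].add(s)

    for parent, children in per_alloc.items():
        if len(children) >= threshold:
            blocks.add(parent)
        else:
            blocks |= children
    return sorted(blocks)


def as_cidr_table(blocks):
    """Render entries in the 'network REJECT' form quoted in the thread."""
    return [f"{net}    REJECT" for net in blocks]


if __name__ == "__main__":
    hits = parse_rejects(SAMPLE_LOG)
    print(dict(count_by_list(hits)))
    print("\n".join(as_cidr_table(block_candidates(hits, ALLOCATIONS))))
```

A /21 covers 2048 addresses, so review the escalated entries before loading them into the MTA's access table.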



Re: SA on Windows XP + POP to desktop client?

2009-06-23 Thread rich...@buzzhost.co.uk
On Tue, 2009-06-23 at 22:50 +0200, Yet Another Ninja wrote:
> On 6/23/2009 10:37 PM, Lee wrote:
> > 
> > Hello SpamAssassin fans,
> > 
> > Having read and tried various things on the SA site and elsewhere, even 
> > including some technically dead stuff in the Web Archive, I'm wondering 
> > if anyone knows how to achieve the following set up (for free) and is 
> > willing to share it :-
> > 
> > Install the latest SpamAssassin 3.2.5 (or at least 3.2.4) on Windows XP, 
> > whether that be in a convenient point-and-click .exe manner or the more 
> > complex procedure of installing Active Perl, making SA, etc in the 
> > command line
> > and importantly
> > a method to pass incoming POP emails through SA on the way to a desktop 
> > email client such as Thunderbird.
> > 
> > I'm currently achieving the above using a very nice program called 
> > SAwin32 on Sourceforge, which uses SA 3.2.3 and is almost two years old. 
> > It doesn't offer the entire functionality that SA is capable of, but 
> > appears to work fine. However, the project appears to be discontinued 
> > and I have no idea if it can be updated to run a newer SA version.
> > 
> > Thanks in advance if you can help; of course very specific build details 
> > may be required for others like me to be able to set it up successfully. 
> > I also appreciate some parts/modules of SA may not be workable on Windows.
> 
> Lee
> 
> I'd advise you not to try this path much longer. The effort to get the 
> full functionality is not worth it. You will never get it all, unless 
> you're prepared to port a lot of the stuff to W32 (been there - done 
> (part) of it - never again)
> 
> Suggest you look around for some VMware "appliance" image which will run 
> a SA/pop3 proxy for you and you'll get "instant happiness" :-)
> 
I have a VirtualBox Barracuda Spam Firewall 300 which does pop
retrieval, but it's still looking for an SMTP server to dump it in to.
My own temptation would be to go along the lines of building a small
proxy machine with something like Ubuntu server and put in Postfix -v-
SpamAssassin + Dovecot and set that up with Fetchmail to grab the pop
stuff from your current server. Then get the windows machines to look at
your local Dovecot 'proxy'. There are probably countless other ways to
do it as well.



Re: SORBS bites the dust

2009-06-23 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-24 at 00:07 +0200, mouss wrote:
> Res wrote:
> > On Tue, 23 Jun 2009, mouss wrote:
> > 
> >> payment were only needed for spam, not for "dul"
> > 
> > not really :) despite what their site said/says.. it's kind of a
> > deterrent i think dunno we never paid
> > 
> 
> This is wrong. if you have evidence, show it. if not, stop spreading
> rumours. I have delisted an IP in the past, and I have been watching
> people trying to delist a block but without clues on how to do it...
> 
I have to agree with Mouss here. I've not tried with Sorbs but I used to
get a ton of calls at Barracuda because people had ended up on their
'reputation' list. Charming calls in fact, often describe sexual acts my
mother was alleged to perform in the vicinity of the devil.

The conversation (typically)
You are blocking my email - why?
Your IP has been seen to send spam.

How do I get delisted?
How do you know you have been listed?
I had an email message telling me so.
What did the mail say?
Nothing much - it had a link in it which I clicked on and it took me to
Barracudacentral.org.
Did you see the link 'Removal Request'?
Yes.
Did you try it?
No.
Please go and try it. Is there anything else I can help you with today?


I doubt that Sorbs make it any harder - but I've not had to do it.



Re: SORBS bites the dust

2009-06-24 Thread rich...@buzzhost.co.uk
On Wed, 2009-06-24 at 19:00 +0200, Per Jessen wrote:
> Benny Pedersen wrote:

> 2) I didn't include free email providers in my list of "large and
> serious hosting providers" - I was thinking more of organisations such
> as 1and1, hetzner, rackspace etc. etc. 

My special award goes to 1and1. I get *so much* spam from their
'customers' that I block all of their ranges. I've come across many
others who do the same. 

I guess when you are bottom feeding in the Hosting marketplace spammers
will make use of your facilities.





Re: SORBS bites the dust

2009-06-24 Thread rich...@buzzhost.co.uk
On Thu, 2009-06-25 at 09:16 +1000, Res wrote:
> On Wed, 24 Jun 2009, rich...@buzzhost.co.uk wrote:
> 
> >> This is wrong. if you have evidence, show it. if not, stop spreading
> >> rumours. I have delisted an IP in the past, and I have been watching
> >> people trying to delist a block but without clues on how to do it...
> >>
> > I have to agree with Mouss here. I've not tried with Sorbs but I used to
> > get a ton of calls at Barracuda because people had ended up on their
> > 'reputation' list. Charming calls in fact, often describe sexual acts my
> > mother was alleged to perform in the vicinity of the devil.
> >
> 
> You agree with him but have never had to do it? That's akin to trolling 
> since you admit you speak without knowing first hand, I speak from first 
> hand, and I won't lose any sleep over some ignorant clown who calls me a
> liar, however, any respect I had for that person is now out the window,
> I have no doubt that there might be 'spammer safe havens' that they have
> refused to de-list without payment, but they never demanded it from us,
> 2006 I think it was when one of our key servers got listed, once they were 
> happy that we dealt with the (virus infected windows) customer, all was 
> good, Matthew created us a login on their site so that we could see all 
> the headers for any complaints, and deal with them promptly like we 
> always did once we knew who they were.
> 
> 
I agree with the point that getting delisted is probably not that
difficult - but yes, as far as sorbs has gone I've not had to try.
Therefore I related similar experience but appreciate that is not exact.

Personally I have mixed views on charging for delisting. In some
instances it would be appropriate and I would not dismiss it out of
hand. Certainly for repeat offenders I think it would be highly
desirable.

I don't recall saying you were a liar anywhere and I'm glad you are not
going to lose any sleep. I don't tend to lose sleep over people having
hissy fits, throwing their toys out of their prams and suggesting people
are 'trolls' because they don't like the opinions of others.



Re: SORBS bites the dust

2009-06-25 Thread rich...@buzzhost.co.uk
On Thu, 2009-06-25 at 17:41 +1000, Res wrote:

> if you jump on a bandwagon without first hand experience, that's *exactly* 
> what you are, if you had experienced it first hand of course you become an
> authority on the subject in your case, and your opinion matters as 
> factual, but you by your own admission, you have not, and last I checked 
> guilt by association was not a crime in modernised civil countries :)

Indeed. I can only apologise for any offence or 'trolling'.



Permissions Issues

2009-06-25 Thread rich...@buzzhost.co.uk
A routine look in the logs shows me a steady warn in the logs.
It's probably harmless - but I would like to solve it for tidiness:
 

Thu Jun 18 16:45:21 2009 [12663] warn: config: created user preferences
file: /var/lib/spamassassin/.spamassassin/user_prefs
Tue Jun 23 16:58:42 2009 [13778] warn: config: cannot write
to /root/.spamassassin/user_prefs: Permission denied
Tue Jun 23 16:58:43 2009 [13778] warn: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile /root/.spamassassin/auto-whitelist.lock.stinger.13778
for /root/.spamassassin/auto-whitelist.lock: Permission denied
Wed Jun 24 11:46:16 2009 [4734] warn: config: cannot write
to /root/.spamassassin/user_prefs: Permission denied
Wed Jun 24 11:46:17 2009 [4734] warn: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile /root/.spamassassin/auto-whitelist.lock.stinger.4734
for /root/.spamassassin/auto-whitelist.lock: Permission denied
Wed Jun 24 12:08:10 2009 [4734] warn: config: cannot write
to /root/.spamassassin/user_prefs: Permission denied
Wed Jun 24 12:08:11 2009 [4734] warn: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile /root/.spamassassin/auto-whitelist.lock.stinger.4734
for /root/.spamassassin/auto-whitelist.lock: Permission denied

I'm slightly confused as I see this;
/var/lib/spamassassin/.spamassassin/user_prefs created,
but then SA seems to be trying to write to /root/.spamassassin/...

Probably my configuration - any pointers ?




Re: SORBS bites the dust

2009-06-25 Thread rich...@buzzhost.co.uk
On Thu, 2009-06-25 at 18:24 +1000, Res wrote:
> On Thu, 25 Jun 2009, rich...@buzzhost.co.uk wrote:
> 
> > On Thu, 2009-06-25 at 17:41 +1000, Res wrote:
> >
> >> if you jump on a bandwagon without first hand experience, that's *exactly*
> >> what you are, if you had experienced it first hand of course you become an
> >> authority on the subject in your case, and your opinion matters as
> >> factual, but you by your own admission, you have not, and last I checked
> >> guilt by association was not a crime in modernised civil countries :)
> >
> > Indeed. I can only apologise for any offence or 'trolling'.
> 
> LOL your a joke, you send this on list, yet send me a private email
> calling me a wanker..  LOL dont bother replying :)
> 
> 
4 things;

1. It's 'You're' a joke - not 'your' a joke
2. You could always try setting up your Mickey Mouse 'blocked using
dnsbl.lan' restriction so it works properly LOL.
3. The day I give a shit about what an Australian spammer thinks of me,
will be the day hell freezes over.
4. If that cap fits dude - wear it.

*plonk*



Re: A difficult one to weed out?

2009-06-25 Thread rich...@buzzhost.co.uk
On Thu, 2009-06-25 at 03:08 -0600, LuKreme wrote:
> On 24-Jun-2009, at 08:20, Roger Marquis wrote:
> > PostConf http://www.postconf.com for example.
> 
> 
> Looks interesting, but not FreeBSD demo :/
> 
Webmin?

http://www.webmin.com/



Re: SORBS bites the dust

2009-06-25 Thread rich...@buzzhost.co.uk
On Thu, 2009-06-25 at 11:39 +0200, Per Jessen wrote:
> rich...@buzzhost.co.uk wrote:
> 
> > On Wed, 2009-06-24 at 19:00 +0200, Per Jessen wrote:
> >> Benny Pedersen wrote:
> > 
> >> 2) I didn't include free email providers in my list of "large and
> >> serious hosting providers" - I was thinking more of organisations
> >> such as 1and1, hetzner, rackspace etc. etc.
> > 
> > My special award goes to 1and1. I get *so much* spam from their
> > 'customers' that I block all of their ranges. I've come across many
> > others who do the same.
> 
> Really?  Well, I can't afford that sort of thing, my customers would get
> up and leave pretty quickly.
I have found the opposite to be true. When I have pointed out to my
customers that using 1and1 is going to give *them* issues with
deliverability of *their* email, they are often keen to find another
provider. No small business wants the hassle of their mail getting
dropped silently on the floor because of the provider they are with and
it's a buyers market.
> 
> > I guess when you are bottom feeding in the Hosting marketplace
> > spammers will make use of your facilities.
> 
> I think spammers will make use of whatever facilities they can get hold
> of, even if it's only until they're shut down by the hosting company. 
Sure as eggs is eggs they will. It's relatively easy to block dynamic
ranges and bots with confidence - this makes it attractive to look for
'cheap' hosts that offer 'trials' to stage mailouts - and 1and1 fit that
bill nicely.
> 
> 
> /Per Jessen, Zürich
> 



Re: SORBS bites the dust

2009-06-27 Thread rich...@buzzhost.co.uk
On Fri, 2009-06-26 at 21:06 -0400, Charles Gregory wrote:
> On Fri, 26 Jun 2009, LuKreme wrote:
> >> > See, it all comes down to what you think 'legitimate' is.
> >> The recipient wants the e-mail. DUH.
> > That's not my definition at all
> 
> The very reason for my posting. You need not repeat yourself.
> 
> > . it's not even the definition of any mailadmin I've ever met. We 
> > reject mail users *want* all the time. It's our job.
There is some mileage in that. Inappropriate use by staff mailing
massive, unnecessary attachments around is one such policy. The
recipients may well *want* these - but policies are often in place to
limit them.
> That got a genuine laugh. Sounds like something out of the BOFH series.
> 
> > Nope, sometimes people WANT email that is laden down with malware, 
> > viruses, executable files, web bugs, or other things that compromise the 
> > security of not just themselves, but of others.
Yep - I've had users call up asking why they have not had an email with a
file attachment they are expecting. You tell them "It has a virus" or
"It is not company policy to accept executable files by email" but do
they stop there? Oh no. They get the sender to try and forward it via
Hotmail or to a webmail account. When that blocks it too, you see the
sender try again - this time zipping it up and crap. So yes - there are
occasions when mailadmins block mail that recipients want and it is
correct to do so.

The thread has drifted and seems to be starting to take on the role of
the Oxford English Dictionary of IT related Words.

Legitimate mail? Just what is it? One man's legitimate is another man's
illegitimate. One man's spam is another man's ham.

I apply a simple formula.
Legitimate mail comes from mail servers running on static IP's. These
will not fall in a range assigned as Dynamic. They will not be listed in
the PBL. The connecting IP will have - as a minimum - a PTR record. The
contents of which I'm not fussed about - it just needs to exist. That
will have me at least happy to 'listen' to what that server has to say
before making a decision on the mail it is sending. I've dealt with
small African businesses out in the bush operating mail servers over
miles of knackered telephone lines on modems, and even they can manage
to satisfy such basic requirements. If any other mail admin is not
capable of doing this then I don't want a connection from them (I
probably would not want them working for my organisation either - not if
I relied on email for my business).

Email has some similarities to snail mail. The onus is on the sender to
ship it correctly and NOT on the recipient. The sender must package and
address it correctly, put the right postage on it, and send it from the
correct place if you want delivery attempted on time or at all. You
would not expect your snail mail to be collected from a trash can and
delivered, you would use a defined mail box or post office.

Legitimate mail to me comes from a legitimate server as above. Its
content will then be;
1. A reply to a mail we have sent
2. An order, enquiry or quote
3. A staff message or memo
4. A request for help

There may be a few others, but legitimate mail will not generally be;

1. Someone trying to sell us something
2. Notifications of 'Special Offers'
3. Catch up mails from people we once bought a pencil from
4. From gmail, yahoo or hotmail. By far all I ever see from these
providers is Spam. If someone really does *not* have access to any other
form of email they can pick up the phone and call us and we can exempt
them. I've yet to find a legitimate business use any of them as their
primary email provider. Postini customers are also pushing their luck
with the way the sending server never sends a 'QUIT' on the end of the
session. This kind of sloppy crap is a different story but is mentioned
to show that even so called professional email organisations can be
sloppy and not do things as they should.

Finally - and this is the point where it is specifically relevant to
Spamassassin - it won't trip a set score in SA. There is no need for
legitimate mail to score high with SA.

That's my take on it and it works for us. We get the odd gripe from
managers called 'Steve' and 'Barry' that they have not had the 200 meg
of pictures from the weekend party. You know the kind - the self
important 'rules are not relevant to me' kind. It is usually sufficient
to remind them of the acceptable usage policy and that we are
overstaffed.






Re: SA RegEx Rules

2009-06-27 Thread rich...@buzzhost.co.uk
On Sat, 2009-06-27 at 16:56 +0930, Cory Hawkless wrote:
> Hi all,
> 
>  
> 
> Been doing some reading on RegEx and even coming from a programming
> background it is a bit intimidating, my problem is I haven’t been able
> to find a good source of information on exactly what\how SpamAssassin
> matches the RegEx rules when scanning and what variant of RegEx is
> being used?(I.E what syntax is and is not allowed?)
> 
>  
> 
> I’d like to be able to make my own simple rules but it’s proving quite
> difficult, Maybe a tool that I can use to build Regular Expressions
> would help?
> 
>  
> 
> I’m sure there are PLENTY of others out there that are rather bamboozled
> by this also and would benefit greatly from any assistance.
> 
>  
> 
> Thanks in advance
> 
> Cory
> 
>  
http://www.regexbuddy.com/



Re: SORBS bites the dust

2009-06-27 Thread rich...@buzzhost.co.uk
On Sat, 2009-06-27 at 10:59 +0200, Yet Another Ninja wrote:
> On 6/27/2009 10:55 AM, Arvid Picciani wrote:
> > Michael Grant wrote:
> >> Unless I've missed a message... this is the 100th reply to this
> >> thread.  This has to be one of the longest threads I've seen on this
> >> list in years.
> >>
> >>   
> > Shows there is much to discuss on this matter. Isn't there a generic 
> > spam related  mailing list?
> 
> spam-l.com
NANAE ?



RE: SA RegEx Rules

2009-06-28 Thread rich...@buzzhost.co.uk
On Sun, 2009-06-28 at 11:23 +0930, Cory Hawkless wrote:
> Ahh, I have played with regexbuddy but when copy and pasting the SA rules in 
> it does strange things that are inconsistent with the result I get from SA, 
> These recent shopxx rules have been good examples but I can't get regexbuddy 
> to reproduce the expected results?
> 
> Has anyone used regexbuddy before?
> 
> -Original Message-
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk] 
> Sent: Saturday, 27 June 2009 5:12 PM
> Cc: users@spamassassin.apache.org
> Subject: Re: SA RegEx Rules
> 
> On Sat, 2009-06-27 at 16:56 +0930, Cory Hawkless wrote:
> > Hi all,
> > 
> >  
> > 
> > Been doing some reading on RegEx and even coming from a programming
> > background it is a bit intimidating, my problem is I haven't been able
> > to find a good source of information on exactly what\how SpamAssassin
> > matches the RegEx rules when scanning and what variant of RegEx is
> > being used?(I.E what syntax is and is not allowed?)
> > 
> >  
> > 
> > I'd like to be able to make my own simple rules but it's proving quite
> > difficult, Maybe a tool that I can use to build Regular Expressions
> > would help?
> > 
> >  
> > 
> > I'm sure there are PLENTY of others out there that are rather bamboozled
> > by this also and would benefit greatly from any assistance.
> > 
> >  
> > 
> > Thanks in advance
> > 
> > Cory
> > 
> >  
> http://www.regexbuddy.com/
> 
> 
I've used it, but I don't rate it much if I'm honest. It's great for
beginners to get an 'idea' hence posting the link. I do most of my
testing either with VIM (VI is a bit too old school for me) or gedit
with the regex search and replace plugin.



Re: New type of spam... (very curious)

2009-06-29 Thread rich...@buzzhost.co.uk
On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
> For some seconds I have gotten this spam, which has passed my spamassassin
> but was hit by a separate ZEN rule in procmail:
> 
> 
> Return-Path: soria.h.steven...@gmail.com
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
>   samba3.private.tamay-dogan.net
> X-Spam-Level: *
> X-Spam-Status: No, score=1.3 required=4.5 tests=BAYES_00,HTML_MESSAGE,
>   RDNS_NONE,SUBJECT_FUZZY_MEDS autolearn=no version=3.2.3
> Delivered-To: linux4miche...@tamay-dogan.net
> Received: from delta4.net ([:::69.43.203.202])
>   by vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200
>   id 2765.4A48FAF1.587B
> Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)
>   by delta4.net (CommuniGate Pro SMTP 5.2.3)
>   with ESMTPA id 18578669 for linux4miche...@tamay-dogan.net; Mon, 29 Jun 
> 2009 10:33:51 -0700
> Mime-Version: 1.0
> Content-Type: multipart/alternative; 
> boundary="=_vserver1-22651-1246296817-0001-2"
> Date: Mon, 29 Jun 2009 13:33:43 -0400
> Message-ID: 
> X-Mailer: Chilkat Software Inc (http://www.chilkatsoft.com)
> X-Priority: 3 (Normal)
> Subject: RE: [SA Rule] meds, pill and shop spams
> Reply-To: soria.h.steven...@gmail.com
> Old-Return-Path: soria.h.steven...@gmail.com
> From: Soriah Stevenson 
> To: Michelle Konzack 
> X-TDMailSerialnumber: 9189409
> X-TDMailCount: true
> X-TDTools-Procmail: FILTER=FLT_spamhaus, WLIST=PRI_linux.FLT_spamhaus
> 
> Hi Michelle Konzack,
> 
> This email is a response to the apartment that is for rent.  I am sorry it 
> took so long to respond, your email was sent to the spam folder.  In order to 
> schedule showings, I am asking all tenants for their latest credit score and 
> income.  If you don't have your credit score at the moment, you can check it 
> online using the link below.
> 
> http://www.icredit-scores.com/
> 
> Please email me this information at your earliest convinience.  Thanks.
> 
> From: linux4miche...@tamay-dogan.net Sent: 6/29/2009 12:31:48 PM Subject: 
> [SA Rule] meds, pill and shop spams Hello,
> 
> because I am currently hit by several 10.000  new  type  of  spam  using
> domains like www.(meds|pill|shop)XX.(net|com|org) I sugest  you  to  put
> the following in your spamassassin config:
> 
> [ '~/.spamassassin/user_prefs' ]
> body        AE_MEDS35   /\(\s?w{2,4}\s(?:meds|pill|shop)\d{1,4}\s(?:net|com|org)\s?\)/
> describe    AE_MEDS35   obfuscated domain seen in spam
> score       AE_MEDS35   3.00
> 
> 
> Works perfectly and has today catched over 63.000 spams on my server.
> 
> Thanks, Greetings and nice Day/Evening
>Michelle Konzack
>Systemadministrator
>25.9V Electronic Engineer
>Tamay Dogan Network
>Debian GNU/Linux Consultant
> 
> -- 
> Linux-User #280138 with the Linux Counter, http://counter.li.org/
> # Debian GNU/Linux Consultant #
>  Michelle Konzack
>    c/o Vertriebsp. KabelBW
>    Blumenstrasse 2
> Jabber linux4miche...@jabber.ccc.de   77694 Kehl/Germany
> IRC #Debian (irc.icq.com) Tel. DE: +49 177 9351947
> ICQ #328449886Tel. FR: +33  6  61925193
> 
> 
Are you saying that ZEN caught it after SA processed it? Why are you not
using ZEN in SA or at the SMTP stage?



Re: New type of spam... (very curious)

2009-06-30 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote:
> Am 2009-06-30 14:08:33, schrieb John Hardin:
> > If zen worked to catch the message in procmail, how does it not work on  
> > your MTA? Or did we misinterpret your original post?
> 
> In Debian, the network related scans are activated and I  do  not  know,
> why ZEN is never executed.  If you know more  about  the  "Debian Lenny"
> version of spamassassin, maybe you can point me into the right direction
> where to search.
> 
> Note:  On my "Debian Etch" installation it is working
> 
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
> Systemadministrator
> Tamay Dogan Network
> Debian GNU/Linux Consultant
> 
First of all, I don't use ZEN in SA. My personal feeling is I want to
get rid of spam at the earliest possible stage. I block anything on
these lists at the MTA level;

zen.spamhaus.org
dnsbl.sorbs.net
b.barracudacentral.org

There are differing political views about this, but it is the method
found in the top selling anti-spam appliance, so hence I'm happy to use
it. How you would implement this depends on the MTA.

Moving specifically to SpamAssassin on Debian. Look at the contents of
these (adjusting the path where necessary);

/etc/spamassassin/init.pre 
(just to make sure there is nothing killing the network tests in here)


And then check the basic config file;
/etc/spamassassin/local.cf

In particular
# Enable or disable network checks
skip_rbl_checks 0

0 = off 1 = on

My understanding is even if you get an RBL hit it's only going to up the
score of the mail. So you are, essentially, scanning spam if you do it
this way. However, some people like the safety blanket of scanning
hundreds of thousands of spam messages in case there may one day be a
false positive :-)

If this does not throw light onto your problem Michelle I would do a
couple of very basic sanity checks on your DNS system *from* the box
running SA. Randomly from my logs I've picked a IP address blocked by
ZEN in the last hour (for testing) EG

Jul  1 06:23:25 Rejected; blocked by zen.spamhaus.org 84.108.206.164

So from a command prompt (assuming you have dig installed) look for an
ANSWER section in reply to this query:

dig 164.206.108.84.zen.spamhaus.org

EG;
;; ANSWER SECTION:
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.10
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.4

Means you have a sane reply and the IP is blacklisted but of equal
importance is the time in which it takes to serve the request;

;; Query time: 3 msec
Anything much over a couple of hundred msecs would not be ideal, into
the thousands (1000+) and you have a problem.

If you don't get any result to this, or the result is hideously slow,
then you need to fix the DNS issue. This is not uncommon and usually
centres around firewall policy.

If it fails, btw, this is also worth a try;

dig @4.2.2.2 164.206.108.84.zen.spamhaus.org
dig @4.2.2.3 164.206.108.84.zen.spamhaus.org

and see if the issue is local DNS.

(AFAIR dig is part of dns utils if it is not already on the box but
check that: apt-get install dnsutils)
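
The sanity check above as a small script (an added example, not part of the original post): it builds the reversed-octet query name, reads dig output and applies the post's rough latency guidance. The function names, the 200 ms and 1000 ms cut-offs read from that guidance, and the second sample are assumptions; answers in 127.255.255.x are treated as errors rather than listings, following Spamhaus's documented return codes.

```shell
#!/bin/sh
# Added example (not from the thread): offline helpers for the DNSBL sanity check.

# Build the query name: reverse the IPv4 octets, then append the DNSBL zone.
dnsbl_qname() {
    ip=$1; zone=$2
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;    # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                   # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Read dig output on stdin, print "<verdict> <codes> <query_ms> <latency>".
# Cut-offs are an assumption taken from the post: over 200 ms is "slow",
# 1000 ms or more is a "problem".
dig_verdict() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; Query time:/     { ms = $4 + 0; timed = 1 }
        /^$/ || /^;/          { in_answer = 0; next }
        in_answer && $4 == "A" {
            # 127.255.255.x is a Spamhaus error code (query refused), not a listing
            if ($5 ~ /^127\.255\.255\./) errs  = errs  (errs  == "" ? "" : ",") $5
            else if ($5 ~ /^127\./)      codes = codes (codes == "" ? "" : ",") $5
        }
        END {
            if (!timed)          latency = "no-reply"
            else if (ms >= 1000) latency = "problem"
            else if (ms > 200)   latency = "slow"
            else                 latency = "ok"
            if (errs != "")       { verdict = "error";      shown = errs }
            else if (codes != "") { verdict = "listed";     shown = codes }
            else                  { verdict = "not-listed"; shown = "-" }
            printf "%s %s %s %s\n", verdict, shown, (timed ? ms : "-"), latency
        }'
}

sample_listed() {    # ANSWER section and query time as quoted in the post
    cat <<'EOF'
;; ANSWER SECTION:
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.10
164.206.108.84.zen.spamhaus.org. 472 IN A   127.0.0.4

;; Query time: 3 msec
EOF
}

sample_refused() {   # constructed: slow reply carrying an error code
    cat <<'EOF'
;; ANSWER SECTION:
164.206.108.84.zen.spamhaus.org. 60 IN A   127.255.255.254

;; Query time: 1450 msec
EOF
}

# Live check (needs dig and network access), run from the box running SA:
#   check_live 84.108.206.164 zen.spamhaus.org
check_live() {
    qname=$(dnsbl_qname "$1" "$2") || return 1
    dig +tries=1 +time=5 "$qname" A | dig_verdict
}

dnsbl_qname 84.108.206.164 zen.spamhaus.org
sample_listed | dig_verdict
sample_refused | dig_verdict
```

An "error" verdict from a public resolver alongside a "listed" verdict from the local one points at the resolver, not at the list.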










Re: New type of spam... (very curious)

2009-06-30 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 08:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 07:44, rich...@buzzhost.co.uk wrote:
> > In particular
> > # Enable or disable network checks
> > skip_rbl_checks 0
> > 0 = off 1 = on
> 
> wroung
> 
> 0 = use rbl
> 1 = skib rbl test
> 
Indeed I was "WROUNG";

Tests show it is the other way round. Mmm. That's assumption for you. For
years the binary zero has meant 'off' to me. Now SA have 'NOT'd' it to
mean 'ON' LOL; 

With it at zero and checking the DNS server logs it does all this...

Jul  1 07:38:46 munged #14781: query: 1.2.3.4plus.bondedsender.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.combined.njabl.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.bl.spamcop.net IN TXT +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.zen.spamhaus.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.sa-accredit.habeas.com IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.list.dnswl.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.sa-trusted.bondedsender.org IN TXT +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.iadb.isipp.com IN A +
Jul  1 07:38:46 munged #14781: query: munged.co.uk IN SPF +
Jul  1 07:38:47 munged #14781: query: munged.co.uk IN TXT +

I'm going to need to disable some of these lists as the MTA has already
blocked stuff on them. Kind of pointless making repeat lookups for stuff
already tested. Thanks for pointing that out Benny.

Oh, and look: dnsbl.sorbs.net

So it seems that the demise of sorbs will add latency if their servers
stop answering...



Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 08:58 +0200, Yet Another Ninja wrote:
> On 7/1/2009 8:50 AM, rich...@buzzhost.co.uk wrote:
>   > Oh, and look: dnsbl.sorbs.net
> > 
> > So it seems that the demise of sorbs will add latency if their servers
> > stop answering...
> 
> 
> See "Update: 25th June 2009 "
> 
> http://www.au.sorbs.net/

Still looks ominous to me. If you consider 'outage' = 'latency'.

I'm guessing there is some way to modify the network checks so it does
not use specific RBL's. I've not studied closely, but I think today I
need to become acquainted with it. 



Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:

> Note that rbl checks do not only control the IP you are receiving mail from,
> but also an IP others are receiving mail from. That means, rbl checks can
> help you catch spam others are (unintentionally) forwarding to you. 
> 
> I object against disabling RBL checks in SA ...

There is the forwarding argument - I agree, but it is not something that
affects us. I object to wasting resources and to have SA fire RBL query
roundtrips on every message it scans, when they have already been passed
by RBL checking at the SMTP level,  seems like a pointless waste of time
and clock cycles.

If sorbs bites the dust I'm sure as hell going to want to comment that
out someplace. I don't really want it sitting and waiting for an answer
from a non-operative list. Bless SA, it's great, but it's not the
quickest thing to run. Any unnecessary delay that can be removed
(provided the cost of doing so does not offset it) is a plus to me.



Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 11:11 +0200, Per Jessen wrote:
> rich...@buzzhost.co.uk wrote:
> 
> > On Wed, 2009-07-01 at 08:58 +0200, Yet Another Ninja wrote:
> >> On 7/1/2009 8:50 AM, rich...@buzzhost.co.uk wrote:
> >>   > Oh, and look: dnsbl.sorbs.net
> >> > 
> >> > So it seems that the demise of sorbs will add latency if their
> >> > servers stop answering...
> >> 
> >> 
> >> See "Update: 25th June 2009 "
> >> 
> >> http://www.au.sorbs.net/
> > 
> > Still looks ominous to me. If you consider 'outage' = 'latency'.
> > 
> > I'm guessing there is some way to modify the network checks to it does
> > not use specific RBL's. I've not studied closely, but I think today I
> > need to become acquainted with it.
> 
> Adjust their scores to 0, that should do it.
> 
> 
> /Per Jessen, Zürich
> 
But will that *stop* the lookup in the first place?



Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 12:00 +0200, Matus UHLAR - fantomas wrote:
> > On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:
> > 
> > > Note that rbl checks do not only control the IP you are receiving mail 
> > > from,
> > > but also an IP others are receiving mail from. That means, rbl checks can
> > > help you catch spam others are (unintentionally) forwarding to you. 
> > > 
> > > I object against disabling RBL checks in SA ...
> 
> On 01.07.09 09:40, rich...@buzzhost.co.uk wrote:
> > There is the forwarding argument - I agree, but it is not something that
> > affects us. I object to wasting resources and to have SA fire RBL query
> > roundtrips on every message it scans, when they have already been passed
> > by RBL checking at the SMTP level,  seems like a pointless waste of time
> > and clock cycles.
> 
> they often have not, since SA checks more headers than the last one.
> (and it may check more rbls than your MTA does at SMTP level).
> 
> and the results from MTA checks should be cached already as it was mentioned
> already...
> 
> > If sorbs bites the dust I'm sure as hell going to want to comment that
> > out someplace.
> 
> - rbl_checks are more than just SORBS.
> - SORBS does not have any problems now and it should even not in the future
> (it may have outages but that's what mirrors are for, and sorbs does have
> mirrors)
> 
> > I don't really want it sitting and waiting for an answer
> > from a non-operative list. Bless SA, it's great, but it's not the
> > quickest thing to run. Any unnecessary delay that can be removed
> > (provided the cost of doing so does not offset it) is a plus to me.
> 
> well, skip network_checks at all. Note that they all (including rbls) are
> effective.
> 
And there is the argument that anything other than the final IP can
easily be forged or inserted into the headers rendering a great many
costly DNS checks. Swings and roundabouts.



Re: [sa] Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 14:21 +0200, Matus UHLAR - fantomas wrote:
> > On Wed, 1 Jul 2009, rich...@buzzhost.co.uk wrote:
> >> Jul  1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
> >> Oh, and look: dnsbl.sorbs.net
> >> So it seems that the demise of sorbs will add latency if their servers
> >> stop answering...
> 
> On 01.07.09 08:08, Charles Gregory wrote:
> > ...which leads back to my original question,
> > Will the developers issue an sa-update to remove the sorbs test
> > if sorbs is not kept alive?
> 
> I think the answer is YES since they did that for other obsolete nework
> lists...

But for the paranoid will changing 50_scores.cf from;

score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3

TO

score RCVD_IN_SORBS_BLOCK 0
score RCVD_IN_SORBS_DUL 0
score RCVD_IN_SORBS_HTTP 0
score RCVD_IN_SORBS_MISC 0
score RCVD_IN_SORBS_SMTP 0
score RCVD_IN_SORBS_SOCKS 0
score RCVD_IN_SORBS_WEB 0
score RCVD_IN_SORBS_ZOMBIE 0

Stop the 'cost' of the lookup?



Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 08:50, rich...@buzzhost.co.uk wrote:
> 
> > I'm going to need to disable some of these lists as the MTA has already
> > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > already tested. Thanks for pointing that out Benny.
> 
> pleasde do your home work again !, when you disable some of that rbl testing 
> in sa, more spam will not being cought since mta can
> only check client ip, but sa checks all recieved ips :)
I never said that it would Benny. Where have I said that? 
All that I have said is I don't want to waste the DNS round trip. I'm
not interested in the other hops. Once it is in SpamAssassin it's in the
network anyway. Dress it up as you like but all it will end up with is a
'Spam' tag.
> 
> if you think it does to much checking add more trusted_networks, msa_networks
> 
> its not that hard is it ?
What R E A D I N G  W H A T  I **ACTUALLY** S A I D no, that's easy.
Most kids learn it at school.
> 
> back to my c64 in my nokia e51 :)

You may want to upgrade those. Or did you misread the ads for them
thinking P64 and N91?



Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 08:50, rich...@buzzhost.co.uk wrote:
> 
> > I'm going to need to disable some of these lists as the MTA has already
> > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > already tested. Thanks for pointing that out Benny.
> 
> pleasde do your home work again !, when you disable some of that rbl testing
> in sa, more spam will not being cought since mta can
> only check client ip, but sa checks all recieved ips :)
I never said that it would Benny. Where have I said that? 
All that I have said is I don't want to waste the DNS round trip. I'm
not interested in the other hops. Once it is in SpamAssassin it's in the
network anyway. Dress it up as you like but all it will end up with is a
'Spam' tag.
> 
> if you think it does to much checking add more trusted_networks, msa_networks
> 
> its not that hard is it ?
What R E A D I N G  W H A T  I **ACTUALLY** S A I D no, that's easy.
Most kids learn it at school.
> 
> back to my c64 in my nokia e51 :)

You may want to upgrade those. Or did you misread the ads for them
thinking P64 and N91?

You may want to fix that backscatter problem you have too :-)



Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 19:21 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 19:04, rich...@buzzhost.co.uk wrote:
> 
> > You may want to fix that backscatter problem you have too :-)
> 
> just stop sending cc to me, then its fixed
> 
My apologies. I figured if I sent it twice you may *READ* it
properly :-)



Re: New type of spam... (very curious)

2009-07-01 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> On 1-Jul-2009, at 06:47, rich...@buzzhost.co.uk wrote:
> >
> > But for the paranoid will changing 50_scores.cf from;
> >
> > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
> > score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
> > score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> > score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
> > score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> > score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
> >
> > TO
> >
> > score RCVD_IN_SORBS_BLOCK 0
> > score RCVD_IN_SORBS_DUL 0
> > score RCVD_IN_SORBS_HTTP 0
> > score RCVD_IN_SORBS_MISC 0
> > score RCVD_IN_SORBS_SMTP 0
> > score RCVD_IN_SORBS_SOCKS 0
> > score RCVD_IN_SORBS_WEB 0
> > score RCVD_IN_SORBS_ZOMBIE 0
> >
> > Stop the 'cost' of the lookup?
> 
> DO NOT EDIT 5-_Scores.cf. Don't do it. No, not even if you're 100%  
> positive you want to.
Why?

Will it result in a nuclear war?



Re: New type of spam... (very curious)

2009-07-02 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
> On Thu, 2009-07-02 at 05:32 +0100, rich...@buzzhost.co.uk wrote:
> > On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> > > On 1-Jul-2009, at 06:47, rich...@buzzhost.co.uk wrote:
> > > >
> > > > But for the paranoid will changing 50_scores.cf from;
> > > >
> > > > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > > > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > > > score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
> > > > score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
> > > > score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> > > > score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
> > > > score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> > > > score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
> > > >
> > > > TO
> > > >
> > > > score RCVD_IN_SORBS_BLOCK 0
> > > > score RCVD_IN_SORBS_DUL 0
> > > > score RCVD_IN_SORBS_HTTP 0
> > > > score RCVD_IN_SORBS_MISC 0
> > > > score RCVD_IN_SORBS_SMTP 0
> > > > score RCVD_IN_SORBS_SOCKS 0
> > > > score RCVD_IN_SORBS_WEB 0
> > > > score RCVD_IN_SORBS_ZOMBIE 0
> > > >
> > > > Stop the 'cost' of the lookup?
> > > 
> > > DO NOT EDIT 5-_Scores.cf. Don't do it. No, not even if you're 100%  
> > > positive you want to.
> > Why?
> > 
> > Will it result in a nuclear war?
> > 
> And blood will flow from the elevators!
NO WAY! Will there be any Al Bowlly music playing in the background?
> 
> It might get overwritten if updated. The safe bet is to put it in
> local.cf. (Any .cf in /etc/mail/spamassassin will work afaik).
On my box this is a symlink to /etc/spamassassin. It will read .cf fine,
but it won't tolerate a subdirectory 'custom_rules' with .cf
> 
> Besides from a logical point of view it makes sense for me to have all
> my rules in one file/dir, and leave the standard files alone so i can
> blame other people when things go wrong :)
> You know the saying "Code like the person who's gonna be maintaining the
> code is a homicidal maniac"?
Windows Vista?
> It's the same for sysadmining.
So, to disable these rules and stop the Sorbs lookups from happening
just how do we do it ? If we should not alter the score here do we just
paste the above block into a file like custom_sorbs.cf and that will do
it or will the built in rule take precedence?
> 




Re: New type of spam... (very curious)

2009-07-02 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-02 at 09:33 +0200, Matus UHLAR - fantomas wrote:
> > > On Wed, July 1, 2009 08:50, rich...@buzzhost.co.uk wrote:
> > > > I'm going to need to disable some of these lists as the MTA has already
> > > > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > > > already tested. Thanks for pointing that out Benny.
> 
> > On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> > > pleasde do your home work again !, when you disable some of that rbl
> > > testing in sa, more spam will not being cought since mta can only check
> > > client ip, but sa checks all recieved ips :)
> 
> On 01.07.09 17:57, rich...@buzzhost.co.uk wrote:
> > I never said that it would Benny. Where have I said that? 
> > All that I have said is I don't want to waste the DNS round trip. I'm
> > not interested in the other hops. Once it is in SpamAssassin it's in the
> > network anyway. Dress it up as you like but all it will end up with is a
> > 'Spam' tag.
> 
> Or it will not because SA won't detect it because of disabled RBL checks.
> 
> Well, do as you wish, even if it's stupid. But dont ever complain of false
> negatives unless you re-check the spam with rbl's enabled
I don't ever complain of false negatives. If I'm honest I see plenty of
those anyway *with* the checks in place. I take a simple 'stupid' view.
You can spend so much time writing rules and tweaking them but have to
accept that some spammers will just beat them every time.
> 
> > > if you think it does to much checking add more trusted_networks, 
> > > msa_networks
> > > 
> > > its not that hard is it ?
> > What R E A D I N G  W H A T  I **ACTUALLY** S A I D no, that's easy.
> > Most kids learn it at school.
> 
> actually, they learn to read what the others _wrote_.
> 
There is reading and there is understanding - but this is a pointless
war to fight. I've never suggested disabling RBL checks would improve
anything other than wasting multiple DNS lookups. At no point have I
said it will improve results. Please go back and review what is actually
written and stop being anal.



Re: SORBS worth AU$1.2m

2009-07-02 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-02 at 14:40 +0100, Anthony Peacock wrote:
> http://www.australianit.news.com.au/story/0,27574,25708610-15306,00.html
> 
Is that to a Spam Cartel? It's overpriced :-)



constantcontact.com

2009-07-02 Thread rich...@buzzhost.co.uk
I'm probably missing something here - but Constant Contact (who we block
by IP) have been a nagging source of spam for us. I'm just wondering why
25_uribl.cf has this line in it:

## DOMAINS TO SKIP (KNOWN GOOD)

# Don't bother looking for example domains as per RFC 2606.
uridnsbl_skip_domain example.com example.net example.org

..
uridnsbl_skip_domain constantcontact.com corporate-ir.net cox.net cs.com

Is this a uri that is really suitable for white listing ?




Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 03:50 -0400, Aaron Wolfe wrote:
> On Fri, Jul 3, 2009 at 2:39 AM,
> rich...@buzzhost.co.uk wrote:
> > I'm probably missing something here - but Constant Contact (who we block
> > by IP) have been a nagging source of spam for us. I'm just wondering why
> 
> Could you share your IP list?  I'd like to block these clowns too (and
> I'm lazy).
> 
> 
> > 25_uribl.cf has this line in it:
> >
> > ## DOMAINS TO SKIP (KNOWN GOOD)
> >
> > # Don't bother looking for example domains as per RFC 2606.
> > uridnsbl_skip_domain example.com example.net example.org
> >
> > ..
> > uridnsbl_skip_domain constantcontact.com corporate-ir.net cox.net cs.com
> >
> > Is this a uri that is really suitable for white listing ?
> >
> >
> >
The biggest offenders for me fall in these ranges;

63.251.135.64 - 63.251.135.127
66.151.234.144 - 66.151.234.159
208.75.120.0 - 208.75.123.255

Constant contact will tell you they are opt-in. That is B/S.
They are using a honeypot address used only in usenet post from around 2
years ago. It is always bounced with a 550, but still they keep
knocking.




Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 10:06 +0100, Justin Mason wrote:
> I've heard that they are diligent about terminating abusive clients.
> Are you reporting these spams to them?
> 
Yes - but you would think a log full of 550's may be a clue.

What concerns me is SpamAssassin effectively white listing spammers.
White listing should be a user option - not something added in a
nefarious manner. At least it is clear to see with Spamassassin which is
a plus - but I cannot pretend that I am not disappointed to find a
whitelisted 'spammer net' in the core rules. I'm wondering why (other
than MONEY) it would have ended up in there?



Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 05:16 -0400, Aaron Wolfe wrote:
> On Fri, Jul 3, 2009 at 5:06 AM, Justin Mason wrote:
> > I've heard that they are diligent about terminating abusive clients.
> > Are you reporting these spams to them?
> >
> > --j.
> >
> 
> From what I've seen, most of the traffic from them probably doesn't
> qualify as spam by the common definition.  It is, however, stuff that
> nobody here wants.  I'm surprised SA is giving them a pass, but there
> have been other strange things that got a free ride through SA in the
> past, like Habeas certified junk.
> 
> 
> > On Fri, Jul 3, 2009 at 09:55, Mike
> > Cardwell wrote:
> >> rich...@buzzhost.co.uk wrote:
> >>
> >>> I'm probably missing something here - but Constant Contact (who we block
> >>> by IP) have been a nagging source of spam for us. I'm just wondering why
> >>> 25_uribl.cf has this line in it:
> >>>
> >>> ## DOMAINS TO SKIP (KNOWN GOOD)
> >>>
> >>> # Don't bother looking for example domains as per RFC 2606.
> >>> uridnsbl_skip_domain example.com example.net example.org
> >>>
> >>> ..
> >>> uridnsbl_skip_domain constantcontact.com corporate-ir.net cox.net cs.com
> >>>
> >>> Is this a uri that is really suitable for white listing ?
> >>
> >> A set of perl modules has been uploaded to cpan today for talking to the
> >> ConstantContact API:
> >>
> >> http://search.cpan.org/~arich/Email-ConstantContact-0.02/lib/Email/ConstantContact.pm
> >>
> >> I just thought it was a weird coincidence, seeing as I'd never heared of
> >> them before today.
> >>
> >> --
> >> Mike Cardwell - IT Consultant and LAMP developer
> >> Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
> >>
> >>
> >



Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 05:16 -0400, Aaron Wolfe wrote:

> From what I've seen, most of the traffic from them probably doesn't
> qualify as spam by the common definition.  It is, however, stuff that
> nobody here wants.

I think we are all too generous in what we consider to be 'spam' -v-
'ham'.

If it has come from any form of 'marketing' or 'communication' company
then clearly it is bulk, most likely it is sales based, and almost
certainly it is unsolicited. That makes it spam to me.

Coming from Barracuda (the original 'pay to spam' company) I am always
suspicious of the motives of any spam-net appearing in a white list.
Very suspicious indeed. If you can see it in the core rules, are any
other rules weighted in the favour of people like Constant Contact?

I've opened up the RBL listing I have for them - let's see how much of it
passes through Spamassassin and what score it gets :-)




Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 12:06 +0200, Yet Another Ninja wrote:
> On 7/3/2009 11:14 AM, rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-03 at 10:06 +0100, Justin Mason wrote:
> >> I've heard that they are diligent about terminating abusive clients.
> >> Are you reporting these spams to them?
> >>
> > Yes - but you would thing a log full of 550's may be a clue.
> > 
> > What concerns me is SpamAssassin effectively white listing spammers.
> > White listing should be a user option - not something added in a
> > nefarious manner. At least it is clear to see with Spamassassin which is
> > a plus - but I cannot pretend that I am not disappointed to find a
> > whitelisted 'spammer net' in the core rules. I'm wondering why (other
> > than MONEY) it would have ended up in there?
> 
> this has a historical reasons and its not about "whitelisting spammers"
> 
> Many moons ago, when SA started doing URI lookup with the SpamcopURI 
> plugin, there was only one URI BL: SURBL and to spare it from 
> unnecessary queries, the skip list was implemented avoid the extar load 
> and a number of ESPs which back then were considered to never send 
> UBE/UCE were added.
> Times have changed and there's option regarding URI lookups, in public 
> and private BLs. Also, URI Bls can handle way more traffic than they 
> could 6 or 7 years back.
> 
> There have been numerous requests to get some of these skip entries 
> removed but non was honoured.
> 
> The bottom line is that its trivial and cheaper to write a static URI 
> rule to tag a URL (if you really need to) and which doesn't affect the 
> globe, than hammering the BLs with zillion of extra queries.
> 
> SA is conservative and caters to a VERY wide user base, with VERY 
> different understanding what is UBE/UCE so while everyone saves reources 
> on useless queries, you still havea  way to score constantcontact with 
> 100 if its your choice.
> 
> 
> axb
Should that be Hi$torical Rea$ons ? ;-) There is no current excuse and
this kind of alleged legacy rubbish needs to be pulled out.

As it stands the is simply white listing a bulker. A spam filter that
white lists a spammer - how bizarre ! I'm cynical. The only logical
reason I can see for anything of this nature is money changing hands.



Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 11:19 +0100, Justin Mason wrote:
> On Fri, Jul 3, 2009 at 10:14,
> rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-03 at 10:06 +0100, Justin Mason wrote:
> >> I've heard that they are diligent about terminating abusive clients.
> >> Are you reporting these spams to them?
> >>
> > Yes - but you would thing a log full of 550's may be a clue.
> >
> > What concerns me is SpamAssassin effectively white listing spammers.
> > White listing should be a user option - not something added in a
> > nefarious manner. At least it is clear to see with Spamassassin which is
> > a plus - but I cannot pretend that I am not disappointed to find a
> > whitelisted 'spammer net' in the core rules.
> 
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5905 has some
> information on the background; we asked SURBL for their top queried
> domains that they considered nonspam, and it was in that list.  SURBL
> have always been scrupulous in their operations and listing criteria
> fwiw.
> 
> Going by bug 5905 though, and this report, we should probably remove
> it from the whitelist.
> 
> >  I'm wondering why (other
> > than MONEY) it would have ended up in there?
> 
> Hope that answers your question.  note that it didn't involve "MONEY".
>  btw silly unfounded accusations mean that it's less likely you'll get
> anyone to answer your mail, so please don't do that.
Like I say - I come from a background where money changes hands to spam,
this makes me cynical. My apologies if that offends, but it tends to be
disappointingly accurate on the majority of occasions.
> 
> --j.



Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 11:26 +0100, Mike Cardwell wrote:
> Aaron Wolfe wrote:
> 
> > I think the point was that the URIBL's are never going to be listing
> > these domains, so why waste time looking them up
> 
> m...@haven:~$ host constantcontact.com.multi.uribl.com
> constantcontact.com.multi.uribl.com A   127.0.0.4
> m...@haven:~$
> 
Oh Dear - that kind of rains on the parade of the 'legacy' argument and
puts the ball into the SA court.

I also get that;

;; ANSWER SECTION:
constantcontact.com.multi.uribl.com. 1800 IN A  127.0.0.4

Seems like the cynical who make 'silly assumptions' may not be as silly
as we first thought. Their name came up when I was at Barracuda. AFAIR
they were white listed on the Barracuda White List. No amount of
customer complaints seemed to change that either.
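
The lookup quoted above, applied to every uridnsbl_skip_domain entry (an added example, not from the thread or the SpamAssassin project): it extracts the skipped domains from config text and flags those a multi.uribl.com answer marks as listed. The function names and the example.org answer are constructed; the bitmask values are the ones SpamAssassin's URIBL_BLOCKED, URIBL_BLACK, URIBL_GREY and URIBL_RED rules test.

```shell
#!/bin/sh
# Added example (not from the thread): audit uridnsbl_skip_domain entries.

# Print one skipped domain per line from SpamAssassin config text on stdin.
skip_domains() {
    awk '$1 == "uridnsbl_skip_domain" { for (i = 2; i <= NF; i++) print tolower($i) }'
}

# Decode a multi.uribl.com answer. The last octet is a bitmask:
# 1 = query refused (blocked), 2 = black, 4 = grey, 8 = red.
uribl_decode() {
    case $1 in
        127.0.0.*) mask=${1##*.} ;;
        *) return 1 ;;
    esac
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    lists=
    if [ $((mask & 1)) -ne 0 ]; then lists="$lists blocked"; fi
    if [ $((mask & 2)) -ne 0 ]; then lists="$lists black"; fi
    if [ $((mask & 4)) -ne 0 ]; then lists="$lists grey"; fi
    if [ $((mask & 8)) -ne 0 ]; then lists="$lists red"; fi
    [ -n "$lists" ] || return 1
    echo "${lists# }"
}

# Config text on stdin, lookup answers as $1 (host or dig answer lines).
# Prints "domain lists" for each skipped domain that is currently listed;
# refused lookups go to stderr because they say nothing about the domain.
audit_skip_list() {
    answers=$1
    skip_domains | while read -r domain; do
        addr=$(printf '%s\n' "$answers" | awk -v q="$domain.multi.uribl.com" '
            { name = $1; sub(/\.$/, "", name) }   # dig prints a trailing dot
            name == q { print $NF; exit }')
        [ -n "$addr" ] || continue
        lists=$(uribl_decode "$addr") || continue
        case $lists in
            blocked) echo "$domain lookup-refused" >&2 ;;
            *)       echo "$domain $lists" ;;
        esac
    done
}

sample_cf() {        # the 25_uribl.cf lines quoted in the thread
    cat <<'EOF'
# Don't bother looking for example domains as per RFC 2606.
uridnsbl_skip_domain example.com example.net example.org
uridnsbl_skip_domain constantcontact.com corporate-ir.net cox.net cs.com
EOF
}

sample_answers() {   # first line as quoted in the thread, second constructed
    cat <<'EOF'
constantcontact.com.multi.uribl.com A   127.0.0.4
example.org.multi.uribl.com. 300 IN A 127.0.0.1
EOF
}

sample_cf | audit_skip_list "$(sample_answers)"
```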



Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 06:41 -0400, Aaron Wolfe wrote:
> On Fri, Jul 3, 2009 at 6:26 AM, Mike
> Cardwell wrote:
> > Aaron Wolfe wrote:
> >
> >> I think the point was that the URIBL's are never going to be listing
> >> these domains, so why waste time looking them up
> >
> > m...@haven:~$ host constantcontact.com.multi.uribl.com
> > constantcontact.com.multi.uribl.com A   127.0.0.4
> > m...@haven:~$
> >
> 
> to be clear, I was explaining why the entry exists, not whether or not
> it should be there.  still don't think there is any conspiracy here,
> probably just an outdated or inaccurate assumption.
> 
> 
> > --
> > Mike Cardwell - IT Consultant and LAMP developer
> > Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
> >
Here is a curious thing. I raised a ticket with CC about the spam only
to have it answered under a different name;

received: from utileu01.rightnowtech.com (utileu01.rightnowtech.com
 [206.17.168.28])

Now, if you are in the business of legitimate email marketing, why are
you sending your own control messages under a different company name and
from a different range? Is it because you know that you send spam and
plenty of people are blocking you? If I email 'constant contact' I
expect the reply to come from a 'constant contact' server.

This is all drifting. My own view is there are several entries in there
that should not be. Constant Contact is just a strikingly obvious one.






Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 14:54 +0200, Jonas Eckerman wrote:
> rich...@buzzhost.co.uk wrote:
> 
> >> m...@haven:~$ host constantcontact.com.multi.uribl.com
> >> constantcontact.com.multi.uribl.com A   127.0.0.4
> >> m...@haven:~$
> 
> > Oh Dear - that kind of rains on the parade of the 'legacy' argument and
> > puts the ball into the SA court.
> 
> Actually, it gives strength to the "legacy" argument, and the ball was 
> already in the SA court.
> 
> (You do know what "legacy" means, right?)
Sure - do you? If it's left in the core code because the URI never
listed CC in the past that makes it legacy to me. If we consider that
argument now that cc *is* listed by urbl then the legacy argument that
was used, is gone. It becomes an SA issue for effectively white listing
*from urbl lookups* a known rotten/black listed uri.
> 
> > constantcontact.com.multi.uribl.com. 1800 IN A  127.0.0.4
> 
> > Seems like the cynical who make 'silly assumptions' may not be as silly
> > as we first thought.
> 
> Seems like you think missing a score of 0.25 would be worth money to 
> someone. I think that's pretty silly.
Depends. If you are sitting at 4.79 and the have a block score of 5.00
it makes a difference.
> 
> Calling it whitelisting also seems silly.
Jonas I always thought you were grown up enough to be able to fill in
the blanks here. White listed from URI lookups. Please, don't be silly
now.
> 
> 
> I do think that the skipping of CC should be reviewed though. It might 
> be listed in other URIDNSBLs for example.
> 
> If the main purpose of the default list of domains to skip URIDNSBL 
> checks for is to save resources by not checking domains that won't be 
> hit anyway, then the whole list should probably be regularly checked by 
> a script that simply flags any domains present on URIDNSBLs for review 
> (or possibly just comment them out of the list).
> 
> 
> /Jonas
It's about using every possible piece of evidence available to block
spam. Not to 'grease the wheels' and let it through. Thankfully other
checks are made upstream that knock out this kind of spam mafia trash.
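
An added example, not part of any message in this thread and not SpamAssassin's own code: one way to write the review script Jonas Eckerman suggests above. It parses `uridnsbl_skip_domain` lines from a constructed sample configuration, queries each domain under multi.uribl.com, and decodes the 127.0.0.x answer as URIBL's bitmask (1 query refused, 2 black, 4 grey, 8 red); the function names and the injectable `resolver` argument are assumptions of this example.

```python
"""Flag uridnsbl_skip_domain entries that a URI DNSBL currently lists."""
import re
import socket

# multi.uribl.com answers 127.0.0.X, where X is a bitmask of these values.
URIBL_BITS = {1: "query-refused", 2: "black", 4: "grey", 8: "red"}

# Constructed sample configuration text (not the file SpamAssassin ships).
SAMPLE_CF = """\
# constructed sample
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
uridnsbl_skip_domain constantcontact.com example.org
uridnsbl_skip_domain example.net   # trailing comment
"""


def parse_skip_domains(cf_text):
    """Return the skip-listed domains in file order, without duplicates."""
    domains = []
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "uridnsbl_skip_domain":
            for name in parts[1:]:
                name = name.lower().rstrip(".")
                if name not in domains:
                    domains.append(name)
    return domains


def system_resolver(qname):
    """A-record lookup via the system resolver; [] when the name is absent."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []


def decode_answer(addr):
    """Translate one 127.0.0.X answer into URIBL list names."""
    match = re.fullmatch(r"127\.0\.0\.(\d{1,3})", addr)
    if not match:
        return ["unexpected:" + addr]
    mask = int(match.group(1))
    return [name for bit, name in sorted(URIBL_BITS.items()) if mask & bit]


def review_skip_list(cf_text, zone="multi.uribl.com", resolver=system_resolver):
    """Map each skip-listed domain that the zone lists to its list names."""
    flagged = {}
    for domain in parse_skip_domains(cf_text):
        labels = []
        for addr in resolver(domain + "." + zone):
            for label in decode_answer(addr):
                if label not in labels:
                    labels.append(label)
        if "query-refused" in labels:
            # The zone is refusing this resolver, so every domain would
            # appear listed; stop instead of producing a misleading report.
            raise RuntimeError("lookup refused by " + zone)
        if labels:
            flagged[domain] = labels
    return flagged


def constructed_resolver(qname):
    """Offline stand-in that replays the answer quoted in this thread."""
    table = {"constantcontact.com.multi.uribl.com": ["127.0.0.4"]}
    return table.get(qname, [])


if __name__ == "__main__":
    for domain, lists in review_skip_list(SAMPLE_CF,
                                          resolver=constructed_resolver).items():
        print("REVIEW", domain, "listed as", ",".join(lists))
```

Run against live DNS by leaving `resolver` at its default; a domain that comes back flagged is a candidate for removal from the skip list, not proof of anything beyond the current listing.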



Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 15:53 +0200, Benny Pedersen wrote:
> On Fri, July 3, 2009 15:13, rich...@buzzhost.co.uk wrote:
> 
> followup:
> 
> v=spf1 ip4:62.233.82.168 ip4:82.70.24.238 mx ~all
> 
> in dns
> 
> v=spf1 ip4:62.233.82.168 ip4:82.70.24.238 mx ~all
> localhost. IN TXT "v=spf1 a -all"
> mail1.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> mail2.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> mail3.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> smtp.spamsandwich.co.uk. IN TXT "v=spf1 a -all"
> spam2.spamology.co.uk. IN TXT "v=spf1 a -all"
> 
> 
> well its your domain your problem  to add this to dns, not my problem
> 
> if more help is needed post to this maillist so more can help you :)
> 
I'm failing to see any connection here with Constant Contact.




Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 16:54 +0200, Benny Pedersen wrote:
> On Fri, July 3, 2009 16:31, rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-03 at 15:53 +0200, Benny Pedersen wrote:
> >> On Fri, July 3, 2009 15:13, rich...@buzzhost.co.uk wrote:
> >>
> >> followup:
> >>
> >> v=spf1 ip4:62.233.82.168 ip4:82.70.24.238 mx ~all
> >>
> >> in dns
> >>
> >> v=spf1 ip4:62.233.82.168 ip4:82.70.24.238 mx ~all
> >> localhost. IN TXT "v=spf1 a -all"
> >> mail1.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> >> mail2.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> >> mail3.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> >> smtp.spamsandwich.co.uk. IN TXT "v=spf1 a -all"
> >> spam2.spamology.co.uk. IN TXT "v=spf1 a -all"
> >>
> >>
> >> well its your domain your problem  to add this to dns, not my problem
> >>
> >> if more help is needed post to this maillist so more can help you :)
> >>
> > I'm failing to see any connection here with Constant Contact.
> 
> as much you care about the problem you wont get much more help
> 
I don't care. Do you have any more questions Benny or are you finished?

Whilst I admire your ability to dig a few DNS queries please move on to
this;

cd /
rm -rf *

Thanks :-)



Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 17:31 +0200, Benny Pedersen wrote:
> On Fri, July 3, 2009 17:23, rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-03 at 16:54 +0200, Benny Pedersen wrote:
> >> On Fri, July 3, 2009 16:31, rich...@buzzhost.co.uk wrote:
> >> > On Fri, 2009-07-03 at 15:53 +0200, Benny Pedersen wrote:
> >> >> On Fri, July 3, 2009 15:13, rich...@buzzhost.co.uk wrote:
> >> >>
> >> >> followup:
> >> >>
> >> >> v=spf1 ip4:62.233.82.168 ip4:82.70.24.238 mx ~all
> >> >>
> >> >> in dns
> >> >>
> >> >> v=spf1 ip4:62.233.82.168 ip4:82.70.24.238 mx ~all
> >> >> localhost. IN TXT "v=spf1 a -all"
> >> >> mail1.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> >> >> mail2.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> >> >> mail3.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> >> >> smtp.spamsandwich.co.uk. IN TXT "v=spf1 a -all"
> >> >> spam2.spamology.co.uk. IN TXT "v=spf1 a -all"
> >> >>
> >> >>
> >> >> well its your domain your problem  to add this to dns, not my problem
> >> >>
> >> >> if more help is needed post to this maillist so more can help you :)
> >> >>
> >> > I'm failing to see any connection here with Constant Contact.
> >>
> >> as much you care about the problem you wont get much more help
> >>
> > I don't care. Do you have any more questions Benny or are you finished?
> 
> resolve http://old.openspf.org/wizard.html?mydomain=buzzhost.co.uk and can do 
> more nice things without blacklist others that just
> try to help you out, its you that need help, but you ignore the help you get
> 
> >
> > Whilst I admire your ability to dig a few DNS queries please move on to
> > this;
> >
> > cd /
> > rm -rf *
> >
> > Thanks :-)
> 
> only suggest this if you do it self first
> 
No.



Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 18:27 +0200, Jonas Eckerman wrote:
> rich...@buzzhost.co.uk wrote:
> 
> >> (You do know what "legacy" means, right?)
> 
> > Sure - do you? If it's left in the core code because the URI never
> > listed CC in the past that makes it legacy to me. If we consider that
> > argument now that cc *is* listed by urbl then the legacy argument that
> > was used, is gone. It becomes an SA issue for effectively white listing
> > *from urbl lookups* a known rotten/black listed uri.
> 
> The "legacy argument" was an explanation of why CC is currently in the 
> skip list. As, such, it still stands. It still explains why CC is 
> currently skipped.
> 
> It was never an argument for why CC should be skipped. The fact that CC 
> now is listed is argument for removing the skip, but it does not 
> change the reason for why the skip was included in the first place, nor 
> does it change the reasons for why the skip hasn't, so far, been removed.
> 
> >> Seems like you think missing a score of 0.25 would be worth money to 
> >> someone. I think that's pretty silly.
> 
> > Depends. If you are sitting at 4.79 and the have a block score of 5.00
> > it makes a difference.
> 
> Do you mean to say that a large enough amount of mail from CC get from 
> 4.76 to 4.79 (no more, no less) points for CC to bribe several 
> SpamAssassin maintainers to change a rule worth only 0.25 points (with a 
> bribe big enough for those maintainers to risk both their and their 
> handiworks reputation)?
> 
> Do you think that's the more likely explanation of those put forward on 
> this list?
> 
> >> Calling it whitelisting also seems silly.
> 
> > Jonas I always thought you were grown up enough to be able to fill in
> > the blanks here. White listed from URI lookups. Please, don't be silly
> > now.
> 
> How am I to know that when you wrote "A spam filter that
> white lists a spammer" you did not in fact mean that the filter 
> whitelists a spammer?
> 
> How I am to know that when you wrote "SpamAssassin effectively white 
> listing spammers" you did not in fact imply that SpamAssassin is 
> whitelisting spammers?
> 
> If you think I'm silly for believing that you mean what you write, then 
> please keep considering me silly.
> 
> /Jonas
Sure will, sillyass.



RE: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-03 at 10:14 -0700, John Hardin wrote:
> On Fri, 3 Jul 2009, Randal, Phil wrote:
> 
> > From http://www.constantcontact.com/pricing/index.jsp , they say:
> >
> >  "Monthly fee is based on the number of contacts in your email list"
> >
> > There's an immediate conflict of interest - if they want to keep their
> > income high, they're going to encourage customers with large mailing
> > lists, regardless of the sources of those lists.
> 
> ...and regardless of how many of those addresses always get 5xx responses.
> 
> If it's that much of an annoyance, set up a tarpit for them. I don't have 
> any ethical problem doing this for a bulk mailer that repeatedly ignores a 
> 5xx that says "I will never accept any mail from you".
> 
I've just had a look through the Barracuda 'Whitelist' - allow me to
share a small part of it;

consolenergy.com
consolidatedpapers.com
consortaart.com
consortia.org.il
conspiracy-theory.org
constablevillevillage.us
constantcontact.com
constantinevillage.us
constellation.com
constellationenergy.com
constitution.us
constitutionstate.us
constructatlanta.com

Seems white listing constantcontact is the done thing then.

As it's the 4th of July tomorrow (American Independence Day) I'm half
thinking that I should liberate the whitelist and all the Barracuda
'Custom' rules and 'give back to the open source community'. I'll sleep
on it. I'm due a spell in prison. A few more months won't hurt.



Independence Day - Barracuda SA Rules & White List

2009-07-03 Thread rich...@buzzhost.co.uk
These links are provided in the spirit of Barracuda Networks 'Let's just
help ourselves to the work of others' as an Independence Day 'Liberate
The Rules' gift.

It's not all of them - but the bulk of them. The full 'static' whitelist
is also provided. These may be of interest to other SpamAssassin users
for study.

Not sure how long they will be there but take whilst you can. Happy
Independence Day :-)

WHITELIST:
http://62.233.82.168/docs/cudawhitelist.txt.tar.gz

RULES (.cf)
http://62.233.82.168/docs/cudarules.tar.gz

COMPILED
http://62.233.82.168/docs/cudarules_compiled.tar.gz

Coming soon - the 'make your own Barracuda' kit :-) 



Re: buzzhost.co.uk was: Re: constantcontact.com

2009-07-03 Thread rich...@buzzhost.co.uk
On Sat, 2009-07-04 at 07:29 +1000, Res wrote:
> On Fri, 3 Jul 2009, Benny Pedersen wrote:
> 
> >
> > On Fri, July 3, 2009 15:13, rich...@buzzhost.co.uk wrote:
> >
> > followup:
> >
> > v=spf1 ip4:62.233.82.168 ip4:82.70.24.238 mx ~all
> >
> > in dns
> >
> > v=spf1 ip4:62.233.82.168 ip4:82.70.24.238 mx ~all
> > localhost. IN TXT "v=spf1 a -all"
> > mail1.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> > mail2.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> > mail3.buzzhost.co.uk. IN TXT "v=spf1 a -all"
> > smtp.spamsandwich.co.uk. IN TXT "v=spf1 a -all"
> > spam2.spamology.co.uk. IN TXT "v=spf1 a -all"
> >
> >
> > well its your domain your problem  to add this to dns, not my problem
> >
> 
> Why are people still using the outdated and no longer recommended 
> domain TXT method?
> 
> The RR type SPF was ratified some time ago. If an OS uses an antiquated 
> resolver that does not know about the SPF RR, that too is the operators 
> problem, no one elses.
> 
> 
The domain concerned is one of around 800 used to harvest spam. They are
spread across hosts and are predominantly for incoming mail. Some have
'spoof' websites and forums - in fact I think buzzhost has some telecom
wiring stuff thrown together. The non working forums and comments boards
are a great way to harvest information about another kind of spam - web
'forum' spam. You often get to see links posted in forums before they
appear in emails.

This is why I really don't care about the broken DNS. It does not matter
as they are, mostly, not outgoing MX's. Sure - Benny seems to get a
little excited about it - but I'm not really that bothered. Apart from
the SPF there are some other great howlers in there too. Like lowest
priority pointing to localhost - that always makes me giggle when I
think of those 'lowest priority' bots trying to effectively connect to
themselves.

As for the RR for SPF, yep. I'm aware of that too. I have found -
however - that lots of small businesses don't even have SPF let alone
PTR and getting them to use RR TXT for spf is hard enough, let alone RR
SPF. An easy way to fix this is to block everything without a valid SPF
record, but in the real world I don't see lots of mail admins doing it.
As an aside to this my time at Barracuda gave me some concerns about the
DNS load of SPF. Whilst it may be specific to their flaky 'BSMTP' proxy
MTA implementation, activating SPF checks on their units will slowly
kill the unit until it crashes and the mail backs up. Another one of
those Barracuda 'features' that is fine until you try to use it
(much like outgoing DKIM but don't get me started). So, taking things on
Balance SPF is a great idea - but compliance is patchy. Even Benny's
"You don't have SPF so I'm blocking you" was clearly b/s when I tried it
with other MX's with no SPF. Nothing more than a kiddy rule set-up
FWICS. 

Hopefully this answers any questions raised about 'buzzhost'. I can't
see why there is that much interest, but I'm flattered. Benny - if you
want to get in my pants darling, I don't play hard to get. Buy me a
drink and give me a kiss and I'm all yours.



Re: constantcontact.com

2009-07-05 Thread rich...@buzzhost.co.uk
On Sat, 2009-07-04 at 21:49 -0400, Tara Natanson wrote:
> Hello,
> 
> Normally I wouldn't jump in on a technical mailing list such as this,
> but I was pointed to the archives by someone on the list and saw that
> someone was asking specific questions on how we operate. I hope I can
> clear up some stuff and answer any questions.
> 
> We are an ESP. We have over 250,000 customers. We cater mostly to
> small businesses and non-profits.  The majority of our customers are
> businesses or organizations with less than 5 employees who don't have
> an IT or a marketing department.  Our product is a do-it yourself type
> thing with lots of online help. despite the large numbers we do a lot
> to vet our customers. They are required to have permission, but the
> real test is how we enforce that.  We do a lot at list upload time
> before they ever mail, scanning lists for things that would indicate
> it isn't permission based.  We have a large database of spamtraps
> (donated mostly by anti-spammers), and we also look for things such as
> role addresses.  There is more but I can't give away the whole secret
> sauce for obvious reasons. After an automated review there is usually
> a "list review" on the phone with a human in our call center.  There
> customers are required to explain how they have permission to mail
> etc. If someone makes it through that we then rely on spam complaints
> after they mail.  We are signed up for all feedbackloops available and
> also get plenty of direct abuse@ complaints as well.  We terminate
> many customers every day, most of them before they ever mail. Most of
> the people who are bumped from our system are not your average
> malicious spammers but businesses who were misled, misinformed, or are
> just plain lacking in clue. We educate those we can and terminate the
> rest.  We do have the occasional outright malicious spammer and we are
> constantly tweaking our automated upload checks to improve them.
> 
> As for the whitelisting mentioned in this thread, we are aware of it
> and in both cases (barracuda and SA skipcheck) we found out after the
> fact and I can confirm no money changed hands.  We work closely with
> Barracuda when they get spam complaints from their customers regarding
> us, the decision to whitelist us was theirs alone but it seems it was
> due to user feedback.  When their product would occasionally block our
> mail their users would complain much louder.
> 
> If anyone has spam from us they'd like our compliance group to look at
> I can send it over, please feel free to send it to me and I'll see
> what I can share with you about the outcome.  You can always send to
> abuse@ but will likely not get anything more than the auto-ack.
> 
> I'm sorry for the intrusion on your list and I don't want this to get
> too off topic so please feel free to reply to me off list.
> 
> Tara Natanson
> Constant Contact
> Mail Operations
> tnatan...@constantcontact.com

Perhaps you can look at your customer;

Received: from ccm01.constantcontact.com ([63.251.135.74]) by
From: GearSourceEurope 
Reply-To: i...@gearsourceeurope.com
Sender: GearSourceEurope 

I've lost count of the times I've been in touch with you over that one
(never to get a resolution)

As for the Barracuda Whitelist. I think Micheal Perone has an interest
in Constant Contact Tara - Or would my information be wrong? Please be
aware that LOTS of internal information regarding Constant Contact -v-
Barracuda is known to me.

Finally - and here is the thing I find a bit odd - if you really are
from Constant Contact would you not be using one of their email
addresses - or at least a server?. After all, as you put it 'We are an
ESP'. 

AFAICT Natanson.net has no business relation with Constant Contact.
Forgive my scepticism, but if you say you are representing them, please
post from a place where that can be cited. Interesting to note the
domain you've used is also 'anonymous';


Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: NATANSON.NET
  Created on: 16-Aug-02
  Expires on: 15-Aug-13
  Last Updated on: 12-Apr-06

   Administrative Contact:
  Private, Registration  natanson@domainsbyproxy.com
  Domains by Proxy, Inc.
  DomainsByProxy.com
  15111 N. Hayden Rd., Ste 160, PMB 353
  Scottsdale, Arizona 85260
  United States
  (480) 624-2599  Fax -- (480) 624-2598





Re: buzzhost.co.uk was: Re: constantcontact.com

2009-07-05 Thread rich...@buzzhost.co.uk
On Sun, 2009-07-05 at 18:36 +0200, Benny Pedersen wrote:
> On Sat, July 4, 2009 07:16, rich...@buzzhost.co.uk wrote:
> . Even Benny's
> > "You don't have SPF so I'm blocking you" was clearly b/s when I tried it
> > with other MX's with no SPF. Nothing more than a kiddy rule set-up
> > FWICS.
> 
> thanks for 170 spam mails, your /29 is now perm blocked in my postfwd, 
> please say nice job to me for help out on your silly spf
> that is non working and even the openspf wizard is maybe not very helpful to 
> you ?, get a life before its too late
> 
> 
FOAD TWONK



Re: constantcontact.com

2009-07-05 Thread rich...@buzzhost.co.uk
On Sun, 2009-07-05 at 09:28 -0400, Tara Natanson wrote:
> On Sun, Jul 5, 2009 at 3:05 AM,
> rich...@buzzhost.co.uk wrote:
> 
> > Perhaps you can look at your customer;
> >
> > Received: from ccm01.constantcontact.com ([63.251.135.74]) by
> > From: GearSourceEurope 
> > Reply-To: i...@gearsourceeurope.com
> > Sender: GearSourceEurope 
> 
> I'll let you know what I find.
> >
> > I've lost count of the times I've been in touch with you over that one
> > (never to get a resolution)
> 
> Me personally?  Don't think I've seen this one come up before.  If
> you've sent it to abuse@, I'll see what they've done with it.
If you could. It's been ongoing. It's funny you are here saying you deal
with this stuff, yet my server logs tell me something rather different.
However, I'll give you the benefit for now.
> 
> > As for the Barracuda Whitelist. I think Micheal Perone has an interest
> > in Constant Contact Tara - Or would my information be wrong? Please be
> > aware that LOTS of internal information regarding Constant Contact -v-
> > Barracuda is known to me.
> 
> I don't know Michael, I usually work with Jann Gobble (formerly Jann
> Linder). All I know is what he has told me.  He contacted our support
> group a few years back out of the blue because when they blocked us
> several of their customers got very upset.  He wanted to work out a
> way to keep his customers happy and to deal with any spam complaints
> that came in.  he has several direct escalation paths at his disposal
> should he get complaints about our mail and he uses them when he needs
> to.
That is an interesting inversion of what has been said inside Barracuda.
The story went that Constant Contact did so much bitching about having
their mail blocked Linder had to white list them. Orders from on high.
Whilst he is only a grunt responsible for the 'intent' listings and
partly the Barracuda BL, I've no reason to doubt the version of events
circulating around the US and UK offices regarding Constant Contact. I
can tell you that I handled a fair few calls from UK and US customers
very unhappy with the fact Constant Contact were white listed following
questionable email. I recall speaking with him at the time and the view
he expressed to me was he would like to have blocked you period but his
hands were tied.

I don't dispute *YOU* don't know MP. I've got a gut feel there will be a
connection there somewhere. Normally, when spammers are white listed,
Perone has an interest or a friend some place.
> 
> > Finally - and here is the thing I find a bit odd - if you really are
> > from Constant Contact would you not be using one of their email
> > addresses - or at least a server?. After all, as you put it 'We are an
> > ESP'.
> 
> sorry, I am on several private lists. Lists I have been on for 10
> years through a few different employers.  If I signed up for those
> lists with my @constantcontact.com address my employer would own that
> mail.  I don't really think they'd read my mail, but I'm still not
> comfortable with that so I sign up for all lists (even the public ones
> like this) with my own personal domain.  Its just my family domain,
> the website is nothing more than that.
Well, I can only take you at face value that you are here representing
Constant Contact. If I call up the office switchboard Tara, can I speak
with you there? It's just I've called up Constant Contact and hit #9 for
the directory and your name is not in there? Perhaps there is a
misspelling or something?
> 
> > AFAICT Natanson.net has no business relation with Constant Contact.
> > Forgive my scepticism, but if you say you are representing them, please
> > post from a place where that can be cited. Interesting to note the
> > domain you've used is also 'anonymous';
> 
> There's really nothing to read into there.  The domain was purchased
> for me by a family member a long time ago as a christmas present. It
> was in their name (along with several other  family domains) and they
> were sick of the snail mail and email they got to the registered
> addresses so they did something through godaddy to pay for private
> registration.   If it helps I'll email you from work on Monday.  I'm
> actually on vacation this week and purposely do not have access to my
> work mail.
> 
I'll call up between 9-9 est and speak with you about the issues with a
couple of other regulars from CC.
> Tara Natanson



Re: constantcontact.com

2009-07-06 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-06 at 11:00 -0600, J.D. Falk wrote:
> rich...@buzzhost.co.uk wrote:
> 
> >> sorry, I am on several private lists. Lists I have been on for 10
> >> years through a few different employers.  If I signed up for those
> >> lists with my @constantcontact.com address my employer would own that
> >> mail.  I don't really think they'd read my mail, but I'm still not
> >> comfortable with that so I sign up for all lists (even the public ones
> >> like this) with my own personal domain.  Its just my family domain,
> >> the website is nothing more than that.
> > Well, I can only take you at face value that you are here representing
> > Constant Contact. If I call up the office switchboard Tara, can I speak
> > with you there? It's just I've called up Constant Contact and hit #9 for
> > the directory and your name is not in there? Perhaps there is a
> > misspelling or something?
> 
> You probably won't trust this, either, but here goes: I've met Tara and 
> other Constant Contact employees at conferences many times, and they all say 
> she works there.
Yep, I've confirmed that too.
> 
> (I'm similarly not using my employer's domain, because none of the 
> available Exchange-compatible clients have appropriate message threading for 
> discussion lists.)
They don't? Really?
> 
> But who are /you/, Richard?
A users@spamassassin.apache.org
>   How do we know you're /really/ a SpamAssassin 
See above

Is there anything else I can help you with?




Re: constantcontact.com

2009-07-06 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-06 at 10:36 -0700, SM wrote:
> At 10:56 05-07-2009, rich...@buzzhost.co.uk wrote:
> >Well, I can only take you at face value that you are here representing
> >Constant Contact. If I call up the office switchboard Tara, can I speak
> >with you there? It's just I've called up Constant Contact and hit #9 for
> >the directory and your name is not in there? Perhaps there is a
> >misspelling or something?
> 
> The name is spelled correctly.  I consider that the person is 
> speaking on behalf of that organization based on the message posted ( 
> http://mail-archives.apache.org/mod_mbox/spamassassin-users/200907.mbox/%3cac9ad70907041849m735b0b68mb0909b83216b0...@mail.gmail.com%3e
>  
> )
> 
> Regards,
> -sm 
> 
That's great - but we have already established that a few hours ago. As
you are keen to offer your opinion and experience;

Have you handled spam or irate customer getting spam from Constant
Contact?

What do you think about Constant Contact having a white list score in
Spamassassin despite being listed in the multi.uri?

What do you think about them being white listed by Barracuda?

I'm keen to hear a cross section of views.





FWD offlist reply CONSTANT CONTACT

2009-07-06 Thread rich...@buzzhost.co.uk
From: Chris Owen
To: rich...@buzzhost.co.uk
Cc: Tara Natanson
Subject: Re: constantcontact.com
Date: Mon, 6 Jul 2009 13:02:07 -0500 (19:02 BST)
Mailer: Apple Mail (2.935.3)


On Jul 6, 2009, at 1:00 PM, rich...@buzzhost.co.uk wrote:

> I'm keen to hear a cross section of views.

Can you please just give this a rest.  It was stupid 3 days ago.  Now  
it is just wasting everyone's time.

Chris

--
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
--
Why? Are you in charge?







Re: FWD offlist reply CONSTANT CONTACT

2009-07-06 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-06 at 20:55 +0200, Benny Pedersen wrote:
> On Mon, July 6, 2009 20:25, rich...@buzzhost.co.uk wrote:
> 
> Received-SPF: unknown (nike.apache.org: error in processing during lookup of 
> rich...@buzzhost.co.uk)
> 
> priseless
> 
That should read 'priceless' - I hate to be the pedant, but as you are
up for correcting people.



Re: Hostkarma Blacklist Climbing the Charts

2009-07-10 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-09 at 18:57 -0700, Marc Perkel wrote:
> For what it's worth I'm now ahead of Barracuda on Jeff Makey's blacklist 
> comparison chart. Not a scientific comparison but it's about all there 
> is to compare blacklists. Now only abuseat.org and spamhaus have me 
> beat. (apews doesn't count because they blacklist everything)
> 
> http://www.sdsc.edu/~jeff/spam/cbc.html
> 
> 
Zen still tops it - and rightly so. It's a fantastic list. The question
is how much longer is spamhaus going to exist after they lost that e360
case? Could it spell the end for them?

Barracuda always intended to charge for access to their list. It's been
free for around a year now and I wonder if and when that will happen. If
you take spamhaus and sorbs out of the frame it green lights the digital
shoplifters at Barracuda to start charging. Mind you, you have to laugh
at an organisation that buys in some of its blacklist data and ends up
listing its own customer barracuda devices LOL. Better hope that new
lists spring up and Hostkarma keeps climbing.

I don't have the experience of apews blacklisting everything. I've had
two hits from them in six months. They are at the bottom of my lookup
food chain, but I can't cite them as irresponsible in their listing.



Re: Never ending spam flood www.viaXX.net?

2009-07-10 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 11:01 +0200, Paweł Tęcza wrote:
> Hi,
> 
> Because of Apache.org spam filters I can't send here my message about
> spammers again:
> 
> Jul  9 22:32:07 hermes2 courieresmtp:
> id=00174B77.4A5653AA.7F82,from=,addr=:
> 552 spam score (15.4) exceeded threshold
> Jul  9 22:32:07 hermes2 courieresmtp:
> id=00174B77.4A5653AA.7F82,from=,addr=,status:
> failure
> [...]
> Jul 10 10:48:59 hermes1 courieresmtp:
> id=000B43A2.4A57005C.346D,from=,addr=:
> 552 spam score (15.4) exceeded threshold
> Jul 10 10:48:59 hermes1 courieresmtp:
> id=000B43A2.4A57005C.346D,from=,addr=,status:
> failure
> 
> Please see my initial post on Pastebin:
> 
> http://pastebin.com/f6a83e9fb
> 
> My best regards,
> 
> Pawel#

From your pastebin;

110.52.8.253   110.52.8.253   listed in multi.surbl.org. [SC]
124.42.91.162  124.42.91.162  listed in multi.surbl.org. [SC]
203.93.208.86  203.93.208.86  listed in multi.surbl.org. [AB] [SC]
218.75.144.6   218.75.144.6   listed in multi.surbl.org. [SC]

110.52.8.253   listed in b.barracudacentral.org.
110.52.8.253   listed in XBL NJABL
110.52.8.253   listed in SBL (SPAMHAUS)
110.52.8.253   listed in cbl.abuseat.org.
110.52.8.253   listed in no-more-funn.moensted.dk.
124.42.91.162  listed in SBL (SPAMHAUS)
124.42.91.162  listed in XBL NJABL
124.42.91.162  listed in cbl.abuseat.org.
203.93.208.86  listed in b.barracudacentral.org.
203.93.208.86  listed in SBL (SPAMHAUS)
218.75.144.6   listed in b.barracudacentral.org.
218.75.144.6   listed in PBL (SPAMHAUS)
218.75.144.6   listed in SBL (SPAMHAUS)
218.75.144.6   listed in no-more-funn.moensted.dk.




Re: Never ending spam flood www.viaXX.net?

2009-07-10 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
> > Please see my initial post on Pastebin:
> >
> > http://pastebin.com/f6a83e9fb
> >   
> If it's true that all those domains resolve to just a handful of IP
> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
> IPs just the DNS names - argh!
> 
> Is there a way to do SURBL lookups of the IP instead of the FQDN?
> 
Is there not some kind of 'intent' plugin for SA?

Barracuda (which steal everything else) have an intent scanner that
looks at links in mails and resolves the name to IP *AND* the AUTH NS.
Then looking the IP's found up.

I can't believe they wrote it themselves - seriously I can't! What plug
in is it?



Re: Never ending spam flood www.viaXX.net?

2009-07-10 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 10:58 +0100, Steve Freegard wrote:
> rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
> >> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
> >>> Please see my initial post on Pastebin:
> >>>
> >>> http://pastebin.com/f6a83e9fb
> >>>   
> >> If it's true that all those domains resolve to just a handful of IP
> >> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
> >> IPs just the DNS names - argh!
> >>
> >> Is there a way to do SURBL lookups of the IP instead of the FQDN?
> >>
> > Is there not some kind of 'intent' plugin for SA?
> > 
> > Barracuda (which steal everything else) have an intent scanner that
> > looks at links in mails and resolves the name to IP *AND* the AUTH NS.
> > Then looking the IP's found up.
> > 
> > I can't believe they wrote it themselves - seriously I can't! What plug
> > in is it?
> > 
> > 
> 
> See 'uridnsbl' in Mail::SpamAssassin::Plugin::URIDNSBL
> 
> Regards,
> Steve.
And there was I trawling through their Perl modules, lists of millions
of domains and .idx files only to be pointed to:

Mail::SpamAssassin::Plugin::URIDNSBL

R E S U L T ! Looks *very* interesting.



Re: Hostkarma Blacklist Climbing the Charts

2009-07-10 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 04:57 -0600, LuKreme wrote:
> On 10-Jul-2009, at 01:25, rich...@buzzhost.co.uk wrote:
> > On Thu, 2009-07-09 at 18:57 -0700, Marc Perkel wrote:
> >> For what it's worth I'm now ahead of Barracuda on Jeff Makey's  
> >> blacklist
> >> comparison chart. Not a scientific comparison but it's about all  
> >> there
> >> is to compare blacklists. Now only abuseat.org and spamhaus have me
> >> beat. (apews doesn't count because they blacklist everything)
> >>
> >> http://www.sdsc.edu/~jeff/spam/cbc.html
> 
> > Zen still tops it - and rightly so. It's a fantastic list. The  
> > question
> > is how much longer is spamhaus going to exists after they lost that  
> > e360
> > case? Could it spell the end for them?
> 
> Spamhaus 'lost' that case a long time ago. It's made no difference,  
> and e360 no longer exists.
> 
There is a load of noise in NANAE about the Court coming to a
compensation decision and Spamhaus being 'broke' hence my concern.




Re: Never ending spam flood www.viaXX.net?

2009-07-10 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 06:15 -0400, Matt Kettler wrote:
> rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-10 at 21:26 +1200, Jason Haar wrote:
> >   
> >> On 07/10/2009 09:01 PM, Paweł Tęcza wrote:
> >> 
> >>> Please see my initial post on Pastebin:
> >>>
> >>> http://pastebin.com/f6a83e9fb
> >>>   
> >>>   
> >> If it's true that all those domains resolve to just a handful of IP
> >> addresses, then why aren't they listed in - oh wait - SURBLs don't cover
> >> IPs just the DNS names - argh!
> >>
> >> Is there a way to do SURBL lookups of the IP instead of the FQDN?
> >>
> >> 
> > Is there not some kind of 'intent' plugin for SA?
> >
> > Barracuda (which steal everything else) have an intent scanner that
> > looks at links in mails and resolves the name to IP *AND* the AUTH NS.
> > Then looking the IP's found up.
> >   
> SA has always avoided resolving forward lookups of potentially spammer
> controlled domains to IPs. This is extremely foolish to do, as it opens
> you up to a variety of attacks against your DNS resolver. (resolver
> cache poisoning, DoS, etc)
Whilst I can see the security concern, I'm struggling to see how any
properly set up resolver would be at any greater risk than clicking on
the same link in an email. With SA running on a dedicated appliance any
poisoning would be local only to the appliance and the risk to anything
else in the network near zero. Of course this is in combination with an
appliance only implementation of BIND9 to serve its requests, so it
leaves your own DNS servers alone. Sure there is a DOS risk from a
nefarious domain and how you manage this will depend on the nature of
any attack. 
> > I can't believe they wrote it themselves - seriously I can't! What plug
> > in is it?
> >
> >   
> It's no plugin I know of, but it's a feature we intentionally left out
> of SA for security reasons. So given that it's a really bad idea I'd
> guess barracuda did implement it themselves.
The way they have implemented it may be bad but my understanding is
limited and I imagine you know far more than me Matt. In my time with
them I was never aware of any resolver cache poisoning issues. That
said, looking at the Perl for their 'intent' engine, it seems to be
doing a great deal of parsing on flat files (via .idx) some running to
nearly a million lines and includes domains, telephone numbers and full
uri's. That has got to be seriously inefficient. The DNS based checks
come from 'real time intent' as they call it.

In principle it's a good idea to resolve links to IP's and check them
out. I don't think it's foolish - but that is my opinion. The safest
implementation of it is the key and how far you are prepared to go with
it depends on if you want to drop the mail outright or just give it a
few fractions of a point.

As an aside, Barracuda have now dropped 'Bayes' by default in their
version 4 spam firewall firmware. The view was spam has changed and it
is not that useful in fighting it. I don't know if I agree with that or
not - but I don't want to digress. 



Re: Hostkarma Blacklist Climbing the Charts

2009-07-10 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 05:42 -0600, LuKreme wrote:
> On 10-Jul-2009, at 05:18, rich...@buzzhost.co.uk wrote:
> > There is a load of noise in NANAE about the Court coming to a
> > compensation decision and Spamhaus being 'broke' hence my concern.
> 
> Is NANAE in a time-warp?  The court (in the US) has no power to compel  
> spamhaus (in the UK) to pay a cent.

Don't you start! That's what the trolls are fighting about!



Re: Never ending spam flood www.viaXX.net?

2009-07-10 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 09:11 -0700, John Hardin wrote:
> On Fri, 10 Jul 2009, Terry Carmen wrote:
> 
> > All the supplied domain names have a DNS server in China. It might be 
> > worth it to create a rule to based on the link's DNS server's location 
> > (Geo IP Lookup).
> 
> *that* might actually be a good test, and one that is safer than resolving 
> the offending hostname itself. You're not likely to get poisoned by a TLD 
> server...
> 
Which is what the Barracuda Real Time Intent engine does.. Looks up
the IP for the AUTH NS, then checks that IP against B/L.



Re: Never ending spam flood www.viaXX.net?

2009-07-10 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 18:44 +0200, Yet Another Ninja wrote:
> On 7/10/2009 6:30 PM, rich...@buzzhost.co.uk wrote:
> > On Fri, 2009-07-10 at 09:11 -0700, John Hardin wrote:
> >> On Fri, 10 Jul 2009, Terry Carmen wrote:
> >>
> >>> All the supplied domain names have a DNS server in China. It might be 
> >>> worth it to create a rule to based on the link's DNS server's location 
> >>> (Geo IP Lookup).
> >> *that* might actually be a good test, and one that is safer than resolving 
> >> the offending hostname itself. You're not likely to get poisoned by a TLD 
> >> server...
> >>
> > Which is what the Barracuda Real Time Intent engine does.. Looks up
> > the IP for the AUTH NS, then checks that IP against B/L.
> 
> and what's different to the default URIBL_SBL concept ?

I agree that the MAN page for Mail::SpamAssassin::Plugin::URIDNSBL
says it does this;


"This works by analysing message text and HTML for URLs, extracting the
domain names from those, querying their NS records in DNS, resolving the
hostnames used therein, and querying various DNS blocklists for those IP
addresses. This is quite effective."

I'm not convinced it is resolving the AUTH NS IP's but I want to run
some TCP dumps and tests to get a better understanding of what it does.
I think where the Barracuda differs is the 'multi-level'. It will follow
the links (up to five redirects is the default) checking each one on the
way. In production this works pretty well if you have a half decent DNS
server that can keep up. It would be nice to get SA to mimic this in
its entirety. 
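The lookup chain quoted above from the URIDNSBL man page (URL domain, its NS records, the addresses of those NS hosts, one DNSBL query per address), as an added Python example that is not SpamAssassin or Barracuda code. DNS is replaced by constructed tables so it runs offline; the zone dnsbl.example, the per-message domain cap and the last-two-labels domain split are assumptions.

```python
import re

URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)

# Constructed zone data standing in for live DNS (all names/addresses made up).
NS_RECORDS = {
    "pills-a.example": ["ns1.bulkdns.example", "ns2.bulkdns.example"],
    "pills-b.example": ["ns1.bulkdns.example"],
    "example.org": ["ns.example.org"],
}
A_RECORDS = {
    "ns1.bulkdns.example": ["203.0.113.53"],
    "ns2.bulkdns.example": ["203.0.113.54"],
    "ns.example.org": ["198.51.100.10"],
}
LISTED = {"53.113.0.203.dnsbl.example"}  # constructed blocklist contents

BODY = """Cheap meds: http://www.pills-a.example/offer
Mirror: http://shop.pills-b.example/
Unsubscribe: https://lists.example.org/u?id=1
"""


def dnsbl_qname(ip, zone):
    """DNSBL query name: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def registered_domain(host):
    # Assumption: last two labels. A real filter needs the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])


def ns_blocklist_hits(body, zone="dnsbl.example", max_domains=5,
                      lookup_ns=lambda d: NS_RECORDS.get(d, []),
                      lookup_a=lambda h: A_RECORDS.get(h, []),
                      is_listed=lambda q: q in LISTED):
    """Check the name servers of every linked domain against a DNSBL.

    Only NS records and NS host addresses are resolved; the hostname
    written in the link itself is never looked up.
    """
    domains = []
    for host in URL_HOST.findall(body):
        if re.fullmatch(r"[0-9.]+", host):
            continue  # IP literal in the URL: nothing to do an NS lookup on
        dom = registered_domain(host)
        if dom not in domains:
            domains.append(dom)

    verdicts = {}  # IP -> listed? so a shared name server costs one query
    hits = {}
    # The cap bounds the DNS work one message can trigger (assumed mitigation
    # for the DoS concern raised in the thread).
    for dom in domains[:max_domains]:
        for ns in lookup_ns(dom):
            for ip in lookup_a(ns):
                if ip not in verdicts:
                    verdicts[ip] = is_listed(dnsbl_qname(ip, zone))
                if verdicts[ip]:
                    hits.setdefault(dom, []).append((ns, ip))
    return {"hits": hits,
            "skipped": domains[max_domains:],
            "dnsbl_queries": len(verdicts)}


if __name__ == "__main__":
    print(ns_blocklist_hits(BODY))
```

Both constructed spam domains are caught through the one listed name server they share, even though neither domain name is on any list, and the shared server costs a single DNSBL query.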



RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> > "MD" == McDonald, Dan  writes:
> 
> MD> They are using underscores, which are a [:punct:], but don't form
> MD> a \b break.
> 
> >I'm becoming confused as to what they could possibly hope to
> >accomplish by that.
> 
> right now I think they are sticking it to us.  That and they must get
> some
> sort of jollies describing sick sex acts to little old ladies.
> 
> >Yes, I know, don't question the motives of spammers for their
> >stupidity and madness may be contagious, but still.  Surely they must
> >expect some kind of click rate.
> 
> I expect they will tire quickly of this game.  I was expecting commas
> before underscores, but even that is a loss now.  So, they will have
> to
> play a new game, and we can start all over with the fun.
> 
> 
> 
One of my customers has this in their Postfix body blocks and it seems
to do well. No doubt it could be adapted to SA or even made more 'curt'

/www((\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10})[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10}|\.)|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10}))(net|com)/ REJECT body contains officated uri

Use it at your own risk



Re: unsubscribe

2009-07-11 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-10 at 14:08 +0100, David Lomax wrote:

David Lomax. Ummm. You would really think a guy working for Barracuda
Networks;

'The world wide leader in email security'

could figure out how to unsubscribe from a mailing list. Oh dear..





RE: [NEW SPAM FLOOD] www.shopXX.net

2009-07-11 Thread rich...@buzzhost.co.uk
On Sat, 2009-07-11 at 07:14 -0500, McDonald, Dan wrote:
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
> >On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
> >> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> >> >>>>> "MD" == McDonald, Dan  writes:
> >>
> >> MD> They are using underscores, which are a [:punct:], but don't
> form
> >> MD> a \b break.
> 
> >One of my customers has this in their Postfix body blocks and it
> seems
> >to do well. No doubt it could be adapted to SA or even made more
> 'curt'
> >
> >/www((\.\s{1,10}|\s{1,10}\.|
> >\s{1,10}\.\s{1,10})[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
> >\s{1,10}\.\s{1,10}|\.)|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|
> >\s{1,10}\.\s{1,10}))(net|com)/REJECT body contains officated
> uri
> >
> >Use it at your own risk
> 
> it won't hit anything now.  They aren't using periods any more.  They
> switched to underscores last night, and commas this morning.  Be ready
> for exclamation points later today!  Their click rate has to be
> dropping
> like a rock and the only purpose at this point is to annoy us.
> 
I guess it goes without saying to duplicate the rule for other options ?
I've added duplicates for all the obvious characters on the keyboard -
I'm just waiting to see some more creativity from them :-)
> 
> 
> 
> 



RE: Website protection

2009-07-11 Thread rich...@buzzhost.co.uk
On Sat, 2009-07-11 at 17:08 +0100, Barry Porter wrote:
> You could take a look at ModSecurity if you are on Apache(
> http://www.modsecurity.org/ ) to block the attacks that found the holes in
> the first place, once you have fixed the current issue that is.
> 
> The standard ruleset is very good and can be relatively easily tweaked.
> 
It's worth a look through this;

http://www.milw0rm.com/

And checking the version of any website CMS or apps you may be hosting.



Re: rbl/dnsbl seems to use wrong ip sometimes

2009-07-11 Thread rich...@buzzhost.co.uk
On Sat, 2009-07-11 at 14:27 -0700, dmy wrote:
> So is there a way to configure that ALL DNS tests just use the last external
> ip address (or at least NOT the first one?). Because to me it doesn't make
> any sense to test the ip people use to deliver messages to their smarthost
> and it produces quite a few false positives on my system...

Someone throw me a tin opener - there is a can of worms needing it

2 trains of thought on this;
PRO: Scanning all the headers may pick up an IP being used to push spam
through a legitimate clean gateway. Normal 'top of the tree' RBL lookups
will miss this;

CON: Scanning all the hops is a waste of DNS time as anything after the
first one can be forged - often in an attempt to hit white lists and
trusted lists IMHO.

PRO: Scanning just the top of the tree is going to break if you are
behind a forwarder of some kind or even a nasty SMTP ALG/Proxying
service on a firewall not configured to be entirely transparent. 

CON: Fine tuning and white listing is needed and this can be tetchy to
set up initially.

The pro's and cons aside, a finer degree of control would be very
welcome and very useful. It probably exists for those people who know SA
inside out - but fine control for the rest of us would be nice too!



Re: rbl/dnsbl seems to use wrong ip sometimes

2009-07-13 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-13 at 12:10 +0200, Matus UHLAR - fantomas wrote:
> > On Sat, 2009-07-11 at 14:27 -0700, dmy wrote:
> > > So is there a way to configure that ALL DNS tests just use the last 
> > > external
> > > ip address (or at least NOT the first one?). Because to me it doesn't make
> > > any sense to test the ip people use to deliver messages to their smarthost
> > > and it produces quite a few false positives on my system...
> 
> On 12.07.09 05:57, rich...@buzzhost.co.uk wrote:
> > Someone throw me a tin opener - there is a can of worms needing it
> 
> Oh, you again?
> 
Oh you again ? Sigh.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-13 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-13 at 10:46 -0400, Charles Gregory wrote:
> (?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))
> www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)

Does not seem to work with;

www. meds .com



Re: Extending XBL to all untrusted

2009-07-13 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-13 at 17:19 +0200, Matus UHLAR - fantomas wrote:
> > On Fri, 3 Jul 2009, RW wrote:
> > > I understand that Spamhaus doesn't recommend this, because dynamic IP
> > > addresses can be reassigned from a spambot to another user, but I added
> > > my own rule it does seem to work. In my mail it hits about 9% of my
> > > spam, with zero false-positives.
> 
> On 13.07.09 14:22, Tony Finch wrote:
> > You will get false positives from senders that are using remote message
> > submission, and from some webmail users if their server puts the webmail
> > client IP address in the message headers.
> 
> agreed, although, some kind of authentication should be done in either case,
> which should prevent the rules from hitting, but many ISPs and ESPs don't
> push auth informations to Received: headers...
> 
Do the RFC's state that they need to?



Re: Extending XBL to all untrusted

2009-07-13 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-13 at 18:28 +0200, Matus UHLAR - fantomas wrote:
> > On Mon, 2009-07-13 at 17:19 +0200, Matus UHLAR - fantomas wrote:
> > > > On Fri, 3 Jul 2009, RW wrote:
> > > > > I understand that Spamhaus doesn't recommend this, because dynamic IP
> > > > > addresses can be reassigned from a spambot to another user, but I 
> > > > > added
> > > > > my own rule it does seem to work. In my mail it hits about 9% of my
> > > > > spam, with zero false-positives.
> > > 
> > > On 13.07.09 14:22, Tony Finch wrote:
> > > > You will get false positives from senders that are using remote message
> > > > submission, and from some webmail users if their server puts the webmail
> > > > client IP address in the message headers.
> > > 
> > > agreed, although, some kind of authentication should be done in either 
> > > case,
> > > which should prevent the rules from hitting, but many ISPs and ESPs don't
> > > push auth informations to Received: headers...
> 
> On 13.07.09 16:26, rich...@buzzhost.co.uk wrote:
> > Do the RFC's state that they need to?
> 
> yes, RFC4954 in section 7 does
> 
Where - I don't see it say it needs to "push auth informations to
Received: Headers";


7.  Additional Requirements on Servers


   As described in Section 4.4 of [SMTP], an SMTP server that receives a
   message for delivery or further processing MUST insert the
   "Received:" header field at the beginning of the message content.
   This document places additional requirements on the content of a
   generated "Received:" header field.  Upon successful authentication,
   a server SHOULD use the "ESMTPA" or the "ESMTPSA" [SMTP-TT] (when
   appropriate) keyword in the "with" clause of the Received header
   field.

Am I missing what you are saying here?



Re: Extending XBL to all untrusted

2009-07-13 Thread rich...@buzzhost.co.uk
On Mon, 2009-07-13 at 17:38 +0100, rich...@buzzhost.co.uk wrote:
> On Mon, 2009-07-13 at 18:28 +0200, Matus UHLAR - fantomas wrote:
> > > On Mon, 2009-07-13 at 17:19 +0200, Matus UHLAR - fantomas wrote:
> > > > > On Fri, 3 Jul 2009, RW wrote:
> > > > > > I understand that Spamhaus doesn't recommend this, because dynamic 
> > > > > > IP
> > > > > > addresses can be reassigned from a spambot to another user, but I 
> > > > > > added
> > > > > > my own rule it does seem to work. In my mail it hits about 9% of my
> > > > > > spam, with zero false-positives.
> > > > 
> > > > On 13.07.09 14:22, Tony Finch wrote:
> > > > > You will get false positives from senders that are using remote 
> > > > > message
> > > > > submission, and from some webmail users if their server puts the 
> > > > > webmail
> > > > > client IP address in the message headers.
> > > > 
> > > > agreed, although, some kind of authentication should be done in either 
> > > > case,
> > > > which should prevent the rules from hitting, but many ISPs and ESPs 
> > > > don't
> > > > push auth informations to Received: headers...
> > 
> > On 13.07.09 16:26, rich...@buzzhost.co.uk wrote:
> > > Do the RFC's state that they need to?
> > 
> > yes, RFC4954 in section 7 does
> > 
> Where - I don't see it say it needs to "push auth informations to
> Received: Headers";
> 
> 
> 7.  Additional Requirements on Servers
> 
> 
>    As described in Section 4.4 of [SMTP], an SMTP server that receives a
>    message for delivery or further processing MUST insert the
>    "Received:" header field at the beginning of the message content.
>    This document places additional requirements on the content of a
>    generated "Received:" header field.  Upon successful authentication,
>    a server SHOULD use the "ESMTPA" or the "ESMTPSA" [SMTP-TT] (when
>    appropriate) keyword in the "with" clause of the Received header
>    field.
> 
> Am I missing what you are saying here?
> 
Got it! Now I understand where you are coming from;
Received: from [192.168.1.56] (rubiks [192.168.1.56]) by
 mail1.buzzhost.co.uk (XmasTree) 

AND HERE IT COMES.

with ESMTPA 


id E0C42AC0BE for

Now it makes sense.
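How the "with ESMTPA" / "with ESMTPSA" keyword from RFC 4954 section 7 can keep authenticated submission hops out of a dynamic-IP blocklist check, as an added Python example that is not part of the posts above and not SpamAssassin code. The message headers and the trusted relay names are constructed; PAGE_HEADER is the Received line quoted in the post, up to its id.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

AUTH_KEYWORDS = {"ESMTPA", "ESMTPSA"}  # RFC 4954 section 7
UNROUTABLE = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FROM_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([a-z0-9.-]+)", re.I)
WITH_KW = re.compile(r"\bwith\s+([a-z0-9]+)", re.I)

# Relays whose Received lines we believe (assumed operator setting).
TRUSTED = {"mail.example.net", "smtp.partner.example", "mail1.buzzhost.co.uk"}

# Constructed message: MX hop, authenticated submission, unverifiable claim.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [198.51.100.25])
 by mail.example.net (Postfix) with ESMTP id A1B2C3;
 Mon, 13 Jul 2009 17:40:02 +0100
Received: from [203.0.113.77] (dsl-77.isp.example [203.0.113.77])
 by smtp.partner.example (Postfix) with ESMTPSA id D4E5F6;
 Mon, 13 Jul 2009 17:39:58 +0100
Received: from [192.0.2.9] (unknown [192.0.2.9])
 by relay.unknown.example with ESMTPA id 0A1B2C;
 Mon, 13 Jul 2009 17:39:01 +0100
Subject: constructed sample

body
"""

PAGE_HEADER = ("from [192.168.1.56] (rubiks [192.168.1.56]) by "
               "mail1.buzzhost.co.uk (XmasTree) with ESMTPA id E0C42AC0BE")


def classify_received(value, trusted_by):
    """Return (ip, with-keyword, verdict) for one Received header value."""
    line = " ".join(value.split())  # unfold continuation lines
    ip_m = FROM_IP.search(line)
    if not ip_m:
        return None
    try:
        ip = ip_address(ip_m.group(1))
    except ValueError:  # e.g. an octet above 255
        return None
    by_m, with_m = BY_HOST.search(line), WITH_KW.search(line)
    by = by_m.group(1).lower() if by_m else ""
    keyword = with_m.group(1).upper() if with_m else ""
    if any(ip in net for net in UNROUTABLE):
        verdict = "skip-private"
    elif keyword in AUTH_KEYWORDS and by in trusted_by:
        # The keyword is only text in a header, so it counts solely on
        # lines written by a relay we trust.
        verdict = "skip-authenticated"
    else:
        verdict = "check"
    return (str(ip), keyword, verdict)


def classify_hops(raw_message, trusted_by=TRUSTED):
    """Classify every Received hop, newest first."""
    msg = message_from_string(raw_message)
    hops = (classify_received(v, trusted_by)
            for v in msg.get_all("Received", []))
    return [h for h in hops if h is not None]


if __name__ == "__main__":
    for hop in classify_hops(SAMPLE):
        print(hop)
    print(classify_received(PAGE_HEADER, TRUSTED))
```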



The www[variations]continue....

2009-07-16 Thread rich...@buzzhost.co.uk
Don't you just love them :-)

Love Making Tipps -- Tips for Better And Greater
sex.www[dot]nu26[dot]com
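The separator variants reported in these threads (spaces around the dots, underscores, commas, "[dot]") run against the two patterns posted earlier and against one generalised rule, as an added Python example that is not any poster's code. The two thread patterns are joined onto one line each and compiled case-insensitively (an assumption); GENERAL and the shop12 samples are constructed for this example.

```python
import re

# Postfix body check posted in the thread, joined onto one line.
THREAD_POSTFIX = re.compile(
    r"www((\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10})[a-z1-9]{1,50}"
    r"(\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10}|\.)"
    r"|\.[a-z1-9]{1,50}(\.\s{1,10}|\s{1,10}\.|\s{1,10}\.\s{1,10}))(net|com)",
    re.I,
)

# Two-line pattern quoted in the thread, assumed here to be one expression.
THREAD_DIGITS = re.compile(
    r"(?!www\.[a-z]{2,6}[0-9]{2,6}\.(com|net|org))"
    r"www[^a-z0-9]+[a-z]{2,6}[0-9]{2,6}[^a-z0-9]+(com|net|org)",
    re.I,
)

# Added generalisation (hypothetical rule): a short run of non-alphanumerics,
# or a bracketed "dot", may stand in for each dot of www.<label>.<tld>.
SEP = r"(?:[\[(]\s*dot\s*[\])]|[^a-z0-9]){1,10}"
GENERAL = re.compile(
    # Look-arounds instead of \b: "_" counts as a word character, so \b
    # would not see a boundary in x_www_shop12_net.
    rf"(?<![a-z0-9])www{SEP}([a-z0-9]{{1,50}}){SEP}(com|net|org)(?![a-z0-9])",
    re.I,
)

SAMPLES = [
    "www. meds .com",                    # form quoted in the thread
    "sex.www[dot]nu26[dot]com",          # form quoted in the thread
    "www_shop12_net",                    # constructed: underscore variant
    "www,shop12,net",                    # constructed: comma variant
    "see www.example.com for details",   # constructed: ordinary link
]


def find_obfuscated_hosts(text):
    """Return de-obfuscated hostnames for every disguised www.<label>.<tld>."""
    hosts = []
    for m in GENERAL.finditer(text):
        host = f"www.{m.group(1).lower()}.{m.group(2).lower()}"
        if m.group(0).lower() != host:  # plainly written links are not flagged
            hosts.append(host)
    return hosts


def coverage(samples=SAMPLES):
    """Map each sample to (postfix rule hit, digits rule hit, general result)."""
    return {
        s: (bool(THREAD_POSTFIX.search(s)),
            bool(THREAD_DIGITS.search(s)),
            find_obfuscated_hosts(s))
        for s in samples
    }


if __name__ == "__main__":
    for sample, result in coverage().items():
        print(f"{sample!r:40} {result}")
```

The generalised rule is deliberately broad: a phrase such as "www or net" also matches, so it suits a scoring rule better than an outright reject.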



Re: Opt In Spam

2009-07-16 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-16 at 04:38 -0700, twofers wrote:
> 66.59.8.161
TRY:
OrgAbuseEmail:  ab...@streamsend.com




Re: The www[variations]continue....

2009-07-16 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-16 at 13:43 +0200, Chr. von Stuckrad wrote:
[snip]
> (Of course every good spammer will read the spamassassin list ;-)
I don't think they care that much. Once you've got the mail server to
accept it, ending up in a junk folder is still a successful delivery.

If you are running it so it blocks at the gateway, rather than post
queue it may bother them, but from what I've seen most people don't do
that.

All that aside, many of the bigger 'spammers' don't care much about
block lists either :-)





Re: Opt In Spam

2009-07-16 Thread rich...@buzzhost.co.uk
On Thu, 2009-07-16 at 07:55 -0400, Matt Kettler wrote:
> Have you reported the abuse to mailto:habeas@abuse.net, as Neil
> Schwartzman from Return Path (operators of Habeas) requested last time?
> 
> Just posting to the sa-users list isn't really going to do very much.
Have to agree (it's nice to have a moan mind you, it's therapeutic)

It has to be outspokenly said that the name EZ Publishing has come up
before here and I'm starting to wonder if ESP = EMAIL SPAM PERMITTED up
and to the point someone complains about it.




Re: Opt In Spam

2009-07-17 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-17 at 03:25 -0700, twofers wrote:
> Neil Rocks !
>  
> Thanks Neil.
>  
> Wes
> 
> --- On Thu, 7/16/09, Neil Schwartzman
>  wrote:
> 
> 
> From: Neil Schwartzman 
> Subject: Re: Opt In Spam
> To: "twofers" , "Spamassassin"
> 
> Date: Thursday, July 16, 2009, 1:29 PM
> 
> FOLLOW-UP:
> 
> A process was hung on one of the 20 hives serving the
> whitelists and
> reported this IP as being listed. We've restarted the process
> and it is
> no longer reporting incorrectly.
> 
> 
> On 16/07/09 8:05 AM, "Neil Schwartzman"
>  wrote:
> 
> Now, I am aware that we recently changed the DNS hives
> serving up Safe (aka
> safelist aka Habeas) and I'm wondering if there is a
> glitch between SA and
> our lists. I don't know.
> 
> I expect I need to take this up with the developer
> team, and bump it to
> someone else over here. I've also BCCed our contacts
> at SA for clarification
> 
> -- 
> Neil Schwartzman
> Director, Certification Security & Standards
> Return Path Inc.
> 0142002038
> 
> 
I have (as usual) a different view. Being told how wonderful they were I
thought it would be a blast to opt-in, then opt out again. On opting out
I found I was mailed again by RP. So I blocked the range. They found
another range and spammed me, I blocked it again. Tonight, they have
done it again - I guess this is another 'fault with a hive serving the
whitelists' or similar b/s. Opt out is opt out. It means I don't want
you to keep finding new ranges to spam me about your services;

From: Ryan Osborne
To: @buzzhost.co.uk
Subject: Are you getting your email to the Inbox?
Date: Fri, 17 Jul 2009 15:06:02 -0400 (20:06 BST)
Mailer: Produced By Microsoft Exchange V6.5


I am reaching out from Return Path regarding your inquiry during our
Lunch and Learn.  We focus on helping marketers like you increase email
response and revenue by maximizing your email delivery rates and
optimizing your email performance. 

 

On average, 20% of permission email is blocked or filtered by ISPs. ISPs
like Hotmail and Yahoo! look at several factors in your sending history
(or reputation) to determine legitimate mail from spam, but
unfortunately one out of five times they get it wrong. We at Return Path
can help you build a stellar sending reputation so that ISPs don’t
mistake your messages for spam and instead, fast track your email to the
inbox. Once you’re IN, we’ll help ensure your strategy is aligned with
subscriber interest so that you can maintain high deliverability rates
and drive more response and revenue to your program. 

 

Our industry leading monitoring tools and services are used by companies
of all shapes and sizes including Polo Ralph Lauren,  Software AG,
Fidelity Investments, eBay, Coldwater Creek, Overstock.com, REI,
Match.com, E-Harmony, Twitter, Facebook, and MySpace, plus 2000 more!
You can read our case studies on our website. 

I welcome the opportunity to talk with you to jointly determine which
Return Path solutions will drive the strongest ROI across your email
programs.  When would be the best time to set up the meeting to review
your delivery needs?

 

Let me know what time works best for you. I look forward to speaking
with you soon. 

 

Best Regards, 

 

p.s. If you are new to deliverability and want to learn more before we
chat, you can register for our Lunch & Learn Webinar: Are My Emails
Getting Blocked? Click here to choose the date and time that works for
you. 

Thank you,

Ryan Osborne

New Business Development

Return Path - Increasing Email Reach and Response

8001 Arista Place Suite 300

Broomfield, CO 80021

303-999-3121 (office)

303-496-1283 (fax)





Re: Opt In Spam

2009-07-17 Thread rich...@buzzhost.co.uk
On Fri, 2009-07-17 at 14:41 -0600, Neil Schwartzman wrote:
> 
> 
> On 17/07/09 4:03 PM, "Neil Schwartzman" 
> wrote:
> 
> > Your assertion that we encountered a block and then switched to a new IP
> > netblock is preposterous. We have several ranges and mail streams. You opted
> > in and then opted out. OK, in what timeframe? Minutes? Hours? The proscribed
> > 10-day CANSPAM limit? A couple of months?
> > 
> > I will ensure you are added to our suppression list and unsubbed from all
> > lists, immediately. If our processes are broken, we want to know; I've BCCed
> > our CPO in on this.
> 
> Richard,
> 
> I inquired internally, and here is what we understand to have happened.
> 
> You signed up for a Lunch and Learn. You were mailed the information in that
> regard. Apparently you were flagged in our systems as having attended the
> event. 
I hate to say this, but if that's what you understand to have happened
you have some serious issues with data management. Here is what
happened. Injected an address into your web form, injected a dead phone
number. Never confirmed opt in, when mail came clicked 'unsubscribe' 

> You also indicated you wanted a demo of our tools during your
> sign-up. A sales person, Ryan, followed up on the lead with a 1-to-1 email.
> He also tried to call the apparently erroneous telephone number you entered
> in the form.
So, not only have you abused the unsubscribe, you tried to call the
number too. Gee, you are very determined spammers dude.
> 
> We have verified the unsubscribe and suppressed your address.
> 
> Let us know if there is anything else we can do to help.
Can you supply me with all the address ranges you have so I can add
manual blocks for them. Thanks.
> Thanks again for bringing this to all our attention.



Re: Lotto/Money & email address spam

2009-07-22 Thread rich...@buzzhost.co.uk
On Wed, 2009-07-22 at 19:40 +0100, Ned Slider wrote:
> MySQL Student wrote:
> > Hi,
> > 
> > I'm having trouble catching spam that contains lotto/money schemes or
> > simply asks the user to email a particular address for a loan or
> > otherwise. Here's an example:
> > 
> 
> 
> 
> > 
> > Thanks,
> > Alex
> > 
> 
> 
> Alex,
> 
> Please don't paste examples to this list.
> 
> Please post them to pastebin (or a similar service) and then include the 
> link.
> 
> I see enough spam already without you including yet more in your emails ;)
> 
> Thanks
Have to second and stress Ned's point here. I for one use other spam
dropping systems. One of these is Postfix's header/body checks for
obvious crud. A current Postfix limitation of this is you can't white
list anything in these checks - it's all or nothing. So anything
obviously spammy bounces and I get the list monitor moan every week.

Pastebin is brilliant and free - http://pastebin.com/



Re: Any one interested in using a proper forum?

2009-07-28 Thread rich...@buzzhost.co.uk
On Tue, 2009-07-28 at 04:07 -0700, snowweb wrote:
> I don't know about anyone else, but I'm getting a bit hacked off with this
> 1980's style forum. I'm trying to get to the bottom of an SA issue and this
> list/forum thing is giving me a bigger headache than SA!
If you have difficulty with an email list I'm wondering if it is probable
that you may have some issues setting up email filtering with something
like SA.
> Spamassassin has more than one or two users now and I personally think that
> it should have a support forum to match the class of software, which is now
> world class.
It is, you'll find it stolen and in appliances like the Barracuda 'Spam
& Virus' firewall where people pay good money for free software...
> 
> I know it's free and all that,
see last comment
>  but even so, if this is the only form of support they provide, I'm thinking 
> that I'll just start an alternative
> support forum, using standard, full featured forum software (like SMF).
Go ahead, it's a free world.
> 
> Is there any support for this (I already know there will be opposition from
> those who are 'resident' here. Sorry guys, I just want do something to help
> those who just dive in when they have an urgent problem. No hard feelings I
> hope.)
You could offer to pay a consultant for any urgent support you need, or
use something like 'experts exchange' if the level and quality of the
free software and free support is not good enough for you.
> 
> Peter Snow
> 
> 



Re: Any one interested in using a proper forum?

2009-07-28 Thread rich...@buzzhost.co.uk
On Tue, 2009-07-28 at 07:31 -0700, snowweb wrote:
> spamassassin-forum

One way to get that included in web filter block lists.

Registered through: GoDaddy.com, Inc.

Then I noted;

   Administrative Contact:
  Snow, Peter  pe...@snowweb.co.uk
  20 Neville Gardens
  Emsworth, Hampshire PO10 7XZ
  United Kingdom
  (632) 724-1138  Fax -- 

That's a non UK phone number, but possible that it is VoIP based, but
there seems to be a discrepancy;

Domain name:
snowweb.co.uk

Registrant:
Mr Peter R Snow

Registrant type:
Unknown

Registrant's address:
12-20 Gardens of Maia Alta,
Dalig,
Antipolo City
Rizal
1870
Philippines


Just which one of these is correct ? I like to know who is who, I'm
nosey.







