How to filter these spam messages
Hello, I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? any help would be appreciated, thanks! Here are the latest spam I'm receiving: http://optinet.com/spam.txt My config is pretty much default and I have few extra rulesets from rulesemporium Thanks, Simon
Re: How to filter these spam messages
I have adopted the following policy, I run commercial free email. If it is unsolicited it gets blacklisted. If they want to run commercials through my email site, I will let them, provided they use a mailing list and the user can opt out. Random, unsolicited emails go in the blacklist. This method (to me) works the best. While spamassassin works very well also, it becomes much more inflated in terms of code, the more rules there are. I use spamassassin also, but for just standard unsolicited email, it goes to the bit bucket.

I will sell them commercials on my site, I will be glad to set up a site wide mailing list and let my customers subscribe to the ones they want (for a monthly fee). I am not going to subsidize email commercials on bandwidth my customers and I pay for, nor do I want to let someone, such as a spammer, use my resources for free, if they want to use them, they will pay for them, through the sales of subscribe/unsubscribe mailing lists. So, if they wanna play, they're gonna hafta pay. I believe this is the only way to force spammers to comply with some kind of email policy.

Simon wrote:
> Hello, I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? any help would be appreciated, thanks!
> Here are the latest spam I'm receiving: http://optinet.com/spam.txt
> My config is pretty much default and I have few extra rulesets from rulesemporium
> Thanks, Simon
Re: How to filter these spam messages
Yea, I was getting ready to post about the same kind of spam.. Very obnoxious. Anyone ideas? - Original Message - From: "Simon" <[EMAIL PROTECTED]> To: Sent: Sunday, October 15, 2006 2:29 PM Subject: How to filter these spam messages Hello, I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? any help would be appreciated, thanks! Here are the latest spam I'm receiving: http://optinet.com/spam.txt My config is pretty much default and I have few extra rulesets from rulesemporium Thanks, Simon
Re: How to filter these spam messages
Try Greylisting if you are admin on your own e-mail server! That will filter most of those e-mails. /Micke Simon wrote: Hello, I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? any help would be appreciated, thanks! Here are the latest spam I'm receiving: http://optinet.com/spam.txt My config is pretty much default and I have few extra rulesets from rulesemporium Thanks, Simon
Re: How to filter these spam messages
Someone want to explain Greylisting? - Original Message - From: "Micke Andersson" <[EMAIL PROTECTED]> To: "Simon" <[EMAIL PROTECTED]> Cc: Sent: Sunday, October 15, 2006 3:50 PM Subject: Re: How to filter these spam messages Try Greylisting if you are admin on your own e-mail server! That will filter most of those e-mails. /Micke Simon wrote: Hello, I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? any help would be appreciated, thanks! Here are the latest spam I'm receiving: http://optinet.com/spam.txt My config is pretty much default and I have few extra rulesets from rulesemporium Thanks, Simon
Re: How to filter these spam messages
From: "Simon" <[EMAIL PROTECTED]>

> Hello, I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? any help would be appreciated, thanks!
> Here are the latest spam I'm receiving: http://optinet.com/spam.txt
> My config is pretty much default and I have few extra rulesets from rulesemporium

1) Technically every message sent through SpamAssassin is filtered. So I've no idea what you mean above.

2) Taking a stab in the dark you are expecting SpamAssassin to fail to pass along spam messages for delivery. This is not something that SpamAssassin does. All SA does is issue a score, one of several different ways. It is up to your MDA to act on that score if you do not want spams (and mismarked hams) delivered. Personally I use a markup that places this at the front of the spam message subject lines and encapsulates the spam inside a protective outer message.

*SPAM* 057.6 **

(That one was a drug spam that triggered just a whole LOT of regular, SARE, DNS, and JD special rules that are up to 100% perfect anti-spam rules.)

Then I use OutlookExpress's filtering capability on the first part of that markup to toss the messages into a "SPAM" folder. I check the spam folder maybe twice a day to see if there is any mismarked ham. Those will be low scoring so I sort on the subjects and look at the ones with the low scores only. Sometimes I amuse myself with the rather high scores some spams can achieve. Leo (see SpamHaus) managed to break 100 on all low points rules once. He has a sense of humor at least. He's still a dispensable human being.

I hope this helps you just a little. (And maybe even shows how to make anti-spam at least "amusing" as well as rewarding.)

{^_^}
Re: How to filter these spam messages
Google for it. LOTS OF information lives out there to find. - Original Message - From: "Billy Huddleston" <[EMAIL PROTECTED]> To: Sent: Sunday, October 15, 2006 12:58 Subject: Re: How to filter these spam messages Someone want to explain Greylisting? - Original Message - From: "Micke Andersson" <[EMAIL PROTECTED]> To: "Simon" <[EMAIL PROTECTED]> Cc: Sent: Sunday, October 15, 2006 3:50 PM Subject: Re: How to filter these spam messages Try Greylisting if you are admin on your own e-mail server! That will filter most of those e-mails. /Micke Simon wrote: Hello, I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? any help would be appreciated, thanks! Here are the latest spam I'm receiving: http://optinet.com/spam.txt My config is pretty much default and I have few extra rulesets from rulesemporium Thanks, Simon
Re: How to filter these spam messages
What I meant to say is that, even though they do get filtered, these spam messages do not get scored high enough to offset threshold so they get marked as spam. I will check on greylisting, but what I was really hoping for is a ruleset which helps score these high enough so they are marked as spam.

-Simon

On Sun, 15 Oct 2006 13:00:12 -0700, jdow wrote:

>From: "Simon" <[EMAIL PROTECTED]>
>
>> Hello,
>>
>> I'm trying to figure out what to do to filter these spam messages. I can't seem to
>> find a ruleset which would filter them. Perhaps I need to change something in
>> my configuration? any help would be appreciated, thanks!
>>
>> Here are the latest spam I'm receiving:
>>
>> http://optinet.com/spam.txt
>>
>> My config is pretty much default and I have few extra rulesets from rulesemporium
>
>1) Technically every message sent through SpamAssassin is filtered. So
>I've no idea what you mean above.
>
>2) Taking a stab in the dark you are expecting SpamAssassin to fail to
>pass along spam messages for delivery. This is not something that
>SpamAssassin does. All SA does is issue a score, one of several
>different ways. It is up to your MDA to act on that score if you do
>not want spams (and mismarked hams) delivered. Personally I use a
>markup that places this at the front of the spam message subject
>lines and encapsulates the spam inside a protective outer message.
>*SPAM* 057.6 **
>
>(That one was a drug spam that triggered just a whole LOT of regular,
>SARE, DNS, and JD special rules that are up to 100% perfect anti-spam
>rules.)
>
>Then I use OutlookExpress's filtering capability on the first part of
>that markup to toss the messages into a "SPAM" folder. I check the
>spam folder maybe twice a day to see if there is any mismarked ham.
>Those will be low scoring so I sort on the subjects and look at the
>ones with the low scores only. Sometimes I amuse myself with the
>rather high scores some spams can achieve. Leo (see SpamHaus) managed
>to break 100 on all low points rules once. He has a sense of humor
>at least. He's still a dispensable human being.
>
>I hope this helps you just a little. (And maybe even shows how to make
>anti-spam at least "amusing" as well as rewarding.)
>
>{^_^}
RE: How to filter these spam messages
> -Original Message-
> From: Billy Huddleston [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 15, 2006 3:58 PM
> To: users@spamassassin.apache.org
> Subject: Re: How to filter these spam messages
>
> Someone want to explain Greylisting?

It delays any email for up to 45 mins. If the sender is running a REAL server[sic] like aol or yahoo, it will retry it.

Ok if you don't mind waiting a long time for email.
Re: How to filter these spam messages
(Long answer in email sent direct.) Short answer - SARE. Check the "Other Rules" in the side bar. Fred's rules are generally useful. And Jennifer's are timeless and useful. {^_^} - Original Message - From: "Simon" <[EMAIL PROTECTED]> What I meant to say is that, eventhough they do get filtered, these spam messages do not get scored high enough to offset threshold so they get marked as spam. I will check on greylisting, but what I was really hoping for is a ruleset which helps score these high enough so they are marked as spam. -Simon On Sun, 15 Oct 2006 13:00:12 -0700, jdow wrote: From: "Simon" <[EMAIL PROTECTED]> Hello, I'm trying to figure out what to do to filter these spam messages. I can't seem to find a ruleset which would filter them. Perhaps I need to change something in my configuration? any help would be appreciated, thanks! Here are the latest spam I'm receiving: http://optinet.com/spam.txt My config is pretty much default and I have few extra rulesets from rulesemporium 1) Technically every message sent through SpamAssassin is filtered. So I've no idea what you mean above. 2) Taking a stab in the dark you are expecting SpamAssassin to fail to pass along spam messages for delivery. This is not something that SpamAssassin does. All SA does is issue a score, one of several different ways. It is up to your MDA to act on that score if you do not want spams (and mismarked hams) delivered. Personally I use a markup that places this at the front of the spam message subject lines and encapsulates the spam inside a protective outer message. *SPAM* 057.6 ** (That one was a drug spam that triggered just a whole LOT of regular, SARE, DNS, and JD special rules that are up to 100% perfect anti-spam rules.) Then I use OutlookExpress's filtering capability on the first part of that markup to toss the messages into a "SPAM" folder. I check the spam folder maybe twice a day to see if there is any mismarked ham. 
Those will be low scoring so I sort on the subjects and look at the ones with the low scores only. Sometimes I amuse myself with the rather high scores some spams can achive. Leo (see SpamHaus) managed to break 100 on all low points rules once. He has a sense of humor at least. He's still a dispensible human being. I hope this helps you just a little. (And maybe even shows how to make anti-spam at least "amusing" as well as rewarding.) {^_^}
Re: How to filter these spam messages
From: "Michael Scheidell" <[EMAIL PROTECTED]>

>> From: Billy Huddleston [mailto:[EMAIL PROTECTED]
>> Someone want to explain Greylisting?
>
> It delays any email for up to 45 mins. If the sender is running a REAL server[sic] like aol or yahoo, it will retry it.
> Ok if you don't mind waiting a long time for email.

/for email/s//for some email/

Done right greylisting includes a list of addresses allowed to skip the greylisting delay once the address proves to be valid.

{^_-}
RE: How to filter these spam messages
> > Someone want to explain Greylisting? Here is an example that references a coupla websites http://qmail.jms1.net/scripts/jgreylist.shtml - rh -- Robert - Abba Communications Computer & Internet Services (509) 624-7159 - www.abbacomm.net
Re: How to filter these spam messages
On 2006-10-15, Michael Scheidell <[EMAIL PROTECTED]> wrote: > Billy Huddleston wrote: >> >> Someone want to explain Greylisting? > It delays any email for up to 45 mins. > If the sender is running a REAL server[sic] like aol or yahoo, it will > retry it. > > Ok if you don't mind waiting a log time for email. The latest versions of milter-greylist for sendmail allow you to fine tune greylisting on a per-user basis. My wife doesn't want to wait for her email, and has a small enough internet footprint that she doesn't get much spam anyway, so I put no delay on her account. My daughter and me, OTOH, get tons of spam and are willing to wait 30 minutes for delivery if it means less spam. Seems to work well here, anyway. -- John ([EMAIL PROTECTED])
Re: How to filter these spam messages
Won't work for my use.. Running SA for ISP.. Way too many people.. Way too much volume.. People upset at the time delays already.. which are under 2 - 10 minutes.. Go Figure.

- Original Message -
From: "John Thompson" <[EMAIL PROTECTED]>
To:
Sent: Sunday, October 15, 2006 10:59 PM
Subject: Re: How to filter these spam messages

On 2006-10-15, Michael Scheidell <[EMAIL PROTECTED]> wrote:
> Billy Huddleston wrote:
>> Someone want to explain Greylisting?
> It delays any email for up to 45 mins. If the sender is running a REAL server[sic] like aol or yahoo, it will retry it.
> Ok if you don't mind waiting a long time for email.

The latest versions of milter-greylist for sendmail allow you to fine tune greylisting on a per-user basis. My wife doesn't want to wait for her email, and has a small enough internet footprint that she doesn't get much spam anyway, so I put no delay on her account. My daughter and me, OTOH, get tons of spam and are willing to wait 30 minutes for delivery if it means less spam. Seems to work well here, anyway.

-- John ([EMAIL PROTECTED])
Re: How to filter these spam messages
On Mon, October 16, 2006 05:23, Billy Huddleston wrote:
> Won't work for my use.. Running SA for ISP.. Way too many people.. Way too
> much volume.. People upset at the time delays already.. which are under 2 -
> 10 minutes.. Go Figure.

same people use up to 2 - 10 minutes to delete spam, Go Figure :)

--
"This message was sent using 100% recycled spam mails."
Re: How to filter these spam messages
On Sun, 15 Oct 2006, Billy Huddleston wrote:
> Won't work for my use.. Running SA for ISP.. Way too many
> people.. Way too much volume.. People upset at the time delays
> already.. which are under 2 - 10 minutes.. Go Figure.

Adjust their expectations. Email is *not* IM.

--
John Hardin KA7OHZ  ICQ#15735746  http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]  FALaholic #11174  pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...the Fates notice those who buy chainsaws... -- www.darwinawards.com
---
15 days until Halloween
Re: How to filter these spam messages
On Mon, 16 Oct 2006, John D. Hardin wrote: On Sun, 15 Oct 2006, Billy Huddleston wrote: Won't work for my use.. Running SA for ISP.. Way too many people.. Way too much volume.. People upset at the time delays already.. which ar under 2 - 10 minutes.. Go Figure. Adjust their expectations. Email is *not* IM. I guess the problem with being an ISP is that there would be other ISPs who would be willing to not try to adjust their expectations and instead promise them super-speedy e-mail delivery in all cases. The fact that it isn't possible to deliver on that promise might not matter if they still manage to take away your customers. :-) The point being that even though e-mail isn't IM, if people expect you to get as close to IM as possible, then you probably have to do that if you want to keep your customers. So it's kinda a moot point. - Logan
Re: How to filter these spam messages
Logan Shaw wrote: I guess the problem with being an ISP is that there would be other ISPs who would be willing to not try to adjust their expectations and instead promise them super-speedy e-mail delivery in all cases. The fact that it isn't possible to deliver on that promise might not matter if they still manage to take away your customers. :-) Exactly so. At an ISP I did some work for, I used to argue this until people very reasonably pointed out that yahoo mail got delivered faster, and it was free. Yahoo averages ~2 minutes for mail delivery. That sets the bar for anyone who is trying to sell their mail services. -- Jo Rhett Network/Software Engineer Net Consonance
Re: How to filter these spam messages
Jo Rhett wrote:
> Logan Shaw wrote:
>> I guess the problem with being an ISP is that there would be other ISPs who would be willing to not try to adjust their expectations and instead promise them super-speedy e-mail delivery in all cases. The fact that it isn't possible to deliver on that promise might not matter if they still manage to take away your customers. :-)
>
> Exactly so. At an ISP I did some work for, I used to argue this until people very reasonably pointed out that yahoo mail got delivered faster, and it was free.
> Yahoo averages ~2 minutes for mail delivery. That sets the bar for anyone who is trying to sell their mail services.

And, oddly enough, mail coming FROM yahoo can sometimes take up to an hour to hit my server after the person has hit send. I'm still trying to figure that one out..

-Jim
Re: How to filter these spam messages
Yup.. and it sucks.. I get a 10 minute delay, and my phone starts ringing off the hook. I've had to beef up our spamassassin engines at least 3 times in the past 18 months to handle the load.. and now getting these stupid text only 3 or 4 line emails that are very difficult to block.. Greylisting just isn't an option that I'm willing to do if it's simply refusing to take delivery of the message on the first go around..

Thanks, Billy

- Original Message -
From: "Jo Rhett" <[EMAIL PROTECTED]>
To: "Logan Shaw" <[EMAIL PROTECTED]>
Cc:
Sent: Monday, October 16, 2006 2:47 PM
Subject: Re: How to filter these spam messages

Logan Shaw wrote:
> I guess the problem with being an ISP is that there would be other ISPs who would be willing to not try to adjust their expectations and instead promise them super-speedy e-mail delivery in all cases. The fact that it isn't possible to deliver on that promise might not matter if they still manage to take away your customers. :-)

Exactly so. At an ISP I did some work for, I used to argue this until people very reasonably pointed out that yahoo mail got delivered faster, and it was free.

Yahoo averages ~2 minutes for mail delivery. That sets the bar for anyone who is trying to sell their mail services.

--
Jo Rhett
Network/Software Engineer
Net Consonance
Re: How to filter these spam messages
I reviewed greylisting as a solution in the past, we couldn't accept it due to delay and I also read not all email servers will resend properly. So there is a chance few legitimate emails will never get redelivered. When you are running a business shop, such delays or exceptions are not permitted. I believe it should be very easy to write a rule set for these "work from home", stock, mortgage, etc... short spam emails, I just don't have the expertise to do it right. -Simon On Mon, 16 Oct 2006 15:06:34 -0400, Billy Huddleston wrote: >Yup.. and it sucks.. I get a 10 minute delay, and my phone starts ringing >off the hook. I've had to beef up our spamassassin engines at least 3 times >in the past 18 months to handle the load.. and now getting these stupid >text only 3 or 4 line emails that hard very difficult to block.. Greylisting >just isn't a option that I'm willing to do if it's simply refusing to take >delivery of the message on the first go around.. > >Thanks, Billy > >- Original Message - >From: "Jo Rhett" <[EMAIL PROTECTED]> >To: "Logan Shaw" <[EMAIL PROTECTED]> >Cc: <users@spamassassin.apache.org> >Sent: Monday, October 16, 2006 2:47 PM >Subject: Re: How to filter these spam messages > > >> Logan Shaw wrote: >>> I guess the problem with being an ISP is that there would be >>> other ISPs who would be willing to not try to adjust their >>> expectations and instead promise them super-speedy e-mail >>> delivery in all cases. The fact that it isn't possible to >>> deliver on that promise might not matter if they still manage >>> to take away your customers. :-) >> >> Exactly so. At an ISP I did some work for, I used to argue this until >> people very reasonably pointed out that yahoo mail got delivered faster, >> and it was free. >> >> Yahoo averages ~2 minutes for mail delivery. That sets the bar for anyone >> who is trying to sell their mail services. >> >> -- >> Jo Rhett >> Network/Software Engineer >> Net Consonance >> > > >
RE: How to filter these spam messages
> I reviewed greylisting as a solution in the past, we couldn't accept it due to delay and I also read not all email servers will resend properly. So there is a chance few legitimate emails will never get redelivered. When you are running a business shop, such delays or exceptions are not permitted.
> I believe it should be very easy to write a rule set for these "work from home", stock, mortgage, etc... short spam emails, I just don't have the expertise to do it right.
> -Simon

I understand everyone has to make decisions and deal with it… yet…

A minute or two delay from greylisting matters that much?

Do you really want email from a server that doesn’t work right or isn’t administered as best it can be?

That is kinda why greylisting exists… to eliminate bursty worthless email…

And most people doing business want to use the phone or meet in person to close sales properly.

- rh

--
Robert - Abba Communications
Computer & Internet Services
(509) 624-7159 - www.abbacomm.net
RE: How to filter these spam messages
I'm not the original poster, but...

On Mon, October 16, 2006 3:43 pm, R Lists06 said:
> Do you really want email from a server that doesn't work right or isn't
> administered as best it can be?

I want every legitimate email sent to me. Period. No matter how it was sent; the sender of the email may have no idea their sysadmin is braindead.

> That is kinda why greylisting exists. to eliminate bursty worthless email.
>
> And most people doing business want to use the phone or meet in person to
> close sales properly.

True, to close sales. But they often open sales via email. And if you don't get that email, you'll never get a chance to close the sale at all.

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
Re: How to filter these spam messages
On Mon, October 16, 2006 3:43 pm, R Lists06 said: Do you really want email from a server that doesn't work right or isn't administered as best it can be? Daniel T. Staal wrote: I want every legitimate email sent to me. Period. No matter how it was sent; the sender of the email may have no idea their sysadmin is braindead. That makes sense. And that's why you can modify the scores locally. The vast majority of spamassassin users feel otherwise, which is why it is defaulted on. -- Jo Rhett Network/Software Engineer Net Consonance
Re: How to filter these spam messages
I'm not sure what you have defaulted on, but majority of clients I deal with will not accept delayed or missing emails. This is why greylisting is not an option for a lot of us. At most, I see greylisting acceptable for noncommercial clients, if that, to whom email isn't crucial part of their job. Spamassassin has rules for majority of emails, so I don't see what's so difficult about adding more rules to combat these new breed of spam. -Simon On Mon, 16 Oct 2006 13:12:27 -0700, Jo Rhett wrote: >> On Mon, October 16, 2006 3:43 pm, R Lists06 said: >>> Do you really want email from a server that doesn't work right or isn't >>> administered as best it can be? > >Daniel T. Staal wrote: >> I want every legitimate email sent to me. Period. No matter how it was >> sent; the sender of the email may have no idea their sysadmin is >> braindead. > >That makes sense. And that's why you can modify the scores locally. > >The vast majority of spamassassin users feel otherwise, which is why it >is defaulted on. > >-- >Jo Rhett >Network/Software Engineer >Net Consonance > >
Re: How to filter these spam messages
On Oct 16, 2006, at 1:47 PM, Jo Rhett wrote:
> Logan Shaw wrote:
>> I guess the problem with being an ISP is that there would be other ISPs who would be willing to not try to adjust their expectations and instead promise them super-speedy e-mail delivery in all cases. The fact that it isn't possible to deliver on that promise might not matter if they still manage to take away your customers. :-)
>
> Exactly so. At an ISP I did some work for, I used to argue this until people very reasonably pointed out that yahoo mail got delivered faster, and it was free.
> Yahoo averages ~2 minutes for mail delivery. That sets the bar for anyone who is trying to sell their mail services.

OTOH, in my experience, the few customers who were so concerned about such things also tended to be a drain on support resources in other ways too, and losing them to another ISP was actually profitable.

Besides, with most SA deployments, the filtering job can easily scale horizontally which will bring that time to delivery down.

David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]
Re: How to filter these spam messages
On Oct 16, 2006, at 2:27 PM, Simon wrote:
> I reviewed greylisting as a solution in the past, we couldn't accept it due to delay and I also read not all email servers will resend properly. So there is a chance few legitimate emails will never get redelivered. When you are running a business shop, such delays or exceptions are not permitted.

Fortune 500's are greylisting... so why is it not acceptable? Really, you should try it for a bit and see if it really works.

sqlgrey keeps a list of sites/addresses that have proven themselves good, and so over time it delays less legit email. It also has a list of known sites that are broken to whitelist.

When I implemented greylisting for one site, they called in the next morning sure that email was broken. But after poring through the logs, we determined that the real issue was simply that they didn't get any legit email all night, and all the usual spam had been turned away. Once business hours opened up, their clients started emailing them, and the legit messages came right in.

It also reduces the load on the SA servers, which makes the delivery time quicker. In my experience, greylisting averages out better. :)

David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]
Re: How to filter these spam messages
> On Oct 16, 2006, at 2:27 PM, Simon wrote:
>> I reviewed greylisting as a solution in the past, we couldn't accept it due to delay and I also read not all email servers will resend properly. So there is a chance few legitimate emails will never get redelivered. When you are running a business shop, such delays or exceptions are not permitted.
>
> Fortune 500's are greylisting... so why is it not acceptable? Really, you should try it for a bit and see if it really works.
>
> sqlgrey keeps a list of sites/addresses that have proven themselves good, and so over time it delays less legit email. It also has a list of known sites that are broken to whitelist.
>
> When I implemented greylisting for one site, they called in the next morning sure that email was broken. But after poring through the logs, we determined that the real issue was simply that they didn't get any legit email all night, and all the usual spam had been turned away. Once business hours opened up, their clients started emailing them, and the legit messages came right in.
>
> It also reduces the load on the SA servers, which makes the delivery time quicker. In my experience, greylisting averages out better. :)
>
> David Morton
> Maia Mailguard http://www.maiamailguard.com
> [EMAIL PROTECTED]

I don't use greylisting on my primary MX because I do not wish to delay mail, but I do on my secondary (not round robin) - and it is very effective there.

I have one of those SMTP servers (from a major company) that does not retry. Because of greylisting, I can no longer safely use it for outbound mail - and don't.

Granted, these links are specific to Postfix, but offer some insight into lessening the possibility of losing legitimate mail to greylisting:
http://lists.ee.ethz.ch/postgrey/msg01214.html
http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml

Gary V
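The greylisting behaviour described across the posts above (defer on first contact, accept a proper retry, skip the delay for senders that have proven themselves, turn it off per user, whitelist servers that never retry) can be modelled as follows. This is an added example, not part of any post and not code from sqlgrey, postgrey or milter-greylist; the class, the 30-minute default, keying the auto-whitelist on (client IP, sender domain) and all addresses are assumptions made for illustration.

```python
"""Simplified greylisting model (added illustration; all names are assumptions)."""
from dataclasses import dataclass, field

DEFER = "451 greylisted, try again later"   # temporary SMTP failure
ACCEPT = "250 ok"


@dataclass
class Greylist:
    default_delay: int = 1800        # seconds a new triplet must wait (30 min)
    per_rcpt_delay: dict = field(default_factory=dict)   # rcpt -> delay, 0 = off
    static_whitelist: set = field(default_factory=set)   # client IPs that never retry
    first_seen: dict = field(default_factory=dict)       # triplet -> first attempt time
    auto_whitelist: set = field(default_factory=set)     # (ip, sender domain) that retried

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        sender, rcpt = sender.lower(), rcpt.lower()
        delay = self.per_rcpt_delay.get(rcpt, self.default_delay)
        if delay == 0 or client_ip in self.static_whitelist:
            return ACCEPT
        proven = (client_ip, sender.rpartition("@")[2])
        if proven in self.auto_whitelist:
            return ACCEPT                      # earlier retry succeeded: no delay
        triplet = (client_ip, sender, rcpt)
        first = self.first_seen.setdefault(triplet, now)
        if now - first < delay:
            return DEFER                       # first contact, or retry too early
        # The sender queued the message and came back after the delay.
        self.auto_whitelist.add(proven)
        del self.first_seen[triplet]
        return ACCEPT


def demo():
    """Replay constructed attempts: (time, client IP, sender, recipient)."""
    gl = Greylist(per_rcpt_delay={"wife@example.net": 0})
    attempts = [
        (0,    "192.0.2.10",   "alice@example.org",    "dad@example.net"),   # first try
        (5,    "198.51.100.7", "promo@example.com",    "dad@example.net"),   # bot, no retry
        (6,    "198.51.100.7", "promo@example.com",    "wife@example.net"),  # delay disabled
        (60,   "192.0.2.10",   "alice@example.org",    "dad@example.net"),   # retry too early
        (1800, "192.0.2.10",   "alice@example.org",    "dad@example.net"),   # proper retry
        (1900, "192.0.2.10",   "bob@example.org",      "dad@example.net"),   # auto-whitelisted
        (2000, "203.0.113.5",  "invoices@example.edu", "dad@example.net"),   # never retries
    ]
    replies = [gl.check(ip, s, r, t) for t, ip, s, r in attempts]
    # The non-retrying server's mail is lost until an admin whitelists its IP.
    gl.static_whitelist.add("203.0.113.5")
    later = gl.check("203.0.113.5", "invoices@example.edu", "dad@example.net", 90000)
    return replies, later


if __name__ == "__main__":
    replies, later = demo()
    for reply in replies:
        print(reply)
    print("after static whitelist:", later)
```

The message accepted for the recipient with no delay still has to be scored by SpamAssassin, which is why greylisting and rules are complementary rather than alternatives.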
Re: How to filter these spam messages
Why can't we simply have a new ruleset to score these short spam messages higher? -Simon On Mon, 16 Oct 2006 20:44:58 -0600, Gary V wrote: > >>On Oct 16, 2006, at 2:27 PM, Simon wrote: >> >>> >>>I reviewed greylisting as a solution in the past, we couldn't accept it >>>due to >>>delay and I also read not all email servers will resend properly. So >>>there is a >>>chance few legitimate emails will never get redelivered. When you are >>>running >>>a business shop, such delays or exceptions are not permitted. >> >>Fortune 500's are greylisting... so why is it not acceptable? Really, >>you should try it for a bit and see if it really works. >> >>sqlgrey keeps a list of sites/addresses that have proven themselves good, >>and so over time it delays less legit email. It also has a list of known >>sites that are broken to whitelist. >> >>When I implemented greylisting for one site, they called in the next >>morning sure that email was broken. But after poring through the logs, we >>determined that the real issue was simply that they didn't get any legit >>email all night, and all the usual spam had been turned away. Once >>business hours opened up, their clients started emailing them, and the >>legit messages came right in. >> >>It also reduces the load on the SA servers, which makes the delivery time >>quicker. In my experience, greylisting averages out better. :) >> >> >>David Morton >>Maia Mailguard http://www.maiamailguard.com >>[EMAIL PROTECTED] > >I don't use greylisting on my primary MX because I do not wish to delay >mail, but I do on my secondary (not round robin) - and it is very effective >there. > >I have one of those SMTP servers (from a major company) that does not retry. >Because of greylisting, I can no longer safely use it for outbound mail - >and don't. 
> >Granted, these links are specific to Postfix, but offer some insight into >lessening the possibility of loosing legitimate mail to greylisting: >http://lists.ee.ethz.ch/postgrey/msg01214.html >http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_greylisting.shtml > >Gary V > >_ >Add a Yahoo! contact to Windows Live Messenger for a chance to win a free >trip! >http://www.imagine-windowslive.com/minisites/yahoo/default.aspx?locale=en-us&hmtagline > > >
Re: How to filter these spam messages
> Why can't we simply have a new ruleset to score these short spam messages higher?
> -Simon

I'm not good at creating rules, but these work, and should help a little:

body GV_MAKE_K / how to (generate|make) 1\.5 - 3\.5k /
score GV_MAKE_K 3.5

uri GEOCITIES /^http:\/\/(..|www)\.geocities\.com\/+.+/i
describe GEOCITIES Geocities URL
score GEOCITIES 3.5

on these:

Learn how to make 1.5 - 3.5k a day from your house.
Find out how to generate 1.5 - 3.5k daily from your house.
Learn how to make 1.5 - 3.5k a day from home.
Learn how to make 1.5 - 3.5k a day from your home.
http://cf.geocities.com/Angelo33_b637

See: http://wiki.apache.org/spamassassin/WritingRules

Gary V
Re: How to filter these spam messages
Gary V wrote:

> body GV_MAKE_K / how to (generate|make) 1\.5 - 3\.5k /
> score GV_MAKE_K 3.5
>
> uri GEOCITIES /^http:\/\/(..|www)\.geocities\.com\/+.+/i
> describe GEOCITIES Geocities URL
> score GEOCITIES 3.5

FWIW, if you process large quantities of mail, scoring on just the Geocities URI itself *will* cause a significant number of false positives even at scores as low as 2.0.

Not to tout my own horn, but I know of people scanning 2-3 million messages a day using my WebRedirect plugin to catch Geocities and similar spam with much success. If you can afford the HTTP queries against the free web host URIs you might want to consider using it instead.

Daryl
Re: How to filter these spam messages
> Gary V wrote:
>> uri GEOCITIES /^http:\/\/(..|www)\.geocities\.com\/+.+/i
>> describe GEOCITIES Geocities URL
>> score GEOCITIES 3.5
>
> FWIW, if you process large quantities of mail, scoring on just the Geocities URI itself *will* cause a significant number of false positives even at scores as low as 2.0.
>
> Not to tout my own horn, but I know of people scanning 2-3 million messages a day using my WebRedirect plugin to catch Geocities and similar spam with much success. If you can afford the HTTP queries against the free web host URIs you might want to consider using it instead.
>
> Daryl

SA does not process a lot of mail, so I can easily afford it. Thanks for the tip. I'll give it a try.

Gary V
Re: How to filter these spam messages
Michael Scheidell wrote:

>> Someone want to explain Greylisting?
>
> It delays any email for up to 45 mins.

Usually not that long.

In my experience a forced delay of 3 minutes and a grey period of 72 hours is enough to stop most spam.

Granted, it then depends on the sending server's retry times, but many servers retry again after about 10 minutes. Only a few servers wait as long as 45 minutes or more.

> Ok if you don't mind waiting a long time for email.

Also, you don't have to delay *all* mail. In the implementation I use a sending host will be whitelisted (from the greylist check) for 7 days after it has managed to get past it once (so that for 7 days no mail from that host will be subjected to the greylist). Also, we keep triplets white for 36 days.

We also massacre the sender address a bit so that for most mailing lists only the first mail to a recipient is delayed.

This means that the majority of mail we get are not delayed by the greylist.

The greylist together with two different automatic black-lists (one short-lived and one longer-lived) means less work for the system since a lot of spam is stopped without having to be checked with SpamAssassin.

/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
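The timers in the message above, put together as a greylist decision function. This is an added example, not the code from Jonas's filter: the class, the reason strings and the sample attempts are constructed, and reading the 72 hour grey period as the window in which a retry is still accepted is an assumption.

```python
from dataclasses import dataclass, field

MIN, HOUR, DAY = 60, 3600, 86400
FORCED_DELAY = 3 * MIN     # a retry sooner than this is still deferred
GREY_PERIOD = 72 * HOUR    # a retry later than this starts over (assumed reading)
HOST_WHITE = 7 * DAY       # host bypasses the greylist after one successful pass
TRIPLET_WHITE = 36 * DAY   # a passed triplet stays white this long

@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)    # triplet -> time of first attempt
    white: dict = field(default_factory=dict)   # triplet -> white until
    hosts: dict = field(default_factory=dict)   # client IP -> white until

    def check(self, ip, sender, rcpt, now):
        # Returns (SMTP reply code, reason) for one delivery attempt.
        triplet = (ip, sender.lower(), rcpt.lower())
        if self.hosts.get(ip, 0) > now:
            return 250, "host-white"
        if self.white.get(triplet, 0) > now:
            return 250, "triplet-white"
        first = self.grey.get(triplet)
        if first is None or now - first > GREY_PERIOD:
            self.grey[triplet] = now            # new or stale: temp-fail, remember it
            return 451, "grey-new"
        if now - first < FORCED_DELAY:
            return 451, "grey-too-soon"
        del self.grey[triplet]                  # sender queued and retried: let it in
        self.white[triplet] = now + TRIPLET_WHITE
        self.hosts[ip] = now + HOST_WHITE
        return 250, "passed-retry"

# Constructed attempts: (client IP, MAIL FROM, RCPT TO, seconds since start)
EVENTS = [
    ("192.0.2.10", "alice@example.org", "bob@example.net", 0),
    ("192.0.2.10", "alice@example.org", "bob@example.net", 1 * MIN),
    ("192.0.2.10", "alice@example.org", "bob@example.net", 10 * MIN),
    ("192.0.2.10", "carol@example.org", "bob@example.net", 11 * MIN),
    ("198.51.100.7", "promo@example.com", "bob@example.net", 12 * MIN),
    ("192.0.2.10", "dave@example.org", "bob@example.net", 8 * DAY),
    ("192.0.2.10", "alice@example.org", "bob@example.net", 8 * DAY),
]

def replay(events):
    # Run the attempts through a fresh greylist and return the reasons in order.
    greylist = Greylist()
    return [greylist.check(*event)[1] for event in events]
```

In the replay, the host whitelist has expired by day 8, so a new sender from the same host is greylisted again while the earlier triplet is still white.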
Re: How to filter these spam messages
R Lists06 wrote:

> A minute or two delay from greylisting matters that much

Greylisting usually delays a mail for more than two minutes (when it delays, a good implementation can exempt most mail from the delay after a while). Even if the greylist implementation only enforces a one minute delay, most servers will wait longer than that before retrying. 5-15 minutes seems to be pretty common ("seems" because I haven't collected any statistics).

Just had a thought... Haven't thought it through or checked any stats for it, so it may not be a good one.

The greylist code could do a reverse lookup and/or a DNS-list check on the sending host before deciding whether it should be subjected to the greylist or not. If it's in a dial-up-list, or the hostname fits a pattern for dial-up and dynamic addresses the host can be subjected to the greylist, and otherwise it could be exempted from it.

Most spam that is stopped by a greylist is sent from zombies, so I wouldn't be surprised if a greylist such as this could be pretty effective while minimizing the impact on legit mail.

(When I get the time I'll do some stats on this, and if it seems like a good idea I'll implement it in the code at http://whatever.frukt.org/mimedefangfilter.text.shtml)

Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
R: How to filter these spam messages
> We also massacre the sender address a bit so that for most
> mailing lists only the first mail to a recipient is delayed.

Which kind of algorithm do you use for address "massacring"?

giampaolo
Re: How to filter these spam messages
Jonas Eckerman wrote:

> R Lists06 wrote:
>> A minute or two delay from greylisting matters that much
>
> Greylisting usually delays a mail for more than two minutes (when it delays, a good implementation can exempt most mail from the delay after a while). Even if the greylist implementation only enforces a one minute delay, most servers will wait longer than that before retrying. 5-15 minutes seems to be pretty common ("seems" because I haven't collected any statistics).
>
> Just had a thought... Haven't thought it through or checked any stats for it, so it may not be a good one.
>
> The greylist code could do a reverse lookup and/or a DNS-list check on the sending host before deciding whether it should be subjected to the greylist or not. If it's in a dial-up-list, or the hostname fits a pattern for dial-up and dynamic addresses the host can be subjected to the greylist, and otherwise it could be exempted from it.

This is sometimes referred to as selective greylisting. See for example: http://www.tahina.priv.at/~cm/spam/
RE: How to filter these spam messages
> -Original Message-
> From: Jonas Eckerman [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 18, 2006 7:08 AM
> To: users@spamassassin.apache.org
> Subject: Re: How to filter these spam messages
>
>
> Michael Scheidell wrote:
>
> >> Someone want to explain Greylisting?
>
> > It delays any email for up to 45 mins.
>
> Usually not that long.
> In my experience a forced delay of 3 minutes and a grey
> period of 72 hours is enough to stop most spam.
>
> Granted, it then depends on the sending server's retry times,
> but many servers retry again after about 10 minutes. Only a
> few servers wait as long as 45 minutes or more.

I see this argument a lot. IMHO if you can't wait 30 minutes for an email, then you should be using a phone, fax, or a car to drive over and talk to the person. Absolute last resort, when all else fails, you could use instant message. Ewww!

But if you rely on email for time sensitive info you best rethink what you are doing :)

--Chris
Re: How to filter these spam messages
Chris Santerre wrote:

> But if you rely on email for time sensitive info you best rethink what you are doing :)

Regardless of your perspective, Chris, the fact is that most people have come to expect email to be as reliable and instantaneous as making a phone call. In one sense that's a tribute to the hard work of mail admins around the world, but it's also raised the expectation of most email users well beyond what was envisioned when RFC822 was written.

Peter
Re: How to filter these spam messages
Chris Santerre wrote:

> But if you rely on email for time sensitive info you best rethink what you are doing :)

Text messages don't provide authentication, validation nor archival. E-mail can provide both.

I agree that people should be more patient, but when e-mail works as well as it does - with all the benefits - I'm not surprised that they use it as they do.

I'd like to note for the record that we tried greylisting on a major ISP's e-mail system. It did work *very* well in stopping quick spam. However, when we had to abandon it due to complaints about mail delay, the amount of spam which reached the mailbox DID NOT CHANGE AT ALL.

In short, everything that greylisting stopped was also caught by spamassassin. Since the net effect of not using greylisting is 0, and the net effect of using greylisting is delayed mail ... you do the math.

--
Jo Rhett
Network/Software Engineer
Net Consonance
Re: How to filter these spam messages
Jo Rhett wrote:

> Chris Santerre wrote:
>> But if you rely on email for time sensitive info you best rethink what you are doing :)
>
> Text messages don't provide authentication, validation nor archival. E-mail can provide both.

Email does a lousy job at authentication (over the full path, not at the initial server; at the initial server, email and IM are the same).

IM can do archival. Most of the IM clients I've used have a facility for that.
Re: How to filter these spam messages
Chris Santerre wrote:

> I see this argument a lot. IMHO if you can't wait 30 minutes for an email, then you should be using a phone, fax, or a car to drive over and talk to the person.

I agree with that. My boss accepts it, though I'm not sure she agrees. Some of those above her have other views on the subject, as do some users.

> But if you rely on email for time sensitive info you best rethink what you are doing :)

Agreed. But it's not always easy to make people rethink...

Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
Re: R: How to filter these spam messages
Giampaolo Tomassoni wrote:

> Which kind of algorithm do you use for address "massacring"?

To see it in context, read the code at http://whatever.frukt.org/mimedefangfilter.text.shtml

The following sub routine is the main part of the mail address changing:

---8<---
sub greylist_strip_mail($$$) {
    # $a: address, $d: keep only the domain, $s: strip variable parts of the user
    my($a,$d,$s) = @_;
    $a = address_strip($a);
    my $au = $a;    # user part
    my $ad = $a;    # domain part
    $ad =~ s/.*@([EMAIL PROTECTED])$/$1/;
    $au =~ s/@[EMAIL PROTECTED]//;
    if ($d) {
        $au = "*";
    } elsif ($s) {
        # Drop a "+extension" from the user part
        $au =~ s/(.+)\+.*$/$1/;
        my $aut;
        my $autt = $au;
        # Replace each hex-looking token that contains a digit with "#",
        # one token per pass, until nothing changes
        do {
            $aut = $autt;
            $autt =~ s/^(|.*[^a-z0-9])[a-f0-9]*\d[a-f0-9]*(|[^a-z0-9].*)$/$1#$2/;
        } until ($autt eq $aut);
        # Only use the result if some letters or digits are left
        $au = $aut if ($aut =~ /[a-z0-9]/);
        #$au =~ s/[^-a-z0-9_.#]/?/g;
    }
    return greylist_strip($au."@".$ad);
}
---8<---

Below are two examples where parts of the sender address have been replaced before using in the greylist:

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
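A Python port of the user-part rewriting in the sub above, added here as an example and not taken from the filter itself, to show what the loop does to list-generated sender addresses. The trimming and lowercasing that stand in for address_strip(), the split at the last "@", the function names and the sample addresses are assumptions or constructed; the final greylist_strip() call is left out.

```python
import re

# A run of hex characters holding at least one digit, bounded by
# non-alphanumerics or the ends of the user part (pattern from the Perl loop).
TOKEN = re.compile(r"^(|.*[^a-z0-9])[a-f0-9]*[0-9][a-f0-9]*(|[^a-z0-9].*)$")

def greylist_sender_key(address, domain_only=False, strip=True):
    # Assumption: trimming and lowercasing stand in for address_strip().
    address = address.strip().strip("<>").lower()
    if "@" not in address:
        return address
    user, _, domain = address.rpartition("@")    # assumption: split at last "@"
    if domain_only:
        user = "*"
    elif strip:
        user = re.sub(r"(.+)\+.*$", r"\1", user, count=1)   # drop "+extension"
        previous, current = None, user
        while current != previous:               # one token per pass, until stable
            previous = current
            current = TOKEN.sub(r"\1#\2", current, count=1)
        if re.search(r"[a-z0-9]", current):      # keep it only if text is left
            user = current
    return user + "@" + domain

# Constructed sender addresses of the kind mailing lists generate.
SAMPLES = [
    "bounce-4f2a91c3-list@lists.example.org",    # per-message hex id
    "Bounce-77b0e2d1-list@lists.example.org",    # next message, same list
    "news+bob=example.net@example.com",          # recipient encoded after "+"
    "user123@example.com",                       # digits inside a word: kept
    "20061018.1234@example.com",                 # nothing but ids: kept as is
]

def sender_keys(addresses):
    # Greylist key for each address, in order.
    return [greylist_sender_key(a) for a in addresses]
```

The first two samples collapse to the same key, which is why only the first mail from such a list to a recipient is delayed.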