Re: New Spam Mails plz suggest
Thanks a lot all of you for your help. Please help with this how can i do this * smtp-auth mails do not scan for spam at all* can somebody please guide me for this. Warm Regards, Anshul Chauhan Dream is not what you see while sleep, it's the thing that does not let you sleep. 2009/6/9 LuKreme krem...@kreme.com On 8-Jun-2009, at 09:42, Matus UHLAR - fantomas wrote: On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info. On 08.06.09 16:52, Karsten Bräckelmann wrote: Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direkt-to-MX submission? Why should I have any? Because you are asserting something we know is not true. Your choices are 1) prove it 2) be dismissed. -- Boy, it sure would be nice if we had some grenades, don'tcha think?
Re: [sa] Re: New Spam Mails plz suggest
On 08.06.09 12:21, Karsten Bräckelmann wrote:
> By authenticated users? So that's no bot spam, and the user spams deliberately and consciously...

On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote:
> says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info.

On 08.06.09 16:52, Karsten Bräckelmann wrote:
> Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direct-to-MX submission?

On Mon, 8 Jun 2009, Matus UHLAR - fantomas wrote:
> Why should I have any? Any spamming client can get us to blacklist, so it's important that they would not spread spam...

On 08.06.09 12:12, Charles Gregory wrote:
> I believe his request for stats is a polite way of disagreeing with your statement that bots 'often' use Outlook SMTP Auth.
>
> Personally, I have always thought that bots avoided ISP mail servers in order to minimize detection and maximize the amount of time they can spew before being blocked/deleted. This is actually the premise that makes RBL checks for 'direct to MX' so successful.
>
> So your statement was quite surprising. Rather than just challenge its accuracy, we politely ask for more info. :)

OK, to be more accurate: times change, and maybe currently it's not that common to use outlook's (or whatever's) engine to send spam/viruses/etc comparing to direct delivery (not even to MX, but also NS etc, remember?)

However since there are always cases a malware sends through outgoing relays (Should I search out ticketing system for those?) I think it's still not good to skip scanning of authenticated/outgoing e-mail.

Since each one can cause blacklisting, it's worth blocking, although it should be taken carefully (I've seen a report where outgoing mail was refused because it hit score of 7...)

And, since there are reputation services on the net, and outgoing mailservers are expected to have better reputation than customers' end IPs, the situation may change once again...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.
Re: New Spam Mails plz suggest
On 09.06.09 12:09, Anshul Chauhan wrote:
> Thanks a lot all of you for your help.
>
> Please help with this how can i do this *smtp-auth mails do not scan for spam at all* can somebody please guide me for this.

OK, I'll ask again: Do you have problems with scanning authenticated outgoing mail?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.
Re: New Spam Mails plz suggest
no i don't have any problem but because of authenticated outgoing as well as mail within my domain server is busy all the time with mails in queue so i just want to disable it for my users in my local network only.

I've specified as *trusted_networks 10.* for all my networks by this it is scanning mails marking them as non spam which i don't want.

Warm Regards,
Anshul Chauhan

Dream is not what you see while sleep, it's the thing that does not let you sleep.

On Tue, Jun 9, 2009 at 1:02 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 09.06.09 12:09, Anshul Chauhan wrote:
> > Thanks a lot all of you for your help.
> >
> > Please help with this how can i do this *smtp-auth mails do not scan for spam at all* can somebody please guide me for this.
>
> OK, I'll ask again: Do you have problems with scanning authenticated outgoing mail?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I feel like I'm diagonally parked in a parallel universe.
Re: New Spam Mails plz suggest
On 09.06.09 12:09, Anshul Chauhan wrote:
> Thanks a lot all of you for your help.
>
> Please help with this how can i do this *smtp-auth mails do not scan for spam at all* can somebody please guide me for this.

On Tue, Jun 9, 2009 at 1:02 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> OK, I'll ask again: Do you have problems with scanning authenticated outgoing mail?

On 09.06.09 13:10, Anshul Chauhan wrote:
> no i dont have any problem but because of authenticated outgoing as well as mail within my domain server is busy all the time with mails in queue so i just want to disable it for my users in my local network only.
>
> I've specified as *trusted_networks 10.* for all my networks by this it is scanning mails marking them as non spam which i don't want.

trusted_networks? configuring spamassassin won't help you if you want to skip spamassassin. Maybe if you created rule that catches mail authenticated on your server and shortcircuited it.

I better advise using separate port for mail submission (we use 587, optional TLS, and 465, implicit SSL) where mail sent through that port(s) would not be passed to spamassassin.

However be careful if any customer will start spamming through your mailserver...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
Re: New Spam Mails plz suggest
On Tue, June 9, 2009 09:40, Anshul Chauhan wrote:
> *trusted_networks 10.* for all my networks by this it is scanning mails marking them as non spam which i don't want.

you ask for advice on how to get spamassassin malfunction ?

see reports from spamassassin and remove the spam, is imho much better than try to let your server have spamming users

turn off html mails in gmail, when you post to ml

--
http://localhost/ 100% uptime and 100% mirrored :)
Re: [sa] Re: New Spam Mails plz suggest
On Tue, 9 Jun 2009, Matus UHLAR - fantomas wrote:
> > I believe his request for stats is a polite way of disagreeing with your statement that bots 'often' use Outlook SMTP Auth.
>
> OK, to be more accurate: times change, and maybe currently it's not that common to use outlook's (or whatever's) engine to send spam/viruses/etc

Please stay in context. We're talking about how to weigh SMTP auth in *spamassassin*, which implies it is only the spam and not 'viruses/etc' that are being discussed. Perhaps botnets spread their viral component via a sender's MX to try and gain 'trust' for that all-important infection process, but that is low volume and does not look like spam.

> However since there are always cases a malware sends through outgoing relays (Should I search out ticketing system for those?) I think it's still not good to skip scanning of authenticated/outgoing e-mail.

If you're talking anti-virus scanning, you are quite correct. If you are talking anti-spam scanning, and in particular about spam sent from botnets, then at *best* the arguments are highly specific to a given system. At worst, as a generality, I would say 'infrequently', not 'often'. You know, YMMV stuff. :)

> And, since there are reputation services on the net, and outgoing mailservers are expected to have better reputation than customers' end IPs, the situation may change once again...

Blah. Don't get me going on the whole 'reputation' thing. Still annoys me that Yahell 4xx's mail from our lists because of 'too many recipients'. Well, duh, it's a list. (shake head). I suppose it's better than 5xx... :)

-Charles
Re: [sa] Re: New Spam Mails plz suggest
> On Tue, 9 Jun 2009, Matus UHLAR - fantomas wrote:
> > > I believe his request for stats is a polite way of disagreeing with your statement that bots 'often' use Outlook SMTP Auth.
> >
> > OK, to be more accurate: times change, and maybe currently it's not that common to use outlook's (or whatever's) engine to send spam/viruses/etc

On 09.06.09 10:10, Charles Gregory wrote:
> Please stay in context.

That was just what I have tried.

> We're talking about how to weigh SMTP auth in *spamassassin*, which implies it is only the spam and not 'viruses/etc' that are being discussed. Perhaps botnets spread their viral component via a sender's MX to try and gain 'trust' for that all-important infection process, but that is low volume and does not look like spam.

There was also recommendation not to scan outgoing, authenticated e-mail by SA, which I objected against.

> > However since there are always cases a malware sends through outgoing relays (Should I search out ticketing system for those?) I think it's still not good to skip scanning of authenticated/outgoing e-mail.
>
> If you're talking anti-virus scanning, you are quite correct. If you are talking anti-spam scanning, and in particular about spam sent from botnets, then at *best* the arguments are highly specific to a given system. At worst, as a generality, I would say 'infrequently', not 'often'. You know, YMMV stuff. :)

I'm sure once that was often and I guess there's still some malware spreading spam this way. Well, just today I have found customer spamming through our SMTP servers...

> > And, since there are reputation services on the net, and outgoing mailservers are expected to have better reputation than customers' end IPs, the situation may change once again...
>
> Blah. Don't get me going on the whole 'reputation' thing. Still annoys me that Yahell 4xx's mail from our lists because of 'too many recipients'. Well, duh, it's a list. (shake head). I suppose it's better than 5xx... :)

does not matter if we agree with the reputation system, there are still people and blacklist who refuse mail from an IP if they receive more than X spams and less than Y hams within Z seconds etc. sending spam via gmail servers is more effective than from e.g. Malaysian dialup, since people usually object against blacklisting google/gmail, while they don't against .my dialups...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
Re: New Spam Mails plz suggest
can i do this in sendmail SMTP auth session without RBL rest with RBL.

can you plz give me some hint for both the solutions of SMTP auth without RBL not scanning mails with spamassassin with SMTP auth

Warm Regards,
Anshul Chauhan

Dream is not what you see while sleep, it's the thing that does not let you sleep.

On Mon, Jun 8, 2009 at 11:05 AM, ram r...@netcore.co.in wrote:
> On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> > Below is the link for one of the spam mail in which to from address is same. http://pastebin.com/f20358d76
> >
> > I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
>
> You can still use RBL's. Allow users with SMTP auth only without rbl checks rest you check rbls and reject if listed.
>
> I think you use postfix you could do something like this
>
>     smtpd_recipient_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, . ..(other rules )
>
> And for the smtp-auth mails do not scan for spam at all. Not only will you avoid FP's .. you will also save a lot of processing on your server
>
> Thanks
> Ram
>
> PS: Why are you hiding the spammail in the pastebin. The contents of spam mail are usually not very important
Re: New Spam Mails plz suggest
On Mon, June 8, 2009 08:41, Anshul Chauhan wrote: can i do this in sendmail SMTP auth session without RBL rest with RBL. http://www.sendmail.org/~ca/email/auth.html -- http://localhost/ 100% uptime and 100% mirrored :)
Re: New Spam Mails plz suggest
On 7-Jun-2009, at 22:44, Anshul Chauhan wrote: Below is the link for one of the spam mail in which to from address is same. http://pastebin.com/f20358d76 I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP. And why does this mean you can't use RBLs? Use RBLs in your SMTP transaction phase to reject unauthorized/ unauthenticated senders. -- The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments.
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.

As has been suggested by various others, just do not scan outgoing mail from authenticated users.

> These are the RBL settings which I've used earlier but bcoz of these my genuine mails send from datacards are also spammed, can i use this but my datacard users mail not marked as SPAM
>
>     score RCVD_IN_PBL 3
>     score RCVD_IN_XBL 5
>     score RDNS_NONE 5
>     score RCVD_IN_SORBS_DUL 3
>     score SPF_FAIL 10
>     score SPF_SOFTFAIL 5
>     score SPF_NEUTRAL 2
>     score RDNS_DYNAMIC 3

These are all *severely* and arbitrarily raised by you. So you adjust scores inappropriately, and get false positives due to that. And your conclusion is, you can't use RBLs at all? Yeah, right...

Your scores, your problem. Instead, try the defaults and enable RBL checks again.

Hint: From and To being the same is valid, seen in real legit mail and not the solution to your problem.
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote: I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP. On 08.06.09 11:56, Karsten Bräckelmann wrote: As has been suggested by various others, just do not scan outgoing mail from authenticated users. Actually, such mail _should_ be scanned, for cases when they start spreading spam. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Windows found: (R)emove, (E)rase, (D)elete
Re: New Spam Mails plz suggest
On Mon, June 8, 2009 11:56, Karsten Bräckelmann wrote: On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote: I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP. As has been suggested by various others, just do not scan outgoing mail from authenticated users. at the risk one user sends spam from mta ip, this is desired to be blocked outside as well, and clearly all your users will be even more happy with this then scan outgoing mails for spam aswell, it also helps learning ham in bayes just my 2 -- http://localhost/ 100% uptime and 100% mirrored :)
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 11:59 +0200, Matus UHLAR - fantomas wrote:
> > On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> > > I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
>
> On 08.06.09 11:56, Karsten Bräckelmann wrote:
> > As has been suggested by various others, just do not scan outgoing mail from authenticated users.
>
> Actually, such mail _should_ be scanned, for cases when they start spreading spam.

By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... In that case I'd prefer a sucker rod [1] over scanning messages anytime.

Anyway, IMHO -- you can not scan outgoing mail sent by authenticated users submitted directly from dial-up lines. They are almost guaranteed to be listed by PBL and DUL style lists.

[1] From the syslogd manpage: Use step 4 and if the problem persists and is not secondary to a rogue program/daemon get a 3.5 ft (approx. 1 meter) length of sucker rod* and have a chat with the user in question.
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> I can't use RBL because most of my users use datacards their ip
> addresses are listed in RBL in SBL XBL SPAMCOP.
                                 ^^^

Just noticed this -- I kind of hope this is just a typo. SBL listing of your users would be bad indeed. After all, it lists verified IPs where the spammers actually live on. No dial-up style or something.
Re: New Spam Mails plz suggest
Below is mail headers for one more mail http://pastebin.com/d3da8daa6

I'm new to SA so please suggest/give some hint for how to use RBL for non smtp authenticated session for smtp authenticated mails not spam scanning.

Warm Regards,
Anshul Chauhan

Dream is not what you see while sleep, it's the thing that does not let you sleep.

On Mon, Jun 8, 2009 at 11:05 AM, ram r...@netcore.co.in wrote:
> On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> > Below is the link for one of the spam mail in which to from address is same. http://pastebin.com/f20358d76
> >
> > I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
>
> You can still use RBL's. Allow users with SMTP auth only without rbl checks rest you check rbls and reject if listed.
>
> I think you use postfix you could do something like this
>
>     smtpd_recipient_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, . ..(other rules )
>
> And for the smtp-auth mails do not scan for spam at all. Not only will you avoid FP's .. you will also save a lot of processing on your server
>
> Thanks
> Ram
>
> PS: Why are you hiding the spammail in the pastebin. The contents of spam mail are usually not very important
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 17:05 +0530, Anshul Chauhan wrote:
> I'm new to SA so please suggest/give some hint for how to use RBL for non smtp authenticated session for smtp authenticated mails not spam scanning.

Not scanning outbound messages from your users is entirely the duty of your SMTP and outside the scope of SA. It all depends on your SMTP server, configuration and how you integrate SA.
Re: New Spam Mails plz suggest
> On Mon, 2009-06-08 at 11:59 +0200, Matus UHLAR - fantomas wrote:
> > > On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> > > > I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.
> >
> > On 08.06.09 11:56, Karsten Bräckelmann wrote:
> > > As has been suggested by various others, just do not scan outgoing mail from authenticated users.
> >
> > Actually, such mail _should_ be scanned, for cases when they start spreading spam.

On 08.06.09 12:21, Karsten Bräckelmann wrote:
> By authenticated users? So that's no bot spam, and the user spams deliberately and consciously...

says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info.

Not even talking about customers' mail proxies that accept mail from intranet w/o authentication (although we recommend users not to do that) and submit them with authentication to ISP's relays.

Both are especially nice if any other machine on customers' intranet is owned by a bot or even an open relay.

> Anyway, IMHO -- you can not scan outgoing mail sent by authenticated users submitted directly from dial-up lines. They are almost guaranteed to be listed by PBL and DUL style lists.

I think that SA skips RBL checks for authenticated clients, which should avoid this problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: Let God Debug It!.
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote:
> On 08.06.09 12:21, Karsten Bräckelmann wrote:
> > By authenticated users? So that's no bot spam, and the user spams deliberately and consciously...
>
> says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info.

Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direct-to-MX submission?
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info. On 08.06.09 16:52, Karsten Bräckelmann wrote: Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direkt-to-MX submission? Why should I have any? Any spamming client can get us to blacklist, so it's important that they would not spread spam... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. A day without sunshine is like, night.
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 17:42 +0200, Matus UHLAR - fantomas wrote:
> On 08.06.09 16:52, Karsten Bräckelmann wrote:
> > Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direct-to-MX submission?
>
> Why should I have any? Any spamming client can get us to blacklist, so it's important that they would not spread spam...

Oh, I thought you could back up your claim... Never mind.
Re: [sa] Re: New Spam Mails plz suggest
On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info. On 08.06.09 16:52, Karsten Bräckelmann wrote: Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direkt-to-MX submission? On Mon, 8 Jun 2009, Matus UHLAR - fantomas wrote: Why should I have any? Any spamming client can get us to blacklist, so it's important that they would not spread spam... I believe his request for stats is a polite way of disagreeing with your statement that bots 'often' use Outlook SMTP Auth. Personally, I have always thought that bots avoided ISP mail servers in order to minimize detection and maximize the amount of time they can spew before being blocked/deleted. This is actually the premise that makes RBl checks for 'direct to MX' so successful. So your statement was quite surprising. Rather than just challenge its accuracy, we politely ask for more info. :) - Charles
Re: New Spam Mails plz suggest
On 8-Jun-2009, at 09:42, Matus UHLAR - fantomas wrote: On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for those to be distributed with authentication info. On 08.06.09 16:52, Karsten Bräckelmann wrote: Got any stats about a non-negligible amount of bot spam authenticating with the real user's SMTP, instead of direkt-to-MX submission? Why should I have any? Because you are asserting something we know is not true. Your choices are 1) prove it 2) be dismissed. -- Boy, it sure would be nice if we had some grenades, don'tcha think?
Re: New Spam Mails plz suggest
Below is the link for one of the spam mail in which to from address is same. http://pastebin.com/f20358d76

I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.

These are the RBL settings which I've used earlier but bcoz of these my genuine mails send from datacards are also spammed, can i use this but my datacard users mail not marked as SPAM

    score RCVD_IN_PBL 3
    score RCVD_IN_XBL 5
    score RDNS_NONE 5
    score RCVD_IN_SORBS_DUL 3
    score SPF_FAIL 10
    score SPF_SOFTFAIL 5
    score SPF_NEUTRAL 2
    score RDNS_DYNAMIC 3

My mailserver is not accepting relay with an account from my domain without auth. All the users are authenticated first then only they can send the mails. i use SASL authentication on my server.

Warm Regards,
Anshul Chauhan

Dream is not what you see while sleep, it's the thing that does not let you sleep.

On Sat, Jun 6, 2009 at 4:04 PM, ram r...@netcore.co.in wrote:
> On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote:
> > I'm getting a lot of mails daily in which to from addresses are same spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf CentOS4.7 with sendmail. I've increased the score to 4 frm default 5 but stills its not catching them. How can i make spamassassin catch these mails.
>
> Please post a sample ( full mail source including headers) on some pastebin and post the link here
Re: New Spam Mails plz suggest
On Mon, 2009-06-08 at 10:14 +0530, Anshul Chauhan wrote:
> Below is the link for one of the spam mail in which to from address is same. http://pastebin.com/f20358d76
>
> I can't use RBL because most of my users use datacards their ip addresses are listed in RBL in SBL XBL SPAMCOP.

You can still use RBL's. Allow users with SMTP auth only without rbl checks rest you check rbls and reject if listed.

I think you use postfix you could do something like this

    smtpd_recipient_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, . ..(other rules )

And for the smtp-auth mails do not scan for spam at all. Not only will you avoid FP's .. you will also save a lot of processing on your server

Thanks
Ram

PS: Why are you hiding the spammail in the pastebin. The contents of spam mail are usually not very important
New Spam Mails plz suggest
I'm getting a lot of mails daily in which to from addresses are same spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf CentOS4.7 with sendmail. I've increased the score to 4 frm default 5 but stills its not catching them. How can i make spamassassin catch these mails.

--
View this message in context: http://www.nabble.com/New-Spam-Mails-plz-suggest-tp23900308p23900308.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: New Spam Mails plz suggest
On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote: I'm getting a lot of mails daily in which to from addresses are same spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf CentOS4.7 with sendmail.I've increased the score to 4 frm default 5 but stills its not catching them. How can i make spamassassin catch these mails. Please post a sample ( full mail source including headers) on some pastebin and post the link here
Re: New Spam Mails plz suggest
Below is the mail header for one of the mail in which to from id is same

    From u...@mydomain.com Sat Jun 6 12:41:57 2009
    Return-Path: u...@mydomain.com
    X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mailserver1.mydomain.com
    X-Spam-Level:
    X-Spam-Status: No, score=4.4 required=5.0 tests=HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_DYNAMIC shortcircuit=no autolearn=no version=3.2.5
    Received: from ABTS-KK-dynamic-136.34.172.122.airtelbroadband.in (ABTS-KK-dynamic-026.159.172.122.airtelbroadband.in [122.172.159.26] (may be forged)) by mailserver1.mydomain.com (8.13.1/8.13.1) with ESMTP id n567Ban7019772 for u...@mydomain.com; Sat, 6 Jun 2009 12:41:42 +0530
    Date: Sat, 6 Jun 2009 12:41:42 +0530
    Message-ID: 618687839783948.slilovsyitpo...@abts-kk-dynamic-136.34.172.122.airtelbroadband.in
    From: Lauran u...@mydomain.com
    To: u...@mydomain.com
    Subject: Video Bush's accident
    MIME-Version: 1.0
    Content-Type: text/html; charset=ISO-8859-1
    Content-Transfer-Encoding: 7bit
    X-Virus-Scanned: ClamAV 0.94.2/9433/Sat Jun 6 02:49:42 2009 on mailserver1.mydomain.com
    X-Virus-Status: Clean
    X-Logged: Logged by mailserver1.mydomain.com as n567Ban7019772 at Sat Jun 6 12:41:42 2009

Warm Regards,
Anshul Chauhan

Dream is not what you see while sleep, it's the thing that does not let you sleep.

On Sat, Jun 6, 2009 at 4:04 PM, ram r...@netcore.co.in wrote:
> On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote:
> > I'm getting a lot of mails daily in which to from addresses are same spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf CentOS4.7 with sendmail. I've increased the score to 4 frm default 5 but stills its not catching them. How can i make spamassassin catch these mails.
>
> Please post a sample ( full mail source including headers) on some pastebin and post the link here
Re: New Spam Mails plz suggest
Anshul Chauhan wrote:
> Below is the mail header for one of the mail in which to from id is same
>
>     From u...@mydomain.com Sat Jun 6 12:41:57 2009
>     Return-Path: u...@mydomain.com
>     X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mailserver1.mydomain.com
>     X-Spam-Level:
>     X-Spam-Status: No, score=4.4 required=5.0 tests=HTML_FONT_SIZE_HUGE,HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_DYNAMIC shortcircuit=no autolearn=no version=3.2.5
>     Received: from ABTS-KK-dynamic-136.34.172.122.airtelbroadband.in (ABTS-KK-dynamic-026.159.172.122.airtelbroadband.in [122.172.159.26] (may be forged)) by mailserver1.mydomain.com (8.13.1/8.13.1) with ESMTP id n567Ban7019772 for u...@mydomain.com; Sat, 6 Jun 2009 12:41:42 +0530
>     Date: Sat, 6 Jun 2009 12:41:42 +0530
>     Message-ID: 618687839783948.slilovsyitpo...@abts-kk-dynamic-136.34.172.122.airtelbroadband.in
>     From: Lauran u...@mydomain.com
>     To: u...@mydomain.com
>     Subject: Video Bush's accident
>     MIME-Version: 1.0
>     Content-Type: text/html; charset=ISO-8859-1
>     Content-Transfer-Encoding: 7bit
>     X-Virus-Scanned: ClamAV 0.94.2/9433/Sat Jun 6 02:49:42 2009 on mailserver1.mydomain.com
>     X-Virus-Status: Clean
>     X-Logged: Logged by mailserver1.mydomain.com as n567Ban7019772 at Sat Jun 6 12:41:42 2009
>
> Warm Regards,
> Anshul Chauhan
>
> Dream is not what you see while sleep, it's the thing that does not let you sleep.
>
> On Sat, Jun 6, 2009 at 4:04 PM, ram r...@netcore.co.in wrote:
> > On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote:
> > > I'm getting a lot of mails daily in which to from addresses are same spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf CentOS4.7 with sendmail. I've increased the score to 4 frm default 5 but stills its not catching them. How can i make spamassassin catch these mails.
> >
> > Please post a sample ( full mail source including headers) on some pastebin and post the link here

looks like your mailserver accepting relay with an account from your domain without auth. why?

after all its easy to reject mail from *dynamic* reverse ipaddr and i am nearly sure that you will find the ip in several rbls as well

you might filter with clam and sanesecurity and use greylisting etc that all can be done before passing mail to spamassassin

the score is near to mark, so i would say give a little more priors to RDNS_DYNAMIC or and use more rules, looks like image spam, fuzzy ocr may help etc, but as i said there is a lot you should and can do before accepting such mails on smtp income level

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
Re: New Spam Mails plz suggest
> Below is the mail header for one of the mail in which to from id id same
>
>     From u...@mydomain.com Sat Jun 6 12:41:57 2009
>     Return-Path: u...@mydomain.com

mydomain.com really exists, and it is not advisable to mask one's real domain behind it. Use example.com, that is what it is for.
Re: New Spam Mails plz suggest
On Sat, June 6, 2009 11:55, chauhananshul wrote:
> How can i make spamassassin catch these mails.

you can do this better in your mta

2 ways to solve it:

1 use postfwd with a rule that check sender equal to recipient
2 add spf to your domain, and test spf in your mta
3 take a ice :)

--
http://localhost/ 100% uptime and 100% mirrored :)
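Added example, not part of the thread or of any poster's setup: a header check for the case the replies describe, a message that claims a sender in the local domain (here even From equal to To) but was accepted from an outside relay without SMTP AUTH, as opposed to an authenticated submission. The domain, MTA hostname and sample messages are constructed, and the script assumes the receiving MTA notes authentication in its own Received header, as sendmail does with "(authenticated bits=N)".

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions for this example (not values taken from the thread):
LOCAL_DOMAINS = {"example.com"}        # domains this server hosts
OUR_MTA = "mailserver1.example.com"    # name our MTA writes after "by"

# sendmail writes "(authenticated bits=N)"; Postfix writes
# "(Authenticated sender: ...)" when smtpd_sasl_authenticated_header is on.
AUTH_MARK = re.compile(r"\(authenticated\b", re.IGNORECASE)
BY_US = re.compile(r"\bby\s+" + re.escape(OUR_MTA) + r"(?![\w.-])", re.IGNORECASE)
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def our_received(msg):
    """Return the topmost Received header written by our MTA (unfolded).

    Each hop prepends its header, so the first match from the top is the
    one we recorded; anything below it was supplied by the sending side.
    """
    for raw in msg.get_all("Received", []):
        hop = " ".join(str(raw).split())
        if BY_US.search(hop):
            return hop
    return None


def classify(raw_message):
    """Classify one message by how it reached us and who it claims to be from."""
    msg = message_from_string(raw_message)
    hop = our_received(msg)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    authenticated = bool(hop and AUTH_MARK.search(hop))
    ip = RELAY_IP.search(hop) if hop else None
    if hop is None:
        verdict = "unknown"                        # no hop of ours to judge by
    elif authenticated:
        verdict = "authenticated-submission"       # the users RBLs must not hit
    elif sender.rpartition("@")[2] in LOCAL_DOMAINS:
        verdict = "unauthenticated-local-sender"   # the spam in the thread
    else:
        verdict = "inbound"
    return {
        "authenticated": authenticated,
        "relay_ip": ip.group(1) if ip else None,
        "self_addressed": sender in rcpts,
        "verdict": verdict,
    }


# Constructed sample modelled on the header posted in the thread.
SAMPLE_UNAUTH = """\
Return-Path: <user@example.com>
Received: from host-26.dynamic.example.net (host-26.dynamic.example.net
    [192.0.2.26] (may be forged)) by mailserver1.example.com (8.13.1/8.13.1)
    with ESMTP id CONSTRUCTED1 for <user@example.com>;
    Sat, 6 Jun 2009 12:41:42 +0530
From: Lauran <user@example.com>
To: user@example.com
Subject: constructed sample 1

body
"""

# Constructed sample: a datacard user submitting with SMTP AUTH.
SAMPLE_AUTH = """\
Received: from laptop (host-7.dynamic.example.net [192.0.2.7])
    (authenticated bits=0)
    by mailserver1.example.com (8.13.1/8.13.1) with ESMTP id CONSTRUCTED2;
    Sat, 6 Jun 2009 13:00:00 +0530
From: User <user@example.com>
To: friend@example.org
Subject: constructed sample 2

body
"""

# Constructed sample: the sender pre-inserted a fake "authenticated" hop.
SAMPLE_FORGED_HOP = """\
Received: from host-9.dynamic.example.net (host-9.dynamic.example.net
    [192.0.2.9]) by mailserver1.example.com (8.13.1/8.13.1)
    with ESMTP id CONSTRUCTED3; Sat, 6 Jun 2009 13:05:00 +0530
Received: from laptop (localhost [127.0.0.1]) (authenticated bits=0)
    by mailserver1.example.com (8.13.1/8.13.1) with ESMTP id FORGED;
    Sat, 6 Jun 2009 13:04:00 +0530
From: user@example.com
To: user@example.com
Subject: constructed sample 3

body
"""

if __name__ == "__main__":
    for name in ("SAMPLE_UNAUTH", "SAMPLE_AUTH", "SAMPLE_FORGED_HOP"):
        print(name, classify(globals()[name]))
```

Only the hop recorded by the local MTA is consulted, so an "authenticated" marker planted in a lower Received header does not change the verdict.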