Re: Oh ohh. grey listing starting to fail
SM wrote:
> At 10:06 24-04-2008, Johnson, S wrote:
>> Thanks for the input. I'm using: Postfix (I drop a ton of connections before the mail is even allowed in to my filters) - 6 RBLs - malformed email tests Spamassassin mimedefang razor2 dcc pyzor bayes lists Mailscanner
>
> If you have Mailscanner, you don't need to call SpamAssassin separately.

I believe he's calling SpamAssassin during the SMTP session, using mimedefang (a milter). Mailscanner doesn't let you do that (at least, not the last time I used it; it didn't have milter bindings).

Re: Oh ohh. grey listing starting to fail
At 08:03 25-04-2008, John Rudd wrote:
> I believe he's calling SpamAssassin during the SMTP session, using mimedefang (a milter). Mailscanner doesn't let you do that (at least, not the last time I used it; it didn't have milter bindings).

He's using Mailscanner as well. That package includes SpamAssassin. Each message will be scanned twice if he also has Mimedefang.

Regards,
-sm

Re: Oh ohh. grey listing starting to fail
SM wrote:
> At 08:03 25-04-2008, John Rudd wrote:
>> I believe he's calling SpamAssassin during the SMTP session, using mimedefang (a milter). Mailscanner doesn't let you do that (at least, not the last time I used it; it didn't have milter bindings).
>
> He's using Mailscanner as well. That package includes SpamAssassin. Each message will be scanned twice if he also has Mimedefang.

Not if he turns off SA in Mailscanner.

Personally, when I was using both, I did it the other way around (Anti-virus in Mimedefang, to reject viruses up front; and then SA in mailscanner, since we tag & deliver all spam). But after a while I moved everything to mimedefang.

Re: Oh ohh. grey listing starting to fail
From: Johnson, S [EMAIL PROTECTED]
Date: Thu, 24 Apr 2008 09:27:33 -0500
To: users@spamassassin.apache.org
Conversation: Oh ohh. grey listing starting to fail
Subject: Oh ohh. grey listing starting to fail

> After months of doing a great job, I started to get spam back into my system again.
>
> Apr 23 16:26:06 mail sqlgrey: grey: new: 82.67.64.191(82.67.64.191), [EMAIL PROTECTED] - [EMAIL PROTECTED]
> Apr 23 16:26:06 mail postfix/smtpd[23130]: NOQUEUE: reject: RCPT from mut38-1-82-67-64-191.fbx.proxad.net[82.67.64.191]: 450 4.7.1 [EMAIL PROTECTED]: Sender address rejected: Greylisted for 5 minutes; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=SMTP helo=wzbkw.proxad.net
>
> It sucks that they are now starting to re-queue their stupid spam; why don't they GET A CLUE that we don't want their [EMAIL PROTECTED]
>
> Anyone have an idea on how I can help shore this up?

Greylisting only works for 'zombies'. Real MTA's will requeue.
(are you saying this is a zombie? On pbl.spamhaus.org ?

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_________________________________________________________________________

Re: Oh ohh. grey listing starting to fail
On Thu, April 24, 2008 16:27, Johnson, S wrote:
> It sucks that they are now starting to re-queue their stupid spam; why don't they GET A CLUE that we don't want their [EMAIL PROTECTED]

why not block the ip ?

or:
1: accept if spf is pass
2: accept if dkim signed
else reject

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098

RE: Oh ohh. grey listing starting to fail
I'm not sure if it's a zombie or not. I've received 3 spam from this place within 2 days. If I've received the spam, I know my users have received it even more as that was the pattern in the past. It's not listed on any of the RBLs yet.

From: Michael Scheidell [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 24, 2008 10:12 AM
To: Johnson, S; users@spamassassin.apache.org
Subject: Re: Oh ohh. grey listing starting to fail

From: Johnson, S [EMAIL PROTECTED]
Date: Thu, 24 Apr 2008 09:27:33 -0500
To: users@spamassassin.apache.org
Conversation: Oh ohh. grey listing starting to fail
Subject: Oh ohh. grey listing starting to fail

> After months of doing a great job, I started to get spam back into my system again.
>
> Apr 23 16:26:06 mail sqlgrey: grey: new: 82.67.64.191(82.67.64.191), [EMAIL PROTECTED] - [EMAIL PROTECTED]
> Apr 23 16:26:06 mail postfix/smtpd[23130]: NOQUEUE: reject: RCPT from mut38-1-82-67-64-191.fbx.proxad.net[82.67.64.191]: 450 4.7.1 [EMAIL PROTECTED]: Sender address rejected: Greylisted for 5 minutes; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=SMTP helo=wzbkw.proxad.net
>
> It sucks that they are now starting to re-queue their stupid spam; why don't they GET A CLUE that we don't want their [EMAIL PROTECTED]
>
> Anyone have an idea on how I can help shore this up?

Greylisting only works for 'zombies'. Real MTA's will requeue.
(are you saying this is a zombie? On pbl.spamhaus.org ?

This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see www.spammertrap.com

--
This message has been scanned for viruses and dangerous content by MailScanner http://www.mailscanner.info/ , and is believed to be clean.

Re: Oh ohh. grey listing starting to fail
At 07:27 24-04-2008, Johnson, S wrote:
> After months of doing a great job, I started to get spam back into my system again.
>
> Apr 23 16:26:06 mail sqlgrey: grey: new: 82.67.64.191(82.67.64.191), [EMAIL PROTECTED] - [EMAIL PROTECTED]
> Apr 23 16:26:06 mail postfix/smtpd[23130]: NOQUEUE: reject: RCPT from mut38-1-82-67-64-191.fbx.proxad.net[82.67.64.191]: 450 4.7.1 [EMAIL PROTECTED]: Sender address rejected: Greylisted for 5 minutes; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=SMTP helo=wzbkw.proxad.net
>
> (waited exactly 5 minutes to retry connection)
>
> Apr 23 16:31:10 mail sqlgrey: grey: reconnect ok: 82.67.64.191(82.67.64.191), [EMAIL PROTECTED] - [EMAIL PROTECTED] (00:05:04)

It's trivial for malware engines to retry. There isn't any queueing, as a standard MTA does, being done. This has been happening since some time.

Greylisting only fails if you rely on it to stop spam.

Regards,
-sm

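An added example, not part of any post in this thread: a small log check for the pattern discussed above, where a client reconnects almost exactly when the announced greylist delay expires. It assumes sqlgrey "reconnect ok" lines end with the elapsed time in parentheses, as in the quoted log; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from datetime import timedelta

# Constructed sample lines modelled on the sqlgrey lines quoted in the thread.
# Documentation-range IPs and example.* domains; not real data.
SAMPLE_LOG = """\
Apr 23 16:26:06 mail sqlgrey: grey: new: 192.0.2.10(192.0.2.10), a@example.net -> u1@example.org
Apr 23 16:31:10 mail sqlgrey: grey: reconnect ok: 192.0.2.10(192.0.2.10), a@example.net -> u1@example.org (00:05:04)
Apr 23 16:40:00 mail sqlgrey: grey: new: 198.51.100.7(198.51.100.7), b@example.com -> u2@example.org
Apr 23 17:12:41 mail sqlgrey: grey: reconnect ok: 198.51.100.7(198.51.100.7), b@example.com -> u2@example.org (00:32:41)
Apr 23 17:20:00 mail sqlgrey: grey: new: 203.0.113.5(203.0.113.5), c@example.net -> u3@example.org
"""

# Only "reconnect ok" lines carry the elapsed time; the sender/recipient
# separator is not relied on, so " - " or " -> " both parse.
RECONNECT = re.compile(
    r"sqlgrey: grey: reconnect ok: (?P<ip>[0-9a-fA-F.:]+)\(.*?\), "
    r"(?P<pair>.*?) \((?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)\)\s*$"
)

def reconnect_delays(log_text):
    """Return [(ip, timedelta)] for every 'reconnect ok' line, in log order."""
    out = []
    for line in log_text.splitlines():
        m = RECONNECT.search(line)
        if m:
            delay = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                              seconds=int(m["s"]))
            out.append((m["ip"], delay))
    return out

def timed_retries(log_text, window=timedelta(minutes=5),
                  slack=timedelta(seconds=30)):
    """IPs whose retry landed within `slack` after the greylist window ended.

    A legitimate MTA can also retry this quickly, so use the result as one
    input to scoring or DNSBL re-checks, not as a block list on its own.
    """
    return sorted({ip for ip, d in reconnect_delays(log_text)
                   if window <= d <= window + slack})

if __name__ == "__main__":
    for ip, d in reconnect_delays(SAMPLE_LOG):
        print(ip, d)
    print("timed retries:", timed_retries(SAMPLE_LOG))
```

The `window` default matches the 5-minute delay shown in the quoted Postfix rejection; set it to whatever delay the local greylisting policy announces.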
Re: Oh ohh. grey listing starting to fail
On Thu, 24 Apr 2008, SM wrote:
> It's trivial for malware engines to retry. There isn't any queueing, as a standard MTA does, being done. This has been happening since some time.
>
> Greylisting only fails if you rely on it to stop spam.

Greylisting, like any other antispam technique, blocks some portion of the flood. There is no one magic silver bullet. It is still a useful tool.

Greylisting only fails if you rely on it *alone* to stop spam.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
An operating system design that requires a system reboot in order to install a document viewing utility does not earn my respect.
---
14 days until the 63rd anniversary of VE day

Re: Oh ohh. grey listing starting to fail
Johnson, S wrote:
> It’s not listed on any of the RBLs yet.

Actually, 82.67.64.191 is currently listed on the following DNSBLs:

FiveTenSig
HostKarma
PSBL
UceProtect-1
NoMoreFunn

But SOME of those are too FP-risky to outright block on, and I don't know if any of these listings existed at the time your spam arrived.

Any other IPs to check?

Rob McEwen

Re: Oh ohh. grey listing starting to fail
John Hardin wrote:
> On Thu, 24 Apr 2008, SM wrote:
>> It's trivial for malware engines to retry. There isn't any queueing, as a standard MTA does, being done. This has been happening since some time.
>>
>> Greylisting only fails if you rely on it to stop spam.
>
> Greylisting, like any other antispam technique, blocks some portion of the flood. There is no one magic silver bullet. It is still a useful tool.
>
> Greylisting only fails if you rely on it *alone* to stop spam.

yup.

Interesting that this was posted on the spamassassin users list rather than on the milter-greylist users list.

Suggestions that I've seen, but not yet tried myself, include using various dnsrbl's, using a longer greylisting period for certain types of sites to allow time for them to show up in the dnsrbl's, etc.

In addition, we have started using a lot more of the filtering features on our mta (sendmail) directly, thus dropping lots of stuff before it ever reaches milter-greylist or spamassassin. The OP was using postfix, so someone else will have to provide suggestions there.

I would suggest searching the milter-greylist archives and wiki and going to the postfix users list and wiki to see what options it may have.

I've got a white board filled with the structure and all the pieces and interconnections of our mail system's software. Milter-greylist is in the upper right corner, just above mimedefang and spamassassin. Lots of other stuff going on. In a spam free world, I wouldn't need that white board -- think of it as a war room visual aid.

---
Chris Hoogendyk
-
O__ Systems Administrator
c/ /'_ --- Biology Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~ - University of Massachusetts, Amherst
[EMAIL PROTECTED]
---
Erdös 4

RE: Oh ohh. grey listing starting to fail
It's on here because it's not an issue with greylisting (after all it IS working), but the overall Spamassassin process involved. I'm looking to optimize what I am doing with Spamassassin since I am seeing the greylisting stop catching the spam now...

Thanks for the input. I'm using: Postfix (I drop a ton of connections before the mail is even allowed in to my filters) - 6 RBLs - malformed email tests Spamassassin mimedefang razor2 dcc pyzor bayes lists Mailscanner - clamav/sophosav local whitelist/blacklist SPF (working on it anyway)

Anyone had any luck with SPF checking? How about dkim? Am I missing anything that I can look at?

Regards,
Scott

-----Original Message-----
From: Chris Hoogendyk [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 24, 2008 11:27 AM
To: SpamAssassin Users List
Subject: Re: Oh ohh. grey listing starting to fail

John Hardin wrote:
> On Thu, 24 Apr 2008, SM wrote:
>> It's trivial for malware engines to retry. There isn't any queueing, as a standard MTA does, being done. This has been happening since some time.
>>
>> Greylisting only fails if you rely on it to stop spam.
>
> Greylisting, like any other antispam technique, blocks some portion of the flood. There is no one magic silver bullet. It is still a useful tool.
>
> Greylisting only fails if you rely on it *alone* to stop spam.

yup.

Interesting that this was posted on the spamassassin users list rather than on the milter-greylist users list.

Suggestions that I've seen, but not yet tried myself, include using various dnsrbl's, using a longer greylisting period for certain types of sites to allow time for them to show up in the dnsrbl's, etc.

In addition, we have started using a lot more of the filtering features on our mta (sendmail) directly, thus dropping lots of stuff before it ever reaches milter-greylist or spamassassin. The OP was using postfix, so someone else will have to provide suggestions there.

I would suggest searching the milter-greylist archives and wiki and going to the postfix users list and wiki to see what options it may have.

I've got a white board filled with the structure and all the pieces and interconnections of our mail system's software. Milter-greylist is in the upper right corner, just above mimedefang and spamassassin. Lots of other stuff going on. In a spam free world, I wouldn't need that white board -- think of it as a war room visual aid.

---
Chris Hoogendyk
-
O__ Systems Administrator
c/ /'_ --- Biology Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~ - University of Massachusetts, Amherst
[EMAIL PROTECTED]
---
Erdös 4

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

RE: Oh ohh. grey listing starting to fail
You mention that some are too false positive risky, are any of those not? I'm not using any of those RBLs at the moment but I have 6 others that I am.

Scott

-----Original Message-----
From: Rob McEwen [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 24, 2008 10:43 AM
To: users@spamassassin.apache.org
Subject: Re: Oh ohh. grey listing starting to fail

Johnson, S wrote:
> It's not listed on any of the RBLs yet.

Actually, 82.67.64.191 is currently listed on the following DNSBLs:

FiveTenSig
HostKarma
PSBL
UceProtect-1
NoMoreFunn

But SOME of those are too FP-risky to outright block on, and I don't know if any of these listings existed at the time your spam arrived.

Any other IPs to check?

Rob McEwen

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

RE: Oh ohh. grey listing starting to fail
At 10:06 24-04-2008, Johnson, S wrote:
> Thanks for the input. I'm using: Postfix (I drop a ton of connections before the mail is even allowed in to my filters) - 6 RBLs - malformed email tests Spamassassin mimedefang razor2 dcc pyzor bayes lists Mailscanner

If you have Mailscanner, you don't need to call SpamAssassin separately.

> How about dkim? Am I missing anything that I can look at?

That's for whitelisting.

Regards,
-sm