Re: EmailBL plugin released
On Tue, May 19, 2009 at 13:24, Steve Freegard st...@stevefreegard.com wrote:
> Justin Mason wrote:
>> http://ruleqa.spamassassin.org/20090516-r775436-n/T_EMAILBL_TEST_LEM/detail
>
> Would be interesting to see if the 5 ham hits really were ham or whether they were accidentally misclassified and what the e-mail address was.

if you click through the [logs] links on http://ruleqa.spamassassin.org/20090516-r775436-n/T_EMAILBL_TEST_LEM/detail#all , you can see that they're in dos and zmi's collections:

http://ruleqa.spamassassin.org/20090516-r775436-n/T_EMAILBL_TEST_LEM?mclog=ham-net-dos
http://ruleqa.spamassassin.org/20090516-r775436-n/T_EMAILBL_TEST_LEM?mclog=ham-net-zmi

if you ask them nicely on the dev@ list they may dig up the FPs for you ;)

--j.
Re: EmailBL plugin released
http://ruleqa.spamassassin.org/20090516-r775436-n/T_EMAILBL_TEST_LEM/detail

--j.

On Tue, May 12, 2009 at 15:54, Justin Mason j...@jmason.org wrote:
> I've added it to SVN for testing -- my sandbox for now, but I'll move it to Alex's once his acct is set up ;)
>
> is there a test entry for this zone?
>
> --j.
>
> On Tue, May 12, 2009 at 11:26, Yet Another Ninja sa-l...@alexb.ch wrote:
>> On 5/12/2009 11:20 AM, Henrik K wrote:
>>> Hi,
>>>
>>> EmailBL plugin is now available for testing. Small test zone has been running for a while, it contains trapped addresses from some of the most popular freemail domains.
>>>
>>> http://sa.hege.li/EmailBL.pm (see inside for documentation)
>>> http://sa.hege.li/EmailBL.cf (contains the test zone)
>>> http://sa.hege.li/emailbl_lemfreemail.cf (needed for the test zone)
>>>
>>> Remember that the zone with this name WILL disappear after a month or so. Your feedback will contribute in whether it will be discarded or enhanced for wider use.
>>
>> grep EMAILBL /var/log/maillog | wc -l
>> 186
>>
>> nice!!!
Re: EmailBL plugin released
Justin Mason wrote:
> http://ruleqa.spamassassin.org/20090516-r775436-n/T_EMAILBL_TEST_LEM/detail

Would be interesting to see if the 5 ham hits really were ham or whether they were accidentally misclassified and what the e-mail address was.

Cheers,
Steve.
Re: EmailBL plugin released - I like it!
Henrik K wrote:
> First we should test if there actually are such FPs and not speculate. ;)

There are FPs by nature. Some of the accounts are legitimate accounts co-opted by spammers to send the phishing attempts to compromise more accounts.

Use the list with caution, and pay attention to the type. Specifically, you shouldn't use type E (or even B in many cases) for spam detection. Expect a few FPs even in type A.

Jesse

--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thomp...@doit.wisc.edu
Re: EmailBL plugin released - I like it!
On 5/19/2009 4:02 PM, Jesse Thompson wrote:
> Henrik K wrote:
>> First we should test if there actually are such FPs and not speculate. ;)
>
> There are FPs by nature. Some of the accounts are legitimate accounts co-opted by spammers to send the phishing attempts to compromise more accounts.
>
> Use the list with caution, and pay attention to the type. Specifically, you shouldn't use type E (or even B in many cases) for spam detection. Expect a few FPs even in type A.

from the descriptions you are using, you are speaking about a totally different BL... this is not the one in googlegroups.
Re: EmailBL plugin released - I like it!
Yet Another Ninja wrote:
> from the descriptions you are using, you are speaking about a totally different BL... this is not the one in googlegroups.

ah, my bad. I didn't know that the term 'EmailBL' was used generically.

Jesse

--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thomp...@doit.wisc.edu
Re: EmailBL plugin released
I would like to offer my help for your project. So far it's working well. I can offer you any of the following:

Data - I have tons of spam if you need to harvest data.
Computers - I have a lot of processing power if you need a VPS.
Bandwidth - I have some bandwidth to spare
rbldnsd servers - I can provide you with 6 mirrors

Let me know if I can help.

Henrik K wrote:
> Hi,
>
> EmailBL plugin is now available for testing. Small test zone has been running for a while, it contains trapped addresses from some of the most popular freemail domains.
>
> http://sa.hege.li/EmailBL.pm (see inside for documentation)
> http://sa.hege.li/EmailBL.cf (contains the test zone)
> http://sa.hege.li/emailbl_lemfreemail.cf (needed for the test zone)
>
> Remember that the zone with this name WILL disappear after a month or so. Your feedback will contribute in whether it will be discarded or enhanced for wider use.
>
> Cheers,
> Henrik
Re: EmailBL plugin released - I like it!
On Tue, May 12, 2009 at 05:23:07PM -0400, Charles Gregory wrote:
> Still no description of how an address is chosen for inclusion in the RBL blacklist itself. Particularly where the (often forged) From header is being used, how does the list avoid FP's?

First we should test if there actually are such FPs and not speculate. ;)

Trying to optimize things beforehand might just make things more inefficient and complex. Considering this plugin is intended for _scoring_, rare FPs might not matter at all.

If you do spot FPs let us know what kind.

Cheers,
Henrik
Re: EmailBL plugin released - I like it!
On Wed, 13 May 2009, Henrik K wrote:
>> Still no description of how an address is chosen for inclusion in the RBL blacklist itself.

Still wouldn't mind knowing this, unless you fear it would be sharing a secret with spammers that they could use to get around this test...

> First we should test if there actually are such FPs and not speculate. ;)

(nod) Okay. I'm just asking these questions too early in the development cycle then... thanks.

- C
Re: EmailBL plugin released
On 5/12/2009 11:20 AM, Henrik K wrote:
> Hi,
>
> EmailBL plugin is now available for testing. Small test zone has been running for a while, it contains trapped addresses from some of the most popular freemail domains.
>
> http://sa.hege.li/EmailBL.pm (see inside for documentation)
> http://sa.hege.li/EmailBL.cf (contains the test zone)
> http://sa.hege.li/emailbl_lemfreemail.cf (needed for the test zone)
>
> Remember that the zone with this name WILL disappear after a month or so. Your feedback will contribute in whether it will be discarded or enhanced for wider use.

grep EMAILBL /var/log/maillog | wc -l
186

nice!!!
Re: EmailBL plugin released - I like it!
On 5/12/2009 4:32 PM, Marc Perkel wrote:
> I'm not using your plugin yet but using it from Exim instead and it's working well. Lots of hits. I suppose we'll find out if there are any false positives. Here's how you do it in Exim
>
> set acl_c_from_address = ${lc:${address:$h_From:}}
> set acl_c_from_address_hash = ${md5:$acl_c_from_address}
> dnslists = listed.emailbl.me/$acl_c_from_address_hash
>
> And you do the same with the reply-to

your idea has a MASSIVE drawback. It queries the mailbl for EVERY address - the plugin does it selectively...

so I dare suggest you remove the ACL and don't kill the mirrors :-)
Re: EmailBL plugin released
Hi

On 05/12/2009 11:20 AM, Henrik K wrote:
> http://sa.hege.li/EmailBL.pm (see inside for documentation)

> ### About:
> #
> # This plugin creates rbl style DNS lookups for emails.

does this plugin handle emails in the sense of email addresses? Or does it make md5hashes of emails in the sense of email messages?

Regards,
wolfgang
Re: EmailBL plugin released
I've added it to SVN for testing -- my sandbox for now, but I'll move it to Alex's once his acct is set up ;)

is there a test entry for this zone?

--j.

On Tue, May 12, 2009 at 11:26, Yet Another Ninja sa-l...@alexb.ch wrote:
> On 5/12/2009 11:20 AM, Henrik K wrote:
>> Hi,
>>
>> EmailBL plugin is now available for testing. Small test zone has been running for a while, it contains trapped addresses from some of the most popular freemail domains.
>>
>> http://sa.hege.li/EmailBL.pm (see inside for documentation)
>> http://sa.hege.li/EmailBL.cf (contains the test zone)
>> http://sa.hege.li/emailbl_lemfreemail.cf (needed for the test zone)
>>
>> Remember that the zone with this name WILL disappear after a month or so. Your feedback will contribute in whether it will be discarded or enhanced for wider use.
>
> grep EMAILBL /var/log/maillog | wc -l
> 186
>
> nice!!!
Re: EmailBL plugin released - I like it!
Yet Another Ninja wrote:
> On 5/12/2009 4:32 PM, Marc Perkel wrote:
>> I'm not using your plugin yet but using it from Exim instead and it's working well. Lots of hits. I suppose we'll find out if there are any false positives. Here's how you do it in Exim
>>
>> set acl_c_from_address = ${lc:${address:$h_From:}}
>> set acl_c_from_address_hash = ${md5:$acl_c_from_address}
>> dnslists = listed.emailbl.me/$acl_c_from_address_hash
>>
>> And you do the same with the reply-to
>
> your idea has a MASSIVE drawback. It queries the mailbl for EVERY address - the plugin does it selectively...
>
> so I dare suggest you remove the ACL and don't kill the mirrors :-)

That's not the whole code that I'm using. I'm just demonstrating the concept of how you would make it usable from Exim. I have a lot of other logic in there that greatly reduces the calls I make.
Re: EmailBL plugin released - I like it!
I'm not using your plugin yet but using it from Exim instead and it's working well. Lots of hits. I suppose we'll find out if there are any false positives. Here's how you do it in Exim

set acl_c_from_address = ${lc:${address:$h_From:}}
set acl_c_from_address_hash = ${md5:$acl_c_from_address}
dnslists = listed.emailbl.me/$acl_c_from_address_hash

And you do the same with the reply-to
Re: EmailBL plugin released
Do you need more mirrors? I can offer you 4 additional servers.

Henrik K wrote:
> Hi,
>
> EmailBL plugin is now available for testing. Small test zone has been running for a while, it contains trapped addresses from some of the most popular freemail domains.
>
> http://sa.hege.li/EmailBL.pm (see inside for documentation)
> http://sa.hege.li/EmailBL.cf (contains the test zone)
> http://sa.hege.li/emailbl_lemfreemail.cf (needed for the test zone)
>
> Remember that the zone with this name WILL disappear after a month or so. Your feedback will contribute in whether it will be discarded or enhanced for wider use.
>
> Cheers,
> Henrik
Re: EmailBL plugin released
On 5/12/2009 5:02 PM, Marc Perkel wrote:
> Do you need more mirrors? I can offer you 4 additional servers.

This is all a proof of concept thing and nobody knows what the outcome may be. This zone will disappear in +- 30 days, and unless the mirrors complain that the load is rising a lot, I don't think it needs more mirrors.

What will happen later... dunno. I'm partially involved in this project, mainly working with Henrik with the backend/plugin but I have other commitments which won't allow me to add this to my collection of spamfighting hobbies.

The more stats users provide, the more it will motivate a group to carry on.

Axb
Re: EmailBL plugin released - I like it!
On Tue, 12 May 2009, Marc Perkel wrote:
>>> Here's how you do it in Exim
>> your idea has a MASSIVE drawback. It queries the mailbl for EVERY address...
> That's not the whole code that I'm using. I'm just demonstrating the concept of how you would make it usable from Exim. I have a lot of other logic in there that greatly reduces the calls I make.

I already have the reputation of a dumb schmuck (grin) so it doesn't hurt for me to say that in the absence of specific instructions/notes on limiting usage, I would presume that the exact code presented was all I needed to do the job.

The world is full of people looking for the 'quick fix' that don't have the 'background' to apply an idea with intelligence. Yeah, I might be one of those guys. LOL

- Charles
Re: EmailBL plugin released - I like it!
On 5/12/2009 5:37 PM, Charles Gregory wrote:
> On Tue, 12 May 2009, Marc Perkel wrote:
>>>> Here's how you do it in Exim
>>> your idea has a MASSIVE drawback. It queries the mailbl for EVERY address...
>> That's not the whole code that I'm using. I'm just demonstrating the concept of how you would make it usable from Exim. I have a lot of other logic in there that greatly reduces the calls I make.
>
> I already have the reputation of a dumb schmuck (grin) so it doesn't hurt for me to say that in the absence of specific instructions/notes on limiting usage, I would presume that the exact code presented was all I needed to do the job.
>
> The world is full of people looking for the 'quick fix' that don't have the 'background' to apply an idea with intelligence. Yeah, I might be one of those guys. LOL

Use the plugin.. it's easy and self explained. Marc's idea is very errr... Perkelian? .-)

This won't solve your spam problem but it may help. It won't deliver Espressos, do your laundry or walk the dog, but if all goes well it might...

grep EMAILBL /var/log/maillog | wc -l
384.

help tag some low scored stuff.
Re: EmailBL plugin released - I like it!
I haven't been following the long thread about this plugin. When I followed the links and examined the code/docs, I found that I really didn't have a sense of WHAT this plugin does.

At first I thought it was checking for spam 'reply' e-mail addresses within the body of an e-mail (the often used don't reply, but instead e-mail to blahb...@abusedfreemail.tld). Latest discussions make it seem like it is just checking the sender envelope address? That is so often faked. Why check it?

I was hoping that a well-formed mechanism like this might also be usable to catch abused freehosting web pages, like that run of sites all on geocities a month back.

So could we please have a nice "here is what it does" summary? Thanks!

- Charles
Re: EmailBL plugin released - I like it!
On 5/12/2009 5:45 PM, Charles Gregory wrote:
> I haven't been following the long thread about this plugin. When I followed the links and examined the code/docs, I found that I really didn't have a sense of WHAT this plugin does.
>
> At first I thought it was checking for spam 'reply' e-mail addresses within the body of an e-mail (the often used don't reply, but instead e-mail to blahb...@abusedfreemail.tld). Latest discussions make it seem like it is just checking the sender envelope address? That is so often faked. Why check it?
>
> I was hoping that a well-formed mechanism like this might also be usable to catch abused freehosting web pages, like that run of sites all on geocities a month back.
>
> So could we please have a nice "here is what it does" summary? Thanks!

Oh.. you must have skipped the first 52 lines of EmailBL.pm

A nice "here is what it does" summary contribution would be very appreciated.
Re: EmailBL plugin released
On Tue, May 12, 2009 at 04:47:25PM +0200, Wolfgang Zeikat wrote:
> Hi
>
> On 05/12/2009 11:20 AM, Henrik K wrote:
>> http://sa.hege.li/EmailBL.pm (see inside for documentation)
>
>> ### About:
>> #
>> # This plugin creates rbl style DNS lookups for emails.
>
> does this plugin handle emails in the sense of email addresses? Or does it make md5hashes of emails in the sense of email messages?

Thank you, I have added tiny bits of more information to EmailBL.pm.

Email addresses are collected from From/Reply-To headers and body (see EmailBL.pm check_emailbl description). Currently no more than 3 unique emails are collected from body. Emails in URLs are ignored to be safe.

For more in-depth information, you need to see the code. Things might still change, options or methods might come and go.
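
Added example, not part of any message in this thread and not taken from EmailBL.pm: a Python version of the selective lookup discussed above, collecting addresses from From/Reply-To and at most three from the body, skipping addresses inside URLs, and hashing as in the Exim snippet (MD5 of the lowercased address). The zone name, the freemail domain list, the restriction of lookups to freemail domains and the sample message are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_string
from email.utils import getaddresses

ZONE = "emailbl.example.invalid"                      # placeholder zone (assumption)
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}  # constructed sample list
MAX_BODY = 3                                          # "no more than 3 unique emails" from body
URL_RE = re.compile(r"\b(?:https?://|mailto:)\S+", re.I)
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def collect_addresses(raw):
    """From/Reply-To addresses plus at most MAX_BODY unique body addresses."""
    msg = message_from_string(raw)
    headers = msg.get_all("From", []) + msg.get_all("Reply-To", [])
    found = [a.lower() for _, a in getaddresses(headers) if "@" in a]
    body = URL_RE.sub(" ", msg.get_payload())  # ignore addresses inside URLs
    body_addrs = []
    for a in (m.lower() for m in ADDR_RE.findall(body)):
        if a not in body_addrs:
            body_addrs.append(a)
    return list(dict.fromkeys(found + body_addrs[:MAX_BODY]))

def query_names(raw):
    """DNS names to query: one per collected address on a freemail domain."""
    names = []
    for addr in collect_addresses(raw):
        if addr.rsplit("@", 1)[1] in FREEMAIL:  # selective: skip other domains
            digest = hashlib.md5(addr.encode()).hexdigest()
            names.append(f"{digest}.{ZONE}")
    return names

# Constructed sample message, not real mail.
SAMPLE = """From: "Prize Dept" <Claims.Agent@Gmail.com>
Reply-To: claims.agent@gmail.com
Subject: constructed sample

Contact barrister.one@yahoo.com or visit http://x.example/?u=hidden@hotmail.com
Office: info@corp.example a@hotmail.com b@hotmail.com
"""

if __name__ == "__main__":
    print("\n".join(query_names(SAMPLE)))
```

For the sample, four addresses are collected but only three names are queried: the From and Reply-To addresses collapse to one, the address inside the URL and the fourth body address are dropped, and the non-freemail address is never looked up.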
Re: EmailBL plugin released - I like it!
On Tue, 12 May 2009, Yet Another Ninja wrote:
> Oh.. you must have skipped the first 52 lines of EmailBL.pm

No I can *now* see the two lines that say where the module gathers addresses from. If they were there before, my apologies. But I read that section of the module pretty closely.

Still no description of how an address is chosen for inclusion in the RBL blacklist itself. Particularly where the (often forged) From header is being used, how does the list avoid FP's?

- Charles