Re: List of 700,000 IP addresses of virus infected computers
me too! hitler!

On Sep 13, 2007, at 5:22 PM, Phil Barnett wrote:

On Thursday 13 September 2007, jdow wrote:

And you just fed the troll-chain, yourself, silly person. {^_-}

At least I trim my replies...

--
Phil Barnett AI4OF SKCC #600
Re: List of 700,000 IP addresses of virus infected computers
Don't feed the animals ? I must have been dreaming when I saw the post about this and OT posts (said he joining in an OT post)
Re: List of 700,000 IP addresses of virus infected computers
Tuc at T-B-O-H.NET wrote:

Tuc at T-B-O-H.NET wrote:

Tuc at T-B-O-H wrote:

That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so high from SA anyway, they were well over the limit. The rest were "BR" and again the numbers were so high SA caught them on its own.

Tuc/TBOH

So - no false positives?

No false anything really. SA had scored the others so low BEFORE adding in your score that the "WH" didn't mean anything to the score. Likewise, SA scored the "BL"/"BR" ones so high BEFORE adding in your score that your score didn't mean anything.

So, to me, it's basically just "tagging along" with the big boys and every once and a while giving its .02 where the big boys already came to a decision.

What I was hoping it would be was that "extra little bit", that "hanging chad" shall we say, that pushed it over the line one way or the other on a much greater percentage of processed messages.

This was on my personal mail server ONLY, my "production" one processes around 57250 emails a day, of which 52000 are thrown out before they are even checked (KNOWN spam just by the receiving email address), 3500 are identified by SA as spam (Some false positives), 250 are passed as clean (Of which I'd say 25% are still spam), and the rest aren't even run through SA before reaching the user due to the users not being happy with the results of SA scans.

But, if you were to use the WH and BL/BR lists as pre-filters to reduce spam assassin's load, what difference would it make to your mail server load?

And, in that case, how many errors would you get?

I think that might be Marc's actual goal here. Not to "tip the balance on questionable email", but to keep you from having to scan stuff that is definitely ham and definitely spam.

Hi,

Unfortunately, I don't know how to tell this given that Mark provided SA rules for processing. If this was something I could implement at the sendmail level, before it got to SA (pre-filter), then it may make a difference to AT MOST what seems to be about 5% of my email. But since SA has to run ANYWAY, then if anything it slows the server down since it needs to make an additional DNS call.

Tuc/TBOH

I gave you rules for SA because this is the SA forum. In the Exim forum I posted the Exim rules. I manage to route over 99% of the email I process around SpamAssassin. But I am running off my own data so that makes a big difference. If the system were scaled up it would catch far more stuff.
Re: List of 700,000 IP addresses of virus infected computers
> > Tuc at T-B-O-H.NET wrote:
> >> Tuc at T-B-O-H wrote:
> That's as much detail as I'm going to go into here. But the result is
> that I have 720,000 IP addresses of virus infected computers and I'm
> filtering about 1600 domains and I'm not getting any more than the
> normal few false positive complaints. And those are due to other
> unrelated mistakes that I'm still working on.
>
> >>> I've had it running for 26 hours so far. It's shown up on 79
> >>> out of 1519 messages processed. Of those, SA decided 482 of them were
> >>> spam. Eight were on the whitelist (Which didn't matter, the scores from
> >>> SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so
> >>> high from SA anyway, they were well over the limit. The rest were "BR"
> >>> and again the numbers were so high SA caught them on its own.
> >>>
> >>> Tuc/TBOH
> >>>
> >> So - no false positives?
> >>
> > No false anything really. SA had scored the others so low BEFORE
> > adding in your score that the "WH" didn't mean anything to the score.
> > Likewise, SA scored the "BL"/"BR" ones so high BEFORE adding in your
> > score that your score didn't mean anything.
> >
> > So, to me, it's basically just "tagging along" with the big
> > boys and every once and a while giving its .02 where the big boys
> > already came to a decision.
> >
> > What I was hoping it would be was that "extra little bit",
> > that "hanging chad" shall we say, that pushed it over the line one
> > way or the other on a much greater percentage of processed messages.
> >
> > This was on my personal mail server ONLY, my "production" one processes
> > around 57250 emails a day, of which 52000 are thrown out before
> > they are even checked (KNOWN spam just by the receiving email address),
> > 3500 are identified by SA as spam (Some false positives), 250 are
> > passed as clean (Of which I'd say 25% are still spam), and the rest
> > aren't even run through SA before reaching the user due to the users
> > not being happy with the results of SA scans.
>
> But, if you were to use the WH and BL/BR lists as pre-filters to reduce
> spam assassin's load, what difference would it make to your mail server
> load?
>
> And, in that case, how many errors would you get?
>
> I think that might be Marc's actual goal here. Not to "tip the balance
> on questionable email", but to keep you from having to scan stuff that
> is definitely ham and definitely spam.
>

Hi,

Unfortunately, I don't know how to tell this given that Mark provided SA rules for processing. If this was something I could implement at the sendmail level, before it got to SA (pre-filter), then it may make a difference to AT MOST what seems to be about 5% of my email. But since SA has to run ANYWAY, then if anything it slows the server down since it needs to make an additional DNS call.

Tuc/TBOH
Re: List of 700,000 IP addresses of virus infected computers
Tuc at T-B-O-H.NET wrote:

Tuc at T-B-O-H wrote:

That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so high from SA anyway, they were well over the limit. The rest were "BR" and again the numbers were so high SA caught them on its own.

Tuc/TBOH

So - no false positives?

No false anything really. SA had scored the others so low BEFORE adding in your score that the "WH" didn't mean anything to the score. Likewise, SA scored the "BL"/"BR" ones so high BEFORE adding in your score that your score didn't mean anything.

So, to me, it's basically just "tagging along" with the big boys and every once and a while giving its .02 where the big boys already came to a decision.

What I was hoping it would be was that "extra little bit", that "hanging chad" shall we say, that pushed it over the line one way or the other on a much greater percentage of processed messages.

This was on my personal mail server ONLY, my "production" one processes around 57250 emails a day, of which 52000 are thrown out before they are even checked (KNOWN spam just by the receiving email address), 3500 are identified by SA as spam (Some false positives), 250 are passed as clean (Of which I'd say 25% are still spam), and the rest aren't even run through SA before reaching the user due to the users not being happy with the results of SA scans.

But, if you were to use the WH and BL/BR lists as pre-filters to reduce spam assassin's load, what difference would it make to your mail server load?

And, in that case, how many errors would you get?

I think that might be Marc's actual goal here. Not to "tip the balance on questionable email", but to keep you from having to scan stuff that is definitely ham and definitely spam.
Re: List of 700,000 IP addresses of virus infected computers
> Tuc at T-B-O-H wrote:
> >> That's as much detail as I'm going to go into here. But the result is
> >> that I have 720,000 IP addresses of virus infected computers and I'm
> >> filtering about 1600 domains and I'm not getting any more than the
> >> normal few false positive complaints. And those are due to other
> >> unrelated mistakes that I'm still working on.
> >>
> > I've had it running for 26 hours so far. It's shown up on 79
> > out of 1519 messages processed. Of those, SA decided 482 of them were
> > spam. Eight were on the whitelist (Which didn't matter, the scores from
> > SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so
> > high from SA anyway, they were well over the limit. The rest were "BR"
> > and again the numbers were so high SA caught them on its own.
> >
> > Tuc/TBOH
> >
> So - no false positives?
>

No false anything really. SA had scored the others so low BEFORE adding in your score that the "WH" didn't mean anything to the score. Likewise, SA scored the "BL"/"BR" ones so high BEFORE adding in your score that your score didn't mean anything.

So, to me, it's basically just "tagging along" with the big boys and every once and a while giving its .02 where the big boys already came to a decision.

What I was hoping it would be was that "extra little bit", that "hanging chad" shall we say, that pushed it over the line one way or the other on a much greater percentage of processed messages.

This was on my personal mail server ONLY, my "production" one processes around 57250 emails a day, of which 52000 are thrown out before they are even checked (KNOWN spam just by the receiving email address), 3500 are identified by SA as spam (Some false positives), 250 are passed as clean (Of which I'd say 25% are still spam), and the rest aren't even run through SA before reaching the user due to the users not being happy with the results of SA scans.

Tuc/TBOH
Re: List of 700,000 IP addresses of virus infected computers
I've been running virus.txt for 23 hours. 23368 messages, only 11 hits. All were Drug messages that were picked up by SA anyway. Still, no false positives, FYI.

Jared Hall
General Telecom, LLC.

On Wednesday 12 September 2007 22:08, Tuc at T-B-O-H wrote:
> > That's as much detail as I'm going to go into here. But the result is
> > that I have 720,000 IP addresses of virus infected computers and I'm
> > filtering about 1600 domains and I'm not getting any more than the
> > normal few false positive complaints. And those are due to other
> > unrelated mistakes that I'm still working on.
>
> I've had it running for 26 hours so far. It's shown up on 79
> out of 1519 messages processed. Of those, SA decided 482 of them were
> spam. Eight were on the whitelist (Which didn't matter, the scores from
> SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so
> high from SA anyway, they were well over the limit. The rest were "BR"
> and again the numbers were so high SA caught them on its own.
>
> Tuc/TBOH
Re: List of 700,000 IP addresses of virus infected computers
Tuc at T-B-O-H wrote:

That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so high from SA anyway, they were well over the limit. The rest were "BR" and again the numbers were so high SA caught them on its own.

Tuc/TBOH

So - no false positives?
Re: List of 700,000 IP addresses of virus infected computers
> That's as much detail as I'm going to go into here. But the result is
> that I have 720,000 IP addresses of virus infected computers and I'm
> filtering about 1600 domains and I'm not getting any more than the
> normal few false positive complaints. And those are due to other
> unrelated mistakes that I'm still working on.
>

I've had it running for 26 hours so far. It's shown up on 79 out of 1519 messages processed. Of those, SA decided 482 of them were spam. Eight were on the whitelist (Which didn't matter, the scores from SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so high from SA anyway, they were well over the limit. The rest were "BR" and again the numbers were so high SA caught them on its own.

Tuc/TBOH
RE: List of 700,000 IP addresses of virus infected computers
> -Original Message-
> From: Jason Bertoch [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 12, 2007 8:54 AM
> To: users@spamassassin.apache.org
> Subject: FW: List of 700,000 IP addresses of virus infected computers
>
> On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote:
>
> >>> The details are a little too complex for this forum ...
> >
> > OK - had quite a few trolls here who seem to be hostile to my
> > breakthroughs so I wasn't that motivated to post information.
> >
>
> Is there any chance we can get a moderator on this, please?
> This is clearly not
> a SA topic and I'm weary of insults, flames, and
> advertisements from Marc.

Marc's topic is better suited for Spam-L. Good luck with it there :)

This is a Spamassassin specific list. If the topic doesn't pertain directly to SA in some way, it doesn't belong. (We make exceptions when discussing how freaking creepy that old pink ninja was!)

--Chris (13 days until Halo flu.)
Re: List of 700,000 IP addresses of virus infected computers
Kenneth Porter wrote:

On Tuesday, September 11, 2007 12:30 PM -0700 Marc Perkel <[EMAIL PROTECTED]> wrote:

The details are a little too complex for this forum but the new trick is mostly based on the fact that spam bots generally don't issue the QUIT command and when combined with other factors allows me to catch spam bots on the first try.

At last we get some technical details. Please post the methodology on a web page for review. For example, how do you know you don't get a QUIT command?

OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information.

I'm using Exim and Exim has a new feature in their latest 4.6.8 version where they added a "notquit" acl. The notquit is executed if the connection terminates without a quit. I have a very complex configuration and I'm not going to be able to go into all the details of how this works. But in addition to being able to detect the notquit condition I can also monitor a dozen other behaviors that mostly only spammers do. Another one for example is hitting my fake high MX records when I have 4 lower MX records available.

In both these conditions there are a number of sanity checks to reduce false positives but when I combine all these conditionals and that feeds my "hostkarma" database which stores 3 days of reporting data. Every 5 minutes I run a Pascal program I wrote that generates the zone files for my 5 name servers which I reload to update the data with the new zone information.

That's as much detail as I'm going to go into here. But the result is that I have 720,000 IP addresses of virus infected computers and I'm filtering about 1600 domains and I'm not getting any more than the normal few false positive complaints. And those are due to other unrelated mistakes that I'm still working on.

One of the kool things about it is the speed that I can detect these. I don't have to wait for multiple attempts which takes a long time. I can have them blacklisted in the same 5 minute cycle from the first time they hit me. And fast is good. I've eliminated bot spam entirely. About the only spam I get is from yahoo and hotmail that SA doesn't catch.
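
The reporting cycle described in the message above (behaviour reports kept for 3 days, zone data regenerated on each cycle so a first hit is listed at the next rebuild), as an added example that is not part of the original thread and is not the poster's Exim configuration or Pascal program. The `KarmaStore` class, the whitelist used as the sanity check, the `127.0.0.2` answer and the sample addresses are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=3)           # from the post: 3 days of reporting data
SIGNALS = {"notquit", "fake_high_mx"}   # the two behaviours named in the post


def ip_key(ip):
    """Sort key so addresses order numerically, not as strings."""
    return tuple(int(octet) for octet in ip.split("."))


class KarmaStore:
    """Hypothetical in-memory stand-in for the reporting database."""

    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)  # assumed sanity check: never list these
        self.reports = []                # (timestamp, ip, signal)

    def report(self, when, ip, signal):
        if signal not in SIGNALS:
            raise ValueError(f"unknown signal: {signal}")
        self.reports.append((when, ip, signal))

    def listed(self, now):
        """Drop reports older than RETENTION, return IPs that remain listable."""
        self.reports = [r for r in self.reports if r[0] >= now - RETENTION]
        return sorted({ip for _, ip, _ in self.reports} - self.whitelist, key=ip_key)


def build_zone(store, now, answer="127.0.0.2"):
    """One regeneration cycle. DNSBL convention: reversed octets, A record.
    The 127.0.0.2 answer is an assumed value, not taken from the thread."""
    return [f"{'.'.join(reversed(ip.split('.')))} IN A {answer}"
            for ip in store.listed(now)]


# Constructed sample reports (documentation address ranges, not real hosts).
NOW = datetime(2007, 9, 13, 12, 0)
STORE = KarmaStore(whitelist={"198.51.100.7"})
STORE.report(NOW - timedelta(minutes=2), "192.0.2.10", "notquit")        # first hit
STORE.report(NOW - timedelta(days=4), "192.0.2.99", "notquit")           # expired
STORE.report(NOW - timedelta(hours=1), "198.51.100.7", "fake_high_mx")   # whitelisted
STORE.report(NOW - timedelta(hours=5), "203.0.113.5", "fake_high_mx")

if __name__ == "__main__":
    print("\n".join(build_zone(STORE, NOW)))
```

Listing on a single report is what makes first-hit blacklisting possible, so the quality of the sanity checks, here reduced to a whitelist, decides the false positive rate.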