Yahoo groups big5 subscribe spam

2012-01-13 Thread Alex
Hi all,

I wonder if anyone has encountered spam like this recently?

http://pastebin.com/raw.php?i=3ByuaFva

It's a base64-encoded subscribe request for a yahoo group with
japanese characters. It has a significant negative score (-17) with
bayes00, so I was kind of concerned and hoped someone had some ideas
how to detect this.

To look at anything except the headers, you'd have to download it and
decode it. I wasn't sure if it would be better to do this, or create a
pastebin that was already decoded...

Thanks for any ideas.
Alex


Re: yahoo groups: Date: fields flagged as non-rfc-2822-compliant?

2007-04-13 Thread Mark Martinec
On Saturday April 14 2007 01:24:47 John Clements wrote:
> >> Date: 05 Apr 2007 05:05:39 -0700
> >> Date: 05 Apr 2007 05:05:39 -0700
> >> Date: Thu, 05 Apr 2007 06:46:01 -0500

> >> Now, I took a quick look at rfc 2822, and all of the Date fields
> >> in this e-mail would appear to be compliant.

Yes, the day-of-week with its comma is optional.

> >> So: is there a bug 
> >> in spamassassin's Date parsing, or is yahoo committing some subtle
> >> bug, or is the mailer's original date somehow non-compliant?

> Yes, that's a wonderful question.  Apparently, Yahoo feels the need
> to insert additional Date: headers as it remails things.

RFC 2822 section 3.6 mandates there must be exactly one Date
header field.

> Perhaps multiple Date: headers is the reason that spam assassin
> considers it non-compliant?

So it seems (and rightfully so).

Perhaps it would be better to have a separate rule for multiple
header fields which may appear at most once, in analogy with
a MISSING_DATE which covers for the lower bound - if need appears
to give them different scores.

  Mark
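
The check suggested above (a separate test for header fields that may appear at most once) can be sketched as follows. This is an added example, not SpamAssassin code or anything posted in the thread; the function names and the sample messages are constructed, with the three Date values taken from the headers quoted in this thread.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# RFC 2822 section 3.6: fields limited to one occurrence per message.
AT_MOST_ONCE = ("date", "from", "sender", "reply-to", "to", "cc", "bcc",
                "message-id", "in-reply-to", "references", "subject")
# Of those, Date and From must also be present (exactly once).
REQUIRED = ("date", "from")

# Constructed sample: a remailed message carrying three Date fields.
SAMPLE_REMAILED = (
    "Received: from relay.example by mx.example with SMTP;"
    " Thu, 05 Apr 2007 08:05:40 -0400\n"
    "Date: 05 Apr 2007 05:05:39 -0700\n"
    "Date: 05 Apr 2007 05:05:39 -0700\n"
    "From: Poster <poster@example.org>\n"
    "Date: Thu, 05 Apr 2007 06:46:01 -0500\n"
    "Subject: [list] test\n"
    "\n"
    "body\n"
)
# Constructed samples for the lower bound and for a malformed value.
SAMPLE_NO_DATE = "From: a@example.org\nSubject: x\n\nbody\n"
SAMPLE_BAD_DATE = "Date: yesterday-ish\nFrom: a@example.org\n\nbody\n"


def parse_date(value):
    """Return a datetime for a Date value, or None if it does not parse."""
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):  # exception type depends on Python version
        return None


def audit_headers(raw):
    """Return (field, problem, detail) tuples for count and Date problems."""
    msg = message_from_string(raw)
    findings = []
    for field in AT_MOST_ONCE:
        values = msg.get_all(field, [])
        if len(values) > 1:
            findings.append((field, "duplicate", len(values)))
        elif not values and field in REQUIRED:
            findings.append((field, "missing", 0))
    # Syntax is checked per value, independently of the count.
    for value in msg.get_all("date", []):
        if parse_date(value) is None:
            findings.append(("date", "unparseable", value))
    return findings


def distinct_date_instants(raw):
    """Count the different points in time claimed by the Date fields."""
    msg = message_from_string(raw)
    parsed = [parse_date(v) for v in msg.get_all("date", [])]
    return len({d for d in parsed if d is not None})


if __name__ == "__main__":
    for name, raw in (("remailed", SAMPLE_REMAILED),
                      ("no date", SAMPLE_NO_DATE),
                      ("bad date", SAMPLE_BAD_DATE)):
        print(name, audit_headers(raw), distinct_date_instants(raw))
```

Each Date value in the remailed sample parses on its own, so only the count is reported; the two distinct instants show why software that reads the first Date and software that reads the last one can disagree about when the message was sent.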


Re: yahoo groups: Date: fields flagged as non-rfc-2822-compliant?

2007-04-13 Thread John Clements


On Apr 13, 2007, at 2:05 PM, mouss wrote:


John Clements wrote:
It appears to me that all mail coming through Yahoo groups is  
getting at least 4.5 points because of yahoo's use of tiny fonts  
and of non-compliant Date: formats.  Here's the spamassassin  
analysis:


And below, here's a segment of the headers; I'm reluctant to post  
the whole thing, because it's not my mail.  I have included every  
one of the "Date:" headers, though.


...
Date: 05 Apr 2007 05:05:39 -0700
...
Date: 05 Apr 2007 05:05:39 -0700
...
Date: Thu, 05 Apr 2007 06:46:01 -0500
Subject: [unison-users] Why aren't my emails hitting the list or
 being sent back to me as a subscriber? {Scanned}
...

(The "..."s are inserted by me, of course.)

Now, I took a quick look at rfc 2822, and all of the Date fields  
in this e-mail would appear to be compliant.  So: is there a bug  
in spamassassin's Date parsing, or is yahoo committing some subtle  
bug, or is the mailer's original date somehow non-compliant?


Many thanks in advance,

John Clements




- why are there multiple Date headers?
- the date fields look ok indeed.


Yes, that's a wonderful question.  Apparently, Yahoo feels the need  
to insert additional Date: headers as it remails things.  Perhaps  
multiple Date: headers is the reason that spam assassin considers it  
non-compliant?


Many thanks,

John Clements


Re: yahoo groups: Date: fields flagged as non-rfc-2822-compliant?

2007-04-13 Thread mouss

John Clements wrote:
It appears to me that all mail coming through Yahoo groups is getting 
at least 4.5 points because of yahoo's use of tiny fonts and of 
non-compliant Date: formats.  Here's the spamassassin analysis:


 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 2.3 HTML_TINY_FONT         RAW: body contains 1 or 0-point font


And below, here's a segment of the headers; I'm reluctant to post the 
whole thing, because it's not my mail.  I have included every one of 
the "Date:" headers, though.


...
Received: from n20c.bullet.sp1.yahoo.com (n20c.bullet.sp1.yahoo.com
 [69.147.64.135])
 by penkwe.pair.com (Postfix) with SMTP id 9934261ED1
 for <[EMAIL PROTECTED]>; Thu,  5 Apr 2007 08:05:40 -0400 (EDT)
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=lima; 
d=yahoogroups.com;
b=L8RGQYYJQzzj14LQLy04I7M37sr6NZrdaJlbusX3mPJeVXc9ATVUhGAalGuLy4DJa+HamL/DpLAKac8J+Hgpk8AHzE/zr22UYsp8uxU0YJomaT+8NAlFujfGv+/UNDxs; 

Received: from [216.252.122.219] by n20.bullet.sp1.yahoo.com with NNFMP;
 05 Apr 2007 12:05:39 -
Date: 05 Apr 2007 05:05:39 -0700
Received: from [66.218.69.6] by t4.bullet.sp1.yahoo.com with NNFMP;
 05 Apr 2007 12:05:39 -
Date: 05 Apr 2007 05:05:39 -0700
Received: from [66.218.67.93] by t6.bullet.scd.yahoo.com with NNFMP;
 05 Apr 2007 12:05:39 -
X-Yahoo-Newman-Id: 479767-m1695
Received: (qmail 36685 invoked by uid 7800); 5 Apr 2007 12:05:37 -
X-Sender: [EMAIL PROTECTED]
X-Apparently-To: [EMAIL PROTECTED]
Received: (qmail 88523 invoked from network); 5 Apr 2007 11:45:21 -
Received: from unknown (66.218.67.34)
  by m25.grp.scd.yahoo.com with QMQP; 5 Apr 2007 11:45:21 -
Received: from unknown (HELO bastion.rcwm.com) (24.153.175.131)
  by mta8.grp.scd.yahoo.com with SMTP; 5 Apr 2007 11:45:21 -
...
MIME-Version: 1.0
Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
Delivered-To: mailing list [EMAIL PROTECTED]
List-Id: 
Precedence: bulk
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
Date: Thu, 05 Apr 2007 06:46:01 -0500
Subject: [unison-users] Why aren't my emails hitting the list or
 being sent back to me as a subscriber? {Scanned}
...

(The "..."s are inserted by me, of course.)

Now, I took a quick look at rfc 2822, and all of the Date fields in 
this e-mail would appear to be compliant.  So: is there a bug in 
spamassassin's Date parsing, or is yahoo committing some subtle bug, 
or is the mailer's original date somehow non-compliant?


Many thanks in advance,

John Clements




- why are there multiple Date headers?
- the date fields look ok indeed.





yahoo groups: Date: fields flagged as non-rfc-2822-compliant?

2007-04-13 Thread John Clements
It appears to me that all mail coming through Yahoo groups is getting
at least 4.5 points because of yahoo's use of tiny fonts and of
non-compliant Date: formats.  Here's the spamassassin analysis:


 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 2.3 HTML_TINY_FONT         RAW: body contains 1 or 0-point font


And below, here's a segment of the headers; I'm reluctant to post the  
whole thing, because it's not my mail.  I have included every one of  
the "Date:" headers, though.


...
Received: from n20c.bullet.sp1.yahoo.com (n20c.bullet.sp1.yahoo.com
 [69.147.64.135])
 by penkwe.pair.com (Postfix) with SMTP id 9934261ED1
 for <[EMAIL PROTECTED]>; Thu,  5 Apr 2007 08:05:40 -0400 (EDT)
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=lima;  
d=yahoogroups.com;
	b=L8RGQYYJQzzj14LQLy04I7M37sr6NZrdaJlbusX3mPJeVXc9ATVUhGAalGuLy4DJa 
+HamL/DpLAKac8J+Hgpk8AHzE/zr22UYsp8uxU0YJomaT+8NAlFujfGv+/UNDxs;
Received: from [216.252.122.219] by n20.bullet.sp1.yahoo.com with NNFMP;
 05 Apr 2007 12:05:39 -
Date: 05 Apr 2007 05:05:39 -0700
Received: from [66.218.69.6] by t4.bullet.sp1.yahoo.com with NNFMP;
 05 Apr 2007 12:05:39 -
Date: 05 Apr 2007 05:05:39 -0700
Received: from [66.218.67.93] by t6.bullet.scd.yahoo.com with NNFMP;
 05 Apr 2007 12:05:39 -
X-Yahoo-Newman-Id: 479767-m1695
Received: (qmail 36685 invoked by uid 7800); 5 Apr 2007 12:05:37 -
X-Sender: [EMAIL PROTECTED]
X-Apparently-To: [EMAIL PROTECTED]
Received: (qmail 88523 invoked from network); 5 Apr 2007 11:45:21 -
Received: from unknown (66.218.67.34)
  by m25.grp.scd.yahoo.com with QMQP; 5 Apr 2007 11:45:21 -
Received: from unknown (HELO bastion.rcwm.com) (24.153.175.131)
  by mta8.grp.scd.yahoo.com with SMTP; 5 Apr 2007 11:45:21 -
...
MIME-Version: 1.0
Mailing-List: list [EMAIL PROTECTED]; contact unison-users-[EMAIL PROTECTED]
Delivered-To: mailing list [EMAIL PROTECTED]
List-Id: 
Precedence: bulk
List-Unsubscribe: <mailto:[EMAIL PROTECTED]>
Date: Thu, 05 Apr 2007 06:46:01 -0500
Subject: [unison-users] Why aren't my emails hitting the list or
 being sent back to me as a subscriber? {Scanned}
...

(The "..."s are inserted by me, of course.)

Now, I took a quick look at rfc 2822, and all of the Date fields in  
this e-mail would appear to be compliant.  So: is there a bug in  
spamassassin's Date parsing, or is yahoo committing some subtle bug,  
or is the mailer's original date somehow non-compliant?


Many thanks in advance,

John Clements



Re: Yahoo groups

2006-12-24 Thread jdow

I have custom rules for the individual groups. Some are cleaner than
others. The rule scores range from -10 for the clean groups to +2 for
the dirty ones.

header   UHS_MMSSTV   Subject =~ /\[MM-SSTV\]/i
describe UHS_MMSSTV   MMSSTV is not always nice
score    UHS_MMSSTV   2.0

That's an example of a not always clean one. Clean messages hit BAYES_0
most of the time. So even with a +2 on the group it VERY seldom false
alarms. Other groups get as high a negative score as -10 when it is known
they are squeaky clean. (GoogleGroups is another kettle of Bandini(tm).
Note that Bandini(tm) is "The word for fertilizer.")

Your rule would work except that messages from mailinglists on YahooGroups
are never from yahoogroups.com. But it might let more than a little garbage
through. "Sender" as a replacement for "From" might trigger a trifle more
often unless you are looking for subscription feedback messages. Those have
From lines with stuff like: [EMAIL PROTECTED] You can at least trap on the
@yahoogroups.com part.

Read the headers for what you want to capture. Don't guess. It's like
guessing a password.

{^_^}
- Original Message - 
From: "Rodney Richison" <[EMAIL PROTECTED]>



In my fight against spam, yahoo groups seems to be the only casualty.
I'm not a rule writer, so please forgive this feeble attempt and let me
know if it looks ok

# Example of a rule for text in the header of the mail:
header   LOCAL__H_from_yahoogroups   From =~ /yahoogroups\.com/i
score    LOCAL__H_from_yahoogroups   -2.0
describe LOCAL__H_from_yahoogroups   From yahoogroups.com




Highest Regards,


Rodney Richison 
RCR Computing 
PO Box 566 - 118 N. Broadway 
Cleveland, OK 74020 
Phone: 918-358-

Proud ChannelVar member!
www.ChannelVar.com


Re: Yahoo groups

2006-12-24 Thread mouss

Rodney Richison wrote:

did you install Mail::DKIM?



I just now did, no luck.

  

if it was really installed, then you need to find out where!

try to reinstall it and watch the output.



do you have multiple perl versions on your system?



Not that I know of.  :)  Which I'm sure means no.  



Debian sarge with spamassassin from backports

  




Re: Yahoo groups

2006-12-24 Thread Daryl C. W. O'Shea

Rodney Richison wrote:

did you install Mail::DKIM?


I just now did, no luck.


DomainKeys requires Mail::DomainKeys, DKIM requires Mail::DKIM.

Daryl


RE: Yahoo groups

2006-12-24 Thread Rodney Richison

> 
> did you install Mail::DKIM?

I just now did, no luck.

> do you have multiple perl versions on your system?

Not that I know of.  :)  Which I'm sure means no.  


Debian sarge with spamassassin from backports


Highest Regards,


Rodney Richison 
RCR Computing 
PO Box 566 - 118 N. Broadway 
Cleveland, OK 74020 
Phone: 918-358-
Proud ChannelVar member!
www.ChannelVar.com 



Re: Yahoo groups

2006-12-24 Thread mouss

Rodney Richison wrote:


Unfortunately, I can't enable the domainkeys plugin. I loaded it with
cpan and got this on a lint.

[18770] warn: plugin: failed to parse plugin (from @INC): Can't locate
Mail/DomainKeys/Message.pm in @INC (@INC contains: lib /usr/share/perl5
/etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4
/usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8
/usr/local/lib/site_perl) at
/usr/share/perl5/Mail/SpamAssassin/Plugin/DomainKeys.pm line 45.
[18770] warn: BEGIN failed--compilation aborted at
/usr/share/perl5/Mail/SpamAssassin/Plugin/DomainKeys.pm line 45.
[18770] warn: Compilation failed in require at (eval 80) line 1.
[18770] warn: plugin: failed to create instance of plugin
Mail::SpamAssassin::Plugin::DomainKeys: Can't locate object method "new"
via package "Mail::SpamAssassin::Plugin::DomainKeys" at (eval 81) line
1.





  


did you install Mail::DKIM?
do you have multiple perl versions on your system?



RE: Yahoo groups

2006-12-24 Thread Rodney Richison


Rodney Richison wrote:
> In my fight against spam, yahoo groups seems to be the only casualty.
> I'm not a rule writer, so please forgive this feeble attempt and let
> me know if it looks ok
>
> # Example of a rule for text in the header of the mail:
> header   LOCAL__H_from_yahoogroups   From =~ /yahoogroups\.com/i
> score    LOCAL__H_from_yahoogroups   -2.0
> describe LOCAL__H_from_yahoogroups   From yahoogroups.com
>
>   

This matches

From: [EMAIL PROTECTED]

you can play with other headers such as Sender, List-Id, ... etc, but
all these can be forged.

if these are to be trusted, look at whitelist_rcvd_from. Note that
yahoogroups mail have a domain key signature.


Unfortunately, I can't enable the domainkeys plugin. I loaded it with
cpan and got this on a lint.

[18770] warn: plugin: failed to parse plugin (from @INC): Can't locate
Mail/DomainKeys/Message.pm in @INC (@INC contains: lib /usr/share/perl5
/etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4
/usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8
/usr/local/lib/site_perl) at
/usr/share/perl5/Mail/SpamAssassin/Plugin/DomainKeys.pm line 45.
[18770] warn: BEGIN failed--compilation aborted at
/usr/share/perl5/Mail/SpamAssassin/Plugin/DomainKeys.pm line 45.
[18770] warn: Compilation failed in require at (eval 80) line 1.
[18770] warn: plugin: failed to create instance of plugin
Mail::SpamAssassin::Plugin::DomainKeys: Can't locate object method "new"
via package "Mail::SpamAssassin::Plugin::DomainKeys" at (eval 81) line
1.






Re: Yahoo groups

2006-12-24 Thread mouss

Rodney Richison wrote:

In my fight against spam, yahoo groups seems to be the only casualty.
I'm not a rule writer, so please forgive this feeble attempt and let me
know if it looks ok

# Example of a rule for text in the header of the mail:
header   LOCAL__H_from_yahoogroups   From =~ /yahoogroups\.com/i
score    LOCAL__H_from_yahoogroups   -2.0
describe LOCAL__H_from_yahoogroups   From yahoogroups.com

  


This matches

   From: [EMAIL PROTECTED]

you can play with other headers such as Sender, List-Id, ... etc, but 
all these can be forged.


if these are to be trusted, look at whitelist_rcvd_from. Note that 
yahoogroups mail have a domain key signature.
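
What the posted `From =~ /yahoogroups\.com/i` pattern matches, next to a comparison against the parsed address domain, as an added example (not code from the thread). The From values are constructed and the function names are hypothetical; neither check authenticates the sender, which is why the reply above points to the received-from whitelist and the DomainKeys signature instead.

```python
import re
from email.utils import getaddresses

# The pattern from the posted rule: unanchored, searched over the whole header.
LOOSE = re.compile(r"yahoogroups\.com", re.I)

# Constructed From header values (not taken from real mail).
SAMPLES = [
    "listname-owner@yahoogroups.com",
    '"support@yahoogroups.com" <someone@mail.example>',
    "someone@yahoogroups.com.mail.example",
    "Alice <alice@example.org>",
]


def loose_match(from_header):
    """True wherever the rule's regex would fire on this header value."""
    return bool(LOOSE.search(from_header))


def domain_match(from_header, domain="yahoogroups.com"):
    """True only if an address in the header has exactly this domain.

    Assumption: an exact, case-insensitive comparison of the part after
    the last '@'; subdomains are deliberately not accepted.
    """
    for _name, addr in getaddresses([from_header]):
        local, sep, dom = addr.rpartition("@")
        if sep and local and dom.lower() == domain:
            return True
    return False


def compare(headers):
    """Return (header, loose result, parsed-domain result) for each value."""
    return [(h, loose_match(h), domain_match(h)) for h in headers]


if __name__ == "__main__":
    for header, loose, strict in compare(SAMPLES):
        print(f"loose={loose!s:5} domain={strict!s:5} {header}")
```

The second and third samples receive the rule's -2.0 even though no address in them is at yahoogroups.com: the regex also fires on the display name and on a longer domain that merely contains the string.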





Yahoo groups

2006-12-24 Thread Rodney Richison
In my fight against spam, yahoo groups seems to be the only casualty.
I'm not a rule writer, so please forgive this feeble attempt and let me
know if it looks ok

# Example of a rule for text in the header of the mail:
header   LOCAL__H_from_yahoogroups   From =~ /yahoogroups\.com/i
score    LOCAL__H_from_yahoogroups   -2.0
describe LOCAL__H_from_yahoogroups   From yahoogroups.com




Highest Regards,


Rodney Richison 
RCR Computing 
PO Box 566 - 118 N. Broadway 
Cleveland, OK 74020 
Phone: 918-358-
Proud ChannelVar member!
www.ChannelVar.com


Re: White listing yahoo groups

2006-11-15 Thread Benny Pedersen

On Tue, November 14, 2006 19:00, SM wrote:

> See whitelist_from_dk [EMAIL PROTECTED] example.com

for me this is not possible with domainkeys

but only with dkim

-- 
This message was sent using 100% recycled spam mails.



Re: White listing yahoo groups

2006-11-14 Thread Andrew Hodgson
On Tue, 14 Nov 2006 10:21:02 -0800, Bill Moseley <[EMAIL PROTECTED]>
wrote:

[...]

>Yes, it is my machine rejecting the mail that is flagged spam.
>And when I reject too many messages Yahoo's mailing list software
>considers my email non-working and stops delivering list messages.

Snap!  I have the same issue here, I reject with a high score, and it
only takes one to put it into bounce mode.  Also, they never let you
know you are bouncing until like the next couple of days.

The other problem is I have a system here which does some checks on
the SMTP transaction and performs checks which gets to SA, and due to
the way Yahoo delivers the messages to multiple recipients on the same
domain (through sending the message multiple times in the same SMTP
transaction) this caused problems as well.
>
>I guess I'm just curious how others deal with mailing lists.  I
>suspect just like any other mail -- if a message has a high enough
>spam score then reject it.

I am going to try some of the other messages in this thread - may take
a while though, as I have to wait for one to trip the system.

Andrew.



Re: White listing yahoo groups

2006-11-14 Thread David B Funk
On Tue, 14 Nov 2006,  wrote:

> whitelist_from_rcvd *.mail.mud.yahoo.com *.bullet.scd.yahoo.com
>

Um shouldn't that first component be in address format?
EG:

whitelist_from_rcvd [EMAIL PROTECTED]  yahoo.com


Also that second argument doesn't need that '*'. It already
pattern matches against the substring of the sending domain name.

If you want to "shotgun" whitelist all stuff coming from yahoo
you could use:

whitelist_from_rcvd [EMAIL PROTECTED]   yahoo.com


Of course, whitelist_from_rcvd demands that your DNS and
trusted_networks be functional.

Dave


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: White listing yahoo groups

2006-11-14 Thread Kelson

Benny Pedersen wrote:

i whitelist with trusted_networks

...

add ALL yahoo.com outgoing ip to trusted_networks in spamassassin solves it,
but who knows their ip's ?


That probably isn't doing what you think it is.

trusted_networks isn't a whitelist.  It doesn't mean you trust them not 
to send spam.  It just means you trust the data in their Received headers.


It does, however, push RBL checks out one level, so you'll be checking 
RBLs against the original senders, not against Yahoo.  But it won't 
reduce the score on messages that trip your threshold based on content 
or header rules.


--
Kelson Vibber
SpeedGate Communications 


Re: White listing yahoo groups

2006-11-14 Thread Benny Pedersen

On Tue, November 14, 2006 19:25,  wrote:
> whitelist_from_rcvd *.mail.mud.yahoo.com *.bullet.scd.yahoo.com

wish it was that simple :(

spamassassin will still check spamcop

but may not say its spam and thus accept it

-- 
This message was sent using 100% recycled spam mails.



Re: White listing yahoo groups

2006-11-14 Thread Benny Pedersen

On Tue, November 14, 2006 19:21, Bill Moseley wrote:

>> Unless YOUR machine is bouncing them, your SA will not help. Spamcop is
>> usually the culprit and is being used by Yahoo.

ip is listed so:

Resolved 69.147.64.135 to n20c.bullet.sp1.yahoo.com.
[n20c.bullet.sp1.yahoo.com. has 1 MX record .(0)]

why have a mx on a reverse dns ?, silly :-)

> Yes, it is my machine rejecting the mail that is flagged spam.
> And when I reject too many messages Yahoo's mailing list software
> considers my email non-working and stops delivering list messages.
>
> I guess I'm just curious how others deal with mailing lists.  I
> suspect just like any other mail -- if a message has a high enough
> spam score then reject it.

i whitelist with trusted_networks

> One problem is yahoo's machine is in spamcop, which might happen
> more often due to the volume of mail they send out.  So, I might want
> to reduce the score for mail that comes from any of the yahoo mail
> servers.  Although, I'm not clear how to know that the mail is from
> yahoo (or any other larger list provider).

spamcop should filter out maillist servers !

> For example, can I say ignore spamcop's report if the connecting
> server's reverse lookup includes "yahoo.com"?  Not sure how SA would
> know the connecting server (I'm running SA from an Exim4 ACL, by the
> way).

add ALL yahoo.com outgoing ip to trusted_networks in spamassassin solves it,
but who knows their ip's ?

> IIRC, the problem with Yahoo is that if you belong to, say, 20 lists
> and if one of those lists sends a lot of spam that gets rejected then
> your address is considered non-working resulting in all 20 lists
> stopping.

it has to be this way, since yahoo can not see if the mailbox is working or
just a spam checker that does not work :(

-- 
This message was sent using 100% recycled spam mails.



Re: White listing yahoo groups

2006-11-14 Thread qqqq
whitelist_from_rcvd *.mail.mud.yahoo.com *.bullet.scd.yahoo.com


Re: White listing yahoo groups

2006-11-14 Thread Bill Moseley
On Tue, Nov 14, 2006 at 05:42:58PM +0200, David Baron wrote:
> On Tuesday 14 November 2006 17:01, Bill Moseley wrote:
> > I keep getting my yahoo groups account shut down because of too many
> > bounces.  For one thing, their mail server is listed:
> >
> > Blocked - see <http://www.spamcop.net/bl.shtml?69.147.64.135>
> >
> > Is there a recommended method for dealing with mailing lists where the
> > mail may come from any number of mail servers?
> >
> > Should I try and white list the hosts?  Or better to give a large
> > negative score?
> >
> > Can their use of "DomainKeys" be used in my scoring?
> 
> Unless YOUR machine is bouncing them, your SA will not help. Spamcop is 
> usually the culprit and is being used by Yahoo.

Yes, it is my machine rejecting the mail that is flagged spam.
And when I reject too many messages Yahoo's mailing list software
considers my email non-working and stops delivering list messages.

I guess I'm just curious how others deal with mailing lists.  I
suspect just like any other mail -- if a message has a high enough
spam score then reject it.

One problem is yahoo's machine is in spamcop, which might happen
more often due to the volume of mail they send out.  So, I might want
to reduce the score for mail that comes from any of the yahoo mail
servers.  Although, I'm not clear how to know that the mail is from
yahoo (or any other larger list provider).

For example, can I say ignore spamcop's report if the connecting
server's reverse lookup includes "yahoo.com"?  Not sure how SA would
know the connecting server (I'm running SA from an Exim4 ACL, by the
way).

IIRC, the problem with Yahoo is that if you belong to, say, 20 lists
and if one of those lists sends a lot of spam that gets rejected then
your address is considered non-working resulting in all 20 lists
stopping.




-- 
Bill Moseley
[EMAIL PROTECTED]



Re: White listing yahoo groups

2006-11-14 Thread SM

At 07:01 14-11-2006, Bill Moseley wrote:

Should I try and white list the hosts?  Or better to give a large
negative score?


Yes, if you don't receive spam from these hosts.


Can their use of "DomainKeys" be used in my scoring?


See whitelist_from_dk [EMAIL PROTECTED] example.com

The signing domain (last parameter) is optional.

Regards,
-sm 



Re: White listing yahoo groups

2006-11-14 Thread David Baron
On Tuesday 14 November 2006 17:01, Bill Moseley wrote:
> I keep getting my yahoo groups account shut down because of too many
> bounces.  For one thing, their mail server is listed:
>
> Blocked - see <http://www.spamcop.net/bl.shtml?69.147.64.135>
>
> Is there a recommended method for dealing with mailing lists where the
> mail may come from any number of mail servers?
>
> Should I try and white list the hosts?  Or better to give a large
> negative score?
>
> Can their use of "DomainKeys" be used in my scoring?

Unless YOUR machine is bouncing them, your SA will not help. Spamcop is 
usually the culprit and is being used by Yahoo.


Re: White listing yahoo groups

2006-11-14 Thread Bill Moseley
On Tue, Nov 14, 2006 at 07:01:12AM -0800, Bill Moseley wrote:
> Can their use of "DomainKeys" be used in my scoring?

Sorry, that was more of "*should* their use..." -- I'm not clear
on the use of Mail::SpamAssassin::Plugin::DomainKeys.

-- 
Bill Moseley
[EMAIL PROTECTED]



White listing yahoo groups

2006-11-14 Thread Bill Moseley
I keep getting my yahoo groups account shut down because of too many
bounces.  For one thing, their mail server is listed:

Blocked - see <http://www.spamcop.net/bl.shtml?69.147.64.135>

Is there a recommended method for dealing with mailing lists where the
mail may come from any number of mail servers?

Should I try and white list the hosts?  Or better to give a large
negative score?

Can their use of "DomainKeys" be used in my scoring?


-- 
Bill Moseley
[EMAIL PROTECTED]



Re: False positive from Yahoo Groups' new HTML email format

2006-06-08 Thread jdow

From: "John D. Hardin" <[EMAIL PROTECTED]>


On Thu, 8 Jun 2006, John Beranek wrote:


P.S. and a Yahoo email server is listed in Spamcop??


Perennially. I've had to whitelist them so that my wife's Yahoo Groups
mailing lists weren't constantly being discarded.

--
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
Senator, when you took your oath of office, you placed your hand on
the Bible and swore to uphold the Constitution. You didn't place your
hand on the Constitution and swear to uphold the Bible.
   -- Jamie Raskin, Professor of Law at American
   University, testifying before the Maryland Senate
---
10 days until SWMBO's Birthday


IMAO the new Yahoo format should not EVER get a free pass. It is spam
from the getgo holding real content hostage. God but they're annoying!
I ripped them a new orifice in email I sent them about the new format.

{o.o}


Re: False positive from Yahoo Groups' new HTML email format

2006-06-08 Thread John D. Hardin
On Thu, 8 Jun 2006, John Beranek wrote:

> P.S. and a Yahoo email server is listed in Spamcop??

Perennially. I've had to whitelist them so that my wife's Yahoo Groups
mailing lists weren't constantly being discarded.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Senator, when you took your oath of office, you placed your hand on
 the Bible and swore to uphold the Constitution. You didn't place your
 hand on the Constitution and swear to uphold the Bible.
-- Jamie Raskin, Professor of Law at American
University, testifying before the Maryland Senate
---
 10 days until SWMBO's Birthday



Re: {Disarmed} False positive from Yahoo Groups' new HTML email format

2006-06-08 Thread Michele Neylon
John Beranek wrote:
> FYI...
> 
> John.
> 
> P.S. and a Yahoo email server is listed in Spamcop??
> 

Happens all the time...


Re: Null Messages from Yahoo! Groups?

2006-03-11 Thread Yousef Raffah
On Sat, 2006-03-11 at 01:23 -0800, Loren Wilton wrote:
> > @yahoogroups.com, although the message has the below headers, it shows
> > no sender and no subject.
> 
> > Subject: [ Nawaf ] äÝÓ ÇáÅÍÓÇÓ íÇ äÇÓ / ÕæÑ æßáãÇÊ ÊÓÊÍÞ ÇáÞÑÇÁÉ
> > From: SOFI <[EMAIL PROTECTED]>
> 
> Looks to me like a sender and a subject.
> Of course, the sender doesn't match
> 
You are right but the message does not have any "From" nor subject in my
E-mail client! As a normal user, I'm not supposed to check the headers
of the message, right?

> > X-Sender: [EMAIL PROTECTED]
> 
> But maybe that has something to do with the mailing list software.
> 
If that is the case, anybody else having the same issue on the list here
with @yahoogroups.com mails?

> Loren
> 

Sincerely,
Yousef Raffah
Senior Systems Administrator
SSIS - The Savola Group

--
Aren't you using Firefox? Get it at getfirefox.com
yousef.raffah.com




Re: Null Messages from Yahoo! Groups?

2006-03-11 Thread Loren Wilton
> @yahoogroups.com, although the message has the below headers, it shows
> no sender and no subject.

> Subject: [ Nawaf ] äÝÓ ÇáÅÍÓÇÓ íÇ äÇÓ / ÕæÑ æßáãÇÊ ÊÓÊÍÞ ÇáÞÑÇÁÉ
> From: SOFI <[EMAIL PROTECTED]>

Looks to me like a sender and a subject.
Of course, the sender doesn't match

> X-Sender: [EMAIL PROTECTED]

But maybe that has something to do with the mailing list software.

Loren



Null Messages from Yahoo! Groups?

2006-03-11 Thread Yousef Raffah
Hi Everyone,

I'm having a quite strange status of all the mails coming from
@yahoogroups.com, although the message has the below headers, it shows
no sender and no subject.


Return-Path: <>
Received: from 10.10.1.9 by mailsrv with ESMTP id 48206191142061138;
Sat, 11 Mar 2006 10:12:18 +0300
Received: from kansai.savoladns.com ([10.10.1.4]) by srv2 with InterScan
Messaging Security Suite; Sat, 11 Mar 2006 10:33:55 +0300
X-Envelope-From:
<[EMAIL PROTECTED]>
X-Envelope-To: <[EMAIL PROTECTED]>
X-Quarantine-Id: 
Received: from n3a.bullet.scd.yahoo.com (n3a.bullet.scd.yahoo.com
[66.94.237.37]) by kansai.savoladns.com (Postfix) with SMTP id
C2BB410202 for <[EMAIL PROTECTED]>; Sat, 11 Mar 2006 10:22:52 +0300
(AST)
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=lima;
d=yahoogroups.com; b=McSL2mOL1JAeQdrWDsH+dj+3PKD3ZPnbcluWkPQt5peTWU/Qnp
+XWFgmG7r6xgNB7LQPZa3o+eTTw3US4sM70jrWRK
+XqnxNKXmcQ4JmyCczJW1Gg9MNbtqsTfVCkmDU;
Received: from [66.218.66.59] by n3.bullet.scd.yahoo.com with NNFMP; 11
Mar 2006 07:21:39 -
Received: from [66.218.66.96] by t8.bullet.scd.yahoo.com with NNFMP; 11
Mar 2006 07:21:39 -
X-Yahoo-Newman-Property: groups-email
Received: (qmail 39706 invoked from network); 11 Mar 2006 07:08:52 -
Received: from unknown (66.218.67.36) by m13.grp.scd.yahoo.com with
QMQP; 11 Mar 2006 07:08:52 -
Received: from unknown (HELO n4a.bullet.dcn.yahoo.com) (216.155.203.224)
by mta10.grp.scd.yahoo.com with SMTP; 11 Mar 2006 07:08:51 -
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
Received: from [216.155.201.64] by n4.bullet.dcn.yahoo.com with NNFMP;
11 Mar 2006 07:08:44 -
Received: from [66.218.69.5] by t1.bullet.dcn.yahoo.com with NNFMP; 11
Mar 2006 07:08:43 -
Received: from [66.218.66.89] by t5.bullet.scd.yahoo.com with NNFMP; 11
Mar 2006 07:08:43 -
X-Sender: [EMAIL PROTECTED]
X-Apparently-To: [EMAIL PROTECTED]
Received: (qmail 94798 invoked from network); 10 Mar 2006 03:31:55 -
Received: from unknown (66.218.67.33) by m13.grp.scd.yahoo.com with
QMQP; 10 Mar 2006 03:31:55 -
Received: from unknown (HELO hotmail.com) (65.54.174.17) by
mta7.grp.scd.yahoo.com with SMTP; 10 Mar 2006 03:31:55 -
Received: from mail pickup service by hotmail.com with Microsoft
SMTPSVC; Thu, 9 Mar 2006 19:31:33 -0800
Message-ID: <[EMAIL PROTECTED]>
Received: from 65.54.174.200 by by103fd.bay103.hotmail.msn.com with
HTTP; Fri, 10 Mar 2006 03:31:32 GMT
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-OriginalArrivalTime: 10 Mar 2006 03:31:33.0974 (UTC)
FILETIME=[2132F760:01C643F3]
X-Originating-IP: 65.54.174.17
X-eGroups-Msg-Info: 1:7:0:0
From: SOFI <[EMAIL PROTECTED]>
X-eGroups-Edited-By: n_i_22000 <[EMAIL PROTECTED]>
X-eGroups-Approved-By: n_i_22000 <[EMAIL PROTECTED]> via web; 11 Mar
2006 07:08:41 -
MIME-Version: 1.0
Mailing-List: list [EMAIL PROTECTED]; contact
[EMAIL PROTECTED]
Delivered-To: mailing list [EMAIL PROTECTED]
List-Id: 
Precedence: bulk
List-Unsubscribe: 
Date: Fri, 10 Mar 2006 03:31:32 +  (06:31 AST)
Subject: [ Nawaf ] äÝÓ ÇáÅÍÓÇÓ íÇ äÇÓ / ÕæÑ æßáãÇÊ ÊÓÊÍÞ ÇáÞÑÇÁÉ
Reply-To: [EMAIL PROTECTED]
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Spam-Status: Yes, score=11.167 tag=-100 tag2=6.3 kill=6.3
tests=[BAYES_99=3.5, DNS_FROM_RFC_ABUSE=0.2, DNS_FROM_RFC_WHOIS=1.447,
HTML_90_100=0.113, HTML_FONT_LOW_CONTRAST=0.194, HTML_MESSAGE=0.001,
HTML_TAG_EXIST_BGSOUND=2.107, MIME_HTML_ONLY=0.001,
MSGID_FROM_MTA_HEADER=0, SARE_HTML_COLOR_NWHT3=0.656,
SARE_HTML_FONT_INVIS2=0.64, SARE_HTML_GIF_SHORT=0.5,
SARE_HTML_NO_BODY2=0.2, SARE_HTML_NO_BODY3=0.129, SARE_HTML_P_BREAK=0.2,
SUBJ_ILLEGAL_CHARS=4.279]
X-Spam-Score: 11.167
X-Spam-Level: **
X-Spam-Flag: YES

Has any of you had a similar situation? What could it be related to?
One more thing, in case it makes any difference, I have greylisted
@yahoo.com and @hotmail.com mails! :|

Sincerely,
Yousef Raffah
Senior Systems Administrator
SSIS - The Savola Group

--
Aren't you using Firefox? Get it at getfirefox.com
yousef.raffah.com

