Re: emailreg.org - tainted white list

2009-12-14 Thread Christian Brel
Last week the blackhats that make up the '$pamAssassin PMC' sought to
silence people who object to paid whitelists appearing in the core
program which seek to give advantage to certain ESP's. vocal in the odd
behaviour of the program. Namely those listed in whitelist 'Habeas' (a
river flowing back to Return Path) are given a negative score to grease
the wheels for the delivery of their UCE.

Now that the dust has settled the Barracuda Marketing Machine (who
appear to have some financial connection with Apache - {citation:
http://www.barracudanetworks.com/ns/company/open-source.php} and
probably have people sitting on the PMC) takes the chance to rear its
ugly arse and begin redo the spin out its own pay to spam whitelist
"emailreg.org". emailreg.org may form part of a discussion in a spam
list, but it is off topic for the Spamassassin list.

Whilst Bob O Brian @ Barracuda trying to distance Barracuda from a
direct connection may fool some, sensible people involved in anti-spam
know full well this is a Barracuda product thinly garnished as
something else. Sensible people also know that the Barracuda owner
Micheal Perone is claimed to be a known former spammer: (citation:
http://www.rhyolite.com/anti-spam/objections/mperone.shtml)

Barracuda Spam 'and virus' Firewall hardware (a cobbled together mix of
free open source software and largely free rules/virus definitions) by
default passes emailreg.org registered mail. There is *no* facility for
the owner of the Barracuda to disable this without calling Barracuda
Support. Contrast this to the Barracuda Whitelist, which has a check
box to turn it on/off. It is fair to suggest this omission is because
Barracuda *don't want* users turning off emailreg.org.

The Barracuda White List from December 2009 is posted elsewhere if you
are interested in a 'who's who':
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/a9f757e7a2ee38d5#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/2745f741838c23ea#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/ce79b2349a83a2d5#

The Barracuda machine is now trying to suggest that emailreg.org is of
the calibre of Habeas. It is not. It is a pay to spam service and
deserves no place in the Spamassassin ruleset OTHER than to INCREASE
the score of mail.

Whilst some halfbread moron has suggested giving emailreg.org a -100
score (compared to -4 for Habeas) the better rule is posted below.

PEOPLE READING THIS LIST BE VERY AWARE DARK FORCES ARE AT WORK HERE TO
DISCREDIT AND STRIKE VIEWS THAT AFFECT REVENUE. SPAMASSASSIN IS AS MUCH
ABOUT MAKING MONEY AS IT IS ABOUT BLOCKING SPAM - KEEP YOUR EYES OPEN
TO THE DARK FORCES THAT USE SPAMASSASSIN TO FACILITATE THE DELIVERY OF
PAID FOR, JUNK COMMERCIAL MAIL. DON'T BE BLIND TO THE POWER WIELDED BY
RETURN PATH, BARRACUDA AND OTHERS IN WINING AND DINING Daryl C. W.
O'Shea.


Suggested sensible Spamassassin Rule for emailreg.org:


header __RCVD_IN_EMAILREG eval:check_rbl('emailreg-trusted', 'resl.emailreg.org.')
header RCVD_IN_EMAILREG_0 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.0')
describe RCVD_IN_EMAILREG_0   Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_0 black hat

header RCVD_IN_EMAILREG_1 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.1')
describe RCVD_IN_EMAILREG_1   Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_1 black hat
score RCVD_IN_EMAILREG_0 30
score RCVD_IN_EMAILREG_1 30

-- 
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations. 
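
How a check_rbl / check_rbl_sub pair like the one posted above turns a relay IP into a DNS list query and then into rule hits, as an added Python example that is not part of the original post or of SpamAssassin's own code. The zone contents, the RFC 5737 client addresses and the return codes are constructed; the sub-test is modelled as an unanchored regex search on the returned A record (an assumption), and the STRICT patterns are the editor's, not the poster's.

```python
import ipaddress
import re

ZONE = "resl.emailreg.org."  # zone name taken from the posted rule

# Constructed stand-in for DNS: query name -> A record. The client addresses
# are RFC 5737 documentation IPs and the return codes are invented for this demo.
FAKE_DNS = {
    "10.2.0.192." + ZONE: "127.0.3.0",
    "11.2.0.192." + ZONE: "127.0.3.1",
    "12.2.0.192." + ZONE: "127.0.100.5",
    "13.2.0.192." + ZONE: "127.0.2.10",
}

# Sub-tests exactly as posted (dots unescaped, no anchors).
POSTED = {
    "RCVD_IN_EMAILREG_0": r"127.0.\d+.0",
    "RCVD_IN_EMAILREG_1": r"127.0.\d+.1",
}
# Editor's stricter variants: literal dots, anchored at both ends.
STRICT = {
    "RCVD_IN_EMAILREG_0": r"^127\.0\.\d+\.0$",
    "RCVD_IN_EMAILREG_1": r"^127\.0\.\d+\.1$",
}


def query_name(client_ip, zone=ZONE):
    """Build the DNS-list query: reversed IPv4 octets prepended to the zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this demo handles IPv4 only")
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(client_ip, resolver=FAKE_DNS.get):
    """Return the A record text for a listed address, or None (not listed)."""
    return resolver(query_name(client_ip))


def rule_hits(client_ip, subtests, resolver=FAKE_DNS.get):
    """Names of the sub-rules whose pattern matches the list's answer."""
    answer = lookup(client_ip, resolver)
    if answer is None:  # not listed: no answer, so no sub-rule can fire
        return []
    # Assumption: the sub-test is applied as an unanchored regex search.
    return [name for name, pat in subtests.items() if re.search(pat, answer)]


def compare(client_ip):
    """(answer, hits with posted patterns, hits with strict patterns)."""
    return (
        lookup(client_ip),
        rule_hits(client_ip, POSTED),
        rule_hits(client_ip, STRICT),
    )


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12",
               "192.0.2.13", "192.0.2.99"):
        print(ip, query_name(ip), *compare(ip))
```

With the posted patterns, answers such as 127.0.100.5 or 127.0.2.10 still trip a rule, because an unescaped dot matches any character and nothing anchors the end; the anchored, dot-escaped forms fire only on the intended return codes.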


Re: emailreg.org - tainted white list

2009-12-14 Thread Bill Landry
Christian Brel, AKA "rich...@buzzhost.co.uk" (among other aliases), is
back...

Bill


Re: emailreg.org - tainted white list

2009-12-14 Thread LuKreme
On 14-Dec-2009, at 07:59, Bill Landry wrote:
> Christian Brel, AKA "rich...@buzzhost.co.uk" (among other aliases), is
> back…

Ah, that explains the tone and typo pattern of that email.

While I am suspicious of emailreg.org and Barracuda's ties to each other I am 
not moving to a shack in Montana because of it, if you know what I mean.

Personally, I am not going to waste the processor cycles checking emailreg AT 
ALL, so I am not going to score up emails on the whitelist either. Now, if 
other more … levelheaded users of this list find that a slight positive nudge 
is worthwhile I'm certainly willing to reconsider. Thirty points in one rule? 
Do I look like I'm wearing a tinfoil hat?

DARK FORCES indeed.

-- 
Well boys, we got three engines out, we got more holes in us than a
horse trader's mule, the radio is gone and we're leaking fuel
and if we was flying any lower why we'd need sleigh bells on
this thing... but we got one little budge on those Roosskies.
At this height why they might harpoon us but they dang sure
ain't gonna spot us on no radar screen!



Re: emailreg.org - tainted white list

2009-12-14 Thread Marc Perkel



Christian Brel wrote:

> Last week the blackhats that make up the '$pamAssassin PMC' sought to
> silence people who object to paid whitelists appearing in the core
> program which seek to give advantage to certain ESP's. vocal in the odd
> behaviour of the program. Namely those listed in whitelist 'Habeas' (a
> river flowing back to Return Path) are given a negative score to grease
> the wheels for the delivery of their UCE.
>
> Now that the dust has settled the Barracuda Marketing Machine (who
> appear to have some financial connection with Apache - {citation:
> http://www.barracudanetworks.com/ns/company/open-source.php} and
> probably have people sitting on the PMC) takes the chance to rear its
> ugly arse and begin redo the spin out its own pay to spam whitelist
> "emailreg.org". emailreg.org may form part of a discussion in a spam
> list, but it is off topic for the Spamassassin list.
>
> Whilst Bob O Brian @ Barracuda trying to distance Barracuda from a
> direct connection may fool some, sensible people involved in anti-spam
> know full well this is a Barracuda product thinly garnished as
> something else. Sensible people also know that the Barracuda owner
> Micheal Perone is claimed to be a known former spammer: (citation:
> http://www.rhyolite.com/anti-spam/objections/mperone.shtml)
>
> Barracuda Spam 'and virus' Firewall hardware (a cobbled together mix of
> free open source software and largely free rules/virus definitions) by
> default passes emailreg.org registered mail. There is *no* facility for
> the owner of the Barracuda to disable this without calling Barracuda
> Support. Contrast this to the Barracuda Whitelist, which has a check
> box to turn it on/off. It is fair to suggest this omission is because
> Barracuda *don't want* users turning off emailreg.org.
>
> The Barracuda White List from December 2009 is posted elsewhere if you
> are interested in a 'who's who':
> http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/a9f757e7a2ee38d5#
> http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/2745f741838c23ea#
> http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/ce79b2349a83a2d5#
>
> The Barracuda machine is now trying to suggest that emailreg.org is of
> the calibre of Habeas. It is not. It is a pay to spam service and
> deserves no place in the Spamassassin ruleset OTHER than to INCREASE
> the score of mail.
>
> Whilst some halfbread moron has suggested giving emailreg.org a -100
> score (compared to -4 for Habeas) the better rule is posted below.
>
> PEOPLE READING THIS LIST BE VERY AWARE DARK FORCES ARE AT WORK HERE TO
> DISCREDIT AND STRIKE VIEWS THAT AFFECT REVENUE. SPAMASSASSIN IS AS MUCH
> ABOUT MAKING MONEY AS IT IS ABOUT BLOCKING SPAM - KEEP YOUR EYES OPEN
> TO THE DARK FORCES THAT USE SPAMASSASSIN TO FACILITATE THE DELIVERY OF
> PAID FOR, JUNK COMMERCIAL MAIL. DON'T BE BLIND TO THE POWER WIELDED BY
> RETURN PATH, BARRACUDA AND OTHERS IN WINING AND DINING Daryl C. W.
> O'Shea.


  


Well, I started the emailreg thread and I'm technically a competitor of 
Barracuda's so I'm not part of the "machine". I would also point out 
that SA allows you to assign scores however you want. So if you want to 
pass spam and block ham SA can do that. Personally I'm interested in 
blocking spam and keeping my customers happy.


Although I can appreciate the "slippery slope" argument the way I see it 
if anyone starts selling white listed to spammers then that would 
taint their list and no one would use their white list anymore. We (and 
I really mean me) use only that which actually works. So if people sold 
out to spammers then their list would stop working and would come out of 
my rule set.


As to your published list of some Barracuda data, that's a rather small 
list. Looks like something that would pass my white list too. So I don't 
see your point in publishing it in that it doesn't make your point.


I think everyone knows that emailreg is linked to Barracuda. In my 
opinion that's a good thing because they have a vast network of spam 
filtering servers and can instantly detect if a spammer has bought into 
their emailreg and instantly remove them and keep the $20 of the bad 
guy's money.


But - regardless of the politics and religion, I started the thread to 
discuss technical issues and looking for some technical response.


And - in closing - SA focuses too much on detecting spam and not enough 
on detecting ham. One of the ways I got my false positives down to 
almost nothing is by actively detecting ham. And in many cases this is 
easier because those sending nothing but ham are not trying to be 
evasive and are fairly easy to discover.




Re: emailreg.org - tainted white list

2009-12-14 Thread Marc Perkel






LuKreme wrote:

> On 14-Dec-2009, at 07:59, Bill Landry wrote:
>> Christian Brel, AKA "rich...@buzzhost.co.uk" (among other aliases), is
>> back…
>
> Ah, that explains the tone and typo pattern of that email.
>
> While I am suspicious of emailreg.org and Barracuda's ties to each other I am not moving to a shack in Montana because of it, if you know what I mean.
>
> Personally, I am not going to waste the processor cycles checking emailreg AT ALL, so I am not going to score up emails on the whitelist either. Now, if other more … levelheaded users of this list find that a slight positive nudge is worthwhile I'm certainly willing to reconsider. Thirty points in one rule? Do I look like I'm wearing a tinfoil hat?
>
> DARK FORCES indeed.

  


If you think about it, if Barracuda, a spam filtering company, started
selling access to spammers, how long do you think Barracuda would stay
in business. Their customers who got the spam would move elsewhere. So
I really don't think that Barracuda is going to sell out their main
business to make $20 off of a few spammers.





Re: emailreg.org - tainted white list

2009-12-14 Thread Christian Brel
On Mon, 14 Dec 2009 07:28:22 -0800
Marc Perkel  wrote:


> If you think about it, if Barracuda, a spam filtering company,
> started selling access to spammers, how long do you think Barracuda
> would stay in business.
To quote Dean Drako of Barracuda on a 2008 visit to the UK "Just sell
them anything and we will worry about it afterwards" Draw your own
conclusions.

> Their customers who got the spam would move
> elsewhere. So I really don't think that Barracuda is going to sell
> out their main business to make $20 off of a few spammers.

If it's so clear cut, why is the option for the owner of the said
Barracuda spam device *not* able to disable emailreg.org, but they
*can* disable the Barracuda whitelist 'proper'?

When asked on this point Justin O Brien of Barracuda said 'We don't
want them switching it off'. Why? Possibly because it is a paid to
spam, pay to bypass Barracuda list??? If you expand that into
Spamassassin then that really is going to look corrupt. Please at least
try and disguise it a little bit better than that, FFS.

Don't underestimate those $20 payments. The last time I looked scale of
economy was alive and well given sufficient market. Drako, Perone et al
don't do anything unless there is more than the price of a cup of tea
in it for them.

I'm sorry if people take offence to that, but it has foundations in
reality. A place that seems to scare some people.

-- 
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations. 


Re: emailreg.org - tainted white list

2009-12-14 Thread jdow

-1

/dev/null? Let's see if he earns it.
{^_^}
- Original Message - 
From: "Christian Brel" 

To: 
Sent: Monday, 2009/December/14 01:54
Subject: Re: emailreg.org - tainted white list



Last week the blackhats that make up the '$pamAssassin PMC' sought to
silence people who object to paid whitelists appearing in the core
program which seek to give advantage to certain ESP's. vocal in the odd
behaviour of the program. Namely those listed in whitelist 'Habeas' (a
river flowing back to Return Path) are given a negative score to grease
the wheels for the delivery of their UCE.

Now that the dust has settled the Barracuda Marketing Machine (who
appear to have some financial connection with Apache - {citation:
http://www.barracudanetworks.com/ns/company/open-source.php} and
probably have people sitting on the PMC) takes the chance to rear its
ugly arse and begin redo the spin out its own pay to spam whitelist
"emailreg.org". emailreg.org may form part of a discussion in a spam
list, but it is off topic for the Spamassassin list.

Whilst Bob O Brian @ Barracuda trying to distance Barracuda from a
direct connection may fool some, sensible people involved in anti-spam
know full well this is a Barracuda product thinly garnished as
something else. Sensible people also know that the Barracuda owner
Micheal Perone is claimed to be a known former spammer: (citation:
http://www.rhyolite.com/anti-spam/objections/mperone.shtml)

Barracuda Spam 'and virus' Firewall hardware (a cobbled together mix of
free open source software and largely free rules/virus definitions) by
default passes emailreg.org registered mail. There is *no* facility for
the owner of the Barracuda to disable this without calling Barracuda
Support. Contrast this to the Barracuda Whitelist, which has a check
box to turn it on/off. It is fair to suggest this omission is because
Barracuda *don't want* users turning off emailreg.org.

The Barracuda White List from December 2009 is posted elsewhere if you
are interested in a 'who's who':
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/a9f757e7a2ee38d5#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/2745f741838c23ea#
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/ce79b2349a83a2d5#

The Barracuda machine is now trying to suggest that emailreg.org is of
the calibre of Habeas. It is not. It is a pay to spam service and
deserves no place in the Spamassassin ruleset OTHER than to INCREASE
the score of mail.

Whilst some halfbread moron has suggested giving emailreg.org a -100
score (compared to -4 for Habeas) the better rule is posted below.

PEOPLE READING THIS LIST BE VERY AWARE DARK FORCES ARE AT WORK HERE TO
DISCREDIT AND STRIKE VIEWS THAT AFFECT REVENUE. SPAMASSASSIN IS AS MUCH
ABOUT MAKING MONEY AS IT IS ABOUT BLOCKING SPAM - KEEP YOUR EYES OPEN
TO THE DARK FORCES THAT USE SPAMASSASSIN TO FACILITATE THE DELIVERY OF
PAID FOR, JUNK COMMERCIAL MAIL. DON'T BE BLIND TO THE POWER WIELDED BY
RETURN PATH, BARRACUDA AND OTHERS IN WINING AND DINING Daryl C. W.
O'Shea.


Suggested sensible Spamassassin Rule for emailreg.org:


header __RCVD_IN_EMAILREG eval:check_rbl('emailreg-trusted', 'resl.emailreg.org.')
header RCVD_IN_EMAILREG_0 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.0')
describe RCVD_IN_EMAILREG_0   Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_0 black hat

header RCVD_IN_EMAILREG_1 eval:check_rbl_sub('emailreg-trusted', '127.0.\d+.1')
describe RCVD_IN_EMAILREG_1   Sender in emailreg.org pay to spam list
tflags RCVD_IN_EMAILREG_1 black hat
score RCVD_IN_EMAILREG_0 30
score RCVD_IN_EMAILREG_1 30

--
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations.





Re: emailreg.org - tainted white list

2009-12-14 Thread jdow

From: "Marc Perkel" 
Sent: Monday, 2009/December/14 07:28


> LuKreme wrote:
>> On 14-Dec-2009, at 07:59, Bill Landry wrote:
>>> Christian Brel, AKA "rich...@buzzhost.co.uk" (among other aliases), is
>>> back…
>>
>> Ah, that explains the tone and typo pattern of that email.
>>
>> While I am suspicious of emailreg.org and Barracuda's ties to each other I 
>> am not moving to a shack in Montana because of it, if you know what I 
>> mean.
>>
>> Personally, I am not going to waste the processor cycles checking emailreg 
>> AT ALL, so I am not going to score up emails on the whitelist either. Now, 
>> if other more … levelheaded users of this list find that a slight positive 
>> nudge is worthwhile I'm certainly willing to reconsider. Thirty points in 
>> one rule? Do I look like I'm wearing a tinfoil hat?
>>
>> DARK FORCES indeed.
>
> If you think about it, if Barracuda, a spam filtering company, started 
> selling access to spammers, how long do you think Barracuda would stay in 
> business. Their customers who got the spam would move elsewhere. So I 
> really don't think that Barracuda is going to sell out their main business 
> to make $20 off of a few spammers.


Marc, I am admiring a nice pattern I see here. My mental Bayes algorithm
has ticked over. Is rich...@bizzhost.co.uk a spammer trying to derail the
effective tools? He's certainly acting like it.

{^_^} 



Re: emailreg.org - tainted white list

2009-12-14 Thread Daniel J McDonald
On Mon, 2009-12-14 at 16:09 +, Christian Brel wrote:

> If it's so clear cut, why is the option for the owner of the said
> Barracuda spam device *not* able to disable emailreg.org, but they
> *can* disable the Barracuda whitelist 'proper'?

Not germane to the spamassassin list.  Please redirect followups to
alt.flame.bararacuda.bork.bork.bork


> This e-mail and any attachments may form pure opinion and may not have
> any factual foundation. 

Good to know.  I'd hate to read an email full of facts.

> Please check any details provided to satisfy
> yourself as to suitability or accuracy of any information provided.
> Data Protection: Unless otherwise requested we may pass the
> information you have provided to other partner organisations. 

Hereby requested that you not pass *any* information to any partner
organisation.   Or any partner organization.  Or to any competitor.  Or
even to yourself.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: emailreg.org - tainted white list

2009-12-14 Thread Christian Brel
On Mon, 14 Dec 2009 08:37:02 -0800
"jdow"  wrote:

> Yup - he's a spammer.
{enter stage left the name calling}
That's what I heard about you JD, ain't that a blast! I better get my
$20 out and trot over to barracuda.spam.for.mo...@emailreg.org then, so
I can grease the wheels and make it official. Can I use your discount
referral code seeing as you're qualified in this area?


-- 
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations. 


Re: emailreg.org - tainted white list

2009-12-14 Thread Rob McEwen
If I ever do anything questionable, or not ethical, or even illegal, I
hope that Richard is the one to call me out on it publicly because once
he's confused issues with his personal insults and his best "Art Bell"
impression, I'll then come out smelling like a rose.

If he can ever stay banned, I won't miss the personal insults, I won't
miss his "holier than thou"/"us against them"/all-or-none positions &
attitudes, and I certainly won't miss the endless argumentative threads
he inspired about seemingly nothing (imo).

But I will miss (a) the entertainment value of some of his posts (his
"dark forces" one from earlier today was a classic) --AND-- last but not
least--I will miss his willingness to break through the political
correctness and bring up various points that few others were willing (or
brave enough?) to point out.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




RE: emailreg.org - tainted white list

2009-12-14 Thread Michael Hutchinson

 
> But I will miss (a) the entertainment value of some of his posts (his
> "dark forces" one from earlier today was a classic) --AND-- last but
> not
> least--I will miss his willingness to break through the political
> correctness and bring up various points that few others were willing
> (or
> brave enough?) to point out.

If everyone could ignore the taunting, and just carry on, there wouldn't be
an issue. I agree that the entertainment value is good, but your last point
is best of all. I re-quote:

"I will miss his willingness to break through the political correctness and
bring up various points that few others were willing (or brave enough?) to
point out."

Me too. Someone has to stir the pot occasionally, and it doesn't hurt to
have someone around that makes you think outside the square.

My 2cents.
Cheers,
Mike




Re: emailreg.org - tainted white list

2009-12-14 Thread Res

On Mon, 14 Dec 2009, jdow wrote:

>> selling access to spammers, how long do you think Barracuda would stay in 
>> business. Their customers who got the spam would move elsewhere. So I 
>> really don't think that Barracuda is going to sell out their main business 
>> to make $20 off of a few spammers.
>
> Marc, I am admiring a nice pattern I see here. My mental Bayes algorithm
> has ticked over. Is rich...@bizzhost.co.uk a spammer trying to derail the
> effective tools? He's certainly acting like it.


Remove the paranoia and low flying black helicopters from his posts, he 
has some merit in one comment, the emailreg.org _should_ be able to be 
disabled by customers, but, then again, you can always vote with your feet 
and simply not use their systems, they will quickly get the picture, but 
sadly a lot of people just have no clue, there are after all, plenty of 
salesmen out there who could sell ice to an Eskimo.


I really am amazed that anyone would trust any third party whitelist of
any kind in the anti-spam world. FWIW, there is only one whitelist that
deserves to be active, and that's the one that we, as individuals, apply
locally for our own networks for our own situations, I will never allow 
someone unrelated to my business to decide what's "not a spam host".


Even the most looked after networks, can have an authorised user who 
becomes worm infected, and spams the hell out of everyone.



--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!


Re: emailreg.org - tainted white list

2009-12-14 Thread mouss
Bill Landry a écrit :
> Christian Brel, AKA "rich...@buzzhost.co.uk" (among other aliases), is
> back...
> 
> Bill


he switched MUA, but forgot to switch "helo" and get a different IP range...


Received-SPF: softfail (nike.apache.org: transitioning domain of
brel.spamassassin091...@copperproductions.co.uk does not designate
82.70.24.237 as permitted sender)
Received: from [82.70.24.237] (HELO styone.spampig.org.uk) (82.70.24.237)
by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Dec 2009 16:09:40 +

From: Christian Brel 



Received: from [82.70.24.238] (HELO stytwo.spampig.org.uk) (82.70.24.238)
by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 07 Dec 2009 14:42:42 +
Subject: Interesting low scoring phish
From: "rich...@buzzhost.co.uk" 


Re: emailreg.org - tainted white list

2009-12-15 Thread Christian Brel
On Tue, 15 Dec 2009 00:40:44 +0100
mouss  wrote:

> Bill Landry a écrit :
> > Christian Brel, AKA "rich...@buzzhost.co.uk" (among other aliases),
> > is back...
> > 
> > Bill
> 
> 
> he switched MUA, but forgot to switch "helo" and get a different IP
> range...
> 
Good work Columbo. Tell me, how much would it cost to have you do
background checks on someone ;-)

-- 
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations. 


Re: emailreg.org - tainted white list

2009-12-15 Thread LuKreme
On 15-Dec-2009, at 09:42, Charles Gregory wrote:
> On Tue, 15 Dec 2009, Martin Gregorie wrote:
>> Clarification: I, for one, was only proposing that the whitelisting
>> plugins and rules that query external databases are removed from the
>> standard ruleset and sa_update and placed in a separate library of
>> optional rules.
> 
> The 'issue' (as I see it) is that a great many servers install a 'standard' 
> SA 'package', quite possibly just the one that came as a 'supported' version 
> with their OS distro. So it is important to not simply exclude from that 
> 'core' SA install anything that is contentious, but to make the best possible 
> assessment of all rules, including whitelist rules, which will have the best 
> chances of catching spam with few FP's.

The trouble with that is exactly what is happening now, people getting spam 
through because HABEAS has a −8.0 score in the standard config.

This is exactly what we want to avoid in the future.


-- 
You've never heard of the Millennium Falcon?



Re: emailreg.org - tainted white list

2009-12-15 Thread Charles Gregory

On Tue, 15 Dec 2009, LuKreme wrote:

> On 15-Dec-2009, at 09:42, Charles Gregory wrote:
>> The 'issue' (as I see it) is that a great many servers install a 
>> 'standard' SA 'package' So it is important to 
>>
>> to make the best possible assessment of all rules...
>
> The trouble with that is exactly what is happening now, people getting 
> spam through because HABEAS has a −8.0 score in the standard config.


Which finally brings us back to the core questions which seem to go 
unanswered:


1) Is Habeas (whoever runs it) exercising due diligence?
2) OR has Habeas changed such that it does not deserve such
   a strong negative score?
3) Along side the second question is the issue of whether the answer is
   sufficiently uniform across diverse systems for it to be a default?

But no matter what other answers may be true, we should look at the 
current circumstance and ask why there has not been an 'update' that 
corrects for it? With Anti-virus engines, like Clam, there are *frequent* 
'signature' updates, and then less frequent updates to the 'engine'.
It seems to me (could be wrong?) that SA rule updates are (almost) tied to 
the engine updates? Should there not be a monthly (?) 'mass check' that 
updates rules to reflect their changing effectiveness?


- Charles

Re: emailreg.org - tainted white list

2009-12-15 Thread J.D. Falk
On Dec 15, 2009, at 12:04 PM, Charles Gregory wrote:

> Which finally brings us back to the core questions which seem to go 
> unanswered:

They've all been answered many times, in other threads.  Habeas wasn't involved 
in emailreg.org, though.  No connection at all.

--
J.D. Falk 
Return Path Inc




Re: emailreg.org - tainted white list

2009-12-15 Thread jdow

From: "J.D. Falk" 
Sent: Tuesday, 2009/December/15 13:28


> On Dec 15, 2009, at 12:04 PM, Charles Gregory wrote:
>
>> Which finally brings us back to the core questions which seem to go 
>> unanswered:
>
> They've all been answered many times, in other threads.  Habeas wasn't 
> involved in emailreg.org, though.  No connection at all.



J.D. (from another J.D.) - I note that Richard, however, was very active
in both discussions in a singular manner and direction in both cases. We
have two apparently effective and on the up and up anti-spam through
approved vendor lists facing attempted character assassination. That's
the only common point between emailreg.org and HABEAS.

(I've noted my early visceral reaction and it's not being supported by
current facts, too.)

{^_^} 



Re: emailreg.org - tainted white list

2009-12-15 Thread Christian Brel
On Tue, 15 Dec 2009 14:28:05 -0700
"J.D. Falk"  wrote:

> On Dec 15, 2009, at 12:04 PM, Charles Gregory wrote:
> 
> > Which finally brings us back to the core questions which seem to go
> > unanswered:
> 
> They've all been answered many times, in other threads.  Habeas
> wasn't involved in emailreg.org, though.  No connection at all.

I don't recall anyone claiming Emailreg.org was related to Habeas?
Habeas has enough bulkers on it to make a simple paupers 'pay to spam'
list like Emailreg pale into total insignificance.

Whilst Micheal Perone may have a bit of a chequered history as far as
bulk mail goes, it would be unfair to compare Emailreg/Barracuda on a
like for like basis with a bulk mailer/spammer like Return
Path - and the can of wheel grease that is Habeas.

The point comes back to this and it has *not* been answered sensibly;
WHY DOES SPAMASSASSIN DEFAULT INSTALL WITH A NEGATIVE SCORING RULE THAT
FAVOURS A COMMERCIAL BULK MAILER. Namely the negative score for Habeas?

Ship it with a 0.0 score, the problem goes. Leave it as it is and it
smells corrupt. It's that old adage. If it looks corrupt, and it
smells corrupt, it's probably corrupt.

Perhaps the time has come for a fork of Spamassassin where these
commercial considerations are not so obvious?

> 
> --
> J.D. Falk 
> Return Path Inc
> 
> 


-- 
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations. 


Re: emailreg.org - tainted white list

2009-12-15 Thread Per Jessen
Christian Brel wrote:

> Perhaps the time has come for a fork of Spamassassin where these
> commercial considerations are not so obvious?

No need for such drastic measures - it's only a ruleset. 


/Per Jessen, Zürich



Re: emailreg.org - tainted white list

2009-12-16 Thread Res

On Wed, 16 Dec 2009, Per Jessen wrote:


> Christian Brel wrote:
>
>> Perhaps the time has come for a fork of Spamassassin where these
>> commercial considerations are not so obvious?
>
> No need for such drastic measures - it's only a ruleset.



no whitelist should ever become default part of SA

the day it is, is the day I look elsewhere.

--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!


Re: emailreg.org - tainted white list

2009-12-16 Thread Christian Brel
On Wed, 16 Dec 2009 21:10:11 +1000 (EST)
Res  wrote:

> On Wed, 16 Dec 2009, Per Jessen wrote:
> 
> > Christian Brel wrote:
> >
> >> Perhaps the time has come for a fork of Spamassassin where these
> >> commercial considerations are not so obvious?
> >
> > No need for such drastic measures - it's only a ruleset.
> 
> 
> no whitelist should ever become default part of SA
> 
> the day it is, is the day I look elsewhere.
Unless yours installed without the -4 and below rule for Habeas, then
you may just want to review that point of view ;-)

> 
> --
> Res
> 
> "What does Windows have that Linux doesn't?" - One hell of a lot of
> bugs!
Grub2 anyone.



Re: emailreg.org - tainted white list

2009-12-16 Thread Per Jessen
Res wrote:

> On Wed, 16 Dec 2009, Per Jessen wrote:
> 
>> Christian Brel wrote:
>>
>>> Perhaps the time has come for a fork of Spamassassin where these
>>> commercial considerations are not so obvious?
>>
>> No need for such drastic measures - it's only a ruleset.
> 
> 
> no whitelist should ever become default part of SA
> 
> the day it is, is the day I look elsewhere.

You're too late - better start looking.


/Per Jessen, Zürich



Re: emailreg.org - tainted white list

2009-12-16 Thread Res

On Wed, 16 Dec 2009, Christian Brel wrote:

> On Wed, 16 Dec 2009 21:10:11 +1000 (EST)
> Res  wrote:
>
>> On Wed, 16 Dec 2009, Per Jessen wrote:
>>
>>> Christian Brel wrote:
>>>
>>>> Perhaps the time has come for a fork of Spamassassin where these
>>>> commercial considerations are not so obvious?
>>>
>>> No need for such drastic measures - it's only a ruleset.
>>
>> no whitelist should ever become default part of SA
>>
>> the day it is, is the day I look elsewhere.
>
> Unless yours installed without the -4 and below rule for Habeas, then
> you may just want to review that point of view ;-)

I'm the person here who has final say as to who/what gets whitelisted,
I will not ever use ANY third party whitelist service, for reasons as
outlined earlier in this thread, just because someone pays to be a good guy
doesn't mean they are.



--
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!


Re: emailreg.org - tainted white list

2009-12-16 Thread Benny Pedersen

On Wed 16 Dec 2009 12:10:11 CET, Res wrote
> no whitelist should ever become default part of SA, the day it is,
> is the day I look elsewhere.


please post on this maillist what you do when you find replacement for sa

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: emailreg.org - tainted white list

2009-12-16 Thread Bowie Bailey
Christian Brel wrote:
> The point comes back to this and it has *not* been answered sensibly;
> WHY DOES SPAMASSASSIN DEFAULT INSTALL WITH A NEGATIVE SCORING RULE THAT
> FAVOURS A COMMERCIAL BULK MAILER. Namely the negative score for Habeas?
>   

This point has been answered.  SA ships with that rule because the rule
was useful and the score made sense at the time.  It obviously needs to
be re-addressed to take into account the changes that have occurred with
the whitelist, and this is already being done for the next SA release.

> Ship it with a 0.0 score, the problem goes. Leave it as it is and it
> smells corrupt. It's that old adage. If it looks corrupt, and it
> smells corrupt, it's probably corrupt.
>
> Perhaps the time has come for a fork of Spamassassin where these
> commercial considerations are not so obvious?

I really don't care who creates the whitelists and blacklists that SA
uses.  The only thing that really matters is how effective they are.  If
a blacklist blocks spammers without blocking too many legitimate mails,
use it.  If a whitelist allows legitimate mail without sending through
too many spams, use it.  Even lists that have a fair number of false
hits are useful in SA -- just with lower scores.

("legitimate mail" in this context means mail that the end user wishes
to receive...bulk or otherwise)

-- 
Bowie


Re: emailreg.org - tainted white list

2009-12-16 Thread LuKreme
On 16-Dec-2009, at 07:12, Bowie Bailey wrote:
> uses.  The only thing that really matters is how effective they are.  If
> a blacklist blocks spammers without blocking too many legitimate mails,
> use it.  If a whitelist allows legitimate mail without sending through
> too many spams, use it.  Even lists that have a fair number of false
> hits are useful in SA -- just with lower scores.


The trouble with this is how often are these rules being re-examined and 
re-evaluated?

Not that often. HABEAS has been through three iterations since those rules were 
set at −4 and −8.

What is enabled by default should be the safest possible settings. Relying on a 
third party that is in the spam business to make money doesn't seem very 
prudent to me, especially when it might be 5 years before the scores in the 
default config are evaluated again. And that doesn't even take into account the 
glacial speed at which most people upgrade their systems. We still see 
questions here for SA 3.1 and earlier.

(Whatever you think of HABEAS they ARE in the SPAM business and they are in it 
to make money).

-- 
He wasn't good or evil or cruel or extreme in any way but one, which was that 
he had elevated greyness to the status of a fine art and cultivated a mind that 
was as bleak and pitiless and logical as the slopes of Hell. --The Light 
Fantastic



Re: emailreg.org - tainted white list

2009-12-16 Thread Yet Another Ninja

On 12/16/2009 3:23 PM, LuKreme wrote:

> On 16-Dec-2009, at 07:12, Bowie Bailey wrote:
>
>> uses.  The only thing that really matters is how effective they are.  If
>> a blacklist blocks spammers without blocking too many legitimate mails,
>> use it.  If a whitelist allows legitimate mail without sending through
>> too many spams, use it.  Even lists that have a fair number of false
>> hits are useful in SA -- just with lower scores.
>
> The trouble with this is how often are these rules being re-examined and
> re-evaluated?

blabber... checkout SVN - follow dev list... HABEAS is history...





Re: emailreg.org - tainted white list

2009-12-16 Thread McDonald, Dan
On Dec 16, 2009, at 8:13 AM, "Bowie Bailey" wrote:

> Christian Brel wrote:
>
>> The point comes back to this and it has *not* been answered sensibly;
>> WHY DOES SPAMASSASSIN DEFAULT INSTALL WITH A NEGATIVE SCORING RULE THAT
>> FAVOURS A COMMERCIAL BULK MAILER. Namely the negative score for Habeas?

Because it allows desired mail to be delivered, while permitting more
aggressive rules to detect spam, even if those same techniques are
sometimes used by legitimate bulk mailers.

> ("legitimate mail" in this context means mail that the end user wishes
> to receive...bulk or otherwise)

Quite right. Now, can we drop this?  Or is the black-helicopter crowd
able to produce masscheck results that show better accuracy without
those distributed whitelists so that they can argue with facts that
they can do a better job?


Re: emailreg.org - tainted white list

2009-12-16 Thread Christian Brel
On Wed, 16 Dec 2009 08:39:25 -0600
"McDonald, Dan"  wrote:

> On Dec 16, 2009, at 8:13 AM, "Bowie Bailey"   
> wrote:
> 
> > Christian Brel wrote:
> >> The point comes back to this and it has *not* been answered
> >> sensibly; WHY DOES SPAMASSASSIN DEFAULT INSTALL WITH A NEGATIVE
> >> SCORING RULE THAT
> >> FAVOURS A COMMERCIAL BULK MAILER. Namely the negative score for  
> >> Habeas?
> 
> Because it allows desired mail to be delivered, while permitting
> more aggressive rules to detect spam, even if those same techniques
> are sometimes used by legitimate bulk mailers.

Is there some kind of citation to support this at all? If so would it
not be appropriate to add every white list favouring bulkers so that all
'legitimate' bulk mail - not just that leading back to Habeas >
Return Path - flows easily around the so called aggressive
rules?
> 
> >
> > ("legitimate mail" in this context means mail that the end user
> > wishes to receive...bulk or otherwise)
If it's legitimate, and the user wants it *give them the option to set
the minus score* don't ASSUME they want it because they once
bought a keychain or snowstorm from spamersrus.whatever.
> 
> Quite right. Now, can we drop this?  Or is the black-helicopter
> crowd able to produce masscheck results that show better accuracy
> without those distributed whitelists so that they can argue with
> facts that they can do a better job?

Selective default whitelisting in an anti-spam program attracts fair
suspicion. Quite apart from the smell of corruption, there is a clear
and fair argument of anti-competitive behaviour. Other commercial emails
that don't employ Habeas / Return Path cannot expect similar transit.
I'm no lawyer, but given recent US goings on with e360-v-Spamhaus, it's
probably not ideal to keep this scoring.

Naturally it's an emotive issue with those that stand to lose as a
result of such normalisation getting quite vocal, or trying to
discredit a point of view. It's a simple, sensible and fair request to
zero the scores applied on whitelists and add advice in the docs.
People here are all too happy to yell 'RTFM' after all.

Which answer sits better with an end user:
a. Why is spam getting through my anti-spam
b. Why is my bulk email scoring so high?

It's also fair to say any ESP such as Return Path taking money to
deliver mail should be optimising it (or offering advice on
optimisation) so it does *not* score high. Otherwise what are their
customers paying them for?



RE: emailreg.org - tainted white list

2009-12-16 Thread Charles Gregory

On Tue, 15 Dec 2009, jdow wrote:

> Three points:
> 1) It is known this list is read by spammers to learn what we are
> doing. I've verified this with "challenge/response" tactics including
> taunting more than once.

Sh! They'll hear you! :)

> 2) On several occasions now Richard has tried to torpedo valid attempts
>    to scuttle spam. (I've STILL not seen a spam get through that has the
>    HABEAS tag. I am lower volume than you guys. So that's simply my own
>    verification of other people's data sets indicating HABEAS has a very
>    low but not zero false alarm rate.)

I've seen them. And also some occasional hits on DNSWL. Was enough to make
me ask my question about 'targeting'. But not enough to change scores.

> I am making no conclusion here. I'm presenting facts. Call me out on
> the facts not the "taunt" lest you damage your argument.

Actually, you *make* my argument. When presented with facts, you respond
with facts. Not taunts or conspiracy theories. You haven't called me a
name or attempted to demean my character or motives. Nor have you
belittled my capabilities (except in the ordinary way of letting your
facts speak for themselves, which is valuable constructive criticism).

Thanks for the response.

- C


Re: emailreg.org - tainted white list

2009-12-16 Thread Mike Cardwell

On 16/12/2009 14:23, LuKreme wrote:

>> uses.  The only thing that really matters is how effective they are.  If
>> a blacklist blocks spammers without blocking too many legitimate mails,
>> use it.  If a whitelist allows legitimate mail without sending through
>> too many spams, use it.  Even lists that have a fair number of false
>> hits are useful in SA -- just with lower scores.
>
> The trouble with this is how often are these rules being re-examined and
> re-evaluated?
>
> Not that often. HABEAS has been through three iterations since those rules were
> set at −4 and −8.
>
> What is enabled by default should be the safest possible settings. Relying on a
> third party that is in the spam business to make money doesn't seem very
> prudent to me, especially when it might be 5 years before the scores in the
> default config are evaluated again. And that doesn't even take into account the
> glacial speed at which most people upgrade their systems. We still see
> questions here for SA 3.1 and earlier.
>
> (Whatever you think of HABEAS they ARE in the SPAM business and they are in it
> to make money).

For what it's worth, I just ran sa-stats.pl against my last ten days of
logs. The only mention of habeas was:

  10 HABEAS_ACCREDITED_SOI 367   1.45   0.00   17.36

So it hit on 17.36% of my Ham, and 0% of my Spam.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/


Re: emailreg.org - tainted white list

2009-12-16 Thread LuKreme
On 16-Dec-2009, at 08:33, Mike Cardwell wrote:

> For what it's worth, I just ran sa-stats.pl against my last ten days of logs. 
> The only mention of habeas was:
> 
>  10 HABEAS_ACCREDITED_SOI 367   1.45   0.00   17.36
> 
> So it hit on 17.36% of my Ham, and 0% of my Spam.

With the default settings that's no surprise. SOI gets a −4 by default, and SOI 
stands for "single Opt in" which is what spammers call it when there is no 
actual agreement from the receiver to receive email (that is, a site that lets 
me enter your email address and then sends you mail is 'SOI').

I had to expand the rules to the top 25 instead of the top 20 to get HABEAS to 
hit.

  23 HABEAS_ACCREDITED_SOI 783   2.22   1.02   3.71

That's with SOI set to … re, I forget. +1 I think.

1% of spam, 3.71% of ham.

Compare this to BAYES_99 with a similar default score:

   1 BAYES_99 12797   36.35   89.79   0.27

-- 
'(...) And the Patrician has been ironical at me,' said Mr. Clete. 'I'm not 
having that again.' --Soul Music



Re: emailreg.org - tainted white list

2009-12-16 Thread Charles Gregory

On Tue, 15 Dec 2009, J.D. Falk wrote:
Which finally brings us back to the core questions which seem to go 
unanswered:

They've all been answered many times, in other threads.


Perhaps I missed the messages, but it seems to me that the deep issues are 
*debated* a little, but never really answered in any concrete way. For 
example, I've not seen any indication that the 'datetheuk' issue 
was resolved. Was it?


- C


Re: emailreg.org - tainted white list

2009-12-16 Thread Charles Gregory

On Wed, 16 Dec 2009, Yet Another Ninja wrote:

> blabber... checkout SVN - follow dev list... HABEAS is history...


I believe the *point* here is that HABEAS is NOT 'history' for ordinary 
systems running ordinary sa-update on 3.2.5.


My rules (in /var/lib/spamassassin) still include the strong negative 
scores for HABEAS, as discussed here.


I respect the freedom and privileges of developers who are not being paid 
for all their hard work, but I would appreciate it if statements like the 
one above could be more accurately phrased, to at least say "HABEAS will 
be history after {date}, at which time sa-update channels will be 
updated"


- Charles


Re: emailreg.org - tainted white list

2009-12-16 Thread jdow

From: "Res" 
Sent: Wednesday, 2009/December/16 03:18



> On Wed, 16 Dec 2009, Christian Brel wrote:
>
>> On Wed, 16 Dec 2009 21:10:11 +1000 (EST)
>> Res  wrote:
>>
>>> On Wed, 16 Dec 2009, Per Jessen wrote:
>>>
>>>> Christian Brel wrote:
>>>>
>>>>> Perhaps the time has come for a fork of Spamassassin where these
>>>>> commercial considerations are not so obvious?
>>>>
>>>> No need for such drastic measures - it's only a ruleset.
>>>
>>> no whitelist should ever become default part of SA
>>>
>>> the day it is, is the day I look elsewhere.
>>
>> Unless yours installed without the -4 and below rule for Habeas, then
>> you may just want to review that point of view ;-)
>
> I'm the person here who has final say as to who/what gets whitelisted,
> I will not ever use ANY third party whitelist service, for reasons as
> outlined earlier in this thread, just because someone pays to be a good guy
> doesn't mean they are.


Res, I am still the person who white lists who I want via the actual
"whitelist" commands. On the other paw, a DNSWL is just another source
of "criteria" by which your email is measured. It's up to you to vary
the scores for yourself. You can vary them in local.cf, in user_prefs,
or any other configuration file you might add to /etc/mail/spamassassin
with a .cf suffix.

Unlather yourself and unwind a little.

{^_-}   Joanne




Re: emailreg.org - tainted white list

2009-12-16 Thread jdow

From: "Mike Cardwell" 
Sent: Wednesday, 2009/December/16 07:33



> On 16/12/2009 14:23, LuKreme wrote:
>
>>> uses.  The only thing that really matters is how effective they are.  If
>>> a blacklist blocks spammers without blocking too many legitimate mails,
>>> use it.  If a whitelist allows legitimate mail without sending through
>>> too many spams, use it.  Even lists that have a fair number of false
>>> hits are useful in SA -- just with lower scores.
>>
>> The trouble with this is how often are these rules being re-examined and
>> re-evaluated?
>>
>> Not that often. HABEAS has been through three iterations since those
>> rules were set at −4 and −8.
>>
>> What is enabled by default should be the safest possible settings.
>> Relying on a third party that is in the spam business to make money
>> doesn't seem very prudent to me, especially when it might be 5 years
>> before the scores in the default config are evaluated again. And that
>> doesn't even take into account the glacial speed at which most people
>> upgrade their systems. We still see questions here for SA 3.1 and
>> earlier.
>>
>> (Whatever you think of HABEAS they ARE in the SPAM business and they are
>> in it to make money).
>
> For what it's worth, I just ran sa-stats.pl against my last ten days of
> logs. The only mention of habeas was:
>
>   10 HABEAS_ACCREDITED_SOI 367   1.45   0.00   17.36
>
> So it hit on 17.36% of my Ham, and 0% of my Spam.

Verified ham and spam? User complaints ham and spam? Things that score
as ham and spam? What score does HABEAS have?

Partial data is what you tend to see when somebody is railroading an agenda.
Full data is what helps make rational decisions, be it with spam tools,
government officials, global warming, or anything else. Look for full
disclosure rather than numbers you have no idea where they came from. Now,
I am not accusing you of anything nefarious. I am simply explaining how my
mind works after many decades of life on this ball of dirt called Earth.
That's why I would like a little more data about those raw numbers.

{^_^} 



Re: emailreg.org - tainted white list

2009-12-16 Thread jdow

From: "LuKreme" 
Sent: Wednesday, 2009/December/16 07:56


> On 16-Dec-2009, at 08:33, Mike Cardwell wrote:
>
>> For what it's worth, I just ran sa-stats.pl against my last ten days of
>> logs. The only mention of habeas was:
>>
>>  10 HABEAS_ACCREDITED_SOI 367   1.45   0.00   17.36
>>
>> So it hit on 17.36% of my Ham, and 0% of my Spam.
>
> With the default settings that's no surprise. SOI gets a −4 by default, and
> SOI stands for "single Opt in" which is what spammers call it when there is
> no actual agreement from the receiver to receive email (that is, a site that
> lets me enter your email address and then sends you mail is 'SOI').
>
> I had to expand the rules to the top 25 instead of the top 20 to get HABEAS
> to hit.
>
>  23 HABEAS_ACCREDITED_SOI 783   2.22   1.02   3.71
>
> That's with SOI set to … re, I forget. +1 I think.
>
> 1% of spam, 3.71% of ham.
>
> Compare this to BAYES_99 with a similar default score:
>
>   1 BAYES_99 12797   36.35   89.79   0.27

<< jdow That still does not say whether it is verified ham and spam as
compared to what SpamAssassin declared. Is it verified that these people
did not opt in at some time in the past?

And, yes, your SOI observation is a very valid one. I suspect any SOI test
is not a valid anti-spam measure. I just make the rules for that myself.

Something I would like to see is ALL the DNS based scores moved out of
the immutable (and hard to find once updated) SA private directories into
a 00_dns_scores.cf in with local.cf. It's there with all the default scores
and marked read only for everybody. It should state that you can override the
scores with a 01_dns_scores.cf file with your score overrides. It would make
it easy to see what's going on.

Heck, even having a 00_scores.cf file with ALL the scores commented out
just as an index of all the rule scores that exist would help when a rule
starts to misfire - like HABEAS_ACCREDITED_SOI has for you. (And not unlikely
a lot of people. I bet it varies with your customer base and their
particular personalities quite a bit, too.)

{^_^} 
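
An added example, not part of any message in this thread and not SpamAssassin project code: a small audit that builds the kind of score index the message above asks for, listing every rule that subtracts points and generating `local.cf`-style zero-score overrides. The rule text is constructed, the `EXAMPLE_*` rule names are hypothetical, and it assumes plain numeric `score` lines with either one value or four (one per score set), with later files overriding earlier ones.

```python
"""Index SpamAssassin 'score' lines and list rules that lower a message's score."""
import re

# Constructed sample text, not copied from any SpamAssassin release.
DEFAULT_RULES = """\
# distribution defaults (constructed values)
score BAYES_99 3.5
score HABEAS_ACCREDITED_SOI -4.0
score EXAMPLE_PAID_WL_STRONG -8.0        # hypothetical rule name
score EXAMPLE_NET_ONLY_WL 0 -2.0 0 -2.0  # hypothetical: negative only with network tests
"""

# Constructed site override file, read after the defaults.
LOCAL_CF = """\
score HABEAS_ACCREDITED_SOI 0
"""

SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(.+)$")


def parse_scores(text):
    """Return {rule: [four score-set values]} for each numeric 'score' line."""
    scores = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        match = SCORE_LINE.match(line)
        if not match:
            continue
        rule, rest = match.groups()
        try:
            values = [float(v) for v in rest.split()]
        except ValueError:
            continue  # not plain numbers; outside this example's scope
        if len(values) == 1:
            values = values * 4  # a single value applies to every score set
        elif len(values) != 4:
            continue
        scores[rule] = values
    return scores


def effective_scores(*config_texts):
    """Merge configs in read order; a later 'score' line replaces an earlier one."""
    merged = {}
    for text in config_texts:
        merged.update(parse_scores(text))
    return merged


def negative_rules(scores):
    """Rules that subtract points in at least one score set, strongest first."""
    hits = [(rule, min(vals)) for rule, vals in scores.items() if min(vals) < 0]
    return sorted(hits, key=lambda hit: hit[1])


def override_lines(scores):
    """Zero-score lines for a site config, one per remaining negative rule."""
    return [f"score {rule} 0" for rule, _ in negative_rules(scores)]


if __name__ == "__main__":
    shipped = parse_scores(DEFAULT_RULES)
    print("Negative by default:")
    for rule, worst in negative_rules(shipped):
        print(f"  {rule:28s} {worst:+.1f}")
    active = effective_scores(DEFAULT_RULES, LOCAL_CF)
    print("Still negative after local overrides:")
    for line in override_lines(active):
        print(f"  {line}")
```

Pointing the same functions at the real rule files and then at the site configuration shows which whitelist-style rules are still active after local overrides.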



RE: emailreg.org - tainted white list

2009-12-16 Thread Michael Hutchinson
> 
> The trouble with this is how often are these rules being re-examined
> and re-evaluated?
> 
> Not that often. HABEAS has been through three iterations since those
> rules were set at −4 and −8.
> 
> What is enabled by default should be the safest possible settings.
> Relying on a third party that is in the spam business to make money
> doesn't seem very prudent to me, especially when it might be 5 years
> before the scores in the default config are evaluated again. And that
> doesn't even take into account the glacial speed at which most people
> upgrade their systems. We still see questions here for SA 3.1 and
> earlier.
> 
> (Whatever you think of HABEAS they ARE in the SPAM business and they
> are in it to make money).
> 

So far only 1 person on this list has claimed to have been hit by Spam that has 
been let through by the Habeas rules in SA. No-one else has posted figures 
(Well, I did a while ago - showing that since June this year, not one piece of 
Spam that slipped through was assisted by a Habeas rule) but that has dropped 
by the way side.

My question is, what would you do without Spamassassin? 

Surely its time to quit moaning about a whitelist that very few people have an 
actual real issue with (ISSUE, as in an existing problem with Spam sailing in 
thanks to Habeas rules, not the other ISSUE which seems to be "There's a 
whitelist I don’t approve of here" - well DISABLE it.

I agree that the safest settings should be default, but in saying that, it is 
also on the shoulders of the system's Administrator to ensure that the software 
he/she installs is configured correctly for their site, and IMHO this would 
include any default whitelists/blacklists/RBL's etc. 

Cheers,
Mike





Re: emailreg.org - tainted white list

2009-12-16 Thread Yet Another Ninja

On 12/16/2009 6:16 PM, Charles Gregory wrote:

> On Wed, 16 Dec 2009, Yet Another Ninja wrote:
>
>> blabber... checkout SVN - follow dev list... HABEAS is history...
>
> I believe the *point* here is that HABEAS is NOT 'history' for ordinary
> systems running ordinary sa-update on 3.2.5.

they can adjust scores if they don't approve of what has been delivered,
right? If they don't it means they're ok, don't care or can't be
bothered, pick what fits.

> My rules (in /var/lib/spamassassin) still include the strong negative
> scores for HABEAS, as discussed here.

funny.. my rules show a 0 score for HABEAS stuff, same with all the
other "certification services"  oh wait!! I adjusted the scores myself
coz I didn't want them in my way.

So cool that I can do stuff like that without depending and/or waiting
for a minor "fix" via Windows Update.

BIG thanks to Daniel Quinlan, Justin and all the others who came up with
such a nifty system.

Also thanks to McAfee for your dev support.

> I respect the freedom and privileges of developers who are not being
> paid for all their hard work, but I would appreciate it if statements
> like the one above could be more accurately phrased, to at least say
> "HABEAS will be history after {date}, at which time sa-update channels
> will be updated"

when SA 3.3.0 is released... when? when its finished, as you have
already read in the dev list.

Sarcasm?
Yes...

moving on





Re: emailreg.org - tainted white list

2009-12-16 Thread LuKreme
On 16-Dec-2009, at 16:11, Michael Hutchinson wrote:
> So far only 1 person on this list has claimed to have been hit by Spam that 
> has been let through by the Habeas rules in SA.


I'm the only one? Really? That doesn’t jibe with my memory, but I'm not 
scanning the entire list to prove you wrong.

Really?

Yeah, sorry, not buying it.

-- 
Bishops move diagonally. That's why they often turn up where the
kings don't expect them to be.



RE: emailreg.org - tainted white list

2009-12-16 Thread R-Elists
 

> 
> I'm the only one? Really? That doesn't jibe with my memory, 
> but I'm not scanning the entire list to prove you wrong.
> 
> Really?
> 
> Yeah, sorry, not buying it.
> 

LuKreme et al,

you were not the only one much goes under or over the radar on the
list...

re those rules, we see 2 to 4 percent spam

appears to be on the rise...

and 4 to 8 percent ham...

 - rh






Re: emailreg.org - tainted white list

2009-12-17 Thread Greg Troxel

LuKreme  writes:

> On 16-Dec-2009, at 16:11, Michael Hutchinson wrote:
>> So far only 1 person on this list has claimed to have been hit by Spam that 
>> has been let through by the Habeas rules in SA.
>
>
> I'm the only one? Really? That doesn’t jibe with my memory, but I'm not 
> scanning the entire list to prove you wrong.
>
> Really?

You're not the only one.  I've reported multiple instances of
HABEAS-accredited spam, and filed an SA bug about the scores long ago:
  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5902

At the time there were a lot of 'me too' posts.




Re: emailreg.org - tainted white list

2009-12-17 Thread Charles Gregory

On Wed, 16 Dec 2009, LuKreme wrote:

> On 16-Dec-2009, at 16:11, Michael Hutchinson wrote:
>> So far only 1 person on this list has claimed to have been hit by Spam
>> that has been let through by the Habeas rules in SA.
> I'm the only one? Really? That doesn’t jibe with my memory, but I'm not
> scanning the entire list to prove you wrong.


No, no! I'm the one! (smile)

Though in fairness, I don't see a terrible problem with it. Just the 
occasional hit I would suspect a hacked server


- C

Re: emailreg.org - tainted white list

2009-12-17 Thread J.D. Falk
On Dec 16, 2009, at 8:11 AM, Christian Brel wrote:

> It's also fair to say any ESP such as Return Path taking money to
> deliver mail should be optimising it (or offering advice on
> optimisation) so it does *not* score high. Otherwise what are their
> customers paying them for?

Return Path is not an ESP by any of the common definitions.

http://en.wikipedia.org/wiki/ESP

(No wonder you're confused.)

--
J.D. Falk 
Return Path Inc






RE: emailreg.org - tainted white list

2009-12-17 Thread Michael Hutchinson
> -Original Message-
> From: LuKreme [mailto:krem...@kreme.com]
> Sent: Thursday, 17 December 2009 4:59 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: emailreg.org - tainted white list
> 
> On 16-Dec-2009, at 16:11, Michael Hutchinson wrote:
> > So far only 1 person on this list has claimed to have been hit by
> Spam that has been let through by the Habeas rules in SA.
> 
> 
> I'm the only one? Really? That doesn’t jibe with my memory, but I'm not
> scanning the entire list to prove you wrong.
> 
> Really?
> 
> Yeah, sorry, not buying it.
> 

OK I am probably wrong, but the list certainly hasn't been inundated with 
people saying that they have that exact issue. 

Come on, how many people have been hit with Spam, to find that the only reason 
it has gotten through their Gateway is because of a Habeas rule? I only 
remember Richard complaining about this. 

Everyone else started carrying on about the Habeas rules being present at all, 
when it is more than within their power to disable those rules. 

Buy what you want, but I'm not selling anything. 

Cheers,
Mike




Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Charles Gregory

On Tue, 15 Dec 2009, Michael Hutchinson wrote:
> If everyone could ignore the taunting, and just carry on, there wouldn't
> be an issue.

The taunting *is* the issue. The rest of the arguments, about design and
defaults, are carried on by numerous individuals in a quite civilized
manner. But when someone starts throwing around stupid accusations, then
the person attacked focuses their efforts on 'defending' themselves,
rather than on a fair unbiased review of what *should* be the 'issue'.

To make a point requires nothing more than well-established facts. But
name-calling and mindless accusations are an ego-driven thing. Once
someone invests their arguments with ego, you cannot count on anything
they say being accurate to any degree. They will literally say anything to
advance their 'cause' and 'win' whatever argument they have joined.

> Someone has to stir the pot occasionally, and it doesn't hurt to
> have someone around that makes you think outside the square.

Interestingly enough, *I* have stirred this same pot a couple of times,
with very little effect. So while it is a reasonable argument that being
offensive and abusive fails to achieve results, I have to admit that being
quiet and deferring in tone also has little effect. So I wonder, what
*does* it take for the 'amateurs' (that would be folks like me! *grin*)
to bring a possible issue to the attention of the people in the 'know',
and have it discussed?

I ask again, on the issue of whitelists, is there a serious issue with
spammers targeting white-listed IP's as favored candidates for hacking?
I'm okay with the answer being 'no'. I'm sure people with large servers
and good statistics could answer this question. But I get no answer at
all. I don't think it is because of any conspiracy. But perhaps the people
who know are just too busy?


- Charles


Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Bob O'Brien

Charles Gregory wrote:
> I ask again, on the issue of whitelists, is there a serious issue with
> spammers targeting white-listed IP's as favored candidates for hacking?
> I'm okay with the answer being 'no'. I'm sure people with large servers
> and good statistics could answer this question. But I get no answer at
> all. I don't think it is because of any conspiracy. But perhaps the people
> who know are just too busy?

To my knowledge, such a correlation has not yet been observed.  Which
is different from asserting that it hasn't happened, but I think for the
purposes of your question it does indicate that there is not currently
"a serious issue" as you put it.

I can mostly just offer opinion, and that would be that whitelisting is
not (yet) in wide enough use to have become a sufficiently attractive
target.




   Bob
--


Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Charles Gregory

On Mon, 14 Dec 2009, Bob O'Brien wrote:
> I can mostly just offer opinion, and that would be that whitelisting is
> not (yet) in wide enough use to have become a sufficiently attractive
> target.

Which brings us back to the 'rational version' of the discussion about SA
weighing whitelists favorably by default. I'm *presuming* that the
whitelists are seen on more ham than spam, but I only *see* the spam,
that's the nature of my watchdog role. (smile)

I've not heard any further comment on what has happened with that
'datetheuk' spam. Was it accidental? A hack? Mismanagement of the
whitelist? The silence is deafening. I'd like to think we're not going to
just drop the issue because *someone* unpopular was talking about it... :)


- C


Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Martin Gregorie
May I suggest that handling whitelist or blacklist rules and any
associated plugins by packaging them as separately installable modules
may be of benefit to SA maintainers. The idea is to reduce the SA dev
workload by handing off responsibility for maintaining and bugfixing
such modules to external developers. These may, as at present, be the
person who independently develops the module or the people who are
responsible for the resources it queries. Here's a little more detail:

- exclude the modules from the default SA configuration and from SA
  updates.
- create a library of downloadable modules, one for each external
  resource. Each module consists of:

  - a .cf file and a .pm file, if required, that should be installed by
    putting both in /etc/mail/spamassassin
  - version info
  - installation and configuration instructions
  - attributions: author, the author's affiliations, etc
  - a disclaimer saying that SA distributes the module as is and without
    liability or responsibility for its correctness

- anybody, including whitelist owners, can supply a module and will be
  solely responsible for maintaining it.
- modules MUST be accompanied by regression test data in the form of
  messages that demonstrate hits, misses and corner tests.
- SA devs should review the documentation and verify module operation
  using the supplied test data to show that the module does what it says
  on the tin and doesn't crash SA or interfere with other rules/plugins
  before accepting a module for publication. 
- the modules should be included in regression tests for new SA
  versions. If a module fails a regression test it is excluded from the
  library and its author notified. This way unmaintained modules will
  eventually disappear with minimal work from SA devs apart from
  removing the model from the distribution library and adding it to a
  list of no longer supported modules. 

  
There may be problems with this approach that I'm not aware of, but I'm
floating it because AFAIK nobody else has suggested it and it may defang
some of the discussions around whitelists, etc. by making the use of
such rules and modules independent of the SA project.


Martin



Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Yet Another Ninja

On 12/14/2009 10:23 PM, Martin Gregorie wrote:

> May I suggest that handling whitelist or blacklist rules and any
> associated plugins by packaging them as separately installable modules
> may be of benefit to SA maintainers. The idea is to reduce the SA dev
> workload by handing off responsibility for maintaining and bugfixing
> such modules to external developers. These may, as at present, be the
> person who independently develops the module or the people who are
> responsible for the resources it queries. Here's a little more detail:
>
> - exclude the modules from the default SA configuration and from SA
>   updates.
> - create a library of downloadable modules, one for each external
>   resource. Each module consists of:
>
>   - a .cf file and a .pm file, if required, that should be installed by
>     putting both in /etc/mail/spamassassin
>   - version info
>   - installation and configuration instructions
>   - attributions: author, the author's affiliations, etc
>   - a disclaimer saying that SA distributes the module as is and without
>     liability or responsibility for its correctness
>
> - anybody, including whitelist owners, can supply a module and will be
>   solely responsible for maintaining it.
> - modules MUST be accompanied by regression test data in the form of
>   messages that demonstrate hits, misses and corner tests.
> - SA devs should review the documentation and verify module operation
>   using the supplied test data to show that the module does what it says
>   on the tin and doesn't crash SA or interfere with other rules/plugins
>   before accepting a module for publication.
> - the modules should be included in regression tests for new SA
>   versions. If a module fails a regression test it is excluded from the
>   library and its author notified. This way unmaintained modules will
>   eventually disappear with minimal work from SA devs apart from
>   removing the model from the distribution library and adding it to a
>   list of no longer supported modules.
>
> There may be problems with this approach that I'm not aware of, but I'm
> floating it because AFAIK nobody else has suggested it and it may defang
> some of the discussions around whitelists, etc. by making the use of
> such rules and modules independent of the SA project.


your modules are all there already and much of it is already managed as 
you suggest: they're called rules..  you can even switch them on or off, 
or add your own "modules" /plugins/modules.


SA provides an Open Source FRAMEWORK which caters to many millions of 
systems - if it doesn't fit your needs, use as you wish and/or fork out.

Many do that with the ruleset - many don't

SA devs are volunteers. What's stopping you from actively contributing 
to the development?


Get familiar with the Wiki, checkout SVN, look at the masscheck code, 
bathe in the Wiki.


Following a comprehensive set of standards, anybody can contribute 
patches/fixes/etc.


h2h

Axb


Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Daniel J McDonald
On Mon, 2009-12-14 at 21:23 +, Martin Gregorie wrote:
> May I suggest that handling whitelist or blacklist rules and any
> associated plugins by packaging them as separately installable modules
> may be of benefit to SA maintainers. The idea is to reduce the SA dev
> workload by handing off responsibility for maintaining and bugfixing
> such modules to external developers. These may, as at present, be the
> person who independently develops the module or the people who are
> responsible for the resources it queries. Here's a little more detail:

The problem is scoring.  masschecks are going to shape scores so that
whitelists get a little boost if they are mediocre, and a large boost if
they are good.  Ditto for blacklists.  And the two sets of scores will
work in synergy.  The big problem with "make them all external and let
the universe pick a score at random" is that the relative effectiveness
of the various lists isn't tested.

I'd love to have the clamav unofficial signature families scored.  I
have a fine guess as to how relevant they are, but it is just that - a
guess.  I'd hate to have to guess for everyone's whitelist...



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Martin Gregorie
On Mon, 2009-12-14 at 22:39 +0100, Yet Another Ninja wrote:

> your modules are all there already and much of it is already managed as 
> you suggest: they're called rules..  you can even switch them on or off, 
> or add your own "modules" /plugins/modules.
> 
> SA provides an Open Source FRAMEWORK which caters to many millions of 
> systems - if it doesn't fit your needs, use as you wish and/or fork out.
> Many do that with the ruleset - many don't
> 
I'm aware of that, BUT:
- there is resource-specific stuff permanently wired in, e.g. the HABEAS
  rules
- there are other rules and modules littered round the net.

AFAIK there is no single reference point or code library where
stripped-out specifics (HABEAS) or independent code can be placed.

> SA devs are volunteers. What's stopping you from actively contributing 
> to the development?
> 
Time and the fact that I'm a C/Java person rather than a Perl maven. 

I have a couple of projects on the boil at present, one being
mail-related. This has an associated SA plugin and rule that is up and
running on my server and will be released as part of the mail-related
project.


Martin




Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Yet Another Ninja

On 12/14/2009 10:55 PM, Daniel J McDonald wrote:

> I'd love to have the clamav unofficial signature families scored.  I
> have a fine guess as to how relevant they are, but it is just that - a
> guess.

someone, somewhere is already converting ClamAV signatures to HUGE (slow) 
rule files, forgot where I saw them. Google around...








RE: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Michael Hutchinson
Hello,

> The taunting *is* the issue. The rest of the arguments, about design
> and
> defaults, are carried on by numerous individuals in a quite civilized
> manner. But when someone starts throwing around stupid accusations, then
> the person attacked focuses their efforts on 'defending' themselves,
> rather than on a fair unbiased review of what *should* be the 'issue'.

Fair call.
 
> To make a point requires nothing more than well-established facts. But
> name-calling and mindless accusations are an ego-driven thing. Once
> someone invests their arguments with ego, you cannot count on anything
> they say being accurate to any degree. They will literally say anything
> to
> advance their 'cause' and 'win' whatever argument they have joined.

I'd have to agree on this point. My missus does this all of the time. She
will know she is wrong, and still tell me until blue in the teeth that she's
right about said topic.. So I guess what you're saying here is that it's no
longer possible to do what we did in the "old days" and just 'ignore the
troll'..

> > Someone has to stir the pot occasionally, and it doesn't hurt to
> > have someone around that makes you think outside the square.
> 
> Interestingly enough, *I* have stirred this same pot a couple of times,
> with very little effect. So while it is a reasonable argument that
> being
> offensive and abusive fails to achieve results, I have to admit that
> being
> quiet and deferring in tone also has little effect. So I wonder, what
> *does* it take for the 'amateurs' (that would be folks like me! *grin*)
> to bring a possible issue to the attention of the people in the 'know',
> and have it discussed?

If you ask me, it's the whole "newbie" thing. People with lesser
knowledge/skills are probably too afraid to raise issues, thinking that
their issue is probably caused by their own ignorance, or lack of
experience. I know I've felt like this before, and have certainly been made
to feel rather stupid after asking certain questions - this is not specific
to this mailing list, but mailing lists in general.
 
> I ask again, on the issue of whitelists, is there a serious issue with
> spammers targetting white-listed IP's as favored candidates for
> hacking?
> I'm okay with the answer being 'no'. I'm sure people with large servers
> and good statistics could answer this question. But I get no answer at
> all. I don't think it is because of any conspiracy. But perhaps the
> people
> who know are just too busy?

To answer the first question : No. We do not have any problems with Spam or
hacking regarding our Mail gateway, using Spamassassin. Any Spam that has
slipped through in the last several months certainly has not had any SA
Default Whitelist scores assigned to them whatsoever. If anything, spam that
gets through our system is stuff that hits almost no rules at all (positive
or negative). Statistics are at the end of this E-Mail.

I think one of the issues with getting information from people that aren't
having any problems is the fact that they probably can't be bothered posting
if they don't have any issues to resolve. What do you think?

Statistics Since Thursday 04th Jun, 2009

RBL Reject:         8480229
HELO Reject:        5827978
Clean Messages:     2014848
Invalid Recipients: 277983
Spam Messages:      228941
Relay Denied:       26112
Virus Messages:     2588

Total Messages Processed: 16858679

I get all of the Spam messages that slip through the system submitted to a
public folder on our network, and analyse the headers for what rules did/did
not fire. As previous, I've not seen any Spam that has default SA whitelist
scores associated.







Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Daniel J McDonald
On Mon, 2009-12-14 at 23:07 +0100, Yet Another Ninja wrote:
> On 12/14/2009 10:55 PM, Daniel J McDonald wrote:
> > I'd love to have the clamav unofficial signature families scored.  I
> > have a fine guess as to how relevant they are, but it is just that - a
> > guess.  
> 
> someone, somewhere is already converting ClamAV signatures to HUGE (slow) 
> rule files, forgot where I saw them. Google around...

That's not the issue.  I have no problem scanning with clam and no
problem associating some signature families with scores rather than
blindly discarding.  The issue is:  how much should I trust the various
sets of signatures?  Although I have a fairly good feel for it based on
intuition, there is nothing like a mass-check to settle the matter.

That's the issue with pulling all of the whitelists out of the scoring
mix - the whitelist components are part of the mix that allows 5 points
to indicate spam.  And I was trying to counter the argument that we
should simply rip those pieces out and expect that, when people
re-assemble them piecemeal, the end result will still be 5 points for
spam...




-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Martin Gregorie
On Tue, 2009-12-15 at 07:29 -0600, Daniel J McDonald wrote:
> That's the issue with pulling all of the whitelists out of the scoring
> mix - the whitelist components are part of the mix that allows 5 points
> to indicate spam.  And I was trying to counter the argument that we
> should simply rip those pieces out and expect that, when people
> re-assemble them piecemeal, the end result will still be 5 points for
> spam...
> 
Clarification: I, for one, was only proposing that the whitelisting
plugins and rules that query external databases are removed from the
standard ruleset and sa_update and placed in a separate library of
optional rules.

My reasons for making this suggestion are:

- all URIBL tests can be disabled with skip_rbl_checks. All
  whitelist/blacklist rules should be controlled by this preference,
  hence it should already be possible to disable them without impacting
  any other standard rule.

- they can safely be excluded from sa_update since the rule(s) and
  plugin will not change during the life of an SA version. Apart from
  bugfixes all changes[*] that affect message scoring are applied to
  the external database by its maintainer.

- the act of separating these rules from the main rule corpus makes it
  clear to SA admins that they are optional. It also has the side-effect
  of removing their maintenance workload from SA devs.

[*] apart from score adjustment, obviously.


Martin




Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Charles Gregory

On Tue, 15 Dec 2009, Martin Gregorie wrote:

> Clarification: I, for one, was only proposing that the whitelisting
> plugins and rules that query external databases are removed from the
> standard ruleset and sa_update and placed in a separate library of
> optional rules.


The 'issue' (as I see it) is that a great many servers install a 
'standard' SA 'package', quite possibly just the one that came as a 
'supported' version with their OS distro. So it is important to not simply 
exclude from that 'core' SA install anything that is contentious, but to 
make the best possible assessment of all rules, including whitelist 
rules, which will have the best chances of catching spam with few FP's.


Once we reach the level of a competent (sic) sysadmin reviewing the 
default configuration and modifying it, it matters very little whether the 
rules are in the core set or added-on. In some ways it is still easier to 
have a rule included by default that can then be disabled if it proves to 
have poor results.


So although the 'modular' concept is always a good one, it does not allow 
us to sidestep that burden of responsibility to have the core default SA 
be the best that it can be. :)


- Charles



Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread jdow

From: "Charles Gregory" 
Sent: Monday, 2009/December/14 12:35



> On Tue, 15 Dec 2009, Michael Hutchinson wrote:
>> If everyone could ignore the taunting, and just carry on, there wouldn't
>> be an issue.
>
> The taunting *is* the issue. The rest of the arguments, about design and
> defaults, are carried on by numerous individuals in a quite civilized
> manner. But when someone starts throwing around stupid accusations, then
> the person attacked focuses their efforts on 'defending' themselves,
> rather than on a fair unbiased review of what *should* be the 'issue'.


Three points:
1) It is known this list is read by spammers to learn what we are
doing. I've verified this with "challenge/response" tactics including
taunting more than once. Once I taunted a spam I received for not
making it to 100. "The guy didn't try hard enough." Within two days
a small number of spams reaching well over 100 came through. I consider
that as confirmation of common-sense. Spammers read this list.

2) On several occasions now Richard has tried to torpedo valid attempts
to scuttle spam. (I've STILL not seen a spam get through that has the
HABEAS tag. I am lower volume than you guys. So that's simply my own
verification of other people's data sets indicating HABEAS has a very
low but not zero false alarm rate.) I see this effort as something of
high profit to spammers. So it seemed rational to remind people that
this list is basically anonymous, spammers read it and can post just
as can non-spammers.

3) Coincidence or not, since I posted that "taunt" to Richard and his
response personal spam to this account has increased sharply.

I am making no conclusion here. I'm presenting facts. Call me out on
the facts not the "taunt" lest you damage your argument.

It is possible to claim coincidence on 1 and 3. I suspect that's a
low probability coincidence. It is possible, though, particularly
for 3. Spam does seem to come in "waves". And I haven't particularly
noticed any newly prominent "type" of spam yet, which is a good
indicator of spam from one master source.

(Item 1 was a well known drug spammer who had a very well established
"pattern" and sat on the ROKSO top ten. His response was amusing,
probably for him as much as for me. I respect his abilities as I
deplore his ethics and morals.)

{^_^} 



Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Rob McEwen
jdow wrote:
> his response personal spam to this account has increased sharply

Uuh, what does that mean, exactly?

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Christian Brel
On Tue, 15 Dec 2009 11:01:51 -0800
"jdow"  wrote:

> From: "Charles Gregory" 
> Sent: Monday, 2009/December/14 12:35
> 
> 
> > On Tue, 15 Dec 2009, Michael Hutchinson wrote:
> >> If everyone could ignore the taunting, and just carry on, there
> >> wouldn't be an issue.
> >
> > The taunting *is* the issue. The rest of the arguments, about
> > design and defaults, are carried on by numerous individuals in a
> > quite civilized manner. But when someone starts throwing around
> > stupid accusations, then the person attacked focuses their efforts
> > on 'defending' themselves, rather than on a fair unbiased review of
> > what *should* be the 'issue'.
> 
> Three points:
> 1) It is known this list is read by spammers to learn what we are
> doing. I've verified this with "challenge/response" tactics including
> taunting more than once. Once I taunted a spam I received for not
> making it to 100. "The guy didn't try hard enough." Within two days
> a small number of spams reaching well over 100 came through. I
> consider that as confirmation of common-sense. Spammers read this
> list.
In the same way spammers own Barracuda's, Ironports, have Messagelabs
and Postini accounts etc etc. This is kinda obvious, but I guess some
people may not know it. I too see a big increase in spam from this
posting to this list. I, however, welcome it as is useful to study.

> 
> 2) On several occasions now Richard has tried to torpedo valid
> attempts to scuttle spam.
That is a lie. Would you like to back that up with some kind of
basis in fact? 

Richard has been at the other end of this claim in asking *why* obvious
spam gets past SA, and why Whitelists that 'grease the wheels' are part
of the default core. 
> 
> 3) Coincidence or not, since I posted that "taunt" to Richard and his
> response personal spam to this account has increased sharply.
If it were a taunt I'm sure Richard would find that very lame. You only
have to look at his NANAE postings to realise that calling him a
'spammer' would not even register on his insult scale. If you think it
would, you are probably very mistaken.
> 
> I am making no conclusion here. I'm presenting facts. Call me out on
> the facts not the "taunt" lest you damage your argument.
You have presented an opinion, not facts. A fact would be 'Datetheuk'
emits spam - but is Habeas whitelisted. The Titanic has sunk - is a
fact, Marc Bolan is dead - is a fact. 

Perhaps are some kind of spammer trying to divert attention from
yourself?
-- 
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations. 


Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread jdow

From: "Rob McEwen" 
Sent: Tuesday, 2009/December/15 11:10



> jdow wrote:
>> his response personal spam to this account has increased sharply
>
> Uuh, what does that mean, exactly?


A possible cause and effect exists. I can neither prove nor disprove
it. the fact exists.

{^_^}


Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread jdow

From: "Christian Brel" 
Sent: Tuesday, 2009/December/15 11:54



> On Tue, 15 Dec 2009 11:01:51 -0800
> "jdow"  wrote:
>
> Perhaps are some kind of spammer trying to divert attention from
> yourself?


 I have longer bona fides on this list than I suspect you
do and my partner is a currently inactive SARE ninja who has
contributed some effective rules. Ah well.

{^_^}


Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Chris Hoogendyk



jdow wrote:

> From: "Rob McEwen"
> Sent: Tuesday, 2009/December/15 11:10
>
>> jdow wrote:
>>> his response personal spam to this account has increased sharply
>>
>> Uuh, what does that mean, exactly?
>
> A possible cause and effect exists. I can neither prove nor disprove
> it. the fact exists.


Properly known as a correlation. Which, as you say, does not prove cause 
and effect. The correlation exists.



--
---

Chris Hoogendyk

-
  O__   Systems Administrator
 c/ /'_ --- Biology & Geology Departments
(*) \(*) -- 140 Morrill Science Center
~~ - University of Massachusetts, Amherst 




--- 


Erdös 4




Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Rob McEwen
jdow wrote:
>> jdow wrote:
>>> his response personal spam to this account has increased sharply
>> Uuh, what does that mean, exactly?
> A possible cause and effect exists. I can neither prove nor disprove
> it. the fact exists.

Still doesn't answer my question. Perhaps I'm "dense". But to spell out
my question more explicitly:

what do you mean by "personal response spam"? Is that just Richard's
on-list responses we've all seen? Or something else? (did I miss that
part of the conversation?). And what do you mean by "to this account"?
To this list? To your own inbox? Are you referring to messages that are
obviously from Richard (including alter-ego ones)? Or some kind of UBE
campaign that you think he is behind? (if so, please describe)

Still confused.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread John Hardin

On Tue, 15 Dec 2009, Rob McEwen wrote:


> jdow wrote:
>>> jdow wrote:
>>>> his response personal spam to this account has increased sharply
>>> Uuh, what does that mean, exactly?
>> A possible cause and effect exists. I can neither prove nor disprove
>> it. the fact exists.
>
> Still doesn't answer my question. Perhaps I'm "dense". But to spell out
> my question more explicitly:
>
> what do you mean by "personal response spam"?


try:

   his response, personal spam to this account has increased

Does that parse better?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Our government should bear in mind the fact that the American
  Revolution was touched off by the then-current government
  attempting to confiscate firearms from the people.
---
 Today: Bill of Rights day


Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread jdow

From: "Rob McEwen" 
Sent: Tuesday, 2009/December/15 13:13



> jdow wrote:
>>> jdow wrote:
>>>> his response personal spam to this account has increased sharply
>>> Uuh, what does that mean, exactly?
>> A possible cause and effect exists. I can neither prove nor disprove
>> it. the fact exists.
>
> Still doesn't answer my question. Perhaps I'm "dense". But to spell out
> my question more explicitly:
>
> what do you mean by "personal response spam"? Is that just Richard's
> on-list responses we've all seen? Or something else? (did I miss that
> part of the conversation?). And what do you mean by "to this account"?
> To this list? To your own inbox? Are you referring to messages that are
> obviously from Richard (including alter-ego ones)? Or some kind of UBE
> campaign that you think he is behind? (if so, please describe)


Thank you for spelling it out. I am speaking of spam directed to this
account. That email must be to this address or one of three others
(which showed no increase) in order to get through to our machines.
I use fetchmail for my email and for Loren's several accounts. I can't
say if his spam increased dramatically in the last two days ( to
2359:59 PST) or not.

I am speaking of generic spam. I've not noticed a specific type that
has increased. I'm too lazy to look. I have received an unusual number
of "You've won" emails today and yesterday. I've not looked for a
specific style so I left the observation at "increase in spam
received." That in no way accuses anybody of personally sending me
spam. I simply looked at the bulk numbers which took a maybe 20% jump
beyond the normal Monday bounce. This correlation is not nearly as
strong as with the earlier episode.

Given what data and facts I have I am taking anything Richard and his
sock puppets, alter-egos, or fellow conspiracy theorists might suggest
and pretty much tossing it into the intellectual black hole in which
it belongs. And I'm stating that's what I've observed. Now I've stated
what I intend to do about it.

Others here are adults. They can make up their own minds, generate their
own facts, and add them up.

I'll add one other thing, I'm not a fan of Habeas; however, I have seen
reason to give them a modest negative score low enough it will likely
get overridden by a trusted source going rogue. The old Haiku approach
was so bad I had a strong positive score on it. That had colored my
attitudes - the Aw Sh**! vs Brownie Points issue struck again.

{^_^}


Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Christian Brel
On Tue, 15 Dec 2009 14:11:13 -0800
"jdow"  wrote:

> From: "Rob McEwen" 
> Sent: Tuesday, 2009/December/15 13:13
> 
> 
> > jdow wrote:
> >>> jdow wrote:
> >>>> his response personal spam to this account has increased sharply
> >>> Uuh, what does that mean, exactly?
> >> A possible cause and effect exists. I can neither prove nor
> >> disprove it. the fact exists.
> > 
> > Still doesn't answer my question. Perhaps I'm "dense". But to spell
> > out my question more explicitly:
> > 
> > what do you mean by "personal response spam"? Is that just Richard's
> > on-list responses we've all seen? Or something else? (did I miss
> > that part of the conversation?). And what do you mean by "to this
> > account"? To this list? To your own inbox? Are you referring to
> > messages that are obviously from Richard (including alter-ego
> > ones)? Or some kind of UBE campaign that you think he is behind?
> > (if so, please describe)
> 
> Thank you for spelling it out. I am speaking of spam directed to this
> account. That email must be to this address or one of three others
> (which showed no increase) in order to get through to our machines.
> I use fetchmail for my email and for Loren's several accounts. I can't
> say if his spam increased dramatically in the last two days ( to
> 2359:59 PST) or not.

You are now claiming Richard is powerful enough to produce a worldwide
increase in spam that only affects you? 

> 
> I am speaking of generic spam. I've not noticed a specific type that
> has increased. I'm too lazy to look. I have received an unusual number
> of "You've won" emails today and yesterday. I've not looked for a
> specific style so I left the observation at "increase in spam
> received." That in no way accuses anybody of personally sending me
> spam. I simply looked at the bulk numbers which took a maybe 20% jump
> beyond the normal Monday bounce. This correlation is not nearly as
> strong as with the earlier episode.
> 
> Given what data and facts I have I am taking anything Richard and his
> sock puppets, alter-egos, or fellow conspiracy theorists might suggest
> and pretty much tossing it into the intellectual black hole in which
> it belongs. And I'm stating that's what I've observed. Now I've stated
> what I intend to do about it.
Habeas + Emailreg are *not* spam BLOCKING tools. They are tools that
facilitate the delivery of UCE/UBE/SPAM. To point that out is *not*
scuffling any attempt to block spam. To the contrary. Are we clear on
that or are you ignoring that?

All that is required is for Spamassassin to default install with
NEUTRAL (0 point) rules for Habeas {or any other p2s whitelist it
chooses to include}. 

The views about Return Path, Habeas, Barracuda, Emailreg.org will fall
by the wayside and give the 'product' more credibility if this simple
change is made and, in effect, rain on Richard's parade of black
helicopters and corruption. There is no *logical* reason not to make
this change. There may be a business one (Barracuda have donated to
Apache - what about Return Path/Habeas?).


Again if you have any *facts* or proof that Richard has been behind a
personal worldwide increase in spam to your inbox, please share it.
Otherwise you look like you are trolling with your imagination running
away with the fairies.

-- 
This e-mail and any attachments may form pure opinion and may not have
any factual foundation. Please check any details provided to satisfy
yourself as to suitability or accuracy of any information provided.
Data Protection: Unless otherwise requested we may pass the information
you have provided to other partner organisations. 


RE: [sa] RE: emailreg.org - tainted white list

2009-12-16 Thread R-Elists
 


> Still doesn't answer my question. Perhaps I'm "dense". But to 
> spell out my question more explicitly:
> 
> what do you mean by "personal response spam"? Is that just 
> Richard's on-list responses we've all seen? Or something 
> else? (did I miss that part of the conversation?). And what 
> do you mean by "to this account"?
> To this list? To your own inbox? Are you referring to 
> messages that are obviously from Richard (including alter-ego 
> ones)? Or some kind of UBE campaign that you think he is 
> behind? (if so, please describe)
> 
> Still confused.
> 
> --
> Rob McEwen

Rob,

don't be confused, she missed a comma in that line was all...

btw, we are still waiting on the hearsay secret squirrel info...

 - rh



Re: [sa] Re: emailreg.org - tainted white list

2009-12-17 Thread Charles Gregory

On Thu, 17 Dec 2009, Yet Another Ninja wrote:

> On 12/16/2009 6:16 PM, Charles Gregory wrote:
>> On Wed, 16 Dec 2009, Yet Another Ninja wrote:
>>> blabber... checkout SVN - follow dev list... HABEAS is history...
>> I believe the *point* here is that HABEAS is NOT 'history' for ordinary
>> systems running ordinary sa-update on 3.2.5.
>
> they can adjust scores if they don't approve of what has been delivered...


Agreed. But that does not make the statement "HABEAS is history" accurate 
in any way that is relevant to current sa-update..



>> My rules (in /var/lib/spamassassin) still include the strong negative
>> scores for HABEAS, as discussed here.
>
> funny.. my rules show a 0 score for HABEAS stuff, same with all the other
> "certification services"  oh wait!! I adjusted the scores myself coz I didn't
> want them in my way.


Why don't you go one step further and just 'unsubscribe' from any spam you 
receive? If you want the ultimate in responsive after-the-spam-has-arrived 
customization, that's the way to go ;)


Oh. Sorry. Sometimes the sarcasm gets away from me.

We are discussing the DEFAULT rules. The only way someone can tell me that 
HABEAS is "history" and have it apply to ME is if they have propagated a 
change through sa-update. They haven't. Your customization sounds a lot 
like mine. But just because you and I have solved our problems for *us* 
personally does not mean we can just forget about everyone else.


You're a Ninja, judging by your From header. You *must* be in this to 
improve things for everyone. I'm certainly not posting here just to hear 
myself talk. I can customize my server far faster (it's actually a daily 
routine) than I can type suggestions here. But I want this to work for 
everyone. And everyone is not on this list. So changing SA defaults is the 
best way to help everyone.


I don't have the 'budget' to just jump in and help code, so I make 
suggestions, with (I hope) the appropriate tone of respect for the people 
who *do* have the 'budget' to be working on improving SA. But this is NOT 
me whining about *my* problems. I don't have a problem with HABEAS. I 
occasionally notice their rule fire, but usually something else knocks 
out the spam anyways (shrug)


- C


hacking whitelists (was Re: [sa] RE: emailreg.org - tainted white list)

2009-12-14 Thread J.D. Falk
On Dec 14, 2009, at 1:35 PM, Charles Gregory wrote:

> I ask again, on the issue of whitelists, is there a serious issue with 
> spammers targeting white-listed IP's as favored candidates for hacking?
> I'm okay with the answer being 'no'. I'm sure people with large servers and 
> good statistics could answer this question. But I get no answer at all. I 
> don't think it is because of any conspiracy. But perhaps the people who know 
> are just too busy?

We're fairly certain the bad guys haven't been targeting whitelists (ours, or 
others) -- yet.  Occasionally some spam will come from a whitelisted IP after a 
server gets infected, but then that IP doesn't stay whitelisted for very long 
-- and there's no proof that the botnet operator had any idea the IP was 
whitelisted.

Besides, there's not all that much value for them.  When the big ISPs use 
whitelists like ours, they'll give IPs on the list a lot of leeway -- but not a 
free pass forever.  There are still volume limits (though higher than for 
non-whitelisted IPs), and they're still watching complaint rates.  If there's a 
problem, they'll let us know.

It's very similar to how SpamAssassin uses whitelists: enough points are 
subtracted to override /some/ spam rules, but not all.  When a message is 
extremely spammy, the whitelist won't be enough to rescue it.  And that's how 
it should be.

All that said, I think it's only a matter of time until the bad guys DO 
intentionally go after whitelisted IPs, or (worse) whitelisting services.  
We'll detect if spam suddenly starts coming from any IP we're monitoring, and 
it won't stay whitelisted for long -- that's the core of our program.  We've 
also put a lot of effort into the security of our own systems.  I've been 
involved with computer security issues for too long to say it could never ever 
happen, but I can say we're always watching.

--
J.D. Falk 
Return Path Inc
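
Added example, not part of any post in this thread: a small Python model of the scoring behaviour discussed above, where a whitelist rule subtracts points but cannot rescue a message that hits enough other rules, and where a later `score` line (as in a site-local config) overrides the shipped default. The rule names and score values are constructed; the `score` line syntax, the four score sets and the 5.0 default threshold are SpamAssassin's.

```python
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

# Constructed sample rules: names and values are illustrative, not shipped ones.
# Four values = one per score set: 0 plain, 1 network tests, 2 Bayes, 3 both.
DEFAULT_RULES = """
score EXAMPLE_CERT_WHITELIST 0 -4.3 0 -4.3   # DNS lookup, needs network tests
score EXAMPLE_PILLS          2.5
score EXAMPLE_FORGED_RCVD    3.0
score EXAMPLE_URIBL          0 4.0 0 4.0
"""
# A site-local override (constructed), read after the defaults.
LOCAL_OVERRIDE = "score EXAMPLE_CERT_WHITELIST 0\n"


def load_scores(*configs, scoreset=1):
    """Parse `score` lines; later configs override earlier ones."""
    scores = {}
    for text in configs:
        for line in text.splitlines():
            fields = line.split("#", 1)[0].split()
            if len(fields) < 3 or fields[0] != "score":
                continue
            values = [float(v) for v in fields[2:]]
            if len(values) == 1:
                values *= 4  # a single value applies to every score set
            if len(values) != 4:
                raise ValueError(f"bad score line: {line!r}")
            scores[fields[1]] = values[scoreset]
    return scores


def verdict(hits, scores):
    """Return (total, is_spam) for the rule names a message hit."""
    total = round(sum(scores.get(rule, 0.0) for rule in hits), 2)
    return total, total >= REQUIRED_SCORE


if __name__ == "__main__":
    mild = ["EXAMPLE_CERT_WHITELIST", "EXAMPLE_PILLS", "EXAMPLE_FORGED_RCVD"]
    heavy = mild + ["EXAMPLE_URIBL"]
    defaults = load_scores(DEFAULT_RULES)
    local = load_scores(DEFAULT_RULES, LOCAL_OVERRIDE)
    print("default, mild :", verdict(mild, defaults))
    print("default, heavy:", verdict(heavy, defaults))
    print("local 0, mild :", verdict(mild, local))
```

With the default scores the whitelist hit keeps the mildly spammy message under the threshold, the heavier one is still tagged, and zeroing the whitelist rule locally changes the outcome only on the host that carries the override.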