Re: Disable reporting to Razor while still reporting to Pyzor
On 31.01.23 18:03, spamassassin.us...@ml.karotte.org wrote:
> I use spamc -C report to report spam mails. I only want to report them to Pyzor. How do I disable reporting the mails to Razor (which fails anyways as I'm not registered)?

looks like it's not configurable. You can submit a (wishlist) bug report, and you can also set up razor config. I recommend doing the latter, if possible.

> Also as I see it using spamc -C report also marks the mail as spam in the bayes database, is this correct? There is no documentation about this but the code implies that's what happens.

spamc manpage describes -C needs to run spamd with --allow-tell option and spamd manpage says it trains bayes DB as long. note that spamd needs proper permissions to write the database.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 your friends - let them see what an idiot you are
Disable reporting to Razor while still reporting to Pyzor
Hi,

I use spamc -C report to report spam mails. I only want to report them to Pyzor. How do I disable reporting the mails to Razor (which fails anyways as I'm not registered)?

Also as I see it using spamc -C report also marks the mail as spam in the bayes database, is this correct? There is no documentation about this but the code implies that's what happens.

Best Regards
Sebastian

-- 
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Re: use of razor/pyzor/dcc on not english messages
On 22.10.19 16:24, hg user wrote:
> I'm wondering if the plugins listed in the subject may help with messages that are not in english...

yes.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
use of razor/pyzor/dcc on not english messages
Hi, I'm wondering if the plugins listed in the subject may help with messages that are not in english...
Re: razor?
On Sat, 10 Mar 2018 09:39:20 +0100 Matus UHLAR - fantomas wrote:
>>>> For example those scores were for a totally legit email that had
>>>> some screenshots embedded in the email...
>
> some screenshots? afaik razor only works on text parts, so short mail
> is quite possible to be detected (as some people report image-only
> spam)

As I said, razor uses a combination of URI domains and text size. Very short emails are all counted as the same size, which makes them more likely to FP, but an image-only spam, without a URI, cannot be listed in razor.
Re: razor?
On Fri, 9 Mar 2018 11:09:40 -0300 Robert Boyl wrote:
> Just wondering, what's your thoughts on Razor?

razor is great at spam detection.

> It says on their site " Detection is done with statistical and randomized signatures that efficiently spot mutating spam content. "
>
> For example those scores were for a totally legit email that had some screenshots embedded in the email...

some screenshots? afaik razor only works on text parts, so short mail is quite possible to be detected (as some people report image-only spam)

> Also, how to report FP?

razor-revoke -d -dl=2 -f false-positives

where "false-positives" is a mbox file format.

On 09.03.18 09:26, David Jones wrote:
> RAZOR like DCC and PYZOR shouldn't be used as a sole source of determining spam.

especially DCC, since it measures bulkiness, not spamminess.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
BSE = Mad Cow Disease ... BSA = Mad Software Producers Disease
Re: razor?
On 2018-03-09 09:26, David Jones wrote:
> RAZOR like DCC and PYZOR shouldn't be used as a sole source of
> determining spam. These are indicators that combine with other rule
> hits and scores to be one of many factors. If the score was 10 or
> more then you would worry about reporting FPs.

Well, _someone_ has to report the FP (I think Razor, confusingly, terms that "whitelisting") for the misclassification to be reversed. That's how Razor is supposed to work - it is a reputation service, both positive and negative, not just a list of badness. Making the score less than a poison pill helps _you_ avoid a FP but it leaves the wrong result in place for other recipients.

-- 
Please don't Cc: me privately on mailing lists and Usenet, if you also post the followup to the list or newsgroup. To reply privately _only_ on Usenet and on broken lists which rewrite From, fetch the TXT record for no-use.mooo.com.
Re: razor?
On 03/09/2018 08:58 AM, RW wrote:
> On Fri, 9 Mar 2018 11:09:40 -0300 Robert Boyl wrote:
>> Hi, everyone
>>
>> Just wondering, what's your thoughts on Razor?
>>
>> Haven't analysed big amount of emails yet, but I've had a few cases where it causes very strange false positives that make no sense.
>>
>> and adds a lot of points...
>>
>> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK 1.73
>
> That's out of date
>
> score RAZOR2_CHECK 0 1.729 0 0.922 # n=0
> score RAZOR2_CF_RANGE_51_100 0 2.430 0 1.886 # n=0 n=2
>
>> It says on their site " Detection is done with statistical and randomized signatures that efficiently spot mutating spam content. "
>>
>> For example those scores were for a totally legit email that had some screenshots embedded in the email...
>
> It's nothing to do with that, currently it's based on a combination of text size and URI domains, it's not far-off being a URIBL.
>
>> Also, how to report FP?

RAZOR like DCC and PYZOR shouldn't be used as a sole source of determining spam. These are indicators that combine with other rule hits and scores to be one of many factors. If the score was 10 or more then you would worry about reporting FPs.

If RAZOR scores alone are pushing legit mail over the block threshold, then you need to do something like whitelist_auth the sender if they are trustworthy and have good SPF or DKIM, train the Bayes DB better, or add some custom whitelist rules to bring the score down below 5 -- assuming you still have the default block threshold at 5.

> In theory (if it hasn't fallen-off) you can do it through SA (spamc or spamassassin) or razor-revoke after registering via razor-admin, but you would need to build-up a reputation before it carries any weight. There may be something on the cloudmark site as well.

-- 
David Jones
Re: razor?
On Fri, 9 Mar 2018 11:09:40 -0300 Robert Boyl wrote:
> Hi, everyone
>
> Just wondering, what's your thoughts on Razor?
>
> Haven't analysed big amount of emails yet, but I've had a few cases
> where it causes very strange false positives that make no sense.
>
> and adds a lot of points...
>
> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43,
> RAZOR2_CHECK 1.73

That's out of date

score RAZOR2_CHECK 0 1.729 0 0.922 # n=0
score RAZOR2_CF_RANGE_51_100 0 2.430 0 1.886 # n=0 n=2

> It says on their site " Detection is done with statistical and
> randomized signatures that efficiently spot mutating spam content. "
>
> For example those scores were for a totally legit email that had some
> screenshots embedded in the email...

It's nothing to do with that, currently it's based on a combination of text size and URI domains, it's not far-off being a URIBL.

> Also, how to report FP?

In theory (if it hasn't fallen-off) you can do it through SA (spamc or spamassassin) or razor-revoke after registering via razor-admin, but you would need to build-up a reputation before it carries any weight. There may be something on the cloudmark site as well.
razor?
Hi, everyone

Just wondering, what's your thoughts on Razor?

Haven't analysed big amount of emails yet, but I've had a few cases where it causes very strange false positives that make no sense.

and adds a lot of points...

RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK 1.73

It says on their site " Detection is done with statistical and randomized signatures that efficiently spot mutating spam content. "

For example those scores were for a totally legit email that had some screenshots embedded in the email...

Also, how to report FP?

Thanks.
Rob
Re: pyzor/razor/dcc and empty body
On Fri, 15 Dec 2017 13:52:32 -0500 Alex wrote:
> Hi,
>
> I have a bunch of rules that rely on the results of pyzor, razor or
> DCC. The problem is that they also match on an empty or nearly empty
> body.

You can use

pyzor local_whitelist < email.txt

at very least it's a good idea to run

echo "" | pyzor local_whitelist

razor2 only depends on URIs and message size, people must have reported one of the domains as spam for it to hit.

DCC is a bulk mail test rather than a spam test. I find it hits a lot of bulk and autogenerated ham. Personally I find short mail to be a small minority of the ham it hits.
Re: pyzor/razor/dcc and empty body
Alex wrote on 2017-12-15 19:52:
> Other ideas?

whitelist ?, dcc have whitelist, pyzor have whitelist if you run own pyzord, razor have whitelist how ?, all the 3 seen before content checkers should know your internal_networks ips just like spamassassin does

it's not relevant imho on empty emails or not
pyzor/razor/dcc and empty body
Hi,

I have a bunch of rules that rely on the results of pyzor, razor or DCC. The problem is that they also match on an empty or nearly empty body.

I believe we may have discussed something similar in the past, but is there a way to avoid these digest rules from hitting on empty emails or emails with just simple text like "Sent from my iPhone"? Sometimes this even results in multiple digests hitting, resulting in 2.0+ score to start...

I see John is working on a rule to identify an empty subject, and I've also created a few rules that count the number of words in the body. Would it be a good idea to negate any of the digest rules for messages with just a few simple words?

Other ideas?
Re: Issue RAZOR
On Wed, 28 Jun 2017 13:34:32 + Villalba Moreno Sergio wrote:
> Hello and good afternoon,
>
> They could help me to solve the problem that we have with razor:

Currently Razor2 hashes are based on a URI hashed with length/100. I think length is based on rendered text, probably for the mime section. The URI is probably simplified.

Try changing the domain names in the URIs to identify which are listed.
Issue RAZOR
Hello and good afternoon,

They could help me to solve the problem that we have with razor:

https://www.mail-tester.com/web-13coh&reloaded=3

We took 3 weeks trying to solve the problem.

Thank you.

Sergio Villalba Moreno
IT Department
DEKRA Testing and Certification, S.A.U.
Re: Razor FP on simple http link (by itself)
On Fri, 5 May 2017 11:37:38 -0400 Rob McEwen wrote:
> Does RAZOR extract domains from links and checks them against a bad
> domain database... sort of how SURBL works... and/or check the IP
> that they resolve to? (I don't think so, but now I have to ask just
> to be sure!)
>
> If not... this seems to go beyond checksum-checking of parts of a
> message - this seems much more surgical/specific than that.
>
> Don't get me wrong... I'm a big fan of razor and of other
> checksum-technologies. But I'm sort of shaken by this because I
> always thought a FP for razor would be much more difficult due to
> larger portions of a message having to match a checksum match in
> order to have a hit. (sort of like a larger "fingerprint" that is not
> easily duplicated in another innocent message, allegedly making FPs
> practically impossible)

razor2 supports multiple hash engines, but currently only engine 8 is used. This is based on a hash of URI domain name and message size in multiples of (I think) 100 bytes.
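The engine-8 behaviour RW describes above (a signature over the URI domain plus the message size in 100-byte steps) is easy to reason about with a toy model. The following is an added example written for this page; it is not Razor's code, not its real hash, and the 100-byte bucket, the `www.` stripping and the sample messages are assumptions. It shows why Rob's bare `http://example.com` body collides with a previously reported short spam that used the same domain, why the same line without `http://` cannot hit (no URI, no signature), and how the "change the domain names to see which one is listed" check from the Issue RAZOR thread works.

```python
"""Toy model of a URI-domain + size-bucket signature (added example; NOT Razor's
actual engine-8 algorithm). Everything below is constructed for illustration."""
import hashlib
import re
from typing import Dict, List, Set

URI_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.IGNORECASE)
BUCKET = 100  # assumed granularity: "message size in multiples of (I think) 100 bytes"


def uri_domains(body: str) -> List[str]:
    """Host parts of http(s) URIs in the body, lower-cased, leading 'www.' dropped.
    Dropping 'www.' models the thread's guess that the URI is simplified; it is an
    assumption of this example, not documented Razor behaviour."""
    hosts = set()
    for m in URI_RE.finditer(body):
        host = m.group(1).lower().rstrip('.')
        if host.startswith('www.'):
            host = host[4:]
        hosts.add(host)
    return sorted(hosts)


def size_bucket(body: str, bucket: int = BUCKET) -> int:
    """Body length rounded down to a multiple of `bucket`. Every mail shorter
    than 100 bytes lands in bucket 0, which is why very short mails collide."""
    return len(body.encode('utf-8')) // bucket


def _sig(domain: str, bucket: int) -> str:
    return hashlib.sha256(f'{domain}|{bucket}'.encode()).hexdigest()[:16]


def signatures(body: str) -> List[str]:
    """One signature per URI domain. No URI in the body means no signature at all."""
    bucket = size_bucket(body)
    return [_sig(d, bucket) for d in uri_domains(body)]


def listed_domains(body: str, listed: Set[str]) -> Dict[str, bool]:
    """Per-domain hit map: the 'swap the domain names and see which one is
    listed' diagnostic, done offline against a local signature set."""
    bucket = size_bucket(body)
    return {d: _sig(d, bucket) in listed for d in uri_domains(body)}


# Constructed sample data: a short spam somebody reported, which "lists" its signature.
REPORTED_SPAM = "Great offer! http://www.example.com/deal\n"
LISTED = set(signatures(REPORTED_SPAM))

# Constructed legitimate mails using the same domain as the reported spam.
HAM_LINK_ONLY = "http://example.com\n"          # bare link, same size bucket -> hits
HAM_NO_SCHEME = "example.com\n"                 # no scheme -> no URI -> cannot hit
HAM_LONG = ("Hi,\n\nplease see the closing documents on our portal at\n"
            "http://example.com/portal and call me if anything is unclear.\n"
            + "Regards,\n" * 8)                 # different size bucket -> no hit


def hits(body: str) -> bool:
    """True if any URI domain in `body` is in the listed set for its size bucket."""
    return any(listed_domains(body, LISTED).values())


if __name__ == '__main__':
    for name, body in [('link only', HAM_LINK_ONLY), ('no scheme', HAM_NO_SCHEME),
                       ('long mail', HAM_LONG)]:
        print(f'{name:10s} bucket={size_bucket(body)} hit={hits(body)} '
              f'{listed_domains(body, LISTED)}')
```

The practical takeaway is the one RW gives: a hit tells you that someone reported a short message carrying that domain, not that the body of your message matches anything, so the fix is a sender or domain whitelist plus a revoke, not a lower score.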
Razor FP on simple http link (by itself)
I use SA as a "helper app" within my custom written spam filter. So I'll get SA give me an opinion about certain marginal messages, and then my spam filter factors the SA score into my spam filter's scoring.

Recently, a prominent law firm for whom I host mail - was complaining about FPs where messages from a prominent real estate company were not making it to them. Interestingly, their messages kept hitting RAZOR, where SA was giving the following response:

1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100]
2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]

In testing, I narrowed it all the way down to simply the following (alone!) hitting on razor:

either http://www.example.com or http://example.com

(except with the sender's domain, of course) ...either one was triggering this razor score. I even put that as the ONLY body text of another message (so a totally different header) - and it still triggered. But either variation WITHOUT the "http://" part did not trigger.

Interesting... this domain name happens to resolve to an IP that is currently blacklisted on Zen. (I know, that is really really bad!) Unfortunately, that confuses issues!

Does RAZOR extract domains from links and checks them against a bad domain database... sort of how SURBL works... and/or check the IP that they resolve to? (I don't think so, but now I have to ask just to be sure!)

If not... this seems to go beyond checksum-checking of parts of a message - this seems much more surgical/specific than that.

Don't get me wrong... I'm a big fan of razor and of other checksum-technologies. But I'm sort of shaken by this because I always thought a FP for razor would be much more difficult due to larger portions of a message having to match a checksum match in order to have a hit. (sort of like a larger "fingerprint" that is not easily duplicated in another innocent message, allegedly making FPs practically impossible)

While this kind of more surgical strike can be beneficial in blocking more spam - it seems like it changes the paradigm of what I (mistakenly?) thought to be RAZOR's potential for collateral damage. Is this "extra curricular activity"? or did I misunderstand RAZOR's checksum technique?

-- 
Rob McEwen
Re: Report spam to Razor
On Tue, 21 Jul 2015 21:31:57 -0400 Bill Shirley wrote:
> I'm looking into modifying my spam processing script so it will
> report spam to Razor. From the Spamassassin Wiki:
> https://wiki.apache.org/spamassassin/ReportingSpam I should use:
> spamassassin -r < message.txt
> It states "The message will also be submitted to SpamAssassin's
> learning systems". Looking at the parms for spamassassin there is
> not --dbpath like there is for sa-learn.
>
> Does it in fact train the Bayes DB and if so why is there no way to
> specify --dbpath ? I'm using per user Bayes and have some vmail
> accounts so the --dbpath is not /home/vmail/.spamassassin

I'm not sure what you mean by vmail, but if you are using virtual home directories you can probably work around it by setting HOME. That's how I use sa-learn, which looks in $HOME/.spamassassin/ rather than the actual unix home directory. I would expect the spamassassin script to do the same thing.
Re: Report spam to Razor
On 21.07.15 21:31, Bill Shirley wrote:
> I'm looking into modifying my spam processing script so it will report spam to Razor.

IIRC Razor says it should only be fed up manually (FYI)

> From the Spamassassin Wiki: https://wiki.apache.org/spamassassin/ReportingSpam I should use: spamassassin -r < message.txt It states "The message will also be submitted to SpamAssassin's learning systems". Looking at the parms for spamassassin there is not --dbpath like there is for sa-learn. Does it in fact train the Bayes DB and if so why is there no way to specify --dbpath ?

that's because spamassassin is not sa-learn. you even should have your db_path in your SA config.

> using per user Bayes and have some vmail accounts so the --dbpath is not /home/vmail/.spamassassin
>
> Also 'spamassassin --help' says: Usage: spamassassin [options] [ < *mailmessage* | *path* ... ] Does that mean I can use a directory: spamassassin -r < /home/bob/Maildir/.Spam/ ?

No: it explicitly says you can only use < with message, you must specify path without the <.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
We are but packets in the Internet of life (userfriendly.org)
Report spam to Razor
I'm looking into modifying my spam processing script so it will report spam to Razor. From the Spamassassin Wiki:
https://wiki.apache.org/spamassassin/ReportingSpam
I should use:

spamassassin -r < message.txt

It states "The message will also be submitted to SpamAssassin's learning systems". Looking at the parms for spamassassin there is not --dbpath like there is for sa-learn.

Does it in fact train the Bayes DB and if so why is there no way to specify --dbpath ? I'm using per user Bayes and have some vmail accounts so the --dbpath is not /home/vmail/.spamassassin

Also 'spamassassin --help' says:

Usage: spamassassin [options] [ < *mailmessage* | *path* ... ]

Does that mean I can use a directory:

spamassassin -r < /home/bob/Maildir/.Spam/ ?

TIA,
Bill
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Mon, 3 Dec 2012 07:23:59 -0800 Gary Funck wrote: > Since this is a Spam Assassin list: Is there a way of disabling > grey listing, but still receiving some benefit from the principle > that mail received from a first time or infrequent sender should > be looked upon with some suspicion? Personally I wouldn't want to do it that way round - with a positive score for unknown rather than a negative score for known. YMMV but almost all of the FPs I've had in the last ten years have been that sort of mail because it's less likely to be recognised by Bayes.
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
On Mon, 2012-12-03 at 07:27 -0800, Gary Funck wrote: > On 11/29/12 10:44:54, John Hardin wrote: > > You will probably want to put a little effort into maintaining lists > > of regular correspondents who can bypass greylisting. There may be > > tools to automate that, e.g. to whitelist someone a local user has > > sent mail to. > > Has anyone looked into the use of a DNS-based white listing service? > Everybody's mail stream is different (I don't see any of the spam types discussed over the last week or two) so my guess is that any public whitelister would not be specific enough for any particular site. Its quite likely that stuff you and your users don't want would be whitelisted by it and OTOH you probably have a few mail sources that you want to see but aren't being whitelisted. For instance, I doubt that a US-based whitelister would whitelist customer information sent out by, say, Australian energy companies or British telcos. Martin
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Mon, 2012-12-03 at 07:23 -0800, Gary Funck wrote:
> Since this is a Spam Assassin list: Is there a way of disabling
> grey listing, but still receiving some benefit from the principle
> that mail received from a first time or infrequent sender should
> be looked upon with some suspicion?
>
Yes. If you keep a list of the recipients of outgoing mail it's easy to whitelist any mail you receive from them. This approach does what you want: a sender is treated as suspicious until you've sent mail to them and recipient list maintenance is easy to automate.

I use a mail archive system as my recipients list because it has a record of everybody I've sent mail to. I use an SA plugin to access the archive. The combination of it and an associated rule will whitelist anybody who is recorded in the archive as having received mail from me. However, the database archives messages at 4-6/sec, so this and/or the storage requirements (4.3 GB to store 143,000 messages) may mean that, if you're a high volume site and/or don't need an archive, you'd be better off just keeping a list of the recipient(s) of outgoing messages.

I wrote my archive for personal use because I can find an old e-mail with the archive search tool faster than I can by ferreting through a set of mail folders: it was never designed as a high volume solution, but should manage small business volumes quite easily with both it and SA running on a typical desktop PC. Up to early this year I was using an 866 MHz P3 with 512MB RAM that easily kept up while running PostgreSQL, the archive, Postfix and SA. That is all now running on a 3GHz dual Athlon with 4 GB RAM but not going any faster - an upgrade to Fedora 16 forced the change because its installer wouldn't run in less than 1GB RAM.

If you think my SA plugin or the mail archive would be of use to you, contact me off-list.

Martin
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
>> You will probably want to put a little effort into maintaining lists >> of regular correspondents who can bypass greylisting. There may be >> tools to automate that, e.g. to whitelist someone a local user has >> sent mail to. > > Has anyone looked into the use of a DNS-based white listing service? > > For example: http://www.dnswl.org/ > > It might be interesting to make a pass over a grey list database > and see if the sites white listed there appear in the registry. > And that sites that were black listed or simply did not retry > are _not_ listed in the white list. Been using it at least couple years to bypass greylisting. Seems to give no negative impact. Be sure to add the IP of your servers there.
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
>> We greylist after the end of DATA. This wastes bandwidth, but lets us
>> use the Subject: line as an additional mix in the greylisting tuple.
>> This catches ratware that retries in the face of greylisting, but
>> mutates the subject line with each retry.
>
> We use grey listing on our low volume server, and as others have
> noted, it works well because a high percentage of spam bots do
> not bother to retry. But as others have mentioned, it can be
> painful waiting for the delayed confirmation on a registration to a web
> site to come in an hour/two later, or email from a new client
> who is waiting on a response.

Using dnswl.org to whitelist against greylisting might help some.

> Since this is a Spam Assassin list: Is there a way of disabling
> grey listing, but still receiving some benefit from the principle
> that mail received from a first time or infrequent sender should
> be looked upon with some suspicion?
>
> Assume that either some to-be-implemented SA filter, or some
> mail gateway front-end (like MIMEDefang), adds a new tag/two,
> for example: SENDER_FIRST_RCPT, SENDER_LOW_FREQ,
> SENDER_HI_FREQ, or SENDER_HI_AVE_SA_SCORE? All these tags
> might be based upon some look back period (say: 90 days).
>
> Theoretically, these new tags could be calculated after the fact
> when passing through a spam corpus. And since many/most grey
> listing systems differentiate by some form of (sender, recipient)
> pairing this analysis can be reliably/repeatably performed by an
> SA plug-in at the point of delivery to the user, if needed.
>
> It would need to be shown that these new tags improve
> the ability to discriminate spam from ham. If the scheme
> worked well, there might be no need for grey listing at all.
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
On 11/29/12 10:44:54, John Hardin wrote: > You will probably want to put a little effort into maintaining lists > of regular correspondents who can bypass greylisting. There may be > tools to automate that, e.g. to whitelist someone a local user has > sent mail to. Has anyone looked into the use of a DNS-based white listing service? For example: http://www.dnswl.org/ It might be interesting to make a pass over a grey list database and see if the sites white listed there appear in the registry. And that sites that were black listed or simply did not retry are _not_ listed in the white list.
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On 11/29/12 14:46:25, David F. Skoll wrote: > We greylist after the end of DATA. This wastes bandwidth, but lets us > use the Subject: line as an additional mix in the greylisting tuple. > This catches ratware that retries in the face of greylisting, but > mutates the subject line with each retry. We use grey listing on our low volume server, and as others have noted, it works well because a high percentage of spam bots do not bother to retry. But as others have mentioned, it can be painful waiting for the delayed confirmation on a registration to a web site to come in an hour/two later, or email from a new client who is waiting on a response. Since this is a Spam Assassin list: Is there a way of disabling grey listing, but still receiving some benefit from the principle that mail received from a first time or infrequent sender should be looked upon with some suspicion? Assume that either some to-be-implemented SA filter, or some mail gateway front-end (like MIMEDefang), adds a new tag/two, for example: SENDER_FIRST_RCPT, SENDER_LOW_FREQ, SENDER_HI_FREQ, or SENDER_HI_AVE_SA_SCORE? All these tags might be based upon some look back period (say: 90 days). Theoretically, these new tags could be calculated after the fact when passing through a spam corpus. And since many/most grey listing systems differentiate by some form of (sender, recipient) pairing this analysis can be reliably/repeatably performed by an SA plug-in at the point of delivery to the user, if needed. It would need to be shown that these new tags improve the ability to discriminate spam from ham. If the scheme worked well, there might be no need for grey listing at all.
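Gary's proposed tags and Martin's "whitelist anyone I have sent mail to" rule can both be driven from one small sender-history store. The following is an added example written for this page, not code from either poster's system and not a SpamAssassin plugin; the 90-day window comes from Gary's message, but the frequency thresholds, the use of 5.0 as the "spammy average" cut-off, the `SENDER_KNOWN_CORRESPONDENT` tag name and all sample history are assumptions constructed for the example. History is keyed on the (sender, recipient) pair, as Gary notes greylisters usually do.

```python
"""Sender-history tags over a look-back window (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import getaddresses, parseaddr

LOOKBACK = timedelta(days=90)   # Gary's suggested look-back period
LOW_FREQ_MAX = 2                # assumed: 1-2 deliveries in the window is "low frequency"
HI_FREQ_MIN = 10                # assumed: 10+ deliveries is "high frequency"
HI_AVE_SCORE = 5.0              # assumed: SpamAssassin's default required_score


def norm(addr):
    return addr.strip().lower()


class SenderHistory:
    """Delivery history per (sender, recipient) pair plus, per local user, the
    set of addresses that user has written to (Martin's recipient list)."""

    def __init__(self, lookback=LOOKBACK):
        self.lookback = lookback
        self.received = defaultdict(list)   # (sender, rcpt) -> [(when, sa_score)]
        self.sent_to = defaultdict(set)     # local user -> {addresses mailed}

    def record_received(self, sender, recipient, when, sa_score):
        self.received[(norm(sender), norm(recipient))].append((when, sa_score))

    def record_sent(self, raw_message):
        """Harvest To:/Cc: recipients of an outgoing message."""
        msg = message_from_string(raw_message)
        local = norm(parseaddr(msg.get("From", ""))[1])
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _, addr in getaddresses(headers):
            if addr:
                self.sent_to[local].add(norm(addr))

    def tags(self, sender, recipient, now):
        """Tags for one incoming (sender -> recipient) delivery at time `now`."""
        sender, recipient = norm(sender), norm(recipient)
        found = set()
        if sender in self.sent_to.get(recipient, ()):
            found.add("SENDER_KNOWN_CORRESPONDENT")   # assumed name: we have mailed them
        cutoff = now - self.lookback
        recent = [(w, s) for w, s in self.received.get((sender, recipient), [])
                  if w >= cutoff]                     # older history is ignored
        if not recent:
            found.add("SENDER_FIRST_RCPT")
        elif len(recent) <= LOW_FREQ_MAX:
            found.add("SENDER_LOW_FREQ")
        elif len(recent) >= HI_FREQ_MIN:
            found.add("SENDER_HI_FREQ")
        if recent and sum(s for _, s in recent) / len(recent) >= HI_AVE_SCORE:
            found.add("SENDER_HI_AVE_SA_SCORE")
        return found


NOW = datetime(2012, 12, 3, 12, 0)

# Constructed outgoing message from the local user alice.
SENT_MAIL = """From: alice@example.org
To: "Bob" <bob@partner.example>, carol@partner.example
Cc: dave@other.example
Subject: re: contract

see attached
"""


def build_history():
    """Constructed sample history: a weekly newsletter, a twice-seen spammer,
    a friend last heard from 200 days ago, and alice's own sent mail."""
    h = SenderHistory()
    h.record_sent(SENT_MAIL)
    for i in range(12):
        h.record_received("news@list.example", "alice@example.org",
                          NOW - timedelta(days=7 * i + 1), 0.5)
    for i in range(2):
        h.record_received("promo@bulk.example", "alice@example.org",
                          NOW - timedelta(days=3 * i + 1), 8.0)
    h.record_received("old@friend.example", "alice@example.org",
                      NOW - timedelta(days=200), 0.1)
    return h


if __name__ == "__main__":
    h = build_history()
    for s in ("news@list.example", "promo@bulk.example", "old@friend.example",
              "bob@partner.example", "stranger@unknown.example"):
        print(f"{s:28s} {sorted(h.tags(s, 'alice@example.org', NOW))}")
```

As Gary says, the tags are only useful if a corpus run shows they separate spam from ham; the `SENDER_FIRST_RCPT` tag in particular should start with a small or zero score, since RW's point in the same thread is that first-contact mail is exactly where Bayes is weakest and a positive score there causes FPs.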
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On 11/29/2012 18:54, David F. Skoll wrote:
> [My gut instinct says that a reasonable greylisting interval is too short for most DNSBLs to react. Pyzor/Razor/DCC may be somewhat more adept at reacting quickly.]

Something trap-driven like NIX is a candidate. No, it's not safe enough to reject based on its output, but it was worth use in a scoring system. Invalument too responds reasonably quickly, enough that it sometimes tripped during the greylist period.

The other trick is how you define reasonable. A reasonable greylist period for greylisting all mail is about 3 seconds, otherwise you'll have users screaming. However, if you only greylist questionable stuff to start with (rDNS failures, mismatches, etc, SPF fails, borderline-spammy stuff, DUL hits), you can get away with much longer times since most of it is crap anyway but a greylist period can help let the odd gem through.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On 11/29/2012 17:37, John Levine wrote:
>> Does greylisting increase chances of bulk detectors (razor/pyzor/dcc) in case of "yahoo like" spam sources?
>
> No. A remarkable fraction of ratware still doesn't bother to retry, so the most simple minded greylister will deter them. That's why it's useful.
>
> I've never seen any support for the theory that greylisting delays make it more likely that the host will be blacklisted when it retries.

If I run my accepted-and-quarantined spam corpus through a filter to test against DNSBL effectiveness, I always see higher effectiveness ratings than what was shown during the SMTP phase. I haven't done so in recent enough memory to have any actual numbers, but when I last did a comparison, slow moving DNSBLs showed little/no change at all, fast-acting trap-driven ones show more of a difference.

Now I've not studied the exact amount of time it takes for hosts to start getting listed, but since I only greylist questionable stuff already and since I whitelist aggressively, I've been able to set my greylisting in the 30-60 minute range without too many seizures from users and with higher rejection counts -- Since greylisting doesn't cause higher reject counts, I assume (yes, just assume) that it's due to higher hit rates.

I admit that it would make sense to do further testing, but for fast-acting DNSBLs, and body-hash based systems, it makes sense that the longer one defers a message, the greater the odds of a hit against a new zombie or a new spam-run.

-- 
Dave Warren
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Thu, 29 Nov 2012 18:01:38 -0800 (PST) John Hardin wrote: > It's not so much the host being blacklisted, as a checksum of the > spam being published by pyzor et. al., or for spamvertised websites > in the spam being published by URIBLs, so that when the sender tries > again the score for that message will be higher than it would the > first time around, hopefully high enough to classify it as spam > rather than a FN. I would love to gather some hard data on this. Maybe a research project for the future... since we do our greylisting post-DATA, we could in principle run all the content-filtering and URIBL lookups and check if the score changes between the first attempt and the final attempt after greylisting. Or those who use SA without greylisting could reprocess messages after an hour or two and see if the score goes up. [My gut instinct says that a reasonable greylisting interval is too short for most DNSBLs to react. Pyzor/Razor/DCC may be somewhat more adept at reacting quickly.] Regards, David.
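The mechanics discussed in this sub-thread (David's post-DATA greylisting with the Subject: line mixed into the tuple, Dave Warren's "only greylist questionable mail, but for longer", and the observation that a host which has passed once should not be greylisted again) fit in a few dozen lines. The following is an added example written for this page, not code from any of the posters' mail systems or from any real greylisting daemon; the 5-minute minimum delay, the 4-hour retry window, the host+sender auto-whitelist and the sample sessions (documentation IP ranges, invented addresses) are all assumptions constructed for the example.

```python
"""Post-DATA greylister with Subject: in the tuple (added example, constructed data)."""
import re
from datetime import datetime, timedelta

MIN_DELAY = timedelta(minutes=5)     # assumed: a retry sooner than this is still deferred
RETRY_WINDOW = timedelta(hours=4)    # assumed: a retry later than this starts over
DEFER = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.0.0 Ok: queued"
_WS = re.compile(r"\s+")


def normalise_subject(subject):
    """Fold whitespace and case so a harmless re-encoding of the same subject still
    matches, while a ratware mutation ('Buy now!' -> 'Buy n0w!!') does not."""
    return _WS.sub(" ", (subject or "").strip()).lower()


class Greylist:
    def __init__(self):
        self.pending = {}   # (ip, sender, rcpt, subject) -> time first seen
        self.known = set()  # (ip, sender) pairs that have passed greylisting once

    def smtp_response(self, client_ip, sender, recipient, subject, now, suspicious=True):
        """Decide at end of DATA. `suspicious` is the caller's verdict from the cheap
        pre-checks (rDNS failure, SPF fail, DUL hit ...); clean mail is never delayed."""
        sender, recipient = sender.lower(), recipient.lower()
        if not suspicious or (client_ip, sender) in self.known:
            return ACCEPT
        key = (client_ip, sender, recipient, normalise_subject(subject))
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now          # first sight, or a stale record: start over
            return DEFER
        if now - first < MIN_DELAY:
            return DEFER                     # retried too early, keep waiting
        del self.pending[key]                # real MTA behaviour: same tuple, sane delay
        self.known.add((client_ip, sender))  # never greylist this host+sender again
        return ACCEPT


def demo():
    """Constructed sessions showing each path through the decision."""
    t0 = datetime(2012, 11, 29, 14, 0)
    g = Greylist()
    out = {}
    legit = ("198.51.100.7", "ann@corp.example", "bob@example.org")
    out["legit_first"] = g.smtp_response(*legit, "Q4 figures", t0)
    out["legit_retry"] = g.smtp_response(*legit, "Q4  figures ", t0 + timedelta(minutes=12))
    out["legit_next"] = g.smtp_response(*legit, "lunch?", t0 + timedelta(minutes=13))
    ratware = ("203.0.113.9", "x@spam.example", "bob@example.org")
    out["ratware_first"] = g.smtp_response(*ratware, "Buy now!", t0)
    out["ratware_retry"] = g.smtp_response(*ratware, "Buy n0w!!", t0 + timedelta(minutes=12))
    out["trusted"] = g.smtp_response("192.0.2.5", "news@list.example", "bob@example.org",
                                     "Weekly", t0, suspicious=False)
    slow = ("203.0.113.44", "z@slow.example", "bob@example.org")
    out["slow_first"] = g.smtp_response(*slow, "hi", t0)
    out["slow_retry"] = g.smtp_response(*slow, "hi", t0 + timedelta(hours=5))
    return out


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name:14s} {resp}")
```

Greylisting at end of DATA is what makes the Subject: part of the key possible at all; the price, as David says, is that the whole message body is transferred before it is deferred. It also means the same code path can run the first-attempt scoring David wants to compare against the final attempt, since the body is already in hand.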
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Thu, 30 Nov 2012, John Levine wrote:
>> Does greylisting increase chances of bulk detectors (razor/pyzor/dcc) in case of "yahoo like" spam sources?
>
> No. A remarkable fraction of ratware still doesn't bother to retry, so the most simple minded greylister will deter them. That's why it's useful.
>
> I've never seen any support for the theory that greylisting delays make it more likely that the host will be blacklisted when it retries.

It's not so much the host being blacklisted, as a checksum of the spam being published by pyzor et. al., or for spamvertised websites in the spam being published by URIBLs, so that when the sender tries again the score for that message will be higher than it would the first time around, hopefully high enough to classify it as spam rather than a FN.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here." -- Peter da Silva in a.s.r
26 days until Christmas
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
> Does greylisting increase chances of bulk detectors (razor/pyzor/dcc) in
> case of "yahoo like" spam sources?

No. A remarkable fraction of ratware still doesn't bother to retry, so the most simple minded greylister will deter them. That's why it's useful.

I've never seen any support for the theory that greylisting delays make it more likely that the host will be blacklisted when it retries.

I haven't seen many legit senders that don't retry as David says he has, but I don't have his volume of mail, either.
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Thu, 29 Nov 2012 22:47:45 +0100 Axb wrote:

> boxes:
About 50 000

> rcpt domains:
About 2000

> rcpt users:
Lots. I don't have an exact figure.

> you guys are sending through greylisting.
This is on our machines. Our larger customers have significantly higher numbers.

Regards,

David.
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Thu, 29 Nov 2012, David F. Skoll wrote:

> On Thu, 29 Nov 2012 21:27:19 +0100 "Andrzej A. Filip" wrote:
>
>> Do you treat "yahoo like" spam sources in the same way?
>
> With respect to greylisting, of course. If a machine passes greylisting
> once, it's extremely likely to pass it in future and it's an utter waste
> of time to greylist it.

Modulo spamvertised URIs and spam checksums sent via such hosts, particularly if they are freemail.

Filtering out the spambots who don't retry (and as trivial as that is to defeat, a large amount still gets blocked by this in my experience) is not the _only_ reason to greylist. Giving the URIBLs a chance to list a new URI and the checksum services a chance to recognize a new body are also benefits of greylisting. (But, as you said, you don't take advantage of those tools.)

Also, greylisting generally keys on host+sender, not just host.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
Just wondering how many

  boxes:
  rcpt domains:
  rcpt users:

you guys are sending through greylisting.

Axb
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
>> I've never had any
>> complaints about delivery speed, but some senders have broken mail
>> servers that don't retry on receiving a temporary failure.
>
> Many such servers use broken SMTP implementations that can't handle
> a 4xx code in response to RCPT properly.
>
> We greylist after the end of DATA. This wastes bandwidth, but lets us
> use the Subject: line as an additional mix in the greylisting tuple.
> This catches ratware that retries in the face of greylisting, but
> mutates the subject line with each retry.
>
> Also, once a given IP passes greylisting, we remember that and we don't
> greylist that server for 40 days. If you have a large-enough user population,
> this can greatly mitigate the problems caused by initial greylisting delays.

Every 60 seconds we look at all messages that arrived in the last 60 seconds. If their SpamAssassin score is less than 1 we add that server to a whitelist for 6 months. If it's already on the whitelist we update the last message time. If a message scores over 5 we remove it from the whitelist if it's on it. We do not greylist servers on the whitelist.

Works very well. Even though we use greylisting our users very rarely notice, if at all, due to this.
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Thu, 29 Nov 2012 21:59:45 +0100 "Andrzej A. Filip" wrote:

> Does greylisting increase chances of bulk detectors (razor/pyzor/dcc)
> in case of "yahoo like" spam sources?
> [ based on your experience ]

I suppose it might, but I don't use razor, pyzor, dcc or anything similar so I have no personal experience.

Regards,

David.
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On 11/29/2012 09:53 PM, David F. Skoll wrote:
> On Thu, 29 Nov 2012 21:27:19 +0100
> "Andrzej A. Filip" wrote:
>
>> Do you treat "yahoo like" spam sources in the same way?
>
> With respect to greylisting, of course. If a machine passes greylisting once,
> it's extremely likely to pass it in future and it's an utter waste of
> time to greylist it.

Does greylisting increase chances of bulk detectors (razor/pyzor/dcc) in case of "yahoo like" spam sources? [ based on your experience ]
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Thu, 29 Nov 2012 21:27:19 +0100 "Andrzej A. Filip" wrote:

> Do you treat "yahoo like" spam sources in the same way?

With respect to greylisting, of course. If a machine passes greylisting once, it's extremely likely to pass it in future and it's an utter waste of time to greylist it.

Regards,

David.
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On 11/29/2012 09:31 PM, Dave Warren wrote:
> On 11/29/2012 12:27, Andrzej A. Filip wrote:
>> On 11/29/2012 08:46 PM, David F. Skoll wrote:
>>> [...]
>>> Also, once a given IP passes greylisting, we remember that and we don't
>>> greylist that server for 40 days. If you have a large-enough user
>>> population,
>>> this can greatly mitigate the problems caused by initial greylisting
>>> delays.
>> Do you treat "yahoo like" spam sources in the same way?
>
> There's almost no point in greylisting an IP that you know will retry
> properly anyway, so why wouldn't you allow that IP to bypass
> greylisting in the future?
>

I assume that greylisting of "yahoo like" spam sources increases chances of "bulk detectors" detecting spam. Isn't it true? [based on real data]
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
Am 29.11.2012 20:46, schrieb David F. Skoll:
> On Thu, 29 Nov 2012 14:36:45 -0500
> vec...@vectro.org wrote:
>
>> I've never had any
>> complaints about delivery speed, but some senders have broken mail
>> servers that don't retry on receiving a temporary failure.
>
> Many such servers use broken SMTP implementations that can't handle
> a 4xx code in response to RCPT properly.
>
> We greylist after the end of DATA. This wastes bandwidth, but lets us
> use the Subject: line as an additional mix in the greylisting tuple.
> This catches ratware that retries in the face of greylisting, but
> mutates the subject line with each retry.
>
> Also, once a given IP passes greylisting, we remember that and we don't
> greylist that server for 40 days. If you have a large-enough user population,
> this can greatly mitigate the problems caused by initial greylisting delays.
>
> Regards,
>
> David.
>

Greylisting isn't state of the art, however it might be helpful in some domains (everyone has its own spam); using postscreen with postfix before selective greylisting is a good choice.

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On 11/29/2012 12:27, Andrzej A. Filip wrote:
> On 11/29/2012 08:46 PM, David F. Skoll wrote:
>> [...]
>> Also, once a given IP passes greylisting, we remember that and we don't
>> greylist that server for 40 days. If you have a large-enough user
>> population, this can greatly mitigate the problems caused by initial
>> greylisting delays.
> Do you treat "yahoo like" spam sources in the same way?

There's almost no point in greylisting an IP that you know will retry properly anyway, so why wouldn't you allow that IP to bypass greylisting in the future?

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On 11/29/2012 08:46 PM, David F. Skoll wrote:
> [...]
> Also, once a given IP passes greylisting, we remember that and we don't
> greylist that server for 40 days. If you have a large-enough user population,
> this can greatly mitigate the problems caused by initial greylisting delays.

Do you treat "yahoo like" spam sources in the same way?
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
On 11/29/2012 12:01, Ned Slider wrote:
> Indeed. But do also play around with the delays in postgrey (--delay). A
> minimal delay of 60 seconds is enough to force a retry and is adequate -
> legit hosts will retry, non-legit hosts won't so a longer delay is
> generally unnecessary.

This is only one of the benefits of greylisting; it's one that spammers can trivially bypass by implementing a retry mechanism of their own.

The other benefit of greylisting is that you can defer (or re-check) DNSBLs before making the final decision to accept or decline, so a fresh zombie or new spam sender doesn't get a free bite at the inbox. Instead, fast-acting DNSBLs have a chance to get the new sender listed before a greylist retry period expires.

Here we do a combination of the two approaches, immediately whitelisting any address to which the user has sent mail in the past, as well as a fairly large list of known senders. After that, we only look at greylisting if the session or message is otherwise a bit suspicious, be it missing or mismatching rDNS, SPF softfail or worse, DK/DKIM failures, BAYES 70+ or SpamAssassin 4+, etc. If it trips one of these normally-too-sensitive-to-use-for-blocking rules, it gets passed over to the greylisting subsystem and then can try again after a few minutes before getting through.

This has proved to work very well since it allows a majority of legitimate mail through without greylisting even on the first attempt, but still nets us most of the benefits of greylisting in the end.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
I'll expand a little on John's comments below

On 29/11/12 18:44, John Hardin wrote:
> On Thu, 29 Nov 2012, Ed Flecko wrote:
>> I'll be sure to check into Postgrey. Are there any special considerations
>> to installing/configuring it or is it simply a matter of installing,
>> reading the docs and configuring?
>
> The biggest consideration is not technical, it's managing the expectations
> of your users. You will need to educate your users that email is *not*
> instant messaging.

Indeed. But do also play around with the delays in postgrey (--delay). A minimal delay of 60 seconds is enough to force a retry and is adequate - legit hosts will retry, non-legit hosts won't so a longer delay is generally unnecessary.

> You will probably want to put a little effort into maintaining lists of
> regular correspondents who can bypass greylisting. There may be tools to
> automate that, e.g. to whitelist someone a local user has sent mail to.

Postgrey has an auto-whitelisting mechanism that can be fine tuned by reducing the number of times a client must successfully retry (--auto-whitelist-clients) before auto-whitelisting and adjusting the age of the cache (--max-age) so whitelisted clients are cached for longer. Generally after a couple weeks of normal mail flow, all regular hosts should be cached so only new contacts will get greylisted. Also don't be afraid to whitelist big clients that you receive correspondence from - you know they are legit and will resend so it's pointless greylisting them. Postgrey is very configurable and all the options above are documented in the manpage.

> Some users are extremely allergic to any delays in their email; you may
> have to maintain a list of exception destination addresses to keep them
> happy, or for addresses where no delay is acceptable, e.g. or
Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)
On Thu, 29 Nov 2012 14:36:45 -0500 vec...@vectro.org wrote:

> I've never had any
> complaints about delivery speed, but some senders have broken mail
> servers that don't retry on receiving a temporary failure.

Many such servers use broken SMTP implementations that can't handle a 4xx code in response to RCPT properly.

We greylist after the end of DATA. This wastes bandwidth, but lets us use the Subject: line as an additional mix in the greylisting tuple. This catches ratware that retries in the face of greylisting, but mutates the subject line with each retry.

Also, once a given IP passes greylisting, we remember that and we don't greylist that server for 40 days. If you have a large-enough user population, this can greatly mitigate the problems caused by initial greylisting delays.

Regards,

David.
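The two whitelisting strategies described in this thread (David's post-DATA tuple with the Subject: line mixed in and a 40-day memory of IPs that passed, and the other reply's score-driven whitelist that adds a server for 6 months when a message scores under 1 and drops it when one scores over 5) fit together in one small greylister. The following is an added example written for this page, not code from any of the posters or from any real greylisting product; the 300-second retry delay, the IP addresses and the message scores are constructed for the demonstration.

```python
from dataclasses import dataclass, field

DAY = 86400
GREYLIST_DELAY = 300             # assumed minimum retry delay, in seconds
PASSED_IP_TTL = 40 * DAY         # "we don't greylist that server for 40 days"
SCORE_WHITELIST_TTL = 180 * DAY  # "add that server to a whitelist for 6 months"


@dataclass
class Greylister:
    pending: dict = field(default_factory=dict)     # tuple -> first-seen time
    passed_ips: dict = field(default_factory=dict)  # ip -> expiry time
    whitelist: dict = field(default_factory=dict)   # ip -> expiry time

    def _listed(self, table, ip, now):
        """True if ip has an unexpired entry in table; expires stale ones lazily."""
        expiry = table.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del table[ip]
            return False
        return True

    def check(self, ip, sender, rcpt, subject, now):
        """Return 'accept' or 'defer' for one post-DATA delivery attempt."""
        if self._listed(self.whitelist, ip, now) or self._listed(self.passed_ips, ip, now):
            return "accept"
        # The subject is part of the tuple, so ratware that mutates it on
        # every retry never matches its own earlier attempt and is deferred again.
        key = (ip, sender.lower(), rcpt.lower(), subject.strip())
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now
            return "defer"
        if now - first_seen < GREYLIST_DELAY:
            return "defer"                      # retried too soon
        del self.pending[key]
        self.passed_ips[ip] = now + PASSED_IP_TTL
        return "accept"

    def record_score(self, ip, score, now):
        """Periodic job over recently arrived mail: maintain the score-driven whitelist."""
        if score < 1:
            self.whitelist[ip] = now + SCORE_WHITELIST_TTL   # add, or refresh the timer
        elif score > 5:
            self.whitelist.pop(ip, None)


def demo():
    """Walk through the scenarios the thread discusses; returns the verdicts."""
    g = Greylister()
    t0 = 1_700_000_000          # constructed epoch time
    out = {}
    # A legitimate MTA: deferred, retries too soon, then passes after the delay.
    out["legit_first"] = g.check("192.0.2.10", "a@example.org", "b@example.net", "Hello", t0)
    out["legit_too_soon"] = g.check("192.0.2.10", "a@example.org", "b@example.net", "Hello", t0 + 10)
    out["legit_retry"] = g.check("192.0.2.10", "a@example.org", "b@example.net", "Hello", t0 + 400)
    # The same IP with a brand-new tuple inside the 40-day window is not greylisted at all.
    out["legit_later"] = g.check("192.0.2.10", "x@example.org", "y@example.net", "Other", t0 + 10 * DAY)
    # After 40 days the memory has expired and the IP starts over.
    out["legit_expired"] = g.check("192.0.2.10", "x@example.org", "y@example.net", "Other", t0 + 41 * DAY)
    # Ratware that mutates the subject on each retry never completes a tuple.
    out["ratware_1"] = g.check("198.51.100.7", "s@bad.example", "b@example.net", "Buy now #1", t0)
    out["ratware_2"] = g.check("198.51.100.7", "s@bad.example", "b@example.net", "Buy now #2", t0 + 400)
    # Score-driven whitelist: a clean server bypasses greylisting, a spamming one is dropped.
    g.record_score("203.0.113.5", 0.2, t0)
    out["scored_clean"] = g.check("203.0.113.5", "c@corp.example", "b@example.net", "Report", t0 + 60)
    g.record_score("203.0.113.5", 7.5, t0 + 120)
    out["scored_spam"] = g.check("203.0.113.5", "c@corp.example", "b@example.net", "Report", t0 + 180)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Note that the score-driven list is keyed on the sending IP only, so a trusted relay that later starts emitting spam is removed from it the next time the periodic job sees a message from it score over 5; until then its mail is accepted without greylisting, which is the trade-off the poster accepts for making delays invisible to users.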
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
> From: "John Hardin"
> I fully agree. When I purchase an air-line ticket, I want the mail
> immediately in my inbox.
>
> If the greylisting software replies a "4xx Please come back in 299
> seconds",
> the truth is that you will have to wait an undetermined amount of time,
> depending on the sending server setup, and not at all under your control.
> Very frustrating.

I use a blend of greylisting and spamassassin, so that only mails which are close to the margin by SA score get greylisted; lower-scoring mails are accepted immediately, and high-scoring mails are rejected outright. It works pretty well. I've never had any complaints about delivery speed, but some senders have broken mail servers that don't retry on receiving a temporary failure. Greylisting.org maintains an incomplete list of such servers: http://www.greylisting.org/whitelisting.shtml

--Ian
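Ian's score-band blend and Dave Warren's selective approach further down the thread (known correspondents bypass greylisting; otherwise only sessions that trip a normally-too-sensitive signal such as missing rDNS, SPF softfail, a DKIM failure, BAYES 70+ or an SA score of 4+ are handed to the greylister) describe the same decision: whether a message should be greylisted at all. The following is an added example, not code from either poster or from SpamAssassin; the reject threshold of 10 and the session attributes are assumptions made for the demonstration.

```python
from dataclasses import dataclass

REJECT_SCORE = 10.0   # assumed: high-scoring mail is rejected outright
GREY_SCORE = 4.0      # "SpamAssassin 4+" from the thread
BAYES_GREY = 0.70     # "BAYES 70+" from the thread


@dataclass
class Session:
    """What the MTA and content filter know before the accept/defer decision."""
    sender: str
    client_ip: str
    rdns_ok: bool      # forward-confirmed rDNS present and matching
    spf: str           # "pass", "none", "softfail" or "fail"
    dkim_fail: bool
    bayes: float       # BAYES_* probability, 0..1
    sa_score: float


def decide(s, known_senders):
    """Return (verdict, reasons) where verdict is 'accept', 'greylist' or 'reject'."""
    if s.sender.lower() in known_senders:
        return "accept", ["known correspondent bypasses greylisting"]
    if s.sa_score >= REJECT_SCORE:
        return "reject", [f"score {s.sa_score} >= {REJECT_SCORE}"]
    reasons = []
    if not s.rdns_ok:
        reasons.append("missing or mismatching rDNS")
    if s.spf in ("softfail", "fail"):
        reasons.append(f"SPF {s.spf}")
    if s.dkim_fail:
        reasons.append("DKIM failure")
    if s.bayes >= BAYES_GREY:
        reasons.append(f"BAYES {s.bayes:.2f} >= {BAYES_GREY}")
    if s.sa_score >= GREY_SCORE:
        reasons.append(f"score {s.sa_score} >= {GREY_SCORE}")
    # Any one of these signals is too weak to block on, but strong enough to
    # make the sender prove it can retry.
    if reasons:
        return "greylist", reasons
    return "accept", ["no suspicious signal"]


def demo():
    """Constructed sessions covering each branch; returns sender -> verdict."""
    known = {"partner@corp.example"}   # addresses the user has mailed before (constructed)
    sessions = [
        Session("partner@corp.example", "192.0.2.8", False, "softfail", True, 0.9, 6.0),
        Session("friend@example.org", "192.0.2.9", True, "pass", False, 0.05, 0.3),
        Session("news@list.example", "198.51.100.3", True, "softfail", False, 0.2, 1.5),
        Session("offer@shop.example", "198.51.100.4", True, "none", False, 0.5, 4.5),
        Session("win@lottery.example", "203.0.113.77", False, "fail", False, 0.99, 14.2),
    ]
    return {s.sender: decide(s, known)[0] for s in sessions}


if __name__ == "__main__":
    for sender, verdict in demo().items():
        print(f"{verdict:9s} {sender}")
```

The reasons list is worth logging alongside the verdict: it is the evidence you need when a user asks why a particular message was delayed, and it shows which of the weak signals is doing most of the work in your mail stream.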
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
From: "John Hardin"
> Some users are extremely allergic to any delays in their email; you may
> have to maintain a list of exception destination addresses to keep them
> happy, or for addresses where no delay is acceptable, e.g. or

I fully agree. When I purchase an air-line ticket, I want the mail immediately in my inbox.

If the greylisting software replies a "4xx Please come back in 299 seconds", the truth is that you will have to wait an undetermined amount of time, depending on the sending server setup, and not at all under your control. Very frustrating.

Use good blacklists such as zen.spamhaus.org (free for small installations).

Frédéric De Mees
Brussels
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
Good thoughts...thank you John. Ed
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
On Thu, 29 Nov 2012, Ed Flecko wrote:

> I'll be sure to check into Postgrey. Are there any special considerations
> to installing/configuring it or is it simply a matter of installing,
> reading the docs and configuring?

The biggest consideration is not technical, it's managing the expectations of your users. You will need to educate your users that email is *not* instant messaging.

You will probably want to put a little effort into maintaining lists of regular correspondents who can bypass greylisting. There may be tools to automate that, e.g. to whitelist someone a local user has sent mail to.

Some users are extremely allergic to any delays in their email; you may have to maintain a list of exception destination addresses to keep them happy, or for addresses where no delay is acceptable, e.g. or

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
Am 29.11.2012 17:04, schrieb Ed Flecko:
> Gentlemen,
> Thank you for your feedback!
>
> I'll be sure to check into Postgrey.
>
> Are there any special considerations to installing/configuring it or
> is it simply a matter of installing, reading the docs and configuring?
>
> Ed
>

Yes, don't greylist all; use selective greylisting, also for other checks like rbl, spf etc, i.e. http://www.arschkrebs.de/postfix/postfix_greylisting.shtml

I don't use amavis on gateways; I use spamass-milter with sanesecurity antispam sigs and clamav-milter, but that's mostly a matter of taste. amavis has tons more features but therefore it's more complex. Anyway, in milter mode you are able to reject at the smtp income stage.

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG http://sys4.de
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
Gentlemen,
Thank you for your feedback!

I'll be sure to check into Postgrey.

Are there any special considerations to installing/configuring it or is it simply a matter of installing, reading the docs and configuring?

Ed
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
Ed,

> I'm looking to set up a spam filtering server to replace our ISP's
> spam filtering service.
>
> I've seen this tutorial (
> ftp://orn.mpg.de/pub/unix/mail/Fairly-Secure_Anti-SPAM_Gateway_Using_SpamAssassin.html#antivirus
> ) and I'd be very interested in YOUR opinion; do you think,
> fundamentally, a server with these software packages could be an
> effective combination at fighting spam? We're a (I guess) medium size
> organization with appx. 1000 end users.
>
> What about weaving clam-av into the mix?
>
> Although this tutorial uses OpenBSD, I'll probably be using FreeBSD.
>
> Thank you for your input!

I use the same setting on FreeBSD with good enough results. Most of the products are from the ports. I have added to the scheme:

- postgrey: grey listing is a very effective way to drop spam, at the cost of a 15 to 60 minutes delay in incoming email;
- ClamAV and Kaspersky for viruses (even though there are not that many lately); they fit well in amavis as amavis was preliminarily designed to catch viruses...
- procmail to handle the mail delivery and quarantine and daily summary of spam.

I have 250 users.

Good luck,

Olivier
Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
On 28/11/12 23:32, Ed Flecko wrote:
> I'm looking to set up a spam filtering server to replace our ISP's spam
> filtering service.
>
> I've seen this tutorial (
> ftp://orn.mpg.de/pub/unix/mail/Fairly-Secure_Anti-SPAM_Gateway_Using_SpamAssassin.html#antivirus
> ) and I'd be very interested in YOUR opinion; do you think, fundamentally,
> a server with these software packages could be an effective combination
> at fighting spam? We're a (I guess) medium size organization with appx.
> 1000 end users.
>
> What about weaving clam-av into the mix?
>
> Although this tutorial uses OpenBSD, I'll probably be using FreeBSD.
>
> Thank you for your input! :-)
>
> Ed

I use Postfix with Amavisd-new which allows SpamAssassin and Clam-AV to be easily integrated. I also use Postgrey for greylisting. I find this setup very flexible and efficient.

Clam-AV doesn't catch a huge amount on my mail flow - email borne trojans/viruses don't seem to be overly popular these days. You can get 3rd party signatures for things like phishing although I've never tried these as I've trained SA to do a good job on catching phishing emails.

I'm running on Linux (RHEL5) but I guess the base OS is largely irrelevant so I'd use what you are comfortable with.

I guess there are many ways to skin this particular cat but the above setup works very well for me. In other words, I suspect you will get a number of different answers all providing effective solutions based around the use of SpamAssassin and/or Clam-AV. The difference mostly seems to be how you choose to integrate them into your mail server.
"Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?
I'm looking to set up a spam filtering server to replace our ISP's spam filtering service.

I've seen this tutorial ( ftp://orn.mpg.de/pub/unix/mail/Fairly-Secure_Anti-SPAM_Gateway_Using_SpamAssassin.html#antivirus ) and I'd be very interested in YOUR opinion; do you think, fundamentally, a server with these software packages could be an effective combination at fighting spam? We're a (I guess) medium size organization with appx. 1000 end users.

What about weaving clam-av into the mix?

Although this tutorial uses OpenBSD, I'll probably be using FreeBSD.

Thank you for your input! :-)

Ed
Re: razor default in SA 3.3.1?
On Thu, 25 Mar 2010, Michael Scheidell wrote:
> (you using the freebsd SA port?)

CentOS 4 (RHEL 4) rpm from rpmforge

- C
Re: razor default in SA 3.3.1?
On 3/25/10 12:08 PM, Charles Gregory wrote:
> Hallo!
>
> Follow-up on SA 3.3.1 upgrade yesterday
>
> My system changes log reported the addition of several files named
> .razor/... which brought to my attention that 'RAZOR2' tests are now
> enabled by default in SA 3.3.1

A long time ago, in a galaxy far away, razor was (asked? forced?) to restrict razor, so SA rightly pulled it from defaults. Now (as of version 2.8.2? I think), the license restrictions were rescinded.

razor does a good job, doesn't take much cpu, and, yes, does catch lots of spam, with little FP's. Just check the logs, and every week or so, doublecheck servers.

(you using the freebsd SA port?)

> Is there anything that I should be concerned about? It seems to be
> functioning well, and I like the stats for the rules on rulesqa :)
>
> - Charles

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
razor default in SA 3.3.1?
Hallo!

Follow-up on SA 3.3.1 upgrade yesterday

My system changes log reported the addition of several files named .razor/... which brought to my attention that 'RAZOR2' tests are now enabled by default in SA 3.3.1

Is there anything that I should be concerned about? It seems to be functioning well, and I like the stats for the rules on rulesqa :)

- Charles
Re: JMF whitelist and RAZOR conflict
On lør 12 sep 2009 23:46:44 CEST, John Hardin wrote
> The latter. Possibly through another list instead of trusted_networks;
> the semantics are slightly different and overloading the current trusted
> list with an SPF meaning might be a

it will be one more networks list to manage, and keeping track of what is what later will get more confused if there is a separate list for spf, it's just magic that it has worked so long without anyone wondering why all that spf fails in sa :)

> bad idea. spf_forwarders perhaps?

imho i will say no, keep it trusted_networks, makes less lists and it still makes sense for trusted_networks to also include spf testing outside this barrier, to mimic how pypolicyd-spf does it in the mta

what types of ips i whitelist is:

1: isp that are known to forward customers' emails
2: forwarders that don't use srs or else have that type of email handling (email forward systems)

what types i remove from trusted_networks is:

1: ips that send spams
2: forwards where there is spam scanning and they still forward the spam

i still have to see spf pass and spf whitelist in spam here :) (first part is easy for the spammer, 2nd part is the paying one)

--
xpoint
Re: JMF whitelist and RAZOR conflict
On Sat, 12 Sep 2009, Benny Pedersen wrote:
> On lør 12 sep 2009 20:22:21 CEST, John Hardin wrote
>> Hrm. Changing that might be something to consider, then.
>
> change sa to support srs ? or spf trusted_networks ?

The latter. Possibly through another list instead of trusted_networks; the semantics are slightly different and overloading the current trusted list with an SPF meaning might be a bad idea. spf_forwarders perhaps?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
Re: JMF whitelist and RAZOR conflict
On lør 12 sep 2009 20:22:21 CEST, John Hardin wrote
> Hrm. Changing that might be something to consider, then.

change sa to support srs ? or spf trusted_networks ?

the latter does work in my setup; if one knows it's not so, please tell me what my error is

--
xpoint
Re: JMF whitelist and RAZOR conflict
On lør 12 sep 2009 19:30:09 CEST, Henrik K wrote
> PS. SPF is checked on internal, not trusted border. Even though they are
> the same for most people..

some ?

> and I don't think you can disable SPF checks in any way except fully.

if the spf test is done at the mta stage with a prepended header for spf pass, no problem to whitelist trusted forwards; this header can be used as a spf test header in the spf plugin, remember to disable the perl spf test

perldoc Mail::SpamAssassin::Plugin::SPF

can the freemail plugin use spf softfail and or spf fail domain as a freemail domain test ? (maybe even spf neutral) bad idea ?

pypolicyd-spf is used here in my postfix after postfix does its rbl testing

--
xpoint
Re: JMF whitelist and RAZOR conflict
On Sat, 12 Sep 2009, Henrik K wrote:
> On Sat, Sep 12, 2009 at 09:02:35AM -0700, John Hardin wrote:
>> On Fri, 11 Sep 2009, MySQL Student wrote:
>>>> are you recieving forwarded emails from spf domains ?
>>>
>>> If I understand correctly, no. I have no relationship with any external
>>> source and their SPF records.
>>>
>>>> if so add the forward ip to trusted_networks (so spf will be disabled
>>>> from this hosts)
>>>
>>> Do you mean to avoid the processing overhead? IOW, don't bother
>>> checking SPF records for trusted domains?
>>
>> One of the problems with SPF is that someone who sets up forwarding
>> (e.g. you have a gmail account, and you set it to automatically forward
>> messages to your "real" account) breaks SPF checks for messages received
>> via the forward. If I send a mail to your gmail account, and google
>> forwards it to your real account, your MTA will see a message from an
>> @impsec.org address originating from an MTA that my SPF record says is
>> not a valid source. SPF fail.
>
> Bad example, gmail rewrites forwards properly coming from y...@gmail.com.

Oops. But you get the idea.

>> If you tell SA that google is trusted, that pushes the SPF test point
>> back one step - where did *google* receive the message from?
>> mail.impsec.org? Okay, then - SPF pass.
>
> PS. SPF is checked on internal, not trusted border. Even though they are
> the same for most people.. and I don't think you can disable SPF checks
> in any way except fully.

Hrm. Changing that might be something to consider, then.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
Re: JMF whitelist and RAZOR conflict
On Sat, Sep 12, 2009 at 09:02:35AM -0700, John Hardin wrote:
> On Fri, 11 Sep 2009, MySQL Student wrote:
>
>>> are you recieving forwarded emails from spf domains ?
>>
>> If I understand correctly, no. I have no relationship with any external
>> source and their SPF records.
>>
>>> if so add the forward ip to trusted_networks (so spf will be disabled
>>> from this hosts)
>>
>> Do you mean to avoid the processing overhead? IOW, don't bother
>> checking SPF records for trusted domains?
>
> One of the problems with SPF is that someone who sets up forwarding (e.g.
> you have a gmail account, and you set it to automatically forward
> messages to your "real" account) breaks SPF checks for messages received
> via the forward. If I send a mail to your gmail account, and google
> forwards it to your real account, your MTA will see a message from an
> @impsec.org address originating from an MTA that my SPF record says is
> not a valid source. SPF fail.

Bad example, gmail rewrites forwards properly coming from y...@gmail.com.

> If you tell SA that google is trusted, that pushes the SPF test point
> back one step - where did *google* receive the message from?
> mail.impsec.org? Okay, then - SPF pass.

PS. SPF is checked on internal, not trusted border. Even though they are the same for most people.. and I don't think you can disable SPF checks in any way except fully.
Re: JMF whitelist and RAZOR conflict
On Fri, 11 Sep 2009, MySQL Student wrote:

>> are you recieving forwarded emails from spf domains ?
>
> If I understand correctly, no. I have no relationship with any external
> source and their SPF records.
>
>> if so add the forward ip to trusted_networks (so spf will be disabled
>> from this hosts)
>
> Do you mean to avoid the processing overhead? IOW, don't bother
> checking SPF records for trusted domains?

One of the problems with SPF is that someone who sets up forwarding (e.g. you have a gmail account, and you set it to automatically forward messages to your "real" account) breaks SPF checks for messages received via the forward. If I send a mail to your gmail account, and google forwards it to your real account, your MTA will see a message from an @impsec.org address originating from an MTA that my SPF record says is not a valid source. SPF fail.

If you tell SA that google is trusted, that pushes the SPF test point back one step - where did *google* receive the message from? mail.impsec.org? Okay, then - SPF pass.

> On a somewhat related note, how does BOTNET differ from RDNS_NONE? What
> is the logic behind the BOTNET rule? Is there some known list that it's
> checking, or is it just likely to be a dynamic IP or compromised host if
> it doesn't have a reverse DNS entry?

RDNS_NONE is, well, _no_ rDNS data.

BOTNET uses a lot of heuristics to determine whether the sender looks dynamic. I suggest you read the list archives back when it was first proposed and released for more details.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
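The "SPF test point" John describes above (and refines in his later exchange with Henrik) is the client IP of the first Received hop, walking inward from your own MTA, that was not handed in by a relay you treat as your own. The following is an added example of that walk, not code from SpamAssassin's SPF plugin or from any poster: the Received chains, the SPF records and the network ranges are constructed, and "boundary_nets" stands in for whichever of trusted_networks or internal_networks your configuration uses as the border. It shows why a forwarded message fails SPF, why listing the forwarder inside the boundary moves the check one hop back to the original sender, and that a forged sender relayed through the same forwarder still fails.

```python
import ipaddress

# Constructed SPF policies for the example; nothing is resolved from DNS.
SPF_RECORDS = {
    "impsec.org": ["ip4:192.0.2.25"],            # assumed: impsec.org's own MTA
    "fwd.example": ["ip4:198.51.100.0/24"],      # assumed: the forwarding service
}


def spf_check(envelope_from, client_ip):
    """Minimal SPF evaluator: only ip4 mechanisms, no includes or redirects.
    Returns 'pass', 'fail' or 'none'."""
    if client_ip is None:
        return "none"                      # nothing external to evaluate
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    terms = SPF_RECORDS.get(domain)
    if terms is None:
        return "none"                      # domain publishes no record
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
    return "fail"                          # "-all" semantics assumed


def spf_test_point(received_hops, boundary_nets):
    """Pick the IP SPF is evaluated against.

    received_hops: list of (receiving_relay, client_ip), newest hop first,
    i.e. the order Received: headers appear in the message.
    boundary_nets: networks whose relays count as ours; a hop whose client
    lies inside them is skipped and the walk continues one hop further in."""
    nets = [ipaddress.ip_network(n) for n in boundary_nets]
    for _relay, client_ip in received_hops:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in n for n in nets):
            continue                       # handed in by one of ours; look deeper
        return client_ip                   # first external client: the test point
    return None                            # the whole chain was internal


def demo():
    """The thread's scenarios with constructed addresses; returns the SPF results."""
    ours = "203.0.113.0/24"                # assumed: our own MTA network
    forwarder = "198.51.100.0/24"          # assumed: the forwarding service's relays
    sender = "john@impsec.org"
    # Our MX received from the forwarder, which had received from impsec.org's MTA.
    forwarded = [("mx.ours.example", "198.51.100.20"),
                 ("fwd.example", "192.0.2.25")]
    # Same forwarder, but the message was injected into it by an unrelated host.
    forged = [("mx.ours.example", "198.51.100.20"),
              ("fwd.example", "192.0.2.200")]
    return {
        "forwarder_untrusted": spf_check(sender, spf_test_point(forwarded, [ours])),
        "forwarder_trusted": spf_check(sender, spf_test_point(forwarded, [ours, forwarder])),
        "forged_via_trusted_forwarder": spf_check(sender, spf_test_point(forged, [ours, forwarder])),
        "all_internal": spf_check(sender, spf_test_point([("mx.ours.example", "203.0.113.5")], [ours])),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30s} {result}")
```

The third case is the one to keep in mind when widening the boundary: once the forwarder is inside it, you are relying on the Received header that forwarder wrote, so only relays whose headers you have reason to believe belong there.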
Re: JMF whitelist and RAZOR conflict
Hi,

> > I have several emails that are tagged with RCVD_IN_JMF_W,
> > SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
> > http://pastebin.com/m4a4d990e
>
> why accept SPF_SOFTFAIL ?
>
> can't this be solved ?

I don't understand. I'm still learning how the SPF rules work. Shouldn't I be adding points for an SPF_FAIL? This indicates a spoof attempt, no?

> are you receiving forwarded emails from spf domains ?

If I understand correctly, no. I have no relationship with any external source and their SPF records.

> if so add the forward ip to trusted_networks (so spf will be disabled from
> these hosts)

Do you mean to avoid the processing overhead? IOW, don't bother checking SPF records for trusted domains?

> > Is the criteria for being listed on the JMF_W simply that it
> > contains a domain that is whitelisted, despite whether it
> > contains another URL that is blacklisted?
>
> this is spamassassin working, if there is a blacklisted domain add it to
> your uribl_skip_domain list

Ah, you mean if the domain is erroneously on the blacklist, right?

> > Would I be advised to make the JMF_W score very low, or create a
> > meta that doesn't really whitelist it unless it isn't also blacklisted?
>
> this is ip and not domains

On a somewhat related note, how does BOTNET differ from RDNS_NONE? What is the logic behind the BOTNET rule? Is there some known list that it's checking, or is it just likely to be a dynamic IP or compromised host if it doesn't have a reverse DNS entry?

Thanks so much for the clarification, and confirmation about Gevalia/Kraft.

Thanks,
Alex
Re: JMF whitelist and RAZOR conflict
RW wrote:
> Razor looks up fuzzy hashes of an email on a server that records the values that have previously been reported for spam. JMF_W is based on the IP address of the last hop into your trusted network (or internal if you set it up that way). Neither is based on URLs.

Actually, Razor does check URLs as well. It's one of the signature types. Type 8, I think.

--
Kelson Vibber
SpeedGate Communications
Re: JMF whitelist and RAZOR conflict
On Fri 11 Sep 2009 01:21:16 AM CEST, MySQL Student wrote

> I have several emails that are tagged with RCVD_IN_JMF_W, SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
> http://pastebin.com/m4a4d990e

why accept SPF_SOFTFAIL ?

can't this be solved ?

are you receiving forwarded emails from spf domains ?

if so add the forward ip to trusted_networks (so spf will be disabled from these hosts)

> Is the criteria for being listed on the JMF_W simply that it contains a domain that is whitelisted, despite whether it contains another URL that is blacklisted?

this is spamassassin working, if there is a blacklisted domain add it to your uribl_skip_domain list

> Would I be advised to make the JMF_W score very low, or create a meta that doesn't really whitelist it unless it isn't also blacklisted?

this is ip and not domains

> meta META_NOT_JMF_RAZOR(RCVD_IN_JMF_W && !RAZOR2_CHECK)
>
> It also appears to spoof the kraftfoods.com mail server, correct? Is there a possible rule to be created here?

rule is okay as a ham score, well written

--
xpoint
RE: JMF whitelist and RAZOR conflict
No - that really came out of mail2.kraftfoods.com (parent corporation of Gevalia, remember?)

I have seen other samples of the same message spamming other recipients, and there's no question of source IP.

Bob

-----Original Message-----
From: MySQL Student [mailto:mysqlstud...@gmail.com]
Sent: Thursday, September 10, 2009 4:21 PM

It also appears to spoof the kraftfoods.com mail server, correct? Is there a possible rule to be created here?

--
Check out the Barracuda Spam & Virus Firewall - offering the fastest virus & malware protection in the industry: www.barracudanetworks.com/spam
Re: JMF whitelist and RAZOR conflict
On Thu, 10 Sep 2009 21:23:11 -0400
MySQL Student wrote:

> Hi,
>
> > > http://pastebin.com/m4a4d990e
> > >
> > > Is the criteria for being listed on the JMF_W simply that it
> > > contains a domain that is whitelisted, despite whether it contains
> > > another URL that is blacklisted?
> >
> > I'm not sure what you are saying here, it's not as if the people
> > running the whitelist could look up the IP address on razor.
>
> I'm saying that it appears odd that it would be listed on both RAZOR
> and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR
> rules found the bogus
> http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com
> is a legitimate kraftfoods site?

Razor looks up fuzzy hashes of an email on a server that records the values that have previously been reported for spam. JMF_W is based on the IP address of the last hop into your trusted network (or internal if you set it up that way). Neither is based on URLs. DNS whitelists are hard to spoof.

Both examples involve exchange server, perhaps a spammer is exploiting a Windows or exchange vulnerability.
Re: JMF whitelist and RAZOR conflict
Hi,

> > http://pastebin.com/m4a4d990e
> >
> > Is the criteria for being listed on the JMF_W simply that it contains
> > a domain that is whitelisted, despite whether it contains another URL
> > that is blacklisted?
>
> I'm not sure what you are saying here, it's not as if the people
> running the whitelist could look up the IP address on razor.

I'm saying that it appears odd that it would be listed on both RAZOR and JMF_W, unless the JMF_W found the kraftfoods.com URL and the RAZOR rules found the bogus http://ADSENSETREASUREONLINE.yolasite.com URL. Unless the yolasite.com is a legitimate kraftfoods site?

> > meta META_NOT_JMF_RAZOR (RCVD_IN_JMF_W && !RAZOR2_CHECK)
>
> Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is
> that the whitelist rule is then pointless. Set its score at a value
> that's commensurate with its effectiveness on your email.

Does my question now make sense? I was looking at it from more of a validation point of view for JMF_W, because of the apparent conflict with RAZOR.

> > It also appears to spoof the kraftfoods.com mail server, correct? Is
> > there a possible rule to be created here?
>
> No, it was almost certainly sent through kraftfoods.com. It's based on
> an IP address recorded by your trusted network.

Maybe I should have used a better example. Can I ask you to look at this one?

http://pastebin.com/m7d61b26f

This uses IP 66.132.135.108 as its URL (xybersleuth.com), and unless that's not a spammer's site, then there's something wrong. This email includes JMF_W and RAZOR2_CF_RANGE_51_100 and URIBL_BLACK in the same message, although it has a very low bayes score. Which is correct?

Thanks,
Alex
Re: JMF whitelist and RAZOR conflict
On Thu, 10 Sep 2009 19:21:16 -0400
MySQL Student wrote:

> Hi,
>
> I have several emails that are tagged with RCVD_IN_JMF_W,
> SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:
>
> http://pastebin.com/m4a4d990e
>
> Is the criteria for being listed on the JMF_W simply that it contains
> a domain that is whitelisted, despite whether it contains another URL
> that is blacklisted?

I'm not sure what you are saying here, it's not as if the people running the whitelist could look up the IP address on razor.

> Would I be advised to make the JMF_W score very low, or create a meta
> that doesn't really whitelist it unless it isn't also blacklisted?
>
> meta META_NOT_JMF_RAZOR(RCVD_IN_JMF_W && !RAZOR2_CHECK)

Why RAZOR2_CHECK? Why not other positive scoring rules? The trouble is that the whitelist rule is then pointless. Set its score at a value that's commensurate with its effectiveness on your email.

It might be sensible to make metarules for RCVD_IN_DNSWL_* and RCVD_IN_JMF_W, if you are going to use both.

> It also appears to spoof the kraftfoods.com mail server, correct? Is
> there a possible rule to be created here?

No, it was almost certainly sent through kraftfoods.com. It's based on an IP address recorded by your trusted network.
JMF whitelist and RAZOR conflict
Hi,

I have several emails that are tagged with RCVD_IN_JMF_W, SPF_SOFTFAIL, and RAZOR2_CHECK such as this one:

http://pastebin.com/m4a4d990e

Is the criteria for being listed on the JMF_W simply that it contains a domain that is whitelisted, despite whether it contains another URL that is blacklisted?

Would I be advised to make the JMF_W score very low, or create a meta that doesn't really whitelist it unless it isn't also blacklisted?

meta META_NOT_JMF_RAZOR(RCVD_IN_JMF_W && !RAZOR2_CHECK)

It also appears to spoof the kraftfoods.com mail server, correct? Is there a possible rule to be created here?

Thanks,
Alex
Re: razor/spamcop report question
Patrick Proniewski wrote:
> Hi all,
>
> No idea on this one?
>
> I run:
>
> # su vscan -c 'spamassassin -r < /tmp/spam'

did you register with razor? error message is pretty clear: "report requires authentication"

su - vscan -c "/usr/local/bin/razor-admin -create; wait;\
/usr/local/bin/razor-admin -register;wait;\
/usr/local/bin/razor-admin -discover"

did you look at the razor logs?

cd ~vscan/.razor

_
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com
_
Re: razor/spamcop report question
On 04 Sept. 2009, at 11:49, Giampaolo Tomassoni wrote:
> > I have IMAP folders as "to be reported SPAM" and "Reported SPAM". A cronjob reads every mail on the first and reports it, then moves the file to the latter.
>
> I use instead the amavis' quarantine folder, reporting viruses and spam above a given score threshold (actually 18...). I never had FPs thanks to this high score threshold, while I see a lot of spam and virus reported.

I'm doing before-queue content filtering, and have no quarantine: either the spam is not accepted, or it goes in the queue for delivery. IMAP folder is something I can do on my personal server, but not at work. Mac OS X comes with a script that should do the trick with a few modifications:

http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-124.1/SetupExtras/learn_junk_mail

Thank you all for the clarification.

Regards
patpro
RE: razor/spamcop report question
> -----Original Message-----
> From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk]
> Sent: Friday, September 04, 2009 12:02 PM
> To: users@spamassassin.apache.org
> Subject: Re: razor/spamcop report question
>
> > > > Reporting can't be automatic, as there will be or may be false
> > > > positives. As well as false negatives.
>
> On 04.09.09 11:49, Giampaolo Tomassoni wrote:
> > Razor, DCC, maybe IxHash and surely others do state in their policies that
> > automatic reporting is forbidden.
>
> DCC? DCC is based on automatic submission, note that it measures bulkiness
> of mail, not spamminess...

Right. But you may report a message hash to the DCC servers as "spam", which marks that hash as such on further requests.

See Mail::SpamAssassin::Plugin::DCC. It has a reporting handle.

Giampaolo
Re: razor/spamcop report question
> > Reporting can't be automatic, as there will be or may be false
> > positives. As well as false negatives.

On 04.09.09 11:49, Giampaolo Tomassoni wrote:
> Razor, DCC, maybe IxHash and surely others do state in their policies that
> automatic reporting is forbidden.

DCC? DCC is based on automatic submission, note that it measures bulkiness of mail, not spamminess...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - Now you can turn on your computer without worry.
RE: razor/spamcop report question
> Reporting can't be automatic, as there will be or may be false
> positives. As well as false negatives.

Razor, DCC, maybe IxHash and surely others do state in their policies that automatic reporting is forbidden.

SpamCop, however, doesn't. This is probably because of the very nature of the SpamCop reporting system: the report submitter is quite responsible for their own submissions, and submitted sources may request an arbitration about the report itself.

> I have IMAP folders as "to be reported SPAM" and "Reported SPAM". A
> cronjob reads every mail on the first and reports it, then moves the
> file to the latter.

I use instead the amavis' quarantine folder, reporting viruses and spam above a given score threshold (actually 18...). I never had FPs thanks to this high score threshold, while I see a lot of spam and virus reported.

I'm using spamgrass (a tool of mine) in a cron job. You may get a copy of it at:

http://www.tomassoni.biz/download/spamgrass.pl

Use perldoc to get usage instructions.

Giampaolo
Re: razor/spamcop report question
> On 04 Sept. 2009, at 09:48, Jari Fredriksson wrote:
>
> > > And I only get an email like this one when I'm running `su vscan -c 'spamassassin -r < /tmp/spam'`. During normal operations, I don't get any email from Spamcop asking me to finish a spam report.
> >
> > Define "normal operations". Do you have a cron job or
> > something that calls spamassassin -r (or spamc -C
> > report) on those messages? If not, you should.
>
> no, I don't have any cron-job for this purpose. I really
> thought the report was automatic, as amavisd loads
> spamassassin with spamcop code activated. Looks like I
> really missed something.
>
> patpro

Reporting can't be automatic, as there will be or may be false positives. As well as false negatives.

I have IMAP folders as "to be reported SPAM" and "Reported SPAM". A cronjob reads every mail on the first and reports it, then moves the file to the latter.
Re: razor/spamcop report question
On 04 Sept. 2009, at 09:48, Jari Fredriksson wrote:
> > And I only get an email like this one when I'm running `su vscan -c 'spamassassin -r < /tmp/spam'`. During normal operations, I don't get any email from Spamcop asking me to finish a spam report.
>
> Define "normal operations". Do you have a cron job or something that calls spamassassin -r (or spamc -C report) on those messages? If not, you should.

no, I don't have any cron-job for this purpose. I really thought the report was automatic, as amavisd loads spamassassin with spamcop code activated. Looks like I really missed something.

patpro
Re: razor/spamcop report question
> Hi all,
>
> No idea on this one?
>
> On 27 August 2009, at 21:18, Patrick Proniewski wrote:
>
> > -> spamcop sends me an email :
> >
> > > SpamCop is now ready to process your spam.
> > >
> > > Use links to finish spam reporting (members use
> > > cookie-login please!):
> > > http://www.spamcop.net/sc?id=z3261...
> >
> > And I only get an email like this one when I'm running
> > `su vscan -c 'spamassassin -r < /tmp/spam'`. During
> > normal operations, I don't get any email from Spamcop
> > asking me to finish a spam report.

Define "normal operations". Do you have a cron job or something that calls spamassassin -r (or spamc -C report) on those messages? If not, you should.
Re: razor/spamcop report question
Hi all,

No idea on this one?

On 27 August 2009, at 21:18, Patrick Proniewski wrote:

> Hello,
>
> I'm using the amavisd-new/spamassassin 3.2.5/clamav combo on some servers (Freebsd, Mac OS X Server). I would like spamassassin to report spam using razor and spamcop services.
>
> in /usr/local/etc/mail/spamassassin/v310.pre (freebsd), I have this:
>
> loadplugin Mail::SpamAssassin::Plugin::Razor2
> loadplugin Mail::SpamAssassin::Plugin::SpamCop
> spamcop_to_address submit.@spam.spamcop.net
>
> 1- How do I know that spamcop gets reports from Spamassassin?
>
> 2- I don't understand why Razor does not work. I run:
>
> # su vscan -c 'spamassassin -r < /tmp/spam'
>
> and it returns:
>
> [28395] warn: reporter: razor2 report failed: No such file or directory report requires authentication at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/Razor2.pm line 178.
> at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/Razor2.pm line 326.
> 1 message(s) examined.
>
> -> razor complains about auth. But I'm using Razor version 2.84, it's supposed to provide the credentials automatically (since 2.74 iirc).
>
> -> spamcop sends me an email :
>
> > SpamCop is now ready to process your spam.
> >
> > Use links to finish spam reporting (members use cookie-login please!):
> > http://www.spamcop.net/sc?id=z3261...
>
> And I only get an email like this one when I'm running `su vscan -c 'spamassassin -r < /tmp/spam'`. During normal operations, I don't get any email from Spamcop asking me to finish a spam report.
>
> Am I missing something?
>
> regards,
> patpro
razor/spamcop report question
Hello,

I'm using the amavisd-new/spamassassin 3.2.5/clamav combo on some servers (Freebsd, Mac OS X Server). I would like spamassassin to report spam using razor and spamcop services.

in /usr/local/etc/mail/spamassassin/v310.pre (freebsd), I have this:

loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
spamcop_to_address submit.@spam.spamcop.net

1- How do I know that spamcop gets reports from Spamassassin?

2- I don't understand why Razor does not work. I run:

# su vscan -c 'spamassassin -r < /tmp/spam'

and it returns:

[28395] warn: reporter: razor2 report failed: No such file or directory report requires authentication at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/Razor2.pm line 178.
at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/Razor2.pm line 326.
1 message(s) examined.

-> razor complains about auth. But I'm using Razor version 2.84, it's supposed to provide the credentials automatically (since 2.74 iirc).

-> spamcop sends me an email :

> SpamCop is now ready to process your spam.
>
> Use links to finish spam reporting (members use cookie-login please!):
> http://www.spamcop.net/sc?id=z3261...

And I only get an email like this one when I'm running `su vscan -c 'spamassassin -r < /tmp/spam'`. During normal operations, I don't get any email from Spamcop asking me to finish a spam report.

Am I missing something?

regards,
patpro
Re: Scores, razor, and other questions
MySQL Student wrote:
> Hi,
>
> After another day of hacking, I have a handful of general questions
> that I hoped you could help me to answer.
>
> - How can I find the score of a particular rule, without having to use
> grep? I'm concerned that I might find it at some score, only for it to
> be redefined somewhere else that I didn't catch. Something I can do
> from the command-line?

No, to be comprehensive you'd have to do a series of greps, one for the default set, site rules, and user_prefs. You could probably make a little shell script to automate grepping all 3.

> - How do I find out what servers razor is using? What is the current
> license now that it's hosted on sf, or are the query servers not also
> running there? It doesn't list any restrictions on the web site.

Wow.. the razor client has been hosted on SF for a LOOong time.. Like 6 years now?

Regardless, the servers are operated by Vipul's company, cloudmark. Try running razor-admin -d -discover. Alternatively, look at razor's server.lst file.

> - The large majority of the spam that I receive these days is a result
> of a URL not being listed in one of the SBLs. I'm using SURBL, URIBL,
> and spamcop. For example, I caught several hours
> ago, and it's still not listed in any of the SBLs. Am I doing
> something wrong or am I missing an SBL? Has anyone else's spam with
> URLs increased a lot lately?

Note: domain censored, verizon's spam outbreak controls won't let me send the message with that domain in it right now.

URIBLs have some inherent lag, and spammers are playing a race game with the URIBLs, trying to change domains faster than they get listed. Fortunately, the domain registrations cost the spammers money, so increasing the number of those they need is good.

Personally, I find bayes tends to clean up most of what gets missed, although I auto-feed my bayes using spamtrap addresses that automatically submit to sa-learn --spam, resulting in very fresh spam training.

Looking at uribl, they've currently got it listed in URIBL gold, but that's a non-free list of theirs. It's also a "proactive" list, so it will list domains before they send spam, making it more effective against mutating runs, but also might toss a FP or two on new domains.

> Thanks,
> Alex
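One way to script the three-location grep suggested above, as an added example that is neither from the thread nor part of SpamAssassin. The rule-file locations are passed as arguments because the default, site and user_prefs paths differ by OS and package; the ones named in the comments are only the usual defaults.

```shell
#!/bin/sh
# Added example (not from the thread, not part of SpamAssassin): list every
# "score" line that defines a rule, in the order SpamAssassin reads its
# configuration, so the last line printed is the one in effect.  Locations
# are passed as arguments; on many 3.2.x installs they are
# /usr/share/spamassassin (default rules), /etc/mail/spamassassin (site
# rules) and ~/.spamassassin/user_prefs, but they vary by OS and package,
# so nothing here assumes a particular path.

# Expand each location into the files SpamAssassin would read from it:
# every *.cf in a directory, in lexical order, or a plain file as-is.
# Locations that do not exist are skipped.
sa_rule_files() {
    for loc in "$@"; do
        if [ -d "$loc" ]; then
            for f in "$loc"/*.cf; do
                [ -f "$f" ] && printf '%s\n' "$f"
            done
        elif [ -f "$loc" ]; then
            printf '%s\n' "$loc"
        fi
    done
    return 0
}

# Print "file:lineno:score RULE value(s)" for every definition of RULE.
# A score line is "score RULE n" or "score RULE n n n n" (one value per
# score set: no Bayes/no net, net only, Bayes only, Bayes and net).
# The match is anchored at the start of the line, so a commented-out
# "# score RULE ..." is ignored, and requires whitespace or end of line
# after the name, so RULE does not also match RULE_2.  Returns 1 if no
# definition was found anywhere.
sa_rule_score_lines() {
    rule=$1; shift
    found=1
    # Word-splitting the file list is acceptable here: rule files with
    # spaces in their names are not something SpamAssassin ships.
    for f in $(sa_rule_files "$@"); do
        hits=$(grep -En "^[[:space:]]*score[[:space:]]+${rule}([[:space:]]|\$)" "$f") || continue
        printf '%s\n' "$hits" | sed "s|^|$f:|"
        found=0
    done
    return $found
}

# Print only the value(s) from the last definition, i.e. the effective
# score, with any trailing "# comment" stripped.  Returns 1 when the rule
# has no score line at all (SpamAssassin then uses its built-in 1.0).
sa_effective_score() {
    rule=$1; shift
    last=$(sa_rule_score_lines "$rule" "$@" | tail -n 1)
    if [ -z "$last" ]; then
        printf 'no score line for %s (SpamAssassin default is 1.0)\n' "$rule" >&2
        return 1
    fi
    printf '%s\n' "$last" \
        | sed -E "s/^.*score[[:space:]]+${rule}[[:space:]]+//; s/[[:space:]]*#.*$//; s/[[:space:]]+$//"
}

# Usage: sh sa_score.sh RULE LOCATION...   for example
#   sh sa_score.sh RAZOR2_CHECK /usr/share/spamassassin /etc/mail/spamassassin ~/.spamassassin/user_prefs
if [ $# -ge 2 ]; then
    sa_rule_score_lines "$@"
    printf 'effective score: %s\n' "$(sa_effective_score "$@")"
fi
```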
Scores, razor, and other questions
Hi,

After another day of hacking, I have a handful of general questions that I hoped you could help me to answer.

- How can I find the score of a particular rule, without having to use grep? I'm concerned that I might find it at some score, only for it to be redefined somewhere else that I didn't catch. Something I can do from the command-line?

- How do I find out what servers razor is using? What is the current license now that it's hosted on sf, or are the query servers not also running there? It doesn't list any restrictions on the web site.

- The large majority of the spam that I receive these days is a result of a URL not being listed in one of the SBLs. I'm using SURBL, URIBL, and spamcop. For example, I caught guadelumbouis.com several hours ago, and it's still not listed in any of the SBLs. Am I doing something wrong or am I missing an SBL? Has anyone else's spam with URLs increased a lot lately?

Thanks,
Alex
Re: Razor, spamassassin - network test
I'm starting to seriously wonder, what your homework actually is about.

On Sun, 2009-08-02 at 13:05 -0700, an anonymous Nabble user wrote:
> Your command works! I found in spamassassin -D razor2 < sample.msg 2>&1 |
> less message the following:
> check[9444]: [ 6] a=c&e=4&ep4=7542-10&s=4uO_brp3_KWEDuqMYXBVHI-4-FwA
> But I don't know how to recognize that is a signature(hash) of the mail. In

This is a question for the Razor community, don't you think?

(Hint: The Razor community is also not hosted at some Ubuntu help forum. Where you previously posted these two threads, and then dumped a copy of the forum-mangled text to the SA forum at Nabble.)

> the old version it was clearly marked for example:
> debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b.

This hash is hexadecimal encoded. Unlike the values above. A cryptographic hash does not necessarily need to be encoded in hex.

> My second question is: When I send mail for example from XP a) station to XP
> b) station so spamassassin writes to header of mail x-spam-status and so on.
> According to that I recognise that mail was checked by using SA rules,
> bayes(autolearn), but how can I recognize that the mail was really checked
> by Razor? In the mail header there isn't any info and in razor.log there isn't
> any info either (about checking the mail)

If Razor is enabled in SA, SA will do the test. The rule gets hit (and added to the Status header) only if it is recognized as spam by Razor.

You probably would be able to define more rules, with an informational score of 0.001, using a much wider range possibly covering all cases. See 25_razor2.cf for the current rule.

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Razor, spamassassin - network test
Your command works! I found in spamassassin -D razor2 < sample.msg 2>&1 | less message the following:

check[9444]: [ 6] a=c&e=4&ep4=7542-10&s=4uO_brp3_KWEDuqMYXBVHI-4-FwA

But I don't know how to recognize that is a signature(hash) of the mail. In the old version it was clearly marked for example:

debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b.

My second question is: When I send mail for example from XP a) station to XP b) station so spamassassin writes to header of mail x-spam-status and so on. According to that I recognise that mail was checked by using SA rules, bayes(autolearn), but how can I recognize that the mail was really checked by Razor? In the mail header there isn't any info and in razor.log there isn't any info either (about checking the mail)

--
View this message in context: http://www.nabble.com/Razor%2C-spamassassin---network-test-tp24773506p24781568.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Razor, spamassassin - network test
On Sun, 2009-08-02 at 11:17 -0700, monolit wrote:
> I understand that I must read whole output(message(TOP message)). But the
> output this command is very fast and it stops at the end. I don't catch TOP of
> message. I tried "| more" switch but it didn't help. I tried redirecting
> output to the file but it doesn't work. The file was empty:( I don't know how
> can I read the TOP of output message.

You mean, your terminal does not have a scroll-back buffer? You can't simply go back a few pages?

Well, then try redirecting STDERR, instead of STDOUT only. That's where the debugging messages are.

spamassassin -D razor2 < sample.msg 2>&1 | less

> > Edit your spamd start-up script, or start-up options file (depending on
> > which OS you're running, these may be different). There should be a -L or
> > --local switch in that file. Remove it to enable network tests.
>
> I can't find the file with this switch - I use CentOS distro.

This (a) applies to spamd only, not running the 'spamassassin' script as you do right now, and (b) only in the case network-tests have explicitly been disabled in the daemon start-up script.
Re: Razor, spamassassin - network test
I understand that I must read whole output(message(TOP message)). But the output this command is very fast and it stops at the end. I don't catch TOP of message. I tried "| more" switch but it didn't help. I tried redirecting output to the file but it doesn't work. The file was empty:( I don't know how can I read the TOP of output message.

The last things from spamassassin web is:

Edit your spamd start-up script, or start-up options file (depending on which OS you're running, these may be different). There should be a -L or --local switch in that file. Remove it to enable network tests.

I can't find the file with this switch - I use CentOS distro.
Re: Razor, spamassassin - network test
Getting kind of a headache, trying to wrap my head around this confusing mess. Anyway, here's my shot at this.

On Sun, 2009-08-02 at 03:31 -0700, an anonymous Nabble user wrote:
> > > When I use spamassassin -t -D razor2 < /tmp/spam
> > > so I don't get the hash and so on but content analysis
> > > details...bayes classification and so on. I expected message like

The -D razor2 option limits debugging to Razor. No Bayes "and so on" debugging.

I believe you're ONLY looking at the end. Which, due to the -t option, indeed does show an additional Content Analysis at the end. The Razor debugging however is at the TOP. Have a careful look at ALL the output, not only the end.

> debug: Razor is available
> debug: Razor Agents 1.20, protocol version 2.
> debug: Read server list from /home/jgb/.razor.lst
> debug: 72636 seconds before closest server discovery
> debug: Closest server is 209.204.62.150
> debug: Connecting to 209.204.62.150...
> debug: Connection established
> debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
> debug: Server version: 1.11, protocol version 2
> debug: Server response: Negative 48e74b8496877ba45072b201b41eebed7038186b
> debug: Message 1 NOT found in the catalogue

This is a straight copy from the wiki [1], explaining how to test Razor is working. However, it's an *old* snippet. Do run the command and have a look at the Razor debug output at the top. It will be different, cause this snippet is really, really old. Note the version and protocol. But it will get you all the debugging output.

> I don't have any idea how to do razor works. This command(spamassassin -t -D
> razor2 < /tmp/spam) is without --lint and its recommended by spamassassin
> www pages. So I am beginner in this field and therefore I need accurate
> advice.

That command is correct.

[1] http://wiki.apache.org/spamassassin/RazorHowToTell
Re: Razor, spamassassin - network test
I am really sorry it was a mistake - I was yesterday very tired.

> Back on-list. I'm not a personal help-line.
>
> > When I use spamassassin -t -D razor2 < /tmp/spam
> > so I don't get the hash and so on but content analysis
> > details...bayes classification and so on. I expected message like
>
> > debug: Razor is available
> > debug: Razor Agents 1.20, protocol version 2.
> > debug: Read server list from /home/jgb/.razor.lst
> > debug: 72636 seconds before closest server discovery
> > debug: Closest server is 209.204.62.150
> > debug: Connecting to 209.204.62.150...
> > debug: Connection established
> > debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
> > debug: Server version: 1.11, protocol version 2
> > debug: Server response: Negative
> > 48e74b8496877ba45072b201b41eebed7038186b
> > debug: Message 1 NOT found in the catalogue

I don't have any idea how to do razor works. This command(spamassassin -t -D razor2 < /tmp/spam) is without --lint and its recommended by spamassassin www pages. So I am beginner in this field and therefore I need accurate advice.

Thanks for your help
Re: Razor, spamassassin - network test
Back on-list. I'm not a personal help-line.

On Sat, 2009-08-01 at 16:40 -0700, an anonymous Nabble user wrote privately:
> I tried it without --lint just "spamassassin --lint -D razor2" so the
                                               ^^^^
You did not.

> command line freeze(don't work).

Or maybe you did, despite your command given. The --lint option creates an internal test message. With real debugging, that means NO --lint option, but usually -D, you need to pipe it a message. Otherwise, it apparently freezes, waiting for input (on STDIN).

> > When I use spamassassin -t -D razor2 < /tmp/spam
> > so I don't get the hash and so on but content analysis
> > details...bayes classification and so on. I expected message like :

Despite the quote indentation, I did not write that. Anyway, something like that should do...

> debug: Razor is available
> debug: Razor Agents 1.20, protocol version 2.
> debug: Read server list from /home/jgb/.razor.lst
> debug: 72636 seconds before closest server discovery
> debug: Closest server is 209.204.62.150
> debug: Connecting to 209.204.62.150...
> debug: Connection established
> debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
> debug: Server version: 1.11, protocol version 2
> debug: Server response: Negative
> 48e74b8496877ba45072b201b41eebed7038186b
> debug: Message 1 NOT found in the catalogue
>
> Can you type accurate command for using razor. I want test the mail...
> Create hash ...send it to the server and get the answer(is spam or
> ham).
Re: Razor, spamassassin - network test
I tried it without --lint just "spamassassin --lint -D razor2" so the command line freeze(don't work).

> When I use spamassassin -t -D razor2 < /tmp/spam
> so I don't get the hash and so on but content analysis details...bayes
> classification and so on. I expected message like :

debug: Razor is available
debug: Razor Agents 1.20, protocol version 2.
debug: Read server list from /home/jgb/.razor.lst
debug: 72636 seconds before closest server discovery
debug: Closest server is 209.204.62.150
debug: Connecting to 209.204.62.150...
debug: Connection established
debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
debug: Server version: 1.11, protocol version 2
debug: Server response: Negative 48e74b8496877ba45072b201b41eebed7038186b
debug: Message 1 NOT found in the catalogue

Can you type accurate command for using razor. I want test the mail... Create hash ...send it to the server and get the answer(is spam or ham).
Re: Razor, spamassassin - network test
On Sat, 2009-08-01 at 16:10 -0700, an anonymous Nabble user wrote:

> Hi I need help with antispam. I use spamassassin with razor. And when I test
> spamassassin --lint -D razor2 then I get result that razor2: test local
> only, skipping razor. I need to test razor in connection to the internet. I
> don't know how to do it. Can you advise me?

Lint checking disables network tests. That's why you see this. What you need to do is to use debugging and feed it a message...

> I found out from the spamassassin web the following:
>
> How to turn on network tests
>
> Edit your spamd start-up script, or start-up options file (depending on
> which OS you're running, these may be different). There should be a -L or
> --local switch in that file. Remove it to enable network tests.
>
> But I can't find the file with the switch -L. I use CentOS...
> When I type the following: spamassassin -t -D razor2 < /tmp/spam

Like this. Don't use --lint for that type of check. Use debugging only. Apparently, it works if you do that.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
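Two settings silence Razor in the way the thread describes: the -L/--local switch in the spamd options file (which turns off every network test, not just Razor) and use_razor2 0 in local.cf or a user_prefs. As an added example, not code from the thread or from SpamAssassin, here is a POSIX shell script that looks for both. The sample files are constructed; the CentOS layout it mentions (SPAMDOPTIONS= in /etc/sysconfig/spamassassin) is an assumption, and the real paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: find the two settings that make
# SpamAssassin report "test local only, skipping razor".
# Sample files below are constructed; real paths are passed as arguments.

# 0 if a spamd options file (e.g. SPAMDOPTIONS= in /etc/sysconfig/spamassassin
# on CentOS; that path is an assumption) carries -L or --local.
has_local_switch() {
    grep -Eq "(^|[[:space:]\"'])(-L|--local)([[:space:]\"']|\$)" "$1"
}

# 0 if a SpamAssassin config file (local.cf or a user_prefs) contains
# "use_razor2 0"; trailing comments are stripped first.
razor_disabled_in() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*use_razor2[[:space:]]+0[[:space:]]*$'
}

# Report every blocking setting; returns 0 only if none was found.
# Usage: check_razor_ready OPTIONS_FILE CONFIG_FILE...
check_razor_ready() {
    optfile=$1
    shift
    blocked=0
    if has_local_switch "$optfile"; then
        echo "$optfile: -L/--local present, all network tests are off"
        blocked=1
    fi
    for cf in "$@"; do
        if [ -f "$cf" ] && razor_disabled_in "$cf"; then
            echo "$cf: use_razor2 0, Razor is off"
            blocked=1
        fi
    done
    [ "$blocked" -eq 0 ] && echo "no setting found that would skip Razor"
    return "$blocked"
}

# --- constructed samples -------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Options file still carrying the -L switch the wiki text says to remove.
cat >"$SAMPLE_DIR/sysconfig-spamassassin.bad" <<'EOF'
# Options to spamd
SPAMDOPTIONS="-d -c -m5 -H -L"
EOF

# Same file after removing -L.
cat >"$SAMPLE_DIR/sysconfig-spamassassin.good" <<'EOF'
SPAMDOPTIONS="-d -c -m5 -H"
EOF

# user_prefs as some distribution packages ship it: Razor switched off.
cat >"$SAMPLE_DIR/user_prefs.bad" <<'EOF'
# use_razor2 1    <- commented out, must not count
use_razor2 0
EOF

# user_prefs with Razor enabled and the agent config under the amavis home.
cat >"$SAMPLE_DIR/user_prefs.good" <<'EOF'
use_razor2 1
razor_config /var/lib/amavis/.razor/razor-agent.conf
EOF

check_razor_ready "$SAMPLE_DIR/sysconfig-spamassassin.bad" \
    "$SAMPLE_DIR/user_prefs.bad" "$SAMPLE_DIR/user_prefs.good" || true
```

Run it against the real files (the options file first, then every local.cf and user_prefs that applies to the scanning user, for amavisd-new that is its home directory) and fix whatever it lists before reaching for -D razor2; a debug run with a piped message is still the final confirmation.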
Razor, spamassassin - network test
Hi I need help with antispam. I use spamassassin with razor. And when I test spamassassin --lint -D razor2 then I get result that razor2: test local only, skipping razor. I need to test razor in connection to the internet. I don't know how to do it. Can you advise me?

I found out from the spamassassin web the following:

How to turn on network tests

Edit your spamd start-up script, or start-up options file (depending on which OS you're running, these may be different). There should be a -L or --local switch in that file. Remove it to enable network tests.

But I can't find the file with the switch -L. I use CentOS...

When I type the following: spamassassin -t -D razor2 < /tmp/spam

I want to get something like this:

debug: Razor is available
debug: Razor Agents 1.20, protocol version 2.
debug: Read server list from /home/jgb/.razor.lst
debug: 72636 seconds before closest server discovery
debug: Closest server is 209.204.62.150
debug: Connecting to 209.204.62.150...
debug: Connection established
debug: Signature: 48e74b8496877ba45072b201b41eebed7038186b
debug: Server version: 1.11, protocol version 2
debug: Server response: Negative 48e74b8496877ba45072b201b41eebed7038186b
debug: Message 1 NOT found in the catalogue
Re: spamassassin runs razor spamc not
Jeff Mincy wrote:
> From: Mester
> Date: Fri, 22 May 2009 14:52:08 +0200
>
> >>> Check in the ~/.spamassassin/user_prefs file for the user that runs
> >>> amavisd-new. I know the Mandriva package has that set to 'use_razor2
> >>> 0', so I always have to hunt it down and fix it.
> >> I had no use_razor2 line in the ~amavis/.spamassassin/user_prefs file
> >> but after appending these lines to the file:
> >> use_razor2
> >> razor_config /var/lib/amavis/.razor/razor-agent.conf
> >> and restarting both amavis and spamassassin nothing has changed.
> >
> > Then, you need to run some of the amavisd-new debugs
> >
> > I believe the syntax is
> >
> > [amav...@foo]$ /usr/sbin/amavisd debug-sa plugin
>
> It worked. And now I found the error: amavis user couldn't read the
> /var/log/razor-agent.log file. I modified the owner of that file to
> amavis and now I see the check lines in that file.
>
> Is there a way to instruct spamassassin to write the razor, pyzor and
> dcc checks' results to every e-mail's header and not only for spams?
>
> SpamAssassin has add_header that can be used for Pyzor and DCC.
>
> add_header all Pyzor _PYZOR_
> add_header all DCC _DCCB_; _DCCR_
>
> I don't know how headers are added in amavis.
>
> -jeff

Amavis has its own routines for adding headers. You'll have to look at the Amavis config.

-- 
Bowie
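Once the add_header lines above are in local.cf, every scanned message carries X-Spam-Pyzor and X-Spam-DCC, and the Razor verdict is already visible as rule names (RAZOR2_CHECK, RAZOR2_CF_RANGE_*) in the tests= field of the default X-Spam-Status header. As an added example, not code from the thread or from the SpamAssassin project, the POSIX shell script below reads those verdicts back out of a message, unfolding the multi-line headers SpamAssassin writes and stopping at the end of the header block. The sample message is constructed and its Pyzor/DCC values are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from SpamAssassin: read the
# network-test verdicts back out of a scanned message's headers.
# X-Spam-Pyzor / X-Spam-DCC come from the add_header lines in the thread;
# Razor is read from the rule names in the tests= field of X-Spam-Status.

# Print the unfolded value of header NAME (case-insensitive) from message
# FILE; continuation lines (leading whitespace) are joined with one space.
# Usage: header_value NAME FILE
header_value() {
    awk -v want="$1" '
        function flush(   name, val) {
            if (cur == "") return
            name = cur; sub(/:.*/, "", name)
            if (tolower(name) == tolower(want)) {
                val = cur; sub(/^[^:]*:[ \t]*/, "", val)
                gsub(/[ \t]+/, " ", val)
                print val
            }
            cur = ""
        }
        /^$/     { exit }                       # blank line ends the headers
        /^[ \t]/ { cur = cur " " $0; next }     # folded continuation line
                 { flush(); cur = $0 }
        END      { flush() }
    ' "$2"
}

# List the Razor/Pyzor/DCC rules that fired, one per line, from the
# tests= list in X-Spam-Status (which SpamAssassin folds across lines).
# Usage: network_tests_hit FILE
network_tests_hit() {
    header_value X-Spam-Status "$1" |
        sed -n 's/, */,/g; s/.*tests=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        grep -E '^(RAZOR2_CHECK|RAZOR2_CF_RANGE_[0-9_]+|PYZOR_CHECK|DCC_CHECK)$' || true
}

# Short human-readable summary; empty fields print as "-".
# Usage: network_summary FILE
network_summary() {
    hits=$(network_tests_hit "$1" | tr '\n' ' ')
    pyzor=$(header_value X-Spam-Pyzor "$1")
    dcc=$(header_value X-Spam-DCC "$1")
    printf 'rules: %s\npyzor: %s\ndcc:   %s\n' \
        "${hits:--}" "${pyzor:--}" "${dcc:--}"
}

# --- constructed sample message -----------------------------------------
SAMPLE_MSG=$(mktemp)
trap 'rm -f "$SAMPLE_MSG"' EXIT
# Header shapes follow what SpamAssassin writes; the values are made up.
# The X-Spam-Status line in the body must be ignored by the parser.
cat >"$SAMPLE_MSG" <<'EOF'
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
X-Spam-Status: Yes, score=9.4 required=5.0 tests=BAYES_99,DCC_CHECK,
  PYZOR_CHECK,RAZOR2_CHECK,RAZOR2_CF_RANGE_51_100 autolearn=disabled
  version=3.2.5
X-Spam-Pyzor: Reported 12 times.
X-Spam-DCC: dcc.example.invalid 1234; Body=1 Fuz1=1 Fuz2=many

X-Spam-Status: No, score=0 tests=none
EOF

network_summary "$SAMPLE_MSG"
```

Point network_summary at messages from a mail spool to confirm that the network checks actually ran for the user SpamAssassin runs as; a message with score above threshold but no RAZOR2_, PYZOR_ or DCC_ rule is the usual sign that the checks were skipped (local mode, use_razor2 0, or an unreadable agent log, as in this thread) rather than negative.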
Re: spamassassin runs razor spamc not
From: Mester
Date: Fri, 22 May 2009 14:52:08 +0200

>>> Check in the ~/.spamassassin/user_prefs file for the user that runs
>>> amavisd-new. I know the Mandriva package has that set to 'use_razor2
>>> 0', so I always have to hunt it down and fix it.
>> I had no use_razor2 line in the ~amavis/.spamassassin/user_prefs file
>> but after appending these lines to the file:
>> use_razor2
>> razor_config /var/lib/amavis/.razor/razor-agent.conf
>> and restarting both amavis and spamassassin nothing has changed.
>
> Then, you need to run some of the amavisd-new debugs
>
> I believe the syntax is
>
> [amav...@foo]$ /usr/sbin/amavisd debug-sa plugin

It worked. And now I found the error: amavis user couldn't read the /var/log/razor-agent.log file. I modified the owner of that file to amavis and now I see the check lines in that file.

Is there a way to instruct spamassassin to write the razor, pyzor and dcc checks' results to every e-mail's header and not only for spams?

SpamAssassin has add_header that can be used for Pyzor and DCC.

add_header all Pyzor _PYZOR_
add_header all DCC _DCCB_; _DCCR_

I don't know how headers are added in amavis.

-jeff
Re: spamassassin runs razor spamc not
>>> Check in the ~/.spamassassin/user_prefs file for the user that runs
>>> amavisd-new. I know the Mandriva package has that set to 'use_razor2
>>> 0', so I always have to hunt it down and fix it.
>> I had no use_razor2 line in the ~amavis/.spamassassin/user_prefs file
>> but after appending these lines to the file:
>> use_razor2
>> razor_config /var/lib/amavis/.razor/razor-agent.conf
>> and restarting both amavis and spamassassin nothing has changed.
>
> Then, you need to run some of the amavisd-new debugs
>
> I believe the syntax is
>
> [amav...@foo]$ /usr/sbin/amavisd debug-sa plugin

It worked. And now I found the error: amavis user couldn't read the /var/log/razor-agent.log file. I modified the owner of that file to amavis and now I see the check lines in that file.

Is there a way to instruct spamassassin to write the razor, pyzor and dcc checks' results to every e-mail's header and not only for spams?

Attila Mesterhazy
Re: spamassassin runs razor spamc not
On Fri, 2009-05-22 at 13:55 +0200, Mester wrote:
> > Check in the ~/.spamassassin/user_prefs file for the user that runs
> > amavisd-new. I know the Mandriva package has that set to 'use_razor2
> > 0', so I always have to hunt it down and fix it.
>
> I had no use_razor2 line in the ~amavis/.spamassassin/user_prefs file
> but after appending these lines to the file:
> use_razor2
> razor_config /var/lib/amavis/.razor/razor-agent.conf
> and restarting both amavis and spamassassin nothing has changed.

Then, you need to run some of the amavisd-new debugs

I believe the syntax is

[amav...@foo]$ /usr/sbin/amavisd debug-sa plugin

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
Re: spamassassin runs razor spamc not
> Check in the ~/.spamassassin/user_prefs file for the user that runs
> amavisd-new. I know the Mandriva package has that set to 'use_razor2
> 0', so I always have to hunt it down and fix it.

I had no use_razor2 line in the ~amavis/.spamassassin/user_prefs file but after appending these lines to the file:

use_razor2
razor_config /var/lib/amavis/.razor/razor-agent.conf

and restarting both amavis and spamassassin nothing has changed.

Attila Mesterhazy