RE: ZDNET redirecting to spammer websites?

2005-03-22 Thread List Mail User
From [EMAIL PROTECTED] Mon Mar 21 12:58:20 2005 Date: 21 Mar 2005 21:03:22 - Subject: RE: ZDNET redirecting to spammer websites? To: List Mail User [EMAIL PROTECTED] From: [EMAIL PROTECTED] ... P.S. The address, if it does exist, would seem to be in the center of the water in a canal:)

Re: spamd and spamassassin appear to have different results

2005-03-22 Thread Matt Kettler
Vicki Brown wrote: At 10:55 -0500 03/19/2005, Matt Kettler wrote: And be sure to spamassassin --lint it (should run without any messages), and restart spamd after adding the rules. vent I realize that this is standard canonical advice and I will make the necessary assumption that it's

Oi| and Gas Spam

2005-03-22 Thread qqqq
Is anybody else receiving a large amount of these? Here is a sample: The Oi| and Gas Advisory Now that Oi| and Gas has entered a long-term bu|l market, our specialty in pinpointing the hottest companies of the few remaining undervalued energy p|ays has produced soaring returns. Emerson Oil and

Ampersand in URI confuses URIDNSBL

2005-03-22 Thread Stuart Johnston
I have been receiving pill spams lately that have an ampersand encoded in the URL. This seems to confuse URIDNSBL and results in the message passing through. A debug output shows this: debug: uri found: http://www.awtfdaojj.com.easysimpleRx-munged.com/b/S0gyR2twMGpWbjkxQkQxQThihxqq debug:

Re: Ampersand in URI confuses URIDNSBL

2005-03-22 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Stuart Johnston writes: I have been receiving pill spams lately that have an ampersand encoded in the URL. This seems to confuse URIDNSBL and results in the message passing through. A debug output shows this: debug: uri found:

RE: Spammers Target Secondary MX hosts?

2005-03-22 Thread Gary W. Smith
I've used a different approach, IN MX 10 primary.domain.com (4 machines) IN MX 20 primary1.domain.com (2 of those 4) IN MX 30 primary1.domain.com (the other 2 of those 4) IN MX 20 backup.domain.com IN MX 30 primary.domain.com Seems to force most of the spam through the primary. Very little

RE: Sendmail, MimeDefang Spamd ??

2005-03-22 Thread Matthew.van.Eerde
Matt Kettler wrote: Second, converting to spamc/spamd would be SLOWER for a MimeDefang setup, not faster. eh... depends on what else MIMEDefang is doing... MimeDefang calls the SpamAssassin perl API's directly, a method that is faster than using spamc/spamd, but is only usable by tools

New redirector: www.nate.com

2005-03-22 Thread David B Funk
Ugg, just ran across another open redirector abused in spam www.nate.com/r/XY12/target.domain where XY12 seems to be any combination of 4 letters and digits. Looks like some Korean ISP thingie. -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.edu

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread jdow
In that case I'd have a few REALLY choice words for them. They are serving as an open spam redirector. Of course, I never get anything legitimate from them so zdnet.com can simply be black listed locally for the entire domain. {^_^} - Original Message - From: [EMAIL PROTECTED] Let's

Re: plugins and parrallelization

2005-03-22 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Eric, I think you've found another bug ;) could you open a BZ entry on this? - --j. Eric A. Hall writes: Eric A. Hall wrote: I'm storing the session variables (such as login status) as part of $self, and storing message variables with

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread Jeff Chan
On Monday, March 21, 2005, 11:32:45 AM, Bobby Rose wrote: Wouldn't this just be something that SURBL should take care of? If this URL is the source of spam then it should be in SURBL regardless if it's in the zdnet.com domain. Right!? Which domain are you referring to? zdnet.com should not

Re: New redirector: www.nate.com

2005-03-22 Thread Jeff Chan
On Monday, March 21, 2005, 8:55:17 PM, David Funk wrote: Ugg, just ran across another open redirector abused in spam www.nate.com/r/XY12/target.domain where XY12 seems to be any combination of 4 letters and digits. Looks like some Korean ISP thingie. Yes, we spotted it earlier. It's

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread Jeff Chan
On Monday, March 21, 2005, 7:34:56 AM, Larry Rosenbaum wrote: We received a drug spam containing the following URL: http://chkpt.zdnet.com/chkpt/supposedtoallow/fdl%2ev%69%61%67%73.co%6d/p/b/kmioa This URL will actually take you to fdl.viags.com (which then goes to www.simply-rx.net). As

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread Jeff Chan
On Monday, March 21, 2005, 9:43:02 PM, Jeff Chan wrote: On Monday, March 21, 2005, 7:34:56 AM, Larry Rosenbaum wrote: We received a drug spam containing the following URL: http://chkpt.zdnet.com/chkpt/supposedtoallow/fdl%2ev%69%61%67%73.co%6d/p/b/kmioa This URL will actually take you to

Re: OT: SURBL usage for content-filters like SquidGuard?

2005-03-22 Thread Martin Hepworth
Chris Santerre wrote: -Original Message- From: Jeff Chan [mailto:[EMAIL PROTECTED] Sent: Friday, March 18, 2005 2:21 AM To: users@spamassassin.apache.org Subject: Re: OT: SURBL usage for content-filters like SquidGuard? On Thursday, March 17, 2005, 7:13:32 PM, Jason Haar wrote: I was

RE: Spammers Target Secondary MX hosts?

2005-03-22 Thread Menno van Bennekom
SNIP I've used a different approach, IN MX 10 primary.domain.com (4 machines) IN MX 20 primary1.domain.com (2 of those 4) IN MX 30 primary1.domain.com (the other 2 of those 4) IN MX 20 backup.domain.com IN MX 30 primary.domain.com Seems to force most of the spam through the primary. Very

FW: Can't connect to local MySQL server through socket

2005-03-22 Thread Philipp Snizek
Hi according to Dr Google I'm not the first one to encounter this error below. SpamAssassin: invoked with 'spamd -D -q -u filter' failed to load user (filter) scores from SQL database: SQL Error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) Thus, I

RE: ZDNET redirecting to spammer websites?

2005-03-22 Thread Rose, Bobby
Even though zdnet.com shouldn't be in SURBL, wouldn't having chkpt.zdnet.com (the actual site doing the redirect) be in SURBL? -Original Message- From: Jeff Chan [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 22, 2005 12:38 AM To: users@spamassassin.apache.org Cc: SURBL Discuss

Re: ZDNET redirecting to spammer websites?

2005-03-22 Thread Jeff Chan
On Tuesday, March 22, 2005, 4:13:33 AM, Bobby Rose wrote: Even though zdnet.com shouldn't be in SURBL, wouldn't having chkpt.zdnet.com (the actual site doing the redirect) be in SURBL? Good thought, but there are two problems with that: 1. SURBLs usually list only registered domains like

connect(AF_INET) to spamd failed

2005-03-22 Thread Pat Traynor
Last night, I had to do a minor hardware upgrade on my server. Later that night when I checked my mail, I had about 20 spams, when I'd normally get one or two during that time. Overnight, I got about another 30. From the headers, I can see that spamd *is* running and generating scores, but LOTS

Re: Re: SA 3.0.2 MASSIVE memory cpu problems

2005-03-22 Thread Wolfgang . Fuertbauer
please help! still no solution for that! still massive CPU and Mem problems [EMAIL PROTECTED] schrieb am 16.03.2005 19:56:54: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I would suggest running with -D and monitoring spamd memory size as it starts up. Something is causing it to balloon

Re: connect(AF_INET) to spamd failed

2005-03-22 Thread DNI Support Department
Greetings Pat: Check the following: 1. /tmp is not full. 2. The directory where the spamd socket is created has the correct ownership (uid, guid) and permissions; if it is not in the /tmp area, then also make sure the area the socket is created is not full. Thank you. At 07:46 AM

Interesting? Porn Spam

2005-03-22 Thread Toll, Eric
Hello List, I am running SA 2.63, Postfix 2 Amavisd-new. I have many updated rule sets, any rules out there to see letters spelled as below? The following spam got in, just thought I'd share with the list, I have never seen this technique. My tagged above is set to -100 so I can see the tests

Re: Interesting? Porn Spam

2005-03-22 Thread Menno van Bennekom
Hello List, I am running SA 2.63, Postfix 2 Amavisd-new. I have many updated rule sets, any rules out there to see letters spelled as below? Anyone else doing this? TIA Eric Yes, I got a very nice one lately with all the meds in it, with pricing. It got marked as spam because of the URL in

RE: ZDNET redirecting to spammer websites?

2005-03-22 Thread Chris Santerre
-Original Message- From: Jeff Chan [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 22, 2005 7:23 AM To: users@spamassassin.apache.org; SURBL Discuss Subject: Re: ZDNET redirecting to spammer websites? On Tuesday, March 22, 2005, 4:13:33 AM, Bobby Rose wrote: Even though zdnet.com

Re: Re: SA 3.0.2 MASSIVE memory cpu problems

2005-03-22 Thread qqqq
Same problem here. I have written a script to cycle spamd when the CPU hits a load average of 8 for now. - Original Message - From: [EMAIL PROTECTED] To: Justin Mason [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, March 22, 2005 5:53 AM Subject: Re: Re: SA 3.0.2 MASSIVE

How do I whitelist this list?

2005-03-22 Thread Robert Markin
Hey everybody, RH9 SA 3.0.0 (invoked by procmail spamc/spamd) Sendmail 8 Procmail I tried to search for this on GMANE but was unsuccessful. I would like to know how some of you guys are whitelisting this actual mailing list. I have the following in my local.cf, but I still get quite a few

Re: How do I whitelist this list?

2005-03-22 Thread Bob McClure Jr
On Tue, Mar 22, 2005 at 07:20:32AM -0800, Robert Markin wrote: Hey everybody, RH9 SA 3.0.0 (invoked by procmail spamc/spamd) Sendmail 8 Procmail I tried to search for this on GMANE but was unsuccessful. I would like to know how some of you guys are whitelisting this actual mailing

Re: How do I whitelist this list?

2005-03-22 Thread Robert Markin
Bob McClure Jr wrote: On Tue, Mar 22, 2005 at 07:20:32AM -0800, Robert Markin wrote: Hey everybody, RH9 SA 3.0.0 (invoked by procmail spamc/spamd) Sendmail 8 Procmail I tried to search for this on GMANE but was unsuccessful. I would like to know how some of you guys are

Re: How do I whitelist this list?

2005-03-22 Thread Jim Maul
Bob McClure Jr wrote: On Tue, Mar 22, 2005 at 07:20:32AM -0800, Robert Markin wrote: Hey everybody, RH9 SA 3.0.0 (invoked by procmail spamc/spamd) Sendmail 8 Procmail I tried to search for this on GMANE but was unsuccessful. I would like to know how some of you guys are whitelisting this actual

Re: How do I whitelist this list?

2005-03-22 Thread Alan Munday
I'll mention this again since I have yet to come up with a solution. While the above works great for people using procmail, does anyone have a solution that works without procmail? I'm stuck passing all list traffic through SA because of this. Just this morning someone on this list posted a

Re: How do I whitelist this list?

2005-03-22 Thread Andy Norris
Hi Robert, I put this in the (on my machine) /etc/MailScanner/rules/spam.whitelist.rules: From: jiscmail.ac.uk yes # MailScanner mailing list From: spamassassin.apache.org yes # SpamAssassin mailing list Those are tabs, and not spaces. I tried a bunch of other things... but

Restarting spamd after config change.

2005-03-22 Thread Robert Markin
Hello, Can I simply SIGHUP my spamd process after making changes to local.cf, or do I have to kill the pid then /usr/bin/spamd -c -d Simply put, does SIGHUP keep any flags that I may be using after my executable? Also, do I need to use these flags at all? The man page shows -c as create

Re: How do I whitelist this list?

2005-03-22 Thread Martin Hepworth
Andy Robert uses procmail and spamd/spamc so your MailScanner setup (and mine!) won't work. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Andy Norris wrote: Hi Robert, I put this in the (on my machine) /etc/MailScanner/rules/spam.whitelist.rules: From:

Re: How do I whitelist this list?

2005-03-22 Thread Robert Markin
Robert Markin wrote: Hey everybody, RH9 SA 3.0.0 (invoked by procmail spamc/spamd) Sendmail 8 Procmail I tried to search for this on GMANE but was unsuccessful. I would like to know how some of you guys are whitelisting this actual mailing list. I have the following in my local.cf, but I still

Re: Oi| and Gas Spam

2005-03-22 Thread Stuart Johnston
wrote: Is anybody else receiving a large amount of these? Here is a sample: The Oi| and Gas Advisory Now that Oi| and Gas has entered a long-term bu|l market, our specialty in pinpointing the hottest companies of the few remaining undervalued energy p|ays has produced soaring returns. Emerson

Wordlist Rules

2005-03-22 Thread Shelley Waltz
I am trying to use the following from a posting on Mar 2 2004 RHES3/spamassassin-2.63-1 ... # match Bayes-poison lists of lowercase words without articles or common #prepositions body PT_WORDLIST_10 /(?:\b(?!(?:from|that|have|this|were|with)\b)[a-z]{4,12}\s+){10}/ describe PT_WORDLIST_10

Re: How do I whitelist this list?

2005-03-22 Thread Andy Norris
Sorry about the oversight. I saw this email this morning after a not-very-good night's sleep at a motel. Struck close to my heart, as I just could not get the whitelist_from_rcvd to work on my box. Very frustrating, and a lot of time spent. I finally resorted to the MailScanner way. But I'm

Re: Restarting spamd after config change.

2005-03-22 Thread Robert Markin
Robert Markin wrote: Hello, Can I simply SIGHUP my spamd process after making changes to local.cf, or do I have to kill the pid then /usr/bin/spamd -c -d Simply put, does SIGHUP keep any flags that I may be using after my executable? Also, do I need to use these flags at all? The man page

Re: Wordlist Rules

2005-03-22 Thread Theo Van Dinter
On Tue, Mar 22, 2005 at 12:22:14PM -0500, Shelley Waltz wrote: body PT_WORDLIST_10 /(?:\b(?!(?:from|that|have|this|were|with)\b)[a-z]{4,12}\s+){10}/ describe PT_WORDLIST_10 string of 10+ random words score PT_WORDLIST_10 1.0 Failed to parse line in SpamAssassin configuration, skipping:

Re: Restarting spamd after config change.

2005-03-22 Thread Matt Kettler
Robert Markin wrote: Hello, Can I simply SIGHUP my spamd process after making changes to local.cf, or do I have to kill the pid then /usr/bin/spamd -c -d Simply put, does SIGHUP keep any flags that I may be using after my executable? It should. Also, do I need to use these flags at

Re: Wordlist Rules

2005-03-22 Thread Matt Kettler
Shelley Waltz wrote: When I spamassassin -D --lint I get the following ... Failed to parse line in SpamAssassin configuration, skipping: body PT_WORDLIST_10 Failed to parse line in SpamAssassin configuration, skipping: /(?:\b(?!(?:from|that|have|this|were|with)\b)[a_z]{4,12}\s+){10}/ Do these

Bayes and forwarded mail

2005-03-22 Thread Joe Polk
If you set up a mailbox specifically for Bayes to learn and forwarded emails to it, will Bayes sniff them out in a forwarded form? I assume you couldn't bulk forward, but would this work otherwise? -- JAV

Re: Bayes and forwarded mail

2005-03-22 Thread Matt Kettler
Joe Polk wrote: If you set up a mailbox specifically for Bayes to learn and forwarded emails to it, will Bayes sniff them out in a forwarded form? I assume you couldn't bulk forward, but would this work otherwise? No. If you feed sa-learn a forwarded mail, it will learn that forwarded messages

Phishing attempts getting through.

2005-03-22 Thread Sunny Forro
Hello, I've got a problem. I've got a lot of phishing attacks making it through my mailscanner setup. I do have phishing fraud detection turned on, and I have not modified the phishing safe sites list. Most (if not all) of the phishing emails are ebay account notices with forged IP

Re: Phishing attempts getting through.

2005-03-22 Thread Matt Kettler
Sunny Forro wrote: Hello, I've got a problem. I've got a lot of phishing attacks making it through my mailscanner setup. I do have phishing fraud detection turned on, and I have not modified the phishing safe sites list. Most (if not all) of the phishing emails are ebay account notices with

Re: Phishing attempts getting through.

2005-03-22 Thread ChupaCabra
And this has what to do with Spamassassin? Sunny Forro wrote: Hello, I've got a problem. I've got a lot of phishing attacks making it through my mailscanner setup. I do have phishing fraud detection turned on, and I have not modified the phishing safe sites list. Most (if not all) of the

Re: How do I whitelist this list?

2005-03-22 Thread Eric A. Hall
Jim Maul wrote: While the above works great for people using procmail, does anyone have a solution that works without procmail? whitelist_from_rcvd [EMAIL PROTECTED] apache.org worked when I used static whitelists. I had a bunch of similar entries for various mailing lists in a big

Excessive DNS Requests

2005-03-22 Thread lister lynch
Our ISP, Covad, is periodically claiming that we have excessive DNS requests and is threatening to turn off our service. It's primarily due to SA, I think. Looked around for answers, and already set a bunch of the BL checks to 0.0 to turn off the rules. Any idea how to further prevent the

Re: How do I whitelist this list?

2005-03-22 Thread Matt Kettler
Andy Norris wrote: Sorry about the oversight. I saw this email this morning after a not-very-good night's sleep at a motel. Struck close to my heart, as I just could not get the whitelist_from_rcvd to work on my box. Very frustrating, and a lot of time spent If you can't get

Re: Excessive DNS Requests

2005-03-22 Thread Morris Jones
lister lynch wrote: Our ISP, Covad, is periodically claiming that we have excessive DNS requests and is threatening to turn off our service. It's primarily due to SA, I think. Looked around for answers, and already set a bunch of the BL checks to 0.0 to turn off the rules. Any idea how to

Re: Excessive DNS Requests

2005-03-22 Thread Rick Macdougall
lister lynch wrote: Our ISP, Covad, is periodically claiming that we have excessive DNS requests and is threatening to turn off our service. It's primarily due to SA, I think. Looked around for answers, and already set a bunch of the BL checks to 0.0 to turn off the rules. Any idea how to

Re: Excessive DNS Requests

2005-03-22 Thread Matt Kettler
lister lynch wrote: Our ISP, Covad, is periodically claiming that we have excessive DNS requests and is threatening to turn off our service. It's primarily due to SA, I think. Looked around for answers, and already set a bunch of the BL checks to 0.0 to turn off the rules. Any idea how to

Re: How do I whitelist this list?

2005-03-22 Thread Jim Maul
whitelist_from [EMAIL PROTECTED] whitelist_from [EMAIL PROTECTED] whitelist_from mail.apache.org whitelist_from_rcvd [EMAIL PROTECTED] whitelist_from_rcvd [EMAIL PROTECTED] whitelist_from_rcvd mail.apache.org This will not work as all it does is assign -100 points to the message. This could

Re: Excessive DNS Requests

2005-03-22 Thread David Brodbeck
On Tue, 22 Mar 2005 15:49:01 -0500, lister lynch wrote Our ISP, Covad, is periodically claiming that we have excessive DNS requests and is threatening to turn off our service. It's primarily due to SA, I think. Looked around for answers, and already set a bunch of the BL checks to 0.0 to

Re: Excessive DNS Requests

2005-03-22 Thread Bob McClure Jr
On Tue, Mar 22, 2005 at 04:49:24PM -0500, David Brodbeck wrote: On Tue, 22 Mar 2005 15:49:01 -0500, lister lynch wrote Our ISP, Covad, is periodically claiming that we have excessive DNS requests and is threatening to turn off our service. It's primarily due to SA, I think. Looked around

Re: Excessive DNS Requests

2005-03-22 Thread Jonathan Nichols
lister lynch wrote: Our ISP, Covad, is periodically claiming that we have excessive DNS requests and is threatening to turn off our service. It's primarily due to SA, I think. Looked around for answers, and already set a bunch of the BL checks to 0.0 to turn off the rules. Any idea how to

Re: How do I whitelist this list?

2005-03-22 Thread Matt Kettler
Jim Maul wrote: This will not work as all it does is assign -100 points to the message. This could cause an autolearn=ham on every message, even the spam that people post to the list! Sorry Jim, but that's 100% pure fallacy.. The autolearner explicitly ignores whitelist and blacklist

Re: How do I whitelist this list?

2005-03-22 Thread Matt Kettler
Jim Maul wrote: Ok, so if the autolearner ignores the -100 from the whitelist_from_rcvd and uses the score without the -100 to determine whether or not it should be autolearned, what is the point of adding the whitelist_from_rcvd entry at all? I understand that it will pretty much prevent

Re: Excessive DNS Requests

2005-03-22 Thread David Brodbeck
Kelson wrote: Bob McClure Jr wrote: On Tue, Mar 22, 2005 at 04:49:24PM -0500, David Brodbeck wrote: I can't give you specific instructions for FC1, but I know older versions of RedHat had a package specifically for this, all preconfigured. I think it was pdnsd, but it appears not to be in the FC

Re: Excessive DNS Requests

2005-03-22 Thread lister lynch
On Tue, 2005-03-22 at 17:25, Kelson wrote: Bob McClure Jr wrote: On Tue, Mar 22, 2005 at 04:49:24PM -0500, David Brodbeck wrote: I can't give you specific instructions for FC1, but I know older versions of RedHat had a package specifically for this, all preconfigured. I think it was

Re: Excessive DNS Requests

2005-03-22 Thread David Brodbeck
lister lynch wrote: I checked the PDC of the domain (W2003), and it was running DNS for forward and reverse lookup zones, as well as caching lookup. There shouldn't be any problem installing caching-nameserver on the FC box as well, should there? No, but why not just make the FC box use the PDC

RE: Excessive DNS Requests

2005-03-22 Thread Matthew.van.Eerde
David Brodbeck wrote: lister lynch wrote: I checked the PDC of the domain (W2003), and it was running DNS for forward and reverse lookup zones, as well as caching lookup. There shouldn't be any problem installing caching-nameserver on the FC box as well, should there? No, but why not just

Re: New redirector: www.nate.com

2005-03-22 Thread List Mail User
... From: David B Funk [EMAIL PROTECTED] To: [EMAIL PROTECTED], users@spamassassin.apache.org Subject: New redirector: www.nate.com ... Ugg, just ran across another open redirector abused in spam www.nate.com/r/XY12/target.domain where XY12 seems to be any combination of 4 letters and digits.

qmailmftg7 and spamassain logs

2005-03-22 Thread ip.guy
Hi all, is anyone using qmailmrtg7 to graph spamassassin stats? I'm having a problem with the logs spamassassin is trying to parse... Is qmailmrtg7 looking for syslog style spamassassin logs or spamd specific logs? If it's looking for spamd logs, where are they kept? My installation (with