>>
>> Ken A wrote:
>> > Don't accept mail for non-existent users. Your MTA should reject it.
>>
>> Yeah, we should. Not quite there yet.
>>
>> In spite of that, I thought it may be a good test to do anyway. Even if
>> the mail is addressed to an existent user, if the MX for the sender
>> doma
[EMAIL PROTECTED] wrote:
I don't understand your point.
I run a Mac. I don't care for _any_ .exes period.
You could use your MTA to do a light content filtering, so it will
reject mail with .exe attachment at MTA level.
Try postfix.
--beast
At 11:03 14-08-2006, Mark Martinec wrote:
Having received a couple of messages faking to be from yahoo,
despite FORGED_YAHOO_RCVD and few other rules firing, the final
score was not high enough. Since Yahoo! is signing their
outgoing mail with DomainKeys, I came up with:
header __L_FROM_YAHO
On 8/14/2006 6:45 PM, Xepher wrote:
I've got a server configured with postfix and spamassassin. The
mailserver is the only one for the domain, and thus receives mail from
other servers, as well as letting users connect directly (with smtp
auth) to send mail. Everything works fine, EXCEPT when use
2. the check isn't thorough enough because it doesn't consider
other content-types whereby people hide executable attachments.
Suggestion: you know the line in the plugin that is only checking the two
content types. You know the other content types you want to check.
Change the line in the
On Mon, 14 Aug 2006, Robert Nicholson wrote:
> You are failing to understand my point.
>
> To me any message that has a .exe attachment is spam.
I understand you completely. You have internalized "bad email ==
spam". There are more nuances than that - bulk unsolicited commercial
solicitations an
On Mon, 14 Aug 2006, Ole Nomann Thomsen wrote:
> Hi, in order to avoid bouncing spam back to the (almost certainly) faked
> sender-addresses, I thought I could use SA directly:
>
> Suppose I configure it to substitute "<>" for the sender/reply-to in any
> spam? That way spam-generated bounces woul
On Tue, August 15, 2006 02:23, Xepher wrote:
> I tried them, and still have the exact same problem. Any other ideas?
clear_internal_networks
internal_networks 127.0.0.1
clear_trusted_networks
trusted_networks
trusted_networks 127.0.0.1
save my msg with full header
and then test my msg with
sp
On Monday 14 August 2006 01:44, Ole Nomann Thomsen wrote:
> Hi, in order to avoid bouncing spam back to the (almost certainly) faked
> sender-addresses, I thought I could use SA directly:
Why would you bounce spam, with or without spamassassin?
That is a MTA setting, and every MTA in existence to
Thanks Justin and Daryl.
> > (a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to
> > use?
> I'd say yes. DK signs the message, not the envelope. I'm pretty sure
> the current milters look for a From: header to decide on what
> selector/etc to use.
Right, DK (as well as DKIM)
Benny Pedersen wrote:
> i had the same problem once :-)
>
> see attached
>
> for rbl check the internal_networks and trusted_networks, spf test is disabled
> on internal networks, so make sure your smtp auth ip is not listed as internal
> in your spamassassin, but it should still be in trusted_net
On Tue, 15 Aug 2006, Guy Waugh wrote:
|# Theo Van Dinter wrote:
|# > On Tue, Aug 15, 2006 at 08:41:27AM +1000, Guy Waugh wrote:
|# >
|# > > Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287: SYSERR(root):
|# > > localhost.fabulous.com. config error: mail loops back to me (MX problem?)
|#
Ken A wrote:
Don't accept mail for non-existent users. Your MTA should reject it.
Yeah, we should. Not quite there yet.
In spite of that, I thought it may be a good test to do anyway. Even if
the mail is addressed to an existent user, if the MX for the sender
domain is DNSed to the localhost
On Tue, August 15, 2006 00:45, Xepher wrote:
> Any help would be appreciated, as I'd really rather not disable SPF and
> RBL completely.
i had the same problem once :-)
see attached
for rbl check the internal_networks and trusted_networks, spf test is disabled
on internal networks, so make sure
Don't accept mail for non-existent users. Your MTA should reject it.
That said, we get these too, though it's usually just an odd one now and
then. They come in from some domain that sendmail on a gateway box can
lookup in DNS, so it's accepted. Then there's an NDN generated for some
reason...
Theo Van Dinter wrote:
On Tue, Aug 15, 2006 at 08:41:27AM +1000, Guy Waugh wrote:
Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287:
SYSERR(root): localhost.fabulous.com. config error: mail loops back to
me (MX problem?)
Do people actively combat this somehow?
I guess it depends
decoder wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Michel Vaillancourt wrote:
Simon Standley wrote:
Hi Gang,
I've had the latest FuzzyOcr on test for the past day or so -
very nice work. Congrats to all involved.
Thought you may be interested in the attached GIF. It was onl
On Tue, Aug 15, 2006 at 08:41:27AM +1000, Guy Waugh wrote:
> Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287:
> SYSERR(root): localhost.fabulous.com. config error: mail loops back to
> me (MX problem?)
>
> Do people actively combat this somehow?
I guess it depends how it got into you
Howdy,
I've been noticing an increasing amount of messages like this in my
sendmail log:
Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287:
SYSERR(root): localhost.fabulous.com. config error: mail loops back to
me (MX problem?)
I couldn't back it up with statistics, but I'd swear
You are failing to understand my point.
To me any message that has a .exe attachment is spam. That's just how
I work because I'm on a Mac therefore I'd like to use
check_microsoft_executable whose job it is to bump up the score if
there's an executable attachment. The problem right now is t
I've got a server configured with postfix and spamassassin. The
mailserver is the only one for the domain, and thus receives mail from
other servers, as well as letting users connect directly (with smtp
auth) to send mail. Everything works fine, EXCEPT when users send email
to each other. In those
On Mon, 14 Aug 2006, Thomas Lindell wrote:
Every now and again one of my bonehead customers gets a trojan that starts
shooting out spam messages like crazy. I usually catch it within a few hours
but I am wondering if there's a way for me to scan messages my customers
send and drop them or bounce
On Mon, 14 Aug 2006 [EMAIL PROTECTED] wrote:
> So in summary...
>
> SPAM is not always the same for everybody.
Sure it is. Spam (please don't capitalize the entire word - Hormel
gets annoyed) is Unsolicited Bulk Email.
> In my case anything with .exe is SPAM because nobody will send me a .exe
On Mon, 14 Aug 2006 [EMAIL PROTECTED] wrote:
> I don't understand your point.
Spamassassin is a tool to determine the spamminess of a message, not
to check whether attachments to that message pose security risks.
> I run a Mac. I don't care for _any_ .exes period.
Fine. Your site email policy,
Bookworm writes:
> [EMAIL PROTECTED] wrote:
> > that analyzes and scores email addresses:
> >
> > we have big companies that give their employees more or less random strings
> > as email addresses
> > (but length will not be extremely long)
> > Otherwise we have email addresses that somehow
From: "Bookworm" <[EMAIL PROTECTED]>
[EMAIL PROTECTED] wrote:
that analyzes and scores email addresses:
we have big companies that give their employees more or less random strings as email
addresses
(but length will not be extremely long)
Otherwise we have email addresses that somehow a
If my mail server must address it then I am off to check some man pages I
really just needed a place to start
Yes. At a guess you may want to set up two different SA configurations,
although you can probably do it with a single one, somehow. You would
somehow in your server chain route outgoi
[EMAIL PROTECTED] wrote:
that analyzes and scores email addresses:
we have big companies that give their employees more or less random strings as
email addresses
(but length will not be extremely long)
Otherwise we have email addresses that somehow are built from a person's name,
(e.g firs
I appreciate where you're going with this I just didn't know how to approach
it.
If my mail server must address it then I am off to check some man pages I
really just needed a place to start
Thanks
Tom
-Original Message-
From: Evan Platt [mailto:[EMAIL PROTECTED]
Sent: Monday, August 14
that analyzes and scores email addresses:
we have big companies that give their employees more or less random strings as
email addresses
(but length will not be extremely long)
Otherwise we have email addresses that somehow are built from a person's name,
(e.g first.last, f.last, last17f o
> Usually they're the typical viagra or stock scam.
Text or image spam?
If text, do they include a URL that might be caught by SURBL or URIBL?
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
At 12:36 PM 8/14/2006, you wrote:
They are generally a clone of each other just substituting the send to
address.
Usually they're the typical viagra or stock scam.
If they were incoming my SA would catch em and mark em but as they're not
being processed by sa they don't even get marked.
That's a f
From: "Beast" <[EMAIL PROTECTED]>
Nigel Frankcom wrote:
I will turn on auto learn mostly because I need to feed more HAM to SA
(so far I only feed ham for any false positive which is very low daily
and i think that is not good enough for SA)
If it is well trained then Bayes should
My fault for being lazy I guess ...
The build from source did the trick.
Thanks.
-Original Message-
From: decoder [mailto:[EMAIL PROTECTED]
Sent: 14 August 2006 20:03
To: users@spamassassin.apache.org
Subject: Re: The arms race continues
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
S
They are generally a clone of each other just substituting the send to
address.
Usually they're the typical viagra or stock scam.
If they were incoming my SA would catch em and mark em but as they're not
being processed by sa they don't even get marked.
Worse yet is even if sa marks em they still go
On 8/14/2006 2:23 PM, Justin Mason wrote:
Mark Martinec writes:
Having received a couple of messages faking to be from yahoo,
despite FORGED_YAHOO_RCVD and few other rules firing, the final
score was not high enough. Since Yahoo! is signing their
outgoing mail with DomainKeys, I came up with:
Tom said:
> I do however if they get a Msoutlook trojan that can use outlook to forward
> the spam it gets right on through
What a nightmare. I've been aware of this possibility, but I didn't think it
happened that often.
Are there any particular characteristics of the outgoing spam and/or vir
On Mon, Aug 14, 2006 at 01:59:59PM -0500, [EMAIL PROTECTED] wrote:
> therefore I'm loading the antivirus plugin in order to make use of
> check_microsoft_executable rule. However that rule doesn't fire
> if the attacker is disguising the .exe with a nonsensical content type
> primarily because the
I do have amavis running the problem is identifying the message Ideally I
guess I would like it to pop up an error in outlook like it does when they
try to send a file attachment that's too large.
I suppose I could implement some sort of rate limiting but that's just
irritating I am trying to stay
Thomas Lindell wrote:
> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy. I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if th
I do however if they get a Msoutlook trojan that can use outlook to forward
the spam it gets right on through
-Original Message-
From: Rob McEwen (PowerView Systems) [mailto:[EMAIL PROTECTED]
Sent: Monday, August 14, 2006 1:59 PM
To: Thomas Lindell; users@spamassassin.apache.org
Subject
On Aug 14, 2006, at 12:01 PM, decoder wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Theo Van Dinter wrote:
On Mon, Aug 14, 2006 at 08:46:51PM +0200, decoder wrote:
gocr features a nice parameter called -d. It is able to remove
smaller particles before scanning, compare these results:
So in summary...
SPAM is not always the same for everybody.
In my case anything with .exe is SPAM because nobody will send me a .exe
So I want the ability to make use of SA's configurability to learn what is SPAM
for me.
I don't call that a virus checker.
-
I really don't understand why you bring this up.
I do not want SA to check the .exe. I just want the rule to fire
so that it goes over my SPAM threshold when an .exe is attached.
right now the rule does not fire unless the attachment had a correspondingly
correct content-type. In my case it does not
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Simon Standley wrote:
> Hey - cool!
>
> ... but my gocr doesn't have that option :(
>
> Which version do you have, and where did you get it from?
I am using version 0.40-r2. This is probably the newest available.
Since I'm using gentoo I always have
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Theo Van Dinter wrote:
> On Mon, Aug 14, 2006 at 08:46:51PM +0200, decoder wrote:
>> gocr features a nice parameter called -d. It is able to remove
>> smaller particles before scanning, compare these results:
>
> So my problem with the OCR idea is that
I don't understand your point.
I run a Mac. I don't care for _any_ .exes period.
therefore I'm loading the antivirus plugin in order to make use of
check_microsoft_executable rule. However that rule doesn't fire
if the attacker is disguising the .exe with a nonsensical content type
primarily bec
At 12:00 PM 8/14/2006, you wrote:
Every now and again one of my bonehead customers gets a trojan that starts
shooting out spam messages like crazy. I usually catch it within a few hours
but I am wondering if there's a way for me to scan messages my customers
send and drop them or bounce them back
Tom Lindell asked:
> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy. I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if there
Hey - cool!
... but my gocr doesn't have that option :(
Which version do you have, and where did you get it from?
Thanx
Si.
-Original Message-
From: decoder [mailto:[EMAIL PROTECTED]
Sent: 14 August 2006 19:47
To: users@spamassassin.apache.org
Subject: Re: The arms race continues
---
Every now and again one of my bonehead customers gets a trojan that starts
shooting out spam messages like crazy. I usually catch it within a few hours
but I am wondering if there's a way for me to scan messages my customers
send and drop them or bounce them back if they're detected as spam.
Thanks
On Mon, Aug 14, 2006 at 08:46:51PM +0200, decoder wrote:
> gocr features a nice parameter called -d. It is able to remove smaller
> particles before scanning, compare these results:
So my problem with the OCR idea is that it inevitably gets to the point
where we'd need to programmatically solve the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Michel Vaillancourt wrote:
> Simon Standley wrote:
>> Hi Gang,
>>
>> I've had the latest FuzzyOcr on test for the past day or so -
>> very nice work. Congrats to all involved.
>>
>> Thought you may be interested in the attached GIF. It was only a
>> ma
Mark Martinec writes:
> Having received a couple of messages faking to be from yahoo,
> despite FORGED_YAHOO_RCVD and few other rules firing, the final
> score was not high enough. Since Yahoo! is signing their
> outgoing mail with DomainKeys, I came up with:
>
> header __L_FROM_YAHOO From
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Michel Vaillancourt wrote:
> Simon Standley wrote:
>> Hi Gang,
>>
>> I've had the latest FuzzyOcr on test for the past day or so - very
nice work. Congrats to all involved.
>>
>> Thought you may be interested in the attached GIF. It was only a
matter o
Simon Standley wrote:
> Hi Gang,
>
> I've had the latest FuzzyOcr on test for the past day or so - very nice work.
> Congrats to all involved.
>
> Thought you may be interested in the attached GIF. It was only a matter of
> time before something like this came along ...
>
> Si.
>
> <>
>
>
Hi Gang,
I've had the latest FuzzyOcr on test for the past day or so - very nice work.
Congrats to all involved.
Thought you may be interested in the attached GIF. It was only a matter of time
before something like this came along ...
Si.
<>
.
forgiving26.gif
Description: forgiving26.gi
Having received a couple of messages faking to be from yahoo,
despite FORGED_YAHOO_RCVD and few other rules firing, the final
score was not high enough. Since Yahoo! is signing their
outgoing mail with DomainKeys, I came up with:
header __L_FROM_YAHOO From:addr =~ /[EMAIL PROTECTED]/i
met
> Hi, in order to avoid bouncing spam back to the (almost certainly) faked
> sender-addresses, I thought I could use SA directly:
What's your MTA and/or SA-invoking app? Surely it is easier to have
that agent parse SA's feedback (headers, subject mod or score) in
deciding the final disposi
> MennovB wrote:
>> Markus Edholm wrote:
>>
>>> I´m looking for some simple statistic script
>>> using amavisd and spamassassin just to see how my own and "standard"
>>> rules work
>>>
>>>
>> There are several simple scripts for amavisd/SA but it depends on what
>> info
>> you want.
>> For example
Found the problem:
skip_rbl_checks
was set to 1.
Set it to 0 and it be now catching spammers... ;)
Thanks
On Monday 14 August 2006 18:00, Scott Ryan wrote with regard to - Re: Not
doing checks :
> On Monday 14 August 2006 17:55, Theo Van Dinter wrote with regard to - Re:
> Not
>
> doin
On Monday 14 August 2006 17:55, Theo Van Dinter wrote with regard to - Re: Not
doing checks :
> On Mon, Aug 14, 2006 at 05:41:40PM +0200, Scott Ryan wrote:
> > [11431] dbg: check:
> > tests=AWL,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,RCVD_IN_NJABL_DUL,RCVD_I
> >N_SORBS_DUL,RCVD_IN_WHOIS_INVALID [29
On Mon, Aug 14, 2006 at 05:41:40PM +0200, Scott Ryan wrote:
> [11431] dbg: check:
> tests=AWL,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_WHOIS_INVALID
> [29351] dbg: check: tests=DATE_IN_FUTURE_03_06
>
> Why is it not doing as many checks as the FC5 machin
I have SA3.1 installed on my fedora machine and 3.1 (built from fedora SRPM)
on a RedHat Enterprise Linux 4 box . The fedora machine identifies a message
as spam, but the redhat one lets it through. The only difference in the
configs is basically, the redhat machine uses MySQL for prefs where the
MennovB wrote:
Markus Edholm wrote:
I´m looking for some simple statistic script
using amavisd and spamassassin just to see how my own and "standard"
rules work
There are several simple scripts for amavisd/SA but it depends on what info
you want.
For example in the list on http://www.
> -Original Message-
> From: Burton Windle [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 14, 2006 9:27 AM
> To: users@spamassassin.apache.org
> Subject: Penalizing for SPF being too broad
>
> Now that even spammers are using SPF, is there a way to
> penalize those with SPF records
On Mon, 14 Aug 2006, Robert Nicholson wrote:
> Any plans to change this? It's obviously an area where the spammer
> has found a way to work around the rule.
SA is not an antivirus tool, and an attached executable is not spam,
it is a security attack.
If you're not willing to run a traditional vi
On 14-Aug-06, at 9:38 AM, [EMAIL PROTECTED] wrote:
Now that even spammers are using SPF, is there a way to penalize those with SPF records that are too broad?
[EMAIL PROTECTED]:~$ host -t txt topsyvwkh.net
topsyvwkh.net descriptive text "v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2 ip4:145.0.0.0/2 ip4:245.0.0
David Baron wrote:
> On Sunday 13 August 2006 18:44, Theo Van Dinter wrote:
> > On Sun, Aug 13, 2006 at 09:08:50AM -0400, Michael Di Martino wrote:
> > > So how does razor differ over SA's ruleset?
> >
> > Razor compares MIME part hashes and URI domain hashes to a central
> > database where people
On 8/14/2006 9:27 AM, Burton Windle wrote:
Now that even spammers are using SPF, is there a way to penalize those
with SPF records that are too broad?
[EMAIL PROTECTED]:~$ host -t txt topsyvwkh.net
topsyvwkh.net descriptive text "v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2
ip4:145.0.0.0/2 ip4:245.0.0
Now that even spammers are using SPF, is there a way to penalize those
with SPF records that are too broad?
[EMAIL PROTECTED]:~$ host -t txt topsyvwkh.net
topsyvwkh.net descriptive text "v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2 ip4:145.0.0.0/2
ip4:245.0.0.0/2 -all"
I doubt any legit sender would S
This is why the rule doesn't trigger
I see ... so the reason this gets thru is the following.
foreach my $p ($pms->{msg}->find_parts(qr/^(application|text)\b/)) {
... just looking for application|text is being too kind
that needs to be more broad in this case.
I'd be for checking any attachme
Markus Edholm wrote:
>
> I´m looking for some simple statistic script
> using amavisd and spamassassin just to see how my own and "standard"
> rules work
>
There are several simple scripts for amavisd/SA but it depends on what info
you want.
For example in the list on http://www.ijs.si/software
On 8/13/2006 10:14 PM, DAve wrote:
Daryl C. W. O'Shea wrote:
On 8/13/2006 4:49 PM, DAve wrote:
Chainsaws, couldn't live without 'em. I hope all you lost were trees.
For the most part. Still trying to figure out how I'm going to cut up
one of the trees that is 23 feet in diameter, which c
spamassassin --lint was reporting:
debug: bayes: no dbs present, cannot tie DB R/O: =
/var/spool/amavis/.spamassassin/bayes_toks
sa-learn --dump reported:
ERROR: Bayes dump returned an error, please re-run with -D for more information
sa-learn --backup reported:
v 3 db_version # this
On Mon, 14 Aug 2006 16:28:21 +0700, Beast <[EMAIL PROTECTED]> wrote:
>Nigel Frankcom wrote:
>>
I will turn on auto learn mostly because I need to feed more HAM to SA
(so far I only feed ham for any false positive which is very low daily
and i think that is not good enough for
Hi, in order to avoid bouncing spam back to the (almost certainly) faked
sender-addresses, I thought I could use SA directly:
Suppose I configure it to substitute "<>" for the sender/reply-to in any
spam? That way spam-generated bounces would be dumped. Unfortunately It
doesn't seem possible:
* "
Nigel Frankcom wrote:
I will turn on auto learn mostly because I need to feed more HAM to SA
(so far I only feed ham for any false positive which is very low daily
and i think that is not good enough for SA)
If it is well trained then Bayes should be hitting. It may be that
SA cannot
On Mon, 14 Aug 2006 01:52:33 -0700, "jdow" <[EMAIL PROTECTED]> wrote:
>From: "Beast" <[EMAIL PROTECTED]>
>
>> jdow wrote:
>>> From: "Beast" <[EMAIL PROTECTED]>
>>>
Hi,
From some (spam) mail which not caught by SA, it seems that bayes is
not applied to this mail.
X-Sp
From: "Beast" <[EMAIL PROTECTED]>
jdow wrote:
From: "Beast" <[EMAIL PROTECTED]>
Hi,
From some (spam) mail which not caught by SA, it seems that bayes is
not applied to this mail.
X-Spam-Report:
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.7 SARE_SPEC_ROLEX Rolex watch spa
On 13 Aug 06 at 10:14, Pascal Maes wrote:
Hello,
I have installed MailScanner (4.55.10-3) on a solaris 10 (x86) box.
MailScanner is using SpamAssassin 3.1.4
I'm also using postfix and MailScanner is running as the user postfix.
MailScanner, in debugging mode, is going fine.
When I run spa