On Dec 12, 2006, at 6:46 PM, Phil Barnett wrote:
On Tuesday 12 December 2006 07:28, JamesDR wrote:
Sounds like a good spam sign to me. Let the spammers put 0.0.0.0/0 in
their spf records, I'll pop in 3 points for good measure.
But, you are making some assumptions at this point and that is the
>>
>> I know this is a bit off topic, but does anyone know a good source that
>> breaks down IP addresses by country?
>>
>> =20
>>
>> I=92ve added a number of IP addresses to my hosts.deny file just from
>> =91experience=92.
>>
>> =20
>>
>> My server never gets e-mail from countries outside of
On Tuesday, December 12, 2006, 5:52:33 AM, Dhawal Doshy wrote:
> I am not against off-topic discussions (and also indulge in a few when
> appropriate), what i am tired of is 'Perkel', have a look at some of the
> threads started by him..
> Breaking up the Bot army - we need a plan
> Who wants my
Peter Matulis wrote:
> --- Ken A <[EMAIL PROTECTED]> wrote:
>
>
>> Jon D. Slater wrote:
>>
>>> I know this is a bit off topic, but does anyone know a good source
>>>
>> that
>>
>>> breaks down IP addresses by country?
>>>
>>>
>>>
>>> I’ve added a number of IP addresses to my h
--- Ken A <[EMAIL PROTECTED]> wrote:
>
>
> Jon D. Slater wrote:
> > I know this is a bit off topic, but does anyone know a good source
> that
> > breaks down IP addresses by country?
> >
> >
> >
> > Ive added a number of IP addresses to my hosts.deny file just from
> > experience.
> >
>
On Tuesday 12 December 2006 07:28, JamesDR wrote:
> > There is nothing in SPF to keep a spammer with a botnet from putting
> > 0.0.0.0/0 as their approved domain limit.
>
> Sounds like a good spam sign to me. Let the spammers put 0.0.0.0/0 in
> their spf records, I'll pop in 3 points for good measu
On Tue, 12 Dec 2006, R Lists06 wrote:
> > Three spambot threads stuck for *hours*!
>
> How are you implementing this?
http://www.impsec.org/~jhardin/antispam/spammer-firewall
plus labrea with patches I worked up this weekend:
http://sourceforge.net/projects/labrea
http://sourceforge.net/track
> Dec 12 12:16:30 ga : Initial Connect - tarpitting: 124.240.124.222 14526 -
> > x.x.x.x 25 *
snip
> Dec 12 16:19:20 ga : Persist Activity: 124.240.124.222 14526 -> x.x.x.x 25
> *
>
> Three spambot threads stuck for *hours*!
>
> --
> John Hardin KA7OHZhttp://www.impsec.org/~
My $.02, (and that's about all it's worth).
I was running a server with 1and1 who uses ip address blocks assigned to
Amsterdam.
The server was physically located in New York City.
I had several customers who could not send mail outbound because people
hate to receive mail from Amsterdam. P
On Wed, 13 Dec 2006, Michele Neylon :: Blacknight wrote:
> You could simply use Geoip scoring using this lot:
> http://countries.nerd.dk/
If you're looking for hosts.allow or firewall-friendly CIDR format
entries, take a look at www.blackholes.us
You can get the zone files and CIDR files via rsy
Jon D. Slater wrote:
I know this is a bit off topic, but does anyone know a good source that
breaks down IP addresses by country?
I’ve added a number of IP addresses to my hosts.deny file just from
‘experience’.
My server never gets e-mail from countries outside of the US. So, I’m
lo
You could simply use Geoip scoring using this lot:
http://countries.nerd.dk/
It's pretty effective..
http://www.mneylon.com/blog/archives/2005/01/15/geo-specific-scoring/
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.i
Nicely done!
John D. Hardin wrote:
{snicker!}
Dec 12 09:48:03 ga : Initial Connect - tarpitting: 124.240.124.222 60241 ->
x.x.x.x 25
Dec 12 09:44:20 ga : Initial Connect - tarpitting: 124.240.124.222 53486 ->
x.x.x.x 25 *
Dec 12 12:16:30 ga : Initial Connect - tarpitting: 124.240.124.222 1452
I know this is a bit off topic, but does anyone know a good source that
breaks down IP addresses by country?
I’ve added a number of IP addresses to my hosts.deny file just from
‘experience’.
My server never gets e-mail from countries outside of the US. So, I’m
looking for an effective way
{snicker!}
Dec 12 09:48:03 ga : Initial Connect - tarpitting: 124.240.124.222 60241 ->
x.x.x.x 25
Dec 12 09:44:20 ga : Initial Connect - tarpitting: 124.240.124.222 53486 ->
x.x.x.x 25 *
Dec 12 12:16:30 ga : Initial Connect - tarpitting: 124.240.124.222 14526 ->
x.x.x.x 25 *
...
Dec 12 16:08:06
On 12/12/06, Robert Fitzpatrick <[EMAIL PROTECTED]> wrote:
Having the same problem with two gateways running FreeBSD with Postfix
2.2.9 and amavisd-new content filtering using SA 3.1.x where delays I
think are running high. The delay on a message is generally above 10 and
amavisd-new logs show 96
>
> The numbers you need to look at are the false positives on your own
> incoming mail. Look at the FP rate at each score level (i.e. how many
> legit messages get mistagged with that score or higher, whether in
> absolute terms or in percentages) and decide whether it's acceptable to
> block th
R Lists06 wrote:
Those of you that have some good data can you please share some excellent
numbers that you base your SMTP rejection based on SA scores and otherwise
please?
All I have here are SA averages and im not quite sure that is the right
vector to base the rejection scores on.
The numb
Having the same problem with two gateways running FreeBSD with Postfix
2.2.9 and amavisd-new content filtering using SA 3.1.x where delays I
think are running high. The delay on a message is generally above 10 and
amavisd-new logs show 96-97% of that delay is SA. And this with no .cf
files being lo
Those of you that have some good data can you please share some excellent
numbers that you base your SMTP rejection based on SA scores and otherwise
please?
All I have here are SA averages and im not quite sure that is the right
vector to base the rejection scores on.
Thanks in advance.
- rh
> You have a yahoo account? Send yourself a gtube message:
> http://spamassassin.apache.org/gtube/
>
> >or even smtp rejection and verification based upon SA markup etc?
>
> Well, considering spamassassin cannot reject messages, thats up to
> your MTA.
>
> But see above.
>
>
Thanks for the i
also, if i extract the .gif from the spam, attach to a new message and
mail that to myself, it scores/reports. correctly with all -- fuzzyocr
& others -- test.
hm ...
that is hard to tell, can you reproduce the error somehow? (i.e.
reproduce the situation where FuzzyOcr did NOT score?).
well, there lies the challenge -- and the point, i guess -- *i* can't
reproduce the non-scoring. every test i run scores OK.
If so, enable
debugging to the logfile to see w
Unsubscribe requests are sent to that e-mail address.
Putting that e-mail address on the subject line does nothing.
At 11:56 AM 12/12/2006, you wrote:
--
Êàìåí
--
Камен
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
snowcrash+spamassassin wrote:
> i have SA 3.1.x branch head installed with FuzzyOCR 350rc1.
>
> in --lint tests pass w/o error, and image-containing test messages
> score as expected.
>
> today, i received a spam msg with an attached gif.
>
> it score
JJ Johnson wrote:
> Can Spamassassin be configured to do host testing on forwarded
> messages?
>
> I have an email account hosted on a server running Spamassasin. I
> also forward email from another host that doesn't run any spam
> filtering software to the same email address. I can receive a
>
Ken A wrote:
How very thoughtful. I'd prefer we expect a bit of self restraint. I
promise to do my homework before posting to the list, and not post
about off topic or overly broad issues, since this is the Spam
Assassin Users Discussion list.
Ken A
Pacific.Net
Your complaint is off t
i have SA 3.1.x branch head installed with FuzzyOCR 350rc1.
in --lint tests pass w/o error, and image-containing test messages
score as expected.
today, i received a spam msg with an attached gif.
it scored as spam, and was scored/delivered with report headers of,
X-Spam-Status: score=8.6/4.0
Andrew Hearn (AAISP) wrote:
X-Spam-Status: No, score=4.3 required=4.4 tests=BAYES_99,NO_RELAYS
autolearn=disabled version=3.1.7
X-Spam-Report:
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
* 4.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
I came across a message from an appriver.com (a large mail filtering service and mail
provider) server that failed the BOTNET_BADDNS rule. It does have a serverword, so I
modified my scores to prevent the BADDDNS rule from hitting if SERVERWORDS also hits.
Also, I suppose serverwords should in
Jim Maul wrote:
Ken A wrote:
Dhawal Doshy wrote:
Marc Perkel wrote:
Well - if you don't like me then why don't you write a filter rule
to delete message coming from me? I'm not going away so get used to
it. If my threads weren't so damn interesting it wouldn't generate
so much interest.
Can Spamassassin be configured to do host testing on forwarded messages?
I have an email account hosted on a server running Spamassasin. I also
forward email from another host that doesn't run any spam filtering software
to the same email address. I can receive a message that gets scores of 20+
Hello List,
Here is a sample mail sent from a blackberry device.
===
Received: from smtp01.bis.eu.blackberry.com
(smtp01.bis.eu.blackberry.com [216.9.253.48])
by mx1.netmagicians.com (Postfix) with ESMTP id 6D9D8CC70C
for <[EMAIL PROTECTED]>; Tue, 12 Dec 2006 20:18:13 +
Ken A wrote:
Dhawal Doshy wrote:
Marc Perkel wrote:
Well - if you don't like me then why don't you write a filter rule to
delete message coming from me? I'm not going away so get used to it.
If my threads weren't so damn interesting it wouldn't generate so
much interest.
I think that your
At 09:00 AM 12/12/2006, you wrote:
Is there a URL on the net where one can go and enter an email address and
that server will send a known SA count or random very spammy email to that
address to test for various things like SA markup or SA markup total
You have a yahoo account? Send yourself a
Dhawal Doshy wrote:
Marc Perkel wrote:
Well - if you don't like me then why don't you write a filter rule to
delete message coming from me? I'm not going away so get used to it.
If my threads weren't so damn interesting it wouldn't generate so much
interest.
I think that your personal atta
Of course. Use sense in determining if it's spammy or not -- it's easy
enough to do. If an ad talks about "bulletproof hosting", and use of
anonymous proxies for their SMTP traffic, or offers direct-to-MX sending,
those are spam features.
--j.
Sietse van Zanen writes:
> Why does this have to be
Sietse van Zanen wrote:
> Why does this have to be spammers call?
> There are loads of legit uses for bulk e-mail.
Because the listing specifies they want "experience working with spam in
the past." It was a grey area right up until that statement. If they
wanted a legitimate bulk mailer, they
> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 12, 2006 6:12 AM
> To: users@spamassassin.apache.org
> Subject: Re: question to SARE_URI_EQUALS
>
>
> It's looking for an equal sign in the hostname/domain name, such as
> http://www.foo=bar.c
Why does this have to be spammers call?
There are loads of legit uses for bulk e-mail.
A member of my family runs an Internet advertising company, which specializes
in for instance opt-in bulk mailing.
For example, small company, which hosts two servers and has 4 employees need to
reach 20.000 c
On Tue, Dec 12, 2006 at 06:06:02PM +0100, Janek Kozicki wrote:
> Can you tell me how to painlessly tell spamassassin to call my script?
Write a plugin. See something like FuzzyOcr.
--
Randomly Selected Tagline:
If Major BBS sucked, it would be good for something.
pgpmGPNHMqFH0.pgp
Description
Jean-Paul Natola writes:
> From: Philip Prindeville [mailto:[EMAIL PROTECTED]
> > Any takers? ;-)
> >
> > http://seeker.dice.com/seeker.epl?rel_code=1102&op=5&type=14&docke
> y=xml/7/a/[EMAIL PROTECTED]&bb=0&source=15
>
> Aaaah! I need a telecommuter and I don't even know what's it...
> g
> May
Hello,
I have debian sarge and backported from testing spamassassin 3.1.7
For configuring it, I had only modified
file /etc/default/spamassassin, it has following content:
ENABLED=1
OPTIONS="--create-prefs --max-children 5 --helper-home-dir -s
/var/log/spamd.log"
PIDFILE="/var/run/spamd.pid"
NI
Is there a URL on the net where one can go and enter an email address and
that server will send a known SA count or random very spammy email to that
address to test for various things like SA markup or SA markup total or even
smtp rejection and verification based upon SA markup etc?
Thanks
- rh
Hello!
Since I upgraded my perl-installation with eshell
install N/NW/NWCLARK/perl-5.8.8.tar.gz
I get this error executing:
# su - vscan -c "sa-learn --spam --showdots --dir /spam"
Learned tokens from 0 message(s) (0 message(s) examined)
Insecure dependency in piped open while running with -T sw
On Tue, Dec 12, 2006 at 11:16:44AM -0500, Jean-Paul Natola wrote:
> I'm getting A LOT of these in my log-
> I'm not sure if this is an exim thing or an SA issue
>
> 2006-12-12 10:41:04 1Gu9dv-000DDz-Ss spam acl condition: error reading from
> spamd socket: Operation timed out
It's an exim error.
Given the slight hostility that's been going back and forth , I hope not to
get bashed-I hope this is not too OT -
I'm getting A LOT of these in my log-
I'm not sure if this is an exim thing or an SA issue
2006-12-12 10:41:04 1Gu9dv-000DDz-Ss spam acl condition: error reading from
spamd socket
On Tuesday 12 December 2006 15:39, David Birnbaum wrote:
> If you think about the distribution of a normal email users, it's going to
> look like a very sparse matrix:
>
>(few IPs per sender domain) -> (few recipients per recipient domain)
>
> A big email ISP might look more like this:
>
>
JamesDR wrote:
Phil Barnett wrote:
On Monday 11 December 2006 16:50, JamesDR wrote:
Would you care to elaborate on why SPF doesn't work for sender
verification? Its pretty simple, doesn't get much more simple that what
SPF does... If SPF doesn't work, nothing will.
There is nothing in SPF to
Xavi Montero wrote:
Hello.
I have SpamassAssin running but I want to change its behaviour.
Although I'm subscribed to this list from time ago, but this is my first
post (as far as I can remember). If this message is not adequate here,
please, redirect me to the correct place.
I have SpamAss
Greetings,
I was reading the ideas about combating the distributed spam attacks, and I was
wondering if some combination of a razor+distribution analysis of the IP
addresses in the header would lead to a rapid identification of potentially
infected machines.
If you think about the distributi
Rob McEwen wrote:
Steve Thomas wrote:
Once again, Perkel clutters the SpamAssassin list with a non-SpamAssassin
discussion. ...Is anyone else getting tired of this? ...have nothing to do
with SA. What's the point of having a
topical mailing list if nobody cares that the discussion is off-topi
Marc Perkel wrote:
Well - if you don't like me then why don't you write a filter rule to
delete message coming from me? I'm not going away so get used to it. If
my threads weren't so damn interesting it wouldn't generate so much
interest.
I think that your personal attack is not appropriate f
Is it possible to "whitelist_from" or "blacklist_from" an IP address?
Instead of a domain name or e-mail address.
Thanks in advance,
Robert
Peace he would say instead of goodbyepeace my brother.
> -Original Message-
> From: Michael Scheidell [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 12, 2006 1:29 AM
> To: לאון קולצ'ינסקי; users@spamassassin.apache.org
> Subject: RE: backup for bayesian DB
>
>
>
> > -Original Message-
> > From: Leon Kolchinsky [mailto:[EMAIL P
Marc Perkel wrote:
Well - if you don't like me then why don't you write a filter rule to
delete message coming from me? I'm not going away so get used to it. If
my threads weren't so damn interesting it wouldn't generate so much
interest.
I think that your personal attack is not appropriate f
Well - if you don't like me then why don't you write a filter rule to
delete message coming from me? I'm not going away so get used to it. If
my threads weren't so damn interesting it wouldn't generate so much
interest.
I think that your personal attack is not appropriate for this forum.
This
Mathias Homann wrote:
> Hi,
>
> I'm running spamassassin 3.1.7 on a redhat box that is not an endpoint mta
> but sort of an
> inbetween mta between our external MX and several internal machines.
> So, most of the mails that spamd sees on it have recipient adresses that are
> not local users,
> bu
Hi,
I have setup spamassassin with postfix and ldap. I also setup userprefs
table through mysql. :) little pat on the back thanks...
My question is this:
How can I get spamassassin to do scoring on mail messages based on words
in the body and subject fields pulling the criteria for specific words
Rob McEwen wrote:
Dhawal said:
Also "from my limited memory", a fuzzyocr like implementation existed on
antispan.imp.ch long before it was discussed on the sa-users list.
Someone can correct me if this is incorrect information.
And, like SURBL, regardless of the official origin of the idea, I
Hi,
I'm running spamassassin 3.1.7 on a redhat box that is not an endpoint mta but
sort of an
inbetween mta between our external MX and several internal machines.
So, most of the mails that spamd sees on it have recipient adresses that are
not local users,
but still valid, which leads to AWL ent
Dhawal said:
>Also "from my limited memory", a fuzzyocr like implementation existed on
>antispan.imp.ch long before it was discussed on the sa-users list.
>Someone can correct me if this is incorrect information.
And, like SURBL, regardless of the official origin of the idea, I know for a
fact t
Jeff Chan wrote:
On Tuesday, December 12, 2006, 12:29:26 AM, Rob McEwen wrote:
It is just these types of
discussions which led to things like SURBL and fuzzyOCR.
In the interests of preserving some history, SURBLs were not
created as a result of discussions here. We created SURBLs
concurrent
Jeff,
I think you somewhat misinterpreted what I said. But I understand how I one
might mistakenly get the impression that I was saying that discussions on
the SA list led to SURBL so I understand your need to clear that potential
misunderstanding up... but, to be clear, I stated:
"things **like*
Phil Barnett wrote:
On Monday 11 December 2006 16:50, JamesDR wrote:
Would you care to elaborate on why SPF doesn't work for sender
verification? Its pretty simple, doesn't get much more simple that what
SPF does... If SPF doesn't work, nothing will.
There is nothing in SPF to keep a spammer
On Tuesday, December 12, 2006, 12:29:26 AM, Rob McEwen wrote:
> It is just these types of
> discussions which led to things like SURBL and fuzzyOCR.
In the interests of preserving some history, SURBLs were not
created as a result of discussions here. We created SURBLs
concurrently with Eric Kolv
It's looking for an equal sign in the hostname/domain name, such as
http://www.foo=bar.com/blah.
Offhand I don't see what it hit in the mail you have posted there, but
something must have extracted a uri that had an equal sign in it.
There once was a version of the rule that used rawbody to che
I've got a false positive with
uri SARE_URI_EQUALS
m{^https?:?[/\\]{0,2}[^/\&?;]{1,100}=(?!(?:..)?$).*$}i
and would like to know if somebody could tell me what is looked for with
this rule, or maybe one SARE ninja could optimise it?
I've put the original e-mail into http://zmi.at
I reckon I'll just stick to a single MySQL instance given the
complexities of syncing. I can always run a nightly dump and transfer to
the backup server so I can fail over manually.
Bart...
-Original Message-
From: Nigel Frankcom [mailto:[EMAIL PROTECTED]
Sent: 10 December 2006 21:58
T
Hello.
I have SpamassAssin running but I want to change its behaviour.
Although I'm subscribed to this list from time ago, but this is my first post
(as far as I can remember). If this message is not adequate here, please,
redirect me to the correct place.
I have SpamAssassin in my Debian bo
Jeff Chan wrote:
On Sunday, December 10, 2006, 3:50:33 AM, Arthur CPTeam wrote:
Howdy,
As Matt says, SURBLs are included in the default configuration
for SA since 3.0. Be sure to have a recent Net::DNS installed
and to enable network tests with the appropriate flags:
http://www.surbl.org/
On Sunday, December 10, 2006, 3:50:33 AM, Arthur CPTeam wrote:
> Howdy,
>> As Matt says, SURBLs are included in the default configuration
>> for SA since 3.0. Be sure to have a recent Net::DNS installed
>> and to enable network tests with the appropriate flags:
>>
>> http://www.surbl.org/faq.h
Steve Thomas wrote:
> Once again, Perkel clutters the SpamAssassin list with a non-SpamAssassin
> discussion. ...Is anyone else getting tired of this? ...have nothing to do
> with SA. What's the point of having a
> topical mailing list if nobody cares that the discussion is off-topic?
Dhawal wrot
Steve Thomas wrote:
Once again, Perkel clutters the SpamAssassin list with a non-SpamAssassin
discussion. One which, IIRC, he's just rehashing from a year or so ago
(are we going to see a rehash of the "the future of email storage is sql"
thread, too?). There are FAR more appropriate forums for t
75 matches
Mail list logo