Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Karsten Bräckelmann
On Sat, 2009-06-06 at 13:32 -0700, Rich Shepard wrote: > On Sat, 6 Jun 2009, Karsten Bräckelmann wrote: > > > This is a third-party plugin, deliberately installed by you. Given the previous thread I was actually wondering about the phrasing. Anyway, make that "any admin, or previous admin". >

Re: FCrDNS and localhost

2009-06-06 Thread Adam Katz
mouss wrote: > $ host localhost 127.0.0.1 > localhost.netoyen.net has address 127.0.0.1 You forgot the trailing dot, so it tacked your own domain onto the end of that. I believe "localhost.$domain" is not required by any specs and is non-standard. ... That's okay, I'll just assume your DNS ser

Re: FCrDNS and localhost

2009-06-06 Thread Matus UHLAR - fantomas
> On Thu, Jun 4, 2009 at 16:32, Adam Katz wrote: > > I think FCrDNS stands for "Forward-confirmed reverse DNS" as noted at > > http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS   :-) On 06.06.09 13:39, John Rudd wrote: > Every place I've seen it talked about, including past discussion on

spamd dies - please help

2009-06-06 Thread Claudia Burman
Hi, I am trying to setup a new mail server. With postfix - dovecot ldap - spamd. All virtual users. Over Centos 5.3 64 bits. Spamassassin version is 3.2.5 installed with yum. This is the line in postfix's master.cf dovecot unix - n n - 30 pipe flags=DRhu user=vmail argv=/usr/bin/spamc -s 204800 -

Re: FCrDNS and localhost

2009-06-06 Thread Matus UHLAR - fantomas
> Matus UHLAR - fantomas wrote: > > Actually, I think this is not good. "localhost." should resolve, but > > putting localhost to other domains even with 127.0.0.1 address is > > something that should be imho avoided ;) On 06.06.09 20:39, mouss wrote: > why? if it's because of xss and the like,

Re: FCrDNS and localhost

2009-06-06 Thread Adam Katz
John Rudd wrote: >> I think FCrDNS stands for "Forward-confirmed reverse DNS" as noted at >> http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS :-) > > Every place I've seen it talked about, including past discussion on > this list, calls it Full Circle, not Forward Confirmed. Based on

Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread John Rudd
On Sat, Jun 6, 2009 at 13:38, Rich Shepard wrote: > On Sat, 6 Jun 2009, John Rudd wrote: > >> The thing to do to fix messages from given locations is lean, >> heavily, upon the sender to get their sending environment fixed.  What >> botnet finds are sites with bad DNS (no full circle reverse

Re: FCrDNS and localhost

2009-06-06 Thread John Rudd
On Thu, Jun 4, 2009 at 16:32, Adam Katz wrote: > John Rudd wrote: >> That seems to be an important distinction for >> strict/rigorous/theoretical discussions of "what is full circle >> reverse DNS", and things along those lines... but I'm not sure if >> it really is an important distinction for the

Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Rich Shepard
On Sat, 6 Jun 2009, John Rudd wrote: The thing to do to fix messages from given locations is lean, heavily, upon the sender to get their sending environment fixed. What botnet finds are sites with bad DNS (no full circle reverse DNS), or sending hosts that look like clients instead of loo

Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Rich Shepard
On Sat, 6 Jun 2009, Karsten Bräckelmann wrote: This is a third-party plugin, deliberately installed by you. Actually, it was most likely installed with the SA upgrade because I've not made any modifications or tuning to the system. I figure that those who set up defaults know much more than

Re: check message body/subject for spam?

2009-06-06 Thread Charles Gregory
On Sat, 6 Jun 2009, Don Ireland wrote: P.S. What I'm looking to do is check it for spam BEFORE sending the message. I find that this kind of 'form spam' is best handled by a couple of simple 'tricks' within the form and the cgi that processes it: 1) Include a 'hidden' field (using the st

Re: FCrDNS and localhost

2009-06-06 Thread mouss
Matus UHLAR - fantomas wrote: > On 05.06.09 23:55, mouss wrote: >> localhost.netoyen.net has address 127.0.0.1 > oh, I didn't even realize it was the .$domain" one! old habit to avoid nslookup barking and then lusers asking what's the problem... > Actually, I think this is not good. "localho

Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread John Rudd
Different people run botnet at different score levels, depending on what they want the rule to do. The default is 5 because 5 is the common point where people set messages aside for review (remove them from their regular mail stream). That's what botnet is saying about such messages: this message

Re: Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Karsten Bräckelmann
On Sat, 2009-06-06 at 10:48 -0700, Rich Shepard wrote: > Now that the EMPTY_BODY and mis-identified spam issues have been resolved > I've countered a new one creating false positives: the rule (in > /etc/mail/spamassassin/Botnet.cf is: This is a third-party plugin, deliberately installed by you.

Re: New Spam Mails plz suggest

2009-06-06 Thread Benny Pedersen
On Sat, June 6, 2009 11:55, chauhananshul wrote: > How can i make spamassassin catch these mails. you can do this better in your mta 2 ways to solve it: 1 use postfwd with a rule that check sender equal to recipient 2 add spf to your domain, and test spf in your mta 3 take a ice :) -- htt

Next Rule Causing False Positives: BOTNET

2009-06-06 Thread Rich Shepard
Now that the EMPTY_BODY and mis-identified spam issues have been resolved I've countered a new one creating false positives: the rule (in /etc/mail/spamassassin/Botnet.cf is: describe BOTNET Relay might be a spambot or virusbot header BOTNET eva

Re: FCrDNS and localhost

2009-06-06 Thread Matus UHLAR - fantomas
> Matus UHLAR - fantomas wrote: > > Actually, I think this is not good. "localhost." should resolve, but > > putting localhost to other domains even with 127.0.0.1 address is > > something that should be imho avoided ;) On 06.06.09 11:28, Bob Proulx wrote: > I think it is okay and normal to have l

Re: FCrDNS and localhost

2009-06-06 Thread Bob Proulx
Matus UHLAR - fantomas wrote: > Actually, I think this is not good. "localhost." should resolve, but > putting localhost to other domains even with 127.0.0.1 address is > something that should be imho avoided ;) I think it is okay and normal to have localhost.$mydomain resolve to 127.0.0.1. But t

Re: FCrDNS and localhost

2009-06-06 Thread Matus UHLAR - fantomas
On 05.06.09 23:55, mouss wrote: > localhost.netoyen.net has address 127.0.0.1 Actually, I think this is not good. "localhost." should resolve, but putting localhost to other domains even with 127.0.0.1 address is something that should be imho avoided ;) -- Matus UHLAR - fantomas, uh...@fantomas.

Re: check message body/subject for spam?

2009-06-06 Thread John Hardin
On Sat, 6 Jun 2009, Don Ireland wrote: If I write the message/subject to a file (so that it looks like a message without most of the headers), can I run it through SA and make sure that it's not spam? Certainly. Figuring out the headers shouldn't be too difficult, and you will probably want

Re: New Spam Mails plz suggest

2009-06-06 Thread Jari Fredriksson
> Below is the mail header for one of the mail in which to > & from id id same > > From u...@mydomain.com Sat Jun 6 12:41:57 2009 > Return-Path: u...@mydomain.com mydomain.com really exists, and it is not advisable to mask one's real domain behind it. Use example.com, that is what it is fo

Re: New slew of spams

2009-06-06 Thread RW
On Fri, 05 Jun 2009 14:05:40 -0400 Rob McEwen wrote: > An occasional legit e-mail will have RDNS_NONE, and an occasional > legit e-mail will have RCVD_IN_PBL. But even extreme fewer legit > emails will have hits on BOTH of these. So I'd suggest scoring the > combination of the two either just a

Re: New Spam Mails plz suggest

2009-06-06 Thread Robert Schetterer
Anshul Chauhan wrote: > Below is the mail header for one of the mail in which to & from id id same > > From u...@mydomain.com Sat Jun 6 12:41:57 2009 > Return-Path: mailto:u...@mydomain.com>> > X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on > mailse

Re: check message body/subject for spam?

2009-06-06 Thread Don Ireland
P.S. What I'm looking to do is check it for spam BEFORE sending the message. Thx! Don Ireland Don Ireland wrote: Hi everyone. I have a contact form that allows visitors to send messages to me. Some nimnod is using it to send me ads wanting me to use his "Search Engine Optimization" ser

check message body/subject for spam?

2009-06-06 Thread Don Ireland
Hi everyone. I have a contact form that allows visitors to send messages to me. Some nimnod is using it to send me ads wanting me to use his "Search Engine Optimization" service. Because the form sends messages as though it is ME, the mail server doesn't check messages received from my form

Re: New Spam Mails plz suggest

2009-06-06 Thread Anshul Chauhan
Below is the mail header for one of the mail in which to & from id id same >From u...@mydomain.com Sat Jun 6 12:41:57 2009 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on mailserver1.mydomain.com X-Spam-Level: X-Spam-Status: No, score=4.4 required=5.0

Re: New Spam Mails plz suggest

2009-06-06 Thread ram
On Sat, 2009-06-06 at 02:55 -0700, chauhananshul wrote: > I'm getting a lot of mails daily in which to & from addresses are same & > spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf > CentOS4.7 with sendmail. I've increased the score to 4 from default 5 but > still it's n

New Spam Mails plz suggest

2009-06-06 Thread chauhananshul
I'm getting a lot of mails daily in which to & from addresses are same & spamassassin is not able to stop them. I'm using spamassassin-3.2.5-1.el4.rf CentOS4.7 with sendmail. I've increased the score to 4 from default 5 but still it's not catching them. How can i make spamassassin catch these mails

Re: FCrDNS and localhost

2009-06-06 Thread Bob Proulx
mouss wrote: > Adam Katz wrote: > > Actually, localhost doesn't resolve via DNS; > > I don't know where you're taking this from: > > $ host localhost 127.0.0.1 > Using domain server: > Name: 127.0.0.1 > Address: 127.0.0.1#53 > Aliases: > > localhost.netoyen.net has address 127.0.0.1 Although