- John Hardin jhar...@impsec.org wrote:
On Wed, 2009-08-12 at 16:20 -0700, Ted Mittelstaedt wrote:
Maybe this will sound dumb but wouldn't it be perfectly
safe to blacklist example.com after all, that isn't a
domain you're ever going to get mail from.
Ted
That is there because
On 12.08.09 11:32, Luis Daniel Lucio Quiroz wrote:
Talking about bayes trying,
I did set up bayes/SQL and I see all tokens in my db.
However I don't know if my db has reached the minimum 200 tokens to let bayes
testing work. Is there a SQL query to know this number?
sa-learn --dumpdb should
On Thu, 13 Aug 2009 09:09:59 +0200, Matus UHLAR - fantomas
uh...@fantomas.sk wrote:
However I don't know if my db has reached the minimum 200 tokens to let
bayes testing work. Is there a SQL query to know this number?
sa-learn --dumpdb should do that if you have correct parameters for the
DB...
On Wed, 2009-08-12 at 20:36 -0600, LuKreme wrote:
I find my users almost never look at the SPAM
mailbox
On 13.08.09 06:30, rich...@buzzhost.co.uk wrote:
There is an easy fix for that - take that facility away :-)
do you mean, take away spam filtering or the possibility to look at false
My ruleset contains lines like this:
ifplugin Mail::Spamassassin::Plugin::DKIM
whitelist_from_dkim *...@example.com
endif
I see DKIM_VERIFIED hit in mails from example.com, but the whitelisting
doesn't happen for some reason. What am I doing wrong?
/Per Jessen, Zürich
On Thu, 13 Aug 2009 10:41:51 +0200, Per Jessen p...@computer.org wrote:
My ruleset contains lines like this:
ifplugin Mail::Spamassassin::Plugin::DKIM
whitelist_from_dkim *...@example.com
endif
i would use def_whitelist_from_dkim with wildcard user, just me, but imho
better
in other words:
LuKreme wrote:
Got quite a few emails today from users complaining about the huge
onslaught of SPAM into their mailboxes. One user in particular is used
to getting 2-5 email messages a day and logged in this morning to over
250 in the last 12 hours.
So, I investigated.
Ooops, I restarted
Benny Pedersen wrote:
I see DKIM_VERIFIED hit in mails from example.com, but the
whitelisting
doesn't happen for some reason. What am I doing wrong?
this should not happen, check spamassassin --lint
Yep, I always do before loading a new ruleset, shows no problems.
output from
Per,
I see DKIM_VERIFIED hit in mails from example.com, but the
whitelisting
doesn't happen for some reason. What am I doing wrong?
this should not happen, check spamassassin --lint
Yep, I always do before loading a new ruleset, shows no problems.
output from spamassassin 21
Mark Martinec wrote:
Per,
I see DKIM_VERIFIED hit in mails from example.com, but the
whitelisting doesn't happen for some reason. What am I doing
wrong?
this should not happen, check spamassassin --lint
Yep, I always do before loading a new ruleset, shows no problems.
output
Per,
The lint test-message presumably wouldn't cause DKIM_VERIFIED to hit
anyway, but DNS is most definitely enabled.
Please send the debug output on a real signed message run, e.g.:
spamassassin -D -t < test.msg > test.log 2>&1
Mark
On 12-Aug-2009, at 23:30, rich...@buzzhost.co.uk wrote:
On Wed, 2009-08-12 at 20:36 -0600, LuKreme wrote:
I find my users almost never look at the SPAM
mailbox
There is an easy fix for that - take that facility away :-)
I am tempted. the various SPAM folders are more than half the mail
Mark Martinec wrote:
Per,
The lint test-message presumably wouldn't cause DKIM_VERIFIED to hit
anyway, but DNS is most definitely enabled.
Please send the debug output on a real signed message run, e.g.:
spamassassin -D -t < test.msg > test.log 2>&1
Just ran a test like that -
On 12-Aug-2009, at 21:09, Ted Mittelstaedt wrote:
Furthermore, since you may want to munge more than 2 pieces
of dissimilar data in a spam, you're going to rapidly run out
of example.*. Further, example.com is only good for alpha
data munging and is useless for numeric data munging, ie:
IP
On 12-Aug-2009, at 23:40, rich...@buzzhost.co.uk wrote:
The other day I recall someone mentioning they routinely block
anything
where the mailer is MIME::Lite. I don't do this myself as any self
respecting spammer with more than a quarter of a brain cell is not
going
to make a slip like
Per Jessen wrote:
One very suspicious line is:
dkim: no wl entries match author pen...@belo-news.com, no need to
verify sigs
Despite my config:
ifplugin Mail::Spamassassin::Plugin::DKIM
whitelist_from_dkim *...@belo-news.com
endif
I've done a few more tests - AFAICT, the
Per Jessen wrote:
Per Jessen wrote:
One very suspicious line is:
dkim: no wl entries match author pen...@belo-news.com, no need to
verify sigs
Despite my config:
ifplugin Mail::Spamassassin::Plugin::DKIM
whitelist_from_dkim *...@belo-news.com
endif
I've done a few more tests -
I am starting spamd (/usr/local/etc/rc.d/sa-spamd start or spamd -d
-r /var/run/spamd.pid -c -s /var/log/spamd) and then a few seconds
later it is dying without an error.
all I get in /var/log/spamd is:
--
A ship should not ride on a single anchor,
nor life on a single hope
I am starting spamd (/usr/local/etc/rc.d/sa-spamd start or spamd -d
-r /var/run/spamd.pid -c -s /var/log/spamd) and then a few seconds
later it is dying without an error.
[Never mind, spamassassin --lint was dying with a core dump. I removed
the spear-fishing rules and all is back right
On 12-Aug-2009, at 23:30, rich...@buzzhost.co.uk wrote:
On Wed, 2009-08-12 at 20:36 -0600, LuKreme wrote:
I find my users almost never look at the SPAM
mailbox
There is an easy fix for that - take that facility away :-)
On 13.08.09 05:18, LuKreme wrote:
I am tempted. the various SPAM
On Thursday 13 August 2009 14:13:33 LuKreme wrote:
I am starting spamd (/usr/local/etc/rc.d/sa-spamd start or spamd -d
-r /var/run/spamd.pid -c -s /var/log/spamd) and then a few seconds
later it is dying without an error.
[Never mind, spamassassin --lint was dying with a core dump. I removed
Per Jessen wrote:
http://jessen.ch/files/belo-news-dkim-testmsg.output3
Notice:
# grep cond_clause.*DKIM /tmp/belo-news-dkim-testmsg.output3
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg: cond_clause_plugin_loaded: Mail::SpamAssassin::Plugin::DKIM=1
dbg:
On Wed, 12 Aug 2009, LuKreme wrote:
Is it a custom webmail interface you wrote yourself?
The front end is custom, wrapping a standard client.
Any spammer who personally visited my site would be able to hack
it in seconds (with a stolen password, of course). But any existing
canned scripts
On Thu, 13 Aug 2009, Benny Pedersen wrote:
you believe that email sent from webmail is harder to spam scan than
submitted email from remote ?
No, my statement was that I believe spammers, like the rest of us, follow
the 20/80 rule, and hack the 80 percent of vulnerabilities that require
only
On Thu, 13 Aug 2009 12:01:09 +0200, Per Jessen p...@computer.org wrote:
http://jessen.ch/files/sa-lint-debug.txt
old Mail::DKIM (0.32) (0.36 latest)
and warn on netset
Mail::Domainkeys is not needed, check that you don't load it in pre files
--
Benny Pedersen
On Aug 13, 2009, at 12:40 AM, rich...@buzzhost.co.uk wrote:
I noticed this morning that Hampshire County Council use it, and I
expect it is part of a 'solution' that many County Councils and
Government Bodies use in the UK:
X-Mailer: MIME::Lite 3.021 (F2.74; T1.21; A1.77; B3.07; Q3.07)
Date:
I was just wondering -
RCVD_NUMERIC_HELO will match helo=2xx4.2.2xx.62.fix.example.com - but
is that intentional? It's not exactly a numeric helo?
/Per Jessen, Zürich
Per Jessen wrote:
I was just wondering -
RCVD_NUMERIC_HELO will match helo=2xx4.2.2xx.62.fix.example.com -
but is that intentional? It's not exactly a numeric helo?
That should have read helo=2xx.2.2xx.62.fix.example.com.
/Per Jessen, Zürich
Per Jessen,
Per Jessen wrote:
I was just wondering -
RCVD_NUMERIC_HELO will match helo=2xx4.2.2xx.62.fix.example.com -
but is that intentional? It's not exactly a numeric helo?
That should have read helo=2xx.2.2xx.62.fix.example.com.
Bug 5878
Mark Martinec wrote:
Per Jessen,
Per Jessen wrote:
I was just wondering -
RCVD_NUMERIC_HELO will match helo=2xx4.2.2xx.62.fix.example.com -
but is that intentional? It's not exactly a numeric helo?
That should have read helo=2xx.2.2xx.62.fix.example.com.
Bug 5878
Hi,
I was looking at some kind of open-source DKIM-signing piece of code, and
fall into this site:
http://www.dkim-reputation.org/
It has nothing to do with what I'm looking for, nevertheless it seemed
interesting to me and I wanted to give it a try.
Unfortunately, the software they
Giampaolo,
I was looking at some kind of open-source DKIM-signing piece of code, and
fall into this site:
http://www.dkim-reputation.org/
It has nothing to do with what I'm looking for, nevertheless it seemed
interesting to me and I wanted to give it a try.
Unfortunately, the
On Thu, 13 Aug 2009 18:04:04 +0200, Mark Martinec
mark.martinec...@ijs.si
wrote:
Don't know how/if the project has progressed meanwhile.
If anyone is interested, I can send him the DKIMrep.pm.
i like to try it
--
Benny Pedersen
Don't know how/if the project has progressed meanwhile.
If anyone is interested, I can send him the DKIMrep.pm.
i like to try it
Sent off-list.
Mark
Good Day
I'm having problems with Spamassassin Bayes using Postgresql as Backend.
SA perfectly learns HamSpam as you can see:
bayesstore=# select count(*) from bayes_seen;
count
---
2669
Debugging output seems fine too:
spamassassin -D ~/some_allready_learned.eml Returns:
[91874] dbg:
-Original Message-
From: Mark Martinec [mailto:mark.martinec...@ijs.si]
Sent: Thursday, August 13, 2009 6:04 PM
To: users@spamassassin.apache.org
Subject: Re: DKIM-Reputation list
Giampaolo,
...omissis...
Back in April (2009) I send to Florian Sager my version of
the
I'm sure I'm not the first to see them but I hadn't seen a post here.
The pharma image spams are back after a long break:
http://pastebin.com/mb1876f6
Like the others they are fairly easily blocked but just thought I'd
pass on what I'd seen.
Chris
On Thu, 13 Aug 2009 18:13:31 +0200
Mark Martinec mark.martinec...@ijs.si wrote:
Don't know how/if the project has progressed meanwhile.
If anyone is interested, I can send him the DKIMrep.pm.
i like to try it
Sent off-list.
Mark
I'm interested too, thanks in advance
--
On 13-Aug-2009, at 06:15, Matus UHLAR - fantomas wrote:
7 days is imho not enough. IF users forget to look at it, I'd give
them at
least a month...
7 days seems to work pretty well. If users are desperate and willing
to contact an admin, the entire mailspool is duplicated and stored for
On 13-Aug-2009, at 06:43, Mark Martinec wrote:
On Thursday 13 August 2009 14:13:33 LuKreme wrote:
I am starting spamd (/usr/local/etc/rc.d/sa-spamd start or spamd -d
-r /var/run/spamd.pid -c -s /var/log/spamd) and then a few seconds
later it is dying without an error.
[Never mind,
Have noticed these errors in the log today:
warn: spf: lookup failed: Can't locate object method new_from_string
via package Mail::SPF::Mech::IP4 at /usr/local/lib/perl5/site_perl/
5.10.0/Mail/SPF/Record.pm line 225.
Googled for: Can't locate object method new_from_string via package
LuKreme,
I'm considering 3.3, and am currently trying to overcome my aversion
to things labeled 'alpha'.
Understood. It is mainly labeled as alpha because some new things are
not finished (like the new bayesbdb backend to Bayes), and it would
be nice to close some stale problem reports (almost
LuKreme wrote:
On 12-Aug-2009, at 21:09, Ted Mittelstaedt wrote:
Furthermore, since you may want to munge more than 2 pieces
of dissimilar data in a spam, you're going to rapidly run out
of example.*. Further, example.com is only good for alpha
data munging and is useless for numeric data
Tobias, Giampaolo, Bill, and others
I'm interested too, thanks in advance
I've placed it on the web page:
http://www.ijs.si/software/amavisd/DKIMrep.pm
http://www.ijs.si/software/amavisd/effectiveTLDs.pm
(the effectiveTLDs.pm is exactly the same as in the
Florian's package, the DKIMrep.pm
Tobias, Giampaolo, Bill, and others
I'm interested too, thanks in advance
I've placed it on the web page:
http://www.ijs.si/software/amavisd/DKIMrep.pm
http://www.ijs.si/software/amavisd/effectiveTLDs.pm
Aaaah! Surfing time!
...omissis... (albeit interesting)
I tested it
Charles Gregory wrote:
On Thu, 13 Aug 2009, Benny Pedersen wrote:
you believe that email sent from webmail is harder to spam scan than
submitted email from remote ?
No, my statement was that I believe spammers, like the rest of us,
follow the 20/80 rule, and hack the 80 percent of
On Thu, 13 Aug 2009 20:06:01 +0200, Mark Martinec
mark.martinec...@ijs.si
wrote:
I've placed it on the web page:
http://www.ijs.si/software/amavisd/DKIMrep.pm
http://www.ijs.si/software/amavisd/effectiveTLDs.pm
this file seems buggy, not all lines begin with a ' and others don't end
with }
Benny,
http://www.ijs.si/software/amavisd/effectiveTLDs.pm
this file seems buggy, not all lines begin with a ' and others don't end
with } but }}
hope it's just me that can't read perl :)
???
Does perl complain?
$ perl effectiveTLDs.pm
Mark
I've done really good with blocking spam up until this one...
It looks like a legitimate e-mailer from both the system perspective
and the system perspective.
When I look at my logs, the servers are reporting their domains
correctly so their mailserver looks ok when attacking to my server.
On Thu, 13 Aug 2009 21:36:28 +0200, Mark Martinec
mark.martinec...@ijs.si
wrote:
Does perl complain?
$ perl effectiveTLDs.pm
no errors
so
'bar' => {},
foo' => {},
'bar' => {},
is valid for perl ?
example in line around 2106
but perl accepts it, imho this does not mean that there is no
Benny Pedersen wrote:
On Thu, 13 Aug 2009 21:36:28 +0200, Mark Martinec
mark.martinec...@ijs.si
wrote:
Does perl complain?
$ perl effectiveTLDs.pm
no errors
so
'bar' => {},
foo' => {},
'bar' => {},
is valid for perl ?
example in line around 2106
but perl accepts it, imho this
Johnson, S wrote:
It looks like a “legitimate” e-mailer from both the system perspective
and the system perspective.
Er..? Think you meant something other than system perspective
somewhere there. g
When I look at my logs, the servers are reporting their domains
correctly so their
Johnson, S wrote:
The question is… Since everything is configured on their servers ok and
the messages don’t contain words I can really create a rule on..
This is one of the few cases where I might well create a local rule for
something short:
body BAD_SURVEYS /\bGiftCardSurveys\b/
On Thu, 13 Aug 2009 11:38:19 -0500
Chris Owen ow...@hubris.net wrote:
I'm sure I'm not the first to see them but I hadn't seen a post
here. The pharma image spams are back after a long break:
http://pastebin.com/mb1876f6
Like the others they are fairly easily blocked but just thought
It appears as though I don't understand how this is supposed to work. I
have a file in /etc/mail/spamassassin called my-whitelist.cf. In it I
have entries such as:
whitelist_from_rcvd serv...@freenet.de freenet.de
whitelist_from_rcvd harley-requ...@the-hed.net the-hed.net
In my local.cf I have:
Johnson, S wrote:
I’ve done really good with blocking spam up until this one…
It looks like a “legitimate” e-mailer from both the system perspective
and the system perspective.
When I look at my logs, the servers are reporting their domains
correctly so their mailserver looks ok when
Chris wrote:
It appears as though I don't understand how this is supposed to work. I
have a file in /etc/mail/spamassassin called my-whitelist.cf. In it I
have entries such as:
snip
whitelist_from_rcvd harley-requ...@the-hed.net the-hed.net
snip
however, a message from the 2nd
57 matches