RE: How to find where email server has been blacklisted

2010-03-08 Thread Stanier, Alan M
That would be a very useful site, except that it shows the results as colour-coded icons, and I see the listed and not-listed icons as identical. -Original Message- From: Mikael Syska [mailto:mik...@syska.dk] Sent: 08 March 2010 01:56 To: users@spamassassin.apache.org Subject: Re: How to

Scanning HUGE emails - "headers only" scan

2010-03-08 Thread Andrzej Adam Filip
Do you think it would make sense to introduce options for scanning "headers only" in big messages? I have received recently a new (small) wave of big spams. -- [pl>en: Andrew] Andrzej Adam Filip : a...@onet.eu There is nothing new except what has been forgotten. -- Marie Antoinette

Re: How to find where email server has been blacklisted

2010-03-08 Thread Mikael Syska
Hi, Then something is broken at your end ... I see 4 icons ... timeout, listed, non-listed and offline. Or am I missing your point here ? mvh On Mon, Mar 8, 2010 at 9:02 AM, Stanier, Alan M wrote: > That would be a very useful site, except that it shows the results as > colour-coded icons,

Re: How to find where email server has been blacklisted

2010-03-08 Thread Mike Cardwell
On 08/03/2010 00:24, Rops wrote: I'm trying to figure out why some emails get lost, which most likely is due to emails killed by ISP spam filter due to high spam score these lost email have. How to find out if some mail server is blacklisted and where? Is there any central database for queries

Re: How to find where email server has been blacklisted

2010-03-08 Thread Yet Another Ninja
On 2010-03-08 1:24, Rops wrote: Hello I'm trying to figure out why some emails get lost, which most likely is due to emails killed by ISP spam filter due to high spam score these lost email have. How to find out if some mail server is blacklisted and where? Is there any central database for que

Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Dhaval Soni
Dear All, I want to use zen.spamhous.org for spam check. So we need to do entry in spam.lists.conf file. But do we need to mention score for it? If yes, where to do it? Thanks in advance, -- Kind regards, Dhaval Soni Red Hat Certified Architect RHCE No: 804007900325939 Cell: +91-966 20 29 620

Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Yet Another Ninja
On 2010-03-08 12:29, Dhaval Soni wrote: Dear All, I want to use zen.spamhous.org for spam check. So we need to do entry in spam.lists.conf file. But do we need to mention score for it? If yes, where to do it? spam.lists.conf is not part of Spamassassin (sounds like MailScanner) Pls see: http:

Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Karsten Bräckelmann
On Mon, 2010-03-08 at 16:59 +0530, Dhaval Soni wrote: > Dear All, > > I want to use zen.spamhous.org for spam check. So we need to do entry SA ships with Spamhaus ZEN enabled by default. > in spam.lists.conf file. But do we need to mention score for it? If > yes, where to do it? That's not a SA

Re: How to find where email server has been blacklisted

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 10:51 +0100, Mikael Syska wrote: > Hi, > > Then something is broken at your end ... > > I see 4 icons ... timeout, listed, non-listed and offline. > > Or am I missing your point here ? *HINT* Are you colour blind or normal sighted?

Fw: spam filter using spamassassin mails

2010-03-08 Thread nehaya Mohammad
--- On Mon, 3/8/10, nehaya Mohammad wrote: From: nehaya Mohammad Subject: spam filter using spamassassin mails To: mailus...@spamassassin.apache.org Date: Monday, March 8, 2010, 10:23 AM Dear sir, I hope you are doing fine. I'm a graduate student at University of Jordan and I'm doing

Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Kai Schaetzl
Dhaval Soni wrote on Mon, 8 Mar 2010 16:59:20 +0530: > Dhaval Soni From this and your other message on this list I gather that you didn't read any documentation. So, please go and read documentation. There are also many tutorials on the web on using SA. I also deduce from "spam.lists.conf" tha

Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Brian
Is zen.spamhous.org new? Personally I'd check your spelling ;-)

Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Mike Cardwell
On 08/03/2010 12:34, Brian wrote: Is zen.spamhous.org new? Personally I'd check your spelling ;-) m...@haven:~$ host 1.0.0.127.zen.spamhous.org 1.0.0.127.zen.spamhous.org A 208.73.210.27 m...@haven:~$ host 1.2.3.4.zen.spamhous.org 1.2.3.4.zen.spamhous.org A 208.73.210.2

Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 12:41 +, Mike Cardwell wrote: > On 08/03/2010 12:34, Brian wrote: > > > Is zen.spamhous.org new? Personally I'd check your spelling ;-) > > m...@haven:~$ host 1.0.0.127.zen.spamhous.org > 1.0.0.127.zen.spamhous.org A 208.73.210.27 > m...@haven:~$ host 1.2.3.4.

Re: How to find where email server has been blacklisted

2010-03-08 Thread Mikael Syska
Hi On Mon, Mar 8, 2010 at 11:01 AM, Brian wrote: > On Mon, 2010-03-08 at 10:51 +0100, Mikael Syska wrote: >> Hi, >> >> Then something is broken at your end ... >> >> I see 4 icons ... timeout, listed, non-listed  and offline. >> >> Or am I missing your point here ? > > *HINT* Are you colour blind

Re: How to find where email server has been blacklisted

2010-03-08 Thread Bowie Bailey
Rops wrote: > How to find out if some mail server is blacklisted and where? > Is there any central database for queries from all different blacklists? > Also IP based search is required and data when and why. > I've been using this one: http://www.mxtoolbox.com/blacklists.aspx I'm not sure wh

Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread Ned Slider
Adam Katz wrote: On 15-May-2009, at 12:46, Adam Katz wrote: uri URI_HIDDEN /.{7}\/\../ LuKreme wrote: That won't catch http://www.spammer.example.com/.../hidden-malware.asf, it will only catch the relative url form "../path/to/content" which SA improperly prefaces with "http://"; uri URI_HID

Re: SA 3.3.0 depends on Perl 5.10 (FreeBSD Ports)???

2010-03-08 Thread Royce Williams
On Sun, Mar 7, 2010 at 10:26 PM, LuKreme wrote: > On 7-Mar-2010, at 10:08, LuKreme wrote: > On 7-Mar-2010, at 08:31, Royce Williams wrote: >> >>> Semi-OT, but portsnap(8) makes fetching the ports indexes no longer >>> necessary. > >> I'd never heard of it, but am reading the man page now. Sounds g

Re: Zen.spamhous.org score for spam assassin...

2010-03-08 Thread Darxus
This is slightly confusing. SA does use zen by default, but zen is an aggregate blacklist, and the tests are broken up into its pieces: RCVD_IN_PBL RCVD_IN_XBL RCVD_IN_SBL On 03/08, Dhaval Soni wrote: >Dear All, > >I want to use [1]zen.spamhous.org for spam check. So we need to do entry

Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Michael Scheidell
just a heads up: I don't know if there is a problem with SA milter, but there is a snort signature for it now. Original Message Subject: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt Date: Mon, 8 Mar 2010 13:03:52 + From:

rules

2010-03-08 Thread Renata Dias
Some messages receive score 0.00/0.00 and other receive the correct score like the example below. 2010-03-08 16:30:42.038813500 simscan:[63157]:SPAM REJECT (20.90/6.00):215.7090s:[SPAM] Catch the moment poltronieri! 85% Fire Sale:84.224.133.193:poltroni...@provale.com.br:poltroni...@provale.com.b

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote: > just a heads up: I don't know if there is a problem with SA milter, but > there is a snort signature for it now. > > > Original Message > Subject: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote > Arbit

Spanish/Brazilian/Mexican spam

2010-03-08 Thread Charles Gregory
Hello! I think I asked about this once before. I keep getting foreign language spams with no obvious (to me) indicators that I could test for Can anyone take a look at this crud and see a header or flag/type that I could score in SA? http://pastebin.com/3gGiaZVK (Note: post is set to exp

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider
Brian wrote: On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote: just a heads up: I don't know if there is a problem with SA milter, but there is a snort signature for it now. Original Message Subject: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitra

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider
Ned Slider wrote: Brian wrote: The key is this: "If spamass-milter is run with the expand flag (-x option) it runs a popen() including the attacker supplied recipient (RCPT TO)." POC IS $ nc localhost 25 220 ownthabox ESMTP Postfix (Ubuntu) mail from: me () me com 250 2.1.0 Ok rcpt to: root+

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 20:16 +, Ned Slider wrote: > Brian wrote: > > On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote: > >> just a heads up: I don't know if there is a problem with SA milter, but > >> there is a snort signature for it now. > >> > >> > >> Original Message ---

Re: Spanish/Brazilian/Mexican spam

2010-03-08 Thread Martin Gregorie
On Mon, 2010-03-08 at 14:56 -0500, Charles Gregory wrote: > Can anyone take a look at this crud and see a header or flag/type that I > could score in SA? > I can't see anything immediately apart from the rather wackamoleish track of scoring the hidden URL in the body. If this trick: http://www.s

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
> That's Postfix 2.3.3 on RHEL5 BTW :-) > > $ rpm -q postfix > postfix-2.3.3-2.1.el5_2.x86_64 > Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP time without using a the milter or something hideous like Amavis-crashalot? Perhaps if they added some features to that old dinosa

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider
Brian wrote: On Mon, 2010-03-08 at 20:16 +, Ned Slider wrote: Brian wrote: On Mon, 2010-03-08 at 14:08 -0500, Michael Scheidell wrote: just a heads up: I don't know if there is a problem with SA milter, but there is a snort signature for it now. Original Message Subje

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider
Brian wrote: That's Postfix 2.3.3 on RHEL5 BTW :-) $ rpm -q postfix postfix-2.3.3-2.1.el5_2.x86_64 Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP time without using a the milter or something hideous like Amavis-crashalot? Perhaps if they added some features to that old

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Ned Slider
Ned Slider wrote: Brian wrote: That's Postfix 2.3.3 on RHEL5 BTW :-) $ rpm -q postfix postfix-2.3.3-2.1.el5_2.x86_64 Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP time without using a the milter or something hideous like Amavis-crashalot? Perhaps if they added some fe

Re: Spanish/Brazilian/Mexican spam

2010-03-08 Thread Bowie Bailey
Martin Gregorie wrote: > On Mon, 2010-03-08 at 14:56 -0500, Charles Gregory wrote: > >> Can anyone take a look at this crud and see a header or flag/type that I >> could score in SA? >> >> > I can't see anything immediately apart from the rather wackamoleish > track of scoring the hidden U

Re: Spanish/Brazilian/Mexican spam

2010-03-08 Thread Martin Gregorie
On Mon, 2010-03-08 at 15:49 -0500, Bowie Bailey wrote: > Martin Gregorie wrote: > > On Mon, 2010-03-08 at 14:56 -0500, Charles Gregory wrote: > > > >> Can anyone take a look at this crud and see a header or flag/type that I > >> could score in SA? > >> > >> > > I can't see anything immedia

Re: rules

2010-03-08 Thread Jari Fredriksson
On 8.3.2010 21:33, Renata Dias wrote: > > Some messages receive score 0.00/0.00 and other receive the correct > score like the example below. > ... > I'm updated SpamAssassin to p5-Mail-SpamAssassin-3.3.0_3 and rules are > /var/db/spamassassin/3.003000/ . > > Can someone help me? > You show

Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread John Hardin
On Mon, 8 Mar 2010, Ned Slider wrote: Adam Katz wrote: > > On 15-May-2009, at 12:46, Adam Katz wrote: > > > uri URI_HIDDEN /.{7}\/\../ LuKreme wrote: > > That won't catch > > http://www.spammer.example.com/.../hidden-malware.asf, it will only > > catch the relative url form "../path/to/c

Re: rules

2010-03-08 Thread Kai Schaetzl
Renata Dias wrote on Mon, 8 Mar 2010 16:33:15 -0300: > Some messages receive score 0.00/0.00 and other receive the correct score > like the example below. First: there's no evidence that these messages *should* score anything. Save them to a file and pipe them thru SA to see what they should sco

Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread Ned Slider
John Hardin wrote: On Mon, 8 Mar 2010, Ned Slider wrote: So I've refined the rule to specifically exclude hitting on the sequence ../. which stops the rule triggering on multiple relative paths. uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../ How about: uri LOC

Re: Hidden Dir in URI (Was: FreeMail plugin updated - banks)

2010-03-08 Thread John Hardin
On Mon, 8 Mar 2010, Ned Slider wrote: John Hardin wrote: On Mon, 8 Mar 2010, Ned Slider wrote: > > So I've refined the rule to specifically exclude hitting on the sequence > ../. which stops the rule triggering on multiple relative paths. > > uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.

Re: Fwd: [Emerging-Sigs] SIG: SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2010-03-08 Thread Brian
On Mon, 2010-03-08 at 20:44 +, Ned Slider wrote: > Brian wrote: > >> That's Postfix 2.3.3 on RHEL5 BTW :-) > >> > >> $ rpm -q postfix > >> postfix-2.3.3-2.1.el5_2.x86_64 > >> > > Tell me Ned, how do you get Postfix (2.3.3 on RHEL5) to reject at SMTP > > time without using a the milter or someth