Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Daniel Lemke
For a short time we have been receiving several hundred non delivery notifications and other failure notices on one of our mailboxes. Most of them look very similar, containing Cyrillic charset and .ru addresses. Are there any special rules that are able to identify this kind of spam? As our company is sm

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Matus UHLAR - fantomas
On 30.06.10 02:02, Daniel Lemke wrote: > For a short time we receive several hundreds of non delivery notifications > and other failure notices on one of our mailboxes. > Most of them look very similar, containing Cyrillic charset and .ru > addresses. the first can be caught by using ok_locales

Re: Compile error at spamc_optC.t look like an old bug "bug5510"

2010-06-30 Thread Jari Fredriksson
On 30.6.2010 2:22, Péter Szekeres wrote: > Hello SA list, > > I try to compile SA on a Debian 5.0.5, via CPAN. (install > Mail::SpamAssassin), but it fails when running the tests. I have done > it earlier a hundred times, but now I got strange error. I have found > a similar in 2007 (bug5510) (may

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Daniel Lemke
Matus UHLAR - fantomas wrote: > > the first can be caught by using ok_locales > We are already using ok_locales, but it does not score all of the mail and if it scores, the few points at all are not enough to identify it as spam (since bayes still scores negative). I already trained bayes with

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Martin Gregorie
On Wed, 2010-06-30 at 02:02 -0700, Daniel Lemke wrote: > For a short time we receive several hundreds of non delivery notifications > and other failure notices on one of our mailboxes. > You've been joe jobbed by a spammer who forged your address as the sender of his junk and then randomly generate

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Karsten Bräckelmann
On Wed, 2010-06-30 at 04:14 -0700, Daniel Lemke wrote: > [...] I already trained bayes with hundreds > of mails, but it still doesn't recognize this ndr as spam. It is a bounce, backscatter. It is not spam. It should not be treated as such, and a lot of (spam) tests won't trigger on them. > > Fo

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Arvid Picciani
On Wed, 30 Jun 2010 02:02:51 -0700 (PDT), Daniel Lemke wrote: > Are there any special rules that are able to identify this kind of spam? It's not spam, it's misconfigured mail servers. Stupid people and malicious people are two different problems. Don't let bayes learn it as spam. We block them at
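Added example, not code from the thread or from SpamAssassin: the MTA-level decision the replies above describe, in Python with only the standard library. A bounce is recognised by the null envelope sender (Return-Path: <>) or by being an RFC 3464 delivery-status report, and is never fed to Bayes; instead the headers of the message it returns are inspected to see whether that message could have left our servers at all (joe-job backscatter returns a message we never sent). The Message-ID domain "mail.example.com", the relay names in OUR_RELAYS, the allowlisted recipient and both sample bounces are constructed for the example.

```python
import email
import re
from email import policy

# Hypothetical local facts: our MTAs stamp Message-IDs ending in this domain,
# and these are the hosts that appear after "by" in our own Received lines.
OUR_MSGID_DOMAINS = {"mail.example.com"}
OUR_RELAYS = {"mail.example.com", "mx2.example.com"}
# Recipients who asked to receive every bounce, whitelisted as in the reply above.
BOUNCE_ALLOWLIST = {"boss@example.com"}

_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def is_bounce(msg):
    """Null envelope sender, or a multipart/report DSN (RFC 3464). Subject
    matching ("Undelivered Mail Returned to Sender", ...) is a weaker signal
    and is left out on purpose."""
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    dsn = (msg.get_content_type() == "multipart/report"
           and (msg.get_param("report-type") or "").lower() == "delivery-status")
    return null_sender or dsn


def original_headers(msg):
    """Headers of the message the bounce claims we sent, or None if absent."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/rfc822-headers":            # Postfix-style DSN
            return email.message_from_string(part.get_content(), policy=policy.default)
        if ctype == "message/rfc822":                 # full original attached
            return part.get_payload(0)
    return None


def we_sent_it(orig):
    """Either our Message-ID domain or one of our relays in a Received line."""
    mid_domain = orig.get("Message-ID", "").strip("<> \t").rpartition("@")[2].lower()
    if mid_domain in OUR_MSGID_DOMAINS:
        return True
    for received in orig.get_all("Received", []):
        m = _BY_RE.search(received)
        if m and m.group(1).lower() in OUR_RELAYS:
            return True
    return False


def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    orig = original_headers(msg)
    if orig is not None and we_sent_it(orig):
        return "bounce-ours"
    return "backscatter"          # a bounce for mail that never left our relays


def action(raw, rcpt):
    """Reject backscatter at the MTA, unless the recipient wants all bounces."""
    if rcpt.lower() in BOUNCE_ALLOWLIST:
        return "accept"
    return "reject" if classify(raw) == "backscatter" else "accept"


# Constructed sample: a joe-job bounce. The returned headers show the spam was
# injected at 198.51.100.7 into mx.ru.example and never touched our relays.
BACKSCATTER = """\
Return-Path: <>
From: MAILER-DAEMON@mx.ru.example (Mail Delivery System)
To: sales@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.ru.example

Final-Recipient: rfc822; user@ru.example
Action: failed
Status: 5.1.1
--b1
Content-Type: text/rfc822-headers

Received: from [198.51.100.7] (unknown [198.51.100.7]) by mx.ru.example (Postfix)
From: sales@example.com
To: user@ru.example
Subject: =?koi8-r?B?5sXk?=
Message-ID: <20100630.1234@198.51.100.7>
--b1--
"""

# Constructed sample: a real bounce for mail our own relay sent, with the
# original attached as message/rfc822 instead of text/rfc822-headers.
LEGIT_BOUNCE = BACKSCATTER.replace(
    "Content-Type: text/rfc822-headers", "Content-Type: message/rfc822"
).replace(
    "Received: from [198.51.100.7] (unknown [198.51.100.7]) by mx.ru.example (Postfix)",
    "Received: from pc12.example.com (pc12.example.com [10.0.0.12]) by mail.example.com (Postfix)",
).replace(
    "Message-ID: <20100630.1234@198.51.100.7>",
    "Message-ID: <4C2B1F2E.5040108@mail.example.com>\n\nQuote attached.",
)

# Constructed sample: ordinary mail with a non-null sender.
NORMAL = "Return-Path: <user@ru.example>\nFrom: user@ru.example\nTo: sales@example.com\nSubject: Re: quote\n\nThanks.\n"
```

The Message-ID check is the same idea as the Postfix header_checks approach to backscatter; it only works if your outbound MTA stamps Message-IDs consistently, so keep the Received check as well.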

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Daniel Lemke
Karsten Bräckelmann-2 wrote: > > It is a bounce, backscatter. It is not spam. It should not be treated as > such, and a lot of (spam) tests won't trigger on them. > Some definitions of spam include backscatter/bounce as well... but you're right, they shouldn't. > Have you tried it? Configure

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread John Hardin
On Wed, 30 Jun 2010, Daniel Lemke wrote: For a short time we receive several hundreds of non delivery notifications and other failure notices on one of our mailboxes. Publishing SPF records for your domain may reduce this. Spammers _appear_ to avoid forging sender addresses from domains that

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Daniel Lemke
Arvid Picciani wrote: > > We block them at MTA level using subject matching and > http://www.backscatterer.org/ > Although we block _all_ NDAs, and only whitelist some that are > explicitly requested by $boss. May or may not suit your needs. > I'll have a look into this, thanks for the hint. D

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Daniel Lemke
John Hardin wrote: > > Publishing SPF records for your domain may reduce this. Spammers _appear_ > to avoid forging sender addresses from domains that publish SPF > information. > We do have a valid SPF record: Found v=spf1 record for jam-software.com: v=spf1 a mx mx ip4:212.18.213.197 ip4:

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread RW
On Wed, 30 Jun 2010 06:19:45 -0700 (PDT) Daniel Lemke wrote: > > > Arvid Picciani wrote: > > > > We block them at MTA level using subject matching and > > http://www.backscatterer.org/ > > Although we block _all_ NDAs, and only whitelist some that are > > explicitly requested by $boss. May or

Re: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread corpus.defero
On Wed, 2010-06-30 at 02:02 -0700, Daniel Lemke wrote: > For a short time we receive several hundreds of non delivery notifications > and other failure notices on one of our mailboxes. > Most of them look very similar, containing Cyrillic charset and .ru > addresses. > Are there any special rules t

How not to implement SPF (nationwide.co.uk)

2010-06-30 Thread Ned Slider
I was a little bit surprised to see a phishing email today from nationwide.co.uk that passed SPF! So, upon further investigation we see: $ dig txt nationwide.co.uk ;; ANSWER SECTION: nationwide.co.uk. 5648 IN TXT "v=spf1 mx a:mailhost.nationet.com a:mailhost2.nationet.com in

Re: blizzard (and others) faux messages

2010-06-30 Thread LuKreme
On 29-Jun-2010, at 15:26, Kenneth Porter wrote: > --On Tuesday, June 29, 2010 2:37 PM -0700 John Hardin > wrote: > >>> So it sounds like they're not sending everything through the same >>> system. Time to post a report about that in one of their game forums. >>> (Which one? Suggestions? Bug Rep

RE: Is there a way to block "invalid" non delivery notifications?

2010-06-30 Thread Kevin Miller
Daniel Lemke wrote: > For a short time we receive several hundreds of non delivery > notifications and other failure notices on one of our mailboxes. > Most of them look very similar, containing Cyrillic charset and .ru > addresses. > Are there any special rules that are able to identify this kin

Re: How not to implement SPF (nationwide.co.uk)

2010-06-30 Thread Kelson
On 6/30/2010 8:37 AM, Ned Slider wrote: My solution is to just filter ALL mail from bank or bank-like domains. The vast majority are phishing anyway with only a few marketing emails (often not from a bank domain) or "your online statement is ready" notifications that I'm sure users can do without

Re: How not to implement SPF (nationwide.co.uk)

2010-06-30 Thread Ned Slider
On 30/06/10 19:51, Kelson wrote: On 6/30/2010 8:37 AM, Ned Slider wrote: My solution is to just filter ALL mail from bank or bank-like domains. The vast majority are phishing anyway with only a few marketing emails (often not from a bank domain) or "your online statement is ready" notifications

Re: How not to implement SPF (nationwide.co.uk)

2010-06-30 Thread Michael Scheidell
On 6/30/10 3:19 PM, Ned Slider wrote: ;; ANSWER SECTION: email.barclays.co.uk. 3473 IN TXT "spf2.0/pra ip4:207.251.70.64/29 ip4:207.251.97.252/31 ip4:63.146.96.192/30 ip4:63.146.96.196/31 ip4:207.251.96.0/24 ip4:65.125." "54.0/24 ip4:66.165.100.120/29 ip4:208.49.63.128/28 ip4:63.

Re: How not to implement SPF (nationwide.co.uk)

2010-06-30 Thread jdow
From: "Ned Slider" Sent: Wednesday, 2010/June/30 08:37 I was a little bit surprised to see a phishing email today from nationwide.co.uk that passed SPF! So, upon further investigation we see: $ dig txt nationwide.co.uk ;; ANSWER SECTION: nationwide.co.uk. 5648 IN TXT "v=s

Re: How not to implement SPF (nationwide.co.uk)

2010-06-30 Thread RW
On Wed, 30 Jun 2010 20:19:43 +0100 Ned Slider wrote: > so they have no SPF policy? Wrong, they do, but it's on their > email.barclays.co.uk subdomain as presumably that's the domain they > send mail from - but how are you supposed to know that if they don't > tell you? I suppose they are being

good way to score spoofed emails.

2010-06-30 Thread Michael Scheidell
Without using the MTA, I just want to mark them high enough. Looking to block emails from @secnap.net to @secnap.net where it's an external email and SPF doesn't match. Was thinking of some header rules that look for EnvelopeFrom and From:addr, and ALL_TRUSTED. (Internal senders might
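Added example, not code from the thread or from SpamAssassin, covering both this post and the SPF discussion earlier in the day (the jam-software.com, nationwide.co.uk and email.barclays.co.uk records quoted there are truncated in the archive, so the zone data below is constructed). It is a small RFC 4408 check_host() for the mechanisms those records use (a, mx, ip4, include, all) against a dictionary standing in for DNS, plus the rule described above: From: in our domain, not from our trusted network, SPF does not pass, therefore spoofed. One caveat it encodes: a TXT record starting "spf2.0/pra" is a Sender ID record, not SPF, and an SPF checker ignores it, so a domain that publishes only that has no SPF policy. The secnap.net zone, the trusted networks and the include target are invented for the example.

```python
import ipaddress

# Constructed stand-in for DNS; real code resolves these.
ZONE = {
    ("secnap.net", "TXT"): ["v=spf1 a mx ip4:192.0.2.0/28 include:_spf.mailer.example -all"],
    ("secnap.net", "A"): ["192.0.2.10"],
    ("secnap.net", "MX"): ["mx1.secnap.net", "mx2.secnap.net"],
    ("mx1.secnap.net", "A"): ["192.0.2.20"],
    ("mx2.secnap.net", "A"): ["192.0.2.21"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # Sender ID only: not an SPF record, so SPF evaluation yields "none".
    ("bank.example", "TXT"): ["spf2.0/pra ip4:198.51.100.0/24 -all"],
}
OUR_DOMAIN = "secnap.net"
# Hypothetical internal ranges; mail relayed only through these is ALL_TRUSTED.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])


def spf_record(domain):
    """The single TXT record whose first token is v=spf1; anything else
    (spf2.0/pra, DKIM, verification tokens) is not SPF."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(None, 1)[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """RFC 4408 check_host() for a, mx, ip4, include and all. Prefix lengths
    on a/mx, exists, ptr and exp are not implemented and give permerror."""
    ip = ipaddress.ip_address(ip)
    if depth > 10:
        return "permerror"                  # include recursion limit
    rec = spf_record(domain)
    if rec is None:
        return "none"
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX") for a in lookup(mx, "A"))
        elif mech == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"          # missing include target is an error
            matched = sub == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # no term matched, no trailing all


def classify_message(from_addr, envelope_from, client_ip):
    """The rule from the post: From: in our domain, delivered from outside the
    trusted network, and SPF does not pass for our domain means spoofed.
    SPF vouches for the envelope sender only, so the envelope domain must be
    ours as well; a third-party envelope with our From: is still flagged."""
    ip = ipaddress.ip_address(client_ip)
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != OUR_DOMAIN:
        return "not-our-domain"
    if any(ip in net for net in TRUSTED_NETWORKS):
        return "internal"                   # the ALL_TRUSTED case
    spf_domain = (envelope_from or from_addr).rpartition("@")[2].lower()
    if spf_domain == from_domain and check_host(client_ip, spf_domain) == "pass":
        return "authorized"
    return "spoofed"
```

In SpamAssassin terms, "internal" is ALL_TRUSTED, "authorized" is SPF_PASS with a matching From: domain, and "spoofed" is what the header rules in the post would score; the include: branch also shows why an overly broad include widens who can pass your SPF check.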