Hi all,
I am getting the following error peppering my maillogs:
Jun 13 01:26:42 kismet spamd[24575]: spf: lookup failed: Can't locate
object method new_from_string via package Mail::SPF::v1::Record
at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SPF/Server.pm line 524.
This occurs very often,
On Wed, 12 Jun 2013 15:26:29 -0500 (CDT)
David B Funk wrote:
However this will not hit all the human engineered variants which
try to fool people into thinking that they're PayPal (EG: PayPaI)
or which have PayPal in the comment field part of the address/URL
but have a completely different
Neil,
I'm sorry but I can't disclose the logs. Fortunately 95% of them were
blocked by blacklisting or greylisting. I just wanted to know if other
people see a massive increase of spam the last weeks.
On Wed, Jun 12, 2013 at 9:31 PM, Benny Pedersen m...@junc.eu wrote:
Alex wrote on
--On Wednesday, June 12, 2013 10:12 PM -0600 Mike Brown m...@skew.org
wrote:
Martin wrote:
Do you have a MIRRORED.BY file in your spamassassin update directory? It
looks like it doesn't have the file with the mirrors in and instead is
using the file name.
If so you could copy it over from
On Jun 12, 2013, at 3:37 PM, Daniel McDonald dan.mcdon...@austinenergy.com
wrote:
I believe Paypal is DKIM signed,
Sure is. Also DMARCed and SPFed too.
;; QUESTION SECTION:
;paypal.com. IN TXT
;; ANSWER SECTION:
paypal.com. 7 IN TXT
Hi,
On Wed, Jun 12, 2013 at 2:54 PM, Daniel McDonald
dan.mcdon...@austinenergy.com wrote:
On 6/12/13 1:25 PM, Alex mysqlstud...@gmail.com wrote:
John Hardin wrote:
As was suggested earlier: greylisting?
I really don't think my users would tolerate the delay, so I've never
implemented it.
On Thu, 13 Jun 2013, Alex wrote:
John Hardin wrote:
As was suggested earlier: greylisting?
I'm thinking this is sounding like a better option. The IPs change way
too quickly for me to be able to keep up with updating a DNSBL. It's
funny -- despite all MXs having the same weight, mail03 is
Hi,
On Thu, Jun 13, 2013 at 6:53 PM, John Hardin jhar...@impsec.org wrote:
On Thu, 13 Jun 2013, Alex wrote:
I'm thinking this is sounding like a better option. The IPs change way
too quickly for me to be able to keep up with updating a DNSBL. It's
funny -- despite all MXs having the same
Lately, I've been getting hit with a LOT of this type of spam:
http://pastebin.com/HD0rNdxU
Not all of it is identical in format, but there seems to be one thing
in common: they include lots of random garbage inside either CSS or
in HTML comments. All of this gets ignored by the HTML parser
Hi,
On Wed, Jun 12, 2013 at 12:05 PM, Kris Deugau kdeu...@vianet.ca wrote:
Alex wrote:
It turned out to be a bit of local config,
Care to share the specifics? I can't think of any SA configuration that
might trigger this, TBH.
I had made some changes then ultimately overwrote it with the
Hi,
Lately, I've been getting hit with a LOT of this type of spam:
http://pastebin.com/HD0rNdxU
I think people will start by telling you to block the pw domain
From: Hoveround m...@xanti.shahphiler.pw
More in this thread:
At 7:25 PM -0400 06/13/2013, Alex wrote:
I think people will start by telling you to block the pw domain
Sure, but not all of the comment-laden spam is from the pw domain.
It comes in from .net, .com, .us, and a bunch of other places as
well. This is just the one example I happened to pick
Hi,
On Wed, Jun 12, 2013 at 3:07 PM, Benny Pedersen m...@junc.eu wrote:
Ben Johnson wrote on 2013-06-12 18:26:
Isn't this the function that Bayes is intended to serve, rather precisely?
sa-grey plugin might help, spammers change sender address and ips, so let's
track it, works well here,
In an older episode, on 2013-06-14 01:36, Amir 'CG' Caspi wrote:
(I am relatively new to SA's internal workings and don't know how to
make such a rule, however.)
For basics of writing SA rules, maybe look at
http://wiki.apache.org/spamassassin/WritingRules
Hope this helps,
wolfgang
Hi,
On Thu, Jun 13, 2013 at 7:36 PM, Amir 'CG' Caspi ceph...@3phase.com wrote:
At 7:25 PM -0400 06/13/2013, Alex wrote:
I think people will start by telling you to block the pw domain
Sure, but not all of the comment-laden spam is from the pw domain. It comes
in from .net, .com, .us, and a
At 8:04 PM -0400 06/13/2013, Alex wrote:
After looking at it more closely, it's also only hitting bayes20 for
you. Do the others also score so low? This hits bayes99 on my system.
The ones that SA doesn't catch, yes, they are typically low. I have
some that are bayes50, some bayes20, some
On 14/06/13 07:08, Neil Schwartzman wrote:
Sure is. Also DMARCed and SPFed too.
;; QUESTION SECTION:
;paypal.com. IN TXT
;; ANSWER SECTION:
paypal.com. 7 IN TXT v=spf1
include:pp._spf.paypal.com
include:3rdparty._spf.paypal.com
Hi,
After looking at it more closely, it's also only hitting bayes20 for
you. Do the others also score so low? This hits bayes99 on my system.
The ones that SA doesn't catch, yes, they are typically low. I have some
that are bayes50, some bayes20, some bayes00. Any that are bayes99 are
On Thu, 13 Jun 2013, Alex wrote:
There's anecdotal reports that spammers focus on backup MX hosts in the
hopes they are less-well-protected. You might also try changing the MX
weighting and see if that causes the spam to concentrate on a specific MX
host. That might give you a little more
comments (like, multi-KB length comments), and/or looks in the CSS for long
sequences of garbage?
http://ruleqa.spamassassin.org/20130613-r1492572-n/STYLE_GIBBERISH/detail
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk
Jason Haar wrote on 2013-06-14 02:38:
Yeah but notice ~all is not -all. ie they are saying that
legitimate
Paypal email comes from those specific sources - except when it
doesn't
if it's pass then it's paypal, if it's softfail then we are unsure is what
it means
I don't understand why ~all
.
I wonder, can a rule be created that basically looks for incredibly long
HTML comments (like, multi-KB length comments), and/or looks in the CSS for
long sequences of garbage?
http://ruleqa.spamassassin.org/20130613-r1492572-n/STYLE_GIBBERISH/detail
John, I've just tried with your latest
Alex wrote on 2013-06-14 00:42:
I'm thinking this is sounding like a better option. The IPs change
way
too quickly for me to be able to keep up with updating a DNSBL. It's
funny -- despite all MXs having the same weight, mail03 is really the
one that's pounded with these pump-and-dump spams.
Amir 'CG' Caspi wrote on 2013-06-14 01:05:
Lately, I've been getting hit with a LOT of this type of spam:
http://pastebin.com/HD0rNdxU
Not all of it is identical in format, but there seems to be one thing
in common: they include lots of random garbage inside either CSS or
in
HTML comments.