Simplicity (was Re: SpamAssassin Rules Regarding Abuse of New Top Level Domains)

2015-10-13 Thread Dianne Skoll
On Tue, 13 Oct 2015 12:24:53 -0700 Larry Goldman wrote: > So, it is not possible to simplify the process of managing an email > server via an easy-to-use software user interface? I think if your goal is to simplify the process of managing an email server, your best bet is to pay someone else to

Re: The word on messages w/ no Message-Id

2015-09-28 Thread Dianne Skoll
On Mon, 28 Sep 2015 12:22:20 -0600 Philip Prindeville wrote: > I’m getting a lot of messages from head-hunters, my wife’s auto > dealership, etc. that look like they’re being generated by legitimate > [sic] email campaigns, but they don’t have a message-id. Yes, we see that quite a bit. > RFC-5

Re: Rule Help

2015-09-25 Thread Dianne Skoll
On Fri, 25 Sep 2015 14:21:50 + Dave wrote: > I am trying to create a rule that scores TLDs in received headers if > they are not certain TLDs. What I have so far: Your logic is wrong. And you can do it all with one regex: header GC_TLD_COM Received !~/\.(?:com|net|org|edu|uk)\b/i I won'

Re: Test for empty EnvelopeFrom

2015-09-24 Thread Dianne Skoll
On Thu, 24 Sep 2015 14:30:42 + David Jones wrote: > I agree with you and Reindl on this point too. I guess what I meant > to say is usually the hardest spam to block with a null sender is > backscatter from a normally trusted/good reputation mail server. Yes, that can be very annoying. Luc

Re: Test for empty EnvelopeFrom

2015-09-24 Thread Dianne Skoll
On Thu, 24 Sep 2015 12:21:33 + David Jones wrote: > I agree with Reindl. You can't block null senders or you break a lot > of legit emails. Well, if you run your own mail server, you can do whatever you like so long as you accept the consequences. I would say: A null sender is not necessar

Re: Resume / Doc Spam

2015-09-18 Thread Dianne Skoll
On Fri, 18 Sep 2015 21:51:59 +1000 Anthony Kamau wrote: > No courage needed. Simply install Sandboxie [0] (preferably in a VM) > and you can safely open any application inside the sandbox and see > what it invokes. Or use LibreOffice which has macros turned off by default, but lets you examine e

Re: Resume / Doc Spam

2015-09-09 Thread Dianne Skoll
On Wed, 9 Sep 2015 16:51:11 +0200 Matus UHLAR - fantomas wrote: > On 09.09.15 10:44, Dianne Skoll wrote: > >ClamAV is totally useless. > Do you mean generally, or in this case? Generally, at least if you use the official signatures. And the unofficial ones have unacceptably h

Re: Resume / Doc Spam

2015-09-09 Thread Dianne Skoll
On Wed, 09 Sep 2015 09:23:44 +0200 Benny Pedersen wrote: > i would run "strings vbaProject.bin" and make clamav signature based > on it ClamAV is totally useless. Here's a trick: Macro viruses must define a subroutine called "Document_Open" So finding the string "Document_Open" case-insensitive

Re: MailBlacklist.com Integration Testing Phase

2015-08-18 Thread Dianne Skoll
On Tue, 18 Aug 2015 10:48:54 +0100 "MailBlacklist.com Management" wrote: > Regards, > MailBlacklist.com Management. Really? That's your name? This sounds very fishy, sorry. Regards, Dianne.

Re: RBL format to blacklist email addresses?

2015-07-29 Thread Dianne Skoll
On Thu, 30 Jul 2015 01:56:08 +0200 Reindl Harald wrote: > * no mailserver on this world treats the local part case-sensitively Well possibly, but that doesn't apply to all mail-handling software. Mail::SRS originally treated the local part case-sensitively, but it had to weaken the protection

Re: phishing_reply_addresses list

2015-07-19 Thread Dianne Skoll
On Sat, 18 Jul 2015 20:36:21 -0400 Alex wrote: > Anyone know what happened to the phishing_reply_addresses list? It > appears that the sourceforge site that was hosting it has been > unreachable for a few days. As The Register saltily puts it, Sourceforge has experienced "Total Inability To Supp

Re: Return Path (TM) whitelists

2015-07-15 Thread Dianne Skoll
On Wed, 15 Jul 2015 15:23:44 -0700 Dave Warren wrote: > Huh? Last I looked, somewhere near 80% of my legitimate mail flow > passes SPF. It wouldn't shock me if this has gone higher. That's not what we see. We see quite a lot of legitimate mail that either doesn't have SPF in place at all or hit

Re: Return Path (TM) whitelists

2015-07-10 Thread Dianne Skoll
On Fri, 10 Jul 2015 17:34:06 +0200 Reindl Harald wrote: > it's enough *once time* overlook the small letters besides some > checkbox saying "we give your data to our partners" and so agree > without intention while it's hard to impossible to realize the > connection when weeks or months later a m

Re: Return Path (TM) whitelists

2015-07-10 Thread Dianne Skoll
On Fri, 10 Jul 2015 09:06:58 +0200 Matthias Leisi wrote: > For the record, this is the reason why dnswl.org > does not charge for listings (and we don’t call it certification): it > always leads to conflicts of interest. Yes, I trust dnswl.org. What we need is a meta-reputat

Re: Return Path (TM) whitelists

2015-07-09 Thread Dianne Skoll
On Fri, 10 Jul 2015 07:58:39 +1000 Noel Butler wrote: > +1 I'll throw my +1 in on this also. Almost by definition, the kinds of organizations who buy into these certifications to get their mail delivered are unlikely to be the kinds of organizations I want to hear from. Just as SPF "pass" is a

Re: Must-Have Plugins?

2015-06-23 Thread Dianne Skoll
On Tue, 23 Jun 2015 18:00:27 -0600 Philip Prindeville wrote: > I should have mentioned we also blacklist yahoo... and are thinking > about blocking google, too. I see. If we did this, then yes, we'd probably stop a lot of spam (though nowhere near 98%) but we'd also lose 98% of our customers,

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)

2015-06-21 Thread Dianne Skoll
On Sun, 21 Jun 2015 22:55:41 +0200 Reindl Harald wrote: > the question is *how* is that de-listing managed and how do you > manage "i will take care in the future" and if that's not true > because de-listing is just a click how easy is it for spammers to not > really care I delist anyone who asks

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)

2015-06-21 Thread Dianne Skoll
On Sun, 21 Jun 2015 16:26:54 -0400 Jim Popovitch wrote: > On Sun, Jun 21, 2015 at 4:22 PM, Dianne Skoll > > you should not have to pay for delisting one IP. > and with BN you are NOT paying for a delisting. You are splitting hairs. Essentially, you are paying for delisting. We run

Re: Barracuda / EmailReg.org protection racket? (OT, but help?)

2015-06-21 Thread Dianne Skoll
On Sun, 21 Jun 2015 19:23:58 +0200 Reindl Harald wrote: > spammers don't invest money, never Of course not. They pay using a stolen credit card. I don't approve of Barracuda's behaviour. If they're blocking /24s because of some bad machines, you should not have to pay for delisting one IP. I

Re: Must-Have Plugins?

2015-06-19 Thread Dianne Skoll
On Fri, 19 Jun 2015 12:51:28 -0600 Philip Prindeville wrote: [stuff] > With this, we avoid ever accepting about 98% of the SPAM that we’d > otherwise receive. Really? 98%? I find that surprising. We get quite a lot of spam from gmail, hotmail, yahoo etc. that would pass all of your tests. R

Caching nameserver vs. resolver library (was Re: Must-Have Plugins?)

2015-06-11 Thread Dianne Skoll
[I have lost the attribution, but someone wrote:] > >That's not what I'm saying. It should not be necessary to run a > >full-blown DNS server for SA to do its queries. It should be > >possible to call a library and create a DNS context that has all of > >its own parameters and then use that in a

Re: DNSBLs and cache hit rate (was Re: Must-Have Plugins?)

2015-06-10 Thread Dianne Skoll
On Thu, 11 Jun 2015 01:00:45 +0200 Reindl Harald wrote: > cache-min-ttl: 600 Even a 10-minute cache time buys you very little. My original analysis assumed a 15-minute TTL. Regards, Dianne.

Re: DNSBLs and cache hit rate (was Re: Must-Have Plugins?)

2015-06-10 Thread Dianne Skoll
On Wed, 10 Jun 2015 14:56:40 + David Jones wrote: > My point was that running a local caching server is the only way one > can know exactly how the lookups are happening. Ah, true. I missed that point I guess. Regards, Dianne.

DNSBLs and cache hit rate (was Re: Must-Have Plugins?)

2015-06-10 Thread Dianne Skoll
On Wed, 10 Jun 2015 13:56:49 + David Jones wrote: [One should run a caching DNS server on a mail server.] > We are giving you solid advice based on real experiences where we > ran into problems and worked around them. Just try to enable RBLs > and see how it works for you. I'm not disputin

Re: Weird empty messages

2015-05-08 Thread Dianne Skoll
On Fri, 08 May 2015 13:14:56 -0400 "Kevin A. McGrail" wrote: > Haven't seen any get through our spam filters, though and they > typically score really high (40+). Yes, none have got through for us either... all scoring at least 15 or so. I'm just trying to figure out the motivation behind them (

Weird empty messages

2015-05-08 Thread Dianne Skoll
Hi, We are seeing a trickle of weird empty messages. Here's a sample Sendmail log: May 8 11:33:31 colo3 sm-mta[1100]: t48FXPqL001100: from=, size=18, class=0, nrcpts=1, msgid=<8[10, proto=SMTP, daemon=MTA, relay=50-242-22-73-static.hfc.comcastbusiness.net [50.242.22.73] (may be forged) Note the

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 16:20:41 +0100 Paul Stead wrote: > I've had thoughts of an extension which calculates the number of IP > addresses specified in an SPF record, then calculating the % of > world-wide addresses this SPF declares... I don't seem to be able to > bend the Perl SPF module to spit ou

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 17:03:11 +0200 Reindl Harald wrote: > besides that i am responsible for a single domain with currently > 12000 users and the user number doesn't matter because it doesn't say > anything about your insight it's pointless what spammers do and don't > do OK. You essentially said: "+

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 16:40:07 +0200 Reindl Harald wrote: > WTF read the thread and context - i just stated "I wonder how long > until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all" makes > no sense for spammers, not more and not less It makes plenty of sense. We filter spam for hundred

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 15:55:50 +0200 Reindl Harald wrote: > and how does that care a SA setup? It probably doesn't seriously affect a default SA setup, but I have quite a few customers who (despite my warnings) knock off a couple of points on SPF "pass" for any domain. Also, as someone else menti

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 15:38:15 +0200 Reindl Harald wrote: > well, and how does SPF become part of the game in case of a throw-away > domain as long as "score SPF_NONE 0" - why in the world should a > spammer add a TXT record to a throw-away domain? Ummm, are you really that unclear on the concept?

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 15:17:45 +0200 Reindl Harald wrote: > > v=spf1 exists:gmail.com -all > makes no sense - the spammers don't own the domain in most cases and > if they do then they just don't add a SPF policy to use it with > infected clients Spammers often register and use throwaway domains.

Re: v=spf1 +all

2015-04-24 Thread Dianne Skoll
On Fri, 24 Apr 2015 13:13:12 +0200 Benny Pedersen wrote: > thanks for update, nice work Yes. I wonder how long until spammers use: v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all or even: v=spf1 exists:gmail.com -all Unfortunately, the SPF spec makes it tricky to chase down all possible equivalen

Re: FPs on RCVD_ILLEGAL_IP

2015-04-21 Thread Dianne Skoll
On Wed, 22 Apr 2015 02:17:00 +0200 Mark Martinec wrote: > Received: from unknown (HELO localhost) >(bsobolew...@stockton-house.com@236.139.213.194) >by 76.172.150.91 with ESMTPA; Tue, 21 Apr 2015 11:41:10 -0800 > so by a lucky coincidence a misparsed Received ends up > yielding a useful-

Re: FPs on RCVD_ILLEGAL_IP

2015-04-21 Thread Dianne Skoll
On Wed, 22 Apr 2015 00:47:56 +0200 Mark Martinec wrote: > I can only conclude that a rule like RCVD_ILLEGAL_IP will hit > mostly on misconfigured or misguided sending mailers, not primarily > on spam. I disagree. Now that the Microsoft issue has been fixed, well over 95% of the mail on our syst

Re: FPs on RCVD_ILLEGAL_IP

2015-04-21 Thread Dianne Skoll
On Tue, 21 Apr 2015 16:56:48 +0200 Matus UHLAR - fantomas wrote: > what if Microsoft starts using other IP range tested by > RCVD_ILLEGAL_IP? Then it deserves what it gets. Market forces are intended to penalize companies that do stupid things and if we interfere in those market forces, it will

RCVD_ILLEGAL_IP hit data

2015-04-21 Thread Dianne Skoll
Hi, The attached graph shows what we were seeing. Yellow rectangles denote weekends. It seems that the problem started on Friday, 17 April. Based on hits so far today, it appears that MSFT has stopped using 0.0.0.0/8 in Office 365. Regards, Dianne.

Re: FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
On Mon, 20 Apr 2015 17:02:09 -0700 (PDT) John Hardin wrote: > I suggest that this rule should treat 0/8 as equivalent to 127/8. > That's essentially what it's reserved for, just "local to the LAN" > vs. "local to the host". Does 0/8 really mean that? On at least one OS (Linux), the TCP stack tr

Re: FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
On Mon, 20 Apr 2015 14:59:19 -0400 "Kevin A. McGrail" wrote: > I don't show it hitting on ham on my system though I trust DFS and > AXB's experience in this matter. You might want to score it to 0 > because I'm not going to raise a panic flag on a 1.3 score rule when > Microsoft could come to th

Re: FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
On Mon, 20 Apr 2015 14:42:35 -0400 "Kevin A. McGrail" wrote: > Weird. Any chance you know one of the senders and can ask them to > email kmcgr...@pccc.com and raptorrevie...@pccc.com with a test? then > you and I can compare tests hit, etc. Hmm... that'd be awkward because it's not my mail; it'

Re: FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
On Mon, 20 Apr 2015 14:20:35 -0400 "Kevin A. McGrail" wrote: > Are you seeing it on a lot of emails? Over 25000 today; every single one of them from an "...outlook.com" server. :( Regards, Dianne.

FPs on RCVD_ILLEGAL_IP

2015-04-20 Thread Dianne Skoll
Hi, Not sure if this is still an issue in 3.4, but I'm seeing tons of FPs on RCVD_ILLEGAL_IP. Why? Because Microsoft (damn it to hell) has started using RESERVED IP ranges internally! Have a look: Received: from BLUPR10MB0835.namprd10.prod.outlook.com (0.163.216.13) by BLUPR10MB0835.
