Re: DKIM length 'l=' tag

2024-06-03 Thread John Levine
It appears that Bill Cole said: >Never has been safe. Terrible idea from the start. Never should have >been included in the specification. Agreed. >I was thinking of the same thing in a half-assed way, just catching >anything using the length tag. I'd bet that correlates to spam but we'd >nee

Re: Reporting Spam to csa-complai...@eco.de

2024-03-01 Thread John Levine
It appears that Kirk Ismay said: >-=-=-=-=-=- > >I've got a lot of finance / political spam that is passing through all >filters because it's DKIM signed and using an email provider >(salesforce.com & others).   One thing they do include is a >X-CSA-Complaints: csa-complai...@eco.de header, whi

Re: How to get removed from spamcop?

2013-10-28 Thread John Levine
>Just wondering if any real people are there or if it's totally >automated. I've never had any trouble getting replies to polite inquiries. >They have several of our IP addresses listed and delisting >doesn't seem to work. We're a spam filtering company (Junk Email Filter) >and if we fail to b

Re: Is EndOfSpam a known scam?

2013-09-02 Thread John Levine
>The idea is to charge emailers to send the emailee an email. The details are a >little >bit more complicated than that, but not much (explained below)." This is a bad idea that just won't go away. I wrote a white paper about it. It's ten years old, but nothing of any importance has changed:

Re: Catching fake LinkedIn invites

2013-08-28 Thread John Levine
>Unfortunately not, for the most part. (The "From:" header is at linkedin >dot com, but the envelope sender is a random address, and I guess SPF >and DKIM run on the envelope sender only.) DKIM runs on the message body. If it doesn't have a valid DKIM signature from linkedin, you can be quite s

Re: Tarpitting (was Re: Spam harvesting using Fake Authentication)

2013-08-19 Thread John Levine
>It seems to me that greylisting and TCP tarpitting catch both sides of the >problem. Greylisting blocks junk from the single-attempt zombies, and TCP >tarpitting will catch the ones who are persistent offenders. Maybe, probably not. Modern MTAs, even the ones that are not spambots, can run hun

Re: Big problems with senders who use Microsoft Bigfish (a.k.a. FrontBridge)

2013-08-15 Thread John Levine
Oh, OK. In the future, if you're not prepared to show the actual problem with their actual data, please don't waste our time. R's from a thing with no keyboard, John Nigel Smith wrote: > > > >>> Yes, I have checked on the real Zen lists and the real IP is there. > >>>Then your checking softwar

Re: Big problems with senders who use Microsoft Bigfish (a.k.a. FrontBridge)

2013-08-14 Thread John Levine
>> Yes, I have checked on the real Zen lists and the real IP is there. Then your checking software is broken. None of the Spamhaus lists ever include anything in 10/8. R's, John

Re: Interesting Spam Trap Idea - Fake Authentication

2013-06-10 Thread John Levine
>One of the things I like about it is that if hackers are sending spam >into my fake server then it takes away from their efforts on real >accounts that they could hack. I'm wondering if enough of us put up fake >authentication not only can we detect spam that way but we could waste a >lot of s

Re: .pw / Palau URL domains in spam

2013-05-26 Thread John Levine
>well, I do not know anybody at Palau and so have no real need to exchange >mails, but I >feel that this attitude seems somewhat drastic. The .PW domain isn't really a country domain. It's being sold as a fake generic domain by Directi, an Indian registrar who has never been able to manage abuse

Re: .pw / Palau URL domains in spam

2013-05-01 Thread John Levine
ou an abuse report rather than just blocking .PW out of exasperation is doing you a favor. The easier you make it, the better off you'll be. I hope you're not still telling people to figure out who the registrar is and contact them, which was impressively lame. Regards, John Levine, jo

Re: .pw / Palau URL domains in spam

2013-05-01 Thread John Levine
>Nominet is a registrar No, Nominet is THE .co.uk registry R's, John >Directi is acting as THE .pw registry

Re: .pw / Palau URL domains in spam

2013-04-29 Thread John Levine
In article <517f122c.3050...@trimble.com> you write: >I agree. We've seen a huge increase in ".pw" email - 100% spam > >I see one antispam vendor is telling its customers to just block >anything containing .pw references - I'm rapidly warming to the idea... You can report them to ab...@registry.pw

Re: Interpreting an Authentication-Results: header ?

2013-03-29 Thread John Levine
>> You'd need to configure it to tell which authids to accept, perhaps >> defaulting to the host name of the machine SA is running on since >> that's a likely default for the authid. > >Agreed. I think it would also - at the trust boundary - need a filter before >the DKIM/SPF verifier that adds the

Re: Interpreting an Authentication-Results: header ?

2013-03-29 Thread John Levine
>IIRC there isn't at the moment. One thought that comes to mind immediately: > >If there were it should not be enabled by default or others will try to forge >the results. It should only be enabled if a "trust boundary" > has been established. The >do

Interpreting an Authentication-Results: header ?

2013-03-28 Thread John Levine
The Authentication-Results: header defined in RFC 5451 can describe the SPF and DKIM status of a message. It's typically added by the SMTP daemon as the message is received. Is there any way to tell spamassassin to look at the A-R header rather than trying to rerun the SPF and DKIM checks itsel

Re: NJABL is history

2013-03-01 Thread John Levine
>I'm assuming this means their feed into Zen and XBL has shut down, too? >If I'm wrong and that feed still exists, (anyone who knows...) please >reply to this post with that clarification. (would be interesting to know) The whole thing is kaput. The guy who was running it has a new job, there was

Re: Greylisting (was Re: "Fairly-Secure" Anti-SPAM Gateway Using OpenBSD, Postfix, Amavisd-new, SpamAssassin, Razor and DCC ? Can I get your opinion?)

2012-11-29 Thread John Levine
>Does greylisting increase chances of bulk detectors (razor/pyzor/dcc) in >case of "yahoo like" spam sources? No. A remarkable fraction of ratware still doesn't bother to retry, so the most simple minded greylister will deter them. That's why it's useful. I've never seen any support for the the

Re: Somewhat OT: Is this wrong?

2012-08-24 Thread John Levine
>It appears to be on by default as part of Exchange's Intelligent [sic] >Message Filter. As I understand it, you're referring to Exchange 2003, which was shipped nine years ago, and which, if you believe the Wikipedia article, hasn't been updated since 2005 and hasn't been supported since 2009. W

Re: Somewhat OT: Is this wrong?

2012-08-24 Thread John Levine
>The problem is that I publish SPF records for my domain in the expectation >that they'll be used correctly. By behaving incorrectly, Microsoft >is making it less attractive for sites to publish SPF records lest they >be misinterpreted. Microsoft's Sender-ID has been using SPF records to do Sende

Re: Blacklisting based on SPF

2011-10-06 Thread John Levine
In article you write: >-=-=-=-=-=- > >I've noticed some trojans with addresses from usps.com slip through. > >Does anyone blacklist based on SPF? Nobody with any interest in delivering the mail that their users want. The error rate is much, much too high. R's, John

Re: Caution - access to Spamhaus data-feed may be improperly configured: secnap.com.ionspam.net.

2011-08-21 Thread John Levine
> I for one am tired of getting these emails from MxTools because I > failed to turn off EVERY call in SA that invokes a Spamhaus lookup. Um, the last I checked Spamassassin was an open source package provided for free, even to people who use it as part of a commercial service. If you think that

Re: Caution - access to Spamhaus data-feed may be improperly configured: secnap.com.ionspam.net.

2011-08-19 Thread John Levine
MXTools is real, I know some of the people who work there. Dunno why they'd think you're querying the Spamhaus lists if you aren't -- it is my impression that Spamhaus looks at the query logs and passes along IPs that are close to being rate limited. R's, John

Re: How do I disable all spamhaus calls?

2011-08-13 Thread John Levine
>I wanted to buy spamhaus rsync feeds. our CFO looked at the contract, >where Spamhaus said they could disable the feed without notice if they >wanted to. (if they suspected you got hacked, were selling it, were a >spammer, weren't protecting it, allowed public access to it). In my experience,

Re: How do I disable all spamhaus calls?

2011-08-13 Thread John Levine
>> PS: I don't suppose there's any chance you might consider paying the >> rather modest price for a Spamhaus datafeed, rather than leeching all >> your DNSBL queries for free. > >I suspect you would not say that if you knew more about what Marc does. We all know what he does. But if he's running

Re: How do I disable all spamhaus calls?

2011-08-12 Thread John Levine
>That's a good idea except that I'm using pdns-recursor for my caching >nameservers. A few seconds looking at the manual reveals how to get pdns-recursor to do the same thing: http://doc.powerdns.com/built-in-recursor.html#recursor-settings (hint: see auth-zones) R's, John PS: I don't suppos

Re: caches, was TTL and DNSBLs (was Re: SpamTips.org: Why run your own DNS server?)

2011-07-04 Thread John Levine
>> But if you're looking for a DNS cache, I highly recommend unbound. >> I used to use dnscache but got tired of its limitations (due entirely >> to it being unchanged since 1998.) My copy of unbound runs about >> 27M real RAM, 44M virtual, which is pretty modest on my 12G server. > >how many q/s

Re: TTL and DNSBLs (was Re: SpamTips.org: Why run your own DNS server?)

2011-07-04 Thread John Levine
>My experiments on real mail servers show that DNS caching is quite >ineffective for DNSBLs (at least for typical ones like Spamhaus that >use a short TTL on the order of 15-30 minutes.) That's consistent with what I've seen, although you probably won't be surprised to hear that I have higher hope

Re: multiple from entries

2011-04-09 Thread John Levine
>Anyone know of any legitimate use of multiple email addresses in a from >line? Yes. I know a few IETF people who do it. Stuff like notes to a working group from both chairs. I think I've seen the same multiple-from spam you have. It appears to confuse Mailman, but that's not postfix's problem

Re: Should Emails Have An Expiration Date

2011-03-01 Thread John Levine
>> I know just enough about copyright law to know that this claim is >> nonsense. >No, it is not nonsense. Copyright law does allow the content creator >to specify duration of use. If you go view a movie in a movie theater >you buy a ticket for a single viewing, you do not automatically get >to

Re: Should Emails Have An Expiration Date

2011-03-01 Thread John Levine
> From a legal perspective I will point out that any e-mail you >receive is (at least in the US, but most other countries too) >considered copyrighted by the sender. Under copyright law the >sender has the right to control expiration of content they create, I really think it would be a good idea

Re: Should Emails Have An Expiration Date

2011-02-28 Thread John Levine
>I do like the idea with respect to alerts; if email programs (especially >those on smart phones) would know to avoid alerting you of unread + >expired messages, that could be quite beneficial. Especially if I could >set expiration times with thunderbird filters. If people keep at it, they may ye

Re: RFC-Ignorant (was Re: Irony)

2011-02-02 Thread John Levine
livery problems. One time I asked if they'd delist me if I got rid of the autoresponder and just threw all the abuse mail away. Yes. QED. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly

Re: DNS cache efficiency for low-TTL records (was Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01)

2011-01-04 Thread John Levine
>In summary, I believe DNS caching is basically *useless* for any site >small enough to use Spamhaus for free. And any very large site is >probably large enough to deserve an rsync feed. Hmmn. See the ASRG list where I've posted some numbers I worked up from my own servers. R's, John

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-04 Thread John Levine
>This is a great topic! Has this been discussed at the IETF level? Well, yeah, that's the internet draft that I started this with. There's a parallel discussion in the IETF anti-spam research group (ASRG) which is a better place to continue this. See http://wiki.asrg.sp.am/ which has a link to su

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-03 Thread John Levine
>Frankly, I'd think that besides costing the spammers money (a good thing in >and of itself) it would also be a pretty good spamsign if a block has more >than, say, 5 or so registered senders in a /64. Just thinking out loud >here There are a lot of non-spam mail systems with a heck of a lot m

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-03 Thread John Levine
's the issue that started this discussion. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly

Re: Off topic: best RBLs to use to block at smtp connection?

2011-01-03 Thread John Levine
mhaus.org and zen.spamhaus.org Agreed. I also find that bl.spamcop.org now works well with low false positives. It used to have terrible FP, but they fixed it. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-31 Thread John Levine
>And SMTP is the same philosophy. Unicode addressing should rightly be >an add-on to a simpler system. And frankly the biggest proponent of >EAI is China - and why do you think that this is? Silly me, I thought it was because they have 1.2 billion citizens who read and write Chinese rather than

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread John Levine
Ah, I see the problem. You're assuming that spammers will follow the rules. That's a poor assumption. >> The IPv6 address space is big. Very, very big. Even if you chop it >> in half to /64s, it is still four billion times bigger than the v4 >> address space. Bad guys hopping around /64s will

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread John Levine
that small clients can't use BLs at all. Is that realistic? Regards, John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread John Levine
>I used rsync as an example. You can use a more efficient technique; I >gave ClamAV's signature-distribution mechanism as an example of a >system that works pretty well. Hey! I have an idea! How about if we form the data into a B-tree and let people download pages on demand via the DNS? R's, J

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread John Levine
>If blacklists like CBL are currently at 100 MBs (for IPv4)... the bloat >for IPv6 could break DNSBLs. RSYNCing Gigabyte (or terabyte!) -sized >files is memory and CPU intensive. Loading those into rbldnsd is also >resource expensive! Furthermore, getting that data out to DNS mirrors >quickly and e

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread John Levine
's cheaper than doing queries is quite high. If you've got a giant mail system, it makes sense, but if you have one or two MTAs, even fairly busy ones, it doesn't. Hence my goal to concoct something which allows efficient publication and caching via the DNS. Regards, John Levine

IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread John Levine
lients. I don't think it's perfect, and I'd be delighted to get suggestions, but please don't start by assuming that spammers won't be maximally hostile, or that managers will always configure their networks the way you'd prefer. Regards, John Levine, jo...@iecc.com