Re: Bombarded by German political spam

2005-05-15 Thread List Mail User
>... > >>> > Tonight our site is being bombarded by German political spam or >>> > Joe-jobbed bounce fall-out. So far it appears to all be coming >>> > from trojaned PCs. Other than the specific URLs in the messages >>> > haven't found any easily identified parts to create rules for. >>> > >>> > an

Re: Bombarded by German political spam

2005-05-15 Thread List Mail User
>... > >wolfgang wrote: >> In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote: >> >>>Hi! >>> >>> >Anyone has a full list of subjects yet, time to do some SA magic... ;) >>> I have quite a few, here is the subjects list: Subject: 4,8 Mill. Osteuropaeer durch F

Re: Evading URI checks

2005-05-15 Thread List Mail User
>... > >Today I got some spams which evaded URI checks like this: > >Go Here to Order Online: RxRealness.com > >How would one go about adding checks for the omission of http:// ? > >Only things that hit were: bayes, base64 raw and drugs_erctile by the way. > >Niek > taiwantelco/taiwanmedia

Re: Drug SPAM problem..any fixes?

2005-05-14 Thread List Mail User
>... > >--nextPart12555236.45TTRGDWuC >Content-Type: text/plain; > charset="utf-8" >Content-Transfer-Encoding: quoted-printable >Content-Disposition: inline > >On Saturday 14 May 2005 18:30, List Mail User wrote: >[...] >> >> Just to k

Re: Drug SPAM problem..any fixes?

2005-05-14 Thread List Mail User
>... > >Hi All, > >I am having an issue with the following DRUG related spam. Does >anyone have any rules to catch this? > >Environment: SA 3.0.2 with network tests and the following SARE rule sets: >70_sare_adult.cf >70_sare_bayes_poison_nxm.cf >70_sare_evilnum0.cf >70_sare_genlsubj0.cf >70_sare_

Re: IP whitelist?

2005-05-14 Thread List Mail User
>... > >If an incoming email is from an IP listed in IP whitelist, we don't >need to check it at all. >The whitelist I mentioned here is a large-scale one. Say Microsoft and >Yahoo's IPs should be added to IP whitelist since we suppose they >won't send spams. >Currently I am maintaining a RBL list,

Re: New variant of rot-13 trick.

2005-05-11 Thread List Mail User
Thanks Matt, a new multitrade domain, pics-4-showMUNGED.com. Even with private registration, it is using a set of their private name servers. Paul Shupak [EMAIL PROTECTED]

Re: [Fwd: Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org]

2005-05-11 Thread List Mail User
Just to keep up with listing the spam gangs; coolestrxever. com belongs to the taiwantelco/taiwanmedial group. (and is one of their fake Beverly Hills 90210/90211 addresses). BTW. The latest registrations have moved back to Turkey (where they started), but use a Pakistani cellular phone a

Re: Oops - drug rules need more work

2005-05-08 Thread List Mail User
>... > >At 09:59 PM 5/8/2005, mouss wrote: >>rfci lists so many people that one can't rely on (they list yahoo, aol, >>hotmail, ) except for a personal site (or a company where you can >>enforce your rules). A fascist approach might (seem to) work, but it'll >>never solve the real problems.

Re: Oops - drug rules need more work

2005-05-08 Thread List Mail User
missionandgoal. com has made [ob] on SURBL, but it also hits the rfci lists for "whois", "postmaster", "DSN" and "bogusmx" - the "abuse" nomination is pending. Paul Shupak [EMAIL PROTECTED]

Re: Confession and rage

2005-05-07 Thread List Mail User
>>[old material snipped] >> >http://www.spamlaws.com/federal/108s877.shtml > >Point 1) - "Tell you that you're going to get it when you sign up" The "standard out" for this is a clause like "and you agree to the terms referenced on our standard policies page" - which includes a clause s

Re: Confession and rage

2005-05-07 Thread List Mail User
>... > >List Mail User wrote: > > >> JohnS, >> >> As many of the regulars on this list can tell you, I *hate* spam >>as much as nearly anyone here; But... Mike is absolutely correct, what >>they have done is "slimely", b

Re: More Messed Up www URLs

2005-05-07 Thread List Mail User
>... > >I'm starting to see references in messages that look like this: > >www.achat-montre-rolex.net./ > > >Of course, it's not really a valid URL, but then the spam gets through >too. Is it possible to strip excess garbage ( . / ) off the end of the >domain before processing it? > >Running SpamAs

Re: hillsdale media = PWN3D

2005-05-07 Thread List Mail User
>... > >Ok, right on! I fixed the trusted_networks thing, and check this out! > >BTW, the jerks are using another domain.. for a new "division." my god, >CAN-SPAM is a piece of crap. How the *hell* did it get passed? Ugh. > >At least it's getting plonked now. And with that, off to KFC I go... > >

Re: Confession and rage

2005-05-06 Thread List Mail User
>... >From: "Mike Jackson" <[EMAIL PROTECTED]> >To: >References: <[EMAIL PROTECTED]> >Subject: Re: Confession and rage >Date: Fri, 6 May 2005 08:34:00 -0700 >... > >[snipped - um, pun intended] > >Okay, I'm going to take the devil's advocate approach here. By signing up >with them, you created a

Re: URIs being split over multiple lines

2005-05-06 Thread List Mail User
>... > >Hello Craig, > >Thursday, May 5, 2005, 10:33:51 AM, you wrote: > >CB> Most of my spam that's getting through at this point is stuff that has a >URI >CB> with multiple carriage returns in it like this: > >CB> > > >CB> I know this trick has been discussed. I looked for a bug report, and >c

Re: hillsdale media

2005-05-05 Thread List Mail User
>... >Date: Thu, 05 May 2005 09:14:28 -0700 >From: Jonathan Nichols <[EMAIL PROTECTED]> >Reply-To: [EMAIL PROTECTED] >Organization: pbp.net >User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: users@spamassassin.apache.org >Subject: hills

Re: PTR Rules

2005-05-05 Thread List Mail User
>... >Date: Thu, 05 May 2005 11:27:59 -0400 >From: Matt Kettler <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: Dan Barker <[EMAIL PROTECTED]> >Cc: users@spamassassin.apache.org >Subject: Re: PTR Rules >... > >Dan B

Re: Content type allowing spammers to evade URIBL

2005-05-05 Thread List Mail User
>>From [EMAIL PROTECTED] Wed May 4 21:21:27 2005 >... >Date: Wed, 4 May 2005 22:21:11 -0600 >From: Craig Baird <[EMAIL PROTECTED]> >To: users@spamassassin.apache.org >Subject: Content type allowing spammers to evade URIBL >... > >Today, I've received a number of spams containing a domain that is

Re: Observation on secondary MX

2005-05-02 Thread List Mail User
>... > >About a month ago, there was a discussion on the list about how spammers >specifically target secondary MX records. After reading I verified >that indeed 99% of the mail that flowed through my store-and-forward >secondary mail server was spam. So, I removed the second MX record >fro

Vendare Media Corporation / VENDAREGROUP. COM

2005-04-29 Thread List Mail User
Does anyone know of any emails from the VENDARE folks, or any of their few hundred domains that was *not* spam. From their web site, they look legitimate (though they are "email marketeers"), but I've never gotten anything but spam from them. Maybe, they are just very sleazy (they do run

Re: spamd children run as root (again)

2005-04-27 Thread List Mail User
>... > >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA1 > > >It's specifically a problem with perl on *BSD platforms -- there's >a bug open about it, but it's stalled because we don't have any >developers with BSD machines ;) > >at least on some platforms (MacOS X) it appears perl's setuid >support

Re: SA config recommendations to block these spammers?

2005-04-26 Thread List Mail User
The first domain, coolestrxever. com, is part of the group of taiwantelco/taiwanmedialtd pill pushers, using a new (and false) Beverly Hills address (the earliest ones actually used the zipcode "90210" and the address was spoken in an episode of the show). The second domain, magna

Re: SpamAssassin and Horde

2005-04-14 Thread List Mail User
... > Angelo Ayres Camargo wrote: >... I hate to say it, but... Anyone with the last name "Camargo" using a domain with a contact address in Florianopolis, Brazil is automatically suspect. Maybe Angelo, you can tell us: Is "Camargo" a common name in that region, or is it just ba

Re: random rudeness!

2005-04-12 Thread List Mail User
>... > >okay, this all makes sense. Thanks. > >I see manlove .com has been listed already. Do rfc-ignorant take action >on the bogus whois information with the registrar or is that another step? > >Regards, > >Rob > Yes, I nominated it this morning, and it was accepted a few minutes late

Re: random rudeness!

2005-04-12 Thread List Mail User
>... > >List Mail User wrote: >> Did either of you try listing himlove. com (invalid telephone/fax), >> or notice that the contacts' email is from a non-existent domain, >> heroutside. com. Or that the name servers in carr821. com also have >> an invali

Re: random rudeness!

2005-04-12 Thread List Mail User
>... >Robert Brooks wrote: >> bizarre! >> >> > Subject: intimate encounter >> > >> > Heyyy it's me %ASSHOLE... %OUT >> > >> > %PROFILE...%PART4 >> > >> > http://himMUNGEDlove.com/d/8.php >> > >I got the same damn thing ;) > >Subject: me out >From: "Mrs.Sherman" <[EMAIL PROTECTED]> >Date: Mon

Re: OT: Do spammers have a sense of humor?

2005-04-09 Thread List Mail User
Obviously, you've never noticed contact emails at iamaspammer. com:) Paul Shupak [EMAIL PROTECTED] P.S. "Manila Industries, Inc." of Thailand provides many domains for spam support services.

Re: [SURBL-Discuss] More spams with Zdnet redirector

2005-04-09 Thread List Mail User
>... >Date: Sat, 9 Apr 2005 10:56:10 +0200 (CEST) >From: Raymond Dijkxhoorn <[EMAIL PROTECTED]> >X-X-Sender: [EMAIL PROTECTED] >To: "Kevin A. McGrail" <[EMAIL PROTECTED]> >Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector >... > >Hi! > >> Why the use of the full test rather than the uri

Re: EFF Newsletter as SPAM

2005-04-04 Thread List Mail User
>... >Date: Mon, 04 Apr 2005 11:08:49 -0400 >From: Matt Kettler <[EMAIL PROTECTED]> >... >To: Jeff Chan <[EMAIL PROTECTED]> >Cc: Chris <[EMAIL PROTECTED]>, users@spamassassin.apache.org >Subject: Re: EFF Newsletter as SPAM >... > >Jeff Chan wrote: > >>Perhaps DCC took these out. Please ask Pyzor t

Re: Webmail and IP rules

2005-03-27 Thread List Mail User
>... >Date: Sun, 27 Mar 2005 00:51:25 -0500 >From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> >... >To: List Mail User <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], >users@spamassassin.apache.org >Subject: Re: Webmail and IP

Re: Excessive DNS Requests

2005-03-23 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Mar 23 08:41:38 2005 >To: List Mail User <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], users@spamassassin.apache.org >Subject: Re: Excessive DNS Requests >... >From: Nix <[EMAIL PROTECTED]> >... >... >Date: Wed, 23 Mar 2005 1

Re: How do I whitelist this list?

2005-03-23 Thread List Mail User
>... >> > >> >This header is relatively stable: >> > >> >List-Id: >> > >> >Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 >> >Hispanic Business Inc./HireDiversity.com Software Engineer >> >perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," >> > >> And t

RE: How do I whitelist this list?

2005-03-23 Thread List Mail User
>... >Subject: RE: How do I whitelist this list? >Date: Tue, 22 Mar 2005 16:25:54 -0800 >... >From: <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]>, >... > >Loren Wilton wrote: >> Normally this would work very well, but this list changes its name and >> description and other characteristics so often

Re: Excessive DNS Requests

2005-03-23 Thread List Mail User
>... >Subject: Excessive DNS Requests >From: lister lynch <[EMAIL PROTECTED]> >To: users@spamassassin.apache.org > >Our ISP, Covad, is periodically claiming that we have excessive DNS >requests and is threatening to turn off our service. It's primarily due >to SA, I think. Looked around for answe

Re: How do I whitelist this list?

2005-03-23 Thread List Mail User
>... >"whitelist_from_rcvd [EMAIL PROTECTED] apache.org" worked when I used static >whitelists. > >I had a bunch of similar entries for various mailing lists in a big >whitelists.cf file in /etc/mail/spamassassin > > >-- >Eric A. Hall http://www.ehsco.com/ >

Re: How do I whitelist this list?

2005-03-23 Thread List Mail User
>... >> >> I'll mention this again since I have yet to come up with a solution. >> While the above works great for people using procmail, does anyone have >> a solution that works without procmail? I'm stuck passing all list >> traffic through SA because of this. Just this morning someone on t

Re: New redirector: www.nate.com

2005-03-22 Thread List Mail User
>... >From: David B Funk <[EMAIL PROTECTED]> >To: [EMAIL PROTECTED], users@spamassassin.apache.org >Subject: New redirector: www.nate.com >... > >Ugg, just ran across another open redirector abused in spam > > www.nate.com/r/XY12/target.domain > >where XY12 seems to be any combination of 4 letters

RE: ZDNET redirecting to spammer websites?

2005-03-22 Thread List Mail User
>>From [EMAIL PROTECTED] Mon Mar 21 12:58:20 2005 >Date: 21 Mar 2005 21:03:22 - >Subject: RE: ZDNET redirecting to spammer websites? >To: List Mail User <[EMAIL PROTECTED]> >From: [EMAIL PROTECTED] >... > >>> >>> P.S. The address, if it d

RE: ZDNET redirecting to spammer websites?

2005-03-21 Thread List Mail User
Just a little more info - one of my favorite spammers taiwanmedialtd.com-munged New trick for them (i.e. the redirector). The registration address is false, and likely the rest is too. They like to use joker to register, and Joker has already caught on to a few, o

Re: ZDNET redirecting to spammer websites?

2005-03-21 Thread List Mail User
>... >From: Duncan Hill <[EMAIL PROTECTED]> >To: users@spamassassin.apache.org >Subject: Re: ZDNET redirecting to spammer websites? >Date: Mon, 21 Mar 2005 16:10:46 + >... > >On Monday 21 March 2005 15:34, Rosenbaum, Larry M. typed: >> We received a drug spam containing the following URL: >> >>

Re: call-back plug-in

2005-03-20 Thread List Mail User
>>From [EMAIL PROTECTED] Sun Mar 20 10:45:29 2005 >Date: Sun, 20 Mar 2005 13:45:19 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >... >To: List Mail User <[EMAIL PROTECTED]> >Cc: users@spamassassin.apache.org >Subject: Re: call-back plug-in >

Re: Unsubscribe "noisy" subscriber - Was: FW: ****SPAM(7.2)**** rule didn't fire

2005-03-20 Thread List Mail User
I talked to Dave Hill's brother on Friday (he is the "listed" "zone contact" for dailyhills.com in 'whois'). He is Dennis Hills, he promised to speak to his brother that day, so the problem will hopefully have finally ended. Obviously Dave Hills is an enthusiast - he even has a page on his

Re: call-back plug-in

2005-03-20 Thread List Mail User
>... >Date: Sun, 20 Mar 2005 01:45:12 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 0.8 (X11/20040913) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: users@spamassassin.apache.org >Subject: call-back plug-in >... > > >I'm thinking that SA might also benefit

Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread List Mail User
>... >| One possibility is to list your primary again as the tertiary, possibly >| under a different name and/or IP address. Spammers that deliver in reverse >| MX order will still end up trying to deliver to your primary first. > >I tried this and it resulted in mail loops when one of the servers

Re: Is this Received header correctly formatted?

2005-03-18 Thread List Mail User
>>>... >>>Date: Thu, 17 Mar 2005 00:29:43 +0100 >>>From: mouss <[EMAIL PROTECTED]> >>>... >>>To: List Mail User <[EMAIL PROTECTED]> >>>Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], >>> [EMAIL PROTECTED] >>>Su

Re: Is this Received header correctly formatted?

2005-03-18 Thread List Mail User
>... >Date: Fri, 18 Mar 2005 03:40:20 +0100 >From: mouss <[EMAIL PROTECTED]> >... >Subject: Re: Is this Received header correctly formatted? >... > >List Mail User wrote: >>>... >>>Date: Thu, 17 Mar 2005 00:29:43 +0100 >>>From: mouss

Re: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
>>[all sipped] > > >Since you mentioned the scores, please note the Bobby Rose, the original >poster of this issue had modified the score for URIBL_SBL from its >defaults to 10 ... > >I had suggested that he reduce the score (possibly setting it back to >the defaults) > >While it doesn't negate the

RE: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
>... >Subject: RE: URI Tests and Japanese Chars (solved) >Date: Thu, 17 Mar 2005 17:41:03 -0500 >... >From: "Rose, Bobby" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]>, "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> >Cc: "List Mail Use

Re: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
>... >To: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> >Cc: List Mail User <[EMAIL PROTECTED]>, [EMAIL PROTECTED], >users@spamassassin.apache.org >Subject: Re: URI Tests and Japanese Chars (solved) >In-Reply-To: <[EMAIL PROTECTED]> >F

Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread List Mail User
Jeff, RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google). I could be

Re: rule didn't fire

2005-03-17 Thread List Mail User
Loren, While true for vdrugz.net-munged, gh6.net-munged does not always use a www. prefix. Also, now gh6.net-munged is caught by the SBL, 4 SURBLs, and completewhois (if you use it). I get 14.6 points for just the bare domain name. vdrugz.net-munged is caught by the SBL and 4 SU

Re: rule didn't fire

2005-03-17 Thread List Mail User
gh6.net-munged, don't the SURBLs have this one yet? Another from the taiwanmedialtd.com-munged group (two new domains a day - time for Spamhaus to take notice; Also they seem to have given up on the Turkish address as of last week). Paul Shupak [EMAIL PROTECTED]

Re: Is this Received header correctly formatted?

2005-03-17 Thread List Mail User
>... >Date: Thu, 17 Mar 2005 00:29:43 +0100 >From: mouss <[EMAIL PROTECTED]> >... >To: List Mail User <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], >[EMAIL PROTECTED] >Subject: Re: Is this Received header correctly formatted? >..

RE: URI Tests and Japanese Chars (solved)

2005-03-16 Thread List Mail User
> >This is an excerpt that I used in trying to track it down. No real mailto URI >unless there is some translation going on with email addresses embedded in the >body by the email client on send. At first, I just thought it might be a bug >since the messages were using ISO-2022-JP character se

Re: Is this Received header correctly formatted?

2005-03-16 Thread List Mail User
>To: Loren Wilton <[EMAIL PROTECTED]> >Cc: SpamAssassin Mailing List <[EMAIL PROTECTED]> >Subject: Re: Is this Received header correctly formatted? > > >Loren Wilton wrote: >> Received: from ar39.lsanca2-4.16.241.28.lsanca2.elnk.dsl.genuity.net >> ([4.16.241.28] helo=watson1) >> by pop-a065d23.pas

Re: Is there such a test?

2005-03-16 Thread List Mail User
>... >Date: Wed, 16 Mar 2005 09:38:13 - (GMT) >Subject: Re: Is there such a test? >From: "Mike Spamassassin" <[EMAIL PROTECTED]> > >I'd take that bet. >While you are almost certainly correct with the likes of those who >subscribe to this group, who often have multiple email addresses, >out ther

Re: Is there such a test?

2005-03-16 Thread List Mail User
>... >From: "Loren Wilton" <[EMAIL PROTECTED]> >To: >References: <[EMAIL PROTECTED]> >Subject: Re: Is there such a test? >Date: Tue, 15 Mar 2005 15:39:32 -0800 >... >> I have just received spam from [EMAIL PROTECTED] >> Is there a test which identifies that the description (Esmeralada >> Bouchard

Re: Is this Received header correctly formatted?

2005-03-16 Thread List Mail User
>From: "Loren Wilton" <[EMAIL PROTECTED]> >Subject: Is this Received header correctly formatted? >Date: Tue, 15 Mar 2005 14:36:36 -0800 >... > >Received: from ar39.lsanca2-4.16.241.28.lsanca2.elnk.dsl.genuity.net >([4.16.241.28] helo=watson1) > by pop-a065d23.pas.sa.earthlink.net with smtp (Exim 3.

Re: Is there such a test?

2005-03-16 Thread List Mail User
>... >Point taken, but I still think it would be a valid test. >Like all SpamAssassin tests it should only be one of many indicators. >In particular all the ones that I receive I would expect to have "Mike" or >"Michael" in the description of my email address. >I would also like to be able to pick

Re: Is there such a test?

2005-03-16 Thread List Mail User
identifies itself as "Administrative Account", which causes the internal MS classifier to always mark it as "BULK". Several friends have complained to me about it -- MS does seem to pass "List Mail User" through untouched. Other accounts which I commonly use have ever "

Re: [Slight OT] Problems with perl modules req for rpmbuild -tb Mail-SpamAssassin-3.0.2.tar.gz

2005-03-14 Thread List Mail User
... >It's part of a larger quote, to the effect that someone with one clock is >sure of the time, someone with two clocks isn't and I forget what is >supposed to happen as you get more clocks. Maybe you get back closer to the >assurance you had with a single cheap windup clock. I originally came

Re: [Slight OT] Problems with perl modules req for rpmbuild -tb Mail-SpamAssassin-3.0.2.tar.gz

2005-03-14 Thread List Mail User
>... >From: "List Mail User" <[EMAIL PROTECTED]> > >> > ...The person with two clocks is never really sure of >> > the current time. >> >> OT, but... above - *not* a good quote, but it sounds nice) >> To be `s

Re: Was: List of spamvertised sites sent via zombies, open proxies, etc.?

2005-03-13 Thread List Mail User
... On Sun, 13 Mar 2005 05:29:04 -0800, Jeff Chan wrote: >On Sunday, March 13, 2005, 5:12:30 AM, Jeff Chan wrote: >> On Friday, March 11, 2005, 11:27:52 PM, Jeff Chan wrote: >>> Does anyone have or know about a list of spam-advertised URIs >>> where the spam they appeared in was sent through open r

Re: [Slight OT] Problems with perl modules req for rpmbuild -tb Mail-SpamAssassin-3.0.2.tar.gz

2005-03-13 Thread List Mail User
> ...The person with two clocks is never really sure of > the current time. OT, but... above - *not* a good quote, but it sounds nice) To be `sure' of the time, you need at least three clocks (look at the documentation for ntp/ntpd). > > ... ... Paul Shupak

Re: SA addr tests need to be updated

2005-03-13 Thread List Mail User
>... >Date: Sat, 12 Mar 2005 18:46:52 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: users@spamassassin.apache.org >Subject: Re: SA addr tests need to be updated >References: <[EMAIL PROTE

Re: Spam Assassin pattern help for regular expression

2005-03-11 Thread List Mail User
>... >Greetings: > >While it has never been pleasant, we regularly review spam including the >HTML source code behind the spam to help us adjust our system-wide spam >tagging rules. > >We've noticed a lot of sick porn spam being left untagged. > >The tests that raised the score, though not high e

Re: Telltale whois data (was: Rule for downwards writing spam)

2005-03-10 Thread List Mail User
>... >--On Thursday, March 10, 2005 7:23 AM -0800 List Mail User ><[EMAIL PROTECTED]> wrote: > >> They mostly use Joker, who has *very* good policies for killing >> domains like this. You should complain and file at wdprs.internic.net. >> >> Th

Re: Rule for downwards writing spam

2005-03-10 Thread List Mail User
>>From [EMAIL PROTECTED] Thu Mar 10 06:20:20 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: >list-unsubscribe: >List-Post: >List-Id: >Delivered-To: mailing list u

Re: RCVD_IN_BSP_TRUSTED

2005-03-10 Thread List Mail User
> >On 09/03/2005 11:55:32, Alana Craig ([EMAIL PROTECTED]) wrote: > > Hello > > > > > > > > I would like to include your contact information in an address book I am > > creating for myself. Please enter your particulars using the link you see > > below: > > > > > > > > http://www.bebo.com/fr1/10076

Re: SA addr tests need to be updated

2005-03-10 Thread List Mail User
>>>... >>> ..." >>> >Now, these are the rules > >However, I still believe it is perfectly legal to refuse mail if >- the HELO matches my own MX, or lists one of my IPs >or >- the MAIL FROM pretends to be one of my users > >I am currently refusing this stuff at the MTA level and suggest to >au

Re: ENC: Take that!

2005-03-10 Thread List Mail User
Daniel, Regarding the domain "dftphildeutschv-munged.net", since this morning one of the name servers "fujins-munged.com" has been delisted by planetdomain, and "miftrue-munged.com" has been placed on "HOLD" by Namebay (i.e. expect deletion or full suspension within 15 days maximum

Re: SA addr tests need to be updated

2005-03-10 Thread List Mail User
>Justin Mason wrote: > >>Eric A. Hall writes: >> >> >>>SA 3.0.2 currently performs a handful of tests against HELO greetings that >>>contain an IP address. These tests don't currently fire when an "address >>>literal" is used in the HELO greeting, but they should. >>> >>> >> >>actually, that'

Re: SA addr tests need to be updated

2005-03-09 Thread List Mail User
> > >On 3/9/2005 3:29 PM, List Mail User wrote: > >>> See section 3.6 of RFC 2821: >>> >>> | - The domain name given in the EHLO command MUST BE either a >>> primary |host name (a domain name that resolves to an A RR) or, >>> if the

Re: SA addr tests need to be updated

2005-03-09 Thread List Mail User
Eric, I believe that you have misinterpreted (and only partially quoted) RFC2821. A more correct interpretation (or at least different) and a fuller set of quotations is below. > >SA 3.0.2 currently performs a handful of tests against HELO greetings that >contain an IP address. T

Re: ENC: Take that!

2005-03-08 Thread List Mail User
I know that I had already replied, but in using u2club.com for the contact email, the spammer has made a serious error. That account is a reseller of outblaze and likely the account will not last more than a day or two (one more domain made ineffective). Outblaze has the best policy o

Re: ENC: Take that!

2005-03-08 Thread List Mail User
This same spammer has been at it for many months. What this shows is that among registrars, Joker takes wdprs complaints seriously - most do not. He has been using the set of name servers: ns1.mikahak-munged.com ns1.fujins-munged.com ns1.miftrue-munged.com and

Re: Interesting new spam!

2005-03-08 Thread List Mail User
Regarding spuries-munged.com: Notice that the DNS servers have invalid physical and email addresses listed for xzdns-munged.biz (listed at rfci on Feb. 18 - the physical address would be valid for China, but is not for Vietnam; Not noted in the listing). Paul Shupak [EMAIL

Re: [SPAM-TAG] SURBL missing this spam

2005-03-05 Thread List Mail User
Duncan, As written your rule only checks for a ':' immediately before a '/'. But at least one valid use of the colon is http://[EMAIL PROTECTED]:host, which is defined as part of the standard HTTP protocol. Paul Shupak [EMAIL PROTECTED]

Re: Quinlan interviewed about SA

2005-03-05 Thread List Mail User
>> using whitelist_from_rcvd), make a lot of sense to me. > >If some mentally deficient spammer has the stupidity to maintain an SPF >record for his spam site that is identified in black lists he probably >should get some additional Brownie Points for his stupidity, eh? > >{^_-} > Just came

Re: SURBL missing this spam

2005-03-05 Thread List Mail User
Martin, The domain you gave, "crazyrxl0wprices-munged.com" hits (for me), three SURBL lists ( _AB_, _OB_, and _SC_), also it hits the SBL and also hits combined-HIB.dnsiplists.completewhois.com. Since its registration data is pretty much completely bogus, by this time tomorrow, i

Re: Webmail and IP rules

2005-03-03 Thread List Mail User
I looked at the code and it sure seemed to use both trust and internal to me (I looked at 3.0.2, but tested on 3.0.1). So I constructed a small example from your headers; I used as input: Return-Path: <[E

Re: Webmail and IP rules

2005-03-03 Thread List Mail User
Shane, Your example *is* much better. What you are showing, if my assumptions are correct (I list them below) is everything working exactly as it is designed to - i.e. both IMP and SA are doing the correct things. 1) I assume that the receiving host "mail.ischool.utexas.edu" is a

Re: Webmail and IP rules

2005-03-03 Thread List Mail User
Dave, You have a few valid points, and the rule may be misnamed with HELO at its prefix; But look at some email coming from the free services like Yahoo!, Hotmail or Gmail and you will see HTTP (as well as other protocols; Hotmail/MSN also uses both of the MS proprietary protocols

Re: Webmail and IP rules

2005-03-02 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Mar 2 15:01:17 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >... >Delivered-To: mailing list users@spamassassin.apache.org >... > >I think the problem is being caused by IMP being "too good" at >generating a Received header that looks like a normal one a

RE: Typical spam not detected at all.. there is no rule for it :- \

2005-03-02 Thread List Mail User
Chris, I know you don't like bayes, but it is the best single tool for stock scams. The trouble with counting '|' is the frequency of transcribed spreadsheets would give too many FPs (typical is to use '|' to separate the columns). Most stock scams use non-obfuscated words to look

Re: Typical spam not detected at all.. there is no rule for it :-\

2005-03-02 Thread List Mail User
Marian, For these stock scams, bayes is your friend; Parsing it locally I get Content analysis details: (3.2 points, 5.0 required) pts rule name description -- -- 0.1 MISSING_HEADERS

Re: another request for RECEIVED[x] array

2005-03-02 Thread List Mail User
>>From [EMAIL PROTECTED] Tue Mar 1 22:15:46 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >... >To: List Mail User <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], [EMAIL PROTECTED] >Subject: Re: another request for RECEIVED[x] array >References: <[EMAIL

Re: another request for RECEIVED[x] array

2005-03-02 Thread List Mail User
>>From [EMAIL PROTECTED] Tue Mar 1 18:30:49 2005 >Date: Tue, 01 Mar 2005 21:30:33 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: List Mail User &

Re: another request for RECEIVED[x] array

2005-03-02 Thread List Mail User
>... >List-Id: >Delivered-To: mailing list users@spamassassin.apache.org >Delivered-To: [EMAIL PROTECTED] >... >Date: Tue, 01 Mar 2005 19:32:22 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >

Re: Amazon is killing me....

2005-02-28 Thread List Mail User
>>From [EMAIL PROTECTED] Mon Feb 28 07:23:40 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: >list-unsubscribe: >List-Post: >List-Id: >Delivered-To: mailing list u

Re: commercial license

2005-02-25 Thread List Mail User
No city "shiraz California" No zipcode in America of 71436 +98 in the prefix for Iran; +98:711 is Shirazn Iran No resolvable reverse DNS for the domain or its name servers. Any one else try to check out the fellow who wants us to accept unresolvable domains? - [EMAIL PROTECTED]/[EMAIL PROTECTED]/

Re: accuracy

2005-02-25 Thread List Mail User
>>From [EMAIL PROTECTED] Fri Feb 25 01:19:46 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: >list-unsubscribe: >List-Post: >List-Id: >Delivered-To: mailing list u

RE: URIDNSBL error

2005-02-15 Thread List Mail User
Chris, Yes. Try using the rfci lists and/or AHBL (no they're not in the code base as delivered, but they work very well). Paul Shupak [EMAIL PROTECTED] >>From [EMAIL PROTECTED] Tue Feb 15 10:53:26 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Prece

Re: new strategy?

2005-02-09 Thread List Mail User
Richard Gray wrote: >Please just throw fish at me if this has already been proposed, but I >was thinking today about what aspects of spamming a spammer finds hard >to change. > >Changing names and IP addresses are easy, but I imagine that finding a >DNS server that will be authoritative for the

Re: announcing new functionality in bugzilla: auto mass-checks

2005-01-26 Thread List Mail User
Looks great. I've added comments to #4104 and #4105 just to be able to see these results. Please tell me if I've done anything incorrectly (the rules had been/are originally specified as an attachment). Thanks in advance, Paul Shupak

Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com

2005-01-19 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Jan 19 06:57:31 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >.. >Subject: Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com > > >>A message (from <[EMAIL PROTECTED]>) was received at 19 Jan 2005 >>14:21:48 +. >> >>The following addresses had delivery

Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com

2005-01-19 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Jan 19 06:22:05 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >... >List-Id: >Delivered-To: mailing list users@spamassassin.apache.org >... > >At 10:44 PM 1/18/2005, List Mail User wrote: >> I don't know abou

Re: very handy new whois tool

2005-01-19 Thread List Mail User
This tool has been abused and is known (and blocked) by many spammers (unfortunately). Paul Shupak P.S. It is still always worth a try though.

(was Re: DIGEX) dnsreports.com/dnsstuff.com

2005-01-19 Thread List Mail User
>>From [EMAIL PROTECTED] Tue Jan 18 15:55:21 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >... From: Matt Kettler <[EMAIL PROTECTED]> >... >No listing in any blacklists: >http://www.dnsstuff.com/tools/ip4r.ch?ip=164.109.26.27 > I don't know about digex, but
