Re: 3 Lines of Defense

2019-09-28 Thread Vincent Fox
I had good success with greet pause set to 11 seconds. Empirically 5 seconds made little difference, but I could see a marked reduction at anything above 10 seconds. Longer than 15 didn’t give much further improvement though. Sent from my iPhone > On Sep 28, 2019, at 08:39, Grant Taylor

Re: Invoice phish

2018-05-09 Thread Vincent Fox
I see an interesting dichotomy. Students are on Google, fac/staff on O365 now. Guess which group is phished most often? If you said students, bzzzt. It’s the O365 users, by a large margin. Faculty and staff should be best trained. Also protected by “Advanced Threat Protection”. Sent from

Re: Penalty for no/bad SPF

2018-01-24 Thread Vincent Fox
SPF is designed for authentication, not spam filtering. Using a crowbar as a hammer. We apply a small score mainly so we see the elements reported. If the "majors" are using it in their hygiene stack for evaluation like you are, I haven't seen much evidence of that. Of course it's hard to

Re: Penalty for no/bad SPF

2018-01-24 Thread Vincent Fox
: Wednesday, January 24, 2018 12:12:56 PM To: users@spamassassin.apache.org Subject: Re: Penalty for no/bad SPF On 01/24/2018 01:58 PM, Vincent Fox wrote: > I'd rather not think about the manhours I've wasted this year on SPF. > > > The guy at Evotec.com, among others, who t

Re: Penalty for no/bad SPF

2018-01-24 Thread Vincent Fox
assin.apache.org Subject: Re: Penalty for no/bad SPF On Wed, 2018-01-24 at 19:01 +0000, Vincent Fox wrote: > SPF is a zombie legacy that someone should shoot in > the head. > SPF is still good for what I've always thought was its main use: detecting spam delivered by backscatter.

Re: Penalty for no/bad SPF

2018-01-24 Thread Vincent Fox
SPF is designed for whitelisting, not blacklist. Remember when "shields" appeared in mail clients, and how fast that feature disappeared? Far too many people clicking on phish that seemed "authentic". With the explosion of cheap domains and registrars, there's really no snowshoe Black Hat

Re: Receiving a lot of junk from Office 356

2018-01-23 Thread Vincent Fox
O365 has many very large tenant ponds now. Rules inside a tenant may be very lax about trusting other users inside the tenant. So one compromised account easily leads to tens/hundreds of others. So their 2nd round of phish nets Black Hats enough compromised accounts to blast out a

Re: Today's Google Docs phish

2017-05-04 Thread Vincent Fox
Sendmail access.src: From:pro REJECT Guess that's why I haven't heard about this on our campus. I block dozens of these apparently lawless domains. From: Alex Sent: Wednesday, May 3, 2017 6:37:49 PM To: SA Mailing list Subject:

Re: Google anti-phishing code project

2017-02-22 Thread Vincent Fox
Come on, look at the datestamps on the addresses in that list! Plenty from 2009. I only know of this project because a few compromised accounts from our campus were once listed there, and were rejected by other sites. Went through tedious process of trying to find email for owners, and get

Re: Fastest listing RBL ?

2017-02-15 Thread Vincent Fox
I cannot state strongly enough, that blocking entire top-level domains these days should come before RBL. *.top, *.link, *.download, etc. RBL depends on paid or free. Paid: Spamhaus, the 800 lb gorilla of RBL. Also URIBL various feeds. Direct query to a dedicated address with fresh data FTW.

Re: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread Vincent Fox
> Sent: Thursday, November 3, 2016 9:33:59 AM To: users@spamassassin.apache.org Subject: Re: Anyone else just blocking the ".top" TLD? Unless you have customers/employees/vendors complaining that they are not receiving legitimate email from that TLD why would you un block it?? On Nov

Re: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread Vincent Fox
Resurrecting thread. TOP remains at the err... top of abuse heap. XYZ insights anyone? They have been on my reject list for a long time, but claim to be cleaning it up. Thinking to drop my shields on this one. https://gen.xyz/blog/antiabuse

Re: whitelist_auth and how to test

2016-10-09 Thread Vincent Fox
I suppose it depends on definition of "trustworthy". I had the experience with SendGrid, of them adding new servers without rDNS information. I called in and astoundingly enough, their "technical" person explained to me DNS didn't matter, and he had no interest in addressing it. A trustworthy

Re: Spoofed Domain

2016-08-09 Thread Vincent Fox
Tuesday, August 9, 2016 3:19:27 PM To: Vincent Fox Cc: SpamAssassin Subject: Re: Spoofed Domain When you say SPF is not a good tool for filtering, do you mean that it shouldn't be used at all? Or if SPF_FAIL is triggered that an email should be rejected altogether? _________

Re: Spoofed Domain

2016-08-09 Thread Vincent Fox
SPF is not a good tool for filtering IMO. Scoring? Why score them? If you get to the SpamAssassin layer with this you've already failed. Reject! We use ClamAV Foxhole databases, to severely restrict attachment types. Combined with a little bit of greet_pause, and a ton of greylist penalty

Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

2016-08-01 Thread Vincent Fox
together a simulacrum. From: Axb <axb.li...@gmail.com> Sent: Monday, August 1, 2016 12:53:27 PM To: users@spamassassin.apache.org Subject: Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold) On 01.08.2016 21:30, V

Re: Is greylisting effective? (was Re: Using Postfix and Postgrey - not scanning after hold)

2016-08-01 Thread Vincent Fox
I keep seeing people say "well if you have postscreen, greylisting is just dumb". Well what is the equivalent for other MTA? I still see a lot of spambots on PBL hosts, that never contact again. So the blanket statement "bots are recoded" just doesn't jibe with what I see. Maybe you could

Re: Protected Sky?

2016-06-27 Thread Vincent Fox
On 06/27/2016 01:15 PM, Reindl Harald wrote: On 27.06.2016 at 21:27, Vincent Fox wrote: I saw a reference today in my MxToolbox report, to an RBL named Protected Sky which had like double the listing activity of Spamhaus. Does anyone know anything about this outfit? that's a bullshit RBL

Protected Sky?

2016-06-27 Thread Vincent Fox
Hello, I saw a reference today in my MxToolbox report, to an RBL named Protected Sky which had like double the listing activity of Spamhaus. Does anyone know anything about this outfit? We primarily rely on Spamhaus at present, with some others thrown in which catch some that Spamhaus doesn't.

Re: Which DNSBLs do you use?

2016-06-17 Thread Vincent Fox
Greylisting imo helps a lot with RBL lag. Delay suspect IP long enough that by the time they retry, if they do, they are on half a dozen RBL and score high and reject. Sent from my iPhone > On Jun 17, 2016, at 13:23, Reindl Harald wrote: > > > > Am 17.06.2016 um

Re: Odd results when using whitelisting

2016-05-25 Thread Vincent Fox
I've been using dnsmasq myself on a list server, with DHCP disabled, and configured to answer only localhost, for caching. The stock package seems limited to 10,000 entries BTW. But it seemed fairly bug-free as opposed to nscd, and simple to set up unlike BIND. Gladly switch to something else.

Re: Problem with SPF plugin and MX2

2016-05-25 Thread Vincent Fox
In 20 years never saw need for backup MX. If MX pool is down remote MTA should queue it. Only practical use I've seen is NoListing setup. I suppose you might run a server in the Arctic which could lose contact for weeks and you'd want to ensure no bounces. YMMV. Sent from my iPhone > On May

Re: Whitelisting and Expedia/Orbitz

2016-05-20 Thread Vincent Fox
SPF is only about envelopes? Unless you are Microsoft, who check against the From in the header. From: Reindl Harald Sent: Friday, May 20, 2016 10:23:45 AM To: users@spamassassin.apache.org Subject: Re: Whitelisting and

Re: SA cannot block messages with attached zip

2016-05-20 Thread Vincent Fox
+1 Yesterday, 6% of our mail flow was rejected by Foxhole.Zip family. They are #1 on our list about 50% of the time for weeks now. I got a commendation last week for prevention work, so rare in email adminning. Security team would be swimming in overtime if it weren't for foxhole_js in

Re: understanding HELO_DYNAMIC_IPADDR

2016-05-13 Thread Vincent Fox
On 05/13/2016 01:24 PM, David Jones wrote: This is a very simple concept and yet most mail admins don't know it or follow it. I know right? IMO network/firewall backgrounds are worse though. They are used to thinking in IP all day and DNS is just this optional convenience. Cheers.

Re: understanding HELO_DYNAMIC_IPADDR

2016-05-13 Thread Vincent Fox
On 05/13/2016 12:29 PM, Daniel J. Luke wrote: While you are at it, make sure your forward and reverse dns match. At least weekly, I get someone bickering with me that reverse DNS is not any kind of requirement to be a legitimate server. Often it comes from well-paid network

Re: Anyone else just blocking the ".top" TLD?

2016-04-27 Thread Vincent Fox
ald <h.rei...@thelounge.net> Sent: Tuesday, April 26, 2016 2:55:46 AM To: users@spamassassin.apache.org Subject: Re: Anyone else just blocking the ".top" TLD? On 26.04.2016 at 11:23, Heinrich Boeder wrote: > Hi, > >> On Apr 21, 2016, at 3:43 PM, Vincent Fox <vb..

Re: Anyone else just blocking the ".top" TLD?

2016-04-21 Thread Vincent Fox
Resurrecting thread. Recently seeing increase in spam from these gTLD: pro, bid, trade. I'm adding them to my reject list, do with this information what you will. -hth

Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Vincent Fox
On 03/28/2016 12:35 PM, Reindl Harald wrote: nothing easier than that with postfix, just start with. I wish my EDU was cool with Postfix or Exim. However our routing pool is Sendmail, and the PHB here are determined to "upgrade" to Proofpoint which is Sendmail based.

Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Vincent Fox
Whoops, list truncated. Continuing: From:work REJECT From:cricket REJECT From:xn--plai REJECT From:review REJECT From:country REJECT From:kim REJECT From:science REJECT From:party REJECT From:gq REJECT From:top REJECT From:uno REJECT

Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Vincent Fox
On 03/27/2016 06:58 PM, Thomas Cameron wrote: Has anyone actually gotten a single legit message from that domain? Never. WTF was ICANN thinking? I occasionally go through the lists of abused gTLD here: http://www.surbl.org/tld/ It certainly saves a lot of hygiene processing time to just