I had good success with greet pause set to 11 seconds. Empirically 5 seconds
made little difference, but I could see a marked reduction at anything above 10
seconds. Longer than 15 didn’t give much further improvement though.
Sent from my iPhone
> On Sep 28, 2019, at 08:39, Grant Taylor wrot
I see an interesting dichotomy.
Students are on Google, fac/staff on O365 now.
Guess which group is phished most often?
If you said students, bzzzt.
It’s the O365 users, by a large margin. Faculty and staff should be best
trained. Also protected by “Advanced Threat Protection”.
Sent from m
SPF is designed for authentication, not spam filtering. Using a crowbar as a
hammer. We apply a small score mainly so we see the elements reported.
If the "majors" are using it in their hygiene stack, for evaluation like you are, I
haven't seen much evidence of that. Of course it's hard to test
t: Wednesday, January 24, 2018 12:12:56 PM
To: users@spamassassin.apache.org
Subject: Re: Penalty for no/bad SPF
On 01/24/2018 01:58 PM, Vincent Fox wrote:
> I'd rather not think about the manhours I've wasted this year on SPF.
>
>
> The guy at Evotec.com, among others, wh
sin.apache.org
Subject: Re: Penalty for no/bad SPF
On Wed, 2018-01-24 at 19:01 +, Vincent Fox wrote:
> SPF is a zombie legacy that someone should shoot in
> the head.
>
SPF is still good for what I've always thought was its main use:
detecting spam delivered by backscatter. Giv
SPF is designed for whitelisting, not blacklist.
Remember when "shields" appeared in mail
clients, and how fast that feature disappeared?
Far too many people clicking on phish that seemed
"authentic". With the explosion of cheap domains
and registrars, there's really no snowshoe Black Hat
o
O365 has many very large tenant ponds now. Rules inside a tenant may be very
lax about trusting other users inside the tenant. So one compromised account
easily leads to tens/hundreds of others. So their 2nd round of phish nets
Black Hats enough compromised accounts to blast out a camp
Sendmail access.src:
From:pro        REJECT
Guess that's why I haven't heard about this on our campus.
I block dozens of these apparently lawless domains.
From: Alex
Sent: Wednesday, May 3, 2017 6:37:49 PM
To: SA Mailing list
Subject: Today's Google Docs phish
Come on, look at the datestamps on the addresses in that list! Plenty from
2009. I only know of this project because a few compromised accounts from our
campus were once listed there, and were rejected by other sites. Went through
tedious process of trying to find email for owners, and get t
I cannot state strongly enough, that blocking
entire top-level domains these days should come
before RBL. *.top, *.link, *.download, etc.
RBL depends on paid or free.
Paid: Spamhaus, the 800 lb gorilla of RBL.
Also URIBL various feeds. Direct query to a dedicated
address with fresh data FTW.
3, 2016 9:33:59 AM
To: users@spamassassin.apache.org
Subject: Re: Anyone else just blocking the ".top" TLD?
Unless you have customers/employees/vendors complaining that they are not
receiving legitimate email from that TLD why would you unblock it??
On Nov 3, 2016, at
Resurrecting thread
TOP remains at the err... top of abuse heap.
XYZ insights anyone? They have been on my reject list
for a long time, but claim to be cleaning it up. Thinking to
drop my shields on this one.
https://gen.xyz/blog/antiabuse
I suppose it depends on definition of "trustworthy".
I had the experience with SendGrid, of them adding new servers without
rDNS information. I called in and astoundingly enough, their "technical" person
explained to me DNS didn't matter, and he had no interest in addressing it.
A trustworthy op
gust 9, 2016 3:19:27 PM
To: Vincent Fox
Cc: SpamAssassin
Subject: Re: Spoofed Domain
When you say SPF is not a good tool for filtering, do you mean that it
shouldn't be used at all? Or if SPF_FAIL is triggered that an email should be
rejected altogether?
________
SPF is not a good tool for filtering IMO.
Scoring? Why score them? If you get to the SpamAssassin
layer with this you've already failed. Reject!
We use ClamAV Foxhole databases, to severely restrict attachment types.
Combined with a little bit of greet_pause, and a ton of greylist penalty
ices.
Thus we patch together a simulacrum.
From: Axb
Sent: Monday, August 1, 2016 12:53:27 PM
To: users@spamassassin.apache.org
Subject: Re: Is greylisting effective? (was Re: Using Postfix and Postgrey -
not scanning after hold)
On 01.08.2016 21:30, Vincent
I keep seeing people say "well if you have postscreen, greylisting is just
dumb".
Well what is the equivalent for other MTA?
I still see a lot of spambots on PBL hosts, that never contact again. So the
blanket statement "bots are recoded" just doesn't jibe with what I see.
Maybe you could ma
On 06/27/2016 01:15 PM, Reindl Harald wrote:
Am 27.06.2016 um 21:27 schrieb Vincent Fox:
I saw a reference today in my MxToolbox report, to an RBL named
Protected Sky which had like double the listing activity of Spamhaus.
Does anyone know anything about this outfit?
that's a bullshi
Hello,
I saw a reference today in my MxToolbox report, to an RBL named
Protected Sky which had like double the listing activity of Spamhaus.
Does anyone know anything about this outfit?
We primarily rely on Spamhaus at present, with some others
thrown in which catch some that Spamhaus doesn't.
Greylisting imo helps a lot with RBL lag.
Delay suspect IP long enough that by the time they retry, if they do, they are
on half a dozen RBL and score high and reject.
Sent from my iPhone
> On Jun 17, 2016, at 13:23, Reindl Harald wrote:
>
>
>
> Am 17.06.2016 um 02:57 schrieb Alex:
>>> For
I've been using dnsmasq myself on a list server, with DHCP
disabled, and configured to answer only localhost, for caching.
The stock package seems limited to 10,000 entries BTW.
But it seemed fairly bug-free as opposed to nscd, and simple
to setup unlike BIND.
Gladly switch to something else. T
In 20 years never saw need for backup mx.
If MX pool is down remote MTA should queue it.
Only practical use I've seen is NoListing setup.
I suppose you might run a server in the Arctic which could lose contact for
weeks and you'd want to ensure no bounces. Ymmv.
Sent from my iPhone
> On May
SPF is only about envelopes?
Unless you are Microsoft, who check against the From in the header.
From: Reindl Harald
Sent: Friday, May 20, 2016 10:23:45 AM
To: users@spamassassin.apache.org
Subject: Re: Whitelisting and Expedia/Orbitz
Am 20.05.2016 um 19
+1
Yesterday, 6% of our mail flow was rejected by Foxhole.Zip family.
They are #1 on our list about 50% of the time for weeks now.
I got a commendation last week for prevention work, so rare in email adminning.
Security team would be swimming in overtime if it weren't for
foxhole_js in particula
On 05/13/2016 01:24 PM, David Jones wrote:
This is a very simple concept and yet most mail admins don't know it
or follow it.
I know right? IMO network/firewall backgrounds are worse though.
They are used to thinking in IP all day and DNS is just this
optional convenience.
Cheers.
On 05/13/2016 12:29 PM, Daniel J. Luke wrote:
While you are at it, make sure your forward and reverse dns match.
At least weekly, I get someone bickering with me that reverse DNS is not any
kind of requirement to be a legitimate server.
Often it comes from well-paid network administrators.
rald
Sent: Tuesday, April 26, 2016 2:55:46 AM
To: users@spamassassin.apache.org
Subject: Re: Anyone else just blocking the ".top" TLD?
Am 26.04.2016 um 11:23 schrieb Heinrich Boeder:
> Hi,
>
>> On Apr 21, 2016, at 3:43 PM, Vincent Fox wrote:
>>> Recently seeing incr
Resurrecting thread
Recently seeing increase in spam from these gTLD:
pro
bid
trade
I'm adding them to my reject list, do with this information what you will.
-hth
On 03/28/2016 12:35 PM, Reindl Harald wrote:
nothing easier than that with postfix, just start with.
I wish my EDU was cool with Postfix or Exim.
However our routing pool is Sendmail, and the PHB here are
determined to "upgrade" to Proofpoint which is Sendmail based.
Whoops, list truncated. Continuing
From:work       REJECT
From:cricket    REJECT
From:xn--plai   REJECT
From:review     REJECT
From:country    REJECT
From:kim        REJECT
From:science    REJECT
From:party      REJECT
From:gq         REJECT
From:top        REJECT
From:uno        REJECT
Fr
On 03/27/2016 06:58 PM, Thomas Cameron wrote:
Has anyone actually gotten a single legit message from that domain?
Never. WTF was ICANN thinking?
I occasionally go through the lists of abused gTLD here:
http://www.surbl.org/tld/
It certainly saves a lot of hygiene processing time to just dum
31 matches