> In the future, if you're not prepared to show the actual problem with their
> actual data, please don't waste our time.
You know that's the sort of thing I hate about the Open Source community, the
big ego trips by the crusty old dudes who've been around forever and enjoy
giving the relati
>> Yes, I have checked on the real Zen lists and the real IP is there.
>>Then your checking software is broken. None of the Spamhaus lists ever
>>include anything in 10/8.
John, the big hint was in the word *REAL IP*... as I said hundreds of times
subsequently to the initial post, I stupid
>Close, but if you notice, the check on the full Zen bl at the top is an
>unscored sub-rule, while you were scoring 30 points for your version.
Well, I guess my rules needed updating anyway. Spamhaus rolled out two new
response codes I was not checking for !
Looking forward to seeing the
On 08/14/2013 05:31 PM, Nigel Smith wrote:
> Actually Axb, these are my current rules, so I might not be as wrong
as you think..
>
> # ITS Local
> header ITS_RCVD_IN_ZEN eval:check_rbl('zen', 'zen.dnsbl.')
> describe ITS_RCVD_IN_ZEN R
>As I posted previously, the safer way to do it is to tell your recursor
>to forward all spamhaus queries to you local rblsnd and NOT to tinker
>with SA rules but then...
My local recursor does forward to rbldnsd, as per their instructions...
zone "dnsbl" {
type forward;
forward o
Actually Axb, these are my current rules, so I might not be as wrong as you
think..
# ITS Local
header ITS_RCVD_IN_ZEN eval:check_rbl('zen', 'zen.dnsbl.')
describe ITS_RCVD_IN_ZEN Received via a relay in Spamhaus Zen
tflags ITS_RCVD_IN_ZEN net
reuse ITS_RCVD_IN
> Because some Webmail providers don't use a proper Received: header for
> the initial hop, but add an X-Originating-IP: header instead.
Two things that bother me about that reply. First, SA *should* know about
the major filtering providers (Bigfish, Postini etc.) and be able to deal with
t
>Irrelevant.
>Why is an "X-*" header even being parsed for IPs?
Agreed. That's what I came here to ask in the first place, even if I managed
to make a right mess of even asking that ! ;-)
>That's a rotten idea when asking questions about RBLs... In this case,
>asking about X.X. would have been less confusing.
Yes, I'm sorry and I've already given myself 30 lashings ! ;-(
>Se we have two problems here: parsing IP addresses from inappropriate
>headers, and (potentially) the RBL
> If he borked his rbldnsd config badly, it could be possible.
Please guys, can we get this thread back on track. The RFC1918 send many of
you off on the wrong tangent, I apologise for that profusely again. ;-)
>Right ... "On your incoming mail relays" ...
> If you use it in SA where it can check other IP addresses
>in the headers, it can be dangerous.
If its such a big deal, why does __RCVD_IN_ZEN have a default score of >0
.. all I did was disable __RCVD_IN_ZEN and copy its exact rule to my
lo
> I wonder whether you should have chosen an RFC5737 address rather than an
> RFC1918 address for your obfuscation purposes...
Because I forgot about RFC5737. ;-(
As I said, happy to give full un-munged headers off-list.
>YOu're rule sort of dangerous as it may list PBL stuff on non
>last-external, etc,
Sort of dangerous ? It works beautifully for us ! Until the recent issues
with Bigfish we've had zero false positives and many many many good catches !
I'm only following the guidelines at
http://www.spamha
Hi Kevin (and the entire list),
Many many many apologies for not making it clear that I masked the affected IP.
I don't really want to post it in public for all and sundry. Happy to give
people the REAL headers off-list.
Nigel
> 10.X is a private network. Why is Zen listing it ?
Becasuse I masked the first two octets to protect the innocent. ;-)
> Have you checked that IP on the real Zen listing and not on your cached
> server?
Yes, I have checked on the real Zen lists and the real IP is there.
Hi,
SpamAssassin version 3.3.2
running on Perl version 5.14.2
3.2.0-49-generic #75-Ubuntu SMP Tue Jun 18 17:39:32 UTC 2013 x86_64 x86_64
x86_64 GNU/Linux
(ubuntu 12.04LTS)
I'm having some major problems at the moment with people who send mail via
their corporate email platforms hosted on
Damn, I thought I had you in my junk list - play nice spammer and keep
one address?
On Sun, 17 Feb 2013 08:34:15 -0800, Marc Perkel
wrote:
>OK - I'm getting mass checking set up and working. I'm still in the
>testing phase.
>
>Right now the process of selecting spam and ham is automated. It's n
aware
>> you might get doubles with bayes store, this should be ignored
>>
>> but i am told PostgreSQL is better in replacation stuff
>
>Why replicate? Why not just share the same database?
No failover with shared. Distributed adds redundancy.
KR
Nigel
On Wed, 21 Sep 2011 17:08:42 +0200, Matus UHLAR - fantomas
wrote:
>On 20.09.11 18:57, Nigel Frankcom wrote:
>>I moved SA to a newer box and have the following output in my logs:
>>http://pastebin.com/VvZfXwAC
>>
>>Apologies if I'm being dense, but is there a wa
27;s an undeserved bad name. Additionally, BT's approach of 'we are
big ergo you do what we say' doesn't add much in the way of help
either.
After many years I'm moving off BT, though that is because of their
billing and the incompetence there makes their rbl handling look like
it's 6 sigma.
I've defended BT for years, seems I was naive.
Expect to see me in SORBS soon :-D
Nigel
On Fri, 18 Mar 2011 04:22:40 +0100, Karsten Bräckelmann
wrote:
>On Thu, 2011-03-17 at 12:58 +0000, Nigel Frankcom wrote:
>> Unrelated but reminded me I hadn't posted a thanks to all those that
>> responded about the sa-update rules. That's partly because I'm
>&
Unrelated but reminded me I hadn't posted a thanks to all those that
responded about the sa-update rules. That's partly because I'm
awaiting permission from clients to add their mails to the corpus.
So, thanks all. Apologies for forgetting my manners.
Have no clue about Spear Phishing other than
Hi All,
Apologies if this has been covered, an admittedly fairly cursory
Google showed nothing new. My local sa-update hasn't updated in the
better part of a month. Is it that there have been no updates or do I
need to dig into my systems to see what I broke, how and when?
Regards to all
Nigel
;space allocated by a provider (even to an end-user) is likely to be a
>/64, so I don't see why whitelists can't list /64's too. Essentially,
>I disagree with the phrase "which by their nature list individual IP
>addresses".
>
>Regards,
>
>DAvid.
I'd wonder at the DNS traffic, I may be wrong but this looks like
between 4 and 24 look-ups per check. DoS?
Nigel
and it's Lynford and his money grabbing cronies mostly behind it
>- hence it lacks sophistication.
I guess we all have our opinions based on our experiences. Personally,
I've had no issue with zen, though cbl does seem sometimes to have an
issue with back-scatter. That said, proper spf should help stop
back-scatter.
Kind regards
Nigel
t think they could do it better, and maybe accept that we all get
it wrong sometimes... Just my 2.5p worth :-D
Kind regards
Nigel
On Tue, 14 Dec 2010 22:41:40 -0500, Jason Bertoch
wrote:
>On 12/14/2010 8:06 PM, Bart Schaefer wrote:
>> http://blog.wordtothewise.com/2010/12/gfi-sorbs-consider
Hi All,
Is sorbs going to be continued as a scoring option in SA?
Having hit yet more problems with them I've zeroed their scoring.
I found this a couple of days ago, maybe it can add weight.
http://blog.wordtothewise.com/2010/12/gfi-sorbs-considered-harmful/
Best to all
Nigel
the Perl modules for the
correct ones then do: yum install Perl-Digest-SHA
Hope that helps
Nigel
On Wed, 27 Oct 2010 01:13:56 -0700 (PDT), Gnanam
wrote:
>
>Hi,
>
>I'm trying to install SpamAssassin version 3.3.1 on CentOS release 5.2
>(Final).
>
>During installation,
Un-subscribe
>;+4;;crivitzlippiest.com/30101624u&271074362e&17874825c/
>
>
>TransmitterUn-subscribe
>;+4;;crivitzlippiest.com/30101625u&271074362e&17874825c/
Raw mail looks the same so nothing hidden. Anyone else seeing similar,
Is there perhaps a rule already done or should I write one?
As always, all help appreciated.
Kind regards
Nigel
On Fri, 30 Apr 2010 17:48:49 +0100, "corpus.defero"
wrote:
>On Fri, 2010-04-30 at 17:19 +0100, Nigel Frankcom wrote:
>> On Fri, 30 Apr 2010 16:59:57 +0100, "corpus.defero"
>> wrote:
>>
>> >On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wro
On Fri, 30 Apr 2010 16:59:57 +0100, "corpus.defero"
wrote:
>On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wrote:
>
>> We're on a BT only exchange here so it's them or nothing, well not
>> quite, I could go CoLo... hmmm maybe not, or satellite, I was in
th
luck they and SORBS will open a dialogue.
As admins we face and deal with issues every day, sometimes it's nice
to know that others out there are listening and, where they can,
acting.
I have a lot of karma to repay :-D Now, if the SA list would let me
post from 'home'. I'd be copacetic :-D
All the best
Nigel
On 20 April 2010 18:29, Benny Pedersen wrote:
> On tir 20 apr 2010 19:17:10 CEST, Nigel Frankcom wrote
>
>> My IP has full rDNS supplied by my ISP - please feel free to ping -a
>> 217.36.54.209 and tell me what exactly is wrong wit that?
>
> http://www.db.ripe.ne
On 20 April 2010 18:07, Benny Pedersen wrote:
> On tir 20 apr 2010 18:56:37 CEST, John Hardin wrote
>>>
>>> not correct, hotmail gmail yahoo works without isp dependice, why care ?
>>
>> You're kidding, right, Benny?
>
> does it looks so ?
>
>> Why care that the ISP providing my IP addresses can't
My IP has full rDNS supplied by my ISP - please feel free to ping -a
217.36.54.209 and tell me what exactly is wrong wit that?
On 20 April 2010 16:08, Benny Pedersen wrote:
> On tir 20 apr 2010 15:04:53 CEST, Nigel Frankcom wrote
>
>> If anyone has any ideas - please let me know?
>
On 20 April 2010 14:13, corpus.defero wrote:
> On Tue, 2010-04-20 at 14:04 +0100, Nigel Frankcom wrote:
>> Hi All,
>>
>> Am I the only one incabale of figuring out the SORBS interface?
>>
>> I'm told by various mailserver that sorbs is blocking me (includ
d.
If anyone has any ideas - please let me know?
Kind regards
Nigel
On Tue, 23 Mar 2010 09:12:16 +, Nigel Frankcom
wrote:
>Hi All,
>
>Apologies if this has already been asked. A hunt through Google didn't
>help much nor did any digging around the SA site. That's not to say
>it's not there, just that I can't find it :-/
install the new SA I get:
Error: Missing Dependency: perl(Razor2) >= 2.61 is needed by package
spamassassin
Is this stupidity on my part or, is there a simple work round, or is
there an updated version of Razor2?
All help gratefully received.
Kind regards
Nigel
egory it is useful to relearn
it in the other - so spam - ham and ham - spam.
Just observations, not suggestions; except that they have worked for
me.
KR
Nigel
On Sun, 14 Mar 2010 12:08:17 -0400, Alex
wrote:
>Hi,
>
>I'm concerned that my bayes database may contain incorrect
>information. I performed a search on all of the messages in the
>quarantine, and pulled out the ones that contained BAYES_00 in their
>score. There weren't all that many of them, bu
On Sun, 14 Mar 2010 12:08:17 -0400, Alex
wrote:
>Hi,
>
>I'm concerned that my bayes database may contain incorrect
>information. I performed a search on all of the messages in the
>quarantine, and pulled out the ones that contained BAYES_00 in their
>score. There weren't all that many of them, bu
h I am eternally grateful; the usual culprits
know who they are)
Kind regards
Nigel
On Fri, 31 Jul 2009 11:41:14 -0700 (PDT), poifgh
wrote:
>
>In my tests - there was not MTA. The mails/spam were collected from some
>server in mbox format and fed to SA using --mbox switch. The si
imary SA. Assuming (again) that mail
size has been factored and any AV is running remotely?
Just a few thoughts based on a very cursory read of a few posts, sadly
- or happily, work make my contributions here limited.
I'd be interested in the results of this though.
Kind regards
Nigel
PS -
keep it current. If not Install it via CPAN. You may need to
restart SA after, not sure.
It may also be worth running "spamassassin --lint -D" to see if you
are missing any other packages.
HTH
Nigel
On Thu, 19 Feb 2009 08:01:48 -0800 (PST), John Hardin
wrote:
>On Thu, 19 Feb 2009, Nigel Frankcom wrote:
>
>> Testing was done through spamassassin --lint and with debug. I used a
>> mail that *should* have hit the rules.
>
>--lint is not for testing rule performance, as
On Thu, 19 Feb 2009 16:16:48 +0100, Karsten Bräckelmann
wrote:
>On Thu, 2009-02-19 at 14:50 +0000, Nigel Frankcom wrote:
>
>> Using --lint the rule come back clean but on testing it appears to be
>> ignored. It's in the spamassassin directory.
>>
>> Am I mis
received.
Kind regards
Nigel
On Thu, 29 Jan 2009 18:00:47 -0800, Kelson wrote:
>On the subject of vs