On 1 Apr 2015, at 17:26, Amir Caspi wrote:
On Apr 1, 2015, at 3:03 PM, Kevin Miller kevin.mil...@juneau.org
wrote:
You can reject on RDNS (or lack thereof) in sendmail depending on the
version. Search for require_rdns.
Thanks, I'll look into it. Sadly I don't think I have time to
On 04/01/2015 10:45 PM, Amir Caspi wrote:
Certainly it would be interesting to add such capability to SA (to
add points for known spammy DNS providers and/or registrars), though
I imagine that could be a recipe for FPs in some cases. Then again,
we did it for .pw URIs, so...
You can do it
On Apr 1, 2015, at 3:03 PM, Kevin Miller kevin.mil...@juneau.org wrote:
You can reject on RDNS (or lack thereof) in sendmail depending on the
version. Search for require_rdns.
Thanks, I'll look into it. Sadly I don't think I have time to manually
whitelist misconfigured servers, since I
On Apr 1, 2015, at 2:26 PM, Kevin Miller kevin.mil...@juneau.org wrote:
I blocked the RRPPROXY.NET name servers at the firewall. [...] After I did
that, almost instantly the spam dropped dramatically.
[...]
There was some discussion in this group about blocking on DNS providers about
a
-Original Message-
Ah, I see... you killed them at the firewall itself, before they even
got to sendmail. I was wondering how blocking the name servers
themselves would help, since (at least in my configuration) sendmail
doesn't reject just due to bad rDNS (not sure if that's even
I'm a bit late to the party (was on vacation) but your woes sounded awfully
familiar. I was getting slammed by spam a couple months ago. The domains
changed daily, but the one consistent thing was they were all served by
RRPPROXY.NET. I blocked the RRPPROXY.NET name servers at the firewall.
David Jones wrote:
The invaluement RBL is not expensive either and it is awesome. We pay
thousands per year for
a Spamhaus feed because of our volume and mailboxes. The invaluement RBL is
only hundreds
per year and it's almost as good as Spamhaus Zen.
Seconded; this is exactly what
On 3/30/2015 11:49 AM, Kris Deugau wrote:
Seconded; this is exactly what we've been finding. Invaluement is a
great complement to Spamhaus for a fraction of the cost.
I wouldn't put it as a front-line reject DNSBL, because some of the
things that have been listed are not what I would class,
On 3/30/2015 1:19 PM, Kris Deugau wrote:
The cases I
can recall are more along the lines of grey-hat ESPs who pick up a
spammer client for a while,
Kris,
The next time you run across this and think it might be causing a little
too much collateral damage (in spite of the spamming), let me
Rob McEwen wrote:
On 3/30/2015 11:49 AM, Kris Deugau wrote:
Seconded; this is exactly what we've been finding. Invaluement is a
great complement to Spamhaus for a fraction of the cost.
I wouldn't put it as a front-line reject DNSBL, because some of the
things that have been listed are not
On Mar 30, 2015, at 9:49 AM, Kris Deugau kdeu...@vianet.ca wrote:
Seconded; this is exactly what we've been finding. Invaluement is a
great complement to Spamhaus for a fraction of the cost.
Definitely something to add to my nice to have list for the future. Sadly,
as I mentioned earlier,
From: Benny Pedersen m...@junc.eu
Sent: Friday, March 27, 2015 10:48 PM
To: users@spamassassin.apache.org
Subject: Re: Uptick in spam
David Jones wrote on 2015-03-28 03:13:
I have Spamhaus in
front of invaluement in
my postfix configuration but I may try flipping the order just to see
On 28.03.2015 at 13:01, David Jones wrote:
From: Reindl Harald h.rei...@thelounge.net
Sent: Saturday, March 28, 2015 6:13 AM
To: users@spamassassin.apache.org
Subject: Re: Uptick in spam
On 28.03.2015 at 12:04, David Jones wrote:
I know that but I choose to use the traditional method
From: Reindl Harald h.rei...@thelounge.net
Sent: Saturday, March 28, 2015 6:13 AM
To: users@spamassassin.apache.org
Subject: Re: Uptick in spam
On 28.03.2015 at 12:04, David Jones wrote:
I know that but I choose to use the traditional method in the Postfix
smtpd_recipient_restrictions so I can
On 03/28/2015 06:47 AM, Rob McEwen wrote:
On 3/27/2015 10:13 PM, David Jones wrote:
The invaluement RBL is not expensive either and it is awesome. We pay
thousands per year for
a Spamhaus feed because of our volume and mailboxes. The invaluement
RBL is only hundreds
per year and it's almost
On 28.03.2015 at 12:04, David Jones wrote:
I know that but I choose to use the traditional method in the Postfix
smtpd_recipient_restrictions so I can specify the order. I have such a
high volume of mail for more than 100,000 mailboxes, I want to check
in a specific order using my local
From: Rob McEwen r...@invaluement.com
Sent: Saturday, March 28, 2015 12:47 AM
To: users@spamassassin.apache.org
Subject: Re: Uptick in spam
On 3/27/2015 10:13 PM, David Jones wrote:
The invaluement RBL is not expensive either and it is awesome. We pay
thousands per year for
a Spamhaus feed
On 03/27/2015 08:20 PM, Amir Caspi wrote:
On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas
uh...@fantomas.sk wrote:
I see no network checks here... do you use network checks?
On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail kmcgr...@pccc.com
wrote:
Are you using network tests? These are
On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
I see no network checks here... do you use network checks?
On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:
Are you using network tests? These are scoring pretty high for me.
I presume you're
On Mar 27, 2015, at 1:20 PM, Axb axb.li...@gmail.com wrote:
These three samples are very different in the sense that #1 is a hacked
site, #2 #3 are the regular snowshoe.
Of course, I picked three different samples on purpose. But, I have hundreds
that replicate these.
What I miss in your
On Mar 27, 2015, at 1:33 PM, Axb axb.li...@gmail.com wrote:
Are you using Mailscanner? if yes then it's you munging URIS so they breaking
lookups on any hash type as in
Yes, I am using MailScanner. Some URIs are munged, others are not. For
example, you can see in that very pastebin you
On 03/27/2015 08:45 PM, Amir Caspi wrote:
On Mar 27, 2015, at 1:33 PM, Axb axb.li...@gmail.com wrote:
Are you using Mailscanner? if yes then it's you munging URIS so
they breaking lookups on any hash type as in
Yes, I am using MailScanner. Some URIs are munged, others are not.
For example,
On 03/27/2015 07:51 PM, Amir Caspi wrote:
Here are a few spamples:
http://pastebin.com/3nSLurGv (this scored BAYES_99 but would still
have been FN with BAYES_999) http://pastebin.com/LaKT5ZZK (I have a
rule template for these URIs but recent spams have modified them to
cause high risk of FPs
Apologies if this is an overly obvious answer, but are you using any
greylisting? This would (potentially) move your user away from the
wavefront of a spam's distribution, and give it a better chance of
triggering the network-based tests.
On Fri, 27 Mar 2015, Amir Caspi wrote:
This is my whole
On Mar 27, 2015, at 1:38 PM, sha...@shanew.net wrote:
Apologies if this is an overly obvious answer, but are you using any
greylisting? This would (potentially) move your user away from the
wavefront of a spam's distribution, and give it a better chance of
triggering the network-based tests.
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:
I'm happy to look at a recent sample and throw it through my system to see
what it hits but overall, I've been seeing the exact opposite.
So, one of my users has been getting dozens (sometimes nearly 100) FNs per DAY
On Mar 27, 2015, at 12:20 PM, Axb axb.li...@gmail.com wrote:
- Please post missed spam samples in pastebin.com - do not post samples to
mailing lists
Of course, I would never post it to the list. I will put up a few in pastebin
but there are so many of them, and there are a few different
On 27.03.2015 at 19:13, Amir Caspi wrote:
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:
I'm happy to look at a recent sample and throw it through my system to see what
it hits but overall, I've been seeing the exact opposite.
So, one of my users has been getting
On 27.03.15 12:51, Amir Caspi wrote:
Here are a few spamples:
http://pastebin.com/3nSLurGv (this scored BAYES_99 but would still have been
FN with BAYES_999)
http://pastebin.com/LaKT5ZZK (I have a rule template for these URIs but recent
spams have modified them to cause high risk of FPs for
On 03/27/2015 07:13 PM, Amir Caspi wrote:
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com
wrote:
I'm happy to look at a recent sample and throw it through my system
to see what it hits but overall, I've been seeing the exact
opposite.
So, one of my users has been getting
On Fri, 27 Mar 2015 12:13:30 -0600
Amir Caspi wrote:
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com
wrote:
I'm happy to look at a recent sample and throw it through my system
to see what it hits but overall, I've been seeing the exact
opposite.
So, one of my users
On Mar 27, 2015, at 12:22 PM, Reindl Harald h.rei...@thelounge.net wrote:
we have currently 577 different subjects and subject-parts scored, i don't
want to publish them because i'd like the spammers don't change to new ones
:-)
Sadly, that doesn't help me. I don't have time to compile
On 3/27/2015 2:51 PM, Amir Caspi wrote:
On Mar 27, 2015, at 12:20 PM, Axb axb.li...@gmail.com wrote:
- Please post missed spam samples in pastebin.com - do not post samples to
mailing lists
Of course, I would never post it to the list. I will put up a few in pastebin
but there are so many
On Fri, 27 Mar 2015, Amir Caspi wrote:
On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
I see no network checks here... do you use network checks?
On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:
Are you using network tests? These are
On Fri, 27 Mar 2015, Amir Caspi wrote:
On Mar 27, 2015, at 1:38 PM, sha...@shanew.net wrote:
Apologies if this is an overly obvious answer, but are you using any
greylisting? This would (potentially) move your user away from the
wavefront of a spam's distribution, and give it a better chance
On 03/27/2015 11:51 AM, Amir Caspi wrote:
On Mar 27, 2015, at 12:20 PM, Axb axb.li...@gmail.com wrote:
- Please post missed spam samples in pastebin.com - do not post samples to
mailing lists
Of course, I would never post it to the list. I will put up a few in
pastebin but there are so
On Mar 27, 2015, at 2:09 PM, Axb axb.li...@gmail.com wrote:
As an AV product I'd recommend Sophos AND ESETS/Nod32.
I'll look into Sophos, I'm not entirely sure if I can deploy it on my system or
not. We have to use RPMs that can be distributed to the virtual hosts, etc...
I'll definitely
On Mar 27, 2015, at 3:34 PM, Richard Doyle lists...@islandnetworks.com wrote:
All of these were From: domains created today.
Shouldn't they have been picked up by DOB? Or do I need to manually enable
some DOB plugin in SA? (If so, please let me know how...) When I ran the third
spample
On 03/27/2015 11:44 PM, Amir Caspi wrote:
On Mar 27, 2015, at 3:34 PM, Richard Doyle
lists...@islandnetworks.com wrote:
All of these were From: domains created today.
Shouldn't they have been picked up by DOB? Or do I need to manually
enable some DOB plugin in SA? (If so, please let me know
On Mar 27, 2015, at 5:12 PM, Axb axb.li...@gmail.com wrote:
DOB isn't realtime/zero hour.
That kind of defeats the point, isn't it? I mean, if you wait too long, it's
no longer DOB, it's few-DOB...
I would have imagined that a DOB server would operate in a caching mode where
the first query
On 03/27/2015 03:44 PM, Amir Caspi wrote:
On Mar 27, 2015, at 3:34 PM, Richard Doyle lists...@islandnetworks.com
wrote:
All of these were From: domains created today.
Shouldn't they have been picked up by DOB? Or do I need to manually enable
some DOB plugin in SA? (If so, please let me
On Fri, 27 Mar 2015 17:40:58 -0600
Amir Caspi wrote:
On Mar 27, 2015, at 5:12 PM, Axb axb.li...@gmail.com wrote:
DOB isn't realtime/zero hour.
That kind of defeats the point, isn't it? I mean, if you wait too
long, it's no longer DOB, it's few-DOB...
I think it's 5 days, and the
On 03/28/2015 12:40 AM, Amir Caspi wrote:
On Mar 27, 2015, at 5:12 PM, Axb axb.li...@gmail.com wrote:
DOB isn't realtime/zero hour.
That kind of defeats the point, isn't it? I mean, if you wait too
long, it's no longer DOB, it's few-DOB...
I would have imagined that a DOB server would
From: Amir Caspi ceph...@3phase.com
Sent: Friday, March 27, 2015 7:30 PM
To: RW
Cc: users@spamassassin.apache.org
Subject: Re: Uptick in spam
On Mar 27, 2015, at 6:19 PM, RW rwmailli...@googlemail.com wrote:
There are deep checks for SBL (via zen) and SPAMCOP. XBL/PBL are
last-external only
You also may want to look at the Invaluement IP/URI lists.
(Invaluement.com). Detection rate is real good and FP level is
extraordinary.
+1. Very happy with invaluement at $DAYJOB.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
On Mar 27, 2015, at 6:19 PM, RW rwmailli...@googlemail.com wrote:
There are deep checks for SBL (via zen) and SPAMCOP. XBL/PBL are
last-external only
Interesting. I wonder why I see those XBL/PBL hits, then. Maybe Zen timed out
on those queries from sendmail... or something. Either way I
David Jones wrote on 2015-03-28 03:13:
I have Spamhaus in
front of invaluement in
my postfix configuration but I may try flipping the order just to see
if it will start blocking more
than Spamhaus.
with postfix postscreen one can test all ips on all rbls in same single
smtpd client check,
On 3/27/2015 10:13 PM, David Jones wrote:
The invaluement RBL is not expensive either and it is awesome. We pay
thousands per year for
a Spamhaus feed because of our volume and mailboxes. The invaluement RBL is
only hundreds
per year and it's almost as good as Spamhaus Zen. I have Spamhaus
On 22.02.2015 at 15:30, @lbutlr wrote:
On 21 Feb 2015, at 08:34 , LuKreme krem...@kreme.com wrote:
On Feb 18, 2015, at 6:20 AM, Reindl Harald h.rei...@thelounge.net wrote:
bayes-stats.txt
That is a lot cleaner and more obvious, thank you for sharing
I ran this just after log rotation
On 21 Feb 2015, at 08:34 , LuKreme krem...@kreme.com wrote:
On Feb 18, 2015, at 6:20 AM, Reindl Harald h.rei...@thelounge.net wrote:
bayes-stats.txt
That is a lot cleaner and more obvious, thank you for sharing
I ran this just after log rotation and got div by zero errors, so here is a
On Feb 18, 2015, at 6:20 AM, Reindl Harald h.rei...@thelounge.net wrote:
bayes-stats.txt
That is a lot cleaner and more obvious, thank you for sharing
--
Once again I teeter at the precipice of the generation gap.
On 17.02.2015 at 15:23, Reindl Harald wrote:
On 17.02.2015 at 15:19, LuKreme wrote:
On 16 Feb 2015, at 12:01 , Reindl Harald h.rei...@thelounge.net wrote:
given that 24266 messages had BAYES_00 with a total number of 30401
delivered mails in the current month that training strategy seems to
On 17.02.2015 at 15:19, LuKreme wrote:
On 16 Feb 2015, at 12:01 , Reindl Harald h.rei...@thelounge.net wrote:
given that 24266 messages had BAYES_00 with a total number of 30401 delivered
mails in the current month that training strategy seems to work well
[root@mail-gw:~]$ bayes-stats.sh
On 16 Feb 2015, at 12:01 , Reindl Harald h.rei...@thelounge.net wrote:
given that 24266 messages had BAYES_00 with a total number of 30401 delivered
mails in the current month that training strategy seems to work well
[root@mail-gw:~]$ bayes-stats.sh
What is bayes-stats.sh?
--
I have a
On 2/16/2015 1:33 PM, Amir Caspi wrote:
Over the last week I've seen a significant uptick in FN spam to my users. We're getting
tens of FNs per day per user, whereas a few weeks ago it was just a few FNs per day per
user. We're getting BAYES_99/999 on many of these, but no other major
On Mon, 16 Feb 2015 12:47:03 -0700
Amir Caspi wrote:
Otherwise, I don't really know... it's clearly not a Bayes issue
since it's hitting Bayes 99/999, it's just that there aren't enough
other rules being hit to go over the 5.0 threshold.
IIWY I'd look into rescoring the BAYES_* rules.
On Feb 16, 2015, at 1:01 PM, RW rwmailli...@googlemail.com wrote:
IIWY I'd look into rescoring the BAYES_* rules.
I was already rescoring them as BAYES_99 = 4.0, BAYES_999 = 0.5 ... so a total
score of 4.5 if both rules hit. These FNs typically get scores of 4.6, so the
other rules are
On 16.02.2015 at 21:10, Amir Caspi wrote:
On Feb 16, 2015, at 1:01 PM, RW rwmailli...@googlemail.com wrote:
IIWY I'd look into rescoring the BAYES_* rules.
I was already rescoring them as BAYES_99 = 4.0, BAYES_999 = 0.5 ... so a total
score of 4.5 if both rules hit. These FNs typically
On Mon, 16 Feb 2015, Amir Caspi wrote:
(BTW, I am happy to contribute my spam corpus of well over 7000
messages... right now I can't dedicate CPU time to running masscheck,
but I can contribute the messages.)
It's possible to upload your corpora and have the central system check it.
See the
Hi all,
Over the last week I've seen a significant uptick in FN spam to my users.
We're getting tens of FNs per day per user, whereas a few weeks ago it was just
a few FNs per day per user. We're getting BAYES_99/999 on many of these, but
no other major markers are hitting (razor, pyzor, dcc
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:
I'm happy to look at a recent sample and throw it through my system to see
what it hits but overall, I've been seeing the exact opposite.
Hmmm. Well, like I said, maybe we're just first on the list and are getting
all
On 16.02.2015 at 19:33, Amir Caspi wrote:
Over the last week I've seen a significant uptick in FN spam to my users. We're getting
tens of FNs per day per user, whereas a few weeks ago it was just a few FNs per day per
user. We're getting BAYES_99/999 on many of these, but no other major