[SAtalk] Ick Viruses!

2002-05-04 Thread LuKreme


OK, I know SA is not an anti virus tool, and frankly I don't care about 
viruses anyway, but I am getting a lot of exe file attachments the last 
day or two

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost [127.0.0.1])
    by mail.syth.serveftp.net (Postfix) with ESMTP id E29DCCFA14
    for ; Sat,  4 May 2002 01:29:28 -0600 (MDT)
Received: from southgaylord.com [207.174.31.23]
    by localhost with POP3 (fetchmail-5.8.17)
    for kreme@localhost (single-drop); Sat, 04 May 2002 01:29:28 -0600 (MDT)
Received: from [62.4.86.214] (HELO localhost.localdomain) by southgaylord.com
    (Stalker SMTP Server 1.8b9d9) with ESMTP id S.206007 for
    <[EMAIL PROTECTED]>; Sat, 04 May 2002 01:26:36 -0600
Received: from Hynmzvt (APh-Aug-106-1-1-146.abo.wanadoo.fr [80.11.238.146])
    by localhost.localdomain (8.11.3/8.11.3) with SMTP id g447PPN00654
    for <[EMAIL PROTECTED]>; Sat, 4 May 2002 09:25:25 +0200
Date: Sat, 4 May 2002 09:25:25 +0200
Message-Id: <[EMAIL PROTECTED]>
From: alex-e <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: A special  funny game
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=K4u88yH9gm7JR4m57S3v
X-Spam-Status: No, hits=1.1 required=5.0 tests=LARGE_HEX version=2.21
X-Spam-Level: *

> --K4u88yH9gm7JR4m57S3v
> Kontent-Type: te (* Mangled to prevent mailing list rejecting this 
> thinking there is a REAL attachment *) xt/html;
> Content-xfer-Encoding: quoted-printable
>
> 
>
> This is a special  funny game
> This game is my first work.
> You're the first player.
> I wish you would like it.
>
> --K4u88yH9gm7JR4m57S3v
> Kontent-Type: appl i cation (* Mangled to prevent mailing list rejecting 
> this thinking there is a REAL attachment *)
> octet-stream;
> name=demo.exe
> Content-xfer-Encoding: base64
> Content-ID: 

I was surprised there wasn't a .exe rule or an application/octet-stream rule.

--
You are responsible for your rose.


___

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: [EMAIL PROTECTED]
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



Re: [SAtalk] Brute force spam prevention for NSP's

2002-05-04 Thread Matthew Cline

On Friday 03 May 2002 10:48 am, Viraj Alankar wrote:

> Some questions I have is if anyone in a similar situation that I'm in? And
> if so, would you think such a system like the above would be useful? I'd
> appreciate any suggestions.

First check the mail against a private DCC server which SA auto-reports any 
spam to (remove Razor and set the auto-report threshold to the 
spam-threshold), and only use SA if the DCC check fails.  This way you won't 
invoke the processor-intensive SA for every mail message checked.

-- 
Visit http://dmoz.org, the world's   | Give a man a match, and he'll be warm
largest human edited web directory.  | for a minute, but set him on fire, and
 | he'll be warm for the rest of his life.
[EMAIL PROTECTED]  ICQ: 132152059 |




[SAtalk] Re: Ick Viruses!

2002-05-04 Thread Daniel Pittman

On Sat, 4 May 2002, LuKreme wrote:
> OK, I know SA is not an anti virus tool, and frankly I don't care
> about viruses anyway, but I am getting a lot of exe file attachments
> the last day or two

[...]

> I was surprised there wasn't a .exe rule or an application/octet-stream
> rule.

Those two statements seem to contradict each other. Given that you know
that SpamAssassin is not a virus scanner, why are you surprised when it
fails to detect virus content?

If you want to filter these, try something that's designed for the
purpose.

Daniel

-- 
I believe that the depths of metaphor and symbol can convey what words cannot,
perhaps allowing for resolution of what appears impossible to resolve.
-- Suzanne McLeod




[SAtalk] PHP user Interface

2002-05-04 Thread Andrew Stephen

Hi

I have followed all the various documents I can find on setting up the PHP
interface for spamassassin, but I am still unable to get past the user login.

Can someone point me in the right direction or offer some suggestions as to
why the authentication is failing?

Regards
Andrew





RE: [SAtalk] Multi-user SpamAssassin setup on vpopmail

2002-05-04 Thread Christopher Kunz

Hi,

> Take a look at the new vpopmail integration in SA 2.20 first before
> resorting to SQL.  See the README.spamd-vpopmail in the spamd dir of the
> 2.20 distribution for details.  It gives support for virtual
> vpopmail users.
> I wrote the patch and use it daily and works great.

great, thanks. I originally wanted to postpone using spamd and try the
procmail approach, but this is SO MUCH easier.

Now my silly question for the day is: where do I find PHPSA?
I grepped spamassassin.org and my local files for "php" but didn't find
anything - google didn't turn out any good either.

Regards,

--ck

--
freelance php development  -  hosting  -  high performance chat systems
http://www.de-punkt.de  [ [EMAIL PROTECTED] ]   http://www.titanchat.de
+49 511 1237503 | +49 5241 2349820 | laportestr. 2a, 30449 hannover, de
Rather to reign in Hell, than serve in Heaven. -- Milton, Paradise Lost





Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Richie Laager


On Saturday 04 May 2002 03:26 am, Daniel Pittman wrote:
> On Sat, 4 May 2002, LuKreme wrote:
> > OK, I know SA is not an anti virus tool, and frankly I
> > don't care about viruses anyway, but I am getting a lot of
> > exe file attachments the last day or two
>
> [...]
>
> > I was surprised there wasn't a .exe rule or an
> > application/octet-stream rule.
>
> Those two statements seem to contradict each other. Given
> that you know that SpamAssassin is not a virus scanner, why
> are you surprised when it fails to detect virus content?

Not necessarily. I've seen my share of spams (typically 
porno-spams) that include an .exe, which is not a virus. When 
you run it, it sets up a dial-up account for a pay-per-minute 
porn service. I've seen many users accidentally open these 
files out of habit. (I think they're ignoring the message and 
going straight for the attachment.)

> If you want to filter these, try something that's designed
> for the purpose.

Correction: "If you want to filter [viruses], try something 
that's designed for the purpose."

I feel that a rule to catch .exe attachments would be great. 
However, if this gets taken as far as blocking .vbs files, 
then you're treading into the realm of viruses.

- -- 
Richie Laager
Wikstrom Telecom Internet



RE: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Darren Coleman

In most cases these EXEs are caught by virus scanners under the "Trojan"
category.

Daz

> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:spamassassin-
> [EMAIL PROTECTED]] On Behalf Of Richie Laager
> Sent: 04 May 2002 14:00
> To: Daniel Pittman
> Cc: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Re: Ick Viruses!
> 
> On Saturday 04 May 2002 03:26 am, Daniel Pittman wrote:
> > On Sat, 4 May 2002, LuKreme wrote:
> > > OK, I know SA is not an anti virus tool, and frankly I
> > > don't care about viruses anyway, but I am getting a lot of
> > > exe file attachments the last day or two
> >
> > [...]
> >
> > > I was surprised there wasn't a .exe rule or an
> > > application/octet-stream rule.
> >
> > Those two statements seem to contradict each other. Given
> > that you know that SpamAssassin is not a virus scanner, why
> > are you surprised when it fails to detect virus content?
> 
> Not necessarily. I've seen my share of spams (typically
> porno-spams) that include an .exe, which is not a virus. When
> you run it, it sets up a dial-up account for a pay-per-minute
> porn service. I've seen many users accidentally open these
> files out of habit. (I think they're ignoring the message and
> going straight for the attachment.)
> 
> > If you want to filter these, try something that's designed
> > for the purpose.
> 
> Correction: "If you want to filter [viruses], try something
> that's designed for the purpose."
> 
> I feel that a rule to catch .exe attachments would be great.
> However, if this gets taken as far as blocking .vbs files,
> then you're treading into the realm of viruses.
> 
> - --
> Richie Laager
> Wikstrom Telecom Internet



[SAtalk] incorporating SA in qmail-smtpd

2002-05-04 Thread Jon Myers

This may be a big task, but has anyone thought about incorporating
SpamAssassin into qmail-smtpd.  Doing this will allow the admin to have the
ability to reject spam, and return an ERROR to the initial relay/mailer.
Doing this should help in getting usernames removed from spam email lists,
or having admins close their open relays.

Currently, we are running flame.org's qmail-smtpd patch which allows a
point system based on header info only.  When a threshold is met, a 553
error is returned to the mailer trying to deliver the message.

We've had some legit mail get blocked, but since the system sends back an
error, the sender knows that something is going on..

- - -  Jon Myers
The Circuit's Edge






Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Nathan Neulinger

> > If you want to filter these, try something that's designed
> > for the purpose.
> 
> Correction: "If you want to filter [viruses], try something
> that's designed for the purpose."
> 
> I feel that a rule to catch .exe attachments would be great.
> However, if this gets taken as far as blocking .vbs files,
> then you're treading into the realm of viruses.

I personally couldn't care less about doing generalized virus scanning.
If you're unfortunate enough to use windows and don't bother to apply
patches or a decent virus scanner on your client, that's your problem. 

I am however concerned about the constant load on my mail server dealing
with the worm traffic from these klez/melissa/hybrid/etc. infections.
Those are "Unsolicited Bulk EMail" in my book. The fact that they are a
virus is really a side issue.

I would not be interested in putting in rules for catching every pissant
windows virus out there, however, if there were a provided set of rules
(i.e. in a contrib section or similar) that would catch the
headline-making-windows-worms stuff, that would be a great improvement.
(I understand the reasons for not making SA into a general purpose virus
scanner - and agree with them. Most of us I'd say are not asking for a
general purpose one.)

If you don't want to have them in the main distribution - that's fine,
but instead of forcing all the SA users that want to do minimalist worm
scanning to reinvent the wheel, stick some samples that work in a
contrib area.

-- Nathan


Nathan Neulinger   EMail:  [EMAIL PROTECTED]
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services   Fax: (573) 341-4216




Re: [SAtalk] Ick Viruses!

2002-05-04 Thread Sean Rima


On Sat, 4 May 2002, LuKreme yowled:

> OK, I know SA is not an anti virus tool, and frankly I don't care
> about viruses anyway, but I am getting a lot of exe file attachments
> the last day or two
> 
> Return-Path: <[EMAIL PROTECTED]> Delivered-To:
> [EMAIL PROTECTED] Received: from localhost (localhost
> [127.0.0.1]) by mail.syth.serveftp.net (Postfix) with ESMTP id

As you use Postfix, why not use Amavis to check your inbound for viruses?


Please I am subscribed to this list
so there is no need to cc me a reply
- -- 
  Sean Rima    http://www.tcob1.net
  Linux User:  231986  Jabber:   [EMAIL PROTECTED]
  THE VIEWS EXPRESSED HERE ARE NOT NECESSARILY THOSE OF MY WIFE.



Re: [SAtalk] [Fwd: I have some exclusive information for you.]

2002-05-04 Thread Derek Broughton

From: "Craig R Hughes" <[EMAIL PROTECTED]>

> Derek Broughton wrote:
>
> DB> From: "CertaintyTech - Ed Henderson" <[EMAIL PROTECTED]>
> DB> > they used to improve rules or just added the spam corpus?
> DB>
> DB> Aren't the two things synonymous? ;-)  I'm sure that that is, at least, the
> DB> intention.
>
> The sightings stuff mostly does not currently end up in the corpus, at least not
> in an automated way.  The trouble is there's no real way to know if the stuff

But that's not what I said.  The corpus is used for the GA, right?  So spams
added to the corpus are used to improve the rules, though I guess there may
be spams that are used to improve rules _without_ being added to the corpus,
so it may not be entirely synonymous.  "sightings" otoh might not be used
for anything, as you said.




[SAtalk] Re: Ick Viruses!

2002-05-04 Thread LuKreme


On Saturday, May 4, 2002, at 02:26 AM, Daniel Pittman wrote:

> On Sat, 4 May 2002, LuKreme wrote:
>> OK, I know SA is not an anti virus tool, and frankly I don't care
>> about viruses anyway, but I am getting a lot of exe file attachments
>> the last day or two
>
> [...]
>
>> I was surprised there wasn't a .exe rule or an application/octet-stream
>> rule.
>
> Those two statements seem to contradict each other. Given that you know
> that SpamAssassin is not a virus scanner, why are you surprised when it
> fails to detect virus content?

I know they contradict each other.  Still, it seems that Spamassassin is 
already running a lot of checks and having an application/octet-stream or a 
check for attachment types would be trivial to add.  Sort of a "while you're 
there."

> If you want to filter these, try something that's designed for the
> purpose.

Nah.. I don't care if windoids get viruses.  Actually, it kinda gives me a 
warm feeling.  Does that make me a bad person, or just an elitist mac/unix 
geek?

:)

--
You are responsible for your rose.





Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Bart Schaefer

On Sat, 4 May 2002, Nathan Neulinger wrote:

> I personally couldn't care less about doing generalized virus scanning.
> 
> I am however concerned about the constant load on my mail server dealing
> with the worm traffic from these klez/melissa/hybrid/etc. infections.
> 
> I would not be interested in putting in rules for catching every pissant
> windows virus out there, however, if there were a provided set of rules
> (i.e. in a contrib section or similar) that would catch the
> headline-making-windows-worms stuff, that would be a great improvement.

SA is designed to flag messages as spam (or not) and pass them through for
the end recipient to dispose of as he chooses.  Using SA in this way on a
virus would not decrease the load on your mail server, unless maybe you're
talking about outgoing load that results from having your users' PCs
become infected.

In any case, it'd take either a collection of rules or an eval test to
identify most viruses.  There are lots of tools -- MIMEdefang, the
procmail sanitizer, etc. -- that would do a more efficient job than SA.





Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Bart Schaefer

On Sat, 4 May 2002, LuKreme wrote:

> Still, it seems that Spamassassin is already running a lot of checks and
> having an application/octet-stream or a check for attachment types would
> be trivial to add.

I get application/octet-stream attachments all the time that are completely
innocent.  Often they're patch files sent on the zsh mailing list or the
like, but that's not the only case.  There are any number of MUAs -- pine,
for a unix example -- that offer the user no direct control over the type
that is used for an attached file, and attach anything they don't think
they recognize as a/o-s.

In short, an a/o-s rule wouldn't be a very effective indicator for me of 
either spam or virus.





Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread dman

On Sat, May 04, 2002 at 09:17:14AM -0700, Bart Schaefer wrote:
| On Sat, 4 May 2002, LuKreme wrote:
| 
| > Still, it seems that Spamassassin is already running a lot of checks and
| > having an application/octet-stream or a check for attachment types would
| > be trivial to add.
| 
| I get application/octet-stream attachments all the time that are completely
| innocent. 

MS LookOut thinks _everything_ is application/octet-stream, even
plain-text stuff.  I wouldn't mind hitting it (MS LookOut/LookOut
Express) across the head a few times, though :-).

-D

-- 

Be sure of this:  The wicked will not go unpunished,
but those who are righteous will go free.
Proverbs 11:21
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg






Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread dman

On Sat, May 04, 2002 at 09:25:09AM -0500, Nathan Neulinger wrote:
| > > If you want to filter these, try something that's designed
| > > for the purpose.
| > 
| > Correction: "If you want to filter [viruses], try something
| > that's designed for the purpose."
| > 
| > I feel that a rule to catch .exe attachments would be great.
| > However, if this gets taken as far as blocking .vbs files,
| > then you're treading into the realm of viruses.
| 
| I personally couldn't care less about doing generalized virus scanning.
| If you're unfortunate enough to use windows and don't bother to apply
| patches or a decent virus scanner on your client, that's your problem. 

Ditto.

| I am however concerned about the constant load on my mail server dealing
| with the worm traffic from these klez/melissa/hybrid/etc. infections.
| Those are "Unsolicited Bulk EMail" in my book. The fact that they are a
| virus is really a side issue.

Right.

| I would not be interested in putting in rules for catching every pissant
| windows virus out there, however, if there were a provided set of rules
| (i.e. in a contrib section or similar) that would catch the
| headline-making-windows-worms stuff, that would be a great improvement.
| (I understand the reasons for not making SA into a general purpose virus
| scanner - and agree with them. Most of us I'd say are not asking for a
| general purpose one.)

How about 
ftp://ftp.exim.org/pub/filter/system_filter.exim
?

(for exim users -- have the server fail the message for any executable
content)

I added my own rule to check the message body (no mime-parsing)
instead of the Content-Type: header since klez usually comes as an
attachment :


# Klez signature: a Content-* line giving audio/x-wav with a .pif name, or
# audio/x-mid with a .scr name, matched in the raw body text (no MIME parsing).
if
    "$message_body $message_body_end"
        matches "Content-.*audio/x-wav.*\.(?:pif)"
    or
    "$message_body $message_body_end"
        matches "Content-.*audio/x-mid.*\.(?:scr)"
then
    fail "<<(sender: $sender_address) (From: $h_From:)>> \
     This message has been rejected because the body contains \n\
     text that appears to be MIME Content-Type: headers used by KLEZ.\n\
     If you intended to send the file then please gzip it and resend it."
    seen finish
endif


I bet it wouldn't be too hard for a C programmer to put that test in
the local_scan() function or to make a pseudo-scanner for exiscan so
the message can be rejected at SMTP time (rather than accepting and
then generating a bounce).

-D

-- 

"He is no fool who gives up what he cannot keep to gain what he cannot lose."
--Jim Elliot
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
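
An attachment check of the kind debated in this thread, as an added example that is not from any poster or from SpamAssassin: it parses the MIME structure (unlike the raw-body match above) and flags parts by file name rather than by application/octet-stream alone. The extension list, the function names and the sample messages are assumptions constructed for the example.

```python
import os
from email import message_from_string

# Extensions treated as directly runnable on a Windows client. The set is an
# assumption for this example, taken from the types named in the thread.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".vbs"}
# Main types that should never carry an executable name (the filter above
# pairs audio/x-wav with .pif and audio/x-mid with .scr).
MEDIA_MAINTYPES = {"audio", "image", "video", "text"}


def risky_attachments(raw_message):
    """Return (filename, content_type, reason) for each suspicious MIME part."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition "filename", then falls back
        # to the Content-Type "name" parameter used in the thread's sample.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "demo.exe." still runs.
        ext = os.path.splitext(name.strip().rstrip(". ").lower())[1]
        if ext not in EXECUTABLE_EXTS:
            continue  # e.g. a .patch sent as application/octet-stream
        if part.get_content_maintype() in MEDIA_MAINTYPES:
            reason = "executable name under a media type"
        else:
            reason = "executable extension"
        findings.append((name, part.get_content_type(), reason))
    return findings


def build_sample(parts):
    """Build a constructed multipart/mixed message from (ctype, name, body)."""
    boundary = "SAMPLE-BOUNDARY"
    lines = [
        "From: sender@example.com",
        "To: rcpt@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="%s"' % boundary,
        "",
    ]
    for ctype, name, body in parts:
        lines.append("--" + boundary)
        if name:
            lines.append('Content-Type: %s; name="%s"' % (ctype, name))
            lines.append("Content-Transfer-Encoding: base64")
        else:
            lines.append("Content-Type: " + ctype)
        lines += ["", body]
    lines += ["--" + boundary + "--", ""]
    return "\n".join(lines)


STUB = "TVqQAAMAAAAEAAAA"  # constructed base64 filler, not a real program

# Constructed samples: the .exe spam shape from the first post, a part with
# the media-type/extension mismatch the exim rule looks for, and an innocent
# patch file sent as application/octet-stream.
SAMPLES = {
    "exe_spam": build_sample([
        ("text/html", None, "<p>This is a special funny game</p>"),
        ("application/octet-stream", "demo.exe", STUB),
    ]),
    "klez_style": build_sample([("audio/x-wav", "Song.PIF", STUB)]),
    "patch": build_sample([("application/octet-stream", "zsh-fix.patch", STUB)]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, risky_attachments(raw))
```
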






[SAtalk] Who gets the High Score?

2002-05-04 Thread John Lang

I started using subject_tag _HITS_  and find it's fun to see just what 
creates a 56 point score :-)  I'm sure that's nowhere near the highest.. 
How about a page for the highest scoring spam as a way to educate the 
public and promote Spamassassin?

-- 
John Lang, 
E-mail: [EMAIL PROTECTED] 

BrightNoise Inc.,
16111 East Carmel Drive,
Fountain Hills, AZ 85268
Tel: (480) 837-5483, Fax: (480) 837-5189






[SAtalk] Setting up Outlook filters on SA headers (was Re: setting default scores)

2002-05-04 Thread Dan Kohn

FYI, I've been quite happy with creating two folders Spam (for scores of
8 or higher) and Possible Spam (for scores higher than 5 but lower than
8).  This is easily accomplished after SA 2.20 has been run on the mail
by adding the following two rules at the top of Outlook Rules Wizard:

Apply this rule after the message arrives
with "X-Spam-Level: " in the message header
move it to the "Spam" folder
  and stop processing more rules

Apply this rule after the message arrives
with "X-Spam-Level: *" in the message header
move it to the "Possible Spam" folder
  and stop processing more rules


The rest of my rules then filter mailing lists into mailboxes.  I check
the Possible Spam for false positives every day, and the Spam once a week
or so.

  - dan
--
Dan Kohn 
  
Essays announced on 

-Original Message-
From: Michael C. Berch [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 03, 2002 13:24
To: Spamassassin List
Subject: Re: [SAtalk] [Fwd: I have some exclusive information for you.]


It seems to me that it would be useful to have a single repository of 
false negatives (i.e., stuff that slipped past SA) with some sort of 
automated process to crunch the messages to produce fodder for rules 
updates.

This would be most useful for body tests, since people would be using 
all sorts of methods of re-sending the messages, including manual 
cut-and-paste and other methods which do not preserve the original 
intact header.

One meta-rule is that we might not want to consider messages that scored
above a certain threshold, since most people's SAs would have caught 
them anyway.  (There's no point in looking at a message that scored 5.5 
which someone sent it because it got through their SA that is set to 
trigger at 6.0, for example.) One interesting number to know would be 
what percentage of SA users use the default score (5) as the spam 
threshold, and how many have raised or lowered it.

I think this would help keep the spam-phrases, porn_NN, etc., rules 
fresh.

I'm not volunteering (yet) but I have some ideas about how this might 
work.

--
Michael C. Berch
[EMAIL PROTECTED]





Re: [SAtalk] rule for IMG

2002-05-04 Thread Craig R Hughes

There's a lot of nonspam which uses IMG too, things like Amazon order
confirmations, fancier newsletters, etc, etc.  Still, might be the case that
it's a useful rule with a low score.

C





Re: [SAtalk] rule for IMG

2002-05-04 Thread LuKreme



> There's a lot of nonspam which uses IMG too, things like Amazon order
> confirmations, fancier newsletters, etc, etc.  Still, might be the case
> that it's a useful rule with a low score.

But is it more useful than the HTML check?

Is there a reason to have both?

-- 
You are responsible for your rose.






Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread LuKreme



> I added my own rule to check the message body (no mime-parsing)
> instead of the Content-Type: header since klez usually comes as an
> attachment :

That looks pretty nice.  Can procmail do that as well?  (Never used
procmail except to trigger SA).
If so, that would solve the problem for me as I could simply filter mail
that contains an exe or vbs or something.  My mom would appreciate that.


-- 
You are responsible for your rose.






Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Craig R Hughes

SpamAssassin does not do virus checking for one simple reason:

it would be horrendously inefficient at it.  Virus checking vs Spam checking is
analogous to the difference between cmp and diff.  One is looking at the
bit-level (more or less), while the other is looking for much higher-order
patterns.

There are certainly grey areas, such as the attached auto-porn-dialler things,
but I think I have a pretty decent way of clarifying what I think SA should scan
for vs what a Virus checker should scan for.  SA will try to identify messages;
Virus scanners should try to identify "bad" executables.  Most messages are not
executable.  Some messages might be "executable", which for example is why we do
look for IFRAME tags in SA at the moment.  The case of the porn-auto-dialler
though is not a case of a message which happens to be executable -- the dialler
part is more like a virus/trojan than it is part of the message the porn guy's
trying to get across.

If you want to look for particular MIME types, try something like MIMEDefang
which specializes in that, and can even invoke SA as part of its scanning.  If
you want to look for viruses in general, use Amavis or some such in parallel
with SA.

The argument "Well, SA is already looking at the message, so it's convenient to
add it in there" is akin to "Well, I've just landed in the 747 at the airport;
it's a transportation device, why can't it just transport me right to my front
door?".  Sure, there are some similarities between virus and spam scanning, in
that both involve scanning email content.  A car and an airplane both have
engines.  But the engines are very very different in both cases.

C





Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Bart Schaefer

On Sat, 4 May 2002, LuKreme wrote:

> 
> 
> > I added my own rule to check the message body (no mime-parsing)
> > instead of the Content-Type: header since klez usually comes as an
> > attachment :
> 
> That looks pretty nice.  Can procmail do that as well?

Of course.  See for example

http://www.impsec.org/email-tools/procmail-security.html






Re: [SAtalk] More on mailing lists that test as spammers

2002-05-04 Thread Robert Fleming

--On Saturday, May 4, 2002 1:00 AM -0600 Syth <[EMAIL PROTECTED]> is rumoured to 
have written:

> OK, related question:  What's the best way to allow emails from this list
> to get through to me without completely whitelisting the list?  Is there
> a way I can define a user_pref that says "If From is [EMAIL PROTECTED]
> then -1.5" or something?
>
> How do other people handle this?

I use maildrop, and have all my listserv subscriptions filtered (and moved 
to different imap folders) before I invoke spamassassin.  This of course 
won't work if you're using POP3.



--

"Never underestimate the bandwidth of a station wagon full of tapes
hurtling down the highway."
-- Andrew S. Tanenbaum - Computer Networks




[SAtalk] checking ml admin bounce messages

2002-05-04 Thread Randy Bush

freebsd 4.5-stable
exim 4.03
procmail 3.15
spamassassin 2.1q

i admin many majordomo lists.  i get garbage such as

To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: BOUNCE [EMAIL PROTECTED]:Non-member submission from 
[¹é¸¸ÀåÀÚŬ·´ <[EMAIL PROTECTED]>]   
Date: Fri, 03 May 2002 16:30:19 -0700

>From [EMAIL PROTECTED] Fri May 03 16:30:18 2002
Received: from [211.225.8.21] (helo=hanmail.net)
by psg.com with smtp (Exim 3.36 #1)
id 173mVG-000CJN-00
for [EMAIL PROTECTED]; Fri, 03 May 2002 16:30:18 -0700
Reply-To: [EMAIL PROTECTED]
From: ¹é¸¸ÀåÀÚŬ·´ <[EMAIL PROTECTED]>
To:  <[EMAIL PROTECTED]>
Subject: [±¤°í]Àý´ë ÃëÁ÷ÇÏÁö¸¶¶ó
Sender: ¹é¸¸ÀåÀÚŬ·´ <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/html; charset="ks_c_5601-1987"
Date: Sat, 4 May 2002 08:33:41 +0900
Message-Id: <[EMAIL PROTECTED]>




¾È³çÇϼ¼¿ä?



http://goal7.starhana.com/"; target="_blank">http://i.kebi.com/~c2s7109/pr_1.gif"; width="395" height="383" border="0">
¾È³çÇϼ¼¿ä? 21¼¼±â ÀÏ»ýÀÏ´ëÀÇ ±âȸ°¡ ´ç½Å¿¡°Ô ¿Ô½À´Ï´Ù

i.e. spam encapsulated in a bounce report.  some are good, i.e. valid
messages from non-subscribers, e.g. valid cross-posters.  so i can't
just tube them en masse.

is there a recipe/hack to filter these as if the body was a header+body?

also, is there a *searchable* spamassassin mailing list archive?

randy
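
One way to do what the question above asks, as an added example that is not part of the original post: treat the body of a list-manager BOUNCE as a message in its own right, so a filter sees the encapsulated headers and body. The function names, the addresses and the sample bounce are constructed; the layout (outer headers, blank line, a `>From ` line, then the original message) follows the bounce quoted in the post.

```python
import email

# Constructed sample in the layout of the bounce quoted in the post.
SAMPLE_BOUNCE = (
    b"To: owner-list@example.org\n"
    b"From: owner-list@example.org\n"
    b"Subject: BOUNCE list@example.org:Non-member submission from [x@example.net]\n"
    b"Date: Fri, 03 May 2002 16:30:19 -0700\n"
    b"\n"
    b">From x@example.net Fri May 03 16:30:18 2002\n"
    b"Received: from [192.0.2.21] (helo=example.net)\n"
    b"\tby mx.example.org with smtp id CONSTRUCTED-00\n"
    b"From: Someone <x@example.net>\n"
    b"To: <list@example.org>\n"
    b"Subject: constructed advertisement\n"
    b"Mime-Version: 1.0\n"
    b'Content-Type: text/html; charset="us-ascii"\n'
    b"\n"
    b"<html><body>constructed body</body></html>\n"
)


def unwrap_bounce(raw: bytes):
    """Return the encapsulated message of a BOUNCE report, or None."""
    outer = email.message_from_bytes(raw)
    # str() copes with 8-bit subjects, which parse to Header objects.
    if not str(outer.get("Subject", "")).startswith("BOUNCE "):
        return None                      # ordinary mail: scan it unchanged
    body = outer.get_payload(decode=True)
    if body is None:                     # multipart outer message: not this layout
        return None
    lines = body.lstrip(b"\r\n").splitlines(keepends=True)
    # Drop the mbox-style separator the list manager puts before the original.
    if lines and lines[0].startswith((b">From ", b"From ")):
        lines = lines[1:]
    inner = email.message_from_bytes(b"".join(lines))
    # No parsed headers means the body was not an encapsulated message.
    return inner if inner.keys() else None


def scannable(raw: bytes) -> bytes:
    """Bytes to hand to the spam filter: the inner message when there is one."""
    inner = unwrap_bounce(raw)
    return inner.as_bytes() if inner is not None else raw
```

Scoring the output of `scannable()` instead of the raw bounce lets header and body rules apply to the original submission, while the outer report is still what gets delivered or discarded.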





Re: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Kaitlin Duck Sherwood

I'm a Mac user, so I presume a virus-checker wouldn't find the Windows viruses.

I'm getting enough Klezes that just the sheer volume is a nuisance.

There are a lot of virii that use the same basic vector: using

to launch the attachment as soon as the message is viewed.

Thus, looking for
src\s?=\s?cid:   (<- perl notation)
is a fine way to get rid of Klez-type nuisance messages.

You might even be able to get away with looking for
\Wcid:



-- 
Kaitlin Duck Sherwood
Author of the _Overcome Email Overload_ series, 
http://www.OvercomeEmailOverload.com
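
The two patterns from the message above, run over constructed bodies (an added example, not part of the original post). The sample fragments and the `classify` helper are assumptions made for illustration; the quoted-printable decoding step is there because the HTML part shown at the top of the thread is quoted-printable, where `=` is written `=3D`.

```python
import quopri
import re

NARROW = re.compile(r"src\s?=\s?cid:", re.I)  # first pattern in the post
BROAD = re.compile(r"\Wcid:", re.I)           # looser pattern in the post

# Constructed quoted-printable bodies; none is taken from a real message.
SAMPLES = {
    "unquoted_src": b"<html><x src=3Dcid:part1 height=3D0></html>",
    "quoted_inline_image": b'<img src=3D"cid:logo@example.org">',
    "plain_text_mention": b"See RFC 2392 for the cid: URL scheme.",
    "remote_image": b'<img src=3D"http://example.org/a.gif">',
}


def classify(raw_body: bytes, decode_qp: bool = True) -> dict:
    """Report which of the two patterns fire on a body part."""
    data = quopri.decodestring(raw_body) if decode_qp else raw_body
    text = data.decode("latin-1")  # byte-preserving; the patterns are ASCII
    return {
        "narrow": bool(NARROW.search(text)),
        "broad": bool(BROAD.search(text)),
    }


def report() -> dict:
    """Classify every constructed sample after quoted-printable decoding."""
    return {name: classify(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:22} {hits}")
```

On these samples the narrow pattern fires only on the unquoted `src=cid:` form, the broad one also fires on a quoted inline image and on a plain-text mention of `cid:`, and neither fires on the still-encoded `src=3Dcid:` bytes.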




[SAtalk] [RULE] SPAM regarding international drivers license...

2002-05-04 Thread Daniel Pittman

I get a few of these and almost without exception they don't hit any
existing rule. So, how about:

body WANT_TO_DRIVE  /(want|need|desire|like).{0,20}(drivers?[ \t]+)?licen[sc]e/i
describe WANT_TO_DRIVE  Asks if you want a drivers license.

full INTERNATIONAL_LICENSE /international.{1,15}(drivers?.{1,15})?licen[cs]e/i 
describe INTERNATIONAL_LICENSE Tries to sell you on an international license.

full LEGAL_MANY_PLACES  /legal.{1,15}[0-9]+\s*(states?|(count|cit|countr)(ys?|ies))/i
describe LEGAL_MANY_PLACES If it was legal everywhere, would you need to advertise the fact?

Daniel

-- 
Why could one never do a natural thing without having to
screen it behind a structure of artifice?
-- Edith Wharton,  _House of Mirth_




[SAtalk] Assuming whitelisting by default. (was Re: rule for IMG)

2002-05-04 Thread Daniel Pittman

On Sat, 04 May 2002, Kaitlin Duck Sherwood wrote:
> Craig said:
>>   > There's a lot of nonspam which uses I-M-G too, thing like Amazon
>>   > order confirmations, fancier newsletters, etc, etc.
> 
> Though those are easy to whitelist. Is the philosophy here to assume
> that the user isn't whitelisting? (<- That's not a hostile question, I
> just don't know.)

In my opinion -- and I am not a core developer here -- it should be.
Whitelisting should be a "nothing else works" solution, not an
assumption that everything is that way.

The main reason for this, of course, is that I use SpamAssassin because
I get five to ten times the volume of SPAM through mailing lists to
which I am subscribed than I do directly.

So, whitelisting any mailing list service is, for me, a loss overall.

Daniel

-- 
My fate cannot be mastered; it can only be collaborated with
and thereby, to some extent, directed. Nor am I the captain
of my soul; I am only the noisiest passenger.
-- Aldous Huxley




Re: [SAtalk] Brute force spam prevention for NSP's

2002-05-04 Thread Olivier Nicole

Jeremy,

>STARTTLS tunneled mail does not take kindly to being transparently
>redirected, especially if client certificates are being used.  Not
>sure what percentage of your customers would be using TLS mail, but a
>false positive redirect would break things.


I'd believe not many spammers use TLS, because it increases the xmit
cost and the software is not designed to. Plus it would kind of break
their anonymity, which they would not be very happy about.

As I said, redirect only identified, and complained about, spammers.

Olivier




Re: [SAtalk] RFC: ok_languages patch

2002-05-04 Thread Olivier Nicole

Besides the interest for selected languages, I see another general
interest in that piece of code: applying rules depending on the
language.

Why try to find "click below" if the message is detected to be in
French?

That could lead to building rules with language variants: one single
CLICKBELOW rule would have alternatives in French, English, whatever,
but it would be only one rule. Of course the describe would have
language variants too.

In future, I think that any rule that contains words should be allowed
to have language variants.

Olivier




Re: [SAtalk] rule for IMG

2002-05-04 Thread Olivier Nicole

> > install SA and silently drop spam traffic.
> Oooo!  that is clever.  I like it I like it.

Remember it is dropping the mail at source, not at destination.

And why take any precaution with identified spammers, who have been
going against the rules for years?  If they are not happy they can
still leave.

Olivier




[SAtalk] Re: Brute force spam prevention for NSP's

2002-05-04 Thread Alan Shutko

Olivier Nicole <[EMAIL PROTECTED]> writes:

> As I said, redirect only identified, and complained about, spammers.

Good luck on avoiding false positives.  Any reason you think you can
completely avoid them when _every_ previous attempt has failed? 

-- 
Alan Shutko <[EMAIL PROTECTED]> - In a variety of flavors!
Lemmings don't grow older, they just die.




[SAtalk] Re: Brute force spam prevention for NSP's

2002-05-04 Thread Olivier Nicole

>Good luck on avoiding false positives.  Any reason you think you can
>completely avoid them when _every_ previous attempt has failed?

Once again, I am not the ISP, but I would have no remorse at all about
mishandling a false positive for a known spammer (the kind of guy you
receive 50 complaints a week about).

Once again, I'd filter at the source, only email *sent by* the
spammer, not at the destination. So it will hurt the spammer only, no
other internet user.

Olivier




RE: [SAtalk] Re: Ick Viruses!

2002-05-04 Thread Michael Moncur


> I would not be interested in putting in rules for catching every pissant
> windows virus out there, however, if there were a provided set of rules
> (i.e. in a contrib section or similar) that would catch the
> headline-making-windows-worms stuff, that would be a great improvement.
> (I understand the reasons for not making SA into a general purpose virus
> scanner - and agree with them. Most of us I'd say are not asking for a
> general purpose one.)

I was going to contribute a rules file for just this purpose, but after
working on it for a while and having a heck of a time getting SA rules to
detect certain viruses, I decided it would be massively easier to just
install a virus scanner instead. Why reinvent the wheel? Everyone who
contributes to SA could spend all of their time keeping up with the latest
virus mutations, or we could just focus on trapping spam and let the virus
scanners do their own job.

I am using Odeiavir at the moment, it's basically a wrapper for QMail that
calls FPROT or another virus scanner. Here's the URL:
http://virus.isverybad.org/

If SA was going to have *any* virus support at all, I'd rather it just had
an optional eval rule that calls FPROT or sophos or another easily
available, regularly updated virus scanner. Heck, there's even an
open-source one in development:
http://www.openantivirus.org/

--
michael moncur   mgm at starlingtech.com   http://www.starlingtech.com/
"The ships hung in the sky in much the same way that bricks don't."
-- Douglas Adams

