RE: [SAtalk] Ruleset for RND UC CHAR spam

2003-12-20 Thread Aaron Everett
SUBJ_RAND_UC_CHAR is working well... but I just saw a variant come
through.

Subject:  Re: XBHGX,7844, tales of these

Looks like we'll need another rule for this guy - I guess it would be
something like:

Subject =~ /^Re:\s[A-Z]{2,8},\s[0-9]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/

Can someone confirm the syntax?  I'm new at rule writing.

Aaron Everett
Network Administrator
Forte Design Systems
425-869-4227 ext 125
425-869-4229 FAX
[EMAIL PROTECTED]
http://www.forteds.com
http://support.forteds.com


I've stopped 10,957 spam messages. You can too!
One month FREE spam protection at http://www.cloudmark.com/spamnetsig/
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Brent J. Nordquist
Sent: Friday, December 19, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Ruleset for RND UC CHAR spam

On Fri, 19 Dec 2003, Christopher X. Candreva wrote:

> A Spam got through SA last night, with two things I hadn't seen before -
> Yet another form of a %RANDOM variable that isn't replaced by a value:
> 
> Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned

Heh, yeah, the developer clearly screwed up in early revisions of their
spam software.  Seeing a literal %RND_UC_CHAR[2-8] is a dead giveaway;  
later revisions are sending 2-8 random upper-case characters in that
spot.

As people pointed out, the backhair set (THANKS Jennifer) helps detect
this one, but many were still getting through here.  So here is my
solution; this plus backhair catches all the ones I've seen so far.

#
# $Id: rnd_uc_char.cf,v 1.2 2003/12/19 20:08:50 bjn Exp $
# SpamAssassin RND_UC_CHAR pattern
#
# Thanks to "Christopher X. Candreva"
#
# http://marc.theaimsgroup.com/?l=spamassassin-talk&m=107184646319270&w=2
#
# This type of email is generated by some kind of spamware package.
# The first pattern shows where the developer screwed up.  :-)
# The second pattern is where they fixed their bug; we might have
# false-positives there, so use a tight pattern and score it lower.
# The third pattern appears in all emails I've seen of this type.
#

###

header SUBJ_RND_UC_CHAR_L   Subject =~ /\%RND_UC_CHAR/
describe SUBJ_RND_UC_CHAR_L Subject contains literal RND_UC_CHAR tag
score SUBJ_RND_UC_CHAR_L    5.0

header SUBJ_RND_UC_CHAR     Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
describe SUBJ_RND_UC_CHAR   Subject fits RND_UC_CHAR pattern
score SUBJ_RND_UC_CHAR      2.0

header XOIP_RND_UC_CHAR     X-Originating-IP =~ /\[.*\.(com|net|org|biz).*IP\]/
describe XOIP_RND_UC_CHAR   X-Originating-IP fits RND_UC_CHAR pattern
score XOIP_RND_UC_CHAR      2.0

-- 
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
Other contact information:
http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray
http://tinyurl.com/7sti



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for
IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys
admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




Re: [SAtalk] dont scan

2003-12-20 Thread Barry Porter
On 17/12/2003 18:44,  Ricki wrote:

> I was wondering, Is there a was to prevent spamassassin from scanning
> mail from a particular IP address ?

I use a perl script to check for a specific received line in each mail,
if it is there, it is a local mail and should not be scanned.

This is the script, courtesy of Sebastian Breier:

*** START PERL SCRIPT
#!D:/Perl/bin/perl.exe

use strict;
use warnings;

# Usage: script.pl <input mail file> <output file>
open(MAIL, '<' . $ARGV[0]) or die "cannot open $ARGV[0]: $!";
my @mail = <MAIL>;
close(MAIL);

# Look for the Received line our own server adds for mail from the LAN or localhost
my $result = grep(/Received: .+ \((192\.168\.1\..+|127\.0\.0\.1)\) by servername\.domain\.name \(Mercury\/32 v4\.01a\)/, @mail);

my $exitvalue = 0;
if (!$result) {
    # Special Received line not found, so mail is non-local (check for spam)
    `Call D:\\perl\\bin\\spamassassin.bat -D -e < $ARGV[0] > $ARGV[1]`;
    $exitvalue = ($? >> 8);   # exit status of spamassassin (-e: non-zero if spam)
}

if (!$exitvalue) {
    $exitvalue = 0;
}

exit($exitvalue);

*** END PERL SCRIPT


I call this from my mail server and it does the rest.

HTH,

--
Regards
Barry
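As an added example (not Barry's or Sebastian Breier's code, and not part of the original post), the Python block below does the same local-mail test through a header parser rather than a line-by-line grep of the whole file. It keeps Barry's pattern and his placeholder host name but looks only at the topmost Received header, the one the site's own server stamps on, and it unfolds that header first. That is the case where the line-by-line version silently fails: a Received field folded across two lines never matches a single-line pattern, so the message is scanned as if it were non-local. The sample messages are constructed.

```python
import re
from email import message_from_string

# Barry's pattern verbatim (line-by-line check over the raw file, as the
# posted script does). servername.domain.name is the post's placeholder.
LINE_PATTERN = re.compile(
    r"Received: .+ \((192\.168\.1\..+|127\.0\.0\.1)\) by servername\.domain\.name "
    r"\(Mercury/32 v4\.01a\)")

# The same hop test without the field name, for an unfolded header value.
HOP_PATTERN = re.compile(
    r".+ \((192\.168\.1\..+|127\.0\.0\.1)\) by servername\.domain\.name "
    r"\(Mercury/32 v4\.01a\)")

def line_grep(raw):
    """What the posted script does: any raw line, header or body, matching."""
    return any(LINE_PATTERN.search(line) for line in raw.splitlines())

def received_headers(raw):
    """All Received fields, topmost first, folding whitespace collapsed."""
    msg = message_from_string(raw)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]

def is_local(raw):
    """True only if the topmost Received hop, the one our own server added,
    shows the message arriving from the LAN or from localhost."""
    hops = received_headers(raw)
    return bool(hops) and HOP_PATTERN.search(hops[0]) is not None

def wants_scan(raw):
    """The script's decision: run SpamAssassin unless the mail is local."""
    return not is_local(raw)

# Constructed test messages. The local one has its Received header folded
# across two lines, which is routine for real MTAs.
LOCAL_MAIL = (
    "Received: from pc23 (192.168.1.23)\n"
    "  by servername.domain.name (Mercury/32 v4.01a); Sat, 20 Dec 2003 10:00:00 +0000\n"
    "From: alice@domain.name\n"
    "To: bob@domain.name\n"
    "Subject: lunch\n"
    "\n"
    "see you at noon\n")

REMOTE_MAIL = (
    "Received: from mx.example.org (203.0.113.7)\n"
    "  by servername.domain.name (Mercury/32 v4.01a); Sat, 20 Dec 2003 10:01:00 +0000\n"
    "Received: from relay (192.168.1.5) by mx.example.org; Sat, 20 Dec 2003 09:59:00 +0000\n"
    "From: sender@example.org\n"
    "To: bob@domain.name\n"
    "Subject: offer\n"
    "\n"
    "some text\n")

if __name__ == "__main__":
    for name, raw in (("LOCAL_MAIL", LOCAL_MAIL), ("REMOTE_MAIL", REMOTE_MAIL)):
        print(name, "line_grep:", line_grep(raw), "is_local:", is_local(raw))
```

Checking only the first hop matters because the lower Received lines were written by other people's servers; the remote sample carries a 192.168.1.x address in its second hop, and that hop must not count.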





RE: [SAtalk] Spammer causing Denial Of Service

2003-12-20 Thread Matthew Western,R&D Aust
it's still a pain to block them at the gateway.  i spent about 4 hours
chucking in numbers into iptables and still they came in.  i found out it
was this stupid new remote access trojan that acts as spam relays.  i turned
on dnsbl.sorbs.net and haven't looked back since.  had about a week where i
watched mail being blocked and chucked about 6 australian isps into the
/etc/mail/access file and nobody has complained since.  we can use our
email link again for surfing, which we couldn't before.  i had about
15-20 idiots sending me random email addresses at our domain.  goodness
knows what that proves, except perhaps to bounce back to someone else as
spam.  

goto www.sorbs.net - they are the business...

-Original Message-
From: Scott Harris [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 20, 2003 12:49 AM
To: 'Scott Williams'; Spamassassin-List
Subject: RE: [SAtalk] Spammer causing Denial Of Service


 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Scott Williams
> Sent: Thursday, December 18, 2003 11:10 PM
> To: Scott Williams
> Cc: Spamassassin-List
> Subject: [SAtalk] Spammer causing Denial Of Service
> 
> I was looking at the SA logs and noticed how a spammer would 
> open up multiple sessions all to one target address. He 
> opened 15 sessions in 10 seconds and proceeded to hold them 
> for 5 minutes until I timed out on the connections. So for 5 
> minutes my filter was essentially rendered useless since I 
> limit it to 15 simultaneous connections due to hardware limitations.
>  
> Has anyone else seen this?  What would be the best solution 
> to combat this?
>  
>  
> 

I've seen this before.  I'm not sure if it is malicious, or they are 
just trying 30 different email address all at the same time.  I just
block them at the router/gateway level on a per IP basis.

Scott
 





RE: [SAtalk] bigevil 2.04 posted

2003-12-20 Thread Matthew Western,R&D Aust
hmm.  i love www.sorbs.net dns BL.  he says we can help by running a server
to help catch more rubbish and report it.   

out of interest, does anybody do that here?

-Original Message-
From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 6:50 AM
To: 'Gary Funck'; Spamassassin List
Subject: RE: [SAtalk] bigevil 2.04 posted


Actually my email gateway is behind a firewall :)  I do some really crazy
stuff because I'm a paranoid security nut. Never on the same machine. 1
machine for 1 job. No other processes, no remote access, local only. 

  I don't firewall a lot. You have to really bother me to get placed in the
list. This domain was brand new (Dec 6th) and blatant spam, I just decided
to deny all http + mail traffic from there. More people doing that might
discourage spammers, might not. Sort of a HTTP proxy blacklist. (It would be
nice if I ever get off my butt and finished my squid proxy project. The
server has been running unused, in my office, 5 feet from me for about a
year!) 

Cisco router wouldn't handle 1000's. At least not the 26XXs I have here. But
I doubt I have more than 50 ips listed. 

IPtables is better than ipchains. Stateful inspection and such. So if you're
going to learn one, learn iptables. Deny all, allow only what you want. 

HTH
Chris

> -Original Message-
> From: Gary Funck [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 17, 2003 2:51 PM
> To: Spamassassin List
> Subject: RE: [SAtalk] bigevil 2.04 posted
> 
> 
> 
> Hi Chris, welcome back. I've been running with the prior
> version of BigEvil, and they're working great. Thanks for all
> your hard work.
> 
> quick question:
> 
> > For fun, check out http://www.rollie.biz/  , yeah that IP 
> got a listing in
> > my firewall now.
> 
> When you say "firewall", above, does that mean in your MTA 
> sitting on a
> firewalled machine, or in the router? I ask
> because we have a Cisco router here, but I doubt it is 
> feasible to feed it
> thousands of IP addresses to deny routing.  Now with 
> ipchains, that sort
> of thing might
> be feasible?
> 
> 
> 
> 




RE: [SAtalk] bigevil 2.04 posted

2003-12-20 Thread Peter SJF Bance
> hmm.  i love www.sorbs.net dns BL.  he says we can help by 
> running a server
> to help catch more rubbish and report it.   
> 
> out of interest, does anybody do that here?

You don't need to run your own server to do that - try www.spamcop.net

--
Peter SJF Bance CEng MBCS
CESG and BCS Listed Security Adviser
http://www.minstrel.org.uk/





[SAtalk] Provider issue

2003-12-20 Thread Erik van der Meulen
Dear group - 

I used to run SA local on my Linux mailserver with great results. I was
quite pleased. Some time ago, I discovered that my ISP also started
filtering through SA and delivering the mail to my spool already tagged.
This seemed to cause some conflict with my local setup, because that
would interpret the other spam-report as content of a genuine mail
message.
My answer to that was to disable my local SA check and only filter on
the results generated by my ISP's check.

It turns out that this left me with 2 problems:

- Less control over threshold, black and white list and learning.
- My ISP is not too frequent with his upgrading. Currently he runs 2.55
  while SA is at 2.61

Result is that numerous messages a day pass through!

Now I thought of the following scenario:

If I filter my incoming mail first with:

  spamassassin -d

in order to get 'vanilla' messages (remove signs of my ISP's check) and
consecutively do a normal SA spam-check as I used to.

Would anyone be able to comment on whether this is possible and safe? And
what procmail lines would be best to accomplish this. That would be very
helpful. I am no expert at this and always a little cautious when live
mail is involved...

Thanks a lot!

--
  Erik van der Meulen <[EMAIL PROTECTED]>




RE: [SAtalk] Ruleset for RND UC CHAR spam

2003-12-20 Thread Brent J. Nordquist
On Fri, 19 Dec 2003, Aaron Everett <[EMAIL PROTECTED]> wrote:

> Subject:  Re: XBHGX,7844, tales of these

Yes; in looking closer at the ones I've seen, I find one of this variant
also.  It just had enough backhair that it was caught anyway.  :-)  Also,
my sample of that variant has more than 8 upper-case letters.  So here's
the revised rule I'm now using which will catch both kinds of subject:

Subject =~ /^Re:\s[A-Z]{2,},(\d+,)?\s[a-z]+\s[a-z]+\s[a-z]+\s*$/

-- 
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti
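As an added check that is not part of the thread, the Python block below runs the three subject patterns quoted in it (Brent's original SUBJ_RND_UC_CHAR, Aaron's proposed variant, and Brent's revised rule) against constructed subjects modelled on the two shapes seen. Perl and Python regex syntax agree for everything these patterns use, so the results carry over to the .cf file. The hit matrix makes two things visible that the prose alone does not: the proposed variant requires a space after the first comma (`,\s[0-9]`) while the quoted sample has none, so it would never fire on it, and the revised rule's `{2,}` is what picks up the sample with more than eight capitals.

```python
import re

# Subject patterns as posted in the thread. Perl and Python regex syntax
# agree for everything used here (\s, \d, {m,n}, ^ and $).
RULES = {
    # Brent's original SUBJ_RND_UC_CHAR header rule
    "SUBJ_RND_UC_CHAR": re.compile(
        r"^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$"),
    # Aaron's proposed rule for the "XBHGX,7844, tales of these" shape
    "AARON_PROPOSED": re.compile(
        r"^Re:\s[A-Z]{2,8},\s[0-9]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$"),
    # Brent's revised rule: optional digit group, no upper bound on capitals
    "REVISED": re.compile(
        r"^Re:\s[A-Z]{2,},(\d+,)?\s[a-z]+\s[a-z]+\s[a-z]+\s*$"),
}

# Constructed subjects (not real mail): the two spam shapes quoted in the
# thread, one with more than eight capitals, and two ordinary subjects
# that must not fire.
SUBJECTS = {
    "orig_shape":  "Re: KQZP, he inadvertently turned",
    "digit_shape": "Re: XBHGX,7844, tales of these",
    "long_caps":   "Re: ABCDEFGHIJK, tales of these",
    "ham_prose":   "Re: Dinner on friday night",
    "ham_four":    "Re: AB, a b c d",
}

def fired(subject, rules=RULES):
    """Names of the rules whose pattern matches this Subject value."""
    return [name for name, pat in rules.items() if pat.search(subject)]

def hit_matrix(subjects=SUBJECTS, rules=RULES):
    """Rule-by-subject table: the check to run before shipping a new rule,
    so that a regex change is measured on both spam and ham samples."""
    return {label: fired(text, rules) for label, text in subjects.items()}

if __name__ == "__main__":
    for label, hits in hit_matrix().items():
        print(f"{label:12s} {SUBJECTS[label]!r:40s} -> {hits or '-'}")
```

The two ham subjects are the reason to keep such a table around: the revised rule still demands exactly three lower-case words after the capitals, which is what keeps an ordinary "Re: AB, a b c d" from scoring.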





Re: [SAtalk] Excessive amavisd memory use with spamassasin 2.6 on ppc platform

2003-12-20 Thread Mike Vanecek
On Fri, 19 Dec 2003 21:21:02 +, Iain Stevenson wrote
> System:
> 
> Linux ppc (basically Yellowdog), 2.4.21 kernel
> Postfix
> amavisd-new-20030314
> spamassassin 2.6 or 2.61
> clamav-0.65
> 
> System is configured to use the spamd interface to spamassassin.  If 
> I install the 2.6 or 2.61 version of spamassassin the memory used by 
> amavisd just climbs and climbs until the system grinds almost to a 
> halt. Over-writing back to the old version of spamassassin cures the 
> problem. What's up?

My setup on RedHat 9 is Postfix 2x, amavisd-new-p5, SA 2.61, and fprot. I have
zero such problems. However, amavisd calls spamassassin, not spamd. You may
find it works better not using spamd?





Re: [SAtalk] Excessive amavisd memory use with spamassasin 2.6 on ppc platform

2003-12-20 Thread cami
| System:
|
| Linux ppc (basically Yellowdog), 2.4.21 kernel
not that it should make any difference, but, you could
go through a trial and elimination process by upgrading
each software component to the latest version (start
with your kernel).
| Postfix
| amavisd-new-20030314
| spamassassin 2.6 or 2.61
| clamav-0.65
|
| System is configured to use the spamd interface to spamassassin.  If I
you really shouldn't be passing mails back and forth since the whole
point of amavisd would be to do direct library calls, it's far more
efficient..

| install the 2.6 or 2.61 version of spamassassin the memory used by
| amavisd just climbs and climbs until the system grinds almost to a
| halt. Over-writing back to the old version of spamassassin cures the
| problem. What's up?
don't use 2.6 .. it has memory leaks when expiring bayes entries
(you'll have to check the changelog for specifics)
regards,
cami




[SAtalk] auto whitelist questions

2003-12-20 Thread Gary Funck

[I'm reposting this question. I think it might've gotten lost in the
many messages over the past few days.]



Hello,

I've been using auto whitelist for a while now, but today while doing some
experimentation I'm wondering if the explicit (auto) white listing feature
is working at all (version 2.61)? I'm also unsure of the exact syntax for
explicitly (auto) white listing an address.

I begin by trying to dump the auto whitelist database using the
check_whitelist command located in the SA tools directory.

% tools/check_whitelist | sort +0n -1 | less

outputs lines such as the following:

   -20.2   (-20.2/1)  --  [EMAIL PROTECTED]|ip=205.206
   -20.2   (-20.2/1)  --  [EMAIL PROTECTED]|ip=205.206
   -18.6   (-18.6/1)  --  [EMAIL PROTECTED]|ip=205.206
   -18.6   (-18.6/1)  --  [EMAIL PROTECTED]|ip=205.206
   -18.0   (-18.0/1)  --  [EMAIL PROTECTED]|ip=205.206
   -17.8   (-17.8/2)  --  [EMAIL PROTECTED]|ip=64.4
   -16.5  (-16.5/11)  --  [EMAIL PROTECTED]|ip=64.4
    -9.5    (-9.5/1)  --  [EMAIL PROTECTED]|ip=127.0
    -9.5    (-9.5/3)  --  [EMAIL PROTECTED]|ip=127.0

The lines above have the smallest values in the database, and therefore as I
understand it would add the stated negative score to the total.

Question: where are the entries that I tried to explicitly add?
Does check_whitelist skip over them?

I tried the following:
% spamassassin --add-addr-to-whitelist '[EMAIL PROTECTED]'
and then dumped the database again in sorted score order, but there
was basically no change in where the named address showed up:

 1.8 (1.8/5)  --  [EMAIL PROTECTED]|ip=216.60

with the 1.8 weight it is still looking a little bit spammy.

Question: will --add-addr-to-whitelist accept the ip address syntax
shown in check_whitelist above? Stated differently, if I know the
IP address how do I enter it with the --add-addr-to-whitelist switch?






[SAtalk] checking outgoing mail

2003-12-20 Thread Jeff Koch
Hi,

We've been burned a few times by spammers getting into our servers to send 
out spam. Does anyone know (or can provide a reference) for how SA could be 
integrated into qmail to examine outgoing emails?

Thanks.

Jeff Koch 





Re: [SAtalk] Provider issue

2003-12-20 Thread Martin Radford
At Sat Dec 20 11:29:26 2003, Erik van der Meulen wrote:
> 
> Dear group - 
> 
> I used to run SA local on my Linux mailserver with great results. I was
> quite pleased. Some time ago, I discovered that my ISP also started
> filtering through SA and delivering the mail to my spool already tagged.
> This seemed to cause some conflict with my local setup, because that
> would interpret the other spam-report as content of a genuine mail
> message.
> My answer to that was to disable my local SA check and only filter on
> the results generated by my ISP's check.

You should talk to your ISP.  First of all, they should not have
introduced spam filtering without telling their customers first.
Secondly, you should ask if they are able to turn off filtering on
your account so you can do it yourself.

My own ISP has recently announced plans to start filtering mail at
some point early next year.  Their plan is to filter mail by default,
but to allow subscribers to opt-out.  Their web interface is already
set up to allow opt-out (even before they've introduced the service)
and I've chosen to do so (not least because I want a complete set of
spam for my contributions to SA's mass-checks).

Martin
-- 
Martin Radford  |   "Only wimps use tape backup: _real_ 
[EMAIL PROTECTED] | men just upload their important stuff  -o)
Registered Linux user #9257 |  on ftp and let the rest of the world  /\\
- see http://counter.li.org |   mirror it ;)"  - Linus Torvalds _\_V




[SAtalk] Browser Bug: Very bad in IE and varies on Netscape and Mozilla]

2003-12-20 Thread Lucas Albers
Another mailing list pointed out the new ie exploit.
What would be the SA code to detect/block such an exploit in email?
Here's an untested, potentially cpu intensive rule to detect this. I am not
recommending this rule, but looking for an improved version of it.

uri KAM_URIPARSE /^[^\/]*\%0[01][^\/]*\@/

From:"Kevin A. McGrail" <[EMAIL PROTECTED]>


WARNING: There is documentation of a scam in this document.  Read the
document, don't feel the need to click on things!

Not to alarm everyone, but I feel that there is a bug/scam that more
people need to know about that I found out about last week.  This bug
causes some browsers, notably Internet Explorer but ALSO AFFECTING
NETSCAPE AND MOZILLA TO SOME EXTENT, to parse web links incorrectly and
allow a person to nearly perfectly cover up the fact that they are
redirecting you to a different link.

I believe this bug should be identifiable in SpamAssassin but I have seen
a few different techniques and I am not 100% sure what the bug is! 
Something akin to this (tested but I don't make a lot of rules):

# This rule is to mark emails using the exploit of the URI parsing
uri KAM_URIPARSE /\%01\@/i
describe KAM_URIPARSE Attempted use of URI bug.  Very high probability of fraud.
score KAM_URIPARSE 7.00

This trick is so good, it even tricks popup blockers such as google's
toolbar.

As an example, using a link such as the one below will LOOK like you are
going to paypal.com but in fact you are going to netcbc.net/paypal (this
is a REAL fraud website so don't go using it).

http://[EMAIL PROTECTED]/paypal/

I found out about this problem late last week and was hoping Microsoft
would have it patched before I had to write this note.

Unfortunately, it is still not patched to the best of my knowledge on
December 19th over a week later.  Additionally, on December 17th, I was
forwarded a copy of one of the emails using this technique to fraudulently
gather information.  This technique called "Phishing" has been around for
a while but this bug will make even expert users fall prey to this trick.

I would recommend forwarding this information to people you feel can
properly handle the information but I think this is going to very quickly
become the largest scam tool on the internet.

Regards,
KAM
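Added example, not part of the thread or of SpamAssassin: the Python block below parses the authority part of a URI the way the URI standard says it should be parsed (the host is whatever follows the last `@`) and reports the real destination next to the host name a buggy renderer would show; it also runs the two rules quoted above against the same constructed URIs. The phishing host `phish.example` is a placeholder, not the site named in the post. SpamAssassin's `uri` rules are matched against the whole URI, scheme included, which is why the untested rule anchored at `^` with `[^\/]*` cannot get past the `//` of `http://`; the scheme-aware variant is my assumption of what was intended, not something from the thread. Python needs no backslash before `/` inside a character class, so the patterns are written without it.

```python
import re
from urllib.parse import urlsplit, unquote

# The two rules quoted in the thread, as Python regexes (identical syntax here).
UNTESTED_RULE = re.compile(r"^[^/]*%0[01][^/]*@")          # Lucas's untested rule
KAM_RULE = re.compile(r"%01@", re.IGNORECASE)               # KAM's rule
# Assumed scheme-aware form of the untested rule (mine, not from the thread).
SCHEME_AWARE_RULE = re.compile(r"^https?://[^/]*%0[01][^/]*@", re.IGNORECASE)

RULESET = (("UNTESTED_RULE", UNTESTED_RULE),
           ("KAM_RULE", KAM_RULE),
           ("SCHEME_AWARE_RULE", SCHEME_AWARE_RULE))
CONTROL = re.compile(r"[\x00\x01]")

def analyse(uri):
    """Report where a link really goes and whether its userinfo is being
    used to impersonate a host name."""
    parts = urlsplit(uri)
    userinfo = unquote(parts.username or "")       # %01 -> \x01, %00 -> \x00
    shown = CONTROL.split(userinfo)[0]             # text left of any NUL/SOH
    # Userinfo that contains a control character, or that looks like a host
    # name, has no legitimate use in a link sent by mail.
    suspicious = bool(CONTROL.search(userinfo)) or "." in shown
    return {
        "real_host": parts.hostname,
        "displayed_host": shown or None,
        "suspicious": suspicious,
        "rules_fired": [name for name, pat in RULESET if pat.search(uri)],
    }

# Constructed URIs; phish.example is a placeholder host.
SAMPLES = {
    "spoofed":        "http://www.paypal.com%01@phish.example/paypal/",
    "spoofed_nul":    "http://www.paypal.com%00@phish.example/",
    "plain_userinfo": "http://user:pw@files.example/report.pdf",
    "benign":         "http://www.paypal.com/",
}

if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        print(label, analyse(uri))
```

The parser-based check is the more durable of the two: it flags the `%00` form that KAM's `/\%01\@/i` does not see, and it gives the real host name, which is what a mail administrator needs when deciding whether to block or report the destination.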






[SAtalk] Re: checking outgoing mail

2003-12-20 Thread David Gibbs
Jeff Koch wrote:
> We've been burned a few times by spammers getting into our servers to 
> send out spam. Does anyone know (or can provide a reference) for how SA 
> could be integrated into qmail to examine outgoing emails?

IMHO, your energy would be far better served working on securing your 
servers better and/or implementing some intrusion detection system.

david

--
| Internet: [EMAIL PROTECTED]
| WWW:  http://david.fallingrock.net
|
| We're not in the middle of nowhere...
|   we're on the outskirts of everywhere!
|
|   - DMRoth (adapted)




Re: [SAtalk] Running sa-learn while SpamAssassin is checking mail: Bayes lock problem?

2003-12-20 Thread Nix
On Thu, 18 Dec 2003, Lars Magne Ingebrigtsen muttered drunkenly:
> If I run sa-learn while SpamAssassin is checking mail, I get messages
> like the following from the spam-checking process:
> 
> Cannot open bayes databases /var/list/.spamassassin/bayes_* R/W: lock failed: File 
> exists
> 
> (This is with SA version 2.70-cvs from a few days ago.)
> 
> Both the sa-learn process and the mail-checking process run as the
> same user, so it shouldn't be a file permissions problem, I think.

This is normal and expected: the Bayes databases are locked while
they're being written to (by a learn or expire) because they might
be in an inconsistent state, so they shouldn't be used at all until
the lock is removed.

The spam-checking process skips the Bayes-checking if the database is
locked (as blocking on that lock for a long time would be a very bad
idea). This warning message is just saying that Bayes was skipped.

(Perhaps the message should be made a bit less frightening...)

-- 
`...some suburbanite DSL customer who thinks kernel patches are some
 form of military insignia.' --- Bob Apthorpe




[SAtalk] We have big evil now we need big good...

2003-12-20 Thread Gary Smith
So we implemented SA some time ago because our clients were getting too much spam.  
Lately we have found that several html marked up emails have been getting marked as 
spam.  These ones are clearly fp's.

Some of the domains include Morningstar.com, charlesswab.com and several other 
financial institutions.  Some of the clients get their weekly reportings sent to them, 
and it has of course the "remove me" tag at the bottom as well as a bunch of html so 
it gets marked as spam.

I know I could just create a simple white list but it might be more useful to create a 
project of good companies to fix the fp's.

Looking for feedback on the topic




Re: [SAtalk] Re: checking outgoing mail

2003-12-20 Thread Jeff Koch

Good grief. What a 'holier than thou' attitude.

To be more specific we have had cases where user cgi scripts have been 
subverted into being spam senders. And yes we don't allow FormMail scripts 
that don't control the recipient list - but occasionally a user will 
upload a weak formmail script and then
we have a potential problem. Or possibly if we end up with a spammer as a 
user. So I am simply asking if there is a method we can use with qmail to 
SA check outgoing email and close this possibility.

At 12:01 PM 12/20/2003, you wrote:
Jeff Koch wrote:
We've been burned a few times by spammers getting into our servers to 
send out spam. Does anyone know (or can provide a reference) for how SA 
could be integrated into qmail to examine outgoing emails?
IMHO, your energy would be far better served working on securing your 
servers better and/or implemnting some intrusion detection system.

david

--
| Internet: [EMAIL PROTECTED]
| WWW:  http://david.fallingrock.net
|
| We're not in the middle of nowhere...
|   we're on the outskirts of everywhere!
|
|   - DMRoth (adapted)


Best Regards,

Jeff Koch, Intersessions 





Re: [SAtalk] Re: checking outgoing mail

2003-12-20 Thread David Gibbs
Jeff Koch wrote:
> Good grief. What a 'holier than thou' attitude.

Not in the slightest ... you didn't mention you had customers that might
be spammers (I won't touch that).
Based on your original post, it seemed to me that your primary problem
wasn't the spam going out, but that people were getting into your system
and sending spam.  That warrants tightening your security.

> To be more specific we have had cases where user cgi scripts have been 
> subverted into being spam senders. And yes we don't allow FormMail 
> scripts that don't control the recipient list - but occasionally a user 
> will upload a weak formmail script and then
> we have a potential problem. Or possibly if we end up with a spammer as 
> a user. So I am simply asking if there is a method we can use with qmail 
> to SA check outgoing email and close this possibility.

Now that is a different story ... Although I still don't think setting
up SA on your outbound email is a good approach.  Educating your
customers, enforcing TOS when they violate, and possibly reviewing
customer code before it's implemented would probably be better (I know
that could be a major burden ... I'm a Sr. Developer for the company I
work for and have to review other developers' code frequently).
Mind you, I've never run an ISP, and security is not a major concern of
mine (I'm the only person using my system and [I think] I've locked it
down fairly well).  I do, however, keep an eye on what my systems are
doing ... so if they start doing something I don't expect, I can shut it
down (hasn't happened yet).
Best regards!

david

--
| Internet: [EMAIL PROTECTED]
| WWW:  http://david.fallingrock.net
|
| We're not in the middle of nowhere...
|   we're on the outskirts of everywhere!
|
|   - DMRoth (adapted)








Re: [SAtalk] Re: checking outgoing mail

2003-12-20 Thread JRiley
Based on your query, I don't think David's suggestion was at all 'holier than
thou'.
And I agree with him that unless you plan on pushing ALL outbound traffic
from all your Webservers utilizing SMTP scripts, pushes, forms, etc. to relay
off your SA Gateway before being pushed to the Internet, I would suggest
EXACTLY what David said.
Enforcing a stronger policy on form code, uploads, Users, a strong TOS, and
reviewing what code is being placed on your servers.
If you are allowing users to upload 'weak formmail scripts' that is still
YOUR responsibility, and it's your IP block that will get listed, not your
users'.
Having an outbound spewage detection on smtp emails sent from formmailers,
webservers, etc. is going to cause about the same amount of administrative
management cost as it would to enforce a strict TOS and code review policy,
except the latter won't increase your bandwidth utilization, or put a
heavier load on your mail gateway.
And I won't touch that 'spammer as a user' comment either.

-JR


- Original Message - 
From: "David Gibbs" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 20, 2003 12:51 PM
Subject: Re: [SAtalk] Re: checking outgoing mail


> Jeff Koch wrote:
> > Good grief. What a 'holier than thou' attitude.
>
> Not in the slightest ... you didn't mention you had customers that might
> be spammers (I won't touch that).
>
> Based on your original post, it seemed to me that your primary problem
> wasn't the spam going out, but that people were getting into your system
> and sending spam.  That warrants tightening your security.
>
> > To be more specific we have had cases where user cgi scripts have been
> > subverted into being spam senders. And yes we don't allow FormMail
> > scripts that don't control the recipient list - but occasionally a user
> > will upload a weak formmail script and then
> > we have a potential problem. Or possibly if we end up with a spammer as
> > a user. So I am simply asking if there is a method we can use with qmail
> > to SA check outgoing email and close this possibility.
>
> Now that is a different story ... Although I still don't think setting
> up SA on your outbound email is a good approach.  Educating your
> customers, enforcing TOS when they violate, and possibly reviewing
> customer code before it's implemented would probably be better (I know
> that could be a major burden ... I'm a Sr. Developer for the company I
> work for and have to review other developers' code frequently).
>
> Mind you, I've never run an ISP, and security is not a major concern of
> mine (I'm the only person using my system and [I think] I've locked it
> down fairly well).  I do, however, keep an eye on what my systems are
> doing ... so if they start doing something I don't expect, I can shut it
> down (hasn't happened yet).
>
> Best regards!
>
> david
>
> -- 
> | Internet: [EMAIL PROTECTED]
> | WWW:  http://david.fallingrock.net
> |
> | We're not in the middle of nowhere...
> |   we're on the outskirts of everywhere!
> |
> | - DMRoth (adapted)
>





[SAtalk] Re: bayes permission errors (still)

2003-12-20 Thread Lukreme
On 19 Dec 2003, at 22:15, Lukreme wrote:
> I set the permissions on all the bayes files to 700 for all users and
> I still ended up having them get switched to - after some
> period of time.  Although, it appears that this time it was a couple
> of hours:

One more datum, this does not happen only on my list account.  It 
happens on all accounts, eventually.  It's just my list account is by 
far the highest volume account that is using bayes.  For example, this 
morning I had to set 4 accounts back to 0700 permissions on the 
bayes_journal file.  There are many accounts that have bayes_toks and 
bayes_seen and have no bayes_journals.



--
I find Windows of absolutely no technical interest... Mac OS X is a 
rock-solid system that's beautifully designed. I much prefer it to 
Linux. -- Bill Joy




[SAtalk] SPF Support in SA?

2003-12-20 Thread Bill Landry
I was wondering if the SA developers are considering adding support for
"Sender Permitted From" (SPF) in SA, as defined at spf.pobox.com?  I have
been using a product called Declude JunkMail, that just added SPF support in a
beta version of their product, and it seems to be working quite well.

Although it will take wide support to make SPF a really viable spam test, by
including native support for SPF in SA, this would certainly go a long way
in helping to make SPF a more widely adopted standard.

Thoughts?

Bill





[SAtalk] why are these messages getting low scores?

2003-12-20 Thread Ricardo Kleemann
Hi,

I've attached 3 messages that are getting quite low scores by SA.

I'm running SA 2.60, with bayes. I frequently get messages quite similar
to these, a number of them every single day. And every day I run them
through sa-learn.

However they continue to get low scores.

Are spammers learning new techniques recently that are bypassing SA? I've
seen a significant increase in messages getting through.

Please help!

Thanks
Ricardo


msgs.tgz
Description: GNU Unix tar archive


Re: [SAtalk] SPF Support in SA?

2003-12-20 Thread Theo Van Dinter
On Sat, Dec 20, 2003 at 11:49:37AM -0800, Bill Landry wrote:
> I was wondering if the SA developers are considering adding support for
> "Sender Permitted From" (SPF) in SA, as defined at spf.pobox.com?  I have

We have test rules in 2.70 already.   If you weren't at LISA 2003, we
pushed SPF at the mini-spam symposium they had, so I think we can be
considered pro-SPF.  ;)

-- 
Randomly Generated Tagline:
/* This bit of chicanery makes a unary function followed by
 a parenthesis into a function with one argument, highest precedence. */
  -- Larry Wall in toke.c from the perl source code




Re: [SAtalk] SPF Support in SA?

2003-12-20 Thread Bill Landry
- Original Message - 
From: "Theo Van Dinter" <[EMAIL PROTECTED]>


> On Sat, Dec 20, 2003 at 11:49:37AM -0800, Bill Landry wrote:
> > I was wondering if the SA developers are considering adding support
> for
> > "Sender Permitted From" (SPF) in SA, as defined at spf.pobox.com?  I
> have
>
> We have test rules in 2.70 already.   If you weren't at LISA 2003, we
> pushed SPF at the mini-spam symposium they had, so I think we can be
> considered pro-SPF.  ;)

That's awesome, looking forward to the SA 2.70 release!  And since I seem to
be on a roll here, what about Web-o-Trust support (www.web-o-trust.org) in
SA?

  :-)

Regards,

Bill





[SAtalk] Moving Bayes and Auto Whitelist Databases

2003-12-20 Thread Philip Ross
I am trying to move some SpamAssassin 2.60 databases from a Red Hat 7.1
machine to a Debian Woody machine running SpamAssassin 2.61.

On the Red Hat 7.1 box I have the following auto whitelist and bayes files
(identity provided by file utility):

auto-whitelist.db: Berkeley DB (Hash, version 5, native byte-order)
bayes_seen:Berkeley DB (Hash, version 7, native byte-order)
bayes_toks:Berkeley DB (Hash, version 7, native byte-order)

The new SpamAssassin 2.61 installation running on Debian has created the
following files and formats:

auto-whitelist.dir: GNU dbm 1.x or ndbm database, little endian
auto-whitelist.pag: GNU dbm 1.x or ndbm database, little endian
bayes_seen: Berkeley DB (Hash, version 5, native byte-order)
bayes_toks: Berkeley DB (Hash, version 5, native byte-order)


A different library is in use for the auto whitelist and a different version
is in use for the Berkeley DB bayes database.

What is my best route for moving the databases from the Red Hat machine to
the Debian one? Is there a way to export and then import in the different
format?

Thanks,

Phil







[SAtalk] Re: checking outgoing mail

2003-12-20 Thread Scott A Crosby
On Sat, 20 Dec 2003 12:51:20 -0600, David Gibbs <[EMAIL PROTECTED]> writes:

> Jeff Koch wrote:
> > Good grief. What a 'holier than thou' attitude.
> 
> Not in the slightest ... you didn't mention you had customers that might
> be spammers (I won't touch that).
> 
> Based on your original post, it seemed to me that your primary problem
> wasn't the spam going out, but that people were getting into your system
> and sending spam.  That warrants tightening your security.
> 

Tough problem. If wishing customer computers secure made it so, then
how do you explain the ten million worm infections over the last few
months? Or the few thousand computers *still* infected with code red,
over a year and a half later.

Having something like SA on outgoing email *is* a good thing. It can
act as an alarm, triggering if any host does do something evil, and at
the same time act as a throttle, to minimize the damage until a person
can diagnose the alarm.  A computer on a 1mbit connection can send 30
spams a second, or a hundred thousand an hour. A throttle that slowed
down high-scoring email to at most one a second won't stop
misbehavior, but will cut it down by a factor of 30.

Jeff, to answer your question, I don't know, but I do think it is a
good question to ask.


Scott
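
Scott's alarm-plus-throttle idea, as an added example (not from the thread or from SpamAssassin): a token bucket that lets clean outbound mail through untouched, allows at most one high-scoring message per second, holds the rest for a human to look at, and trips an alarm once the backlog grows. The scores, the 5.0 threshold and the 30-messages-per-second host are constructed inputs; swap in your own score function.

```python
from collections import deque


class OutboundThrottle:
    """Rate-limit outbound mail that scores high, and raise an alarm when
    the backlog shows a host is misbehaving. Clean mail is never delayed.

    Time is kept in integer milliseconds so the simulation below is exact.
    """

    def __init__(self, threshold=5.0, per_second=1, burst=1, alarm_after=100):
        self.threshold = threshold      # SA score at/above which mail is suspect
        self.per_second = per_second    # suspect messages allowed per second
        self.cap_ms = burst * 1000      # credit cap: at most `burst` sends at once
        self.alarm_after = alarm_after  # deferred suspects that trip the alarm
        self.credit_ms = self.cap_ms    # 1000 ms of credit buys one suspect send
        self.last_ms = 0
        self.deferred = deque()         # (time, id) of held messages
        self.alarm = False
        self.sent_clean = self.sent_suspect = self.suspects_seen = 0

    def submit(self, now_ms, score, msg_id):
        """Return "send" or "defer" for one outbound message."""
        if score < self.threshold:
            self.sent_clean += 1
            return "send"
        self.suspects_seen += 1
        elapsed = now_ms - self.last_ms
        self.credit_ms = min(self.cap_ms, self.credit_ms + elapsed * self.per_second)
        self.last_ms = now_ms
        if self.credit_ms >= 1000:
            self.credit_ms -= 1000
            self.sent_suspect += 1
            return "send"
        self.deferred.append((now_ms, msg_id))   # held until someone diagnoses the alarm
        if len(self.deferred) >= self.alarm_after:
            self.alarm = True
        return "defer"

    def reduction_factor(self):
        """How much the throttle cut suspect traffic (1.0 means not at all)."""
        if not self.sent_suspect:
            return float("inf")
        return self.suspects_seen / self.sent_suspect


def simulate(per_second, seconds, score_of):
    """Feed per_second * seconds messages at even spacing; score_of(i) is the
    SA score the i-th message would get. Returns the throttle for inspection."""
    throttle = OutboundThrottle()
    for i in range(per_second * seconds):
        throttle.submit(i * 1000 // per_second, score_of(i), f"msg-{i}")
    return throttle


if __name__ == "__main__":
    # Constructed scenarios: a normal host (1 in 100 messages scores high)
    # and a compromised host spewing 30 high-scoring messages a second.
    quiet = simulate(30, 60, lambda i: 9.5 if i % 100 == 0 else 1.0)
    spewing = simulate(30, 60, lambda i: 9.5)
    print("quiet host:  ", quiet.sent_suspect, "suspect sent, alarm =", quiet.alarm)
    print("spewing host:", spewing.sent_suspect, "of", spewing.suspects_seen,
          "sent, cut by factor", spewing.reduction_factor(), "alarm =", spewing.alarm)
```

In the spewing scenario only 60 of 1800 suspect messages leave in the minute, the factor-of-30 cut Scott estimates, and the alarm trips after the first 100 are held.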




[SAtalk] Re: We have big evil now we need big good...

2003-12-20 Thread Scott A Crosby
On Sat, 20 Dec 2003 09:52:00 -0800, "Gary Smith" <[EMAIL PROTECTED]> writes:

> So we implemented SA some time ago because our clients were getting
> too much spam.  Lately we have found that several html marked up
> emails have been getting marked as spam.  These ones are clearly
> fp's.
> 
> Some of the domains include Morningstar.com, charlesswab.com and
> several other financial institutions.  Some of the clients get their
> weekly reportings sent to them, and it has of course the "remove me"
> tag at the bottom as well as a bunch of html so it gets marked as
> spam.
> 
> I know I could just create a simple white list but it might be more
> useful to create a project of good companies to fix the fp's.
> 
> Looking for feedback on the topic
> 

Such a 'well known whitelist' gives spammers a list of domains to forge.

So, such a program would also have to identify the actual mail server
IP addresses for each whitelisted domain to verify that an email
purporting to come from that domain actually did come from the correct
IP. This isn't scalable, the project would have to update the
whitelist each time any listed domain changed email providers.

With one of the RMX proposals (where a domain can dns encode a list of
smtp servers authorized to send email from the domain), it then is
probably feasible.



Scott
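
The verification step Scott describes (and the SPF idea from the thread above), as an added example that is not part of the original post or of SpamAssassin: a shared whitelist that only grants its bonus when the connecting IP is on the sender list the domain itself publishes, evaluated with an ip4-only subset of SPF v1 syntax. The domains, addresses and records are constructed stand-ins for DNS lookups, not any real company's.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS TXT lookups (no network access). These
# domains, networks and records are invented for the example.
PUBLISHED_SENDERS = {
    "newsletter.example.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.64/26 -all",
    "bank.example.net":       "v=spf1 ip4:198.51.100.0/24 ~all",
    "legacy.example.org":     "",   # publishes nothing, so it cannot be verified
}

# The shared "well known good senders" list the thread is debating.
WELL_KNOWN_GOOD = {"newsletter.example.com", "bank.example.net", "legacy.example.org"}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_record(record, ip):
    """Evaluate the ip4/all subset of an SPF v1 record for a connecting IP.

    Mechanisms are tried left to right and the first match decides;
    include/a/mx/redirect are deliberately not modelled here.
    """
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"                        # no usable record published
    addr = ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ip_network(term[4:], strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif term == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        else:
            return "unsupported"             # mechanism outside this subset
    return "neutral"                         # nothing matched and no "all" term


def classify(from_domain, connecting_ip):
    """Decide whether the whitelist bonus applies, and say why not if not."""
    if from_domain not in WELL_KNOWN_GOOD:
        return "not-listed"
    verdict = evaluate_record(PUBLISHED_SENDERS.get(from_domain, ""), connecting_ip)
    if verdict == "pass":
        return "whitelisted"
    if verdict == "none":
        return "unverifiable"   # listed, but nothing to check the source IP against
    return "forged"             # listed domain, unauthorized source: no bonus


def whitelist_applies(from_domain, connecting_ip):
    return classify(from_domain, connecting_ip) == "whitelisted"


if __name__ == "__main__":
    for domain, ip in [("newsletter.example.com", "192.0.2.70"),
                       ("newsletter.example.com", "203.0.113.5"),
                       ("legacy.example.org", "192.0.2.10"),
                       ("unlisted.example", "192.0.2.10")]:
        print(f"{domain:24} from {ip:12} -> {classify(domain, ip)}")
```

A domain on the list that publishes no sender record gets no bonus either, which is the maintenance burden Scott points out: without the domain publishing its own servers, the project would have to track them.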




[SAtalk] RE: We have big evil now we need big good...

2003-12-20 Thread Gary Smith
Makes sense.

Gary Smith

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent:   Saturday, December 20, 2003 12:45 PM
To: Gary Smith
Cc: [EMAIL PROTECTED]
Subject:Re: We have big evil now we need big good...

On Sat, 20 Dec 2003 09:52:00 -0800, "Gary Smith" <[EMAIL PROTECTED]> writes:

> So we implemented SA some time ago because our clients were getting
> too much spam.  Lately we have found that several html marked up
> emails have been getting marked as spam.  These ones are clearly
> fp's.
> 
> Some of the domains include Morningstar.com, charlesswab.com and
> several other financial institutions.  Some of the clients get their
> weekly reportings sent to them, and it has of course the "remove me"
> tag at the bottom as well as a bunch of html so it gets marked as
> spam.
> 
> I know I could just create a simple white list but it might be more
> useful to create a project of good companies to fix the fp's.
> 
> Looking for feedback on the topic
> 

Such a 'well known whitelist' gives spammers a list of domains to forge.

So, such a program would also have to identify the actual mail server
IP addresses for each whitelisted domain to verify that an email
purporting to come from that domain actually did come from the correct
IP. This isn't scalable, the project would have to update the
whitelist each time any listed domain changed email providers.

With one of the RMX proposals (where a domain can dns encode a list of
smtp servers authorized to send email from the domain), it then is
probably feasible.



Scott






Re: [SAtalk] SA 2.61 and DYNABLOCK/SORBS

2003-12-20 Thread Christopher M. Iarocci
Peter SJF Bance wrote:

> All,
>
> [Hoping this gets through, and isn't blocked by SpamAssassin on another
> server!!]
> I've been trying to work this one out for a few days now - I run various
> mailman lists, and recently all my mail has been rejected when I've
> attempted to post to them.  I use Sendmail, Amavis-new (via milter), Clamd
> and SpamAssassin on the server (paranoid, me?!), and have investigated a
> little...
> A full example message quarantined by the server is reproduced below (I know
> I shouldn't post spam to this list, but then this isn't actually spam!).
> The problem appears to be down to the DYNABLOCK list recently taken over by
> SORBS.
> From previous discussions on this list, I was under the impression that the
> DYNABLOCK list should be used as a filter *only* where a listed IP is
> sending mail directly to a recipient server.  I am using (as always) my
> ISP's SMTP relays, and so don't believe SA should be using DYNABLOCK.  This
> is confirmed by SORBS' assertion that dynamically-addressed users should
> always use their ISP's SMTP relays.
> Can anyone tell me whether SpamAssassin is using DYNABLOCK incorrectly, or
> if there may be something wrong with my configuration?  Up until now, the
> 6.3 tag/kill threshold has worked well, and I don't really want to have to
> increase it if I don't need to.
> All .cf files are up-to-date...
>
> Many thanks in advance for any advice.
>
> - Begin Quarantined Mail
>
> Return-Path: 
> Delivered-To: spam-quarantine
> X-Envelope-To: <[EMAIL PROTECTED]>
> X-Quarantine-id:
>
> Received: from Minstrel ([82.0.67.38]) by mta07-svc.ntlworld.com
>  (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
>  id <[EMAIL PROTECTED]>
>  for <[EMAIL PROTECTED]>;
>  Sat, 20 Dec 2003 03:50:23 +
> Reply-To: 
> From: "My Name" 
> To: <[EMAIL PROTECTED]>
> Subject: Test Message
> Date: Sat, 20 Dec 2003 03:50:27 -
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: text/plain;
>    charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.4510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> Importance: Normal
> X-Spam-Status: Yes, hits=12.6 tag1=3.0 tag2=6.3 kill=6.3 tests=AWL,
> RCVD_IN_DYNABLOCK, RCVD_IN_SORBS
> X-Spam-Level: *
> Only intended to produce SA rejection...
>
> --
> Peter SJF Bance CEng MBCS
> CESG and BCS Listed Security Adviser
> http://www.minstrel.org.uk/
> - End Quarantined Mail
> -
 

I might be wrong here, but there is only 1 received line.  Since you
stated you are using your ISP's SMTP gateway, can I assume that
smtp.ntlworld.com is your ISP's SMTP relay?  If so, it seems that your
ISP is the one marking this email as spam?  I'm confused here because
there is only 1 received line.  Another point of confusion, isn't 
dynablock.easynet.nl now dead?  I don't believe anything should be 
matching a dynablock lookup.  Have a look at 
http://dynablock.easynet.nl.  What's SA up to here if it's matching 
dynablock lookups? 

As far as the SORBS match, that is probably due to your IP of  
82.0.67.28 being listed, and there only being 1 received line.  SA 
always ignores the first received line, except in the case where there 
is only 1 received line.  I know there was a bug in the previous version 
of SA (2.60) where it wasn't ignoring the first received line, but 
believe that has been fixed in 2.61.  Anyone please correct me if I'm wrong.

Chris





RE: [SAtalk] SA 2.61 and DYNABLOCK/SORBS

2003-12-20 Thread Peter SJF Bance
Hi Chris,

> I might be wrong here, but there is only 1 received line.  Since you 
> stated you are using your ISP's SMTP gateway, can I assume that 
> smtp.ntlworld.com is your ISPs SMTP relay?  If so, it seems that your 
> ISP is the one marking this email as spam?  I'm confused here because 
> there is only 1 received line.

This just seems to be the way that quarantined mail is stored - because the
local MTA hasn't processed the message yet (it's still being scanned by the
Amavis/SA milter), the Received line for the local host hasn't been
inserted.  Amavis/SA is running on my server, which is the next hop (and
destination) after smtp.ntlworld.com (my ISP's relay).

> Another point of confusion, isn't 
> dynablock.easynet.nl now dead?  I don't believe anything should be 
> matching a dynablock lookup.  Have a look at 
> http://dynablock.easynet.nl.  What's SA up to here if it's matching 
> dynablock lookups?

SORBS have started matching DYNABLOCK entries on everybody's behalf (and, in
fact, I suspect this is the reason things have stopped working recently,
since they took it over).

> As far as the SORBS match, that is probably due to your IP of
> 82.0.67.28 being listed, and there only being 1 received line.  SA
> always ignores the first received line, except in the case where there
> is only 1 received line.  I know there was a bug in the previous version
> of SA (2.60) where it wasn't ignoring the first received line, but
> believe that has been fixed in 2.61.  Anyone please correct me if I'm wrong.

Ah, I didn't realise there was a known bug in 2.60.  I feel perhaps it
hasn't been fixed in 2.61.  As far as I can tell, the reason for the SORBS
match is *only* because of the DYNABLOCK match (for some reason this results
in two hits)...

--
Peter SJF Bance CEng MBCS
CESG and BCS Listed Security Adviser
http://www.minstrel.org.uk/
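
The two views of the Received chain in this exchange, as an added example (not from the thread or from SpamAssassin's own code): parse the hops, then show which IP gets looked up when the quarantined copy carries only the ISP's Received line, versus after a hypothetical local MTA (mail.example.org) has stamped its own hop. The single Received line and 82.0.67.38 come from Peter's quoted message; 198.51.100.7, the local host name and the placeholder addresses are constructed.

```python
import re

# Constructed samples. QUARANTINED is the one Received line from the message
# quoted in the thread, with the archive's elided addresses replaced by
# placeholders; DELIVERED is the same message after a hypothetical local MTA
# has added its own hop. 198.51.100.7 is an invented address for the relay.
QUARANTINED = """\
Received: from Minstrel ([82.0.67.38]) by mta07-svc.ntlworld.com
 (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
 id <placeholder-id@example.invalid>
 for <user@example.org>;
 Sat, 20 Dec 2003 03:50:23 +0000
From: "My Name" <user@example.org>
Subject: Test Message
"""

DELIVERED = """\
Received: from mta07-svc.ntlworld.com ([198.51.100.7]) by mail.example.org
 with ESMTP id ABC123 for <user@example.org>;
 Sat, 20 Dec 2003 03:50:30 +0000
""" + QUARANTINED

HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by>\S+)", re.I)


def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def hops(raw):
    """Received hops as (helo, ip, by) tuples, most recent (topmost) first."""
    found = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            found.append((m["helo"], m["ip"], m["by"]))
    return found


def direct_connectors(raw):
    """The IP that handed the message to whoever stamped the topmost hop,
    i.e. the only address a dial-up/dynamic list is meant to be checked on."""
    h = hops(raw)
    return [h[0][1]] if h else []


def after_local_hop(raw):
    """The rule Chris describes: drop the first Received line (assumed to be
    the local MTA's) unless it is the only one, and look up what is left."""
    h = hops(raw)
    keep = h if len(h) <= 1 else h[1:]
    return [ip for _, ip, _ in keep]


def dnsbl_hits(raw, listed, selector):
    """Which of the selected IPs appear in a constructed DNSBL-style set."""
    return [ip for ip in selector(raw) if ip in listed]


if __name__ == "__main__":
    DYNAMIC = {"82.0.67.38"}   # stands in for a dynamic-address listing
    for name, raw in (("quarantined copy", QUARANTINED), ("delivered copy", DELIVERED)):
        print(name, "direct connector:", dnsbl_hits(raw, DYNAMIC, direct_connectors),
              "| after dropping local hop:", dnsbl_hits(raw, DYNAMIC, after_local_hop))
```

With only the ISP's line present, the dynamic address is the "direct connector" under either rule, which is why scanning before the local MTA stamps its hop produces the hit Peter saw.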





[SAtalk] RE: We have big evil now we need big good...

2003-12-20 Thread SpamTalk
These companies need to get a Habeas mark.
Minimally, they should prescreen their formats through SA.

Any database created as suggested should include contact information that
could be used to provide those suggestions.

If/when such companies get whitelisted they should get a temporary reject
with that very request. I wonder if Marc Merlin would be interested in
adding it to SA-EXIM? If their postmaster gets enough of these it might
motivate them to take the burden from our shoulders.

Regards, Bob




Re: [SAtalk] Question for developpers: Who maintain now php-sa-mysql!

2003-12-20 Thread Kevin A. McGrail
Justin England wrote the original PHP-SA. In short, after working on some
patches and fixing some things ages ago, Justin wasn't interested in
continuing the work.  I forked the code and added my initials.

I would suggest if you want to create another fork that you consider my
vanilla code.  There are several bugs and garage-door-sized security
issues with the original code by Justin.

Regards,
KAM

> I checked out this URL, and did not find what I'm looking for. Asking
> Google about it, I found something that seems to be the latest version
> at http://www.peregrinehw.com/downloads/SpamAssassin/
>
> 1) php-sa-mysql-0.5-KAM-0.2.11.tar.gz
>
> is the latest version available? If yes, why is it named "KAM"?
> 2) Who maintains php-sa-mysql NOW?
> 3) Where is the official website for this app, because I want to be sure
> that I get vanilla source code...
>
> Before I code a new interface, I just want to see how this one is coded
> and if it can be tuned according to my needs!
>
> Regards,
> Alex


