Is this a crazy idea? Double scoring..
Hi,

I've been looking at doing the Sitewide Bayes and Sitewide Bayes Feedback. My mail server averages a KNOWN spam every 2 seconds, so I'd like to feed it to a site-wide database. THEN, I would like to score mail completely by the user's private one, but then RESCORE it against the site one. Track for a few weeks and, if it proves fine, switch over. If it doesn't make a major difference, then it was a nice try.

Is there a way I could do it, have 2 sets of headers? I know when I have my mail scanned on my server, and then again on my laptop, all the previous headers are gone, but could I have some add_header lines in a 2ndpass.local.cf that I point a config file to? Would I have to run 2 instances of spamd?

Thanks, Tuc
Re: List of 700,000 IP addresses of virus infected computers
> Tuc at T-B-O-H wrote:
> >> That's as much detail as I'm going to go into here. But the result is
> >> that I have 720,000 IP addresses of virus infected computers and I'm
> >> filtering about 1600 domains and I'm not getting any more than the
> >> normal few false positive complaints. And those are due to other
> >> unrelated mistakes that I'm still working on.
> >
> > I've had it running for 26 hours so far. It's shown up on 79
> > out of 1519 messages processed. Of those, SA decided 482 of them were
> > spam. Eight were on the whitelist (Which didn't matter, the scores from
> > SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so
> > high from SA anyway, they were well over the limit. The rest were "BR"
> > and again the numbers were so high SA caught them on its own.
> >
> > Tuc/TBOH
>
> So - no false positives?

No false anything really. SA had scored the others so low BEFORE adding in your score that the "WH" didn't mean anything to the score. Likewise, SA scored the "BL"/"BR" ones so high BEFORE adding in your score that your score didn't mean anything.

So, to me, it's basically just "tagging along" with the big boys and every once in a while giving its .02 where the big boys already came to a decision.

What I was hoping it would be was that "extra little bit", that "hanging chad" shall we say, that pushed it over the line one way or the other on a much greater percentage of processed messages.

This was on my personal mail server ONLY; my "production" one processes around 57250 emails a day, of which 52000 are thrown out before they are even checked (KNOWN spam just by the receiving email address), 3500 are identified by SA as spam (Some false positives), 250 are passed as clean (Of which I'd say 25% are still spam), and the rest aren't even run through SA before reaching the user due to the users not being happy with the results of SA scans.

Tuc/TBOH
Re: List of 700,000 IP addresses of virus infected computers
> > Tuc at T-B-O-H.NET wrote:
> >> Tuc at T-B-O-H wrote:
> >>>> That's as much detail as I'm going to go into here. But the result is
> >>>> that I have 720,000 IP addresses of virus infected computers and I'm
> >>>> filtering about 1600 domains and I'm not getting any more than the
> >>>> normal few false positive complaints. And those are due to other
> >>>> unrelated mistakes that I'm still working on.
> >>>
> >>> I've had it running for 26 hours so far. It's shown up on 79
> >>> out of 1519 messages processed. Of those, SA decided 482 of them were
> >>> spam. Eight were on the whitelist (Which didn't matter, the scores from
> >>> SA were 0 or negative ANYWAY). 68 were "BL", but the numbers were so
> >>> high from SA anyway, they were well over the limit. The rest were "BR"
> >>> and again the numbers were so high SA caught them on its own.
> >>>
> >>> Tuc/TBOH
> >>
> >> So - no false positives?
> >
> > No false anything really. SA had scored the others so low BEFORE
> > adding in your score that the "WH" didn't mean anything to the score.
> > Likewise, SA scored the "BL"/"BR" ones so high BEFORE adding in your
> > score that your score didn't mean anything.
> >
> > So, to me, it's basically just "tagging along" with the big
> > boys and every once in a while giving its .02 where the big boys
> > already came to a decision.
> >
> > What I was hoping it would be was that "extra little bit",
> > that "hanging chad" shall we say, that pushed it over the line one
> > way or the other on a much greater percentage of processed messages.
> >
> > This was on my personal mail server ONLY; my "production" one processes
> > around 57250 emails a day, of which 52000 are thrown out before
> > they are even checked (KNOWN spam just by the receiving email address),
> > 3500 are identified by SA as spam (Some false positives), 250 are
> > passed as clean (Of which I'd say 25% are still spam), and the rest
> > aren't even run through SA before reaching the user due to the users
> > not being happy with the results of SA scans.
>
> But, if you were to use the WH and BL/BR lists as pre-filters to reduce
> spam assassin's load, what difference would it make to your mail server
> load?
>
> And, in that case, how many errors would you get?
>
> I think that might be Marc's actual goal here. Not to "tip the balance
> on questionable email", but to keep you from having to scan stuff that
> is definitely ham and definitely spam.

Hi,

Unfortunately, I don't know how to tell this given that Mark provided SA rules for processing. If this was something I could implement at the sendmail level, before it got to SA (pre-filter), then it may make a difference to AT MOST what seems to be about 5% of my email. But since SA has to run ANYWAY, then if anything it slows the server down since it needs to make an additional DNS call.

Tuc/TBOH
Objective site to run spamcheck against?
Hi,

An inordinate amount of people are telling me I'm ending up in spam folders, so I wondered if there was some "objective" site where I might be able to run a message through and have it score an email. I realize this could also be used by spammers to check about getting past the filters, so I'm thinking maybe there isn't. I can't run it against my own systems since they like me too much. :)

Thanks, Tuc/TBOH
Re: Objective site to run spamcheck against?
Hi,

Thanks. That Robtex is pretty nice. Saw other info that was interesting. ANYWAY, it doesn't look like my server is in the lists, BUT... The IP I send from (RR.COM) is blacklisted here:

dnsbl.sorbs.net
dul.dnsbl.sorbs.net
dynablock.njabl.org
sorbs.dnsbl.net.au
t1.dnsbl.net.au

So could that be the primary reason? Unfortunately the sites I am getting spam foldered to won't tell you EXACTLY why. So I'm sorta shooting in the dark here.

Thanks, Tuc

> If you don't want to search:
> http://www.robtex.com/rbl.html and http://www.dnsstuff.com/ .
>
> 2007/9/14, Bowie Bailey <[EMAIL PROTECTED]>:
> > Tuc at T-B-O-H.NET wrote:
> > > Hi,
> > >
> > > An inordinate amount of people are telling me I'm
> > > ending up in spam folders, so I wondered if there was
> > > some "objective" site where I might be able to run a
> > > message through and have it score an email. I realize this
> > > could also be used by spammers to check about getting past
> > > the filters, so I'm thinking maybe there isn't. I can't
> > > run it against my own systems since they like me too much. :)
> > >
> > > Thanks, Tuc/TBOH
> >
> > A good first step would be checking to see if your mail servers are on
> > any blacklists. There are two or three sites that will check multiple
> > lists for you. I don't know of one offhand, but a Google search should
> > be able to come up with one for you.
> >
> > --
> > Bowie
How to report 120,000 spams a day
Hi,

Our mail server receives about 128K emails a day. Of those, 120K are absolutely known spam so I don't even run them through spamassassin. Of the 8K left, 6K are determined to be spams, and 2K are considered "good".

I'm wondering if there is some way to help the community (and, admittedly, ourselves) to somehow process and report those spams to various databases. For the smaller users, I've implemented the SiteWideRazor and use procmail to save off their spams to "probably-spam" and process them through "spamassassin -r" once an hour.

For our bigger ones, though, so as not to wear a hole in the disk drive, I wondered if there were any suggestions what to do.

Thanks, Tuc
spamc/spamd .. diff versions, diff systems
Hi,

We are in the middle of a migration of users from a system which we can't upgrade running 3.1.8, to a new system (which can of course be upgraded) running 3.2.4.

I'm contemplating having the .procmailrc of users on the old system call spamc with the hostname of the system running 3.2.4 (After I start the daemon listening on its IP instead of 127.0.0.1 only).

Would there be any issues doing this? Is there a way I can libwrap the port instead of firewalling it?

Thanks, Tuc
Re: spamc/spamd .. diff versions, diff systems
> > We are in the middle of a migration of users from a
> > system which we can't upgrade running 3.1.8, to a new system
> > (which can of course be upgraded) running 3.2.4.
> >
> > I'm contemplating having the .procmailrc of users
> > on the old system call spamc with the hostname of the system
> > running 3.2.4 (After I start the daemon listening on its IP
> > instead of 127.0.0.1 only).
>
> That'll work.
>
> > Would there be any issues doing this? Is there a way
> > I can libwrap the port instead of firewalling it?
>
> Not that I'm aware of.

Is that to the "Any issues" or "Libwrap"? :) I'm guessing just to the libwrap.

Will probably try it over the weekend and see what happens.

Which system will it update the .spamassassin directory on? The "spamc" client, or "spamd" server? I just need to know if I have to make sure not to clobber it when I do my final copy of the users' files to the "server".

Thanks, Tuc
Re: [spamassassin] Re: spamc/spamd .. diff versions, diff systems
> > Is that to the "Any issues" or "Libwrap"? :) I'm guessing
> > just to the libwrap.
>
> Both.

Thanks.

> > Will probably try it over the weekend and see what happens.
> >
> > Which system will it update the .spamassassin directory on?
> > The "spamc" client, or "spamd" server? I just need to know if I have to
> > make sure not to clobber it when I do my final copy of the users' files to
> > the "server".
>
> It's not currently possible to pass user config to spamd (at least not
> without modifying it), so everything is server centric. Config will be
> read from the .spamassassin directory in home directories on the server.

Gotcha. Ok. Thanks. I used the same id/uid/group/gid on the new/old so I don't think it'll be an issue. You'll know if I run into any issues. :)

Thanks, Tuc
Re: [spamassassin] Re: How to report 120,000 spams a day
> > On 08.03.08 18:28, Tuc at T-B-O-H wrote:
> > > Our mail server receives about 128K emails a day. Of
> > > those, 120K are absolutely known spam so I don't even run
> > > them through spamassassin. Of the 8K left, 6K are determined
> > > to be spams, and 2K are considered "good".
> > >
> > > I'm wondering if there is some way to help the
> > > community (and, admittedly, ourselves) to somehow process
> > > and report those spams to various databases. For the
> > > smaller users, I've implemented the SiteWideRazor and
> > > use procmail to save off their spams to "probably-spam"
> > > and process them through "spamassassin -r" once an hour.
> > >
> > > For our bigger ones, though, so as not to wear
> > > a hole in the disk drive, I wondered if there were any
> > > suggestions what to do.
> >
> > Anyone??
>
> afaik razor requires manual reporting, not anything automatic. Also note
> that some people tend to mark as "spam" anything they don't like, even
> mailing lists they have subscribed to (but are unable to unsubscribe - this
> is a very common form of dumbness)
>
> You can run DCC server which does something similar but is completely
> automated.

Hi,

Thanks for the reply. I have a feeling that I'm not explaining myself well enough given this and private replies I've received.

I am mail hosting for a domain, we'll call it example.com. There are, and have only been, 4 VALID email addresses for example.com, such as:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Those come in, get scanned by SA, and the ones we think are good enough we pass along to the owner's email address on his local ISP (Hughes.net, who has their email processed by Tucows's securehostedemail.com that violates RFCs and causes sendmail to pump out kernel based messages which I can't get anyone there to listen to!). In the mean time, anything that isn't going to bingo, bango, bongo or irving is sent straight to /dev/null from the MTA.

It's these messages that go straight to /dev/null that I'd like to somehow get processed into something useful for the community. It's not the result of a user getting an email from examplemacys.com, and saying "Well, I did subscribe, but I have no need for their shoe sale this week, I call "SPAM"". These are messages to email addresses at example.com that were NEVER legit email addresses.

As part of it all, I also want to try to keep disk usage and CPU down to as little as possible. With 120,000 per day, that's a junk mail every 3/4 of a second. Since I have it set to deliver to /dev/null, I reduce the amount of disk usage. I'm looking for a solution that would be easy on the disk and easy on the CPU. So something directly out of the MTA would be great (sendmail) or something that the delivery would not store it locally. I'm concerned if I set up another user, who has a .procmailrc to send it directly to "spamassassin -r", that it would start spawning off way too many processes, too many perl invocations, etc. Same for piping to razor-report (And it only benefits razor, no one else).

I thought DCC was running on this system, but it appears not. I'll have to check why and get it running. I thought it was just another database for SA to check, I'll have to read more about it.

Thanks, Tuc
Re: [spamassassin] Re: [spamassassin] Re: How to report 120,000 spams a day
> > At 17:51 08-03-2008, Tuc at T-B-O-H.NET wrote:
> > > As part of it all, I also want to try to keep disk usage and CPU
> > > down to as little as possible. With 120,000 per day, that's a junk mail
> > > every 3/4 of a second. Since I have it set to deliver to /dev/null, I
> > > reduce the amount of disk usage. I'm looking for a solution that would be
> > > easy on the disk and easy on the CPU. So something directly out of the MTA
> > > would be great (sendmail) or something that the delivery would not store
> > > it locally.
> >
> > Rewrite the recipient address of these emails to another
> > address. That should reduce disk usage on that server and filtering
> > load. You can run the reporting on another server. It can be done
> > hourly by processing the mailbox instead of one message at a
> > time. That would require some code changes.
> >
> > Regards,
> > -sm

Hi,

Thanks for the reply. In as much as I'd like to help the community, I'm under a set of constraints. Starting a whole other server to start doing this isn't something that fits under those constraints. It looks like I'll probably just end up having to /dev/null them as I have been.

Tuc
Re: [spamassassin] Re: [spamassassin] Re: How to report 120,000 spams a day
> Automatic reporting - that's another thing entirely. As was pointed out in
> previous replies, the user community is not always accurate in reporting
> what is legit spam, and what is/was requested or "permitted". I tend to
> report manually, although I am writing some code to semi-automate the
> process. The program picks out domains, TLDs in URLs and IP addresses (in
> spam), puts them in edit windows, and then allows me to view the message.
> At this point, I can click a button to report the offending hosts/ips/etc.
> or not. But, it is semi-manual and therefore involves time. The tradeoff
> is accurate reporting to the various block lists.

I guess I'm still not being clear. There are 120K emails a day coming to INVALID EMAIL ADDRESSES THAT NEVER EXISTED. It's not a case of a user being fickle, it's a case that they are emailing addresses that NEVER EVER ACTUALLY EXISTED. About 1 every 3/4 of a second. So running them through ANYTHING is counter productive since, at least in my eyes, if you try to email an email address that never existed... IT'S SPAM. It's not things the user ever sees/knows, etc.

I have in my sendmail virtusertable:

[EMAIL PROTECTED] bingo
[EMAIL PROTECTED] bango
[EMAIL PROTECTED] bongo
[EMAIL PROTECTED] irving
[EMAIL PROTECTED] nobody

The user doesn't even SEE the emails, and processing what they consider spam I really don't care about. But getting 120K emails to *@ that are absolutely known spam... I would like to help the community out by reporting them to every system possible. Yea, if the added benefit is the mail that bingo, bango, bongo and irving gets filtered a little better... I won't complain at all.

Tuc
Re: [spamassassin] Re: [spamassassin] Re: [spamassassin] Re: How to report
> I see delivery attempts to invalid email address regularly. They get
> rejected at the SMTP level. Running such messages through
> SpamAssassin doesn't make sense. Your previous message mentioned
> that you wanted to report these "spam" messages and my reply was
> based upon that.

I don't run them through SA. I /dev/null them. They are going to an email address that doesn't exist, especially 120K of them a day to a SINGLE domain; they are spam and don't even need to be run through SA or anything else. They get discarded as soon as they arrive.

> > etc. I have in my sendmail virtusertable:
> >
> > [EMAIL PROTECTED] bingo
> > [EMAIL PROTECTED] bango
> > [EMAIL PROTECTED] bongo
> > [EMAIL PROTECTED] irving
> > [EMAIL PROTECTED] nobody
>
> The above is incorrect as there is still a processing overhead. I
> suggest using:
>
> @example.com error:nouser User unknown

Can't do that as much as I'd like to. Mail comes through an MX. The MX just passes it along. When the final machine errors it out, the MX is stuck with trying to get rid of it. The postmaster also ends up getting a copy of the emails (Yes, I could turn that off, but for the number of times it's pointed out potential hacks, system issues, etc, I'd rather not.).

Tuc
Re: [spamassassin] RE: [spamassassin] Re: [spamassassin] Re: How to report 120,000 spams a day
> > Hi,
> >
> > Thanks for the reply. In as much as I'd like to help the community,
> > I'm under a set of constraints. Starting a whole other server to start
> > doing this isn't something that fits under those constraints. It looks like
> > I'll probably just end up having to /dev/null them as I have been.
> >
> > Tuc
>
> Tuc
>
> Didn't it come out that you were accepting emails to any email address
> whether it is a valid email address or not?
>
> If so, that is where to start...
>
> do not accept those emails... reject them properly.
>
> - rh

There are "considerations" in doing this. Right now, all my systems are set up running sendmail, and all with the config of:

define(`confCOPY_ERRORS_TO',`Postmaster')

As such, true to its name, anytime there is an error, the postmaster gets a copy. 120K copies of

The original message was received at Sun, 9 Mar 2008 15:12:41 -0400 (EDT)
from pD9E3AE30.dip.t-dialin.net [217.227.174.48]

   ----- The following addresses had permanent fatal errors -----
<[EMAIL PROTECTED]>
    (reason: 550 5.0.0 <[EMAIL PROTECTED]>... No such user here)

   ----- Transcript of session follows -----
... while talking to smtp.example.com.:
>>> DATA
<<< 550 5.0.0 <[EMAIL PROTECTED]>... No such user here
550 5.1.1 <[EMAIL PROTECTED]>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

   ----- Message header follows -----

isn't acceptable. Yes, I could take out the COPY_ERRORS_TO, but we also run a lot of things that are piped to programs, and we usually don't see the errors unless that is set. If there is some way to have my errors copied to me, but "User unknown" not, then I'll implement it. My way of preventing it from happening, but still seeing my errors, was to /dev/null addresses that don't exist. I could have the COPY_ERRORS_TO sent to a special user that uses procmail to weed them out, but then it defeats my attempts to reduce disk space wear and tear, CPU, etc.

Even if I did that, though, the next thing I run into is MX's. The MX blindly accepts the mail. If the destination server rejects it, then usually the original sender is forged or invalid, etc. That then causes a mail spool backup on the MX host until it then errors out after 5 days of inability to make its delivery.

I'd love to take advantage of some functionality ZoneEdit (My DNS provider) gives and let them scan and forward the email. However, with the amount of emails and databits it is, I think the cost would be more than I care to pay given it's a "favor" account. (Also why setting up another server doesn't make sense.)

Tuc
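The "errors copied to me, but 'User unknown' not" split described above can be made on the body of the bounce itself, because sendmail's DSN lists each failed recipient under "The following addresses had permanent fatal errors" with a "(reason: ...)" line beneath it. The shell filter below is an added example, not code from the thread: it reads one bounce on stdin, counts the failed recipients in that block, and answers "drop" only when every one of them was rejected as an unknown user, so a bounce from a failed program pipe, or a bounce that mixes the two, is still passed through to the admin. The three sample bounces, the recipient bungo@example.com and the path /usr/local/bin/handle-order are constructed for this example.

```shell
#!/bin/sh
# Constructed sample bounces in sendmail's DSN layout (not real mail).

# 1. Dictionary-attack style bounce: the only recipient never existed.
SAMPLE_UNKNOWN='The original message was received at Sun, 9 Mar 2008 15:12:41 -0400 (EDT)
from relay.example.net [192.0.2.10]

   ----- The following addresses had permanent fatal errors -----
<bungo@example.com>
    (reason: 550 5.0.0 <bungo@example.com>... No such user here)

   ----- Transcript of session follows -----
... while talking to smtp.example.com.:
>>> DATA
<<< 550 5.0.0 <bungo@example.com>... No such user here
550 5.1.1 <bungo@example.com>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

   ----- Message header follows -----'

# 2. A program delivery failed: this is the kind of error the admin must see.
SAMPLE_PROG='The original message was received at Sun, 9 Mar 2008 15:13:02 -0400 (EDT)
from relay.example.net [192.0.2.10]

   ----- The following addresses had permanent fatal errors -----
"|/usr/local/bin/handle-order"
    (reason: 1)
    (expanded from: <orders@example.com>)

   ----- Transcript of session follows -----
554 5.3.0 unknown mailer error 1

   ----- Message header follows -----'

# 3. Mixed: one unknown user and one failed program in the same bounce.
SAMPLE_MIXED='The original message was received at Sun, 9 Mar 2008 15:14:30 -0400 (EDT)
from relay.example.net [192.0.2.10]

   ----- The following addresses had permanent fatal errors -----
<bungo@example.com>
    (reason: 550 5.1.1 <bungo@example.com>... User unknown)
"|/usr/local/bin/handle-order"
    (reason: 1)

   ----- Transcript of session follows -----
   ----- Message header follows -----'

# classify_bounce: read one sendmail DSN on stdin; print "drop" when every
# failed recipient was an unknown user, otherwise "keep".
classify_bounce() {
    awk '
        # The recipient block starts here and ends at the session transcript.
        /^ *----- The following addresses had permanent fatal errors -----/ { in_addrs = 1; next }
        /^ *----- Transcript of session follows -----/                      { in_addrs = 0 }
        # Recipients sit at column 0; reason/expanded-from lines are indented.
        in_addrs && /^[^ \t]/ { total++ }
        # Both wordings sendmail uses for a non-existent local user.
        in_addrs && /\(reason: 55[0-9] 5\.[0-9]+\.[0-9]+ .*(User unknown|No such user here)\)/ { unknown++ }
        END { if (total > 0 && unknown == total) print "drop"; else print "keep" }'
}

# filter_bounce: what the postmaster-side weeding would do with each copy:
# swallow the unknown-user bounces, pass every other bounce through unchanged.
filter_bounce() {
    msg=$(cat)
    case $(printf '%s\n' "$msg" | classify_bounce) in
        drop) ;;
        *) printf '%s\n' "$msg" ;;
    esac
}

# Stand-alone run: show the verdict for each constructed sample.
for s in SAMPLE_UNKNOWN SAMPLE_PROG SAMPLE_MIXED; do
    eval "body=\$$s"
    printf '%s: %s\n' "$s" "$(printf '%s\n' "$body" | classify_bounce)"
done
```

The filter keys on the DSN body rather than on the subject, so it works whether the copy arrives via a procmail recipe on a dedicated postmaster alias (the option mentioned above) or from a mailbox processed in batches; either way only the "User unknown" copies disappear.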
Re: [spamassassin] Re: How to report 120,000 spams
> If you are proposing some kind of checksums or other types of 'message
> identifying' techniques on the messages, those few mistyped addresses
> could certainly make a difference for your site. What if bongo's mom
> mistypes to bungo, realizes her mistake and resends it to bongo a few
> minutes later. It is quite likely that the valid message will be
> rejected now since it's (almost) identical to the one your proposed
> system just marked as spam. What if bongo signs up for a mailing
> list and mistypes his own email address (yes, this happens). Now your
> system marks all list mailings as spam, so everyone using your system
> starts losing their copies of the mailing list messages too?

Bango said that if his mom can't spell his name right, he doesn't care if he gets her emails. :)

I'm not proposing anything. I originally wanted to see if there was some way that these 120,000 emails that don't go to a valid/usable end user could be used to help the community out in some way. I had 2 filtering systems agree to do something with them, but for reasons I'd rather not share neither one worked out. (One may still yet, I'm not sure, waiting to hear back)

We also don't do sitewide Bayes/etc. We do it per received user. For this domain, it just happens that all 4 users of the domain constitute a single received user.

I realize that collectively this list could propose well over 5000 reasons that make sense why "good" mail could be part of that 120,000. I just didn't think the ever so insignificant percentage mattered. For as much as spam gets through, and good mail gets marked bad also, I thought this was "acceptable".

> I think you have good intentions but the source of your data is flawed
> for anything but maybe limited statistical training. Unfortunately it
> probably is not great for that either, since the mail you are seeing
> for non existent users is probably not at all similar to the mix of
> spam you get to real accounts. The scanner would end up biased
> towards whatever junk the spammers desperate enough to use
> dictionaries send, which would drown out the stats from those spams
> that are actually difficult to detect.

Ok, very valid point that makes a lot of sense. Thank you.

> Why do you accept messages for non existent accounts? You're wasting
> bandwidth, regardless of what you do or don't do with the junk after
> you accept it. From the sound of it you could reduce your mail
> bandwidth to a tiny fraction of what it is now by just refusing this
> stuff (which is what most everyone else does, AFAIK).

How do you do it on MX hosts? I realize that if I stop the wildcard acceptance and stop copying errors to postmaster that I can do it on the destination server. However, due to circumstances out of my control for the next few months, all email arrives to the main mail server via MXs ONLY.

Thanks, Tuc
Re: [spamassassin] Re: How to report 120,000 spams
> The same argument applies to mail to valid addresses (bingo, bango, ...)
> as well. would you like to use all your mail as a spam corpus? after
> all, you get only 10 out of 12 messages to these addresses :)

Well, bingo DOES like to hear from his mom, SOMETIMES. ;) I understand your point, but like I previously said... The domain owners have told me that the incidence of mistypes and use of email addresses that people think are valid but aren't is so low that they accept that ones are being tossed and consider that an acceptable loss.

> anyway, you'll have to make your mind. N spam messages is not the same
> thing as N probable spam messages, even if the probability is > 0.999
> (with a finite number of 9s). if the probability is not 1 (exactly),
> then the corpus is polluted. It may be statistically good, but that's
> not always good.

Ok, I see where people are coming from on it.

> The worst part of this story is that you may be silently (and
> "frivolously") discarding legitimate mail, which is not very nice (if I
> mistype an address in the said domain, my mail gets dropped and I don't
> have a chance to fix my typo...). Do yourself and others a favour and
> find a way to reject these at smtp time. if you want to trap some spam,
> use carefully selected addresses.

The owners are aware this can happen, and in the grand scheme of things are more happy that they don't have to go through the 120K emails to delete them, than worry about "The one that got away". As mentioned in the previous message, I need to know of a suitable option for MX hosts. I may have to decide not to be so vigilant about real errors and turn off error copying to postmaster, but that still won't solve MX's.

Thanks, Tuc
Re: [spamassassin] Re: [spamassassin] Re: How to report 120,000 spams
> > Bango said that if his mom can't spell his name right, he doesn't
> > care if he gets her emails. :)
>
> fair enough (he can also discard delivered mail anyway). but I've seen a
> lot of people subscribing to services with a mistyped address (their
> own) and then calling us to complain why they didn't get the
> confirmation request...
>
> anyway, your "corpus" is probably usable provided one uses heuristics to
> avoid hitting possible ham (for example by computing a distance between
> the recipient address and your valid addresses to make sure the
> recipient address is not mistyped, ... etc). but I still believe it
> should be "reduced" by rejecting mail at smtp time and only keeping some
> selected "trap" addresses (for example /[EMAIL PROTECTED]/ to catch
> attempts to use a phone-like address).

The bango/mom thing was a joke. Not to make the situation any worse, but the user has never called me wondering where email they expected is. But then again, I rarely ever hear from the user period.

Anyway, I'm fine with the 120,000 mails now being considered useless in the long run. At least 2 people put it well enough to me that I get it. I'm fine with not having ANY spam traps either. But it still remains, I'm looking to find what people think is the best way on an MX host to do the rejecting at SMTP time.

Thanks, Tuc
Re: How to report 120,000 spams a day
> Seriously...
>
> How hard is it to setup the MX boxen to only allow 4 email addresses to pass
> for that particular domain, rejecting all others in the SMTP conversation?
>
> Unless the customer is dropping BIG DADDY $$$ with you, tell him policy
> change and that he isn't losing any email if you do not do a catchall for
> his domain
>
> That postmaster thing is a monster. Send the postmaster stuff to that
> customer and see how soon they want it turned off
>
> ;->
>
> Otherwise do what Kris said and push or pull or whatever all the
> validrcptto's out to the MX's
>
> - rh

Hi,

Everyone keeps telling me to push the userlist out to the MX. This isn't possible, since everything is handled in virtusertable. So then they tell me to push the virtusertable out to the MX's. So I've asked multiple people multiple times how, using sendmail on an MX that's not a final delivery server, to use the virtusertable to accept the mail, process against the virtusertable, and then when the final delivery server is contactable, send it there. Of what I've read, no one can tell me. Maybe I'm missing a fundamental fact. Are virtusertables checked during non final delivery MX handling in sendmail?

The postmaster emails are necessary to be able to find issues with the systems before clients do. I've caught issues with disks going bad, perl updates gone wrong, memory problems, and the most recent was that a client was having email sent directly to their ISP, who finally decided I was a spammer. The "5 days worth of attempts" finally expired and I started seeing all the upchuck from the system. If I turn postmaster bounce off, I lose that. But yea, it might become something I have to do. Lose the ability to monitor things happening on my systems in the name of spam.

I think the issue most people are having is that they have the luxury that every MX in their list is a final delivery host. We don't. MX's for us fall under the heading of "If the sole final delivery host is too overburdened, or is down for maintenance, hold the mail at least until it comes back". That REALLY REALLY worked well for us when the datacenter we were at in NYC went down during 9/11 because the National Guard stopped a fuel delivery truck for an hour. Our MX was uptown. When we finally came back online.

In any case, if someone can explain the mechanics of having a sendmail MX that is not the final delivery server do localized verification against something and then pass it along to the final delivery server, please let me know. It's not that I don't want to do any of this at all, it's that from what I know, at last look, the virtusertable is only consulted during final delivery.

Thanks, Tuc
Was: How to report 120,000 spams a day
Hi,

I wanted to thank everyone who responded both on and off list. In the end there was still a lot of confusion from people about my configuration, my intentions, my set up, some things I said. But it's really not worth rehashing again. The end result is I've changed my setup.

The other good that came out of this is that my [EMAIL PROTECTED] Recent Average Credit went up by 10% total.

Thanks again, Tuc
nologin: Attempted login by root on UNKNOWN
Hi,

At around 1p yesterday all of a sudden I started to see some messages out of the ordinary. I've tracked it down to happening around the same time SA is running.

I syslog everything to /var/log/spool, and if I do:

egrep 'clean |nologin' /var/log/spool | grep -v kernel

I see things like:

Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes.
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 1.6 seconds, 11011 bytes.
Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:26:50 asgard spamd[2499]: spamd: clean message (0.8/5.0) for mariansb:2004 in 1.4 seconds, 2251 bytes.
Jul 19 13:26:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:26:56 asgard spamd[2499]: spamd: clean message (1.5/5.0) for mariansb:2004 in 1.7 seconds, 11323 bytes.
Jul 19 13:26:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:28:14 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 seconds, 20370 bytes.
Jul 19 13:28:14 asgard nologin: Attempted login by root on UNKNOWN

I know this sounds the usual, but I didn't change or upgrade anything when it started.

Any thoughts? How do I debug?

Thanks, Tuc/TBOH
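The observation that each nologin entry shares a timestamp with a spamd "clean message" line is what separates a mail-pipeline side effect from a genuine login attempt, and it is worth checking mechanically rather than by eye. The script below is an added example, not from the post: it runs over constructed sample lines in the syslog format shown above (with one extra nologin line at a second when spamd was idle), counts the nologin entries that coincide to the second with a spamd "clean message" or "identified spam" line, and lists the ones that do not, since those are the entries that the spamd noise would otherwise bury. Host and user names are the ones quoted above; the lines themselves are constructed.

```shell
#!/bin/sh
# Constructed sample syslog excerpt (same format as the post, not a real log).
SAMPLE_LOG='Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes.
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 12:30:00 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:10:00 asgard kernel: unrelated kernel message'

# correlate_nologin: read syslog lines on stdin, print "<matched> <unmatched>".
# matched   = nologin entries whose timestamp (to the second) also carries a
#             spamd result line, i.e. explained by the spamc run;
# unmatched = nologin entries with no spamd activity at that second.
correlate_nologin() {
    awk '
        # Fields 1-3 are the syslog timestamp, e.g. "Jul 19 11:52:26".
        /spamd: (clean message|identified spam)/ { spamd[$1 " " $2 " " $3] = 1 }
        /nologin: Attempted login/               { nologin[$1 " " $2 " " $3]++ }
        END {
            matched = 0; unmatched = 0
            for (ts in nologin) {
                if (ts in spamd) matched += nologin[ts]; else unmatched += nologin[ts]
            }
            print matched, unmatched
        }'
}

# list_unmatched: print, in log order, the nologin lines that no spamd line
# explains; these are the ones to look at as possible real login attempts.
list_unmatched() {
    awk '
        /spamd: (clean message|identified spam)/ { spamd[$1 " " $2 " " $3] = 1 }
        /nologin: Attempted login/ { line[++n] = $0; ts[n] = $1 " " $2 " " $3 }
        END { for (i = 1; i <= n; i++) if (!(ts[i] in spamd)) print line[i] }'
}

# Stand-alone run over the sample; on a real box replace the printf with
# something like: egrep "spamd: |nologin" /var/log/spool | correlate_nologin
printf 'matched unmatched: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | correlate_nologin)"
printf '%s\n' "$SAMPLE_LOG" | list_unmatched
```

Matching to the second is deliberately coarse: spamd logs its result when the child finishes, which is the same moment procmail's spamc pipeline tears down, so the two entries land on the same timestamp, while an unrelated login attempt has no reason to. Anything reported as unmatched deserves a look at auth logs before being written off as noise.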
Re: nologin: Attempted login by root on UNKNOWN
> > From: "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]>
> >
> > Hi,
> >
> > At around 1p yesterday all of a sudden I started to see some messages out of the ordinary. I've tracked it down to happening around the same time SA is running.
> >
> > I syslog everything to /var/log/spool, and if I do:
> >
> > egrep 'clean |nologin' /var/log/spool | grep -v kernel
> >
> > I see things like:
> >
> > Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
> > Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes.
> > Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
> > Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 1.6 seconds, 11011 bytes.
> > Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:26:50 asgard spamd[2499]: spamd: clean message (0.8/5.0) for mariansb:2004 in 1.4 seconds, 2251 bytes.
> > Jul 19 13:26:50 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:26:56 asgard spamd[2499]: spamd: clean message (1.5/5.0) for mariansb:2004 in 1.7 seconds, 11323 bytes.
> > Jul 19 13:26:56 asgard nologin: Attempted login by root on UNKNOWN
> > Jul 19 13:28:14 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 seconds, 20370 bytes.
> > Jul 19 13:28:14 asgard nologin: Attempted login by root on UNKNOWN
> >
> > I know this sounds the usual, but I didn't change or upgrade anything when it started.
> >
> > Any thoughts? How do I debug?
>
> Recognize that you likely have two different "problems."
>
> The clean simply means spamd correctly processed a message that was not spam.

Right, I know. I was trying to point out that every time I had a clean message, I had one of those attempts... showing it was related in my investigation.

> The attempted login messages are some other item attempting to break into your machine on the root account. I'd suspect an ssh based attack.

Actually, no, it's not. SSH is closed up pretty tight, open to only a single box in the datacenter.

It turns out the solution to this was to put:

SHELL=/bin/sh

in the top of each user's .procmailrc that ran spamc.

Thanks for the reply though.

Tuc/TBOH
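The debugging step Tuc did by eye (pairing every spamd "clean message" line with the nologin line that lands in the same second) can be done mechanically, which also surfaces the nologin lines that do NOT coincide with spamd and therefore deserve a real look. The script below is an added example, not code from the original thread. The log lines embedded in it are constructed to resemble the ones quoted above; the kernel line and the final 14:02:11 nologin line are made up to show the non-correlated case. It assumes the traditional syslog line layout ("Mon DD HH:MM:SS host prog[pid]: message").

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:15:00 asgard kernel: constructed unrelated kernel message
Jul 19 14:02:11 asgard nologin: Attempted login by root on UNKNOWN
"""

# Traditional syslog format: timestamp, host, program with optional [pid], message.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$')


def parse_syslog(text):
    """Parse syslog lines into dicts; adds a datetime under 'when'
    (year-less, which is fine for same-day proximity checks)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line, skip it
        ev = m.groupdict()
        ev['when'] = datetime.strptime(' '.join(ev['ts'].split()), '%b %d %H:%M:%S')
        events.append(ev)
    return events


def correlate_nologin(text, window_seconds=1):
    """Split nologin events into those within window_seconds of a spamd event
    (the procmail/shell noise seen in the thread) and those standing alone
    (which could be a genuine login attempt and need separate investigation)."""
    events = parse_syslog(text)
    spamd_times = [e['when'] for e in events if e['prog'] == 'spamd']
    correlated, standalone = [], []
    for e in events:
        if e['prog'] != 'nologin':
            continue
        near_spamd = any(abs((e['when'] - t).total_seconds()) <= window_seconds
                         for t in spamd_times)
        (correlated if near_spamd else standalone).append(e)
    return correlated, standalone


if __name__ == '__main__':
    correlated, standalone = correlate_nologin(SAMPLE_LOG)
    print(f"{len(correlated)} nologin event(s) coincide with spamd activity")
    print(f"{len(standalone)} nologin event(s) stand alone and deserve a closer look:")
    for e in standalone:
        print(' ', e['ts'], e['host'], e['msg'])
```

On a real box, feed it the output of the egrep from the post instead of the constructed sample; anything that ends up in the standalone list is the part that a "procmail shell" explanation does not cover.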
Re: [spamassassin] Re: Spam volumes down since last week
> Daniel J McDonald wrote:
> > On Tue, 2008-06-24 at 10:19 -0400, Randy Ramsdell wrote:
> >> ram wrote:
> >>> I am seeing a clear downtrend in the number for spams hitting our servers, I am not sure why? Since last week spams are at 50% of what they used to be last month. Is this what you all are seeing
> >>
> >> Our spam levels are 1/2 to 1/3 of what they were two weeks ago. Also, virus e-mails are also very very low. Low enough for me to start reviewing the e-mail logs for anomalies.
> >
> > two weeks ago was a little higher than 8 weeks ago, but nothing dramatic. The whole quarter has been in the 10-14 spams per minute range. I don't track the number of connections dropped by greylisting, so that might be masking anything anomalous.
>
> My list of virus infected spambots has dropped from 2 million to 1.7 million. It's interesting that others are seeing a drop as well. If this keeps up I might have to get a real job. :)

Hi,

Our spam is looking normal. Around 11 in, 6 spam every 5 minutes for the last 30 hours. Around 12 in, 7 spam every 5 for the last 8 days. Around 12 in, 7 spam every 5 for the last 5 weeks. Our Spamcop RBL has been on a steady decline in the number it blocks. Tosseds (for various reasons) are holding steady. Unknown users are declining ever so slowly. Zen RBL has been on a steady decline in the number it blocks too.

That's our view. :)

Tuc
ID or UID?
Hi,

I'm running 3.1.5 on FreeBSD from ports. I have a unique situation and I wondered if I was doing something to confuse SA. My server has a series of users:

server:*:1004:1004:TBOH Listproc:/usr/local/etc/server:/usr/local/bin/zsh
stcomp:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/tboh-comp:/usr/local/bin/zsh
stcust:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/tboh-cust:/usr/local/bin/zsh
strgcn:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/corewar-l-news:/usr/local/bin/zsh
strgc:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/corewar-l:/usr/local/bin/zsh
stmtn:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/misc-test-news:/usr/local/bin/zsh
stmt:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/misc-test:/usr/local/bin/zsh

Different ids, but the same UID/GID. I have the virt user table set up in sendmail to send to the different users depending on the inbound email address. A sample of my .procmailrc looks like:

:0 c
COPY

:0fw: spamassassin.lock
* < 256000
| /usr/local/bin/spamc

:0:
* ^X-Spam-Status: Yes
/dev/null

:0 H
* ! ^From[ ]
* ^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up.
"
  :0 fhw
  | sed -e 's/^rom /From /'
}

:0:
| /usr/local/etc/server/catmail -L COREWAR-L -f -m -

I've been running it like this for a year and a half so far. I recently started getting so much spam I decided to start running sa-learn on the COPY box every once and a bit after I weed out bounces and legit emails (3 out of 300). Before I ran the first sa-learn, there wasn't a .spamassassin directory. Now there is, with 2 files (bayes_seen and bayes_toks). The "owner" (per se) of the 1004 uid, server, has a .spamassassin directory that has 5: auto-whitelist, bayes[_seen|_toks|_journal] and user_prefs. The most recent date is Oct 24th for all files except user_prefs, which is Apr 26 2005.

Is spamc/spamd taking the uid owner, and sa-learn taking just the id? Is there something I should do to change this configuration?

Thanks, Tuc
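The core of the question is that a numeric UID shared by several passwd lines is not a unique key: a lookup by login name and a lookup by UID can legitimately return different home directories, so two tools that resolve "who am I" differently will write to two different .spamassassin directories. The following is an added example, not from the post and not SpamAssassin code. It assumes the flat-file behaviour that a lookup by UID returns the first passwd line carrying that UID (a directory service such as NIS or LDAP may order entries differently, which is itself worth checking). The passwd lines are the ones from the post. Which of spamd and sa-learn resolves by name and which by UID on this box is not something the post establishes; the usage note says how to find out.

```python
from collections import Counter

# The seven passwd lines from the post, all sharing uid/gid 1004.
PASSWD_TEXT = """\
server:*:1004:1004:TBOH Listproc:/usr/local/etc/server:/usr/local/bin/zsh
stcomp:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/tboh-comp:/usr/local/bin/zsh
stcust:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/tboh-cust:/usr/local/bin/zsh
strgcn:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/corewar-l-news:/usr/local/bin/zsh
strgc:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/corewar-l:/usr/local/bin/zsh
stmtn:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/misc-test-news:/usr/local/bin/zsh
stmt:*:1004:1004:TBOH Listproc:/usr/local/etc/server/procfilter/misc-test:/usr/local/bin/zsh
"""


def parse_passwd(text):
    """Parse passwd(5) lines (name:pw:uid:gid:gecos:home:shell) into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(':', 6)
        entries.append({'name': name, 'uid': int(uid), 'gid': int(gid),
                        'gecos': gecos, 'home': home, 'shell': shell})
    return entries


def getpwnam(entries, name):
    """Lookup by login name: the name is unique, so this is unambiguous."""
    for e in entries:
        if e['name'] == name:
            return e
    raise KeyError(name)


def getpwuid(entries, uid):
    """Lookup by numeric uid: returns the FIRST line with that uid (assumed
    flat-file semantics), so for a shared uid every name collapses to one."""
    for e in entries:
        if e['uid'] == uid:
            return e
    raise KeyError(uid)


def homes_for(entries, name):
    """Home directory a process running as `name` ends up with when the tool
    resolves it by name versus by uid."""
    by_name = getpwnam(entries, name)
    by_uid = getpwuid(entries, by_name['uid'])
    return by_name['home'], by_uid['home']


def shared_uids(entries):
    """Map each uid that appears more than once to the names sharing it."""
    counts = Counter(e['uid'] for e in entries)
    return {uid: [e['name'] for e in entries if e['uid'] == uid]
            for uid, n in counts.items() if n > 1}


if __name__ == '__main__':
    entries = parse_passwd(PASSWD_TEXT)
    print('shared uids:', shared_uids(entries))
    for name in ('server', 'strgc', 'stmt'):
        by_name, by_uid = homes_for(entries, name)
        flag = '' if by_name == by_uid else '  <-- differs'
        print(f'{name}: by name -> {by_name}\n{" " * len(name)}  by uid  -> {by_uid}{flag}')
```

To see what the real libc does on the server rather than this model, run (as one of the shared-uid users) `id -un` and `python -c 'import os, pwd; print(pwd.getpwuid(os.getuid()))'` and compare the result with `$HOME` and `$USER` inside the procmail environment; whichever of those a tool consults decides which .spamassassin directory it uses.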
Re: Someone explain sa-update to me
> If sa-update finds an update, you will also need to restart spamd if you are using the daemon. See the wiki for more details:
>
> http://wiki.apache.org/spamassassin/RuleUpdates

Maybe run a script like this... (UNTESTED*)

#!/bin/sh
# Run sa-update, restart spamd only when new rules were installed, and mail
# on success or failure.
SAUPDATE="/usr/local/bin/sa-update"
SAUPDATECLI=""
STOPSPAMD="/usr/local/etc/rc.d/sa-spam.sh stop"
RESTARTSPAMD="/usr/local/etc/rc.d/sa-spam.sh start"
SLEEP=10
MAILUPDATE="[EMAIL PROTECTED]"
MAILERR="[EMAIL PROTECTED]"
MAILPROG="/bin/mail"
SUBJUPDATE="update-sa-learn refreshed rules"
SUBJERR="update-sa-learn bad exit"

$SAUPDATE $SAUPDATECLI
sarc=$?

# sa-update exits 0 when new rules were installed and 1 when there was
# nothing new; anything else is treated as a failure.
if [ $sarc -eq 0 ]
then
    $STOPSPAMD
    sleep $SLEEP
    $RESTARTSPAMD
    echo "SA-UPDATE updated rules" | $MAILPROG -s "$SUBJUPDATE" $MAILUPDATE
    exit 0
fi

if [ $sarc -eq 1 ]
then
    exit 0
fi

echo "SA-UPDATE exited with $sarc" | $MAILPROG -s "$SUBJERR" $MAILERR
exit $sarc
2 word spam subject starting with "at"/"for"/"good"
Hi,

Is anyone else seeing these? They seem to have 2 word subjects starting with "at", "for" or "good". I don't seem to get any personally, but one of my users seems to get 500 or 600 a week.

Thanks, Tuc
Ever seen "bulletin"?
Hi,

It comes as a blank message with a "bulletin.zip". It's actually a RAR file. You unrar it and it produces "bulletin.txt". Then it's a stock spam.

Tuc
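The practitioner's check for an attachment like this is to ignore the file extension and look at the leading bytes (the magic number): a ".zip" that starts with the RAR signature is exactly the mismatch described above, and is cheap to flag before anything tries to open it. The code below is an added example, not part of the post and not a SpamAssassin plugin. The RAR sample is constructed (a valid RAR 4 signature followed by filler, not a real archive); the ZIP sample is built in memory with the standard library so the comparison runs offline.

```python
import io
import zipfile

# File signatures (magic numbers) for the two container formats in question.
# Longer signatures are listed first so prefix overlap cannot mis-classify.
SIGNATURES = [
    (b'Rar!\x1a\x07\x01\x00', 'rar'),  # RAR 5.x
    (b'Rar!\x1a\x07\x00', 'rar'),      # RAR 1.5 through 4.x
    (b'PK\x03\x04', 'zip'),            # ZIP local file header
    (b'PK\x05\x06', 'zip'),            # empty ZIP (end-of-central-directory only)
]


def sniff(data: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return 'unknown'


def check_attachment(filename: str, data: bytes):
    """Compare the extension a sender chose with what the bytes say.
    Returns (declared_extension, sniffed_type, mismatch). A mismatch is only
    reported when the bytes are recognised; unknown content is left alone."""
    declared = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    actual = sniff(data)
    mismatch = actual != 'unknown' and actual != declared
    return declared, actual, mismatch


# Constructed samples: a RAR 4 signature plus filler (signature only, not a
# real archive) and a genuine in-memory ZIP containing one text member.
RAR4_SAMPLE = b'Rar!\x1a\x07\x00' + b'\x00' * 16


def make_zip_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('bulletin.txt', 'constructed stock spam body\n')
    return buf.getvalue()


if __name__ == '__main__':
    for name, payload in (('bulletin.zip', RAR4_SAMPLE),
                          ('bulletin.zip', make_zip_sample()),
                          ('notes.txt', b'plain text, nothing to sniff')):
        declared, actual, mismatch = check_attachment(name, payload)
        verdict = 'MISMATCH' if mismatch else 'ok'
        print(f'{name}: extension={declared or "(none)"} bytes={actual} -> {verdict}')
```

In a mail pipeline the same check belongs on every MIME part with a filename, run on the decoded bytes, not the base64 text; a mismatch is a good reason to quarantine rather than to try to unpack.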
Re: Ever seen "bulletin"?
> > It comes as a blank message with a "bulletin.zip". It's actually a RAR file. You unrar it and it produces "bulletin.txt". Then it's a stock spam.
>
> I guess they've given up on hoping PC owners will sucker for their game. I can't imagine that one PC owner in 100K knows what a RAR file is or how to crack it.
>
> Loren

Don't kid yourself, RAR is getting more popular, especially in the adult pix world. I'm not a Winderz user, but it looks like Winzip 11 is now supporting RAR and BZ2 files.

Tuc