RE: [OT] Whats inside ? Was: Re: Barracuda's Spam firewall

> > > Virus checker ... no idea. Sorry. > > I believe they use two Virus Scanners - One is ClamAV + Secondary ? Sorry for replying to my own post, but secondary is reported to be Sophos

RE: [OT] Whats inside ? Was: Re: Barracuda's Spam firewall

> Virus checker ... no idea. Sorry. I believe they use two Virus Scanners - One is ClamAV + Secondary ? MB

RE: Barracuda's Spam firewall

> > Several months later, a sales rep called and tried to sell me > on it. I told him I wasn't interested in it as it stood, but > might have some interest if they had an outbound scanner. They have that capability now: http://www.barracudanetworks.com/products/key_features_ob.php

RE: Porn E-Mail

Ditto on this as well. New rules coming out for those. Funny, but the ninjas are excited we get to work on some spam again ;)  We get bored without someone to assassinate.   --Chris -Original Message-From: Arie Kachler [mailto:[EMAIL PROTECTED]Sent: Monday, February 28, 2005

Pyzor Error

Hi, I´m SpamAssassin user logn time ago but new in this list. This is the problem: I've just installed Pyzor (by the way in RH7.3 you need to install in a diferent way the instalation notes says). I was using SpamAssassin inside a perl script (with mod_perl) to check for spam the outgoing mails

Re: Porn E-Mail

We are getting a ridiculous amount of spam related to cheap stocks lately. Spam has definitely increased recently. Some customers are calling us asking if we have spam filters, even though our Spamassassin is blocking about 90-95% of all emails coming to our servers. I remember the days when we

Re: Porn E-Mail

As just an aside.. has anyone noticed a more massive amount of spam lately then normal? Seems in gmail as well as my ISP I am logging a whole lot more spam then normal. On Mon, 28 Feb 2005 14:10:16 -0500, Chris Santerre <[EMAIL PROTECTED]> wrote: > > >Has anyone noticed lately a higher then nor

RE: Porn E-Mail

>Has anyone noticed lately a higher then normal amount of porn spam >getting through?I've seen alot of it that seems to be hitting the >customer base as of late.. marked only by the SURBL... but those that >aren't SURBLed yet.. get through with a score of like 2.3 > Yup. New SARE rule coming

RE: Rule advice please

>Hello. > >Following discussions on this list about obfuscating words to >avoid spam >detection, and not being a ninja, I'd like some feedback about the >possible efficacy or pitfalls on rules like the following. > >As noted in other discussions, words with scrambled letters >between the >fir

Re: Rule advice please

subject =~ /\b(?!cartoon|croatan|carroon)c[arto]{5}n\b/i subject =~ /\b(?!downloadable)d[ownladb]{10}e\b/i subject =~ /\b(?!dripping)d[ripn]{6}g\b/i subject =~ /\b(?!ejaculating|enunciating)e[jacultin]{9}g\b/i You can't use rules like this. The pattern "can" matches your first exam

Re: [OT] Whats inside ? Was: Re: Barracuda's Spam firewall

Philipp Snizek wrote: Sorry to get off-topic-ish here, But could you tell us what Barracuda uses for: - MTA - Anti spam software - Anti virus software Can't say for sure as it's a "black box" to which you don't get real shell access. The command line only grants access to a tool from which the m

spamd, CGPSA, and CommuniGate Pro

I'm trying to get spamd (Spamassassin's daemon) back up until Daniel Zimmerman (hopefully) gets CGPSA updated for SQL. I have SQL working and am incorporating user level sql preferences through a SquirrelMail plugin that I've developed. (It's really slick too!). Its been a long time since I us

RE: Rule advice please

subject =~ /\b(?!cartoon|croatan|carroon)c[arto]{5}n\b/i subject =~ /\b(?!downloadable)d[ownladb]{10}e\b/i subject =~ /\b(?!dripping)d[ripn]{6}g\b/i subject =~ /\b(?!ejaculating|enunciating)e[jacultin]{9}g\b/i You can't use rules like this. The pattern "can" matches your first ex

Re: pyzor

- Original Message - From: "Alan Munday" <[EMAIL PROTECTED]> > My issue is that although a pyzor discover has updated the servers file, and shows the new server address Bill pointed out, when called in debug mode the old address is still being used. How are you executing SA? If via some

Re: pyzor

About UDP for request and TCP for answers I was read here: http://wiki.apache.org/spamassassin/NetTestFirewallIssues >>Pyzor uses both udp and tcp port 24441. It looks as though the client communicates with the server via udp but the server answers back with a tcp connection. But as I see by tcp

Rule advice please

Hello. Following discussions on this list about obfuscating words to avoid spam detection, and not being a ninja, I'd like some feedback about the possible efficacy or pitfalls on rules like the following. As noted in other discussions, words with scrambled letters between the first and last le

Re: pyzor

And my problem, should anyone find this useful: pyzor discover was correctly updating the servers file for the user account it was called from. However I have a --homedir set for pyzor in local.cf and as this is not the same dir as the user file hence the failure to update. Deleting/renaming the

Re: Obfuscation (was: Millions and Billions)

--On Sunday, February 27, 2005 7:46 PM -0800 Loren Wilton <[EMAIL PROTECTED]> wrote: He has a point. A complicated regex is complicated, and that can mean slow. It also by definition means "incomprehensible to humans", and so has to be generated by a tool, and then not touched or looked at. Than

Re: Obfuscation (was: Millions and Billions)

Chris Santerre wrote: > I remember that paper. I was impressed and sceptical at the same time. I > could see it FPing a lot. One person in the crowd brought up Niagra vs. the > V-drug word :) > > Cialis vs. Dial-Lisa > ect.. That was MailFrontier, using the term lexigraphical distancing rat

Re: pyzor

Fixed Thank you for idea ! After install the pyzor from src, it is set permission for /usr/bin/pyzor to: read/write/execute for owner and execute only for group and other. But pyton is interpreter and it is need to read file for execute. Then I set /usr/bin/pyzor readable for group and for ot

Re: pyzor

At 11:42 AM 2/28/2005, Slava Garaschenko wrote: Feb 28 11:29:28 usa spamd[2512]: debug: Pyzor is available: /usr/bin/pyzor Feb 28 11:29:28 usa spamd[2512]: debug: entering helper-app run mode Feb 28 11:29:28 usa spamd[2519]: debug: setuid: helper proc 2519: ruid=97 euid=97 Feb 28 11:29:28 usa spam

Re: pyzor

At 10:51 AM 2/28/2005, Slava Garaschenko wrote: and tcpdump show: 10:47:59.056563 us.ambernet.kiev.ua.4831 > clapton.quatro.com.24441: udp 165 (DF) 10:47:59.080542 clapton.quatro.com.24441 > us.ambernet.kiev.ua.4831: udp 63 (DF) Only things, with which I was surprised, that I was read that pyzor

Re: Amazon is killing me....

>>From [EMAIL PROTECTED] Mon Feb 28 07:23:40 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: >list-unsubscribe: >List-Post: >List-Id: >Delivered-To: mailing list u

Re: pyzor

It seems you are right - it is something with home directory... User vilter have home directory and it is all OK with permissions, but after I start spamd with -D option I see this: Feb 28 11:29:28 usa spamd[2512]: debug: Pyzor is available: /usr/bin/pyzor Feb 28 11:29:28 usa spamd[2512]: debug:

Re: pyzor

Matt Kettler wrote the following on 28/02/2005 15:48: Alan, Slava is running tcpdump, and claims to not see *any* pyzor traffic at all, not even the outbound request. Their problem is almost certainly not due to remote-side timeouts. The only thing I can think of is the -H parameter to spamd... W

RE: I wonder how Google would deal with this one :-)

>On Sunday, February 27, 2005, 4:07:01 PM, Greg Allen wrote: >> I got this spam on Sat 2/12/2005. You sometimes have to >admire the work that >> goes into this non-sense. At first I thought it was an >image. But it is not. >> Notice the words are made up of very small text arranged >into bigger

RE: Obfuscation (was: Millions and Billions)

>-Original Message- >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] >Sent: Monday, February 28, 2005 10:34 AM >To: Loren Wilton >Cc: users@spamassassin.apache.org >Subject: Re: Obfuscation (was: Millions and Billions) > > >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA1 > > >Loren Wilt

Re: Headers in forwarding messages

At 10:17 AM 2/28/2005, [EMAIL PROTECTED] wrote: Im sure this has been asked before, when someone forwards me a spam email that has gotten through to their box and I want to feed it to bayes, could this cause inaccurate results because of the additional headers added by the forwarding? If so is ther

Re: pyzor

What firewall rule do you use for pyzor ? Did it use any other port, not only 24441 ? Becouse I don't see any packets by tcpdump. Not request, not answers (in daemon mode). But then I type spamassassin -D --lint - all OK: debug: Pyzor is available: /usr/bin/pyzor debug: entering helper-app run mod

Re: pyzor

Alan, Slava is running tcpdump, and claims to not see *any* pyzor traffic at all, not even the outbound request. Their problem is almost certainly not due to remote-side timeouts. The only thing I can think of is the -H parameter to spamd... With no parameter the docs claim it will use the spamc

Re: pyzor

- Original Message - From: "Slava Garaschenko" <[EMAIL PROTECTED]> I use spamassassin at one of the e-mail gateway of my company, and it is processing up to 10-20 messages every minutes (peak). Also, i was try to execute at the same time tcpdump -i eth0 src or dst port 6277 (for dcc) and

Re: pyzor

martin smith wrote the following on 28/02/2005 15:33: Just found this, could be the cause of some of the problems. 2005-02-04 The public server changed its address; please re-run 'pyzor discover' to find the new server. http://pyzor.sourceforge.net/ Martin Martin As the date shows, this is a

Re: Obfuscation (was: Millions and Billions)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Loren Wilton writes: > Since a tool can generate the matching pattern and convert it to a re, it > seems that a tool could in theory generate a matching pattern and convert it > to something else that might be either more comprehensible or more > effi

RE: pyzor

Just found this, could be the cause of some of the problems. 2005-02-04 The public server changed its address; please re-run 'pyzor discover' to find the new server. http://pyzor.sourceforge.net/ Martin

Re: Barracuda's Spam firewall

On Mon, 2005-02-28 at 10:07, Cris Fuhrman wrote: > On Mon, 28 Feb 2005 09:43:32 -0500 (EST), Tom Gwilt <[EMAIL PROTECTED]> wrote: > > The response was along the lines of "not available at this time, and it > > would cost you tens of thousands of dollars to implement with existing > > hardware, etc"

Re: Amazon is killing me....

On Sun, Feb 27, 2005 at 09:52:05PM -0800, Loren Wilton wrote: > Sure sounds like a problem with the ClamAV setup rather than SA to me. > Nothing in what you show indicates that SA even ever saw the messages. Also, FYI, amazon is in the SA default whitelist. -- Randomly Generated Tagline: "Bender

RE: Barracuda's Spam firewall

I've worked with a couple of Barracudas that worked very well, especially for people who are not technical. As far as updates, a Barracuda has three different update mechanisms. There are virus def and spam def updates which can be set to automatically update either hourly or daily, and then ther

Headers in forwarding messages

Im sure this has been asked before, when someone forwards me a spam email that has gotten through to their box and I want to feed it to bayes, could this cause inaccurate results because of the additional headers added by the forwarding? If so is there a setting in SA to resolve that issue? Thanks

CommuniGate Pro / CGPSA plug-in

Title: Message Is anyone using the CommuniGate Pro Email Server along with the CGPSA (SpamAssassin API)?  I having problems setting up and configuring the CGPSA.  I've followed the install directions and configuration steps but when I enable the CGPSA Helper in CommuniGate Pro,  CGPro stops work

Re: pyzor

Matt Kettler wrote the following on 28/02/2005 12:32: At 07:14 AM 2/28/2005, Slava Garaschenko wrote: But, then I run spamassassin in daemon mode by /etc/rc.d/init.d/spamassassinstart I dont' see any request to port 24441 which is used by pyzor. This means that pyzor completely don't work with sp

Re: Barracuda's Spam firewall

On Mon, 28 Feb 2005 09:43:32 -0500 (EST), Tom Gwilt <[EMAIL PROTECTED]> wrote: > The response was along the lines of "not available at this time, and it > would cost you tens of thousands of dollars to implement with existing > hardware, etc". > > OK - so I found a Dell 1600SC, put FreeBSD, Postfi

Re: Obfuscation (was: Millions and Billions)

Hello Kenneth, Sunday, February 27, 2005, 7:35:18 AM, you wrote: KP> --On Thursday, February 24, 2005 6:07 PM -0500 Phil Barnett KP> <[EMAIL PROTECTED]> wrote: >> i or l = [|ííiil1] >> a = [EMAIL PROTECTED] >> e = [eé3] >> o = [o0] KP> It seems like this is getting overly-complicated. Are there

Re: [SPAM-TAG] Porn E-Mail

On Monday, February 28, 2005, 5:23:03 AM, Matt Matt wrote: > Has anyone noticed lately a higher then normal amount of porn spam > getting through?I've seen alot of it that seems to be hitting the > customer base as of late.. marked only by the SURBL... but those that > aren't SURBLed yet.. get

Re[2]: SQL settings & Deprecated rulesets?

Hello Loren, Sunday, February 27, 2005, 7:37:58 PM, you wrote: LW> Also, you show header0 and gensubj0. Almost always you would also LW> want the "1" version of these rulesets. The "0" version mostly LW> just sets up stuff used by the other sets, I believe. Not quite. genlsubj0, header0, html

Re: SQL settings & Deprecated rulesets?

Hello Codger, Sunday, February 27, 2005, 7:30:47 AM, you wrote: C> 2. I have these old rulesets but I can't find the previous download C> page a comprehensive list anywhere of the ones that are deprecated by C> version 3.0.2 and I want to eliminate duplication. Which are absolutely C> deprecated

Re: Porn E-Mail

Hrmm well that could do it: pts rule name description -- -- 1.3 SARE_HOUSEWIVESBODY: Mentions housewives, as in porn or in-home biz 0.8 HTML_30_40 BODY: Message is 30% to 40% HTML 0.0 HTML

Re: Barracuda's Spam firewall

On Fri, 25 Feb 2005, Gray, Richard wrote: If any of you fine people has any experience with this (tested it, use it, know someone else who uses it) I'd really appreciate any feedback you could give me on its pros/cons. Thanks. Richard I checked into it several months ago. Seemed nifty, so I call

Re: Porn E-Mail

Matt wrote: Hrmm well that could do it: pts rule name description -- -- 1.3 SARE_HOUSEWIVESBODY: Mentions housewives, as in porn or in-home biz 0.8 HTML_30_40 BODY: Message is 30% to 40% HTML 0

RE: Porn E-Mail

If you are running the 70_SARE_HTML1.CF file, increase the value of SARE_HTML_A_HIDE in your local.cf... this spammer always hits this rule. I've been doing this for several months now, with no false positives. I've set mine to 3 points (5 required). HTH, Shawn -Original Message- From

Re: Porn E-Mail

This hits 22 points on my install. If you ignore all of the BLs and Razor, it's still getting over 5 hits. Of course, if you ignore Bayes, then it's down to about 2 points.Which rules did this hit on your install? The headers don't say. Content analysis details: (22.2 points, 5.0 req

Porn E-Mail

Has anyone noticed lately a higher then normal amount of porn spam getting through?I've seen alot of it that seems to be hitting the customer base as of late.. marked only by the SURBL... but those that aren't SURBLed yet.. get through with a score of like 2.3 Return-Path: <[EMAIL PROTECTED]>

Re: Barracuda's Spam firewall

Hi Tim B, > They bounce EVERYTHING causing a ton of backscatter. ÂThey seem to > accept all mail, process it then bounce it back to the "sender" which is > usually fake. Yeah, that's sad but true for the default configuration. Since long I set mine to "Reject" instead of bounce and completely fo

Re: pyzor

I use spamassassin at one of the e-mail gateway of my company, and it is processing up to 10-20 messages every minutes (peak). Also, i was try to execute at the same time tcpdump -i eth0 src or dst port 6277 (for dcc) and tcpdump -i eth0 src or dst port 24441 (for pyzor) And I see many request to d

Re: pyzor

At 07:14 AM 2/28/2005, Slava Garaschenko wrote: But, then I run spamassassin in daemon mode by /etc/rc.d/init.d/spamassassinstart I dont' see any request to port 24441 which is used by pyzor. This means that pyzor completely don't work with spamassassin. At least then spamassassin is used in dae

Re: Barracuda's Spam firewall

Gray, Richard wrote: Anyone care to comment on how successful/effective this particular product is? (http://www.barracudanetworks.com) There is something of a major dispute going regarding whether this represents better value for mney than other solutions (including our own, self built service

pyzor

>> Jimmy Hayes are right. It's something strange with pyzor. Spamassassin is don't use it in daemon mode. I use spamassassin 3.02 with sendmail with use milter interface at Fedora Core 1. To check did phyzor is really work with spamassassin i execute tcpdump -i eth0 src or dst port 24441 At any

Re: SQL settings & Deprecated rulesets?

Actually the "0" rules are rules which have hit ONLY spam, and are the safest for preventing false positives. >>> "Loren Wilton" <[EMAIL PROTECTED]> 02/27 10:37 PM >>> Check the SARE page for the various rulesets to see if any have been depreciated for 3.0. I don't believe any of the ones you hav

RE: [OT] Whats inside ? Was: Re: Barracuda's Spam firewall

> > Sorry to get off-topic-ish here, > > But could you tell us what Barracuda uses for: > > - MTA > > - Anti spam software > > - Anti virus software > > Can't say for sure as it's a "black box" to which you don't > get real shell access. The command line only grants access to > a tool from wh

Re: [OT] Whats inside ? Was: Re: Barracuda's Spam firewall

Hi Niek, > Sorry to get off-topic-ish here, > But could you tell us what Barracuda uses for: > - MTA > - Anti spam software > - Anti virus software Can't say for sure as it's a "black box" to which you don't get real shell access. The command line only grants access to a tool from which the most

[OT] Whats inside ? Was: Re: Barracuda's Spam firewall

On 2/28/2005 8:13 AM +0100, Michael Stauber wrote: Hi Richard, Anyone care to comment on how successful/effective this particular product is? (http://www.barracudanetworks.com) There is something of a major dispute going regarding whether this represents better value for mney than other solutions

Re: Barracuda's Spam firewall

Hi Richard, > Anyone care to comment on how successful/effective this particular product > is? (http://www.barracudanetworks.com) > > There is something of a major dispute going regarding whether this > represents better value for mney than other solutions (including our own, > self built service)

RE: Amazon is killing me....

> Doesn't look like spamassassin. I think maybe you should look at your > Clamv > virus attachment config http://www.clamav.net/ or call the guy you laid > off > who setup the clam av filter. :-) I believe that is qmail-scanner that's complaining about the MIME stuff. The OP needs to dive into q

Re: Amazon is killing me....

>Disallowed content found in MIME > attachment - potential virus clamdscan: Sure sounds like a problem with the ClamAV setup rather than SA to me. Nothing in what you show indicates that SA even ever saw the messages. Loren

RE: Amazon is killing me....

Doesn't look like spamassassin. I think maybe you should look at your Clamv virus attachment config http://www.clamav.net/ or call the guy you laid off who setup the clam av filter. :-) -Original Message- From: Eric [mailto:[EMAIL PROTECTED] Sent: Monday, February 28, 2005 12:36 AM To:

Amazon is killing me....

I have spamassassin running on a debian box: ii spamassassin 2.64-1 Perl-based spam filter using text analysis ii spamc 2.64-1 Client for perl-based spam filtering daemon it's being invoked via qmailscanner. I have the following in my /etc/spamassassin/local.cf file:

Re: Obfuscation (was: Millions and Billions)

> > I just question whether regex's are the right "complicated solution". > > > > How does Google or one of the dictionary sites guess the correct spelling > > for a misspelled word? > > Great, why don't you go see if google can guess the correct spelling for > > c l @ L i @ s He has a point. A c

Re: curious question about sa-spamd contacting cloudmark.com?

On Sun, Feb 27, 2005 at 10:32:01PM -0500, Andy Firman wrote: > Ahh. Okay, for others out there with tight firewalls: [...] > http://www.spamassassinbook.com/chapter11_preview.htm Alternately, BTW: http://wiki.apache.org/spamassassin/NetTestFirewallIssues :) -- Randomly Generated Tagline: I th

Re: SQL settings & Deprecated rulesets?

Check the SARE page for the various rulesets to see if any have been depreciated for 3.0. I don't believe any of the ones you have listed have been, but it is worht a check. That said: you have some ANCIENT rulesets there that have been updated several times and have new names. I don't believe t

Re: curious question about sa-spamd contacting cloudmark.com?

On Sun, Feb 27, 2005 at 10:11:14PM -0500, Theo Van Dinter wrote: > On Sun, Feb 27, 2005 at 10:03:43PM -0500, Andy Firman wrote: > > Feb 27 21:59:06 sockeye ipmon[187]: 21:59:05.589889 em0 @0:16 b > > sockeye[192.168.1.89],62785 -> > > charisma.cloudmark.com[66.151.150.12],2703PR tcp len 20 64 -S

Re: curious question about sa-spamd contacting cloudmark.com?

On Sun, Feb 27, 2005 at 10:03:43PM -0500, Andy Firman wrote: > Feb 27 21:59:06 sockeye ipmon[187]: 21:59:05.589889 em0 @0:16 b > sockeye[192.168.1.89],62785 -> > charisma.cloudmark.com[66.151.150.12],2703PR tcp len 20 64 -S 334621558 0 > 65535 OUT > > Just curious as to what the heck is going o

curious question about sa-spamd contacting cloudmark.com?

Running a fresh install of p5-Mail-SpamAssassin-3.0.2_1 on FreeBSD 5.3. Everytime I start sa-spamd I get hundreds of these in my firewall logs: Feb 27 21:59:06 sockeye ipmon[187]: 21:59:05.550795 em0 @0:16 b sockeye[192.168.1.89],62782 -> charisma.cloudmark.com[66.151.150.12],2703PR tcp len 20

Re: I wonder how Google would deal with this one :-)

On Sunday, February 27, 2005, 4:07:01 PM, Greg Allen wrote: > I got this spam on Sat 2/12/2005. You sometimes have to admire the work that > goes into this non-sense. At first I thought it was an image. But it is not. > Notice the words are made up of very small text arranged into bigger text > whi

Re: I wonder how Google would deal with this one :-)

Well, I dunno, but gmail catched your forwarding :-) Maybe the 4 point font... maybe the URL... but it catched it. Regards. On Sun, 27 Feb 2005 19:07:01 -0500, Greg Allen <[EMAIL PROTECTED]> wrote: > > I got this spam on Sat 2/12/2005. You sometimes have to admire the work that > goes into th

Re: I wonder how Google would deal with this one :-)

Looks more readable with plain text. It scored 16.1 here since it triggered just a whole LOT of odd triples rules. {^_-} - Original Message - From: "Greg Allen" <[EMAIL PROTECTED]> > I got this spam on Sat 2/12/2005. You sometimes have to admire the work that > goes into this non-sense. A

I wonder how Google would deal with this one :-)

I got this spam on Sat 2/12/2005. You sometimes have to admire the work that goes into this non-sense. At first I thought it was an image. But it is not. Notice the words are made up of very small text arranged into bigger text which creates words.        ---snip-