Re: yet another stupid spammer trick

John D. Hardin wrote: http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt I'm seeing a few of these today too. In fact, at home, I've had maybe 5 spam messages slip through my defenses today. That's a HUGE increase for me ... I usually average 1 message every week. Sort of makes

Re: SURBL questions

On Tuesday, December 19, 2006, 7:19:51 PM, Theo Dinter wrote: > On Tue, Dec 19, 2006 at 09:47:15PM -0500, Charles Sprickman wrote: >> "http://refinance-poiku07-com"; >> >> In the cgi lookup linked above, the subdomain does not hit, but the main >> domain does. Should SA be looking at the domain

Re: How to check message size?

Forgive me for spamming the list, but I just realized that if I just score -10 to long messages, SP will keep on applying other rules, and it will take long time again. Therefore, what I need is a rule which will score -10 points and tell SP to stop processing of all other rules. Thanks, Kosmaj

How to check message size?

I'm using JSpamAssassin, a pop3 proxy in Java (Win-2k/Outlook Express) and I have a problem that long messages (more than 1M bytes) are coming truncated. I think it's related to the 20sec time-out which is hard coded in Java. I have a fast Internet connection, at least 5Mbit/sec, but most likely it

Re: Specification of sa-learn --backup format

On Fri, Dec 15, 2006 at 11:53:34PM +, Nigel Frankcom wrote: > Cool - thanks Theo, is that in one of the FAQ's/Manuals somewhere? I don't think so (or else I would have just pointed you there ;)), but feel free to add it on the wiki. :) -- Randomly Selected Tagline: Backup aborted: Remove dis

Re: What did sa-update change?

On Tue, Dec 19, 2006 at 07:55:17PM -0800, Kenneth Porter wrote: > Which dir would that be? This one looks like it might be the right one: > Yup. :) > Is the previous update tagged? How do I know which revisions to compare? No, the p

Re: What did sa-update change?

--On Tuesday, December 19, 2006 7:48 PM -0500 Theo Van Dinter <[EMAIL PROTECTED]> wrote: Yeah. The easiest way for us is to check out the svn dir for the updates and look at the revision history. Otherwise grab the previous update, then diff -r. Which dir would that be? This one looks like

Re: SURBL questions

On Tue, Dec 19, 2006 at 09:47:15PM -0500, Charles Sprickman wrote: > "http://refinance-poiku07-com"; > > In the cgi lookup linked above, the subdomain does not hit, but the main > domain does. Should SA be looking at the domain for surbl checks or not? It should only be looking at the domain.

Re: yet another stupid spammer trick

Kelson, My apologies. As I looked at my own reply, my response to your e-mail made it look like I wrote the great background information that you did and I just wanted to publicly give you credit for the elaborate and well thought out response. I was merely agreeing with you and posting a

SURBL questions

Hi all, I'm not completely understanding how these checks work... I'm seeing some email with a URL in it that hits at the online surbl checker (http://www.rulesemporium.com/cgi-bin/uribl.cgi), but not in spamassassin with the default uribl rules. Plugin is enabled and it does work on a good

Re: yet another stupid spammer trick

On Tue, 19 Dec 2006, Ray Anderson wrote: > This looks like a failed header injection attack. > > Some background: Lots of web form handlers, including the most basic > Perl and PHP tools, will build the headers and body of a message as one > long string, then pass it to Sendmail. Ah, okay, the

Re: yet another stupid spammer trick

This looks like a failed header injection attack. Some background: Lots of web form handlers, including the most basic Perl and PHP tools, will build the headers and body of a message as one long string, then pass it to Sendmail. If a form allows user-supplied data for any header content -- m

Re: yet another stupid spammer trick

John D. Hardin wrote: http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt Clumsy (and stupid) people can manage to put the entire body of their message into the Subject: header (how they don't notice the mistake before hitting [SEND] I don't know), but *this* genius spammer managed to

Re: What did sa-update change?

On Wed, Dec 20, 2006 at 01:45:22AM +0100, Raymond Dijkxhoorn wrote: > >I just saw that sa-update pulled a new edition of rules. How can I find > >out what changed? > > diff them? :) Yeah. The easiest way for us is to check out the svn dir for the updates and look at the revision history. Other

Re: What did sa-update change?

Hi! I just saw that sa-update pulled a new edition of rules. How can I find out what changed? diff them? :) Bye, Raymond.

What did sa-update change?

I just saw that sa-update pulled a new edition of rules. How can I find out what changed?

RE: yet another stupid spammer trick

On Tue, 19 Dec 2006, Michael Scheidell wrote: > > http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt > > And you can't talk them into dropping postini for a SpamAssassin > based system? Before we got bought it *was* a SA setup, managed by *me*... With tarpits, and dshield reporting, and

RE: yet another stupid spammer trick

> -Original Message- > From: John D. Hardin [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 19, 2006 5:50 PM > To: SpamAssassin Users List > Subject: yet another stupid spammer trick > > > > http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt And you can't talk them into dr

Re: How to check spf works ?

Starting spamd. [92020] dbg: logger: adding facilities: all [92020] dbg: logger: logging level is DBG [92020] dbg: logger: successfully opened file /var/log/spamd.log [92020] dbg: logger: successfully added file method [92020] dbg: spamd: creating INET socket: [92020] dbg: spamd: Listen: 128 [92020

Re: How to check spf works ?

Starting spamd. [92020] dbg: logger: adding facilities: all [92020] dbg: logger: logging level is DBG [92020] dbg: logger: successfully opened file /var/log/spamd.log [92020] dbg: logger: successfully added file method [92020] dbg: spamd: creating INET socket: [92020] dbg: spamd: Listen: 128 [92020

Re: How to check spf works ?

On Wed, Dec 20, 2006 at 01:02:19AM +0200, Halid Faith wrote: > [87780] dbg: config: read file > /var/lib/spamassassin/3.001007/updates_spamassassin_org/25_spf.cf > > Although I run spamd with Debug, I never see a word of SPF in spam.log Ok, but what does the debug output say about spf, other th

Re: How to check spf works ?

I already see that SPF is installed in spamassassin -D --lint : [87780] dbg: diag: module installed: Mail::SPF::Query, version 1.999001 [87780] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [87780] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x919dfd0) [87780] dbg

Re: Rules - How to capture matched text

On Mon, 18 Dec 2006, Theo Van Dinter wrote: > I can save you the time and tell you not to bother. It's "subject > of the day". FWIW, we used to have a username in subject rule, > but it fp'ed so much that it wasn't useful and got removed. Hrm. That prompts a thought: how about some useful state

yet another stupid spammer trick

http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ---

Re: Plugin help-- need to store state

On Tue, Dec 19, 2006 at 03:40:19PM -0600, [EMAIL PROTECTED] wrote: > Problem solved. I was not acquiring the PerMsgStatus object correctly > from the options passed to "check_start". > I misled myself with the ReplaceTags plugin using the variable "$pms" and I > thought that was the PerMsgStatus o

Re: Plugin help-- need to store state

Problem solved. I was not acquiring the PerMsgStatus object correctly from the options passed to "check_start". I misled myself with the ReplaceTags plugin using the variable "$pms" and I thought that was the PerMsgStatus object. But in that code, $pms->{permsgstatus} is it. thanks

Plugin help-- need to store state

Hi. Were writing an in house plugin. Our SA version is 3.1.5. Basically we have a lot of rules based on data from a database. We want to hit the data base once and then have all the rules beable to check the data to score accordingly similar to how Bayes works. >From reading the M::SA::Plugin do

Re: What to do about False Positives on messages I am sending?

On Tue, 19 Dec 2006, Kelson wrote: > John D. Hardin wrote: > > Do they still subtract points from the score? That's the relevant > > factor. > > The headers? No. Unless you're running a really old SpamAssassin. No, the fact that the sender has registered with either Habeas or Bonded Sender.

Re: What to do about False Positives on messages I am sending?

John D. Hardin wrote: Do they still subtract points from the score? That's the relevant factor. The headers? No. Unless you're running a really old SpamAssassin. -- Kelson Vibber SpeedGate Communications

Re: What to do about False Positives on messages I am sending?

On Tue, Dec 19, 2006 at 10:46:22AM -0800, John D. Hardin wrote: > Do they still subtract points from the score? That's the relevant > factor. Yes, they do. Just sharing that it doesn't involve modifying the message anymore. :) -- Randomly Selected Tagline: "Hey, you know what'd cheer you up? Y

Re: What to do about False Positives on messages I am sending?

On Tue, 19 Dec 2006, Theo Van Dinter wrote: > On Tue, Dec 19, 2006 at 09:59:40AM -0800, John D. Hardin wrote: > > ...sign up with a service like Habeas or Bonded Sender and put their > > headers in your messages? > > FWIW, neither of those put headers in the message (Habeas stopped > doing that y

Re: Perl SA module and logs like spamd

Hello Oliver, Monday, December 18, 2006, 11:05:08 AM, you wrote: > Hi, > I'm using SA from mimedefang.org, > Is there is a way to tell SA Perl module to write to log files > in the same way/format as spamd does? > That will help using tools like sa-stats.pl > Thanks > Oliver In mimedefang-fil

Re: What to do about False Positives on messages I am sending?

On Tue, Dec 19, 2006 at 09:59:40AM -0800, John D. Hardin wrote: > ...sign up with a service like Habeas or Bonded Sender and put their > headers in your messages? FWIW, neither of those put headers in the message (Habeas stopped doing that years ago). They're both DNS reputation services. -- Ra

RE: local.cf being ignored

itdelany wrote: > Hi all :) > > My Setup is Postfix - Amavis - SpamAssassin running on ubuntu linux > 6.06, I have this entries on my /etc/mail/spamassasin/local.cf > > # Set the threshold at which a message is considered spam (default: > 5.0) # > required_score 7.0 > > But this is ignored, an

Re: What to do about False Positives on messages I am sending?

On Tue, 19 Dec 2006, Jon Ribbens wrote: > I work at a company with an automated on-line system. This system > sends emails to people. Spam Assassin appears to be triggering > very strongly, and incorrectly, on our messages. > Any advice would be gratefully received! ...sign up with a service lik

Re: local.cf being ignored

On 12/19/06, itdelany <[EMAIL PROTECTED]> wrote: Hi all :) My Setup is Postfix - Amavis - SpamAssassin running on ubuntu linux 6.06, I have this entries on my /etc/mail/spamassasin/local.cf # Set the threshold at which a message is considered spam (default: 5.0) # required_score 7.0 But thi

local.cf being ignored

Hi all :) My Setup is Postfix - Amavis - SpamAssassin running on ubuntu linux 6.06, I have this entries on my /etc/mail/spamassasin/local.cf # Set the threshold at which a message is considered spam (default: 5.0) # required_score 7.0 But this is ignored, and I think the whole file is being i

Re: ORDB.org is shutting down

I was using it but with postfix checking sender restrictions. I think it is not used in SA but by mail servers. Anyone got a replacement ? Giampaolo Tomassoni a écrit : > See: http://www.ordb.org/news/?id=38 > > Does SA uses it somewhere somehow by default? > > Regards, > > Giampaolo > --

Re: What to do about False Positives on messages I am sending?

On Tue, 2006-12-19 at 16:58 +, Jon Ribbens wrote: > > But that's all a bit philosophical and beside the point of my > question, which is: should I change our emails, and if so, in what > way - or do SpamAssassin's default settings as provided on > updates.spamassassin.org need changing? Perha

Re: How to check spf works ?

On Tue, Dec 19, 2006 at 06:53:15PM +0200, Halid Faith wrote: > Yet I can't see whether SPF works in spamd.log > How can I check SPF works ? The answer to most questions is: run with -D and you'll see what's going on. -- Randomly Selected Tagline: "The best thing that came out of Italy is the roa

Re: What to do about False Positives on messages I am sending?

Sietse van Zanen <[EMAIL PROTECTED]> wrote: > Do you have your trusted_networks, internal_networks and all_trusted set > up correctly? > > With these three options you should be able to exclude messages sent > from your IP address. Yes, the problem is not that *our* SpamAssassin installation is f

How to check spf works ?

I use qmail-1.03. I installed p5-Mail-SPF-Query-1.999.1 I added SPF plugin in init.pre as below on spamassassin3.1.7 loadplugin Mail::SpamAssassin::Plugin::SPF I restarted sa-spamd. Yet I can't see whether SPF works in spamd.log How can I check SPF works ? Thanks

RE: What to do about False Positives on messages I am sending?

If you look at politicians you will surely see that saying: "you shouldn't ..." wih a straight face is not that hard at all. :-) Do you have your trusted_networks, internal_networks and all_trusted set up correctly? With these three options you should be able to exclude messages sent from your IP

RE: sa-update is broken

I second that. :-) Sa-update works perfectly -Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 19, 2006 4:57 PM To: users@spamassassin.apache.org Subject: Re: sa-update is broken On Tue, Dec 19, 2006 at 07:43:28AM -0800, R Lists06 wrote:

Copy all mail to certain account

Is there anyway to send a blind copy of every email filtered through copfilter to another email address? Perhaps by modifying mailscanner.sh? I thought i saw something about this some time ago, but I can't for the life of me find it. I'm using spamassasin 3.1.4 that comes with the copfilter pl

What to do about False Positives on messages I am sending?

I work at a company with an automated on-line system. This system sends emails to people. Spam Assassin appears to be triggering very strongly, and incorrectly, on our messages. FWIW, no we are not spammers, in fact the emails I'm talking about aren't even a mailing list. They're emails generated

Re: Name in Subject CF RuleSet

On Tue, Dec 19, 2006 at 10:02:02AM -0600, Jess Mooers wrote: > I started to install components needed to use sa-update. I am getting this > error when I run sa-update -D: > > error: gpg required but not found! > > I tried to install GPG and GnuPG::Interface, but I am now getting errors on > in

RE: Name in Subject CF RuleSet

Bowie Bailey <[EMAIL PROTECTED]> wrote on Tuesday, December 19, 2006: > >Jess Mooers wrote: >> Theo Van Dinter <[EMAIL PROTECTED]> wrote on Monday, December 18, >> 2006: >> >> > On Mon, Dec 18, 2006 at 12:23:31PM -0600, Jess Mooers wrote: >> > > Does anyone know of a cf ruleset that will address

Re: sa-update is broken

On Tue, Dec 19, 2006 at 07:43:28AM -0800, R Lists06 wrote: > Is sa-update broken or is this just a prolonged and poorly thought up global > name for a thread? The second one. :) -- Randomly Selected Tagline: "Do we have the magnitude of P? A slight nod would do." - Roxanne Tisch pgpZtTMvtHxF9

Re: Intermittent spamc error

Jon Armitage <[EMAIL PROTECTED]> wrote: > > I solved the problem by simply making my filter not bother passing the > > message to spamc at all if it was over 200k. > > Yes, as I understand sa-exim, messages over 250K (the default in my case) > should not be passed to SA. That's why I'm wondering w

RE: Name in Subject CF RuleSet

>> -Original Message- >> From: Theo Van Dinter [mailto:[EMAIL PROTECTED] >> Sent: Monday, December 18, 2006 1:33 PM >> To: users@spamassassin.apache.org >> Subject: Re: Name in Subject CF RuleSet >> >> >> On Mon, Dec 18, 2006 at 12:23:31PM -0600, Jess Mooers wrote: >> > Does anyone know

RE: sa-update is broken

With all due respect to all involved. Is sa-update broken or is this just a prolonged and poorly thought up global name for a thread? - rh -- Robert - Abba Communications Computer & Internet Services (509) 624-7159 - www.abbacomm.net

RE: Name in Subject CF RuleSet

Jess Mooers wrote: > Theo Van Dinter <[EMAIL PROTECTED]> wrote on Monday, December 18, > 2006: > > > On Mon, Dec 18, 2006 at 12:23:31PM -0600, Jess Mooers wrote: > > > Does anyone know of a cf ruleset that will address this, or > > > another way to stop it. > > > > Chasing the subject of the d

RE: Intermittent spamc error

> -Original Message- > From: Jon Ribbens [mailto:[EMAIL PROTECTED] > > I solved the problem by simply making my filter not bother passing the > message to spamc at all if it was over 200k. > Yes, as I understand sa-exim, messages over 250K (the default in my case) should not be passed t

RE: Intermittent spamc error

> From: Sietse van Zanen [mailto:[EMAIL PROTECTED] > Sent: 19 December 2006 14:54 > Subject: RE: Intermittent spamc error > Don't think that that is a problem SA, because on my sendmail set-up it works perfectly. Maybe a bug in the local_scan() > function? Thanks, Sietse, I agree. I think it is

Re: Intermittent spamc error

Sietse van Zanen <[EMAIL PROTECTED]> wrote: > > I have found the related Exim message... > > > > 2006-12-19 11:47:02 1GwdM9-0006Pd-35 local_scan() function timed out - > > message temporarily rejected (size 320896) > > > ... so maybe I've posted this to the wrong list. Sorry. > >Unfortuna

RE: Help! rewrite_header subject not working for me

That is version 2.x config. -Sietse From: Fettke, Dirk Sent: Tue 19-Dec-06 16:03 To: Tony Guadagno Cc: users@spamassassin.apache.org Subject: AW: Help! rewrite_header subject not working for me Hi, I don't know if this works with your solution because I do subject-rewriting in the amavisd

AW: Help! rewrite_header subject not working for me

Hi, I don't know if this works with your solution because I do subject-rewriting in the amavisd.conf, but my local.cf looks like this (in short form): # rewrite the Subject: line with SPAM .* if set to 1 (default=1) rewrite_subject 1 required_score 5 subject_tag SPAM(_SCORE_)*

Re: Question about sa-learn return codes

Tom Q Citizen wrote: When I enable debugging in the spam_buttons plugin, I get this output: *COMMAND USED TO REPORT:* /usr/bin/sa-learn --spam --configpath=/etc/spamassassin [EMAIL PROTECTED] < ../data//sb_tmp_13069_1166402817 This is the command the plugin issues to when it tries to flag a

RE: Help! rewrite_header subject not working for me

Rewriting the subject is ultimately the responsibility of the MTA. So, question is: What MTA are you using and how does it link SA? -Sietse From: Tony Guadagno Sent: Tue 19-Dec-06 15:45 To: users@spamassassin.apache.org Subject: Help! rewrite_header subject not working for me Hi, I have b

Re: Help! rewrite_header subject not working for me

Tony Guadagno wrote: > Hi, > I have been reading and I don't see my problem exactly. This is my > local.cf I am using 3.1.7 I have report_safe =1 and the rewrite_header set. > from the docs "For the Subject header, this will be prepended to the original > subject." the problem i have is th

RE: Intermittent spamc error

Unfortunately I don't know exim, but it seems it cannot cope with SA not scanning / returning messages due to them bigger than the max msg size. Don't think that that is a problem SA, because on my sendmail set-up it works perfectly. Maybe a bug in the local_scan() function? Wouldn't hurt to po

Help! rewrite_header subject not working for me

Hi, I have been reading and I don't see my problem exactly. This is my local.cf I am using 3.1.7 I have report_safe =1 and the rewrite_header set. from the docs "For the Subject header, this will be prepended to the original subject." the problem i have is the string is not prepended to th

Bayes learn problem

Hi, I have a problem with Spamassassin and Bayes the command "sa-learn -p /etc/MailScanner/spam.assassin.pref --dump magic" give me: 0.000 0 3 0 non-token data: bayes db version 0.000 0 37411 0 non-token data: nspam 0.000 0 82399

Intermittent spamc error

I have found the related Exim message... 2006-12-19 11:47:02 1GwdM9-0006Pd-35 local_scan() function timed out - message temporarily rejected (size 320896) ... so maybe I've posted this to the wrong list. Sorry. Jon

Intermittent spamc error

I am running SpamAssassin 3.1.7 on a Sunfire V210 with Solaris 10. SA is called from Exim via the sa-exim localscan patch. Nothing has changed since I last upgraded Exim at the beginning of November. Over the past couple of days, I have been seeing the following messages in my logs from time to ti

How to check spf works ?

I use qmail-1.03. I installed p5-Mail-SPF-Query-1.999.1 I added SPF plugin in init.pre as below on spamassassin3.1.7 loadplugin Mail::SpamAssassin::Plugin::SPF I restarted sa-spamd. Yet I can't see whether SPF works in spamd.log How can I check SPF works ? Thanks

RE: sa-update is broken

Yeah sure, blame someone else for your own ignorance.. "Mummy I'm stupid, and it's all your fault..." Sad and funny at the same time. Oh and while you're at it, go shout at some people for trying to help you. I have four more letters for you. RTFM MF From: Yves Goergen Sent: Mon 18-De

AW: special spam-account for spam mails

Thank you for your help, but as I read mimedefang is only a program for sendmail. can I use it with postfix, too? I have no technical know-how about sendmail... :) Is there anywhere a "ready to use" howto? Von: aubreyL [mailto:[EMAIL PROTECTED] Gesendet: Montag,

Salesforce web bug

I noticed an email from salesforce has a 'user tracking' web bug in it but it isn't currently detected by SA or SARES ( I removed the real numbers after oid so it doesn't cause FP's here ;-) http://na3.salesforce.com/servlet/servlet.ImageServer?oid=0 00&esid="> Would this fin

AW: special spam-account for spam mails

Thank you for your help, but as I read mimedefang is only a program for sendmail. can I use it with postfix, too? I have no technical know-how about sendmail... :) Is there anywhere a "ready to use" howto? Von: aubreyL [mailto:[EMAIL PROTECTED] Gesendet: Montag,

Adding TO in custom header

Hi there I need to filter mails via header_checks in postfix. These checks schould contain the ricipient and the spam status at the same time. Clearly: I want to redirect mail to a different user if (and only if) the mail was detected as spam AND was sent to a specified recipient. As header_che

Re: {Spam?} Re: Botnet 0.7 soon

Phil Barnett wrote: On Monday 18 December 2006 20:16, John Rudd wrote: New things: I think that's everything... Just need another day or two of testing before I release it. One thing I noticed from the previous version was there was no mention of version numbers anywhere in the package

Re: Botnet 0.7 soon

On Monday 18 December 2006 20:16, John Rudd wrote: > New things: > I think that's everything... > > > Just need another day or two of testing before I release it. One thing I noticed from the previous version was there was no mention of version numbers anywhere in the package. Not in the name,

Re: Negative AWL on a spam & received from localhost?

Matt Kettler verizon.net> writes: > In this case, the past average for the sender was approximately 7.7 > (spam), this message came in at 11.5 (also spam), so the AWL split the > difference and took off 1.9 points to make it 9.6 (still spam). That's > 100% normal. > > See also: > > http://wiki.

Re: Rule that negative scores emails from blackberry.com, not spoofers

Hiya, Kelly Jones schrieb: > Reason I want to do this: by default, Blackberry sends text email > MIME-encoded and its timezone is +. This means it gets dinged by > the MIME_BASE64_TEXT rule AND the LW_STOCK_SPAM4 which is defined as: > > meta LW_STOCK_SPAM4 __RATWARE_0_TZ_DATE && MIME_BASE64_