John Rudd wrote:
> René Berber wrote:
>> Here's a good example of why Botnet's default score is too high, those
>> guys at
>> meridiencancun have a so called "Enterprise account" with their ISP,
>> what they
>> get is a fixed IP and no control over reverse DNS, that's why the reverse
>> returns wh
Hi
Suddenly my colleague mails are received as spam by 3.1.7 SA. I added to them
on white list entry. Why it comes like this suddenly? any solution?
--
Sg
René Berber wrote:
Bret Miller wrote:
I keep saying that I have false positives with botnet, but haven't
substantiated that to date. So, today I'm spending a little time making
exceptions since I would like this to work. Here are today's:
[snip]
meridiencancun.com.mx, sent from IP , resolves
Nix wrote:
On 21 Aug 2007, Kai Schaetzl said:
Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but
also hosts with e.g. the string `adsl' in its rDNS, even if that host happens
to have a static assignment.
Well, if it's stat
On Monday 20 August 2007, Rob McEwen wrote:
> In one of these cases, the message contains ONLY letters and numbers... all
> other spaces, line breaks, and punctuation has been removed. Even
> underscores are removed.
Have you considered the opposite?
Removing all letters, numbers and spaces, leavi
On Tue, 21 Aug 2007 at 17:43 -0700, [EMAIL PROTECTED] confabulated:
On Aug 21, 2007, at 11:48 AM, Duane Hill wrote:
Ok. I just examined the clamav.pm plugin and it does appear to pass the
message text directly to the ClamAV daemon through the use of the
File::Scan::ClamAV perl module. Therefo
Michael Chapman wrote:
> Hi there:
>
> This should be a fairly simple question for the experts out there ...
> everything I'm receiving is being blacklisted, and the reports
> indicate that all these messages are flagged as "USER_IN_BLACKLIST."
> Where? I don't have a user_prefs, and my global is
This would work fine if you expect emails only from those countries. Our
company does business in Central & South America as well (which also means
allowing lots of Spanish & Portuguese). We do not do business in Europe or
Asia and I see quite a bit of spam from *.ru and *.su. I do not have
On Tue, 21 Aug 2007 16:56:27 -0500
Andy Sutton <[EMAIL PROTECTED]> wrote:
> On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
> > b) Botnet gets 0% false positives at one of my services (not just
> > "borked DNS == bad", as you're suggesting, but actual "everything
> > that triggered botnet was
I used IP::Country::Fast to block everything except Canada and USA...
I've only had to add one company to an allow list because they are in Italy...
I don't think it's that bad of a solution,
depending on where your company's customers are located..
On 8/21/07, Skip Brott <[EMAIL PROTECTED]> w
-- Forwarded message --
From: Daniel Aquino <[EMAIL PROTECTED]>
Date: Aug 21, 2007 9:51 PM
Subject: Re: Bouncing emails from certain countries
To: "John D. Hardin" <[EMAIL PROTECTED]>
I used IP::Country::Fast to block everything except Canada and USA...
I've only had to add one c
> No need for these settings if you have the above "ok_languages en"
I think you are correct if you assume that emails coming from *.ru (for
example), are written in something other than English, which is rarely the
case. Much of the spam I see from *.ru and *.su is in English.
- Skip
On Aug 21, 2007, at 1:42 PM, Marc Perkel wrote:
I've been using Clam but I've heard of Amavisd - do I want it? What
all does it do?
amavisd-new provides a nice front-end for virus and spamassassin
scanning. It's like using spamd, but a lot more featurefull. In my
case it was the easiest
On Aug 21, 2007, at 11:48 AM, Duane Hill wrote:
Ok. I just examined the clamav.pm plugin and it does appear to pass
the message text directly to the ClamAV daemon through the use of
the File::Scan::ClamAV perl module. Therefore, it doesn't sound
like a temp file is created.
Read the code
Nix wrote on Tue, 21 Aug 2007 23:24:23 +0100:
> (Personally I'd prefer that *no* single rule could push a mail more than
> halfway towards spamminess...)
Absolutely agreed, with a few exceptions, like Bayes_99 :-)
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services:
Bret Miller wrote:
> I keep saying that I have false positives with botnet, but haven't
> substantiated that to date. So, today I'm spending a little time making
> exceptions since I would like this to work. Here are today's:
[snip]
> meridiencancun.com.mx, sent from IP , resolves to
> customer-14
Maybe you don't have a user_prefs, but then maybe you are not the user
calling SpamAssassin.
find / -name user_prefs | xargs grep -i blacklist_from
find / -name local.cf | xargs grep -i blacklist_from
Gary V
or (better)
find / -name user_prefs | xargs grep -i blacklist_
find / -name local.cf
I had to dive back into spam to get your message though.
Michael Chapman wrote:
Well, nothing has worked so far ... every message that I have coming in
(except for the specifically white-listed messages from this mailing
list) have USER_IN_BLACKLIST flagged. Where on earth is it getting this?
At 14:08 21-08-2007, John Rudd wrote:
Technically, there is a problem with it: it violates best practices
asserted by RFC 1912, section 2.1, which warns that not having
matching PTR and A records can cause a loss/denial of internet services.
You're right.
Regards,
-sm
Oh, and yes, I did restart SA. That's not a silly question, Andy! :)
I had to dive back into spam to get your message though.
Michael Chapman wrote:
Well, nothing has worked so far ... every message that I have coming in
(except for the specifically white-listed messages from this mailing lis
On 21 Aug 2007, Kai Schaetzl outgrape:
> Nix wrote on Tue, 21 Aug 2007 09:27:11 +0100:
>
>> If anybody is really so stupid as to unconditionally block mail from
>> hosts merely because of string matching in their rDNS, I'm not sure they
>> *deserve* to see any email...
>
> No, it's stupid to send
On 21 Aug 2007, Kai Schaetzl said:
> Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
>
>> It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but
>> also hosts with e.g. the string `adsl' in its rDNS, even if that host happens
>> to have a static assignment.
>
> Well, if it's sta
Oh, and yes, I did restart SA. That's not a silly question, Andy! :)
I had to dive back into spam to get your message though.
Michael Chapman wrote:
Well, nothing has worked so far ... every message that I have coming
in (except for the specifically white-listed messages from this
mailing li
On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
> b) Botnet gets 0% false positives at one of my services (not just
> "borked DNS == bad", as you're suggesting, but actual "everything that
> triggered botnet was actually spam"). And, yes, I actually check
I never suggested that. My thoughts
Michael Chapman wrote:
> Well, nothing has worked so far ... every message that I have coming in
> (except for the specifically white-listed messages from this mailing
> list) have USER_IN_BLACKLIST flagged. Where on earth is it getting
> this? Y
Well, nothing has worked so far ... every message that I have coming in
(except for the specifically white-listed messages from this mailing
list) have USER_IN_BLACKLIST flagged. Where on earth is it getting
this? You've seen my local.cf, I don't have a user_prefs anymore (blew
it away in hop
I don't know, but botnet hits a significant amount
of legitimate email here, regardless of how badly configured the sending
servers are.
I set botnet to score two, and I flag as spam at four. Every time I've
had a false positive botnet hit, other rules have been enough to keep
the score bel
Bret Miller wrote on Tue, 21 Aug 2007 13:08:06 -0700:
> When I see on the list that many people run botnet with ZERO false
> positives, I have to ask myself, "how? And why is our setup here so
> different?" Perhaps they already block email with invalid rdns at the MTA
> level, so none of this ever
Marc Perkel wrote:
>
>
> Jo Rhett wrote:
>> On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
>>> On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED]
>>> confabulated:
It seems to mostly help when it drops the message into a file for
clamav to scan.
>>>
>>> Is that using the ClamAV plug
SM wrote:
The
server.nch.com.au case is an interesting one. Technically, there isn't
anything wrong with that setup. But I digress as we are talking about
antispam here.
Technically, there is a problem with it: it violates best practices
asserted by RFC 1912, section 2.1, which warns that
I'd like to get some people to take an idea that I've been using
successfully for a long time that I would like to see implemented in SA.
I'm doing it mostly with Exim rules and generating these lists in some
unusual ways. But if this were done right it would make SA a lot faster
and more accura
Thanks ... I can certainly take care of the whitelist items. The
country codes are all remarked out, as I used the ok_languages as
you indicated.
How will changing the whitelist entries prevent my incoming mail as
being blacklisted?
Thanks again!
Michael
I would set the following
Michael Chapman wrote:
Hi there:
This should be a fairly simple question for the experts out there ...
everything I'm receiving is being blacklisted, and the reports
indicate that all these messages are flagged as "USER_IN_BLACKLIST."
Where? I don't have a user_prefs, and my global is reall
OK ... after diving back into my spam to get responses to this message,
I turned off AWL in v310.pre and removed all blacklist items from
local.cf and user_prefs. Still no joy. Everything is still getting
flagged as before! What is going on?
Thanks for all of your help so far, gang!
Michae
At 13:08 21-08-2007, Bret Miller wrote:
When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, "how? And why is our setup here so
different?" Perhaps they already block email with invalid rdns at the MTA
Your setup is different as your users communic
Andy Sutton wrote:
On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, "how?
Anyone who claims that isn't really looking at the email they are
blocking, or don't believe borked DNS qualify as
Jo Rhett wrote:
On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED]
confabulated:
It seems to mostly help when it drops the message into a file for
clamav to scan.
Is that using the ClamAV plugin or outside of SA completely? I am
currently
Bret Miller wrote on Tue, 21 Aug 2007 12:15:27 -0700:
> Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
> 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
> this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
> 86, and others. All sim
Michael Chapman wrote on Tue, 21 Aug 2007 12:10:08 -0700:
> Is there a way I can reset the blacklist?
There is no "auto blacklist". It's your blacklist entries. For a quick
diagnosis disable all of them and check if it persists.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive In
On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
> When I see on the list that many people run botnet with ZERO false
> positives, I have to ask myself, "how?
Anyone who claims that isn't really looking at the email they are
blocking, or don't believe borked DNS qualify as a FP.
> "we can't
> At 12:36 21-08-2007, John Rudd wrote:
> ># nslookup www2mail.wordreference.com
> >
> >Non-authoritative answer:
> >Name: www2mail.wordreference.com
> >Address: 75.126.29.11
> >
> >baddns.
>
> There's an authoritative answer for www2mail.wordreference.com.
>
> ># nslookup server.nch.com.au
> >
At 12:36 21-08-2007, John Rudd wrote:
# nslookup www2mail.wordreference.com
Non-authoritative answer:
Name: www2mail.wordreference.com
Address: 75.126.29.11
baddns.
There's an authoritative answer for www2mail.wordreference.com.
# nslookup server.nch.com.au
Non-authoritative answer:
Name
> Bret Miller wrote:
>
> > Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
> > 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com
> #not sure why
> > this got a BOTNET=1 flag, but it did. Also find hosts 92,
> 75, 70, 74, 93,
> > 86, and others. All similarly resolve to
Bret Miller wrote:
Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
86, and others. All similarly resolve to smtpnn.enews.webbuyersg
I keep saying that I have false positives with botnet, but haven't
substantiated that to date. So, today I'm spending a little time making
exceptions since I would like this to work. Here are today's:
Americanpayroll.org, sent from IP 67.106.104.135, resolves to
67.106.106.135.ptr.us.xo.net #OK, th
Hi there:
This should be a fairly simple question for the experts out there ...
everything I'm receiving is being blacklisted, and the reports indicate
that all these messages are flagged as "USER_IN_BLACKLIST." Where? I
don't have a user_prefs, and my global is really simple:
# These valu
On Tue, 21 Aug 2007 at 11:31 -0700, [EMAIL PROTECTED] confabulated:
On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
It seems to mostly help when it drops the message into a file for clamav
to scan.
Is that using the ClamAV p
On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED]
confabulated:
It seems to mostly help when it drops the message into a file for
clamav to scan.
Is that using the ClamAV plugin or outside of SA completely? I am
currently using the ClamAV
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
On Aug 21, 2007, at 8:28 AM, Duane Hill wrote:
I have seen the suggestion recently in this thread to run SA from a ram
drive. I am going to experiment with that over the course of this next
weekend. I'm not quite sure how much
Really the only way to solve this properly is to stop providing relay
service. Relay service is a non-op in the current spam war. If you
do what you are trying to do here, then legitimate bounce messages
will also be dropped and thus you'll be decreasing the quality of
their service. (an
On Aug 21, 2007, at 8:28 AM, Duane Hill wrote:
I have seen the suggestion recently in this thread to run SA from a
ram drive. I am going to experiment with that over the course of
this next weekend. I'm not quite sure how much increase in speed I
will get. All of our userprefs, AWL and bayes
> Hello,
>
> It must have been asked before, but I couldn't find any
> suitable, will be glad if you point me somewhere...
> In our company we have the (mailer-exchange ->
> spam-scanner -> customers with their own mail servers)
> topology.
> We relay mail to them but some of them don't have the
> s
Hello,
It must have been asked before, but I couldn't find any suitable, will be glad if
you point me somewhere...
In our company we have the (mailer-exchange -> spam-scanner -> customers
with their own mail servers) topology.
We relay mail to them but some of them don't have the spam service with us
a
On Tue, 21 Aug 2007, Skip Brott wrote:
> Out of curiosity (as this is a feature that I would like to have
> as well for a couple of specific countries), is there a reason
> that a couple of SA plugins can't be used:
>
> http://wiki.apache.org/spamassassin/URICountryPlugin
> Or
> http://wiki.apache
On Tue, 21 Aug 2007, Chris wrote:
> Hi John, How do I find that file please ? I look at my
> SA in Cpanel and can't see where to input the text
> below?
>
> describe BL_COUNTRY_CN_1 Mail client in China
> header BL_COUNTRY_CN_1 eval:check_rbl('china',
> 'cn.countries.nerd.dk')
> scoreBL_C
On Tue, 21 Aug 2007 at 09:33 -0500, [EMAIL PROTECTED] confabulated:
You're doing a LOT better than I am with it. Makes me wonder if I have
something set up wrong. My main SA server has a fast dual core Athlon
and 8 gigs of ram and it can get bogged down rather quickly. I wonder if
I'm doing some
I have seen this once or twice, but still very rarely - spamd will fail
to restart after receiving a SIGHUP. It stops, but does not restart.
There's nothing in the log to indicate why. Has anyone seen the same?
/Per Jessen, Zürich
On 8/20/07, Robert Fitzpatrick <[EMAIL PROTECTED]> wrote:
> The plugins page at SARE says this is 0.8, but is it? The pm file looks
> fine.
>
> http://www.rulesemporium.com/plugins/pdfinfo.cf
>
You probably want to be looking at:
http://www.rulesemporium.com/plugins/PDFInfo.pm
not the .cf file. I
> You're doing a LOT better than I am with it. Makes me wonder if I have
> something set up wrong. My main SA server has a fast dual core Athlon
> and 8 gigs of ram and it can get bogged down rather quickly. I wonder if
> I'm doing something wrong
Are you running 64bit OS? If so how stable a
On Mon, 2007-08-20 at 10:13 -0700, John D. Hardin wrote:
> That's kind of an extreme solution, and generally considered bad
> practice.
Yup - Be prepared for false positive hits if you use this method. I
rented a server that just happened to be on a netblock in Germany. US
websites/email thoug
[EMAIL PROTECTED] wrote:
> How does sa-update know if to update or not without going over the
> network?
>
> channel: attempting channel updates.spamassassin.org
> channel: update directory
> /home/jidanni/var/spamassassin/3.002003/updates_spamassassin_org
> channel: channel cf file
> /home/jidann
Out of curiosity (as this is a feature that I would like to have as well for
a couple of specific countries), is there a reason that a couple of SA
plugins can't be used:
http://wiki.apache.org/spamassassin/URICountryPlugin
Or
http://wiki.apache.org/spamassassin/RelayCountryPlugin
I am not certain
Steve Freegard wrote:
>
> How about:
>
> Spam Actions = deliver header "X-TM-AS-Product-Ver:
> SMEX-7.0.0.1557-5.0.1021-15334.002"
>
> That should do what you need.
Interesting. I didn't know MailScanner could do that.. and I use it.
Thanks for correcting me Steve, I'll try to file that factoid i
>-Original Message-
>From: John D. Hardin [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, August 21, 2007 3:24 PM
>To: Chris
>Cc: users@spamassassin.apache.org
>Subject: RE: Bouncing emails from certain countries
>
>On Tue, 21 Aug 2007, Chris wrote:
>
>> Hi John, Many thanks for the input on
On 19.08.07 12:18, Leon Kolchinsky wrote:
> After an upgrade to SA3.2.2 I've noticed that I've started to get FP's from
> e-mail accounts originating at walla.com
>
> I can see that it may be wise to adjust some scores to make these FP get thru
> my system:
>
> score DNS_FROM_OPENWHOIS 0
> scor
On Tue, 21 Aug 2007, Chris wrote:
> Hi John, Many thanks for the input on this - it's
> appreciated.
>
> John, whereabouts *precisely* do I input the text below
> please and is that all that needs to be done ?
>
> >describe BL_COUNTRY_CN_1 Mail client in China
> >header BL_COUNTRY_CN_1 eval:ch
On 18.08.07 10:38, Marc Perkel wrote:
> I have what I call a yellow list which is a list of IP addresses of
> hosts like yahoo, google, hotmail, aol, etc that send a mix of spam and
> nonspam. The idea being that if you are yellow listed then don't check
> any other list because if it was listed
Nix wrote on Tue, 21 Aug 2007 09:27:11 +0100:
> If anybody is really so stupid as to unconditionally block mail from
> hosts merely because of string matching in their rDNS, I'm not sure they
> *deserve* to see any email...
No, it's stupid to send mail from "adsl" named ranges if you want to get
Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
> It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but
> also hosts with e.g. the string `adsl' in its rDNS, even if that host happens
> to have a static assignment.
Well, if it's static they can give you rDNS and you can use a
Also, Robert, take a look at this page:
http://www.stearns.org/doc/spamassassin-setup.current.html
local.cf has TONS of options, many of which are lightly documented. Pay
close attention to
bayes_path
auto_whitelist_path
Scalix is also a bit of an oddity when it comes to using spamass-milter
(
> -Original Message-
> From: Robert Fitzpatrick [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 18 August 2007 1:24
> To: users@spamassassin.apache.org
> Subject: Re: Suggested botnet rule scores
>
> On Fri, 2007-08-17 at 16:31 +0200, Kai Schaetzl wrote:
> > Robert Fitzpatrick wrote on Fri, 1
Just need to proxy POP3 through SpamAssassin. There are a number of ways to
do that and some commercial products/services out there.
On 8/20/07, Patman <[EMAIL PROTECTED]> wrote:
>
>
> Hello,
>
> New to the forum.
>
>
> Question, what I would like to do, is filter incoming traffic on port 110,
> w
Matt Kettler wrote:
yossim wrote:
Hi forum, I am running MailScanner integrated with SA sendmail based.
I would like to add a new header to SA report, so the next stage of
spam filtering which is the trend micro will always forward the email
the outlook junk mail. The header is as follows: X-TM-
John Thompson wrote on Mon, 20 Aug 2007 21:36:51 -0500:
> Indeed. But some people have a religious objection to all things google,
> so I hesitate to recommend it as a universal solution.
Misunderstanding. I meant to say that you do not need a Google Mail account
for this. That is why it is an
On 18 Aug 2007, Kai Schaetzl said:
> Nix wrote on Sat, 18 Aug 2007 15:14:53 +0100:
>
>> > Worms and spam have made it impossible for users to use their own
>> > personal mail servers.
>>
>> Really? Fascinating, I'm doing the impossible. I had no idea.
>
> You should not read that literally. You c
On 18 Aug 2007, Kai Schaetzl stated:
> Nix wrote on Sat, 18 Aug 2007 17:35:20 +0100:
>
>> Competent ISPs give you rDNS. (Really good ones delegate your rDNS to
>> you.)
>
> So, your ISP is not competent? How would they give specific rDNS to
> dynamic IP addresses, anyway?
It's not dynamic, but B
On 18 Aug 2007, Magnus Holmgren said:
> On Saturday 18 August 2007 16:14, Nix wrote:
>> On 17 Aug 2007, Robert Fitzpatrick verbalised:
>> > ISP's are blocking port 25 from anything but their own stuff, especially
>> > dial-up.
>>
>> Mine blocks until you prove you're competent (or post a bond: I d
>-Original Message-
>From: John D. Hardin [mailto:[EMAIL PROTECTED]
>Sent: Monday, August 20, 2007 7:14 PM
>To: Chris
>Cc: users@spamassassin.apache.org
>Subject: Re: Bouncing emails from certain countries
>
>On Mon, 20 Aug 2007, Chris wrote:
>
>> Does anyone know of a way, that wheneve
Ah, of course, the DNS response was already cached by pdnsd, and I
can't figure out from the man page how to use tcpflow's udp options
anyway.
But more importantly, for my second question,
http://www.ezmlm.org/ezman/ezman1.html says after long research,
"To temporarily leave an ezmlm list, just u
79 matches