Re: Russian spam

2009-01-14 Thread Francis Russell
Benny Pedersen wrote: Unfortunately, these two are because I receive mail via BT/Yahoo who never do a PTR lookup on the IP. > 3.3 TVD_RCVD_IP4 TVD_RCVD_IP4 > 1.6 TVD_RCVD_IP TVD_RCVD_IP Oddly, I can't get this one to fire on my SA install. > 2.0 FROM_EXCESS_BASE64 Fro

Re: Russian spam

2009-01-14 Thread Ned Slider
Michael Hutchinson wrote: Hello, Be careful with the character-set matching rules. I was using some of them and got a high rate of FP's - it was mainly because of the koi8-r charset, and scoring against that meant I was also scoring against perfectly legitimate technical resource newsletters

Re: Russian spam

2009-01-14 Thread Benny Pedersen
On Thu, January 15, 2009 01:35, Francis Russell wrote: > http://www.unchartedbackwaters.co.uk/files/russian_spam.txt Content analysis details: (12.6 points, 5.0 required) pts rule name description -- - 1.5

RE: Russian spam

2009-01-14 Thread Michael Hutchinson
Hello, Be careful with the character-set matching rules. I was using some of them and got a high rate of FP's - it was mainly because of the koi8-r charset, and scoring against that meant I was also scoring against perfectly legitimate technical resource newsletters that are in English. Cheers

Re: Russian spam

2009-01-14 Thread Ned Slider
Francis Russell wrote: Anyone know of any good rule-sets to block this sort of spam? http://www.unchartedbackwaters.co.uk/files/russian_spam.txt I find that Pyzor and Razor completely miss it as well as the DNS blacklists (although I believe this one has a relay in one of the Spamhaus ones now)

RE: Russian spam

2009-01-14 Thread Michael Hutchinson
Hello, You could write a Meta rule that contained two sub rules - one for matching "The Bat!" mailer, and the other matching the "chat.ru" link at the bottom. Fire a score if both rules hit. It may not be optimal, but it got rid of that Spam for me, and I haven't had a FP yet. If you check out

Russian spam

2009-01-14 Thread Francis Russell
Anyone know of any good rule-sets to block this sort of spam? http://www.unchartedbackwaters.co.uk/files/russian_spam.txt I find that Pyzor and Razor completely miss it as well as the DNS blacklists (although I believe this one has a relay in one of the Spamhaus ones now). I'm aware of the langua

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread SM
At 12:44 14-01-2009, Rob McEwen wrote: No. This is just due to the fact that, unfortunately, some mail servers and IPs (which send desired and solicited messages) are somewhat incorrectly configured. It turns out that a distributor receiving legitimate business e-mail from vendors & customers in

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread mouss
Rob McEwen wrote: > SM wrote: >> "Botnet Plugin" sounds like a plugin that detect botnets ... If >> Rasmus is finding that many false positives, then he's using the wrong >> tools. > > No. This is just due to the fact that, unfortunately, some mail servers > and IPs (which send desired and sol

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Rudd
On Wed, Jan 14, 2009 at 13:06, Dave Pooser wrote: >> None of my friends are on >> services that are that poorly configured > > No friends on Verizon? Their @#$% mail servers are 70% of my FPs. Heh. Guess not :-)

utf8

2009-01-14 Thread Bogun Dmitriy
Hello. Is there any way to make the configuration option "normalize_charset" work? As I understand it, it didn't work because of broken utf8 support. But without it, there is no way to use spamassassin normally for non-English messages. I do not like rules like this. #body LR_SEMINAR /[[:blank

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Dave Pooser
> None of my friends are on > services that are that poorly configured No friends on Verizon? Their @#$% mail servers are 70% of my FPs. -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com "...Life is not a journey to the grave with the intention of arriving safely in one pretty and well-preserve

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rob McEwen
SM wrote: > "Botnet Plugin" sounds like a plugin that detect botnets ... If > Rasmus is finding that many false positives, then he's using the wrong > tools. No. This is just due to the fact that, unfortunately, some mail servers and IPs (which send desired and solicited messages) are somewhat in

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread SM
At 06:59 14-01-2009, Rob McEwen wrote: Because Rasmus manages a mail server where B2B mail is routinely sent/received _globally_, Rasmus is the king of finding FPs. I could be wrong, but judging from previous reports about the Botnet Plugin, I predict that Rasmus will either (a) find the Botnet P

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Rudd
> -- Forwarded message -- > From: "Bret Miller" > To: "John Rudd" > Date: Tue, 21 Aug 2007 13:08:06 -0700 > Subject: RE: BOTNET Exceptions for Today >> Bret Miller wrote: > Maybe these aren't false positives because botnet is identifying them for > what they are-- badly configure

Re: Spamd skipping tests

2009-01-14 Thread jberliner
Kai Schaetzl wrote: > > Jberliner wrote on Tue, 13 Jan 2009 17:16:20 -0800 (PST): > >> spamassassin -D --lint > > did you check if the same happens when you run those messages thru > "spamassassin -D" and thru spamc? > > Yes, I had already sent the message(s) to spamassassin -D and got the

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Paul Griffith
On Wed, 14 Jan 2009 09:23:51 -0500, John Rudd wrote: How's it working for you, so far? On Wed, Jan 14, 2009 at 06:12, Paul Griffith wrote: On Tue, 13 Jan 2009 05:28:42 -0500, si wrote: Guys, I'm sure you're as sad as I am re- temporary suspension of the brilliant services offered by S

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Benny Pedersen
On Wed, January 14, 2009 17:33, John Hardin wrote: > Is there any other distributed content distribution system they > could use for free this way? bittorrent ? (micro$oft have problem delivering windows 7 betas from their network, opensource problems ?) :=) -- Benny Pedersen Need more webspa

Re: more habeas spam

2009-01-14 Thread Greg Troxel
Neil Schwartzman writes: > As to the complaint submission issues noted here are concerned, the best > point of contact moving forward for SA users would be > sa-ab...@senderscorecertified.com (please don't use my personal address as I > travel frequently, and our Standards team see stuff sent to

Re: Spamd skipping tests

2009-01-14 Thread Kai Schaetzl
Jberliner wrote on Tue, 13 Jan 2009 17:16:20 -0800 (PST): > spamassassin -D --lint did you check if the same happens when you run those messages thru "spamassassin -D" and thru spamc? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Matt Garretson
Is there any way that a more distributed method of delivering updates could be more resistant to DDOS attacks? E.g. trackerless bittorrents (DHT), or something along those lines? Just wondering in general

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Hardin
On Wed, 14 Jan 2009, Rob McEwen wrote: QUESTIONS: Is SaneSecurity still collecting data and generating the rulesets? (but just not able to distribute them) I was wondering that myself, and was also wondering whether there was a way to leverage the Coral cache system to avoid DDoS - for examp

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Sanesecurity
si-12 wrote: > > I appreciate that great progress is being made re- getting the service back > online again, but in the mean time was wondering ... has anyone found > anything as effective as a temporary replacement or enhancement? One rsync server is already up and running and is currently being

Re: more habeas spam

2009-01-14 Thread Neil Schwartzman
On 2009-01-06 22:19:39 GMT LuKreme kreme.com> wrote: > If you want the real history of Habeas in a nutshell, the company went > to hell when Anne Mitchell left (the same Anne Mitchell who was part > of MAPS back in the day). She's now at the Institute for Spam and > Internet Public Policy

RE: Spamd skipping tests

2009-01-14 Thread jberliner
RobertH-2 wrote: > > > basically it all depends on the qmail-scanner config and it can be semi > complex and may not be correct in terms of if you reject over certain > score > or if you have other scanning functions happening before calling SA, like > clamav etc etc > > also, the message coul

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rob McEwen
Rob McEwen wrote: > And I think it is > probably better used as a scoring list instead of a blocking list. > oops. I meant "probably better scored below threshold", since, of course, BotNet isn't a "list". -- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rob McEwen
John Rudd wrote: > Botnet isn't a DNSBL... > I never said it was a DNSBL. But it definitely has a particular focus on the sending IP, and that sending IP's rDNS. Therefore, for all practical purposes, it is trying to do the job of a DNSBL. As I recall, the discussion about BotNet's development

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Daniel J McDonald
On Wed, 2009-01-14 at 09:59 -0500, Rob McEwen wrote: > Rasmus Haslund wrote: > >> After a loud outcry from our users from the increasing level of spam in > >> their inboxes, I installed the Botnet >Plugin. > >> > > Is this something that can be used with the SA in Icewarp Merak? > > > > B

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Rudd
On Wed, Jan 14, 2009 at 06:59, Rob McEwen wrote: > Regarding using the Botnet Plugin as a replacement for SaneSecurity... I > found that the _best_ part about SaneSecurity was its assistance with > catching spam that could NOT ever be caught using _any_ kind of DNSBL. Botnet isn't a DNSBL...

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rob McEwen
Rasmus Haslund wrote: >> After a loud outcry from our users from the increasing level of spam in >> their inboxes, I installed the Botnet >Plugin. >> > Is this something that can be used with the SA in Icewarp Merak? > Because Rasmus manages a mail server where B2B mail is routinely sent/r

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread si
We're already using the BotNet plugin, and it really helps. One or two FPs from time-to-time, but nothing we can't live with. We turned score down in steps to 3.0, in stages, and that seems to be just about right. FYI - also use DCC, Razor, a relatively well trained bayes database and 'standar

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Rudd
How's it working for you, so far? On Wed, Jan 14, 2009 at 06:12, Paul Griffith wrote: > On Tue, 13 Jan 2009 05:28:42 -0500, si wrote: > >> Guys, >> >> I'm sure you're as sad as I am re- temporary suspension of the brilliant >> services offered by Steve Basford and his helpers at Sane Security. I

RE: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rasmus Haslund
>After a loud outcry from our users from the increasing level of spam in their inboxes, I installed the Botnet >Plugin. Is this something that can be used with the SA in Icewarp Merak? NOWACO A/S Rasmus Haslund

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Paul Griffith
On Tue, 13 Jan 2009 05:28:42 -0500, si wrote: Guys, I'm sure you're as sad as I am re- temporary suspension of the brilliant services offered by Steve Basford and his helpers at Sane Security. In a sick kind of way, the 'bad guys' are acknowledging the work these guys have done by DOSing