Re: Hrm, this spam is annoying

On 21-May-2009, at 13:29, Benny Pedersen wrote: On Thu, May 21, 2009 19:40, LuKreme wrote: Gotten multiples of this spam on multiple accounts, include one that ONLY gets spam. dont whitelist *...@gmail, if you need to whitelist, do it with full email addy I don't whitelist gmail. -- Bish

Re: Become spamed currently... :-/

Good morning Benny, Am 2009-05-22 02:11:55, schrieb Benny Pedersen: > > On Fri, May 22, 2009 00:44, Michelle Konzack wrote: > > Am 2009-05-21 18:28:32, schrieb Karsten Bräckelmann: > >> Doh! Failed to munge the quoted Received header, featuring the > >> blacklisted URI. :) > >> X-ASF-Spam-Stat

Re: spamassassin runs razor spamc not

I have a Debian 5.0 server with postfix, amavis-new, spamassassin and razor. Amavis implements it's own SA daemon, it does not use spamd. So there's a third variable in the equation. So do I need spamassassin at all? For some reason razor check only runs if I run the following command spamass

Re: rule for testing

On Fri, May 22, 2009 at 06:14:53AM +0200, Benny Pedersen wrote: > > header HELO_WIERD_FORMAT ALL =~ /\?\d+\.\d+\.\d+\.\d+\?/ > describe HELO_WIERD_FORMAT Helo with ? around nummeric ip > score HELO_WIERD_FORMAT 1.5 It's something that mx.google.com likes to do. Better luck next time. :) OVERALL%

Re: rule for testing

> header HELO_WIERD_FORMAT ALL =~ /\?\d+\.\d+\.\d+\.\d+\?/ > describe HELO_WIERD_FORMAT Helo with ? around nummeric ip > score HELO_WIERD_FORMAT 1.5 your spelling of weird is weird. :) -- Spiro Harvey Knossos Networks Ltd 021-295-1923www.knossos.net.nz sig

rule for testing

header HELO_WIERD_FORMAT ALL =~ /\?\d+\.\d+\.\d+\.\d+\?/ describe HELO_WIERD_FORMAT Helo with ? around nummeric ip score HELO_WIERD_FORMAT 1.5 -- http://localhost/ 100% uptime and 100% mirrored :)

Re: Hrm, this spam is annoying

On Thu, May 21, 2009 19:40, LuKreme wrote: > 0.0 URICOUNTRY_SE Contains a URI hosted in SE 0.0 URICOUNTRY_US Contains a URI hosted in US 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server

Re: Hrm, this spam is annoying

On Thu, May 21, 2009 at 08:26:07PM +0200, Mark Martinec wrote: > > > Gotten multiples of this spam on multiple accounts, include one that > > ONLY gets spam. > > If the RCVD_IN_SORBS_WEB, TVD_SPACE_RATIO, HTML_IMAGE_ONLY, > SARE_HTML_IMG_ONLY etc does not suffice, you may have to > add dedicated

Re: spamassassin runs razor spamc not

On Thu, 2009-05-21 at 23:00 +0200, Mester wrote: > Hi, > > I have a Debian 5.0 server with postfix, amavis-new, spamassassin and razor. Amavis implements it's own SA daemon, it does not use spamd. So there's a third variable in the equation. > For some reason razor check only runs if I run the f

Re: Become spamed currently... :-/

On Fri, May 22, 2009 00:44, Michelle Konzack wrote: > Am 2009-05-21 18:28:32, schrieb Karsten Bräckelmann: >> Doh! Failed to munge the quoted Received header, featuring the >> blacklisted URI. :) >> X-ASF-Spam-Status: No, hits=7.6 required=10.0 >> tests=SPF_NEUTRAL,URIBL_BLACK,URIBL_JP_SU

Re: Become spamed currently... :-/

Hallo Karsten, Am 2009-05-21 18:28:32, schrieb Karsten Bräckelmann: > Doh! Failed to munge the quoted Received header, featuring the > blacklisted URI. :) > > X-ASF-Spam-Status: No, hits=7.6 required=10.0 > tests=SPF_NEUTRAL,URIBL_BLACK,URIBL_JP_SURBL Things happen... Thanks, Greetings

Re: Become spamed currently... :-/

Hi Mark, Am 2009-05-21 19:10:05, schrieb Mark Martinec: > Never use a backup MX which does not have a list of your valid recipients. > If you do, you are contributing to backscatter when your own MX later > rejects the message. It does not reject. SPAM is normaly saved to mailfolder /dev/null bu

spamassassin runs razor spamc not

Hi, I have a Debian 5.0 server with postfix, amavis-new, spamassassin and razor. For some reason razor check only runs if I run the following command spamassassin < /tmp/test.txt But if I receive an e-mail from outside the server, or start the following command spamc < /tmp/test.txt razor che

Re: Possible FPs on FORGED_MUA_OUTLOOK

Karsten Bräckelmann wrote: On Thu, 2009-05-21 at 20:54 +0100, Ned Slider wrote: Hi, I'm seeing regular FPs against FORGED_MUA_OUTLOOK from one particular (legitimate) sender, and not really understanding the rule it's difficult to understand why or how to go about fixing it. Hmm,

Re: Possible FPs on FORGED_MUA_OUTLOOK

On Thu, 2009-05-21 at 20:54 +0100, Ned Slider wrote: > Hi, > > I'm seeing regular FPs against FORGED_MUA_OUTLOOK from one particular > (legitimate) sender, and not really understanding the rule it's > difficult to understand why or how to go about fixing it. Hmm, sounds familiar. > Unfortunate

Possible FPs on FORGED_MUA_OUTLOOK

Hi, I'm seeing regular FPs against FORGED_MUA_OUTLOOK from one particular (legitimate) sender, and not really understanding the rule it's difficult to understand why or how to go about fixing it. Unfortunately I'm not in a position to openly post copies to the net, so wondered if I could be

Re: one domain gets 99% of spam

Marc Perkel wrote: > What I've noticed is that domains with catchall accounts are > usually the ones that get abbused this way. MTAs the reject bad > email addresses at SMTP time are not what spammers like when it > comes to choices of domains to spam or spoof. To clarify, from the senders' perspe

Re: Hrm, this spam is annoying

On Thu, May 21, 2009 19:40, LuKreme wrote: > Gotten multiples of this spam on multiple accounts, include one that > ONLY gets spam. dont whitelist *...@gmail, if you need to whitelist, do it with full email addy -- http://localhost/ 100% uptime and 100% mirrored :)

Re: Whitelist_from_*

LuKreme wrote: > > OK, I know about whitelist_from_spf and whitelist_from_rcvd and, of > course whitelist_from and I seem to recall a whitelist_from_dkim ... > > Is that all of them? Where are they documented and what exactly does > _rcvd check? (I did google, found lots of posts, not docs, which

Re: Hrm, this spam is annoying

LuKreme, > * -1.3 DKIM_VERIFIED Domain Keys Identified Mail: signature passes > * verification > * -1.0 DKIM_SIGNED Domain Keys Identified Mail: message has a signature > * -0.7 ENV_AND_HDR_DKIM_MATCH Env and Hdr From used in default DKIM WL > > total of -6.3 if ham scores, sigh. These rules

Re: Hrm, this spam is annoying

Quoting LuKreme : Scores 1.0 for me X-Spam-Report: * 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server * [93.86.56.82 listed in dnsbl.sorbs.net] * -0.0 SPF_PASS SPF: sender matches SPF record * -3.3

Re: Spamcop Delays?

Clayton Keller wrote: I wanted to see if others began experiencing some delay in lookups to bl.spamcop.net -- roughly 4+ second lookups. Not here, moving along just fine. Large volume server with dnscache. Regards, Rick

Hrm, this spam is annoying

Scores 1.0 for me X-Spam-Report: * 0.6 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server * [93.86.56.82 listed in dnsbl.sorbs.net] * -0.0 SPF_PASS SPF: sender matches SPF record * -3.3 USER_IN_DEF_DKIM_WL From:

Re: Become spamed currently... :-/

Michelle, > On my own courier server, there is no problem with it now, because I am > blocking any but there is a problem with my > secondary MX. > > And of course, the user (does not exist on my system) is very > popular because he her over 8 spams per day (REJECT). Never use a ba

Re: Become spamed currently... :-/

On Thu, 2009-05-21 at 18:18 +0200, Karsten Bräckelmann wrote: > > Received: from mx1. MUNGED .com ([:::66.xx.xxx.188]) by > Sending links to blacklisted URIs to the list isn't the smartest > decision. Yes, the ASF list-servers do run SA. Doh! Failed to munge the quoted Received header, fea

Re: Become spamed currently... :-/

On Thu, 2009-05-21 at 17:32 +0200, Michelle Konzack wrote: > However, the domain should be listet worldwide in > any RBLs or whatever It *is* listed in URIBL_BLACK. See your own results. Also listed in SURBL JP as of the time of this writing. > X-Spam-Status: No, score=-0.5 required=4.5 tests

Spamcop Delays?

I wanted to see if others began experiencing some delay in lookups to bl.spamcop.net -- roughly 4+ second lookups.

Become spamed currently... :-/

Hello *, does someone know this Enterprise? They have a million MX servers and currently my network (I have only a 2.5 MBit Upstream) is under attach of this pigs, speak, gotten currently 5800 messages in the last 5 hours over my first and second MX: On my own courier server, there is no pr

Re: Got dead domains that get a lot of spam?

On 21-May-2009, at 07:19, Karsten Bräckelmann wrote: Is it really that confusing? ;) Nah, I figured it was a nickname of some sort. Heck, for all I knew Guenther is a 'standard' nick for Karsten! -- Can I tell you the truth? I mean this isn't like TV news, is it?

Re: Got dead domains that get a lot of spam?

On Thu, 2009-05-21 at 14:09 +0200, Michelle Konzack wrote: > you E-Mails are confusing because in the "From:" you have Focus on the content! > Karsten Bräckelmann That's my real name. :) > but in teh signature you write Actually, my sig decodes to my full email address. ;) > guenther

Re: Got dead domains that get a lot of spam?

Hai! you E-Mails are confusing because in the "From:" you have Karsten Bräckelmann but in teh signature you write guenther Thanks, Greetings and nice Day/Evening Michelle Konzack Systemadministrator Tamay Dogan Network Debian GNU/Linux Consultant -- Linux-User #280

Re: BOUNCE_MESSAGE problem

Am 2009-05-19 22:40:54, schrieb Jari Fredriksson: > > On Tue, May 19, 2009 20:59, Jari Fredriksson wrote: > > > >> What might be wrong here? > > > > fetchmail > > > > bounces do not make sense in rfc1918 > > err.. So why does VBounce mark is as BOUNCE? It is not a bounce. > > Does it mark all

Re: Rule to detect same address in sender and receiver

On Thu, May 21, 2009 07:10, LuKreme wrote: > On 8-May-2009, at 19:20, Benny Pedersen wrote: >> meta __SPF_NOT_PASS (!SPF_PASS) >> meta __NOT_LOCAL_TRUSTED (!NO_RELAYS || !ALL_TRUSTED) >> meta BLACKLIST_SPF (__SPF_NOT_PASS && __NOT_LOCAL_TRUSTED) >> describe BLACKLIST_SPF Meta: Blacklisted spf send

Re: Whitelist_from_*

On Thu, May 21, 2009 07:07, LuKreme wrote: > Also, does anyone have a suggestion on how to find a bunch of spf pass > and dkim pass emails to 'seed' a whitelist? whitelist_from is just for testing forged senders :) perldoc Mail::SpamAssassin::Conf perldoc Mail::SpamAssassin::Plugin::SPF perldoc

Re: Whitelist_from_*

On 20.05.09 23:07, LuKreme wrote: > OK, I know about whitelist_from_spf and whitelist_from_rcvd and, of > course whitelist_from and I seem to recall a whitelist_from_dkim ... > > Is that all of them? Where are they documented and what exactly does > _rcvd check? (I did google, found lots of pos