Greetings.
I'm thinking of implementing:
- greylisting
- honeypots
- rejecting broken HELO at smtp time (such as "MUMS_XP_BOX")
- rejecting dynamic IPS at smtp time (PBL)
- firewalling hosts with 100% spam, forever.
Are there any opposing opinions on those?
I recall some people don't like greyl
*facepalm*
I was testing an already scored message and reading the wrong report.
Thanks anyway, and sorry.
greetings,
with 3.2.5 i can't get custom scores working.
i usually added them in /etc/mail/spamassassin/x_90_scores.cf
but that won't work anymore so i added them at the bottom of
/etc/mail/spamassassin/local.cf but no luck either.
for example i have:
score HTML_MESSAGE 0.1
but sa still sco
Casartello, Thomas wrote:
The phish are coming from real hacked accounts (Basically people that have
gotten the phish email and fallen for it) at other Educational institutes
(We already use SPF).
I'd go for a non technical solution here, since its effects only a
small amount of organisation
What do you mean "it's impossible to train bayes"?
i was assuming the random text at the end is what causes my bayes db to
behave randomly.
Bayes really can be trained to deal with this message.
For example, I get BAYES_95:
well i get 00
After I learn this message the probability increase
Well, if it was in URIBL/SURBL, you couldn't use it to post samples to
this mail list, which is kinda the purpose, isn't it?
then don't provide urls. use numbers like dating agents.
"i posted my sample on the sa spambin. id 213912"
-> reader checks spambin.apache.org
which has nothing but
http://codepad.org/W53onqK9
i gave up on this kind of spam. it's impossible to train bayes and changing
too fast to make custom rules. matching senders doesn't work either
because those are sent using live.com, gmail, sourceforge, etc
Jack Raats wrote:
Today I received two messages with a kind of new(?) spam.
The messages, html ones, contained the word viagra made by colouring cells
in a table.
The message also contained a link to a blog (live.com). The rest of the
message contained a text to mislead the bayes filtering.
Single-user, vanilla install with two exceptions: the install will check our
two whitelists and give a pass (-100) to any of our clients so we don't
bounce their mail.
I hope you're not actually considering bouncing spam. That statement
sounds like it.
Either reject them at smtp time or sile
Where can i paste the raw header? pastebin triggers it as spam
there is more than one pastebin. just like there is more than one OS.
try:
http://rafb.net/paste/
http://codepad.org/
http://paste.nn-d.de/
http://www.copypaste.at/
http://paste.uni.cc/
etc etc
John Hardin wrote:
It would be somewhat more robust if SA offered multiline rawbody matching,
but try this:
thanks for your efforts. unfortunately spammers read this list and
they'll adapt too quickly to make any use of custom rules
It's also fairly specific to the HTML in the sample messag
http://codepad.org/W53onqK9
i gave up on this kind of spam. it's impossible to train bayes and changing
too fast to make custom rules. matching senders doesn't work either
because those are sent using live.com, gmail, sourceforge, etc
nt score, check if you have Mail::SPF::Query installed.
--
best regards
Arvid Ephraim Picciani
Asgaard Technologies
--
The software engineer tribe.
>By any chance, didn't your ISP start "providing search service" for any
>web name that does not exist?
btw, what's the workaround for this? opendns didn't work for me as they have
similar "features".
do you simply query the bl's dns service directly?
--
HI,
what was the solution again for windows live spam? It hit me finally.
(does this list have a search facility?)
--
best regards
Arvid Ephraim Picciani
Asgaard Technologies
--
The software engineer tribe.
negatives. But someone feel free to correct me.
--
best regards
Arvid Ephraim Picciani
Asgaard Technologies
--
Join the Asgaard ASX open alpha and comment early on its design.
http://www.asgaartech.com/asx/openalpha
able to do the job for us, since
i'm actually not the server admin, i just accidentally happen to know unix.
Yet i didn't find any trustworthy company or organisation. Colorful ads and
closed source infrastructures don't really convince me to trust my company's
entire email traffic to someone.
.
Whois Server: whois.onlinenic.com
Referral URL: http://www.OnlineNIC.com
did i miss the pun?
--
best regards
Arvid Ephraim Picciani
Asgaard Technologies
--
Join the Asgaard ASX open alpha and comment early on its design.
http://www.asgaartech.com/asx/openalpha
MRA (mail receive agent) such as postfix,
exim, qmail, etc. only your mra knows what to do with those mails after
spamassassin has flagged it as spam.
hence, this is unfortunately the wrong list for your question.
--
best regards
Arvid Ephraim Picciani
Lead Software Engineer
Asgaard Technologies
t regards
Arvid Ephraim Picciani
Lead Software Engineer
IB C SOLUTIONS LTD
eep log of how often which rule triggered? or are there any neat
scripts for it?
--
best regards
Arvid Ephraim Picciani
Lead Software Engineer
IB C SOLUTIONS LTD
or use a MUA that
supports lists by default.
--
best regards
Arvid Ephraim Picciani
IB C SOLUTIONS LTD
sites?
--
best regards
Arvid Ephraim Picciani
IB C SOLUTIONS LTD
ose.
The suggested solution was iirc, to provide the source for the harvesting
service, so everyone can submit a feed to a common repo.
Just summing up the previous discussion. Personally i wouldn't offer my
customers domains, but i could add my private one, since i don't care who
reads my mails anyway.
--
best regards
Arvid Ephraim Picciani
maybe i'm misinterpreting the headers, but this message actually looks like
it has been sent by this mailinglist.
--
best regards
Arvid Ephraim Picciani
--- Begin Message ---
Attn: webmail Subscriber:
This mail is to inform all our webmail Subscriber that would will be
upgrading our
lways the possibility that the ratware is simply broken.
shit happens :P
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
ll
just have to be patient.
The proper solution would be implementing a plugin that analyses the
referenced website. That would finally kill canadian pharmacy as well.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
debugging, since any tests just show
SA is working fine. except on that message.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
On Saturday 26 July 2008 13:28:23 Arvid Ephraim Picciani wrote:
err ignore the weird received headers. it was resent by multiple people
internally.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
-- --
_SUMMARY_
that's it.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
--- Begin Message ---
Obama vows to win the elections so that he can bring daughters into the Oval
Circle http://segelclub-honau.de/topnews.html
--- End Message ---
rted. just don't use it.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
On Sunday 06 July 2008 05:26:03 Banyan He wrote:
> SPAMD/1.0 76 Bad header line:
> Connection closed by foreign host.
spamd is not an MTA. I don't think it supports smtp. use spamc.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
ins to be very common, so i wonder when SA will be able to
differ between content and noise.
the obfuscation of the drug name is quite funny so it might at least be
useful for some office-fun ;)
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
--- Begin Message ---
Saluton,
http
that was my worry. With the default configuration, SA might be confused.
--
best regards
Arvid Ephraim Picciani
>Received: from n75.bullet.mail.sp1.yahoo.com ([10.10.10.21]) by
>EXCHANGE02.norddeutsche.de with Microsoft SMTPSVC(6.0.3790.3959);
>Mon, 30 Jun 2008 18:58:44 +0200
huh? what's that weird IP doing there?
--
best regards
Arvid Ephraim Picciani
contact to actual italian
companies or individuals. So as usually it depends on your environment.
--
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani
should trigger on those mails.
That doesn't completely eliminate spam checking of course, so if your mail gets
scored very high, it is still flagged as spam.
--
best regards
Arvid Ephraim Picciani
t neither can you "fix" SA, nor can you "fix" other people's SA.
--
best regards
Arvid Ephraim Picciani
gards
Arvid Ephraim Picciani
you were saying that an MSA shouldn't
add those either. Obviously if you are the last MX in the chain, adding a
message id is totally useless. i agree on that.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
ays "SHOULD". So actually your system is supposed to handle a
non existing message id gracefully and qmail gets away once again.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
5.201] (unknown [10.10.1.25]) by smtp-sfn.sitkom.cz
(are there any dnsbls for reserved IPs?)
--
best regards
Arvid Ephraim Picciani
e WILL start claiming that
this is real backscatter and block or score the IP or hostname.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
look like bounceback from your machines.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
> On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
> > http://rafb.net/p/q3eZwd93.html
> >
> > anyone can see any sense in it? it uses my hostname to fake a bounceback
> > that claims i sent a message to a
eundlichen Grüßen
Arvid Ephraim Picciani
a message manually, unless you want to test your MTA,
in which case you need to check the manual of your mta.
You can as well just send a message to yourself using telnet from your home
computer. a properly setup spamfilter will match XBL, no matter the content
of your message.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
m&Submit=Continue
I doubt that helps. The spammers are just recreating them.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
big enough.
If the problem is too small for spamhaus, try getting them on small but
no-one-should-use lists like rfcignorant. Just to slap them around a little.
And link back to the entries ;)
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
On Wednesday 16 April 2008 11:13:04 Daniel Zaugg wrote:
> Wow ! Aren't you guys proud to be postmasters !
no. the real one got fired.
hehe
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
't help white-listing my domain name and many of our normal
> emails might get marked as spam as a result.
--
best regards
Arvid Ephraim Picciani
On Monday 14 April 2008 22:28:58 Bob Proulx wrote:
> Martin Gregorie wrote:
> > Arvid Ephraim Picciani wrote:
> > > I'd like to discuss if returning a mail that went through a
> > > mailing list, back to the sender can be described as backscatter.
> > >
th him/her and would like to
hear your opinion.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
sure that you won't
ever receive mails from those countries (including forward services, free
hosters, etc)
For most situations there are way better methods of catching the spam.
like locales_ok.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
the word "fuck".
that doesn't mean it's smart.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
louts btw :(
(no i don't block those)
--
best regards
Arvid Ephraim Picciani
thanks Matt and Mathus. That helps.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
hink
anyone actually checks them but so what? Maybe someone does. What's the trouble
you speak of?
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
n just the
language.
--
best regards
Arvid Ephraim Picciani
/ submit a file
>
> lets kill that worm now :=)
>
will do. thanks.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
we've got a domain that got joe jobed.
and found a spam worm on some faildows machine.
where do i send those? I mean, maybe someone can make use of it.
--
best regards
Arvid Ephraim Picciani
> On 01.04.08 17:20, Arvid Ephraim Picciani wrote:
> > actually i mean SORBS and NJABL. they matched the sender.
>
> if we are still talking about mail from 66-211-213-17.velocity.net
> [66.211.213.17], they were not matched by any dynamic lists.
>
sender! not the rela
just a hint for those who use blogspot rules:
the uri scheme changed to a random number/character combination.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
server
[91.151.146.244 listed in dnsbl.sorbs.net]
again a perfectly valid login into gmail.
So if you want to damage an ISP you're going to run some open proxies on dynips
and voila the next user having that ip gets blocked. i don't get it.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
IP that can
> > > authenticate them.
>
> On 31.03.08 22:06, Arvid Ephraim Picciani wrote:
> > True. The problem is, that's exactly what happened but SA matched the
> > sender anyway because he's in the received headers.
>
> iirc they only matched RDNS_DYNAMIC whic
SA matched the sender
anyway because he's in the received headers.
Someone mentioned trust path but i don't think it's broken. SA matched the
archlinux server perfectly fine as the first dynhost sending to my trusted
network.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
Ephraim Picciani
mx.google.com with ESMTPS id c5sm3272661qbc.19.2008.03.29.09.47.06
(version=TLSv1/SSLv3 cipher=RC4-MD5);
Sat, 29 Mar 2008 09:47:08 -0700 (PDT)
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
I updated from debian to arch and figured my exact same sa configuration
doesn't test uribl anymore. yes spamhaus works fine, so no i don't have a -L
switch.
any clues? i did sa-update once but dunno if that had any effect at all.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
l users. I use exim but every proper MTA
around should be able to do that. just google or ask at their ML.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
contact, but you're not allowed to see it because they are commies"
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
all rules at the end of local.cf.
whatever you prefer.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
sarah.ibcsolutions.de/~aep/sa/70_telecomitalia.cf
thank you!
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
On Saturday 22 March 2008 21:31:13 Karsten Bräckelmann wrote:
> On Sat, 2008-03-22 at 19:31 +0100, Arvid Ephraim Picciani wrote:
> > > http://rafb.net/p/S95P6c12.html
>
> Yes, this is a spam alright. The Message-Id alone tells so. See my rule
> KB_RATWARE_MSGID in bug
lichen Grüßen
Arvid Ephraim Picciani
pastes such urls unless
he/she intends to bypass url checks.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
On Saturday 22 March 2008 19:10:03 Arvid Ephraim Picciani wrote:
> http://rafb.net/p/S95P6c12.html
i forgot two things:
that's a dynamic ip from telecomitalia. i'm getting lots of spam from there but
the ips are in no dynamic list. is there a more complete list of dynamic
hosts? i'
default ruleset)
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
/Mit freundlichen Grüßen
Arvid Ephraim Picciani
minute ago :D
it's updated
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
0.8 SARE_OEM_PRODS_1 SARE_OEM_PRODS_1
0.9 SARE_OEM_PRODS_FEW SARE_OEM_PRODS_FEW
0.4 SARE_PRODUCTS_02 SARE_PRODUCTS_02
adjust the scores to your needs
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
ionen\b.{0,100}\blegal\b)/i
>
> Loren
awesome. thanks a lot
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
hen Grüßen
Arvid Ephraim Picciani
IBL_GREY Contains an URL listed in the URIBL greylist
[URIs: geocities.com]
3.0 SOFT_AND_URIGREY contains both an url in the URIBL greylist and
software advertisement
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
On Thursday 20 March 2008 18:44:14 Arvid Ephraim Picciani wrote:
> not really. we don't say things like " or "*" too
> often :D
hahahaha i shouldn't have provoked it!
just got a bounceback from some MS filter which was almost filtered by my SA
which would propa
On Thursday 20 March 2008 18:25:15 SM wrote:
> At 08:44 20-03-2008, Arvid Ephraim Picciani wrote:
> >wow. i got -1.0 here. you're filtering html aggressively?
>
> That's from ASF.
what's ASF?
tests there were:
-0.0 SPF_PASS SPF: sender match
On Thursday 20 March 2008 16:31:54 SM wrote:
> At 03:12 20-03-2008, Arvid Ephraim Picciani wrote:
> >nice. spam on the spamassassin ml. anyone got a rule for those already? :D
>
> It's already included in SpamAssassin:
>
> HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY
't dead serious anyway (see the smiley)
--
best regards
Arvid Ephraim Picciani
n the below
> link to accept my Invitation and increase both your Industry connections
> and influence. http://www.orglex.com/joinhubs/0306184118f09fe4a7f1/
> Thanks
--
best regards
Arvid Ephraim Picciani
ugh :(
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
n't take any file
parameter.
means, no, sa doesn't need the original mail after you feed it to sa-learn
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
pache.org/SpamAssassin/show_bug.cgi?id=5777
>
> guenther
thanks for that info!
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
yeah exactly my issue. the site is in uribl already but sa doesn't work with
uribl and subdomains. see previous posts.
SARE_OEM helps a little.
--
best regards
Arvid Ephraim Picciani
ed that but no luck. besides it would probably be overwritten
the next sa-update anyway. why is it there?
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
urm, i just figured those geocity sites are all on the URIBL. but sa doesn't
seem to check those. any hint how to add it?
thank you
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
te rules. thanks a lot.
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
> The SARE "oem software" rules should catch this sort of stuff just dandy.
>
> Loren
0.9 SARE_OEM_PRODS_FEW SARE_OEM_PRODS_FEW
0.4 SARE_PRODUCTS_02 SARE_PRODUCTS_02
not enough :(
any additional rules i could add?
--
best regards/Mit freundlichen G
ties url, which should be good for an automatic 2-3
> points or more.
>
> Loren
It's changing too fast :/
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
err way way worse.
this babelfish translation of the same spam just got autolearned as ham
http://rafb.net/p/99iIHK53.html
--
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani
lichen Grüßen
Arvid Ephraim Picciani