> -Original Message-
> >How do I tell SpamAssassin to ignore the last received Header? Or are
> >there other solutions to this problem? It also happens quite often with
> >emails from cell phones (which always get the strangest dynamic IPs...).
A matter of perspective: You don't need to tel
From: Jenny Lee
> Also how ironic is it to write: users -at- spamassassin.apache.org on the
> website!!! What a confidence in a
> spam-fighting tool! Write it as users@sa, show you mean business.
Ever hear of defense in depth?
as the link text.
It's a horrible practice, IMO, since it essentially trains people to ignore
what should be a major phishing indicator, but it's also very common.
--Kelson Vibber
using. We were using MIMEDefang, and I
remember we had to do two things: set MD up to read the Sendmail macros, then
add the code to our MD filter to check for the macro before sending mail to SA.
Sorry I couldn't be of more detailed help, but this should at least point you
in the right direction.
--Kelson Vibber
Clam and decide what got
discarded, what got blocked, and what got sent along to SA. I seem to remember
it being worth it, but I just can't remember the numbers.
Kelson Vibber
TollFreeForwarding.com, Development
s SA, and
using some of the SaneSecurity signature sets to catch additional malware.
Thanks!
Kelson Vibber
TollFreeForwarding.com, Development
let backported from 3.0, and we'll be using a sitewide database (at least to
begin with).
Thanks in advance,
Kelson Vibber
TollFreeForwarding.com, Development
On Jul 5, 2010, at 6:46 AM, Marc Perkel wrote:
>
> BTW - does anyone have some big list of domain that when combined with SPF
> make a good white list?
Well, that would depend on who you and your users want mail from, wouldn't it?
On Jul 4, 2010, at 11:57 PM, Marc Perkel wrote:
> It's not even useful for white listing as spammers can set up SPF too.
That's not how whitelisting on SPF works.
You don't whitelist *solely* on the presence of SPF.
You whitelist the *combination* of a domain that you want and a positive SPF
m
bills are ready.
*More generally, I don't think it's our place to decide what users can
and can't do without among email that they've actually requested. False
positives are one thing. *Deliberately* blocking something on the
grounds that it's not necessary? T
On Tuesday 18 May 2010, fchan wrote:
> Note the Technical Contact name and his email address.
Oh, great, now I'm imagining lasagna made with SPAM.
--
Kelson Vibber
SpeedGate Communications,
.
Quick interim fix. In your local.cf, add this to stop the FPs.
meta __SEEK_O1OO80 (0)
Thanks - Since I couldn't remember how to disable a component of a meta
rule, I'd commented it out to start with, but of course sa-update
clobbers that. Filing away for future reference...
due to the phishing campaign that's
been targeting Twitter users over the last few weeks, faking a message
from Twitter support. I've seen several of those phish land in our own
spamtraps and abuse mailbox.
I can send a ham sample if that would help.
--
Kelson Vibber
SpeedGate Communications
't check very
thoroughly. They just made sure that the city, state and zip code
matched. Strangely, they had a lot of users living in Beverly Hills, 90210.
--
Kelson Vibber
SpeedGate Communications
functionality is useless.
--
Kelson Vibber
SpeedGate Communications
all depends on how you use it.
--
Kelson Vibber
SpeedGate Communications
web:
http://help.yahoo.com/l/us/yahoo/geocities/close/close-16.html
--
Kelson Vibber
SpeedGate Communications
ably a safe bet to assume it's an attempt to
remove someone from the list and not a question or comment.
--
Kelson Vibber
SpeedGate Communications
does check URLs as well. It's one of the signature
types. Type 8, I think.
--
Kelson Vibber
SpeedGate Communications
(score set 0 or 1), in which case BAYES_99 will be scored at 0.
--
Kelson Vibber
SpeedGate Communications
Wouldn't it be more efficient to write all the single-letter matches
like "(?:s|z)?" as "[sz]?" or does it end up not making a difference
when the regex is actually processed?
--
Kelson Vibber
SpeedGate Communications
abeas is an IP-based
whitelist, and has been for, I don't know, 4 or 5 years.
So, seriously -- you've adjusted the score of a rule to point in the
opposite direction without actually checking what the rule does?
--
Kelson Vibber
SpeedGate Communications
IRC) specific to all, and ~all means "Other places shouldn't be
sending you mail, but we're not 100% certain we haven't missed
something." (In RFC terms, mail from us SHOULD NOT be sent from other
places.)
--
Kelson Vibber
SpeedGate Communications
ractice, most browsers
are lenient about this), but if I'm reading the HTML 5 spec correctly,
it will also allow within the body, but *only* if it contains
the SCOPED attribute, and only at the beginning of a section, like this:
<div>
<style scoped>
h2 {color: green}
Bunch of content
But this would not be:
Some content
h2 {color: red}
More content
--
Kelson Vibber
SpeedGate Communications
cause it
not to appear.
More precisely, a positive SPF result *by itself* is not an indicator of
non-spam. It can be combined with other data, such as a whitelist of
domain names, and be quite useful, as in the whitelist_spf and
whitelist_auth rules.
--
Kelson Vibber
SpeedGate Communications
If you want to leave a DKIM failure for that domain as neutral, just
remove your custom blacklist rule.
--
Kelson Vibber
SpeedGate Communications
ains, even one as
simple as a bunch of whitelist_from_dkim rules in your local.cf, and it
becomes a powerful whitelisting & blacklisting tool.
--
Kelson Vibber
SpeedGate Communications
Exactly. That sort of thing would train users to expect your company's
email to come from multiple and/or unfamiliar domains, such that they
will be less likely to notice phishing attempts that claim to be your
company but come from other domains.
--
Kelson Vibber
SpeedGate Communications
number (or
equivalent) instead of a human-readable name for their image filenames.
--
Kelson Vibber
SpeedGate Communications
MEDefang,
then call SpamAssassin (also through MimeDefang) if a message passes.
Have you verified that Clam is using the SaneSecurity signatures? How
are you calling ClamAV?
--
Kelson Vibber
SpeedGate Communications
ovide better results.
--
Kelson Vibber
SpeedGate Communications
ic, and (b)
the client has the sense to do that verification step.
--
Kelson Vibber
SpeedGate Communications
Matus UHLAR - fantomas wrote:
Of course, PASS tells nothing, but
there are *FAIL, NEUTRAL etc.
Actually, PASS can tell you quite a bit if you're trying to whitelist a
specific address or domain (eg. whitelist_from_spf).
--
Kelson Vibber
SpeedGate Communications
signed up for the mailings, but at the moment it
looks like the list is something I can use as a data point through
SpamAssassin, but can't use to block mail outright.
--
Kelson Vibber
SpeedGate Communications
ginal poster's point was not to advocate disabling signature
checking, but to suggest that the error message should be more useful.
--
Kelson Vibber
SpeedGate Communications
xt MX until it gets to one that *does* respond. And if that
happens to respond with a tempfail...
--
Kelson Vibber
SpeedGate Communications
s about "Please
use responsibly" and how abuse of the tool can get your account deactivated.
--
Kelson Vibber
SpeedGate Communications
company, we need to add it to the list because it isn't a free email
service?
I don't think that's going to save much effort.
--
Kelson Vibber
SpeedGate Communications
To follow up, here's a message actually sent from Opera 9.5 on Windows, in
case someone wants the info for header analysis.
And yes, I've changed the signature, partly so that it won't trip the rule
in question.
--
Kelson Vibber
SpeedGate Communications
mail, but I use it regularly for web
browsing. I just set up email on my copy of Opera 9.5 (the latest
release), and hit Compose to see what would happen.
The text you're seeing is the default signature.
--
Kelson Vibber
SpeedGate Communications
ic/comment/chech.html
Let's remember that these essays are matters of individual opinion, not
statements of indisputable truth handed down from on high.
--
Kelson Vibber
SpeedGate Communications
domains.
I've seen legit mail from them that uses a citibank.com address, but is
sent from a citigroup.com server.
It could be worse -- a few years ago, they'd use about 5 or 6 domains on
a regular basis, including the defunct c2it.com. Take a look at the
SARE_FORGED_CITI rule in 70_s
logged.
Hope this helps.
--
Kelson Vibber
SpeedGate Communications
forwarding, because the RFC says it's okay."
I'm sensing a disconnect here.
I assume everyone here has heard the joke about the difference between
theory and practice?
--
Kelson Vibber
SpeedGate Communications
Rick Macdougall wrote:
I'm an ISP and we use 5 to mark and 10 to reject at smtp time (not
bounce, smtp reject 551).
Same here. Dropping below 5 would cause way too many false positives.
--
Kelson Vibber
SpeedGate Communications
ht it only listed IP
addresses (which is already in the default rule, RCVD_IN_DSBL).
--
Kelson Vibber
SpeedGate Communications
ix their outgoing spam".
Who said anything about spam from an authorized source? The problem
*being discussed* is spam with a forged sender address, causing bounce
notices to go to an innocent third party.
--
Kelson Vibber
SpeedGate Communications
sure you put the zeroed-out scores in
your local config dir (i.e. /etc/mail/spamassassin or the like) so that
they won't be overwritten the next time you upgrade and/or run sa-update.
--
Kelson Vibber
SpeedGate Communications
rom =~/\boffice\b/i
header __SUBOFFICE Subject =~/\boffice\b/i
--
Kelson Vibber
SpeedGate Communications
rary files from accumulating.
http://mimedefang.org/node.php?id=64
--
Kelson Vibber
SpeedGate Communications
ng the list to the remote MX so that it can still query that
information if/when the primary is unavailable.
Looking through the MIMEDefang mailing list archives is left as an
exercise for the reader.
--
Kelson Vibber
SpeedGate Communications
og
post, or including their blogspot-hosted site in their email signatures.
We do still score blogspot URIs --- but we only add 1 point for it.
Scoring at 5 would block legit mail.
--
Kelson Vibber
SpeedGate Communications
since switched to an IP-based whitelist
because the unauthenticated header proved unreliable.
They changed their business model YEARS ago.
--
Kelson Vibber
SpeedGate Communications
own recipients right away.
It might be worth looking for a couple of addresses that get hit
repeatedly and temporarily activating them, or even turning on a
catch-all for 20 seconds or so, to capture some of the messages and see
whether you're dealing with a botnet or backscatter.
--
Kelson Vibber
SpeedGate Communications
experience with them.
MIMEDefang, also. And you can set up procmail rules to delete or
redirect mail based on the headers that SpamAssassin adds.
--
Kelson Vibber
SpeedGate Communications
thod being more efficient than the
other. They're looking at different data.
--
Kelson Vibber
SpeedGate Communications
mouss wrote:
Kelson wrote:
Rob Sterenborg wrote:
SM wrote:
The spam content shouldn't even be getting through as the recipient
address is invalid.
Unless you don't know who your recipients are, which may be the case
when operating a mailrelay. (I'm not saying that such situa
ss they send to a mix of real and bogus addresses. It could be
worth blocking them from hitting any real addresses after they've hit a
couple of spamtraps.
--
Kelson Vibber
SpeedGate Communications
. Please do
not enter any personal or financial information into this website.
So apparently email1.paypal.com in some manner is NOT part of paypal.com!
I wonder how they managed that.
*blink* *blink*
Great. Now *that's* encouraging.
--
Kelson Vibber
SpeedGate Communications
ns -- not to mention making it harder for us admins to prevent
false positives through whitelisting.
It was nice to see a sender that had learned to not make that mistake.
--
Kelson Vibber
SpeedGate Communications
the info to SA.
http://sial.org/howto/mimedefang/macro-pass/
--
Kelson Vibber
SpeedGate Communications
ages that need to be split up.
--
Kelson Vibber
SpeedGate Communications
tailed results (which rules fired, what the final score is, etc.)
and make further classifications.
--
Kelson Vibber
SpeedGate Communications
e form is legit, you won't hear back from them. If not,
and they start sending you spam, they have no business contacting an
address that you used to UNsubscribe.) Wait.
The bottom line: be patient. It may take several weeks for them to
bite, but once they do, they won't let go.
-
n the
server was clogged with undeliverable bounces, or do you mean they saw
spammers hanging onto open connections longer than reasonable in a sort
of reverse-tarpit?
--
Kelson Vibber
SpeedGate Communications
g into.
MIMEDefang - http://www.mimedefang.org/
CanIt - http://www.roaringpenguin.com/products/antiSpam
--
Kelson Vibber
SpeedGate Communications
yone could do things like that.
*sigh*
--
Kelson Vibber
SpeedGate Communications
ikely -- that expiration date is still 4 weeks in the future, so it
shouldn't be an issue.
--
Kelson Vibber
SpeedGate Communications
thout hesitation!
As for the IP, treat it the same way you'd treat the IP in
non-SPF-compliant spam. They can authorize any IP they want, whether
it's (legitimately) under their control or not.
--
Kelson Vibber
SpeedGate Communications
clients (KMail,
for instance) have the ability to filter mail through SpamAssassin as
they download it via POP.
--
Kelson Vibber
SpeedGate Communications
st named
it), and the rest are rejected.
For those who only want to run one instance of clamd, it's easy enough
to do the same thing to separate "real" viruses from spam signatures by
looking for "sanesecurity" or "msrbl".
--
Kelson Vibber
SpeedGate Communications
ey blamed it on a paralegal who did "bad research," but somehow
managed not to catch the joke until after it had been scheduled for a vote.
--
Kelson Vibber
SpeedGate Communications
, and only a handful of
those are getting through.
--
Kelson Vibber
SpeedGate Communications
(__LOCAL_HEADER_THUNDERBIRD &&
__LOCAL_HAS_PDF)
score LOCAL_PDF_VIA_THUNDERBIRD 6.0
Well, this message will probably go into your spam folder, since I'm
using Thunderbird and the phrase ".pdf" appears in the message.
--
Kelson Vibber
SpeedGate Communications
that point is just shuffling things around inside the botnet.
--
Kelson Vibber
SpeedGate Communications
way), and
they've looked into torrents and concluded they wouldn't gain anything
by using them.
--
Kelson Vibber
SpeedGate Communications
dated/rules -- then processes the files
in your local folder (usually /etc/mail/spamassassin)
As long as you leave 10_default_prefs.cf in its normal location, you
shouldn't have any problems.
--
Kelson Vibber
SpeedGate Communications
L patterns are known. If you know the pattern is
account.example.com, or example.com/account, then throw away the rest of
the URL and list/lookup the base pattern.
--
Kelson Vibber
SpeedGate Communications
titution
cipher. This rule tries to match those, not the rot13 a-m <-> n-z
mapping specifically.
Then why is the pattern very specific wrt '^' and '(' ?
Because it's very common (or at least was at one time) for spammers to
rot13 the target addresses and the
hey prefer verified reports.
--
Kelson Vibber
SpeedGate Communications
URL hasn't made it into any
SURBLs yet.
--
Kelson Vibber
SpeedGate Communications
Abba Communications wrote:
Is there a standard perl version that the SA team aspires to and uses as a
baseline or some sort?
From the README file:
Perl 5.6.1 or a later version is required.
--
Kelson Vibber
SpeedGate Communications
KIM or DomainKeys
plugin enabled?
--
Kelson Vibber
SpeedGate Communications
mail, the default behavior will be to scan all mail, regardless of which
way it's going. (If you're using SMTP-AUTH, or if all outgoing mail
comes from a specific IP range, then it's pretty easy to separate them.)
--
Kelson Vibber
SpeedGate Communications
hters, getting their ISPs to disable their
accounts automatically.
Sorry, that one's just too easy to abuse.
--
Kelson Vibber
SpeedGate Communications
ation, not IPs that you trust not
to send spam.
--
Kelson Vibber
SpeedGate Communications
r-expressions.info --
one of the few legit .info names I've seen.
--
Kelson Vibber
SpeedGate Communications
contribute
to classification as spam. There isn't a "porn" classification.
What rules is it hitting?
--
Kelson Vibber
SpeedGate Communications
n the list...
--
Kelson Vibber
SpeedGate Communications
eliver the message, and what responses
it's received.
It should be possible to extract the headers from the queue file, but
simply concatenating the files wouldn't do it.
Off the top of my head, maybe something like this?
grep '^H' | cut -f3- -d'?'
Unt
Jonathan Nichols wrote:
Any rulesets to deal with them? They're scoring lower and lower all the
time. The one I linked to scored -2 :-(
It looks like it tripped BAYES_00. Have you been running these through
sa-learn as spam? That should help, to start.
--
Kelson Vibber
Spee
ining behavior for additional
score ranges.
MIMEDefang is free and open-source (GPL). The authors also have a
commercial product, Can-It, with additional capabilities and simpler
administration:
--
Kelson Vibber
SpeedGate Communications
section such that HTML becomes
irrelevant for legitimate uses? Microsoft Word? PDF? RTF? Any of
those would be worse, IMO. text/richtext might do the job, except
Eudora is the only client I can think of that composes in it.
--
Kelson Vibber
SpeedGate Communications
e (yet) on a
large scale without disappointing a lot of people -- and not just the
spammers.
--
Kelson Vibber
SpeedGate Communications
atted messages to be distracting and prefer
to read the plain-text version.
--
Kelson Vibber
SpeedGate Communications
snowcrash+spamassassin wrote:
whatever. currently, it's unformatted in tbird, unlike in other
clients. intended, or not; bug, or not -- that's a fact.
Technically, it's left unformatted in those other clients, and
has been reformatted according to specs by Thunderbird.
-
ing you're looking at it via
View->Headers->All. You can see the original formatting (even in
Thunderbird 2) using the Message Source function instead.
Menu: View->Message Source
Keyboard: Ctrl+U on Windows & Linux, probably Cmd+U on Mac
--
Kelson Vibber
SpeedGate Communications
the line endings when you transfer them.
--
Kelson Vibber
SpeedGate Communications
header when it fakes the
required received header.
For the record, current versions of MIMEDefang do this. I believe
someone mentioned that current versions of Amavisd-new also do this.
YMMV with older releases and other milters.
--
Kelson Vibber
SpeedGate Communications
Tue, 30 Jan 2007 11:23:53 -0500
There's one critical piece of information missing: the envelope
sender (or at least the RHS of the address).
--
Kelson Vibber
SpeedGate Communications