On Wed, 2024-02-14 at 09:59 +0100, Matus UHLAR - fantomas wrote:
> > > > On Feb 14, 2024, at 06:12, Ken Wright
> > > > wrote:
> > > >
> > > > I've built a mail server and I wanted to include Spamassassin.
> > > > As noted above,
On Wed, 2024-02-14 at 06:15 +0100, Niels Kobschätzki wrote:
>
> > On Feb 14, 2024, at 06:12, Ken Wright
> > wrote:
> >
> > I've built a mail server and I wanted to include Spamassassin. As
> > noted above, the machine is running Ubuntu Server 23.10, so
mctl start spamassassin
says "Failed to start spamassassin.service: Unit spamassassin.service
not found." Spamd, however, is active and running. Is this normal?
If it isn't, what can I do to correct things?
Further information available on request. Thanks in advance!
Ken
ht mocked by him. And so, while I have zero sway as a
team member or anything like that, as a newbie mailing list member,
looking for help, I humbly submit that he's not someone you want being
the first interaction a new list member has.
$.02, YMMV, etc.
-Ken
On 7/27/2023 12:08 PM, Ken D'Ambrosio wrote:
Hey, all. I've recently started getting spam that's really hard to
deal with, and I'm open to suggestions as to how to approach it.
Superficially,
I'm not sure why the OP's rule didn't match the target message,
much nicer if users could just use blacklist_from.
So what about an option to ignore specific addresses in the Resent_From
field and go on to the actual From field when one of those addresses is
present? Something like "ignore_resent_from a...@ress.com".
Ken
d "Access My Account"). Maybe the latter test is too
accepting of things between "confirm" and "account".
Ken
>From bounces+140785-04cf-kdo=cosmos.phy.tufts@email2.patientconnect365.com
>Wed Jul 31 01:21:10 2019
Return-path
/spamassassin
had a glitch, so I tweaked it a bit and tried again. Joy!
My sincere thanks to everyone who tried to help. I'm sure this won't be
the last time I need advice!
Ken
On 2/12/19 9:53 AM, Bill Cole wrote:
> On 12 Feb 2019, at 1:14, Ken Wright wrote:
>
>> On 2/11/19 11:42 PM, Bill Cole wrote:
>>> On 11 Feb 2019, at 21:40, Ken Wright wrote:
>>>
>>>> On 2/11/19 9:33 PM, Bill Cole wrote:
>>>>> On 11 Feb 2
On 2/12/19 1:56 AM, Evan Booyens wrote:
>
> Hi Ken
>
> My only other fix would be to specify the config path in
> /etc/default/spamassassin at the OPTIONS="" section - add in
> "--configpath=/etc/spamassassin " at the start of the configs.
>
> Hope i
>
Just checked. The symlink is there. Would that it had been that easy!
Ken
On 2/11/19 11:42 PM, Bill Cole wrote:
> On 11 Feb 2019, at 21:40, Ken Wright wrote:
>
>> On 2/11/19 9:33 PM, Bill Cole wrote:
>>> On 11 Feb 2019, at 20:24, Ken Wright wrote:
>>>
>>>> it does say it's loading the Mail::SpamAssassin::Plugin::Check m
On 2/11/19 9:33 PM, Bill Cole wrote:
> On 11 Feb 2019, at 20:24, Ken Wright wrote:
>
>> it does say it's loading the Mail::SpamAssassin::Plugin::Check module
>
> This is evidence that one or more of the following is true about spamd:
>
> 1. It is using a different
robably want to run it like:
>
> spamassassin -D --lint 2>&1 | less
>
Whew, that's a lot of output! I didn't see any obvious errors, and it
does say it's loading the Mail::SpamAssassin::Plugin::Check module
(along with several others). Is there anything in particula
On 2/10/19 3:56 AM, Giovanni Bechis wrote:
> On Sun, Feb 10, 2019 at 02:30:28AM -0500, Ken Wright wrote:
>> I've been trying to set up an email server and I want to use
>> Spamassassin to prevent it from becoming Spam Central. I've installed
>> SA and spamass-mi
in::Plugin::Check module, which
is installed and up to date. I've just about run out of ideas. Anyone
have any?
Sorry this is so long, but I didn't want to omit any pertinent information.
Ken Wright,
pulling his hair out.
ot the one I want.
>
>Can someone provide an example or point me toward
>documentation of how to write such a rule?
>
>Thanks,
>
>Ken
Thank you for the helpful responses!
ow to
write such a rule?
Thanks,
Ken
Bill,
Thanks for the helpful reply. I performed a reverse lookup on several of
the IPs, but didn't take the next step of looking up the name in the PTR.
Ken
On 17 Sep 2015, at 15:35, Ken Johnson wrote:
> Spamassassin is run by Exim.
>
> Spamassassin version:
> X-Spa
y.com). From
(host=NULL [45.58.126.146]) for x...@y.com
which included the string "(host=NULL " was a message I could safely filter
out. Or at least, could safely add two or three to the score.
What condition or attribute of received mail corresponds to a log entry of
"host=NULL"?
Thanks,
Ken
On 2015-08-06 11:53, RW wrote:
On Thu, 06 Aug 2015 11:38:56 -0400
Ken D'Ambrosio wrote:
Hi! I'm getting headers like this:
Aug 4 04:24:58 agrajag spamc[2557]: skipped message, greater than
max message size (512000 bytes)
Now, I'm just not sure where t
I have no idea where/how that gets
invoked by spamd.
Suggestions?
Thanks!
-Ken
On 10/22/2014 2:40 PM, Jesse Stroik wrote:
I noticed URLs from the TLD .link aren't properly classified on my
mail server. I wrote a simple URI rule to recognize that TLD which
never matched. I wrote a similar body rule, which did properly match.
Interestingly, I do see DNS queries going out f
On 10/15/2014 6:50 PM, Kevin A. McGrail wrote:
I'd have to dig into it to find out more but there are different
modules used for different tests so deviation in behavior is not
something that alarms me. If you replace your RegistrarBoundaries.pm
and it still has issues, please let us know. I a
On 10/15/2014 6:12 PM, Martin Gregorie wrote:
I'm certain KAM is right and here's why.
...snip...
IOW, uri rules depend on matching the terminal part of the domain name
with an entry in SA's built-in TLD list and my version, installed from
the Fedora repo, doesn't yet include .link.
I reverted
On 10/15/2014 4:52 PM, Kevin A. McGrail wrote:
The TLDs are hardcoded in SA 3.3.2. We are working on not having
them hard-coded in 3.4.1.
I found Bug 6782, which I think you are referring to. I don't quite
understand the details of it. But are saying that the 'uri' and uridnsbl
rules
rely on
On 10/15/2014 4:52 PM, Kevin A. McGrail wrote:
On 10/15/2014 4:49 PM, Ken Bass wrote:
1) My local.cf has a rule to address the new .link domain which
spammers appear to be using recently:
uri LR_LINK_TLD /^(?:https?:\/\/|mailto:)[^\/]+\.link(?:\/|$)/i
describe LR_LINK_TLD Contains a URL in
I'm using Centos 7, which means SA version 3.3.2.
I am encountering several emails that are not being processed correctly
when checking against URI rules.
1) My local.cf has a rule to address the new .link domain which spammers
appear to be using recently:
uri LR_LINK_TLD /^(?:https?:\/\/|m
of sending.
Actually had a faculty ask me how to set his T-bird to check for
new messages every -second-, didn't want to wait a minute. ;(
imap?
--
Ken Anderson
yes. URIBL_RHS_DOB is somewhat useful. It's not _very_ reliable alone
though, so I use it with META rules that add points for combinations
with other things that are common with uri type spam.
It seems to hit much of the same things as fresh.spameatingmonkey.net
ymmv.
Ken
On 5/27/2
response for infected
hosts?
Ken
Warren
--
Ken Anderson
Pacific Internet - http://www.pacific.net
probably a large droplist. Greylisting and
watching for IPv6 "hopping" would probably be useful too..
Ken
If we must receive mail from IPv6 IPs, then I recommend doing the
equivalent of the following (put in IPv4 terms for simplicity):
(A) All other non-authenticated mail rejected... unless t
ders.
But, as a small ISP with lots of roaming users, SPF is pretty much
useless for outgoing mail (?all).
Ken
Because many feel this way, I suspect that this may be the reason why
the latest and greatest SPF support probably wasn't a huge priority for SA?
--
Ken Anderson
Pacific Internet - http://www.pacific.net
r this. If
someone wants to fork Botnet, go for it! Otherwise, just patch.
This isn't Microsoft, where you can sit on a serious security bug for 3
years and be held accountable... u.. nevermind.
Ken
Bill Landry wrote:
McDonald, Dan wrote:
On Wed, 2009-06-10 at 21:40 -0700, John Rudd
recipients' Barracuda Spam Firewall may be
misconfigured
I have seen this in less than 'rare' cases. It's quite easy using the
Barracuda web admin to apply PBL or other dynamic range lists to all IPs
found in ALL Received headers. You will certainly get "less spam"
ng out the
rule for the time being?
We have the same troubles when reaching them by mail, someone knows
anything about it if they have network issues?
Bye,
raymond.
Looks like maybe they just changed nameserver providers.
Try flushing your dns cache.
Ken
--
Ken Anderson
Pacific Inter
of
several more, but won't bore you..
Ken
place, but
don't quote me on that.
Thanks,
Randy Ramsdell
Are you sure it's not spam bounces (joe job)?
This is more common than a spam attack.
Ken
--
Ken Anderson
Pacific.Net
g from connections to you free tempfail mx service?
Ken
That is the plan - if it works. And it will get the offenders listed
quickly.
--
Ken Anderson
Pacific.Net
Marc Perkel wrote:
Ken A wrote:
Marc Perkel wrote:
I don't know how this will work but I'm building the data now. For
those of you who are familiar with Day old bread lists to detect new
domains, as you know there's a lag time in the data and they often
don't ha
really new domains, but
will have some false positives. But - if it is mixed with other
conditionals it might be a good way to detect and block spam from or
linking to tasting domains.
Thoughts?
How will you keep your list from being easily polluted?
Ken
--
Ken Anderson
Pacific.Net
but never got a confirmation
e-mail
from them? What is the RBL name?
Justin.
It hit botnet rules here too, just now.
Ken
--
Ken Anderson
Pacific.Net
pam tagged from client managed systems I
would think it not much to count on.
I hope that's not how it's managed! We regularly see barracudas bounce
email with PBL listed IPs in the received headers (NOT the connecting
server). MailMarshall does this too, if properly misconfigured. :-(
Ken
DAve
--
Ken Anderson
Pacific.Net
Marc Perkel wrote:
Ken A wrote:
Ralf Hildebrandt wrote:
* Robert Schetterer <[EMAIL PROTECTED]>:
Project Tarbaby helps you reduce spam and helps us build our
blacklist. This is done by adding a fake MX record to your existing
MX lists
thats could be seen as a security risk
ca
Ralf Hildebrandt wrote:
* Ken A <[EMAIL PROTECTED]>:
How? He tempfails all mails.
Are you asking how sending your customer, or company email off someplace
you don't control might be a security risk?
It's in no way more dangerous than using Postini...
Have you compared Po
ail off
without their explicit permission. That's a breach of trust at least,
and perhaps of contract. It might also be a violation of company policy,
or just plain illegal.
Ken
--
Ken Anderson
Pacific.Net
ram wrote:
On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:
Arvid Ephraim Picciani wrote:
On Wednesday 30 July 2008 00:55:50 mouss wrote:
Ken A wrote:
Can be a probe too. Accepting mail from that IP with that content says
something about your system. Spammers aren't stupid. They finger
Arvid Ephraim Picciani wrote:
On Wednesday 30 July 2008 00:55:50 mouss wrote:
Ken A wrote:
Can be a probe too. Accepting mail from that IP with that content says
something about your system. Spammers aren't stupid. They fingerprint us
just like we fingerprint them.
If I was a spammer, I
Can be a probe too. Accepting mail from that IP with that content says
something about your system. Spammers aren't stupid. They fingerprint us
just like we fingerprint them.
Ken
Pacific.Net
Karsten Bräckelmann wrote:
Please do NOT *reply* to a mail, if you start a new thread. Changin
y think it's worth it. DKIM does a
better job with most of these domains anyway, imo.
fwiw, markmonitor 'monitors' 'marks' - they are in the intellectual
property protection business. Too bad ICANN wasn't using them.
http://www.icann.org/en/announcements/announcement-03jul08-en.htm
ooops!
Ken
--
Ken Anderson
Pacific.Net
# host contagiousensemble.com.black.uribl.com
contagiousensemble.com.black.uribl.com has address 127.0.0.2
uribl.com + milter-link = rejected spam
Ken
Mailing Lists wrote:
Here's today's first WagonJumper's email ... the domain has a registry date back in
October 2007.
One of
Our spam levels are 1/2 to 1/3 of what they were two weeks ago.
Also, virus e-mails are also very very low. Low enough for me to
start reviewing the e-mail logs for anomalies.
The summer doldrums are upon us...
s staff
directory (http://academic.mbc.edu/cis/search/facstaff/
namesearch.asp). It was not taken from the SA mailing list.
- The message to Dave was a one-to-one correspondence - it was not
part of a bulk mail-out.
Regards,
Ken
--
Ken Simpson
CEO
MailChannels - Reliable Email Delivery
http://blog.mailchannels.com
604 685 7488 tel
What is this the junkemailfilter announce list?
Give it a rest.
Ken
Marc Perkel wrote:
Actually - I just need your spam attempts. I have a way to detect
spambots on the first try and add them to my blacklist at
hostkarma.junkemailfilter.com
So - if you want to participate and lose a chunk
admins out there that can afford to block them, please do!
In the "customer centric world" of email service providers, most email
admins can't block these mailers, even if they do invite a phishing tag.
Hopefully, they will get a clue eventually.
Ken
--
Ken Anderson
Pacific.Net
pire innovation.
Example:
dig comcast.com.isphosts.junkemailfilter.com
This list was created by grabbing the registry barrier part of the
domain name of IPs from other DNS lists that list the IPs as dynamic.
Ken A wrote:
NJABL & PBL already provide this, AND they are already pa
John Hardin wrote:
On Thu, 29 May 2008, Ken A wrote:
http://www.rhyolite.com/anti-spam/you-might-be.html
So how is a proponent of the "Hunt down and kill spammers very messily"
FUSSP classified?
I'm suggesting that some homework should be done before creating a list
of t
inspire innovation', you should take note
of this potential problem:
http://www.rhyolite.com/anti-spam/you-might-be.html
Ken
--
Ken Anderson
Pacific.Net
your MTA
(bad recipient throttle, etc), an IDS like ossec will help. (free)
http://ossec.net/ It'll block using the system firewall if an IP hits
your machine more than a few times causing log entries that it triggers
on. There are default rules for common MTAs.
Ken
Best Regards,
Hi Miguel,
I run /usr/local/bin/sa-learn --force-expire daily with MySQL and it
works fine.
Here is an excellent slide show on using SQL with SA:
http://people.apache.org/~parker/presentations/MO13slides.pdf
You may also find these SQL queries helpful, I run them monthly.
echo "Starting Mont
equirement of
transparency or accessibility. Use it or don't. I've found it quite
useful simply because nobody else has made this data available, so it's
a good thing for use in SA META rules.
Ken
Pacific.Net
with SMTP id 4mr9872622fgc.69.1204268912528;
Thu, 28 Feb 2008 23:08:32 -0800 (PST)
Message-ID: <[EMAIL PROTECTED]>
Are there any X- headers?
It's known that the captcha was cracked and that some webmail
auto-responders are being abused.
There might be a better way to ID this mail.
Ken
--
Ken Anderson
Pacific.Net
don't see where they are scored
negatively. Have those rules been obsoleted?
If I wanted to add a point for messages coming from The Bat!, how would
I write that rule?
Thanks!
Ken Morley
Here's a sample. Note that I'm also using Passive OS Fingerprinting,
which doesn
f
altering each e-mail by changing the recipient and adding several
X-Amavisd headers and I understand that might impact Bayes accuracy.
It's also a pain...
I'm curious: how do the rest of you approach this problem?
Thanks!
Ken Morley
appreciated.
>
> Chris.
Spamassassin only scores emails. You'll need another application to "do"
something with them. I use MailScanner and what you need is easily done with
it. It gives you many other options as well. I think Amavis-new and
Mailwatch may do the same thing but have no ex
I'm running SpamAssassin 3.2.3 and have been advised to increase the
score for URIBL_SBL to 5.0. I see where it is defined in 50_scores.cf,
but I don't completely understand the format.
Mine shows:
score URIBL_SBL 0 2.468 0 1.499 # n=0 n=2
Is the last score (1.499) the one I should increase? We
you have a legitimate reason to reject based on helo, imo.
Ken
--
Ken Anderson
Pacific.Net
ds.
Bob
milter-null
--
Ken Anderson
Pacific.Net
l,clamav and
SA. Great flexibility. Lots of mimedefang recipes on the wiki page.
Ken
y humorous, "What changes would you make to stop spam? - United
Nations Paper", there are dozens of other equally off topic and
troll-like posts here by M. Perkel.
It's clearly turned from plain ignorance of the rules of this list to
marketing his junk list now, and that really does
a milter. It has a queue, check, then forward
approach that nicely levels out the load on SA. There's also some nice
addon reporting available in MailWatch (sourceforge).
--
Ken Anderson
Pacific.Net
ww.honeynet.org/papers/ff/index.html
Ken
--
Ken Anderson
Pacific.Net
re back to sending a
challenge email, which is broken for all the other reasons already
stated by many here. Stick a fork in it, it's done.
Ken
--
Ken Anderson
Pacific.Net
return a 5xx error, what is to prevent the spammer from clicking
to release? CAPTCHA? What if this system was in widespread use? It could
be a serious single point of failure.
--
Ken Anderson
Pacific.Net
Igor Chudov wrote:
Ken, I just downloaded clamav, it seems to be a file scanning tool?
How do you use it from procmail? Thanks a lot!
i
sorry. I don't know how to use from procmail, but if you want to scan
for viruses, read the install docs.
--
Ken Anderson
Pacific.Net
ue to fear of false positives. Any idea if there are
any rules that I am missing that would help?
i
clamav is catching these, fwiw.
--
Ken Anderson
Pacific.Net
ays until The 38th anniversary of Apollo 11 landing on the Moon
--
Ken Anderson
Pacific.Net
Per Jessen wrote:
Ken A wrote:
Nope, that's not correct. It's being sent by a Wells Fargo mail
server, that is all.
or maybe a bot, who knows.. unless you establish with some confidence
that the IP used sends ham only, you have nothing.
My point exactly. And even if you do
ish with some confidence
that the IP used sends ham only, you have nothing. According to arin,
wellsfargo.com has 151.151.0.0/16 at least.. probably more. You really
think you can trust 65534 hosts, so long as somebody setup the DNS
properly?
Ken
/Per Jessen, Zürich
--
Ken Anderson
Pacific.Net
on again.
It's tricky, but if you do it just right, you can browse the whole
site before the IDS blocks you.
The rulesemporium site is great, and much thanks goes to the ninjas
who operate it and write the rules, forcing spammers to read harry
potter books.
Ken
Yes, the rulesemporium
jdow wrote:
From: "Ken A" <[EMAIL PROTECTED]>
SARE Webmaster wrote:
Daryl C. W. O'Shea wrote:
Loren
Wilton wrote:
Mike Grau <[EMAIL PROTECTED]> 07/09/07 5:15 PM >>>
On 07/09/2007 04:01 PM the voices made Joe Zitnik write:
I can't get he
You are 100% correct. Works from here as well, though not real quick at
the moment. I should have tried tcptraceroute instead; works nice for
stuff like this!
Ken
--
Ken Anderson
Pacific.Net
so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42) 75.275 ms
so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46) 78.995 ms
so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42) 81.046 ms
Looks like maybe Level3 has dampened the route to you due to the problem.
Time to get a mirror in Miami?
Ken
The issue wit
to a special account, then run SpamAssassin
(if they're not already tagged by e.g. MailScanner) and procmail to
filter them into appropriate buckets.
Well, if you are running MailScanner with SA, you can have it do the
bcc'ing, only on high scoring spam if you like.
Ken
-Bill
-
ional id cards. How about a license to operate a computer?
Everyone running unpatched, unfirewalled windows, please shutdown now.
Thanks,
--
Ken Anderson
Pacific.Net
Martin.Hepworth wrote:
Ken
Web site may be having trouble but the BL's are still responding
Only one of three US rsync mirrors is. Good to know the public BLs are.
Ken
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
-Original Message-
Anyone else having trouble getting to uribl ?
www not coming up. I hope we aren't seeing another anti-spam casualty. :-(
--
Ken Anderson
Pacific.Net
osts sharing that same
ip. In virtual hosting environment, there can be hundreds of sites on a
single IP, so FPs are common doing this - except perhaps with SBL.
--
Ken Anderson
Pacific.Net
Jerry Durand wrote:
At 08:47 AM 6/1/2007, Ken A wrote:
Jerry Durand wrote:
On Jun 1, 2007, at 6:48 AM, Luis Hernán Otegui wrote:
Search through the archives, there was a patch to add it to SA.
Also note, do NOT use Zen to evaluate headers or anything in the body.
Unless of course you need
/TrustedRelays
Ken
Zen is ONLY for approving the server that contacted your server.
See
the notes on the Spamhaus.org web page.
--
Ken Anderson
Pacific.Net
DOMAIN, not 'no route to host'; you get _that_ when you
block the connection to the dns server you are using.
--
Ken Anderson
Pacific.Net
false positives in SA, so I want to know what it is.
Thanks for any ideas,
--
Ken Anderson
Pacific.Net
E
is set to 0.
Obviously this is wrong, since most spam isn't coming from domains that
'sign some'. Any ideas?
--
Ken Anderson
Pacific.Net
e a *nix version out
there somewhere.
A quick google search turned up
http://www.softpedia.com/get/Network-Tools/Network-Tools-Suites/Sam-Spade.shtml
HTH
Kind regards,
Ken
Ken Goods
Network Administrator
change.hoovers.com a:mail.eca.com include:dartmail.net ~all"
The sending server is hamhock-outbound.hoovers.com [66.179.38.26] and
that IP address is within the range listed in the first SPF entry. Why
did this fail?
Thanks!
Ken Morley
JM Technology Group
Ken -AT- jmtg.com
s a nice, and easy to use once you figure out the config files..
http://cricket.sourceforge.net/
or if you really want the boss to think you have too much time on your
hands.. http://www.aditus.nu/jpgraph/
Ken Anderson
Pacific.Net
ER -e\
"DELETE FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(),
INTERVAL 6 MONTH); " \
$DB
Hope this helps,
Ken
John D. Hardin wrote:
On Tue, 6 Feb 2007, Ken A wrote:
John D. Hardin wrote:
I think the most robust non-DNS test would be on the length of the TLD
in the obfuscated domain.
There are too many possible obfuscations using valid characters.
It doesn't matter what obfuscation character
This extends to non url spam as well, of course.. ie: "replace the "R"
with a "P" for the stock symbol spam, etc.
We need to have a good rule(s) for all of the variations of the
'remove|replace|substitute' text.
Ken A.
Pacific.Net
--
John Hardin KA7OHZ