Hi!
Loads of phishing is done that way.
Having a shtml with a post command to whatever they want from you… usually
banking/dhl …
With kind regards,
Raymond Dijkxhoorn
> On 12 Mar 2024 at 20:37, Jared Hall via users wrote:
>
> Is there a use case
')
priority SURBL_MULTI_HDR -100
describe SURBL_MULTI_HDR Domain in email headers found in
surbl multi
And score accordingly.
You could also check off reply-to/the from and so on separately.
Have fun! Raymond Dijkxhoorn - SURBL
g its listed in ABUSE.
I suspect then that I received it prior to it being listed there. Any
way to correlate those dates (if it's even worth it)?
And sure we can do that.
Thanks! Raymond
ess 127.0.0.64
Meaning its listed in ABUSE.
Thanks! Raymond
legit subdomains you definitely don’t want to
block.
With kind regards,
Raymond Dijkxhoorn
> On 26 Aug 2022 at 00:40, Benny Pedersen wrote:
>
> Raymond Dijkxhoorn via users wrote on 2022-08-25 23:45:
>> Benny,
>> Sorry for the top p
SURBL lookups will be done on the right level.
With kind regards,
Raymond Dijkxhoorn - SURBL
> On 26 Aug 2022 at 02:47, Benny Pedersen wrote:
>
> John Hardin wrote on 2022-08-26 02:32:
>>> On Thu, 25 Aug 2022, Axb wrote:
>>> On 8/25/
for several of
the datasources.
With kind regards,
Raymond Dijkxhoorn - SURBL
> On 25 Aug 2022 at 23:27, Benny Pedersen wrote:
>
> Axb wrote on 2022-08-25 17:48:
>>> On 8/25/22 16:10, Benny Pedersen wrote:
>>> https://phishtank.com/phi
directive.
at least not SA 3.4.4 (debian 10 backports)
Thats added with 4.0.0-rsv
Bye, Raymond
mentioned page is also listed on SURBL)
This has been ongoing for a few months now with page[.]link and not new
unfortunately.
If you see new ones (and not listed) feel free to send them over to me
directly for listing.
Thanks! Raymond Dijkxhoorn - SURBL
,
Raymond Dijkxhoorn
> On 13 May 2021 at 00:12, Matthias Leisi wrote:
>
>
>>
>> I would suggest to follow rfc’s. So return 127.0.0.1 for example. Or don’t
>> answer at all. Deliberate giving ‘yes to any request’ is something I can
>&
Hi Benny,
The operator of the specific rbl is doing this, on purpose. Can’t make it more
clear than that.
Dnssec would not add anything here.
Thanks,
Raymond Dijkxhoorn
> On 13 May 2021 at 00:01, Benny Pedersen wrote:
>
> On 2021-05-12 23:30, Raymon
Hi Benny,
It’s the authoritative nameserver giving that answer. With likely a view or acl
response. So adding dnssec would not make much of a difference here.
Thanks,
Raymond Dijkxhoorn
> On 12 May 2021 at 23:24, Benny Pedersen wrote:
>
> On 2021
Hi!
I would suggest to follow rfc’s. So return 127.0.0.1 for example. Or don’t
answer at all. Deliberate giving ‘yes to any request’ is something I can
understand you would do but it’s plain wrong.
Thanks,
Raymond Dijkxhoorn
> Op 12 mei 2021 om 23:17 heeft Michael B Allen het volge
ut the netmask?
Bye, Raymond
on of datasets like that...
I agree with Alex, sets like that should be rbldnsd based to make it
scalable imho.
FTR: GoogleSafeBrowsing is not free for all, anymore
that explains low hitratio ? :=)
:-)
Bye, Raymond
correctly the ClamAV support for that also was stopped months
ago. Due to exactly that.
bye, Raymond
And again i can understand the sentiment. ... :-)
Bye, Raymond
.
We report abuse to many organisations, including, but not limited to
companies like sendgrid.
Raymond Dijkxhoorn - SURBL
system a lot i think.
We list new abused subdomains daily and there should be no interaction on
that with the users of the data IMHO.
How could we get something like this into action? File a bug?
Thanks! Raymond Dijkxhoorn - SURBL
ivers for a long time now.
So if you want to use it add:
util_rb_3tld ct.sendgrid.net
Inside your local.cf
And while you are at it also add:
util_rb_2tld page.link
Bye, Raymond
the
highest one'. If its in 5 RBL's thats telling a lot more than if its
inside 1 RBL. (The SA scoring engine takes care of this).
Thanks! Raymond
But this might be obvious...
Bye, Raymond
ill do out utterly
best to limit damage of people who try to exploit this as such.
Thanks! Raymond Dijkxhoorn (SURBL)
s work was based on gudo
from Karsten.
SURBL maintains a separate list of shorteners.
It has a little over 2040 entries...
If that helps.
Bye, Raymond Dijkxhoorn - SURBL
Hai!
I dont understand why they would match your spf record either. Are they sent
out by an IP address you 'approved' ??
Thanks,
Raymond Dijkxhoorn
> On 28 Jun 2016 at 03:27, jdebert wrote:
>
> On Mon, 27 Jun 2016 18:41:04 +0530
> Ram
) that might be a good match for that
problem but isnt available as a free product.
More information can be requested offlist.
Thanks,
Raymond Dijkxhoorn, SURBL.
> On 11 Aug 2015 at 05:02, Sujit Acharyya-choudhury wrote:
>
> The URIBL_PH_SURBL is actua
xt.
That telling it all ...
Bye,
Raymond.
Currently I'm using SElinux. I'll disable it and see what happens.
-Original Message-
From: Martin Gregorie [mailto:mar...@gregorie.org]
Sent: Monday, September 09, 2013 11:28 AM
To: users@spamassassin.apache.org
Subject: Re: Rules not working
On Mon, 2013-09-09 at 14:50 +000
I just create a new .cf file on my second MTA and I'm having the same problem.
I don't think this is with my systems. I'm beginning to think it's with the
packages in the Fedora repository. I'm setting up a test MTA now so I can
confirm that. Has anyone else seen this issue when running SA o
I don’t really think it is permissions related. Spamd runs as root (I know
this needs to change). The local.cf file is read in correctly. The custom cf
files I create have the same owner and permissions as local.cf.
-Original Message-
From: Benny Pedersen [mailto:m...@junc.eu]
Sent: Mo
:19 +, Raymond Jette wrote:
> Thanks for the information. When running it this way everything
> works. I'm not sure why it is not working with normal mail flow.
>
I don't think you mentioned which O/S you are using. However, you may (it
depends on your O/S) find spamassassin
Yes. I am using selinux.
-Original Message-
From: Benny Pedersen [mailto:m...@junc.eu]
Sent: Monday, September 09, 2013 3:40 AM
To: users@spamassassin.apache.org
Subject: RE: Rules not working
Raymond Jette wrote on 2013-09-09 03:09:
> Yes. The permissions are correct. Yes,
Thanks for the reply. I'm not sure why but my spamd is running as root (I will
have to change this). I've done my tests, from spamd, from both the root and
exim users. These tests work both times and I see the rules being loaded.
-Original Message-
From: Martin Gregorie [mailto:mar..
Thank you. I will re-run it with the correct parameters.
From: jdow [j...@earthlink.net]
Sent: Sunday, September 08, 2013 10:08 PM
To: users@spamassassin.apache.org
Cc: Raymond Jette
Subject: Re: Rules not working
> ps -AF | grep spamd
root 12
"local.cf" is read first of all, of course.
{^_^}
On 2013/09/08 18:34, Raymond Jette wrote:
> I stopped spamd
>
> # systemctl stop spamassassin.service
>
> Then I ran in debug mode
>
> # echo | spamd -D > /root/spamdDiag 2>&1
>
> The following line shows a
manage
to find things by just going over and over the same ground trying to look
deeper each time.
{^_^}
On 2013/09/08 18:36, Raymond Jette wrote:
> The following lines also show a test rule hitting:
>
> [root@mx1 rjette]# cat mailflow.txt | grep match_
> Sep 8 21:31:47.662 [1028
al flags
and values.
Run tests through it using regular mail and a manual "spamc".
Stop the -D spamd.
Restart the normal spamd.
This should only take a minute or two.
{^_^}
On 2013/09/08 18:09, Raymond Jette wrote:
> Yes. The permissions are correct. Yes, the debug output show
he -D spamd.
Restart the normal spamd.
This should only take a minute or two.
{^_^}
On 2013/09/08 18:09, Raymond Jette wrote:
> Yes. The permissions are correct. Yes, the debug output shows that the
> files and rules were found and matched against the test message.
> ___
: Rules not working
Did you set permissions? (-rw-r--r--)
Are there any signs in the debug output that the files were even found at all?
Whatever it is that actually calls spamd or uses spamassassin internally may
do something to direct it off into left field.
{^_^}
On 2013/09/08 17:23, Raymond
I checked the permissions. Everything is set correctly. Thanks for the reply.
From: Dave Funk [dbf...@engineering.uiowa.edu]
Sent: Sunday, September 08, 2013 8:55 PM
To: Raymond Jette
Cc: users@spamassassin.apache.org
Subject: Re: Rules not working
On
16:55, Raymond Jette wrote:
> When I add custom rules to /etc/mail/spamassassin/local.cf the rules work
> as expected. If I create any *.cf file and put the rules in they do not
> work. My test rule is:
>
> body test_match_all /.*/
> score test_match_all -0
When I add custom rules to /etc/mail/spamassassin/local.cf the rules work
as expected. If I create any *.cf file and put the rules in they do not work.
My test rule is:
body test_match_all /.*/
score test_match_all -0.01
Rules only work if they are in local.cf. If I run th
Hai!
Since a couple of years they have something thats called google. :)
The first hit on 'rbl and postfix' gives:
http://www.cyberciti.biz/tips/postfix-spam-filtering-with-blacklists-howto.html
Thanks,
Raymond Dijkxhoorn, Prolocation
Op 25 apr. 2013 om 21:20 heeft Blason rock he
Hai!
Grin.
Your MTA most likely supports RBL's.
Thanks,
Raymond Dijkxhoorn, Prolocation
On 25 Apr 2013 at 21:09, Blason rock wrote:
> Hi folks,
>
> Curious to know if i can implement prerbl with SA? What i mean is with SA as
> soon as sombody con
Hi!
Just to follow up we have seen a huge decrease in the amount of SPAM
received since we implemented the Invaluement RBLs.
Overall spam volumes went down generally. So even without any RBL enabled
you would notice this. Stats show this about anywhere.
Just my 2 cents.
Bye,
Raymond.
Hi!
I am not able to lookup surbl
In fact the domain surbl.org does not seem to exist at all.
[root@pop2 bin]# dig surbl.org +short
[root@pop2 bin]#
I am sorry if this is old news .. I have no idea since when SURBL went down ?
[raymond@noc ~]$ dig ns surbl.org
; <<>> DiG 9.6
Hi!
Easiest way would be putting them inside a uribl.
Whats the reason to get on this list?
Eg what policy?
Thanks,
Raymond Dijkxhoorn, Prolocation
On 13 Dec 2011 at 08:54, Tom Kinghorn wrote:
> Good morning List.
>
> The nice guys at Rhyolite.com have
ultiple words or any non-alphabetic characters
in the subject.
Your subject "Re: MySQL" happened to hit that pattern, but I would
expect ham hits to be pretty rare.
Its a rule i disabled a long time ago and no its not rare. Rules should be
more specific than this imho.
Bye,
Raymond.
.
Thats why i put the rule inside the mail.
72_active.cf:##{ TVD_SPACED_SUBJECT_WORD3
72_active.cf:header TVD_SPACED_SUBJECT_WORD3 Subject =~ /^(?:(?:Re|Fw)[^:]{0,5}: )?[A-Z]+[a-z]+[A-Z]+$/
72_active.cf:##} TVD_SPACED_SUBJECT_WORD3
Bye,
Raymond.
d not post messages inside a
thread with completely removing the old message?
http://lipas.uwasa.fi/~ts/http/quote.html
Thanks,
Raymond.
existing rbl.
Bye,
Raymond.
ess though, because the
two leaders are for the most part reputable and don't just block ANY
IP.
Raymond, I remember your name from reading at surbl.org (actually, you
must go to www.surbl.org, heh). Is this the list you recommend?
I dont recommend any list. Its up to anyone to pick and mix.
erything I would be first.
Setup a blacklist blocking ANY ip and you are ranked #1 in this test.
Its of no use at all IMHO.
Bye,
Raymond.
ished they become worthless for many of us.
And thats the main reason some of the SARE people do make rules, for a
smaller audience, and not publish them on the public SARE page anymore.
Bye,
Raymond.
Hi!
Upgrade to SVN version this is an issue with RC1.
It looks to me like one of the devs fixed the rule. I'm still running rc1,
but the errors have disappeared.
Ah okay perfect!
Thanks,
Raymond.
tps://svn.apache.org/repos/asf/spamassassin/trunk
Install that one and try again ;)
Bye,
Raymond.
zone transfer. I'm just
happy we got a paid subscription. It's the best support I can provide
Spamhaus to keep them in business.
I wish you good luck doing a zone transfer on a rbldnsd server, its not
implemented so its not an available option.
Bye,
raymond.
[4.23.231.50 listed in .zen.dq.spamhaus.net]
I can't be printing our key in the emails, what is a sysadmin to do?
Whats your complete rule looking like, also the subscribe lines please.
Bye,
Raymond.
orium site also where its
based so you could fetch a new copy there also if needed.
http://rulesemporium.com/rules/00_FVGT_File001.cf
Bye,
Raymond.
ther funny, and annoying. Connections do break also
when not running a botnet... pfff....
Bye,
Raymond.
at time is long gone. User reports do have disadvantages ;)
Bye,
Raymond.
Hi!
I reject the notion that spam is a L7 problem.
It is more of a L8 problem... money.
Warren
Or L9, users. In the end :)
Bye,
Raymond.
es is also not a solution, its preventing things afterwards.
Fix it with the source, e-mail isnt designed for what its being used for
today
You can brainstorm, but it wont scale.
Bye,
Raymond.
Hi!
Spamassassin doesnt delete mail. This is most likely an issue with the
tools you use around it? MailScanner?
Bye,
Raymond.
On Thu, 29 Oct 2009, Khaled Hussein wrote:
Hi all,
I recently added the saupdates.openprotect.com channel to my server but after
that I am receiving complaints from
ctual mail flow...any mistake made comes
down hard.
Bye,
Raymond.
nja's including me are idle due to this same exposure thing. We
share within the SARE group internally but most are not published like in
the past. Some are added by Alex to the generic SA updates however.
Bye,
Raymond.
o get use of it.
We use some rules if we talk open about it and say hey this spammer is
stupid look here, then it will take less than 12 hours and that gap is
closed and we lose a valuable trick.
Fighting spam is more than just ventilating ideas its much more than
that.
Bye,
Raymond.
iable data, especially for .cn, .hk and so on you need to
get a relation with those registries. And so far (welcome to communism)
not many people succeeded there.
Bye,
Raymond.
gmail.
Warren, its a pretty silly statement.
You are aware that google helps out a lot of blacklists with data?
Apparently not.
Bye,
Raymond.
ke to help, thats good
but dont end up making a whole lot of noise.
If RH is serious about this, attend conferences like MAAWG and talk
with people there, talk with the blacklist guys, many are on those
events.
Dont flood people on the user list please. Most likely there are better
lists to start talks like this.
Bye,
Raymond.
please dont include lists that are not up
to the task yet).
thanks for you time.
Raymond Dijkxhoorn.
nions are split here.
Please stick to JMF, its called like that for a long long time now. And
there is installed base. Dont confuse people if its not needed.
Thanks,
Raymond.
itting
isnt an option for those and its also not what DNSWL is about. they WL
sender mailservers, those could be an ISP also. You dont want to
shortcircuit them and say hey, someone put it on his whitelist, feel free
to spam me.
Bye,
Raymond.
TO_RELATED, MONEY_TO_NO_R, RCVD_IN_DNSWL_MED, RCVD_IN_JMF_W,
RELAYCOUNTRY_UK, SPF_FAIL, SPF_HELO_FAIL
Unless I'm really missing something, which server has JMF/Hostkarma
whitelisted that shouldn't be?
You are not missing anything. Its my point also.
Bye,
Raymond.
t
in their local.cf (or any place else).
Why did you invent (Marc) completely new names out of the blue?
The JMF_ stuff is there for months, please stick to it. We didnt invent
those, you did
Bye,
Raymond.
, but its a risk when adding
this into SA i feel personally. Same for the infra the BL is running on.
I might sound harsh, but i am rather careful, then again, we have SA
update. So it might not hurt that much. But during outages or DDoS it will
hurt for hours till its gone again.
Bye,
Raymond.
cent per check.
If you feel 20 USD is even too much, dont even bother. Its silly.
Then dont use it, make your own free BL ...
The pricing cant be the issue. Its insane cheap.
Bye,
Raymond.
cklist everything)
http://www.sdsc.edu/~jeff/spam/cbc.html
Beat you with what, false positives? :-)
Indeed, it doesnt tell much about -quality- of a list. So its only maths.
Bye,
Raymond.
e to press the 'SPAM' link you already have gotten the spam,
right? So thats too late if you see this black/white.
Bye,
Raymond.
up in $enduser mailbox, and he didnt ask for it.
So in his opinion the spamfilter is not working ok. And we have to fix
this.
And i cant say he is wrong.
Bye,
Raymond.
Hi!
http://log.perl.org/2009/06/email-issues-org-blocked-now-fixed.html
anyone know what URIBL provider this was?
Wouldn't we all have noticed if this would have been the case?
Doesnt ring a bell here either, best to ask the guys who posted that?
Bye,
Raymond.
isted (yet).
Bye,
Raymond.
OK.
Sorry for the ranting. I didn't mean to insult Raymond or anyone else
knowing the problem but not providing samples.
I didnt take it up as a insult or anything. I just confirmed this is a
generic issue, next time i'll be silent, no problem at all.
I would suggest however that
d for SpamAssassin.
And no i didnt file a bug for this, just confirming what i see myself.
And this is discussed before also. So no surprises here.
If anyone wants to file a bug go ahead. I wont since people seem to like
losing regular mail, lets leave it in.
Bye,
Raymond.
ar ago.. I thinks it
a combination of outlook xp and exchange 2003+
What i dont understand, i mean, i did the exact same thing. Why isnt it
either removed from SA Update or downscored???
Bye,
Raymond.
eing?
We have the same troubles when reaching them by mail, someone knows
anything about it if they have network issues?
Bye,
raymond.
t a quick optimization.
Just downscore them locally in your local.cf or alike.
Bye,
Raymond.
ng or maybe even
[A-Z]{3}[0-9]{4}\.png
Make that 4,5 since they also vary the size of the filenames...
Bye,
Raymond.
Hi!
Any Idea of when we will expect a new version of SA or new rule
updates. We are getting hit pretty hard with Spam lately.
Feel free to submit rules, dont just sit and wait. ;)
Bye,
Raymond.
ng at 2.13 GHz.
# time sa-compile
real 6m46.466s
user 6m34.792s
sys 0m9.251s
Same here. compile times went up like crazy with the sought rules.
JM, is this normal?
Bye,
Raymond.
we are seeing now on livejournal. Then we can also start listing the
subdomains and so. 2tld is updated on the SARE site already if i recall
correctly. Alex?
Bye,
Raymond.
Hi!
TVD_PH_SUBJ_ACCOUNTS_POST, TVD_QUAL_MEDS, TVD_RCVD_SINGLE
What does TDV stand for?
Theo Van Dinter
Bye,
Raymond.
or you if you start shouting around people at URIBL are not
clueful, this is your problem and i dont share this with you.
Knowing you and seeing what you do on mailing lists this will most likely
turn out in a neverending thread. Bare you, this is a one time post. I
have said what i wanted. No need to argue about it.
Bye,
Raymond.
nths after they've been changed in the DNS.
I've seen it YEARS later personally.
Yups here also.
Bye,
Raymond.
to access it from anywhere (of course they have to log in
first).
Count! Make some scripts on your outbound SMTP and do per user (e-mail)
thresholds. So if you have an exploited account the damage is minimal.
Bye,
Raymond.
s active, real handy.
Bye,
Raymond.
Hi!
"steadyrelationships DOT com" is currently blacklisted on ivmURI
It was added to ivmURI at 12/16/2008, 6:31:03 PM EST
(I think that time is before that spam arrived at your server, but
double-check me on that)
steadyrelationships .com is on SURBL lists: JP
Bye,
Raymond.
. Spamhaus,
etc etc. Whats your point?
I dont want that since that will cause a lint fail in case the rules are
removed later
Check your setup every now and then, wont harm. Its the way to disable the
lookups.
Bye,
Raymond.