d party sigs (SaneSecurity, etc).
[...]
Ahem. Why Cc'ing the SA users list?
This thread should stay on the sanesecurity list, and *only* there.
Moreover, please don't cross-post unless absolutely necessary.
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\
rently possible to run two clamav instances in parallel ?
That is exactly what I do. I have two clamav instances using separate
config files, library directories, listening on different sockets.
The first runs just the official ClamAV supplied sigs, the second all the
various 3rd party sigs (Sa
> header L_AV_Unofficial X-Amavis-AV-Status =~
> m{\bAV:Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL\b}
> Which seems to be scoring 4 just fine:
> X-Spam-Status: ... tests=[.. L_AV_Unofficial=4
Indeed.
> The weird part is this:
>
> X-Spam-Status: ...
> tests=[AV:Sanesecurity.TestSig_Type4_Hdr
On 05/08, Munroe Sollog wrote:
> I am working on adding some rules to SA so that SA adds more points when
> detecting a signature. Here is a pastebin of the headers and the rules:
>
> http://pastebin.com/qnwbSq5d
>
> It should be adding 4 points as per my rule, but as it is it is only
> adding 0
I am working on adding some rules to SA so that SA adds more points when
detecting a signature. Here is a pastebin of the headers and the rules:
http://pastebin.com/qnwbSq5d
It should be adding 4 points as per my rule, but as it is it is only
adding 0.1 points.
--
Munroe Sollog
Digirati Consult
> At my end spamassassin using the ClamAV plugin, armed with the
> SaneSecurity sigs detected it. So open source rocks. ;)
>
> The amusing part of this little scenario is that there's a messagelabs
> marketdroid who's been pinging at me to try their e-mail "protection"
I just now found a phish in one of my spamtraps, no surprise there.
The surprising thing is that it was sent out via a messagelabs.com
mailserver, complete with headers indicating that it passed their virus
checks.
At my end spamassassin using the ClamAV plugin, armed with the
SaneSecurity sigs
Just to inform who might be interested - SANESecurity signatures are back!
AD
----- Forwarded message from Steve Basford -----
Date: Tue, 20 Jan 2009 20:31:09 +
From: Steve Basford
To: sanesecur...@freelists.org
Reply-to: sanesecur...@freelists.org
Subject: [sanesecurity] We're back
On Thu, Jan 15, 2009 at 09:06, Mark Martinec wrote:
> Jonas,
>
>> I just found one reason for FPs in the Botnet plugin. It doesn't
>> make a difference between timeouts (and other DNS errors) and
>> negative answers. So if your DNS server/proxy is overloaded (or
>> slow for some other reason), you
On Thu, January 15, 2009 18:06, Mark Martinec wrote:
> Not to forget the long-standing DNS problem with Botnet:
> http://marc.info/?l=spamassassin-users&m=118641079630268
> http://marc.info/?l=spamassassin-users&m=120783518919154
i have changed to use BadRelay from
http://sa.hege.li/BadRela
Jonas,
> I just found one reason for FPs in the Botnet plugin. It doesn't
> make a difference between timeouts (and other DNS errors) and
> negative answers. So if your DNS server/proxy is overloaded (or
> slow for some other reason), you'll get FPs
>
> Since 15 minutes ago, I'm running a slightly
At 01:36 15-01-2009, Rasmus Haslund wrote:
implement it with the SA engine running in Icewarp Merak. Anyway we do
have a lot of problems with FP when we try out new things and I just have
to say some things just do not work well on a large scale where you
have to deal with all kinds of languages
>
> I just found one reason for FPs in the Botnet plugin. It
> doesn't make a difference between timeouts (and other DNS
> errors) and negative answers. So if your DNS server/proxy is
> overloaded (or slow for some other reason), you'll get FPs
>
> Since 15 minutes ago, I'm running a slight
Daniel J McDonald wrote:
I too found botnet to be a great source of FP. By combining it with p0f
it's moderately useful.
I just found one reason for FPs in the Botnet plugin. It doesn't
make a difference between timeouts (and other DNS errors) and
negative answers. So if your DNS server/pro
On 1/15/2009 1:36 AM, Rasmus Haslund wrote:
SM wrote:
"Botnet Plugin" sounds like a plugin that detects botnets ... If
Rasmus is finding that many false positives, then he's using the wrong tools.
Well I am not using the botnet plugin because I am not sure how to
implement
SM wrote:
> "Botnet Plugin" sounds like a plugin that detects botnets ... If
> Rasmus is finding that many false positives, then he's using the wrong
> tools.
Well I am not using the botnet plugin because I am not sure how to
implement it with the SA engine running in Icewarp Merak. Anyway we do
At 12:44 14-01-2009, Rob McEwen wrote:
No. This is just due to the fact that, unfortunately, some mail servers
and IPs (which send desired and solicited messages) are somewhat
incorrectly configured. It turns out that a distributor receiving
legitimate business e-mail from vendors & customers in
Rob McEwen a écrit :
> SM wrote:
>> "Botnet Plugin" sounds like a plugin that detects botnets ... If
>> Rasmus is finding that many false positives, then he's using the wrong
>> tools.
>
> No. This is just due to the fact that, unfortunately, some mail servers
> and IPs (which send desired and sol
On Wed, Jan 14, 2009 at 13:06, Dave Pooser wrote:
>> None of my friends are on
>> services that are that poorly configured
>
> No friends on Verizon? Their @#$% mail servers are 70% of my FPs.
Heh. Guess not :-)
> None of my friends are on
> services that are that poorly configured
No friends on Verizon? Their @#$% mail servers are 70% of my FPs.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserve
SM wrote:
> "Botnet Plugin" sounds like a plugin that detects botnets ... If
> Rasmus is finding that many false positives, then he's using the wrong
> tools.
No. This is just due to the fact that, unfortunately, some mail servers
and IPs (which send desired and solicited messages) are somewhat
in
lines?
Isn't that technology certified for illegal content only? :-)
Sanesecurity could have been better protected against DDOS
attacks. They are a ripe target.
Regards,
-sm
> -- Forwarded message --
> From: "Bret Miller"
> To: "John Rudd"
> Date: Tue, 21 Aug 2007 13:08:06 -0700
> Subject: RE: BOTNET Exceptions for Today
>> Bret Miller wrote:
> Maybe these aren't false positives because botnet is identifying them for
> what they are-- badly configure
On Wed, 14 Jan 2009 09:23:51 -0500, John Rudd wrote:
How's it working for you, so far?
On Wed, Jan 14, 2009 at 06:12, Paul Griffith wrote:
On Tue, 13 Jan 2009 05:28:42 -0500, si wrote:
Guys,
I'm sure you're as sad as I am re- temporary suspension of the
brilliant
services offered by S
On Wed, January 14, 2009 17:33, John Hardin wrote:
> Is there any other distributed content distribution system they
> could use for free this way?
bittorrent ?
(micro$oft have problem delivering windows 7 betas from their
network, opensource problems ?) :=)
--
Benny Pedersen
Need more webspa
Is there any way that a more distributed method of delivering
updates could be more resistant to DDOS attacks? E.g.
trackerless bittorrents (DHT), or something along those lines?
Just wondering in general
On Wed, 14 Jan 2009, Rob McEwen wrote:
QUESTIONS:
Is SaneSecurity still collecting data and generating the rulesets? (but
just not able to distribute them)
I was wondering that myself, and was also wondering whether there was a
way to leverage the Coral cache system to avoid DDoS - for
over to sanesecurity.co.uk and sign up
to the list...
Cheers and thanks for all the positive comments,
Steve
Sanesecurity
--
View this message in context:
http://www.nabble.com/Temporary-%27Replacements%27-for-SaneSecurity-tp21444618p21459579.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Rob McEwen wrote:
> And I think it is
> probably better used as a scoring list instead of a blocking list.
>
oops. I meant "probably better scored below threshold", since, of
course, BotNet isn't a "list".
--
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032
Ps than the BotNet Plugin.
I did a quick cursory search of discussions about BotNet Plugin FPs. See
attached for an example post I quickly grabbed after searching just a
few seconds.
NOTE: I'm NOT saying that the BotNet Plugin is bad or shouldn't be used.
I just don't see it a
her (a) find the Botnet Plugin utterly
> unusable due to FPs, or (b) only be able to score it by a point or two
> due to excessive FPs. (Rasmus--by all means--please don't take my word
> for it--try it out and then let us know what happened!)
I too found botnet to be a great source
On Wed, Jan 14, 2009 at 06:59, Rob McEwen wrote:
> Regarding using the Botnet Plugin as a replacement for SaneSecurity... I
> found that the _best_ part about SaneSecurity was its assistance with
> catching spam that could NOT ever be caught using _any_ kind of DNSBL.
Botnet isn't a DNSBL...
or two
due to excessive FPs. (Rasmus--by all means--please don't take my word
for it--try it out and then let us know what happened!)
Regarding using the Botnet Plugin as a replacement for SaneSecurity... I
found that the _best_ part about SaneSecurity was its assistance with
catching spam that coul
e're still in pretty good shape, but we certainly notice that the Sane
Security stuff isn't there any more.
Mup.
--- On Wed, 14/1/09, John Rudd wrote:
From: John Rudd
Subject: Re: Temporary 'Replacements' for SaneSecurity
To: "Paul Griffith"
Cc: g_b...@yahoo.c
How's it working for you, so far?
On Wed, Jan 14, 2009 at 06:12, Paul Griffith wrote:
> On Tue, 13 Jan 2009 05:28:42 -0500, si wrote:
>
>> Guys,
>>
>> I'm sure you're as sad as I am re- temporary suspension of the brilliant
>> services offered by Steve Basford and his helpers at Sane Security. I
> After a loud outcry from our users from the increasing level of spam in
> their inboxes, I installed the Botnet Plugin.
Is this something that can be used with the SA in Icewarp Merak?
NOWACO A/S
Rasmus Haslund
On Tue, 13 Jan 2009 05:28:42 -0500, si wrote:
Guys,
I'm sure you're as sad as I am re- temporary suspension of the brilliant
services offered by Steve Basford and his helpers at Sane Security. In a
sick kind of way, the 'bad guys' are acknowledging the work these guys
have done by DOSing
Guys,
I'm sure you're as sad as I am re- temporary suspension of the brilliant
services offered by Steve Basford and his helpers at Sane Security. In a sick
kind of way, the 'bad guys' are acknowledging the work these guys have done by
DOSing them, but that doesn't help much with the daily grin
FYI for anyone using ClamAV with the Sanesecurity phish/scam signatures:
Their website is being DDOSed and they've suspended updates.
Please disable attempts to download/update the sigs until they
manage to get out from under this attack.
See: http://www.sanesecurity.co.uk/
--
Dave
Lists a écrit :
> mouss wrote:
>> Lists a écrit :
>>
>>> Karsten Bräckelmann wrote:
>>>
> Thank you for the information I will attempt to get it up and running,
> have had a huge increase in spam last week or so and just trying to
> get it under control.
>
Wha
On 03/12/2008 9:06 PM, Karsten Bräckelmann wrote:
>>> Darly posted a very similar rule to this a while ago, triggering on the
>>> strange cid- prefix in the live spaces URI. You can use that just as
>>> well.
>> Thanks I will give that rule a shot and check out the earlier post by Darly.
>
> Whoop
> > Darly posted a very similar rule to this a while ago, triggering on the
> > strange cid- prefix in the live spaces URI. You can use that just as
> > well.
>
> Thanks I will give that rule a shot and check out the earlier post by Darly.
Whoops. :) Daryl C. W. O'Shea I mean... Sorry Daryl. Wo
any custom rule for the live spaces URI, including the one
above as per SaneSecurity scam sigs, Daryls, and a custom one I am
running locally, targeting the alphanumeric alternation.
They all are direct MUA to MX transmissions, no relay.
That spample (like most of these I have seen) hit RCVD_IN_BR
mouss wrote:
Lists a écrit :
Karsten Bräckelmann wrote:
Thank you for the information I will attempt to get it up and running,
have had a huge increase in spam last week or so and just trying to
get it under control.
What type of *spam* are you referring to that you want t
didn't you just ask how to catch these providing an example in the first
place, rather than asking something strange you *guessed* might help...
Yeah I had done a bit of googling and reading on the list and it seemed
the sanesecurity for clamav was a good option to try.
I think I will st
Back to that spam. I assume they are all quite similar in design, text,
and the spaces.live.com URI?
You can *easily* get the result of that SaneSecurity scam sig in SA.
uri SANESEC_9216 m~http://cid-.{0,30}\.spaces\.live\.com/blog/cns~
score SANESEC_9216 5.0
describe SANESEC_9216
Lists a écrit :
> Karsten Bräckelmann wrote:
>>> Thank you for the information I will attempt to get it up and running,
>>> have had a huge increase in spam last week or so and just trying to
>>> get it under control.
>>>
>>
>> What type of *spam* are you referring to that you want to kill by
>
Karsten Bräckelmann wrote:
Thank you for the information I will attempt to get it up and running,
have had a huge increase in spam last week or so and just trying to
get it under control.
What type of *spam* are you referring to that you want to kill by
throwing anti-virus signatures at th
> Thank you for the information I will attempt to get it up and running,
> have had a huge increase in spam last week or so and just trying to get
> it under control.
What type of *spam* are you referring to that you want to kill by
throwing anti-virus signatures at them? Are all of them phishing
On Thu, 2008-12-04 at 12:43 +1300, Lists wrote:
> Arthur Dent wrote:
> > The best thing to do is to download the script, put it somewhere where
> > the user that will run it (possibly "clamav") has read + execute access,
> > (I created a /home/clamav/ directory) and then try running it manually
>
Arthur Dent wrote:
On Thu, Dec 04, 2008 at 09:49:23AM +1300, Lists wrote:
Hi all,
I am wanting to implement the sanesecurity addins to clamav but I am a
bit lost.
I am running CentOS5 MailScanner Spamassassin ClamAV
Do I download the download scripts from
http://www.sanesecurity.com
Karsten Bräckelmann wrote:
I am wanting to implement the sanesecurity addins to clamav but I am a
bit lost.
I am running CentOS5 MailScanner Spamassassin ClamAV
Kate, this is the wrong mailing list. The ClamAV users list comes
closest for third-party ClamAV (sic) signatures without a
> I am wanting to implement the sanesecurity addins to clamav but I am a
> bit lost.
> I am running CentOS5 MailScanner Spamassassin ClamAV
Kate, this is the wrong mailing list. The ClamAV users list comes
closest for third-party ClamAV (sic) signatures without a list of their
own
On Thu, Dec 04, 2008 at 09:49:23AM +1300, Lists wrote:
> Hi all,
>
> I am wanting to implement the sanesecurity addins to clamav but I am a
> bit lost.
> I am running CentOS5 MailScanner Spamassassin ClamAV
>
> Do I download the download scripts from
> http://www
Hi all,
I am wanting to implement the sanesecurity addins to clamav but I am a
bit lost.
I am running CentOS5 MailScanner Spamassassin ClamAV
Do I download the download scripts from
http://www.sanesecurity.com/clamav/usage.htm
or do I go to the downloads page? (they seem to be different
OliverScott wrote:
Is [running two instances of clamd] the following easy to do?
I think it's pretty easy. Exactly how you do it depends on the
platform/distribution you use. Here's what I did in FreeBSD:
I copied the init script (/usr/local/etc/rc.d/clamav-clamd.sh to
/usr/local/etc/rc.d
e has the official databases with phishing
>signatures (and some other stuff) turned on as well as the
>SaneSecurity*, MSRBL* and Malware* signatures. This instance is
>used by SpamAssassin for scoring mail.
--
View this message in context:
http://www.nabble.com/SaneSecurity-t
Craig Carriere wrote:
Perhaps more a clamav question, but does anyone use the additional
definitions for clam from SaneSecurity and are they helpful in the Spam
Wars?
We do, and I think they are. Currently I run two instances of
clamd in our mail gateway.
One instance has only the official
John Rudd wrote the following on 6/27/2007 10:27 AM -0800:
> Bret Miller wrote:
>>> Perhaps more a clamav question, but does anyone use the additional
>>> definitions for clam from SaneSecurity and are they helpful in the
>>> Spam Wars?
>>
>> You'r
I'm using it and I really like it. Very effective.
Craig Carriere schrieb:
Perhaps more a clamav question, but does anyone use the additional
definitions for clam from SaneSecurity and are they helpful in the Spam
Wars?
Thanks
very effective"
M. Häker
> Bret Miller wrote:
> >> Perhaps more a clamav question, but does anyone use the additional
> >> definitions for clam from SaneSecurity and are they helpful
> >> in the Spam Wars?
> >
> > You're in luck! I just installed them yesterday. Had been
>
> -Original Message-
> From: John Rudd [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 27, 2007 1:27 PM
> To: Bret Miller
> Cc: users@spamassassin.apache.org
> Subject: Re: SaneSecurity
>
> Bret Miller wrote:
> >> Perhaps more a clamav
Bret Miller wrote:
Perhaps more a clamav question, but does anyone use the additional
definitions for clam from SaneSecurity and are they helpful
in the Spam Wars?
You're in luck! I just installed them yesterday. Had been meaning to for
a while, but things have been too busy to get the s
> Perhaps more a clamav question, but does anyone use the additional
> definitions for clam from SaneSecurity and are they helpful
> in the Spam Wars?
You're in luck! I just installed them yesterday. Had been meaning to for
a while, but things have been too busy to get the scr
Perhaps more a clamav question, but does anyone use the additional
definitions for clam from SaneSecurity and are they helpful in the Spam
Wars?
Thanks
66 matches