Re: Uptick in spam

2015-04-05 Thread Bill Cole
On 1 Apr 2015, at 17:26, Amir Caspi wrote: On Apr 1, 2015, at 3:03 PM, Kevin Miller wrote: You can reject on RDNS (or lack thereof) in sendmail depending on the version. Search for "require_rdns". Thanks, I'll look into it. Sadly I don't think I have time to manually whitelist misconfig

Re: Uptick in spam

2015-04-01 Thread Amir Caspi
On Apr 1, 2015, at 3:03 PM, Kevin Miller wrote: > You can reject on RDNS (or lack thereof) in sendmail depending on the > version. Search for "require_rdns". Thanks, I'll look into it. Sadly I don't think I have time to manually whitelist misconfigured servers, since I suspect there are not

Re: Uptick in spam

2015-04-01 Thread Axb
On 04/01/2015 10:45 PM, Amir Caspi wrote: Certainly it would be interesting to add such capability to SA (to add points for known spammy DNS providers and/or registrars), though I imagine that could be a recipe for FPs in some cases. Then again, we did it for .pw URIs, so... You can do it run

RE: Uptick in spam

2015-04-01 Thread Kevin Miller
> -Original Message- > Ah, I see... you killed them at the firewall itself, before they even > got to sendmail. I was wondering how blocking the name servers > themselves would help, since (at least in my configuration) sendmail > doesn't reject just due to bad rDNS (not sure if that's eve

Re: Uptick in spam

2015-04-01 Thread Amir Caspi
On Apr 1, 2015, at 2:26 PM, Kevin Miller wrote: > I blocked the RRPPROXY.NET name servers at the firewall. [...] After I did > that, almost instantly the spam dropped dramatically. [...] > There was some discussion in this group about blocking on DNS providers about > a month or so ago, spawned

RE: Uptick in spam

2015-04-01 Thread Kevin Miller
I'm a bit late to the party (was on vacation) but your woes sounded awfully familiar. I was getting slammed by spam a couple months ago. The domains changed daily, but the one consistent thing was they were all served by RRPPROXY.NET. I blocked the RRPPROXY.NET name servers at the firewall.

Re: Uptick in spam

2015-03-30 Thread Amir Caspi
On Mar 30, 2015, at 9:49 AM, Kris Deugau wrote: > Seconded; this is exactly what we've been finding. Invaluement is a > great complement to Spamhaus for a fraction of the cost. Definitely something to add to my "nice to have" list for the future. Sadly, as I mentioned earlier, a paid subscri

Re: Uptick in spam

2015-03-30 Thread Rob McEwen
On 3/30/2015 1:19 PM, Kris Deugau wrote: The cases I can recall are more along the lines of "grey-hat ESPs who pick up a spammer client for a while", Kris, The next time you run across this and think it might be causing a little too much collateral damage (in spite of the spamming), let me kn

Re: Uptick in spam

2015-03-30 Thread Kris Deugau
Rob McEwen wrote: > On 3/30/2015 11:49 AM, Kris Deugau wrote: >> Seconded; this is exactly what we've been finding. Invaluement is a >> great complement to Spamhaus for a fraction of the cost. >> >> I wouldn't put it as a front-line reject DNSBL, because some of the >> things that have been liste

Re: Uptick in spam

2015-03-30 Thread Rob McEwen
On 3/30/2015 11:49 AM, Kris Deugau wrote: Seconded; this is exactly what we've been finding. Invaluement is a great complement to Spamhaus for a fraction of the cost. I wouldn't put it as a front-line reject DNSBL, because some of the things that have been listed are not what I would class, fo

Re: Uptick in spam

2015-03-30 Thread Kris Deugau
David Jones wrote: > The invaluement RBL is not expensive either and it is awesome. We pay > thousands per year for > a Spamhaus feed because of our volume and mailboxes. The invaluement RBL is > only hundreds > per year and it's almost as good as Spamhaus Zen. Seconded; this is exactly what

Re: Uptick in spam

2015-03-28 Thread Reindl Harald
On 28.03.2015 at 13:01, David Jones wrote: From: Reindl Harald Sent: Saturday, March 28, 2015 6:13 AM To: users@spamassassin.apache.org Subject: Re: Uptick in spam On 28.03.2015 at 12:04, David Jones wrote: I know that but I choose to use the "traditional" method in t

Re: Uptick in spam

2015-03-28 Thread Axb
On 03/28/2015 06:47 AM, Rob McEwen wrote: On 3/27/2015 10:13 PM, David Jones wrote: The invaluement RBL is not expensive either and it is awesome. We pay thousands per year for a Spamhaus feed because of our volume and mailboxes. The invaluement RBL is only hundreds per year and it's almost as

Re: Uptick in spam

2015-03-28 Thread David Jones
>From: Reindl Harald >Sent: Saturday, March 28, 2015 6:13 AM >To: users@spamassassin.apache.org >Subject: Re: Uptick in spam >On 28.03.2015 at 12:04, David Jones wrote: >> I know that but I choose to use the "traditional" method in the Postfix >> smtpd_re

Re: Uptick in spam

2015-03-28 Thread Reindl Harald
On 28.03.2015 at 12:04, David Jones wrote: I know that but I choose to use the "traditional" method in the Postfix smtpd_recipient_restrictions so I can specify the order. I have such a high volume of mail for more than 100,000 mailboxes, I want to check in a specific order using my local rbld

Re: Uptick in spam

2015-03-28 Thread David Jones
>From: Rob McEwen >Sent: Saturday, March 28, 2015 12:47 AM >To: users@spamassassin.apache.org >Subject: Re: Uptick in spam >On 3/27/2015 10:13 PM, David Jones wrote: >> The invaluement RBL is not expensive either and it is awesome. We pay >> thousands per year for

Re: Uptick in spam

2015-03-28 Thread David Jones
>From: Benny Pedersen >Sent: Friday, March 27, 2015 10:48 PM >To: users@spamassassin.apache.org >Subject: Re: Uptick in spam >David Jones wrote on 2015-03-28 03:13: >> I have Spamhaus in >> front of invaluement in >> my postfix configuration but I may try fli

Re: Uptick in spam

2015-03-27 Thread Rob McEwen
On 3/27/2015 10:13 PM, David Jones wrote: The invaluement RBL is not expensive either and it is awesome. We pay thousands per year for a Spamhaus feed because of our volume and mailboxes. The invaluement RBL is only hundreds per year and it's almost as good as Spamhaus Zen. I have Spamhaus i

Re: Uptick in spam

2015-03-27 Thread Dave Pooser
>You also may want to look at the Invaluement IP/URI lists. >(Invaluement.com). Detection rate is real good and FP level is >extraordinary. +1. Very happy with invaluement at $DAYJOB. -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com

Re: Uptick in spam

2015-03-27 Thread Benny Pedersen
David Jones wrote on 2015-03-28 03:13: I have Spamhaus in front of invaluement in my postfix configuration but I may try flipping the order just to see if it will start blocking more than Spamhaus. with postfix postscreen one can test all ips on all rbls in the same single smtpd client check, s

Re: Uptick in spam

2015-03-27 Thread Richard Doyle
On 03/27/2015 03:44 PM, Amir Caspi wrote: > On Mar 27, 2015, at 3:34 PM, Richard Doyle > wrote: > >> All of these were "From:" domains created today. > Shouldn't they have been picked up by DOB? Or do I need to manually enable > some DOB plugin in SA? (If so, please let me know how...) When I

Re: Uptick in spam

2015-03-27 Thread David Jones
>From: Amir Caspi >Sent: Friday, March 27, 2015 7:30 PM >To: RW >Cc: users@spamassassin.apache.org >Subject: Re: Uptick in spam >On Mar 27, 2015, at 6:19 PM, RW wrote: >> There are deep checks for SBL (via zen) and SPAMCOP. XBL/PBL are >> last-external only >

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 6:19 PM, RW wrote: > There are deep checks for SBL (via zen) and SPAMCOP. XBL/PBL are > last-external only Interesting. I wonder why I see those XBL/PBL hits, then. Maybe Zen timed out on those queries from sendmail... or something. Either way I guess this means I shoul

Re: Uptick in spam

2015-03-27 Thread Axb
On 03/28/2015 12:40 AM, Amir Caspi wrote: On Mar 27, 2015, at 5:12 PM, Axb wrote: DOB isn't realtime/zero hour. That kind of defeats the point, doesn't it? I mean, if you wait too long, it's no longer DOB, it's "few-DOB"... I would have imagined that a DOB server would operate in a caching m

Re: Uptick in spam

2015-03-27 Thread RW
On Fri, 27 Mar 2015 17:40:58 -0600 Amir Caspi wrote: > On Mar 27, 2015, at 5:12 PM, Axb wrote: > > > DOB isn't realtime/zero hour. > > That kind of defeats the point, doesn't it? I mean, if you wait too > long, it's no longer DOB, it's "few-DOB"... I think it's 5 days, and the "day-old" bit is

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 5:12 PM, Axb wrote: > DOB isn't realtime/zero hour. That kind of defeats the point, doesn't it? I mean, if you wait too long, it's no longer DOB, it's "few-DOB"... I would have imagined that a DOB server would operate in a caching mode where the first query on a domain woul

Re: Uptick in spam

2015-03-27 Thread Axb
On 03/27/2015 11:44 PM, Amir Caspi wrote: On Mar 27, 2015, at 3:34 PM, Richard Doyle wrote: All of these were "From:" domains created today. Shouldn't they have been picked up by DOB? Or do I need to manually enable some DOB plugin in SA? (If so, please let me know how...) When I ran the th

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 3:34 PM, Richard Doyle wrote: > All of these were "From:" domains created today. Shouldn't they have been picked up by DOB? Or do I need to manually enable some DOB plugin in SA? (If so, please let me know how...) When I ran the third spample manually a few hours ago, I s

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 2:09 PM, Axb wrote: > As an AV product I'd recommend Sophos AND ESETS/Nod32. I'll look into Sophos, I'm not entirely sure if I can deploy it on my system or not. We have to use RPMs that can be distributed to the virtual hosts, etc... I'll definitely look into it. Haven't

Re: Uptick in spam

2015-03-27 Thread Richard Doyle
On 03/27/2015 11:51 AM, Amir Caspi wrote: > On Mar 27, 2015, at 12:20 PM, Axb wrote: > >> - Please post missed spam samples in pastebin.com - do not post samples to >> mailing lists > Of course, I would never post it to the list. I will put up a few in > pastebin but there are so many of them,

Re: Uptick in spam

2015-03-27 Thread John Hardin
On Fri, 27 Mar 2015, Amir Caspi wrote: On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas wrote: I see no network checks here... do you use network checks? On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail wrote: Are you using network tests? These are scoring pretty high for me. I presu

Re: Uptick in spam

2015-03-27 Thread John Hardin
On Fri, 27 Mar 2015, Amir Caspi wrote: On Mar 27, 2015, at 1:38 PM, sha...@shanew.net wrote: Apologies if this is an overly obvious answer, but are you using any greylisting? This would (potentially) move your user away from the "wavefront" of a spam's distribution, and give it a better chanc

Re: Uptick in spam

2015-03-27 Thread Axb
On 03/27/2015 08:45 PM, Amir Caspi wrote: On Mar 27, 2015, at 1:33 PM, Axb wrote: Are you using MailScanner? if yes then it's you munging URIs so they're breaking lookups on any hash type as in Yes, I am using MailScanner. Some URIs are munged, others are not. For example, you can see in that

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 1:38 PM, sha...@shanew.net wrote: > Apologies if this is an overly obvious answer, but are you using any > greylisting? This would (potentially) move your user away from the > "wavefront" of a spam's distribution, and give it a better chance of > triggering the network-based t

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 1:33 PM, Axb wrote: > Are you using MailScanner? if yes then it's you munging URIs so they're breaking > lookups on any hash type as in Yes, I am using MailScanner. Some URIs are munged, others are not. For example, you can see in that very pastebin you noted that there are

Re: Uptick in spam

2015-03-27 Thread shanew
Apologies if this is an overly obvious answer, but are you using any greylisting? This would (potentially) move your user away from the "wavefront" of a spam's distribution, and give it a better chance of triggering the network-based tests. On Fri, 27 Mar 2015, Amir Caspi wrote: This is my whol

Re: Uptick in spam

2015-03-27 Thread Axb
On 03/27/2015 08:20 PM, Amir Caspi wrote: On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas wrote: I see no network checks here... do you use network checks? On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail wrote: Are you using network tests? These are scoring pretty high for me. I pre

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 1:20 PM, Axb wrote: > These three samples are very different in the sense that #1 is a hacked > site, #2 & #3 are the regular snowshoe. Of course, I picked three different samples on purpose. But, I have hundreds that replicate these. > What I miss in your sample's SA repo

Re: Uptick in spam

2015-03-27 Thread Axb
On 03/27/2015 07:51 PM, Amir Caspi wrote: Here are a few spamples: http://pastebin.com/3nSLurGv (this scored BAYES_99 but would still have been FN with BAYES_999) http://pastebin.com/LaKT5ZZK (I have a rule template for these URIs but recent spams have modified them to cause high risk of FPs

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 12:56 PM, Matus UHLAR - fantomas wrote: > I see no network checks here... do you use network checks? On Mar 27, 2015, at 1:11 PM, Kevin A. McGrail wrote: > Are you using network tests? These are scoring pretty high for me. I presume you're talking about things like Razor,

Re: Uptick in spam

2015-03-27 Thread Kevin A. McGrail
On 3/27/2015 2:51 PM, Amir Caspi wrote: On Mar 27, 2015, at 12:20 PM, Axb wrote: - Please post missed spam samples in pastebin.com - do not post samples to mailing lists Of course, I would never post it to the list. I will put up a few in pastebin but there are so many of them, and there a

Re: Uptick in spam

2015-03-27 Thread Matus UHLAR - fantomas
On 27.03.15 12:51, Amir Caspi wrote: Here are a few spamples: http://pastebin.com/3nSLurGv (this scored BAYES_99 but would still have been FN with BAYES_999) http://pastebin.com/LaKT5ZZK (I have a rule template for these URIs but recent spams have modified them to cause high risk of FPs for s

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 12:22 PM, Reindl Harald wrote: > we have currently 577 different subjects and subject-parts scored, i don't > want to publish them because i'd like the spammers not to change to new ones > :-) Sadly, that doesn't help me. I don't have time to compile hundreds of subject r

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Mar 27, 2015, at 12:20 PM, Axb wrote: > - Please post missed spam samples in pastebin.com - do not post samples to > mailing lists Of course, I would never post it to the list. I will put up a few in pastebin but there are so many of them, and there are a few different templates in use, s

Re: Uptick in spam

2015-03-27 Thread RW
On Fri, 27 Mar 2015 12:13:30 -0600 Amir Caspi wrote: > On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail > wrote: > > > I'm happy to look at a recent sample and throw it through my system > > to see what it hits but overall, I've been seeing the exact > > opposite. > > So, one of my users has been

Re: Uptick in spam

2015-03-27 Thread Reindl Harald
On 27.03.2015 at 19:13, Amir Caspi wrote: On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail wrote: I'm happy to look at a recent sample and throw it through my system to see what it hits but overall, I've been seeing the exact opposite. So, one of my users has been getting dozens (sometimes

Re: Uptick in spam

2015-03-27 Thread Axb
On 03/27/2015 07:13 PM, Amir Caspi wrote: On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail wrote: I'm happy to look at a recent sample and throw it through my system to see what it hits but overall, I've been seeing the exact opposite. So, one of my users has been getting dozens (sometimes nea

Re: Uptick in spam

2015-03-27 Thread Amir Caspi
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail wrote: > I'm happy to look at a recent sample and throw it through my system to see > what it hits but overall, I've been seeing the exact opposite. So, one of my users has been getting dozens (sometimes nearly 100) FNs per DAY over the last few w

Re: Uptick in spam (bayes stats script)

2015-02-22 Thread Reindl Harald
On 22.02.2015 at 15:30, @lbutlr wrote: On 21 Feb 2015, at 08:34 , LuKreme wrote: On Feb 18, 2015, at 6:20 AM, Reindl Harald wrote: That is a lot cleaner and more obvious, thank you for sharing I ran this just after log rotation and got div by zero errors, so here is a (nearly) compl

Re: Uptick in spam (bayes stats script)

2015-02-22 Thread @lbutlr
On 21 Feb 2015, at 08:34 , LuKreme wrote: > On Feb 18, 2015, at 6:20 AM, Reindl Harald wrote: >> >> > > That is a lot cleaner and more obvious, thank you for sharing I ran this just after log rotation and got div by zero errors, so here is a (nearly) completely pointless ‘fix’: BAYES_TOTAL=

Re: Uptick in spam (bayes stats script)

2015-02-21 Thread LuKreme
On Feb 18, 2015, at 6:20 AM, Reindl Harald wrote: > > That is a lot cleaner and more obvious, thank you for sharing -- Once again I teeter at the precipice of the generation gap.

Re: Uptick in spam (bayes stats script)

2015-02-18 Thread Reindl Harald
On 17.02.2015 at 15:23, Reindl Harald wrote: On 17.02.2015 at 15:19, LuKreme wrote: On 16 Feb 2015, at 12:01 , Reindl Harald wrote: given that 24266 messages had BAYES_00 with a total number of 30401 delivered mails in the current month that training strategy seems to work well [root@mail-

Re: Uptick in spam

2015-02-17 Thread Reindl Harald
On 17.02.2015 at 15:19, LuKreme wrote: On 16 Feb 2015, at 12:01 , Reindl Harald wrote: given that 24266 messages had BAYES_00 with a total number of 30401 delivered mails in the current month that training strategy seems to work well [root@mail-gw:~]$ bayes-stats.sh What is bayes-stats.s

Re: Uptick in spam

2015-02-17 Thread LuKreme
On 16 Feb 2015, at 12:01 , Reindl Harald wrote: > given that 24266 messages had BAYES_00 with a total number of 30401 delivered > mails in the current month that training strategy seems to work well > > [root@mail-gw:~]$ bayes-stats.sh What is bayes-stats.sh? -- I have a cunning plan.

Re: Uptick in spam

2015-02-16 Thread Reindl Harald
On 16.02.2015 at 21:10, Amir Caspi wrote: On Feb 16, 2015, at 1:01 PM, RW wrote: IIWY I'd look into rescoring the BAYES_* rules. I was already rescoring them as BAYES_99 = 4.0, BAYES_999 = 0.5 ... so a total score of 4.5 if both rules hit. These FNs typically get scores of 4.6, so the o

Re: Uptick in spam

2015-02-16 Thread Amir Caspi
On Feb 16, 2015, at 1:01 PM, RW wrote: > IIWY I'd look into rescoring the BAYES_* rules. I was already rescoring them as BAYES_99 = 4.0, BAYES_999 = 0.5 ... so a total score of 4.5 if both rules hit. These FNs typically get scores of 4.6, so the other rules are simply not good enough. Since

Re: Uptick in spam

2015-02-16 Thread RW
On Mon, 16 Feb 2015 12:47:03 -0700 Amir Caspi wrote: > Otherwise, I don't really know... it's clearly not a Bayes issue > since it's hitting Bayes 99/999, it's just that there aren't enough > other rules being hit to go over the 5.0 threshold. > IIWY I'd look into rescoring the BAYES_* rules.

Re: Uptick in spam

2015-02-16 Thread Amir Caspi
On Feb 16, 2015, at 11:47 AM, Kevin A. McGrail wrote: > I'm happy to look at a recent sample and throw it through my system to see > what it hits but overall, I've been seeing the exact opposite. Hmmm. Well, like I said, maybe we're just first on the list and are getting all the spam before i

Re: Uptick in spam

2015-02-16 Thread John Hardin
On Mon, 16 Feb 2015, Amir Caspi wrote: (BTW, I am happy to contribute my spam corpus of well over 7000 messages... right now I can't dedicate CPU time to running masscheck, but I can contribute the messages.) It's possible to upload your corpora and have the central system check it. See the

Re: Uptick in spam

2015-02-16 Thread Reindl Harald
On 16.02.2015 at 19:33, Amir Caspi wrote: Over the last week I've seen a significant uptick in FN spam to my users. We're getting tens of FNs per day per user, whereas a few weeks ago it was just a few FNs per day per user. We're getting BAYES_99/999 on many of these, but no other major mar

Re: Uptick in spam

2015-02-16 Thread Kevin A. McGrail
On 2/16/2015 1:33 PM, Amir Caspi wrote: Over the last week I've seen a significant uptick in FN spam to my users. We're getting tens of FNs per day per user, whereas a few weeks ago it was just a few FNs per day per user. We're getting BAYES_99/999 on many of these, but no other major markers

Uptick in spam

2015-02-16 Thread Amir Caspi
Hi all, Over the last week I've seen a significant uptick in FN spam to my users. We're getting tens of FNs per day per user, whereas a few weeks ago it was just a few FNs per day per user. We're getting BAYES_99/999 on many of these, but no other major markers are hitting (razor, pyzor, dcc,