On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> > "MD" == McDonald, Dan writes:
>
> MD> They are using underscores, which are a [:punct:], but don't form
> MD> a \b break.
>
> >I'm becoming confused as to what they could poss
On Fri, 2009-07-10 at 14:08 +0100, David Lomax wrote:
David Lomax. Ummm. You would really think a guy working for Barracuda
Networks;
'The world wide leader in email security'
could figure out how to unsubscribe from a mailing list. Oh dear..
> New rules:
> body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
> body __MED_BEG_BOTH
> /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2
On Fri, 2009-07-10 at 16:48 -0700, fchan wrote:
> Don't tempt them, I already get enough spam not only from these guys.
> Also they will flood the network with smtp useless connections and
> unless you have good network attack mitigation system so you don't
> have a DDoS, don't tempt them
One of our client's websites gets hacked frequently - 1x per month -
usually with some kind of phishing scam.
I understand their first line of defense is to make sure security is
tight and systems are up to date, however, it seems to me that there
must be some scanning utility that would check
From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
>On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
>> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
>> > "MD" == McDonald, Dan writes:
>>
>> MD> They are using underscores, which are a [:punct:], but don't form
>> MD>
> One of our client's websites gets hacked frequently - 1x per month -
> usually with some kind of phishing scam.
>
> I understand their first line of defense is to make sure security is
> tight and systems are up to date, however, it seems to me that there
> must be some scanning utility that wou
On Sat, 2009-07-11 at 07:14 -0500, McDonald, Dan wrote:
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
> >On Fri, 2009-07-10 at 22:46 -0500, McDonald, Dan wrote:
> >> >From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
> >> > "MD" == McDonald, Dan writes:
> >>
> >> MD> They
schmero...@gmail.com wrote:
>> One of our client's websites gets hacked frequently - 1x per month -
>> usually with some kind of phishing scam.
>>
>> I understand their first line of defense is to make sure security is
>> tight and systems are up to date, however, it seems to me that there
>> must
schmero...@gmail.com wrote:
>>> So, if our client was google, the utility would search all files on the
>>> site looking for domains. If it found microsoft.com within one of the
>>> pages an email would be sent to the administrator who could delete the
>>> page and look for other evidence of being
At 05:06 11-07-2009, schmero...@gmail.com wrote:
One of our client's websites gets hacked frequently - 1x per month -
usually with some kind of phishing scam.
I understand their first line of defense is to make sure security is
tight and systems are up to date, however, it seems to me that the
You could take a look at ModSecurity if you are on Apache
(http://www.modsecurity.org/) to block the attacks that found the holes in
the first place, once you have fixed the current issue that is.
The standard ruleset is very good and can be relatively easily tweaked.
--
Regards
Barry
-O
On Sat, 2009-07-11 at 17:08 +0100, Barry Porter wrote:
> You could take a look at ModSecurity if you are on Apache(
> http://www.modsecurity.org/ ) to block the attacks that found the holes in
> the first place, once you have fixed the current issue that is.
>
> The standard ruleset is very good a
MrGibbage wrote:
> When I test SA, I log into a bash shell. I set my environment
> variables in .bash_profile (loading changes with the 'source'
> command).
Login bash shells source the .bash_profile. But scripts and system
daemons such as spamd do not. So you are right that there is
potential
> "MD" == McDonald, Dan writes:
MD> The rules I posted last night catch those. They switched from
MD> underscores to commas this morning, and my rules still catch them.
FYI, they're also using plus signs, which also seem to be caught
properly by your rules. I think we're good until they sw
From: Jason L Tibbitts III [mailto:ti...@math.uh.edu]
>> "MD" == McDonald, Dan writes:
>
>MD> The rules I posted last night catch those. They switched from
>MD> underscores to commas this morning, and my rules still catch them.
>I still wonder, though, if we shouldn't be turning these back into
>hos
I have been trying to install Razor2 for two days now. I am on a Dreamhost
VPS, but I don't have root access, so my perl modules go in ~/share/perl. I
have that in my PERL5LIB environment variable. And yet, when I receive an
email, I get the following types of messages in my logs:
[20377] dbg:
I am using Spamassassin 3.2.4-1ubuntu1.1. Spamassassin is used by my Exim
server with spamd.
The problem I have is that sometimes I get RBL hits even though the sender
is using a valid smarthost.
Example:
Received: from fmmailgate04.web.de ([217.72.192.242])
by myMailServer with esmtp (
>
> I am using Spamassassin 3.2.4-1ubuntu1.1. Spamassassin is used by my Exim
> server with spamd.
>
> The problem I have is that sometimes I get RBL hits even though the
> sender
> is using a valid smarthost.
> Example:
> Received: from fmmailgate04.web.de ([217.72.192.242])
> by myMailServ
Thx for the quick reply.
No, I hardly changed the Ubuntu config at all and just to make sure I
scanned all my spamassassin config files and there was no trusted_network
setup.
Now I tested the same message on the console with spamassassin -D
message.txt
It gave me the same hit (RCVD_IN_NJABL_PR
On Sat, 11 Jul 2009 12:52:56 -0700 (PDT)
dmy wrote:
>
> As far as I understand SpamAssassin is supposed to just check the ip
> that directly delivered the email to my server but not the IP the
> email is originally from (as that wouldn't make any sense as almost
> everyone is using dyn ips...).
So is there a way to configure that ALL DNS tests just use the last external
ip address (or at least NOT the first one?). Because to me it doesn't make
any sense to test the ip people use to deliver messages to their smarthost
and it produces quite a few false positives on my system...
RW-15 wro
>
> So is there a way to configure that ALL DNS tests just use the last
> external
> ip address (or at least NOT the first one?). Because to me it doesn't make
> any sense to test the ip people use to deliver messages to their smarthost
> and it produces quite a few false positives on my system...
Never mind. I'll just use report_safe 0.
On Sat, July 11, 2009 14:06, schmero...@gmail.com wrote:
> Any ideas where to look for such a beast &/or a mailing list that deals
> with this type of issue?
pages and url that have webserver writable dirs is always a risk, remove this
possible to do this solves the problem
else make use of ke
On Sun, 12 Jul 2009 00:46:34 +0300 (EEST)
"Jari Fredriksson" wrote:
> >
> > So is there a way to configure that ALL DNS tests just use the last
> > external
> > ip address (or at least NOT the first one?). Because to me it
> > doesn't make any sense to test the ip people use to deliver
> > messag
On Sat, 2009-07-11 at 12:52 -0700, an anonymous Nabble user wrote:
> The problem I have is that sometimes I get RBL hits even though the sender
> is using a valid smarthost.
Some DNSBLs are *meant* to do deep parsing. PBL style ones are not, and
only check the last external, submitting hop. Exac
On Sat, 2009-07-11 at 12:52 -0700, an anonymous Nabble user wrote:
> I am using Spamassassin 3.2.4-1ubuntu1.1. Spamassassin is used by my Exim
> server with spamd.
> X-Spam-Score: -0.4 (/)
> X-Spam-Report: Spam report:
> If you have any questions, see postmas...@dwsa.de for details.
>
From: dmy
Date: Sat, 11 Jul 2009 14:27:34 -0700 (PDT)
So is there a way to configure that ALL DNS tests just use the last external
ip address (or at least NOT the first one?). Because to me it doesn't make
any sense to test the ip people use to deliver messages to their smarthos
I'd establish a
http://people.apache.org/~jm/devel/README.txt
warning people which one of
http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.3.0-alpha1.tar.bz2
http://people.apache.org/~jm/devel/Mail-SpamAssassin-3.3.0.tar.bz2
they really want. I guessed the former.
Karsten Bräckelmann-2 wrote:
>
> On Sat, 2009-07-11 at 12:52 -0700, an anonymous Nabble user wrote:
>> The problem I have is that sometimes I get RBL hits even though the
>> sender
>> is using a valid smarthost.
>
> Some DNSBLs are *meant* to do deep parsing. PBL style ones are not, and
> on
On Sat, 2009-07-11 at 14:27 -0700, dmy wrote:
> So is there a way to configure that ALL DNS tests just use the last external
> ip address (or at least NOT the first one?). Because to me it doesn't make
> any sense to test the ip people use to deliver messages to their smarthost
> and it produces qu