Re: 419 for school???

2004-10-01 Thread David B Funk
On Fri, 1 Oct 2004, Chris Santerre wrote: > I don't get his one at all!!! WTH??? > > I'm CC'ing to SURBL because look at the MX for this domain! > > uniprepacademy.com dns_mx: > neti-outblaze-com.mr.outblaze.com > neti-outblaze-com-bk.mr.outblaze.com > > I know it didn't come from that domain,

Re: SA 3.0 is eating up all my memory!!!

2004-10-05 Thread David B Funk
On Tue, 5 Oct 2004, Jon Trulson wrote: On Mon, 4 Oct 2004, Luis Hernan Otegui wrote: > Well, a weekend update: > Nothing has changed here. I removed EVERYTHING (except for local.cf) > from /etc/mail/spamassassin, and still it chews as much memory as it > could get. I limited the number of childs to

Re: Oh the temptation......

2004-10-16 Thread David B Funk
On Fri, 15 Oct 2004, Roger Taranto wrote: > On Sun, 2004-10-10 at 20:04, jdow wrote: > > > Well, a new variant of 419 has hit my mailbox. Someone named Allan Hofer > > died in Nigeria. And he left a big estate. The "barrister" wants to take > > 70%, reserve 5% for expenses, and give me 25%. I am S

Re: BUG: miltrassassin and parsing Received: header

2004-10-21 Thread David B Funk
On Thu, 21 Oct 2004, Wolfgang Friebel wrote: > Hi, > > I observed with miltrassassin (Revision: 1.14 Date: 2003/05/28 18:43:47) > from check_local.5.6.tar.gz formerly available at > http://www.digitalanswers.org/check_local/check_local.5.6.tar.gz > the following bug: > > Miltrassassin generates a

RE: Memory issues have forced me back to 2.64

2004-11-04 Thread David B Funk
On Thu, 4 Nov 2004, Kang, Joseph S. wrote: > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: Thursday, November 04, 2004 1:10 PM > > To: Oban Lambie > > Cc: users@spamassassin.apache.org > > Subject: Re: Memory issues have forced me back to 2.64 > > > >

RE: spamassassin and web based mail !

2004-11-14 Thread David B Funk
On Sat, 13 Nov 2004, Peter P. Benac wrote: > You could stand over their shoulders? > > I really doubt that any real spammer will use a cybercafé to send spam. > These idiots use software that generate messages and send them thru any open > relay they can find. Just because the reply to address sa

Re: How can I catch these messages?

2004-11-20 Thread David B Funk
On Fri, 19 Nov 2004, Rob Blomquist wrote: > I run Kmail with SA 3.0.1, and I filter by piping incoming mail to spamc. > > I am currently using SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ_ENG SARE_HTML1 > SARE_HTML2 SARE_HEADER1 SARE_HEADER2 SARE_HTML_ENG SARE_BML SARE_FRAUD > SARE_SPOOF SARE_UNSUB SARE_R

Re: ALL_TRUSTED problems

2004-11-24 Thread David B Funk
On Wed, 24 Nov 2004, Justin Mason wrote: > Kevin Sullivan writes: [snip.] > > But I still get *lots* of mail incorrectly triggering ALL_TRUSTED. I'm > > running spamassassin from a milter. It looks like the milter runs before > > sendmail adds its own Received: line, so much mail comes in with n

RE: sa-learn ham

2004-11-25 Thread David B Funk
On Wed, 24 Nov 2004, Gustafson, Tim wrote: > How do you keep your ntokens so low? > > Mine averages ((nspam + nham) * 10). Yours is basically (nspam + nham). > Do you run some job that expires tokens or something? I'm running > sa-learn --force-expire once a day (and it takes about 2-3 minutes t

Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???

2004-12-07 Thread David B Funk
On Tue, 7 Dec 2004, Thomas Cameron wrote: > I do not understand why this is tagged ALL_TRUSTED! > > Here is my local.cf: > ### [snip..] > > clear_trusted_networks > trusted_networks 24.173.79.19/32 > ### > > As

Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???

2004-12-07 Thread David B Funk
On Tue, 7 Dec 2004, Thomas Cameron wrote: > Hrm - that makes a lot of sense. I am using spamass-milter (the latest > from CVS as of about a week ago). > > I actually have the following at the bottom of my sendmail.mc: > > INPUT_MAIL_FILTER > (`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=,T

RE: need a rule to whitelist spamassassin users group

2004-12-15 Thread David B Funk
On Tue, 14 Dec 2004, Andy Norris wrote: > > In that case, this leads to another question -- how, then, to reliably > whitelist eBay? I would imagine they are a big target of forgers? I tried > > def_whitelist_from_rcvd [EMAIL PROTECTED] ebay.com > > but that didn't work. Now I just have > > whit

RE: need a rule to whitelist spamassassin users group

2004-12-15 Thread David B Funk
On Tue, 14 Dec 2004, Evan Platt wrote: > Andy Norris said: > > > Or if a company uses more than one mail server... getting all the IPs? Is > > this just something I should email support at eBay for and see if they've > > got something of a canned response for this? > > You're kidding right? First,

Re: need a rule to whitelist spamassassin users group

2004-12-15 Thread David B Funk
On Tue, 14 Dec 2004, jdow wrote: > Of course, for the spamassassin lists I found something like what I did > in procmail is best: > > ---9<--- > :0 fw: spamassassin.lock > * < 25 > * !^List-Id: .*(spamassassin\.apache\.org) > | /usr/bin/spamc -t 150 > ---9<--- > > {^_^} Ahh, I see. OK spammer

Re: spamd vs spamass-milter

2004-12-15 Thread David B Funk
On Wed, 15 Dec 2004 [EMAIL PROTECTED] wrote: > currently i'm using procmailrc to start spamd since i have > a couple users who don't want their mails checked by SA, now > i'm looking into spamass-milter. > > Is there an option within the milter api to exclude certain users from SA > or is there anot

Re: consensus on SPF

2004-12-15 Thread David B Funk
On Wed, 15 Dec 2004, Christopher X. Candreva wrote: > On Tue, 14 Dec 2004, jdow wrote: > > > > Why not configure your MTA to relay mail ONLY on encrypted authenticated > > > sessions, and deliver locally (after some anti-spam checks) on plain > > > sessions, all this done at port 25? [snip..] > Ac

Re: whitelist_to parametr question

2004-12-22 Thread David B Funk
On Tue, 21 Dec 2004, Matt Kettler wrote: [snip..] > However, beware... SA cannot always determine who the recipient of a > message is. It does not get a copy of the envelope, thus it must try to > decipher the recipient from the headers alone. If the message is Bcc'ed and > your MTA doesn't insert

RE: Any way to block really bad SPAMs?

2005-01-03 Thread David B Funk
On Mon, 3 Jan 2005, Gustafson, Tim wrote: > Thanks for all the help everyone. I guess the real question for me is > "how do I make spamass-milter block e-mails of a certain score", because > that's how I integrate SpamAssassin into Sendmail. > > Thanks again! > > Tim Gustafson Add the "-r 15" fl

RE: Any way to block really bad SPAMs?

2005-01-03 Thread David B Funk
On Mon, 3 Jan 2005, Gustafson, Tim wrote: > David, > > I found that option and tried it, but here's what I get now when I run > spamass-milter: > > Jan 3 22:16:09 maze spamass-milter[56478]: Could not extract score from > J_CHICKENPOX_41,SARE_URI_PILLS autolearn=no version=2.64> > > Any ideas?

Spammer Anti-SURBL tactic

2005-02-22 Thread David B Funk
I'm seeing a new spam variant that is clearly designed to get past SURBL. It is an HTML message that contains many (50~100) 'invisible' links; links that have no target text, just: http://garbage.sitename.tld";> The intention is clear, they want to fill up the 20 'slots' of the spamcop_uri_limit w

Re: Spammed to death

2005-02-22 Thread David B Funk
On Tue, 22 Feb 2005, Nate wrote: > Hello, > > I'm using spamassassin 2.64 on Debian Woody. > > My clients emails are getting clobbered by "Pharma" spam. The messages seem > to be using different encoding on words like Viagra, Cialis and sa is not > picking them up. [snip..] > Here is the typical

Re: SA 3.01 eventually stops noticing DNSBLs

2005-02-23 Thread David B Funk
On Tue, 22 Feb 2005, Andy Jezierski wrote: > Kelson <[EMAIL PROTECTED]> wrote on 02/22/2005 11:30:46 AM: > > > Jay Levitt wrote: > > > I have SA 3.01 running under mimedefang 2.43 with sendmail 8.13.1. At > > > some point, SA seems to stop doing lookups on the DNSBLs; spam gets > > > through that

Re: Millions and Billions

2005-02-24 Thread David B Funk
On Thu, 24 Feb 2005, Stuart Johnston wrote: > [EMAIL PROTECTED] wrote: [snip..] > > > > How about (slightly easier to read) > > body L_MILLBILL /[mb]i[l|][l|]ions?/i > > or even > > body L_MILLBILL /[mb]i[l|]{2}ions?/i > > I started with something similar to that but it will also match millions >

Re: FPs on MSGID_FROM_MTA_ID

2005-03-01 Thread David B Funk
On Tue, 1 Mar 2005, Stuart Johnston wrote: > Eric A. Hall wrote: > > It appears to be doing the right thing. The message originated off-net, > > but the Message-ID was added locally, which is pretty good spam-sign. > > Frankly I wish it worked here, because I've had to create my own rule to > > hi

Re: Greylisting

2005-03-02 Thread David B Funk
On Wed, 2 Mar 2005, Matt wrote: > Hi, > Is there any kind of plugin or patch for spamassassin that will allow > me to selectively turn on GREYLISTing for certain user accounts? > > When I say greylist I mean: All e-mail coming into them is bounced > with a temporary error the first time, and then

Re: Confused about HELO_DYNAMIC_*

2005-03-02 Thread David B Funk
On Wed, 2 Mar 2005, Justin Mason wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > > It's OK to have a dyn IP as the source, alright, as long as it > doesn't HELO using that hostname. That's what HELO_DYNAMIC_* > matches, as it's a very strong spam signature. > > > Received: from h00c

Re: Webmail and IP rules

2005-03-03 Thread David B Funk
On Wed, 2 Mar 2005, List Mail User wrote: > >... > >I think the problem is being caused by IMP being "too good" at > >generating a Received header that looks like a normal one added > >by an MTA. Good enough to fool SpamAssassin into thinking it's > >an SMTP one, anyway. ;) > > > >Could someone o

Re: Webmail and IP rules

2005-03-03 Thread David B Funk
Sigh, Paul, Do me a favor, go look at the SA code and see what "HELO_DYNAMIC_ATTBI" is all about. Note that it is looking at the 'X-Spam-Relays-Untrusted' meta-data thus SA already knows that client is untrusted, so it is NOT a trusted_networks issue at all. So hacking the trust settings will do N

Re: [SPAM-TAG] SURBL missing this spam

2005-03-05 Thread David B Funk
On Fri, 4 Mar 2005, Jeff Chan wrote: > On Friday, March 4, 2005, 5:12:28 PM, Theo Dinter wrote: > > On Fri, Mar 04, 2005 at 05:10:42PM -0800, Jeff Chan wrote: > >> The URI is a little unusual, with a missing port number after the > >> colon: > >> > >> http://crazyrxl0wprices-MUNGED.com:/ > >> >

Re: How to setup things. Novices with no or little mastery of computers.

2005-03-05 Thread David B Funk
On Sat, 5 Mar 2005, Bob Proulx wrote: > Don Saklad wrote: > > > Spamassassin instructional information around the web makes use of > > jargon and arcane references that make it a research project for > > people with no or little mastery just to get through the instructional > > information ! > > S

RE: Spamassassin Tagging

2005-03-07 Thread David B Funk
On Mon, 7 Mar 2005, Jon Dossey wrote: > > Sounds like a spamass-milter bug... have you checked their site: > > http://savannah.nongnu.org/bugs/?group=spamass-milt > > I don't think it's a milter problem, because the messages are being > tagged - the subject just isn't being rewritten if the score

New redirector: www.nate.com

2005-03-22 Thread David B Funk
Ugg, just ran across another open redirector abused in spam www.nate.com/r/XY12/target.domain where XY12 seems to be any combination of 4 letters and digits. Looks like some Korean ISP thingie. -- Dave Funk University of Iowa College of Engineering 319

Re: Phishing attempts getting through.

2005-03-22 Thread David B Funk
On Tue, 22 Mar 2005, Matt Kettler wrote: > Sunny Forro wrote: > > >Hello, > > I've got a problem. I've got a lot of phishing attacks making it > >through my mailscanner setup. I do have phishing fraud detection turned > >on, and I have not modified the phishing safe sites list. Most (if not > >a

Re: [SURBL-Discuss] Yet another redirector

2005-03-29 Thread David B Funk
One good redirector deserves Yet another. http://cz7.clickzs. com/tn.php?carefullyacross&kza%2eiB%72s%6fft.%63Om This one SURBL does not catch, except for the fact that 'clickzs. com' is listed in WS. ;) -- Dave Funk University of Iowa College of Engine

Re: Sudden spam to this email address

2005-03-29 Thread David B Funk
On Mon, 14 Mar 2005, Jeff Chan wrote: > Well when they can sell spams that don't advertise a web site > for the same price as those that do, let us know. Until > then SURBLs have them. > > Jeff C. OK, how about 419'ers or stock scammers? The child porn sites that use: http://beam.to/adultworld

Re: OT: Do spammers have a sense of humor?

2005-04-11 Thread David B Funk
On Sat, 9 Apr 2005, List Mail User wrote: > Obviously, you've never noticed contact emails at iamaspammer. com:) > > Paul Shupak > [EMAIL PROTECTED] > > P.S. "Manila Industries, Inc." of Thailand provides many domains for spam > support services. Yes, almost as good a trick as w

Re: OT?: If you need proof that spammers use the same resources as us...

2005-04-29 Thread David B Funk
On Thu, 28 Apr 2005, jdow wrote: > From: "Matt Kettler" <[EMAIL PROTECTED]> > > > Evan Platt wrote: > > > > > > > > Allow myself ... to introduce... myself. > > > > "Please allow me to introduce myself, I'm a man of wealth and taste..." > > But are you married? And if not would a hard core techie

Re: character set / encoding problem?

2005-04-30 Thread David B Funk
On Sat, 30 Apr 2005, Theo Van Dinter wrote: > On Sat, Apr 30, 2005 at 01:27:39PM +0200, wolfgang wrote: > > Again and again, we receive messages that contain stuff like > > http://advinc-ma=2enetfirms=2ecom/";> > > instead of > > http://advinc-ma.netfirms.com/";> > > > > I wonder if there is some

Re: SPF Whitelist implementation flaw?

2005-05-03 Thread David B Funk
On Tue, 3 May 2005 [EMAIL PROTECTED] wrote: > I'd love to implement SPF checks in SA rather than having to run two > milters on our sendmail, but there's a fundamental flaw in the > whitelisting for SPF. > > It looks like the whitelist applies to internet domains or email > addresses. Whitelistin

Re: Combining whitelist_from and to

2005-05-04 Thread David B Funk
On Tue, 3 May 2005, Loren Wilton wrote: > Use a meta: > > header __MY_FROM From =~ /from\.tld/ > header __MY_TO To =~ /someone\.somewhere/ > meta MY_FUNNY_WHITELIST __MY_FROM && __MY_TO > score MY_FUNNY_WHITELIST 10 > > Loren Um, for a whitelist shouldn't that be a -10 for the score? N

Re: More Messed Up www URLs

2005-05-06 Thread David B Funk
On Fri, 6 May 2005, Bret Miller wrote: > I'm starting to see references in messages that look like this: > > www.achat-montre-rolex.net./ > > > Of course, it's not really a valid URL, but then the spam gets through > too. Is it possible to strip excess garbage ( . / ) off the end of the > domain b

RE: More Messed Up www URLs

2005-05-06 Thread David B Funk
On Fri, 6 May 2005, Stewart, John wrote: > > > > I'm starting to see references in messages that look like this: > > > > > > www.achat-montre-rolex.net./ > > > > > Upgrade to SA-2.6.4+SpamCopURI, catches those just fine. ;) > > > > I'm running 2.6.4 with SpamCopURI - is this being flagged on your

Bombarded by German political spam

2005-05-14 Thread David B Funk
Tonight our site is being bombarded by German political spam or Joe-jobbed bounce fall-out. So far it appears to all be coming from trojaned PCs. Other than the specific URLs in the messages haven't found any easily identified parts to create rules for. Anybody else seeing this? -- Dave Funk

Re: Bombarded by German political spam

2005-05-17 Thread David B Funk
On Tue, 17 May 2005, Matt wrote: > Does anyone know the logic behind this spam bombing? I have a friend > who has a gmx.de account and he has gotten 0 german spam in it... yet > here in the u.s. we are getting bombarded by the spam. Yes, it's an intelligence/clue level logic. Last week some hack

Re: against this spam mail...

2005-05-18 Thread David B Funk
On Wed, 18 May 2005, Jeff Chan wrote: > On Wednesday, May 18, 2005, 12:05:13 AM, Monty Ree wrote: > > Hello, all. > > > When I see maillog, I can see lots of logs like below.. > > Some spammer send spam mails from [EMAIL PROTECTED] to [EMAIL PROTECTED], I > > guess. > > So mail server load is hig

Re: SA Being Bypassed?

2005-05-23 Thread David B Funk
On Sun, 22 May 2005, Elizabeth Schwartz wrote: > I'm sorry, I shouldn't post late at night. I am running SA as a > sendmail milter. And of course SA is happy to filter again mail which > has been filtered once - but I would love some way to tell it NOT to. > I have an external relay running SA, a

Re: Is Bayes Really Necessary?

2005-05-26 Thread David B Funk
On Thu, 26 May 2005, Thomas Cameron wrote: > On Thu, 2005-05-26 at 10:08 -0400, Jake Colman wrote: > > Given the rather complete set of rules that ship with SA and which can > > expanded with SARE, does bayes learning really help? Won't the rules catch > > pretty much everything anyway? > > I hav

Re: spamassassin --lint

2005-05-26 Thread David B Funk
On Thu, 26 May 2005, Tim Macrina wrote: > Hi Matt, > looked in every user_prefs file on my system and I could find any > reference to those lines. > > On 5/26/05, Matt Kettler <[EMAIL PROTECTED]> wrote: > > Tim Macrina wrote: > > > This may be a dumb question but where can I find those lines? I loo

Re: Comparison of SA and commercial solutions

2005-05-26 Thread David B Funk
On Thu, 26 May 2005, jdow wrote: > From: "Kevin Peuhkurinen" <[EMAIL PROTECTED]> [snip..] > > putting me on hold for another 30+ minutes while they try to track down > > a second level support person. > > That's 30 minutes > > > On the other hand, I had a question about SpamAssassin the other

Re: [SPAM-TAG] Spam

2005-05-27 Thread David B Funk
On Fri, 27 May 2005, Loren Wilton wrote: > Yes: > > > > What you have wrong is a clever hack url that ends in a slash and confuses > SA so that it doesn't run the URI tests. There is a patch in 3.1, and I > think it may also be in

Re: procmailrc being bypassed - again

2005-06-02 Thread David B Funk
On Thu, 2 Jun 2005, Jake Colman wrote: > > I posted this problem last week and was told that it might be due to an SA > problem when overwhelmed by too many connections. This problem only occurs > when my server has been off-line and then gets swamped from the backup MX > once it comes back on-li

Re: return-path test

2005-06-04 Thread David B Funk
On Sat, 4 Jun 2005, Craig Jackson wrote: > I notice that the return-path: is often different from the from: > > But my return-path: tests all fail. Here's one: > > header RETPATH_NUMS_CJ Return-path =~ /[0-9]{6,}/ > score RETPATH_NUMS_CJ 3.000 > > It will successfully match From:addr or Reply-To:

Re: More spam humor :-)

2005-06-05 Thread David B Funk
On Sun, 5 Jun 2005, List Mail User wrote: > My favorite, for a long time has been: > > ... my name is Linda. I teach 4'th grade math class at a junior h i g h. ... > > I think I got about 20 copies of that message. > > Paul Shupak Ah, but you have to understand she's teaching Ne

Re: Anyone seeing Account closed emails ?

2005-06-06 Thread David B Funk
On Mon, 6 Jun 2005, Rick Macdougall wrote: > Ronald I. Nutter wrote: > > >Anyone seeing this type of email coming through with a header of > >*WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED ? > > > >Didn't know if someone already had a ruleset out before I starting > >working on one for my system. > >

RE: Is Bayes Really Necessary?

2005-06-06 Thread David B Funk
On Mon, 6 Jun 2005 [EMAIL PROTECTED] wrote: > David Brodbeck wrote: > > Loren Wilton wrote: > >> You'd think that there should be some way to do a reverse DNS to > >> determine from an ip the domains that exist on that ip. I suspect > >> though that the whole internet fabric is designed the othe

Re: debug output to file?

2005-06-07 Thread David B Funk
On Tue, 7 Jun 2005, Bob McClure Jr wrote: > On Tue, Jun 07, 2005 at 10:42:07AM -0400, Mike Schrauder wrote: > > pardon my complete unix ignorance, I have been trying to figure > > out how to get debug output to a file so I can go back and look [snip..] > > i've also tried spamassassin -D -t < tes

Re: Is SPF working 100%? Problems with hotmail.com

2005-06-07 Thread David B Funk
On Tue, 7 Jun 2005, Raul Dias wrote: > SPF would never work if not there, right? > Note that it does work, but not always. > > I have never see it fail from calling the spamassassin form the command > line, just as spamd. > It has enough permission for spamd to read it. > > Could it be that it hap

RE: Gif-Only spams

2005-06-09 Thread David B Funk
On Thu, 9 Jun 2005, Bret Miller wrote: > > has anyone developed a good strategy against spams > > that contain a random text and the actual spam in > > an image within a multipart/alternative mail? > > > > Short of entirely blocking mails containing images, that > > is. > > SURBL, URIBL Sorry, bu

RE: Gif-Only spams

2005-06-09 Thread David B Funk
On Thu, 9 Jun 2005, Chris Santerre wrote: > >My only comment on a system like this is that it could be > >easily subverted. > >A spammer could use automated image editing tools to randomly > >change some > >aspect of the file that would give it a totally different MD5 sum. Like > >changing the lo

RE: Gif-Only spams

2005-06-09 Thread David B Funk
On Thu, 9 Jun 2005, Chris Santerre wrote: > >There are image processing algorithms that are much better at 'looking' > >at two images and giving a 'distance' value. (Only problem is > >that they're > >compute intensive). > > Well then don't use MD5 :) > > Hell then just pull a sample from the imag

RE: couple of issues

2005-06-09 Thread David B Funk
On Thu, 9 Jun 2005, Kern, Tom wrote: > Perhaps, I'm not sure. > Is there a way to tell? > Also, I have seen some go through that I know are in spamcop. > > Do you know of a way to troubleshoot spamcop? > i plan on upgrading sa, but I can't just yet, so I'd like to figure this out. > > Thanks for y

Re: Exceptions to all_spam_to?

2005-06-17 Thread David B Funk
On Fri, 17 Jun 2005, Tom Lanyon wrote: > Unfortunately, since we're using sendmail (ergh!) and cyrus (cyrdeliver > for the MTA), we can't fit procmail in there anywhere. > I'm currently researching cyrdeliver to see if there's any way to call > spamassassin (or spamc) from that. > > If anyone know

Re: fdf spam

2007-08-10 Thread David B Funk
On Sat, 11 Aug 2007, wolfgang wrote: > In an older episode (Friday, 10. August 2007), Mike Cisar wrote: > > Has anyone else been seeing the empty-body "PDF" spam, but with a > > .fdf file extension. Had a whole pile in my inbox here this morning. > > Thousands of them went through our mail gatewa

Re: how to stop the spam assassin

2007-08-15 Thread David B Funk
On Tue, 14 Aug 2007, Gokhan ALKAN wrote: > it depends on which distro have you used. you can use stop/start script to > stop spamassassin. or you can see spamassassin process with ps command and > kill. > > you can see pid of spamassassin with below command and you can kill > spamassassin > >

Re: R: Sneaky [EMAIL PROTECTED] slipped through

2007-08-17 Thread David B Funk
On Fri, 17 Aug 2007, Giampaolo Tomassoni wrote: > > -Messaggio originale- > > Da: SM [mailto:[EMAIL PROTECTED] > > > > At 13:02 17-08-2007, John Rudd wrote: > > >Hm. This is the first I've heard of the chickenpox rule. Where > > >does it come from? Is it part of SARE? > > > > It was wri

Re: sa-update doesn't connect to updates.spamassassin.org

2007-08-20 Thread David B Funk
On Tue, 21 Aug 2007 [EMAIL PROTECTED] wrote: > How does sa-update know if to update or not without going over the > network? > > channel: attempting channel updates.spamassassin.org > channel: update directory > /home/jidanni/var/spamassassin/3.002003/updates_spamassassin_org > channel: channel c

Re: Question - How many of you run ALL your email through SA?

2007-08-20 Thread David B Funk
On Mon, 20 Aug 2007, Duane Hill wrote: > On Mon, 20 Aug 2007 at 16:24 -0600, [EMAIL PROTECTED] confabulated: > [snip..] > > I have to second that... In the early days when spammers were just > > getting started, we started using some RBL's at the MTA level. ORBS > > was one I believe. Then th

Re: Posioned MX is a bad idea [Was: Email forwarding and RBL trouble]

2007-08-26 Thread David B Funk
On Sun, 26 Aug 2007, Marc Perkel wrote: > If you have one MX and you create a fake low MX and a fake high MX (or > many fake high MX) about 75% to 95% of your spam goes away. It's that > simple. How do you deal with the false-positives, legit servers that are blocked by this configuration? --

Re: Posioned MX is a bad idea [Was: Email forwarding and RBL trouble]

2007-08-27 Thread David B Funk
On Mon, 27 Aug 2007, Marc Perkel wrote: > David B Funk wrote: > > On Sun, 26 Aug 2007, Marc Perkel wrote: > > > >> If you have one MX and you create a fake low MX and a fake high MX (or > >> many fake high MX) about 75% to 95% of your spam goes away. It's tha

Re: Posioned MX is a bad idea [Was: Email forwarding and RBL trouble]

2007-08-27 Thread David B Funk
On Mon, 27 Aug 2007, Marc Perkel wrote: > David B Funk wrote: > > On Mon, 27 Aug 2007, Marc Perkel wrote: > > > >> There aren't any false positives. That's what is so great about this trick. > >> > > > > I guess I didn't make my que

Re: SPF-Compliant Spam

2007-08-27 Thread David B Funk
On Mon, 27 Aug 2007, Marc Perkel wrote: > Matt Kettler wrote: > > Marc Perkel wrote: > > > >> Matt Kettler wrote: > >> > >>> Marc Perkel wrote: > >>> > >>> > SPF breaks email forwarding. > > > >>> SPF breaks mail forwarding services that are unwilling to expend a > >>> little effort

Re: autolearn=failed

2007-09-04 Thread David B Funk
On Mon, 3 Sep 2007, Raquel wrote: > On Mon, 3 Sep 2007 18:31:03 -0700 > Raquel <[EMAIL PROTECTED]> wrote: > > > I'm setting up a new server. However, email sent to the server > > keeps getting "autolearn=failed". I don't seem to be able to > > figure out is causing that. > > > > -- > > Raquel >

Re: Handling Spam Surges

2007-09-10 Thread David B Funk
On Mon, 10 Sep 2007, Paul Griffith wrote: > Greetings, > > How do you handle Spam surges/DoS attacks? We just had a Spam surge/DoS > and are looking at ways to better withstand (as best as we can) another > surge > > > Here is how we start SA: > > -c -d -r $PIDFILE -s /var/log/spamd --socketpath=$

RE: Q about mail proxy servers and setups

2007-09-23 Thread David B Funk
On Sun, 23 Sep 2007, Michael Scheidell wrote: > For the purposes of this discussion, the biggest reason I can't be on > the edge where I'd like to be is that there is a massive proxy/load > balancer/failover device that does more than email. > > Many firewalls 'proxy' the email also, so it's not lik

Re: Every e-mail is now getting a new score, creating a lot of false postive.

2007-09-24 Thread David B Funk
On Mon, 24 Sep 2007, cpayne wrote: > Guys, > > I am not sure when this started but now every e-mail that comes on to my > box has this score... > > 2.0 MISSING_SUBJECT Missing Subject: header > -0.0 NO_RECEIVED Informational: message has no Received headers > 0.1 TO_CC_NONE

Re: Milter vs. Procmail

2007-09-26 Thread David B Funk
On Thu, 27 Sep 2007, Olivier Nicole wrote: > But here is the question, with milter call, how to manage things like > per user whitelist? As SA is run only once for all the recipients, it > should go on a common set of rules. In the general case, with a milter (or most in-line filtering) per-user

Re: Advice on MTA blacklist

2007-10-10 Thread David B Funk
On Tue, 9 Oct 2007, Jo Rhett wrote: > On Oct 9, 2007, at 4:22 PM, Chris Edwards wrote: > > Your server then enforces encryption and SMTP-AUTH, and the SSL will > > (hopefully) defeat any man-in-the-middle attacks by trans-proxies. > > That's exactly the problem I am reporting. A lot of mail clien

Re: How to Reject Messages

2007-10-19 Thread David B Funk
On Fri, 19 Oct 2007, Noel Jones wrote: > On 10/19/07, Yoda Woda <[EMAIL PROTECTED]> wrote: > > Here my scenario: I have postfix and spamassassin installed in a gateway > > machine. Postfix accepts incoming messages, pipes them to spamassassin for > > scoring, which then pipes them back to postfi

Re: Per-User required_score

2008-01-07 Thread David B Funk
On Mon, 7 Jan 2008, Theo Van Dinter wrote: > Well, the problem is that if you run at MTA time, you can't really do per-user > configs. > > "spamc -u" will work, if there's only 1 user. it won't work with multiple > users, such as when there are several recipients for a single message, unless > yo

Re: Bypassing MX

2008-01-08 Thread David B Funk
On Tue, 8 Jan 2008, Peter Smith wrote: > Here's my situation: > > server1: mail gateway, runs Spamassassin > server2: multi-purpose server. hosts http, mail boxes, pop/imap, runs > sendmail and Spamassassin. > example.org: my domain. The MX record points to server1, A record points to > server2 >

Re: Can anyone help me? surbl.org FP problems?

2008-01-31 Thread David B Funk
On Thu, 31 Jan 2008, David Zinder wrote: > What should dig return? I too have Verizon fios. If /etc/resolve.conf > contains their DNS servers I get similar dig results as you. If I change > it to DNS servers I trust I get: > > $ dig techweb.com.multi.surbl.org > > ; <<>> DiG 9.2.4 <<>> techweb.co

Re: [OT] Bogus MX opinions

2008-02-21 Thread David B Funk
On Wed, 20 Feb 2008, Aaron Wolfe wrote: > Quotes from this thread (and the nolisting site which was posted as a > response): > > Michael Scheidell -> "Do NOT use a bogus mx as your lowest priority." > Bowie Bailey -> "I would say that it is too risky to put a non-smtp > host as your primary > M

Re: Adding custom Mime headers

2008-03-05 Thread David B Funk
On Wed, 5 Mar 2008 [EMAIL PROTECTED] wrote: > Karsten Bräckelmann <[EMAIL PROTECTED]> wrote on 03/05/2008 01:13:11 > PM: > > > On Wed, 2008-03-05 at 11:05 -0500, [EMAIL PROTECTED] wrote: > > > > > > I'm trying to get the RelayCountry plugin running here in order to get > > > a Mime header of all o

Re: Milter (spamassassin): timeout before data read

2008-03-11 Thread David B Funk
On Tue, 11 Mar 2008, Sebastian Hoffmann wrote: This was why I posted the settings from the sendmail-milter: "INPUT_MAIL_FILTER(`spamassassin', S=local:/var/spamd/spamass-milter.sock, F=,T=C:15m;S:4m;R:4m;E:10m') INPUT_MAIL_FILTER(`clmilter', S=local:/var/run/clamav/clmilter.socket, F=,T=S:4m;R:

Re: Zen?

2008-03-25 Thread David B Funk
On Tue, 25 Mar 2008, Mike Hatz wrote: > Hi, > > Sorry if this is an old topic, but is Zen from spamhaus still working? > > I used to see entries in my sendmail log along the lines of: > > "550 Mail from "spammer-s machine listed here" refused - see > http://www.spamhaus.org/lookup.lasso"; > > And

Re: Newbie question

2006-06-06 Thread David B Funk
On Tue, 6 Jun 2006, Gary Forrest - Netnorth wrote: > Hi All > > We have been using SA v3.1.1, all seems to work well :) > ( FreeBSD 6.1, Sendmail 8.13.6 & few milters ) > > Is it possible to get SA not to scan inbound email addressed to certain > domain names. > We have looked at the various white

Re: All digits

2006-06-06 Thread David B Funk
On Tue, 6 Jun 2006, wrote: > I have to wonder if a spammer is testing their Zombies since all I have > received are from > Dialup/broadband customers. Could this be the rain before the flood of > spam/virus? > > I'm voting for this explanation. It started here yesterday and they're v

Re: Can SA be used to implement greylisting?

2006-06-19 Thread David B Funk
On Mon, 19 Jun 2006, Steven W. Orr wrote: > And this is my point. SA *DOESN'T* work on messages after they have been > received. Since I use spamass-milter, SA sees the messages before > reception is completed. (You're free to do otherwise.) Then when SA > decides that the message doesn't conform

Re: Can SA be used to implement greylisting?

2006-06-19 Thread David B Funk
On Mon, 19 Jun 2006, Justin Mason wrote: > Yep -- that's the key point -- as far as I know it's illegal (in > SMTP terms) to offer a 421 after DATA. > > --j. RFC-2821 section 3.9: An SMTP server MUST NOT intentionally close the connection except: - After receiving a QUIT command and resp

Re: Can SA be used to implement greylisting?

2006-06-19 Thread David B Funk
On Mon, 19 Jun 2006, Rick Macdougall wrote: > JamesDR wrote: > > 1) Message comes in, check against AWL, if sender/ip pair do not exist, > > send the tempfail, if sender/ip pair do exist: > > 2) Check the average score against some threshold (say 4 points as a > > figure.) If sender's score is ove

RE: sudden deluge of university spams

2006-06-22 Thread David B Funk
On Thu, 22 Jun 2006, Ramprasad wrote: > Is the Evilnumbers ruleset not too heavy > > But the numbers are also mangled > eg > 1-22-33 could be written in numerous ways just adding spaces in between > randomly > I am doing regex match something like > /1 *- *2 *2 *- *3 *3 */ > > Any inputs ? Yes,

RE: sudden deluge of university spams

2006-06-23 Thread David B Funk
On Fri, 23 Jun 2006, Ramprasad wrote: > > Yes, as SA collapses multiple spaces down to a single space (in 'body' > > tests), you only need to look for a single instance of the space, > > not an unlimited number. Also you can omit that final ' *' as it's > > an optional "tail" match, thus the rule

Re: On bichromatic GIF stock spam

2006-06-25 Thread David B Funk
On Sun, 25 Jun 2006, John D. Hardin wrote: > On Sun, 25 Jun 2006, Philip Prindeville wrote: > > > John D. Hardin wrote: > > > > >On Sat, 24 Jun 2006, Philip Prindeville wrote: > > > > > >>The spammers send multipart/alternative > > >>because they want the text/plain section to confuse the Bayes >

Re: Rejection text

2006-07-12 Thread David B Funk
On Wed, 12 Jul 2006, Paul Dudley wrote: > We are using SA 3.0.4. > > If we decide to reject low grade spam messages rather than quarantine > them, is it possible to add text to the body of the rejection message? > > Paul Dudley Assuming you are talking about a true SMTP-reject operation, no. You

Re: SPF breaks email forwarding

2006-07-24 Thread David B Funk
On Mon, 24 Jul 2006, Ramprasad wrote: > > Except = SPF breaks email forwarding. It requires that the world > > change how email is forwarded and that's not going to happen. Thus if > > a bank has a hard fail and someone with an account on my server gets > > email from an account that is forwarded

Re: Using SA to prevent bouncing spam?

2006-08-14 Thread David B Funk
On Mon, 14 Aug 2006, Ole Nomann Thomsen wrote: > Hi, in order to avoid bouncing spam back to the (almost certainly) faked > sender-addresses, I thought I could use SA directly: > > Suppose I configure it to substitute "<>" for the sender/reply-to in any > spam? That way spam-generated bounces woul

Re: .GIF images without .gif in filename and empty messages

2006-08-15 Thread David B Funk
On Tue, 15 Aug 2006, Craig Baird wrote: [snip..] > The other type of spam I'm seeing are empty messages. They have a single word > for a subject, but nothing in the body. About a year ago, I was getting > flooded with these, and I solved the problem by using the SARE_HTML_NO_BODY > rule from 70_

Re: Dealing with spam bots and dialup/dsl spammers

2006-08-17 Thread David B Funk
On Thu, 17 Aug 2006, Daryl C. W. O'Shea wrote: > John Rudd wrote: > > > Is there a way to make that trigger only on the _first_ (most recent) > > received header? > > Modify the regex so that you can test against the format provided in the > X-Spam-Relays-Untrusted or X-Spam-Relays-External pseudo

Re: Dealing with spam bots and dialup/dsl spammers

2006-08-17 Thread David B Funk
On Thu, 17 Aug 2006, Loren Wilton wrote: > >> Modify the regex so that you can test against the format provided in the > >> X-Spam-Relays-Untrusted or X-Spam-Relays-External pseudo headers and > >> anchor it to the beginning. > >> > >> Daryl > > > > I thought that X-Spam-Relays-Untrusted has a lis

Re: Dealing with spam bots and dialup/dsl spammers

2006-08-17 Thread David B Funk
On Fri, 18 Aug 2006, Daryl C. W. O'Shea wrote: > On 8/17/2006 8:24 PM, David B Funk wrote: > > > Is there some documentation about how those pseudo headers work? > > some way to print out their values or debug their usage? > > You can see them by adding header
