Re: Collecting IP reputation data from many people

2010-10-28 Thread David F. Skoll
On Thu, 28 Oct 2010 11:19:50 -0400 dar...@chaosreigns.com wrote: > Having nothing to prevent someone from registering millions of > accounts and spewing data from a single IP is not acceptable to me. Umm... Perhaps you have heard of a recent phenomenon called "a botnet"? Just what security do y

Re: Collecting IP reputation data from many people

2010-10-28 Thread David F. Skoll
OK, On a somewhat less sarcastic note: One reason we didn't use TCP is that it simply doesn't scale. If you have clients that open a TCP connection, do a report, and then close the TCP connection, there's a huge bandwidth penalty. On the other hand, if your clients maintain persistent TCP conne

Re: Collecting IP reputation data from many people

2010-10-28 Thread David F. Skoll
On Thu, 28 Oct 2010 13:56:08 -0230 "Lawrence @ Rogers" wrote: > What reporting system do you use? Although our Perl client library is free, the server-side code is proprietary. > and how does one avail of the data it provides? We sell rsync access to our lists. We also provide it for free to

Re: Collecting IP reputation data from many people

2010-10-28 Thread David F. Skoll
On Thu, 28 Oct 2010 12:43:51 -0400 dar...@chaosreigns.com wrote: > On 10/28, David F. Skoll wrote: > > Perhaps you have heard of a recent phenomenon called "a botnet"? > > Just what security do you think TCP really buys you? > Requiring them to use the botnet. In oth

Re: Spamhaus Whitelist

2010-11-06 Thread David F. Skoll
On Sat, 06 Nov 2010 00:41:53 -0700 Bill Landry wrote: > You could also test the envelope sender: > header SPAMHAUS_ENV eval:check_rbl_envfrom('SPAMHAUS_ENV', > '_vouch.dwl.spamhaus.org.') But that's an abuse... you should not be using Vouch-by-reference unless either DKIM or SPF returns

Re: email address forgery

2010-11-11 Thread David F. Skoll
On Thu, 11 Nov 2010 21:35:11 -0500 Jason Bertoch wrote: > After many complaints from the DNS community over SPF "hijacking" the > TXT record, a new SPF record type was eventually accepted. The proper fix would have been to make SPF lookups for "example.com" request the TXT record for "_spf.exam

SPF technical problems (was Re: email address forgery)

2010-11-15 Thread David F. Skoll
On Mon, 15 Nov 2010 11:30:59 -0500 Michael Scheidell wrote: > So, SPF works, if EVERYONE FOLLOWS THE RFC'S AND BEST PRACTICES. Not really. SPF is too weasely. If the SPF authors really wanted a useful standard, then: 1) The only return codes would have been "pass", "fail", "none" and "error"

Re: SPF technical problems (was Re: email address forgery)

2010-11-15 Thread David F. Skoll
On Mon, 15 Nov 2010 11:50:50 -0500 Michael Scheidell wrote: > then don't use it: Our record follows the way I said SPF should work. It specifies only 4 hosts as authorized to send for us and has a hard -all at the end. That's because we took the time and trouble to set up our email infrastructu

Re: SPF technical problems (was Re: email address forgery)

2010-11-15 Thread David F. Skoll
On Mon, 15 Nov 2010 08:07:43 -1000 Alexandre Chapellon wrote: > I use it just the same for the domains I have complete control over. > Unfortunately, be aware that this setup may forbid your legitimate > emails to be forwarded by a foreign host: Yes, this is a deficiency in SPF. It would be n

URIBL_RHS_DOB slowness (was Re: How to find out which rules have changed in the last ?)

2010-11-16 Thread David F. Skoll
On Mon, 15 Nov 2010 13:43:57 -0500 Kris Deugau wrote: > I noticed recently that the average ~0.8s scan time on our filter > cluster had jumped to just over 3s. We noticed a huge jump in scan times on several of our customers' systems. Try disabling the Day-old Bread rules. We pushed out this

Re: Do we need a new SMTP protocol? (OT)

2010-12-01 Thread David F. Skoll
On Wed, 01 Dec 2010 07:27:13 -0800 Marc Perkel wrote: > I've been thinking about what it would take to actually eliminate > spam or reduce it to less than 10% of what it is now. One of the > problems is the SMTP protocol itself. And a big problem with that is > that mail servers talk to each othe

IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

2010-12-01 Thread David F. Skoll
On Wed, 01 Dec 2010 16:55:17 + Martin Gregorie wrote: > Besides, I seem to remember hearing that IPV6 is never anonymous Where did you hear that? I can't imagine that IPv6 is any less (or any more) anonymous than IPv4. > OT comment 1: if IPV6 is indeed never anonymous, where does *that* >

Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

2010-12-01 Thread David F. Skoll
On Wed, 01 Dec 2010 12:47:16 -0500 Rob McEwen wrote: > One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's > nightmare. A spammers (and blackhat ESPs) would potentially send out > each spam from a different IP and then not use each IP again for > YEARS! Actually, since the smal

Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

2010-12-01 Thread David F. Skoll
On Wed, 01 Dec 2010 13:29:28 -0500 Rob McEwen wrote: > When DNSBL resources are order of magnitudes higher... when the > largest data files for DNSBLs go from 100MB to probably Terabytes... > and then trying to transfer that via rsync... and getting all the > mirrors to handle loading that much d

Misguided energy (was Re: Do we need a new SMTP protocol? (OT))

2010-12-01 Thread David F. Skoll
On Wed, 1 Dec 2010 16:02:03 -0500 Michael Grant wrote: > The main problem with this approach is how does > someone send you mail if they're not on your contact list? I don't > have any magic answers how to solve that beyond what's already out > there as in return messages with captchas in them o

Re: Fake MX

2010-12-08 Thread David F. Skoll
On Wed, 08 Dec 2010 15:52:37 -0800 Marc Perkel wrote: > For those who want to try the Fake MX trick you can set your highest > MX to tarbaby.junkemailfilter.com. Sure. I'll publish an MX record potentially sending my domain's mail to a machine I don't control... not. -- David.

Re: preventing authenticated smtp users from triggering PBL

2010-12-17 Thread David F. Skoll
On Fri, 17 Dec 2010 11:24:51 -0800 Ted Mittelstaedt wrote: > It is possible this is because I use sa-milter. If you want to make complex policy decisions, you might want to use something like MIMEDefang (note: I'm the author. :)) It lets you encode your mail processing logic in Perl, so you can

Re: DNSBL for email addresses?

2010-12-23 Thread David F. Skoll
On Thu, 23 Dec 2010 16:33:59 -0800 (PST) John Hardin wrote: [...] > To digress, I would suggest the solution to that (and what I wish PGP > had implemented from day one) is to sign using two different > cryptographic hash algorithms (e.g. MD5 _and_ SHA1). It's extremely > unlikely that two diffe

Re: DNSBL for email addresses?

2010-12-23 Thread David F. Skoll
On Thu, 23 Dec 2010 17:08:11 -0800 (PST) John Hardin wrote: > But the known-evil addresses aren't the data being protected (however > poorly) - the email addresses from your inbound mail that you're > checking against the list of evil addresses (which may include > correspondents who don't want

Re: DNSBL for email addresses?

2010-12-24 Thread David F. Skoll
On Thu, 23 Dec 2010 18:16:31 -0800 (PST) John Hardin wrote: > The response time for listing an email address in a phishing emailRBL > may be too great to see much benefit. We see a pretty good benefit from the anti-phishing email reply list. It's not so much a good tool to catch phishers as it i

Re: Issuing rollback DBI Mysql

2010-12-27 Thread David F. Skoll
On Mon, 27 Dec 2010 12:46:39 -0500 Jason Bertoch wrote: > Dec 24 08:54:05 mail spamd[24172]: Issuing rollback() due to DESTROY > without explicit disconnect() of DBD::mysql::db handle > bayes:127.0.0.1:3306 > at /usr/local/lib/perl5/site_perl/5.8.9/Mail/SpamAssassin/Plugin/Bayes.pm > line 1516,

Re: Issuing rollback DBI Mysql

2010-12-27 Thread David F. Skoll
On Mon, 27 Dec 2010 12:25:28 -0600 "Jack L. Stone" wrote: > >I don't think so. That message typically comes about when a DBI > >database handle goes out of scope without disconnect() having been > >called. > That was also one of my thoughts but noticed (as I recall) that the > Bayes.pm module h

Anti-Perl rant (was Re: Issuing rollback DBI Mysql)

2010-12-27 Thread David F. Skoll
On Mon, 27 Dec 2010 11:16:23 -0800 Ted Mittelstaedt wrote: > Larry Wall never envisioned the octopus monstrosity that Perl has > become. Um. Just because you can write overly-complex slow Perl code doesn't mean that all Perl code is necessarily overly-complex or slow. > Not that I am unhappy w

Re: Anti-Perl rant (was Re: Issuing rollback DBI Mysql)

2010-12-27 Thread David F. Skoll
On Mon, 27 Dec 2010 13:46:34 -0600 "Jack L. Stone" wrote: > In my case a very small percentage of mail actually reaches SA > because of several filters in front of it. Sendmail, Regex-milter, > Greylist-milter, and other milters catch most of the truly bad stuff, > and then hands off finally to S

Greylisting (was Re: Anti-Perl rant (was Re: Issuing rollback DBI Mysql))

2010-12-27 Thread David F. Skoll
On Mon, 27 Dec 2010 12:37:00 -0800 Ted Mittelstaedt wrote: > greylisting, though, is by far the best. But I have noticed an > increasing number of sites out there - and this is large sites - who > apparently are honked-off that people greylist, and they will bounce > delivery of mail that is is

Re: Greylisting (was Re: Anti-Perl rant (was Re: Issuing rollback DBI Mysql))

2010-12-27 Thread David F. Skoll
On Mon, 27 Dec 2010 13:36:39 -0800 Ted Mittelstaedt wrote: [...] > > We do not find virus-scanning before spam-scanning to be > > effective. A tiny percentage of our mail is flagged as containing > > a virus, > That's subject to interpretation I think. I would guess that your > LEGITIMATE ma

Re: A new paradigm for DNS based lists

2010-12-29 Thread David F. Skoll
On Wed, 29 Dec 2010 09:33:25 -0800 Marc Perkel wrote: > Yes - there's no point in doing DNS blacklist lookups on yahoo, > hotmail, and gmail as well as thousands of other mixed source > providers. I disagree. I have a strong feeling that some of those providers route less-trustworthy mail throu

Re: A new paradigm for DNS based lists

2010-12-29 Thread David F. Skoll
On Wed, 29 Dec 2010 11:50:56 -0800 Marc Perkel wrote: > My idea doesn't preclude you from having a "bad yahoo" list and > adding points. I'm just saying that when it comes to checking other > blacklists to see if any yahoo server is listed it's a waste of > resources. If it's a yahoo server of an

Re: [Asrg] draft-levine-iprangepub-01

2010-12-29 Thread David F. Skoll
On Wed, 29 Dec 2010 21:09:42 +0100 Matthias Leisi wrote: > I'm not sure whether that would be more appropriate for the dev list, > but I guess this is relevant/of interest to the SpamAssassin project, > and I don't know whether this has caught attention here yet. In the draft, John asserts:

Re: [Asrg] draft-levine-iprangepub-01

2010-12-29 Thread David F. Skoll
On Wed, 29 Dec 2010 21:34:47 +0100 Matthias Leisi wrote: > It's not certain that ISPs will always allocate /64. Some may allocate > /56 or something entirely different, Bigger than /64 is no problem. > and shared hosting providers may > allocate smaller ranges to their customers (why not an ind

Re: [Asrg] draft-levine-iprangepub-01

2010-12-29 Thread David F. Skoll
On Wed, 29 Dec 2010 22:05:16 +0100 Matthias Leisi wrote: > Today, querying IPv4 DNSxLs is more or less limited to individual IPs. > Making a new protocol that has more flexibility is very much needed - > one size will not fit all, especially not in the protocol design. OK. But I think the draft

Re: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On Wed, 29 Dec 2010 15:42:58 -0800 Ted Mittelstaedt wrote: > What this really calls for is a reworking of the SpamAssassin code. > SA is going to have to start caching the results of any IPv6 DNS > BL queries for a set period of time, probably 2 days. Why? Isn't caching the results of queries t

Re: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On Thu, 30 Dec 2010 10:15:42 +0100 Matthias Leisi wrote: > Can you be really, absolutely sure that there will never, ever be a > need to report reputation on anything else than /64? I think it's a safe bet, especially for whitelists. If you're whitelisting someone, chances are that person knows

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On 30 Dec 2010 17:13:07 - John Levine wrote: > We'll have to change our software to handle v6 lookups no matter what, > so I don't see it as a big deal whether it's a small change or a > slightly larger change. I agree, so I propose a much larger change: Stop using DNS for this purpose. I d

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On Thu, 30 Dec 2010 13:19:03 -0500 Rob McEwen wrote: > If blacklists like CBL are currently at 100 MBs (for IPv4)... the > bloat for IPv6 could break DNSBLs. RSYNCing Gigabyte (or terabyte!) > -sized files is memory and CPU intensive. Well, not really... John Levine proposes a way to summarize s

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On Thu, 30 Dec 2010 13:34:16 -0500 Rob McEwen wrote: > Does John's system do anything to prevent a spammer from sending a > million different spams from a million different IPs (one-ip-per-spam) > ...with that IP never to be heard from again)? Well, obviously not. Nothing can control what a spa

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On Thu, 30 Dec 2010 10:36:59 -0800 (PST) John Hardin wrote: > Timeliness? How often are you going to refresh the local copy of the > entire WL/BL? Or are you assuming the WL/BL will be relatively > unchanging over time? A WL should be relatively unchanging over time. I doubt BLs will be useful

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On 30 Dec 2010 18:43:50 - John Levine wrote: > >I agree, so I propose a much larger change: Stop using DNS for this > >purpose. I don't think it's the right tool for the job. > Sigh. Yes, that's one of the bad ideas. What is? Using DNS or using something else? :) [...] > Consider the a

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On 30 Dec 2010 18:57:44 - John Levine wrote: > Hey! I have an idea! How about if we form the data into a B-tree and > let people download pages on demand via the DNS? Nah, I have a better idea... a "B-ish" tree where some nodes can get out of sync because of caching. Won't be a problem in

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On Thu, 30 Dec 2010 14:18:13 -0500 Rob McEwen wrote: > On 12/30/2010 2:09 PM, David F. Skoll wrote: > > But I think it's really > > stretching DNS way beyond what it was designed for and it might be > > time to look at a different approach. > But David, every exa

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On 30 Dec 2010 17:49:46 -0500 "John R Levine" wrote: [...] > I'm not wedded to the CNAME hack. Actually, I was thinking about that. Consider a hack on a DNS server that gives all records an absolute expiry time that marches forward in (say) 5-minute intervals. Then when the DNS server is quer

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On 31 Dec 2010 01:19:16 - John Levine wrote: > >Now obviously, there's a breakpoint at which synchronizing the local > >database from the master becomes cheaper than doing lookups. Right > >now, that's quite high, but it will move lower with IPv6. > Why do you say that? The number of compu

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2010-12-30 Thread David F. Skoll
On Thu, 30 Dec 2010 19:21:25 -0800 Ted Mittelstaedt wrote: > No, I am assuming the spammers will do as they have always done in the > past - attempt to use other people's computers for free. Other > computers that are NOT cycling through lots of IP number in the > normal case. That's because t

Real-world IPv6 allocation policies (was Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01)

2010-12-31 Thread David F. Skoll
Hi, all, We run a system of data collection that collects reputation information about IP addresses. Our system has data on over 18 million IPv4 addresses and 2658 IPv6 addresses (which shows how poor the penetration of IPv6 is.) For details of our system, see http://mimedefang.org/reputation A

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-04 Thread David F. Skoll
A couple more cents on this topic... If the problem is blowing DNS caches, then one solution is to query only authoritative name servers. Spamhaus, for example, permits 300,000 free queries per day. I bet many small sites will be under this limit even if they query Spamhaus directly with no cach

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-04 Thread David F. Skoll
On Tue, 4 Jan 2011 06:18:55 -0800 (PST) John Hardin wrote: > DNS needs to deal with an exponentially-increased address space > regardless of how RBLs behave. Perhaps DNS caching needs to be > partitioned so that a huge number of queries on *.spamhaus.org don't > blow everything else out of the c

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-04 Thread David F. Skoll
On Tue, 04 Jan 2011 10:34:43 -0500 Rob McEwen wrote: > "game over".. the spammers have already won. And they are quite amused > right now reading us discuss all different ways to rearrange the deck > chairs on the Titanic. We are talking at cross-purposes here, but I think we mostly agree. :) >

Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01

2011-01-04 Thread David F. Skoll
On Tue, 04 Jan 2011 11:01:52 -0500 Rob McEwen wrote: > I've thought this through and... best case scenario is that spammers > then get 5+ years of play time because it will take at least that time > for those other techniques to catch up. Umm.. no. We have plenty of effective techniques we're u

DNS cache efficiency for low-TTL records (was Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01)

2011-01-04 Thread David F. Skoll
On Tue, 4 Jan 2011 06:18:55 -0800 (PST) John Hardin wrote: [DFS says all queries should be to authoritative name servers to avoid cache blowouts.] > You can't compare them. The nature of the queries is vastly different > - the root nameservers only get queries like "where are the > authoritative

Re: DNS cache efficiency for low-TTL records (was Re: IPv6 DNSBL/WL design, was Fwd: [Asrg] draft-levine-iprangepub-01)

2011-01-04 Thread David F. Skoll
Following up on myself... > I ran a little experiment. Just for fun, I took a day's worth of logs from a fairly busy server. There were just over 3.1 million SMTP connections/day. If they'd been using a DNSBL with a 15-minute TTL, they would have had about 1.13 million cache misses and 1.97 mill

Re: SPAM/Phish and Ham E-mail Dataset

2011-01-12 Thread David F. Skoll
On Wed, 12 Jan 2011 23:23:39 +0100 mouss wrote: [...] > you need to train with _your_mail. do not train with somebody else's > mail. one of the defence args is that attackers can't guess your > setup. if every one of us uses the same corpus then it'll be easy for > an attacker to get around. Th

Re: SPAM/Phish and Ham E-mail Dataset

2011-01-13 Thread David F. Skoll
On Thu, 13 Jan 2011 13:51:14 + RW wrote: > Is there anything to prevent spammers signing up and using your > databases to autogenerate spam? Not really, but then we only make our database available to customers using our commercial product, so the cost would probably deter spammers. > It so

Re: Q about short-circuit over ruling blacklisting rule

2011-01-17 Thread David F. Skoll
On Mon, 17 Jan 2011 22:12:42 +0100 JKL wrote: > I know this is off-topic but is there a way for a third party > programme to silently drop spam from delivery? You could use a milter such as MIMEDefang (www.mimedefang.org). Although it's primarily used by Sendmail admins, it does work with Postf

Re: Q about short-circuit over ruling blacklisting rule

2011-01-18 Thread David F. Skoll
On Tue, 18 Jan 2011 13:37:40 -0200 Rejaine Monteiro wrote: > > I'm not prepared to wait 24 hours for mail servers to successfully > > send me mails - it's the equivalent of sealing my letterbox on > > Mondays, Wednesdays and Fridays for me, and I want near-real time > > email communication. > I

Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-01-18 Thread David F. Skoll
On Tue, 18 Jan 2011 16:55:42 +0100 Giles Coochey wrote: > The legitimate mail that passes through my mail server comes from > hosts / networks I might not hear from again for months, by which > time I have to potentially wait 24 hours for the greylisting / mail > server to try again. My point is

Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-01-18 Thread David F. Skoll
On Tue, 18 Jan 2011 22:18:33 +0100 "Rolf E. Sonneveld" wrote: > RFC821/RFC2821/RFC5321 points out that a client has to wait a minimum > of 30 minutes before a retry attempt should be made, That's fine. I don't care if an email from someone I've never heard from before is delayed 30 minutes or e

Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-01-18 Thread David F. Skoll
On Tue, 18 Jan 2011 22:18:20 + Gary Forrest wrote: > Interesting 2 of our 3 scanning heads use a grey list system that > uses /32 addresses as part of the process, these two servers have > 100's of emails delayed for well over a day. Our 3rd scanning head > uses a grey list system that is les

Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-01-18 Thread David F. Skoll
On Tue, 18 Jan 2011 23:37:07 +0100 "Rolf E. Sonneveld" wrote: > I agree with you, looking at my own personal situation. However, many > mail admins (and maybe you too) are responsible for the e-mail > handling of many (tens/hundreds/thousands) of users. Most users have > unrealistic expectations

Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-01-19 Thread David F. Skoll
On Wed, 19 Jan 2011 09:56:47 -0500 Lee Dilkie wrote: > The second was that I've found that the other spam-catching filtering > is doing a much better job than it was years ago and turning off > greylisting didn't adversely affect the amount of spam that got > through. That's possibly true, but l

What is Ham? (was Re: Need Volunteers for Ham Trap)

2011-01-20 Thread David F. Skoll
On Thu, 20 Jan 2011 11:06:31 -1000 "Warren Togami Jr." wrote: > Ham is a lot easier to define than Spam. Ham is simply anything that > you subscribed for. Not necessarily. You could subscribe to a list expecting it to contain useful content. A few months later, the organization running the l

Re: What is Ham? (was Re: Need Volunteers for Ham Trap)

2011-01-20 Thread David F. Skoll
On Thu, 20 Jan 2011 16:12:58 -0500 Bowie Bailey wrote: > Of course it is. You subscribed to it. If you don't want it anymore, > unsubscribe. I disagree. When you subscribe to a list, there's an implicit understanding of the content you are signing up for. If the list owner violates the rules

Re: What is Ham? (was Re: Need Volunteers for Ham Trap)

2011-01-20 Thread David F. Skoll
On Thu, 20 Jan 2011 16:31:50 -0500 Bowie Bailey wrote: > When you sign up for a company's email list, you get whatever they > decide to send you. OK. I guess we'll agree to disagree on our definitions, then. Regards, David.

Re: SpamAssassin with out gcc

2011-01-24 Thread David F. Skoll
On Mon, 24 Jan 2011 08:03:52 -0800 (PST) ecrews wrote: > Is it possible to install SpamAssassin with out gcc? > Looking for a spam filter for a project. Would like to use > SpamAssassin but am not allowed to install gcc, project lead is > worried about security issues with gcc. You only need gc

Re: Training Bayes on outbound mail

2011-01-28 Thread David F. Skoll
On Fri, 28 Jan 2011 18:10:08 + Dominic Benson wrote: > Recently, in order to balance the ham/spam ratio given to sa-learn, I > have started to pass mail submitted by authenticated users to > sa-learn --ham. > I haven't seen any mention of this strategy on-list or on the web, so > I'm inter

Re: Irony

2011-02-01 Thread David F. Skoll
On Tue, 01 Feb 2011 07:30:19 -0700 Danita Zanre wrote: > Messages from this list have been bouncing since I started enforcing > Reverse DNS lookups on my server. The irony is that you think that's a good idea. -- David.

Re: Irony

2011-02-01 Thread David F. Skoll
On Tue, 01 Feb 2011 09:43:40 -0500 Randy Ramsdell wrote: > Not sure. If our mail servers did not have reverse, we would be > rejected all over the place. Seems like a common setting. Or is it? Microsoft Windows is very common, but that doesn't make it a good idea. We add a small score [1.2 poin

Re: Irony

2011-02-01 Thread David F. Skoll
On Tue, 1 Feb 2011 09:49:36 -0500 Michael Scheidell wrote: > because HELO doesn't match RDNS. Rejecting on that basis would also cause tons of false-positives. Regards, David.

RFC-Ignorant (was Re: Irony)

2011-02-01 Thread David F. Skoll
On Tue, 1 Feb 2011 09:52:04 -0500 Michael Scheidell wrote: > [204.89.241.253] mail from: <> > 250 OK > rcpt to: > 550 Missing, invalid or expired BATV signature A long time ago, I was involved with an argument with the RFC-Ignorant maintainer. The thread starts here: http://lists.megacity.org

Re: RFC-Ignorant (was Re: Irony)

2011-02-03 Thread David F. Skoll
On Thu, 03 Feb 2011 10:42:27 -1000 "Warren Togami Jr." wrote: > https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6526 > We finally agreed that rfc-ignorant.org is useless, or slightly more > harmful than good. Spamassassin will be disabling these rules by > default sometime soon. That's

Re: RFC-Ignorant (was Re: Irony)

2011-02-03 Thread David F. Skoll
Ha! I tried posting some log lines and they got rejected because of SURBL hits! :) Here goes again... remove the capital X from domain names and IP addresses :) On Thu, 03 Feb 2011 16:51:15 -0500 Adam Moffett wrote: > That's an interesting point of view. It was suggested on this list > fair

Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-02-08 Thread David F. Skoll
Hi, Steve, > http://www.fsl.com/index.php/resources/whitepapers/99 Interesting. I think you should credit me for this: "Once that has been proven then that 'hostid' is exempted from further greylisting for 40 days since it was last seen." Our CanIt system has been doing that since at least 2005, and

Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-02-08 Thread David F. Skoll
On Tue, 08 Feb 2011 15:47:12 + Steve Freegard wrote: > See http://www.fsl.com/index.php/resources/whitepapers/99 "Once that has been proven then that 'hostid' is exempted from further greylisting for 40 days since it was last seen." :) Our CanIt system has been doing this since at least 20

Re: Greylisting delay (was Re: Q about short-circuit over ruling blacklisting rule)

2011-02-08 Thread David F. Skoll
On Tue, 08 Feb 2011 17:04:37 + Steve Freegard wrote: > Sure - credit where it is due; I've added you to the 'Thanks' section. Thanks. And also, my apologies for posting to the list... that was supposed to be a private message. :( /me mutters something about email amateurs not understanding how e

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
On Thu, 10 Feb 2011 12:42:40 -0500 Michael Scheidell wrote: > heads up: Aieee popen() in security-sensitive software!??!?? Also, why does the milter process run as root? That seems like a huge hole all by itself. Regards, David.

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
On Fri, 11 Feb 2011 09:50:05 +1300 Jason Haar wrote: > That exploit is dated Mar 2010? Has this really not been fixed in > about a year??? If everyone is talking about http://savannah.nongnu.org/projects/spamass-milt/, it looks like the last release was in 2006. It looks like that project is ab

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-10 Thread David F. Skoll
Sorry to follow up on myself... > If everyone is talking about > http://savannah.nongnu.org/projects/spamass-milt/, it looks like the > last release was in 2006. It looks like that project is abandoned. I cannot edit the wiki, but I think spamass-milt should be removed from http://wiki.apache.or

Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt

2011-02-11 Thread David F. Skoll
On Fri, 11 Feb 2011 12:08:35 -0800 Adam Katz wrote: > I consider it a mission-critical component to be able to deliver a > rejection notice at SMTP-time (to avoid backscatter from an emailed > bounce message). The other systems out there (specifically amavis and > mailscanner) just can't do this

Re: Points for missing MX Records

2011-02-23 Thread David F. Skoll
On Wed, 23 Feb 2011 18:43:58 +0100 Michelle Konzack wrote: > And WHY should my domain have a > MX record if they will NEVER receive any mails? Well... any domain that sends mail must be prepared to receive it also, if only to receive DSNs. It is routine to block mail from a sending domain if

Re: Points for missing MX Records

2011-02-23 Thread David F. Skoll
On Wed, 23 Feb 2011 23:03:46 +0400 Mahmoud Khonji wrote: > However, since many legit senders ignore this, it turns out that FP > rate is too high for now. I am unaware of a single FP from our policy of rejecting MAIL FROM: where example.org lacks MX, A and records. Do you have an example o

Re: Points for missing MX Records

2011-02-23 Thread David F. Skoll
On Wed, 23 Feb 2011 18:48:51 + RW wrote: > That's true for person to person mail, but there are kinds of mail > where loss is inconsequential and no-one is going to read the DSNs > e.g. newsletters. Strongly disagree. If you're sending newsletters, you'd *darn better* have a bounce-processo

Re: Decisions on how to handle mail from some domains

2011-02-24 Thread David F. Skoll
On Wed, 23 Feb 2011 22:17:47 -0500 Alex wrote: > While some of the mail from that sender seems legitimate, other mail > clearly isn't, but it has the same header as a legitimate mail, making > it very difficult to properly train bayes or otherwise accurately > determine that it's indeed spam and

Re: A new reverse DNS trick

2011-02-25 Thread David F. Skoll
On Fri, 25 Feb 2011 12:57:39 + Martin Gregorie wrote: > However, the thing I hadn't seen before is that its IP, 208.115.216.98 > resolves to 98-216-115-208.static.reverse.lstn.net > So, is this a normal, expected reverse DNS result that I just haven't > seen before or is it intended to trick

Re: Points for missing MX Records

2011-02-25 Thread David F. Skoll
On Fri, 25 Feb 2011 21:55:12 +0100 Matus UHLAR - fantomas wrote: > Incorrect. You must have abuse@ addresses at your domain registration > boundary, if you can receive e-mail. > http://www.rfc-ignorant.org/policy-abuse.php That quotes RFC 2142, which is only a proposed standard. rfc-ignorant.o

Re: Points for missing MX Records

2011-02-26 Thread David F. Skoll
On Sat, 26 Feb 2011 16:17:28 +0100 Matus UHLAR - fantomas wrote: [...] > ...and we still don't have better standardized and documented way to > report abuse, do we? postmaster@ *has* to be there for sure, so if abuse@ is not, send your reports to postmaster@ I understand what rfc-ignorant.org

Re: Should Emails Have An Expiration Date

2011-02-28 Thread David F. Skoll
On Mon, 28 Feb 2011 14:42:56 -0600 Matt wrote:
> I think this would be a great idea.
I think it's dumb on so many levels it's hard to know where to begin.
1) Having an Expires: header would make naive users think that it's actually technically possible to force their email messages to expire.

Re: Should Emails Have An Expiration Date

2011-02-28 Thread David F. Skoll
On Mon, 28 Feb 2011 15:51:32 -0600 Matt wrote:
> Looking at top 8 newest messages from my personal email account:
[Spammy subjects deleted]
It looks like you need some sort of anti-spam system. Maybe someone on this list can recommend one to you. (You aren't trolling for the guy proposing th

Re: Should Emails Have An Expiration Date

2011-03-02 Thread David F. Skoll
On Tue, 01 Mar 2011 21:15:13 -0800 Ted Mittelstaedt wrote:
> Please, instead of just randomly selecting terms related to copyright,
> why don't you try to make a coherent and logical argument why
> expiration dates on copyrighted material are illegal and should be
> ignored.
The purpose of copyr

Re: Open letter to Yahoo and Hotmail concerning junkmail

2011-03-07 Thread David F. Skoll
On Mon, 07 Mar 2011 19:51:47 +0000 Ned Slider wrote:
> Like you, I've yet to find a reliable set of meta rules to
> effectively deal with this junk and invariably it turns into a game
> of chasing one's tail.
We use an in-house DNSBL based on our reputation-reporting code (http://www.mimedefang.

Re: how to disable network tests?

2011-03-11 Thread David F. Skoll
On Fri, 11 Mar 2011 12:51:44 -0800 (PST) John Hardin wrote:
> ...your email is so time-critical that you can't wait an extra ten
> seconds for it to be delivered?
On a busy server, a ten-second latency in scanning mail could kill you... As another poster said, 10s for network tests seems excess

Re: Microsoft brings down major fake drug spam network

2011-03-18 Thread David F. Skoll
On Sat, 19 Mar 2011 01:08:42 +0100 Michelle Konzack wrote:
> No, because there are more than one Botnet of this size now...
I also haven't noticed much difference.
Regards, David.

Re: SA and Spear Phishing

2011-03-18 Thread David F. Skoll
> So when it comes to spear phish, in my view, a big question mark
> arises to indicate that its risk is simply "unknown" to mankind. This
> is unknown in the public domain as far as I know, which is why I
> posted this mail to see if any of you see any spear phish within the
> load of SPAM you dete

Re: SA and Spear Phishing

2011-03-21 Thread David F. Skoll
On Sat, 19 Mar 2011 05:42:22 +0400 Hamad Ali wrote:
> Can I assume that your solution that detected a portion of the spear
> phish is 100% SA? In case not fully SA, any hints on its mechanics?
It's not fully SA. We don't use the SA Bayes implementation; we have our own that considers both indiv

MessageLabs outbound mail (was Re: Obfuscating advanced fee scams with html attachments?)

2011-03-29 Thread David F. Skoll
On Tue, 29 Mar 2011 10:26:15 -0400 Jason Bertoch wrote:
> Apparently, messagelabs has something broken and/or the DNSWL
> listing needs adjustment.
Yes, some of MessageLabs' customers seem to be spamming or (more likely) compromised:
$ reputation-check 216.82.242.115
216.82.242.115: mail132.mes

Re: One thing about bug 6558

2011-03-30 Thread David F. Skoll
On Wed, 30 Mar 2011 16:51:57 +0200 Marcin Mirosław wrote:
> I'm using postgresql, but machine isn't quick... Any db is slowly
> there. Using Pg for Bayes data will be really slow.
We don't use the SpamAssassin Bayes implementation and we went through three iterations of storage back-ends before

Re: One thing about bug 6558

2011-04-01 Thread David F. Skoll
On Fri, 1 Apr 2011 19:52:54 +0200 Mark Martinec wrote:
> I can very much believe and agree that for a read-only bayes database
> the CDB provides the best performance - as long as you can afford
> (or have no other choice in large scale environments) to update it
> periodically offline.
It turns

Re: Please report IPs delivering ham and spam with this script

2011-04-01 Thread David F. Skoll
On Fri, 1 Apr 2011 14:34:16 -0400 dar...@chaosreigns.com wrote:
> Out of the 86,899 IPs I have data for, all but 38 are either 100%
> spam or 100% ham,
That sounds a bit funny. We have data on over 17 million IP addresses (collected using http://mimedefang.org/reputation) Of those, about 9 milli

Re: multiple from entries

2011-04-09 Thread David F. Skoll
On 9 Apr 2011 14:29:24 -0000 "John Levine" wrote:
> >Anyone know of any legitimate use of multiple email addresses in a
> >from line?
> Yes. I know a few IETF people who do it. Stuff like notes to a
> working group from both chairs.
RFC 5322 does allow multiple addresses in the From: field, bu

Re: multiple from entries

2011-04-10 Thread David F. Skoll
On Sun, 10 Apr 2011 08:30:46 -0400 Michael Scheidell wrote:
> header __MANY_SENDER sender =~ /@.*@/
Trying to match email addresses with regexes is dangerous. The string:
"funny@last"@roaringpenguin.com
is a valid email address. Check the RFCs if you don't believe me. (That being sai

Re: Yahoo sent 5.5x as much spam as any other legit provider in April

2011-05-11 Thread David F. Skoll
On Wed, 11 May 2011 13:10:31 -0700 Ted Mittelstaedt wrote:
> Yahoo's SMTP mailers are unable to handle a standard
> SMTP error 4xx, if they get one they abort the
> transmission and return the message to the sender
Do you have evidence to back up that claim? I don't believe it's true. We use g

Re: Yahoo sent 5.5x as much spam as any other legit provider in April

2011-05-11 Thread David F. Skoll
On Wed, 11 May 2011 16:35:50 -0400 Michael Scheidell wrote:
> if someone sends an email to 175 people, once they hit 'x' number in
> the first email attempt, we send '4xx too many emails'
Ah, ok. We avoid issuing 4xx in response to a "RCPT" command because quite a lot of badly-written SMTP soft