Re: email address forgery

2010-11-12 Thread Ken A
On 11/11/2010 7:07 PM, Rob McEwen wrote: On 11/11/2010 7:41 PM, Noel Butler wrote: Really? I don't use SPF in SA, only MTA, if that's the case, it is a shame that SA also is behind the times. It was years ago SPF type was ratified. Justin: Any plans to change that? I guess I'm one of those ma

Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

2010-12-01 Thread Ken A
On 12/1/2010 11:47 AM, Rob McEwen wrote: On 12/1/2010 12:05 PM, David F. Skoll wrote: Where did you hear that? I can't imagine that IPv6 is any less (or any more) anonymous than IPv4. One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's nightmare. A spammers (and blackhat E

Re: using spamhaus droplist with sa ?

2011-02-18 Thread Ken A
On 2/17/2011 6:52 PM, Warren Togami Jr. wrote: On 2/17/2011 5:40 AM, RW wrote: The suggestion is that it be scored higher for that reason. Or just outright block all MTA connections from anything listed in zen.spamhaus.org, which seems to be safe. Large sites I know have been doing that for

Re: "day old bread" DNSBL

2011-05-27 Thread Ken A
yes. URIBL_RHS_DOB is somewhat useful. It's not _very_ reliable alone though, so I use it with META rules that add points for combinations with other things that are common with uri type spam. It seems to hit much of the same things as fresh.spameatingmonkey.net ymmv. Ken On 5/27/2011 3:17

Re: [OT] RBLs

2012-01-11 Thread Ken A
On 1/11/2012 11:51 AM, Dave Funk wrote: On Wed, 11 Jan 2012, --[ UxBoD ]-- wrote: The type of SPAM we are seeing is where legit companies are having their adverts cloned and the hyperlinks changed to spammy sites. sanesecurity hits many of these. uri filters can also assist.. surbl, uribl

Re: Strange SpamAssassin Statistical Performance

2005-02-26 Thread Ken A
Matt Kettler wrote: At 02:04 PM 2/25/2005, Jerome Cartagena wrote: The main reason I believe this is a performance issue is the strange flat line that is demonstrated by the graph. Although it concerns me that I get much more HAM than SPAM (I believe current industry standards report 80+% spam

Re: Need critique on new SA plugin

2005-04-29 Thread Ken A
other thing that would get FPs is mail like this list that is sent To: or cc: users@spamassassin.apache.org Not sure how you work around that one. Probably would need to lower the scoring a bit, since you'd have a lot of FPs on this one. Ken A. Pacific.Net Brian R. Jones wrote: So I wr

Re: Detecting short-TTL domains?

2007-08-10 Thread Ken A
Jim Maul wrote: Stream Service || Mark Scholten wrote: As far as I know it isn't possible to have a TTL that is too low (if I may believe the RFC files). It is also impossible to have too many A-records. With both facts in mind I would suggest that you find another method of detecting SPAM.

Re: Outbound spam filtering for a large ISP

2007-09-04 Thread Ken A
Joe Pranevich wrote: Hello, I maintain a large webmail host (I bet you can figure out which one) for free/paid accounts that sends out tens of thousands of emails a day. We're not quite Yahoo Mail or Hotmail, but we're pretty big. We're looking to scan outbound mail using SpamAssassin and I'm ho

Re: FW: List of 700,000 IP addresses of virus infected computers

2007-09-12 Thread Ken A
Jason Bertoch wrote: On Tuesday, September 11, 2007 7:07 PM Marc Perkel wrote: The details are a little too complex for this forum ... OK - had quite a few trolls here who seem to be hostile to my breakthroughs so I wasn't that motivated to post information. Is there any chance we can get a

Re: What to do with backscatter?

2007-10-29 Thread Ken A
Bob Proulx wrote: Arthur Dent wrote: One thing that does plague me however is a periodic rash of Non Delivery Receipt messages (I've just had one now - about 10-15 or so). These score anywhere between 1.2 and 11.1 but mainly around the 3.7 mark (below my spam threshold of 5.0). They all hit the

Re: Forward Conformed Reverse DNS troubleshooting tool

2007-11-30 Thread Ken A
Matus UHLAR - fantomas wrote: On 30.11.07 06:06, Ben Spencer wrote: Some sendmail milters do look at that banner. And perform lookups on it. One which comes to mind is milter-spiff (SPF checks). A misconfigured host with misleading banner information may also contain other misconfiguration w

Re: Time to blacklist google.

2008-02-29 Thread Ken A
Michael Scheidell wrote: Ok, google/gmail emails back says 'this didn't come from us because people are forging our domain'. Reverse dns shows it's google, dkim sig says it's google. Time to blacklist google. Either google lies or they have been hacked and hackers are spamming through them. Eithe

Re: Auto delete if >= X on per user basis

2006-06-05 Thread Ken A
If you throw MailScanner into the mix with SpamAssassin, you can do per user prefs in combination with sendmail (not postfix) and splitting messages with multiple recipients into single messages using sendmail's queue group functionality. Alternately, you could do it in a pop3 proxy.

Re: Auto delete if >= X on per user basis

2006-06-06 Thread Ken A
ail (not postfix) and splitting messages with multiple recipients into single messages using sendmail's queue group functionality. Alternately, you could do it in a pop3 proxy. Ken A. Amavisd-new works well with Postfix. You can use static tables created directly in the configuration file

Re: Auto delete if >= X on per user basis

2006-06-06 Thread Ken A
through S.A. in order to apply per user rules, so some of the overhead of splitting messages in the incoming MTA (sendmail) is mitigated. Ken A Mark

[Fwd: Re: [dns-operations] negative caching of throwaway spam domains]

2006-06-22 Thread Ken A
Rick Wesson over at Alice's Registry has a dnsrbl listing recently registered domains (see below). I thought this might be of interest to SA users. Anyone used this, or other rbl with similar functions? Scoring? Accuracy? Thanks, Ken A Pacific.Net Original Message Su

Re: [Fwd: Re: [dns-operations] negative caching of throwaway spam domains]

2006-06-22 Thread Ken A
Jeff Chan wrote: On Thursday, June 22, 2006, 10:35:10 AM, Ken A wrote: Rick Wesson over at Alice's Registry has a dnsrbl listing recently registered domains (see below). I thought this might be of interest to SA users. Anyone used this, or other rbl with similar functions? Sc

list of misspelled domain names?

2006-06-30 Thread Ken A
send mail to [EMAIL PROTECTED] is quite another. :-( Microsoft has a couple lists at http://research.microsoft.com/URLTracer/ but not all of these are registered or known to be typosquatters. Any others out there? Thanks, Ken A. Pacific.Net

Re: Looking for Turn-key SA solution

2006-07-05 Thread Ken A
http://www.fsl.com/defender5.html Ken Pacific.Net Burton Windle wrote: Does anybody know of a vendor that sells boxes with SpamAssassin pre-installed, with a pretty GUI with quarantine ability? (My company won't allow home-brewed solutions, as they want a vendor to call if I get hit by a spam

Re: abuse of all_spam_to

2006-07-20 Thread Ken A
See http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient Ken A Pacific.Net Patrick Wolfe wrote: I noticed today that an image spam email passed through my sendmail/mimedefang/spamassassin config, because it was addressed to multiple

Re: abuse of all_spam_to

2006-07-20 Thread Ken A
Patrick Wolfe wrote: Ken A wrote: See http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient Ken A Pacific.Net I don't believe this will help, since mimedefang runs spamassassin during the inbound SMTP session, befor

Re: postini.com

2006-07-31 Thread Ken A
jdow wrote: From: "jdow" <[EMAIL PROTECTED]> postini.com is spewing an image spam that is getting through filters. Worse yet they are using acm.org as a relay More specifically the first one of these spams I received was from a Brazilian address. The next two, of a set of three, were

Re: postini.com

2006-08-01 Thread Ken A
Theo Van Dinter wrote: On Mon, Jul 31, 2006 at 04:11:43PM -0700, Ken A wrote: These image spams are not easy to stop. I'm finally getting them with a 'full' rule matching a string that is common in the base64 encoded image part. I'm sure the image will change friday a

Re: Image spams getting thru

2006-08-01 Thread Ken A
Jim Maul wrote: John D. Hardin wrote: On Tue, 1 Aug 2006, Ramprasad wrote: How about sending "450 Please Try later" to every mail with an inline image and then somehow verify if it really comes back. (Obviously not my original idea :-) ) The problem there, again, is that you've already us

Re: What changes would you make to stop spam? - United Nations Paper

2006-08-01 Thread Ken A
Marc Perkel wrote: I'm writing a paper that I'm submitting to an Internet Governance Forum of the United Nations. Keeping in mind that free speech and freedom is important, what would you change in the world to stop spam? I'm looking for things that are actually possible and practical. Suggest

Re: What changes would you make to stop spam? - United Nations Paper

2006-08-02 Thread Ken A
jdow wrote: From: "Marc Perkel" <[EMAIL PROTECTED]> Magnus Holmgren wrote: On Wednesday 02 August 2006 21:29, Marc Perkel took the opportunity to say: The zombies wouldn't be able to connect because the zombies wouldn't have the IMAP password. In that case, neither the SMTP passwor

Re: What changes would you make to stop spam? - United Nations Paper

2006-08-02 Thread Ken A
jdow wrote: From: "Ken A" <[EMAIL PROTECTED]> That's crazier than I thought you were. If you expect the average user to go along with that you're not connected with reality very well. Your idealism is getting in the way. He's engaged in marc-eting ? sorry...

Re: Word Doc spam

2006-08-11 Thread Ken A
Chris Santerre wrote: -Original Message- From: Rob Poe [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 5:40 PM To: Kenneth Porter; users@spamassassin.apache.org Subject: Re: Word Doc spam I got one of these too... Kenneth Porter <[EMAIL PROTECTED]> 8/8/2006 8:07 AM >>> -

Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-14 Thread Ken A
il hub bounces it back to the gateway and it tries to send it back to the domain who's MX is localhost.fabulous.com. We use MailScanner, so there's a ~3 sec delay between when the gateway accepts the mail and when it's delivered to the mail hub. Ken A. Pacific.Net Theo Van Dint

Re: Perfect spamassassin setup?

2006-08-29 Thread Ken A
http://mailwatch.sourceforge.net/ Doesn't do per user SA rule scores since it works with MailScanner, and MailScanner doesn't support that, but does do pretty much everything else SA, clamav and MailScanner do, including logging to mysql, quarantine & release, plus some pretty g

Re: Perfect spamassassin setup?

2006-08-29 Thread Ken A
DAve wrote: Ken A wrote: http://mailwatch.sourceforge.net/ Doesn't do per user SA rule scores since it works with MailScanner, and MailScanner doesn't support that, but does do pretty much everything else SA, clamav and MailScanner do, including logging to mysql, quarantine

ie / oe 0day rule?

2006-09-15 Thread Ken A
ood idea.. Any thoughts on this? full LOCAL_09152006_0_DAY /DirectAnimation.PathControl/i describe LOCAL_09152006_0_DAY DirectAnimation.PathControl object code score LOCAL_09152006_0_DAY 10 Ken A. Pacific.Net

Re: ie / oe 0day rule?

2006-09-15 Thread Ken A
Daniel T. Staal wrote: On Fri, September 15, 2006 4:34 pm, John D. Hardin said: On Fri, 15 Sep 2006, Ken A wrote: Seems like testing for "DirectAnimation.PathControl" would be a good idea.. Any thoughts on this? full LOCAL_09152006_0_DAY /DirectAnimation.PathControl/

Re: Fw: failure notice / spaassassin.apache.org

2006-09-29 Thread Ken A
It looks like you are listed in spamcop and apparently Comcast is either using spamcop or they have their own list that is blocking you. You really need to contact comcast about this, not the spamassassin list. This list has nothing to do with your problem. See: http://spamcop.net/w3m?action=ch

Re: [OT] Re: Fw: failure notice / spaassassin.apache.org

2006-09-29 Thread Ken A
Andreas Pettersson wrote: Ken A wrote: It looks like you are listed in spamcop and apparently Comcast is either using spamcop or they have their own list that is blocking you. Comcast themselves are using a spam filter? (Let me taste that line one more time...) Comcast themselves are

OT : aol blocking URLs with IPs rather than hostnames?

2006-10-02 Thread Ken A
Anyone else seen this one? http://postmaster.info.aol.com/errors/554hvuip.html Seems rather harsh, but probably quite effective. Ken A. Pacific.Net

Re: OT : aol blocking URLs with IPs rather than hostnames?

2006-10-02 Thread Ken A
Adam Lanier wrote: On Mon, 2006-10-02 at 12:36 -0700, Ken A wrote: Anyone else seen this one? http://postmaster.info.aol.com/errors/554hvuip.html Seems rather harsh, but probably quite effective. As reported on the SPAM-L mailing list, this was an error on AOL's part. According t

Re: OT - verify addresses

2006-10-05 Thread Ken A
. OSSEC HIDS, http://ossec.net/ or something similar can block the IP using iptables or hosts.deny. It will automatically un-block after a configurable time period. Useful for web/smtp/ftp/etc.. attacks also. Ken A. Pacific.Net Wolfgang Hamann I can't speak for others, but our server p

spam attacks - so and so wrote about a stock

2006-10-18 Thread Ken A
These stock spams are usually dead easy to catch with spam assassin, but there's no "quick response" rules database available to get a new rule. It's a battle of hours, not days with these stock spams. Any thoughts on how to best address this issue, other than every SA admin on the planet writin

Re: spam attacks - so and so wrote about a stock

2006-10-18 Thread Ken A
e going to send before they send it.. That doesn't sound like an open source project. ;-) Thanks, Ken A. Thanks, Chris Santerre SysAdmin and Spamfighter www.rulesemporium.com www.uribl.com

Re: Phishing

2009-04-26 Thread Ken A.
Neil Schwartzman wrote: On 24/04/09 11:44 PM, it was written: Most people do not fall for it, but the dumbest ones do fall for it. This is not a question of intellect, it is a question of the verisimilitude of the messaging. both might probably more true than false. In fact I could think of

Re: DOB Lookup Timeouts

2009-05-06 Thread Ken A
Raymond Dijkxhoorn wrote: Hi! I wanted to ask if others were seeing timeouts with the DOB lookups within spamassassin. Also, it looks like their website http://www.support-intelligence.com/dob/ is timing out as well. Are others seeing this as well? I'm assuming most are zero'ing out the rul

Re: Barracuda Blacklist

2009-05-28 Thread Ken A
Neil Schwartzman wrote: - Thank you for contacting Barracuda Networks regarding your issue. ... There are a number of reasons your IP address may have been listed as "poor", including: ... 8. In some rare cases, your recipients'

Re: BOTNET timeouts?

2009-06-11 Thread Ken A
I've had no trouble with Botnet timeouts, but just now patched anyway, to avoid any potential trouble. I, and many others appreciate how responsive you've been with your sanesecurity work, but not everyone has the same resources. Whenever I install GNU free software, I have to remember this. If

Re: Directory Harvest Attack

2008-05-23 Thread Ken A
Jason Holbrook wrote: I am undergoing a massive directory harvest attack. Is there a good set of rules that will help stop this or a place anyone could point me. Assuming you are doing obvious things, like not accepting mail for non-existent users, and using whatever tweaks are available in yo

Re: DNS ISP Host List Available

2008-05-29 Thread Ken A
Marc Perkel wrote: I've also created a DNS based list of domains that provide consumer dynamic IP address space. I'm using this list internally but thought I'd make it public in case others can use it. Trying to inspire innovation. Example: dig comcast.com.isphosts.junkemailfilter.com This

Re: DNS ISP Host List Available

2008-05-30 Thread Ken A
John Hardin wrote: On Thu, 29 May 2008, Ken A wrote: http://www.rhyolite.com/anti-spam/you-might-be.html So how is a proponent of the "Hunt down and kill spammers very messily" FUSSP classified? I'm suggesting that some homework should be done before creating a list of t

Re: DNS ISP Host List Available

2008-05-30 Thread Ken A
pire innovation. Example: dig comcast.com.isphosts.junkemailfilter.com This list was created by grabbing the registry barrier part of the domain name of IPs from other DNS lists that list the IPs as dynamic. Ken A wrote: NJABL & PBL already provide this, AND they are already pa

Re: List of Banks often spoofed in Phishing scams

2008-06-05 Thread Ken A
Graham Murray wrote: ram <[EMAIL PROTECTED]> writes: That is not practical. At least in India, Banks use third party servers to send their mailers often. And the ips have PTR's & HELO's which don't match the banks', because these don't belong to the bank Which practice does nothing at all to com

Re: I need your spam!

2008-06-06 Thread Ken A
What is this the junkemailfilter announce list? Give it a rest. Ken Marc Perkel wrote: Actually - I just need your spam attempts. I have a way to detect spambots on the first try and add them to my blacklist at hostkarma.junkemailfilter.com Sp - if you want to participate and lose a chunk

Re: Day Old Bread/Spammers

2008-07-03 Thread Ken A
# host contagiousensemble.com.black.uribl.com contagiousensemble.com.black.uribl.com has address 127.0.0.2 uribl.com + milter-link = rejected spam Ken Mailing Lists wrote: Here's today's first WagonJumper's email ... the domain has a registry date back in October 2007. One of the bottom img

Re: Detecting the Registrar of the sending host?

2008-07-07 Thread Ken A
Marc Perkel wrote: Yet Another Ninja wrote: On 7/2/2008 6:05 PM, Marc Perkel wrote: Is there an easy way to detect the registrar of a domain through DNS? For example - can I easily figure out if an email I'm processing is hosted by GoDaddy or Tucows? Here's what I'm thinking. I think ther

Re: mysterious spam - what is this trying to do?

2008-07-29 Thread Ken A
Can be a probe too. Accepting mail from that IP with that content says something about your system. Spammers aren't stupid. They fingerprint us just like we fingerprint them. Ken Pacific.Net Karsten Bräckelmann wrote: Please do NOT *reply* to a mail, if you start a new thread. Changing the Su

Re: mysterious spam - what is this trying to do?

2008-07-30 Thread Ken A
Arvid Ephraim Picciani wrote: On Wednesday 30 July 2008 00:55:50 mouss wrote: Ken A wrote: Can be a probe too. Accepting mail from that IP with that content says something about your system. Spammers aren't stupid. They fingerprint us just like we fingerprint them. If I was a spammer, I

Re: mysterious spam - what is this trying to do?

2008-07-30 Thread Ken A
ram wrote: On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote: Arvid Ephraim Picciani wrote: On Wednesday 30 July 2008 00:55:50 mouss wrote: Ken A wrote: Can be a probe too. Accepting mail from that IP with that content says something about your system. Spammers aren't stupid. They finger

Re: Blacklist Mining Project - Project Tarbaby

2008-08-26 Thread Ken A
Ralf Hildebrandt wrote: * Robert Schetterer <[EMAIL PROTECTED]>: Project Tarbaby helps you reduce spam and helps us build our blacklist. This is done by adding a fake MX record to your existing MX lists that could be seen as a security risk cause in rare cases you may receive legal mails i.

Re: Blacklist Mining Project - Project Tarbaby

2008-08-26 Thread Ken A
Ralf Hildebrandt wrote: * Ken A <[EMAIL PROTECTED]>: How? He tempfails all mails. Are you asking how sending your customer, or company email off someplace you don't control might be a security risk? It's in no way more dangerous than using Postini... Have you compared Po

Re: Blacklist Mining Project - Project Tarbaby

2008-08-26 Thread Ken A
Marc Perkel wrote: Ken A wrote: Ralf Hildebrandt wrote: * Robert Schetterer <[EMAIL PROTECTED]>: Project Tarbaby helps you reduce spam and helps us build our blacklist. This is done by adding a fake MX record to your existing MX lists thats could be seen as a security risk ca

Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ken A
DAve wrote: Jeff Chan wrote: [Pardon the spam; thought this new blacklist might be worth at least trying.] Apparently Barracuda will be publishing a free-to-use sender blacklist called BRBL: http://www.barracudacentral.org/rbl Haven't tried it myself but thought it may be of interest. We

Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Ken A
Rose, Bobby wrote: I had the same issue and found that the system that's relaying (216.129.105.40) those confirmation emails doesn't have a PTR record. You'd think someone selling an antispam/email appliance would be familiar with the RFCs. -Original Message- From: Justin Piszcz [mailto:[

Re: Trying out a new concept

2008-09-22 Thread Ken A
Marc Perkel wrote: I don't know how this will work but I'm building the data now. For those of you who are familiar with Day old bread lists to detect new domains, as you know there's a lag time in the data and they often don't have data from all the registries. So - here's a different solution

Re: Trying out a new concept

2008-09-23 Thread Ken A
Marc Perkel wrote: Ken A wrote: Marc Perkel wrote: I don't know how this will work but I'm building the data now. For those of you who are familiar with Day old bread lists to detect new domains, as you know there's a lag time in the data and they often don't ha

Re: Trying out a new concept

2008-09-24 Thread Ken A
Marc Perkel wrote: Blaine Fleming wrote: John Hardin wrote: Why is it so flippin' difficult to get a feed of newly-registered domain names? Because the TLDs hate giving people access to the data and certainly won't provide a feed without a bunch of cash involved. Even worse, all the ccTL

Re: botnet dos

2008-10-14 Thread Ken A
Randy wrote: Martin Gregorie wrote: Why would a botnet waste resources by sending tens of thousands of spam to a single e-mail address? Is it really a spambot or could it be a DDOS attack? Martin It is both but not actually. :) It appears to be a spambot ( botnet ) , and it rea

Re: Feature Request: envelope scanning

2006-10-25 Thread Ken A
abled by Bcc, so if you have privacy considerations to worry about, you might think twice. envelope data is available to milters, so SA running via a milter could take this into consideration without including it in the header. Not sure if it does, but other milters certainly do. Ken A. Pacific.Net

Re: FW: MSGID_SPAM_LETTERS

2006-10-30 Thread Ken A
it's not hitting any ham, then you might be okay raising the score a bit. Note this isn't a scientific, nor thorough check, so ymmv.. Ken A Pacific.Net Suhas (QualiSpace) wrote: Hi friends, I just wanted to know whether increasing the score will lead to false positives or not. As

Re: R: BIG increase in spam today

2006-11-03 Thread Ken A
he milter will be unstable (see the explanation in the SPF section). -- snip -- Ken A Pacific.Net Thanks.

bondedsender.org timeouts

2006-11-06 Thread Ken A
Anyone seeing issues with rbl checks going to sa-trusted.bondedsender.org & sa-other.bondedsender.org ? Seeing some timeouts here this am. Any known issues? Ken A. Pacific.Net

Re: mail bounce warning for the list

2006-11-07 Thread Ken A
at FPs you can live with, not the method you use. You will have some FPs with any system that is designed to stop spam if it's any good. Yes, that is a contradiction, and that's the balance any sysadmin has to find. Ken A Pacific.Net mike

Re: I've got TORA.08 spelled with numbers?

2006-11-17 Thread Ken A
to be sure you didn't hit real short emails containing only numbers, like phone numbers, passwords, etc.. The one below also FPs on the real outlook client. The Date header seems to be a bit messed up.(space,tab,date) Might look at that too. ;-) Ken A Pacific.Net Cheers, -=Ray Justin Maso

spamassassin --lint soft errors on SARE rules

2006-12-05 Thread Ken A
'spamassassin --lint' gives me some soft errors on some SARE rules (see below) Are these known, 'ignore for now' sorts of things due to SA 2.x and SA 3.x installs, or should I be doing something about this? Is there any way to adjust --lint to not show these ? Thank

Re: Sorry Dhawal - no personal attacks allowed [OT]

2006-12-12 Thread Ken A
make about how this or that doesn't work (usually because you don't understand it), and the overly broad "how are we gonna make a better toaster?" questions really do increase the noise level quite a bit here. Some people on this list have to pay per kb of bandwidth used. Ken A. Pacific.Net

Re: Sorry Dhawal - no personal attacks allowed [OT]

2006-12-12 Thread Ken A
Jim Maul wrote: Ken A wrote: Dhawal Doshy wrote: Marc Perkel wrote: Well - if you don't like me then why don't you write a filter rule to delete message coming from me? I'm not going away so get used to it. If my threads weren't so damn interesting it wouldn't g

Re: Good source for IP addresses by country

2006-12-12 Thread Ken A
check_rbl_sub('nerds','127.0.0.156') describe RCVD_IN_NERDS_CN Received from China tflags RCVD_IN_NERDS_CN net score RCVD_IN_NERDS_CN 2.5 etc... See http://countries.nerd.dk/ for more info. Ken A Pacific.Net I’ve tried adding “.cn” and

Re: Good source for IP addresses by country

2006-12-13 Thread Ken A
Just add 10 to a test that matches everything, then subtract 10 for being in the U.S. Ken A. Pacific.Net Robert Swan wrote: Let's say I wanted to score everything but the US. Do I have to write rule for every country or is there an easier way? Robert header RCVD_IN_NERDS eval:chec

Re: Good source for IP addresses by country

2006-12-13 Thread Ken A
Giampaolo Tomassoni wrote: From: Ken A [mailto:[EMAIL PROTECTED] Just add 10 to a test that matches everything, then subtract 10 for being in the U.S. Yeah. And keep 10 for canada, mexico and south america... You're beginning to speak alone, isn't it? Well, the way I look at

Re: Topics for SA presentation?

2006-12-15 Thread Ken A
the Bayesian Girl Dancers. *cue Darude - Sandstorm* Ah, yes, that deep green Bayesian skin reminds me of home. "Captain, do you really think we'll find a Spam Assassin here?". "Oh, yes Scotty, I'm sure of it." Ken A Pacific.Net Thanks, Chris Santerre SysAdmin and Spamfighter www.rulesemporium.com www.uribl.com

Re: Odd spam

2006-12-17 Thread Ken A
cribe LOCAL_STOCK_1_TTEN TTEN stock spam score LOCAL_STOCK_1_TTEN 5.5 ymmv! Ken A Pacific.Net

Re: Any anti-spam solution against outgoing mail?

2006-12-29 Thread Ken A
also monitoring your IP space for any RBL listings, setting up TOS feedback loops with AOL, etc... All part of the hosting business these days.. Ken A Pacific.Net > > Thanks for your time.. > > _ > Send text messages straight from Messenger http://phonebuddy.msn.co.kr/

Re: Spam graphing

2007-01-22 Thread Ken A
f examples to build from http://cricket.sourceforge.net/contrib/ Ken A Pacific.Net Regards, Scott

Re: Need to block spam - help!

2007-01-22 Thread Ken A
rules, you'll be able to respond to this sort of thing much quicker. The risk of an FP is somewhat greater though.. Especially if you happen to have customers that get email from H&R Block, telling them how they will "increase the size of their" ... tax refund. Ken A Pacific.Net

Re: TVD_SILLY_URI_OBFU

2007-02-06 Thread Ken A
This extends to non url spam as well, of course.. ie: "replace the "R" with a "P" for the stock symbol spam, etc. We need to have a good rule(s) for all of the variations of the 'remove|replace|substitute' text. Ken A. Pacific.Net -- John Hardin KA7OHZ

Re: TVD_SILLY_URI_OBFU

2007-02-06 Thread Ken A
John D. Hardin wrote: On Tue, 6 Feb 2007, Ken A wrote: John D. Hardin wrote: I think the most robust non-DNS test would be on the length of the TLD in the obfuscated domain. There are too many possible obfuscations using valid characters. It doesn't matter what obfuscation character

lookup scores

2006-01-05 Thread Ken A
Is there any way to ask spamassassin what the score of a particular rule is? I have rules here and there, and would like to be able to easily look up the score of a rule without grepping all over the place. Ideas? Thanks, Ken

Re: lookup scores

2006-01-05 Thread Ken A
Bowie Bailey wrote: Kris Deugau wrote: Ken A wrote: Is there any way to ask spamassassin what the score of a particular rule is? I have rules here and there, and would like to be able to easily look up the score of a rule without grepping all over the place. Pass a mail that you know triggers

seeing a lot of these?

2006-05-10 Thread Ken A
Body. I assume it's a spam trojan run amok? Currently, I just added a META rule to deal with them appropriately. Anyone else seeing these? Ken A Pacific.Net

Re: seeing a lot of these?

2006-05-10 Thread Ken A
Bowie Bailey wrote: Ken A wrote: EMPTY_MESSAGE 1.50, MISSING_HEADERS 0.19, MISSING_SUBJECT 1.34, MSGID_FROM_MTA_HEADER 0.00, MSGID_FROM_MTA_ID 0.93, NO_REAL_NAME 0.55, TO_CC_NONE 0.13, UNCLOSED_BRACKET 2.48 ? We are seeing many, many hundreds of these very small messages, with NO Subject: or

Re: AW: WebGUI for Spamassassin?

2006-05-12 Thread Ken A
Christian Reiter wrote: Hi Patrick! is there any WebGUI for training and managing Spamassassin like DSPAM uses one? May Maia Mailguard could help you: http://www.renaissoft.com/maia/ Or MailWatch if you use MailScanner/SA. http://mailwatch.sourceforge.net/ Ken A Kind Regards

Re: Isssues after upgrading / updating SA

2006-06-02 Thread Ken A
"spamassassin time out" can be caused by slow dns lookups. I assume you are using the rbls in S.A., and not MailScanner? Are you running a local caching nameserver? What do `vmstat` and `free` say? Any swap in use? If yes, get more ram. 1gb ram would be a good place to start for a MailScanner/

Re: spam graphs

2007-04-05 Thread Ken A
Jim Knuth wrote: Today (05.04.2007/02:34) Luis Hernán Otegui wrote: Well, if you have Postfix and Amavis, I've tried amavis-stats (a little bit old now, and frankly, never worked correctly on my Debian-based servers). I'm currently using Mailgraph, from the Debian package. Works like a

DKIM_POLICY_SIGNSOME matches all mail

2007-05-07 Thread Ken A
According to: http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_release_3_2_0/Changes - separate a signature verification from fetching a policy, which makes it possible to avoid one DNS lookups (by not fetching a policy) for each unverified message by setting score to 0 for al

:3793/xpopup.js and _popupControl() ?

2007-05-11 Thread Ken A
Does anyone know what is injecting this "3793/xpopup.js" and "_popupControl()" all over the place. There's usually a http://127.0.0.1 in front of the port :3793 I'm seeing it in webpages and email (not mine! google for it and you'll see what a mess it's making). I've searched and all I see

Re: So you wanted to firewall your mail server...

2007-05-11 Thread Ken A
Ernie Dunbar wrote: We just put our mailserver (with SpamAssassin of course) behind a firewall, and now we get many many interesting error messages from spamd telling me that there's no route to some host or other. I tweaked the DnsResolver.pm module to show what host it was trying to route to, a

Re: zen.spamhaus.org

2007-06-01 Thread Ken A
Jerry Durand wrote: On Jun 1, 2007, at 6:48 AM, Luis Hernán Otegui wrote: Search through the archives, there was a patch to add it to SA. Also note, do NOT use Zen to evaluate headers or anything in the body. Unless of course you need to. ;-) http://wiki.apache.org/spamassassin/TrustedRel

Re: zen.spamhaus.org

2007-06-01 Thread Ken A
Jerry Durand wrote: At 08:47 AM 6/1/2007, Ken A wrote: Jerry Durand wrote: On Jun 1, 2007, at 6:48 AM, Luis Hernán Otegui wrote: Search through the archives, there was a patch to add it to SA. Also note, do NOT use Zen to evaluate headers or anything in the body. Unless of course you need

Re: zen.spamhaus.org

2007-06-01 Thread Ken A
Jerry Durand wrote: On Jun 1, 2007, at 11:54 AM, Richard Frovarp wrote: That's assuming you aren't using it intelligently. SA checks all received headers via Zen to see if they are in the SBL. PBL and XBL are only checked against last external header, via Zen. Ah, nobody mentioned that S

www.uribl.com

2007-06-06 Thread Ken A
Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-( -- Ken Anderson Pacific.Net

Re: www.uribl.com

2007-06-06 Thread Ken A
From: Ken A [mailto:[EMAIL PROTECTED] Sent: 06 June 2007 17:38 To: users@spamassassin.apache.org Subject: www.uribl.com Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-( -- Ken Anderson P

Re: www.uribl.com

2007-06-06 Thread Ken A
Raymond Dijkxhoorn wrote: Hi! Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-( There are some botnets having fun with both URIBL and SURBL. Bye, Raymond. Ah, yes www.surbl.org has gone missing too. Forget national id
