for
1. rejects of high-rate @sender.garbage.domain or rhsbl garbage domains
or
2. hold: for high-rate @sender.domain,
here is the distribution of qty of letters in the 2nd level label for preceding
10 days:
9 chars: 34 domains
10 : 30
11 : 23
12 : 180
13 : 16
14 : 15
Which corresponds t
At 12:41 AM 8/31/2010, you wrote:
>On Mon, 30 Aug 2010, Len Conrad wrote:
>
>>for
>>
>>1. rejects of high-rate @sender.garbage.domain or rhsbl garbage domains
>
>Can you provide a sample of each pls?
My msg had nearly 250+ examples of 12-letter .tld
Len
>Dete
-- Original Message --
From: John Hardin
Date: Tue, 31 Aug 2010 08:20:33 -0700 (PDT)
>On Tue, 31 Aug 2010, Len Conrad wrote:
>
>> At 12:41 AM 8/31/2010, you wrote:
>>> On Mon, 30 Aug 2010, Len Conrad wrote:
>>>
>>>
no wrap on my 20" screen, sorry for the wrap here.
high-rate 12-letter sender domains:
hold:'s for excessive sender per unknown client IP
egrep -i "postfix.*hold: .*CLIENT_" /var/log/maillog | egrep -i unknown | awk
'{print $10,$(NF-3), $NF}' | sort -f | uniq -ic | sort -t[ -k2 | sed -e 's/\[/
-- Original Message --
From: Marc Perkel
Date: Wed, 01 Sep 2010 14:32:40 -0700
> Anyone else seeing an increase in .info spam?
yeah, tons of it.
rejects for last preceding 10 days:
bzegrep -ic "postfix.*reject:.*\.info" /var/log/mx1.hctc.net/maillog.[
>Mem:772880k total, 685316k used,87564k free,31344k buffers
>Swap: 1076312k total, 249032k used, 827280k free, 156328k cached
250MB swapped, for less than 1 GB RAM, used is disastrous for an MTA.
Increase RAM to 2GB, or until swap is always "0k used"
Len
>Are you sure? At the moment I can not resolv the name truncate.gbudb.net.
that's correct, and OK.
and you can't resolve zen.spamhaus.org, either. :)
truncate is a good RBL, in my experience of a couple months. It picks up some
bad stuff that gets past b.barracuda and zen.
Len
>
We've had 10+ of these. Our cracked users can't say what it was they did to
get cracked.
We HOLD: them with postfwd sender rate-limiting on our outbound mx.
Never in the 1000s usually 100 to 150 per batch.
Anybody know of any email that is a vector for this probable phish?
Len
>Came up with a cool trick that seems to be working well after running for
>several months.
I do the same by harvesting the IPs that fail SMTP AUTH a number of times, and
then if more than a number of IPs in a ClassC, I block the entire ClassC.
I don't care about the body of the msgs they AUTH
-- Original Message --
From: Gary Smith
Date: Wed, 26 Aug 2009 12:29:24 -0700
>I've been finding a lot of singletons in the AWL db for domains that are all
>spam. Is there a way put an entire domain into AWL or set it up to give an
>average score for th
>>>postmap -q "weekendhotdeals.info" mysql:/usr/local/etc/postfix/mysql-
>>>from_senders_rhsbl.cf
>>>554 RHSBL_DOMAIN
>
>post the mysql map
it's a two-field table, just like a postfix .map file, index + data
1. rhsbl_domain
2. 554 RHSBL_DOMAIN
>, without password of course if you want to shar
-- Original Message --
From: Warren Togami
Date: Sun, 04 Oct 2009 19:42:06 -0400
>http://spameatingmonkey.com
>
>Anyone have any experience using these DNSBL and URIBL's?
I plugged these into my main.cf just before "permit", and therefore before
con
-- Original Message --
From: Michael Scheidell
Date: Mon, 01 Feb 2010 10:11:36 -0500
>I am almost ready to post the pr to upgrade SA 3.2.5 to SA 3.3.0 which
>is the first step in getting the SA 3.30 port officially on FreeBsd
>ports system.
>Prior to thi
portupgrade -R p5-Mail-SpamAssassin.
freebsd 6.3-R
I used this, but various "bits kept breaking" so I added -k -v -f,
and now kerberos is messed up, killing ssh and telnet into the machine:
for sshd:
/libexec/ld-elf.so.1: shared object "libkrb5.so.8" not found required by "sshd"
lots of
Both sshd and libkrb5.so.8 are part of the base system so I guess
you messed up something else.
I claim innocence. portupgrade of spamassassin messed it up.
Does libkrb5.so.8 exist (usually in /usr/lib/)?!
no.
installed heimdal then krb5 from ports, no
problem. re-booted. same msgs a
Does libkrb5.so.8 exist (usually in /usr/lib/)?!
after installing heimdal and krb5 from ports with no errors:
find / -iname "libkrb5.so.*"
/usr/local/lib/libkrb5.so.21
/usr/compat/linux/usr/lib/libkrb5.so.3
/usr/compat/linux/usr/lib/libkrb5.so.3.2
/usr/ports/security/heimdal/work/heimdal-0
Does libkrb5.so.8 exist (usually in /usr/lib/)?!
no.
installed heimdal then krb5 from ports, no
problem. re-booted. same msgs as before in sshd logs. sshd
won't allow any logins. and complains same as before.
Did you install security/krb5 or security/heimdal from ports?
yes, after
Traffic from UltraDNS.net PTRs has been suspect, but I never really
looked at them until today.
The following stats are from one of two equal preference secondary
MXs, where there are 3 equal preference primary MXs active. The
quality of the secondary traffic is extremely low. The overwhelm
example:
Sep 16 01:18:22 mx1 amavis[11483]: (11483-01-31) Passed CLEAN, [12.xx.40.141]
[12.xx.40.141] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL
PROTECTED]>, mail_id: 2M64mzvIA3wf, Hits: -, queued_as: 2CC9D1AF49B, 407 ms
is "-" the same as "0.0", or something else?
Len
FreeBSD 6.2
re2c-0.13.5
SpamAssassin version 3.2.5
running on Perl version 5.8.8
Wdeclaration-after-statement -I/usr/local/include -O2 -fno-strict-aliasing
-pipe-DVERSION=\"1.0\" -DXS_VERSION=\"1.0\" -DPIC -fPIC
"-I/usr/local/lib/perl5/5.8.8/mach/CORE" body_0.c
cc -c-DAPPLLIB_E
>From updates_spamassassin_org/20_dnsbl_tests.cf, using this as a model for a
>multi-valued DNS blacklist query:
header __RCVD_IN_SORBS eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
describe __RCVD_IN_SORBS SORBS: sender is listed in SORBS
tflags __RCVD_IN_SORBS net
header
We're trying it today.
For the same period of about 4.5 hours, zen had about 110 hits, while
b.barracuda had about 165.
Len
__
IMGate OpenSource Mail Firewall www.IMGate.net
>> For the same period of about 4.5 hours, zen had about 110 hits, while
>> b.barracuda had about 165.
>
>What about overlap? Were the barracuda hits only those that skipped by
>zen? Thanks.
for the same period, zen = 153 hits, barracuda = 226 hits
when I comm the two sorted files, zen and bar
I've been trying out ixhash today. It seems to be quite accurate on spam, but
adds no increment to the spam already identified by sa. It just runs up the
score:
egrep -i 'spam\,.*(ixhash)' /var/log/maillog | awk '{print $12}' | less
score=33.423
score=25.893
score=28.28
score=24.472
score=29.4
FreeBSD 6.2
2 GHz
1 GB RAM
Amavisd-new
400 KB max msg size to scan
10 servers
TIMING shows sa-check taking 85% - 90%
spamassassin:
rulesets:
updates.spamassassin.org
saupdates.openprotect.com
sought.rules.yerp.org
We run sa-compile.
external checks: pyzor, razor, dcc
bayes uses Berkeley
>
>Are you using shortcircuit?
no. I'll look into it
>Also you might graylisting with a very short retry time. That can
>reduce incoming spam 20+% or so.
We already run greylisting and envelope policies before amavis content-filter,
so our content-scanning sees only about 10% of the raw MX t
>On 16/10/2008 8:57 PM, Len Conrad wrote:
>> FreeBSD 6.2
>> 2 GHz
>> 1 GB RAM
>
>> In business hours (08:00-17:00), traffic inbound is about 400 msgs/hour
>
>400 msgs/hr for a 2GHz processor shouldn't really even show up as
>noticeable load.
glad to
>Are you using your provider's DNS server?
no, BIND on the local machine, no forwarding.
As I mentioned, we are doing RBL check in a policy service also, so RBL checks
in SA will be answered from local cache.
Len
__
IMGate OpenSource Mail Firewal
>My guess is that you have too many processes running for the amount of
>ram you have.
each vscan process takes 60 - 75 MB.
When the machine is way behind, there is 200 - 300 MB of free + inactive RAM.
On this fbsd 6.2, "Top version 3.5beta12" doesn't show the swap info, "Swap: "
is a blank lin
>># host mail.example.com
>>mail.example.com is an alias for hostname.example.com.
>>hostname.example.com has address 1.2.3.4
>
>
>Wrong. The MX record has to point to an A name, not a CNAME.
what?
MX record's data field is a domain name
That domain name owns one or more A records.
With mai
>How do I correct this problem? When I run 'nslookup 74.220.16.65' from various
>machines it shows the correct answer.
dig cronus.intersessions.com. @ns.intersessions.com. +short
74.220.16.65
dig -x 74.220.16.65 @ns.intersessions.com. +short
cronus.intersessions.com.
so there is PTR+A "match".
>we have noticed that sagrey has roughly 95% effective re: % of spam hits in
>our environments
We find that bad recipients, then selective greylisting kills 90%+.
>is anyone here that is using sagrey come up with some really effective meta
>rules using it??
greylisting after DATA seems so ineff
I just pushed out an update for 3.1 which includes 7 and 8. Not sure why
those weren't in there before. :(
I'm getting NO hits for anything but .2, .4, .5, .11
Len
With the severe obfuscation of spam images with:
1) low-contrast between f/g and b/g and
2) random images/edges in the b/g,
... how effective is FuzzyOCR in OCR accuracy?
Len
I am a bit worried about blocking people with dynamic IP addresses say from
their ISP, if they "inherit" an IP address recently used by an infected PC
they will still be in the RBL and get blocked.
Machines on dynamic IPs should not be doing direct-to-MX submission,
so block their entire netw
Anybody got any links / how-to for setting up SA as postfix policy service?
I want SA policy service to perform only envelope checks, not content scans.
thanks
Len
Since the actual headers are not available
headers are DATA/content, and aren't in the envelope data passed to the
policy service, so
Port 587 is the mail submission port. That port should accept mail
only after SMTP AUTH, no matter whether the submitter is on "my
networks" or roaming. What's the point of accepting unauthenticated
submission on port 587 (or any port)?
Port 25 is the mail relay port (no authentication for M