Re: Oops - drug rules need more work

2005-05-08 Thread List Mail User
missionandgoal. com has made [ob] on SURBL, but it also hits the rfci lists for "whois", "postmaster", "DSN" and "bogusmx" - the "abuse" nomination is pending. Paul Shupak [EMAIL PROTECTED]

Re: Oops - drug rules need more work

2005-05-08 Thread List Mail User
>... > >At 09:59 PM 5/8/2005, mouss wrote: >>rfci lists so many people that one can't rely on (they list yahoo, aol, >>hotmail, ) except for a personal site (or a company where you can >>enforce your rules). A fascist approach might (seem to) work, but it'll >>never solve the real problems.

More URI tests to drive up scores (was Re: Implicit trust of surbl and sbl)

2005-01-08 Thread List Mail User
I have used the following rules (which greatly overlap the existing URI rules) to drive up scores, while not repeating the same tests or increasing the scores for existing tests. YMMV, but they work for me (v3.0.x). uridnsbl URIBL_COMPLETEWHOIS combined-HIB.dnsiplists.complet

RE: Postfix relay problem with SA ?

2005-01-11 Thread List Mail User
Check rfc-ignorant.org for the domain "bsweetinc.com". Basically checked and listed after your first message - many strange games in their bag. BTW., My Postfix setup would have bounced it also (and now many more people will). Paul Shupak [EMAIL PROTECTED]

Re: White list problem

2005-01-12 Thread List Mail User
Everyone seems to be missing the forged HELO which (incorrectly) used the IP address of the receiving machine. This seems to have fooled both your MTA; The critical headers are: > > Received: from 61.32.186.51 by kukla (envelope-from <[EMAIL PROTECTED]>, > > uid 71) with qmail-scanner-

Re: White list problem

2005-01-12 Thread List Mail User
>>From [EMAIL PROTECTED] Tue Jan 11 18:23:25 2005 >... > >On Tue, Jan 11, 2005 at 05:46:58PM -0800, List Mail User wrote: >> Everyone seems to be missing the forged HELO which (incorrectly) used >> the IP address of the receiving machine. This seems to have fo

(was Re: DIGEX) dnsreports.com/dnsstuff.com

2005-01-19 Thread List Mail User
>>From [EMAIL PROTECTED] Tue Jan 18 15:55:21 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >... From: Matt Kettler <[EMAIL PROTECTED]> >... >No listing in any blacklists: >http://www.dnsstuff.com/tools/ip4r.ch?ip=164.109.26.27 > I don't know about digex, but

Re: very handy new whois tool

2005-01-19 Thread List Mail User
This tool has been abused and is known (and blocked) by many spammers (unfortunately). Paul Shupak P.S. It is still always worth a try though.

Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com

2005-01-19 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Jan 19 06:22:05 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >... >List-Id: >Delivered-To: mailing list users@spamassassin.apache.org >... > >At 10:44 PM 1/18/2005, List Mail User wrote: >> I don't know abou

Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com

2005-01-19 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Jan 19 06:57:31 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >.. >Subject: Re: (was Re: DIGEX) dnsreports.com/dnsstuff.com > > >>A message (from <[EMAIL PROTECTED]>) was received at 19 Jan 2005 >>14:21:48 +. >> >>The following addresses had delivery

Re: announcing new functionality in bugzilla: auto mass-checks

2005-01-26 Thread List Mail User
Looks great. I've added comments to #4104 and #4105 just to be able to see these results. Please tell me if I've done anything incorrectly (the rules had been/are originally specified as an attachment). Thanks in advance, Paul Shupak

Re: new strategy?

2005-02-09 Thread List Mail User
Richard Gray wrote: >Please just throw fish at me if this has already been proposed, but I >was thinking today about what aspects of spamming a spammer finds hard >to change. > >Changing names and IP addresses are easy, but I imagine that finding a >DNS server that will be authoritative for the

RE: URIDNSBL error

2005-02-15 Thread List Mail User
Chris, Yes. Try using the rfci lists and/or AHBL (no they're not in the code base as delivered, but they work very well). Paul Shupak [EMAIL PROTECTED] >>From [EMAIL PROTECTED] Tue Feb 15 10:53:26 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Prece

Re: accuracy

2005-02-25 Thread List Mail User
>>From [EMAIL PROTECTED] Fri Feb 25 01:19:46 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: >list-unsubscribe: >List-Post: >List-Id: >Delivered-To: mailing list u

Re: commercial license

2005-02-25 Thread List Mail User
No city "shiraz California" No zipcode in America of 71436 +98 in the prefix for Iran; +98:711 is Shiraz, Iran No resolvable reverse DNS for the domain or its name servers. Anyone else try to check out the fellow who wants us to accept unresolvable domains? - [EMAIL PROTECTED]/[EMAIL PROTECTED]/

Re: Amazon is killing me....

2005-02-28 Thread List Mail User
>>From [EMAIL PROTECTED] Mon Feb 28 07:23:40 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: >list-unsubscribe: >List-Post: >List-Id: >Delivered-To: mailing list u

Re: another request for RECEIVED[x] array

2005-03-02 Thread List Mail User
>... >List-Id: >Delivered-To: mailing list users@spamassassin.apache.org >Delivered-To: [EMAIL PROTECTED] >... >Date: Tue, 01 Mar 2005 19:32:22 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >

Re: another request for RECEIVED[x] array

2005-03-02 Thread List Mail User
>>From [EMAIL PROTECTED] Tue Mar 1 18:30:49 2005 >Date: Tue, 01 Mar 2005 21:30:33 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: List Mail User &

Re: another request for RECEIVED[x] array

2005-03-02 Thread List Mail User
>>From [EMAIL PROTECTED] Tue Mar 1 22:15:46 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >... >To: List Mail User <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], [EMAIL PROTECTED] >Subject: Re: another request for RECEIVED[x] array >References: <[EMAIL

Re: Typical spam not detected at all.. there is no rule for it :-\

2005-03-02 Thread List Mail User
Marian, For these stock scams, bayes is your friend; Parsing it locally I get Content analysis details: (3.2 points, 5.0 required) pts rule name description -- -- 0.1 MISSING_HEADERS

RE: Typical spam not detected at all.. there is no rule for it :- \

2005-03-02 Thread List Mail User
Chris, I know you don't like bayes, but it is the best single tool for stock scams. The trouble with counting '|' is the frequency of transcribed spreadsheets would give too many FPs (typical is to use '|' to separate the columns). Most stock scams use non-obfuscated words to look

Re: Webmail and IP rules

2005-03-02 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Mar 2 15:01:17 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >... >Delivered-To: mailing list users@spamassassin.apache.org >... > >I think the problem is being caused by IMP being "too good" at >generating a Received header that looks like a normal one a

Re: Webmail and IP rules

2005-03-03 Thread List Mail User
Dave, You have a few valid points, and the rule may be misnamed with HELO at its prefix; But look at some email coming from the free services like Yahoo!, Hotmail or Gmail and you will see HTTP (as well as other protocols; Hotmail/MSN also uses both of the MS proprietary protocols

Re: Webmail and IP rules

2005-03-03 Thread List Mail User
Shane, Your example *is* much better. What you are showing, if my assumptions are correct (I list them below) is everything working exactly as it is designed to - i.e. both IMP and SA are doing the correct things. 1) I assume that the receiving host "mail.ischool.utexas.edu" is a

Re: Webmail and IP rules

2005-03-03 Thread List Mail User
I looked at the code and it sure seemed to use both trust and internal to me (I looked at 3.0.2, but tested on 3.0.1). So I constructed a small example from your headers; I used as input: Return-Path: <[E

Re: SURBL missing this spam

2005-03-05 Thread List Mail User
Martin, The domain you gave, " crazyrxl0wprices-munged.com" hits (for me), three SURBL lists ( _AB_, _OB_, and _SC_), also it hits the SBL and also hits combined-HIB.dnsiplists.completewhois.com. Since its registration data is pretty much completely bogus, by this time tomorrow, i

Re: Quinlan interviewed about SA

2005-03-05 Thread List Mail User
>> using whitelist_from_rcvd), make a lot of sense to me. > >If some mentally deficient spammer has the stupidity to maintain an SPF >record for his spam site that is identified in black lists he probably >should get some additional Brownie Points for his stupidity, eh? > >{^_-} > Just came

Re: [SPAM-TAG] SURBL missing this spam

2005-03-05 Thread List Mail User
Duncan, As written your rule only checks for a ':' immediately before a '/'. But at least one valid use of the colon is http://[EMAIL PROTECTED]:host, which is defined as part of the standard HTTP protocol. Paul Shupak [EMAIL PROTECTED]

Re: Interesting new spam!

2005-03-08 Thread List Mail User
Regarding spuries-munged.com: Notice that the DNS servers have invalid physical and email addresses listed for xzdns-munged.biz (listed at rfci on Feb. 18 - the physical address would be valid for China, but is not for Vietnam; Not noted in the listing). Paul Shupak [EMAIL

Re: ENC: Take that!

2005-03-08 Thread List Mail User
This same spammer has been at it for many months. What this shows is that among registrars, Joker takes wdprs complaints seriously - most do not. He has been using the set of name servers: ns1.mikahak-munged.com ns1.fujins-munged.com ns1.miftrue-munged.com and

Re: ENC: Take that!

2005-03-08 Thread List Mail User
I know that I had already replied, but in using u2club.com for the contact email, the spammer has made a serious error. That account is a reseller of outblaze and likely the account will not last more than a day or two (one more domain made ineffective). Outblaze has the best policy o

Re: SA addr tests need to be updated

2005-03-09 Thread List Mail User
Eric, I believe that you have misinterpreted (and only partially quoted) RFC2821. A more correct interpretation (or at least different) and a fuller set of quotations is below. > >SA 3.0.2 currently performs a handful of tests against HELO greetings that >contain an IP address. T

Re: SA addr tests need to be updated

2005-03-09 Thread List Mail User
> > >On 3/9/2005 3:29 PM, List Mail User wrote: > >>> See section 3.6 of RFC 2821: >>> >>> | - The domain name given in the EHLO command MUST BE either a >>> primary |host name (a domain name that resolves to an A RR) or, >>> if the

Re: SA addr tests need to be updated

2005-03-10 Thread List Mail User
>Justin Mason wrote: > >>Eric A. Hall writes: >> >> >>>SA 3.0.2 currently performs a handful of tests against HELO greetings that >>>contain an IP address. These tests don't currently fire when an "address >>>literal" is used in the HELO greeting, but they should. >>> >>> >> >>actually, that'

Re: ENC: Take that!

2005-03-10 Thread List Mail User
Daniel, Regarding the domain "dftphildeutschv-munged.net", since this morning one of the name servers "fujins-munged.com" has been delisted by planetdomain, and "miftrue-munged.com" has been placed on "HOLD" by Namebay (i.e. expect deletion or full suspension within 15 days maximum

Re: SA addr tests need to be updated

2005-03-10 Thread List Mail User
>>>... >>> ..." >>> >Now, these are the rules > >However, I still believe it is perfectly legal to refuse mail if >- the HELO matches my own MX, or lists one of my IPs >or >- the MAIL FROM pretends to be one of my users > >I am currently refusing this stuff at the MTA level and suggest to >au

Re: RCVD_IN_BSP_TRUSTED

2005-03-10 Thread List Mail User
> >On 09/03/2005 11:55:32, Alana Craig ([EMAIL PROTECTED]) wrote: > > Hello > > > > > > > > I would like to include your contact information in an address book I am > > creating for myself. Please enter your particulars using the link you see > > below: > > > > > > > > http://www.bebo.com/fr1/10076

Re: Rule for downwards writing spam

2005-03-10 Thread List Mail User
>>From [EMAIL PROTECTED] Thu Mar 10 06:20:20 2005 >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >list-help: >list-unsubscribe: >List-Post: >List-Id: >Delivered-To: mailing list u

Re: Telltale whois data (was: Rule for downwards writing spam)

2005-03-10 Thread List Mail User
>... >--On Thursday, March 10, 2005 7:23 AM -0800 List Mail User ><[EMAIL PROTECTED]> wrote: > >> They mostly use Joker, who has *very* good policies for killing >> domains like this. You should complain and file at wdprs.internic.net. >> >> Th

Re: Spam Assassin pattern help for regular expression

2005-03-11 Thread List Mail User
>... >Greetings: > >While it has never been pleasant, we regularly review spam including the >HTML source code behind the spam to help us adjust our system-wide spam >tagging rules. > >We've noticed a lot of sick porn spam being left untagged. > >The tests that raised the score, though not high e

Re: SA addr tests need to be updated

2005-03-13 Thread List Mail User
>... >Date: Sat, 12 Mar 2005 18:46:52 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: users@spamassassin.apache.org >Subject: Re: SA addr tests need to be updated >References: <[EMAIL PROTE

Re: [Slight OT] Problems with perl modules req for rpmbuild -tb Mail-SpamAssassin-3.0.2.tar.gz

2005-03-13 Thread List Mail User
> ...The person with two clocks is never really sure of > the current time. OT, but... above - *not* a good quote, but it sounds nice) To be `sure' of the time, you need at least three clocks (look at the documentation for ntp/ntpd). > > ... ... Paul Shupak

Re: Was: List of spamvertised sites sent via zombies, open proxies, etc.?

2005-03-13 Thread List Mail User
... On Sun, 13 Mar 2005 05:29:04 -0800, Jeff Chan wrote: >On Sunday, March 13, 2005, 5:12:30 AM, Jeff Chan wrote: >> On Friday, March 11, 2005, 11:27:52 PM, Jeff Chan wrote: >>> Does anyone have or know about a list of spam-advertised URIs >>> where the spam they appeared in was sent through open r

Re: [Slight OT] Problems with perl modules req for rpmbuild -tb Mail-SpamAssassin-3.0.2.tar.gz

2005-03-14 Thread List Mail User
>... >From: "List Mail User" <[EMAIL PROTECTED]> > >> > ...The person with two clocks is never really sure of >> > the current time. >> >> OT, but... above - *not* a good quote, but it sounds nice) >> To be `s

Re: [Slight OT] Problems with perl modules req for rpmbuild -tb Mail-SpamAssassin-3.0.2.tar.gz

2005-03-14 Thread List Mail User
... >It's part of a larger quote, to the effect that someone with one clock is >sure of the time, someone with two clocks isn't and I forget what is >supposed to happen as you get more clocks. Maybe you get back closer to the >assurance you had with a single cheap windup clock. I originally came

Re: Is there such a test?

2005-03-16 Thread List Mail User
identifies itself as "Administrative Account", which causes the internal MS classifier to always mark it as "BULK". Several friends have complained to me about it -- MS does seem to pass "List Mail User" through untouched. Other accounts which I commonly use have ever "

Re: Is there such a test?

2005-03-16 Thread List Mail User
>... >Point taken, but I still think it would be a valid test. >Like all SpamAssassin tests it should only be one of many indicators. >In particular all the ones that I receive I would expect to have "Mike" or >"Michael" in the description of my email address. >I would also like to be able to pick

Re: Is this Received header correctly formatted?

2005-03-16 Thread List Mail User
>From: "Loren Wilton" <[EMAIL PROTECTED]> >Subject: Is this Received header correctly formatted? >Date: Tue, 15 Mar 2005 14:36:36 -0800 >... > >Received: from ar39.lsanca2-4.16.241.28.lsanca2.elnk.dsl.genuity.net >([4.16.241.28] helo=watson1) > by pop-a065d23.pas.sa.earthlink.net with smtp (Exim 3.

Re: Is there such a test?

2005-03-16 Thread List Mail User
>... >From: "Loren Wilton" <[EMAIL PROTECTED]> >To: >References: <[EMAIL PROTECTED]> >Subject: Re: Is there such a test? >Date: Tue, 15 Mar 2005 15:39:32 -0800 >... >> I have just received spam from [EMAIL PROTECTED] >> Is there a test which identifies that the description (Esmeralada >> Bouchard

Re: Is there such a test?

2005-03-16 Thread List Mail User
>... >Date: Wed, 16 Mar 2005 09:38:13 - (GMT) >Subject: Re: Is there such a test? >From: "Mike Spamassassin" <[EMAIL PROTECTED]> > >I'd take that bet. >While you are almost certainly correct with the likes of those who >subscribe to this group, who often have multiple email addresses, >out ther

Re: Is this Received header correctly formatted?

2005-03-16 Thread List Mail User
>To: Loren Wilton <[EMAIL PROTECTED]> >Cc: SpamAssassin Mailing List <[EMAIL PROTECTED]> >Subject: Re: Is this Received header correctly formatted? > > >Loren Wilton wrote: >> Received: from ar39.lsanca2-4.16.241.28.lsanca2.elnk.dsl.genuity.net >> ([4.16.241.28] helo=watson1) >> by pop-a065d23.pas

RE: URI Tests and Japanese Chars (solved)

2005-03-16 Thread List Mail User
> >This is an excerpt that I used in trying to track it down. No real mailto URI >unless there is some translation going on with email addresses embedded in the >body by the email client on send. At first, I just thought it might be a bug >since the messages were using ISO-2022-JP character se

Re: Is this Received header correctly formatted?

2005-03-17 Thread List Mail User
>... >Date: Thu, 17 Mar 2005 00:29:43 +0100 >From: mouss <[EMAIL PROTECTED]> >... >To: List Mail User <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], >[EMAIL PROTECTED] >Subject: Re: Is this Received header correctly formatted? >..

Re: rule didn't fire

2005-03-17 Thread List Mail User
gh6.net-munged, don't the SURBLs have this one yet? Another from the taiwanmedialtd.com-munged group (two new domains a day - time for Spamhaus to take notice; Also they seem to have given up on the Turkish address as of last week). Paul Shupak [EMAIL PROTECTED]

Re: rule didn't fire

2005-03-17 Thread List Mail User
Loren, While true for vdrugz.net-munged, gh6.net-munged does not always use a www. prefix. Also, now gh6.net-munged is caught by the SBL, 4 SURBLs, and completewhois (if you use it). I get 14.6 points for just the bare domain name. vdrugz.net-munged is caught by the SBL and 4 SU

Re: URI Tests and Japanese Chars (solved)

2005-03-17 Thread List Mail User
Jeff, RFC 1630 makes pretty clear that an email address in either a "mailto:" or "cid:" clause *is* a URI. It does not address whether a bare email address would count (it seems that it doesn't fit the RFC definition, but does fit some other I found by Google). I could be

Re: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
>... >To: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> >Cc: List Mail User <[EMAIL PROTECTED]>, [EMAIL PROTECTED], >users@spamassassin.apache.org >Subject: Re: URI Tests and Japanese Chars (solved) >In-Reply-To: <[EMAIL PROTECTED]> >F

RE: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
>... >Subject: RE: URI Tests and Japanese Chars (solved) >Date: Thu, 17 Mar 2005 17:41:03 -0500 >... >From: "Rose, Bobby" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]>, "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> >Cc: "List Mail Use

Re: URI Tests and Japanese Chars (solved)

2005-03-18 Thread List Mail User
>>[all snipped] > > >Since you mentioned the scores, please note that Bobby Rose, the original >poster of this issue had modified the score for URIBL_SBL from its >defaults to 10 ... > >I had suggested that he reduce the score (possibly setting it back to >the defaults) > >While it doesn't negate the

Re: Is this Received header correctly formatted?

2005-03-18 Thread List Mail User
>... >Date: Fri, 18 Mar 2005 03:40:20 +0100 >From: mouss <[EMAIL PROTECTED]> >... >Subject: Re: Is this Received header correctly formatted? >... > >List Mail User wrote: >>>... >>>Date: Thu, 17 Mar 2005 00:29:43 +0100 >>>From: mouss

Re: Is this Received header correctly formatted?

2005-03-18 Thread List Mail User
>>>... >>>Date: Thu, 17 Mar 2005 00:29:43 +0100 >>>From: mouss <[EMAIL PROTECTED]> >>>... >>>To: List Mail User <[EMAIL PROTECTED]> >>>Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], >>> [EMAIL PROTECTED] >>>Su

Re: Spammers Target Secondary MX hosts?

2005-03-18 Thread List Mail User
>... >| One possibility is to list your primary again as the tertiary, possibly >| under a different name and/or IP address. Spammers that deliver in reverse >| MX order will still end up trying to deliver to your primary first. > >I tried this and it resulted in mail loops when one of the servers

Re: call-back plug-in

2005-03-20 Thread List Mail User
>... >Date: Sun, 20 Mar 2005 01:45:12 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 0.8 (X11/20040913) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: users@spamassassin.apache.org >Subject: call-back plug-in >... > > >I'm thinking that SA might also benefit

Re: Unsubscribe "noisy" subscriber - Was: FW: ****SPAM(7.2)**** rule didn't fire

2005-03-20 Thread List Mail User
I talked to Dave Hill's brother on Friday (he is the "listed" "zone contact" for dailyhills.com in 'whois'. He is Dennis Hills, he promised to speak to his brother that day, so the problem will hopefully have finally ended. Obviously Dave Hills is an enthusiast - he even has a page on his

Re: call-back plug-in

2005-03-20 Thread List Mail User
>>From [EMAIL PROTECTED] Sun Mar 20 10:45:29 2005 >Date: Sun, 20 Mar 2005 13:45:19 -0500 >From: "Eric A. Hall" <[EMAIL PROTECTED]> >... >To: List Mail User <[EMAIL PROTECTED]> >Cc: users@spamassassin.apache.org >Subject: Re: call-back plug-in >

Re: ZDNET redirecting to spammer websites?

2005-03-21 Thread List Mail User
>... >From: Duncan Hill <[EMAIL PROTECTED]> >To: users@spamassassin.apache.org >Subject: Re: ZDNET redirecting to spammer websites? >Date: Mon, 21 Mar 2005 16:10:46 + >... > >On Monday 21 March 2005 15:34, Rosenbaum, Larry M. typed: >> We received a drug spam containing the following URL: >> >>

RE: ZDNET redirecting to spammer websites?

2005-03-21 Thread List Mail User
Just a little more info - one of my favorite spammers taiwanmedialtd.com-munged New trick for them (i.e. the redirector). The registration address is false, and likely the rest is too. They like to use joker to register, and Joker has already caught on to a few, o

RE: ZDNET redirecting to spammer websites?

2005-03-22 Thread List Mail User
>>From [EMAIL PROTECTED] Mon Mar 21 12:58:20 2005 >Date: 21 Mar 2005 21:03:22 - >Subject: RE: ZDNET redirecting to spammer websites? >To: List Mail User <[EMAIL PROTECTED]> >From: [EMAIL PROTECTED] >... > >>> >>> P.S. The address, if it d

Re: New redirector: www.nate.com

2005-03-22 Thread List Mail User
>... >From: David B Funk <[EMAIL PROTECTED]> >To: [EMAIL PROTECTED], users@spamassassin.apache.org >Subject: New redirector: www.nate.com >... > >Ugg, just ran across another open redirector abused in spam > > www.nate.com/r/XY12/target.domain > >where XY12 seems to be any combination of 4 letters

Re: How do I whitelist this list?

2005-03-23 Thread List Mail User
>... >> >> I'll mention this again since i have yet to come up with a solution. >> While the above works great for people using procmail, does anyone have >> a solution that works without procmail? Im stuck passing all list >> traffic through SA because of this. Just this morning someone on t

Re: How do I whitelist this list?

2005-03-23 Thread List Mail User
>... >"whitelist_from_rcvd [EMAIL PROTECTED] apache.org" worked when I used static >whitelists. > >I had a bunch of similar entries for various mailing lists in a big >whitelists.cf file in /etc/mail/spamassassin > > >-- >Eric A. Hall http://www.ehsco.com/ >

Re: Excessive DNS Requests

2005-03-23 Thread List Mail User
>... >Subject: Excessive DNS Requests >From: lister lynch <[EMAIL PROTECTED]> >To: users@spamassassin.apache.org > >Our ISP, Covad, is periodically claiming that we have excessive DNS >requests and is threatening to turn off our service. It's primarily due >to SA, I think. Looked around for answe

RE: How do I whitelist this list?

2005-03-23 Thread List Mail User
>... >Subject: RE: How do I whitelist this list? >Date: Tue, 22 Mar 2005 16:25:54 -0800 >... >From: <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]>, >... > >Loren Wilton wrote: >> Normally this would work very well, but this list changes its name and >> description and other characteristics so often

Re: How do I whitelist this list?

2005-03-23 Thread List Mail User
>... >> > >> >This header is relatively stable: >> > >> >List-Id: >> > >> >Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 >> >Hispanic Business Inc./HireDiversity.com Software Engineer >> >perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," >> > >> And t

Re: Excessive DNS Requests

2005-03-23 Thread List Mail User
>>From [EMAIL PROTECTED] Wed Mar 23 08:41:38 2005 >To: List Mail User <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], users@spamassassin.apache.org >Subject: Re: Excessive DNS Requests >... >From: Nix <[EMAIL PROTECTED]> >... >... >Date: Wed, 23 Mar 2005 1

Re: Webmail and IP rules

2005-03-27 Thread List Mail User
>... >Date: Sun, 27 Mar 2005 00:51:25 -0500 >From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]> >... >To: List Mail User <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], >users@spamassassin.apache.org >Subject: Re: Webmail and IP

Re: EFF Newsletter as SPAM

2005-04-04 Thread List Mail User
>... >Date: Mon, 04 Apr 2005 11:08:49 -0400 >From: Matt Kettler <[EMAIL PROTECTED]> >... >To: Jeff Chan <[EMAIL PROTECTED]> >Cc: Chris <[EMAIL PROTECTED]>, users@spamassassin.apache.org >Subject: Re: EFF Newsletter as SPAM >... > >Jeff Chan wrote: > >>Perhaps DCC took these out. Please ask Pyzor t

Re: [SURBL-Discuss] More spams with Zdnet redirector

2005-04-09 Thread List Mail User
>... >Date: Sat, 9 Apr 2005 10:56:10 +0200 (CEST) >From: Raymond Dijkxhoorn <[EMAIL PROTECTED]> >X-X-Sender: [EMAIL PROTECTED] >To: "Kevin A. McGrail" <[EMAIL PROTECTED]> >Subject: Re: [SURBL-Discuss] More spams with Zdnet redirector >... > >Hi! > >> Why the use of the full test rather than the uri

Re: OT: Do spammers have a sense of humor?

2005-04-09 Thread List Mail User
Obviously, you've never noticed contact emails at iamaspammer. com:) Paul Shupak [EMAIL PROTECTED] P.S. "Manila Industries, Inc." of Thailand provides many domains for spam support services.

Re: random rudeness!

2005-04-12 Thread List Mail User
>... >Robert Brooks wrote: >> bizarre! >> >> > Subject: intimate encounter >> > >> > Heyyy it's me %ASSHOLE... %OUT >> > >> > %PROFILE...%PART4 >> > >> > http://himMUNGEDlove.com/d/8.php >> > >I got the same damn thing ;) > >Subject: me out >From: "Mrs.Sherman" <[EMAIL PROTECTED]> >Date: Mon

Re: random rudeness!

2005-04-12 Thread List Mail User
>... > >List Mail User wrote: >> Did either of you try listing himlove. com (invalid telephone/fax), >> or notice that the contacts' email is from a nonexistent domain, >> heroutside. com. Or that the name servers in carr821. com also have >> an invali

Re: random rudeness!

2005-04-12 Thread List Mail User
>... > >okay, this all makes sense. Thanks. > >I see manlove .com has been listed already. Do rfc-ignorant take action >on the bogus whois information with the registrar or is that another step? > >Regards, > >Rob > Yes, I nominated it this morning, and it was accepted a few minutes late

Re: SpamAssassin and Horde

2005-04-14 Thread List Mail User
... > Angelo Ayres Camargo wrote: >... I hate to say it, but... Anyone with the last name "Camargo" using a domain with a contact address in Florianopolis, Brazil is automatically suspect. Maybe Angelo, you can tell us: Is "Camargo" a common name in that region, or is it just ba

Re: SA config recommendations to block these spammers?

2005-04-26 Thread List Mail User
The first domain, coolestrxever. com, is part of the group of taiwantelco/taiwanmedialtd pill pushers, using a new (and false) Beverly Hills address (the earliest ones actually used the zipcode "90210" and the address was spoken in an episode of the show). The second domain, magna

Re: spamd children run as root (again)

2005-04-27 Thread List Mail User
>... > >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA1 > > >It's specifically a problem with perl on *BSD platforms -- there's >a bug open about it, but it's stalled because we don't have any >developers with BSD machines ;) > >at least on some platforms (MacOS X) it appears perl's setuid >support

Vendare Media Corporation / VENDAREGROUP. COM

2005-04-29 Thread List Mail User
Does anyone know of any emails from the VENDARE folks, or any of their few hundred domains that was *not* spam. From their web site, they look legitimate (though they are "email marketeers"), but I've never gotten anything but spam from them. Maybe, they are just very sleazy (they do run

Re: Observation on secondary MX

2005-05-02 Thread List Mail User
>... > >About a month ago, there was a discussion on the list about how spammers >specifically target secondary MX records. After reading I verified >that indeed 99% of the mail that flowed through my store-and-forward >secondary mail server was spam. So, I removed the second MX record >fro

Re: Content type allowing spammers to evade URIBL

2005-05-05 Thread List Mail User
>>From [EMAIL PROTECTED] Wed May 4 21:21:27 2005 >... >Date: Wed, 4 May 2005 22:21:11 -0600 >From: Craig Baird <[EMAIL PROTECTED]> >To: users@spamassassin.apache.org >Subject: Content type allowing spammers to evade URIBL >... > >Today, I've received a number of spams containing a domain that is

Re: PTR Rules

2005-05-05 Thread List Mail User
>... >Date: Thu, 05 May 2005 11:27:59 -0400 >From: Matt Kettler <[EMAIL PROTECTED]> >User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: Dan Barker <[EMAIL PROTECTED]> >Cc: users@spamassassin.apache.org >Subject: Re: PTR Rules >... > >Dan B

Re: hillsdale media

2005-05-05 Thread List Mail User
>... >Date: Thu, 05 May 2005 09:14:28 -0700 >From: Jonathan Nichols <[EMAIL PROTECTED]> >Reply-To: [EMAIL PROTECTED] >Organization: pbp.net >User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >To: users@spamassassin.apache.org >Subject: hills

Re: URIs being split over multiple lines

2005-05-06 Thread List Mail User
>... > >Hello Craig, > >Thursday, May 5, 2005, 10:33:51 AM, you wrote: > >CB> Most of my spam that's getting through at this point is stuff that has a >URI >CB> with multiple carriage returns in it like this: > >CB> > > >CB> I know this trick has been discussed. I looked for a bug report, and >c

Re: Confession and rage

2005-05-06 Thread List Mail User
>... >From: "Mike Jackson" <[EMAIL PROTECTED]> >To: >References: <[EMAIL PROTECTED]> >Subject: Re: Confession and rage >Date: Fri, 6 May 2005 08:34:00 -0700 >... > >[snipped - um, pun intended] > >Okay, I'm going to take the devil's advocate approach here. By signing up >with them, you created a

Re: hillsdale media = PWN3D

2005-05-07 Thread List Mail User
>... > >Ok, right on! I fixed the trusted_networks thing, and check this out! > >BTW, the jerks are using another domain.. for a new "division." my god, >CAN-SPAM is a piece of crap. How the *hell* did it get passed? Ugh. > >At least it's getting plonked now. And with that, off to KFC I go... > >

Re: More Messed Up www URLs

2005-05-07 Thread List Mail User
>... > >I'm starting to see references in messages that look like this: > >www.achat-montre-rolex.net./ > > >Of course, it's not really a valid URL, but then the spam gets through >too. Is it possible to strip excess garbage ( . / ) off the end of the >domain before processing it? > >Running SpamAs

Re: Confession and rage

2005-05-07 Thread List Mail User
>... > >List Mail User wrote: > > >> JohnS, >> >> As many of the regulars on this list can tell you, I *hate* spam >>as much as nearly anyone here; But... Mike is absolutely correct, what >>they have done is "slimely", b

Re: Confession and rage

2005-05-07 Thread List Mail User
>>[old material snipped] >> >http://www.spamlaws.com/federal/108s877.shtml > >Point 1) - "Tell you that you're going to get it when you sign up" The "standard out" for this is a clause like "and you agree to the terms referenced on our standard policies page" - which includes a clause s

Re: [Fwd: Re: SpamAssassin 3.0.2 flags messages from users@spamassassin.apache.org]

2005-05-11 Thread List Mail User
Just to keep up with listing the spam gangs; coolestrxever. com belongs to the taiwantelco/taiwanmedial group. (and is one of their fake Beverly Hills 90210/90211 addresses). BTW. The latest registrations have moved back to Turkey (where they started), but use a Pakistani cellular phone a

Re: New variant of rot-13 trick.

2005-05-11 Thread List Mail User
Thanks Matt, a new multitrade domain, pics-4-showMUNGED.com. Even with private registration, it is using a set of their private name servers. Paul Shupak [EMAIL PROTECTED]

Re: IP whitelist?

2005-05-14 Thread List Mail User
>... > >If an incoming email is from a IP listed in IP whitelist, we don't >need to check it at all. >The whitelist I mentioned here is a large-scale one. Say Microsoft and >Yahoo's IPs should be added to IP whitelist since we suppose they >won't send spams. >Currently I am maintaining a RBL list,

Re: Drug SPAM problem..any fixes?

2005-05-14 Thread List Mail User
>... > >Hi All, > >I am having an issue with the following DRUG related spam. Does >anyone have any rules to catch this? > >Environment: SA 3.0.2 with network tests and the following SARE rule sets: >70_sare_adult.cf >70_sare_bayes_poison_nxm.cf >70_sare_evilnum0.cf >70_sare_genlsubj0.cf >70_sare_
