Posted to users@spamassassin.apache.org by Scott Blomquist <sc...@innertraditions.com> on 2004/07/09 18:12:18 UTC
These slimy B*%$^&ds are forging whitelist_from_rcvd
Just in today. I only have Whitelist_from_rcvd entries in my local.cf.
This one hit on that rule. Damn...now what.
/header paste
Return-Path: <MY...@parkstpress.com>
Received: from 216.114.128.66 ([221.127.165.47])
by babyblue-eth1.parkstpress.com (8.10.2/8.10.2) with SMTP id i69ACHo02440;
Fri, 9 Jul 2004 06:12:17 -0400
X-Message-Info: 311I1VCl443hDzX704RUW0iDAFjvH8
Received: from y-0-3-84-1.VZXXHO34.MYUSER@parkstpress.com
([208.236.71.0]) by xxek85-kjf25.MYUSER@parkstpress.com with Microsoft
SMTPSVC(5.0.3550.1784);
Sat, 10 Jul 2004 09:08:40 -0100
Message-ID: <99...@parkstpress.com>
X-Originating-IP: [81.250.232.92]
X-Originating-Email: [MYUSER@parkstpress.com]
X-Sender: MYUSER@parkstpress.com
Reply-To: "Clara Call" <MY...@parkstpress.com>
From: "Clara Call" <MY...@parkstpress.com>
To: "Dawn" <MY...@parkstpress.com>
Subject: Hi MYUSER
Date: Sat, 10 Jul 2004 07:12:40 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--289992752399318"
X-Spam-Status: No, hits=-83.3 required=5.0
tests=BAYES_90,DRUGS_ANXIETY,DRUGS_ANXIETY_OBFU,DRUGS_DEPRESSION,
DRUGS_DIET,DRUGS_DIET_PAIN,DRUGS_MANYKINDS,DRUGS_MUSCLE,
DRUGS_PAIN,DRUGS_PAIN_OBFU,J_CHICKENPOX_13,J_CHICKENPOX_24,
J_CHICKENPOX_26,SARE_BOUNDARY_07,SARE_HEAD_SPAM,
SARE_MSGID_CHAR_2AT,SARE_RECV_IP_221124,SARE_RECV_SUSP_3,
USER_IN_WHITELIST
version=2.53
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)
--
Scott V. Blomquist,A-SA-CN-NRK TINLC(tm) #2598
ITI/Bear&Co Rochester, VT
802-767-3174(v) 802-767-3726(f)
"Any technology sufficiently advanced is indistinguishable from Magic."
A. C. Clarke
Re: Discarding spam based on score range
Posted by Tim Litwiller <ti...@litwiller.net>.
put this in your /etc/mail/spamassassin/local.cf
add_header all Level _STARS(*)_
then put this in your procmail
# Delete Blatant Spam
:0 H:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*
/dev/null
Craig Mayers wrote:
>Hi all, I am de-lurking to ask a question that has probably been asked
>before (forgive me).
>
>Is there a procmail recipe that can be crafted to forward any mail with a
>spam score above a certain threshold to /dev/null (or elsewhere)? For
>example, anything over 15 is not likely to be an FP for us. Would procmail
>be able to read the spam score header that gets added when SA runs and make
>a determination based on it? If so, what syntax would we use?
>
>If this exists on the Wiki site, or elsewhere, I'd appreciate a point in the
>right direction. Thanks in advance, this is a great group. I'm only sorry
>I didn't discover it earlier, I'm sure our initial implementation would have
>gone much smoother! 8-)
>
>Thanks!
>
>Craig Mayers
>5DollarHosting.com
Re: Discarding spam based on score range
Posted by John Fleming <jo...@wa9als.com>.
This recipe should delete only those scoring 8 or higher in procmail:
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*
/dev/null
From:
http://www.exit0.us/index.php/So%20you%20want%20to%20'delete'%20all%20your%20spam!
----- Original Message -----
From: "Craig Mayers" <sa...@5dollarhosting.com>
To: <sp...@incubator.apache.org>
Sent: Friday, July 09, 2004 2:14 PM
Subject: Discarding spam based on score range
> Hi all, I am de-lurking to ask a question that has probably been asked
> before (forgive me).
>
> Is there a procmail recipe that can be crafted to forward any mail with a
> spam score above a certain threshold to /dev/null (or elsewhere)? For
> example, anything over 15 is not likely to be an FP for us. Would procmail
> be able to read the spam score header that gets added when SA runs and make
> a determination based on it? If so, what syntax would we use?
>
> If this exists on the Wiki site, or elsewhere, I'd appreciate a point in the
> right direction. Thanks in advance, this is a great group. I'm only sorry
> I didn't discover it earlier, I'm sure our initial implementation would have
> gone much smoother! 8-)
>
> Thanks!
>
> Craig Mayers
> 5DollarHosting.com
Discarding spam based on score range
Posted by Craig Mayers <sa...@5dollarhosting.com>.
Hi all, I am de-lurking to ask a question that has probably been asked
before (forgive me).
Is there a procmail recipe that can be crafted to forward any mail with a
spam score above a certain threshold to /dev/null (or elsewhere)? For
example, anything over 15 is not likely to be an FP for us. Would procmail
be able to read the spam score header that gets added when SA runs and make
a determination based on it? If so, what syntax would we use?
If this exists on the Wiki site, or elsewhere, I'd appreciate a point in the
right direction. Thanks in advance, this is a great group. I'm only sorry
I didn't discover it earlier, I'm sure our initial implementation would have
gone much smoother! 8-)
Thanks!
Craig Mayers
5DollarHosting.com
Re: These slimy B*%$^&ds are forging whitelist_from_rcvd
Posted by Matt Kettler <mk...@evi-inc.com>.
At 01:23 PM 7/9/2004, Duncan Hill wrote:
>Why does your mail server let other people claim to be it? That's just
>asking
>for abuse. I don't have exact stats, but every time I look in my logs, I see
>hundreds of lines of rejects where remote nodes have said HELO with my IP
>address. HELO is meant to identify the remote end, not me.
Bah, doesn't matter.. SA ignores the HELO part of the Received: headers in
current versions of SA.. The poster's problem is entirely due to lack of
update (the poster is using SA 2.53).
Of course, one could argue that SA problems aside it would be beneficial to
block anyone trying to HELO as your own IP or hostname since they are
obviously spammers or broken, but that's not really the root cause of his
problems.
2.53 is vulnerable to a wide variety of forgery tricks that fool
whitelist_from_rcvd, even the default ones like ebay are forgeable to it
under the right circumstances.
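Added example (not part of any post in this thread, and not SpamAssassin's own code): a small Python check over the two Received: headers pasted in the original message, separating the client-chosen HELO string from the peer address the receiving MTA recorded, and applying the HELO-as-your-own-address test discussed above. The LOCAL_NAMES and LOCAL_IPS values and all function names are assumptions made for this illustration.

```python
import re

# Sendmail-style trace: "from HELO ([peer-ip]) by HOST" or
# "from HELO (rdns [peer-ip]) by HOST".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<peer_ip>[0-9a-fA-F.:]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Assumptions: the poster's host name and address, read off the pasted
# header and Duncan Hill's comment that the 216.x.x.x address is the poster's.
LOCAL_NAMES = {"babyblue-eth1.parkstpress.com"}
LOCAL_IPS = {"216.114.128.66"}

# The two Received: headers from the original post, newest first.
RECEIVED = [
    "from 216.114.128.66 ([221.127.165.47]) "
    "by babyblue-eth1.parkstpress.com (8.10.2/8.10.2) with SMTP id i69ACHo02440; "
    "Fri, 9 Jul 2004 06:12:17 -0400",
    "from y-0-3-84-1.VZXXHO34.MYUSER@parkstpress.com ([208.236.71.0]) "
    "by xxek85-kjf25.MYUSER@parkstpress.com with Microsoft SMTPSVC(5.0.3550.1784); "
    "Sat, 10 Jul 2004 09:08:40 -0100",
]

def parse_received(value):
    """Return helo/rdns/peer_ip/by from one Received: value, or None."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None

def trusted_hop(received):
    """Topmost hop stamped by one of our own hosts; older lines are sender-supplied."""
    for value in received:
        hop = parse_received(value)
        if hop and hop["by"].lower() in LOCAL_NAMES:
            return hop
    return None

def helo_claims_local(hop):
    """True when a non-local peer introduced itself with our name or address."""
    helo = hop["helo"].strip("[]").lower()
    claims_us = helo in LOCAL_IPS or helo in LOCAL_NAMES
    return claims_us and hop["peer_ip"] not in LOCAL_IPS

if __name__ == "__main__":
    hop = trusted_hop(RECEIVED)
    print(hop["peer_ip"], hop["helo"], helo_claims_local(hop))
```

Only the bracketed address in the line stamped by the local MTA is evidence of where the message came from; the HELO string and every older Received: line are whatever the sender chose to supply.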
Re: These slimy B*%$^&ds are forging whitelist_from_rcvd
Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Friday 09 July 2004 17:12, Scott Blomquist wrote:
> Received: from 216.114.128.66 ([221.127.165.47])
> by babyblue-eth1.parkstpress.com (8.10.2/8.10.2) with SMTP id
> i69ACHo02440; Fri, 9 Jul 2004 06:12:17 -0400
Let's see...
Ahh, 216.x.x.x is you.
Why does your mail server let other people claim to be it? That's just asking
for abuse. I don't have exact stats, but every time I look in my logs, I see
hundreds of lines of rejects where remote nodes have said HELO with my IP
address. HELO is meant to identify the remote end, not me.
Re: These slimy B*%$^&ds are forging whitelist_from_rcvd
Posted by Matt Kettler <mk...@evi-inc.com>.
At 12:12 PM 7/9/2004, Scott Blomquist wrote:
>Just in today. I only have Whitelist_from_rcvd entries in my local.cf.
>This one hit on that rule. Damn...now what.
>/header paste
>X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp)
Upgrade to a RECENT version of SpamAssassin. This bug was fixed AGES ago
with the release of 2.60. (Your version is over a year old!)
http://bugzilla.spamassassin.org/show_bug.cgi?id=846
http://bugzilla.spamassassin.org/show_bug.cgi?id=1543