Posted to users@spamassassin.apache.org by "ROY,RHETT G" <IS...@womans.com> on 2005/04/26 15:51:15 UTC

SA config recommendations to block these spammers?

I have two spammers that consistently get messages through to my inbox.
Based on the attached, can you make any recommendations for improvements to
my configuration that will help give these messages a higher score? I'm
calling SA (spamd, 3.0.2) as a content filter from Postfix.

Thanks,

Rhett Roy


Re: SA config recommendations to block these spammers?

Posted by Eugene Kurmanin <ku...@mtmail.ru>.
Hello, RHETT.

Have you installed Mail::SPF::Query correctly?
Do you use Postfix sender verification realtime callback?
I recommend increasing RCVD_IN_BL_SPAMCOP_NET to 4 or something...
Legitimate sources usually don't fall into this list.

You wrote on 26 April 2005, 17:51:15:

> I have two spammers that consistently get messages through to my inbox.
> Based on the attached, can you make any recommendations for improvements to
> my configuration that will help give these messages a higher score? I'm
> calling SA (spamd, 3.0.2) as a content filter from Postfix.

> Thanks,

> Rhett Roy




-- 
Kind regards,
Eugene Kurmanin


Re: SA config recommendations to block these spammers?

Posted by Robert Brooks <ro...@hyperlink-interactive.co.uk>.
Jeff Chan wrote:
>>Will try a bit more debugging shortly, not convinced it's parsing the 
>>message correctly.

> Is your Net::DNS current?  Are you calling SpamAssassin so as to
> use network tests?

yes, problem was the attachment needed fixing up before it would scan, 
4191 had been applied and does work.

Thanks,

Rob

-- 
Robert Brooks,           Network Manager,          Cable & Wireless UK
<ro...@hyperlink-interactive.co.uk> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600                      Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -

Re: SA config recommendations to block these spammers?

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, April 26, 2005, 8:49:34 AM, Robert Brooks wrote:
> Daryl C. W. O'Shea wrote:
>> Robert Brooks wrote:
>>> the url has a : but no port so it doesn't get checked properly by the
>>> URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
>>> it at the moment.
>> 
>> 
>> bug 4191... it's fixed in 3.0.3.

> that's the one.  I applied the patch and have just rechecked.  Odd 
> though the url still isn't hitting any SURBLs yet:

> $ host coolestrxever.com.multi.surbl.org
> coolestrxever.com.multi.surbl.org has address 127.0.0.80

> Will try a bit more debugging shortly, not convinced it's parsing the 
> message correctly.

> Rob

Is your Net::DNS current?  Are you calling SpamAssassin so as to
use network tests?

  http://www.surbl.org/faq.html#nettest

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: SA config recommendations to block these spammers?

Posted by Robert Brooks <ro...@hyperlink-interactive.co.uk>.
Daryl C. W. O'Shea wrote:
> Robert Brooks wrote:
>> the url has a : but no port so it doesn't get checked properly by the
>> URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
>> it at the moment.
> 
> 
> bug 4191... it's fixed in 3.0.3.

that's the one.  I applied the patch and have just rechecked.  Odd 
though the url still isn't hitting any SURBLs yet:

$ host coolestrxever.com.multi.surbl.org
coolestrxever.com.multi.surbl.org has address 127.0.0.80

Will try a bit more debugging shortly, not convinced it's parsing the 
message correctly.

Rob

-- 
Robert Brooks,           Network Manager,          Cable & Wireless UK
<ro...@hyperlink-interactive.co.uk> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600                      Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -

Re: SA config recommendations to block these spammers?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Robert Brooks wrote:
> ROY,RHETT G wrote:
> 
>> I have two spammers that consistently get messages through to my inbox.
>> Based on the attached, can you make any recommendations for 
>> improvements to
>> my configuration that will help give these messages a higher score? I'm
>> calling SA (spamd, 3.0.2) as a content filter from Postfix.
> 
> 
>> <A href="http://coolestMUNGEDrxever.com:">
> 
> 
> the url has a : but no port so it doesn't get checked properly by the
> URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
> it at the moment.

bug 4191... it's fixed in 3.0.3.

Daryl


Re: SA config recommendations to block these spammers?

Posted by Loren Wilton <lw...@earthlink.net>.
> URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
> it at the moment.

There is; should be in 3.0.3 when it comes out, I believe.

        Loren


Re: SA config recommendations to block these spammers?

Posted by Robert Brooks <ro...@hyperlink-interactive.co.uk>.
ROY,RHETT G wrote:
> I have two spammers that consistently get messages through to my inbox.
> Based on the attached, can you make any recommendations for improvements to
> my configuration that will help give these messages a higher score? I'm
> calling SA (spamd, 3.0.2) as a content filter from Postfix.

> <A href="http://coolestMUNGEDrxever.com:">

the url has a : but no port so it doesn't get checked properly by the
URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
it at the moment.

-- 
Robert Brooks,           Network Manager,          Cable & Wireless UK
<ro...@hyperlink-interactive.co.uk> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600                      Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -


RE: SA config recommendations to block these spammers?

Posted by martin smith <ma...@ntlworld.com>.
 
M>-----Original Message-----
M>From: ROY,RHETT G [mailto:IS-RGR@womans.com] 
M>Sent: 26 April 2005 14:51
M>To: users@spamassassin.apache.org
M>Subject: SA config recommendations to block these spammers?
M>
M>I have two spammers that consistently get messages through to 
M>my inbox.
M>Based on the attached, can you make any recommendations for 
M>improvements to my configuration that will help give these 
M>messages a higher score? I'm calling SA (spamd, 3.0.2) as a 
M>content filter from Postfix.
M>
M>Thanks,
M>
M>Rhett Roy
M>
M>debug: Net::DNS version: 0.23

Your Net::DNS is way too old to work with 3.0*; it needs upgrading for RBL
and SURBL lookups to work, and like Daryl says, one of the spams had a
trailing : after the URL, which makes SURBL lookups fail unless the patch is
applied.
I did write a rule to catch these since a lot of spammers are still using
this trick :-

uri __SpoofPort_URL /(?:\....:|\...:)/

uri __OkPort_URL /(?:\....:[0-9]|\...:[0-9])/

meta MS_Spoof_Port_URL ((__SpoofPort_URL - __OkPort_URL) > 0)

score MS_Spoof_Port_URL 9

describe MS_Spoof_Port_URL Exploits SURBL bug in 3.0* URL with trailing :

Worth having even with the patch, not had a FP on it yet.

Martin
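
Added example, not part of Martin's message or of SpamAssassin: a Python model of the meta rule above, run over constructed URIs, next to a per-URI check for an empty port. It assumes each `uri` sub-rule contributes 0 or 1 per message; `meta_hits`, `empty_port`, `any_empty_port` and the sample hosts are names made up here.

```python
import re
from urllib.parse import urlsplit

# The two sub-rule patterns from the message above, copied unchanged.
SPOOF_PORT = re.compile(r"(?:\....:|\...:)")
OK_PORT = re.compile(r"(?:\....:[0-9]|\...:[0-9])")


def meta_hits(uris):
    """Model of MS_Spoof_Port_URL for one message.

    Assumption: a uri sub-rule is 1 if ANY URI in the message matches it,
    otherwise 0 (it is not a per-URI match count).
    """
    spoof = int(any(SPOOF_PORT.search(u) for u in uris))
    ok = int(any(OK_PORT.search(u) for u in uris))
    return (spoof - ok) > 0


def empty_port(uri):
    """Per-URI check: the authority ends in ':' with no port digits."""
    netloc = urlsplit(uri).netloc
    hostport = netloc.rsplit("@", 1)[-1]  # drop any userinfo part
    return hostport.endswith(":")


def any_empty_port(uris):
    return any(empty_port(u) for u in uris)


# Constructed sample messages (lists of URIs); hosts are reserved example names.
SAMPLES = {
    "trailing colon only": ["http://rx.example.com:"],
    "real port only": ["http://mail.example.org:8080/inbox"],
    "both in one message": ["http://rx.example.com:",
                            "http://mail.example.org:8080/inbox"],
    "long last label": ["http://rx.shop.example:"],
}

if __name__ == "__main__":
    for name, uris in SAMPLES.items():
        print(f"{name:22} meta={meta_hits(uris)!s:5} "
              f"empty_port={any_empty_port(uris)}")
```

In the constructed cases the modelled meta rule stays silent when the same message also carries a URL with a real port, and when the host's last label is longer than three characters; the per-URI check flags both.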