Posted to users@spamassassin.apache.org by diane <di...@mathermotorsports.com> on 2004/08/02 20:37:17 UTC

Increase this weekend?

Hi folks,

My webhost has spamassassin installed on their machines, we can turn 
it on and configure it if we desire. I did so about a month ago for 
one of my servers. It's worked pretty good for me, hardly any spam 
gets through.

But all of the sudden this weekend a ton of spam has come through. 
These are messages that are the same or similar to other spam that 
was stopped previously.

I had not set up any blacklists or whitelists, or done any tweaking 
yet. My host says they have not changed anything and suggested 
disabling and re-enabling it. There is still mail going into the spam 
box.

I've read the faq and didn't see anything posted since I joined this 
list this morning. If there is a more basic list please point me to 
it, I'm a spamassassin newbie.

TIA,

Diane

Re: Increase this weekend?

Posted by John Andersen <js...@pen.homeip.net>.
On Monday 02 August 2004 10:37 am, diane wrote:
> Hi folks,
>
> My webhost has spamassassin installed on their machines, we can turn
> it on and configure it if we desire. I did so about a month ago for
> one of my servers. It's worked pretty good for me, hardly any spam
> gets through.
>
> But all of the sudden this weekend a ton of spam has come through.
> These are messages that are the same or similar to other spam that
> was stopped previously.

Spammers are up to new tricks, even the big guys like 
postini were passing tons of spam to their customers this weekend.



-- 
_____________________________________
John Andersen

Re[2]: Increase this weekend?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Jim, Diane,

Monday, August 2, 2004, 11:55:04 AM, you wrote:

JM> Quoting diane <di...@mathermotorsports.com>:

>> Hi folks,
>>
>> My webhost has spamassassin installed on their machines, we can turn
>> it on and configure it if we desire. I did so about a month ago for
>> one of my servers. It's worked pretty good for me, hardly any spam
>> gets through. ...

JM> I can't comment (well I could, but not accurately) on the increase in
JM> spam levels as I have not seen this myself, but since you say you have
JM> the ability to customize your install of spamassassin, I would suggest
JM> either downloading and installing a couple of relevant rulesets and/or
JM> configure SURBL support.

Unfortunately, many hosting arrangements like this give us only
user_prefs configuration options, which means that we can't add new rules
(eg: SARE) to the mix, and can't update SA itself (eg: SURBL).

Me, I cheat -- I have a script which waits for my host's SA run to
complete, grabs the email, accepts any "this is spam" determination
without question, and does not believe any "this is ham" determination.
My script then issues the spamassassin command against that email, with
my own rules in place, and sees whether those rules call this spam or
ham. If both runs call an email ham, then I accept that. If either run
calls an email spam, then spam it am.

Bob Menschel
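
Added example (not Bob's script, which the thread does not show): a sketch of the two-pass logic described in the message above, assuming the host's run leaves an `X-Spam-Flag: YES` header on mail it calls spam and that messages sit one per file in an intermediate directory. `SA_PREFS`, `SA_CMD` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; SA_PREFS, SA_CMD and the function names are hypothetical.
# SA_PREFS: your own prefs/rules file for the second pass (assumed path).
SA_PREFS="${SA_PREFS:-$HOME/.spamassassin/second_pass_prefs}"

# Default second pass: "spamassassin -e" exits non-zero when the message
# is spam; -p points it at your own prefs file instead of the default.
second_pass() {
    spamassassin -e -p "$SA_PREFS" < "$1" > /dev/null
}
SA_CMD="${SA_CMD:-second_pass}"

# True if the host's run flagged the message. Only the header block (up to
# the first blank line) is read, so "X-Spam-Flag: YES" text in a body is ignored.
host_says_spam() {
    sed -e '/^[[:space:]]*$/q' "$1" | grep -qi '^X-Spam-Flag:[[:space:]]*YES'
}

# classify FILE: prints "spam" or "ham".
classify() {
    if host_says_spam "$1"; then
        echo spam    # host's "spam" verdict is accepted without question
    elif "$SA_CMD" "$1"; then
        echo ham     # host did not flag it and the second pass agrees
    else
        echo spam    # second pass said spam, or could not run (fails closed)
    fi
}

# sort_mail SRC HAM_DIR SPAM_DIR: file each message (one per file).
sort_mail() {
    for msg in "$1"/*; do
        [ -f "$msg" ] || continue
        if [ "$(classify "$msg")" = spam ]; then
            mv "$msg" "$3"/
        else
            mv "$msg" "$2"/
        fi
    done
}

# Stand-alone use, e.g. from cron: script SRC HAM_DIR SPAM_DIR
if [ "$#" -eq 3 ]; then
    sort_mail "$@"
fi
```

Because a missing host flag is never trusted as ham, a forged "not spam" header changes nothing; mail is filed as ham only when the second pass also passes it.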




Re[2]: Increase this weekend?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Jeff,

I agree with you, but

Tuesday, August 3, 2004, 4:49:56 PM, you wrote:

JC> On Tuesday, August 3, 2004, 12:50:00 PM, Robert Menschel wrote:
>> I then grabbed the blacklist William Stearns maintains at
>> http://www.stearns.org/sa-blacklist/sa-blacklist.current.cf
>> It's a big help, and I update my copy here from his system every month or
>> so.

JC> Uh, sa-blacklist is getting huge lately.  Better to use
JC> the SURBL version of it: ws.surbl.org in order to
JC> prevent server choking and SpamAssassin crashing...
JC> (not trying to FUD, but....)
JC>   http://www.surbl.org/lists.html#ws
JC>   http://www.surbl.org/quickstart.html

we are talking about a lowly domain owner on a shared server, where we do
not have the ability to modify the SA setup.  I can't install surbl on my
host's server, and chances are she can't either.

The blacklist is the majority of my user_prefs, even with just about all
SARE rules in there as well, and yes, it consumes overhead, but it's the
best solution in my environment.

When my host eventually upgrades to 3.0 with surbl built-in, then
depending upon results I may discontinue using sa-blacklist.cf ... until
then I rely on it.

Bob Menschel




Re: Increase this weekend?

Posted by Jeff Chan <je...@surbl.org>.
On Tuesday, August 3, 2004, 12:50:00 PM, Robert Menschel wrote:
> I then grabbed the blacklist William Stearns maintains at
> http://www.stearns.org/sa-blacklist/sa-blacklist.current.cf
> It's a big help, and I update my copy here from his system every month or
> so.

Uh, sa-blacklist is getting huge lately.  Better to use
the SURBL version of it: ws.surbl.org in order to
prevent server choking and SpamAssassin crashing...
(not trying to FUD, but....)

  http://www.surbl.org/lists.html#ws

  http://www.surbl.org/quickstart.html

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re[3]: Increase this weekend?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Diane,

Tuesday, August 3, 2004, 12:23:04 PM, you wrote:

d> Thanks for the tips. I may ask you later about your cheating method.  ;)

d> As for configuration, I can do:
d> blacklist
d> whitelist
d> required hits
d> rewrite subject
d> score
d> subject tag

d> Is that all you can do at your host Bob?

Without cheating, yes. Not sure what you mean by "subject tag", though,
unless that's the same thing as rewriting the subject.

First thing I did last year when I first discovered I had SA capabilities
and read the SA web site was increase my required hits to 9 (I'm what
you'd call conservatively aggressive -- I hate spam, and nuke all spam so
my end-users don't see them (with a 99.8% accuracy rate), but I hate
false positives even more, so I increased the required hits to make sure
I didn't get any false positives from the default system).

I then increased a number of scores on the safest and most commonly hit
rules to allow for that increased required hits.

I then grabbed the blacklist William Stearns maintains at
http://www.stearns.org/sa-blacklist/sa-blacklist.current.cf
It's a big help, and I update my copy here from his system every month or
so.

I also have a few whitelists, but I try to keep those to a minimum.

All of that got me to around 98% accuracy.  I then began to cheat, and
that's how I get to 99.8%.

d> The servers are Linux and I have dabbled in Unix a few times in the 
d> last 10 years or so.

So it's very possible some adaptation of my system will work for you.
Basic requirements are that you be able to create secondary/intermediate
mailboxes, and run cron jobs to handle automated sa-learn and
spamassassin runs.

d> The misguided spams have slowed down since yesterday but were 
d> completely out of control Sat - Mon.

Never had a problem here.  Apparently my system headed them off.

Bob Menschel




Re[2]: Increase this weekend?

Posted by diane <di...@mathermotorsports.com>.
At 12:11 PM -0700 8/3/04, Robert Menschel wrote:
>Hello diane,
>
>Monday, August 2, 2004, 12:12:17 PM, you wrote:
>
>d> Thanks all! I've been on the net since before there was a net, but at
>d> this I am pretty new and the posts this morning were pretty technical
>d> compared to my question. Considering I've been in IT since the
>d> mid-80's I felt like a bumbling fool for a little bit LOL
>
>How extensive is your experience with the O/S used by your web host?  If
>Linux of some flavor, and if you have a few years experience in Linux or
>any Unix flavor, you might be able to adapt my solution to your
>situation.
>
>Bob Menschel


Bob,

Thanks for the tips. I may ask you later about your cheating method.  ;)

As for configuration, I can do:
blacklist
whitelist
required hits
rewrite subject
score
subject tag

Is that all you can do at your host Bob?

The servers are Linux and I have dabbled in Unix a few times in the 
last 10 years or so.

The misguided spams have slowed down since yesterday but were 
completely out of control Sat - Mon.

Thanks!

Diane



Re[2]: Increase this weekend?

Posted by diane <di...@mathermotorsports.com>.
ps - and from looking at my headers, autolearn is set to off.  :(

Diane

Re[2]: Increase this weekend?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello diane,

Monday, August 2, 2004, 12:12:17 PM, you wrote:

d> Thanks all! I've been on the net since before there was a net, but at 
d> this I am pretty new and the posts this morning were pretty technical 
d> compared to my question. Considering I've been in IT since the 
d> mid-80's I felt like a bumbling fool for a little bit LOL

How extensive is your experience with the O/S used by your web host?  If
Linux of some flavor, and if you have a few years experience in Linux or
any Unix flavor, you might be able to adapt my solution to your
situation.

Bob Menschel




Re: Increase this weekend?

Posted by diane <di...@mathermotorsports.com>.
Thanks all! I've been on the net since before there was a net, but at 
this I am pretty new and the posts this morning were pretty technical 
compared to my question. Considering I've been in IT since the 
mid-80's I felt like a bumbling fool for a little bit LOL

I don't know how deep I can get w/the install. It's installed on the 
servers and any domain owner can enable/disable and the same with the 
spam box. I can also do black/whitelists and probably a few other 
things. I don't know about actually installing it.

I'll dig around and look at what I can do WRT your suggestions.

They claim they made no changes but you know how that goes.  ;)


Thanks,

Diane

Re: Increase this weekend?

Posted by Jim Maul <jm...@elih.org>.
Quoting diane <di...@mathermotorsports.com>:

> Hi folks,
>
> My webhost has spamassassin installed on their machines, we can turn
> it on and configure it if we desire. I did so about a month ago for
> one of my servers. It's worked pretty good for me, hardly any spam
> gets through.
>
> But all of the sudden this weekend a ton of spam has come through.
> These are messages that are the same or similar to other spam that
> was stopped previously.
>
> I had not set up any blacklists or whitelists, or done any tweaking
> yet. My host says they have not changed anything and suggested
> disabling and re-enabling it. There is still mail going into the spam
> box
>
> I've read the faq and didn't see anything posted since I joined this
> list this morning. If there is a more basic list please point me to
> it, I'm a spamassassin newbie.
>
>

I can't comment (well I could, but not accurately) on the increase in
spam levels as I have not seen this myself, but since you say you have
the ability to customize your install of spamassassin, I would suggest
either downloading and installing a couple of relevant rulesets and/or
configure SURBL support.

As far as I know, there is no lower level spamassassin mailing list so posting
your questions here is perfectly acceptable.

Check http://www.rulesemporium.com and http://ws.surbl.org/ for more
information regarding how to set up and maintain rulesets and SURBL.

Hope this helps,

Jim