Posted to users@spamassassin.apache.org by Jonathan Nichols <jn...@pbp.net> on 2005/05/05 18:14:28 UTC
hillsdale media
Ugh. I'm getting stuff from these jerks slipping through left & right..
anyone else seeing this stuff? :|
It's hitting the sbl rules, but still only scoring 4.152..
From: ChristianMortgageUSA.com <in...@clicklexicon.com>
To: jnichols@pbp.net
Subject: Let our experts help you save on your home
Date: Thu, 5 May 2005 12:10:57 EST
Message-ID: <q3...@soi-14.clicklexicon.com>
X-Mailer: 3.2.3-39 [Apr 21 2005, 20:38:21]
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at mailgate.pbp.net
X-Spam-Status: No, hits=4.152 tagged_above=-999 required=6
tests=ALL_TRUSTED,
DOMAIN_RATIO, HTML_90_100, HTML_FONT_INVISIBLE, HTML_IMAGE_ONLY_16,
HTML_MESSAGE, MIME_HTML_ONLY, T_NUM_IN_DOMAIN_0, URIBL_SBL, URIBL_WS_SURBL
X-Spam-Level: ****
Re: hillsdale media
Posted by Jim Maul <jm...@elih.org>.
Kevin Peuhkurinen wrote:
> Kelson wrote:
>
>>
>>
>> Which won't solve the problem of the trust path being incorrect and
>> causing SA to check the wrong hosts against blacklists, etc.
>>
>> If he can get his trust path working, he's much better off doing so
>> than just masking the symptom of ALL_TRUSTED misfiring.
>>
>> I would *not* recommend disabling ALL_TRUSTED except as a last resort.
>>
>
> I am reasonably sure that my trusted and internal network paths are
> correct. I base this on the fact that 1) all DNSRBL rules are being
> applied correctly, 2) SPF checks are working properly, and 3) I am under
> the illusion that I know what I am doing and can follow procedures in
> documentation most of the time.
>
> Despite this, however, ALL_TRUSTED was still being hit constantly when
> it should not have. I don't see any reason why I should re-enable the
> rule. And frankly, judging by the number of other people who have also
> had problems with ALL_TRUSTED, I think it should just be disabled by
> default.
>
Disabling this rule because it is misfiring is NOT a good idea as stated
above. If your trust path is set correctly and it is still misfiring,
there is still a problem somewhere. It may not affect you in your
current setup, but the problem still exists. ALL_TRUSTED firing when it
shouldn't is a symptom of the problem, not the problem itself. Disabling
the rule simply makes the symptoms go away...for some people this is all
they care about. For any admin worth anything, this should NOT be a
solution. But hey, what do I know?
-Jim
Re: hillsdale media = PWN3D
Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Jonathan Nichols wrote:
> Ok, right on! I fixed the trusted_networks thing, and check this out!
>
> BTW, the jerks are using another domain.. for a new "division." my god,
> CAN-SPAM is a piece of crap. How the *hell* did it get passed? Ugh.
>
Jonathan
Yup complete waste of time, not unlike the crud getting passed through
various law making bodies in other countries.
Of course the best recourse is user education. If people didn't buy
products advertised via email then the spammers would go and do
something else.
Either that or remove Florida from the Internet ;-)
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************
hillsdale media = PWN3D
Posted by Jonathan Nichols <jn...@pbp.net>.
Ok, right on! I fixed the trusted_networks thing, and check this out!
BTW, the jerks are using another domain.. for a new "division." my god,
CAN-SPAM is a piece of crap. How the *hell* did it get passed? Ugh.
At least it's getting plonked now. And with that, off to KFC I go...
Return-Path: <3-...@stderr.bluetopscout.com>
Received: from mailgate.pbp.net (mailgate.pbp.net [192.168.10.87])
by mail.pbp.net (Postfix) with ESMTP id 3CFDFA1707
for <jn...@pbp.net>; Fri, 6 May 2005 13:01:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by mailgate.pbp.net (Postfix) with ESMTP id 158B94BFEA
for <jn...@pbp.net>; Fri, 6 May 2005 13:18:14 -0700 (PDT)
Received: from mailgate.pbp.net ([127.0.0.1])
by localhost (mailgate [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 24326-03 for <jn...@pbp.net>; Fri, 6 May 2005 13:18:07 -0700 (PDT)
Received: from outmail-34.bluetopscout.com (outmail-34.bluetopscout.com
[209.104.210.34])
by mailgate.pbp.net (Postfix) with SMTP id 5EC4646354
for <jn...@pbp.net>; Fri, 6 May 2005 13:18:07 -0700 (PDT)
MIME-Version: 1.0
X-Accept-Language: en
X-Priority: Normal
From: HealthCare Professions <ca...@bluetopscout.com>
To: jnichols@pbp.net
Subject: *SPAM* Don't put it off any longer; get your degree now
Date: Fri, 6 May 2005 16:18:07 EST
Message-ID: <q7...@outmail-34.bluetopscout.com>
X-Mailer: 3.2.2-23 [Dec 14 2004, 19:36:15]
Content-Type: text/html; charset="ISO-8859-1";
class-id=3:0vebozYkN9MxMUecr:6163081
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at mailgate.pbp.net
X-Spam-Status: Yes, hits=13.937 tagged_above=-999 required=6
tests=DNS_FROM_AHBL_RHSBL, EVILNUMBER_A_BOX_1, EXCUSE_6,
HTML_FONT_INVISIBLE,
HTML_IMAGE_ONLY_24, HTML_MESSAGE, MIME_HTML_ONLY, RAZOR2_CF_RANGE_51_100,
RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_SBL, URIBL_SBL
X-Spam-Level: *************
X-Spam-Flag: YES
Re: hillsdale media
Posted by Jonathan Nichols <jn...@pbp.net>.
> Try the wiki:
>
> http://wiki.apache.org/spamassassin/TrustPath
>
> Which will end up explaining a few things, and then direct you to the
> manpages for the trusted_networks setting.
Ah. Thanks! :D
I added "trusted_networks 192.168/16 127/8" to local.cf - the box itself
is a 192.168.x.x host, as it's behind a firewall providing static NAT.
These hillsdale media punks are *still* sending me crap, even after
(yes, I know) I clicked their "unsubscribe" link. I did that and took a
screenshot confirming the "opt-out" just in case there's *some* loophole
in CAN-SPAM that will allow me to sue the $%&*#@! out of them.
Fortunately, I have access to some lawyers that hate spam too.
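Added example (not part of any poster's message, and not SpamAssassin's own code): a simplified Python model of the trust-path walk discussed in this thread, run over the Received chain quoted in the thread (abridged: "for" clauses and timestamps dropped, continuation lines re-indented). The function names are hypothetical; the model treats the first relay outside trusted_networks as the host that gets checked against blacklists, and reports ALL_TRUSTED when no such relay exists.

```python
import ipaddress
import re
from email import message_from_string

# Received chain from the message quoted in the thread (abridged, see lead-in).
SAMPLE = """\
Received: from mailgate.pbp.net (mailgate.pbp.net [192.168.10.87])
\tby mail.pbp.net (Postfix) with ESMTP id 12DED9ED14
Received: from localhost (localhost [127.0.0.1])
\tby mailgate.pbp.net (Postfix) with ESMTP id AD4BE4635C
Received: from mailgate.pbp.net ([127.0.0.1])
\tby localhost (mailgate [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17278-02
Received: from soi-14.clicklexicon.com (soi-14.clicklexicon.com [66.227.103.14])
\tby mailgate.pbp.net (Postfix) with SMTP id 6B4A3462E0
"""


def parse_trusted_networks(setting):
    """Expand the abbreviated form used in local.cf (e.g. '192.168/16')."""
    nets = []
    for item in setting.split():
        addr, _, bits = item.partition("/")
        octets = addr.rstrip(".").split(".")
        octets += ["0"] * (4 - len(octets))  # pad '192.168' to '192.168.0.0'
        nets.append(ipaddress.ip_network(".".join(octets) + "/" + (bits or "32")))
    return nets


def relay_ips(raw_headers):
    """IP of the sending host in each Received header, newest hop first."""
    ips = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        unfolded = " ".join(value.split())
        # Only the 'from' half names the sender; the 'by' half is the receiver.
        from_part = re.split(r"\sby\s", unfolded, maxsplit=1)[0]
        match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", from_part)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def trust_path(raw_headers, setting):
    """Return (all_trusted, first_untrusted_relay) under this simplified model."""
    nets = parse_trusted_networks(setting)
    for ip in relay_ips(raw_headers):
        if not any(ip in net for net in nets):
            return False, str(ip)  # this relay is the one blacklists should see
    return True, None  # no untrusted hop: the ALL_TRUSTED condition


if __name__ == "__main__":
    print(trust_path(SAMPLE, "192.168/16 127/8"))  # setting from the post above
    print(trust_path(SAMPLE, "127/8"))             # NAT range left out
    print(trust_path("Subject: no Received headers\n", "192.168/16 127/8"))
```

In this model, leaving the 192.168 range out stops the walk at the internal gateway rather than at the external sender, and a message with no Received headers at all comes out as all-trusted.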
Re: hillsdale media
Posted by Matt Kettler <mk...@evi-inc.com>.
Jonathan Nichols wrote:
>
>> The OP said nothing about having verified and set the trust path, and
>> his server setup does appear to use a local IP, which means that
>> there's a good chance that, *in his case*, the actual problem is not
>> with the ALL_TRUSTED *rule* but with the *actual trust path*. In
>> that case, disabling ALL_TRUSTED will not solve the real problem.
>>
>
> The concept of the "trust path" is a new one to me. I haven't the
> slightest clue as to how to verify/correct it, and a search through
> the archives/google didn't give me much to go on. :|
>
Try the wiki:
http://wiki.apache.org/spamassassin/TrustPath
Which will end up explaining a few things, and then direct you to the
manpages for the trusted_networks setting.
You can jump to the chase and read about trusted_networks in:
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#network_test_options
Re: hillsdale media
Posted by Jonathan Nichols <jn...@pbp.net>.
> The OP said nothing about having verified and set the trust path, and
> his server setup does appear to use a local IP, which means that there's
> a good chance that, *in his case*, the actual problem is not with the
> ALL_TRUSTED *rule* but with the *actual trust path*. In that case,
> disabling ALL_TRUSTED will not solve the real problem.
>
The concept of the "trust path" is a new one to me. I haven't the
slightest clue as to how to verify/correct it, and a search through the
archives/google didn't give me much to go on. :|
Re: hillsdale media
Posted by Kelson <ke...@speed.net>.
Kevin Peuhkurinen wrote:
> I am reasonably sure that my trusted and internal network paths are
> correct. I base this on the fact that 1) all DNSRBL rules are being
> applied correctly, 2) SPF checks are working properly, and 3) I am under
> the illusion that I know what I am doing and can follow procedures in
> documentation most of the time.
>
> Despite this, however, ALL_TRUSTED was still being hit constantly when
> it should not have. I don't see any reason why I should re-enable the
> rule. And frankly, judging by the number of other people who have also
> had problems with ALL_TRUSTED, I think it should just be disabled by
> default.
As I said, disable it as a last resort. You apparently did. Nowhere
did I say *you* should re-enable it. I did, however, disagree with your
recommendation that Jonathan should disable it.
The OP said nothing about having verified and set the trust path, and
his server setup does appear to use a local IP, which means that there's
a good chance that, *in his case*, the actual problem is not with the
ALL_TRUSTED *rule* but with the *actual trust path*. In that case,
disabling ALL_TRUSTED will not solve the real problem.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: hillsdale media
Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Kelson wrote:
>
>
> Which won't solve the problem of the trust path being incorrect and
> causing SA to check the wrong hosts against blacklists, etc.
>
> If he can get his trust path working, he's much better off doing so than
> just masking the symptom of ALL_TRUSTED misfiring.
>
> I would *not* recommend disabling ALL_TRUSTED except as a last resort.
>
I am reasonably sure that my trusted and internal network paths are
correct. I base this on the fact that 1) all DNSRBL rules are being
applied correctly, 2) SPF checks are working properly, and 3) I am under
the illusion that I know what I am doing and can follow procedures in
documentation most of the time.
Despite this, however, ALL_TRUSTED was still being hit constantly when
it should not have. I don't see any reason why I should re-enable the
rule. And frankly, judging by the number of other people who have also
had problems with ALL_TRUSTED, I think it should just be disabled by
default.
Re: hillsdale media
Posted by Kelson <ke...@speed.net>.
Kevin Peuhkurinen wrote:
> Right, so clearly your email is incorrectly hitting the "ALL_TRUSTED"
> rule which is lowering its score by 2.4 points. Otherwise, it would
> have been above your kill level of 6. Apparently there is some means of
> getting ALL_TRUSTED to work properly but personally I've never been able
> to do so (even despite setting up my trusted and internal networks in
> local.cf as per the documentation), and so I have just disabled this
> rule entirely.
>
> I'd certainly recommend disabling the rule by setting:
> score ALL_TRUSTED 0
> in your user_prefs or local.cf file.
Which won't solve the problem of the trust path being incorrect and
causing SA to check the wrong hosts against blacklists, etc.
If he can get his trust path working, he's much better off doing so than
just masking the symptom of ALL_TRUSTED misfiring.
I would *not* recommend disabling ALL_TRUSTED except as a last resort.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: hillsdale media
Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Jonathan Nichols wrote:
>
> Whoops. I thought that I did, clearly I did not.
> Here's the full header:
>
> From - Thu May 5 09:12:37 2005
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 00000000
> Return-Path: <1-...@stderr.clicklexicon.com>
> Received: from mailgate.pbp.net (mailgate.pbp.net [192.168.10.87])
> by mail.pbp.net (Postfix) with ESMTP id 12DED9ED14
> for <jn...@pbp.net>; Thu, 5 May 2005 08:54:21 -0700 (PDT)
> Received: from localhost (localhost [127.0.0.1])
> by mailgate.pbp.net (Postfix) with ESMTP id AD4BE4635C
> for <jn...@pbp.net>; Thu, 5 May 2005 09:24:17 -0700 (PDT)
> Received: from mailgate.pbp.net ([127.0.0.1])
> by localhost (mailgate [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
> id 17278-02 for <jn...@pbp.net>; Thu, 5 May 2005 09:24:12 -0700 (PDT)
> Received: from soi-14.clicklexicon.com (soi-14.clicklexicon.com
> [66.227.103.14])
> by mailgate.pbp.net (Postfix) with SMTP id 6B4A3462E0
> for <jn...@pbp.net>; Thu, 5 May 2005 09:24:12 -0700 (PDT)
> MIME-Version: 1.0
> X-Accept-Language: en
> X-Priority: Normal
> From: ChristianMortgageUSA.com <in...@clicklexicon.com>
> To: jnichols@pbp.net
> Subject: Let our experts help you save on your home
> Date: Thu, 5 May 2005 12:10:57 EST
> Message-ID: <q3...@soi-14.clicklexicon.com>
> X-Mailer: 3.2.3-39 [Apr 21 2005, 20:38:21]
> Content-Type: text/html; charset="ISO-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Virus-Scanned: by amavisd-new at mailgate.pbp.net
> X-Spam-Status: No, hits=4.152 tagged_above=-999 required=6
> tests=ALL_TRUSTED,
> DOMAIN_RATIO, HTML_90_100, HTML_FONT_INVISIBLE, HTML_IMAGE_ONLY_16,
> HTML_MESSAGE, MIME_HTML_ONLY, T_NUM_IN_DOMAIN_0, URIBL_SBL, URIBL_WS_SURBL
> X-Spam-Level: ****
>
Right, so clearly your email is incorrectly hitting the "ALL_TRUSTED"
rule which is lowering its score by 2.4 points. Otherwise, it would
have been above your kill level of 6. Apparently there is some means of
getting ALL_TRUSTED to work properly but personally I've never been able
to do so (even despite setting up my trusted and internal networks in
local.cf as per the documentation), and so I have just disabled this
rule entirely.
I'd certainly recommend disabling the rule by setting:
score ALL_TRUSTED 0
in your user_prefs or local.cf file.
Re: hillsdale media
Posted by Jonathan Nichols <jn...@pbp.net>.
>>
> He may not have posted the received headers for some ineffable
> reason. Plus, if the actual email did not originally hit ALL_TRUSTED,
> then the original score would have been 4.152 + 2.4 (ALL_TRUSTED score)
> = 6.552 which should have stopped the email unless his kill level is set
> higher than that.
>
Whoops. I thought that I did, clearly I did not.
Here's the full header:
From - Thu May 5 09:12:37 2005
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <1-...@stderr.clicklexicon.com>
Received: from mailgate.pbp.net (mailgate.pbp.net [192.168.10.87])
by mail.pbp.net (Postfix) with ESMTP id 12DED9ED14
for <jn...@pbp.net>; Thu, 5 May 2005 08:54:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
by mailgate.pbp.net (Postfix) with ESMTP id AD4BE4635C
for <jn...@pbp.net>; Thu, 5 May 2005 09:24:17 -0700 (PDT)
Received: from mailgate.pbp.net ([127.0.0.1])
by localhost (mailgate [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 17278-02 for <jn...@pbp.net>; Thu, 5 May 2005 09:24:12 -0700 (PDT)
Received: from soi-14.clicklexicon.com (soi-14.clicklexicon.com
[66.227.103.14])
by mailgate.pbp.net (Postfix) with SMTP id 6B4A3462E0
for <jn...@pbp.net>; Thu, 5 May 2005 09:24:12 -0700 (PDT)
MIME-Version: 1.0
X-Accept-Language: en
X-Priority: Normal
From: ChristianMortgageUSA.com <in...@clicklexicon.com>
To: jnichols@pbp.net
Subject: Let our experts help you save on your home
Date: Thu, 5 May 2005 12:10:57 EST
Message-ID: <q3...@soi-14.clicklexicon.com>
X-Mailer: 3.2.3-39 [Apr 21 2005, 20:38:21]
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at mailgate.pbp.net
X-Spam-Status: No, hits=4.152 tagged_above=-999 required=6
tests=ALL_TRUSTED,
DOMAIN_RATIO, HTML_90_100, HTML_FONT_INVISIBLE, HTML_IMAGE_ONLY_16,
HTML_MESSAGE, MIME_HTML_ONLY, T_NUM_IN_DOMAIN_0, URIBL_SBL, URIBL_WS_SURBL
X-Spam-Level: ****
Re: hillsdale media
Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Theo Van Dinter wrote:
>It's not really misfiring here. In the sample message, there are no Received
>headers, so the message looks as if it was sent from local to the machine.
>
>
>
He may not have posted the received headers for some ineffable
reason. Plus, if the actual email did not originally hit ALL_TRUSTED,
then the original score would have been 4.152 + 2.4 (ALL_TRUSTED score)
= 6.552 which should have stopped the email unless his kill level is set
higher than that.
Re: hillsdale media
Posted by Theo Van Dinter <fe...@kluge.net>.
On Thu, May 05, 2005 at 05:20:53PM +0100, Martin Hepworth wrote:
> the ALL_TRUSTED rule is misfiring. Read the documentation on setting
> the trusted_networks etc and configure this for your setup and that will
> help the problem
It's not really misfiring here. In the sample message, there are no Received
headers, so the message looks as if it was sent from local to the machine.
--
Randomly Generated Tagline:
I'll be comfortable on the couch. Famous last words.
-- Lenny Bruce
Re: hillsdale media
Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Jonathan
the ALL_TRUSTED rule is misfiring. Read the documentation on setting
the trusted_networks etc and configure this for your setup and that will
help the problem
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Jonathan Nichols wrote:
> Ugh. I'm getting stuff from these jerks slipping through left & right..
> anyone else seeing this stuff? :|
> It's hitting the sbl rules, but still only scoring 4.152..
>
>
> From: ChristianMortgageUSA.com <in...@clicklexicon.com>
> To: jnichols@pbp.net
> Subject: Let our experts help you save on your home
> Date: Thu, 5 May 2005 12:10:57 EST
> Message-ID: <q3...@soi-14.clicklexicon.com>
> X-Mailer: 3.2.3-39 [Apr 21 2005, 20:38:21]
> Content-Type: text/html; charset="ISO-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Virus-Scanned: by amavisd-new at mailgate.pbp.net
> X-Spam-Status: No, hits=4.152 tagged_above=-999 required=6
> tests=ALL_TRUSTED,
> DOMAIN_RATIO, HTML_90_100, HTML_FONT_INVISIBLE, HTML_IMAGE_ONLY_16,
> HTML_MESSAGE, MIME_HTML_ONLY, T_NUM_IN_DOMAIN_0, URIBL_SBL, URIBL_WS_SURBL
> X-Spam-Level: ****
>