Posted to users@spamassassin.apache.org by Michelle Konzack <li...@tamay-dogan.net> on 2009/06/30 00:46:00 UTC

New type of spam... (very curious)

For some seconds I have gotten this spam, which has passed my spamassassin
but was hit by a separate ZEN rule in procmail:


Return-Path: soria.h.stevenson@gmail.com
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
	samba3.private.tamay-dogan.net
X-Spam-Level: *
X-Spam-Status: No, score=1.3 required=4.5 tests=BAYES_00,HTML_MESSAGE,
	RDNS_NONE,SUBJECT_FUZZY_MEDS autolearn=no version=3.2.3
Delivered-To: linux4michelle@tamay-dogan.net
Received: from delta4.net ([::ffff:69.43.203.202])
	by vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200
	id 00002765.4A48FAF1.0000587B
Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)
	by delta4.net (CommuniGate Pro SMTP 5.2.3)
	with ESMTPA id 18578669 for linux4michelle@tamay-dogan.net; Mon, 29 Jun 2009 10:33:51 -0700
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=_vserver1-22651-1246296817-0001-2"
Date: Mon, 29 Jun 2009 13:33:43 -0400
Message-ID: <CH...@Gsurface-PC>
X-Mailer: Chilkat Software Inc (http://www.chilkatsoft.com)
X-Priority: 3 (Normal)
Subject: RE: [SA Rule] meds, pill and shop spams
Reply-To: soria.h.stevenson@gmail.com
Old-Return-Path: soria.h.stevenson@gmail.com
From: Soriah Stevenson <so...@gmail.com>
To: Michelle Konzack <li...@tamay-dogan.net>
X-TDMailSerialnumber: 9189409
X-TDMailCount: true
X-TDTools-Procmail: FILTER=FLT_spamhaus, WLIST=PRI_linux.FLT_spamhaus

Hi Michelle Konzack,

This email is a response to the apartment that is for rent.  I am sorry it took so long to respond, your email was sent to the spam folder.  In order to schedule showings, I am asking all tenants for their latest credit score and income.  If you don't have your credit score at the moment, you can check it online using the link below.

http://www.icredit-scores.com/

Please email me this information at your earliest convinience.  Thanks.

From: linux4michelle@tamay-dogan.net
Sent: 6/29/2009 12:31:48 PM
Subject: [SA Rule] meds, pill and shop spams

Hello,

because I am currently being hit by several 10.000 of a new type of spam using
domains like www.(meds|pill|shop)XX.(net|com|org), I suggest you put
the following in your spamassassin config:

----[ '~/.spamassassin/user_prefs' ]------------------------------------
body            AE_MEDS35       /\(\s?w{2,4}\s(?:meds|pill|shop)\d{1,4}\s(?:net|com|org)\s?\)/
describe        AE_MEDS35       obfuscated domain seen in spam
score           AE_MEDS35       3.00
------------------------------------------------------------------------

Works perfectly and has caught over 63.000 spams on my server today.

Thanks, Greetings and nice Day/Evening
   Michelle Konzack
   Systemadministrator
   25.9V Electronic Engineer
   Tamay Dogan Network
   Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
<http://www.tamay-dogan.net/>                 Michelle Konzack
<http://www.can4linux.org/>                   c/o Vertriebsp. KabelBW
<http://www.flexray4linux.org/>               Blumenstrasse 2
Jabber linux4michelle@jabber.ccc.de           77694 Kehl/Germany
IRC #Debian (irc.icq.com)                     Tel. DE: +49 177 9351947
ICQ #328449886                                Tel. FR: +33  6  61925193

Re: New type of spam... (very curious)

Posted by Michelle Konzack <li...@tamay-dogan.net>.
On 2009-06-30 04:33:57, Benny Pedersen wrote:
> what ip ?

[michelle.konzack@michelle1:~] host 224.118.146.174.zen.spamhaus.org
224.118.146.174.zen.spamhaus.org has address 127.0.0.11

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


Re: New type of spam... (very curious)

Posted by Benny Pedersen <me...@junc.org>.
On Tue, June 30, 2009 00:46, Michelle Konzack wrote:
> For some seconds I have gotten this spam, which has passed my spamassassin
> but was hit by a separate ZEN rule in procmail:

what ip ?

imho ipv6 is still not stable in any sa versions, and this might be your problem

-- 
xpoint


Re: New type of spam... (very curious)

Posted by Spiro Harvey <sp...@knossos.net.nz>.
On Tue, 30 Jun 2009 00:46:00 +0200
Michelle Konzack <li...@tamay-dogan.net> wrote:

> For some seconds I have gotten this spam, which has passed my
> spamassassin but was hit by a separate ZEN rule in procmail:

please use a pastebin when pasting things like email headers.

http://en.wikipedia.org/wiki/Pastebin

http://pastebin.com/


-- 
Spiro Harvey                  Knossos Networks Ltd
021-295-1923                    www.knossos.net.nz

Re: New type of spam... (very curious)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > On 30.06.09 07:06, richard@buzzhost.co.uk wrote:
> > > Are you saying that ZEN caught it after SA processed it? Why are
> > > you not using ZEN in SA or at the SMTP stage?

> On Tue, 30 Jun 2009 09:10:36 +0200
> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> > She apparently does not have control over 69.43.203.202, which is not
> > listed, but 174.146.118.224 is. 69.43.203.202 is apparently in her
> > internal_networks because 174.146.118.224 is listed in the PBL which
> > is checked only on internal network boundary...

On 30.06.09 19:08, RW wrote:
> And note also that it was authenticated, it was a mail submission, so
> PBL should not have been run against it.

wow, I missed this. Any chance that SA did not catch this message?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory. 

Re: New type of spam... (very curious)

Posted by RW <rw...@googlemail.com>.
On Tue, 30 Jun 2009 09:10:36 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 30.06.09 07:06, richard@buzzhost.co.uk wrote:
> > Are you saying that ZEN caught it after SA processed it? Why are
> > you not using ZEN in SA or at the SMTP stage?
> 
> She apparently does not have control over 69.43.203.202, which is not
> listed, but 174.146.118.224 is. 69.43.203.202 is apparently in her
> internal_networks because 174.146.118.224 is listed in the PBL which
> is checked only on internal network boundary...

And note also that it was authenticated, it was a mail submission, so
PBL should not have been run against it.
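The boundary and submission rules Matus and RW lay out, applied to the Received: chain from Michelle's headers, as an added example that is not code from the thread or from SpamAssassin. It walks the hops newest-first, builds the reversed-octet Zen query name (the same name Michelle fed to host), and discards a PBL answer for a hop inside internal_networks, for a non-boundary hop, or for an authenticated (ESMTPA) submission. Assumed: DNS is replaced by a constructed lookup table so it runs offline, and internal_networks is passed in by the caller.

```python
"""Walk the Received: chain of the message quoted in the thread and decide,
hop by hop, how a Zen answer should be read.  Constructed example, not
SpamAssassin's code: DNS is a fixed table (assumption) so it runs offline;
the 127.0.0.11 for 174.146.118.224 is what Michelle's host lookup returned."""
import ipaddress
import re

# Received: headers copied from the quoted message, newest hop first.
# The first hop carries an IPv4-mapped IPv6 literal, which is parsed as IPv4.
RECEIVED = [
    "from delta4.net ([::ffff:69.43.203.202]) by vserver1.tamay-dogan.net "
    "with esmtp; Mon, 29 Jun 2009 19:33:36 +0200 id 00002765.4A48FAF1.0000587B",
    "from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC) "
    "by delta4.net (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 18578669 "
    "for linux4michelle@tamay-dogan.net; Mon, 29 Jun 2009 10:33:51 -0700",
]

# Which Zen sub-list a 127.0.0.x answer denotes (Spamhaus return codes).
ZEN_CODES = {2: "SBL", 3: "SBL-CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}

# Constructed stand-in for DNS: only the address from the thread is listed.
FAKE_DNS = {"224.118.146.174.zen.spamhaus.org": "127.0.0.11"}

# RFC 3848 "with" keywords that mean the client authenticated to the relay.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}

IP_RE = re.compile(r"\[(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})\]")
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)


def parse_hop(received):
    """Pull the client IP and the 'with' protocol keyword out of one Received: line."""
    ip = IP_RE.search(received)
    proto = WITH_RE.search(received)
    protocol = proto.group(1).upper() if proto else None
    return {"ip": ip.group(1) if ip else None,
            "protocol": protocol,
            "authenticated": protocol in AUTH_PROTOCOLS}


def zen_query_name(ip):
    """Reverse the octets and append the zone: 174.146.118.224 -> 224.118.146.174.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".zen.spamhaus.org"


def zen_lookup(ip, resolve=FAKE_DNS.get):
    """Return the set of Zen sub-lists the address is on (empty when not listed)."""
    answer = resolve(zen_query_name(ip))
    if answer is None:
        return set()
    return {ZEN_CODES.get(int(answer.rsplit(".", 1)[1]), "unknown")}


def evaluate(received_headers, internal_networks, resolve=FAKE_DNS.get):
    """Decide per hop which listings may count.  Two rules from the thread:
    PBL applies only to the boundary hop (the first address outside
    internal_networks, walking from the newest Received: down) and never to an
    authenticated submission.  SBL/XBL listings count on every hop."""
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    boundary_passed = False
    report = []
    for raw in received_headers:
        hop = parse_hop(raw)
        if hop["ip"] is None:
            continue
        internal = any(ipaddress.ip_address(hop["ip"]) in n for n in nets)
        listed = zen_lookup(hop["ip"], resolve)
        counted, note = set(listed), ""
        if "PBL" in listed:
            if internal:
                note = "PBL ignored: hop is inside internal_networks"
            elif boundary_passed:
                note = "PBL ignored: not the boundary hop"
            elif hop["authenticated"]:
                note = "PBL ignored: authenticated submission (%s)" % hop["protocol"]
            if note:
                counted.discard("PBL")
        if not internal:
            boundary_passed = True
        report.append({"ip": hop["ip"], "protocol": hop["protocol"], "internal": internal,
                       "listed": listed, "counted": counted, "note": note})
    return report


if __name__ == "__main__":
    # delta4.net relays for Michelle, so its address is treated as internal here.
    for hop in evaluate(RECEIVED, ["69.43.203.202/32"]):
        print(hop["ip"], hop["protocol"], sorted(hop["listed"]),
              sorted(hop["counted"]), hop["note"])
```

With delta4.net in internal_networks the PBL hit on 174.146.118.224 is dropped because the hop was an authenticated submission; without it, the same hit is dropped because that hop is no longer the boundary, so in neither configuration does the listing score.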

Re: New type of spam... (very curious)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
> > For some seconds I have gotten this spam, which has passed my spamassassin
> > but was hit by a separate ZEN rule in procmail:
> > 
> > 
> > Return-Path: soria.h.stevenson@gmail.com
> > X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
> > 	samba3.private.tamay-dogan.net
> > X-Spam-Level: *
> > X-Spam-Status: No, score=1.3 required=4.5 tests=BAYES_00,HTML_MESSAGE,
> > 	RDNS_NONE,SUBJECT_FUZZY_MEDS autolearn=no version=3.2.3
> > Delivered-To: linux4michelle@tamay-dogan.net
> > Received: from delta4.net ([::ffff:69.43.203.202])
> > 	by vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200
> > 	id 00002765.4A48FAF1.0000587B
> > Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)
> > 	by delta4.net (CommuniGate Pro SMTP 5.2.3)
> > 	with ESMTPA id 18578669 for linux4michelle@tamay-dogan.net; Mon, 29 Jun 2009 10:33:51 -0700

On 30.06.09 07:06, richard@buzzhost.co.uk wrote:
> Are you saying that ZEN caught it after SA processed it? Why are you not
> using ZEN in SA or at the SMTP stage?

She apparently does not have control over 69.43.203.202, which is not
listed, but 174.146.118.224 is. 69.43.203.202 is apparently in her
internal_networks because 174.146.118.224 is listed in the PBL which is
checked only on internal network boundary...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

Re: New type of spam... (very curious)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 01.07.09 11:26, richard@buzzhost.co.uk wrote:
> And there is the argument that anything other than the final IP can
> easily be forged or inserted into the headers rendering a great many
> costly DNS checks. Swings and roundabouts.

if a spammer forges a Received: line so the checked ip is in a blacklist, it
will only add more points to catch the spam. Very effective in cases of
low-scoring spam.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
You have the right to remain silent. Anything you say will be misquoted,
then used against you. 

Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 12:00 +0200, Matus UHLAR - fantomas wrote:
> > On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:
> > 
> > > Note that rbl checks do not only control the IP you are receiving mail from,
> > > but also an IP others are receiving mail from. That means, rbl checks can
> > > help you catch spam others are (unintentionally) forwarding to you. 
> > > 
> > > I object to disabling RBL checks in SA ...
> 
> On 01.07.09 09:40, richard@buzzhost.co.uk wrote:
> > There is the forwarding argument - I agree, but it is not something that
> > affects us. I object to wasting resources; having SA fire RBL query
> > roundtrips on every message it scans, when they have already been passed
> > by RBL checking at the SMTP level, seems like a pointless waste of time
> > and clock cycles.
> 
> they often have not, since SA checks more headers than the last one.
> (and it may check more rbls than your MTA does at SMTP level).
> 
> and the results from MTA checks should be cached already, as was mentioned
> already...
> 
> > If sorbs bites the dust I'm sure as hell going to want to comment that
> > out someplace.
> 
> - rbl_checks are more than just SORBS.
> - SORBS does not have any problems now and it should not in the future either
> (it may have outages but that's what mirrors are for, and sorbs does have
> mirrors)
> 
> > I don't really want it sitting and waiting for an answer
> > from a non-operative list. Bless SA, it's great, but it's not the
> > quickest thing to run. Any unnecessary delay that can be removed
> > (provided the cost of doing so does not offset it) is a plus to me.
> 
> well, skip network_checks altogether. Note that they all (including rbls) are
> effective.
> 
And there is the argument that anything other than the final IP can
easily be forged or inserted into the headers rendering a great many
costly DNS checks. Swings and roundabouts.


Re: New type of spam... (very curious)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:
> 
> > Note that rbl checks do not only control the IP you are receiving mail from,
> > but also an IP others are receiving mail from. That means, rbl checks can
> > help you catch spam others are (unintentionally) forwarding to you. 
> > 
> > I object to disabling RBL checks in SA ...

On 01.07.09 09:40, richard@buzzhost.co.uk wrote:
> There is the forwarding argument - I agree, but it is not something that
> affects us. I object to wasting resources; having SA fire RBL query
> roundtrips on every message it scans, when they have already been passed
> by RBL checking at the SMTP level, seems like a pointless waste of time
> and clock cycles.

they often have not, since SA checks more headers than the last one.
(and it may check more rbls than your MTA does at SMTP level).

and the results from MTA checks should be cached already, as was mentioned
already...

> If sorbs bites the dust I'm sure as hell going to want to comment that
> out someplace.

- rbl_checks are more than just SORBS.
- SORBS does not have any problems now and it should not in the future either
(it may have outages but that's what mirrors are for, and sorbs does have
mirrors)

> I don't really want it sitting and waiting for an answer
> from a non-operative list. Bless SA, it's great, but it's not the
> quickest thing to run. Any unnecessary delay that can be removed
> (provided the cost of doing so does not offset it) is a plus to me.

well, skip network_checks altogether. Note that they all (including rbls) are
effective.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
99 percent of lawyers give the rest a bad name. 

Re: New type of spam... (very curious)

Posted by Per Jessen <pe...@computer.org>.
richard@buzzhost.co.uk wrote:

> On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:
> 
>> Note that rbl checks do not only control the IP you are receiving
>> mail from, but also an IP others are receiving mail from. That means,
>> rbl checks can help you catch spam others are (unintentionally)
>> forwarding to you.
>> 
>> I object to disabling RBL checks in SA ...
> 
> There is the forwarding argument - I agree, but it is not something
> that affects us. I object to wasting resources; having SA fire RBL
> query roundtrips on every message it scans, when they have already
> been passed by RBL checking at the SMTP level, seems like a pointless
> waste of time and clock cycles.

A minimal waste though given that the result will have already been
cached, either by nscd or by your local name server.


/Per Jessen, Zürich


Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 10:27 +0200, Matus UHLAR - fantomas wrote:

> Note that rbl checks do not only control the IP you are receiving mail from,
> but also an IP others are receiving mail from. That means, rbl checks can
> help you catch spam others are (unintentionally) forwarding to you. 
> 
> I object to disabling RBL checks in SA ...

There is the forwarding argument - I agree, but it is not something that
affects us. I object to wasting resources; having SA fire RBL query
roundtrips on every message it scans, when they have already been passed
by RBL checking at the SMTP level, seems like a pointless waste of time
and clock cycles.

If sorbs bites the dust I'm sure as hell going to want to comment that
out someplace. I don't really want it sitting and waiting for an answer
from a non-operative list. Bless SA, it's great, but it's not the
quickest thing to run. Any unnecessary delay that can be removed
(provided the cost of doing so does not offset it) is a plus to me.


Re: New type of spam... (very curious)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > On 2009-06-30 14:08:33, John Hardin wrote:
> > > If zen worked to catch the message in procmail, how does it not work on  
> > > your MTA? Or did we misinterpret your original post?

> On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote:
> > In Debian, the network related scans are activated and I do not know
> > why ZEN is never executed. If you know more about the "Debian Lenny"
> > version of spamassassin, maybe you can point me in the right direction
> > where to search.

On 01.07.09 06:44, richard@buzzhost.co.uk wrote:
> First of all, I don't use ZEN in SA. My personal feeling is I want to
> get rid of spam at the earliest possible stage. I block anything on
> these lists at the MTA level;
>
>         zen.spamhaus.org
>         dnsbl.sorbs.net
>         b.barracudacentral.org
[...]
> My understanding is even if you get an RBL hit it's only going to up the
> score of the mail. So you are, essentially, scanning spam if you do it
> this way. However, some people like the safety blanket of scanning
> hundreds of thousands of spam messages in case there may one day be a
> false positive :-)

Note that rbl checks do not only control the IP you are receiving mail from,
but also an IP others are receiving mail from. That means, rbl checks can
help you catch spam others are (unintentionally) forwarding to you. 

I object to disabling RBL checks in SA ...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
On the other hand, you have different fingers. 

Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Thu, 2009-07-02 at 09:33 +0200, Matus UHLAR - fantomas wrote:
> > > On Wed, July 1, 2009 08:50, richard@buzzhost.co.uk wrote:
> > > > I'm going to need to disable some of these lists as the MTA has already
> > > > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > > > already tested. Thanks for pointing that out Benny.
> 
> > On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> > > please do your homework again! When you disable some of that rbl
> > > testing in sa, more spam will not be caught, since the mta can only
> > > check the client ip, but sa checks all received ips :)
> 
> On 01.07.09 17:57, richard@buzzhost.co.uk wrote:
> > I never said that it would Benny. Where have I said that? 
> > All that I have said is I don't want to waste the DNS round trip. I'm
> > not interested in the other hops. Once it is in SpamAssassin it's in the
> > network anyway. Dress it up as you like but all it will end up with is a
> > 'Spam' tag.
> 
> Or it will not because SA won't detect it because of disabled RBL checks.
> 
> Well, do as you wish, even if it's stupid. But don't ever complain of false
> negatives unless you re-check the spam with rbls enabled
I don't ever complain of false negatives. If I'm honest I see plenty of
those anyway *with* the checks in place. I take a simple 'stupid' view.
You can spend so much time writing rules and tweaking them but have to
accept that some spammers will just beat them every time.
> 
> > > if you think it does too much checking add more trusted_networks, msa_networks
> > > 
> > > its not that hard is it ?
> > What R E A D I N G  W H A T  I **ACTUALLY** S A I D no, that's easy.
> > Most kids learn it at school.
> 
> actually, they learn to read what the others _wrote_.
> 
There is reading and there is understanding - but this is a pointless
war to fight. I've never suggested disabling RBL checks would improve
anything other than wasting multiple DNS lookups. At no point have I
said it will improve results. Please go back and review what is actually
written and stop being anal.


Re: New type of spam... (very curious)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > On Wed, July 1, 2009 08:50, richard@buzzhost.co.uk wrote:
> > > I'm going to need to disable some of these lists as the MTA has already
> > > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > > already tested. Thanks for pointing that out Benny.

> On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> > please do your homework again! When you disable some of that rbl
> > testing in sa, more spam will not be caught, since the mta can only
> > check the client ip, but sa checks all received ips :)

On 01.07.09 17:57, richard@buzzhost.co.uk wrote:
> I never said that it would Benny. Where have I said that? 
> All that I have said is I don't want to waste the DNS round trip. I'm
> not interested in the other hops. Once it is in SpamAssassin it's in the
> network anyway. Dress it up as you like but all it will end up with is a
> 'Spam' tag.

Or it will not because SA won't detect it because of disabled RBL checks.

Well, do as you wish, even if it's stupid. But don't ever complain of false
negatives unless you re-check the spam with rbls enabled

> > if you think it does too much checking add more trusted_networks, msa_networks
> > 
> > its not that hard is it ?
> What R E A D I N G  W H A T  I **ACTUALLY** S A I D no, that's easy.
> Most kids learn it at school.

actually, they learn to read what the others _wrote_.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
He who laughs last thinks slowest. 

Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 08:50, richard@buzzhost.co.uk wrote:
> 
> > I'm going to need to disable some of these lists as the MTA has already
> > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > already tested. Thanks for pointing that out Benny.
> 
> please do your homework again! When you disable some of that rbl testing in sa, more spam will not be caught, since the mta can
> only check the client ip, but sa checks all received ips :)
I never said that it would Benny. Where have I said that? 
All that I have said is I don't want to waste the DNS round trip. I'm
not interested in the other hops. Once it is in SpamAssassin it's in the
network anyway. Dress it up as you like but all it will end up with is a
'Spam' tag.
> 
> if you think it does too much checking add more trusted_networks, msa_networks
> 
> its not that hard is it ?
What R E A D I N G  W H A T  I **ACTUALLY** S A I D no, that's easy.
Most kids learn it at school.
> 
> back to my c64 in my nokia e51 :)

You may want to upgrade those. Or did you misread the ads for them
thinking P64 and N91?


Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 19:21 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 19:04, richard@buzzhost.co.uk wrote:
> 
> > You may want to fix that backscatter problem you have too :-)
> 
> just stop sending cc to me, then its fixed
> 
My apologies. I figured if I sent it twice you may *READ* it
properly :-)


Re: New type of spam... (very curious)

Posted by Benny Pedersen <me...@junc.org>.
On Wed, July 1, 2009 19:04, richard@buzzhost.co.uk wrote:

> You may want to fix that backscatter problem you have too :-)

just stop sending cc to me, then its fixed

-- 
xpoint


Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 18:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 08:50, richard@buzzhost.co.uk wrote:
> 
> > I'm going to need to disable some of these lists as the MTA has already
> > blocked stuff on them Kind of pointless making repeat lookups for stuff
> > already tested. Thanks for pointing that out Benny.
> 
> please do your homework again! When you disable some of that rbl testing
> in sa, more spam will not be caught, since the mta can only check the
> client ip, but sa checks all received ips :)
I never said that it would Benny. Where have I said that? 
All that I have said is I don't want to waste the DNS round trip. I'm
not interested in the other hops. Once it is in SpamAssassin it's in the
network anyway. Dress it up as you like but all it will end up with is a
'Spam' tag.
> 
> if you think it does too much checking add more trusted_networks, msa_networks
> 
> its not that hard is it ?
What R E A D I N G  W H A T  I **ACTUALLY** S A I D no, that's easy.
Most kids learn it at school.
> 
> back to my c64 in my nokia e51 :)

You may want to upgrade those. Or did you misread the ads for them
thinking P64 and N91?

You may want to fix that backscatter problem you have too :-)


Re: New type of spam... (very curious)

Posted by Benny Pedersen <me...@junc.org>.
On Wed, July 1, 2009 08:50, richard@buzzhost.co.uk wrote:

> I'm going to need to disable some of these lists as the MTA has already
> blocked stuff on them Kind of pointless making repeat lookups for stuff
> already tested. Thanks for pointing that out Benny.

please do your homework again! When you disable some of that rbl testing in sa, more spam will not be caught, since the mta can
only check the client ip, but sa checks all received ips :)

if you think it does too much checking add more trusted_networks, msa_networks

its not that hard is it ?

back to my c64 in my nokia e51 :)

-- 
xpoint


Re: New type of spam... (very curious)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > > > On 1-Jul-2009, at 06:47, richard@buzzhost.co.uk wrote:
> > > > >
> > > > > But for the paranoid will changing 50_scores.cf from;
> > > > >
> > > > > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > > > > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > > > > score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
> > > > > score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
> > > > > score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> > > > > score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
> > > > > score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> > > > > score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
> > > > >
> > > > > TO
> > > > >
> > > > > score RCVD_IN_SORBS_BLOCK 0
> > > > > score RCVD_IN_SORBS_DUL 0
> > > > > score RCVD_IN_SORBS_HTTP 0
> > > > > score RCVD_IN_SORBS_MISC 0
> > > > > score RCVD_IN_SORBS_SMTP 0
> > > > > score RCVD_IN_SORBS_SOCKS 0
> > > > > score RCVD_IN_SORBS_WEB 0
> > > > > score RCVD_IN_SORBS_ZOMBIE 0

> > > On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> > > > DO NOT EDIT 50_scores.cf. Don't do it. No, not even if you're 100%
> > > > positive you want to.

> > On Thu, 2009-07-02 at 05:32 +0100, richard@buzzhost.co.uk wrote:
> > > Why?

> On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
> > It might get overwritten if updated. The safe bet is to put it in
> > local.cf. (Any .cf in /etc/mail/spamassassin will work afaik).

On 02.07.09 08:20, richard@buzzhost.co.uk wrote:
> On my box this is a symlink to /etc/spamassassin.

then put the .cf to /etc/spamassassin.

> It will read .cf fine,
> but it won't tolerate a subdirectory 'custom_rules' with .cf

there's no code to search in subdirectories. I doubt there ever will be.

> > Besides from a logical point of view it makes sense for me to have all
> > my rules in one file/dir, and leave the standard files alone so i can
> > blame other people when things go wrong :)

> So, to disable these rules and stop the Sorbs lookups from happening
> just how do we do it ? If we should not alter the score here do we just
> paste the above block into a file like custom_sorbs.cf and that will do
> it or will the built in rule take precedence?

there are no built-in rules. scores of 0 in local .cf will override those in
rule subdirectories.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Eagles may soar, but weasels don't get sucked into jet engines. 

Re: New type of spam... (very curious)

Posted by Benny Pedersen <me...@junc.org>.
On Thu, July 2, 2009 06:32, richard@buzzhost.co.uk wrote:

> Will it result in a nuclear war?

yes, and burn down all Google's servers as well :)

-- 
xpoint


Re: New type of spam... (very curious)

Posted by Steve Freegard <st...@fsl.com>.
Kasper Sacharias Eenberg wrote:
> On Thu, 2009-07-02 at 08:20 +0100, richard@buzzhost.co.uk wrote:
>> On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
>>> On Thu, 2009-07-02 at 05:32 +0100, richard@buzzhost.co.uk wrote:
>>>> On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
>>>>> On 1-Jul-2009, at 06:47, richard@buzzhost.co.uk wrote:
>> So, to disable these rules and stop the Sorbs lookups from happening
>> just how do we do it ? If we should not alter the score here do we just
>> paste the above block into a file like custom_sorbs.cf and that will do
>> it or will the built in rule take precedence?
> 
> The /etc/mail/spamassassin ( or /etc/spamassassin in your case) is the
> custom dir. Just put them in there.
> 
> Anything you put into rules in /etc/mail/spamassassin will take
> precedence over rules made with sa-update or installed with
> Spamassassin.
> 
> So putting these in /etc/... will disable SORBS lookups altogether.
> 
> score RCVD_IN_SORBS_BLOCK 0
> score RCVD_IN_SORBS_DUL 0
> score RCVD_IN_SORBS_HTTP 0
> score RCVD_IN_SORBS_MISC 0
> score RCVD_IN_SORBS_SMTP 0
> score RCVD_IN_SORBS_SOCKS 0
> score RCVD_IN_SORBS_WEB 0
> score RCVD_IN_SORBS_ZOMBIE 0
> 
> Run 'man spamassassin' and read the 'CONFIGURATION FILES' chapter to get
> a full understanding.
> 

Actually, you could save yourself some typing:

score __RCVD_IN_SORBS 0
score RCVD_IN_SORBS_DUL 0

is all that is necessary to put into local.cf to disable the lookups for
SORBS.  This is because for multiple return lists like SORBS SA queries
the list once (using eval:check_rbl()) and then each test checks the
result and return code of the original (using eval:check_rbl_sub()), so
if you disable the parent query; you disable all the dependent tests.

If you do a "grep -Eh 'check_rbl\(' *" in your SpamAssassin updates
directory, you'll be able to see all of these parent lookups, then do a
"grep -Eh 'check_rbl_sub\(' *" to see the lookups based on these.

Cheers,
Steve.
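Steve's parent/child point and Kasper's precedence point, worked through as an added example that is neither SpamAssassin's code nor a tool from the thread: a small planner that reads a constructed 20_dnsbl_tests.cf-style excerpt plus the 50_scores.cf lines quoted above, applies a local.cf on top, and reports which SORBS queries would still be sent and which rules read each answer. Assumed: the set names and return codes in the excerpt are illustrative, and a parent check_rbl rule is sent whenever its own score is not zero.

```python
"""Plan which DNSBL queries a SpamAssassin rule set will send, given the score
overrides in local.cf.  Added example, not SpamAssassin code: it models the
parent/child layout Steve describes (a check_rbl rule issues the query for a
list, check_rbl_sub rules only read its answer) and the precedence Kasper
describes (a score line in a later-read .cf replaces the earlier one)."""
import re

# Constructed excerpt shaped like 20_dnsbl_tests.cf (assumption: the set
# names and return codes here are illustrative, read the installed file).
RULES_CF = """
header __RCVD_IN_SORBS      eval:check_rbl('sorbs', 'dnsbl.sorbs.net.')
header RCVD_IN_SORBS_HTTP   eval:check_rbl_sub('sorbs', '127.0.0.2')
header RCVD_IN_SORBS_SOCKS  eval:check_rbl_sub('sorbs', '127.0.0.3')
header RCVD_IN_SORBS_MISC   eval:check_rbl_sub('sorbs', '127.0.0.4')
header RCVD_IN_SORBS_SMTP   eval:check_rbl_sub('sorbs', '127.0.0.5')
header RCVD_IN_SORBS_WEB    eval:check_rbl_sub('sorbs', '127.0.0.7')
header RCVD_IN_SORBS_BLOCK  eval:check_rbl_sub('sorbs', '127.0.0.8')
header RCVD_IN_SORBS_ZOMBIE eval:check_rbl_sub('sorbs', '127.0.0.9')
header RCVD_IN_SORBS_DUL    eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.10')
"""

# Default scores as quoted from 50_scores.cf in the thread; with four values
# the last one is the set used when both network tests and Bayes are on.
DEFAULT_SCORES_CF = """
score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
"""

# Steve's two-line local.cf: zero the parent query and the separate DUL lookup.
STEVE_LOCAL_CF = "score __RCVD_IN_SORBS 0\nscore RCVD_IN_SORBS_DUL 0\n"

# Kasper's eight-line local.cf: zero every named SORBS test.
KASPER_LOCAL_CF = "\n".join("score RCVD_IN_SORBS_%s 0" % t for t in
                            ("BLOCK", "DUL", "HTTP", "MISC", "SMTP", "SOCKS", "WEB", "ZOMBIE"))

RULE_RE = re.compile(r"^header\s+(\S+)\s+eval:(check_rbl(?:_sub)?)\('([^']+)',\s*'([^']+)'")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")


def parse_rules(text):
    """name -> {func, set, arg}; arg is the zone for check_rbl, the return code for check_rbl_sub."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            name, func, rblset, arg = m.groups()
            rules[name] = {"func": func, "set": rblset, "arg": arg}
    return rules


def apply_scores(scores, text):
    """Every score line replaces the rule's previous value, so later files win."""
    for line in text.splitlines():
        m = SCORE_RE.match(line.strip())
        if m:
            scores[m.group(1)] = float(m.group(2).split()[-1])
    return scores


def planned_queries(rules, scores):
    """rbl set -> {zone, rules}: the queries that will go out and who reads each answer."""
    def active(name):
        if name.startswith("__"):   # subrules carry no score; assumption: only an explicit 0 disables them
            return scores.get(name) != 0.0
        return scores.get(name, 0.0) != 0.0
    queries = {}
    for name, r in rules.items():
        if r["func"] == "check_rbl" and active(name):
            queries[r["set"]] = {"zone": r["arg"], "rules": [] if name.startswith("__") else [name]}
    for name, r in rules.items():
        if r["func"] == "check_rbl_sub" and active(name) and r["set"] in queries:
            queries[r["set"]]["rules"].append(name)
    return queries


def scenario(local_cf):
    """Rule directory first, then local.cf: the read order SA uses."""
    scores = apply_scores({}, DEFAULT_SCORES_CF)
    apply_scores(scores, local_cf)
    return planned_queries(parse_rules(RULES_CF), scores)


if __name__ == "__main__":
    for label, cf in (("defaults", ""), ("Steve", STEVE_LOCAL_CF), ("Kasper", KASPER_LOCAL_CF)):
        print(label, scenario(cf))
```

Under this model Kasper's eight lines still leave the sorbs parent query planned with nothing reading its answer, which is the dependency Steve's score __RCVD_IN_SORBS 0 line targets; whether a given SA release skips such an orphaned parent is not something this planner can tell you.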

Re: New type of spam... (very curious)

Posted by Kasper Sacharias Eenberg <ks...@hovmark.dk>.
On Thu, 2009-07-02 at 08:20 +0100, richard@buzzhost.co.uk wrote:
> On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
> > On Thu, 2009-07-02 at 05:32 +0100, richard@buzzhost.co.uk wrote:
> > > On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> > > > On 1-Jul-2009, at 06:47, richard@buzzhost.co.uk wrote:
> > > > >
> > > > > But for the paranoid will changing 50_scores.cf from;
> > > > >
> > > > > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > > > > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > > > > score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
> > > > > score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
> > > > > score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> > > > > score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
> > > > > score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> > > > > score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
> > > > >
> > > > > TO
> > > > >
> > > > > score RCVD_IN_SORBS_BLOCK 0
> > > > > score RCVD_IN_SORBS_DUL 0
> > > > > score RCVD_IN_SORBS_HTTP 0
> > > > > score RCVD_IN_SORBS_MISC 0
> > > > > score RCVD_IN_SORBS_SMTP 0
> > > > > score RCVD_IN_SORBS_SOCKS 0
> > > > > score RCVD_IN_SORBS_WEB 0
> > > > > score RCVD_IN_SORBS_ZOMBIE 0
> > > > >
> > > > > Stop the 'cost' of the lookup?
> > > > 
> > > > DO NOT EDIT 50_scores.cf. Don't do it. No, not even if you're 100%  
> > > > positive you want to.
> > > Why?
> > > 
> > > Will it result in a nuclear war?
> > > 
> > And blood will flow from the elevators!
> NO WAY! Will there be any Al Bowlly music playing in the background?
> > 
> > It might get overwritten if updated. The safe bet is to put it in
> > local.cf. (Any .cf in /etc/mail/spamassassin will work afaik).
> On my box this is a symlink to /etc/spamassassin. It will read .cf fine,
> but it won't tolerate a subdirectory 'custom_rules' with .cf
> > 
> > Besides from a logical point of view it makes sense for me to have all
> > my rules in one file/dir, and leave the standard files alone so i can
> > blame other people when things go wrong :)
> > You know the saying "Code like the person who's gonna be maintaining the
> > code is a homicidal maniac"?
> Windows Vista?
> > It's the same for sysadmining.
> So, to disable these rules and stop the Sorbs lookups from happening
> just how do we do it ? If we should not alter the score here do we just
> paste the above block into a file like custom_sorbs.cf and that will do
> it or will the built in rule take precedence?
> > 
> 

The /etc/mail/spamassassin (or /etc/spamassassin in your case) is the
custom dir. Just put them in there.

Anything you put into rules in /etc/mail/spamassassin will take
precedence over rules made with sa-update or installed with
SpamAssassin.

So putting these in /etc/... will disable SORBS lookups altogether.

score RCVD_IN_SORBS_BLOCK 0
score RCVD_IN_SORBS_DUL 0
score RCVD_IN_SORBS_HTTP 0
score RCVD_IN_SORBS_MISC 0
score RCVD_IN_SORBS_SMTP 0
score RCVD_IN_SORBS_SOCKS 0
score RCVD_IN_SORBS_WEB 0
score RCVD_IN_SORBS_ZOMBIE 0

Run 'man spamassassin' and read the 'CONFIGURATION FILES' chapter to get
a full understanding.

With regards,
Kasper


Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Thu, 2009-07-02 at 08:28 +0200, Kasper Sacharias Eenberg wrote:
> On Thu, 2009-07-02 at 05:32 +0100, richard@buzzhost.co.uk wrote:
> > On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> > > On 1-Jul-2009, at 06:47, richard@buzzhost.co.uk wrote:
> > > >
> > > > But for the paranoid will changing 50_scores.cf from;
> > > >
> > > > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > > > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > > > score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
> > > > score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
> > > > score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> > > > score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
> > > > score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> > > > score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
> > > >
> > > > TO
> > > >
> > > > score RCVD_IN_SORBS_BLOCK 0
> > > > score RCVD_IN_SORBS_DUL 0
> > > > score RCVD_IN_SORBS_HTTP 0
> > > > score RCVD_IN_SORBS_MISC 0
> > > > score RCVD_IN_SORBS_SMTP 0
> > > > score RCVD_IN_SORBS_SOCKS 0
> > > > score RCVD_IN_SORBS_WEB 0
> > > > score RCVD_IN_SORBS_ZOMBIE 0
> > > >
> > > > Stop the 'cost' of the lookup?
> > > 
> > > DO NOT EDIT 50_scores.cf. Don't do it. No, not even if you're 100%  
> > > positive you want to.
> > Why?
> > 
> > Will it result in a nuclear war?
> > 
> And blood will flow from the elevators!
NO WAY! Will there be any Al Bowlly music playing in the background?
> 
> It might get overwritten if updated. The safe bet is to put it in
> local.cf. (Any .cf in /etc/mail/spamassassin will work afaik).
On my box this is a symlink to /etc/spamassassin. It will read .cf fine,
but it won't tolerate a subdirectory 'custom_rules' with .cf
> 
> Besides from a logical point of view it makes sense for me to have all
> my rules in one file/dir, and leave the standard files alone so i can
> blame other people when things go wrong :)
> You know the saying "Code like the person who's gonna be maintaining the
> code is a homicidal maniac"?
Windows Vista?
> It's the same for sysadmining.
So, to disable these rules and stop the Sorbs lookups from happening
just how do we do it ? If we should not alter the score here do we just
paste the above block into a file like custom_sorbs.cf and that will do
it or will the built in rule take precedence?
> 



Re: New type of spam... (very curious)

Posted by Kasper Sacharias Eenberg <ks...@hovmark.dk>.
On Thu, 2009-07-02 at 05:32 +0100, richard@buzzhost.co.uk wrote:
> On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> > On 1-Jul-2009, at 06:47, richard@buzzhost.co.uk wrote:
> > >
> > > But for the paranoid will changing 50_scores.cf from;
> > >
> > > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > > score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
> > > score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
> > > score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> > > score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
> > > score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> > > score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
> > >
> > > TO
> > >
> > > score RCVD_IN_SORBS_BLOCK 0
> > > score RCVD_IN_SORBS_DUL 0
> > > score RCVD_IN_SORBS_HTTP 0
> > > score RCVD_IN_SORBS_MISC 0
> > > score RCVD_IN_SORBS_SMTP 0
> > > score RCVD_IN_SORBS_SOCKS 0
> > > score RCVD_IN_SORBS_WEB 0
> > > score RCVD_IN_SORBS_ZOMBIE 0
> > >
> > > Stop the 'cost' of the lookup?
> > 
> > DO NOT EDIT 50_scores.cf. Don't do it. No, not even if you're 100%  
> > positive you want to.
> Why?
> 
> Will it result in a nuclear war?
> 
And blood will flow from the elevators!

It might get overwritten if updated. The safe bet is to put it in
local.cf. (Any .cf in /etc/mail/spamassassin will work afaik).

Besides from a logical point of view it makes sense for me to have all
my rules in one file/dir, and leave the standard files alone so i can
blame other people when things go wrong :)

You know the saying "Code like the person who's gonna be maintaining the
code is a homicidal maniac"?
It's the same for sysadmining.

With regards,
Kasper


Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 16:13 -0600, LuKreme wrote:
> On 1-Jul-2009, at 06:47, richard@buzzhost.co.uk wrote:
> >
> > But for the paranoid will changing 50_scores.cf from;
> >
> > score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> > score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> > score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
> > score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
> > score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> > score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
> > score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> > score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
> >
> > TO
> >
> > score RCVD_IN_SORBS_BLOCK 0
> > score RCVD_IN_SORBS_DUL 0
> > score RCVD_IN_SORBS_HTTP 0
> > score RCVD_IN_SORBS_MISC 0
> > score RCVD_IN_SORBS_SMTP 0
> > score RCVD_IN_SORBS_SOCKS 0
> > score RCVD_IN_SORBS_WEB 0
> > score RCVD_IN_SORBS_ZOMBIE 0
> >
> > Stop the 'cost' of the lookup?
> 
> DO NOT EDIT 50_scores.cf. Don't do it. No, not even if you're 100%  
> positive you want to.
Why?

Will it result in a nuclear war?


Re: New type of spam... (very curious)

Posted by LuKreme <kr...@kreme.com>.
On 1-Jul-2009, at 06:47, richard@buzzhost.co.uk wrote:
>
> But for the paranoid will changing 50_scores.cf from;
>
> score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
> score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
> score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
> score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
> score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
> score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
> score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
> score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3
>
> TO
>
> score RCVD_IN_SORBS_BLOCK 0
> score RCVD_IN_SORBS_DUL 0
> score RCVD_IN_SORBS_HTTP 0
> score RCVD_IN_SORBS_MISC 0
> score RCVD_IN_SORBS_SMTP 0
> score RCVD_IN_SORBS_SOCKS 0
> score RCVD_IN_SORBS_WEB 0
> score RCVD_IN_SORBS_ZOMBIE 0
>
> Stop the 'cost' of the lookup?

DO NOT EDIT 50_scores.cf. Don't do it. No, not even if you're 100%  
positive you want to.

If you want to change the scores, put them in local.cf, where all  
other config changes go. Or, put them in some other .cf file in the  
same folder as local.cf.  Maybe sorbs0.cf would be a good name.

DO NOT edit the default files of SA. Ever.

-- 
The early bird gets the worm, but the second mouse gets the cheese.


Re: [sa] Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 14:21 +0200, Matus UHLAR - fantomas wrote:
> > On Wed, 1 Jul 2009, richard@buzzhost.co.uk wrote:
> >> Jul  1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
> >> Oh, and look: dnsbl.sorbs.net
> >> So it seems that the demise of sorbs will add latency if their servers
> >> stop answering...
> 
> On 01.07.09 08:08, Charles Gregory wrote:
> > ...which leads back to my original question,
> > Will the developers issue an sa-update to remove the sorbs test
> > if sorbs is not kept alive?
> 
> I think the answer is YES since they did that for other obsolete network
> lists...

But for the paranoid will changing 50_scores.cf from;

score RCVD_IN_SORBS_BLOCK 0 # n=1 n=2 n=3
score RCVD_IN_SORBS_DUL 0 1.615 0 0.877 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 0.001 0 0.353 # n=0 n=2
score RCVD_IN_SORBS_SMTP 0 # n=0 n=1 n=2 n=3
score RCVD_IN_SORBS_SOCKS 0 0.182 0 0.801 # n=0 n=2
score RCVD_IN_SORBS_WEB 0 1.117 0 0.619 # n=0 n=2
score RCVD_IN_SORBS_ZOMBIE 0 # n=0 n=1 n=2 n=3

TO

score RCVD_IN_SORBS_BLOCK 0
score RCVD_IN_SORBS_DUL 0
score RCVD_IN_SORBS_HTTP 0
score RCVD_IN_SORBS_MISC 0
score RCVD_IN_SORBS_SMTP 0
score RCVD_IN_SORBS_SOCKS 0
score RCVD_IN_SORBS_WEB 0
score RCVD_IN_SORBS_ZOMBIE 0

Stop the 'cost' of the lookup?


Re: [sa] Re: New type of spam... (very curious)

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Wed, 1 Jul 2009, richard@buzzhost.co.uk wrote:
>> Jul  1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
>> Oh, and look: dnsbl.sorbs.net
>> So it seems that the demise of sorbs will add latency if their servers
>> stop answering...

On 01.07.09 08:08, Charles Gregory wrote:
> ...which leads back to my original question,
> Will the developers issue an sa-update to remove the sorbs test
> if sorbs is not kept alive?

I think the answer is YES since they did that for other obsolete network
lists...
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet. 

Re: [sa] Re: New type of spam... (very curious)

Posted by Charles Gregory <cg...@hwcn.org>.
On Wed, 1 Jul 2009, richard@buzzhost.co.uk wrote:
> Jul  1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
> Oh, and look: dnsbl.sorbs.net
> So it seems that the demise of sorbs will add latency if their servers
> stop answering...

...which leads back to my original question,
Will the developers issue an sa-update to remove the sorbs test
if sorbs is not kept alive?

-C

Re: New type of spam... (very curious)

Posted by Per Jessen <pe...@computer.org>.
richard@buzzhost.co.uk wrote:

> On Wed, 2009-07-01 at 11:11 +0200, Per Jessen wrote:
>> richard@buzzhost.co.uk wrote:
>> 
>> > I'm guessing there is some way to modify the network checks so it
>> > does not use specific RBLs. I've not studied closely, but I think
>> > today I need to become acquainted with it.
>> 
>> Adjust their scores to 0, that should do it.
>> 
>> 
>> /Per Jessen, Zürich
>> 
> But will that *stop* the lookup in the first place?

Yes, rules with score 0 are not considered at all.  


/Per Jessen, Zürich


Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 11:11 +0200, Per Jessen wrote:
> richard@buzzhost.co.uk wrote:
> 
> > On Wed, 2009-07-01 at 08:58 +0200, Yet Another Ninja wrote:
> >> On 7/1/2009 8:50 AM, richard@buzzhost.co.uk wrote:
> >> > Oh, and look: dnsbl.sorbs.net
> >> > 
> >> > So it seems that the demise of sorbs will add latency if their
> >> > servers stop answering...
> >> 
> >> 
> >> See "Update: 25th June 2009 "
> >> 
> >> http://www.au.sorbs.net/
> > 
> > Still looks ominous to me. If you consider 'outage' = 'latency'.
> > 
> > I'm guessing there is some way to modify the network checks so it does
> > not use specific RBLs. I've not studied closely, but I think today I
> > need to become acquainted with it.
> 
> Adjust their scores to 0, that should do it.
> 
> 
> /Per Jessen, Zürich
> 
But will that *stop* the lookup in the first place?


Re: New type of spam... (very curious)

Posted by Per Jessen <pe...@computer.org>.
richard@buzzhost.co.uk wrote:

> On Wed, 2009-07-01 at 08:58 +0200, Yet Another Ninja wrote:
>> On 7/1/2009 8:50 AM, richard@buzzhost.co.uk wrote:
>> > Oh, and look: dnsbl.sorbs.net
>> > 
>> > So it seems that the demise of sorbs will add latency if their
>> > servers stop answering...
>> 
>> 
>> See "Update: 25th June 2009 "
>> 
>> http://www.au.sorbs.net/
> 
> Still looks ominous to me. If you consider 'outage' = 'latency'.
> 
> I'm guessing there is some way to modify the network checks so it does
> not use specific RBLs. I've not studied closely, but I think today I
> need to become acquainted with it.

Adjust their scores to 0, that should do it.


/Per Jessen, Zürich


Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 08:58 +0200, Yet Another Ninja wrote:
> On 7/1/2009 8:50 AM, richard@buzzhost.co.uk wrote:
> > Oh, and look: dnsbl.sorbs.net
> > 
> > So it seems that the demise of sorbs will add latency if their servers
> > stop answering...
> 
> 
> See "Update: 25th June 2009 "
> 
> http://www.au.sorbs.net/

Still looks ominous to me. If you consider 'outage' = 'latency'.

I'm guessing there is some way to modify the network checks so it does
not use specific RBLs. I've not studied closely, but I think today I
need to become acquainted with it.


Re: New type of spam... (very curious)

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 7/1/2009 8:50 AM, richard@buzzhost.co.uk wrote:
> Oh, and look: dnsbl.sorbs.net
> 
> So it seems that the demise of sorbs will add latency if their servers
> stop answering...


See "Update: 25th June 2009 "

http://www.au.sorbs.net/

Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 08:26 +0200, Benny Pedersen wrote:
> On Wed, July 1, 2009 07:44, richard@buzzhost.co.uk wrote:
> > In particular
> > # Enable or disable network checks
> > skip_rbl_checks         0
> > 0 = off 1 = on
> 
> wroung
> 
> 0 = use rbl
> 1 = skip rbl test
> 
Indeed I was "WROUNG";

Tests show it is the other way round. Mmm. That's assumptions for you. For
years the binary zero has meant 'off' to me. Now SA have 'NOT'd' it to
mean 'ON', LOL.

With it at zero and checking the DNS server logs it does all this...

Jul  1 07:38:46 munged #14781: query: 1.2.3.4plus.bondedsender.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.combined.njabl.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.bl.spamcop.net IN TXT +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.zen.spamhaus.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.dnsbl.sorbs.net IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.sa-accredit.habeas.com IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.list.dnswl.org IN A +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.sa-trusted.bondedsender.org IN TXT +
Jul  1 07:38:46 munged #14781: query: 1.2.3.4.iadb.isipp.com IN A +
Jul  1 07:38:46 munged #14781: query: munged.co.uk IN SPF +
Jul  1 07:38:47 munged #14781: query: munged.co.uk IN TXT +

I'm going to need to disable some of these lists as the MTA has already
blocked stuff on them. Kind of pointless making repeat lookups for stuff
already tested. Thanks for pointing that out Benny.

Oh, and look: dnsbl.sorbs.net

So it seems that the demise of sorbs will add latency if their servers
stop answering...


Re: New type of spam... (very curious)

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Am 2009-07-01 08:26:09, schrieb Benny Pedersen:
> 
> On Wed, July 1, 2009 07:44, richard@buzzhost.co.uk wrote:
> > In particular
> > # Enable or disable network checks
> > skip_rbl_checks         0
> > 0 = off 1 = on
> 
> wroung
> 
> 0 = use rbl
> 1 = skip rbl test

Both are right...

because the name of the option is "skip_rbl_checks" and 0 is off.

So if I set "skip_rbl_checks 0" the skipping is set to off, which means
SA does the checks.

Yeah, sometimes negated options are confusing.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   c/o Shared Office KabelBW  ICQ #328449886
+49/177/9351947    Blumenstasse 2             MSN LinuxMichi
+33/6/61925193     77694 Kehl/Germany         IRC #Debian (irc.icq.com)

Re: New type of spam... (very curious)

Posted by Benny Pedersen <me...@junc.org>.
On Wed, July 1, 2009 07:44, richard@buzzhost.co.uk wrote:
> In particular
> # Enable or disable network checks
> skip_rbl_checks         0
> 0 = off 1 = on

wroung

0 = use rbl
1 = skip rbl test

-- 
xpoint


Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Wed, 2009-07-01 at 01:15 +0200, Michelle Konzack wrote:
> Am 2009-06-30 14:08:33, schrieb John Hardin:
> > If zen worked to catch the message in procmail, how does it not work on  
> > your MTA? Or did we misinterpret your original post?
> 
> In Debian, the network related scans are activated and I  do  not  know,
> why ZEN is never executed.  If you know more  about  the  "Debian Lenny"
> version of spamassassin, maybe you can point me into the right direction
> where to search.
> 
> Note:  On my "Debian Etch" installation it is working
> 
> Thanks, Greetings and nice Day/Evening
>     Michelle Konzack
>     Systemadministrator
>     Tamay Dogan Network
>     Debian GNU/Linux Consultant
> 
First of all, I don't use ZEN in SA. My personal feeling is I want to
get rid of spam at the earliest possible stage. I block anything on
these lists at the MTA level:

        zen.spamhaus.org
        dnsbl.sorbs.net
        b.barracudacentral.org

There are differing political views about this, but it is the method
found in the top selling anti-spam appliance, so I'm happy to use
it. How you would implement this depends on the MTA.

Moving specifically to SpamAssassin on Debian. Look at the contents of
these (adjusting the path where necessary);

/etc/spamassassin/init.pre 
(just to make sure there is nothing killing the network tests in here)


And then check the basic config file;
/etc/spamassassin/local.cf

In particular
# Enable or disable network checks
skip_rbl_checks         0

0 = off 1 = on

My understanding is even if you get an RBL hit it's only going to up the
score of the mail. So you are, essentially, scanning spam if you do it
this way. However, some people like the safety blanket of scanning
hundreds of thousands of spam messages in case there may one day be a
false positive :-)

If this does not throw light onto your problem Michelle, I would do a
couple of very basic sanity checks on your DNS system *from* the box
running SA. Randomly from my logs I've picked an IP address blocked by
ZEN in the last hour (for testing), e.g.

Jul  1 06:23:25 Rejected; blocked by zen.spamhaus.org 84.108.206.164

So from a command prompt (assuming you have dig installed) look for an
ANSWER section in the reply to this query:

dig 164.206.108.84.zen.spamhaus.org

e.g.:
;; ANSWER SECTION:
164.206.108.84.zen.spamhaus.org. 472 IN	A	127.0.0.10
164.206.108.84.zen.spamhaus.org. 472 IN	A	127.0.0.4

Means you have a sane reply and the IP is blacklisted, but of equal
importance is the time it takes to serve the request:

;; Query time: 3 msec
Anything much over a couple of hundred msecs would not be ideal; into
the thousands (1000+) and you have a problem.

If you don't get any result to this, or the result is hideously slow,
then you need to fix the DNS issue. This is not uncommon and usually
centres around firewall policy.

If it fails, btw, this is also worth a try;

dig @4.2.2.2 164.206.108.84.zen.spamhaus.org
dig @4.2.2.3 164.206.108.84.zen.spamhaus.org

and see if the issue is local DNS.

(AFAIR dig is part of dnsutils if it is not already on the box, but
check that: apt-get install dnsutils)
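
The dig procedure above, as an added Python example that is not part of the original post: it builds the reversed-octet query name, times the lookup, and decodes Spamhaus ZEN's 127.0.0.x answers. The code table is the one Spamhaus publishes for ZEN; the latency thresholds follow the rule of thumb above; the resolver is injectable so the offline run below uses a constructed answer set instead of live DNS. It also recognises the 127.255.255.x answers Spamhaus returns today when a query is refused (for example because it arrived through a public resolver), which is why the @4.2.2.2 fallback suggested above no longer tells you what you want.

```python
"""DNSBL sanity check: reverse the octets, query the zone, time the answer
and decode the return codes.  Added example, not part of the thread; the
ZEN_CODES table follows Spamhaus's published return-code map, thresholds
and the fake resolver used offline are assumptions."""
import ipaddress
import socket
import time

# Spamhaus ZEN answer codes -> component list (per Spamhaus documentation).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# 127.255.255.x is not a listing: the zone is refusing the query (public
# resolver, query limit exceeded, malformed name).  Treating it as a hit
# would reject every message; ignoring it would hide a broken setup.
ERROR_PREFIX = "127.255.255."


def dnsbl_name(ip, zone):
    """84.108.206.164 + zen.spamhaus.org -> 164.206.108.84.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage from a forged header
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def classify(answers, codes=ZEN_CODES):
    """Map A-record answers to list names; unknown codes stay visible."""
    return sorted({codes.get(a, "unknown:" + a) for a in answers})


def system_resolver(name):
    """Live lookup through the OS resolver; [] means NXDOMAIN (not listed)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check(ip, zone="zen.spamhaus.org", resolver=system_resolver,
          slow_ms=200, broken_ms=1000):
    """One lookup, returned as the verdict a monitoring check would want."""
    name = dnsbl_name(ip, zone)
    t0 = time.monotonic()
    answers = resolver(name)
    ms = round((time.monotonic() - t0) * 1000, 1)
    errors = [a for a in answers if a.startswith(ERROR_PREFIX)]
    hits = [a for a in answers if not a.startswith(ERROR_PREFIX)]
    # Buckets follow the thread's rule of thumb: a few hundred ms is not
    # ideal, over a second means every message stalls on this lookup.
    health = "ok" if ms < slow_ms else "slow" if ms < broken_ms else "broken"
    return {
        "query": name,
        "listed": bool(hits),
        "lists": classify(hits),
        "error": errors[0] if errors else None,
        "ms": ms,
        "health": health,
    }


if __name__ == "__main__":
    # Live query of the IP from the log line above; only meaningful from a
    # resolver Spamhaus accepts (i.e. your own recursive resolver).
    print(check("84.108.206.164"))
```

Run it from the box that runs SpamAssassin, as the post says, since the question is what that host's resolver sees. A result with "error" set and "listed" false means your resolver path, not the IP, is the problem.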

Re: New type of spam... (very curious)

Posted by RW <rw...@googlemail.com>.
On Wed, 1 Jul 2009 01:15:56 +0200
Michelle Konzack <li...@tamay-dogan.net> wrote:

> Am 2009-06-30 14:08:33, schrieb John Hardin:
> > If zen worked to catch the message in procmail, how does it not
> > work on your MTA? Or did we misinterpret your original post?
> 
> In Debian, the network related scans are activated and I  do  not
> know, why ZEN is never executed.  

If you mean in Spamassassin, the Zen rules rarely do anything because
they're normally used at the SMTP level, so you just end up with a few
hits on SBL from the untrusted headers (and some XBL hits on
desktop/SOHO installations where there's a retrieval delay).

In the quoted email, the procmail hit on PBL shouldn't have happened;
you penalized the use of a smarthost. It was coincidental that it
happened on a spam. Spamassassin handled it properly.
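
RW's point, as an added Python example (not code from the thread or from SpamAssassin): parse the two Received headers of the quoted spam, find the hop that actually connected to vserver1.tamay-dogan.net, and mark the authenticated (ESMTPA) hop behind delta4.net as a user handing mail to a smarthost. The policy it applies, PBL only on the last external hop, is the one SpamAssassin's own zen-lastexternal rule set follows; the set of "our hosts" is assumed from the headers, and which of the two IPs procmail actually matched is not stated in the thread.

```python
"""Walk a Received chain and decide which hop a PBL check may apply to.
Added example, not code from the thread or from SpamAssassin.  The two
headers are copied from the spam quoted in this thread; 'our hosts' is
assumed from the 'by' clause of the first one."""
import re

RECEIVED_HEADERS = (
    "Received: from delta4.net ([::ffff:69.43.203.202])\n"
    "\tby vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200\n"
    "\tid 00002765.4A48FAF1.0000587B\n"
    "Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)\n"
    "\tby delta4.net (CommuniGate Pro SMTP 5.2.3)\n"
    "\twith ESMTPA id 18578669 for linux4michelle@tamay-dogan.net; Mon, 29 Jun 2009 10:33:51 -0700\n"
)

FROM_RE = re.compile(r"^received:\s*from\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})\]", re.I)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
# RFC 3848 keywords ending in A (ESMTPA, ESMTPSA, LMTPA, ...) mean SMTP AUTH.
AUTH_RE = re.compile(r"(?:UTF8)?(?:ES|L)MTPS?A", re.I)


def unfold(raw):
    """Join folded continuation lines (leading space or tab) onto the header."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def parse_received(raw):
    """Received headers top-down: hop 0 is the one our own MX wrote."""
    hops = []
    for line in unfold(raw).splitlines():
        if not line.lower().startswith("received:"):
            continue
        frm, ip, by, proto = (r.search(line) for r in (FROM_RE, IP_RE, BY_RE, WITH_RE))
        hops.append({
            "from": frm.group(1).strip("[]").lower() if frm else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None,
            "proto": proto.group(1).upper() if proto else None,
            "authenticated": bool(proto and AUTH_RE.fullmatch(proto.group(1))),
        })
    return hops


def assess(hops, our_hosts):
    """The last external hop is the first one received by a host of ours from
    a host that is not ours: that IP chose to talk to us and is the only one
    PBL says anything about.  Deeper hops behind an authenticated submission
    are a mail client handing mail to a smarthost, exactly what PBL lists."""
    ours = {h.lower() for h in our_hosts}
    found = False
    out = []
    for hop in hops:
        last_external = not found and hop["by"] in ours and hop["from"] not in ours
        found = found or last_external
        if last_external:
            why = "connecting relay: SBL, XBL and PBL all apply"
        elif hop["authenticated"]:
            why = "authenticated submission to a smarthost: a PBL hit here is expected, not a spam signal"
        else:
            why = "inner relay: SBL/XBL only"
        out.append({**hop, "pbl_target": last_external, "why": why})
    return out


def pbl_targets(raw, our_hosts):
    """IPs from the chain that a PBL lookup is allowed to judge."""
    return [h["ip"] for h in assess(parse_received(raw), our_hosts) if h["pbl_target"]]


if __name__ == "__main__":
    for hop in assess(parse_received(RECEIVED_HEADERS), {"vserver1.tamay-dogan.net"}):
        print(hop["ip"], hop["proto"], "->", hop["why"])
```

A procmail recipe that runs every Received IP through zen.spamhaus.org will match PBL on the inner 174.146.118.224 hop whenever someone mails you through an authenticated smarthost; restricting PBL to the pbl_targets() result keeps the check for the relay that actually connected.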

Re: New type of spam... (very curious)

Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Jul 2009, Michelle Konzack wrote:

> Am 2009-06-30 14:08:33, schrieb John Hardin:
>> If zen worked to catch the message in procmail, how does it not work on
>> your MTA? Or did we misinterpret your original post?
>
> In Debian, the network related scans are activated and I  do  not  know,
> why ZEN is never executed.  If you know more  about  the  "Debian Lenny"
> version of spamassassin, maybe you can point me into the right direction
> where to search.

I was speaking of using zen as an MTA-level hard reject in your MTA, not in 
SpamAssassin running on the same box as your MTA. That's what we're 
suggesting. Do you have the ability to add it as an MTA-level DNSBL?

I don't know why zen wouldn't be working in SA. Network tests disabled, 
perhaps? Do other DNSBLs or URIBLs work there? Perhaps run SpamAssassin in 
debugging mode and see if it complains about something like Net::DNS being 
missing.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Democrats '61: Ask not what your country can do for you,
    ask what you can do for your country.
   Democrats '07: Ask not what your country can do for you,
    demand it!
-----------------------------------------------------------------------
  4 days until the 233rd anniversary of the Declaration of Independence

Re: New type of spam... (very curious)

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Am 2009-06-30 14:08:33, schrieb John Hardin:
> If zen worked to catch the message in procmail, how does it not work on  
> your MTA? Or did we misinterpret your original post?

In Debian, the network related scans are activated and I  do  not  know,
why ZEN is never executed.  If you know more  about  the  "Debian Lenny"
version of spamassassin, maybe you can point me into the right direction
where to search.

Note:  On my "Debian Etch" installation it is working

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
<http://www.tamay-dogan.net/>                 Michelle Konzack
<http://www.can4linux.org/>                   c/o Vertriebsp. KabelBW
<http://www.flexray4linux.org/>               Blumenstrasse 2
Jabber linux4michelle@jabber.ccc.de           77694 Kehl/Germany
IRC #Debian (irc.icq.com)                     Tel. DE: +49 177 9351947
ICQ #328449886                                Tel. FR: +33  6  61925193

Re: New type of spam... (very curious)

Posted by John Hardin <jh...@impsec.org>.
On Tue, 30 Jun 2009, Michelle Konzack wrote:

> Am 2009-06-30 07:06:37, schrieb richard@buzzhost.co.uk:
>> Are you saying that ZEN caught it after SA processed it? Why are you 
>> not using ZEN in SA or at the SMTP stage?
>
> Because it does not work...
> My Mailserver does tons (the syslog of my DNS server is full of it)  of
> DNS checks but ZEN does not work...

If zen worked to catch the message in procmail, how does it not work on 
your MTA? Or did we misinterpret your original post?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Any time law enforcement becomes a revenue center, the system
   becomes corrupt.
-----------------------------------------------------------------------
  4 days until the 233rd anniversary of the Declaration of Independence

Re: New type of spam... (very curious)

Posted by Michelle Konzack <li...@tamay-dogan.net>.
Am 2009-06-30 07:06:37, schrieb richard@buzzhost.co.uk:
> Are you saying that ZEN caught it after SA processed it? Why are you not
> using ZEN in SA or at the SMTP stage?

Because it does not work...
My Mailserver does tons (the syslog of my DNS server is full of it)  of
DNS checks but ZEN does not work...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    Tamay Dogan Network
    Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
<http://www.tamay-dogan.net/>                 Michelle Konzack
<http://www.can4linux.org/>                   c/o Vertriebsp. KabelBW
<http://www.flexray4linux.org/>               Blumenstrasse 2
Jabber linux4michelle@jabber.ccc.de           77694 Kehl/Germany
IRC #Debian (irc.icq.com)                     Tel. DE: +49 177 9351947
ICQ #328449886                                Tel. FR: +33  6  61925193

Re: New type of spam... (very curious)

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Tue, 2009-06-30 at 00:46 +0200, Michelle Konzack wrote:
> For some seconds I have gotten this spam, which has passed my spamassassin
> but was hit by a separate ZEN rule in procmail:
> 
> 
> Return-Path: soria.h.stevenson@gmail.com
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on
> 	samba3.private.tamay-dogan.net
> X-Spam-Level: *
> X-Spam-Status: No, score=1.3 required=4.5 tests=BAYES_00,HTML_MESSAGE,
> 	RDNS_NONE,SUBJECT_FUZZY_MEDS autolearn=no version=3.2.3
> Delivered-To: linux4michelle@tamay-dogan.net
> Received: from delta4.net ([::ffff:69.43.203.202])
> 	by vserver1.tamay-dogan.net with esmtp; Mon, 29 Jun 2009 19:33:36 +0200
> 	id 00002765.4A48FAF1.0000587B
> Received: from [174.146.118.224] (account d4henrynazar0202 HELO Gsurface-PC)
> 	by delta4.net (CommuniGate Pro SMTP 5.2.3)
> 	with ESMTPA id 18578669 for linux4michelle@tamay-dogan.net; Mon, 29 Jun 2009 10:33:51 -0700
> Mime-Version: 1.0
> Content-Type: multipart/alternative; boundary="=_vserver1-22651-1246296817-0001-2"
> Date: Mon, 29 Jun 2009 13:33:43 -0400
> Message-ID: <CH...@Gsurface-PC>
> X-Mailer: Chilkat Software Inc (http://www.chilkatsoft.com)
> X-Priority: 3 (Normal)
> Subject: RE: [SA Rule] meds, pill and shop spams
> Reply-To: soria.h.stevenson@gmail.com
> Old-Return-Path: soria.h.stevenson@gmail.com
> From: Soriah Stevenson <so...@gmail.com>
> To: Michelle Konzack <li...@tamay-dogan.net>
> X-TDMailSerialnumber: 9189409
> X-TDMailCount: true
> X-TDTools-Procmail: FILTER=FLT_spamhaus, WLIST=PRI_linux.FLT_spamhaus
> 
> Hi Michelle Konzack,
> 
> This email is a response to the apartment that is for rent.  I am sorry it took so long to respond, your email was sent to the spam folder.  In order to schedule showings, I am asking all tenants for their latest credit score and income.  If you don't have your credit score at the moment, you can check it online using the link below.
> 
> http://www.icredit-scores.com/
> 
> Please email me this information at your earliest convenience.  Thanks.
> 
> From: linux4michelle@tamay-dogan.net Sent: 6/29/2009 12:31:48 PM Subject: 
> [SA Rule] meds, pill and shop spams Hello,
> 
> because I am currently hit by several 10.000 new  types  of  spam  using
> domains like www.(meds|pill|shop)XX.(net|com|org) I suggest you  to  put
> the following in your spamassassin config:
> 
> ----[ '~/.spamassassin/user_prefs' ]------------------------------------
> body            AE_MEDS35       /\(\s?w{2,4}\s(?:meds|pill|shop)\d{1,4}\s(?:net|com|org)\s?\)/
> describe        AE_MEDS35       obfuscated domain seen in spam
> score           AE_MEDS35       3.00
> ------------------------------------------------------------------------
> 
> Works perfectly and has today caught over 63.000 spams on my server.
> 
> Thanks, Greetings and nice Day/Evening
>    Michelle Konzack
>    Systemadministrator
>    25.9V Electronic Engineer
>    Tamay Dogan Network
>    Debian GNU/Linux Consultant
> 
> -- 
> Linux-User #280138 with the Linux Counter, http://counter.li.org/
> ##################### Debian GNU/Linux Consultant #####################
> <http://www.tamay-dogan.net/>                 Michelle Konzack
> <http://www.can4linux.org/>                   c/o Vertriebsp. KabelBW
> <http://www.flexray4linux.org/>               Blumenstrasse 2
> Jabber linux4michelle@jabber.ccc.de           77694 Kehl/Germany
> IRC #Debian (irc.icq.com)                     Tel. DE: +49 177 9351947
> ICQ #328449886                                Tel. FR: +33  6  61925193
> 
> 
Are you saying that ZEN caught it after SA processed it? Why are you not
using ZEN in SA or at the SMTP stage?