Posted to users@spamassassin.apache.org by uk1host <Da...@Damb-Tech.co.uk> on 2008/03/07 13:09:29 UTC

Domain Name SPAM

I am getting a lot of spam from domains which are:

Name.de
Name.ch

And a lot for different tablets.

Is there any way this can be filtered? I am new to this as my server was set up
for me and it is running SmarterMail. We want to get some of the spam down
before we place a large number of customers onto the service.

cheers

-- 
View this message in context: http://www.nabble.com/Domain-Name-SPAM-tp15891193p15891193.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Domain Name SPAM

Posted by Martin Gregorie <ma...@gregorie.org>.
On Sat, 2008-03-08 at 16:14, Rob McEwen wrote:
>
> It looks to me like you have some kind of DNS malfunction...or 
> SmarterMail malfunction.
> 
If you think this may be the case, try using Ethereal/Wireshark while
you run a piece of known spam through a freshly started copy of SA. This
will give a positive indication of whether it is querying the blacklists
etc. If you're running a DNS or name caching server restart that too so
its caches are empty before you run the test. 

Martin



Re: Domain Name SPAM

Posted by Rob McEwen <ro...@invaluement.com>.
Dave,

I don't think that you can score Zen too high. I'd bump Zen up to the 
highest score and see what happens. If a legit e-mail were to get 
blocked by Zen, you'd be able to tell your mail hosting client that the 
sender is listed on such a world-famous and reliable blacklist that this 
incoming message would also have been blocked by 95+% of all spam 
filters in the world.

I'd also bump up the score for SpamCop... perhaps also to the maximum.

(BTW - Because I do so much research, and run a DNSBL, I don't 
personally score any list that high... but my situation is vastly 
different... which is why I don't use my own advice here.)

Also, you mentioned a concern about how this would affect your own users...

I don't see how blocking more spam via increased points for SpamCop and 
Zen could possibly affect your users' ability to use your services.

Of course, be sure that...

(1) these DNSBLs should ONLY be testing against the sending IP of each 
incoming message... NOT every IP found in the header. As long as you are 
checking against the Sender's IP, then you should be OK.

(2) You should also NOT be checking the sending IPs of 
SMTP-authenticated e-mail... that being e-mail sent by your own users.

Follow those two guidelines and you should be OK.

If you move SpamCop and Zen to the max scores, but STILL see spam listed 
on Zen and SpamCop, then you'll at least know that you have some sort of 
malfunction (perhaps DNS related?) that pushing a button or lever on 
your Spam Filter's control panel alone probably won't fix.

If that is the case, you should probably seek help from one of the 
following: Your hosting provider (if not you), the company that makes 
SmarterMail, or some kind of discussion forum specifically about 
SmarterMail.

It looks to me like you have some kind of DNS malfunction...or 
SmarterMail malfunction.

Rob McEwen
rob@invaluement.com


Re: Domain Name SPAM

Posted by Rob McEwen <ro...@invaluement.com>.
John Hardin wrote:
> I wouldn't recommend doing that for *all* the RBLS, just Zen, and if
> you're going to make Zen a poison pill, then just put it into the MTA's
> DNSBL list and spare SA the load.
>   
John,

Good suggestion... except that I don't think that Dave is using SA. He 
said he uses SmarterMail. If I'm correct, then this whole thread would 
have been more appropriate for SPAM-L and really didn't belong on the SA 
list in the first place... though parts of this discussion would be 
helpful to SA users. (I think that SmarterMail is both the MTA and the 
spam filter all together in one package).

Rob McEwen


Re: Domain Name SPAM

Posted by John Hardin <jh...@impsec.org>.
On Sat, 2008-03-08 at 09:22 -0800, uk1host wrote:
> 
> uk1host wrote:
> > 
> > 
> > I have moved the weight of the RBLs including Spamcop and Zen to 30.
> > 
> > Hopefully this will cut it back although at the moment I am still getting
> > mail through.

I wouldn't recommend doing that for *all* the RBLS, just Zen, and if
you're going to make Zen a poison pill, then just put it into the MTA's
DNSBL list and spare SA the load.


> > ----------------------------------------------
> > MAIL 1
> > Return-Path: <sw...@info.gamanetwork.com>
> > Received: from 254.Red-88-12-175.dynamicIP.rima-tde.net [88.12.175.254] by
> > mail.uk1host.co.uk with SMTP;

{mass snippage}

PLEASE prune your replies to the relevant text. Thanks.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part.                 -- David W. Barts in a.s.r
-----------------------------------------------------------------------
 Tomorrow: Daylight Saving Time begins in U.S. - Spring Forward


Re: Domain Name SPAM

Posted by uk1host <Da...@Damb-Tech.co.uk>.

uk1host wrote:
> 
> 
> I have moved the weight of the RBLs including Spamcop and Zen to 30.
> 
> Hopefully this will cut it back although at the moment I am still getting
> mail through.
> 
> ----------------------------------------------
> MAIL 1
> Return-Path: <sw...@info.gamanetwork.com>
> Received: from 254.Red-88-12-175.dynamicIP.rima-tde.net [88.12.175.254] by
> mail.uk1host.co.uk with SMTP;
>    Sat, 8 Mar 2008 11:12:49 -0600
> Received: from obsidiannowzzz (HELO padrehost.localbayed)
>   by losl7.verne.sd.biz with WQMTP; Sat, 08 Mar 2008 22:02:45 +0600
> Date: Sat, 08 Mar 2008 13:55:45 -0200
> Message-Id: <CF...@mopalinux.com>
> From: "Arline Lam" <sw...@info.gamanetwork.com>
> To: dave@damb-tech.com
> Subject: [SPAM] SPAM-HIGH:  incredible prices for best drug$!
> Reply-To: dirk@deploy.foursquare.adair.ac.za
> X-Scanner: vacillate for perilla (http://duncanthrax.net/exiscan/)
> X-Virus-Scanner: AMaVis 0.2.0-pre6 / Virus Scan
> X-Loop: taboo@chamomile.fr
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> X-SmarterMail-Spam: Bayesian Filtering, SpamAssassin 90.25 [raw: 36.1],
> SPF_Fail, ZEN
> X-MSKTag: [SPAM]
> X-MSK: DNS=2
> 
> ------------------
> 
> MAIL 2
> Return-Path: <_g...@alliantfs.com>
> Received: from adsl-pool2-41.metrotel.net.co [190.182.63.41] by
> mail.uk1host.co.uk with SMTP;
>    Sat, 8 Mar 2008 11:12:44 -0600
> Message-ID: <00...@catbej>
> From: "Manuela Mainard" <_g...@alliantfs.com>
> To: <da...@damb-tech.com>
> Subject: [SPAM] SPAM-HIGH:  professor Michael Bugeja
> Date: Sat, 08 Mar 2008 15:25:12 +0000
> MIME-Version: 1.0
> Content-Type: text/plain;
>         charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> X-SmarterMail-Spam: SpamAssassin 58.75 [raw: 23.5], SPF_None, DNSBL-1,
> HOSTKARMA, SpamCop, ZEN
> X-MSKTag: [SPAM]
> X-MSK: DNS=2
> 
> -----------------
> 
> MAIL 3
> Return-Path: <<d...@correo1.com>
> Received: from u93e4.net.azartsat.pl [82.177.216.93] by mail.uk1host.co.uk
> with SMTP;
>    Sat, 8 Mar 2008 11:11:30 -0600
> Received: (from Latasha Petersen@sagacious.togging.saud.us)
>         by Latasha Petersen.net MqFx id g42Ls1T27291;
>         Sat, 08 Mar 2008 09:54:25 -0600
> Message-Id: <di...@wreck.com>
> From: "Latasha Petersen" <deodorant@correo1.com >
> Date: Sat, 08 Mar 2008 09:52:25 -0600
> To: dave@damb-tech.com
> Subject: [SPAM] SPAM-HIGH:  Apcal~is (Tadalafil)--The "S.u.p.e.r
> V.i.a.g.r.a" hkoprigmo -electrophoresis
> User-Agent: Mutt/1.2.5.1i
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> X-SmarterMail-Spam: Bayesian Filtering, SpamAssassin 52.25 [raw: 20.9],
> SPF_None
> X-MSKTag: [SPAM]
> X-MSK: DNS=2
> 
> Cheers
> Dave
> =====================================================
> 
> 



Rob McEwen wrote:
> 
> OOPS...
> 
> When I said "PBL and CBL both will cause this to be on XBL and ZEN as
> well"
> 
> I should clarify that:
> 
> PBL feeds into ZEN, but not XBL (didn't mean to imply that)
> 
> CBL feeds into XBL and ZEN
> 
> Nevertheless, since both are in ZEN, this didn't alter my observations 
> about each message and this didn't change my conclusions.
> 
> --Rob McEwen
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Domain-Name-SPAM-tp15891193p15917313.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Domain Name SPAM

Posted by Rob McEwen <ro...@invaluement.com>.
OOPS...

When I said "PBL and CBL both will cause this to be on XBL and ZEN as well"

I should clarify that:

PBL feeds into ZEN, but not XBL (didn't mean to imply that)

CBL feeds into XBL and ZEN

Nevertheless, since both are in ZEN, this didn't alter my observations 
about each message and this didn't change my conclusions.

--Rob McEwen


Re: Domain Name SPAM

Posted by Rob McEwen <ro...@invaluement.com>.
uk1host (Dave) wrote:
> (1)
>
> Return-Path: <dw...@stllaborers.com>
> Received: from Wimax-c3-ppy-pt-190-70-170-132.orbitel.net.co
> [190.70.170.132] by mail.uk1host.co.uk with SMTP;
>    Sat, 8 Mar 2008 08:59:14 -060
190.70.170.132 is currently listed on CBL, SpamCop, and ivmSIP. (XBL and 
ZEN would also have this via the CBL listing)

ivmSIP listed this on Thursday, March 06, 2008 11:19 AM (eastern)
CBL listed this 2008-03-08 13:00 GMT
SpamCop says "listed for 2.8 days" (from before I checked this a few 
minutes ago)

I think that CBL/XBL/ZEN *might* have listed this right at the time that 
you received this... or just after... but I could be miscalculating 
either way by an hour. But that doesn't matter... both SpamCop and 
ivmSIP listed this long before you received it.
> (2)
>
> Return-Path: <<e...@regiomontano.com>
> Received: from 109.Red-88-15-17.dynamicIP.rima-tde.net [88.15.17.109
> ] by
> mail.uk1host.co.uk with SMTP;
>    Sat, 8 Mar 2008 08:36:19 -060
This one should have easily been blocked by PBL, which is a part of Zen. 
So ZEN should have blocked this.

> (3)
>
> X-McAfeeVS-TimeoutProtection: 0
> Return-Path: <ja...@savetheinternet.com>
> Received: from dsl88-226-51303.ttnet.net.tr [88.226.200.103
> ] by
> mail.uk1host.co.uk with SMTP;
>    Sat, 8 Mar 2008 07:58:24 -060
This one is currently listed on PBL and CBL and SpamCop. PBL and CBL 
both will cause this to be on XBL and ZEN as well. I'm confused by 
SpamCop's description of when this was listed by SpamCop. CBL said that 
it was listed about 3 hours ago... but, regardless, PBL would have 
already had this in Zen long before you received the message. So ZEN 
should have easily been enough without anything else.

CONCLUSION:

ALL three of these spams would have been caught with proper use of just 
ZEN and SpamCop, assuming that those two lists are implemented correctly 
and are scored such that either one alone scores high enough in your 
system to outright block an incoming spam.

Rob McEwen
rob@invaluement.com


Re: Domain Name SPAM

Posted by uk1host <Da...@Damb-Tech.co.uk>.


uk1host wrote:
> 
> 
> 
> uk1host wrote:
>> 
>> 
>> 
>> Rob McEwen wrote:
>>> 
>>> Dave@Damb-Tech.co.uk wrote:
>>>> Do you know if there is a list of RBLs and where I can get it from?
>>>> I have a customer who is getting a lot of spam and I need to cut it
>>>> down a lot; he seems to be getting a lot from drug companies and medical
>>>> extension companies.
>>> 
>>> Dave,
>>> 
>>> I recommend the following 5 "1st tier" Sender's IP blacklists (or "RBLs", 
>>> as you described them):
>>> 
>>> (NOT in any particular order)
>>> 
>>> *****************
>>> SENDER'S IP BLACKLISTS:
>>> *****************
>>> 
>>> THE FIVE "1ST TIER" DNSBLs:
>>> 
>>> (1) zen.spamhaus.org (may require subscription if volume is high)
>>> ALSO: cbl.abuseat.org (already included in zen, so don't use both.)
>>> 
>>> (2) psbl.surriel.com (I recommend using their free RSYNC access.)
>>> 
>>> (3) bl.spamcop.net (used to have some FPs of legit newsletters. But not 
>>> anymore... so don't believe anything bad you read about this one because 
>>> it is now really high quality and has extremely low FPs.)
>>> 
>>> (4) list.dsbl.org (I recommend using their free RSYNC access)
>>> 
>>> (5) invaluement.com's SIP list (**requires subscription for RSYNC access 
>>> to files. ivmSIP will NOT impress based on % of spam blocked... but it 
>>> WILL impress based on the spam it catches which ALL the other 1st tier 
>>> lists miss... and it has a 1st-tier extreme-low-FP rate.)
>>> 
>>> Contact me off-list for a free test of ivmSIP.
>>> 
>>> FOUR "HONORABLE MENTIONS":
>>> 
>>> (1) dnsbl.ahbl.org (really good, but I've seen a few too many FPs to 
>>> consider this in the 1st tier. But when I say "a few".. I mean a tiny, 
>>> tiny fraction of a percent.)
>>> 
>>> (2) dnsbl.njabl.org (really good, but I've seen a few too many FPs to 
>>> consider this in the 1st tier. But when I say "a few".. I mean a tiny, 
>>> tiny fraction of a percent.)
>>> 
>>> (3) hostkarma.junkemailfilter.com (might be a 1st tier list... but I 
>>> haven't tested it myself. Like ivmSIP, it catches lots of spam that other 
>>> lists miss. I know its FPs are overall at least very low, but I haven't 
>>> verified yet that its FPs are low enough to be considered a 1st tier 
>>> RBL. This one might very well be 1st tier... I just can't personally 
>>> verify that.)
>>> 
>>> (4) dnsbl-1.uceprotect.net (used to have too many FPs... but under new 
>>> management and FPs are getting lower and lower... if the improvement 
>>> keeps up, this might just be 1st tier very soon, if not already!)
>>> 
>>> Again, the FP rates on at least three of these "honorable mentions" are 
>>> really just a hair below those of the 1st tier lists. I'm insanely 
>>> committed to having zero FPs.... so, again, don't take my "few FPs" 
>>> comments too far. I hear that some ISPs outright block on various 
>>> combinations of these "honorable mentions" with extremely few complaints 
>>> about FPs.
>>> 
>>> *****************
>>> URI BLACKLISTS:
>>> *****************
>>> 
>>> There are three that stand head and shoulders above the rest. There 
>>> isn't a close 4th. These three have (1) extreme low FP rates... and (2) 
>>> each of these three catch many spammer's URIs that the other two miss. 
>>> Outside of these three, no other (publicly available) URI-dnsbl in 
>>> existence can come close to making those two claims.
>>> 
>>> These are (A) SURBL.org, (B) URIBL.COM, and (C) ivmURI.com
>>> 
>>> SURBL and URIBL are generally free. URIBL is starting to require a 
>>> paid subscription to RSYNC access for organizations with large volumes 
>>> of queries. Also, ivmURI is subscription-only (again, contact me 
>>> off-list for more info). BTW - check out
>>> http://invaluement.com/results.txt
>>> 
>>> SURBL can be queried with "multi.surbl.org"
>>> 
>>> URIBL can be queried with "multi.uribl.com"
>>> 
>>> ivmURI requires a subscription to get the data via RSYNC
>>> 
>>> Hope this helps!
>>> 
>>> BTW - a good place for looking at catch rates and FPs for the various 
>>> Sender's IP blacklists is Al Iverson's web site:
>>> 
>>> http://www.dnsbl.com/
>>> 
>>> But ivmSIP isn't listed there because Al Iverson hates me. :(
>>> 
>>> (a) I bugged Al one too many times last summer when Al had found a 
>>> single FP on my ivmSIP and wouldn't tell me what it was. I didn't mind 
>>> that he wouldn't tell me... but I'd e-mail him about once a week to ask 
>>> him if it was still there and, apparently, this eventually angered him. 
>>> (b) I tried to explain to Al that ivmSIP is supposed to have a catch rate 
>>> of only about 20% (at that time, it is higher now)... but that it was 
>>> still far superior to other lists that have a much higher catch rate 
>>> since ivmSIP had an overall 1st tier FP rate and ivmSIP catches spams 
>>> that other 1st tier lists miss. IOW, suppose that ivmSIP had a catch 
>>> rate of 80%, but was ONLY listing stuff that Zen *already* caught. What 
>>> good would a list like that be? Such a hypothetical list would be superior 
>>> to ivmSIP according to Al's ratings, but would be 
>>> absolutely worthless in the real world! But since ivmSIP catches MANY 
>>> spams that all other 1st tier lists above miss... it is, instead, 
>>> extremely valuable and useful. After repeated attempts, Al NEVER even 
>>> acknowledged this logic and eventually told me to.... well... nevermind. 
>>> I guess he hates me... but he does a jam up job with his web site... He 
>>> is a true expert in this field and gives very good advice. His web sites 
>>> are chock full of excellent analysis and review. Highly recommended! 
>>> (Though his site would do better if he factored in "unique" catches 
>>> among the 1st tier extreme-low-FP lists.)
>>> 
>>> Rob McEwen
>>> rob@invaluement.com
>>> 
>>> 
>>> 
>> 
>> ==============================================================
>> 
>> Thanks Rob,
>> 
>> I am hoping it will cut down on the spam I am getting. I had an auto
>> response on my mail (which I have now removed) and I was getting 300+
>> spam over night.
>> 
>> I have put the info into the RBL list on my mail so I am hoping it will
>> cut it down. 
>> 
>> I have marked it to enable for filtering and enable for incoming blocking;
>> is this correct?
>> 
>> cheers
>> DAVE (uk1host)
>> 
>> 
>> 
> =======================================================
> 
> I have added all the stuff above and am still getting a lot of spam:
> medication, degrees and stop being floppy in the bedroom.
> 
> Anyone got any other ideas to help cut back on this? 
> 
> cheers
> 
> =======================================================
> 

I have posted some of the spam (HEADERS) I am still getting below.
(1)

Return-Path: <dw...@stllaborers.com>
Received: from Wimax-c3-ppy-pt-190-70-170-132.orbitel.net.co
[190.70.170.132] by mail.uk1host.co.uk with SMTP;
   Sat, 8 Mar 2008 08:59:14 -0600
Received: from [190.70.170.132] by mail.stllaborers.com; Sat, 9 Mar 2008
09:55:54 -0500
From: "Chad Mason" <dw...@stllaborers.com>
To: <da...@damb-tech.com>
Subject: [SPAM] SPAM-HIGH:  Purchase popular impotency treatment drugs in
Canada for the best Net prices.
Date: Sat, 9 Mar 2008 09:55:54 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
Thread-Index: Aca6QV856JQ1J4ANEM22NA4K585XC6==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Message-ID: <01...@dwstllaborersm>
X-SmarterMail-Spam: SpamAssassin 55.75 [raw: 22.3], SPF_None, DNSBL-1,
SpamCop, ZEN
X-MSKTag: [SPAM]
X-MSK: DNS=2

-----------------------------------------------
(2)

Return-Path: <<e...@regiomontano.com>
Received: from 109.Red-88-15-17.dynamicIP.rima-tde.net [88.15.17.109] by
mail.uk1host.co.uk with SMTP;
   Sat, 8 Mar 2008 08:36:19 -0600
Received: from camelnowzzz (HELO bookbindhost.localadultery)
  by conceptuall7.elect.sd.biz with WQMTP; Sat, 08 Mar 2008 18:18:10 +0500
Date: Sat, 08 Mar 2008 09:18:10 -0400
Message-Id: <CF...@mopalinux.com>
From: "Milagros Ramey" <extrema@regiomontano.com >
To: dave@damb-tech.com
Subject: [SPAM] SPAM-HIGH:  di$c0unt meds shipping world wide!
Reply-To: dirk@criterion.faber.suicidal.ac.za
X-Scanner: policeman for emitter (http://duncanthrax.net/exiscan/)
X-Virus-Scanner: AMaVis 0.2.0-pre6 / Virus Scan
X-Loop: mccracken@beadle.fr
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-SmarterMail-Spam: SpamAssassin 92.25 [raw: 36.9], SPF_SoftFail, ZEN
X-MSKTag: [SPAM]
X-MSK: DNS=2

-----------------------------------------

(3)

X-McAfeeVS-TimeoutProtection: 0
Return-Path: <ja...@savetheinternet.com>
Received: from dsl88-226-51303.ttnet.net.tr [88.226.200.103] by
mail.uk1host.co.uk with SMTP;
   Sat, 8 Mar 2008 07:58:24 -0600
Received: from personify
 by savetheinternet.com with SMTP id RIoxZWFLwo
 for <da...@dambtech.co.uk>; Sat, 8 Mar 2008 15:57:35 -0200
From: "Theodore Ferguson" <Ja...@savetheinternet.com>
To: <da...@dambtech.co.uk>
Subject: SPAM-HIGH:  Hey, start seeing dollars pouring in.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-SmarterMail-Spam: SpamAssassin 64.75 [raw: 25.9], SPF_None, DNSBL-1,
SpamCop, ZEN
X-MSK: BYS=0.000000,HRC=0.510931

---------------

Hope this helps. I have the RBL weight set to 10.

Cheers


-- 
View this message in context: http://www.nabble.com/Domain-Name-SPAM-tp15891193p15913213.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Domain Name SPAM

Posted by Rob McEwen <ro...@invaluement.com>.
uk1host wrote:
>> I have moved the weight of the RBLs including Spamcop and Zen to 30.
>>
>> Hopefully this will cut it back although at the moment I am still getting
>> mail through.
>>     
Dave,

SpamCop and Zen won't block all the spam... but, along the lines of what 
I said previously, if this adjustment in scores doesn't cause a dramatic 
improvement from what you have been describing, then the problem 
isn't with these blacklists. The problem would then be that something in 
your configuration and/or spam software and/or mail server and/or DNS 
server is just plain broken.

Is this a shared hosting account, or do you control the whole server?

What I'm getting at is... do you have "remote desktop" (or equivalent) 
access to the server?

What platform? (windows? unix?)

If "yes", then I suggest first figuring out what DNS server your 
SmarterMail program is using and then see if direct queries to the 
lookups I've already verified as listed really do work. That would be a 
good place to start.

(when doing lookups, reverse the IP)

for example, 127.0.0.1 would be:

1.0.0.127.bl.spamcop.net
and
1.0.0.127.zen.spamhaus.org

(replace with those IPs you gave as examples... and depending on which 
list I said that an IP was listed on)

Also, look in SmarterMail to see if there is a place where you can 
specify the DNS server.

Rob McEwen
rob@invaluement.com
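Rob's lookup recipe above, together with the two guidelines he gave earlier in the thread (test only the IP that actually connected to your MTA, never the IPs in upstream Received headers, and skip mail your own users submitted with SMTP AUTH), as a Python example added to this thread. It is not SmarterMail's code and not anything Rob posted. It assumes Received headers in the shape the posted spams show ("from HELO [ip] by our-mta with PROTO"), that authenticated submissions carry the RFC 3848 keywords ESMTPA/ESMTPSA (SmarterMail may mark them differently), and the Zen return-code and 127.255.255.x error-code meanings are quoted from memory of the Spamhaus documentation and should be checked against it. The sample header block is constructed from spam (2) posted above, refolded the way an MTA writes it.

```python
"""DNSBL lookup helper for the IP that connected to our MTA.

Added example for this thread, not code from the list, SmarterMail or any
DNSBL operator. Assumptions are marked in the comments.
"""
import ipaddress
import re
import socket

# Hostname of our own MTA: only the Received line it wrote can be trusted.
MY_MTA = "mail.uk1host.co.uk"

# Constructed sample: the Received lines of spam (2) from the thread, folded
# the way an MTA folds them (continuation lines begin with whitespace).
SAMPLE_HEADERS = (
    "Received: from 109.Red-88-15-17.dynamicIP.rima-tde.net [88.15.17.109] by\n"
    "\tmail.uk1host.co.uk with SMTP;\n"
    "\tSat, 8 Mar 2008 08:36:19 -0600\n"
    "Received: from camelnowzzz (HELO bookbindhost.localadultery)\n"
    "\tby conceptuall7.elect.sd.biz with WQMTP; Sat, 08 Mar 2008 18:18:10 +0500\n"
    "Subject: di$c0unt meds shipping world wide!\n"
)

# RFC 3848 "with" keywords for authenticated submission (assumption: your MTA
# uses them; SmarterMail's exact wording should be verified).
AUTHENTICATED = {"ESMTPA", "ESMTPSA"}

# Zen A-record answers -> which component listed the IP. Assumed from memory
# of the Spamhaus documentation; check it before relying on these.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL (CBL)", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL (DROP)",
    "127.0.0.10": "PBL (ISP-maintained)", "127.0.0.11": "PBL (Spamhaus-maintained)",
}

RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?:(?P<helo>[^\s\[(]+)\s*)?"   # HELO name (optional)
    r"(?:\((?P<paren>[^)]*)\)\s*)?"                       # optional "(...)" comment
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+"             # the connecting IP
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>[A-Za-z]+)",    # which host wrote it, and how
    re.IGNORECASE,
)


def unfold(raw_headers):
    """Join RFC 5322 folded header lines so each header is one string."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def connecting_ip(raw_headers, my_mta=MY_MTA):
    """Return the IP that connected to our MTA, or None if the message should
    not be DNSBL-checked (authenticated user, internal relay, or no such hop)."""
    for line in unfold(raw_headers):
        m = RECEIVED_RE.match(line)
        if not m or m.group("by").lower() != my_mta.lower():
            continue  # hops written by other hosts are forgeable; ignore them
        if m.group("proto").upper() in AUTHENTICATED:
            return None  # our own user submitting mail: do not blacklist-check
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.is_private or ip.is_loopback:
            return None  # internal relay; DNSBLs do not meaningfully list it
        return str(ip)
    return None


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 127.0.0.1 -> 1.0.0.127.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_zen(answers):
    """Name the Zen component for each A answer; flag resolver-side errors."""
    decoded = []
    for a in answers:
        if a.startswith("127.255.255."):
            # Assumed Spamhaus error range: query refused (public/open resolver
            # or over the free query limit). That looks like "not listed" to a
            # naive filter, which is exactly the failure mode Rob suspects.
            decoded.append("ERROR: query refused (open/public resolver or over quota)")
        else:
            decoded.append(ZEN_CODES.get(a, "unknown code %s" % a))
    return decoded


def lookup(ip, zone):
    """Live query through the system resolver (needs network). [] = not listed."""
    try:
        return socket.gethostbyname_ex(dnsbl_query_name(ip, zone))[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    ip = connecting_ip(SAMPLE_HEADERS)
    print("connecting IP:", ip)
    for zone in ("zen.spamhaus.org", "bl.spamcop.net"):
        answers = lookup(ip, zone)
        print(dnsbl_query_name(ip, zone), "->", answers,
              decode_zen(answers) if zone.startswith("zen") else "")
```

Run it on the SmarterMail host itself so `lookup()` goes through the same resolver the mail server uses; an empty answer for an IP Rob has confirmed as listed, or any 127.255.255.x answer, points at the DNS path rather than at the blacklists.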


Re: Domain Name SPAM

Posted by uk1host <Da...@Damb-Tech.co.uk>.


> 
> I have moved the weight of the RBLs including Spamcop and Zen to 30.
> 
> Hopefully this will cut it back although at the moment I am still getting
> mail through.
> 
> ----------------------------------------------
> MAIL 1
> Return-Path: <sw...@info.gamanetwork.com>
> Received: from 254.Red-88-12-175.dynamicIP.rima-tde.net [88.12.175.254] by
> mail.uk1host.co.uk with SMTP;
>    Sat, 8 Mar 2008 11:12:49 -0600
> Received: from obsidiannowzzz (HELO padrehost.localbayed)
>   by losl7.verne.sd.biz with WQMTP; Sat, 08 Mar 2008 22:02:45 +0600
> Date: Sat, 08 Mar 2008 13:55:45 -0200
> Message-Id: <CF...@mopalinux.com>
> From: "Arline Lam" <sw...@info.gamanetwork.com>
> To: dave@damb-tech.com
> Subject: [SPAM] SPAM-HIGH:  incredible prices for best drug$!
> Reply-To: dirk@deploy.foursquare.adair.ac.za
> X-Scanner: vacillate for perilla (http://duncanthrax.net/exiscan/)
> X-Virus-Scanner: AMaVis 0.2.0-pre6 / Virus Scan
> X-Loop: taboo@chamomile.fr
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> X-SmarterMail-Spam: Bayesian Filtering, SpamAssassin 90.25 [raw: 36.1],
> SPF_Fail, ZEN
> X-MSKTag: [SPAM]
> X-MSK: DNS=2
> 
> ------------------
> 
> MAIL 2
> Return-Path: <_g...@alliantfs.com>
> Received: from adsl-pool2-41.metrotel.net.co [190.182.63.41] by
> mail.uk1host.co.uk with SMTP;
>    Sat, 8 Mar 2008 11:12:44 -0600
> Message-ID: <00...@catbej>
> From: "Manuela Mainard" <_g...@alliantfs.com>
> To: <da...@damb-tech.com>
> Subject: [SPAM] SPAM-HIGH:  professor Michael Bugeja
> Date: Sat, 08 Mar 2008 15:25:12 +0000
> MIME-Version: 1.0
> Content-Type: text/plain;
> 	charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.3138
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
> X-SmarterMail-Spam: SpamAssassin 58.75 [raw: 23.5], SPF_None, DNSBL-1,
> HOSTKARMA, SpamCop, ZEN
> X-MSKTag: [SPAM]
> X-MSK: DNS=2
> 
> -----------------
> MAIL 3
> Return-Path: <<d...@correo1.com>
> Received: from u93e4.net.azartsat.pl [82.177.216.93] by mail.uk1host.co.uk
> with SMTP;
>    Sat, 8 Mar 2008 11:11:30 -0600
> Received: (from Latasha Petersen@sagacious.togging.saud.us)
> 	by Latasha Petersen.net MqFx id g42Ls1T27291;
> 	Sat, 08 Mar 2008 09:54:25 -0600
> Message-Id: <di...@wreck.com>
> From: "Latasha Petersen" <deodorant@correo1.com >
> Date: Sat, 08 Mar 2008 09:52:25 -0600
> To: dave@damb-tech.com
> Subject: [SPAM] SPAM-HIGH:  Apcal~is (Tadalafil)--The "S.u.p.e.r
> V.i.a.g.r.a" hkoprigmo -electrophoresis
> User-Agent: Mutt/1.2.5.1i
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> X-SmarterMail-Spam: Bayesian Filtering, SpamAssassin 52.25 [raw: 20.9],
> SPF_None
> X-MSKTag: [SPAM]
> X-MSK: DNS=2
> 
> Cheers
> Dave
> =====================================================
> 
> 





Rob McEwen wrote:
> 
> Dave wrote:
> 
>> I had an auto response
>> on my mail (which I have now removed) and I was getting 300+ spam over
>> night.
>>
>> I have marked it to enable for filtering and enable for incoming blocking
>> is
>> this correct?
>>   
> Dave,
> 
> First,  it is good that you removed the "auto response" because some 
> argue that this should never be done... and, certainly, no one should 
> ever use an autoresponder if they don't already have exceptional spam 
> filtering. A high percentage of spam has the "FROM" address forged, and 
> many of these forged FROMs are real people who are innocent. If you are 
> getting much spam past your spam filtering, then many innocent people 
> will become a victim of your auto-responder as it responds back to them 
> for spams that they really had nothing to do with. Additionally, you 
> might have been getting notifications from your own server about these 
> responders not being deliverable and/or these might have triggered 
> backscatter from misconfigured servers. Auto-responders are already a 
> messy business when the spam filtering is working well... but they are 
> out-of-control bad when the spam filtering isn't up to par.
> 
>> I have added all the stuff above and am still getting a lot of spam:
>> medication, degrees and stop being floppy in the bedroom.
>>   
> 
> First, you couldn't have implemented "all" the stuff, because you 
> haven't implemented my lists! :)
> 
> But forget my lists for now... my lists are for going from good spam 
> filtering to incredibly great spam filtering. But without my lists, you 
> should be able to go from mediocre filtering to good filtering with only 
> the "free" non-subscription lists I mentioned.
> 
> I'm just not convinced that all those other lists missed so much.
> 
> I have a suggestion:
> 
> Post the sending IP addresses of 5 recent spams that made it past your 
> filter... and post the URLs used by spammers within the content of 5 
> recent spams. (I don't filter SA list mail... but in case others do, put 
> a space before the "." in the domain names of those URLs so that you 
> won't get blocked by others' filters when you reply back to the SA list)
> 
> I'll let you know which of those DNSBLs I mentioned, if any, 
> should/would have blocked the spams based on the Sender's IP and based 
> on the links within the messages.
> 
> We need to get to the bottom of what is really happening... are these 
> REALLY being missed by ALL those lists?? ...Or are these REALLY being 
> used (and scored?) properly by your filter??
> 
> Those questions can't be answered without some examples.
> 
> Thanks!
> 
> Rob McEwen
> rob@invaluement.com
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Domain-Name-SPAM-tp15891193p15916870.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Domain Name SPAM

Posted by Rob McEwen <ro...@invaluement.com>.
Dave wrote:

> I had an auto response
> on my mail (which I have now removed) and I was getting 300+ spam over
> night.
>
> I have marked it to enable for filtering and enable for incoming blocking is
> this correct?
>   
Dave,

First,  it is good that you removed the "auto response" because some 
argue that this should never be done... and, certainly, no one should 
ever use an autoresponder if they don't already have exceptional spam 
filtering. A high percentage of spam has the "FROM" address forged, and 
many of these forged FROMs are real people who are innocent. If you are 
getting much spam past your spam filtering, then many innocent people 
will become a victim of your auto-responder as it responds back to them 
for spams that they really had nothing to do with. Additionally, you 
might have been getting notifications from your own server about these 
responders not being deliverable and/or these might have triggered 
backscatter from misconfigured servers. Auto-responders are already a 
messy business when the spam filtering is working well... but they are 
out-of-control bad when the spam filtering isn't up to par.

> I have added all the stuff above and am still getting a lot of spam:
> medication, degrees and stop being floppy in the bedroom.
>   

First, you couldn't have implemented "all" the stuff, because you 
haven't implemented my lists! :)

But forget my lists for now... my lists are for going from good spam 
filtering to incredibly great spam filtering. But without my lists, you 
should be able to go from mediocre filtering to good filtering with only 
the "free" non-subscription lists I mentioned.

I'm just not convinced that all those other lists missed so much.

I have a suggestion:

Post the sending IP addresses of 5 recent spams that made it past your 
filter... and post the URLs used by spammers within the content of 5 
recent spams. (I don't filter SA list mail... but in case others do, put 
a space before the "." in the domain names of those URLs so that you 
won't get blocked by others' filters when you reply back to the SA list)

I'll let you know which of those DNSBLs I mentioned, if any, 
should/would have blocked the spams based on the Sender's IP and based 
on the links within the messages.

We need to get to the bottom of what is really happening... are these 
REALLY being missed by ALL those lists?? ...Or are these REALLY being 
used (and scored?) properly by your filter??

Those questions can't be answered without some examples.

Thanks!

Rob McEwen
rob@invaluement.com



Re: Domain Name SPAM

Posted by uk1host <Da...@Damb-Tech.co.uk>.


uk1host wrote:
> 
> 
> 
> Rob McEwen wrote:
>> 
>> Dave@Damb-Tech.co.uk wrote:
>>> Do you know if there is a list of RBLs and where I can get it from?
>>> I have a customer who is getting a lot of spam and I need to cut it
>>> down a lot; he seems to be getting a lot from drug companies and medical
>>> extension companies.
>> 
>> Dave,
>> 
>> I recommend the following 5 "1st tier" Sender's IP blacklists (or "RBLs", 
>> as you described them):
>> 
>> (NOT in any particular order)
>> 
>> *****************
>> SENDER'S IP BLACKLISTS:
>> *****************
>> 
>> THE FIVE "1ST TIER" DNSBLs:
>> 
>> (1) zen.spamhaus.org (may require subscription if volume is high)
>> ALSO: cbl.abuseat.org (already included in zen, so don't use both.)
>> 
>> (2) psbl.surriel.com (I recommend using their free RSYNC access.)
>> 
>> (3) bl.spamcop.net (used to have some FPs of legit newsletters. But not 
>> anymore... so don't believe anything bad you read about this one because 
>> it is now really high quality and has extremely low FPs.)
>> 
>> (4) list.dsbl.org (I recommend using their free RSYNC access)
>> 
>> (5) invaluement.com's SIP list (**requires subscription for RSYNC access 
>> to files. ivmSIP will NOT impress based on % of spam blocked... but it 
>> WILL impress based on the spam it catches which ALL the other 1st tier 
>> lists miss... and it has a 1st-tier extreme-low-FP rate.)
>> 
>> Contact me off-list for a free test of ivmSIP.
>> 
>> FOUR "HONORABLE MENTIONS":
>> 
>> (1) dnsbl.ahbl.org (really good, but I've seen a few too many FPs to 
>> consider this in the 1st tier. But when I say "a few".. I mean a tiny, 
>> tiny fraction of a percent.)
>> 
>> (2) dnsbl.njabl.org (really good, but I've seen a few too many FPs to 
>> consider this in the 1st tier. But when I say "a few".. I mean a tiny, 
>> tiny fraction of a percent.)
>> 
>> (3) hostkarma.junkemailfilter.com (might be a 1st tier list.. but I 
>> haven't tested it myself. Like ivmSIP, it catches lots of spam that other 
>> lists miss. I know its FPs are overall at least very low, but I haven't 
>> verified yet that its FPs are low enough to be considered a 1st tier 
>> RBL. This one might very well be 1st tier... I just can't personally 
>> verify that.)
>> 
>> (4) dnsbl-1.uceprotect.net (used to have too many FPs... but under new 
>> management and FPs are getting lower and lower... if the improvement 
>> keeps up, this might just be 1st tier very soon, if not already!)
>> 
>> Again, the FP rates on at least three of these "honorable mentions" are 
>> really just a hair below those of the 1st tier lists. I'm insanely 
>> committed to having zero FPs.... so, again, don't take my "few FPs" 
>> comments too far. I hear that some ISPs outright block on various 
>> combinations of these "honorable mentions" with extremely few complaints 
>> about FPs.
>> 
>> *****************
>> URI BLACKLISTS:
>> *****************
>> 
>> There are three that stand head and shoulders above the rest. There 
>> isn't a close 4th. These three have (1) extremely low FP rates... and (2) 
>> each of these three catches many spammers' URIs that the other two miss. 
>> Outside of these three, no other (publicly available) URI-dnsbl in 
>> existence can come close to making those two claims.
>> 
>> These are (A) SURBL.org, (B) URIBL.COM, and (C) ivmURI.com
>> 
>> SURBL and URIBL are generally free. URIBL is starting to require a 
>> paid subscription to RSYNC access for organizations with large volumes 
>> of queries. Also, ivmURI is subscription-only (again, contact me 
>> off-list for more info). BTW - check out
>> http://invaluement.com/results.txt
>> 
>> SURBL can be queried with "multi.surbl.org"
>> 
>> URIBL can be queried with "multi.uribl.com"
>> 
>> ivmURI requires a subscription to get the data via RSYNC
>> 
>> Hope this helps!
>> 
>> BTW - a good place for looking at catch rates and FPs for the various 
>> Sender's IP blacklists is Al Iverson's web site:
>> 
>> http://www.dnsbl.com/
>> 
>> But ivmSIP isn't listed there because Al Iverson hates me. :(
>> 
>> (a) I bugged Al one too many times last summer when Al had found a 
>> single FP on my ivmSIP and wouldn't tell me what it was. I didn't mind 
>> that he wouldn't tell me... but I'd e-mail him about once a week to ask 
>> him if it was still there and, apparently, this eventually angered him. 
>> (b) I tried to explain to Al that ivmSIP is supposed to have a catch rate 
>> of only about 20% (at that time, it is higher now)... but that it was 
>> still far superior to other lists that have a much higher catch rate 
>> since ivmSIP had an overall 1st tier FP rate and ivmSIP catches spams 
>> that other 1st tier lists miss. IOW, suppose that ivmSIP had a catch 
>> rate of 80%, but was ONLY listing stuff that Zen *already* caught. What 
>> good would a list like that be? Such a hypothetical list would be superior 
>> to ivmSIP according to Al's ratings, but would be 
>> absolutely worthless in the real world! But since ivmSIP catches MANY 
>> spams that all other 1st tier lists above miss... it is, instead, 
>> extremely valuable and useful. After repeated attempts, Al NEVER even 
>> acknowledged this logic and eventually told me to.... well... nevermind. 
>> I guess he hates me... but he does a jam up job with his web site... He 
>> is a true expert in this field and gives very good advice. His web sites 
>> are chock full of excellent analysis and review. Highly recommended! 
>> (Though his site would do better if he factored in "unique" catches 
>> among the 1st tier extreme-low-FP lists.)
>> 
>> Rob McEwen
>> rob@invaluement.com
>> 
>> 
>> 
> 
> ==============================================================
> 
> Thanks Rob,
> 
> I am hoping it will cut down on the spam I am getting. I had an auto
> response on my mail (which I have now removed) and I was getting 300+ spam
> overnight.
> 
> I have put the info into the RBL list on my mail so I am hoping it will
> cut it down. 
> 
> I have marked it to enable for filtering and enable for incoming blocking
> is this correct?
> 
> cheers
> DAVE (uk1host)
> 
> 
> 
=======================================================

I have added all the stuff above and am still getting a lot of spam:
medication, degrees and stop being floppy in the bedroom.

Anyone got any other ideas to help cut back on this? 

cheers

=======================================================


Re: Domain Name SPAM

Posted by uk1host <Da...@Damb-Tech.co.uk>.


Rob McEwen wrote:
> 
> Dave@Damb-Tech.co.uk wrote:
>> Do you know if there is a list of RBLs and where I can get it from.
>> I have a customer who is getting a lot of spam and I need to cut it
>> down a lot, he seems to be getting a lot from drug companies and medical
>> extension companies.
> 
> Dave,
> 
> I recommend the following 5 "1st tier" Sender's IP blacklists (or "RBLs", 
> as you described them):
> 
> (NOT in any particular order)
> 
> *****************
> SENDER'S IP BLACKLISTS:
> *****************
> 
> THE FIVE "1ST TIER" DNSBLs:
> 
> (1) zen.spamhaus.org (may require subscription if volume is high)
> ALSO: cbl.abuseat.org (already included in zen, so don't use both.)
> 
> (2) psbl.surriel.com (I recommend using their free RSYNC access.)
> 
> (3) bl.spamcop.net (used to have some FPs of legit newsletters. But not 
> anymore.. so don't believe anything bad you read about this one because 
> it is now really high quality and has extremely low FPs.)
> 
> (4) list.dsbl.org (I recommend using their free RSYNC access)
> 
> (5) invaluement.com's SIP list (**requires subscription for RSYNC access 
> to files. ivmSIP will NOT impress based on % of spam blocked... but it 
> WILL impress based on the spam it catches which ALL the other 1st tier 
> lists miss... and it has a 1st-tier extreme-low-FP rate.)
> 
> Contact me off-list for a free test of ivmSIP.
> 
> FOUR "HONORABLE MENTIONS":
> 
> (1) dnsbl.ahbl.org (really good, but I've seen a few too many FPs to 
> consider this in the 1st tier. But when I say "a few".. I mean a tiny, 
> tiny fraction of a percent.)
> 
> (2) dnsbl.njabl.org (really good, but I've seen a few too many FPs to 
> consider this in the 1st tier. But when I say "a few".. I mean a tiny, 
> tiny fraction of a percent.)
> 
> (3) hostkarma.junkemailfilter.com (might be a 1st tier list.. but I 
> haven't tested it myself. Like ivmSIP, it catches lots of spam that other 
> lists miss. I know its FPs are overall at least very low, but I haven't 
> verified yet that its FPs are low enough to be considered a 1st tier 
> RBL. This one might very well be 1st tier... I just can't personally 
> verify that.)
> 
> (4) dnsbl-1.uceprotect.net (used to have too many FPs... but under new 
> management and FPs are getting lower and lower... if the improvement 
> keeps up, this might just be 1st tier very soon, if not already!)
> 
> Again, the FP rates on at least three of these "honorable mentions" are 
> really just a hair below those of the 1st tier lists. I'm insanely 
> committed to having zero FPs.... so, again, don't take my "few FPs" 
> comments too far. I hear that some ISPs outright block on various 
> combinations of these "honorable mentions" with extremely few complaints 
> about FPs.
> 
> *****************
> URI BLACKLISTS:
> *****************
> 
> There are three that stand head and shoulders above the rest. There 
> isn't a close 4th. These three have (1) extremely low FP rates... and (2) 
> each of these three catches many spammers' URIs that the other two miss. 
> Outside of these three, no other (publicly available) URI-dnsbl in 
> existence can come close to making those two claims.
> 
> These are (A) SURBL.org, (B) URIBL.COM, and (C) ivmURI.com
> 
> SURBL and URIBL are generally free. URIBL is starting to require a 
> paid subscription to RSYNC access for organizations with large volumes 
> of queries. Also, ivmURI is subscription-only (again, contact me 
> off-list for more info). BTW - check out
> http://invaluement.com/results.txt
> 
> SURBL can be queried with "multi.surbl.org"
> 
> URIBL can be queried with "multi.uribl.com"
> 
> ivmURI requires a subscription to get the data via RSYNC
> 
> Hope this helps!
> 
> BTW - a good place for looking at catch rates and FPs for the various 
> Sender's IP blacklists is Al Iverson's web site:
> 
> http://www.dnsbl.com/
> 
> But ivmSIP isn't listed there because Al Iverson hates me. :(
> 
> (a) I bugged Al one too many times last summer when Al had found a 
> single FP on my ivmSIP and wouldn't tell me what it was. I didn't mind 
> that he wouldn't tell me... but I'd e-mail him about once a week to ask 
> him if it was still there and, apparently, this eventually angered him. 
> (b) I tried to explain to Al that ivmSIP is supposed to have a catch rate 
> of only about 20% (at that time, it is higher now)... but that it was 
> still far superior to other lists that have a much higher catch rate 
> since ivmSIP had an overall 1st tier FP rate and ivmSIP catches spams 
> that other 1st tier lists miss. IOW, suppose that ivmSIP had a catch 
> rate of 80%, but was ONLY listing stuff that Zen *already* caught. What 
> good would a list like that be? Such a hypothetical list would be superior 
> to ivmSIP according to Al's ratings, but would be 
> absolutely worthless in the real world! But since ivmSIP catches MANY 
> spams that all other 1st tier lists above miss... it is, instead, 
> extremely valuable and useful. After repeated attempts, Al NEVER even 
> acknowledged this logic and eventually told me to.... well... nevermind. 
> I guess he hates me... but he does a jam up job with his web site... He 
> is a true expert in this field and gives very good advice. His web sites 
> are chock full of excellent analysis and review. Highly recommended! 
> (Though his site would do better if he factored in "unique" catches 
> among the 1st tier extreme-low-FP lists.)
> 
> Rob McEwen
> rob@invaluement.com
> 
> 
> 

==============================================================

Thanks Rob,

I am hoping it will cut down on the spam I am getting. I had an auto response
on my mail (which I have now removed) and I was getting 300+ spam
overnight.

I have put the info into the RBL list on my mail so I am hoping it will cut
it down. 

I have marked it to enable for filtering and enable for incoming blocking is
this correct?

cheers
DAVE (uk1host)

