Nabble - SpamAssassin - Users

Re: user rules not being cleared out before the next user comes along

2008-09-07T12:24:49Z

Per Jessen wrote:
> All,
>
> I'm using spamd and I allow per-user rules. I've noticed that the user
> rules are being kept although the user changes.
>
> I'm currently using spamassassin 3.1.7, and I was just wondering if this
> behaviour might already have been fixed in a later version?
>
Is this the issue affecting you?

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179

Re: user rules not being cleared out before the next user comes along

2008-09-07T12:00:51Z

On 07/09/2008 4:48 AM, Per Jessen wrote:
> All,
>
> I'm using spamd and I allow per-user rules. I've noticed that the user
> rules are being kept although the user changes.
>
> I'm currently using spamassassin 3.1.7, and I was just wondering if this
> behaviour might already have been fixed in a later version?

There was a bug about this open, from years ago, that I can no longer
find as an open bug, so I think it was fixed sometime in 3.2.

Daryl

Re: Setting up razor

2008-09-07T07:09:48Z

Michael Scheidell wrote:

  
      

It was the firewall.  I go that fixed.  Now, here's my next problem.  I
think taint mode is stopping razor from running on my system.  Since I
can't be root, I have to install Razor in my home home directory.  So


Will the system administrator allow you to set up a 'jailed',zen or vm
environment so you can look like you are root while protecting his bas
server?  Can you razor installed in the main system root?

I seriously doubt it. Is that my only option?

-- 
Get my PGP Public key here:
http://pelorus.org/skip@...

HABEAS_ACCREDITED_SOI spam (Was: senderbase rating - how to appeal?)

2008-09-07T07:05:34Z

At 14:45 05-09-2008, Greg Troxel wrote:

>I don't know that spamassassin pays attention to senderbase; if not this
>probablly won't work. I say this, mostly joking, from my experience
>with habeas. I have gotten spam on multiple occasions from senders that
>are HABEAS_ACCREDITED_SOI, and complained to habeas - with absolutely
>zero useful response. I filed a bug:
>
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5902
>
>and soon heard from habeas, who claimed that they revoked the listing of
>that sender.
>
>I then got more spam from a different habeas-accredited spammer, and
>complained privately to complaints@..., and heard nothing back.
>
>So the only rational conclusion seems to be that habeas accreditation is
>bogus, and they only respond to public pressure. Perhaps that's not
>true and I've been unlucky, but that's how it feels from my end.

The rule in the subject line is described as "Habeas Accredited
Opt-In or Better". That is not double Opt-In. If Habeas is not
responding to complaints sent to complaints@..., then it may
be better to set the current score for that test from -4.3 to 0.

>(If anyone thinks streamsend are other than spammers, please email me
>privately and let me know)

1. Streamsend requires their users to abide with CAN-SPAM
2. An unsubscribe link is required but double opt-in is not.
3. The domain information in Whois is hidden by a privacy service.

Would you whitelist such a domain?

Regards,
-sm

Re: Setting up razor

2008-09-07T07:01:02Z

>>
> It was the firewall. I go that fixed. Now, here's my next problem. I
> think taint mode is stopping razor from running on my system. Since I
> can't be root, I have to install Razor in my home home directory. So

Will the system administrator allow you to set up a 'jailed',zen or vm
environment so you can look like you are root while protecting his bas
server? Can you razor installed in the main system root?

--
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com
_________________________________________________________________________

Re: senderbase rating - how to appeal?

2008-09-07T05:52:28Z

RobertH wrote:
>
> Michael,
>
> May we ask and know what you are setting those scores to please?
>
> -rh
>
>

http://www.mail-archive.com/dev@.../msg25017.html
(note, even after complaints above, habeas still claims 'secure
referrals': proof I think that SA should lower these scores A LOT.

host 41.233.149.63.sa-accredit.habeas.com.
41.233.149.63.sa-accredit.habeas.com has address 127.0.0.50

*

10 to 39 : *Personal, transactional, and Confirmed Opt In*

*

40 to 59 : Secure referrals and Single Opt In

*

60 to 99 : Checked but not accredited by Habeas.

HABEAS_ACCREDITED_SOI is 'opt in or better' (orig -4.3) their score 49-59.
HABEAS_ACCREDITED_COI is 'accredited or confirmed opt in or better'
(orig -8) their score 10-39

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5921

since habeas does nothing about spammers, I set (including flags to take
'nice' off)

score HABEAS_ACCREDITED_SOI 2.5
tflags HABEAS_ACCREDITED_SOI net

score HABEAS_ACCREDITED_COI 0
tflags HABEAS_ACCREDITED_COI net

I added:
score HABEAS_UNCONFIRMED 8.0
tflags HABEAS_UNCONFIRMED net
header HABEAS_UNCONFIRMED eval:check_rbl('habeas-firsttrusted',
'sa-accredit.habeas.com.', '127\.\d+\.\d+\.[6789]\d')

even though spamassassin team says this is a habeas issue, there is
enough documented proof that the only people who use habeas are email
marketing companies, the very existence of an ip in the habeas network
proves it is bulk email, commercial bulk email. the decision as to if
your clients want (or should have) commercial bulk email is up to your
TOS. If you are an ISP, you should NOT use these above rules if you
have consumer clients. If you are the email administrator for a
business, and your business forbids users to use their email address for
personal use, then use them. If your marketing department has signed up
for 'permission based email', have them whitelist the senders.

Some might even use different tests to blacklist them at the MTA level,
graylisting won't help, these come from 'real' mail servers.
for postfix:
|smtpd_recipient_restrictions =
{standard tests}
reject rbl_client sa-accredit.habeas.com
|

--
Michael Scheidell, President
Main: 561-999-5000, Office: 561-939-7259
> *| *SECNAP Network Security Corporation

* Certified SNORT Integrator
* Everything Channel Hot Product of 2008
* Shaping Information Security Award 2008
* CRN Magazine Top 40 Emerging Security Vendors

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com
_________________________________________________________________________

Re: Setting up razor

2008-09-07T05:03:12Z

Theo Van Dinter wrote:

> On Sat, Sep 06, 2008 at 11:32:54AM -0400, Skip wrote:
>
>> peloruso@... [~]# telnet discovery.razor.cloudmark.com 2703
>> Trying 208.83.137.205...
>> telnet: connect to address 208.83.137.205: Connection timed out
>> Trying 208.83.137.117...
>> telnet: connect to address 208.83.137.117: Connection timed out
>>
> It would seem you probably have a firewall in the way. As far as I know,
> no, you can't use other ports, the servers only run on 2703.
>
>

It was the firewall. I go that fixed. Now, here's my next problem. I
think taint mode is stopping razor from running on my system. Since I
can't be root, I have to install Razor in my home home directory. So
while everything seems fine outside of SA, as soon as SA starts running,
my PERL5LIB environment variable gets reset and Razor2 doesn't know how
to run. At least that's my theory. Any thoughts on how I could fix this?

peloruso@... [~]# perl -e 'require
Mail::SpamAssassin::Plugin::Razor2'
peloruso@... [~]# perl -e 'require Razor2::Client::Agent'
peloruso@... [~]# cat Procmail/pmlog-skip |grep taint
[27100] dbg: util: running in taint mode? yes
[27100] dbg: util: taint mode: deleting unsafe environment variables,
resetting PATH
peloruso@... [~]# cat Procmail/pmlog-skip |grep razor -i
[27100] dbg: config: read file /home/peloruso/.spamassassin/25_razor2.cf
[27100] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[27100] dbg: razor2: razor2 is not available
[27100] dbg: config: fixed relative path:
/home/peloruso/.spamassassin/updates_spamassassin_org/25_razor2.cf
[27100] dbg: config: using
"/home/peloruso/.spamassassin/updates_spamassassin_org/25_razor2.cf" for
included file
[27100] dbg: config: read file
/home/peloruso/.spamassassin/updates_spamassassin_org/25_razor2.cf
[27100] dbg: config: fixed relative path:
/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/25_razor2.cf
[27100] dbg: config: using
"/home/peloruso/etc/mail/spamassassin/skip/updates_spamassassin_org/25_razor2.cf"
for included file

By the way, I have also tried pointing the loadplugin right to the
Razor2.pm file, but that didn't help either, again because I think perl
doesn't know how to find the rest of the files it needs once SA starts
running.
#loadplugin Mail::SpamAssassin::Plugin::Razor2
/home/peloruso/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Razor2.pm

I am using SA version 3.2.4

--
Get my PGP Public key here:
http://pelorus.org/skip@...

user rules not being cleared out before the next user comes along

2008-09-07T01:48:22Z

All,

I'm using spamd and I allow per-user rules. I've noticed that the user
rules are being kept although the user changes.

I'm currently using spamassassin 3.1.7, and I was just wondering if this
behaviour might already have been fixed in a later version?

/Per Jessen, Zürich

Re: score USER_IN_DEF_WHITELIST 0, for me at least

2008-09-06T18:32:16Z

DCWO> Perhaps you would like to share an example of such a spam

OK, https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5970 thanks.

RE: senderbase rating - how to appeal?

2008-09-06T18:19:16Z

>
> Considering that only spammers (er... 'email marketing companies') pay for
> habeas, we have set a POSITIVE score for habeas accredited spam. We track
> any FP right up front, track any rule in a fp (releases from amavisd-new
> managed quarantine), we use sa-learn.pl on shared imap folders, and let
> users drag 'not spam' and 'whitelist user' to a shared folder (and keep
> track of all fp rules), so far, three years, no user has dragged a habeas
> certified email into the false positive folders.
>
> (on the other hand, lots of fps last month on failed dkim messages. New
> messages from gmail not even being signed.. I wonder if gmail knows
> something broke lately in dkim).
>
> --
> Michael Scheidell, CTO

Michael,

May we ask and know what you are setting those scores to please?

-rh

Re: 1000 times easier to just do sa-update --nogpg

2008-09-06T16:18:48Z

>> Hello, this is the sa-update program talking to you.
>> We've detected a problem.
>> You need to do
>> $ wget http://spamassassin.apache.org/updates/GPG.KEY
>> $ sa-update --import GPG.KEY
>> and then run sa-update again. Thank you.

DCWO> Patches welcome. Please keep in mind, when parsing the output of GPG,
DCWO> that the error text may be platform dependent. For instance, even
DCWO> getting the cross-signed key error is platform dependent.

Well as I am more an expert in breakfast cereals than whatever that is
all about, somebody else please write the patch. Thanks.

Re: senderbase rating - how to appeal?

2008-09-06T16:11:49Z

> On Fri, Sep 5, 2008 at 5:45 PM, Greg Troxel <gdt@...> wrote:
>

> After seeing similar spam from "accredited" senders, we disabled any
> score from the habeas rules long ago and have yet to notice any
> increase in FP (we have ~5000 fairly sensitive users who definitely
> let us know when things don't work as they want them to). I've know
> of other sites that have disabled the habeas rules/score as well with
> similar results. IMHO, they are not worth scoring on since they
> obviously do accredit sites that send UCE. Does anyone see any
> benefit from using habeus? Does it outweigh the spam that gets
> through because of them?
>

Considering that only spammers (er... 'email marketing companies') pay for
habeas, we have set a POSITIVE score for habeas accredited spam. We track
any FP right up front, track any rule in a fp (releases from amavisd-new
managed quarantine), we use sa-learn.pl on shared imap folders, and let
users drag 'not spam' and 'whitelist user' to a shared folder (and keep
track of all fp rules), so far, three years, no user has dragged a habeas
certified email into the false positive folders.

(on the other hand, lots of fps last month on failed dkim messages. New
messages from gmail not even being signed.. I wonder if gmail knows
something broke lately in dkim).

--
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com
_________________________________________________________________________

Re: score USER_IN_DEF_WHITELIST 0, for me at least

2008-09-06T15:38:57Z

On 06/09/2008 6:03 PM, jidanni@... wrote:
> I set score USER_IN_DEF_WHITELIST 0
> as I guess I'm not the well rounded person reflected in the
> pre-defined whitelists. Indeed not many people are I bet.
>
> You see one day this spam got through riding high on that -15 point
> boost, causing me to notice the existence of these lists. I'm not sure
> if my one liner stopped all of them though.

Perhaps you would like to share an example of such a spam so that the
offending domain can be considered for removal from the whitelist. It's
probably best that you open a bug for this issue at
http://issues.apache.org/SpamAssassin/

Daryl

score USER_IN_DEF_WHITELIST 0, for me at least

2008-09-06T15:03:47Z

I set score USER_IN_DEF_WHITELIST 0
as I guess I'm not the well rounded person reflected in the
pre-defined whitelists. Indeed not many people are I bet.

You see one day this spam got through riding high on that -15 point
boost, causing me to notice the existence of these lists. I'm not sure
if my one liner stopped all of them though.

Not sure if --local turns them off too.

Re: 1000 times easier to just do sa-update --nogpg

2008-09-06T15:00:49Z

On 06/09/2008 4:09 PM, jidanni@... wrote:

> Yes, I'm saying instead of just letting sa-update fail with the generic GNU
> message and GNU hyperlink, setting the user off on a PhD Thesis effort
> of trying to figure out what to do, instead just detect the problem and print out:
> ----------------
> Hello, this is the sa-update program talking to you.
> We've detected a problem.
> You need to do
> $ wget http://spamassassin.apache.org/updates/GPG.KEY
> $ sa-update --import GPG.KEY
> and then run sa-update again. Thank you.
> ----------------
> Have that hardwired into the sa-update program, ready and waiting for
> the next time it fails. What could be wrong with that? You can even add:

Patches welcome. Please keep in mind, when parsing the output of GPG,
that the error text may be platform dependent. For instance, even
getting the cross-signed key error is platform dependent.

Daryl

Re: 1000 times easier to just do sa-update --nogpg

2008-09-06T14:30:25Z

jidanni@... <jidanni@...> wrote:

> Yes, I'm saying instead of just letting sa-update fail with the generic
> GNU message and GNU hyperlink, setting the user off on a PhD Thesis
> effort

Wow. Hyperbole much?

--
Sahil Tandon <sahil@...>

Re: 1000 times easier to just do sa-update --nogpg

2008-09-06T13:09:16Z

>>>>> "K" == Kelson <kelson@...> writes:

K> Pardon me for putting words in someone's mouth, but I got the
K> impression that the original poster's point was not to advocate
K> disabling signature checking, but to suggest that the error message
K> should be more useful.

Yes, I'm saying instead of just letting sa-update fail with the generic GNU
message and GNU hyperlink, setting the user off on a PhD Thesis effort
of trying to figure out what to do, instead just detect the problem and print out:
----------------
Hello, this is the sa-update program talking to you.
We've detected a problem.
You need to do
$ wget http://spamassassin.apache.org/updates/GPG.KEY
$ sa-update --import GPG.KEY
and then run sa-update again. Thank you.
----------------
Have that hardwired into the sa-update program, ready and waiting for
the next time it fails. What could be wrong with that? You can even add:
----------------
If that doesn't work, use sa-update --nogpg, and consult
http://news.gmane.org/gmane.mail.spam.spamassassin.general/ ...

Re: Setting up razor

2008-09-06T11:27:08Z

On Sat, Sep 06, 2008 at 11:32:54AM -0400, Skip wrote:

> peloruso@... [~]# telnet discovery.razor.cloudmark.com 2703
> Trying 208.83.137.205...
> telnet: connect to address 208.83.137.205: Connection timed out
> Trying 208.83.137.117...
> telnet: connect to address 208.83.137.117: Connection timed out
>
> Should I be able to telnet to discovery.razor.cloudmark.com on port
> 2703? If my system is blocking that port for some reason, can other
> ports be used and where is that configured? I don't know how successful
> I would be at getting my server to unblock that port.

It would seem you probably have a firewall in the way. As far as I know,
no, you can't use other ports, the servers only run on 2703.

--
Randomly Selected Tagline:
"Oh My God! They Killed init! You Bastards!" - Unknown

attachment0 (196 bytes) Download Attachment

Re: Setting up razor

2008-09-06T09:23:19Z

Ron Smith wrote:
> I think razor is not free anymore.
>
> Ron Smith
> postmaster@...
>
> "Having an email problem is painful, but character-building."
>
>
>
Unless there is something newer than this, I believe Razor is free.
http://sourceforge.net/forum/forum.php?forum_id=576145

--
Get my PGP Public key here:
http://pelorus.org/skip@...

Re: Setting up razor

2008-09-06T08:54:12Z

I think razor is not free anymore.

Ron Smith
postmaster@...

"Having an email problem is painful, but character-building."

On Sep 6, 2008, at 11:32 AM, Skip wrote:

> Sep 06 09:25:48.685019 admin[5746]: [ 5] Razor Discovery Server
> discovery.razor.cloudmark.com is unreachable
> Sep 06 09:25:48.685019 admin[5746]: [ 1] razor-admin error:
> nextserver: Bootstrap discovery failed. Giving up.

Setting up razor

2008-09-06T08:32:54Z

Any idea what is wrong here? I am trying to set up razor on my system.
It is a shared system where I do not have root access.

peloruso@... [~]# razor-admin -d -create
Razor-Log: Computed razorhome from env: /home/peloruso/.razor
Razor-Log: Found razorhome: /home/peloruso/.razor
Razor-Log: read_file: 15 items read from
/home/peloruso/.razor/razor-agent.conf
Razor-Log: -create will force complete discovery
Sep 06 09:25:28.578010 admin[5746]: [ 2] [bootup] Logging initiated
LogDebugLevel=9 to stdout
Sep 06 09:25:28.578010 admin[5746]: [ 6] Not creating razorhome
/home/peloruso/.razor, already exists
Sep 06 09:25:28.578010 admin[5746]: [ 5] read_file: 15 items read from
/home/peloruso/.razor/razor-agent.conf
Sep 06 09:25:28.579010 admin[5746]: [ 5] wrote 15 HASH items to file:
/home/peloruso/.razor/razor-agent.conf
Sep 06 09:25:28.579010 admin[5746]: [ 5] computed
razorhome=/home/peloruso/.razor,
conf=/home/peloruso/.razor/razor-agent.conf,
ident=/home/peloruso/.razor/identity
Sep 06 09:25:28.579010 admin[5746]: [ 2] Razor-Agents v2.84 starting
razor-admin -d -create
Sep 06 09:25:28.579010 admin[5746]: [ 5] Can't read file
/home/peloruso/.razor/servers.discovery.lst: No such file or directory
Sep 06 09:25:28.579010 admin[5746]: [ 5] Can't read file
/home/peloruso/.razor/servers.nomination.lst: No such file or directory
Sep 06 09:25:28.579010 admin[5746]: [ 5] Can't read file
/home/peloruso/.razor/servers.catalogue.lst: No such file or directory
Sep 06 09:25:28.579010 admin[5746]: [ 5] no listfile:
/home/peloruso/.razor/servers.nomination.lst
Sep 06 09:25:28.579010 admin[5746]: [ 6] no discovery listfile:
/home/peloruso/.razor/servers.discovery.lst
Sep 06 09:25:28.579010 admin[5746]: [ 8] Checking with Razor Discovery
Server discovery.razor.cloudmark.com
Sep 06 09:25:28.579010 admin[5746]: [ 6] No port specified, using 2703
Sep 06 09:25:28.579010 admin[5746]: [ 5] Connecting to
discovery.razor.cloudmark.com ...
Sep 06 09:25:48.685019 admin[5746]: [ 3] Unable to connect to
discovery.razor.cloudmark.com:2703; Reason: Operation now in progress.
Sep 06 09:25:48.685019 admin[5746]: [ 5] Razor Discovery Server
discovery.razor.cloudmark.com is unreachable
Sep 06 09:25:48.685019 admin[5746]: [ 1] razor-admin error: nextserver:
Bootstrap discovery failed. Giving up.
nextserver: Bootstrap discovery failed. Giving up.

peloruso@... [~]# razor-admin -d -discover
Razor-Log: Computed razorhome from env: /home/peloruso/.razor
Razor-Log: Found razorhome: /home/peloruso/.razor
Razor-Log: read_file: 15 items read from
/home/peloruso/.razor/razor-agent.conf
Razor-Log: -discover will force complete discovery
Sep 06 09:25:55.432686 admin[6212]: [ 2] [bootup] Logging initiated
LogDebugLevel=9 to stdout
Sep 06 09:25:55.432686 admin[6212]: [ 5] computed
razorhome=/home/peloruso/.razor,
conf=/home/peloruso/.razor/razor-agent.conf,
ident=/home/peloruso/.razor/identity
Sep 06 09:25:55.432686 admin[6212]: [ 2] Razor-Agents v2.84 starting
razor-admin -d -discover
Sep 06 09:25:55.432686 admin[6212]: [ 5] Can't read file
/home/peloruso/.razor/servers.discovery.lst: No such file or directory
Sep 06 09:25:55.432686 admin[6212]: [ 5] Can't read file
/home/peloruso/.razor/servers.nomination.lst: No such file or directory
Sep 06 09:25:55.432686 admin[6212]: [ 5] Can't read file
/home/peloruso/.razor/servers.catalogue.lst: No such file or directory
Sep 06 09:25:55.433686 admin[6212]: [ 5] no listfile:
/home/peloruso/.razor/servers.nomination.lst
Sep 06 09:25:55.433686 admin[6212]: [ 6] no discovery listfile:
/home/peloruso/.razor/servers.discovery.lst
Sep 06 09:25:55.433686 admin[6212]: [ 8] Checking with Razor Discovery
Server discovery.razor.cloudmark.com
Sep 06 09:25:55.433686 admin[6212]: [ 6] No port specified, using 2703
Sep 06 09:25:55.433686 admin[6212]: [ 5] Connecting to
discovery.razor.cloudmark.com ...
Sep 06 09:26:15.434701 admin[6212]: [ 3] Unable to connect to
discovery.razor.cloudmark.com:2703; Reason: Operation now in progress.
Sep 06 09:26:15.434701 admin[6212]: [ 5] Razor Discovery Server
discovery.razor.cloudmark.com is unreachable
Sep 06 09:26:15.434701 admin[6212]: [ 1] razor-admin error: nextserver:
Bootstrap discovery failed. Giving up.
nextserver: Bootstrap discovery failed. Giving up.

peloruso@... [~]# ls .razor
./ ../ razor-agent.conf

peloruso@... [~]# cat .razor/razor-agent.conf
#
# Razor2 config file
#
# Autogenerated by Razor-Agents v2.84
# Sat Sep 6 09:25:28 2008
# Non-default values taken from /home/peloruso/.razor/razor-agent.conf
#
# see razor-agent.conf(5) man page
#

debuglevel = 9
identity = identity
ignorelist = 0
listfile_catalogue = servers.catalogue.lst
listfile_discovery = servers.discovery.lst
listfile_nomination = servers.nomination.lst
logfile = razor-agent.log
logic_method = 4
min_cf = ac
razordiscovery = discovery.razor.cloudmark.com
rediscovery_wait = 172800
report_headers = 1
turn_off_discovery = 0
use_engines = 4,8
whitelist = razor-whitelist

peloruso@... [~]# telnet discovery.razor.cloudmark.com 2703
Trying 208.83.137.205...
telnet: connect to address 208.83.137.205: Connection timed out
Trying 208.83.137.117...
telnet: connect to address 208.83.137.117: Connection timed out

Should I be able to telnet to discovery.razor.cloudmark.com on port
2703? If my system is blocking that port for some reason, can other
ports be used and where is that configured? I don't know how successful
I would be at getting my server to unblock that port.

Skip

--
Get my PGP Public key here:
http://pelorus.org/skip@...

Re: senderbase rating - how to appeal?

2008-09-05T20:48:49Z

On Fri, Sep 5, 2008 at 5:45 PM, Greg Troxel <gdt@...> wrote:

>
> "Michele Neylon :: Blacknight" <michele@...> writes:
>
>> Does anyone know how you can appeal or query a senderbase rating?
>
> I resisted answering at first, because I'm perhaps a bit too cynical:
>
> The way to appeal is to file a bug with spamassassin saying that
> senderbase is bogus and ask that any senderbase rules in SA be
> dropped.
>
> I don't know that spamassassin pays attention to senderbase; if not this
> probablly won't work. I say this, mostly joking, from my experience
> with habeas. I have gotten spam on multiple occasions from senders that
> are HABEAS_ACCREDITED_SOI, and complained to habeas - with absolutely
> zero useful response. I filed a bug:
>
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5902
>
> and soon heard from habeas, who claimed that they revoked the listing of
> that sender.
>
> I then got more spam from a different habeas-accredited spammer, and
> complained privately to complaints@..., and heard nothing back.
>
> So the only rational conclusion seems to be that habeas accreditation is
> bogus, and they only respond to public pressure. Perhaps that's not
> true and I've been unlucky, but that's how it feels from my end.
>

After seeing similar spam from "accredited" senders, we disabled any
score from the habeas rules long ago and have yet to notice any
increase in FP (we have ~5000 fairly sensitive users who definitely
let us know when things don't work as they want them to). I've know
of other sites that have disabled the habeas rules/score as well with
similar results. IMHO, they are not worth scoring on since they
obviously do accredit sites that send UCE. Does anyone see any
benefit from using habeus? Does it outweigh the spam that gets
through because of them?

Re: 1000 times easier to just do sa-update --nogpg

2008-09-05T16:44:26Z

SM wrote:
> There is a reason the updates are signed. You can either try and figure
> out the right way or you can wait for someone to compromise one of the
> endpoints to deliver illegitimate updates.

Pardon me for putting words in someone's mouth, but I got the impression
that the original poster's point was not to advocate disabling signature
checking, but to suggest that the error message should be more useful.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: 1000 times easier to just do sa-update --nogpg

2008-09-05T15:40:05Z

At 14:10 05-09-2008, jidanni@... wrote:
>You know, it is a 1000 times easier to just do
>$ sa-update --nogpg

As it's 1000 times easier to disable the firewall to solve user issues.

>than to try to figure our the right way from the messages that
>surround "channel: GPG validation failed, channel failed", or the

There is a reason the updates are signed. You can either try and
figure out the right way or you can wait for someone to compromise
one of the endpoints to deliver illegitimate updates.

Regards,
-sm

Re: senderbase rating - how to appeal?

2008-09-05T14:45:48Z

"Michele Neylon :: Blacknight" <michele@...> writes:

> Does anyone know how you can appeal or query a senderbase rating?

I resisted answering at first, because I'm perhaps a bit too cynical:

The way to appeal is to file a bug with spamassassin saying that
senderbase is bogus and ask that any senderbase rules in SA be
dropped.

I don't know that spamassassin pays attention to senderbase; if not this
probablly won't work. I say this, mostly joking, from my experience
with habeas. I have gotten spam on multiple occasions from senders that
are HABEAS_ACCREDITED_SOI, and complained to habeas - with absolutely
zero useful response. I filed a bug:

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5902

and soon heard from habeas, who claimed that they revoked the listing of
that sender.

I then got more spam from a different habeas-accredited spammer, and
complained privately to complaints@..., and heard nothing back.

So the only rational conclusion seems to be that habeas accreditation is
bogus, and they only respond to public pressure. Perhaps that's not
true and I've been unlucky, but that's how it feels from my end.

Here's my previously private complaint. I predict that perhaps now it
will be paid attention to.

(If anyone thinks streamsend are other than spammers, please email me
privately and let me know)

Return-Path: <gdt@...>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on fnord.ir.bbn.com
X-Spam-Level: *
X-Spam-Status: Yes, score=1.7 required=1.0 tests=BAYES_50,HASHCASH_20,
HTML_IMAGE_ONLY_24,HTML_IMAGE_RATIO_02,HTML_MESSAGE,NO_RELAYS,
PRICES_ARE_AFFORDABLE,URIBL_GREY autolearn=no version=3.2.5
X-Spam-Report:
* -0.5 HASHCASH_20 Contains valid Hashcash token (20 bits)
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
* 0.0 PRICES_ARE_AFFORDABLE BODY: Message says that prices aren't too
* expensive
* 0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
* 1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5008]
* 0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
* [URIs: streamsend.com]
X-Original-To: gdt@...
Delivered-To: gdt@...
Received: by fnord.ir.bbn.com (Postfix, from userid 10853)
id 79F8152A5; Sun, 29 Jun 2008 07:58:52 -0400 (EDT)
X-Hashcash: 1:20:080629:complaints@...::nCSVyDXiQZdSlr1V:00000000000000000000000000000000000000001jsn
X-Hashcash: 1:20:080629:gdt@...::QLD2PaPUAPhTusXX:00007z3
From: Greg Troxel <gdt@...>
To: complaints@...
Cc: Greg Troxel <gdt@...>
Subject: [Italian Pages] Uncover more of Italy for less than you would expect
Date: Sun, 29 Jun 2008 07:58:52 -0400
Message-ID: <rmiy74omozn.fsf@...>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.1 (berkeley-unix)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=

I received the following spam which SA tagged as HABEAS_ACCREDITED_SOI.
Please investigate and de-accredit streamsend.

--=-=-=
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <streamsendbouncer@...>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on fnord.ir.bbn.com
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.3 required=1.0 tests=AWL,BAYES_99,
HABEAS_ACCREDITED_SOI,HTML_IMAGE_ONLY_24,HTML_IMAGE_RATIO_02,HTML_MESSAGE,
PRICES_ARE_AFFORDABLE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
RAZOR2_CHECK,URIBL_GREY autolearn=no version=3.2.5
X-Spam-Report:
* -4.3 HABEAS_ACCREDITED_SOI RBL: Habeas Accredited Opt-In or Better
* [72.19.240.167 listed in sa-accredit.habeas.com]
* 0.2 URIBL_GREY Contains an URL listed in the URIBL greylist
* [URIs: streamsend.com]
* 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 0.0 PRICES_ARE_AFFORDABLE BODY: Message says that prices aren't too
* expensive
* 0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
* 1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
* above 50%
* [cf: 76]
* 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
* [cf: 76]
* 0.4 AWL AWL: From: address is in the auto white-list
X-Original-To: gdt@...
Delivered-To: gdt@...
Received: from mailengine.streamsend.com (mailengine.streamsend.com [72.19.240.167])
by fnord.ir.bbn.com (Postfix) with ESMTP id 35EBB52A0
for <gdt@...>; Sun, 29 Jun 2008 04:27:20 -0400 (EDT)
Received: by mailengine.streamsend.com (PowerMTA(TM) v3.2r22) id hct3mg0cg8k5 for <gdt@...>; Sun, 29 Jun 2008 00:56:43 -0700 (envelope-from <streamsendbouncer@...>)
X-Mailer: StreamSend2 - 80871
X-Mailer-Version: 2.0
X-Mailer-Environment: production
X-Report-Abuse-At: abuse@...
X-Report-Abuse-Info: It is important to please include full email headers in the report
X-Campaign-ID: 868031
X-Streamsend2id: 80871++161801+868031+mailengine.streamsend.com
Date: Sun, 29 Jun 2008 00:56:43 -0700
From: "Italian Pages" <info@...>
To: gdt@...
Subject: Uncover more of Italy for less than you would expect
Message-Id: <20080629082720.35EBB52A0@...>
X-Greylist: Delayed for 00:30:04 by milter-greylist-4.0 (fnord.ir.bbn.com [0.0.0.0]); Sun, 29 Jun 2008 04:27:20 -0400 (EDT)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="===-=-="

--===-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Uncover more of Italy for less than you would expect

Finding just the right accommodation in just the right area is priceless. O=
ur wide range of properties includes luxury villas, charming farmhouses, co=
astal retreats and city apartments, mainly in Tuscany, but we also cover th=
e regions of Umbria, Le Marche and the Amalfi Coast.

Because we are Italian specialists we can offer the most authentic places t=
o stay at affordable prices=E2=80=A6 and we still have some availability fo=
r this summer.

Why not visit our website to discover more, then just contact us at: info@i=
talianpages.co.uk or by telephone on +44 (0) 207 873 2111.

~ The Italian Pages ~

Quality Italian Holiday Rentals for Less

www.italianpages.co.uk=20

Italian Pages is a partner company of The Villa Book.
If you do not wish to receive any further mailings, please click here to un=
subscribe http://app.streamsend.com/private/FMSM/Uas4IJE/unsubscribe/868031.

26 York Street, London, W1U 6PZ
Tel: +44 (0) 207 873 2111

--===-=-=
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Uncover more of Italy for less than you would expect</title>
<style type="text/css">

</style>
</head>

<body>
<table width="520" border="0" align="center">
<tr>
<td class>If you cannot view this email correctly, please follow this
link <a
href="http://app.streamsend.com/c/868031/29/Uas4IJE/FMSM?redirect_to=http%3A%2F%2Fwww.italianpages.co.uk%2Femail_0608"
target="_blank">http://www.italianpages.co.uk/email_0608</a><br />
<br />
</td>
</tr>
<tr>
<td><img src="http://www.italianpages.co.uk/email%5F0608/itp_1.gif"
alt="Uncover more of Italy for less than you would expect." width="520"
height="141" /><br />
<img src="http://www.italianpages.co.uk/email%5F0608/itp_2.gif"
width="520" height="209" /><br />
<a
href="http://app.streamsend.com/c/868031/31/Uas4IJE/FMSM?redirect_to=http%3A%2F%2Fwww.italianpages.co.uk"><img
src="http://www.italianpages.co.uk/email%5F0608/itp_3.gif" alt="~ The
Italian Pages ~" width="520" height="70" border="0" /></a><br />
<img src="http://www.italianpages.co.uk/email%5F0608/itp_4.gif"
width="520" height="180"/><br /> </td>
</tr>
<tr>
<td>
<br />
<br />
Italian Pages is a partner company of The Villa Book.<br />
If you do not wish to receive any further mailings, <a
href="http://app.streamsend.com/private/FMSM/Uas4IJE/unsubscribe/868031">please
click here to unsubscribe</a>.<br />
<br />
<a
href="http://app.streamsend.com/private/FMSM/Uas4IJE/forward/868031">Forward
to a friend</a><br />
<br />
26 York Street, London, W1U 6PZ<br />Tel: +44 (0) 207 873
2111</div>
</div></td>
</tr>
</table>
<img src="http://app.streamsend.com/v/868031/Uas4IJE/FMSM"/>
</body>
</html>
--===-=-=--

--=-=-=--

attachment0 (199 bytes) Download Attachment

Re: OT: Ongoing phishing mail flood

2008-09-05T14:33:54Z

We are currently receiving lots of password phishing mails with
envelope sender and From: header
loudonarc@... and Reply-To:
webITService@....

The connecting mail servers
que41.charter.net[209.225.8.24]
que51.charter.net[209.225.8.25]

do apparently *not* stop re-connecting after receiving REJECT (554)
errors, but keep coming back with the same sender-recipient pairs.

That's interesting. I am seeing mailgw1.lmco.com sending repeated mails
From <> to 551foo@..., where foo@... is valid but the 551 is
spurious (yes, that's a username with a number prepended). I am sending
554 each time. period is 1h20m to 1h30m or so.

attachment0 (199 bytes) Download Attachment

Re: 1000 times easier to just do sa-update --nogpg

2008-09-05T14:32:01Z

jidanni@... wrote:

> You know, it is a 1000 times easier to just do
> $ sa-update --nogpg
> than to try to figure our the right way from the messages that
> surround "channel: GPG validation failed, channel failed", or the
> sa-update man page, or writing this group and asking what to do. So
> there, the result is gpg is defeated.
>
> The cure is to have the error message to say
> "Do sa-update --import bbblllaaa", with the exact name it wants.
>
> I challenge you to figure it out just from the failure message to
> sa-update -D. One ends up lost reading
> http://www.gnupg.org/faq/subkey-cross-certify.html.
>
> It is 1000 times easier to just do
> $ sa-update --nogpg.

curl -o sa.gpg http://spamassassin.apache.org/updates/GPG.KEY
echo "24F434CE" >> gpg.keys
sa-update --import sa.gpg
echo "updates.spamassassin.org" >> channel.list

curl -o jm.gpg http://yerp.org/rules/GPG.KEY
echo "6C6191E3" >> gpg.keys
sa-update --import jm.gpg
echo "sought.rules.yerp.org" >> channel.list

curl -o sare.gpg http://daryl.dostech.ca/sa-update/sare/GPG.KEY
echo "856AA88A" >> gpg.keys
sa-update --import sare.gpg
#echo "...." >> channel.list

sa-update --gpgkeyfile gpg.keys --channelfile channel.list

I see no gpg failure...

Re: 1000 times easier to just do sa-update --nogpg

2008-09-05T14:22:13Z

On Sat, 6 Sep 2008, jidanni@... wrote:

I don't have any issues using GPG. Instructions have ALWAYS been clear and
when followed to the letter, have no issues.

-d

1000 times easier to just do sa-update --nogpg

2008-09-05T14:10:54Z

You know, it is a 1000 times easier to just do
$ sa-update --nogpg
than to try to figure our the right way from the messages that
surround "channel: GPG validation failed, channel failed", or the
sa-update man page, or writing this group and asking what to do. So
there, the result is gpg is defeated.

The cure is to have the error message to say
"Do sa-update --import bbblllaaa", with the exact name it wants.

I challenge you to figure it out just from the failure message to
sa-update -D. One ends up lost reading
http://www.gnupg.org/faq/subkey-cross-certify.html.

It is 1000 times easier to just do
$ sa-update --nogpg.

Re: senderbase rating - how to appeal?

2008-09-05T12:06:58Z

Hi Michele,
At 03:27 05-09-2008, Michele Neylon :: Blacknight wrote:
>Our main issue wasn't with the listing but with the total lack of
>appeals procedure or delisting, as several large corporates seem to
>trust Senderbase and block based on its score

The "industry's most accurate reputation system" cannot be wrong.
:-) Most people trust DNSBLs because it's the magical solution to
their problems.

A reputation system does not work as a DNSBL and won't have a
delisting procedure. As for appeals, you'll have to convince them
that their data is not accurate. See whether you can get a
resolution through SpamCop.

Regards,
-sm

RE: OT: Ongoing phishing mail flood

2008-09-05T11:18:14Z

>
> Yup. That's why I send a 250 - SPAM - discarded. That way, the
> spammers think they have delivered the mail, and go on to the next
> victim....
> --
> Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
> Austin Energy

Dan

Using which server software?

Are you /dev/null or reject while sending an accept message?

- rh

Re: OT: Ongoing phishing mail flood

2008-09-05T10:18:20Z

On Fri, 2008-09-05 at 18:56 +0200, Wolfgang Zeikat wrote:

> We are currently receiving lots of password phishing mails with envelope
> sender and From: header
> loudonarc@... and Reply-To:
> webITService@....
>
> The connecting mail servers
> que41.charter.net[209.225.8.24]
> que51.charter.net[209.225.8.25]
>
> do apparently *not* stop re-connecting after receiving REJECT (554)
> errors, but keep coming back with the same sender-recipient pairs.
>

Yup. That's why I send a 250 - SPAM - discarded. That way, the
spammers think they have delivered the mail, and go on to the next
victim....

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com

signature.asc (204 bytes) Download Attachment

OT: Ongoing phishing mail flood

2008-09-05T09:56:43Z

Re: How can I see all rules applied?

2008-09-05T06:58:48Z

patrickbaer wrote:

> Dear Lord, I am going nuts! I promised my colleagues a new filter three days
> ago. Now they are drowning in spam and I have no idea about what's going on!
>
> I have this test-machine with a fresh installation of postfix, spamassassin
> and amavisd and it works like a charme. I have a catch rate of no less than
> 99.6% on this machine and not a single false negative!
>
> Now on the crappy live box, absolutely NOTHING works as it should. I just
> tried, in my despair, to apply a custom rule, but no way it will accept
> them! Added it to local.cf, no work. Added a new file to
> /var/lib/spamassassin.../20_test.cf, no work. Spamassassin parses the rule,
> yes, but it doesn't apply the score!
>
> Pleeeeeeeeease, what the hell is going on there and how can I find out how
> to solve it? I have no idea where to go from here any more...
>

the first thing is to clam down. then try to explain in a way that _we_
understand what problem you have. saying "nothing works" is meaningless.

if a spam message is missed, then save it to a file. Please save an
unalatered message (if your mailer or an internal exchange modifies the
message, it is useless). then post a copy somewhere so that we can test
it on our systems (try pastebin, or use your own web server). also run
'spamassassin -t < message.file' on both servers (please use the same
message file) and see the results. once again, use an unmodified message
(it's ok if few headers are added by amavisd-new or your MTA/MDA after
filtering).

if AWL is causing you problems, disable it and _restart_ amavisd-new.

when you train SA, make sure you train it as the same user that
amavisd-new uses. if using mysql for Bayes, force a single user:
bayes_sql_override_username spamassassin
(do this in your local.cf).

when you modify a rule, a .cf or a .pre file, you need to reload
amavisd-new. if you use sa-compile, run it before reloading amavisd-new
or testing.

Re: How can I see all rules applied?

2008-09-05T06:56:35Z

McDonald, Dan wrote:

On Fri, 2008-09-05 at 06:18 -0700, patrickbaer wrote:

> Now on the crappy live box, absolutely NOTHING works as it should. I just
> tried, in my despair, to apply a custom rule, but no way it will accept
> them! Added it to local.cf, no work. Added a new file to
> /var/lib/spamassassin.../20_test.cf, no work. Spamassassin parses the rule,
> yes, but it doesn't apply the score!

>Did you run sa-compile? then you will need to run sa-compile each time
>you change a body rule.

I just tried, just to make sure. But it failed with an error with e2c (?)

>Are you re-starting amavisd when you make the changes? Amavisd-new
>daemonizes the spamassassin libraries. Only when it is restarted will
>it load any new rules.

Yes, but it also fails when I sent the email from the command line (see above)

And finally, have you checked that the amavisd user is able to read the
files you are modifying?

Of course :)

As I am now pi.... for various reasons, I'll put my desktop machine (the testbox) in the DMZ and enable it in the other mailserver, then report back.

I'll just add it to the current config: localhost:25 => localhost:10024 => external:10024 => localhost:10025

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com