Nabble - SpamAssassin - Users

Re: Need help running SA in a (comparative) anti-spam test

2009-11-28T15:50:53Z

Alex wrote:
> Hi,
>
>>> - I'm happy to add any extensions as long as these are also free and
>>> open source -- note that our 'target audience' includes big ISPs and
>>> unfortunately for them things as Spamhaus's RBL aren't free;
>
> Do the commercial vendors get to use publically-available DNSBLs like
> zen?

It's not the commercial vendors who are using these DNSBLs it's
the customers of their products who are the users.

> If so, and since they use them for commercial purposes, do they
> license its use in cases such as for this bake-off?
>

The licensing isn't their problem. A commercial vendor can put
in a hook to it's product to use Zen but that doesn't make that
vendor liable if a user of it's product uses Zen against some
sort of restriction by Zen against commercial use.

Ted

> How does zen compare with the commercial DNSBLs that the commercial
> vendors have themselves and we don't have access to?
>
> Thanks,
> Alex

Re: Unhindered Pharma Spam

2009-11-28T14:38:32Z

On Sat, 2009-11-28 at 09:48 +0000, Arthur Dent wrote:

> Hello all,
>
> I have had a couple of these sail into my my inbox untouched by SA with
> the exception of RDNS_NONE and Bayes. Score of -0.1!
>
> http://pastebin.com/m478c33ce
>
> Even after learning they still only score 3.6
>
> Anything I can do?
>

Well actually it seems that Sanesecurity is catching these now...

Subject: [Malware] Hi ArthurDent... We Want To Inform You about ...
X-virus-status: Yes
X-virus-report: Sanesecurity.Junk.24458.UNOFFICIAL FOUND
X-virus-checker-version: clamassassin 1.2.4 with clamdscan / ClamAV 0.95.3/10091/Sat Nov 28 13:57:24 2009

signature.asc (204 bytes) Download Attachment

Re: Need help running SA in a (comparative) anti-spam test

2009-11-28T05:29:19Z

Martijn Grooten wrote:

All,

a few months back, there was a discussion on this list about the
VBSpam comparative anti-spam tests[1], in which SpamAssassin performed
significantly worse than many commercial products. Now I run these
tests and I believe something was the matter with (the installation
of) SA that made it perform so badly. For understandable reasons, none
of the developers had time to help me set it up well for our test, so
we decided to withdraw it for the time being.

I am the official ports maintainer for the freebsd SA port, and I find that a default out of the box SA install (after its first 'sa-update') keeps about an 86% accuracy rate.
(assuming a reasonable MTA setup that blocks DHA's, emails to unknown users, and counts the DHA's as email for 'total email' part of the accuracy tests)

I say make sure you leave sa in its default configuration, and make sure SUSE isn't changeing the defaults.
grab local.cf and the *.pre's from the SA distribution files instead of anything SUSE does (I know that the freebsd port does modify a couple of the defaults, mostly decisions on razor i think)

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> | SECNAP Network Security Corporation

Certified SNORT Integrator
2008-9 Hot Company Award Winner, World Executive Alliance
Five-Star Partner Program 2009, VARBusiness
Best Anti-Spam Product 2008, Network Products Guide
King of Spam Filters, SC Magazine 2008

This email has been scanned and certified safe by SpammerTrap®.
For Information please see www.spammertrap.com

Re: Unhindered Pharma Spam

2009-11-28T02:12:52Z

On Sat, 2009-11-28 at 09:48 +0000, Arthur Dent wrote:

I got '5' for it, at a push...

X-Spam-Level: *****
X-Spam-Status: Yes, score=5.1 required=5.0
tests=RDNS_NONE,RELAYCOUNTRY_FR
X-Spam-RBL-Results:
<dns:140.123.254.62.dnsbl.sorbs.net> [127.0.0.10]
<dns:server.opencompositing.org> [195.114.19.35]
X-Spam-Relay: GB ** GB ** FR
X-Spam-Report:
* 5.0 RELAYCOUNTRY_FR Relayed through France
* 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS

Unhindered Pharma Spam

2009-11-28T01:48:42Z

Hello all,

I have had a couple of these sail into my my inbox untouched by SA with
the exception of RDNS_NONE and Bayes. Score of -0.1!

http://pastebin.com/m478c33ce

Even after learning they still only score 3.6

Anything I can do?

signature.asc (204 bytes) Download Attachment

Re: Undisclosed recipients :; -- again

2009-11-27T23:33:12Z

John Hardin wrote:

> On Fri, 27 Nov 2009, Philip A. Prindeville wrote:
>
>> header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/
>>
>> Just how do I go about figuring out what the "To:raw" value is (for
>> example)?
>
> header __TO_RAW To:raw =~ /.+/
>
> If you're analyzing something that may have multiple occurrences,
> you'll need a tflags multiple:
>
> body __ALL_BODY /.+/
> tflags __ALL_BODY multiple
>

Interesting, thanks:

[31209] dbg: rules: ran header rule __TO_RAW ======> got hit: " undisclosed recipients: ;_"

wondering why it contains the leading space, and what the trailing
underscore is for...

On a side node, I never figured out why I see:

[31209] warn: plugin: failed to parse plugin (from @INC): syntax error at (eval 43) line 1, near "require Mail::SpamAssassin:"

This seems to be a known issue. What's the fix?

Re: Undisclosed recipients :; -- again

2009-11-27T15:43:59Z

On Fri, 27 Nov 2009, Philip A. Prindeville wrote:

> header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/
>
> Just how do I go about figuring out what the "To:raw" value is (for example)?

header __TO_RAW To:raw =~ /.+/

If you're analyzing something that may have multiple occurrences, you'll
need a tflags multiple:

body __ALL_BODY /.+/
tflags __ALL_BODY multiple

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@... FALaholic #11174 pgpk -a jhardin@...
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
28 days until Christmas

Re: Need help running SA in a (comparative) anti-spam test

2009-11-27T14:47:50Z

Hi,

>> - I'm happy to add any extensions as long as these are also free and
>> open source -- note that our 'target audience' includes big ISPs and
>> unfortunately for them things as Spamhaus's RBL aren't free;

Do the commercial vendors get to use publically-available DNSBLs like
zen? If so, and since they use them for commercial purposes, do they
license its use in cases such as for this bake-off?

How does zen compare with the commercial DNSBLs that the commercial
vendors have themselves and we don't have access to?

Thanks,
Alex

Re: Undisclosed recipients :; -- again

2009-11-27T14:04:23Z

John Hardin wrote:

> On Mon, 23 Nov 2009, LuKreme wrote:
>
>> On Nov 23, 2009, at 12:05, Philip Prindeville
>> <philipp_subx@...> wrote:
>>
>>> I want to block all messages that I'm getting that have:
>>>
>>> To: undisclosed recipients: ;
>>
>> undisclosed recipients is used for Bcc: mail
>>
>> I used it all the time. And you WILL 'block' legitimate mail.
>
> Granted, but in metas such a test can be useful:
>
> http://ruleqa.spamassassin.org/?rule=%2FTO_NO&srcpath=jhardin
>

Speaking of tests, I saved out some messages that should have matched my
rule but didn't into files, and ran them against spamassassin as:

spamassassin -D < /tmp/emails/XXX.eml

and I saw:

[28655] dbg: rules: ran header rule __L_UNDISCLOSED2 ======> got hit: "negative match"

for the ruleset:

header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/
header __L_UNDISCLOSED2 Cc =~ /^$/
meta L_UNDISCLOSED (__L_UNDISCLOSED1 && __L_UNDISCLOSED2)
describe L_UNDISCLOSED To: list is meaningless and no Cc:
score L_UNDISCLOSED 10.0

but didn't see __L_UNDISCLOSED1 match. Also, what does "negative match"
mean? That it didn't match?

Lots of other rules (like __L_UNDISCLOSED1) didn't match, but I didn't
see debug for those...

Just how do I go about figuring out what the "To:raw" value is (for
example)?

Thanks,

-Philip

Re: Need help running SA in a (comparative) anti-spam test

2009-11-27T13:21:25Z

Martijn Grooten wrote:

> - I'm happy to add any extensions as long as these are also free and
> open source -- note that our 'target audience' includes big ISPs and
> unfortunately for them things as Spamhaus's RBL aren't free;

I'm not in any way trying to jump on what you're trying to do as I
firmly believe SpamAssassin can be every bit as effective, if not more
so, than any commercial product in fighting spam.

However, I would just like to raise one point - perhaps others can
comment as to the technical correctness, but I was under the impression
that the Spamhaus (and other) DNSBLs are enabled as part of the default
SpamAssassin install (and weighted scoring system), so if you disable
these tests because they are not free to larger volume users then you
are not really testing the default product, but one in which you have
disabled some of the more effective constituent parts. This IMHO would
put SpamAssassin at a considerable disadvantage.

To give an analogy you might be more familiar with, it's a bit like you
testing an antivirus product but saying we're not going to use any
signatures as these aren't free (they require a paid subscription), so
will only use heuristics and then wondering why said AV product only
catches 50% of your sample viruses :-/

Personally, I'd rather see you test SpamAssassin with DNSBLs such as
Spamhaus enabled as per a default installation, and note that such a
configuration is only free for users producing less than 100,000 queries
per day (or whatever Spamhaus' current limitations are). I assume the
other commercial products in your tests are tested in their default
configurations?

Re: Need help running SA in a (comparative) anti-spam test

2009-11-27T10:23:10Z

Martijn,

I may be missing something here but I went to your website and
you use the terms "malware" and "spam" interchangeably.

Now, it may be true that these days in the commercial realm
that the antivirus vendors are all jumping into the anti-spam market
to enhance revenue, but in reality, viruses are a subset of spam.
It may be true that most commercial "antispam" products are in
reality, "full-meal-deal" products that do both virus and spam
filtering, but SpamAssassin is not, and was never intended to be.

SA isn't going to guarantee to capture viruses, it doesn't even
try to capture viruses. It tries to identify spam - and there's a lot
more spam out there than virus-laden e-mail.

When a mail message has a virus, or has a link to a virus, it's
possible to make a black-and-white decision on that message.

But it's not possible to make a black and white decision on spam.
What's one man's spam is another man's ham.

You have to run SA in conjunction with a virus scanner - probably
the most common one people use is clamAV - for it to be any good as
a "full meal deal" solution.

Further, use of blacklists is a significant difference as well.

These commercial "full-meal-deal" products your comparing have
5 possible components that could be present in them to filter
spam (what is actually there is not known since commercial products
don't disclose source):

1) a private blacklist run by the vendor that's checked for each message
and distributed to each installation of product.
2) Access to free public blacklists that can also be used for checking.
3) A database of viruses in the product that's checked for each message.
4) some "heuristic checks on the body of the email" within the poduct.
5) Reporting back questionable, identified-as-possibly-spam-but-I
-don't know for certain- e-mails to a master server for further
analysis, or possible comparison to a known database of spam held by the
vendor

I'm not saying all commercial "full-meal-deal" products have all 5 of
these components, just that they MIGHT - and there's no way to know
unless the source is published.

The fact that SA, alone, was able to get 50% based on "heuristic
checks on the body of the email" only, compared to these commercial
products which have such a vast possible advantage is simply stunning,
when you put it in perspective.

In your test installation:

SA didn't virus scan
SA didn't use any private blacklists
SA didn't use any public blacklists
SA didn't pass questionables to a more authoritative vendor-owned
mainframe for scanning

And yet, it still got 50% of them.

I don't call that poor performance. SA had 4 of it's 5 hands tied behind
it's back in your test and still got halfway there. Untie 1 or 2 more
and make it an apples-to-apples comparison and it will be kicking those
commercial full-meal-deal product's asses around the block

Ted

Martijn Grooten wrote:

> All,
>
> a few months back, there was a discussion on this list about the
> VBSpam comparative anti-spam tests[1], in which SpamAssassin performed
> significantly worse than many commercial products. Now I run these
> tests and I believe something was the matter with (the installation
> of) SA that made it perform so badly. For understandable reasons, none
> of the developers had time to help me set it up well for our test, so
> we decided to withdraw it for the time being.
>
> I would still love to have the product back in the test. The test is
> paid-for, but free for free, open source products and we made that
> decision because we really wanted to have SA and others in the test.
> Now some people offered on this list to help me and that is why I'm
> writing this email -- Justin is happy for the community to help me. If
> there are people who are willing to help me set up SA so that it runs
> in ideal circumstances for our test, could they reply to me
> off-list[2] at this address or, even better, at
> martijn.grooten@....
>
> A couple of things:
> - the main MTA for the test runs Qpsmtpd[3] on SUSE Linux Enterprise
> Server 11 and SA is run as a Qpsmtd-plugin;
> - from what is seems, all that SA was (and is) doing is doing some
> heuristic checks on the body of the email, which makes it catch about
> 50% of spam, with relatively many (several per cents) false positives;
> it checks every hour or so for updates, but these are rarely found;
> - I'm happy to add any extensions as long as these are also free and
> open source -- note that our 'target audience' includes big ISPs and
> unfortunately for them things as Spamhaus's RBL aren't free;
> - we don't white-list good senders (or blacklist bad ones) in any
> product, nor do we give 'feedback' to the products[4];
> - I won't include SA in the test before the developers are happy with
> it being included: I know that some of the above rules might
> disproportionally disadvantage SA, so I would understand if they were
> to decide they wouldn't want it to be included. It is not in our
> intention to make SA look bad!
>
> Thanks.
>
> Martijn.
>
> [1] http://www.virusbtn.com/vbspam
> [2] but, because I hate people who post once and ask to be contacted
> off-list, I will keep checking the list too!
> [3] http://smtpd.develooper.com/
> [4] we do give generic feedback to developers though: e.g. hey, you
> blocked a lot of newsletters, or you missed a lot of spam in Japanese.
> In the end of the day, the goal of our test is to make products
> better.

Re: which free RBL do you use?

2009-11-27T09:23:04Z

On Friday, November 27, 2009, 11:08:23 AM, Allen Chen wrote:

AC> Thanks for all the replies. yes, RBL, I mean DNSBL. Also I heard
AC> that configuring DNSBL in sendmail is better than in
AC> spammassassin. because this can release some loads on
AC> spamassassin. Am I right?

For some DNSBLs, yes. For others, you want to allow SpamAssassin to
score them.

As long as you are bypassing DNSBL checks for authenticated clients,
you can safely block everything at SMTP session level with ZEN. In
turn, I disable the Spamhaus ZEN checks in SA, as there's no point
in querying ZEN twice when everything that shows up there is bloked
before it gets to SA.

AC> Next, I'm going to upgrade spamassassin to 3.2.5 and try to
AC> configure sendmail to check DNSBL. I will try bl.spamcop.net
AC> first in sendmail. Your inputs are welcome. I'm looking for some
AC> free DNSBLs. We are non-profit organization and don't have too
AC> much email traffic.

Your organization should be free to use the Spamhaus DNSBLs at no
charge. I personally do not block on bl.spamcop.net, but it does add
a score of 2.0 in SA.

--
Best regards,
Robert Braver
rbraver@...

Re: which free RBL do you use?

2009-11-27T09:22:53Z

On fre 27 nov 2009 18:08:23 CET, Allen Chen wrote
> DNSBLs. We are non-profit organization and don't have too much email traffic.

install bind, check spamhaus dnsbl in sendmail, add more internal spam
tests in sendmail, dont add to much dnsbl in sendmail, and i have
found spamcop is more for spamassassin not for mta, but imho zen is
mta safe

rule of thump is dont use dns forwards, use localhost, with do hint
glue ns finding for you and spreed load over more then usely your isp
2 nameservers

as obama says, yes you can :)

--
xpoint

Re: which free RBL do you use?

2009-11-27T09:08:23Z

Robert Braver wrote:

> On Thursday, November 26, 2009, 4:12:57 PM, Allen Chen wrote:
>
> AC> I didn't touch my spamassassin server for almost one year. It's
> AC> still running and filtering spam without any problems. But I
> AC> think things are changed a lot. I'm using 3.2.4. So I am asking
> AC> which free RBLs you guys are still using.
>
> While it's not free for larger volume/commercial use, Spamhaus ZEN
> (which includes the SBL, XBL, PBL, and now CSS DNSBLs) has been
> invaluable here.
>
> I've always scored on ZEN, but recently I began moving clients to a
> newer server where I am enforcing SMTP authentication. As a result,
> I am now able to block based on PBL listings.
>
> This alone has blocked about 80% of the spam outright at the SMTP
> session level that was previously coming in and then being filtered
> by SpamAssassin as well as ClamAV.
>
>

Thanks for all the replies.
yes, RBL, I mean DNSBL. Also I heard that configuring DNSBL in sendmail is
better than in spammassassin. because this can release some loads on
spamassassin.
Am I right?
Next, I'm going to upgrade spamassassin to 3.2.5 and try to configure
sendmail to check DNSBL.
I will try bl.spamcop.net first in sendmail. Your inputs are welcome.
I'm looking for some free
DNSBLs. We are non-profit organization and don't have too much email
traffic.

Allen

Need help running SA in a (comparative) anti-spam test

2009-11-27T08:37:48Z

All,

a few months back, there was a discussion on this list about the
VBSpam comparative anti-spam tests[1], in which SpamAssassin performed
significantly worse than many commercial products. Now I run these
tests and I believe something was the matter with (the installation
of) SA that made it perform so badly. For understandable reasons, none
of the developers had time to help me set it up well for our test, so
we decided to withdraw it for the time being.

I would still love to have the product back in the test. The test is
paid-for, but free for free, open source products and we made that
decision because we really wanted to have SA and others in the test.
Now some people offered on this list to help me and that is why I'm
writing this email -- Justin is happy for the community to help me. If
there are people who are willing to help me set up SA so that it runs
in ideal circumstances for our test, could they reply to me
off-list[2] at this address or, even better, at
martijn.grooten@....

A couple of things:
- the main MTA for the test runs Qpsmtpd[3] on SUSE Linux Enterprise
Server 11 and SA is run as a Qpsmtd-plugin;
- from what is seems, all that SA was (and is) doing is doing some
heuristic checks on the body of the email, which makes it catch about
50% of spam, with relatively many (several per cents) false positives;
it checks every hour or so for updates, but these are rarely found;
- I'm happy to add any extensions as long as these are also free and
open source -- note that our 'target audience' includes big ISPs and
unfortunately for them things as Spamhaus's RBL aren't free;
- we don't white-list good senders (or blacklist bad ones) in any
product, nor do we give 'feedback' to the products[4];
- I won't include SA in the test before the developers are happy with
it being included: I know that some of the above rules might
disproportionally disadvantage SA, so I would understand if they were
to decide they wouldn't want it to be included. It is not in our
intention to make SA look bad!

Thanks.

Martijn.

[1] http://www.virusbtn.com/vbspam
[2] but, because I hate people who post once and ask to be contacted
off-list, I will keep checking the list too!
[3] http://smtpd.develooper.com/
[4] we do give generic feedback to developers though: e.g. hey, you
blocked a lot of newsletters, or you missed a lot of spam in Japanese.
In the end of the day, the goal of our test is to make products
better.

Re: which free RBL do you use?

2009-11-27T08:19:40Z

On Fri, 2009-11-27 at 17:17 +0100, Benny Pedersen wrote:
> On fre 27 nov 2009 16:47:54 CET, "richard@..." wrote
> > Matus, why are you once more sending me off list replies?
> > Again, will you *please* keep your replies *ON LIST*.
>
> priceless reply-to
>
Priceless indeed. Everybody else can manage *not* to do it - even you.

Re: which free RBL do you use?

2009-11-27T08:17:01Z

On fre 27 nov 2009 16:47:54 CET, "richard@..." wrote
> Matus, why are you once more sending me off list replies?
> Again, will you *please* keep your replies *ON LIST*.

priceless reply-to

--
xpoint

Re: which free RBL do you use?

2009-11-27T07:55:00Z

On Thursday, November 26, 2009, 4:12:57 PM, Allen Chen wrote:

AC> I didn't touch my spamassassin server for almost one year. It's
AC> still running and filtering spam without any problems. But I
AC> think things are changed a lot. I'm using 3.2.4. So I am asking
AC> which free RBLs you guys are still using.

While it's not free for larger volume/commercial use, Spamhaus ZEN
(which includes the SBL, XBL, PBL, and now CSS DNSBLs) has been
invaluable here.

I've always scored on ZEN, but recently I began moving clients to a
newer server where I am enforcing SMTP authentication. As a result,
I am now able to block based on PBL listings.

This alone has blocked about 80% of the spam outright at the SMTP
session level that was previously coming in and then being filtered
by SpamAssassin as well as ClamAV.

--
Best regards,
Robert Braver
rbraver@...

Re: which free RBL do you use?

2009-11-27T07:47:54Z

On Fri, 2009-11-27 at 14:03 +0100, Matus UHLAR - fantomas wrote:
> Why do you tell me? Tell the OP, I just have used the same
> terminology.
Matus, why are you once more sending me off list replies?

Again, will you *please* keep your replies *ON LIST*. I pointed out that
RBL is trademark just to be an anal pedant. I'm incredibility surprised
that *you* missed the opportunity given your track record if *I* were to
do it.

Re: which free RBL do you use?

2009-11-27T05:03:29Z

> > On 26.11.09 17:12, Allen Chen wrote:
> > > I didn't touch my spamassassin server for almost one year.
> > > It's still running and filtering spam without any problems.
> > > But I think things are changed a lot. I'm using 3.2.4.
> > > So I am asking which free RBLs you guys are still using.

> On Fri, 2009-11-27 at 12:27 +0100, Matus UHLAR - fantomas wrote:
> > first upgrade to 3.2.5.
> > then run sa-update.
> >
> > THEN ask about RBLs.

On 27.11.09 12:19, richard@... wrote:
> That would be DNSBL's. RBL is a registered trademark AFAIR.

Why do you tell me? Tell the OP, I just have used the same terminology.
--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.

Re: UCEPROTECT questions

2009-11-27T05:02:11Z

> >> Alex wrote:
> >> > I'm interested in people's opinion of UCEPROTECT. I'm aware of how
> >> > it works, but even UCEPROTECT1 seems to catch an awful lot of ham,
> >> > and I wondered if I was doing something wrong.
> >
> > On 26.11.09 23:09, Per Jessen wrote:
> >> Don't use UCEPROTECT for catching, only for scoring.

> Matus UHLAR - fantomas wrote:
> > well, there are some postmasters/hosts using even L2 and L3 at SMTP
> > time for rejecting.

On 27.11.09 12:56, Per Jessen wrote:

> I have no doubt there is. Doesn't change anything for uceprotect, imo.
>
> > We have ticket open where a host is rejecting your mail because IP in
> > Received: is in backscatterer.org.
>
> Yeah, I know (which ticket is this?)
>
> >
> > Some people don't know what they are doing.
>
> Too many, unfortunately.

I'm only saying that anyone publishing a RBL SHOULD know what is he doing
and that some people apparently will use it for anything therefore (s)he
should be carefull enough about publishing it.
--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.

Re: which free RBL do you use?

2009-11-27T04:19:06Z

On Fri, 2009-11-27 at 12:27 +0100, Matus UHLAR - fantomas wrote:

> On 26.11.09 17:12, Allen Chen wrote:
> > I didn't touch my spamassassin server for almost one year.
> > It's still running and filtering spam without any problems.
> > But I think things are changed a lot. I'm using 3.2.4.
> > So I am asking which free RBLs you guys are still using.
>
> first upgrade to 3.2.5.
> then run sa-update.
>
> THEN ask about RBLs.

That would be DNSBL's. RBL is a registered trademark AFAIR.

Re: UCEPROTECT questions

2009-11-27T03:56:46Z

Matus UHLAR - fantomas wrote:

>> Alex wrote:
>> > I'm interested in people's opinion of UCEPROTECT. I'm aware of how
>> > it works, but even UCEPROTECT1 seems to catch an awful lot of ham,
>> > and I wondered if I was doing something wrong.
>
> On 26.11.09 23:09, Per Jessen wrote:
>> Don't use UCEPROTECT for catching, only for scoring.
>
> well, there are some postmasters/hosts using even L2 and L3 at SMTP
> time for rejecting.

I have no doubt there is. Doesn't change anything for uceprotect, imo.

> We have ticket open where a host is rejecting your mail because IP in
> Received: is in backscatterer.org.

Yeah, I know (which ticket is this?)

>
> Some people don't know what they are doing.

Too many, unfortunately.

/Per Jessen, Zürich

Re: which free RBL do you use?

2009-11-27T03:27:48Z

On 26.11.09 17:12, Allen Chen wrote:
> I didn't touch my spamassassin server for almost one year.
> It's still running and filtering spam without any problems.
> But I think things are changed a lot. I'm using 3.2.4.
> So I am asking which free RBLs you guys are still using.

first upgrade to 3.2.5.
then run sa-update.

THEN ask about RBLs.
--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...

Re: UCEPROTECT questions

2009-11-27T03:25:22Z

> Alex wrote:
> > I'm interested in people's opinion of UCEPROTECT. I'm aware of how it
> > works, but even UCEPROTECT1 seems to catch an awful lot of ham, and I
> > wondered if I was doing something wrong.

On 26.11.09 23:09, Per Jessen wrote:
> Don't use UCEPROTECT for catching, only for scoring.

well, there are some postmasters/hosts using even L2 and L3 at SMTP time for
rejecting.
We have ticket open where a host is rejecting your mail because IP in
Received: is in backscatterer.org.

Some people don't know what they are doing.
--
Matus UHLAR - fantomas, uhlar@... ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Re: UCEPROTECT questions

2009-11-27T03:17:15Z

Mariusz Kruk wrote:

> But yes, some other RBL's have also unclear rules - I admit.
> Yet, the delisting is kinda different isn't it?

Yes, but that has not been a problem for me so far. As far as I can
tell, the automatic process also works very well.

>> - which is why I don't block with UCEPROTECT.
>
> Yep, me neither, but I had some cases of dimwitted admins setting up
> UCEPROTECT RBL so I couldn't even contact the postmaster!

Yeah, there is no shortage of poorly configured mailservers - missing
rDNS, no postmaster/abuse address, poor HELOs, even illegal
IP-addresses on the internal networks. It's a sad state of affairs.

> (the whole /14 range my server is in is listed in level-2 - that's
> ridiculous).

Now I understand your problem - I have 15 IP-addresses from that network
on my internal list generated from spamtraps. The last one only three
hours ago.

/Per Jessen, Zürich

Re: Problems sending Abuse mails to Twitter

2009-11-27T03:11:42Z

On Thu, 26 Nov 2009, Ralph Bornefeld-Ettmann wrote:

> I could find your IP (82.113.106.21) on these lists :
>
... ... ...
>
> IP of your server (62.231.42.10) I found on these lists :
>
> blocked.secnap.net 127.0.0.2
> countries.nerd.dk 127.0.0.1
> ips.backscatterer.org 127.0.0.2

Being 'suddenly rbl'ed seems also to happen if you create
(mostly unknowing) lots of backscatter. So if your server
was hit by a wave of bounces for a (faked) sender who FORWARDS
AWAY from your server to e.g. google, hotmail, web.de ...
Your server looks like a backscatter generator itself and
the big hostes block it.

We had this a few times already - (university scenario, lots
of usrs forwarding their mail 'home', i.e. freehosters)´so
some students addresses were abused as senders, backscatter
begun streaming in, forwarded to hotmail (gogle, whatever),
and they blacklisted us for 24h or even days. A while
we had an (on ~4h / off 24h -- repeat at inf)-Scenario because
during '24h-blocks the mail waited, then reenabled, then was
seen as 'flooding' - blocked again 24h ...

AND during these times we were definitely blocked from
any electronic contact to the company - and of course no
Phone Number given except 'User Support' (who does not
even know, what an MTA might be).

So dont' wonder, and may be don't forward fo a while
(asking students to NOT forward did help - implementig
one of tbe schemes to ALWAYS only send our OWN addresses
even when forwarding, would have been better, but that's
a completely different story)

Stucki

--
Christoph von Stuckrad * * |nickname |Mail <stucki@...> \
Freie Universitaet Berlin |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online| (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin * * |on IRCnet|Fax(home): +49 30 77 39 6601/

Re: UCEPROTECT questions

2009-11-27T02:04:26Z

On Fri, 2009-11-27 at 10:31 +0100, Per Jessen wrote:
> > Every respectable RBL has _clear_ rules of
> > 1. Listing
> Hmm, I'm not so sure - how about spamcop, surbl, uribl, spamhaus? Their
> rules are exactly as clear or unclear as those of uceprotect.

First of all, you have (for example on spamcop):
"The SCBL is an aggressive spam-fighting tool. By using this list, you
can block a lot of spam, but you also may block or filter wanted email.
Because of this limitation, one should strongly consider using the SCBL
as part of a scoring system and explicitly whitelist wanted email
senders (e.g., mailing lists and other IPs from which you want to
receive email)."
and
"New users of the SCBL should read the description below and all other
documentation carefully before deciding to use the SCBL"
But yes, some other RBL's have also unclear rules - I admit.
Yet, the delisting is kinda different isn't it?
Not to mention listing only single IP's, not whole ASN's!
Yes, I use RBL's that list whole networks but only those being DUL's.
And I know what I'm doing and why I'm doing this.

> > The problem is not in the fact of running RBL as such. The problem is
> > in misleading people to use this service and using it to gain
> > advantage over people forcing them to pay money.
> How do you see UCEPROTECT misleading anyone? I think they're actually
> being more open/explicit about their policies than some providers I can
> think of.

Come on. Read the main page on their website. "We are the good knights
in shining armors and they all are a bunch of liers".
Or. "For best results against spammers you will need to use all our
Levels together"
Yes, I know that braindead admins who don't know what they're doing
should get half the credit but that's how life is. And UCEPROTECT just
abuses it. IMHO

> > Oh, and BTW, http://www.uceprotect.net/en/index.php?m=2&s=0
> > See the 15th question's response. I don't know about you but for me
> > 'anonymous circle of well-known people' seems kinda oxymoronic.
> Not at all. I have a circle of friends that are well-known to me - when
> I don't tell everyone who they are, they are anonymous.

'well-known people' and 'people well-known by me' are two different
statements.

> > And another BTW. I found a mailinglist discussion about UCEPROTECT in
> > which you also took part (no, I wasn't looking for you :->)
> > http://lists.swinog.ch/public/swinog/2008-January/002432.html
> > Don't you think that manually adding someone to a blacklist (for free!
> > *evil grin*) is tampering with it without clear rules? The guy with
> > the autoresponder was surely causing some inconvenience but the proper
> > response was to notify the list owner, not to add IP to the blacklist.
> Like I said in that thread, yes, I think that is a somewhat problematic
> practice - which is why I don't block with UCEPROTECT.

Yep, me neither, but I had some cases of dimwitted admins setting up
UCEPROTECT RBL so I couldn't even contact the postmaster! (the whole /14
range my server is in is listed in level-2 - that's ridiculous).
So I advice whenever I can that people _don't_ use UCEPROTECT.

--
\------------------------/
| Kruk@... |
| http://epsilon.eu.org/ |
/------------------------\

Re: UCEPROTECT questions

2009-11-27T01:31:37Z

Mariusz Kruk wrote:

> Every respectable RBL has _clear_ rules of
> 1. Listing

Hmm, I'm not so sure - how about spamcop, surbl, uribl, spamhaus? Their
rules are exactly as clear or unclear as those of uceprotect.

http://www.uceprotect.net/en/index.php?m=3&s=3

I too _would_ like to know how the data is collected, coz' that would
enable me to increase the scores (assuming I agree with the
policy/method), but the policy as described are sufficient for me to
use the data.

> The problem is not in the fact of running RBL as such. The problem is
> in misleading people to use this service and using it to gain
> advantage over people forcing them to pay money.

How do you see UCEPROTECT misleading anyone? I think they're actually
being more open/explicit about their policies than some providers I can
think of.

> Oh, and BTW, http://www.uceprotect.net/en/index.php?m=2&s=0
> See the 15th question's response. I don't know about you but for me
> 'anonymous circle of well-known people' seems kinda oxymoronic.

Not at all. I have a circle of friends that are well-known to me - when
I don't tell everyone who they are, they are anonymous.

> And another BTW. I found a mailinglist discussion about UCEPROTECT in
> which you also took part (no, I wasn't looking for you :->)
> http://lists.swinog.ch/public/swinog/2008-January/002432.html
> Don't you think that manually adding someone to a blacklist (for free!
> *evil grin*) is tampering with it without clear rules? The guy with
> the autoresponder was surely causing some inconvenience but the proper
> response was to notify the list owner, not to add IP to the blacklist.

Like I said in that thread, yes, I think that is a somewhat problematic
practice - which is why I don't block with UCEPROTECT.

/Per Jessen, Zürich

Re: UCEPROTECT questions

2009-11-27T00:52:06Z

On Fri, 2009-11-27 at 09:12 +0100, Per Jessen wrote:
> >> >> I'm interested in people's opinion of UCEPROTECT. I'm aware of how
> >> >> it works, but even UCEPROTECT1 seems to catch an awful lot of ham,
> >> >> and I wondered if I was doing something wrong.
> >> > Yes, UCEPROTECT seems to be just a big scam.
> >> A scam?? You'll have to explain that one in a bit more detail. They
> >> provide the data free of charge.
> > Scam - something set up only to make money in not-very-fair way.
> That would seem to describe quite a few businesses I can think of :-)

I agree ;-)
Sorry, english is not my native language so I can't be more precise
without causing further confusion about the definition itself.

> [snip]
> >> As usual, it's not UCEPROTECT you should be swearing at, it's the
> >> people who use it.
> > Yes, Them too. But the whole schema of UCEPROTECT operation stinks.
> > They add people to their blacklists with no clear rules standing
> > behind it.
> This is all you get:
> http://www.uceprotect.net/en/index.php?m=3&s=0
>
> If I were to publish some of our internal data, you wouldn't get any
> clear information about how we collect it either. Such lists are a
> matter of trust and many people obviously trust UCEPROTECT.

In other words - you don't need to know, you don't want to know, you
won't know. But it's not only that. It's the whole package.
Every respectable RBL has _clear_ rules of
1. Listing
2. Escalation
3. Delisting.
In case of UCEPROTECT it's
1. We list whomever we want
2. We escalate whenever we want. And we don't give a damn whether we
block only a so-called spammer or a whole range of innocent people's
networks. Or even whole ASN-s.
3. Give us your money!
The whole webpage says 'we are very good in blocking spam' but they
don't write about possible false positives, about which every
responsible RBL should inform.
The problem is not in the fact of running RBL as such. The problem is in
misleading people to use this service and using it to gain advantage
over people forcing them to pay money.
Let me compare it to a website. If I run a small private website on
which I write, let's say 'Tom Cruise is a neonazist', noone will
probably notice. But if I run a tabloid and I write something like that,
I'll get my ass sued-off.
UCEPROTECT's case is similar - they try hard to be perceived as a
respectable company so that people use their blacklists. And therefore
raising the pressure on listed people to pay for delisting.

Oh, and BTW, http://www.uceprotect.net/en/index.php?m=2&s=0
See the 15th question's response. I don't know about you but for me
'anonymous circle of well-known people' seems kinda oxymoronic.

And another BTW. I found a mailinglist discussion about UCEPROTECT in
which you also took part (no, I wasn't looking for you :->)
http://lists.swinog.ch/public/swinog/2008-January/002432.html
Don't you think that manually adding someone to a blacklist (for free!
*evil grin*) is tampering with it without clear rules? The guy with the
autoresponder was surely causing some inconvenience but the proper
response was to notify the list owner, not to add IP to the blacklist.

--
[------------------------]
[ Kruk@... ]
[ http://epsilon.eu.org/ ]
[------------------------]

Re: UCEPROTECT questions

2009-11-27T00:12:48Z

Mariusz Kruk wrote:

> On Thu, 2009-11-26 at 23:20 +0100, Per Jessen wrote:
>> >> I'm interested in people's opinion of UCEPROTECT. I'm aware of how
>> >> it works, but even UCEPROTECT1 seems to catch an awful lot of ham,
>> >> and I wondered if I was doing something wrong.
>> >
>> > Yes, UCEPROTECT seems to be just a big scam.
>>
>> A scam?? You'll have to explain that one in a bit more detail. They
>> provide the data free of charge.
>
> Scam - something set up only to make money in not-very-fair way.
>

That would seem to describe quite a few businesses I can think of :-)

[snip]
>> As usual, it's not UCEPROTECT you should be swearing at, it's the
>> people who use it.
>
> Yes, Them too. But the whole schema of UCEPROTECT operation stinks.
> They add people to their blacklists with no clear rules standing
> behind it.

This is all you get:
http://www.uceprotect.net/en/index.php?m=3&s=0

If I were to publish some of our internal data, you wouldn't get any
clear information about how we collect it either. Such lists are a
matter of trust and many people obviously trust UCEPROTECT.

/Per Jessen, Zürich

Re: UCEPROTECT questions

2009-11-26T23:51:43Z

On Thu, 2009-11-26 at 23:20 +0100, Per Jessen wrote:
> >> I'm interested in people's opinion of UCEPROTECT. I'm aware of how it
> >> works, but even UCEPROTECT1 seems to catch an awful lot of ham, and I
> >> wondered if I was doing something wrong.
> >
> > Yes, UCEPROTECT seems to be just a big scam.
>
> A scam?? You'll have to explain that one in a bit more detail. They
> provide the data free of charge.

Scam - something set up only to make money in not-very-fair way.

> > Just one opinion -
> > http://www.aaroncake.net/misc/showthought.asp?thought=57 There are
> > many more like this one on the web. Too bad there are some commercial
> > appliances that use this RBL by default. Otherwise noone in their sane
> > minds would use this (at least not any levels higher than 1).
> As usual, it's not UCEPROTECT you should be swearing at, it's the people
> who use it.

Yes, Them too. But the whole schema of UCEPROTECT operation stinks. They
add people to their blacklists with no clear rules standing behind it.
And they demand money for delisting you. It's a simple extortion.
It's as if I wrote on my webpage 'Per Jessen is a stupid asshole' and
wanted money from you for removal of that text.
The problem is that they are quite popular because they seem so
'professional' so many people get 'hit' by them.

--
d'`'`'`'`'`'`'`'`'`'`'`'`'Yb
`b Kruk@... d'
d' http://epsilon.eu.org/ Yb
`b,-,.,-,.,-,.,-,.,-,.,-,.d'

Re: which free RBL do you use?

2009-11-26T15:29:59Z

On Nov 26, 2009, at 15:12, Allen Chen <achen@...>
wrote:

> which free RBLs you guys are still using.

Zen is the only one I use.

Re: UCEPROTECT questions

2009-11-26T14:20:18Z

Mariusz Kruk wrote:

> Alex pisze:
>> I'm interested in people's opinion of UCEPROTECT. I'm aware of how it
>> works, but even UCEPROTECT1 seems to catch an awful lot of ham, and I
>> wondered if I was doing something wrong.
>
> Yes, UCEPROTECT seems to be just a big scam.

A scam?? You'll have to explain that one in a bit more detail. They
provide the data free of charge.

> Just one opinion -
> http://www.aaroncake.net/misc/showthought.asp?thought=57 There are
> many more like this one on the web. Too bad there are some commercial
> appliances that use this RBL by default. Otherwise noone in their sane
> minds would use this (at least not any levels higher than 1).

As usual, it's not UCEPROTECT you should be swearing at, it's the people
who use it.

/Per Jessen, Zürich

which free RBL do you use?

2009-11-26T14:12:57Z

Hi, all
I didn't touch my spamassassin server for almost one year.
It's still running and filtering spam without any problems.
But I think things are changed a lot. I'm using 3.2.4.
So I am asking which free RBLs you guys are still using.

Thank you,

Allen