Tom Lane heads up
Just dropping a quick not for Tom Lane. I sent a personal message
today, but I wasn't sure if you'd get it after I remembered all of the
spam filters you've got set up.
Sorry for the off topic post.
DeJuan Jackson wrote:
Just dropping a quick not for Tom Lane. I sent a personal message
today, but I wasn't sure if you'd get it after I remembered all of the
spam filters you've got set up.Sorry for the off topic post.
That's ok. He is only filtering me :-)
Actually, you get a rejection notice if his spam filters catch you. If
you didn't get one, your'e ok.
Shachar
--
Shachar Shemesh
Lingnu Open Systems Consulting
http://www.lingnu.com/
On Fri, Mar 05, 2004 at 01:19:13PM +0200, Shachar Shemesh wrote:
DeJuan Jackson wrote:
I sent a personal message today, but I wasn't sure if you'd
get it after I remembered all of the spam filters you've got
set up.Actually, you get a rejection notice if his spam filters catch
you. If you didn't get one, you're ok.
is there some way of getting a look at tom's or marc's filters? i could
sure use a bit of help there. lordy, we're close to drowing in the
stuff!
if it's in the archives already, i apparently didn't hit the
right search string. a quickie pointer is all i need...
thanks in advance!
--
"Why did they hard code that value into the program?".
"My only guess would be to maximize suckage."
http://suso.suso.org/docs/apache_and_frontpage/htmldocs/part4-2.phtml
On Mon, 19 Apr 2004, Will Trillich wrote:
On Fri, Mar 05, 2004 at 01:19:13PM +0200, Shachar Shemesh wrote:
DeJuan Jackson wrote:
I sent a personal message today, but I wasn't sure if you'd
get it after I remembered all of the spam filters you've got
set up.Actually, you get a rejection notice if his spam filters catch
you. If you didn't get one, you're ok.is there some way of getting a look at tom's or marc's filters? i could
sure use a bit of help there. lordy, we're close to drowing in the
stuff!
Huh? I just use Spamassassin myself, with Razor/Pyzor/DCC and Bayes all
enabled ...
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664
Marc G. Fournier wrote:
Huh? I just use Spamassassin myself, with Razor/Pyzor/DCC and Bayes all
enabled ...
I use exactly the same setup. But recently I've noticed that the
spammers are getting smarter -- I think 20% of it is slipping by the
filters. I'm going to need something better.
Joe
Joe Conway wrote:
Marc G. Fournier wrote:
Huh? I just use Spamassassin myself, with Razor/Pyzor/DCC and Bayes all
enabled ...I use exactly the same setup. But recently I've noticed that the
spammers are getting smarter -- I think 20% of it is slipping by the
filters. I'm going to need something better.
Here is what I use:
http://candle.pha.pa.us/main/writings/spam/
I get 98% blockage with no false positives, or at least only 1-2 a year
(that folks tell me about). :-)
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
When grilled further on (Mon, 19 Apr 2004 21:19:05 -0700),
Joe Conway <mail@joeconway.com> confessed:
Marc G. Fournier wrote:
Huh? I just use Spamassassin myself, with Razor/Pyzor/DCC and Bayes all
enabled ...I use exactly the same setup. But recently I've noticed that the
spammers are getting smarter -- I think 20% of it is slipping by the
filters. I'm going to need something better.
Have you played with the "spamassassin --report" feature? Works fairly well if
you can integrate it into your e-mail client and report a bunch of
messages as spam. It trains the Bayes filter and reports to Razor (at
the least).
Sylpheed Claws has actions (you use "spamassassin--report %F" as the action),
and it'll batch the report on all selected messages.
I find that after a 10-20 messages, it starts finding the ones that were
slipping through. Since February, I have 200 missed out of 4200.
Cheers,
Rob
--
22:28:27 up 3 days, 2:06, 3 users, load average: 3.24, 3.08, 3.45
Linux 2.6.5-01 #5 SMP Tue Apr 6 21:32:39 MDT 2004
Will Trillich <will@serensoft.com> writes:
is there some way of getting a look at tom's or marc's filters? i could
sure use a bit of help there. lordy, we're close to drowing in the
stuff!
Tell me about it :-(
I currently use four levels of filtering:
1. DNSBL lists: blackholes.five-ten-sg.com, bl.spamcop.net, relays.ordb.org
(there are others out there, but these seem to have a good impedance
match to my personal spam load).
2. Private blacklist of IP ranges that have sent me too much spam.
sendmail has a pretty easy mechanism to support this, although it
only seems to support /8 /16 or /24 ranges which is a bit coarse.
(If you've gotten a "Go away spammer" bounce from me, you were caught
by this filter --- let me know and I'll tighten the ranges.)
3. I have noticed that bouncing any machine that sends "HELO
sss.pgh.pa.us" gets rid of a ton of spam and viruses. I don't know of
any real clean way to do this, but I have a sendmail.cf hack for it.
4. Very long list of procmail filters on header and body patterns.
#2 and #4 are fairly personal, in the sense that they have a decent
success/failure ratio for the junk mail I get. I wouldn't recommend
that someone else try my lists, and in any case they take a heck of a
lot of hand maintenance. I've been looking into more automated methods
such as CRM114 but haven't made the jump yet.
regards, tom lane
Tom Lane said:
Will Trillich <will@serensoft.com> writes:
is there some way of getting a look at tom's or marc's filters? i could
sure use a bit of help there. lordy, we're close to drowing in the
stuff!Tell me about it :-(
I currently use four levels of filtering:
1. DNSBL lists: blackholes.five-ten-sg.com, bl.spamcop.net, relays.ordb.org
(there are others out there, but these seem to have a good impedance
match to my personal spam load).2. Private blacklist of IP ranges that have sent me too much spam.
sendmail has a pretty easy mechanism to support this, although it
only seems to support /8 /16 or /24 ranges which is a bit coarse.
(If you've gotten a "Go away spammer" bounce from me, you were caught
by this filter --- let me know and I'll tighten the ranges.)3. I have noticed that bouncing any machine that sends "HELO
sss.pgh.pa.us" gets rid of a ton of spam and viruses. I don't know of
any real clean way to do this, but I have a sendmail.cf hack for it.4. Very long list of procmail filters on header and body patterns.
#2 and #4 are fairly personal, in the sense that they have a decent
success/failure ratio for the junk mail I get. I wouldn't recommend
that someone else try my lists, and in any case they take a heck of a
lot of hand maintenance. I've been looking into more automated methods
such as CRM114 but haven't made the jump yet.
Yes they sure are. I tried my personal blacklist on a client's server one
time after they complained of seeing dozens a minute slipping by. It did just
about nothing, but it got them started on their own. #3 looks interesting
though...
Best regards,
Jim Wilson
Quoting Tom Lane <tgl@sss.pgh.pa.us>:
Will Trillich <will@serensoft.com> writes:
is there some way of getting a look at tom's or marc's filters? i could
sure use a bit of help there. lordy, we're close to drowing in the
stuff!Tell me about it :-(
I currently use four levels of filtering:
1. DNSBL lists: blackholes.five-ten-sg.com, bl.spamcop.net, relays.ordb.org
(there are others out there, but these seem to have a good impedance
match to my personal spam load).2. Private blacklist of IP ranges that have sent me too much spam.
sendmail has a pretty easy mechanism to support this, although it
only seems to support /8 /16 or /24 ranges which is a bit coarse.
(If you've gotten a "Go away spammer" bounce from me, you were caught
by this filter --- let me know and I'll tighten the ranges.)
There is a sendmail script for this called "cidrexpand" that allows you to put
in CIDR blocks- i.e. things like 216.185.96.0/19 can be put into the sendmail
access file.
<--stuff deleted-->
--
Keith C. Perry, MS E.E.
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com
____________________________________
This email account is being host by:
VCSN, Inc : http://vcsn.com
On Tue, Apr 20, 2004 at 01:06:18AM -0400, Tom Lane wrote:
Will Trillich <will@serensoft.com> writes:
is there some way of getting a look at tom's or marc's filters? i could
sure use a bit of help there. lordy, we're close to drowing in the
stuff!Tell me about it :-(
I currently use four levels of filtering:
1. DNSBL lists: blackholes.five-ten-sg.com, bl.spamcop.net, relays.ordb.org
(there are others out there, but these seem to have a good impedance
match to my personal spam load).2. Private blacklist of IP ranges that have sent me too much spam.
sendmail has a pretty easy mechanism to support this, although it
only seems to support /8 /16 or /24 ranges which is a bit coarse.
(If you've gotten a "Go away spammer" bounce from me, you were caught
by this filter --- let me know and I'll tighten the ranges.)3. I have noticed that bouncing any machine that sends "HELO
sss.pgh.pa.us" gets rid of a ton of spam and viruses. I don't know of
any real clean way to do this, but I have a sendmail.cf hack for it.4. Very long list of procmail filters on header and body patterns.
It must be pretty difficult maintain these header and body patterns
and the others lists. I had same problem and I resolve if by
"spamassassin", it knows learn and it's more simple than procmailrc
coding. Now I have cca 5% of all spams in my INBOX.
Karel
--
Karel Zak <zakkr@zf.jcu.cz>
http://home.zf.jcu.cz/~zakkr/
"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
Doesn't that just force the delivering system to send the spam through your
secondary server?
A 500-series error isn't supposed to be retried is it? But in any case,
I run the same filters on my secondary server. Both the IP and the HELO
checks would be quite useless if I used an MX that wouldn't support 'em.
regards, tom lane
Import Notes
Reply to msg id not found: Pine.LNX.4.21.0404200825160.4406-100000@ponder.fairway2k.co.ukReference msg id not found: Pine.LNX.4.21.0404200825160.4406-100000@ponder.fairway2k.co.uk | Resolved by subject fallback
On Mon, 19 Apr 2004, Joe Conway wrote:
Marc G. Fournier wrote:
Huh? I just use Spamassassin myself, with Razor/Pyzor/DCC and Bayes all
enabled ...I use exactly the same setup. But recently I've noticed that the
spammers are getting smarter -- I think 20% of it is slipping by the
filters. I'm going to need something better.
do you force learn those spam that get through the cracks? I get about 20
or 30 messages that slip through the cracks, which I process through with
sa-learn nightly ...
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664
Karel Zak wrote:
It must be pretty difficult maintain these header and body patterns
and the others lists. I had same problem and I resolve if by
"spamassassin", it knows learn and it's more simple than procmailrc
coding. Now I have cca 5% of all spams in my INBOX.
It's not that difficult here but I'm using Postfix, which has built in
pattern checking. Because my mail server also hosts a bunch of topical
internet mailing lists (mainly motorcycle and bass player stuff) and all
of their admin addresses were harvested by spammers long ago, I don't
just get one copy of spam. I usually get several because each of those
admin addresses eventually alias back to me.
I don't use SpamAssassin or Razor but I manage to kill 95% of spam at
the SMTP stage, before the message is accepted for delivery. This works
better than a delivery stage mail processor like procmail because it
bounces the spam back to the server actually sending it. It's easy to
see from the maillogs what IPs are regularly sending me this crap so
they can be blackholed permanently. I think I've got most of CHINANET
in the bit bucket now <g>.
On Tue, Apr 20, 2004 at 05:35:51AM -0000 I heard the voice of
Jim Wilson, and lo! it spake thus:
Tom Lane said:
3. I have noticed that bouncing any machine that sends "HELO
sss.pgh.pa.us" gets rid of a ton of spam and viruses. I don't know of
any real clean way to do this, but I have a sendmail.cf hack for it.#3 looks interesting though...
I've been blocking HELO as anything under my domain, as well as my IP
address (as well as any bare IP addresses) for a while, and it
certainly drops a fair bit. And I maintain a long list of HELO names,
AND IP ranges, AND sending hostnames, AND senders domains, plus all
the filtering I do after accepting the mail... Wacky. If we just
renamed 'spam' to 'justifiable homicide'...
--
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
"The only reason I'm burning my candle at both ends, is because I
haven't figured out how to light the middle yet"
Marc G. Fournier wrote:
do you force learn those spam that get through the cracks? I get about 20
or 30 messages that slip through the cracks, which I process through with
sa-learn nightly ...
No, I haven't been doing that, but I guess I ought to start. Thanks for
the suggestion!
Joe
On Tue, 20 Apr 2004, Joe Conway wrote:
Marc G. Fournier wrote:
do you force learn those spam that get through the cracks? I get about 20
or 30 messages that slip through the cracks, which I process through with
sa-learn nightly ...No, I haven't been doing that, but I guess I ought to start. Thanks for
the suggestion!
Also check to make sure that you don't have autolearn disabled ... you
would have had to do it manually, as it is enabled by default, but, for
instance, if you are a user on a system, the site-wide may be set to
disable autolearn, so you'd have to enable it yourself ...
I'm looking forward to 3.x coming out, as the Bayes stuff will be able to
run out of an SQL database instead of flat files ... so servers running
Cyrus IMAPd, where there are no physical user accounts, will be able to
start makng use of Bayes as well ...
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org Yahoo!: yscrappy ICQ: 7615664
Quoting "Matthew D. Fuller" <fullermd@over-yonder.net>:
On Tue, Apr 20, 2004 at 05:35:51AM -0000 I heard the voice of
Jim Wilson, and lo! it spake thus:Tom Lane said:
3. I have noticed that bouncing any machine that sends "HELO
sss.pgh.pa.us" gets rid of a ton of spam and viruses. I don't know of
any real clean way to do this, but I have a sendmail.cf hack for it.#3 looks interesting though...
I've been blocking HELO as anything under my domain, as well as my IP
address (as well as any bare IP addresses) for a while, and it
certainly drops a fair bit. And I maintain a long list of HELO names,
AND IP ranges, AND sending hostnames, AND senders domains, plus all
the filtering I do after accepting the mail... Wacky. If we just
renamed 'spam' to 'justifiable homicide'...--
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/"The only reason I'm burning my candle at both ends, is because I
haven't figured out how to light the middle yet"---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
We could only wish for "justifiable homicide". Now there's a law I would
support! :)
Are you guys miltering to drop the messages with those HELO patterns? I'm
nailing 80%+ across all my clients and I may get 20 to 50 spams/day (down from
200+) which is acceptable but I was going to start using some netfilter hooks
(i.e. Linux firewall code) to inspect mail traffic and apply some more patterns.
If you guys are getting 95%+ via miltering then thats definitely the way to go.
--
Keith C. Perry, MS E.E.
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com
____________________________________
This email account is being host by:
VCSN, Inc : http://vcsn.com
Tom Lane <tgl@sss.pgh.pa.us> wrote:
[snip]
3. I have noticed that bouncing any machine that sends "HELO
sss.pgh.pa.us" gets rid of a ton of spam and viruses.
IOW: Anything the HELOs with your mail server's own hostname. If you
can do it: Changing that to anything that HELOs with your domain name
(that's not supposed to) and you'll catch still more. Add to that
anything HELOing with your mail server's IP address and you'll catch
more yet.
I don't know of
any real clean way to do this, but I have a sendmail.cf hack for it.
[snip]
Postfix, which is what I use, has built-in support for HELO checks.
--
Jim Seymour | Spammers sue anti-spammers:
jseymour@LinxNet.com | http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com | Please donate to the SpamCon Legal Fund:
| http://www.spamcon.org/legalfund/
Tom Lane <tgl@sss.pgh.pa.us> wrote:
"Nigel J. Andrews" <nandrews@investsystems.co.uk> writes:
Doesn't that just force the delivering system to send the spam through your
secondary server?A 500-series error isn't supposed to be retried is it?
Nope. But we're talking about spammers, so all bets are off. In
fact: Spammers will frequently try the secondary (or beyond) MX in
favour of the primary, as they know that frequently secondary MX'
aren't under the target domain's control and likely will have lowered
shields.
But in any case,
I run the same filters on my secondary server. Both the IP and the HELO
checks would be quite useless if I used an MX that wouldn't support 'em.
Yup. If you can't employ the same anti-UCE checks on a secondary as
you can on a primary, dump the secondary. Secondary MX' are of no
value if they just queue things up for the primary, anyway.
--
Jim Seymour | Spammers sue anti-spammers:
jseymour@LinxNet.com | http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com | Please donate to the SpamCon Legal Fund:
| http://www.spamcon.org/legalfund/
