  • New Spammer?

    13 answers - 4996 bytes

    This morning we have been getting drilled by spam/virus emails. 40 so
    far. Been getting a lot of phone calls from across the company about
    these emails. At least my mailscanner boxes are stripping the files
    and tagging it as spam, but what worries me is the low scores these
    messages are receiving. I start tagging spam at 3.5, so each message
    has been tagged, but still sent through. Anyone else seeing these
    emails?
    Header:
    Return-Path: < g>
    Received: from bohoqsobp.us (
    [12.219.139.163])
    by mail.lovebox.com (8.13.4/8.13.4) with SMTP id jALMiLIS008948;
    Mon, 21 Nov 2005 16:44:22 -0600
    From: webmaster (AT) dfa (DOT) state.ny.us
    To: XPost (AT) lovebox (DOT) com
    Date: Mon, 21 Nov 2005 22:41:54 UTC
    Subject: Mail delivery failed
    Importance: Normal
    X-Priority: 3 (Normal)
    Message-ID: <5dbcea3e2fce.853b4 (AT) dfa (DOT) state.ny.us>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary=""
    Content-Transfer-Encoding: 7bit
    Subject: Mail delivery failed
    Report:
    MailScanner: Executable DS/Windows programs are dangerous in email
    (File-packed_da.exe)
    Inoculate: File ./jALMiLIS008948/mail_body.zip is infected by virus:
    Win32/Sober.W!Worm Inoculate: File
    is infected by
    virus: Win32/Sober.W!Worm
    ClamAV: mail_body.zip contains Worm.Sober.U
    Inoculate: File is infected by
    virus: Win32/Sober.W!Worm ClamAV: File-packed_dataInfo.exe contains
    Worm.Sober.U
    MailScanner: Executable DS/Windows programs are dangerous in email
    (File-packed_dataInfo.exe)
    MailScanner: Executable DS/Windows programs are dangerous in email
    (File-packed_da.exe)
    Inoculate: File is infected by
    virus: Win32/Sober.W!Worm
    ClamAV: File-packed_dataInfo.exe contains Worm.Sober.U
    MailScanner: Executable DS/Windows programs are dangerous in email
    (File-packed_dataInfo.exe)
    SpamAssassin Score: 3.85
    Spam Report:
    Score  Matching Rule             Description
    -1.80  ALL_TRUSTED               Did not pass through any untrusted hosts
     2.19  INVALID_DATE              Invalid Date: header (not RFC 2822)
     0.96  NREAL_NAME                From: does not include a real name
     0.50  RAZR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
     1.50  RAZR2_CF_RANGE_E4_51_100
     0.50  RAZR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
    /var/log/maillog
    Nov 21 16:44:42 wks-lin12 MailScanner[21338]: Saved archive copies of
    jALMiUJ008973 jALMiLIS008948
    Nov 21 16:44:52 wks-lin12 MailScanner[21338]: Message jALMiLIS008948
    from 12.219.139.163 (webmaster (AT) dfa (DOT) state.ny.us) to lovebox.com is spam,
    SpamAssassin (score=3.854, required 3, ALL_TRUSTED -1.80, INVALID_DATE
    2.19, NREAL_NAME 0.96, RAZR2_CF_RANGE_51_100 0.50,
    RAZR2_CF_RANGE_E4_51_100 1.50, RAZR2_CHECK 0.50)
    Nov 21 16:44:53 wks-lin12 MailScanner[21338]: Spam Actions: message
    jALMiLIS008948 actions are store,deliver,striphtml
    Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File
    /
    nfo.exe is infected by virus: Win32/Sober.W!Worm
    Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File
    / is
    infected by virus: Win32/Sober.W!Worm
    Nov 21 16:44:55 wks-lin12 MailScanner[21338]: File
    /<Fil
    e-packed_dataInfo.exeis infected by virus: Win32/Sober.W!Worm
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]:
    /
    nfo.exe: Worm.Sober.U FUND
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]:
    /
    Worm.Sober.U FUND
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Infected message
    jALMiLIS008948 came from 12.219.139.163
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Filename Checks:
    Windows/DS Executable (jALMiLIS008948 File-packed_dataInfo.exe)
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Filename Checks:
    Windows/DS Executable (jALMiLIS008948 File-packed_dataInfo.exe)
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved entire message to
    /
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected
    "File-packed_da.exe" to
    /
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected
    "mail_body.zip" to
    /
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Saved infected
    "File-packed_dataInfo.exe" to
    /
    Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Logging message
    jALMiLIS008948 to SQL
    Nov 21 16:44:57 wks-lin12 MailScanner[1488]: jALMiLIS008948: Logged to
    MailWatch SQL
    Nov 21 16:44:58 wks-lin12 sendmail[9046]: jALMiLIS008948: to=dfair,
    ctladdr=<eBay (AT) lovebox (DOT) com(8/0), delay=00:00:36, mailer=local,
    pri=285904, dsn=5.1.1, stat=User unknown
    Nov 21 16:44:58 wks-lin12 sendmail[9046]: jALMiLIS008948:
    to=awray (AT) imap (DOT) lovebox.com,root (AT) imap (DOT) lovebox.com,tprice (AT) imap (DOT) lovebox.com,
    delay=00:00:36, xdelay=00:00:00, mailer=esmtp, pri=285904,
    relay=imap.lovebox.com. [172.16.3.106], dsn=2.0.0, stat=Sent
    (jALMiw1A006072 Message accepted for delivery)
    Nov 21 16:44:58 wks-lin12 sendmail[9046]: jALMiLIS008948:
    jALMivMA009046: DSN: User unknown
  • No.1 | | 360 bytes | |

    Tuesday 22 Nov 2005 14:56, Casey King wrote:
    >messages are receiving. I start tagging spam, at 3.5 so each message
    >has been tagged, but still sent through. Anyone else seeing these
    >emails?

    New Sober outbreak, not spam, virus.

    Just junk them totally, stripping is a waste of time for Sober (and most other
    W32/* viruses).
  • No.2 | | 1709 bytes | |

    At 09:56 AM 11/22/2005, Casey King wrote:

    >This morning we have been getting drilled by spam/virus emails.

    Are they spam, or viruses? Not the same thing.

    >40 so far.

    I should be so lucky to see as few as 40/hour during any kind of outbreak

    >Been getting a lot of phone calls from across the company about these
    >emails. At least my mailscanner boxes are stripping the files, and
    >tagging it as spam, but what worries me, is the low scores these messages
    >are receiving.

    SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not
    care about virus emails. No effort is made to try to catch them, because
    doing so would dilute the scores of the spam ruleset. No effort is made to
    try to avoid tagging them either. They're just removed from the corpus and
    handled by the developers as if they don't exist.

    >I start tagging spam, at 3.5 so each message has been tagged, but still
    >sent through. Anyone else seeing these emails?


    I see plenty of viruses, and never give them a mind. My selective
    greylisting helps, but so far this morning my mailscanner still got 20 of
    them.

    There was also a steep burst last Weds, 18 of them, which then leveled off
    through the rest of the day.

    *shrug* tell your users in a broadcast email that there is a virus
    outbreak, but to not be concerned unless they have a message that looks
    like a virus and isn't tagged. You might also want to include some standard
    educational notes about viruses and their auto-sending, auto-forging habits.
  • No.3 | | 1292 bytes | |

    From: "Matt Kettler" <mkettler_sa (AT) comcast (DOT) net>

    >At 09:56 AM 11/22/2005, Casey King wrote:
    >
    >>This morning we have been getting drilled by spam/virus emails.
    >
    >Are they spam, or viruses? Not the same thing.
    >
    >>40 so far.
    >
    >I should be so lucky to see as few as 40/hour during any kind of outbreak
    >
    >>Been getting a lot of phone calls from across the company about these
    >>emails. At least my mailscanner boxes are stripping the files, and
    >>tagging it as spam, but what worries me, is the low scores these messages
    >>are receiving.
    >
    >SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not
    >care about virus emails. No effort is made to try to catch them, because
    >doing so would dilute the scores of the spam ruleset. No effort is made to
    >try to avoid tagging them either. They're just removed from the corpus and
    >handled by the developers as if they don't exist.

    Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
    I get the best of both worlds. Creative use of BLs also helps.

    {^_^}
  • No.4 | | 1922 bytes | |

    Where are BLs setup at?

    Thanks in advance

    Regards

    Leonard Bernstein

    | Email leonardb (AT) pcnetsources (DOT) com
    | Mobile (917) 807-3883
    | BlackBerry PIN 40082120
    | Technology Consultant

    Message
    From: "jdow" <jdow (AT) earthlink (DOT) net>
    To: <users (AT) spamassassin (DOT) apache.org>
    Sent: Tuesday, November 22, 2005 5:37 PM
    Subject: Re: New Spammer?
    [quoted text of reply No.3 omitted]
  • No.5 | | 925 bytes | |

    jdow wrote:
    >Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
    >I get the best of both worlds. Creative use of BLs also helps.

    Local blacklists help a lot. If you figure most viruses are going to be
    sent directly from client PCs, and most of 'em are going to try
    repeatedly, a temporary block on any* IP that sends you a virus can save
    a whole lot of connection time, bandwidth, and scanning time.

    *You want some safeguards, of course. Don't blacklist your upstream
    mail server, if you have one. Don't blacklist known forwarders. We
    only block IPs that appear to be DSL/cable modems and do not appear to
    be mail servers, plus we have a whitelist (in the don't-block-it sense,
    not in the accept-everything sense) of sites known to forward to our
    users, and we clear the blocks nightly.

    I expect greylisting would be similarly effective.
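    The policy in the reply above (block an IP that sent a virus, but only if it looks like a DSL/cable client rather than a mail server, never block the upstream relay or known forwarders, and clear the blocks nightly) can be driven straight from the MailScanner log lines shown in the original post. The script below is an added example written for this page, not code from the thread or from MailScanner. The log lines, the reverse-DNS answers in FAKE_RDNS, the NEVER_BLOCK networks and the message ids other than jALMiLIS008948 are constructed; the 198.51.100.x and 203.0.113.x addresses are documentation ranges used as stand-ins.

```python
"""Temporary blocklist of virus-sending IPs built from MailScanner log lines.

Added example for this page; not the thread's or MailScanner's own code.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines in the format of the /var/log/maillog excerpt in the
# original post. 12.219.139.163 and 172.16.3.106 appear in the thread; the other
# addresses and the message ids after the first are placeholders.
SAMPLE_LOG = [
    "Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Infected message jALMiLIS008948 came from 12.219.139.163",
    "Nov 21 16:44:57 wks-lin12 MailScanner[21338]: Filename Checks: Windows/DS Executable (jALMiLIS008948 File-packed_dataInfo.exe)",
    "Nov 21 16:45:10 wks-lin12 MailScanner[21338]: Infected message jALMjAxx009001 came from 12.219.139.163",
    "Nov 21 16:46:02 wks-lin12 MailScanner[21338]: Infected message jALMkBxx009120 came from 172.16.3.106",
    "Nov 21 16:47:30 wks-lin12 MailScanner[21338]: Infected message jALMlCxx009210 came from 198.51.100.77",
    "Nov 21 16:48:11 wks-lin12 MailScanner[21338]: Infected message jALMmDxx009301 came from 198.51.100.200",
    "Nov 21 16:49:05 wks-lin12 MailScanner[21338]: Infected message jALMnExx009402 came from 203.0.113.9",
]

INFECTED_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ MailScanner\[\d+\]: "
    r"Infected message (?P<msgid>\S+) came from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# The "don't-block-it" whitelist from the reply: our own networks, the upstream
# relay and known forwarders. Constructed values.
NEVER_BLOCK = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # our own networks
              "203.0.113.0/24")                                  # a known forwarder
]

# Constructed reverse-DNS answers standing in for a real PTR lookup.
FAKE_RDNS = {
    "12.219.139.163": None,                              # no PTR record at all
    "198.51.100.77": "mail.example.net",                 # named like a mail server
    "198.51.100.200": "dsl-198-51-100-200.example.net",  # named like a DSL client
}

CLIENT_HINTS = re.compile(r"dsl|cable|dyn|pool|ppp|dhcp|\d+-\d+-\d+-\d+", re.I)
SERVER_HINTS = re.compile(r"^(mail|smtp|mx|relay|out)\w*\.", re.I)


def looks_like_client(rdns):
    """Stand-in for the reply's 'appears to be a DSL/cable modem and not a mail
    server' test, using only the reverse-DNS name. No PTR record is treated as
    client-like; a server-ish name is never blocked."""
    if rdns is None:
        return True
    if SERVER_HINTS.search(rdns):
        return False
    return bool(CLIENT_HINTS.search(rdns))


@dataclass
class Block:
    ip: str
    first_seen: datetime
    expires: datetime  # the nightly clear, modelled as an expiry time
    hits: int = 1


def parse_stamp(stamp, year):
    """syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def next_midnight(t):
    return (t + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def build_blocklist(lines, rdns=FAKE_RDNS, year=2005):
    """Return {ip: Block} for every 'Infected message ... came from' line whose
    source passes the safeguards."""
    blocks = {}
    for line in lines:
        m = INFECTED_RE.match(line)
        if not m:
            continue  # filename checks, spam verdicts etc. are ignored
        ip = m.group("ip")
        if any(ipaddress.ip_address(ip) in net for net in NEVER_BLOCK):
            continue  # upstream relay, internal host or known forwarder
        if not looks_like_client(rdns.get(ip)):
            continue  # looks like a real mail server: leave it alone
        seen = parse_stamp(m.group("stamp"), year)
        if ip in blocks:
            blocks[ip].hits += 1
        else:
            blocks[ip] = Block(ip, seen, next_midnight(seen))
    return blocks


def active_blocks(blocks, now):
    """IPs still blocked at `now` (a datetime or an ISO-8601 string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return sorted(ip for ip, b in blocks.items() if now < b.expires)


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_LOG)
    for ip in active_blocks(bl, "2005-11-21T23:00:00"):
        b = bl[ip]
        print(f"block {ip}: {b.hits} infected message(s), until {b.expires:%Y-%m-%d %H:%M}")
```

    Run against the constructed lines, it blocks 12.219.139.163 (two hits, no PTR) and the DSL-named host, leaves the internal relay, the forwarder network and the mail-server-named host untouched, and drops every block at midnight. The output would feed whatever the MTA's access control reads; the reverse-DNS heuristic is the part to replace with real lookups and local knowledge.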
  • No.6 | | 2020 bytes | |

    Nowhere if he has no trusted network setup. That's his problem in a
    nutshell. He cannot usefully run network tests.
    {^_^}
    Message
    From: "Leonard SA" <spamassassin (AT) pcnetsources (DOT) com>
    [quoted text of reply No.4 omitted]
  • No.7 | | 3686 bytes | |

    J,

    sorry about that offline email :(

    Thanks for the answer also. I will definitely make some changes to adjust a
    more secure setup.

    Regards

    Leonard
    Message
    From: "jdow" <jdow (AT) earthlink (DOT) net>
    To: "Leonard SA" <spamassassin (AT) pcnetsources (DOT) com>
    Sent: Tuesday, November 22, 2005 8:09 PM
    Subject: Re: New Spammer?

    That is the general format. I do not have your original message to know
    if the data is correct. It almost looks like you are trusting WAY too
    much at the 70.119. part. Trust only the mail server(s) from which you
    expect to never forge emails itself. In my case I trust the set of
    mail servers earthlink lumps as pop3.earthlink.net outside of the local
    network.

    {^_^}
    Message
    From: "Leonard SA" <spamassassin (AT) pcnetsources (DOT) com>
    To: "jdow" <jdow (AT) earthlink (DOT) net>
    Sent: 2005 November, 22, Tuesday 16:38
    Subject: Re: New Spammer?
    >J,
    >
    >Is the trusted_network you're speaking of in the local.cf file as I have
    >below?
    >
    >trusted_networks 192.168.2. 127.0.0.1 70.119.
    >
    >I also use badmailfrom, which will block mail at the SMTP level. Is SA
    >able to stop spam with some sort of BL / WL rules?
    >
    >Regards
    >
    >Leonard

    Message
    From: "jdow" <jdow (AT) earthlink (DOT) net>
    To: <users (AT) spamassassin (DOT) apache.org>
    Sent: Tuesday, November 22, 2005 6:23 PM
    Subject: Re: New Spammer?
    [quoted text of reply No.6 omitted]
  • No.8 | | 4893 bytes | |

    The key to understanding "trusted" is that these are mail transfer agents
    that you can trust not to forge headers. If you fetch from an ISP then it
    is, perforce, the ISP's pop3 or imap client through which you fetch mail
    with the fetchmail utility or equivalent. Such is my case. If you run an
    smtp server yourself and receive from the world then that server, by all
    its known addresses, is the extent of your trusted network. These are NOT
    collections of addresses you "trust not to spam you." They ARE a very few
    addresses that can be trusted not to forge headers and nothing more.

    That is why the bl tests throw up their hands and fail if trusted_networks
    is set wrong. It has to find at least ONE header, starting from the bottom,
    that it trusts. From the last address working upwards in the Received
    headers it can't trust so it performs the lookup.

    If I remember correctly you were hitting ALL_TRUSTED. That is an indication
    that you have this setup messed up. Misunderstanding the use of the
    trusted_network concept is usually the problem. If you CAN change the
    local.cf then with a little work Bob's your uncle. (I remember my
    fortunately brief struggle with this.) At the moment mine looks much like
    this:
    trusted_networks 127/8 207.217.121/24
    internal_networks 192.168/16

    The 207 address space I accept is where Earthlink.net's pop3 servers live.
    I use fetchmail from them.

    I hope this helps.
    {^_^}
    Message
    From: "Leonard SA" <spamassassin (AT) pcnetsources (DOT) com>
    [quoted text of reply No.7 omitted]
  • No.9 | | 5663 bytes | |

    J,

    explanation :) Thank you

    I don't have the all_trusted setting; just the trusted_networks and the
    internal_networks. I've made some adjustment to the other IP address with
    too much weight, since this is a static IP and I can place the full address
    as a trusted network. This is my home static IP. The server is owned by me
    and runs publicly. It is a qmail, apache, etc. server, so I can control it as
    necessary.

    Thanks again for all of your help

    Regards

    Leonard
    Message
    From: "jdow" <jdow (AT) earthlink (DOT) net>
    To: <users (AT) spamassassin (DOT) apache.org>
    Sent: Tuesday, November 22, 2005 9:41 PM
    Subject: Re: New Spammer?
    [quoted text of reply No.8 omitted]
  • No.10 | | 5900 bytes | |

    No problem. I do like to help people when I can given time and knowledge.
    If it works you got lucky.

    {^_-}
    Message
    From: "Leonard SA" <spamassassin (AT) pcnetsources (DOT) com>
    [quoted text of reply No.9 omitted]
  • No.11 | | 717 bytes | |

    By the way, aside from that the BLs are setup out of the box just
    about the way I use them.
    {^_^}
    Message
    From: "Leonard SA" <spamassassin (AT) pcnetsources (DOT) com>
    [quoted text of reply No.9 omitted]
  • No.12 | | 1782 bytes | |

    And as it turns out I had an address wrong and had slightly fooed up what
    was the minimum needed for trusted. It turns out that this setup works just
    fine with fetchmail.

    trusted_networks 127/8
    internal_networks 192.168/16

    It appears I was slightly overtrusting, since Earthlink's pop3 and its smtp
    servers, which don't use authentication, share the same addresses. The above
    works quite nicely, and should some idiot play with Earthlink.net's smtp
    to send spam it won't get the ALL_TRUSTED hit.

    I'm glad I got motivated to look at this a little closer. This header
    seems to be key for being trusted via localhost.

    Received: from smtp.earthlink.net [209.86.93.210]
    by localhost with PP3 (fetchmail-6.2.5)
    for jdow (AT) XXX (DOT) XXX.XXX (single-drop); Tue, 22 Nov 2005 15:24:50 -0800 (PST)

    Suits me fine!
    {^_^}
    Message
    From: "jdow" <jdow (AT) earthlink (DOT) net>
    [quoted text of reply No.11 omitted]
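    The trusted_networks discussion in replies No.8 and No.12 comes down to one rule: SpamAssassin walks the Received headers from the top of the message (the most recent hop) downwards, a hop counts as trusted only while it and every hop above it came from an address in trusted_networks, the hops outside that boundary are what the network (BL) tests look up, and if every hop is trusted ALL_TRUSTED fires and there is nothing left to look up. The script below is an added example written for this page to make that walk visible; it is a simplified model, not SpamAssassin's own parser (which has more special cases, including ones for fetchmail-style headers). It parses the shorthand used in the thread (127/8, 70.119., 207.217.121/24) and runs two constructed header chains: one through Leonard's first config, which trusted all of 70.119., and one through jdow's final 127/8 config with the fetchmail header quoted above. All hop addresses except 209.86.93.210 (from jdow's header) are private or documentation-range placeholders, and 70.119.1.2 is just an address inside the prefix the thread mentions.

```python
"""Model of the trusted-relay walk over Received headers.

Added example for this page; a simplified model, not SpamAssassin's parser.
"""
import ipaddress
import re

BRACKETED_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def parse_networks(spec):
    """Parse a trusted_networks / internal_networks value in the thread's shorthand:
    '127/8' -> 127.0.0.0/8, '70.119.' -> 70.119.0.0/16, '127.0.0.1' -> 127.0.0.1/32,
    '207.217.121/24' -> 207.217.121.0/24."""
    nets = []
    for token in spec.split():
        addr, _, plen = token.partition("/")
        octets = [o for o in addr.split(".") if o]
        if not plen:
            plen = str(8 * len(octets))  # trailing-dot form: each octet given is 8 bits
        octets += ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False))
    return nets


def relay_ip(received):
    """The connecting relay's address from one Received header value: the first
    bracketed IP before ' by '. None if the header names no address."""
    head = received.strip()
    if not head.startswith("from "):
        return None
    m = BRACKETED_IP.search(head.split(" by ", 1)[0])
    return m.group(1) if m else None


def classify(received_headers, trusted_spec):
    """received_headers: Received header values, top of the message first."""
    trusted = parse_networks(trusted_spec)
    trusted_hops, untrusted_hops = [], []
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is None:
            continue  # no relay address recoverable: skip the hop
        is_trusted = any(ipaddress.ip_address(ip) in n for n in trusted)
        if is_trusted and not untrusted_hops:
            trusted_hops.append(ip)    # still inside the trusted boundary
        else:
            untrusted_hops.append(ip)  # boundary crossed: this and every hop below is untrusted
    return {
        "trusted": trusted_hops,
        "untrusted": untrusted_hops,
        "all_trusted": not untrusted_hops,
        "lookup_ip": untrusted_hops[0] if untrusted_hops else None,
    }


# Constructed chains (top of the message first). Only 209.86.93.210 comes from the
# thread; 192.168.2.10, 70.119.1.2 and 198.51.100.23 are placeholders.
OVERTRUSTED_CHAIN = [
    "from mailhost.example.lan (mailhost.example.lan [192.168.2.10]) by scanner.example.lan with ESMTP; Tue, 22 Nov 2005 16:38:00 -0500",
    "from [70.119.1.2] (helo=sender.example) by mailhost.example.lan with SMTP; Tue, 22 Nov 2005 16:37:55 -0500",
]
FETCHMAIL_CHAIN = [
    "from smtp.earthlink.net [209.86.93.210] by localhost with PP3 (fetchmail-6.2.5) for jdow@example.invalid (single-drop); Tue, 22 Nov 2005 15:24:50 -0800 (PST)",
    "from [198.51.100.23] (helo=sender.example) by smtp.earthlink.net with SMTP; Tue, 22 Nov 2005 15:24:40 -0800",
]

LEONARD_FIRST = "192.168.2. 127.0.0.1 70.119."  # the config quoted in reply No.7
JDOW_FINAL = "127/8"                            # the config in reply No.12

if __name__ == "__main__":
    for label, chain, spec in (("Leonard, first config", OVERTRUSTED_CHAIN, LEONARD_FIRST),
                               ("Leonard, 70.119. removed", OVERTRUSTED_CHAIN, "192.168.2. 127.0.0.1"),
                               ("jdow, fetchmail", FETCHMAIL_CHAIN, JDOW_FINAL)):
        r = classify(chain, spec)
        print(f"{label}: trusted={r['trusted']} untrusted={r['untrusted']} "
              f"ALL_TRUSTED={r['all_trusted']} BL lookup on {r['lookup_ip']}")
```

    With 70.119. trusted, the external sender is inside the boundary, every hop is trusted, ALL_TRUSTED fires and no address is left for the BL tests, which is exactly the "cannot usefully run network tests" situation jdow describes; drop the 70.119. entry and the same chain yields 70.119.1.2 as the lookup address. With jdow's final 127/8 config the fetchmail hop from 209.86.93.210 is the first untrusted one, so a message injected through Earthlink's smtp would not get the ALL_TRUSTED credit. Using the numbers from the original post's own spam report, the -1.80 ALL_TRUSTED hit is what pulled that message down to 3.854; without it the listed rules add up to about 5.65, well past the poster's 3.5 threshold.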
  • No.13 | | 672 bytes | |

    >Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
    >I get the best of both worlds. Creative use of BLs also helps.

    Very pleased with ClamAV too, but just ClamAV is not enough for us. In the
    last hours some virus types were not recognized by ClamAV, not even with
    the most recent database (just submitted the samples to clamav). Luckily
    they were caught because we allow only password-protected zip files if
    they contain executable files. And we have 4 other virus scanners on our
    exchange server.
    The virus types change so fast now that ClamAV has difficulty keeping up.

    Regards
    Menno van Bennekom
