Disable SpamCop reporting in SpamAssassin

If you’ve been using SpamAssassin and have been reporting to SpamCop then you’ll have found overnight that you got a heap of bounces back saying things like:

<devnull@prod-sc-app7.sv4.ironport.com> (expanded from
    <spamassassin-submit@spam.spamcop.net>): unknown user: "devnull"

It turns out that the spamassassin-submit@spam.spamcop.net appears to be something that the SpamAssassin developers set without consulting with SpamCop, and SpamCop have just been blackholing those reports for an unknown amount of time. Last night it went away and so now IronPort are rejecting them which was how I learnt of this. I’m not impressed by what the SA developers did her, it should have required you to put in a registered SpamCop address and not reported if that wasn’t set.

I’ve disabled my SpamCop reporting by commenting out this line in /etc/mail/spamassassin/v310.pre on my Debian mailserver:

loadplugin Mail::SpamAssassin::Plugin::SpamCop

If you use SpamAssassin and don’t have a registered SpamCop account you’ll want to do the same.

Protect Your Family with the Kogan Portector!

If you’re worried about spam and scams coming through the Internet Portal (thanks to Stephen Conroy for pointing that threat out) then get yourself a Kogan Portector! Here’s their advert for it on YouTube..

Of course you must be sure to read the disclaimer..

DISCLAIMER: The Kogan “Portector” Internet Filter is not a real product. This product is in no way affiliated with Communications Minister Stephen Conroy, The Australian Labor Party, or the Australian Government. Incorrect use may result in uncensored Internet content, freedom of speech, freedom of choice, freedom of thought, and protection of your civil liberties.

Phew, thanks Kogan for saving us!

WordPress “Worst Offenders” Plugin Works in WP 2.9.x!

I’ve just spent a bit of time fixing up a fairly simple bug that was preventing Rich Boakes’sWorst Offenders” plugin1 from working in current WordPress versions (basically it was assuming it had created a submenu somewhere it wasn’t) and merged my branch back into trunk to check the content of comments for a list of bad words. No release yet, this is just in trunk, but if you are feeling adventurous you can go into your WordPress’s wp-content/plugins directory and do:

svn co http://plugins.svn.wordpress.org/worst-offenders/trunk/ worst-offenders

Of course make sure you’ve nuked any earlier version of Worst Offenders first!

  1. This plugin classifies your Akismet spam queue by various criteria to let you do bulk deletes for comments matching various criteria [back]

SpamAssassin Y2K10 Bug

Update: removed the link to the SpamAssassin announcement as the link isn’t permanent! :-(

In case you’ve not noticed – SpamAssassin had a nasty Y2K10 bug which had been fixed months ago but the fix never got pushed out into a release or updates. :-(

Those of you using SpamAssassin to filter your mail may want to watch things a bit more closely than usual; it seems that current versions still include the rule known as FH_DATE_PAST_20XX, which adds 2-3 points to any message with a 2010 date in the headers. Surprisingly enough, such dates have suddenly become common, with the result that SpamAssassin may be generating more false positives than usual.

The fix is now included in the updates pushed out by sa-update, run it with -D to get debug output and check you’ve picked up 895075 or later. You’ll see it say:

[4096] dbg: dns: 5.2.3.updates.spamassassin.org => 895075, parsed as 895075

If you’re running Zimbra then you’ll need to fix this manually, in the VPAC install (5.0.x) I changed a line in /opt/zimbra/conf/spamassassin/72_active.cf from:

header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]


header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]

The other alternative is to set the score of the rule to 0 in your local.cf file:

score FH_DATE_PAST_20XX 0.0

Then go hunting for legitimate email in your spam folder (I’m lucky enough that none got picked up).

Phishing by Phone

This got caught by the spam filters:

To speed up the process, you are required to call us at our free toll free number (+61) 731-235-996 to verify your Commonwealth Maestro Card.

First time I’ve seen a phishing attack that uses (presumably VOIP) phone numbers (in this case allocated to GoTalk in Brisbane, they own 0731230000 to 0731239999 according to the search you can do here) rather than a web site (though I suspect it’s been around for a while).

Comment for Michael Carden about comment spam

I read on PLOA that Michael Carden briefly tried to open his blog for comments, only to find:

The WordPress UI balked at deleting 194,000 (okay, I ignored it for a while) comment spams. I had to dig in as admin and run a fun sql query on the database to delete all 47 meg of them.

I guess I’ve got a couple of suggestions for Michael to make his life a little easier should he decide to try again.

  1. Akismet has an option to “Automatically discard spam comments older than a month“, that might help (though it’d be nice to be able to adjust the time).
  2. Run, do not walk, to Rich Boakes most excellent Worst Offenders plugin. This will both group comments for deletion based on various criteria but also (if you have permission) add Apache “Deny From” rules for the offending IP addresses. It’s also worth bumping the number of IP addresses it can ban up, Donna’s blog is up to over 8,000 at the moment!
  3. There are also tools like Bad Behaviour to try and catch bots before they get to you and if you are a member of Project Honeypot then there is the http:BL WordPress Plugin to check and block IP’s listed as baddies there.

Anyway, I hope that helps some people out.