I've gotten a ton of spam directed at our mailing list so I set up some auto discard filters. Unfortunately I don't know regular expressions so may have misconfigured - result is some seemingly valid messages getting discarded (could be different reason than my filters).
A couple yesterday were from un-subscribed users. but usually I get a bounce saying it is held for moderation.. though not in this case. I don't always check the auto discard messages because of the number of them, but a registered user sent an email that never showed up as a bounce (held for moderation) or as accepted, so I assume it was auto discarded as well.
Here's my filter config for subject:
^Subject: .*Phentermine ^Subject: .*F\*ckbuddy ^Subject: .*H00kup ^Subject: .*InstaF\*ck ^Subject: .*Instacheat ^Subject: .*\(dating\)* ^Subject: .*Larisa ^Subject: .*Viagra ^Subject: .*on line* ^Subject: .*pills ^Subject: .*Cialis ^Subject: .*Yulia ^Subject: .*rewarded ^Subject: .*viagra ^Subject: .*Orgasm ^Subject: .*Russia ^Subject: .*my gentle sun* ^Subject: .*Good day to you* ^Subject: .*Do.not.write.me* ^Subject: .*Casino ^Subject: .*Your invoice* ^Subject: .*Re\:Hey* ^Subject: .*Ukraine ^Subject: .*Re\:You ^Subject: .*Wives ^Subject: .*PowerPack ^Subject: .*our.communication* ^Subject: .*easy.money* ^Subject: .*Live.Chat* ^Subject: .*Games.and.profits* ^Subject: .*new.message* ^Subject: .*\?\?\?\?* ^Subject: .*SuperDiscount ^Subject: .*Easily.Earn* ^Subject: .*help.you.earn* ^Subject: .*let\'s.chat* ^Subject: .*I.am.on\-line* ^Subject: .*Making.\$* ^Subject: .*\(on\-line.now\) ^Subject: .*Xenical ^Subject: .*cure.yourself ^Subject: .*celexa ^Subject: .*binary.options ^Subject: .*Re\:.don\'t ^Subject: .*effective.tabs ^Subject: .*ED\! ^Subject: .*lexapro ^Subject: .*big.deal\! ^Subject: .*your.vigor ^Subject: .*boner ^Subject: .*medications ^Subject: .*buy.meds ^Subject: .*lasting.erection ^Subject: .*RE\:.Pure ^Subject: .*pure.joy ^Subject: .*hey\! ^Subject: .*online.trade ^Subject: .*ED.remedy ^Subject: .*answer\! ^Subject: .*best.meds ^Subject: .*powerful.meds ^Subject: .*start.trading ^Subject: .*RE\:.Now ^Subject: .*RE\:.loan ^Subject: .*sex ^Subject: .*fantasies ^Subject: .*make.money ^Subject: .*your.depression ^Subject: .*antidepressant ^Subject: .*impotence ^Subject: .*anti.depression ^Subject: .*our.portal ^Subject: .*without.depression ^Subject: .*bright.life ^Subject: .*amorous
and legacy: # Lines that *start* with a '#' are comments. to: friend@public.com message-id: relay.comanche.denmark.eu from: list@listme.com from: .*@uplinkpro.com
and email:
^[^@]+@bcira\.com$ ^[^@]+@airablo\.com$ ^[^@]+@bfklaw\.com$ ^[^@]+@bettella\.com$ ^[^@]+@areallycool\.com$ ^[^@]+@aristo-tec\.com$ ^[^@]+@benallgood\.com$ ^[^@]+@al-meshkah\.com$ ^[^@]+@atoccs\.stream$ ^[^@]+@authors\.com$ ^[^@]+@aulson\.com$ ^[^@]+@atmyx\.bid$ ^[^@]+@airtecperforms\.com$ vmservice@nomekennelclub.com ^[^@]+@.+\.loan$ ^[^@]+@.+\.stream$ ^[^@]+@.+\.trade$ ^[^@]+@.+\.bid$ ^[^@]+@.+\.cn$ ^[^@]+@postingmuscle\.com$ ^[^@]+@adirondack\.net$ ^[^@]+@bicycleexpertwitness\.com$ ^[^@]+@allpoetry\.com$ ^[^@]+@autecsafety\.com$ ^[^@]+@proshred\.com$ ^[^@]+@archangel-films\.com$ ^[^@]+@alansphotos\.com$ ^[^@]+@agoprofil\.com$ ^[^@]+@readytech\.com$ ^[^@]+@blakecarrington\.com$ ^[^@]+@bigcatcafe\.com$ ^[^@]+@biovectra\.com$ ^[^@]+@blueridgeknives\.com$ ^[^@]+@akarenga\.com$ ^[^@]+@appetez\.com$ ^[^@]+@angelaortiz\.com$ ^[^@]+@agridfencing\.com$ ^[^@]+@blumenstetter-bindesysteme\.com$ ^[^@]+@alienwebhost\.com$ ^[^@]+@barkingcafe\.com$ ^[^@]+@babynamegenie\.com$ ^[^@]+@bluechick\.com$ ^[^@]+@bienenstock\.com$ ^[^@]+@askwith\.com$ ^[^@]+@bespoke-fp\.com$ ^[^@]+@alcoa\.com$ ^[^@]+@fotolia\.com$ ^[^@]+@betsonenterprises\.com$ ^[^@]+@argentinosonline\.com$ ^[^@]+@adeptus\.com$ dgimmingan@gci.net ^[^@]+@andover-healthcare\.com$ ^[^@]+@bearablemoments\.com$ ^[^@]+@avexnet\.com$ ^[^@]+@avidnano\.com$ ^[^@]+@amcarco\.com$ ^[^@]+@biyougeka-kensakuya\.com$ ^[^@]+@albawardi\.com$ ^[^@]+@barrao\.com$ ^[^@]+@affordableweddinggown\.com$ ^[^@]+@barshield\.com$ ^[^@]+@autographink\.com$ ^[^@]+@blankethealthinsurance\.com$ ^[^@]+@alfredojunior\.com$ ^[^@]+@marketingautomationtools\.org$ ^[^@]+@wexonex\.com$ ^[^@]+@bargedirect\.com$ ^[^@]+@blacktoastintolerance\.com$ ^[^@]+@bada-bing\.com$ ^[^@]+@africanews\.com$ ^[^@]+@marketplace\.amazon\.co\.uk$ ^[^@]+@blazingworld\.com$ ^[^@]+@csu\.edu$ ^[^@]+@artecollezione\.com$ ^[^@]+@billupsdesign\.com$ ^[^@]+@art4sale\.com$ ^[^@]+@bdwt\.com$ ^[^@]+@architechies\.com$ ^[^@]+@banklife\.comfe\.com$ ^[^@]+@aveek\.com$ ^[^@]+@adweek\.com$ ^[^@]+@allendistribution\.com$ ^[^@]+@1800radiator\.com$ ^[^@]+@alarabiaco\.com$ ^[^@]+@boldconcepts\.com$ ^[^@]+@andersonvaluationgroup\.com$ ^[^@]+@armandbasi\.com$ ^[^@]+@arastra\.com$ ^[^@]+@arcticspassaskatoon\.com$ ^[^@]+@aubreynorris\.com$ ^[^@]+@bctc\-lb\.com$ ^[^@]+@alongtheway\.com$ ^[^@]+@espbs\.net$ ^[^@]+@allthingsdigital\.com$ ^[^@]+@adinfocenter\.com$ ^[^@]+@arabize\.com$ ^[^@]+@giesting\.com$ ^[^@]+@.+\.co\.nz$ ^[^@]+@morebusinesswithfacebook\.com$ ^[^@]+@.+\.de$ ^[^@]+@.+\.ru$ ^[^@]+@.+\.ca$ ^parsons@nome\.net$
The subject on one discarded msg was (from unsubscribed user - just used wrong email): MEDITATION! RURAL BUSINESS FINANCE! Register today.
And another subject same situation: SPARC MEETING
Message sources didn't give me any clues, but I could provide one if it would help.
thx, JD
I can’t help you - but are you sure that you want to exclude all German addresses (.de) from your list?
Christian
--
Christian F. Buser, Hohle Gasse 6, CH-5507 Mellingen (Switzerland)
Hilfe für Strassenkinder in Ghana: http://www.chance-for-children.org
Good question! Nothing against Germany, but the list is strictly local community stuff. If someone with that domain moved here, I would remove that block. But it was easy to block whole countries rather than individual spammers.
On Feb 16, 2018 12:27, "Christian F Buser" luscheina@yahoo.de wrote:
I can’t help you - but are you sure that you want to exclude all German addresses (.de) from your list?
Christian
-- Christian F. Buser, Hohle Gasse 6, CH-5507 Mellingen (Switzerland) Hilfe für Strassenkinder in Ghana: http://www.chance-for-children.org
On 02/16/2018 11:09 AM, Jim Dory wrote:
I've gotten a ton of spam directed at our mailing list so I set up some auto discard filters. Unfortunately I don't know regular expressions so may have misconfigured - result is some seemingly valid messages getting discarded (could be different reason than my filters).
A couple yesterday were from un-subscribed users. but usually I get a bounce saying it is held for moderation.. though not in this case. I don't always check the auto discard messages because of the number of them, but a registered user sent an email that never showed up as a bounce (held for moderation) or as accepted, so I assume it was auto discarded as well.
First, you need to look at logs. Mailman's vette log will have a message like
Message discarded, msgid: ...' list: ..., handler: ...
for each discarded message. In the case of header_filter_rules, the handler will be SpamDetect.
Note that if you change the action to Hold,the vette log message will be
<listname> post from <sender> held, message-id=<...>: <reason>
and if your Mailman is 2.1.26, <reason> will tell you which regexp matched. Prior to 2.1.26 it just says "message matched a filter rule"
Here's my filter config for subject: ...
You should be aware that these regexps are matched case-insensitively. You can't make them be case-sensitive.
and legacy: # Lines that *start* with a '#' are comments.
For bounce_matching_headers it appears you just have the defaults which probably never match as they are over 15 years old, and these result in Holds, not Discards.
and email:
...
If these are in discard_these_nonmembers, the handler will be Moderate.
The subject on one discarded msg was (from unsubscribed user - just used wrong email): MEDITATION! RURAL BUSINESS FINANCE! Register today.
And another subject same situation: SPARC MEETING
Message sources didn't give me any clues, but I could provide one if it would help.
How are you seeing these things if the messages are discarded?
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
We are on Mailman 2.1.23. CPanel version.
Here is a typical auto discard vette log entry from a guy who isn't subscribed on the particular email he used, but is on other email addresses:
Feb 16 18:13:35 2018 (1341) Message discarded, msgid: < CALKxJoSAAhuBCRZCmmbWFpsrCjdZPwiwy--N95_1BDk4kniMGw@mail.gmail.com>' list: Nome-announce, handler: Moderate
This message went to a nome-announce.bounces "Auto discard notification" I can actually see the message in that notification.
What has changed in the last month or two is when a non-member used to try to post, I would get a nome-announce-bounces "Nome-announce post from someone@nome.net requires approval" and the message would be "Post to a moderated list". In that case I could then go into the administrative interface "Tend to pending moderator requests" and review who had tried to post and act on it one way or another. If it was a local non-spam email I could write to the person and tell them to subscribe and give instructions, or to use their subscribed email account. But now it seems like if anyone tries to post with an unsubscribed account, I don't see them unless I go through the (up to) hundreds of "Auto discard notification"s. So I'm thinking now it isn't to do with any of my spam filters because I haven't touched them for several months.. except I did add that ^parsons@nome\.net$ last entry in the sender filters not too long ago.
On Fri, Feb 16, 2018 at 7:04 PM, Mark Sapiro mark@msapiro.net wrote:
On 02/16/2018 11:09 AM, Jim Dory wrote:
I've gotten a ton of spam directed at our mailing list so I set up some auto discard filters. Unfortunately I don't know regular expressions so may have misconfigured - result is some seemingly valid messages getting discarded (could be different reason than my filters).
A couple yesterday were from un-subscribed users. but usually I get a bounce saying it is held for moderation.. though not in this case. I don't always check the auto discard messages because of the number of them, but a registered user sent an email that never showed up as a bounce (held for moderation) or as accepted, so I assume it was auto discarded as well.
First, you need to look at logs. Mailman's vette log will have a message like
Message discarded, msgid: ...' list: ..., handler: ...
for each discarded message. In the case of header_filter_rules, the handler will be SpamDetect.
Note that if you change the action to Hold,the vette log message will be
<listname> post from <sender> held, message-id=<...>: <reason>
and if your Mailman is 2.1.26, <reason> will tell you which regexp matched. Prior to 2.1.26 it just says "message matched a filter rule"
Here's my filter config for subject: ...
You should be aware that these regexps are matched case-insensitively. You can't make them be case-sensitive.
and legacy: # Lines that *start* with a '#' are comments.
For bounce_matching_headers it appears you just have the defaults which probably never match as they are over 15 years old, and these result in Holds, not Discards.
and email:
...
If these are in discard_these_nonmembers, the handler will be Moderate.
The subject on one discarded msg was (from unsubscribed user - just used wrong email): MEDITATION! RURAL BUSINESS FINANCE! Register today.
And another subject same situation: SPARC MEETING
Message sources didn't give me any clues, but I could provide one if it would help.
How are you seeing these things if the messages are discarded?
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/ mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/ james%40dorydesign.com
On 02/16/2018 11:55 PM, Jim Dory wrote:
We are on Mailman 2.1.23. CPanel version.
Here is a typical auto discard vette log entry from a guy who isn't subscribed on the particular email he used, but is on other email addresses:
Feb 16 18:13:35 2018 (1341) Message discarded, msgid: < CALKxJoSAAhuBCRZCmmbWFpsrCjdZPwiwy--N95_1BDk4kniMGw@mail.gmail.com>' list: Nome-announce, handler: Moderate
This is a normal non-member discard. it is either because the non-member address is in discard_these_nonmembers or not in any *_these_nonmembers and generic_nonmember_action is Discard.
This message went to a nome-announce.bounces "Auto discard notification" I can actually see the message in that notification.
Right. I forgot about forward_auto_discards.
What has changed in the last month or two is when a non-member used to try to post, I would get a nome-announce-bounces "Nome-announce post from someone@nome.net requires approval" and the message would be "Post to a moderated list".
That should only happen if the post is from a member whose mod bit is set and member_moderation_action is Hold.
In that case I could then go into the administrative interface "Tend to pending moderator requests" and review who had tried to post and act on it one way or another. If it was a local non-spam email I could write to the person and tell them to subscribe and give instructions, or to use their subscribed email account.
What you are describing is more like a post being held because generic_nonmember_action is Hold, but then the reason is 'Post by non-member to a members-only list'
But now it seems like if anyone tries to post with an unsubscribed account, I don't see them unless I go through the (up to) hundreds of "Auto discard notification"s. So I'm thinking now it isn't to do with any of my spam filters because I haven't touched them for several months.. except I did add that ^parsons@nome\.net$ last entry in the sender filters not too long ago.
It has nothing to do with your spam filters. I think you, perhaps inadvertently, changed Privacy options... -> Sender filters -> generic_nonmember_action from Hold to Discard.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Thanks for your help Mark.. I think your last sentence nailed it.
/jim
On Fri, Feb 16, 2018 at 11:18 PM, Mark Sapiro mark@msapiro.net wrote:
On 02/16/2018 11:55 PM, Jim Dory wrote:
We are on Mailman 2.1.23. CPanel version.
Here is a typical auto discard vette log entry from a guy who isn't subscribed on the particular email he used, but is on other email addresses:
Feb 16 18:13:35 2018 (1341) Message discarded, msgid: < CALKxJoSAAhuBCRZCmmbWFpsrCjdZPwiwy--N95_1BDk4kniMGw@mail.gmail.com>' list: Nome-announce, handler: Moderate
This is a normal non-member discard. it is either because the non-member address is in discard_these_nonmembers or not in any *_these_nonmembers and generic_nonmember_action is Discard.
This message went to a nome-announce.bounces "Auto discard notification" I can actually see the message in that notification.
Right. I forgot about forward_auto_discards.
What has changed in the last month or two is when a non-member used to try to post, I would get a nome-announce-bounces "Nome-announce post from someone@nome.net requires approval" and the message would be "Post to a moderated list".
That should only happen if the post is from a member whose mod bit is set and member_moderation_action is Hold.
In that case I could then go into the administrative interface "Tend to pending moderator requests" and review who had tried to post and act on it one way or another. If it was a local non-spam email I could write to the person and tell them to subscribe and give instructions, or to use their subscribed email account.
What you are describing is more like a post being held because generic_nonmember_action is Hold, but then the reason is 'Post by non-member to a members-only list'
But now it seems like if anyone tries to post with an unsubscribed account, I don't see them unless I go through the (up to) hundreds of "Auto discard notification"s. So I'm thinking now it isn't to do with any of my spam filters because I haven't touched them for several months.. except I did add that ^parsons@nome \.net$ last entry in the sender filters not too long ago.
It has nothing to do with your spam filters. I think you, perhaps inadvertently, changed Privacy options... -> Sender filters -> generic_nonmember_action from Hold to Discard.
-- Mark Sapiro mark@msapiro.net The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/ mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/ james%40dorydesign.com
participants (3)
-
Christian F Buser -
Jim Dory -
Mark Sapiro