Re: Problems with Received: header checks and ALL_TRUSTED rule...
Anthony Kamau wrote:
> How then can I tell spamassassin to fire the ALL_TRUSTED rule if the connecting host is on the trusted list and ignore further Received: header checks? I have read Mail::SpamAssassin::Conf help file but cannot find the solution yet. I thought the whitelist_allows_relays would help, but I'm not too sure what that does! Is there a better source of documentation somewhere?

msa_networks
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Daryl C. W. O'Shea wrote:
> Anthony Kamau wrote:
>> How then can I tell spamassassin to fire the ALL_TRUSTED rule if the connecting host is on the trusted list and ignore further Received: header checks? I have read Mail::SpamAssassin::Conf help file but cannot find the solution yet. I thought the whitelist_allows_relays would help, but I'm not too sure what that does! Is there a better source of documentation somewhere?
>
> msa_networks

That's only available with 3.2, though, so you'll either need to patch SA [1] or do something else [2].

Daryl

[1] http://people.apache.org/~dos/sa-patches/msa_networks.3.1
[2] http://wiki.apache.org/spamassassin/DynablockIssues
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Thanks Daryl.

I've done a little bit of reading on msa_networks and it appears I need to upgrade to SA 3.2.x to get this added benefit - correct?

Cheers,
AK.

-----Original Message-----
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 June 2007 4:07 PM
To: Anthony Kamau
Cc: SpamAssassin Mailing List
Subject: Re: Problems with Received: header checks and ALL_TRUSTED rule...

Anthony Kamau wrote:
> How then can I tell spamassassin to fire the ALL_TRUSTED rule if the connecting host is on the trusted list and ignore further Received: header checks? I have read Mail::SpamAssassin::Conf help file but cannot find the solution yet. I thought the whitelist_allows_relays would help, but I'm not too sure what that does! Is there a better source of documentation somewhere?

msa_networks
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Anthony Kamau wrote:
> Thanks Daryl.
>
> I've done a little bit of reading on msa_networks and it appears I need to upgrade to SA 3.2.x to get this added benefit - correct?

Yeah, I missed that you were using 3.1.7 in my first reply. If you can't upgrade I think that the 3.1 patch for msa_networks still applies cleanly to 3.1.7 (maybe even 3.1.9).

Daryl
Re: sa-update claims it's up to date
On 6/13/07, Theo Van Dinter [EMAIL PROTECTED] wrote:
> On Wed, Jun 13, 2007 at 01:44:43PM +1000, Hans Holt wrote:
>> I've been running sa-update daily ever since, sa-update claims that no newer updates are available. The version sa-update downloaded the
>
> There haven't been 3.1 updates in a while, fwiw. The 3.2 updates are different from the 3.1 updates, and may or may not have different rules. When we get more time/more people, there should be more 3.1 updates. (I used to do them, but then work took over all my time, so ...)

Thanks for that. Is there an approximate lifespan given to a particular spamassassin release? I realise much is dependent on the time sa contributors can spare to work on the project, but is there a time frame beyond which rule updates for the 3.1.x releases definitely will not be available and upgrading spamassassin itself is the only option?

Thank you

Regards
Hans
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Thanks a ton Daryl.

I've patched my SA 3.1.7 per [1] and it is working as expected.

Cheers,
AK.

-----Original Message-----
From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 13 June 2007 4:15 PM
To: Anthony Kamau
Cc: SpamAssassin Mailing List
Subject: Re: Problems with Received: header checks and ALL_TRUSTED rule...

That's only available with 3.2, though, so you'll either need to patch SA [1] or do something else [2].

Daryl

[1] http://people.apache.org/~dos/sa-patches/msa_networks.3.1
[2] http://wiki.apache.org/spamassassin/DynablockIssues
RE: emails to non existent recipients -- forward to spam honey pot.
Very interesting question !
I don't have any idea about how to do this but I'm interested in answers too ! :-)

-----Original Message-----
From: mbano [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 12 June 2007 19:03
To: users@spamassassin.apache.org
Subject: emails to non existent recipients -- forward to spam honey pot.

Hallo all,
is there a way to higher score the email sent to non-existent local recipient (detected via ldap) and even so collect them to honey pot, spam account for re-feed the bayes. especially if the sender is the same ..

thanks for ideas...
cheers Marco

--
View this message in context: http://www.nabble.com/emails-to-non-existent-recipientsforward-to-spam-honey-pot.-tf3908794.html#a11082818
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: How to decrease the bayes database size
Thanks Theo for these useful answers.

As we're using auto_learn and never use sa-learn by hand, is there a more particular risk if we simply delete the file?

Here's the configuration we use about Bayes:

use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

-----Original Message-----
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 12 June 2007 17:06
To: users@spamassassin.apache.org
Subject: Re: How to decrease the bayes database size

On Tue, Jun 12, 2007 at 10:07:15AM +0200, Stéphane LEPREVOST wrote:
> Thanks for this tip but what about the efficiency of the Bayes Database after this operation?

The _seen database just tracks which mails have been learned from, and has no effect on the ratings coming out of the Bayes system.

> Is there a way to export the real records of the file before deleting it and then re-import them back to it? Shall we use something similar to check_whitelist and trim_whitelist tools?

There'd be no point to that, entries are only deleted rarely (whenever you do a sa-learn --forget), otherwise they're just added. If you're not worried about relearning the same mail, then just delete the seen DB file.

--
Randomly Selected Tagline:
Last year we drove across the country... We switched on the driving... every half mile. We had one cassette tape to listen to on the entire trip. I don't remember what it was. -- Steven Wright
Re: How to decrease the bayes database size
Stéphane LEPREVOST wrote:
> Thanks Theo for these useful answers.
>
> As we're using auto_learn and never use sa-learn by hand, is there a more particular risk if we simply delete the file?
>
> Here's the configuration we use about Bayes:
>
> use_bayes 1
> use_bayes_rules 1
> bayes_auto_learn 1
>
> -----Original Message-----
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 12 June 2007 17:06
> To: users@spamassassin.apache.org
> Subject: Re: How to decrease the bayes database size
>
> On Tue, Jun 12, 2007 at 10:07:15AM +0200, Stéphane LEPREVOST wrote:
> > Thanks for this tip but what about the efficiency of the Bayes Database after this operation?
>
> The _seen database just tracks which mails have been learned from, and has no effect on the ratings coming out of the Bayes system.
>
> > Is there a way to export the real records of the file before deleting it and then re-import them back to it? Shall we use something similar to check_whitelist and trim_whitelist tools?
>
> There'd be no point to that, entries are only deleted rarely (whenever you do a sa-learn --forget), otherwise they're just added. If you're not worried about relearning the same mail, then just delete the seen DB file.
>
> --
> Randomly Selected Tagline:
> Last year we drove across the country... We switched on the driving... every half mile. We had one cassette tape to listen to on the entire trip. I don't remember what it was. -- Steven Wright

Thank you all for these useful answers. I have deleted the bayes_seen file and things are looking better now. Not perfect. Sometimes I get an amavisd process with a memory load of 2 GB. This seems really out of proportion.

17581 amavis25 0 2549M 2.1G 444 R21.9 72.1 3:15 1 amavisd

This process goes away, but really slows things down. Could this be a corrupt database, or should I look at a different angle?

Greetings...
Richard
[OT] RDJ RulesDuJour Updates dont lint
Hello! Any tips?

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:
mv -f /etc/mail/spamassassin/tripwire.cf /etc/mail/spamassassin/RulesDuJour/99_FVGT_Tripwire.cf.2;
mv -f /etc/mail/spamassassin/RulesDuJour/tripwire.cf.20070613-0836 /etc/mail/spamassassin/tripwire.cf;
mv -f /etc/mail/spamassassin/blacklist.cf /etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.2;
mv -f /etc/mail/spamassassin/RulesDuJour/blacklist.cf.20070613-0836 /etc/mail/spamassassin/blacklist.cf;
mv -f /etc/mail/spamassassin/blacklist-uri.cf /etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf.2;
mv -f /etc/mail/spamassassin/RulesDuJour/blacklist-uri.cf.20070613-0836 /etc/mail/spamassassin/blacklist-uri.cf;
mv -f /etc/mail/spamassassin/70_sc_top200.cf /etc/mail/spamassassin/RulesDuJour/70_sc_top200.cf.2;
mv -f /etc/mail/spamassassin/RulesDuJour/70_sc_top200.cf.20070613-0836 /etc/mail/spamassassin/70_sc_top200.cf;
mv -f /etc/mail/spamassassin/70_sare_genlsubj.cf /etc/mail/spamassassin/RulesDuJour/70_sare_genlsubj.cf.2;
mv -f /etc/mail/spamassassin/RulesDuJour/70_sare_genlsubj.cf.20070613-0836 /etc/mail/spamassassin/70_sare_genlsubj.cf;
mv -f /etc/mail/spamassassin/70_sare_uri3.cf /etc/mail/spamassassin/RulesDuJour/70_sare_uri3.cf.2;
mv -f /etc/mail/spamassassin/RulesDuJour/70_sare_uri3.cf.20070613-0837 /etc/mail/spamassassin/70_sare_uri3.cf;

Lint output:
[18730] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0SCRIPT Language=JavaScriptvar coupon1= 268980629;var coupon2= 304354668;var style1= 519728833;var style2= 192774663;var add = coupon1+coupon2+style1+style2;document.cookie=NSC_DOSP=+add+;path=/;window.location=window.location.href;window.focus();/SCRIPT/HEAD/HTML
[18730] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0SCRIPT Language=JavaScriptvar coupon1= 268980629;var coupon2= 304354668;var style1= 519728833;var style2= 192774663;var add = coupon1+coupon2+style1+style2;document.cookie=NSC_DOSP=+add+;path=/;window.location=window.location.href;window.focus();/SCRIPT/HEAD/HTML
[18730] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0SCRIPT Language=JavaScriptvar coupon1= 268980629;var coupon2= 304354668;var style1= 519728833;var style2= 192774663;var add = coupon1+coupon2+style1+style2;document.cookie=NSC_DOSP=+add+;path=/;window.location=window.location.href;window.focus();/SCRIPT/HEAD/HTML
[18730] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0.1
[18730] warn: config: failed to parse line, skipping: META HTTP-EQUIV=Pragma CONTENT=no-cache
[18730] warn: config: failed to parse line, skipping: META HTTP-EQUIV=Expires CONTENT=-1
[18730] warn: config: failed to parse line, skipping: /HEAD/HTML
[18730] warn: lint: 7 issues detected, please rerun with debug enabled for more information

--
Thx for your help!
MH
Dont send mail to: [EMAIL PROTECTED]
--
Re: [OT] RDJ RulesDuJour Updates dont lint
Hi!

> /etc/mail/spamassassin/tripwire.cf; mv -f /etc/mail/spamassassin/blacklist.cf /etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.2; mv -f /etc/mail/spamassassin/RulesDuJour/blacklist.cf.20070613-0836 /etc/mail/spamassassin/blacklist.cf; mv -f
> coupon1+coupon2+style1+style2;document.cookie=NSC_DOSP=+add+;path=/;window.location=window.location.href;window.focus();/SCRIPT/HEAD/HTML
> [18730] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0SCRIPT Language=JavaScriptvar coupon1=

What about you check the content of those files first before mailing the list? Seems you have broken files, eg, HTML errors inside them. Pretty obvious.

Bye,
Raymond.
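
The check suggested in this reply can be run on downloaded rule files before `spamassassin --lint` ever sees them. The following is an added example, not part of the thread or of RulesDuJour; the function names, file names and sample contents are constructed, and it assumes that no valid rule line begins with an HTML tag.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a SpamAssassin rule line never *begins* with an HTML tag, so a
# line that does means a web page (error page, redirect, JavaScript challenge)
# was saved under a .cf name instead of the rule set.
TAG_AT_START = re.compile(
    r"^\s*</?(!doctype|html|head|meta|script|body|title)\b", re.IGNORECASE
)

def html_lines(text):
    """Return the 1-based numbers of lines that look like HTML, not rules."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are legal in a rule file
        if TAG_AT_START.match(line):
            hits.append(number)
    return hits

def audit_rules_dir(directory):
    """Map each *.cf file in directory to its HTML-looking line numbers."""
    report = {}
    for path in sorted(Path(directory).glob("*.cf")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = html_lines(text)
        if hits:
            report[path.name] = hits
    return report

# Constructed sample: a legitimate rule file. The regex inside the rule
# mentions <html>, but not at the start of the line, so it is not flagged.
GOOD_CF = """\
# constructed sample rule file
header   LOCAL_DEMO_SUBJ  Subject =~ /<html>/i
describe LOCAL_DEMO_SUBJ  Subject contains an HTML tag
score    LOCAL_DEMO_SUBJ  0.1
"""

# Constructed sample: a refresh page of the kind the lint output points to.
BAD_CF = """\
<HTML><HEAD><META HTTP-EQUIV="Refresh" CONTENT="0.1">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD></HTML>
"""

def demo():
    """Write both samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "local_demo.cf").write_text(GOOD_CF)
        Path(tmp, "downloaded_demo.cf").write_text(BAD_CF)
        return audit_rules_dir(tmp)

if __name__ == "__main__":
    for name, lines in demo().items():
        print("%s: HTML on lines %s, do not install" % (name, lines))
```

A non-empty report means the download step fetched a web page rather than rules, so the file should be discarded and fetched again rather than copied into /etc/mail/spamassassin.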
RE: These are getting through SA...
What happens if Botnet is patched to use Mail::SpamAssassin::DnsResolver instead of Net::DNS::Resolver?

I'm musing about Net::DNS::Resolver's default timeouts and retries...

Phil (probably barking up the wrong tree)

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: Bill Landry [mailto:[EMAIL PROTECTED]
Sent: 12 June 2007 23:30
To: users@spamassassin.apache.org
Subject: Re: These are getting through SA...

Mark Martinec wrote the following on 6/12/2007 3:05 PM -0800:
> Bill,
>
>> Mark, just curious if you are running Botnet? I found that some messages cause the Botnet RDNS test to timeout after hanging for about 30 seconds, and then network test randomly fail (primarily URIBL tests). I found that if I disable Botnet, then all network tests will run fine on the very same messages.
>
> Thanks, looks like the same cause (Botnet runs with Razor, dcc, etc., before the first and the second round of DNS launches). Please try the patch attached to http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5511 (applies to SA 2.3.1 or 2.3.0), it is likely to fix these symptoms too.
>
> Mark

Mark, I patched Dns.pm but this didn't resolve the issue for me. You can test with the sample messages I posted to bugzilla: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5506

The only way I can get the URIBL tests to report hits is to run the messages through SA without the headers (samples without headers also posted to the bugzilla).

Bill
Re: Errors in logs after upgrade from debian sarge to etch
Ok, I saw the upgrade file. I've done quite a bit of modifications on the local.cf file. But I still get a bunch of errors when restarting spamd. Any help?

On Tuesday 12 June 2007 at 21:06 +0200, LESOUEF Emmanuel wrote:
> Hello,
>
> After upgrading SA from 3.0 to 3.1, I get the attached logs when I restart spamd. This seems to be a configuration error. In fact, the local.cf file has been written for the 3.0 version. Can someone help me with it?
>
> Thanks.
>
> --
> Emmanuel Lesouef
> DSI | CRBN
> t : 0231069671
> m : [EMAIL PROTECTED]

--
Emmanuel Lesouef
CRBN | DSI
t : 0231069671
m : [EMAIL PROTECTED]
RE: emails to non existent recipients -- forward to spam honey pot.
> Very interesting question !
> I don't have any idea about how to do this but I'm interested in answers too ! :-)
>
> -----Original Message-----
> From: mbano [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 12 June 2007 19:03
> To: users@spamassassin.apache.org
> Subject: emails to non existent recipients -- forward to spam honey pot.
>
> Hallo all,
> is there a way to higher score the email sent to non-existent local recipient (detected via ldap) and even so collect them to honey pot, spam account for re-feed the bayes. especially if the sender is the same ..
>
> thanks for ideas...
> cheers Marco
> --

Ideally your MTA should check that the recipient does not exist in ldap, and then either
- refuse the mail completely at the RCPT command
- redirect the mail to sa-learn (it is most likely spam) and then issue a 5xx error in response to the DATA command (if the message really was a typo, the sender will be informed that it could not be delivered)

Further, you might want to check your mails whether you can reject mails from your own address (our roaming users are required to auth). Note: some time ago ebay was sending certain mails this way ... they should have learned by now that this will also trigger spf, dkim, etc.

Wolfgang Hamann
Re: No buffer space available
spamd[46771]: bayes: cannot open bayes databases /usr/local/share/spamassassin/bayes_* R/W: lock failed: No buffer space available

That wouldn't be TCP buffers. It's doing file I/O not network I/O.

Since it's file buffers, which on nearly every OS are dynamic, it implies Mike's machine is out-of-memory.

Is berkeley database on a local disk? Make sure to use:

lock_method flock

Mark
Looks like image spam is coming back (fuzzyocr useless in this situation)
Some weeks ago I posted a message about fuzzyocr not scoring a spam contents gif file with a broken frame. I got confirmation in the list from Keith De Souza being able to reproduce the problem. Well, it looks like spammers have found their way to deal with fuzzyocr. These days we're getting more and more of those image spam messages.

If anyone is interested in testing the file, here it is: http://www.anfitrion.net/MvPmAyp9yb.gif

Analysis to the gif file shows that frame #3 is broken. I'm thinking of disabling fuzzyocr for the time being until the problem is solved. However, fuzzyocr is still doing a good job on other files.

Does anybody have a suggestion or clue on how to solve this? Is there a way for fuzzyocr to consider these broken gif images as indecipherable and mark them accordingly?

TIA
Ignacio
Re: These are getting through SA...
Phil,

> What happens if Botnet is patched to use Mail::SpamAssassin::DnsResolver instead of Net::DNS::Resolver?
>
> I'm musing about Net::DNS::Resolver's default timeouts and retries...
>
> Phil (probably barking up the wrong tree)

It would do good if Botnet would impose a time limit on its DNS queries. It would also sidestep the Dns.pm problem, but not fix it. If the time spent by Razor+dcc+Botnet+(not sure what else) is longer than rbl_timeout, then replies to RBL queries are thrown away by mistake.

Mark
Re: Looks like image spam is coming back (fuzzyocr useless in this situation)
On Wed, June 13, 2007 10:08, Oenus Tech Services wrote:
> I'm thinking of disabling fuzzyocr for the time being until the problem is solved. However, fuzzyocr is still doing a good job on other files. Does anybody have a suggestion or clue on how to solve this? Is there a way for fuzzyocr to consider this broken gif images as indecipherable and mark it accordingly?

The FuzzyOcr cf file on my system indicates that it scores corrupted GIF files. Might want to check whether you're on the most recent version, and how it actually works this out (which tool does it basically).
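
One way to work out that a GIF is corrupted, and at which frame, is to walk its block structure without decoding any pixels. This is an added example, not FuzzyOcr's code and not from the thread; the function names and the sample files are constructed, and because it does not decode the LZW data it only detects container-level damage (truncated sub-blocks, unknown block types, a missing trailer).

```python
import struct

class GifError(Exception):
    """Raised when the block structure stops making sense."""

def _skip_sub_blocks(data, pos):
    """Walk length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise GifError("data ends inside a sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        if pos + size > len(data):
            raise GifError("sub-block claims %d bytes, %d left" % (size, len(data) - pos))
        pos += size

def _color_table_len(flags):
    """Byte length of the colour table announced by a packed-flags byte."""
    return 3 * (2 << (flags & 0x07)) if flags & 0x80 else 0

def check_gif(data):
    """Return (complete_frames, error); error is None for a well-formed file."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return 0, "missing GIF header or logical screen descriptor"
    pos = 13 + _color_table_len(data[10])        # skip the global colour table
    frames = 0
    try:
        while True:
            if pos >= len(data):
                raise GifError("file ends without a trailer")
            kind = data[pos]
            pos += 1
            if kind == 0x3B:                     # trailer: clean end of file
                return frames, None
            if kind == 0x21:                     # extension: label + sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif kind == 0x2C:                   # image descriptor: one frame
                if pos + 9 > len(data):
                    raise GifError("image descriptor truncated")
                pos += 9 + _color_table_len(data[pos + 8])
                if pos >= len(data):
                    raise GifError("LZW code size byte missing")
                if not 2 <= data[pos] <= 8:
                    raise GifError("LZW minimum code size %d out of range" % data[pos])
                pos = _skip_sub_blocks(data, pos + 1)
                frames += 1
            else:
                raise GifError("unknown block type 0x%02X" % kind)
    except GifError as exc:
        return frames, "after %d complete frame(s): %s" % (frames, exc)

def is_indecipherable(data):
    """True when the file should be scored as corrupt rather than passed to OCR."""
    return check_gif(data)[1] is not None

# Constructed samples: a 1x1 image with a two-entry global colour table.
HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
DESCRIPTOR = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
FRAME = DESCRIPTOR + b"\x02" + b"\x02\x4C\x01" + b"\x00"
GOOD_GIF = HEADER + FRAME * 3 + b"\x3B"
# Third frame announces a 16-byte sub-block but the file stops after 2 bytes.
BROKEN_GIF = HEADER + FRAME * 2 + DESCRIPTOR + b"\x02" + b"\x10\x4C\x01"
# A stray byte where a block introducer is expected.
JUNK_GIF = HEADER + FRAME + b"\x99" + FRAME + b"\x3B"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_GIF), ("broken", BROKEN_GIF), ("junk", JUNK_GIF)):
        print(name, check_gif(blob))
```

A file for which `is_indecipherable` returns true can be given a fixed score of its own instead of being handed to the OCR tools.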
AW: Looks like image spam is coming back (fuzzyocr useless in this situation)
we also get many of these and FuzzyOcr is doing a good job here:

Inhaltsanalyse im Detail: (13.3 Punkte, 5.0 benötigt)

Pkte Regelname              Beschreibung
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Unnötige Parameter in Content-Type-Kopfzeile (...type=)
 1.6 FRT_LITTLE             BODY: ReplaceTags: Little
 0.0 HTML_MESSAGE           BODY: Nachricht enthält HTML
 0.0 BAYES_50               BODY: Spamwahrscheinlichkeit nach Bayes-Test: 40-60% [score: 0.5001]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.5 RAZOR2_CHECK           Gelistet im Razor2-System (http://razor.sf.net/)
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Transportiert via Rechner in Liste von www.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?213.33.168.29]
 0.1 RCVD_IN_IMP_SPAMLIST   RBL: Listed in spamrbl.imp.ch [213.33.168.29 listed in spamrbl.imp.ch]
 0.7 MY_CID_AND_STYLE       SARE cid and style
 7.0 FUZZY_OCR              BODY: Mail contains an image with common spam text inside
                            Words found:
                            addressbar in 1 lines
                            stock in 1 lines
                            cialis in 1 lines
                            viagra in 1 lines
                            xanax in 1 lines
                            (5 word occurrences found)

with details in FuzzyOCR.log:

2007-06-13 11:15:27 [16507] Saved: /tmp/.spamassassin16507iEX20Ytmp/raw.eml
2007-06-13 11:15:27 [16507] Wrote: /tmp/.spamassassin16507iEX20Ytmp/wNd2KIniaa.gif
2007-06-13 11:15:27 [16507] Found: 1 images
2007-06-13 11:15:27 [16507] Errors to: /tmp/.spamassassin16507iEX20Ytmp/raw.err
2007-06-13 11:15:27 [16507] Analyzing file with content-type=image/gif
2007-06-13 11:15:27 [16507] pfile = /tmp/.spamassassin16507iEX20Ytmp/wNd2KIniaa.gif.pnm
2007-06-13 11:15:27 [16507] efile = /tmp/.spamassassin16507iEX20Ytmp/wNd2KIniaa.gif.err
2007-06-13 11:15:27 [16507] Found GIF header name=wNd2KIniaa.gif
2007-06-13 11:15:27 [16507] Image is interlaced or animated...
2007-06-13 11:15:27 [16507] File contains 4 images, deanimating...
2007-06-13 11:15:27 [16507] Calculating the image hash: /tmp/.spamassassin16507iEX20Ytmp/wNd2KIniaa.gif.pnm
2007-06-13 11:15:27 [16507] Got: 337515:250:450:234::252:254:252:253:102091::5:4:5:4:1530::252:3:5:78:964::252:25:24:93:939::219:218:220:219:328::246:233:233:237:284
2007-06-13 11:15:35 [16507] Expiring 201:218:242:216:88485::0:0:255:29:1990::255:0:0:76:984::0:153:255:119:774::153:0:102:57:587::51:51:153:63:509 older than 35 days
2007-06-13 11:15:36 [16507] Expiring 221:255:255:245:49642::255:255:255:255:25621::0:0:255:29:1304::255:0:0:76:710::0:153:255:119:622::153:0:102:57:589 older than 35 days
2007-06-13 11:15:41 [16507] Trying: $gocr -i $pfile
2007-06-13 11:15:41 [16507] Trying: $gocr -l 180 -d 2 -i $pfile
2007-06-13 11:15:41 [16507] Trying: $ocrad -c ascii -s5 -T 0.5 $pfile
2007-06-13 11:15:41 [16507] Trying: $ocrad -c ascii -s5 $pfile
2007-06-13 11:15:42 [16507] Trying: $ocrad -c ascii -s5 -T 0.5 -i $pfile
2007-06-13 11:15:42 [16507] Found word addressbar in line intheadarssbarofyourbrowsgrhenprejstheenterkey with fuzz of 0.2000 scanned with scanset $ocrad -c ascii -s5 $pfile
2007-06-13 11:15:42 [16507] Found word stock in line lomstpcegugnxebfastoeive with fuzz of 0.2000 scanned with scanset $gocr -l 180 -d 2 -i $pfile
2007-06-13 11:15:42 [16507] Found word cialis in line iiciaiisoniyo with fuzz of 0.1667 scanned with scanset $gocr -i $pfile
2007-06-13 11:15:42 [16507] Found word cialis in line cialisonlyoo with fuzz of 0. scanned with scanset $gocr -l 180 -d 2 -i $pfile
2007-06-13 11:15:42 [16507] Found word viagra in line viagraniooii with fuzz of 0. scanned with scanset $gocr -i $pfile
2007-06-13 11:15:42 [16507] Found word viagra in line viagraonioo with fuzz of 0. scanned with scanset $gocr -l 180 -d 2 -i $pfile
2007-06-13 11:15:42 [16507] Found word viagra in line viaigraonlysoai with fuzz of 0.1667 scanned with scanset $ocrad -c ascii -s5 -T 0.5 $pfile
2007-06-13 11:15:42 [16507] Found word viagra in line viaigraonlygoai with fuzz of 0.1667 scanned with scanset $ocrad -c ascii -s5 $pfile
2007-06-13 11:15:42 [16507] Found word xanax in line xanxinlygoo with fuzz of 0.2000 scanned with scanset $gocr -i $pfile
2007-06-13 11:15:42 [16507] Found word xanax in line xanaxonlygoo with fuzz of
Re: AW: Looks like image spam is coming back (fuzzyocr useless in this situation)
Ove, could you please do me a favor and confirm that the one I have at http://www.anfitrion.net/MvPmAyp9yb.gif is also blocked? If you want, I can send an email to you with the gif attached to it. If it works for you, then the problem lays with the applications I use with FuzzyOCR to handle those gif images.

TIA,
Ignacio

Starckjohann, Ove wrote:
> we also get many of these and FuzzyOcr is doing a good job here:
Re: emails to non existent recipients -- netzero.com fixed this problem?
On a related topic, netzero.com has been refusing connections from our SMTP servers. When I queried them the response I got was:

have been blocked because we detected probe attempts. Activities like sending mail to non-existent accounts or empty connections would qualify as a dictionary search or probing for valid addresses and IP's used for such activity would be automatically blocked for a temporary period.

Subsequent communications have dealt only with the non-existent accounts. Does blocking us on this basis make any sense? And has anybody else encountered similar issues with netzero? If so, how resolved?

In their favor, they did at least respond to me. And it doesn't appear to be a robot (or if it is, at least an intelligent one) as it entered into a sort of a dialog. This is better than others who either don't respond or use a robotic response. Among these are yahoo.com, aol.com, bellsouth.net and charter.net.

I list these here not as a form of criticism as I accept the possibility that we may have something configured incorrectly or sub-optimally. My real aim is to find other postmasters who have had similar problems with these (or other sites) and discover from them what it is we may need to change.

Thanks,
Mike

On 6/12/07, Ralf Hildebrandt [EMAIL PROTECTED] wrote:
> * mbano [EMAIL PROTECTED]:
>> Hallo all,
>> is there a way to higher score the email sent to non-existent local recipient (detected via ldap) and even so collect them to honey pot, spam account for re-feed the bayes. especially if the sender is the same ..
>
> Depends on your MTA, with postfix you could for example use luser_relay.
>
> But I strongly advise AGAINST this idea, since every typo'ed address ends up being learned as spam.
>
> --
> Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED]
> Charite - Universitätsmedizin Berlin    Tel. +49 (0)30-450 570-155
> Gemeinsame Einrichtung von FU- und HU-Berlin    Fax. +49 (0)30-450 570-962
> IT-Zentrum Standort CBF    send no mail to [EMAIL PROTECTED]
RE: emails to non existent recipients -- netzero.com fixed this problem?
Some would consider 'address verification', ie connecting and doing an rcpt to then dropping a DHA.

It's bad practice, because someone can 'spam you' from forged netzero (aol, yahoo, etc) accounts, and if you do an address verification on them, you, and the billion others who decided to do that also will DOS them.

Bad practice. If it's spam, drop it and don't even try to bounce it (backscatter). Just drop it.

And, yes, netzero has every right to blacklist anyone they want, unless of course you have an explicit contract with them to the contrary.

Fighting net abuse with more net abuse is still net abuse.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time security alerts: http://www.secnap.com/news

-----Original Message-----
From: Mike Kenny [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 13, 2007 5:58 AM
To: Ralf Hildebrandt
Cc: users@spamassassin.apache.org
Subject: Re: emails to non existent recipients -- netzero.com fixed this problem?

On a related topic, netzero.com has been refusing connections from our SMTP servers. When I queried them the response I got was:

have been blocked because we detected probe attempts. Activities like sending mail to non-existent accounts or empty connections would qualify as a dictionary search or probing for valid addresses and IP's used for such activity would be automatically blocked for a temporary period.

Subsequent communications have dealt only with the non-existent accounts. Does blocking us on this basis make any sense? And has anybody else encountered similar issues with netzero? If so, how resolved?

In their favor, they did at least respond to me. And it doesn't appear to be a robot (or if it is, at least an intelligent one) as it entered into a sort of a dialog. This is better than others who either don't respond or use a robotic response. Among these are yahoo.com, aol.com, bellsouth.net and charter.net.

I list these here not as a form of criticism as I accept the possibility that we may have something configured incorrectly or sub-optimally. My real aim is to find other postmasters who have had similar problems with these (or other sites) and discover from them what it is we may need to change.

Thanks,
Mike

On 6/12/07, Ralf Hildebrandt [EMAIL PROTECTED] wrote:
> * mbano [EMAIL PROTECTED]:
>> Hallo all,
>> is there a way to higher score the email sent to non-existent local recipient (detected via ldap) and even so collect them to honey pot, spam account for re-feed the bayes. especially if the sender is the same ..
>
> Depends on your MTA, with postfix you could for example use luser_relay.
>
> But I strongly advise AGAINST this idea, since every typo'ed address ends up being learned as spam.
>
> --
> Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED]
> Charite - Universitätsmedizin Berlin    Tel. +49 (0)30-450 570-155
> Gemeinsame Einrichtung von FU- und HU-Berlin    Fax. +49 (0)30-450 570-962
> IT-Zentrum Standort CBF    send no mail to [EMAIL PROTECTED]

_
This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com
_
DCC and Razor
Hi,

When I first got spamassassin working, I had dcc and razor, but somewhere along the way, they have stopped scanning. I am currently running...

SpamAssassin Server version 3.1.8
  running on Perl 5.8.7
  with SSL support (IO::Socket::SSL 0.97)

I know that dccifd is running, because if I do a ps ax I see...

 5331 ?        Ss     0:00 /var/spool/amavis/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
 5332 ?        Sl     0:00 /var/spool/amavis/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID

I know that SA still has them in the config...

v310.pre

# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source.  See the DCC
# license for more details.
#
loadplugin Mail::SpamAssassin::Plugin::DCC

# Pyzor - perform Pyzor message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Pyzor

# Razor2 - perform Razor2 message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Razor2

But I no longer in any messages see a stamp in my X-Spam headers. Any clue where I can start? By the way, I have been updating dcc when I can, so it is up-to-date.

www.britishscifiexchange.com
www.magigames.net
Rejecting spam during SMTP session
Hi, for a while I've been watching my spamassassin perform great on almost all spam - I've never had any false positives and also a very low count of false negatives. So I thought about rejecting sure spam during the SMTP session and came up with a few bits of shellscript code that's rejecting spam with a score of 10 and above (I normally mark spam at 5). But I'm not really sure if I'm doing it correctly - it appears to me like I'm not rejecting mail but I'm bouncing it, which is surely not what I want. Here is my code which is called as a qmail-command in my .qmail file.

    #!/bin/sh
    # Run the message on stdin through SpamAssassin and keep the marked-up copy.
    message=`/usr/bin/spamassassin 2>/dev/null`
    if [ $? -eq 1 ]; then
        # sa returned an error, make sure we dont lose the mail
        exit 111
    else
        # Ten or more stars in X-Spam-Level means a score of 10 and above.
        printf "%s\n" "$message" | grep -qs "X-Spam-Level: \*\*\*\*\*\*\*\*\*\*"
        if [ $? -eq 0 ]; then
            echo "Message was permanently rejected as spam" >&2
            exit 100
        else
            printf "%s\n" "$message" | maildir ./Maildir/
            exit $?
        fi
    fi

If you want to test the setup, you can send a mail with for example GTUBE to [EMAIL PROTECTED] Your advice will be welcome, arni
Status of Spamassassin
Can rules_du_jour work? Still getting a no update state. -- Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED] God Queen and country! Beware Anti-Christ rising! PAtriots! MAke your declaration of loyalty! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Status of Spamassassin
The Doctor wrote: Cans rules_du_jour work? Still getting a no update state. SARE is back up (knock on wood). Delete your .cf files and re-run RDJ... -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com
Re: Rejecting spam during SMTP session
Deja-Vu.

On Wed, 13 Jun 2007, Hendrik Helmvoigt wrote:

Hi, for a while I've been watching my spamassassin perform great on almost all spam - I've never had any false positives and also a very low count of false negatives. So I thought about rejecting sure spam during the SMTP session and came up with a few bits of shellscript code that's rejecting spam with a score of 10 and above (I normally mark spam at 5). But I'm not really sure if I'm doing it correctly - it appears to me like I'm not rejecting mail but I'm bouncing it, which is surely not what I want. Here is my code which is called as a qmail-command in my .qmail file.

    #!/bin/sh
    # Run the message on stdin through SpamAssassin and keep the marked-up copy.
    message=`/usr/bin/spamassassin 2>/dev/null`
    if [ $? -eq 1 ]; then
        # sa returned an error, make sure we dont lose the mail
        exit 111
    else
        # Ten or more stars in X-Spam-Level means a score of 10 and above.
        printf "%s\n" "$message" | grep -qs "X-Spam-Level: \*\*\*\*\*\*\*\*\*\*"
        if [ $? -eq 0 ]; then
            echo "Message was permanently rejected as spam" >&2
            exit 100
        else
            printf "%s\n" "$message" | maildir ./Maildir/
            exit $?
        fi
    fi

If you want to test the setup, you can send a mail with for example GTUBE to [EMAIL PROTECTED] Your advice will be welcome, arni
Re: Status of Spamassassin
On Wed, Jun 13, 2007 at 07:30:10AM -0500, Dallas Engelken wrote: The Doctor wrote: Cans rules_du_jour work? Still getting a no update state. SARE is back up (knock on wood). Delete your .cf files and re-run RDJ... -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. I got: Script started on Wed Jun 13 06:38:41 2007 doctor.nl2k.ab.ca//etc/mail/spamassassin$ rulesdu _du_jour exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 21 curl_output: 304 Performing preliminary lint (sanity check; does the CURRENT config lint?). No files updated; No restart required. Rules Du Jour Run Summary:RulesDuJour Run Summary on doctor.nl2k.ab.ca: ***NOTICE***: /usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint failed. This means that you have an error somwhere in your SpamAssassin configuration. To determine what the problem is, please run '/usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint' from a shell and notice the error messages it prints. For more (debug) information, add the -D switch to the command. Usually the problem will be found in local.cf, user_prefs, or some custom rulelset found in /etc/mail/spamassassin. Here are the errors that '/usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint' reported: [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: socre FORGED_HOTMAIL_RCVD2 45.0 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: socre SARE_URGBIZ 45.0 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: terse_report This message came for a spam friendly e-mail server. 
[15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: HTMLHEAD [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: TITLE302 Found/TITLE [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: /HEADBODY [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: H1Found/H1 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: The document has moved A HREF=http://www.sa-blacklist.stearns.org/sa-blacklist/random.current.cf;here/A.P [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: /BODY/HTML [15745] warn: config: warning: score set for non-existent rule SARE_WEOFFER [15745] warn: config: warning: score set for non-existent rule SARE_PRODUCTS_03 [15745] warn: config: warning: score set for non-existent rule SARE_OBFU_HARD_SUB [15745] warn: config: warning: score set for non-existent rule SARE_FREE_WEBM_MailD [15745] warn: config: warning: score set for non-existent rule SARE_LOANOFF [15745] warn: config: warning: score set for non-existent rule SARE_ADULT2 [15745] warn: config: warning: score set for non-existent rule SARE_FRAUD_X5 [15745] warn: config: warning: score set for non-existent rule SARE_HOMELOAN [15745] warn: config: warning: score set for non-existent rule SARE_OBFU_PART_OFF [15745] warn: config: warning: score set for non-existent rule DNS_FROM_RFC_WHOIS [15745] warn: config: warning: score set for non-existent rule SARE_FWDLOOK [15745] warn: config: warning: score set for non-existent rule SARE_FRAUD_X4 [15745] warn: config: warning: score set for non-existent rule SARE_OEM_SOFT_IS [15745] warn: config: warning: score 
set for non-existent rule SARE_OEM_PRODS_2 [15745] warn: config: warning: score set for non-existent rule SARE_OEM_PRODS_FEW [15745] warn: config: warning: score set for non-existent rule SARE_UNSUB09 [15745] warn: config: warning: score set for non-existent rule SARE_HEAD_HDR_XCLIHST [15745] warn: config: warning: score set for non-existent rule SARE_UNSUB38D [15745] warn: config: warning: score set for non-existent rule SARE_ADLTSUB6 [15745] warn: config: warning: score set for non-existent rule SARE_SUB_ONLINE_DRUGS [15745] warn: config: warning: score set for non-existent rule SARE_SUB_IMPROVE [15745] warn: config: warning: score set for non-existent rule SARE_PRODUCTS_02 [15745] warn: config: warning: score set for non-existent rule SARE_OBFU_ALL [15745] warn: config: warning: score set for non-existent rule SARE_OEM_MONEY_WIN [15745] warn: config: warning: score set for non-existent rule SARE_LOTTO_SPAM2 [15745] warn: config:
Re: Status of Spamassassin
The Doctor wrote: On Wed, Jun 13, 2007 at 07:30:10AM -0500, Dallas Engelken wrote: The Doctor wrote: Cans rules_du_jour work? Still getting a no update state. SARE is back up (knock on wood). Delete your .cf files and re-run RDJ... -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. I got: Script started on Wed Jun 13 06:38:41 2007 doctor.nl2k.ab.ca//etc/mail/spamassassin$ rulesdu _du_jour exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 21 curl_output: 304 Performing preliminary lint (sanity check; does the CURRENT config lint?). No files updated; No restart required. Rules Du Jour Run Summary:RulesDuJour Run Summary on doctor.nl2k.ab.ca: ***NOTICE***: /usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint failed. This means that you have an error somwhere in your SpamAssassin configuration. To determine what the problem is, please run '/usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint' from a shell and notice the error messages it prints. For more (debug) information, add the -D switch to the command. Usually the problem will be found in local.cf, user_prefs, or some custom rulelset found in /etc/mail/spamassassin. Here are the errors that '/usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint' reported: [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: socre FORGED_HOTMAIL_RCVD2 45.0 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: socre SARE_URGBIZ 45.0 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: terse_report This message came for a spam friendly e-mail server. 
[15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: HTMLHEAD [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: TITLE302 Found/TITLE [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: /HEADBODY [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: H1Found/H1 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: The document has moved A HREF=http://www.sa-blacklist.stearns.org/sa-blacklist/random.current.cf;here/A.P [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: /BODY/HTML where do you get /usr/contrib/etc/mail/spamassassin/random.cf from? -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com
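The lint warnings quoted above show an HTML "302 Found" page being parsed as random.cf. The following is an added example (not RulesDuJour's code and not from any poster) that checks a fetched rules file for HTML before it is installed and groups the lint parse failures by file. The function names are hypothetical and the sample data is constructed, modelled on the output quoted in this thread.

```shell
#!/bin/sh
# Added example: vet a fetched ruleset before installing it, and summarise
# `spamassassin --lint` parse failures per file. Function names are hypothetical.

# Classify a file by its first non-blank line: "html", "text" or "empty".
classify_download() {
    awk '
        /^[ \t\r]*$/ { next }
        {
            found = 1
            if (tolower($0) ~ /^[ \t]*<(!doctype|html|head|body|title)/) print "html"
            else print "text"
            exit
        }
        END { if (!found) print "empty" }
    ' "$1"
}

# Copy the download into place only when it is neither HTML nor empty.
install_if_text() {
    verdict=$(classify_download "$1")
    if [ "$verdict" = "text" ]; then
        cp "$1" "$2" && echo installed
    else
        echo "rejected: $verdict"
    fi
}

# Read lint output on stdin and print "<count> <file>" for every file with
# "failed to parse line" warnings, most affected file first.
parse_failures_by_file() {
    sed -n 's/.*failed to parse line, skipping, in \([^:]*\): .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed lint output in the format quoted in the thread.
sample_lint_output() {
    p='[15745] warn: config: failed to parse line, skipping, in'
    d=/usr/contrib/etc/mail/spamassassin
    printf '%s\n' \
        "$p $d/local.cf: socre FORGED_HOTMAIL_RCVD2 45.0" \
        "$p $d/local.cf: socre SARE_URGBIZ 45.0" \
        "$p $d/random.cf: <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" \
        "$p $d/random.cf: <HTML><HEAD>" \
        "$p $d/random.cf: <TITLE>302 Found</TITLE>" \
        '[15745] warn: config: warning: score set for non-existent rule SARE_WEOFFER'
}

# Constructed sample downloads: a redirect page, a rules file and an empty file.
write_samples() {
    printf '%s\n' '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">' \
        '<HTML><HEAD>' '<TITLE>302 Found</TITLE>' > "$1/redirect.cf"
    printf '%s\n' '# constructed rules file' 'score EXAMPLE_RULE 1.0' > "$1/good.cf"
    : > "$1/empty.cf"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d) && write_samples "$tmp"
for f in redirect.cf good.cf empty.cf; do
    printf '%s: %s\n' "$f" "$(classify_download "$tmp/$f")"
done
sample_lint_output | parse_failures_by_file
rm -rf "$tmp"
```

A file that passes this check can still contain invalid rules, so `spamassassin --lint` remains the final gate before a restart.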
Re: DNS tests getting aborted
On Mon, 2007-06-11 at 09:34 -0400, Theo Van Dinter wrote: On Mon, Jun 11, 2007 at 06:48:04PM +0530, ram wrote: [8454] dbg: dns: success for 0 of 29 queries [8454] dbg: dns: timeout for after 10 seconds but dig on the machine is working fine without any issues. my user_prefs file shows dns_available yes and I have Net::DNS Is the first DNS server listed in resolv.conf functional? Net::DNS isn't quite as resilient as bind-tools, unfortunately. ie: dig may return fine if it's skipping other name servers, while Net::DNS stops at the first one. Actually my DNS is working fine. Other DNS rulesets are hitting fine like RCVD_IN_BL_SPAMCOP_NET In order to get URI tests working I have to put rbl_timeout 40 in my local.cf The default rbl_timeout of 15 is too less, but that is strange. It had been working with my older SA 3.1.5 though Among these RBL tests can I give higher priority can I say do URIDNSBL_1 first and if found short circuit else perform other RBLs Thanks Ram
Re: DCC and Razor
Chuck Payne wrote:

Hi, When I first got spamassassin working, I had dcc and razor, but somewhere along the way, they have stopped scanning. I am currently running...

SpamAssassin Server version 3.1.8
  running on Perl 5.8.7
  with SSL support (IO::Socket::SSL 0.97)

I know that dccifd is running, because if I do a ps ax I see...

5331 ? Ss 0:00 /var/spool/amavis/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
5332 ? Sl 0:00 /var/spool/amavis/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID

I know that SA still has them in the config...

v310.pre
# DCC - perform DCC message checks. # # DCC is disabled here because it is not open source. See the DCC # license for more details. # loadplugin Mail::SpamAssassin::Plugin::DCC
# Pyzor - perform Pyzor message checks. # loadplugin Mail::SpamAssassin::Plugin::Pyzor
# Razor2 - perform Razor2 message checks. # loadplugin Mail::SpamAssassin::Plugin::Razor2

But I no longer in any messages see a stamp in my X-Spam headers. Any clue where I can start?

This functionality is gone, at least it is not available any more without some nasty config, afaik.

By the way, I have been updating dcc when I can, so it is up-to-date.

You tried:?

man 3 spamassassin
spamassassin -D /path/to/messages ? (perhaps you want to press CTRL + D, shortly after the test started ...)
spamassassin -D --lint

Since you seem to use amavisd-new:

amavisd-new debug-sa ... (after stopping amavis)

-- Greetings MH Dont send mail to: [EMAIL PROTECTED] --
Connection wont close
Hi all, after upgrading to 3.2 I think I discovered my problem - it appears that the connections don't disconnect. Here's the output; I'd say about 95% of these are port 783:

103 CLOSE_WAIT
 27 ESTABLISHED
 19 FIN_WAIT_1
 78 FIN_WAIT_2
  3 LAST_ACK
  5 LISTEN
  8 TIME_WAIT

Is there something I missed during the upgrade? I'm downgrading to 3.18 to see if it changes anything.

FreeBsd 5.5 Exim CLAM SA

Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Re: DNS tests getting aborted
Actually my DNS is working fine. Other DNS rulesets are hitting fine like RCVD_IN_BL_SPAMCOP_NET In order to get URI tests working I have to put rbl_timeout 40 in my local.cf The default rbl_timeout of 15 is too less, but that is strange. It had been working with my older SA 3.1.5 though See http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5511
Re: Rejecting spam during SMTP session
Sorry. I should have been a little more elaborate. The message you posted yesterday had two responses. Both pretty much were in agreement the .qmail file handles messages after the SMTP session. One of the responses mentioned using qmail-scanner.

On Wed, 13 Jun 2007, Hendrik Helmvoigt wrote:

Hi, for a while I've been watching my spamassassin perform great on almost all spam - I've never had any false positives and also a very low count of false negatives. So I thought about rejecting sure spam during the SMTP session and came up with a few bits of shellscript code that's rejecting spam with a score of 10 and above (I normally mark spam at 5). But I'm not really sure if I'm doing it correctly - it appears to me like I'm not rejecting mail but I'm bouncing it, which is surely not what I want. Here is my code which is called as a qmail-command in my .qmail file.

    #!/bin/sh
    # Run the message on stdin through SpamAssassin and keep the marked-up copy.
    message=`/usr/bin/spamassassin 2>/dev/null`
    if [ $? -eq 1 ]; then
        # sa returned an error, make sure we dont lose the mail
        exit 111
    else
        # Ten or more stars in X-Spam-Level means a score of 10 and above.
        printf "%s\n" "$message" | grep -qs "X-Spam-Level: \*\*\*\*\*\*\*\*\*\*"
        if [ $? -eq 0 ]; then
            echo "Message was permanently rejected as spam" >&2
            exit 100
        else
            printf "%s\n" "$message" | maildir ./Maildir/
            exit $?
        fi
    fi

If you want to test the setup, you can send a mail with for example GTUBE to [EMAIL PROTECTED] Your advice will be welcome, arni
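An added example, not part of any message in this thread: the script above greps the whole message, so a low-scoring mail that merely quotes an `X-Spam-Level` line in its body would also be refused. This sketch reads the star count from the header block only and maps it to the qmail-command exit codes the script uses (100 and 111). The function names are hypothetical, the threshold of 10 is the one from the post, and the sample messages are constructed.

```shell
#!/bin/sh
# Added example: choose a qmail-command exit code from the X-Spam-Level header
# only, never from the body. Function names are hypothetical.

# Print the header block of the message on stdin (everything before the first
# blank line), tolerating CRLF line endings.
header_block() {
    awk '{ sub(/\r$/, ""); if ($0 == "") exit; print }'
}

# Print the number of stars in the first X-Spam-Level header, or -1 if the
# message carries no such header (SpamAssassin did not mark it up).
spam_level() {
    header_block | awk '
        BEGIN { level = -1 }
        tolower($0) ~ /^x-spam-level:/ && level < 0 {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            level = gsub(/\*/, "", value)
        }
        END { print level }'
}

# Print the exit code a .qmail command would use for the message on stdin:
#   0 = deliver, 100 = hard failure, 111 = soft failure (try again later).
delivery_code() {
    threshold=$1
    level=$(spam_level)
    if [ "$level" -lt 0 ]; then
        echo 111    # not scanned: defer instead of losing or bouncing the mail
    elif [ "$level" -ge "$threshold" ]; then
        echo 100
    else
        echo 0
    fi
}

# The whole-message match from the thread, kept for comparison.
naive_match() {
    if grep -q 'X-Spam-Level: \*\*\*\*\*\*\*\*\*\*'; then echo match; else echo nomatch; fi
}

# Constructed sample: marked by SpamAssassin with 12 stars.
sample_spam() {
    printf '%s\n' 'X-Spam-Level: ************' 'From: sender@example.com' \
        'Subject: constructed test message' '' 'body text'
}

# Constructed sample: 2 stars in the header, but the body pastes a spam header.
sample_ham_quoting_spam() {
    printf '%s\n' 'X-Spam-Level: **' 'From: user@example.org' \
        'Subject: Fwd: look at this spam' '' \
        'X-Spam-Level: ************' 'forwarded spam text'
}

# Constructed sample: no SpamAssassin markup at all.
sample_unscanned() {
    printf '%s\n' 'From: user@example.org' 'Subject: hello' '' 'body text'
}

# Demo run on the constructed samples.
for s in sample_spam sample_ham_quoting_spam sample_unscanned; do
    printf '%s: header-only=%s whole-message=%s\n' \
        "$s" "$($s | delivery_code 10)" "$($s | naive_match)"
done
```

As the replies in this thread point out, a .qmail command runs after the SMTP session has ended, so the hard failure still happens after the message was accepted.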
Re: [OT] RDJ RulesDuJour Updates dont lint
On Wed, 13 Jun 2007, Raymond Dijkxhoorn wrote: coupon1+coupon2+style1+style2;document.cookie=NSC_DOSP=+add+;path=/;window.location=window.location.href;window.focus();/SCRIPT/HEAD/HTML [18730] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0SCRIPT Language=JavaScriptvar coupon1= What about you check the content of those files first before mailing the list? Seems you have broken files, eg, HTML errors inside them. Pretty obvious. In the words of Inigo Montoya, I do not think [that word] means what you think it means. While the errors do contain HTML tags, I wouldn't exactly call them obvious, especially given all the javascript and a context where HTML is unexpected. In any case, I've found that it's sometimes better to just let it go and allow someone else respond to questions you find irritating and unnecessary. Matthias, if you look through recent list posts, you'll find that RDJ has been causing lots of people trouble due to the fact that certain rule channels have been unavailable. -- Public key #7BBC68D9 at| Shane Williams http://pgp.mit.edu/| System Admin - UT iSchool =--+--- All syllogisms contain three lines | [EMAIL PROTECTED] Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew
Re: Freebsd Port of SA 3.2.1
At 10:47 PM 6.12.2007 -0400, Michael Scheidell wrote: If anyone wants a 'pre release' of the Freebsd sa 3.2.1 portfile, you can download it here: http://www.secnap.com/downloads/sa321.tgz Instructions: rm everything in /usr/ports/mail/p5-Mail-SpamAssassin, untar above there, make or portupgrade it. Some dependencies that have not been committed to freebsd ports are also needed. One I just stumbled upon, for anyone using Mail::SPF: in SA INSTALL doc: If using Mail::SPF note that NetAddr::IP (required by Mail::SPF) versions up to and including version 4.006 include a bug that will slow down the entire perl interpreter. NetAddr::IP version 4.007 or later fixes this. (freebsd ports still has 4.004, but here are patches against ../ports/net-mgmt/p5-NetAddr-IP) You need these patches in /usr/ports/net-mgmt/p5-NetAddr-IP http://www.secnap.com/downloads/netaddrip.patch See http://www.freebsd.org/cgi/query-pr.cgi?pr=113638 Also, you need patches for re2c =.12.0 (ports has .11.1), Razor 2.8.2_1 (ports has 2.8.2) http://www.secnap.com/downloads/re2c.tgz (ports package, clean out ../ports/devel/re2c and untar this) See: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501 If you use Razor, you should update it: http://www.secnap.com/downloads/razor.patch (patches against ../ports/mail/razor-agents) see http://www.freebsd.org/cgi/query-pr.cgi?pr=112522 Anyone with freebsd and want to see something (universal!, not site specific), send me an explaination of what it is, what it does, and if you include that and patches against the current 3.2.0, it will likely be included in freebsd 3.2.1 port since I am the official ports maintainer. 
(note: thanks jimmy I have included the libspamc* support as you requested in http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/106441 -- Michael Scheidell, CTO SECNAP Network Security Corporation Keep up to date with latest information on IT security: Real time security alerts: http://www.secnap.com/news Michael: Many thanks for your upgrade to the port. I am using FBSD-6.2 amd64 and ran into this problem when running make: bunch of other stuff all okay stopped here: Manifying blib/man3/Mail::SpamAssassin::Plugin::RelayCountry.3 make -f spamc/Makefile spamc/libspamc.so gcc -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libspamc.so -shared -L/usr/local/lib -lz /usr/bin/ld: /var/tmp//cchaPM1S.o: relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC /var/tmp//cchaPM1S.o: could not read symbols: Bad value *** Error code 1 (^_^) Happy trails, Jack L. Stone System Admin Sage-american
CPAN mirror delay
I was wondering how long CPAN takes to update its mirrors? I just checked and Mail::SpamAssassin is still 3.2.0 from whatever mirror we're going to. cpan[1] look Mail::SpamAssassin CPAN: Storable loaded ok (v2.13) Going to read /private/var/root/.cpan/Metadata Database was generated on Tue, 12 Jun 2007 19:08:28 GMT Running look for module 'Mail::SpamAssassin' Trying to open a subshell in the build directory... CPAN: Digest::SHA loaded ok (v5.44) CPAN: Compress::Zlib loaded ok (v2.004) Checksum for /private/var/root/.cpan/sources/authors/id/J/JM/JMASON/ Mail-SpamAssassin-3.2.0.tar.gz ok Scanning cache /private/var/root/.cpan/build for sizes -- Jerry Durand, Durand Interstellar, Inc. Los Gatos, California, USA tel: +1-408-356-3886, USA Toll Free: 866-356-3886 www.interstellar.com, skype: jerrydurand
RE: Connection wont close
Hi all, after upgrading to 3.2 I think I discovered my problem - it appears that the connections don't disconnect. Here's the output; I'd say about 95% of these are port 783:

103 CLOSE_WAIT
 27 ESTABLISHED
 19 FIN_WAIT_1
 78 FIN_WAIT_2
  3 LAST_ACK
  5 LISTEN
  8 TIME_WAIT

Is there something I missed during the upgrade? I'm downgrading to 3.18 to see if it changes anything.

FreeBsd 5.5 Exim CLAM SA

Well that worked - downgrading to 3.18 seems to have fixed my connection problem.

Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Re: Freebsd Port of SA 3.2.1
Jack L. Stone wrote: At 10:47 PM 6.12.2007 -0400, Michael Scheidell wrote: If anyone wants a 'pre release' of the Freebsd sa 3.2.1 portfile, you can download it here: http://www.secnap.com/downloads/sa321.tgz Instructions: rm everything in /usr/ports/mail/p5-Mail-SpamAssassin, untar above there, make or portupgrade it. Some dependencies that have not been committed to freebsd ports are also needed. One I just stumbled upon, for anyone using Mail::SPF: in SA INSTALL doc: If using Mail::SPF note that NetAddr::IP (required by Mail::SPF) versions up to and including version 4.006 include a bug that will slow down the entire perl interpreter. NetAddr::IP version 4.007 or later fixes this. (freebsd ports still has 4.004, but here are patches against ../ports/net-mgmt/p5-NetAddr-IP) You need these patches in /usr/ports/net-mgmt/p5-NetAddr-IP http://www.secnap.com/downloads/netaddrip.patch See http://www.freebsd.org/cgi/query-pr.cgi?pr=113638 Also, you need patches for re2c =.12.0 (ports has .11.1), Razor 2.8.2_1 (ports has 2.8.2) http://www.secnap.com/downloads/re2c.tgz (ports package, clean out ../ports/devel/re2c and untar this) See: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112501 If you use Razor, you should update it: http://www.secnap.com/downloads/razor.patch (patches against ../ports/mail/razor-agents) see http://www.freebsd.org/cgi/query-pr.cgi?pr=112522 Anyone with freebsd and want to see something (universal!, not site specific), send me an explaination of what it is, what it does, and if you include that and patches against the current 3.2.0, it will likely be included in freebsd 3.2.1 port since I am the official ports maintainer. 
(note: thanks jimmy I have included the libspamc* support as you requested in http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/106441 -- Michael Scheidell, CTO SECNAP Network Security Corporation Keep up to date with latest information on IT security: Real time security alerts: http://www.secnap.com/news Michael: Many thanks for your upgrade to the port. I am using FBSD-6.2 amd64 and ran into this problem when running make: bunch of other stuff all okay stopped here: Manifying blib/man3/Mail::SpamAssassin::Plugin::RelayCountry.3 make -f spamc/Makefile spamc/libspamc.so gcc -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libspamc.so -shared -L/usr/local/lib -lz /usr/bin/ld: /var/tmp//cchaPM1S.o: relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC /var/tmp//cchaPM1S.o: could not read symbols: Bad value *** Error code 1 looks like a 64bit compile error. what does uname -p show? Try this patch to Makefile (if you want to mess with compile options, be my guest). --- Makefile.orig Tue Jun 12 22:43:19 2007 +++ MakefileWed Jun 13 09:56:03 2007 
@@ -230,18 +230,23 @@ .endif post-build: +.if ${ARCH} == i386 @(cd ${BUILD_WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} spamc/libspamc.so) .if !defined(WITHOUT_SSL) @(cd ${BUILD_WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} spamc/libsslspamc.so) .endif +.endif pre-install: @${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL +.if ${ARCH} == i386 ${INSTALL_DATA} ${WRKSRC}/spamc/libspamc.so ${PREFIX}/lib ${INSTALL_DATA} ${WRKSRC}/spamc/libspamc.h ${PREFIX}/include .if !defined(WITHOUT_SSL) ${INSTALL_DATA} ${WRKSRC}/spamc/libsslspamc.so ${PREFIX}/lib .endif +.endif + .if ${OSVERSION} 50 @${SED} -i s| /etc/rc.subr| ${PREFIX}/etc/rc.subr| work/sa-spamd.sh .endif (^_^) Happy trails, Jack L. Stone System Admin Sage-american _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
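Review bot: the `.if ${ARCH} == i386` guards added around the `spamc/libspamc.so` and `spamc/libsslspamc.so` targets in post-build, and around the matching `${INSTALL_DATA}` lines in pre-install, make every architecture other than i386 skip building and installing the shared libraries instead of fixing the link failure. The linker message quoted above the patch asks for the objects to be recompiled with -fPIC, so consider passing -fPIC when the libspamc shared objects are built and dropping the ARCH conditionals. Note also that `libspamc.h` sits inside the pre-install guard, so with this change non-i386 installs lose the header as well as the libraries.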
SASL and SPF Fail
Hi, list, several of my users are beginning to use the SASL method to send mails through the server. The point is that the messages from one of these users are getting tagged as spam (the lil' bastard uses Incredimail, so a bunch of other stuff regarding this crappy piece of software gets his messages over the discard line, but that's another story. I'll search the list messages, I think I remember a thread on that issue). Anyway, I've noticed SPF checks of his mails fail. He's connecting from a network outside ours, so I was wondering what makes the SPF checks fail, even when he is connecting as a client to our server... Thanks, Luis -- - GNU-GPL: May The Source Be With You... Linux Registered User #448382. When I grow up, I wanna be like Theo... -
Re: Freebsd Port of SA 3.2.1
Michael, I am using FBSD-6.2 amd64 and ran into this problem when running make: bunch of other stuff all okay stopped here: Manifying blib/man3/Mail::SpamAssassin::Plugin::RelayCountry.3 make -f spamc/Makefile spamc/libspamc.so gcc -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libspamc.so -shared -L/usr/local/lib -lz /usr/bin/ld: /var/tmp//cchaPM1S.o: relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC /var/tmp//cchaPM1S.o: could not read symbols: Bad value looks like a 64bit compile error. It is not a compile error. Somebody forgot to put a -fPIC option when compiling code for a shareable library. It happens to work on i386, but is wrong anyway. +.if ${ARCH} == i386 ... +.endif Please don't do that! Mark
Re: Status of Spamassassin
On Wed, Jun 13, 2007 at 07:51:55AM -0500, Dallas Engelken wrote: The Doctor wrote: On Wed, Jun 13, 2007 at 07:30:10AM -0500, Dallas Engelken wrote: The Doctor wrote: Cans rules_du_jour work? Still getting a no update state. SARE is back up (knock on wood). Delete your .cf files and re-run RDJ... -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. I got: Script started on Wed Jun 13 06:38:41 2007 doctor.nl2k.ab.ca//etc/mail/spamassassin$ rulesdu _du_jour exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 21 curl_output: 304 Performing preliminary lint (sanity check; does the CURRENT config lint?). No files updated; No restart required. Rules Du Jour Run Summary:RulesDuJour Run Summary on doctor.nl2k.ab.ca: ***NOTICE***: /usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint failed. This means that you have an error somwhere in your SpamAssassin configuration. To determine what the problem is, please run '/usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint' from a shell and notice the error messages it prints. For more (debug) information, add the -D switch to the command. Usually the problem will be found in local.cf, user_prefs, or some custom rulelset found in /etc/mail/spamassassin. 
Here are the errors that '/usr/contrib/bin/spamassassin -p /usr/contrib/etc/MailScanner/spam.assassin.prefs.conf --lint' reported: [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: socre FORGED_HOTMAIL_RCVD2 45.0 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: socre SARE_URGBIZ 45.0 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/local.cf: terse_report This message came for a spam friendly e-mail server. [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: HTMLHEAD [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: TITLE302 Found/TITLE [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: /HEADBODY [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: H1Found/H1 [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: The document has moved A HREF=http://www.sa-blacklist.stearns.org/sa-blacklist/random.current.cf;here/A.P [15745] warn: config: failed to parse line, skipping, in /usr/contrib/etc/mail/spamassassin/random.cf: /BODY/HTML where do you get /usr/contrib/etc/mail/spamassassin/random.cf from? From the distribution AFAIK. -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED] God Queen and country! Beware Anti-Christ rising! PAtriots! MAke your declaration of loyalty! 
Re: emails to non existent recipients -- netzero.com fixed this problem?
On a related topic, netzero.com has been refusing connections from our SMTP servers. When I queried them the response I got was: have been blocked because we detected probe attempts. Activities like sending mail to non-existent accounts or empty connections would qualify as a dictionary search or probing for valid addresses and IP's used for such activity would be automatically blocked for a temporary period. Subsequent communications have dealt only with the non-existent accounts. Does blocking us on this basis make any sense? And has anybody else encountered similar issues with netzero? If so, how resolved? In their favor, they did at least respond to me. And it doesn't appear to be a robot (or if it is, at least an intelligent one) as it entered into a sort of a dialog. This is better than others who either don't respond or use a robotic response. Among these are yahoo.com, aol.com, bellsouth.net and charter.net. I list these here not as a form of criticism as I accept the possibility that we may have something configured incorrectly or sub-optimally. My real aim is to find other postmasters who have had similar problems with these (or other sites) and discover from them what it is we may need to change.

Hi, this is not about netzero (but I am a particular friend of aol:( for similar reasons.) To start with, I am maintaining a web shop, so people will eventually complete a form with their email address, and the server will send them an order confirmation. We observed a certain rate of failed deliveries (perhaps 1%) due to visitors unable to spell their own email address correctly. After some time, I changed the system so that a connection is attempted when the visitor completes the form, and any 5xx response will result in a "please check your email address" to the browser. Of course a few domains that are known to bounce later (aol) are not probed. Recipient servers could consider the same thing as address probing - how tell them?
About responses: I received a please be patient type of auto response from aol; when I mailed them the auto response back a week later, they informed me that they could not find the original message Wolfgang Hamann
3.2.1 install failure
For the first time ever I've had a failure with an SA install. I've actually no clue what the problem could be, the output of 'make test' can be found here http://mediasafe.embarq.com/chris1948/Hosted/SAfailed.txt if someone would be so kind as to look at it and help me see what the issues might be. Thank you Chris -- Chris KeyID 0xE372A7DA98E6705C
Re: emails to non existent recipients -- netzero.com fixed this problem?
At 02:57 13-06-2007, Mike Kenny wrote: On a related topic, netzero.com has been refusing connections from our SMTP servers. When I queried them the response I got was: have been blocked because we detected probe attempts. Activities like sending mail to non-existent accounts or empty connections would qualify as a dictionary search or probing for valid addresses and IP's used for such activity would be automatically blocked for a temporary period. Were you sending mail to non-existent accounts or doing sender validation? Subsequent communications have dealt only with the non-existent accounts. Does blocking us on this basis make any sense? And has anybody else encountered similar issues with netzero? If so, how resolved? Yes, it does if most of the connections are for non-existent accounts. It can be resolved by not doing that. Regards, -sm
RE: 3.2.1 install failure
This has been covered on the list already. Try building it as a non-root user. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK -Original Message- From: Chris [mailto:[EMAIL PROTECTED] Sent: 13 June 2007 15:46 To: users@spamassassin.apache.org Subject: 3.2.1 install failure For the first time ever I've had a failure with an SA install. I've actually no clue what the problem could be, the output of 'make test' can be found here http://mediasafe.embarq.com/chris1948/Hosted/SAfailed.txt if someone would be so kind as to look at it and help me see what the issues might be. Thank you Chris -- Chris KeyID 0xE372A7DA98E6705C
RE: 3.2.1 install failure
Chris Don't compile as root and you'll be fine - already been raised as a bug. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 -Original Message- From: Chris [mailto:[EMAIL PROTECTED] Sent: 13 June 2007 15:46 To: users@spamassassin.apache.org Subject: 3.2.1 install failure For the first time ever I've had a failure with an SA install. I've actually no clue what the problem could be, the output of 'make test' can be found here http://mediasafe.embarq.com/chris1948/Hosted/SAfailed.txt if someone would be so kind as to look at it and help me see what the issues might be. Thank you Chris -- Chris KeyID 0xE372A7DA98E6705C
Re: emails to non existent recipients -- netzero.com fixed this problem?
On 6/13/07, SM [EMAIL PROTECTED] wrote: Were you sending mail to non-existent accounts or doing sender validation? we weren't sending anything. We are an ISP providing email services to a large number of users in South Africa. Some of these users may have: mis-remembered an email mis-typed an email sent to an acquaintance who had changed email provide (maybe because they weren't receiving their emails :-) responded to a forged spam been abusing our system but the possibilities cover a lot of ground. I have had a further communication from netzero asking that I check for email addresses that look unlikely. I am doing this, but apart from the fact that many of the large ISPs provide emails that look unlikely due to the appending of digits, we have over 10 official languages here and an address that looks unlikely in English may make perfect sense in Zulu or Xhosa. Subsequent communications have dealt only with the non-existent accounts. Does blocking us on this basis make any sense? And has anybody else encountered similar issues with netzero? If so, how resolved? Yes, it does if most of the connections are for non-existent accounts. It can be resolved by not doing that. As I said above we don't do that. Regards, -sm Thanks for showing the interest anyway Mike
Missing rule? AND I've updated my SUSE builds
I just noticed this in my lint; [3425] warn: config: warning: score set for non-existent rule SARE_GIF_STOX And I can't find the source for the SARE_GIF_STOX rule, any hints please? Also, I've updated my SUSE builds to SpamAssassin 3.2.1 for SUSE 10.1 and 10.2, found at ftp://ftp.norrbring.com/pub/linux/inst-source/
Re: emails to non existent recipients -- netzero.com fixed this problem?
Hi Mike, At 08:50 13-06-2007, Mike Kenny wrote: we weren't sending anything. We are an ISP providing email services to a large number of users in South Africa. Some of these users may have: mis-remembered an email mis-typed an email sent to an acquaintance who had changed email provide (maybe because they weren't receiving their emails :-) responded to a forged spam The above should not cause a block unless you don't send a lot of valid mail to the provider. been abusing our system As you are an ISP and you are servicing an area which has a lot of lawyers, the amount of abuse can be significant. I assume that you have taken measures to detect and keep that type of email to a minimum. but the possibilities cover a lot of ground. I have had a further communication from netzero asking that I check for email addresses that look unlikely. I am doing this, but apart from the fact that many of the large ISPs provide emails that look unlikely due to the appending of digits, we have over 10 official languages here and an address that looks unlikely in English may make perfect sense in Zulu or Xhosa. It's difficult to check for email addresses that look unlikely. As you said above, people may read the local-part of the email address differently if they are using a language which is not English. Consecutive digits may look like a dictionary attack and trigger alerts at the receiver's end. A traffic analysis should give you a better picture of what's going on. Regards, -sm
Re: ANNOUNCE: Apache SpamAssassin 3.2.1 available
Daniel J McDonald dan.mcdonald at austinenergy.com writes: On Tue, 2007-06-12 at 16:07 -0400, Rosenbaum, Larry M. wrote: From: Duncan Hill [mailto:spamassassin at cricalix.net] On Tue, June 12, 2007 13:33, Justin Mason wrote: Daniel J McDonald writes: So, you can't build the RPM as root. Very interesting, but I ran into this problem on a Solaris system and I wasn't trying to build an RPM. I was just trying to build SA from source with the usual perl Makefile.PL make make test (this step gave errors when run as root) Does the same logic apply when RPMs are not involved? Yes, unless your umask is 666. When it detects the root user, it tries to change to nobody. since Nobody can't write in the t/log/* directories, the test fails. Pardon my ignorance, but for those of us who have always installed SA as root, this new behavior in 3.2.1 appears to be a bit of a bug (and I'm just using the SA distribution the same way Larry is using - no RPM is being built). Is the workaround y'all are suggesting that the SA make be done as a non-root user, but the install be done as root in my situation? In other words, As non-root user: perl Makefile.PL make make test As root: make install Thanks, Jake
Re: ANNOUNCE: Apache SpamAssassin 3.2.1 available
On Wed, June 13, 2007 9:38 am, Jake Richter wrote: Is the workaround y'all are suggesting that the SA make be done as a non-root user, but the install be done as root in my situation? In other words, As non-root user: perl Makefile.PL make make test As root: make install
Re: Freebsd Port of SA 3.2.1
I am using FBSD-6.2 amd64 and ran into this problem when running make: bunch of other stuff all okay stopped here: Manifying blib/man3/Mail::SpamAssassin::Plugin::RelayCountry.3 make -f spamc/Makefile spamc/libspamc.so gcc -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libspamc.so -shared -L/usr/local/lib -lz /usr/bin/ld: /var/tmp//cchaPM1S.o: relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC /var/tmp//cchaPM1S.o: could not read symbols: Bad value looks like a 64bit compile error. It is not a compile error. Somebody forgot to put a -fPIC option when compiling code for a shareable library. It happens to work on i386, but is wrong anyway. +.if ${ARCH} == i386 +.endif Please don't do that! Both of the following cc commands need option -fPIC in order to be able to build a shareable library: gcc -fPIC -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libspamc.so -shared -L/usr/local/lib -lz gcc -fPIC -DSPAMC_SSL -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libsslspamc.so -shared -L/usr/local/lib -lssl -lcrypto -lz This way it will build on any architecture, not just on Intel in 32-bit mode. This seem to be a SpamAssassin issue, and is not specific to FreeBSD ports. Mark
Re: 3.2.1 install failure
On Wednesday 13 June 2007 10:27 am, Randal, Phil wrote: This has been covered on the list already. Try building it as a non-root user. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK I've always installed with CPAN via webmin, guess I'll have to download and read the cpan man pages to see how to install as non-root user Thanks Chris -- Chris KeyID 0xE372A7DA98E6705C
[Maybe OT] how do I avoid SPF_FAIL?
Hi, list, I've recently added the feature of SMTP Auth to my MTA (Postfix running on Debian Sarge), and when any user tries to send a mail through the server, it hits SPF_FAIL (which, on the other hand, seems natural, since one of the relays sits outside of the mynetworks directive of Postfix). Is there any way to a) disable SPF tests inside SA for authenticated users? or b) add the authenticated sender to the trust SPF chain? Thanks a lot, Luis -- - GNU-GPL: May The Source Be With You... Linux Registered User #448382. When I grow up, I wanna be like Theo... -
Re: CPAN mirror delay
Jerry Durand wrote: I was wondering how long CPAN takes to update its mirrors? I just checked and Mail::SpamAssassin is still 3.2.0 from whatever mirror we're going to. Some mirrors appear to have a sync interval of 24 hours. Which is semi-reasonable given that it can take upwards of 8 hours for an uploaded module to appear anywhere in CPAN. Daryl
Re: CPAN mirror delay
At 11:15 AM 6/13/2007, Daryl C. W. O'Shea wrote: Some mirrors appear to have a sync interval of 24 hours. Which is semi-reasonable given that it can take upwards of 8 hours for an uploaded module to appear anywhere in CPAN. Daryl Thanks, and thanks for all the hard work! -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
Re: SASL and SPF Fail
Luis Hernán Otegui wrote: Hi, list, several of my users are beginning to use the SASL method to send mails through the server. The point is that the messages from one of these users are getting tagged as spam (the lil' bastard uses Incredimail, so a bunch of another stuff regarding this crappy piece of software gets his messages over the discard line, but that's another story. I'll search the list messages, I think I remember a thread on that issue). Anyway, I've noticed SPF checks of his mails fail. He's connecting from a network outside ours, so I was wondering what makes the SPF checks fail, even when he is connecting as a client to our server... http://wiki.apache.org/spamassassin/DynablockIssues
Re: [Maybe OT] how do I avoid SPF_FAIL?
Luis Hernán Otegui wrote: Hi, list, I've recently added the feature of SMTP Auth to my MTA (Postfix running on Debian Sarge), and when any user tries to send a mail through the server, it hits SPF_FAIL (which, on the other hand, seems natural, since one of the relays sits outside of the mynetworks directive of Postfix). Is there any way to a) disable SPF tests inside SA for authenticated users? or b) add the authenticated sender to the trust SPF chain? Either setting msa_networks in SA if your MTA is just an MSA or adding smtpd_sasl_authenticated_header = yes to your Postfix 2.3 or later config will do it. http://wiki.apache.org/spamassassin/DynablockIssues Didn't you ask this same question 4 hours ago? Daryl
Re: CPAN mirror delay
Jerry Durand wrote: Thanks, and thanks for all the hard work! No problem, just wait until I start hitting you up for DMX hardware tips and tricks. :) Daryl
Re: CPAN mirror delay
At 11:32 AM 6/13/2007, Daryl C. W. O'Shea wrote: No problem, just wait until I start hitting you up for DMX hardware tips and tricks. :) Currently fighting with a project I bid low since it would be simple (we've all done that). DMX in, dual stepping motors out (color and dowser for a building exterior illuminator). I used a processor at the very low end of the series I normally use. Then I start having the ICE crash. Several conference calls with the chip manufacturer, e-mails/calls with the ICE programmer and other tools people, still don't know exactly what's wrong. :( I did manage to get a demo version working for the client to show to the big boss who's arriving in this country shortly and wants to see something working. :) The life of a hardware/software guy... -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
Re: SASL and SPF Fail
OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth headers. Now, a question: how do I assign a score of zero to SPF_FAIL (in order to disable that rule) if my custom rule matches? I guess it's via a META rule, but I can't get it working... Based on the rule published at SA's Wiki, I was thinking of something like this: header LOCAL_AUTH_RCVD Received =~ /\(authenticated \(\d+ bits\)\) by services04\.student\.cs\.uwaterloo\.ca / meta LOCAL_AUTH_NO_SPF (LOCAL_AUTH_RCVD && SPF_FAIL) But here I lost it. Thought of something like this: score LOCAL_AUTH_NO_SPF -0.693 which has the exact reverse score of SPF_FAIL. I think it would be more elegant to zero that rule in this particular case. But I don't know how to do it... Thanks Luis 2007/6/13, Daryl C. W. O'Shea [EMAIL PROTECTED]: Luis Hernán Otegui wrote: Hi, list, several of my users are beginning to use the SASL method to send mails through the server. The point is that the messages from one of these users are getting tagged as spam (the lil' bastard uses Incredimail, so a bunch of another stuff regarding this crappy piece of software gets his messages over the discard line, but that's another story. I'll search the list messages, I think I remember a thread on that issue). Anyway, I've noticed SPF checks of his mails fail. He's connecting from a network outside ours, so I was wondering what makes the SPF checks fail, even when he is connecting as a client to our server... http://wiki.apache.org/spamassassin/DynablockIssues -- - GNU-GPL: May The Source Be With You... Linux Registered User #448382. When I grow up, I wanna be like Theo... -
Re: SASL and SPF Fail
Luis Hernán Otegui wrote: OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth headers. Now, a question: how do I assign a score of zero to SPF_FAIL (in order to disable that rule) if my custom rule matches? I guess it's via a META rule, but I can't get it working... Based on the rule published at SA's Wiki, I was thinking of something like this: header LOCAL_AUTH_RCVD Received =~ /\(authenticated \(\d+ bits\)\) by services04\.student\.cs\.uwaterloo\.ca / meta LOCAL_AUTH_NO_SPF (LOCAL_AUTH_RCVD && SPF_FAIL) But here I lost it. Thought of something like this: score LOCAL_AUTH_NO_SPF -0.693 which has the exact reverse score of SPF_FAIL. I think it would be more elegant to zero that rule in this particular case. But I don't know how to do it... The problem is that SPF_FAIL isn't the only thing that you don't want to trigger that could trigger. Any of the DNSBL tests could hit, too, depending on where your roaming users connect from. If you can't get one of the methods to extend trust to work (getting Postfix to insert an auth header in late 2.2 or any 2.3+ or using msa_networks in SA 3.2) you're best off not scanning auth'd mail at all if you can manage a way to do it. Otherwise, the UW example of matching on a received header and deducting a score is your last resort. You might as well make it a fairly large negative score since you'll want it to counter both SPF_FAIL and any DNSBL tests that hit. There's no way to use a meta, or anything other than a plugin that mucks with SA internals, to zero the score for SPF_FAIL as you'd like. Daryl
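The last-resort option described above, matching a Received header and deducting a score, is only as reliable as the header it matches, so the following added example (not code from this thread or from SpamAssassin) applies the match only to the newest Received header, the one your own MTA wrote. The host name mail.example.org, the "(Authenticated sender: ...)" layout that Postfix writes with smtpd_sasl_authenticated_header = yes, the function names and the three sample messages are assumptions constructed for illustration, and a single-hop setup with no content-filter hop in front is assumed.

```python
import email
import re

# Assumption: the name your own MTA writes after "by" in its Received header.
OWN_MTA = "mail.example.org"


def _unfold(value):
    """Collapse folded header whitespace (newline + tab) into single spaces."""
    return " ".join(value.split())


def auth_marker(own_mta):
    """Pattern for the marker Postfix writes for SASL-authenticated clients,
    anchored to our own host name (assumed layout, see lead-in)."""
    return re.compile(
        r"\(Authenticated sender: [^()]+\) by "
        + re.escape(own_mta)
        + r" \(Postfix\)"
    )


def received_headers(raw_message):
    """Return the Received headers, newest (topmost) first, unfolded."""
    msg = email.message_from_string(raw_message)
    return [_unfold(h) for h in (msg.get_all("Received") or [])]


def matches_any_received(raw_message, own_mta=OWN_MTA):
    """Pattern applied to every Received header, including the ones that
    arrived with the message and were not written by our server."""
    rx = auth_marker(own_mta)
    return any(rx.search(h) for h in received_headers(raw_message))


def submitted_with_auth(raw_message, own_mta=OWN_MTA):
    """Pattern applied only to the newest Received header, which is the one
    our own MTA added when it accepted the message."""
    headers = received_headers(raw_message)
    if not headers:
        return False
    return bool(auth_marker(own_mta).search(headers[0]))


# --- Constructed sample messages (not real traffic) ---

# 1. A roaming user who authenticated to our server.
GENUINE_SUBMISSION = """\
Received: from [198.51.100.23] (unknown [198.51.100.23])
\t(Authenticated sender: luis)
\tby mail.example.org (Postfix) with ESMTPSA id 4F1C2A0031
\tfor <friend@example.net>; Wed, 13 Jun 2007 18:02:11 -0300
From: luis@example.org
To: friend@example.net
Subject: constructed sample 1

hello
"""

# 2. Ordinary inbound mail: our server accepted it without authentication,
#    but an older header that came with the message carries the marker.
INBOUND_WITH_OLDER_MARKER = """\
Received: from mx.sender.example (mx.sender.example [203.0.113.7])
\tby mail.example.org (Postfix) with ESMTP id 9B2D41C0042
\tfor <luis@example.org>; Wed, 13 Jun 2007 18:05:40 -0300
Received: from [10.0.0.5] (unknown [10.0.0.5])
\t(Authenticated sender: luis)
\tby mail.example.org (Postfix) with ESMTPSA id 0000000000
\tfor <luis@example.org>; Wed, 13 Jun 2007 18:05:01 -0300
From: someone@sender.example
To: luis@example.org
Subject: constructed sample 2

hello
"""

# 3. Ordinary inbound mail with no marker anywhere.
PLAIN_INBOUND = """\
Received: from mx.sender.example (mx.sender.example [203.0.113.7])
\tby mail.example.org (Postfix) with ESMTP id 7C3E52D0053
\tfor <luis@example.org>; Wed, 13 Jun 2007 18:09:12 -0300
From: someone@sender.example
To: luis@example.org
Subject: constructed sample 3

hello
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE_SUBMISSION),
                      ("older marker", INBOUND_WITH_OLDER_MARKER),
                      ("plain", PLAIN_INBOUND)]:
        print(name, matches_any_received(raw), submitted_with_auth(raw))
```

Sample 2 is the case that matters for a negative-score rule: the all-headers match fires on it, the newest-header match does not.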
Re: SASL and SPF Fail
OK, got the picture. Guess I'll go for the upgrade of postfix. Thanks again, Luis 2007/6/13, Daryl C. W. O'Shea [EMAIL PROTECTED]: Luis Hernán Otegui wrote: OK, Daryl, got the point. Made a rule to match my Postfix-2.2 auth headers. Now, a question: how do I assign a score of zero to SPF_FAIL (in order to disable that rule) if my custom rule matches? I guess it's via a META rule, but I can't get it working... Based on the rule published at SA's Wiki, I was thinking of something like this: header LOCAL_AUTH_RCVD Received =~ /\(authenticated \(\d+ bits\)\) by services04\.student\.cs\.uwaterloo\.ca / meta LOCAL_AUTH_NO_SPF (LOCAL_AUTH_RCVD && SPF_FAIL) But here I lost it. Thought of something like this: score LOCAL_AUTH_NO_SPF -0.693 which has the exact reverse score of SPF_FAIL. I think it would be more elegant to zero that rule in this particular case. But I don't know how to do it... The problem is that SPF_FAIL isn't the only thing that you don't want to trigger that could trigger. Any of the DNSBL tests could hit, too, depending on where your roaming users connect from. If you can't get one of the methods to extend trust to work (getting Postfix to insert an auth header in late 2.2 or any 2.3+ or using msa_networks in SA 3.2) you're best off not scanning auth'd mail at all if you can manage a way to do it. Otherwise, the UW example of matching on a received header and deducting a score is your last resort. You might as well make it a fairly large negative score since you'll want it to counter both SPF_FAIL and any DNSBL tests that hit. There's no way to use a meta, or anything other than a plugin that mucks with SA internals, to zero the score for SPF_FAIL as you'd like. Daryl -- - GNU-GPL: May The Source Be With You... Linux Registered User #448382. When I grow up, I wanna be like Theo... -
new system
Sometime later this summer I'm going to be replacing our server. It's currently a Mac (1.42GHz G4) running OS X Server. Since the mail server part of OS X needs work, I'm thinking of just replacing this with an Intel/AMD based Linux box. I'm considering Ubuntu, any suggestions/warnings/panics? Not a big panic if I can't move the IMAP files over, most mail is read by APOP so there isn't much there. Other than mail, I'll need Apache for web serving and Samba for our Windows network in the office. We have several domains, these go to separate web pages but due to the way the Mac was set up, all e-mail addresses are valid across all domains (jdurand@ works on any domain we server). -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
Re: new system
On Wed, 13 Jun 2007, Jerry Durand wrote: Sometime later this summer I'm going to be replacing our server. It's currently a Mac (1.42GHz G4) running OS X Server. Since the mail server part of OS X needs work, I'm thinking of just replacing this with an Intel/AMD based Linux box. I'm considering Ubuntu, any suggestions/warnings/panics? Not a big panic if I can't move the IMAP files over, most mail is read by APOP so there isn't much there. I have OS X Server running email server too, To save the headache of replacing this OS X server, moving mail boxes, reducing the memory load...You can run Amavisd-new/SpamAssassin on a separate Linux box and let Postfix on OS X talk to Amavisd-new on the Linux box. Vincent Li http://bl0g.blogdns.com
v3.2.1 gives spamd: handle_user unable to find user:
SpamAssassin Server version 3.2.1 running on Perl 5.8.8 with zlib support (Compress::Zlib 2.004) I've started seeing the spamd: handle_user unable to find user: message in the spamd log file. This was not happening in v3.2.0. We are starting spamd with this command: spamd -d -u spamd -r $pidfile -x -m 12 --syslog=local2 --syslog-socket=inet -i -A $me,$em1,$em2,$em3,$em4 We are not using any kind of per-user configuration or per-user Bayes or anything like that, and I don't expect the username that is running spamc (on another machine) to exist on the spamd machine. What options do I need to specify to suppress this error? Is spamd doing anything it shouldn't do because of this error? The change in behavior seems to be related to this change to the got_user_header() function: @@ -1886,9 +1911,12 @@ handle_user_setuid_with_ldap($current_user); $setuid_to_user = 1;# as above } +else { + handle_user_setuid_basic($current_user); +} } else { -handle_user($current_user); +handle_user_setuid_basic($current_user); if ( $opt{'sql-config'} ) { unless ( handle_user_sql($current_user) ) { service_unavailable_error(Error fetching user preferences via SQL);
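Review bot: the final else branch, where `handle_user($current_user)` becomes `handle_user_setuid_basic($current_user)`, and the new `else` added above it both send every request that carries a user name into the setuid path, and nothing in the hunk states what happens when that name has no local account. Because the name is supplied by the remote spamc client, each call site should carry a comment documenting the outcome for an unknown user (which account processing falls back to, and whether that is an error or an informational log line), and a setup with no per-user configuration should not log a lookup failure for every message. The behaviour change from 3.2.0 that the poster reports also belongs in the change notes.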
R: new system
-Messaggio originale- Da: Vincent Li [mailto:[EMAIL PROTECTED] On Wed, 13 Jun 2007, Jerry Durand wrote: Sometime later this summer I'm going to be replacing our server. It's currently a Mac (1.42GHz G4) running OS X Server. Since the mail server part of OS X needs work, I'm thinking of just replacing this with an Intel/AMD based Linux box. I'm considering Ubuntu, any suggestions/warnings/panics? Not a big panic if I can't move the IMAP files over, most mail is read by APOP so there isn't much there. I have OS X Server running email server too, To save the headache of replacing this OS X server, moving mail boxes, reducing the memory load...You can run Amavisd-new/SpamAssassin on a seperate Linux box and let Postfix on OS X talk to Amavisd-new on the Linux box. Just to know, what's the matter with installing amavisd-new on MacOS X? Giampaolo Vincent Li http://bl0g.blogdns.com
Re: new system
At 01:03 PM 6/13/2007, Vincent Li wrote: I have OS X Server running email server too, To save the headache of replacing this OS X server, moving mail boxes, reducing the memory load...You can run Amavisd-new/SpamAssassin on a seperate Linux box and let Postfix on OS X talk to Amavisd-new on the Linux box. The system's getting old, I'm worried about hardware failure. And a new Mac would be Intel based, so that's a lot of work anyway. Using Linux saves me from paying retail for a Mac and the extra $ for OS X Server. I plan to bring up the second server off-line so I can take my time getting it working. Hopefully I'll end up with a working Mac left over that I can donate to a worthy person (I already know two teens who'd fight over it). I'm also having to upgrade our Windows systems, the next CAD update won't run on Windows-00, and those systems are also old. So...new XP systems all around. -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
Re: R: new system
At 01:12 PM 6/13/2007, Giampaolo Tomassoni wrote: Just to know, what's the matter with installing amavisd-new on MacOS X? Nothing if you follow the tutorial at TopicDesk.com , OS X Server has an old version of amavisd-new, you need to install a second copy and change operation over to that. -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
Re: R: new system
On Wed, 13 Jun 2007, Giampaolo Tomassoni wrote: -Messaggio originale- Da: Vincent Li [mailto:[EMAIL PROTECTED] On Wed, 13 Jun 2007, Jerry Durand wrote: Sometime later this summer I'm going to be replacing our server. It's currently a Mac (1.42GHz G4) running OS X Server. Since the mail server part of OS X needs work, I'm thinking of just replacing this with an Intel/AMD based Linux box. I'm considering Ubuntu, any suggestions/warnings/panics? Not a big panic if I can't move the IMAP files over, most mail is read by APOP so there isn't much there. I have OS X Server running email server too, To save the headache of replacing this OS X server, moving mail boxes, reducing the memory load...You can run Amavisd-new/SpamAssassin on a seperate Linux box and let Postfix on OS X talk to Amavisd-new on the Linux box. Just to know, what's the matter with installing amavisd-new on MacOS X? Giampaolo Nothing wrong to run amavisd-new on OSX, just an idea :) Vincent
Re: v3.2.1 gives spamd: handle_user unable to find user:
On Wed, 13 Jun 2007, Rosenbaum, Larry M. wrote: SpamAssassin Server version 3.2.1 running on Perl 5.8.8 with zlib support (Compress::Zlib 2.004) I've started seeing the spamd: handle_user unable to find user: message in the spamd log file. This was not happening in v3.2.0. We are starting spamd with this command: spamd -d -u spamd -r $pidfile -x -m 12 --syslog=local2 --syslog-socket=inet -i -A $me,$em1,$em2,$em3,$em4 We are not using any kind of per-user configuration or per-user Bayes or anything like that, and I don't expect the username that is running spamc (on another machine) to exist on the spamd machine. What options do I need to specify to suppress this error? Is spamd doing anything it shouldn't do because of this error? If you simply want to suppress this info log, I guess you can just comment #info(spamd: handle_user unable to find user: $username\n); Since you don't run spamd in paranoid mode -P option, spamd will not die and fall back to user nobody Vincent Li http://bl0g.blogdns.com
Re: 3.2.1 install failure
Chris-394 wrote: For the first time ever I've had a failure with an SA install. I've actually no clue what the problem could be, the output of 'make test' can be found here http://mediasafe.embarq.com/chris1948/Hosted/SAfailed.txt if someone would be so kind as to look at it and help me see what the issues might be. Thank you Chris -- Chris KeyID 0xE372A7DA98E6705C hi chris! same prob here, make shows same errors. hopefully there will be a fix for this, or at least an advice on how to fix it locally, if sth. is misconfigured. cu, nitrox
make test dnsbl tests sporadically fail
When I run make test for v3.2.1, why do some of the dnsbl tests sporadically fail? For instance: t/dnsbl.Not found: P_2 = dns:134.88.73.210.dnsbltest.spamassassin.org [127.0.0.4] # Failed test 1 in t/SATest.pm at line 635 Not found: P_7 = dns:134.88.73.210.sb.dnsbltest.spamassassin.org?type=TXT # Failed test 2 in t/SATest.pm at line 635 fail #2 Not found: P_4 = dns:14.35.17.212.dnsbltest.spamassassin.org [127.0.0.1] t/dnsbl.NOK 1# Failed test 3 in t/SATest.pm at line 635 fail #3 Not found: P_3 = dns:18.13.119.61.dnsbltest.spamassassin.org [127.0.0.12] # Failed test 4 in t/SATest.pm at line 635 fail #4 Not found: P_5 = dns:226.149.120.193.dnsbltest.spamassassin.org [127.0.0.1] # Failed test 5 in t/SATest.pm at line 635 fail #5 t/dnsbl.NOK 2 Not found: P_1 = dns:98.3.137.144.dnsbltest.spamassassin.org [127.0.0.2] # Failed test 6 in t/SATest.pm at line 635 fail #6 Not found: P_6 = dns:example.com.dnsbltest.spamassassin.org [127.0.0.2] # Failed test 7 in t/SATest.pm at line 635 fail #7 Not found: P_15 = DNSBL_RHS t/dnsbl.NOK 3# Failed test 8 in t/SATest.pm at line 635 fail #8 Not found: P_17 = DNSBL_SB_FLOAT t/dnsbl.NOK 4# Failed test 9 in t/SATest.pm at line 635 fail #9 Not found: P_18 = DNSBL_SB_STR # Failed test 10 in t/SATest.pm at line 635 fail #10 Not found: P_16 = DNSBL_SB_TIME # Failed test 11 in t/SATest.pm at line 635 fail #11 t/dnsbl.NOK 5 Not found: P_10 = DNSBL_TEST_DYNAMIC # Failed test 12 in t/SATest.pm at line 635 fail #12 Not found: P_12 = DNSBL_TEST_RELAY # Failed test 13 in t/SATest.pm at line 635 fail #13 t/dnsbl.NOK 6 Not found: P_11 = DNSBL_TEST_SPAM # Failed test 14 in t/SATest.pm at line 635 fail #14 Not found: P_8 = DNSBL_TEST_TOP # Failed test 15 in t/SATest.pm at line 635 fail #15 Not found: P_9 = DNSBL_TEST_WHITELIST t/dnsbl.NOK 7# Failed test 16 in t/SATest.pm at line 635 fail #16 Not found: P_14 = DNSBL_TXT_RE # Failed test 17 in t/SATest.pm at line 635 fail #17 Not found: P_13 = DNSBL_TXT_TOP t/dnsbl.NOK 8# Failed test 18 in t/SATest.pm 
at line 635 fail #18 t/dnsbl.NOK 9Output can be examined in: log/d.dns/1 t/dnsbl.FAILED tests 1-18 Failed 18/23 tests, 21.74% okay If I run t/dnsbl.t later, a smaller number of the subtests fail. If I repeat it later, a different set of dnsbl subtests fail. There is nothing obviously wrong with the DNS server. What causes this problem?
R: R: new system
-Messaggio originale- Da: Vincent Li [mailto:[EMAIL PROTECTED] On Wed, 13 Jun 2007, Giampaolo Tomassoni wrote: -Messaggio originale- Da: Vincent Li [mailto:[EMAIL PROTECTED] On Wed, 13 Jun 2007, Jerry Durand wrote: Sometime later this summer I'm going to be replacing our server. It's currently a Mac (1.42GHz G4) running OS X Server. Since the mail server part of OS X needs work, I'm thinking of just replacing this with an Intel/AMD based Linux box. I'm considering Ubuntu, any suggestions/warnings/panics? Not a big panic if I can't move the IMAP files over, most mail is read by APOP so there isn't much there. I have OS X Server running email server too, To save the headache of replacing this OS X server, moving mail boxes, reducing the memory load...You can run Amavisd-new/SpamAssassin on a seperate Linux box and let Postfix on OS X talk to Amavisd-new on the Linux box. Just to know, what's the matter with installing amavisd-new on MacOS X? Giampaolo Nothing wrong to run amavisd-new on OSX, just an idea :) Ah, ok. For the records: I'm not MacOS X-addicted. My question was just because I was pretty sure that installing a fresh copy of amavisd-new on a MacOS X box was possible... Thank you, Giampaolo Vincent
Error on startup after upgrade to 3.2.1:CompiledRegexps
[EMAIL PROTECTED] ~]# rpm -Uvh /usr/src/redhat/RPMS/i386/spamassassin-3.2.1-1.i386.rpm /usr/src/redhat/RPMS/i386/perl-Mail-SpamAssassin-3.2.1-1.i386.rpm Preparing...### [100%] 1:perl-Mail-SpamAssassin ### [ 50%] 2:spamassassin ### [100%] Stopping spamd: [ OK ] Starting spamd: [13775] error: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC (@INC contains: /var/lib/spamassassin/compiled/3.002001 /var/lib/spamassassin/compiled/3.002001/auto lib /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.6/i386-linux-thread-multi /usr/lib/perl5/5.8.6) at (eval 570) line 1. [ OK ] Am I concerned? Where is CompiledRegexps supposed to be and why is it not there? TIA -- Time flies like the wind. Fruit flies like a banana. Stranger things have .0. happened but none stranger than this. Does your driver's license say Organ ..0 Donor?Black holes are where God divided by zero. Listen to me! We are all- 000 individuals! What if this weren't a hypothetical question? steveo at syslang.net
Re: ANNOUNCE: Apache SpamAssassin 3.2.1 available
Jake Richter jake at richterscale.org writes: Is the workaround y'all are suggesting that the SA make be done as a non-root user, but the install be done as root in my situation? [snip] To answer my own question: Yes. This works fine. Jake
RE: Error on startup after upgrade to 3.2.1:CompiledRegexps
From: Steven W. Orr [mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] ~]# rpm -Uvh /usr/src/redhat/RPMS/i386/spamassassin-3.2.1-1.i386.rpm /usr/src/redhat/RPMS/i386/perl-Mail-SpamAssassin-3.2.1-1.i386.rpm Preparing... ### [100%] 1:perl-Mail-SpamAssassin ### [ 50%] 2:spamassassin ### [100%] Stopping spamd: [ OK ] Starting spamd: [13775] error: Can't locate Mail/SpamAssassin/CompiledRegexps/body_0.pm in @INC (@INC contains: ... Am I concerned? Where is CompiledRegexps supposed to be and why is it not there? I think it means you have Rule2XSBody uncommented in v320.pre but you don't have a compiled ruleset. Perhaps you ran sa-compile under v3.2.0 but you haven't run it under v3.2.1.
RE: Freebsd Port of SA 3.2.1
-Original Message- From: Jack L. Stone [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 13, 2007 9:29 AM To: Michael Scheidell; [EMAIL PROTECTED] Cc: users@spamassassin.apache.org; [EMAIL PROTECTED] Subject: Re: Freebsd Port of SA 3.2.1 At 10:47 PM 6.12.2007 -0400, Michael Scheidell wrote: If anyone wants a 'pre release' of the Freebsd sa 3.2.1 portfile, you can download it here: http://www.secnap.com/downloads/sa321.tgz I am using FBSD-6.2 amd64 and ran into this problem when running make: bunch of other stuff all okay stopped here: Manifying blib/man3/Mail::SpamAssassin::Plugin::RelayCountry.3 make -f spamc/Makefile spamc/libspamc.so gcc -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libspamc.so -shared -L/usr/local/lib -lz /usr/bin/ld: /var/tmp//cchaPM1S.o: relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC /var/tmp//cchaPM1S.o: could not read symbols: Bad value *** Error code 1 Give this a shot: http://www.secnap.com/downloads/sa321.tgz I added this to post-build: (mind the wrap) post-build: + @(cd ${BUILD_WRKSRC}/spamc; ${SED} -e '/^CCDLFLAGS/s/-Wl/-DPIC -fPIC -Wl/' Makefile Makefile.lib) This based on other makefile with both -DPIC and -fPIC in it, and darn if I know why spamc/Makefile doesn't have it there. _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
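Review bot: in the post-build line, sed is given two file operands (Makefile Makefile.lib) and, as the line reads here, no output redirection or in-place option, so the edited text would go to stdout and CCDLFLAGS in spamc/Makefile would stay unchanged; confirm what was lost in the wrap. The substitution also only fires when the CCDLFLAGS line already contains -Wl, so on a Makefile where it does not, the step silently does nothing and the link fails with the same relocation error; checking that -fPIC is present after the edit would make that case explicit.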
Re: Missing rule? AND I've updated my SUSE builds
Anders Norrbring wrote: I just noticed this in my lint; [3425] warn: config: warning: score set for non-existent rule SARE_GIF_STOX And I can't find the source for the SARE_GIF_STOX rule, any hints please? /etc/mail/spamassassin/70_sare_stocks.cf $ head /etc/mail/spamassassin/70_sare_stocks.cf # SARE Stocks Ruleset for SpamAssassin # Version: 01.01.01 # Created: 2005-12-18 # Modified: 2007-05-06 ... [snip] -- René Berber
Re: Freebsd Port of SA 3.2.1
+.if ${ARCH} == i386 +.endif Please don't do that! Both of the following cc commands need option -fPIC in order to be able to build a shareable library: gcc -fPIC -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libspamc.so -shared -L/usr/local/lib -lz gcc -fPIC -DSPAMC_SSL -Wl,-R/usr/local/lib/perl5/5.8.8/mach/CORE spamc/libspamc.c spamc/utils.c -o spamc/libsslspamc.so -shared -L/usr/local/lib -lssl -lcrypto -lz This way it will build on any architecture, not just on Intel in 32-bit mode. This seems to be a SpamAssassin issue, and is not specific to FreeBSD ports. Now on: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5515 Mark
Fine-tuning bayes
I'm using SpamAssassin 3.1.7 as an individual user. I carefully sa-learn all spam (and all ham with a bayes score over 0), and it's rather good now, but it's not perfect. I have an idea, and I'd like to bounce it off the community to see if it makes sense. I have various filters in procmail to move spam to different folders, based on what address it was sent to. I set up a filter in procmail to move all spam that doesn't need the bayes score to be classified as spam (the score is over 16, for example) to its own filter, and stopped sa-learning it as spam (I just delete it). The idea being, that will free up the bayes filtering for more of the gray zone spam. Does that idea make any sense? I've already noticed some of the high score spam getting lower bayes scores. But I'm not sure if it will increase the bayes hits of the others. One other thing I did is I changed the score for BAYES_99 to 9.0, all but guaranteeing that anything that the bayes thinks is spam really is. Michael
SA 3.2.1 on OS X
Good news, I can send/receive mail with 3.2.1 installed. Had a slight panic, I forgot to do the second install and got the message I was using the 3.002000 script with 3.002001. Fixed that. Now I see the list is being tagged again as junk mail. I think there was a message about whitelists not working right, I'd say mine was one. whitelist_from_spf *.apache.org bayes_ignore_to users@spamassassin.apache.org bayes_ignore_to [EMAIL PROTECTED] bayes_ignore_from [EMAIL PROTECTED] Headers from a message (it came through our backup MX since I was down while updating, they ARE on our trusted_networks list): From: [EMAIL PROTECTED] Subject:*** JUNK MAIL *** Fine-tuning bayes Date: June 13, 2007 4:12:23 PM PDT To: users@spamassassin.apache.org Return-Path: users-return-59711- [EMAIL PROTECTED] Received: from murder ([unix socket]) by smtp.interstellar.com (Cyrus v2.2.12-OS X 10.4.8) with LMTPA; Wed, 13 Jun 2007 16:15:20 -0700 Received: from localhost (localhost [127.0.0.1]) by smtp.interstellar.com (Postfix) with ESMTP id 9F0534186C2 for [EMAIL PROTECTED]; Wed, 13 Jun 2007 16:15:20 -0700 (PDT) Received: from smtp.interstellar.com ([127.0.0.1]) by localhost (interstellar.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KLzbi25KRgd2 for [EMAIL PROTECTED]; Wed, 13 Jun 2007 16:15:13 -0700 (PDT) Received: from prxy.net (mail.prxy.net [209.177.145.7]) by smtp.interstellar.com (Postfix) with ESMTP id 171C6418693 for [EMAIL PROTECTED]; Wed, 13 Jun 2007 16:14:59 -0700 (PDT) Received: from mail.apache.org ([140.211.11.2] verified) by prxy.net (CommuniGate Pro SMTP 4.2.10) with SMTP id 46507602 for [EMAIL PROTECTED]; Wed, 13 Jun 2007 16:13:51 -0700 Received: (qmail 84604 invoked by uid 500); 13 Jun 2007 23:12:54 - Received: (qmail 84590 invoked by uid 99); 13 Jun 2007 23:12:54 - Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Jun 2007 16:12:54 -0700 Received: from [129.55.12.40] (HELO ll.mit.edu) 
(129.55.12.40) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Jun 2007 16:12:49 -0700 Received: (from [EMAIL PROTECTED]) by ll.mit.edu (8.12.10/8.8.8) id l5DNCSTD025784 for users@spamassassin.apache.org; Wed, 13 Jun 2007 19:12:28 -0400 (EDT) Received: from kivoto.llan.ll.mit.edu(), claiming to be [155.34.64.39] via SMTP by llpost, id smtpdAAA4kaGqY; Wed Jun 13 19:12:23 2007 X-Sieve:CMU Sieve 2.2 X-Virus-Scanned:amavisd-new 2.5.0 (20070423) at interstellar.com X-Spam-Flag:YES X-Spam-Score: 2.162 X-Spam-Level: ** X-Spam-Status: Yes, score=2.162 tagged_above=0 required=2 tests= [DKIM_POLICY_SIGNSOME=0, DK_POLICY_SIGNSOME=0, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RDNS_NONE=0.1] X-Scanned-By: RAE MPP/ClamAV http://raeinternet.com/mpp X-Scanned-By: This message was scanned by MPP Free Edition (www.messagepartners.com)! Received-Spf: pass receiver=prxy.net; client-ip=140.211.11.2; envelope-from=users-return-59711- [EMAIL PROTECTED] Received-Spf: pass (herse.apache.org: local policy) Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm Precedence: bulk List-Help: mailto:[EMAIL PROTECTED] List-Unsubscribe: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Id:users.spamassassin.apache.org Delivered-To: mailing list users@spamassassin.apache.org X-Asf-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By:apache.org Message-Id: [EMAIL PROTECTED] User-Agent: Mozilla Thunderbird 1.0.7 (X11/20050923) X-Accept-Language: en-us, en Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked:Checked by ClamAV on apache.org -- Jerry Durand, Durand Interstellar, Inc. Los Gatos, California, USA tel: +1-408-356-3886, USA Toll Free: 866-356-3886 www.interstellar.com, skype: jerrydurand
Re: SA 3.2.1 on OS X
Jerry Durand wrote: Good news, I can send/receive mail with 3.2.1 installed. Had a slight panic, I forgot to do the second install and got the message I was using the 3.002000 script with 3.002001. Fixed that. Now I see the list is being tagged again as junk mail. I think there was a message about whitelists not working right, I'd say mine was one. whitelist_from_spf *.apache.org I don't think that syntax will work. Try whitelist_from_spf [EMAIL PROTECTED]. Daryl
Re: Status of Spamassassin
From: Dallas Engelken [EMAIL PROTECTED] The Doctor wrote: Can rules_du_jour work? Still getting a no update state. SARE is back up (knock on wood). Delete your .cf files and re-run RDJ... That appears to be the only way to make it work. The -N option on wget, which actually reduces traffic, results in an infinite delay when fetching. {^_^}
Re: 3.2.1 install failure
On Wednesday 13 June 2007 12:55 pm, Chris wrote: I've always installed with CPAN via webmin, guess I'll have to download and read the cpan man pages to see how to install as non-root user Thanks Chris Never mind, my pain drugs are working too hard, I just downloaded the source, ran perl Makefile.PL make make test as non-root and make install as root and all is good. -- Chris KeyID 0xE372A7DA98E6705C
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Hey Daryl, et al, I've just discovered something rather interesting after I enabled the msa_networks feature in local.cf. What's happening is this:
1/ spam arrives at the sendmail box from someone who has used a non-existent email address in our domain
2/ spamassassin clearly marks this as spam, sendmail adds the necessary headers, modifies the subject and relays to exchange
3/ if exchange is configured to send a copy of received email to an external account OR the message is destined for a non-existent mailbox, exchange will initiate a connection with sendmail either for forwarding mail or for NDR
4/ since the exchange box is now trusted via msa_networks, the email receives a clean bill of health from spamassassin and sendmail proceeds to remove the headers previously added for the incoming message except for the subject line which is left with the previously changed header!
How can I tell sendmail milter not to remove any of the headers as the email message is really still spam??? Although we could drop all spam and forget about this whole issue, company policy dictates that any email destined to an existing recipient mailbox will be delivered be it spam or not (false positives in the past have left many weary of lost email)! Cheers, AK.
RE: Problems with Received: header checks and ALL_TRUSTED rule...
I've just discovered something rather interesting after I enabled the msa_networks feature in local.cf. What's happening is this: 1/ spam arrives at the sendmail box from someone who has used a non-existent email address in our domain 2/ spamassassin clearly marks this as spam, sendmail adds the necessary headers, modifies the subject and relays to exchange 3/ if exchange is configured to send a copy of received email to an external account OR the message is destined for a non-existent mailbox, exchange will initiate a connection with sendmail either for forwarding mail or for NDR 4/ since the exchange box is now trusted via msa_networks, the email receives a clean bill of health from spamassassin and sendmail proceeds to remove the headers previously added for the incoming message except for the subject line which is left with the previously changed header! How can I tell sendmail milter not to remove any of the headers as the email message is really still spam??? Although we could drop all spam and forget about this whole issue, company policy dictates that any email destined to an existing recipient mailbox will be delivered be it spam or not (false positives in the past have left many weary of lost email)! Cheers, AK. AK, The MTA should not accept email for non existent email addresses - rh
RE: Problems with Received: header checks and ALL_TRUSTED rule...
Thanks Robert. And you are correct - the exchange rejects mail destined to non-existent mailboxes! Due to lack of time, I have not yet found a quick method to have sendmail authenticate against active directory so I've instructed sendmail to relay all mail and leave it to exchange to deal with rejection and NDR's. OT Any chance you know of a quick and dirty method to implement sendmailAD authentication? I did search during build of the sendmail box, but did not find conclusive instructions to do so - possibly because I was under immense pressure to get a spam identifier installed. /OT Cheers, AK. -Original Message- From: Robert - eLists [mailto:[EMAIL PROTECTED] Sent: Thursday, 14 June 2007 10:47 AM To: users@spamassassin.apache.org Subject: RE: Problems with Received: header checks and ALL_TRUSTED rule... AK, The MTA should not accept email for non existent email addresses - rh
Re: Problems with Received: header checks and ALL_TRUSTED rule...
Anthony Kamau wrote: 3/ if exchange is configured to send a copy of received email to an external account OR the message is destined for a non-existent mailbox, exchange will initiate a connection with sendmail either for forwarding mail or for NDR 4/ since the exchange box is now trusted via msa_networks, the email receives a clean bill of health from spamassassin and sendmail proceeds to remove the headers previously added for the incoming message except for the subject line which is left with the previously changed header! How can I tell sendmail milter not to remove any of the headers as the email message is really still spam??? This depends entirely on the milter. Perhaps you can configure it to either not scan mail that has already been scanned by your system or to not scan outgoing mail at all. In any case, spamming people with backscatter in the form of NDRs from your system is completely unacceptable. You have at least three options to prevent this; (i) configure out how to do LDAP queries from Sendmail against your Exchange system to verify addresses, or (ii) use a milter such as Anthony Howe's milter-ahead (which I believe he licenses for 90 Euros), or (iii) export all of your addresses to your Sendmail box. Daryl
BAYES_99 issue: spamd using info for nobody, not given spamc user
Howdy -- I've seen a few mentions of BAYES_99 problems on the list over the past month or two, but nothing that reflects what I discovered was going on tonight on my system; I'm hoping someone can help! The executive summary is that every message on my system was hitting BAYES_99, and I deduced finally that spamd was using the bayes tokens for the nobody user even when it was successfully being passed another user's ID to use.
First, as the inciting event: two nights ago, I upgraded from Spamassassin 3.1.0 to 3.2.1 (damn Ubuntu 6.06, which *still* is stuck at 3.1.0, hence me compiling and deploying 3.2.1 for myself). Now, I have filters set up so that mail scoring more than 5.0 gets thrown into users' spam folders, and tonight, one of my users mentioned that a few more messages than normal were making it into her spam folder. I looked into it, and saw that all the false positive messages were hitting the BAYES_99 rule, and with further investigation, saw that *every* message coming through my mail system was hitting BAYES_99.
I started debugging, and saw that spamd was running as root (as intended by me), and was being successfully passed the correct user by Postfix when it was passing the messages onto spamc to run through spamd; my spamd log showed something akin to this for each message:
Wed Jun 13 19:40:19 2007 [2404] info: spamd: connection from localhost [127.0.0.1] at port 39765
Wed Jun 13 19:40:19 2007 [2404] warn: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody
Wed Jun 13 19:40:19 2007 [2404] info: spamd: processing message [EMAIL PROTECTED] for rachel:65534
Wed Jun 13 19:40:21 2007 [2404] info: spamd: identified spam (6.5/5.0) for rachel:65534 in 2.0 seconds, 6275 bytes.
Wed Jun 13 19:40:21 2007 [2404] info: spamd: result: Y 6 - AWL,BAYES_99,HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_DYNAMIC scantime=2.0,size=6275,user=rachel,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39765,mid=[EMAIL PROTECTED] s2.jtgservers.com,bayes=1.00,autolearn=no
As you can see from that, I'm getting a spamd warning that it's running as root and falling back to nobody, but it specifically also says that it's identified the user as rachel and is processing it as her -- and that it's hitting the BAYES_99 rule.
I then did a sa-learn -u rachel --clear, verified that it cleared the bayes tokens, learned a piece of ham as the user rachel (to re-establish her bayes token database), and used spamd again to send the same message as above through spamd as rachel (spamc -u rachel message.raw message.out); again, I got the same hit on BAYES_99. I then did a sa-learn -u root --clear and ran it again, and again hit BAYES_99. Finally, I did a sa-learn -u nobody --clear and ran it again, and BAYES_99 was gone. Looking at all the messages streaming through spamd, BAYES_99 was no longer being hit for them all, so clearly it was the nobody user that was causing the issue.
My question is: WHY?!? According to all the logging I could get, spamd was clearly seeing that the user passed in was rachel; where did nobody come into it?
As I said before, I was seeing this behavior running spamc directly (using the -u option to specify the user), so I can't imagine that my MTA enters into the problem; just in case, though, I'm running Postfix, and it calls spamc with the following argv argument in my master.cf file:
/usr/bin/spamc -u ${user} -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Spamd is running daemonized, with the following options:
spamd --max-children=10 -d -x -q -i 127.0.0.1 -A 209.10.108.198,204.193.152.163,192.168.1.163,127.0.0.1
I'm using MySQL for my user prefs and bayes token databases; I know that the DB connection is working, because my user whitelist prefs are firing on appropriate emails, and when I issued the sa-learn --clear commands, I could see the MySQL process running in the processlist clearing out the appropriate DB entries. What could be going on? Thanks for any insight you might have! Jason Levine
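The two symptoms in the message above (a named user processed under uid 65534, and BAYES_99 on nearly every message) can be checked across a whole spamd log. The following is an added example, not code from the post or from SpamAssassin; it parses result: lines in the format quoted above, and the sample lines, the user alice and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

FALLBACK_UID = 65534  # uid shown beside user=rachel in the quoted log

# Constructed sample lines in the quoted spamd format (not real traffic).
SAMPLE_LOG = """\
Wed Jun 13 19:40:21 2007 [2404] info: spamd: result: Y 6 - AWL,BAYES_99,HTML_MESSAGE scantime=2.0,size=6275,user=rachel,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39765,mid=<a1@example.test>,bayes=1.00,autolearn=no
Wed Jun 13 19:41:02 2007 [2404] info: spamd: result: . 3 - AWL,BAYES_99 scantime=1.1,size=1830,user=rachel,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39771,mid=<a2@example.test>,bayes=1.00,autolearn=no
Wed Jun 13 19:42:40 2007 [2404] info: spamd: result: Y 7 - BAYES_99,MIME_HTML_ONLY scantime=1.4,size=4012,user=rachel,uid=65534,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39780,mid=<a3@example.test>,bayes=1.00,autolearn=no
Wed Jun 13 19:43:05 2007 [2411] info: spamd: result: . 0 -  scantime=0.4,size=900,user=alice,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39790,mid=<b1@example.test>,autolearn=no
Wed Jun 13 19:44:10 2007 [2411] info: spamd: result: Y 9 - BAYES_99,RDNS_DYNAMIC scantime=1.9,size=5100,user=alice,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39795,mid=<b2@example.test>,bayes=1.00,autolearn=no
Wed Jun 13 19:45:30 2007 [2411] info: spamd: result: . 1 - HTML_MESSAGE scantime=0.8,size=2200,user=alice,uid=1001,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=39801,mid=<b3@example.test>,bayes=0.20,autolearn=no
Wed Jun 13 19:45:31 2007 [2411] info: spamd: connection from localhost [127.0.0.1] at port 39802
"""

RESULT_RE = re.compile(r"spamd: result: ([Y.]) (-?\d+) - (.*)$")


def parse_result(line):
    """Return a dict for a spamd 'result:' line, or None for anything else."""
    m = RESULT_RE.search(line.strip())
    if not m:
        return None
    fields = m.group(3).split()
    if not fields:
        return None
    # The last token is the key=value list; the one before it (if any) is the test list.
    tests = set(fields[0].split(",")) if len(fields) > 1 else set()
    kv = dict(p.split("=", 1) for p in fields[-1].split(",") if "=" in p)
    if "user" not in kv or not kv.get("uid", "").isdigit():
        return None
    return {"spam": m.group(1) == "Y", "tests": tests,
            "user": kv["user"], "uid": int(kv["uid"])}


def audit(log_text, min_msgs=3, ratio=0.9):
    """Per-user counts plus findings: uid fallback and BAYES_99 saturation."""
    stats = defaultdict(lambda: {"msgs": 0, "bayes99": 0, "fallback": 0})
    for line in log_text.splitlines():
        rec = parse_result(line)
        if rec is None:
            continue
        s = stats[rec["user"]]
        s["msgs"] += 1
        s["bayes99"] += int("BAYES_99" in rec["tests"])
        # A named user scanned under the fallback uid, as in the quoted log.
        s["fallback"] += int(rec["uid"] == FALLBACK_UID and rec["user"] != "nobody")
    findings = {}
    for user, s in stats.items():
        notes = []
        if s["fallback"]:
            notes.append("uid-fallback")
        if s["msgs"] >= min_msgs and s["bayes99"] / s["msgs"] >= ratio:
            notes.append("bayes99-saturated")
        if notes:
            findings[user] = notes
    return dict(stats), findings


if __name__ == "__main__":
    for user, notes in audit(SAMPLE_LOG)[1].items():
        print(user, ", ".join(notes))
```
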
Re: 404 while getting RDJ updates?
guenther wrote: On Thu, 2007-06-07 at 17:45 +0200, Anders Norrbring wrote: Anyone else getting 404 errors from RDJ lately? Yes, this topic came up just a few hours ago. Probably a DDoS attack. Please disable all RDJ till further notice. guenther Now it's at least partly working, I still have problems with BOGUSVIRUS that only results in some html code. Ideas on that one? Google didn't turn up much useful info (or I didn't catch it..) Anders.