Re: How to use private rules?

2008-05-23 Thread Justin Mason

Michelle Konzack writes:
 Am 2008-05-21 10:53:40, schrieb Bob Proulx:
  Michelle Konzack wrote:
   Because of an
   experience from last Friday where I have hit the limits of my hosting
   provider's mailserver (over 4000 messages stuck in the queue) I lock
   already the ~/.procmailrc to let only one message after one processing
   per $USER.
  
  You are serializing now?  Or you wish to serialize?
 
 I am already using
 
  LOCKFILE=~/.procmailrc.lock
 
 at the beginning of the file to serialize the incoming messages and this
 throttles already the whole thing.  A CPU load of 100% is not really funny.
 
 But now if I use spamc we can not use private rules which we need  and
 AFAIK
 
  :0fw
  *  25
  |/usr/bin/spamassassin
 
 should not be used.  What to do now to run spamassassin safely?

Sorry, I must have missed something.  This sounds like you want
to use allow_user_rules -- is there a problem with using that?

--j.


Spam in qmail queue

2008-05-23 Thread Marcin Praczko
Hi,
 
I am not sure that I am writing to the correct list, but maybe you will help me.

On one of my servers qmail has been installed, with SpamAssassin and qmail-scanner.
There are several virtual domains, and the spam filter is working quite OK.

But I have some messages which I am worried about:

For example: on the server is the domain somedomain1.com

Somebody will send SPAM to [EMAIL PROTECTED], and:
- SpamAssassin marks it as SPAM (which is correct)
- But the user doesn't exist on somedomain1.com (it happens)
- So qmail stores this mail in the queue as long as it can.

My question is, what is the best practice and how can I configure the following
scenario:

Scenario:
The spam filter marks the message as SPAM, qmail is trying to deliver that message
to a non-existent user, and if it does not exist the message is deleted.

BUT if the message is not SPAM and the user doesn't exist, a bounce message should
be sent to the sender.
 
Thank you very much for your help.
 
Marcin Praczko



Re: can we make AWL ignore mail from self to self?

2008-05-23 Thread Jonas Eckerman

Jo Rhett wrote:


Lots of users of this host have Windows PCs,


Another way to do it would be to use different AWLs, or disabling AWL, 
for mail from your own users (either authenticated or locally 
submitted). This makes a lot of sense to me.


Have no my own users except me ;-)   And disabling AWL entirely is 
again a hack.  Let's focus on a fix.


1: Just read it as of when I said your own users I meant the 
users of the host in question (the ones you mention above). More 
specifically, the users using your host as a MSA (authenticated 
or locally).


2: I never suggested disabling the AWL entirely. I suggested 
disabling it for the above mentioned users.


I also suggested (and this is preferable to disabling it in my 
opinion) to separate the AWL so that you use one AWL for mail 
from the above mentioned users and another for unauthenticated 
mail from external relays.


Is there any specific reason you do not want to use two different 
AWLs for those two different types of traffic?


A more involved change would be to have the AWL store the 
authentication state as well as mail address and relay IP/16. When 
scanning mail from your own users using the same AWL database as for 
for mail to your users, this seems necessary to me.


Again, this seems to be a lot of work for no real gain.  What I have 
proposed makes sense for widespread use.  Why hack/slash/burn when a 
good fix would improve it for everyone?


In case you haven't noticed it, your suggestion is not seen as a 
good fix for the problem by everyone. I was merely suggesting 
other ways to go about this.


If you wish other people to implement/accept something that 
fixes your problem and you can't convince them that your own 
ideas are good, it may be that alternative means of fixing the 
problem are seen as better and therefore stand a bigger chance of 
being implemented/accepted.


I am not, however, trying to stop you from implementing ignoring 
self-self mail by the AWL.


If you do implement your fix and submit it, please make it an 
option. I for one would turn it off since it would not improve 
things here.


Regards
/Jonas
--
Jonas Eckerman, FSDB  Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: Starting a URIBL - Howto? [OT]

2008-05-23 Thread Rob McEwen

Dallas Engelken wrote:
No, you're right, thats not fair.   If I compare only recent reactive 
listings, minus the subdomain hosters that we list, you hit about 60% 
whereas before it was more like 27%.


ivmURI stats from last 5000 URIBL black listings
- 2981 hits
- 2019 misses
Dallas, I've made some recent *substantial* improvements to ivmURI. (1) 
I've added *several* new spam sources... it was always a weakness of 
ivmURI that the raw data that fed ivmURI wasn't wide enough. That 
incoming data is much wider now! ...and... (2) I improved ivmSIP's 
response time (previously, it was getting bogged down in some auditing 
tasks that were delaying writes to the rsync files... that has been fixed).


RESULTS...

stats from 5/23/2008 (a few minutes ago).
-
322/500 (ivmURI hits from the latest 500 URIBL listings)
(whereas a couple of tests in April showed 186/500 and 225/500)

301/500 (URIBL hits from the latest 500 ivmURI listings)
NOTE: to compare apples-to-apples, subdomain listings in URIBL were removed

Let me know if you'd like a snapshot of ivmURI for your own analysis of 
these latest improvements.


ALSO...

In spite of your off-list explanation, I'm STILL confused about what you 
mean when you refer to URIBL's *pro-active listings*???


You must be either referring to:

(A) Listings *currently* in URIBL-GOLD, but *not* *yet* in URIBL-BLACK
--or--
(B) Listings *currently* in URIBL-BLACK which were *previously* listed 
in URIBL-GOLD


Which is it? A or B? (or something else?)

OF COURSE: The silly part about all these stats is that the *superior* 
comparison between DNSBLs is hit rates on spams sent to mail servers 
combined with low FP rates. It is possible for a DNSBL to have far fewer 
listings, but, in real world testing, hit on higher numbers of spams 
with less FPs.


Rob McEwen



Re: Spam in qmail queue

2008-05-23 Thread Evan Platt
As this really is a qmail question, if you don't get any answers here, 
I'd suggest posting to a qmail forum.


Marcin Praczko wrote:


Hi,

I am not sure that I am writing to the correct list, but maybe you will help me.

On one of my servers qmail has been installed, with SpamAssassin and qmail-scanner.
There are several virtual domains, and the spam filter is working quite OK.

But I have some messages which I am worried about:

For example: on the server is the domain somedomain1.com

Somebody will send SPAM to [EMAIL PROTECTED], and:
- SpamAssassin marks it as SPAM (which is correct)
- But the user doesn't exist on somedomain1.com (it happens)
- So qmail stores this mail in the queue as long as it can.

My question is, what is the best practice and how can I configure the following
scenario:

Scenario:
The spam filter marks the message as SPAM, qmail is trying to deliver that message
to a non-existent user, and if it does not exist the message is deleted.

BUT if the message is not SPAM and the user doesn't exist, a bounce message should
be sent to the sender.

Thank you very much for your help.

Marcin Praczko








Re: Spam in qmail queue

2008-05-23 Thread Richard Frovarp

Marcin Praczko wrote:


Hi,

I am not sure that I am writing to the correct list, but maybe you will help me.

On one of my servers qmail has been installed, with SpamAssassin and qmail-scanner.
There are several virtual domains, and the spam filter is working quite OK.

But I have some messages which I am worried about:

For example: on the server is the domain somedomain1.com

Somebody will send SPAM to [EMAIL PROTECTED], and:
- SpamAssassin marks it as SPAM (which is correct)
- But the user doesn't exist on somedomain1.com (it happens)
- So qmail stores this mail in the queue as long as it can.

My question is, what is the best practice and how can I configure the following
scenario:

Scenario:
The spam filter marks the message as SPAM, qmail is trying to deliver that message
to a non-existent user, and if it does not exist the message is deleted.

BUT if the message is not SPAM and the user doesn't exist, a bounce message should
be sent to the sender.

Thank you very much for your help.

Marcin Praczko

Do not bounce! If the user does not exist, reject the message at SMTP 
time. Problem solved. If you accept the message, it is up to you to deal 
with it. Bouncing will just send messages back to people who don't 
deserve it. Look up joe jobbed.


[OT] Spam in qmail queue

2008-05-23 Thread Rick Macdougall
Somebody will send SPAM to [EMAIL PROTECTED], and:
- SpamAssassin marks it as SPAM (which is correct)
- But the user doesn't exist on somedomain1.com (it happens)
- So qmail stores this mail in the queue as long as it can.

My question is, what is the best practice and how can I configure the following
scenario:

Scenario:
The spam filter marks the message as SPAM, qmail is trying to deliver that message
to a non-existent user, and if it does not exist the message is deleted.

BUT if the message is not SPAM and the user doesn't exist, a bounce message should
be sent to the sender.

Thank you very much for your help.




Hi,

You want the qmail chkuser patch 
http://www.interazioni.it/opensource/chkuser/ or the validrcptto patch.


I believe most people use the chkuser patch.

Regards,

Rick


Re: Spam in qmail queue

2008-05-23 Thread Jonas Eckerman

Marcin Praczko wrote:


- SpamAssassin marks it as SPAM (which is correct)
- But the user doesn't exist on somedomain1.com (it happens)
- So qmail stores this mail in the queue as long as it can.


Do you have any special reason to receive mail for users that 
don't exist?


My question is, what is the best practice and how can I configure 
following scenario:


The best practice is to never accept messages to non-existent users.

Regards
/Jonas
--
Jonas Eckerman, FSDB  Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Directory Harvest Attack

2008-05-23 Thread Jason Holbrook
I am undergoing a massive directory harvest attack. Is there a good set
of rules that will help stop this or a place anyone could point me.

 

Best Regards,

Jason Holbrook

Chief Technology Integrator / Partner

Empower Information Systems



Testing DNSRBLs using SA

2008-05-23 Thread DAve

Good morning all,

I am trying to use SA to test a DNSBL and I am not having any luck 
getting the rule to hit. I've looked through 20_dnsbl_tests.cf, and read 
the appropriate section in the docs.


http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings

Here is what I have currently,

header   RCVD_IN_SIP   eval:check_rbl('sip', 'sip.invaluement.com.')
describe RCVD_IN_SIP   sender is known in Invaluement list
tflags   RCVD_IN_SIP   net
score    RCVD_IN_SIP   0.01

And yes, when I query my rbldnsd server from the server running SA with 
an IP known to be in the list, I do get the proper response.


Anyone see a flaw in this concept?

Thanks,

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


How to get clarity on AWL?

2008-05-23 Thread Greg Troxel
A lot of my mail is tagged with AWL, and I am often baffled.  Here are
what I think are the relevant headers from a perplexing example:

  Return-Path: [EMAIL PROTECTED]
  X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on fnord.ir.bbn.com
  X-Spam-Status: Yes, score=6.8 required=1.0 tests=AWL,BAYES_95,DEAR_WINNER,
  HTML_MESSAGE,SUBJ_ALL_CAPS autolearn=spam version=3.2.4
  X-Spam-Report: 
  *  2.1 SUBJ_ALL_CAPS Subject is all capitals
  *  3.2 DEAR_WINNER BODY: DEAR_WINNER
  *  0.0 HTML_MESSAGE BODY: HTML included in message
  *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
  *  [score: 0.9582]
  * -1.5 AWL AWL: From: address is in the auto white-list
  From: AUSTRALIAN LOTTERY INTL [EMAIL PROTECTED]

Reading http://wiki.apache.org/spamassassin/AwlWrongWay, I realize I am
confused - this sender has a positive average, and this message was more
spammy, and thus given credit for somewhat-less-spammy previous mail.

I think that I should be able to infer that because this message was 8.3
before AWL, and AWL was -1.5, that the average is 5.3.  But if the message said

  * -1.5 AWL AWL: From: address is in the auto white-list at 5.3 for 12 
messages

it would make things easier to follow.  Plus, the AutoWhitelist wiki
entry says that the key is also IP address that the mail originated
at, and it would be nice to print that out, since it's non-obvious what
that means (last hop before trusted relay, or relying on maybe-forged
received lines?).

Somewhat separately, the spamassassin program has options to manipulate
whitelist, blacklist:

 -W, --add-to-whitelist             Add addresses in mail to persistent address whitelist
     --add-to-blacklist             Add addresses in mail to persistent address blacklist
 -R, --remove-from-whitelist        Remove all addresses found in mail from persistent address list
     --add-addr-to-whitelist=addr   Add addr to persistent address whitelist
     --add-addr-to-blacklist=addr   Add addr to persistent address blacklist
     --remove-addr-from-whitelist=addr  Remove addr from persistent address list

but I don't see any to print out the lists and scores for inspection,
and I'm unclear on the AWL vs persistent white/black lists.  I think it would 
make sense to have

--print-whitelist
--print-blacklist
--print-autowhitelist

or perhaps only one is needed, and also

--lookup-in-whitelists=addr

to print the white/black/auto status of an address.



Re: Testing DNSRBLs using SA

2008-05-23 Thread D Hill

On Fri, 23 May 2008 at 10:32 -0400, [EMAIL PROTECTED] confabulated:


Good morning all,

I am trying to use SA to test a DNSBL and I am not having any luck getting 
the rule to hit. I've looked through 20_dnsbl_tests.cf, and read the 
appropriate section in the docs.


http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings

Here is what I have currently,

header   RCVD_IN_SIP   eval:check_rbl('sip', 'sip.invaluement.com.')
describe RCVD_IN_SIP   sender is known in Invaluement list
tflags   RCVD_IN_SIP   net
score    RCVD_IN_SIP   0.01

And yes, when I query my rbldnsd server from the server running SA with an IP 
known to be in the list, I do get the proper response.


Anyone see a flaw in this concept?


To me that rule looks fine. Perhaps your testing is completely within your 
trusted path? Feed the message with SpamAssassin with the -D debug switch 
to see for sure.


Re: Spam in qmail queue

2008-05-23 Thread Sahil Tandon



Marcin Praczko wrote:


- SpamAssassin marks it as SPAM (which is correct)
- But the user doesn't exist on somedomain1.com (it happens)
- So qmail stores this mail in the queue as long as it can.


Do you have any special reason to receive mail for users that  
don't exist?


My question is, what is the best practice and how can I configure  
the following scenario:


The best practice is to never accept messages to non-existent users.


Agreed. There is no reason to accept then bounce. That's ==  
backscatter. Either REJECT or DISCARD.


- Sahil

Re: Testing DNSRBLs using SA

2008-05-23 Thread Rob McEwen

DAve wrote:

I am trying to use SA to test a DNSBL
SNIP
PLEASE--note that direct queries to the invaluement.com DNSBLs will 
*always* fail.


These are *only* available via RSYNC. So please don't try to add SIP to 
your RBL list... it won't work!!!


(Dave knows this... I'm just mentioning this for others' benefit.)

<embarrassed>and I'm not sure what the problem is with Dave's config. I 
use SA for some spam filtering tasks. But most of my own spam filtering 
is custom written and, therefore, I don't use SA for DNSBL lookups... 
which is why I'm sometimes caught off-guard regarding SA's dnsbl 
implementations.</embarrassed>


Rob McEwen



RE: Testing DNSRBLs using SA

2008-05-23 Thread Robert - elists
 
 I am trying to use SA to test a DNSBL and I am not having any luck
 getting the rule to hit. I've looked through 20_dnsbl_tests.cf, and read
 the appropriate section in the docs.
 
 http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#
 rule_definitions_and_privileged_settings
 
 Here is what I have currently,
 
 header   RCVD_IN_SIP   eval:check_rbl('sip', 'sip.invaluement.com.')
 describe RCVD_IN_SIP   sender is known in Invaluement list
 tflags   RCVD_IN_SIP   net
 score    RCVD_IN_SIP   0.01
 
 And yes, when I query my rbldnsd server from the server running SA with
 an IP known to be in the list, I do get the proper response.
 
 Anyone see a flaw in this concept?
 
 Thanks,
 
 Dave

Dave

If you are really trying to probe the local sip zone data, make it local and
create a local zone with a name something like...

sip.invaluement.local

not .com even though it might work, it creates confusion...

even though you can be locally, your name servers are not authoritative for
the invaluement.com zone.

next, as I understand it, the sip zone is IP addresses only. Is that what
you are trying to check?

You can also look at the rbldnsd logs to see what is happening as well.

 - rh



Re: Testing DNSRBLs using SA

2008-05-23 Thread DAve

Rob McEwen wrote:

DAve wrote:

I am trying to use SA to test a DNSBL
SNIP
PLEASE--note that direct queries to the invaluement.com DNSBLs will 
*always* fail.


These are *only* available via RSYNC. So please don't try to add SIP to 
your RBL list... it won't work!!!


(Dave knows this... I'm just mentioning this for others' benefit.)

<embarrassed>and I'm not sure what the problem is with Dave's config. I 
use SA for some spam filtering tasks. But most of my own spam filtering 
is custom written and, therefore, I don't use SA for DNSBL lookups... 
which is why I'm sometimes caught off-guard regarding SA's dnsbl 
implementations.</embarrassed>




Sorry Rob, I should have mentioned that so no one tried to duplicate my 
rule and test it.


DAve


--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


Re: Directory Harvest Attack

2008-05-23 Thread Ken A

Jason Holbrook wrote:

I am undergoing a massive directory harvest attack. Is there a good set
of rules that will help stop this or a place anyone could point me.


Assuming you are doing obvious things, like not accepting mail for 
non-existent users, and using whatever tweaks are available in your MTA 
(bad recipient throttle, etc), an IDS like ossec will help. (free) 
http://ossec.net/ It'll block using the system firewall if an IP hits 
your machine more than a few times causing log entries that it triggers 
on. There are default rules for common MTAs.


Ken




 



--
Ken Anderson
Pacific.Net
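Ken's suggestion is a log-driven block: once the MTA refuses mail for non-existent users at RCPT time, a harvest run shows up as a burst of unknown-recipient rejections from one source. This added example (not OSSEC's rules and not from anyone in the thread) implements that sliding-window detection over a constructed log excerpt; the log line format, the threshold and the window are assumptions, and the regex would be adapted to the real MTA's line format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not any specific MTA's): each
# "reject RCPT ... unknown user" line is one recipient refused at SMTP time.
SAMPLE_LOG = """\
2008-05-23 10:00:01 mx smtpd: reject RCPT from 203.0.113.9 to <aaron@somedomain1.com>: unknown user
2008-05-23 10:00:02 mx smtpd: reject RCPT from 203.0.113.9 to <abby@somedomain1.com>: unknown user
2008-05-23 10:00:02 mx smtpd: reject RCPT from 203.0.113.9 to <abe@somedomain1.com>: unknown user
2008-05-23 10:00:03 mx smtpd: accept RCPT from 198.51.100.4 to <marcin@somedomain1.com>
2008-05-23 10:00:04 mx smtpd: reject RCPT from 203.0.113.9 to <ada@somedomain1.com>: unknown user
2008-05-23 10:00:05 mx smtpd: reject RCPT from 203.0.113.9 to <adam@somedomain1.com>: unknown user
2008-05-23 10:00:40 mx smtpd: reject RCPT from 198.51.100.4 to <marcni@somedomain1.com>: unknown user
2008-05-23 10:12:00 mx smtpd: reject RCPT from 203.0.113.9 to <al@somedomain1.com>: unknown user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ smtpd: reject RCPT "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to <(?P<rcpt>[^>]+)>: unknown user$"
)


def parse_rejections(log_text):
    """Yield (timestamp, source ip, recipient) for each unknown-user rejection."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["rcpt"]


def harvest_offenders(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP to the moment it first reached `threshold`
    unknown-recipient rejections inside a sliding `window`.  This is the
    decision an OSSEC-style log watcher makes before inserting a firewall
    block; a single mistyped address (198.51.100.4 below) never trips it."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, ip, _rcpt in parse_rejections(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def probe_counts(log_text):
    """Distinct recipients probed per source IP: many different unknown
    addresses from one source is the signature of a directory harvest."""
    seen = defaultdict(set)
    for _ts, ip, rcpt in parse_rejections(log_text):
        seen[ip].add(rcpt.lower())
    return {ip: len(rcpts) for ip, rcpts in seen.items()}


if __name__ == "__main__":
    for ip, when in harvest_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {probe_counts(SAMPLE_LOG)[ip]} distinct recipients, "
              f"threshold crossed at {when:%H:%M:%S}")
```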


Re: Testing DNSRBLs using SA

2008-05-23 Thread DAve

D Hill wrote:

On Fri, 23 May 2008 at 10:32 -0400, [EMAIL PROTECTED] confabulated:


Good morning all,

I am trying to use SA to test a DNSBL and I am not having any luck 
getting the rule to hit. I've looked through 20_dnsbl_tests.cf, and 
read the appropriate section in the docs.


http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings 



Here is what I have currently,

header   RCVD_IN_SIP   eval:check_rbl('sip', 'sip.invaluement.com.')
describe RCVD_IN_SIP   sender is known in Invaluement list
tflags   RCVD_IN_SIP   net
score    RCVD_IN_SIP   0.01

And yes, when I query my rbldnsd server from the server running SA 
with an IP known to be in the list, I do get the proper response.


Anyone see a flaw in this concept?


To me that rule looks fine. Perhaps your testing is completely within 
your trusted path? Feed the message with SpamAssassin with the -D debug 
switch to see for sure.


That is how I have been testing it.

 spamassassin -D < test-mail 2>&1 | grep invaluement

No joy, no real clue where to check next. Here is a link to the rule, 
message, and results from spamassassin debug.


http://pixelhammer.com/Dan/dnsbl_rule_test.txt

DAve


--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.


Re: Testing DNSRBLs using SA

2008-05-23 Thread DAve

DAve wrote:

D Hill wrote:
To me that rule looks fine. Perhaps your testing is completely within 
your trusted path? Feed the message with SpamAssassin with the -D 
debug switch to see for sure.


That is how I have been testing it.

 spamassassin -D < test-mail 2>&1 | grep invaluement

No joy, no real clue where to check next. Here is a link to the rule, 
message, and results from spamassassin debug.


http://pixelhammer.com/Dan/dnsbl_rule_test.txt


PEBKAC!

#skip_rbl_checks 1

Works now.

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.
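Two things decided this thread: D Hill's point that a test message sent from inside your own trusted path gives check_rbl no relay to look up, and the `skip_rbl_checks` line that turned out to be set. This added example (not SpamAssassin's code, and not from anyone in the thread) reproduces both: it walks a relay chain the way SA's trust path does, builds the reversed-octet query name, and resolves it against a stand-in for a local rbldnsd zone. The Received lines, the `trusted_networks` value and the zone answer are constructed, and the zone name follows Robert's suggestion of a `.local` test zone because the real invaluement.com zone is rsync-only.

```python
import ipaddress
import re

# Constructed sample: the relay chain of a test message as SA derives it from
# the Received: headers, newest hop first.  Addresses are documentation ranges.
SAMPLE_RECEIVED = [
    "from mx.example.net (mx.example.net [192.0.2.10]) by mailhub.example.net",
    "from relay.example.org (relay.example.org [198.51.100.7]) by mx.example.net",
    "from [203.0.113.55] (unknown [203.0.113.55]) by relay.example.org",
]

# Assumption: the site's trusted_networks covers only its own MX and mail hub.
TRUSTED_NETWORKS = ["192.0.2.0/24"]

# Assumption: stand-in for the local rbldnsd zone; maps a reversed-octet query
# name to the A record the zone would answer with.  Constructed data.
FAKE_ZONE = {
    "55.113.0.203.sip.invaluement.local.": "127.0.0.2",
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_lines):
    """Pull the bracketed IPv4 literal out of each Received: header."""
    return [m.group(1) for line in received_lines if (m := IP_RE.search(line))]


def untrusted_relays(received_lines, trusted_networks):
    """Mimic SA's trust path: walk from the newest hop, skip hops inside
    trusted_networks, and once the first outside hop is met, that hop and
    every older one are untrusted.  An empty result means the whole chain
    was trusted, i.e. the test message never left the trusted path and no
    DNSBL lookup happens at all."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    ips = relay_ips(received_lines)
    for i, ip in enumerate(ips):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            return ips[i:]
    return []


def rbl_query_name(ip, zone):
    """Build the DNSBL lookup name: octets reversed, zone appended, trailing dot."""
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".") + "."


def check_rbl(received_lines, trusted_networks, zone,
              resolve=FAKE_ZONE.get, skip_rbl_checks=False):
    """Return (relay, A record) for the first listed untrusted relay, else None.
    skip_rbl_checks mirrors the SA setting that silently disables every DNSBL
    rule, which is what was set in the thread's case."""
    if skip_rbl_checks:
        return None
    for ip in untrusted_relays(received_lines, trusted_networks):
        answer = resolve(rbl_query_name(ip, zone))
        if answer:
            return ip, answer
    return None


if __name__ == "__main__":
    zone = "sip.invaluement.local."
    print("normal:", check_rbl(SAMPLE_RECEIVED, TRUSTED_NETWORKS, zone))
    # Same message, trusted_networks widened to cover every hop: nothing to look up.
    print("all trusted:", check_rbl(SAMPLE_RECEIVED, ["0.0.0.0/0"], zone))
    print("skip_rbl_checks:", check_rbl(SAMPLE_RECEIVED, TRUSTED_NETWORKS, zone,
                                        skip_rbl_checks=True))
```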


Re: Spam in qmail queue

2008-05-23 Thread hamann . w
 
 Hi,
 
 I am not sure that I am writing to the correct list, but maybe you will help me.
 
 On one of my servers qmail has been installed, with SpamAssassin and qmail-scanner.
 There are several virtual domains, and the spam filter is working quite OK.
 
 But I have some messages which I am worried about:
 
 For example: on the server is the domain somedomain1.com
 
 Somebody will send SPAM to [EMAIL PROTECTED], and:
 - SpamAssassin marks it as SPAM (which is correct)
 - But the user doesn't exist on somedomain1.com (it happens)
 - So qmail stores this mail in the queue as long as it can.
 
 My question is, what is the best practice and how can I configure the following
 scenario:
 
 Scenario:
 The spam filter marks the message as SPAM, qmail is trying to deliver that message
 to a non-existent user, and if it does not exist the message is deleted.
 
 BUT if the message is not SPAM and the user doesn't exist, a bounce message should
 be sent to the sender.
 
 Thank you very much for your help.
 
 Marcin Praczko
 

Hi Marcin,

you can modify qmail-scanner to exit with an error code if the spam score is over a
given value (usually higher than the default score, e.g. 10 rather than 5).
Unpatched qmail would return - during the smtp session, not as a bounce - an
administratively prohibited message to the sender.
It is straightforward to add a new exit value to qmail and have that tell the
sender that their message was considered spam.
You can do this right away, but you are still encouraged to install whatever
matches your system setup and rejects mail to non-existent users.

Wolfgang
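The advice in this thread (Richard, Jonas, Sahil, John and Wolfgang) is the same policy stated from two ends: refuse unknown recipients at RCPT time, and let the content filter's verdict come back as a permanent error while the sender is still connected, so this host never generates a bounce. This added example (not qmail's, chkuser's or qmail-scanner's code) is a toy SMTP server-side state machine that enforces exactly that, with the client side of the session scripted so both halves of the exchange are visible; the local user table, the reject threshold and the scoring stub are assumptions.

```python
# Assumptions: the local recipient table, the high reject threshold Wolfgang
# describes, and a scoring stub standing in for the SpamAssassin call.
VALID_USERS = {"marcin@somedomain1.com"}
REJECT_SCORE = 10.0


def spam_score(body):
    """Constructed stand-in for the content filter; not SA's scoring."""
    return 12.0 if "DEAR WINNER" in body.upper() else 0.5


class Session:
    """Minimal SMTP receiver: the only policy points are RCPT (recipient
    validation, what chkuser/validrcptto add to qmail) and end-of-DATA
    (permanent reject on a high score).  Nothing is accepted-then-bounced."""

    def __init__(self, score=spam_score):
        self.score = score
        self.reset()

    def reset(self):
        self.rcpts, self.in_data, self.lines = [], False, []

    def handle(self, line):
        """Return the server reply for one client line (None inside DATA)."""
        if self.in_data:
            if line != ".":
                self.lines.append(line)
                return None
            self.in_data = False
            s = self.score("\n".join(self.lines))
            self.reset()
            if s >= REJECT_SCORE:                 # verdict during the session
                return "554 5.7.1 Message rejected as spam (score %.1f)" % s
            return "250 2.0.0 OK: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip("<> ").lower()
            if addr not in VALID_USERS:           # refuse before taking the body
                return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % addr
            self.rcpts.append(addr)
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "250 2.0.0 OK"                     # HELO, MAIL, RSET, ...


def replies(client_lines):
    """Drive one session with scripted client lines; return the server replies."""
    s, out = Session(), []
    for line in client_lines:
        r = s.handle(line)
        if r is not None:
            out.append(r)
    return out


if __name__ == "__main__":
    script = ["HELO client.example", "MAIL FROM:<someone@example.org>",
              "RCPT TO:<nobody@somedomain1.com>",       # unknown user: 550
              "RCPT TO:<marcin@somedomain1.com>", "DATA",
              "Subject: DEAR WINNER", "", "You have won.", ".",  # spam: 554
              "QUIT"]
    for c, r in zip([l for l in script if l != "." and not l.startswith("Subject")
                     and l not in ("", "You have won.")] + ["."], replies(script)):
        print("C:", c, "\nS:", r)
```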



Seeing Bayes token matches for an email

2008-05-23 Thread Bowie Bailey
I could have sworn that there was a way to do this, but I can't find it.
 
I have an email that does not look at all spammy to me.  On an account
where Bayes is trained manually (no auto-learn at all), it got marked
with BAYES_99.  Is there a way to see what tokens Bayes is keying on?  I
tried running it through spamassassin -D, but I didn't see it there.
 
Thanks
 
-- 
Bowie



Re: Spam in qmail queue

2008-05-23 Thread John Hardin

On Fri, 23 May 2008, Richard Frovarp wrote:


Marcin Praczko wrote:


 BUT if message is not SPAM - and user doesn't exist, bounce message
 should be send to sender.


Do not bounce! If the user does not exist, reject the message at SMTP 
time. Problem solved. If you accept the message, it is up to you to deal 
with it. Bouncing will just send messages back to people who don't 
deserve it. Look up joe jobbed.


In addition, behavior like that can get you blacklisted.

Marcin, please do not accept-then-bounce mail sent to nonexistent users or 
mail blocked for spamminess. You may find it increasingly difficult to 
communicate with the rest of the world, and you _will_ be hated.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If Microsoft made hammers, everyone would whine about how poorly
  screws were designed and about how they are hard to hammer in, and
  wonder why it takes so long to paint a wall using the hammer.
---
 2 days until the Mars Phoenix lander arrives at Mars


Re: Seeing Bayes token matches for an email

2008-05-23 Thread Theo Van Dinter
On Fri, May 23, 2008 at 12:29:21PM -0400, Bowie Bailey wrote:
 I have an email that does not look at all spammy to me.  On an account
 where Bayes is trained manually (no auto-learn at all), it got marked
 with BAYES_99.  Is there a way to see what tokens Bayes is keying on?  I
 tried running it through spamassassin -D, but I didn't see it there.

spamassassin -D bayes

It's too noisy for the standard debug output, but the bayes channel will give
you the full info.

-- 
Randomly Selected Tagline:
Eighty percent of married men cheat in America.  The rest cheat in Europe.
  - Jackie Mason




Re: Vars for Custom Plugins

2008-05-23 Thread Rick Duval
Sorry, didn't send the last email to the list as well.

Doesn't SpamAssassin have a standard routine somewhere to determine who an
email is for? It would seem like pretty basic stuff?

Rick

On Thu, May 22, 2008 at 11:38 AM, Theo Van Dinter [EMAIL PROTECTED]
wrote:

 [sending back to users@ list since it's generally useful info]

 On Thu, May 22, 2008 at 11:25:44AM -0400, Rick Duval wrote:
  One thing though, IF using to:addr I often get the name of the mailing
 list
  as opposed to the actual recipient. Is there a clean way to get that?

 It sounds like you want the envelope recipient, not the To header field.

 Unfortunately, there's no standard way to get that since each MTA does it
 differently, if that information is added at all.

 There should probably be a standard get() option that at least attempts
 to figure this out similar to EnvelopeFrom (feel free to open a bugzilla
 request about it), but in the mean time, looking at another function in
 PerMsgStatus that wants similar data (in no particular order):

 $self->get('To')                   # std
 $self->get('Cc')                   # std
 $self->get('Apparently-To')        # sendmail, from envelope
 $self->get('Delivered-To')         # Postfix, poss qmail
 $self->get('Envelope-Recipients')  # qmail: new-inject(1)
 $self->get('Envelope-To')          # exim
 $self->get('X-Envelope-To')        # procmailrc manpage
 $self->get('X-Delivered-To')       # procmail quick start
 $self->get('X-Original-To')        # procmail quick start
 $self->get('X-Rcpt-To')            # procmail quick start
 $self->get('X-Real-To')            # procmail quick start
 $self->get('Apparently-Resent-To') # procmailrc manpage

 Hope this helps. :)

 --
 Randomly Selected Tagline:
 I lost my foo.   - Theo



reject vs. delete

2008-05-23 Thread Jared Johnson

Hi,

The product I've been working with allows the user to set Rejection and 
Deletion thresholds, at which a message identified as spam will be 
rejected with 550 - Message is Spam etc., or accepted with 250 OK 
but dropped on the floor, respectively.  Historically it has been 
believed that if we have a high enough confidence that a message is 
spam, it is advantageous to pretend we have accepted the message in 
order to avoid allowing spammers to know whether their methods are 
working.  I have not verified anywhere that this practice really does 
have a negative impact on spammers.  This would especially be 
invalidated if most of the rest of the spam filtering world does not 
make use of 'delete' and simply issues rejections -- in that case, if 
the spammers don't get the information from me, they'll get it from the 
next guy.


I do know that having a delete threshold occasionally causes false 
positives to go undetected by end users.  That is a bit of a 
disadvantage.  The suggestion has also been raised that claiming to 
accept spam rather than rejecting it might invite spammers to send more 
spam your way.


Does anyone have any knowledge or opinions on these matters?  Does 
pretending to accept a message contribute to the fight against spam in 
some way?  Or does it invite more spam?  Is it worth it?


Jared Johnson
Software Developer and Support Engineer
Network Management Group, Inc.
620-664-6000 x118

--
Inbound and outbound email scanned for spam and viruses by the

DoubleCheck Email Manager: http://www.doublecheckemail.com


RE: Seeing Bayes token matches for an email

2008-05-23 Thread Bowie Bailey
Theo Van Dinter wrote:
 On Fri, May 23, 2008 at 12:29:21PM -0400, Bowie Bailey wrote:
  I have an email that does not look at all spammy to me.  On an
  account where Bayes is trained manually (no auto-learn at all), it
  got marked with BAYES_99.  Is there a way to see what tokens Bayes
  is keying on?  I tried running it through spamassassin -D, but I
  didn't see it there. 
 
 spamassassin -D bayes
 
 It's too noisy for the standard debug output, but the bayes channel
 will give you the full info.

I thought I already tried that.  Oh well...

That gives me the info, now how do I interpret it?

[26088] dbg: bayes: token 'fax' = 0.0466125715533146
[26088] dbg: bayes: token 'may' = 0.951423151521604
[26088] dbg: bayes: token 'send' = 0.947622860965791
[26088] dbg: bayes: token 'sent' = 0.0562793425809908

The numbers seem to go from 0 to 1.  Is 0 non-spammy and 1 spammy, or is
there more to it than that?  If that's the case, there are quite a few
common words that bayes doesn't seem to like.

-- 
Bowie


Re: reject vs. delete

2008-05-23 Thread Jari Fredriksson
 
 Does anyone have any knowledge or opinions on these
 matters?  Does pretending to accept a message contribute
 to the fight against spam in some way?  Or does it
 invite more spam?  Is it worth it? 
 

I accept all spam, and then (for higher spamminess automatically) report them 
through SpamCop. If I did not report them, I would reject them at once. No 
report, no idea to accept spam.

It depends.

For all spam I report, only one or two ISPs send a message back confirming a 
kill. So I have no idea if reporting via SpamCop helps in the fight or not. 
But that's what I do.


RE: Seeing Bayes token matches for an email

2008-05-23 Thread John Hardin

On Fri, 23 May 2008, Bowie Bailey wrote:


That gives me the info, now how do I interpret it?

   [26088] dbg: bayes: token 'fax' = 0.0466125715533146
   [26088] dbg: bayes: token 'may' = 0.951423151521604
   [26088] dbg: bayes: token 'send' = 0.947622860965791
   [26088] dbg: bayes: token 'sent' = 0.0562793425809908

The numbers seem to go from 0 to 1.  Is 0 non-spammy and 1 spammy, or is 
there more to it than that?  If that's the case, there are quite a few 
common words that bayes doesn't seem to like.


Remember, Bayes interprets tokens in relation to other tokens. Those 
high-scoring tokens may be high-scoring due to context.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority.-- Cringely, 4/8/2004
---
 2 days until the Mars Phoenix lander arrives at Mars
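
What those 0-to-1 token values turn into once Bayes combines them is easier to see in code than in the debug output. The block below is an added example, not code from this thread and not SpamAssassin's own implementation; it reimplements the Fisher/Robinson inverse chi-square combination (the family of method SpamAssassin's Bayes plugin uses, and the number the BAYES_nn rules bucket, e.g. BAYES_99 for a result of 0.99 or above) with no dependency beyond the standard library. The four token probabilities are the ones Bowie posted; the three extra tokens at the bottom ("lottery", "winner", "urgent") and their values are constructed, and the clamping epsilon is this example's own choice.

```python
import math

# Token probabilities quoted from `spamassassin -D bayes` in the thread above.
PAGE_TOKENS = {
    "fax":  0.0466125715533146,
    "may":  0.951423151521604,
    "send": 0.947622860965791,
    "sent": 0.0562793425809908,
}


def chi2q(x, dof):
    """Upper-tail probability P(X > x) of a chi-square variable with an even
    number of degrees of freedom, via the closed form
    exp(-x/2) * sum_{i < dof/2} (x/2)^i / i!  (no SciPy required)."""
    if dof <= 0 or dof % 2:
        raise ValueError("dof must be a positive even integer")
    m = x / 2.0
    term = math.exp(-m)
    total = term
    for i in range(1, dof // 2):
        term *= m / i
        total += term
    return min(1.0, max(0.0, total))


def combine(probs):
    """Fisher/Robinson inverse chi-square combination of per-token spam
    probabilities into one message probability in [0, 1]."""
    n = len(probs)
    if n == 0:
        return 0.5                       # no evidence either way
    eps = 1e-9                           # keep log() away from exactly 0 and 1
    clamped = [min(max(p, eps), 1.0 - eps) for p in probs]
    # Product of (1 - p): tiny when the tokens are spammy.
    ln_not_spam = sum(math.log(1.0 - p) for p in clamped)
    # Product of p: tiny when the tokens are hammy.
    ln_spam = sum(math.log(p) for p in clamped)
    s = 1.0 - chi2q(-2.0 * ln_not_spam, 2 * n)   # "spamminess"
    h = 1.0 - chi2q(-2.0 * ln_spam, 2 * n)       # "hamminess"
    return (s - h + 1.0) / 2.0


def explain(tokens):
    """Return (combined probability, tokens ranked by distance from 0.5),
    i.e. the same view the debug output gives, plus the number it adds up to."""
    ranked = sorted(tokens.items(), key=lambda kv: abs(kv[1] - 0.5), reverse=True)
    return combine(list(tokens.values())), ranked


if __name__ == "__main__":
    prob, ranked = explain(PAGE_TOKENS)
    for tok, p in ranked:
        print(f"{tok:>6}  {p:.4f}  {'spammy' if p > 0.5 else 'hammy'}")
    print(f"combined over the four posted tokens: {prob:.4f}")
    # Constructed: three strongly spammy tokens added to the same four.
    more = dict(PAGE_TOKENS, lottery=0.99, winner=0.98, urgent=0.97)
    print(f"with three constructed spammy tokens: {combine(list(more.values())):.4f}")
```

Run on just the four posted tokens the result sits at about 0.50: two tokens near 0.95 and two near 0.05 cancel, which is the "in relation to other tokens" point. A single 0.95 token therefore never produces BAYES_99 on its own; what pushes a message up is the surrounding tokens, and the full `-D bayes` listing is where those are found.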


Re: reject vs. delete

2008-05-23 Thread Aaron Wolfe
On Fri, May 23, 2008 at 3:00 PM, Jared Johnson [EMAIL PROTECTED] wrote:

 Hi,

 The product I've been working with allows the user to set Rejection and
 Deletion thresholds, at which a message identified as spam will be rejected
 with 550 - Message is Spam etc., or accepted with 250 OK but dropped on
 the floor, respectively.  Historically it has been believed that if we have
 a high enough confidence that a message is spam, it is advantageous to
 pretend we have accepted the message in order to avoid allowing spammers to
 know whether their methods are working.  I have not verified anywhere that
 this practice really does have a negative impact on spammers.  This would
 especially be invalidated if most of the rest of the spam filtering world
 does not make use of 'delete' and simply issues rejections -- in that case,
 if the spammers don't get the information from me, they'll get it from the
 next guy.

 I do know that having a delete threshold occasionally causes false
 positives to go undetected by end users.  That is a bit of a disadvantage.
  The suggestion has also been raised that claiming to accept spam rather
 than rejecting it might invite spammers to send more spam your way.

 Does anyone have any knowledge or opinions on these matters?  Does
 pretending to accept a message contribute to the fight against spam in
 some way?  Or does it invite more spam?  Is it worth it?



I prefer to follow the spirit if not the letter of the RFCs.  If I am not
going to take responsibility for a message, I reject it.

I do accept some things and quarantine them rather than put them into a
user's mailbox, but I never just throw anything away after saying I will
deliver it.

There are plenty of sites that do silently throw away mail, and plenty that
will reject.  Unless you are a *really* big site I really don't think
spammers are going to care what you do, if they notice at all.  I'd worry
more about the legitimate users and what happens to their mail in a false
positive situation.

-Aaron





Interesting data - but is it good for anything?

2008-05-23 Thread Marc Perkel
I started collecting host names where the registry barrier part of the 
FCrDNS is the same as the registry barrier part of the helo. I don't 
know what it's good for - if anything - but looking for ideas as to what 
to do with it. Just have a gut level feeling that I'm on to something here.





Re: How to get clarity on AWL?

2008-05-23 Thread Matt Kettler

Greg Troxel wrote:

A lot of my mail is tagged with AWL, and I am often baffled.  Here are
what I think are the relevant headers from a perplexing example:

  Return-Path: [EMAIL PROTECTED]
  X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on fnord.ir.bbn.com
  X-Spam-Status: Yes, score=6.8 required=1.0 tests=AWL,BAYES_95,DEAR_WINNER,
  HTML_MESSAGE,SUBJ_ALL_CAPS autolearn=spam version=3.2.4
  X-Spam-Report: 
  *  2.1 SUBJ_ALL_CAPS Subject is all capitals

  *  3.2 DEAR_WINNER BODY: DEAR_WINNER
  *  0.0 HTML_MESSAGE BODY: HTML included in message
  *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
  *  [score: 0.9582]
  * -1.5 AWL AWL: From: address is in the auto white-list
  From: AUSTRALIAN LOTTERY INTL [EMAIL PROTECTED]

Reading http://wiki.apache.org/spamassassin/AwlWrongWay, I realize I am
confused - this sender has a positive average, and this message was more
spammy, and thus given credit for somewhat-less-spammy previous mail.

I think I should be able to infer that, because this message was 8.3
before AWL and AWL was -1.5, the average is 5.3.  But if the message said

  * -1.5 AWL AWL: From: address is in the auto white-list at 5.3 for 12 
messages

it would make things easier to follow.  Plus, the AutoWhitelist wiki
entry says that the key is also IP address that the mail originated
at, and it would be nice to print that out, since it's non-obvious what
that means (last hop before trusted relay, or relying on maybe-forged
received lines?).
  
Agreed this would make things clearer.. either that or have a tag setup 
so you can add it to the report or an X-Spam-AWL header with these 
details, should you so choose.



Somewhat separately, the spamassassin program has options to manipulate
whitelist, blacklist:

 -W, --add-to-whitelist               Add addresses in mail to persistent address whitelist
     --add-to-blacklist               Add addresses in mail to persistent address blacklist
 -R, --remove-from-whitelist          Remove all addresses found in mail from persistent address list
     --add-addr-to-whitelist=addr     Add addr to persistent address whitelist
     --add-addr-to-blacklist=addr     Add addr to persistent address blacklist
     --remove-addr-from-whitelist=addr Remove addr from persistent address list

but I don't see any to print out the lists and scores for inspection,
and I'm unclear on the AWL vs persistent white/black lists.  I think it would 
make sense to have
  
All of the above pertains to the AWL only. Persistent white/black list 
entries in your local.cf or user_prefs will show up as separate rule 
hits like USER_IN_WHITELIST.



--print-whitelist
--print-blacklist
--print-autowhitelist

or perhaps only one is needed, and also

--lookup-in-whitelists=addr

to print the white/black/auto status of an address.
  
There is a tool that does this, but it's not included in the 
distribution. The check_whitelist script is available from the SVN.


http://svn.apache.org/repos/asf/spamassassin/branches/3.2/tools/check_whitelist

However, this tool is a bit crude, and it would be much nicer if this 
was all built into a separate sa-learn-like utility that handled AWL 
learning, forgetting and dumping.








Re: How to get clarity on AWL?

2008-05-23 Thread Chris
On Friday 23 May 2008 9:42 am, Greg Troxel wrote:
 A lot of my mail is tagged with AWL, and I am often baffled.  Here are
 what I think are the relevant headers from a perplexing example:

   Return-Path: [EMAIL PROTECTED]
   X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on fnord.ir.bbn.com
   X-Spam-Status: Yes, score=6.8 required=1.0 tests=AWL,BAYES_95,DEAR_WINNER,
   HTML_MESSAGE,SUBJ_ALL_CAPS autolearn=spam version=3.2.4
   X-Spam-Report:
   *  2.1 SUBJ_ALL_CAPS Subject is all capitals
   *  3.2 DEAR_WINNER BODY: DEAR_WINNER
   *  0.0 HTML_MESSAGE BODY: HTML included in message
   *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
   *  [score: 0.9582]
   * -1.5 AWL AWL: From: address is in the auto white-list
   From: AUSTRALIAN LOTTERY INTL [EMAIL PROTECTED]

 Reading http://wiki.apache.org/spamassassin/AwlWrongWay, I realize I am
 confused - this sender has a positive average, and this message was more
 spammy, and thus given credit for somewhat-less-spammy previous mail.

 I think I should be able to infer that, because this message was 8.3
 before AWL and AWL was -1.5, the average is 5.3.  But if the message
 said

   * -1.5 AWL AWL: From: address is in the auto white-list at 5.3
 for 12 messages

I use a little perl script that I got somewhere in 2004 that takes your AWL 
and makes a hashed and plain test version. The entries look like this:

7929be75889dbf08c8efc87d226a1974 2 82.058
[EMAIL PROTECTED]|ip=220.81 2 82.058

Here is the explanation from the script itself:

# The keys of this hash are like
# [EMAIL PROTECTED]|ip=213.41|totscore
# and the values are like
# 8.7472
# test with values(%hash); and keys(%hash);
# every mail address has two entries:
# e.g.
# [EMAIL PROTECTED]|ip=213.41|totscore
# [EMAIL PROTECTED]|ip=213.41
# where totscore is the over-all score (value) and the
# value of the second line is the count
# of mails received from this sender
# write this to a file one entry per line and nice it a little bit
# replace | with ' '
# do it with a hash of hashes, keys are mailaddresses, subkeys are totalscore and score
# IMPORTANT: Every time the hash is accessed it returns the value
# key triples in a different order
# (the triples not the keys and values itself of course)
# just in case you are wondering

If this is something like you're looking for I could post it at a download 
site.

-- 
Chris
KeyID 0xE372A7DA98E6705C
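
The arithmetic behind Greg's "the average is 5.3" inference, and the plain-text dump format Chris describes, side by side. This is an added example, not code from this thread and not SpamAssassin's own AWL code; it assumes the stock auto_whitelist_factor of 0.5 (the AWL pulls a message's score halfway toward the sender's historical mean), that the AWL records the pre-AWL score of each message in the sender's running total, and that the AWL key is the address plus the first two octets of the originating IP (the "ip=220.81" form in Chris's dump). The sample dump reuses the count/totscore pair and the hashed line from Chris's message; `sender@example.com` is a placeholder.

```python
import re

# Stock SpamAssassin default for auto_whitelist_factor (assumed here).
AWL_FACTOR = 0.5


def awl_delta(score_before_awl, mean_score, factor=AWL_FACTOR):
    """Points the AWL rule adds to a message: half the gap (by default)
    between the current score and the sender's historical mean.  A message
    spammier than the sender's usual gets a negative delta, a hammier one a
    positive delta; that is the AwlWrongWay effect Greg observed."""
    return (mean_score - score_before_awl) * factor


def mean_from_report(score_before_awl, awl_delta_seen, factor=AWL_FACTOR):
    """Invert awl_delta(): the only unknown in X-Spam-Report is the mean."""
    return score_before_awl + awl_delta_seen / factor


def update_history(count, totscore, score_before_awl):
    """What the AWL stores after scoring: the pre-AWL score joins the running
    total; the AWL's own adjustment is not fed back into the history."""
    return count + 1, totscore + score_before_awl


# One plain-text entry per line, as in Chris's dump: 'addr|ip=A.B count totscore'.
AWL_LINE = re.compile(
    r"^(?P<addr>\S+)\|ip=(?P<ip>\d+\.\d+)\s+(?P<count>\d+)\s+(?P<tot>-?\d+(?:\.\d+)?)\s*$"
)


def parse_awl_dump(text):
    """Parse the plain-text dump into {(addr, ip_prefix): {count, totscore, mean}}.
    Hashed-key lines (no '|ip=' part) and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = AWL_LINE.match(line.strip())
        if not m:
            continue
        count, tot = int(m["count"]), float(m["tot"])
        entries[(m["addr"], m["ip"])] = {
            "count": count,
            "totscore": tot,
            "mean": tot / count if count else 0.0,
        }
    return entries


# Constructed sample: numbers from Chris's dump, placeholder address.
SAMPLE_DUMP = """\
7929be75889dbf08c8efc87d226a1974 2 82.058
sender@example.com|ip=220.81 2 82.058
"""

if __name__ == "__main__":
    # Greg's message: 8.3 before AWL, AWL hit of -1.5  ->  historical mean 5.3.
    mean = mean_from_report(8.3, -1.5)
    print(f"mean implied by the report: {mean:.1f}")
    print("history after this message:", update_history(12, mean * 12, 8.3))
    for (addr, ip), e in parse_awl_dump(SAMPLE_DUMP).items():
        print(f"{addr} from {ip}.x.x: {e['count']} msgs, mean {e['mean']:.2f}, "
              f"delta for a 10.0-point message: {awl_delta(10.0, e['mean']):+.2f}")
```

The two-octet key is why a sender that previously arrived from the same /16 inherits its own history even when the exact IP changes, and why a forged From: address on its own does not match an existing entry unless the network also matches.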




RE: Temp fail not working...

2008-05-23 Thread Anthony Kamau
 -Original Message-
 From: Jari Fredriksson [mailto:[EMAIL PROTECTED]
 Sent: Friday, 23 May 2008 3:29 PM
 To: Anthony Kamau; users@spamassassin.apache.org
 Subject: Re: Temp fail not working...
 
 
 Do you have -x in your call to spamc?
 
 

Thanks for that.  I added that option to the startup script and restarted
spamc (service spamass-milter restart) then killed spamd (service
spamassassin stop).

Oddly enough, messages are still being delivered by sendmail!!!  I then
checked the process list and saw the following:

/usr/bin/spamd -d -c -m5 -H -x -q -u spambucket -r /var/run/spamd.pid
spamass-milter -p /var/run/spamass.sock -f -x

Further reading of `man spamc' revealed that option `-f' is non-existent (at
least not mentioned in my spamc man pages); there's only a `-F' option - so
why do I have this option that appears to do nothing for me?  Could it be
that it was meant to be `-F'?

Well, I removed that option from the startup script and on trying to start
the service, it hung indefinitely!  I then added `-F' in its place and I got
the following output:

###
[EMAIL PROTECTED] ~]# sudo /sbin/service spamass-milter start
Starting spamass-milter: spamass-milter: invalid option -- F
spamass-milter - Version 0.3.1
SpamAssassin Sendmail Milter Plugin
Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
  [-e defaultdomain] [-f] [-i networks] [-m] [-M]
  [-P pidfile] [-r nn] [-u defaultuser] [-x]
  [-- spamc args ]
   -p socket: path to create socket
   -b bucket: redirect spam to this mail address.  The orignal
  recipient(s) will not receive anything.
   -B bucket: add this mail address as a BCC recipient of spam.
   -d xx[,yy ...]: set debug flags.  Logs to syslog
   -D host: connect to spamd at remote host (deprecated)
   -e defaultdomain: pass full email address to spamc instead of just
  username.  Uses 'defaultdomain' if there was none
   -f: fork into background
   -i: skip (ignore) checks from these IPs or netblocks
  example: -i 192.168.12.5,10.0.0.0/8,172.16.0.0/255.255.0.0
   -m: don't modify body, Content-type: or Subject:
   -M: don't modify the message at all
   -P pidfile: Put processid in pidfile
   -r nn: reject messages with a score = nn with an SMTP error.
  use -1 to reject any messages tagged by SA.
   -u defaultuser: pass the recipient's username to spamc.
  Uses 'defaultuser' if there are multiple recipients.
   -x: pass email address through alias and virtusertable expansion.
   -- spamc args: pass the remaining flags to spamc.
   [FAILED]
[EMAIL PROTECTED] ~]#
###

This is when I realized that the man page falsely states what the `-x'
option does, and as seen above, there isn't even a -F option as stated in
the man pages.  From the above, it is clear what `-x' does:

-x: pass email address through alias and virtusertable expansion.

I also understand why, when I Ctrl-C'd out of the hung session, I
got the [OK] message; the process was not forking to the background!

So, is it that I have a real old version of spamass-milter?  Odd thing is
that I cannot find a newer version!!!


Puzzled,
AK.




Re: Temp fail not working...

2008-05-23 Thread Jari Fredriksson
 
 
 Do you have -x in your call to spamc?
 
 
 
 Thanks for that.  I added that option to the startup script and restarted
 spamc (service spamass-milter restart) then killed spamd (service
 spamassassin stop).
 
 Oddly enough, messages are still being delivered by sendmail!!!  I then
 checked the process list and saw the following:
 
 /usr/bin/spamd -d -c -m5 -H -x -q -u spambucket -r /var/run/spamd.pid
 spamass-milter -p /var/run/spamass.sock -f -x
 
 Further reading of `man spamc' revealed that option `-f' is non-existent (at
 least not mentioned in my spamc man pages); there's only a `-F' option - so
 why do I have this option that appears to do nothing for me?  Could it be
 that it was meant to be `-F'?
 
 Well, I removed that option from the startup script and on trying to start
 the service, it hung indefinitely!  I then added `-F' in its place and I got
 the following output:
 
 ###
 [EMAIL PROTECTED] ~]# sudo /sbin/service spamass-milter start
 Starting spamass-milter: spamass-milter: invalid option -- F
 spamass-milter - Version 0.3.1
 SpamAssassin Sendmail Milter Plugin
 Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
  [-e defaultdomain] [-f] [-i networks] [-m] [-M]
  [-P pidfile] [-r nn] [-u defaultuser] [-x]
  [-- spamc args ]
   -p socket: path to create socket
   -b bucket: redirect spam to this mail address.  The orignal
  recipient(s) will not receive anything.
   -B bucket: add this mail address as a BCC recipient of spam.
   -d xx[,yy ...]: set debug flags.  Logs to syslog
   -D host: connect to spamd at remote host (deprecated)
   -e defaultdomain: pass full email address to spamc instead of just
  username.  Uses 'defaultdomain' if there was none
   -f: fork into background
   -i: skip (ignore) checks from these IPs or netblocks
  example: -i 192.168.12.5,10.0.0.0/8,172.16.0.0/255.255.0.0
   -m: don't modify body, Content-type: or Subject:
   -M: don't modify the message at all
   -P pidfile: Put processid in pidfile
   -r nn: reject messages with a score = nn with an SMTP error.
  use -1 to reject any messages tagged by SA.
   -u defaultuser: pass the recipient's username to spamc.
  Uses 'defaultuser' if there are multiple recipients.
   -x: pass email address through alias and virtusertable expansion.
   -- spamc args: pass the remaining flags to spamc.
   [FAILED]
 [EMAIL PROTECTED] ~]#
 ###
 
 This is when I realized that the man page falsely states what the `-x'
 option does, and as seen above, there isn't even a -F option as stated in
 the man pages.  From the above, it is clear what `-x' does:
 
 -x: pass email address through alias and virtusertable expansion.
 
 I also understand why, when I Ctrl-C'd out of the hung session, I
 got the [OK] message; the process was not forking to the background!
 
 So, is it that I have a real old version of spamass-milter?  Odd thing is
 that I cannot find a newer version!!!
 
 
 Puzzled,
 AK.
 
 


Hey! Do not mix options for spamc and spamass-milter! Put all the options back 
as they were, and then

(I do not know spamass-milter, but your message has the help in it!)

add 

-- -x

to the end of the milter call. See the last line of the milter usage:
   -- spamc args: pass the remaining flags to spamc.

-x for milter is different from -x for spamc! Same goes with -f and -F !!
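
The mechanism Jari is describing is ordinary getopt-style parsing: the milter consumes its own option letters, stops at "--", and passes the rest to spamc untouched, so the same letter means two different things on the two sides of the "--". The shell block below is an added illustration, not spamass-milter's own source; the option string is taken from the usage text quoted above (letters followed by ":" take an argument), and the descriptive labels it prints ("socket=", "fork", "alias-expansion", "reject-at=") are this example's own.

```sh
#!/bin/sh
# Added illustration of how a getopts loop splits a spamass-milter command line.
# Not the milter's own code; option letters copied from its usage text above.

parse_milter_cmdline() {
  OPTIND=1
  milter=""
  # p,b,B,d,D,e,i,P,r,u take an argument; f,m,M,x are flags.
  while getopts "p:b:B:d:D:e:fi:mMP:r:u:x" opt "$@"; do
    case "$opt" in
      p) milter="$milter socket=$OPTARG" ;;
      f) milter="$milter fork" ;;
      r) milter="$milter reject-at=$OPTARG" ;;
      x) milter="$milter alias-expansion" ;;      # the milter's -x, not spamc's
      m|M) milter="$milter $opt" ;;
      \?) return 1 ;;                              # unknown letter such as -F: usage error
      *) milter="$milter $opt=$OPTARG" ;;
    esac
  done
  shift $((OPTIND - 1))                            # drop parsed options and the "--" itself
  # Everything left is what the milter would hand to spamc.
  printf 'milter:%s | spamc: %s\n' "$milter" "$*"
}

# The corrected invocation from the reply above: the milter's -x, then spamc's -x.
parse_milter_cmdline -p /var/run/spamass.sock -f -x -- -x
```

Run as-is it prints `milter: socket=/var/run/spamass.sock fork alias-expansion | spamc: -x`; with "-F" anywhere before the "--" the loop hits the unknown-option branch and fails, which is exactly the "invalid option -- F" Anthony saw. Note also that "-x" before the "--" is what turns on alias and virtusertable expansion, and dropping "-f" is what left the daemon in the foreground.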






RE: Temp fail not working...

2008-05-23 Thread Anthony Kamau
 -Original Message-
 From: Jari Fredriksson [mailto:[EMAIL PROTECTED]
 Sent: Saturday, 24 May 2008 12:54 PM
 To: Anthony Kamau; users@spamassassin.apache.org
 Subject: Re: Temp fail not working...
 
 Hey! Do not mix options for spamc and spamass-milter! Put all the options
 back as they were, and then
 

Thanks for setting me on the straight and narrow.  I now clued in on what
I'm doing wrong!

Cheers,
AK.