Re: How to use private rules?
Michelle Konzack writes:

> On 2008-05-21 10:53:40, Bob Proulx wrote:
>> Michelle Konzack wrote:
>>> Because of an experience from last Friday, where I hit the limits of my hosting provider's mailserver (over 4000 messages stuck in the queue), I already lock the ~/.procmailrc to let only one message be processed at a time per $USER.
>> You are serializing now? Or you wish to serialize?
> I am already using LOCKFILE=~/.procmailrc.lock at the beginning of the file to serialize the incoming messages, and this already throttles the whole thing. A CPU load of 100% is not really funny.
>
> But now if I use spamc we cannot use private rules, which we need, and AFAIK ":0fw * 25 |/usr/bin/spamassassin" should not be used. What to do now to run spamassassin safely?

Sorry, I must have missed something. This sounds like you want to use allow_user_rules -- is there a problem with using that?

--j.
Spam in qmail queue
Hi,

I am not sure that I am writing to the correct list, but maybe you will help me.

On one of my servers qmail has been installed, with SpamAssassin and qmail-scanner. There are several virtual domains, and the spam filter is working quite OK. But I have some messages which I am worried about.

For example: on the server is the domain somedomain1.com. Somebody sends SPAM to [EMAIL PROTECTED], and:
- SpamAssassin marks it as SPAM (which is correct)
- But the user doesn't exist on somedomain1.com (it happens)
- So qmail stores this mail in the queue as long as it can.

My question is, what is the best practice and how can I configure the following scenario:

Scenario: SpamAssassin marks the message as SPAM, qmail tries to deliver that message to a non-existent user, and if the user does not exist the message is deleted. BUT if the message is not SPAM and the user doesn't exist, a bounce message should be sent to the sender.

Thank you very much for your help.

Marcin Praczko

No virus found in this outgoing message. Checked by AVG. Version: 7.5.524 / Virus Database: 269.24.0/1461 - Release Date: 22/05/2008 16:44
Re: can we make AWL ignore mail from self to self?
Jo Rhett wrote:
>>> Lots of users of this host have Windows PCs,
>> Another way to do it would be to use different AWLs, or disabling AWL, for mail from your own users (either authenticated or locally submitted).
> This makes a lot of sense to me. Have no users of my own except me ;-) And disabling AWL entirely is again a hack. Let's focus on a fix.

1: Just read it as if, when I said "your own users", I meant the users of the host in question (the ones you mention above). More specifically, the users using your host as an MSA (authenticated or locally).

2: I never suggested disabling the AWL entirely. I suggested disabling it for the above mentioned users. I also suggested (and this is preferable to disabling it in my opinion) to separate the AWL so that you use one AWL for mail from the above mentioned users and another for unauthenticated mail from external relays.

Is there any specific reason you do not want to use two different AWLs for those two different types of traffic?

>> A more involved change would be to have the AWL store the authentication state as well as mail address and relay IP/16. When scanning mail from your own users using the same AWL database as for mail to your users, this seems necessary to me.
> Again, this seems to be a lot of work for no real gain. What I have proposed makes sense for widespread use. Why hack/slash/burn when a good fix would improve it for everyone?

In case you haven't noticed it, your suggestion is not seen as a good fix for the problem by everyone. I was merely suggesting other ways to go about this. If you wish other people to implement/accept something that fixes your problem and you can't convince them that your own ideas are good, it may be that alternative means of fixing the problem are seen as better and therefore stand a bigger chance of being implemented/accepted.

I am not, however, trying to stop you from implementing ignoring self-self mail by the AWL. If you do implement your fix and submit it, please make it an option.
I for one would turn it off since it would not improve things here. Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: Starting a URIBL - Howto? [OT]
Dallas Engelken wrote:
> No, you're right, that's not fair. If I compare only recent reactive listings, minus the subdomain hosters that we list, you hit about 60% whereas before it was more like 27%.
>
> ivmURI stats from last 5000 URIBL black listings - 2981 hits - 2019 misses

Dallas,

I've made some recent *substantial* improvements to ivmURI. (1) I've added *several* new spam sources... it was always a weakness of ivmURI that the raw data that fed ivmURI wasn't wide enough. That incoming data is much wider now! ...and... (2) I improved ivmSIP's response time (previously, it was getting bogged down in some auditing tasks that were delaying writes to the rsync files... that has been fixed).

RESULTS... stats from 5/23/2008 (a few minutes ago):
- 322/500 (ivmURI hits from the latest 500 URIBL listings) (whereas a couple of tests in April showed 186/500 and 225/500)
- 301/500 (URIBL hits from the latest 500 ivmURI listings)

NOTE: to compare apples-to-apples, subdomain listings in URIBL were removed.

Let me know if you'd like a snapshot of ivmURI for your own analysis of these latest improvements.

ALSO... In spite of your off-list explanation, I'm STILL confused about what you mean when you refer to URIBL's *pro-active listings*??? You must be either referring to: (A) Listings *currently* in URIBL-GOLD, but *not* *yet* in URIBL-BLACK --or-- (B) Listings *currently* in URIBL-BLACK which were *previously* listed in URIBL-GOLD. Which is it? A or B? (or something else?)

OF COURSE: The silly part about all these stats is that the *superior* comparison between DNSBLs is hit rates on spams sent to mail servers combined with low FP rates. It is possible for a DNSBL to have far fewer listings, but, in real world testing, hit on higher numbers of spams with fewer FPs.

Rob McEwen
Re: Spam in qmail queue
As this really is a qmail question, if you don't get any answers here, I'd suggest posting to a qmail forum.

Marcin Praczko wrote:
> Hi,
>
> I am not sure that I am writing to the correct list, but maybe you will help me.
>
> On one of my servers qmail has been installed, with SpamAssassin and qmail-scanner. There are several virtual domains, and the spam filter is working quite OK. But I have some messages which I am worried about.
>
> For example: on the server is the domain somedomain1.com. Somebody sends SPAM to [EMAIL PROTECTED], and:
> - SpamAssassin marks it as SPAM (which is correct)
> - But the user doesn't exist on somedomain1.com (it happens)
> - So qmail stores this mail in the queue as long as it can.
>
> My question is, what is the best practice and how can I configure the following scenario:
>
> Scenario: SpamAssassin marks the message as SPAM, qmail tries to deliver that message to a non-existent user, and if the user does not exist the message is deleted. BUT if the message is not SPAM and the user doesn't exist, a bounce message should be sent to the sender.
>
> Thank you very much for your help.
>
> Marcin Praczko
Re: Spam in qmail queue
Marcin Praczko wrote:
> Hi,
>
> I am not sure that I am writing to the correct list, but maybe you will help me.
>
> On one of my servers qmail has been installed, with SpamAssassin and qmail-scanner. There are several virtual domains, and the spam filter is working quite OK. But I have some messages which I am worried about.
>
> For example: on the server is the domain somedomain1.com. Somebody sends SPAM to [EMAIL PROTECTED], and:
> - SpamAssassin marks it as SPAM (which is correct)
> - But the user doesn't exist on somedomain1.com (it happens)
> - So qmail stores this mail in the queue as long as it can.
>
> My question is, what is the best practice and how can I configure the following scenario:
>
> Scenario: SpamAssassin marks the message as SPAM, qmail tries to deliver that message to a non-existent user, and if the user does not exist the message is deleted. BUT if the message is not SPAM and the user doesn't exist, a bounce message should be sent to the sender.
>
> Thank you very much for your help.
>
> Marcin Praczko

Do not bounce! If the user does not exist, reject the message at SMTP time. Problem solved. If you accept the message, it is up to you to deal with it. Bouncing will just send messages back to people who don't deserve it. Look up "joe jobbed".
[OT] Spam in qmail queue
> Somebody sends SPAM to [EMAIL PROTECTED], and:
> - SpamAssassin marks it as SPAM (which is correct)
> - But the user doesn't exist on somedomain1.com (it happens)
> - So qmail stores this mail in the queue as long as it can.
>
> My question is, what is the best practice and how can I configure the following scenario:
>
> Scenario: SpamAssassin marks the message as SPAM, qmail tries to deliver that message to a non-existent user, and if the user does not exist the message is deleted. BUT if the message is not SPAM and the user doesn't exist, a bounce message should be sent to the sender.
>
> Thank you very much for your help.

Hi,

You want the qmail chkuser patch http://www.interazioni.it/opensource/chkuser/ or the validrcptto patch. I believe most people use the chkuser patch.

Regards,
Rick
Re: Spam in qmail queue
Marcin Praczko wrote:
> - SpamAssassin marks it as SPAM (which is correct)
> - But the user doesn't exist on somedomain1.com (it happens)
> - So qmail stores this mail in the queue as long as it can.

Do you have any special reason to receive mail for users that don't exist?

> My question is, what is the best practice and how can I configure the following scenario:

The best practice is to never accept messages to non-existent users.

Regards
/Jonas

-- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Directory Harvest Attack
I am undergoing a massive directory harvest attack. Is there a good set of rules that will help stop this or a place anyone could point me. Best Regards, Jason Holbrook Chief Technology Integrator / Partner Empower Information Systems [EMAIL PROTECTED] weblog.empoweris.com http://weblog.empoweris.com/ www.empoweris.com Skype: holbrook.jason Gtalk: jaholbrook 757-320-2667 (Direct) 757-273-9399 (office) 757-715-1944 (cell) 866-477-1544 (toll free) This message is being sent by or on behalf of Empower Information Systems. It is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender Jason Holbrook immediately by e-mail [EMAIL PROTECTED] and delete all copies of this message. Empower Information Systems operates under a zero spam policy. If you believe this message to be spam, please contact [EMAIL PROTECTED]
Testing DNSRBLs using SA
Good morning all,

I am trying to use SA to test a DNSBL and I am not having any luck getting the rule to hit. I've looked through 20_dnsbl_tests.cf, and read the appropriate section in the docs.

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings

Here is what I have currently,

header   RCVD_IN_SIP  eval:check_rbl('sip', 'sip.invaluement.com.')
describe RCVD_IN_SIP  sender is known in Invaluement list
tflags   RCVD_IN_SIP  net
score    RCVD_IN_SIP  0.01

And yes, when I query my rbldnsd server from the server running SA with an IP known to be in the list, I do get the proper response.

Anyone see a flaw in this concept?

Thanks,

DAve

-- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.
How to get clarity on AWL?
A lot of my mail is tagged with AWL, and I am often baffled. Here are what I think are the relevant headers from a perplexing example:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on fnord.ir.bbn.com
X-Spam-Status: Yes, score=6.8 required=1.0 tests=AWL,BAYES_95,DEAR_WINNER,HTML_MESSAGE,SUBJ_ALL_CAPS autolearn=spam version=3.2.4
X-Spam-Report:
 *  2.1 SUBJ_ALL_CAPS Subject is all capitals
 *  3.2 DEAR_WINNER BODY: DEAR_WINNER
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
 *      [score: 0.9582]
 * -1.5 AWL AWL: From: address is in the auto white-list
From: AUSTRALIAN LOTTERY INTL [EMAIL PROTECTED]

Reading http://wiki.apache.org/spamassassin/AwlWrongWay, I realize I am confused - this sender has a positive average, and this message was more spammy, and thus given credit for somewhat-less-spammy previous mail. I think that I should be able to infer that because this message was 8.3 before AWL, and AWL was -1.5, that the average is 5.3. But if the message said

 * -1.5 AWL AWL: From: address is in the auto white-list at 5.3 for 12 messages

it would make things easier to follow. Plus, the AutoWhitelist wiki entry says that the key is also the IP address that the mail originated at, and it would be nice to print that out, since it's non-obvious what that means (last hop before trusted relay, or relying on maybe-forged Received lines?).

Somewhat separately, the spamassassin program has options to manipulate the whitelist and blacklist:

  -W, --add-to-whitelist                 Add addresses in mail to persistent address whitelist
      --add-to-blacklist                 Add addresses in mail to persistent address blacklist
  -R, --remove-from-whitelist            Remove all addresses found in mail from persistent address list
      --add-addr-to-whitelist=addr       Add addr to persistent address whitelist
      --add-addr-to-blacklist=addr       Add addr to persistent address blacklist
      --remove-addr-from-whitelist=addr  Remove addr from persistent address list

but I don't see any to print out the lists and scores for inspection, and I'm unclear on the AWL vs persistent white/black lists. I think it would make sense to have

  --print-whitelist
  --print-blacklist
  --print-autowhitelist

or perhaps only one is needed, and also

  --lookup-in-whitelists=addr

to print the white/black/auto status of an address.
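The arithmetic behind the AWL line above can be checked with a small model of the auto-whitelist. This is an added example, not code from the post or from SpamAssassin; it re-implements the adjustment as documented for SA 3.2 under two assumptions not stated on the page: the default auto_whitelist_factor of 0.5, and an IPv4 key of the form "address|ip=first.two" (the /16 the wiki entry refers to). With those, a sender whose 12 earlier messages averaged 5.3 gets exactly the -1.5 seen in the header when a message scores 8.3, and the final score is the 6.8 in X-Spam-Status.

```python
"""Model of SpamAssassin's auto-whitelist (AWL) score adjustment.

Added example, not SpamAssassin's own code. Assumptions (not stated on the page):
auto_whitelist_factor is the default 0.5, the key is the lower-cased address plus
the /16 of the originating relay, and the stored mean is (total score / count)
over the messages seen *before* the current one.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

AWL_FACTOR = 0.5  # SpamAssassin default auto_whitelist_factor (assumed unchanged)


def awl_key(addr: str, ip: Optional[str]) -> str:
    """Lookup key: lower-cased address plus the first two octets of the relay IP."""
    addr = addr.strip().lower()
    if ip is None:
        return f"{addr}|ip=none"
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected dotted-quad IPv4 address, got {ip!r}")
    return f"{addr}|ip={octets[0]}.{octets[1]}"


def infer_mean(pre_awl_score: float, awl_delta: float) -> float:
    """Recover the stored mean from a header that shows only the AWL delta.

    delta = (mean - score) * factor  =>  mean = score + delta / factor
    """
    return pre_awl_score + awl_delta / AWL_FACTOR


@dataclass
class AutoWhitelist:
    """In-memory stand-in for the AWL database: key -> (count, total score)."""
    entries: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def mean(self, key: str) -> Optional[float]:
        count, total = self.entries.get(key, (0, 0.0))
        return total / count if count else None

    def check(self, addr: str, ip: Optional[str], score: float) -> Tuple[float, float]:
        """Return (adjustment, adjusted score) and then record this message.

        The adjustment pulls the score part-way (AWL_FACTOR) toward the sender's
        historical mean: a sender with a low mean is credited on a spammy message,
        a sender with a high mean is penalised on a clean-looking one. A sender
        never seen before gets no adjustment.
        """
        key = awl_key(addr, ip)
        mean = self.mean(key)
        delta = 0.0 if mean is None else (mean - score) * AWL_FACTOR
        count, total = self.entries.get(key, (0, 0.0))
        self.entries[key] = (count + 1, total + score)
        return delta, score + delta


if __name__ == "__main__":
    awl = AutoWhitelist()
    for _ in range(12):  # twelve earlier lottery mails averaging 5.3
        awl.check("winner@example.com", "192.0.2.10", 5.3)
    delta, final = awl.check("winner@example.com", "192.0.2.10", 8.3)
    print(f"AWL delta {delta:+.1f}, final score {final:.1f}, stored mean was "
          f"{infer_mean(8.3, delta):.1f}")
```

The model also shows why the wiki page calls this "the wrong way" to think of a whitelist: the same sender would be pushed *up* toward 5.3 on a message that scored 2.0, so a spammer's history raises, not lowers, the score of their rare clean mail.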
Re: Testing DNSRBLs using SA
On Fri, 23 May 2008 at 10:32 -0400, [EMAIL PROTECTED] confabulated:
> Good morning all,
>
> I am trying to use SA to test a DNSBL and I am not having any luck getting the rule to hit. I've looked through 20_dnsbl_tests.cf, and read the appropriate section in the docs.
>
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings
>
> Here is what I have currently,
>
> header   RCVD_IN_SIP  eval:check_rbl('sip', 'sip.invaluement.com.')
> describe RCVD_IN_SIP  sender is known in Invaluement list
> tflags   RCVD_IN_SIP  net
> score    RCVD_IN_SIP  0.01
>
> And yes, when I query my rbldnsd server from the server running SA with an IP known to be in the list, I do get the proper response.
>
> Anyone see a flaw in this concept?

To me that rule looks fine. Perhaps your testing is completely within your trusted path? Feed the message to SpamAssassin with the -D debug switch to see for sure.
Re: Spam in qmail queue
>> Marcin Praczko wrote:
>>> - SpamAssassin marks it as SPAM (which is correct)
>>> - But the user doesn't exist on somedomain1.com (it happens)
>>> - So qmail stores this mail in the queue as long as it can.
>>
>> Do you have any special reason to receive mail for users that don't exist?
>>
>>> My question is, what is the best practice and how can I configure the following scenario:
>>
>> The best practice is to never accept messages to non-existent users.

Agreed. There is no reason to accept then bounce. That's == backscatter. Either REJECT or DISCARD.

- Sahil
Re: Testing DNSRBLs using SA
DAve wrote:
> I am trying to use SA to test a DNSBL
> <SNIP>

PLEASE--note that direct queries to the invaluement.com DNSBLs will *always* fail. These are *only* available via RSYNC. So please don't try to add SIP to your RBL list... it won't work!!! (Dave knows this... I'm just mentioning this for others' benefit.)

<embarrassed>and I'm not sure what the problem is with Dave's config. I use SA for some spam filtering tasks. But most of my own spam filtering is custom written and, therefore, I don't use SA for DNSBL lookups... which is why I'm sometimes caught off-guard regarding SA's dnsbl implementations.</embarrassed>

Rob McEwen
RE: Testing DNSRBLs using SA
> I am trying to use SA to test a DNSBL and I am not having any luck getting the rule to hit. I've looked through 20_dnsbl_tests.cf, and read the appropriate section in the docs.
>
> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings
>
> Here is what I have currently,
>
> header   RCVD_IN_SIP  eval:check_rbl('sip', 'sip.invaluement.com.')
> describe RCVD_IN_SIP  sender is known in Invaluement list
> tflags   RCVD_IN_SIP  net
> score    RCVD_IN_SIP  0.01
>
> And yes, when I query my rbldnsd server from the server running SA with an IP known to be in the list, I do get the proper response.
>
> Anyone see a flaw in this concept?
>
> Thanks,
> Dave

Dave

If you are really trying to probe the local sip zone data, make it local and create a local zone with a name something like sip.invaluement.local, not .com. Even though it might work, it creates confusion... even though you can be local, your name servers are not authoritative for the invaluement.com zone.

Next, as I understand it, the sip zone is IP addresses only. Is that what you are trying to check?

You can also look at the rbldnsd logs to see what is happening as well.

- rh
Re: Testing DNSRBLs using SA
Rob McEwen wrote:
> DAve wrote:
>> I am trying to use SA to test a DNSBL
>> <SNIP>
>
> PLEASE--note that direct queries to the invaluement.com DNSBLs will *always* fail. These are *only* available via RSYNC. So please don't try to add SIP to your RBL list... it won't work!!! (Dave knows this... I'm just mentioning this for others' benefit.)
>
> <embarrassed>and I'm not sure what the problem is with Dave's config. I use SA for some spam filtering tasks. But most of my own spam filtering is custom written and, therefore, I don't use SA for DNSBL lookups... which is why I'm sometimes caught off-guard regarding SA's dnsbl implementations.</embarrassed>

Sorry Rob, I should have mentioned that so no one tried to duplicate my rule and test it.

DAve

-- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.
Re: Directory Harvest Attack
Jason Holbrook wrote:
> I am undergoing a massive directory harvest attack. Is there a good set of rules that will help stop this or a place anyone could point me.

Assuming you are doing the obvious things, like not accepting mail for non-existent users, and using whatever tweaks are available in your MTA (bad recipient throttle, etc), an IDS like ossec will help. (free) http://ossec.net/

It'll block using the system firewall if an IP hits your machine more than a few times causing log entries that it triggers on. There are default rules for common MTAs.

Ken

-- Ken Anderson Pacific.Net
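The detection half of what Ken describes (count the "unknown recipient" log entries an IP causes inside a short window, then hand the offenders to the firewall) is small enough to show. This is an added example, not part of the thread and not OSSEC's rule set; the log lines are constructed in Postfix style, so the regex is an assumption and must be adapted to whatever the MTA in use actually logs (qmail, Exim and sendmail all word their rejections differently). Blocking itself is left to whatever the host uses (OSSEC's active response, iptables, fail2ban); the function only returns the IPs that crossed the threshold.

```python
"""Directory-harvest detector over MTA rejection logs.

Added example, not OSSEC's or any MTA's code. Sample lines are constructed in
Postfix "Recipient address rejected: User unknown" style (assumption).
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable

# Constructed sample log: 192.0.2.10 probes four names inside five seconds,
# then one more much later; a legitimate peer mistypes one old address.
SAMPLE_LOG = """\
May 23 10:00:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@evil.example>
May 23 10:00:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@evil.example>
May 23 10:00:02 mx postfix/smtpd[1235]: 1A2B3C: client=mail.partner.example[198.51.100.5]
May 23 10:00:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@evil.example>
May 23 10:00:04 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.5]: 550 5.1.1 <old-colleague@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example>
May 23 10:00:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@evil.example>
May 23 10:09:00 mx postfix/smtpd[1237]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alex@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@evil.example>
"""

# Matches only unknown-recipient rejections; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*User unknown"
)


def parse_ts(ts: str, year: int = 2008) -> datetime:
    """Syslog timestamps carry no year; a fixed one is assumed here."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def harvest_offenders(log_lines: Iterable[str], threshold: int = 4,
                      window_s: int = 60) -> Dict[str, int]:
    """Return {ip: peak_count} for IPs that caused >= threshold unknown-user
    rejections within any window_s-second window.

    One deque of timestamps per IP acts as a sliding window, so an old burst
    that has aged out does not keep an IP flagged and memory stays bounded.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    offenders: Dict[str, int] = {}
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, t = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while q and (t - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, n in harvest_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: {n} unknown-recipient rejects inside 60s")
```

The partner host that got a single unknown-user reject is not flagged, which is the property to keep: a threshold on rejections per IP per window separates a harvester from a correspondent with a stale address book, whereas blocking on any reject at all would cut off legitimate peers.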
Re: Testing DNSRBLs using SA
D Hill wrote:
> On Fri, 23 May 2008 at 10:32 -0400, [EMAIL PROTECTED] confabulated:
>> Good morning all,
>>
>> I am trying to use SA to test a DNSBL and I am not having any luck getting the rule to hit. I've looked through 20_dnsbl_tests.cf, and read the appropriate section in the docs.
>>
>> http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html#rule_definitions_and_privileged_settings
>>
>> Here is what I have currently,
>>
>> header   RCVD_IN_SIP  eval:check_rbl('sip', 'sip.invaluement.com.')
>> describe RCVD_IN_SIP  sender is known in Invaluement list
>> tflags   RCVD_IN_SIP  net
>> score    RCVD_IN_SIP  0.01
>>
>> And yes, when I query my rbldnsd server from the server running SA with an IP known to be in the list, I do get the proper response.
>>
>> Anyone see a flaw in this concept?
>
> To me that rule looks fine. Perhaps your testing is completely within your trusted path? Feed the message to SpamAssassin with the -D debug switch to see for sure.

That is how I have been testing it.

spamassassin -D < test-mail 2>&1 | grep invaluement

No joy, no real clue where to check next. Here is a link to the rule, message, and results from spamassassin debug.

http://pixelhammer.com/Dan/dnsbl_rule_test.txt

DAve

-- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.
Re: Testing DNSRBLs using SA
DAve wrote:
> D Hill wrote:
>> To me that rule looks fine. Perhaps your testing is completely within your trusted path? Feed the message to SpamAssassin with the -D debug switch to see for sure.
>
> That is how I have been testing it.
>
> spamassassin -D < test-mail 2>&1 | grep invaluement
>
> No joy, no real clue where to check next. Here is a link to the rule, message, and results from spamassassin debug.
>
> http://pixelhammer.com/Dan/dnsbl_rule_test.txt

PEBKAC!

#skip_rbl_checks 1

Works now.

DAve

-- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.
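Both things that can make a correct check_rbl rule "never hit" in this thread (the test message having no relay outside trusted_networks, and skip_rbl_checks being set) are easy to see in a model of the lookup. This is an added example, not SpamAssassin's check_rbl and not part of the thread: it builds the reversed-octet query name the way a DNSBL client does, resolves it against a constructed stub zone standing in for a local rbldnsd, and only queries relays outside the trusted networks. Which 127.0.0.x answer the real ivmSIP zone returns is not on the page, so treating any 127.* answer as "listed" is an assumption.

```python
"""DNSBL lookup model: query-name construction, trusted-path filtering, and
the skip_rbl_checks short-circuit.

Added example, not SpamAssassin code. STUB_ZONE is a constructed stand-in for
a local rbldnsd instance; any 127.* answer is treated as a listing (assumption).
"""
import ipaddress
from typing import Callable, Dict, List, Set


def dnsbl_qname(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    rev = ".".join(reversed(ip.split(".")))
    return f"{rev}.{zone.rstrip('.')}"


# Constructed zone: one listed address. A real rbldnsd zone would serve this.
STUB_ZONE: Dict[str, List[str]] = {
    "10.2.0.192.sip.invaluement.com": ["127.0.0.2"],
}


def stub_resolver(qname: str) -> List[str]:
    """Stand-in for an A-record lookup; an empty list means NXDOMAIN."""
    return STUB_ZONE.get(qname, [])


def untrusted_relays(relays: List[str], trusted_networks: List[str]) -> List[str]:
    """Relays that are candidates for a lookup: those outside trusted_networks.

    This is the "completely within your trusted path" case from the thread: a
    message whose every Received hop is trusted yields nothing to query.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [r for r in relays
            if not any(ipaddress.ip_address(r) in n for n in nets)]


def check_rbl(relays: List[str], zone: str, trusted_networks: List[str],
              resolve: Callable[[str], List[str]] = stub_resolver,
              skip_rbl_checks: bool = False) -> Set[str]:
    """Return the relay IPs listed in `zone` (empty if skipped or nothing queried)."""
    if skip_rbl_checks:  # the setting that silently disabled DAve's rule
        return set()
    hits: Set[str] = set()
    for ip in untrusted_relays(relays, trusted_networks):
        answers = resolve(dnsbl_qname(ip, zone))
        if any(a.startswith("127.") for a in answers):
            hits.add(ip)
    return hits


if __name__ == "__main__":
    relays = ["10.0.0.5", "192.0.2.10"]  # constructed Received chain, newest first
    print("hits:", check_rbl(relays, "sip.invaluement.com.", ["10.0.0.0/8"]))
    print("all-trusted:", check_rbl(relays, "sip.invaluement.com.", ["0.0.0.0/0"]))
```

When a rule like DAve's does not fire, the two checks worth doing in this order are: confirm at least one relay in the test message falls outside trusted_networks/internal_networks, and grep the effective configuration for skip_rbl_checks before suspecting the zone.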
Re: Spam in qmail queue
> Hi,
>
> I am not sure that I am writing to the correct list, but maybe you will help me.
>
> On one of my servers qmail has been installed, with SpamAssassin and qmail-scanner. There are several virtual domains, and the spam filter is working quite OK. But I have some messages which I am worried about.
>
> For example: on the server is the domain somedomain1.com. Somebody sends SPAM to [EMAIL PROTECTED], and:
> - SpamAssassin marks it as SPAM (which is correct)
> - But the user doesn't exist on somedomain1.com (it happens)
> - So qmail stores this mail in the queue as long as it can.
>
> My question is, what is the best practice and how can I configure the following scenario:
>
> Scenario: SpamAssassin marks the message as SPAM, qmail tries to deliver that message to a non-existent user, and if the user does not exist the message is deleted. BUT if the message is not SPAM and the user doesn't exist, a bounce message should be sent to the sender.
>
> Thank you very much for your help.
>
> Marcin Praczko

Hi Marcin,

you can modify qmail-scanner to exit with an error code if the spam score is over a given value (usually higher than the default score, e.g. 10 rather than 5). Unpatched qmail would return - during the SMTP session, not as a bounce - an "administratively prohibited" message to the sender. It is straightforward to add a new exit value to qmail and have that tell the sender that their message was considered spam.

You can do this right away, but you are still encouraged to install whatever matches your system setup and rejects mail to non-existent users.

Wolfgang
Seeing Bayes token matches for an email
I could have sworn that there was a way to do this, but I can't find it. I have an email that does not look at all spammy to me. On an account where Bayes is trained manually (no auto-learn at all), it got marked with BAYES_99. Is there a way to see what tokens Bayes is keying on? I tried running it through spamassassin -D, but I didn't see it there. Thanks -- Bowie
Re: Spam in qmail queue
On Fri, 23 May 2008, Richard Frovarp wrote:
> Marcin Praczko wrote:
>> BUT if the message is not SPAM - and the user doesn't exist, a bounce message should be sent to the sender.
>
> Do not bounce! If the user does not exist, reject the message at SMTP time. Problem solved. If you accept the message, it is up to you to deal with it. Bouncing will just send messages back to people who don't deserve it. Look up "joe jobbed".

In addition, behavior like that can get you blacklisted.

Marcin, please do not accept-then-bounce mail sent to nonexistent users or mail blocked for spamminess. You may find it increasingly difficult to communicate with the rest of the world, and you _will_ be hated.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
--- If Microsoft made hammers, everyone would whine about how poorly screws were designed and about how they are hard to hammer in, and wonder why it takes so long to paint a wall using the hammer.
--- 2 days until the Mars Phoenix lander arrives at Mars
Re: Seeing Bayes token matches for an email
On Fri, May 23, 2008 at 12:29:21PM -0400, Bowie Bailey wrote: I have an email that does not look at all spammy to me. On an account where Bayes is trained manually (no auto-learn at all), it got marked with BAYES_99. Is there a way to see what tokens Bayes is keying on? I tried running it through spamassassin -D, but I didn't see it there. spamassassin -D bayes It's too noisy for the standard debug output, but the bayes channel will give you the full info. -- Randomly Selected Tagline: Eighty percent of married men cheat in America. The rest cheat in Europe. - Jackie Mason pgpJP3vH3ZZXT.pgp Description: PGP signature
Re: Vars for Custom Plugins
Sorry, didn't send the last email to the list as well.

Doesn't SpamAssassin have a standard routine somewhere to determine who an email is for? It would seem like pretty basic stuff?

Rick

On Thu, May 22, 2008 at 11:38 AM, Theo Van Dinter [EMAIL PROTECTED] wrote:
> [sending back to users@ list since it's generally useful info]
>
> On Thu, May 22, 2008 at 11:25:44AM -0400, Rick Duval wrote:
>> One thing though, IF using to:addr I often get the name of the mailing list as opposed to the actual recipient. Is there a clean way to get that?
>
> It sounds like you want the envelope recipient, not the To header field. Unfortunately, there's no standard way to get that since each MTA does it differently, if that information is added at all. There should probably be a standard get() option that at least attempts to figure this out similar to EnvelopeFrom (feel free to open a bugzilla request about it), but in the mean time, looking at another function in PerMsgStatus that wants similar data (in no particular order):
>
>   $self->get('To')                   # std
>   $self->get('Cc')                   # std
>   $self->get('Apparently-To')        # sendmail, from envelope
>   $self->get('Delivered-To')         # Postfix, poss qmail
>   $self->get('Envelope-Recipients')  # qmail: new-inject(1)
>   $self->get('Envelope-To')          # exim
>   $self->get('X-Envelope-To')        # procmailrc manpage
>   $self->get('X-Delivered-To')       # procmail quick start
>   $self->get('X-Original-To')        # procmail quick start
>   $self->get('X-Rcpt-To')            # procmail quick start
>   $self->get('X-Real-To')            # procmail quick start
>   $self->get('Apparently-Resent-To') # procmailrc manpage
>
> Hope this helps. :)
>
> -- Randomly Selected Tagline: I lost my foo. - Theo
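The header walk Theo sketches can be done outside SpamAssassin with the standard library. This is an added example, not the PerMsgStatus code he refers to: it tries the MTA-written envelope headers first, falls back to To/Cc only when none is present, and so returns the real mailbox rather than the list address in the case Rick describes. The message is constructed, and the header order is an assumption (Theo gives his list in no particular order); a deployment should enable only the headers its own MTA is known to add, since any of them can be forged by a sender if the MTA does not overwrite them.

```python
"""Find the envelope recipient of a message from MTA-added headers.

Added example, not SpamAssassin's own get() logic. The preference order below
is an assumption: put the header *your* MTA writes first, and drop the ones it
does not write, because an upstream sender can supply any of these itself.
"""
import email
from email.message import Message
from email.utils import getaddresses
from typing import List, Optional, Sequence

ENVELOPE_HEADERS: Sequence[str] = (
    "Delivered-To",           # Postfix, possibly qmail
    "Envelope-To",            # Exim
    "X-Original-To",          # Postfix / procmail
    "X-Envelope-To",          # procmailrc manpage
    "X-Delivered-To",         # procmail quick start
    "X-Rcpt-To",              # procmail quick start
    "X-Real-To",              # procmail quick start
    "Envelope-Recipients",    # qmail new-inject(1)
    "Apparently-To",          # sendmail, from envelope
    "Apparently-Resent-To",   # procmailrc manpage
)


def _addresses(values: List[str]) -> List[str]:
    """Extract bare, lower-cased addresses from raw header values."""
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def envelope_recipients(msg: Message,
                        headers: Sequence[str] = ENVELOPE_HEADERS) -> List[str]:
    """Addresses from the first envelope-style header present, else []."""
    for name in headers:
        values = msg.get_all(name)
        if values:
            addrs = _addresses(values)
            if addrs:
                return addrs
    return []


def recipients_of(raw: str) -> List[str]:
    """Envelope recipients if any MTA header gives them, else To/Cc addresses."""
    msg = email.message_from_string(raw)
    env = envelope_recipients(msg)
    if env:
        return env
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []))


def first_recipient(raw: str) -> Optional[str]:
    """Single best guess at who the message was actually delivered to."""
    rcpts = recipients_of(raw)
    return rcpts[0] if rcpts else None


# Constructed list mail: the To: header names the list, Delivered-To the mailbox.
SAMPLE = """\
Delivered-To: rick@example.com
To: SpamAssassin Users <users@spamassassin.example>
From: someone@example.org
Subject: test

body
"""

if __name__ == "__main__":
    print("envelope recipient:", first_recipient(SAMPLE))
```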
reject vs. delete
Hi,

The product I've been working with allows the user to set Rejection and Deletion thresholds, at which a message identified as spam will be rejected with "550 - Message is Spam" etc., or accepted with "250 OK" but dropped on the floor, respectively.

Historically it has been believed that if we have a high enough confidence that a message is spam, it is advantageous to pretend we have accepted the message in order to avoid allowing spammers to know whether their methods are working. I have not verified anywhere that this practice really does have a negative impact on spammers. This would especially be invalidated if most of the rest of the spam filtering world does not make use of 'delete' and simply issues rejections -- in that case, if the spammers don't get the information from me, they'll get it from the next guy.

I do know that having a delete threshold occasionally causes false positives to go undetected by end users. That is a bit of a disadvantage. The suggestion has also been raised that claiming to accept spam rather than rejecting it might invite spammers to send more spam your way.

Does anyone have any knowledge or opinions on these matters? Does pretending to accept a message contribute to the fight against spam in some way? Or does it invite more spam? Is it worth it?

Jared Johnson
Software Developer and Support Engineer
Network Management Group, Inc.
620-664-6000 x118

-- Inbound and outbound email scanned for spam and viruses by the DoubleCheck Email Manager: http://www.doublecheckemail.com
RE: Seeing Bayes token matches for an email
Theo Van Dinter wrote:
> On Fri, May 23, 2008 at 12:29:21PM -0400, Bowie Bailey wrote:
>> I have an email that does not look at all spammy to me. On an account where Bayes is trained manually (no auto-learn at all), it got marked with BAYES_99. Is there a way to see what tokens Bayes is keying on? I tried running it through spamassassin -D, but I didn't see it there.
>
> spamassassin -D bayes
>
> It's too noisy for the standard debug output, but the bayes channel will give you the full info.

I thought I already tried that. Oh well...

That gives me the info, now how do I interpret it?

[26088] dbg: bayes: token 'fax' => 0.0466125715533146
[26088] dbg: bayes: token 'may' => 0.951423151521604
[26088] dbg: bayes: token 'send' => 0.947622860965791
[26088] dbg: bayes: token 'sent' => 0.0562793425809908

The numbers seem to go from 0 to 1. Is 0 non-spammy and 1 spammy, or is there more to it than that? If that's the case, there are quite a few common words that bayes doesn't seem to like.

-- Bowie
Re: reject vs. delete
> Does anyone have any knowledge or opinions on these matters? Does pretending to accept a message contribute to the fight against spam in some way? Or does it invite more spam? Is it worth it?

I accept all spam, and then (for higher spamminess automatically) report them through SpamCop. If I would not report them, I would reject them at once. No report, no idea to accept spam.

It depends. For all spam I report, only one or two ISPs send a message back confirming a kill. So I have no idea if reporting via SpamCop helps in the fight or not.. But that's what I do.
RE: Seeing Bayes token matches for an email
On Fri, 23 May 2008, Bowie Bailey wrote:
> That gives me the info, now how do I interpret it?
>
> [26088] dbg: bayes: token 'fax' => 0.0466125715533146
> [26088] dbg: bayes: token 'may' => 0.951423151521604
> [26088] dbg: bayes: token 'send' => 0.947622860965791
> [26088] dbg: bayes: token 'sent' => 0.0562793425809908
>
> The numbers seem to go from 0 to 1. Is 0 non-spammy and 1 spammy, or is there more to it than that? If that's the case, there are quite a few common words that bayes doesn't seem to like.

Remember, Bayes interprets tokens in relation to other tokens. Those high-scoring tokens may be high-scoring due to context.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
--- Think Microsoft cares about your needs at all? A company wanted to hold off on upgrading Microsoft Office for a year in order to do other projects. So Microsoft gave a 'free' copy of the new Office to the CEO -- a copy that of course generated errors for anyone else in the firm reading his documents. The CEO got tired of getting the 'please re-send in XX format' so he ordered other projects put on hold and the Office upgrade to be top priority. -- Cringely, 4/8/2004
--- 2 days until the Mars Phoenix lander arrives at Mars
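Bowie's reading is right as far as it goes: each number is the probability that a message containing that token is spam, 0 hammy and 1 spammy. What the debug lines do not show is how they combine, which is what John's "in relation to other tokens" is about. SpamAssassin's Bayes plugin combines token probabilities with Robinson's chi-square method (Mail::SpamAssassin::Bayes::CombineChi), and the following added example is a compact re-implementation of that combining step, not SpamAssassin's code and not part of the thread. It leaves out SA's token selection (how many tokens are kept, minimum counts, the exact clamping), so treating the four tokens above as the whole evidence is an assumption; with exactly those four, two spammy and two hammy, the combined result lands near 0.5, and the same four tokens next to two strongly spammy ones land well above it.

```python
"""Robinson chi-square combining of per-token spam probabilities.

Added example, not SpamAssassin code. Models the combining step of
Mail::SpamAssassin::Bayes::CombineChi without SA's token-selection rules.
"""
import math
from typing import Dict, Iterable


def chi2q(x2: float, v: int) -> float:
    """Upper-tail probability of a chi-square variate with v (even) degrees of freedom."""
    if v % 2:
        raise ValueError("degrees of freedom must be even")
    m = x2 / 2.0
    total = term = math.exp(-m)
    for i in range(1, v // 2):
        term *= m / i
        total += term
    return min(total, 1.0)


def combine_chi(probs: Iterable[float]) -> float:
    """Combine per-token spam probabilities into one probability in [0, 1].

    S measures how strongly the tokens jointly reject "this is ham";
    H how strongly they reject "this is spam". Their difference, rescaled
    to [0, 1], is the result: near 0.5 means the evidence is balanced.
    """
    ps = [min(max(p, 1e-9), 1.0 - 1e-9) for p in probs]  # avoid log(0)
    if not ps:
        return 0.5
    n = len(ps)
    s_sum = sum(math.log(1.0 - p) for p in ps)
    h_sum = sum(math.log(p) for p in ps)
    S = 1.0 - chi2q(-2.0 * s_sum, 2 * n)  # spamminess
    H = 1.0 - chi2q(-2.0 * h_sum, 2 * n)  # hamminess
    return (S - H + 1.0) / 2.0


# The four token probabilities from the debug output quoted in the thread.
DEBUG_TOKENS: Dict[str, float] = {
    "fax": 0.0466125715533146,
    "may": 0.951423151521604,
    "send": 0.947622860965791,
    "sent": 0.0562793425809908,
}

if __name__ == "__main__":
    base = list(DEBUG_TOKENS.values())
    print(f"four quoted tokens alone: {combine_chi(base):.3f}")
    print(f"plus two 0.99 tokens:     {combine_chi(base + [0.99, 0.99]):.3f}")
    print(f"four hammy 0.05 tokens:   {combine_chi([0.05] * 4):.3f}")
```

So a BAYES_99 verdict on a mail that "does not look spammy" means the *balance* of kept tokens was strongly spammy, not that words like "may" or "send" are individually damning; the fix is to train the message as ham so that the probabilities of the tokens that tipped it move toward 0.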
Re: reject vs. delete
On Fri, May 23, 2008 at 3:00 PM, Jared Johnson [EMAIL PROTECTED] wrote:

Hi,

The product I've been working with allows the user to set Rejection and Deletion thresholds, at which a message identified as spam will be rejected with 550 - Message is Spam etc., or accepted with 250 OK but dropped on the floor, respectively. Historically it has been believed that if we have a high enough confidence that a message is spam, it is advantageous to pretend we have accepted the message in order to avoid allowing spammers to know whether their methods are working. I have not verified anywhere that this practice really does have a negative impact on spammers. This would especially be invalidated if most of the rest of the spam filtering world does not make use of 'delete' and simply issues rejections -- in that case, if the spammers don't get the information from me, they'll get it from the next guy.

I do know that having a delete threshold occasionally causes false positives to go undetected by end users. That is a bit of a disadvantage. The suggestion has also been raised that claiming to accept spam rather than rejecting it might invite spammers to send more spam your way.

Does anyone have any knowledge or opinions on these matters? Does pretending to accept a message contribute to the fight against spam in some way? Or does it invite more spam? Is it worth it?

I prefer to follow the spirit if not the letter of the RFCs. If I am not going to take responsibility for a message, I reject it. I do accept some things and quarantine them rather than put them into a user's mailbox, but I never just throw anything away after saying I will deliver it. There are plenty of sites that do silently throw away mail, and plenty that will reject. Unless you are a *really* big site, I really don't think spammers are going to care what you do, if they notice at all. I'd worry more about the legitimate users and what happens to their mail in a false positive situation.
-Aaron

Jared Johnson
Software Developer and Support Engineer
Network Management Group, Inc.
620-664-6000 x118

--
Inbound and outbound email scanned for spam and viruses by the DoubleCheck Email Manager: http://www.doublecheckemail.com
Interesting data - but is it good for anything?
I started collecting host names where the registry barrier part of the FCrDNS is the same as the registry barrier part of the helo. I don't know what it's good for - if anything - but looking for ideas as to what to do with it. Just have a gut level feeling that I'm on to something here.
Re: How to get clarity on AWL?
Greg Troxel wrote:

A lot of my mail is tagged with AWL, and I am often baffled. Here are what I think are the relevant headers from a perplexing example:

    Return-Path: [EMAIL PROTECTED]
    X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on fnord.ir.bbn.com
    X-Spam-Status: Yes, score=6.8 required=1.0 tests=AWL,BAYES_95,DEAR_WINNER,
        HTML_MESSAGE,SUBJ_ALL_CAPS autolearn=spam version=3.2.4
    X-Spam-Report:
        *  2.1 SUBJ_ALL_CAPS Subject is all capitals
        *  3.2 DEAR_WINNER BODY: DEAR_WINNER
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
        *      [score: 0.9582]
        * -1.5 AWL AWL: From: address is in the auto white-list
    From: AUSTRALIAN LOTTERY INTL [EMAIL PROTECTED]

Reading http://wiki.apache.org/spamassassin/AwlWrongWay, I realize I am confused - this sender has a positive average, and this message was more spammy, and thus given credit for somewhat-less-spammy previous mail. I think that I should be able to infer that because this message was 8.3 before AWL, and AWL was -1.5, that the average is 5.3. But if the message said

    * -1.5 AWL AWL: From: address is in the auto white-list at 5.3 for 12 messages

it would make things easier to follow. Plus, the AutoWhitelist wiki entry says that the key is also the IP address that the mail originated at, and it would be nice to print that out, since it's non-obvious what that means (last hop before trusted relay, or relying on maybe-forged received lines?).

Agreed, this would make things clearer. Either that, or have a tag set up so you can add it to the report, or an X-Spam-AWL header with these details, should you so choose.
Somewhat separately, the spamassassin program has options to manipulate whitelist, blacklist:

    -W, --add-to-whitelist                Add addresses in mail to persistent address whitelist
        --add-to-blacklist                Add addresses in mail to persistent address blacklist
    -R, --remove-from-whitelist           Remove all addresses found in mail from persistent address list
        --add-addr-to-whitelist=addr      Add addr to persistent address whitelist
        --add-addr-to-blacklist=addr      Add addr to persistent address blacklist
        --remove-addr-from-whitelist=addr Remove addr from persistent address list

but I don't see any to print out the lists and scores for inspection, and I'm unclear on the AWL vs persistent white/black lists.

All of the above pertains to the AWL only. Persistent white/black list entries in your local.cf or user_prefs will show up as separate rule hits like USER_IN_WHITELIST.

I think it would make sense to have

    --print-whitelist
    --print-blacklist
    --print-autowhitelist

or perhaps only one is needed, and also --lookup-in-whitelists=addr to print the white/black/auto status of an address.

There is a tool that does this, but it's not included in the distribution. The check_whitelist script is available from the SVN:

http://svn.apache.org/repos/asf/spamassassin/branches/3.2/tools/check_whitelist

However, this tool is a bit crude, and it would be much nicer if this was all built into a separate sa-learn-like utility that handled AWL learning, forgetting and dumping.
Re: How to get clarity on AWL?
On Friday 23 May 2008 9:42 am, Greg Troxel wrote:

A lot of my mail is tagged with AWL, and I am often baffled. Here are what I think are the relevant headers from a perplexing example:

    Return-Path: [EMAIL PROTECTED]
    X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on fnord.ir.bbn.com
    X-Spam-Status: Yes, score=6.8 required=1.0 tests=AWL,BAYES_95,DEAR_WINNER,
        HTML_MESSAGE,SUBJ_ALL_CAPS autolearn=spam version=3.2.4
    X-Spam-Report:
        *  2.1 SUBJ_ALL_CAPS Subject is all capitals
        *  3.2 DEAR_WINNER BODY: DEAR_WINNER
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
        *      [score: 0.9582]
        * -1.5 AWL AWL: From: address is in the auto white-list
    From: AUSTRALIAN LOTTERY INTL [EMAIL PROTECTED]

Reading http://wiki.apache.org/spamassassin/AwlWrongWay, I realize I am confused - this sender has a positive average, and this message was more spammy, and thus given credit for somewhat-less-spammy previous mail. I think that I should be able to infer that because this message was 8.3 before AWL, and AWL was -1.5, that the average is 5.3. But if the message said

    * -1.5 AWL AWL: From: address is in the auto white-list at 5.3 for 12 messages

I use a little perl script that I got somewhere in 2004 that takes your AWL and makes a hashed and plain text version. The entries look like this:

    7929be75889dbf08c8efc87d226a1974 2 82.058
    [EMAIL PROTECTED]|ip=220.81 2 82.058

Here is the explanation from the script itself:

    # The keys of this hash are like
    # [EMAIL PROTECTED]|ip=213.41|totscore
    # and the values are like
    # 8.7472
    # test with values(%hash); and keys(%hash);
    # every mail address has two entries:
    # e.g.
    # [EMAIL PROTECTED]|ip=213.41|totscore
    # [EMAIL PROTECTED]|ip=213.41
    # where totscore is the over-all score (value) and the
    # value of the second line is the count
    # of mails received from this sender
    # write this to a file one entry per line and nice it a little bit
    # replace | with ' '
    # do it with a hash of hashes, keys are mailaddresses, subkeys are totalscore and score
    # IMPORTANT: Every time the hash is accessed it returns the value
    # key triples in a different order
    # (the triples not the keys and values itself of course)
    # just in case you are wondering

If this is something like you're looking for I could post it at a download site.

-- Chris
KeyID 0xE372A7DA98E6705C
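As an added example (not code from this thread or from SpamAssassin itself), here is the AWL bookkeeping that both Greg's headers and Chris's script describe, written in Python: it reads entries in the plain "key count totscore" form Chris's script prints and reproduces Greg's "8.3 before AWL, AWL -1.5, so the average is 5.3" arithmetic. The 0.5 factor (SpamAssassin's default auto_whitelist_factor), the ip=A.B key truncation and the sample entries are assumptions, and the sample dump is constructed.

```python
# Added example, not part of the thread: AWL mean/adjustment arithmetic.
# Assumption: auto_whitelist_factor is SpamAssassin's default of 0.5.
from typing import Dict, Tuple

AWL_FACTOR = 0.5  # assumed SpamAssassin default auto_whitelist_factor

# Constructed sample dump, one "key count totscore" entry per line, in the
# plain form shown in the thread ("[EMAIL PROTECTED]|ip=220.81 2 82.058").
SAMPLE_DUMP = """
# constructed sample, not a real AWL
lottery@example.invalid|ip=203.0 12 63.6
friend@example.invalid|ip=198.51 40 -88.0
"""

def awl_key(addr: str, ip: str) -> str:
    """Build the 'addr|ip=A.B' key: lowercased sender address plus the first
    two octets of the originating IP, matching the 'ip=213.41' form in the
    script's comments (assumed truncation rule)."""
    a, b = ip.split(".")[:2]
    return f"{addr.lower()}|ip={a}.{b}"

def parse_awl_dump(text: str) -> Dict[str, Tuple[float, int]]:
    """Parse 'key count totscore' lines into {key: (totscore, count)}."""
    entries: Dict[str, Tuple[float, int]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, count, totscore = line.split()
        entries[key] = (float(totscore), int(count))
    return entries

def awl_adjustment(entry: Tuple[float, int], score: float,
                   factor: float = AWL_FACTOR) -> Tuple[float, float]:
    """Return (delta, mean) for a message scoring `score` (pre-AWL) from a
    sender with history `entry`.  The AWL pulls the score toward the
    sender's mean: delta = (mean - score) * factor."""
    totscore, count = entry
    mean = totscore / count
    return round((mean - score) * factor, 1), round(mean, 1)

def record(entry: Tuple[float, int], score: float) -> Tuple[float, int]:
    """Update the running totals with a message's pre-AWL score."""
    totscore, count = entry
    return (totscore + score, count + 1)

if __name__ == "__main__":
    awl = parse_awl_dump(SAMPLE_DUMP)
    key = awl_key("Lottery@example.invalid", "203.0.113.7")
    delta, mean = awl_adjustment(awl[key], 8.3)
    # -> lottery@example.invalid|ip=203.0: mean 5.3 over 12 msgs -> AWL -1.5
    print(f"{key}: mean {mean} over {awl[key][1]} msgs -> AWL {delta:+}")
```

The same arithmetic run on the second constructed sender shows the other direction: a mildly spammy message from a sender with a negative mean is pulled down, which is the "AwlWrongWay" effect Greg links to.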
RE: Temp fail not working...
-Original Message-
From: Jari Fredriksson [mailto:[EMAIL PROTECTED]
Sent: Friday, 23 May 2008 3:29 PM
To: Anthony Kamau; users@spamassassin.apache.org
Subject: Re: Temp fail not working...

Do you have -x in your call to spamc?

Thanks for that. I added that option to the startup script and restarted spamc (service spamass-milter restart) then killed spamd (service spamassassin stop). Oddly enough, messages are still being delivered by sendmail!!! I then checked the process list and saw the following:

    /usr/bin/spamd -d -c -m5 -H -x -q -u spambucket -r /var/run/spamd.pid
    spamass-milter -p /var/run/spamass.sock -f -x

Further reading of `man spamc' revealed that option `-f' is non-existent (at least not mentioned in my spamc man pages); there's only a `-F' option - so why do I have this option that appears to do nothing for me? Could it be that it was meant to be `-F'? Well, I removed that option from the startup script and on trying to start the service, it hung indefinitely! I then added `-F' in its place and I got the following output:

    ###
    [EMAIL PROTECTED] ~]# sudo /sbin/service spamass-milter start
    Starting spamass-milter: spamass-milter: invalid option -- F
    spamass-milter - Version 0.3.1
    SpamAssassin Sendmail Milter Plugin
    Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
                          [-e defaultdomain] [-f] [-i networks] [-m] [-M]
                          [-P pidfile] [-r nn] [-u defaultuser] [-x]
                          [-- spamc args ]
       -p socket: path to create socket
       -b bucket: redirect spam to this mail address.
                  The orignal recipient(s) will not receive anything.
       -B bucket: add this mail address as a BCC recipient of spam.
       -d xx[,yy ...]: set debug flags. Logs to syslog
       -D host: connect to spamd at remote host (deprecated)
       -e defaultdomain: pass full email address to spamc instead of just username.
                  Uses 'defaultdomain' if there was none
       -f: fork into background
       -i: skip (ignore) checks from these IPs or netblocks
           example: -i 192.168.12.5,10.0.0.0/8,172.16.0.0/255.255.0.0
       -m: don't modify body, Content-type: or Subject:
       -M: don't modify the message at all
       -P pidfile: Put processid in pidfile
       -r nn: reject messages with a score = nn with an SMTP error.
              use -1 to reject any messages tagged by SA.
       -u defaultuser: pass the recipient's username to spamc.
              Uses 'defaultuser' if there are multiple recipients.
       -x: pass email address through alias and virtusertable expansion.
       -- spamc args: pass the remaining flags to spamc.
                                                               [FAILED]
    [EMAIL PROTECTED] ~]#
    ###

This is when I realized that the man page falsely states what the `-x' option does, and as seen above, there isn't even a -F option as stated in the man pages. From the above, it is clear what `-x' does:

    -x: pass email address through alias and virtusertable expansion.

I also understand why, when I Ctrl-C'd out of the hung session, I got the [OK] message; the process was not forking to the background!

So, is it that I have a really old version of spamass-milter? Odd thing is that I cannot find a newer version!!!

Puzzled,
AK.
Re: Temp fail not working...
Do you have -x in your call to spamc?

Thanks for that. I added that option to the startup script and restarted spamc (service spamass-milter restart) then killed spamd (service spamassassin stop). Oddly enough, messages are still being delivered by sendmail!!! I then checked the process list and saw the following:

    /usr/bin/spamd -d -c -m5 -H -x -q -u spambucket -r /var/run/spamd.pid
    spamass-milter -p /var/run/spamass.sock -f -x

Further reading of `man spamc' revealed that option `-f' is non-existent (at least not mentioned in my spamc man pages); there's only a `-F' option - so why do I have this option that appears to do nothing for me? Could it be that it was meant to be `-F'? Well, I removed that option from the startup script and on trying to start the service, it hung indefinitely! I then added `-F' in its place and I got the following output:

    ###
    [EMAIL PROTECTED] ~]# sudo /sbin/service spamass-milter start
    Starting spamass-milter: spamass-milter: invalid option -- F
    spamass-milter - Version 0.3.1
    SpamAssassin Sendmail Milter Plugin
    Usage: spamass-milter -p socket [-b|-B bucket] [-d xx[,yy...]] [-D host]
                          [-e defaultdomain] [-f] [-i networks] [-m] [-M]
                          [-P pidfile] [-r nn] [-u defaultuser] [-x]
                          [-- spamc args ]
       -p socket: path to create socket
       -b bucket: redirect spam to this mail address.
                  The orignal recipient(s) will not receive anything.
       -B bucket: add this mail address as a BCC recipient of spam.
       -d xx[,yy ...]: set debug flags. Logs to syslog
       -D host: connect to spamd at remote host (deprecated)
       -e defaultdomain: pass full email address to spamc instead of just username.
                  Uses 'defaultdomain' if there was none
       -f: fork into background
       -i: skip (ignore) checks from these IPs or netblocks
           example: -i 192.168.12.5,10.0.0.0/8,172.16.0.0/255.255.0.0
       -m: don't modify body, Content-type: or Subject:
       -M: don't modify the message at all
       -P pidfile: Put processid in pidfile
       -r nn: reject messages with a score = nn with an SMTP error.
              use -1 to reject any messages tagged by SA.
       -u defaultuser: pass the recipient's username to spamc.
              Uses 'defaultuser' if there are multiple recipients.
       -x: pass email address through alias and virtusertable expansion.
       -- spamc args: pass the remaining flags to spamc.
                                                               [FAILED]
    [EMAIL PROTECTED] ~]#
    ###

This is when I realized that the man page falsely states what the `-x' option does, and as seen above, there isn't even a -F option as stated in the man pages. From the above, it is clear what `-x' does:

    -x: pass email address through alias and virtusertable expansion.

I also understand why, when I Ctrl-C'd out of the hung session, I got the [OK] message; the process was not forking to the background!

So, is it that I have a really old version of spamass-milter? Odd thing is that I cannot find a newer version!!!

Puzzled,
AK.

Hey! Do not mix options for spamc and spamass-milter!

Put all the options back as they were, and then (I do not know spamass-milter, but your message has the help in it!) add

    -- -x

to the end of the milter call. See the last line of the milter usage:

    -- spamc args: pass the remaining flags to spamc.

-x for milter is different from -x for spamc! Same goes with -f and -F !!
RE: Temp fail not working...
-Original Message-
From: Jari Fredriksson [mailto:[EMAIL PROTECTED]
Sent: Saturday, 24 May 2008 12:54 PM
To: Anthony Kamau; users@spamassassin.apache.org
Subject: Re: Temp fail not working...

Hey! Do not mix options for spamc and spamass-milter! Put all the options back as they were, and then

Thanks for setting me on the straight and narrow. I'm now clued in on what I'm doing wrong!

Cheers,
AK.