Re: channel 70_zmi_german.cf.zmi.sa-update.dostech.net update?
On 05/09/2011 1:32 AM, Michael Monnerie wrote: On Samstag, 12. Februar 2011 Daryl C. W. O'Shea wrote: Something might be wedged in that channel generation... I'll have to look. Hi Daryl, referring to that old mail, I also only see that old 2010-08 config of ZMI_GERMAN. I'm the maintainer of ZMI_GERMAN, and would wish to have a fix - could you do that please? Is there something I can do to fix it? Hrm, I thought that was fixed. I will check what's up. Daryl
Re: Rule to match X-Spam-Flag
On 09/06/2011 5:09 AM, Alessandro Dentella wrote: Hi, I find a lot of spam that has already passed other spam-filters with spamassassin better tuned than mine an already have a X-Spam-Flag to YES. I tried to add a rule to match that case: header CUSTOM_X_SPAM_FLAG X-Spam-Flag =~ /\bYES\b/i score CUSTOM_X_SPAM_FLAG 5 But spamassassin -t /tmp/spam does not show any hit ot that rule. Moreover using flag -D I don't see it being called. I set it in /etc/spamassassin/local.cf Is it any possible to match on that rule? Have you tried matching against the ALL:raw header? I don't think it will work but I can't remember for sure. header CUSTOM_X_SPAM_FLAG ALL:raw =~ /\bX-Spam-Flag: YES\b/i A custom plugin may also be able to use get_pristine_header() to match against what you want to match against. Again, though, I can't remember for sure when/where the X-Spam headers get stripped out. Daryl
Re: Rule to match X-Spam-Flag
On 09/06/2011 10:26 PM, Benny Pedersen wrote: On Fri, 10 Jun 2011 04:08:08 +0200, Benny Pedersen wrote: On Thu, 09 Jun 2011 22:00:09 -0400, Daryl C. W. O'Shea wrote: header CUSTOM_X_SPAM_FLAG ALL:raw =~ /\bX-Spam-Flag: YES\b/i aol have left out the space before YES will test it and report back, thanks for this tip if it works :-) # header CUSTOM_X_SPAM_FLAG ALL:raw =~ /\bX-Spam-Flag: YES\b/i # aol forget the space before YES # does the other versions exists ? header X_SPAM_FLAG_YES ALL:raw =~ /\bX-Spam-Flag:YES\b/i describe X_SPAM_FLAG_YES Header: says its spam score X_SPAM_FLAG_YES 1.5 tested and works Good. This may work then, too: header CUSTOM_X_SPAM_FLAG X-Spam-Flag:raw =~ /\bYES\b/i Daryl
Re: channel 70_zmi_german.cf.zmi.sa-update.dostech.net update?
Something might be wedged in that channel generation... I'll have to look. Daryl On 11/02/2011 4:26 AM, C.M. Burns wrote: Hi list, what happend to channel 70_zmi_german.cf.zmi.sa-update.dostech.net ? is this not being updated anymore although still advertised on http://wiki.apache.org/spamassassin/CustomRulesets ? sa-update reports Feb 11 10:22:16.646 [20894] dbg: channel: current version is 20100831, new version is 20100831, skipping channel but if I check the website linked in the wiki http://zmi.at/x/70_zmi_german.cf I can find a much newer version: # Version: 01.33.1 # zmide_genericspam reduced # Created: 2005-10-07 # Modified: 2011-02-07 ZMI bye Stefan
Re: Automatic Rule Combination Generator
On 02/01/2011 11:30 AM, Marc Perkel wrote: Here's a wild idea that might prove a point. Create a set of meta rules which is a combination of every set of two rules. meta COMBO_RULE1_RULE2 (RULE1 RULE2) describe COMBO_RULE1_RULE2 RULE1 and RULE2 score COMBO_RULE1_RULE2 0.1 Then run stats to see if any of the combos produce interesting and useful results. Then do 3 rule combos. I'm betting that new useful rule combos will be discovered Someone could write a perl script hat would generate the rules. I bet Henry Stern could! http://svn.apache.org/repos/asf/spamassassin/trunk/masses/evolve_metarule/README Daryl
Re: Only running network tests when necessary - feature request
On 30/10/2010 4:28 AM, Yet Another Ninja wrote: rsync? to check mail? Hrm, not a bad idea for the basis of a bayesian filter. Daryl
Re: Massive drop in spam in network mass checks in the last two weeks
On 30/10/2010 1:12 PM, dar...@chaosreigns.com wrote: In the last two network mass checks, today and a week ago, only 3.1% and 3.4%, respectively, of the corpora has been spam. Why? I had an IBM Deathstar go on me. Although I thought it had, moving my mail spool and personal home directory to a RAID array never made it to the top of my to-do list. To make it worse, my backups-to-disk array failed the week before. I've never been able to justify a tape library for home, so I'm without any backups now. If anybody at a major data recovery firm feels like helping me out, I'd appreciate it. I'm on the fence right now about spending big $$ to recover the data. Such an extreme drop has happened three times before in as many years, That's a pretty good record given the volunteer nature, I think. but this is the first time it was the result of a multi-week trend, and the first time it stayed so low two weeks in a row. That's probably a result of me having been running a city council election campaign in October and not having time to get mass-checks running again on what mail I can collect from caches. Unfortunately, for the SpamAssassin community, I was elected so time continues to be short on my end. Although I do think that I got it pretty much working last night so their should be results sometime today. I maybe having some DNS issues though, so it might be another week or two before I have solid results. Regards, Daryl
Re: TMPDIR as a tmpfs
On 22/06/2010 10:52 AM, Henrique Fernandes wrote: It is safe to use spamassassin tmpdir on a tmpfs mounted system ? Yes it's safe. And if its safe it would have a better performance ? Potentially. If you've got memory free for it, it certainly shouldn't perform worse. Daryl
Re: sa-update problem
On 30/05/2010 7:06 PM, John Hardin wrote: On Sat, 29 May 2010, Illó Gábor wrote: And you have any idea for this? May 29 21:06:38 mail spamd[88295]: rules: meta test ADVANCE_FEE_3_NEW_FORM has dependency 'ADVANCE_FEE_3_NEW' with a zero score May 29 21:06:38 mail spamd[88295]: rules: meta test ADVANCE_FEE_3_NEW_MONEY has dependency 'ADVANCE_FEE_3_NEW' with a zero score I've manually corrected 72_scores.cf so that all of the rules with zero scores now have 0.001 scores. The dependency warnings should stop as soon as the next sa-update goes out. Daryl will look at the score generator sometime this week, and I'll try to keep an eye on 72_scores.cf and fix it if it gets regenerated prior to that. I think I've fixed, or at least avoided, this issue in r949640. I can't remember what the root cause is (I last looked at it around r530564). Daryl
Re: How to use German spam channel? (GPG problems)
On 16/05/2010 7:53 AM, Yves Goergen wrote: On 16.05.2010 12:13 CE(S)T, C.M. Burns wrote: I suppose you have problems with the key #856AA88A. Yes, that was it. If you imported it to your keyring, try this: sa-update --channel 70_zmi_german.cf.zmi.sa-update.dostech.net --gpgkey 856AA88A or you could try this: sa-update --channel 70_zmi_german.cf.zmi.sa-update.dostech.net --gpgkeyfile /path/to/your_channel_keyfile.chan Thanks, that worked. sa-update doesn't seem to know what keys to use on its own. Yes, by design, to limit the ability of people to distribute rouge updates. http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Daryl
Re: Mail::SPF vs. Mail::SPF::Query
On 25/03/2010 5:04 PM, Clayton Keller wrote: I have run into a snag. The release notes for 3.3.0 indicate that Mail::SPF::Query is no longer used. I have been using the pypolicyd-spf package from openspf.org, which required python-spf to be installed to take advantage of their module. With that I had previously used to following config option in my local.cf to for the use of Mail::SPF::Query: do_not_use_mail_spf 1 At the moment I am running into a conflict with the binaries for the python-spf and perl-Mail-SPF packages. My question is with the statement in the release announcements could I run into an issue without having Mail::SPF installed? The SPF plugin appears to still include the use of Mail::SPF::Query if that value is toggled, and appears to also look for headers added (in my case by the pypolicyd-spf package as well). As long as the logic didn't change (except for dropping Mail::SPF::Query support) from when I wrote it, yeah, you should be able to just re-use your already added Received-SPF headers. Of course, if there is no Received-SPF header present in a message you won't be able to do an SPF check in SA if you don't have the required module (Mail::SPF) installed. Daryl
Re: FPs on DOS_HIGHBIT_HDRS_BODY
On 25/03/2010 12:35 PM, John Wilcock wrote: I've seen a few FPs on this rule from genuine ham sent by one of my colleagues using Thunderbird 3.0.4 - not all her mail, but specifically replies to certain messages with UTF-8 encoding. Anyone else seeing this? Can you share samples in a bug report at http://issues.apache.org/SpamAssassin/ ? Daryl
Re: dumb question, opinion about KHOP_SC_TOP200 and 5.3 point score?
On 25/03/2010 2:26 PM, Michael Scheidell wrote: yes, somehow the sender was in spamcop rbl, and the nightly sa-update keeps up to date with 72_active.cf rule.. but, maybe a score of 5.3 is pretty high for ONE rule? ( KHOP_SC_TOP200 is 3.9. but since its in the spamcop database, you add 1.34. total of 5.3. ) score KHOP_SC_TOP2003.999 3.999 3.999 3.999 shouldn't a minor tweak on the score be something that takes into account 'network tests' ? something like score KHOP_SC_TOP2003.999 2.65 3.999 2.65 I can't think of a way for the GA to know that the rule contains the same info as a DNSBL test. There are rule overlap stats, but I don't think that would be enough with only a small number of ham occurrences. I think the correct thing to do would be to modify the KHOP_SC_TOP200 to be a meta that doesn't fire if the corresponding spamcop DNSBL rule fires. Perhaps you could open a bug at http://issues.apache.org/SpamAssassin/ about it. Daryl
Re: Mail::SPF vs. Mail::SPF::Query
On 25/03/2010 5:37 PM, Clayton Keller wrote: On 3/25/2010 4:25 PM, Daryl C. W. O'Shea wrote: On 25/03/2010 5:04 PM, Clayton Keller wrote: I have run into a snag. The release notes for 3.3.0 indicate that Mail::SPF::Query is no longer used. I have been using the pypolicyd-spf package from openspf.org, which required python-spf to be installed to take advantage of their module. With that I had previously used to following config option in my local.cf to for the use of Mail::SPF::Query: do_not_use_mail_spf 1 At the moment I am running into a conflict with the binaries for the python-spf and perl-Mail-SPF packages. My question is with the statement in the release announcements could I run into an issue without having Mail::SPF installed? The SPF plugin appears to still include the use of Mail::SPF::Query if that value is toggled, and appears to also look for headers added (in my case by the pypolicyd-spf package as well). As long as the logic didn't change (except for dropping Mail::SPF::Query support) from when I wrote it, yeah, you should be able to just re-use your already added Received-SPF headers. Of course, if there is no Received-SPF header present in a message you won't be able to do an SPF check in SA if you don't have the required module (Mail::SPF) installed. Daryl So, the previous statements in the SPF plugin that reference Mail::SPF::Query to be used instead of Mail::SPF have now been removed? Or there are plans to have them yanked in the not-so-near future? Hrm. It looks like they're still there. I actually don't see that support for Mail::SPF::Query has been dropped. Daryl
Re: Mail::SPF vs. Mail::SPF::Query
On 25/03/2010 6:03 PM, Clayton Keller wrote: On 3/25/2010 4:58 PM, Daryl C. W. O'Shea wrote: Hrm. It looks like they're still there. I actually don't see that support for Mail::SPF::Query has been dropped. Daryl Ok, that's what I was seeing as well. Thank you for confirming that for me. Was there any decisions regarding the deprecation of the use of Mail::SPF::Query that has been tossed around? I will admit I have not looked through any bug report requests regarding this at all. I haven't either. Hopefully Mark or someone else will chime in. Daryl
Re: Mail::SPF vs. Mail::SPF::Query
On 25/03/2010 7:33 PM, Mark Martinec wrote: Was there any decisions regarding the deprecation of the use of Mail::SPF::Query that has been tossed around? I will admit I have not looked through any bug report requests regarding this at all. I haven't either. Hopefully Mark or someone else will chime in. I believe the following statement from 3.3.0 release notes was imprecise: - CPAN module requirements: - no longer used: Mail::DomainKeys, Mail::SPF::Query; Actually the Mail::DomainKeys is no longer used, but Mail::SPF::Query is no longer REQUIRED, as Mail::SPF has been preferred for some time. I think the code in the SPF plugin hasn't changed in any substantial way, so it most likely still works with Mail::SPF::Query when Mail::SPF is unavailable, Please try it. Mark That makes sense. FWIW, Mail::SPF::Query was no longer *required* when support for Mail::SPF was introduced (sometime in 3.2 I think, maybe 3.2.0). You could install either and run SPF checks. Daryl
Re: careful on your clicks: at least one hijacked server: ANNOUNCE: Apache SpamAssassin 3.3.1 available
On 20/03/2010 12:34 PM, Michael Scheidell wrote: O http://www.takeyellow.com/ But the mirror is also there: http://www.takeyellow.com/apachemirror/ I agree that combination looks fishy first. But I rather think that this I think I would worry about the integrety of a mirror like that, but up to SA folks. if they think its ok to use them as a mirror, so be it. It's not up to us, it's really up to ASF infrastructure. I am concerned that you were apparently directed there before the files were there. AFAIK that's not supposed to happen. (its just that if the file does NOT exist, like it didn't exist yesterday... you get their search pages. try it, pretend you are looking for sa332. Again, I'm pretty sure you're not supposed to be directed to a mirror unless it has updated. Although a plain 404 would be better. with all the problems lately, fake search pages, legit (yahoo search, doubleclick, etc) serving up malware laden ads, its just too fishy. I don't think anything is fishy and I'm still not convinced that the original owners of the domain have lost control of it. Daryl
Re: careful on your clicks: at least one hijacked server: Re: ANNOUNCE: Apache SpamAssassin 3.3.1 available
On 19/03/2010 2:34 PM, Michael Scheidell wrote: On 3/19/10 12:31 PM, Justin Mason wrote: Release Notes -- Apache SpamAssassin -- Version 3.3.1 I clicked on the download and got redirected (hijacked)? to this site: http://www.takeyellow.com/apachemirror/spamassassin/source/Mail-SpamAssassin-3.3.1.tar.gz TAKEYELLOW IS NO LONGER UNDER CONTROL OF THE ORIGINAL OWNERS. ITS A PARKING, DRIVE BY DOWNLOAD SITE. I'm not sure that's accurate. Did you get that link from our download page today? The site seems to still be an Apache mirror, it just hasn't updated yet, AFAICS. http://www.takeyellow.com/apachemirror/spamassassin/ [...@cyan ~]$ whois takeyellow.com [Querying whois.verisign-grs.com] [whois.verisign-grs.com] Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: TAKEYELLOW.COM Registrar: SPOT DOMAIN LLC DBA DOMAINSITE.COM Whois Server: whois.domainsite.com Referral URL: http://www.domainsite.com Name Server: NS1139.HOSTGATOR.COM Name Server: NS1140.HOSTGATOR.COM Status: clientDeleteProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 06-sep-2009 Creation Date: 04-jul-2008 Expiration Date: 04-jul-2011 Last update of whois database: Sat, 20 Mar 2010 00:42:47 UTC
Re: Default rulesets updating daily
On 19/03/2010 8:34 PM, Chris wrote: SA3.3.0, just a general question, I've noticed that over the past six days that during my 01:11 sa-update cronjob that the complete default rulesets are being updated. The file names are in fact changing, ie..922182.tar.gz, 922507.tar.gz and so forth, just curious as to why the daily changes when I've not noticed daily updates of the default rules prior to the 13th. We can, so we are. We've automated QA and scoring of new rules and are publishing them frequently. Daryl
Re: What happened to SOUGHT rules' server?
On 15/03/2010 11:07 PM, j wrote: I've been having the same problem from several locations/ISPs, since mid-Saturday. 500 Can't connect to yerp.org:80 (connect: timeout) Dave Anyone figure this out? I have received the same yerp.org down errors and it's screwing up my SA royally. I guess this is what we get when we rely on external sources to help us at no charge.. :( Just so I understand your use case, so we can improve sa-update... how is it that a failing channel is royally screwing up your SA? Thanks! Daryl
Re: Error with sa-update.
On 26/02/2010 7:13 AM, Lee Dilkie wrote: Folks, I'm getting a parse error when I run sa-update to pick up the latest ruleset (3.3? from updates.spamassassin.org. Are you still having this issue? $ sa-update --allowplugins --nogpg --channel updates.spamassassin.org Wow. That's an incredibly bad idea. Allowing sa-update to install Perl, or other, code (--allowplugins) without verifying that the code is signed (--nogpg) is pretty risky. If a mirror gets hacked you'll run (possibly as root) whatever code the attacker wants you to. config: failed to parse line, skipping, in /tmp/.spamassassin46123uY1E3Ntmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin46123uY1E3Ntmp/72_active.cf: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin46123uY1E3Ntmp/72_active.cf: mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i channel: lint check of update failed, channel failed On the surface this indicates an issue with the MIMEEval plugin. However, it appears that you're loading that plugin (see below). Maybe verify that your version of MIMEEval is OK. [...@cyan Plugin]$ sha1sum MIMEEval.pm ec62013c06d3a51d972cd02d51169221be6d51c2 MIMEEval.pm [...@cyan Plugin]$ Shag it.. here's the dump (this includes updates from saupdates.openprotect.com as well but that one runs error free) Feb 26 04:15:02.614 [14130] dbg: generic: lint check of site pre files succeeded, continuing with channel updates That's good. A lint succeeds using minimal configuration. Feb 26 04:15:06.323 [14130] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEEval from @INC The MIMEEval plugin seems to be loading. config: failed to parse line, skipping, in /tmp/.spamassassin14130V3YzQDtmp/72_active.cf: mimeheader __TVD_MIME_ATT_AOPDF Content-Type =~ /^application\/octet-stream.*\.pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin14130V3YzQDtmp/72_active.cf: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i config: failed to parse line, skipping, in /tmp/.spamassassin14130V3YzQDtmp/72_active.cf: mimeheader __TVD_MIME_ATT_TP Content-Type =~ /^text\/plain/i These are all MIMEEval rules. I've checked and they are all wrapped in the appropriate ifplugin statements. Feb 26 04:15:07.438 [14130] dbg: zoom: loading compiled ruleset from /var/db/spamassassin/compiled/5.008/3.003000 Feb 26 04:15:07.447 [14130] dbg: zoom: using compiled ruleset in /var/db/spamassassin/compiled/5.008/3.003000/Mail/SpamAssassin/CompiledRegexps/body_0.pm for Mail::SpamAssassin::CompiledRegexps::body_0 Hmm. This is probably a flaw in sa-update, but probably doesn't affect your issue. For fun, try rm'ing /var/db/spamassassin/compiled/ and run sa-update again. Daryl
Re: Off Topic - SPF - What a Disaster
On 23/02/2010 7:51 PM, Dave Pooser wrote: 2) whitelist_auth is worth its weight in platinum Damn! I knew that should have been a subscription only feature! ;)
Re: v3.3.x Rule installs/updates from updates.spamassassin.org sought.rules.yerp.org FAIL @ dns query (NXDOMAIN); other channels resolve work fine.
On 19/02/2010 12:37 PM, Ben DJ wrote: 2010/2/15 Daryl C. W. O'Shea spamassas...@dostech.ca: Yeah. That'll be corrected RSN. Great. Atm, dig +short -t TXT 1.3.3.updates.spamassassin.org 903765 Just to be clear, this^^^ will be the channel used by spamassassin's sa-update from SVN 3.3.x branch, correct? Yeah, at least until the branch version number increments to 3.3.2, 3.3.3, etc. Daryl
Re: v3.3.x Rule installs/updates from updates.spamassassin.org sought.rules.yerp.org FAIL @ dns query (NXDOMAIN); other channels resolve work fine.
On 15/02/2010 8:11 AM, Karsten Bräckelmann wrote: On Fri, 2010-02-12 at 09:35 -0800, Ben DJ wrote: I've installed, spamassassin -V SpamAssassin version 3.3.1-r905461 running on Perl version 5.10.0 Attempts to pull rules from updates.spamassassin.org, (1), sought.rules.yerp.org, (2), channels FAIL w/ dns: query fails: ... NXDOMAIN. (1) sa-update -D -v --channel updates.spamassassin.org --gpgkey 5244EC45 --gpghomedir /root/.gnupg ... Feb 12 09:24:37.457 [31615] dbg: dns: query failed: 1.3.3.updates.spamassassin.org = NXDOMAIN $ dig +short -t TXT 0.3.3.updates.spamassassin.org 903765 $ dig +short -t TXT 1.3.3.updates.spamassassin.org Hrm, yeah -- no version response for 3.3.1. :/ Yeah. That'll be corrected RSN. Daryl
Re: sa-update fails: daryl.dostech...404
On 13/02/2010 6:35 PM, jida...@jidanni.org wrote: $ sa-update http: GET http://daryl.dostech.ca/sa-update/asf/909775.tar.gz request failed: 404 Not Found There was an issue on the source host that has since been resolved. Daryl
Re: 90_2tld.cf / / 90_3tld.cf
On 01/02/2010 6:51 PM, Adam Katz wrote: Karsten Bräckelmann wrote: The DNS entries for this channel lack version noting as well: People shouldn't be just adding channels at whim. They should read the documentation. If they try to use a channel that's not going to work sa-update won't install the update. If they don't bother to check that it works right the first time... well, they're probably going to do something dumb eventually anyway. $ host -t txt 0.0.2.90_2tld.cf.sare.sa-update.dostech.net 0.2.90_2tld.cf.sare.sa-update.dostech.net descriptive text 200912211500 So it's apparently okay to use that channel for SA version 2.0.0... These rules won't work of course, but some of the other channels could be used for 2.xx, I suppose, if you hacked sa-update to work with 2.xx or wrote your own 2.xx version. I don't know why you'd want to anymore or why we're concerned that somebody might and that a particular ruleset won't work for them. This is easily solved by changing the wildcard entry in BIND (assuming you're using BIND), e.g. No, not really... 4.2.3.90_2tld.cf.sare.sa-update IN TXT 200912211500 5.2.3.90_2tld.cf.sare.sa-update IN TXT 200912211500 6.2.3.90_2tld.cf.sare.sa-update IN TXT 200912211500 *.3.3.90_2tld.cf.sare.sa-update IN TXT 200912211500 *.4.3.90_2tld.cf.sare.sa-update IN TXT 200912211500 ...that requires manually intervention in a currently completely automated process. I don't see the value add for adding in the time and delay of the manual intervention. Quite simply, don't add channels that don't work for your version of SA, or if you do, sa-update is not going to install them anyway. BTW, a much easier way to do this sort of stuff if we wanted to that would not require changes if, say, we released a 3.2.7, would be exclude, rather than include, versions (not tested, subject to typos): *.1.3.90_2tld.cf.sare.sa-update IN A 127.0.0.1 0.2.3.90_2tld.cf.sare.sa-update IN A 127.0.0.1 1.2.3.90_2tld.cf.sare.sa-update IN A 127.0.0.1 2.2.3.90_2tld.cf.sare.sa-update IN A 127.0.0.1 3.2.3.90_2tld.cf.sare.sa-update IN A 127.0.0.1 *.*.3.90_2tld.cf.sare.sa-update IN TXT 200912211500 Daryl
Re: Apache SpamAssassin 3.3.0 Press Release - Quotes Needed
On 18/01/2010 1:05 PM, Ted Mittelstaedt wrote: How About: As the per-seat costs for any available commercial spamfilter solution exceed the margin for a retail Internet service account, SpamAssassin is the only spamfilter solution usable by ISPs Nothing like the truth, eh? ;-) I'm sure we could use something like that if you believe it's accurate. I'd need a name and company to go along with it. Daryl
Re: Apache SpamAssassin 3.3.0 Press Release - Quotes Needed
We've delayed when we're going to do the press release so I'm still open to (and looking for) quotes for use in the press release. Please send quotes my way... it's a good way to get free publicity for your organization. Daryl On 17/01/2010 4:45 PM, Daryl C. W. O'Shea wrote: Hi All, I'm putting together a press release for our upcoming release of Apache SpamAssassin 3.3.0, our first major code release since the release of 3.2.0 in May 2007 and our first code release since the release of 3.2.5 in June 2008 (we've been doing periodic rule updates since then). I am currently looking for two quotes from quote-worth sources, AKA, people from large ISPs or companies, etc. The better known the organization is the better for us. :) If you're one of the above and would be willing to provide a quote for us to use in a widely distributed press release (PR for us and you!) please reply to me with such a quote ASAP (preferably by noon Monday). Quotes like SpamAssassin has the largest ROI of any software we use, SpamAssassin makes email usable, send Daryl money, etc, are possible ideas. Thanks! Daryl VP Apache, SpamAssassin
Re: is bayes enabled by default?
On 17/01/2010 4:05 PM, tonjg wrote: Herbert J. Skuhra wrote: You can set use_bayes and bayes_auto_learn to 1 in your local.cf. so if there is no 'use_bayes' entry in local.cf does that mean bayes is disabled by default? No, bayes is enabled by default provided that you have any required modules installed. You previously said you saw autolearn no presumably in your maillog. This by itself tells you that bayes is being used. autolearn no means that the message that was scanned did not have a score in the autolearn ranges (-0.1 or below and some higher spam value like 6.0 and above; I can't remember what the minimum spam value is to autolearn). Daryl
Apache SpamAssassin 3.3.0 Press Release - Quotes Needed
Hi All, I'm putting together a press release for our upcoming release of Apache SpamAssassin 3.3.0, our first major code release since the release of 3.2.0 in May 2007 and our first code release since the release of 3.2.5 in June 2008 (we've been doing periodic rule updates since then). I am currently looking for two quotes from quote-worth sources, AKA, people from large ISPs or companies, etc. The better known the organization is the better for us. :) If you're one of the above and would be willing to provide a quote for us to use in a widely distributed press release (PR for us and you!) please reply to me with such a quote ASAP (preferably by noon Monday). Quotes like SpamAssassin has the largest ROI of any software we use, SpamAssassin makes email usable, send Daryl money, etc, are possible ideas. Thanks! Daryl VP Apache, SpamAssassin
Re: spamd: respawning server - why?
On 15/01/2010 11:42 AM, Rosenbaum, Larry M. wrote: Yesterday one of our servers started having problems. I found the following messages in the syslog file: Jan 14 14:12:38 localhost spamd[20926]: spamd: respawning server at /usr/local/bin/spamd line 1080. Jan 14 14:12:38 localhost spamd[20927]: spamd: respawning server at /usr/local/bin/spamd line 1080. Jan 14 14:13:45 localhost spamd[21038]: spamd: respawning server at /usr/local/bin/spamd line 1080. Jan 14 14:13:45 localhost spamd[21056]: spamd: respawning server at /usr/local/bin/spamd line 1080. Jan 14 14:13:45 localhost spamd[21057]: spamd: respawning server at /usr/local/bin/spamd line 1080. Jan 14 15:17:46 localhost spamd[21726]: spamd: respawning server at /usr/local/bin/spamd line 1080. ..etc.. What causes this to happen? A reboot fixed the problem, but I want to make sure it doesn't happen again. SunOS ornl50 5.9 Generic_118558-39 sun4u sparc SUNW,Sun-Fire-V210 SpamAssassin Server version 3.2.5 running on Perl 5.8.8 with zlib support (Compress::Zlib 2.011) I think this is caused by some sort of race condition funkiness that happens in Perl on a heavily loaded systems. I also think that 3.3 may not be affected. I also think I could be completely mistaken. Daryl
Re: How to check if user is authenticated via Sendmail
On 13/01/2010 9:29 PM, Jean-Yves Avenard wrote: Hi Mail system is made of Sendmail as MTA - spamass-milter - spamd Legitimate users are using the sendmail server over TLS and first need to authenticate themselves before being able to post. Is there a way to have a particular score if the sender has succesfully authenticated ? There's already a rule that checks for (the opposite) of this... __LAST_UNTRUSTED_RELAY_NO_AUTH. If you invert it with a meta rule you'll get what you want... meta AUTHD_RELAY !__LAST_UNTRUSTED_RELAY_NO_AUTH describe AUTHD_RELAY Message submission was via an authenticated user score AUTHD_RELAY -10 Daryl
Re: [sa] Re: FH_DATE_PAST_20XX
On 04/01/2010 2:05 AM, Mathias Homann wrote: ... is a fix for that out through sa-update now? then why am i not getting it? my channels for sa-update: saupdates.openprotect.com updates.spamassassin.org 70_zmi_german.cf.zmi.sa-update.dostech.net any hints? saupdates.openprotect.com presumably still includes the old 00_FVGT_File001.cf that also contains the old version of the FH_DATE_PAST_20XX rule. Daryl
Re: Apache SpamAssassin Y2K10 Rule Bug - Update Your Rules Now!
On 02/01/2010 7:38 AM, Martin wrote: Ran sa-update twice and no new update available as yet! Perhaps you're system has already updated itself? Rule update version 895075 is the current version. Daryl
Re: Dostech Rules Updates Failing
I'm investigating why now. The root cause I know... that mirror blew a power supply last night, so I moved it to a new server in a hurry at midnight. Apparently I messed up the config somewhere. Anywho... it's now working. Not the way I would like it to, but how it wants to. Daryl On 02/01/2010 1:01 PM, Don O'Neil wrote: I noticed that my channels were not updating from the master list over at DOStech... so I decided to rename my rules folder to .old and re-run sa-update I get the spamassassin master cf files, but on every other entry I get something similar to this: http: request failed: 404 Not Found: !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title404 Not Found/title /headbody h1Not Found/h1 pThe requested URL /sa-update/sare/mangled.cf/MIRRORED.BY was not found on this server./p hr addressApache/2.2.6 (Fedora) Server at daryl.dostech.ca Port 80/address /body/html error: no mirror data available for channel mangled.cf.sare.sa-update.dostech.net channel: MIRRORED.BY contents were missing, channel failed Any idea why? I suppose I could download each file manually, but that is time consuming.
Apache SpamAssassin Y2K10 Rule Bug - Update Your Rules Now!
I've posted the following note on the Apache SpamAssassin website [1] about an issue with a rule that may cause wanted email to be classified as spam by SpamAssassin. If you're running SpamAssassin 3.2.x you are encouraged to update you rules (updates were released on sa-update around 1900 UTC Jan 1, 2010). Y2K10 Rule Bug - Update Your Rules Now! 2010-01-01: Versions of the FH_DATE_PAST_20XX [2] rule released with versions of Apache SpamAssassin 3.2.0 thru 3.2.5 will trigger on most mail with a Date header that includes the year 2010 or later. The rule will add a score of up to 3.6 towards the spam classification of all email. You should take corrective action immediately; there are two easy ways to correct the problem: 1) If your system is configured to use sa-update [3] run sa-update now. An update is available that will correct the rule. No further action is necessary (other than restarting spamd or any service that uses SpamAssassin directly). 2) Add score FH_DATE_PAST_20XX 0 without the quotes to the end of your local.cf file to disable the rule. If you require help updating your rules to correct this issue you are encouraged to ask for assistance on the Apache SpamAssassin Users' list. Users' mailing list info is here. [4] On behalf of the Apache SpamAssassin project I apologize for this error and the grief it may have caused you. Regards, Daryl C. W. O'Shea VP, Apache SpamAssassin [1] http://spamassassin.apache.org/ [2] http://wiki.apache.org/spamassassin/Rules/FH_DATE_PAST_20XX [3] http://wiki.apache.org/spamassassin/RuleUpdates [4] http://wiki.apache.org/spamassassin/MailingLists
Re: How can a plugin report a dynamic score to SpamAssassin 3.1.7?
On 19/12/2009 3:20 PM, Alban Deniz wrote: I would like to know if there's a way to report dynamic scores in SpamAssassin 3.1.7. I haven't been able to find info for this on the FAQ or on the FrontPage. If I recall correctly the only way to do it is to access the score hash of the $permsgstatus object directly. - in the rule definition assign any score (or don't) as long as you don't assign it zero the rule will run - during message processing modify the score hash directly for that rule... you might have to do this really late (in one of the last plugin calls)... I seem to remember the score not sticking if you did it too early Your best bet is to take a look at the AWL plugin. It assigns socres dynamically just as you'd like to do. The code in that plugin will work for you. Daryl
Re: Dear Santa
On 19/12/2009 11:23 AM, R-Elists wrote: i would encourage other SA team members to have a wish list and publish. A number of committers have have added Amazon wishlists to the CREDITS file included with the distribution. The most up-to-date version is available on our website [1] by clicking CREDITS [2] right off the top of the home page. Some of the newer committers have not yet added a wishlist. ummm i am confused though... there are projects out there like CentOS that are dealing with things and cannot accept donations right now that would go towards the project or team salaries... I think CentOS is accepting hardware and stuff like that. It's cash that they're currently not accepting, I believe, probably due to tax concerns (but I speculate). since SA is part of Apache Foundation, do you get paid or can you get paid or how does this all work? The only staff paid by the Apache Software Foundation (ASF) is 1 (or maybe 2 now) full time network administrator(s). Everyone else, including committers, PMC members, PMC chairs/Apache VPs (me), members (Justin, Theo, me, etc) and board members/VP/President, etc are not paid. AFAIK our in-house lawyer and even the main PR person volunteer their time. Many committers/etc that do stuff for the ASF work for companies that pay them to work on ASF software projects as a part of (or their entire) their job. As far as I know there is no-one involved with SpamAssassin right now that gets paid for their work. Except for perhaps, Warren Togami who I believe is employed by RedHat. I think even Warren donates a good bit of his own time though. The ASF gets revenue to pay the network administrator(s), for hardware, network infra, etc, solely from sponsorship. Info on that is here. [3] as awesome as SA is, i often wonder why the SA team isnt salaried or something to that effect. It's hard to find people willing to pay for what they can get free. The best a lot of open source contributors get is consulting work for custom integrations or what not. do i need to read the apache foundation docs somewhere? You're of course more than welcome to. Perhaps the best place to start is here [4] and here [5]. [1] http://spamassassin.apache.org/ [2] http://svn.apache.org/repos/asf/spamassassin/trunk/CREDITS [3] http://www.apache.org/foundation/sponsorship.html [4] http://www.apache.org/foundation/ [5] http://www.apache.org/foundation/how-it-works.html Regards, Daryl
Re: [sa] Re: Whitelists in SA
On 19/12/2009 5:51 PM, Charles Gregory wrote: On Fri, 18 Dec 2009, Warren Togami wrote: Why wait, when you do relatively simple things to help make it happen? http://wiki.apache.org/spamassassin/NightlyMassCheck We can more frequently update rules if more people participate in the nightly masschecks. The current documentation is a bit of a confusing mess unfortunately. More unfortunately, privacy concerns prevent me from building a useful corpus of ham. Sigh But otherwise such a good idea Can you not trust yourself to use your own ham? You don't need to provide us with your mail. You can scan your own mail locally on your own machine(s). Daryl
Re: habeas - tainted white list
On 18/12/2009 3:09 AM, LuKreme wrote: On 18-Dec-2009, at 00:24, Daryl C. W. O'Shea wrote: From the data we have from mass-checks we are erring a very small amount on the side of caution by not disabling the whitelists by default. I guess that the real issue that I have with the whole HABEAS thing is the magnitude of the default scores. −4 and −8 caused issues that would never have arisen had the defaults been −0.4 and −0.8. Or even −1 and −2. The scores have been decreased in the upcoming proposed release ruleset. Not to -0.4 and -0.8, but they're no longer -4 and -8. I'm sure that we'll get to (it's been -4 and -8 for years, we're not in a huge rush to do anything now) decreasing them in the 3.2.x sa-update ruleset also once we've firmed up an opinion of what they should be going forward. Please stop beating the -4 and -8 horse. We agree. Daryl
Re: habeas - tainted white list
On 18/12/2009 3:32 AM, Christian Brel wrote: On Fri, 18 Dec 2009 02:24:45 -0500 Daryl C. W. O'Shea spamassas...@dostech.ca wrote: Reputation type rules (such as DNSWLs) are probably the only (or certainly one of the very few) types of rules that you can weight heavily negatively. This is due to the nature of an open source product (or even given enough time to game a closed source product). Content based rules are very often easily beaten. If we could have a body rule that looks for this mail is good and assign a -20 score we would. Clearly that would not work. With the kindest of respect, I have to disagree with this. How the following text supports your disagreement I don't know. But I'll agree to disagree. If for argument sake five blocklists with no business {or other} relationship with Spamassassin flag an IP for spamming, then it's a good bet that they are correct and any perceived negativity is earned. How this impacts on Spamassassin is dependent on the scores set - which comes back to you and the developers - so the arguement not only has not legs, it has no arms either. Consider that blocklists are often universally trusted to be sat on the SMTP connection level ahead of Spamassassin, whereas the suggestion of doing that with Habeas as a whitelist would be pure comedy gold :-) Again, find me a commercial white list that wants to be included in SpamAssassin on a free for use basis and I'll pay for the phone call to talk to them. Seriously. I shake my head in utter disbelief at this comment, and I'm sure that Apache Sponsor Barracuda AKA 'emailreg.org' will have just pricked up their ears. So what if they do. We'll test it and judge it on stats (not random FPs or stories about friends who had a bad employment experience). If it works good it works good, if it doesn't we won't use it and they'll understand. I'm pretty sure I brought up the SA developers' *long* standing principle of being as safe as possible for the majority of users by erring on the side of missing spam rather than tagging ham while still putting out a useful product. It's a fair statement that in using an Antispam 'product' that blocks nothing and only assigns a score, the issue of having that score reduced in favour of a known commercial bulk mailer is undesirable. Just so I'm clear, are you equating all commercial bulk mail to spam? I would disagree if that is the case. You would likely disagree with me and then I would agree to disagree. The statistics may have some interest but can be applied to show there is little cause to keep the rule at all if you so wish to bend it the other way. I've already explained my rationale for keeping it. It's a small trade off to cover the unknown. Our ham corpus is not that large. The key is this: I would *never* have known what HABEAS was if I had not seen the name in low scoring spam and asked why. It does not look like I'm the first to ask either. You know, it's funny you mention it. I've found out about some blacklists, even ones now included in SpamAssassin, only because they caught one-to-one personal emails (that no-one could argue were commercial) of random people that I know (and who have inquired about the block). From the data we have from mass-checks we are erring a very small amount on the side of caution by not disabling the whitelists by default. It's a big fat favourable score to one organisation for 'erring a very small amount on the side of caution' don't you think? -4/-8 given the average 419 spam only scores 4-8 points. Again, we agree. We've changed it in the upcomming release and will surely backport it when we're done getting 3.3 out. It's been like this for years, I don't think we need to jump like crazy to change the 3.2 updates before we've even settled on a final score. Forgive me but are Return Path pulling someones strings here as Puppet Masters? I really wish they would. I sure could use the money. In 6 or so years of SA development I've netted me a total of... a $30 book (Thanks Dan!). If I were to sell that book I'd be a small way towards covering this month's costs for the sa-update mirrors I run out of my own pocket. If everything is open and transparent give the default user the option to *enable* them and score them zero, unless - of course - there is some kind of logical reason for these mad scoring spam assisting rules that favour Return Path in the default set up? I stand firm on my opinion that our principle of safe for most users is the logical reason for including DNSWLs. If you like you can transparently disable the DNSWLs. Daryl
Re: habeas - tainted white list
On 18/12/2009 2:58 PM, John Hardin wrote: On Fri, 18 Dec 2009, Jason Bertoch wrote: John Hardin wrote: On Fri, 18 Dec 2009, Jason Bertoch wrote: Charles Gregory wrote: If a spammer gets an IP blacklisted, at the least DNSWL and HABEAS should make note of this and remove the IP Or we could have the whitelist rules in a meta such that they only hit when a blacklist rule doesn't, if this is a common enough problem. It might also allow people to get past the high negative score for the whitelists. That sounds like a good idea to me... Is there a way to pull stats on this concept from mass check results or would a new rule need to be checked in by a dev? The latter. I can do that tonight or tomorrow. If you do it tonight it'll make tonight's --net enabled mass-check, otherwise it'll be another week before we have results. Daryl
Re: [sa] Re: Whitelists in SA
On 18/12/2009 5:13 PM, Warren Togami wrote: On 12/18/2009 04:56 PM, Charles Gregory wrote: On Fri, 18 Dec 2009, John Hardin wrote: We hope to get rule scoring and publication much more automated - i.e., if a rule in the sandbox works well based on the automated masschecks, it would be automatically scored and published via sa-update. Music to my ears. I will wait (semi-)patiently. Thanks. - C Why wait, when you do relatively simple things to help make it happen? http://wiki.apache.org/spamassassin/NightlyMassCheck We can more frequently update rules if more people participate in the nightly masschecks. The current documentation is a bit of a confusing mess unfortunately. Exactly! We have code to do this now. But I'm positive that we don't have a large and diverse enough ham corpus (on a daily basis, not the big turn out for the legacy re-score mass-checks) to trust it. Contributors are always welcome! Daryl
Re: [sa] Re: habeas - tainted white list
On 18/12/2009 4:46 PM, Charles Gregory wrote: On Fri, 18 Dec 2009, jdow wrote: I suppose it's not a whole lot of bother to change the 3.2 scores. But, people who feel they have been bitten with a HABEAS score have probably already overridden them. Again, I make a note that my concern is for the thousands who install a 'pre-canned' Spamassassin install, with a wrapper to handle what happens to the messages, etc, etc. If you feel a slight chill at the notion of people operating mail servers with so little knowledge, I'm right there with you, but I *was* one of these people a few years ago. Stumbling and learning. Trial by fire. Fun way to learn. :) Interestingly this is one of the reasons why we err on the side of not-tagging mail. Daryl
Re: habeas - tainted white list
On 18/12/2009 8:35 AM, Per Jessen wrote: Daryl C. W. O'Shea wrote: If we had more mass-check data from a wider number of mail recipients maybe it would change things, statistically, maybe it wouldn't. New mass-check contributors are always welcome. They take very little effort to manage once you've set it up (I ignore mine for years at a time). Is there a good howto for setting this up? Other than a clean corpus, it doesn't take much more effort: http://wiki.apache.org/spamassassin/NightlyMassCheck Daryl
Re: habeas - tainted white list
On 18/12/2009 2:44 PM, Rob McEwen wrote: R-Elists wrote: here is a chance for possible help in more areas than just this specific ruleset issue... i asked Rob some time ago if he could write a script that would check logs and report if a certain rule was effective or not by itself vrs if other rules hit with it and maybe that rule was not needed or could be lowered etc Well it doesn't report to alert people that a rule may not make much of a difference in the scheme of things, you can infer the information from ruleqa's score map output. Daryl
Re: sa-update 403 forbidden
On 17/12/2009 1:00 PM, jida...@jidanni.org wrote: Sometimes sa-update works, sometimes one gets http: GET http://daryl.dostech.ca/sa-update/asf/891585.tar.gz request failed: 403 Forbidden: You don't have permission to access /sa-update/asf/891585.tar.gz on this server. Apache/2.2.3 (Fedora) Server at daryl.dostech.ca Port 80 I recommend that http://daryl.dostech.ca/ have an email address for contact shown, so I can tell him directly the next time it happens. Fixed. Sorry. I missed perms on a symlink target when I moved things to a new server early early this morning. Daryl
Re: sa-update 403 forbidden
On 17/12/2009 1:36 PM, jida...@jidanni.org wrote: OK, thanks. I'd put some contact info on top of http://daryl.dostech.ca/, above This blog is currently in a static state pending an upgrade of WordPress, in case something breaks next time. I used to have that and I got about 100 messages a day asking for help setting up sa-update. Perhaps I'll try it again when I fix the website. Daryl
Re: sa-update 403 forbidden
On 17/12/2009 3:31 PM, Kai Schaetzl wrote: Daryl C. W. O'Shea wrote on Thu, 17 Dec 2009 13:28:48 -0500: early this morning. BTW, I was already getting this temporarily when trying to run the first sa-update for SA 3.3.0 beta1 a few days ago. Could you tell me, off-list, the public facing IP that this was happening to, the channel you were using, and approximately when this happened? I could potentially expect time-outs on the old host, but not 403s. Checking the logs I only see 403s for the 5 banned-for-abuse IPs (the list hasn't changed since Mar 2 2008). Daryl
Re: habeas - tainted white list
On 17/12/2009 2:21 PM, R-Elists wrote: ...based upon Togami's data processing, the biggest thing that comes to mind is this... *IF* these or similar rulesets are not truly not making a difference one way or the other, then why are they there? why do we really need them or the other similar rulesets? We can't and aren't really sure that they don't make a difference. Our ham corpus isn't really all that big. For the most part it's probably made up largely of types of mail that Return-Path wouldn't be dealing with on their lists. Clearly it's not containing much mail that Return-Path deals with. The corpus isn't big enough to say that most people (and most people aren't technical people, rather are just common Internet users) won't get mail that Return-Path doesn't deal with though. ...and why should any rules such as these have a default SA installation value other than zero and then educate admins in the documentation what to do in regards to enabling and suggested scoring? SA is designed to be safe for most users. Most as in general Internet users and safe as in it would rather not tag mail than tag it. IMO whitelists have a place in SA, even whitelists that we cannot determine due to a small corpus size whether or not they're actually making a difference... at least when based on our corpus there's no evidence that they're statistically and drastically causing a significant amount of spam to pass that otherwise wouldn't. We treat blacklists the same way. We include blacklists in the default install to stop spam. We include whitelists because of our core principle of being safe for most users in general. I think the current score changes are a good step. Another step may be including in the release notes that there are whitelists and that people may want to disable them by score whatever rules (a list of them) 0. BTW, I will not waste any cycles defending individual instances on spam getting by because of whitelists for the exact same reason that I do not do the same for ham that gets caught by whitelists. Daryl
Re: habeas - tainted white list
On 18/12/2009 1:11 AM, Christian Brel wrote: On Thu, 17 Dec 2009 15:51:35 -0500 Daryl C. W. O'Shea spamassas...@dostech.ca wrote: I think the current score changes are a good step. Another step may be including in the release notes that there are whitelists and that people may want to disable them by score whatever rules (a list of them) 0. Why not default them to zero and include in the release notes/man that there are whitelists and they can *enable* them? I'm pretty sure I brought up the SA developers' *long* standing principle of being as safe as possible for the majority of users by erring on the side of missing spam rather than tagging ham while still putting out a useful product. From the data we have from mass-checks we are erring a very small amount on the side of caution by not disabling the whitelists by default. If we had more mass-check data from a wider number of mail recipients maybe it would change things, statistically, maybe it wouldn't. New mass-check contributors are always welcome. They take very little effort to manage once you've set it up (I ignore mine for years at a time). Daryl
Re: habeas - tainted white list
On 18/12/2009 1:22 AM, Christian Brel wrote: The issues here are clear: *The inclusion of white list that pretty much favours a single commercial mail organisation. At present, to my knowledge Return Path is the only organization which has approached us for inclusion in SpamAssassin. We would more than welcome other commercial vendors provided that their lists are free for use by the majority of our users (like any blacklists we include) and that they provide reasonable good results (the same criteria for blacklists but s/spam/ham/). *The default score applied to that listed senders being hideously favourable(are there any other rules with such mad negative scores in the mix by default?) Reputation type rules (such as DNSWLs) are probably the only (or certainly one of the very few) types of rules that you can weight heavily negatively. This is due to the nature of an open source product (or even given enough time to game a closed source product). Content based rules are very often easily beaten. If we could have a body rule that looks for this mail is good and assign a -20 score we would. Clearly that would not work. I think that the new scores are inline with what is needed to correct the high scores that some of the wanted commercial crap currently scores at. I see stuff at upwards of 8 or more regularly. *The lack of any other commercial white lists from the competitors of Return Path being used in the product. Again, find me a commercial white list that wants to be included in SpamAssassin on a free for use basis and I'll pay for the phone call to talk to them. Seriously. I'm interested but equally suspicious as to why a small set of people involved in this anti-spam product are keen to try and move on from this and sweep it under the carpet. Could this be AssassinGate??? Lol. You do realize that there's only a small set of active developers, right? Daryl
Re: habeas - tainted white list
On 18/12/2009 2:13 AM, Christian Brel wrote: On he subject of Spammy whitelists... * -1.0 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low * trust * [212.159.7.100 listed in list.dnswl.org] Yet the same IP is on and off SORBS and part of an ongoing spam problem. Perhaps this can be reviewed and given a zero score by default? Forgot individual occurrences of FPs or FNs. They're statistically meaningless. In last week's net-enabled mass-check the -1.0 score for RCVD_IN_DNSWL_LOW RBL caused only 10 of 148025 (0.00675%) spams to fall below 5.0 (and that could have happened with as small as a -0.1 score, I don't have data, so at approx -0.5 the same thing could have happened). On the other hand, it moved 101 of 199558 (0.05061%) hams below the 5.0 mark. That's an S/O of 0.035 which is pretty good (we wouldn't be questioning a spam hitting rule with an S/O of 0.965, at least not at a score of 1). http://ruleqa.spamassassin.org/20091212-r889898-n/RCVD_IN_DNSWL_LOW/detail Again, to anyone, if our statistics are way off from the reality our users are seeing we need more mass-check contributors. Daryl
Note from SA PMC: Removal of an abusive list member
Dear List Members, As you are all aware there has been a lot of name calling going on lately and, in my opinion, at least one instance of what could be considered a threat. This is not acceptable behaviour in our community. What you are probably not aware of is that there has also been a number of instances of a certain list member sending abusive emails to Apache SpamAssassin project members and members of our mailing list community. This is not acceptable and will not be tolerated. As such the member has had their mailing list posting privileges revoked. They are no longer a welcomed member of our community. Please be aware that we are by no means singling out this member. We will not accept, nor tolerate, similar or other abuse towards us or our community by anyone at any time. We do, however, encourage rational, productive and civilized debate on our mailing lists. If you have been a target of any on- or off-list abuse please make the Apache SpamAssassin PMC aware of it. We can be reached at priv...@spamassassin.apache.org. The private@ list is moderated so it may take a while for your message to make it through. If you have been a target of any threats please make the appropriate authorities aware of the situation if you deem it appropriate to do so. Best Regards, Daryl C. W. O'Shea VP Apache, Chair Apache SpamAssassin (on behalf of the Apache SpamAssassin PMC)
Re: Note from SA PMC: Removal of an abusive list member
...if you feel the need to reply, please reply to this email. Not the original one in the thread. There is no need to copy responses to bo...@apache.org and priv...@sa. Thanks! Daryl On 08/12/2009 11:01 PM, Daryl C. W. O'Shea wrote: Dear List Members, As you are all aware there has been a lot of name calling going on lately and, in my opinion, at least one instance of what could be considered a threat. This is not acceptable behaviour in our community. What you are probably not aware of is that there has also been a number of instances of a certain list member sending abusive emails to Apache SpamAssassin project members and members of our mailing list community. This is not acceptable and will not be tolerated. As such the member has had their mailing list posting privileges revoked. They are no longer a welcomed member of our community. Please be aware that we are by no means singling out this member. We will not accept, nor tolerate, similar or other abuse towards us or our community by anyone at any time. We do, however, encourage rational, productive and civilized debate on our mailing lists. If you have been a target of any on- or off-list abuse please make the Apache SpamAssassin PMC aware of it. We can be reached at priv...@spamassassin.apache.org. The private@ list is moderated so it may take a while for your message to make it through. If you have been a target of any threats please make the appropriate authorities aware of the situation if you deem it appropriate to do so. Best Regards, Daryl C. W. O'Shea VP Apache, Chair Apache SpamAssassin (on behalf of the Apache SpamAssassin PMC)
Re: NOTICE: SpamAssassin 3.3.0 mass-checks now starting
On 19/09/2009 3:33 PM, Warren Togami wrote: On 09/16/2009 11:47 AM, Warren Togami wrote: On 09/04/2009 10:51 AM, Justin Mason wrote: OK, if you're planning to send us mass-check logs for the 3.3.0 rescoring, now's the time! http://wiki.apache.org/spamassassin/RescoreDetails has all the details. cheers! --j. -rw-r--r-- 174911850 2009/09/16 01:03:40 ham-bayes-net-hege.log -rw-r--r-- 36909774 2009/09/11 20:39:47 ham-bayes-net-mmartinec.log -rw-r--r-- 3179193 2009/09/14 23:16:15 ham-bayes-net-wt-en1.log -rw-r--r-- 1591286 2009/09/14 23:24:19 ham-bayes-net-wt-en2.log -rw-r--r-- 5687443 2009/09/14 23:53:41 ham-bayes-net-wt-en3.log -rw-r--r-- 354 2009/09/14 23:56:00 ham-bayes-net-wt-en4.log -rw-r--r-- 575780 2009/09/14 22:13:01 ham-bayes-net-wt-jp1.log -rw-r--r-- 2139873 2009/09/14 22:23:07 ham-bayes-net-wt-jp2.log -rw-r--r-- 40760753 2009/09/16 01:04:24 spam-bayes-net-hege.log -rw-r--r-- 35666309 2009/09/11 20:52:01 spam-bayes-net-mmartinec.log -rw-r--r-- 4341537 2009/09/14 23:16:16 spam-bayes-net-wt-en1.log -rw-r--r-- 1576 2009/09/14 23:24:20 spam-bayes-net-wt-en2.log -rw-r--r-- 310 2009/09/14 23:53:42 spam-bayes-net-wt-en3.log -rw-r--r-- 494742 2009/09/14 23:56:00 spam-bayes-net-wt-en4.log -rw-r--r-- 79101 2009/09/14 22:13:02 spam-bayes-net-wt-jp1.log -rw-r--r-- 311 2009/09/14 22:23:08 spam-bayes-net-wt-jp2.log One day from the deadline for spamassassin-3.3.0 scoring and we currently have only three people reporting. The deadline has been extended until Monday, September 21st. But at this moment the number of logs reporting for the rescore masscheck has not changed. Are the uploaded corpa being processed? They'll all be processed together when its declared that time to submit has expired. Who else is still working on their own corpus? Due to unreleated to SA memory leaks in haldaemon on my machines, and me not noticing and instead fighting with Perl to build modules, I'm just starting my mass-check now. I imagine that it will be sometime Tuesday after work before I have results submitted. Daryl
Re: NOTICE: SpamAssassin 3.3.0 mass-checks now starting
On 16/09/2009 4:03 PM, Justin Mason wrote: Who is running a mass-check that's still in progress? (fwiw, I am ;) I had a NAS failure over the weekend that consumed the time I was planning on getting my systems right up-to-date for the mass-check. I now hope to do this Thursday/Friday. I should be able to scan my million or so messages in a day on my cluster. Daryl
Re: daryl.dostech.ca offline?
Hi John, Yeah, I've had some issues with that host on and off lately. I thought that the sa-update infra was redundant, but it looks like I forgot to add the second MIRRORED.BY file location to DNS. Although, I seem to recall that if you already have the MIRRORED.BY file it will continue without downloading it again. In which case you should be able to get updates from updates.sa-update.com. Regards, Daryl On 11/04/2009 12:54 PM, John Hardin wrote: Daryl: Is the SARE sa-update repository offline for some reason? I get !H from home and from my hosted server... traceroute to daryl.dostech.ca (69.61.78.188), 30 hops max, 38 byte packets ... 6 p-atlix.globalcompass.com (198.32.132.13) 7.550 ms 3.403 ms 3.000 ms 7 atl1-cust1.102.globalcompass.com (69.61.56.194) 9.987 ms 2.690 ms 2.952 ms 8 66.154.81.30 (66.154.81.30) 5.067 ms 2.608 ms 3.052 ms 9 * * 66.154.81.30 (66.154.81.30) 951.236 ms !H 10 * * * 11 * * * 12 66.154.81.30 (66.154.81.30) 312.637 ms !H
Re: Using Mail::SpamAssassin::Client
On 02/04/2009 10:01 AM, Justin Mason wrote: we should probably remove that warning. it's been stable (at least in the sense of the code not changing) for a long time now! +1 -- I've been using M::SA::Client on my clusters (processing many millions of messages a day) for more than 4 years without a single issue. I also use it in the check_spamd nagios plugin which I have doing about 100,000 checks a day without any issues. Daryl
Re: does whitelist_from_spf match SPF_HELO_PASS?
SPF_HELO_PASS is NOT considered by whitelist_from_spf. Daryl
ApacheCon Europe 2009: Early Bird Deadline Extended until 13th of February
Here's some great news for everyone who's thinking of traveling to Amsterdam for this year's ApacheCon Europe. The Early Bird deadline has been extended to Friday, February 13th - and remember, there is a discount of 150 Euro on registration for anyone staying at the Mövenpick Hotel. Register at http://www.eu.apachecon.com. ApacheCon is a week of open source goodness straight from the source of The Apache Software Foundation: - More than 60 1-Hour Sessions on System Administration, Development, Data Mining and Search Technologies, Enterprise Web Services, SOA, and Cloud Technologies, Open Source Business and Community, and more - Over a dozen Training Workshops from industry experts (see below) - World-class Keynotes and vendor Expo - Lightning Talks and Birds-of-a-Feather sessions - New this year: Geeks for Geeks Track, BarCampApache, and Hackathon! ApacheCon Europe 2009 features 2-day, 1-day, and half-day Training Workshops on the following topics: Data Mining and Search Technologies --- - Lucene Boot Camp (Grant Ingersoll) - Solr Boot Camp (Erik Hatcher) The Next Generation of Web Data Storage --- - Building Standalone CouchDB Applications (J. Chris Anderson) - High Performance CouchDB (J. Chris Anderson) Cloud and Distributed Computing Technologies - Hadoop Tools and Tricks for Data Processing Pipelines (Christophe Bisciglia and Aaron Kimball) System Administration - - Apache HTTP Server - Nuts to Bolts (Jim Jagielski) - Everything Tomcat - Administering, Tuning, Troubleshooting and Developing (Mark Thomas) Developing State-of-the-Art Web Applications - A Day of REST (J Aaron Farr) - Apache CXF - Developing and Deploying Open Source SOA Endpoints (Adrian Trenaman) - Ajax on Struts 2: How a Second Generation Web Application Framework Meets the Demands of RIA (Chad Michael Davis) - Behavior-Driving Your Apache Wicket Application: Making the Most of Webdriver and JDave-Wicket (Timo Rantalaiho) Building and Managing Java-based Projects - - Maven Workshop (Zeger Hendrikse) Professional Media Trainings - Media Analyst Training (Sally Khudairi) - Intermediate Media Analyst Training (Sally Khudairi) We hope to see you on the 23-27 March at the Mövenpick Hotel in Amsterdam! Visit http://www.eu.apachecon.com for further information and registration details. Interested in sponsoring the ApacheCon conferences? Please contact Delia Frees at de...@apachecon.com for further information. -- ApacheCon Europe 2009 Team planners-2009-eu at apachecon.com http://www.eu.apachecon.com
Re: sa-update damages existing SA installation
On 22/12/2008 12:11 PM, Rosenbaum, Larry M. wrote: From: Daryl C. W. O'Shea [mailto:spamassas...@dostech.ca] Sent: Saturday, December 20, 2008 2:48 AM On 19/12/2008 5:40 AM, Marcin Krol wrote: Daryl C. W. O'Shea wrote: do it all at once. See my SARE sa-update page for details: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Are SARE rules still being updated a bit at least / are they still working? The only one really being updated is 90_2tld.cf: What do I need to put in my sa-update channel file to get updates for 90_2tld.cf? (I can't get to the howto web page above.) Should be fine now... had a little load issue there for a while. Daryl
Re: sa-update damages existing SA installation
On 23/12/2008 11:18 AM, Mike Bird wrote: Karsten Bräckelmann-2 wrote: Daily is fine, cause it means a single DNS request only most of the time. Updates of the stock rules however usually are less frequent than once a week. DNS seems to have been reporting 709395 as current for about eight weeks now, and a lot of very obvious spam is getting through. Have the stock rule updates ceased? Rule updates are largely dependent on both the amount of time the core developers have and the amount of spam they are receiving. I for one seem to have been largely whitelisted as of late and probably wouldn't have the time to push updates anyway. Justin's sought rules work good, so try those if you're not already. If you've got any good rules to contribute send them our way and we'll try them out for you. Daryl
Re: sa-update damages existing SA installation
On 19/12/2008 5:40 AM, Marcin Krol wrote: Daryl C. W. O'Shea wrote: do it all at once. See my SARE sa-update page for details: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Are SARE rules still being updated a bit at least / are they still working? The only one really being updated is 90_2tld.cf: [...@wally channels]$ pwd ; ls -l | grep -v 2006 /home/dos/sare-sa-updates/channels total 428 drwxr-xr-x 2 dos dos 4096 Apr 6 2007 00_FVGT_File001.cf drwxrwxr-x 2 dos dos 4096 Nov 11 2007 70_sare_adult.cf drwxrwxr-x 2 dos dos 4096 Oct 27 07:14 70_sare_header.cf drwxrwxr-x 2 dos dos 4096 Oct 27 07:14 70_sare_header3.cf drwxrwxr-x 2 dos dos 4096 Jun 5 2007 70_sare_obfu.cf drwxrwxr-x 2 dos dos 4096 Jun 4 2007 70_sare_obfu0.cf drwxrwxr-x 2 dos dos 4096 Jun 4 2007 70_sare_obfu1.cf drwxrwxr-x 2 dos dos 4096 Jan 15 2007 70_sare_spoof.cf drwxrwxr-x 2 dos dos 4096 Aug 18 2007 70_sare_stocks.cf drwxrwxr-x 2 dos dos 16384 Jan 18 2008 70_sc_top200.cf drwxrwxr-x 2 dos dos 4096 May 21 2007 72_sare_bml_post25x.cf drwxrwxr-x 2 dos dos 4096 Jan 2 2007 88_FVGT_headers.cf drwxr-xr-x 2 dos dos 4096 Dec 13 11:14 90_2tld.cf -rw-r--r-- 1 dos dos 1687 Nov 22 2007 sare-sa-update-howto.txt [...@wally channels]$ Daryl
Re: sa-update damages existing SA installation
On 18/12/2008 1:00 PM, Marcin Krol wrote: Jeff Mincy wrote: Try doing sa-update of the normal rules before you use sa-update of additional rule sets. Hmm, how do I do that? sa-update -–channel updates.spamassassin.org ? Sure, or just run sa-update without a channel parameter or so create a channel file (or use --channel on the command line more than once) and do it all at once. See my SARE sa-update page for details: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Is there a way to *sensibly* combine JM's rules with those from Debian package? Is there some reason you don't want to use the updated rules from the SpamAssassin project itself? They're essentially from the same people with a tiny bit more QA than Justin's sought rules. Sure, I can do sa-update ... and then move those files elsewhere, rename them etc. But is that a right thing to do? IMO, it's not. Daryl
Re: do TEST2 only if TEST1 was positive
On 17/12/2008 8:26 PM, jida...@jidanni.org wrote: Sure we can do meta META0 TEST1 TEST2 but say TEST2 is expensive, and we only want it to be run if TEST1 is positive. I suppose SpamAssassin's whole train of thought has no ifs ands or buts, other than a method of quitting early, but that not what I want to do. I suppose branching is only possible on the procmail level. To achieve this you can either write yourself a custom Check plugin or write a plugin to take are of alongside the normal Check plugin. Just be sure that however you implement it (lots of ways to do it) that not running the check and then deciding to do it later really is worth the trade off vs just doing it in the first place... ie if you're concerned about a regular regex check just do it, if it's some sort of plugin you're already set to have the plugin run late and decide if it should run or not. Daryl
Re: Inconsistent RBL checks
On 08/12/2008 7:09 PM, James Grant wrote: Hi all, I've run into a weird situation where spamassassin will (seemingly randomly) only do certain RBL checks. The following are all the same spam message (1.txt), executed ~30 seconds apart: $ spamc -y 1.txt AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RDNS_DYNAMIC,URI_HEX $ spamc -y 1.txt AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,URI_HEX $ spamc -y 1.txt AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RDNS_DYNAMIC,URI_HEX I've done it with spamd in debug mode and there's never any warnings or errors about it not doing certain checks, it seems to just leave them out. Any thoughts on why this might happen? Assuming the results were obtained in that order, my first guess would be an overloaded DNS recursive server and/or a congested Internet connection. What's the spamd DNS related timing debug output say? What are you using for DNS service for your spamd machine? Daryl
Re: installing sanesecurity
On 03/12/2008 9:06 PM, Karsten Bräckelmann wrote: Darly posted a very similar rule to this a while ago, triggering on the strange cid- prefix in the live spaces URI. You can use that just as well. Thanks I will give that rule a shot and check out the earlier post by Darly. Whoops. :) Daryl C. W. O'Shea I mean... Sorry Daryl. Would that be ok as a pet-name? ;) Sorry, a high school science teacher of mine (Phil Stoesser... Physics with Phil) beat you to that one a long time ago. Daryl
Re: IPv6 only sa-update channels?
On 28/11/2008 10:11 PM, George Fong wrote: I suspect I have missed something simple but when I do sa-update --debug it can't find spamassassin.apache.org for the updates. I am guessing that this server only lives in Ipv4 Land? Correct. If this is the case, is there an IPv6 repository that can be reached? There are no IPv6 repositories that I am aware of. If there's enough interest in one, I'd be happy to look into setting an official one up. As an aside, I'd be interested to know how much, if any, spam you get to your IPv6 only server. I had one for a short while a number or years ago and didn't get any mail at all. Daryl
[Announce] Call For Papers opens for ApacheCon US 2009
If you have only 30 seconds to read this; Join us in celebrating the ASF's 10th Anniversary at ApacheCon! The Call for Papers is now open for ApacheCon US 2009, taking place 2-6 November in Oakland, California. Proposals are being accepted at http://us.apachecon.com/c/acus2009/cfp/ and can be revised at anytime until the submissions closing deadline of 28 February 2009. In addition, sponsorship opportunities for both ApacheCon EU 2009/Amsterdam and ApacheCon US 2009/Oakland are available. Please contact Delia Frees at [EMAIL PROTECTED] for further information. Please, read on... *** ApacheCon Celebrates the ASF's 10th Anniversary in Oakland, California, 2-6 November 2009 Call for Papers Opens for ApacheCon US 2009 The Apache Software Foundation (ASF) invites submissions to its official user and developer conference, taking place 2-6 November 2009 at the Oakland Convention Center and Marriott Hotel. ApacheCon serves as a forum for showcasing the ASF's latest projects, members, and community initiatives. Offering unparalleled educational opportunities, ApacheCon's presentations, hands-on trainings, and sessions address key technology, development, business/community, and licensing issues in Open Source. The wide range of activities offered at ApacheCon promotes the exchange of ideas amongst ASF Members, committers, innovators, developers, vendors, and users interested in the future of Open Source technology. The conference program includes peer-reviewed sessions, trainings/workshops, and select invited keynote presentations and speakers. Conference Themes and Topics Building on ten years of success, ApacheCon returns to the Bay Area for the 10th anniversary of the Apache Software Foundation. Comprising some of the most active and recognized developers in the Open Source community, ApacheCon provides an influential platform for dialogue between Open Source developers and users, traversing a wide range of ideas, expertise, and personalities. ApacheCon welcomes submissions across many fields, geographic locations, and areas of development. The breadth of the Apache community lends itself to conference content that is somewhat loosely-structured, with common themes of interest addressing groundbreaking technologies and emerging trends, best practices (from development to deployment), case studies and lessons learned (tips, tools, and tricks). In addition, ApacheCon will continue to offer its highly popular, two-day intensive trainings; certifications of completion will be distributed to those who fulfill all the training requirements. Topics appropriate for submission are manifold, and may include but are not restricted to: Apache HTTP server (installation, configuration, migration, and more); ASF-wide projects (including Lucene, Hadoop, Jackrabbit, and Maven); Scripting languages and dynamic content (such as Java, Perl, Python, Ruby, XSL, and PHP); Security and e-commerce (performance tuning, load balancing and high availability); New technologies (including broader initiatives such as Web Services and Web 2.0); ASF-Incubated projects (such as Sling, UIMA, and Shindig); and Business/Community issues (Open Source driven business models, open development, enterprise adoption, and more). Submission Guidelines Submissions must include; – Session title - Speaker name - Speaker biography - Session description - Format and duration - Audience expertise level Full details are available online on the CFP page at [WWW] http://us.apachecon.com/c/acus2009/cfp/ Types of Presentations; - Trainings/Workshops - General Sessions - Case Studies/Industry Profiles - Corporate Showcases Demonstrations - Fast Feather (short) sessions - Birds of a Feather discussions - Invited Keynotes/Panels/Speakers Pre-Conference Trainings/Workshops Held on the first two days of the conference (2-3 November 2009), ApacheCon trainings are available at a registration fee beyond the regular conference fee. Proposals may be submitted for half-day (3 hours), full-day (6 hours), or two-day (12 hours) training sessions. These proposed tutorials should be aimed at providing in-depth, hands-on development experience or related continuing education. Training submissions are welcome at beginner, intermediate, and expert levels. General Sessions include presentations on practical development applications, insight into high-interest projects, best practices and key advances, overcoming implementation challenges, and industry innovations. Especially welcome are submissions that extend participants' understanding the role of ASF projects and their influence on the Open Source community at large. General Sessions are scheduled for 50 minutes and are accessible to all conference delegates. Case Study/Industry Profile Practitioners are invited to submit presentations that focus on how implementing particular ASF technologies led to improved products/solutions, service offerings, changes in work practices, among other successes. Proposals
[Fwd: [Urgent] Please help promote ApacheCon video streaming!]
Original Message Subject: [Urgent] Please help promote ApacheCon video streaming! Date: Tue, 4 Nov 2008 10:27:25 -0600 From: Lars Eilebrecht [EMAIL PROTECTED] Organization: The Apache Software Foundation To: [EMAIL PROTECTED] Hi, please help promote the ApacheCon live video streaming by forwarding the email below to your PMC user and dev mailing lists, ASAP! Thank you Lars Eilebrecht - Subject: ApacheCon live video streaming available; keynotes and Apache 101 are free Can't make ApacheCon this week in New Orleans? You can still watch all the keynotes, Apache 101 sessions, and system administration track in live video streams: http://streaming.linux-magazin.de/en/program_apacheconus08.htm?ann Keynotes and the Apache 101 lunchtime sessions are free; the full sysadmin track, including httpd performance, security, and server stack administration talks are available for a fee. Keynotes include: - David Recordon, Six Apart (Wednesday 09:30) Learning from Apache to create Open Specifications - Shahani Markus Weerawarana, Ph.D. (Thursday 11:30) Standing on the Shoulders of Giants - Sam Ramji, Microsoft (Friday 11:30) struct.new(future, :open, :microsoft) Reminder: New Orleans is CST or UTC/GMT -6 hours. Advance notice: ApacheCon EU 2009 returns to Amsterdam, 23-27 March. We had a great response to our CFP and look forward to announcing the schedule in the next month. --- -- Lars Eilebrecht - V.P., Conference Planning [EMAIL PROTECTED] - http://www.us.apachecon.com
Re: whitelist_from_rcvd propigating between users
On 09/10/2008 11:57 AM, Karsten Bräckelmann wrote: On Thu, 2008-10-09 at 08:33 -0700, William Taylor wrote: On Mon, Oct 06, 2008 at 11:30:11AM -0700, William Taylor wrote: It would seem the whitelist_from_rcvd is incorrectly propigating to the wrong users in the same thread. For example usera has whitelist_from_rcvd *.sonic.net sonic.net setup. If userb gets sent mail that is processed by that same thread it will pickup the whitelist_from_rcvd from usera Any ideas where I can look for answers on this to track it down? https://issues.apache.org/SpamAssassin/show_bug.cgi?id=4179 Daryl, I guess that's the one you where referring to? Fixed in 3.2.4. Yes, that's the one. Thanks... that's twice in a couple months I've forgotten which bug it was. Daryl
Re: whitelist_from_rcvd propigating between users
On 09/10/2008 12:16 PM, Karsten Bräckelmann wrote: On Thu, 2008-10-09 at 09:02 -0700, William Taylor wrote: On Thu, Oct 09, 2008 at 05:53:30PM +0200, Karsten Bräckelmann wrote: I replied with more information to Daryl's post but I must have sent it directly to him instead of the list. I don't have the exact reply handy but I am running SpamAssassin 3.2.5 (2008-06-10) The bug does seem to be very simmilar to bug# 4179 Yes, sorry, I did receive that and just haven't had the time to respond. So maybe the bug still exists under different circumstances? It's certainly the same sort of thing. Different code though, so it probably got overlooked. Yup, your follow-up didn't make it to the list. Anyway, now that we know about your SA version, we're getting somewhere. Still assuming bug 4179 actually is the one Daryl was talking about... Maybe it merely fixes issues with user *rules*, and the same bug with user settings slipped by unnoticed. Daryl, Justin? Yes, I don't recall anything in the patch that targetted non regex rule copy issues. Of course it's been nearly a year... but I think the only thing that was fixed were actual regex type rules. William, please search bugzilla for duplicates first. If you're positive this issue hasn't been reported before, please feel free to file a new bug, adding as much details as possible. Thanks. Yes, please open a new bug and along with your problem report please reference bug 4179. Thanks, Daryl
Re: whitelist_from_rcvd propigating between users
On 06/10/2008 2:30 PM, William Taylor wrote: It would seem the whitelist_from_rcvd is incorrectly propigating to the wrong users in the same thread. For example usera has whitelist_from_rcvd *.sonic.net sonic.net setup. If userb gets sent mail that is processed by that same thread it will pickup the whitelist_from_rcvd from usera Any ideas where I can look for answers on this to track it down? There was a long standing issue with user configs being copied between users. It was fixed in a recent 3.2 release. Unfortunately I cannot remember the bug or which release it was fixed in. Upgrading to the latest 3.2 release should fix your issue. Regards, Daryl
Re: question about testing new rulesets
On 03/10/2008 5:13 PM, Rob McEwen wrote: RE: question about testing new rulesets Is it possible to do the following when testing out a new ruleset: (1) score that rule at 0.01 (of course this is possible... but then also...) (2) copy the original source file that was fed to SA to a separate directory if (a) the new rule being tested triggered ...AND... (b) if that message ended up scoring below threshold and was therefore NOT considered spam. Yep. The plugin you would need to do that is pretty trivial. This would allow someone to audit those messages which would ONLY have been blocked had that new ruleset been giving a higher score. Analysis on such messages could then be done to see how many of these are FNs and how many of these are FPs. I'm thinking that, if SA can delete and re-write the source file with a SA doesn't do that, but it's irrelevant I suppose. Daryl
[Fwd: Travel Assistance to ApacheCon US 2008 - 3 days to apply!]
Original Message Subject: Travel Assistance to ApacheCon US 2008 - 3 days to apply! Date: Mon, 29 Sep 2008 20:10:19 +1000 From: Gav... [EMAIL PROTECTED] To: [EMAIL PROTECTED] *- Apologies to those PMCs that already got this email. The first attempt I made was rejected by at least 1/2 of all PMCs without being modded through, 1/2 of those that did mod it through did not forward it on to their user or dev lists. That's at least 2+ folks who don't know they can get financial help. WITH NOW ONLY 3 DAYS TO GO BEFORE WE HAVE TO CLOSE OUR HELP OF TRAVEL ASSISTANCE TO APACHECON US 2008, Please, give your community a chance to go. -* Dear PMCs, Please could you forward the below message to your user@ and dev@ mailing lists, thanks in advance. - The Travel Assistance Committee is taking in applications for those wanting to attend ApacheCon US 2008 between the 3rd and 7th November 2008 in New Orleans. The Travel Assistance Committee is looking for people who would like to be able to attend ApacheCon US 2008 who need some financial support in order to get there. There are VERY few places available and the criteria is high, that aside applications are open to all open source developers who feel that their attendance would benefit themselves, their project(s), the ASF and open source in general. Financial assistance is available for flights, accommodation and entrance fees either in full or in part, depending on circumstances. It is intended that all our ApacheCon events are covered, so it may be prudent for those in Europe and or Asia to wait until an event closer to them comes up - you are all welcome to apply for ApacheCon US of course, but there must be compelling reasons for you to attend an event further away that your home location for your application to be considered above those closer to the event location. More information can be found on the main Apache website at http://www.apache.org/travel/index.html - where you will also find a link to the application form and details for submitting. Time is very tight for this event, so applications are open now and will end on the 2nd October 2008 - to give enough time for travel arrangements to be made. Good luck to all those that will apply. Regards, The Travel Assistance Committee
Re: dsbl.org down for good
On 26/09/2008 2:03 PM, McDonald, Dan wrote: someone noticed and mentioned it on the user list. another person saw that and filed a bug. Then one of the developers made the change, pushed out the update, and closed the bug. I don't see that there is any crisis here that needs to be solved. In fact, I saw the report on the users@ list, opened the bug, fixed it, pushed the update and closed the bug. We're usually pretty good at getting things like this resolved as quickly as we can. We're spread pretty thin too... I know at least for me I'm explicitly *not* permitted to work on SA or read any SA related email at either of my two full time jobs (and we don't have computers at my part time job). Daryl
Re: dsbl.org down for good
On 26/09/2008 11:44 AM, Todd Adamson wrote: So, it basically boils down to my lack of knowledge that dsbl died back in June, and was used from within spamassassin. I'll admit it. I didn't know about it. My fault. No problem. We didn't know either. It wasn't causing any problems so there's not really much to be concerned about. If the list had have stopped responding someone would have mentioned slow scan times and we would have identified the issue (if no one else pointed out the list died) and removed it asap. Developer time resources are very tight so we depend on the user community to help out with this sort of thing. Daryl
Re: dsbl.org down for good
On 25/09/2008 11:34 AM, Todd Adamson wrote: Would I be correct or incorrect that this will get updated to our rules through sa-update. If this does get corrected, what kind of time frame are we guessing at? Updates are currently being distributed to the mirrors. DNS will update in a few minutes. And in the short term, if we zero the score for RCVD_IN_DSBL, will that properly disable the test? It will, but it's not really necessary as they're currently serving an empty zone. People not using sa-update should zero the score for the rule though. Daryl
Re: dsbl.org down for good
Thanks Jason! I've opened bug 5988. Regards, Daryl
Re: Score Hit Frequency in SA Corpus?
On 20/09/2008 12:12 PM, Bob Proulx wrote: Are the hit frequencies from the SpamAssassin corpus available on the web somewhere? I looked through the docs and wiki but didn't see it if they were. On the web, http://ruleqa.spamassassin.org/ In the tarball, rules/STATISTICS* What is the hit frequency in the corpus of SUBJ_ALL_CAPS scoring 2.1? OVERALLSPAM% HAM% S/ORANK SCORE NAME 1.116 1.5957 0.27050.855 0.512.08 SUBJ_ALL_CAPS Daryl
Re: False Positive on DRUGS_STOCK_MIMEOLE rule
On 20/09/2008 12:56 PM, Bob Proulx wrote: I have what appears to me to be a completely legitimate mail message from a person who has the following in the mail header. X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 That is triggering both __MIMEOLE_1106 and __MAILER_OL_5510 which triggers DRUGS_STOCK_MIMEOLE for 3.5 points. That seems to be an overly agressive combination. Should the rule be double checked? There are a few rule issues concerning Outlook 11, but few sample messages have been submitted so that things can be corrected. Please open a bug about your particular issue and attach some samples. Daryl
Re: Spamassassin Letting a Lot of Spams Through
Check to make sure that network tests aren't disabled. Many distro packages have network tests turned off my default. Not sure where Debian would configure this, sorry. Daryl
Re: Spamassassin Letting a Lot of Spams Through
On 13/09/2008 8:20 PM, aladdin wrote: On Saturday 13 September 2008 20:00, Daryl C. W. O'Shea wrote: Check to make sure that network tests aren't disabled. Many distro packages have network tests turned off my default. Not sure where Debian would configure this, sorry. Daryl Thanks for the reply! Where would I check that and what would I look for? Can you tell that from either the header or the config file I posted? Not sure where Debian keeps its daemon config files, but you can probably find out by running the following command and looking for -L or --local in the output. ps aux | grep spamd Daryl
Re: user rules not being cleared out before the next user comes along
On 07/09/2008 4:48 AM, Per Jessen wrote: All, I'm using spamd and I allow per-user rules. I've noticed that the user rules are being kept although the user changes. I'm currently using spamassassin 3.1.7, and I was just wondering if this behaviour might already have been fixed in a later version? There was a bug about this open, from years ago, that I can no longer find as an open bug, so I think it was fixed sometime in 3.2. Daryl
Re: 1000 times easier to just do sa-update --nogpg
On 06/09/2008 4:09 PM, [EMAIL PROTECTED] wrote: Yes, I'm saying instead of just letting sa-update fail with the generic GNU message and GNU hyperlink, setting the user off on a PhD Thesis effort of trying to figure out what to do, instead just detect the problem and print out: Hello, this is the sa-update program talking to you. We've detected a problem. You need to do $ wget http://spamassassin.apache.org/updates/GPG.KEY $ sa-update --import GPG.KEY and then run sa-update again. Thank you. Have that hardwired into the sa-update program, ready and waiting for the next time it fails. What could be wrong with that? You can even add: Patches welcome. Please keep in mind, when parsing the output of GPG, that the error text may be platform dependent. For instance, even getting the cross-signed key error is platform dependent. Daryl
Re: score USER_IN_DEF_WHITELIST 0, for me at least
On 06/09/2008 6:03 PM, [EMAIL PROTECTED] wrote: I set score USER_IN_DEF_WHITELIST 0 as I guess I'm not the well rounded person reflected in the pre-defined whitelists. Indeed not many people are I bet. You see one day this spam got through riding high on that -15 point boost, causing me to notice the existence of these lists. I'm not sure if my one liner stopped all of them though. Perhaps you would like to share an example of such a spam so that the offending domain can be considered for removal from the whitelist. It's probably best that you open a bug for this issue at http://issues.apache.org/SpamAssassin/ Daryl
Re: when/why to toggle use_newest_received_spf_header?
On 21/08/2008 11:07 AM, Bob Gereford wrote: i've read the description for SA's use_newest_received_spf_header @ http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_SPF.html. i understand i can toggle the option, Use this option to start with the newest (top most) Received-SPF headers, working downwards until results are successfully parsed. under what specific circumstances would this be a better option? The only scenario I immediately recall from when I wrote this was that you may have an intermediate relay that is processing SPF checks that isn't doing it correctly. Having the last relay (top most) re-do it correctly would apply to this config option. 99.99% of installations are probably fine with the default, which I recommend. I really only added the option for those users who have multiple Received-SPF headers for some reason so that they would have at least somewhat of an option of which one gets used. I assume that they know why they have multiple headers and which one would be most appropriate to use. Daryl
Re: Mass-check not scanning all messages.
On 10/08/2008 4:11 PM, RN-Chris wrote: In the two respective corpus directories (ham | spam) emails are just dumped in there. $WORKINGDIR/mass-check --progress --all --showdots \ ham:mbox:/var/home/c/h/chris/spamcorpus/custom/ham \ spam:mbox:/var/home/c/h/chris/spamcorpus/custom/spam dir not mbox
Re: WrongMX plugin
Hi Matus, Sorry for the huge delay in responding... On 03/07/2008 4:50 AM, Matus UHLAR - fantomas wrote: On 11.06.08 15:40, Matus UHLAR - fantomas wrote: On 30.05.08 11:46, Matus UHLAR - fantomas wrote: I'd like to use WrongMX plugin on our mailservers (I found it very good idea and I was explicitly searching for it), but I'd like to ask a few questions, if someone of you uses it: - did you modify score of it? - did you modify the maximum time difference allowed for the plugin to hit? - why does it has single score of '1' when it's a network rule? I was also thinking about modifying it to be allowed to hit more times with different scores for smaller time differences (resulting would be sum of all matched). Any opinions? since nobody replied, I installed it, but it does not produce anything. Could you please check if it still should work? Sorry for bugging. It works, I only need to find a way for using the current recipient. I'm not sure what it is you are wanting to do. Regards, Daryl
Re: trusted_networks set in local.cf, but not according to sa-update
On 21/06/2008 1:10 AM, Sahil Tandon wrote: I see the following when running sa-update with debug flags: [20528] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually This is expected and intentional. Your local cf files are not used to lint the rulesets. Your pre files, however, are. However: # grep trusted /usr/local/etc/mail/spamassassin/local.cf trusted_networks 69.55.228.210 --lint does not complain, and I know that local.cf is being otherwise interpreted by SA because custom rules contained therein are scoring. Yes, this is also the expected and intentional behaviour. Everything is working as it should. Daryl
Re: trusted_networks set in local.cf, but not according to sa-update
On 21/06/2008 2:05 PM, Jari Fredriksson wrote: On 21/06/2008 1:10 AM, Sahil Tandon wrote: I see the following when running sa-update with debug flags: [20528] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually This is expected and intentional. Your local cf files are not used to lint the rulesets. Your pre files, however, are. However: # grep trusted /usr/local/etc/mail/spamassassin/local.cf trusted_networks 69.55.228.210 --lint does not complain, and I know that local.cf is being otherwise interpreted by SA because custom rules contained therein are scoring. Yes, this is also the expected and intentional behaviour. Everything is working as it should. Daryl Should? What good is that lint anyway if it can't be used to test local rules? Yes. sa-update is specifically designed not to be concerned with your local rules. sa-update only cares if the *update* is valid (passes a lint test). It ignores your local cf files (since it doesn't care about them) but uses the pre files so that it can load any plugins that may be used by the *update* rulesets. If you want to lint your local rules (in your local cf files) use spamassassin --lint which will all [1] rules that are used by SA on your system. The sa-update lint is not meant to be (nor can I see a reason why you'd want it to be) used to lint test your local rules. [1] All system wide rules and the current user's per-user rules. Daryl
Re: trusted_networks set in local.cf, but not according to sa-update
On 21/06/2008 10:45 PM, Sahil Tandon wrote: Daryl C. W. O'Shea [EMAIL PROTECTED] wrote: On 21/06/2008 1:10 AM, Sahil Tandon wrote: I see the following when running sa-update with debug flags: [20528] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually This is expected and intentional. Your local cf files are not used to lint the rulesets. Your pre files, however, are. Are trusted_networks generally set in any of the .pre files? If not, then why bother checking (and complaining about the absence of) trusted_networks if local.cf is not queried by sa-update's lint? No, they should be set in a cf file. You could open a bug in bugzilla to request an enhancement to have this debug output avoided. It's really only cosmetic. http://issues.apache.org/SpamAssassin/ Daryl
Re: sa-update and location of rules
On 16/06/2008 10:12 AM, Helmut Schneider wrote: Hi, running FreeBSD I have two directories with rules in it: /usr/local/share/spamassassin /var/db/spamassassin/3.002005/updates_spamassassin_org Which is the correct directory, which rules are used? Both and both. Rules obtained via sa-update will be under /var but do not delete the files under /usr as they're still required. Daryl
Re: sa-update, dostech, / RHEL5 question
On 06/06/2008 4:43 PM, Aaron Bennett wrote: Hi, I'm in the process of converting to sa-update on rhel5, spamassassin 3.2.4, to replace a rules_du_jour installation. I'm trying to use the dostech sa-update channels. Ultimately I'm looking to use a channel file, but for now I'm trying to get just one channel to work. I'm getting this error when I run with debugging: [20790] dbg: dns: query failed: 4.2.3.72_sare_bml_post25x.cf.sare.sa-update.dostech.net = NOERROR Is this still happening? It seems to be working for me... [EMAIL PROTECTED] ~]$ dig +short txt 4.2.3.72_sare_bml_post25x.cf.sare.sa-update.dostech.net 200705210700 [EMAIL PROTECTED] ~]$
Re: SPF Errors
On 24/04/2008 12:43 PM, Michael Dunne wrote: dbg: spf: cannot get Envelope-From, cannot use SPF Make sure that the message as passed to SA has a Return-Path header. If there are any trusted relays (received headers) in the message passed to SA enable the always_trust_envelope_sender option. Daryl
Re: SA Test Hangs
On 11/04/2008 3:12 PM, macosxdh wrote: i seem to have a problem, when i run this command: spamassassin -tD /users/sysadmin/Desktop/Mail-SpamAssassin-3.1.9/sample-spam.txt it just hangs there, no end in site, i let it go for about 10min, no response.any ideas? spamassassin is waiting for input. Until you give it some it'll wait forever. Since you redirected STDOUT to sample-spam.txt you'll find that that file is now empty. Perhaps you intended to use an '' rather than a ''. Daryl
Re: spamd network access
On 06/04/2008 2:58 PM, Martin Gregorie wrote: /usr/bin/spamd -d -c -m5 -A 127.0.0.1,192.168 --allow-tell -H -r I've obviously missed something, so I'd appreciate help in spotting the obvious mistake in configuring spamd. 192.168 isn't valid for -A. See the spamd POD for more info or just add a trailing dot so it reads 192.168.. Daryl
Re: spamd network access
On 06/04/2008 4:34 PM, Martin Gregorie wrote: On Sun, 2008-04-06 at 20:02, Daryl C. W. O'Shea wrote: On 06/04/2008 2:58 PM, Martin Gregorie wrote: /usr/bin/spamd -d -c -m5 -A 127.0.0.1,192.168 --allow-tell -H -r I've obviously missed something, so I'd appreciate help in spotting the obvious mistake in configuring spamd. 192.168 isn't valid for -A. See the spamd POD for more info or just add a trailing dot so it reads 192.168.. Thanks, but the problem still isn't solved. Ah, you're missing the -i option to tell it to listen on whatever IP is on the 192.168. network. -A controls what client IPs are allowed to connect to spamd. Again the POD for spamd is quite useful... it's a lot more clear than the short help text. Daryl
Re: sa-update doesn't do languages file?
On 22/03/2008 11:17 AM, Chris Hoogendyk wrote: Arthur Dent wrote: On Thu, Mar 13, 2008 at 06:39:01PM -0400, Daryl C. W. O'Shea wrote: If either of you post complete debug output of sa-update (run it with -D) and the complete output of spamassassin --lint -D, preferably attached as text files to an email, I'll at least look at it. Copy me on the email so I don't miss it or forget. Daryl Sorry for the delay. Busy end of term I'm afraid - but I'm on holiday now! The problem with this is that I can't reproduce the error. I think it's only when the channelfile actually gets updated (last time was on Feb 14) that this error will occur. I've not reproduced it yet either, but I haven't really focused on doing it either. I have reproduced it. It's an issue caused by the config loaded for earlier channel linting re-appearing when additional channels are linted. As it pertains to sa-update it is harmless. At worst it *may* be possible for a channel that doesn't pass a lint to sometimes cause later channels to fail a lint test when they really shouldn't. So, unless you're doing some weird things with the SA libraries yourself (loading multiple different configs into memory concurrently or sequentially) I wouldn't worry about it. Daryl