spamc Load Balancing

2008-04-21 Thread Christoph Petersen
Hi guys, some days ago I started deploying spamassassin in a load balanced environment (though no real lb but round robin DNS lb with spamc's -d switch). When I watch the logs it's sometimes with peaks that one server is under heavy load 90 spamd childs and the other very low. Maybe it's a good

Re: spamc Load Balancing

2008-04-21 Thread Michael Schwartzkopff
On Sunday, 20 April 2008 22:51, Christoph Petersen wrote: Hi guys, some days ago I started deploying spamassassin in a load balanced environment (though no real lb but round robin DNS lb with spamc's -d switch). When I watch the logs it's sometimes with peaks that one server is under

Re: Upgrading

2008-04-21 Thread hiram
Hi Jarif, No, SpamAssassin is called by procmail. It seems that it was a problem with a new whitelist entry not configured well. I rolled back the changes now but still receive a couple of bounced emails from the half an hour I changed the configuration. Thanks for the advice. Best

Re: Dnsbl checks

2008-04-21 Thread Justin Mason
William Taylor writes: I'm having some issues getting the dns blacklists to work on a box. I have an ip in an email that I have verified manually that it's listed in spamcop via dns query and via the webpage. However when I run the message through spamassassin it doesn't

Dnsbl checks

2008-04-21 Thread William Taylor
I'm having some issues getting the dns blacklists to work on a box. I have an ip in an email that I have verified manually that it's listed in spamcop via dns query and via the webpage. However when I run the message through spamassassin it doesn't produce a hit. When ran with -D I see it

Re: [sa-list] Re: Blogger URLs

2008-04-21 Thread Mark Martinec
On Monday 21 April 2008 06:27:57 Dan Mahoney, System Admin wrote: The possibility of catering the reporting protocols to different sites (i.e. the major free sites have their own reporting systems that might be better used). It's beyond the scope of this thread, but are there any docs on how

RE: spamc Load Balancing

2008-04-21 Thread Christoph Petersen
Hi Michael, Hi guys, some days ago I started deploying spamassassin in a load balanced environment (though no real lb but round robin DNS lb with spamc's -d switch). When I watch the logs it's sometimes with peaks that one server is under heavy load 90 spamd childs and the other

Re: spamc Load Balancing

2008-04-21 Thread Michael Schwartzkopff
On Monday, 21 April 2008 13:20, Christoph Petersen wrote: Hi Michael, (...) I'm using round robin load balancing from DNS right now. But it's simply switching the host every time. What I would like to have a small daemon or something which keep track how many processes are running on each

Bayes DB growing without bound; expiry not working

2008-04-21 Thread Chris St. Pierre
I have two MXes, both writing Bayes data to a shared MySQL database. Something is quite awry. My Bayes database is _huge_: -rw-rw 1 mysql mysql 145044032 Apr 21 08:09 bayes_seen.MYD -rw-rw 1 mysql mysql 189879296 Apr 21 08:09 bayes_seen.MYI -rw-rw 1 mysql mysql 1881960784 Apr 21

Re: Bayes DB growing without bound; expiry not working

2008-04-21 Thread Michael Parker
On Apr 21, 2008, at 8:17 AM, Chris St. Pierre wrote: Consequently, my database is growing, apparently without bound. Any ideas how I can get expiry to work properly again? (Hopefully without completely dumping the database?) select * from bayes_vars; What user do you run bayes under on

Re: Bayes DB growing without bound; expiry not working

2008-04-21 Thread Chris St. Pierre
On Mon, 21 Apr 2008, Michael Parker wrote: select * from bayes_vars; ... 2289 rows in set (0.00 sec) What user do you run bayes under on your MXs? I think you've found the issue. We run as spamd. # sa-learn -u spamd --dump magic 0.000 0 3 0 non-token data:

Re: gpg failure on sa-update due to non-cross-certified key

2008-04-21 Thread Vivek Khera
On Apr 18, 2008, at 11:30 AM, McDonald, Dan wrote: http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29 I had the same thing happen and all is well now. Ah, thank you. I dug around the wiki for an hour last night and didn't find this article... I

Re: Bayes DB growing without bound; expiry not working

2008-04-21 Thread Michael Parker
On Apr 21, 2008, at 8:40 AM, Chris St. Pierre wrote: On Mon, 21 Apr 2008, Michael Parker wrote: select * from bayes_vars; ... 2289 rows in set (0.00 sec) What user do you run bayes under on your MXs? I think you've found the issue. We run as spamd. # sa-learn -u spamd --dump magic

Re: flooded with undetected spam

2008-04-21 Thread Benny Pedersen
On Mon, April 21, 2008 04:10, Spamassassin List wrote: My inbox is flooded by some new spams. Any idea how do I block it? http://202.42.86.77/1.eml http://202.42.86.77/2.eml both hits on spamhaus Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098

S-P-A-M Extra long domain names rule?

2008-04-21 Thread Bookworm
I'm starting to see some new phishing/scam attempts. What I was thinking was that it might be worthwhile to add a rule to not so much check links, but count periods. Here's the example that just came in my email - (removing http:// ) -

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Randy Ramsdell
Bookworm wrote: I'm starting to see some new phishing/scam attempts. What I was thinking was that it might be worthwhile to add a rule to not so much check links, but count periods. Here's the example that just came in my email - (removing http:// ) -

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Benny Pedersen
On Mon, April 21, 2008 19:51, Bookworm wrote: Notice that there are ten periods. That makes it be an eleventh level domain name? :) the uri is just a domain with long tracking subdomain, it's still a domain see 20_uri_tests.cf for example on make your own rules against it :-) Thoughts?

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Benny Pedersen
On Mon, April 21, 2008 19:59, Randy Ramsdell wrote: I haven't, but I think a rule for this would be a good idea. I always write rules then check them every so often with a custom perl script. body LOGIN_RULE /\.com\/logon\./i score LOGIN_RULE 0.1 describe LOGIN_RULE apache does not use that

Re: flooded with undetected spam

2008-04-21 Thread Evan Platt
1.eml hits a 12.7 on my system: -- -- 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see http://www.spamcop.net/bl.shtml?201.233.220.168] 3.1 RCVD_IN_XBLRBL:

subscribe

2008-04-21 Thread Chris

Re: subscribe

2008-04-21 Thread mouss
Chris wrote: http://wiki.apache.org/spamassassin/MailingLists is this list open?

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper
Maybe try these: describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/ score SILLYLONGDOMAINURI 1.8 describe SILLYDOTSDOMAINURI Includes a multiple dots domain name body SILLYDOTSDOMAINURI

Re: subscribe

2008-04-21 Thread Benny Pedersen
On Mon, April 21, 2008 21:52, mouss wrote: Chris wrote: http://wiki.apache.org/spamassassin/MailingLists is this list open? or Chris wanted to be, or is, or was, only owner and Chris now knows :-) Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper
OOpsie - typo: body should have been uri in the second one. describe SILLYDOTSDOMAINURI Includes a multiple dots domain name uri SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./ score SILLYDOTSDOMAINURI 1.8 jp Quoting Jack Pepper [EMAIL PROTECTED]: Maybe try these: describe

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Benny Pedersen
On Mon, April 21, 2008 21:59, Jack Pepper wrote: Maybe try these: describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/ score SILLYLONGDOMAINURI 1.8 describe SILLYDOTSDOMAINURI Includes a multiple dots

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread John Hardin
On Mon, 21 Apr 2008, Jack Pepper wrote: OOpsie - typo: body should have been uri in the second one. describe SILLYDOTSDOMAINURI Includes a multiple dots domain name uri SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./ score SILLYDOTSDOMAINURI 1.8 Plus, you probably meant /^https?

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread mouss
Bookworm wrote: I'm starting to see some new phishing/scam attempts. What I was thinking was that it might be worthwhile to add a rule to not so much check links, but count periods. Here's the example that just came in my email - (removing http:// ) -

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper
Quoting John Hardin [EMAIL PROTECTED]: Plus, you probably meant /^https? right you are, sir. thx -- Framework? I don't need no steenking framework! @fferent Security Labs: Isolate/Insulate/Innovate

Re: flooded with undetected spam

2008-04-21 Thread mouss
Benny Pedersen wrote: On Mon, April 21, 2008 04:10, Spamassassin List wrote: My inbox is flooded by some new spams. Any idea how do I block it? http://202.42.86.77/1.eml http://202.42.86.77/2.eml both hits on spamhaus but the question I would have is what is the '0' in

Re: flooded with undetected spam

2008-04-21 Thread Benny Pedersen
On Mon, April 21, 2008 23:13, mouss wrote: Received: from unknown (HELO tdev148-211.codetel.net.do) (201.229.148.211) by 0 with SMTP; 20 Apr 2008 16:27:31 - is this a new MTA? in that case none want to use it :-) but the body also have fuzzy dot tld that are listed in surbl

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Karsten Bräckelmann
On Mon, 2008-04-21 at 22:16 +0200, mouss wrote: untested yet: uri URI_DEEP5 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.| score URI_DEEP5 0.1 uri URI_DEEP6 m|https?://[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.[\w-]\.| score URI_DEEP6 1.0 uri URI_DEEP7

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Karsten Bräckelmann
On Mon, 2008-04-21 at 14:59 -0500, Jack Pepper wrote: Maybe try these: describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/ score SILLYLONGDOMAINURI 1.8 describe SILLYDOTSDOMAINURI Includes a multiple

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Karsten Bräckelmann
On Tue, 2008-04-22 at 01:29 +0200, Karsten Bräckelmann wrote: On Mon, 2008-04-21 at 14:59 -0500, Jack Pepper wrote: Maybe try these: describe SILLYLONGDOMAINURI Includes a very long domain name gt 8 levels uri SILLYLONGDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.){8,}/ score

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Theo Van Dinter
I haven't run any real statistics about this, but it's worth realizing that unless there's a significant number of spams that have this behavior, a rule probably costs more in resource use than it provides in hits. A quick: pcregrep -ri 'http://(?:[^/.]+\.){7}' in my corpus shows about 20 spam

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Karsten Bräckelmann
On Mon, 2008-04-21 at 19:35 -0400, Theo Van Dinter wrote: I haven't run any real statistics about this, but it's worth realizing that unless there's a significant number of spams that have this behavior, a rule probably costs more in resource use than it provides in hits. Yeah. I didn't say

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Jack Pepper
Quoting Karsten Bräckelmann [EMAIL PROTECTED]: describe SILLYDOTSDOMAINURI Includes a multiple dots domain name body SILLYDOTSDOMAINURI /^http?\:\/\/([a-z0-9_\-A-Z]+\.)+\./ Have you ever seen these? Would it work, does any MUA or browser silently collapse multiple dots? I saw one of

Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Theo Van Dinter
On Mon, Apr 21, 2008 at 10:26:02PM -0500, Jack Pepper wrote: I saw one of these in a phishing email. I didn't know if it was supposed to be that way or not, but I was quite curious. Firefox tries to connect to http://www..google.com . (click it and see) Firefox can't find the server at

Re: can we make AWL ignore mail from self to self?

2008-04-21 Thread Jo Rhett
Matt Kettler wrote: There's nothing in trusted networks, I don't trust anything... Jo, that's impossible in spamassassin. You cannot have an empty trust, it doesn't make any logical sense, and would cause spamassassin to fail miserably. I should rather have said trust is only localhost. If

Re: can we make AWL ignore mail from self to self?

2008-04-21 Thread Jo Rhett
John Hardin wrote: I'm only suggesting bypassing SA for mail that originates on the local network and is destined to the local network. No. I don't trust every user who can authenticate to this host to run active anti-virus on their hosts. I scan all mail, everywhere. And again, this

Re: can we make AWL ignore mail from self to self?

2008-04-21 Thread Jo Rhett
Bob Proulx wrote: Who to forge? The answer is Everyone! Any address that can be obtained from a spam-virus infected PC and any address that can be harvested from a web page. Forge them all. They are (mostly) valid email addresses and will pass sender verification. Send To: and From: all of

Re: can we make AWL ignore mail from self to self?

2008-04-21 Thread Jo Rhett
Justin Mason wrote: hmm, I'm not sure. It depends on your trusted_networks setting. try running spamassassin -D and see what it logs... I'm sorry -- feeling dense, how is this supposed to help? From the headers quoted below you know what spamassassin is seeing. There's nothing in

Re: can we make AWL ignore mail from self to self?

2008-04-21 Thread Theo Van Dinter
On Mon, Apr 21, 2008 at 09:56:39PM -0700, Jo Rhett wrote: Yes, a spammer can forge anyone. Can they forge the exact e-mail addresses used by people I correspond with regularly? Not in my experience. Can they forge my e-mail to me? Easily. Actually I don't think it's that hard, at least

Perl/SA permissions problem?

2008-04-21 Thread JLG
Problem: I can run sa-learn as root, but not as any other user. I'm using SpamAssassin version 3.2.4, running on Perl version 5.8.6, running on Mac OS X Server 10.4.11. All of this was working before I updated to SpamAssassin 3.2.4, but I updated a lot of other perl modules at the same

Re: can we make AWL ignore mail from self to self?

2008-04-21 Thread Bob Proulx
Jo Rhett wrote: Bob Proulx wrote: Who to forge? The answer is Everyone! Any address that can be You're going out of your way to miss the point. That's hard work It is you who are missing the point. When spammers generate mail from and to every possible combination they will eventually