Theo Van Dinter wrote:
On Thu, Aug 16, 2007 at 09:47:06AM -0700, Jo Rhett wrote:
(dropping __TVT_MIME_ for ease of typing)
You just don't like typing my initials... ;)
Honestly not. I just skip common prefixes when typing ;-)
ATT is a meta of ATT_AP *or* ATT_AOPDF.
But the PDF_FINGER01
Marc Perkel wrote:
OK - it's interesting that of all of you who responded this is the only
person who is doing it right. I have to say that I'm somewhat surprised
that so few people are preprocessing their email to reduce the SA load.
As we all know SA is very processor and memory expensive.
Loren Wilton wrote:
From: Jo Rhett [EMAIL PROTECTED]
So the only thing which is actually working to catch these is bayes
and bayes-based systems. Not rules, and not AV.
Is that a statement about your own system? MANY people have responded
that quite a number of other things like pdfinfo
Jo Rhett wrote on Wed, 15 Aug 2007 15:47:37 -0700:
The SA-team has an environment designed to do this, I don't. Nor do
most people on this list.
Kai Schaetzl wrote:
Sigh, I give up.
I find it vastly amusing that when there is real work to do (ie fix a
broken rule) the list grows very
Chris Lear wrote:
* Jo Rhett wrote (16/08/07 07:41):
Since nobody is paying attention
Or they're asleep. Your messages were at 23:44 and 07:41 here.
, let me clarify. The current rule is wrong:
mimeheader __TVD_MIME_ATT_APContent-Type =~ /^application\/pdf/i
mimeheader
useful as generalized testing tools in my environment.
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
, actually, and I recommend you try it out. These are the
tools we use:
http://wiki.apache.org/spamassassin/MassCheck
http://wiki.apache.org/spamassassin/HitFrequencies
They are bundled with SpamAssassin in the masses folder. All the
documentation is there on the wiki.
--j.
Jo Rhett writes
/MassCheck
http://wiki.apache.org/spamassassin/HitFrequencies
They are bundled with SpamAssassin in the masses folder. All the
documentation is there on the wiki.
--j.
Jo Rhett writes:
Since nobody is paying attention, let me clarify. The current rule is
wrong:
mimeheader __TVD_MIME_ATT_AP
)1865 842300
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: 15 August 2007 23:46
To: Arthur Dent
Cc: users@spamassassin.apache.org
Subject: Re: Rule for PDF and eCard Spam Needed
On Aug 15, 2007, at 12:47 AM, Arthur Dent wrote:
I am only a home user, but I have found
On Aug 15, 2007, at 3:31 AM, Kai Schaetzl wrote:
I can just tell you what *I* would do.
- test the rules
- test the rules
- test the rules
- gather statistics about hits, FPs and FNs
The SA-team has an environment designed to do this, I don't. Nor do
most people on this list.
--
Jo Rhett
in SpamAssassin.
Thanks for that informative answer. So the right way to get this
fixed is to ask the rule developer to provide them with a compatible
(or no) license? In bugzilla or where do you want them?
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
clamav does not catch these.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
of the multiline possibility
in __TVD_MIME_ATT.
Loren
describe TVD_PDF_FINGER01 Mail matches standard pdf spam
fingerprint
- Original Message - From: Jo Rhett
[EMAIL PROTECTED]
To: SpamAssassin Users users@spamassassin.apache.org
Sent: Tuesday, August 14, 2007 10:16 PM
Subject
-jrhett.pdf
Content-Disposition: attachment;
filename=marketing-jrhett.pdf
JVBERi0xLjUNJeLjz9MNCjIyIDAgb2JqPDwvSFs0MzYgMTQ4XS9MaW5lYXJpemVkIDEvRSAx
NjU5
L0wgMTM1NzYvTiAxMC9PIDI2L1QgMTMwNzQ
+Pg1lbmRvYmoNICAgICAgICAgICAgICAgICAgICAg
*snip*
--
Jo Rhett
, with an example spam
included.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
On Aug 14, 2007, at 2:22 PM, Robert - elists wrote:
You might consider the clamav integration into SA, as clamav is
catching all
the ecard ones
Apparently with alternate virus files, which I had not yet tested.
Someone mentioned that earlier today and I'm investigating it.
--
Jo Rhett
. I am not an SA committer,
so I can't run these through their test environment and them commit
them to the tree. So I'm asking someone who is if they'd be willing
to do this.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
it up, etc.
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
are on this (short and easy to read) page.
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Can someone clue me in on why this rule isn't matching?
Jo Rhett wrote:
So I've been getting a metric ton of PDF spam. Investigating the rule
that is supposed to match this, I see
rawbody __TVD_BODY /\S{4}/
header __TVD_MIME_CT_MM Content-Type =~ /^multipart\/mixed/i
Kai Schaetzl wrote:
Jo Rhett wrote on Sat, 11 Aug 2007 09:31:05 -0700:
No, I didn't. I asked where a given rule was. I was given a reference
to a page that described how to set up sa-update.
You were given the exact name of the rule, that reference to sa-update was
an additional courtesy
% perfect and seeing some corner cases slip through
is not unusual. It is a process of continual improvement.
Bob
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
this out if the original problem was
fixed and you wanted to receive the mail?
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other randomness
Kai Schaetzl wrote:
Jo Rhett wrote on Fri, 10 Aug 2007 20:30:37 -0700:
Thank you for the very useless reference to sa-update.
Please, don't do this! You got a nice answer that exactly answered your
question.
No, I didn't. I asked where a given rule was. I was given a reference
Theo Van Dinter wrote:
Sure, one for PDF has been available via sa-update for weeks.
Where? I'm using sa-update and almost all of the sare rulesets, and I'm
getting a metric ton of these. Searching rulesemporium for empty or
pdf gets nothing.
--
Jo Rhett
Net Consonance ... net
SM wrote:
At 19:39 10-08-2007, Jo Rhett wrote:
Where? I'm using sa-update and almost all of the sare rulesets, and
I'm getting a metric ton of these. Searching rulesemporium for
empty or pdf gets nothing.
TVD_PDF_FINGER01 Mail matches standard pdf spam fingerprint
http
that the real world should accept backup MX servers which reject the
mail, and should retry to a higher level MX?
Please include RFC documentation of this behavior.
(last I checked, a bounce is bounce from coast to cost ...)
--
Jo Rhett
Net Consonance ... net philanthropy, open source and other
On Jun 30, 2007, at 6:23 PM, Theo Van Dinter wrote:
On Sat, Jun 30, 2007 at 12:07:04PM -0700, Jo Rhett wrote:
There's no URL in this message. What is it mis-matching against?
When in doubt, run through spamassassin -D:
[9710] dbg: uridnsbl: domains to query: sync.pl svcolo.com
Thanks
From: Jo Rhett [mailto:[EMAIL PROTECTED]
I need to completely disable this over-opportunistic behavior. 90%
of my e-mails have either system output, or are concerning code
segments or router interfaces, etc, etc. I need these mails to get
through.
At the very least, common collisions like
that stupid Windows programs will
try to interpret for the user. The file.pl example above will never
get a user to the file.pl spam site.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
: June 29, 2007 9:00:06 AM PDT
To: [EMAIL PROTECTED]
Subject: Cron [EMAIL PROTECTED] /etc/webmin/time/sync.pl
Failed to connect to ntp0.svcolo.com:37 : Connection refused
--
Jo Rhett
senior geek
Silicon Valley Colocation
Support Phone: 408-400-0550
, but keep monitoring and whitelisting broken
sender.
Way too much work.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
, and never got better than .5% (point-
five or .005) difference in spam detection. So we stopped using it.
In comparison, we've jacked the AWL score range and this works great
for us.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
, and it needs to be fixed.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
Jo Rhett wrote:
Can you explain how this isn't an FP in the standard config?
There's absolutely nothing custom about my config, so what
standard are you applying here?
Again, I have a 100% stock SA configuration. Why do I need a
custom rule to work around an FP in the ruleset?
On Feb
of the rule.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
the score about 5.0. I simply
couldn't function with *ANY* of my mailboxes at 5.0 -- I'd be
deleting 1-2 pieces of spam per minute. I run my public mailboxes at
3.8 and I'm trying to determine if 3.2 is reasonable.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open
On Feb 9, 2007, at 9:34 AM, Adam Lanier wrote:
On Fri, 2007-02-09 at 09:01 -0800, Jo Rhett wrote:
It's really hard not to be really annoyed with this answer. What
kind of nonsense did you think my question was?
If LW_STOCK_SPAM is a SARE RULE, then I am requesting a revision to
the SARE rule
600 spam messages would have hit this mailbox today. That's
just this one, and nevermind hostmaster/webmaster/etc that get nailed
harshly.
I don't have that kind of time.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
On Feb 21, 2007, at 3:19 PM, SM wrote:
At 12:36 21-02-2007, Jo Rhett wrote:
However, all blackberry messages also hit base64 text and excess
base64 which puts them right on the edge. Anything that hits any
other rule will cause a problem.
The alternatives are:
1. Fix the rule
2. Lower
On Feb 21, 2007, at 12:54 PM, Coffey, Neal wrote:
Jo Rhett wrote:
You're making all sorts of claims that I can positively tell you are
wrong. I have *NO* local customizations to SpamAssassin other than
the use of SA-update to retrieve the recommended SARE rules.
That would be the very
are down to less than 1 a week, you are
probably safe leaving it that way.
--
Jo Rhett
Network/Software Engineer
Net Consonance
At 16:17 21-02-2007, Jo Rhett wrote:
The point of sending a note about this to the mailing list is that
this problem will effect *EVERYONE* who gets crackberry messages, and
thus it could probably use a real fix instead of forcing everyone to
fix it locally.
SM wrote:
The problem affects
a dozen examples.
Honey, if I ever cared about your problems, I sure as heck don't now.
Code either works or it doesn't. Your code doesn't. How you feel about
that is irrelevant.
--
Jo Rhett
Network/Software Engineer
Net Consonance
On Feb 9, 2007, at 2:41 AM, Matt Kettler wrote:
Jo Rhett wrote:
Again, I have a 100% stock SA configuration.
No you don't have a 100% stock config. There are at least two
differences relevant to them message you posted:
1) you have the SARE STOCKS ruleset. LW_STOCK_SPAM4 is NOT a stock
;-)
--
Jo Rhett @ Lizard Arts
velociRaptor Racing
#5 SMRRC
#553 WERA West / AFM
Matt Kettler wrote:
Jo Rhett wrote:
On Feb 7, 2007, at 8:31 PM, Matt Kettler wrote:
As for LW_STOCK_SPAM4, it's being triggered by the fact that the message
is base-64 encoded text AND has a Date: header that's missing a proper
timezone. Apparently a batch of stock spam went out at some point
On Feb 7, 2007, at 1:47 PM, John D. Hardin wrote:
On Wed, 7 Feb 2007, Jo Rhett wrote:
So this user's e-mail keeps getting tagged with rules that aren't
right. There's no base64 here, at all (looked at the raw text) and
there's certainly no stock spam. What's going on here?
Have you run
This is now bug 5235
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5235
On Dec 5, 2006, at 4:17 PM, Daryl C. W. O'Shea wrote:
Jo Rhett wrote:
While you are fixing bugs related to authentication, any chance
you'll fix the SPF plugin to skip checks on authenticated
delivery? Or have an option to enable this behavior?
Or do you want a patch from me? It'll take
René Berber wrote:
Jo Rhett wrote:
René Berber wrote:
The change I made works on a test from someone that was on vacation and sending
a message (to me) using his ISP account, the header includes a lot of extra text
with the usual dynamic IP stuff and may be forged and there was no way
.
That's your argument. That may not have been the thought process of
the person who wrote that rule, was all I was trying to say.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
Jo Rhett wrote:
Do you know why the SMTP authenticating server was forging the
HELO name? Normal mail clients will give their IP address,
right? And the may be forged only appears if they gave a full
name and resolution succeeded *and* none of the addresses returned
matched the helo
attention in the
more than two years since I wrote that code.
It'll be fixed in the next version of SpamAssassin to be released.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5223
Daryl
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other
to decrement the score a bit, but it doesn't extend the trust
path at all.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness
-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=1 id=kB3G26P6019032 auth=Sendmail ]
...
The full path to the patched file is
/usr/lib/perl5/site_perl/5.8/Mail/SpamAssassin/Message/Metadata/Received.pm
--
Jo Rhett
Network/Software Engineer
Net Consonance
Sorry, in my reply I meant to point out that the original line was
working properly for me (Sendmail environment) but that the line working
did not solve my problem.
John Rudd wrote:
Jo Rhett wrote:
René Berber wrote:
If I change Received.pm, line 414, like this:
# Sendmail, MDaemon
René Berber wrote:
Jo Rhett wrote:
René Berber wrote:
If I change Received.pm, line 414, like this:
# Sendmail, MDaemon, some webmail servers, and others
- elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+ elsif (/^from .*?(.*?authenticated.*?\).*? by/) {
This can't
header FROM_ADDRESS_EQ_REAL From =~ /^\s*([^@[EMAIL
PROTECTED]@]+)\s+\1\s*$/i
describe FROM_ADDRESS_EQ_REAL To: repeats address as real name
score FROM_ADDRESS_EQ_REAL 1
--
Jo Rhett
Network/Software Engineer
Net Consonance
for it. So this isn't how to deal with it properly it is a
recipe for how to negate the score which is entirely different.
Am I overlooking anything? Or do I need to change the code and submit a
patch so that a person can optionally avoid doing DUL and SPF checks on
authenticated e-mail?
--
Jo
by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
Any help clarifying how the LOCAL_AUTH_RCVD rule is used, or an alternative to
make SA recognize the authenticated user, will be appreciated.
Using SA 3.1.7, under Solaris 9 with sendmail 8.13.8 and Windwos XP manually for
testing.
--
Jo
from
authenticated clients, without turning off all the other checks (as, for
example, would happen if mail was submitted via port 587)?
--
Jo Rhett
Network/Software Engineer
Net Consonance
, and the systems sending bounces
aren't the ones that are being kept up-to-date enough to check SPF
either.
Umm... not in my experience. Every time we turn on SPF for a domain,
the amount of backscatter goes to about a third of the previous
amount. Every time I've been involved anyway.
--
Jo Rhett
that I put up there :-)
--
Jo Rhett
Network/Software Engineer
Net Consonance
than you do.
--
Jo Rhett
Network/Software Engineer
Net Consonance
in that hierarchy.
No. A CNAME can point to anything, but nothing can refer to a CNAME.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Documentation :-)
--
Jo Rhett
Network/Software Engineer
Net Consonance
Jo Rhett wrote:
Right. Which proves that you weren't reading. I was replying to
the comment that someone made that any host with more than one
address would have more than one HELO. This isn't true.
Now a host with more than one interface might have more than one
helo name. But that's
enabled and decide if their policy matches your objectives.
--
Jo Rhett
Senior Network Engineer
Network Consonance
any mistakes I made.
Jo Rhett wrote:
Elizabeth Schwartz wrote:
IMHO if a rule is getting legit email tagged as SPAM it should be toned
down. Obeying the RFC's is a good thing, but I am trying to tune our spam
filter to filter spam, not to be a netcop.
Then you should disable these BLs in your
I have no official position with spamassassin, but I am requesting that
you please take this thread to another mailing list. It isn't relevant
to spamassassin and we don't need to read this.
--
Jo Rhett
Senior Network Engineer
Network Consonance
John D. Hardin wrote:
On Wed, 18 Oct 2006, Jo Rhett wrote:
In our experience the mail which goes to 50 without trying 10 is
always spam.
Any feel for whether or not you're experiencing the same
Exchange-related brokenness as an earlier poster mentioned?
No. I've seen a lot of Exchange
response. That was *EXACTLY* what
I was looking for. :-)
--
Jo Rhett
Network/Software Engineer
Net Consonance
in some odd config that I'm not imagining here.
I'm sorry, but I still consider the expert here to be the amavis
developer(s). There's only a few of them, and what they need to do is
documented.
Really? I've asked 5 times now, and you divert every time I ask. Where?
--
Jo Rhett
Network
is the only possible right way to run SA.
So why the constant comments as if this is some one-off weird config?
--
Jo Rhett
Network/Software Engineer
Net Consonance
connect, no NAT system. (ie most people)
OK, maybe it doesn't work
in Jo Rhett's system. But defining most people as people who do
things like Jo Rhett is suspect at best.
Actually, I'm using it bone stock from FreeBSD ports, so yeah - in this
case my
that I observed or do you mean I tried testing it from dozens
of systems and dozens of mail pathways and I have confirmed that it
works right?
--
Jo Rhett
Network/Software Engineer
Net Consonance
Matt Kettler wrote:
Jo Rhett wrote:
I'd love to, but the SA project didn't write the milter you're using,
and the problems you're having can't be fixed by having SpamAssassin
detect the problem without doing something even dumber to someone
else.
Sure it can! It's dead simple to determine
John Andersen wrote:
On Thursday 19 October 2006 00:00, Jo Rhett wrote:
This, it seems to me, is exactly what it does.
Show me it working properly on a out-of-the-box rpm/ports config on a
direct connect, no NAT system. (ie most people)
Amavis worked for me that way when I installed Suse
they are
identical in result.
--
Jo Rhett
Network/Software Engineer
Net Consonance
it more seamless.
(and in this case I could avoid bugs with the package I use that calls it)
--
Jo Rhett
Network/Software Engineer
Net Consonance
Nigel Frankcom wrote:
On Thu, 19 Oct 2006 01:18:18 -0700, Jo Rhett
[EMAIL PROTECTED] wrote:
And as I've stated several times before, spamassassin *DOES* run.
Always. It's just whether or not it's doing anything useful. When it
can't talk to the sockets, it's dead in the water.
Frank
that is known to mangle headers.
No, it's not. You're not paying attention. This is unrelated to Amavis
entirely.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Jonas Eckerman wrote:
Jo Rhett wrote:
You can only exclude the mailing list if you're running SA from
procmail or .forward or something like that.
No. You can exclude it in other situations as well.
Usually it's running on the MX hosts.
We're using SA on our MX host, daemonized
to compile without razor support locally.
I think I'll take my own advice and not reply on things that I don't
know the in-depth details of.
--
Jo Rhett
Network/Software Engineer
Net Consonance
. IE, most cable and DSL providers
on the market.
...Don't ask me why we call things which annoy us a Tax in the US.
Probably just still emotionally locked up around that whole Tea Party
thing ;-)
--
Jo Rhett
Network/Software Engineer
Net Consonance
ERROR: SA-update appears to have failed.
fi
fi
--
Jo Rhett
Network/Software Engineer
Net Consonance
is reporting as spam
something they explicitly signed up for. And used for months and then
when they don't want to receive it any more, it is SPAM and IT IS BAD
and our customer is EVIL.
Please raise your consciousness just a bit.
--
Jo Rhett
Network/Software Engineer
Net Consonance
this. amavisd will step on itself and
this won't work if the current daemon is running.
--
Jo Rhett
Network/Software Engineer
Net Consonance
of SA[1] and usage[2]
Heh - from reading your reply it is clear you do pay enough attention,
which is all I was looking for :-)
--
Jo Rhett
Network/Software Engineer
Net Consonance
Jo Rhett wrote:
Just FYI, this score will be a Tax on everyone who has a provider who
won't let them edit the reverse DNS. IE, most cable and DSL providers
on the market.
Richard Frovarp wrote:
Or for any machine that hosts more domains than has IPs. Even being able
to edit the reverse
that one.
I can't comment on that, mostly because I don't understand your story.
It reads like it was tossed in a blender to me :-) (no insult intended,
but it is confusing as stated)
--
Jo Rhett
Network/Software Engineer
Net Consonance
Magnus Holmgren wrote:
On Thursday 19 October 2006 09:55, Jo Rhett took the opportunity to say:
Mark wrote:
We cannot really say SA's autodetection is broken, because SA is designed
to be called post-SMTP. Nor that a milter is broken per se for not adding
a Received: header
Mark wrote:
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: donderdag 19 oktober 2006 9:56
To: Mark
Cc: users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem
Perhaps SA being focused on post-SMTP is the problem here. Why is
this the focus
Jo Rhett wrote:
Autodetection should work out of the box for out of the box
installs. Custom installations, and most especially people creating
appliances out of this, are managed by Experts who have a clue.
Jonas Eckerman wrote:
If you are using a milter that calls SA, you are in effect
earlier was how to you get someone to start sending
spam, the quick answer is unsubscribe.
And as I mentioned before, this whole story is also in the SA
archives...
-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 19, 2006 11:27 AM
To: Gary W. Smith
Cc
relevant here, because I deal with spam EVERY DAY.
It's my day job too :-)
That said, a friend of mine did sign up for Lending Tree and used their
service, and now gets spam to that address constantly. But when you
send mail to a mailing list of unknown recipients ...
--
Jo Rhett
Network/Software
hardware.
--
Jo Rhett
Network/Software Engineer
Net Consonance
Coffey, Neal wrote:
Jo Rhett wrote:
... it operates, by nature, post DATA phase.
Huh? It operates when I ask it to.
While that's certainly true, if you've configured SA to scan *before*
the DATA phase, I'd be curious to see how well it's working for you.
*giggle* yes :-) Sorry
the message. What
possible detraction can you find?
--
Jo Rhett
Network/Software Engineer
Net Consonance
101 - 200 of 277 matches
Mail list logo
