Why is this not seen as spam?
Hi.

The following is a sample of mail that seems to pass through spamassassin, but somehow seems to get marked as ham as it is tested for spam content. I am not able to figure out why this is happening. If anyone could lend some insight on this, I'd appreciate it.

The one major issue I keep having with my server is with e-mail. I suspect that my sendmail is an open gate for spammers, though not in high volume. I think that I have curtailed a lot of it, but still see strange things, that I am trying to track down. This one is not an open gate issue, but is still driving me nuts...

Thanks, in advance, for any help you might be able to offer.

First, I will show you the header information, then the body (at least a reasonable copy of the message).

Headers:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on my.server.domain.org
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=1.0 tests=UNPARSEABLE_RELAY,
    UPPERCASE_25_50 autolearn=ham version=3.1.3
Received: from 143000144 (host-213-213-227-17.brutele.be [213.213.227.17])
    by my.server.domain.org (8.12.11/8.12.11) with SMTP id k581jZvD024979
    for [EMAIL PROTECTED]; Wed, 7 Jun 2006 18:46:32 -0700
Received: from gms0.mar.lmco.com (142854568 [142884056])
    by host-213-213-227-17.brutele.be (Qmailv1) with ESMTP id D1E9EE1BD9
    for [EMAIL PROTECTED]; Wed, 07 Jun 2006 20:48:40 -0500
Date: Wed, 07 Jun 2006 20:48:40 -0500
From: Guiana V. Darkness [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.00.8) Personal
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: Tomas [EMAIL PROTECTED]
Subject: did the please 's ROI inform CLIFFORD 's penny
X-AntiVirus: skaner antywirusowy poczty Wirtualnej Polski S. A.
Status: O
X-UID: 656
Content-Length: 1248
X-Keywords:
X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain

(I think that the AVG header is from my local box which is used to pop3 the message from my server. AVG is used locally on all incoming mail from my pop mailbox).

Now, the body:

WE TOLD YOU TO WATCH!!! IT'S STILL NOT TOO LATE!
TRADING ALERT!!! Timing is everything!!!
Profits of 200-400% EXPECTED
TRADING SYMB0L: ABSY
Opening Price: 0.98
Yes, it is MOVING, Tomorrow could be even BIGGER!!!

A $1,000 dollar investment could yield a $5,000 dollar profit injust one trade if you trade out at the top. ABSY should be one of the most profitable ST0CKs to trade this year. In this range the ST0CK has potential to move in either direction in bigs wings.This means you should be able to buy at the lows and sell at thehighs for months to come.

YOU COULD MAKE $$$THOUSANDS OF DOLLARS$$$ TRADING.THIS OVER AND OVER AGAIN.

ABSY is also on The REG SHO Threshold list, this means someone is short the ST0CK. Any significant volume spike could yield drastic results. If the people that are short have to cover, they will bebuying the shares from you at higher prices. This makes this ST0CKa TRIPLE PLAY for profits.

For pennies you can participate in a ST0CK that could yield results over and over again just based on the trading patterns if thecompany is able to effectuate it's business model.

WATCH OUT!!!We could see a GREAT STORY IN THE MAKING.
GOOD LUCK AND TRADE OUT AT THE TOP

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/357 - Release Date: 6/6/2006

--
73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )
: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net (Microsoft KB) :
Another example...
Here are headers from another example of spam, that is marked STRONGLY as NOT being spam. What is VERY interesting about THIS one, is that it seems to actually be FROM me!!! However, it made its rounds on other servers, first. Is it possible someone is spoofing my email address?? Or, is there a gateway e-mail hole on my server?

Here are the headers: (and, I deleted my whitelists, like the auto learn one, etc.)

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on helios.hfradio.org
X-Spam-Level:
X-Spam-Status: No, score=-86.2 required=1.0 tests=HTML_MESSAGE,
    MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI, MPART_ALT_DIFF,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO,
    UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL,
    URIBL_SC_SURBL,URIBL_WS_SURBL, USER_IN_WHITELIST autolearn=no version=3.1.3
Received: from 60.234.111.150 ([60.234.111.150])
    by helios.hfradio.org (8.12.11/8.12.11) with ESMTP id k586UPVE019859
    for [EMAIL PROTECTED]; Wed, 7 Jun 2006 23:30:28 -0700
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 08 Jun 2006 18:36:11 +1200
Received: from [242.112.30.100] (helo=86678721)
    by 60.234.111.150 with smtp (Exim 4.60 (FreeBSD))
    (envelope-from [EMAIL PROTECTED])
    id W3mNJ-2xnyDQA-8Kx
    for [EMAIL PROTECTED]; Thu, 08 Jun 2006 18:36:11 +1200
Received: from gallery48.freeserve.co.uk (02055232 [17238173668])
    by 124.1.211.112 (Qmailv1) with ESMTP id 0FJ2Y8TBN
    for [EMAIL PROTECTED]; Thu, 08 Jun 2006 17:36:07 +1200
Date: Thu, 08 Jun 2006 17:36:07 +1200
From: Jon R. Pirrello Jr [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.12.00) Personal
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: General health store
X-IMAPbase: 1148015368 4545
Status: O
X-UID: 4545
Content-Length: 11005
X-Keywords:
X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357]
Mime-Version: 1.0
Content-Type: multipart=mixed; b0undaryAVGMAIL-4487C4C83823===

(I changed the last header, in case it might cause a problem... the message has an attachment that contained a virus or trojan.)

I could really use some help in figuring out how to end this sort of activity.

Thanks,

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )
: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net (Microsoft KB) :
Re: [SPAM-TAG] Why is this not seen as spam?
On Wednesday, June 7, 2006, 11:33:52 PM, Tomas NW7US wrote:

> The following is a sample of mail that seems to pass through spamassassin, but somehow seems to get marked as ham as it is tested for spam content. I am not able to figure out why this is happening.

Try using the SARE stock rules:

http://www.rulesemporium.com/rules.htm

> The one major issue I keep having with my server is with e-mail. I suspect that my sendmail is an open gate for spammers, though not in high volume. I think that I have curtailed a lot of it, but still see strange things, that I am trying to track down. This one is not an open gate issue, but is still driving me nuts...

If your sendmail is recent (past few years) it won't be open relay by default. If it's not current, upgrade.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: Why is this not seen as spam?
Tomas, I presume you have a sterling reason for not using Bayes. At least I see no hint of a Bayes score in your headers even though it says it autolearned as ham. Either you are autolearning to a different database than you are using for scanning or you really hashed up its initial training.

Or so it seems to this person whose messages are always HAM the same as yours - for the same reason. ('cept I'm a W6)

{^_-}

- Original Message -
From: NW7US, Tomas [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, June 07, 2006 23:33
Subject: Why is this not seen as spam?

Hi.

The following is a sample of mail that seems to pass through spamassassin, but somehow seems to get marked as ham as it is tested for spam content. I am not able to figure out why this is happening. If anyone could lend some insight on this, I'd appreciate it.

The one major issue I keep having with my server is with e-mail. I suspect that my sendmail is an open gate for spammers, though not in high volume. I think that I have curtailed a lot of it, but still see strange things, that I am trying to track down. This one is not an open gate issue, but is still driving me nuts...

Thanks, in advance, for any help you might be able to offer.

First, I will show you the header information, then the body (at least a reasonable copy of the message).
Re: Another example...
I'm semi-asleep at the switch. The autolearn=no means you do indeed have Bayes turned off or completely untrained.

Very seriously, a well trained Bayes is your BEST spam fighting friend. So are the rule sets at http://www.rulesemporium.com/. I am still back on 3.0.6. I have not had a stock spam get by the filters in over a year. Both Bayes and the SARE rules I run seem to nail them. But the SINGLE most RELIABLE spam catcher is BAYES_99 set to 5.0, per user Bayes well trained, and spoon feeding salearn with known cases of missed spam that do not contain a preponderance of unique words typical for what I consider ham.

(I have gotten Bayes to the state that it has not flagged a single ham in the last month while it has flagged about 90.65% of all spam. Likewise BAYES_00 has flagged about 0.04% of spam and 81.17% of ham. This is on about 100,000 messages over 10.5 weeks.)

{^_^} Joanne

- Original Message -
From: NW7US, Tomas [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Wednesday, June 07, 2006 23:42
Subject: Another example...

Here are headers from another example of spam, that is marked STRONGLY as NOT being spam. What is VERY interesting about THIS one, is that it seems to actually be FROM me!!! However, it made its rounds on other servers, first. Is it possible someone is spoofing my email address?? Or, is there a gateway e-mail hole on my server?

Here are the headers: (and, I deleted my whitelists, like the auto learn one, etc.)
Re: [SPAM-TAG] Why is this not seen as spam?
Excellent! I am doing this, now.

One other question: where would I find a reasonably aggressive user_conf example for version 3.1.3?

Thank you for the help so far.

On Wed, 07 Jun 2006 23:42:39 -0700, Jeff Chan [EMAIL PROTECTED] wrote:

> Try using the SARE stock rules:
> http://www.rulesemporium.com/rules.htm

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )
: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net (Microsoft KB) :
Re: [SPAM-TAG] Why is this not seen as spam?
user_conf? It's a user_prefs for each user and local.cf for the whole installation, normally, 'ix-ishly speaking.

{o.o}

- Original Message -
From: NW7US, Tomas [EMAIL PROTECTED]

Excellent! I am doing this, now.

One other question: where would I find a reasonably aggressive user_conf example for version 3.1.3?

Thank you for the help so far.

On Wed, 07 Jun 2006 23:42:39 -0700, Jeff Chan [EMAIL PROTECTED] wrote:

> Try using the SARE stock rules:
> http://www.rulesemporium.com/rules.htm

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )
: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net (Microsoft KB) :
how to know where the matches are
Sometimes I can't find where in the message body the string that matched the spam regex is. I have tried KRegExpEditor, but when I enter the regex no string in the message gets highlighted, as if there were no matches. How can I know where SpamAssassin found the match?
Re: how to know where the matches are
Toni Casueps wrote:

> Sometimes I can't find where in the message body the string that matched the spam regex is. I have tried KRegExpEditor, but when I enter the regex no string in the message gets highlighted, as if there were no matches. How can I know where SpamAssassin found the match?

Run spamassassin with the -d (debug) option. Included below are snippets of the debug output showing rules that were triggered and what the text was that caused them to match.

Dave

[21399] dbg: rules: running header regexp tests; score so far=0
[21399] dbg: rules: ran header rule __HAS_MSGID == got hit:
[21399] dbg: rules: ran header rule __SANE_MSGID == got hit: [EMAIL PROTECTED]
[21399] dbg: rules:
[21399] dbg: rules: ran header rule __CT_TEXT_PLAIN == got hit: text/plain
[21399] dbg: rules: ran header rule __MSGID_OK_HOST == got hit: @webmail.unguarded.org
[21399] dbg: rules: ran header rule __CTE == got hit: 8
[21399] dbg: rules: ran header rule __SARE_HEAD_MIME_VALID == got hit: 1.0
[21399] dbg: rules: ran header rule __CT == got hit: t
[21399] dbg: rules: ran header rule NO_REAL_NAME == got hit: [EMAIL PROTECTED]
[21399] dbg: rules:
[21399] dbg: rules: ran header rule __TOCC_EXISTS == got hit:
[21399] dbg: rules: ran header rule __SARE_PREC_BULK == got hit: bulk
[21399] dbg: rules: ran header rule __HAS_SUBJECT == got hit: P
[21399] dbg: rules: ran header rule __SARE_WHITELIST_FLAG == got hit:
[21399] dbg: rules: ran header rule __HAS_RCVD == got hit: (
[21399] dbg: rules: ran header rule __HAS_X_MAILER == got hit: S
[21399] dbg: rules: ran header rule __HAS_SQUIRRELMAIL_IN_MAILER == got hit: SquirrelMail
[21399] dbg: rules: ran header rule __MIME_VERSION == got hit: 1
[21399] dbg: rules: ran header rule __MSGID_OK_DIGITS == got hit: 1149692214
[21399] dbg: rules: ran header rule __HAS_X_PRIORITY == got hit: 3
[21399] dbg: rules: ran header rule __MOZILLA_MSGID == got hit: [EMAIL PROTECTED]
[21399] dbg: rules: ran eval rule UNPARSEABLE_RELAY == got hit
[21399] dbg: rules: ran eval rule __UNUSABLE_MSGID == got hit
[21399] dbg: rules: ran body rule __KAM_TIME4 == got hit: time
[21399] dbg: rules: ran body rule __SARE_SPEC_PROLEO5 == got hit: http://www.;
[21399] dbg: rules: ran body rule __NONEMPTY_BODY == got hit: P
[21399] dbg: uri: running uri tests; score so far=0.962
[21399] dbg: rules: ran uri rule __LOCAL_PP_NONPPURL == got hit: http://www.cenzic.com;
[21399] dbg: rules: ran uri rule __SARE_URI_ANY == got hit: m
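Added example, not part of any post in this thread: a small parser for "got hit" debug lines in the format shown above (the debug output that `spamassassin -D` writes to stderr), which also looks up each matched string in the raw message. The function names, the sample message and the rule LOCAL_DEMO_RULE are made up for illustration; the other sample lines are copied from the output above.

```python
import re

# One "got hit" debug line. The arrow is "==" in the archived output above;
# "=+>?" also tolerates a longer arrow with a ">" head.
HIT = re.compile(
    r"^\[\d+\] dbg: rules: ran (?P<kind>\w+) rule (?P<rule>\S+) "
    r"=+>? got hit(?::\s*(?P<text>.*))?$"
)

# Lines copied from the thread, plus one constructed line (LOCAL_DEMO_RULE).
SAMPLE_DEBUG = """\
[21399] dbg: rules: running header regexp tests; score so far=0
[21399] dbg: rules: ran header rule __CT_TEXT_PLAIN == got hit: text/plain
[21399] dbg: rules: ran header rule __SARE_PREC_BULK == got hit: bulk
[21399] dbg: rules: ran header rule NO_REAL_NAME == got hit: [EMAIL PROTECTED]
[21399] dbg: rules: ran eval rule UNPARSEABLE_RELAY == got hit
[21399] dbg: rules: ran body rule __KAM_TIME4 == got hit: time
[21399] dbg: uri: running uri tests; score so far=0.962
[21399] dbg: rules: ran uri rule __LOCAL_PP_NONPPURL == got hit: http://www.cenzic.com;
[21399] dbg: rules: ran body rule LOCAL_DEMO_RULE ======> got hit: "TRADING ALERT"
"""

# Constructed raw message, used only to demonstrate locate().
SAMPLE_MESSAGE = """\
Subject: PenTest webinar

Now is the time to register.
Details: http://www.cenzic.com; seats are limited.
"""


def parse_hits(debug_output):
    """Return one dict per rule hit found in SpamAssassin debug output."""
    hits = []
    for line in debug_output.splitlines():
        m = HIT.match(line.strip())
        if m is None:
            continue  # progress lines and other debug chatter
        text = (m.group("text") or "").strip().strip('"')
        hits.append({
            "kind": m.group("kind"),   # header, body, uri, eval
            "rule": m.group("rule"),
            "text": text or None,      # eval rules report no matched text
            # Names starting with "__" are sub-rules: building blocks for
            # meta rules that carry no score of their own.
            "subrule": m.group("rule").startswith("__"),
        })
    return hits


def locate(hits, message):
    """Map rule name -> 1-based line numbers of `message` containing its hit text.

    Body rules run on the decoded, rendered text, so a hit string may be
    absent from the raw source (empty list): encoded or HTML mail has to be
    decoded before searching it.
    """
    lines = message.splitlines()
    found = {}
    for h in hits:
        if h["text"] is not None:
            found[h["rule"]] = [n for n, l in enumerate(lines, 1) if h["text"] in l]
    return found


if __name__ == "__main__":
    parsed = parse_hits(SAMPLE_DEBUG)
    where = locate(parsed, SAMPLE_MESSAGE)
    for h in parsed:
        tag = "sub-rule" if h["subrule"] else "scoring "
        print(tag, h["kind"], h["rule"], repr(h["text"]), where.get(h["rule"], "-"))
```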
Removing content preview
Hi All

When SA finds an email to be spam, and ' report_safe ' is set to 1 SA generates a ' content preview ' section. Can this function be turned off ?

Thanks in advance
Gary

|Gary Forrest
|(Director)
|Email: [EMAIL PROTECTED]
|Tel: 0845 058 2001
|Fax: 0845 058 2003
|
|Netnorth Limited
|Units 7 and 8 Queensbrook
|Bolton Technology Exchange
|Spa Road
|Bolton
|BL1 4AY
|
|Sales queries: [EMAIL PROTECTED]
|Domain name queries: [EMAIL PROTECTED]
|Support queries: [EMAIL PROTECTED]
|Accounts queries: [EMAIL PROTECTED]
Re: is there a way to block email coming from
Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 01:18:11 -0400:

Some even with T1s (probably quietly provisioned over DSL) that have IPs smack in the middle of static business DSL ranges that are listed in SORBS' dynamic list. Nevertheless, it's their ISP's fault and if they remain on the list for longer than a week they obviously want to. static business DSL is not a criterion for listing in SORBS at all, it's an anti-criterion. I have static business DSL with a /28 myself.

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: is there a way to block email coming from
Greg Allen wrote on Thu, 8 Jun 2006 00:05:12 -0400:

> They probably don't have a full time IT staff.

They don't need one for getting unlisted.

> There are a lot of small businesses on these legitimate business class DSL lines with fixed IP addresses (which they pay extra for) who are very frequently incorrectly listed as dynamic IP addresses.

In that case they should ask their ISP to get these ranges unlisted, it doesn't cost him anything other than issuing a support request. It's actually that ISP that isn't doing what they get paid for.

> To expect every small start-up to be on a major Internet carrier with a T1 is simply not reality these days.

Greg, no dynamic list expects this.

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: is there a way to block email coming from
John D. Hardin wrote on Wed, 7 Jun 2006 20:41:38 -0700 (PDT):

> The greatest drawback is that using the RBL within sendmail is an all-or-nothing proposition. What if you *do* have legitimate correspondents in those countries?

You can still whitelist these in access.db.

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Removing content preview
Gary Forrest - Netnorth wrote:

> Hi All
>
> When SA finds an email to be spam, and ' report_safe ' is set to 1 SA generates a ' content preview ' section. Can this function be turned off ?

Sure. Set 'report_safe' to 0.

Or if you are asking specifically about removing just the 'Content preview' portion, then you will need to redefine the 'report' template. Copy the 'report' template from your 10_misc.cf file and add it to your local.cf and remove the reference to '_PREVIEW_'. Be sure to include the line 'clear_report_template' above your new definition to clear the old one out.

> Thanks in advance
> Gary
>
> |Gary Forrest
> |(Director)
> |Email: [EMAIL PROTECTED]
> |Tel: 0845 058 2001
> |Fax: 0845 058 2003

Dave
size of bayes db
Hello list,

I'm using SA 3.1.2 with amavis-new and postfix on a mailrelay. I turned on bayes autolearning with the standard options, but my bayes_seen db grows and grows, now it is at 1.1 GB.

Why does SA not reduce the size automatically? What can I do to reduce the size of the db? What is your experience with the bayes db?

Thanks for help.

Greetings
Stefan
Whitelist clarification
Thanks for the help and great suggestions all :) James
RE: Spam Virus MX forwarding firewall
Never used Amavis, so I can't comment.

All config here is done by the text-based config files. And because it's a mail hub we're running, we use site-wide rules, no user-specific stuff.

We've got a pretty standard Dell 2650 server, 2.4GHz processor, way too little RAM (I'd recommend at least 2GB) so it swaps a bit too much (we're also running squid on that box), and the load average is normally under 5.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: Paul Tenfjord [mailto:[EMAIL PROTECTED]
Sent: 07 June 2006 17:07
To: [EMAIL PROTECTED]; users@spamassassin.apache.org; Randal, Phil
Subject: RE: Spam Virus MX forwarding firewall

Hi Phil.

Thank you for the quick reply. I was considering using amavis, but mailscanner looks promising indeed. Speedwise, what do you recommend: amavis versus mailscanner? Also does your SA configuration support user defined settings as explained previously? Are you storing in sql or userfile?

I am very interested in hearing about your configuration. How high is your server load with 20k per day, and what hardware do you have?

Thanks again.
Paul

-- Original Message --
From: Randal, Phil [EMAIL PROTECTED]
Date: Wed, 7 Jun 2006 16:11:36 +0100

Have a look at MailScanner (http://www.mailscanner.info) along with MailWatch (http://mailwatch.sf.net), mailscanner-mrtg (http://mailscannermrtg.sf.net/), and Vispan (http://www.while.org.uk/mailstats/).

Add ClamAV and Bitdefender for Linux to the mix and you're zapping most viruses before they get anywhere near your real mail server.

We're happily processing 20,000 emails a day on our MailScanner box.

Cheers,
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-Original Message-
From: Paul Tenfjord [mailto:[EMAIL PROTECTED]
Sent: 07 June 2006 15:59
To: users@spamassassin.apache.org
Subject: Spam Virus MX forwarding firewall

Hello mailing list.

My first post, nice to meet you all.

I'm setting up a SpamVirus mail firewall (forwarding only). This is a MX only server, it has no pop3/imap, its only purpose is to clean mail and route it to the next server which then delivers it to imap accounts.

For this purpose I am considering Postfix, as I am familiar with it. I am hoping to get some information/suggestions on how to do this in a way that is fast,secure, easy to add /domains users and stable.

I need the option to have user specific settings, some domains want to route all spam to [EMAIL PROTECTED], specific domains want to delete (if SA tags the mail that is over a certain limit) and some to tag SPAM in the subject header.

I am very interested in storing the domains in SQL or LDAP rather than text files. Does somebody know the performance loss/gain on sql versus text file when dealing with thousands of domains with users.

Also I am interested in statistics on how many mails pass and how many get tagged if this is available somewhere.

A lot of questions for a first post, I am hoping for a positive answer.

Kind Regards
Paul Tenfjord
Re: Removing content preview
Hi David

Many thanks, that has worked perfectly :)

Cheers
Gary

- Original Message -
From: David Goldsmith [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Thursday, June 08, 2006 12:38 PM
Subject: Re: Removing content preview

Gary Forrest - Netnorth wrote:

> Hi All
>
> When SA finds an email to be spam, and ' report_safe ' is set to 1 SA generates a ' content preview ' section. Can this function be turned off ?

Sure. Set 'report_safe' to 0.

Or if you are asking specifically about removing just the 'Content preview' portion, then you will need to redefine the 'report' template. Copy the 'report' template from your 10_misc.cf file and add it to your local.cf and remove the reference to '_PREVIEW_'. Be sure to include the line 'clear_report_template' above your new definition to clear the old one out.

> Thanks in advance
> Gary
>
> |Gary Forrest
> |(Director)
> |Email: [EMAIL PROTECTED]
> |Tel: 0845 058 2001
> |Fax: 0845 058 2003

Dave
Question on tests
I have an email that is scoring as follows using SA 2.64 (I know I am on an old version - upgrade is scheduled for about 2 weeks from now) -

X-Spam-Status: Yes, hits=68.753 tag=0 tag2=2.5 kill=3.75 tests=AWL, BAYES_30,
    NO_REAL_NAME, PRIORITY_NO_NAME, SUBJ_HAS_UNIQ_ID, USER_IN_BLACKLIST,
    X_PRIORITY_HIGH, _LOCAL_click3
X-Spam-Level:

How do I get this email removed from the USER_IN_BLACKLIST test ? I was doing a global blacklist from [EMAIL PROTECTED] but had to stop that because of two vendors used by the college that are sending emails to us with a from address of georgetowncollege.edu.

Suggestions ?

Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696
How to handle your domain in received from field
I am fighting a situation where two vendors used by my college are sending email out authorized by the college (remote distance learning situations) where the email looks like it came from us because it has our domain name in the from field. I had been using a global blacklist of [EMAIL PROTECTED] but dropped that because of these two cases. I have been able to look for a way to allow email to come through for selected addresses but keep a global block in place - none found so far.

Is there a way to do what I am trying to accomplish ?

Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696
Re: Virtual Users
http://www.exim.org/eximwiki/ExiscanExamples#head-962411f515d3c420ace6c0672cd70e91224f4355

David O'Brien wrote:

> Hello,
>
> Thanks for the reply. I am quite new at this. I didn't actually know a lot about spamc. Well I still don't but I have read a little bit about it now.
>
> I am calling SpamAssassin from an Exim ACL. I have the following lines uncommented in my exim.conf
>
>   warn  spam    = nobody
>         message = X-Spam_score: $spam_score\n\
>                   X-Spam_score_int: $spam_score_int\n\
>                   X-Spam_bar: $spam_bar\n\
>                   X-Spam_report: $spam_report
>
> I was thinking that I need to change nobody to be the email address of the recipient... however now I am not so sure.
>
> I see that the '$local_part' and '$domain' variables are not set in DATA ACL, and this is because you can have multiple recipients to an email. Therefore it is not possible to change nobody to the recipient email address? Is this because an email is only scanned once even if it is going to multiple recipients?
>
> If I change nobody to be [EMAIL PROTECTED], then %d and %l do expand correctly in my log file. So I can see that it works, but I don't know how to pass the email address to spamd...
>
> So I guess I am a little confused now...
>
> 1. It seems logical that you only want to scan an email once, no matter how many people it is sent to.
> 2. But if you setup user_prefs, doesn't that mean that an email would be scanned once for each user based on their preferences?
>
> Tom, I have spamassassin logging to its own log file /var/log/spamassassin. I followed the instructions here and it seems to be working ok: http://wiki.apache.org/spamassassin/SeparateLogFile
>
> Thanks
> David.
how do reject email with ....
I am getting this type of spam:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
X-Spam-Virus: No
X-Spam-Status: No, score=1.4 required=8.0 tests=BAYES_50,HTML_30_40,
    HTML_MESSAGE autolearn=no version=3.1.0
X-Spam-Level: *
Received: from 1802EC8 ([59.95.26.84]) by . (8.11.6/8.11.6) with SMTP id k58CtsN23285; Thu, 8 Jun 2006 08:55:55 -0400
Received: from echoes (unknown [59.95.26.84]) by WXMVW (LBYSys) with ESMTP

The ip 59.95.26.84 is not resolvable. How can I not accept email from sources which do not have a proper reverse lookup or name lookup?

Thanks.
Re: Another example...
Looks like you have [EMAIL PROTECTED] whitelisted somewhere. That's probably a bad idea. Spam usually uses a spoofed address. NW7US, Tomas wrote: Here are headers from another example of spam, that is marked STRONGLY as NOT being spam. What is VERY interesting about THIS one, is that it seems to actually be FROM me!!! However, it made its rounds on other servers, first. Is it possible someone is spoofing my email address?? Or, is there a gateway e-mail hole on my server? Here are the headers: (and, I deleted my whitelists, like the auto learn one, etc.) Return-Path: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on helios.hfradio.org X-Spam-Level: X-Spam-Status: No, score=-86.2 required=1.0 tests=HTML_MESSAGE, MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI, MPART_ALT_DIFF,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO, UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL, URIBL_SC_SURBL,URIBL_WS_SURBL, USER_IN_WHITELIST autolearn=no version=3.1.3 Received: from 60.234.111.150 ([60.234.111.150]) by helios.hfradio.org (8.12.11/8.12.11) with ESMTP id k586UPVE019859 for [EMAIL PROTECTED]; Wed, 7 Jun 2006 23:30:28 -0700 Envelope-to: [EMAIL PROTECTED] Delivery-date: Thu, 08 Jun 2006 18:36:11 +1200 Received: from [242.112.30.100] (helo=86678721) by 60.234.111.150 with smtp (Exim 4.60 (FreeBSD)) (envelope-from [EMAIL PROTECTED])id W3mNJ-2xnyDQA-8Kx for [EMAIL PROTECTED];Thu, 08 Jun 2006 18:36:11 +1200 Received: from gallery48.freeserve.co.uk (02055232 [17238173668]) by 124.1.211.112 (Qmailv1) with ESMTP id 0FJ2Y8TBN for [EMAIL PROTECTED]; Thu, 08 Jun 2006 17:36:07 +1200 Date: Thu, 08 Jun 2006 17:36:07 +1200 From: Jon R. Pirrello Jr [EMAIL PROTECTED] X-Mailer: The Bat! 
(v2.12.00) Personal X-Priority: 3 Message-ID: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: General health store X-IMAPbase: 1148015368 4545 Status: O X-UID: 4545 Content-Length: 11005 X-Keywords: X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357] Mime-Version: 1.0 Content-Type: multipart=mixed; b0undaryAVGMAIL-4487C4C83823=== (I changed the last header, in case it might case a problem... the message has an attachment that contained a virus or trojan.) I could really use some help in figuring out how to end this sort of activity. Thanks, 73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ ) : Propagation Editor for CQ, CQ VHF, Popular Communications : : Creator; live propagation center http://prop.hfradio.org/ : : Associate Member of Propagation Studies Committee of RSGB : : 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI : : 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 : : Technical Writer for http://entirenet.net (Microsoft KB) :
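The whitelist effect pointed out in the reply above, worked through as an added example (not part of the original thread): it parses the two X-Spam-Status values quoted in this thread and recomputes the score with the whitelist credit removed. It assumes the stock SpamAssassin score of -100 for USER_IN_WHITELIST has not been changed locally; the function names are made up for the example.

```python
import re
from dataclasses import dataclass

# Stock SpamAssassin score for USER_IN_WHITELIST. A site can override it in
# its own .cf files, so this value is an assumption about the local setup.
WHITELIST_RULE_SCORES = {"USER_IN_WHITELIST": -100.0}

STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>.*?)\s+autolearn=(?P<autolearn>\S+)"
)


@dataclass
class SpamStatus:
    verdict: str
    score: float
    required: float
    tests: list
    autolearn: str


def parse_spam_status(value):
    """Parse the value of an X-Spam-Status header (folded or flattened)."""
    unfolded = re.sub(r"\s+", " ", value).strip()
    m = STATUS_RE.match(unfolded)
    if m is None:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    if tests == ["none"]:  # SpamAssassin writes tests=none when nothing hit
        tests = []
    return SpamStatus(m.group("verdict"), float(m.group("score")),
                      float(m.group("required")), tests, m.group("autolearn"))


def whitelist_audit(status):
    """Report what the score would be if the whitelist rules had not fired."""
    credit = sum(WHITELIST_RULE_SCORES.get(t, 0.0) for t in status.tests)
    unmasked = round(status.score - credit, 3)
    return {
        "whitelisted": credit != 0.0,
        "score_without_whitelist": unmasked,
        # True when only the whitelist kept the message under the threshold.
        "masked_spam": status.score < status.required <= unmasked,
        "uribl_hits": [t for t in status.tests if t.startswith("URIBL_")],
    }


# Header values copied from the two messages quoted in this thread.
STOCK_SPAM = ("No, score=0.0 required=1.0 tests=UNPARSEABLE_RELAY, "
              "UPPERCASE_25_50 autolearn=ham version=3.1.3")
WHITELISTED = ("No, score=-86.2 required=1.0 tests=HTML_MESSAGE, "
               "MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI, MPART_ALT_DIFF,"
               "RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO, UNPARSEABLE_RELAY,"
               "URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL, URIBL_SC_SURBL,"
               "URIBL_WS_SURBL, USER_IN_WHITELIST autolearn=no version=3.1.3")

if __name__ == "__main__":
    for value in (STOCK_SPAM, WHITELISTED):
        status = parse_spam_status(value)
        print(status.score, status.required, whitelist_audit(status))
```

On the second header the audit reports a score of 13.8 against a threshold of 1.0 once the whitelist credit is taken out, with five URIBL rules hit.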
Re: How to handle your domain in received from field
Ronald I. Nutter wrote: I am fighting a situation where two vendors used by my college are sending email out authorized by the college (remote distance learning situations) where the email looks like it came from us because it has our domain name in the from field. I had been using a global blacklist of [EMAIL PROTECTED] but drop that because of these two cases. I have been able to look for a way to allow email to come through for selected addresses but keep a global block in place - none found so far. Is there a way to do what I am trying to accomplish ? Have you tried adding a whitelist entry for those two addresses, after the blacklist. I'm guessing that the whitelist score would cancel out the blacklist score.
RE: How to handle your domain in received from field
Will give it a shot. Didn't want to get too fancy before I checked with others who knew more than I do. Ron Ron Nutter [EMAIL PROTECTED] Network Infrastructure Security Manager Information Technology Services(502)863-7002 Georgetown College Georgetown, KY40324-1696 -Original Message- From: Stuart Johnston [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 10:14 AM To: users@spamassassin.apache.org Subject: Re: How to handle your domain in received from field Ronald I. Nutter wrote: I am fighting a situation where two vendors used by my college are sending email out authorized by the college (remote distance learning situations) where the email looks like it came from us because it has our domain name in the from field. I had been using a global blacklist of [EMAIL PROTECTED] but drop that because of these two cases. I have been able to look for a way to allow email to come through for selected addresses but keep a global block in place - none found so far. Is there a way to do what I am trying to accomplish ? Have you tried adding a whitelist entry for those two addresses, after the blacklist. I'm guessing that the whitelist score would cancel out the blacklist score.
Re: Why is this not seen as spam?
On 6/7/2006 at 11:33 PM NW7US, Tomas [EMAIL PROTECTED] wrote: The following is a sample of mail that seems to pass through spamassassin, ... WE TOLD YOU TO WATCH!!! IT'S STILL NOT TOO LATE! TRADING ALERT!!! Timing is everything!!! ... Bayes training, plus the 70_sare_stocks.cf ruleset has caught almost all of my stock spam. Greg
SA Checking user unknown e-mail?
Hello oh gurus of Spamassassin:

I have a, hopefully, quick question with regards to my implementation of Spamassassin. In a nutshell, it appears that Spamassassin is taking the time and energy to check user-unknown e-mail. I am running Spamassassin 3.1.1.

Attached is my sendmail log showing a piece of e-mail (which is spam) coming in to an unknown user account:

Jun 8 10:13:56 ns1 sendmail[20493]: k58EDuQQ020493: [EMAIL PROTECTED]... User unknown
Jun 8 10:13:56 ns1 sendmail[20493]: k58EDuQQ020493: from=[EMAIL PROTECTED], size=15866, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ns2.flanigan.net [67.36.126.141]
Jun 8 10:13:57 ns1 sendmail[20493]: k58EDuQS020493: from=, size=19201, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=ns2.flanigan.net [67.36.126.141]

Then the following from my spamd log:

Jun 8 10:13:57 ns1 spamd[13477]: spamd: connection from ns1.flanigan.net [127.0.0.1] at port 43625
Jun 8 10:13:57 ns1 spamd[13477]: spamd: processing message [EMAIL PROTECTED] for root:505
Jun 8 10:14:00 ns1 spamd[13477]: spamd: identified spam (24.3/5.0) for root:505 in 2.3 seconds, 19499 bytes.
Jun 8 10:14:00 ns1 spamd[13477]: spamd: result: Y 24 - ALL_TRUSTED,AWL,BAYES_99,HTML_90_100,HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MIME_HTML_MOSTLY,SARE_GIF_ATTACH,SARE_GIF_STOX,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=2.3,size=19499,user=root,uid=505,required_score=5.0,rhost=ns1.flanigan.net,raddr=127.0.0.1,rport=43625,mid=[EMAIL PROTECTED],bayes=0.999657933165012,autolearn=no

Notice the same msgid [EMAIL PROTECTED] from both sendmail and spamd.

My question is why does sendmail not just reject the message and leave it be? Why process a message we have no intention of delivering to anyone? Or am I reading this wrong?

My link between sendmail and spamd is through /etc/procmailrc, which reads simply:

:0fw
| /usr/bin/spamc

This quest to track this down has all come from the fact that I am seeing over 900 spam messages an hour (see spam stats: http://www.flanigan.net/spam/) and there are only about a dozen active mailboxes across my 3 or 4 domains.

Any wisdom would be greatly appreciated!

---
Kind Regards,
David
http://www.flanigan.net
Bad quoting
I noticed the following message (well, I'll just put a fragment): !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = charset=3Dwindows-1252 META content=3DMSHTML 6.00.2900.2670 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVFONT face=3DArial size=3D2IMG alt=3D hspace=3D0=20 src=3Dcid:000e01c68b04$73437a90$41e45853@qop align=3Dbaseline=20 border=3D0IMG alt=3D hspace=3D0=20 src=3Dcid:000f01c68b04$73437aaa$41e45853@qop align=3Dbaseline=20 border=3D0IMG alt=3D hspace=3D0=20 src=3Dcid:001001c68b04$73437ac4$41e45853@qop align=3Dbaseline=20 border=3D0IMG alt=3D hspace=3D0=20 src=3Dcid:001101c68b04$73437ade$41e45853@qop align=3Dbaseline=20 border=3D0IMG alt=3D hspace=3D0=20 src=3Dcid:001201c68b04$73437af8$41e45853@qop align=3Dbaseline=20 border=3D0/FONT/DIV Note that the '=' got escaped as '=3D' they probably entered the text and their HTML editor escaped it, not figuring it was raw HTML being entered directly... -Philip
RE: SA Checking user unknown e-mail?
David Flanigan wrote:

Hello oh' gurus of Spamassassin:

I have a, hopefully, quick question with regards to my implementation of Spamassassin. In a nutshell, it appears that Spamassassin is taking the time and energy to check user-unknown e-mail.

[snip]

My question is why does sendmail not just reject the message and leave it be? Why process a message we have no intention of delivering to anyone? Or am I reading this wrong?

My link between sendmail and spamd is through /etc/procmailrc, which reads simply:

:0fw
| /usr/bin/spamc

This is a sendmail issue. SpamAssassin simply scans whatever procmail sends it. Ask on the sendmail list.

This quest to track this down has all come from the fact that I am seeing over 900 spam messages an hour (see spam stats: http://www.flanigan.net/spam/) and there are only about a dozen active mailboxes across my 3 or 4 domains.

This is why I am constantly reminding people to make sure their spam and virus scanning machines can reject mail for unknown users.

-- Bowie
Re: blocking email from Vietname is not working...
Sorry, I wasn't aware of this option, where can I read up on it? Thanks.

On 6/7/06, Matt Kettler [EMAIL PROTECTED] wrote:

Screaming Eagle wrote:

I have this in local.cf file:

describe BL_COUNTRY_VN_1 Mail client in Vietnam
header BL_COUNTRY_VN_1 eval:check_rbl('vietnam', 'vn.countries.nerd.dk')
score BL_COUNTRY_VN_1 8.0
tflags BL_COUNTRY_VN_1 net

Why is it not working? I get an email from Vietnam, and the score is 0.

Well, at casual glance, the rule looks ok, although it would be more standard to have the header line first and the describe line second. However, that shouldn't be a problem...

Did you run spamassassin --lint to make sure there are no config typos?

Do you use spamd? If so, did you restart it? (local.cf is only parsed at spamd startup time)

Have you verified that the IP in question is in fact listed by vn.countries.nerd.dk? (note that countries.nerd.dk is NOT perfect, and will not list each and every IP in a country)

Are you using a lot of lists all on countries.nerd.dk? If so, I'll warn you that in my experience with blackholes.us, bombarding a site with many queries will generally cause only the first few lists to actually work. The rest of the queries get dropped.

Why are you using a DNSBL for this anyway? Why not use the RelayCountry plugin that comes with SA 3.0.0 and higher? If you install IP::Country and enable the RelayCountry plugin, this can all run very fast with reasonable accuracy.. then you can make rules like this:

header RELAY_CN X-Relay-Countries =~ /\bCN\b/
describe RELAY_CN Relayed through china
score RELAY_CN 1.0

All with no network-test overhead.
Re: how do reject email with ....
Call SA from Mimedefang. And see the sample config I put up: http://www.mimedefang.org/kwiki/index.cgi?PhilipsWorkingFilter

See the last test in filter_relay(). Note that there are two blocks that need to be downloaded and put into the mimedefang-filter file. I broke them up to be able to document them.

-Philip

Screaming Eagle wrote:

I am getting this type of spam:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
X-Spam-Virus: No
X-Spam-Status: No, score=1.4 required=8.0 tests=BAYES_50,HTML_30_40, HTML_MESSAGE autolearn=no version=3.1.0
X-Spam-Level: *
Received: from 1802EC8 ([59.95.26.84]) by . (8.11.6/8.11.6) with SMTP id k58CtsN23285; Thu, 8 Jun 2006 08:55:55 -0400
Received: from echoes (unknown [59.95.26.84]) by WXMVW (LBYSys) with ESMTP

The IP 59.95.26.84 is not resolvable. How can I not accept email from sources which do not have a proper reverse lookup or name lookup?

Thanks.
Re: Bad quoting
Philip Prindeville wrote: I noticed the following message (well, I'll just put a fragment): !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = charset=3Dwindows-1252 META content=3DMSHTML 6.00.2900.2670 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVFONT face=3DArial size=3D2IMG alt=3D hspace=3D0=20 src=3Dcid:000e01c68b04$73437a90$41e45853@qop align=3Dbaseline=20 border=3D0IMG alt=3D hspace=3D0=20 src=3Dcid:000f01c68b04$73437aaa$41e45853@qop align=3Dbaseline=20 border=3D0IMG alt=3D hspace=3D0=20 src=3Dcid:001001c68b04$73437ac4$41e45853@qop align=3Dbaseline=20 border=3D0IMG alt=3D hspace=3D0=20 src=3Dcid:001101c68b04$73437ade$41e45853@qop align=3Dbaseline=20 border=3D0IMG alt=3D hspace=3D0=20 src=3Dcid:001201c68b04$73437af8$41e45853@qop align=3Dbaseline=20 border=3D0/FONT/DIV Note that the '=' got escaped as '=3D' they probably entered the text and their HTML editor escaped it, not figuring it was raw HTML being entered directly... =3D comes from quoted-printable encoding. HTML messages are often QP encoded.
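What the reply above means for content matching, as an added example that is not part of the original thread: a pattern written against the HTML misses the quoted-printable text as sent and matches once the part is decoded. The sample message, the cid value and the pattern are constructed for the example.

```python
import email
import re

# Constructed sample: a quoted-printable HTML part shaped like the fragment
# quoted above. "=3D" is an encoded "=", "=20" an encoded space, and a bare
# "=" at the end of a line is a soft line break that joins the two lines.
RAW_MESSAGE = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=windows-1252\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<META http-equiv=3DContent-Type content=3D\"text/html; =\n"
    "charset=3Dwindows-1252\">\n"
    "<IMG alt=3D\"\" hspace=3D0=20\n"
    "src=3D\"cid:img1@example.invalid\" align=3Dbaseline border=3D0>\n"
)

# Hypothetical content pattern: an inline image referenced by Content-ID.
INLINE_IMAGE = re.compile(r'<img\b[^>]*\bsrc="cid:', re.IGNORECASE)


def bodies(raw):
    """Return (body as sent, body after undoing the transfer encoding)."""
    msg = email.message_from_string(raw)
    as_sent = msg.get_payload()
    charset = msg.get_content_charset() or "latin-1"
    decoded = msg.get_payload(decode=True).decode(charset, "replace")
    return as_sent, decoded


def rule_hits(raw):
    """Does the pattern match the encoded body, and the decoded body?"""
    as_sent, decoded = bodies(raw)
    return (bool(INLINE_IMAGE.search(as_sent)),
            bool(INLINE_IMAGE.search(decoded)))


if __name__ == "__main__":
    print(rule_hits(RAW_MESSAGE))
    print(bodies(RAW_MESSAGE)[1])
```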
Re: size of bayes db
Stefan Jakobs wrote:

I'm using SA 3.1.2 with amavis-new and postfix on a mail relay. I turned on bayes autolearning with the standard options, but my bayes_seen db grows and grows; it is now at 1.1 GB. Why does SA not reduce the size automatically?

Probably because its automatic expiry runs are getting interrupted by amavis-new. Check back in the list archives; quite a few people have had this problem.

For *any* file-based sitewide Bayes setup, IMO, you should set the SA options so it doesn't run automatic expiry, and set up a cron job to manually run the expiry process on a regular basis (daily is probably good for most sites; *really* high-traffic sites can probably go every few hours but they should be using SQL-based Bayes anyway IMO g).

What can I do to reduce the size of the db?

Right away, you can manually expire tokens by running sa-learn --force-expire.

What is your experience with the bayes db?

One legacy system still running 2.64 has had a stable Bayes db around 40M for close to four years now. (Possibly 5 years. I don't recall when I upgraded to 2.5x on that box.) Fairly early on, I disabled automatic expiry and set up a daily cron job to run the expiry process manually. I've *never* had trouble with the database inflating out of control.

If you do set up a cron'ed expiry on your system, make sure it runs as the same user amavis-new is running as. Otherwise you'll end up with file permission issues.

Check the man pages for your local SA install for the exact Bayes options you need to tweak.

-kgd
Re: how do reject email with ....
Screaming Eagle wrote on Thu, 8 Jun 2006 09:59:49 -0400:

How can I not accept email from sources which do not have a proper reverse lookup or name lookup.

This is actually a question for the documentation of your mail server or for a mailing list/newsgroup that supports your mail server. I wonder what your next subject is.

is there a way to block email coming from
get this type of spam
blocking email from Vietname is not working...
how do reject email with

reject email by ... ? reject email with ... ? reject? block?

Kai
Re: Another example...
Looks like you have [EMAIL PROTECTED] whitelisted somewhere. That's probably a bad idea. Spam usually uses a spoofed address. NW7US, Tomas wrote: Here are headers from another example of spam, that is marked STRONGLY as NOT being spam. What is VERY interesting about THIS one, is that it seems to actually be FROM me!!! However, it made its rounds on other servers, first. Is it possible someone is spoofing my email address?? What's surprising is that you are surprised that someone can make mail appear to come from you. There is nothing stopping them. Gary V
Re: Another example...
The autolearn=no does not mean that bayes is turned off completely. It means that it was not learned as spam or ham. Other messages will show that they are learned as spam or ham and some that they are not learned. - Original Message - From: jdow [EMAIL PROTECTED] To: users@spamassassin.apache.org Subject: Re: Another example... Date: Thu, 8 Jun 2006 00:45:46 -0700 I'm semi-asleep at the switch. The autolearn=no means you do indeed have Bayes turned off or completely untrained. Very seriously, a well trained Bayes is your BEST spam fighting friend. So are the rule sets at http://www.rulesemporium.com/. I am still back on 3.0.6. I have not had a stock spam get by the filters in over a year. Both Bayes and the SARE rules I run seem to nail them. But the SINGLE most RELIABLE spam catcher is BAYES_99 set to 5.0, per user Bayes well trained, and spoon feeding salearn with known cases of missed spam that do not contain a preponderance of unique words typical for what I consider ham. (I have gotten Bayes to the state that it has not flagged a single ham in the last month while it has flagged about 90.65% of all spam. Likewise BAYES_00 has flagged about 0.04% of spam and 81.17% of ham. This is on about 100,000 messages over 10.5 weeks.) {^_^} Joanne - Original Message - From: NW7US, Tomas [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Wednesday, June 07, 2006 23:42 Subject: Another example... Here are headers from another example of spam, that is marked STRONGLY as NOT being spam. What is VERY interesting about THIS one, is that it seems to actually be FROM me!!! However, it made its rounds on other servers, first. Is it possible someone is spoofing my email address?? Or, is there a gateway e-mail hole on my server? Here are the headers: (and, I deleted my whitelists, like the auto learn one, etc.) 
Return-Path: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on helios.hfradio.org X-Spam-Level: X-Spam-Status: No, score=-86.2 required=1.0 tests=HTML_MESSAGE, MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI, MPART_ALT_DIFF,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO, UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL, URIBL_SC_SURBL,URIBL_WS_SURBL, USER_IN_WHITELIST autolearn=no version=3.1.3 Received: from 60.234.111.150 ([60.234.111.150]) by helios.hfradio.org (8.12.11/8.12.11) with ESMTP id k586UPVE019859 for [EMAIL PROTECTED]; Wed, 7 Jun 2006 23:30:28 -0700 Envelope-to: [EMAIL PROTECTED] Delivery-date: Thu, 08 Jun 2006 18:36:11 +1200 Received: from [242.112.30.100] (helo=86678721) by 60.234.111.150 with smtp (Exim 4.60 (FreeBSD)) (envelope-from [EMAIL PROTECTED])id W3mNJ-2xnyDQA-8Kx for [EMAIL PROTECTED];Thu, 08 Jun 2006 18:36:11 +1200 Received: from gallery48.freeserve.co.uk (02055232 [17238173668]) by 124.1.211.112 (Qmailv1) with ESMTP id 0FJ2Y8TBN for [EMAIL PROTECTED]; Thu, 08 Jun 2006 17:36:07 +1200 Date: Thu, 08 Jun 2006 17:36:07 +1200 From: Jon R. Pirrello Jr [EMAIL PROTECTED] X-Mailer: The Bat! (v2.12.00) Personal X-Priority: 3 Message-ID: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: General health store X-IMAPbase: 1148015368 4545 Status: O X-UID: 4545 Content-Length: 11005 X-Keywords: X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357] Mime-Version: 1.0 Content-Type: multipart=mixed; b0undaryAVGMAIL-4487C4C83823=== (I changed the last header, in case it might case a problem... the message has an attachment that contained a virus or trojan.) I could really use some help in figuring out how to end this sort of activity. 
Thanks, 73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ ) : Propagation Editor for CQ, CQ VHF, Popular Communications : : Creator; live propagation center http://prop.hfradio.org/ : : Associate Member of Propagation Studies Committee of RSGB : : 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI : : 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 : : Technical Writer for http://entirenet.net (Microsoft KB) : = Kevin W. Gagel Network Administrator Information Technology Services (250) 562-2131 local 448 My Blog: http://mail.cnc.bc.ca/blogs/gagel --- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. Anti-spam information for CNC can be found at http://avas.cnc.bc.ca ---
RE: is there a way to block email coming from
-Original Message- From: Greg Allen [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 08, 2006 12:05 AM To: [EMAIL PROTECTED] Apache. Org Subject: RE: is there a way to block email coming from

However, the ISP dynamic address tests *do* belong in the MTA RBL checks. The fraction of legitimate emails received from dynamic-IP hosts is vanishingly small compared to the tens or hundreds of thousands of compromised Windows boxen spewing spam and viruses...

Sorry to poke in on the thread, but I disagree. Most small start-up businesses buy business class DSL these days with 1-5 fixed IP addresses. They often have small firewalls, anti-virus, most everything they should have. They probably don't have a full time IT staff.

Relying on email for communication and NOT having someone on staff to handle email problems is just bad business.

There are a lot of small businesses on these legitimate business class DSL lines with fixed IP addresses (which they pay extra for) who are very frequently incorrectly listed as dynamic IP addresses. The vast majority of these small companies are NOT spammers.

It is then the customer's responsibility to inform the ISP about any block. Because we all know the ISPs don't bother to check RBLs for their IPs being listed. Then if the ISP doesn't work to get it fixed, they suck and should not be considered when the contract is up. Also almost all ISPs allow customers to relay email thru the ISP's server. I had to do this once when AOL decided to block my ISP's section of static IPs for some unknown reason. Took all of about 5 clicks to solve.

To expect every small start-up to be on a major Internet carrier with a T1 is simply not reality these days. To block on dynamic is asking for a lot of trouble. It also is a pay-to-play mentality. If a start-up business can't afford a T1 then they can't send email?

If they are that small, then perhaps they shouldn't be hosting their own email?
If you are a system admin and you flat-out reject email that shows on various error ridden dial-up lists as dynamic IP address for a company, other than your own, you should be fired IMO.

Well, you are entitled to that opinion. But whitelisting in the Sendmail access.db would make you an admin worth keeping around. DUL and Dynamic DSL Pool RBLs are extremely helpful. And I'm sure if I turned them off, my phone would be ringing off the hook. Instead of the once a quarter call for whitelisting someone.

Chris Santerre SysAdmin and SARE/URIBL ninja http://www.uribl.com http://www.rulesemporium.com
Re: is there a way to block email coming from
Kai Schaetzl wrote: Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 01:18:11 -0400: Some even with T1s (probably quietly provisioned over DSL) that have IPs smack in the middle of static business DSL ranges that are listed in SORBS' dynamic list. Nevertheless, it's their ISP's fault and if they remain on the list for longer than a week they obviously want to. static business DSL is not a criterion for listing in SORBS at all, it's an anti-criterion. I have static business DSL with a /28 myself. Still, when your ISP isn't responsive and it's the single option for connectivity, it's your own fault too if you don't at least try to avoid the problem by relaying your mail through a cleaner relay. Does it suck that a major telecom company is your only choice and they can screw you around all they want? Uh, yeah, but hey, what else are you going to do? Daryl
RE: is there a way to block email coming from
On Thu, 8 Jun 2006, Greg Allen wrote: There are a lot of small businesses on these legitimate business class DSL lines with fixed IP addresses (which they pay extra for) who are very frequently incorrectly listed as dynamic IP addresses. The vast majority of these small companies are NOT spammers. Amusingly enough, I am dealing with that exact situation right now. GoDaddy has my hosting provider's netblock listed as dynamic space. To expect every small start-up to be on a major Internet carrier with a T1 is simply not reality these days. To block on dynamic is asking for a lot of trouble. It also is a pay-to-play mentality. If a start-up business can't afford a T1 then they can't send email? I never said that or meant to imply that. Perhaps I was placing too much trust in the accuracy of the public DULs. -- John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Look at the people at the top of both efforts. Linus Torvalds is a university graduate with a CS degree. Bill Gates is a university dropout who bragged about dumpster-diving and using other peoples' garbage code as the basis for his code. Maybe that has something to do with the difference in quality/security between Linux and Windows. -- anytwofiveelevenis on Y! SCOX -- 10 days until SWMBO's Birthday
Re: blocking email from Vietname is not working...
On Thu, 8 Jun 2006, Daryl C. W. O'Shea wrote:

Try this:

$ dig @vn.countries.nerd.dk 8.231.210.203.in-addr.arpa

I get:

dig: couldn't get address for 'vn.countries.nerd.dk': not found

It seems they don't provide this information for vietnam.

vn.countries.nerd.dk isn't a name server and they don't list things like 8.231.210.203.in-addr.arpa. The IP is listed though...

[EMAIL PROTECTED] dos]$ host 8.231.210.203.vn.countries.nerd.dk
8.231.210.203.vn.countries.nerd.dk has address 127.0.0.2

Gah. How embarrassing. um... I'm on vacation and my IT mojo is out being repaired?

-- John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Look at the people at the top of both efforts. Linus Torvalds is a university graduate with a CS degree. Bill Gates is a university dropout who bragged about dumpster-diving and using other peoples' garbage code as the basis for his code. Maybe that has something to do with the difference in quality/security between Linux and Windows. -- anytwofiveelevenis on Y! SCOX -- 10 days until SWMBO's Birthday
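The two lookups contrasted in the exchange above, as an added example that is not part of the original thread: a DNSBL is queried by prepending the reversed IPv4 octets to the list's zone and asking for an A record, while in-addr.arpa is the separate reverse-DNS tree. The function names and the offline resolver table are made up for the example; the one record in the table is the answer shown in the message.

```python
import ipaddress
import socket


def ptr_name(ip):
    """Reverse-DNS (PTR) name for an IPv4 address, under in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def dnsbl_name(ip, zone):
    """DNSBL query name: reversed octets prepended to the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """A-record lookup via the system resolver; [] when the name is absent."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def dnsbl_lookup(ip, zone, resolver=system_resolver):
    """Return the list's answer codes for ip, or [] when it is not listed.

    DNSBLs answer with addresses in 127.0.0.0/8; anything else (for example
    a provider that rewrites NXDOMAIN to a search page) is not a listing.
    """
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = resolver(dnsbl_name(ip, zone))
    return [a for a in answers if ipaddress.ip_address(a) in loopback]


# Constructed offline table so the example runs without network access.
OFFLINE_RECORDS = {"8.231.210.203.vn.countries.nerd.dk": ["127.0.0.2"]}


def offline_resolver(name):
    return OFFLINE_RECORDS.get(name, [])


if __name__ == "__main__":
    ip, zone = "203.210.231.8", "vn.countries.nerd.dk"
    print("PTR name:  ", ptr_name(ip))
    print("DNSBL name:", dnsbl_name(ip, zone))
    print("listed as: ", dnsbl_lookup(ip, zone, offline_resolver))
```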
Re: SA 3.1.1 sometimes takes a long time...
On Thu, Jun 08, 2006 at 01:51:22PM +1000, Guy Waugh wrote: Jun 8 13:21:07 server spamd[22945]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 11 retries If /var/vscan/spamassassin is on a local filesystem, try switching the lock method to flock. It tends to suck less. ;) * Will there be locking issues if I put all the Berkeley DB stuff into, say, MySQL? I don't believe so. -- Randomly Generated Tagline: See you in hell, candy boys!! -- Homer Simpson Homer Badman
How-to find the good rules for some spam ??
Hello all .. I would like to finish my mail server. And to do that I would like to stop the spam that continues to pass SpamAssassin.. For example, I have these rules: SARE_ADULT SARE_EVILNUMBERS0 SARE_FRAUD SARE_HTML0 SARE_HEADER0 SARE_GENLSUBJ0 SARE_OBFU0 SARE_OEM SARE_RANDOM SARE_REDIRECT_POST300 SARE_SPECIFIC SARE_SPOOF SARE_STOCKS SARE_UNSUB SARE_URI0 SARE_WHITELIST_SPF SARE_WHITELIST_RCVD TRIPWIRE

But this spam was not stopped: http://number.number.ath.cx/spam.png (I have put this in a png file because if I don't, my message is bounced by the SpamAssassin mailing list)

I don't want to know the rules that can stop this spam, but how to find the good rules myself? I can read all the rules :-s

Many thanks
Re: How-to find the good rules for some spam ??
Try URIBL -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239
RE: is there a way to block email coming from
-Original Message- From: John D. Hardin [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 12:33 PM To: Greg Allen Cc: [EMAIL PROTECTED] Apache. Org Subject: RE: is there a way to block email coming from On Thu, 8 Jun 2006, Greg Allen wrote: There are a lot of small businesses on these legitimate business class DSL lines with fixed IP addresses (which they pay extra for) who are very frequently incorrectly listed as dynamic IP addresses. The vast majority of these small companies are NOT spammers. Amusingly enough, I am dealing with that exact situation right now. GoDaddy has my hosting provider's netblock listed as dynamic space. Ironic huh... ;-)
Re: How-to find the good rules for some spam ??
Thanks for your reply ... I use SpamAssassin with rulesdujours and the SARE rules ... Can I use SARE rules and URIBL ?? What are the best? Try URIBL
RE: How-to find the good rules for some spam ??
-Original Message- From: Num ber [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 08, 2006 2:13 PM To: users@spamassassin.apache.org Subject: Re: How-to find the good rules for some spam ?? Thanks for your reply ... I use Spamassasin with rulesdujours and the SARE rules ... Can i use SARE rules and URIBL ?? What are the best? Yes. URIBL is a network test. www.uribl.com Chris Santerre SysAdmin and SARE/URIBL ninja http://www.uribl.com http://www.rulesemporium.com
RE: How-to find the good rules for some spam ??
Thanks to you ... Do I only need to add this code in /etc/mail/spamassassin/local.cf ?? (I have read the site : To utilize our lists in SpamAssasin, add the following ruleset to your local configuration directory (ie /etc/mail/spamassassin). But I'm not sure I understand ... They say to add this to the local config.. Is the local config local.cf ??)

urirhssub URIBL_BLACK multi.uribl.com. A 2
body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags URIBL_BLACK net
score URIBL_BLACK 3.0

urirhssub URIBL_GREY multi.uribl.com. A 4
body URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe URIBL_GREY Contains an URL listed in the URIBL greylist
tflags URIBL_GREY net
score URIBL_GREY 0.25

Thanks, I will test :-) I will come back :p

Yes. URIBL is a network test. www.uribl.com
RE: How-to find the good rules for some spam ??
On Thu, 8 Jun 2006, Num ber wrote: I'm only need to add this code in /etc/mail/spamassassin/local.cf ?? (I have read the site : To utilize our lists in SpamAssasin, add the following ruleset to your local configuration directory (ie /etc/mail/spamassassin). But i'm not sure to understand ... They say to add this to the local config.. The local config was local.cf ??) If I understand correctly, you can put it in any file in the /etc/mail/spamassassin directory as long as the file's name ends in .cf. SpamAssassin will read all the .cf files in the directory. - Logan
Re: How-to find the good rules for some spam ??
Num ber wrote: Thanks to you ... I'm only need to add this code in /etc/mail/spamassassin/local.cf ?? (I have read the site : To utilize our lists in SpamAssasin, add the following ruleset to your local configuration directory (ie /etc/mail/spamassassin). But i'm not sure to understand ... They say to add this to the local config.. The local config was local.cf ??) Read what you just wrote. It specifically says directory. There is no mention of local.cf and nor would you expect there to be. Simply create a new file called youruriblthing.cf (it really doesn't matter) shove the rules you want into it and put it in your /etc/mail/spamassassin directory Lint the rules to make sure you don't have any errors and off you go Obviously you will have uncommented the line: loadplugin Mail::SpamAssassin::Plugin::URIDNSBL in your init.pre (or whichever file it may end up in) And it should just work -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239
RE: How-to find the good rules for some spam ??
-----Original Message-----
From: Michele Neylon :: Blacknight.ie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 08, 2006 3:15 PM
To: users@spamassassin.apache.org
Subject: Re: How-to find the good rules for some spam ??

Num ber wrote:

Thanks to you ... I only need to add this code in /etc/mail/spamassassin/local.cf ?? (I have read the site: "To utilize our lists in SpamAssassin, add the following ruleset to your local configuration directory (ie /etc/mail/spamassassin)". But I'm not sure I understand ... They say to add this to the local config.. The local config is local.cf ??)

Read what you just wrote. It specifically says directory. There is no mention of local.cf, nor would you expect there to be.

Simply create a new file called youruriblthing.cf (it really doesn't matter), shove the rules you want into it and put it in your /etc/mail/spamassassin directory.

Lint the rules to make sure you don't have any errors and off you go.

Obviously you will have uncommented the line:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

in your init.pre (or whichever file it may end up in).

And it should just work.

Almost... restart spamd if you're using it :)

--Chris
Re: How-to find the good rules for some spam ??
Chris Santerre wrote: Almost... restart spamd if you're using it :) Heh I don't :) -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239
Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox
On Wed, Jun 07, 2006 at 05:13:07PM -0700, Arias Hung wrote:

Are you aware of any issues such as I described in 3.2.0?

The only two ways that occur to me off-hand for a message to skip SA is either 1) the message is larger than the spamc max size (250k) or 2) all of the spamd children are busy so spamc eventually times out waiting for attention.

Yes, I'm noticing copy_config timeouts ... could this be a consequence of too little children?

Typically a timeout on copy_config means your machine is extremely busy, perhaps just a lot of processes, or you're hitting swap a lot, or ... What kind of load levels are you seeing on there?

--
Randomly Generated Tagline:
If you live to the age of a hundred you have it made because very few people die past the age of a hundred. -- George Burns
Re: Odd DCC Hit
Matt Kettler wrote:

David Goldsmith wrote:

I just got a posting from the pen-test Security Focus mailing list. Here are the scores it got:

X-Spam-Level: **
X-Spam-Status: No, score=6.1 required=6.8 tests=DCC_CHECK,NO_REAL_NAME, UNPARSEABLE_RELAY,URIBL_BLACK autolearn=no version=3.1.3

snip

I can possibly understand the list sponsored by XXX website URL being in a URIBL and generating a hit but how could this message have generated many hits from DCC?

That's quite normal for really large mailing lists. DCC does NOT strictly match spam. It matches bulk mail. Period.

I realized that.

DCC does not care if that bulk is a result of spamming, or merely large-scale distribution. The security focus mailing lists have a truly huge scale of distribution, and many subscribers there use DCC. Most of those subscribers, such as yourself, are not using DCC correctly. By default, every message received by your site is reported to the DCC system. Every message. Spam or not.

I hadn't realized that. I thought I was just querying.

In general, to DCC there's no difference between checking and reporting. Thus, you must configure DCC to explicitly whitelist messages from your legitimate bulk senders, as otherwise they will be reported as soon as you receive the message.

Ok, so I have dcc-1.3.35 installed from source tarball. The config files are under /var/dcc. This specific mailing list adds the following List-Id header:

List-Id: pen-test.list-id.securityfocus.com

I created a new whitelist-sans file and added

include whitelist-sans

to both the 'whiteclnt' and 'whitelist' file right after the include directive for the 'whitecommon' file. In my 'whitelist-sans' file, I added the following lines:

# SecurityFocus
ok substitute List-Id: pen-test.list-id.securityfocus.com

Running my sample message thru 'dccproc foo | more', I still see it appears to query DCC since it is adding the 'X-DCC-##-Metrics:' header.

I looked through the 'dcc_conf' file and saw that for the DCCM_ARGS and DCCIFD_ARGS variables, it was only adding '-SList-ID' by default so I added '-SList-Id' but the message is apparently still being submitted.

Can you provide any pointers as to what I am missing in order to make DCC apply the whitelisting rules?

Thanks,
Dave
Re: is there a way to block email coming from
Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 11:46:48 -0400:

Still, when your ISP isn't responsive

As Chris says you better move away from them then if you can. If you can't I'd really bother them day and night since I don't get what I paid for. My IP range was once listed at SORBS as well, three years ago or so. When I contacted my upstream ISP they were already in contact with SORBS and it all got sorted out within 48 hours. Mistakes can happen and I understand that they cannot simply put addresses on the list that are *confirmed* to be dynamic. If they don't know if something is dynamic or not, it's better to get it listed once and remove it per request. That usually removes it forever and broadens the covered range of addresses.

and it's the single option for connectivity, it's your own fault too if you don't at least try to avoid the problem by relaying your mail through a cleaner relay.

yes, of course. I was merely addressing the "you cannot rely on DUL lists" theme.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: size of bayes db
Stefan Jakobs wrote on Thu, 8 Jun 2006 13:56:22 +0200: I turned on bayes autolearning with the standard options, but my bayes_seen db grows and grows, now it is by 1.1 GB. This is indeed very much. This is a dbm db? (SQL has bigger sizes because of indexing.) How much mail do you process per day? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: Odd DCC Hit
David Goldsmith wrote:

Running my sample message thru 'dccproc foo | more', I still see it appears to query DCC since it is adding the 'X-DCC-##-Metrics:' header.

I looked through the 'dcc_conf' file and saw that for the DCCM_ARGS and DCCIFD_ARGS variables, it was only adding '-SList-ID' by default so I added '-SList-Id' but the message is apparently still being submitted.

Can you provide any pointers as to what I am missing in order to make DCC apply the whitelisting rules?

Thanks,
Dave

I haven't got the whitelisting to work yet but I did find that I can add 'dcc_options -Q' to my SA config and then I will only query rather than report and query so at least I wouldn't be contributing to the over-reporting.

However, I would still like to get whitelisting working so I can ignore valid bulk mail and report the checksums for spam messages.

Dave
Re: blocking email from Vietname is not working...
$ dig @vn.countries.nerd.dk 8.231.210.203.in-addr.arpa

I get:

dig: couldn't get address for 'vn.countries.nerd.dk': not found

It seems they don't provide this information for Vietnam.
http://moensted.dk/spam/?addr=203.210.231.8Submit=Submit

Try contacting nerd.dk directly.
http://countries.nerd.dk/
Re: is there a way to block email coming from
Kai Schaetzl wrote:

Daryl C. W. O'Shea wrote on Thu, 08 Jun 2006 11:46:48 -0400:

Still, when your ISP isn't responsive

As Chris says you better move away from them then if you can. If you can't I'd really bother them day and night since I don't get what I paid for. My

Over the years, for one company alone, I've spent well over a week on hold with Bell attempting to get it resolved. They suck. It came to the point where it really wasn't worth any more of my time trying to get them to do anything and was just easier and more cost effective to just relay their few thousand messages a day through my own systems. If there was another provider able to provide service they'd move in a second.

IP range was once listed at SORBS as well, three years ago or so. When I contacted my upstream ISP they were already in contact with SORBS and it all got sorted out within 48 hours. Mistakes can happen and I understand that they cannot simply put addresses on the list that are *confirmed* to be dynamic. If they don't know if something is dynamic or not, it's better to get it listed once and remove it per request. That usually removes it forever and broadens the covered range of addresses.

Don't get me wrong, I have no problem with SORBS, even their DUHL list. Matt and his crew do a great job. I've never had a problem having IP ranges that meet their criteria removed and have never had a problem with getting any ISP (except for Bell) to conform to their criteria for static IP ranges.

and it's the single option for connectivity, it's your own fault too if you don't at least try to avoid the problem by relaying your mail through a cleaner relay.

yes, of course. I was merely addressing the "you cannot rely on DUL lists" theme.

I agree that outright blocking based on dynamic IP range lists often doesn't suit a particular organization's needs. I was just pointing out that some people do rely on these lists, often blindly, and that anyone who is aware that they are on such a list and does nothing to avoid the problems that it causes is also foolish.

Daryl
Re: Another example...
For there to be no Bayes score at all either bayes is turned off completely or it has never had any training at all. Anything other than an exact 0.5 return gets a tag. Never training means bayes is effectively turned off.

{^_-}

- Original Message -
From: Kevin W. Gagel [EMAIL PROTECTED]

The autolearn=no does not mean that bayes is turned off completely. It means that it was not learned as spam or ham. Other messages will show that they are learned as spam or ham and some that they are not learned.

- Original Message -
From: jdow [EMAIL PROTECTED]

I'm semi-asleep at the switch. The autolearn=no means you do indeed have Bayes turned off or completely untrained. Very seriously, a well trained Bayes is your BEST spam fighting friend. So are the rule sets at http://www.rulesemporium.com/.

I am still back on 3.0.6. I have not had a stock spam get by the filters in over a year. Both Bayes and the SARE rules I run seem to nail them. But the SINGLE most RELIABLE spam catcher is BAYES_99 set to 5.0, per user Bayes well trained, and spoon feeding sa-learn with known cases of missed spam that do not contain a preponderance of unique words typical for what I consider ham.

(I have gotten Bayes to the state that it has not flagged a single ham in the last month while it has flagged about 90.65% of all spam. Likewise BAYES_00 has flagged about 0.04% of spam and 81.17% of ham. This is on about 100,000 messages over 10.5 weeks.)

{^_^} Joanne

- Original Message -
From: NW7US, Tomas [EMAIL PROTECTED]

Here are headers from another example of spam, that is marked STRONGLY as NOT being spam. What is VERY interesting about THIS one, is that it seems to actually be FROM me!!! However, it made its rounds on other servers, first. Is it possible someone is spoofing my email address?? Or, is there a gateway e-mail hole on my server? Here are the headers: (and, I deleted my whitelists, like the auto learn one, etc.)
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on helios.hfradio.org
X-Spam-Level:
X-Spam-Status: No, score=-86.2 required=1.0 tests=HTML_MESSAGE,
    MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI, MPART_ALT_DIFF,RCVD_ILLEGAL_IP,
    RCVD_NUMERIC_HELO, UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL,
    URIBL_SBL, URIBL_SC_SURBL,URIBL_WS_SURBL, USER_IN_WHITELIST
    autolearn=no version=3.1.3
Received: from 60.234.111.150 ([60.234.111.150])
    by helios.hfradio.org (8.12.11/8.12.11) with ESMTP id k586UPVE019859
    for [EMAIL PROTECTED]; Wed, 7 Jun 2006 23:30:28 -0700
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 08 Jun 2006 18:36:11 +1200
Received: from [242.112.30.100] (helo=86678721)
    by 60.234.111.150 with smtp (Exim 4.60 (FreeBSD))
    (envelope-from [EMAIL PROTECTED]) id W3mNJ-2xnyDQA-8Kx
    for [EMAIL PROTECTED]; Thu, 08 Jun 2006 18:36:11 +1200
Received: from gallery48.freeserve.co.uk (02055232 [17238173668])
    by 124.1.211.112 (Qmailv1) with ESMTP id 0FJ2Y8TBN
    for [EMAIL PROTECTED]; Thu, 08 Jun 2006 17:36:07 +1200
Date: Thu, 08 Jun 2006 17:36:07 +1200
From: Jon R. Pirrello Jr [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.12.00) Personal
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: General health store
X-IMAPbase: 1148015368 4545
Status: O
X-UID: 4545
Content-Length: 11005
X-Keywords:
X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357]
Mime-Version: 1.0
Content-Type: multipart=mixed; b0undaryAVGMAIL-4487C4C83823===

(I changed the last header, in case it might cause a problem... the message has an attachment that contained a virus or trojan.)

I could really use some help in figuring out how to end this sort of activity.
Thanks, 73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ ) : Propagation Editor for CQ, CQ VHF, Popular Communications : : Creator; live propagation center http://prop.hfradio.org/ : : Associate Member of Propagation Studies Committee of RSGB : : 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI : : 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 : : Technical Writer for http://entirenet.net (Microsoft KB) : = Kevin W. Gagel Network Administrator Information Technology Services (250) 562-2131 local 448 My Blog: http://mail.cnc.bc.ca/blogs/gagel --- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. Anti-spam information for CNC can be found at http://avas.cnc.bc.ca ---
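Added example (not written by anyone in this thread): a reading of the X-Spam-Status value quoted above that subtracts the whitelist credit and checks whether any BAYES_* test fired, the two things the replies discuss. The -100 score for USER_IN_WHITELIST is assumed to be the unmodified stock value, and the function names are illustrative.

```python
import re

# Assumption: stock SpamAssassin score for USER_IN_WHITELIST (-100);
# a site that changed it must adjust this table.
WHITELIST_SCORES = {"USER_IN_WHITELIST": -100.0}

STATUS_RE = re.compile(
    r"^\s*(?P<verdict>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>.*?)\s+autolearn=(?P<autolearn>\S+)",
    re.DOTALL,
)

# X-Spam-Status value copied from the message quoted in this thread.
THREAD_STATUS = (
    "No, score=-86.2 required=1.0 tests=HTML_MESSAGE, MIME_HTML_ONLY, "
    "MIME_HTML_ONLY_MULTI, MPART_ALT_DIFF,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO, "
    "UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL, "
    "URIBL_SC_SURBL,URIBL_WS_SURBL, USER_IN_WHITELIST "
    "autolearn=no version=3.1.3"
)


def parse_status(value):
    """Split an X-Spam-Status value into verdict, scores and test names."""
    m = STATUS_RE.match(value)
    if m is None:
        raise ValueError("not an X-Spam-Status value")
    tests = [t.strip() for t in m["tests"].split(",") if t.strip()]
    if tests == ["none"]:
        tests = []
    return {
        "is_spam": m["verdict"] == "Yes",
        "score": float(m["score"]),
        "required": float(m["required"]),
        "tests": tests,
        "autolearn": m["autolearn"],
    }


def review(value):
    """Report what the header says once whitelist credit is removed."""
    st = parse_status(value)
    credit = sum(WHITELIST_SCORES.get(t, 0.0) for t in st["tests"])
    unmasked = round(st["score"] - credit, 1)
    return {
        "score_without_whitelist": unmasked,
        # True when only the whitelist credit kept the verdict at "No".
        "masked_by_whitelist": (credit < 0 and not st["is_spam"]
                                and unmasked >= st["required"]),
        "bayes_tests": [t for t in st["tests"] if t.startswith("BAYES_")],
        "uribl_tests": [t for t in st["tests"] if t.startswith("URIBL_")],
    }


if __name__ == "__main__":
    for key, val in review(THREAD_STATUS).items():
        print(f"{key}: {val}")
```

On the quoted header this reports 13.8 points from the remaining tests against a threshold of 1.0, five URIBL hits, and no BAYES_* test in the list.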
Re: How-to find the good rules for some spam ??
From: Michele Neylon :: Blacknight.ie [EMAIL PROTECTED] Chris Santerre wrote: Almost... restart spamd if you're using it :) Heh I don't :) Unless something like procmail calls spamassassin for each mail message, which is machine hungry and slow, you need to restart whatever has spamassassin operating as a part of its own daemon process. This might be Amavis, Mailscanner, or whatever. {^_-}
Re: False positive from Yahoo Groups' new HTML email format
On Thu, 8 Jun 2006, John Beranek wrote: P.S. and a Yahoo email server is listed in Spamcop?? Perennially. I've had to whitelist them so that my wife's Yahoo Groups mailing lists weren't constantly being discarded. -- John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Senator, when you took your oath of office, you placed your hand on the Bible and swore to uphold the Constitution. You didn't place your hand on the Constitution and swear to uphold the Bible. -- Jamie Raskin, Professor of Law at American University, testifying before the Maryland Senate --- 10 days until SWMBO's Birthday
Re: blocking email from Vietname is not working...
Screaming Eagle wrote:

Sorry, I wasn't aware of this option, where can I read up on it? Thanks.

Not much to read, but:
http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_RelayCountry.html

It should exist in your init.pre file, just uncomment the line after you have added IP::Country.

If you install IP::Country and enable the RelayCountry plugin, this can all run very fast with reasonable accuracy.. then you can make rules like this:

header RELAY_CN X-Relay-Countries =~ /\bCN\b/
describe RELAY_CN Relayed through china
score RELAY_CN 1.0

All with no network-test overhead.
Re: How-to find the good rules for some spam ??
Num ber wrote:

Hello all .. I would like to finish my mail server. And to do that I would like to stop the spam that continues to pass SpamAssassin.. For example I have these rules:

snip, lots of rules

But this spam was not stopped: http://number.number.ath.cx/spam.png (I have put this in a png file because if I don't my message is bounced by the SpamAssassin mailing list)

Do you have SA 3.0.0 or higher? Do you have the Net::DNS perl module installed, and URIBLs enabled?

The reason you can't post that spam to the list is that the URL contained in it is listed in 4 lists on surbl.org, and URIBL_BLACK. If you had these tests enabled, the spam should have been tagged.
Re: False positive from Yahoo Groups' new HTML email format
From: John D. Hardin [EMAIL PROTECTED] On Thu, 8 Jun 2006, John Beranek wrote: P.S. and a Yahoo email server is listed in Spamcop?? Perennially. I've had to whitelist them so that my wife's Yahoo Groups mailing lists weren't constantly being discarded. -- John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Senator, when you took your oath of office, you placed your hand on the Bible and swore to uphold the Constitution. You didn't place your hand on the Constitution and swear to uphold the Bible. -- Jamie Raskin, Professor of Law at American University, testifying before the Maryland Senate --- 10 days until SWMBO's Birthday IMAO the new Yahoo format should not EVER get a free pass. It is spam from the getgo holding real content hostage. God but they're annoying! I ripped them a new orifice in email I sent them about the new format. {o.o}