Re: Spamassassin tests help please

2002-04-28 Thread Dave Carrigan
Dave Sherohman [EMAIL PROTECTED] writes:

  Then, my mail filters filter the spam based on the color. I have yet to
  find any false positives at yellow and above, so my comfort level is
  getting close to bit-bucketing orange and red, and rejecting yellow with
  a message that it's flagged as spam.
 
 So where can we download it?  And (just to be on-topic) do you plan
 to package it as a deb?

As promised, I've released my assassind relay. You can download it from
http://www.rudedog.org/assassind/. I've also packaged it as a .deb; you
can just add the following line to your apt-sources list.

  deb http://www.rudedog.org/ debian/

Most of the perl packages needed by assassind are already in
Debian/unstable and probably Debian/woody. Any that are missing are also
available in the above archive.

Enjoy.

-- 
Dave Carrigan ([EMAIL PROTECTED])| Yow! I always liked FLAG DAY!!
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | 
Seattle, WA, USA| 
http://www.rudedog.org/ | 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Spamassassin tests help please

2002-04-26 Thread Patrick Kirk
On Thu, Apr 25, 2002 at 01:28:39PM +0100, My Personal Mail wrote:
On Thu, Apr 25, 2002 at 04:50:23AM -0500, Colin Watson wrote:

I've been wading through the documentation and cannot find how to stop
spamassassin rewriting the message bodies?  Does anyone know how to do
this?

Patrick





Re: Spamassassin tests help please

2002-04-26 Thread Erik van der Meulen
On Fri, Apr 26, 2002 at 11:01:00AM +0100, Patrick Kirk wrote:

 I've been wading through the documentation and cannot find how to stop
 spamassassin rewriting the message bodies?  Does anyone know how to do
 this?

Yep, put:

  defang_mime 0

in the local or system wide prefs. I think it does not change the actual
body, only puts the mime type to 'plain text'.

HTH!

--
  Erik van der Meulen [EMAIL PROTECTED]





Re: Spamassassin tests help please

2002-04-26 Thread Colin Watson
On Fri, Apr 26, 2002 at 11:01:00AM +0100, Patrick Kirk wrote:
 I've been wading through the documentation and cannot find how to stop
 spamassassin rewriting the message bodies?  Does anyone know how to do
 this?

Try something like 'report_header 1' and 'use_terse_report 1'. The
documentation you probably want is in the Mail::SpamAssassin::Conf(3pm)
man page.

-- 
Colin Watson  [EMAIL PROTECTED]





Re: Spamassassin tests help please

2002-04-26 Thread Dave Carrigan
Patrick Kirk [EMAIL PROTECTED] writes:

 I've been wading through the documentation and cannot find how to stop
 spamassassin rewriting the message bodies?  Does anyone know how to do
 this?

I just wrote my own processor. All mine does is add an X-Spam-Color
header. I use green, blue, yellow, orange and red, just like Tom Ridge's
terrorist alert system :-).

Then, my mail filters filter the spam based on the color. I have yet to
find any false positives at yellow and above, so my comfort level is
getting close to bit-bucketing orange and red, and rejecting yellow with
a message that it's flagged as spam.

-- 
Dave Carrigan ([EMAIL PROTECTED])| Yow! I can't think about that.
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | It doesn't go with HEDGES in the
Seattle, WA, USA| shape of LITTLE LULU -- or
http://www.rudedog.org/ | ROBOTS making BRICKS...





Re: Spamassassin tests help please

2002-04-26 Thread Dave Sherohman
On Fri, Apr 26, 2002 at 08:51:23AM -0700, Dave Carrigan wrote:
 I just wrote my own processor. All mine does is add an X-Spam-Color
 header. I use green, blue, yellow, orange and red, just like Tom Ridge's
 terrorist alert system :-).
 
 Then, my mail filters filter the spam based on the color. I have yet to
 find any false positives at yellow and above, so my comfort level is
 getting close to bit-bucketing orange and red, and rejecting yellow with
 a message that it's flagged as spam.

So where can we download it?  And (just to be on-topic) do you plan
to package it as a deb?

-- 
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius

Innocence is no protection when governments go bad. - Tom Swiss





Re: Spamassassin tests help please

2002-04-26 Thread Dave Carrigan
Dave Sherohman [EMAIL PROTECTED] writes:

  Then, my mail filters filter the spam based on the color. I have yet to
  find any false positives at yellow and above, so my comfort level is
  getting close to bit-bucketing orange and red, and rejecting yellow with
  a message that it's flagged as spam.
 
 So where can we download it?  And (just to be on-topic) do you plan
 to package it as a deb?

I've had a couple of requests for this. I will spend the weekend writing
some documentation and making it presentable for public consumption.

-- 
Dave Carrigan ([EMAIL PROTECTED])| Yow! Didn't I buy a 1951 Packard
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | from you last March in Cairo?
Seattle, WA, USA| 
http://www.rudedog.org/ | 





Re: Spamassassin tests help please

2002-04-25 Thread Peter Jay Salzman
dude -- you are SO ready for the open relay database.

you sound pretty harried.  that's where i was a few months ago.  not to
sound overly dramatic, but www.ordb.org changed my life.

also, i've been compiling a list of networks that send spam from asian
countries like china and korea.  when i get 3 pieces of spam from the
same network, and my letters of complaint go unanswered, i block the
entire network using tcpwrappers.   my /etc/hosts.deny contains a vast
number of chinese and korean networks.   you can manage exim connections
with tcpwrappers by simply running exim as:

smtp stream   tcp   nowait   mail /usr/sbin/tcpd  /usr/sbin/exim -bs

in inetd.conf.   my 3 pronged approach to spam is:

1. using ordb.org
2. running exim from tcpwrappers and dumping IPs into /etc/hosts.deny
3. spamcop

how effective is this?  i was getting *upwards* of 40 pieces of spam per
day.

today i got simply 4 pieces of spam, and this is what i would call a
heavy spam day.

pete


begin Patrick Kirk [EMAIL PROTECTED] 
 Hi all,
 
 I have given up on using my .forward as a spam filter because I've now
 gone up to over 40 spam pieces a day and it's a pain to keep adding
 conditions on each .forward on each account.
 
 Just to make clear, my particular desire to stop stuff from Korean and
 Taiwan is that I speak neither Korean nor Chinese.  
 
 
 I wonder if anyone can help with these tests:
 
 1. I am on numerous Korean spam lists.  So I want to exclude all email
 with Korean charsets.  How do I set $h_Content-Type: contains
 ks_c_5601-1987 to score 20?
 
 2. I get a lot of stuff from Taiwan.  Is it possible to simply
 blacklist all mail relayed from ISPs with .tw tld?
 
 3. How can I blacklist specific names?  For example, esavingszone send
 me two messages every day and I want them automatically blocked.  But
 they use differing domain names so I want to block
 [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
 [EMAIL PROTECTED]
 
 4. The ISP that uses hanmail.net and daum.net is the single worst
 offender.  Can I block all mail relayed through these domains?
 
 
 Thanks in advance,
 
 Patrick
 
 
 





Re: Spamassassin tests help please

2002-04-25 Thread Osamu Aoki
On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:
 I wonder if anyone can help with these tests:
 1. I am on numerous Korean spam lists.  So I want to exclude all email
 with Korean charsets.  How do I set $h_Content-Type: contains
 ks_c_5601-1987 to score 20?
...
These Asian spams are annoying if you do not know how to filter.

I use a good idea from 

 http://www3.sympatico.ca/walter.dnes/email/chinese/

This is based on high bit characters.  Usually these spam senders are
not smart enough to use 7 bit Asian codings but use M$ encodings.  So
this is sufficient to block them.

My kind-of-older implementation of .procmailrc is stored as _procmailrc
  http://www.debian.org/doc/manuals/reference/examples/

Good luck.
-- 
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +
 Osamu Aoki [EMAIL PROTECTED], GnuPG-key: 1024D/D5DE453D
.
 See User's Guide: http://www.debian.org/doc/manuals/users-guide/
 See Debian reference: http://www.debian.org/doc/manuals/reference/
.
 Debian reference Project at: http://qref.sf.net
.
 I welcome your constructive criticisms and corrections.





Re: Spamassassin tests help please

2002-04-25 Thread Peter Ross
patrick wrote:

 I have given up on using my .forward as a spam filter because I've now
 gone up to over 40 spam pieces a day and it's a pain to keep adding
 conditions on each .forward on each account.

Why don't you look into http://www.spambouncer.org/






Re: Spamassassin tests help please

2002-04-25 Thread Colin Watson
On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:
 I have given up on using my .forward as a spam filter because I've now
 gone up to over 40 spam pieces a day and it's a pain to keep adding
 conditions on each .forward on each account.
 
 Just to make clear, my particular desire to stop stuff from Korean and
 Taiwan is that I speak neither Korean nor Chinese.  
 
 
 I wonder if anyone can help with these tests:
 
 1. I am on numerous Korean spam lists.  So I want to exclude all email
 with Korean charsets.  How do I set $h_Content-Type: contains
 ks_c_5601-1987 to score 20?

Something like this should do the job (although I just blackhole it in
.procmailrc now because it's faster):

header   BROKEN_KOREAN_CHARSET  Content-Type =~ /charset="?ks_c_5601-1987/
describe BROKEN_KOREAN_CHARSET  I don't speak Korean
score    BROKEN_KOREAN_CHARSET  20

(I called it BROKEN because I understand real Koreans, as opposed to
spammers, actually use a different character set - but I may be
misinformed here.)

 2. I get a lot of stuff from Taiwan.  Is it possible to simply
 blacklist all mail relayed from ISPs with .tw tld?

You can probably match on Received: headers. Check
/etc/spamassassin/20_head_tests.cf for examples.

 3. How can I blacklist specific names?  For example, esavingszone send
 me two messages every day and I want them automatically blocked.  But
 they use differing domain names so I want to block
 [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
 [EMAIL PROTECTED]

'blacklist_from [EMAIL PROTECTED]' in ~/.spamassassin/user_prefs, I think.

 4. The ISP that uses hanmail.net and daum.net is the single worst
 offender.  Can I block all mail relayed through these domains?

Again, you can probably do this by matching on Received: headers.

-- 
Colin Watson  [EMAIL PROTECTED]





Re: Spamassassin tests help please

2002-04-25 Thread Patrick Kirk
On Thu, Apr 25, 2002 at 09:14:32AM +0100, My Personal Mail wrote:
Hi all,

My question was a little verbose so here it is in short form:
I want to add to the default set of Spamassassin tests.  

Does anyone have an example of for example, blocking all email from
someone called 'esavings'?

Procmail based solutions are not appropriate in that I have a
spamassassin filter that works in conjunction with user level .forward
files.  Moving the user level filters to the spamassassin filter is
the objective.

Thanks.

Patrick





Re: Spamassassin tests help please

2002-04-25 Thread Patrick Kirk
On Thu, Apr 25, 2002 at 04:50:23AM -0500, Colin Watson wrote:
On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:
 I have given up on using my .forward as a spam filter because I've now
.procmailrc now because it's faster):

header   BROKEN_KOREAN_CHARSET  Content-Type =~ /charset="?ks_c_5601-1987/
describe BROKEN_KOREAN_CHARSET  I don't speak Korean
score    BROKEN_KOREAN_CHARSET  20

'blacklist_from [EMAIL PROTECTED]' in ~/.spamassassin/user_prefs, I think

I am trying to use /etc/spamassassin/local.cf for these tests.  But I
can't get spamassassin to see them.  Is there anything I need to do?
I've restarted the service so that's not it and there is nothing in my
home directory that should cause it.

Patrick





Re: Spamassassin tests help please

2002-04-25 Thread Craig Dickson
begin  Peter Ross  quotation:

 Why don't you look into http://www.spambouncer.org/

Why? Spamassassin, in my experience, is vastly more accurate and
effective than SpamBouncer. I used SpamBouncer for several months up
until March 2002. I could never get it to block even almost all spam
without also having a lot of false positives, even after extensive
tweaking of variables and even some customization of SpamBouncer's
procmail recipes. (Some of SpamBouncer's tests are utterly mad -- block
all mail from Telstra? That's most of Australia!) I switched to
Spamassassin plus Razor and found that even without customizing my
configuration at all, it did a much, much better job. It's quite rare
now for me to see spam other than in the junk folder to which I
redirect such things, and false-positives are even more rare.

Craig




Re: Spamassassin tests help please

2002-04-25 Thread dman
On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:

Do you use exim?  Some of this stuff can be done at that level.

In /etc/exim/exim.conf include something like this (may need to be
adjusted for version 3.x) :

system_filter = /etc/exim/system.filter
system_filter_user = nobody
system_filter_group = nogroup

Then put the snippets below in /etc/exim/system.filter.


| I have given up on using my .forward as a spam filter because I've now
| gone up to over 40 spam pieces a day and it's a pain to keep adding
| conditions on each .forward on each account.
| 
| Just to make clear, my particular desire to stop stuff from Korean and
| Taiwan is that I speak neither Korean nor Chinese.  
| 
| I wonder if anyone can help with these tests:
| 
| 1. I am on numerous Korean spam lists.  So I want to exclude all email
| with Korean charsets.  How do I set $h_Content-Type: contains
| ks_c_5601-1987 to score 20?

# I actually have this in my filter
if
    "$h_Content-Type: $h_Subject:" contains ks_c_5601-1987
    or
    $h_Content-Type: contains EUC-KR
then
    # use 'fail' if you want to send back a bounce message
    #fail incomprehensible foreign charset

    # this is a black hole
    seen finish
endif


| 3. How can I blacklist specific names?  For example, esavingszone send
| me two messages every day and I want them automatically blocked.  But
| they use differing domain names so I want to block
| [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
| [EMAIL PROTECTED]
 
In SA use the blacklist_from directive.  (this checks the From: header)


In exim version 4 you can include this in an acl :

  deny senders = [EMAIL PROTECTED]

(This checks the envelope sender.)
If the envelope sender is predictable, then IMO this is the best
solution, and can be extended to look up addresses from a file.


In a system filter (exim 3 or 4) :

if
    ${local_part:$sender_address} is esavingszone
    or
    ${local_part:$h_From:} is esavingszone
then
    fail $sender_address , $h_From: \
         You have been blocked by the administrator.
    seen finish
endif

(this checks both the envelope sender and the From: header)


| 2. I get a lot of stuff from Taiwan.  Is it possible to simply
| blacklist all mail relayed from ISPs with .tw tld?

| 4. The ISP that uses hanmail.net and daum.net is the single worst
| offender.  Can I block all mail relayed through these domains?

# I haven't tested this regex.  Exim uses pcre (perl-compatible), but
# I'm more familiar with the old-school dialect used by vim, sed and grep.
if
    $h_Received: matches [a-zA-Z_]+\.tw\b
    or
    $h_Received: matches (hanmail|daum)\.net\b
then
    seen finish
endif


As an alternative to checking Received: headers, if you receive the
spam directly you can simply reject connections at SMTP time. 
(or even firewall them)

HTH,
-D

-- 

Religion that God our Father accepts as pure and faultless is this: to
look after orphans and widows in their distress and to keep oneself from
being polluted by the world.
James 1:27
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
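
Added example (not part of any post in this thread, and not SpamAssassin or Exim code): a Python check of the header tests discussed above, Colin Watson's charset rule and dman's Received: patterns, run over two constructed messages. It goes a little beyond the posted rules by comparing charsets case-insensitively, reading RFC 2047 encoded Subject words, and looking only at the Received: headers written by the receiving site. The `trusted_hops` parameter, the tightened regex and all sample hostnames are assumptions of this example.

```python
import re
from email import message_from_string
from email.header import decode_header

# Charsets named in the thread, lower-cased for comparison.
BLOCKED_CHARSETS = {"ks_c_5601-1987", "euc-kr"}

# Relay pattern adapted from the thread (assumption of this example): the
# lookarounds keep "nothanmail.net" and "www.tw.example.com" from matching.
RELAY_RE = re.compile(
    r"(?<![\w-])(?:[a-z0-9-]+\.tw|(?:hanmail|daum)\.net)(?![\w.-])",
    re.IGNORECASE,
)

def charset_hits(msg):
    """Blocked charsets declared in Content-Type or in RFC 2047 Subject words."""
    found = set()
    declared = msg.get_content_charset()  # lower-cased, quotes removed
    if declared in BLOCKED_CHARSETS:
        found.add(declared)
    for _text, charset in decode_header(msg.get("Subject", "")):
        if charset and charset.lower() in BLOCKED_CHARSETS:
            found.add(charset.lower())
    return sorted(found)

def relay_hits(msg, trusted_hops=1):
    """Match only the newest `trusted_hops` Received headers."""
    # Each MTA prepends its own Received line, so the top ones were written
    # by the receiving site; anything below is supplied by the sending side.
    hits = set()
    for line in (msg.get_all("Received") or [])[:trusted_hops]:
        hits.update(m.group(0).lower() for m in RELAY_RE.finditer(line))
    return sorted(hits)

def classify(raw, trusted_hops=1):
    """Return (charset hits, relay hits) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    return charset_hits(msg), relay_hits(msg, trusted_hops)

# Constructed sample messages (documentation addresses and hostnames).
SAMPLE_SPAM = """\
Received: from smtp7.hanmail.net (smtp7.hanmail.net [192.0.2.10])
\tby mx.example.org with ESMTP; Thu, 25 Apr 2002 09:00:00 +0100
From: offers@example.net
Subject: =?ks_c_5601-1987?B?xde9usau?=
Content-Type: text/html; charset="KS_C_5601-1987"
"""

SAMPLE_LIST_MAIL = """\
Received: from lists.example.org (lists.example.org [192.0.2.20])
\tby mx.example.org with ESMTP; Thu, 25 Apr 2002 10:00:00 +0100
Received: from mail.example.com.tw (mail.example.com.tw [198.51.100.9])
\tby lists.example.org; Thu, 25 Apr 2002 08:59:00 +0000
From: someone@example.com
Subject: Re: exim filter question
Content-Type: text/plain; charset=us-ascii
"""

if __name__ == "__main__":
    print(classify(SAMPLE_SPAM))
    print(classify(SAMPLE_LIST_MAIL), classify(SAMPLE_LIST_MAIL, 2))
```

With `trusted_hops=1` the list mail passes, while widening the window to the hop behind the list server flags it, which is the false-positive risk of matching every Received: header.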





Re: Spamassassin tests help please

2002-04-25 Thread Robert L. Harris

 | 3. How can I blacklist specific names?  For example, esavingszone send
 | me two messages every day and I want them automatically blocked.  But
 | they use differing domain names so I want to block
 | [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
 | [EMAIL PROTECTED]
  

how about a way instead of blacklisting, bounce it with a user unknown?
Bounce all the spam and you'll hopefully be taken off the mailing list.
I was looking for a way to fail a message in mutt but didn't find one.



:wq!
---
Robert L. Harris|  Micros~1 :  
Senior System Engineer  |For when quality, reliability 
  at RnD Consulting |  and security just aren't
\_   that important!
DISCLAIMER:
  These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'





Re: Spamassassin tests help please

2002-04-25 Thread dman
On Thu, Apr 25, 2002 at 11:36:10AM -0600, Robert L. Harris wrote:

|  | 3. How can I blacklist specific names?  For example, esavingszone send
|  | me two messages every day and I want them automatically blocked.  But
|  | they use differing domain names so I want to block
|  | [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
|  | [EMAIL PROTECTED]
| 
| how about a way instead of blacklisting, bounce it with a user unknown?

If you use the 'fail' command in the exim system filter you'll bounce
it (with whatever error message you specify).

Alternatively, you can create a blacklist and have exim check it and
bounce accordingly.

| Bounce all the spam and you'll hopefully be taken off the mailing list.

Might work.  If the message arrives through another list (eg d-u) it
doesn't work quite as nicely.  (I now bounce ms-tnef and virus alerts
too)

| I was looking for a way to fail a message in mutt but didn't find one.

The MTA is the one who can fail message deliveries.  It has already
been delivered by the time mutt has it.

-D

-- 

Commit to the Lord whatever you do,
and your plans will succeed.
Proverbs 16:3
 
GnuPG key : http://dman.ddts.net/~dman/public_key.gpg





Re: Spamassassin tests help please

2002-04-25 Thread Glyn Millington
Osamu Aoki [EMAIL PROTECTED] writes:

  http://www.debian.org/doc/manuals/reference/examples/

Great!!  Many thanks for this - good stuff.  



Glyn

-- 
Debian Home   http://www.debian.org
Debian Planet http://www.debianplanet.org/ 
For the children  http://www.debian.org/devel/debian-jr/
In a hurry??? http://qref.sourceforge.net/ 





Re: Spamassassin tests help please

2002-04-25 Thread Karsten M. Self
on Thu, Apr 25, 2002, Craig Dickson ([EMAIL PROTECTED]) wrote:
 begin  Peter Ross  quotation:
 
  Why don't you look into http://www.spambouncer.org/
 
 Why? Spamassassin, in my experience, is vastly more accurate and
 effective than SpamBouncer. I used SpamBouncer for several months up
 until March 2002. I could never get it to block even almost all spam
 without also having a lot of false positives, even after extensive
 tweaking of variables and even some customization of SpamBouncer's
 procmail recipes. (Some of SpamBouncer's tests are utterly mad --
 block all mail from Telstra? That's most of Australia!) I switched to
 Spamassassin plus Razor and found that even without customizing my
 configuration at all, it did a much, much better job. It's quite rare
 now for me to see spam other than in the junk folder to which I
 redirect such things, and false-positives are even more rare.

I've been keeping tabs on SA's specificity and sensitivity.  On ~40k
mails, ~3300 spams, adjusting for some exceptional cases (one
mailbombing of 300+ items handled with a separate rule), since Feb 1:

   True positive:  95.5%
   False negative:  4.5%
   True negative:  99.82%
   False positive:  0.18%

Damned good tool.

Peace.

-- 
Karsten M. Self kmself@ix.netcom.com    http://kmself.home.netcom.com/
 What Part of Gestalt don't you understand?
   A guide to GNU/Linux backups:
 http://kmself.home.netcom.com/Linux/FAQs/backups.html

