How to control the scoring for spam

2005-09-06 Thread suresh kumar
Hi all,
SpamAssassin passes every incoming mail
through various tests (using spamd & spamc) to
determine whether the mail is spam according to the score (as
per my knowledge). But I want to know how this
scoring happens for each test. Can we control or
adjust the scoring mechanism as per our own needs? If
possible, how can we do that? How will I understand
the scoring of spam mail determined by SpamAssassin?
Any help ...

 Thanks for your time.
Suresh Kumar



Re: Pharamcudical list of words in a table

2005-09-06 Thread Ilan Aisic
Hi again,
I keep getting this kind of pharm. spam where a list of drugs and their prices is arranged in an HTML table.
I'm using all the SARE rules including the OBFU (which I've added thanks to recommendations in this thread).
However, only the SARE_HTML_MANY_BR05 is fired ( Tooo many br's!).
Indeed the way this is arranged is that this is in a cell on the first column:
<B>Vi</B><BR>
The matching cell of the next table column is:
<B>ag</B><BR>
The next is:
<B>ra</B>

And in between there are all the other pairs of letters for the other
drugs and the HTML command: <DIV style="FLOAT: left;">

Obviously, the OBFU rule set is not that sophisticated.

On top of that, the spammer (someone said it's Leo Kuvayev) keeps
changing the URL it points to. I've received it with
inspectioflig(dot)com (scored 2.7), then with exclusivaven(dot)com
(scored 6.4), then with univnews(dot)com (scored 7.1) and the
last one was sinceschool(dot)com (scored 7.8).

So, the good news is that in spite of the spammer's effort, the score
gets higher and higher (due to increased efficiency of the network
checks) but on my system it should reach 12 to be totally
trashed.  For scores > 5 it only marks the subject as
potential spam.
--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org


Re: How to control the scoring for spam

2005-09-06 Thread Loren Wilton
> per my knowledge) . But I want to know how this
> scoring will happen for each test . Can we control or

Step 1: Look at test score.  Is it non-zero?  If yes, go to step 2.
Step 2: Run test.  Does it hit?  If yes, go to step 3.
Step 3: Take score value and add it to the score for the current mail.

The scores are mostly in 50_scores.cf.  You can copy all or part of this
into local.cf or 99_myscores.cf or something like that, and change any score
to any value you want.

Keep in mind that the existing scores are there for a reason, and randomly
and wholesale changing the scores probably isn't going to result in a better
spam-catching system.

Loren



Re: Pharamcudical list of words in a table

2005-09-06 Thread M.Lewis
Ilan, I believe this is the *exact* same dude/dudette that I was 
referring to with the topic 'Rule Question'.


Mike




RE: How to control the scoring for spam

2005-09-06 Thread Herb Martin
> Hi all,
> Spamassassin passes every incoming mail through
> various tests (using spamd & spamc) to determine the mail as
> spam according to the score(As per my knowledge) .

Technically spamc is just a small executable to send the
file to spamd which is a daemon that keeps SpamAssassin
in memory so that it isn't necessary to re-initialize
SA for every message. (And read all of the SA files etc
as part of that initialization.)

> But I want
> to know how this scoring will happen for each test . Can we
> control or making the scoring mechanism as per our own needs.

Every test can be given a score -- and usually is.

A later reference of that score will override any previous
setting so you can add scores in your local.cf to override
the default (increase, decrease, or even disable a test by
setting it to zero.)

> If possible How can we do that ? How will I understand the
> scoring of spam mail determined by spamassassin.
> Any help ...

Use a line (usually in local.cf) of this form:

score HM_GAPPY_SIG 3

'score' is a keyword for setting the score, 'HM_GAPPY_SIG'
is one of my tests and '3' is the score I wish to set for
this test.

grep your default .cf files for 

grep '^score' /usr/share/spamassassin/*.cf

Or better, include a pattern for the test(s) that interest
you (to cut down on the amount of output):

grep '^score.*BAYES' /usr/share/spamassassin/*.cf

You will generally find that the default scores are in
50_scores.cf so you may be specific and change the grep
to only search that file (but I don't always remember
this so may just search them all out of laziness.)

--
Herb Martin
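
Added example, not part of any post in this thread: a small model of the three steps Loren lists and of the override order Herb describes, where a later "score" line replaces an earlier one and a zero score disables a test. It also covers the four-value form of the score line (one value per combination of Bayes and network tests). The file contents, the HITS list and the function names are constructed for the example.

```python
import re

# SpamAssassin accepts one or four values on a "score" line. With four, the
# value used depends on whether Bayes and network tests are enabled.
SCORE_SET = {(False, False): 0, (False, True): 1, (True, False): 2, (True, True): 3}
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")

# Constructed sample files. The values in score sets 1 and 3 of DEFAULT_CF are
# the ones visible in the two reports on this page; everything else is made up.
DEFAULT_CF = """
score MPART_ALT_DIFF  1.5 1.5 0.1 0.1
score BAYES_95        0   0   2.1 2.1
score URIBL_SC_SURBL  0   3.9 0   4.3
score HTML_FONT_BIG   0.2 0.2 0.1 0.1
"""
LOCAL_CF = """
score HM_GAPPY_SIG 3              # set the score for a local test
score HTML_FONT_BIG 0             # disable a stock test
score URIBL_SC_SURBL 0 5.0 0 5.0  # raise a stock score
"""
# Constructed: names of tests whose patterns would match one message.
HITS = ["MPART_ALT_DIFF", "BAYES_95", "URIBL_SC_SURBL", "HTML_FONT_BIG", "HM_GAPPY_SIG"]


def load_scores(config_texts):
    """Read 'score' lines from config texts given in load order.

    Returns {test_name: [set0, set1, set2, set3]}. A later line for the
    same test replaces the earlier one, which is why local.cf wins.
    """
    scores = {}
    for text in config_texts:
        for line in text.splitlines():
            match = SCORE_LINE.match(line)
            if not match:
                continue
            try:
                values = [float(v) for v in match.group(2).split()]
            except ValueError:
                continue  # not a plain numeric score line
            if len(values) == 1:
                values *= 4  # a single value applies to every score set
            if len(values) == 4:
                scores[match.group(1)] = values
    return scores


def effective_score(name, scores, bayes, net):
    """Score a test would contribute under the given configuration."""
    if name in scores:
        return scores[name][SCORE_SET[(bayes, net)]]
    # No score line anywhere: documented defaults are 1.0, or 0.01 for T_ rules.
    return 0.01 if name.startswith("T_") else 1.0


def score_message(matching_tests, scores, bayes, net):
    """Apply the three steps: skip zero-scored tests, then add up the hits."""
    counted = {}
    for name in matching_tests:
        value = effective_score(name, scores, bayes, net)
        if value == 0:
            continue  # step 1: a zero score means the test is not run
        counted[name] = value  # steps 2 and 3: it hit, so add its score
    return round(sum(counted.values()), 3), counted


if __name__ == "__main__":
    merged = load_scores([DEFAULT_CF, LOCAL_CF])
    for use_bayes in (False, True):
        total, counted = score_message(HITS, merged, bayes=use_bayes, net=True)
        print("bayes=%s total=%s %s" % (use_bayes, total, counted))
```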



Re: Pharamcudical list of words in a table

2005-09-06 Thread Loren Wilton
> Obviously, the OBFU rule set is not that sophisticated.

On the contrary, they are quite sophisticated in many cases.

> On top of that, the spammer (someone said it's Leo Kuvayev)

However, Leo is also quite sophisticated.  And he has changed his spam
generators in the last week to make things that SA can't currently detect.
The SARE obfu rules were last updated a couple of weeks ago.  That gives Leo
currently a 14 day or so headstart on the current SARE rulebase, and about 6
months headstart on the standard SA rulebase.

> keeps changing the URL it points to.  I've received it with
> inspectioflig(dot)com (scored 2.7) then with exclusivaven(dot)com (scored
> 6.4) , then with univnews(dot)com (scored 7.1)  and the last one was
> sinceschool(dot)com (scored 7.8)

*ALL* spammers buy multiple domain names in batches.  Leo buys them by the
hundreds at a time.  Just as he isn't stupid enough to send all spam from
the same machine since it would be very quickly cut off, he isn't stupid
enough to target all of a given spam to the same domain, because it will
quite quickly be blocked.

As near as I can tell, a run of spam from a given zombie typically is
targeted at a single domain.  However, Leo runs thousands or maybe hundreds
of thousands of zombies in any given spam run, and he changes the spam
slightly every few days, as best I can tell.

This means you have to step back, spend a few moments thinking like Leo,
look for what is common and what is uncommon in a spam run, and then target
specific rules to catch the stuff that is common.  It ain't that hard to do,
but it takes time to do it, and those of us that do that sort of thing often
only do it when we get annoyed about spam leaking into the inbox.  The rest
of the time we do our normal day jobs.  Leo also does his normal day job
most of the time.  But that happens to be making spam, so he spends more
time at it than the rest of us do.

I can see about ten ways to catch Leo's current batch.  However, they
weren't particularly interesting to me, since most of them are scoring about
40-70 here from net rules mostly.  If I get some time in the next day or two
I'll cut a set of rules for them.

Loren



Re: Pharamcudical list of words in a table

2005-09-06 Thread List Mail User
You have the unfortunate luck of being on the cutting edge
of the spam runs, most of these domains are now in 4 or 5 SURBL
lists, which will give you scores of close to 12 alone.  They are
also listed at Spamhaus as of yesterday and the name servers from
one day before.

A partial list at IP 220.80.107.186 is:


Locally I get these results for a test email with a single line of:

http://sinceschool.-com

X-Spam-Status: Yes, score=13.5 tests=RAZOR2_CF_RANGE_51_100=0.056.
RAZOR2_CHECK=1.511. URIBL_AB_SURBL=0.417. URIBL_JP_SURBL=2.462. 
URIBL_RHS_URIBL_BLACK=2.33. URIBL_SBL=0.996. URIBL_SC_SURBL=4.263. 
URIBL_WS_SURBL=1.462 autolearn=no version=3.0.4

This is with only the one local URIBL rule included.  With the
actual text and proper Bayes training, you should get another 3-4 points
and other local rules give me more.  Also, add in header points for coming
from dynamic hosts (mostly zombie-bots) and you should get another few
points.

I don't know if all of these are active yet, but they probably are.

All .com's changed to .-com to avoid the list's filter.

Paul Shupak
[EMAIL PROTECTED]


Re: Pharamcudical list of words in a table

2005-09-06 Thread M.Lewis
Very interesting Loren. I think a good assessment of whoever is sending 
the spam.


I spend a fair portion of my day trying to catch up (filter) these dudes 
out of my Inbox.


Thanks for the insights!

Mike







Re: Pharamcudical list of words in a table

2005-09-06 Thread Ilan Aisic
Loren,
Just wanted to thank you for the eloquent response and for your significant contributions to SARE and this list.

On 9/6/05, Loren Wilton [EMAIL PROTECTED] wrote:
> ...
> I'll cut a set of rules for them.
> Loren

--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org


Logging Spamc Connect Failures

2005-09-06 Thread Dan Mahoney, System Admin

Guys,

Does anything show up in mail logs when spamc fails to connect?

Is there any way to cause this to happen?  I just grepped my mailbox for 
!X-Spam-Check, and found (after eliminating those over 250K) about 23 
messages over the course of a couple weeks, in my mailbox alone.  Is there 
a way spamc could possibly just log that the connect failed within the 
message itself?  Or to syslog?


-Dan

--

When I'm lost, and confused, and trying to make a U-turn, nothing annoys
me more than someone telling me to watch out for the tombstone!

How often does that happen, Fab?

-David Feld  Tom Fabry, sometime in High School.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: Too many recipients

2005-09-06 Thread Irina
Hello Mark,

Thank you so much for your post to the list.  I don't feel we are alone now
and someone will start looking into the problem.

I also found the following reference to the same problem
http://www.nntp.perl.org/group/perl.perl5.porters/103500
Though, after increasing the stack size I learnt it did not fix it.

I meant to add a comment with the link (above) to your bug report, but was
not sure.  If you feel this will be useful, could you please do so?

Thank you again for contacting.  Hope to hear good news soon.

Irina
===

- Original Message - 
From: Mark Martinec [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Cc: Irina [EMAIL PROTECTED]
Sent: Monday, September 05, 2005 7:27 PM
Subject: Re: Too many recipients


> I came across the same problem as reported by Irina,
> but this time with Perl 5.8.7 and SA 3.1.0-rc2.
>
> Filed as bug #4570:
>   http://bugzilla.spamassassin.org/show_bug.cgi?id=4570
>
> Mark
>
>   P.S. sorry for a missing ref to a thread,
>   I fetched the subject from the archive





Spamc, spamassassin, different scores

2005-09-06 Thread Miguel Angel Rasero Peral (TCOR)

Hello, my system is a redhat 7.3 with these spamassassin versions and I
am using qmail in it.

machine:/etc/mail/spamassassin# spamassassin -V
SpamAssassin version 3.0.1
  running on Perl version 5.6.1
machine:/etc/mail/spamassassin# spamc -V
SpamAssassin Client version 3.0.1


The problem that I have is that I only want to launch spamassassin in my
account so I am using my .qmail-file to do it.
| spamassassin | preline procmail -t -m -p ./skuda/procmailrc

I know that I would be launching spamc and not spamassassin perl script
but I get different scores from the 2 programs.

SPAMC:
spamc -r 
skuda/Maildir/.spam/cur/1121844030.M156489P30796V0303I00436361_2015.betanetweb.com,S=9921:2,S
Spam detection software, running on the system betanetweb.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  neuroanotomy Incredible Prices on Rx Hurry While
  Supplies Last! [...]

Content analysis details:   (7.3 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.3 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.2 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.2 HTML_90_100            BODY: Message is 90% to 100% HTML
 1.1 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 0.1 DNS_FROM_AHBL_RHSBL    RBL: From: sender listed in dnsbl.ahbl.org
 3.9 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: weofferaselection.com]
 0.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: weofferaselection.com]
-0.6 AWL                    AWL: From: address is in the auto white-list


Spamassassin:
spamassassin 
cur/1121844030.M156489P30796V0303I00436361_2015.betanetweb.com,S=9921:2,S

From [EMAIL PROTECTED] Fri Nov 12 12:53:26 2004
Received: from localhost by betanetweb.com
with SpamAssassin (version 3.0.1);
Tue, 06 Sep 2005 16:24:08 +0200
From: VicoRx  6 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: *SPAM* Your order
Date: Fri, 12 Nov 2004 07:50:35 -0500 (MSD)
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on
betanetweb.com
X-Spam-Status: Yes, score=11.0 required=4.0 tests=BAYES_95,

DNS_FROM_AHBL_RHSBL,HTML_90_100,HTML_FONT_BIG,HTML_IMAGE_RATIO_02,
HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,NO_DNS_FOR_FROM,
URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=no version=3.0.1
X-Spam-Level: **
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_431DA688.5E031C81

This is a multi-part message in MIME format.
=_431DA688.5E031C81
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system betanetweb.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  neuroanotomy Incredible Prices on Rx Hurry While
  Supplies Last! [...]

Content analysis details:   (11.0 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
 2.1 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9714]
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 1.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.0 HTML_90_100            BODY: Message is 90% to 100% HTML
 1.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 0.3 DNS_FROM_AHBL_RHSBL    RBL: From: sender listed in dnsbl.ahbl.org
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: weofferaselection.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: weofferaselection.com]

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.



Re: Spamc, spamassassin, different scores

2005-09-06 Thread Andy Jezierski

Miguel Angel Rasero Peral (TCOR) [EMAIL PROTECTED]
wrote on 09/06/2005 10:19:29 AM:

> Hello, my system is a redhat 7.3 with this spamassassin versions and i
> am using qmail in it.
>
> machine:/etc/mail/spamassassin# spamassassin -V
> SpamAssassin version 3.0.1
>   running on Perl version 5.6.1
> machine:/etc/mail/spamassassin# spamc -V
> SpamAssassin Client version 3.0.1
>
> The problem that i have is that i only want to launch spamassassin in my
> account so i am using my .qmail-file to do it.
> | spamassassin | preline procmail -t -m -p ./skuda/procmailrc
>
> I know that i would be launching spamc and not spamassassin perl script
> but i get different scores from the 2 programs.

Are you running the spamassassin command under the
same userid as spamd is running under? Looks like spamd is using bayes
that spamassassin did not have, and spamassassin had a negative AWL score
that spamd didn't have. 

Andy

Re: Spamc, spamassassin, different scores

2005-09-06 Thread Tim Litwiller

Miguel Angel Rasero Peral (TCOR) wrote:

> Hello, my system is a redhat 7.3 with this spamassassin versions and i
> am using qmail in it.
>
> The problem that i have is that i only want to launch spamassassin in my
> account so i am using my .qmail-file to do it.
> | spamassassin | preline procmail -t -m -p ./skuda/procmailrc
>
> I know that i would be launching spamc and not spamassassin perl script
> but i get different scores from the 2 programs.



I have this in my .qmail file

| /usr/bin/procmail ~/.procmailrc

and then in .procmailrc I first sort out all my mailing lists by 
matching headers and then call spamc and then dump high scores > 14 to 
/dev/null and 5 - 14 to a Junk mail folder.


# 
# put satalk in its own folder
# 
:0 H:
* ^List-Id:[EMAIL PROTECTED]
satalk/new

# ---
# run thru spamassassin
# ---
:0fw
| spamc

# ---
# catch high scores
# (( )) is shell arithmetic; it needs a SHELL that supports it, such as bash
# ---
:0 H:
* ^X-Spam-Status: +(yes|no), +score=\/[^. ]*
* ? (( ${MATCH} > 14 ))
/dev/null

# ---
# put the rest in Junk folder
# ---
:0 H:
* ^X-Spam-Status: Yes.*
Junk/new


I get the same score with spamc and spamassassin - different scores 
would indicate that you aren't running thru the same rulesets or bayes.





> I dont know what happening, on other side i have any times that email
> get my inbox without be analyzed because i cant see in his code the
> spamassassin headers i suppose that its because any timeout or by the
> way i use in .qmail file to call spamassassin, anyone can help me
> please?





Re: Spamc, spamassassin, different scores

2005-09-06 Thread Matt Kettler
Andy Jezierski wrote:

> Are you running the spamassassin command under the same userid as spamd
> is running under? Looks like spamd is using bayes that spamassassin did
> not have, and spamassassin had a negative AWL score that spamd didn't
> have.


Definitely not.

Look at the prompts. Miguel is running spamassassin as root.

Miguel is running spamc as root, but spamd will *NEVER* scan mail as root. It
will setuid itself to nobody if it finds this situation.

This causes a huge difference, because only the root account has bayes training,
but spamd will never use it.

Notice that the spamassassin (run as root) version has BAYES_95 matching, but
the  spamc one does not.

Miguel, this is your problem: you can't train with sa-learn as root and expect
this to impact mail run through spamc, unless you set up a global bayes 
database.

Ideally, I'd suggest creating a spamd user, and running spamd with -u spamd.
Then when you train mail with sa-learn, just su yourself to spamd first. This
way everything all gets scanned using the same bayes db. You also get the
security benefit of all scanning being done as a user that isn't used for
anything else.

If that's not practical, use bayes_path and bayes_file_mode 0777 together in
your local.cf to create a single bayes DB that gets used no matter what user
calls SA.

(Warnings: use bayes_file_mode 0777, not 0666. Also, read the docs on bayes_path
very carefully. It's not just a path. The last part is actually the start of a
filename, not a directory name)
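
Added example, not part of any post in this thread: a way to compare two "Content analysis details" reports for the same message and point at the cause of a score difference, as Matt does by eye above. The two report texts are re-typed from the reports earlier on this page with the column spacing restored and descriptions dropped; the function names and finding labels are constructed for the example.

```python
import re

# One report row: points, then the rule name. Continuation lines such as
# "[URIs: ...]" or "[score: 0.9714]" do not start with a number and are skipped.
ROW = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")

# Re-typed from the spamc report on this page (run through spamd).
SPAMC_REPORT = """
 1.5 MPART_ALT_DIFF
 0.3 MIME_HTML_MOSTLY
 0.0 HTML_MESSAGE
 0.2 HTML_FONT_BIG
 0.2 HTML_90_100
 1.1 NO_DNS_FOR_FROM
 0.1 DNS_FROM_AHBL_RHSBL
 3.9 URIBL_SC_SURBL
     [URIs: weofferaselection.com]
 0.5 URIBL_WS_SURBL
-0.6 AWL
"""

# Re-typed from the spamassassin report on this page (run as root).
SPAMASSASSIN_REPORT = """
 0.1 MPART_ALT_DIFF
 2.1 BAYES_95
     [score: 0.9714]
 0.0 HTML_IMAGE_RATIO_02
 1.0 MIME_HTML_MOSTLY
 0.0 HTML_MESSAGE
 0.1 HTML_FONT_BIG
 0.0 HTML_90_100
 1.6 NO_DNS_FOR_FROM
 0.3 DNS_FROM_AHBL_RHSBL
 4.3 URIBL_SC_SURBL
 1.5 URIBL_WS_SURBL
"""

FINDINGS = {
    "bayes-db": "BAYES_* hit in only one run: the runs do not share a Bayes database",
    "awl-db": "AWL hit in only one run: the runs do not share an auto-whitelist",
    "score-set": "same rules, different points: a different score set or score overrides",
}


def parse_report(text):
    """Return {rule_name: points} for every row of a report."""
    hits = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            hits[match.group(2)] = float(match.group(1))
    return hits


def compare(first, second):
    """Rules only in the first run, only in the second, and scored differently."""
    only_first = sorted(set(first) - set(second))
    only_second = sorted(set(second) - set(first))
    rescored = sorted(n for n in set(first) & set(second) if first[n] != second[n])
    return only_first, only_second, rescored


def diagnose(first, second):
    """Return the keys of FINDINGS that apply to this pair of runs."""
    rescored = compare(first, second)[2]
    has_bayes = [any(n.startswith("BAYES_") for n in run) for run in (first, second)]
    findings = []
    if has_bayes[0] != has_bayes[1]:
        findings.append("bayes-db")
    if ("AWL" in first) != ("AWL" in second):
        findings.append("awl-db")
    if rescored:
        findings.append("score-set")
    return findings


if __name__ == "__main__":
    via_spamd = parse_report(SPAMC_REPORT)
    as_root = parse_report(SPAMASSASSIN_REPORT)
    print(compare(via_spamd, as_root))
    for key in diagnose(via_spamd, as_root):
        print(key, "-", FINDINGS[key])
```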





Re: protecting SQL login info

2005-09-06 Thread Dan Mahoney, System Admin

On Tue, 6 Sep 2005, Eric W. Bates wrote:


> This is perhaps a little elaborate; and I have not tried to hook this
> into SA; but we are quite happy with a little bit of misdirection we use
> for the tools we have reading/writing to the SQL.
>
> There is a specified directory (call it dbpasswords).  In the directory
> there is a file for each login.  The file is named with the user's login
> name.  The contents of the file is the password.  The file is owned by
> the user in question with perms 400.
>
> Subsequently we overload/patch any code that needs a login (e.g.
> Class::DBI::mysql::set_db()) such that the EUID is used in getpwent to
> get the username, and thereby the password.
>
> This way, no passwords are ever embedded in any code or config files and
> there is one single location to change when the passwords are updated.
> This does require that the username used on the system is the same as
> the username for SQL. We frequently use suid to change the EUID of the
> web server to something with special access in the SQL (e.g. dbwriter).
> This special user usually has even lower permission level than the web
> server; with the exception of SQL access.
>
> We use this technique for CGI, mod_perl, php, etc. I have not examined
> SA 3 for use of this trick; but we are going try sometime soon.


No, there's one single user for ALL the database access.  Spamd doesn't 
support per-user SQL logins and passwords.


With spamc/spamd this is not a problem, as spamd runs on a machine that 
the shell users don't have access to (and reads the SQL login as root 
before dropping its privileges).


However, for sa_learn, and things like spamassassin -r (which essentially 
is the same as sa-learn), they need to write to AWL/Bayes -- and since 
they run as the user, they need to be able to read/write the SQL login 
info even while running as that user.


However, if *they* can read it there's nothing stopping a malicious user 
from just logging in and deleting all the table data (said user needs the 
delete privilege...they may not be able to drop the tables if I revoke the 
drop priv, but they can still delete all the data)


-Dan



> Dan Mahoney, System Admin wrote:
>
> > Hey all,
> >
> > I'm doing everything (bayes, AWL, userprefs) in SQL.  Is there some way
> > to protect the values I've got in /etc/mail/spamassassin/local.cf such
> > as my mysql username and password from casual snoopage?
> >
> > Only thing I could think of was to make SA setGID, and have the file
> > chmod 750.
> >
> > Any better ideas?
> >
> > -Dan



--
Eric W. Bates
[EMAIL PROTECTED]

--

Station!

-Bill  Ted's Bogus Journey

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
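
Added example, not part of any post in this thread and not code from SpamAssassin or from Eric's site: a sketch of the per-user password file lookup described in the quoted text above (one file per login in a directory, owned by that user, mode 400, found through the effective UID). The function name, the exception class and the `lookup` parameter are hypothetical; `lookup` exists so the passwd lookup can be replaced in tests.

```python
import os
import pwd
import stat


class CredentialError(Exception):
    """The password file is missing or does not meet the ownership rules."""


def load_db_password(directory, euid=None, lookup=pwd.getpwuid):
    """Return the password stored for the current effective user.

    directory: the password directory (the post calls it "dbpasswords").
    The file must be a regular file named after the login, owned by the
    effective UID, with mode exactly 0400 as described in the post.
    """
    euid = os.geteuid() if euid is None else euid
    username = lookup(euid).pw_name
    # The login name becomes a file name, so refuse anything path-like.
    if not username or "/" in username or username in (".", ".."):
        raise CredentialError("unusable login name: %r" % username)

    path = os.path.join(directory, username)
    try:
        # O_NOFOLLOW: a symlink planted in the directory is not followed.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise CredentialError("cannot open %s: %s" % (path, exc))

    try:
        # Check the opened descriptor, not the path, so the file that was
        # checked is the file that gets read.
        info = os.fstat(fd)
        if not stat.S_ISREG(info.st_mode):
            raise CredentialError("%s is not a regular file" % path)
        if info.st_uid != euid:
            raise CredentialError("%s is not owned by uid %d" % (path, euid))
        mode = stat.S_IMODE(info.st_mode)
        if mode != 0o400:
            raise CredentialError("%s has mode %04o, expected 0400" % (path, mode))
        with os.fdopen(fd, "r") as handle:
            fd = None  # the file object now owns the descriptor
            return handle.readline().rstrip("\n")
    finally:
        if fd is not None:
            os.close(fd)
```

As Dan's reply points out, this only helps where each system user has its own SQL login; a password that a shell user can read is still usable by that user for anything the SQL account is allowed to do.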



Re: [sa-list] Re: Spamc, spamassassin, different scores

2005-09-06 Thread Matt Kettler
Dan Mahoney, System Admin wrote:

> > Definitely not.
> >
> > Look at the prompts. Miguel is running spamassassin as root.
> >
> > Miguel is running spamc as root, but spamd will *NEVER* scan mail as
> > root. It will setuid itself to nobody if it finds this situation.
>
> At least, not on a recent version -- this was a rather prominent bug
> under many OSen.

Very true, that is a definite caveat to my statement that spamd will never scan
mail as root. I suppose a better statement would be spamd should never scan
mail as root.

That said, AFAIK the many OSen are limited to *BSD variants, including Mac OS X.

In this case RedHat is the OS, which is Linux kernel based, which I think is
immune to this issue due to differences in how the Linux kernel handles setuid
as compared to the BSD kernel.


Trouble viewing list of SA tests for 3.0 on web site

2005-09-06 Thread tom
For days I have been trying to see all of the tests used by SA at the
following URL:
http://spamassassin.apache.org/tests_3_0_x.html
I'm using Win XP and had the same results with Firefox & IE6.  The page
would partially load & then just stall.  Finally, today I was able to
get the entire page to display after resending the URL about a hundred
times.  Someone with a Unix machine told me he was able to see the
page with no problems.  I have the info I need now but I thought I would
mention it, in case others have had problems.
Tom

 



Re: Spamc, spamassassin, different scores

2005-09-06 Thread Miguel Angel Rasero Peral (TCOR)
Yeah this was my problems, Thanks.

El mar, 06-09-2005 a las 12:00 -0400, Matt Kettler escribió:
 Andy Jezierski wrote:
  
  
  Are you running the spamassassin command under the same userid as spamd
  is running under? Looks like spamd is using bayes that spamassassin did
  not have, and spamassassin had a negative AWL score that spamd didn't
  have.  
 
 
 Definitely not.
 
 Look at the prompts. Miguel is running spamassassin as root.
 
 Miguel is running spamc as root, but spamd will *NEVER* scan mail as root. It
 will setuid itself to nobody if it finds this situation.
 
 This causes a huge difference, because only the root account has bayes 
 training,
 but spamd will never use it.
 
 Notice that the spamassassin (run as root) version has BAYES_95 matching, but
 the  spamc one does not.
 
 Miguel, this is your problem: you can't train with sa-learn as root and expect
 this to impact mail run through spamc, unless you set up a global bayes 
 database.
 
 Ideally, I'd suggest creating a spamd user, and running spamd with -u spamd.
 Then when you train mail with sa-learn, just su yourself to spamd first. This
 way everything all gets scanned using the same bayes db. You also get the
 security benefit of all scanning being done as a user that isn't used for
 anything else.
 
 If that's not practical, use bayes_path and bayes_file_mode 0777 together in
 your local.cf to create a single bayes DB that gets used no matter what user
 calls SA.
 
 (Warnings: use bayes_file_mode 0777, not 0666. Also, read the docs on bayes_path
 very carefully. It's not just a path. The last part is actually the start of a
 filename, not a directory name)
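
The diagnosis in this thread came from comparing the rule hits of the two runs and noticing that only per-user rules (BAYES_*, AWL) differed. The following is an added example, not code from the thread or from SpamAssassin: it parses two reports in the "points RULE description" layout and flags that pattern. The two sample reports are constructed, not Miguel's actual output, and the function names are hypothetical.

```python
import re

# One hit line of a report: "<points> <RULE_NAME> <description>".
# Continuation lines such as "[score: ...]" do not match and are skipped.
HIT = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")

# Rules whose outcome depends on per-user state (Bayes DB, auto-whitelist),
# so they change with the account the scan runs as.
PER_USER = re.compile(r"^(BAYES_\d+|AWL)$")

def parse_report(text):
    """Return {rule: points} for every hit line in a report."""
    hits = {}
    for line in text.splitlines():
        m = HIT.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    return hits

def compare_runs(run_a, run_b):
    """Diff two scans of the same message and single out per-user rules."""
    a, b = parse_report(run_a), parse_report(run_b)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    per_user = [r for r in only_a + only_b if PER_USER.match(r)]
    return {
        "total_a": round(sum(a.values()), 1),
        "total_b": round(sum(b.values()), 1),
        "only_a": only_a,
        "only_b": only_b,
        "per_user_state": per_user,
        # True means the two scans most likely used different user state.
        "per_user_mismatch": bool(per_user),
    }

# Constructed sample: the same message scanned with "spamassassin" as root ...
AS_ROOT = """\
 0.1 HTML_MESSAGE  BODY: HTML included in message
 3.0 BAYES_95  BODY: Bayesian spam probability is 95 to 99%
     [score: 0.9700]
-1.2 AWL  AWL: From: address is in the auto white-list
 1.7 SARE_FWDLOOK  BODY: Forward looking statements about stocks
"""
# ... and through spamc, where spamd scans as an unprivileged user.
VIA_SPAMC = """\
 0.1 HTML_MESSAGE  BODY: HTML included in message
 1.7 SARE_FWDLOOK  BODY: Forward looking statements about stocks
"""

if __name__ == "__main__":
    for key, value in compare_runs(AS_ROOT, VIA_SPAMC).items():
        print(f"{key}: {value}")
```
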
 
 
 



Re: [sa-list] Re: OTC stock spam

2005-09-06 Thread Dan Mahoney, System Admin

On Thu, 26 May 2005, Loren Wilton wrote:


I'm not going to try running that, but I've got a pile of rules that catch
stock scams like that.  SARE has a good bunch of them, the better ones of
course.

Here, the most recent spam I got was a stock spam.  It hit:

1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
2.0 LW_OTCBB               BODY: Reference to stock
1.0 LW_1933                BODY: Reference to Securities Act
0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
2.7 NOT_ADVISOR            BODY: Not registered investment advisor
0.3 SARE_MILLIONSOF        BODY: Millions of something.
0.1 HTML_MESSAGE           BODY: HTML included in message
5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                           [score: 1.]
0.9 FM_NO_STYLE            FM_NO_STYLE


Loren,

Where can I find those LW_* rules?  Or are they part of your private 
collection?


-Dan

--

Don't try to out-weird me.  I get stranger things than you free with my
breakfast cereal.

-Button seen at I-CON XVII (and subsequently purchased)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: [sa-list] Re: OTC stock spam

2005-09-06 Thread M.Lewis

Also what did you use to get the report?

Dan Mahoney, System Admin wrote:

On Thu, 26 May 2005, Loren Wilton wrote:

I'm not going to try running that, but I've got a pile of rules that catch
stock scams like that.  SARE has a good bunch of them, the better ones of
course.

Here, the most recent spam I got was a stock spam.  It hit:

1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
2.0 LW_OTCBB               BODY: Reference to stock
1.0 LW_1933                BODY: Reference to Securities Act
0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
2.7 NOT_ADVISOR            BODY: Not registered investment advisor
0.3 SARE_MILLIONSOF        BODY: Millions of something.
0.1 HTML_MESSAGE           BODY: HTML included in message
5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                           [score: 1.]
0.9 FM_NO_STYLE            FM_NO_STYLE



Loren,

Where can I find those LW_* rules?  Or are they part of your private 
collection?


-Dan

--

Don't try to out-weird me.  I get stranger things than you free with my
breakfast cereal.

-Button seen at I-CON XVII (and subsequently purchased)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---





Re: protecting SQL login info

2005-09-06 Thread Michael Parker
Dan Mahoney, System Admin wrote:


 With spamc/spamd this is not a problem, as spamd runs on a machine
 that the shell users don't have access to (and reads the SQL login as
 root before dropping its privileges).

 However, for sa_learn, and things like spamassassin -r (which
 essentially is the same as sa-learn), they need to write to AWL/Bayes
 -- and since they run as the user, they need to be able to read/write
 the SQL login info even while running as that user.


SA 3.1 lets you move this functionality to spamd as well.

Michael




Re: protecting SQL login info

2005-09-06 Thread Dan Mahoney, System Admin

On Tue, 6 Sep 2005, Michael Parker wrote:


Dan Mahoney, System Admin wrote:



With spamc/spamd this is not a problem, as spamd runs on a machine
that the shell users don't have access to (and reads the SQL login as
root before dropping its privileges).

However, for sa_learn, and things like spamassassin -r (which
essentially is the same as sa-learn), they need to write to AWL/Bayes
-- and since they run as the user, they need to be able to read/write
the SQL login info even while running as that user.






SA 3.1 lets you move this functionality to spamd as well.


which means what, the user would have to call a spamc string like this?

| /usr/local/bin/spamc -d quark.gushi.org -S -u [EMAIL PROTECTED] -r

** Spamd needs a config file, preferably with a setGID startup so only 
spamd can read it.


** Spamd also needs a list of trusted users who can call it with -u, so 
not just any jerk can poison my bayes tables.


** Spamd also needs an option to include a hostname in the username it 
sends to spamassassin, either in the config file, or overridden on the 
command line (possibly only by trusted_users).


For speed, any of the above COULD be compile-time options.

Are any of these ideas in the queue?

-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
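
The exposure discussed in this thread is that a config file holding the SQL password has to be readable by whichever account runs sa-learn. The following is an added example, not code from the thread or from the SpamAssassin project: it lists the .cf files in a directory that contain an SQL password option and reports permission bits that expose it. The directory layout, file names and password values are constructed placeholders.

```python
import os
import re
import stat
import tempfile

# SpamAssassin options that hold an SQL password (Bayes, AWL, user scores).
SECRET = re.compile(
    r"^\s*(bayes_sql_password|user_awl_sql_password|user_scores_sql_password)\s+\S",
    re.MULTILINE,
)

def audit_sql_secrets(conf_dir):
    """Return {filename: [problems]} for .cf files that contain an SQL password."""
    findings = {}
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not name.endswith(".cf") or not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            keys = sorted(set(SECRET.findall(fh.read())))
        if not keys:
            continue  # no credentials in this file, nothing to check
        mode = stat.S_IMODE(os.stat(path).st_mode)
        problems = []
        if mode & stat.S_IROTH:
            problems.append("world-readable: any shell user can read " + ", ".join(keys))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("group/other-writable: the login or DSN can be replaced")
        findings[name] = problems
    return findings

def build_sample(conf_dir):
    """Write a constructed config tree (placeholder values, not a real site)."""
    samples = {
        # Readable by every account so that sa-learn works for shell users.
        "local.cf": (0o644, "bayes_sql_username sa\nbayes_sql_password EXAMPLE-ONLY\n"),
        # Readable only by owner and group, e.g. root plus a dedicated spamd group.
        "sql.cf": (0o640, "user_awl_sql_password EXAMPLE-ONLY\n"),
        # No credentials: permissions do not matter for this check.
        "scores.cf": (0o644, "score BAYES_99 5.0\n"),
    }
    for name, (mode, body) in samples.items():
        path = os.path.join(conf_dir, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, problems in audit_sql_secrets(tmp).items():
            print(name, "->", problems or "ok")
```
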



Re: [sa-list] Re: OTC stock spam

2005-09-06 Thread Dan Mahoney, System Admin

On Tue, 6 Sep 2005, M.Lewis wrote:


Also what did you use to get the report?


The report shows up in most setups in any spam email.  Considering this 
one scored the way it did, I'm pretty sure it scored as spam.


-Dan




Dan Mahoney, System Admin wrote:

On Thu, 26 May 2005, Loren Wilton wrote:


I'm not going to try running that, but I've got a pile of rules that catch
stock scams like that.  SARE has a good bunch of them, the better ones of
course.

Here, the most recent spam I got was a stock spam.  It hit:

1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
2.0 LW_OTCBB               BODY: Reference to stock
1.0 LW_1933                BODY: Reference to Securities Act
0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
2.7 NOT_ADVISOR            BODY: Not registered investment advisor
0.3 SARE_MILLIONSOF        BODY: Millions of something.
0.1 HTML_MESSAGE           BODY: HTML included in message
5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                           [score: 1.]
0.9 FM_NO_STYLE            FM_NO_STYLE



Loren,

Where can I find those LW_* rules?  Or are they part of your private 
collection?


-Dan

--

Don't try to out-weird me.  I get stranger things than you free with my
breakfast cereal.

-Button seen at I-CON XVII (and subsequently purchased)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---







--

Little tramp sits in her room all day, sewing dolls!  Children
misbehaving in the basement, and one in the walls, doing his business God
knows where!  You children will be the death of me, *sniff*.

'Mommy', The People Under The Stairs


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: [sa-list] Re: OTC stock spam

2005-09-06 Thread jdow

He's more aggressive than I am. For him spam is 4.6. For me it's 5.0 and
I only score BAYES_99 at 5.0 points.
{^_-}
- Original Message - 
From: Dan Mahoney, System Admin [EMAIL PROTECTED]




On Tue, 6 Sep 2005, M.Lewis wrote:


Also what did you use to get the report?


The report shows up in most setups in any spam email.  Considering this 
one scored the way it did, I'm pretty sure it scored as spam.


-Dan




Dan Mahoney, System Admin wrote:

On Thu, 26 May 2005, Loren Wilton wrote:

I'm not going to try running that, but I've got a pile of rules that catch
stock scams like that.  SARE has a good bunch of them, the better ones of
course.

Here, the most recent spam I got was a stock spam.  It hit:

1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
2.0 LW_OTCBB               BODY: Reference to stock
1.0 LW_1933                BODY: Reference to Securities Act
0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
2.7 NOT_ADVISOR            BODY: Not registered investment advisor
0.3 SARE_MILLIONSOF        BODY: Millions of something.
0.1 HTML_MESSAGE           BODY: HTML included in message
5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                           [score: 1.]
0.9 FM_NO_STYLE            FM_NO_STYLE



Loren,

Where can I find those LW_* rules?  Or are they part of your private 
collection?


-Dan





Re: SpamAssassin perceptron curiousity

2005-09-06 Thread Chris Thielen

Hi Felix,

[EMAIL PROTECTED] wrote:


I got a bit of curiosity in my brain about neural networks, and
someone suggested I take a look at how SpamAssassin trains itself.  I
have been looking into .../masses and come across some things which
set off warning bells.  I don't think I have actually found any bugs,
but it isn't clear to me what is going on, there are some unused
variables, and I pathetically justify my intrusion on your time with
the thought that there *might* be a bug ... :-)
 




You may want to try sending this to the dev list as most of the 
developers don't have time to track the users list in depth.


Chris




Re: [sa-list] Re: OTC stock spam

2005-09-06 Thread qqqq
Loren,

Will you post your LW Stox based rules?  I think we would all like to see them.


- Original Message - 
From: Dan Mahoney, System Admin [EMAIL PROTECTED]
To: Loren Wilton [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Tuesday, September 06, 2005 2:41 PM
Subject: Re: [sa-list] Re: OTC stock spam


| On Thu, 26 May 2005, Loren Wilton wrote:
| 
|  I'm not going to try running that, but I've got a pile of rules that catch
|  stock scams like that.  SARE has a good bunch of them, the better ones of
|  course.
| 
|  Here, the most recent spam I got was a stock spam.  It hit:
| 
|  1.8 LOCAL_OBFU_GENERIC     BODY: Obfuscated 'GENERIC' in body
|  0.6 J_CHICKENPOX_48        BODY: 4alpha-pock-8alpha
|  0.5 FB_INVEST_ADVICE       BODY: /invest.{1,15}advice/i
|  1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
|  0.6 J_CHICKENPOX_71        BODY: 7alpha-pock-1alpha
|  1.0 LW_LOAN                BODY: /\bl.?o.?a.?n\b/i
|  1.1 FB_SAVE_PERSC          BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
|  2.0 LW_OTCBB               BODY: Reference to stock
|  1.0 LW_1933                BODY: Reference to Securities Act
|  0.7 SARE_MONEYTERMS        BODY: Talks about money in some way.
|  0.6 J_CHICKENPOX_53        BODY: 5alpha-pock-3alpha
|  2.7 NOT_ADVISOR            BODY: Not registered investment advisor
|  0.3 SARE_MILLIONSOF        BODY: Millions of something.
|  0.1 HTML_MESSAGE           BODY: HTML included in message
|  5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
|                             [score: 1.]
|  0.9 FM_NO_STYLE            FM_NO_STYLE
| 
| Loren,
| 
| Where can I find those LW_* rules?  Or are they part of your private 
| collection?
| 
| -Dan
| 
| --
| 
| Don't try to out-weird me.  I get stranger things than you free with my
| breakfast cereal.
| 
| -Button seen at I-CON XVII (and subsequently purchased)
| 
| Dan Mahoney
| Techie,  Sysadmin,  WebGeek
| Gushi on efnet/undernet IRC
| ICQ: 13735144   AIM: LarpGM
| Site:  http://www.gushi.org
| ---
| 
| 


Re: RDJ/Curl issue...

2005-09-06 Thread Chris Thielen

Hi Jamie,

Jamie Pratt wrote:


Hi. RDJ has broken on me apparently - no updates in a month(?)..

Seems to be a curl issue ?...

-- RANDOMVAL --
RULESET_NAME=RANDOMVAL
INDEX=11
CF_URL=http://www.stearns.org/sa-blacklist/random.current.cf
CF_FILE=random.cf
CF_NAME=William Stearn's RANDOM WORD Ruleset
PARSE_NEW_VER_SCRIPT=grep -i '^#release' | tail -n 1
CF_MUNGE_SCRIPT=
Old random.current.cf already existed in /etc/mail/spamassassin/RulesDuJour...
Retrieving file from http://www.stearns.org/sa-blacklist/random.current.cf...
exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/random.current.cf http://www.stearns.org/sa-blacklist/random.current.cf 2>&1

curl_output: 304

random.current.cf was up to date [skipped downloading of http://www.stearns.org/sa-blacklist/random.current.cf ] ...

No files updated; No restart required.


Any ideas why curl is seeming to have issues? (wget doesn't seem to
work either?)


How have you determined curl is failing?  The output I see above looks 
normal for a RDJ run where nothing has been updated.  The curl_output: 
304 indicates a HTTP 304 response, which means not modified, use local 
copy.



Chris Thielen




Re: Pharamcudical list of words in a table

2005-09-06 Thread Kenneth Porter
--On Tuesday, September 06, 2005 12:38 AM -0700 List Mail User 
[EMAIL PROTECTED] wrote:



You have the unfortunate luck of being on the cutting edge
of the spam runs, most of these domains are now in 4 or 5 SURBL
lists, which will give you scores of close to 12 alone.


Greylisting would help here. If you greylist an unknown source long enough, 
and it gets into SURBL during the delay, you'll get the SURBL score boost 
when (if) the retry is attempted.


Alas, commercial recipients can't use greylisting as effectively because 
they expect to accept legitimate mail from a lot more unknown senders.


And greylisting during a disaster like Katrina could block mail from 
friends using unusual modes of sending (like an Internet cafe terminal).





Re: ANNOUNCE: SpamAssassin 3.1.0-rc2 release candidate available!

2005-09-06 Thread Justin Mason


Loren Wilton writes:
 It isn't fixed in rc2.
 
 You only posted that analysis 2 days before the rc2 release, and the tarball
 had already been cut at the time you posted the message.  (It takes a day or
 two between release cutoff and the release showing up, since it needs to be
 tested before the announcement.)
 
 Furthermore, you only posted the notice here in the users group where it
 could easily be missed by the SA devs.  The proper thing to do is open a bug
 in Bugzilla on this subject, and include the info that you posted here.
 
 FWIW, the change that is causing the problems was a deliberate change to
 work around another problem in another tool.  So the fix isn't likely to be
 as simple as backing out that change, since that would just bring the
 previous bug back.

Following up on this -- yes, Loren has nailed it here.  It would be
best to open this as a bug in bugzilla for further followup.

--j. (just back from a week's vacation)



Re: Pharamcudical list of words in a table

2005-09-06 Thread hamann . w
 
 --On Tuesday, September 06, 2005 12:38 AM -0700 List Mail User 
 [EMAIL PROTECTED] wrote:
 
 You have the unfortunate luck of being on the cutting edge
  of the spam runs, most of these domains are now in 4 or 5 SURBL
  lists, which will give you scores of close to 12 alone.
 
 Greylisting would help here. If you greylist an unknown source long enough, 
 and it gets into SURBL during the delay, you'll get the SURBL score boost 
 when (if) the retry is attempted.
 
 Alas, commercial recipients can't use greylisting as effectively because 
 they expect to accept legitimate mail from a lot more unknown senders.
 
 And greylisting during a disaster like Katrina could block mail from 
 friends using unusual modes of sending (like an Internet cafe terminal).
 
I know the problem with commercial recipients but I don't fully understand it
(running a mailserver for clients that don't like greylist, myself).
Basically a short greylist hold time (few minutes) is sufficient to block spam
from machines sending directly to your server. The internet cafe is supposed to
send via an upstream mail relay or run their own mailserver, so the message
would get through within minutes.
The one thing that is stopped by greylisting is the ability to ask a new
contact on the phone to mail some material, and then discuss it right away
(and in real life mail delivery often is not that instantaneous, anyway)

Wolfgang Hamann