How to control the scoring for spam
Hi all,

SpamAssassin passes every incoming mail through various tests (using spamd/spamc) to determine whether the mail is spam according to the score (as per my knowledge). But I want to know how this scoring will happen for each test. Can we control or make the scoring mechanism fit our own needs? If possible, how can we do that? How will I understand the scoring of a spam mail as determined by SpamAssassin? Any help...

Thanks for your time.

Suresh Kumar
Re: Pharmaceutical list of words in a table
Hi again,

I keep getting this kind of pharm. spam where a list of drugs and their prices is arranged in an HTML table. I'm using all the SARE rules including the OBFU ones (which I've added thanks to recommendations in this thread). However, only SARE_HTML_MANY_BR05 fires ("Tooo many br's!").

Indeed, the way this is arranged is that this is in a cell in the first column:

    <B>Vi</B><BR>

The matching cell of the next table column is:

    <B>ag</B><BR>

The next is:

    <B>ra</B>

And in between there are all the other pairs of letters for the other drugs and the HTML command:

    <DIV style=FLOAT: left;>

Obviously, the OBFU rule set is not that sophisticated. On top of that, the spammer (someone said it's Leo Kuvayev) keeps changing the URL it points to. I've received it with inspectioflig(dot)com (scored 2.7), then with exclusivaven(dot)com (scored 6.4), then with univnews(dot)com (scored 7.1), and the last one was sinceschool(dot)com (scored 7.8).

So, the good news is that in spite of the spammer's effort, the score gets higher and higher (due to increased efficiency of the network checks), but on my system it should reach 12 to be totally trashed. For scores above 5 it only marks the subject as potential spam.

-- Ilan Aisic
Re: How to control the scoring for spam
> ...(as per my knowledge). But I want to know how this scoring will happen for each test. Can we control or...

Step 1: Look at the test score. Is it non-zero? If yes, go to step 2.
Step 2: Run the test. Does it hit? If yes, go to step 3.
Step 3: Take the score value and add it to the score for the current mail.

The scores are mostly in 50_scores.cf. You can copy all or part of this into local.cf or 99_myscores.cf or something like that, and change any score to any value you want. Keep in mind that the existing scores are there for a reason, and randomly and wholesale changing the scores probably isn't going to result in a better spam-catching system.

Loren
Re: Pharmaceutical list of words in a table
Ilan,

I believe this is the *exact* same dude/dudette that I was referring to with the topic 'Rule Question'.

Mike
RE: How to control the scoring for spam
> Hi all, SpamAssassin passes every incoming mail through various tests (using spamd/spamc) to determine the mail as spam according to the score (as per my knowledge).

Technically spamc is just a small executable to send the file to spamd, which is a daemon that keeps SpamAssassin in memory so that it isn't necessary to re-initialize SA for every message (and read all of the SA files etc. as part of that initialization).

> But I want to know how this scoring will happen for each test. Can we control or make the scoring mechanism fit our own needs?

Every test can be given a score -- and usually is. A later reference of that score will override any previous setting, so you can add scores in your local.cf to override the default (increase, decrease, or even disable a test by setting it to zero).

> If possible, how can we do that? How will I understand the scoring of spam mail determined by SpamAssassin? Any help...

Use a line (usually in local.cf) of this form:

    score HM_GAPPY_SIG 3

'score' is a keyword for setting the score, 'HM_GAPPY_SIG' is one of my tests and '3' is the score I wish to set for this test.

grep your default .cf files for the score lines:

    grep ^score /usr/share/spamassassin/*.cf

Or better, include a pattern for the test(s) that interest you (to cut down on the amount of output):

    grep ^score.*BAYES /usr/share/spamassassin/*.cf

You will generally find that the default scores are in 50_scores.cf, so you may be specific and change the grep to only search that file (but I don't always remember this, so I may just search them all out of laziness).

-- Herb Martin
Re: Pharmaceutical list of words in a table
> Obviously, the OBFU rule set is not that sophisticated.

On the contrary, they are quite sophisticated in many cases.

> On top of that, the spammer (someone said it's Leo Kuvayev)

However, Leo is also quite sophisticated. And he has changed his spam generators in the last week to make things that SA can't currently detect. The SARE obfu rules were last updated a couple of weeks ago. That gives Leo currently a 14 day or so head start on the current SARE rulebase, and about 6 months head start on the standard SA rulebase.

> keeps changing the URL it points to. I've received it with inspectioflig(dot)com (scored 2.7), then with exclusivaven(dot)com (scored 6.4), then with univnews(dot)com (scored 7.1), and the last one was sinceschool(dot)com (scored 7.8)

*ALL* spammers buy multiple domain names in batches. Leo buys them by the hundreds at a time. Just as he isn't stupid enough to send all spam from the same machine, since it would be very quickly cut off, he isn't stupid enough to target all of a given spam to the same domain, because it will quite quickly be blocked. As near as I can tell, a run of spam from a given zombie typically is targeted at a single domain. However, Leo runs thousands or maybe hundreds of thousands of zombies in any given spam run, and he changes the spam slightly every few days, as best I can tell.

This means you have to step back, spend a few moments thinking like Leo, look for what is common and what is uncommon in a spam run, and then target specific rules to catch the stuff that is common. It ain't that hard to do, but it takes time to do it, and those of us that do that sort of thing often only do it when we get annoyed about spam leaking into the inbox. The rest of the time we do our normal day jobs. Leo also does his normal day job most of the time. But that happens to be making spam, so he spends more time at it than the rest of us do.

I can see about ten ways to catch Leo's current batch. However, they weren't particularly interesting to me, since most of them are scoring about 40-70 here, from net rules mostly. If I get some time in the next day or two I'll cut a set of rules for them.

Loren
Re: Pharmaceutical list of words in a table
You have the unfortunate luck of being on the cutting edge of the spam runs; most of these domains are now in 4 or 5 SURBL lists, which will give you scores of close to 12 alone. They are also listed at Spamhaus as of yesterday, and the name servers from one day before; the partial list I have of these domains all points at IP 220.80.107.186.

Locally I get these results for a test email with a single line of:

    http://sinceschool.-com

    X-Spam-Status: Yes, score=13.5 tests=RAZOR2_CF_RANGE_51_100=0.056,
        RAZOR2_CHECK=1.511, URIBL_AB_SURBL=0.417, URIBL_JP_SURBL=2.462,
        URIBL_RHS_URIBL_BLACK=2.33, URIBL_SBL=0.996, URIBL_SC_SURBL=4.263,
        URIBL_WS_SURBL=1.462 autolearn=no version=3.0.4

This is with only the one local URIBL rule included. With the actual text and proper Bayes training, you should get another 3-4 points, and other local rules give me more. Also, add in header points for coming from dynamic hosts (mostly zombie-bots) and you should get another few points. I don't know if all of these are active yet, but they probably are.

All .com's changed to .-com to avoid the list's filter.

Paul Shupak [EMAIL PROTECTED]
Re: Pharmaceutical list of words in a table
Very interesting, Loren. I think a good assessment of whoever is sending the spam. I spend a fair portion of my day trying to catch up with (filter) these dudes out of my Inbox. Thanks for the insights!

Mike
Re: Pharmaceutical list of words in a table
Loren,

Just wanted to thank you for the eloquent response and for your significant contributions to SARE and this list.

On 9/6/05, Loren Wilton [EMAIL PROTECTED] wrote:
> ...I'll cut a set of rules for them.
> Loren

-- Ilan Aisic
Logging Spamc Connect Failures
Guys,

Does anything show up in mail logs when spamc fails to connect? Is there any way to cause this to happen? I just grepped my mailbox for !X-Spam-Check, and found (after eliminating those over 250K) about 23 messages over the course of a couple weeks, in my mailbox alone. Is there a way spamc could possibly just log that the connect failed within the message itself? Or to syslog?

-Dan

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
Re: Too many recipients
Hello Mark,

Thank you so much for your post to the list. I don't feel we are alone now, and someone will start looking into the problem. I also found the following reference to the same problem: http://www.nntp.perl.org/group/perl.perl5.porters/103500 Though, after increasing the stack size I learnt it did not fix it. I meant to add a comment with the link (above) to your bug report, but was not sure. If you feel this will be useful, could you please do so?

Thank you again for contacting. Hope to hear good news soon.

Irina

----- Original Message -----
From: Mark Martinec [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Cc: Irina [EMAIL PROTECTED]
Sent: Monday, September 05, 2005 7:27 PM
Subject: Re: Too many recipients

> I came across the same problem as reported by Irina, but this time with Perl 5.8.7 and SA 3.1.0-rc2. Filed as bug #4570: http://bugzilla.spamassassin.org/show_bug.cgi?id=4570
>
> Mark
>
> P.S. sorry for a missing ref to a thread, I fetched the subject from the archive
Spamc, spamassassin, different scores
Hello,

My system is a Red Hat 7.3 with these SpamAssassin versions, and I am using qmail on it.

    machine:/etc/mail/spamassassin# spamassassin -V
    SpamAssassin version 3.0.1
      running on Perl version 5.6.1
    machine:/etc/mail/spamassassin# spamc -V
    SpamAssassin Client version 3.0.1

The problem that I have is that I only want to launch spamassassin in my account, so I am using my .qmail file to do it:

    | spamassassin
    | preline procmail -t -m -p ./skuda/procmailrc

I know that I would be launching spamc and not the spamassassin perl script, but I get different scores from the 2 programs.

SPAMC:

    spamc -r skuda/Maildir/.spam/cur/1121844030.M156489P30796V0303I00436361_2015.betanetweb.com,S=9921:2,S

    Spam detection software, running on the system betanetweb.com, has
    identified this incoming email as possible spam.  The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email.  If you have any questions, see the administrator
    of that system for details.

    Content preview:  neuroanotomy Incredible Prices on Rx Hurry While
      Supplies Last! [...]

    Content analysis details:   (7.3 points, 4.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.5 MPART_ALT_DIFF         BODY: HTML and text parts are different
     0.3 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.2 HTML_FONT_BIG          BODY: HTML tag for a big font size
     0.2 HTML_90_100            BODY: Message is 90% to 100% HTML
     1.1 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
     0.1 DNS_FROM_AHBL_RHSBL    RBL: From: sender listed in dnsbl.ahbl.org
     3.9 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                                [URIs: weofferaselection.com]
     0.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                                [URIs: weofferaselection.com]
    -0.6 AWL                    AWL: From: address is in the auto white-list

Spamassassin:

    spamassassin cur/1121844030.M156489P30796V0303I00436361_2015.betanetweb.com,S=9921:2,S

    From [EMAIL PROTECTED]  Fri Nov 12 12:53:26 2004
    Received: from localhost by betanetweb.com
        with SpamAssassin (version 3.0.1); Tue, 06 Sep 2005 16:24:08 +0200
    From: VicoRx 6 [EMAIL PROTECTED]
    To: [EMAIL PROTECTED]
    Subject: *SPAM* Your order
    Date: Fri, 12 Nov 2004 07:50:35 -0500 (MSD)
    Message-Id: [EMAIL PROTECTED]
    X-Spam-Flag: YES
    X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on betanetweb.com
    X-Spam-Status: Yes, score=11.0 required=4.0 tests=BAYES_95,
        DNS_FROM_AHBL_RHSBL,HTML_90_100,HTML_FONT_BIG,HTML_IMAGE_RATIO_02,
        HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,NO_DNS_FOR_FROM,
        URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=no version=3.0.1
    X-Spam-Level: **
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary=--=_431DA688.5E031C81

    This is a multi-part message in MIME format.

    =_431DA688.5E031C81
    Content-Type: text/plain
    Content-Disposition: inline
    Content-Transfer-Encoding: 8bit

    Spam detection software, running on the system betanetweb.com, has
    identified this incoming email as possible spam.  The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email.  If you have any questions, see the administrator
    of that system for details.

    Content preview:  neuroanotomy Incredible Prices on Rx Hurry While
      Supplies Last! [...]

    Content analysis details:   (11.0 points, 4.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
     2.1 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                                [score: 0.9714]
     0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
     1.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
     0.0 HTML_90_100            BODY: Message is 90% to 100% HTML
     1.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
     0.3 DNS_FROM_AHBL_RHSBL    RBL: From: sender listed in dnsbl.ahbl.org
     4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                                [URIs: weofferaselection.com]
     1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                                [URIs: weofferaselection.com]

    The original message was not completely plain text, and may be unsafe to
    open with some email clients; in particular, it may contain a virus,
    or confirm that your address can receive spam.  If you wish to view
    it, it may be safer to save it to a file and open it with an editor.
Re: Spamc, spamassassin, different scores
Miguel Angel Rasero Peral (TCOR) [EMAIL PROTECTED] wrote on 09/06/2005 10:19:29 AM:

> Hello, my system is a Red Hat 7.3 with these SpamAssassin versions, and I am using qmail on it.
>
>     machine:/etc/mail/spamassassin# spamassassin -V
>     SpamAssassin version 3.0.1
>       running on Perl version 5.6.1
>     machine:/etc/mail/spamassassin# spamc -V
>     SpamAssassin Client version 3.0.1
>
> The problem that I have is that I only want to launch spamassassin in my account, so I am using my .qmail file to do it:
>
>     | spamassassin
>     | preline procmail -t -m -p ./skuda/procmailrc
>
> I know that I would be launching spamc and not the spamassassin perl script, but I get different scores from the 2 programs.

Are you running the spamassassin command under the same userid as spamd is running under? Looks like spamd is using bayes that spamassassin did not have, and spamassassin had a negative AWL score that spamd didn't have.

Andy
Re: Spamc, spamassassin, different scores
Miguel Angel Rasero Peral (TCOR) wrote:
> Hello, my system is a Red Hat 7.3 with these SpamAssassin versions, and I am using qmail on it. The problem that I have is that I only want to launch spamassassin in my account, so I am using my .qmail file to do it:
>
>     | spamassassin
>     | preline procmail -t -m -p ./skuda/procmailrc
>
> I know that I would be launching spamc and not the spamassassin perl script, but I get different scores from the 2 programs.

I have this in my .qmail file:

    | /usr/bin/procmail ~/.procmailrc

and then in .procmailrc I first sort out all my mailing lists by matching headers, then call spamc, then dump high scores (> 14) to /dev/null and 5 - 14 to a Junk mail folder.

    #
    # put satalk in its own folder
    #
    :0 H:
    * ^List-Id:[EMAIL PROTECTED]
    satalk/new

    # ---
    # run thru spamassassin
    # ---
    :0fw
    | spamc

    # ---
    # catch high scores (MATCH holds the integer part of the score,
    # since the capture stops at the first '.' or space)
    # ---
    :0 H:
    * ^X-Spam-Status: +(yes|no), +score=\/[^. ]*
    * ? (( ${MATCH} > 14 ))
    /dev/null

    # ---
    # put the rest in Junk folder
    # ---
    :0 H:
    * ^X-Spam-Status: Yes.*
    Junk/new

I get the same score with spamc and spamassassin - different scores would indicate that you aren't running thru the same rulesets or bayes.
> I don't know what is happening. On the other side, sometimes email gets to my inbox without being analyzed, because I can't see the SpamAssassin headers in its source. I suppose that it's because of some timeout or the way I use the .qmail file to call spamassassin. Can anyone help me, please?
Re: Spamc, spamassassin, different scores
Andy Jezierski wrote:
> Are you running the spamassassin command under the same userid as spamd is running under? Looks like spamd is using bayes that spamassassin did not have, and spamassassin had a negative AWL score that spamd didn't have.

Definitely not. Look at the prompts. Miguel is running spamassassin as root. Miguel is running spamc as root, but spamd will *NEVER* scan mail as root. It will setuid itself to nobody if it finds this situation.

This causes a huge difference, because only the root account has bayes training, but spamd will never use it. Notice that the spamassassin (run as root) version has BAYES_95 matching, but the spamc one does not.

Miguel, this is your problem: you can't train with sa-learn as root and expect this to impact mail run through spamc, unless you set up a global bayes database.

Ideally, I'd suggest creating a spamd user, and running spamd with -u spamd. Then when you train mail with sa-learn, just su yourself to spamd first. This way everything all gets scanned using the same bayes db. You also get the security benefit of all scanning being done as a user that isn't used for anything else.

If that's not practical, use bayes_path and bayes_file_mode 0777 together in your local.cf to create a single bayes DB that gets used no matter what user calls SA. (Warnings: use bayes_file_mode 0777, not 0666. Also, read the docs on bayes_path very carefully. It's not just a path. The last part is actually the start of a filename, not a directory name.)
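To see for yourself where a score difference like Miguel's comes from (and, for the original question in this thread, how the per-rule scores add up to the total), here is an added Python example, not code from SpamAssassin or from anyone on this list: it parses the "Content analysis details" block that spamc and spamassassin append to a message and diffs two of them. Both sample reports are re-typed from the two quoted earlier in this thread.

```python
import re
from typing import Dict, Tuple

# Added example for this thread (not SpamAssassin code and not any poster's):
# parse the "Content analysis details" block that spamc/spamassassin append to
# a message, then diff two such blocks to see where a score difference comes from.

# Both sample reports below are re-typed from the ones quoted in this thread.
REPORT_SPAMC = """\
Content analysis details:   (7.3 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 MPART_ALT_DIFF         BODY: HTML and text parts are different
 0.3 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.2 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.2 HTML_90_100            BODY: Message is 90% to 100% HTML
 1.1 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 0.1 DNS_FROM_AHBL_RHSBL    RBL: From: sender listed in dnsbl.ahbl.org
 3.9 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: weofferaselection.com]
 0.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: weofferaselection.com]
-0.6 AWL                    AWL: From: address is in the auto white-list
"""

REPORT_SA = """\
Content analysis details:   (11.0 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
 2.1 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9714]
 0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 1.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.0 HTML_90_100            BODY: Message is 90% to 100% HTML
 1.6 NO_DNS_FOR_FROM        DNS: Envelope sender has no MX or A DNS records
 0.3 DNS_FROM_AHBL_RHSBL    RBL: From: sender listed in dnsbl.ahbl.org
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: weofferaselection.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: weofferaselection.com]
"""

_HEADER = re.compile(r"Content analysis details:\s*\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
# A rule line starts with a signed decimal score and then the rule name; wrapped
# description lines, the column header and the "----" ruler do not match.
_RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+\S")


def parse_report(text: str) -> Tuple[float, float, Dict[str, float]]:
    """Return (reported total, required threshold, {rule name: score})."""
    m = _HEADER.search(text)
    if m is None:
        raise ValueError("no 'Content analysis details' header found")
    hits: Dict[str, float] = {}
    for line in text.splitlines():
        r = _RULE.match(line)
        if r:
            hits[r.group(2)] = float(r.group(1))
    return float(m.group(1)), float(m.group(2)), hits


def total_is_consistent(total: float, hits: Dict[str, float]) -> bool:
    """Each displayed score is rounded to one decimal, so the sum of the lines
    may legitimately differ from the reported total by up to 0.05 per rule."""
    return abs(sum(hits.values()) - total) <= 0.05 * len(hits) + 1e-9


def diff_reports(a: Dict[str, float], b: Dict[str, float]):
    """Split the difference between two runs into rules that fired in only one
    of them and rules that fired in both but were scored differently."""
    only_a = {r: s for r, s in a.items() if r not in b}
    only_b = {r: s for r, s in b.items() if r not in a}
    changed = {r: (a[r], b[r]) for r in a if r in b and a[r] != b[r]}
    return only_a, only_b, changed


if __name__ == "__main__":
    total_c, req, hits_c = parse_report(REPORT_SPAMC)
    total_s, _, hits_s = parse_report(REPORT_SA)
    only_c, only_s, changed = diff_reports(hits_c, hits_s)
    print(f"spamc run: {total_c} of {req} required, lines consistent: "
          f"{total_is_consistent(total_c, hits_c)}")
    print(f"spamassassin run: {total_s}, lines consistent: "
          f"{total_is_consistent(total_s, hits_s)}")
    print("only in spamc run:", only_c)          # AWL
    print("only in spamassassin run:", only_s)   # BAYES_95, HTML_IMAGE_RATIO_02
    for rule, (sc, ss) in sorted(changed.items()):
        print(f"{rule:22} {sc:5.1f} -> {ss:5.1f}")
```

Besides the AWL and BAYES_95 lines that Matt points to, the diff also shows the shared rules carrying different scores in the two runs; that is expected, since SpamAssassin selects one of its score sets depending on whether Bayes and network tests are in use.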
Re: protecting SQL login info
On Tue, 6 Sep 2005, Eric W. Bates wrote:

> This is perhaps a little elaborate; and I have not tried to hook this into SA; but we are quite happy with a little bit of misdirection we use for the tools we have reading/writing to the SQL.
>
> There is a specified directory (call it dbpasswords). In the directory there is a file for each login. The file is named with the user's login name. The contents of the file is the password. The file is owned by the user in question with perms 400.
>
> Subsequently we overload/patch any code that needs a login (e.g. Class::DBI::mysql::set_db()) such that the EUID is used in getpwent to get the username, and thereby the password.
>
> This way, no passwords are ever embedded in any code or config files and there is one single location to change when the passwords are updated. This does require that the username used on the system is the same as the username for SQL.
>
> We frequently use suid to change the EUID of the web server to something with special access in the SQL (e.g. dbwriter). This special user usually has an even lower permission level than the web server; with the exception of SQL access. We use this technique for CGI, mod_perl, php, etc.
>
> I have not examined SA 3 for use of this trick; but we are going to try sometime soon.

No, there's one single user for ALL the database access. Spamd doesn't support per-user SQL logins and passwords.

With spamc/spamd this is not a problem, as spamd runs on a machine that the shell users don't have access to (and reads the SQL login as root before dropping its privileges). However, for sa-learn, and things like spamassassin -r (which essentially is the same as sa-learn), they need to write to AWL/Bayes -- and since they run as the user, they need to be able to read/write the SQL login info even while running as that user.

However, if *they* can read it, there's nothing stopping a malicious user from just logging in and deleting all the table data (said user needs the delete privilege... they may not be able to drop the tables if I revoke the drop priv, but they can still delete all the data).

-Dan

> Dan Mahoney, System Admin wrote:
>> Hey all,
>>
>> I'm doing everything (bayes, AWL, userprefs) in SQL. Is there some way to protect the values I've got in /etc/mail/spamassassin/local.cf such as my mysql username and password from casual snoopage? Only thing I could think of was to make SA setGID, and have the file chmod 750. Any better ideas?
>>
>> -Dan
>
> --
> Eric W. Bates [EMAIL PROTECTED]
Re: [sa-list] Re: Spamc, spamassassin, different scores
Dan Mahoney, System Admin wrote:
>> Definitely not. Look at the prompts. Miguel is running spamassassin as root. Miguel is running spamc as root, but spamd will *NEVER* scan mail as root. It will setuid itself to nobody if it finds this situation.
>
> At least, not on a recent version -- this was a rather prominent bug under many OSen.

Very true, that is a definite caveat to my statement that spamd will never scan mail as root. I suppose a better statement would be "spamd should never scan mail as root".

That said, AFAIK the "many OSen" are limited to *BSD variants, including Mac OS X. In this case RedHat is the OS, which is Linux kernel based, which I think is immune to this issue due to differences in how the Linux kernel handles setuid as compared to the BSD kernel.
Trouble viewing list of SA tests for 3.0 on web site
For days I have been trying to see all of the tests used by SA at the following URL: http://spamassassin.apache.org/tests_3_0_x.html

I'm using Win XP and had the same results with Firefox and IE6. The page would partially load then just stall. Finally, today I was able to get the entire page to display after resending the URL about a hundred times. Someone with a Unix machine told me he was able to see the page with no problems.

I have the info I need now, but I thought I would mention it, in case others have had problems.

Tom
Re: Spamc, spamassassin, different scores
Yeah, this was my problem. Thanks.

On Tue, 06-09-2005 at 12:00 -0400, Matt Kettler wrote:
> Miguel, this is your problem: you can't train with sa-learn as root and expect this to impact mail run through spamc, unless you set up a global bayes database.
Re: [sa-list] Re: OTC stock spam
On Thu, 26 May 2005, Loren Wilton wrote:

> I'm not going to try running that, but I've got a pile of rules that catch stock scams like that. SARE has a good bunch of them, the better ones of course.

Here, the most recent spam I got was a stock spam. It hit:

     1.8 LOCAL_OBFU_GENERIC  BODY: Obfuscated 'GENERIC' in body
     0.6 J_CHICKENPOX_48     BODY: 4alpha-pock-8alpha
     0.5 FB_INVEST_ADVICE    BODY: /invest.{1,15}advice/i
     1.7 SARE_FWDLOOK        BODY: Forward looking statements about stocks
     0.6 J_CHICKENPOX_71     BODY: 7alpha-pock-1alpha
     1.0 LW_LOAN             BODY: /\bl.?o.?a.?n\b/i
     1.1 FB_SAVE_PERSC       BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
     2.0 LW_OTCBB            BODY: Reference to stock
     1.0 LW_1933             BODY: Reference to Securities Act
     0.7 SARE_MONEYTERMS     BODY: Talks about money in some way.
     0.6 J_CHICKENPOX_53     BODY: 5alpha-pock-3alpha
     2.7 NOT_ADVISOR         BODY: Not registered investment advisor
     0.3 SARE_MILLIONSOF     BODY: Millions of something.
     0.1 HTML_MESSAGE        BODY: HTML included in message
     5.4 BAYES_99            BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
     0.9 FM_NO_STYLE         FM_NO_STYLE

Loren, where can I find those LW_* rules? Or are they part of your private collection?

-Dan
Re: [sa-list] Re: OTC stock spam
Also, what did you use to get the report?

Dan Mahoney, System Admin wrote:
> On Thu, 26 May 2005, Loren Wilton wrote:
> > I'm not going to try running that, but I've got a pile of rules that catch stock scams like that. SARE has a good bunch of them, the better ones of course.
>
> Here, the most recent spam I got was a stock spam. It hit:
>
>  1.8 LOCAL_OBFU_GENERIC BODY: Obfuscated 'GENERIC' in body
>  0.6 J_CHICKENPOX_48    BODY: 4alpha-pock-8alpha
>  0.5 FB_INVEST_ADVICE   BODY: /invest.{1,15}advice/i
>  1.7 SARE_FWDLOOK       BODY: Forward looking statements about stocks
>  0.6 J_CHICKENPOX_71    BODY: 7alpha-pock-1alpha
>  1.0 LW_LOAN            BODY: /\bl.?o.?a.?n\b/i
>  1.1 FB_SAVE_PERSC      BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
>  2.0 LW_OTCBB           BODY: Reference to stock
>  1.0 LW_1933            BODY: Reference to Securities Act
>  0.7 SARE_MONEYTERMS    BODY: Talks about money in some way.
>  0.6 J_CHICKENPOX_53    BODY: 5alpha-pock-3alpha
>  2.7 NOT_ADVISOR        BODY: Not registered investment advisor
>  0.3 SARE_MILLIONSOF    BODY: Millions of something.
>  0.1 HTML_MESSAGE       BODY: HTML included in message
>  5.4 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
>                         [score: 1.]
>  0.9 FM_NO_STYLE        FM_NO_STYLE
>
> Loren,
>
> Where can I find those LW_* rules? Or are they part of your private collection?
>
> -Dan
>
> --
>
> Don't try to out-weird me. I get stranger things than you free with my breakfast cereal.
>
> -Button seen at I-CON XVII (and subsequently purchased)
>
> Dan Mahoney
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---
Re: protecting SQL login info
Dan Mahoney, System Admin wrote:
> With spamc/spamd this is not a problem, as spamd runs on a machine that the shell users don't have access to (and reads the SQL login as root before dropping its privileges). However, for sa-learn, and things like spamassassin -r (which essentially is the same as sa-learn), they need to write to AWL/Bayes -- and since they run as the user, they need to be able to read/write the SQL login info even while running as that user.

SA 3.1 lets you move this functionality to spamd as well.

Michael
Re: protecting SQL login info
On Tue, 6 Sep 2005, Michael Parker wrote:
> Dan Mahoney, System Admin wrote:
> > With spamc/spamd this is not a problem, as spamd runs on a machine that the shell users don't have access to (and reads the SQL login as root before dropping its privileges). However, for sa-learn, and things like spamassassin -r (which essentially is the same as sa-learn), they need to write to AWL/Bayes -- and since they run as the user, they need to be able to read/write the SQL login info even while running as that user.
>
> SA 3.1 lets you move this functionality to spamd as well.

Which means what, the user would have to call a spamc string like this?

    | /usr/local/bin/spamc -d quark.gushi.org -S -u [EMAIL PROTECTED] -r

** Spamd needs a config file, preferably with a setGID startup so only spamd can read it.

** Spamd also needs a list of trusted users who can call it with -u, so not just any jerk can poison my bayes tables.

** Spamd also needs an option to include a hostname in the username it sends to spamassassin, either in the config file, or overridden on the command line (possibly only by trusted_users).

For speed, any of the above COULD be compile-time options.

Are any of these ideas in the queue?

-Dan

--

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: [sa-list] Re: OTC stock spam
On Tue, 6 Sep 2005, M.Lewis wrote:
> Also, what did you use to get the report?

The report shows up in most setups in any spam email. Considering this one scored the way it did, I'm pretty sure it scored as spam.

-Dan

> Dan Mahoney, System Admin wrote:
> > On Thu, 26 May 2005, Loren Wilton wrote:
> > > I'm not going to try running that, but I've got a pile of rules that catch stock scams like that. SARE has a good bunch of them, the better ones of course.
> >
> > Here, the most recent spam I got was a stock spam. It hit:
> >
> >  1.8 LOCAL_OBFU_GENERIC BODY: Obfuscated 'GENERIC' in body
> >  0.6 J_CHICKENPOX_48    BODY: 4alpha-pock-8alpha
> >  0.5 FB_INVEST_ADVICE   BODY: /invest.{1,15}advice/i
> >  1.7 SARE_FWDLOOK       BODY: Forward looking statements about stocks
> >  0.6 J_CHICKENPOX_71    BODY: 7alpha-pock-1alpha
> >  1.0 LW_LOAN            BODY: /\bl.?o.?a.?n\b/i
> >  1.1 FB_SAVE_PERSC      BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
> >  2.0 LW_OTCBB           BODY: Reference to stock
> >  1.0 LW_1933            BODY: Reference to Securities Act
> >  0.7 SARE_MONEYTERMS    BODY: Talks about money in some way.
> >  0.6 J_CHICKENPOX_53    BODY: 5alpha-pock-3alpha
> >  2.7 NOT_ADVISOR        BODY: Not registered investment advisor
> >  0.3 SARE_MILLIONSOF    BODY: Millions of something.
> >  0.1 HTML_MESSAGE       BODY: HTML included in message
> >  5.4 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
> >                         [score: 1.]
> >  0.9 FM_NO_STYLE        FM_NO_STYLE
> >
> > Loren,
> >
> > Where can I find those LW_* rules? Or are they part of your private collection?
> >
> > -Dan
> >
> > --
> >
> > Don't try to out-weird me. I get stranger things than you free with my breakfast cereal.
> >
> > -Button seen at I-CON XVII (and subsequently purchased)
> >
> > Dan Mahoney
> > Techie, Sysadmin, WebGeek
> > Gushi on efnet/undernet IRC
> > ICQ: 13735144 AIM: LarpGM
> > Site: http://www.gushi.org
> > ---

--

Little tramp sits in her room all day, sewing dolls! Children misbehaving in the basement, and one in the walls, doing his business God knows where! You children will be the death of me, *sniff*.

-'Mommy', The People Under The Stairs

Dan Mahoney
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---
Re: [sa-list] Re: OTC stock spam
He's more aggressive than I am. For him spam is 4.6. For me it's 5.0, and I only score BAYES_99 at 5.0 points. {^_-}

----- Original Message -----
From: Dan Mahoney, System Admin [EMAIL PROTECTED]

> On Tue, 6 Sep 2005, M.Lewis wrote:
> > Also, what did you use to get the report?
>
> The report shows up in most setups in any spam email. Considering this one scored the way it did, I'm pretty sure it scored as spam.
>
> -Dan
>
> > Dan Mahoney, System Admin wrote:
> > > On Thu, 26 May 2005, Loren Wilton wrote:
> > > > I'm not going to try running that, but I've got a pile of rules that catch stock scams like that. SARE has a good bunch of them, the better ones of course.
> > >
> > > Here, the most recent spam I got was a stock spam. It hit:
> > >
> > >  1.8 LOCAL_OBFU_GENERIC BODY: Obfuscated 'GENERIC' in body
> > >  0.6 J_CHICKENPOX_48    BODY: 4alpha-pock-8alpha
> > >  0.5 FB_INVEST_ADVICE   BODY: /invest.{1,15}advice/i
> > >  1.7 SARE_FWDLOOK       BODY: Forward looking statements about stocks
> > >  0.6 J_CHICKENPOX_71    BODY: 7alpha-pock-1alpha
> > >  1.0 LW_LOAN            BODY: /\bl.?o.?a.?n\b/i
> > >  1.1 FB_SAVE_PERSC      BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
> > >  2.0 LW_OTCBB           BODY: Reference to stock
> > >  1.0 LW_1933            BODY: Reference to Securities Act
> > >  0.7 SARE_MONEYTERMS    BODY: Talks about money in some way.
> > >  0.6 J_CHICKENPOX_53    BODY: 5alpha-pock-3alpha
> > >  2.7 NOT_ADVISOR        BODY: Not registered investment advisor
> > >  0.3 SARE_MILLIONSOF    BODY: Millions of something.
> > >  0.1 HTML_MESSAGE       BODY: HTML included in message
> > >  5.4 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
> > >                         [score: 1.]
> > >  0.9 FM_NO_STYLE        FM_NO_STYLE
> > >
> > > Loren,
> > >
> > > Where can I find those LW_* rules? Or are they part of your private collection?
> > >
> > > -Dan
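Loren's three steps from the start of this thread (skip rules scored 0, add each hit rule's score, compare the sum with the threshold) applied to the report Dan posted above, as an added example that is not code from the thread or from SpamAssassin. The report text is Dan's hit list re-spaced into SpamAssassin's "pts rule description" table; the local.cf-style `score` lines mirror Loren's BAYES_99 at 5.0, and the HTML_MESSAGE 0 line is a constructed illustration of switching a rule off.

```python
import re
from decimal import Decimal

# Constructed sample: the hit list Dan posted, in the "pts rule description"
# layout SpamAssassin prints (the BAYES_99 description wraps to a second line).
REPORT = r"""
 1.8 LOCAL_OBFU_GENERIC BODY: Obfuscated 'GENERIC' in body
 0.6 J_CHICKENPOX_48    BODY: 4alpha-pock-8alpha
 0.5 FB_INVEST_ADVICE   BODY: /invest.{1,15}advice/i
 1.7 SARE_FWDLOOK       BODY: Forward looking statements about stocks
 0.6 J_CHICKENPOX_71    BODY: 7alpha-pock-1alpha
 1.0 LW_LOAN            BODY: /\bl.?o.?a.?n\b/i
 1.1 FB_SAVE_PERSC      BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
 2.0 LW_OTCBB           BODY: Reference to stock
 1.0 LW_1933            BODY: Reference to Securities Act
 0.7 SARE_MONEYTERMS    BODY: Talks about money in some way.
 0.6 J_CHICKENPOX_53    BODY: 5alpha-pock-3alpha
 2.7 NOT_ADVISOR        BODY: Not registered investment advisor
 0.3 SARE_MILLIONSOF    BODY: Millions of something.
 0.1 HTML_MESSAGE       BODY: HTML included in message
 5.4 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
                        [score: 1.]
 0.9 FM_NO_STYLE        FM_NO_STYLE
"""
HIT_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return [(rule, score, description)]; a line with no leading score continues the previous description."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append([m.group(2), Decimal(m.group(1)), m.group(3).strip()])
        elif line.strip() and hits:
            hits[-1][2] += " " + line.strip()
    return [tuple(h) for h in hits]

def parse_score_lines(cf_text, score_set=3):
    """Parse 'score RULE n' or 'score RULE n n n n' lines as in 50_scores.cf / local.cf."""
    # With four values SpamAssassin picks by score set; 3 = Bayes and network tests on.
    scores = {}
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            vals = parts[2:]
            scores[parts[1]] = Decimal(vals[score_set] if len(vals) == 4 else vals[0])
    return scores

def rescore(hits, overrides=None, required_score=Decimal("5.0")):
    """Sum the (possibly overridden) score of every hit rule; a 0 override disables a rule."""
    total = Decimal("0")
    for rule, score, _desc in hits:
        score = (overrides or {}).get(rule, score)
        total += score  # step 3: a rule scored 0 contributes nothing
    return total, "spam" if total >= required_score else "ham"
```

`rescore(parse_report(REPORT))` gives 21.0 with the stock scores; with `parse_score_lines("score BAYES_99 5.0\nscore HTML_MESSAGE 0")` it drops to 20.5, still far past a required_score of 5.0.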
Re: SpamAssassin perceptron curiosity
Hi Felix,

[EMAIL PROTECTED] wrote:
> I got a bit of curiosity in my brain about neural networks, and someone suggested I take a look at how SpamAssassin trains itself. I have been looking into .../masses and come across some things which set off warning bells. I don't think I have actually found any bugs, but it isn't clear to me what is going on, there are some unused variables, and I pathetically justify my intrusion on your time with the thought that there *might* be a bug ... :-)

You may want to try sending this to the dev list, as most of the developers don't have time to track the users list in depth.

Chris
Re: [sa-list] Re: OTC stock spam
Loren,

Will you post your LW Stox based rules? I think we would all like to see them.

----- Original Message -----
From: Dan Mahoney, System Admin [EMAIL PROTECTED]
To: Loren Wilton [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Tuesday, September 06, 2005 2:41 PM
Subject: Re: [sa-list] Re: OTC stock spam

| On Thu, 26 May 2005, Loren Wilton wrote:
|
| > I'm not going to try running that, but I've got a pile of rules that catch stock scams like that. SARE has a good bunch of them, the better ones of course.
|
| Here, the most recent spam I got was a stock spam. It hit:
|
|  1.8 LOCAL_OBFU_GENERIC BODY: Obfuscated 'GENERIC' in body
|  0.6 J_CHICKENPOX_48    BODY: 4alpha-pock-8alpha
|  0.5 FB_INVEST_ADVICE   BODY: /invest.{1,15}advice/i
|  1.7 SARE_FWDLOOK       BODY: Forward looking statements about stocks
|  0.6 J_CHICKENPOX_71    BODY: 7alpha-pock-1alpha
|  1.0 LW_LOAN            BODY: /\bl.?o.?a.?n\b/i
|  1.1 FB_SAVE_PERSC      BODY: /sav(?:e|ing).{1,45}p[re][re]scription/i
|  2.0 LW_OTCBB           BODY: Reference to stock
|  1.0 LW_1933            BODY: Reference to Securities Act
|  0.7 SARE_MONEYTERMS    BODY: Talks about money in some way.
|  0.6 J_CHICKENPOX_53    BODY: 5alpha-pock-3alpha
|  2.7 NOT_ADVISOR        BODY: Not registered investment advisor
|  0.3 SARE_MILLIONSOF    BODY: Millions of something.
|  0.1 HTML_MESSAGE       BODY: HTML included in message
|  5.4 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
|                         [score: 1.]
|  0.9 FM_NO_STYLE        FM_NO_STYLE
|
| Loren,
|
| Where can I find those LW_* rules? Or are they part of your private collection?
|
| -Dan
|
| --
|
| Don't try to out-weird me. I get stranger things than you free with my breakfast cereal.
|
| -Button seen at I-CON XVII (and subsequently purchased)
|
| Dan Mahoney
| Techie, Sysadmin, WebGeek
| Gushi on efnet/undernet IRC
| ICQ: 13735144 AIM: LarpGM
| Site: http://www.gushi.org
| ---
Re: RDJ/Curl issue...
Hi Jamie,

Jamie Pratt wrote:
> Hi. RDJ has broken on me apparently - no updates in a month(?).. Seems to be a curl issue?...
>
>     -- RANDOMVAL --
>     RULESET_NAME=RANDOMVAL
>     INDEX=11
>     CF_URL=http://www.stearns.org/sa-blacklist/random.current.cf
>     CF_FILE=random.cf
>     CF_NAME=William Stearn's RANDOM WORD Ruleset
>     PARSE_NEW_VER_SCRIPT=grep -i '^#release' | tail -n 1
>     CF_MUNGE_SCRIPT=
>     Old random.current.cf already existed in /etc/mail/spamassassin/RulesDuJour...
>     Retrieving file from http://www.stearns.org/sa-blacklist/random.current.cf...
>     exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/random.current.cf http://www.stearns.org/sa-blacklist/random.current.cf 2>&1
>     curl_output: 304
>     random.current.cf was up to date [skipped downloading of http://www.stearns.org/sa-blacklist/random.current.cf]
>     ...
>     No files updated; No restart required.
>
> Any ideas why curl is seeming to have issues? (wget doesn't seem to work either?)

How have you determined curl is failing? The output I see above looks normal for an RDJ run where nothing has been updated. The "curl_output: 304" indicates an HTTP 304 response, which means "not modified, use local copy".

Chris Thielen
Re: Pharamcudical list of words in a table
--On Tuesday, September 06, 2005 12:38 AM -0700 List Mail User [EMAIL PROTECTED] wrote:
> You have the unfortunate luck of being on the cutting edge of the spam runs, most of these domains are now in 4 or 5 SURBL lists, which will give you scores of close to 12 alone.

Greylisting would help here. If you greylist an unknown source long enough, and it gets into SURBL during the delay, you'll get the SURBL score boost when (if) the retry is attempted.

Alas, commercial recipients can't use greylisting as effectively because they expect to accept legitimate mail from a lot more unknown senders. And greylisting during a disaster like Katrina could block mail from friends using unusual modes of sending (like an Internet cafe terminal).
Re: ANNOUNCE: SpamAssassin 3.1.0-rc2 release candidate available!
Loren Wilton writes:
> It isn't fixed in rc2. You only posted that analysis 2 days before the rc2 release, and the tarball had already been cut at the time you posted the message. (It takes a day or two between release cutoff and the release showing up, since it needs to be tested before the announcement.)
>
> Furthermore, you only posted the notice here in the users group where it could easily be missed by the SA devs. The proper thing to do is open a bug in Bugzilla on this subject, and include the info that you posted here.
>
> FWIW, the change that is causing the problems was a deliberate change to work around another problem in another tool. So the fix isn't likely to be as simple as backing out that change, since that would just bring the previous bug back.

Following up on this -- yes, Loren has nailed it here. It would be best to open this as a bug in bugzilla for further followup.

--j. (just back from a week's vacation)
Re: Pharamcudical list of words in a table
> --On Tuesday, September 06, 2005 12:38 AM -0700 List Mail User [EMAIL PROTECTED] wrote:
> > You have the unfortunate luck of being on the cutting edge of the spam runs, most of these domains are now in 4 or 5 SURBL lists, which will give you scores of close to 12 alone.
>
> Greylisting would help here. If you greylist an unknown source long enough, and it gets into SURBL during the delay, you'll get the SURBL score boost when (if) the retry is attempted.
>
> Alas, commercial recipients can't use greylisting as effectively because they expect to accept legitimate mail from a lot more unknown senders. And greylisting during a disaster like Katrina could block mail from friends using unusual modes of sending (like an Internet cafe terminal).

I know the problem with commercial recipients, but I don't fully understand it (running a mail server for clients that don't like greylisting, myself).

Basically, a short greylist hold time (a few minutes) is sufficient to block spam from machines sending directly to your server. The Internet cafe is supposed to send via an upstream mail relay or run its own mail server, so the message would get through within minutes.

The one thing that is stopped by greylisting is the ability to ask a new contact on the phone to mail some material, and then discuss it right away (and in real life mail delivery often is not that instantaneous, anyway).

Wolfgang Hamann
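The greylisting mechanism these two messages discuss (hold an unknown sender's first attempt for a few minutes; a spam domain that lands on a SURBL during the hold scores higher when the retry arrives, while a bot that never retries is never accepted), as an added example that is not code from the thread or from any greylisting daemon. Every host address, mailbox, domain, listing time and the 3.0-per-hit URIBL score below is constructed for the simulation.

```python
TEMPFAIL = "451 4.7.1 greylisted, please retry later"
ACCEPT = "250 OK"

class Greylist:
    """Triplet greylist: (client IP, sender, recipient) is deferred until its first
    attempt is at least hold_seconds old, then accepted on a retry."""
    def __init__(self, hold_seconds=300):        # "a few minutes", as Wolfgang puts it
        self.hold = hold_seconds
        self.first_seen = {}                      # triplet -> time of first attempt

    def check(self, client_ip, sender, rcpt, now):
        key = (client_ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        return ACCEPT if now - first >= self.hold else TEMPFAIL

class SimulatedURIBL:
    """Constructed stand-in for a SURBL-style list: domain -> time it was listed.
    per_hit is made up; real rule scores come from the SpamAssassin rule files."""
    def __init__(self, listed_at, per_hit=3.0):
        self.listed_at, self.per_hit = listed_at, per_hit

    def score(self, domains, now):
        return sum(self.per_hit for d in domains
                   if d in self.listed_at and self.listed_at[d] <= now)

def deliver(gl, uribl, client_ip, sender, rcpt, body_domains, attempt_times):
    """Play one message's delivery attempts through the greylist; return the
    outcome and the URIBL score SpamAssassin would see at acceptance time."""
    for t in attempt_times:
        if gl.check(client_ip, sender, rcpt, t) == ACCEPT:
            return "accepted", uribl.score(body_domains, t)
    return "never retried", 0.0

def scenarios():
    """Constructed traffic: a bot that fires once and gives up, a real MTA that
    retries after 15 minutes, and a spam run whose domain gets listed 10 minutes in."""
    gl = Greylist(hold_seconds=300)
    uribl = SimulatedURIBL({"spamrun.example": 600})
    return {
        "bot_no_retry": deliver(gl, uribl, "192.0.2.10", "x@spamrun.example",
                                "me@example.org", ["spamrun.example"], [0]),
        "legit_mta": deliver(gl, uribl, "198.51.100.5", "friend@example.net",
                             "me@example.org", ["example.net"], [0, 900]),
        "spam_via_mta": deliver(gl, uribl, "203.0.113.7", "y@spamrun.example",
                                "me@example.org", ["spamrun.example"], [0, 900]),
    }
```

At t=0 the spam run's domain is not yet listed, so the URIBL score would have been 0; by the time the retry is accepted at t=900 it contributes 3.0, which is the boost the first message describes.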