RE: FuzzyOcrPlugin hashdb permissions
And you have added all the users, that need access to the users group in /etc/group? IE your /etc/group file contains a line like:

users:x:100:user1,user2,user3,user4,useretc

If so, then it is spamassassin that does not switch the user context correctly.

-Sietse

From: Robert S
Sent: Tue 21-Nov-06 13:17
To: users@spamassassin.apache.org
Subject: Re: FuzzyOcrPlugin hashdb permissions

AFAIK you do not need to set the primary group for all your users to 'users'. Just add them to the 'users' group in /etc/group. Or better yet, create a separate group (eg. mail_users) for it and assign write permissions to that group.

I always thought that was the case, but it just doesn't work that way. As I indicated above - when I set the permissions

-rwxrwxr-x root:users /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb

I get a permission denied error.

I agree it should work. Both of my distros run spamd as root and change permissions to the recipient of the message, when spamc runs through procmail. Here is part of my .procmailrc (on both machines):

$ cat /etc/procmailrc
DROPPRIVS=yes
:0fw: spamassassin.lock
* < 256000
| /usr/bin/spamc

Is there something here that can be changed??
Re: ??
John D. Hardin wrote:

On Mon, 20 Nov 2006, twofers wrote:

I would like to know what local rule I could invoke to tag email that the subject is not in english.

header NOT_IN_ENGLISH Subject !~ /English/i
describe NOT_IN_ENGLISH Subject Contains Non English Characters
score NOT_IN_ENGLISH 3.5

What regexp could I use?

I haven't tested this, but it may work:

header NOT_IN_ENGLISH Subject =~ /[\x80-\xFF]{3}/

That should hit on a string of at least three characters with the high bit set. You may need to drop it down to {2} to get good detection. Don't score it very high.

Of course, that would exclude messages with ISO Latin 1 (8859.1) characters like Yen, Pound Sterling, Trademark, etc. Plus, there are words in English that when properly written do contain accents, such as resume, dais, cliche, cooperation, etc. Excluding words with pounds and yen in the Subject line might be a good thing, however...

-Philip
Them spammers are getting smarter..
So used to be mail from Richard Smith, subject Me again Richard. Now they're using the last name, ie Me again Smith

I'm almost at the point of rejecting anything with the subject Me again...

Off topic: In postfix in header_checks, can I specify something at the START? ie if I say

/Me again/ Reject

I only want to reject Me again Smith but not Hey, it's Me again...

Thanks. :)

Evan
Re: ****Re: blarsbl
On Tue, 2006-11-21 at 12:07 -0500, DAve wrote:

Thomas Lindell wrote:

Att mail servers use his service. Which means I can't send to mediacom which is an att partner. I couldn't believe att used his service. What's odd is that my company uses att backhaul bandwidth in the form of 4 t1's. Grr the whole thing is frustrating.

Tom

-Original Message-
From: DAve [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 10:37 AM
To: spamassassin
Subject: Re: blarsbl

Thomas Lindell wrote:

Has anyone had any dealings with this guy. I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved. The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guy's domain and or ip block. It would seem to me he's nothing more than a petty extortionist. Anyone else had to deal with this? This is the guy's www site http://www.blars.org/errors/block.html

Any admin blocking based on Blars has no mail we would miss, and we have very liberal limits for mail we accept due to our clients' business models. He falls in the same category as SpamBag.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

I would think a phone call to your account manager with an appropriate link to the guy's website would be enough to get the problem solved. http://www.blars.org/blars06c.jpg A copy of your past quarter bill from ATT would help to put the point into perspective.

by appearances, he doesn't seem much like that ATT type - that picture pretty much sums it up. ;-)

Craig
FuzzyOcrPlugin hashdb permissions
I've installed this FuzzyOcrPlugin on two machines (debian and gentoo). Everything works fine on the gentoo box, but on the debian box I get the following in the error log:

[2006-11-20 04:06:11] Unable to open/create Image Hash database at /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb, check permissions.
[2006-11-20 07:17:15] Unable to open/create Image Hash database at /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb, check permissions.

The recipients of the mail are all in the users group. Relevant config file:

focr_enable_image_hashing 1
focr_digest_db /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb
focr_hashing_learn_scanned 1

Permissions on both machines:

ls -l /usr/local/var
drwxrwsr-x 2 root users 80 Nov 20 07:34 FuzzyOcr

and

$ ls -l /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb
-rwxrwxr-x 1 root users 499 Nov 20 14:29 /usr/local/var/FuzzyOcr/FuzzyOcr.hashdb

I can fix this by doing chmod 777 to the hashdb, but it's bad practice to have world-writable files and I'd like to avoid it. Am I doing something obviously wrong here??
Re: amavisd-new or mailscanner?
* Mark Martinec [EMAIL PROTECTED]:

As far as invoking SA and getting its results, it should be about the same.

You forget your own p0f fingerprinting :)

--
Ralf Hildebrandt (on behalf of the IT Centre) [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin, Tel. +49 (0)30-450 570-155
Joint institution of FU and HU Berlin, Fax. +49 (0)30-450 570-962
IT Centre, CBF site
send no mail to [EMAIL PROTECTED]
Re: DNS Whitelist - rule optimization
Theo Van Dinter wrote:

My suggestion was going to be to have the plugin define tags that can be used via add_header. No need for calling add_header() internally.

Sounds like an interesting idea. Since I've never written plugins for SA: what is the best starting point / documentation?

Btw., if you want to give dnswl.org a try on your own system - please go ahead, feedback is very welcome!

how is this different from other whitelist/accreditation systems?

It's different in that there is no business model associated with it, ie it's not that some sender can buy its way into the whitelist. Such buy in models tend to be only used by senders with a shady reputation.

It's a collaborative effort since it relies for a good part on importing and aggregating whitelisting data from various sources. Most likely, many of you all maintain whitelists of largely overlapping senders (eg banks), so it makes sense to share this data and maintain it collaboratively.

There is a certain risk that a bad sender gets into the whitelist through such collaboration. However once detected such a bad sender can easily and swiftly be removed.

-- Matthias
RE: Is my Bayes DB borked?
Nope - it's not that. Looking through my syslog more closely reveals that I'm getting 'SA TIMED OUT' messages all over the place, and referring to rules as well as Bayes. So, I'm just as confused as ever, and don't know what's going on. More analysis needed, I suppose, but I'm not sure where to start.

| -Original Message-
| From: Kurt Buff
| Sent: Tuesday, November 21, 2006 17:05
| To: 'users@spamassassin.apache.org'
| Subject: Is my Bayes DB borked?
|
| My postfix queue is climbing like crazy, and I'm getting *lots* of messages
| in my syslog that look like this:
|
| 2006-11-21 16:50:39 Mail.Warning zetmail3 Nov 21 16:54:43 amavis[29824]: (29824-01-4) SA TIMED OUT, backtrace: at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Bayes.pm line 481
| \n\teval {...} called at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Bayes.pm line 481
| \n\tMail::SpamAssassin::Bayes::tokenize_line('Mail::SpamAssassin::Bayes=HASH(0xa7c65c0)', 'http://www.orbitz.com/Deals/Images/URC_20061120.gif', '', 2) called at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Bayes.pm line 337
| \n\tMail::SpamAssassin::Bayes::tokenize('Mail::SpamAssassin::Bayes=HASH(0xa7c65c0)', 'Mail::SpamAssassin::Message=HASH(0xbc4e2bc)', 'HASH(0xba9fa90)') called at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Bayes.pm line 1200
| \n\tMail::SpamAssassin::Bayes::scan('Mail::SpamAssassin::Bayes=HASH(0xa7c65c0)', 'Mail::SpamAssassin::PerMsgStatus=HASH(0xbc57698)', 'Mail::SpamAssassin::Message=HASH(0xbc4e2bc)') called at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssa...
|
| Kurt Buff
| Lead Network Administrator
| Zetron, Inc.
| 425.820.6363 x463
| [EMAIL PROTECTED]
| PO Box 97004
| Redmond, WA 98073
Re: Greylisting
Just to add to the pot I have started working for a company who was receiving +30,000 emails a day and acknowledged they had a spam problem. I got the go ahead to pilot Postfix, MailScanner, SpamAssassin + FuzzyOCR and PolicyD and have now reduced that to ~ 40 emails per day being delivered. The most noticeable change was using Greylisting, with MailScanner and SpamAssassin cleaning the rest up. To say they are impressed would be an understatement.

Well done to all the developers and contributors of these fine pieces of software.

Cheers, UxBoD

--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
Re: blarsbl
Thomas Lindell wrote:

Att mail servers use his service. Which means I can't send to mediacom which is an att partner. I couldn't believe att used his service. What's odd is that my company uses att backhaul bandwidth in the form of 4 t1's. Grr the whole thing is frustrating.

Tom

-Original Message-
From: DAve [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 10:37 AM
To: spamassassin
Subject: Re: blarsbl

Thomas Lindell wrote:

Has anyone had any dealings with this guy. I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved. The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guy's domain and or ip block. It would seem to me he's nothing more than a petty extortionist. Anyone else had to deal with this? This is the guy's www site http://www.blars.org/errors/block.html

Any admin blocking based on Blars has no mail we would miss, and we have very liberal limits for mail we accept due to our clients' business models. He falls in the same category as SpamBag.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

I would think a phone call to your account manager with an appropriate link to the guy's website would be enough to get the problem solved. http://www.blars.org/blars06c.jpg A copy of your past quarter bill from ATT would help to put the point into perspective.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
if plugin lines with else functionality?
Hello users,

Does anyone think it might be nice to have if plugin lines with else functionality? Say we create some nice rules that rely on plugins but those plugins aren't available, if we could create alternate rules for when the plugins are not available it might help in some cases. This might be unnecessary but I was writing a meta rule that used some replace-tag tests and started thinking it would be nice to have this feature.

Example:

body __FOO1 /some foo/
body __FOO2 /mr\. t/
if plugin::replacetags
body SOME_RULE /SOMESPFOO/i
replace_tags SOME_RULE
meta SOME_FOO_RULE(!__FOO1 __FOO2 SOME_RULE)
else
body SOME_RULEb /[s5][oO]m[e3] f[o0][o0]/i
meta SOME_FOO_RULE(!__FOO1 __FOO2 !SOME_RULEb)
endif

This would most likely only benefit 3rd party rule developers but who knows?

--
Best regards, Fred T mailto:[EMAIL PROTECTED]
Re: Them spammers are getting smarter..
On Tue, 2006-11-21 at 12:33 -0800, Evan Platt wrote:

In postfix in header_checks, can I specify something at the START? ie if I say /Me again/Reject I only want to reject Me again Smith but not Hey, it's Me again...

Put a caret at the start of the pattern: /^Me again/. To anchor at the end of the line, put a dollar sign at the end of the pattern: /Me again $/.

Regards, K.

--
Karl Auer ([EMAIL PROTECTED]) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
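
An added example (not part of the reply above and not Postfix code): a small Python model of how a header_checks regexp table is evaluated. Postfix matches each pattern against the whole logical header line, header name included, and case-insensitively by default, so a rule for the start of the subject has to be anchored as /^Subject: .../; the table lines and sample headers are constructed, and the unfolding of continuation lines is a simplification.

```python
import re

# One table line: /pattern/flags ACTION optional text
TABLE_LINE = re.compile(
    r"^/(?P<pat>.*)/(?P<flags>[a-z]*)\s+(?P<action>\S+)\s*(?P<text>.*)$")

def load_table(text):
    """Parse header_checks-style lines into (regex, action, text) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError("unparsable table line: %r" % line)
        # Postfix regexp tables ignore case by default; the "i" flag toggles that.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pat"], flags), m["action"].upper(), m["text"]))
    return rules

def unfold(raw_headers):
    """Join folded continuation lines so each header is one logical line."""
    logical = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical

def check(rules, raw_headers):
    """Return (action, matching header line) for the first rule that matches."""
    for header in unfold(raw_headers):
        for regex, action, _text in rules:
            if regex.search(header):
                return action, header
    return "DUNNO", None

# Constructed sample messages (headers only).
SPAM = "From: someone@example.com\nSubject: Me again Smith"
HAM = "From: friend@example.com\nSubject: Hey, it's Me again..."

BARE_CARET = load_table("/^Me again/ REJECT")            # anchors to the line start
UNANCHORED = load_table("/Me again/ REJECT")             # matches anywhere
SUBJECT_START = load_table("/^Subject: +Me again/ REJECT Me-again spam")

if __name__ == "__main__":
    for name, table in [("bare caret", BARE_CARET), ("unanchored", UNANCHORED),
                        ("subject start", SUBJECT_START)]:
        print(name, "| spam:", check(table, SPAM)[0], "| ham:", check(table, HAM)[0])
```
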
Re: blarsbl
Thomas Lindell wrote:

Has anyone had any dealings with this guy. I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved. The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guy's domain and or ip block. It would seem to me he's nothing more than a petty extortionist. Anyone else had to deal with this? This is the guy's www site http://www.blars.org/errors/block.html

Any admin blocking based on Blars has no mail we would miss, and we have very liberal limits for mail we accept due to our clients' business models. He falls in the same category as SpamBag.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: Them spammers are getting smarter..
Theo Van Dinter wrote: On Tue, Nov 21, 2006 at 12:33:36PM -0800, Evan Platt wrote: So used to be mail from Richard Smith, subject Me again Richard. Now they're using the last name, ie Me again Smith FWIW, this is why it's pointless to try keeping up with those things. There's an infinite number of ways they can change around the subject/from/etc that there's no point in trying to keep up. Yep. Given how easy it would be for them to do more random subjects, I'm of the opinion that these are being offered up as decoys. Dangle an obvious sign in front of the spamfighters, wait for us to grab it, then snatch it away at the last minute. It's just a way of tweaking us and keeping us busy. Meanwhile, Bayes + SARE Stocks + header checks are catching these easily, regardless of the subject. Admittedly I've bumped BAYES_99 up to 4.7 points. (On a side note, I have to laugh at the phrase, Make it huge with nanotechnology. Part of it is the huge/nano contrast, but make it huge sounds more typical of another category of spam entirely...) -- Kelson Vibber SpeedGate Communications www.speed.net
Re: user_prefs not used
Are you saying that you have separate rules in user_prefs and those rules are not being processed? or are you talking about just configuration lines in user_prefs like use_bayes 1?

Wes

Chris Willard [EMAIL PROTECTED] wrote:

Hi all, I am using spamd and calling spamc from .procmail using

| /usr/bin/spamc -u chris

Only the rules in /ec/mail/spamassassin/local.cf are being processed. My $HOME/.spamassassin/user_prefs file is not being used! /etc/mail/spamassassin/local.cf has allow_user_rules 1 in it but I can not get it working! Any help would be appreciated.

Thanks, Chris

--
Chris Willard
I'm clinging to sanity by a thread. Hand me the scissors, willya?
Re: spammers dodging OCR
lol, just got a spam with the image obfuscated like captchas in a bbs, to avoid detection by ocr.

On Mon, Nov 06, 2006 at 02:06:45PM -0600, Jorge Valdes wrote:

Gary V wrote:

This morning I received my copy of networkworld. Here is an interesting article: http://www.networkworld.com/columnists/2006/103006buzz-spammers-dodging-ocr.html

Gary V

FuzzyOcr (devel version) is already catching these... has been for a while now.

-- Jorge Valdes
Re: Log Mail Caught As Spam
On 11/20/06, itdelany [EMAIL PROTECTED] wrote:

François Rousseau wrote:

In your log, do you have any things like top 10 spammer, 10 top spam ... or something like this?

URIBL_AB_SURBL=3.812, URIBL_PH_SURBL=2.8, URIBL_SC_SURBL=4.498, URIBL_WS_SURBL=2.14]

those tags indicate that you have probably many URL or domain known as spam in this email.

Francois Rousseau

Hi :) Thanks for your answer, and yes, spam word is everywhere in that email, I forgot to say that I already did an sa-learn -ham on this email. What else can I do ?

Hello, you have probably not setup correctly whitelist_from_rcvd. Whitelist entries trigger the USER_IN_WHITELIST rule and add a -100 score which is enough to defy any other spam rules all together. Do you use spamd? If you do, did you restart it after adding the whitelist entries?

Regards, Panagiotis
Re: Bayes Database Missing
You can try:

mkdir /var/lib/MailScanner/    # Creates the directory
cp /etc/mail/spamassassin/bayes* /var/lib/MailScanner/    # Copies the bayes databases from the default spamassassin directory to the bayes_path directory
/etc/init.d/spamassassin restart
or
/etc/init.d/psa-spamassassin restart    # restart SA, one of these might work. But you need to restart SA.

Wes

leemansvg [EMAIL PROTECTED] wrote:

I see in my spam.assassin.pref.conf file this entry,

bayes_path /var/lib/MailScanner/bayes

however when I navigate to this directory this database is not there, is there a way to generate this database. I've been noticing a lot of spam getting through and would like to tighten this.
Re: Bayes column 'token'
CREATE TABLE bayes_token (
  PRIMARY KEY (id, token),
  INDEX bayes_token_idx1 (token),
  INDEX bayes_token_idx2 (id, atime)
) TYPE=MyISAM;

PRIMARY for `id` and `token` should not have INDEX for `id` and `token` added, too.

Why not? IIRC the three indexes above makes perfect sense. Like this:

WHERE id=xxx AND token=xxx will use the primary index.
WHERE token=xxx will use the bayes_token_idx1 index.
WHERE id=xxx AND atime=xxx will use the bayes_token_idx2 index.

Again IIRC, the clause WHERE token=xxx should be faster with the existence of the bayes_token_idx1 index than without it. Or is it simply that the MySQL bayes store module never queries with token as the first column in a WHERE clause?

I might of course completely misremember this, so rather than trust me I'd suggest reading about index optimization or something like that in the current MySQL documentation. :-)

Regards /Jonas

--
Jonas Eckerman, FSDB Fruktträdet
http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
joe-job/backscatter
Anyone else seeing anything like this? I've been getting these for about two days or so now:

Return-Path:
Received: from pop.earthlink.net [209.86.93.201] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Tue, 21 Nov 2006 13:19:50 -0600 (CST)
Received: from mail.tecnicasmetalicas.com.pe ([216.244.154.186]) by mx-avoceta.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1gMB8H4rO3Nl34k1 for [EMAIL PROTECTED]; Tue, 21 Nov 2006 14:18:44 -0500 (EST)
Received: from localhost (unknown [127.0.0.1]) by mail.tecnicasmetalicas.com.pe (Postfix by Sethdev) with ESMTP id DC9F9B38F1 for [EMAIL PROTECTED]; Tue, 21 Nov 2006 19:32:04 + (UTC)
Content-Type: multipart/report; report-type=delivery-status; boundary=--=_1164137524-27615-0
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
In-Reply-To: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
From: Content-filter at mail.tecnicasmetalicas.com.pe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 21 Nov 2006 14:32:04 -0500 (PET)
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=001;
X-SenderIP: 216.244.154.186
X-ASN: ASN-12252
X-CIDR: 216.244.128.0/19

A message from [EMAIL PROTECTED] to: - [EMAIL PROTECTED] was considered unsolicited bulk e-mail (UBE).

Our internal reference code for your message is 27615-01/n-lQRI5hle46

The message carried your return address, so it was either a genuine mail from you, or a sender address was faked and your e-mail address abused by third party, in which case we apologize for undesired notification.

We do try to minimize backscatter for more prominent cases of UBE and for infected mail, but for less obvious cases of UBE some balance between losing genuine mail and sending undesired backscatter is sought, and there can be some collateral damage on both sides.

According to a 'Received:' trace, the message originated at: [190.40.199.4], alicia (unknown [190.40.199.4])

Return-Path: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Subject: =?windows-1251?B?VGFsbGVyIGRlIEhhYmlsaWRhZGVzIEVtb2Npb25hbGVzIHkgQXV0b2VzdGltYSBhbCBOafFvICAtIFB1YmxpY2lkYWQ=?=

Delivery of the email was stopped!

dsn_status Delivery error report

header Message headers

Return-Path: [EMAIL PROTECTED]
Received: from alicia (unknown [190.40.199.4]) by mail.tecnicasmetalicas.com.pe (Postfix by Sethdev) with SMTP id 26BAEB186D for [EMAIL PROTECTED]; Tue, 21 Nov 2006 14:32:04 -0500 (PET)
Message-ID: [EMAIL PROTECTED]
Reply-To: =?windows-1251?B?SW5zdGl0dXRvIEd1ZXN0YWx0IGRlIExpbWE=?= [EMAIL PROTECTED]
From: =?windows-1251?B?SW5zdGl0dXRvIEd1ZXN0YWx0IGRlIExpbWE=?= [EMAIL PROTECTED]
Subject: =?windows-1251?B?VGFsbGVyIGRlIEhhYmlsaWRhZGVzIEVtb2Npb25hbGVzIHkgQXV0b2VzdGltYSBhbCBOafFvICAtIFB1YmxpY2lkYWQ=?=
Date: Tue, 21 Nov 2006 14:17:44 -0500
MIME-Version: 1.0
Content-Type: text/html; charset=windows-1251
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
To: undisclosed-recipients:;

-- Chris
Re: would SA benefit from port to Java
Giampaolo Tomassoni writes: Recently in the perl blead code, one of the perl hackers has added a trie-based regexp matcher (with Aho-Corasick optimisations) to efficiently match multiple regular expressions in parallel, to the perl core regexp matching code. That's pretty much what you're describing, Just to know, do you mean this? http://search.cpan.org/~dankogai/Regexp-Trie-0.02/lib/Regexp/Trie.pm Else, what's the perl blead code? Blead is what the perl developers call the main development branch of perl5, which you can rsync live from the perl perforce server; cf: http://www.opensubscriber.com/message/dev@spamassassin.apache.org/712879.html see also: http://taint.org/tag/tries , http://taint.org/tag/aho-corasick You were also asking: That's not even mentioning the metaprogramming and higher-order programming techniques that we use extensively in SpamAssassin -- those are basically *just not possible* in C/C++. ;) Ops. What's this stuff? Let me know. http://en.wikipedia.org/wiki/Metaprogramming http://en.wikipedia.org/wiki/Higher-order_programming http://hop.perl.plover.com/ (which I haven't actually read yet to be quite honest ;) --j.
Re: FuzzyOcr and blank lines?
Matthias Keller wrote:

Marc Perkel wrote:

I'm running the latest one that is not the devel version.

Bill Landry wrote:

Marc Perkel wrote the following on 11/19/2006 6:15 PM -0800:

Does FuzzyOCR not skip blank lines?

* 33 FUZZY_OCR BODY: Mail contains an image with common spam text inside
* Words found:
* in 1 lines
* in 30 lines
* (31 word occurrences found)

You must be running a fairly old version of FuzzyOCR, as the last several versions have not suffered from this previously known issue.

Bill

Hi I've also encountered this problem up to 2.3b which I'm currently running... Seems the fix only works on some systems - but not mine. Change in sub load_global_words :

if (( $_ =~ /^[ \t]*#.*$/ ) or ( $_ =~ /^[^a-zA-Z]?$/ )) { next; }

Not sure what the original if() was but this one filters out empty lines and comment lines (starting with a #) in 2.3b

Matt

Someone should update that as it is the latest version that isn't a devel version.
Re: blarsbl
[EMAIL PROTECTED]: host gateway.mchsi.com[204.127.203.150] said: 550-12.175.23.161 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net 550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice. (in reply to MAIL FROM command) aha. the mchsi-variant of att. i seem to keep bumping into these guys re: questionable emails/policies. thanks for the info!
Re: blarsbl
DAve wrote:

Thomas Lindell wrote:

Has anyone had any dealings with this guy. I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved. The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guy's domain and or ip block. It would seem to me he's nothing more than a petty extortionist. Anyone else had to deal with this? This is the guy's www site http://www.blars.org/errors/block.html

Any admin blocking based on Blars has no mail we would miss, and we have very liberal limits for mail we accept due to our clients' business models. He falls in the same category as SpamBag.

DAve

I've dealt with him and he's a total whack job. His list totally sucks and should not be used for any reason.
Re: blarsbl
On 11/21/06, Thomas Lindell [EMAIL PROTECTED] wrote: Att mail servers use his service. can you please share/point-to some evidence of that fact? if that *is* the case, i'll be chatting with my reps at att! if i've missed it here, i apologize in advance ... thanks.
Redundant QP encoding of Subject/From fields...
I got the following spam. I've included the header:

Return-Path: [EMAIL PROTECTED]
Received: from mail.libertysurf.net (webmail-out.libertysurf.net [213.36.80.105]) by mail.redfish-solutions.com (8.13.8/8.13.7) with ESMTP id kAM1ckKs008704 for [EMAIL PROTECTED]; Tue, 21 Nov 2006 18:38:52 -0700
Received: from aliceadsl.fr (192.168.10.57) by mail.libertysurf.net (7.1.026) id 43F3DDC5003935BF; Wed, 22 Nov 2006 02:22:49 +0100
Date: Wed, 22 Nov 2006 02:22:49 +0100
Message-Id: [EMAIL PROTECTED]
Subject: =?iso-8859-1?Q?Representative_Needed.?=
MIME-Version: 1.0
X-Sensitivity: 3
Content-Type: multipart/alternative; boundary=_=__=_XaM3_.1164158569.2A.498089.42.6019.52.42.007.3770
From: [EMAIL PROTECTED] [EMAIL PROTECTED]

My question is this. The encoding of the Subject: and From: lines is redundant. There are no non-USASCII characters in either field. Hence, specifying =?iso-8859-1?Q? is not necessary.

The test SUBJECT_EXCESS_QP seems to handle this (at least the Subject: part). I'd like to crank it up to 3.5 or higher. Any intuitive reasons why this wouldn't work? Are there any valid mailers that are braindead?

Thanks, -Philip
Re: getting mail directly and not via mail-relay
On Mon, 20 Nov 2006, Leon Kolchinsky wrote:

Hello, There is a Mail-Relay administered by another person and its MX record stand before MX record of my mail server, so theoretically mail should go first through Mail-Relay to my server. The thing is that for some reason there are much e-mails (and spam among them of course) getting to my server directly and not via Mail-Relay. What could be the reason for that? Is this behavior avoidable at all?

It is a well documented fact that spammers abuse a setup like yours. Yours is a bit unusual in that the low priority MX is the actual delivery site not a fall-back server but spammers don't know nor care. Spammers explicitly target low priority MXs because they believe that those systems are fall-back servers and thus probably less well 'defended' against spam.

To stop your abuse, either remove univ.haifa.ac.il from the MX list for univ.haifa.ac.il or configure the network fire-wall on univ.haifa.ac.il so that it only accepts SMTP traffic from mr2.haifa.ac.il and mr3.haifa.ac.il

--
Dave Funk, University of Iowa
dbfunk (at) engineering.uiowa.edu, College of Engineering
319/335-5751 FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
Re: fuzzyocr 342 fires error warn, but scores anyway ... does it work?
Looks like what happens when your giflib/libungif binaries are not where FuzzyOcr expects them to be. Check your actual paths against those in FuzzyOcr.cf.

snowcrash+spamassassin wrote:

GIF-LIB error: Failed to Read from given file.

but, the message does score:

1.5 FUZZY_OCR_WRONG_CTYPE BODY: Mail contains an image with wrong
2.5 FUZZY_OCR_CORRUPT_IMG BODY: Mail contains a corrupted image

so, given the error+warn, did/didn't, fuzzyocr work as it should here?

No, it got no hits on tests that actually require scanning.
Re: FuzzyOcrPlugin hashdb permissions
Here my FuzzyOCR runs with spamd (the daemon of spamassassin) and the default user that runs it is the user spamd

-rw-r--r-- 1 spamd spamd 433905 Nov 21 08:51 FuzzyOcr.hashdb

my FuzzyOcr.hashdb is set to user spamd and all works fine... :)

On 11/20/06, Robert S [EMAIL PROTECTED] wrote:

I might add that spamc is called from procmail, so it runs with the permissions of the user receiving the message. I should have pointed this out earlier.

Make the directory world writeable and remove the databases. New ones will be created with the user that spamd runs under. Then you can set the permissions straight.

I can see the problem now. The file is written by username:username because the primary group in debian is set to username - the group is not users as I'd like it to be (as it is on my gentoo box). I could fix this up by making users the primary group for all users, but that might cause other problems. AFAICS I'll need to make the hash db chmod 666. Presumably if it's not executable it shouldn't be a security risk??

And making db files executable does not seem like such a good idea to me. Use CHMOD 664 or 660.

Point taken.

--
Thiago LPS
C.E.S.A.R - Administrador de Sistemas
msn: [EMAIL PROTECTED]
0xx 81 8735 2591
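
An added example for this thread (not from any poster and not FuzzyOcr or spamd code): a Python model of the Unix owner/group/other check, showing when a hashdb that is group-writable for users can actually be opened read-write, and what ownership and mode a newly created database gets. All uids, gids and account names are constructed; the "no supplementary groups" case models the hypothesis raised in the thread that the user context is not switched completely.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Creds:
    """Identity of a process after it has dropped privileges."""
    uid: int
    gid: int                         # primary group (from /etc/passwd)
    groups: frozenset = frozenset()  # supplementary groups (from /etc/group)

@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits, e.g. 0o775; 0o2000 is the setgid bit
    uid: int
    gid: int

_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}

def allowed(creds, inode, want):
    """Unix DAC check: only the first matching class (owner, group, other) counts."""
    if creds.uid == 0:
        return True  # simplification: root bypasses read/write checks
    owner, group, other = _BITS[want]
    if creds.uid == inode.uid:
        return bool(inode.mode & owner)
    if inode.gid == creds.gid or inode.gid in creds.groups:
        return bool(inode.mode & group)
    return bool(inode.mode & other)

def can_open_rw(creds, directory, dbfile):
    """Opening an existing database read-write: search the dir, r+w on the file."""
    return (allowed(creds, directory, "x")
            and allowed(creds, dbfile, "r")
            and allowed(creds, dbfile, "w"))

def new_file(creds, directory, umask, requested=0o666):
    """Owner, group and mode of a file the process creates in `directory` (Linux)."""
    # A setgid directory hands its group to new files; otherwise the creator's
    # primary group is used. The umask strips bits from the requested mode.
    gid = directory.gid if directory.mode & stat.S_ISGID else creds.gid
    return Inode(mode=requested & ~umask, uid=creds.uid, gid=gid)

# Constructed ids: root=0, group users=100, alice=1000, bob=1001.
USERS = 100
DB_DIR = Inode(0o2775, 0, USERS)   # drwxrwsr-x root users
DB_FILE = Inode(0o775, 0, USERS)   # -rwxrwxr-x root users

# User-private primary group, member of "users" only through /etc/group.
ALICE_WITH_GROUPS = Creds(1000, 1000, frozenset({USERS}))
# Same account, but uid/gid were changed without loading supplementary groups.
ALICE_NO_GROUPS = Creds(1000, 1000)
# Account whose primary group is "users".
ALICE_PRIMARY_USERS = Creds(1000, USERS)
BOB = Creds(1001, 1001, frozenset({USERS}))

if __name__ == "__main__":
    for label, creds in [("supplementary group loaded", ALICE_WITH_GROUPS),
                         ("supplementary groups missing", ALICE_NO_GROUPS),
                         ("primary group users", ALICE_PRIMARY_USERS)]:
        print(label, "->", can_open_rw(creds, DB_DIR, DB_FILE))
    created = new_file(ALICE_WITH_GROUPS, DB_DIR, umask=0o022)
    print("created by alice:", oct(created.mode), created.uid, created.gid,
          "| bob can update:", can_open_rw(BOB, DB_DIR, created))
```

On a real host the same facts are visible with `id USER` and `ls -l`; a shared database needs group write on the file (0664 or 0660), a setgid directory, and a umask that leaves group write in place.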
Re: Àú=·Å=ÇÑ ¼=¹Î= ÀÚ=±Ý=´ë==Ãô=¾È= ³»~!
On 20-Nov-2006, at 05:52, twofers wrote: header NOT_IN_ENGLISH Subject !~ /English/i describe NOT_IN_ENGLISH Subject Contains Non English Characters score NOT_IN_ENGLISH 3.5 What regexp could I use? Well, that's tricky. Sometimes the subject is encoded and sometimes it's not. If you want to catch non-7 bit characters in the Subject, that's pretty simple: [^ -~] (or anyway you specify that range, from the range of ' ' (space) to '~' includes the normal 7 bit characters, so you can test for that range, but of course would not include, for example, £ or ¥, and it will do nothing if the subject is encoded. Some possible characters you might want to filter on: [¡¢£¤¥¦§¨©ª«¬ ®¯°±²³ ´µ¶·¸¹º»¼½¾¿åÅäÄöÖàáâçèéêë] [ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß] [àáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ] =[89A-F][0-9A-F] =(E5|C5|E4|C4|F6|D6|E0|E1|E2|E7|E8|E9|EA|EB) However, just so you know, running a grep over my spamassassin-user mail: $ grep -e '^Subject:' spamassassin-users* | grep -e '[^ -~]' Subject:70_sare_header.cf dupe Subject: Re: possible memory memory with SA 3.0.3 under Debian Linux (metoo) Subject: 21:22:05为什么要做*逃*兵? Subject: Re: SpamAssassin integrated with MailScanner, using per- user configuration Subject: Re: spamassassin less effective after upgrade to 3.1.0: some checks no Subject: Re: spamassassin less effective after upgrade to 3.1.0: some checks no Subject: ?ڭ̤wa?Ȩ?ʦ??J ( mailman-owner ) Subject: [SPAM] orkut - Aninha.linda enviou um convite para voc?! 
Subject:Pyzor Issues Subject: Re: The best way to use Spamassassin is to not use Spamassassin Subject:Undeliverable:RE: Rule for mail contains bad email ids Subject:Re: [EMAIL PROTECTED]: RE: SPAM: Increase in targeted Subject:Re: Sa-learn --ham vs spamassassin -report Subject: Re: rbl checks from 20_dnsbl_tests.cf won't work after upgradingto 3.1.5 Subject: Re: rbl checks from 20_dnsbl_tests.cf won't work after upgradingto 3.1.5 Subject:Re: Work has been closed permanently Subject:Your online activity confirmation Subject: Re: ??=??=?? ??=??=??=??=??==??=??=??~! Subject: Re: ??=??=?? ??=??=??=??=??==??=??=??~! I get a lot of things in there that don't appear to contain anything other than a tab, so you might want to include that in your character class as well (octal 11, 0x009) -- I don't think the kind of friends I'd have would care.
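The patterns quoted in this thread behave differently on raw 8-bit, tab-containing and RFC 2047 encoded subjects; the following added example (not from the posters or from SpamAssassin) runs them over constructed Subject values. The function names `decode_subject` and `classify` are hypothetical, and undeclared 8-bit bytes are read as Latin-1 as an assumption.

```python
import base64
import re
from email.errors import HeaderParseError
from email.header import decode_header

# Patterns quoted in the thread.
NAIVE_NON_ASCII = re.compile(r"[^ -~]")          # anything outside space..tilde
QP_HIGH_BYTE = re.compile(r"=[89A-F][0-9A-F]")   # Q-encoded byte >= 0x80
HIGH_BIT_RUN = re.compile(rb"[\x80-\xFF]{3}")    # three high-bit bytes in a row
# Same class with the tab added, as the post suggests.
NON_ASCII_TAB_OK = re.compile(r"[^\t -~]")


def decode_subject(raw: bytes) -> str:
    """Decode RFC 2047 encoded-words; other bytes are read as Latin-1."""
    text = raw.decode("latin-1")
    try:
        chunks = decode_header(text)
    except HeaderParseError:          # malformed encoded-word: keep raw text
        return text
    parts = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                parts.append(chunk.decode(charset or "latin-1", "replace"))
            except LookupError:       # unknown charset label
                parts.append(chunk.decode("latin-1"))
        else:
            parts.append(chunk)
    return "".join(parts)


def classify(raw: bytes) -> dict:
    """Report which of the thread's checks fire on one raw Subject value."""
    text = raw.decode("latin-1")
    naive = bool(NAIVE_NON_ASCII.search(text))
    return {
        "naive_hit": naive,
        "tab_false_positive": naive and not NON_ASCII_TAB_OK.search(text),
        "high_bit_run": bool(HIGH_BIT_RUN.search(raw)),
        "q_encoded_high_byte": bool(QP_HIGH_BYTE.search(text)),
        "non_ascii_after_decoding": bool(
            NON_ASCII_TAB_OK.search(decode_subject(raw))),
    }


# Constructed sample subjects (not taken from real mail).
CJK = "\u4e3a\u4ec0\u4e48".encode("utf-8")
SAMPLES = {
    "plain": b"Re: rbl checks won't work after upgrading",
    "leading_tab": b"\tPyzor Issues",
    "one_accent": b"Caf\xe9 prices",
    "raw_utf8": CJK,
    "q_encoded": b"=?ISO-8859-1?Q?=A3100_off?=",
    "b_encoded": b"=?UTF-8?B?" + base64.b64encode(CJK) + b"?=",
}


def report() -> dict:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in report().items():
        print(f"{name:12} {flags}")
```

The base64-encoded sample passes every raw-header pattern and is only visible after decoding, which is the "it will do nothing if the subject is encoded" case from the post; the leading tab is the false positive seen in the grep output.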
Bayes database: per-user or system-wide?
I have two mailservers running SA. On one (with a very small number of users), there is a shared bayes database (bayes_path /var/work/bayes/bayes in local.cf), and in the other one I use the default per-user databases. In both machines I run sa-learn as a weekly cron job on spam in a Spam folder and ham on the users' inbox - on messages between 1 and 2 weeks old - on the assumption that users categorise their mail properly. The machine that uses the per-user database, there are much more hits on the BAYES_99 rule (it tops the list) compared to the other machine, where it is way down on the list. I therefore get the impression that this rule works better on the first box. My questions are: Should I use the shared database, if it doesn't seem to work as well? - or has something else gone wrong. Is it necessary to run sa-learn regularly, when SA auto-learns ham/spam anyway (except of course when I'm setting it up when I need to run it to initially set up the database)?
RE: Problems running Spam Assassin
Actually I was replying to my forum thread and deleted my original message that it quoted as I thought it had already hit the list. Sietse van Zanen wrote: Probably with him being too lazy to copy and paste his original message from the other board, or list.. Well, I am too lazy to follow his link... From: Theo Van Dinter Sent: Tue 21-Nov-06 15:24 To: CosmicPerl Cc: users@spamassassin.apache.org Subject: Re: Problems running Spam Assassin On Tue, Nov 21, 2006 at 06:16:15AM -0800, CosmicPerl wrote: Can anyone help with this? With what? -- Randomly Selected Tagline: ... the menu is written in more elementary Spanish than a Dora the Explorer episode ... - Karl Chalabala about a lunch menu at work -- View this message in context: http://www.nabble.com/Problems-running-Spam-Assassin-tf2664618.html#a7473175 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: blarsbl
On Tue, 21 Nov 2006 10:29:15 -0600, you wrote: Has anyone had any dealings with this guy. I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guys domain and or ip block. It would seem to me he's nothing more than a petty extortionist. He is. My system is on his list too, which is pretty amazing when you consider that my mail server supports 3, count them, 3 users - myself, my wife, and my 10 year old son - and he's somehow determined that my site hosts spammers. I ignore him. Mike- -- If you're not confused, you're not trying hard enough. -- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
Using SpamAssassin variables
Hello all! I am relatively new to SpamAssassin and subscribing to this group has really helped me in understanding many of SpamAssassin's intricacies. Thanks to everybody who posts replies to the questions asked here. Also, if this is not the proper place for me to post this question, I apologize in advance. I am in need of assistance in one area. It does not seem to me that this should be too difficult to do, but I can't seem to find any information so I figured I would ask here. I would like to know how to use a variable within SpamAssassin. For example, how would I capture the last name of the From header field for use in comparisons elsewhere? Here is a sample: From: Molly Owens [EMAIL PROTECTED] Subject: Me again Owens I am sure a lot of folks have been seeing this spam coming thru lately. I would like to check if the last name in From (Owens) shows up in the Subject header. There may or may not be a better way to catch this specific example, but being able to define a variable and use it elsewhere would be great. I have to assume that SpamAssassin allows for this, but I just can't seem to figure out how to do it. I have seen mention of eval and $1, $2, etc, and assume they have something to do with defining or using a variable, but I can find no specifics on how to use them. Also, I am curious if using variables has a significant impact on performance. I am using SpamAssassin 2.64. I know it is an older version, but that's what I have to work with at this time. Thanks! John W Mickevich Computer Management Technologies [EMAIL PROTECTED]
Sudden drop in spam-rate, parallel to a surge of new trojans - beware
Hi! Yesterday we had a sudden drop in spam-percentage from 80% to near 60%. Parallel to it I got six copies of an undetectable (by NAI and ClamAV) new trojan 'exe' in the Mail. Do we have to prepare for a new flood by an updated (just now reorganizing) botnet? Stucki -- Christoph von Stuckrad * * |nickname |[EMAIL PROTECTED] \ Freie Universitaet Berlin |/_*|'stucki' |Tel(days):+49 30 838-5 57 78| Mathematik Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 66 00| Arnimallee 6 / 14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75 454/
Re: Greylisting
On 21.11.2006 at 01:12, John Andersen wrote: On Monday 20 November 2006 15:08, Rick Macdougall wrote: It's possible that they could send it all twice but I've never seen it. Remember that some unbelievable number of infected Windows clients are the main source of spam and it would just be too much trouble for the spammer to try every address twice after a 15 minute interval. Oh come on! It costs the spammer NOTHING to make that adjustment to his bot net. It's someone else's bandwidth, and someone else's cpu cycles. They are reading this list and planning the changes already. Of course! Spam and Spamassassin is the ultimate cops and robbers! I'm sure the best spammers continually update the rules and run their own tests against them to develop new mails which get through. Despite everyone's best efforts we are fighting a losing battle with a solution that does not tackle the botnet problem at source but for that to happen things might have to get a whole lot worse! :-/ Charlie -- Charlie Clark Helmholtzstr. 20 Düsseldorf D- 40215 Tel: +49-211-938-5360 GSM: +49-178-782-6226
Re: Forged From, Other servers bouncing back
Mark Adams wrote: One of the many spammers around has sent out a LOAD of email from [EMAIL PROTECTED] Currently our server is being over-run by the bounce backs, spamassassin is choking due to the extensive checking it is doing and exim will not accept any more connections. OK, keep in mind that I have no familiarity with Exim beyond its name, so I don't know what it can and can't do. So, with that disclaimer... Is that a valid address? If not, see if you can get Exim to do user unknown checks before calling SpamAssassin. That'll save a whole lot of load, since SA will never see the bogus messages. If it's a real address, it might be possible to temporarily reject only bounce notices sent to the address. Again, I'm not familiar with Exim, but we've done something similar using Sendmail and MIMEDefang's filter_recipient functionality, rejecting a message if it's to a certain recipient and from . -- Kelson Vibber SpeedGate Communications www.speed.net
RE: getting mail directly and not via mail-relay
Thanks David, I didn't thought of that simple solution :) Firewall will certainly do the job here. Best Regards, Leon -Original Message- From: David B Funk [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 21, 2006 5:59 AM To: לאון קולצ'ינסקי Cc: users@spamassassin.apache.org Subject: Re: getting mail directly and not via mail-relay On Mon, 20 Nov 2006, Leon Kolchinsky wrote: Hello, There is a Mail-Relay administered by another person and its MX record stand before MX record of my mail server, so theoretically mail should go first through Mail-Relay to my server. The thing is that for some reason there are much e-mails (and spam among them of course) getting to my server directly and not via Mail-Relay. What could be the reason for that? Is this behavior avoidable at all? It is a well documented fact that spammers abuse a setup like yours. Yours is a bit unusual in that the low priority MX is the actual delivery site not a fall-back server but spammers don't know nor care. Spammers explicitly target low priority MXs because they believe that those systems are fall-back servers and thus probably less well 'defended' against spam. To stop your abuse, either remove univ.haifa.ac.il from the MX list for univ.haifa.ac.il or configure the network fire-wall on univ.haifa.ac.il so that it only accepts SMTP traffic from mr2.haifa.ac.il and mr3.haifa.ac.il -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.eduCollege of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527 #include std_disclaimer.h Better is not better, 'standard' is better. B{
Re: Need an ISP who offers shell account, SA etc....
On Mon, 20 Nov 2006, Robert Nicholson wrote: Is this practical without static ip? Free public dynamic DNS services can make it tolerable. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- A sword is never a killer, it is but a tool in the killer's hands. -- Lucius Annaeus Seneca (Martial) 4BC-65AD ---
amavisd-new or mailscanner?
I started out using amavisd-new then switched to MailScanner as my mail tester 'framework' (SpamAssassin has been a constant) Looking thru the docs of Mailscanner, it doesn't come out and SAY that it just does the 'basic' spam test features, but reading between the lines it seems to - I have a feeling that amavisd worked better, but that's completely subjective... Does anyone have an opinion? Mike- -- If you're not confused, you're not trying hard enough. -- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
Re: blarsbl
Hi, I recently got a call from someone trying to send to my email @t-online.de (this is a division of german telecom). While I believe that my friend's ISP might occasionally send spam (any big isp might get unwanted customers), I searched for blacklists and found that isp listed only at blars. So they probably use blars list too Wolfgang Hamann Has anyone had any dealings with this guy. I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guys domain and or ip block. It would seem to me he's nothing more than a petty extortionist. Anyone else had to deal with this? This is the guy's www site http://www.blars.org/errors/block.html Here is a quote from his www site If you would like a site be added or removed from BlarsBL, you may hire Blars at his normal consulting rates (currently $250/hour, 2 hour minimum, $1000 deposit due in advance for non-established customers) to investigate your evidence about the site. If it is found that the entry was a mistake, no charge will be made and the entire deposit will be refunded. Send Blars email from a non-listed account to verify current rates and arrange payment.
Is my Bayes DB borked?
My postfix queue is climbing like crazy, and I'm getting *lots* of messages in my syslog that look like this: 2006-11-21 16:50:39 Mail.Warningzetmail3Nov 21 16:54:43 amavis[29824]: (29824-01-4) SA TIMED OUT, backtrace: at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Bayes.pm line 481\n\teval {...} called at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Bayes.pm line 481\n\tMail::SpamAssassin::Bayes::tokenize_line('Mail::SpamAssassin::Bayes=H ASH(0xa7c65c0)', 'http://www.orbitz.com/Deals/Images/URC_20061120.gif', '', 2) called at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Bayes.pm line 337\n\tMail::SpamAssassin::Bayes::tokenize('Mail::SpamAssassin::Bayes=HASH(0 xa7c65c0)', 'Mail::SpamAssassin::Message=HASH(0xbc4e2bc)', 'HASH(0xba9fa90)') called at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Bayes.pm line 1200\n\tMail::SpamAssassin::Bayes::scan('Mail::SpamAssassin::Bayes=HASH(0xa7 c65c0)', 'Mail::SpamAssassin::PerMsgStatus=HASH(0xbc57698)', 'Mail::SpamAssassin::Message=HASH(0xbc4e2bc)') called at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssa... Kurt Buff Lead Network Administrator Zetron, Inc. 425.820.6363 x463 [EMAIL PROTECTED] PO Box 97004 Redmond, WA 98073
Re: Log Mail Caught As Spam
On 11/21/06, itdelany [EMAIL PROTECTED] wrote: Panagiotis Christias wrote: Thanks for your answer, and yes, spam word is everywhere in that email, I forgot to say that I already did an sa-learn -ham on this email. What else can I do ? Hello, you have probably not setup correctly whitelist_from_rcvd. Whitelist entries trigger the USER_IN_WHITELIST rule and add an -100 score which is enough to defy any other spam rules all together. Do you use spamd? If you do, did you restart it after adding the whitelist entries. Regards, Panagiotis This is strange, today it did not go to spam quarantine... (one day is caught and one day is not). To answer your question, this is what I added to my local.cf at /etc/spamassassin whitelist_from_rcvd [EMAIL PROTECTED] domain.com Do I have to edit something else ? Do you need anything else? What is wrong? Check again the whitelist_from_rcvd parameters you are using in your local.cf (see man page). Save your message in a file and run it through spamassassin in test/debug mode (spamassassin -t -D messagefile) to debug your configuration. Regards, Panagiotis
Re: Greylisting
On Nov 20, 2006, at 7:29 PM, Mike Jackson wrote: FYI, I work for a large hosting provider, and I've seen customers who have implemented greylisting, but spammers are getting smart enough to work around it. I doubt that they're wasting resources on queuing for redelivery, but they are recognizing 421s and attempting delivery later. I too have noticed a diminishing effect of greylisting. Our abuse desk keeps getting more and more spam and it is not possible to put any real filtering in front of it... greylisting helped a lot initially, but the last couple of months it has really gotten out of hand how much spam makes it past greylisting.
Re: Bayes column 'token'
Michael Alan Dorman wrote: CREATE TABLE bayes_token ( PRIMARY KEY (id, token), INDEX bayes_token_idx1 (token), INDEX bayes_token_idx2 (id, atime) ) TYPE=MyISAM; If the primary key was changed to (token, id), it should be able to be used in the second sort of query as well as the first, no? Ah. Yes. I missed that. Yes, if the key was (token, id), there might be no need at all for the bayes_token_idx1 index above. Sorry for my confusion. I'm no SQL or MySQL guru, so maybe I'm missing something though. I have no idea how one best optimizes a MySQL table for using WHERE xxx IN (yyy) for example, and the module does have WHERE id = ? AND token IN (...) ... in a UPDATE statement. Could that be the reason for the separate (token) index? I'm supposing that whoever wrote the MySQL bayes storage module had a reason for doing what they did and that I simply am not good enough at SQL to realize what the reason is. :-) Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: SpamAssassin for FuzzyOCR only
* On 21/11/06 12:48 -0500, Theo Van Dinter wrote: | On Tue, Nov 21, 2006 at 08:12:03PM +0300, Odhiambo Washington wrote: | I'd like to run SA with only the minimalist set of config ( and .cf | files) that would suffice to just run FuzzyOCR checks only. | SA version is 3.1.7. | | Interesting. Crazy things do happen in this Open Source world ;) Anyway, for me, it's because I want to run a second instance of FuzzyOCR on another box, which in most cases receives mail that has been analyzed by SA from a box sitting in front of it. Spammers still are able to connect to this box though, and this is for other reasons that this box is only hidden by MX, but visible by other means. It's just that I do not want to run a fully fledged SA on it. | Would it be fine to remove all files except: | 10_misc.cf 23_bayes.cf 50_scores.cf 60_awl.cf 60_whitelist.cf languages | | Or, put another way, what files are required for a barebones SA?? | | No files are needed. The rules and the engine are generally separate. The | only reason you need languages, for instance, is that if you use the TextCat | set of rules, it needs that file to function. 23_bayes.cf is only needed if | you want bayes active. etc. Great! This clarifies the doubts that were lingering in my mind. Thank you. -Wash http://www.netmeister.org/news/learn2quote.html DISCLAIMER: See http://www.wananchi.com/bms/terms.php -- +==+ |\ _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED] Zzz /,`.-'`'-. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com |,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922 '---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121 +==+ Re graphics: A picture is worth 10K words -- but only those to describe the picture. Hardly any sets of 10K words can be adequately described with pictures.
RE: blarsbl
Here is what I can give you [EMAIL PROTECTED]: host gateway.mchsi.com[204.127.203.150] said: 550-12.175.23.161 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net 550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice. (in reply to MAIL FROM command) Reporting-MTA: dns; adlsrv4.airbornedatalink.com X-Postfix-Queue-ID: 4A6C733DFE X-Postfix-Sender: rfc822; [EMAIL PROTECTED] Arrival-Date: Sun, 19 Nov 2006 18:13:01 -0600 (CST) Final-Recipient: rfc822; [EMAIL PROTECTED] Original-Recipient: rfc822;[EMAIL PROTECTED] Action: failed Status: 5.0.0 Remote-MTA: dns; gateway.mchsi.com Diagnostic-Code: smtp; 550-12.175.23.161 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net 550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice. After contacting media com I was referred to att to have the ip removed from their blacklist I spoke with my att rep and he informed me that they were using blarssbl as a dns secondary. This was a spoken conversation and no I did not record it. I've since gotten removed manually from att's mirrored copy of blars. My rep promised to look into the fact that they were using blars in the first place. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of snowcrash+spamassassin Sent: Tuesday, November 21, 2006 10:58 AM To: Thomas Lindell Cc: spamassassin Subject: Re: blarsbl On 11/21/06, Thomas Lindell [EMAIL PROTECTED] wrote: Att mail servers use his service. can you please share/point-to some evidence of that fact? if that *is* the case, i'll be chatting with my reps at att! if i've missed it here, i apologize in advance ... thanks.
RE: Not all Stock Spam is bad
-Original Message- From: Jim Maul [mailto:[EMAIL PROTECTED] Sent: Monday, November 20, 2006 2:36 PM To: spamassassin Subject: Re: Not all Stock Spam is bad DAve wrote: Randal, Phil wrote: With FuzzyOCR 3.4.2 and using ocrad, $ocrad -s5 -i $pfile should catch them, according to a post from decoder on the FuzzyOCR list. And it seems to here. Thus marks the end of my career as a comedian. I defer to Mr. Santerre and leave him to promote the outrageous and humorous on this list. Hah, don't give up so quick! At least *I* thought it was mildly humorous ;) I thought it was funny as well :) Side effect uses of spam. Maybe the next spam run could contain a background of fabric swatches. Cause you're going to need curtains for that bathroom! --Chris (Hey, I'm funnier than Michael Richards today!)
Re: Greylisting
On Tue, November 21, 2006 00:23, Michele Neylon :: Blacknight wrote: Dylan Bouterse wrote: Do you have a compiled list of those IPs? And what method are you using to whitelist? Email offlist if more appropriate. Thanks! We whitelist the main Irish ISPs, so our list wouldn't be of much use to you unless you were in Ireland :) i do the same exactly here, just for Denmark, no isp should imho be greylisted i solved it by using marbl, search for this postfix policy on google that means greylist if connecting ip is listed on a rbl list, it works nice here also whitelist ips that typical send forwarded mails, important if you have spf test in mta level -- This message was sent using 100% recycled spam mails.
Re: Bayes Database Missing
leemansvg wrote: I see in my spam.assassin.pref.conf file this entry, bayes_path /var/lib/MailScanner/bayes however when I navigate to this directory this database is not there, is there a way to generate this database. I've been noticing a lot of spam getting through and would like to tighten this. Bayes_path does not specify a directory. It specifies a directory and path. For the above to work there MUST NOT be a /var/lib/MailScanner/bayes/ directory. The bayes DB will be created in a group of files named /var/lib/MailScanner/bayes_*
Re: Greylisting
John Andersen wrote: On Monday 20 November 2006 15:08, Rick Macdougall wrote: It's possible that they could send it all twice but I've never seen it. Remember that some unbelievable number of infected Windows clients are the main source of spam and it would just be too much trouble for the spammer to try every address twice after a 15 minute interval. Oh come on! It costs the spammer NOTHING to make that adjustment to his bot net. It's someone else's bandwidth, and someone else's cpu cycles. They are reading this list and planning the changes already. Sure it costs them. If 70K hosts can send 1 billion emails a day, 70K hosts who have to retry can only send 1/2 a billion emails a day (probably less with code and retries, the spammers are not actually storing the email addresses on the infected machines, they just send an email to go out). I'm not saying they won't do it, I'm saying they aren't doing it currently. Regards, Rick
Re: How do I stop these?
On Mon, November 20, 2006 15:00, Nathan Zabaldo wrote: I am getting pounded by these types of emails. Does anyone else get these? What rule can I apply to have them killed. It's driving me nuts. SARE Stock ruleset. Available from fine ninjas everywhere. Well trained Bayes would probably help too.
user_prefs not used
Hi all, I am using spamd and calling spamc from .procmail using | /usr/bin/spamc -u chris Only the rules in /etc/mail/spamassassin/local.cf are being processed. My $HOME/.spamassassin/user_prefs file is not being used! /etc/mail/spamassassin/local.cf has allow_user_rules 1 in it but I can not get it working! Any help would be appreciated. Thanks, Chris -- /* _\|/_ (o o) +oOO-{_}-OOo---+ |Chris Willard [EMAIL PROTECTED] | | | |I'm clinging to sanity by a thread. Hand me the scissors, willya?| | | +-*/
Re: blarsbl
Michael W Cocke wrote: He is. My system is on his list too, which is pretty amazing when you consider that my mail server supports 3, count them, 3 users - myself, my wife, and my 10 year old son - and he's somehow determined that my site hosts spammers. Last I looked, he listed all of Sprint. All of it. Not just Sprint's offices, not just sites hosted by Sprint, but the entire IP space. He states that he normally adds entire netblocks. In fact, he used to block access to his website from anyone who was listed, which meant I needed to use an anonymizing proxy just to read about why he'd blocked it. Oddly, our mail server shows up with a 127.3.0.0 result. According to his description, listings should return 127.1.xxx.xxx, with the last two octets indicating the reason. Going by his table, the return code indicates that he listed us for no reason. I think it's telling that of the three multiple-RBL-lookup sites I have bookmarked, one (http://www.robtex.com/rbls.html) has deprecated the list and no longer checks it, and one (http://moensted.dk/spam/) labels it with the phrase, trying to be removed creates urges to kill. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Bayes Database Missing
Matt Kettler wrote: leemansvg wrote: I see in my spam.assassin.pref.conf file this entry, bayes_path /var/lib/MailScanner/bayes however when I navigate to this directory this database is not there, is there a way to generate this database. I've been noticing a lot of spam getting through and would like to tighten this. Bayes_path does not specify a directory. It specifies a directory and path. Correction, directory and partial filename. For the above to work there MUST NOT be a /var/lib/MailScanner/bayes/ directory. The bayes DB will be created in a group of files named /var/lib/MailScanner/bayes_*
Re: amavisd-new or mailscanner?
* Matt Hampton [EMAIL PROTECTED]: What do you mean by more than the 'basic' features? Bear in mind as well that MailScanner and amavisd-new check for spam at completely different stages of the mail processing - amavisd-new at connection time and MailScanner after it has been queued. That's not correct. A normal amavisd-new (with Postfix) scans the mail AFTER it's been queued. It can be made to scan at connection time (by using smtpd_proxy_filter). -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin BerlinTel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-BerlinFax. +49 (0)30-450 570-962 IT-Zentrum Standort CBFsend no mail to [EMAIL PROTECTED]
Re: amavisd-new or mailscanner?
Ralf Hildebrandt wrote: * Matt Hampton [EMAIL PROTECTED]: What do you mean by more than the 'basic' features? Bear in mind as well that MailScanner and amavisd-new check for spam at completely different stages of the mail processing - amavisd-new at connection time and MailScanner after it has been queued. That's not correct. A normal amavisd-new (with Postfix) scans the mail AFTER it's been queued. It can be made to scan at connection time (by using smtpd_proxy_filter). My mistake - I looked at his headers and thought he was using sendmail so the milter was how I was expecting him to use it./ matt
Bayes Database Missing
I see in my spam.assassin.pref.conf file this entry, bayes_path /var/lib/MailScanner/bayes however when I navigate to this directory this database is not there, is there a way to generate this database. I've been noticing a lot of spam getting through and would like to tighten this.
Re: Bayes column 'token'
On Tue, 21 Nov 2006 13:42:09 +0100 Jonas Eckerman [EMAIL PROTECTED] wrote: CREATE TABLE bayes_token ( PRIMARY KEY (id, token), INDEX bayes_token_idx1 (token), INDEX bayes_token_idx2 (id, atime) ) TYPE=MyISAM; PRIMARY for `id` and `token` should not have INDEX for `id` and `token` added, too. Why not? IIRC the three indexes above makes perfect sense. Like this: WHERE id=xxx AND token=xxx will use the primary index. WHERE token=xxx will use the bayes_token_idx1 index. WHERE id=xxx AND atime=xxx will use the bayes_token_idx2 index. Again IIRC, the clause WHERE token=xxx should be faster with the existence of the bayes_token_idx1 index than without it. If the primary key was changed to (token, id), it should be able to be used in the second sort of query as well as the first, no? Or is MySQL not smart enough to recognize that it's got an index it could match on a prefix basis? Or is it simply that the MySQL bayes store module never queries with token as the first column in a WHERE clause? The position of a column in the WHERE clause shouldn't make a difference whether an index is used; the nature of SQL is such that WHERE clauses should be reorderable. I'm a PostgreSQL guy myself, but I would still be surprised if MySQL were limited in this way. Mike.
RE: Greylisting
-Original Message- From: Vahric MUHTARYAN [mailto:[EMAIL PROTECTED] Hello Everybody, I'm using SA for a long time without any problem, nowadays spammers are using too much graphical objects and they are trying to change it day by day. I'm trying to use fuzzyocr but it's taking too much cpu. I think that try greylisting . I wonder are there anybody use greylisting ? Somebody can give me feedback ? I renamed greylisting the force. It works a lot for me. Just, it may need a bit more effort to get statistical data about how much spam your machine traps: now you probably see a 9/1 spam/ham ratio, after you may easily see a 1/9 spam/ham ratio. Your boss may ask you why the hell is your company spending that much for spam trapping... You must be fast answering (and proving) that most of the spam is just left out of the system... :) For reporting, a sql-based greylisting software is probably better suited. --- Giampaolo Tomassoni - IT Consultant Piazza VIII Aprile 1948, 4 I-53044 Chiusi (SI) - Italy Ph: +39-0578-21100 MAI inviare una e-mail a: NEVER send an e-mail to: [EMAIL PROTECTED] Regards Vahric
Re: user_prefs not used
Did you restart spamd after changing any options? Loren
Re: How do I stop these?
Duncan Hill writes: On Mon, November 20, 2006 15:00, Nathan Zabaldo wrote: I am getting pounded by these types of emails. Does anyone else get these? What rule can I apply to have them killed. It's driving me nuts. SARE Stock ruleset. Available from fine ninjas everywhere. Well trained Bayes would probably help too. As would running sa-update. --j.
Re: ??
On Mon, 20 Nov 2006, Philip Prindeville wrote: Of course, that would exclude messages with ISO Latin 1 (8859.1) characters like Yen, Pound Sterling, Trademark, etc. Plus, there are words in English that when properly written do contain accents, such as resume, dais, cliche, cooperation, etc. Note the 3-characters-in-a-row requirement. I don't think that will hit too often for symbols or accented English characters. YMMV, Test before deploying, etc. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- A sword is never a killer, it is but a tool in the killer's hands. -- Lucius Annaeus Seneca (Martial) 4BC-65AD ---
Re: DNS Whitelist - rule optimization
On Tue, Nov 21, 2006 at 03:21:12PM +, Justin Mason wrote: And a third and last point: Is it possible to add a dedicated header when one of the rules triggered? I see that add_header can only differentiate between spam, ham and all -- any additional options? The idea is that MUAs could display something special for whitelisted mails (eg Thunderbird with the Mnenhy extension). unfortunately, not without a plugin to call $pms->add_header(). I was originally going to respond with what options would there be? The options encapsulate all possible options, such as all. ;) My suggestion was going to be to have the plugin define tags that can be used via add_header. No need for calling add_header() internally. Btw., if you want to give dnswl.org a try on your own system - please go ahead, feedback is very welcome! how is this different from other whitelist/accreditation systems? -- Randomly Selected Tagline: *'M ST*P*D - I'd like to buy a vowel Pat, an 'O'
blarsbl
Has anyone had any dealings with this guy? I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved. The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guy's domain and or ip block. It would seem to me he's nothing more than a petty extortionist. Anyone else had to deal with this? This is the guy's www site http://www.blars.org/errors/block.html Here is a quote from his www site If you would like a site be added or removed from BlarsBL, you may hire Blars at his normal consulting rates (currently $250/hour, 2 hour minimum, $1000 deposit due in advance for non-established customers) to investigate your evidence about the site. If it is found that the entry was a mistake, no charge will be made and the entire deposit will be refunded. Send Blars email from a non-listed account to verify current rates and arrange payment.
Re: Bayes Database Missing
sorry, there are no bayes files in /etc/mail/spamassassin/ directory. I'm using MailScanner. twofers wrote: You can try: mkdir /var/lib/MailScanner/ #Creates the directory cp /etc/mail/spamassassin/bayes* /var/lib/MailScanner/ #Copies the bayes databases from the default spamassassin directory to the bayes_path directory /etc/init.d/spamassassin restart or /etc/init.d/psa-spamassassin restart #restart SA, one of these might work. But you need to restart SA. Wes leemansvg [EMAIL PROTECTED] wrote: I see in my spam.assassin.pref.conf file this entry, bayes_path /var/lib/MailScanner/bayes however when I navigate to this directory this database is not there, is there a way to generate this database. I've been noticing a lot of spam getting through and would like to tighten this.
Re: Greylisting
John Andersen wrote: On Monday 20 November 2006 15:08, Rick Macdougall wrote: It's possible that they could send it all twice but I've never seen it. Remember that some unbelievable number of infected Windows clients are the main source of spam and it would just be too much trouble for the spammer to try every address twice after a 15 minute interval. Oh come on! It costs the spammer NOTHING to make that adjustment to his bot net. It's someone else's bandwidth, and someone else's cpu cycles. They are reading this list and planning the changes already. If the graylist time is 15 minutes (for instance), and someone reports them fairly soon after they start up... and their ISP is quick to shut them down (cough, cough) then we've managed to severely limit how many sites they hit before they get shut down. Of course, graylisting a larger value (2 hours) for totally unknown correspondents would be more effective. -Philip
Re: Problems running Spam Assassin
On Sunday 19 November 2006 18:04, CosmicPerl wrote: Hi, I installed the latest SpamAssassin on my server. At first all my tests looked good, apart from load. So I setup spamc and spamd and everything seemed great, for a short while at least. A day later my mqueue had about 1500 messages in it, most with the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL. This seems to be coming up if the mailbox is full or the email is to an address that doesn't exist. It seemed that about every hour or so Sendmail was trying to flush out these messages, causing 1000's of processes to be started and making the server freeze up. Despite my Sendmail config having define(`confMAX_DAEMON_CHILDREN', `12')dnl In my procmailrc file I have:- DROPPRIVS=yes :0fw: spamassassin.lock * 256000 | spamc The SpamAssassin daemon was started with /usr/bin/spamd -d -u nobody At some point all mail stopped coming in. When I looked at the maillog file it had lots of lines like:- mkdir /root/.spamassassin: Permission denied Which I guess was causing the problem. This wasn't a problem before so I'm not sure why it happened. Any clues? I guess you might get some problem if you run spamd with -u nobody but without --nouser-config (either spamd will try to access the users' home directories as nobody, or it will try to access the home directory of nobody - I'm not sure, but in either case it will work badly). If you want per-user preferences together with -u you must either use -x --virtual-config-dir, make all users' .spamassassin directories readable (and writable, if you want bayes and/or AWL) by the spamd user (should be a special user - the nobody user isn't supposed to have any particular access to any files), or use a database. See README.spamd for security considerations if you have any untrusted users with shell access. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
RE: Problems running Spam Assassin
These mails stay there for 5 days. At least if you set up sendmail according to RFCs. That's the whole idea of SMTP store and forward. If address is unavailable, keep trying for a while before giving up. You can set the grace time to any period you like btw. -Sietse From: CosmicPerl Sent: Tue 21-Nov-06 16:48 To: users@spamassassin.apache.org Subject: Re: Problems running Spam Assassin Hi All, Ok, I've figured that having define(`confSEPARATE_PROC', `True') in my SendMail config was what was causing the flushing of the mail queue to create such a huge server load as it was spawning a new sendmail, procmail, and spamassassin child for each message in the mqueue. So I've disabled this, but I still cannot figure out why mail aimed at non-existent users is still staying in the message queue and not being rejected?? Any help would be very much appreciated. CosmicPerl wrote: Hi, It appears that as I was accepted to the mailing list after making my first post, my post did not hit the list. Here is my original full post below:- CosmicPerl wrote: Hi, I installed the latest SpamAssassin on my server. At first all my tests looked good, apart from load. So I setup spamc and spamd and everything seemed great, for a short while at least. A day later my mqueue had about 1500 messages in it, most with the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL. This seems to be coming up if the mailbox is full or the email is to an address that doesn't exist. It seemed that about every hour or so Sendmail was trying to flush out these messages, causing 1000's of processes to be started and making the server freeze up. Despite my Sendmail config having define(`confMAX_DAEMON_CHILDREN', `12')dnl In my procmailrc file I have:- DROPPRIVS=yes :0fw: spamassassin.lock * 256000 | spamc The SpamAssassin daemon was started with /usr/bin/spamd -d -u nobody At some point all mail stopped coming in.
When I looked at the maillog file it had lots of lines like:- mkdir /root/.spamassassin: Permission denied Which I guess was causing the problem. This wasn't a problem before so I'm not sure why it happened. Any clues? Basically I need to set things up so that when sendmail tries to flush I don't get my server falling over. Emails that are sent to addresses that don't exist that are currently getting the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL be deleted from the queue automatically. Ideally I'd like to give each different virtual server I have its own possibly spam folder. I'm using Webmin and have a 100 or so Virtual servers so if anyone knows a good automated way of doing this that would be great. Either way I can't have things go down again otherwise I'll lose all my clients! And SpamAssassin working again. At first it was just marking emails with [spam] in the subject. Then Yesterday It then also started changing the message to an attachment and having Spam detection software, running on the system ns.cosmicsitehosting.com, has identified this incoming email as possible spam... in the message text. I've no idea what was changed so that this started happening. I didn't think I changed anything. Then last night it stopped sending any emails. Please help! Thanks in advance. Oh by the way my local.cf file contains required_hits 10 rewrite_header Subject [SPAM] report_safe 1 use_bayes 1 skip_rbl_checks 1 use_pyzor 1 Can anyone help with this?
RE: Adding new rules for pump and dump
There is a new wave hitting. I've already written rules to catch this simple change the spammers did over the weekend. I expect the results will be very very good. I hope to have the SARE stock ruleset updated later today. So, no you aren't the only one seeing stock spams slip by over the weekend. Stay tuned for the update :) Thanks, Chris Santerre SysAdmin and Spamfighter www.rulesemporium.com www.uribl.com -Original Message- From: John Tice [mailto:[EMAIL PROTECTED] Sent: Monday, November 20, 2006 9:02 AM To: users@spamassassin.apache.org Subject: Adding new rules for pump and dump I added the SARE ruleset (etc/mail/sa/local.cf) to try and catch the pump and dumps with GIFs but the rules don't seem to be firing. Does something need to be restarted on the server to activate new rules, or are they just not specific to the spams being sent today? Anybody have a rule to catch these spams that have GIFs and a block of small, nonsensical text? They're only hitting three: BAYES_50,EXTRA_MPART_TYPE, HTML_MESSAGE. Thanks–
Braindeath in the Navy
Well, I tried to contact some people responsible for the servers below that what they were doing was broken, including citing chapter and verse where in RFC-2822 the syntax of the Received: lines was spec'd out: Received: from Gate2-sandiego.nmci.navy.mil (gate2-sandiego.nmci.navy.mil [138.163.0.42]) by mail.redfish-solutions.com (8.13.8/8.13.7) with ESMTP id kAGNLZHp020689 for [EMAIL PROTECTED]; Thu, 16 Nov 2006 16:21:40 -0700 Received: from nawesdnims03.nmci.navy.mil by Gate2-sandiego.nmci.navy.mil via smtpd (for mail.redfish-solutions.com [71.36.29.88]) with ESMTP; Thu, 16 Nov 2006 23:21:40 + Received: (private information removed) Received: (private information removed) Received: (private information removed) Received: (private information removed) Received: (private information removed) and which fields it requires (like the semi-colon followed by the timestamp coming after a comment field) [cf: RFC 2822, section 3.6.7: received = Received: name-val-list ; date-time CRLF name-val-list = [CFWS] [name-val-pair *(CFWS name-val-pair)] including the definition of CFWS in 3.2.3.] It just boggles my mind why anyone would go through that much trouble to deliberately damage a header line, rather than just delete it. Well, maybe they'll get a whiff of the errs of their ways in the Hall of Spam Shame... -Philip
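As an added illustration (not code from the post or from SpamAssassin), the checker below tests each Received: field of a message against the RFC 2822 section 3.6.7 shape cited above: after comments are removed, a ";" followed by a date-time must remain. The sample message is constructed, with example.org/example.net hosts, apart from the "(private information removed)" form quoted in the post; only the current date-time syntax with a numeric or alphabetic zone is accepted.

```python
import re
from email import message_from_string
from email.utils import parsedate_tz

# date-time in the current (non-obsolete) RFC 2822 form, zone required.
DATE_TIME = re.compile(
    r"^(?:[A-Za-z]{3},\s*)?\d{1,2}\s+[A-Za-z]{3}\s+\d{4}\s+"
    r"\d{2}:\d{2}(?::\d{2})?\s+(?:[+-]\d{4}|[A-Za-z]{1,5})$"
)


def strip_comments(value: str) -> str:
    """Replace RFC 2822 comments (nested parentheses) with a single space."""
    out, depth, in_quotes, i = [], 0, False, 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):   # quoted-pair: keep both chars
            if depth == 0:
                out.append(value[i:i + 2])
            i += 2
            continue
        if depth == 0 and ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif not in_quotes and ch == "(":
            depth += 1
        elif not in_quotes and ch == ")" and depth > 0:
            depth -= 1
            if depth == 0:
                out.append(" ")
        elif depth == 0:
            out.append(ch)
        i += 1
    return "".join(out)


def check_received(value: str) -> str:
    """Return 'ok' or a short description of what the field is missing."""
    body = strip_comments(" ".join(value.split()))      # unfold, drop comments
    _pairs, semi, stamp = body.rpartition(";")
    if not semi:
        return "missing ';' date-time"
    stamp = " ".join(stamp.split())
    if not DATE_TIME.match(stamp) or parsedate_tz(stamp) is None:
        return "text after ';' is not a date-time"
    return "ok"


def audit(raw_message: str) -> list:
    """Check every Received: field, newest hop first, as (hop, verdict)."""
    headers = message_from_string(raw_message).get_all("Received") or []
    return [(hop, check_received(value)) for hop, value in enumerate(headers, 1)]


# Constructed message; hosts, ids and times are placeholders.
SAMPLE = (
    "Received: from gw.example.org (gw.example.org [192.0.2.10])\n"
    "\tby mail.example.net (8.13.8/8.13.7) with ESMTP id kEXAMPLE01;\n"
    "\tThu, 16 Nov 2006 16:21:40 -0700 (MST)\n"
    "Received: (private information removed)\n"
    "Received: (removed; Thu, 16 Nov 2006 16:21:39 -0700)\n"
    "Received: from a.example.org by gw.example.org; (private information removed)\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for hop, verdict in audit(SAMPLE):
        print(hop, verdict)
```

A field whose only content is a comment fails even when the comment itself contains a semicolon and a timestamp, because comments are removed before the grammar is applied.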
Re: getting mail directly and not via mail-relay
Leon Kolchinsky wrote: Hello, There is a Mail-Relay administered by another person and its MX record stands before MX record of my mail server, so theoretically mail should go first through Mail-Relay to my server. The thing is that for some reason there are many e-mails (and spam among them of course) getting to my server directly and not via Mail-Relay. What could be the reason for that? Is this behavior avoidable at all? Spammers will take advantage of any opportunity you leave open. Remove the MX record and close off that server!
Re: Problems running Spam Assassin
Hi All, Ok, I've figured that having define(`confSEPARATE_PROC', `True') in my SendMail config was what was causing the flushing of the mail queue to create such a huge server load as it was spawning a new sendmail, procmail, and spamassassin child for each message in the mqueue. So I've disabled this, but I still cannot figure out why mail aimed at non-existent users is still staying in the message queue and not being rejected?? Any help would be very much appreciated. CosmicPerl wrote: Hi, It appears that as I was accepted to the mailing list after making my first post, my post did not hit the list. Here is my original full post below:- CosmicPerl wrote: Hi, I installed the latest SpamAssassin on my server. At first all my tests looked good, apart from load. So I setup spamc and spamd and everything seemed great, for a short while at least. A day later my mqueue had about 1500 messages in it, most with the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL. This seems to be coming up if the mailbox is full or the email is to an address that doesn't exist. It seemed that about every hour or so Sendmail was trying to flush out these messages, causing 1000's of processes to be started and making the server freeze up. Despite my Sendmail config having define(`confMAX_DAEMON_CHILDREN', `12')dnl In my procmailrc file I have:- DROPPRIVS=yes :0fw: spamassassin.lock * 256000 | spamc The SpamAssassin daemon was started with /usr/bin/spamd -d -u nobody At some point all mail stopped coming in. When I looked at the maillog file it had lots of lines like:- mkdir /root/.spamassassin: Permission denied Which I guess was causing the problem. This wasn't a problem before so I'm not sure why it happened. Any clues? Basically I need to set things up so that when sendmail tries to flush I don't get my server falling over.
Emails that are sent to addresses that don't exist that are currently getting the error local mailer (/usr/bin/procmail) exited with EX_TEMPFAIL be deleted from the queue automatically. Ideally I'd like to give each different virtual server I have its own possibly spam folder. I'm using Webmin and have a 100 or so Virtual servers so if anyone knows a good automated way of doing this that would be great. Either way I can't have things go down again otherwise I'll lose all my clients! And SpamAssassin working again. At first it was just marking emails with [spam] in the subject. Then Yesterday It then also started changing the message to an attachment and having Spam detection software, running on the system ns.cosmicsitehosting.com, has identified this incoming email as possible spam... in the message text. I've no idea what was changed so that this started happening. I didn't think I changed anything. Then last night it stopped sending any emails. Please help! Thanks in advance. Oh by the way my local.cf file contains required_hits 10 rewrite_header Subject [SPAM] report_safe 1 use_bayes 1 skip_rbl_checks 1 use_pyzor 1 Can anyone help with this?
Re: Greylisting
Vahric MUHTARYAN [EMAIL PROTECTED] wrote on 11/20/2006 04:33:23 PM: Hello Everybody, I'm using SA for a long time without any problem, nowadays spammers are using too much graphical objects and they are trying to change it day by day. I'm trying to use fuzzyocr but it's taking too much cpu. I think that try greylisting . I wonder are there anybody use greylisting ? Somebody can give me feedback ? We've used greylisting very successfully. Probably stops 80%-90% of the spam from even reaching SA. Several things to be aware of. Greylisting will introduce a delay that you have no control over. So if you require your mail to be delivered immediately, it may not work for you. Not all mail servers respond properly to the temp error and don't try to resend. Some mail servers don't retry for a very long time and your mail can be delayed for a very long time. I've seen an 8 hour delay once. That said, our average initial delay is between 5 - 10 minutes, most users don't notice it at all. After that, the mail isn't delayed at all. HTH Andy
Re: Greylisting
Vahric MUHTARYAN wrote: Hello, Do you come across with any problem from your clients for mails are not arriving at right time ? Because I am afraid of people mta's all of them are configured with different retry times . We whitelist the main ISPs SMTPs to avoid this issue -- Mr Michele Neylon Blacknight Solutions Hosting Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Fax. +353 (0) 59 9164239
RE: Greylisting
Not to mention that the mail queues are backing up for over half an hour because of all the spam in the first place :-p Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK -Original Message- From: uxbod [mailto:[EMAIL PROTECTED] Sent: 21 November 2006 15:13 To: users@spamassassin.apache.org Subject: RE: Greylisting Hmmm, customers not willing to wait 5-10 mins for an email ? Would prefer to receive more SPAM instead, especially for a protocol that does not guarantee delivery ;) Urgent Items = Use the phone or fax On Tue, 21 Nov 2006 16:02:34 +0100, [EMAIL PROTECTED] wrote: I'm afraid you're right on this one. Of course the spammers read this very list - and they have already started to implement anti greylisting measures... It's just a matter of time before they see too little success rate when they read the bot stats and start to circumvent greylisting too :( I have yet to try greylisting on a real production system. I am concerned about the 5-15 mins. delay because we have some sensitive customers that are already on their toes. But with the right set of arguments I'm sure I can convince even the worst customer that greylisting is a good thing... still. I wonder how many years it will take before some organization steps up and lead the way to new SMTP standards. My company has gone from 1 to 4 mail servers over the past 6 months. I reckon it's about time protocols adapt to the world today :) - Nicolai -Original Message- From: John Andersen [mailto:[EMAIL PROTECTED] Sent: 21. november 2006 01:12 To: users@spamassassin.apache.org Subject: Re: Greylisting On Monday 20 November 2006 15:08, Rick Macdougall wrote: It's possible that they could send it all twice but I've never seen it. Remember that some unbelievable number of infected Windows clients are the main source of spam and it would just be too much trouble for the spammer to try every address twice after a 15 minute interval. Oh come on!
It costs the spammer NOTHING to make that adjustment to his bot net. It's someone else's bandwidth, and someone else's cpu cycles. They are reading this list and planning the changes already. -- _ John Andersen --[ UxBoD ]-- // PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 --
Re: Greylisting
On Tue, 21 Nov 2006, Vahric MUHTARYAN wrote: Do you come across with any problem from your clients for mails are not arriving at right time ? Because I am afraid of people mta's all of them are configured with different retry times . Whitelist your clients' known MTA IP addresses. Greylisting is supposed to throttle connections from J. Random MTA, not sites with whom you are regularly exchanging legitimate email. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- A sword is never a killer, it is but a tool in the killer's hands. -- Lucius Annaeus Seneca (Martial) 4BC-65AD ---
Re: SPF and SMTP AUTH
On Tuesday 21 November 2006 12:07, Rene Caspari wrote: Hi, I have a little problem with SPF: For domain.tld there is a SPF record, which says that mail.domain.tld is allowed to send mails from [EMAIL PROTECTED] If I use mail.domain.tld with a dialin account by SMTP AUTH, spamassassin says SPF_SOFTFAIL because initially the mail was sent by the dialin account and not mail.domain.tld. OK, so domain.tld is your domain, mail.domain.tld is the MX for that domain as well as the MSA that receives outbound mail from dialin users, and SpamAssassin says SPF_SOFTFAIL of mail received by mail.domain.tld from dialin users? How can I configure spamassassin to not recognize the dialin account as a mailserver? In that case it should work as long as SpamAssassin trusts mail.domain.tld *and* the MSA/MTA at mail.domain.tld adds a Received: line that correctly states that the client was authenticated. If possible, you can also list your dialin IP ranges in trusted_networks. See http://wiki.apache.org/spamassassin/DynablockIssues and http://wiki.apache.org/spamassassin/TrustPath. Please post the unobfuscated header of a mail that hit SPF_SOFTFAIL if you need more help. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Them spammers are getting smarter..
On Tue, Nov 21, 2006 at 12:33:36PM -0800, Evan Platt wrote: So used to be mail from Richard Smith, subject Me again Richard. Now they're using the last name, ie Me again Smith FWIW, this is why it's pointless to try keeping up with those things. There's an infinite number of ways they can change around the subject/from/etc that there's no point in trying to keep up. -- Randomly Selected Tagline: Variety is the spice of life: one day ignore people, the next day annoy them. - A cat's guide to life
Re: Greylisting
Hello, Actually we are receiving too much mail, and % 60 - % 70 of this are spam , also my hardwares are not enough to handle all load because of this I can miss some mails and they are spam. Instead of using fuzzy ocr or any other thing I guess that I can use greylisting How they explained on their web page, maybe with this configuration I can get load from server because image base spams are growing day by day. Regards Vahric - Original Message - From: Giampaolo Tomassoni To: users@spamassassin.apache.org Sent: Tuesday, November 21, 2006 12:52 AM Subject: RE: Greylisting -Original Message- From: Vahric MUHTARYAN [mailto:[EMAIL PROTECTED] Hello Everybody, I'm using SA for a long time without any problem, nowadays spammers are using too much graphical objects and they are trying to change it day by day. I'm trying to use fuzzyocr but it's taking too much cpu. I think that try greylisting . I wonder are there anybody use greylisting ? Somebody can give me feedback ? I renamed greylisting the force. It works a lot to me. Just, it may need a bit more effort to get statistical data about how much spam your machine traps: now you probably see a 9/1 spam/ham ratio, after you may easily see a 1/9 spam/ham ratio. Your boss may ask you why the hell is your company spending that much for spam trapping... You must be fast answering (and proving) that most of the spam is just left out of the system... :) For reporting, a sql-based greylisting software is probably better suited. --- Giampaolo Tomassoni - IT Consultant Piazza VIII Aprile 1948, 4 I-53044 Chiusi (SI) - Italy Ph: +39-0578-21100 MAI inviare una e-mail a: NEVER send an e-mail to: [EMAIL PROTECTED] Regards Vahric
Greylisting
Hello Everybody, I'm using SA for a long time without any problem, nowadays spammers are using too much graphical objects and they are trying to change it day by day. I'm trying to use fuzzyocr but it's taking too much cpu. I think that try greylisting . I wonder are there anybody use greylisting ? Somebody can give me feedback ? Regards Vahric
RE: Not all Stock Spam is bad
With FuzzyOCR 3.4.2 and using ocrad, $ocrad -s5 -i $pfile should catch them, according to a post from decoder on the FuzzyOCR list. And it seems to here. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK -Original Message- From: DAve [mailto:[EMAIL PROTECTED] Sent: 20 November 2006 17:41 To: spamassassin Subject: Not all Stock Spam is bad I had my html turned on in my MUA this morning going through my spam box. I saw a stock spam with a background image designed to confuse OCR plugins. The colors were very striking, my wife and I decided they would look great in the upstairs bathroom. I know many spammers read this list, just wanted to say thanks. BTW, I don't use FuzzyOCR, and the message was still tagged. Better luck next time. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: blarsbl
I'm sure the FTC and US Attorney General's office would like to know about this. All you have to do is write a letter addressed to Attn: of Consumer Affairs and these guys will check it out in a big way. Wes Thomas Lindell [EMAIL PROTECTED] wrote: Has anyone had any dealings with this guy? I take my mail server very seriously. Further I take spamming very seriously in general. Even when I detect one of my customers sending spam I disable their internet until the problem is resolved. The guy that runs the blarsbl list wants to charge my company 1500$ to remove our mail server from his list. When it was listed there for no good reason. I checked my mail logs going back 6 months there wasn't a single email sent nor received from this guy's domain and or ip block. It would seem to me he's nothing more than a petty extortionist. Anyone else had to deal with this? This is the guy's www site http://www.blars.org/errors/block.html Here is a quote from his www site If you would like a site be added or removed from BlarsBL, you may hire Blars at his normal consulting rates (currently $250/hour, 2 hour minimum, $1000 deposit due in advance for non-established customers) to investigate your evidence about the site. If it is found that the entry was a mistake, no charge will be made and the entire deposit will be refunded. Send Blars email from a non-listed account to verify current rates and arrange payment.
Re: Greylisting
On 20-nov-2006, at 23:33, Vahric MUHTARYAN wrote: Hello Everybody, I'm using SA for a long time without any problem, nowadays spammers are using too much graphical objects and they are trying to change it day by day. I'm trying to use fuzzyocr but it's taking too much cpu. I think that try greylisting . I wonder are there anybody use greylisting ? Somebody can give me feedback ? I started using selective greylisting a while ago and the results are simply amazing. For instance, my private mailbox has gone from receiving 75-100 spams/day to 2-4 spams/day. Selective greylisting is a variant of pure greylisting where you don't greylist everything, but only suspicious smtp clients. I'm using maRBL (written by Ian Campbell) for this, which acts as a policy service for Postfix. It greylists clients based on DNSBL lookups. maRBL used to be available from http://www.orangegroove.net/code/marbl/, but the site seems to have disappeared. I'm actually using a modified version of maRBL, using a patch by Mark Martinec (of amavisd fame) that integrates p0f support to selectively greylist Windows smtp clients: http://archives.neohapsis.com/archives/postfix/2006-11/0577.html, which is both brilliant and hilarious :-) I have also added (primitive) support for greylisting based on missing PTR records and SPF checks myself (it actually rejects if SPF fails hard). I have put the three versions of maRBL available for download on my server: http://leander.koornneef.net/marbl/ Perhaps it can be of use to anyone. And thanks to Ian and Mark! Leander
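The greylisting behaviour discussed in this thread (temporary failure on first contact and acceptance on a later retry, whitelisting of known MTAs, and the selective variant described above) is sketched below as an added example; it is not maRBL or any poster's code. Class and function names, the 300-second delay, the addresses and the fixed set standing in for a DNSBL lookup are all assumptions made for the illustration.

```python
import ipaddress


class Greylist:
    """Triplet greylisting: (client IP, envelope sender, recipient)."""

    def __init__(self, delay=300, retry_window=4 * 3600,
                 whitelist=(), is_suspicious=None):
        self.delay = delay                    # minimum wait before a retry counts
        self.retry_window = retry_window      # forget triplets never retried in time
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.is_suspicious = is_suspicious    # None = greylist every unknown client
        self.first_seen = {}                  # triplet -> time of first attempt
        self.passed = set()                   # triplets that retried correctly

    def check(self, client_ip, sender, rcpt, now):
        """Return 'ACCEPT ...' or 'DEFER ...' (DEFER = SMTP 4xx temp failure)."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.whitelist):
            return "ACCEPT whitelisted"
        if self.is_suspicious is not None and not self.is_suspicious(client_ip):
            return "ACCEPT not suspicious"
        key = (client_ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return "ACCEPT known triplet"
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now
            return "DEFER first attempt"
        if now - first < self.delay:
            return "DEFER retried too soon"
        self.passed.add(key)
        del self.first_seen[key]
        return "ACCEPT retry after delay"


def replay(greylist, events):
    """Feed (time, ip, sender, rcpt) events through a Greylist in order."""
    return [greylist.check(ip, s, r, now) for now, ip, s, r in events]


# Constructed traffic: times are seconds since the start of the capture.
BOT = ("203.0.113.7", "offer@bulk.example", "user@example.net")
MTA = ("198.51.100.20", "bob@partner.example", "user@example.net")
ISP = ("192.0.2.25", "news@isp.example", "user@example.net")
EVENTS = [
    (0, *BOT),      # fire-and-forget sender, first try
    (5, *BOT),      # same message sent again immediately
    (10, *MTA),     # real MTA, first try
    (610, *MTA),    # queue retry after ten minutes
    (700, *MTA),    # later mail on the same triplet
    (800, *ISP),    # client inside a whitelisted network
]


def plain_run():
    return replay(Greylist(whitelist=["192.0.2.0/24"]), EVENTS)


def selective_run():
    # Stand-in for a DNSBL lookup: a fixed, constructed set of listed IPs.
    listed = {"203.0.113.7"}
    gl = Greylist(is_suspicious=lambda ip: ip in listed)
    return replay(gl, [(0, *MTA), (0, *BOT), (5, *BOT)])


if __name__ == "__main__":
    for decision in plain_run():
        print("plain     ", decision)
    for decision in selective_run():
        print("selective ", decision)
```

Sending the same message twice in quick succession does not pass; what counts is a retry that arrives after the delay, which is why the delay length and the whitelist are the settings that decide how much legitimate mail is held up.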
Re: Greylisting - branching further off topic
Benny Pedersen wrote: On Tue, November 21, 2006 00:23, Michele Neylon :: Blacknight wrote: Dylan Bouterse wrote: Do you have a compiled list of those IPs? And what method are you using to whitelist? Email offlist if more appropriate. Thanks! We whitelist the main Irish ISPs, so our list wouldn't be of much use to you unless you were in Ireland :) i do the same exactly here, just for danmark, no isp should imho be greylisted i solved it by using marbl, search for this postfix policy on google that means greylist if connecting ip is listed on a rbl list, it works nice here also whitelist ips that typical send forwarded mails, important if you have spf test in mta level I am running a small test real time whitelist (RWL) suitable for this. It currently has those addresses that milter-greylist provides (plus a few others) and I intended to open this up for people to test. I am looking for some comments on a policy to add IP addresses to the list. If anyone has any suggestions please email me off list. Also if anyone is interested in a patched version of smf-grey which supports RBLs and RWLs then please let me know - again off list regards Matt
Re: Problems running Spam Assassin
Can anyone help with this?
Re: Braindeath in the Navy
Philip Prindeville wrote: Well, I tried to contact some people responsible for the servers below that what they were doing was broken, including citing chapter and verse where in RFC-2822 in syntax of the Received: lines was spec'd out: snip It just boggles my mind why anyone would go through that much trouble to deliberately damage a header line, rather than just delete it. Well, maybe they'll get a whiff of the errs of their ways in the Hall of Spam Shame... Maybe.. but you never know.. some idiot lawmaker may have passed a law requiring that government organizations use that string whenever censoring private information anywhere.. Once you're dealing with the military (or any government organization) you can definitely have situations of compound stupidity.. Stupid law, interpreted stupidly by a high-ranking officer, with a stupid solution planned by mid-ranking officers and performed stupidly by the rank-and-file who can't make heads nor tails out of the nonsense they're given.. :) It's really amazing, but sometimes together people can collaborate to create something dumber than any of them could have thought up alone. And strict hierarchies of command tend to feed such developments.
RE: Spamassassin
-Original Message- From: Maccie Roux [mailto:[EMAIL PROTECTED] Sent: Monday, November 20, 2006 4:47 AM To: users@spamassassin.apache.org Subject: Spamassassin I think amavis is not looking at spamassassin, I also struggle to get the system to send the spam mail to a separate mailbox and not block it. Try the amavisd-new users list. amavis-user@lists.sourceforge.net Can someone please help! Thanks Maccie Roux [EMAIL PROTECTED]
Re: Greylisting
On Tue, 21 Nov 2006, Vahric MUHTARYAN wrote: I'm using SA for a long time without any problem, nowadays spammers are using too much graphical objects and they are trying to change it day by day. I'm trying to use fuzzyocr but it's taking Same Problem here ... too much cpu. I think that try greylisting . I wonder are there anybody use greylisting ? Somebody can give me feedback ? But wouldn't Spammers simply send every Mail twice in an attempt to break greylisting, then after the automatic whitelisting has been switched, you get everything twice, simply doubling the amount of spam on the long run? Just curious why I get so many spams twice or thrice in a short time (I have NOT installed greylisting because of that phenomenon, I assumed greylisting to 'go away' or 'to be just a fad', but I re-think about it, because of the CPU-Cycles needed for FuzzyOCR). Stucki -- Christoph von Stuckrad * * |nickname |[EMAIL PROTECTED] \ Freie Universitaet Berlin |/_*|'stucki' |Tel(days):+49 30 838-5 57 78| Mathematik Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 66 00| Arnimallee 6 / 14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75 454/
RE: would SA benefit from port to Java
From: Matt Kettler [mailto:[EMAIL PROTECTED] Giampaolo Tomassoni wrote: ...omissis But if we are speaking of a /10 mem*cpu factor, well, it could easily be interesting, isn't it? No. I think it would be patently stupid because of the massive effort involved and loss of mind-power. But if you like, by all means, go for it, prove us all wrong.. It isn't going to be that encouraging... :) giampaolo
Re: Greylisting
Hello, Do you come across any problems from your clients with mails not arriving at the right time? I am afraid because people's MTAs are all configured with different retry times. Regards Vahric - Original Message - From: Rick Macdougall [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Tuesday, November 21, 2006 12:49 AM Subject: Re: Greylisting Vahric MUHTARYAN wrote: Hello Everybody, I'm using SA for a long time without any problem, nowadays spammers are using too much graphical objects and they are trying to change it day by day. I'm trying to use fuzzyocr but it's taking too much cpu. I think that try greylisting . I wonder are there anybody use greylisting ? Somebody can give me feedback ? Hi, I use it with great success (300-400 spams a day dropped to 2-3 a week) using qmail. You WILL have to add some IP's to a white list to not block braindead exchange (older versions) and Groupwise (lotus notes) servers that bounce on a 421 - Please try again later, instead of trying again later. Since it's not really an SA question, you might be better off asking on your MTA's mailing list. Regards, Rick
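The greylisting behaviour discussed in the messages above, as an added example that is not from any poster or from a particular greylisting package: a triplet greylist with a minimum retry delay, showing that two back-to-back deliveries are both deferred while a queued retry passes, and how a static whitelist exempts servers that do not retry. The 300-second delay, the four-hour window, the class and function names and the sample addresses are assumptions; the 421 reply text is the one quoted in the thread.

```python
import ipaddress

TEMPFAIL = "421 Please try again later"  # reply text quoted in the thread
ACCEPT = "250 OK"

class Greylist:
    """Triplet greylisting: defer first contact, accept a retry made after min_delay."""

    def __init__(self, min_delay=300, retry_window=4 * 3600, whitelist=()):
        self.min_delay = min_delay        # seconds before a retry counts (assumed value)
        self.retry_window = retry_window  # seconds a pending triplet stays valid (assumed value)
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.pending = {}                 # triplet -> time first seen
        self.passed = set()               # triplets that retried correctly (auto-whitelist)

    def check(self, client_ip, mail_from, rcpt_to, now):
        ip = ipaddress.ip_address(client_ip)
        # Servers known to treat a temporary failure as permanent bypass the check.
        if any(ip in net for net in self.whitelist):
            return ACCEPT
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return ACCEPT
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > self.retry_window:
            self.pending[triplet] = now   # new or expired triplet: start the clock
            return TEMPFAIL
        if now - first_seen < self.min_delay:
            return TEMPFAIL               # immediate duplicate: clock is not reset
        del self.pending[triplet]
        self.passed.add(triplet)
        return ACCEPT

# Constructed sample traffic (documentation address ranges, not real hosts).
EVENTS = [
    (0,    "192.0.2.10",   "bulk@example.net",  "user@example.org"),  # first attempt
    (0,    "198.51.100.7", "alice@example.com", "user@example.org"),  # real MTA, first try
    (2,    "192.0.2.10",   "bulk@example.net",  "user@example.org"),  # same mail sent twice
    (5,    "203.0.113.25", "bob@example.com",   "user@example.org"),  # whitelisted server
    (900,  "198.51.100.7", "alice@example.com", "user@example.org"),  # queued retry
    (1000, "198.51.100.7", "alice@example.com", "user@example.org"),  # later mail, same triplet
]

def demo():
    """Replay EVENTS through a greylist that whitelists 203.0.113.0/24."""
    gl = Greylist(whitelist=["203.0.113.0/24"])
    return [gl.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in EVENTS]
```

A sender that only repeats the message immediately never leaves the pending state; only a retry after the delay moves the triplet to the auto-whitelist.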
Re: How do I stop these?
These are scoring at about 4X my threshold without the SARE stock ruleset. You may need to tweak your scoring. I find bayes_99 to be reliable. FROM_LOCAL_NOVOWEL FORGED_RCVD_HELO BAYES_99 RCVD_IN_SORBS_DUL RCVD_IN_NJABL_DUL On Nov 20, 2006, at 10:00 AM, Nathan Zabaldo wrote: I am getting pounded by these types of emails. Does anyone else get these? What rule can I apply to have them killed. It's driving me nuts. Please help!!!
Sharing bayes DB between accounts - help
I have multiple shell accounts with my ISP that function as multiple inboxes. I want to run SA on all three, and it would be convenient to share the bayesian DB between all three accounts so I only have to train one. I've installed everything in a way that I think should work, but only one of the accounts are using bayesian tests; the other two accounts are behaving as if Bayes is disabled. Here's what I did: 1) I installed SA on one account, and used mysql for bayes. My ISP (dreamhost) supports MySQL DB's at a separate URL, so I am accessing the DB via TCP not a local socket. Everything works correctly on this account. 2) Since all three accounts share a group, I chmod -R g+rw ~/saetc and ~/sausr, and then made symlinks to them in the home directories of the other two accounts 3) Set up ~/.spamassassin and .procmailrc in the other two accounts to match the account I initially installed SA in, including the IP, port, username, and password for the MySQL DB for bayes. 4) Tested from the command line to make sure that all three accounts could access the MySQL DB via tcp. All three can connect to it just fine. What happened: SA runs on all three accounts, but only the original account actually uses Bayes. Email sent to the other accounts gets headers rewritten showing that SA has analyzed the message. However, these headers never include a bayesian score. Only on the original account do the SA-written headers ever show a bayesian score. I've since even tried completely duplicating ~/saetc and ~/sausr to one of the other accounts so that it is essentially using its own install. I've looked for log files or anything like that to determine if there's an error reported when the other accounts are trying to access the DB. But I can't find any messages or logs to figure out why bayes won't run on those accounts. Any advice greatly appreciated... Thanks, Evan Evan Dorn, Ph.D. [EMAIL PROTECTED]
Re: Greylisting
On Monday 20 November 2006 21:06, Duncan Hill wrote: Greylisting has been used now for over 2 years. I haven't seen any spammer adapt their botnets to handle it in that time frame. But it's used on .0002% of MTAs. Not worth anybody's effort until it goes mainstream, or gets talked up here on this list. -- _ John Andersen
Re: would SA benefit from port to Java
That's not even mentioning the metaprogramming and higher-order programming techniques that we use extensively in SpamAssassin -- those are basically *just not possible* in C/C++. ;) --j. Matt Kettler writes: Giampaolo Tomassoni wrote: From: Matt Kettler [mailto:[EMAIL PROTECTED] That said, I agree, trying to implement SA in C++ would be a NIGHTMARE. C++ is NOT an optimal language for apps that are string-parsing intensive. I don't agree in this: I think there are good ways to handle strings in C++ which are good enough for the purposes of SA and the security constraints which would need to be enforced. I did not say there were no secure string handling methods. I said C++ was not an optimal language for string parsing. Sure you can use STL's string library and gain some security. However writing string parsing in C++ is a pain in the tail and results in a lot of very long and hard-to-maintain code. Writing string parsing in perl is easy and results in very compact easy-to-maintain code. I know. I write C/C++ for a living. String parsing in C++ sucks. Period. Let's see here.. let's find the last , in a string and extract all the characters after it as a new string.. c++: Urgh.. Make a loop, compare each character, storing the most recent match, then do an ugly substring call using that index and length-index. perl: an easy-to-write regex will do this. There are probably better ways I don't know of. The perl code is slower, but the C++ code is hard to write and hard to maintain. I'm sure there's another way to do the perl code that's faster and comparable to C++ here. However, I've yet to see anyone do this operation repeatedly in C++ without ever making an off-by-one error somewhere. Drawbacks to C/C++: - regex is not language native, added by PCRE library. Which is opensource as well, so it may be used. A lot of things are not language-native in C/C++. That's because C/C++ is designed. 
It can't be regarded as a language limit, however: you can easily use external libraries for all the natively unsupported features. True, but regexes in perl are NATIVE. You can use them ANYWHERE. Even as a parameter to a function call. To do regexes in C++ you have to make an external call to a library. Have you ever used PCRE? It's a pain. You have to call multiple functions, one to set up the regex, and another to do the match. That's not so bad for the rules, but do you know how many little regexes are scattered around the SA code that would have to be broken out? Urgh. - Too many folks write C/C++ badly, failing to watch their memory. That's a problem which may afflict even perl or python programs and programmers. You're right: under C++ writing bad code often results in sharper effects. But of course if you want to squeeze more performances you need to trade off something. In the C/C++ case, ease of coding would be traded a bit off in spite of higher performances. This is substantially more likely in anything involving string handling, which is everything SA does. - C/C++ does not have many of the very nice libraries that perl has for DNS, SPF, IP:Country, Base64, etc, etc. Well, DNS and Base64 are base services which are provided anyway. They came in a different shape, but still present. As is SPF. But I would not call any of these libraries nice. SPF and IP::Country would need to be somehow rewritten, of course. These falls under the plugin problem. It wouldn't be probably easy to replicate the (good) behaviour of these perl modules, but I don't even think it wouldn't be possible or even not worth to try it. Worse, most of the Mail:: modules would need to be somehow rewritten or otherwise implemented. Of course, a SA recode in C/C++ wouldn't came gratis. 
-Again, the development team is perl programmers, unless you've got a set of equivalent spam experts, or can prove the existing devs all know your proposed language, even suggesting ANY port to ANY other language is inane. You may as well suggest changing the spoken language of the documentation to something other than English. Thus far, all the writers speak English. Many know other spoken languages besides English, but I doubt you'd find another one that they ALL speak. I agree with you that this would be a great problem, but it is not going to be the main problem, isn't it? I would suggest it would be. Most programmers in this list seems to be very versatile about programming languages. Also, if you know perl, the next language you know is often C/C++. That's just because C/C++ is often the first serious language you learn. Yes, but many of the SA team do not have a programming background. They have a sysadmin background and learned perl to support CGI's and
Re: How do I stop these?
Larry Rosenman writes: [EMAIL PROTECTED] wrote: As would running sa-update. --j. Speaking of sa-update Is there a list of the changes from day-to-day with sa-update? I have an auto-update script that runs for it, but I'd like to see what Gets added as time goes on. Hmm. your best bet would be to subscribe to the commits list and watch out for changes to rules/branches/3.1/ ;) --j.
OT sendmail mailing list - WAS:Re: Greylisting
Can anyone suggest a 'sendmail' mailing list? I am aware of NNTP comp.mail.sendmail Usenet news. Thanks, Jerry Rick Macdougall wrote: Vahric MUHTARYAN wrote: Hello Everybody, I'm using SA for a long time without any problem, nowadays spammers are using too much graphical objects and they are trying to change it day by day. I'm trying to use fuzzyocr but it's taking too much cpu. I think that try greylisting . I wonder are there anybody use greylisting ? Somebody can give me feedback ? Hi, I use it with great success (300-400 spams a day dropped to 2-3 a week) using qmail. You WILL have to add some IP's to a white list to not block braindead exchange (older versions) and Groupwise (lotus notes) servers that bounce on a 421 - Please try again later, instead of trying again later. Since it's not really an SA question, you might be better off asking on your MTA's mailing list. Regards, Rick
Re: Problems running Spam Assassin
On Tue, Nov 21, 2006 at 06:16:15AM -0800, CosmicPerl wrote: Can anyone help with this? With what? -- Randomly Selected Tagline: ... the menu is written in more elementary Spanish than a Dora the Explorer episode ... - Karl Chalabala about a lunch menu at work
Re: How do I stop these?
John Tice wrote: On Nov 20, 2006, at 10:00 AM, Nathan Zabaldo wrote: I am getting pounded by these types of emails. Does anyone else get these? What rule can I apply to have them killed. It's driving me nuts. Please help!!! These are scoring at about 4X my threshold without the SARE stock ruleset. You may need to tweak your scoring. I find bayes_99 to be reliable. FROM_LOCAL_NOVOWEL FORGED_RCVD_HELO BAYES_99 RCVD_IN_SORBS_DUL RCVD_IN_NJABL_DUL RelayCatcher is doing a fine job of keeping me from seeing most of the spam that's out there, lately. See any messages on this list with RelayCatcher in the subject. Particularly RelayCatcher 0.3 in the subject. I was going to do a new release over the weekend, but got caught up in some things. It'll probably happen Tuesday or Wednesday, now.
Re: Greylisting
On Monday 20 November 2006 19:06, Rick Macdougall wrote: John Andersen wrote: ... the spammers are not actually storing the email addresses on the infected machines, they just send an email to go out). I'm not saying they won't do it, I'm saying they aren't doing it currently. Actually they have been for some time as an anti-botnet surveillance measure. The newer spambots do a bulk download of recipients and payload, then some time later (hours/days?) start the run after having been disconnected from the controlling irc channel/web page. By the time the spam run is noticed all that's left is an autonomous zombie with nothing but smtp traffic. In fact I would guess that passive spam-relays, that the spammer just connects to as an open relay, are less common due to a large percentage of broadband users being behind NATs. I'm also starting to see more behave like a real MTA as well, slowly making greylisting less effective.