Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Jo Rhett wrote: René Berber wrote: Jo Rhett wrote: René Berber wrote: If I change Received.pm, line 414, like this: # Sendmail, MDaemon, some webmail servers, and others - elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) { + elsif (/^from .*?(.*?authenticated.*?\).*? by/) { This can't be right. You have mismatched parens. Perl agrees with me: Yes, it's a typo, should be: elsif (/^from .*?\(.*?authenticated.*?\).*? by/) { So just FYI, with both plain sendmail and with amavisd-milter, the original line worked fine for me. Thanks for the info; more comments below. If you are using a different MTA then perhaps you should submit this as a patch with its own elsif {} container for that mailer? I'm using sendmail 8.13.8, the line before the one I changed says it is for sendmail and others (that's why I included the original comment in the code) so that is the correct line. Or send me a copy of your received line and I'll do the patch for you. The change I made works on a test from someone that was on vacation and sending a message (to me) using his ISP account, the header includes a lot of extra text with the usual dynamic IP stuff and may be forged and there was no way it would be a match by the original line. With my change, there is a match. It is probable that other, fixed, IPs can be matched by that original line, but I haven't even looked at them since the sendmail configuration I'm using is some fixed IPs defined in relay-domains and access db, those don't need to use authentication, every other IP (all dynamic) does need authentication if they want to relay from the server. A comment, the original line looks suspicious to me first because it looks like a modified copy of the previous match on the code (for qmail), that one used a match field that is unnecessary on the sendmail's line. But if you say it works, then I must be mistaken; anyway the modified line should also work so there is no damage in my change. -- René Berber
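Review bot: the `+` line as posted does not compile: `(.*?authenticated.*?\)` opens a capture group with a bare `(` and closes it with an escaped `\)`, so Perl sees an unbalanced parenthesis; the intended line is `elsif (/^from .*?\(.*?authenticated.*?\).*? by/) {`, as René's own correction in the same message says. Even in that form the change is wider than the problem it fixes: dropping `(?:\]\)|\)\]) ` removes the requirement that `(authenticated ...)` come right after the close of sendmail's `(rdns [ip])` comment, so any parenthesised comment containing `authenticated` anywhere between `from` and ` by` now counts, not only sendmail's own annotation. The header that fails today fails only because sendmail appends ` (may be forged)` inside that comment, which turns `]) (authenticated` into `)) (authenticated`; a narrower fix keeps the anchor and adds that case, e.g. `(?:\]\)|\)\]|\)\)) `. A comment on the `+` line naming the header shape it is meant to accept would help whoever touches this branch next.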
first received header forged
Hi, recently I saw a lot of spam that didn't get caught by spamassassin. All the messages have in common that the first received header is forged. Here is an example: Received: from 141.88.223.236 (HELO mx1.ihk.de) by mydomain.at with esmtp (08E71A-P)@7X K0'+V) id 76)4Y6-50O4:-+8 for [EMAIL PROTECTED]; Mon, 4 Dec 2006 01:20:50 +0180 From: Annmarie Esposito [EMAIL PROTECTED] To: [EMAIL PROTECTED] They use the recipient domain (virtual domain on our mailcluster) as the servername in the received line. Is there a way to write a custom rule for this scenario? I have set trusted and internal_networks to our public mailserver subnet. Thanks! Alex Handle
Re: 5 digit probe spam?
On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? aren't those digits the password for a password protected Bagle variant? I'd bet some braindead AV strips the infected attachments and lets the useless msg go down the path... Y_A_N
Re: Scan Messages according to arrival
Hi, leemansvg wrote: Hello, I don't know if anyone has come across this, but my Mailscanner/spamassassin/sendmail bunch seems to scan messages randomly. I noticed this because it once got behind on scanning mail and it started to scan the ones that came in immediately first. Is there a setting that I can tweak for it to adopt the policy first in, first out? You might be better off asking this on the MailScanner users mailing list. http://www.mailscanner.info/support.html#mailing How large was the queue when it started to process 'randomly'? Mailscanner normally processes the incoming queue in batches in FIFO order. But it has a setting that if the queue size exceeds the configured value it reverts to a more opportunistic processing mode. From the docs: Max Normal Queue Size If more messages are found in the queue than this, then switch to an accelerated mode of processing messages. This will cause it to stop scanning messages in strict date order, but in the order it finds them in the queue. If your queue is bigger than this size a lot of the time, then some messages could be greatly delayed. So treat this option as in emergency only. This defaults to 800. As the docs say, if this happens regularly you can raise this value to keep the FIFO behaviour. But if your incoming queue is regularly backing up that much you probably should look at why. -- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas. -- George Bernard Shaw
Re: spam
On Monday 04 December 2006 15:35, Evan Platt wrote: How in the hell does one write a rule for this sh*? Maybe a rule if the message body is less than X characters? I mean unless you expect lots of legitimate mail that says Hello. Oh crap, there go all my test mails -- John Andersen
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Jo Rhett wrote: René Berber wrote: The change I made works on a test from someone that was on vacation and sending a message (to me) using his ISP account, the header includes a lot of extra text with the usual dynamic IP stuff and may be forged and there was no way it would be a match by the original line. With my change, there is a match. Can you post the line with the hostnames obscured? I'd like to see it. It's the same one I posted before: Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged)) (authenticated bits=0) by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032 for [EMAIL PROTECTED]; Sun, 3 Dec 2006 10:02:16 -0600 (CST) The original test is looking for a pair of closing parenthesis )] or ]) which is not there (not together, but a fixed IP probably has those), or something followed by colon and there is no colon at all (the test is done starting with from). -- René Berber
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
René Berber wrote: Jo Rhett wrote: René Berber wrote: The change I made works on a test from someone that was on vacation and sending a message (to me) using his ISP account, the header includes a lot of extra text with the usual dynamic IP stuff and may be forged and there was no way it would be a match by the original line. With my change, there is a match. Can you post the line with the hostnames obscured? I'd like to see it. It's the same one I posted before: Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged)) (authenticated bits=0) by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032 for [EMAIL PROTECTED]; Sun, 3 Dec 2006 10:02:16 -0600 (CST) The original test is looking for a pair of closing parenthesis )] or ]) which is not there (not together, but a fixed IP probably has those), or something followed by colon and there is no colon at all (the test is done starting with from). Do you know why the SMTP authenticating server was forging the HELO name? Normal mail clients will give their IP address, right? And the may be forged only appears if they gave a full name and resolution succeeded *and* none of the addresses returned matched the helo name. In short, this may have been a deliberate choice to prevent a match on hosts with forged helo names. It would make sense. -- Jo Rhett Network/Software Engineer Net Consonance
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Jo Rhett wrote: René Berber wrote: Jo Rhett wrote: René Berber wrote: The change I made works on a test from someone that was on vacation and sending a message (to me) using his ISP account, the header includes a lot of extra text with the usual dynamic IP stuff and may be forged and there was no way it would be a match by the original line. With my change, there is a match. Can you post the line with the hostnames obscured? I'd like to see it. It's the same one I posted before: Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged)) (authenticated bits=0) by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032 for [EMAIL PROTECTED]; Sun, 3 Dec 2006 10:02:16 -0600 (CST) The original test is looking for a pair of closing parenthesis )] or ]) which is not there (not together, but a fixed IP probably has those), or something followed by colon and there is no colon at all (the test is done starting with from). Do you know why the SMTP authenticating server was forging the HELO name? Normal mail clients will give their IP address, right? And the may be forged only appears if they gave a full name and resolution succeeded *and* none of the addresses returned matched the helo name. In short, this may have been a deliberate choice to prevent a match on hosts with forged helo names. It would make sense. I don't agree, there is no HELO forging, the name MARISELA is the laptop's name (set in Windows), the address is the dynamic IP given by the ISP. The IP does have a reverse but no name for the IP which is normal for the big pool of addresses from that ISP and produces the may be forged part. You say normal clients, well this client is Microsoft Outlook (Office 200x edition), I don't see anything abnormal in what it is doing. Giving the IP address is probably useless if they are, most of the time, inside a private network (no name resolution at all). 
The test in question is doing only one thing: check if there was authentication or not. No attempt is made, and IMO should be made, to check if the HELO is forged; that is another test done somewhere else. Remember the context, SA only takes authentication in consideration if it was done with a trusted server, in this case it was so it counts. -- René Berber
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
On Tue, 5 Dec 2006, Jo Rhett wrote: René Berber wrote: It's the same one I posted before: Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged)) (authenticated bits=0) by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032 for [EMAIL PROTECTED]; Sun, 3 Dec 2006 10:02:16 -0600 (CST) The original test is looking for a pair of closing parenthesis )] or ]) which is not there (not together, but a fixed IP probably has those), or something followed by colon and there is no colon at all (the test is done starting with from). Do you know why the SMTP authenticating server was forging the HELO name? Normal mail clients will give their IP address, right? And the may be forged only appears if they gave a full name and resolution succeeded *and* none of the addresses returned matched the helo name. In short, this may have been a deliberate choice to prevent a match on hosts with forged helo names. It would make sense. Jo you are mistaken. Sendmail adds the (may be forged) comment when the client's IP rDNS and DNS don't match, it has -nothing- to do with the HELO name. It still should not matter. So long as the client can authenticate to the server's satisfaction, SA should honor its decision regardless of how bogus the HELO or client's DNS entries look. -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.eduCollege of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527 #include std_disclaimer.h Better is not better, 'standard' is better. B{
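The two regexes under discussion, run over the header from this thread, as an added example; this is not SpamAssassin's code and not a patch from the thread, and it is in Python because `re` accepts both patterns unchanged. Assumptions: SpamAssassin strips the `Received:` field name and folds whitespace before applying the test, so the value starts with `from `; the `FIXED` and `NOAUTH` headers are constructed to stand in for a static-IP client with and without SMTP AUTH; and `SENDMAIL_RE` is a simplified model of sendmail's `from HELO (rdns [ip] (may be forged)) (authenticated ...) by host` layout, not sendmail's grammar.

```python
import re

# The two patterns from the thread: ORIGINAL is the Received.pm line as quoted,
# PATCHED is René's corrected replacement. Python's re accepts both unchanged.
ORIGINAL = re.compile(r"^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by")
PATCHED = re.compile(r"^from .*?\(.*?authenticated.*?\).*? by")

# Simplified model of sendmail's layout (assumption, not sendmail's grammar):
# "from HELO (rdns [ip] (may be forged)) (authenticated ...) by host".
# rdns is optional because sendmail writes "([ip])" when the IP has no reverse name.
SENDMAIL_RE = re.compile(
    r"^from (?P<helo>\S+) "
    r"\((?:(?P<rdns>\S+) )?\[(?P<ip>[0-9.]+)\](?P<forged> \(may be forged\))?\)"
    r"(?: \((?P<auth>authenticated[^)]*)\))?"
    r" by (?P<by>\S+)"
)

# Samples. DYNAMIC is the header posted in the thread, trimmed after the queue id.
# FIXED and NOAUTH are constructed: a static-IP client with and without SMTP AUTH.
DYNAMIC = ("Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx "
           "[189.149.70.163] (may be forged)) (authenticated bits=0) "
           "by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032")
FIXED = ("Received: from host.example.com (host.example.com [192.0.2.10])\n"
         "\t(authenticated bits=0) by mail.example.com (8.13.8/8.13.8) "
         "with ESMTP id kB3ABCDE000001")
NOAUTH = ("Received: from host.example.com (host.example.com [192.0.2.10])\n"
          "\tby mail.example.com (8.13.8/8.13.8) with ESMTP id kB3ABCDE000002")


def normalize(header):
    """Drop the field name and fold whitespace so the value starts with 'from '.
    Assumption: this mirrors SpamAssassin's preprocessing of Received headers."""
    value = re.sub(r"^Received:\s*", "", header, flags=re.IGNORECASE)
    return " ".join(value.split())


def auth_matches(header):
    """Report whether each pattern recognises the header as an authenticated relay."""
    value = normalize(header)
    return {"original": bool(ORIGINAL.search(value)),
            "patched": bool(PATCHED.search(value))}


def parse_sendmail_received(header):
    """Extract the fields SA's relay logic cares about; None if the shape is unknown."""
    m = SENDMAIL_RE.search(normalize(header))
    if not m:
        return None
    return {
        "helo": m.group("helo"),
        "rdns": m.group("rdns"),
        "ip": m.group("ip"),
        "may_be_forged": m.group("forged") is not None,
        "authenticated": m.group("auth") is not None,
        "by": m.group("by"),
    }


if __name__ == "__main__":
    for name, header in (("DYNAMIC", DYNAMIC), ("FIXED", FIXED), ("NOAUTH", NOAUTH)):
        print(name, auth_matches(header), parse_sendmail_received(header))
```

The first sample shows what René reports: the original pattern wants `])` or `)]` immediately before the `(authenticated ...)` comment, and the ` (may be forged)` annotation moves the close to `))`. Whichever pattern is used, the match only makes a relay count as authenticated when the `by` host is already inside trusted_networks, which is the point Dave Funk makes.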
Re: 5 digit probe spam?
On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? aren't those digits the password for a password protected Bagle variant? I'd bet some braindead AV strips the infected attachments and lets the useless msg go down the path... Y_A_N Don't think so, my anti vir systems don't clean a message, they punt it to quarantine. That said, after them getting through initially I found a large number in the spam folder this morning; so they are being caught now. I haven't yet added any rules or made any changes. The botnet one looks funky though; I must dig that out. Nigel
Re: 5 digit probe spam?
On 12/5/2006 11:02 AM, Nigel Frankcom wrote: On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? aren't those digits the password for a password protected Bagle variant? I'd bet some braindead AV strips the infected attachments and lets the useless msg go down the path... Y_A_N Don't think so, my anti vir systems don't clean a message, they punt it to quarantine. What about the Rcvd path? Hasn't the msg gone thru some other MTA which may have removed the infected file and you end up getting the trash...
Re: 5 digit probe spam?
On Tue, 05 Dec 2006 11:16:15 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 11:02 AM, Nigel Frankcom wrote: On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? aren't those digits the password for a password protected Bagle variant? I'd bet some braindead AV strips the infected attachments and lets the useless msg go down the path... Y_A_N Don't think so, my anti vir systems don't clean a message, they punt it to quarantine. What about the Rcvd path? Hasn't the msg gone thru some other MTA which may have removed the infected file and you end up getting the trash... Not that I noticed, tho I didn't look too hard. If it's the spammer's outbound smtp it would be ironic to say the least :-D It's certainly a possibility.
Re: first received header forged
Alex Handle wrote: Received: from 141.88.223.236 (HELO mx1.ihk.de) by mydomain.at with esmtp (08E71A-P)@7X K0'+V) id 76)4Y6-50O4:-+8 for [EMAIL PROTECTED]; Mon, 4 Dec 2006 01:20:50 +0180 [..] Is there a way to write a custom rule for this scenario? I have set trusted and internal_networks to our public mailserver subnet. The following works for me (with the obvious replacement of the domain): header ML_UPPERHELO_FAKE Received =~ /\(HELO .*by mydomain\.at/ 11,000 hits on 240,000 messages overall, no noticeable FP until now (at least not that my users would have told me...). -- Matthias
antispam recipe
I've been using SA and other software for a few years for an antispam gateway. During the first few months, the results were very good, most spam was rejected and finally SA examined the rest. However, after almost 2 years now, the spam rate received by users is high, so I think that I have to change the way we react to spammers. Right now I'm using Postfix, DNSBL, sqlgrey and spampd+SA. I need input to build a new antispam gateway that can adapt to new spam techniques. I would highly appreciate any inputs. TIA Regards,
Re: 5 digit probe spam?
On 12/5/2006 11:26 AM, Nigel Frankcom wrote: On Tue, 05 Dec 2006 11:16:15 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 11:02 AM, Nigel Frankcom wrote: On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja [EMAIL PROTECTED] wrote: On 12/5/2006 7:27 AM, Marc Perkel wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? aren't those digits the password for a password protected Bagle variant? I'd bet some braindead AV strips the infected attachments and lets the useless msg go down the path... Y_A_N Don't think so, my anti vir systems don't clean a message, they punt it to quarantine. What about the Rcvd path? Hasn't the msg gone thru some other MTA which may have removed the infected file and you end up getting the trash... Not that I noticed, tho I didn't look too hard. If it's the spammer's outbound smtp it would be ironic to say the least :-D It's certainly a possibility. Just found a few ... sent directly from DULs. (there went my theory...) :-(
Re: check_illegal_chars
Thanks - however I don't know anything about Perl scripts, so unfortunately it doesn't help me! :) For example, within EvalTests.pm I can see what appear to be four variables: ($self, $header, $ratio, $count) The $header variable is pretty straight forward, but what's with $self, $ratio and $count? What do these mean, and what values could I put in an SA rule for them? I guess I was also hoping to find a list of the actual characters that were considered illegal. Cheers, Jeremy Theo Van Dinter [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On Thu, Nov 30, 2006 at 06:22:46PM +0100, Jeremy Fairbrass wrote: Can someone please let me know exactly what illegal characters are being checked for with the eval:check_illegal_chars rules? Can I find a list of those characters somewhere? Also, what are the meanings of the variables that this rule takes? For example: You'll want to take a look at EvalTests.pm. It should answer all your questions. -- Randomly Selected Tagline: Stewie: Ah! Damn it! I want pancakes. God! You people understand every language except English. Yo quiero pancakes. Dali mua pancakes. Clik clik bloody clik pancakes! - Family Guy, Love Thy Trophy
RE: RE: How to extract the Reverse DNS hostname by script means?
It’s been discussed on Amavisd-new list. Look here for more info: http://marc.theaimsgroup.com/?t=116483411500019r=1w=2 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, November 30, 2006 4:40 PM To: לאון קולצ'ינסקי; users@spamassassin.apache.org Subject: RE: RE: How to extract the Reverse DNS hostname by script means? Hello! Leon Kolchinsky [EMAIL PROTECTED] wrote on 19.11.2006 09:28:14: Hi Bret, According to tip from Gary V. you can reliably use whitelist_from_rcvd, You only should configure the following parameters right: trusted_networks internal_networks Best Regards, Leon Kolchinsky ... SpamAssassin will be testing the whitelist_from_rcvd against the topmost (final) received header when SA runs, so that's the one you need to look at. ... Well, does SA really check *only* the topmost header? I've found that whitelist_from_rcvd works only if the e-mail has *only one* received: header that fits with the corresponding whitelist_from_rcvd record. If there are some additional untrusted received: headers in the e-mail then whitelisting fails for me... Here is my configuration. my_server1.my_domain1.com is our SMTP server with Exim + SpamAssassin installed. my_server.my_domain.com acts as a relay for the first server (it can send both its own mail and external mail to my_server1.my_domain1.com). my_server.my_domain.com is added in trusted_networks. For example, I have the following record in my local.cf: whitelist_from_rcvd [EMAIL PROTECTED] my_domain.com. 
E-mail with the following *two* received: headers will not be whitelisted while with the *first* only will be: Received: from my_server.my_domain.com ([XXX.XXX.XXX.XXX]) by my_server1.my_domain1.com with esmtp (Exim 4.63) (envelope-from [EMAIL PROTECTED]) id 1Gpcaa-0003ZF-Ti for [EMAIL PROTECTED]; Thu, 30 Nov 2006 06:27:57 +0300 Received: from alien_server.alien_domain.com ([YYY.YYY.YYY.YYY]) by my_server.my_domain.com (8.13.6/8.13.4) with SMTP id kAU3ROA5001821 for [EMAIL PROTECTED]; Thu, 30 Nov 2006 06:27:50 +0300 (MSK) (envelope-from [EMAIL PROTECTED]) So, Am I missing something? Thanx in advance. Vitaly.
Spam from local users.
Dear All Some emails from local users are getting MARKED as (S.P.A.M.) as shown in the following log. === Dec 5 17:02:57 mail spamd[355]: spamd: identified spam (8.6/2.5) for [EMAIL PROTECTED]:510 in 1.9 seconds, 2862 bytes. Dec 5 17:02:57 mail spamd[355]: spamd: result: Y 8 - AWL,BAYES_00,DEAR_SOMETHING,FH_RELAY_NODNS,FM_NO_STYLE,HTML_MESSAGE,JR_RCVD_HOST_PROBS1,JR_RCVD_HOST_PROBS2,JR_RCVD_TOO_FEW_HOPS,MISSING_SUBJECT,RELAY_CHECKER,RELAY_CHECKER_NORDNS scantime=1.9,size=2862,[EMAIL PROTECTED],uid=510,required_score=2.5,rhost=mail.ocs.com.pk,raddr=127.0.0.1,rport=52373,mid=[EMAIL PROTECTED],bayes=0.00139389667305584,autolearn=no Dec 5 17:02:57 mail spamd[3573]: prefork: child states: II Dec 5 17:02:57 mail qmail-scanner[6079]: Clear:RC:0(61.5.138.198):SA:1(8.6/2.5): 2.240486 2830 [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] 1165320175.6092-0.mail.ocs.com.pk:446 1165320175.6092-1.mail.ocs.com.pk:1366 orig-mail.ocs.com.pk11653201754926079:2830 == The only difference is that the user is coming from outside the LAN. How can I resolve this problem? Regards, Shahzad Abid
RE: New spam
Yes, These kind of e-mails get caught by my FuzzyOcr. It's all in the scansets configuration and words in the dictionary. Some other image spam couldn't be read by FuzzyOcr, but this is the best tool for now, that I'm aware of. -Original Message- From: Ray Anderson [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 05, 2006 5:03 AM To: users@spamassassin.apache.org Subject: New spam Hello, I've been lurking for a while and had just recently decided to try to put the FuzzyOCR on my spam filtering machine, when I found the following incredibly obfuscated stock spam (link at bottom of message) The question is this: Will FuzzyOCR find/detect the garbage in this image or is even implementing OCR pointless as the generators get more sophisticated? I wasn't sure if I could post an image, so here is a link to the headers and the image. I'll take it down tomorrow morning. Thanks! -=Ray http://www.rb-com.com/spam.php
Re: Spam from local users.
Shahzad Abid wrote: Dear All Some emails from local users are getting MARKED as (S.P.A.M.) as shown in the following log. === Dec 5 17:02:57 mail spamd[355]: spamd: identified spam (8.6/2.5) for [EMAIL PROTECTED]:510 in 1.9 seconds, 2862 bytes. Dec 5 17:02:57 mail spamd[355]: spamd: result: Y 8 - AWL,BAYES_00,DEAR_SOMETHING,FH_RELAY_NODNS,FM_NO_STYLE,HTML_MESSAGE,JR_RCVD_HOST_PROBS1,JR_RCVD_HOST_PROBS2,JR_RCVD_TOO_FEW_HOPS,MISSING_SUBJECT,RELAY_CHECKER,RELAY_CHECKER_NORDNS scantime=1.9,size=2862,[EMAIL PROTECTED],uid=510,required_score=2.5,rhost=mail.ocs.com.pk,raddr=127.0.0.1,rport=52373,mid=[EMAIL PROTECTED],bayes=0.00139389667305584,autolearn=no Dec 5 17:02:57 mail spamd[3573]: prefork: child states: II Dec 5 17:02:57 mail qmail-scanner[6079]: Clear:RC:0(61.5.138.198):SA:1(8.6/2.5): 2.240486 2830 [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] 1165320175.6092-0.mail.ocs.com.pk:446 1165320175.6092-1.mail.ocs.com.pk:1366 orig-mail.ocs.com.pk11653201754926079:2830 == The only difference is that the user is coming from outside the LAN. How can I resolve this problem? Regards, First I'd like to say that it's good.. ;) They're probably sending spam, so it should get tagged. But if you don't want it, just configure to not scan outgoing mails originating from localhost. -- Anders Norrbring Norrbring Consulting
Re: antispam recipe
beast wrote: I've been using SA and other software for a few years for an antispam gateway. During the first few months, the results were very good, most spam was rejected and finally SA examined the rest. However, after almost 2 years now, the spam rate received by users is high, so I think that I have to change the way we react to spammers. Right now I'm using Postfix, DNSBL, sqlgrey and spampd+SA. I need input to build a new antispam gateway that can adapt to new spam techniques. I would highly appreciate any inputs. TIA Regards, I suggest you need to use third party rules like SARE and the URI-RBL's, DCC etc to get decent detection rates now-a-days. -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
Re: How to examine a system and determine the mail delivery agent.
How would, where would a mail transfer agent tell you the mail delivery agent for the system at hand?... Just connect to port 25 and observe the banner. Not 100% foolproof, but most of them either identify themselves (Sendmail) or have a recognizable banner (Postfix, Qmail, Exchange).
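The banner check described in the reply, as an added Python example that is not from the post: `grab_banner` reads a possibly multi-line 220 greeting from port 25 and `classify_banner` maps it to an MTA family. The sample greetings are constructed, modelled on each product's stock banner; treating a bare `220 host ESMTP` as qmail is an assumption, since that is qmail's unmodified greeting but also what any operator who has trimmed their banner ends up with.

```python
import re
import socket

# Constructed greetings, modelled on the stock banners of the MTAs the reply names.
# Assumption: the bare "220 host ESMTP" form is what an unmodified qmail prints.
SAMPLE_BANNERS = {
    "220 mail.example.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 5 Dec 2006 10:02:16 -0600": "sendmail",
    "220 mail.example.com ESMTP Postfix": "postfix",
    "220 mail.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 "
    "ready at  Tue, 5 Dec 2006 10:02:16 -0600": "exchange",
    "220 mail.example.com ESMTP Exim 4.63 Tue, 05 Dec 2006 10:02:16 -0600": "exim",
    "220 mail.example.com ESMTP": "qmail (probable)",
    "220 mail.example.com ready": "unknown",
}

# Product strings that appear in the default greetings, checked in this order.
SIGNATURES = (
    ("sendmail", re.compile(r"\bsendmail\b", re.IGNORECASE)),
    ("postfix", re.compile(r"\bpostfix\b", re.IGNORECASE)),
    ("exchange", re.compile(r"microsoft (?:esmtp|smtp) mail service", re.IGNORECASE)),
    ("exim", re.compile(r"\bexim\b", re.IGNORECASE)),
)


def classify_banner(banner):
    """Map a 220 greeting (possibly several 220- lines) to an MTA family name."""
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    first = banner.splitlines()[0] if banner else ""
    # Nothing named itself: qmail's default is just "220 <hostname> ESMTP".
    if re.fullmatch(r"220[ -]\S+ ESMTP\s*", first):
        return "qmail (probable)"
    return "unknown"


def grab_banner(host, port=25, timeout=5.0):
    """Connect, read the greeting up to the final '220 ' line, QUIT, return it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        lines = []
        while True:
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("latin-1", "replace").rstrip("\r\n")
            lines.append(line)
            # "220-" continues a multi-line greeting; "220 " (or anything else) ends it.
            if len(line) < 4 or line[3] != "-":
                break
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        banner = grab_banner(sys.argv[1])
        print(banner)
        print("=>", classify_banner(banner))
    else:
        for banner, expected in SAMPLE_BANNERS.items():
            print(classify_banner(banner).ljust(18), banner)
```

Postfix's `smtpd_banner` and sendmail's `SmtpGreetingMessage` let an operator hide or fake the product name, which is why the reply calls this "not 100% foolproof"; the EHLO extension list and the wording of error replies are the usual next clues.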
multiple whitelist_rcvd_from
my whitelist_rcvd_from works with a pair of arguments. i was trying to get it working with multiple arguments for multiple virtual domains. anyone can share examples of it with 3 or more pairs of arguments? tnx
RE: Spam from local users.
I think you should read this http://www200.pair.com/mecham/spam/bypassing.html -Original Message- From: Anders Norrbring [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 05, 2006 2:19 PM To: users@spamassassin.apache.org Subject: Re: Spam from local users. Shahzad Abid wrote: Dear All Some emails from local users are getting MARKED as (S.P.A.M.) as shown in the following log. === Dec 5 17:02:57 mail spamd[355]: spamd: identified spam (8.6/2.5) for [EMAIL PROTECTED]:510 in 1.9 seconds, 2862 bytes. Dec 5 17:02:57 mail spamd[355]: spamd: result: Y 8 - AWL,BAYES_00,DEAR_SOMETHING,FH_RELAY_NODNS,FM_NO_STYLE,HTML_MESSAGE,JR_RCVD_HOST_PROBS1,JR_RCVD_HOST_PROBS2,JR_RCVD_TOO_FEW_HOPS,MISSING_SUBJECT,RELAY_CHECKER,RELAY_CHECKER_NORDNS scantime=1.9,size=2862,[EMAIL PROTECTED],uid=510,required_score=2.5,rhost=mail.ocs.com.pk,raddr=127.0.0.1,rport=52373,mid=[EMAIL PROTECTED],bayes=0.00139389667305584,autolearn=no Dec 5 17:02:57 mail spamd[3573]: prefork: child states: II Dec 5 17:02:57 mail qmail-scanner[6079]: Clear:RC:0(61.5.138.198):SA:1(8.6/2.5): 2.240486 2830 [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] 1165320175.6092-0.mail.ocs.com.pk:446 1165320175.6092-1.mail.ocs.com.pk:1366 orig-mail.ocs.com.pk11653201754926079:2830 == The only difference is that the user is coming from outside the LAN. How can I resolve this problem? Regards, First I'd like to say that it's good.. ;) They're probably sending spam, so it should get tagged. But if you don't want it, just configure to not scan outgoing mails originating from localhost. -- Anders Norrbring Norrbring Consulting
Re: multiple whitelist_rcvd_from
On Tue, Dec 05, 2006 at 02:06:09PM +0100, vertito wrote: my whitelist_rcvd_from works with a pair of arguments. i was trying to get it working with multiple arguments for multiple virtual domains. anyone can share examples of it with 3 or more pairs of arguments? you can't have more than two arguments. if you want multiple rcvd whitelists, use multiple statements. -- Randomly Selected Tagline: La Brea Tar Pits As seen on the tar channel
SA TIMED OUT
Hello list, I use a mailrelay with postfix, amavisd-new 2.3.3 and Spamassassin 3.1.7. I get the following failure ca. 25 times a day: Dec 5 15:32:58 server amavis[23505]: (23505-01-24) SA TIMED OUT, backtrace: at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm line 71\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm line 71\n\tMail::SpamAssassin::Locker::jittery_one_second_sleep('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9747010)') called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker/UnixNFSSafe.pm line 85\n\tMail::SpamAssassin::Locker::UnixNFSSafe::safe_lock('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9747010)','/var/amavis/.spamassassin/bayes',10,0700) called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore/DBM.pm line 268\n\tMail::SpamAssassin::BayesStore::DBM::tie_db_writable('Mail::SpamAssassin::BayesStore::DBM=HASH(0x9c840c4)') called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 715\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Bayes.pm line 7... Does anybody know where the problem is? Thanks for help. Stefan
RE: rules_du_jour not working confusion?
Bazooka Joe wrote: rules_du_jour seems to fail on lint. I am trying to figure that out now but I have a different question. Has channels replaced rules_du_jour? Should I be using something else to update my sare rules? thx -bazooka ps I am using SpamAssassin 3.1.4 pps below are the lint errors if anyone has come across it before I delve into it. Lint output: [29533] warn: config: failed to parse line, skipping: !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.01 Transitional//EN http://www.w3.org/TR/html4/loose.dtd; [29533] warn: config: failed to parse line, skipping: html [29533] warn: config: failed to parse line, skipping: headmeta name=GENERATOR content=Microsoft Visual Studio .NET 8.0 /meta name=CODE_LANGUAGE content=C [29533] warn: config: failed to parse line, skipping: meta name=keywords content=emporium,rule,school,supply,bulletin,board,back,to,list,3 [29533] warn: config: failed to parse line, skipping: meta name=description content=child art teacher supply classroom store discount boat part propeller I ran into this problem a while back when the RDJ update site had some problems. What happens is that a placeholder or 404 page gets downloaded to the rule file. To fix it, just empty the RDJ working directory and force it to download all of the rules again. On my machine, the directory is /etc/mail/spamassassin/RulesDuJour. So just do this: rm /etc/mail/spamassassin/RulesDuJour/* (assuming your directory is located in the same place as mine) And then run rules_du_jour again and it should work fine. -- Bowie
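A check to run on freshly downloaded rule files before `spamassassin --lint`, as an added Python example that is not part of rules_du_jour: it rejects any `.cf` file that contains HTML tags or has no rule directive at all, which is the failure mode the lint output above shows. Both file bodies are constructed: `HTML_PLACEHOLDER` mirrors the tags the lint warnings quote, `RULES_FILE` is a three-line rule set written for this example; that the RulesDuJour directory holds its rules as `*.cf` files is an assumption following the poster's path.

```python
import os
import re

# Constructed contents. The first mirrors what the lint warnings show: an HTML page
# saved where a rules file was expected. The second is a small rule set written here.
HTML_PLACEHOLDER = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><meta name="GENERATOR" content="Microsoft Visual Studio .NET 8.0"></head>
<body>This domain is parked.</body>
</html>
"""
RULES_FILE = r"""# constructed rule set for this example
header   EX_UPPERHELO_FAKE   Received =~ /\(HELO .*by mydomain\.at/
describe EX_UPPERHELO_FAKE   Received: claims to have been handled by our own domain
score    EX_UPPERHELO_FAKE   2.0
"""

# A line starting with an HTML tag is never valid in a .cf file.
HTML_MARKER = re.compile(r"^\s*<(!doctype|html|head|meta|body|script)\b",
                         re.IGNORECASE | re.MULTILINE)
# At least one of these directives must be present for the file to be a rule set.
RULE_LINE = re.compile(r"^\s*(header|body|rawbody|uri|full|meta|describe|score|ifplugin|lang)\s+",
                       re.IGNORECASE | re.MULTILINE)


def looks_like_rules(text):
    """True only for text with at least one rule directive and no HTML tags."""
    if HTML_MARKER.search(text):
        return False
    return RULE_LINE.search(text) is not None


def find_bad_rule_files(directory):
    """Return the .cf files under directory that fail looks_like_rules (sorted)."""
    bad = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".cf"):
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            if not looks_like_rules(fh.read()):
                bad.append(path)
    return bad


if __name__ == "__main__":
    import sys
    # Assumption: the RulesDuJour working directory from the post; override on the command line.
    rules_dir = sys.argv[1] if len(sys.argv) > 1 else "/etc/mail/spamassassin/RulesDuJour"
    bad = find_bad_rule_files(rules_dir)
    for path in bad:
        print("not a rules file:", path)
    sys.exit(1 if bad else 0)
```

Wire it in between the download and the lint step so a 404 or parked-domain page is deleted and the previous good copy kept, rather than left in place to break `--lint` and stop every subsequent update.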
Re: SA TIMED OUT
On Tue, Dec 05, 2006 at 04:06:17PM +0100, Stefan Jakobs wrote: Dec 5 15:32:58 server amavis[23505]: (23505-01-24) SA TIMED OUT, backtrace: at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm line 71\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm That's not very nice. 71\n\tMail::SpamAssassin::Locker::jittery_one_second_sleep('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9747010)') Are you using NFS? If not, switch to flock. Does anybody know where the problem is? Amavis decides that it's tired of waiting for SA, which is waiting to write to the Bayes DB. -- Randomly Selected Tagline: Before you criticize someone, you should walk a mile in their shoes. That way, when you criticize them, you're a mile away and you have their shoes. - Zen Musings
NMake error
Hi, I have a problem with SA installation on Windows 2000 Server SP4, in particular: C:\Perl\bin\perl.exe version.h.pl version.h.pl: creating version.h copy config.h.win config.h copy spamc.h.win spamc.h C:\Perl\bin\perl.exe ..\build\preprocessor -Mvars -iMakefile.win -oMakefile cd .. NMAKE -f spamc/Makefile spamc/spamc.exe Microsoft (R) Program Maintenance Utility Version 1.50 Copyright (c) Microsoft Corp 1988-94. All rights reserved. cd spamc NMAKE spamc.exe Microsoft (R) Program Maintenance Utility Version 1.50 Copyright (c) Microsoft Corp 1988-94. All rights reserved. cl /DWIN32 /W4 spamc.c replace\getopt.c libspamc.c utils.c ws2_32.lib 'cl' is not recognized as an internal or external command, operable program or batch file. NMAKE : fatal error U1077: 'C:\WINNT\system32\cmd.exe' : return code '0x1' Stop. NMAKE : fatal error U1077: 'C:\WINNT\system32\cmd.exe' : return code '0x2' Stop. NMAKE : fatal error U1077: 'C:\WINNT\system32\cmd.exe' : return code '0x2' Stop. ..thanks. -- Salvatore.
RE: multiple whitelist_rcvd_from
nice. thanks!

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 05, 2006 3:44 PM
To: users@spamassassin.apache.org
Subject: Re: multiple whitelist_rcvd_from

On Tue, Dec 05, 2006 at 02:06:09PM +0100, vertito wrote:

my whitelist_rcvd_from works with a pair of arguments. i was trying to get it working with multiple arguments for multiple virtual domains. anyone can share examples of it with 3 or more pairs of arguments?

you can't have more than two arguments. if you want multiple rcvd whitelists, use multiple statements.

-- Randomly Selected Tagline: La Brea Tar Pits As seen on the tar channel
Re: first received header forged
recently i saw a lot of spam that didn't get caught by spamassassin. All the messages have in common that the first received header is forged. Here is an example:

Received: from 141.88.223.236 (HELO mx1.ihk.de) by mydomain.at with esmtp (08E71A-P)@7X K0'+V) id 76)4Y6-50O4:-+8 for [EMAIL PROTECTED]; Mon, 4 Dec 2006 01:20:50 +0180
From: Annmarie Esposito [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

They use the recipient domain (virtual domain on our mailcluster) as the servername in the received line.

You mean the 'hi its me!' spams with headers like

Received: from 216.117.144.149 (HELO smtp.accadia.com) by earthlink.net with esmtp (0.U011UE BG391) id N6.'[EMAIL PROTECTED] for [EMAIL PROTECTED]; Tue, 5 Dec 2006 12:29:13 -0540

Around here those trigger
2.8 RCVD_FORGED_WROTE Forged 'Received' header found ('wrote:' spam)
0.1 FORGED_RCVD_HELO Received: contains a forged HELO

(This particular spam got 28 points between the above and a bunch of other rule hits.) Loren
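As an added defender-side illustration (not code from this thread and not SpamAssassin's own rule logic), here is a Python check for the forgery pattern described above: a hop that our own MX did not write but that claims our domain as its "by" host. It assumes the caller feeds it only the Received lines below the ones its own servers added; the local-domain list and the "impossible timezone offset" heuristic (the sample's +0180) are my additions.

```python
import re

# Constructed samples. FORGED is modelled on the header quoted in the thread:
# a sender-written line that names the recipient's own domain as the "by"
# host, carries a nonsense id and an offset whose minutes field is 80.
FORGED = ("from 141.88.223.236 (HELO mx1.ihk.de) by mydomain.at with esmtp "
          "(08E71A-P)@7X K0'+V) id 76)4Y6-50O4:-+8 for user@mydomain.at; "
          "Mon, 4 Dec 2006 01:20:50 +0180")
# A plausible hop written by a third-party relay on the way to us.
LEGIT = ("from client.example.org (client.example.org [192.0.2.10]) "
         "by mail.example.net (Postfix) with ESMTP id 4F2A1 "
         "for <user@mydomain.at>; Tue, 5 Dec 2006 10:00:00 +0100")

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
TZ_RE = re.compile(r"([+-])(\d\d)(\d\d)\s*$")


def _is_local(host, local_domains):
    """True if host is one of our domains or a host inside one of them."""
    host = host.lower().rstrip(".")
    domains = [d.lower() for d in local_domains]
    return any(host == d or host.endswith("." + d) for d in domains)


def forged_reasons(received, local_domains):
    """Reason codes for which an untrusted Received line looks forged.

    Only call this on hops below the ones our own MX wrote: those are the
    only lines a sender could have composed.  Returns [] for a clean hop.
    """
    reasons = []
    m = BY_RE.search(received)
    if m and _is_local(m.group(1), local_domains):
        # Only our own servers can truthfully claim to have received a
        # message "by" our domain; a lower hop saying so came from the sender.
        reasons.append("BY_CLAIMS_LOCAL_DOMAIN")
    tz = TZ_RE.search(received)
    if tz and int(tz.group(3)) >= 60:
        # Offsets are hours+minutes; a minutes field of 60 or more is not
        # something a real MTA emits (assumption: treat it as a forgery tell).
        reasons.append("IMPOSSIBLE_TZ_OFFSET")
    return reasons


if __name__ == "__main__":
    for label, hop in (("forged", FORGED), ("legit", LEGIT)):
        print(label, forged_reasons(hop, ["mydomain.at"]))
```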
Why did I get an error while I were installing spamassassin
I want to use spamassassin3.1.7 on freebsd6.1 I get an error as below,

# cd /usr/ports/dns/p5-Net-DNS
# make
=== Building for p5-Net-DNS-0.59
Makefile out-of-date with respect to /usr/local/lib/perl5/5.8.8/mach/Config.pm
Cleaning current config before rebuilding Makefile...
make -f Makefile.old clean /dev/null 21
/usr/local/bin/perl5.8.8 Makefile.PL INSTALLDIRS=site CC=cc CCFLAGS=-O2 -fno-strict-aliasing -pipe PREFIX=/usr/local INSTALLPRIVLIB=/usr/local/lib INSTALLARCHLIB=/usr/local/lib
The libraries needed to support IPv6 transport have not been found. You will need recent versions of the IO::Socket::INET6 and Socket6 libraries (from CPAN).
Testing if you have a C compiler and the needed header files
You have a working compiler.
You appear to be directly connected to the Internet. I have some tests that try to query live nameservers. Do you want to enable these tests? [y] NO
Checking if your kit is complete... Looks good
Warning: prerequisite Digest::HMAC_MD5 1 not found.
Warning: prerequisite Net::IP 1.2 not found.
Writing Makefile for Net::DNS
== Your Makefile has been rebuilt. ==
== Please rerun the make command. ==
false
*** Error code 1
Stop in /usr/ports/dns/p5-Net-DNS/work/Net-DNS-0.59.
*** Error code 1
Stop in /usr/ports/dns/p5-Net-DNS.

What Should I do ? Thanks
Re: Why did I get an error while I were installing spamassassin
On Tue, Dec 05, 2006 at 06:43:26PM +0200, Halid Faith wrote:

# cd /usr/ports/dns/p5-Net-DNS
What Should I do ?

Ask the Net::DNS or ports guys? This has nothing to do with SpamAssassin.

-- Randomly Selected Tagline: Decapitation cures headaches!
E-mailed addressed to numbered username
Hi, I get a lot of e-mail where the username contains only numbers. ex. [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] These users don't exist so postfix simply throws the e-mail away but I am curious if anyone knows why spammers bother to send all these e-mails? Are they checking to see if I have a mail server running? Thanks, Rob
Re: SA TIMED OUT
On Tuesday, 5 December 2006 16:12, Theo Van Dinter wrote:

On Tue, Dec 05, 2006 at 04:06:17PM +0100, Stefan Jakobs wrote:

Dec 5 15:32:58 server amavis[23505]: (23505-01-24) SA TIMED OUT, backtrace: at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm line 71\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locker.pm

That's not very nice.

71\n\tMail::SpamAssassin::Locker::jittery_one_second_sleep('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9747010)')

Are you using NFS? If not, switch to flock.

No, I don't use NFS. What do you mean by switch to flock?

Does anybody know where the problem is?

Amavis decides that it's tired of waiting for SA, which is waiting to write to the Bayes DB.

Bye Stefan
spamstats incomplete
Hi everyone, First and foremost, excuse the cross post for those that are on the both lists- but I'm not sure if this is an SA issue or a BSD issue. Due to disk space issues I recently created a symlink for /var/log/exim in /usr/var2. Could the creation of the symlink be related to what my spamstats.pl is now producing? As you can see its still reading from /var/log/maillog but data is not complete.

File /var/log/maillog : from Dec 5 00:00:00 to Dec 5 11:33:44
Total number of emails processed by the spam filter : 0
Number of spams : n/a
Number of clean messages: n/a
Average message analysis time : 7.03 seconds
Average spam analysis time : 5.83 seconds
Average clean message analysis time : 10.06 seconds
Average message score : 10.01
Average spam score : 20.42
Average clean message score : -16.28
Total spam volume : 6 Mbytes
Total clean volume : 38 Mbytes

Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Re: SA TIMED OUT
On Tue, Dec 05, 2006 at 06:11:56PM +0100, Stefan Jakobs wrote:

71\n\tMail::SpamAssassin::Locker::jittery_one_second_sleep('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9747010)')

Are you using NFS? If not, switch to flock.

No, I don't use NFS. What do you mean with switch to flock?

This doesn't necessarily solve your problem, but you should switch the SA lock method to flock ala:

lock_method flock

it's better, but only works on non-network FS.

-- Randomly Selected Tagline: The programmer needs the machine to run long enough to destroy it. - Prof. Michaelson
RE: E-mailed addressed to numbered username
From: Rob Myroon [mailto:[EMAIL PROTECTED]

Hi, I get a lot of e-mail where the username contains only numbers. ex. [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] These users don't exist so postfix simply throws the e-mail away but I am curious if anyone knows why spammers bother to send all these e-mails? Are they checking to see if I have a mail server running?

FWIK, some (often large) e-mail service providers do create custom mailbox and accounts with just the account id, then they assign the customer-wanted name aliasing that mailbox. Also, in some cases and some (quaint) MTA's, a mailbox may be identified by its uid. Since uids and mailbox's numeric ids are often assigned sequentially, this kind of scavenging approach has the advantage that when a mailbox is finally found, all the others are just numbers following the same pattern. I.e.: suppose you can send a mail to [EMAIL PROTECTED] You may easily bet that you'll find mailboxes on every id starting from, say, 1 up to the first delivery error.

Thanks, Rob

You're welcome, g
spamassassin --lint soft errors on SARE rules
'spamassassin --lint' gives me some soft errors on some SARE rules (see below) Are these known, 'ignore for now' sorts of things due to SA 2.x and SA 3.x installs, or should I be doing something about this? Is there any way to adjust --lint to not show these ? Thanks, Ken A Pacific.Net

[14609] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
[14609] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'

grep SARE_HEAD_SUBJ_RAND /etc/mail/spamassassin/*.cf
70_sare_header.cf:meta SARE_HEAD_SUBJ_RAND 0
70_sare_header.cf:header __SARE_HEAD_SUBJ_RAND Subject =~ /^(?:R[Ee]: )?(?:[a-z]{2,20}[\-\.\,]?\s?){1,8}/ # no /i!
70_sare_header.cf:meta SARE_HEAD_SUBJ_RAND (__SARE_HEAD_SUBJ_RAND (SARE_XMAIL_SUSP2 || SARE_HEAD_XAUTH_WARN || X_AUTH_WARN_FAKED))
SpamAssassin 3.1.7 and Openbsd 4.0 installation fail
Hi, Anybody can guide me how to proceed. I am installing SpamAssassin on OpenBSD 4.0 and it failed during the test phase. I have attached the output. Perl version is v5.8.8 built for i386-openbsd 4.0

Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e test_harness(0, 'blib/lib', 'blib/arch') t/*.t
t/basic_lintok t/bayesdbm..ok t/bayesdbm_flockok t/bayessdbm.ok t/bayessdbm_seen_delete.ok t/bayessql..skipped all skipped: no reason given t/blacklist_autolearn...ok t/body_mod..ok t/cidrs.ok t/config_errs...skipped all skipped: no reason given t/db_awl_path...ok t/db_based_whitelistok t/db_based_whitelist_ipsok t/dcc...skipped all skipped: no reason given t/debug.ok t/desc_wrap.ok t/dnsbl.skipped all skipped: no reason given t/forged_rcvd...ok t/get_headers...ok t/gtube.ok t/hashcash..ok t/html_colors...ok t/html_obfu.ok t/ifversion.ok t/ip_addrs..ok t/lang_lint.ok t/lang_pl_tests.ok t/lint_nocreate_prefs...ok t/memory_cycles.skipped all skipped: no reason given t/meta..ok t/metadata..ok t/mimeheaderok t/mimeparse.ok t/missing_hb_separator..ok t/nonspam...ok t/pluginok t/plugin_file...ok t/prefs_include.ok t/razor2skipped all skipped: no reason given t/rcvd_parser...ok t/recipsok t/recursion.ok t/regexp_valid..ok t/relative_scores...ok t/report_safe...ok t/reportheader..ok t/reportheader_8bit.ok t/rule_namesok t/rule_testsok t/rule_typesok t/sha1..ok t/spam..ok t/spamc.ok t/spamc_B...ok t/spamc_c...ok t/spamc_c_stdout_closed.ok t/spamc_cf..ok t/spamc_E...ok t/spamc_l...ok t/spamc_optCok t/spamc_optLok t/spamd.ok t/spamd_allow_user_rulesok t/spamd_hup.ok 19/80
Use of uninitialized value in scalar chomp at t/spamd_hup.t line 69.
t/spamd_hup.NOK 20# Failed test 20 in t/spamd_hup.t at line 39 fail #3
# t/spamd_hup.t line 39 is: ok ($pid2 = get_pid($pid1));
Use of uninitialized value in concatenation (.) or string at t/spamd_hup.t line 40.
Use of uninitialized value in numeric ne (!=) at t/spamd_hup.t line 42.
t/spamd_hup.NOK 21# Failed test 21 in t/spamd_hup.t at line 42 fail #3
# t/spamd_hup.t line 42 is: ok ($pid2 != 0 and kill (0, $pid2));
t/spamd_hup.FAILED tests 20-21
Failed 2/80 tests, 97.50% okay
t/spamd_ldapskipped all skipped: no reason given t/spamd_maxchildren.ok t/spamd_maxsize.ok t/spamd_parallelok t/spamd_plugin..ok t/spamd_portok t/spamd_prefork_stress..skipped all skipped: no reason given t/spamd_prefork_stress_2skipped all skipped: no reason given t/spamd_prefork_stress_3skipped all skipped: no reason given t/spamd_protocol_10.ok t/spamd_report..ok t/spamd_report_ifspam...ok t/spamd_ssl.skipped all skipped: no reason given t/spamd_ssl_accept_fail.skipped all skipped: no reason given t/spamd_stopok t/spamd_symbols.ok t/spamd_syslog..ok t/spamd_unixok t/spamd_utf8skipped all skipped: no reason given t/spf...skipped all skipped: no reason given t/sql_based_whitelist...skipped all skipped: no reason given t/strip2ok t/strip_no_subject..ok t/stripmarkup...ok t/trust_pathskipped all skipped: no reason given t/uri...ok t/uri_html..ok t/uri_text..ok t/utf8..ok t/whitelist_addrs...ok t/whitelist_fromok t/whitelist_subject.ok t/whitelist_to..ok t/zz_cleanupok

Failed Test Stat Wstat Total Fail Failed List of Failed
t/spamd_hup.t 80 2 2.50% 20-21
16 tests skipped.
Failed 1/98 test scripts, 98.98% okay. 2/2116 subtests failed,
Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail
Anybody can guide me how to proceed. I am installing SpamAssassin on OpenBSD 4.0 and it failed during the test phase. I have attached the output. Perl version is v5.8.8 built for i386-openbsd 4.0 You didn't build your own perl or anything, did you? I have installed 3.1.7 on OpenBSD 4.0-STABLE dozens of times since 4.0 was released, and have not had any problems. Have you updated to -STABLE? Benny -- The faster you finish the fight, the less shot you will get. -- Marine Corps Rules for Gunfighting
Re: rules_du_jour not working confusion?
Thx Bowie That fixed rdj. But what about channels? Is that to replace rdj? -bazooka

On 12/5/06, Bowie Bailey [EMAIL PROTECTED] wrote:
Need regexp tip
I'm working on a series of rules to find obfuscated words in subject lines that have been misspelled by adding an extra character (often a repeated letter) to a word. For certain words, it seems to be appropriate to assume that if they're misspelled in that way, it's deliberate. I've got the syntax for a regular expression mostly working (including words with trailing punctuation), but I don't have it identifying words where the last letter is doubled. Thus if I have a regexp that looks like:

/\b(?!badword)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i

I'm getting hits on things like 'baddword' and 'badwoord', and even 'badworrd!', but I'm not getting a hit on 'badwordd'. I've tried a number of variants, but still am not quite getting it. What am I missing? Smith
Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail
It is on OpenBSD 4.0-STABLE. I did not build perl and install it from the package.

On 12/5/06, C. Bensend [EMAIL PROTECTED] wrote:
RE: rules_du_jour not working confusion?
Bazooka Joe wrote: Thx Bowie That fixed rdj. But what about channels? Is that to replace rdj? Yes, you can replace RDJ with the sa-update channels. I am still using RDJ for rule updates, so I can't help you with the channel configuration. -- Bowie
RE: spamstats incomplete
As you can see its still reading from /var/log/maillog but data is not complete.

Never mind, I got it - sorry to waste a thread
Re: SA TIMED OUT
On Tuesday, 5 December 2006 18:16, Theo Van Dinter wrote:

On Tue, Dec 05, 2006 at 06:11:56PM +0100, Stefan Jakobs wrote:

71\n\tMail::SpamAssassin::Locker::jittery_one_second_sleep('Mail::SpamAssassin::Locker::UnixNFSSafe=HASH(0x9747010)')

Are you using NFS? If not, switch to flock.

No, I don't use NFS. What do you mean by switch to flock?

This doesn't necessarily solve your problem, but you should switch the SA lock method to flock ala: lock_method flock

Good, I will try this.

it's better, but only works on non-network FS.

Here is another hint: Every day I execute the following command and force an expire of the Bayes DB:

/usr/bin/sa-learn --dbpath /var/amavis/.spamassassin -p /var/amavis/.spamassassin/user_prefs -u vscan --force-expire

In local.cf I have the following entries:

bayes_auto_expire 1
bayes_expiry_max_db_size 300
bayes_journal_max_size 102400

Can this be the reason for the Time out? Thanks, Stefan
Re: Need regexp tip
On Tue, 5 Dec 2006, NFN Smith wrote:

I'm working on a series of rules to find obfuscated words

/\b(?!badword)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i

I have a tool that does this (for double letters as well as other obfuscations) automatically. http://www.impsec.org/~jhardin/antispam/

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The question of whether people should be allowed to harm themselves is simple. They *must*. -- Charles Murray --- 10 days until Bill of Rights day
RE: Need regexp tip
NFN Smith wrote:

I'm working on a series of rules to find obfuscated words in subject lines that have been misspelled by adding an extra character (often a repeated letter) to a word. For certain words, it seems to be appropriate to assume that if they're misspelled in that way, it's deliberate. I've got the syntax for a regular expression mostly working (including words with trailing punctuation), but I don't have it identifying words where the last letter is doubled. Thus if I have a regexp that looks like:

/\b(?!badword)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i

I'm getting hits on things like 'baddword' and 'badwoord', and even 'badworrd!', but I'm not getting a hit on 'badwordd'. I've tried a number of variants, but still am not quite getting it. What am I missing?

I think the negative lookahead is biting you. Try this:

/\b(?!badword\b)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i

-- Bowie
Re: 5 digit probe spam?
Yet Another Ninja wrote:

Just found a few ... sent directly from DULs. (there went my theory...) :-(

I have a theory that spammers are either doing some sort of probe or sending out nonspam so that their headers are learned by bayes as good. I think it's either probes or bayes poison.
Re: How novice end users, neophytes can set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are a
Don Saklad wrote:

So many end users looking over the SpamAssassin headers on email haven't climbed the too steep learning curve for making the best use of the headers.

Most end users (at least in Sweden) haven't got access to the MDA configuration, so the procmail stuff is of no use to them. Instead they'll have to use whatever filtering capabilities their mail reader has. More info about this should be available in the help and the documentation for the mail reader. On Windows that's usually the odd little menu item called Help. Also, not all SpamAssassin installations are the same, so the end users should start by finding out how the mail they receive is marked. This will influence how they set up their filters.

How could something be developed that's easier, simple and straightforward?...

That's easy. Just force all users to use the same mail client and force all ISPs to use the same markup. :-/

Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: Need regexp tip
Bowie Bailey wrote:

NFN Smith wrote:

/\b(?!badword)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i

I'm getting hits on things like 'baddword' and 'badwoord', and even 'badworrd!', but I'm not getting a hit on 'badwordd'. I've tried a number of variants, but still am not quite getting it. What am I missing?

I think the negative lookahead is biting you. Try this:

/\b(?!badword\b)(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)/i

That one seems to do the trick. Thanks for the help. Smith
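To see why the `\b` in the reply matters, here is an added Python harness (not from the thread) that runs both versions of the rule, the one from the question and the corrected one, over constructed subject lines; Python's `re` has the same lookahead and `\b` semantics as Perl for these patterns. The subject lines are my own, chosen to cover the cases the thread mentions plus one caveat.

```python
import re

# Rule body shared by both versions: each letter may be followed by one
# arbitrary character, so inserted or doubled letters still match.
BODY = r"(?:b.?a.?d.?w.?o.?r.?d.?)(\b|\!|\.|\,|\;|\:|\?)"

# As posted: the lookahead rejects anything that merely *starts* with
# "badword", so the doubled-last-letter case is thrown away before the
# body ever runs.
ORIGINAL = re.compile(r"\b(?!badword)" + BODY, re.IGNORECASE)

# As suggested in the reply: only the exact word "badword" is rejected.
FIXED = re.compile(r"\b(?!badword\b)" + BODY, re.IGNORECASE)

# Constructed subject lines (not from the thread).
SUBJECTS = [
    "badword",                 # spelled correctly: must never hit
    "badword!",                # correct spelling, trailing punctuation
    "baddword",                # doubled middle letter
    "badwoord",
    "badworrd!",
    "badwordd",                # doubled LAST letter: the case asked about
    "Get your BADWORDD now",   # same, mid-subject and upper case
    "b-a-d-w-o-r-d",           # separators also fall into the .? gaps
    "bad word",                # caveat: .? swallows a space as well
    "nothing to see here",
]


def compare(patterns, subjects):
    """Map each subject to the names of the patterns that match it."""
    return {s: [name for name, p in patterns.items() if p.search(s)]
            for s in subjects}


def newly_caught(subjects):
    """Subjects the corrected rule hits that the posted rule missed."""
    return [s for s in subjects if FIXED.search(s) and not ORIGINAL.search(s)]


def clean_under_both(subjects):
    """Subjects neither rule flags (correct spellings stay clean)."""
    return [s for s in subjects
            if not FIXED.search(s) and not ORIGINAL.search(s)]


if __name__ == "__main__":
    for subject, names in compare({"orig": ORIGINAL,
                                   "fixed": FIXED}, SUBJECTS).items():
        print(f"{subject!r:28} -> {names}")
```

Note that "bad word" hits both versions: the `.?` between letters matches any character, a space included, which is fine for the obfuscation goal but worth knowing before scoring the rule.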
Re: rules_du_jour not working confusion?
Bowie Bailey wrote: Bazooka Joe wrote: Thx Bowie That fixed rdj. But what about channels? Is that to replace rdj? Yes, you can replace RDJ with the sa-update channels. I am still using RDJ for rule updates, so I can't help you with the channel configuration. Are you sure? I'm using both and I don't see any duplication of score hits. For instance, what is the SA equivalent to 70_sare_stocks.cf? -- René Berber
Re: SA TIMED OUT
On Tue, Dec 05, 2006 at 06:42:01PM +0100, Stefan Jakobs wrote:

Here an other hint: Every day I execute the following command and force an expire of the Bayes DB: /usr/bin/sa-learn --dbpath /var/amavis/.spamassassin -p /var/amavis/.spamassassin/user_prefs -u vscan --force-expire In local.cf I have the following entries: bayes_auto_expire 1 Can this be the reason for the Time out?

If you run an expire daily via cron, I would disable the auto-expiry. Expire runs can definitely cause timeouts since they take a while to run (SQL is faster than DBM fwiw), but your messages indicated the problem was locking as opposed to expiry.

-- Randomly Selected Tagline: You can use a morphing program and morph someone you don't like into satan or something... - From C|Net
Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail
On Tue, Dec 05, 2006 at 12:20:39PM -0500, Pauk Sa wrote:

Anybody can guide me how to proceed. I am installing SpamAssassin on OpenBSD 4.0 and it failed during the test phase. I have attached the output. Perl version is v5.8.8 built for i386-openbsd 4.0

fwiw, it doesn't appear to be a major failure, apparently more with the test than anything else.

-- Randomly Selected Tagline: You can't be a real country unless you have a beer and an airline - it helps if you have some kind of a football team, or some nuclear weapons, but at the very least you need a beer. - Frank Zappa
Re: 5 digit probe spam?
On Tue, 05 Dec 2006 09:51:06 -0800, Marc Perkel [EMAIL PROTECTED] wrote: Yet Another Ninja wrote: Just found a few ... sent directly from DULs. (there went my theory...) :-( I have a theory that spammers are either doing some sort of probe or sending out nonspam so that ther headers are learned by bayes as good. I think it's either probes or bayes poison. I can't see 5 digits being of any use in bayes poisoning, with that little data there's not much point feeding it to bayes anyway. As for getting their headers known, surely that is counter-productive? If we (and spamhaus, spamcop etc etc etc) know the headers, the spam are less likely to get through after the probe, The time to send the spam would have been initially? Maybe, like me last night, they had a couple too many beers and fired off their mails without much thought? Nigel
Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail
Yes, it is fail only in test phase. I can do force install but, I would like to know is there any affect on the functioning of spamassassin? Thanks Pauk

On 12/5/06, Theo Van Dinter [EMAIL PROTECTED] wrote:
Re: Over Zealous Checks for Nigerian 419 Scams
Rick Mallett wrote:

What's the proper way to submit material for the ham corpus?

I have never done it myself, but I found this in the wiki: http://wiki.apache.org/spamassassin/UploadedCorpora

-- Chris
Re: Over Zealous Checks for Nigerian 419 Scams
Nigel Frankcom writes:

On Mon, 04 Dec 2006 16:12:01 -0500 (EST), Rick Mallett [EMAIL PROTECTED] wrote:

What's the proper way to submit material for the ham corpus? I've got the entire newsletter that resulted in the Nigerian Scam FP I reported but I wasn't sure if it was appropriate to include it in the posting. It's only about 3 pages long but it's got both a plain text and an HTML component and it's about 50KB in size. - rick

On Mon, 4 Dec 2006, Justin Mason wrote:

please feel free to pass on more FP samples for these rules -- so far we clearly don't have enough, given those scores! --j.

[deleted]

What's the method for submitting false negatives to that particular corpus? I got 6 of em in one day last week - that's usually my entire spam quotient for a month; that they came to my personal account added insult to injury :-D

an mbox, as an attachment or available via HTTP, to me via email -- that would work fine. --j.
Re: SpamAssassin 3.1.7 and Openbsd 4.0 installation fail
On Tue, Dec 05, 2006 at 01:36:36PM -0500, Pauk Sa wrote:

Yes, it is fail only in test phase. I can do force install but, I would like to know is there any affect on the functioning of spamassassin?

As I said, the error looked like it was the test, and not SA, so I wouldn't worry about it.

-- Randomly Selected Tagline: Minix is one of the reasons I decided microkernels are bad. VMS is the reason I decided VMS is bad. - Linus Torvalds
Re: Why did I get an error while I were installing spamassassin
Hello, What I usually do when a perl port does not build is first to try

perl -MCPAN -eshell

then when in the shell

install Digest::HMAC_MD5

or

install Net::DNS

One may also go to http://search.cpan.org then download the source for the modules, untar it, then make, make install.

On Tue, 5 Dec 2006 18:43:26 +0200 Halid Faith [EMAIL PROTECTED] wrote:

I want to use spamassassin3.1.7 on freebsd6.1 I get an error as below, [...] What Should I do ? Thanks

-- Ron System Administrator Computer Geex, Inc. (406) 494-5806
user_prefs
I installed postfix-2.2.8 amavisd-new-2.4.1 clamav-0.88.6 and spamassassin-3.1.3. I would like to use a local Bayesian database for each user. Example: for the andrea user I created the directory /home/andrea/.spamassassin and with sa-learn (ham/spam) I created in that directory bayes_* with the user's ham/spam e-mail. Then I created in that directory a user_prefs file and put in it

bayes_path /home/andrea/.spamassassin/bayes
bayes_file_mode 0770

I would like to test what I did. How can I do it? Spamassassin should use andrea's Bayesian database for andrea's e-mail and not the shared Bayesian database (these are in /var/amavis/.spamassassin). Thanks, Andrea
Re: user_prefs
On Tue, Dec 05, 2006 at 07:51:32PM +0100, Andrea Bencini wrote:

I would test what I did. How can I do? Spamassassin should to use andrea bayesian database for andrea e-mail and not sharing bayesian database (these are in /var/amavis/.spamassassin)

If running SA in site-wide mode (such as using Amavis), you can't have per-user configs or databases. If you want per-user stuff, you have to run SA at delivery time, which typically happens through something like procmail.

-- Randomly Selected Tagline: Say No to cannabalism: Friends don't let friends eat friends. - Jeff Stilson
Re: How to examine a system and determine the mail delivery agent.
Mike Jackson wrote: mail delivery agent for a the system at hand?... Just connect to port 25 and observe the banner. That normally won't work. The banner normally only includes the mail *transfer* agent and not the mail *delivery* agent. Even though many MTAs have a builtin or bundled MDA, many of them can be configured to use another one. Also, many MTAs forward mail to internal MTAs for delivery. Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Filtering capabilities, filtering features of RMAIL in EMACS
For novice end users, neophytes, emphasis on novice, what filtering capabilities, what features are there?... for RMAIL in EMACS when novice end users begin to take note of the spamassassin headers appearing on messages?...
Re: HTML Source Rule
Kenneth Porter wrote:

On Thursday, November 30, 2006 5:01 PM -0600 Richard Frovarp [EMAIL PROTECTED] wrote:

Kenneth Porter wrote:

--On Wednesday, November 29, 2006 5:17 PM -0600 Richard Frovarp [EMAIL PROTECTED] wrote:

I have a few legit messages that are scoring over 5.0 due to SARE_STOCKS and the TVD rules to catch stocks, and this is after ALL_TRUSTED has done its work to reduce the score. These messages of course have inline images and are being sent via Outlook Express. Some of the scores on those rules are over 2.0. I have started to reduce the scores, as the stock messages I get usually have header problems and hit on Razor as well. I've seen legit messages fire the MY_CID set of rules enough to rack up a score of over 7.0 from those rules alone.

Can you attach a sample? Perhaps the sender can be convinced to change the format to make the message look less spammy.

I'll find one tomorrow. The big three rules are/were
2.00 PART_CID_STOCK
2.00 PART_CID_STOCK_LESS
2.80 TVD_FW_GRAPHIC_ID1
The PART_CID rules have been removed from wherever they were located. I have reduced the score on the TVD rule. I have 40K+ users. Talking to individual users isn't something that I can do effectively. To make a message look less spammy, they would have to not inline the image with OE.

[Please reply to the list.] My point is simply that others may be seeing the same issue but not know how to report it so that rule developers can exclude the ham. Given some samples, it may be possible to separate the wheat from the chaff.

Just followed the reply-to header, was too tired to notice anything different. I was wrong, the PART_CID_STOCK and PART_CID_STOCK_LESS rules are there. Some of my machines were not running sa-update correctly. Attached is one of my FPs. Pretty brutal for including a simple GIF.
Here is the report for the attached message:

score = 8.98
-1.44 ALL_TRUSTED
 0.81 EXTRA_MPART_TYPE
 0.00 HTML_MESSAGE
 0.81 INFO_TLD
 2.00 PART_CID_STOCK
 2.00 PART_CID_STOCK_LESS
 2.80 TVD_FW_GRAPHIC_ID1
 2.00 TVD_FW_MESG1

Return-Path: g
Received: from mail2.domain.com (mail2.domain.com [xxx.xxx.xxx.xx]) by vaccine1.domain.com (8.13.1/8.13.1) with ESMTP id kB5GqMKb014211 for [EMAIL PROTECTED]; Tue, 5 Dec 2006 10:52:23 -0600
Received: from user ([xx.xxx.xx.xx]) by mail2.domain.com (8.13.1/8.13.1) with SMTP id kB5GqJbK004966 for [EMAIL PROTECTED]; Tue, 5 Dec 2006 10:52:21 -0600
Message-ID: [EMAIL PROTECTED]
From: user [EMAIL PROTECTED]
To: user [EMAIL PROTECTED]
Subject: subject
Date: Tue, 5 Dec 2006 10:52:22 -0600
MIME-Version: 1.0
Content-Type: multipart/related; type=multipart/alternative; boundary==_NextPart_000_0008_01C7185B.711AF0B0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (vaccine1.domain.com [134.129.111.58]); Tue, 05 Dec 2006 10:52:23 -0600 (CST)

This is a multi-part message in MIME format.

--=_NextPart_000_0008_01C7185B.711AF0B0
Content-Type: multipart/alternative; boundary==_NextPart_001_0009_01C7185B.711AF0B0

--=_NextPart_001_0009_01C7185B.711AF0B0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Citrus Punchthanks
- Original Message -=20
From: user=20
To: user=20
Sent: Tuesday, December 05, 2006 9:43 AM
Subject: subject
text = test =20
text= text
text= text
--=20
This message has been scanned for viruses and=20
dangerous content by EduTech's MailScanner Vaccine2, and is=20
believed to be clean.
Re: How is LOCAL_AUTH_RCVD used?
René Berber wrote: Daryl C. W. O'Shea wrote: René Berber wrote: I read all the page before asking, and I understand that it follows the trust path page. The fact is SA is not detecting the authentication, and there is nothing in that page that gives a clue as to why, it just mentions that LOCAL_AUTH_RCVD rule and it certainly doesn't say it's not needed for sendmail. The second line of the sections starts with Note: The problem described was fixed in version 3.0.2.. To me that would infer that it works with Sendmail, one of the most popular MTAs on the planet. In your case you found a bug that happens when an auth'd user's IP address has sub-optimal DNS entries (see your later mail), but in any other case I don't see how this isn't clear that it should work with Sendmail. dbg: metadata: X-Spam-Relays-Untrusted: [ ip=200.52.129.137 rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident= [EMAIL PROTECTED] intl=0 id=J9POUJ-0001MC-JY auth= ] [ ip=189.149.70.163 rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ] It doesn't look like you have your trusted_networks configured correctly. Fix that before you even attempt to get auth token detection working. It is configured correctly (don't assume something you don't know), it is in my mailscanner.cf, like this : I'm rarely one to make assumptions about things, but when I do, it's usually about something I don't know. There's not much point in making assumptions about something you already know. In any case, I didn't assume anything, I said It doesn't look like, and with the little info you provided at the time, looking only at those debug lines it really didn't look like you'd configured it. Maybe I should be more verbose about things like that, but I suspect the list is better off with some number of terse answers from people who are really familiar with the code than verbose answers to far fewer questions. 
Any help clarifying how the LOCAL_AUTH_RCVD rule is used, or an alternative to make SA recognize the authenticated user, will be appreciated. I've updated the DynablockIssues wiki page to be clear that custom rules are only a workaround for less than helpful MTAs. I've run SA with -D, it sees the (standard sendmail) header and created the 2 trusted pseudo-headers, but doesn't detect the authentication:

$ spamassassin -x -D -t S.eml
[824] dbg: logger: adding facilities: all
[824] dbg: logger: logging level is DBG
[824] dbg: generic: SpamAssassin version 3.1.7

Great, this debug snippet is useful.

...
[824] dbg: received-header: unknown format: via tmail-2002(14) (invoked by user rberber) for rberber; Sun, 3 Dec 2006 13:01:33 -0600
[824] dbg: received-header: unparseable: via tmail-2002(14) (invoked by user rberber) for rberber; Sun, 3 Dec 2006 13:01:33 -0600
[824] dbg: received-header: parsed as [ ip=200.52.129.137 rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident= [EMAIL PROTECTED] intl=0 id=J9POUJ-0001MC-JY auth= ]
[824] dbg: received-header: relay 200.52.129.137 trusted? yes internal? yes
[824] dbg: received-header: parsed as [ ip=189.149.70.163 rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
[824] dbg: received-header: relay 189.149.70.163 trusted? no internal? no
[824] dbg: metadata: X-Spam-Relays-Trusted: [ ip=200.52.129.137 rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident= [EMAIL PROTECTED] intl=1 id=J9POUJ-0001MC-JY auth= ]
[824] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=189.149.70.163 rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
[824] dbg: metadata: X-Spam-Relays-Internal: [ ip=200.52.129.137 rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident= [EMAIL PROTECTED] intl=1 id=J9POUJ-0001MC-JY auth= ]
[824] dbg: metadata: X-Spam-Relays-External: [ ip=189.149.70.163 rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
...

The message headers are :

even more useful!

Received: via tmail-2002(14) (invoked by user rberber) for rberber; Sun, 3 Dec 2006 13:01:33 -0600
...
Received: from mail.legosoft.com.mx ([200.52.129.137]) by cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from [EMAIL PROTECTED]) id J9POUJ-0001MC-JY for [EMAIL PROTECTED]; Sun, 03 Dec 2006 13:01:32 -0600
Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx [189.149.70.163] (may be forged)) (authenticated bits=0) by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032 for [EMAIL PROTECTED]; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
...

Daryl
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
René Berber wrote: Daryl C. W. O'Shea wrote: [snip] Sendmail should be putting a (authenticated bits=0) line in its Received header when the user authenticates. SA will automatically use this to extend the trust path if the header above it is trusted. Let's start by saying two things: 1) LOCAL_AUTH_RCVD doesn't do anything useful, just to clarify what happened to the original subject. It's solely a workaround, suggested by Dana from UW's CIS dept before there was any support at all for detecting authenticated relays, for how you might work around the problem. As I said yesterday, I updated the wiki page to hopefully make this clear. If it's still somehow not clear that it's only a workaround please let me know, or take a shot at making it clearer yourself. 2) SA 3.1.7 (and 3.1.5) doesn't seem to recognize Sendmail's authentication under some circumstances. I assume that it does recognize it for other messages, even if I have not seen evidence to that effect. If I change Received.pm, line 414, like this:

# Sendmail, MDaemon, some webmail servers, and others
- elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+ elsif (/^from .*?(.*?authenticated.*?\).*? by/) {

Yeah, as you've found, the regex doesn't match when Sendmail adds a comment about a connection's funky DNS entries. Amazingly nobody has had the same problem and brought it to our attention in the more than two years since I wrote that code. It'll be fixed in the next version of SpamAssassin to be released. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5223 Daryl
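Review bot: the + line of the patch has an unescaped ( before .*?authenticated, which opens a capture group that is never closed, so the regex will not compile; it should be \( as in the - line, giving elsif (/^from .*?\(.*?authenticated.*?\).*? by/) {. Dropping the (?:\]\)|\)\]) requirement is what lets the "(may be forged)" header match, but it also widens this branch to any parenthesised comment containing "authenticated" anywhere before " by"; since the comment above the line says the branch covers MDaemon and some webmail servers too, the regression tests for those header formats should be run against the wider pattern before it is committed.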
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
John Rudd wrote: Though, CommuniGate Pro's authenticated received header looks like this: from [$ipaddr] (account $account HELO $helostring) by $host (CommuniGate Pro So, you could match that with: /^from \[\S+\] \(account [EMAIL PROTECTED] .*\) by \S+ \(CommuniGate Pro/ Cool, I don't think we currently support that. Daryl
RE: rules_du_jour not working confusion?
René Berber wrote: Bowie Bailey wrote: Bazooka Joe wrote: Thx Bowie That fixed rdj. But what about channels? Is that to replace rdj? Yes, you can replace RDJ with the sa-update channels. I am still using RDJ for rule updates, so I can't help you with the channel configuration. Are you sure? I'm using both and I don't see any duplication of score hits. For instance, what is the SA equivalent to 70_sare_stocks.cf? By default, there is no duplication. sa-update will update only the stock rules. However, there have been additional channels created for sa-update to allow it to update the SARE rules as well. You just add the ones you want to your sa-update channels file. See the wiki: http://wiki.apache.org/spamassassin/SareChannels -- Bowie
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
David B Funk wrote: On Tue, 5 Dec 2006, Jo Rhett wrote: In short, this may have been a deliberate choice to prevent a match on hosts with forged helo names. It would make sense. Jo you are mistaken. Sendmail adds the (may be forged) comment when the client's IP rDNS and DNS don't match, it has -nothing- to do with the HELO name. It still should not matter. So long as the client can authenticate to the server's satisfaction, SA should honor its decision regardless of how bogus the HELO or client's DNS entries look. Yeah, simply an oversight on my part. I get extremely little ham with (may be forged) and zero that also is authenticated at that relay. It'll be fixed. Daryl
Re: 5 digit probe spam?
On Dec 5, 2006, at 1:38 AM, Evan Platt wrote: At 10:27 PM 12/4/2006, you wrote: Is anyone else getting these? Messages with a random subject and the message is a 5 digit number. What is it? See the thread earlier today spam But there is no conclusion or discussion on what the point of that type of message is. And anyone who starts a thread on this discussion list with the subject 'spam' has got to get some clues!
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Jo Rhett wrote: Do you know why the SMTP authenticating server was forging the HELO name? Normal mail clients will give their IP address, right? And the may be forged only appears if they gave a full name and resolution succeeded *and* none of the addresses returned matched the helo name. Actually, there are a number of SMTP clients that will use the local system's hostname (either partial or FQDN) as the HELO string. Outlook Express, Opera, and KMail are examples. Eudora has an annoying habit of using the local hostname plus the domain name of the email address, which often results in a nonexistent FQDN. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Daryl C. W. O'Shea wrote: John Rudd wrote: Daryl C. W. O'Shea wrote: John Rudd wrote: Though, CommuniGate Pro's authenticated received header looks like this: from [$ipaddr] (account $account HELO $helostring) by $host (CommuniGate Pro So, you could match that with: /^from \[\S+\] \(account [EMAIL PROTECTED] .*\) by \S+ \(CommuniGate Pro/ Cool, I don't think we currently support that. Daryl That works for CGP's SMTP-AUTH, but not for CGP's webmail (which are also, technically, authenticated users, just not SMTP-AUTH authenticated). The following regexp will catch both: /^from \[\S+\] \(account [EMAIL PROTECTED]( .*)?\) by \S+ \(CommuniGate Pro/ Could you provide me with some sample headers so that I can add these? I can't add them without regression tests.

SMTP-AUTH:
Received: from [128.114.2.223] (account [EMAIL PROTECTED] HELO [128.114.2.223]) by silver.ucsc.edu (CommuniGate Pro SMTP 4.3.7) with ESMTPSA id 88402416 for [EMAIL PROTECTED]; Mon, 04 Dec 2006 13:15:07 -0800

Webmail:
Received: from [128.114.2.223] (account [EMAIL PROTECTED]) by tin.ucsc.edu (CommuniGate Pro WebUser 4.3.7) with HTTP id 109780632 for [EMAIL PROTECTED]; Tue, 05 Dec 2006 11:17:51 -0800

(CGP does this odd thing of putting the relay's IP addr out front, instead of the HELO string.. and then putting the Helo string, for SMTP, inside the ()'s ... and it doesn't appear to ever put the relay's RDNS)
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
John Rudd wrote: Daryl C. W. O'Shea wrote: John Rudd wrote: Though, CommuniGate Pro's authenticated received header looks like this: from [$ipaddr] (account $account HELO $helostring) by $host (CommuniGate Pro So, you could match that with: /^from \[\S+\] \(account [EMAIL PROTECTED] .*\) by \S+ \(CommuniGate Pro/ Cool, I don't think we currently support that. Daryl That works for CGP's SMTP-AUTH, but not for CGP's webmail (which are also, technically, authenticated users, just not SMTP-AUTH authenticated). The following regexp will catch both: /^from \[\S+\] \(account [EMAIL PROTECTED]( .*)?\) by \S+ \(CommuniGate Pro/ Could you provide me with some sample headers so that I can add these? I can't add them without regression tests. Thanks, Daryl
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
John Rudd wrote: Daryl C. W. O'Shea wrote: Could you provide me with some sample headers so that I can add these? I can't add them without regression tests.

SMTP-AUTH:
Received: from [128.114.2.223] (account [EMAIL PROTECTED] HELO [128.114.2.223]) by silver.ucsc.edu (CommuniGate Pro SMTP 4.3.7) with ESMTPSA id 88402416 for [EMAIL PROTECTED]; Mon, 04 Dec 2006 13:15:07 -0800

Great, already handled via the RFC 3848 with protocol type of ESMTPSA and I assume ESMTPA.

Webmail:
Received: from [128.114.2.223] (account [EMAIL PROTECTED]) by tin.ucsc.edu (CommuniGate Pro WebUser 4.3.7) with HTTP id 109780632 for [EMAIL PROTECTED]; Tue, 05 Dec 2006 11:17:51 -0800

Also handled via the HTTP with protocol type. Thanks! Daryl
Re: rules_du_jour not working confusion?
Bowie Bailey wrote: René Berber wrote: [snip] Are you sure? I'm using both and I don't see any duplication of score hits. For instance, what is the SA equivalent to 70_sare_stocks.cf? By default, there is no duplication. sa-update will update only the stock rules. However, there have been additional channels created for sa-update to allow it to update the SARE rules as well. You just add the ones you want to your sa-update channels file. See the wiki: http://wiki.apache.org/spamassassin/SareChannels Thanks for the clarification. -- René Berber
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Daryl C. W. O'Shea wrote: John Rudd wrote: Though, CommuniGate Pro's authenticated received header looks like this: from [$ipaddr] (account $account HELO $helostring) by $host (CommuniGate Pro So, you could match that with: /^from \[\S+\] \(account [EMAIL PROTECTED] .*\) by \S+ \(CommuniGate Pro/ Cool, I don't think we currently support that. Daryl That works for CGP's SMTP-AUTH, but not for CGP's webmail (which are also, technically, authenticated users, just not SMTP-AUTH authenticated). The following regexp will catch both: /^from \[\S+\] \(account [EMAIL PROTECTED]( .*)?\) by \S+ \(CommuniGate Pro/
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Daryl C. W. O'Shea wrote: René Berber wrote: [snip] 1) LOCAL_AUTH_RCVD doesn't do anything useful, just to clarify what happened to the original subject. It's solely a workaround, suggested by Dana from UW's CIS dept before there was any support at all for detecting authenticated relays, for how you might work around the problem. As I said yesterday, I updated the wiki page to hopefully make this clear. If it's still somehow not clear that it's only a workaround please let me know, or take a shot at making it clearer yourself. OK, but it would be better if you showed the full workaround (i.e. add a line with score LOCAL_AUTH_RCVD -10.0). 2) SA 3.1.7 (and 3.1.5) doesn't seem to recognize Sendmail's authentication under some circumstances. I assume that it does recognize it for other messages, even if I have not seen evidence to that effect. If I change Received.pm, line 414, like this:

# Sendmail, MDaemon, some webmail servers, and others
- elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+ elsif (/^from .*?(.*?authenticated.*?\).*? by/) {
                ---^ watch out for the typo, it should be \(

Yeah, as you've found, the regex doesn't match when Sendmail adds a comment about a connection's funky DNS entries. Amazingly nobody has had the same problem and brought it to our attention in the more than two years since I wrote that code. It'll be fixed in the next version of SpamAssassin to be released. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5223 Thanks! -- René Berber
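To see concretely why the original Received.pm line 414 pattern misses René's header while the corrected pattern catches it, here is an added Python check (not SpamAssassin's code, and a simplified model of the behaviour Daryl describes) that runs both regexes, plus the RFC 3848 "with ESMTPA/ESMTPSA" and "with HTTP" protocol-type test, over the Received lines quoted in this thread. The addresses and account names in the samples are placeholders for what the archive redacted, and the sendmail line without the "(may be forged)" comment is constructed.

```python
import re

# "Before" line from Received.pm 414 as quoted in the thread (SA 3.1.7): the
# relay part must end in "]) " or ")] " before the "(...authenticated...)" comment.
SENDMAIL_AUTH_OLD = re.compile(
    r"^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by")

# René Berber's corrected line, with the "\(" typo fixed: any parenthesised
# comment containing "authenticated" before " by" counts.
SENDMAIL_AUTH_NEW = re.compile(r"^from .*?\(.*?authenticated.*?\).*? by")

# RFC 3848 "with" keywords Daryl says SA already treats as authenticated
# (ESMTPA, ESMTPSA), plus "with HTTP" for webmail relays. The \b keeps plain
# "ESMTPS" (TLS without authentication) from matching. Assumption: simplified
# model of SA's handling, not SA's own code.
WITH_AUTH_PROTO = re.compile(r"\bwith (?:ESMTPA|ESMTPSA|HTTP)\b")


def received_body(header):
    """Drop the 'Received:' field name and unfold whitespace before matching."""
    body = re.sub(r"^Received:\s*", "", header.strip(), flags=re.IGNORECASE)
    return " ".join(body.split())


def sendmail_auth(header, pattern=SENDMAIL_AUTH_NEW):
    """True if the sendmail-style '(authenticated ...)' pattern matches."""
    return pattern.search(received_body(header)) is not None


def relay_is_authenticated(header):
    """True if either the sendmail comment or an authenticated 'with' keyword is present."""
    body = received_body(header)
    return (SENDMAIL_AUTH_NEW.search(body) is not None
            or WITH_AUTH_PROTO.search(body) is not None)


# Sample headers built from the ones quoted in this thread (constructed;
# redacted addresses replaced with placeholders).
SENDMAIL_FORGED = (
    "Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx "
    "[189.149.70.163] (may be forged)) (authenticated bits=0) by "
    "mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032 "
    "for user@example.org; Sun, 3 Dec 2006 10:02:16 -0600 (CST)")
# Constructed: the same relay without the "(may be forged)" comment.
SENDMAIL_CLEAN = SENDMAIL_FORGED.replace(" (may be forged)", "")
# Unauthenticated sendmail hop from the PART_CID false-positive sample (placeholder IP).
SENDMAIL_PLAIN = (
    "Received: from user ([192.0.2.10]) by mail2.domain.com (8.13.1/8.13.1) "
    "with SMTP id kB5GqJbK004966 for user@example.org; "
    "Tue, 5 Dec 2006 10:52:21 -0600")
# Exim TLS hop without authentication ("esmtps" is not "ESMTPSA").
EXIM_TLS = (
    "Received: from mail.legosoft.com.mx ([200.52.129.137]) by "
    "cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) "
    "(envelope-from user@example.org) id J9POUJ-0001MC-JY for "
    "user@example.org; Sun, 03 Dec 2006 13:01:32 -0600")
CGP_SMTP_AUTH = (
    "Received: from [128.114.2.223] (account user@example.org HELO "
    "[128.114.2.223]) by silver.ucsc.edu (CommuniGate Pro SMTP 4.3.7) with "
    "ESMTPSA id 88402416 for user@example.org; Mon, 04 Dec 2006 13:15:07 -0800")
CGP_WEBMAIL = (
    "Received: from [128.114.2.223] (account user@example.org) by tin.ucsc.edu "
    "(CommuniGate Pro WebUser 4.3.7) with HTTP id 109780632 for "
    "user@example.org; Tue, 05 Dec 2006 11:17:51 -0800")
SQUIRRELMAIL = (
    "Received: from 10.235.209.117 (SquirrelMail authenticated user someone) "
    "by xxx.ijs.si with HTTP; Tue, 5 Dec 2006 15:31:13 +0100 (CET)")

if __name__ == "__main__":
    samples = [("sendmail, may be forged", SENDMAIL_FORGED),
               ("sendmail, clean", SENDMAIL_CLEAN),
               ("sendmail, no auth", SENDMAIL_PLAIN),
               ("exim, TLS only", EXIM_TLS),
               ("CGP SMTP-AUTH", CGP_SMTP_AUTH),
               ("CGP webmail", CGP_WEBMAIL),
               ("SquirrelMail", SQUIRRELMAIL)]
    for name, hdr in samples:
        print(f"{name:24} old={sendmail_auth(hdr, SENDMAIL_AUTH_OLD)!s:5} "
              f"new={sendmail_auth(hdr)!s:5} auth={relay_is_authenticated(hdr)}")
```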
Old spamd, new SpamAssassin
I'm back after a couple years break. SpamAssassin 3.0.1 has been doing heroic work for us, even though I'm stuck on the windoze platform. I recently upgraded the mailserver (unfortunately, still windoze) and thought I should put on SpamAssassin 3.1.7. The upgrade worked a charm, except the windoze hacks for spamd.raw described in the WiKi (http://wiki.apache.org/spamassassin/SpamdOnWindows) are for 3.0.x and don't work on 3.1.x. (I did find one note that implied it would have worked on 3.1.3 or less, but not on 3.1.4 or greater). In any case, I know this isn't the forum to look for implementation suggestions or to push for the development of a Windoze capable spamd, but I do have a question I believe this forum could address. The 3.0.1 spamd does successfully call the 3.1.7 SpamAssassin code and appears to function correctly after commenting out one line [if ($copy_config_p && !$spamtest->_is_storable_available());]. What is my exposure from using the old spamd code? It appears to be working and reporting the SpamAssassin and Perl levels correctly. --- OR --- What is the proper forum for such discussions? Dan Barker (The SpamAssassin Caller for IMail guy) www.visioncomm.net/sac
Re: Old spamd, new SpamAssassin
Dan Barker wrote: I'm back after a couple years break. SpamAssassin 3.0.1 has been doing heroic work for us, even though I'm stuck on the windoze platform. I recently upgraded the mailserver (unfortunately, still windoze) and thought I should put on SpamAssassin 3.1.7. The upgrade worked a charm, except the windoze hacks for spamd.raw described in the WiKi (http://wiki.apache.org/spamassassin/SpamdOnWindows) are for 3.0.x and don't work on 3.1.x. (I did find one note that implied it would have worked on 3.1.3 or less, but not on 3.1.4 or greater). In any case, I know this isn't the forum to look for implementation suggestions or to push for the development of a Windoze capable spamd, Have you tried running it under Cygwin? I'm not using it, but after installing SA 3.1.7 using cpan everything seems to work. Starting spamd as a service (using Cygwin's cygrunsrv) would be easy. [snip] -- René Berber
RE: spam
Has anybody come up with a rule for these yet? I tried the following:

body ORNL_B0RKEN1 /^\d{3,5}\n{1,3}$/s
describe ORNL_B0RKEN1 B0rken spamware, message just contains a short number
score ORNL_B0RKEN1 1

This matches the spam message, but it also matches messages where the number is followed by a blank line and more text, which is a false positive. If I replace body with full, then it doesn't match the spam message. I have also tried the following variations:
- using /s, /m, or neither switch
- using the ^ and $ anchors or the \A and \Z anchors
- using \n, \s, or neither (i.e. the pattern /^\d{3,5}$/)
In all cases I got the same results. What am I missing? Thanks, Larry

-Original Message- From: Nigel Frankcom [mailto:[EMAIL PROTECTED] Posted At: Monday, December 04, 2006 8:02 PM Posted To: sa-users Conversation: spam Subject: Re: spam On Mon, 04 Dec 2006 16:35:33 -0800, Evan Platt [EMAIL PROTECTED] wrote: At 04:24 PM 12/4/2006, you wrote: On Mon, 4 Dec 2006 16:11:28 -0800 (PST), san [EMAIL PROTECTED] wrote: Hi, Am receiving a spam mails which is just having number on the body just like 1265 or 2196... any thoughts how to stop this kind of spam.. thanks san Ditto How in the hell does one write a rule for this sh*? Maybe a rule if the message body is less than X characters? I mean unless you expect lots of legitimate mail that says Hello. Good point; thanks. Though I think I'll do one that picks only numerals. That said I'm pretty sure there's a sare rule that covers this sort of thing though I could easily be wrong; it wouldn't be the 1st time :-D KR Nigel
RE: spam
Rosenbaum, Larry M. wrote: This matches the spam message, but it also matches messages where the number is followed by a blank line and more text, which is a false positive. In all cases I got the same results. What am I missing? Try a compound rule. Look for the number, and then anything that's not a number. (Mind the line wrapping, of course.)

body ORNL_B0RKEN1_SHORTNUM /^\d{3,5}\n{1,3}$/s
body ORNL_B0RKEN1_BODYTEXT /[a-zA-Z]/
meta ORNL_B0RKEN1 (ORNL_B0RKEN1_SHORTNUM && ORNL_B0RKEN1_BODYTEXT)
describe ORNL_B0RKEN1 B0rken spamware, message just contains a short number
score ORNL_B0RKEN1 1.0

That'll prevent the rule from matching if there's so much as a single letter in the body.
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
On Dec 5, 2006, at 2:02 AM, David B Funk wrote: Jo you are mistaken. Sendmail adds the (may be forged) comment when the client's IP rDNS and DNS don't match, it has -nothing- to do with the HELO name. RTFC(...code) If the hello is numeric or not a domain name, the may be forged is *NOT* added to the Received line. It's only added when what Sendmail was told appears to be false. It still should not matter. So long as the client can authenticate to the server's satisfaction, SA should honor its decision regardless of how bogus the HELO or client's DNS entries look. That's your argument. That may not have been the thought process of the person who wrote that rule, was all I was trying to say. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: rules_du_jour not working confusion?
By default, there is no duplication. sa-update will update only the stock rules. However, there have been additional channels created for sa-update to allow it to update the SARE rules as well. You just add the ones you want to your sa-update channels file. One advantage RDJ seems to have is that it won't leave you in the situation of a non functional SA because your updated rules don't lint. If using sa-update for SARE rules, are these stored in the same location as the originals or are they downloaded to the /var/lib/spamassassin tree? If so is there a migration guide somewhere on moving from RDJ to sa-update? Alan
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Jo Rhett wrote: Do you know why the SMTP authenticating server was forging the HELO name? Normal mail clients will give their IP address, right? And the may be forged only appears if they gave a full name and resolution succeeded *and* none of the addresses returned matched the helo name. On Dec 5, 2006, at 12:47 PM, Kelson wrote: Actually, there are a number of SMTP clients that will use the local system's hostname (either partial or FQDN) as the HELO string. Outlook Express, Opera, and KMail are examples. Eudora has an annoying habit of using the local hostname plus the domain name of the email address, which often results in a nonexistent FQDN. Heh, got me on assumptions. I use 7 different mail clients and have never seen this problem with my mail but you've just named 4 clients I don't use :-) FYI partial names are fine by my reading of the sendmail code. forged only appears when a FQDN is provided but isn't valid. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
While you are fixing bugs related to authentication, any chance you'll fix the SPF plugin to skip checks on authenticated delivery? Or have an option to enable this behavior? Or do you want a patch from me? It'll take me a lot longer than you, since I'll spend hours just tracing down the data structures On Dec 5, 2006, at 11:22 AM, Daryl C. W. O'Shea wrote: René Berber wrote: Daryl C. W. O'Shea wrote: [snip] Sendmail should be putting a (authenticated bits=0) line in its Received header when the user authenticates. SA will automatically use this to extend the trust path if the header above it is trusted. Let's start by saying two things: 1) LOCAL_AUTH_RCVD doesn't do anything useful, just to clarify what happened to the original subject. It's solely a workaround, suggested by Dana from UW's CIS dept before there was any support at all for detecting authenticated relays, for how you might work around the problem. As I said yesterday, I updated the wiki page to hopefully make this clear. If it's still somehow not clear that it's only a workaround please let me know, or take a shot at making it clearer yourself. 2) SA 3.1.7 (and 3.1.5) doesn't seem to recognize Sendmail's authentication under some circumstances. I assume that it does recognize it for other messages, even if I have not seen evidence to that effect. If I change Received.pm, line 414, like this:

# Sendmail, MDaemon, some webmail servers, and others
- elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+ elsif (/^from .*?(.*?authenticated.*?\).*? by/) {

Yeah, as you've found, the regex doesn't match when Sendmail adds a comment about a connection's funky DNS entries. Amazingly nobody has had the same problem and brought it to our attention in the more than two years since I wrote that code. It'll be fixed in the next version of SpamAssassin to be released. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5223 Daryl -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
SMTP-AUTH:
Received: from [128.114.2.223] (account [EMAIL PROTECTED] HELO [128.114.2.223]) by silver.ucsc.edu (CommuniGate Pro SMTP 4.3.7) with ESMTPSA id 88402416 for [EMAIL PROTECTED]; Mon, 04 Dec 2006 13:15:07 -0800

Webmail:
Received: from [128.114.2.223] (account [EMAIL PROTECTED]) by tin.ucsc.edu (CommuniGate Pro WebUser 4.3.7) with HTTP id 109780632 for [EMAIL PROTECTED]; Tue, 05 Dec 2006 11:17:51 -0800

Not sure if the following one is relevant, but it just fell into my hands:

Received: from 10.235.209.117 (SquirrelMail authenticated user sername) by xxx.ijs.si with HTTP; Tue, 5 Dec 2006 15:31:13 +0100 (CET)

Mark
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Mark Martinec wrote: Not sure if the following one is relevant, but it just fell into my hands: Received: from 10.235.209.117 (SquirrelMail authenticated user sername) by xxx.ijs.si with HTTP; Tue, 5 Dec 2006 15:31:13 +0100 (CET) Thanks Mark. Anything with a with protocol type of HTTP is considered authenticated and in the case of SquirrelMail we ignore the relay altogether (a hold over from before we did any auth detection). Daryl
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Jo Rhett wrote: While you are fixing bugs related to authentication, any chance you'll fix the SPF plugin to skip checks on authenticated delivery? Or have an option to enable this behavior? Or do you want a patch from me? It'll take me a lot longer than you, since I'll spend hours just tracing down the data structures I know for sure that if there are no external relays detected there will be no SPF checks. There might be checks done (read I'm almost certain there is) if all the relays are trusted, but one or more of them are external. Your other email about this didn't include the necessary debug info to confirm the bug as you reported it. If you'd like me to look at it, I'd need a full debug output, including the complete message headers, of a message that exhibits the bug. Daryl
Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)
Jo Rhett wrote: On Dec 5, 2006, at 2:02 AM, David B Funk wrote: It still should not matter. So long as the client can authenticate to the server's satisfaction, SA should honor its decision regardless of how bogus the HELO or client's DNS entries look. That's your argument. That may not have been the thought process of the person who wrote that rule, was all I was trying to say. Just an oversight. I have no ham that is both authenticated and includes the may be forged comment so I missed considering it in the regex. Daryl
Re: rules_du_jour not working confusion?
Alan Munday wrote: By default, there is no duplication. sa-update will update only the stock rules. However, there have been additional channels created for sa-update to allow it to update the SARE rules as well. You just add the ones you want to your sa-update channels file. One advantage RDJ seems to have is that it won't leave you in the situation of a non-functional SA because your updated rules don't lint. Advantage over sa-update? Other than the issue with 3.1.6 (only), there shouldn't be any issues with how sa-update lints rules. I think the only way you'll end up without a working ruleset is if problems with the file system containing your local state directory start occurring half way through the update process. At that point, a working SA ruleset probably won't be your main concern. If using sa-update for SARE rules, are these stored in the same location as the originals or are they downloaded to the /var/lib/spamassassin tree? What originals? SARE rules you saved somewhere (probably /etc/mail/spamassassin)? If yes, you'll want to remove those before switching to getting SARE rules via sa-update. All rules obtained via sa-update will be stored under your local state directory which is often /var/lib/spamassassin. If so is there a migration guide somewhere on moving from RDJ to sa-update?

- remove existing SARE rules from wherever you've got them
- decide on which provider of the SARE channel(s) you're going to use
- follow that provider's directions

See this wiki page for about the same info: http://wiki.apache.org/spamassassin/SareChannels Here's my how to on it: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Daryl
SA, DCC rules du jour
Not sure if I'm posting to the right list for this or not, but since SA is the one not co-operating I figured I'd try here first. I have the latest versions of SA and DCC both installed on a Fedora Core 4 system and am trying to install rules du jour, but it won't let me get past the lint test. The following is the error I'm getting, which confuses me as the dccproc is where it states it should be.

[EMAIL PROTECTED] rules_du_jour]# ./install.sh
Running SpamAssassin lint test
[13007] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[13007] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[13007] warn: lint: 2 issues detected, please rerun with debug enabled for more information
SpamAssassin lint test failed
Please resolve exiting problems with SpamAssassin configuration and try again

Anyone have any ideas? Thanks
Re: spam
Coffey, Neal wrote:
Rosenbaum, Larry M. wrote:
This matches the spam message, but it also matches messages where the number is followed by a blank line and more text, which is a false positive. In all cases I got the same results. What am I missing?

Try a compound rule. Look for the number, and then anything that's not a number. (Mind the line wrapping, of course.)

body ORNL_B0RKEN1_SHORTNUM /^\d{3,5}\n{1,3}$/s
body ORNL_B0RKEN1_BODYTEXT /[a-zA-Z]/
meta ORNL_B0RKEN1 (ORNL_B0RKEN1_SHORTNUM && ORNL_B0RKEN1_BODYTEXT)
describe ORNL_B0RKEN1 B0rken spamware, message just contains a short number
score ORNL_B0RKEN1 1.0

That'll prevent the rule from matching if there's so much as a single letter in the body.

Actually, that'll only hit if there's a 3-5 digit number followed by 1 to 3 \n characters *AND* there *ARE* alphabetical characters in the body. I'm guessing this isn't what you want. Your meta should probably look like

meta ORNL_B0RKEN1 (!ORNL_B0RKEN1_BODYTEXT && ORNL_B0RKEN1_SHORTNUM)

(this is untested, but should work as expected)
Alan
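As an added example (not code from the thread), a small Python evaluator that runs the thread's two body sub-rules and both candidate meta rules over constructed bodies, so the false positive Larry describes and Alan's correction can be seen side by side. It assumes a simplified model in which each body rule is tested against each paragraph of the rendered body separately; that is my assumption, not SpamAssassin's exact matching algorithm.

```python
import re

# The two body sub-rules from the thread (Perl /s corresponds to Python re.S).
BODY_RULES = {
    "ORNL_B0RKEN1_SHORTNUM": re.compile(r"^\d{3,5}\n{1,3}$", re.S),
    "ORNL_B0RKEN1_BODYTEXT": re.compile(r"[a-zA-Z]"),
}

# The two candidate meta rules: Neal's AND of both hits, and Alan's correction.
META_RULES = {
    "ORIGINAL": lambda h: h["ORNL_B0RKEN1_SHORTNUM"] and h["ORNL_B0RKEN1_BODYTEXT"],
    "CORRECTED": lambda h: h["ORNL_B0RKEN1_SHORTNUM"] and not h["ORNL_B0RKEN1_BODYTEXT"],
}


def split_paragraphs(body):
    """Simplified model (an assumption, not SA's real algorithm): split the
    rendered body on blank lines, keeping one trailing newline per paragraph."""
    return [p for p in re.split(r"(?<=\n)\n+", body) if p]


def body_hits(body):
    """A body sub-rule hits if its regex matches any paragraph."""
    paras = split_paragraphs(body)
    return {name: any(rx.search(p) for p in paras) for name, rx in BODY_RULES.items()}


def evaluate(body):
    """Return which meta-rule variant would fire on this body."""
    hits = body_hits(body)
    return {name: bool(f(hits)) for name, f in META_RULES.items()}


# Constructed sample bodies, not real messages.
SPAM_BODY = "54321\n"                                        # nothing but a short number
HAM_BODY = "54321\n\nHere are the figures you asked for.\n"  # number, blank line, then text

if __name__ == "__main__":
    for label, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        print(label, evaluate(body))
```

On the ham body the original meta fires and the corrected one stays quiet, which is exactly the inversion Alan points out.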
Re: SA, DCC rules du jour
Vernon Webb wrote:
Not sure if I'm posting to the right list for this or not, but since SA is the one not co-operating I figured I'd try here first. I have the latest versions of SA and DCC both installed on a Fedora Core 4 system and am trying to install rules du jour, but it won't let me get past the lint test. The following is the error I'm getting, which confuses me as the dccproc is where it states it should be.

[EMAIL PROTECTED] rules_du_jour]# ./install.sh
Running SpamAssassin lint test
[13007] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[13007] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[13007] warn: lint: 2 issues detected, please rerun with debug enabled for more information
SpamAssassin lint test failed
Please resolve exiting problems with SpamAssassin configuration and try again

Anyone have any ideas? Thanks

You probably also have MailScanner installed; the warning is about a line in mailscanner.cf (which usually is a link to $MS/etc/spam.assassin.prefs.conf). I'm not sure, I think I saw something like this once and corrected it by just changing the path (if you have the dcc binary somewhere else). But this may not be necessary with the latest MS, which has the line in the warning inside an if expression that tests for the existence of the plugin.

Other places to check: Is DCC enabled in v310.pre?
-- René Berber
Re: SA, DCC rules du jour
I commented out the line to the dccproc, but does that now disable dcc from running? Should I re-enable after install?

Vernon Webb
comp-wiz.com, inc.
Email scoring way too high... what's wrong?
I have a new client whose mail is scoring way high... several others on the same server, different domains, score in negative numbers. Mail sent through a mail script on this domain scores -1.0. I believe they're using Verizon DSL, Windows XP w/ Outlook or Outlook Express. This is just going from one domain to another on the same server (cPanel). I'll send headers if you need them. Do they have a misconfigured router?
John

pts rule name description
0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
1.0 BAYES_40 BODY: Bayesian spam probability is 20 to 40% [score: 0.3651]
0.7 HTML_MESSAGE BODY: HTML included in message
3.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [71.254.35.168 listed in dnsbl.sorbs.net]
3.0 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP [71.254.35.168 listed in combined.njabl.org]
0.0 BOTNET_CLIENT Hostname looks like a client hostname
5.0 BOTNET Any Botnet rule hit
Re: Confused about white/black lists.
On Monday, Dec 4th 2006 at 23:34 -0500, quoth Theo Van Dinter:
=On Mon, Dec 04, 2006 at 10:12:26PM -0500, Steven W. Orr wrote:
= I have some spam getting through that has USER_IN_WHITELIST. I go and look and sher nuff, the From address is there in the email column of the awl table. I don't know how it got there but it's there. Can someone please 'splain to me how this works?
=
=USER_IN_WHITELIST has nothing to do with the AWL. You'll want to find your whitelist_from/whitelist_from_rcvd entry that matches the mail.

I promise that the addresses that got through do not have any such entries in any cf file. But I guess the problem I have is this: I reject all mail that hits a 5 via a milter before reception completes. It would seem to me that the ones that get through would be acting as a type of poison for the awl table. When a spam message comes through, should I not do something to tell the awl table that the address it saved is bad, the same way that I run sa-learn to fix the bayes tables?
--
steveo at syslang.net
Re: Email scoring way too high... what's wrong?
He's hitting on 2 different DUL rules, because he's sending directly from his DSL IP to your S/A server. You need to whitelist his IP address, or otherwise have it bypass S/A scanning.

James Smallacombe
PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]
http://3.am
Re: SA, DCC rules du jour
Vernon Webb wrote:
I commented out the line to the dccproc, but does that now disable dcc from running? Should I re-enable after install?

Yes on both accounts, also enable the relevant part in v310.pre.
-- René Berber
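As an added example, not code from the thread, MailScanner or SpamAssassin, a Python checker for the two conditions René raises in his first reply and settles here: whether v310.pre actually loads the DCC plugin, and whether a dcc_path line sits inside an ifplugin guard (an unguarded dcc_path is exactly what lint rejects with "failed to parse line" when the plugin is not loaded). File contents are constructed strings modelled on the thread; function names are my own.

```python
import re

DCC_PLUGIN = "Mail::SpamAssassin::Plugin::DCC"


def dcc_plugin_loaded(pre_text):
    """True if a .pre file (such as v310.pre) has an uncommented
    'loadplugin Mail::SpamAssassin::Plugin::DCC' line."""
    for raw in pre_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"loadplugin\s+(\S+)", line)
        if m and m.group(1) == DCC_PLUGIN:
            return True
    return False


def unguarded_dcc_path_lines(cf_text):
    """Return (line number, path) for each dcc_path directive that is not
    wrapped in 'ifplugin Mail::SpamAssassin::Plugin::DCC ... endif'.
    dcc_path is only a known directive while the DCC plugin is loaded."""
    found, stack = [], []          # stack of currently open ifplugin/if blocks
    for n, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("ifplugin ") or line.startswith("if "):
            stack.append(line.split(None, 1)[1].strip())
            continue
        if line == "endif":
            if stack:
                stack.pop()
            continue
        m = re.match(r"dcc_path\s+(\S+)", line)
        if m and DCC_PLUGIN not in stack:
            found.append((n, m.group(1)))
    return found


def diagnose(pre_text, cf_text):
    """Explain the thread's lint warning if these two files would produce it."""
    if dcc_plugin_loaded(pre_text):
        return []                  # plugin loaded: dcc_path parses either way
    return [f"line {n}: 'dcc_path {p}' is outside an ifplugin {DCC_PLUGIN} block "
            f"and the plugin is not loaded, so lint skips it as unparseable"
            for n, p in unguarded_dcc_path_lines(cf_text)]


# Constructed sample inputs (not real files).
PRE_DCC_DISABLED = "# DCC - perform DCC message checks.\n#loadplugin Mail::SpamAssassin::Plugin::DCC\n"
PRE_DCC_ENABLED = "loadplugin Mail::SpamAssassin::Plugin::DCC\n"
CF_UNGUARDED = "dcc_path /usr/local/bin/dccproc\n"
CF_GUARDED = "ifplugin Mail::SpamAssassin::Plugin::DCC\ndcc_path /usr/local/bin/dccproc\nendif\n"
```

Commenting out dcc_path, as Vernon did, silences lint but also drops the path setting; loading the plugin in v310.pre and keeping the directive inside an ifplugin block is the state that lints clean and still runs DCC.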