RE: FuzzyOCR Warnings and General Questions

2007-04-10 Thread Leon Kolchinsky
 
 I'm running Spamassassin on OpenSuse 10.2 and have just installed
 FuzzyOCR.
 
 It appears to be working in that it scans/detects words in the supplied
 test files.
 
 I noticed spamassassin --lint gives:
 
 [25313] warn: FuzzyOcr: Cannot find executable for pamthreshold
 [25313] warn: FuzzyOcr: Cannot find executable for tesseract
 
 Which seems fair enough as I don't have them.
 
 Is it just a spurious warning though or do I need to be concerned?
 
 Also as a general question other than adding words to the wordlist as
 and when, are there any Must Know tips n tricks for FuzzyOCR?
 
 cheers,

Hi,

Take a look here (http://www200.pair.com/mecham/spam/image_spam2.html) and use 
patches for netpbm  10.34


Or do the following (works for me):

1) Download latest stable version:
# svn checkout https://netpbm.svn.sourceforge.net/svnroot/netpbm/stable netpbm

2) Apply this patch:
diff -Naur netpbm-10.35.21/Makefile.config.in 
netpbm-10.35.21-patched/Makefile.config.in
--- netpbm-10.35.21/Makefile.config.in  2007-01-14 16:18:25.0 +0200
+++ netpbm-10.35.21-patched/Makefile.config.in  2007-01-14 16:33:59.304432096 
+0200
@@ -108,7 +108,7 @@
 #OSF1:
 #INSTALL = $(SRCDIR)/buildtools/installosf
 #Red Hat Linux:
-#INSTALL = install
+INSTALL = install

 # STRIPFLAG is the option you pass to the above install program to make it
 # strip unnecessary information out of binaries.
@@ -280,9 +280,9 @@
 # compiler/linker).  Build-time linking fails without it.  I don't
 # know why -- history seems to be repeating itself.  2005.02.23.

-CFLAGS_SHLIB =
+# CFLAGS_SHLIB =
 # Solaris or SunOS with gcc, and NetBSD:
-#CFLAGS_SHLIB = -fpic
+CFLAGS_SHLIB = -fPIC
 #CFLAGS_SHLIB = -fPIC
 # Sun compiler:
 #CFLAGS_SHLIB = -Kpic
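Review bot: In the CFLAGS_SHLIB block, the commented '#CFLAGS_SHLIB = -fpic' line is rewritten into 'CFLAGS_SHLIB = -fPIC' while the identical commented '#CFLAGS_SHLIB = -fPIC' line directly below it stays, so the '-fpic' alternative disappears from the file and the "Solaris or SunOS with gcc, and NetBSD" comment now heads a different value. Uncomment the existing '-fPIC' line and leave the '-fpic' line as it was. The instructions should also say which platform needs this, since the previous default was an empty CFLAGS_SHLIB.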
@@ -350,7 +350,7 @@
 # The TIFF library.  See above.  If you want to build the tiff
 # converters, you must have the tiff library already installed.

-TIFFLIB = NONE
+TIFFLIB = libtiff.so
 TIFFHDR_DIR =

 #TIFFLIB = libtiff.so
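Review bot: 'TIFFLIB = libtiff.so' becomes the default while 'TIFFHDR_DIR =' stays empty, so the build now depends on the libtiff headers being on the compiler's default include path, and the context comment says the library must already be installed. The JPEGLIB, PNGLIB and ZLIB hunks below make the same assumption. List the required development packages in step 2, or the build fails for anyone who applies the patch without them.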
@@ -382,7 +382,7 @@
 # JPEG stuff statically linked in, in which case you won't need
 # JPEGLIB in order to build the Tiff converters.

-JPEGLIB = NONE
+JPEGLIB = libjpeg.so
 JPEGHDR_DIR =
 #JPEGLIB = libjpeg.so
 #JPEGHDR_DIR = /usr/include/jpeg
@@ -413,7 +413,7 @@
 # case, PNGLIB and PNGHDR_DIR are irrelevant, but PNGVER is still meaningful,
 # because the make file runs 'libpng$(PNGVER)-config'.

-PNGLIB = NONE
+PNGLIB = libpng.so
 PNGHDR_DIR =
 PNGVER =
 #PNGLIB = libpng$(PNGVER).so
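Review bot: 'PNGLIB = libpng.so' is set but 'PNGVER =' is left empty, and the context comment above says the make file runs 'libpng$(PNGVER)-config' and that PNGLIB and PNGHDR_DIR are irrelevant when that program exists. Say in the instructions whether this build is expected to go through libpng-config or through the hard-coded library name, so a reader knows which of the two settings actually takes effect.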
@@ -432,7 +432,7 @@
 #
 # If you have 'libpng-config' (see above), these are irrelevant.

-ZLIB = NONE
+ZLIB = libz.so
 ZHDR_DIR =
 #ZLIB = libz.so

diff -Naur netpbm-10.35.21/converter/other/fiasco/codec/dfiasco.c 
netpbm-10.35.21-patched/converter/other/fiasco/codec/dfiasco.c
--- netpbm-10.35.21/converter/other/fiasco/codec/dfiasco.c  2007-01-14 
16:18:03.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/codec/dfiasco.c  
2007-01-14 16:37:35.780522728 +0200
@@ -15,7 +15,7 @@
  */

 #include string.h
-
+#include stdlib.h
 #include config.h

 #include types.h
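Review bot: The stdlib.h include replaces the blank line that separated string.h from config.h instead of being added beside string.h, so the visual split between system headers and the project's own headers is lost. Add it directly under string.h and keep the blank line. The patch description should also name the undeclared function this header is needed for.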
diff -Naur netpbm-10.35.21/converter/other/fiasco/config.h 
netpbm-10.35.21-patched/converter/other/fiasco/config.h
--- netpbm-10.35.21/converter/other/fiasco/config.h 2007-01-14 
16:18:03.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/config.h 2007-01-14 
16:36:00.265043288 +0200
@@ -25,6 +25,12 @@
byte first (like Motorola and SPARC, unlike Intel and VAX).  */
 /* #undef WORDS_BIGENDIAN */

+/* since we don't have autoconf... */
+#include endian.h
+#if __BYTE_ORDER == __BIG_ENDIAN
+#define WORDS_BIGENDIAN 1
+#endif
+
 /* Define if the X Window System is missing or not being used.  */
 #define X_DISPLAY_MISSING 1
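Review bot: The added '#if __BYTE_ORDER == __BIG_ENDIAN' test has no guard for the two macros being undefined. In a preprocessor '#if', undefined identifiers evaluate to 0, so wherever the included header does not define both of them the comparison is 0 == 0 and WORDS_BIGENDIAN is defined on a little-endian host. Test 'defined(__BYTE_ORDER) && defined(__BIG_ENDIAN)' first. The unconditional include of endian.h also ties this file to platforms that ship that header, which the "since we don't have autoconf" comment should mention.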

diff -Naur netpbm-10.35.21/converter/other/fiasco/input/basis.c 
netpbm-10.35.21-patched/converter/other/fiasco/input/basis.c
--- netpbm-10.35.21/converter/other/fiasco/input/basis.c2007-01-14 
16:18:00.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/input/basis.c
2007-01-14 16:38:10.711212456 +0200
@@ -13,7 +13,7 @@
  *  $Revision: 5.3 $
  *  $State: Exp $
  */
-
+#include string.h
 #include config.h

 #include types.h
diff -Naur netpbm-10.35.21/converter/pbm/icontopbm.c 
netpbm-10.35.21-patched/converter/pbm/icontopbm.c
--- netpbm-10.35.21/converter/pbm/icontopbm.c   2007-01-14 16:18:22.0 
+0200
+++ netpbm-10.35.21-patched/converter/pbm/icontopbm.c   2007-01-14 
16:43:50.478559968 +0200
@@ -13,6 +13,7 @@
 #include string.h

 #include nstring.h
+#include limits.h
 #include pbm.h

 /* size in bytes of a bitmap */
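Review bot: limits.h is a system header but is inserted between nstring.h and pbm.h, below the blank line that ends the system-header group. Move it up next to string.h so the two groups stay separate, and say in the description which limit constant the file uses.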
diff -Naur netpbm-10.35.21/converter/ppm/ppmtowinicon.c 
netpbm-10.35.21-patched/converter/ppm/ppmtowinicon.c
--- netpbm-10.35.21/converter/ppm/ppmtowinicon.c2007-01-14 
16:18:20.0 +0200
+++ netpbm-10.35.21-patched/converter/ppm/ppmtowinicon.c2007-01-14 
16:46:54.505583608 +0200
@@ -12,7 +12,7 @@

 #include math.h
 #include string.h
-
+#include stdlib.h
 #include winico.h
 #include ppm.h
 #include 

Re: spam test

2007-04-10 Thread Spamassassin List

http://hege.li/howto/spam/spamassassin.html


Remove everything from Botnet.cf RULES-section and set it up this way:

Does the above line mean to remove from the # THE RULES?


regards


RE: Email service that does graylisting/razor/spamfiltering/etc?

2007-04-10 Thread Rob McEwen
Kelly,

I provide just such a service. It does everything you've asked except not
the challenge/response. Additionally, I'd be reluctant to take on a client
who required catch-all accounts, or, as you described [EMAIL PROTECTED]
...because this can place a tremendous burden on a spam filter. For example,
in testing, one of my clients for whom I provide this service would have had
40 times the number of their combined hams/spams in volume of mail if
catch-all is turned on, due to dictionary attacks alone. (In case you missed
that, this would be a 40,000% increase in volume resulting from allowing
dictionary attacks through!)

But here are the upsides:

(1) My filtering is of such high quality that you won't miss not having the
challenge/response. (IMO, challenge/response is for wimpy spam filters!)

(2) Even though I don't allow catch-all accounts, (a.) I can turn
catch-all on for short periods of time if that would help in finding
lost aliases that you'd forgotten (b.) Extra throw-away aliases attached
to the same e-mail account are unlimited and do NOT increase my prices.

(3) I've been heavily involved in SURBL (and to a lesser extent, URIBL) for
years and, therefore, I've worked towards a quality of filtering that far
exceeds the major famous providers, both in terms of spam caught and legit
mail not caught! While I use SpamAssassin as a part of my filtering, most of
my filtering is custom written and I'm beating SA's out of the box
configuration by a wide margin.

E-mail me directly (off-list) if you are interested and for pricing!

Rob McEwen
[EMAIL PROTECTED]

-Original Message-
From: Kelly Jones [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 09, 2007 10:35 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; techtalk@linuxchix.org;
users@spamassassin.apache.org
Subject: Email service that does graylisting/razor/spamfiltering/etc?

I have about 20 domains, and any email to any of these domains
([EMAIL PROTECTED]) forwards to a single mailbox.

I handle email for all these domains myself, but it's becoming a hassle:

 % dictionary attacks mean I often get the same spam repeatedly

 % I'm too scared to change my SMTP config (to setup graylisting for
 example) for fear of breaking something and losing email [not that
 99+% of it isn't spam anyway...]

 % My SMTP server sometimes gets flooded w/ connections (probably not
 denial-of-service-- just excess-of-spammers), delaying legit email.

In short, I want to give up: running a mail server used to be easy,
but it's not anymore.

Is there a reliable, fairly inexpensive service that does graylisting,
razor-checking, sender address verification, RBL-checking, and other
spam filtering? Specifics:

 % I'd like to set the MX records for all 20 domains to their server
 and be done with it.

 % I do NOT want to forward email (to a spamarrest.com address for
 example). Forwarding means I still have to run my own mailserver +
 nullifies RBL checks, graylisting, etc.

 % I'd like the option of having challenge-response (you sent me an
 email + I don't know you -- go here and prove you're human), but
 also the option of turning it off.

 % Senders should always be notified (ideally at the SMTP level) if
 their message is rejected (ideally w/ a custom reject message that I
 choose). Messages shouldn't just disappear.

 % I'd like the ability to check my email via POP/IMAP. Size limits
 are OK: I plan to download email regularly.

 % Most of the email for my domains will come to just me, but I'd like
 the option to forward a copy of emails to certain addresses/domains
 to others. Example: email to [EMAIL PROTECTED] comes to just me, but
 email to [EMAIL PROTECTED] (that makes it through the spam filter)
 comes to me and a copy gets forwarded to [EMAIL PROTECTED] This feature
 isn't critical: I can probably setup Pine rules/etc to do what I want
 if I have to.

Any recommendations?

-- 
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.



Help with rule

2007-04-10 Thread Steven Stern

I'm trying to flag a type of spam that seems to be slipping through with
a very low score

The common factor is that all of the messages have something like

Just type www [.] pillking [.] org
Just type FONT color=#ffwww/FONT [.]
STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
color=#fforg/FONT/FONT

   Just type www [dot] pilldoc [dot] org

I suspect a rule that looks for www*pill*org would work. How do I turn
that into a regex?


- --

  Steve


Bypassing BOTNET rules

2007-04-10 Thread Robert Fitzpatrick
I applied BOTNET rules yesterday and have some legitimate mail getting
blocked and looking for the best way to bypass. I added 'bluehill\.com'
to the list of botnet_pass_domains, is that correct or should I be
adding '4servers\.com' or both?

Received: from esmtp.webtent.net ([127.0.0.1])
by localhost (esmtp.webtent.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id hnLlQBEIQsOo for [EMAIL PROTECTED];
Tue, 10 Apr 2007 08:20:27 -0400 (EDT)
Received: from bluehill.com (67-30-129-1.4servers.com [67.30.129.1])
by esmtp.webtent.net (WebTent ESMTP Postfix Internet Mail Gateway) with 
ESMTP i$
for [EMAIL PROTECTED]; Tue, 10 Apr 2007 08:20:27 -0400 (EDT)
Received: from bluehill.com (localhost [127.0.0.1])
by bluehill.com (8.13.1/8.12.10) with ESMTP id l3ACKQxT013801;
Tue, 10 Apr 2007 05:20:26 -0700
Received: (from [EMAIL PROTECTED])
by bluehill.com (8.13.1/8.13.5/Submit) id l3ACKNka013799;
Tue, 10 Apr 2007 05:20:23 -0700


-- 
Robert



whitelist_from_rcvd questions

2007-04-10 Thread Robert
Greets,

Can lines be combined in a situation like this

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com
whitelist_from_rcvd [EMAIL PROTECTED] hisotherdomain.com


does this work or should this be done?

can they be combined into one statement or should they be separate?

Any other tips etc?

Thanks!

 - rh

--
Abba Communications Internet  Computer Services
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net



Re: spam test

2007-04-10 Thread Luis Hernán Otegui

The last one is the lowest scoring here, look at the results:
For the first mail:

Content analysis details:   (13.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5751]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [88.155.128.48 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.155.128.48 listed in zen.spamhaus.org]
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The second one:

Content analysis details:   (14.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.0 DC_IMG_TEXT_RATIO      BODY: Low body to pixel area ratio
 0.5 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
 0.6 SARE_SPEC_LEO_LINE03e  RAW: common Leo body text
 1.0 DC_IMG_HTML_RATIO      RAW: Low rawbody to pixel area ratio
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The third one:

Content analysis details:   (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5442]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.2.4.148 listed in zen.spamhaus.org]
 3.0 BOTNET                 BOTNET
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

And finally, the low one:

Content analysis details:   (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.3 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [12.162.173.226 listed in dnsbl.sorbs.net]

I give the BOUNCE_MESSAGE a high score because the bounce backs were driving
me (and my users) mad. So I just throw them away. I know it's not very
RFC-something style, but works like a charm ;-)


Luix


2007/4/10, Spamassassin List [EMAIL PROTECTED]:


 http://hege.li/howto/spam/spamassassin.html

Remove everything from Botnet.cf RULES-section and set it up this way:

Does the above line mean to remove from the # THE RULES?


regards





--
-
GNU-GPL: May The Source Be With You...
-


Re: Spam bounceback attack

2007-04-10 Thread ram
On Mon, 2007-04-09 at 07:18 -0700, J. wrote:
 --- ram [EMAIL PROTECTED] wrote:
 
  On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
   Not sure if this is connected to my aggressive smtp connection
   rejection campaign over the past week, but we've been hit for the
   first time in many months with a backscatter spam attack. Spammer(s)
   use random addresses with our domain for their spamming so we get
   the flood (13000+ since midnight) of bounces.
   
   Is there a good way to deal with this? 70-80% are getting caught by
   spamassassin, but there are still thousands that get through and I
   have to filter manually (maildrop). Also, I hate the servers that
   just keep the subject line intact when they bounce a message because
   I can't figure out how to filter those. As it is I'm already
   filtering over 30 different subject line types to catch different
   types of bounces. And how do I find the legitimate bounces in that
   haystack? It's a lot of fun!
   
   Thanks.
  
  1) Verify recipient addresses
  2) Add SPF records for your domain. And blacklist those servers who
  accept forged mails from your domain and bounce them
  3) If you are suddenly facing a flush of Mailer-Demons give a
  TEMPFAIL for <>, not a great idea but sometimes you have to do this
  to save your mail server :-)
 
 Thanks Ram.  Not sure how to implement recipient verification with my
 setup, but I'll look into it. I have an SPF record for my domain
 installed afaik and I'm using the plugin for spamassassin that scores
 non-spf emails. When these types of attacks happen we get about 15,000
 bounces per day so I don't know how to blacklist every server that
 sends bounces without looking at the ip address of every email.


No your bounces will not be nonspf mails. They will be from <> which you
must accept. Adding SPF checks allows servers not to accept forged
messages from your domain, if they still do and they plan to send you
NDR's IMHO you have every right to blacklist them ( YMMV )


Blacklisting usually is best done at the firewall, a 10 liner perlscript
will give you all ips, simply drop packets at your firewall for such
ips and keep refreshing the lists

Recipient address verification is an *Absolute must*. If you don't do
that you will get your own server into trouble and get them listed in
all RBLs. Just like you are cursing mailservers that are flooding you
with backscatter your server too may be generating backscatter for
others. Don't be a part of the problem please



Thanks
Ram







Re: Bypassing BOTNET rules

2007-04-10 Thread John Rudd



Depending on which bypass/exemption you're going to use, either 
4servers\.com or the IP address are what you want to use.


The bluehill.com part is the smtp HELO argument, and botnet currently 
ignores that.



Robert Fitzpatrick wrote:

I applied BOTNET rules yesterday and have some legitimate mail getting
blocked and looking for the best way to bypass. I added 'bluehill\.com'
to the list of botnet_pass_domains, is that correct or should I be
adding '4servers\.com' or both?





Received: from bluehill.com (67-30-129-1.4servers.com [67.30.129.1])
by esmtp.webtent.net (WebTent ESMTP Postfix Internet Mail Gateway) with 
ESMTP i$
for [EMAIL PROTECTED]; Tue, 10 Apr 2007 08:20:27 -0400 (EDT)


Starting over with bayes

2007-04-10 Thread Robert Fitzpatrick
My bayes seems to be a mess, consistently knocking down scores. I have
it disabled now and want to rebuild. I assume I can just wipe out
the .seen, .token, etc. files and it will rebuild on its own? Also, I
have two servers in two different locations and would like to share the
bayes database between them, mysql? If so, can someone point me to some
good info on how to set that up?

-- 
Robert



mistakes with sending email address to list

2007-04-10 Thread R Lists06
Greetings,

I would appreciate it if the list admins would make it so that mistake
(emails with wrong sending email address) would bounce instead of being
allowed to make it to the list please?

Comments?

 -rh

--
Abba Communications Internet
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




Re: Help with rule

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, Steven Stern wrote:

 Just type www [.] pillking [.] org
 Just type FONT color=#ffwww/FONT [.]
 STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
 color=#fforg/FONT/FONT
 
Just type www [dot] pilldoc [dot] org
 
 I suspect a rule that looks for www*pill*org would work. How do I turn
 that into a regex?

Perhaps something like:

  body  OBFUSC_PILL_URI  /\bwww\b.{3,50}\bpill.{3,50}\borg\b/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 3 days until Thomas Jefferson's 264th Birthday



Re: Spam bounceback attack

2007-04-10 Thread David Morton



On Apr 10, 2007, at 12:13 PM, J. wrote:



Recipient address verification is an *Absolute must*. If you dont do
that you will get your own server into trouble and get them listed in
all RBLs Just like you are cursing mailservers that are flooding you
with backscatter your server too may be generating backscatter for
others. Dont be a part of the problem please


We're using the version of qmail smtp that does rbl checking so
hopefully one of those recipient checking patches will work. I didn't
realize that most people are denying smtp connections for bad
addresses. That's great that this is possible. So most of the people on
this list reject connections that are for bad addresses? That's great.
I think that would cut down the spam we get by 90%. I had no idea this
was possible.



???

There are all sorts of ways to reject bad addresses.  Mail servers  
*must* reject unknown recipients; it's not just common practice, it's  
the only sane thing to do.  Why waste resources for nonexistent  
addresses?


Here's a link that has links for many MTA's.

http://spamlinks.net/prevent-secure-backscatter.htm


David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]





Re: Help with rule

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, John D. Hardin wrote:

 On Tue, 10 Apr 2007, Steven Stern wrote:
 
  Just type www [.] pillking [.] org
  Just type FONT color=#ffwww/FONT [.]
  STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
  color=#fforg/FONT/FONT
  
 Just type www [dot] pilldoc [dot] org
  
  I suspect a rule that looks for www*pill*org would work. How do I turn
  that into a regex?
 
 Perhaps something like:
 
   body  OBFUSC_PILL_URI  /\bwww\b.{3,50}\bpill.{3,50}\borg\b/i

Actually, body matches strip out HTML markup so you could tighten it
up a bit:

  body  OBFUSC_PILL_URI  /\bwww\b.{3,10}\bpill.{3,15}\borg\b/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority.-- Cringely, 4/8/2004
---
 3 days until Thomas Jefferson's 264th Birthday



Re: Spam bounceback attack

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, J. wrote:

 I didn't realize that most people are denying smtp connections for
 bad addresses. That's great that this is possible. So most of the
 people on this list reject connections that are for bad addresses?
 That's great. I think that would cut down the spam we get by 90%.
 I had no idea this was possible.

That's not *quite* what we're talking about. Sorry if this is a rehash
of what you already know:

Proper behavior is to check addresses *during* the SMTP conversation
with the submitting MTA/MUA, and reject invalid/nonexistent address as
the other guy submits them. If any valid addresses are submitted, the
mail goes through. If no valid addresses are submitted, it is up to
the *other guy* to take some action, such as notifying the sender the
mail couldn't be delivered. The connection itself is not blocked or
rejected, though you could set up a log watcher to detect IPs that
continually submit bad addresses and firewall/tarpit them.

A bulk spam mail tool will likely just ignore the no such address  
rejections, leading to no additional impact on innocent third parties.

Contrast this with having your MTA accept the message for delivery, 
pass the message on down the chain, and then have some later step 
realize the address is invalid and generate a notice to the sender 
address that the message was undeliverable.

You're now generating outbound mail based on a spam you received. This 
is bad.

If the address was forged and nonexistent, your bounce will be 
rejected by the supposed sender's MTA; that's not as bad as actually 
delivering a bounce to a real user, but you're still generating 
pointless traffic to some innocent third party.

Multiply that by the millions of messages in a typical spam run and 
you can get a DDoS against whatever address or domain was forged on 
the spams as the sender address.

Rejecting the addresses during the SMTP conversation doesn't generate 
this extra traffic.

Configuring your MTA to refuse to accept nonexistent addresses is
typically a boolean option in its basic configuration settings, not
something esoteric requiring complex addons. Any MTA that doesn't
support this basic capability is badly broken by current standards.

Some MTAs will also allow you to slow down the SMTP conversation (e.g.  
pause a few seconds before sending responses) if more than a few bad
addresses are submitted, to mitigate against dictionary attacks.

HTH.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority.-- Cringely, 4/8/2004
---
 3 days until Thomas Jefferson's 264th Birthday
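
The contrast described in the message above (rejecting unknown recipients during the SMTP conversation versus accepting and bouncing later), modelled as an added example that is not code from the thread. The Receiver class, the mailbox names, the reply texts and the tarpit numbers are assumptions made for illustration; nothing here talks to a network.

```python
from dataclasses import dataclass, field

# Constructed data: the local mailboxes that really exist on this server.
VALID_RCPTS = {"sales@example.org", "postmaster@example.org"}
FORGED_SENDER = "victim@example.net"   # constructed third party named in MAIL FROM
# Constructed dictionary run: three transactions, five guesses and one hit each.
DICTIONARY_RUN = [
    ["aaron@example.org", "abby@example.org", "sales@example.org",
     "adam@example.org", "al@example.org", "alex@example.org"],
] * 3


@dataclass
class Receiver:
    """Toy model of the receiving MTA's policy (hypothetical, no network I/O)."""
    verify_at_smtp: bool          # True: refuse unknown RCPT during the conversation
    tarpit_after: int = 3         # assumed: bad RCPTs tolerated before slowing down
    tarpit_seconds: float = 5.0   # assumed: pause added for each further bad RCPT
    bounces: list = field(default_factory=list)    # (bounce_to, failed_rcpt)
    delivered: list = field(default_factory=list)

    def session(self, mail_from, rcpts):
        """Run one SMTP transaction; return (transcript, seconds_of_added_delay)."""
        log = [f"C: MAIL FROM:<{mail_from}>", "S: 250 2.1.0 Ok"]
        accepted, bad, delay = [], 0, 0.0
        for rcpt in rcpts:
            log.append(f"C: RCPT TO:<{rcpt}>")
            if self.verify_at_smtp and rcpt not in VALID_RCPTS:
                bad += 1
                if bad > self.tarpit_after:
                    delay += self.tarpit_seconds
                log.append("S: 550 5.1.1 No such address")
            else:
                accepted.append(rcpt)
                log.append("S: 250 2.1.5 Ok")
        if not accepted:
            # Every recipient was refused: nothing is queued, and telling the
            # sender about it is the submitting side's job.
            log.append("C: QUIT")
            return log, delay
        log += ["C: DATA", "S: 354 Go ahead", "C: <message>", "S: 250 2.0.0 Queued"]
        for rcpt in accepted:
            if rcpt in VALID_RCPTS:
                self.delivered.append(rcpt)
            elif mail_from:
                # Late discovery after acceptance: the bounce goes to the
                # envelope sender, which in a spam run is forged. A null
                # sender (<>) is never bounced to.
                self.bounces.append((mail_from, rcpt))
        return log, delay


def run_spam(receiver):
    """Feed the constructed run to a receiver; return (bounces, delivered, delay)."""
    total_delay = 0.0
    for rcpts in DICTIONARY_RUN:
        _, delay = receiver.session(FORGED_SENDER, rcpts)
        total_delay += delay
    return len(receiver.bounces), len(receiver.delivered), total_delay


def backscatter_targets(receiver):
    """Addresses that received bounces generated by this receiver."""
    return {to for to, _ in receiver.bounces}


if __name__ == "__main__":
    for verify in (True, False):
        r = Receiver(verify_at_smtp=verify)
        print("verify_at_smtp =", verify, "->", run_spam(r), backscatter_targets(r))
    transcript, _ = Receiver(verify_at_smtp=True).session(FORGED_SENDER, DICTIONARY_RUN[0])
    print("\n".join(transcript))
```
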



Re: Spam bounceback attack

2007-04-10 Thread J.

--- ram [EMAIL PROTECTED] wrote:

 On Mon, 2007-04-09 at 07:18 -0700, J. wrote:
  --- ram [EMAIL PROTECTED] wrote:
  
   On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
    Not sure if this is connected to my aggressive smtp connection
    rejection campaign over the past week, but we've been hit for the
    first time in many months with a backscatter spam attack.
    Spammer(s) use random addresses with our domain for their spamming
    so we get the flood (13000+ since midnight) of bounces.
    
    Is there a good way to deal with this? 70-80% are getting caught by
    spamassassin, but there are still thousands that get through and I
    have to filter manually (maildrop). Also, I hate the servers that
    just keep the subject line intact when they bounce a message
    because I can't figure out how to filter those. As it is I'm
    already filtering over 30 different subject line types to catch
    different types of bounces. And how do I find the legitimate
    bounces in that haystack? It's a lot of fun!
    
    Thanks.
   
   1) Verify recipient addresses
   2) Add SPF records for your domain. And blacklist those servers who
   accept forged mails from your domain and bounce them
   3) If you are suddenly facing a flush of Mailer-Demons give a
   TEMPFAIL for <>, not a great idea but sometimes you have to do this
   to save your mail server :-)
  
  Thanks Ram.  Not sure how to implement recipient verification with my
  setup, but I'll look into it. I have an SPF record for my domain
  installed afaik and I'm using the plugin for spamassassin that scores
  non-spf emails. When these types of attacks happen we get about
  15,000 bounces per day so I don't know how to blacklist every server
  that sends bounces without looking at the ip address of every email.
 
 
 No your bounces will not be nonspf mails. They will be from <> which
 you must accept. Adding SPF checks allows servers not to accept forged
 messages from your domain, if they still do and they plan to send you
 NDR's IMHO you have every right to blacklist them ( YMMV )
 
 
 Blacklisting usually is best done at the firewall, a 10 liner
 perlscript will give you all ips, simply drop packets at your firewall
 for such ips and keep refreshing the lists
 
 Recipient address verification is an *Absolute must*. If you don't do
 that you will get your own server into trouble and get them listed in
 all RBLs. Just like you are cursing mailservers that are flooding you
 with backscatter your server too may be generating backscatter for
 others. Don't be a part of the problem please

We're using the version of qmail smtp that does rbl checking so
hopefully one of those recipient checking patches will work. I didn't
realize that most people are denying smtp connections for bad
addresses. That's great that this is possible. So most of the people on
this list reject connections that are for bad addresses? That's great.
I think that would cut down the spam we get by 90%. I had no idea this
was possible.



   



Re: Help with rule

2007-04-10 Thread Kelson

Steven Stern wrote:

I suspect a rule that looks for www*pill*org would work. How do I turn
that into a regex?


Basic:              /www.*pill.*org/
Slightly optimized: /www.{1,30}pill.{1,30}org/

.      matches any character.
*      means anywhere 0 or more of the preceding item, so
.*     matches 0 or more of any character.
{X,Y}  means anywhere from X to Y of the preceding item.

You don't want to use .* in a SA rule, though, because if it matches 
www it'll keep looking for a long time until it finds pill or runs 
out of text to look at.  .{1,30} will match 1 to 30 of any character in 
a row, so if it finds www it will only look through 30 characters for 
pill


You can also make it more specific, matching things only at word 
boundaries, etc.


There's a good tutorial and reference at www.regular-expressions.info -- 
one of the few legit .info names I've seen.


--
Kelson Vibber
SpeedGate Communications www.speed.net
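
The four patterns posted in this thread, run side by side over the quoted spam lines and two harmless sentences; this is an added example, not code from any of the posters, and it transcribes the rules from SpamAssassin's Perl syntax to Python's re module. The sample strings, the HTML color value and render_body (a rough stand-in for the markup stripping that body rules get) are constructed assumptions.

```python
import re

# The patterns from the thread; /i becomes re.I.
RULES = {
    "kelson_basic":     re.compile(r"www.*pill.*org"),
    "kelson_bounded":   re.compile(r"www.{1,30}pill.{1,30}org"),
    "hardin_first":     re.compile(r"\bwww\b.{3,50}\bpill.{3,50}\borg\b", re.I),
    "hardin_tightened": re.compile(r"\bwww\b.{3,10}\bpill.{3,15}\borg\b", re.I),
}

TAG = re.compile(r"<[^>]*>")

# Constructed samples. The first three follow the lines quoted in the thread;
# the HTML attributes are made up because the archive stripped the originals.
SAMPLES = {
    "spam_plain": "Just type www [.] pillking [.] org",
    "spam_dot":   "Just type www [dot] pilldoc [dot] org",
    "spam_html":  ('Just type <FONT color="#ff0000">www</FONT> [.]\n'
                   '<STRONG><FONT color="#ff0000">pillking</FONT></STRONG> [.] <FONT\n'
                   'color="#ff0000">org</FONT></FONT>'),
    # Harmless text where "pill" and "org" sit inside longer words, close together.
    "ham_near":   "See www.example.com for the caterpillar reorganization notes",
    # Harmless text where the three tokens are hundreds of characters apart.
    "ham_far":    ("www.example.com " + "lorem ipsum " * 20 +
                   "take one pill daily, says the org chart"),
}


def render_body(raw, strip_tags=True):
    """Approximate a rendered body: optionally drop tags, collapse whitespace."""
    text = TAG.sub("", raw) if strip_tags else raw
    return re.sub(r"\s+", " ", text).strip()


def evaluate(raw, strip_tags=True):
    """Return {rule_name: fired?} for one message body."""
    text = render_body(raw, strip_tags)
    return {name: bool(rx.search(text)) for name, rx in RULES.items()}


def hits(raw, strip_tags=True):
    """Sorted names of the rules that fire on this body."""
    return sorted(name for name, fired in evaluate(raw, strip_tags).items() if fired)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:<12} rendered: {hits(raw)}")
    # With the markup left in, the gaps between the tokens grow to 42 and 47
    # characters, which only the {3,50} ranges (and the unbounded .*) span.
    print(f"{'spam_html':<12} raw:      {hits(SAMPLES['spam_html'], strip_tags=False)}")
```

The unanchored patterns fire on both harmless sentences or on the first alone, while the word-boundary versions fire only on the three spam lines.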


Re: Spam bounceback attack

2007-04-10 Thread Jim Maul

John D. Hardin wrote:

On Tue, 10 Apr 2007, J. wrote:


I didn't realize that most people are denying smtp connections for
bad addresses. That's great that this is possible. So most of the
people on this list reject connections that are for bad addresses?
That's great. I think that would cut down the spam we get by 90%.
I had no idea this was possible.


That's not *quite* what we're talking about. Sorry if this is a rehash
of what you already know:

Proper behavior is to check addresses *during* the SMTP conversation
with the submitting MTA/MUA, and reject invalid/nonexistent address as
the other guy submits them. If any valid addresses are submitted, the
mail goes through. If no valid addresses are submitted, it is up to
the *other guy* to take some action, such as notifying the sender the
mail couldn't be delivered. The connection itself is not blocked or
rejected, though you could set up a log watcher to detect IPs that
continually submit bad addresses and firewall/tarpit them.

A bulk spam mail tool will likely just ignore the no such address  
rejections, leading to no additional impact on innocent third parties.


Contrast this with having your MTA accept the message for delivery, 
pass the message on down the chain, and then have some later step 
realize the address is invalid and generate a notice to the sender 
address that the message was undeliverable.


You're now generating outbound mail based on a spam you received. This 
is bad.


If the address was forged and nonexistent, your bounce will be 
rejected by the supposed sender's MTA; that's not as bad as actually 
delivering a bounce to a real user, but you're still generating 
pointless traffic to some innocent third party.


Multiply that by the millions of messages in a typical spam run and 
you can get a DDoS against whatever address or domain was forged on 
the spams as the sender address.


Rejecting the addresses during the SMTP conversation doesn't generate 
this extra traffic.


Configuring your MTA to refuse to accept nonexistent addresses is
typically a boolean option in its basic configuration settings, not
something esoteric requiring complex addons. Any MTA that doesn't
support this basic capability is badly broken by current standards.

Some MTAs will also allow you to slow down the SMTP conversation (e.g.
pause a few seconds before sending responses) if more than a few bad
addresses are submitted, to mitigate against dictionary attacks.




qmail, which I believe the OP was using, is one of these "badly broken by 
current standards" MTAs, as you put it.  By default, it accepts ALL mail 
regardless of the validity of the recipient.  It will then generate a 
bounce to the (most likely) forged address when it figures out the 
recipient does not exist.  There are many addons/patches to correct this 
behavior.  I would check (using something other than IE) 
http://qmail.jms1.net for general information and useful patches.  And 
more specifically, http://qmail.jms1.net/patches/validrcptto.cdb.shtml 
which gives you the ability to reject invalid recipients at SMTP time.


-Jim
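
The RCPT-time rejection and tarpitting described in this message, next to the accept-then-bounce behaviour it warns about, as an added example that is not part of any post in the thread. The recipient list, thresholds, addresses and IP are constructed, and the class is a simplified model, not any MTA's code.

```python
import re
from collections import defaultdict

# Constructed data: a real MTA would consult its own user database.
VALID_RCPTS = {"alice@example.org", "bob@example.org"}
TARPIT_AFTER = 3     # assumed: bad RCPTs tolerated before slowing down
TARPIT_SECONDS = 5   # assumed: pause applied to every later reply

class RcptTimeSession:
    """One inbound SMTP conversation, reduced to MAIL / RCPT / DATA."""

    def __init__(self, peer_ip, bad_by_ip):
        self.peer_ip = peer_ip
        self.bad_by_ip = bad_by_ip   # per-IP tally a log watcher would act on
        self.sender = None
        self.accepted = []
        self.bad = 0

    def command(self, line):
        """Return (delay_seconds, reply); the delay is reported, not slept."""
        delay = TARPIT_SECONDS if self.bad >= TARPIT_AFTER else 0
        m = re.match(r"(?i)MAIL FROM:\s*<([^>]*)>", line)
        if m:
            self.sender, self.accepted = m.group(1), []
            return delay, "250 OK"
        m = re.match(r"(?i)RCPT TO:\s*<([^>]*)>", line)
        if m:
            if self.sender is None:
                return delay, "503 MAIL first"
            rcpt = m.group(1).lower()
            if rcpt in VALID_RCPTS:
                self.accepted.append(rcpt)
                return delay, "250 OK"
            self.bad += 1
            self.bad_by_ip[self.peer_ip] += 1
            return delay, "550 no such address"   # sender's MTA owns the failure
        if line.strip().upper() == "DATA":
            ok = bool(self.accepted)
            return delay, "354 go ahead" if ok else "554 no valid recipients"
        return delay, "500 unrecognized"

def accept_then_bounce(sender, rcpts):
    """Accept-everything model: one bounce per bad recipient goes to the
    (possibly forged) envelope sender. Returns the bounce destinations."""
    return [sender for r in rcpts if sender and r.lower() not in VALID_RCPTS]

def demo():
    """Constructed session: three guessed addresses, then one real one."""
    bad_by_ip = defaultdict(int)
    session = RcptTimeSession("192.0.2.10", bad_by_ip)
    cmds = ["MAIL FROM:<forged@victim.example>",
            "RCPT TO:<aaron@example.org>", "RCPT TO:<abby@example.org>",
            "RCPT TO:<adam@example.org>", "RCPT TO:<alice@example.org>",
            "DATA"]
    return [session.command(c) for c in cmds], dict(bad_by_ip), session.accepted
```

With RCPT-time checks the receiving host sends no mail of its own; in the accept-then-bounce model the same four recipients produce three bounces to the forged sender.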


rule explanation

2007-04-10 Thread Jean-Paul Natola
Hi everyone,

I'm trying to grasp the concept of making rules- I was hoping someone can
explain what exactly does this mean;

9s/0h of 68401 corpus (53647s/14754h ML) 02/13/06












Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: Spam bounceback attack

2007-04-10 Thread J.

--- Jim Maul [EMAIL PROTECTED] wrote:

 John D. Hardin wrote:
  On Tue, 10 Apr 2007, J. wrote:
  
  I didn't realize that most people are denying smtp connections for
  bad addresses. That's great that this is possible. So most of the
  people on this list reject connections that are for bad addresses?
  That's great. I think that would cut down the spam we get by 90%.
  I had no idea this was possible.
  
  That's not *quite* what we're talking about. Sorry if this is a
 rehash
  of what you already know:
  
  Proper behavior is to check addresses *during* the SMTP
 conversation
  with the submitting MTA/MUA, and reject invalid/nonexistent address
 as
  the other guy submits them. If any valid addresses are submitted,
 the
  mail goes through. If no valid addresses are submitted, it is up to
  the *other guy* to take some action, such as notifying the sender
 the
  mail couldn't be delivered. The connection itself is not blocked or
  rejected, though you could set up a log watcher to detect IPs that
  continually submit bad addresses and firewall/tarpit them.
  
  A bulk spam mail tool will likely just ignore the no such address
  
  rejections, leading to no additional impact on innocent third
 parties.
  
  Contrast this with having your MTA accept the message for delivery,
 
  pass the message on down the chain, and then have some later step 
  realize the address is invalid and generate a notice to the sender 
  address that the message was undeliverable.
  
  You're now generating outbound mail based on a spam you received.
 This 
  is bad.
  
  If the address was forged and nonexistent, your bounce will be 
  rejected by the supposed sender's MTA; that's not as bad as
 actually 
  delivering a bounce to a real user, but you're still generating 
  pointless traffic to some innocent third party.
  
  Multiply that by the millions of messages in a typical spam run and
 
  you can get a DDoS against whatever address or domain was forged on
 
  the spams as the sender address.
  
  Rejecting the addresses during the SMTP conversation doesn't
 generate 
  this extra traffic.
  
  Configuring your MTA to refuse to accept nonexistent addresses is
  typically a boolean option in its basic configuration settings, not
  something esoteric requiring complex addons. Any MTA that doesn't
  support this basic capability is badly broken by current standards.
  
  Some MTAs will also allow you to slow down the SMTP conversation
 (e.g.  
  pause a few seconds before sending responses) if more than a few
 bad
  addresses are submitted, to mitigate against dictionary attacks.
  
  
 
 qmail, which i believe the OP was using is one of these badly broken
 by 
 current standards MTAs as you put it.  By default, it accepts ALL
 mail 
 regardless of the validity of the recipient.  It will then generate a
 
 bounce to the (most likely) forged address when it figures out the 
 recipient does not exist.  There are many addons/patches to correct
 this 
 behavior.  I would check (using something other than IE) 
 http://qmail.jms1.net for general information and useful patches. 
 And 
 more specifically,
 http://qmail.jms1.net/patches/validrcptto.cdb.shtml 
 which gives you the ability to reject invalid recipients at SMTP
 time.

Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
by default because otherwise my setup would be to blame. :) I'm using
qmail to handle incoming and outgoing mail for my domain but using a
very old lan based mail server to actually deliver mail to our users so
the qmail machine doesn't have any idea who's a valid user and who
isn't, all non-junk goes into a single mailbox which our lan server
then retrieves via pop. Outbound works similarly where our lan server
relays through the qmail machine (no it's not an open relay).

I'm looking at this patch at the moment:

http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch

...but will also look at the ones Jim suggested. Thanks again.

-Jason


   



Re: Empty Subject

2007-04-10 Thread Theo Van Dinter
On Tue, Apr 10, 2007 at 08:23:15PM +0100, Paul Hurley wrote:
 I've received a couple of Spam recently similar to the attached.  They 
 all get through, and all trigger on Empty_Message, except the message 
 body isn't empty, and it contains some phrases that I would expect to 
 score off the scale
 
 I'm running Spamassassin V3.1.7.0 on Windows 32 via SAWin32 
 (http://sourceforge.net/projects/sawin32/) with all rules, network tests 
 and some of the common SARE rules.
 
 Any ideas ???

I would guess that SAWin32 is not sending things validly to SA.  Something
like a blank line at the top of the header, etc.

-- 
Randomly Selected Tagline:
There are all of these warnings and incantations and unnatural rituals
 and everything's veiled in this threat of you mess with the mayo,
 the mayo mess with you, man.   - Alton Brown, Good Eats, Mayo Clinc




RE: Spam bounceback attack

2007-04-10 Thread R Lists06
 Jason wrote:
 Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
 by default because otherwise my setup would be to blame. :) I'm using
 qmail to handle incoming and outgoing mail for my domain but using a
 very old lan based mail server to actually deliver mail to our users so
 the qmail machine doesn't have any idea who's a valid user and who
 isn't, all non-junk goes into a single mailbox which our lan server
 then retrieves via pop. Outbound works similarly where our lan server
 relays through the qmail machine (no it's not an open relay).
 
 I'm looking at this patch at the moment:
 
 http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
 
 ...but will also look at the ones Jim suggested. Thanks again.
 
 -Jason
 

We highly recommend John Simpson's http://qmail.jms1.net and the validrcptto
patch as well.

There is actually a group of patches that John Simpson rolled into one

Many goodies there that can be utilized...

He started that as an addon in regards to and with http://www.qmailrocks.org
and there is still good info although the site hasn't been as well kept as
it could have been the last 6 to 12 months.

There are many other items and links to check out on http://qmail.jms1.net
as well...

If you know and understand everything on that site and a coupla others
related to it, you will do extremely well with your mail server overall.

Of course, the tie in is that at some point I had to better learn about
Spamassassin and joined here for that.

Kind regards,

 - rh

--
Abba Communications Internet 
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




Bad file descriptor

2007-04-10 Thread Halid Faith
I use spamassassin3.1.7_1
I rarely get a warning from the SA like below;
warn: prefork: select returned -1! recovering: Bad file descriptor
What should I do to stop it giving an error like the one above?
 

  


OEM software spam-

2007-04-10 Thread Jean-Paul Natola
Hi all,

I'm getting killed with a slew of OEM SOFTWARE spams

I'm trying to  add scores to these as they are not scoring anything at all

0.0 HTML_MESSAGE   BODY: HTML included in message

0.0 RCVD_IN_PBL        RBL: Received via a relay in Spamhaus PBL

And increase this one 

1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words






Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: OEM software spam-

2007-04-10 Thread Richard Frovarp

Jean-Paul Natola wrote:

Hi all,

I'm getting killed with a slew of OEM SOFTWARE spams

I'm trying to  add scores to these as they are not scoring anything at all

0.0 HTML_MESSAGE   BODY: HTML included in message
  

Not a direct indicator as spam. A ton of ham hits this rule

0.0 RCVD_IN_PBL        RBL: Received via a relay in Spamhaus PBL
  

I use PBL (well actually zen) to block at MTA

And increase this one 


1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

  
Watch out for the here's the pics type messages with attached images. 
Or even short messages with a gif background that can FP if the scores 
are too high.


RE: How would i write this rule?

2007-04-10 Thread Bowie Bailey
Adam Lanier wrote:
 Peter Russell wrote:
 
  
  Sorry last question - seems the parent company is doing spam checks
  and adds the spam score to the headers.
  
  How could i add/change the second condition for a spam score
  greater than 10.00 ? 
  
  the header is X-Spam-Score: *** (11.507)
  
  Many thanks
  Pete
 
 To ask the obvious question, why are you doing spam checks if the
 upstream relay is also doing them?
 
 Based on my performance yesterday, there's almost assuredly something
 wrong with the following but...
 
 header __HIGH_SA_SCORE  X-Spam-Score =~ /\*{10,}/
 meta   SPAM_FROM_RELAY  __GATEWAY_RELAY && __NOT_PAR_DOMAIN && __HIGH_SA_SCORE

Since you don't care what the actual score is and you are not anchoring
the end of the expression, you can simplify this to:

header __HIGH_SA_SCORE  X-Spam-Score =~ /\*{10}/

In other words...  Match if the header contains ten asterisks.  You
don't care if it has exactly ten or more than ten.  As long as there are
ten asterisks in there somewhere, it will match.

-- 
Bowie
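
The equivalence described above, checked over a range of star counts, with an anchored pattern and a numeric comparison for contrast; this is an added example, not code from the thread. It uses Python's `re`, which treats these patterns the same way as the Perl rule, and assumes one asterisk per whole point in the `stars (score)` header format quoted earlier.

```python
import re

LOOSE = re.compile(r"\*{10,}")    # ten or more, unanchored
SHORT = re.compile(r"\*{10}")     # ten, unanchored: same matches as LOOSE
EXACT = re.compile(r"^\*{10}$")   # anchored: exactly ten, a different rule

def header_value(score):
    """Constructed X-Spam-Score value: int(score) asterisks (an assumption)."""
    return "%s (%.3f)" % ("*" * int(score), score)

def compare(max_stars=15):
    """Rows of (stars, loose, short, exact) for 0..max_stars asterisks."""
    rows = []
    for n in range(max_stars + 1):
        value = header_value(n + 0.507)
        rows.append((n,
                     bool(LOOSE.search(value)),
                     bool(SHORT.search(value)),
                     bool(EXACT.search("*" * n))))
    return rows

def numeric_score(value):
    """Read the number in parentheses, for a strict 'greater than' test."""
    m = re.search(r"\((-?\d+(?:\.\d+)?)\)", value)
    return float(m.group(1)) if m else None

def over_threshold(value, threshold=10.0):
    """Strictly greater than the threshold, which star counting cannot express."""
    score = numeric_score(value)
    return score is not None and score > threshold
```

A score of exactly 10.000 carries ten asterisks under this assumption, so both unanchored patterns match it while `over_threshold` does not.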


RE: Spam bounceback attack

2007-04-10 Thread J.

--- R Lists06 [EMAIL PROTECTED] wrote:

  Jason wrote:
  Thanks Jim and John, that helps a lot. I'm glad that qmail is like
 this
  by default because otherwise my setup would be to blame. :) I'm
 using
  qmail to handle incoming and outgoing mail for my domain but using
 a
  very old lan based mail server to actually deliver mail to our
 users so
  the qmail machine doesn't have any idea who's a valid user and who
  isn't, all non-junk goes into a single mailbox which our lan server
  then retrieves via pop. Outbound works similarly where our lan
 server
  relays through the qmail machine (no it's not an open relay).
  
  I'm looking at this patch at the moment:
  
  http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
  
  ...but will also look at the ones Jim suggested. Thanks again.
  
  -Jason
  
 
 We highly recommend John Simpson's http://qmail.jms1.net and the
 validrcptto
 patch as well.
 
 There is actually a group of patches that John Simpson rolled into
 one
 
 Many goodies there that can be utilized...
 
 He started that as an addon in regards to and with
 http://www.qmailrocks.org
 and there is still good info although the site hasn't been as well
 kept as
 it could have been the last 6 to 12 months.
 
 There are many other items and links to check out on
 http://qmail.jms1.net
 as well...
 
 If you know and understand everything on that site and a coupla
 others
 related to it, you will do extremely well with your mail server
 overall.
 
 Of course, the tie in is that at some point I had to better learn
 about
 Spamassassin and joined here for that.
 
 Kind regards,
 
  - rh

Thanks. Ok, I did some looking around and decided that
http://qmail.jms1.net has the patch for me
(netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
that when people have tried to patch the Gentoo version of netqmail
they get errors. Has anyone here gotten this working under Gentoo?
Thanks.

-Jason



   



Re: Spam bounceback attack

2007-04-10 Thread Rick Macdougall

J. wrote:


Thanks. Ok, I did some looking around and decided that
http://qmail.jms1.net has the patch for me
(netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
that when people have tried to patch the Gentoo version of netqmail
they get errors. Has anyone here gotten this working under Gentoo?
Thanks.

  


The Gentoo emerge build of qmail is not recommended.  You'll be much 
better off building from source.  I don't use it myself but I've heard 
horror stories from people on the list.


Another option, that we use, is http://www.shupp.org and the toaster 
patch.  That way clients can login and add users and all invalid users 
are rejected (users don't have to actually be local, you can remove the 
domains from virtualdomains, the user check will still work but the 
smtproutes will be followed).


More info off list if you want.

Regards,

Rick



RE: Spam bounceback attack

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, J. wrote:

 Thanks. Ok, I did some looking around and decided that
 http://qmail.jms1.net has the patch for me
 (netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
 that when people have tried to patch the Gentoo version of netqmail
 they get errors. Has anyone here gotten this working under Gentoo?

I'd respectfully suggest that the Gentoo forums is the place to pursue
this going forward, and that you might want to open a feature-request
Gentoo bugzilla entry for adding that patch to the qmail package with
a USE option so that others may benefit from it.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Phobias should not be the basis for laws.
---
 3 days until Thomas Jefferson's 264th Birthday



Re: Nigerian Connection Spam was: [***SPAM***Empty Subject] [signed]

2007-04-10 Thread Matthias Schmidt [c]
Am/On Tue, 10 Apr 2007 20:23:15 +0100 schrieb/wrote Paul Hurley:

I've received a couple of Spam recently similar to the attached.  They 
all get through, and all trigger on Empty_Message, except the message 
body isn't empty, and it contains some phrases that I would expect to 
score off the scale

Here's the spamassassin report

No, score=4.0 required=6.0 tests=BAYES_50=0.001, EMPTY_MESSAGE=2.308, 
HTML_40_50=0.496, HTML_MESSAGE=0.1, RM_rb_ANCHOR=0.001, 
RM_rb_BREAK=0.001, RM_rb_FONT=0.001, RM_rb_PARA=0.001, 
SUBJ_ALL_CAPS=0.997, cust_LOCAL_TO_RCVD=0.1 autolearn=no version=3.1.7

I'm running Spamassassin V3.1.7.0 on Windows 32 via SAWin32 
(http://sourceforge.net/projects/sawin32/) with all rules, network tests 
and some of the common SARE rules.

Nigerian Connection Spam.

They get rejected here because their domain is usually invalid.

Thanks and all the best

Matthias



--
- [ SECURITY NOTICE ] -
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED]
digitally signed this message on 11 April 2007 at 01:40:00 UTC.
Verify this digital signature at http://www.ciphire.com/verify.



Re: rule explanation

2007-04-10 Thread Matt Kettler
Jean-Paul Natola wrote:
 Hi everyone,

 I'm trying to grasp the concept of making rules- I was hoping someone can
 explain what exactly does this mean;

 9s/0h of 68401 corpus (53647s/14754h ML) 02/13/06
   
Reading the line backwards:

The rule was tested against a corpus (hand sorted collection of email)
on 02/13/06. The corpus was composed of 53647 spam messages, and
14754 nonspam, for a total of 68401 messages. During the test, the rule
matched 0 nonspam messages and 9 spam messages.