Re: Integrate Spamassassin in linux
Paul Hurley wrote: I've just moved my laptop to Ubuntu Feisty 7.04 and am very happy. I'm still using Thunderbird as I'm happy, but am unsure on how to integrate Spamassassin into things. It's just me, although I get mail from multiple pop accounts on different domains / servers. Ideally I'd like something similar to SAproxy, just on Linux... Maybe there's an SAproxy for Linux? Otherwise, a typical one-person setup for multiple POP-accounts might be fetchmail+postfix, to which you could add spamassassin or amavisd. That's what I was using for a year or two. /Per Jessen, Zürich
Re: SA on iPhone yet?
on 7/2/07 10:08 PM, Robert - eLists at [EMAIL PROTECTED] wrote: Anyone get Spamassassin installed on their iPhone yet? :-) - rh What are you talking about? SA is a server level tool. Why, if it was even possible, would you install it on a phone? -- Mike Yrabedra B^)
Are W. Stearn's blacklist in 3.2.* usable?
Hi all.

Testing new setup: CentOS 4.4 amavisd-new-2.5.1 SpamAssassin version 3.2.1 running on Perl version 5.8.5 +RulesDuJour Quad proc Dell PE w/ 4 GB RAM.

Using calls to the timestamp function I've been testing this setup over the past week. While following the debug output I've removed: SARE_SPECIFIC SARE_FRAUD and SARE_HEADER0 from my TRUSTED_RULESETS in RulesDuJour/config And also removed 99_sare_fraud_post25x.cf, 70_sare_header0.cf, 70_sare_specific.cf in /etc/mail/spamassassin -D --lint. It is not compatible with SA3.2. Fair enough.

But the processing time during the manual test was still really slow. Depending on the message, the total processing time averaged between 8-15 minutes per message!

*If I then dropped both the blacklist[-uri] out, the timing was a consistent ~45 seconds per message.

(using)

    # su vscan -c 'spamassassin -D sample-spam-GTUBE-junk.txt 2>&1' | timestamp $HOME/SAdebug_spam-GTUBE_10
    [EMAIL PROTECTED] ~]# head -1 SAdebug_spam-GTUBE_10; tail -1 SAdebug_spam-GTUBE_10
    10:03:02.508 2.354 2.354 [32673] dbg: logger: adding facilities: all
    10:12:29.882 569.727 0.000

It was down to the 2 blacklist files. So I removed them. I couldn't see it in an 'obvious' way in the debug output, it would just hang forever after:

    dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC

- So, I pulled all the rulesdujour out of /etc/mail/spamassassin and added them in one by one, along w/ a debug test message until I could find which rules were holding it back.

After, I put it in the production stream (w/ no blacklist) and let around 5000 messages through. (With pyzor-razor2-dcc-SA-amavisd-clamd all running correctly.) I awk'd out the timing from the mail.log I was seeing the general average 'total processing time' between 4-7 seconds per message. No errors in test debug output or anything via syslogd.

I'm quite happy with this, but I'd like to make use of the blacklist as well!

So my questions are:

1.
is the timing 'normal' when using the blacklist rules called through 'spamassassin'? Is it just a storm in a teacup? When it's called from Perl will it all be loaded into memory and the timing will drop down? 2. are the rules compatible w/ the 3.2 branch of SA? 3. if it's 'wrong' how does one debug further? I've enabled level 5 in amavisd.conf 'smtpd -v' at the top of my master.cf. Am I looking in the wrong place? Am I missing some sort of Perl module that would mitigate this in some way? (I'll list these at the end) -Peter Farrell Cardiff, Wales installed modules Archive::Extract -- 0.18 Archive::Tar -- 1.30 Archive::Zip -- 1.18 BerkeleyDB -- 0.31 CPAN -- 1.9102 CPAN::Reporter -- 0.44 Class::ErrorHandler -- 0.01 Class::Loader -- 2.03 Compress::Raw::Zlib -- 2.004 Compress::Zlib -- 2.004 Config::Tiny -- 2.10 Convert::ASCII::Armour -- 1.4 Convert::PEM -- 0.07 Convert::TNEF -- 0.17 Convert::UUlib -- 1.08 Crypt::Blowfish -- 2.10 Crypt::CAST5_PP -- 1.04 Crypt::CBC -- 2.22 Crypt::DES -- 2.05 Crypt::DES_EDE3 -- 0.01 Crypt::DSA -- 0.14 Crypt::IDEA -- 1.08 Crypt::OpenPGP -- 1.03 Crypt::OpenSSL::RSA -- 0.24 Crypt::OpenSSL::Random -- 0.03 Crypt::Primes -- 0.50 Crypt::RIPEMD160 -- 0.04 Crypt::RSA -- 1.58 Crypt::Random -- 1.25 Crypt::Rijndael -- 1.04 Crypt::Twofish -- 2.12 Cwd -- 3.25 DB_File -- 1.815 Data::Buffer -- 0.04 Data::Dump -- 1.08 Digest::MD2 -- 2.03 Digest::MD5 -- 2.36 Digest::SHA -- 5.44 Digest::SHA1 -- 2.11 Encode::Detect -- 1.00 Error -- 0.17008 ExtUtils::CBuilder -- 0.19 ExtUtils::MakeMaker -- 6.32 File::Copy::Recursive -- 0.33 File::HomeDir -- 0.65 File::Temp -- 0.18 File::Which -- 0.05 File::pushd -- 0.99 HTML::Parser -- 3.56 IO -- 1.23 IO::CaptureOutput -- 1.03 IO::Compress::Base -- 2.004 IO::Compress::Zlib -- ??? 
IO::Socket::INET6 -- 2.51 IO::Socket::SSL -- 1.06 IO::Stringy -- 2.110 IO::Zlib -- 1.05 IP::Country -- 2.23 IPC::Cmd -- 0.36 IPC::Run3 -- 0.037 Image::Info -- 1.24 LWP -- 5.805 Locale::Maketext::Simple -- 0.18 Log::Message -- 0.01 Log::Message::Simple -- 0.01 MIME-tools -- ??? MIME::Base64 -- 3.07 Mail -- ??? Mail::DKIM -- 0.24 Mail::SPF -- v2.004 Mail::SPF::Query -- 1.999.1 Mail::SpamAssassin -- 3.002001 Math::Pari -- 2.010709 Module::Build -- 0.2808 Module::CoreList -- 2.11 Module::Load -- 0.10 Module::Load::Conditional -- 0.16 Module::Loaded -- 0.01 Module::Pluggable -- 3.6 Net -- ??? Net::CIDR::Lite -- 0.20 Net::DNS -- 0.59 Net::DNS::Resolver::Programmable -- 0.002.2 Net::IP -- 1.25 Net::Ident -- 1.20 Net::SSLeay -- 1.30 Net::Server -- 0.96 NetAddr::IP -- 4.004 Object::Accessor -- 0.32 Package::Constants -- 0.01 Params::Check -- 0.26 Perl -- 5.8.5 Pod::Escapes -- 1.04 Pod::Parser -- 1.35 Pod::Simple -- 3.05 Probe::Perl -- 0.01 Socket6 -- 0.19 Sort::Versions -- 1.5 Sys::Hostname::Long -- 1.4 Tee -- 0.13 Term::ReadKey -- 2.14 Term::ReadLine -- 1.01 Term::UI -- 0.14 Test::Harness -- 2.64 Test::Reporter -- 1.27 Tie::EncryptedHash -- 1.8 Time::HiRes -- 1.9707 Time::Local -- 1.17 URI -- 1.35 Unix::Syslog
Re: ClamAV in SA( was: SaneSecurity)
OliverScott wrote:
> Is [running two instances of clamd] the following easy to do?

I think it's pretty easy. Exactly how you do it depends on the platform/distribution you use. Here's what I did in FreeBSD:

I copied the init script (/usr/local/etc/rc.d/clamav-clamd.sh to /usr/local/etc/rc.d/clamav-clamd-spam.sh).
I edited the copy to use another name, socket, pid file and config file.
I copied the config file to the name I specified in the copy of the init script.
I edited the copy of the config file to use another database directory, turn phishing signatures on, etc.
I edited the ClamAV plugin for SpamAssassin to use the socket specified above.

My values for socket etc. were changed to the following (it's quite probable that those values do not fit your Linux distribution):

socket: /var/run/clamav/clamd-spam
pid file: /var/run/clamav/clamd-spam.pid
config file: /usr/local/etc/clamd-spam.conf
database dir: /var/db/clamav-spam

Regards
/Jonas
--
Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: Are W. Stearn's blacklist in 3.2.* usable?
Quoting Peter Farrell [EMAIL PROTECTED]:
> Hi all. Testing new setup: CentOS 4.4 amavisd-new-2.5.1 SpamAssassin version 3.2.1 running on Perl version 5.8.5 +RulesDuJour Quad proc Dell PE w/ 4 GB RAM. Using calls to the timestamp function I've been testing this setup over the past week. While following the debug output I've removed: SARE_SPECIFIC SARE_FRAUD and SARE_HEADER0 from my TRUSTED_RULESETS in RulesDuJour/config And also removed 99_sare_fraud_post25x.cf, 70_sare_header0.cf, 70_sare_specific.cf in /etc/mail/spamassassin -D --lint. It is not compatible with SA3.2. Fair enough. But the processing time during the manual test was still really slow. Depending on the message, the total processing time averaged between 8-15 minutes per message! *If I then dropped both the blacklist[-uri] out, the timing was a consistent ~45 seconds per message.

Please DO NOT use sa-blacklist. Use multi.surbl.org instead. Bill will tell you the same thing when he gets a chance.

No one should be using sa-blacklist any more. It's way too large and inefficient. The WS bit in multi.surbl.org has the same data and it's in DNSBL form so there is no huge ruleset to fill up your memory, just DNS queries. In your case it's probably causing spamassassin to swap out of memory.

See: http://www.surbl.org/

Jeff C.
Re: Writing a rule to access SA ClamAV Plugin Header
> There is a SpamAssassin plugin which checks messages with ClamAV, which adds the following header to emails

> What I would like to do would be to score the ClamAV detection differently depending on whether it was

Your problem is that the ClamAV plugin doesn't add a header as metadata to the message, so there is no header to check in rules. Fortunately, you only have to add one single line to the plugin in order to add the header.

This is the line I've added here:

    $permsgstatus->{msg}->put_metadata('ClamAV-Result',$header);

It's added directly before the line and makes it possible to use the header ClamAV-Result in rules (and to get it from the mail object, which is what I do).

For your rules to work as is you'd want to add it as:

    $permsgstatus->{msg}->put_metadata('X-Spam-Virus',$header);

Add the line directly above the line:

    return $isspam;

Regards
/Jonas

OliverScott wrote:
> There is a SpamAssassin plugin which checks messages with ClamAV, which adds the following header to emails it processes:
>
>     X-Spam-Virus: Yes ($VirusName)
>
> http://wiki.apache.org/spamassassin/ClamAVPlugin
>
> By default you can set a score in its clamav.cf file:
>
>     score CLAMAV 10
>
> I am currently testing a 3rd party set of ClamAV definitions from a website called www.sanesecurity.co.uk which look to be very effective against some phishing and image spam emails. When it fires on an email the headers the ClamAV plugin adds are as follows:
>
>     X-Spam-Virus: Yes ($Name.Sanesecurity)
>
> What I would like to do would be to score the ClamAV detection differently depending on whether it was detected by the ClamAV default signatures (virus) or the Sanesecurity signatures (spam). I have tried adding the following to local.cf but it doesn't seem to be working:
>
>     header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
>     header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
>     meta MY_CLAMAV (__MY_CLAMAV && !__MY_CLAMAV_SANE)
>     meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
>     score MY_CLAMAV 10
>     score MY_CLAMAV_SANE 5
>
> Any suggestions?
-- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: Writing a rule to access SA ClamAV Plugin Header
Jonas Eckerman writes:
> > There is a SpamAssassin plugin which checks messages with ClamAV, which adds the following header to emails
>
> > What I would like to do would be to score the ClamAV detection differently depending on whether it was
>
> Your problem is that the ClamAV plugin doesn't add a header as metadata to the message, so there is no header to check in rules. Fortunately, you only have to add one single line to the plugin in order to add the header.
>
> This is the line I've added here:
>
>     $permsgstatus->{msg}->put_metadata('ClamAV-Result',$header);
>
> It's added directly before the line and makes it possible to use the header ClamAV-Result in rules (and to get it from the mail object, which is what I do).
>
> For your rules to work as is you'd want to add it as:
>
>     $permsgstatus->{msg}->put_metadata('X-Spam-Virus',$header);
>
> Add the line directly above the line:
>
>     return $isspam;

This is a good idea. I've modified the plugin code on the wiki to include this. thanks Jonas!

--j.

> Regards
> /Jonas
>
> OliverScott wrote:
> > There is a SpamAssassin plugin which checks messages with ClamAV, which adds the following header to emails it processes:
> >
> >     X-Spam-Virus: Yes ($VirusName)
> >
> > http://wiki.apache.org/spamassassin/ClamAVPlugin
> >
> > By default you can set a score in its clamav.cf file:
> >
> >     score CLAMAV 10
> >
> > I am currently testing a 3rd party set of ClamAV definitions from a website called www.sanesecurity.co.uk which look to be very effective against some phishing and image spam emails. When it fires on an email the headers the ClamAV plugin adds are as follows:
> >
> >     X-Spam-Virus: Yes ($Name.Sanesecurity)
> >
> > What I would like to do would be to score the ClamAV detection differently depending on whether it was detected by the ClamAV default signatures (virus) or the Sanesecurity signatures (spam). I have tried adding the following to local.cf but it doesn't seem to be working:
> >
> >     header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> >     header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> >     meta MY_CLAMAV (__MY_CLAMAV && !__MY_CLAMAV_SANE)
> >     meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
> >     score MY_CLAMAV 10
> >     score MY_CLAMAV_SANE 5
> >
> > Any suggestions?
>
> --
> Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
MySQL Quotas
Hi, I am posting this here thinking this may be more of an OS thing than a mysql thing... Since all mysql databases and tables need to be owned by the mysql user, is there, er, has anyone figured out a way to impose disk quotas per database for mysql? -Grant
Re: MySQL Quotas
On Tue, 3 Jul 2007 at 08:12 -0400, [EMAIL PROTECTED] confabulated: I am posting this here thinking this may be more of an OS thing than a mysql thing... Since all mysql databases and tables need to be owned by the mysql user, is there, er, has anyone figured out a way to impose disk quotas per database for mysql? Perhaps you should consult with the mysql list or a list with your OS.
Re: Are W. Stearn's blacklist in 3.2.* usable?
Jeff Chan wrote:
> Quoting Peter Farrell [EMAIL PROTECTED]:
> > Hi all. Testing new setup: CentOS 4.4 amavisd-new-2.5.1 SpamAssassin version 3.2.1 running on Perl version 5.8.5 +RulesDuJour Quad proc Dell PE w/ 4 GB RAM. Using calls to the timestamp function I've been testing this setup over the past week. While following the debug output I've removed: SARE_SPECIFIC SARE_FRAUD and SARE_HEADER0 from my TRUSTED_RULESETS in RulesDuJour/config And also removed 99_sare_fraud_post25x.cf, 70_sare_header0.cf, 70_sare_specific.cf in /etc/mail/spamassassin -D --lint. It is not compatible with SA3.2. Fair enough. But the processing time during the manual test was still really slow. Depending on the message, the total processing time averaged between 8-15 minutes per message! *If I then dropped both the blacklist[-uri] out, the timing was a consistent ~45 seconds per message.
>
> Please DO NOT use sa-blacklist. Use multi.surbl.org instead. Bill will tell you the same thing when he gets a chance.
>
> No one should be using sa-blacklist any more. It's way too large and inefficient. The WS bit in multi.surbl.org has the same data and it's in DNSBL form so there is no huge ruleset to fill up your memory, just DNS queries. In your case it's probably causing spamassassin to swap out of memory.
>
> See: http://www.surbl.org/
>
> Jeff C.

Make sure you have a caching name server on the machine as well.

Richard
Re: SA on iPhone yet?
> on 7/2/07 10:08 PM, Robert - eLists at [EMAIL PROTECTED] wrote:
> > Anyone get Spamassassin installed on their iPhone yet? :-) - rh
>
> What are you talking about? SA is a server level tool. Why, if it was even possible, would you install it on a phone?
> -- Mike Yrabedra B^)

Perhaps because the upstream server doesn't filter spam? Or not to the user's liking?

I'm sorry I failed to read someplace that SA only worked on servers. If I had known that I might not have had it running perfectly satisfactorily filtering spam on my workstation for the last 4+ years.

Now personally I have no clue why someone would want a phone that can be a TV set too. But if they can read spam on it, I can imagine why they might want SA there instead.
FuzzyOcr and PDF files
Hello all,

because some people insisted on it, I added an experimental feature to FuzzyOcr that allows you to scan PDFs as if they were images. The feature was implemented in the latest SVN revision and is of course disabled by default.

Personally, I would not use this feature because the risk of false positives on important documents is really high, but if you really want to test this, here are the steps to enable it:

1. Get dependencies:
   - A netpbm version that includes pstopnm
   - Poppler (http://poppler.freedesktop.org/) for the pdfinfo and pdftops binaries
2. Add those binaries as helper apps in FuzzyOcr.cf (see the .cf file included in SVN)
3. Enable PDF scanning with focr_scan_pdfs 1 in config.

Optionally, it is possible to skip PDFs which contain more than x pages (focr_pdf_maxpages).

Currently, the parameters for pstopnm are hardcoded (-xsize=1000), there might be better ways/values to translate PDFs into usable, but not too big pnm files. If you know better ways, tell me.

Also I am missing some recent PDF spam samples (which contain images), so if you could upload some sample, that would also help.

Best regards,
Chris
Re: Are W. Stearn's blacklist in 3.2.* usable?
Peter Farrell wrote:
> Hi all. Testing new setup: CentOS 4.4 amavisd-new-2.5.1 SpamAssassin version 3.2.1 running on Perl version 5.8.5 +RulesDuJour Quad proc Dell PE w/ 4 GB RAM.

Point blank. In general, *NOBODY* should use WS's blacklist files for ANYTHING. It is most unfortunate that RDJ has a built-in configuration for this file.

Just take a look at the size of the files. sa-blacklist is over 24 MB!

1) the uri blacklist is redundant with SURBL. SURBL is lightweight and reasonably fast, while the uri blacklist is a heavy memory burden and relatively slow.

2) the email address blacklist is interesting for research purposes, but its real-world use is almost pointless. spammers rotate domains in from addresses so often that the gains of this blacklist are limited, and the memory consumption is absurd.

The files add something like 500MB to an instance of SA. That's *HUGE*. Check your memory usage and see if the blacklist file is making your box page.

your box *might* be enough to handle the sa-blacklist, but personally I'd consider your box kinda borderline stats-wise for running sa-blacklist. I'd generally think more on the scale of 8GB of ram unless I was going to constrain SA to only existing in 1 or 2 instances.

> So my questions are: 1. is the timing 'normal' when using the blacklist rules called through 'spamassassin'? Is it just a storm in a teacup? When it's called from Perl will it all be loaded into memory and the timing will drop down?

Well, calling 'spamassassin' with sa-blacklist loaded is going to be very painful. sa-blacklist will cause SA to initialize around 500MB of memory, that's not quick.

Or were those multi-minute times from amavis? That would be a bit much, and I'd be checking to see if you're thrashing your swap partition. Even so, I'd still expect it to take at least 60 seconds to scan a message with these blacklist files loaded, on a very fast CPU.

> 2. are the rules compatible w/ the 3.2 branch of SA?

Yes, both of WS's blacklist files are technically compatible with most any version of SA, save very, very old ones that don't support the uri keyword. (at the very least, both will work with anything from 2.40 and higher. digging back further than 2.40 is an archaeological dig I'm not really interested in at the moment).

However, in practice, sa-blacklist is not practical for real-world use, so you could also say it's incompatible with every version of SA.

> 3. if it's 'wrong' how does one debug further? I've enabled level 5 in amavisd.conf 'smtpd -v' at the top of my master.cf. Am I looking in the wrong place? Am I missing some sort of Perl module that would mitigate this in some way? (I'll list these at the end)

Nope. sa-blacklist is just too huge for practical purposes. SA is designed to efficiently support hundreds, even thousands of blacklist_from's, but sa-blacklist has hundreds of thousands of them. (691,372 in fact).
So what about rulesemporium.com and these anti-PDF rules?
It's been announced that these rules are coming soon and...? Or maybe I missed something? -- Michał Jęczalik, +48.603.64.62.97 INFONAUTIC, +48.33.487.69.04
RE: So what about rulesemporium.com and these anti-PDF rules?
You didn't miss anything. I don't believe they are released yet. Final testing being done. Results look great. I'll see if they can get released soon.

--Chris

-Original Message-
From: Michal Jeczalik [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 03, 2007 9:47 AM
To: users@spamassassin.apache.org
Subject: So what about rulesemporium.com and these anti-PDF rules?

It's been announced that these rules are coming soon and...? Or maybe I missed something?

-- Michał Jęczalik, +48.603.64.62.97 INFONAUTIC, +48.33.487.69.04
A plan for HAM - White list for ham domains
A little play on words spoofing A plan for spam.

I have been testing a new technique for detecting ham that is working quite well. It's nearly (or possibly at) 100% accurate in that what it identifies is ham.

First of all you get a verified RDNS lookup on the host. Verified means that you do a reverse lookup and then look up the host name to see if it resolves to the same IP that you looked up. That's something spammers can't spoof. Then you separate the name at the registrar barrier and look up that name from a list of host domains that never send spam. For example, all hosts that end in apache.org are considered spam.

This idea is different than an IP based whitelist in that you are really whitelisting based on a list of blessed host names rather than just unnamed IP addresses.

Also - a dynamic whitelist could be generated on the fly if someone could write a custom DNS server. Here's how it would work. You send a request about an IP address. If the server doesn't already know the IP then it does a reverse DNS to get the name and then looks up the name to verify the name resolves to the same IP address. If it does you then break the name at the registrar barrier and do a lookup to see if the name is on the blessed list. If it is you return a code indicating it is whitelisted and you cache the IP of the lookup.

The master list of blessed host names could be dynamically generated by some sort of automated reputation system where ham and spam are reported by IP address from some trusted sources. Those domains that are consistently producing nothing but ham make the list.

The advantage of this is increased accuracy and lower system load. Domains that are whitelisted need not be further tested and can be instantly classified as ham and fed into the bayes learner. This should greatly reduce false positives.

Who likes this idea?
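
The lookup described above, as an added example that is not part of the original post: a forward-confirmed reverse DNS check, a cut at the registered domain, and a cached lookup against the blessed list. The class and function names, the tiny public-suffix set and the sample zone (documentation IP ranges and example.* names) are assumptions constructed for illustration; the resolver functions are injectable so the sample runs offline.

```python
import ipaddress
import socket

# Constructed stand-in for the Public Suffix List (assumption, far from
# complete): suffixes under which registrations sit one label deeper.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registered_domain(hostname):
    """Cut a host name at the "registrar barrier": public suffix plus one label."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2 or "" in labels:
        return None
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return ".".join(labels[-2:])


def system_reverse(ip):
    """PTR names for ip from the system resolver; empty list if there are none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]


def system_forward(name):
    """Addresses for name from the system resolver; empty list on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except (OSError, UnicodeError):
        return []


class HamWhitelist:
    """Whitelist by verified host name rather than by bare IP address."""

    def __init__(self, blessed_domains, reverse=system_reverse, forward=system_forward):
        self.blessed = {d.lower() for d in blessed_domains}
        self.reverse = reverse
        self.forward = forward
        self.cache = {}  # ip -> verdict; a real server would expire entries

    def verified_names(self, ip):
        """PTR names of ip whose forward lookup resolves back to ip."""
        want = ipaddress.ip_address(ip)
        names = []
        for name in self.reverse(ip):
            addrs = set()
            for text in self.forward(name):
                try:
                    addrs.add(ipaddress.ip_address(text))
                except ValueError:
                    continue  # skip anything that is not a plain address
            if want in addrs:
                names.append(name.rstrip(".").lower())
        return names

    def check(self, ip):
        """Return (whitelisted, matching_domain) for a connecting IP."""
        if ip in self.cache:
            return self.cache[ip]
        verdict = (False, None)
        for name in self.verified_names(ip):
            domain = registered_domain(name)
            if domain in self.blessed:
                verdict = (True, domain)
                break
        self.cache[ip] = verdict
        return verdict


# Constructed sample zone, not real DNS data.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["mx1.example.co.uk"],
    "198.51.100.7": ["mail.example.org"],            # PTR claims a blessed name
    "203.0.113.5": ["host5.dialup.example.net"],     # verified, not blessed
    "203.0.113.6": ["example.org.bulk.example.net"], # blessed name as a prefix
}
SAMPLE_A = {
    "mail.example.org": ["192.0.2.10"],
    "mx1.example.co.uk": ["192.0.2.20"],
    "host5.dialup.example.net": ["203.0.113.5"],
    "example.org.bulk.example.net": ["203.0.113.6"],
}


def sample_whitelist():
    """HamWhitelist wired to the constructed zone above instead of live DNS."""
    return HamWhitelist(
        {"example.org", "example.co.uk"},
        reverse=lambda ip: SAMPLE_PTR.get(ip, []),
        forward=lambda name: SAMPLE_A.get(name.rstrip(".").lower(), []),
    )


if __name__ == "__main__":
    wl = sample_whitelist()
    for ip in list(SAMPLE_PTR) + ["203.0.113.99"]:
        print(ip, wl.check(ip))
```

The 198.51.100.7 case is the one that matters: whoever controls the reverse zone for an address can publish any PTR name, so only the forward confirmation ties the name to the address.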
Botnet over aggressive?
I'm still a bit vague on how the SpamAssassin rules fit together but I've noticed that, since upgrading to the latest version, I'm getting a lot of false positives.

The common cause seems to be Botnet.cf. Where a server has no reverse DNS, BOTNET_NORDNS scores it as 0.01 but BOTNET adds 5.0 to that. In addition, RDNS_NONE is adding 0.1 so every mail that lacks reverse dns is getting a minimum of 5.1.

Is this intended behaviour?

Regards,
Cliff.

-- Cliff Stanford Might Limited +44 845 0045 666 (Office) Suite 67, Dorset House +44 7973 616 666 (Mobile) Duke Street, Chelmsford, CM1 1TB
Errors in CPAN test
Hi List, So what's with 3.2.1 ? I'm running 3.1.8 and did the standard: cpan Mail::SpamAssassin and got: t/spamc_optCFAILED tests 2, 4, 6, 8 Failed 4/9 tests, 55.56% okay t/spamc_optLFAILED tests 1-16 Failed 16/16 tests, 0.00% okay t/spamd_allow_user_rulesFAILED test 4 Failed 1/5 tests, 80.00% okay t/spamd_plugin..FAILED tests 2, 4, 6 Failed 3/6 tests, 50.00% okay Failed TestStat Wstat Total Fail List of Failed --- t/spamc_optC.t94 2 4 6 8 t/spamc_optL.t 16 16 1-16 t/spamd_allow_user_rules.t51 4 t/spamd_plugin.t 63 2 4 6 23 tests skipped. Failed 4/129 test scripts. 24/1924 subtests failed. Not found: reported spam = Message successfully reported/revoked # Failed test 2 in t/SATest.pm at line 635 Output can be examined in: log/d.spamc_optC/out.1 Not found: revoked ham = Message successfully reported/revoked # Failed test 4 in t/SATest.pm at line 635 fail #2 Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3 Not found: failed to report spam = Unable to report/revoke message # Failed test 6 in t/SATest.pm at line 635 fail #3 Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3 log/d.spamc_optC/out.5 Not found: failed to revoke ham = Unable to report/revoke message # Failed test 8 in t/SATest.pm at line 635 fail #4 Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3 log/d.spamc_optC/out.5 log/d.spamc_optC/out.7 # Failed test 1 in t/spamc_optL.t at line 20 Not found: learned spam = Message successfully un/learned # Failed test 2 in t/SATest.pm at line 635 Output can be examined in: # Failed test 3 in t/spamc_optL.t at line 24 Not found: already learned spam = Message was already un/learned # Failed test 4 in t/SATest.pm at line 635 fail #2 Output can be examined in: ERROR: Bayes dump returned an error, please re-run with -D for more information # Failed test 5 in t/spamc_optL.t at line 28 Not found: spam in database = 1 0 non-token data: nspam # Failed test 6 in t/SATest.pm at line 635 fail #3 Output can be 
examined in: # Failed test 7 in t/spamc_optL.t at line 32 Not found: forget spam = Message successfully un/learned # Failed test 8 in t/SATest.pm at line 635 fail #4 Output can be examined in: # Failed test 9 in t/spamc_optL.t at line 36 Not found: learned ham = Message successfully un/learned # Failed test 10 in t/SATest.pm at line 635 fail #5 Output can be examined in: # Failed test 11 in t/spamc_optL.t at line 40 Not found: already learned ham = Message was already un/learned # Failed test 12 in t/SATest.pm at line 635 fail #6 Output can be examined in: ERROR: Bayes dump returned an error, please re-run with -D for more information # Failed test 13 in t/spamc_optL.t at line 44 Not found: ham in database = 1 0 non-token data: nham # Failed test 14 in t/SATest.pm at line 635 fail #7 Output can be examined in: # Failed test 15 in t/spamc_optL.t at line 48 Not found: learned ham = Message successfully un/learned # Failed test 16 in t/SATest.pm at line 635 fail #8 Output can be examined in: Not found: myfoo = 1.0 MYFOO # Failed test 4 in t/SATest.pm at line 635 Output can be examined in: log/d.spamd_allow_user_rules/out.2 log/d.spamd_allow_user_rules/spamd.err.1 Not found: called1 = test: called myTestPlugin, round 1 # Failed test 2 in t/SATest.pm at line 635 Output can be examined in: log/d.spamd_plugin/out.1 log/d.spamd_plugin/spamd.err.1 Not found: called2 = called myTestPlugin, round 2 # Failed test 4 in t/SATest.pm at line 635 fail #2 Output can be examined in: log/d.spamd_plugin/out.1 log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.3 log/d.spamd_plugin/spamd.err.1 Not found: called3 = called myTestPlugin, round 3 # Failed test 6 in t/SATest.pm at line 635 fail #3 Output can be examined in: log/d.spamd_plugin/out.1 log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.3 log/d.spamd_plugin/spamd.err.1 log/d.spamd_plugin/out.5 log/d.spamd_plugin/spamd.err.1 Failed 4/129 test programs. 24/1924 subtests failed. 
make: *** [test_dynamic] Error 255 What do I do next ? Jonathan
Re: Which version fuzzyocr
Gary V wrote:
> > Hello, On the fuzzyocr site I see 3.5.1 version is not SA 3.2.X compatible ? Is this true, or can I safely ignore :-) We have an older server with SA 3.2.0 and Fuzzyocr 2.3b and it works. Greetings.. Richard
>
> http://marc.info/?l=spamassassin-users&m=118254092310213

The revision mentioned in this post is the correct one, I am sorry for any confusion, I will make another release soon for 3.2 compatibility. Until that, use the svn checkout command that Gary wrote about in his reply.

About FuzzyOcr 2.3b, I recommend to not use this version anymore as it has plenty of problems/bugs which remained unfixed because those were design errors.

Best regards,
Chris

> Gary V
Re: Errors in CPAN test
Force install or wait for 3.2.2

on 7/3/07 10:46 AM, Jonathan Allen at [EMAIL PROTECTED] wrote:
> Hi List, So what's with 3.2.1 ? I'm running 3.1.8 and did the standard: cpan Mail::SpamAssassin and got:
> [...]
> Failed 4/129 test programs. 24/1924 subtests failed. make: *** [test_dynamic] Error 255
> What do I do next ? Jonathan

-- Mike Yrabedra B^)
Re: Are W. Stearn's blacklist in 3.2.* usable?
On Tue, Jul 03, 2007 at 06:04:33AM -0500, Jeff Chan wrote: Please DO NOT use sa-blacklist. Use multi.surbl.org instead. Bill will tell you the same thing when he gets a chance. It seems as if the blacklist.cf file is still available for people to download, since this question comes up periodically. If people aren't supposed to use it, rm blacklist.cf ? -- Randomly Selected Tagline: It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change. - Charles Darwin
MD5 Hash of URL's
Why can't Spamassassin do like a MD5 hash of any URL's in a message and check them against a database? I just think it would help catch things like: geocities.com/spamer123/ or spamer123.tripod.com and etc. It would also work for Tinyurl links and the like. Matt
Re: Are W. Stearn's blacklist in 3.2.* usable?
Thanks for all the advice. It's been extremely helpful. RE: the comment for local caching name server - I'd not really thought about that when I was deploying these, but it makes sense and I rolled that out this afternoon. RE: RulesDuJour I didn't find these things documented anywhere. Ie. What's for production, what's for research, when not to mix-n-match, why one is depreciated for another, etc. As I said before - I was trying them by trial and error to see what works while tracking my timing... At the end of the day I'm left w/ a much edited and picked apart parameter list for 'TRUSTED RULESETS'. I had been on the SURBL site just this morning but nothing really 'clicked' for me. I re-read the docs, I knew it already existed in /usr/share/spamassassin, etc. I went over to William Stearn's website as well thinking I'd just had a duffer file or something and saw that the last update was July 3rd - and just assumed that I was meant to be using it. I mean, it's integrated into the RDJ's, the site's updated regularly, he seems like a pretty legit player, etc. What's a girl to do? In any case - I've updated all local documentation for the next person, the next time around. Many thanks! -Peter Farrell On 03/07/07, Matt Kettler [EMAIL PROTECTED] wrote: Peter Farrell wrote: Hi all. Testing new setup: CentOS 4.4 amavisd-new-2.5.1 SpamAssassin version 3.2.1 running on Perl version 5.8.5 +RulesDuJour Quad proc Dell PE w/ 4 GB RAM. Point blank. In general, *NOBODY* should use WS's blacklist files for ANYTHING. It is most unfortunate that RDJ has a built-in configuration for this file. Just take a look at the size of the files. sa-blacklist is over 24 MB! 1) the uri blacklist is redundant with SURBL. SURBL is lightweight and reasonably fast, while the uri blacklist is a heavy memory burden and relatively slow. 2) the email address blacklist is interesting for research purposes, but its real-world use is almost pointless. 
spammers rotate domains in from addresses so often that the gains of this blacklist are limited, and the memory consumption is absurd. The files add something like 500MB to an instance of SA. That's *HUGE*. Check your memory usage and see if the blacklist file is making your box page. your box *might* be enough to handle the sa-blacklist, but personally I'd consider your box kinda borderline stats-wise for running sa-blacklist. I'd generally think more on the scale of 8GB of ram unless I was going to constrain SA to only existing in 1 or 2 instances. So my questions are: 1. is the timing 'normal' when using the blacklist rules called through 'spamassassin'? Is it just a storm in a teacup? When it's called from Perl will it all be loaded into memory and the timing will drop down? Well, calling 'spamassassin' with sa-blacklist loaded is going to be very painful. sa-blacklist will cause SA to initialize around 500MB of memory, that's not quick. Or were those multi-minute times from amavis? That would be a bit much, and I'd be checking to see if you're thrashing your swap partition. Even so, I'd still expect it to take at least 60 seconds to scan a message with these blacklist files loaded, on a very fast CPU. 2. are the rules compatible w/ the 3.2 branch of SA? Yes, both of WS's blacklist files are technically compatible with most any version of SA, save very, very old ones that don't support the uri keyword. (at the very least, both will work with anything from 2.40 and higher. digging back further than 2.40 is an archaeological dig I'm not really interested in at the moment). However, in practice, sa-blacklist is not practical for real-world use, so you could also say it's incompatible with every version of SA. 3. if it's 'wrong' how does one debug further? I've enabled level 5 in amavisd.conf 'smtpd -v' at the top of my master.cf. Am I looking in the wrong place? Am I missing some sort of Perl module that would mitigate this in some way? 
(I'll list these at the end) Nope. sa-blacklist is just too huge for practical purposes. SA is designed to efficiently support hundreds, even thousands of blacklist_from's, but sa-blacklist has hundreds of thousands of them. (691,372 in fact).
bayes_ignore_header for X-Spam values
Hi all, Can someone please advise me: is it good or bad to add bayes_ignore_header values in my local.cf file for the X-Spam headers that are added by SA? For example: bayes_ignore_header X-Spam-Status bayes_ignore_header X-Spam-Level bayes_ignore_header X-Spam-Checker-Version bayes_ignore_header X-Spam-Report bayes_ignore_header X-Spam-Processed I've seen some installations that do have these values, but I'm not sure why - I'd have thought it was good for Bayes to be able to learn from those headers. What would happen if I would *not* ignore those headers and let Bayes learn from them? Thanks, Jeremy
R: A plan for HAM - White list for ham domains
-Original Message- From: Marc Perkel [mailto:[EMAIL PROTECTED] A little play on words spoofing A plan for spam. I have been testing a new technique for detecting ham that is working quite well. It's nearly (or possibly at) 100% accurate in that what it identifies is ham. First of all you get a verified RDNS lookup on the host. Verified means that you do a reverse lookup and then look up the host name to see if it resolves to the same IP that you looked up. That's something spammers can't spoof. Then you separate the name at the registrar barrier and look up that name from a list of host domains that never send spam. For example, all hosts that end in apache.org are considered spam. This idea is different than an IP based whitelist in that you are really whitelisting based on a list of blessed host names rather than just unnamed IP addresses. Also - a dynamic whitelist could be generated on the fly if someone could write a custom DNS server. Here's how it would work. You send a request about an IP address. If the server doesn't already know the IP then it does a reverse DNS to get the name and then looks up the name to verify the name resolves to the same IP address. If it does you then break the name at the registrar barrier and do a lookup to see if the name is on the blessed list. If it is you return a code indicating it is whitelisted and you cache the IP of the lookup. The master list of blessed host names could be dynamically generated by some sort of automated reputation system where ham and spam are reported by IP address from some trusted sources. Those domains that are consistently producing nothing but ham make the list. The advantage of this is increased accuracy and lower system load. Domains that are whitelisted need not be further tested and can be instantly classified as ham and fed into the bayes learner. This should greatly reduce false positives. Who likes this idea? This is basically a whitelist based on negative results from the BOTNET plugin. 
Which means you are going to reduce FPs when the botnet plugin says it's not spam. Now, the botnet plugin (due to its high default scoring) is one of the most important FP sources, thereby, when it doesn't say 'this is spam', there are really few FPs left by other rules. You are, however, going to increase FNs a lot: many spam ships from legitimate servers (perhaps hacked). In summary: I personally don't find this idea useful. You may prove me wrong, anyway... Giampaolo
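The lookup sequence proposed in the quoted message (reverse lookup, forward confirmation, split at the registrar barrier, check against a blessed list), sketched in Python as an added example that is not code from either poster. The suffix set, the blessed list and the in-memory resolver tables are constructed sample data, and the function names are hypothetical; a real deployment would need the full Public Suffix List.

```python
import ipaddress
import socket

# Constructed sample data (assumptions, not taken from the thread).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
BLESSED_DOMAINS = {"apache.org", "example-bank.co.uk"}

# Constructed in-memory DNS so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.apache.org"],
    "198.51.100.7": ["mail.apache.org"],   # PTR claims a blessed name it does not own
    "203.0.113.5": ["mx1.example-bank.co.uk"],
    "203.0.113.9": ["host9.isp.example"],
}
SAMPLE_A = {
    "mail.apache.org": {"192.0.2.10"},
    "mx1.example-bank.co.uk": {"203.0.113.5"},
    "host9.isp.example": {"203.0.113.9"},
}


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name):
    return SAMPLE_A.get(name.lower().rstrip("."), set())


def system_reverse(ip):
    """PTR lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + list(aliases)


def system_forward(name):
    """A/AAAA lookup through the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def same_address(a, b):
    """Compare two address strings after normalising them."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def registrable_domain(hostname):
    """Cut the name at the registrar barrier (one label below the public suffix)."""
    labels = hostname.rstrip(".").lower().split(".")
    tail2 = ".".join(labels[-2:])
    if tail2 in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return tail2 if len(labels) >= 2 else None


def classify(ip, reverse=system_reverse, forward=system_forward):
    """Return (verdict, domain) for a connecting IP address."""
    names = reverse(ip)
    if not names:
        return ("no-rdns", None)
    # Keep only PTR names whose forward lookup leads back to the same address.
    verified = [n for n in names
                if any(same_address(addr, ip) for addr in forward(n))]
    if not verified:
        return ("unverified", None)
    domains = [registrable_domain(n) for n in verified]
    for domain in domains:
        if domain in BLESSED_DOMAINS:
            return ("blessed", domain)
    return ("verified-unlisted", domains[0])


if __name__ == "__main__":
    for ip in ["192.0.2.10", "198.51.100.7", "203.0.113.5",
               "203.0.113.9", "192.0.2.99"]:
        print(ip, classify(ip, sample_reverse, sample_forward))
```

The second sample address shows why the forward confirmation matters: whoever controls the reverse zone can make the PTR record say anything, but cannot make the blessed domain's forward zone point back at their address.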
Re: A plan for HAM - White list for ham domains
Who likes this idea? While it's a little out of date now and was manually generated and verified, SARE has a whitelist of hosts and the like that are supposedly never spam, even though they may be commercial mail. Loren
PDF spam indicator: unusual document dimensions?
In today's SANS diary: During the last two days, we've received continuous reports of new PDF spam. This time the pages attached are generally of different size each time (no longer A4, but 4x3 inch or 6x1 inch). Might a non-standard-paper-size PDF attachment be worth a point? -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Is there a Special Olympics for terrorists going on in the UK this week? -- Bruce Schneier, 07/02/2007 --- Tomorrow: The 231st anniversary of the Declaration of Independence
Re: A plan for HAM - White list for ham domains
Loren Wilton wrote: Who likes this idea? While it's a little out of date now and was manually generated and verified, SARE has a whitelist of hosts and the like that are supposedly never spam, even though they may be commercial mail. Loren Looks like a useful list. I'm going to extract it and add it to my blessed list.
RE: SA on iPhone yet?
-Original Message- From: Loren Wilton [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 03, 2007 9:16 AM To: users@spamassassin.apache.org Subject: Re: SA on iPhone yet? on 7/2/07 10:08 PM, Robert - eLists at [EMAIL PROTECTED] wrote: Anyone get Spamassassin installed on their iPhone yet? :-) - rh What are you talking about? SA is a server level tool. Why, if it was even possible, would you install it on a phone? -- Mike Yrabedra B^) Perhaps because the upstream server doesn't filter spam? Or not to the user's liking? I'm sorry I failed to read someplace that SA only worked on servers. If I had known that I might not have had it running perfectly satisfactorily filtering spam on my workstation for the last 4+ years. Now personally I have no clue why someone would want a phone that can be a TV set too. But if they can read spam on it, I can imagine why they might want SA there instead. Wouldn't the email you retrieve on the Iphone get filtered through whatever ISP or mail server you are using- hotmail yahoo etc. I'm not an expert nor would I spend 500+ dollars on a phone - especially when my Samsung does just about everything the Iphone does except and I'm limited to TV- and with slingo in the mix I do get tv- Did I mention it cost me 25 bucks
Re: Returned mail: see transcript for details
At 08:26 03-07-2007, Jonathan Allen wrote: I am neither a spammer, nor in Poland but a legitimate UK business with Are you absolutely sure you are not in Poland? :-) Antispam systems can sometimes be geography-challenged. the same IP address for some years. Where on earth did this response come from ? It's a bit thick to get branded as a spammer when replying to someone from this list! The response came from the mail server for cobatco.com. They have a user subscribed to this mailing list. Regards, -sm
yet another FuzzyOcr version question
I have another question concerning FuzzyOcr 2.3b versus FuzzyOcr 3.5.1: A spam picture like this: http://213.146.165.18/spam2.gif does generate a SA FuzzyOcr score of 19 with version 2.3b (and gocr 0.40). With version 3.5.1 (and gocr 0.44) it does not generate a score at all. I'm sure the system works because other picture spam messages are generating a score. Both are running SA 3.1.7-2 on debian etch. How can I solve this? P.
Re: Returned mail: see transcript for details
SM, Where on earth did this response come from ? The response came from the mail server for cobatco.com. They have a user subscribed to this mailing list. Yes: [EMAIL PROTECTED], to whom I was trying to respond. But I worded my question badly - what I meant was: why on earth should their machine think that I am a Polish spammer ? The IP address is in one of the static blocks administered by my (UK) ISP. Jonathan
Re: Returned mail: see transcript for details
Hi, Yes: [EMAIL PROTECTED], to whom I was trying to respond. But I worded my question badly - what I meant was: why on earth should their machine think that I am a Polish spammer ? The IP address is in one of the static blocks administered by my (UK) ISP. And for the sake of argument, why on earth a POLISH spammer? Why does a spammer have to be Polish. I happen to live in Poland but I am no way a spammer, never have been and never will be. Warm regards, Zbigniew Szalbot
Re: Returned mail: see transcript for details
On Tue, 3 Jul 2007, Jonathan Allen wrote: I just tried to reply to a kind soul that had offered some help with the 3.2.1 root errors and got: - The following addresses had permanent fatal errors - [EMAIL PROTECTED] (reason: 554 mailgate.barumtrading.co.uk[83.104.103.142]: Client host rejected: Polish Spammer) - Transcript of session follows - ... while talking to mail.cobatco.com.: DATA 554 mailgate.barumtrading.co.uk[83.104.103.142]: Client host rejected: Polish Spammer 554 5.0.0 Service unavailable 554 Error: no valid recipients I am neither a spammer, nor in Poland but a legitimate UK business with the same IP address for some years. Where on earth did this response come from ? It's a bit thick to get branded as a spammer when replying to someone from this list! Well, if somebody trusts in RBLs and rejects mail basing only upon RBL queries... This IP is not in Poland, even RIPE whois database would confirm this fact. Biggest Polish ADSL provider uses some of 83.x classes, so that could be the problem, but it's no reason for some some dumb soul to insert whole 83.x subnet into the RBL... Maybe he should put 0.0.0.0/0 and have spam problem 'solved'. :) -- Michał Jęczalik, +48.603.64.62.97 INFONAUTIC, +48.33.487.69.04
Re: Returned mail: see transcript for details
Maybe because statistic talks :) Zbigniew Szalbot schrieb: Hi, Yes: [EMAIL PROTECTED], to whom I was trying to respond. But I worded my question badly - what I meant was: why on earth should their machine think that I am a Polish spammer ? The IP address is in one of the static blocks administered by my (UK) ISP. And for the sake of argument, why on earth a POLISH spammer? Why does a spammer have to be Polish. I happen to live in Poland but I am no way a spammer, never have been and never will be. Warm regards, Zbigniew Szalbot
Re: Returned mail: see transcript for details
At 09:04 AM 7/3/2007, Jonathan Allen wrote: Yes: [EMAIL PROTECTED], to whom I was trying to respond. But I worded my question badly - what I meant was: why on earth should their machine think that I am a Polish spammer ? The IP address is in one of the static blocks administered by my (UK) ISP. Perhaps they mean Polish Spammer not as you're a spammer in Poland, but a spammer spamming in Polish (language)? Think of it like if you spammed Mortgage crap, it might say you're a Mortgage Spammer. Of course, we're all guessing here.
Re: Botnet over aggressive?
On Tue, 2007-07-03 at 16:39 +0200, Cliff Stanford wrote: I'm still a bit vague on how the SpamAssassin rules fit together but I've noticed that, since upgrading to the latest version, I'm getting a lot of false positives. The common cause seems to be Botnet.cf. Botnet is very aggressive by default. Combining it with p0f it is almost useful. Setting up p0f support is a non-trivial exercise, for which there are good articles in the archives that would explain it much better than I could do here. My rules are:
meta BOTNET_WXP !DKIM_VERIFIED && !DK_VERIFIED && L_P0F_WXP && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_WXP 3.2
meta BOTNET_W !DKIM_VERIFIED && !DK_VERIFIED && (L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W 2.0
meta BOTNET_OTHER !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER 0.5
I'm still getting a trickle of false positives, but that seems to be much more realistic than 5 for everything. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX Austin Energy http://www.austinenergy.com
Re: Returned mail: see transcript for details
Jonathan and all: First off sorry for the problem and to any from the country of Poland that were offended by this. The response came from our ISP which we fetch our mail from; they run an anti-spamming service that we are supposed to be opted out of but apparently are not. One of its many "features" are country wide blocks or entire class A subnets. In the past they have blocked out China and HK which includes several of our customers. Gives me something to address this afternoon since I thought I had this solved, and, again, sorry if they/we offended anyone. Jonathan Allen wrote: All, I just tried to reply to a kind soul that had offered some help with the 3.2.1 root errors and got: - The following addresses had permanent fatal errors - [EMAIL PROTECTED] (reason: 554 mailgate.barumtrading.co.uk[83.104.103.142]: Client host rejected: Polish Spammer) - Transcript of session follows - ... while talking to mail.cobatco.com.: DATA 554 mailgate.barumtrading.co.uk[83.104.103.142]: Client host rejected: Polish Spammer 554 5.0.0 Service unavailable 554 Error: no valid recipients I am neither a spammer, nor in Poland but a legitimate UK business with the same IP address for some years. Where on earth did this response come from ? It's a bit thick to get branded as a spammer when replying to someone from this list! Jonathan
Re: Returned mail: see transcript for details
Hi Jonathan, Yes: [EMAIL PROTECTED], to whom I was trying to respond. But I worded my question badly - what I meant was: why on earth should their machine think that I am a Polish spammer ? The IP address is in one of the static blocks administered by my (UK) ISP. They may be using a blacklist to block SMTP connections from Poland. That list has the wrong geographic information for your IP address block. Regards, -sm
Re: MD5 Hash of URL's
On Tue, 2007-07-03 at 10:11 -0500, Matt wrote: Why can't Spamassassin do like a MD5 hash of any URL's in a message and check them against a database? Well, not MD5, but Whiplash type 8 signatures in Razor-2 are pretty similar. I just think it would help catch things like: geocities.com/spamer123/ or spamer123.tripod.com and etc. Again, Razor does a fair job at finding this, as long as people report. It would also work for Tinyurl links and the like. Google recently came out with an anti-malware API that uses various MD5 hashes of URI's, but they have not yet licensed it for the world, and I only briefly thought about writing a plugin to call it. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX Austin Energy http://www.austinenergy.com
Re: Are W. Stearn's blacklist in 3.2.* usable?
Quoting Theo Van Dinter [EMAIL PROTECTED]: On Tue, Jul 03, 2007 at 06:04:33AM -0500, Jeff Chan wrote: Please DO NOT use sa-blacklist. Use multi.surbl.org instead. Bill will tell you the same thing when he gets a chance. It seems as if the blacklist.cf file is still available for people to download, since this question comes up periodically. If people aren't supposed to use it, rm blacklist.cf ? Yes, probably, and Bill would probably agree too. Jeff C.
Re: Returned mail: see transcript for details
List and [EMAIL PROTECTED], First off sorry for the problem and to any from the country of Poland that were offended by this. I need to apologise to the nice chap at cobatco - I really didn't mean to cause you any embarrassment on the public list, but I didn't think I could reach you any other way since your ISP is blocking my emails. Someone else suggested that I should have used the [EMAIL PROTECTED] address since by the RFC that isn't supposed to be filtered, but I had already posted by then. Gives me something to address this afternoon since I thought I had this solved ... Hope you get it fixed ... Jonathan
Re: MD5 Hash of URL's
Matt wrote: Why can't Spamassassin do like a MD5 hash of any URL's in a message and check them against a database? Because there isn't such a database? Daryl
Re: MD5 Hash of URL's
Funny you should mention that. I recently wrote a proof of concept plugin that does exactly what you're talking about. The point was to check URLs against google's safebrowsing list, which was just announced. Unfortunately, the results were rather poor. The only hits that I got were on messages that already scored 10+ points. And a few false positives -- last I checked, the main page for myspace was listed in the malware list (I believe). If anyone's interested, the (very rough) code for syncing google's lists, and for checking a database containing the hashes is available. Austin. On 7/3/07, Matt [EMAIL PROTECTED] wrote: Why can't Spamassassin do like a MD5 hash of any URL's in a message and check them against a database? I just think it would help catch things like: geocities.com/spamer123/ or spamer123.tripod.com and etc. It would also work for Tinyurl links and the like. Matt
Re: RE: So what about rulesemporium.com and these anti-PDF rules?
Chris Santerre wrote: You didn't miss anything. I don't believe they are released yet. Final testing being done. Results look great. I'll see if they can get released soon. --Chris -Original Message- From: Michal Jeczalik [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 03, 2007 9:47 AM To: users@spamassassin.apache.org Subject: So what about rulesemporium.com and these anti-PDF rules? It's been announced that these rules are coming soon and...? Or maybe I missed something? The PDFInfo.pm and accompanying ruleset will not be public. If you want it, please go to http://www.rulesemporium.com/plugins.htm#pdfinfo and request it. I'll try and get PDF support added into ImageInfo.pm soon, but it will only extend the capabilities that you currently have for gif/jpg/png... that being attachment count, file name matching, pdf image dimensions, pixel coverage (area), etc. However, that's not an ideal solution, and the rules you can write with that will stop the spam, but also have a greater chance of falsing. The mechanism used for accurate detection in the PDFInfo plugin is not going to be a part of this.. and I'd recommend you request the plugin and use it privately. If the information gets publicized, that method would soon be useless... and I don't feel like reworking it if I don't have to, nor maintaining a ruleset that is highly dependent on the plugin. Updates to the ruleset could very well mean updating the plugin, and you can't get people to update a plugin en masse as easy as you can get them to RDJ a new ruleset. :) -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com
Re: Returned mail: see transcript for details
Jonathan: No need to apologize at all; you did me a favor by letting me know we were still having these issues with our ISP's anti-spam methods. Will get this sorted out one way or the other. Trying to keep your users' mailboxes free of spam is work enough, but having to battle with your ISP over services you are supposed to be opted out of is another issue. Thanks again and another apology to any on the list who were offended by my ISP's response. Jonathan Allen wrote: List and [EMAIL PROTECTED], First off sorry for the problem and to any from the country of Poland that were offended by this. I need to apologise to the nice chap at cobatco - I really didn't mean to cause you any embarrassment on the public list, but I didn't think I could reach you any other way since your ISP is blocking my emails. Someone else suggested that I should have used the [EMAIL PROTECTED] address since by the RFC that isn't supposed to be filtered, but I had already posted by then. Gives me something to address this afternoon since I thought I had this solved ... Hope you get it fixed ... Jonathan
Re: RE: So what about rulesemporium.com and these anti-PDF rules?
On Tue, Jul 03, 2007 at 11:35:01AM -0500, Dallas Engelken wrote: The mechanism used for accurate detection in the PDFInfo plugin is not going to be a part of this.. and I'd recommend you request the plugin and use it privately. If the information gets publicized, that method would soon be useless... YMMV, but this is a pretty short-sighted argument imo. a) you're letting people request it, which means that if someone wanted it (like the spammers you're apparently attempting to keep it from), they would just request it. b) by forcing people to manually request it, you're just making it harder for people to get the benefit of using it. c) also due to (b), it'll be harder for you to catch (if you could at all) (a). d) after (a) happens, if the detection happens due to something simple like no text in text/plain part and pdf attachment with A4 paper size, the method will be changed and you're back to square one. All in all, you're better off just making things public. -- Randomly Selected Tagline: I believe in getting into hot water; it keeps you clean. - G. K. Chesterton
Re: Returned mail: see transcript for details
Hi Zbigniew, At 09:08 03-07-2007, Zbigniew Szalbot wrote: And for the sake of argument, why on earth a POLISH spammer? Why does a spammer have to be Polish. I happen to live in Poland but I am no way a spammer, never have been and never will be. It's easier to blame some country for the spam problem. Your netblock is somewhat similar to the one used by Jonathan which may explain the problem he had. Regards, -sm
Re: SA on iPhone yet?
MIKE YRABEDRA wrote: Robert - eLists wrote: Anyone get Spamassassin installed on their iPhone yet? What are you talking about? SA is a server level tool. What are *you* talking about? As far as I can tell (I don't have one) the iphone is perfectly capable enough to be considered a server. Anything that *I* would be using to read mail would be a server by your definition. Why, if it was even possible, would you install it on a phone? In this case I am sure it was simply to illustrate the capabilities of the device. Personally I think it would have a negative effect on battery life and would filter upstream of it. But it would be a fun demo just the same! Bob
Re: SA on iPhone yet?
MIKE YRABEDRA wrote: on 7/2/07 10:08 PM, Robert - eLists at [EMAIL PROTECTED] wrote: Anyone get Spamassassin installed on their iPhone yet? :-) - rh What are you talking about? SA is a server level tool. Why, if it was even possible, would you install it on a phone? SA is not necessarily a server level tool. You can run it client side, as well.
Re: Botnet over aggressive?
My take on botnet scoring, like that of any custom rule is that I can change the scoring to suit my requirements. Considering the kind of users we deal with adding in the default scores would have caused a lot of headaches, so I actually tested it with scores of 0 on all to see how many hits they were getting. This is one of the reasons why using SA is so cool - you can customise it to suit your needs! Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 1 4811 763 --- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Re: So what about rulesemporium.com and these anti-PDF rules?
Theo Van Dinter wrote: All in all, you're better off just making things public. I agree. It's sort of like saying that Open Source cannot work as a model in the antivirus/antispam arena... ...and it may be true - but no-one on this list believes it ;-) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: RE: So what about rulesemporium.com and these anti-PDF rules?
On Tue, 3 Jul 2007, Dallas Engelken wrote: The PDFInfo.pm and accompanying ruleset will not be public. If you want it, please go to http://www.rulesemporium.com/plugins.htm#pdfinfo and request it. Despite my opinion about the security-by-obscurity approach, I still experience major connection problems with that site. By now it seems that it does not resolve its hostname to me at all. At least from my subnet, which is unfortunately one of those polish-spam 83.x subnets, that are being blocked at network level by some foolish admins, that think that limiting Internet to their own network will solve all problems. -- Michał Jęczalik, +48.603.64.62.97 INFONAUTIC, +48.33.487.69.04
Re: SA on iPhone yet?
on 7/3/07 2:01 PM, John Rudd at [EMAIL PROTECTED] wrote: MIKE YRABEDRA wrote: on 7/2/07 10:08 PM, Robert - eLists at [EMAIL PROTECTED] wrote: Anyone get Spamassassin installed on their iPhone yet? :-) - rh What are you talking about? SA is a server level tool. Why, if it was even possible, would you install it on a phone? SA is not necessarily a server level tool. You can run it client side, as well. Yes, I stand corrected. Thanks John :-) Still, it is not possible to install any third party software on the iPhone yet. Apple will eventually allow this, I am sure. -- Mike Yrabedra B^)
Re: MD5 Hash of URL's
On Tue, 3 Jul 2007, Matt wrote: Why can't Spamassassin do like a MD5 hash of any URL's in a message and check them against a database? I just think it would help catch things like: geocities.com/spamer123/ or spamer123.tripod.com and etc. Too easy to defeat using a URI with random parameters pointing to a PHP et. al. page that ignores parameters (assuming you include parameters in the hash) or via wildcard DNS using random third- or fourth-level hostnames. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Is there a Special Olympics for terrorists going on in the UK this week? -- Bruce Schneier, 07/02/2007 --- Tomorrow: The 231st anniversary of the Declaration of Independence
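The objection in the reply above, worked through as an added Python example that is not code from anyone in the thread: an MD5 over the full URL misses every variant, while hashing a normalised key (base domain, plus the user part on shared hosts such as the two Matt names) still matches. The URLs are constructed samples, the function names are hypothetical, and taking the last two labels as the base domain is a simplification.

```python
import hashlib
from urllib.parse import urlsplit

# Shared hosting domains where the user, not the domain, identifies the site.
# Constructed list, seeded with the two hosts named in the thread.
SHARED_HOSTS = {"geocities.com", "tripod.com"}

# Constructed sample data: URLs already reported, and URLs seen in new mail.
REPORTED = [
    "http://a1.spamdomain.example/offer.php?id=1",
    "http://geocities.com/spamer123/",
]
SEEN = [
    "http://q7x.spamdomain.example/offer.php?id=83412",  # random host + parameter
    "http://geocities.com/spamer123/?r=5521",            # random parameter
    "http://geocities.com/someoneelse/",                 # unrelated user, same host
    "http://spamer123.tripod.com/",                      # never reported
]


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def base_domain(host):
    """Simplification: treat the last two labels as the registered domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookup_key(url):
    """Reduce a URL to the part a sender cannot vary for free."""
    parts = urlsplit(url if "//" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    base = base_domain(host)
    if base not in SHARED_HOSTS:
        # Own domain: subdomains, path and query are all under sender control.
        return base
    if host not in (base, "www." + base):
        # User site as a subdomain, e.g. spamer123.tripod.com
        return ".".join(host.split(".")[-3:])
    # User site as the first path segment, e.g. geocities.com/spamer123/
    first = parts.path.strip("/").split("/")[0]
    return base + "/" + first if first else base


def evaluate(reported, seen):
    """Return (url, exact_hash_hit, normalised_key_hit) for each seen URL."""
    exact_db = {md5_hex(u) for u in reported}
    key_db = {md5_hex(lookup_key(u)) for u in reported}
    return [(u, md5_hex(u) in exact_db, md5_hex(lookup_key(u)) in key_db)
            for u in seen]


if __name__ == "__main__":
    for url, exact_hit, key_hit in evaluate(REPORTED, SEEN):
        print(f"{url:55} exact={exact_hit!s:5} key={key_hit}")
```

Once the key is reduced to a domain, the hash adds nothing over a plain domain lookup, which is the kind of query SURBL already answers.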
Re: So what about rulesemporium.com and these anti-PDF rules?
Hi! All in all, you're better off just making things public. model in the antivirus/antispam arena... ...and it may be true - but no-one on this list believes it ;-) It's a matter of fact that published rules (see sare rulesets) become less effective immediately after publishing. That's due to spammers reading along etc. etc. I can understand Dallas' point and don't agree that making this open will give the same results. It should, but it just doesn't. We have rules very ok hitting, and I know once we put this in a SARE set the effectiveness will drop and we have to come up with new rules. Not really something people look forward to. It's just a handful of people contributing as you know. Bye, Raymond.
DB_File::AUTOLOAD error
Folks, SpamAssassin version 3.2.1 running on Perl version 5.8.8 Solaris 10 x86 I am seeing the following error at startup of spamd. Does DB_File.pm load to make a connection to the AWL and Bayes DBs ? If so does this point to a corrupt or munged db? SA/Spamd built fine and has been running fine for several weeks now so has me puzzled. -john Executing legacy init script /etc/rc3.d/S78spamd. Starting SpamAssassin Mail Filter Daemon: [591] warn: Use of uninitialized value in numeric ge (>=) at /usr/local/perl-5.8.8/lib/5.8.8/i86pc-solaris/DB_File.pm line 275. [591] warn: Use of uninitialized value in numeric gt (>) at /usr/local/perl-5.8.8/lib/5.8.8/i86pc-solaris/DB_File.pm line 279. [591] warn: Deep recursion on subroutine DB_File::AUTOLOAD at /usr/local/perl-5.8.8/lib/5.8.8/i86pc-solaris/DB_File.pm line 234. Out of memory! Legacy init script /etc/rc3.d/S78spamd exited with return code 1. -- John Goubeaux Systems Administrator Gevirtz Graduate School of Education UC Santa Barbara Phelps Hall 3534 805 893-8190
Re: *****SPAM***** Re: DNS list service to detect the registrar barrier
You are if you're the only one dumb enough to run email from this list through SpamAssassin then you might be.

{o.o}

- Original Message -
From: arni [EMAIL PROTECTED]
To: mouss [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Monday, 2007, July 02 13:06
Subject: Re: *SPAM* Re: DNS list service to detect the registrar barrier

> am i the only one getting a pretty solid false positive on the previous post?
>
> X-Spam-Report:
> * 0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says domain
> *     signs some mails
> * 2.5 SARE_SPOOF_COM2COM URI: a.com.b.com
> * 2.0 SPOOF_COM2OTH URI: URI contains .com in middle
> * 2.5 SARE_SPOOF_COM2OTH URI: a.com.b.c
> * 2.3 SPOOF_COM2COM URI: URI contains .com in middle and end
> * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
> *     [score: 0.]
Re: Botnet over aggressive?
John Rudd wrote:

> Botnet's score of 5 is meant to say this message should be quarantined or flagged for review. It's not saying this message is _definitely_ spam.

[snip]

The trouble is redundancy in scores, the BOTNET score is usually just the start of a HELO_DYNAMIC_DHCP, HELO_DYNAMIC_HCC, HELO_DYNAMIC_IPADDR plus RDNS_DYNAMIC or RDNS_NONE and RCVD_IN_PBL, RCVD_IN_SORB ... long list.

So, unless one disables the redundant scores, the other option is to lower the BOTNET score. The first procedure is better but needs more work (which ones are the redundant rules?), the second procedure is easy and that's why most of us use it.

-- René Berber
Mail Queue stops working
I'm having problems with my mail not getting processed properly. This setup has been in place for years and worked without problems. All of a sudden this weekend it stopped delivering its mail from the incoming queue. If I modify my MailScanner.conf file to run in debug mode it will process a bunch of email and sends it off but it's always finishing with the messages below. The number of EOCD messages seems to vary with the number of email processed in that debug run. Something else I notice is that the emails only actually get sent on after the debug has ended. If I run without debug as normal it seems to just start gathering in the incoming queue. After a while it will show the odd message go through but it's marked as a virus and I don't believe that every email coming in contains a virus. I went through all the mysql databases and repaired any tables that contained errors as well but that didn't seem to help.

Does anyone have any clues as to how I can solve this issue? I'm lost here.

Starting MailScanner daemons:
incoming sendmail: SPF milter already running [ OK ]
outgoing sendmail: [ OK ]
MailScanner: In Debugging mode, not forking...
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature at /usr/sbin/MailScanner line 820
format error: can't find EOCD signature at /usr/sbin/MailScanner line 820
commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, CLIENT line 707.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, CLIENT line 707.
Stopping now as you are debugging me. [ OK ]
Upgrading to 3.2
We are trying to upgrade from 3.1.0 on SLES9 using spamd. I have viewed the install notes and downloaded the zip. Extracted and CD'd to that new SA dir. Followed these install instructions:

[unzip/untar the archive]
cd Mail-SpamAssassin-*
perl Makefile.PL
[option: add -DSPAMC_SSL to $CFLAGS to build an SSL-enabled spamc]
make
make install [as root]

On the first step, i get these required errors:

*** ERROR: the required HTML::Parser (version 3.43) module is installed, but is not an up-to-date version. at lib/Mail/SpamAssassin/Util/DependencyInfo.pm line 293, STDIN line 1. HTML is used for an ever-increasing amount of email so this dependency is unavoidable. Run perldoc -q html for additional information.

Followed by a host of other warnings:

*** NOTE: the optional Mail::SPF module is not installed. Used to check DNS Sender Policy Framework (SPF) records to fight email address forgery and make it easier to identify spams. (This is preferred over Mail::SPF::Query.)

*** NOTE: the optional Mail::SPF::Query module is not installed. Used to check DNS Sender Policy Framework (SPF) records to fight email address forgery and make it easier to identify spams. (Mail::SPF is preferred instead of this module.)

*** NOTE: the optional IP::Country module is not installed. Used by the RelayCountry plugin (not enabled by default) to determine the domain country codes of each relay in the path of an email.

*** NOTE: the optional Net::Ident module is not installed. If you plan to use the --auth-ident option to spamd, you will need to install this module.

*** NOTE: the optional IO::Socket::INET6 module is not installed. This is required if the first nameserver listed in your IP configuration or /etc/resolv.conf file is available only via an IPv6 address.

*** NOTE: the optional IO::Socket::SSL module is not installed. If you wish to use SSL encryption to communicate between spamc and spamd (the --ssl option to spamd), you need to install this module. (You will need the OpenSSL libraries and use the ENABLE_SSL=yes argument to Makefile.PL to build and run an SSL compatibile spamc.)

*** NOTE: the optional Mail::DomainKeys module is not installed. If this module is installed, and you enable the DomainKeys plugin, SpamAssassin will perform Domain Key lookups when Domain Key information is present in the message headers. (Note that new versions of Mail::DKIM render this module superfluous.)

*** NOTE: the optional Mail::DKIM module is not installed. If this module is installed, and you enable the DKIM plugin, SpamAssassin will perform DKIM lookups when a DKIM-Signature header is present in the message headers. (New versions of this module support both Domain Keys and DKIM, rendering Mail::DomainKeys obsolete.)

*** NOTE: the optional LWP::UserAgent module is not installed. The sa-update script requires this module to make HTTP requests.

*** NOTE: the optional HTTP::Date module is not installed. The sa-update script requires this module to make HTTP If-Modified-Since GET requests.

*** NOTE: the optional Archive::Tar (version 1.23) module is not installed. The sa-update script requires this module to access tar update archive files.

*** NOTE: the optional IO::Zlib (version 1.04) module is not installed. The sa-update script requires this module to access compressed update archive files.

*** NOTE: the optional Encode::Detect module is not installed. If you plan to use the normalize_charset config setting to detect charsets and convert them into Unicode, you will need to install this module.

REQUIRED module out of date: HTML::Parser
optional module missing: Mail::SPF
optional module missing: Mail::SPF::Query
optional module missing: IP::Country
optional module missing: Net::Ident
optional module missing: IO::Socket::INET6
optional module missing: IO::Socket::SSL
Re: *****SPAM***** Re: DNS list service to detect the registrar barrier
jdow wrote:

> You are if you're the only one dumb enough to run email from this list through SpamAssassin then you might be.

I don't exactly know why you have to flame people on this mailing list but i'm gonna explain it to you:

This list offers a great way to learn bayes with spam related ham, which is in my opinion one of the best hams around. It is spam related, so it might contain tokens that are also found in spam and it is a great way to show bayes that these tokens are not only present in spam, but can also be in ham.

arni
RE: Upgrade to 3.2
OK, so i installed HTML::Parser and now tried installing SA 3.2 with cpan. This is what i get with cpan install:

Going to read /root/.cpan/sources/modules/03modlist.data.gz
Going to write /root/.cpan/Metadata
Mail::SpamAssassin is up to date.
cpan> quit
Caught SIGINT
Lockfile removed.

Do you need to also update perl-spamassassin too? Because when i look to see what version of SA is installed, my system still shows 3.1.

Chris
Re: Mail Queue stops working
On Tue, 3 Jul 2007, David Boltz wrote:

> I went through all the mysql databases and repaired any tables that contained errors as well but that didn't seem to help.
>
> commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, CLIENT line 707.

Wild-arse guess: turn off AutoCommit in mysql and see what happens?

(Note: don't hold me responsible if that erases your database... :)

-- John Hardin
Re: Upgrade to 3.2
On Tue, Jul 03, 2007 at 07:56:00PM -0400, [EMAIL PROTECTED] wrote:

> OK, so i installed HTML::Parser and now tried installing SA 3.2 with cpan. This is what i get with cpan install:
> [...]
> Mail::SpamAssassin is up to date.
>
> Do you need to also update perl-spamassassin too? Because when i look to see what version of SA is installed, my system still shows 3.1.

perl-spamassassin sounds like a package. Don't mix using CPAN and using packages. If you're using a package, upgrade SA through a package. If you want to use CPAN, get rid of the packages first.

--
Randomly Selected Tagline:
Leela: Great. We're two days from earth with no food.
Bender: Problem solved. You two fight to the death and I'll cook the loser.
Re: Re: So what about rulesemporium.com and these anti-PDF rules?
Jason Haar wrote:

> Theo Van Dinter wrote:
>
>> All in all, you're better off just making things public.
>
> I agree. It's sort of like saying that Open Source cannot work as a model in the antivirus/antispam arena...

It can, if you have the people willing to contribute new dats on every revision of insert name of virus/phish/malware/spamrun here.

> ...and it may be true - but no-one on this list believes it ;-)

The method used in the plugin is very simple, and very easy to work around if made public. What happens here is that when that workaround occurs, we have to release a new plugin, and a new ruleset. It's not like we just release a new ruleset, someone runs RDJ/sa-update and they are off. There is no way to auto-update the plugin (currently) besides to announce it and hope people install it. I foresee a major failure there.

If you think you can improve it so that the plugin remains static, and only the rules need changing, then be my guest...

--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com
Re: Botnet over aggressive?
René Berber wrote:

> John Rudd wrote:
>
>> Botnet's score of 5 is meant to say this message should be quarantined or flagged for review. It's not saying this message is _definitely_ spam.
>
> [snip]
>
> The trouble is redundancy in scores, the BOTNET score is usually just the start of a HELO_DYNAMIC_DHCP, HELO_DYNAMIC_HCC, HELO_DYNAMIC_IPADDR plus RDNS_DYNAMIC or RDNS_NONE and RCVD_IN_PBL, RCVD_IN_SORB ... long list.
>
> So, unless one disables the redundant scores, the other option is to lower the BOTNET score. The first procedure is better but needs more work (which ones are the redundant rules?), the second procedure is easy and that's why most of us use it.

There's a couple things that come to mind here:

1) I have no problem with people lowering BOTNET's score. Different people have different concepts of what a score of 5+ means (definitely spam, quarantine as suspicious, etc.). Set it at whatever score works for you.

2) I think if you're getting hits on LOTS of overlapping rule concepts, then the problem isn't with the individual rule's score. It's something else (it's really spam? the sender site is mismanaged in one way or another? etc.).

3) Overlapping rule concepts isn't a bad thing. They each use a different technique, and some will catch ones that the others don't. For example, I expect that PBL catches a TON of stuff that Botnet also catches. But there will be some that PBL catches that Botnet won't, and perhaps vice versa. So, I wouldn't eliminate either one.
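One way to answer the "which ones are the redundant rules?" question raised in this exchange from your own mail, as an added example that is not part of the original thread: count how often each related rule fires together with BOTNET, and how often each side fires alone. The `X-Spam-Status` headers are constructed samples, and the `RELATED` set is an assumption built from the rule names quoted above.

```python
import re
from collections import Counter

# Rules the thread names as overlapping with BOTNET.
RELATED = frozenset({
    "HELO_DYNAMIC_DHCP", "HELO_DYNAMIC_HCC", "HELO_DYNAMIC_IPADDR",
    "RDNS_DYNAMIC", "RDNS_NONE", "RCVD_IN_PBL",
})

# Constructed X-Spam-Status headers (not taken from real mail).
SAMPLE_HEADERS = [
    "X-Spam-Status: Yes, score=14.2 required=5.0 "
    "tests=BOTNET,HELO_DYNAMIC_IPADDR,\n\tRDNS_DYNAMIC,RCVD_IN_PBL autolearn=no",
    "X-Spam-Status: Yes, score=9.8 required=5.0 "
    "tests=BOTNET,RDNS_NONE,RCVD_IN_PBL autolearn=no",
    "X-Spam-Status: Yes, score=8.1 required=5.0 "
    "tests=BOTNET,HELO_DYNAMIC_DHCP,RDNS_DYNAMIC autolearn=no",
    "X-Spam-Status: Yes, score=5.0 required=5.0 tests=BOTNET autolearn=no",
    "X-Spam-Status: Yes, score=6.4 required=5.0 "
    "tests=RCVD_IN_PBL,BAYES_99 autolearn=no",
    "X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=no",
]


def parse_tests(header: str) -> set:
    """Return the set of rule names from the tests= field of one header."""
    unfolded = re.sub(r"\r?\n[ \t]+", "", header)  # join folded header lines
    m = re.search(r"tests=(\S*)", unfolded)
    if not m or m.group(1) in ("", "none"):
        return set()
    return {name for name in m.group(1).split(",") if name}


def overlap_report(headers, anchor="BOTNET", related=RELATED):
    """Co-occurrence of each related rule with the anchor rule.

    Returns (report, anchor_only, related_only) where report maps
    rule -> (hits together with anchor, total hits, share together).
    """
    hits = [parse_tests(h) for h in headers]
    totals, together = Counter(), Counter()
    anchor_only = related_only = 0
    for rules in hits:
        fired = rules & related
        for rule in fired:
            totals[rule] += 1
            if anchor in rules:
                together[rule] += 1
        if anchor in rules and not fired:
            anchor_only += 1      # only the anchor's technique caught it
        if fired and anchor not in rules:
            related_only += 1     # caught by a related rule, not the anchor
    report = {r: (together[r], totals[r], together[r] / totals[r])
              for r in totals}
    return report, anchor_only, related_only


if __name__ == "__main__":
    report, anchor_only, related_only = overlap_report(SAMPLE_HEADERS)
    for rule, (both, total, share) in sorted(report.items()):
        print(f"{rule:22s} {both}/{total} with BOTNET ({share:.0%})")
    print("BOTNET without any related rule:", anchor_only)
    print("related rule without BOTNET:   ", related_only)
```

A rule whose share is close to 100% over a large corpus adds score but little coverage, while the two "only" counts show what would be lost by removing either side.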
Re: Mail Queue stops working
Thanks for the info. Could it be that because the debug mode tries to do a commit before it closes and the system is set to auto commit for when it's running continuously it says this?

Regards, Dave B..

John D. Hardin [EMAIL PROTECTED]
2007-07-03 20:06
To: David Boltz [EMAIL PROTECTED]
cc: users@spamassassin.apache.org
Subject: Re: Mail Queue stops working

> On Tue, 3 Jul 2007, David Boltz wrote:
>
>> I went through all the mysql databases and repaired any tables that contained errors as well but that didn't seem to help.
>>
>> commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, CLIENT line 707.
>
> Wild-arse guess: turn off AutoCommit in mysql and see what happens?
>
> (Note: don't hold me responsible if that erases your database... :)
>
> -- John Hardin
RE: So what about rulesemporium.com and these anti-PDF rules?
I for one agree with the protected model. I've read post after post in this group and others where people complain that some new method is no longer effective due to the other guys knowing our every step. If there were an application process, which would be too burdensome on the maintainers, I'd support that as well - and offer my help. No I'm not a spammer and I've never played one on TV either... That's just my two cents worth of opinion, I could be wrong.

Thank you to the people who write these plugins. You people rock!

-Original Message-
From: Raymond Dijkxhoorn [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 03, 2007 4:10 PM
To: Jason Haar
Cc: users@spamassassin.apache.org
Subject: Re: So what about rulesemporium.com and these anti-PDF rules?

> Hi!
>
>> All in all, you're better off just making things public.
>
>> model in the antivirus/antispam arena...
>> ...and it may be true - but no-one on this list believes it ;-)
>
> It's a matter of fact that published rules (see SARE rulesets) become less effective immediately after publishing. That's due to spammers reading along etc. etc. I can understand Dallas' point and don't agree that making this open will give the same results. It should, but it just doesn't. We have rules hitting very OK, and i know once we put this in a SARE set the effectiveness will drop and we have to come up with new rules. Not really something people look forward to. It's just a handful of people contributing, as you know.
>
> Bye, Raymond.
RE:Upgrade to 3.2
Theo Van Dinter wrote:

> perl-spamassassin sounds like a package. Don't mix using CPAN and using packages. If you're using a package, upgrade SA through a package. If you want to use CPAN, get rid of the packages first.

I did install from rpm. So, if i understand you right, i need to uninstall the rpm's and then use CPAN to install?

Chris
Re: Mail Queue stops working
On Tue, 3 Jul 2007, David Boltz wrote:

> Thanks for the info. Could it be that because the debug mode tries to do an commit before it closes and the system is set to auto commit for when it's running continuously it says this?

No idea. That's why it's a wild guess.

-- John Hardin
RE:Upgrade to 3.2
On Tue, 3 Jul 2007 [EMAIL PROTECTED] wrote:

> Theo Van Dinter wrote:
>
>> perl-spamassassin sounds like a package. Don't mix using CPAN and using packages. If you're using a package, upgrade SA through a package. If you want to use CPAN, get rid of the packages first.
>
> I did install from rpm. So, if i understand you right, i need to uninstall the rpm's and then use CPAN to install?

Do one or the other. If you like RPMs, then download the SA tarball from the website and rpmbuild it to get an RPM. That's what I do. But don't install or try to upgrade SA from CPAN if you've installed it from an RPM.

At this point, if you've partly installed SA from CPAN, you will probably want to uninstall the older SA RPM and then reinstall SA from CPAN to make sure everything's there.

Note: even if you install SA from an RPM, you will still need to install or upgrade some of the *supporting* modules (like Net::DNS) from CPAN.

-- John Hardin
RE:Upgrade to 3.2
> Theo Van Dinter wrote:
>
>> perl-spamassassin sounds like a package. Don't mix using CPAN and using packages. If you're using a package, upgrade SA through a package. If you want to use CPAN, get rid of the packages first.
>
> I did install from rpm. So, if i understand you right, i need to uninstall the rpm's and then use CPAN to install?
>
> Chris

Chris:

You do not NEED to uninstall the rpms (or deb) that you used to install SA originally. You can use CPAN to install the latest version of SA; however you will need to remember that your package database will not reflect the installations that you make from source.

Best
Re: Re: So what about rulesemporium.com and these anti-PDF rules?
On Tue, Jul 03, 2007 at 07:16:19PM -0500, Dallas Engelken wrote:

> ... we have to release a new plugin, and a new ruleset. It's not like we just release a new ruleset, someone runs RDJ/sa-update and they are off. There is no way to auto-update the plugin (currently) besides to announce it and hope people install it.

fwiw, sa-update is happy to update plugins for you and make them active, though it does require the end user to consciously allow it. Generally speaking, for that type of situation, I would suggest making a separate channel w/ the plugin stuff and then people can just --allowplugins for those specific channels that they deem fit (separate run from channels where they don't want to allow plugins).

fyi.

--
Randomly Selected Tagline:
A journey of a thousand miles begins with a cash advance.
RE:Upgrade to 3.2
John D. Hardin wrote:

> On Tue, 3 Jul 2007 [EMAIL PROTECTED] wrote:
>
>> Theo Van Dinter wrote:
>>
>>> perl-spamassassin sounds like a package. Don't mix using CPAN and using packages. If you're using a package, upgrade SA through a package. If you want to use CPAN, get rid of the packages first.
>>
>> I did install from rpm. So, if i understand you right, i need to uninstall the rpm's and then use CPAN to install?
>
> Do one or the other. If you like RPMs, then download the SA tarball from the website and rpmbuild it to get an RPM. That's what I do. But don't install or try to upgrade SA from CPAN if you've installed it from an RPM.
>
> At this point, if you've partly installed SA from CPAN, you will probably want to uninstall the older SA RPM and then reinstall SA from CPAN to make sure everything's there.
>
> Note: even if you install SA from an RPM, you will still need to install or upgrade some of the *supporting* modules (like Net::DNS) from CPAN.
>
> -- John Hardin

I downloaded the tarball and made a rpm; which created perl-spamassassin.rpm and mail-spamassassin.rpm. I installed perl-spamassassin first using yast and then spamassassin using yast. The spamassassin rpm failed to install but when i do a rpm -qa spamassassin it shows both 3.1 and 3.2 installed. I look in yast and it shows 3.2 only. I look in /etc/mail/spamassassin and all the 3.1 files are still there along with 3.2pre file. Should i uninstall and then reinstall and if i do this, what will happen to all the existing rules and what-not?

Chris
Re: *****SPAM***** Re: DNS list service to detect the registrar barrier
From: arni [EMAIL PROTECTED]

> jdow wrote:
>
>> You are if you're the only one dumb enough to run email from this list through SpamAssassin then you might be.
>
> I don't exactly know why you have to flame people on this mailing list but i'm gonna explain it to you:
>
> This list offers a great way to learn bayes with spam related ham, which is in my opinion one of the best hams around. It is spam related, so it might contain tokens that are also found in spam and it is a great way to show bayes that these tokens are not only present in spam, but can also be in ham.

I assure you that was not a flame. I do agree I did not frame it as a suggestion. But the concept seems so obvious to me that it seems silly someone does not determine unambiguously that the email came from this list and then completely bypass SpamAssassin.

With procmail an effective but not bullet proof method exists that is fairly simple to apply. (And if someone DOES spoof it the email ends up in my SA users list folder where it becomes instant grist for the mill.)

You can also use whitelist_from_rcvd. But that's not as machine efficient.

{^_^}
TQMcube apparently gone dormant
If you read JM's Planet Antispam, you know this already, but: http://www.dnsbl.com/2007/06/status-of-dnsbltqmcubecom-abandoned.html
RE:Upgrade to 3.2
Well, i may have really messed up now. I uninstalled all spamassassin 3.1 using red carpet and then installed perl-spamassassin from rpm using yast (this was fine). Then i tried to install spamassassin 3.2 from rpm using yast, this gives this error:

ERROR(InstTarget:E_RpmDB_subprocess_failed)
--- error: %post(spamassassin-3.2.1-1) scriptlet failed, exit status 127
2007-07-03 21:41:52 perl-Mail-SpamAssassin.rpm installed ok
2007-07-03 21:43:16 spamassassin.rpm install failed
rpm output:
spamassassin 0:off 1:off 2:off 3:on 4:off 5:on 6:off
/var/tmp/rpm-tmp.97155: line 13: /sbin/service: No such file or directory
warning: waiting to reestablish exclusive database lock
error: %post(spamassassin-3.2.1-1) scriptlet failed, exit status 127

Now we don't have any spam guard. Ooopppsss

Chris
Re:Upgrade to 3.2
> Well, i may have really messed up now. I uninstalled all spamassassin 3.1 using red carpet and then installed perl-spamassassin from rpm using yast (this was fine). Then i tried to install spamassassin 3.2 from rpm using yast, this gives this error:
>
> ERROR(InstTarget:E_RpmDB_subprocess_failed)
> --- error: %post(spamassassin-3.2.1-1) scriptlet failed, exit status 127
> 2007-07-03 21:41:52 perl-Mail-SpamAssassin.rpm installed ok
> 2007-07-03 21:43:16 spamassassin.rpm install failed
> rpm output:
> spamassassin 0:off 1:off 2:off 3:on 4:off 5:on 6:off
> /var/tmp/rpm-tmp.97155: line 13: /sbin/service: No such file or directory
> warning: waiting to reestablish exclusive database lock
> error: %post(spamassassin-3.2.1-1) scriptlet failed, exit status 127
>
> Now we don't have any spam guard. Ooopppsss
>
> Chris

Sorry to keep sending email but i also get this on a restart of spamassassin from the runlevel editor:

/etc/init.d/spamassassin: line 12: /etc/rc.d/init.d/functions: No such file or directory
RE: RE: So what about rulesemporium.com and these anti-PDF rules?
> Despite my opinion about security-by-obscurity approach, I still experience major connection problems with that site. By now it seems that it does not resolve its hostname to me at all. At least from my subnet, which is unfortunately one of those polish-spam 83.x subnets, that are being blocked at network level by some foolish admins, that think that limiting Internet to their own network will solve all problems.
>
> -- Michał Jęczalik

Bummer...

You are not the only person to experience issues...

Rulesemporium itself is awesome. Unfortunately, since network control was turned over, access to it is more than stinky retentive and only good for a few clicks or so and locked out.

There is or are mirrors for various purposes, I just don't have that info handy at this time

- rh
Re:Upgrade to 3.2
> Well, i may have really messed up now. I uninstalled all spamassassin 3.1 using red carpet and then installed perl-spamassassin from rpm using yast (this was fine). Then i tried to install spamassassin 3.2 from rpm using yast, this gives this error:
>
> ERROR(InstTarget:E_RpmDB_subprocess_failed)
> --- error: %post(spamassassin-3.2.1-1) scriptlet failed, exit status 127
> 2007-07-03 21:41:52 perl-Mail-SpamAssassin.rpm installed ok
> 2007-07-03 21:43:16 spamassassin.rpm install failed
> rpm output:
> spamassassin 0:off 1:off 2:off 3:on 4:off 5:on 6:off
> /var/tmp/rpm-tmp.97155: line 13: /sbin/service: No such file or directory
> warning: waiting to reestablish exclusive database lock
> error: %post(spamassassin-3.2.1-1) scriptlet failed, exit status 127
>
> Now we don't have any spam guard. Ooopppsss
>
> Chris

Chris

Nice to see another SuSE user. Part of your problem is the nomenclature used by SuSE for perl-spamassassin as opposed to the rpm made via the tarball using rpmbuild which is perl-Mail-spamassassin if I recall correctly. I suspect that you have perl-spamassassin installed correctly but spamassassin is an older version.

Here is what I would do on a SuSE box. Go back into yast and reinstall the perl-mail-spamassassin and spamassassin from your CD or repo (SLES or openSUSE). Execute rpm -qa and make sure the system acknowledges that the versions of perl-sa and SA agree. Run spamassassin --lint -D as your amavis user to make sure the rules lint and the install is functioning without error. If the --lint gives you errors correct these first. Then cd to your SA tarball directory and install from source (perl Makefile.PL, make, sudo make install). Your rpm directory via YAST will still tell you the old versions are installed, but via perl you can confirm the install of the new versions. If you try to install via CPAN you will get errors as SuSE runs Make Test as root and is a known bug for 3.2.1.

If you want to install via rpms go to the SuSE build repos (software.opensuse.org) and search for spamassassin. There are a couple of builds for 3.2.0 there, also Norrbring consulting posts SuSE rpm builds which I have used with great results.

Any problems post back.

Best

> Sorry to keep sending email but i also get this on a restart of spamassassin from the runlevel editor:
>
> /etc/init.d/spamassassin: line 12: /etc/rc.d/init.d/functions: No such file or directory
RE: So what about rulesemporium.com and these anti-PDF rules?
> I for one agree with the protected model. I've read post after post in this group and others where people complain that some new method is no longer effective due to the other guys knowing our every step. If there were an application process, which would be too burdensome on the maintainers, I'd support that as well - and offer my help. No I'm not a spammer and I've never played one on TV either... That's just my two cents worth of opinion, I could be wrong.
>
> Thank you to the people who write these plugins. You people rock!

Thomas,

Why agree with a protected model? For the wages of sin is death. Right?

I am grateful for the SA team SA tools and also very importantly, the many diverse white hats that are slowly but surely making things better too. Especially those with badges and guns that put their lives on the line.

Spammers and various other types of criminals are being watched, getting caught, and seeing their dumb asses tossed in prison.

Not money itself, yet For the *love of money* is the root of all evil

Although we should not encourage stupidity or foolish activities classified against the law, those that indulge in it are going to reap the rewards of what they sow.

- rh
Question about missing rules for 3.2.1 upgrade
I recently upgraded to 3.2.1. In doing so, I find that the following rules which were previously used are no longer in service. Can someone explain why? [/etc/mail/spamassassin] spamassassin --lint [22753] warn: config: warning: score set for non-existent rule HTML_FONT_INVISIBLE [22753] warn: config: warning: score set for non-existent rule NO_REAL_NAME [22753] warn: config: warning: score set for non-existent rule ADVANCE_FEE_1 [22753] warn: config: warning: score set for non-existent rule FORGED_RCVD_HELO [22753] warn: config: warning: score set for non-existent rule DNS_FROM_RFC_POST [22753] warn: config: warning: score set for non-existent rule NO_OBLIGATION [22753] warn: config: warning: score set for non-existent rule MSGID_FROM_MTA_ID [22753] warn: lint: 7 issues detected, please rerun with debug enabled for more information Thanks in advance. -- Albert E. Whale, CHS CISA CISSP Sr. Security, Network, Risk Assessment and Systems Consultant ABS Computer Technology, Inc. http://www.ABS-CompTech.com - Email, Internet and Security Consultants SPAMZapper http://www.Spam-Zapper.com - No-JunkMail.com http://www.No-JunkMail.com - *True Spam Elimination*.
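Each lint warning above names a rule that a `score` line still refers to but that no loaded rule file defines. As an added example (not part of the original post), this shell script maps such warnings back to the file and line that set the score; the sample config files and lint log are constructed, and `stale_rules`, `locate_scores` and `demo` are hypothetical helper names.

```shell
# Added example: map "score set for non-existent rule" lint warnings back to
# the config lines that set those scores. All sample data is constructed.

# Read `spamassassin --lint` output on stdin, print each stale rule name once.
stale_rules() {
  sed -n 's/.*score set for non-existent rule \([A-Za-z0-9_]*\).*/\1/p' | sort -u
}

# Read rule names on stdin; print "file:line:RULE" for every `score RULE ...`
# line found in the *.cf files of directory $1. Matching on whole fields means
# a rule name that merely appears in a describe line or comment is ignored.
locate_scores() {
  _dir=$1
  while read -r _rule; do
    [ -n "$_rule" ] || continue
    for _f in "$_dir"/*.cf; do
      [ -f "$_f" ] || continue
      awk -v r="$_rule" \
        '$1 == "score" && $2 == r { print FILENAME ":" FNR ":" r }' "$_f"
    done
  done
}

# Build a constructed config directory and lint log, then run both steps.
demo() {
  _tmp=$(mktemp -d) || return 1
  printf '%s\n' '# constructed local overrides' \
    'score NO_REAL_NAME 1.5' \
    'score BAYES_99 4.0' > "$_tmp/local.cf"
  printf '%s\n' '  score FORGED_RCVD_HELO 0' \
    'describe NO_REAL_NAME score placeholder' > "$_tmp/tweaks.cf"
  printf '%s\n' \
    '[22753] warn: config: warning: score set for non-existent rule NO_REAL_NAME' \
    '[22753] warn: config: warning: score set for non-existent rule FORGED_RCVD_HELO' \
    '[22753] warn: config: warning: score set for non-existent rule NO_REAL_NAME' \
    '[22753] dbg: constructed unrelated line' > "$_tmp/lint.log"
  (cd "$_tmp" && stale_rules < lint.log | locate_scores .)
  rm -rf "$_tmp"
}

demo
```

On a real system the same two functions would be fed with `spamassassin --lint 2>&1 | stale_rules | locate_scores /etc/mail/spamassassin`, using the directory shown in the post.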
RE:Upgrade to 3.2
On Tue, 3 Jul 2007 [EMAIL PROTECTED] wrote: I downloaded the tarball and made a rpm; which created perl-spamassassin.rpm and mail-spamassassin.rpm. I installed perl-spamassassin first using yast and then spamassassin using yast. The spamassassin rpm failed to install but when I do a rpm -qa spamassassin it shows both 3.1 and 3.2 installed. I assume you provided the upgrade option on the command line? You can install multiple versions of the same package if you're not careful. This should do it: rpm -Uvh *spamassassin*3.2*.rpm I look in /etc/mail/spamassassin and all the 3.1 files are still there along with 3.2pre file. What does spamassassin --debug --lint say about the version? Should I uninstall and then reinstall and if I do this, what will happen to all the existing rules and what-not? You should know what custom rules you've installed. They should be copied somewhere safe and/or checked into revision control (learn RCS. live RCS.) and should be easy to reinstall if needed. It won't hurt to uninstall all of the SA RPMs and reinstall just the latest one. The rites of initiation continue... :) -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Is there a Special Olympics for terrorists going on in the UK this week? -- Bruce Schneier, 07/02/2007 --- Tomorrow: The 231st anniversary of the Declaration of Independence
Re: bayes_ignore_header for X-Spam values
Jeremy Fairbrass wrote: Hi all, Can someone please advise me: is it good or bad to add bayes_ignore_header values in my local.cf file for the X-Spam headers that are added by SA? It's pointless. SA already removes its own markings when learning messages. The only time you'd need to do something like this is if you're using a tool that generates its own headers that don't follow the normal convention. ie: MailScanner. For example: bayes_ignore_header X-Spam-Status bayes_ignore_header X-Spam-Level bayes_ignore_header X-Spam-Checker-Version bayes_ignore_header X-Spam-Report bayes_ignore_header X-Spam-Processed I've seen some installations that do have these values, but I'm not sure why - I'd have thought it was good for Bayes to be able to learn from those headers. What would happen if I would *not* ignore those headers and let Bayes learn from them? Absolutely nothing, because SA will not learn from them.