Why does spamd not support full Unix permission?
Hello, I see Bug#4506 as well as http://bugzilla.spamassassin.org/attachment.cgi?id=3042 I wonder why the current implementation does not support setting the secondary (aka supplemental) groups of the user? I intend to use spamd where some users shall share certain data, e.g. Bayes database and AWL, which will require secondary groups. Bye, Steffen
Debian and sa-update
Hi, I'm planning to use sa-update for my SA installation to be updated. I ran sa-update and it downloaded the updated rulesets in /var/lib/spamassassin/3.001007 along with some other files. In the previous directory, I found some configuration files : updates_spamassassin_org.cf which point to the rule sets. But, the problem is to add these rulesets to /etc/spamassassin/local.cf. Do I need to just : include /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf in local.cf ? More info : I use Amavis to check emails incoming. Thanks for your help. -- Emmanuel Lesouef CRBN | DSI t : 0231069671 m : [EMAIL PROTECTED]
Re: Rulesemporium
From: Daryl C. W. O'Shea [EMAIL PROTECTED] jdow wrote: From: Daryl C. W. O'Shea [EMAIL PROTECTED] Loren Wilton wrote: Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM On 07/09/2007 04:01 PM the voices made Joe Zitnik write: I can't get here: http://www.rulesemporium.com/rules Is rulesemporium having issues again? I can rarely get there (via a browser). So rarely the site is almost useless. I've been having intermittent issues getting there from home for a while. Last time it happened, the site was down. I still can't get there Hum. I just tried again, and didn't have any problems this time either. Guess I'm lucky. Perhaps you are. I get 500 Server closed connection without sending any data back or 500 Can't connect to www.rulesemporium.com:80 (connect: timeout) at least once an hour out of three queries an hour. Daryl, I've tried before to tell you and other people RDJ is broken. Actually, you've not, and if you did it would be a waste of time given that I don't use RDJ and actually provide the sa-update channels for SARE rules. Put a 1 second sleep between each file fetch and see if that improves things. If you weren't in a hurry to make 3 posts about the same thing to the same thread, you'd see that I wrote that I'm seeing the timeout in 1 (or more) of ONLY THREE QUERIES AN **HOUR**. I've already got a 20 minute delay between queries. I'll try adding a 1 second delay to that though. :) It keeps you from looking like a DoS attack. Since I put that hack in my GetRule.sh script has never failed me. As has been noted already, by Dallas, it's a problem with at least one of their network links being saturated by the DoS, not the DoS protection. Is this perhaps a difference in wget and curl? This is an off hour. But I am running again with no problems so far. (A friend put in the delay and it worked for him, too.) Yeah, just finished faster than earlier today. What was happening to me was nice fast progress through the first few of my long list. 
Then it would start showing the timeouts for all the rest. It was pure hunch that led to the delay strategy. And it has appeared to work. I've never seen a timeout since then. Go figure. It's magic? I dunno. {^_^}
Re: Spam log file
From: Sg [EMAIL PROTECTED] Hi Where is the spam log file located? It varies. It seems to be in /var/log/ somewhere. For RH/FC it seems to be in /var/log/maillog*. I hope that helps. {^_^}
Re: Rulesemporium
As I said, we use a trick that makes the fetches work. It does not get us tarred by the DoS filter. So access to the web site is really easy. I also check when I feel like it rather than hourly as I've heard some people work. Weekly is more than enough unless you see a notification here. Well that could be automated. I don't know why they cannot use something like an RSS and we could get rules as feeds. Rather than having to get each file all the time. Thanks Ram
Re: Debian and sa-update
You shouldn't need to add anything, it will pay attention to them automatically once they've downloaded. However, make sure you're using a new enough version of SpamAssassin that supports sa-update - the version in the standard Sarge repository doesn't, you'll have to get 3.1.7 from Backports. On Wed, 11 Jul 2007 09:22:08 +0200 Emmanuel Lesouef [EMAIL PROTECTED] wrote: Hi, I'm planning to use sa-update for my SA installation to be updated. I ran sa-update and it downloaded the updated rulesets in /var/lib/spamassassin/3.001007 along with some other files. In the previous directory, I found some configuration files : updates_spamassassin_org.cf which point to the rule sets. But, the problem is to add these rulesets to /etc/spamassassin/local.cf. Do I need to just : include /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf in local.cf ? More info : I use Amavis to check emails incoming. Thanks for your help. -- Adam Wilbraham - Assistant Systems Administrator TechnoPhobia Limited The Workstation 15 Paternoster Row SHEFFIELD England S1 2BX t: +44 (0)114 2212123 f: +44 (0)114 2212124 e: [EMAIL PROTECTED] w: http://www.technophobia.com/ Registered in England and Wales Company No. 3063669 VAT registration No. 598 7858 42 ISO 9001:2000 Accredited Company No. 21227 ISO 14001:2004 Accredited Company No. E997 ISO 27001:2005 (BS7799) Accredited Company No. IS 508906 Investor in People Certified No. 101507 The contents of this email are confidential to the addressee and are intended solely for the recipients use. If you are not the addressee, you have received this email in error. Any disclosure, copying, distribution or action taken in reliance on it is prohibited and may be unlawful. Any opinions expressed in this email are those of the author personally and not TechnoPhobia Limited who do not accept responsibility for the contents of the message. All email communications, in and out of TechnoPhobia, are recorded for monitoring purposes.
RE: Rulesemporium
Hi! Wouldn't you say the DDOS protection theory and/or implementation is broken if topology and routing is not taken into account? You know, we are not posting to this list to rag on them, we just wanna be able to hit the website for info when necessary and without being tossed in the crapper after a few page views etc. If you can provide a better solution let us know. Bye, raymond.
PDFInfo plugin with SA 3.1.7
Hello, I am trying to run the PDFInfo plugin with SA 3.1.7. SA registers the plugin successfully but does not scan the PDFs in the emails. According to Dallas Engelken (creator of PDFInfo), the MIME parser in SA is not seeing a PDF attachment on this message. Has anyone tried running the PDFInfo plugin with version 3.1.7?
Re: Debian and sa-update
Sounds great. I'm currently using 3.1.7 version as I upgraded the server to Debian 4.0. How can I be sure Spamassassin and Amavis are using the updated rulesets ? Thanks for your help. Le mercredi 11 juillet 2007 à 10:12 +0100, Adam Wilbraham a écrit : You shouldn't need to add anything, it will pay attention to them automatically once they've downloaded. However, make sure you're using a new enough version of SpamAssassin that supports sa-update - the version in the standard Sarge repository doesn't, you'll have to get 3.1.7 from Backports. On Wed, 11 Jul 2007 09:22:08 +0200 Emmanuel Lesouef [EMAIL PROTECTED] wrote: Hi, I'm planning to use sa-update for my SA installation to be updated. I ran sa-update and it downloaded the updated rulesets in /var/lib/spamassassin/3.001007 along with some other files. In the previous directory, I found some configuration files : updates_spamassassin_org.cf which point to the rule sets. But, the problem is to add these rulesets to /etc/spamassassin/local.cf. Do I need to just : include /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf in local.cf ? More info : I use Amavis to check emails incoming. Thanks for your help. -- Emmanuel Lesouef CRBN | DSI t : 0231069671 m : [EMAIL PROTECTED]
RE: bayes directory
From: Jari Fredriksson [mailto:[EMAIL PROTECTED] Sent: Tue 7/10/2007 15:22 To: Jean-Paul Natola; users@spamassassin.apache.org Subject: Re: bayes directory Bayes needs 200 ham 200 spam to work. You can read its statistics by command sa-learn --dump magic
OK, after training it, I now see them - should I be concerned that they are not in the spamassassin directory? They are now here:
/root/.spamassassin
/root/.spamassassin/auto-whitelist
/root/.spamassassin/bayes_seen
/root/.spamassassin/bayes_toks
/root/.spamassassin/user_prefs
Bayes - one database per user or one for everybody?
Hello, I'm migrating to SQL Bayes storage method. I have plenty of email accounts. By this time, all of them had their own database in their home directories. Such approach unfortunately consumes a lot of disk space, so now I'm thinking about bayes_sql_override_username option, which allows me to have one single database for all. I wonder if it's better to have a single database (which probably could be larger than the size of 8MB per user I allowed with DBM storage method) or keep per-user ones? So, what are the advantages of a single database? And does it make any sense to make it larger? Maybe 8MB of tokens is simply enough and it doesn't pay to use more resources to seek in a larger base? Are there any security or privacy problems with this setup? BTW, users don't have access to their databases, they are unable to feed any spam/ham manually, so losing this ability is not a problem for me. Regards, -- Michal Jeczalik, +48.603.64.62.97
Re: PDFInfo plugin with SA 3.1.7
On Wed, 2007-07-11 at 14:49 +0530, Suhas Ingale wrote: Has anyone tried running PDFInfo plugin with 3.1.7 version? No, finally got it working yesterday evening using 3.2.1, but the initial results are underwhelming. Almost 100% overlap with TVD_SPACE_RATIO. Only one miss: sudo grep GMD_PDF /var/log/mail/info | grep -v TVD_SPACE_RATIO Jul 11 03:26:15 sa amavis[25324]: (25324-17) SPAM, [EMAIL PROTECTED] - [EMAIL PROTECTED], Yes, score=25.456 tag=-99 tag2=4.5 kill=6.31 tests=[BODY_8BITS=1.5, BOTNET_CLIENT=0.01, BOTNET_CLIENTWORDS=0, BOTNET_IPINHOSTNAME=0, BOTNET_W=2, DKIM_POLICY_SIGNSOME=0, FH_HELO_EQ_D_D_D_D=0.498, GMD_PDF_BAD_FUZZY=3.75, GMD_PDF_HORIZ=0.25, GMD_PDF_STOX=1, HELO_DYNAMIC_DHCP=1.52, HELO_DYNAMIC_IPADDR=2.935, L_P0F_W=1, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=2.188, RCVD_IN_PBL=0.509, RCVD_IN_XBL=2.896, RDNS_DYNAMIC=0.1, UNWANTED_LANGUAGE_BODY=2.8], autolearn=disabled That's out of [EMAIL PROTECTED] ~]$ sudo grep -o -P GMD_PDF.+?= /var/log/mail/info | sort | uniq -c 684 GMD_PDF_BAD_FUZZY= 43 GMD_PDF_HORIZ= 67 GMD_PDF_STOX= 24 GMD_PDF_VERT= -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX Austin Energy http://www.austinenergy.com
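The overlap check done with grep in the message above, as an added Python example that is not part of the original post. It also asks whether the plugin's score was needed to reach the kill level. The log lines are constructed (test lists shortened), and reading `score=` and `kill=` as total score and kill level is an assumption about the amavis line format quoted above.

```python
import re
from collections import Counter

# Constructed amavis log lines, modelled on the format quoted in the post above.
# Addresses, scores and message ids are made up; test lists are shortened.
SAMPLE_LOG = """\
Jul 11 03:20:01 sa amavis[25324]: (25324-15) SPAM, <a@example.com> -> <u@example.org>, Yes, score=12.3 tag=-99 tag2=4.5 kill=6.31 tests=[GMD_PDF_BAD_FUZZY=3.75, RAZOR2_CHECK=0.5, TVD_SPACE_RATIO=2.9, RCVD_IN_XBL=2.896], autolearn=disabled
Jul 11 03:26:15 sa amavis[25324]: (25324-17) SPAM, <b@example.com> -> <u@example.org>, Yes, score=25.456 tag=-99 tag2=4.5 kill=6.31 tests=[BODY_8BITS=1.5, GMD_PDF_BAD_FUZZY=3.75, GMD_PDF_HORIZ=0.25, GMD_PDF_STOX=1, RCVD_IN_XBL=2.896], autolearn=disabled
Jul 11 03:31:40 sa amavis[25330]: (25330-02) SPAM, <c@example.com> -> <u@example.org>, Yes, score=7.2 tag=-99 tag2=4.5 kill=6.31 tests=[GMD_PDF_BAD_FUZZY=3.75, GMD_PDF_VERT=0.5, RCVD_IN_PBL=0.509], autolearn=disabled
Jul 11 03:33:02 sa amavis[25330]: (25330-03) SPAM, <d@example.com> -> <u@example.org>, Yes, score=9.1 tag=-99 tag2=4.5 kill=6.31 tests=[RCVD_IN_XBL=2.896, TVD_SPACE_RATIO=2.9], autolearn=disabled
Jul 11 03:34:10 sa amavis[25330]: (25330-04) Passed CLEAN, <e@example.com> -> <u@example.org>, Hits: -
"""

TESTS_RE = re.compile(r"tests=\[([^\]]*)\]")


def parse_tests(line):
    """Return {rule_name: score} from the tests=[...] field, or {} if absent."""
    match = TESTS_RE.search(line)
    if not match:
        return {}
    tests = {}
    for item in match.group(1).split(","):
        name, sep, score = item.strip().partition("=")
        if not sep:
            continue
        try:
            tests[name] = float(score)
        except ValueError:
            continue  # skip malformed entries instead of aborting the run
    return tests


def _field(line, name):
    """Read a numeric key=value field such as score= or kill= from the line."""
    match = re.search(r"\b%s=(-?\d+(?:\.\d+)?)" % re.escape(name), line)
    return float(match.group(1)) if match else None


def plugin_impact(lines, prefix="GMD_PDF_", baseline="TVD_SPACE_RATIO"):
    """Summarise plugin hits, overlap with the baseline rule, and decisive hits."""
    per_rule = Counter()
    messages = 0
    without_baseline = []   # plugin hit, baseline rule did not
    decisive = []           # message would fall below kill without the plugin
    for line in lines:
        tests = parse_tests(line)
        plugin_hits = {n: s for n, s in tests.items() if n.startswith(prefix)}
        if not plugin_hits:
            continue
        messages += 1
        per_rule.update(plugin_hits.keys())
        if baseline not in tests:
            without_baseline.append(line)
        score, kill = _field(line, "score"), _field(line, "kill")
        if score is not None and kill is not None:
            remaining = score - sum(plugin_hits.values())
            if score >= kill > remaining:
                decisive.append(line)
    return {"messages": messages, "per_rule": dict(per_rule),
            "without_baseline": without_baseline, "decisive": decisive}


if __name__ == "__main__":
    report = plugin_impact(SAMPLE_LOG.splitlines())
    print(report["messages"], "messages hit", report["per_rule"])
    print(len(report["without_baseline"]), "without TVD_SPACE_RATIO,",
          len(report["decisive"]), "needed the plugin to reach kill level")
```
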
Re: Spam log file
Sg wrote: Hi Where is the spam log file located? On windows? Probably nowhere. I don't think Windows has a syslogd. On *nix, spamd will log to the mail facility, so it will end up where-ever syslogd is configured to write that facility, generally /var/log/maillog. If you're just invoking spamassassin instead of spamc/spamd, then even on linux there's no logging. The spamassassin script is really intended to be simple enough to use by hand, but not really offer many features, nor offer reasonable performance for general server-side use.
Re: Debian and sa-update
echo test | spamassassin -D

It'll give a load of debug output, scan through that and look at the paths of the files it's using, there will be something like this to confirm it:

[9392] dbg: config: using /var/lib/spamassassin/3.001003/updates_spamassassin_org/50_scores.cf for included file
[9392] dbg: config: read file /var/lib/spamassassin/3.001003/updates_spamassassin_org/50_scores.cf
[9392] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001003/updates_spamassassin_org/60_awl.cf
[9392] dbg: config: using /var/lib/spamassassin/3.001003/updates_spamassassin_org/60_awl.cf for included file
[9392] dbg: config: read file /var/lib/spamassassin/3.001003/updates_spamassassin_org/60_awl.cf

On Wed, 11 Jul 2007 11:20:42 +0200 Emmanuel Lesouef [EMAIL PROTECTED] wrote: Sounds great. I'm currently using 3.1.7 version as I upgraded the server to Debian 4.0. How can I be sure Spamassassin and Amavis are using the updated rulesets ? Thanks for your help. Le mercredi 11 juillet 2007 à 10:12 +0100, Adam Wilbraham a écrit : You shouldn't need to add anything, it will pay attention to them automatically once they've downloaded. However, make sure you're using a new enough version of SpamAssassin that supports sa-update - the version in the standard Sarge repository doesn't, you'll have to get 3.1.7 from Backports. On Wed, 11 Jul 2007 09:22:08 +0200 Emmanuel Lesouef [EMAIL PROTECTED] wrote: Hi, I'm planning to use sa-update for my SA installation to be updated. I ran sa-update and it downloaded the updated rulesets in /var/lib/spamassassin/3.001007 along with some other files. In the previous directory, I found some configuration files : updates_spamassassin_org.cf which point to the rule sets. But, the problem is to add these rulesets to /etc/spamassassin/local.cf. Do I need to just : include /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf in local.cf ? More info : I use Amavis to check emails incoming. Thanks for your help.
-- Adam Wilbraham - Assistant Systems Administrator TechnoPhobia Limited
Mails are not regarded as spam.
Hello All, I have set the German rules and it's updating from a channel file... however, mails are not regarded as spam because the bayes check rates it as non-spam, giving a high (-)tive score X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,NO_DNS_FOR_FROM, ZMIde_STOCKBLOCK1 autolearn=no version=3.1.7 Any suggestion how to get around this? Thanks and Regards Diptanjan
Re: Debian and sa-update
I'm currently using 3.1.7 version as I upgraded the server to Debian 4.0. How can I be sure Spamassassin and Amavis are using the updated rulesets ? Thanks for your help.

Run amavisd-new in debug-sa mode for a minute (after stopping it):

amavisd-new stop
amavisd-new debug-sa

Gary V
Re: Rulesemporium
jdow wrote: From: Ken A [EMAIL PROTECTED] SARE Webmaster wrote: Daryl C. W. O'Shea wrote: Loren Wilton wrote: Mike Grau [EMAIL PROTECTED] 07/09/07 5:15 PM On 07/09/2007 04:01 PM the voices made Joe Zitnik write: I can't get here: http://www.rulesemporium.com/rules Is rulesemporium having issues again? I can rarely get there (via a browser). So rarely the site is almost useless. I've been having intermittent issues getting there from home for a while. Last time it happened, the site was down. I still can't get there Hum. I just tried again, and didn't have any problems this time either. Guess I'm lucky. Perhaps you are. I get 500 Server closed connection without sending any data back or 500 Can't connect to www.rulesemporium.com:80 (connect: timeout) at least once an hour out of three queries an hour. Ok, so the word is that the telia link is saturated with traffic from the ddos yet.. I'd like some traceroutes to www.rulesemporium.com for anyone that is having problems. darn spammers.. don't they have anything else to do? From both Northern California and N.E. Arkansas, I get nothing beyond 9 so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42) 75.275 ms so-7-0-0.gar1.Miami1.Level3.net (4.68.112.46) 78.995 ms so-6-0-0.gar1.Miami1.Level3.net (4.68.112.42) 81.046 ms Looks like maybe Level3 has dampened the route to you due to the problem. Time to get a mirror in Miami? Ken The issue with the html found in rulesets (the 0.1 refresh page) should be cleared up. If anyone is seeing this, please let me know immediately. I am in the Los Angeles area. The mtr utility reports:

My traceroute [v0.71]
morticia.wizardess.wiz (0.0.0.0)  Tue Jul 10 19:05:13 2007
Keys: Help Display mode Restart statistics Order of fields quit
                                      Packets          Pings
Host                                 Loss%  Snt  Last   Avg  Best  Wrst StDev
1. netblock-68-183-128-1.dslextreme   0.0%    3  23.3  23.4  23.3  23.4   0.0
2. LAX1.CR1.Gig9-0-3.dslextreme.com   0.0%    3  23.7  24.3  23.7  25.3   0.9
3. ge-5-1-115.ipcolo1.LosAngeles1.L   0.0%    3  23.6  24.2  23.6  24.6   0.5
4. ae-2-54.bbr2.LosAngeles1.Level3.   0.0%    3  24.2  24.4  24.2  24.6   0.2
5. as-1-0.mp1.Miami1.Level3.net       0.0%    3  87.8  98.4  87.2 120.1  18.8
6. so-7-0-0.gar1.Miami1.Level3.net    0.0%    3  87.6  87.6  87.6  87.6   0.0
7. ???

So as you see there already is a mirror in the Miami area. (It is probably the one that just worked. For the mtr check I probably got the address out of the DNS cache.) Put A DelayBetweenEachFileYouFetchor attempttofetch. Maybe typing slowly so you guys can read will help. {o.o} sarcasm A little misinformation tossed to spammers isn't bad here. I hear there's a mirror in Afghanistan too. And by all means.. when you browse the site.. click the stop button in your browser between it's loading each image on each page, then click the start button again. It's tricky, but if you do it just right, you can browse the whole site before the IDS blocks you. /sarcasm The rulesemporium site is great, and much thanks goes to the ninjas who operate it and write the rules, forcing spammers to read harry potter books. Ken -- Ken Anderson Pacific.Net
Re: Rulesemporium
sarcasm A little misinformation tossed to spammers isn't bad here. I hear there's a mirror in Afghanistan too. And by all means.. when you browse the site.. click the stop button in your browser between it's loading each image on each page, then click the start button again. It's tricky, but if you do it just right, you can browse the whole site before the IDS blocks you. /sarcasm The rulesemporium site is great, and much thanks goes to the ninjas who operate it and write the rules, forcing spammers to read harry potter books. Ken Yes, the rulesemporium site _is_ great. As are the rules themselves. That's why I'd like to use my browser and read just one page. Right now all I get (and this is my first attempt to browse the site since yesterday) is Waiting for www.rulesemporium.com I'm not talking about rules_du_jour or sa-update or seeing how fast I can manually click stop or cycle through pages with my browser. I just want to go to the one page I have bookmarked. Isn't that the point of having a website? Allowing people to view your content? I'd say the DDOS is still very effective one way or another. My sympathies to the rulesemporium folks. I wish I could help, but I'm just some slob who wants to view their website. Still waiting ... Mike
Re: Rulesemporium
Mike Grau wrote: sarcasm A little misinformation tossed to spammers isn't bad here. I hear there's a mirror in Afghanistan too. And by all means.. when you browse the site.. click the stop button in your browser between it's loading each image on each page, then click the start button again. It's tricky, but if you do it just right, you can browse the whole site before the IDS blocks you. /sarcasm The rulesemporium site is great, and much thanks goes to the ninjas who operate it and write the rules, forcing spammers to read harry potter books. Ken Yes, the rulesemporium site _is_ great. As are the rules themselves. That's why I'd like to use my browser and read just one page. Right now all I get (and this is my first attempt to browse the site since yesterday) is Waiting for www.rulesemporium.com I'm not talking about rules_du_jour or sa-update or seeing how fast I can manually click stop or cycle through pages with my browser. I just want to go to the one page I have bookmarked. Isn't that the point of having a website? Allowing people to view your content? I'd say the DDOS is still very effective one way or another. My sympathies to the rulesemporium folks. I wish I could help, but I'm just some slob who wants to view their website. Still waiting ... Mike If your IP is blocked, for whatever reason, perhaps a proxy would help you until your IP is unblocked. http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen I bet the 'donate' link would help :-) Ken -- Ken Anderson Pacific.Net
Re: Rulesemporium
If your IP is blocked, for whatever reason, perhaps a proxy would help you until your IP is unblocked. http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen I bet the 'donate' link would help :-) Ken Okay, done. We'll see if it helps. Mike
General question about SA default ruleset
Hi Folks, I can't get nowhere, Wiki, FAQ, mail archive, this thing. I'm looking for a kind of dictionary providing an explanation for each rule of the default ruleset provided with spamassassin ... Sorry for my poor English. Let's have an example : RCVD_ILLEGAL_IP : In my .cf files, I only got Received: contains illegal IP address. I would like to know what exactly an illegal IP means (looks like it can sometimes be an IP block undefined or some other weird thing). In fact, if you know if this kind of index/dictionary like this exists, and if so, where it can be found, I would really appreciate it. If this doesn't exist, I would like to try to make one myself. If someone has any information, that would be nice. I should specify that I'm not looking for something like http://systems.cs.uoregon.edu/Solaris/spamassassin.php Or http://www.nesox.com/document/Spamassassin%20Explanation.asp That basically just rewrite what can be found in .cf files ... Thanks.
Changing scores/rules on the fly when calling SpamAssassin from MailScanner
Hi I am looking at writing an extension to MailScanner so that we can allow different settings to be applied. My primary objective is to allow different username to be used for bayes. If I am able to achieve scores and rules as well this would be a bonus. I have mocked something up which uses the $t->copy_config() and $t->read_scoreonly_config(). I am saving the config (using freeze/thaws) to disk so that the other MailScanner processes can share them (using tie with a Tie::DB_Lock). I cause the tied hashfile to be recreated when MailScanner restarts causing a reload of the primary files. This is working but I was wondering if there was a better way to do it. It looks like http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3852 would help here but it doesn't look like any progress has been made :-) If I just want to change the bayes username I can (I assume) just do this: $f->signal_user_changed({ username => 'newuser' }); But how do I revert back to the default? cheers Matt
Re: General question about SA default ruleset
On Wed, Jul 11, 2007 at 05:37:16PM +0200, Fabien GARZIANO wrote: I can't get nowhere, Wiki, FAQ, mail archive, this thing. I'm looking for a kind of dictionary providing an explanation for each rule of the default ruleset provided with spamassassin ... There is no such thing, but we welcome people's help in making it. See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=4771 for information about the idea. So far, we've set up a section of the wiki: http://wiki.apache.org/spamassassin/RulesList and people can put up descriptions of each rule, in standard wiki fashion. -- Randomly Selected Tagline: The bus had no heat, blew over in the wind and used the driver's legs as its first line of defense in an accident. - Unknown about the VW Bus
Re: Random spamc crashes (problem solved)
We found the problem. The machine we're using is an LDAP client for all ~8000 users, and it seems that spamc/spamd is failing if the username is not cached in nscd - simply typing ls -l /home solves it temporarily until the cache timeout, since all objects are then cached. We fixed this by running that command via a cron script every 15 minutes. So would this be a bug in spamassassin? Ryan Thoryk System Administrator onShore Networks, LLC 1407 West Chicago Avenue Chicago, Illinois 60622 www.onshore.com
OT: Motivating good behavior from negligent ISP's
We're seeing a lot of unwanted attempts to relay traffic through our site by Orange.fr, and we've reported this to their Abuse contact as well as their upstream provider (rain.fr): Jul 11 11:30:37 mail mimedefang.pl[31610]: relay: bad tld orange.fr Jul 11 11:30:37 mail mimedefang.pl[31610]: filter_relay rejected host 194.250.131.236 (smtp-wifi.orange.fr) Jul 11 11:30:37 mail sendmail[32044]: l6BHUb3j032044: Milter: connect: host=smtp-wifi.orange.fr, addr=194.250.131.236, rejecting commands No joy. We'd like to take escalatory measures now. What is a good RBL site (or as appropriate) to get them listed on until they start playing well with others? Would the FAQ's Reporting Spam section be a good place to mention the various sites that you can rat out offenders? Thanks, -Philip
Re: PDFInfo plugin with SA 3.1.7
Daniel J McDonald wrote: On Wed, 2007-07-11 at 14:49 +0530, Suhas Ingale wrote: Has anyone tried running PDFInfo plugin with 3.1.7 version? No, finally got it working yesterday evening using 3.2.1, but the initial results are underwhelming. Almost 100% overlap with TVD_SPACE_RATIO. Only one miss:

First of all, TVD_SPACE_RATIO only applies for those running v3.2, whereas PDFInfo.pm can be used with any 3.x version. Secondly, TVD_SPACE_RATIO can fire almost at will without a body.

$ echo | spamassassin
2.9 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO

Take the basic mime part from a pdf stock spam... it looks similar to this

--050701020003040207010006
Content-Type: text/plain; charset=iso-8859-2; format=flowed
Content-Transfer-Encoding: 7bit

--050701020003040207010006

and it fires on TVD_SPACE_RATIO fine.

$ cat /root/sample2.txt | spamassassin -D 2>&1 | grep -i tvd
[26686] dbg: tvd: word [SPAM-8.3]- Re: warning_6042146166.pdf
[26686] dbg: tvd: len=39
[26686] dbg: tvd: spaces 2 nonspaces 37
[26686] dbg: tvd: pct = 5
[26686] dbg: tvd: final = 5
[26686] dbg: rules: ran eval rule TVD_SPACE_RATIO == got hit (1)

change the mime part to

--050701020003040207010006
Content-Type: text/plain; charset=iso-8859-2; format=flowed
Content-Transfer-Encoding: 7bit

tvd no longer fires now
--050701020003040207010006

$ cat /root/sample2.txt | spamassassin -D 2>&1 | grep -i tvd
[26739] dbg: tvd: word [SPAM-8.3]- Re: warning_6042146166.pdf
[26739] dbg: tvd: len=39
[26739] dbg: tvd: spaces 2 nonspaces 37
[26739] dbg: tvd: pct = 5
[26739] dbg: tvd: word tvd no longer fires now
[26739] dbg: tvd: len=24
[26739] dbg: tvd: spaces 4 nonspaces 20
[26739] dbg: tvd: pct = 20
[26739] dbg: tvd: final = 20

... and 20 isn't between tvd_vertical_words('0','10')

Easy for spammy to avoid that. Even more, this rule has a good chance of falsing. I emailed myself a png from webalizer without any body text.

# cat test | spamassassin -D 2>&1 | grep -i tvd
[27390] dbg: tvd: word hourly_usage_200706.png
[27390] dbg: tvd: len=24
[27390] dbg: tvd: spaces 0 nonspaces 24
[27390] dbg: tvd: pct = 0
[27390] dbg: tvd: final = 0
[27390] dbg: rules: ran eval rule TVD_SPACE_RATIO == got hit (1)

The fact is, email is FTP for Dummies... and IMHO, TVD_SPACE_RATIO may be a bit high at 2.9.

BTW, v0.3 of PDFInfo.pm is now posted - so for those that have it already, you might want to sync up

# counts GMD_PDF_HORIZ 135s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_HORIZ 31s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
# counts GMD_PDF_SQUARE 36s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_SQUARE 11s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
# counts GMD_PDF_VERT 24s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_VERT 10s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
# counts GMD_PDF_FUZZY1_T1 591s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_FUZZY1_T1 199s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
# counts GMD_PDF_FUZZY2_T1 199s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
# counts GMD_PDF_FUZZY2_T1 591s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_FUZZY2_T2 118s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_FUZZY2_T2 1s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_PDF_FUZZY2_T3 0s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_PDF_FUZZY2_T3 25s/0h of 5641 corpus (4064s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_FUZZY2_T4 105s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PDF_FUZZY2_T4 28s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_AUTHOR_COLET 1s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_AUTHOR_COLET 2s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_AUTHOR_MOBILE 2s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_AUTHOR_MOBILE 55s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_AUTHOR_OOO 1s/0h of 10767 corpus (9986s/781h AxB2-TRAPS) 07/11/07
# counts GMD_AUTHOR_OOO 118s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_AUTHOR_HPADMIN 105s/0h of 6132 corpus (4555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_AUTHOR_HPADMIN 27s/0h of 11773 corpus (10988s/785h AxB2-TRAPS) 07/11/07
# counts GMD_PRODUCER_GPL 227s/0h of 6132 corpus (555s/1577h AxB-MANUAL) 07/11/07
# counts GMD_PRODUCER_GPL 85s/0h of 10767 corpus (9986s/781h AxB2-TRAPS)
Re: OT: Motivating good behavior from negligent ISP's
Philip Prindeville wrote: We're seeing a lot of unwanted attempts to relay traffic through our site by Orange.fr, and we've reported this to their Abuse contact as well as their upstream provider (rain.fr): Jul 11 11:30:37 mail mimedefang.pl[31610]: relay: bad tld orange.fr Jul 11 11:30:37 mail mimedefang.pl[31610]: filter_relay rejected host 194.250.131.236 (smtp-wifi.orange.fr) Jul 11 11:30:37 mail sendmail[32044]: l6BHUb3j032044: Milter: connect: host=smtp-wifi.orange.fr, addr=194.250.131.236, rejecting commands No joy. How long ago did you report it? -- Mr Michele Neylon Blacknight Solutions Hosting Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 1 4811 763 --- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
Re: OT: Motivating good behavior from negligent ISP's
Michele Neylon :: Blacknight wrote: Philip Prindeville wrote: We're seeing a lot of unwanted attempts to relay traffic through our site by Orange.fr, and we've reported this to their Abuse contact as well as their upstream provider (rain.fr): Jul 11 11:30:37 mail mimedefang.pl[31610]: relay: bad tld orange.fr Jul 11 11:30:37 mail mimedefang.pl[31610]: filter_relay rejected host 194.250.131.236 (smtp-wifi.orange.fr) Jul 11 11:30:37 mail sendmail[32044]: l6BHUb3j032044: Milter: connect: host=smtp-wifi.orange.fr, addr=194.250.131.236, rejecting commands No joy. How long ago did you report it? Which time? It happens regularly, and it's been going on over a month. -Philip
Re: OT: Motivating good behavior from negligent ISP's
Philip Prindeville wrote: No joy. How long ago did you report it? Which time? It happens regularly, and it's been going on over a month. Ok. That changes things, but you didn't say anything in your post about it going on for a month -- Mr Michele Neylon Blacknight Solutions Hosting Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 1 4811 763 --- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845
FP | SARE_BEASTUD
I'm seeing False Positives on the rule SARE_BEASTUD for a message that we are receiving. This rule is matching on the following text be a studio.

I look forward to reading many more books, and when my voice goes, I will continue to be a studio monitor and technician.

How does one go about getting this rule re-evaluated or modified to avoid these FPs in the 70_sare_adult configs?

body SARE_BEASTUD /be a stud/i
describe SARE_BEASTUD common spammer phrasing
score SARE_BEASTUD 0.26
# Original name: RM_bpm_BeAStud
# 53s/0h of 119325 corpus (98981s/20344h) 03/21/04
# 7s/0h of 15929 corpus (13729s/2200h) 03/23/04
#counts SARE_BEASTUD 73s/2h of 42056 corpus (34127s/7929h FVGT) 04/19/06
#counts SARE_BEASTUD 20s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06

Thanks, Otto
Re: FP | SARE_BEASTUD
Otto TheBusDriver wrote:

I'm seeing False Positives on the rule SARE_BEASTUD for a message that we are receiving. This rule is matching on the following text be a studio.

I look forward to reading many more books, and when my voice goes, I will continue to be a studio monitor and technician.

How does one go about getting this rule re-evaluated or modified to avoid these FPs in the 70_sare_adult configs?

For a whopping score of 0.26 I wouldn't bother, but you could try the SARE users list.

Daryl

body SARE_BEASTUD /be a stud/i
describe SARE_BEASTUD common spammer phrasing
score SARE_BEASTUD 0.26
# Original name: RM_bpm_BeAStud
# 53s/0h of 119325 corpus (98981s/20344h) 03/21/04
# 7s/0h of 15929 corpus (13729s/2200h) 03/23/04
#counts SARE_BEASTUD 73s/2h of 42056 corpus (34127s/7929h FVGT) 04/19/06
#counts SARE_BEASTUD 20s/1h of 140226 corpus (90162s/50064h DOC) 04/19/06

Thanks, Otto
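The false positive in this thread comes from the pattern having no word boundary after "stud", so it also matches "studio". The following is an added example, not code from SARE or from either poster: a small Python harness that parses SpamAssassin-style body and score lines and runs them over sample text. LOCAL_BEASTUD is a hypothetical local variant, the spam sample is constructed, and only pattern syntax shared by Perl and Python is supported.

```python
import re

# Rule text as posted in the thread.
SARE_CF = r"""
body     SARE_BEASTUD  /be a stud/i
describe SARE_BEASTUD  common spammer phrasing
score    SARE_BEASTUD  0.26
"""

# Hypothetical local variant with word boundaries; not a rule published by SARE.
LOCAL_CF = r"""
body     LOCAL_BEASTUD  /\bbe a stud\b/i
score    LOCAL_BEASTUD  0.26
"""

HAM = ("I look forward to reading many more books, and when my voice goes,\n"
       "I will continue to be a studio monitor and technician.")  # text from the post
SPAM = "You too can be a\nstud again. Order today."                # constructed sample

FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def parse_rules(cf_text):
    """Parse 'body NAME /regex/flags' and 'score NAME value' lines into a dict."""
    rules = {}
    for line in cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = (line.split(None, 2) + ["", ""])[:3]
        rule = rules.setdefault(name, {"score": 1.0})
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest.strip())
            if not m:
                raise ValueError(f"unsupported pattern syntax in {name}: {rest!r}")
            flags = 0
            for ch in m.group(2):
                flags |= FLAGS[ch]
            rule["regex"] = re.compile(m.group(1), flags)
        elif kind == "score":
            rule["score"] = float(rest.split()[0])
    return rules


def hits(rules, text):
    """Return {rule_name: score} for every body rule that matches the text."""
    # Fold line breaks to single spaces, approximating how body rules see text.
    body = " ".join(text.split())
    return {name: r["score"] for name, r in rules.items()
            if "regex" in r and r["regex"].search(body)}


if __name__ == "__main__":
    for label, cf in (("posted rule", SARE_CF), ("local variant", LOCAL_CF)):
        rules = parse_rules(cf)
        print(label, "ham:", hits(rules, HAM), "spam:", hits(rules, SPAM))
```
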
Re: Rulesemporium
Ken A wrote: Mike Grau wrote: <sarcasm> A little misinformation tossed to spammers isn't bad here. I hear there's a mirror in Afghanistan too. And by all means.. when you browse the site.. click the stop button in your browser between its loading each image on each page, then click the start button again. It's tricky, but if you do it just right, you can browse the whole site before the IDS blocks you. </sarcasm> The rulesemporium site is great, and much thanks goes to the ninjas who operate it and write the rules, forcing spammers to read harry potter books. Ken

Yes, the rulesemporium site _is_ great. As are the rules themselves. That's why I'd like to use my browser and read just one page. Right now all I get (and this is my first attempt to browse the site since yesterday) is Waiting for www.rulesemporium.com I'm not talking about rules_du_jour or sa-update or seeing how fast I can manually click stop or cycle through pages with my browser. I just want to go to the one page I have bookmarked. Isn't that the point of having a website? Allowing people to view your content? I'd say the DDOS is still very effective one way or another. My sympathies to the rulesemporium folks. I wish I could help, but I'm just some slob who wants to view their website. Still waiting ... Mike

If your IP is blocked, for whatever reason, perhaps a proxy would help you until your IP is unblocked. http://translate.google.com/translate?u=http%3A%2F%2Fwww.rulesemporium.com%2Flangpair=fr%7Cen I bet the 'donate' link would help :-)

Hmm, I doubt it, seeing that SARE has received 3 donations in 2007, $90 all total (yet 31k unique ips pull rules from the site every week.. ugh). Anyone want to sell us a VPS on a DDoS proof network for $90? ;) Maybe if we had a buck for every one of those IPs we could afford one. However, we're running on donated bandwidth/hardware from vr.org, and frontended by ddos mitigation services from prolexic.com... so really, I'm just glad the site comes up at all.
Without those guys it would be long gone. There has been discussion of taking down the public site, opening something new (private access, invite only, acl by ip, etc), in hopes to avoid ddos and provide better services, more frequent rule updates, and so on. We are trying our best to keep it alive, but there is only so much we can do with the limited time and resources we have. Speaking about lack of resources... we need more good people who want to join SARE and contribute with rules, scripts, masscheckers, etc... anyone interested should email [EMAIL PROTECTED] Thanks, -- SARE Webmaster [EMAIL PROTECTED] http://www.rulesemporium.com
Re: Rulesemporium
Robert - eLists wrote: Praise God Almighty! We were able to spend more than a few seconds and many click on the rulesemporium website. Awesome. As it says, was it moved over to vr.org ??? A couple years ago... yup. Which is now netactuate.com -- Dallas Engelken [EMAIL PROTECTED] http://uribl.com
3.2 timeouts
Hi everyone, I'm curious to know if there's a bug of some sort with 3.2. These are the symptoms I experience: I get spamd time-outs all over the place, and when I do a netstat I have dozens of connections to port 783 in the FIN_WAIT stage and it just hangs till they time out. I had this problem with my FreeBSD 5.5 box, but I thought it was just something wrong with the OS (since it was my first server I ever configured), so I went back to 3.1.8 and all went well. Now that I have my new server bsd 6.2 I have the same issues again, so I just downgraded to 3.1.8 and the time-outs stopped and everything is working. Is there something extra that I'm overlooking when running anything above 3.1.8 that may be causing this? I run site-wide config.

Bsd 6.2
Clamav 4.67
SA 3.1.8

Jean-Paul
Re: Rulesemporium
On Wednesday 11 July 2007, SARE Webmaster wrote: There has been discussion of taking down the public site, opening something new (private access, invite only, acl by ip, etc), in hopes to avoid ddos and provide better services, more frequent rule updates, and so on. We are trying our best to keep it alive, but there is only so much we can do with the limited time and resources we have.

How about releasing the ruleset via torrent or something similar. Anything that you could do to distribute the load and location would make a ddos attack less effective. While there might not be a lot of people on this list who can use their server to take on the entire DDOS for you, there are a LOT of servers here that could participate in a pool. Maybe a DNS round robin? Just some ideas. -- Phil Barnett AI4OF SKCC #600
Re: OT: Motivating good behavior from negligent ISP's
On Wednesday 11 July 2007, Philip Prindeville wrote: Michele Neylon :: Blacknight wrote: Philip Prindeville wrote: No joy. How long ago did you report it? Which time? It happens regularly, and it's been going on over a month. Ok. That changes things, but you didn't say anything in your post about it going on for a month I note also that they aren't using exponential back-off with a 2 hour maximum retry interval as suggested by the RFC's: Jul 11 00:08:19 mail mimedefang.pl[26738]: filter_relay rejected host 194.250.131.236 (smtp-wifi.orange.fr) (snip) We've started to take defensive measures... That would earn them a rule in my firewall. -- Phil Barnett AI4OF SKCC #600
Re: Rulesemporium
On 7/12/2007 12:50 AM, Phil Barnett wrote: On Wednesday 11 July 2007, SARE Webmaster wrote: There has been discussion of taking down the public site, opening something new (private access, invite only, acl by ip, etc), in hopes to avoid ddos and provide better services, more frequent rule updates, and so on. We are trying our best to keep it alive, but there is only so much we can do with the limited time and resources we have.

How about releasing the ruleset via torrent or something similar. Anything that you could do to distribute the load and location would make a ddos attack less effective. While there might not be a lot of people on this list who can use their server to take on the entire DDOS for you, there are a LOT of servers here that could participate in a pool. Maybe a DNS round robin? Just some ideas.

hey great ideas - who volunteers to set up the Torrent stuff and manage it all ? -- Spammer Hell has not DSL
Re: OT: Motivating good behavior from negligent ISP's
Phil Barnett wrote: On Wednesday 11 July 2007, Philip Prindeville wrote: Michele Neylon :: Blacknight wrote: Philip Prindeville wrote: No joy. How long ago did you report it? Which time? It happens regularly, and it's been going on over a month. Ok. That changes things, but you didn't say anything in your post about it going on for a month I note also that they aren't using exponential back-off with a 2 hour maximum retry interval as suggested by the RFC's: Jul 11 00:08:19 mail mimedefang.pl[26738]: filter_relay rejected host 194.250.131.236 (smtp-wifi.orange.fr) (snip) We've started to take defensive measures... That would earn them a rule in my firewall. But back to my original question: What are the websites to get them RBL blacklisted? How does one nominate them to a place of infamy? -Philip
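The back-off observation quoted in this thread can be checked from the MIMEDefang log itself by measuring the gaps between rejected connections from each address. The following is an added example, not code from any poster: the log lines are constructed in the format quoted above using documentation address ranges, and the growth factor of 1.5, the four-attempt minimum and the assumed year are illustrative parameters; the 7200-second cap mirrors the 2 hour maximum mentioned in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the thread.
SAMPLE_LOG = """\
Jul 11 00:08:19 mail mimedefang.pl[26738]: filter_relay rejected host 192.0.2.10 (mx-a.example.net)
Jul 11 00:09:20 mail mimedefang.pl[26741]: filter_relay rejected host 192.0.2.10 (mx-a.example.net)
Jul 11 00:10:00 mail mimedefang.pl[26750]: filter_relay rejected host 198.51.100.7 (mx-b.example.org)
Jul 11 00:10:21 mail mimedefang.pl[26752]: filter_relay rejected host 192.0.2.10 (mx-a.example.net)
Jul 11 00:11:19 mail mimedefang.pl[26760]: filter_relay rejected host 192.0.2.10 (mx-a.example.net)
Jul 11 00:12:00 mail sendmail[32044]: l6BHUb3j032044: Milter: connect: host=mx-a.example.net, addr=192.0.2.10, rejecting commands
Jul 11 00:15:00 mail mimedefang.pl[26771]: filter_relay rejected host 198.51.100.7 (mx-b.example.org)
Jul 11 00:25:00 mail mimedefang.pl[26790]: filter_relay rejected host 198.51.100.7 (mx-b.example.org)
Jul 11 00:45:00 mail mimedefang.pl[26811]: filter_relay rejected host 198.51.100.7 (mx-b.example.org)
"""

REJECT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ mimedefang\.pl\[\d+\]: "
    r"filter_relay rejected host (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<name>[^)]*)\)")


def reject_times(log_text, year=2007):
    """Map each rejected relay IP to the sorted timestamps of its rejections."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            seen[m["ip"]].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return {ip: sorted(stamps) for ip, stamps in seen.items()}


def gaps(times):
    """Seconds between consecutive attempts."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def backs_off(intervals, factor=1.5, cap=7200):
    """True if every gap grows by `factor` over the previous one, up to `cap` seconds."""
    return all(b >= min(a * factor, cap) for a, b in zip(intervals, intervals[1:]))


def hammering_hosts(log_text, min_attempts=4):
    """Return {ip: gaps} for hosts with enough rejections whose gaps do not keep growing."""
    flagged = {}
    for ip, times in reject_times(log_text).items():
        intervals = gaps(times)
        if len(times) >= min_attempts and not backs_off(intervals):
            flagged[ip] = intervals
    return flagged


if __name__ == "__main__":
    print(hammering_hosts(SAMPLE_LOG))
```

The gaps measure connection cadence per address, so a relay delivering several queued messages will look busier than its per-message retry schedule.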
Re: Rulesemporium
Phil Barnett wrote: How about releasing the ruleset via torrent or something similar. Anything that you could do to distribute the load and location would make a ddos attack less effective. While there might not be a lot of people on this list who can use their server to take on the entire DDOS for you, there are a LOT of servers here that could participate in a pool. Or another thing would be to look at anycast, http://en.wikipedia.org/wiki/Anycast matt
Re: Rulesemporium
On Wednesday 11 July 2007, Yet Another Ninja wrote: On 7/12/2007 12:50 AM, Phil Barnett wrote: On Wednesday 11 July 2007, SARE Webmaster wrote: There has been discussion of taking down the public site, opening something new (private access, invite only, acl by ip, etc), in hopes to avoid ddos and provide better services, more frequent rule updates, and so on. We are trying our best to keep it alive, but there is only so much we can do with the limited time and resources we have.

How about releasing the ruleset via torrent or something similar. Anything that you could do to distribute the load and location would make a ddos attack less effective. While there might not be a lot of people on this list who can use their server to take on the entire DDOS for you, there are a LOT of servers here that could participate in a pool. Maybe a DNS round robin? Just some ideas.

hey great ideas - who volunteers to set up the Torrent stuff and manage it all ?

Thinking further, torrent is not exactly what is needed. Torrents need to be reseeded for every change, so that's a maintenance nightmare. RSS has some of the pieces, but I'm not sure if it can be just a file delivery method. rsync has obvious benefits in reducing bandwidth, but doesn't have any security built into it. I think some brainstorming to come up with a peer distributed subscription service is the starting point. If there isn't one, that's the next battle. We can't be the first people to come up against this problem. How have others solved it? -- Phil Barnett AI4OF SKCC #600
Re: Rulesemporium
At 04:00 PM 7/11/2007, Yet Another Ninja wrote: hey great ideas - who volunteers to setup the Torrent stuff and manage it all ? I wouldn't know how to do that, but would be willing to offer some of my tiny server and bandwidth to the cause. Current system is OS X Server, but will be ported to Ubuntu when I get new hardware. -- Jerry Durand, Durand Interstellar, Inc. www.interstellar.com tel: +1 408 356-3886, USA toll free: 1 866 356-3886 Skype: jerrydurand
PDF Decoder - Show of concept
Hi, what I'm going to show you is purely show or proof of concept - there is no way you should use the code in a production environment, because it most likely has exploitable bugs as well as inaccuracies that will not be able to parse all mail properly. I put this together within around an hour to show how it's possible to cope with pdf spam - the script completely decodes the pdf attachment into text and images and reattaches them. Like this the text is fully available to all means of sa processing, as well as the images to FuzzyOCR, if installed. The code is php, because that's easiest for me to write. It also has a nice side effect, that you are able to see the text from a pdf without having to open it ;-) If someone could make a sa plugin that can do the same thing in a clean and safe manner, this would be great, arni

Content-type: text/html
X-Powered-By: PHP/4.3.9

<?php
// Read the message and normalise CRLF line endings to LF.
$mail = str_replace("\r\n", "\n", join('', file("test.eml")));
list($header, $body) = explode("\n\n", $mail, 2);

// Find the MIME boundary and split the body into its parts.
preg_match("/boundary=\"([^\"]*)\"/m", $mail, $border);
$border = $border[1];
$parts = preg_split("/-*" . preg_quote($border, "/") . "-*/", $body);
array_shift($parts);   // drop the preamble
array_pop($parts);     // drop the text after the closing boundary
$mailout = $header . "\n\n";

foreach ($parts as $part) {
    list($phead, $pbody) = explode("\n\n", $part, 2);
    // Copy the original part through unchanged.
    $mailout .= "--$border";
    $mailout .= $part;
    if (strpos($phead, "pdf") !== false) {
        // Write the decoded PDF to a uniquely named temporary file.
        $binary = base64_decode($pbody);
        $tmpname = uniqid("pdfdec");
        $out = fopen("$tmpname.pdf", "w");
        fputs($out, $binary);
        fclose($out);

        // Extract the text and attach it as an HTML part.
        exec("pdftotext -htmlmeta -nopgbrk $tmpname.pdf $tmpname.txt 2> /dev/null");
        $text = join('', file("$tmpname.txt"));
        unlink("$tmpname.txt");
        if (trim(strip_tags($text)) != "") {
            $mailout .= "--$border\n";
            $mailout .= "Content-Type: text/html; charset = \"iso-8859-1\"\nContent-Transfer-Encoding: 8bit\nContent-Disposition: attachment; filename=\"pdftext.htm\"\n\n";
            $mailout .= $text . "\n";
        }

        // Extract the images (JPEG as-is, everything else as PPM) and attach them.
        exec("pdfimages -j $tmpname.pdf $tmpname 2> /dev/null");
        $cnt = 0;
        $handle = opendir('.');
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != ".." && is_file($file)) {
                // Only touch files that belong to this temporary name.
                if (substr($file, 0, strlen($tmpname)) == $tmpname) {
                    @list($name, $ext) = explode(".", $file);
                    if ($ext == "ppm") {
                        // Convert PPM to GIF before attaching.
                        exec("ppmtogif $file > $file.gif 2> /dev/null");
                        $binary = join('', file("$file.gif"));
                        unlink("$file.gif");
                        $mailout .= "--$border\n";
                        $mailout .= "Content-Type: image/gif;\nContent-Transfer-Encoding: base64\nContent-Disposition: attachment; filename=\"pdfimage$cnt.gif\"\n\n";
                        $cnt++;
                        $mailout .= wordwrap(base64_encode($binary), 76, "\n", 1) . "\n";
                    } elseif ($ext == "jpg") {
                        $binary = join('', file($file));
                        $mailout .= "--$border\n";
                        $mailout .= "Content-Type: image/jpeg;\nContent-Transfer-Encoding: base64\nContent-Disposition: attachment; filename=\"pdfimage$cnt.jpg\"\n\n";
                        $cnt++;
                        $mailout .= wordwrap(base64_encode($binary), 76, "\n", 1) . "\n";
                    }
                    // Remove the temporary file, including the PDF itself.
                    unlink($file);
                }
            }
        }
        closedir($handle);
    }
}

// Close the multipart body and write the rewritten message.
$mailout .= "--$border--\n";
$out = fopen("out.eml", "w");
fputs($out, $mailout);
fclose($out);
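The post warns that the script probably has exploitable bugs; the usual ones in this kind of filter are predictable temporary names in a shared directory, command strings passed to a shell, and unbounded input. The following is an added Python sketch of only the PDF-to-text step with those points addressed; it is not arni's code and not a SpamAssassin plugin. The function names, the 5 MB cap, the 20 second timeout and the sample message are assumptions made for the example, and pdftotext is the same poppler tool the script calls.

```python
import base64
import email
import email.policy
import os
import subprocess
import tempfile

MAX_PDF_BYTES = 5 * 1024 * 1024   # assumed cap on attachment size

# Constructed sample message; the attachment is a stand-in, not a real PDF.
_PDF = b"%PDF-1.4 constructed"
SAMPLE = (
    b"From: sender@example.com\r\nSubject: offer\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    b'--b1\r\nContent-Type: application/pdf; name="offer.pdf"\r\n'
    b'Content-Disposition: attachment; filename="offer.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(_PDF) + b"\r\n--b1--\r\n")


def run_pdftotext(pdf_path, workdir):
    """Run pdftotext with an argument list (no shell) and a bounded runtime."""
    txt_path = os.path.join(workdir, "out.txt")
    subprocess.run(["pdftotext", "-nopgbrk", pdf_path, txt_path],
                   check=True, timeout=20,
                   stdin=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    with open(txt_path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def pdf_texts(raw_message, converter=run_pdftotext):
    """Return [(filename, text)] for each PDF attachment in a raw message."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "application/pdf":
            continue
        data = part.get_payload(decode=True) or b""
        # Skip parts that are oversized or do not start with the PDF magic.
        if len(data) > MAX_PDF_BYTES or not data.startswith(b"%PDF-"):
            continue
        # Private, randomly named directory; removed when the block exits.
        with tempfile.TemporaryDirectory(prefix="pdfdec-") as workdir:
            pdf_path = os.path.join(workdir, "in.pdf")   # fixed name, never the sender's
            with open(pdf_path, "wb") as fh:
                fh.write(data)
            try:
                text = converter(pdf_path, workdir)
            except (OSError, subprocess.SubprocessError):
                continue   # converter missing, failed or timed out
        # The sender-supplied filename is used only as a label in the result.
        results.append((part.get_filename() or "unnamed.pdf", text.strip()))
    return results
```
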
Re: Rulesemporium
From: Phil Barnett [EMAIL PROTECTED] On Wednesday 11 July 2007, Yet Another Ninja wrote: On 7/12/2007 12:50 AM, Phil Barnett wrote: On Wednesday 11 July 2007, SARE Webmaster wrote: There has been discussion of taking down the public site, opening something new (private access, invite only, acl by ip, etc), in hopes to avoid ddos and provide better services, more frequent rule updates, and so on. We are trying our best to keep it alive, but there is only so much we can do with the limited time and resources we have.

How about releasing the ruleset via torrent or something similar. Anything that you could do to distribute the load and location would make a ddos attack less effective. While there might not be a lot of people on this list who can use their server to take on the entire DDOS for you, there are a LOT of servers here that could participate in a pool. Maybe a DNS round robin? Just some ideas.

hey great ideas - who volunteers to set up the Torrent stuff and manage it all ?

Thinking further, torrent is not exactly what is needed. Torrents need to be reseeded for every change, so that's a maintenance nightmare. RSS has some of the pieces, but I'm not sure if it can be just a file delivery method. rsync has obvious benefits in reducing bandwidth, but doesn't have any security built into it. I think some brainstorming to come up with a peer distributed subscription service is the starting point. If there isn't one, that's the next battle. We can't be the first people to come up against this problem. How have others solved it?

# source is the host URL directory, e.g. http://www.rulesemporium.com/rules/
# file is the file, e.g. 88_FVGT_subject.cf
if [ -e "$file" ]; then
    # the file already exists
    /usr/bin/wget -r -l 1 -nd -N "$source$file"
else
    /usr/bin/wget -l 1 -nd -N "$source$file"
fi

Several times in the last day or so - nary a problem if I have that silly one second delay in there between files. {o.o}
Re: PDF Decoder - Show of concept
On Thu, Jul 12, 2007 at 04:00:33AM +0200, arni wrote: I put this together within around an hour to show how it's possible to cope with pdf spam - the script completely decodes the pdf attachment into text and images and reattaches them. Like this the text is fully available to all means of sa processing, as well as the images to FuzzyOCR, if installed.

Please don't do that (adding in new message parts), btw. There's a 3.2 plugin call (post_message_parse, per bug 5069) which was specifically added such that plugins can manipulate messages after the initial parse has completed. This allows for things like OCR of images and PDF-text, and the rendered text can go right in the message part, and then gets included automatically by SA as body text and so is available for body rules, uri parsing, etc.

-- Randomly Selected Tagline: Never go off on tangents, which are lines that intersect a curve at only one point and were discovered by Euclid, who live in the 6th century, which was an era dominated by the Goths, who lived in what we now know as Poland. - Unknown from Nov. 1998 issue of Infosystems Executive.