Re: Improve the score of this mail?
> feed them to 'spamassassin -r'

i do that when i get them

> ... do you use SOUGHT rules?

i don't use these rules no - is there a howto regarding these as google is letting me down a bit?

thanks
Re: Improve the score of this mail?
On Mon, 2008-12-08 at 11:38 +, Tom Brown wrote:
> > feed them to 'spamassassin -r'
>
> i do that when i get them
>
> > ... do you use SOUGHT rules?
>
> i don't use these rules no - is there a howto regarding these as google is letting me down a bit?

http://taint.org/2007/08/15/004348a.html

--
Daniel J McDonald [EMAIL PROTECTED]
Re: Improve the score of this mail?
> i don't use these rules no - is there a howto regarding these as google is letting me down a bit?

sorry - i must be going mad as i do already use these rules.
Re: Improve the score of this mail?
On 08.12.08 10:51, Tom Brown wrote:
> I am getting a few mails through with the same format as the one that's attached. Is there much i can do to increase the scores on this type of mail?
>
> It triggered these scores as it stands.
>
> X-Spam-Status: No, score=3.2 tagged_above=-100 required=5 tests=[BAYES_50=2.5, RDNS_NONE=0.7]

feed them to 'spamassassin -r'

... do you use SOUGHT rules?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.
Re: Single URI spam not checked against URIBLs
On Sat, 2008-12-06 at 18:22 -0500, Theo Van Dinter wrote:
> On Sat, Dec 06, 2008 at 11:16:03PM +0100, Wolfgang Zeikat wrote:
> > Could you describe more elaborately how you did that?
>
> You may wish to take a look at cpan2rpm, fwiw.

deprecated. look at cpan2dist if you are running perl 5.10

--
Daniel J McDonald - CCIE #2495, CISSP # 78281, CNX
Re: Improve the score of this mail?
On 08.12.08 13:13, Tom Brown wrote:
> > i don't use these rules no - is there a howto regarding these as google is letting me down a bit?
>
> sorry - i must be going mad as i do already use these rules.

and do you use spf, uribl, dcc, razor, pyzor and optionally other network rules (e.g. ixhash)?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
need help with spamassassin URI rule
Hi,

I was hoping someone on this list could help me with a custom rule for SpamAssassin. I'm not an expert at perl regexps at all, and spent a lot of time trying to come up with a working match, all to no avail...

What I would like to match on is URLs that do _not_ start with a third level domain entry, and end with .com, .biz, .info, etc. For example, http://hello.com/ (followed by more stuff) would match, and http://www.hello.com/{...} would _not_ match.

Actually another way of looking at it is just matching on a single domain, without any preceding ., so basically //domain.ext/ is what I want to match for, and if there is a preceding . in front of domain, that would cause it to not match. So http://foo.bar.net/ would not match, but http://bar.net/ would.

Is this possible with perl regexps? I've spent hours trying variations of different URI rules, but none of them work (they always match the www. as well). Here are some of my feeble attempts:

[^w]{3}.*\.com\/
^(?:http?:\/\/)?[^\/]+(?!\/www)\.[^.]{7,}\.com\/
(?!www\.) ... [^\/]+(?!\/www)\.{1,}\.com\/

Some of the dot only checks I tried:

(?!\.)\w+?\.com
([^\.])\w+.*\.com\/

Again none of these work :-(

I really appreciate any help you could provide!

.dh

--
View this message in context: http://www.nabble.com/need-help-with-spamassassin-URI-rule-tp20897907p20897907.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: need help with spamassassin URI rule
On Mon, 8 Dec 2008, Dennis Hardy wrote:
> What I would like to match on is URLs that do _not_ start with a third level domain entry, and end with .com, .biz, .info, etc. For example, http://hello.com/ (followed by more stuff) would match, and http://www.hello.com/{...} would _not_ match.
>
> Some of the dot only checks I tried:
>
> (?!\.)\w+?\.com
> ([^\.])\w+.*\.com\/
>
> Again none of these work :-(

How about:

/:\/\/[^.\/]+\.[^\.\/]+\//

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Perfect Security and Absolute Safety are unattainable; beware those who would try to sell them to you, regardless of the cost, for they are trying to sell you your own slavery.
---
7 days until Bill of Rights day
Re: need help with spamassassin URI rule
On Mon, Dec 08, 2008 at 08:52:46AM -0800, John Hardin wrote:
> On Mon, 8 Dec 2008, Dennis Hardy wrote:
> > What I would like to match on is URLs that do _not_ start with a third level domain entry, and end with .com, .biz, .info, etc. For example, http://hello.com/ (followed by more stuff) would match, and http://www.hello.com/{...} would _not_ match.
> >
> > Some of the dot only checks I tried:
> >
> > (?!\.)\w+?\.com
> > ([^\.])\w+.*\.com\/
> >
> > Again none of these work :-(
>
> How about:
>
> /:\/\/[^.\/]+\.[^\.\/]+\//

To be more specific: Hostname may end optionally to a dot, with :port, /slash or nothing following

m{^https?://[^.:/]+\.[^.:/]+\.?(?:$|[:/])}
Re: need help with spamassassin URI rule
> How about:
>
> /:\/\/[^.\/]+\.[^\.\/]+\//

Hi John, sweet, this seems to work! Could you help me with how to add a list of com|net|info|biz|etc before the closing /, so it will match against a list of known TLDs?

Many thanks, you are awesome :-)

.dh

--
View this message in context: http://www.nabble.com/need-help-with-spamassassin-URI-rule-tp20897907p20899285.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: need help with spamassassin URI rule
On Mon, 8 Dec 2008, Dennis Hardy wrote:
> > How about:
> >
> > /:\/\/[^.\/]+\.[^\.\/]+\//
>
> Hi John, sweet, this seems to work! Could you help me with how to add a list of com|net|info|biz|etc before the closing /, so it will match against a list of known TLDs?

/:\/\/[^.\/]+\.(?:com|net|info|biz|etc)\//

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George
---
7 days until Bill of Rights day
Re: need help with spamassassin URI rule
Henrik K wrote:
> To be more specific: Hostname may end optionally to a dot, with :port, /slash or nothing following
>
> m{^https?://[^.:/]+\.[^.:/]+\.?(?:$|[:/])}

Could anyone please provide a reference or explanation of the use of m{blah} in spamassassin uri rules?

Thanks
Re: need help with spamassassin URI rule
Ned Slider wrote:
> Henrik K wrote:
> > To be more specific: Hostname may end optionally to a dot, with :port, /slash or nothing following
> >
> > m{^https?://[^.:/]+\.[^.:/]+\.?(?:$|[:/])}
>
> Could anyone please provide a reference or explanation of the use of m{blah} in spamassassin uri rules?
>
> Thanks

Answering my own question courtesy of a previous post (below) by Matt Kettler:

[quote]
They are the delimiters. Instead of using a pair of / to delimit the regex they used curly braces. It's somewhat rare to see this done, but it's sometimes convenient. When you prefix with the match operator (that m at the beginning) you can use almost any character you want as a delimiter instead of forward slash. This way you can do http:// without having to escape it as http:\/\/ like you would in most normal / delimited rule.
[/quote]

Thanks Matt!
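An added example, not part of any post in this thread: a small Perl harness that runs the three rule bodies posted above over constructed URIs, so the differences between the unanchored /.../ form and the anchored m{...} form can be seen side by side. The rule labels, the sample URIs and the four-entry TLD list are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: compare the rule bodies from the thread on sample URIs.
use strict;
use warnings;

# Patterns as posted, rewritten with qr{} so the slashes need no escaping.
# The TLD alternation is shortened to four entries (assumption).
my @rules = (
    [ hardin     => qr{://[^./]+\.[^\./]+/} ],
    [ hardin_tld => qr{://[^./]+\.(?:com|net|info|biz)/} ],
    [ henrik     => qr{^https?://[^.:/]+\.[^.:/]+\.?(?:$|[:/])} ],
);

# Constructed URIs, each labelled with the case it exercises.
my @uris = (
    [ 'bare two-label host'     => 'http://hello.com/page' ],
    [ 'www prefix'              => 'http://www.hello.com/page' ],
    [ 'no path, no slash'       => 'http://hello.com' ],
    [ 'explicit port'           => 'http://hello.com:8080/page' ],
    [ 'trailing dot on host'    => 'http://hello.com./page' ],
    [ 'two-label public suffix' => 'http://hello.co.uk/page' ],
    [ 'URL embedded in a query' => 'http://www.hello.com/r?u=http://hello.com/' ],
);

# Return the labels of the rules whose pattern matches the URI.
sub hits {
    my ($uri) = @_;
    return map { $_->[0] } grep { $uri =~ $_->[1] } @rules;
}

for my $case (@uris) {
    my ($label, $uri) = @$case;
    my @hit = hits($uri);
    printf "%-26s %-44s %s\n", $label, $uri, @hit ? join(',', @hit) : 'none';
}
```

The query-string case separates the unanchored patterns, which match the embedded URL, from the anchored one, which does not. The hello.co.uk case is matched by none of them: counting labels cannot tell a bare registered domain under a two-label suffix from a host with a subdomain.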
RE: Auto-whitelist not closing file
On Mon, Dec 01, 2008 at 03:42:05PM -0500, Dan Barker wrote:
> This issue, apparently, has been a problem for me for several Spamassassin releases, but I just now figured out what may be happening. I've been closing spamd once per hour, just to make it read new local.cf, notice sa-update changes, etc., but occasionally my system can't start new tasks (usually error 0xC142, very occasionally 0xC005 - This is under Windoze, W2K Server/SP4). Closing/Opening spamd also forces closed all the file handles spamd appears to be abandoning un-closed.
>
> I'm currently running SpamAssassin 3.2.5 under Activestate perl 5.8.8.822.
>
> It appears that spamd fails to close the file handle to bayes_seen or auto-whitelist when it's done with it.
>
> spamd -x -D, filtered on auto-whitelist shows:
>
> --- 9 line(2) not displayed ---
> [1504] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
> [1504] dbg: auto-whitelist: DB addr list: file locked, breaking lock
> [1504] dbg: locker: safe_unlock: unlink C:\Documents and Settings\dbarker/.spamassassin/auto-whitelist.lock
> --- 370 line(2) not displayed ---
> [1504] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
> [1504] dbg: auto-whitelist: DB addr list: file locked, breaking lock
> [1504] dbg: locker: safe_unlock: unlink C:\Documents and Settings\dbarker/.spamassassin/auto-whitelist.lock
> --- 37 line(2) not displayed ---
>
> Process Explorer (from SysInternals-Great tool!) shows the file handle to C:\Documents and Settings\dbarker\.spamassassin\auto-whitelist remains open even after spamd is finished and remains so until spamd is closed. This occurs both for auto-whitelist and bayes_seen files.
>
> How do I go about trapping this error in locker? (Specifically, how do I figure out who Called locker, to find the code that's not closing the file it opened?)
>
> Has anyone else run into this sort of issue?

On Mon, Dec 01, 2008 15:51 -0500 Theo Van Dinter wrote:
> The last time this sort of issue came up, it was traced back to a bug in DB_File. Specifically, the untie call would actually not let go of the DB. SA doesn't actually open the database files itself, it lets tie/untie (DB_File) deal with it.

I've been unsuccessful in figuring out how even to trap this problem. My spamd's run about 200 messages before I cycle them to reclaim the resources. In that time, there are about 40 handles to the file c:\Imail\Visioncomm.net\bayes_seen not closed. There are occasional un-closed handles to auto-whitelist (I can cause this error at will - I can't seem to make bayes_seen remain open in a test setting - hopefully it's the same issue).

Does anyone have any ideas about how I might (or even if I should) proceed on getting this bug resolved?

Dan Barker
Re: Live.space and Sourceforge
--On Sunday, December 07, 2008 7:45 AM -0500 Michael Scheidell [EMAIL PROTECTED] wrote:
> Thanks for the uri rule. It is tighter than the one I cobbled together.

I'm successfully using an even tighter one posted by Daryl C. W. O'Shea on October 18, with a minor adjustment:

http://ruleqa.spamassassin.org/20081017-r705513-n/DOS_LIVE_SPACES_CID/detail

My version:

uri KP_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\//

The variant part is a string of hex digits, so this could be even tighter.
Re: Live.space and Sourceforge
Kenneth Porter wrote:
> --On Sunday, December 07, 2008 7:45 AM -0500 Michael Scheidell [EMAIL PROTECTED] wrote:
> > Thanks for the uri rule. It is tighter than the one I cobbled together.
>
> I'm successfully using an even tighter one posted by Daryl C. W. O'Shea on October 18, with a minor adjustment:
>
> http://ruleqa.spamassassin.org/20081017-r705513-n/DOS_LIVE_SPACES_CID/detail
>
> My version:
>
> uri KP_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\//
>
> The variant part is a string of hex digits, so this could be even tighter.

I've seen plenty of variants that won't catch. A quick grep of my spam from the last month or so shows this would catch more:

uri KP_LIVE_SPACES_CID /^http:\/\/.{6,20}\.spaces\.live\.com\//

but may also catch more potential FPs too. I guess it depends how aggressive or cautious you want to be.
Re: Live.space and Sourceforge
On Mon, 8 Dec 2008, Kenneth Porter wrote:
> uri KP_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\//
>
> The variant part is a string of hex digits, so this could be even tighter.

Nothing else? Here's two versions:

uri KP_LIVE_SPACES_CID /^http:\/\/cid-\w{10,20}\.spaces\.live\.com\//

uri KP_LIVE_SPACES_CID /^http:\/\/cid-[[:xdigit:]]{10,20}\.spaces\.live\.com\//

Also: case sensitivity?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It is not the place of government to make right every tragedy and woe that befalls every resident of the nation.
---
7 days until Bill of Rights day
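An added example, not taken from any post in this thread: the rule bodies discussed above, run over constructed URIs to show how much each character class admits. The rule labels, the sample URIs and the /i variant are assumptions made for the illustration; the POSIX class is written inside a bracket expression, [[:xdigit:]], which is the form Perl requires.

```perl
#!/usr/bin/perl
# Added example: how wide each Live Spaces rule body from the thread is.
use strict;
use warnings;

my @rules = (
    [ dot      => qr!^http://cid-.{10,20}\.spaces\.live\.com/! ],
    [ word     => qr!^http://cid-\w{10,20}\.spaces\.live\.com/! ],
    [ xdigit   => qr!^http://cid-[[:xdigit:]]{10,20}\.spaces\.live\.com/! ],
    # Same as xdigit with /i, for the case-sensitivity question (assumption).
    [ xdigit_i => qr!^http://cid-[[:xdigit:]]{10,20}\.spaces\.live\.com/!i ],
    [ loose    => qr!^http://.{6,20}\.spaces\.live\.com/! ],
);

# Constructed URIs; none come from real mail.
my @uris = (
    [ 'hex cid'            => 'http://cid-0123456789abcdef.spaces.live.com/' ],
    [ 'word chars, no hex' => 'http://cid-not_hex_but_word.spaces.live.com/' ],
    [ 'dots inside cid'    => 'http://cid-a.b.c.d.e.f.spaces.live.com/' ],
    [ 'named space'        => 'http://someblog.spaces.live.com/' ],
    [ 'path on other host' => 'http://example.org/x.spaces.live.com/' ],
    [ 'upper-case URI'     => 'HTTP://CID-0123456789ABCDEF.SPACES.LIVE.COM/' ],
);

# Return the labels of the rules whose pattern matches the URI.
sub hits {
    my ($uri) = @_;
    return map { $_->[0] } grep { $uri =~ $_->[1] } @rules;
}

for my $case (@uris) {
    my ($label, $uri) = @$case;
    my @hit = hits($uri);
    printf "%-20s %-46s %s\n", $label, $uri, @hit ? join(',', @hit) : 'none';
}
```

Because . also matches / and further dots, the .{6,20} form can hit a path on an unrelated host, which is the false-positive risk raised above; the \w and [[:xdigit:]] forms cannot cross a dot or a slash.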
Inconsistent RBL checks
Hi all,

I've run into a weird situation where spamassassin will (seemingly randomly) only do certain RBL checks. The following are all the same spam message (1.txt), executed ~30 seconds apart:

$ spamc -y 1.txt
AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RDNS_DYNAMIC,URI_HEX

$ spamc -y 1.txt
AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,URI_HEX

$ spamc -y 1.txt
AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RDNS_DYNAMIC,URI_HEX

I've done it with spamd in debug mode and there's never any warnings or errors about it not doing certain checks, it seems to just leave them out.

Any thoughts on why this might happen?

Cheers,
James

--
James Grant
Lightbox Technologies
312-240 Catherine St.
Ottawa, ON. K2P 2G8
http://www.lightbox.org
[EMAIL PROTECTED]
613-686-1661 x101
Re: Inconsistent RBL checks
On 08/12/2008 7:09 PM, James Grant wrote:
> Hi all,
>
> I've run into a weird situation where spamassassin will (seemingly randomly) only do certain RBL checks. The following are all the same spam message (1.txt), executed ~30 seconds apart:
>
> $ spamc -y 1.txt
> AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RDNS_DYNAMIC,URI_HEX
>
> $ spamc -y 1.txt
> AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,URI_HEX
>
> $ spamc -y 1.txt
> AWL,BAYES_50,DRUGS_ANXIETY,DRUGS_ANXIETY_EREC,DRUGS_ERECTILE,FR_ALMOST_VIAG2,FUZZY_VPILL,HTML_MESSAGE,RDNS_DYNAMIC,URI_HEX
>
> I've done it with spamd in debug mode and there's never any warnings or errors about it not doing certain checks, it seems to just leave them out.
>
> Any thoughts on why this might happen?

Assuming the results were obtained in that order, my first guess would be an overloaded DNS recursive server and/or a congested Internet connection.

What's the spamd DNS related timing debug output say? What are you using for DNS service for your spamd machine?

Daryl
sought rules updates
Has anyone seen any updates to the sought rules lately? It seems like it's been about 4 or 5 days now since I've seen any via sa-update.

--
Chris
KeyID 0xE372A7DA98E6705C
Re: Detecting Porn photos
Has anyone tried this?

http://prag.diee.unica.it/n3ws1t0/imageCerberus

On Friday 28 November 2008 09:52:22 Karsten Bräckelmann wrote:
> On Thu, 2008-11-27 at 22:44 -0600, Luis Daniel Lucio Quiroz wrote:
> > I wonder if there is any module for SA to detect pornographic photos, not only OCR.
>
> Not that I know -- and it wouldn't be easy to do...
>
> Anyway, unless you're just curious, it's the wrong question IMHO. The real question is, why do they slip by for you. We might be able to help and give some hints, if you provide some details about your setup and most importantly spamples [1].
>
> Haven't seen porn in spam for a long time...
>
> guenther
>
> [1] Full spam message including headers. Put them up a pastebin that supports showing the *raw* paste or your own web server.