Re: HELO checks give too high score together

2009-02-21 Thread mouss
Matus UHLAR - fantomas wrote:
 On 20.02.09 19:26, Matt Kettler wrote:
 Since you're bouncing any off-list emails because you reject my entire
 ISP, I'm going to drop out of aiding on this matter.
 
 I'm not rejecting your ISP. I'm rejecting mail from addresses I could not
 complain back to.
 
 Fix your own domain's over-zealous behaviors first.
 
 Fix your domain's RFC conformity first

so you're complaining about a high score for an invalid helo coupled
with extremely weird 3-domains in a hop mail and at the same time
rejecting mail from a large ISP because of rfci listing?

if you're fighting for rfc compliance, reject both, and the issue is
closed ;-p


Re: HELO checks give too high score together

2009-02-21 Thread mouss
Matus UHLAR - fantomas wrote:
 On 21.02.09 12:18, mouss wrote:
 Matus UHLAR - fantomas wrote:
 On 20.02.09 19:26, Matt Kettler wrote:
 Since you're bouncing any off-list emails because you reject my entire
 ISP, I'm going to drop out of aiding on this matter.
 I'm not rejecting your ISP. I'm rejecting mail from addresses I could not
 complain back to.

 Fix your own domain's over-zealous behaviors first.
 Fix your domain's RFC conformity first
 so you're complaining about a high score for an invalid helo coupled
 with extremely weird 3-domains in a hop mail and at the same time
 rejecting mail from a large ISP because of rfci listing?

 if you're fighting for rfc compliance, reject both, and the issue is
 closed ;-p
 
 rejecting because HELO does not match violates RFC. case open.

I said invalid. a bare IP is invalid in helo, and has been since 822.


sa-update isn't changing date stamp.

2009-02-21 Thread Nathan

Hi all,

I have been running sa-update out of my weekly cron since you guys told me
how to, early last year!!  I noticed things aren't as good as they
were..  so ran the sa-update -D and noticed that there were a few
things that said failed, and the date stamps didn't alter on
updates_spamassassin_org.xxx


did I miss something, or has something broken, or are there just no
updates?  since dec last year??


Did a -D for you to see..

goaway:/var/lib/spamassassin/3.001007# ls -al
total 20
drwxr-xr-x 3 root root 4096 2008-12-03 18:01 .
drwxr-xr-x 3 root root 4096 2008-09-22 09:21 ..
drwxr-xr-x 2 root root 4096 2008-12-03 18:01 updates_spamassassin_org
-rw-r--r-- 1 root root 2200 2008-12-03 18:01 updates_spamassassin_org.cf
-rw-r--r-- 1 root root   43 2008-12-03 18:01 updates_spamassassin_org.pre


goaway:/var/lib/spamassassin/3.001007# sa-update -D
[9278] dbg: logger: adding facilities: all
[9278] dbg: logger: logging level is DBG
[9278] dbg: generic: SpamAssassin version 3.1.7-deb
[9278] dbg: config: score set 0 chosen.
[9278] dbg: message:  MIME PARSER START 
[9278] dbg: message: main message type: text/plain
[9278] dbg: message: parsing normal part
[9278] dbg: message: added part, type: text/plain
[9278] dbg: message:  MIME PARSER END 
[9278] dbg: dns: is Net::DNS::Resolver available? yes
[9278] dbg: dns: Net::DNS version: 0.59
[9278] dbg: generic: sa-update version svn454083
[9278] dbg: generic: using update directory: /var/lib/spamassassin/3.001007
[9278] dbg: diag: perl platform: 5.008008 linux
[9278] dbg: diag: module installed: Digest::SHA1, version 2.11
[9278] dbg: diag: module installed: HTML::Parser, version 3.55
[9278] dbg: diag: module installed: MIME::Base64, version 3.07
[9278] dbg: diag: module installed: DB_File, version 1.814
[9278] dbg: diag: module installed: Net::DNS, version 0.59
[9278] dbg: diag: module installed: Net::SMTP, version 2.29
[9278] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[9278] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[9278] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[9278] dbg: diag: module not installed: Net::Ident ('require' failed)
[9278] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[9278] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
[9278] dbg: diag: module installed: Time::HiRes, version 1.86
[9278] dbg: diag: module installed: DBI, version 1.53
[9278] dbg: diag: module installed: Getopt::Long, version 2.35
[9278] dbg: diag: module installed: LWP::UserAgent, version 2.033
[9278] dbg: diag: module installed: HTTP::Date, version 1.47
[9278] dbg: diag: module installed: Archive::Tar, version 1.30
[9278] dbg: diag: module installed: IO::Zlib, version 1.04
[9278] dbg: gpg: Searching for 'gpg'
[9278] dbg: util: current PATH is: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[9278] dbg: util: executable for gpg was found at /usr/bin/gpg
[9278] dbg: gpg: found /usr/bin/gpg
[9278] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
[9278] dbg: channel: attempting channel updates.spamassassin.org
[9278] dbg: channel: update directory /var/lib/spamassassin/3.001007/updates_spamassassin_org
[9278] dbg: channel: channel cf file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[9278] dbg: channel: channel pre file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[9278] dbg: channel: metadata version = 699146
[9278] dbg: dns: 7.1.3.updates.spamassassin.org = 699146, parsed as 699146
[9278] dbg: channel: current version is 699146, new version is 699146, skipping channel
[9278] dbg: diag: updates complete, exiting with code 1


goaway:/var/lib/spamassassin/3.001007# ls -al
total 20
drwxr-xr-x 3 root root 4096 2008-12-03 18:01 .
drwxr-xr-x 3 root root 4096 2008-09-22 09:21 ..
drwxr-xr-x 2 root root 4096 2008-12-03 18:01 updates_spamassassin_org
-rw-r--r-- 1 root root 2200 2008-12-03 18:01 updates_spamassassin_org.cf
-rw-r--r-- 1 root root   43 2008-12-03 18:01 updates_spamassassin_org.pre


Any advice??

N




Re: HELO checks give too high score together

2009-02-21 Thread Matus UHLAR - fantomas
  Matus UHLAR - fantomas wrote:
  I've received e-mail that received score 4.9 just because of the same
  problem - invalid HELO.
 
  *  2.8 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
  *  2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
 
  Received: from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67])
  by 8.hotelulipy.cz (Postfix) with SMTP id censored
  for censored; date
 
  I think that combination above hits way too much. 

  On 20.02.09 08:56, Matt Kettler wrote:
  Why is a bogus HELO being generated in the first place? i.e.: why is
  an address literal used, but not the correct address literal?

 Matus UHLAR - fantomas wrote:
  I guess this happens for hosts behind NAT, that do not know the real IP
  address under which they are accessing the internet.

On 21.02.09 02:19, mouss wrote:
 $ host 88.102.6.114
 114.6.102.88.in-addr.arpa domain name pointer 114.6.broadband7.iol.cz.
 
 Are
 - iol.cz
 - telenet.cz
 - hotelulipy.cz
 
 the same organisation?

 if not, this is direct to MX junk.

...your presumption that the Received: header is the only one is false.

 BTW. which (legitimate and not outdated) mail clients helo with a bare IP?

However I may look at the e-mail again and more deeply, if you think.

  I've not seen a legitimate mail client do this, so I'm actually rather
  curious as to what happened. In the set0 mass-checks, this rule had a
  S/O of 0.996, which is *VERY* good.
  
  I've just seen another one...
  
  However the main problem is that most HELO rules fire independently
  together

Ohh, that should be more, not most. Rephrasing: More rules checking the
very similar thing fire independently together. I guess that _the same_
error (invalid HELO) should not cause firing more rules with total score of
nearly 5 (sum of those two: 5.0 4.919 4.899 4.904)

I have already filed similar bug and it got resolved by removing one of
those rules (5682). You may also see bug 5488 concerning similar issue.

 try a meta that uses an AND and run a mass check. I'm sure I would get a
 score of 5 :)

I doubt so, unluckily I don't have corpus big enough to masschecks :(

If there were two rules checking for exactly the same thing, both scoring
2.5 (we'd wonder if they had different score, right?), their combination
would score 5.0, while meta rule matching both of them would get -2.5.

Can someone please try to do

meta RCVD_HELO_NUMERIC_MISMATCH (RCVD_HELO_IP_MISMATCH && RCVD_NUMERIC_HELO)

and check, or should I fill
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese. 


Re: HELO checks give too high score together

2009-02-21 Thread Matus UHLAR - fantomas
  On 21.02.09 12:18, mouss wrote:
  Matus UHLAR - fantomas wrote:
  On 20.02.09 19:26, Matt Kettler wrote:
  Since you're bouncing any off-list emails because you reject my entire
  ISP, I'm going to drop out of aiding on this matter.
  I'm not rejecting your ISP. I'm rejecting mail from addresses I could 
  not
  complain back to.
 
  Fix your own domain's over-zealous behaviors first.
  Fix your domain's RFC conformity first
  so you're complaining about a high score for an invalid helo coupled
  with extremely weird 3-domains in a hop mail and at the same time
  rejecting mail from a large ISP because of rfci listing?
 
  if you're fighting for rfc compliance, reject both, and the issue is
  closed ;-p

 Matus UHLAR - fantomas wrote:
  rejecting because HELO does not match violates RFC. case open.

On 21.02.09 12:32, mouss wrote:
 I said invalid. a bare IP is invalid in helo, and has been since 822.

good point, another thing to check for.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I intend to live forever - so far so good. 


Re: HELO checks give too high score together

2009-02-21 Thread Ned Slider

Matus UHLAR - fantomas wrote:



If there were two rules checking for exactly the same thing, both scoring
2.5 (we'd wonder if they had different score, right?), their combination
would score 5.0, while meta rule matching both of them would get -2.5.

Can someone please try to do

meta RCVD_HELO_NUMERIC_MISMATCH (RCVD_HELO_IP_MISMATCH && RCVD_NUMERIC_HELO)

and check, or should I fill


I don't really see the issue here. The mail failed on two counts and 
received a score for each. Each are separate issues and each are 
indicative of spam (or a grossly mis-configured MTA). IMHO they are 
scored appropriately.


If YOU want to adjust the scoring or write a meta rule to only trigger 
if both rules hit then of course YOU are free to do so.


Personally I would just reject mail outright at the smtp level that's 
not helo'ing correctly at the smtp level and not even let it near SA to 
start with. If a MTA can't conform to basic RFCs about how to correctly 
helo then it has no place sending mail.


If it's legitimate mail then I suspect the senders experience a lot of 
their mail not getting through. You'd think that would give them some 
incentive to fix things and conform to the RFCs.




Re: sa-update isn't changing date stamp.

2009-02-21 Thread Sahil Tandon
On Sat, 21 Feb 2009, Nathan wrote:

 I have running sa-update out of my weekly cron since you guys told me  
 how to, early last year!!  I noticed things aren't as good as they  
 were..  so ran the sa-update -D and noticed that there was a few things 
 that said failed, and the date stamps didn't alter on  
 updates_spamassassin_org.xxx

 did I miss something, or has something broken, or is there just no  
 updates?  since dec last year??

There are no updates for your old version of SA.  You can query (via DNS) for
the latest update per SA version:

  % dig +short TXT 7.1.3.updates.spamassassin.org
  699146

... and this information is also given to you in your sa-update output:

[...]

 [9278] dbg: channel: metadata version = 699146
 [9278] dbg: dns: 7.1.3.updates.spamassassin.org = 699146, parsed as 699146
 [9278] dbg: channel: current version is 699146, new version is 699146, skipping channel

If you had been running 3.2.5, the latest update would be 730418 which,
AFAIK, was back on Jan 3.

  % dig +short TXT 5.2.3.updates.spamassassin.org
  730418

-- 
Sahil Tandon sa...@tandon.net


Re: sa-update isn't changing date stamp.

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 11:37 +, Nathan wrote:
 I have running sa-update out of my weekly cron since you guys told me 
 how to, early last year!!  I noticed things aren't as good as they 
 were..  so ran the sa-update -D and noticed that there was a few 
 things that said failed, and the date stamps didn't alter on 
 updates_spamassassin_org.xxx

There are no failures in your debug output -- other than failed
requires, loading of optional Perl modules. That's harmless.

 did I miss something, or has something broken, or is there just no 
 updates?  since dec last year??

There are no updates. Rule updates usually are done very infrequently
only, whenever there's something urgent to push. Also, they are done
manually, so depend on the time of the devs.


 goaway:/var/lib/spamassassin/3.001007# sa-update -D
[...]
 [9278] dbg: channel: metadata version = 699146
 [9278] dbg: dns: 7.1.3.updates.spamassassin.org = 699146, parsed as 699146
 [9278] dbg: channel: current version is 699146, new version is 699146, skipping channel
 [9278] dbg: diag: updates complete, exiting with code 1

That's correct. Updates tend to be done even less frequently for old
versions. ;)  Even though that particular update has been pushed to both
the 3.1 and 3.2 channels, IIRC.

Rather than using sa-update with your aging 3.1.x, updating SA to the
latest version 3.2.5 will give you better spam detection.

  guenther


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
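
The two replies above read the same facts out of the debug output: the per-version DNS name, the unchanged channel version, and exit code 1. As an added example (not from the posters or the SpamAssassin project), this Python code builds that DNS name and summarises the debug lines quoted in the thread; the exit-code meanings used (0 = update installed, 1 = no fresh updates) are the ones sa-update documents, and the function names are illustrative.

```python
import re

# Lines taken from the sa-update -D output quoted in the thread, with the
# wrapped lines rejoined and trimmed to the ones the parser looks at.
SAMPLE_LOG = """\
[9278] dbg: generic: SpamAssassin version 3.1.7-deb
[9278] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[9278] dbg: diag: module not installed: Net::Ident ('require' failed)
[9278] dbg: channel: attempting channel updates.spamassassin.org
[9278] dbg: channel: metadata version = 699146
[9278] dbg: dns: 7.1.3.updates.spamassassin.org = 699146, parsed as 699146
[9278] dbg: channel: current version is 699146, new version is 699146, skipping channel
[9278] dbg: diag: updates complete, exiting with code 1
"""

LINE_RE = re.compile(r"^\[\d+\] dbg: (\w+): (.*)$")


def version_parts(sa_version):
    """Split '3.1.7' or '3.1.7-deb' into three integers."""
    parts = sa_version.split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected MAJOR.MINOR.PATCH, got %r" % sa_version)
    return [int(p) for p in parts]


def channel_dns_name(sa_version, channel="updates.spamassassin.org"):
    """Name queried for the channel version: 3.1.7 -> 7.1.3.<channel>."""
    major, minor, patch = version_parts(sa_version)
    return "%d.%d.%d.%s" % (patch, minor, major, channel)


def update_dir_version(sa_version):
    """Directory form seen in the thread: 3.1.7 -> 3.001007."""
    major, minor, patch = version_parts(sa_version)
    return "%d.%03d%03d" % (major, minor, patch)


def summarise(log_text):
    """Collect version, channel state, DNS answers and exit code from -D output."""
    summary = {"sa_version": None, "channels": {}, "dns": {},
               "optional_missing": [], "exit_code": None}
    channel = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        facility, msg = m.groups()
        if facility == "generic" and msg.startswith("SpamAssassin version "):
            summary["sa_version"] = msg.split()[-1]
        elif facility == "channel" and msg.startswith("attempting channel "):
            channel = msg.split()[-1]
        elif facility == "channel" and channel:
            v = re.match(r"current version is (\d+), new version is (\d+)", msg)
            if v:
                summary["channels"][channel] = {"current": int(v.group(1)),
                                                "new": int(v.group(2))}
        elif facility == "dns":
            d = re.match(r"(\S+) = (\d+), parsed as (\d+)", msg)
            if d:
                summary["dns"][d.group(1)] = int(d.group(3))
        elif facility == "diag":
            mod = re.match(r"module not installed: (\S+)", msg)
            code = re.search(r"exiting with code (\d+)", msg)
            if mod:
                # Failed 'require' of an optional module, not an update failure.
                summary["optional_missing"].append(mod.group(1))
            elif code:
                summary["exit_code"] = int(code.group(1))
    return summary


def cron_verdict(summary):
    """What a cron wrapper should report for this run."""
    code = summary["exit_code"]
    if code is None:
        return "unknown"
    if code == 0:
        return "updated"      # rules changed: reload the daemon
    if code == 1:
        return "no-update"    # nothing newer on the channel, not a failure
    return "error"


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(channel_dns_name(s["sa_version"]), s["channels"], cron_verdict(s))
```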



Missing pieces of perl?

2009-02-21 Thread Gene Heskett
From an sa-update -D:
[28466] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[28466] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[28466] dbg: diag: module not installed: Net::Ident ('require' failed)
[28466] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)

I don't use Pyzor or Razor (the 2nd one, and don't want to), but what about 
the other 3?

Fedora 8.  What packages should I install?

Also:

[28466] dbg: gpg: calling gpg
gpg: WARNING: unsafe ownership on homedir `/etc/mail/spamassassin/sa-update-keys'

What perms are supposed to be set there?

I have also fed probably 100 megabytes of 200 byte viagra/cialis type messages 
to sa-learn, and the bayes score is still usually 0.  Is there a way to see 
if that is misfiring somehow?  One would think bayes would learn however 
many ways there is to spell it by now and score accordingly.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
The man who runs may fight again.
-- Menander


Re: false positive on X-Mailer: Microsoft Outlook

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 03:56 +, Brian J. Murrell wrote:
 I have a message in hand that is triggering false positives based on the 
 ratware rules in 3.2.4.
 
 The specific headers are:
 
 Message-ID: blu0-smtp74e123fde12343a12de12bd1...@phx.gbl
 X-Mailer: Microsoft Outlook, Build 10.0.6838

Sounds like bug 5962 and its friends.
  https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5962


 P.S. I do see that trunk is handling this combination of headers in a 
 fairly different manner.  But that doesn't change the fact that this MUA 
 is causing false positives on 3.2, even with the latest
 (sa-update_3.2_20081231172858 according to SVN) 3.2 update.

Hmm, that fix also landed in the 3.2 branch, and even has been pushed
out to the updates. So it isn't that one?

Brian, can you please check bugzilla for similar reports [1], closed or
still open, and file a new bug, if none of them is your issue? There
definitely are quite a few bugs filed regarding this.  Thanks!

  guenther


[1] This one should do, in particular the more recent ones.

https://issues.apache.org/SpamAssassin/buglist.cgi?long_desc_type=allwordssubstr&long_desc=blu

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Missing pieces of perl?

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 10:30 -0500, Gene Heskett wrote:

 [28466] dbg: gpg: calling gpg
 gpg: WARNING: unsafe ownership on homedir 
 `/etc/mail/spamassassin/sa-update-keys'
 
 What perms are supposed to be set there?

What perms do you have?
# ls -ld /etc/mail/spamassassin/sa-update-keys


 I have also fed probably 100 megabytes of 200 byte viagra/cialis type 
 messages 
 to sa-learn, and the bayes score is still usually 0.  Is there a way to see 
 if that is miss-firing somehow?  One would think bayes would learn however 
 many ways there is to spell it by now and score accordingly.

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

See the section Hammytokens/Spammytokens Tag Format. Or provide a link
to samples.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Missing pieces of perl?

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 10:30 -0500, Gene Heskett wrote:
 From an sa-update -D:

According to a quick grep, initially to verify my recollection of the
IP::Country usage, turns out I did remember correctly...

And M::SA::Util::DependencyInfo.pm is your friend. Nice module. :)


 [28466] dbg: diag: module not installed: IP::Country::Fast ('require' failed)

Used by the RelayCountry plugin (not enabled by default) to determine
the domain country codes of each relay in the path of an email.

 [28466] dbg: diag: module not installed: Net::Ident ('require' failed)

Only used by spamd, optional. If you plan to use the --auth-ident option
to spamd, you will need to install this module.

 [28466] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)

If this module is installed, and you enable the DomainKeys plugin,
SpamAssassin will perform Domain Key lookups when Domain Key information
is present in the message headers.  (Note that new versions of
Mail::DKIM render this module superfluous.)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



cpan question

2009-02-21 Thread Gene Heskett
Using cpan, trying to install Net::Ident (the other bits except razor were 
nominal from the same source)

Checking for Apache.pm... not found
Writing Makefile for Net::Ident
cp Ident.pm blib/lib/Net/Ident.pm
Manifying blib/man3/Net::Ident.3pm
  JPC/Net-Ident-1.20.tar.gz
  /usr/bin/make -- OK
Warning (usually harmless): 'YAML' not installed, will not store persistent state
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e test_harness(0, 'blib/lib', 'blib/arch') t/*.t
t/0use.t  Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29.
t/0use.t  ok
t/apache.t .. Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29.
t/apache.t .. skipped: (no reason given)
t/compat.t .. Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29.
t/compat.t .. skipped: (no reason given)
t/Ident.t ... Net::Ident::_export_hooks() called too early to check prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29.
t/Ident.t ... Failed 3/8 subtests

Test Summary Report
---
t/Ident.t (Wstat: 0 Tests: 8 Failed: 3)
  Failed tests:  1-3
Files=4, Tests=9, 112 wallclock secs ( 0.04 usr  0.01 sys +  1.61 cusr  0.42 csys =  2.08 CPU)
Result: FAIL
Failed 1/4 test programs. 3/9 subtests failed.
make: *** [test_dynamic] Error 255
  JPC/Net-Ident-1.20.tar.gz
  /usr/bin/make test -- NOT OK
//hint// to see the cpan-testers results for installing this module, try:
  reports JPC/Net-Ident-1.20.tar.gz
Warning (usually harmless): 'YAML' not installed, will not store persistent state
Running make install
  make test had returned bad status, won't install without force
Failed during this command:
 JPC/Net-Ident-1.20.tar.gz: make_test NO

This YAML does not appear to be available via yum if that's important

Suggestions please?

Many thanks too, I forgot to add that to the other message I sent a few 
minutes ago.  My apologies.
-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
modesty, n.:
Being comfortable that others will discover your greatness.


Re: Missing pieces of perl?

2009-02-21 Thread Gene Heskett
On Saturday 21 February 2009, Karsten Bräckelmann wrote:
ls -ld /etc/mail/spamassassin/sa-update-keys
drwx-- 2 gene mail 4096 2009-02-21 10:17 /etc/mail/spamassassin/sa-update-keys

Thanks


-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
The lesser of two evils -- is evil.
-- Seymour (Sy) Leon


Re: Missing pieces of perl?

2009-02-21 Thread Gene Heskett
On Saturday 21 February 2009, Karsten Bräckelmann wrote:
On Sat, 2009-02-21 at 10:30 -0500, Gene Heskett wrote:
 [28466] dbg: gpg: calling gpg
 gpg: WARNING: unsafe ownership on homedir
 `/etc/mail/spamassassin/sa-update-keys'

 What perms are supposed to be set there?

What perms do you have?
# ls -ld /etc/mail/spamassassin/sa-update-keys

 I have also fed probably 100 megabytes of 200 byte viagra/cialis type
 messages to sa-learn, and the bayes score is still usually 0.  Is there a
 way to see if that is miss-firing somehow?  One would think bayes would
 learn however many ways there is to spell it by now and score accordingly.

http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

It appears I do not have that installed either, the first check I did, which 
was to grep the spamassassin directories (/etc/mail/spamassassin/* 
and /usr/share/spamassassin/*) for 'use_bayes' come up empty.  So far in my 
reading of the two pages the link above leads to, I am not seeing the actual 
name of the file this config option is to be entered in.  I would assume 
local.cf, but there is that word again (assume)

But when I ask cpan to install it, I'm installed and up to date.  ???

See the section Hammytokens/Spammytokens Tag Format. Or provide a link
to samples.

I've read that, and will do so again as I seem to be missing its message on a 
quick read.

Thanks.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Work continues in this area.
-- DEC's SPR-Answering-Automaton


Re: Missing pieces of perl?

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 11:20 -0500, Gene Heskett wrote:
 On Saturday 21 February 2009, Karsten Bräckelmann wrote:

   gpg: WARNING: unsafe ownership on homedir

  ls -ld /etc/mail/spamassassin/sa-update-keys
 drwx-- 2 gene mail 4096 2009-02-21 10:17 
 /etc/mail/spamassassin/sa-update-keys
   

Yup, as I expected. :)  Err, remembered from previous discussions
regarding ownership of files with you. ;)

Let me take a guess. You ran sa-update as root?

Confirmed here. Running sa-update as root, that one line seems to be the
difference, if it is owned by someone else. IFF there are updates,
doesn't even call gpg otherwise.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Missing pieces of perl?

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 11:46 -0500, Gene Heskett wrote:
 On Saturday 21 February 2009, Karsten Bräckelmann wrote:
  On Sat, 2009-02-21 at 10:30 -0500, Gene Heskett wrote:

   I have also fed probably 100 megabytes of 200 byte viagra/cialis type
   messages to sa-learn, and the bayes score is still usually 0.  Is there a
   way to see if that is miss-firing somehow?  One would think bayes would
 ^^
   learn however many ways there is to spell it by now and score accordingly.
 
  http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html
 
 It appears I do not have that installed either, the first check I did, which 
 was to grep the spamassassin directories (/etc/mail/spamassassin/* 
 and /usr/share/spamassassin/*) for 'use_bayes' come up empty.  So far in my 
 reading of the two pages the link above leads to, I am not seeing the actual 
 name of the file this config option is to be entered in.  I would assume 
 local.cf, but there is that word again (assume)
 
 But when I ask cpan to install it, I'm installed and up to date.  ???

What are you talking about, Gene? How is that related to your question?


Anyway, use_bayes defaults to 1, enabled. If you don't see it, it is
enabled. Can be verified by the existence of BAYES_XX hits. use_bayes
can be found in Learning Options, a sub-section of the section User
Preferences. The latter begins with these words, which apply to the
entire section:

  The following options can be used in both site-wide (local.cf) and
  user-specific (user_prefs) configuration files to customize how
  SpamAssassin handles incoming email messages.


  See the section Hammytokens/Spammytokens Tag Format. Or provide a link
  to samples.
 
 I've read that, and will do so again as I seem to be missing its message on a 
 quick read.

That's how you can investigate the Bayes tokens for the messages that
score neutral, despite learning. Isn't that what you asked for?


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



emails from blackberry cause FP

2009-02-21 Thread Michael Scheidell

(well, lots of them do, someone send blackberry a copy of the RFC's?)

one of our users keeps blocking emails from blackberry users due to this:
blackberry server does a 'helo 67.223.83.81' in violation of RFC's (when 
it should at LEAST do a helo [67.223.83.81])
Spamassassin scores (correctly) this as 'RCVD_NUMERIC_HELO' as it really 
IS an invalid helo.


I have seen a lot of strange things blackberry does.  including go for 
the highest mx record FIRST (every time), when several lower mx record 
servers are available and idle, strange DNS stuff, mashing and munging 
of headers.


if this had been sent to a system that checks RFC's carefully, and drops 
ignorant servers on the floor it would not even have gotten in.


received:from 67.223.83.81 ([67.223.83.81]) by 2k3exchange.local 
([192.168.1.3]) with Microsoft Exchange Server HTTP-DAV ; Fri, 20 Feb 2009 
22:33:48 +
x-rim-org-msg-ref-id:1281710162



--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 *| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * King of Spam Filters, SC Magazine 2008
   * Information Security Award 2008, Info Security Products Guide
   * CRN Magazine Top 40 Emerging Security Vendors
   * Finalist 2009 Network Products Guide Hot Companies


_
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/

_
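
The bare-IP versus bracketed address-literal distinction raised in this thread, and the way a single bad HELO adds up to 4.9, shown as an added Python example that is not from any poster or from SpamAssassin itself. The two rule checks are simplified stand-ins modelled on the rule descriptions quoted in the thread, and the -2.1 meta score is a hypothetical value chosen to cancel the duplicate hit.

```python
import ipaddress
import re

# Scores quoted in the thread for the two stock rules.
SCORES = {"RCVD_HELO_IP_MISMATCH": 2.8, "RCVD_NUMERIC_HELO": 2.1}

# Headers quoted in the thread (trimmed after the "by" host).
THREAD_HEADER = ("from 88.102.6.114 (67.kcity.telenet.cz [194.228.203.67]) "
                 "by 8.hotelulipy.cz (Postfix) with SMTP")
BLACKBERRY_HEADER = ("from 67.223.83.81 ([67.223.83.81]) by 2k3exchange.local "
                     "([192.168.1.3])")
# Constructed: the same client sending the bracketed form instead.
LITERAL_HEADER = "from [67.223.83.81] ([67.223.83.81]) by 2k3exchange.local"

# Matches "from <helo> (<rdns> [<ip>])" and "from <helo> ([<ip>])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _parse_ip(text, version=None):
    """Return an ipaddress object, or None if text is not an IP of that version."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if version is not None and addr.version != version:
        return None
    return addr


def classify_helo(arg):
    """Return (kind, ip); kind is 'address-literal', 'bare-ip', 'domain' or 'invalid'."""
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner[:5].lower() == "ipv6:":      # IPv6 literals carry a tag
            addr = _parse_ip(inner[5:], 6)
        else:
            addr = _parse_ip(inner, 4)
        return ("address-literal", addr) if addr else ("invalid", None)
    addr = _parse_ip(arg)
    if addr:
        return ("bare-ip", addr)              # an IP without brackets
    labels = arg.rstrip(".").split(".")
    # Requires two or more labels, which is stricter than the bare grammar.
    if len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels):
        return ("domain", None)
    return ("invalid", None)


def evaluate(received, meta_score=None):
    """Score one Received header with simplified stand-ins for the two rules.

    meta_score, if given, is added when both rules hit, modelling a
    compensating meta rule (hypothetical score, not a shipped default).
    """
    m = RECEIVED_RE.search(received)
    if not m:
        raise ValueError("unrecognised Received header")
    kind, helo_addr = classify_helo(m.group("helo"))
    peer = _parse_ip(m.group("ip"))
    hits = []
    if kind == "bare-ip":
        hits.append("RCVD_NUMERIC_HELO")
    # Assumption: any HELO that carries an IP is expected to match the peer.
    if helo_addr is not None and peer is not None and helo_addr != peer:
        hits.append("RCVD_HELO_IP_MISMATCH")
    total = sum(SCORES[h] for h in hits)
    if meta_score is not None and len(hits) == 2:
        hits.append("RCVD_HELO_NUMERIC_MISMATCH")
        total += meta_score
    return {"helo": m.group("helo"), "kind": kind,
            "hits": sorted(hits), "score": round(total, 1)}


if __name__ == "__main__":
    for header in (THREAD_HEADER, BLACKBERRY_HEADER, LITERAL_HEADER):
        print(evaluate(header))
    print(evaluate(THREAD_HEADER, meta_score=-2.1))
```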

Re: Missing pieces of perl?

2009-02-21 Thread Gene Heskett
On Saturday 21 February 2009, Karsten Bräckelmann wrote:
On Sat, 2009-02-21 at 10:30 -0500, Gene Heskett wrote:
 From an sa-update -D:

According to a quick grep, initially to verify my recollection of the
IP::Country usage, turns out I did remember correctly...

And M::SA::Util::DependencyInfo.pm is your friend. Nice module. :)

 [28466] dbg: diag: module not installed: IP::Country::Fast ('require'
 failed)

Used by the RelayCountry plugin (not enabled by default) to determine
the domain country codes of each relay in the path of an email.

 [28466] dbg: diag: module not installed: Net::Ident ('require' failed)

Only used by spamd, optional. If you plan to use the --auth-ident option
to spamd, you will need to install this module.

 [28466] dbg: diag: module not installed: Mail::DomainKeys ('require'
 failed)

If this module is installed, and you enable the DomainKeys plugin,
SpamAssassin will perform Domain Key lookups when Domain Key information
is present in the message headers.  (Note that new versions of
Mail::DKIM render this module superfluous.)

This latter is installed according to the -D output.

Thanks.  I have everything but the Net::Ident installed now, and that fails 
the build.

I take it that enabling this in user_prefs will use some bandwidth do these 
checks, so I'll see how the spammy_tokens thing works for a couple of days 
first.

Thanks again.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Windows Tip of the Day:
Add DEVICE=FNGRCROS.SYS to your CONFIG.SYS file.

Chuckle, now that's a sig line I haven't seen before.  Apropos.


Re: Missing pieces of perl?

2009-02-21 Thread Gene Heskett
On Saturday 21 February 2009, Karsten Bräckelmann wrote:
On Sat, 2009-02-21 at 11:20 -0500, Gene Heskett wrote:
 On Saturday 21 February 2009, Karsten Bräckelmann wrote:
   gpg: WARNING: unsafe ownership on homedir
 
  ls -ld /etc/mail/spamassassin/sa-update-keys

 drwx-- 2 gene mail 4096 2009-02-21 10:17
 /etc/mail/spamassassin/sa-update-keys

   

Yup, as I expected. :)  Err, remembered from previous discussions
regarding ownership of files with you. ;)

Let me take a guess. You ran sa-update as root?

Guilty.  I think I have it in root's crontab too.

Confirmed here. Running sa-update as root, that one line seems to be the
difference, if it is owned by someone else. IFF there are updates,
doesn't even call gpg otherwise.

I'll try to remember that.  I run everything SA related as an unprivileged 
user, me.  What can I say except 'Duh'? :)

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
My philosophy is: Don't think.
-- Charles Manson
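
The ownership mismatch diagnosed in this sub-thread (a key directory owned by one account, sa-update run by another), as an added Python check that is not from the posters or from GnuPG. It assumes gpg's warning conditions are "homedir not owned by the invoking user" and "homedir accessible to group or others"; the function and field names are illustrative.

```python
import os
import stat


def audit_gpg_homedir(path, run_as_uid=None):
    """Report why gpg, invoked as run_as_uid, would distrust this homedir.

    run_as_uid defaults to the current real uid; pass another uid to ask
    "what would happen if cron ran this as that account?".
    """
    uid = os.getuid() if run_as_uid is None else run_as_uid
    st = os.stat(path)
    report = {
        "path": path,
        "mode": stat.filemode(st.st_mode),   # same form as `ls -ld`
        "owner_uid": st.st_uid,
        "run_as_uid": uid,
        "findings": [],
        "foreign_files": [],
    }
    if not stat.S_ISDIR(st.st_mode):
        report["findings"].append("not a directory")
        return report
    if st.st_uid != uid:
        report["findings"].append(
            "unsafe ownership: owned by uid %d, used by uid %d" % (st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        report["findings"].append(
            "unsafe permissions: group/other bits set in %s" % report["mode"])
    # Files left behind by a run under another account (for example keyrings
    # written by root) show up as entries whose owner differs from the dir's.
    try:
        with os.scandir(path) as entries:
            for entry in entries:
                if entry.stat(follow_symlinks=False).st_uid != st.st_uid:
                    report["foreign_files"].append(entry.name)
    except PermissionError:
        report["findings"].append("cannot list directory as current user")
    report["foreign_files"].sort()
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for key, value in audit_gpg_homedir(target).items():
        print("%s: %s" % (key, value))
```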


Re: Missing pieces of perl?

2009-02-21 Thread Gene Heskett
On Saturday 21 February 2009, Karsten Bräckelmann wrote:
On Sat, 2009-02-21 at 11:46 -0500, Gene Heskett wrote:
 On Saturday 21 February 2009, Karsten Bräckelmann wrote:
  On Sat, 2009-02-21 at 10:30 -0500, Gene Heskett wrote:
   I have also fed probably 100 megabytes of 200 byte viagra/cialis type
   messages to sa-learn, and the bayes score is still usually 0.  Is
   there a way to see if that is miss-firing somehow?  One would think
   bayes would

 ^^

   learn however many ways there is to spell it by now and score
   accordingly.
 
  http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

 It appears I do not have that installed either, the first check I did,
 which was to grep the spamassassin directories (/etc/mail/spamassassin/*
 and /usr/share/spamassassin/*) for 'use_bayes' come up empty.  So far in
 my reading of the two pages the link above leads to, I am not seeing the
 actual name of the file this config option is to be entered in.  I would
 assume local.cf, but there is that word again (assume)

 But when I ask cpan to install it, I'm installed and up to date.  ???

What are you talking about, Gene? How is that related to your question?


Anyway, use_bayes defaults to 1, enabled. If you don't see it, it is
enabled. Can be verified by the existence of BAYES_XX hits. use_bayes
can be found in Learning Options, a sub-section of the section User
Preferences. The latter begins with these words, which apply to the
entire section:

  The following options can be used in both site-wide (local.cf) and
  user-specific (user_prefs) configuration files to customize how
  SpamAssassin handles incoming email messages.

  See the section Hammytokens/Spammytokens Tag Format. Or provide a link
  to samples.

 I've read that, and will do so again as I seem to be missing its message
 on a quick read.

That's how you can investigate the Bayes tokens for the messages that
score neutral, despite learning. Isn't that what you asked for?

Something like that. I interpreted that as to expand the headers with a more
verbose line.  I just checked a recently treated (and cleared) incoming
header, and the line is added, but it's otherwise empty.  So is the sa status
box kmail gives me.  Duh.

But I'd expect to see some details there if it's a 4 star message.

Thanks

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
My philosophy is: Don't think.
-- Charles Manson


Re: Missing pieces of perl?

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 12:10 -0500, Gene Heskett wrote:
 On Saturday 21 February 2009, Karsten Bräckelmann wrote:

   [28466] dbg: diag: module not installed: Net::Ident ('require' failed)
 
  Only used by spamd, optional. If you plan to use the --auth-ident option
  to spamd, you will need to install this module.

 Thanks.  I have everything but the Net::Ident installed now, and that fails 
 the build.
 
 I take it that enabling this in user_prefs will use some bandwidth do these 

You don't enable that in user_prefs, neither local.cf. Net::Ident is
*only* necessary with a particular spamd option. See 'man spamd'.

 checks, so I'll see how the spammy_tokens thing works for a couple of days 
 first.

They are entirely unrelated -- and the latter can be used to investigate
Bayes performance and tokens. As discussed in the other part of our
ping-pong style thread... ;)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Missing pieces of perl?

2009-02-21 Thread Gene Heskett
On Saturday 21 February 2009, Karsten Bräckelmann wrote:
On Sat, 2009-02-21 at 12:10 -0500, Gene Heskett wrote:
 On Saturday 21 February 2009, Karsten Bräckelmann wrote:
   [28466] dbg: diag: module not installed: Net::Ident ('require' failed)
 
  Only used by spamd, optional. If you plan to use the --auth-ident option
  to spamd, you will need to install this module.

 Thanks.  I have everything but the Net::Ident installed now, and that
 fails the build.

 I take it that enabling this in user_prefs will use some bandwidth do
 these

You don't enable that in user_prefs, neither local.cf. Net::Ident is
*only* necessary with a particular spamd option. See 'man spamd'.

 checks, so I'll see how the spammy_tokens thing works for a couple of days
 first.

They are entirely unrelated -- and the latter can be used to investigate
Bayes performance and tokens. As discussed in the other part of our
ping-pong style thread... ;)

Thank you Karsten, I'll take a break now.  Till my next question...

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
History repeats itself only if one does not listen the first time.


Re: Missing pieces of perl?

2009-02-21 Thread Karsten Bräckelmann
  That's how you can investigate the Bayes tokens for the messages that
  score neutral, despite learning. Isn't that what you asked for?
 
 Something like that. I interpreted that as to expand the headers with a more
 verbose line.  I just checked a recently treated (and cleared) incoming
 header, and the line is added, but it's otherwise empty.  So is the sa status
 box kmail gives me.  Duh.

Hmm, did you --lint your changes?

Rather than immediately applying this to all incoming mail, I'd try this
with the offenders only. That is, run them through 'spamassassin'
manually, adding the specific options using --cf. Maybe adding them to
local.cf temporarily, without restarting spamd.

That way, you can specifically investigate the under-performers.

 But I'd expect to see some details there if it's a 4 star message.

The overall score of the message is unrelated to the Bayes tokens, other
than getting a score for Bayes rules. But you're probably right that the
header should hold at least some information.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Missing pieces of perl?

2009-02-21 Thread Karsten Bräckelmann
   drwx------ 2 gene mail 4096 2009-02-21 10:17
   /etc/mail/spamassassin/sa-update-keys
 
  Yup, as I expected. :)  Err, remembered from previous discussions
  regarding ownership of files with you. ;)
 
  Let me take a guess. You ran sa-update as root?
 
 Guilty.  I think I have it in roots crontab too.
^
 I'll try to remember that.  I run everything SA related as an unprivileged
 user, me.  What can I say except 'Duh'? :)

Seems you don't. :-)

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Missing pieces of perl?

2009-02-21 Thread Karsten Bräckelmann
On Sat, 2009-02-21 at 12:28 -0500, Gene Heskett wrote:

 Thank you Karsten, I'll take a break now.  Till my next question...

You're welcome.  I should do the same. :)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Missing pieces of perl?

2009-02-21 Thread Martin Gregorie
On Sat, 2009-02-21 at 10:30 -0500, Gene Heskett wrote:
 Fedora 8.  What packages should I install?
 
I use spamc/spamd with Fedora 8. If your system has been kept fully
updated you should see this:
 
# yum list perl spamassassin
Installed Packages
perl.i386   4:5.8.8-41.fc8  installed
spamassassin.i386   3.2.5-1.fc8 installed

If not, run 'yum upgrade' and try 'yum list perl spamassassin' again.
If one or both are missing, 'yum install perl spamassassin' will soon
fix that.

 Also:
 
 [28466] dbg: gpg: calling gpg
 gpg: WARNING: unsafe ownership on homedir 
 `/etc/mail/spamassassin/sa-update-keys'
 
 What perms are supposed to be set there?
 
I have: 

drwx------ 2 root root  4096 2009-01-04 04:59 sa-update-keys

I run spamd as root using the issued daemon start script. The command
'service spamassassin start' runs it and, of course, its started at
boot.


Martin




Re: HELO checks give too high score together

2009-02-21 Thread Matt Kettler
Matus UHLAR - fantomas wrote:
 On 20.02.09 19:26, Matt Kettler wrote:
   
 Since you're bouncing any off-list emails because you reject my entire
 ISP, I'm going to drop out of aiding on this matter.
 

 I'm not rejecting your ISP. I'm rejecting mail from addresses I could not
 complain back to.
   
Very well, but you're also using a RBL with a known high risk of
blocking nonspam email. This list was actually dropped from SA because
the false positive rate became unacceptable, it actually matched more
nonspam than it did spam! (51% of matches were nonspam and a total of
0.684% of all nonspam email matched this rule )

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=4628

And you're doing this while requesting SA adjust a rule with very rare
false positive. (0.4% of matches are nonspam, and a total of 0.0078% of
all nonspam email hits this rule), on emails with garbage in the HELO.

It seems clear to me that policies with  false positives of up to 50% of
their hits are acceptable to you, so the 0.4% false positive rate of the
HELO message should be acceptable to you.

 Fix your own domain's over-zealous behaviors first.
 

 Fix your domain's RFC conformity first
   
I do not control this domain, it's a national ISP with only a few
million subscribers. My other option here is Comcast, who has by far
more egregious in their behaviors.

Regardless, I'm disinclined to help someone complaining about rare false
positive cases in SA while engaging in aggressive configurations for
the rest of their systems that have false positive rates that are 2
orders of magnitude larger.





Re: HELO checks give too high score together

2009-02-21 Thread mouss
Matus UHLAR - fantomas a écrit :
 On 21.02.09 12:18, mouss wrote:
 Matus UHLAR - fantomas a écrit :
 On 20.02.09 19:26, Matt Kettler wrote:
 Since you're bouncing any off-list emails because you reject my entire
 ISP, I'm going to drop out of aiding on this matter.
 I'm not rejecting your ISP. I'm rejecting mail from addresses I could 
 not
 complain back to.

 Fix your own domain's over-zealous behaviors first.
 Fix your domain's RFC conformity first
 so you're complaining about a high score for an invalid helo coupled
 with extremely weird 3-domains in a hop mail and at the same time
 rejecting mail from a large ISP because of rfci listing?

 if you're fighting for rfc compliance, reject both, and the issue is
 closed ;-p
 
 Matus UHLAR - fantomas a écrit :
 rejecting because HELO does not match violates RFC. case open.
 
 On 21.02.09 12:32, mouss wrote:
 I said invalid. a bare IP is invalid in helo, and has been since 822.

correction: since RFC 821, and not (year ;-) 822 ;-p

 
 good point, another thing to check for.



Re: HELO checks give too high score together

2009-02-21 Thread mouss
Matus UHLAR - fantomas a écrit :
 [snip]

 Are
 - iol.cz
 - telenet.cz
 - hotelulipy.cz

 the same organisation?
 
 if not, this is direct to MX junk.
 
 ...your presumption that the Received: header is the only one is false.
 

I didn't presume that. I was only looking at that one Received header,
because it meant:

some client in the .telenet.cz domain connected to a server in the
.hotelulipy.cz domain and helo'ed with an IP in the .iol.cz domain.

I would understand this if these domains belong to the same
organisation, in which case NAT is a possible explanation.

 BTW. which (legitimate and not outdated) mail clients helo with a bare IP?

a quick grep shows that something called Gmexim (is this a sort of
gmane patched exim?) does so.

 [snip]
 Can someone please try to do
 
 meta RCVD_HELO_NUMERIC_MISMATCH (RCVD_HELO_IP_MISMATCH && RCVD_NUMERIC_HELO)
 

I now realize that RCVD_NUMERIC_HELO also fires on valid literal IP
helo, not only on bare IP helo. the helo rules may need a review...

 and check, or should I fill

yes, please fill (I guess you meant a PR ;-p).


Re: emails from blackberry cause FP

2009-02-21 Thread mouss
Michael Scheidell a écrit :
 (well, lots of them do, someone send blackberry a copy of the RFC's?)
 
 one of our users keeps blocking emails from blackberry users due to this:
 blackberry server does a 'helo 67.223.83.81' in violation of RFC's 

are you sure? This is rejected at smtp level in many places.

 (when
 it should at LEAST do a helo [67.223.83.81])
 Spamassassin score (correctly) this as 'RCVD_NUMERIC_HELO' as it really
 IS an invalid helo.
 
 I have seen a lot of strange things blackberry does.  including go for
 the highest mx record FIRST (every time), when several lower mx record
 servers are available and idle, strange DNS stuff, mashing and munging
 of headers.
 
 if this had been send to a system that checks RFC's carefully, and drops
 ignorant servers on the floor it would not even have gotten in.
 
 received:from 67.223.83.81 ([67.223.83.81]) by 2k3exchange.local 
 ([192.168.1.3]) with Microsoft Exchange Server HTTP-DAV ; Fri, 20 Feb 2009 
 22:33:48 +
 x-rim-org-msg-ref-id:1281710162
 

hmm. This is with HTTP-DAV, so SMTP RFCs are irrelevant.


Re: Missing pieces of perl?

2009-02-21 Thread Gene Heskett
On Saturday 21 February 2009, Karsten Bräckelmann wrote:
   drwx------ 2 gene mail 4096 2009-02-21 10:17
   /etc/mail/spamassassin/sa-update-keys
 
 
  Yup, as I expected. :)  Err, remembered from previous discussions
  regarding ownership of files with you. ;)
 
  Let me take a guess. You ran sa-update as root?

 Guilty.  I think I have it in roots crontab too.

^

 I'll try to remember that.  I run everything SA related as an unprivileged
 user, me.  What can I say except 'Duh'? :)

Seems you don't. :-)

I script everything else, and the scripts run as me.  Fetchmail, procmail, SA.  
The only thing running as root is me when I'm reading it with kmail.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
Eat drink and be merry, for tomorrow we diet.


NO_RELAYS FP on relayed mail via IPv6

2009-02-21 Thread Greg Troxel

This is a funny case, since the message in question is generated by a
machine that I would set as TRUSTED.  I am the moderator for
regional-bos...@netbsd.org, and it gets spam, stunningly enough.  The
mail is sent to me over IPv6, and SA appears not to parse postfix's IPv6
received lines.  Is anyone else seeing this problem, and is it specific
to postfix?  Any hints for where in the sources to read to fix?

  Return-Path: 
bounces-regional-boston-owner-regional-boston-owner=netbsd@netbsd.org
  X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on fnord.ir.bbn.com
  X-Spam-Level: 
  X-Spam-Status: No, score=-18.3 required=1.0 tests=AWL,BAYES_00,IP_LINK_PLUS,
  
NORMAL_HTTP_TO_IP,NO_RELAYS,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,
  RAZOR2_CHECK autolearn=no version=3.2.5
  X-Original-To: g...@ir.bbn.com
  Delivered-To: g...@ir.bbn.com
  Received: from mail.netbsd.org (mail.NetBSD.org 
[IPv6:2001:4f8:4:7:2e0:81ff:fe52:9ab6])
  (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
  (No client certificate requested)
  by fnord.ir.bbn.com (Postfix) with ESMTPS id 65A6252A8
  for g...@ir.bbn.com; Sat, 21 Feb 2009 18:44:45 -0500 (EST)
  Received: by mail.netbsd.org (Postfix) id 91CCE63B19B; Sat, 21 Feb 2009 
23:44:44 + (UTC)
  Delivered-To: regional-boston-ow...@netbsd.org
  Received: by mail.netbsd.org (Postfix, from userid 0) id 8289563B192; Sat, 21 
Feb 2009 23:44:44 + (UTC)
  To: regional-boston-ow...@netbsd.org
  From: regional-boston-ow...@netbsd.org
  Subject: BOUNCE regional-bos...@netbsd.org:Global taboo body match 
/\bmala direta\b/i at line 1  
  Message-Id: 2009022123.8289563b...@mail.netbsd.org
  Date: Sat, 21 Feb 2009 23:44:44 + (UTC)
  X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by 
milter-greylist-4.0.1 (fnord.ir.bbn.com [0.0.0.0]); Sat, 21 Feb 2009 18:44:45 
-0500 (EST)





Re: NO_RELAYS FP on relayed mail via IPv6

2009-02-21 Thread Theo Van Dinter
On Sat, Feb 21, 2009 at 7:11 PM, Greg Troxel g...@ir.bbn.com wrote:
 This is a funny case, since the message in question is generated by a
 machine that I would set as TRUSTED.  I am the moderator for
 regional-bos...@netbsd.org, and it gets spam, stunningly enough.  The
 mail is sent to me over IPv6, and SA appears not to parse postfix's IPv6
 received lines.  Is anyone else seeing this problem, and is it specific
 to postfix?  Any hints for where in the sources to read to fix?

At the last check, SA doesn't have a lot of support for IPv6 yet.  For
example, here's some code from the Received header parser in 3.2.x:

  $ip = Mail::SpamAssassin::Util::extract_ipv4_addr_from_string ($ip);
  if (!$ip) {
    dbg("received-header: could not parse IPv4 address, assuming IPv6");
    return 0;   # ignore IPv6 handovers
  }

Taking a quick look at the 3.3 code, it seems the code now handles
IPv6, but I'm not sure if it's complete support or if partial, how
much, etc.

The code is all in .../lib/Mail/SpamAssassin/Message/Metadata/Received.pm
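
The Postfix Received lines from the report above, parsed with and without IPv6 support, as an added example in Python. It is not SpamAssassin's code (SpamAssassin is Perl) and is not from the thread; the function names and the regular expression are assumptions made for illustration, and the sample headers are the thread's with the redacted recipient replaced by a placeholder.

```python
import ipaddress
import re

# Postfix writes a network handover as: from HELO (RDNS [ADDR]) ... by HOST ...
# ADDR is a dotted quad, or "IPv6:" followed by the address.
POSTFIX_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<addr>[^\]]+)\]\)",
    re.IGNORECASE,
)

# Constructed sample: the three Received lines quoted in the report, with the
# redacted recipient replaced by a placeholder and the UTC offset written out.
SAMPLE_RECEIVED = [
    "from mail.netbsd.org (mail.NetBSD.org\n"
    " [IPv6:2001:4f8:4:7:2e0:81ff:fe52:9ab6])\n"
    "\t(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby fnord.ir.bbn.com (Postfix) with ESMTPS id 65A6252A8\n"
    "\tfor <user@example.invalid>; Sat, 21 Feb 2009 18:44:45 -0500 (EST)",
    "by mail.netbsd.org (Postfix) id 91CCE63B19B;"
    " Sat, 21 Feb 2009 23:44:44 +0000 (UTC)",
    "by mail.netbsd.org (Postfix, from userid 0) id 8289563B192;"
    " Sat, 21 Feb 2009 23:44:44 +0000 (UTC)",
]


def parse_postfix_received(header_value):
    """Return helo, rdns, ip and by for a network handover, else None."""
    value = " ".join(header_value.split())  # unfold the header
    match = POSTFIX_FROM.match(value)
    if match is None:
        return None  # local pickup ("by ... (Postfix, from userid 0)")
    addr = match.group("addr")
    if addr.lower().startswith("ipv6:"):
        addr = addr[5:]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # bracketed text that is not an address
    by = re.search(r"\bby\s+(\S+)", value)
    return {
        "helo": match.group("helo"),
        "rdns": match.group("rdns"),
        "ip": ip,
        "by": by.group(1) if by else None,
    }


def relays(received_headers, ipv6=True):
    """List network relays; ipv6=False drops IPv6 handovers like the 3.2.x code quoted above."""
    found = []
    for header in received_headers:
        relay = parse_postfix_received(header)
        if relay is None:
            continue
        if relay["ip"].version == 6 and not ipv6:
            continue
        found.append(relay)
    return found


if __name__ == "__main__":
    for relay in relays(SAMPLE_RECEIVED):
        print(relay["helo"], relay["ip"], "->", relay["by"])
    # With IPv6 handovers ignored the message has no relays at all, which is
    # the situation the NO_RELAYS hit in the report describes.
    print("IPv4-only relay count:", len(relays(SAMPLE_RECEIVED, ipv6=False)))
```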


Everything gets a score of 0

2009-02-21 Thread oliver
Hi,

I've been googling and trying to figure out why my SA isn't working for
2 days now. I even found a bug report over on the gentoo bugzilla with a
person having the same issue, but no solution
(http://bugs.gentoo.org/show_bug.cgi?id=237397).

This is a clean install on a gentoo hardened box. I'm using SA 3.2.5 and
have learned about 15k worth of mails for the bayes filter. I only
started to use sa-learn yesterday as someone suggested that this would
'fix' things. I used sa-learn --spam on my 'junk' folder and --ham on my
inbox that should be about spam free. No change. I am using the
sa-update channel from SA and openprotect (which explains the 70 rules
below). The only thing I seem to be missing in the dbg output is
inclusion of the rules from the default path: '/usr/share/spamassassin/'.

From what I can tell, SA is loading up the rules just fine, but then
awards no points for them? There seem to be also some strange dependency
issues from the rules, but I found that that shouldn't be really an
issue. I used the sample-spam.txt as input to let SA figure it out.

Apart from SA, I'm using amavis to do virus/spam handling and postfix
as my MTA. If I left out any additional required info, I'll be more than
happy to supply.

Thanks in advance for any pointers.

Oliver

enterprise ~ # spamassassin -tD  sample-spam.txt
[26970] dbg: logger: adding facilities: all
[26970] dbg: logger: logging level is DBG
[26970] dbg: generic: SpamAssassin version 3.2.5
[26970] dbg: config: score set 0 chosen.
[26970] dbg: util: running in taint mode? no
[26970] dbg: dns: is Net::DNS::Resolver available? yes
[26970] dbg: dns: Net::DNS version: 0.63
[26970] dbg: config: using /etc/mail/spamassassin for site rules pre files
[26970] dbg: config: read file /etc/mail/spamassassin/init.pre
[26970] dbg: config: read file /etc/mail/spamassassin/v310.pre
[26970] dbg: config: read file /etc/mail/spamassassin/v312.pre
[26970] dbg: config: read file /etc/mail/spamassassin/v320.pre
[26970] dbg: config: using /var/lib/spamassassin/3.002005 for sys
rules pre files
[26970] dbg: config: read file
/var/lib/spamassassin/3.002005/saupdates_openprotect_com.pre
[26970] dbg: config: using /var/lib/spamassassin/3.002005 for default
rules dir
[26970] dbg: config: read file
/var/lib/spamassassin/3.002005/saupdates_openprotect_com.cf
[26970] dbg: config: using /etc/mail/spamassassin for site rules dir
[26970] dbg: config: read file /etc/mail/spamassassin/local.cf
[26970] dbg: config: read file /etc/mail/spamassassin/secrets.cf
[26970] dbg: config: using /root/.spamassassin for user state dir
[26970] dbg: config: using /root/.spamassassin/user_prefs for user
prefs file
[26970] dbg: config: read file /root/.spamassassin/user_prefs
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[26970] dbg: pyzor: network tests on, attempting Pyzor
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[26970] dbg: razor2: razor2 is not available
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[26970] dbg: reporter: network tests on, attempting SpamCop
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[26970] dbg: plugin: loading
Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[26970] dbg: plugin: loading
Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from
@INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags
from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::Check from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTTPSMismatch
from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDetail from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::Bayes from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::BodyEval from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::DNSEval from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::HTMLEval from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::HeaderEval from
@INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEEval from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayEval from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIEval from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::WLBLEval from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::VBounce from @INC
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::ImageInfo from @INC
[26970] dbg: config: fixed relative path:
/var/lib/spamassassin/3.002005/saupdates_openprotect_com/loadplugins.pre
[26970] dbg: config: using
/var/lib/spamassassin/3.002005/saupdates_openprotect_com/loadplugins.pre
for included file
[26970] dbg: config: read file
/var/lib/spamassassin/3.002005/saupdates_openprotect_com/loadplugins.pre
[26970] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[26970] dbg: 

Re: Everything gets a score of 0

2009-02-21 Thread Theo Van Dinter
According to the debug output, you just have the openprotect channel
and not the SA updates channel.  Hence, none of the standard rules
exist.  Run sa-update. :)

On Sat, Feb 21, 2009 at 8:15 PM, oliver oli...@schinagl.nl wrote:
 This is a clean install on a gentoo hardened box. I'm using SA 3.2.5 and
 have learned about 15k worth of mails for the bayes filter. I only
 started to use sa-learn yesterday as someone suggested that this would
 'fix' things. I used sa-learn --spam on my 'junk' folder and --ham on my
 inbox that should be about spam free. No change. I am using the
 sa-update channel from SA and openprotect (which explains the 70 rules
 below). The only thing I seem to be missing in the dbg output is
 inclusion of the rules from the default path: '/usr/share/spamassassin/'.

 From what I can tell, SA is loading up the rules just fine, but then
 awards no points for them? There seem to be also some strange dependency
 issues from the rules, but I found that that shouldn't be really an
 issue. I used the sample-spam.txt as input to let SA figure it out.

 enterprise ~ # spamassassin -tD  sample-spam.txt
[...]
 [26970] dbg: dns: Net::DNS version: 0.63
 [26970] dbg: config: using /etc/mail/spamassassin for site rules pre files

ok pre files, then the sa-update dir for rules ...

 [26970] dbg: config: using /var/lib/spamassassin/3.002005 for default
 rules dir
 [26970] dbg: config: read file
 /var/lib/spamassassin/3.002005/saupdates_openprotect_com.cf

and that's it...

 [26970] dbg: config: using /etc/mail/spamassassin for site rules dir
[...]
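
The check made by eye in the reply above, as an added Python example that is not part of the thread: it reads `spamassassin -D` output, rejoins the lines the mail client wrapped, and reports which rule files were read from the default rules dir. The function names are assumptions; `updates_spamassassin_org` is the name sa-update gives the stock channel's files, and the sample is an excerpt of the debug output posted in the thread.

```python
import re

DBG_PREFIX = re.compile(r"^\[\d+\] dbg: ")
CORE_CHANNEL = "updates_spamassassin_org"  # stock rules channel as stored by sa-update

# Excerpt of the debug output posted in the thread, wrapping preserved.
SAMPLE_DEBUG = """\
[26970] dbg: config: using /etc/mail/spamassassin for site rules pre files
[26970] dbg: config: read file /etc/mail/spamassassin/init.pre
[26970] dbg: config: using /var/lib/spamassassin/3.002005 for sys
rules pre files
[26970] dbg: config: read file
/var/lib/spamassassin/3.002005/saupdates_openprotect_com.pre
[26970] dbg: config: using /var/lib/spamassassin/3.002005 for default
rules dir
[26970] dbg: config: read file
/var/lib/spamassassin/3.002005/saupdates_openprotect_com.cf
[26970] dbg: config: using /etc/mail/spamassassin for site rules dir
[26970] dbg: config: read file /etc/mail/spamassassin/local.cf
[26970] dbg: config: read file /etc/mail/spamassassin/secrets.cf
"""


def unwrap(lines):
    """Join wrapped continuation lines onto the '[pid] dbg:' line they belong to."""
    joined = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if DBG_PREFIX.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined


def rule_sources(debug_text):
    """Summarise which rule files were read from the default rules dir."""
    default_dir = None
    cf_files = []
    for line in unwrap(debug_text.splitlines()):
        found = re.search(r"config: using (\S+) for default rules dir", line)
        if found:
            default_dir = found.group(1)
            continue
        found = re.search(r"config: read file (\S+\.cf)$", line)
        if found:
            cf_files.append(found.group(1))

    prefix = (default_dir or "") + "/"
    in_default = [f for f in cf_files if default_dir and f.startswith(prefix)]
    # Files directly in the dir are channel entry points written by sa-update.
    channels = sorted(
        f[len(prefix):-3] for f in in_default if "/" not in f[len(prefix):]
    )
    names = [f.rsplit("/", 1)[1][:-3] for f in in_default]
    # Stock rules show up as the core channel file or as NN_name.cf files
    # (for example 25_uribl.cf) read from below the default rules dir.
    core = CORE_CHANNEL in names or any(re.match(r"\d\d_", n) for n in names)
    return {
        "default_rules_dir": default_dir,
        "channels": channels,
        "core_rules_loaded": core,
    }


if __name__ == "__main__":
    report = rule_sources(SAMPLE_DEBUG)
    print(report)
    if not report["core_rules_loaded"]:
        print("stock rules were not read: run sa-update for the default channel")
```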


Re: cpan question

2009-02-21 Thread Bill Landry
Gene Heskett wrote:
 Using cpan, trying to install Net::Ident (the other bits except razor were 
 nominal from the same source)
 
 Checking for Apache.pm... not found
 Writing Makefile for Net::Ident
 cp Ident.pm blib/lib/Net/Ident.pm
 Manifying blib/man3/Net::Ident.3pm
   JPC/Net-Ident-1.20.tar.gz
   /usr/bin/make -- OK
 Warning (usually harmless): 'YAML' not installed, will not store persistent 
 state
 Running make test
 PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e 
 test_harness(0, 'blib/lib', 'blib/arch') 
 t/*.t
 t/0use.t  Net::Ident::_export_hooks() called too early to check prototype 
 at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29.
 t/0use.t  ok
 t/apache.t .. Net::Ident::_export_hooks() called too early to check prototype 
 at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29.
 t/apache.t .. skipped: (no reason given)
 t/compat.t .. Net::Ident::_export_hooks() called too early to check prototype 
 at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29.
 t/compat.t .. skipped: (no reason given)
 t/Ident.t ... Net::Ident::_export_hooks() called too early to check prototype 
 at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm line 29.
 t/Ident.t ... Failed 3/8 subtests
 
 Test Summary Report
 ---
 t/Ident.t (Wstat: 0 Tests: 8 Failed: 3)
   Failed tests:  1-3
 Files=4, Tests=9, 112 wallclock secs ( 0.04 usr  0.01 sys +  1.61 cusr  0.42 
 csys =  2.08 CPU)
 Result: FAIL
 Failed 1/4 test programs. 3/9 subtests failed.
 make: *** [test_dynamic] Error 255
   JPC/Net-Ident-1.20.tar.gz
   /usr/bin/make test -- NOT OK
 //hint// to see the cpan-testers results for installing this module, try:
   reports JPC/Net-Ident-1.20.tar.gz
 Warning (usually harmless): 'YAML' not installed, will not store persistent 
 state
 Running make install
   make test had returned bad status, won't install without force
 Failed during this command:
  JPC/Net-Ident-1.20.tar.gz: make_test NO
 
 This YAML does not appear to be available via yum if that's important
 
 Suggestions please?
 
 Many thanks too, I forgot to add that to the other message I sent a few 
 minutes ago.  My apologies.

Try cpan install YAML (yes, in all caps).

Bill


Re: cpan question

2009-02-21 Thread Gene Heskett
On Saturday 21 February 2009, Bill Landry wrote:
Gene Heskett wrote:
 Using cpan, trying to install Net::Ident (the other bits except razor were
 nominal from the same source)

 Checking for Apache.pm... not found
 Writing Makefile for Net::Ident
 cp Ident.pm blib/lib/Net/Ident.pm
 Manifying blib/man3/Net::Ident.3pm
   JPC/Net-Ident-1.20.tar.gz
   /usr/bin/make -- OK
 Warning (usually harmless): 'YAML' not installed, will not store
 persistent state
 Running make test
 PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e
 test_harness(0, 'blib/lib', 'blib/arch') t/*.t
 t/0use.t  Net::Ident::_export_hooks() called too early to check
 prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm
 line 29. t/0use.t  ok
 t/apache.t .. Net::Ident::_export_hooks() called too early to check
 prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm
 line 29. t/apache.t .. skipped: (no reason given)
 t/compat.t .. Net::Ident::_export_hooks() called too early to check
 prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm
 line 29. t/compat.t .. skipped: (no reason given)
 t/Ident.t ... Net::Ident::_export_hooks() called too early to check
 prototype at /root/.cpan/build/Net-Ident-1.20-FRTCAm/blib/lib/Net/Ident.pm
 line 29. t/Ident.t ... Failed 3/8 subtests

 Test Summary Report
 ---
 t/Ident.t (Wstat: 0 Tests: 8 Failed: 3)
   Failed tests:  1-3
 Files=4, Tests=9, 112 wallclock secs ( 0.04 usr  0.01 sys +  1.61 cusr 
 0.42 csys =  2.08 CPU)
 Result: FAIL
 Failed 1/4 test programs. 3/9 subtests failed.
 make: *** [test_dynamic] Error 255
   JPC/Net-Ident-1.20.tar.gz
   /usr/bin/make test -- NOT OK
 //hint// to see the cpan-testers results for installing this module, try:
   reports JPC/Net-Ident-1.20.tar.gz
 Warning (usually harmless): 'YAML' not installed, will not store
 persistent state
 Running make install
   make test had returned bad status, won't install without force
 Failed during this command:
  JPC/Net-Ident-1.20.tar.gz: make_test NO

 This YAML does not appear to be available via yum if that's important

 Suggestions please?

 Many thanks too, I forgot to add that to the other message I sent a few
 minutes ago.  My apologies.

Try cpan install YAML (yes, in all caps).

Bill

2 questions then. 
1) what is it?

and 2) do I need it for SA?

Thanks.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
... relaxed in the manner of a man who has no need to put up a front of
any kind.
-- John Ball, Mark One: the Dummy


Re: Custome rule problem.

2009-02-21 Thread Benny Pedersen

On Thu, February 19, 2009 15:50, Nigel Frankcom wrote:
 Am I missing something stupid? (Wouldn't be the 1st time)

read 25_uribl.cf (google.com is in there)

spamassassin 2>&1 -D -t spammsg | less

see skib domains

 header __NFheader ALL =~ /live\.com/i
 score __NFheader 0.1
 uri __NFuri /www\.google\.com\/groups\//
 score __NFuri 0.1
 meta NFheader_Details (__NFheader && __NFuri)
 describe NFheader_Details live dot com spam
 score NFheader_Details 5.0

another reason for use uribl.com actively

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: HELO checks give too high score together

2009-02-21 Thread Benny Pedersen

On Sat, February 21, 2009 02:38, mouss wrote:
 Matt Kettler a écrit :
 Since you're bouncing any off-list emails because you reject my
 entire ISP, I'm going to drop out of aiding on this matter.
 probably a rule that considers vms173007pub.verizon.net as a
 dynamic name...

why does a smtp server have dynamic hostname alike in the first place ?

and why did the recipient not test spf ?

http://old.openspf.org/wizard.html?mydomain=verizon.net&submit=Go!

 Fix your own domain's over-zealous behaviors first.

42

-- 
http://localhost/ 100% uptime and 100% mirrored :)



Re: HELO checks give too high score together

2009-02-21 Thread Benny Pedersen

On Sat, February 21, 2009 12:32, mouss wrote:
 rejecting because HELO does not match violates RFC. case open.
 I said invalid. a bare IP is invalid in helo, and has been since
 822.

just use all helo rules that postfix can do pr default is better
gives the answer on this one

if i remember postfix right:

helo 127.0.0.1 is invalid
helo [127.0.0.1] is valid

maybe i am wrong again :)))

-- 
http://localhost/ 100% uptime and 100% mirrored :)
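
The distinction drawn in this thread between a bare IP in HELO (`helo 127.0.0.1`) and a bracketed address literal (`helo [127.0.0.1]`), and the earlier remark that a numeric-HELO rule also fires on valid literals, as an added Python example that is not from any poster. The function names and flag names are hypothetical and are not SpamAssassin rule names; 67.223.83.81 comes from the thread, the other addresses are constructed from documentation ranges.

```python
import ipaddress
import re

# Plain host name: dot-separated labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def classify_helo(arg):
    """Return 'address-literal', 'bare-ip', 'hostname' or 'invalid'."""
    arg = arg.strip()
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        try:
            if inner.lower().startswith("ipv6:"):
                ipaddress.IPv6Address(inner[5:])
            else:
                ipaddress.IPv4Address(inner)  # untagged literal must be IPv4
        except ValueError:
            return "invalid"
        return "address-literal"
    try:
        ipaddress.ip_address(arg)
        return "bare-ip"  # the form the thread calls invalid
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", arg):
        return "invalid"  # numeric junk such as 999.1.1.1
    return "hostname" if HOSTNAME.match(arg) else "invalid"


def helo_flags(helo, peer_ip):
    """Flag a HELO argument against the address the client connected from."""
    kind = classify_helo(helo)
    flags = set()
    if kind == "invalid":
        flags.add("INVALID")
    if kind not in ("bare-ip", "address-literal"):
        return flags
    flags.add("NUMERIC")
    if kind == "bare-ip":
        flags.add("BARE_IP")  # kept separate so valid literals are not penalised
    claimed = helo.strip().strip("[]")
    if claimed.lower().startswith("ipv6:"):
        claimed = claimed[5:]
    if ipaddress.ip_address(claimed) != ipaddress.ip_address(peer_ip):
        flags.add("IP_MISMATCH")
    return flags


if __name__ == "__main__":
    samples = [
        ("67.223.83.81", "67.223.83.81"),      # bare IP, matches the peer
        ("[67.223.83.81]", "67.223.83.81"),    # literal, matches the peer
        ("192.0.2.7", "198.51.100.9"),         # bare IP from another network
        ("[IPv6:2001:db8::1]", "2001:db8::1"),
        ("mail.netbsd.org", "198.51.100.9"),
    ]
    for helo, peer in samples:
        print(f"{helo:22} {classify_helo(helo):16} {sorted(helo_flags(helo, peer))}")
```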