ifspamh error logs
Hi,

I am trying to get ifspamh working within my .qmail-user file, but there is obviously an error, either with the vars set up within the ifspamh file or somewhere else, as the emails just loop until I change the .qmail-user file back.

I want to maybe try and run the ifspamh command from the line to see if I can get it to work there, and if not it should present me with the relevant error messages..? Is this possible, and if so how would I feed the message into it? Would there be any error logs saved from the .qmail-user script that I can look at now?

My .qmail-user script looks like this:

|/usr/bin/ifspamh s...@address.com u...@address.com

Any help would be appreciated,

Thanks
Dave

--
View this message in context: http://www.nabble.com/ifspamh-error-logs-tp23329974p23329974.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Almost no score
Hi!

mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/

Looks like they've changed from DSL to DSC! I have a few with DSC in today's quarantine, but they were caught by BOTNET rules. Methinks it's time to update the above rule to look for DS[A-Z][0-9]{4}\.png or maybe even [A-Z]{3}[0-9]{4}\.png

Make that 4,5 since they also vary the size of the filenames...

Bye,
Raymond.
spamassassin block *.png
Hello,

How do I use spamassassin to block *.png so that it goes to the quarantine? 100% of the spam that gets to me is a plain e-mail with a *.png attachment.
Re: spamassassin block *.png
On Fri, 1 May 2009, vibi wrote:

> From: vibi ml...@go2.pl
> To: users@spamassassin.apache.org
> Date: Fri, 1 May 2009 02:56:34 -0700 (PDT)
> Subject: spamassassin block *.png
>
> How to use spamassassin block *.png so that going to the quarantine? 100% of spam that gets to me a plain e-mail with attachment *.png

One possible tool to help reduce this is the FuzzyOcr plugin:

http://fuzzyocr.own-hero.net/

You'll need other graphics software used by the above plugin.

For example, a message I received a couple of days ago scored:

X-Spam-Report: 1.0/6.0 Start SpamAssassin results
 * 1.0 DC_IMG_TEXT_RATIO BODY: Low body to pixel area ratio
 End SpamAssassin results

With the addition of the FuzzyOcr plugin it scored:

X-Spam-Status: Yes, score=12.1 required=6.0 tests=FUZZY_OCR,RDNS_NONE autolearn=disabled version=3.2.5
X-Spam-Report:
 * 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
 * 12 FUZZY_OCR BODY: Mail contains an image with common spam text inside
 * [Words found:]
 * [viagra in 5 lines]
 * [profit in 1 lines]
 * [(9 word occurrences found)]

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk Phone: +44 1225 386101
RE: my emailBL is live!
> > The chance of a collision really is much smaller than I thought, even including the birthday paradox. But rather than just say it's small and ask you to take my word for it I'm providing a link. The Wikipedia page for Birthday Attack has a chart that shows the probability of collision for hashes of various lengths.
> >
> > http://en.wikipedia.org/wiki/Birthday_attack
>
> Well nuts. Unless my estimation is wrong, my half-length MD5sum would be 64-bit and thus the 10^-18 probability of collisions would require a db of 190 entries rather than full-length MD5sum's 820 billion. Unless corrected, I'll revise my algorithm this evening.

Well, a 64-bit hash with a 10^-18 probability of collisions would only require 6 entries in the DB. However a 10^-12 probability should be good enough because there probably aren't a trillion unique email addresses. A 10^-12 probability of collision would allow 6 million entries in the DB.

This is not to suggest that I ever understood the part about using half-length MD5.

Jeff Moss
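The birthday bound the thread is arguing over, as an added example (not from any poster): the standard approximation p ≈ 1 − exp(−n(n−1)/2^(b+1)) for an n-entry table keyed by a b-bit hash, and its inverse, which reproduces the columns of the Wikipedia chart the thread links (about 6 entries for a 64-bit key at 10^-18, on the order of 6×10^3 at 10^-12, and 8.2×10^11 for a 128-bit key at 10^-15). The bit lengths and probabilities in the table are the ones discussed above; nothing else is assumed.

```python
"""Birthday-bound arithmetic for a hash-keyed blocklist (added example)."""
import math


def collision_probability(bits, entries):
    """Probability that at least two of `entries` random keys collide in a `bits`-bit hash.

    Birthday approximation: 1 - exp(-n(n-1) / 2^(bits+1)).  expm1 keeps
    precision when the result is tiny.
    """
    space = 2.0 ** bits
    return -math.expm1(-entries * (entries - 1) / (2.0 * space))


def entries_for_probability(bits, probability):
    """Largest table size that keeps the collision probability at or below `probability`.

    Inverse of the approximation above; log1p(-p) is -p to machine precision
    even for p = 1e-18, where 1 - p would round to exactly 1.0.
    """
    space = 2.0 ** bits
    return math.sqrt(-2.0 * space * math.log1p(-probability))


def table(bit_lengths=(64, 128), probabilities=(1e-18, 1e-15, 1e-12)):
    """Rows of (bits, probability, entries) in the shape of the chart the thread cites."""
    return [(b, p, entries_for_probability(b, p))
            for b in bit_lengths for p in probabilities]


if __name__ == "__main__":
    for bits, p, n in table():
        print(f"{bits:4d}-bit key, p <= {p:.0e}: about {n:.3g} entries")
```

Half-length MD5 (64 bits) therefore buys roughly six thousand entries at 10^-12, while the full 128-bit digest is comfortable with hundreds of billions; the list being published has a few thousand entries, so either the full digest or a careful look at the 64-bit column is needed before truncating.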
Re: spamassassin block *.png
I use FuzzyOCR and a large portion of image spam is cleared. But the messages with *.png do not want to be cut out :(

I made a record:

mimeheader GIF_ATTACHMENT Content-Type =~ /image\/gif;\s*(\n\s+)?name=/
mimeheader PNG_ATTACHMENT Content-Type =~ /image\/png;\s*(\n\s+)?name=/

When I send a test e-mail to my account with a *.png attachment, it goes into quarantine. But spam, as I see, still goes to the mailbox :(

Dennis Davis wrote:
> On Fri, 1 May 2009, vibi wrote:
>
> > From: vibi ml...@go2.pl
> > To: users@spamassassin.apache.org
> > Date: Fri, 1 May 2009 02:56:34 -0700 (PDT)
> > Subject: spamassassin block *.png
> >
> > How to use spamassassin block *.png so that going to the quarantine? 100% of spam that gets to me a plain e-mail with attachment *.png
>
> One possible tool to help reduce this is the FuzzyOcr plugin:
>
> http://fuzzyocr.own-hero.net/
>
> You'll need other graphics software used by the above plugin.
>
> For example, a message I received a couple of days ago scored:
>
> X-Spam-Report: 1.0/6.0 Start SpamAssassin results
>  * 1.0 DC_IMG_TEXT_RATIO BODY: Low body to pixel area ratio
>  End SpamAssassin results
>
> With the addition of the FuzzyOcr plugin it scored:
>
> X-Spam-Status: Yes, score=12.1 required=6.0 tests=FUZZY_OCR,RDNS_NONE autolearn=disabled version=3.2.5
> X-Spam-Report:
>  * 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
>  * 12 FUZZY_OCR BODY: Mail contains an image with common spam text inside
>  * [Words found:]
>  * [viagra in 5 lines]
>  * [profit in 1 lines]
>  * [(9 word occurrences found)]
>
> --
> Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
> d.h.da...@bath.ac.uk Phone: +44 1225 386101
emailBL code
Jeff Moss wrote:
> This is not to suggest that I ever understood the part about using half-length MD5.

No need. I'm using full-length hashes now, plus the SURBL/chmod style IP addresses. I must have lost the email I was composing on the topic, but it's fully propagated by now.

I've attached my code. Note that the code still supports the old truncated string. I'll rip that out soon. Also note that I'm not an advanced perl coder (almost all of my perl scripts start as POSIX shell scripts, including this one) ... so while I'm happy to get *suggestions*, I'm not so eager for the insults and harsh words this list tends to give instead.

#!/usr/bin/perl
## Generates bind data with the data from the anti-phishing-email-reply project.
## Usage: emailbl [SUBDOMAIN] DOMAIN
## Example: emailbl emailbl khopesh.com
## emailbl v0.6 Copyright (C) 2009 by Adam Katz <scriptsATkhopiscom>, AGPL v3+

use warnings;
use strict;
use Digest::MD5 'md5_hex';
use LWP::Simple 'get';

die "Usage: emailbl [SUBDOMAIN] DOMAIN\n" unless @ARGV;
my $subdomain = $ARGV[0];
my $domain = $ARGV[1];
if (!defined $domain || $domain !~ /./) { $domain = $subdomain; $subdomain = ''; }
else { $domain = "$subdomain.$domain"; }
$subdomain = "." . $subdomain;

# six lines for this? ... $dummy_last_seen=`TZ=UTC date +%Y%m%d`
# (gmtime's month is 0-based, so add 1; sprintf does the zero padding)
my @date = gmtime(time);
my $dummy_last_seen = sprintf("%04d%02d%02d", $date[5]+1900, $date[4]+1, $date[3]);

my $list = "phishing_reply_addresses";
my $bindconf = "emailbl.db";

open(LIST, ">", $list) or die $!;
print LIST <<EOF;
te...\@example.com,ABCD,$dummy_last_seen
te...\@emailbl.khopesh.com,ABCD,$dummy_last_seen
hidd...\@example.com,ABCDZ,$dummy_last_seen
hidd...\@emailbl.khopesh.com,ABCDZ,$dummy_last_seen
EOF
# TODO: use subversion!
my $antiphishing_url = "http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses";
my $fetched = get($antiphishing_url);
die "could not fetch $antiphishing_url\n" unless defined $fetched;
print LIST $fetched; # saved for debug purposes
close(LIST);

open(BIND, ">", $bindconf) or die $!;
print BIND "; $domain BIND named, " . gmtime() . " (UTC) from\n";
print BIND "; $antiphishing_url\n\n";

print BIND "; SPF record (just in case)\n";
my $spf = $subdomain;
$spf =~ s/^\.//;
if (!$spf) { $spf = "@"; }
print BIND "$spf\tIN\tTXT\t\"v=spf1 -all\"\n\n";

# more test points - hidden and test can be used as if hashes of themselves.
print BIND "hidden.hash$subdomain IN\tTXT\t\"\@hidden\@\"\n";
print BIND "test.hash$subdomain IN TXT \"te...\@$domain\"\n";
foreach ("2.0.0.127", "hidden.example.com", "test.$domain", "test.example.com") {
  print BIND "$_$subdomain IN TXT $dummy_last_seen\n";
  print BIND "$_$subdomain IN A 127.0.0.15\n";
  #for (my $t=1; $t<5; $t++) {
  #  print BIND "$_$subdomain IN A 127.0.0.$t\n";
  #}
}
print BIND "\n\n";

open(LIST, "<", $list) or die $!;
while (<LIST>) {
  next if (!/^[^#@,]+@[^#@,]+,[A-DZ]+,[0-9]{8}\s*$/);
  chomp;
  my ($hash, $usr, $email, $ans, $start, $ustart, $type_list, $last_seen);
  $hash = $email = $start = $type_list = $last_seen = $_;
  $ans = "; " . $_ . "\n"; # copy original as a comment
  $hash =~ s/@.*//;
  $hash =~ tr [A-Z] [a-z];
  $usr = $hash;
  #$hash = substr(Digest::MD5::md5_hex($hash),16); # 2nd 16 of 32 chars
  $hash = Digest::MD5::md5_hex($hash); # 1:3.2e11 collisions vs 1:190 above
  $usr =~ s/^([^+]{1,16}).*/$1/; # truncate to 16 characters (and drop any +suffix)
  $usr =~ s/^[^a-z0-9]+|[^a-z0-9]+$//g; # fix leading/trailing chars
  $usr =~ s/[^-a-z.0-9]/-/g; # fix illegal chars
  $email =~ s/,.*//;
  $email = "$hash.hash$subdomain\tIN\tTXT\t\"$email\"\n";
  $start =~ s/^[^@]+@([^,]+),.*/$hash.$1$subdomain\tIN/;
  $ustart = $start;
  $ustart =~ s/\Q$hash\E/$usr/;
  $type_list =~ s/.*,([A-IZ]+),.*/$1/;
  if ($type_list =~ /Z/) {
    $email =~ s/"[^"]*"/"\@hidden\@"/; # hide the email address, keep the IN TXT part
    $type_list =~ s/Z//g;
  }
  $type_list =~ s/(?=.)/+/g;        # "AC" becomes "+A+C"
  $type_list =~ tr [ABCD] [1248];    # this needs rewriting when we get an E!
  $type_list = eval("0" . $type_list); # "0+1+4" -> 5
  $type_list = "\tA\t127.0.0.$type_list\n";
  $type_list = $start . $type_list . $ustart . $type_list;
  #my @types = split(/(?=.)/, $type_list);
  $last_seen =~ s/^.*,([0-9]+)\s*$/$start\tTXT\t$1\n/;
  $ans .= $email . $last_seen;
  $last_seen =~ s/\Q$hash\E/$usr/;
  $ans .= $last_seen . $type_list;
  #foreach (@types) {
  #  $ans .= $start . "\tA\t127.0.0." . $_ . "\n";
  #  $ans .= $ustart . "\tA\t127.0.0." . $_ . "\n";
  #}
  print BIND $ans;
}
close(LIST);
close(BIND);
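The other half of the scheme the script above publishes, as an added example (not Adam's code and not part of the APER project): a toy publisher that builds the same zone names from a constructed list fragment, and the client-side lookup that hashes an address, queries `<md5-of-local-part>.<domain>.<zone>`, and decodes the type letters from the last octet using the A=1, B=2, C=4, D=8 encoding and the Z-means-hidden convention visible in the Perl. The zone name `emailbl.example`, the list lines and the in-memory record dictionary (standing in for DNS) are all constructed for the example.

```python
"""Publisher and client side of an emailBL-style DNS zone (added example)."""
import hashlib
import re

ZONE = "emailbl.example"                          # constructed stand-in for the real zone
TYPE_BITS = {"A": 1, "B": 2, "C": 4, "D": 8}      # last-octet encoding used by the script
LINE_RE = re.compile(r"^([^#@,]+)@([^#@,]+),([A-DZ]+),([0-9]{8})\s*$")

# constructed sample in the phishing_reply_addresses format: address,types,last_seen
SAMPLE_LIST = [
    "# comment lines and malformed lines are skipped, as in the script",
    "Dropbox.Owner@example.com,AC,20090501",
    "Quiet.One+tag@example.net,BZ,20090430",
]


def hash_local_part(local):
    """MD5 of the lower-cased local part: the key the zone is built on."""
    return hashlib.md5(local.lower().encode()).hexdigest()


def readable_key(local):
    """Human-readable alias of the local part (mirrors the script's $usr clean-up)."""
    key = local.lower()
    key = re.sub(r"^([^+]{1,16}).*", r"\1", key)        # 16 chars, drop any +suffix
    key = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", key)   # trim leading/trailing junk
    return re.sub(r"[^-a-z.0-9]", "-", key)             # replace other odd characters


def build_zone(lines, zone=ZONE):
    """Publisher side: {fqdn: {'A': addr, 'TXT': text}} from list lines."""
    records = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        local, domain, types, last_seen = m.groups()
        domain = domain.lower()
        bits = sum(TYPE_BITS[t] for t in types if t in TYPE_BITS)
        text = "@hidden@" if "Z" in types else f"{local}@{domain}"
        h = hash_local_part(local)
        records[f"{h}.hash.{zone}"] = {"TXT": text}
        for key in (h, readable_key(local)):
            records[f"{key}.{domain}.{zone}"] = {"A": f"127.0.0.{bits}", "TXT": last_seen}
    return records


def decode_type_flags(a_record):
    """Turn 127.0.0.N back into the type letters whose bits are set in N."""
    last = int(a_record.rsplit(".", 1)[1])
    return [t for t, bit in TYPE_BITS.items() if last & bit]


def lookup(records, address, zone=ZONE):
    """Client side: hash the local part, query <hash>.<domain>.<zone>, decode the answer."""
    local, _, domain = address.partition("@")
    rec = records.get(f"{hash_local_part(local)}.{domain.lower()}.{zone}")
    if rec is None:
        return None
    return {"types": decode_type_flags(rec["A"]), "last_seen": rec["TXT"]}


if __name__ == "__main__":
    zone = build_zone(SAMPLE_LIST)
    for name in sorted(zone):
        print(name, zone[name])
    print(lookup(zone, "dropbox.owner@EXAMPLE.com"))
```

The client never sends the address itself, only the digest of its local part, which is the point of hashing; the readable alias exists for humans grepping the zone and is why the script strips and truncates it so aggressively.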
Re: emailBL code
On 5/1/2009 3:56 PM, Adam Katz wrote:
> Jeff Moss wrote:
> > This is not to suggest that I ever understood the part about using half-length MD5.
>
> No need. I'm using full-length hashes now, plus the SURBL/chmod style IP addresses. I must have lost the email I was composing on the topic, but it's fully propagated by now.
>
> I've attached my code. Note that the code still supports the old truncated string. I'll rip that out soon. Also note that I'm not an advanced perl coder (almost all of my perl scripts start as POSIX shell scripts, including this one) so while I'm happy to get *suggestions*, I'm not so eager for the insults and hash words this list tends to give instead.

I'm trying hard to convince myself this data is really useful.

The whole http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses file has 4518 entries, including vintage 2008.

Compared to the big_boyz my trap feed is quite small, and I collected 1598 entries during the last 4 hrs.

Hm, does anybody have any hit metrics?
Re: emailBL code
Yet Another Ninja wrote:
> > > This is not to suggest that I ever understood the part about using half-length MD5.
> >
> > No need. I'm using full-length hashes now, plus the SURBL/chmod style IP addresses. I must have lost the email I was composing on the topic, but it's fully propagated by now.
> >
> > I've attached my code. Note that the code still supports the old truncated string. I'll rip that out soon. Also note that I'm not an advanced perl coder (almost all of my perl scripts start as POSIX shell scripts, including this one) so while I'm happy to get *suggestions*, I'm not so eager for the insults and hash words this list tends to give instead.
>
> I'm trying hard to convince myself this data is really useful.
>
> The whole http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses file has 4518 entries, including vintage 2008.
>
> Compared to the big_boyz my trap feed is quite small, and I collected 1598 entries during the last 4 hrs.
>
> Hm, does anybody have any hit metrics?

The list was set up to satisfy a very specific group of users that were being targeted by a very specific scam: spear phishing against Higher Education institutions in the UK and USA. It was originally discussed on a mailing list run by nd.edu which can only be subscribed to by people who are in that particular sector. For that particular group, the list has been useful. How useful it is for people outside of that scenario, I don't know.

--
Mike Cardwell (https://secure.grepular.com/) (http://perlcv.com/)
Re: emailBL code
Yet Another Ninja wrote:
> I'm trying hard to convince myself this data is really useful.
>
> The whole http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses file has 4518 entries, including vintage 2008.
>
> Compared to the big_boyz my trap feed is quite small, and I collected 1598 entries during the last 4 hrs.

Well, this is different from traps ... though admittedly not by much. The fact that it's updated so frequently is a merit, and the reason dates are noted is so that you can adjust accordingly.

The emailBL mechanism could easily be populated by a spamtrap, but the danger from false positives (forged sender addresses) would be quite real. Maybe only publish addresses that pass or fail SPF/DKIM/etc, so that domains without a way to verify authenticity are immune to it?

> Does anybody have any hit metrics?

Mike Cardwell responded:
> The list was set up to satisfy a very specific group of users that were being targeted by a very specific scam: spear phishing against Higher Education institutions in the UK and USA. It was originally discussed on a mailing list run by nd.edu which can only be subscribed to by people who are in that particular sector. For that particular group, the list has been useful. How useful it is for people outside of that scenario, I don't know.

This is why I set up the emailbl in the first place: to see what it does. We need an SA plugin next.
Re: 'anti' AWL
On Thu, 30 Apr 2009, LuKreme wrote:

> No, the sender's AWL HURTS new spam. If the score is -2 from the AWL then -2 * -0.2 = 0.4

Ah. Missed the negative. Then this particular piece of the logic is good.

> The odds of any AWL(perIP) other than the legit sender having a negative average are vanishingly small. So you would gain the benefit of positive adjusting spam with almost no chance of an FP

Though again, legit senders that average negative are relatively rare (well, on my system, anyways). So in the unlikely event that spam (from a different server) precedes legitimate mail, the legit sender gets a positive adjustment before they have a chance to score negative...

> As I understand it the AWL is added after all others, but yes, the FIRST legitimate mail will be penalized.

Why only the first? Unless the user's message (and continuing average) scores negative, all messages will continue to be affected.

> > Note that this logic will also be problematic when sender has multiple mail servers. Many senders get a few points positive...
>
> This will only be an issue if those multiple servers have positive AWL scores.

Which is very likely. Spamassassin is constructed on the premise that all mail has a 'few' spam signs, but does not score high enough to be considered 'spam'. Now let's presume that the sender is spoofed by spammers on ten different IP's, producing ten different AWL entries. How will you distinguish the legit sender's IP (except by hoping they have scored negative?)... You will simply add up ALL the IP AWL's and score *any* mail from the sender with a significant positive adjustment.

> As far as I can tell, though it's not easy to be sure, legitimate senders have negative AWL scores.

No, the *effect* of their average may be a negative adjustment to messages that otherwise score high, but the stored 'average' is most likely positive. And for me, it's easy to be sure because I have the score printed on the subject line of all my mail. Less than half my ham scores zero, and very few (other than the messages from this list which are helped by a DNS whitelist) score negative.

> But how often does that really happen?

As I said, most people get a *few* points on legit mail.

> But it's not the points on the mail, it is only the AWL listing that we're looking at. And the AWL listing is an average of the points on all mail. Yes?

OK, how do we parse out the AWL numbers then so we can see what sorts of AWL numbers exist for legit senders.

> As I understand it, if an email comes in from a known sender who was average 0.8 and this email scores 3.0, a negative AWL will be applied to normalize the email closer to 0.8, right? The AWL score is not 0.8, but 3.0 - (AWL value)?

As I understand it, if the AWL has recorded 20 messages (arbitrary number, always increasing) with an average of 0.8, and a new message scores 3.0 then the AWL function does a bit of math and the new average (now on 21 messages) will be something like 0.9 while the AWL's effect on that one message will be to apply a negative adjustment. But the average stored in the database would be the average of all scores.

> Er.. ok. Perhaps I am misunderstanding the AWL. As I understand it, if a bunch of spam comes in from a server with average scores of 7.0 and a new message comes in with a score of 4, it will have a POSITIVE AWL applied to normalize at 7.0. If a message comes from a known sender with an average score of 2, and this email scores 4, it will get a NEGATIVE AWL score to normalize closer to 2.0, right? Since this is a negative AWL 2.a.ii would not apply because the AWL is negative, so section 2 is skipped entirely and we are at 3. AWL is negative = {crickets}.

But in the long term, a user's messages will be distributed around the average, and so half their mail will score 'positive AWL' using your above terminology. Still not a good way to determine how/when to apply an adjustment.

Also, please keep in mind that the whole reason we are discussing this addition to the rules is because we are looking for a way to deal with messages that otherwise score very low. So for the 'target class' of mail, we are MORE likely to have the spam score equal or lower to the legit sender's mail. Not a pretty picture :(

> OK, if the value is 0.1 then it would take up to 50 outbound servers with even distribution to add 5.0 points.

But they are adding it to an existing score that may already be slightly spammy. So that mail may only need another 2 points to exceed someone's chosen threshold.

> That's quite possible. As I said initially, it's just an idea I had to make the AWL penalize botnets much more. If it can't be done, that's fine.

I think there's some promise here though. While it's easy to think of rules that fit 'most cases', the exceptions really make it difficult. Like the user who sends mail normally via Outlook via a primary server, but occasionally uses an
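The two cases argued over above (a known sender averaging 0.8 over 20 messages who now scores 3.0, and a spam source averaging 7.0 that now scores 4.0), run through a small model of the AWL arithmetic as an added example (not code from SpamAssassin or from anyone in the thread). It uses SpamAssassin's documented adjustment, delta = (stored mean − score) × auto_whitelist_factor with the default factor 0.5, and assumes the delta is computed from the mean stored before the current message's raw score is folded into the running total; the stored mean is the average of raw scores, not of adjusted ones, which is the distinction the thread keeps tripping over.

```python
"""Running model of SpamAssassin's auto-whitelist (AWL) adjustment (added example)."""

AWL_FACTOR = 0.5   # SpamAssassin's default auto_whitelist_factor


class AwlEntry:
    """What the AWL stores per sender/IP key: a running total and count of raw scores."""

    def __init__(self):
        self.total = 0.0
        self.count = 0

    def mean(self):
        return None if self.count == 0 else self.total / self.count

    def add(self, score):
        self.total += score
        self.count += 1


def awl_adjustment(stored_mean, score, factor=AWL_FACTOR):
    """Delta applied to this message: pull it part-way towards the sender's stored mean."""
    return (stored_mean - score) * factor


def process_message(entry, score, factor=AWL_FACTOR):
    """Score one message against an entry and return (delta, final score, new stored mean).

    Assumption (labelled): the delta uses the mean stored *before* this message's
    raw score is added, and the stored mean is of raw scores only.
    """
    mean = entry.mean()
    delta = 0.0 if mean is None else awl_adjustment(mean, score, factor)
    entry.add(score)
    return (round(delta, 3), round(score + delta, 3), round(entry.mean(), 3))


def replay(history, score, factor=AWL_FACTOR):
    """Seed a fresh entry with `history` raw scores, then process `score`."""
    entry = AwlEntry()
    for s in history:
        entry.add(s)
    return process_message(entry, score, factor)


if __name__ == "__main__":
    # known sender averaging 0.8 over 20 messages, new message scores 3.0:
    # negative delta, final score pulled down, stored mean creeps up to ~0.9
    print(replay([0.8] * 20, 3.0))
    # spam source averaging 7.0 over 10 messages, new message scores 4.0:
    # positive delta, final score pulled up towards 7.0
    print(replay([7.0] * 10, 4.0))
    # first message from an unknown key gets no adjustment at all
    print(replay([], 4.0))
```

Note what the model makes visible: the sign of the delta depends only on whether the message sits above or below the key's mean, so over time roughly half of a legitimate sender's mail receives a positive delta, exactly the objection raised above to using "positive AWL" as a spam signal.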
Re: Almost no score
Uh, what do these 'ratware' rules trigger on? How effective are they, and what are the chances of false positives?

- Charles

On Thu, 30 Apr 2009, LuKreme wrote:
> (single lines)
>
> header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
> #
> header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
> #
> header KB_RATWARE_BOUNDARY ALL =~ /^Message-Id: ([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary==_NextPart_000__\1\./msi
> #
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1
>
> --
> Exit, pursued by a bear.
Re: emailBL code
Yet Another Ninja wrote:
> I'm trying hard to convince myself this data is really useful.
>
> The whole http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses file has 4518 entries, including vintage 2008.
>
> Compared to the big_boyz my trap feed is quite small, and I collected 1598 entries during the last 4 hrs.

Hello Yet Another Ninja,

big_boyz: as in a small collection of university postmasters? I guess we should be honored, but I have a feeling that you were being condescending.

What exactly are you collecting? Keep in mind that the APER project is very focused on preventing email replies to phishing (hence the name). We aren't trying to stop the phishing itself (directly); there are others that do that.

If you are the opposite of a big_boy, that must mean that your domain is smaller than a large university's, so you must have less than, say, 50,000 unique active users. Are you truly saying that every 4 hours you have 1598 unique (as in the reply-to is unique) phishing attempts, in which the phisher asks one of your users to reply with their credentials?

If what you are saying is true, then you are standing on a gold mine. Would you mind contributing to the project?

Even the largest password-reply phishing campaign we've seen was only sent to 2500 of our users (and that was using the same reply-to). On average, we see around 200 messages (30 unique reply-to's; not all new) of this type of phishing attempt every day. I assume that the other universities see something similar.

As for the vintage of the addresses: no, I don't have metrics. But most of the addresses are in the freemail domains, and we have no indication that the freemail providers are shutting down this type of account. I don't mind scanning logs for, or blocking mail to, the old addresses. But we do include the date (however accurate it is) so you can choose to filter the list any way you desire.

Jesse

--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thomp...@doit.wisc.edu
Re: Almost no score
On Thu, 30 Apr 2009, LuKreme wrote:
> > A tip: the PNG takes up considerably more disk space (and thus loading time) and you're not increasing any quality (since it was originally lossy).
>
> Actually, the PNGs load considerably faster for me as desktop images, which is why I convert them.

I agree that bmp or png loads faster for a desktop, but I would suggest, just as a courtesy to people's bandwidth, that you retain the original jpg, and mail *that* when you want to send your images to people. And that's the reason I wouldn't worry about false positives with the DSL.png rule - most people won't (shouldn't?) be mailing them.

- Charles

--
It was intended that when Newspeak had been adopted once and for all and Oldspeak forgotten, a heretical thought...should be literally unthinkable, at least so far as thought is dependent on words.
RE: Almost no score
On Thu, 2009-04-30 at 09:23 -0400, Jean-Paul Natola wrote:
> > Hi all,
> >
> > I just upgraded to 3.2.5, ran sa-update and I got this message with only one rule tripped. I'm putting a link to the message as well as the headers. If anyone can shed some light here, I would appreciate it.
> >
> > ftp://ftp.fcimail.org/IT/SA/headers.txt
> > ftp://ftp.fcimail.org/IT/SA/Would%20you%20imagine%20your%20life%20having%20no%20pain%20and%20dysfunctions.htm
> >
> > TIA
> > J
>
> I couldn't get the whole message so just ran against the headers:
>
> 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [85.75.94.188 listed in zen.spamhaus.org]
> 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
> 1.0 RCVD_IN_BRBL_LASTEXT RBL: Received via a relay in Barracuda BRBL [85.75.94.188 listed in bb.barracudacentral.org]
> 1.0 RCVD_IN_BRBL_RELAY RBL: received via a relay rated as poor by Barracuda
> 5.0 BOTNET Relay might be a spambot or virusbot [botnet0.8,ip=85.75.94.188,rdns=athedsl-132893.home.otenet.gr,maildomain=jaakiekkolaakarit.com,client,clientwords]
> 4.1 BAYES_80 BODY: Bayesian spam probability is 80 to 95% [score: 0.8897]
> -0.0 DCC_CHECK_NEGATIVE Not listed in DCC [localhost 1117; Body=1]
> 1.0 SAGREY Adds 1.0 to spam from first-time senders
>
> --
> KeyID 0xE372A7DA98E6705Cn

Evidently I'm missing A LOT of rulesets, as I only scored .8 - one rule. I'm running sa-update daily; where are these other rules that you are all running?
Re: Almost no score
I could be asking the same thing as Charles; if I am, I apologize.

I installed the rules below, ran the headers.txt file through SA, and the rules did not trigger. Do I need to configure something else?

Thanks
Craig

Charles Gregory cgreg...@hwcn.org 5/1/2009 9:48 AM wrote:
> Uh, what do these 'ratware' rules trigger on? How effective are they, and what are the chances of false positives?
>
> - Charles
>
> On Thu, 30 Apr 2009, LuKreme wrote:
> > (single lines)
> >
> > header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
> > #
> > header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
> > #
> > header KB_RATWARE_BOUNDARY ALL =~ /^Message-Id: ([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary==_NextPart_000__\1\./msi
> > #
> > score KB_RATWARE_BOUNDARY 2.0
> > score KB_RATWARE_OUTLOOK_16 0.1
> >
> > --
> > Exit, pursued by a bear.
Looks like sa-learn --spam troubles
Greetings all;

I have a script that runs daily against whatever I put in the spam folder, and it is suddenly having a hard time. The error:

bayes: unknown packing format for bayes db, please re-learn: 73 at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 1883.

This seems to be repeated at about 3x for every spam I put in the spam folder. Obviously someone has figured out a way to poison the bayes_db. Is there a fix?

Thanks.

--
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Do you know the difference between a yankee and a damyankee? A yankee comes south to *_visit*.
Re: emailBL code
On 5/1/2009 4:52 PM, Jesse Thompson wrote:
> Yet Another Ninja wrote:
> > I'm trying hard to convince myself this data is really useful.
> >
> > The whole http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses file has 4518 entries, including vintage 2008.
> >
> > Compared to the big_boyz my trap feed is quite small, and I collected 1598 entries during the last 4 hrs.
>
> Hello Yet Another Ninja,
>
> big_boyz: as in a small collection of university postmasters? I guess we should be honored, but I have a feeling that you were being condescending.

Feel as you please. I manage a relatively small trap space compared to some of the players here, so I meant what I said. Traps never correlate to a number of specific rcpt addresses, only.

> If you are the opposite of a big_boy, that must mean that your domain is smaller than a large university's, so you must have less than, say, 50,000 unique active users.

I'm definitely smaller; that doesn't mean that trap traffic can't be huge. Traps aren't active - they sit there and get hammered.

> Are you truly saying that every 4 hours you have 1598 unique (as in the reply-to is unique) phishing attempts, in which the phisher asks one of your users to reply with their credentials?

Nope - I'm collecting generic drop-box type of stuff and not specific phishes for a specific group. These include phishes, lotto scams, etc using specific domains (not rcpt domains).

> If what you are saying is true, then you are standing on a gold mine. Would you mind contributing to the project?

Every school, corp, ISP, soho server, etc is standing on a similar gold mine; I'm not re-inventing the wheel. Only little drawback is how to centralize (or not) all this gold to make it useful to more than me and my dog. Until I have some minimal metrics I can't say.

> As for the vintage of the addresses: no, I don't have metrics. But most of the addresses are in the freemail domains, and we have no indication that the freemail providers are shutting down this type of account. I don't mind scanning logs for, or blocking mail to, the old addresses. But we do include the date (however accurate it is) so you can choose to filter the list any way you desire.

No need to go thru that trouble - you guys know its value. Once apps are here to test the data, then others outside your space will report, I'm sure.

We have different targets. I misunderstood APER's.

This is all work in progress, so keep tuned.

Axb
Re: Almost no score
From: Charles Gregory cgreg...@hwcn.org
Date: Fri, 1 May 2009 10:48:00 -0400 (EDT)

> Uh, what do these 'ratware' rules trigger on?

The rules trigger on spam with a particular Message-Id and boundary pattern.

> How effective are they, and what are the chances of false positives?

For last month the KB_RATWARE_OUTLOOK_08 rule hits 21% of spam (4665 hits out of 21748 spam). It works great here. I haven't seen any FP. Your mileage may vary.

I got the rules from Karsten's sandbox:

http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/kb/70_misc.cf

I would imagine that these rules will eventually show up in sa-update.

-jeff

> On Thu, 30 Apr 2009, LuKreme wrote:
> > (single lines)
> >
> > header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
> > #
> > header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
> > #
> > header KB_RATWARE_BOUNDARY ALL =~ /^Message-Id: ([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary==_NextPart_000__\1\./msi
> > #
> > score KB_RATWARE_BOUNDARY 2.0
> > score KB_RATWARE_OUTLOOK_16 0.1
> >
> > --
> > Exit, pursued by a bear.
Re: Looks like sa-learn --spam troubles
I would say it's less someone poisoning your DB and more your DB becoming corrupt. As it says, a pack format of dec(73) is not a valid value. It's set by the BayesStore module itself, not influenced by the token in question.

You can try to do a dump/verify/restore ... ala:

sa-learn --sync
sa-learn --backup > db-dump
vi db-dump
[... make sure things look as expected, etc ...]
[... backup your db, however appropriate, depending on your setup ...]
sa-learn --restore db-dump

On Fri, May 1, 2009 at 11:23 AM, Gene Heskett gene.hesk...@verizon.net wrote:
> The error:
>
> bayes: unknown packing format for bayes db, please re-learn: 73 at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 1883.
>
> This seems to be repeated at about 3x for every spam I put in the spam folder. Obviously someone has figured out a way to poison the bayes_db. Is there a fix?
Re: Looks like sa-learn --spam troubles
On Fri, 2009-05-01 at 11:23 -0400, Gene Heskett wrote:
> bayes: unknown packing format for bayes db, please re-learn: 73 at /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 1883.
>
> This seems to be repeated at about 3x for every spam I put in the spam folder. Obviously someone has figured out a way to poison the bayes_db.

No. No poison, not triggered externally. After a brief look at the code, this is a warning in an internal function that unpacks the DBM bayes store internal format. Looks like a corrupted token entry in your DBM format bayes store DB.

Please don't scream exploit, unless you had a look at the code.

> Is there a fix?

Frankly, dunno. If it's just a few token entries, it should be fixable by dropping them. Though if a large part of your Bayes DB is corrupted, I'm afraid it's time to start fresh.

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Bombed by PNG spam and spamassassin say its HAM argh
Dave Funk wrote:
> Bob Proulx wrote:
> > I was about to write the list and ask if there is a rule that could be triggered when a message [contains] only an image part but no text parts.
>
> There should already be rules for that exact format.

Which rules? I see no rule hits here. I see that I can use ImageInfo and can create a ONE_IMAGE rule. But I don't see a similar TextInfo module and so can't create a similar ONE_TEXT rule. Is there an existing way to do this?

> We see FPs on them when users e-mail in a windows screen capture to show us a particular error they're getting. They'll put the complaint in the subject line, paste the image into their Outlook, hit 'send'.

Yes. It is well documented that people will do the darnedest things! I don't doubt that they would have FPs as a general case. But that is why I included the weasel words here in my note. But even if not 100% assured everywhere then scoring it appropriately for general distribution should still allow it to increase the effectiveness of the rules for the masses.

> > And then I could score it up. As far as I can tell that would work great here and for me no false positives.

Specifically here that would be okay. It might not be good for other people but it would be good here and would really help with the current image only spam.

Bob
Re: ifspamh error logs
On Fri, 2009-05-01 at 01:38 -0700, an anonymous Nabble wrote:
> I am trying to get ifspamh working within my .qmail-user file but there is
> obviously an error either with the vars set up within the ifspamh file or
> somewhere else as the emails are just looping until I change the
> .qmail-user file back. I want to maybe try and run the ifspamh command
> from the line to see if I can get it work there and if not it should
> present me with the relevant error messages..?

Slightly off-topic, I guess -- at least it is an old script meant to call SA...

> Is this possible and if so how would I feed the message into it? Would
> there be any error logs saved from the .qmail-user script that I can look
> at now?

Now that's off-topic. :)

> My .qmail-user script looks like this:
>
> |/usr/bin/ifspamh s...@address.com u...@address.com

Err -- are you *forwarding* mail back to the *same* user? Yeah, sounds like a loop indeed...

> Any help would be appreciated,

Please note that I do *not* know qmail -- just got curious, and looked up some info on that script and the dot-qmail man page.

-- 
Karsten
Re: Almost no score
On Fri, 1 May 2009, Raymond Dijkxhoorn wrote:
>> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
> Make that 4,5 since they also vary the size of the filenames...

You might also want to use \d instead of [0-9]. Bytes don't grow on trees, y'know. :)

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76  D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Warning Labels we'd like to see #1: If you are a stupid idiot while
  using this product you may hurt yourself. And it won't be our fault.
-----------------------------------------------------------------------
 7 days until the 64th anniversary of VE day
Re: emailBL code
On Fri, 1 May 2009, Adam Katz wrote:
> The emailBL mechanism could easily be populated by a spamtrap, but the
> danger from false positives (forged sender addresses) would be quite real.

How would the phisher collect the password info from their target using a forged sender address?

Suggestion: ignore the sender address if there is a Reply-To: header or if there is an email address in the body of the message. There might need to be some logic around detecting the contact address in the message body - there could be garbage addresses inserted to get the phishtrap to ignore the sender address...

-- 
 John Hardin KA7OHZ
Re: Almost no score
> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/

It seems a wave of image spam is going out. Would it be reasonable to push this rule (with suitable modifications for length, etc.) and/or the ImageInfo version out as a base SA update so that the most people can benefit?

-- 
 John Hardin KA7OHZ
Re: emailBL code
On Fri, 1 May 2009, Yet Another Ninja wrote:
> Only little drawback is how to centralize (or not) all this gold to make it
> useful to more than me and my dog.

I (and I'm sure others) would be willing to feed phishing corpa from our quarantines, so long as it's easy to do.

-- 
 John Hardin KA7OHZ
Re: [SA] emailBL code
John Hardin wrote:
> How would the phisher collect the password info from their target using a
> forged sender address?

A web form.
Virtual Postfix Users move SPAM to .Junk
Hello,

I have been trying to find a way to automatically move messages that have been tagged as spam by SA to my virtual users' .Junk folder. I need this to happen server-side because my users use IMAP, and most email clients don't allow filtering rules to deposit mail into an IMAP folder. My MTA is Postfix, and it will not allow me to call procmail for virtual accounts for Security Reasons. I have extensively searched the net and mailing lists and have not found a solution. As a last resort I am considering creating a grep-based filter, but that seems expensive. I am really hoping someone can point me in the right direction.

spamassassin-3.2.5-1
postfix-2.3.3-2.1
dovecot-1.0.7-7
procmail-3.22-17.1
CentOS 5.1

Thanks so much,
--Jason
Re: Re: Bombed by PNG spam and spamassassin say its HAM argh
Hi Bob,

Am 2009-04-30 21:41:30, schrieb Bob Proulx:
> I was about to write the list and ask if there is a rule that could be
> triggered when a message no only an image part but no text parts. I have
> no idea how to create it but that would be very useful for me and this
> type of spam. As far as I can tell that would work great here and for me
> no false positives.

Currently I am trying to get in courier localmailfilter running by using a procmail rule:

:0
* > 16500
* < 18500
* H ?? ^Content-Type: multipart/mixed
* B ?? ^Content-Type: image/png
.Spam_png/

This rule has already collected over 480 MByte...

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/
Michelle Konzack            http://www.can4linux.org/
Apt. 917                    http://www.flexray4linux.org/
50, rue de Soultz           Jabber linux4miche...@jabber.ccc.de
67100 Strasbourg/France     IRC #Debian (irc.icq.com)
Tel. DE: +49 177 9351947    ICQ #328449886
Tel. FR: +33 6 61925193
Re: [SA] emailBL code
On Fri, 1 May 2009, Adam Katz wrote:
> John Hardin wrote:
>> How would the phisher collect the password info from their target using
>> a forged sender address?
>
> A web form.

Hrm. Okay, I'll buy that. If you're going to spear-phish a specific organization then it would be reasonable to put the effort into forging a password capture website that looks plausible.

-- 
 John Hardin KA7OHZ
Re: Virtual Postfix Users move SPAM to .Junk
At 10:23 AM 5/1/2009, you wrote:
> I have been trying to find a way to automatically move messages that have
> been tagged as spam by SA to my virtual users' .Junk folder. I need this to
> happen server-side because my users use IMAP, and most email clients don't
> allow filtering rules to deposit mail into an IMAP folder. My MTA is
> Postfix, and it will not allow me to call procmail for virtual accounts for
> Security Reasons. I have extensively searched the net and mailing lists and
> have not found a solution. As a last resort I am considering creating a
> grep-based filter, but that seems expensive. I am really hoping someone can
> point me in the right direction.
>
> spamassassin-3.2.5-1
> postfix-2.3.3-2.1
> dovecot-1.0.7-7
> procmail-3.22-17.1
> CentOS 5.1

As Spamassassin is not capable of this, your best bet is to ask on a postfix group. postfix-us...@postfix.org.
Re: Virtual Postfix Users move SPAM to .Junk
On Fri, 1 May 2009, jason_quick wrote:
> I have been trying to find a way to automatically move messages that have
> been tagged as spam by SA to my virtual users' .Junk folder.

Strictly speaking that isn't the province of SA. SA is only a scoring tool.

> procmail-3.22-17.1

If procmail is your LDA, that's the place to make delivery decisions. If you search the SA list archives for procmail you'll probably get lots of ways to do that. You could probably also search the procmail list archives for spamassassin and get lots of ways as well.

-- 
 John Hardin KA7OHZ
Re: Virtual Postfix Users move SPAM to .Junk
jason_quick wrote:
> Hello,
>
> I have been trying to find a way to automatically move messages that have
> been tagged as spam by SA to my virtual users' .Junk folder. I need this to
> happen server-side because my users use IMAP, and most email clients don't
> allow filtering rules to deposit mail into an IMAP folder. My MTA is
> Postfix, and it will not allow me to call procmail for virtual accounts for
> Security Reasons. I have extensively searched the net and mailing lists and
> have not found a solution. As a last resort I am considering creating a
> grep-based filter, but that seems expensive. I am really hoping someone can
> point me in the right direction.

<SNIP>

Hi Jason,

I use procmail to achieve just this, can you provide some log extracts on where you are seeing "Security Reasons"?

Kind Regards,
Dave Walker
Re: Virtual Postfix Users move SPAM to .Junk
On Fri, 1 May 2009, John Hardin wrote:
> On Fri, 1 May 2009, jason_quick wrote:
>> I have been trying to find a way to automatically move messages that have
>> been tagged as spam by SA to my virtual users' .Junk folder.
>
> Strictly speaking that isn't the province of SA. SA is only a scoring tool.
>
>> procmail-3.22-17.1
>
> If procmail is your LDA, that's the place to make delivery decisions.

Whoops. I skipped over the part where this won't work for your virtuals. Sorry!

-- 
 John Hardin KA7OHZ
Re: [SA] Almost no score
John Hardin wrote:
>> mimeheader DSL4DIG_PNG Content-Type =~ /name\=\"DSL[0-9]{4}\.png\"/
>
> It seems a wave of image spam is going out. Would it be reasonable to push
> this rule (with suitable modifications for length, etc.) and/or the
> ImageInfo version out as a base SA update so that the most people can
> benefit?

My dialog with aixenv on irc://irc.freenode.net/#spamassassin (and other parts of this thread) yielded a slightly more flexible regex, matched with the fact that the image always has the same dimensions:

mimeheader __DSCL4_PNG   Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
body       __PNG_240_400 eval:image_size_exact('png',240,400)
meta       DSCL4DIG_PNG  __DSCL4_PNG && __PNG_240_400
describe   DSCL4DIG_PNG  Supposed digital camera photo is a PNG

Probably the mimeheader check alone is enough.

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam
Re: [SA] Almost no score
On Fri, 2009-05-01 at 14:04 -0400, Adam Katz wrote:
> mimeheader __DSCL4_PNG   Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
> body       __PNG_240_400 eval:image_size_exact('png',240,400)
> meta       DSCL4DIG_PNG  __DSCL4_PNG && __PNG_240_400
> describe   DSCL4DIG_PNG  Supposed digital camera photo is a PNG
>
> Probably the mimeheader check alone is enough.

Just got the first one I've seen in this spam campaign. The mimeheader in this case has no image name, which strikes me as a sure fire spam recogniser, or can drag'n drop cause that with some MUAs?

Combining a noname image with no body text and/or the usual collection of meds/porno words/phrases in the subject line should be fairly reliable.

Martin
Re: emailBL code
John Hardin wrote:
> On Fri, 1 May 2009, Adam Katz wrote:
>> The emailBL mechanism could easily be populated by a spamtrap, but the
>> danger from false positives (forged sender addresses) would be quite real.

On a related note: you also need to worry about the phishers intentionally forging the Reply-To with normal addresses in an attempt to poison the list.

> Suggestion: ignore the sender address if there is a Reply-To: header or if
> there is an email address in the body of the message. There might need to be
> some logic around detecting the contact address in the message body - there
> could be garbage addresses inserted to get the phishtrap to ignore the sender
> address...

That's what we do. We've had lengthy discussions about this issue. It all boils down to accurately gauging the intention of the phisher, which is essentially impossible to automate.

It gets tricky when you consider the situation where the phisher intended the user to reply to the address included in the body, but the user doesn't pay attention and replies to the From instead, *and* the phisher happens to still have access to the original compromised account (the From address) used to send the phish. So, it makes sense to add the From to the list in this case. However, the account in question is usually cleaned up by the email provider quickly, so now a normal user's address is on the list. And... to make matters worse, that user will potentially start receiving credentials from other users that are replying to the phish messages.

Anyway, here is the current state of how we classify the addresses:

Possible values for TYPE:
  A: The ADDRESS was used in the Reply-To header.
  B: The ADDRESS was used in the From header.
  C: The content of the phishing message contained the ADDRESS.
  D: The content of the phishing message contained the ADDRESS, and it was obfuscated.
  E: The ADDRESS (usually in the From header) might receive replies but it was not intended to receive the replies.

Note: unless otherwise specified, in order for the ADDRESS to qualify for each TYPE, it must have been intended to receive the replies.

Jesse

-- 
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM: jesse.thomp...@doit.wisc.edu
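The A-E scheme above, together with John Hardin's earlier suggestion (ignore the sender address when a Reply-To or an in-body address is present), can be turned into a small extractor that pulls the candidate reply-collection addresses out of a phish and tags each one. The code below is an added example and not the list's own tooling; the message it runs on is constructed, the "user (at) host (dot) tld" obfuscation forms it recognises are an assumption, and it implements the "not intended to receive replies" case mechanically (From becomes type E whenever some other address was found), which the post says really needs human judgement.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Plain addresses, and common "user (at) host (dot) tld" obfuscations
# (assumed forms; the thread does not say which obfuscations are seen).
ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
OBFUSCATED = re.compile(
    r"([\w.+-]+)\s*(?:\(at\)|\[at\]|\bat\b)\s*"
    r"([\w-]+(?:\s*(?:\(dot\)|\[dot\]|\bdot\b)\s*[\w-]+)+)", re.I)


def _deobfuscate(match):
    """Turn 'user (at) example (dot) org' into 'user@example.org'."""
    user, domain = match.group(1), match.group(2)
    domain = re.sub(r"\s*(?:\(dot\)|\[dot\]|\bdot\b)\s*", ".", domain, flags=re.I)
    return f"{user}@{domain}".lower()


def _text_body(msg):
    """Concatenate all text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def classify_reply_addresses(raw):
    """Return [(address, TYPE)] using the A-E scheme from the thread.

    A: Reply-To header          C: address in body
    B: From, nothing else found D: obfuscated address in body
    E: From present, but some other address was the intended collector
    """
    msg = message_from_string(raw)
    found = []
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to:
        found.append((reply_to, "A"))
    body = _text_body(msg)
    for addr in ADDR.findall(body):
        found.append((addr.lower(), "C"))
    for m in OBFUSCATED.finditer(body):
        found.append((_deobfuscate(m), "D"))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender and sender not in {a for a, _ in found}:
        # John Hardin's rule: the sender only counts when nothing else
        # points at a collection address; otherwise record it as E.
        found.append((sender, "B" if not found else "E"))
    return found


# Constructed sample messages (not real phish).
SAMPLE_PHISH = """\
From: "Webmail Admin" <compromised.user@example.net>
Reply-To: account-verify@example-mail.test
Subject: Your webmail is expired!!!
Content-Type: text/plain; charset=us-ascii

Your webmail account will be closed. Send your username and password
to upgrade@example-helpdesk.test or it-support (at) example (dot) org
within 24 hours.
"""

SAMPLE_FROM_ONLY = """\
From: helpdesk@example-mail.test
Subject: Your mailbox quota

Reply to this message with your password to keep your mailbox active.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_FROM_ONLY):
        for addr, kind in classify_reply_addresses(raw):
            print(f"{kind} {addr}")
```

Addresses tagged E are the ones Jesse describes as dangerous to list: a compromised but soon-cleaned account that would later attract other victims' replies if it stayed on the blocklist.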
Re: Almost no score
On 1-May-2009, at 08:48, Charles Gregory wrote:
> Uh, what do these 'ratware' rules trigger on?

Spammish message IDs with spammish MIME boundary tags.

Message-ID: 000d01c9c74c$bc2f05d0$6400a...@venomousf
From: Shannon England venomo...@blackmanlawoffice.com
Subject: We hae the best alarm-clocks for your little buddy down there.
Date: Mon, 27 Apr 2009 11:27:54 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0075_01C9C74C.BC2F05D0

matches, for example.

> How effective are they,

They catch quite a lot of spam that otherwise does not score high enough to be caught.

> and what are the chances of false positives?

I've not had any myself. YMMV.

-- 
The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments.
Re: Almost no score
On 1-May-2009, at 12:04, Adam Katz wrote:
> mimeheader __DSCL4_PNG   Content-Type =~ /name\=\"DS[CL]\d{4,5}\.png\"/
> body       __PNG_240_400 eval:image_size_exact('png',240,400)
> meta       DSCL4DIG_PNG  __DSCL4_PNG && __PNG_240_400
> describe   DSCL4DIG_PNG  Supposed digital camera photo is a PNG
>
> Probably the mimeheader check alone is enough.

What are you scoring this at? I think with the dimensions that could safely score quite high.

I ended up with something like this after adding your image size.

# /i on the name check: camera prefixes such as DSC/DSL are upper case
mimeheader DIGI_PNG      Content-Type =~ /name\=\"[a-z]{3,4}_?\d{4,5}\.png\"/i
body       __PNG_240_400 eval:image_size_exact('png',240,400)
meta       META_DIGI_PNG DIGI_PNG && __PNG_240_400
describe   META_DIGI_PNG 240,400 PNG DIGICAM
describe   DIGI_PNG      Digital camera pic name, but png
score      DIGI_PNG      1.0
score      META_DIGI_PNG 2.0

-- 
Ten Minutes ago you beat a man senseless. He was senseless before I beat him.
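The rules traded in this thread combine three observations: a "digital camera" PNG filename (DSC/DSL plus digits), a fixed 240x400 image size, and, from Bob Proulx's and Martin's posts, an image part with no image name and no text part at all. The following is an added example, not code from the thread or from SpamAssassin: it reimplements those checks over a MIME message in Python so that each condition can be tested on its own. The PNG dimension check reads the IHDR chunk, which is what ImageInfo's image_size_exact() needs to know; the rule names NONAME_PNG and IMAGE_ONLY are my own labels, and the messages it runs on are constructed, with a minimal PNG header standing in for a real image.

```python
import re
import struct
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Name pattern of the thread's __DSCL4_PNG rule (DSC/DSL + 4-5 digits + .png).
DSCL_NAME = re.compile(r"^DS[CL]\d{4,5}\.png$", re.I)
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_size(data):
    """Return (width, height) from the PNG IHDR chunk, or None if not a PNG.

    Layout: 8-byte signature, then the IHDR chunk (u32 length, b'IHDR',
    u32 width, u32 height, ...), all big-endian.
    """
    if len(data) < 24 or data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def check_message(raw):
    """Return the set of (hypothetical) rule names a message would hit."""
    msg = message_from_string(raw)
    hits = set()
    text_parts = image_parts = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype.startswith("text/"):
            if payload.strip():          # an empty text part is not body text
                text_parts += 1
        elif ctype == "image/png":
            image_parts += 1
            name = part.get_param("name")
            if name is None:
                hits.add("NONAME_PNG")   # Martin's "no image name" case
            elif DSCL_NAME.match(name):
                hits.add("__DSCL4_PNG")
            if png_size(payload) == (240, 400):
                hits.add("__PNG_240_400")
    # meta DSCL4DIG_PNG  __DSCL4_PNG && __PNG_240_400
    if {"__DSCL4_PNG", "__PNG_240_400"} <= hits:
        hits.add("DSCL4DIG_PNG")
    # Bob Proulx's "image part but no text part" condition
    if image_parts and not text_parts:
        hits.add("IMAGE_ONLY")
    return hits


# --- constructed sample data (not real spam) --------------------------------
def tiny_png(width, height):
    """Minimal PNG header (signature + IHDR) of the given size; CRC left zero."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"


def build_sample(filename, with_text, size=(240, 400)):
    """multipart/mixed message carrying one PNG, optionally with a text part."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "someone@example.test"
    msg["Subject"] = "fw: photo"
    if with_text:
        msg.attach(MIMEText("Here is the screenshot of the error I mentioned."))
    img = MIMEImage(tiny_png(*size), _subtype="png")
    if filename is not None:
        img.set_param("name", filename)   # Content-Type: image/png; name="..."
    msg.attach(img)
    return msg.as_string()


if __name__ == "__main__":
    for fn, txt in [("DSC12345.png", False), ("DSC12345.png", True),
                    (None, False), ("screenshot.png", True)]:
        print(fn, txt, sorted(check_message(build_sample(fn, txt))))
```

The fourth sample (a named screenshot with a text part) is Dave Funk's false-positive case from earlier in the thread: it still hits the size sub-rule, but neither the name meta rule nor the image-only condition, which is why the two conditions are worth keeping separate and scoring independently.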
Re: Virtual Postfix Users move SPAM to .Junk
On 1-May-2009, at 11:23, jason_quick wrote:
> I have been trying to find a way to automatically move messages that have
> been tagged as spam by SA to my virtual users' .Junk folder.

I use procmail to do this on the server.

> I need this to happen server-side because my users use IMAP, and most email
> clients don't allow filtering rules to deposit mail into an IMAP folder.

What? I don't think I've ever used a client that didn't allow filtering messages to an IMAP folder.

> My MTA is Postfix, and it will not allow me to call procmail for virtual
> accounts

Works for me.

/etc/postfix/main.cf
  virtual_transport = procmail

/etc/postfix/master.cf
  procmail  unix  -  n  n  -  -  pipe
    -o flags=uhFORD user=vpopmail argv=/usr/local/bin/procmail -t -m USER=${recipient} EXTENSION=${extension} /usr/local/etc/procmailrc.common

-- 
Against stupidity the gods themselves contend in vain.
Re: Virtual Postfix Users move SPAM to .Junk
jason_quick wrote:
> Hello,
>
> I have been trying to find a way to automatically move messages that have
> been tagged as spam by SA to my virtual users' .Junk folder. I need this to
> happen server-side because my users use IMAP, and most email clients don't
> allow filtering rules to deposit mail into an IMAP folder. My MTA is
> Postfix, and it will not allow me to call procmail for virtual accounts for
> Security Reasons. I have extensively searched the net and mailing lists and
> have not found a solution. As a last resort I am considering creating a
> grep-based filter, but that seems expensive. I am really hoping someone can
> point me in the right direction.
>
> spamassassin-3.2.5-1
> postfix-2.3.3-2.1
> dovecot-1.0.7-7
> procmail-3.22-17.1
> CentOS 5.1

your best choice is to upgrade dovecot and use dovecot-sieve.

if that's not possible, maildrop may be a good choice, depending on your setup (it's easy if all your mailstore belongs to a single uid...)

finally, another option is to use amavisd-new. you can configure it to redirect spam to user+s...@domain (add extension). then you can play with postfix and possibly dovecot, depending on how you deliver mail.

in any case, this is not related to spamassassin. depending on your choice, the appropriate list is one or more of: dovecot, courier-maildrop, postfix-users, amavis-user
Re: Looks like sa-learn --spam troubles
On Friday 01 May 2009, Theo Van Dinter wrote:
> I would say it's less someone poisoning your DB and more your DB becoming
> corrupt. As it says, a pack format of dec(73) is not a valid value. It's
> set by the BayesStore module itself, not influenced by the token in
> question.
>
> You can try to do a dump/verify/restore ... ala:
>
> sa-learn --sync
> sa-learn --backup > db-dump
> vi db-dump [... make sure things look as expected, etc ...]
> [... backup your db, however appropriate, depending on your setup ...]
> sa-learn --restore db-dump
>
> On Fri, May 1, 2009 at 11:23 AM, Gene Heskett gene.hesk...@verizon.net wrote:
>> The error:
>>
>> bayes: unknown packing format for bayes db, please re-learn: 73 at
>> /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 1883.
>>
>> This seems to be repeated at about 3x for every spam I put in the spam
>> folder. Obviously someone has figured out a way to poison the bayes_db.
>>
>> Is there a fix?

I haven't tried that, but did recover that user's .spamassassin tree from this morning when it was ok. Didn't help. Where is that db kept?

Thanks.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
You have a will that can be influenced by all with whom you come in contact.
Re: emailBL code
On Fri, May 1, 2009 at 7:52 AM, Jesse Thompson jesse.thomp...@doit.wisc.edu wrote:
> Yet Another Ninja wrote:
>> I'm trying hard to convince myself this data is really useful.

I work for a Canadian provincial government, on a system with about 50,000 mailboxes. I scanned our outbound mail logs over the past 6 months with this data. There were 31 replies to "Your webmail is expired!!!" type messages in that period. If we had been blocking outbound mail based on this list, the two compromised accounts we had to deal with (one of which made the list in its turn) wouldn't have happened. I definitely see value here.

>> compared to the big_boyz my trap feed is quite small and I collected 1598
>> entries during the last 4 hrs
>
> Hello Yet Another Ninja,
>
> big_boyz: as in a small collection of university postmasters? I guess we
> should be honored, but I have a feeling that you were being condescending.

I got the impression he was talking about the major RBL providers (spamhaus, spamcop), and the commercial filtering vendors.

[snip]

> Even the largest password-reply phishing campaign we've seen was only sent
> to 2500 of our users (and that was using the same reply-to). On average, we
> see around 200 messages (30 unique reply-to's; not all new) of this type of
> phishing attempt every day. I assume that the other universities see
> something similar.

After I spend some more time evaluating things, and looking for this specific type of campaign, I'm planning to start blocking outbound mail based on your list. If I develop some tools for finding the campaigns I'd be happy to contribute the messages.

Austin.
Re: Looks like sa-learn --spam troubles
On Friday 01 May 2009, Karsten Bräckelmann wrote:
> On Fri, 2009-05-01 at 11:23 -0400, Gene Heskett wrote:
>> bayes: unknown packing format for bayes db, please re-learn: 73 at
>> /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 1883.
>>
>> This seems to be repeated at about 3x for every spam I put in the spam
>> folder. Obviously someone has figured out a way to poison the bayes_db.
>
> No. No poison, not triggered externally. After a brief look at the code,
> this is a warning in an internal function that unpacks the DBM bayes store
> internal format. Looks like a corrupted token entry in your DBM format
> bayes store DB.
>
> Please don't scream exploit, unless you had a look at the code.
>
>> Is there a fix?
>
> Frankly, dunno. If it's just a few token entries, it should be fixable by
> dropping them. Though if a large part of your Bayes DB is corrupted, I'm
> afraid it's time to start fresh.

The other email procedure I did, and basically, except for a few really long lines that I nuked, all ending in @casabyte.com, it looks rather blah. Is this a clue of something I might be able to find with vim's /str finder? I do note that it sometimes stores the address in the clear, and sometimes in a hash that looks like an md5sum or similar.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If you have nothing to do, don't do it here.
Re: Looks like sa-learn --spam troubles
On Friday 01 May 2009, Theo Van Dinter wrote:
> I would say it's less someone poisoning your DB and more your DB becoming
> corrupt. As it says, a pack format of dec(73) is not a valid value. It's
> set by the BayesStore module itself, not influenced by the token in
> question.
>
> You can try to do a dump/verify/restore ... ala:
>
> sa-learn --sync

check

> sa-learn --backup > db-dump

check

> vi db-dump [... make sure things look as expected, etc ...]

Using vim I found about 10 lines that were really long, 200+ chars, all ending in @casabyte.com, and nuked them. That is very close to a 1 million line file!

> [... backup your db, however appropriate, depending on your setup ...]
> sa-learn --restore db-dump

Did this twice, the first time I found spamc trying to use it, so I waited till it was done and repeated this operation. Didn't help, maillog is still about 2 screens full of this error for every message processed.

Next?

Thanks.

> On Fri, May 1, 2009 at 11:23 AM, Gene Heskett gene.hesk...@verizon.net wrote:
>> The error:
>>
>> bayes: unknown packing format for bayes db, please re-learn: 73 at
>> /usr/lib/perl5/vendor_perl/5.10.0/Mail/SpamAssassin/BayesStore/DBM.pm line 1883.
>>
>> This seems to be repeated at about 3x for every spam I put in the spam
>> folder. Obviously someone has figured out a way to poison the bayes_db.
>>
>> Is there a fix?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Sand fleas eating the Internet cables
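The "make sure things look as expected" step of Theo's dump/verify/restore procedure is the one that was done by eye in vim here. As an added example (not part of the thread, and not a SpamAssassin tool), the script below does that inspection mechanically over a `sa-learn --backup` dump before it is fed to `sa-learn --restore`: it flags records that do not have the expected field shape and, following Gene's observation, any line far longer than a normal token record. The record layout it assumes (tab-separated `v`, `t` and `s` lines, as written by the 3.2 DBM backend) is stated in the comments and should be checked against the first lines of a real dump; the sample dump is constructed, with an obviously fake overlong line standing in for the junk Gene found.

```python
import re

# Assumed layout of `sa-learn --backup` output (SpamAssassin 3.2, DBM store):
#   v<TAB><number><TAB><name>[ # comment]      db_version, num_spam, num_ham
#   t<TAB><spam_count><TAB><ham_count><TAB><atime><TAB><token>
#   s<TAB><s|h><TAB><message-id>               "seen" records
HEADER_RE = re.compile(r"^v\t\d+\t\w+(?:\s*#.*)?$")
TOKEN_RE = re.compile(r"^t\t\d+\t\d+\t\d+\t\S+$")
SEEN_RE = re.compile(r"^s\t[sh]\t\S+$")


def check_dump(lines, max_len=200):
    """Return [(lineno, reason)] for lines that should not go back into Bayes.

    max_len is a sanity bound on record length: a token record is a few
    numbers plus one token, so a line of hundreds of characters is junk
    (the case reported in this thread), whatever it contains.
    """
    problems = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if len(line) > max_len:
            problems.append((n, f"line longer than {max_len} chars"))
            continue
        if HEADER_RE.match(line) or SEEN_RE.match(line) or TOKEN_RE.match(line):
            continue
        problems.append((n, "malformed record"))
    return problems


def clean_dump(lines, max_len=200):
    """Return the dump with every flagged line removed."""
    bad = {n for n, _ in check_dump(lines, max_len)}
    return [line for n, line in enumerate(lines, 1) if n not in bad]


# Constructed sample dump (values are made up).
SAMPLE_DUMP = [
    "v\t3\tdb_version # this must be the first line!!!",
    "v\t1200\tnum_spam",
    "v\t3400\tnum_ham",
    "t\t12\t0\t1241193600\t0a1b2c3d4e",
    "t\t0\t7\t1241193600\t5f6e7d8c9b",
    # constructed overlong junk record, standing in for the lines found in the thread
    "t\t3\t1\t1241193600\t" + "deadbeef" * 40 + "@example.invalid",
    "garbage line with no tabs",
    "s\ts\t<msgid-1@example.invalid>",
]

if __name__ == "__main__":
    for lineno, reason in check_dump(SAMPLE_DUMP):
        print(f"line {lineno}: {reason}")
    print(len(clean_dump(SAMPLE_DUMP)), "lines kept")
```

Run it as a filter (`check_dump(open("db-dump"))`) before `sa-learn --restore`; if a large fraction of the file is flagged, that is the "start fresh" case Karsten describes rather than something to patch line by line.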
Re: emailBL code
Mandy wrote:
> I work for a Canadian provincial government, on a system with about 50,000
> mailboxes. I scanned our outbound mail logs over the past 6 months with this
> data. There were 31 replies to "Your webmail is expired!!!" type messages in
> that period. If we had been blocking outbound mail based on this list, the
> two compromised accounts we had to deal with (one of which made the list in
> its turn) wouldn't have happened. I definitely see value here.

Can you determine how many of those were out-of-office messages?

Then again, even at just two, if you can stop such compromises, it's worth it (and then some).

I'd still rather block the offending message than intercept responses to it (as that means it has suckered users, which means it has wasted their time). I see APER as a possible aid in that pursuit, though as Jesse has mentioned, it is not fully reliable (as to be determined). Still, these little checks add up, so even if APER gives a message 0.1 points, that might be enough to mark it as spam or even block it at the door.

As a secondary defense, blocking replies sounds like a grand idea.
Re: Almost no score
LuKreme wrote:
> This is what I have in local.cf (single lines)
>
> header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
> #
> header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: ([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary==_NextPart_000__\1\.\2/msi
> #
> header KB_RATWARE_BOUNDARY   ALL =~ /^Message-Id: ([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary==_NextPart_000__\1\./msi
> #
> score KB_RATWARE_BOUNDARY 2.0
> score KB_RATWARE_OUTLOOK_16 0.1

Can you please explain the rationale behind your scoring. I've just installed these 3 rules to test and so far either all 3 are being triggered on spam, or none at all. Presumably BOUNDARY is deemed safer (less FP potential) than OUTLOOK_12 or OUTLOOK_16.
Re: Almost no score
On Fri, 1 May 2009, Ned Slider wrote:
> Can you please explain the rationale behind your scoring. I've just
> installed these 3 rules to test and so far either all 3 are being triggered
> on spam, or none at all. Presumably BOUNDARY is deemed safer (less FP
> potential) than OUTLOOK_12 or OUTLOOK_16.

Didn't Karsten say they were incremental refinements of the same rule? Meaning, you'd only use one...

-- 
 John Hardin KA7OHZ
Re: Almost no score
John Hardin wrote:
> On Fri, 1 May 2009, Ned Slider wrote:
>> Can you please explain the rationale behind your scoring. I've just
>> installed these 3 rules to test and so far either all 3 are being
>> triggered on spam, or none at all. Presumably BOUNDARY is deemed safer
>> (less FP potential) than OUTLOOK_12 or OUTLOOK_16.
>
> Didn't Karsten say they were incremental refinements of the same rule?
> Meaning, you'd only use one...

Quite possibly John, I may well have missed that. I only picked up on this today :)
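The KB_RATWARE rules discussed in this thread work by tying two headers together with a backreference: the hex fields of an Outlook-style Message-Id must reappear in the MIME boundary, as they do in the sample LuKreme quoted (`...01c9c74c$bc2f05d0$...` against `..._01C9C74C.BC2F05D0`). The exact ratware fingerprint the rules key on did not survive the archive's mangling of the regexes, so the example below does not try to reconstruct them; it is an added example, not the thread's code, showing only the cross-header mechanics (parse the Message-Id, parse the boundary parameter, compare the two case-insensitively) that such a rule performs inside one `ALL =~ /.../msi` match. The headers it runs on are constructed, and the Message-Id field layout it assumes is described in the comment.

```python
import re
from email import message_from_string

# Outlook/OE-style Message-Id, as seen in the sample quoted in the thread:
#   <hex12$hex8$hex8@host>
# whose boundary repeats the last 8 hex digits of the first field and the
# whole second field: ----=_NextPart_000_NNNN_HEX8.HEX8
MSGID_RE = re.compile(r"<?[0-9a-f]{4}([0-9a-f]{8})\$([0-9a-f]{8})\$[0-9a-f]+@", re.I)


def id_boundary_correlate(raw):
    """Return (correlated, message_id, boundary) for a message's headers.

    correlated is True when the boundary parameter ends with the two
    Message-Id hex groups joined by '.', ignoring case; this is the
    relationship the thread's backreference rules test with \\1 and \\2.
    """
    msg = message_from_string(raw)
    msgid = msg.get("Message-ID", "")
    boundary = msg.get_boundary() or ""
    m = MSGID_RE.search(msgid)
    if not m or not boundary:
        return (False, msgid, boundary)
    expected = f"{m.group(1)}.{m.group(2)}".lower()
    return (boundary.lower().endswith(expected), msgid, boundary)


# Constructed header sets (not real mail).
CORRELATED = """\
Message-ID: <001a01c9c7f1$7b3c9a20$c0a80164@desktop>
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0017_01C9C7F1.7B3C9A20"

"""

UNCORRELATED = """\
Message-ID: <001a01c9c7f1$7b3c9a20$c0a80164@desktop>
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0017_01C9C7F1.00000000"

"""

NO_BOUNDARY = """\
Message-ID: <001a01c9c7f1$7b3c9a20$c0a80164@desktop>
Content-Type: text/plain

"""

if __name__ == "__main__":
    for raw in (CORRELATED, UNCORRELATED, NO_BOUNDARY):
        ok, mid, bnd = id_boundary_correlate(raw)
        print(ok, mid, bnd)
```

Whether a correlated or an uncorrelated pair is the spam signal depends on the fingerprint a given rule encodes, which is exactly the rationale Ned asks about; what the function gives you is the boolean that rule would be scoring, so each of Karsten's three variants can be checked against a corpus before picking a score.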