Re: The www[variations]continue....

2009-07-20 Thread Benny Pedersen

On Sun, July 19, 2009 20:11, Mike Wallace wrote:
> It was Dan's rule, so I switched to your rule and it was caught.
> Sorry, first time posting on this list.

that's okay, no one is imho perfect here on this mailing list :)

i just saw that you have an error in your spf record

http://old.openspf.org/wizard.html?mydomain=optonline.net&submit=Go!

empty, called from

http://old.openspf.org/wizard.html?mydomain=mlrw.com&submit=Go!

don't add empty spf zones

2 ways to make it valid:

1: add ?all to the included domain
2: remove the include in your domain

sorry if this is already solved

-- 
xpoint



sa-update errors

2009-07-20 Thread MrGibbage

I get errors like this when I run sa-update from cron

/usr/local/bin/setlock -n /tmp/cronlock.4051759.53932 sh -c
$'/home/skipmorrow/bin/sa-update --gpgkey 6C6191E3 --channel
sought.rules.yerp.org'

gpg: WARNING: unsafe ownership on homedir
`/home/skipmorrow/etc/mail/spamassassin/sa-update-keys' 
gpg: failed to create temporary file
`/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/.#lk0x5d7320.ps11651.23686':
Permission denied
gpg: keyblock
resource`/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/secring.gpg':
general error
gpg: failed to create temporary file
`/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/.#lk0x5d7320.ps11651.23686':
Permission denied
gpg: keyblock resource
`/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/pubring.gpg': general
error
gpg: no writable keyring found: eof
gpg: error reading
`/home/skipmorrow/share/spamassassin/sa-update-pubkey.txt': general error
gpg: import from
`/home/skipmorrow/share/spamassassin/sa-update-pubkey.txt' failed: general
error

But when I run it from a login shell, it doesn't show those errors.  So I
wrote a script to verify that the cron job is running as the correct user by
putting in whoami, and indeed it is running as skipmorrow

skipmor...@ps11651:~$ ls etc/mail/spamassassin/sa-update-keys/ -la
total 28
drwx------ 2 skipmorrow pg652 4096 Jul 20 00:00 .
drwxr-xr-x 3 skipmorrow pg652 4096 Jul 17 13:29 ..
-rw------- 1 skipmorrow pg652 5123 Jul 17 14:29 pubring.gpg
-rw------- 1 skipmorrow pg652 4505 Jul 17 13:32 pubring.gpg~
-rw------- 1 skipmorrow pg652    0 Jul 17 13:29 secring.gpg
-rw------- 1 skipmorrow pg652 1200 Jul 17 13:29 trustdb.gpg
skipmor...@ps11651:~$ ls .gnupg/ -la
total 24
drwx------  2 skipmorrow pg652 4096 Jul 10 13:27 .
drwxr-x--x 30 skipmorrow pg652 4096 Jul 20 03:48 ..
-rw-------  1 skipmorrow pg652 4128 Jul 10 13:27 pubring.gpg
-rw-------  1 skipmorrow pg652 3039 Jul 10 13:27 pubring.gpg~
-rw-------  1 skipmorrow pg652    0 Jul 10 13:27 secring.gpg
-rw-------  1 skipmorrow pg652 1200 Jul 10 13:27 trustdb.gpg

should sa-update be looking for keys in ~/.gnupg?  Or is it working
correctly?  What environment variable does sa-learn and gnupg look for that
would be present in my login shell but not be present when running in a cron
environment?

-- 
View this message in context: 
http://www.nabble.com/sa-update-errors-tp24569115p24569115.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: sa-update errors

2009-07-20 Thread Matt Kettler
MrGibbage wrote:
> I get errors like this when I run sa-update from cron
>
> /usr/local/bin/setlock -n /tmp/cronlock.4051759.53932 sh -c
> $'/home/skipmorrow/bin/sa-update --gpgkey 6C6191E3 --channel
> sought.rules.yerp.org'
>
> gpg: WARNING: unsafe ownership on homedir
> `/home/skipmorrow/etc/mail/spamassassin/sa-update-keys'
> gpg: failed to create temporary file
> `/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/.#lk0x5d7320.ps11651.23686':
> Permission denied
> gpg: keyblock
> resource`/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/secring.gpg':
> general error
> gpg: failed to create temporary file
> `/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/.#lk0x5d7320.ps11651.23686':
> Permission denied
> gpg: keyblock resource
> `/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/pubring.gpg': general
> error
> gpg: no writable keyring found: eof
> gpg: error reading
> `/home/skipmorrow/share/spamassassin/sa-update-pubkey.txt': general error
> gpg: import from
> `/home/skipmorrow/share/spamassassin/sa-update-pubkey.txt' failed: general
> error
>
> But when I run it from a login shell, it doesn't show those errors.  So I
> wrote a script to verify that the cron job is running as the correct user by
> putting in whoami, and indeed it is running as skipmorrow
>
> skipmor...@ps11651:~$ ls etc/mail/spamassassin/sa-update-keys/ -la
> total 28
> drwx------ 2 skipmorrow pg652 4096 Jul 20 00:00 .
> drwxr-xr-x 3 skipmorrow pg652 4096 Jul 17 13:29 ..
> -rw------- 1 skipmorrow pg652 5123 Jul 17 14:29 pubring.gpg
> -rw------- 1 skipmorrow pg652 4505 Jul 17 13:32 pubring.gpg~
> -rw------- 1 skipmorrow pg652    0 Jul 17 13:29 secring.gpg
> -rw------- 1 skipmorrow pg652 1200 Jul 17 13:29 trustdb.gpg
> skipmor...@ps11651:~$ ls .gnupg/ -la
> total 24
> drwx------  2 skipmorrow pg652 4096 Jul 10 13:27 .
> drwxr-x--x 30 skipmorrow pg652 4096 Jul 20 03:48 ..
> -rw-------  1 skipmorrow pg652 4128 Jul 10 13:27 pubring.gpg
> -rw-------  1 skipmorrow pg652 3039 Jul 10 13:27 pubring.gpg~
> -rw-------  1 skipmorrow pg652    0 Jul 10 13:27 secring.gpg
> -rw-------  1 skipmorrow pg652 1200 Jul 10 13:27 trustdb.gpg
>
> should sa-update be looking for keys in ~/.gnupg?
No, it should not be looking in .gnupg. That would be the location for
keys you use. The keys used by sa-update are application specific, so
why would you want them on the keyring you use for email?

> Or is it working correctly?
Well, it's not working correctly, as you're having errors :)
> What environment variable does sa-learn and gnupg look for that
> would be present in my login shell but not be present when running in a cron
> environment?

I don't think it's missing an environment variable. Are you sure the
cronjob is running with an effective userid of skipmorrow?

This message:

gpg: failed to create temporary file
`/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/.#lk0x5d7320.ps11651.23686':
Permission denied


Strongly suggests you've got a permissions issue, where the cronjob is
running as a user that can't create files in
/home/skipmorrow/etc/mail/spamassassin/sa-update-keys/ . Since
skipmorrow has rwx, that suggests the cronjob is running as some other
userid (probably cron or some other system account).
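
Added example, not part of the original thread: one way to run the check described above from inside the cron job itself, by comparing the effective uid with the owner of the key directory, flagging group/other access, and probing whether a lock file can be created there. The helper name check_gpg_homedir and the throwaway demo directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: diagnose a gpg homedir from the environment the job runs in.
# check_gpg_homedir is a hypothetical helper, not part of sa-update or gpg.

check_gpg_homedir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 2
    fi
    euid=$(id -u)                      # effective uid of this process
    listing=$(ls -ldn "$dir")          # -n prints the numeric owner
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')

    # gpg reports "unsafe ownership on homedir" when these differ.
    if [ "$owner" != "$euid" ]; then
        echo "owner-mismatch"
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits;
    # gpg warns about unsafe permissions unless they are all unset.
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "unsafe-permissions"; return 1 ;;
    esac
    # gpg creates lock and temporary files here, so test exactly that.
    probe="$dir/.probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo "ok"
        return 0
    fi
    echo "not-writable"
    return 1
}

# Constructed demo on a throwaway directory (not the real key directory).
demo=$(mktemp -d)
chmod 700 "$demo" && check_gpg_homedir "$demo"
chmod 755 "$demo" && check_gpg_homedir "$demo" || true
rm -rf "$demo"
```

Calling the function from the script that cron runs, with its output appended to the job's log, shows the result under the job's real identity rather than the login shell's.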





Re: The www[variations]continue....

2009-07-20 Thread Mike Wallace

Benny,

Thanks for noticing my spf error. I used the wizard to fix it.

Mike




Re: sa-update errors

2009-07-20 Thread MrGibbage

Thanks, Matt.  I call my sa-update in a script from cron.  I don't think I
have a permissions problem, but I agree, that is what it looks like. 
Perhaps this will shed a little light.  

skipmor...@ps11651:~$ id
uid=15203(skipmorrow) gid=588771(pg652) groups=588771(pg652)

skipmor...@ps11651:~$ whoami
skipmorrow

skipmor...@ps11651:~$ crontab -l
###--- BEGIN DREAMHOST BLOCK
###--- Changes made to this part of the file WILL be destroyed!
# sa-update JM_SOUGHT
MAILTO=s...@pelorus.org
@hourly /usr/local/bin/setlock -n /tmp/cronlock.4061564.53932 sh -c
$'/home/skipmorrow/update_sa_rules.sh'
###--- You can make changes below the next line and they will be preserved!
###--- END DREAMHOST BLOCK

skipmor...@ps11651:~$ tail sa_update.log
Mon Jul 20 07:00:04 PDT 2009
Who Am I: skipmorrow
id: uid=15203(skipmorrow) gid=588771(pg652) groups=588771(pg652)

skipmor...@ps11651:~$ cat update_sa_rules.sh
#!/bin/bash
echo `date` >> /home/skipmorrow/sa_update.log
echo Who Am I: `whoami` >> /home/skipmorrow/sa_update.log
echo id: `id` >> /home/skipmorrow/sa_update.log
echo >> /home/skipmorrow/sa_update.log
/home/skipmorrow/bin/sa-update -D --gpgkey 6C6191E3 --channel sought.rules.yerp.org --gpghomedir /home/skipmorrow/etc/mail/spamassassin/sa-update-keys


I just recently added the gpghomedir, but that didn't make a difference at
all to the error messages, and I wouldn't have expected it to make a
difference, since sa-update is finding that directory on its own anyway.

I would be most appreciative of any other ideas that you may have.

Skip





how can I do the open-whois envelope check manually?

2009-07-20 Thread Tomasz Chmielewski

Spamassassin can do an envelope check against open-whois.org.


How can I do such check manually (i.e. from command line, with host 
command)?



--
Tomasz Chmielewski
http://wpkg.org


Re: how can I do the open-whois envelope check manually?

2009-07-20 Thread Karsten Bräckelmann
On Mon, 2009-07-20 at 21:30 +0200, Tomasz Chmielewski wrote:
> Spamassassin can do an envelope check against open-whois.org.
>
> How can I do such check manually (i.e. from command line, with host
> command)?

No need to debug any issues with open-whois.org lookups, no value
either. Do run sa-update instead.

open-whois.org has been cybersquatted. Bug 6157, FIXED [1].

  guenther


[1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: how can I do the open-whois envelope check manually?

2009-07-20 Thread Tomasz Chmielewski

Karsten Bräckelmann wrote:

> On Mon, 2009-07-20 at 21:30 +0200, Tomasz Chmielewski wrote:
> > Spamassassin can do an envelope check against open-whois.org.
> >
> > How can I do such check manually (i.e. from command line, with host
> > command)?
>
> No need to debug any issues with open-whois.org lookups, no value
> either. Do run sa-update instead.
>
> open-whois.org has been cybersquatted. Bug 6157, FIXED [1].
>
>   guenther
>
> [1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157


Didn't know this, thanks for the info.

Anyway, I guess lots of people will not update their spamassassin 
installations.


Is there a way to check the envelope sender against open-whois.org (even 
if it's cybersquatted)?



--
Tomasz Chmielewski
http://wpkg.org



Re: how can I do the open-whois envelope check manually?

2009-07-20 Thread Karsten Bräckelmann
On Mon, 2009-07-20 at 21:51 +0200, Tomasz Chmielewski wrote:
> Karsten Bräckelmann wrote:

> > No need to debug any issues with open-whois.org lookups, no value
> > either. Do run sa-update instead.
> >
> > open-whois.org has been cybersquatted. Bug 6157, FIXED [1].

> > [1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157
>
> Didn't know this, thanks for the info.
>
> Anyway, I guess lots of people will not update their spamassassin
> installations.

Then they are likely to get FPs on the open-whois rules, in case the
squatter acts maliciously. In the best case, just timeouts.

> Is there a way to check the envelope sender against open-whois.org (even
> if it's cybersquatted)?

The first step to gather that information is to check the BL's website.
Generally, they do provide such details. You did not try that.

The site vanished. The entire domain is no longer controlled by the
previous BL operators. That includes DNS. You can NOT trust the result.
Seriously, please read up on the term cybersquatting.


Anyway, as with all urirhssub rules, you'd do a manual lookup like this:

$ host -t A spamassassin.org.bl.open-whois.org
spamassassin.org.bl.open-whois.org has address 127.0.0.2

According to that, spamassassin.org is registered to 1&1 Private
Registration, WHOIS_1AND1PR hit.


And for some more fun...

$ host -t A apache.org.bl.open-whois.org
apache.org.bl.open-whois.org has address 216.8.179.24
$ host -t A open-whois.org
open-whois.org has address 216.8.179.24


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
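
Added example, not part of the original thread: a check over `host` output that makes the point of the lookups above mechanical. DNSBL answers conventionally sit in 127.0.0.0/8, so a reply that equals the zone's own A record means the zone is wildcarded and none of its answers can be trusted. The function names are hypothetical; the sample lines are the three lookups quoted in the message.

```sh
#!/bin/sh
# Added example: decide whether answers from a DNSBL zone are believable.
# audit_host_output and sample_host_output are hypothetical helper names.

# Reads `host -t A` output on stdin; $1 is the bare zone name.
audit_host_output() {
    awk -v zone="$1" '
        $2 == "has" && $3 == "address" {
            if ($1 == zone) { apex = $4; next }   # A record of the zone itself
            n++; name[n] = $1; addr[n] = $4
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (addr[i] ~ /^127\./)   verdict = "listed"    # normal DNSBL reply
                else if (addr[i] == apex) verdict = "wildcard"  # same host as the site
                else                      verdict = "invalid"
                if (verdict != "listed") bad = 1
                print name[i], addr[i], verdict
            }
            # One non-127 answer is enough to distrust every reply from the zone.
            print (bad ? "zone-untrusted" : "zone-plausible")
        }'
}

# Sample input: the three lookups shown in the message above.
sample_host_output() {
    cat <<'EOF'
spamassassin.org.bl.open-whois.org has address 127.0.0.2
apache.org.bl.open-whois.org has address 216.8.179.24
open-whois.org has address 216.8.179.24
EOF
}

sample_host_output | audit_host_output open-whois.org
```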



RCVD_IN_VIRBL

2009-07-20 Thread Chris
Just noticed this in a fake bounce I received this morning that
contained Worm.Mydoom.M. Has this RBL been around for awhile or is it
something new? I see the site has a rule for SA:

header   RCVD_IN_VIRBL   eval:check_rbl_txt('virbl', 'virbl.dnsbl.bit.nl')
describe RCVD_IN_VIRBL   Listed in virbl.dnsbl.bit.nl
tflags   RCVD_IN_VIRBL   net
score    RCVD_IN_VIRBL   0 3.0 0 3.0

Chris

-- 
KeyID 0xE372A7DA98E6705C



signature.asc
Description: This is a digitally signed message part


Re: Return Path Safe whitelist UPDATE [was: Opt In Spam]

2009-07-20 Thread J.D. Falk

Robert wrote:


> the thing is, the SA community and the world at large should not be your
> free customer compliance labor force.


Of course not!  The SA community isn't part of the formal compliance process
at all; there are automated processes running 24x7, and a human enforcement
team investigating both alerts from our systems and complaints from outside.
We like SpamAssassin, and we know that many of the participants on this
list are good at recognizing spammy behavior, so when someone complains here
we always take it seriously.


If you don't want to tell our compliance team that you've seen a problem, 
that's fine.  Keep it to yourself.  Adjust your scoring as you feel is 
appropriate.  But when you complain out loud -- here, or elsewhere in public 
-- we're likely to ask why, because it's important to us to keep the list 
clean and the list's users satisfied.


There's nothing disingenuous going on here.

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/


Re: RCVD_IN_VIRBL

2009-07-20 Thread Karsten Bräckelmann
On Mon, 2009-07-20 at 17:51 -0500, Chris wrote:
> Just noticed this in a fake bounce I received this morning that
> contained Worm.Mydoom.M. Has this RBL been around for awhile or is it
> something new?

This might be a dumb question, but -- why didn't you bother to ask google?

Google "virbl", first hit, click. First paragraph reads "Virbl is a
project of which the idea was born during the RIPE-48 meeting" with a
link, giving the answer...

A: Not before May 2004. If that translates to being around for a while
is up to you.


Or did you actually mean to ask for experiences and opinions? ;)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: RCVD_IN_VIRBL

2009-07-20 Thread Chris
On Tue, 2009-07-21 at 03:25 +0200, Karsten Bräckelmann wrote:
> On Mon, 2009-07-20 at 17:51 -0500, Chris wrote:
> > Just noticed this in a fake bounce I received this morning that
> > contained Worm.Mydoom.M. Has this RBL been around for awhile or is it
> > something new?
>
> This might be a dumb question, but -- why didn't you bother to ask google?
>
> Google "virbl", first hit, click. First paragraph reads "Virbl is a
> project of which the idea was born during the RIPE-48 meeting" with a
> link, giving the answer...
>
> A: Not before May 2004. If that translates to being around for a while
> is up to you.
>
> Or did you actually mean to ask for experiences and opinions? ;)

I went to the site shortly after I saw it in the messages markup.
I was curious whether it was a new addition since I'd not seen it prior
to today.

-- 
KeyID 0xE372A7DA98E6705C


