Re: Subject starts Re: but no References/In-Reply-To
Mike Cardwell wrote:
> How would I create a rule to match when a subject line begins /^Re: /i but the message contains no References or In-Reply-To headers?

Hi Mike,

I am doing that once in a while. I read list mails at the office, but I have to reply through my home address, and it is just the easiest way to open an ssh connection and use copy/paste and plain mail to actually send the message. Of course there would be Re: matching the original question, but no related headers.

Wolfgang
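The check asked about in this thread, written out as an added Python example (not part of the original posts and not SpamAssassin's own code). The sample messages are constructed, and the function name is hypothetical; the second sample mimics the hand-typed reply described above, which matches the check just as a forged reply does.

```python
import email
from email.errors import HeaderParseError
from email.header import decode_header, make_header

def looks_like_orphan_reply(raw: str) -> bool:
    """True when Subject begins with 'Re: ' (case-insensitive) and the message
    has no References or In-Reply-To header with any content."""
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    try:
        # Decode RFC 2047 encoded-words so an encoded "Re: " is not missed.
        subject = str(make_header(decode_header(subject)))
    except (HeaderParseError, LookupError, UnicodeError):
        pass  # undecodable subject: fall back to testing the raw text
    if not subject.lower().startswith("re: "):
        return False
    # A header that is present but blank does not thread the message.
    threaded = any((msg.get(h) or "").strip()
                   for h in ("References", "In-Reply-To"))
    return not threaded

# Constructed sample messages (not taken from the list archive).
NO_THREAD_HEADERS = "From: a@example.com\nSubject: RE: your order\n\nbody\n"
HAND_TYPED_REPLY = ("From: w@example.org\n"
                    "Subject: Re: Subject starts Re: but no References\n\n"
                    "Hi Mike, ...\n")
THREADED_REPLY = ("From: b@example.org\nSubject: Re: sa-update\n"
                  "In-Reply-To: <msgid-1@example.org>\n\nbody\n")
ENCODED_BLANK_REFS = ("From: c@example.net\nReferences:\n"
                      "Subject: =?utf-8?Q?Re:_hello?=\n\nbody\n")
NOT_A_REPLY = "From: d@example.net\nSubject: Regarding your order\n\nbody\n"

if __name__ == "__main__":
    for name in ("NO_THREAD_HEADERS", "HAND_TYPED_REPLY", "THREADED_REPLY",
                 "ENCODED_BLANK_REFS", "NOT_A_REPLY"):
        print(name, looks_like_orphan_reply(globals()[name]))
```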
sa-update.com expired ?
Hello list,

I just configured sa-update on a server with some sare rule sets. And it couldn't download some sets because the MIRRORED.BY file has an entry with sa-update.com. In this case it was the 70_zmi_german rule set and the MIRRORED.BY file has the following content:

http://daryl.dostech.ca/sa-update/zmi/70_zmi_german.cf/
http://updates.sa-update.com/zmi/70_zmi_german.cf/

sa-update tried the latter but there is nothing, because the domain seems to be expired. Is this temporary or are there plans to fix that?

Greetings
Stefan
Re: sa-update.com expired ?
Stefan wrote:
> Hello list,
>
> I just configured sa-update on a server with some sare rule sets. And it couldn't download some sets because the MIRRORED.BY file has an entry with sa-update.com. In this case it was the 70_zmi_german rule set and the MIRRORED.BY file has the following content:
>
> http://daryl.dostech.ca/sa-update/zmi/70_zmi_german.cf/
> http://updates.sa-update.com/zmi/70_zmi_german.cf/
>
> sa-update tried the latter but there is nothing, because the domain seems to be expired. Is this temporary or are there plans to fix that?

Hmm, Interesting. Looks like it expired on August 8th.

Perhaps Daryl can answer this (AFAIK, he's the owner of the sa-update.com domain. It is not owned by the ASF or the SpamAssassin team.)
RE: DKIM-Reputation list
-----Original Message-----
From: R-Elists [mailto:list...@abbacomm.net]
Sent: Saturday, August 15, 2009 8:06 PM
To: users@spamassassin.apache.org
Subject: RE: DKIM-Reputation list

> is this DKIM-Reputation setup for any *general* current spamassassin deployment or does it only work with certain MTA setups ???
>
> i am asking because i believe what i saw was that Amavis was mentioned, and nothing else.
>
> TIA

Hi TIA (Transient Ischemic Event?),

AFAIK, Amavis is not involved: the Mail::SpamAssassin::Plugin::DKIMrep only uses DKIM signatures passed by Mail::SpamAssassin::Plugin::DKIM, which in turn uses Mail::DKIM to validate them. I believe Amavis does have independent DKIM code, which I would exclude is somehow involved in the process.

Note, for example, that I'm testing DKIMrep by directly invoking SA on test messages and it seems to work to me. No scent of amavis around, then...

Giampaolo

> - rh
RE: Barracuda RBL in first place
Hello All,

Considering all of the interesting information that's been going around regarding Barracuda, and its RBLs, I probably wouldn't use it. Not any time soon. But that's based purely on reputation, and has nothing to do with hit ratio.

Our Spam gateway seems to do just fine without it. We query 3 RBLs, which get rid of a great deal of Spam:

bl.spamcop.net
zen.spamhaus.org
cbl.abuseat.org

Everything else (Spam) gets stopped by HELO rejections, Virus Scanning, Recipient Rejection and Spamassassin Scanning.

Mail Stats since 4th June:

Total Messages Processed: 5281347
RBL Rejected: 60.6 %
HELO Rejected: 27.4 %
Invalid Recipient Rejection: 2.8 %
Viruses (detected by ClamAV, Kaspersky), and other Spam detected by Spamassassin: 1.1 %
Clean Messages: 8.1 %

What really makes a difference is the HELO rejections - we never did this before 4th June, and the amount of Spam that is delivered has dropped so significantly since then is... quite remarkable. (at a loss for other words).

So perhaps instead of adding another RBL, maybe some admins need to consider adding in some HELO checking / rejection.

Thanks and Cheers,
Michael Hutchinson
received-header: unparseable:
I keep seeing this when running some messages through spamassassin -D -t. Is this having an effect on whether or not short circuit works?

received-header: unparseable: from spam01.embarq.synacor.com (LHLO smtpout01.embarq.synacor.com) (10.50.1.1) by md29.embarq.synacor.com with LMTP;

Should this be in my trusted_networks in local.cf:

10.50.1/24

--
KeyID 0xE372A7DA98E6705C
RE: Barracuda RBL in first place
Quoting Michael Hutchinson mhutchin...@manux.co.nz:

> Hello All,
>
> Considering all of the interesting information that's been going around regarding Barracuda, and its RBLs, I probably wouldn't use it. Not any time soon. But that's based purely on reputation, and has nothing to do with hit ratio.
>
> Our Spam gateway seems to do just fine without it. We query 3 RBLs, which get rid of a great deal of Spam:
>
> bl.spamcop.net
> zen.spamhaus.org
> cbl.abuseat.org

You can remove cbl.abuseat.org as it is incorporated into zen.spamhaus.org.

> Everything else (Spam) gets stopped by HELO rejections, Virus Scanning, Recipient Rejection and Spamassassin Scanning.
>
> Mail Stats since 4th June:
>
> Total Messages Processed: 5281347
> RBL Rejected: 60.6 %
> HELO Rejected: 27.4 %
> Invalid Recipient Rejection: 2.8 %
> Viruses (detected by ClamAV, Kaspersky), and other Spam detected by Spamassassin: 1.1 %
> Clean Messages: 8.1 %
>
> What really makes a difference is the HELO rejections - we never did this before 4th June, and the amount of Spam that is delivered has dropped so significantly since then is... quite remarkable. (at a loss for other words).
>
> So perhaps instead of adding another RBL, maybe some admins need to consider adding in some HELO checking / rejection.
RE: received-header: unparseable:
-----Original Message-----
From: Chris [mailto:cpoll...@embarqmail.com]
Sent: Monday, 17 August 2009 10:45 a.m.
To: users@spamassassin.apache.org
Subject: received-header: unparseable:

> I keep seeing this when running some messages through spamassassin -D -t. Is this having an effect on whether or not short circuit works?
>
> received-header: unparseable: from spam01.embarq.synacor.com (LHLO smtpout01.embarq.synacor.com) (10.50.1.1) by md29.embarq.synacor.com with LMTP;

Is LHLO a valid SMTP command? Perhaps this is causing the unparseable header problem..

> Should this be in my trusted_networks in local.cf:
>
> 10.50.1/24
>
> --
> KeyID 0xE372A7DA98E6705C
Re: Barracuda RBL in first place
Hi,

> So perhaps instead of adding another RBL, maybe some admins need to consider adding in some HELO checking / rejection.

Can you explain a bit more here? What are you checking for, that the host is valid?

Thanks,
Alex
Re: received-header: unparseable:
Chris wrote:
> I keep seeing this when running some messages through spamassassin -D -t. Is this having an effect on whether or not short circuit works?
>
> received-header: unparseable: from spam01.embarq.synacor.com (LHLO smtpout01.embarq.synacor.com) (10.50.1.1) by md29.embarq.synacor.com with LMTP;

the format is not recognized. not really an issue since this is a local relay line.

What software generates this line? can you show the full header?

> Should this be in my trusted_networks in local.cf:

no. this won't change anything. if SA says the line is not parsable, then the IP in the line isn't parsed.

> 10.50.1/24
Re: received-header: unparseable:
On Mon, 2009-08-17 at 01:22 +0200, mouss wrote:
> Chris wrote:
>> I keep seeing this when running some messages through spamassassin -D -t. Is this having an effect on whether or not short circuit works?
>>
>> received-header: unparseable: from spam01.embarq.synacor.com (LHLO smtpout01.embarq.synacor.com) (10.50.1.1) by md29.embarq.synacor.com with LMTP;
>
> the format is not recognized. not really an issue since this is a local relay line.
>
> What software generates this line? can you show the full header?
>
>> Should this be in my trusted_networks in local.cf:
>
> no. this won't change anything. if SA says the line is not parsable, then the IP in the line isn't parsed.
>
>> 10.50.1/24

I couldn't find the exact post but all in my inbox contain the similar line. Here are all headers minus the SA markup:

Received: from pop.embarqmail.com [208.47.184.129] by localhost.localdomain with POP3 (fetchmail-6.3.9) for cpoll...@localhost (single-drop); Sun, 16 Aug 2009 18:21:00 -0500 (CDT)
Received: from spam05.embarq.synacor.com (LHLO smtpout01.embarq.synacor.com) (10.50.1.5) by md29.embarq.synacor.com with LMTP; Sun, 16 Aug 2009 19:19:56 -0400 (EDT)
Return-path: owner-textbreakingn...@ema3lsv06.turner.com
X-binding: md29.embarq.synacor.com
X-cmae-whitelist: YES
X_cmae_category: 0,0 Undefined,Undefined
X-cnfs-analysis: v=1.0 c=1 a=HgbDHJuK:8 a=PNnWT_N-lLNevInYF7IA:9 a=TWuli8_fnVi7Vfb2VDcA:7 a=ctBsUv0MhcFH_AVhxCwKj_KngRoA:4 a=B9WObwvXIC4A:10 awl=host:1027
X-cm-score: 0
X-scanned-By: Cloudmark Authority Engine
Authentication-results: spam05.embarq.synacor.com smtp.mail=owner-textbreakingn...@ema3lsv06.turner.com; spf=pass
Received-spf: pass (spam05.embarq.synacor.com: domain EMA3LSV06.TURNER.COM designates 157.166.236.51 as permitted sender)
Received: from [157.166.236.51] ([157.166.236.51:32777] helo=p17.web2.mail.cnn.com) by smtp.embarq.synacor.com (envelope-from owner-textbreakingn...@ema3lsv06.turner.com) (ecelerity 2.2.2.36 r(27513/27514)) with ESMTP id 0C/32-02964-C14988A4; Sun, 16 Aug 2009 19:19:56 -0400
Date: Sun, 16 Aug 2009 19:19:56 -0400 (18:19 CDT)
Received: from ema3lsv06 (157.166.236.30) by p17.web2.mail.cnn.com (PowerMTA(TM) v3.5r6) id hh2a1s0j3k4l; Sun, 16 Aug 2009 19:10:29 -0400 (envelope-from owner-textbreakingn...@ema3lsv06.turner.com)
X-Job: 20090816191016.textbreakingnews.18417
Message-id: 20090816191016.textbreakingn...@mail.cnn.com
From: CNN Breaking News breakingn...@mail.cnn.com
To: textbreakingn...@ema3lsv06.turner.com
Subject: CNN Breaking News
X-senderip: 157.166.236.51
X-asn: ASN-5662
X-cidr: 157.166.224.0/20

Chris

--
KeyID 0xE372A7DA98E6705C
OT: RE: Barracuda RBL in first place
-----Original Message-----
From: MySQL Student [mailto:mysqlstud...@gmail.com]
Sent: Monday, 17 August 2009 10:56 a.m.
To: SpamAssassin Users List
Subject: Re: Barracuda RBL in first place

> Hi,
>
>> So perhaps instead of adding another RBL, maybe some admins need to consider adding in some HELO checking / rejection.
>
> Can you explain a bit more here? What are you checking for, that the host is valid?
>
> Thanks,
> Alex

Sure.

Firstly, the server requires that a HELO command is sent to start the SMTP session. Without that, the connection will be dropped - this in itself drops quite a bit of Spam.

Secondly, the argument to the HELO command is checked as to whether it is in Fully Qualified Domain form - if not, the connection is dropped. Our clients are all set up for this to work properly.

That's it. We have an additional option: Require resolvable hostnames for HELO arguments, but do not use that.

We have made 6 exceptions for hosts that do not pass the HELO argument properly, that are out of our control, but known to our network (ie: trusted via VPN, etc). They haven't relayed any Spam either ;)

Cheers,
Michael Hutchinson
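The two HELO checks and the exception list described in this message, sketched as an added Python example (not the poster's gateway configuration, which the thread does not show). Function names, the verdict strings, treating EHLO like HELO, and rejecting address literals as "not FQDN form" are assumptions; the check is syntactic only, matching the stated choice not to require resolvable names.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_fqdn_form(name: str) -> bool:
    """Syntax check only, no DNS lookup: at least two labels and a
    non-numeric last label, so bare hostnames and dotted quads fail."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        return False
    return not labels[-1].isdigit()

def helo_verdict(commands, client_ip, exempt_ips=frozenset()):
    """Decide one SMTP session from the command lines the client sent.
    exempt_ips (assumed shape) lists known hosts whose HELO argument
    is not checked; they must still send a greeting."""
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if client_ip in exempt_ips or is_fqdn_form(arg.strip()):
                return "accept"
            return "reject: HELO argument not in FQDN form"
        if verb in ("MAIL", "RCPT", "DATA"):
            break  # mail transaction started without any greeting
    return "reject: no HELO"

# Constructed sessions (documentation-range addresses, not real traffic).
if __name__ == "__main__":
    vpn_hosts = frozenset({"203.0.113.9"})
    print(helo_verdict(["EHLO mail.example.org", "MAIL FROM:<a@example.org>"],
                       "198.51.100.7"))
    print(helo_verdict(["HELO localhost"], "198.51.100.8"))
    print(helo_verdict(["MAIL FROM:<x@example.com>"], "198.51.100.9"))
    print(helo_verdict(["HELO winbox"], "203.0.113.9", vpn_hosts))
```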
weird from format
i was checking a server the other day and i noticed a bunch of these in the logs

from='=?utf-8?Q?Joe=20Blow?=

the Joe Blow part is what shows in the email as if it was a real name

i changed it so it was more example-ish

how should this be dealt with in a rule ?

i would take that rule and put it in a meta combination

thanks in advance

- rh
Re: weird from format
On Sun, 16 Aug 2009, R-Elists wrote:

> i was checking a server the other day and i noticed a bunch of these in the logs
>
> from='=?utf-8?Q?Joe=20Blow?=
>
> how should this be dealt with in a rule ?
>
> i would take that rule and put it in a meta combination

That's a perfectly valid way to encode text that contains non-ASCII characters.

Does it appear in mails that you know are spam, and that did not score very high from other rules?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves is simple. They *must*. -- Charles Murray
---
8 days until the 1930th anniversary of the destruction of Pompeii
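What the logged value in this thread decodes to, as an added Python example (not from the original posts): it decodes an RFC 2047 encoded display name and reports whether the decoded text contains any non-ASCII character. The function name and result keys are hypothetical, and the second and third inputs are constructed for comparison.

```python
from email.header import decode_header

def describe_display_name(raw_name: str) -> dict:
    """Decode an RFC 2047 display name and report whether it was sent as an
    encoded-word and whether the decoded text contains non-ASCII characters."""
    parts = decode_header(raw_name)
    # decode_header yields (chunk, charset); charset is None for plain text.
    was_encoded = any(charset is not None for _, charset in parts)
    text = ""
    for chunk, charset in parts:
        if isinstance(chunk, bytes):
            try:
                text += chunk.decode(charset or "ascii", errors="replace")
            except LookupError:
                # Unknown charset label: keep the bytes visible rather than fail.
                text += chunk.decode("latin-1")
        else:
            text += chunk
    return {
        "decoded": text,
        "was_encoded": was_encoded,
        "has_non_ascii": not text.isascii(),
    }

# The value quoted in the thread, plus two constructed comparisons.
FROM_THREAD = "=?utf-8?Q?Joe=20Blow?="
CONSTRUCTED_NON_ASCII = "=?iso-8859-1?Q?J=F6rg?="
CONSTRUCTED_PLAIN = "Joe Blow"

if __name__ == "__main__":
    for value in (FROM_THREAD, CONSTRUCTED_NON_ASCII, CONSTRUCTED_PLAIN):
        print(value, "->", describe_display_name(value))
```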
RE: weird from format
>> from='=?utf-8?Q?Joe=20Blow?=
>>
>> how should this be dealt with in a rule ?
>>
>> i would take that rule and put it in a meta combination
>
> That's a perfectly valid way to encode text that contains non-ASCII characters.
>
> Does it appear in mails that you know are spam, and that did not score very high from other rules?
>
> --
> John Hardin KA7OHZ

John

here are 4 ones that are scoring like this (note: i removed a special 2.0 hit on a coupla them that gives away private info)

also note, some get rejected as spam and some make it through below rejection levels

-0.4 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE [208.66.204.133 listed in hostkarma.junkemailfilter.com]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.1 SPF_PASS SPF: sender matches SPF record
0.1 PHISH_05 BODY: Phishing for account information
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% [score: 0.5000]

-0.4 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE [208.66.204.133 listed in hostkarma.junkemailfilter.com]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.1 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99% [score: 0.9849]
1.5 SAGREY Adds 1.0 to spam from first-time senders
1.6 CKJ_META1 CKJ_META1

-0.4 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE [208.66.204.135 listed in hostkarma.junkemailfilter.com]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.1 SPF_PASS SPF: sender matches SPF record
2.6 EXCUSE_24 BODY: Claims you wanted this ad
-0.2 BAYES_40 BODY: Bayesian spam probability is 20 to 40% [score: 0.2602]
0.0 HTML_MESSAGE BODY: HTML included in message
0.6 SARE_UNI RAW: SARE_UNI
1.7 FF_IHOPE_YOU_SINK FULL: Triple Floats, common viagra signs.
1.5 SAGREY Adds 1.0 to spam from first-time senders

-0.4 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE [208.66.204.132 listed in hostkarma.junkemailfilter.com]
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 0.9961]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.1 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
1.5 SAGREY Adds 1.0 to spam from first-time senders
1.6 CKJ_META1 CKJ_META1

thanks

- rh