Re: bayes learning '0 messages found'
John Hardin wrote:

On Sat, 13 Feb 2010, smfabac wrote:

Is there a message size limit for sa-learn?

Yes, there is, and sadly sa-learn does not explicitly tell you a message has been skipped because it's too large. If there's a non-text attachment try deleting it and re-learning the message.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
--- End users want eye candy and the ooo's and hhh's experience when reading mail. To them email isn't a tool, but an entertainment form. -- Steve Lake
--- 9 days until George Washington's 278th Birthday

Ok. It's a size problem: I edited the notspam message and deleted 1000 lines from line 3000 to 4000, saved the file and then reprocessed notspam. I continued getting 0 messages examined until I had deleted 3000 lines of the message:

Message size as received:

    $ wc -l notspam
    6408 notspam

-- sa-learn --ham failed on notspam folder with one message of 6000+ lines

After deleting 3003 lines:

    $ wc -l notspam
    3405 notspam
    $ vi notspam
       1 ^A^A^A^A
       2 From smf Thu Feb 11 01:30:02 2010
       3 From: Boyd Lynn Gerber gerb...@zenez.com
       4 To: distribut...@registry.ca
       5 Subject: Quarterly ASCII posting of SCO UnixWare 7/OpenUNIX 8/OpenServer6 FAQ
       6 Date: Thu, 11 Feb 2010 00:05:18 -0700 (MST)
       7 Message-Id: ou8faqqt_1265871...@news.xmission.com

    3395
    3396 filepriv -f setuid programfile.exe
    3397
    3398 --
    3399 Boyd Gerber gerb...@zenez.com 801 849-0213
    3400 ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
    3401
    3402
    3403 =_4B73B21B.8398EDEC--
    3404
    3405 ^A^A^A^A
    $ sa-learn --showdots --ham --mbox notspam
    .
    Learned tokens from 1 message(s) (1 message(s) examined)
    $
    $ wc notspam
    lines: 3405 words: 18735 characters: 130876 notspam

So, does the documentation on sa-learn indicate that there is a size limit on the message to be processed?
-- View this message in context: http://old.nabble.com/bayes-learning-%270-messages-found%27-tp27358517p27590620.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: MTAMark Re: MTX plugin functionally complete?
dar...@chaosreigns.com wrote: I have to say keep in mind that MTAMark does not tie the spam to a domain, and MTX does, which makes it easier to track down the spammer, and blacklist by domain instead of IP. I'm not quite sure what that means: how does MTX tie spam to a domain? Regardless, your proposal and MTAmark clearly have a lot in common, to me it seems to make a lot of sense to work with the two guys who wrote that RFC. Purpose - leverage their work, perhaps merge your two proposals, and most importantly: find out why MTAmark never really took off. /Per Jessen, Zürich
Re: RES: SA 3.3 w/MailScanner
Noel Butler wrote on Mon, 15 Feb 2010 07:33:38 +1000: Replacing the old /var/lib setting (which has worked for best part of a decade) with /var/lib/spamassassin resolved this (and it seems other) issues. Well, compare default settings on http://mailscanner.info/MailScanner.conf.index.html#SpamAssassin Local State Dir and it's been this way for at least six years. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
dar...@chaosreigns.com wrote: On 02/14, dar...@chaosreigns.com wrote: Now should I use _mtx, or MTAMark style _smtp._srv? DNS records containing underscores are apparently a pain. In my Bind config I had to add check-names ignore;. My secondary DNS provider is responding with REFUSED (I asked them to fix it). Change provider. There is absolutely nothing wrong with having an underscore in DNS records. They're used for several things - _sip and _domainkey for instance. Also see RFC2181. /Per Jessen, Zürich
Re: sa-update channel problem
On Mon, Feb 15, 2010 at 07:46, mbeis mb...@xs4all.nl wrote:

John Hardin wrote:

On Sun, 14 Feb 2010, mbeis wrote:

    Feb 14 22:12:46.522 [11706] dbg: dns: query failed: 0.3.3.updates.spamassassin.org = NOERROR
    Feb 14 22:12:46.525 [11706] dbg: dns: query failed: mirrors.updates.spamassassin.org = NOERROR
    channel: no 'mirrors.updates.spamassassin.org' record found, channel failed
    Feb 14 22:12:46.525 [11706] dbg: diag: updates complete, exiting with code 4

I've no idea where to look to solve this. Does anyone here have an idea what causes this?

Silly, basic question: does DNS work from that host? What does dig +short -t TXT 0.3.3.updates.spamassassin.org return?

I have this computer running like this for 6 years now, and I've never had a problem like this before. When I enter the command it returns nothing, doesn't seem ok to me?

The most likely scenario is that your /etc/resolv.conf file specifies an incorrect value for the first nameserver. Ensure the first IP listed in that file is a working recursive NS.

If you don't have working DNS at the site, maybe download the rules tarball from the download site and use sa-update --install.

-- --j.
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
On 02/13, Matus UHLAR - fantomas wrote: So the only effect of MTX should be confirmation that a machine may send mail? On 13.02.10 14:40, dar...@chaosreigns.com wrote: Yes. In such case you should not compare MTX with SPF and or DKIM, instead you should clearly state that MTX is designed to do something very different than SPF and DKIM are trying to do. They both were designed to prevent address forging, which is different and often worse problem than spam itself. You can compare MTX to mtamark and CSA but just please don't say it's better than SPF/DKIM. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: _mtx MTX plugin functionally complete?
dar...@chaosreigns.com wrote on Sun, 14 Feb 2010 20:06:56 -0500: Please let me know if there is some evidence I'm missing that it's reasonable to use an underscore in this context. Underscores are explicitly forbidden in internet hostnames. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
Re: bayes learning '0 messages found'
Smfabac wrote on Mon, 15 Feb 2010 00:20:06 -0800 (PST): So, does the documentation on sa-learn indicate that there is a size limit on the message to be processed? Why not check yourself? Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
Re: sa-update channel problem
On Sun, 2010-02-14 at 23:46 -0800, mbeis wrote:

John Hardin wrote:

On Sun, 14 Feb 2010, mbeis wrote:

    Feb 14 22:12:46.522 [11706] dbg: dns: query failed: 0.3.3.updates.spamassassin.org = NOERROR
    Feb 14 22:12:46.525 [11706] dbg: dns: query failed: mirrors.updates.spamassassin.org = NOERROR
    channel: no 'mirrors.updates.spamassassin.org' record found, channel failed
    Feb 14 22:12:46.525 [11706] dbg: diag: updates complete, exiting with code 4

I've no idea where to look to solve this. Does anyone here have an idea what causes this?

Silly, basic question: does DNS work from that host? What does dig +short -t TXT 0.3.3.updates.spamassassin.org return?

I have this computer running like this for 6 years now, and I've never had a problem like this before. When I enter the command it returns nothing, doesn't seem ok to me?

From here traceroute spamassassin.org works but ping reports 'unknown host' and traceroute reports 'Name or service not known' for updates.spamassassin.org and 0.3.3.updates.spamassassin.org

This looks like a network problem inside spamassassin.org to me.

To the OP: what results did you get with ping or traceroute?

Martin
Re: _mtx Re: MTX plugin functionally complete?
On 2010-02-15 02:06, dar...@chaosreigns.com wrote:

Thank you for contacting us. An underscore is only legal for specific types of DNS records, such as 'SRV'. 'A' records should only contain letters, numbers and dashes. You may want to consider using '-' as a substitute. I hope this helps. Please don't hesitate to contact us should you have any further questions or concerns.

I'm finding *nothing* else that uses underscores in the names of A records. I'm thinking I should stick with mtx instead of _mtx. Please let me know if there is some evidence I'm missing that it's reasonable to use an underscore in this context.

The point of using an underscore in special records is that the host is *not* a normal hostname.

DKIM (including ADSP) uses _domainkey.domain.example:
http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.7.4
http://www.rfc-editor.org/rfc/rfc5617.txt

According to the DKIM and OpenSPF folks (and, less important, Wikipedia), underscore is forbidden in hostnames only:
http://domainkeys.sourceforge.net/underscore.html
http://www.openspf.org/DNS/Underscore
http://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names

I could use TXT records. I kind of like the A records. Well established for DNS BLs and WLs and all.

TXT records might be, principally, the correct way to do this, but A records are more efficient and some caching only DNS proxies might be set up to cache A record lookups (negative and positive) better than TXT records. If there is to be a policy record, maybe that should be a TXT record, but I too like the A record for the actual MTX lookup.

Regards /Jonas
-- Jonas Eckerman Fruktträdet Förbundet Sveriges Dövblinda http://www.fsdb.org/ http://www.frukt.org/ http://whatever.frukt.org/
Re: MTX plugin created (Re: Spam filtering similar to SPF, less breakage)
On Sat, Feb 13, 2010 at 11:01, Per Jessen p...@computer.org wrote: Justin Mason wrote: On Thu, Feb 11, 2010 at 03:00, dar...@chaosreigns.com wrote: http://www.chaosreigns.com/mtx/ It might be useful to compare with MTA MARK and see what the status of that proposal currently is: http://tools.ietf.org/draft/draft-stumpf-dns-mtamark/ http://tools.ietf.org/draft/draft-stumpf-dns-mtamark/draft-stumpf-dns-mtamark-04.txt Amazing. Justin, you must have known about that one - you can't possibly have just googled it? I could vaguely recall it, then someone else reminded me of the exact name. There have been a lot of MARID proposals in the past... --j. -- --j.
Re: MTAmark (was: MTX plugin functionally complete?)
Per Jessen wrote: Jonas Eckerman wrote: (And of course, if this catches on, you'll have to provide RFC style documentation.) See Justins posting from two days back: http://tools.ietf.org/draft/draft-stumpf-dns-mtamark/ http://tools.ietf.org/draft/draft-stumpf-dns-mtamark/draft-stumpf-dns-mtamark-04.txt That proposal does not appear to have caught a lot of interest in 2004/2005, but perhaps it might now. I went to google mtamark, and came across a few discussions on mailing lists (e.g. at www.sage.org) as well as an article in iX (German IT magazine) in 2005. The proposal was certainly discussed quite a bit, but it's not very clear what then happened. I also saw a few links to personal pages at space.net, but they're long gone. /Per Jessen, Zürich
Re: sa-update channel problem
On Mon, 2010-02-15 at 10:38 +, Martin Gregorie wrote:

On Sun, 2010-02-14 at 23:46 -0800, mbeis wrote:

John Hardin wrote:

What does dig +short -t TXT 0.3.3.updates.spamassassin.org return?

I have this computer running like this for 6 years now, and I've never had a problem like this before. When I enter the command it returns nothing, doesn't seem ok to me?

Yup -- it should return the TXT record.

From here traceroute spamassassin.org works but ping reports 'unknown host' and traceroute reports 'Name or service not known' for updates.spamassassin.org and 0.3.3.updates.spamassassin.org

This looks like a network problem inside spamassassin.org to me.

To the OP: what results did you get with ping or traceroute?

It's not a real host, it's not supposed to have an IP. This is not an issue and doesn't help diagnose the problem. Try dig'ing for the TXT record as John mentioned. The returned value is the rules' version.

guenther
Re: Outbound SPAM filter
On Sun, 2010-02-14 at 18:18 -0800, the Nabble user shawn...@hotmail.com once again replied off-list:

config files included show how the mail is flowing.

Karsten Bräckelmann wrote:

Nabble allows off-list replies, and apparently even makes it easy to use? WTF, shouldn't the default be list reply, and anything else guarded by serious confirmation dialogs? Awesome, and it even breaks threading. How utterly annoying.

Please keep the thread on-list, replying to the list. Do not reply to the sender, unless you got a good reason and *really* mean to.

Wow, you did it again. DO NOT REPLY OFF-LIST, even less so from Nabble!

Obviously, you didn't even care to read my post carefully before replying with no additional information. With such an attitude, I am not going to waste my time on you. End of thread for me.

Quoted from: http://old.nabble.com/Outbound-SPAM-filter-tp27578583p27587528.html

Sic.
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
On 02/14, dar...@chaosreigns.com wrote:

Now should I use _mtx, or MTAMark style _smtp._srv?

dar...@chaosreigns.com wrote:

DNS records containing underscores are apparently a pain. In my Bind config I had to add check-names ignore;. My secondary DNS provider is responding with REFUSED (I asked them to fix it).

On 15.02.10 10:19, Per Jessen wrote:

Change provider. There is absolutely nothing wrong with having an underscore in DNS records. They're used for several things - _sip and _domainkey for instance. Also see RFC2181.

Note that BIND does support such names for some time, without problems. I have check-names reject but my BIND accepts such names.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The box said 'Requires Windows 95 or better', so I bought a Macintosh.
Re: sa-update channel problem
On Mon, 2010-02-15 at 13:34 +0100, Karsten Bräckelmann wrote: dig +short -t TXT 0.3.3.updates.spamassassin.org That gets 903765 from here. Martin
Re: MTX public blacklist implemented Re: MTX plugin functionally complete?
On 02/14, Jonas Eckerman wrote:

1: The participation record is optional, so you only use it if you want everything else to be rejected.

On 14.02.10 14:48, dar...@chaosreigns.com wrote:

Yeah. I'm thinking of using the 4th octet to indicate participation, and the third octet to indicate delegation.

If you want to check participation, you should do it on different level, e.g. check chaosreigns.com before mail.chaosreigns.com. It of course requires more DNS lookups, but note that people who do not participate, will not set ANY record so checking 127.* won't help you.

Check for the MTX record first, and if it is 127.0.0.1 or 127.0.0.0 you can skip this.

4th octet:
  0  Not participating.
  1  (or record not defined) Participating, everything not defined is valid (like SPF neutral).
  2  Participating, other stuff might be valid (like SPF softfail).
  3  Participating, everything else is invalid (SPF fail).

3rd octet:
  1  All MTX records are at this level.
  2  All MTX records are at a subdomain.
  3  Check MTX records at this level and then the subdomain.

If the value of the 4th octet changes when going to a subdomain, you could say to only check the 4th octet for participating or not if the 3rd octet is 2 (all delegated to subdomain). Or you could use the most restrictive of the two records.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Where do you want to go to die? [Microsoft]
HELO SPF + FCDNS (was: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage)
On 2010-02-14 19:20, dar...@chaosreigns.com wrote:

On 02/14, Jonas Eckerman wrote:

The SPF record above says that a host using panic.chaosreigns.com in HELO should not be allowed to send mail unless it has the IP address 64.71.152.40, regardless of the domain in the envelope from, From: header, etc..

You're right, I missed that, thank you. The complication, of course, is where a spammer owns the (forgeable) HELO domain but not the IP (PTR). Full circle DNS handles that. Has the combination been implemented?

I've no idea whether any software actually checks the combination of HELO SPF and FCDNS. It does seem a logical thing to do in software like SpamAssassin or MIMEDefang. Maybe I should implement it in my MIMEDefang filter just to log the results and see if it'd be a good idea to reject on it...

Possibly a lack of separate SPF records for HELO and MAIL FROM if they are the same.

Agreed. I think they should have separated those records. But then I also think they should have created an _spf subdomain from the start instead of using the TXT record for the domain without any special qualifier...

Regards /Jonas
-- Jonas Eckerman Fruktträdet Förbundet Sveriges Dövblinda http://www.fsdb.org/ http://www.frukt.org/ http://whatever.frukt.org/
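One way the HELO SPF plus FCDNS combination discussed in the message above could be logged, as an added example that is not Jonas's filter or any project's code. Assumptions: the SPF records, the spammer.example and isp.example names, the function names and the verdict labels are constructed; only the ip4 and all terms are evaluated, not full SPF, and only IPv4 is handled.

```python
import ipaddress

# Constructed zone data standing in for live DNS. Only the name
# panic.chaosreigns.com and the address 64.71.152.40 come from the thread;
# every record below, including both SPF strings, is an assumption.
ZONE = {
    ("panic.chaosreigns.com", "A"): ["64.71.152.40"],
    ("panic.chaosreigns.com", "TXT"): ["v=spf1 ip4:64.71.152.40 -all"],
    ("40.152.71.64.in-addr.arpa", "PTR"): ["panic.chaosreigns.com."],
    # A sender who controls the HELO domain (and so its SPF record) but not
    # the PTR of the address: the case the thread says full-circle DNS covers.
    ("mail.spammer.example", "A"): ["203.0.113.9"],
    ("mail.spammer.example", "TXT"): ["v=spf1 ip4:203.0.113.9 -all"],
    ("9.113.0.203.in-addr.arpa", "PTR"): ["dsl-203-0-113-9.isp.example."],
    ("dsl-203-0-113-9.isp.example", "A"): ["203.0.113.9"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone=ZONE):
    """Return the constructed records for (name, type); empty list if none."""
    return zone.get((name.rstrip(".").lower(), rtype), [])


def fcrdns_names(ip, zone=ZONE):
    """Names in the PTR of `ip` whose A records lead back to `ip`."""
    reverse = ipaddress.ip_address(ip).reverse_pointer
    return [ptr.rstrip(".").lower()
            for ptr in lookup(reverse, "PTR", zone)
            if ip in lookup(ptr, "A", zone)]


def helo_spf(helo, ip, zone=ZONE):
    """Evaluate the HELO name's SPF record against `ip` (ip4 and all only)."""
    records = [t for t in lookup(helo, "TXT", zone)
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one SPF record is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        if term.lower().startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"    # mechanism outside this subset
    return "neutral"


def check_helo(helo, ip, zone=ZONE):
    """Combine both checks into a verdict suitable for logging."""
    spf = helo_spf(helo, ip, zone)
    names = fcrdns_names(ip, zone)
    helo_confirmed = helo.rstrip(".").lower() in names
    if spf == "fail":
        verdict = "reject-candidate"     # HELO domain disowns this address
    elif spf == "pass" and helo_confirmed:
        verdict = "confirmed"            # domain owner and PTR owner agree
    elif spf == "pass":
        verdict = "spf-only"             # HELO domain vouches, PTR does not
    else:
        verdict = "unverified"
    return {"spf": spf, "fcrdns": names,
            "helo_confirmed": helo_confirmed, "verdict": verdict}


if __name__ == "__main__":
    for helo, ip in [("panic.chaosreigns.com", "64.71.152.40"),
                     ("panic.chaosreigns.com", "198.51.100.7"),
                     ("mail.spammer.example", "203.0.113.9")]:
        print(helo, ip, check_helo(helo, ip))
```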
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
Matus UHLAR - fantomas wrote:

On 02/14, dar...@chaosreigns.com wrote:

Now should I use _mtx, or MTAMark style _smtp._srv?

dar...@chaosreigns.com wrote:

DNS records containing underscores are apparently a pain. In my Bind config I had to add check-names ignore;. My secondary DNS provider is responding with REFUSED (I asked them to fix it).

On 15.02.10 10:19, Per Jessen wrote:

Change provider. There is absolutely nothing wrong with having an underscore in DNS records. They're used for several things - _sip and _domainkey for instance. Also see RFC2181.

Note that BIND does support such names for some time, without problems. I have check-names reject but my BIND accepts such names.

I checked my bind setup too, and I have the default for check-names - no complaints. It is however, perhaps, worth noting that my _sip and _domainkey names are for SRV records, not A records.

/Per Jessen, Zürich
Re: SA 330 compile error. where do I start looking
On Sun, 2010-02-14 at 18:27 -0500, Michael Scheidell wrote:

On 2/14/10 9:50 AM, Karsten Bräckelmann wrote:

Bad RAM?

well, it didn't start till SA 3.30, and deleting those two rules stopped the seg fault and crash..

Well, I've seen bad RAM do strange things like that before. In the middle of a full desktop build, the build randomly crapped out. Resuming the build helped, and I eventually got to the end. Yes, the entire time I was working on that machine with no issue...

It was the description and the identical setup of a bunch of machines, with *one* only showing the issue that triggered my suspicion.

more likely a bad ST 504 controller.

Maybe. *shrug* I'd check the RAM nonetheless. You know, it usually just takes a few seconds for memtest to light up like a Christmas tree if the RAM is faulty.
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
On 2010-02-14 19:20, dar...@chaosreigns.com wrote:

On 02/14, Jonas Eckerman wrote:

* I think there should be a way to tell the world whether you are using the scheme for a domain (not host) or not. This could easily be done in DNS.

I need to think about this more, thanks for the suggestion. (More on registrar boundaries below.)

* I think you should follow conventions in DNS naming, using an underscore to signify that the DNS record is a special type of record. This is quite common.

That's probably a good idea, hmm.

You could use SpamAssassin's registrar boundaries stuff for getting the domain in a SA plugin, and score higher for missing MTX host record if there is an MTX domain record.

How good is SA's registrar boundaries stuff?

Not sure, but it's used in various places if you use SA, so if it isn't good that will have effects on SA anyway.

I don't think "Use SpamAssassin's registrar boundaries" would be good in an RFC.

I only meant that SA's Mail::SpamAssassin::Util::RegistrarBoundaries could be used for this in an SA plugin. In the RFC I'd suggest it be specified that domain policies should be checked based on domain registry boundaries (but with better wording than mine).

I don't even know where the record should be for wildlife.state.nh.us. www.state.nh.us exists, which would indicate mtx.state.nh.us.

Mail::SpamAssassin::Util::RegistrarBoundaries::trim_domain returns wildlife.state.nh.us for wildlife.state.nh.us (and for whatever.wildlife.state.nh.us), suggesting that a policy record should be policy._mtx.wildlife.state.nh.us or similar. Whether that makes sense or not, I don't know. It does trim for example mail.microsoft.us to microsoft.us, so I guess there's a special reason for it to trim the state.nh.us subdomains to more than two levels.

Even if SA's registrar boundaries pointed to mtx.wildlife.state.nh.us, you'd still need to be able to delegate to another subdomain.

Yes, you'd need that. As I see it, there are two simple ways to do this.

* Make it possible to indicate policy delegation in the policy record. I see you thought about this one already. :-)

* Or, make a MTX checker traverse domain from the one it checks towards the registry boundary when checking for policy. This means more DNS lookups but might be easier to administrate. (I have a vague recollection that DKIM or ADSP works this way... Not sure though)

Or maybe participant._mtx.frukt.org. Giving an A record to the _mtx subdomain itself seems potentially problematic,

Agreed. And seeing as a hostname should not contain underscore, that wasn't a very good idea of mine.

Any suggestions other than participant?

policy seems better than participant to me.

Regards /Jonas
-- Jonas Eckerman Fruktträdet Förbundet Sveriges Dövblinda http://www.fsdb.org/ http://www.frukt.org/ http://whatever.frukt.org/
Re: sa-update channel problem
On Mon, 2010-02-15 at 05:45 -0800, mbeis wrote:

When I enter dig 0.3.3.updates.spamassassin.org, I get:

Once again, there is no IP for these, and it isn't supposed to have one. You are missing the TXT type in your query. By default, dig performs a lookup for an A record.
Re: MTX public blacklist implemented Re: MTX plugin functionally complete?
On Sun, 14 Feb 2010, Jonas Eckerman wrote:

1: The participation record is optional, so you only use it if you want everything else to be rejected.

This is why I would support mtamark... It permits the sysadmin to determine the default behaviour for his IP range, rather than defining a dangerous default in the client. And I quote:

This subdomain MAY be inserted at any level in the DNS tree for IPv4 IN-ADDR.ARPA reverse zones. For IPv6, to limit the number of DNS queries, _srv is only queried at the /128 (host), /64 (subnet) and /32 (site) level. That way it can either provide information for a specific IP address or for a whole network block. More specific information takes precedence over information found closer to the top of the tree.

The beauty of this mechanism is that we can 'sell' large ISP's on it by saying you only need to create one 'allow' entry for each legitimate MTA and one 'deny' entry for each netblock. And for SA there is no need to give it 'starting' scores, like SPF, the mechanism is effective as soon as it is used, and ignorable if not...

- C
Re: sa-update channel problem
Karsten Bräckelmann-2 wrote:

On Mon, 2010-02-15 at 05:45 -0800, mbeis wrote:

When I enter dig 0.3.3.updates.spamassassin.org, I get:

Once again, there is no IP for these, and it isn't supposed to have one. You are missing the TXT type in your query. By default, dig performs a lookup for an A record.

    dig -t TXT mirrors.updates.spamassassin.org

    ; <<>> DiG 9.6.1-P1 <<>> -t TXT mirrors.updates.spamassassin.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39274
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mirrors.updates.spamassassin.org. IN TXT

    ;; Query time: 1 msec
    ;; SERVER: 10.0.0.138#53(10.0.0.138)
    ;; WHEN: Mon Feb 15 15:29:07 2010
    ;; MSG SIZE rcvd: 50
Re: sa-update channel problem
On Mon, 2010-02-15 at 06:30 -0800, mbeis wrote:

Karsten Bräckelmann wrote:

Once again, there is no IP for these, and it isn't supposed to have one. You are missing the TXT type in your query. By default, dig performs a lookup for an A record.

    dig -t TXT mirrors.updates.spamassassin.org

    ; <<>> DiG 9.6.1-P1 <<>> -t TXT mirrors.updates.spamassassin.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39274
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 7

As has been pointed out before, you seem to have DNS issues. Note the answer and authority sections missing from your query.

    ;; QUESTION SECTION:
    ;mirrors.updates.spamassassin.org. IN TXT

    ;; Query time: 1 msec
    ;; SERVER: 10.0.0.138#53(10.0.0.138)

Maybe want to go see that server? ;)
Re: MTX public blacklist implemented Re: MTX plugin functionally complete?
On Sun, 14 Feb 2010, Jonas Eckerman wrote:

1: The participation record is optional, so you only use it if you want everything else to be rejected.

On 15.02.10 09:04, Charles Gregory wrote:

This is why I would support mtamark... It permits the sysadmin to determine the default behaviour for his IP range, rather than defining a dangerous default in the client. And I quote:

This subdomain MAY be inserted at any level in the DNS tree for IPv4 IN-ADDR.ARPA reverse zones. For IPv6, to limit the number of DNS queries, _srv is only queried at the /128 (host), /64 (subnet) and /32 (site) level. That way it can either provide information for a specific IP address or for a whole network block. More specific information takes precedence over information found closer to the top of the tree.

The beauty of this mechanism is that we can 'sell' large ISP's on it by saying you only need to create one 'allow' entry for each legitimate MTA and one 'deny' entry for each netblock.

Well, the ipv6 addresses are (were?) expected to be allocated by /48 blocks, so we could need check on this level too, imho.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Silvester Stallone: Father of the RISC concept.
Re: sa-update channel problem
Karsten Bräckelmann-2 wrote:

    ;; QUESTION SECTION:
    ;mirrors.updates.spamassassin.org. IN TXT

    ;; Query time: 1 msec
    ;; SERVER: 10.0.0.138#53(10.0.0.138)

Maybe want to go see that server? ;)

This is the IP address of my DSL router. I haven't touched it for a decade or so and I have never had a DNS problem before. What can I change in it to make DNS work for spamassassin?
Re: HELO SPF + FCDNS (was: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage)
On 2010-02-14 19:20, dar...@chaosreigns.com wrote: Possibly a lack of separate SPF records for HELO and MAIL FROM if they are the same. On 15.02.10 13:58, Jonas Eckerman wrote: Agreed. I think they should have separated those records. I don't see any reason. Why should we allow someone to use given name in HELO if we won't allow them to send mail with this name in mail from (and vice versa)? But then I also think they should have created an _spf subdomain from the start instead of using the TXT record for the domain without any special qualifier... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 2B|!2B, that's a question!
Re: bayes learning '0 messages found'
Kai Schaetzl wrote:

Smfabac wrote on Mon, 15 Feb 2010 00:20:06 -0800 (PST):

So, does the documentation on sa-learn indicate that there is a size limit on the message to be processed?

Why not check yourself?

Kai
-- Get your web at Conactive Internet Services: http://www.conactive.com

Thanks for your help Kai.

After checking http://spamassassin.apache.org/full/3.0.x/dist/doc/sa-learn.html I see that there is no official answer to the question: what is the message size limit where sa-learn fails.

The question "So, does the documentation on sa-learn indicate that there is a size limit on the messages to be processed?" is a veiled request to the SA developers/maintainers that people may be interested in that information.
Re: MTX public blacklist implemented Re: MTX plugin functionally complete?
Matus UHLAR - fantomas wrote: well, the ipv6 addresses are (were?) expected to be allocated by /48 blocks, so we could need check on this level too, imho. We got an IPv6 range allocated late last year, it is a /48 block. /Per Jessen, Zürich
Re: sa-update channel problem
After installing the tarball manually, spamd now starts. Leaves figuring out what is wrong with my DNS. But it's nice to have SpamAssassin working again. Thanks for all your help! Regards, Marco
Re: sa-update channel problem
Karsten Bräckelmann-2 wrote:

    ;; QUESTION SECTION:
    ;mirrors.updates.spamassassin.org. IN TXT

    ;; Query time: 1 msec
    ;; SERVER: 10.0.0.138#53(10.0.0.138)

Maybe want to go see that server? ;)

On 15.02.10 07:04, mbeis wrote:

This is the IP address of my DSL router. I haven't touched it for a decade or so and I have never had a DNS problem before. What can I change in it to make DNS work for spamassassin?

Try replacing with another one for a while if it helps. Or maybe installing a new firmware or new DSL router could help...

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Christian Science Programming: Let God Debug It!.
Re: bayes learning '0 messages found'
Smfabac wrote on Mon, 15 Feb 2010 07:27:19 -0800 (PST): The question So, does the documentation on sa-learn indicate that there is a size limit on the messages to be processed? is a veiled request to the SA developers/maintainers that people may be interested in that information. If you want to ask for better documentation of this for instance in the man file or even an option to override the default size limit you should ask on https://issues.apache.org/SpamAssassin/ Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
Re: sa-update channel problem
Mbeis wrote on Mon, 15 Feb 2010 07:04:35 -0800 (PST): What can I change in it to make DNS work for spamassassin?

how should we know? Maybe it's not doing TXT field lookups or a server in the chain doesn't do them or a firewall doesn't like that. It's best you talk to your service provider and ask for the nameservers you should use. Then compare with what you have set. There might also be some caching involved, so a reboot might help. It seems you are not getting any answers back to TXT type queries. Correct answers are:

;; ANSWER SECTION:
mirrors.updates.spamassassin.org. 3600 IN TXT http://spamassassin.apache.org/updates/MIRRORED.BY;

and for the original query:

;; ANSWER SECTION:
0.3.3.updates.spamassassin.org. 3600 IN TXT 903765

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
On 02/15, Per Jessen wrote: Change provider. There is absolutely nothing wrong with having an underscore in DNS records. They're used for several things - _sip and _domainkey for instance. Also see RFC2181. RFC 2181 section 11 does seem to agree. However, I still haven't found evidence of it ever being used in an A record. Also, I have SRV records with underscores that they accept just fine. And I'm not willing to change providers for this. If I need to change provider, it's too great a barrier to general adoption. On 02/15, Per Jessen wrote: I checked my bind setup too, and I have the default for check-names - no complaints. It is however, perhaps, worth noting that my _sip and _domainkey names are for SRV records, not A records. Yup, no problems with SRV records - either with my secondary DNS provider, or bind before I changed check-names to ignore. On 02/15, Matus UHLAR - fantomas wrote: In such case you should not compare MTX with SPF and or DKIM, instead you should clearly state that MTX is designed to do something very different than SPF and DKIM are trying to do. Good point. I did not ever intend to say that MTX is better than SPF or DKIM, just that MTX is better at what it is intended for which the others are not intended for. On 02/15, Justin Mason wrote: I could vaguely recall it, then someone else reminded me of the exact name. There have been a lot of MARID proposals in the past... MTA Authorization Records in DNS. Good acronym for me to know, thanks. It was an IETF Working Group that was terminated in 2004: http://www.networkworld.com/news/2004/092704ietfspam.html -- I'd rather be happy than right any day. - Slartiblartfast, The Hitchhiker's Guide to the Galaxy http://www.ChaosReigns.com
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
I'm about to post about MTX to the Anti-Spam Research Group's discussion mailing list: http://asrg.sp.am/about/lists.shtml This appears to be the best next step toward RFC. MTX HELO - need to comment on this On 02/15, Jonas Eckerman wrote: * Or, make a MTX checker traverse domain from the one it checks towards the registry boundary when checking for policy. This means more DNS lookups but might be easier to administrate. (I have a vague recollection that DKIM or ADSP works this way... Not sure though) Icky. policy seems better than participant to me. Sounds good to me. It's shorter. On 02/14, Jonas Eckerman wrote: If anyone connects from a host where reverse lookup or HELO puts it in frukt.org domain, you know that you should reject or score high unless it has FCDNS and a matching MTX record. How useful do you think it is to validate the HELO against MTX? I'm thinking I don't really care, and it adds extra complication. Sure, in the short term, it would catch some spam, but a spammer can set the HELO to anything they want, without consequence, and can just as easily set it to match the IP they're sending from. Also, SPF HELO covers it. -- For gasoline vapor, the explosive range is from 1.3 to 6.0% vapor to air...useful against soft targets such as...armored vehicles...and bunkers. - http://www.fas.org/man/dod-101/sys/dumb/fae.htm http://www.ChaosReigns.com
Re: bayes learning '0 messages found'
On Mon, 2010-02-15 at 07:27 -0800, smfabac wrote: I see that there is no official answer to the question. what is the message size limit where sa-learn fails.

If you use something like spamc rather than using sa-learn you can gain some flexibility due to the places and hosts where you can run spamc plus you get the ability to set the max message size yourself. Here's an extreme example:

    for f in spam/*
    do
        # third field of wc output is the size in bytes
        l=$(wc "$f" | gawk '{ print $3 }')
        # spamc reads the message on stdin
        spamc --learntype=spam --max-size=$l < "$f"
    done

where the limit is set to the size of each spam message in turn.

Martin
Re: _mtx MTX plugin functionally complete?
On 02/15, Kai Schaetzl wrote: Underscores are explicitly forbidden in internet hostnames. That's the point. MTX records are not host names. That's why _mtx would be good, to differentiate it. RFC 1101 section 4 includes using A records for subnet mapping. So there appears to be no requirement that A records only contain host names. However, I'm still concerned about the difficulty in implementation with the underscore due to default configurations (which appear to violate RFC 2181 section 11). On 02/15, Per Jessen wrote: I'm not quite sure what that means: how does MTX tie spam to a domain? The MTX record is an A record in the domain listed in the PTR record. That's the domain it's tied to. Regardless, your proposal and MTAmark clearly have a lot in common, to me it seems to make a lot of sense to work with the two guys who wrote that RFC. Purpose - leverage their work, perhaps merge your two proposals, and most importantly: find out why MTAmark never really took off. Yes. On 02/15, Charles Gregory wrote: This is why I would support mtamark... It permits the sysadmin to determine the default behaviour for his IP range, rather than defining a dangerous default in the client. That dangerous default in MTX is an SA score 0.001. Or of course 0, if you don't want the information. Let me know what you think of the participant / policy records, and if they satisfy your desire for determining default behavior (being renamed from participant to policy): http://www.chaosreigns.com/mtx/policy/ -- People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf. - George Orwell http://www.ChaosReigns.com
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
dar...@chaosreigns.com wrote: On 02/15, Per Jessen wrote: I checked my bind setup too, and I have the default for check-names - no complaints. It is however, perhaps, worth noting that my _sip and _domainkey names are for SRV records, not A records. Yup, no problems with SRV records - either with my secondary DNS provider, or bind before I changed check-names to ignore. Hmm, there does seem to be some minor issue with the underscore in A records, but I still think it would be the most appropriate way to go. /Per Jessen, Zürich
Re: MTX plugin functionally complete? Re: Spam filtering similar to SPF, less breakage
On 02/15, Per Jessen wrote: Hmm, there does seem to be some minor issue with the underscore in A records, but I still think it would be the most appropriate way to go. Technically I agree. However, practically, I think it might be important to go without underscores purely due to implementation difficulties, mostly Bind's apparent default RFC violation. -- every time I race I see god - tsuwa, #motorcycles, EFNet, 7/19/06 http://www.ChaosReigns.com
Re: v3.3.x Rule installs/updates from updates.spamassassin.org sought.rules.yerp.org FAIL @ dns query (NXDOMAIN); other channels resolve work fine.
On 15/02/2010 8:11 AM, Karsten Bräckelmann wrote:

On Fri, 2010-02-12 at 09:35 -0800, Ben DJ wrote: I've installed,

spamassassin -V
SpamAssassin version 3.3.1-r905461 running on Perl version 5.10.0

Attempts to pull rules from updates.spamassassin.org, (1), sought.rules.yerp.org, (2), channels FAIL w/ dns: query fails: ... NXDOMAIN.

(1) sa-update -D -v --channel updates.spamassassin.org --gpgkey 5244EC45 --gpghomedir /root/.gnupg
...
Feb 12 09:24:37.457 [31615] dbg: dns: query failed: 1.3.3.updates.spamassassin.org = NXDOMAIN

$ dig +short -t TXT 0.3.3.updates.spamassassin.org
903765
$ dig +short -t TXT 1.3.3.updates.spamassassin.org

Hrm, yeah -- no version response for 3.3.1. :/

Yeah. That'll be corrected RSN.

Daryl
[Solved] Re: sa-update channel problem
Matus UHLAR - fantomas wrote: try replacing with another one for a while if it helps. Or maybe installing a new firmware or new DSL router could help... Thank you Matus for your hint. I upgraded my modem with a new firmware and now sa-update works! Thanks everybody for your help. Regards, Marco
Re: MTX public blacklist implemented Re: MTX plugin functionally complete?
On 2010-02-15 15:04, Charles Gregory wrote: On Sun, 14 Feb 2010, Jonas Eckerman wrote: 1: The participation record is optional, so you only use it if you want everything else to be rejected. This is why I would support mtamark... It permits the sysadmin to determine the default behaviour for his IP range, rather than defining a dangerous default in the client. In what way does the above define a dangerous default? The default in the statement above is to consider a domain as *not* participating unless otherwise stated by whoever manages the DNS for the domain. If the domain does not participate it should not be punished when a MTX record isn't found. Regards /Jonas -- Jonas Eckerman Fruktträdet Förbundet Sveriges Dövblinda http://www.fsdb.org/ http://www.frukt.org/ http://whatever.frukt.org/
MTX Policy records implemented.
http://www.chaosreigns.com/mtx/policy/

Be sure to check out the flow chart at the bottom. It doesn't include delegation. Thanks to Jonas Eckerman for getting me to do it. The SA plugin is still on http://www.chaosreigns.com/mtx/

MTX Policy enables new tests which can be used in place of MTX_FAIL:

MTX_NONE
MTX_NEUTRAL
MTX_SOFTFAIL
MTX_HARDFAIL

If you don't use them, and use MTX_FAIL instead, it skips the policy check. The values are determined by A records named policy.mtx.example.com. The value of that record also indicates whether the subdomain should be checked. My implementation has an arbitrary limit of 20 levels of domains to avoid abuse.

Mail::SpamAssassin::Util::RegistrarBoundaries::trim_domain has been great for picking the domain level to start out at. Thanks again to Jonas for pointing me to it.

MTX's debug output showing policy delegation:

mtx: Doing the necessary DNS lookups.
mtx: Testing IP: 159.134.118.53 (last untrusted relay).
mtx: Host name ('A' record) is mail24.svc.cra.dublin.eircom.net.
mtx: Relevant MTX record is: 53.118.134.159.mtx.mail24.svc.cra.dublin.eircom.net
mtx: Checking blacklist.
mtx: Failed to get A record for 53.118.134.159.mtx.mail24.svc.cra.dublin.eircom.net.
mtx: Checking MTX Policy.
mtx: Policy mindepth: 2, maxdepth: 6
mtx: MTX Policy record name: policy.mtx.eircom.net, depth: 2
mtx: MTX Policy record value: 127.0.1.2.
mtx: Delegated.
mtx: Found HardFail.
mtx: MTX Policy record name: policy.mtx.dublin.eircom.net, depth: 3
mtx: MTX Policy record value: 127.0.1.1.
mtx: Delegated.
mtx: Found SoftFail.
mtx: MTX Policy record name: policy.mtx.cra.dublin.eircom.net, depth: 4
mtx: MTX Policy record value: 127.0.0.0.
mtx: Not delegated.
mtx: Found Neutral.
rules: ran eval rule MTX_FAIL == got hit (1)
rules: ran eval rule MTX_NEUTRAL == got hit (1)

My post to the Anti-Spam Research Group's list: http://www.ietf.org/mail-archive/web/asrg/current/msg16232.html

-- 
To my mind it is wholly irresponsible to go into the world incapable of preventing violence, injury, crime, and death. How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic. - Ted Nugent
http://www.ChaosReigns.com
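The policy walk in the debug output above, as an added Python example that is not the MTX plugin's own (Perl) code. The octet meanings (third octet 1 = delegated, last octet 0/1/2 = Neutral/SoftFail/HardFail) are inferred from the three values in that output; ending the walk at a missing record, the fixed mindepth of 2 and the SAMPLE_ZONE table are assumptions constructed for the example.

```python
import ipaddress

MAX_LEVELS = 20  # the post's "arbitrary limit of 20 levels of domains"
# Last octet -> test name; mapping inferred from the debug output.
RESULTS = {0: "MTX_NEUTRAL", 1: "MTX_SOFTFAIL", 2: "MTX_HARDFAIL"}

# Constructed zone data mirroring the three policy records in the post.
SAMPLE_ZONE = {
    "policy.mtx.eircom.net": "127.0.1.2",
    "policy.mtx.dublin.eircom.net": "127.0.1.1",
    "policy.mtx.cra.dublin.eircom.net": "127.0.0.0",
}

def mtx_record_name(ip, ptr_host):
    """Reversed IPv4 octets + '.mtx.' + the host name from the PTR record."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".mtx." + ptr_host.rstrip(".").lower()

def decode_policy(value):
    """Return (delegated, result) for a policy A record value."""
    a, b, deleg, code = (int(x) for x in value.split("."))
    if (a, b) != (127, 0) or deleg not in (0, 1) or code not in RESULTS:
        raise ValueError("not a recognised policy value: %s" % value)
    return bool(deleg), RESULTS[code]

def walk_policy(ptr_host, lookup, mindepth=2):
    """Walk policy.mtx.<domain> from the registry boundary toward the host.

    lookup(name) returns the A record value as a string, or None.
    Returns (final result, list of (depth, name, result, delegated)).
    """
    labels = ptr_host.rstrip(".").lower().split(".")
    maxdepth = min(len(labels), mindepth + MAX_LEVELS - 1)
    result, trail = "MTX_NONE", []
    for depth in range(mindepth, maxdepth + 1):
        name = "policy.mtx." + ".".join(labels[-depth:])
        value = lookup(name)
        if value is None:        # assumption: a missing record ends the walk
            break
        delegated, result = decode_policy(value)
        trail.append((depth, name, result, delegated))
        if not delegated:        # deeper subdomains are not consulted
            break
    return result, trail

if __name__ == "__main__":
    host = "mail24.svc.cra.dublin.eircom.net"
    print(mtx_record_name("159.134.118.53", host))
    print(walk_policy(host, SAMPLE_ZONE.get))
```

A deeper record only takes effect when every level above it is marked as delegated, which is why the walk ends at depth 4 in the sample.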
Re: MTX public blacklist implemented Re: MTX plugin functionally complete?
On Tue, 16 Feb 2010, Jonas Eckerman wrote: 1: The participation record is optional, so you only use it if you want everything else to be rejected. This is why I would support mtamark... It permits the sysadmin to determine the default behaviour for his IP range, rather than defining a dangerous default in the client. In what way does the above define a dangerous default? It doesn't. My comment refers to early messages where the author of 'mtx' said that the 'standard' behaviour in the absence of any mtx record as being equivalent to a 'deny' condition. That is, the domain would be scored as 'spammish' if it did not participate. The default in the statement above is to consider a domain as *not* participating unless otherwise stated by whoever manages the DNS for the domain. Correct. And my comment was that this was a much better alternative to the 'dangerous default' of having 'not participating' mean 'spammy'. If the domain does not participate it should not be punished when a MTX record isn't found. You got it. Exactly. And that's why I gave up on MTX. Because the author was insisting that exactly that should happen. - C