Re: blizzard (and others) faux messages

2010-06-28 Thread LuKreme

On 28-Jun-2010, at 15:11, Karsten Bräckelmann wrote:

> On Mon, 2010-06-28 at 15:02 -0600, LuKreme wrote:
>> On 28-Jun-2010, at 04:51, Mark Martinec wrote:
>>> The syntax hasn't changed - the DKIM plugin docs is up-to-date, see there.
> 
>> I assume I am looking in the wrong place?
>> 
>> $ perldoc Mail::SpamAssasin::Plugin::DKIM
>> No documentation found for "Mail::SpamAssasin::Plugin::DKIM".
>^^^
> Yes, wrong place. That doesn't translate to UBE-butt-butt-in.

Ah, I hate that word!

Thanks :)

-- 
All I know is that using the strap makes me feel like a hot woman in
sunglasses. :-) ~jeffcarlson



Re: blizzard (and others) faux messages

2010-06-28 Thread Karsten Bräckelmann
On Mon, 2010-06-28 at 15:02 -0600, LuKreme wrote:
> On 28-Jun-2010, at 04:51, Mark Martinec wrote:
> > The syntax hasn't changed - the DKIM plugin docs is up-to-date, see there.

> I assume I am looking in the wrong place?
> 
>  $ perldoc Mail::SpamAssasin::Plugin::DKIM
> No documentation found for "Mail::SpamAssasin::Plugin::DKIM".
^^^
Yes, wrong place. That doesn't translate to UBE-butt-butt-in.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: blizzard (and others) faux messages

2010-06-28 Thread LuKreme
On 28-Jun-2010, at 04:51, Mark Martinec wrote:
> The syntax hasn't changed - the DKIM plugin docs is up-to-date, see there.

perldoc Mail::DKIM was not in any way helpful.

I assume I am looking in the wrong place?

 $ perldoc Mail::SpamAssasin::Plugin::DKIM
No documentation found for "Mail::SpamAssasin::Plugin::DKIM".
 $ perldoc Plugin::DKIM
No documentation found for "Plugin::DKIM".

> In this case all you need (since 3.3.0) is an ADSP override,
> no need for whitelisting:
> 
> score DKIM_ADSP_CUSTOM_HIGH 100
> 
> adsp_override battle.net custom_high
> adsp_override email.blizzard.com custom_high
> 
> or more general:
> 
> adsp_override blizzard.com custom_high
> adsp_override *.blizzard.com custom_high
> 
> Adjust scores as needed, the defaults are very cautious
> (just in case someone is running SpamAssassin behind a
> mail path which clobbers messages, invalidating signatures):

OK, and then I just do that for every domain?

Sorry for the confusion, but I seem to have wiped the memory banks on all of 
this in the last 3 years or so.

What I want:

  1) Message from blizzard that has no dkim gets scored +10
  2) Message from blizzard that passes dkim gets scored -1 (or something)
  3) Message from random idiot that passes dkim gets scored -0.1
  4) message that FAIL DKIM (or SPF hard fail) get scored +5
  5) Message from random idiot that passes SPF gets scored -0.001

I think that's about what I had in 3.2.5, only blizzard was a list of 'known' 
senders, like paypal, amazon, citibanc, apple.com, ebay, &c.

adsp_override battle.net  custom_high
adsp_override blizzard.com custom_high
adsp_override amazon.com custom_high
adsp_override *.ebay.com custom_high
adsp_override ebay.com custom_high

and so on?

And, since I'm here, how do I setup DKIM signing on my outbound mail? 

-- 
Thunder rolled...  It is said that the gods play games with the fates of
men. But what games, and why, and the identities of the actual pawns,
and what the game is, and what the rules are - who knows?  Best not to
speculate.  Thunder rolled...  It rolled a six. --Guards! Guards!



Re: me.com as freemail?

2010-06-28 Thread LuKreme
On 28-Jun-2010, at 14:41, Daniel J McDonald wrote:
> I notice that me.com (Apple's "mobile me") is now offering a "free 60
> day trial"

What do you mean, "now"? They have always offered a 60 day trial.

> for their mail solution.  About half the mail from me.com has
> been spam here lately, so I've added it to my local list of freemail
> domains.  Anyone seen anything similar?

I *get* a lot of spam at me.com, I don't get much FROM me.com, and what I do 
get seems to be of the "put 20 addresses in the Cc: header" variety. I let 
procmail deal with those.


-- 
"You never really understand a person until you see things from his
point of view, until you climb inside of his skin and walk around in
it."



me.com as freemail?

2010-06-28 Thread Daniel J McDonald
I notice that me.com (Apple's "mobile me") is now offering a "free 60
day trial" for their mail solution.  About half the mail from me.com has
been spam here lately, so I've added it to my local list of freemail
domains.  Anyone seen anything similar?

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


sane values for size of bayes_token database in MySQL

2010-06-28 Thread Aaron Bennett

I'm sort of pulling at straws here, but I'm reading the manpage for
sa-learn and it says that sa-learn will try to expire bayes tokens
according to this:

- the number of tokens in the DB is > 100,000
- the number of tokens in the DB is > bayes_expiry_max_db_size
- there is at least a 12 hr difference between the oldest and
newest token atimes


I haven't changed bayes_expiry_max_db_size and I run sa-learn
--force-expire every night via cron and I have bayes_auto_expire set to 0.

That said, my bayes_token database is huge:

| Name | Engine | Version | Row_format | Rows | Avg_row_length | Data_length | Max_data_length | Index_length | Data_free | Auto_increment | Create_time | Update_time | Check_time | Collation | Checksum | Create_options | Comment |
|------|--------|---------|------------|------|----------------|-------------|-----------------|--------------|-----------|----------------|-------------|-------------|------------|-----------|----------|----------------|---------|
| bayes_expire | InnoDB | 9 | Fixed | 1 | 16384 | 16384 | NULL | 16384 | 0 | NULL | 2006-07-06 11:25:28 | NULL | NULL | latin1_swedish_ci | NULL | | InnoDB free: 29522944 kB |
| bayes_global_vars | InnoDB | 9 | Dynamic | 1 | 16384 | 16384 | NULL | 0 | 0 | NULL | 2006-07-06 11:25:28 | NULL | NULL | latin1_swedish_ci | NULL | | InnoDB free: 29522944 kB |
| bayes_seen | InnoDB | 9 | Dynamic | 90902320 | 175 | 15980298240 | NULL | 0 | 0 | NULL | 2006-07-06 11:25:28 | NULL | NULL | latin1_swedish_ci | NULL | | InnoDB free: 29522944 kB |
| bayes_token | InnoDB | 9 | Fixed | 596422823 | 83 | 49507483648 | NULL | 40946384896 | 0 | NULL | 2006-07-06 11:25:28 | NULL | NULL | latin1_swedish_ci | NULL | | InnoDB free: 29522944 kB |


particularly bayes_token which is almost 50GB and has WAY more than
150,000 rows.

Is this sane?




Re: Searched but did not find any info re scores for squirrelmail inbound

2010-06-28 Thread Karsten Bräckelmann
On Mon, 2010-06-28 at 14:57 -0400, Alex wrote:
> > Nope, spamd does not do anything with the email either.
> 
> Thanks for correcting me. I use amavisd. For those who use spamd, how
> do they determine the email destiny based on the score? With just
> procmail?

Yes, or any other MDA, probably using sieve. Note though, that such MDA
usually delivers identified spam into a dedicated "quarantine" folder
*per* *user*, rather than globally.

Moreover, merely focussing on the delivery folder is not all to it. How
do they "use spamd" in the first place?

Just like you integrate Amavisd-new with your MTA, you also need to do
this in any other case. Procmail can do the spamc filter calling. In a
general case (including any sieve MDA, IIRC) you once again need to
integrate SA with the MTA.


> I thought spamd also managed the quarantine, but I guess not.

Nope, it doesn't.





Re: Searched but did not find any info re scores for squirrelmail inbound

2010-06-28 Thread Alex
Hi,

>> [...] spamassassin itself only does the scoring -- it's up to another
>> program, such as amavisd-new (separate application) or spamd (included
>> with spamassassin) to do something with the email once it has been
>> determined to be spam.
>
> Nope, spamd does not do anything with the email either.

Thanks for correcting me. I use amavisd. For those who use spamd, how
do they determine the email destiny based on the score? With just
procmail? I thought spamd also managed the quarantine, but I guess
not.

Thanks,
Alex


Re: Learning and reporting with spamc in a single step?

2010-06-28 Thread Karsten Bräckelmann
On Mon, 2010-06-28 at 13:53 -0400, Dan Mahoney, System Admin wrote:
> On Mon, 28 Jun 2010, Karsten Bräckelmann wrote:
> > If you actually can use both options at the same time, I don't know.
> > Maybe you wanna try it, and let us know. :)

Ah, having spamc talk to netcat just showed it nicely. Both -L and -C do
use the same TELL command, with a difference in the Set header. While -L
learn is Set: local only, -C report is Set: local,remote.

So, yes, reporting with spamc -C does work the same as spamassassin -r
does. Both also do Bayes training. A quick glimpse through the spamd
code confirms this, btw.


However, as can be trivially observed by just trying it and providing
*both* options, -C and -L, results in an error. Exit code 64, EX_USAGE,
command line usage error.

No need to anyway, as -C report includes -L learn.


> I wonder what the logs show (or are supposed to show) during these 
> operations.

Maybe... Try it and watch your logs?


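The two TELL requests described in the message above, as an added example that is not part of the thread and is not spamc or spamd source. The `Set:` values are the ones quoted in the message; the `SPAMC/1.5` version token, the sample message and the sample server reply are constructed assumptions.

```python
# Added illustration of the spamd TELL framing discussed above.
# Assumptions: version token "SPAMC/1.5"; SAMPLE_MSG and any reply passed to
# unconfirmed() are constructed for the example, not captured traffic.

CRLF = b"\r\n"
SAMPLE_MSG = b"From: a@example.net\r\nSubject: constructed sample\r\n\r\nbody\r\n"


def build_tell(message, targets, message_class="spam", version="SPAMC/1.5"):
    """Serialize one TELL request; targets is ("local",) or ("local", "remote")."""
    head = [
        b"TELL " + version.encode(),
        b"Message-class: " + message_class.encode(),
        b"Set: " + ",".join(targets).encode(),
        b"Content-length: " + str(len(message)).encode(),
    ]
    return CRLF.join(head) + CRLF + CRLF + message


def parse_frame(raw):
    """Split a request or reply into (first_line, headers, body).

    Raises ValueError on a missing header terminator, a malformed header
    line, or a body that does not match the declared Content-length.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line after headers")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode()] = value.strip().decode()
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("Content-length does not match body size")
    return lines[0].decode(), headers, body


def targets_of(value):
    """Turn a 'local,remote' style header value into a set of targets."""
    return {t.strip() for t in value.split(",") if t.strip()}


def classify_tell(raw):
    """Return 'report' when the request asks for remote reporting, 'learn'
    when it only sets the local (Bayes) database, otherwise 'other'."""
    first, headers, _ = parse_frame(raw)
    if not first.startswith("TELL "):
        raise ValueError("not a TELL request")
    targets = targets_of(headers.get("set", ""))
    if "remote" in targets:
        return "report"
    if targets == {"local"}:
        return "learn"
    return "other"


def unconfirmed(request, reply):
    """Targets the client asked to Set that the reply's DidSet header does
    not confirm, e.g. local learning done but no remote report made."""
    _, req_headers, _ = parse_frame(request)
    _, rep_headers, _ = parse_frame(reply)
    return targets_of(req_headers.get("set", "")) - targets_of(rep_headers.get("didset", ""))


LEARN_REQUEST = build_tell(SAMPLE_MSG, ("local",))             # spamc -L spam
REPORT_REQUEST = build_tell(SAMPLE_MSG, ("local", "remote"))   # spamc -C report
```

Because the report request already carries `local`, a log or packet capture showing `Set: local,remote` accounts for both the Bayes training and the remote report of that message.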



Re: [sa-list] Re: Learning and reporting with spamc in a single step?

2010-06-28 Thread Dan Mahoney, System Admin

On Mon, 28 Jun 2010, Karsten Bräckelmann wrote:

> On Sun, 2010-06-27 at 16:52 -0400, Dan Mahoney, System Admin wrote:
> > Can spamc do this, or must it be forked to "tee" or something.
> >
> > Ideally I'd like to both report and learn in a single step (such as in a
> > pipe from alpine).  I note that spamassassin -r also has the option to
> > learn (by default!), but spamc doesn't for some reason.  Or if it does,
> > the manpage neglects to mention it.
>
> Hmm, man spamc shows -L learn type and -C report type right next to each
> other. Yours doesn't?

It shows them top to bottom, but does not say whether they're exclusive or 
not.  As for the usage summary...


%spamc -V
SpamAssassin Client version 3.2.3
  compiled with SSL support (OpenSSL 0.9.7e-p1 25 Oct 2004)

SYNOPSIS
   spamc [options] < message

is less than helpful in determining which options work together.

> If you actually can use both options at the same time, I don't know.
> Maybe you wanna try it, and let us know. :)


I wonder what the logs show (or are supposed to show) during these 
operations.


-Dan

--

"You're a daddy.  I'm a mommy.  She's our baby.  Deal with it."

-Cali, 11/7/02, about 1:35 AM

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


Re: regex for short messages

2010-06-28 Thread Bowie Bailey
Daniel Lemke wrote:
> Hmm, I've just noticed that my rule is working fine for simple text
> messages, but is also being triggered when checking mails containing html
> (http://pastebin.com/xB7SKnFV).
>
> rawbody   T__SHORT_MAIL   /\A.{0,150}\z/s
>
> -D reports:
> Jun 28 13:32:40.961 [4200] dbg: rules: ran rawbody rule T__SHORT_MAIL
> ==> got hit: "
>
> Any hints on this?

The best idea was suggested by someone else.  Instead of trying to match
a short segment, do a negative match on a longer one.

rawbody T__LONG_MAIL /.{151}/s
meta T_SHORT_MAIL !T__LONG_MAIL

Once you've tested the rule, you can remove the "T" from the T_LONG_MAIL
rule so that it becomes a subrule and will not be scored or show in the
reports.

-- 
Bowie
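Why the anchored pattern can hit on a long mail while the negative match does not, as an added example that is not part of the thread. It assumes a simplified model in which a rule is tried against each segment of the mail separately (the Subject first, then each paragraph); that segmentation and the sample mails are assumptions, and Python's `\Z` stands in for Perl's `\z`.

```python
import re

# Python's \Z means "end of string only", like Perl's \z in the posted rule.
SHORT_ANCHORED = re.compile(r"\A.{0,150}\Z", re.S)   # pattern from the question
LONG_SEGMENT = re.compile(r".{151}", re.S)           # T__LONG_MAIL from the answer


def segments(subject, body):
    """Assumed model: the Subject is the first segment, followed by one
    segment per blank-line-separated paragraph of the body."""
    paragraphs = [p for p in re.split(r"\n\s*\n", body) if p.strip()]
    return [subject] + paragraphs


def anchored_hits(subject, body):
    """Segments on which the anchored 'short' pattern fires. \\A and \\z are
    relative to the segment being tested, not to the whole mail."""
    return [s for s in segments(subject, body) if SHORT_ANCHORED.search(s)]


def short_mail_meta(subject, body):
    """meta T_SHORT_MAIL !T__LONG_MAIL: true only if no segment is long
    enough to contain 151 consecutive characters."""
    return not any(LONG_SEGMENT.search(s) for s in segments(subject, body))


# Constructed sample mails (subject, body).
LONG_MAIL = ("Quick question", "x" * 400)
SHORT_MAIL = ("Quick question", "See you at noon.")
# Edge case: long in total, but every paragraph is only 60 characters.
CHOPPY_MAIL = ("Quick question", "\n\n".join(["word " * 12] * 10))

if __name__ == "__main__":
    for name, mail in [("long", LONG_MAIL), ("short", SHORT_MAIL), ("choppy", CHOPPY_MAIL)]:
        print(name, len(anchored_hits(*mail)), short_mail_meta(*mail))
```

Under this model the negative match is still bounded by segment size, so a rule built this way is worth testing against mail made of many short paragraphs or lines.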


Re: Basic Setup Questions

2010-06-28 Thread Adam Moffett

>> My default config does not appear to be using bayes. How do I enable
>> it?
>
> use_bayes and bayes_auto_learn are on by default.

I think using the packages on an Ubuntu system they'll default to off.  
There could be others that do that.

>> The documentation simply says "run sa-learn". Does the creation of
>> the bayes db files effectively enable bayes?
>
> No. You also need to "teach" enough ham and spam tokens to Bayes. By
> default, you should train bayes with at least 200 ham messages and 200 spam
> messages. At that point, you should start seeing bayes scoring your
> messages.

I actually relied exclusively on auto learning for awhile.  Mostly 
because I didn't know how to do the manual training.  Bayes does seem to 
have a positive effect without manual training although I know it's 
recommended to supplement the auto learning with manual training for 
better accuracy.




Re: Searched but did not find any info re scores for squirrelmail inbound

2010-06-28 Thread Karsten Bräckelmann
On Sun, 2010-06-27 at 21:34 -0400, Alex wrote:
> [...] spamassassin itself only does the scoring -- it's up to another
> program, such as amavisd-new (separate application) or spamd (included
> with spamassassin) to do something with the email once it has been
> determined to be spam.

Nope, spamd does not do anything with the email either.

As you correctly stated, SpamAssassin itself only does the scoring. Same
for spamd, the SpamAssassin daemon. SA can score a message, classify
based on a threshold, add headers, optionally rewrite a few select
headers, or wrap the original, unaltered (spam) message in a new
message.

Or in short -- score, classify and report.

That's it. That's what SA does.





Re: Searched but did not find any info re scores for squirrelmail inbound

2010-06-28 Thread Karsten Bräckelmann
On Sun, 2010-06-27 at 18:22 -0700, bongomania wrote:
> My email server, squirrelmail, has spamassassin already installed.  To
> configure, it says to enter the score above which emails should be
> quarantined.  Unfortunately nowhere on that page, nor in the SA FAQ, nor in
> the SA WIKI, nor in a search of old messages, can I find any mention of what
> scores are normal to choose.

That is probably because SA does not know about quarantining. SA scores
a message. Quarantining, rejecting, delivering into a dedicated spam
folder -- all actions that SA does not do.

As you correctly stated yourself, you are not configuring SA by choosing
a quarantine threshold. You want to read the docs of the software you
are actually configuring.


> Looking at the scoring system, it seems most
> flags are worth less than 2 points.  But the max is 999!  So what is the
> right range between 1 and 999 for normal usage?

These limits are not imposed by SA, but that other software you are
trying to set up.


> And, honestly, why is such basic info missing from the entry-level usage
> notes and FAQ?

Cause it ain't a SA thang.





Re: Learning and reporting with spamc in a single step?

2010-06-28 Thread Karsten Bräckelmann
On Sun, 2010-06-27 at 16:52 -0400, Dan Mahoney, System Admin wrote:
> Can spamc do this, or must it be forked to "tee" or something.
> 
> Ideally I'd like to both report and learn in a single step (such as in a 
> pipe from alpine).  I note that spamassassin -r also has the option to 
> learn (by default!), but spamc doesn't for some reason.  Or if it does, 
> the manpage neglects to mention it.

Hmm, man spamc shows -L learn type and -C report type right next to each
other. Yours doesn't?

If you actually can use both options at the same time, I don't know.
Maybe you wanna try it, and let us know. :)





RE: Basic Setup Questions

2010-06-28 Thread Giampaolo Tomassoni
> >> The documentation simply says "run sa-learn". Does the creation of
> >> the bayes db files effectively enable bayes?
> >
> > No. You also need to "teach" enough ham and spam tokens to Bayes. By
> > default, you should train bayes with at least 200 ham messages and
> 200 spam
> > messages. At that point, you should start seeing bayes scoring your
> > messages.
> 
> Hi Giampaolo,
> 
> That's an important fact. I have plenty of ham but I think I'll wait
> for fresh uncaught spam to properly generate bayes data.

As Matus already said, you can train on caught spam as well.


> >> I have LearnAsSpam IMAP folders for everyone to drag spam that gets
> >> through into. How can I run sa-learn so that it builds a /single/
> >> database from all of these folders and so that spamd uses that
> single
> >> database for scoring everyone's mail?
> >
> > Huh, using spamd --nouser-config ?
> 
> I seem to have this working by running spamd as the user "spamd" and
> then in local.cf I used:
> 
> bayes_path /home/spamd/.spamassassin/bayes
> 
> At least when it looks like spamd is updating those bayes files and
> when I run sa-learn, the same files are updated. So it looks like I
> have the single database scenario working.
> 
> My intention is to run the following manually every once in a while:
> 
> # cat ~/LearnAsSpam.sh
> #!/bin/sh
> 
> sa-learn --no-sync --spam /home/user1/Maildir/.LearnAsSpam/{cur,new}
> sa-learn --no-sync --spam /home/user2/Maildir/.LearnAsSpam/{cur,new}
> sa-learn --no-sync --spam /home/user3/Maildir/.LearnAsSpam/{cur,new}
> sa-learn --sync
> 
> rm /home/user1/Maildir/.LearnAsSpam/{cur,new}/*
> rm /home/user2/Maildir/.LearnAsSpam/{cur,new}/*
> rm /home/user3/Maildir/.LearnAsSpam/{cur,new}/*

This seems fine to me. Only, if you plan to use some hashing SA plugin (DCC,
Razor, Pyzor, HashCash) *and* you trust enough your users, you may think to
instead use the reporting facility from spamassassin:

spamassassin -r

> >> Once upon a time I used a third-party set of rules that could be
> >> updated once in a while. Is that still around and is it worth it?
> >
> > Actually, there are so many SA supplies a specific tool to update
> them:
> > sa-update.
> >
> > Regularly scheduled, sa-update may update the "stock" SA ruleset, as
> well as
> > third-party, sa-update-compatible ones.
> 
> I ran sa-update before but I will run it occasionally in the future
> and see if the "stock" SA ruleset can do the job before I seek out a
> third party ruleset.

If you like, I can send you off-list my /etc/sa-update.conf file. It would
only be a spin-off hint, since everybody here runs his/her own preferred set
of external rules.


> > Are you quitting the Java mess to enter into the Perl one? ;)
> 
> Every language has its niche. Filtering SPAM seems like the ideal
> task for the Pathologically Eclectic Rubbish Lister.
> 
> Mike

Right. :)

Giampaolo



Re: Does spamd support ipv6 yet?

2010-06-28 Thread Greg Troxel

"Dan Mahoney, System Admin" writes:

> I previously asked this question and was told the best answer might be
> to wait for 3.3.
>
> Was there ever support ratified for ipv6 including proper -A ipv6
> access lists, and proper ability to listen on both the ipv6 default
> and the v4 default at the same time, when specifying -i?
>
> I'm not sure which bugs to look at to ascertain this.

I am not trying to access spamd over v6.  It's listening only on
127.0.0.1, not ::1 :-(

Not what you asked, but for me far more important: I have v6 addresses
in internal_networks and trusted_networks and it seems to be parsing the
addresses and treating them correctly.






Re: regex for short messages

2010-06-28 Thread Daniel Lemke


Bowie Bailey wrote:
> 
> Bowie Bailey wrote:
>> Daniel Lemke wrote:
>>   
>>> Hi,
>>>
>>> I want to check some mails for their char count (will be part of a meta
>>> rule) but spamassassin does hit the rule, even if the mail has less
>>> chars
>>> than defined in regex.
>>>
>>> The regex was tested in Perl and was working fine, so what did I miss?
>>>
>>> bodyMY_BODY_SHORT_MAIL  /\A.{0,150}\z/s
>>> describeMY_BODY_SHORT_MAIL  Short Mail
>>> score   MY_BODY_SHORT_MAIL  0.1
>>>   
>>> 
>>
>> I assume you meant to say that it does NOT hit?
>>
>> Don't know what the problem is.  It works fine for me.
>>   
> 
> I see now.  It's hitting on long messages too.  I saw it match the
> subject line rather than the body.  I'm not quite sure why.  It works if
> you change it to a rawbody match.
> 
> -- 
> Bowie
> 
> 


Hmm, I've just noticed that my rule is working fine for simple text
messages, but is also being triggered when checking mails containing html
(http://pastebin.com/xB7SKnFV).

rawbody T__SHORT_MAIL   /\A.{0,150}\z/s

-D reports:
Jun 28 13:32:40.961 [4200] dbg: rules: ran rawbody rule T__SHORT_MAIL
==> got hit: "

Any hints on this?

Daniel




Re: blizzard (and others) faux messages

2010-06-28 Thread Mark Martinec
LuKreme,

> Been getting a lot of messages from hotmail and others claiming to be from
> Blizzard account management or Aeon account services, or a whole host of
> others.
> 
> They are not pegging SA at all, scoring usually close to 0 (they will get
> Bayes_00 and sometimes a spamcop hit to balance out, but nothing else).
> 
> Has anyone come up with anything to catch these without tripping on real
> messages from blizzard and whomever?
> 
> Blizzard, at least, publishes DKIM records, so is the syntax for dealing
> with that still the same in 3.3?
> 
> whitelist_from_dkim *...@blizzard.com
> whitelist_from_dkim *...@battle.net

The syntax hasn't changed - the DKIM plugin docs is up-to-date, see there.
Note that the above does not imply their subdomains (e.g. email.blizzard.com),
these may be whitelisted separately if desired.

> As I recall, however, what I actually want to do is blacklist anything from
> blizzard.com that FAILS (or lacks) DKIM, right?
> 
> I know I used to do this crap for paypal and citibanc and a few others, but
> now I don't remember what, exactly, I did.

In this case all you need (since 3.3.0) is an ADSP override,
no need for whitelisting:

score DKIM_ADSP_CUSTOM_HIGH 100

adsp_override battle.net custom_high
adsp_override email.blizzard.com custom_high

or more general:

adsp_override blizzard.com custom_high
adsp_override *.blizzard.com custom_high

Adjust scores as needed, the defaults are very cautious
(just in case someone is running SpamAssassin behind a
mail path which clobbers messages, invalidating signatures):

score DKIM_ADSP_CUSTOM_LOW  0.001
score DKIM_ADSP_CUSTOM_MED  0.001
score DKIM_ADSP_CUSTOM_HIGH 0.001
score DKIM_ADSP_ALL 0 1.1 0 0.8
score DKIM_ADSP_DISCARD 0 1.8 0 1.8


  Mark



Re: blizzard (and others) faux messages

2010-06-28 Thread Benny Pedersen

On Mon 28 Jun 2010 12:37:57 PM CEST, Ned Slider wrote

> Why not - that looks fine to me?

its less strong on something that one don't know what is, its still  
valid yes, but never shot animals with atom bombs :)

> The only real difference I see between whitelist_from_dkim and  
> def_whitelist_from_dkim is that they have different scores so one is  
> 'more whitelisted' than the other

exactly my point def_* can most of the time solve it

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: blizzard (and others) faux messages

2010-06-28 Thread Ned Slider
Yes, I do exactly the same - whitelist by dkim (or spf) the domain that 
is being abused and then whack all mail from that domain that isn't signed.


On 28/06/10 10:07, Benny Pedersen wrote:
>> whitelist_from_dkim *...@blizzard.com
>> whitelist_from_dkim *...@battle.net
>
> first dont use wildcard

Why not - that looks fine to me?

> but as you want can be done like this
>
> blacklist_from f...@example.net
> whitelist_from_dkim f...@example.net
>
> if wildcard is needed do def_blacklist_from and def_whitelist_from_dkim



The only real difference I see between whitelist_from_dkim and 
def_whitelist_from_dkim is that they have different scores so one is 
'more whitelisted' than the other


There is some good documentation here:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-sa



Re: Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

2010-06-28 Thread Yet Another Ninja

On 2010-06-28 11:33, Dan Mahoney, System Admin wrote:
> Hey there,
>
> Perhaps this is by design, but rt replies are, strictly speaking, not 
> bounce messages.
>
> Message attached, let me know if it looks "normal".
>
> -Dan

from what I see it looks normal if someone really makes an effort to 
"tune" SA scores.

my 50_scores.cf default says:

score ANY_BOUNCE_MESSAGE 0.1
score SHORTCIRCUIT 0






Autoreplies from RT are hitting on ANY_BOUNCE_MESSAGE

2010-06-28 Thread Dan Mahoney, System Admin

Hey there,

Perhaps this is by design, but rt replies are, strictly speaking, not 
bounce messages.


Message attached, let me know if it looks "normal".

-Dan

--


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---
From s...@isc.org Thu Jun  3 20:29:04 2010
From: ISC Systems via RT 
To: d...@prime.gushi.org
Date: Fri, 4 Jun 2010 00:28:53 +
Subject: SPAM(120.1) [ISC-Ops #28368] AutoReply: Live from new york 

Spam detection software, running on the system "quark.gushi.org", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
The administrator of that system for details.

Content preview:  Greetings, This message has been automatically generated in
   response to the creation of a trouble ticket regarding: "Live from new york",
   a summary of which appears below. There is no need to reply to this message
   right now. Your ticket has been assigned an ID of [ISC-Ops #28368]. [...]
   

Content analysis details:   (120.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 BOUNCE_MESSAGE         MTA bounce message
 100 SHORTCIRCUIT           Not all rules were run, due to a shortcircuited rule
  20 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message




[ Part 2: "original message before SpamAssassin" ]

X-Envelope-To: UNKNOWN
From: ISC Systems via RT 
To: d...@prime.gushi.org
Date: Fri, 4 Jun 2010 00:28:53 +
Subject: [ISC-Ops #28368] AutoReply: Live from new york 


Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:
"Live from new york", 
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [ISC-Ops #28368].

Please include the string:

 [ISC-Ops #28368]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

Thank you,
s...@isc.org

-
It's ISC live.

-Dan

-- 

 Christ almighty...  my EYES!  They're melting!

-Zaren, Efnet #macintosh, in response to:

www.geocities.com/CollegePark/Classroom/1944
The WEBSITE DESIGN class that gave my fiancee a D.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---





Re: blizzard (and others) faux messages

2010-06-28 Thread Benny Pedersen

> whitelist_from_dkim *...@blizzard.com
> whitelist_from_dkim *...@battle.net

first don't use wildcard

but as you want can be done like this

blacklist_from f...@example.net
whitelist_from_dkim f...@example.net

if wildcard is needed do def_blacklist_from and def_whitelist_from_dkim

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



blizzard (and others) faux messages

2010-06-28 Thread LuKreme
Been getting a lot of messages from hotmail and others claiming to be from 
Blizzard account management or Aeon account services, or a whole host of others.

They are not pegging SA at all, scoring usually close to 0 (they will get 
Bayes_00 and sometimes a spamcop hit to balance out, but nothing else).

Has anyone come up with anything to catch these without tripping on real 
messages from blizzard and whomever?

Blizzard, at least, publishes DKIM records, so is the syntax for dealing with 
that still the same in 3.3?

whitelist_from_dkim *...@blizzard.com
whitelist_from_dkim *...@battle.net

As I recall, however, what I actually want to do is blacklist anything from 
blizzard.com that FAILS (or lacks) DKIM, right?

I know I used to do this crap for paypal and citibanc and a few others, but now 
I don't remember what, exactly, I did.

-- 
'There's stranger people in this world than Corporal Nobbs, my lad.'
Carrot's expression slid into a rictus of intrigued horror.  'Gosh.'
--Men at Arms



Re: Basic Setup Questions

2010-06-28 Thread Matus UHLAR - fantomas
> On Sun, Jun 27, 2010 at 12:45 PM, Giampaolo Tomassoni
>  wrote:
> > No. You also need to "teach" enough ham and spam tokens to Bayes. By
> > default, you should train bayes with at least 200 ham messages and 200 spam
> > messages. At that point, you should start seeing bayes scoring your
> > messages.

On 27.06.10 14:41, Michael B Allen wrote:
> That's an important fact. I have plenty of ham but I think I'll wait
> for fresh uncaught spam to properly generate bayes data.

you can train on caught spam as well, if you have any.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are