Re: Issue on disable ipv6

2016-07-01 Thread Reindl Harald



On 01.07.2016 at 20:25, Massimo Sandolo wrote:

> I have an issue when I try to disable ipv6.
> I'm running Debian 8.3 with SpamAssassin version 3.4.0 (running on Perl
> version 5.20.2).
> In /etc/default/spamassassin the options line is the following:
> OPTIONS="-4 --create-prefs --max-children 5 --helper-home-dir -x -u
> usermail"
>
> I tried also with --ipv4-only, but it doesn't work, I'm still receiving
> the following error "spamc[22477]: connect to spamd on ::1 failed,
> retrying (#1 of 3): Connection refused"

the better question is why are you using TCP instead of a unix socket at
all in case of localhost?






Re: Corpus of Spam/Ham headers(Source IP) for research

2016-07-01 Thread Bill Cole

On 29 Jun 2016, at 11:38, Shivram Krishnan wrote:


> Hello Bill,
>
> There has been enough research which has been done in this field where the
> authors have obtained the data from network operators. This for
> instance is a paper from UPenn, which has collected over 31 million Mail
> Headers (not only IP address) to validate their method.


As Anthony has pointed out, they got those from their own mail system. 
One mail system, coherent mail filtering practices, administrators with 
powerful disincentives to falsify data, and enough detail in the data 
that it would be extremely difficult to significantly falsify without 
being obvious.


> We are trying to get HAM/SPAM lists from different networks, to validate
> our technique, which curates Blacklists for specific Network.


I understand that. Unfortunately, you are trying to get data in a way 
that CANNOT get you trustworthy or even coherent data. Mail filtering 
statistics between different systems wouldn't just differ 
quantitatively, they would be qualitatively different in scope and 
meaning. I help run multiple mail systems, each of which has a unique 
profile of how much and what sorts of mail reaches the point of 
SpamAssassin scoring (always the final line of defense) and the 
mechanisms by which attempts to send mail are stopped before the SMTP 
DATA command. In some cases, substantial shunning of address space known 
to be controlled by spammers happens in border routers and isn't really 
countable; even if we had persistent logs of every intentional port 25 
SYN packet drop, I couldn't know whether a trio of those from one IP in 
a minute represents one spam attempt or three.


Even stipulating that no one would feed you intentionally false data (a 
very dubious stipulation) if you received data from a diverse set of 
mail systems you would be getting datasets with divergent semantics.


Re: Issue on disable ipv6

2016-07-01 Thread Benny Pedersen

On 2016-07-01 23:52, Alarig Le Lay wrote:

> On Fri Jul  1 23:13:36 2016, Benny Pedersen wrote:
> > ::2 ipv6.localdomain ipv6
>
> On IPv6, localhost is just ::1, not ::1/96 or something like that.
>
> alarig@pikachu ~ % ip -6 route get ::2
> ::2 from :: via fe80::20d:b9ff:fe3a:1fa1 dev wlan1  src 2a01:cb08:898f:ab00:1c23:1474:a6ad:51c  metric 309  pref medium
> alarig@pikachu ~ % mtr -c 1 -w ::2
> Start: Fri Jul  1 23:51:04 2016
> HOST: pikachu  Loss%   Snt   Last   Avg  Best  Wrst StDev
>   1.|-- 2a01cb08898fab01.ipv6.abo.wanadoo.fr  0.0% 13.2   3.2   3.2   3.2   0.0
>   2.|-- ???  100.0 10.0   0.0   0.0   0.0   0.0


someday people understand me, i did not say change localhost

and /etc/hosts is very extensible to any problem

so you did not do your own homework here

sorry


Re: Issue on disable ipv6

2016-07-01 Thread Alarig Le Lay
On Fri Jul  1 23:13:36 2016, Benny Pedersen wrote:
> ::2 ipv6.localdomain ipv6

On IPv6, localhost is just ::1, not ::1/96 or something like that.

alarig@pikachu ~ % ip -6 route get ::2
::2 from :: via fe80::20d:b9ff:fe3a:1fa1 dev wlan1  src 2a01:cb08:898f:ab00:1c23:1474:a6ad:51c  metric 309  pref medium
alarig@pikachu ~ % mtr -c 1 -w ::2
Start: Fri Jul  1 23:51:04 2016
HOST: pikachu  Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 2a01cb08898fab01.ipv6.abo.wanadoo.fr  0.0% 13.2   3.2   3.2   3.2   0.0
  2.|-- ???  100.0 10.0   0.0   0.0   0.0   0.0

-- 
alarig




Re: Issue on disable ipv6

2016-07-01 Thread Benny Pedersen

On 2016-07-01 21:08, Ian Zimmerman wrote:

> > I tried also with --ipv4-only, but it doesn't work, I'm still receiving the
> > following error "spamc[22477]: connect to spamd on ::1 failed, retrying (#1
> > of 3): Connection refused".
>
> What is the line or lines containing "localhost" in /etc/hosts?  You'll
> need to comment out the one with the IPv6 address (::1), and leave the
> one with IPv4 address (127.0.0.1) uncommented.
>
> This is all assuming you run spamd and spamc on the same host.  If not,
> please tell us about the network setup between the two hosts.


add ipv4 hostname to /etc/hosts

127.0.0.2 ipv4.localdomain ipv4
::2 ipv6.localdomain ipv6

now this can be used as hostname for dual stacking servers

do not change localhost being default dual stacked

http://ipv6bingo.com/ :=)


Re: Issue on disable ipv6

2016-07-01 Thread Ian Zimmerman
On 2016-07-01 20:25 +0200, Massimo Sandolo wrote:

> Hi,
> I have an issue when I try to disable ipv6.
> I'm running Debian 8.3 with SpamAssassin version 3.4.0 (running on Perl
> version 5.20.2).
> In /etc/default/spamassassin the options line is the following:
> OPTIONS="-4 --create-prefs --max-children 5 --helper-home-dir -x -u
> usermail"
> 
> I tried also with --ipv4-only, but it doesn't work, I'm still receiving the
> following error "spamc[22477]: connect to spamd on ::1 failed, retrying (#1
> of 3): Connection refused".

What is the line or lines containing "localhost" in /etc/hosts?  You'll
need to comment out the one with the IPv6 address (::1), and leave the
one with IPv4 address (127.0.0.1) uncommented.

This is all assuming you run spamd and spamc on the same host.  If not,
please tell us about the network setup between the two hosts.

-- 
Please *no* private copies of mailing list or newsgroup messages.
Why does the arrow on Hillary signs point to the right?


Re: Issue on disable ipv6

2016-07-01 Thread Massimo Sandolo
Hi,
thanks a lot, it works

Max

2016-07-01 21:06 GMT+02:00 RW :

> On Fri, 1 Jul 2016 20:25:40 +0200
> Massimo Sandolo wrote:
>
> > Hi,
> > I have an issue when I try to disable ipv6.
> > I'm running Debian 8.3 with SpamAssassin version 3.4.0 (running on
> > Perl version 5.20.2).
> > In /etc/default/spamassassin the options line is the following:
> > OPTIONS="-4 --create-prefs --max-children 5 --helper-home-dir -x -u
> > usermail"
>
> These are options to spamd.
>
> > I tried also with --ipv4-only, but it doesn't work, I'm still
> > receiving the following error "spamc[22477]: connect to spamd on ::1
> > failed, retrying (#1 of 3): Connection refused".
>
> You need to use spamc -4
>


Re: Issue on disable ipv6

2016-07-01 Thread RW
On Fri, 1 Jul 2016 20:25:40 +0200
Massimo Sandolo wrote:

> Hi,
> I have an issue when I try to disable ipv6.
> I'm running Debian 8.3 with SpamAssassin version 3.4.0 (running on
> Perl version 5.20.2).
> In /etc/default/spamassassin the options line is the following:
> OPTIONS="-4 --create-prefs --max-children 5 --helper-home-dir -x -u
> usermail"

These are options to spamd.

> I tried also with --ipv4-only, but it doesn't work, I'm still
> receiving the following error "spamc[22477]: connect to spamd on ::1
> failed, retrying (#1 of 3): Connection refused".

You need to use spamc -4


Issue on disable ipv6

2016-07-01 Thread Massimo Sandolo
Hi,
I have an issue when I try to disable ipv6.
I'm running Debian 8.3 with SpamAssassin version 3.4.0 (running on Perl
version 5.20.2).
In /etc/default/spamassassin the options line is the following:
OPTIONS="-4 --create-prefs --max-children 5 --helper-home-dir -x -u
usermail"

I tried also with --ipv4-only, but it doesn't work, I'm still receiving the
following error "spamc[22477]: connect to spamd on ::1 failed, retrying (#1
of 3): Connection refused".


Please may you help me?
thank you
Max


Re: Spamassassin default SHORT_URI list obsolete/outdated

2016-07-01 Thread Axb

On 07/01/2016 10:13 AM, Groach wrote:

> On 01/07/2016 09:56, Axb wrote:
>
> > > I then informed him that SA already has a URL_SHORTENER checking rule found
> > > in 72_ACTIVE.CF.  I was currently using this as a META rule thus:
> > >
> > > meta MY_URI_URLSHORT __URL_SHORTENER  # defined in 72_active.cf
> >
> > ATM it seems there is no such rule - pls verify the name after running
> > sa-update
>
> As quoted, it is   "  __URL_SHORTENER  "
>
> The entry reads as follows:
>
> uri __URL_SHORTENER
> /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}\/?/

ok - found it... and must say this rule is pretty sloppy and should
probably be deprecated. I hope whoever compiled this list takes a look
into this.
It includes domains which are clearly not URI shorteners, or never used
in spam, etc.

Imo, this rule can probably be deprecated in favour of network lookups

> and is used in other META rules such as MONEY_FRAUD_5 (you see it is
> preceded with "__" )
>
> > URL shorteners aren't bad per se so it makes little sense to waste
> > cycles processing a long list which may or not be abused. Many of
> > these sites won't be around in 6 months, some have zero abuse some
> > may even be NXDOMAIN
>
> You can see from 72_ACTIVE that the idea of using a url shortener isn't
> bad by itself and that SA rules do use it in conjunction with other
> 'more likely' positive matching (such as MONEY_FRAUD_5)
>
> > Such rules are best maintained/provided by interested third parties
> > which may or not commit to keep them up to date.
> > SA devs don't really have the time to chase sites/domains and to load
> > the default rule set with extra bloat doesn't sound very wise.
> >
> > Why not make this YOUR project?
>
> Ok, well, I will leave it as HIS project ;-)  (the guy who has already
> applied his research to provide this surbl lookup).  He also has stated
> that many of these sites come and go (as you imply).

His project is to maintain a domain list, similar to Spamhaus DBL's
section "127.0.1.103 	abused spammed redirector domain"
To maintain a SA rule with that data seems like a redundant effort but if
someone needs this it would be wiser to tackle it at source to avoid
stale data.






Re: Spamassassin default SHORT_URI list obsolete/outdated

2016-07-01 Thread Groach


On 01/07/2016 09:56, Axb wrote:


> > I then informed him that SA already has a URL_SHORTENER checking rule found
> > in 72_ACTIVE.CF.  I was currently using this as a META rule thus:
> >
> > meta MY_URI_URLSHORT __URL_SHORTENER  # defined in 72_active.cf
>
> ATM it seems there is no such rule - pls verify the name after running
> sa-update


As quoted, it is   "  __URL_SHORTENER  "

The entry reads as follows:

uri __URL_SHORTENER 
/^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}\/?/


and is used in other META rules such as MONEY_FRAUD_5 (you see it is
preceded with "__" )

> URL shorteners aren't bad per se so it makes little sense to waste
> cycles processing a long list which may or not be abused. Many of
> these sites won't be around in 6 months, some have zero abuse some
> may even be NXDOMAIN

You can see from 72_ACTIVE that the idea of using a url shortener isn't
bad by itself and that SA rules do use it in conjunction with other
'more likely' positive matching (such as MONEY_FRAUD_5)

> Such rules are best maintained/provided by interested third parties
> which may or not commit to keep them up to date.
> SA devs don't really have the time to chase sites/domains and to load
> the default rule set with extra bloat doesn't sound very wise.
>
> Why not make this YOUR project?

Ok, well, I will leave it as HIS project ;-)  (the guy who has already
applied his research to provide this surbl lookup).  He also has stated
that many of these sites come and go (as you imply).


Thanks
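
An added example, not part of any poster's message and not SpamAssassin code: a small audit of the `__URL_SHORTENER` rule quoted above, listing the domains it covers and what a maintained list would add. `SAMPLE_LIST` and `SAMPLE_URLS` are constructed inputs (not the snork.ca data), and the function names are assumptions made for this sketch.

```python
import re

# Rule text exactly as quoted in the thread (from 72_active.cf), joined onto one line.
RULE = r"uri __URL_SHORTENER /^http:\/\/(?:bit\.ly|tinyurl\.com|ow\.ly|is\.gd|tumblr\.com|formspring\.me|ff\.im|youtu\.be|tl\.gd|plurk\.com|migre\.me|j\.mp|cli\.gs|goo\.gl|yfrog\.com|lnk\.ms|su\.pr|fb\.me|alturl\.com|wp\.me|ping\.fm|chatter\.com|post\.ly|twurl\.nl|tiny\.cc|4sq\.com|ustre\.am|short\.to|u\.nu|flic\.kr|budurl\.com|digg\.com|twitvid\.com|gowal\.la|om\.ly|justin\.tv|icio\.us|p\.gs|loopt\.us|tcrn\.ch|xrl\.us|wpo\.st|bkite\.com)\/[^\/]{3}\/?/"

# Constructed stand-in for a maintained shortener list (not the snork.ca data).
SAMPLE_LIST = ["bit.ly", "goo.gl", "t.co", "tinyurl.com", "shortener.example"]

# Constructed URLs for checking what the pattern itself accepts.
SAMPLE_URLS = ["http://bit.ly/abc123", "https://bit.ly/abc123",
               "http://bit.ly/ab", "http://t.co/abc123"]

def parse_uri_rule(line):
    """Split a 'uri NAME /regex/flags' rule line into (name, pattern, flags)."""
    m = re.match(r"uri\s+(\S+)\s+/(.*)/([a-z]*)\s*$", line)
    if m is None:
        raise ValueError("not a 'uri NAME /regex/flags' line")
    return m.group(1), m.group(2), m.group(3)

def rule_domains(pattern):
    """Return the hostnames listed in the rule's (?:a|b|...) alternation."""
    alternation = re.search(r"\(\?:(.*?)\)", pattern).group(1)
    return [d.replace("\\.", ".") for d in alternation.split("|")]

def missing_from_rule(pattern, maintained):
    """Domains on the maintained list that the rule does not name."""
    covered = set(rule_domains(pattern))
    return sorted(d for d in maintained if d.lower() not in covered)

def url_hits(pattern, flags, urls):
    """URLs the pattern matches; this pattern behaves the same in Perl and Python."""
    rx = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    return [u for u in urls if rx.search(u)]

if __name__ == "__main__":
    name, pattern, flags = parse_uri_rule(RULE)
    print(name, "names", len(rule_domains(pattern)), "domains")
    print("not covered:", missing_from_rule(pattern, SAMPLE_LIST))
    print("URLs matched:", url_hits(pattern, flags, SAMPLE_URLS))
```
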


Re: Spamassassin default SHORT_URI list obsolete/outdated

2016-07-01 Thread Axb

On 07/01/2016 09:35 AM, jimimaseye wrote:

> Recently I was in discussion with the creator of a URI_SHORTENER black list
> maintainer that created a list of domains handling short URLs.  (You can
> find his full rule and details here:
> http://snork.ca/posts/2016-06-24-surbl-of-url-shorteners-for-spamassassin/).
> He has identified over 200 CURRENT url shorteners and maintains them
> accordingly (viewable here:
> http://snork.ca/posts/2016-06-24-surbl-of-url-shorteners-for-spamassassin/url_shorteners.txt).
>
> I then informed him that SA already has a URL_SHORTENER checking rule found
> in 72_ACTIVE.CF.  I was currently using this as a META rule thus:
>
> meta MY_URI_URLSHORT __URL_SHORTENER  # defined in 72_active.cf

ATM it seems there is no such rule - pls verify the name after running
sa-update

> He quite rightly pointed out that the 43 included shortener domains that SA
> checks for in the default rule is drastically short and outdated (some even
> don't exist anymore) compared to his more current recently 200 researched
> list.

URL shorteners aren't bad per se so it makes little sense to waste
cycles processing a long list which may or not be abused. Many of these
sites won't be around in 6 months, some have zero abuse some may even
be NXDOMAIN

Such rules are best maintained/provided by interested third parties which
may or not commit to keep them up to date.
SA devs don't really have the time to chase sites/domains and to load
the default rule set with extra bloat doesn't sound very wise.

Why not make this YOUR project?

> Is there any way that maybe the default list that SA checks for in 72_ACTIVE
> can be updated and how is this request made or implemented?  (Forgive me, I
> don't know how these things work).


See above..




Spamassassin default SHORT_URI list obsolete/outdated

2016-07-01 Thread jimimaseye
Recently I was in discussion with the creator of a URI_SHORTENER black list
maintainer that created a list of domains handling short URLs.  (You can
find his full rule and details here:
http://snork.ca/posts/2016-06-24-surbl-of-url-shorteners-for-spamassassin/). 
He has identified over 200 CURRENT url shorteners and maintains them
accordingly (viewable here:
http://snork.ca/posts/2016-06-24-surbl-of-url-shorteners-for-spamassassin/url_shorteners.txt).

I then informed him that SA already has a URL_SHORTENER checking rule found
in 72_ACTIVE.CF.  I was currently using this as a META rule thus:

meta MY_URI_URLSHORT __URL_SHORTENER  # defined in 72_active.cf

He quite rightly pointed out that the 43 included shortener domains that SA
checks for in the default rule is drastically short and outdated (some even
don't exist anymore) compared to his more current recently 200 researched
list.

Is there any way that maybe the default list that SA checks for in 72_ACTIVE
can be updated and how is this request made or implemented?  (Forgive me, I
don't know how these things work).



--
View this message in context: 
http://spamassassin.1065346.n5.nabble.com/Spamassassin-default-SHORT-URI-list-obsolete-outdated-tp121584.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.