Re: SUBJECT_ENCODED_TWICE really wrong?

2007-04-27 Thread alan premselaar

On 4/25/07 11:15 PM, John Wilcock wrote:
 Andy Spiegl wrote:

 But the score for SUBJECT_ENCODED_TWICE is pretty high:
  1.723
 How does that justify?
 
 No doubt it is justified by the fact that the corpora used to
 determine SpamAssassin scores don't contain enough non-English-language
 content.
 
 You'll almost certainly find that you want to lower the score for this
 rule (and other rules such as SUBJ_ILLEGAL_CHARS which tend to cause FPs
 on genuine non-English mail).
 
 John.
 

I've had to reduce the SUBJ_ENCODED_TWICE score (to .001 so I know it
hits but so it doesn't have any impact) because it's basically required
to handle long 2-byte subject encoding.

I've left SUBJ_ILLEGAL_CHARS as is because the subject really shouldn't
contain raw non-ASCII characters, it should be encoded.

So far I haven't had any problems with this combination.

just my 2 yen worth.

Alan


Re: spam

2006-12-05 Thread Alan Premselaar

Coffey, Neal wrote:
 Rosenbaum, Larry M. wrote:
 This matches the spam message, but it also matches messages where the
 number is followed by a blank line and more text, which is a false
 positive.

 In all cases I got the same results.  What am I missing?
 
 Try a compound rule.  Look for the number, and then anything that's not
 a number. (Mind the line wrapping, of course.)
 
 body ORNL_B0RKEN1_SHORTNUM   /^\d{3,5}\n{1,3}$/s
 body ORNL_B0RKEN1_BODYTEXT   /[a-zA-Z]/
 meta ORNL_B0RKEN1            (ORNL_B0RKEN1_SHORTNUM && ORNL_B0RKEN1_BODYTEXT)
 describe ORNL_B0RKEN1        B0rken spamware, message just contains a short number
 score ORNL_B0RKEN1           1.0
 
 That'll prevent the rule from matching if there's so much as a single
 letter in the body.
 

Actually, that'll only hit if there's a 3-5 digit number followed by 1
to 3 \n characters *AND* there *ARE* alphabetical characters in the body.

I'm guessing this isn't what you want.

your meta should probably look like
(!ORNL_B0RKEN1_BODYTEXT && ORNL_B0RKEN1_SHORTNUM)

(this is untested, but should work as expected)

Alan


Re: How to examine a system and determine the mail delivery agent.

2006-12-04 Thread Alan Premselaar



Don Saklad wrote:
 How would, where would a mail transfer agent tell you the
 mail delivery agent for a the system at hand?...
 
 Developing instructive information without acronyms,
 without industry jargon that complete novices, neophytes
 can use easily is the heart of the matter.

Don,

 to my knowledge, there is no way to determine the MDA (mail delivery
agent) without having access to the mail server's configuration files.

Alan


Re: Problem with spam from non-existant users of my domain.

2006-11-30 Thread Alan Premselaar

Steven W. Orr wrote:
 On Tuesday, Nov 28th 2006 at 08:09 -0800, quoth John D. Hardin:
 
 =On Tue, 28 Nov 2006, Steven W. Orr wrote:
 =
 = Spam comes in to steveo from [EMAIL PROTECTED] and I want to
 = reject it because it's coming from an address that doesn't exist.
 = Sendmail does not support this; i.e., it can only reject mail *to*
 = an address that doesn't exist.
 = 
 = Is there a way to do this?
 =
 =First off, what exactly do you mean by does not exist? The domain
 =is not registered? Or the username is not valid within the domain?
 
 Sorry, I was afraid this might not be clear. I want to find a way to 
 reject/tag all messages that come From the syslang.net domain (I am that 
 domain) which are From a user which does not exist. I'm not talking about 
 messages coming in that have a From address that is not syslang.net.
 
 One more example to be clearerer. This message came in from someplace in 
 Russia (maybe), to syslang.net and claims to come from bs at syslang.net. 
 I don't have a bs on my machine. If it helps, I'd even be willing to 
 create a file with a list of all of my valid account names.
...snip...
 
 So this idea is to reject all mail from invalid accounts that claim to be 
 coming from my own domain.
...snip...

Steven,

 you should be able to do this pretty easily within MIMEDefang. you
could put a routine in the filter_sender() subroutine that does
something like a getpwent on the user portion of the sender address if
the domain portion is in your domain.  (there are probably plenty of
ways to do this)

on top of that, if you have any control over your DNS settings (and your
DNS provider supports TXT records) you may want to consider configuring
SPF.  SPF is designed (in part) to reduce this type of scenario.

so, with SPF what will happen is, some machine in RU connects to you and
sends a MAIL FROM: [EMAIL PROTECTED] ... the SPF checks will look up
the SPF information from your DNS records and determine if that host in
RU is allowed to send mail for your domain. if not, it gets a score
boost. (or with something like MIMEDefang you could just reject on
failed SPF if you chose to)

hope this helps,

Alan


Re: netset: cannot include w.x.y.z as it has already been included

2006-11-08 Thread Alan Premselaar

Matt Kettler wrote:
 Gilles Hamel wrote:
 Hello,

 We are running v3.1.5 with mimedefang.
 Here is our setup :

  our own MTA with spamassassin ---/-- MTA at our ISP, our MX is HERE 
 w.x.y.z / INTERNET

 In the local.cf file we have :
 trusted_networks w.x.y.z # Our MX

 Every time mimedefang spawn a child, we get this warning in log file.
 If we remove the trusted_networks parameter, the warning vanishes.

 Can you explain the reason of this warning ?

 Thank you

   
 Is there a duplicate setting in some other config file, ie: sa-mimedfang.cf?
 


I've just done a new install of mimedefang 2.58 with spamassassin 3.17
and have confirmed that there are no duplicate settings in any of the
config files in /etc/mail/spamassassin.

also /etc/mail/sa-mimedefang.cf is a symbolic link to
/etc/mail/spamassassin/sa-mimedefang.cf for forwards compatibility.


the error happens once each for every network included in either
trusted_networks or internal_networks.

as an example in sa-mimedefang.cf:

trusted_networks 1.1.1.1/32 2.2.2.2/32
internal_networks 127.0.0.1/32 3.3.3.0/24

the errors in my log files are:

mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 1.1.1.1/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 2.2.2.2/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 127.0.0.1/32 as it has already been included
mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 3.3.3.0/24 as it has already been included

This doesn't appear to be causing any problems, however.

cross-posting to mimedefang list as well.

Alan


Re: How do i catch this

2006-11-01 Thread Alan Premselaar

Suhas (QualiSpace) wrote:
 Hi,
 
  
 
 How do I catch these types of mails?
 
  
 
 Received: from wk-2022 [125.92.211.28] by ourdomain.com
   (SMTPD-8.22) id AF800E44; Wed, 01 Nov 2006 01:32:32 -0500
 Received: (qmail 1474 invoked by uid 0); Wed, 1 Nov 2006 14:30:22 -)
 Received: from unknown (HELO evmneyumjf) (192.168.1.7)
   by 192.168.1.21 with SMTP; Wed, 1 Nov 2006 14:30:22 -
 Date: Wed, 1 Nov 2006 14:25:22 +0800
 From: adam [EMAIL PROTECTED]
 Mime-Version: 1.0
 To: [EMAIL PROTECTED]
 Subject: This is not shown on TV.
 Content-Type: multipart/mixed;
 boundary=---D502AA0C7D660BFD
 Message-Id: [EMAIL PROTECTED]
 X-Envelope-From:[EMAIL PROTECTED]
 X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on server1
 X-Spam-Level: 
 X-Spam-Status: No, score=4.0 required=4.5 tests=BAYES_80,RCVD_BY_IP,
 SARE_GIF_ATTACH autolearn=no version=3.0.1

You're getting really close, I bet if you turned on network tests you'd
be fine.  You may also want to look into setting up DCC and/or Razor as
well.

HTH

Alan


Re: why this spam has a negative score?

2006-11-01 Thread Alan Premselaar



[EMAIL PROTECTED] wrote:
 I edit my setting to:
 
 whitelist_from_rcvd * fw.muvalmez.cz
 
 the spam with negative score is coming through spamassassin again
 
 Return-Path: [EMAIL PROTECTED]
 X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on fw.muvalmez.cz
 X-Spam-Status: No, score=-80.5 required=5.0 tests=BAYES_50,DC_GIF_UNO_LARGO,
 DC_IMAGE_SPAM_HTML,DC_IMAGE_SPAM_TEXT,DC_IMG_HTML_RATIO,
 DC_IMG_TEXT_RATIO,EXTRA_MPART_TYPE,HTML_90_100,HTML_IMAGE_ONLY_08,
 HTML_MESSAGE,MIME_HTML_MOSTLY,MY_CID_AND_CLOSING,MY_CID_AND_STYLE,
 SARE_GIF_ATTACH,SARE_GIF_STOX,UNPARSEABLE_RELAY,USER_IN_WHITELIST 
  ^^

You don't happen to have [EMAIL PROTECTED] in your whitelist do you?

Alan


Re: Calling Regex Experts

2006-08-24 Thread Alan Premselaar



D.J. wrote:
 OK, I'm stumped.  I need to create a regex that will match if anything
 other than two terms I've specified exist.
 
 So for example, I have two terms I like, say cat and dog.  I want
 the rule to match if a string contains anything other than cat or dog.
 
 I tried ...
 
 $value !~ /cat|dog/
 
 ...but this had the unintended consequence of still matching a string
 like cat dog bird or cat bird since the string does contain one of
 my two terms.  So what do I need to do?  Thanks in advance!
 
 - D.J.


D.J.,

 you're probably best off using META rules for this.  So you could have
something like (completely untested and off the top of my head in the
middle of the night):

body __CAT  /cat/
body __DOG  /dog/

meta NOT_CAT_AND_DOG  (!__CAT && !__DOG)

you should definitely check the man pages and/or wiki about writing
rules to do this properly, but that should get you started.

Alan


Re: HUMOR: Gap needs to fire Marketing people.

2006-06-20 Thread Alan Premselaar

snip...

 And the first thing in the Ham was about adding their address to your
 contacts to make sure you get their email. If they were so worried, they
 would write better marketing emails.
 
 --Chris
 

Maybe you should send them an email to tell them that.

Help educate the masses!


Re: How to detect current images-only messages?

2006-06-19 Thread Alan Premselaar

jdow wrote:
 From: Chris Santerre [EMAIL PROTECTED]
 From: Yves Goergen [mailto:[EMAIL PROTECTED]

 Hello,
 I keep receiving messages that contain of nothing but composed images.
 They're HTML messages with only img/ tags in them. There seems to be a
 rule that checks if the message has *any* image and compares it to its
 length. That gave my spam some scores recently but not so today. I
 received a message that looks just like the others but has no score at
 all due to the fact that it only contains of images.

 Is there any way to detect this type of message with SpamAssassin? I
 cannot think of a regular expression that would do it, and even if I
 could, SA offered no way to match it reliably. (See the line-by-line
 problem with 'rawbody' and encoding problems with 'full'.)

 I keep hearing this is a problem, but I'm not seeing it on my end.
 Most are
 being caught:
 

 I'll have to adjust for those 2. :) 
 
 In case he means no score and no SA markup there is still a way this
 can happen. If an email comes in during a very tiny window when spamd
 is reloading its configuration (-HUP) the email can sneak through.
 
 {^_^}

Of course this can also happen if the message size is greater than the
upper size limit set (default 250k) ... being that it's an image only,
I'd say it's definitely a possibility.  (I've seen that happen on my
system in the past)

Alan


Re: FP's on BAD_ENC_HEADER in bounces from Microsoft SMTPSVC

2006-06-15 Thread alan premselaar

Nick Leverton wrote:
[snip]

 We don't have an M$ mail server (and I for one don't want one).  We're a 
 Unix shop, as qmail and qpsmtpd in our own headers shows :)  
 
 I'm quite prepared to believe this is a MS bug, it certainly looks like it.  
 But it seems to be a long term one - seen in emails from SMTPSVC versions 
 5.0.2195.6713 and 6.0.3790.1830.  Remote MS servers, configured for 
 foreign languages, sending genuine non-spam bounces to non-spam mails 
 cause SA to FP on this rule.
 
 Nick

Nick,

 As much as I'd like to say yeah, it's yet another bad MS program ...
I'm not entirely convinced of that.  We used to run Exchange 2000 with
Japanese DSN messages and I'm certain that we didn't have this problem.
 As such, I suspect that the organizations that are using these
particular Exchange servers have probably just mis-configured them.

Of course I find it curious that they would use utf-7 encoding instead
of utf-8 (which seems more widely accepted).

Alan




Re: FP's on BAD_ENC_HEADER in bounces from Microsoft SMTPSVC

2006-06-14 Thread Alan Premselaar

Nick Leverton wrote:
[snip]


 Subject: =3D?unicode-1-1-utf-7?Q?+kU1P4XK2YUuQGnfl- =20
   (+MKgw6TD8-)?=3D
 

Aside from the QP scatter, this subject doesn't look like it's properly
encoded.  if memory serves, if the encoded subject needs to be broken
across multiple lines, each line needs to have its own encoding
start/end tags.

so it should look something like:

Subject: =?unicode-1-1-utf-7?Q?encoded_part?=
=?unicode-1-1-utf-7?Q?more_encoded_part?=

(someone correct me if i'm wrong)

Of course it's hard to tell because of the QuotedPrintable encoding
artifacts, but it looks like your MS mail server is in some way
misconfigured.

Either that or something else is wrapping the headers and breaking the
encoding.

HTH

alan


Re: RCVD_IN_WHOIS_BOGONS mis-firing since 3.13 upgrade

2006-06-12 Thread Alan Premselaar

Rolf wrote:
 I have just noticed the same thing.
 
 Increase in false positives due to that rule telling me the upstream
 mail server addresses (which I don't control) have been listed in
 combined-HIB.dnsiplists.completewhois.com.
 
 Which is not right for any reason - they ought not be there. Looking
 around at www.completewhois.com I cannot find those addresses at all.
 
 I've had to change the score of the rule to zero as its hitting every
 piece of mail as they all pass through those upstream servers.
 
 Any suggestions would be appreciated.
 
 thanks
 
[snip]

I've filed a bug report on this issue, if you'd care to contribute any
details or useful information.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4951

Alan


Re: TextCat and ok_languages

2006-06-12 Thread Alan Premselaar

Ben Wylie wrote:
 With --lint, I am getting the following error:
 [2900] warn: config: failed to parse, now a plugin, skipping: ok_languages en fr es
 
 I have looked up the docs here:
 http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_TextCat.html
 and it seems to say that a setting of:
 ok_languages en fr es
 is acceptable.
 I have it in my local.cf
 
 Why am I getting this error message?
 
 Thanks
 Ben
 
 


Ben,

  make sure that you have the textcat plugin loaded in either your
init.pre or v3xx.pre files.

you don't want to load the plugin in your local.cf file as it'll load
after any of the rules that call it do and will therefore not be usable.

of course, after making those changes be sure to restart spamd if you're
using it.

HTH

Alan


RCVD_IN_WHOIS_BOGONS mis-firing since 3.13 upgrade

2006-06-11 Thread Alan Premselaar

I was using 3.1.0 until today on my mail server at work and after the
upgrade suddenly I'm seeing a lot of RCVD_IN_WHOIS_BOGONS misfiring.

one example of a sender domain that triggered is d.dena.ne.jp which
doesn't directly resolve, but ns.dena.ne.jp resolves to 64.56.174.130
which shows as a network that appears in the
allocated-netrange-arin_after1995.txt on completewhois.com [1]

I've checked my trusted_networks and that seems to be OK... if I let the
trusted_network be auto-determined (i.e. not set manually) or if I set
it manually I get the same results.

The machine is on a global network with a separate interface on an
internal network.

DISGUISE_PORN_MUNDANE appears to be hitting on Japanese text as well.

I'm only seeing the tests in the mail logs so I don't have any actual
headers at the moment.

can anyone offer any ideas as to where I should look or what might be
happening?

here's some debug info that might be useful:

[4392] dbg: dns: is Net::DNS::Resolver available? yes
[4392] dbg: dns: Net::DNS version: 0.57
[4392] dbg: diag: perl platform: 5.008005 linux
[4392] dbg: diag: module installed: Digest::SHA1, version 2.11
[4392] dbg: diag: module installed: Net::SMTP, version 2.29
[4392] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[4392] dbg: diag: module installed: IP::Country::Fast, version 604.001
[4392] dbg: diag: module installed: Razor2::Client::Agent, version 2.67
[4392] dbg: diag: module not installed: Net::Ident ('require' failed)
[4392] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[4392] dbg: diag: module installed: IO::Socket::SSL, version 0.97
[4392] dbg: diag: module installed: Time::HiRes, version 1.87
[4392] dbg: diag: module installed: DBI, version 1.45
[4392] dbg: diag: module installed: Getopt::Long, version 2.34
[4392] dbg: diag: module installed: LWP::UserAgent, version 2.032
[4392] dbg: diag: module installed: HTTP::Date, version 1.46
[4392] dbg: diag: module installed: Archive::Tar, version 1.29
[4392] dbg: diag: module installed: IO::Zlib, version 1.04
[4392] dbg: diag: module installed: MIME::Base64, version 3.07
[4392] dbg: diag: module installed: HTML::Parser, version 3.54
[4392] dbg: diag: module installed: DB_File, version 1.810
[4392] dbg: diag: module installed: Net::DNS, version 0.57

Thanks,

Alan


Re:

2006-06-09 Thread Alan Premselaar

Dan Massey wrote:
 Hi All
  
 I hope somebody on the list can help me here. Our set-up is as follows:
  
 Internet --  Spam Gateway  -- pop server/exchange server
  
 we are using:
  
 FreeBSD 6.1
 Sendmail 8.13 forwards mail via smtp from mailertable
 spamass-milter
 spamassassin 3.1.3
  
 Our problem is that we want to send everything marked as spam to a
 separate smtp server to create customer spam traps but allow the rest of
 the mail to be forwarded by smtp to the original popserver or smtp server.
  
 Is this possible with sendmail?
  
 Thanks in advance for your time
 
 Dan
  


Dan,

 you could use a MILTER such as MIMEDefang as an alternative to
spamass-milter to give you the ability to do that fairly easily.
(assuming you're familiar with Perl programming to a certain degree)

HTH

alan


Re: LOCAL_RCVD

2006-05-21 Thread Alan Premselaar

Justin Mason wrote:
 Shelley Waltz writes:
 Spamassassin 2.63-1/amavisd-new-20030616-p8

 I am trying to configure spamassassin such that any email originating
 from my domain is not spam tagged.  I have tried in local.cf

 both these syntaxes.

 header LOCAL_RCVD Received =~ /.*\(\S+\.myhost\.mydom\.edu\s+\[.*\]\)/
 header LOCAL_RCVD Received =~ /\S+\.myhost\.mydom\.edu\s+\(.*\[.*\]\)/


 In each case only one rule will work for one particular received from
 header.  I have these two styles(one from mozilla, and one from webmail)

 Received: from [192.168.1.10] (myhost.mydom.edu [192.168.1.10])

 Received: from webmail.mydom.edu (localhost.localdomain [127.0.0.1])

 Is there a rule which will work for both, or is there a simpler way to
 achieve this result, ie, to not filter locally originating mail?
 
 use trusted_networks; this is what ALL_TRUSTED is for.
 
 --j.

Justin,

 The OP is using SA version 2.63 which, if not mistaken, doesn't have
the trusted_networks settings in it. (I could be wrong)

That being said, you should definitely look into upgrading to at the
very least 2.64 as 2.63 is vulnerable to DoS attacks in certain
situations. (if memory serves)

now, with regards to the rules, you could use meta rules to test for
either the first or the second pattern.  something like this (untested):
[beware of line wraps]

header __LOCAL_RCVD1 Received =~ /(?:\S+\.myhost\.mydom\.edu\s+\[.{0,20}\])/
header __LOCAL_RCVD2 Received =~ /\S+\.myhost\.mydom\.edu\s+\(.{0,20}\[.{1,15}\]\)/

meta LOCAL_RCVD (__LOCAL_RCVD1 || __LOCAL_RCVD2)
score LOCAL_RCVD 0.01

(score as appropriate)

HTH

alan



Re: Spam and the Internet [Was: xxxl spam]

2006-04-17 Thread Alan Premselaar

Matt Kettler wrote:
...snip...

 Here's one, if you want to see it:
 
 http://mywebpages.comcast.net/mkettler/spam.jpg
 
 
 There's pretty close to zero chance that anyone in the US is going to hop on a
 plane and fly to Guatemala to buy ordinary lawn care products from a small
 store. But that's the kind of ads I'm getting.

but they've got heart-shaped pancake molds... you wouldn't fly to
Guatemala for that?  and at Q.29?! what a bargain!


(heh, i couldn't resist)


Re: Non-English languages

2006-04-17 Thread Alan Premselaar

Kenneth Porter wrote:
...snip...

 
 To those of you who've successfully learned 2nd and 3rd languages as an
 adult, what do you recommend for accomplishing that?

Kenneth,

  I started learning Japanese when I was 30. (I feel so old saying it
like that) ... anyways, I started with a teach yourself Japanese book
and a computer program to help.  after that I took courses after work at
my local community college.  *THEN* I moved to Japan and really started
to learn :p

Anyways, I've learned a number of programming languages since I was
young.  I applied the same techniques to learning Japanese (specifically
with reading/writing (or typing as the case may be)) and made sure I had
good reference materials handy.

also, I got involved with the Japanese communities on iVisit which
helped a lot too.

alan


Re: 1.72 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice

2006-04-13 Thread Alan Premselaar

Kai Schaetzl wrote:
 I just saw that a normal Ebay outbid notice hit two high-score rules. One 
 is from sare-spoof and I already contacted the maintainer. But one is in 
 the default 3.1.1 ruleset and I think this rule should get completely 
 removed or get a score of 0. It's
 
 1.72 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice
 
 From grepping the rules it does what it says: it checks if there are two 
 B/Q encoding identifiers in the subject. Why is this scoring with 1.72 or 
 at all? This is absolutely valid Q/B encoding and actually *required* by 
 RFC if your subject line is longer than 80 (or was it 72?) characters 
 (minus the encoding, so it's actually more like a 60 raw character limit).
 This rule will hit on *lots* of non-ASCII mail and on almost all mail 
 coming from Ebay Germany.
 
 There are also the rules SUBJECT_EXCESS_QP and SUBJECT_EXCESS_BASE64 which 
 are similar. QP scores 0 and BASE64 scores 0.449. This is much more 
 reasonable.
 
 Kai
 

This utterly wreaks havoc on just about all Japanese email, so I dropped
the score to nearly nothing.

alan
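
Why a rule that fires on more than one encoded-word hits legitimate mail, and what the folding rule from the BAD_ENC_HEADER thread above looks like in practice, as an added Python example that is not part of the original posts. The Japanese subject is constructed, the broken header is the one quoted in that thread with its `=3D`/`=20` quoted-printable debris undone, and the function names are this example's own.

```python
import re
from email.header import Header, decode_header, make_header

# One RFC 2047 encoded-word: =?charset?B-or-Q?text?= with no whitespace inside.
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
MAX_ENCODED_WORD = 75  # RFC 2047 length limit for a single encoded-word

# Constructed sample: an ordinary Japanese subject line.
SAMPLE_SUBJECT = "来週の定例会議の日程変更と新しい会議室の予約方法についてのお知らせです"

# Shape of the header quoted in the BAD_ENC_HEADER thread: a single
# encoded-word that continues across whitespace and a line fold.
BROKEN_SUBJECT = "=?unicode-1-1-utf-7?Q?+kU1P4XK2YUuQGnfl- \n (+MKgw6TD8-)?="

# Shape suggested in the reply: every line carries its own start/end tags.
REPAIRED_SHAPE = ("=?unicode-1-1-utf-7?Q?encoded_part?=\n"
                  " =?unicode-1-1-utf-7?Q?more_encoded_part?=")


def encode_subject(text, charset="utf-8"):
    """Encode and fold a Subject value the way a conforming mailer does."""
    return Header(text, charset=charset, header_name="Subject",
                  maxlinelen=76).encode()


def decode_subject(value):
    """Decode a (possibly folded) Subject value back to text."""
    return str(make_header(decode_header(value)))


def inspect_subject(value):
    """Return (number of well-formed encoded-words, list of problems)."""
    words = [m.group(0) for m in ENCODED_WORD.finditer(value)]
    problems = [
        "encoded-word of %d chars exceeds %d" % (len(w), MAX_ENCODED_WORD)
        for w in words if len(w) > MAX_ENCODED_WORD
    ]
    # An opening "=?" that survives once every well-formed encoded-word is
    # removed means a word was cut by whitespace or a line fold.
    if "=?" in ENCODED_WORD.sub("", value):
        problems.append("encoded-word interrupted by whitespace or a line fold")
    return len(words), problems


if __name__ == "__main__":
    folded = encode_subject(SAMPLE_SUBJECT)
    print(folded)
    print("conforming subject:", inspect_subject(folded))
    print("decoded back      :", decode_subject(folded) == SAMPLE_SUBJECT)
    print("broken subject    :", inspect_subject(BROKEN_SUBJECT))
    print("repaired shape    :", inspect_subject(REPAIRED_SHAPE))
```

The conforming subject comes out as several encoded-words because each one is limited to 75 characters, which is exactly the condition the rule as described in the quoted message tests for.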


Re: 2nd mail server problem

2006-04-07 Thread Alan Premselaar

Joshua, C.S. Chen wrote:
  Looks like I have to enable SA in the 2nd server. It might be a spam
 hole if the spam sent to 2nd first, then forcibly relayed to the primary.
 
 
Sorry for the late response, I'm just catching up on some backlog.

Here's my personal opinion:  your secondary mail server should have
stronger restrictions on it than your primary mail server.

The reason I say this is because for some time now it has been a common
spammer practice to hit your secondary, tertiary, etc. MX servers first
with the assumption that they are typically configured with fewer
restrictions or merely, as yours is, as a store-and-forward.

For specific reasons I'm unable to implement greylisting on my primary
MX server however, it's perfectly acceptable for me to enable it on my
secondary MX server.

On top of that, I have value user checks, antivirus checks and share the
 bayes database (using MySQL) with the primary MX server for
spamassassin checks.

Because your secondary MX is in place for in case the primary mail
server fails you should have to have the same kind of horsepower.  my
secondary server is significantly lower powered than my primary MX server.

in the case that the primary server is still running, the secondary will
most likely only be dealing with SPAM anyways, and it won't matter if it
takes awhile to process those messages.  in the case that the primary
server is down, well, your users aren't going to be getting their email
anytime soon anyways so it shouldn't matter if it takes a bit more time
to process those incoming mails.

if the mail coming into the 2nd MX server is SPAM, it should reject it
(not bounce) properly either way, if it's not SPAM, it should accept it
and then pass it off to the primary MX server once it's back up and running.

this scenario has been working well for us here for the past 2 years or so.

Alan


Re: Couple of newbie questions... (repost)

2006-02-07 Thread Alan Premselaar



Philip Prindeville wrote:
 Matt Kettler wrote:
 
 Philip Prindeville wrote:
  

 I.e. any provider or country that doesn't have an institutional policy
 of prosecuting spam senders...
   
 Erm, so you're going to block all of the US, correct?
  

 
 No.  We have laws against spam that hopefully most legitimate ISP's attempt
 to conform to.
 

Interestingly enough, Japan also has laws against spam that most
legitimate ISPs attempt to conform to.  You probably weren't aware of that.



Re: OKAY I'am the black man !!!

2005-12-04 Thread alan premselaar

Matt Kettler wrote:
 At 02:35 PM 12/3/2005, you wrote:
 
 :) ... shoot me! [this was 1 (one) line]greetings Chris :))
 
 
 
 I can't speak for others on the list, but it's not my intention to
 shoot, attack, or insult you.
 
 I've asked some pointed questions, and made some pointed suggestions
 about problems in your script, but I'm not doing so to insult you.
 
 I asked how it differed from RDJ because I seriously wanted to know.
 
 I pointed out you should remove antidrug.cf because everyone should
 unless they're using really old versions of SA. Regardless, antidrug.cf
 by that name will never be upgraded again, except to replace it with a
 warning message pointing out the new filenames. Hence, it's pointless to
 have an auto-update script checking it now, even for users of SA 2.64.
 That's not an attack, but an honest suggestion to fix an error in your
 script and improve it.
 
 
 
I think he was responding to Kai Schaetzl's Re: lint only on rule file
 HURRAAAYY its WORKING response in which he suggested Chris not send
1800 lines of text to the SA mailing list.

alan


Re: any extra language effort for SA? (esp. Asian SPAM)

2005-11-04 Thread Alan Premselaar

Jason Haar wrote:

Hi there

I just did a stat-run on email I received 31st Oct, and found that of
the mail SA scored lower than 5/5 (i.e. SA classified as ham), a large
amount was SPAM. In fact it only caught 80% of the SPAM I received that
day (this is with SA 3.1.0)

Of that I was able to tell that the vast majority of missed SPAM was
actually Asian SPAM - the Subject: lines alone were 100% non-ASCII - bit
of a give-away as I am ignorant and can't speak anything but
Kiwi-English ;-)

If I removed that Asian SPAM from the figures, the effectiveness of SA
shot up to 98% - pretty darn good!

Now personally I can run SA on my workstation with ok_locales en and
bang extra points onto non-English mail - but I certainly can't do that
for our company as a whole - which has customers from every
country/nationality, etc.

So the only thing I can think of is that there appears to be a need for
more non-English rulesets to add points for different language usages of
viagra/porn/whatever.

Am I correct in my thinking, and if so is the SA group getting help from
non-English developers to make this happen? I see a couple of
body_test rules that appear to be for Spanish and Polish - but no others?



Jason,

 I know that I have personally contributed some rules to catch certain 
phrases in Japanese, however this seems like a really scenario for 
manual bayes training.


While the auto-learning is convenient and often good enough, I think 
the general consensus is that you should do at least a certain bit of 
manual training so that your bayes databases better represent your mail 
traffic patterns.


hope this helps,

alan


Re: Would like to rewrite arbitrary headers

2005-10-31 Thread Alan Premselaar

[EMAIL PROTECTED] wrote:

Greetings, battlers.

I would like to rewrite headers on incoming spam without having SA
prepend X-Spam- to them.  Two reasons:

First, I want to get rid of Disposition-Notification-To because many
of my users configure their Outlook to automatically honour delivery
notifications.  That creates an outgoing email when they read or
delete a spam message.

Second, I have a set of GroupWise users.  They cannot write rules on
arbitrary headers, such as X-Spam-Flag.  Instead, they can only
write rules based on a list of headers that Novell have chosen, none
of which begins with X-Spam-.

Sadly both of these reasons sound lame: daft Outlook users and a daft
Novell application.  However there's nothing I can do about that so
I'm going to hack SA instead.

Does anyone else have similar needs?  Is such a feature already in the
works?

Thanks in advance.



If you're using Sendmail as your MTA, you could use MIMEDefang (a 
milter) to do that very easily.


alan


Re: Using spam tools for viruses

2005-10-25 Thread Alan Premselaar
Thomas Cameron wrote:
 Howdy -
 
 I recently responded to a thread on a local LUG mailing list where a guy
 wanted to report a virus as spam.  I have always thought that using a
 spam tool to fight viruses was wrong, and I said so.  He asked why, and
 basically my response was use the right tool for the job, as in use a
 virus tool for viruses, and use a spam tool for spam.
 
 What is the conventional wisdom on this list?  Should viruses be
 reported as spam?  If so, why?  If not, why not?
 
 Thanks!
 Thomas
 

Thomas,

  here's my 2 cents worth.  It seems like you have two separate
scenarios you're talking about here. actual virus protection and
separate, reporting.

I personally think it's important (also) to use the right tools for the
right job, therefore I use both anti-virus software *AND* anti-spam
software.  It's also important to understand what these products do and
what their individual limitations are and how to get them to complement
each other in your installation.

with regards to reporting a virus as spam, If the virus is sending an
email that is spammy, I think it doesn't hurt to record and report
those emails as spam.  It will help to train your bayesian database and
also help community services (i.e. DCC, Spamcop, Razor, etc) to provide
information about the characteristics of that mail.  HOWEVER; reporting
the virus signature is a different story.  I don't think the actual
virus signature should be reported as spam.

lastly, there's the general logic of do you want one product that does
a whole bunch of things but in a mediocre way? or do you want a bunch of
products that do one thing really really well?

alan


Re: Special rules ...

2005-10-08 Thread alan premselaar

Garry Glendown wrote:

I've run into kind of a problem at a customer installation, someone
suggested part of my problem could be solved w/ SpamAssassin, though at
the moment it might still miss some features required ...

Here we go ... This customer before had (and is still in the process of
changing over from) Novell w/ Tobit David. While the whole system might
be a POS considering a decent Unix system :) it had some features that
come in handy - specifically the customer had been able to define what
happened with certain mails. Before, he was able to:

- quarantine large files for admin approval
- quarantine certain file types for admin approval
- limit number of recipients, mails exceeding the number would be
quarantined again

plus a couple of other minor things that I could implement easily
w/MailScanner or similar tools. Now, I could limit the recipients, but
it's an all or nothing situation at the moment (running sendmail, which I
would rather not change if possible). From browsing the docs, I found
config options for the .cf files that might allow me to change the
recipient header to somebody else if certain rules are met.

What I did not find, either overlooked, by not knowing what to look for,
or because it's simply not there, are the points listed above. In that
combination (I can block files types w/ Mailscanner, but again, they
would not be brought to the admin's attention).

So, is there any chance of implementing the above features with
SpamAssassin, or does anybody happen to know a tool that might be able
to? I'd be willing to go through the sources to tweak them a bit for
added features, too, if someone could point me towards the general
direction ... (not really much of a Perl hacker, though, rather do C...)

Tnx, -garry


Garry,

 from what it sounds like, you should be able to accomplish all that 
(and more) with Can-IT Pro ... it's a commercial product based on the 
MIMEDefang engine.  You can probably do it all with MIMEDefang, but 
since you said you're not much of a Perl hacker, it'd be easier for you 
to go with the already-feature-rich commercial product. (at least look 
at it)


you can check out http://www.mimedefang.org/ or 
http://www.roaringpenguin.com/ for references for both respectively.


HTH

alan


TextCat usage and language dependent rules

2005-10-07 Thread Alan Premselaar
I've looked thru the documentation and the wiki, etc. and haven't found
any clear information on how to use the TextCat plugin.

previously I used the config file switch ok_languages en ja ko ...
after upgrading to 3.10 and uncommenting the textcat plugin spamassassin
-D --lint isn't returning any parsing errors on that line, but i'm not
sure if it's actually taking effect.

Also, tests like PLING_QUERY and GAPPY_SUBJECT which were properly
skipped for ISO-2022-JP encoded mail are starting to hit again.

additionally, SUBJECT_ENCODED_TWICE is hitting quite a lot, but
double-encoding is normal for Japanese mail. often the mail client used
to send mail will take a long subject and break it into multiple lines,
each with the iso-2022-jp encoding. This is more than likely due to the
2-byte characters and line length limitations. (do i need to file a bug
report on this?)

can someone give me some insight into how the textcat plugin stuff works
and what I should be expecting to see as a result of enabling it and
leaving the ok_languages directive set?

Thanks,

alan


Re: trusted_networks use

2005-09-27 Thread alan premselaar

NFN Smith wrote:

Thanks for the ongoing feedback

Bowie Bailey wrote:



Now that you've made those changes, post the headers from another
example email so we can see if anything changed.



See below.



Also, you may want to save your email into a file and manually run it
through SA to see what happens.  Just add '-t -D' to the option list



I did that, and found a couple of things.  I'm closer, but not there yet.

In reading the debugging output, I realized that I was putting my work 
in /etc/mail/sa-mimedefang.cf, and all my other local config settings 
are in /etc/mail/spamassassin/local.cf.  When I moved this work to 
local.cf, debug showed me getting further.


I also found that Net::DNS wasn't installed -- up until now, I haven't 
needed it, because I haven't been doing stuff that requires DNS queries. 
 I installed that, and am making further progress.


With the two changes, I'm getting correct designation of which hosts are 
trusted or not (which I wasn't getting before), but still not getting 
the ALL_TRUSTED rule.


By the way, I've also made sure that the $HOME/.spamassassin/user_prefs 
doesn't have any user-specific settings that may be interfering.


Debug output shows:


debug: using /usr/share/spamassassin for default rules dir
debug: using /etc/mail/spamassassin for site rules dir
debug: using /home/test-user/.spamassassin for user state dir
debug: using /home/test-user/.spamassassin/user_prefs for user prefs 
file
debug: Failed to parse line in SpamAssassin configuration, skipping: 
internal_networks 64.65.180.91
debug: Failed to parse line in SpamAssassin configuration, skipping: 
internal_networks 10.10.10.141

debug: Score set 1 chosen.
debug: Initialising learner
debug: received-header: parsed as [ ip=68.99.120.79 
rdns=lakecmmtao05.coxmail.com helo=lakecmmtao05.coxmail.com 
by=pulsar.lfa.com ident= ]
debug: received-header: parsed as [ ip=24.249.175.20 rdns=really 
helo=!192.168.1.100! by=lakecmmtao05.coxmail.com ident= ]

debug: received-header: relay 68.99.120.79 trusted? yes
debug: received-header: relay 24.249.175.20 trusted? no
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=5.733
debug: running uri tests; score so far=6.536
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=6.573
debug: Current PATH is: 
/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin

debug: all '*From' addrs: [EMAIL PROTECTED]
debug: all '*To' addrs: [EMAIL PROTECTED] [EMAIL PROTECTED]
debug: is Net::DNS::Resolver available? yes
debug: trying (3) kernel.org...
debug: looking up MX for 'kernel.org'
debug: MX for 'kernel.org' exists? 1
debug: MX lookup of kernel.org succeeded = Dns available (set 
dns_available to hardcode)

debug: is DNS available? 1
debug: DNS MX records found: 1
debug: forged-HELO: from=really helo=!192.168.1.100! by=coxmail.com
debug: running meta tests; score so far=6.573
debug: is spam? score=7.673 required=4 
tests=CLICK_BELOW,EXCUSE_3,FREE_CONSULTATION,MAILTO_TO_REMOVE,MIME_MISSING_BOUNDARY,NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE 


From [EMAIL PROTECTED]  Tue Sep 27 15:22:19 2005
Received: from localhost by pulsar.lfa.com
with SpamAssassin (2.64 2004-01-11);
Tue, 27 Sep 2005 15:24:16 -0700
From: NFN Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: *SPAM* Sequential test #12a
Date: Tue, 27 Sep 2005 15:21:15 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on pulsar.lfa.com
X-Spam-Level: ***
X-Spam-Status: Yes, hits=7.7 required=4.0 tests=CLICK_BELOW,EXCUSE_3,
FREE_CONSULTATION,MAILTO_TO_REMOVE,MIME_MISSING_BOUNDARY,
NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE 
autolearn=no version=2.64

MIME-Version: 1.0



Anything else obvious that I might be missing?  I think I'm close

Smith



If I'm not mistaken (and I could be, it's been awhile since I've used 
the 2.6x series), the ALL_TRUSTED rule wasn't introduced until the 3.0x 
series.  your headers show you're using 2.64.  also your debug output 
shows that spamassassin wasn't able to parse the internal_network 
settings (which also weren't introduced until the 3.0x series).


So, you either have some misconceptions about 2.64's capabilities, or 
you have 2 copies of spamassassin running in 2 different locations on 
your machine and the one in your path is 2.64, and causing you headaches.


HTH

alan
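
The two observations in the reply above (config lines the parser skipped, and the version reported in the headers) can be pulled out of a `-t -D` run mechanically. This is an added example, not part of the original thread or of SpamAssassin; the sample text is constructed from the output quoted above and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the debug output and headers quoted above,
# including the mid-record line wraps a mail client introduces.
SAMPLE = """\
debug: using /etc/mail/spamassassin for site rules dir
debug: Failed to parse line in SpamAssassin configuration, skipping:
internal_networks 64.65.180.91
debug: Failed to parse line in SpamAssassin configuration, skipping:
internal_networks 10.10.10.141
debug: received-header: relay 68.99.120.79 trusted? yes
debug: received-header: relay 24.249.175.20 trusted? no
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on pulsar.lfa.com
X-Spam-Status: Yes, hits=7.7 required=4.0 tests=CLICK_BELOW,EXCUSE_3,
FREE_CONSULTATION autolearn=no version=2.64
"""

# A new record starts with "debug:" or with a mail header name.
RECORD_START = re.compile(r"^(?:debug:|[A-Za-z][A-Za-z0-9-]*:)")
SKIPPED = re.compile(r"^debug: Failed to parse line in SpamAssassin "
                     r"configuration, skipping:\s*(\S+)\s*(.*)$")
RELAY = re.compile(r"^debug: received-header: relay (\S+) trusted\? (yes|no)$")
CHECKER = re.compile(r"^X-Spam-Checker-Version: SpamAssassin (\d+)\.(\d+)")


def unfold(text):
    """Rejoin wrapped lines so that each debug record or header is one string."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def skipped_directives(text):
    """Return (directive, value) for every config line the parser rejected."""
    found = []
    for rec in unfold(text):
        m = SKIPPED.match(rec)
        if m:
            found.append((m.group(1), m.group(2).strip()))
    return found


def relay_trust(text):
    """Return {relay ip: True/False} as decided by the received-header code."""
    trust = {}
    for rec in unfold(text):
        m = RELAY.match(rec)
        if m:
            trust[m.group(1)] = (m.group(2) == "yes")
    return trust


def checker_version(text):
    """Return (major, minor) from X-Spam-Checker-Version, or None if absent."""
    for rec in unfold(text):
        m = CHECKER.match(rec)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def diagnose(text):
    """One finding per rejected config line, naming the version that ran."""
    version = checker_version(text)
    label = "unknown" if version is None else "%d.%d" % version
    return ["running SpamAssassin %s did not understand '%s %s'" % (label, n, v)
            for n, v in skipped_directives(text)]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
    print(relay_trust(SAMPLE))
```
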


Re: trusted_networks use

2005-09-26 Thread Alan Premselaar

NFN Smith wrote:
Following up on my own post.  I'm still thrashing, and not getting any 
difference in results.



...snip...

Sorry, I just have to ask.  Since you're using MIMEDefang... you are 
remembering to restart (or reload) mimedefang after making your changes, 
right?  and you're making changes to the sa-mimedefang.cf file, right?


alan


Re: User Blacklist Spamassassin Behavior

2005-06-27 Thread Alan Premselaar

Paul R. Ganci wrote:
This is somewhat a philosophical question, but I will ask it anyways. 
Recent discussions have occurred on this list regarding what 
Spamassassin should do with Spam. The recent consensus seems to be that 
it is only Spamassassin's job to tag Spam and that some other program 
should decide what to do about it. I can accept this argument especially 
in regard to the old spam_action config option especially when set to 
delete.


However, I have a user who raises a good point. He has a blacklist in 
his user_prefs. Spamassassin processes his Email message and indeed 
finds this blacklisted message as USER_IN_BLACKLIST shows up in the 
header. In addition lots of other processing occurs before the final 
score of 99 is tallied. His question is simply this: Why does this 
message show up in his box at all? His point being the message was 
blacklisted. Why is it not a good idea for Spamassassin to immediately 
send to /dev/null a message flagged in somebody's blacklist ASAP ... 
i.e. no further processing? Is the only way to handle this via a 
procmail recipe? Similar what about a whitelist ... shouldn't it be sent 
on as Ham ASAP ... i.e. a minimal of processing? How do others handle 
these cases?




Paul,

 here's my take on it. keep in mind i'm in no way affiliated with the 
developers, it's just my opinion as a mail system administrator and 
SpamAssassin user.


for one thing, SA has been designed for specific reasons *not* to 
process the mail, but only to add headers as necessary.  One of these 
reasons is that SA can remain extremely versatile in this configuration.


for instance, I use SpamAssassin via a call from MIMEDefang which runs 
as a Sendmail Milter. Others may call spamassassin/spamc from procmail, 
others may integrate with qmail-scanner or amavis-new (neither of which 
am I familiar with, but they get quite a bit of mention on this and 
other lists)


For SpamAssassin to be able to do SMTP level rejections, it would have 
to *always* be integrated into the MTA.  Granted there are tools to 
allow the integration of SA into the MTA, but they are designed and 
supported by third parties (and in my opinion, rightfully so).


Philosophically, it makes more sense for SpamAssassin to focus on 
identifying SPAM, and let another application (MTA, procmail, etc) focus 
on what it was primarily designed for: processing 
(delivery,rejection,etc) of said email.  It's certainly no more of a 
hassle to add a procmail rule to dump a blacklist hit to /dev/null than 
it is to add a procmail rule for other delivery options.


There may be cases where it would be very inappropriate for *any* mail, 
blacklisted or not, to be dumped to /dev/null.  having SA have to 
account for all possible handlings of blacklisted mail would add more 
bloat and logic requirements to the code which, in my opinion, aren't 
necessary.


When you're dealing with mail delivery, you have to account for local 
delivery inconsistencies, whether the mail will be delivered to a remote 
machine anyways, etc.  again, these types of situations make it more 
appropriate for applications written specifically to handle them than to 
try to add them to SA and pull the focus away from identifying SPAM to 
delivering mail.



just my $.02 worth.

Alan


Re: User Blacklist Spamassassin Behavior

2005-06-27 Thread Alan Premselaar

Paul R. Ganci wrote:

Alan Premselaar wrote:

Philosophically, it makes more sense for SpamAssassin to focus on 
identifying SPAM, and let another application (MTA, procmail, etc) 
focus on what it was primarily designed for: processing 
(delivery,rejection,etc) of said email.  It's certainly no more of a 
hassle to add a procmail rule to dump a blacklist hit to /dev/null 
than it is to add a procmail rule for other delivery options.


There may be cases where it would be very inappropriate for *any* 
mail, blacklisted or not, to be dumped to /dev/null. 



I don't disagree with most of what you said. However, I don't 
necessarily agree with the above because while I can add a procmail rule 
to handle a specific user's blacklist I can't get back the wasted CPU 
cycles which spamassassin expended ... perhaps all I am really asking is 
if there is a way to allow spamassassin to just stop processing a 
message that is in a blacklist to save the cycles? I am not asking for 
spamassassin to become an MTA/MDA.


In that case it would be ultimately more efficient to add a rejection 
rule to your MTA (i.e. sendmail's access db) than to even rely on SA's 
blacklisting (even if it did stop processing after determining the 
blacklist hit)




Privately Ed Kasky raised the good point about spoofing. I believe 
whitelists have to have the full weight of a spamassassin scan to catch 
messages with spoofed addresses. But blacklists ... I don't believe 
suffer this problem. Yes I might receive a spam message from somebody 
spoofing an arbitrary Email address. If that address happens to have 
@ebay.com then I am highly unlikely to blacklist it. If it is from 
@anybody.com then unless I have some reason to believe that I should 
expect legitimate Email from that address, I argue that blacklisting it 
does no harm and that any message found to be on a blacklist could be 
processed with the minimal of effort by spamassassin. But then what do I 
know? :)


My (not so clear) point is that there may be situations such as 
Corporate Policy, for right or for wrong, disallowing the discarding of 
*any* mail prior to delivery.  We certainly don't have that policy here, 
but I've seen it come up in discussion before.


I'm certainly not saying it's a bad Idea, I'm merely expressing some of 
the points that have come up in conversation on the list previously.  On 
the flipside, I handle all my "don't need to waste processing time by 
calling SA" type transactions from within MIMEDefang and have been quite 
happy with my configuration.  I personally wouldn't benefit from this 
type of feature, but neither would I suffer.


anyways, just my opinion.

alan




Re: connect(AF_INET) to spamd at 127.0.0.1 failed

2005-06-11 Thread alan premselaar

Chris wrote:
I've seen this a couple of times the last few days in my syslog.  Tonight, I 
saw it after updating to 3.0.4:


Jun 11 19:38:21 cpollock spamd[7668]: server killed by SIGTERM, shutting down 
Jun 11 19:38:22 cpollock spamassassin: spamd shutdown succeeded
Jun 11 19:53:32 cpollock spamc[26370]: connect(AF_INET) to spamd at 127.0.0.1 
failed, retrying (#1 of 3): Connection refused
Jun 11 19:53:33 cpollock spamc[26370]: connect(AF_INET) to spamd at 127.0.0.1 
failed, retrying (#2 of 3): Connection refused


is it possible that you had some incoming mail that was trying to 
connect to spamd even after you shut it down for upgrading?




Prior to upgrading from .0.3 to .0.4 I ran #service spamassassin stop, and 
also shut down fetchmail so that nothing was processed, when the update was 
finished I started spamassassin and fetchmail.  The below is 'not' when I 
started SA


Jun 11 19:55:10 cpollock spamd[26754]: spamd starting 
Jun 11 19:55:11 cpollock spamd[26754]: server started on port 48373/tcp 
(running version 3.0.4) 
Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child 
process, pid 26760 
Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child 
process, pid 26761 
Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child 
process, pid 26762 
Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child 
process, pid 26763 
Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child 
process, pid 26764 


Did these appear during the installation process?  if so, if you ran 
'make test' these are probably the results of that.




This is where I started SA and fetchmail

Jun 11 19:57:21 cpollock spamd[27144]: spamd starting 
Jun 11 19:57:21 cpollock spamassassin: spamd startup succeeded
Jun 11 19:57:30 cpollock fetchmail[27167]: starting fetchmail 6.2.5 daemon  
Jun 11 19:57:33 cpollock spamd[27146]: server started on port 783/tcp (running 
version 3.0.4) 


But between 19:55 and 19:57 there is this:

Jun 11 19:55:12 cpollock spamd[26760]: processing message 9PS291LhupY for 
root:0. 
Jun 11 19:55:12 cpollock spamd[26760]: identified spam (15.6/5.0) for root:0 
in 0.4 seconds, 3131 bytes. 
Jun 11 19:55:12 cpollock spamd[26760]: result: Y 15 - 
ALL_NATURAL,DATE_IN_FUTURE_03_06,DIET_1,DRUGS_ERECTILE,DRUGS_PAIN,EXCUSE_12,

EXCUSE_4,FORGED_YAHOO_RCVD,FROM_ENDS_IN_NUMS,FROM_HAS_MIXED_NUMS,
INVALID_DATE,INVALID_MSGID,NORMAL_HTTP_TO_IP,NO_REAL_NAME,SELECTED_YOU,
SUBJ_FREE_CAP,UNDISC_RECIPS 
scantime=0.4,size=3131,mid=9PS291LhupY,autolearn=spam 



again, this is probably the results of the 'make test' and actually 
running tests against spamd.


I use spamassassin in such a way that I do not use spamd (nor need it) 
yet during the 'make test' part of my CPAN install, i see spamd messages 
in my maillog (as a result).



I do 'not' have autolearn enabled.  Any ideas what may have happened?  
Googling the error in the first lines seems to mention something about 
spamassassin as a server and spamd not running.  Spamd is most certainly 
running as shown in running processes.


Sorry for the long msg with log cuts but not sure what, if anything is amiss.

Thanks
Chris



alan
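
The log reading discussed in this message can be checked mechanically: tie each scan to the spamd listener that performed it, and list the spamc refusals that fall while the service listener is down. This is an added example, not from the original thread; the sample lines are constructed from the log quoted above, port 783 is taken from that log as the service port, and PID reuse is not handled.

```python
import re
from datetime import datetime

SERVICE_PORT = 783  # port of the long-running spamd in the quoted log

# Constructed sample: lines taken from the log quoted above, unwrapped.
SAMPLE = """\
Jun 11 19:38:21 cpollock spamd[7668]: server killed by SIGTERM, shutting down
Jun 11 19:53:32 cpollock spamc[26370]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Jun 11 19:53:33 cpollock spamc[26370]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
Jun 11 19:55:11 cpollock spamd[26754]: server started on port 48373/tcp (running version 3.0.4)
Jun 11 19:55:11 cpollock spamd[26754]: server successfully spawned child process, pid 26760
Jun 11 19:55:12 cpollock spamd[26760]: processing message 9PS291LhupY for root:0.
Jun 11 19:57:33 cpollock spamd[27146]: server started on port 783/tcp (running version 3.0.4)
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[(\d+)\]: (.*)$")
STARTED = re.compile(r"server started on port (\d+)/tcp")
SPAWNED = re.compile(r"spawned child process, pid (\d+)")
SCAN = re.compile(r"processing message (\S+) for ")


def parse(text, year=2005):
    """Return (datetime, program, pid, message) tuples; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime("%d %s" % (year, m.group(1)),
                                 "%Y %b %d %H:%M:%S")
        events.append((when, m.group(2), int(m.group(3)), m.group(4)))
    return events


def listeners(events):
    """Map listener pid -> port, and child pid -> the listener that spawned it."""
    port_of, parent_of = {}, {}
    for _, prog, pid, msg in events:
        if prog != "spamd":
            continue
        m = STARTED.search(msg)
        if m:
            port_of[pid] = int(m.group(1))
        m = SPAWNED.search(msg)
        if m:
            parent_of[int(m.group(1))] = pid
    return port_of, parent_of


def scans_by_listener(events):
    """Return (message id, listener port, is_service_listener) for each scan."""
    port_of, parent_of = listeners(events)
    out = []
    for _, prog, pid, msg in events:
        m = SCAN.search(msg) if prog == "spamd" else None
        if m:
            port = port_of.get(parent_of.get(pid, pid))
            out.append((m.group(1), port, port == SERVICE_PORT))
    return out


def refused_while_down(events):
    """Times of spamc 'Connection refused' between a service stop and restart."""
    port_of, _ = listeners(events)
    down, hits = False, []
    for when, prog, pid, msg in events:
        if prog == "spamd" and "killed by SIGTERM" in msg:
            # A listener whose start is not in the log is assumed to be the service.
            if port_of.get(pid, SERVICE_PORT) == SERVICE_PORT:
                down = True
        elif (prog == "spamd" and port_of.get(pid) == SERVICE_PORT
              and STARTED.search(msg)):
            down = False
        elif prog == "spamc" and "Connection refused" in msg and down:
            hits.append(when.strftime("%H:%M:%S"))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(scans_by_listener(ev))
    print(refused_while_down(ev))
```
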


Re: Question about SPF checks

2005-06-07 Thread alan premselaar

Ronny Nussbaum wrote:

Hello,
I've tried to find an answer to this, but couldn't.
 
I'm using SA 3.0.3, invoked by Amavisd-New (latest version), on Fedora 
Core 3.
 
I've installed the Mail::SPF::Query module, and it works fine.
 
My question is, how can I disable it from being used by SA?
 
I'm looking for another way besides giving the value of zero to all SPF 
tests in my local.cf.

In a way, I want to uninstall it, so that SA is not even aware of it.
 
Thanks
 
-RoNNY


Ronny,

 you should be able to comment out the loadplugin line for SPF in the 
init.pre file (in /etc/mail/spamassassin on my installation)


Alan


Re: Bombarded by German political spam

2005-05-17 Thread Alan Premselaar
Matias Lopez Bergero wrote:
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?

I'm being bombarded too!
Matías.

I'm mostly just getting the bogus MAILER-DAEMON bounces from being 
joe-jobbed.

I've literally had 100's of these compared to the 2 or 3 actual spams.
(usually 50+ at a time)
alan


Re: Problem with mail being rejected by friends!

2005-04-15 Thread alan premselaar
Rick Macdougall wrote:

Neil Watson wrote:
On Fri, Apr 15, 2005 at 10:24:47AM -0400, Steven W. Orr wrote:
their mail rejected by sa. I have been adding whitelist entries like 
crazy but I really loathe having to disable spam rejection by 
spamass-milter.

Rejecting spam is not a good idea.  Most of the time you end up spamming
some poor sod who has been joe-jobbed.  Discard spam.  Don't add to the
problem.
Hi,
While this has been discussed before, I don't think rejecting spam at 
the smtp level is a bad idea, ie 551 - We think this is spam.  However, 
bouncing spam after the smtp acceptance is a bad idea.

Since most spam is coming either from infected PC's or spammers dsl 
connections, rejecting at the smtp level is usually not a bad idea.  It 
also allows for legitimate email that is marked as spam to be returned 
to the owner, if you just make spam vanish to /dev/null you may find you 
have some very unhappy clients further down the road who are wondering 
where that letter from the Legal department is.

Regards,
Rick
Not only that, but if Steve had been discarding spam, neither he nor his 
friends would have been aware of this problem.


Re: SQL install with mSQL driver

2005-04-13 Thread alan premselaar
Gary W. Smith wrote:
Hello,
I'm using 3.0.x on RHEL 3 right now in our production environment and 
was looking at setting up a new test environment.  We use MySQL for the 
common bayes DB which is working well for us in production.

Today I tried installing the same packages for Perl that I did for our 
production installs which require DBD::mSQL.  When I do an install of 
this package it fails miserably.  Googling around it appears that this 
package is, or is being, deprecated or unsupported. 

Is there an alternate package that I should be using?  Some of the 
articles I have read recommend that we use DBD::mysql instead of 
DBD::mSQL.  Does anyone know if this will work in place of the other 
package?

Gary Wayne Smith
Gary,
  I'm not a database expert by any means, but I've done a bit with the 
DBI and MySQL.  My understanding is that DBD::mSQL is an interface to a 
different SQL server than MySQL, although I don't remember which one off 
the top of my head.

If you're using MySQL, you want to use the DBD::mysql module.  I'd be 
surprised if DBD::mSQL worked at all with MySQL.

hope this helps.
Alan


Re: SQL install with mSQL driver

2005-04-13 Thread alan premselaar
Gary W. Smith wrote:
Alan, 

I have installed DBD::mysql and it still doesn't work.  The install file
says that DBD::mSQL is required and the options that I specified when we
installed it was for mysql (as the mSQL driver covers it as well).
It's funny though that AWL is logging to the DB.  Also, something to
note, is that in production we are running 3.0.1 and this is 3.0.2.
Maybe it's not required and the code is just broken.  Unfortunately my
older dev environment is down otherwise I would try upgrading the 3.0.2
to see if it has the same problems.
Here is the specific error:
Apr 12 17:22:44 pxtoakdev04 spamd[3378]: Use of uninitialized value in
concatenation (.) or string at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/SQL.pm line
157, GEN2 line 2. 
Apr 12 17:22:44 pxtoakdev04 spamd[3378]: Use of uninitialized value in
numeric ne (!=) at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/SQL.pm line
159, GEN2 line 2. 
Apr 12 17:22:44 pxtoakdev04 spamd[3378]: Use of uninitialized value in
concatenation (.) or string at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/SQL.pm line
160, GEN2 line 2. 
Apr 12 17:22:44 pxtoakdev04 spamd[3378]: bayes: Database version  is
different than we understand (3), aborting! at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/BayesStore/SQL.pm line
160, GEN2 line 2.

Local.cf
auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn DBI:mysql:spamassassin:10.0.0.41
user_awl_sql_username spamassassinuser
user_awl_sql_password spamassassinpass
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn  DBI:mysql:spamassassin:10.0.0.41
bayes_sql_username spamassassinuser
bayes_sql_password spamassassinpass
Gary,
  these calls (DBI:mysql:spamassassin) are definitely telling the 
system to use DBD::mysql  (not DBD::mSQL)

based on this line:
 Apr 12 17:22:44 pxtoakdev04 spamd[3378]: bayes: Database version  is
 different than we understand (3), aborting! at
it looks like the database either isn't configured properly or it's 
corrupted.

try running sa-learn --dump magic to see what it reports, and assuming 
it fails you may then want to try sa-learn -D --lint

are both your production (3.0.1) and this new (3.0.2) machine pointing 
to the same database?

alan


Re: question about greylisting

2005-03-24 Thread alan premselaar
Rob McEwen wrote:
I have a question about greylisting.
Does greylisting **always** involve blocking upon receipt of the SMTP
envelope and not accepting the rest of the message?
Or, can greylisting alternatively work where it **does** accept the
**entire** message (for auditing purposes, for example) and THEN returns the
temporary rejection code?
Thanks,
Rob McEwen
PowerView Systems

Rob,
 That depends on how you implement it.  Certainly if you're running 
Sendmail, a tool like MIMEDefang would allow you to implement 
greylisting in any manner you saw fit for your installation.

however, temporarily rejecting the message after fully receiving it and 
processing it kind of defeats the purpose of greylisting. (or at least 
one major purpose of it)

hth
alan
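
The difference between the two placements asked about above, shown as a small simulation: the same greylist decision applied either at RCPT time or after the whole message has been received. This is an added example, not from the original thread and not MIMEDefang code; the delay values, addresses and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300            # seconds a new triplet must wait (assumed value)
RETRY_WINDOW = 4 * 3600    # a retry must arrive within this long (assumed value)


@dataclass
class Greylist:
    """Greylist keyed on the (client ip, envelope sender, recipient) triplet."""
    first_seen: dict = field(default_factory=dict)
    passed: set = field(default_factory=set)

    def decide(self, ip, sender, rcpt, now):
        """Return 250 to accept or 451 to ask the client to retry later."""
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return 250
        seen = self.first_seen.get(key)
        if seen is None or now - seen > RETRY_WINDOW:
            # Unknown triplet, or the earlier attempt is too old to count.
            self.first_seen[key] = now
            return 451
        if now - seen < MIN_DELAY:
            return 451          # retried too quickly
        self.passed.add(key)    # a real retry after the delay: let it through
        return 250


def session(gl, ip, sender, rcpt, body, now, stage):
    """Simulate one SMTP transaction.

    stage "rcpt": decide from the envelope alone, before DATA.
    stage "eod":  receive the whole message first, then decide.
    Returns (reply code, bytes of message body the server had to receive).
    """
    if stage == "rcpt":
        code = gl.decide(ip, sender, rcpt, now)
        return (code, len(body)) if code == 250 else (code, 0)
    if stage == "eod":
        return gl.decide(ip, sender, rcpt, now), len(body)
    raise ValueError("stage must be 'rcpt' or 'eod'")


if __name__ == "__main__":
    body = b"x" * 5000  # constructed message body
    args = ("192.0.2.10", "a@example.org", "b@example.net", body)
    early, late = Greylist(), Greylist()
    for t in (0, 60, 600):
        print(t, session(early, *args, now=t, stage="rcpt"),
              session(late, *args, now=t, stage="eod"))
```

Both placements reach the same accept or defer decisions; the end-of-data variant has simply received and handled every deferred message in full before turning it away.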


interesting problem with SQL backend

2005-03-24 Thread alan premselaar
Today I had an interesting situation.
This is more of an FYI in case anyone else has run into similar 
problems. (cross-posted to MIMEDefang list as well)

I use SpamAssassin with MIMEDefang.
I got notified by one of my users that they were unable to send mail 
suddenly.  after checking the logs I determined that MIMEDefang was 
timing out and returning errors.  the cause for this was very unclear 
(which is why i'm sharing my findings with all of you)...

After digging around (and some assistance from David Skoll on the 
MIMEDefang list) I was able to determine that the problem was caused by 
SpamAssassin not being able to connect to the database server where the 
bayes database is stored. (using MySQL on a remote host)

this caused all sorts of weirdness for no apparently good reason and 
was initially very confusing to diagnose.

The symptoms were:
* mimedefang started to return busy timeout errors.
* when restarting MIMEDefang (with embedded perl enabled) the 
multiplexor wouldn't complete loading and mimedefang wouldn't create the 
socket, causing sendmail to spit out file 
/path/to/mimedefang/socket/file unsafe errors.
* turning off embedded perl would allow mimedefang to start and create 
the socket, but then would spawn multiple instances of mimedefang.pl 
which just hung.
* mimedefang.pl -test and/or mimedefang.pl -features would hang 
indefinitely with no output.

the workaround:
  after determining the problem to be the connection to the SQL server, 
simply setting use_bayes 0 in sa-mimedefang.cf and restarting 
mimedefang resolved the problem. however, this obviously didn't utilize 
the bayes facilities.

the questions:
 I understand that the SQL code for SA is still 'experimental'.  is 
there any way currently to set a forced timeout to connect to the SQL 
server?

is this something I should open a BZ ticket about?
being that I'm definitely not an SQL guru, does anyone have any 
suggestions for configuring a high-availability MySQL server 
configuration that could failover to a backup server should the primary 
one become incapacitated by a low-level hard drive failure?

Currently I have 1 MySQL database server with the bayes databases on it 
(among other databases) and my primary and secondary mail servers both 
make connections to it to check the bayes database.

This may be somewhat specific to the MIMEDefang implementation, but I 
suspect that there is a possibility that this type of behavior could 
have negative impact in other types of SA implementations as well.
again, this is mostly an FYI, but any suggestions are welcome.

Thanks,
Alan


Re: back where I was: why is this rule misfiring?

2005-03-23 Thread alan premselaar
Vicki Brown wrote:
What is going on here?
The rule
 header CF_NOT_FOR_ME ToCc !~
/(?:[EMAIL PROTECTED]|[EMAIL PROTECTED])\.com/i
 score CF_NOT_FOR_ME 0.01
 describe CF_NOT_FOR_ME  Neither To nor Cc me
Vicki,
 You're using a negated OR test, you want to use a negated AND test.
so, you're saying if the mail isn't for vlb[at]cfcl OR the mail isn't 
for vicki.vlb[at]gmail then it's not for me

in this situation, if one of the tests is true, the other one is false 
and thus the entire test is true. because one of the criteria passes the 
!~ test.

This is why you're not seeing the expected results.
[...snip...]
hope this helps,
alan


Re: re-read the config file iff it has changed

2005-03-21 Thread alan premselaar
Vicki Brown wrote:
At 17:40 -0800 03/19/2005, jdow wrote:
There is a substantial hit, Vicki, on the order of a factor of two on
my machines.

We are talking about _Only when the Config File has Changed_. OK, so you get a
factor of two, what, once a week?
Sendmail does this (you run newaliases or make to trigger it).
For clarity's sake, sendmail has real-time access to certain db files 
(like aliases.db which is generated by 'newaliases'). since sendmail has 
real-time access to these files, re-creating the .db file from the text 
version is all that is necessary.

However; if you make changes to the sendmail.mc file and then run make to 
create the sendmail.cf file, you still need to restart sendmail for it 
to read those changes.

SpamAssassin reads in all its config files into memory and has no 
real-time file access for configuration files.

I simply do not believe there can be a substantial hit if spamd re-reads
the config file
Only When The Config File Has Changed
in order to read the config file in only when it has been changed you 
need to store state information somewhere (in memory or a real-time 
accessed db file, etc) for each config file.  Since SA will read in 
/path/to/configfiles/*.cf  there could be any number of files that state 
needs to be stored for.  Also, to be prudent, state would also need to 
be stored for /usr/share/spamassassin/*.cf since some people will change 
those config files even against recommendations.

when fine-tuning for performance, even a call to stat() on a file or 
group of files can introduce performance hits.  This is because it 
effectively still has to open and close the file-handle.

Then there's the matter of; in what way, and how often do you poll the 
.cf files to check for changes?  that in itself could add a lot of 
overhead to the program that is unnecessary.

[..snip..]
alan
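
One way to keep the per-file state described above, as an added example (not SpamAssassin or spamd code): it records size and mtime for every *.cf file in a directory and reports which files were added, changed or removed between two snapshots. The directory and file contents are constructed in a temporary directory, and the helper names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Basename qw(basename);
use File::Spec;
use File::Temp qw(tempdir);

# Snapshot: path => "size:mtime" for every *.cf file in $dir.
# Caveat: an edit that keeps the size and lands within the same
# mtime second as the previous snapshot is not detected.
sub snapshot {
    my ($dir) = @_;
    opendir my $dh, $dir or die "cannot open $dir: $!";
    my %state;
    for my $name (grep { /\.cf\z/ } readdir $dh) {
        my $path = File::Spec->catfile($dir, $name);
        my @st = stat($path) or next;    # file vanished after readdir
        $state{$path} = join ':', $st[7], $st[9];    # size, mtime
    }
    closedir $dh;
    return \%state;
}

# Compare two snapshots; returns array refs of added, changed, removed paths.
sub diff_snapshots {
    my ($old, $new) = @_;
    my (@added, @changed);
    for my $path (sort keys %$new) {
        if    (!exists $old->{$path})          { push @added,   $path }
        elsif ($old->{$path} ne $new->{$path}) { push @changed, $path }
    }
    my @removed = grep { !exists $new->{$_} } sort keys %$old;
    return (\@added, \@changed, \@removed);
}

sub write_file {
    my ($path, $text) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} $text;
    close $fh or die "cannot close $path: $!";
}

sub names {
    my ($paths) = @_;
    return @$paths ? join(', ', map { basename($_) } @$paths) : '(none)';
}

# Constructed sample configuration directory.
my $dir   = tempdir(CLEANUP => 1);
my $local = File::Spec->catfile($dir, 'local.cf');
my $misc  = File::Spec->catfile($dir, '10_misc.cf');
my $extra = File::Spec->catfile($dir, 'extra.cf');

write_file($local, "use_bayes 1\n");
write_file($misc,  "# constructed sample\n");
my $before = snapshot($dir);

# Simulate an administrator editing, adding and deleting rule files.
write_file($local, "use_bayes 0\nscore CF_NOT_FOR_ME 0.01\n");
write_file($extra, "# constructed sample\n");
unlink $misc or die "cannot remove $misc: $!";
my $after = snapshot($dir);

my ($added, $changed, $removed) = diff_snapshots($before, $after);
printf "%-9s %s\n", 'added:',   names($added);
printf "%-9s %s\n", 'changed:', names($changed);
printf "%-9s %s\n", 'removed:', names($removed);
print "reload needed\n" if @$added || @$changed || @$removed;
```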


Re: Spammers Target Secondary MX hosts?

2005-03-19 Thread alan premselaar
[EMAIL PROTECTED] wrote:
Kelson wrote:
Larry Starr wrote:
On Friday 18 March 2005 08:17, Alexander Bochmann wrote:
there are many setups where
the ISP or someone else runs a backup MX for his
customer's domains as a service. With this configuration,
the secondary MX will usually not know about valid users
in the destination domain.
That, in fact, is the setup that I am operating and, yes, most of
what comes through my secondary MX, at my ISP, is SPAM.   Some time
ago I implemented a rule that adds a (small) spam score for mail
received via my secondary MX. 
I'm on the flip side of that: we provide secondary MX services for
some of our customers, and I've started adding a small bonus score
for mail being sent *to* them through our server.  I've also added
meta-rules to treat certain rules more harshly.
The really annoying thing, from our standpoint, is the backscatter we
have to process:
1. Spammer sends to secondary MX (us).
2. We filter out some of the more obvious spam (for the most part
   using our regular criteria).
3. We relay what's left to the primary MX.
4. Primary MX rejects mail to nonexistent users and mail that trips
   their own spam filters.
5. We generate DSNs that go to third parties or nonexistent hosts,
   contributing to backscatter and cluttering up our outbound queue.
The backscatter becomes a real problem in the legitimate relay
situation, because it's basically unavoidable.  If the spam is sent
directly to you, you can accept it, discard it, or reject it, and it
stops.  But if you're relaying to someone, and *they* reject it, now
you have to decide whether to generate a DSN or not.  We've actually
set up a separate queue for bounces that aren't delivered
immediately, so that it won't bog down normal mail.

Two solutions occur to me:
1) Allow a way for the secondary MX to tell whether the primary MX is up - if 
it is, don't accept any connections
2) Allow a way for the secondary MX to tell what email addresses on the primary 
MX are valid (LDAP occurs to me)
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, 

MIMEDefang can do both of these... I use it on my secondary MX server to 
check for valid users on the primary server.  as a safety, if the 
primary MX server is down, it'll accept and queue the mail.  if it can't 
validate the user on the primary server, yet the server is up, it'll 
fail with user unknown.

alan


Re: URI Tests and Japanese Chars (solved)

2005-03-18 Thread Alan Premselaar
List Mail User wrote:
...
To: "Daryl C. W. O'Shea" [EMAIL PROTECTED]
Cc: List Mail User [EMAIL PROTECTED], [EMAIL PROTECTED],
   users@spamassassin.apache.org
Subject: Re: URI Tests and Japanese Chars (solved)
In-Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Justin Mason)

   Justin,

Daryl C. W. O'Shea writes:

List Mail User wrote:

Jeff,

RFC 1630 makes pretty clear that an email address in either a "mailto:"
or "cid:" clause *is* a URI.  It does not address whether a bare email
address would count (it seems that it doesn't fit the RFC definition, but
does fit some other I found by Google).

I could be convinced either way from a bare address (as it stands now,
maybe someone else has something to add).  But a "mailto:" "mail:" or "cid:"
clause should (in my opinion) be looked up by the URI rules - they are URI,
not URL rules (though URLs are clearly the most common form of URIs).

I was surprised to see that from the RFC, even "Msg-Id:" clauses
are URIs.

Paul Shupak
[EMAIL PROTECTED]

I'd agree with Paul, what's the difference between doing the lookup of
the domain listed in a mailto: link and a http: link -- both of which
are often found in someone's signature?

Eliminating the mailto: domain lookup could lead to spam such as "email
us at [EMAIL PROTECTED] for all the junk you don't really want".

However, it's an impedance mismatch between what's going into the backends
(the SBL and SURBL uribls) and what we're matching on the other end.

At least for SBL, it's definitely problematic, since a SBL escalation
(of mail relays) will blocklist mail that *mentions* that domain!

   That's not true in general.  Since the SBL is an IP based list,
 a mail server escalation would have no effect on any other domain, only
 on messages relayed through the servers.

   The more common case where a SBL escalation will affect other domains
 is (the typical kind I've noticed) when they list all corporate servers and
 some otherwise innocent domains use name servers within that space (this was
 the Russian government/Rostelecom earlier this week).

   Still, you are correct, there is a big difference between the SURBL
 policy of zero FPs and the SBL policy, which I can best state as "kill the
 spammers".  SURBLs rarely have `collateral' damage and their default scores
 reflect that;  The URIBL_SBL is only assigned scores of "0 0.629 0 0.996"
 in 3.0.2 - Only URIBL_AB_SURBL with set 3 and URIBL_WS_SURBL with set 1 are
 ever assigned lower scores than the URIBL_SBL.  All the other SURBL have
 significantly higher scores - URIBL_SC_SURBL is many times what URIBL_SBL is.
 (You may not know, but I even proposed adding back the SPEWS lists, though
 with low scores, and I do use all the rfci lists with relatively low scores
 except for bogusmx, which may be the best single indicator I have ever found,
 and I still assign it fewer points than URIBL_SC_SURBL).

- --j.
[snipped PGP SIGNATURE]

   Paul Shupak
   [EMAIL PROTECTED]

 P.S. I understand the political problems with the particular FPs that SPEWS
 generates, but I do hope the rfci lists make it to the URIBL rulesets.

Since you mentioned the scores, please note that Bobby Rose, the original
poster of this issue, had modified the score for URIBL_SBL from its
defaults to 10 ...

I had suggested that he reduce the score (possibly setting it back to
the defaults)

While it doesn't negate the issues surrounding the way the URI lookups
work (or should possibly work) ... it's obvious that there is enough FP
potential to warrant not scoring it so high.

alan

Re: rule didn't fire

2005-03-17 Thread Alan Premselaar
Vicki Brown wrote:
At 17:57 -0800 03/16/2005, Loren Wilton wrote:
Ok. What totally mindless dumb thing did I do that I just can't see?
How are you running SA?

   spamd -d -c
at system startup
then, from procmailrc, I push each message through
   | /usr/local/bin/spamc -s 256000 -t 60

Did you restart spamd?

N.

I don't use spamd, but if memory serves, you'll need to at least HUP 
spamd to re-read the config file... a restart of spamd would guarantee 
it.  check the man pages for specifics.

alan


Re: Blacklisting embedded URLs

2005-03-17 Thread alan premselaar
Vicki Brown wrote:
Did the message you tested with
have a URI?  If so what was it?

Sigh. :-(
No. I naively thought it would list something anyway.
Back to circle 1.
OK, so I ran it again against a message with lots of URIs (specifically one
of my previous messages which got pummeled by dailyhills :-) and spamassassin
-D had a grand old time telling me which URLs were listed at which BL sites.
Yippee.  It works with spamassassin -D. :-(
This still doesn't explain why it doesn't work with my standard setup, i.e.
   spamd -d -c
in the background and
   /usr/local/bin/spamc -s 256000 -t 60
via procmail  :-(
For proof, here's the spam report on a (different) message I received tonight.
First, as it arrived in my inbox earlier this evening having passed through
spamd/spamc):
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
 X-Spam-Level: ***
 X-Spam-Status: Yes, score=3.6 required=0.5 tests=BIZ_TLD,MSGID_DOLLARS
autolearn=no version=3.0.2
 X-Spam-Report:
*  0.5 BIZ_TLD URI: Contains an URL in the BIZ top-level domain
*  3.1 MSGID_DOLLARS Message-Id has pattern used in spam
And here's the spam report for the identical message after I pushed it
manually through spamassassin -D (cool, my URI rules are firing now; many
thanks to Loren Wilton and Matt Kettler ;-)
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on cfcl.com
 X-Spam-Level: 
 X-Spam-Status: Yes, score=16.8 required=0.5 tests=ALL_TRUSTED,BIZ_TLD,
CF_BAD_URL1,URIBL_AB_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,
URIBL_WS_SURBL autolearn=no version=3.0.2
 X-Spam-Report:
* -2.8 ALL_TRUSTED Did not pass through any untrusted hosts
*   10 CF_BAD_URL1 URI: XXX site
*  0.5 BIZ_TLD URI: Contains an URL in the BIZ top-level domain
*  0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
*  [URIs: a123s.biz]
*  2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
*  [URIs: a123s.biz]
*  0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*  [URIs: a123s.biz]
*  2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
*  [URIs: a123s.biz]
*  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
*  [URIs: a123s.biz]
Have you restarted or HUP'd spamd yet?
spamd will read the config files once on initial execution and retain it 
in memory until it's HUP'd or restarted.  Even if you make changes to 
the config file, the changes won't be loaded until HUP or restart.

spamc relies on spamd, and the config that spamd has in memory.
spamassassin will load the config files each time it's executed and does 
not rely on spamd to be running.

based on your results, I would say it's highly likely that restarting or 
HUPing spamd will solve your problems.

alan


Re: URI Tests and Japanese Chars

2005-03-16 Thread alan premselaar
Rose, Bobby wrote:
I have a user that is of Japanese origin and who converses with other
individuals in Japan in his same field of study.  The messages they send
are in Japanese and trip the URI_SBL rule.  These people are in
different .jp domains and I really don't want to get into the
administrative overhead of whitelisting. I don't see anything in the
message bodies that even looks like a URI.  Has anyone else run into
this?
Bobby Rose
Wayne State University School of Medicine 


Bobby,
 That seems a little strange, especially if there are no URIs in the 
mail.  I live in Japan and have mail servers local and state-side that 
process Japanese email without this problem.

Can you provide more details about your setup/configuration and possibly 
provide a sample email that triggers the rule?

alan


Re: MRTG SPAM SYSLOG ?

2005-03-14 Thread Alan Premselaar
ip.guy wrote:
hi all
is anyone using a tool that can parse /var/log/messages to find 
identified SPAM and is able to then build MRTG graphs ?

i was using a tool that could do this a while ago but have totally 
forgotten the name of the project

any help appreciated
I've used graphdefang in conjunction with MIMEDefang... although I think 
 you can run it independently of MIMEdefang.

alan


Re: X-Spam-Status/content analysis details inconsistencies.

2005-03-02 Thread Alan Premselaar
jeffrey.arnold wrote:
Hi users,
I have a weird problem here that i know i am not the only one to 
encounter, and have yet to see (in much searching) a solution for.

I am running spamassassin for all mail via spamd/spamc, and filtering on 
the X-Spam-Status: Yes header. The majority of my spam is getting 
caught, but quite a bit is getting through. The vast majority of the 
spam that gets through is tagged as spam in the subject line (i enable 
rewrite_header), but not tagged as spam in the X-Spam-Status header 
line. In an example spam, i get the following spamass header:

X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
phase.nyc.analogue.net
X-Spam-Level: 
X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_50,HTML_10_20,
HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_SBL
autolearn=no version=3.0.2

The subject/body, on the other hand, contains:
Subject: SPAM(10.9) Become the man that women desire
Content analysis details:   (10.9 points, 5.0 required)
...snip...
So it appears that spamassassin tagged this as spam with 10.9 points, 
but left out some of the rules when writing the X-Spam-Status header, 
claiming the email only received 4.8 points. Spamassassin is installed 
directly out of freebsd ports on a fbsd4.11 box with perl 5.8.5. My 
local.cf is included below. Why would spamassassin be dropping rules 
like this?

Thanks much,
-jba
Jeffrey,
  This type of symptom seems to be common to mail being scanned twice 
(or more) by spamassassin.  how do you have the call to spamd/spamc 
implemented?

alan


Re: SA 3.01 eventually stops noticing DNSBLs

2005-02-24 Thread Alan Premselaar
Jay Levitt wrote:
[SNIP]
I tried to create a test harness to see if I can replicate this outside 
of SA, but for some reason, even though I double-checked the code I 
copied from Dns.pm, I'm getting weird results - it's always giving me 
the root nameservers, instead of the name servers for each of the 
domains.  This is true with recurse = 0, recurse = 1, or recurse left 
out entirely as it is in Dns.pm.  I'm no Perl whiz; can anyone see my 
mistake? 

Code follows:
-
#!/usr/bin/perl
no strict;
no warnings;
require Net::DNS;
require Net::DNS::Resolver;
use strict;
use warnings;
my @EXISTING_DOMAINS = qw{
  adelphia.net
  akamai.com
  apache.org
  cingular.com
  colorado.edu
  comcast.net
  doubleclick.com
  ebay.com
  gmx.net
  google.com
  intel.com
  kernel.org
  linux.org
  mit.edu
  motorola.com
  msn.com
  sourceforge.net
  sun.com
  w3.org
  yahoo.com
};
my $res = Net::DNS::Resolver->new (
   recurse => 0,
   retry => 1,
   retrans => 0,
   dnsrch => 0,
   defnames => 0,
   tcp_timeout => 3,
   udp_timeout => 3,
   persistent_tcp => 1,
   persistent_udp => 1
  );
die unless defined $res;
for(;;) {
  my @domains = @EXISTING_DOMAINS;
  my $domain = splice(@domains, rand(@domains), 1);
  print "trying '$domain'...\n";
  lookup_ns($domain);
}
sub lookup_ns {
  my ($self, $dom) = @_;
   Since you're not using this as a Perl Module (OOP) my 
guess is that $self contains the value you expect to be in $dom and $dom 
is NULL.

Try removing $self from your argument list and make it look like:
  my ($dom) = @_;
and see if that works for you.
debug statements are your friend. :)
hope this helps
alan
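
The argument-binding mistake described in the reply above, as an added stand-alone example (not code from the thread or from SpamAssassin's Dns.pm). The sub names, the Demo::Checker class and the sample domain are constructed for illustration, and no DNS query is made.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp qw(croak);

# Reports the name that would be handed to the resolver, without doing DNS.
sub describe_query {
    my ($dom) = @_;
    return defined $dom && length $dom
        ? "NS query for '$dom'"
        : 'NS query with no name (domain is undef)';
}

# Same signature as the harness in the thread: written like a method,
# so the first argument is taken to be the object.
sub lookup_ns_as_posted {
    my ($self, $dom) = @_;
    return describe_query($dom);
}

# Plain-function form suggested in the reply, plus a guard that fails
# loudly instead of querying with an empty name.
sub lookup_ns_fixed {
    my ($dom) = @_;
    croak 'lookup_ns_fixed: domain argument missing'
        unless defined $dom && length $dom;
    return describe_query($dom);
}

# Hypothetical class: here ($self, $dom) is the correct way to unpack @_,
# because a method call passes the object as the first argument.
{
    package Demo::Checker;
    sub new { my ($class) = @_; return bless {}, $class }
    sub lookup_ns {
        my ($self, $dom) = @_;
        return main::describe_query($dom);
    }
}

my $domain = 'example.org';    # constructed sample input

my @cases = (
    [ 'plain call, sub as posted', lookup_ns_as_posted($domain) ],
    [ 'plain call, fixed sub',     lookup_ns_fixed($domain) ],
    [ 'method call on an object',  Demo::Checker->new->lookup_ns($domain) ],
);
printf "%-28s => %s\n", @$_ for @cases;

# The guard turns a silently missing argument into an immediate error.
my $ok = eval { lookup_ns_fixed(); 1 };
my $err = $ok ? 'no error' : $@;
chomp $err;
printf "%-28s => %s\n", 'fixed sub, no argument', $err;
```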


Re: Bayes for VoIP anyone?

2005-02-18 Thread Alan Premselaar
Richard Ozer wrote:
I can't wait to tell my customers that they need to get SpitAssassin.
RO
That just makes me think of 'Alumn' (referenced from the old Bugs Bunny 
/ Daffy Duck cartoons)

alan


Re: Bayes for VoIP anyone?

2005-02-18 Thread Alan Premselaar
Jim Maul wrote:
Chris Santerre wrote:
Autodialing for commercial solicitation to a residence without prior 
consent by a for-profit group that you're not already doing business 
with is automatically subject to a $500 minimum damage per-call.

I don't know of many residences with VoIP ;)
Also: LOL @ LoogieLauncher!
--Chris (On top of Mt. Wannahuckaloogie and the ring of fire!)


While there aren't many homes with voip yet, there are more and more 
every day.  With vonage and optimum pushing their voip products hard, 
it's only a matter of time.  Especially with optimum and their voip + 
cable tv + cable modem for $100/month deal.

I've had VOIP at home for over a year now. (included with my ADSL service)
alan


more ALL_TRUSTED issues?

2005-02-10 Thread alan premselaar
Today I got an email thru which hit ALL_TRUSTED.  My mail server isn't
NAT'd. I haven't specifically setup trusted_networks or
internal_networks but this is the first I've had a problem with it.

I'm running RH 9 with Sendmail 8.13.3, MIMEDefang 2.49, SpamAssassin 3.02.

the Received headers look a little funky but I haven't really checked
them against any RFCs.  is this a problem with SA? or my setup?

any help is appreciated.

thanks,

alan

here are the unaltered headers of the email in question:

Return-Path: [EMAIL PROTECTED]
Received: from sndr199.beta-ca.mxsvrbsminc.net
(sndr199.beta-ca.mxsvrbsminc.net [72.5.1.199])
by mojo.12inch.com (8.13.3/8.13.0) with ESMTP id j1A1JvBx029323
for [EMAIL PROTECTED]; Thu, 10 Feb 2005 10:19:57 +0900
Received: by sndr199.beta-ca.mxsvrbsminc.net id h1apo006574r; Wed, 9 Feb
2005 16:55:49 -0800 (envelope-from [EMAIL PROTECTED])
Received: from localhost by BSMgateway.
()
with ESMTP id mid98433179.msg
for [EMAIL PROTECTED]; Wed, 9 Feb 2005 16:55:49 -0800
Date: Wed, 9 Feb 2005 16:55:49 -0800
From: "Little-Blue Pill." [EMAIL PROTECTED]
To: "Online Consumer" [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Is this what your life is like alien?
Message-ID: [EMAIL PROTECTED]
X-envid: 98433179
X-Mailer: MOM Agent (v.9.8.433179)
X-CRC32ID: 38112EE1;AEF06669;D9F55A5F
x-MOMID1: VFdZVl1FQlQJAQAHVFRYUlwA
x-MOMID2: XF5dUFVHW14cCQcA
x-MOMID3: XV1CVVdbRVgSAQYPWFpXUVpPICNjHQIGXVtaXVleQ10LBAQbWloA
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--98433179_abFeb1029"
X-Spam-Scanner: SpamAssassin 3.02 (http://www.spamassassin.org/) on
mojo.12inch.com
X-Spam-Score: 1.857 / 4.000: 26.857%
X-Spam-Tests:
DCC_CHECK(2.169),BAYES_99(1.886),URIBL_SBL(0.996),HTML_IMAGE_RATIO_04(0.105),HTML_MESSAGE(0.001),ALL_TRUSTED(-3.300)
X-SPF-Header: mojo.12inch.com: domain of
[EMAIL PROTECTED] designates 72.5.1.199 as permitted sender
X-Scanned-By: MIMEDefang 2.49 on 64.7.201.48

Re: How do I disable spews?

2004-12-24 Thread alan premselaar
Brenda Bell wrote:
I upgraded from 3.0.1 to 3.0.2 this morning and all of a sudden,
I can't send myself email from work because spews blacklisted an
entire block of uunet addresses and my company is in the middle
of the block.  (side note:  we do not spam and we fight it with
every bit of technology we have).
I've searched both local.cf and all of the rules files for spews
and for the life of me, I can't figure out why my SA is checking
spews.  Could someone please point me in the right direction?
Brenda,
  how are you calling SpamAssassin?  SA only tags mail that scores as 
spam, it doesn't (in and of itself) do any rejection or movement of mail. 
Another piece of the puzzle has to do those sort of things.

Chances are if your mail is being rejected (5xx errors), then there's 
something in your MTA configuration that's checking SPEWS and rejecting 
based on its results. (which I personally feel isn't such a great tactic 
for just THIS reason)

you should check that out, but considering the lack of any useful 
information, we can't offer you any further assistance.

alan


Re: MIT Spam conference

2004-12-21 Thread alan premselaar
Daniel Quinlan wrote:
William Stearns [EMAIL PROTECTED] writes:
...snip...
If you're ever in the SF Bay Area and would like to get together, drop
me a line.  I've met with Jeff a few times.
if any of you are ever in tokyo, i'd be down for meeting up for drinks 
or something.

alan


trying to install 3.0.2 via CPAN

2004-12-19 Thread alan premselaar
for some reason i'm getting SPF failures during the 'make test' phase:
t/spf...Not found: helo_pass =  SPF_HELO_PASS
# Failed test 1 in t/SATest.pm at line 530
Not found: pass =  SPF_PASS
# Failed test 2 in t/SATest.pm at line 530 fail #2
t/spf...FAILED tests 1-2 

Failed 2/2 tests, 0.00% okay
t/sql_based_whitelist...ok
SpamAssassin 3.0.1 is currently running on the systems (it's happening 
on 2 RedHat systems, one 7.2 and one 9.0).

Mail::SPF::Query is installed and the latest version.
the 7.2 system is running perl 5.6.1 and the 9.0 system is running perl 
5.8.0

I didn't find any information on bugzilla regarding this.
any ideas?
thanks,
alan


Re: trying to install 3.0.2 via CPAN

2004-12-19 Thread alan premselaar
Loren Wilton wrote:
for some reason i'm getting SPF failures during the 'make test' phase:
t/spf...Not found: helo_pass =  SPF_HELO_PASS
# Failed test 1 in t/SATest.pm at line 530
Not found: pass =  SPF_PASS
# Failed test 2 in t/SATest.pm at line 530 fail #2
t/spf...FAILED tests 1-2
Failed 2/2 tests, 0.00% okay
t/sql_based_whitelist...ok
I didn't find any information on bugzilla regarding this.

There were some comments on the dev list just last night or earlier today
about this problem, or one very much like it.  I didn't quite follow where
the comments led, since I'm not very interested in SPF myself.  But I think
this is something the devs have seen.
Loren
Loren,
 thanks for the response.  So, it's probably best if i just wait to 
upgrade to 3.0.2 until something about this is resolved?  I didn't see 
anything on bugzilla about it.

obviously I could force install, but i really prefer not doing that if I 
can avoid it.

alan


Re: spamd vs spamass-milter

2004-12-15 Thread alan premselaar
[EMAIL PROTECTED] wrote:
currently i'm using procmailrc to start spamd since i have 
a couple users who dont want their mails checked by SA, now 
i'm looking into spamass-milter.

Is there an option within the milter api to exclude certain users from SA
or is there another workaround to do so ?
many thanks
matt
Matt,
 I'm not all that familiar with spamass-milter, however I can say that 
you can do what you want to do with MIMEDefang (another milter)

alan


low scoring SPAM

2004-12-04 Thread alan premselaar
I've recently (about a month ago) installed a new mail server and 
upgraded to SA 3.01.  I've been training the bayes database by hand 
(most of our mail is japanese and the autolearning wasn't a good way to 
start the bayes learning)

anyways, I'm not using any custom or 3rd party rules.  I'm a little 
baffled why the following email scored so low.  i'm also a little 
puzzled why the BAYES_99 has such a low score.  i'm tempted to crank it 
up a bit, but concerned about how that will affect the system in general 
and also concerned about false positives.

can anyone give me some insight?
thanks
alan
P.S. in the past i've refrained from sending the "why didn't this mail 
score higher" types of messages to the list, but I've been seeing a 
pattern of hitting BAYES_99 and not many other rules.

 Original Message 
Return-Path: [EMAIL PROTECTED]
Received: from mail-3.tiscali.it (mail-3.tiscali.it [213.205.33.23])	by 
mail.mydomain.tld (8.13.1/8.13.1) with ESMTP id iB3HsScd004906	for 
[EMAIL PROTECTED]; Sat, 4 Dec 2004 02:54:29 +0900
Received: from [80.179.190.4] by mail-3.tiscali.it with HTTP; Fri, 3 Dec 
2004 18:49:21 +0100
Date: Fri, 3 Dec 2004 09:49:21 -0800
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: DEAR lick, PLEASE I WANT YOU TO ACT AS THE NEXT OF KIN OF MR, 
WINSTON lick.
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
X-Spam-Scanner: SpamAssassin 3.01 (http://www.spamassassin.org/) on 
mail.mydomain.tld
X-Spam-Score: 3.339 / 5.000: 23.339%
X-Spam-Tests: 
BAYES_99(1.886),RCVD_IN_BL_SPAMCOP_NET(1.216),RISK_FREE(0.230),NO_REAL_NAME(0.007)
X-Spam-Level: ***
X-Spam-Disposition: Suspected
X-Scanned-By: MIMEDefang 2.49 on 127.0.0.1
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by 
mail.valueclick.jp id iB3HsScd004906



 FROM: THE DESK OF BARR, KEN MARK.
MARKLAWCHAMBERS
NO, 56 WARF ROAD APAPA
LAGOS NIGERIA.
Email; [EMAIL PROTECTED]
TO: lick,
I am Barrister Mark Ken green, a solicitor. I am the private Attorney to
Mr. Winston lick, a National of your country, who used to work with Strabag
Construction Company in Nigeria. On the 21st of April were involved in a
car accident along Sagbama Express Road. All occupants of the vehicle 
unfortunately
lost their lives.
Since then I have made several enquiries to your Embassy to locate any of
my client's relatives, this has also proved unsuccessful. After these 
several
unsuccessful attempts, I decided to trace his last name over the Internet,
to locate any member of his family hence I contacted you.
I have contacted you to assist in repatriating the money and property left
behind by my client before they get confiscated or declared unserviceable
by the Finance Company where this huge deposits were lodged where the 
deceased
had an account valued at about 10 Million Dollars has issued me a notice!
To provide the next of kin or have the account confiscated. Since I have
been unsuccessful in locating the relatives for over 2 years now I seek
your consent to present you as the next of kin of the deceased since you
have the same last name so that the proceeds of this account valued at 10
Million Dollars can be paid to you and then you and me can share the money.
50% for me and 40% for you and 10% will be used for any expenses that this
might cost on the process of this transaction. I have all necessary legal
documents that can be used to back up any claim we may make. All I required
is your honest co-operation to enable us see this deal through.
I guarantee that this transaction will be executed under a legitimate 
arrangement
that will protect you from any breach of the law. It is 100% risk-free.
Please get in touch with me by my private email address, 
[EMAIL PROTECTED]
to enable us discuss further
Awaiting to hear from you soon.
Thanks and God bless you,
Mark Ken green (Esq.


__
Tiscali Adsl 2 Mega Free: the fastest ADSL is free!
Surf free of fixed costs with Tiscali Adsl 2 Mega Free, the fastest Free
ADSL in Italy. What's more, if you subscribe by 13 December 2004,
you surf for free until 31 March 2005 and pay no sign-up fee.
http://abbonati.tiscali.it/adsl/




Re: spamd does not start

2004-12-03 Thread alan premselaar
jdow wrote:
(B From: "alan premselaar" [EMAIL PROTECTED]
(B To: "xoops$B<B83<<4IM}?M(B" [EMAIL PROTECTED]
(B Cc: users@spamassassin.apache.org
(B Sent: 2004 December, 02, Thursday 23:27
(B Subject: Re: spamd does not start
(B 
(B 
(B 
(Bxoops$B<B83<<4IM}?M(B wrote:
(B
(BHi,
(B
(BI have newly installed spamassassin-3.0.1 into linux box 2.4.18-22
(B 
(B running qmail with qmail-queue patch.
(B 
(BHaving a trouble to start spamd with SPAMDOPTIONS="-x -u spamd -H
(B 
(B /home/spamd -d":
(B 
(B "Starting spamd: Bareword "SO_REUSEPORT" not allowed while "strict
(B 
(B subs" in use at /usr/lib/perl5/5.6.1/IO/Socket/INET.pm line 160.
(B 
(BCompilation failed in require at
(B 
(B /usr/lib/perl5/5.6.1/i386-linux-thread-multi/IO/Socket.pm line 21.
(B 
(BCompilation failed in require at /usr/bin/spamd line 38.
(BBEGIN failed--compilation aborted at /usr/bin/spamd line 38.
(B
(BI installed prerequisited modules, HTML::Parser, DB_File Net::DNS,
(B 
(B BerkeleyDB, Net::SMTP, Mail::SPF::Query, IP::Country::Fast.
(B 
(BAnd it's wonder another linux box with  the same configuration is
(B 
(B running allright.
(B 
(BThanks for any help.
(B
(BHodaka
(B
(B
(BHodaka-san,
(B
(B  what version of IO::Socket do you have installed? you may need to
(Bupdate it.  I haven't personally experienced this problem, but i've got
(Bthe latest IO::Socket installed from CPAN.
(B
(Bhope this helps
(B
(Balan
(B 
(B 
(B Please, could you use a smaller font. This one spreads the message all over
(B my screen and I can't read it. It's like
(B one word per line.
(B 
(B {O.O}(And that's sarcasm if you don't get it.)
(B 
(B 
(Bdon't know what you're talking about.  I only use plain text email so
(Bthere shouldn't be any font size control.  The only thing I can think of
(Bis that in replying to the original message, the charset (ISO-2022-JP)
(Bwas retained and perhaps you have really small fonts settings for
(BISO-2022-JP type mail in your mail client :p
(B
(Balan

Re: Test and Keep spam

2004-12-02 Thread alan premselaar
Kenneth Porter wrote:
Been getting a bunch of these lately, and they're falling on either side 
of the 5.0 margin. Two that came in under 5.0 today have unusual 
characteristics: The Bayes score on one is 60% and scores higher than 
one with an 80% Bayes score. You can see my current uncaught corpus here:

http://home.sewingwitch.com:8000/Stuff/UncaughtSpam.mbox
Kenneth,
  I've noticed with my corpus that BAYES_95 and BAYES_99 score less 
than say BAYES_80 ... which has been a little discouraging for me since 
most of the mail i'm filtering is japanese and other tests don't hit 
often so I have to rely heavily on my (manually trained) Bayes database...

having items that hit BAYES_99 only scoring 1.8 and change compared to 
the 2 and change that BAYES_80 scores has been a little frustrating.

I'm tempted to change the scores for BAYES_95 and BAYES_99, but i'm 
concerned about what other effects that might have ...

not sure if this information will be helpful or not, but thought i'd 
share anyways.

alan
p.s. I'm using SA 3.01 with MIMEDefang 2.49 on this machine. no 3rd 
party rulesets installed.


Re: Japanese False Positives with Spam Assassin 3.01 and RH WS 3.0

2004-12-01 Thread alan premselaar
Johnson, Robert F wrote:
Hi,
I have been having a high occurrence of Japanese false positives since
upgrading from Spam Assassin 2.64 on RedHat 7.3 with MimeDefang 2.31 to
Spam Assassin 3.01 on RedHat Workstation 3.0 installed site wide via
MimeDefang 2.44.  I am wondering if this is due to the problem with Red
Hat 9.0 Unicode UTF-8.  I had no issues with Japanese false positives in
the RH 7.3 based environment.
I've a few articles regarding this issue, but need some help
understanding correct LANG configurations for Spam Assassin 3.01 on
RedHat Workstation 3.0 installed site wide via MimeDefang 2.44.
I currently have the following set in /etc/sysconfig/i18n: (we are US
based)
LANG=en_US
SUPPORTED=en_US
I compiled Spam Assassin from tar ball with LANG set to en_US (export
LANG=en_US).  Are these settings correct?  Could this be causing the
Japanese false positives?  

Are there any other known issues that can cause Japanese false positives
using Spam Assassin 3.01?
Thanks for any help!
Rob

Rob,
  just a couple obvious questions.  what are your ok_locales and 
ok_languages settings in your sa-mimedefang.cf file set to?

what rules are the japanese emails hitting when they're tagged as false 
positives?

I'm based in Japan, just recently upgraded to SA 3.01 with MD 2.49 and 
using a MySQL based bayes database and I've been noticing some 
quirkiness with Japanese email as well, but haven't really pinned it 
down yet.

alan


Re: Japanese False Positives with Spam Assassin 3.01 and RH WS 3.0

2004-12-01 Thread alan premselaar
Daniel Quinlan wrote:
Johnson, Robert F [EMAIL PROTECTED] writes:

Based on spot checking of a couple of dozen examples, I didn't see any
significant pattern of out of the box rules being involved, mostly SARE
or WIKI rules.  The most heavily implicated were the following:
(MANGLED and SARE_SUB_CASH_CHAR probably had the biggest impact.)
SARE Rules
SARE_SUB_CASH_CHAR
SARE_RAND_2
WIKI Rules
MANGLED_LIST
MANGLED_LIPS
J_CHICKENPOX_12
J_CHICKENPOX_22
HTML_BACKHAIR_4

The last of those is a default rule, but it has almost a zero score.
 

Out of the Box:
GAPPY_SUBJECT
FREE_SAMPLE
OBSCURED_EMAIL

The problem doesn't sound like it's SpamAssassin despite the subject
line of this email, rather it's third-party rulesets.
Daniel

I hit GAPPY_SUBJECT and OBSCURED_EMAIL *A LOT* ... i don't have any 3rd 
party rulesets installed.

as a side note, i've been recently trying to update the 
JAPAN_UCE_SUBJECT rule as there's another phrase that's being used 
recently, and for some reason it hasn't been triggering.

I think part of the problem is that I have to enter it in ISO-2022-JP 
charset and it contains at least 2 escape(d) characters so the regex 
might not be accurate. (still working on that)

alan
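
The escaping problem described above, as an added example (not code from this thread or from SpamAssassin): ISO-2022-JP text is framed by ESC $ B and ESC ( B, and `$` and `(` are regex metacharacters, so the raw bytes cannot be pasted into a pattern as they are. It assumes the rule is matched against the subject's raw ISO-2022-JP bytes, as the post describes; the function names, the rule name and the sample phrase are constructed for illustration.

```python
import re

SHIFT_IN = b"\x1b$B"   # ESC $ B: switch to two-byte JIS X 0208
SHIFT_OUT = b"\x1b(B"  # ESC ( B: switch back to ASCII


def escape_bytes(raw: bytes) -> str:
    """Spell raw bytes as a pattern that is literal in Perl and Python regexes."""
    out = []
    for b in raw:
        ch = chr(b)
        if b < 0x80 and (ch.isalnum() or ch == "_"):
            out.append(ch)             # word characters need no escaping
        elif 0x20 < b < 0x7F:
            out.append("\\" + ch)      # '$', '(', '>', '/', ... become literals
        else:
            out.append("\\x%02x" % b)  # ESC and other non-printables as \xNN
    return "".join(out)


def subject_rule_pattern(phrase: str) -> str:
    """Build a pattern that finds `phrase` inside an ISO-2022-JP subject."""
    raw = phrase.encode("iso2022_jp")
    if not (raw.startswith(SHIFT_IN) and raw.endswith(SHIFT_OUT)):
        raise ValueError("phrase must consist of JIS X 0208 characters only")
    body = raw[len(SHIFT_IN):-len(SHIFT_OUT)]
    if b"\x1b" in body:
        raise ValueError("phrase switches character set mid-way")
    # Anchor on the shift-in sequence, then skip whole two-byte characters so
    # the phrase can only match on a character boundary.
    return escape_bytes(SHIFT_IN) + r"(?:[\x21-\x7e]{2})*?" + escape_bytes(body)


def matches(pattern: str, subject: str) -> bool:
    """Test the pattern against the subject's raw ISO-2022-JP bytes."""
    data = subject.encode("iso2022_jp")
    return re.search(pattern.encode("ascii"), data) is not None


if __name__ == "__main__":
    PHRASE = "未承諾広告"  # constructed sample phrase
    pat = subject_rule_pattern(PHRASE)
    print("header LOCAL_JP_PHRASE Subject =~ /%s/" % pat)  # hypothetical rule name
    print(matches(pat, "これは未承諾広告です"))  # phrase present
    print(matches(pat, "会議のお知らせ"))        # phrase absent
```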


Re: sa-learn problem

2004-11-20 Thread alan premselaar
Bob Mortimer wrote:
*snip*
#!/usr/bin/perl5.8.3 -T -w
which is clearly where the problem lies.
Correcting that to #!/usr/bin/perl5.8.5 -T -w solves the problem but still 
leaves me wondering how it happened in the first place.

Thanks for the help!

Bob,
  I'd suggest changing it to /usr/bin/perl -T -w (instead of 
/usr/bin/perl5.8.5) to prevent the same kind of confusion should you 
ever upgrade perl again.

alan
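
A check for the failure in this thread, as an added example (not code from the posters or from SpamAssassin): it lists scripts in a directory whose `#!` line names an interpreter that no longer exists, which is what happened to sa-learn after the Perl upgrade. The function names are constructed for illustration, and `/usr/bin` in the usage lines is an assumed location.

```python
import os
import shutil


def resolve_interpreter(first_line: bytes):
    """Return (interpreter, found) for a '#!' line, or None if it is not one."""
    if not first_line.startswith(b"#!"):
        return None
    parts = first_line[2:].decode("utf-8", "replace").split()
    if not parts:
        return None
    interp = parts[0]
    found = os.path.isfile(interp) and os.access(interp, os.X_OK)
    if found and os.path.basename(interp) == "env":
        # '#!/usr/bin/env perl': the real interpreter is looked up on PATH.
        names = [p for p in parts[1:] if not p.startswith("-") and "=" not in p]
        if names:
            interp, found = names[0], shutil.which(names[0]) is not None
    return interp, found


def stale_shebangs(directory: str) -> dict:
    """Map each script in `directory` with a missing interpreter to that interpreter."""
    stale = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                first = fh.readline(256)   # a shebang line is short; skip the rest
        except OSError:
            continue                        # unreadable file: nothing to report
        resolved = resolve_interpreter(first)
        if resolved and not resolved[1]:
            stale[path] = resolved[0]
    return stale


if __name__ == "__main__":
    # Assumed location; point it at wherever sa-learn and spamassassin live.
    for script, interp in stale_shebangs("/usr/bin").items():
        print("%s: interpreter %s not found" % (script, interp))
```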


Re: sa-learn problem

2004-11-19 Thread alan premselaar
Bob Mortimer wrote:
I've run into a problem with sa-learn. I'm running SA 3.0.1, and since the 
RPMs always seem to lag behind the binaries it's compiled. I call 
spamassassin using amavisd. I think the problem has arisen since upgrading my 
Mandrake system from 10.0 to 10.1, it looks like 10.1 uses Perl 5.8.5, I 
think 10.0 was on 5.8.3

when I try to sa-learn my ham/spam I get the following:
/usr/bin/sa-learn: /usr/bin/perl5.8.3: bad interpreter: No such file or 
directory

I've tried recompiling spamassassin but it seems to have made no difference. 
ISTR I ran into a similar problem when the SURBL stuff came out and it 
involved moving some files around somewhere in 
the /usr/lib/perl5/vendor_perl/5.8.* tree but I seem to have run out of 
talent in trying to figure it out ;-)

Any help appreciated.
 
Regards,

Bob

Bob,
  what is the actual sa-learn command you're using? I ran into this 
using Maildir format by specifying sa-learn -D --spam /path/to/maildir/cur/*

and received /usr/bin/sa-learn: /usr/bin/perl: bad interpreter: too 
many arguments as an error. I found that doing find 
/path/to/maildir/cur/ -name * -exec sa-learn --spam {} \; mostly 
worked but had some unexpected results that make me think I didn't need 
to specify the * after my path. (although perl choked if i didn't)

this is on a system that I am running Perl 5.8.0 on (although it seems 
to be working now).  I had maybe 1300+ mail files in the directory.

anyways, it seems to me like the file you're telling it to read 
is either not there, or it's been moved while it was open.

hope this helps
alan


Re: Configuring bayes lock file locations?

2004-11-18 Thread alan premselaar
brian wrote:
After upgrading to 3.0.1 I've been having problems with bayes.  This may 
be a question for the mimedefang guys, but I'll start here.

I have upgraded the databases, and it's now reading correctly, as I get 
bayes scoring now.  However autoupdates are failing because of lock 
files...

In my config I have:
bayes_path  /var/spool/MIMEDefang
Maillog is reporting:
Nov 17 12:54:02 lithium mimedefang-multiplexor[35151]: Slave 0 stderr: 
bayes: lock: 35570 cannot create tmp lockfile 
/var/spool/MIMEDefang.lock.host.domain.com.35570 for 
/var/spool/MIMEDefang.lock: Permission denied

This seems to me a spamassassin error message.  It appears that I need 
to be able to configure where the lock file is written.  /var/spool is 
not an option since it's not a very good idea to loosen permissions here 
for obvious security reasons (not to mention mimedefang will tell you to 
sod off until you fix it).

Brian,
  This has been discussed on the MIMEDefang list in the past.  It 
appears to be a timing issue between MIMEDefang and the SA locking 
mechanisms.  adding 'bayes_learn_to_journal 1' to your sa-mimedefang.cf 
file should resolve your problems. (at least it resolved the problem for me)

hope this helps.
alan


[Fwd: problems with CHARSET_FARAWAY_HEADER rule being triggered]

2004-11-15 Thread alan premselaar
[resending]
Hi,
 It's been awhile since i've participated on the list.  I've just
attempted to scour the entire net trying to find some information on
this, but I haven't found anything.
I've just installed SpamAssassin 3.01 in conjunction with MIMEDefang
2.48 on a redhat enterprise server 3.0 machine.
The problem I'm encountering is that even with ok_languages en ja and
ok_locales en ja in my config file, mails that arrive with a japanese
(iso-2022-jp) subject are triggering the CHARSET_FARAWAY_HEADERS rule.
I'm running the same setup on a redhat 9 machine with version 3.0 of
SpamAssassin and 2.45 of MIMEDefang with the same configuration options
and i'm not experiencing this problem.
Is it possible that something broke in the 3.01 update?
for the time being, I've set the CHARSET_FARAWAY_HEADER score to really
low (so i can see if it's being triggered, but so it won't push the
score up) but i'd like to be able to set it back since we occasionally
get UCE with chinese or other foreign charsets in the subject or header.
The bayes database doesn't currently have enough emails trained to be
active.  the system i'm not having the problem with, has an active bayes
database.
any assistance will of course be greatly appreciated.
Thanks,
alan


problems with CHARSET_FARAWAY_HEADER rule being triggered

2004-11-14 Thread alan premselaar
Hi,
 It's been awhile since i've participated on the list.  I've just 
attempted to scour the entire net trying to find some information on 
this, but I haven't found anything.

I've just installed SpamAssassin 3.01 in conjunction with MIMEDefang 
2.48 on a redhat enterprise server 3.0 machine.

The problem I'm encountering is that even with ok_languages en ja and 
ok_locales en ja in my config file, mails that arrive with a japanese 
(iso-2022-jp) subject are triggering the CHARSET_FARAWAY_HEADERS rule.

I'm running the same setup on a redhat 9 machine with version 3.0 of 
SpamAssassin and 2.45 of MIMEDefang with the same configuration options 
and i'm not experiencing this problem.

Is it possible that something broke in the 3.01 update?
for the time being, I've set the CHARSET_FARAWAY_HEADER score to really 
low (so i can see if it's being triggered, but so it won't push the 
score up) but i'd like to be able to set it back since we occasionally 
get UCE with chinese or other foreign charsets in the subject or header.

The bayes database doesn't currently have enough emails trained to be 
active.  the system i'm not having the problem with, has an active bayes 
database.

any assistance will of course be greatly appreciated.
Thanks,
alan