Re: New spam-to me-and how do I stop.
On Tue, Jan 06, 2009 at 02:07:38PM -0600, Craig wrote:
> Hello All-
>
> I have recently been getting MANY spam slipping through Spamassassin and I am looking for help on how to stop. I have used Spamassassin with Bayes successfully for many years now and once I train the system on new spam, the system does an excellent job of stopping.
>
> These messages are very short and include a link. The subject is usually regarding watches, or are thinly disguised viagra ads. Many are sent from aim.com
>
> Below is header info and below that is the Spamassassin output of an email that has slipped through.
>
> Specs: SA 3.17 With Bayes integration, DNS testing.
>
> Thanks
> Craig
>
> To: gillian.gr...@btinternet.com
> Subject: Private Message.
> Date: Tue, 06 Jan 2009 14:36:43 -0500
> X-AOL-IP: 81.37.21.218
> X-MB-Message-Source: WebUI
> MIME-Version: 1.0
> From: omqdwc63...@aim.com
> X-MB-Message-Type: User
> Content-Type: multipart/alternative; boundary=MB_8CB3E4D3D238A60_FE4_95E_Webmail-mg02.sim.aol.com
> X-Mailer: AIM WebMail 40627-STANDARD
> Received: from 81.37.21.218 by Webmail-mg02.sim.aol.com (64.12.142.150) with HTTP (WebMailUI); Tue, 06 Jan 2009 14:36:43 -0500
> Message-Id: 8cb3e4d3d212802-fe4-...@webmail-mg02.sim.aol.com
> X-Spam-Flag:YES
>
> --MB_8CB3E4D3D238A60_FE4_95E_Webmail-mg02.sim.aol.com
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain; charset=us-ascii
>
> Don't fail in the bed games. Try THIS. 50 percent add present >>>?http://www.ecbdollar.com/sp.php?<<<
> ___
> Spam detection software, running on the system spam_server.unitedwayqc.lcl, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see ccanfi...@unitedwayqc.org for details.
>
> Content preview: Breakthrough formula for men 50 percent add present >>>?http://www.canada-cz.com/sp.php?<<< [...]
>
> Content analysis details: (3.3 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 NO_REAL_NAME           From: does not include a real name
>  2.2 FROM_HAS_MIXED_NUMS    From: contains numbers mixed in with letters
>  0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
>  0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60% [score: 0.5000]

Directly from our local.cf:

===== 8< snip -----
# We've (or at least the webmaster has) had a problem with spam
# from aim.com users, coming from AOL servers. After much training,
# they hit BAYES_99, but not enough other rules to go over the edge.
# These are designed to handle that.
header __RLM_RCVD_FROM_AOL Received =~ /from .*\.aol\.com/
header __RLM_FROM_AIM_USER From =~ /\...@aim\.com/
meta RLM_AIM_SPAM (__RLM_RCVD_FROM_AOL && __RLM_FROM_AIM_USER)
# Most of this already scores 3.5.
score RLM_AIM_SPAM 1.6
===== 8< snip -----

Set your score to push them over the threshold. Much more than that and you risk FPs.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
b...@bobcatos.com
http://www.bobcatos.com
My son, do not despise the LORD's discipline and do not resent his rebuke, because the LORD disciplines those he loves, as a father the son he delights in. Proverbs 3:11-12 (NIV)
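How the local.cf rules in the reply above combine with a message's other hits, as an added example that is not part of the original post and not SpamAssassin's own code: a small Python evaluator for the `header`/`meta`/`score` subset used there, run over constructed headers. The From pattern `/\@aim\.com/`, the sample headers and the simplified semantics (one score per rule, no nested metas) are assumptions.

```python
import re

# Rule subset modelled on the local.cf snippet in the reply above.
# Assumption: the From pattern is /\@aim\.com/ (the archive masked the original).
LOCAL_CF = r"""
header __RLM_RCVD_FROM_AOL  Received =~ /from .*\.aol\.com/
header __RLM_FROM_AIM_USER  From =~ /\@aim\.com/
meta   RLM_AIM_SPAM         (__RLM_RCVD_FROM_AOL && __RLM_FROM_AIM_USER)
score  RLM_AIM_SPAM         1.6
"""
TOKEN = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")

def parse_rules(text):
    """Parse header/meta/score lines into (headers, metas, scores) dicts."""
    headers, metas, scores = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "header":
            m = re.fullmatch(r"(\S+)\s*=~\s*/(.*)/", rest)
            if not m:
                raise ValueError(f"unsupported header rule: {line}")
            headers[name] = (m.group(1).lower(), re.compile(m.group(2)))
        elif kind == "meta":
            metas[name] = rest
        elif kind == "score":
            scores[name] = float(rest.split()[0])
    return headers, metas, scores

def eval_meta(expr, hits):
    """Evaluate a meta expression (&&, ||, !, parentheses) over hit rule names."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"meta: unsupported syntax in {expr!r}")
    idx = 0

    def take(expected=None):
        nonlocal idx
        tok = tokens[idx] if idx < len(tokens) else None
        if expected is not None and tok != expected:
            return None  # not the token we wanted: leave it in place
        idx += 1
        return tok

    def parse_or():
        val = parse_and()
        while take("||"):
            val = parse_and() or val
        return val

    def parse_and():
        val = parse_unary()
        while take("&&"):
            val = parse_unary() and val
        return val

    def parse_unary():
        tok = take()
        if tok == "!":
            return not parse_unary()
        if tok == "(":
            val = parse_or()
            if not take(")"):
                raise ValueError("meta: expected ')' (operator missing?)")
            return val
        if tok is None or tok in ("&&", "||", ")"):
            raise ValueError(f"meta: unexpected {tok!r}")
        return tok in hits

    result = parse_or()
    if idx != len(tokens):
        raise ValueError(f"meta: unexpected {tokens[idx]!r}")
    return result

def score_message(msg_headers, other_hits, rules, required=5.0):
    """Return (total, is_spam, local_hits); other_hits maps already-fired rules to scores."""
    headers, metas, scores = rules
    hits = set(other_hits)
    for name, (hdr, rx) in headers.items():
        if any(h.lower() == hdr and rx.search(v) for h, v in msg_headers):
            hits.add(name)
    for name, expr in metas.items():  # single pass: these metas do not nest
        if eval_meta(expr, hits):
            hits.add(name)
    local = [n for n in hits if n not in other_hits and not n.startswith("__")]
    # "__" sub-rules never score; a rule without a score line counts 1.0.
    total = round(sum(other_hits.values()) + sum(scores.get(n, 1.0) for n in local), 2)
    return total, total >= required, sorted(local)

# Constructed headers modelled on the message in the post (not real traffic).
AIM_VIA_AOL = [("From", "user1234@aim.com"),
               ("Received", "from 192.0.2.10 by webmail.sim.aol.com with HTTP")]
AIM_OTHER_RELAY = [("From", "user1234@aim.com"),
                   ("Received", "from host.example.net by mx.example.org with ESMTP")]
# Stock-rule scores from the report quoted in the post (3.3 points in total).
REPORT_HITS = {"NO_REAL_NAME": 1.0, "FROM_HAS_MIXED_NUMS": 2.2,
               "HTML_50_60": 0.1, "BAYES_50": 0.0}

if __name__ == "__main__":
    print(score_message(AIM_VIA_AOL, REPORT_HITS, parse_rules(LOCAL_CF)))
```

With the 3.3 points from the quoted report, the 1.6 bump gives 4.9, still below the 5.0 threshold; the meta tips a message over only once its other rules reach the 3.5 mentioned in the rule's comment.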
Re: had it with spaces spam and idiots at hotmail
On Wed, Oct 29, 2008 at 08:13:34AM -0400, Michael Scheidell wrote:
> I have had it with spaces live random url spam. we get thousands of them, most from zombots, and idiots at hotmail want a valid live account to process the complaint
>
> Thank you for reporting spam to the Windows Live Hotmail Support Team. This is an auto-generated response to inform you that we have received your submission. Please note that you will not receive a reply if you respond directly to this message.
>
> Unfortunately, in order to process your request, Hotmail Support needs a valid Windows Live Hotmail hosted account.

Me, too. There's a good reason they are listed on rfc-ignorant.org. However, after some digging, I found a place to report the stuff. Go to

https://support.live.com/eform.aspx?productKey=wlspacesabusect=eformts

Fill in your name and email. For the offender's email, which I don't know, I put [EMAIL PROTECTED]. Then fill in the URL of the spamsite. For the two selection boxes, I put other since none of the other things fit. In the Please provide as much detail ... textarea box, I put Spamvertised web site: and follow that with a cut-and-paste of the entire spam with full headers.

Have at it.

> this looks for it, assigns some reasonable scores, and if (add your favorite shortcut) bumps it up another 5.
>
> uri ST_SPACES /\.spaces\.live\.com/$
> score ST_SPACES 5 3 4 2
> meta ST_SPACES_BUMP (ST_SPACES && (RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_XBL || RCVD_IN_BL_SPAMCOP_NET || DCC_CHECK))
> tflags ST_SPACES_BUMP net
> score ST_SPACES_BUMP 5
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> | SECNAP Network Security Corporation
> * Certified SNORT Integrator
> * King of Spam Filters, SC Magazine 2008
> * Information Security Award 2008, Info Security Products Guide
> * CRN Magazine Top 40 Emerging Security Vendors

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
The Lord says: These people come near to me with their mouth and honor me with their lips, but their hearts are far from me. Their worship of me is made up only of rules taught by men. Therefore once more I will astound these people with wonder upon wonder; the wisdom of the wise will perish, the intelligence of the intelligent will vanish. Isaiah 29:13-14 (NIV)
Re: Strange behavior - load high when scanning mail from one specific user
On Thu, Oct 09, 2008 at 05:45:12AM -0700, martinezpt wrote:
> Hi!
>
> I've noticed a strange behavior on a server I maintain and after 2 days trying to figure it out by monitoring the server and searching the web I still cannot determine the cause of the problem.
>
> I'm running cPanel with Exim+Spamassassin. In the last few days, during some specific periods we noticed that the server load was unusually high (7). After a few hours monitoring it we noticed that every time the load went up, there was a spamd process owned by a specific user that never finished. Once we killed it the load returned to normal values.
>
> For the past 2 days we were able to confirm this: whenever the server had a high load, there was a spam assassin process owned by that specific user hanging around and with a lot of cpu % time. Once we kill it, the server load drops dramatically.
>
> We have almost 100 accounts at that server so it must not be a coincidence that it is always that user that owns the offending process. The only clue we have is that the user had SpamAssassin disabled for a while, but enabled it again last week. He has sufficient disk quota and is not receiving an abnormal amount of emails. We tried disabling spam assassin and re-enabling it later.
>
> Any clues as to where I should next? any test I can perform?
> --
> View this message in context: http://www.nabble.com/Strange-behavior---load-high-when-scanning-mail-from-one-specific-user-tp19898283p19898283.html
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

We had this happen to a user a couple months ago. When we

sa-learn -u userid --dump magic

I think it complained about a DB version mismatch or something like that. There's probably a more elegant solution, but we renamed (or deleted) his bayes_* files, and that cured the problem, though he had to start over on Bayes.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Those whom I love I rebuke and discipline. So be earnest, and repent. Revelation 3:19 (NIV)
Re: Mailer DAEMON Returns Body Check on Multipart
On Mon, Aug 25, 2008 at 09:13:16PM +0200, Hachmann wrote:
> SM wrote:
>> Hi Alexander,
>> At 06:35 25-08-2008, Alexander Hachmann wrote:
>>> I am currently having the problem with a lot of mails returning from daemons in response to mails I did not write. Does anyone have a .cf solution for this issue. I am getting more than a hundred per week of these f.ng Mails.
>>
>> Have you tried http://wiki.apache.org/spamassassin/VBounceRuleset
>>
>> Regards,
>> -sm
>
> Thank you for your reply. This seems to be exactly what I want. Unfortunately I am running 3.0.4 and this only works from 3.1 on. I am not that familiar with upgrading SA. Is there an easy and safe way?

If the original was installed from CPAN, that's the best way to upgrade. Just (as root)

# cpan
cpan> install Mail::SpamAssassin

or you can download (as you did below - BTW the latest is v3.2.5), blow up the tarball, and then

$ perl Makefile.PL
$ make
$ make test
$ su -
# make install

Then restart spamd. For RedHat-ish distros and some others:

# service spamassassin restart

All that said, if it was installed from the distro, best to update from the distro. You _can_ overwrite it with the method above, but be aware that if a distro upgrade is applied, it will overwrite your tarball upgrade. Still, you can do the tarball upgrade again (just make install if the build directory is still lying about).

> I yet downloaded 3.2.4 and run perl Makefile.PL without installing. This for example starts telling me, that modules like SPF are not present. Any hints on that?

The SPF modules are not required, but helpful. You can install them from CPAN, and then rerun your perl Makefile.PL for SA.

> Regards,
> Alexander

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
To the Jews who had believed him, Jesus said, If you hold to my teaching, you are really my disciples. Then you will know the truth, and the truth will set you free. John 8:31-32 (NIV)
Re: [OT] Odd spammer tactic?
On Tue, Jul 22, 2008 at 11:37:39AM -0400, Kevin Parris wrote:
> snippage
>
> The spammers are spending other people's money, since much of their work is done by hijacked machines, thus they do not care how 'expensive' their project might be, and any responses they do get are practically pure profit. So to probe a million targets and find even one vulnerable is worth the trouble since it is not their own trouble.
>
> The flaw in your logic is that you are thinking logically, working from the premise that any intelligent administrator (such as yourself) would never create a machine that is susceptible to this particular attack. Maybe YOUR server is not a viable avenue for the spammer, but there are SO many servers out there - finding a few that ARE viable is almost a certainty, since some people who connect systems to the internet are not so well-informed as we here.
>
> I believe that until a technique is discovered to eliminate ignorance and gullibility from the human population, there will be no solution to the spam problem.

If I may extend this OT thread, I'd like to know how draconian admins get with their mail servers. Without considering RBLs, how much do you limit client connections:

Allow only those with (PTR and/or A) DNS records?

Allow only those with MX records?

I figure only the latter will be the Final Solution to spam. But there are probably only two chances of that - slim and none.

> snippage
> --
> Christopher Bort
> [EMAIL PROTECTED]
> http://www.thehundredacre.net/

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Jesus turned and saw her. Take heart, daughter, he said, your faith has healed you. And the woman was healed from that moment. Matthew 9:22 (NIV)
Re: [OT] Odd spammer tactic?
On Tue, Jul 22, 2008 at 08:38:09PM +0200, mouss wrote:
> Bob McClure Jr wrote:
>> On Tue, Jul 22, 2008 at 11:37:39AM -0400, Kevin Parris wrote:
>>> snippage
>>>
>>> The spammers are spending other people's money, since much of their work is done by hijacked machines, thus they do not care how 'expensive' their project might be, and any responses they do get are practically pure profit. So to probe a million targets and find even one vulnerable is worth the trouble since it is not their own trouble.
>>>
>>> The flaw in your logic is that you are thinking logically, working from the premise that any intelligent administrator (such as yourself) would never create a machine that is susceptible to this particular attack. Maybe YOUR server is not a viable avenue for the spammer, but there are SO many servers out there - finding a few that ARE viable is almost a certainty, since some people who connect systems to the internet are not so well-informed as we here.
>>>
>>> I believe that until a technique is discovered to eliminate ignorance and gullibility from the human population, there will be no solution to the spam problem.
>>
>> If I may extend this OT thread, I'd like to know how draconian admins get with their mail servers. Without considering RBLs, how much do you limit client connections:
>>
>> Allow only those with (PTR and/or A) DNS records?
>
> unfortunately, this would
> - block silly networks with misconfigured DNS, but from which you still want to get mail.

Yeah, I know that, and, in fact, one of my clients' DNS was misconfigured (not in my power to fix) until recently. Be nice if there were some suitable mechanism to feed such info back to owner besides the distant end calling/emailing to say, Hey, did you know your DNS is fubar? I'm still not all that far from imposing such a restriction on my own server.

> - delay (or block, depending on your implementation) good networks in case of DNS problems. (the dspam domain was once under DDoS. delaying their _solicited_ mail is not really nice).

Yeah, bummer. Maybe make an exception if DNS is unavailable, or soft fail.

>> Allow only those with MX records?
>
> if the envelope sender domain has no MX nor A record (or has an invalid or borked MX), you can block. but this doesn't catch much junk. It does however catch legitimate mail in case of misconfiguration.

No, I don't mean that of the envelope sender - that means nothing. I mean that the client machine must be listed as an MX. That said, yes, I know, many installations (e.g. two of my clients) have separate IPs for sending and receiving mail, so the sender is not listed as an MX. And if it were so listed as a (secondary) MX and did not accept mail, then it's busted for being a bogus MX. sigh Never mind.

>> I figure only the latter will be the Final Solution to spam.
>
> final what? fussp? since spammers forge the sender, sender checks don't buy you much.
>
>> But there are probably only two chances of that - slim and none.

Where is the Lone Ranger when you need him? (Silver bullet reference.)

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Jesus turned and saw her. Take heart, daughter, he said, your faith has healed you. And the woman was healed from that moment. Matthew 9:22 (NIV)
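The PTR/A restriction discussed in this exchange, with the soft fail suggested for DNS outages, as an added example that is not part of the original thread or of any MTA's code. The resolver callbacks, the `DNSTempFail` exception and the DNS tables are hypothetical and constructed so the check runs offline; "defer" stands for a temporary (4xx) SMTP reply and "reject" for a permanent (5xx) one.

```python
import ipaddress


class DNSTempFail(Exception):
    """Hypothetical error: the resolver got no answer (timeout, SERVFAIL)."""


def check_client(ip, lookup_ptr, lookup_a):
    """Classify a connecting client by forward-confirmed reverse DNS.

    lookup_ptr(ip) returns a list of host names, lookup_a(name) a list of
    IP strings; both raise DNSTempFail when DNS is unavailable.
    Returns (action, reason) with action in {"accept", "defer", "reject"}.
    """
    client = ipaddress.ip_address(ip)
    try:
        names = lookup_ptr(ip)
    except DNSTempFail:
        return "defer", "PTR lookup temporarily failed"
    if not names:
        return "reject", "client has no PTR record"
    tempfail = False
    for name in names:
        try:
            addrs = lookup_a(name)
        except DNSTempFail:
            tempfail = True          # remember it, another name may still confirm
            continue
        if any(ipaddress.ip_address(a) == client for a in addrs):
            return "accept", f"{name} resolves back to {ip}"
    if tempfail:
        # DNS trouble is not evidence of a bad client: ask the sender to retry.
        return "defer", "forward lookup temporarily failed"
    return "reject", "PTR name does not resolve back to the client"


# Constructed DNS data (documentation address ranges, example domains).
PTR = {
    "192.0.2.25": ["mail.example.org"],
    "198.51.100.7": ["host7.example.net"],   # misconfigured: A points elsewhere
    "192.0.2.99": ["mx.example.com"],
}
A = {
    "mail.example.org": ["192.0.2.25"],
    "host7.example.net": ["198.51.100.200"],
}
DOWN_ZONES = {"example.com"}                 # zone whose name servers are unreachable


def fake_ptr(ip):
    return PTR.get(ip, [])


def fake_a(name):
    if name.split(".", 1)[-1] in DOWN_ZONES:
        raise DNSTempFail(name)
    return A.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.50", "198.51.100.7", "192.0.2.99"):
        print(ip, check_client(ip, fake_ptr, fake_a))
```

The `198.51.100.7` case is the misconfigured-but-wanted sender raised in the thread: a strict policy rejects it, which is the cost side of this restriction.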
Re: general questions about spamc/spamd
On Thu, May 01, 2008 at 04:06:02PM -0700, Ibrahim Hashem wrote:
> hi all, i think this is my 1st mail..
> here's the problem i'm facing
> i want to know how to setup or configure spamc in detailed and is it related that much to configuring the procmail ??

You don't mention your OS or distribution, so it's hard to provide specifics. The way I run it on RedHat/Fedora/CentOS is to run spamd and call spamc from each user's .procmailrc like this:

----- 8< -----
PATH=/bin:/usr/bin:/usr/local/bin
MAILDIR=$HOME/Mail
# LOGFILE=$MAILDIR/from
LOGFILE=/dev/null

# Put any rules to bypass SA here, e.g.
:0:
* ^List-Id: <users\.spamassassin\.apache\.org>
/var/spool/mail/$LOGNAME

:0fw
| spamc

# Any spam with 9 or more * will be summarily punted.
:0 H
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*
/dev/null

# Uncomment this to divert remaining spam to a spam bucket.
# Else it goes to your mailbox.
# :0:
# * ^X-Spam-Status: Yes
# $HOME/Mail/caughtspam
----- 8< -----

> another question who receives the mail from the clients as first time?? is it spamc or spamd??

Not sure I understand, but I think the answer is spamc, which feeds it to spamd. Then spamd filters it and returns it with the desired spam markup.

> then how does it cycle to get to the recipient client??

After it comes back from spamc, what happens depends on the following procmail recipes. You can divert it, delete it (to /dev/null), or send it on to the recipient.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Now I, Nebuchadnezzar, praise and exalt and glorify the King of heaven, because everything he does is right and all his ways are just. And those who walk in pride he is able to humble. Daniel 4:37 (NIV)
Re: logrotate query !
On Tue, Mar 04, 2008 at 09:12:56AM +0530, Agnello George wrote:
> On 3/4/08, Martin Gregorie [EMAIL PROTECTED] wrote:
>> On Mon, 2008-03-03 at 17:54, Agnello George wrote:
>>> hi
>>>
>>> I have set up a spamassassin server. I need to rotate the logs in the /var/log/spamd.log file. I added the following directives in the /etc/logrotate.conf
>>>
>>> # system-specific logs may be also be configured here.
>>> # added by agnello 4 march 08
>>> /var/log/spamd.log {
>>>     weekly
>>>     compress
>>>     rotate 4
>>> }
>>>
>>> Well i just want to verify what rotate 4 really means --- according to the man pages it says The number of times to rotate a logfile before removing it.
>>
>> Sounds pretty straight forward to me - you get the log set:
>>
>> log
>> log.1
>> log.2
>> log.3
>> log.4
>
> So what would happen after log.4. would it get deleted from the system??

Yes, everything ripples down like this:

log.3 becomes log.4 (the old log.4 falls into the bit bucket)
log.2 becomes log.3
log.1 becomes log.2
log becomes log.1
and a new log is created.

> --
> Regards
> Agnello Dsouza
> www.linux-vashi.blogspot.com
> www.bible-study-india.blogspot.com

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
For great is your love, reaching to the heavens; your faithfulness reaches to the skies. Psalm 57:10 (NIV)
Re: Logging with SA/procmail standalone (no spamd)
On Tue, Jan 29, 2008 at 02:41:06AM -0500, Jason Antman wrote:
> Hi,
>
> I'm a student at Rutgers University. I've been running SA on my own mailserver (handling 3 users) for a few years now. I recently came into some new hardware, and replaced the old mailserver with a new one running Solaris 10. I'm using SpamAssassin 3.02 in the blastwave.org package.
>
> I'm using Postfix for an MTA and Procmail as MDA, with mail being filtered through SA by procmail. I can't seem to find much verbose documentation on this method - I gather that it's nowhere near as preferred as running spamd.
>
> However, I can't help but notice that SA doesn't seem to be logging anything anywhere. Spam is getting caught and dealt with by procmail (moved to .spam folder) and the SA headers are there and correct. But I was wondering if there is some way to get SA to log to a central log file?
>
> Thanks for any suggestions,
> Jason

Probably not. If I understand correctly, you are calling the stand-alone spamassassin from procmail. At that point, SA is running as a mere mortal, which never can log to someplace like /var/log.

Is there any reason you can't run spamd (which can log, usually to someplace like /var/log/maillog) and have procmail call spamc instead of spamassassin?

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Therefore no one will be declared righteous in God's sight by observing the law; rather, through the law we become conscious of sin. Romans 3:20 (NIV)
Re: exclude emails with Japanese chars [not spam]
On Wed, Nov 21, 2007 at 12:01:59PM -0800, W S wrote:
> Hi,
>
> I'm running SpamAssassin+MailScanner+Postfix on Linux and I'm receiving some legit emails with Japanese/Chinese characters. Unfortunately combined score is too high and they get marked as SPAM. Is there any easy way to tweak SpamAssassin in order to exclude these emails?
>
> TIA,
> --WS

Assuming not many senders are involved, use whitelist_from_rcvd. Run

man Mail::SpamAssassin::Conf

and then search for that option for details. If this is just for you, put it in your ~/.spamassassin/user_prefs. If it should apply site-wide, put it in /etc/mail/spamassassin/local.cf and restart MailScanner.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Then Jesus said, Did I not tell you that if you believed, you would see the glory of God? John 11:40 (NIV)
Re: Maillog shows a few errors
On Fri, Nov 16, 2007 at 11:46:39PM +, night duke wrote:
> Hi i saw these errors at my maillog file.
> Does anyone know how can i fix them?
>
> Thanks
> Nightduke
>
> Nov 17 00:38:21 bcl00641 spamd[21558]: logger: removing stderr method
> Nov 17 00:38:21 bcl00641 spamd[21562]: Can't locate Tie/Cache.pm in @INC (@INC contains: .. /etc/mail/spamassassin lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at (eval 57) line 1.
> Nov 17 00:38:21 bcl00641 spamd[21562]: Can't locate Tie/Cache.pm in @INC (@INC contains: .. /etc/mail/spamassassin lib ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at (eval 57) line 1.
> Nov 17 00:38:21 bcl00641 spamd[21562]: BEGIN failed--compilation aborted at (eval 57) line 1.
> Nov 17 00:38:21 bcl00641 spamd[21562]: plugin: failed to parse plugin (from @INC): Bareword Mail::SpamAssassin::Constants::CHARSETS_LIKELY_TO_FP_AS_CAPS not allowed while strict subs in use at /usr/local/share/perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm line 967.
> Nov 17 00:38:21 bcl00641 spamd[21562]: Compilation failed in require at (eval 74) line 1.
> Nov 17 00:38:21 bcl00641 spamd[21562]: Can't locate object method new via package Mail::SpamAssassin::Plugin::HeaderEval at /usr/local/share/perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm line 39.
> Nov 17 00:38:21 bcl00641 spamd[21562]: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::HeaderEval: Can't locate object method new via package Mail::SpamAssassin::Plugin::HeaderEval at /usr/local/share/perl/5.8.8/Mail/SpamAssassin/Plugin/HeaderEval.pm line 39.
> Nov 17 00:38:22 bcl00641 spamd[21562]: Subroutine new redefined at /etc/spamassassin/FuzzyOcr.pm line 48.
> Nov 17 00:38:22 bcl00641 spamd[21562]: Subroutine dummy_check redefined at /etc/spamassassin/FuzzyOcr.pm line 59.
> Nov 17 00:38:22 bcl00641 spamd[21562]: Subroutine fuzzyocr_check redefined at /etc/spamassassin/FuzzyOcr.pm line 63.
> Nov 17 00:38:22 bcl00641 spamd[21562]: Subroutine fuzzyocr_do redefined at /etc/spamassassin/FuzzyOcr.pm line 101.
> Nov 17 00:38:22 bcl00641 spamd[21562]: Can't locate object method word_is_in_dictionary via package Mail::SpamAssassin::PerMsgStatus at /usr/share/perl5/Mail/SpamAssassin.pm line 1197.

I'd use CPAN to install the Tie::Cache module to start with. Then see what falls out.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
For I command you today to love the LORD your God, to walk in his ways, and to keep his commands, decrees and laws; then you will live and increase, and the LORD your God will bless you in the land you are entering to possess. Deuteronomy 30:16 (NIV)
Re: re the 419 scam apologizing for 419 scams
On Thu, Sep 13, 2007 at 11:57:23AM -0700, Loren Wilton wrote:
> Guess that's not a throwaway dial up connection then. Wow. I'd think that size would make the cost/benefit analysis skew even further to making a spam run unprofitable as they'd be sending so many fewer before they're shut down.
>
> Does anyone actually shut down zombies these days?

You mean ISPs? We certainly do. When we find out there's a spambot on the network we disable his login account if he's dial-in, or track down his DSL card and pull the (virtual) plug on it. He's not turned on again until he tells us he has cleaned his machine.

> That might mean shutting down the legitimate client too, and they could try to sue for lack of service.

I believe that is covered in the Terms Of Service that the subscriber agrees to in order to get service.

> Loren

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
O God, you are my God, earnestly I seek you; my soul thirsts for you, my body longs for you, in a dry and weary land where there is no water. Psalm 63:1 (NIV)
Re: Maybe I'm dense...
On Thu, Sep 06, 2007 at 10:44:27AM -0700, winkerbean wrote:
> but I cannot find anything to tell me whether I can use SpamAssassin in my situation. I download my messages from my ISP. I don't have my own server or anything like such. Can I use SpamAssassin to filter/score my incoming e-mail or does it need to be installed on my ISP's server to work?

You can do it locally. Just install SA, and call spamassassin (or spamc if you choose to run spamd) from your .procmailrc. The SA distribution has a sample set of procmail recipes.

Back when I had an earthlink account, I picked up my mail with fetchmail, which used procmail to put it in my mailbox. I punted anything that scored 9 or more, put the rest of the spam in a caughtspam box for review, and the rest went to my mailbox.

> Thanks for any help.
> --
> View this message in context: http://www.nabble.com/Maybe-I%27m-dense...-tf4393677.html#a12527794
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
May the Lord direct your hearts into God's love and Christ's perseverance. 2 Thessalonians 3:5 (NIV)
Re: OT blacklist check
On Tue, Aug 28, 2007 at 03:31:44PM -0400, Jean-Paul Natola wrote:
>> Hi, Jean Paul, check this site:
>>
>> http://www.robtex.com/rbl.html
>>
>> It does multi RBL checks, saved my butt a few times ;)
>>
>> Peace,
>> Luis
>>
>> 2007/8/28, Jean-Paul Natola [EMAIL PROTECTED]:
>>> Hi all,
>>>
>>> I saw that my server wound up on http://spamcop.net/bl.shtml so I had my server removed- however , I think I may on other blacklist(s) as I roadrunner *.rr.com is not accepting emails from our server-
>>>
>>> Is there a way I can check my IP to see if I've been blacklisted anywhere else?
>
> Thanx- I'm not listed anywhere - so why am I getting errors like
>
> An SMTP protocol error occurred-
>
> And
>
> The connection was dropped by the remote host

Is just a single mail server (or set of servers) dropping you? Maybe you are on their local blacklist. I've had several problems like that with mxlogic.{net,com} servers. If so, you will have to look them up and give them a ringy-dingy and anything else that's appropriate.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
If you do not listen, and if you do not set your heart to honor my name, says the LORD Almighty, I will send a curse upon you, and I will curse your blessings. Yes, I have already cursed them, because you have not set your heart to honor me. Malachi 2:2 (NIV)
Re: Using SpamAssassin to filter port 110
On Mon, Aug 20, 2007 at 07:55:07AM -0700, Patman wrote:
> Hello,
>
> New to the forum. Question, what I would like to do, is filter incoming traffic on port 110, with a spamassassin server. Our organization is provided email by an outside provider, as a service for doing our web page. What I would like to know is if SpamAssassin can be configured to go between my Cisco Pix box and say the network to filter port 110 for spam? Or does SpamAssassin have to be the IP that port 110 is routed to? I have used SpamAssassin on a in house email server but never as I am attempting. Can it be done and how?
>
> Thanks
> --

If you are picking up your mail from the mail server using your mail client, I don't know how to wire SA into the flow that way. You would do better to call your mail server with fetchmail or similar, and deliver to your local mailbox with procmail. Then you can run spamd and call spamc from each user's .procmailrc. The SA distribution includes examples of how to do that.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Therefore, as God's chosen people, holy and dearly loved, clothe yourselves with compassion, kindness, humility, gentleness and patience. Bear with each other and forgive whatever grievances you may have against one another. Forgive as the Lord forgave you. And over all these virtues put on love, which binds them all together in perfect unity. Colossians 3:12-14 (NIV)
Re: Post cart spams
On Tue, Jul 17, 2007 at 02:30:05PM -0500, Igor Chudov wrote:
> Ken, I just downloaded clamav, it seems to be a file scanning tool? How do you use it from procmail?
>
> Thanks a lot!
>
> i

I installed clamassassin

http://jameslick.com/clamassassin/

and run the daemonized clamd. Then I call it from the system /etc/procmailrc this way:

===== snip 8< -----
PATH=/bin:/usr/bin:/usr/local/bin
# LOGFILE=/var/log/procmail.log
LOGFILE=/dev/null

# Virus trap
:0fw
| /usr/local/bin/clamassassin

:0
* ^X-Virus-Status: Yes
/dev/null
===== snip 8< -----

Of course you can divert it to some quarantine bin, instead of /dev/null.

Be sure to set up ClamAV as daemon or stand-alone first, before you build clamassassin. clamassassin figures out for itself whether it needs to call clamscan or clamdscan during the build process.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Instead of their shame my people will receive a double portion, and instead of disgrace they will rejoice in their inheritance; and so they will inherit a double portion in their land, and everlasting joy will be theirs. Isaiah 61:7 (NIV)
Re: Post cart spams
On Wed, Jul 18, 2007 at 03:42:31AM +0300, Jari Fredriksson wrote:
> Bob McClure Jr wrote:
>> I installed clamassassin
>
> What a dumb name for software. Does it want to assassin ClamAV?

I think its intention was to make ClamAV as easy to use as SpamAssassin, and it succeeds very well. I'd also say that's a compliment to SA, and well deserved, indeed.

> lol
>
> I don't know it, may be a good one though.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Instead of their shame my people will receive a double portion, and instead of disgrace they will rejoice in their inheritance; and so they will inherit a double portion in their land, and everlasting joy will be theirs. Isaiah 61:7 (NIV)
Re: sa-learn --forget
On Fri, Jul 13, 2007 at 05:35:04PM -0400, [EMAIL PROTECTED] wrote:
> I got a message that has tagged as spam. Received a score of 5.2. This mail is a ham mail for me/us. So i ran --forget and received this:
>
> sa-learn --forget --mbox /var/opt/hula/netmail/users/forget
> Forgot tokens from 0 message(s) (1 message(s) examined)
>
> There was only 1 message/email in this folder. I expected to see
>
> Forgot tokens from 1 message(s) (1 message(s) examined)
>
> but this was not the case. What did i do wrong?
>
> SA 3.2.1 with sles9 and spamd running without any options

With that score, it probably was not cataloged in bayes. What you probably should have done is to have SA learn it as ham rather than just forget any (spam) tokens it learned. That is, you should

sa-learn --ham --mbox /var/opt/hula/netmail/users/forget

as the user who got the mail. Had it been learned as spam, that will automatically forget its spamminess and learn it as ham.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Who is a God like you, who pardons sin and forgives the transgression of the remnant of his inheritance? You do not stay angry forever but delight to show mercy. Micah 7:18 (NIV)
Re: Confused about which bayes db gets used with spamc?
On Sat, Jun 30, 2007 at 05:41:19AM -0700, CptanPanic wrote:
> Hello,
>
> I run spamc from my procmail on incoming messages. Does this mean that all messages are using root bayes_db?

No.

> If so why do the clients have stuff updated in their db in their home directories?

Because spamc (actually spamd) does a setuid to the user.

> I am trying to figure this out so I can do sa-learn correctly.

With your setup (same as mine) you should sa-learn as the user, or use the -u or --username option to set the user.

> Thanks,
> CP
> --
> View this message in context: http://www.nabble.com/Confused-about-which-bayes-db-gets-used-with-spamc--tf4004657.html#a11373245
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
The Lord says: These people come near to me with their mouth and honor me with their lips, but their hearts are far from me. Their worship of me is made up only of rules taught by men. Therefore once more I will astound these people with wonder upon wonder; the wisdom of the wise will perish, the intelligence of the intelligent will vanish. Isaiah 29:13-14 (NIV)
Re: Setting up an email rule for these posts
On Tue, May 15, 2007 at 07:54:24PM +0200, Chris wrote:
> Hi all,
> I'm new to this board, so please go easy on me ;-)
> I can see that this forum is an excellent source of useful information with some very helpful members, but am having a bit of a problem at my end, with organising the emails coming in from the forum.
> Been using message boards and forums for about 6 years, on all sorts of subjects, and usually setup my email program to put posts from certain groups into certain folders - normally, there's rules setup in the email program to filter to the various folders, based on either the from field, or the subject field, but I'm noticing that the emails coming in don't have anything consistent with them ;-(
> How do the others here do it please ? Is there anyway, that perhaps every email/post that goes out, has the word Spamassassin in the subject line ?

Turn on full headers and you will see a line:

List-Id: users.spamassassin.apache.org

Filter on that. That works with many lists.

> Any help appreciated.
> Chris.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Pride only breeds quarrels, but wisdom is found in those who take advice. Proverbs 13:10 (NIV)
Re: Increase of spam?
On Thu, May 03, 2007 at 11:51:36AM -0400, Rob McEwen wrote:
> K. asked:
>> A while ago I implemented graylisting, which works quite well. But since 2 days ago I'm seeing loads of mails which are passing by the greylisting (so they are being sent again by a real mailserver). Anybody knows if there is a new windows virus on the loose that retries to deliver mails? The mails are coming from all kinds of hosts, all kinds of countries but mostly from dialup or adsl accounts (so, not hijacked corporate mailservers).
>
> I've noticed a recent jump in the number of Nigeria/419 lottery scams. These are often sent via mailservers which will easily bypass graylisting due to retries. Also, in general, these are also among the most difficult types of spams to catch.
>
> Rob McEwen
> PowerView Systems
> [EMAIL PROTECTED]

I suppose many regard this as effective as peeing in the ocean to raise the water level, but any spam I have to touch, I turn on full headers, and report it back to abuse address for the top-most untrusted client in the Received lines. If he has a legit mail server, then he should trace back to the client that sent to his server, and ultimately shut the blighter down.

I do that for mailing list postings I have to moderate on a list server I don't control, and mail sent to postmaster at my domain. Am I not correct in not filtering mail to postmaster?

Sorry, I think I digressed a bit, there.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
I am the Alpha and the Omega, says the Lord God, who is, and who was, and who is to come, the Almighty. Revelation 1:8 (NIV)
Re: Increase of spam?
On Thu, May 03, 2007 at 09:13:33AM -0800, John Andersen wrote:
> On Thursday 03 May 2007, Bob McClure Jr wrote:
>> If he has a legit mail server, then he should trace back to the client
>
> Yes, it's widely known that every mail system administrator has hours of idle time on his hands to track this stuff down manually and handle each case personally.

Hmm. Your sarcasm implies that the opposite is widely known. Well, I didn't just fall off a turnip truck so I submit that it's not widely known. I'm a sysadmin and web developer and can find the time to help our local ISP trace down a customer with a botted machine, when it's so reported to us. It's part of my job. If you are a sysadmin or mail system administrator, and you don't pursue abuse reports, then you're not doing your job.

> You, sir, are the reason abuse addresses are universally ignored these days. You add to the problem. If you know it's spam, trash it and move on.

That, sir, is a non-sequitur. Abuse addresses are stipulated by RFCs. Because I use them, they ignore them? That doesn't follow at all. And if abuse mail is ignored, then rfc-ignorant.org may as well fold up its tents and go home.

In fact, about 30% of the abuse reports I send get at least a return from an auto-responder. I don't care whether they respond to my mail or not, as long as they take some action on it. And if my one abuse email causes a bot to be shut down, thus preventing several hundred spam from hitting the 'Net, I'd say that's a net reduction of 'Net traffic.

Abuse addresses exist to provide a means of correcting problems in the Internet. I use them, believing it will improve the Internet. So call me a Pollyanna. If the admins ignore my abuse mail, then I submit that they have contributed to the problem, not I.

> --
> _
> John Andersen

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
I am the Alpha and the Omega, says the Lord God, who is, and who was, and who is to come, the Almighty. Revelation 1:8 (NIV)
Re: Fowarding spams to the list.... Not good???
On Mon, Apr 30, 2007 at 04:03:13PM -0700, Eric Goforth wrote:
> Hey all,
> I have a quick thought about something we may want to all consider. For those of us that use SA (all of us right?) and we use Bayes (most of us I assume) and that have whitelisted this list (a few anyhow) that get people forwarding their spam messages to the list (only a couple I think...) I think you're throwing our Bayes out of whack... We are trying to train our systems to drop the stuff you're forwarding to the list... I may be off since I am still a newbie to SA and in particular how Bayes does its job... But... Food for thought. Can we avoid forwarding spam messages to the list?

I call spamc in my ~/.procmailrc. I have a recipe that diverts SA List traffic directly to my mailbox before it gets to the call to spamc. My Bayes never sees SA List traffic.

> Eric J. Goforth
> [EMAIL PROTECTED]

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
For since the creation of the world God's invisible qualities -- his eternal power and divine nature -- have been clearly seen, being understood from what has been made, so that men are without excuse. Romans 1:20 (NIV)
Re: cannot install it on BSD
On Sun, Apr 29, 2007 at 01:00:10AM +0800, Mailing List wrote:
> Hi guys,
> I cannot install spamassassin on FreeBSD. Does anyone experienced with this before?

Not here.

> any advices will be appreciated.

Any clues besides "it doesn't work"?

> thx

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Hatred stirs up dissension, but love covers over all wrongs. Proverbs 10:12 (NIV)
Re: IP - Responsible Person
On Tue, Apr 24, 2007 at 09:03:51PM -0700, Marc Perkel wrote:
> Is there an algorithm that one can feed an IP address into and return the email address of the responsible person for the IP to report spam to?

There is the command-line whois, as well as the ARIN web site

http://www.arin.net/whois/index.html

whois is quicker and easier and drills down to foreign registries, but doesn't always return what you need. The ARIN web site isn't as easy to use, but always returns useful information for North American networks, and provides links to foreign registries like it.

I have a policy of reporting any spam I have to touch, such as that sent to my postmaster address and submissions to my closed mailing list. I have developed a script to automate as much of the look-up as I can. I herewith offer it. I call it ew for extended whois. It sorts the email addresses found, so abuse is easily found at the beginning of the list.

=8
#!/usr/bin/perl -w
use strict;

# Stand-in address pattern: the list archive's address obfuscation replaced
# the original regex with [EMAIL PROTECTED], so this one is a reconstruction.
my $EMAIL_RE = qr/([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)/;

my $myname = $0;
# Strip the directory part of the program name (this substitution was
# mangled by the archive as well and is reconstructed).
$myname =~ s@.*/@@;

@ARGV || die("usage: $myname IPaddr_or_netname\n");

whois(shift);
exit 0;

sub whois {
    my($arg) = @_;

    # Strip out IPV6 stuff.
    $arg =~ s/^::://;

    my($line, $key, $val);
    my(%email) = ();
    my $state = "";
    my $country = "";
    my $netname = "";

    # List-form pipe open: $arg reaches whois as a single argument and is
    # never interpreted by a shell.
    if(open(WHO, "-|", "whois", $arg)) {
        while(defined($line = <WHO>)) {
            chomp $line;
            # Some of these have CRs, too.
            $line =~ s/\r//g;

            # Look for any net names in parens.
            $line =~ /\((NET-[\w-]+)\)/ && do {
                $netname = $1;
            };

            # Split "field: value". A separate $key keeps $arg intact for
            # the recursion check at the end.
            next unless (($key, $val) = split(/ *: */, $line, 2));
            $val = "" unless defined $val;

            # Extract any email addresses;
            $key =~ /mail/i && do {
                $email{$val} = 1 if $val ne "";
                # If it's the abuse email, that's enough for us.
                last if $key =~ /abuseemail/i;
            };

            $key =~ /trouble/i && do {
                $val =~ $EMAIL_RE && ($email{$1} = 1);
                next;
            };

            $key =~ /remarks/i && do {
                $val =~ $EMAIL_RE && ($email{$1} = 1);
                next;
            };

            # Take the first state entry.
            $line =~ /state/i && do {
                $state = $val unless $state;
                next;
            };

            # Take the first country entry.
            $line =~ /country/i && do {
                $country = $val unless $country;
                next;
            };

            # Catch-all
            $line =~ $EMAIL_RE && ($email{$1} = 1);
        }
        close WHO;

        ($state || $country) && print "Owner is in $state, $country\n";
        %email && print "Email to ", join(", ", sort keys %email), "\n";
    } else {
        warn "Could not run whois: $!\n";
    }

    $netname && do {
        # warn "netname found: $netname";
        $netname ne $arg && whois($netname);
    }
}
=8

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
If my people, who are called by my name, will humble themselves and pray and seek my face and turn from their wicked ways, then will I hear from heaven and will forgive their sin and will heal their land. 2 Chronicles 7:14 (NIV)
Re: IP - Responsible Person
On Wed, Apr 25, 2007 at 09:10:04AM -0700, Marc Perkel wrote:
> My thinking on this is that if we had better automated reporting then spammers could be shut down at the source and we could reduce spam that way. I think what needs to happen is to develop some sort of auto-reporting of spam process that's easy and tie in ISPs and the big boys into the database so that a surge of reports could auto shutdown spammers.

That's my thinking, too.

> I'm trying an experiment with Yahoo, Gmail, Hotmail, etc. where I'm forwarding all Hotmail spam to [EMAIL PROTECTED], yahoo spam to [EMAIL PROTECTED] with the idea of shutting down the perps at the source.

You _are_ going to the IP address in the Received: line(s) and not the From: address or the envelope sender, right?

> What do you all think of this. Can we build a tool or a web service that gathers and stores abuse info and turns IP addresses and domain names into abuse addresses and do automatic reporting?

Looks like abuse.net has a good start on it. Have a look at

http://www.abuse.net/using.phtml

In my (abundant) spare time, I'm going to wire that into my ew tool, and if that works reliably enough, I'm going to build a more automated tool. In my best of all possible worlds, instead of throwing away obvious spam (scoring 10 or more), I'm going to identify the sending IP and auto-report the stuff.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
If my people, who are called by my name, will humble themselves and pray and seek my face and turn from their wicked ways, then will I hear from heaven and will forgive their sin and will heal their land. 2 Chronicles 7:14 (NIV)
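The two posts above name the reporting target as the top-most untrusted client in the Received: lines, never the From: address or envelope sender. The following Python is an added example of that selection, not code from the thread; the sample message, the example.* host names and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Address literal as MTAs write it: [198.51.100.25] or [IPv6:2001:db8::25]
ADDR_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed message: documentation addresses and example.* names only.
# Headers are newest first; only those written by our own hosts are reliable.
SAMPLE = (
    "Received: from gw.example.org ([127.0.0.1])\n"
    "\tby localhost (gw.example.org [127.0.0.1]) (amavisd-new, port 10024)\n"
    "\twith ESMTP id AAAA1111; Wed, 25 Apr 2007 12:00:03 -0400 (EDT)\n"
    "Received: from relay.example.net (relay.example.net [198.51.100.25])\n"
    "\tby gw.example.org (Postfix) with ESMTP id BBBB2222;\n"
    "\tWed, 25 Apr 2007 12:00:02 -0400 (EDT)\n"
    "Received: from [203.0.113.7] (helo=mail.example.com)\n"
    "\tby relay.example.net with esmtp; Wed, 25 Apr 2007 16:00:01 +0000\n"
    "From: Prize Office <winner@example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def client_ip(received):
    """Return the connecting client's address from one Received value, or None."""
    # Unfold continuation lines, then keep only the "from ..." clause:
    # everything after " by " describes the receiving host, not the client.
    flat = " ".join(received.split())
    from_clause = re.split(r"\sby\s", flat, maxsplit=1)[0]
    if not from_clause.lower().startswith("from "):
        return None
    for candidate in ADDR_LITERAL.findall(from_clause):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue  # bracketed text that is not an IP literal
    return None


def topmost_untrusted_client(raw_message, trusted_networks):
    """Walk Received headers newest-first and return the first client IP that
    is outside trusted_networks. Returns None when every hop is trusted or
    when a header written by a trusted host cannot be parsed, because the
    chain of custody ends there. From: and the envelope sender are never used."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        ip = client_ip(received)
        if ip is None:
            return None
        if not any(ip in net for net in nets):
            # This host handed the mail to infrastructure we control. Any
            # Received lines below it were supplied by that host and may be forged.
            return ip
    return None


if __name__ == "__main__":
    print(topmost_untrusted_client(SAMPLE, ["127.0.0.0/8"]))
```

The address returned is what goes into the whois look-up; listing a relay you control in `trusted_networks` moves the answer one hop further down.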
Re: Spamd dieing for no apparent reason
On Tue, Apr 17, 2007 at 08:40:20AM -0700, Don O'Neil wrote:
> My spamd process is dying about every 1-2 days for no apparent reason. Anyone have any suggestions on how to debug this? I'm not seeing anything in the logs, it just dies, and then of course I get bounces back that the connection was dropped and I have to restart the process. I've had to put a daemon monitor of sorts in place to restart it automatically.
>
> I'm running the latest released version on FreeBSD 6.1.
>
> Thanks!

I had that problem on a shared FreeBSD server sometimes when I got a SARE update and the restart of spamd didn't work right. Found I had to stop spamd, sleep for a few seconds, and then start it. If I did a plain restart, the start part didn't work because some of the children were still alive.

There is doubtless a more elegant solution, but that worked.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Come to me, all you who are weary and burdened, and I will give you rest. Matthew 11:28 (NET)
Re: spam test
On one server I manage, I found Botnet to be a tremendous help in tagging spam, but does produce some FPs, almost entirely because of misconfigured DNS. After notifying several mail/network admins of their fubar DNS, I got tired of trying to clean up the Internet and throttled Botnet back to 4.5 points, since it was often the only spammy factor in the FP. The only other thing I've had to do was whitelist_from_rcvd a couple of remote users who want to send mail directly through our server. I'm still a big fan of Botnet.

On a related note, I once set up a new Postfix server for our local ISP to require an rDNS of a connecting client, but got a number of complaints, so I dropped that requirement. I can't fix everyone's screwed up DNS. Be nice if someone could hold their feet to the fire.

IIRC, there is a major player on this list who says mail admins without a proper rDNS can go suck a rock, ... or something to that effect. Rave on, brother.

On Tue, Apr 10, 2007 at 10:19:06AM +1000, Peter Russell wrote:
> I have my trusted network setup correctly - but botnet fires on so many domains, domains which would normally like to trust. Yes, it's entirely possible it's not set up right...but I followed the instructions as best I could.
>
> Bill Landry wrote:
>> Robert Fitzpatrick wrote the following on 4/9/2007 4:37 PM -0800:
>>> Bill Landry wrote:
>>>> Peter Russell wrote the following on 4/9/2007 3:41 PM -0800:
>>>>> We don't use Botnet anymore, it fires on anything/everything and drives me nuts.
>>>>
>>>> You must not have Botnet and/or your trusted_networks setup correctly then.
>>>>
>>>> Bill
>>>
>>> I am running Postfix+Amavisd-new+SA 3.1.7 gateways on two different public networks. My trusted networks are setup with those networks where these gateways operate. Most delivery is also on those networks, however, I have several off-network locations being delivered to and several users using these gateways as smarthost for their own MS Exchange servers. Is it safe for me to use Botnet with my trusted networks setup as described?
>>
>> Sure, your setup is much like mine and botnet runs fine in our environment. Just take a bit of time to setup botnet and your trusted_networks correctly and all will run just fine.
>>
>> Bill

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Therefore, as God's chosen people, holy and dearly loved, clothe yourselves with compassion, kindness, humility, gentleness and patience. Colossians 3:12 (NIV)
Re: Change from new mail mode to add to the existing header
On Tue, Apr 03, 2007 at 03:44:31PM -0700, pcbugfixer wrote:
> John D. Hardin wrote:
>> On Tue, 3 Apr 2007, pcbugfixer wrote:
>>> The SpamAssassin setting needs to be changed to add to the existing header rather than attaching the incoming spam as an attachment.
>>
>> Quick response: check your report_safe setting...
>
> Not that I am not grateful for the reply - however all the attached junk just to tell me "Quick response: check your report_safe setting..." when these report_safe setting are not in the SpamAssassin Configuration does not help.
>
> Obviously the setting would have to be in the rewrite_header subject field entry box if I am not mistaken and I need to know what to enter to make the change ?
>
> In the FAQ, the indicator is ChangingMarkup I think, http://wiki.apache.org/spamassassin/ChangingMarkup which does not explain what does which and how - so what do I enter please ??
>
> Is Dan Kohn about to answer this please.

If I understand your problem correctly, what you need to do is put

report_safe 0

in your local.cf (probably in /etc/mail/spamassassin or similar). Details are in man Mail::SpamAssassin::Conf.

> --
> View this message in context: http://www.nabble.com/Change-from-%22new-mail-mode%22-to-%22add-to-the-existing-header%22-tf3515321.html#a9827762
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
A new command I give you: Love one another. As I have loved you, so you must love one another. By this all men will know that you are my disciples, if you love one another. John 13:34-35 (NIV)
Re: Sunday Morning Email Geek
On Sun, Apr 01, 2007 at 05:41:03AM -0700, dougp23 wrote:
> Here it is Sunday morning and I'm playing with the email server!!! lol! Oh well!
> Anyways, here's a question: I edited my local.cf to change the spam score from 7.5 to 5.0
> When I tail maillog, I still see required score 7.5.
> I am using sendmail, spamd, spamass-milter. When I make a change, is there some required series of steps I am not doing and that is why the spam score is not lowering??

Did you restart spamd?

> --
> View this message in context: http://www.nabble.com/Sunday-Morning-Email-Geek-tf3500970.html#a9777388
> Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Let us not become weary in doing good, for at the proper time we will reap a harvest if we do not give up. Galatians 6:9 (NIV)
Re: whitelist_from_rcvd
On Wed, Mar 21, 2007 at 05:03:49PM -0400, Robert Fitzpatrick wrote:
> I have this in my local.cf file...
>
> whitelist_from_rcvd [EMAIL PROTECTED] *.blackberry.com
>
> Shouldn't this not get tagged?

Change that to

whitelist_from_rcvd [EMAIL PROTECTED] blackberry.com

You don't need or want the glob on the server domain.

> Return-Path:
> Delivered-To: spam-quarantine
> X-Envelope-From: [EMAIL PROTECTED]
> X-Envelope-To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> X-Quarantine-ID: AoDSTJF3q8ee
> X-Spam-Flag: YES
> X-Spam-Score: 6.705
> X-Spam-Level: **
> X-Spam-Status: Yes, score=6.705 tag=-999 tag2=4.6 kill=4.6
>   tests=[AWL=-5.090, BAYES_00=-2.599, FROM_EXCESS_BASE64=1.309,
>   RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5,
>   RAZOR2_CHECK=2.5, URIBL_JP_SURBL=4.087, URIBL_SC_SURBL=4.498]
> Received: from esmtp.webtent.net ([127.0.0.1])
>   by localhost (esmtp.webtent.net [127.0.0.1]) (amavisd-new, port 10024)
>   with ESMTP id AoDSTJF3q8ee; Wed, 21 Mar 2007 16:14:53 -0400 (EDT)
> Received: from smtp01.bis.na.blackberry.com (smtp01.bis.na.blackberry.com [216.9.248.48])
>   by esmtp.webtent.net (WebTent ESMTP Postfix Internet Mail Gateway)
>   with ESMTP id 1F5867F2BB; Wed, 21 Mar 2007 16:14:52 -0400 (EDT)
> Message-ID: [EMAIL PROTECTED]
> Content-Transfer-Encoding: quoted-printable
> Reply-To: [EMAIL PROTECTED]
> Sensitivity: Normal
> Importance: Normal
> To: Bruce Orand [EMAIL PROTECTED]
> Subject: Fw: breathtaking then selfish
> From: =?UTF-8?B?SmVyZW15IENoYXBtYW4=?= [EMAIL PROTECTED]
> Date: Wed, 21 Mar 2007 21:22:48 +
> Content-type: text/plain
> MIME-Version: 1.0
>
> --
> Robert

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
The wicked man earns deceptive wages, but he who sows righteousness reaps a sure reward. Proverbs 11:18 (NIV)
Re: sendmail's vacation(1) Precedence: junk headers
On Tue, Mar 13, 2007 at 01:30:01PM +1030, Damon McMahon wrote:
> Greetings,
>
> I'd like to integrate SpamAssassin with the sendmail vacation(1) autoresponder program.
>
> According to sendmail's vacation(1) man page: 'Messages will not be replied to if any of the following conditions are true: ... - A ``Precedence: bulk'', ``Precedence: list'', or ``Precedence: junk'' line is included in the mail headers.'
>
> I note that SpamAssassin has a add_header configuration option, but according to Mail::SpamAssassin::Conf(3), '...All headers begin with X-Spam- (so a header_name Foo will generate a header called X-Spam-Foo).'
>
> What is the best way to configure SpamAssassin and vacation(1) to prevent auto-replies to messages that SpamAssassin has identified as spam?

Well, this list already has

Precedence: bulk

in the header. Isn't that sufficient?

And thanks for being concerned about how vacation works.

> Any advice will be appreciated,
> Damon

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Humble yourselves, therefore, under God's mighty hand, that he may lift you up in due time. 1 Peter 5:6 (NIV)
Re: [2] Auto-whitelist Errors others.
On Thu, Mar 08, 2007 at 04:46:30PM -0800, Andrew Rosolino wrote:
> Why does a directory need execute permissions?

For directories, the x bit makes it traversable. That means if /foo/ has permissions drw-rw-rw-, then you can read (and write) the directory but you can't get to any of the files in the directory, and you cannot get into /foo/bar/ even if the latter has permissions drwxrwxrwx.

> Theo Van Dinter-2 wrote:
>> On Thu, Mar 08, 2007 at 11:44:31AM -0800, Andrew Rosolino wrote:
>>> Mar 8 14:42:32 penguin spamd[15553]: spamd: setuid to root succeeded
>>> Mar 8 14:42:32 penguin spamd[15553]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/bin/spamd line 1147, GEN15 line 4.
>>
>> don't call spamd (via spamc) as root.
>>
>>> Here is the permissions for the folder:
>>> drw-rw-rw- 2 root nobody 4096 Mar 8 14:35 spamassassin/
>>
>> That's definitely not going to work. 0777, not 0666 (directory, not a file).
>>
>> --
>> Randomly Selected Tagline:
>> You can't build a reputation on what you are going to do. - Henry Ford

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
And without faith it is impossible to please God, because anyone who comes to him must believe that he exists and that he rewards those who earnestly seek him. Hebrews 11:6 (NIV)
Re: whitelist problem
On Fri, Mar 02, 2007 at 12:41:14AM +0530, deepak wrote:
> Hello,
> I'm having a very strange problem with whitelisting in Spamassassin. I've one domain in whitelist (along with other domains) of spamassassin. It looks like the whitelist feature works some times while some times it doesn't. Please suggest something.

Provide an example header, scoring, and applicable whitelist entry?

> Regards ..

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Every house is built by someone, but God is the builder of everything. Hebrews 3:4 (NIV)
Re: SA successfully installed, but it doesn't work. Can't locate Digest/SHA1.pm?
On Sun, Feb 25, 2007 at 05:14:40PM -0800, Wen Wang wrote: The log file says that can't locate Digest/SHA1.pm, but I do have /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris/Digest/SHA1.pm in my system. Why? Following is the log file: Feb 25 18:10:38 laika qmail: [ID 748625 mail.info] 1172448638.837731 delivery 126011: success: procmail:_Error_while_writing_to_/usr/tmp/procmail.log/Can't_locate_Digest/[EMAIL PROTECTED](@INC_contains:_/usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris_/usr/local/lib/perl5/site_perl/5.8.7_/usr/local/lib/perl5/5.8.7/sun4-solaris_/usr/local/lib/perl5/5.8.7_/usr/local/lib/perl5/site_perl)_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/EvalTests.pm_line_34./BEGIN_failed--compilation_aborted_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/EvalTests.pm_line_34./Compilation_failed_in_require_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/PerMsgStatus.pm_line_57./BEGIN_failed--compilation_aborted_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/PerMsgStatus.pm_line_57./Compilation_failed_in_require_at_/usr/local/lib/perl5/ Feb 25 18:10:38 laika qmail: [ID 986938 mail.info] 1172448638.837731+site_perl/5.8.7/Mail/SpamAssassin.pm_line_72./BEGIN_failed--compilation_aborted_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin.pm_line_72./Compilation_failed_in_require_at_/usr/local/bin/spamassassin_line_82./BEGIN_failed--compilation_aborted_at_/usr/local/bin/spamassassin_line_82./procmail:_Error_while_writing_to_spamassassin/procmail:_Rescue_of_unfiltered_data_succeeded/did_0+0+1/ Thanks in advance, Wen Because /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris is not in your @INC. But why is _/usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris_ in your @INC? What's up with that? Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com If you really keep the royal law found in Scripture, Love your neighbor as yourself, you are doing right. James 2:8 (NIV)
Re: SA successfully installed, but it doesn't work. Can't locate Digest/SHA1.pm?
On Sun, Feb 25, 2007 at 08:22:05PM -0800, Wen Wang wrote: Thanks, Bob. But I don't think this is the problem. I think it's syslog use _ to replace the blank space in the message. Oh. I do find the message in spamassassin's website. But not so understand what it means. What's new parse( ) API ? Beats me. You're way deeper into SA than I. I've never used the API. Looks like you've written some local code that works with pre-v3.x SA. I'd look at the man page for Mail::SpamAssassin and see what function does what you want in the (apparently newer) version you are using. = The 'Can't locate Mail/SpamAssassin/NoMailAudit.pm' error In SpamAssassin 3.0.0, we switched over to a new message-parsing public API. This means that tools which use the SpamAssassin perl modules will need to update to use the new interface. A typical symptom is this error message: Can't locate Mail/SpamAssassin/NoMailAudit.pm in @INC (@INC contains: lib /home/jm/ftp/spamassassin/lib /etc/perl /usr/local/lib/perl/5.8.3 /usr/local/share/perl/5.8.3 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl /usr/local/lib/perl/5.8.2 /usr/local/share/perl/5.8.2 .) at /home/jm/bin/handlespam line 66. BEGIN failed--compilation aborted at /home/jm/bin/handlespam line 66. To fix this, the calling code needs to be updated to use the new parse() API on the Mail::SpamAssassin object. You should check the web site where you obtained that code, to see if they've released an update to support 3.0.0. If the script in question is part of the SpamAssassin distribution, such as 'spamassassin' or 'spamd', it's very likely that you're not running the 3.0.0 version of that tool, and instead the older 2.x version is still installed on your system, and still in the PATH. - Original Message From: Bob McClure Jr [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Sunday, February 25, 2007 9:57:18 PM Subject: Re: SA successfully installed, but it doesn't work. 
Can't locate Digest/SHA1.pm? Because /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris is not in your @INC. But why is _/usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris_ in your @INC? What's up with that? Cheers, -- Bob McClure, Jr. On Sun, Feb 25, 2007 at 05:14:40PM -0800, Wen Wang wrote: The log file says that can't locate Digest/SHA1.pm, but I do have /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris/Digest/SHA1.pm in my system. Why? Following is the log file: Feb 25 18:10:38 laika qmail: [ID 748625 mail.info] 1172448638.837731 delivery 126011: success: procmail:_Error_while_writing_to_/usr/tmp/procmail.log/Can't_locate_Digest/[EMAIL PROTECTED](@INC_contains:_/usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris_/usr/local/lib/perl5/site_perl/5.8.7_/usr/local/lib/perl5/5.8.7/sun4-solaris_/usr/local/lib/perl5/5.8.7_/usr/local/lib/perl5/site_perl)_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/EvalTests.pm_line_34./BEGIN_failed--compilation_aborted_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/EvalTests.pm_line_34./Compilation_failed_in_require_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/PerMsgStatus.pm_line_57./BEGIN_failed--compilation_aborted_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/PerMsgStatus.pm_line_57./Compilation_failed_in_require_at_/usr/local/lib/perl5/ Feb 25 18:10:38 laika qmail: [ID 986938 mail.info] 1172448638.837731+site_perl/5.8.7/Mail/SpamAssassin.pm_line_72./BEGIN_failed--compilation_aborted_at_/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin.pm_line_72./Compilation_failed_in_require_at_/usr/local/bin/spamassassin_line_82./BEGIN_failed--compilation_aborted_at_/usr/local/bin/spamassassin_line_82./procmail:_Error_while_writing_to_spamassassin/procmail:_Rescue_of_unfiltered_data_succeeded/did_0+0+1/ Thanks in advance, Wen Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. 
[EMAIL PROTECTED] http://www.bobcatos.com If you really keep the royal law found in Scripture, Love your neighbor as yourself, you are doing right. James 2:8 (NIV)
Re: SpamAssassin using spamc but not using rules correctly? Is my time being wasted changing local.cf etc?
On Tue, Feb 13, 2007 at 11:42:22AM +1300, Philip Seccombe wrote:
> Hi everyone,
> I've taken over a mail server from a previous technician and he's modified qmail to call spamassassin and the problem is I make changes to local.cf but I don't think they get used.
>
> Reasoning is that mail.info shows it saying that required score is 5.0 but I've changed this to 4.5
>
> spamassassin --lint -D will say that 4.5 is required:
>
> [21280] dbg: rules: running full-text regexp tests; score so far=1.046
> [21280] dbg: check: is spam? score=1.046 required=4.5
> [21280] dbg: check: tests=BAYES_05,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
> [21280] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
>
> /var/log/mail.info shows the following:
>
> Feb 13 11:26:53 nibbler spamd[14048]: spamd: connection from localhost [127.0.0.1] at port 44594

Umm, did you restart spamd?

remainder snipped

> Does anyone have any idea what on earth is going on here? I'm not a huge linux guru so I'm a little confused, qmail appears to download the message, check if it is a virus, then call spamc and check if it is spam, if it is then it puts it on a pop mailbox on the server else it forwards the message onto the customers mail server
>
> Apologies on the huge email, I wanted to give as much detail as I could
>
> Kind Regards,
> Philip Seccombe
> Turnstone Technologies NZ Limited
> Phone: +64 9 970 5550 Fax: +64 9 970 5559 DDI: +64 9 970 5552
> Email: [EMAIL PROTECTED] Web: www.turnstone.co.nz

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
This day I call heaven and earth as witnesses against you that I have set before you life and death, blessings and curses. Now choose life, so that you and your children may live. Deuteronomy 30:19 (NIV)
Re: sa-update gives error message Insecure dependency in open while running with -T switch
On Fri, Feb 09, 2007 at 12:02:52PM +1300, Philip Seccombe wrote:

This is what happens:

commit: wrote /etc/perl/CPAN/Config.pm
CPAN: Storable loaded ok
CPAN: LWP::UserAgent loaded ok
Fetching with LWP: ftp://ftp.perl.org/pub/CPAN/authors/01mailrc.txt.gz
LWP failed with code[500] message[LWP::Protocol::MyFTP: Bad hostname 'ftp.perl.org']
Fetching with Net::FTP: ftp://ftp.perl.org/pub/CPAN/authors/01mailrc.txt.gz
Going to read /root/.cpan/sources/authors/01mailrc.txt.gz
CPAN: Compress::Zlib loaded ok
Fetching with LWP: ftp://ftp.perl.org/pub/CPAN/modules/02packages.details.txt.gz
Going to read /root/.cpan/sources/modules/02packages.details.txt.gz
Database was generated on Wed, 07 Feb 2007 23:09:31 GMT
There's a new CPAN.pm version (v1.8802) available! [Current version is v1.7601]
You might want to try install Bundle::CPAN reload cpan without quitting the current session. It should be a seamless upgrade while we are running...
Fetching with LWP: ftp://ftp.perl.org/pub/CPAN/modules/03modlist.data.gz
Going to read /root/.cpan/sources/modules/03modlist.data.gz
Going to write /root/.cpan/Metadata
Warning: Cannot install File::IO, don't know what it is.
Try the command
i /File::IO/

That should be IO::FILE.

to find objects with matching identifiers.
nibbler:~#

Kind Regards, Philip Seccombe Turnstone Technologies NZ Limited Phone: +64 9 970 5550 Fax: +64 9 970 5559 DDI: +64 9 970 5552 Email: [EMAIL PROTECTED] Web: www.turnstone.co.nz

-Original Message- From: Doc Schneider [mailto:[EMAIL PROTECTED] Sent: Friday, 9 February 2007 11:53 a.m. To: Philip Seccombe Cc: users@spamassassin.apache.org Subject: Re: sa-update gives error message Insecure dependency in open while running with -T switch

Philip Seccombe wrote:

Hi everyone, Tried Googling this but no success. Any advice would be greatly appreciated. Is it updating or does that error mean it is stopping at the end and not updating?

When I run sa-update -D I get the following:

[9013] dbg: channel: extracting archive
Insecure dependency in open while running with -T switch at /usr/lib/perl/5.8/IO/File.pm line 70.

You can more than likely re-install File::IO which is part of the perl base but seems to me to be borked.

#perl -MCPAN -e 'install File::IO'

Should work. From your directory it appears you're using perl 5.8.?? Do a perl -v and if that install fails send along the version info.

-- -Doc SA/SARE/URIBL/SURBL -- Ninja 4:48pm up 5 days, 8:14, 17 users, load average: 0.40, 0.67, 0.66 SARE HQ http://www.rulesemporium.com/

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Ah, Sovereign LORD, you have made the heavens and the earth by your great power and outstretched arm. Nothing is too hard for you. Jeremiah 32:17 (NIV)
Re: sa-update gives error message Insecure dependency in open while running with -T switch
On Fri, Feb 09, 2007 at 12:26:31PM +1300, Philip Seccombe wrote: I ran perl -MCPAN -e 'install Bundle:CPAN' and went through all the updates using defaults Now it says: nibbler:~# perl -MCPAN -e 'install File::IO' Don't forget that should be IO::File. CPAN: File::HomeDir loaded ok Sorry, we have to rerun the configuration dialog for CPAN.pm due to the following indispensable but missing parameters: mbuild_arg, mbuild_install_arg, mbuild_install_build_command, mbuildpl_arg The next questions deal with Module::Build support. A Build.PL is run by perl in a separate process. Likewise we run './Build' and './Build install' in separate processes. If you have any parameters you want to pass to the calls, please specify them here. Parameters for the 'perl Build.PL' command? Typical frequently used settings: --install_base /home/xxx # different installation directory Your choice: [] Oops :s Okay, you're just running the setup for CPAN. Take most of the defaults, but I recommend you specify UNINST=1 for the install option, as suggested, and then select the CPAN server(s) you want. Then it will proceed with the install of IO::File. Kind Regards, Philip Seccombe Turnstone Technologies NZ Limited Phone: +64 9 970 5550 Fax: +64 9 970 5559 DDI: +64 9 970 5552 Email: [EMAIL PROTECTED] Web: www.turnstone.co.nz major snippage Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Ah, Sovereign LORD, you have made the heavens and the earth by your great power and outstretched arm. Nothing is too hard for you. Jeremiah 32:17 (NIV)
Re: sa-update gives error message Insecure dependency in open while running with -T switch
On Fri, Feb 09, 2007 at 12:47:54PM +1300, Philip Seccombe wrote: Running through that gets me to this: Typical frequently used setting: --uninst 1 # uninstall conflicting files Your choice: [] --uninst 1 Please remember to call 'o conf commit' to make the config permanent! CPAN: Storable loaded ok Going to read /root/.cpan/Metadata Database was generated on Wed, 07 Feb 2007 23:09:31 GMT Test::Harness is up to date (2.64). ExtUtils::CBuilder is up to date (0.18). Module::Build is up to date (0.2806). File::Spec is up to date (3.24). File::Temp is up to date (0.18). Scalar::Util is up to date (1.19). Test::More is up to date (0.67). Data::Dumper is up to date (2.121). Digest::SHA is up to date (5.44). File::HomeDir is up to date (0.63). Compress::Zlib is up to date (2.003). Archive::Tar is up to date (1.30). Archive::Zip is up to date (1.18). Net::Cmd is up to date (2.27). Net::FTP is up to date (2.77). Term::ReadKey is up to date (2.30). Term::ReadLine::Perl is up to date (1.0302). YAML is up to date (0.62). Text::Glob is up to date (0.07). CPAN is up to date (1.8802). File::Which is up to date (0.05). nibbler:~# And there's just nothing happening Well, you're back at the shell script. Everything you did should be saved in your local configuration, so go back and run the perl -MCPAN -e 'install IO::File' command line (note correction). Also note that on most installations you can run it interactively by just putting this on the command line: cpan Then, at the cpan prompt, put install IO::File or whatever else you want to do. Kind Regards, Philip Seccombe Turnstone Technologies NZ Limited Phone: +64 9 970 5550 Fax: +64 9 970 5559 DDI: +64 9 970 5552 Email: [EMAIL PROTECTED] Web: www.turnstone.co.nz -Original Message- From: Bob McClure Jr [mailto:[EMAIL PROTECTED] Sent: Friday, 9 February 2007 12:41 p.m. 
To: users@spamassassin.apache.org Subject: Re: sa-update gives error message Insecure dependency in open while running with -T switch On Fri, Feb 09, 2007 at 12:26:31PM +1300, Philip Seccombe wrote: I ran perl -MCPAN -e 'install Bundle:CPAN' and went through all the updates using defaults Now it says: nibbler:~# perl -MCPAN -e 'install File::IO' Don't forget that should be IO::File. CPAN: File::HomeDir loaded ok Sorry, we have to rerun the configuration dialog for CPAN.pm due to the following indispensable but missing parameters: mbuild_arg, mbuild_install_arg, mbuild_install_build_command, mbuildpl_arg The next questions deal with Module::Build support. A Build.PL is run by perl in a separate process. Likewise we run './Build' and './Build install' in separate processes. If you have any parameters you want to pass to the calls, please specify them here. Parameters for the 'perl Build.PL' command? Typical frequently used settings: --install_base /home/xxx # different installation directory Your choice: [] Oops :s Okay, you're just running the setup for CPAN. Take most of the defaults, but I recommend you specify UNINST=1 for the install option, as suggested, and then select the CPAN server(s) you want. Then it will proceed with the install of IO::File. Kind Regards, Philip Seccombe Turnstone Technologies NZ Limited Phone: +64 9 970 5550 Fax: +64 9 970 5559 DDI: +64 9 970 5552 Email: [EMAIL PROTECTED] Web: www.turnstone.co.nz major snippage Cheers, -- Bob McClure, Jr. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Ah, Sovereign LORD, you have made the heavens and the earth by your great power and outstretched arm. Nothing is too hard for you. Jeremiah 32:17 (NIV)
Re: Botnet FP
On Thu, Feb 01, 2007 at 05:21:08PM +0100, Jonas Eckerman wrote:

[botnet0.7,ip=66.251.54.6,hostname=outbox2.onceanddone.com,maildomain=onceanddone.com,baddns]

host 66.251.54.6
6.54.251.66.in-addr.arpa domain name pointer outbox2.onceanddone.com.

host outbox2.onceanddone.com
outbox2.onceanddone.com has address 66.251.51.6

host 66.251.51.6
Host 6.51.251.66.in-addr.arpa not found: 3(NXDOMAIN)

Ah, I failed to check that. Therein lies the source of the carp.

- Is that a screwy server setup?

Looks like a mistake by whoever configured their DNS. Mistakes happen (which is why I've lowered the score here).

What should I do in the long term?
- Send a nastygram to [EMAIL PROTECTED]

Why not a nice mail pointing out the mistake (a 1 instead of a 4) in their reverse DNS config (unless something indicates that the error is intentional)?

Yeah, I didn't really mean a nasty nastygram, more of an aw_nuts_gram. But I wanted to get a sanity check (I failed :-) before I shot my mouth, er keyboard, off. I'll send him a heads-up. Thanks.

Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com The mind of sinful man is death, but the mind controlled by the Spirit is life and peace. Romans 8:6 (NIV)
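The three host lookups in the message above amount to a forward-confirmed reverse DNS check. The following is an added example, not part of the original thread and not the Botnet plugin's code: it runs that check over a constructed resolver table holding the records quoted above and flags a one-octet near miss as a likely typo. The function names, result fields and the near-miss heuristic are assumptions of this example.

```python
import ipaddress
import socket

# Constructed resolver data: exactly the records shown by the host commands above.
PTR_RECORDS = {"66.251.54.6": ["outbox2.onceanddone.com."]}
A_RECORDS = {"outbox2.onceanddone.com.": ["66.251.51.6"]}


def table_resolver(table):
    """Lookup function backed by a dict; a missing key behaves like NXDOMAIN."""
    def lookup(key):
        return list(table.get(key, []))
    return lookup


def system_resolvers():
    """Live lookups through the system resolver, for use outside the offline demo."""
    def ptr(ip):
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except OSError:
            return []

    def fwd(name):
        try:
            return socket.gethostbyname_ex(name.rstrip("."))[2]
        except OSError:
            return []
    return ptr, fwd


def fqdn(name):
    """Normalise a host name to lower case with one trailing dot."""
    return name.lower().rstrip(".") + "."


def differing_bytes(a, b):
    """Number of address bytes that differ, or None across address families."""
    if a.version != b.version:
        return None
    return sum(x != y for x, y in zip(a.packed, b.packed))


def fcrdns(ip, ptr_lookup, a_lookup):
    """Classify reverse/forward agreement for a relay IP.

    status is one of: no_ptr, no_forward, mismatch, confirmed.
    """
    addr = ipaddress.ip_address(ip)
    names = [fqdn(n) for n in ptr_lookup(str(addr))]
    if not names:
        return {"status": "no_ptr", "ip": str(addr)}
    forwards = []
    for name in names:
        for raw in a_lookup(name):
            candidate = ipaddress.ip_address(raw)
            if candidate == addr:
                return {"status": "confirmed", "ip": str(addr), "name": name}
            forwards.append((name, candidate))
    if not forwards:
        return {"status": "no_forward", "ip": str(addr), "names": names}
    # A forward address exactly one byte away from the relay looks like a
    # data-entry slip in the zone rather than an unrelated host.
    near = [(n, f) for n, f in forwards if differing_bytes(addr, f) == 1]
    name, candidate = (near or forwards)[0]
    return {
        "status": "mismatch",
        "ip": str(addr),
        "name": name,
        "forward": str(candidate),
        "likely_typo": bool(near),
    }


if __name__ == "__main__":
    ptr, fwd = table_resolver(PTR_RECORDS), table_resolver(A_RECORDS)
    print(fcrdns("66.251.54.6", ptr, fwd))
    print(fcrdns("66.251.51.6", ptr, fwd))
```

A mismatch with likely_typo set is the case discussed in the thread, where a lowered score and a note to the domain's administrator fit better than a hard block.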
Re: sa-update correctly done?
On Sun, Jan 28, 2007 at 11:31:02PM -0800, Sharman Tiladu wrote:

My first day with Spamassassin. As root, I ran sa-update. Then I created the file sare-sa-update-channels.txt that contain these lines:

70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri.cf.sare.sa-update.dostech.net
70_sare_obfu.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net

Then I ran:

sa-update --channelfile /var/lib/spamassassin/3.001007/updates_spamassassin_org/sare-sa-update-channels.txt --gpgkey 856AA88A

and I noticed that my /var/lib/spamassassin/3.001007 directory now contains these:

70_sare_adult_cf_sare_sa-update_dostech_net
70_sare_adult_cf_sare_sa-update_dostech_net.cf
70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net
70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf
70_sare_obfu_cf_sare_sa-update_dostech_net
70_sare_obfu_cf_sare_sa-update_dostech_net.cf
70_sare_oem_cf_sare_sa-update_dostech_net
70_sare_oem_cf_sare_sa-update_dostech_net.cf
70_sare_specific_cf_sare_sa-update_dostech_net
70_sare_specific_cf_sare_sa-update_dostech_net.cf
70_sare_stocks_cf_sare_sa-update_dostech_net
70_sare_stocks_cf_sare_sa-update_dostech_net.cf
70_sare_unsub_cf_sare_sa-update_dostech_net
70_sare_unsub_cf_sare_sa-update_dostech_net.cf
70_sare_uri_cf_sare_sa-update_dostech_net
70_sare_uri_cf_sare_sa-update_dostech_net.cf
72_sare_bml_post25x_cf_sare_sa-update_dostech_net
72_sare_bml_post25x_cf_sare_sa-update_dostech_net.cf
99_sare_fraud_post25x_cf_sare_sa-update_dostech_net
99_sare_fraud_post25x_cf_sare_sa-update_dostech_net.cf
updates_spamassassin_org
updates_spamassassin_org.cf
updates_spamassassin_org.pre

Am I doing these correctly? Please advise.

Yes, that is correct.
Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Let everything that has breath praise the LORD. Praise the LORD. Psalm 150:6 (NIV)
Re: bayes sql initialization
On Thu, Jan 25, 2007 at 05:20:27AM -0500, Tom Allison wrote: Bob McClure Jr wrote: On Wed, Jan 24, 2007 at 09:01:58PM -0500, Tom Allison wrote: Am I correct in understanding that I have to run sa-learn for every user who is going to have a bayes token store? If you are running per-user Bayes (nothing else makes much sense, IMHO), yes, but only if they want to train their Bayes with mis-marked ham and spam, or want to pre-load Bayes with some corpus. Just to initialize their databases I have to do this? Not if you're not going to pre-load the Bayes DBs, which you don't have to do. If you have not turned off Bayes (it is on by default), and you are calling spamc at delivery time, say, with the user's .procmailrc, then SA will initialize the Bayes DBs. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Whatever you do, work at it with all your heart, as working for the Lord, not for men, since you know that you will receive an inheritance from the Lord as a reward. It is the Lord Christ you are serving. Colossians 3:23-24 (NIV)
Re: bayes sql initialization
On Wed, Jan 24, 2007 at 09:01:58PM -0500, Tom Allison wrote: Am I correct in understanding that I have to run sa-learn for every user who is going to have a bayes token store? If you are running per-user Bayes (nothing else makes much sense, IMHO), yes, but only if they want to train their Bayes with mis-marked ham and spam, or want to pre-load Bayes with some corpus. Standardize shouldbeham and shouldbespam boxes, and cron is your friend. I'd say Bob's your uncle, but I'm not. :-) Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Whatever you do, work at it with all your heart, as working for the Lord, not for men, since you know that you will receive an inheritance from the Lord as a reward. It is the Lord Christ you are serving. Colossians 3:23-24 (NIV)
Re: sa-update exclude some rulesets
On Tue, Jan 23, 2007 at 10:53:23AM +1100, Rolf wrote:

Hello

Using sa-update successfully. I'd like however to be able to exclude some of the rules it retrieves. Is there a configurable way to do this? I suppose after it runs I could manually remove the file of the ruleset in question, but if the programme takes an option somehow, that would be better.

In your local.cf, put

score rule_you_dont_want 0

thanks rolf.

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com When they saw the courage of Peter and John and realized that they were unschooled, ordinary men, they were astonished and they took note that these men had been with Jesus. Acts 4:13 (NIV)
Re: sa-stats.pl blows up on maillog covering turn of year
On Thu, Jan 04, 2007 at 07:09:54PM -0600, Chris wrote:

On Wednesday 03 January 2007 10:18 pm, Bob McClure Jr wrote:

I run sa-stats.pl written by Dallas:

# file: sa-stats.pl
# date: 2005-07-27
# version: 0.9
# author: Dallas Engelken [EMAIL PROTECTED]
# desc: SA 3.x log parser

on my 3.1.7 SA version with no problems.

-- Chris KeyID 0xE372A7DA98E6705C http://learn.to/quote

So do I. In fact I use the new and improved v1.02 for SA v3.1.x. For those just tuning in, it's here: http://www.rulesemporium.com/programs/sa-stats-1.0.txt It and the sa-stats.pl included with SA produce very different reports, and I find both reports useful. Pity they have the same name. I renamed Dallas' script sa-stats-sare.pl to keep them straight. Hmm. I shoulda called it sare-stats.pl.

You didn't say if you're still having problems or not.

I probably am, but have disabled the scripts until the logs with Dec 2006 data are rotated out.

I just downloaded, configured and ran the new version as root from the cli and had no problems:

[EMAIL PROTECTED] SAStuff]# ./sa-stats-1.0.pl

Email:  148  Autolearn: 0  AvgScore: 35.43  AvgScanTime: 8.13 sec
Spam:   113  Autolearn: 0  AvgScore: 48.18  AvgScanTime: 8.28 sec
Ham:     35  Autolearn: 0  AvgScore: -5.74  AvgScanTime: 7.66 sec

Time Spent Running SA:       0.33 hours
Time Spent Processing Spam:  0.26 hours
Time Spent Processing Ham:   0.07 hours

TOP SPAM RULES FIRED
--
RANK  RULE NAME               COUNT  %OFMAIL  %OFSPAM  %OFHAM
--
   1  SAGREY                    110    74.32    97.35    0.00
   2  BOTNET                    100    68.92    88.50    5.71
   3  BAYES_99                   96    64.86    84.96    0.00
   4  RAZOR2_CHECK               80    54.05    70.80    0.00
   5  RAZOR2_CF_RANGE_51_100     79    53.38    69.91    0.00

remainder snipped

-- Chris KeyID 0xE372A7DA98E6705C http://learn.to/quote

That's not the one I'm having trouble with. Both of Dallas' scripts work fine. It's the sa-stats.pl script that is bundled with SA (produces a quite different report) that does unpleasant things when used with the current (v1.09) Parse::Syslog module on a maillog that crosses the year boundary.

Cheers, -- Bob McClure, Jr.
Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Whatever you have learned or received or heard from me, or seen in me -- put it into practice. And the God of peace will be with you. Philippians 4:9 (NIV)
Re: sa-stats.pl blows up on maillog covering turn of year
On Wed, Jan 03, 2007 at 05:44:34PM -0600, Chris wrote: On Tuesday 02 January 2007 3:54 pm, Bob McClure Jr wrote: sa-stats.pl as distributed with SA v3.1.7 blows out a ton of WARNING: ignoring future date in syslog line: Dec 31 20:26:56 bubba spamd[7149]: prefork: child states: II and the like, and ends up reporting zeros for results. Another machine with the same sa-stats.pl (and an earlier version as well) works just fine. Both machines are running Fedora Core 4 with Perl v5.8.6, but the one difference I found is in Parse::Syslog. The machine that works has v1.03. The one that blows up has v1.09. I run sa-stats.pl written by Dallas: # file: sa-stats.pl # date: 2005-07-27 # version: 0.9 # author: Dallas Engelken [EMAIL PROTECTED] # desc: SA 3.x log parser on my 3.1.7 SA version with no problems. -- Chris KeyID 0xE372A7DA98E6705C http://learn.to/quote So do I. In fact I use the new and improved v1.02 for SA v3.1.x. For those just tuning in, it's here: http://www.rulesemporium.com/programs/sa-stats-1.0.txt It and the sa-stats.pl included with SA produce very different reports, and I find both reports useful. Pity they have the same name. I renamed Dallas' script sa-stats-sare.pl to keep them straight. Hmm. I shoulda called it sare-stats.pl. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Whatever you have learned or received or heard from me, or seen in me -- put it into practice. And the God of peace will be with you. Philippians 4:9 (NIV)
sa-stats.pl blows up on maillog covering turn of year
sa-stats.pl as distributed with SA v3.1.7 blows out a ton of

WARNING: ignoring future date in syslog line: Dec 31 20:26:56 bubba spamd[7149]: prefork: child states: II

and the like, and ends up reporting zeros for results.

Another machine with the same sa-stats.pl (and an earlier version as well) works just fine. Both machines are running Fedora Core 4 with Perl v5.8.6, but the one difference I found is in Parse::Syslog. The machine that works has v1.03. The one that blows up has v1.09. I can't tell if it's Parse::Syslog that is broken, or sa-stats.pl is failing to take advantage of a new feature of Parse::Syslog.

On both machines, sa-stats.pl is called from a script in /etc/cron.daily/sa-stats thusly:

#!/bin/sh
# Set a 24-hour period.
start=`date -d yesterday`
# to today
end=`date`
/usr/local/sbin/sa-stats -s "$start" -e "$end"

Has anyone else experienced or fixed this?

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Whatever you have learned or received or heard from me, or seen in me -- put it into practice. And the God of peace will be with you. Philippians 4:9 (NIV)
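Traditional syslog timestamps carry no year, so whatever reads the log has to supply one, and the first runs after New Year are where that goes wrong. The following is an added example, not part of the original post and not the code of Parse::Syslog or sa-stats.pl (the post does not establish which of the two is at fault): it compares stamping every line with the current year against inferring the year from a reference time, over the same 24-hour window the cron job requests. The sample log is constructed except for its second line, which is the one quoted in the warning; the run time, function names and one-hour clock-skew allowance are assumptions.

```python
from datetime import datetime, timedelta

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Allowance for clock skew before a timestamp counts as "in the future".
SLACK = timedelta(hours=1)

# Constructed run time: a cron.daily job early on New Year's Day.
NOW = datetime(2007, 1, 1, 4, 2, 0)

# Constructed maillog excerpt; only the second line comes from the post.
SAMPLE_LOG = """\
Dec 30 09:15:00 bubba spamd[7149]: constructed entry before the window
Dec 31 20:26:56 bubba spamd[7149]: prefork: child states: II
Dec 31 23:59:58 bubba spamd[7149]: constructed entry just before midnight
Jan  1 00:00:03 bubba spamd[7149]: constructed entry just after midnight
"""


def split_line(line):
    """Split 'Mon DD HH:MM:SS rest' into (month, day, h, m, s) and the rest."""
    mon, day, clock, rest = line.split(None, 3)
    hh, mm, ss = (int(part) for part in clock.split(":"))
    return (MONTHS[mon], int(day), hh, mm, ss), rest


def stamp_current_year(fields, now):
    """Naive policy: every line belongs to the year the parser runs in."""
    return datetime(now.year, *fields)


def stamp_inferred_year(fields, now):
    """Pick the most recent year that does not put the line in the future."""
    for year in range(now.year, now.year - 9, -1):
        try:
            ts = datetime(year, *fields)
        except ValueError:
            continue  # Feb 29 in a non-leap year
        if ts <= now + SLACK:
            return ts
    raise ValueError("no plausible year for %r" % (fields,))


def daily_window(log_text, now, stamper):
    """Return (entries inside the last 24 hours, lines ignored as future-dated)."""
    start = now - timedelta(days=1)
    counted, ignored = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields, rest = split_line(line)
        ts = stamper(fields, now)
        if ts > now + SLACK:
            ignored.append(line)
        elif start <= ts <= now:
            counted.append((ts, rest))
    return counted, ignored


if __name__ == "__main__":
    for stamper in (stamp_current_year, stamp_inferred_year):
        counted, ignored = daily_window(SAMPLE_LOG, NOW, stamper)
        print(stamper.__name__, "counted:", len(counted), "ignored:", len(ignored))
```

With the naive policy the December lines land in December 2007 and are dropped as future-dated, which is how a daily report can come up nearly empty at the turn of the year.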
Re: How best to restart SpamAssassin with RDJ
On Tue, Dec 12, 2006 at 12:38:02AM -, Geoff Soper wrote:

I'm moving from calling SA on a per message basis to using spamc. This means I need to specify a value for SA_RESTART. Should I be using /usr/bin/spamassassin or /etc/rc.d/init.d/spamassassin and reload or restart? What's the difference between the two different files?

/usr/bin/spamassassin is a stand-alone spam checker (as opposed to the client/server spamc/spamd). /etc/rc.d/init.d/spamassassin is a script that starts, stops, restarts, etc. spamd. Assuming this is a Linux box, you can either

/etc/rc.d/init.d/spamassassin restart

or

/sbin/service spamassassin restart

for SA_RESTART. They are functionally identical.

Thanks, Geoff

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: Systemwide Procmail usage
On Fri, Dec 01, 2006 at 05:56:06AM -0500, Will Nordmeyer wrote:

I know this isn't the procmail list, but had a quick question. My server is running SA 3.1.7 and has the following systemwide procmailrc:

SHELL=/bin/sh
#LOGFILE=$HOME/.procmail-log
#VERBOSE=on
DROPPRIVS=yes

:0fw
* < 256000
| /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock

If I want to lower the load on SA by not having emails to/from THIS list (and select other lists) processed through SpamAssassin, could I simply change it to this?

SHELL=/bin/sh
#LOGFILE=$HOME/.procmail-log
#VERBOSE=on
DROPPRIVS=yes

:0fw
* < 256000
* ! To: users@spamassassin.apache.org
| /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock

I don't think that will work because the To: line isn't always just that way, and the sender might have the address in the Cc: line. Rather filter on the line:

List-Id: users.spamassassin.apache.org

because it's always, always, always in that format. FWIW, I use a different logic because I have many things I want to exclude from SA scanning, so before the call to spamc, I have recipes like:

:0:
* ^List-Id: users\.spamassassin\.apache.org
/var/spool/mail/bob

which diverts such mail directly to my mailbox without going through SA.

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: Systemwide Procmail usage
On Fri, Dec 01, 2006 at 09:38:38AM -0700, [EMAIL PROTECTED] wrote: On Fri, December 1, 2006 8:06 am, Bob McClure Jr wrote: On Fri, Dec 01, 2006 at 05:56:06AM -0500, Will Nordmeyer wrote: I know this isn't the procmail list, but had a quick question. My server is running SA 3.1.7 and has the following systemwide procmailrc: SHELL=/bin/sh #LOGFILE=$HOME/.procmail-log #VERBOSE=on DROPPRIVS=yes :0fw * 256000 | /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock If I want to lower the load on SA by not having emails to/from THIS list (and select other lists) processed through SpamAssassin, could I simply change it to this? SHELL=/bin/sh #LOGFILE=$HOME/.procmail-log #VERBOSE=on DROPPRIVS=yes :0fw * 256000 * ! To: users@spamassassin.apache.org | /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock I don't think that will work because the To: line isn't always just that way, and the sender might have the address in the Cc: line. Rather filter on the line: List-Id: users.spamassassin.apache.org because it's always, always, always in that format. FWIW, I use a different logic because I have many things I want to exclude from SA scanning, so before the call to spamc, I have recipes like: :0: * ^List-Id: users\.spamassassin\.apache.org /var/spool/mail/bob which diverts such mail directly to my mailbox without going through SA. Just a thought, but when I place rules in /etc/procmailrc, I do something like: :0: *^List-ID: users.spamassassin.apache.org /var/spool/mail/$USER That way, if someone else on the server joins the affected list, it is put in the correct inbox. Karl Good point. I'm working from my personal .procmailrc. The only thing I put in /etc/procmailrc is the call to clamassassin. Everyone else calls spamc from ~/.procmailrc, per-user bayes and all that. Cheers, -- Bob McClure, Jr. -- karl _/ _/ _/ _/_/_/ __o _/ _/ _/ _/_/ _-\._ _/_/_/ _/_/_/ (_)/ (_) _/ _/ _/ _/ .. 
_/ _/ arl _/_/_/ _/ earson[EMAIL PROTECTED] --- Senior Consulting Sys/DB Analyst http://consulting.ourldsfamily.com --- My Thoughts on Terrorism In America right after 9/11/2001: http://www.ourldsfamily.com/wtc.shtml --- The world is a dangerous place to live... not because of the people who are evil, but because of the people who don't do anything about it. - Albert Einstein --- Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: Skip spamd for certain users
On Thu, Nov 23, 2006 at 01:21:15AM -0900, John Andersen wrote:

On Thursday 23 November 2006 01:00, Kim Christensen wrote:

That's what I'm doing, sorry for not being totally clear about that. Thank you for your quick reply!

Well if a user has a (dot) .procmailrc script in their directory it will over-ride the one in /etc. That way those users that don't want to miss a single little blue pill spam can just choose to accept all of them.

Umm, actually the man page for procmail says, in part:

If no rcfiles and no -p have been specified on the command line, procmail will, prior to reading $HOME/.procmailrc, interpret commands from /etc/procmailrc (if present). Care must be taken when creating /etc/procmailrc, because, if circumstances permit, it will be executed with root privileges (contrary to the $HOME/.procmailrc file of course).

Lots of people use system wide procmailrc scripts (in /etc) to toss out what is obviously and incontestably spam, such as something scoring over 20, and let the rest flow through to the user. I think there are examples of this on the SA website, and the wiki.

-- _ John Andersen

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: Sending Marked up mail to another address
On Fri, Nov 17, 2006 at 01:41:03PM -0500, Luke Shannon wrote:

I just got my system going. For the short term I would like to send all mail marked as spam to another address (not served from the box spam assassin is on). I am using sendmail/procmail/spamassassin

Here is my .spamassassin.rc file.

You mean .procmailrc file?

Any ideas why this won't work? When the forward rule is in place, the first rule doesn't work. I'm new to this so my apologies if this is a trivial/silly error on my part.

Thanks for the help, Luke

# (250 * 1024 = 256000 bytes) are processed by SpamAssassin.
:0fw
* < 256000
| /usr/bin/spamassassin --prefs-file=/home/spamfolder/.user_prefs

# All mail tagged as spam (eg. with a score higher than the set threshold)
# is forwarded to admin
:0
* ^X-Spam-Status: Yes
/usr/sbin/sendmail -oi [EMAIL PROTECTED]

You need a pipe in front of that:

| /usr/sbin/sendmail -oi [EMAIL PROTECTED]

The other way is to just put a bang in front of the email address:

! [EMAIL PROTECTED]

See man procmailex and man procmailrc.

# Work around procmail bug: any output on stderr will cause the F in From
# to be dropped. This will re-add it.
:0
* ^^rom[ ]
{
  LOG="*** Dropped F off From_ header! Fixing up. "

  :0 fhw
  | sed -e '1s/^/F/'
}

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: FW: Cron [EMAIL PROTECTED] /usr/local/etc/mail/spamassassin/update-rules.sh
On Fri, Nov 10, 2006 at 08:25:48AM -0600, Larry Rosenman wrote: Cron Daemon wrote: config: warning: score set for non-existent rule PART_CID_STOCK config: warning: score set for non-existent rule PART_CID_STOCK_LESS channel: lint check of update failed, channel failed Just got this from a SA-UPDATE run. Ideas? Known bug in v3.1.6. Upgrade to v3.1.7 or downgrade to v3.1.5 LER -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 512-248-2683 E-Mail: ler@lerctr.org US Mail: 430 Valona Loop, Round Rock, TX 78681-3893 Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: sa-learn in background
On Wed, Oct 11, 2006 at 01:05:36PM -0400, Bowie Bailey wrote:

Bob McClure wrote:

My client built a script that runs sa-learn for each user's (about 15 of them) spam and ham boxes.

That's easy enough. I do that here as well.

We're having some problems with the script that make the client think that sa-learn pushes some of its work into the background.

What kind of problems?

They are, so far as I know, unrelated to SA. We mount a Win2K3 share where the Outhouse PST spam/ham buckets are, and for each user, run readpst on them, and then process the results with sa-learn. When it's over with, the script umounts the share and sometimes that reports

umount: /var/spamtmp: device is busy

No, it isn't sitting on /var/spamtmp - it previously did a cd /. Little by little, I'm adding more instrumentation to the script to figure out where the problem is. If that happens very many times, /var/spamtmp attains an indeterminate state such that any attempt to do anything with it (ls, for instance) results in input/output error. The only thing we've found to resolve that is to reboot the machine. Ugh.

I know the script itself does not do that. I told him I didn't think sa-learn does anything in the background. Am I not correct?

sa-learn does not run any processes in the background if that is what you mean. It simply does its thing and exits when it is finished.

That's what I thought. Thanks for the confirmation.

You can force it into the background like this:

sa-learn --spam /directory &

But that shouldn't cause any problems (except load if you try to run too many of them in parallel).

The system is a RedHat ES4 box running postfix and spamd/spamc and procmail. Thanks for all your good work.

Cheers, -- Bowie

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: sa-learn in background
On Wed, Oct 11, 2006 at 02:00:42PM -0400, Theo Van Dinter wrote: On Wed, Oct 11, 2006 at 12:23:28PM -0500, Bob McClure Jr wrote: it's over with, the script umounts the share and sometimes that reports umount: /var/spamtmp: device is busy No, it isn't sitting on /var/spamtmp - it previously did a cd /. IMO, the script should catch the failure, perhaps run fuser w/ the appropriate flags, and either deal with the process or try umount -lf. Good idea. I'll try that. But yeah, if sa-learn returns, then sa-learn is finished. Thanks. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: local.cf
On Mon, Oct 09, 2006 at 01:11:39PM -0400, Stas Khromoy wrote: hey folks is there a way to take the list of 'whitelist_from' from local.cf and have local.cf reference the new file ? Why not just put them in a separate file, say, whitelist.cf? No need to reference it in local.cf. All files in (presumably) /etc/mail/spamassassin/ with .cf extension will be read. Don't forget to restart spamd if you are using it. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: sa-learn: option to delete learn-mails
On Mon, Oct 09, 2006 at 08:08:59PM +0200, Daniel Seichter wrote:

Hello,

Is there a way to delete all learned mails out of a mbox folder? I want to add a standard folder on my IMAP server which is called spam_learn and the user (at the moment only myself) can move messages to this folder in his mailreader. A cronjob now checks this folder and learns what is spam. At the moment it works fine, but the problem is, that I want to delete these messages after they are read. But within the help of sa-learn I didn't find an option like --delete-learned or something else. Do you have any ideas how to resolve this?

Using: Spamassassin 3.1.3 on ubuntu 6.06.1

Thank you Daniel

Why not add

; > $myuser/spam_learn

(where $myuser is the path to the directory containing spam_learn) to the end of the cronjob? That will leave the file intact with existing perms, but make it zero length.

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: sa-learn: option to delete learn-mails
On Mon, Oct 09, 2006 at 02:38:41PM -0700, John D. Hardin wrote:

On Mon, 9 Oct 2006, Bob McClure Jr wrote:

Why not add

; > $myuser/spam_learn

&& > $myuser/spam_learn

would be better. && means only execute if the preceding step completed successfully. That way if sa-learn fails you won't delete an unlearned mailbox.

Good point. I was hasty. Also the OP emailed me directly asking (implying, actually) about the need for locking. I thought the risk pretty small, but suggested lockmail available in the maildrop package.

-- John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: The grey hats are at it in force
On Thu, Aug 31, 2006 at 08:20:58PM -0400, Gino Cerullo wrote: On 31-Aug-06, at 8:08 PM, Chris wrote: This is even better than the last one: http://194-144-135-77.du.xdsl.is/~ingi/.change/index.php? MfcISAPICommand=ChangeFPP Who are these masked avengers? ;-) -- Gino Cerullo Pixel Point Studios 21 Chesham Drive Toronto, ON M3M 1W6 416-247-7740 I have, from time to time, alerted a network admin of a phishing page on a machine on his network. He may well have handled it directly. I would have. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Blessed is the nation whose God is the LORD. - Psalm 33:12 Righteousness exalts a nation. - Proverbs 14:34
Re: What is normal period for SA retraining ?
On Thu, Jun 15, 2006 at 01:17:51PM -0700, Harris, Jason (DIS) wrote: I'm wanting to know how many times per year do SA admins have to retrain? Our setup sends mail to SA client for a score, then depending on score stores a backup of the mail in spam/ham mail folders for later review in case a mistake is made. We train SA and it detects flawlessly at this beginning time; the good mail numbers about 2000 per day and the spam rates at about 1 per day. In three months of time, SA is letting most of the spam through, the rates I've listed above being reversed. We keep a month of mail around for retraining, which is a lot of work to go through. I was just wondering how often others have to do the same thing. Thanks! SA Version 2.64 skip_rbl_checks 0 bayes_auto_learn_threshold_spam 7 use_bayes 1 Jason Harris I've never had to. All my clients use per-user Bayes, and those that care feed sa-learn anything that's mis-categorized. I have a very low false rate. Currently using v3.1.1. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Jesus wasn't (and isn't) politically correct. Send complaints to [EMAIL PROTECTED]
Re: Which Operating Systems Do You Use and Why?
On Fri, Apr 07, 2006 at 11:51:05AM -0700, Gary W. Smith wrote: Now we get to watch the body part's fly across the room. :) You know there are 3 things in life which you never ever talk about in public; religion, politics and what OS is best. You forgot editors. No, wait, that is a religion. :-) Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com The best things in life aren't things.
Re: Updated Pump and Dump rules. 2006-02-23
On Fri, Feb 24, 2006 at 12:25:02AM -0500, Gene Heskett wrote: On Thursday 23 February 2006 23:20, Bob McClure Jr wrote: On Thu, Feb 23, 2006 at 10:59:02PM -0500, Gene Heskett wrote: A snippet or 3 from a 'crontab -l' as root: [EMAIL PROTECTED] 06 22 * * * /etc/init.d/asmb restart 40 4 * * 0 /root/bin/fetchmail-restart 37 6 * * * /usr/local/sbin/rules_du_jour And I am getting email from the first 2 of those, but not the third. The 2nd one is to allow logrotate to close the logfiles and reopen them. However, I may have to delay that more than 4 minutes it appears. You might check your maillog for clues timestamped around 0637 every morning. There's probably a forehead slapper in there. (Most of my trips to /var/log/maillog result in a slap to the forehead.) Check also your wrapper (I use my_rules_du_jour to call rules_du_jour) or config file (normally /etc/rulesdujour/config) for settings of MAIL_ADDRESS, SINGLE_EMAIL_ONLY, EMAIL_RDJ_UPDATE_ONLY, and MAILCMD. If those aren't set, and there's an alias for root in /etc/aliases that gets to you, it should work sensibly. There is absolutely nothing in them back to maillog.4 that references rules_du_jour. But a study did show me two problems, first although it's running as the user, it was bitching about the existence of a procmailrc file in /etc/procmail, so I just renamed that which seems to have taken care of that bitch. One less line in the logs per message per spamd client. However, I'm also left with literally megabytes of this below snippet since it occurs for every incoming message processed by spamd, and it's something that I'd expect to see in procmail.log since it's the spamd caller, but I am not. I was not aware that spamd kept its mutterings in maillog. My bad of course.
Feb 24 00:09:27 coyote spamd[31012]: Can't locate IP/Country/Fast.pm in @INC (@INC contains: ../lib /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl) at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Plugin/RelayCountry.pm line 66, GEN224 line 57. I'm reasonably sure all that stuff is installed *someplace* cause I got a whole wagonload of them from cpan at the time I installed spamassassin. So where do I look to see whats mis-configured at lines 66 and 57? Probably a /usr vs /usr/local thing I'd guess. I'd assume it would work better but even slower if the spamd children could find their stuff... Do this: cpan install IP::Country That should stop that yipe. -- Cheers, Gene Cheers, -- Cheers, Gene Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com The best things in life aren't things.
Re: Updated Pump and Dump rules. 2006-02-23
On Thu, Feb 23, 2006 at 10:36:19PM -0500, Gene Heskett wrote: snippage I don't seem to be getting any email from RDJ recently. Maybe since the time I switch this system from fetchmail to a mailfile, and from there had kmail running SA which was a cpu killer. Now I have fetchmail handing it off to procmail, which is doing the SA application and things are quite a bit happier. I didn't play with sendmail so its still supposedly handling the locally generated emails, and I just looked in /var/spool/mail and all accounts there are at 0 length so kmail is indeed picking up everything put there. If RDJ is sending me email from its early morning run, its getting lost someplace. Also, where would it put it if it did dl a new version of itself? Probably in /etc/mail/spamassassin/RulesDuJour/. -- Cheers, Gene Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com The best things in life aren't things.
Re: Updated Pump and Dump rules. 2006-02-23
On Thu, Feb 23, 2006 at 10:59:02PM -0500, Gene Heskett wrote: On Thursday 23 February 2006 22:45, Bob McClure Jr wrote: On Thu, Feb 23, 2006 at 10:36:19PM -0500, Gene Heskett wrote: snippage Also, where would it put it if it did dl a new version of itself? Probably in /etc/mail/spamassassin/RulesDuJour/. And you are correct, its the same length anyway, as the one I dl'd DBY and installed by hand. Now to figure out why its not sending me email. A snippet or 3 from a 'crontab -l' as root: [EMAIL PROTECTED] 06 22 * * * /etc/init.d/asmb restart 40 4 * * 0 /root/bin/fetchmail-restart 37 6 * * * /usr/local/sbin/rules_du_jour And I am getting email from the first 2 of those, but not the third. The 2nd one is to allow logrotate to close the logfiles and reopen them. However, I may have to delay that more than 4 minutes it appears. You might check your maillog for clues timestamped around 0637 every morning. There's probably a forehead slapper in there. (Most of my trips to /var/log/maillog result in a slap to the forehead.) Check also your wrapper (I use my_rules_du_jour to call rules_du_jour) or config file (normally /etc/rulesdujour/config) for settings of MAIL_ADDRESS, SINGLE_EMAIL_ONLY, EMAIL_RDJ_UPDATE_ONLY, and MAILCMD. If those aren't set, and there's an alias for root in /etc/aliases that gets to you, it should work sensibly. -- Cheers, Gene Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com The best things in life aren't things.
Re: Updated Pump and Dump rules. 2006-02-18
On Tue, Feb 21, 2006 at 09:28:13AM -0500, Mike Pepe wrote: Doc Schneider wrote: I just committed version 01.00.06 of this ruleset to: http://rulesemporium.com/rules/70_sare_stocks.cf It should appear within the hour. Enjoy. -Doc (SA/SARE/URIBL/SURBL -- Ninja) Why can't I add this to rules_du_jour? I added SARE_STOCKS to the rulesets thusly: TRUSTED_RULESETS=TRIPWIRE SARE_ADULT SARE_OBFU0 SARE_OBFU1 SARE_URI0 \ SARE_URI1 SARE_FRAUD SARE_FRAUD_PRE25X SARE_SPOOF SARE_OEM \ SARE_RANDOM SARE_SPECIFIC SARE_STOCKS ...but when I run it I get this: No index found for ruleset named SARE_STOCKS. Check that this ruleset is still valid. am I doing something wrong? You need a new rules_du_jour. SARE_STOCKS was added in version 1.28. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com The best things in life aren't things.
Re: seeing a few new spams with low SA scoring
On Tue, Dec 06, 2005 at 05:27:07PM -, Obantec Support wrote: ok so its a virus on some else's PC but i see quite a few incoming in the last week. my AV dropped the attached zip. I call my anti-virus (ClamAV via clamassassin, BTW) from /etc/procmailrc. If it says it's a virus, it goes straight to /dev/null. SA never sees it. so SA does not trap it, should i be looking at a procmail rule to dump the emails. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Peace at any price is inflationary.
Re: RulesDuJour problem
On Sun, Dec 04, 2005 at 10:41:07PM -0500, Gene Heskett wrote: Greetings folks; I just installed RulesDuJour, and ran it once by hand. It wasn't labeling the subject line, so I edited my local.cf to turn that on, didn't change anything else, but now a 'service spamd restart' fails with this error message nomograph: Starting spamd: [20715] warn: Value ax-conn-per-child=50 invalid for option m (number expected) [20715] warn: Unknown option: a [20715] warn: Unknown option: c And spits out the rest of its --help message. However, 'spamassassin --lint' returns clean in about 4 seconds. Humm, /etc/sysconfig/spamassassin had an .rpmnew appended, fixed that. Which is odd as removing that startup SPAMDOPTION in the /etc/init.d/spamd file didn't get rid of the message. Odd indeed. Also, the startup says there should be 5 (-m5) copies of spamd running, but a ps -ea|grep spamd only finds 3. Another one of those things that make you go hu, I guess. Any comments on how to reduce the hu? -- Cheers, Gene The spamd options are located in two places - in /etc/sysconfig/spamassassin and in the main script, /etc/rc.d/init.d/spamd (or whatever you called it). Long option names are preceded by two dashes. Somewhere you have -max-conn-per-child=50 where you should have --max-conn-per-child=50 Look over man spamd and check your options against that. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Peace at any price is inflationary.
Re: Help with install and config
On Wed, Oct 19, 2005 at 10:52:40AM -0500, Liam-PrintingAutomation wrote: Menno van Bennekom wrote: Well you need to call spamassassin (or spamc, that's a better option) somehow. You'll need amavis, mail-scanner, procmail or some other method of calling SA. Can't be much more help than that I'm afraid as I don't run sendmail. Ah, OK. I'll look into those things and see what I can find. Thanks for the tips! Liam Thanks all who replied. Karl P. helped me out with pointing out that procmailrc needed to be in /etc/ and more importantly, because I'm not finding this piece of info on the Web site anywhere, it needs to be CHMOD'ed to 755. I wouldn't have guessed that. For good reason. It should be 644. No reason to have it executable. Thanks again Liam Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Peace at any price is inflationary.
Re: Problem to start spamd as a user
Please update your address book. The current address is [EMAIL PROTECTED] On Fri, Aug 26, 2005 at 10:23:57AM +0200, Patrick Steiner wrote: Hi I have the problem that i can't start spamd under another user Umm, why do you want to do that? spamd is supposed to be started as root, after which it changes ID to a non-privileged user, like nobody. Also, what OS are you using? How are you planning to call spamc? If you really must use SpamAssassin as a mere mortal, then you should call spamassassin, not spamc/spamd. Naw, even that doesn't make sense. Here the debug output: Here when i start normal: mybag:/tmp# spamd -D trying to connect to syslog/unix... no error connecting to syslog/unix logging enabled: facility: mail socket: unix output: syslog creating INET socket: Listen: 128 LocalAddr: 127.0.0.1 LocalPort: 783 Proto: 6 ReuseAddr: 1 Type: 1 debug: SpamAssassin version 3.0.4 debug: Score set 0 chosen. debug: Storable module v2.13 found debug: Preloading modules with HOME=/tmp/spamd-20946-init debug: ignore: test message to precompile patterns and load modules debug: using /etc/spamassassin/init.pre for site rules init.pre debug: config: read file /etc/spamassassin/init.pre debug: using /usr/share/spamassassin for default rules dir debug: config: read file /usr/share/spamassassin/10_misc.cf debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf debug: config: read file /usr/share/spamassassin/20_body_tests.cf _ Here when i start as the user p3scan: __ mybag:/tmp# spamd -D -u p3scan trying to connect to syslog/unix... no error connecting to syslog/unix logging enabled: facility: mail socket: unix output: syslog creating INET socket: Listen: 128 LocalAddr: 127.0.0.1 LocalPort: 783 Proto: 6 ReuseAddr: 1 Type: 1 debug: SpamAssassin version 3.0.4 debug: Score set 0 chosen. debug: Storable module v2.13 found debug: Preloading modules with HOME=spamd-20968-init fatal: Can't create spamd-20968-init: Permission denied at /usr/sbin/spamd line 1871.
__ can somebody help me??? Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Peace at any price is inflationary.
[EMAIL PROTECTED]: Bruno Della Ducata is out of the office.]
If there's someone here in control of the list, this user's vacation responder is sending these to those who post to the list. - Forwarded message from [EMAIL PROTECTED] - Subject: Bruno Della Ducata is out of the office. From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: 26-Aug-2005 16:01:23 CEDT X-MIMETrack: Serialize by Router on RothDomino2/SPTINTERNET(Release 6.5.4FP1 | June 19, 2005) at 08/26/2005 16:01:17 X-ELNK-AV: 0 X-Virus-Status: No X-Virus-Checker-Version: clamassassin 1.2.2 with clamdscan / ClamAV 0.86.2/1042/Fri Aug 26 03:00:27 2005 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on bobcat.bobcatos.com X-Spam-Level: X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_40,INVALID_DATE, NO_REAL_NAME autolearn=no version=3.0.4 I will be out of the office until 05.09.2005. - End forwarded message - Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Peace at any price is inflationary.
Re: Problem to start spamd as a user
On Fri, Aug 26, 2005 at 02:03:53PM -0400, Matt Kettler wrote: At 09:58 AM 8/26/2005, Bob McClure Jr wrote: Umm, why do you want to do that? spamd is supposed to be started as root, after which it changes ID to a non-privileged user, like nobody. Erm, bob.. Patrick IS starting it as root.. he's just using spamd -u to get spamd to setuid to a non-privileged user.. Read the original message more closely and see that the prompt for the failed startup is a # Sorry. Failed to Read The Full Question. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Peace at any price is inflationary.
Re: Error in starting spamd
On Mon, Aug 22, 2005 at 03:16:28AM -0700, jdow wrote: From: suresh kumar [EMAIL PROTECTED] hi, I have installed spamassassin and when I tried to start the spamd it says the following error message. Starting spamd: The -a option has been removed. Please look at the use_auto_whitelist config option instead. I could not understand and I don't know where and how to enable this option .If any body knows kindly help me. Thanks in advance Suresh Well, if you are running with initscripts support then you'd want to go into /etc/rc.d/init.d/spamassassin and edit the file. Look for the options line and remove the -a from it. {^_^} Check also /etc/sysconfig/spamassassin. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Peace at any price is inflationary.
Re: Where should I adjust scoring
On Mon, Aug 15, 2005 at 03:03:11PM -0400, Sloan, Craig wrote: I've inherited a SA ver 3.0.1 box that is running great (thus my lack of intimacy with it). I would like to adjust some of the scoring, and I want to make sure that I change it in the correct location. I've seen a couple of locations suggested and I not sure which would be preferred and/or better. The spamd daemon is running under the user 'spamfilter'. Should I adjust it in /home/spamfilter/.spamassassin/user_prefs or in /etc/mail/spamassassin/local.cf? The latter. SA won't read /home/spamfilter/.spamassassin/user_prefs unless it's processing email for spamfilter, and it's being called from something like ~spamfilter/.procmailrc. Thanks, Craig Sloan Also, you should upgrade to v3.0.4. Versions 3.0.1-3 have a DOS vulnerability. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God doesn't have (or need) a Plan B.
Re: Not delivering Spam with Procmail
On Tue, Aug 09, 2005 at 09:29:07AM +0200, Joe Borg wrote: Hi, I've setup procmail so as to not deliver mails with a Spam score of 10 or greater, as follows: #Mail that scores 10 or more is not delivered to users. :0 * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\* /var/spool/mail/spam As may be observed from the above, mails with a Spam score of 10 or greater should be delivered to a special mailbox /var/spool/mail/spam. So far, however, only one spam mail has been delivered to this mailbox. Moreover, spam that should have ended up in this mailbox (such as one with the header below) is instead still being delivered to the user mailboxes. X-Spam-Level: X-Spam-Status: Yes, score=16.2 required=5.0 I find this behaviour very odd. Does anyone know what I should do to get this to work properly? Thanks, Joe Is this recipe in /etc/procmailrc or in each user's .procmailrc? If the former, I don't know what the problem is. If the latter, at that point procmail assumes the UID of the user. So the first user's email that creates /var/spool/mail/spam owns it and no one else can write to it. You may need to make it world-writable. You can review that stuff if you want to, but if I went for a month without finding anything salvageable, I'd change things to summarily punt anything that scores that high. I punt anything above 9.0. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God doesn't have (or need) a Plan B.
Re: spamd failded to start after upgrade to version 3.0.4
On Wed, Aug 10, 2005 at 12:31:50PM +1000, Hanh Dao wrote: After upgrading SpamAssassin from version 2.5x to 3.0.4 I can't start spamassassin. Error [EMAIL PROTECTED] init.d]# ./spamassassin start Starting spamd: The -a option has been removed. Please look at the use_auto_whitelist config option instead. [FAILED] I verify that the -a option is removed from /etc/init.d/spamassassin and added the use_auto_whitelist config option 1 in the /etc/mail/spamassassin/local.cf. However the problem persists. There are two places where spamd options may be specified. One is in /etc/init.d/spamassassin and the other is in /etc/sysconfig/spamassassin. Check there. Please help. Hanh Dao ACL Pty Limited tel: +61 2 9025 4736 fax: +61 2 9252 3799 email: [EMAIL PROTECTED] internet: www.acl.edu.au brainless disclaimer punted Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God doesn't have (or need) a Plan B.
Re: /etc/rc.d/init.d/spamassassin restart
On Sat, Aug 06, 2005 at 09:42:48AM -0500, Chris wrote: I run a cronjob every six hours to shutdown and restart spamassassin. The below has appeared twice in the past week, on the fourth and this morning. What I see as odd is that SA is apparently still running as spam is still being tagged. Is it possible that on a previous shutdown command that all the running spamd processes were not killed thus causing this? -- Forwarded Message -- Shutting down spamd: [ OK ] Starting spamd: Could not create INET socket on 127.0.0.1:783: Address already in use (IO::Socket::INET: Address already in use) [FAILED] --- -- Chris Registered Linux User 283774 http://counter.li.org 09:37:29 up 2 days, 18:13, 2 users, load average: 0.69, 0.26, 0.18 Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk Here's some anecdotal evidence, for whatever it's worth. I manage six mail servers (three clients plus my own) running spamd. Four are Fedora Core 1 or 3 (one of the threes is heavily loaded - over 18K mails per day) and the other two are FreeBSD. I have had problems with spamd going away on the very lightly loaded (15-20 mails per day) FreeBSD machine. After some testing, I determined that, after the morning updating of rules_du_jour, the restart was not getting the job done, even after I extended the sleep between stop and start. I changed the RDJ script to use reload instead of restart, and it hasn't gone down since. I know your problem isn't RDJ. I related that vignette to illustrate that there may be some kind of odd race condition that causes spamd not to restart properly. I would think it would be more effective to reduce the max number of connections per child, if you're trying to hold down memory consumption. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God doesn't have (or need) a Plan B.
Re: spamassassin restart
On Sat, Aug 06, 2005 at 04:24:55PM -0500, Chris wrote: On Saturday 06 August 2005 10:13 am, Bob McClure Jr wrote: Shutting down spamd: [ OK ] Starting spamd: Could not create INET socket on 127.0.0.1:783: Address already in use (IO::Socket::INET: Address already in use) [FAILED] --- Here's some anecdotal evidence, for whatever it's worth. I manage six mail servers (three clients plus my own) running spamd. Four are Fedora Core 1 or 3 (one of the threes is heavily loaded - over 18K mails per day) and the other two are FreeBSD. I have had problems with spamd going away on the very lightly loaded (15-20 mails per day) FreeBSD machine. After some testing, I determined that, after the morning updating of rules_du_jour, the restart was not getting the job done, even after I extended the sleep between stop and start. I changed the RDJ script to use reload instead of restart, and it hasn't gone down since. I know your problem isn't RDJ. I related that vignette to illustrate that there may be some kind of odd race condition that causes spamd not to restart properly. I would think it would be more effective to reduce the max number of connections per child, if you're trying to hold down memory consumption. Cheers, Bob, first I'm going to slightly edit the subject so that the reply doesn't go into my cronjob folder. I thought I'd try the 'reload' instead of 'restart' however, however it seems like 'reload' is not an option: [EMAIL PROTECTED] root]# service spamassassin reload Usage: /etc/init.d/spamassassin {start|stop|restart|status} [EMAIL PROTECTED] root]# so guess I'll stick with the restart and see how it goes. I think the only reason I was doing the restart was back when running 2.63 I only had 256mb ram and I did it to free ram up. Thanks Chris -- Chris Registered Linux User 283774 http://counter.li.org 16:17:45 up 3 days, 54 min, 3 users, load average: 0.43, 0.51, 0.37 Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk Hmm. 
The provided init script for Linux doesn't have it, but what is provided for NetBSD includes this function:

    sig_reload=HUP
    . . .
    spamd_reload()
    {
        if [ -z "${the_spamd_pid}" ]; then
            echo "${command} not running? (check ${pidfile})."
            return 1
        fi
        echo "Reloading spamd"
        kill -${sig_reload} ${the_spamd_pid}
    }

Nevertheless, if you're trying to minimize memory consumption, reload won't do what you want. That's good only for re-reading config files. I don't think that will free up memory unless SIGHUP causes it to re-execute itself. I've not seen the code, so I don't know. Generally, the point of a reload is to get a re-read of the config files without the overhead of a restart. The point of relating my experience was just to point out that restart might not be bulletproof. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God doesn't have (or need) a Plan B.
Re: Basic Questions
On Wed, Jul 27, 2005 at 10:45:10PM -0500, John D. Maag wrote: Ok, If I put preferences in the user_prefs file in $HOME/.spamassassin, do I call the file the same thing in /etc/mail/spamassassin? No. The traditional filename is local.cf, but any file named *.cf in /etc/mail/spamassassin will be read and used. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God doesn't have (or need) a Plan B.
Re: RDJ from cron - is it safe?
On Mon, Jun 27, 2005 at 08:48:25AM -0400, Ben Hanson wrote: QUOTE___ /etc/init.d/spamassassin restart Shutting down spamd: [ OK ] Starting spamd: Could not create INET socket on 127.0.0.1:783: Address already in use (IO::Socket::INET: Address already in use) [FAILED] __ I got exactly this same thing randomly, and coming in to work with ten calls queued to let me know so and so had a bucket of spam on a Monday morning prompted me to comment out the auto-restart portion of the RDJ. I let it run and do nightly updates, email me the results, and then I simply manually restart if any rules prompt me to. I've thought of putting a check to see if any child processes are running, and simply loop a few times if so, as I'm pretty sure that would take care of it, but so far that seems like more energy than just restarting it by hand. Ben Of five Linux and two FreeBSD machines I administer, only the lightest-loaded FreeBSD has given me a problem with restart not starting up properly. I changed it to do a reload (SIGHUP) instead, and (so far) have no more problems with it. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God doesn't have (or need) a Plan B.
Re: Exceptions to all_spam_to?
On Fri, Jun 17, 2005 at 11:39:50AM +0930, Tom Lanyon wrote: Hi All, Forgive me if this is a common question or one which has been answered elsewhere, but I cannot find the answer anywhere. I want to enable spamassassin on our production mail server, however I only want to filter for spam on selected email accounts. I was thinking of doing an all_spam_to *, and then creating exceptions to this rule. However, I can't seem to find an unall_spam_to or unwhitelist_to command in the docs to achieve this. Does anyone have any suggestions? Thanks, Tom -- Tom Lanyon Systems Administrator NetSpot Pty Ltd 183 Melbourne Street, North Adelaide, 5006 Ph: +618 8361 6800 Fax: +618 8361 6811 Email: [EMAIL PROTECTED] Why not call spamassassin (or better, spamc) from the .procmailrc of the users who should have it? That's what we do at our ISP with over 1000 email accounts. Some punt all spam. Some punt spam that scores 9 or more. Some just mark spam without punting any of it. Not hard to manage at all. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God is more interested in our availability than our ability.
Re: OT : How to 'nomail' this list
On Mon, Jun 13, 2005 at 10:06:22AM -0400, Theo Van Dinter wrote: On Mon, Jun 13, 2005 at 08:56:04AM -0400, Ugo Bellavance wrote: I want to interact with this list via nntp (gmane), but since this list is member-only, I must subscribe to post. I didn't find the way to set the option not to receive messages from the list. I don't believe this is possible via ezmlm. Either you're subscribed (and receive mails) or you're not. Check with your list owner, but I believe you can send an empty email to listname-allow-subscribe@list_addr. I own an ezmlm list and I use that to allow a subscriber to post from an alternate address but not have list traffic sent there, since they already get it at their primary address. -- Randomly Generated Tagline: Well, you know boys, a nuclear reactor is a lot like a woman. You just have to read the manual and press the right button. -- Homer Simpson Homer Defined Homer didn't happen to mention where he found the manual (for women) did he? Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God is more interested in our availability than our ability.
Re: debug output to file?
On Tue, Jun 07, 2005 at 10:42:07AM -0400, Mike Schrauder wrote: pardon my complete unix ignorance, I have been trying to figure out how to get debug output to a file so I can go back and look at it. I also want to look at the marked up email w/ report so I am using this: spamassassin -D -t < test2.txt > test2.out How could I also redirect the debug output to a file. i've also tried spamassassin -D -t < test2.txt > test2.out | more just so I could look, but that doesn't work. Can you give a windows user a clue? TIA spamassassin -D -t < test2.txt > test2.out 2> dbug.out 2 is the file handle for stderr. Mike Schrauder Specialty Blades, Inc. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God is more interested in our availability than our ability.
Re: (OT, slightly) dealing with AOL spam reports?
On Wed, May 18, 2005 at 09:16:15AM -0700, Mike Jackson wrote: A couple days ago, I set up AOL's feedback loop (though the loop part is a misnomer, since you can't actually respond to the messages) so I could monitor complaints against my employer's servers. Looking through the messages AOL says their members reported as spam, I noticed that none of them actually originated on my servers; they were all messages that were sent to addresses at the servers, then forwarded to AOL accounts, and since AOL records the IPs of all servers the message touched, I'm tainted by them. So, how do you deal with this? My setup on the servers is like this: * Sendmail * Using Spamhaus SBL/XBL to deny listed servers at MTA level * Most of the AOL forwarding is done via Sendmail's virtusertable * Mail passed to SA via procmail on a per-user basis (not site-wide, yet, but that's in the plans) The solutions I've already thought of and rejected: * Invoking SA via milter and denying spam at the MTA level, but few customers would want spam denied outright (heck, I know I wouldn't). Of all these possible solutions, though, it's the only one that wouldn't leave my server's mark on the message. * Setting up user accounts for the users with AOL forwards, filtering the mail through SA, then delivering it only if SA didn't mark it as spam, but that's a lot of users to set up. * Doing the preceding with a single user account and redirecting the mail to the right addresses via procmail and/or formail, but that wouldn't scale well and would wind up being a mess. * Invoking a policy of not forwarding to AOL accounts, but we're a web design/hosting firm with about 200 domains, and a handful of customers have AOL addresses, and that sort of policy wouldn't stand. Any other workable suggestions? (And please, no suggestions that involve changing MTAs. It's not going to happen.) 
As I understand it, once you have your server listed on the AOL feedback loop, it is whitelisted, so that may solve the immediate problem. <rant> The big problem with AOL's system is clueless (l)users who hit the report as spam button accidentally or intentionally. I am the owner of a mailing list hosted on the server of an IPP. We started getting postings rejected by AOL's servers. I voluntarily listed myself as the stuckee to get the feedback for the list server. I found that the vast majority of feedback I got was from some subscriber to one of the other lists, who, I guess, thinks hitting the spam button is a good way to get unsubscribed from the list, because s/he has about half the brains of a good fence post and can't figure out how to unsubscribe him/herself. The other problem is that, for privacy reasons, AOL expunges the recipient's address, so we have no idea whom to unsubscribe. It's a stupid system. I heard of one list owner who solved his problem by unsubscribing all his AOL listers, I think, after posting or emailing them that all of them need to subscribe themselves. </rant> Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com God is more interested in our availability than our ability.
Re: Spamassasin false positive review
On Mon, Apr 04, 2005 at 03:45:59PM -0400, Edward Diener wrote:
> I am a client who was able to configure my .procmailrc on a server to place spam messages in a file in my $HOME area. Going through this file I noticed a message that was not spam. I know I can whitelist this address, but what I really need to do immediately is recover the entire message. In the file I see part of the message with the actual message supposedly as an attachment. How do I find this actual message so that I can read it?
>
> Eddie

Just click on the attachment and read it. SA creates a new email with description, score listing, and then attaches the original message.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Everyone wants to harvest, but few want to plow.
Re: bogus-virus-warnings-cf
On Sat, Apr 02, 2005 at 05:09:40PM -0600, Chris wrote:
> I use RDJ to update rule sets, I only run it once a day. On the run for the 31st of March, RDJ reported:
>
> RulesDuJour Run Summary on cpollock.localdomain:
> The following rules had errors:
> Tim Jackson's (et al) bogus virus warnings was not retrieved because of: 403 from http://www.timj.co.uk/linux/bogus-virus-warnings.cf.
>
> clicking on the link and opening with Mozilla still shows a 403 - Permission Denied. Anyone else having problems getting this update?

Yep, for several days now.

> --
> Chris
> Registered Linux User 283774 http://counter.li.org
> 17:06:29 up 19 days, 21:41, 1 user, load average: 0.44, 0.46, 0.46
> Mandrake Linux 10.1 Official, kernel 2.6.8.1-12mdk
> Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...). (Michael Beck, describing the PC-speaker sound device)

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Everyone wants to harvest, but few want to plow.
Re: EFF Newsletter as SPAM
On Thu, Mar 31, 2005 at 10:27:58PM -0600, Chris wrote:
> On Thursday 31 March 2005 08:56 pm, Jeff Chan wrote:
> > On Thursday, March 31, 2005, 6:50:17 PM, Chris Chris wrote:
> > > I subscribe to the EFF Newsletter, it keeps repeatedly getting tagged as spam. I've put the 'from' address in my manual whitelist which has helped to lower the score to a tad above my spam threshold of 5.0. I've saved some of the previous editions and am wondering if I ran sa-learn --ham on these would it eventually make enough of a difference to have these tagged as ham?
> >
> > What is it triggering on?
> >
> > Jeff C.
>
> Here's the latest one to come in:
>
> X-Spam-Status: Yes, score=5.2 required=5.0 tests=AWL,BAYES_50,PYZOR_CHECK,
>     SARE_MILLIONSOF,SARE_MONEYTERMS autolearn=disabled version=3.0.2
> X-Spam-Pyzor: Reported 0 times.
> X-Spam-Report:
>     * 0.7 SARE_MONEYTERMS BODY: Talks about money in some way.
>     * 0.3 SARE_MILLIONSOF BODY: Millions of something.
>     * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>     *     [score: 0.5000]
>     * 3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
>     * 0.8 AWL AWL: From: address is in the auto white-list
>
> Looking at the previous months newsletter it hit on:
>
> X-Spam-Status: Yes, score=6.2 required=5.0 tests=AWL,BAYES_50,DCC_CHECK,
>     DIGEST_MULTIPLE,PYZOR_CHECK,URIBL_SBL autolearn=disabled version=3.0.2
> X-Spam-Pyzor: Reported 0 times.
> X-Spam-Report:
>     * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>     *     [score: 0.5000]
>     * 3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
>     * 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
>     * 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
>     *     [URIs: michaelgeist.ca]
>     * 0.1 DIGEST_MULTIPLE Message hits more than one network digest check
>     * -0.5 AWL AWL: From: address is in the auto white-list
>
> --
> Chris
> Registered Linux User 283774 http://counter.li.org
> 22:26:27 up 18 days, 3:01, 1 user, load average: 0.39, 2.15, 1.94
> Mandrake Linux 10.1 Official, kernel 2.6.8.1-12mdk

By manual whitelist do you mean you have an entry in your ~/.spamassassin/user_prefs or /etc/mail/spamassassin/local.cf that says

    whitelist_from the from address

If so, such an entry should subtract 100 points from the total score. It appears that whatever you put in the whitelist_from is not matching what's in the From: line. Could you show your whitelist_from line and a sample header of the subject email?

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Everyone wants to harvest, but few want to plow.
Re: EFF Newsletter as SPAM
On Fri, Apr 01, 2005 at 07:56:32AM -0600, Chris wrote:
> On Thursday 31 March 2005 11:55 pm, Bob McClure Jr wrote:
> > > Here's the latest one to come in:
> > >
> > > X-Spam-Status: Yes, score=5.2 required=5.0 tests=AWL,BAYES_50,PYZOR_CHECK,
> > >     SARE_MILLIONSOF,SARE_MONEYTERMS autolearn=disabled version=3.0.2
> > > X-Spam-Pyzor: Reported 0 times.
> > > X-Spam-Report:
> > >     * 0.7 SARE_MONEYTERMS BODY: Talks about money in some way.
> > >     * 0.3 SARE_MILLIONSOF BODY: Millions of something.
> > >     * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> > >     *     [score: 0.5000]
> > >     * 3.5 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
> > >     * 0.8 AWL AWL: From: address is in the auto white-list
> >
> > By manual whitelist do you mean you have an entry in your ~/.spamassassin/user_prefs or /etc/mail/spamassassin/local.cf that says
> >
> >     whitelist_from the from address
> >
> > If so, such an entry should subtract 100 points from the total score. It appears that whatever you put in the whitelist_from is not matching what's in the From: line. Could you show your whitelist_from line and a sample header of the subject email?
> >
> > Cheers,
>
> Actually Bob in my /etc/mail/spamassassin I have a file called my-whitelist.cf which has been working quite well except for this one.
>
> Here is the entry for EFF:
>
> whitelist_fromEFFector list [EMAIL PROTECTED]
>
> And here are the msg headers:
>
> Status: U
> Return-Path: [EMAIL PROTECTED]
> Received: from pop.earthlink.net [207.217.121.212] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Thu, 31 Mar 2005 12:46:10 -0600 (CST)
> Received: from cluster2.convio.net ([66.45.103.61]) by mx-a065b05.pas.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1dh4Fp5P13NZFpL0 for [EMAIL PROTECTED]; Thu, 31 Mar 2005 10:45:19 -0800 (PST)
> Received: from 10.0.2.170 ([10.0.2.50]) by cluster2.convio.net (8.12.6/8.12.6) with ESMTP id j2VIFWuO011886 for [EMAIL PROTECTED]; Thu, 31 Mar 2005 12:41:00 -0600
> Date: Thu, 31 Mar 2005 12:41:00 -0600
> Message-ID: [EMAIL PROTECTED]
> From: EFFector list [EMAIL PROTECTED]
> Reply-To: EFFector list [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> --
> Chris
> Registered Linux User 283774 http://counter.li.org
> 07:50:34 up 18 days, 12:25, 1 user, load average: 0.30, 0.14, 0.09
> Mandrake Linux 10.1 Official, kernel 2.6.8.1-12mdk

As I read the man page (man Mail::SpamAssassin::Conf), the argument to whitelist_from should contain only the email address or some file-glob-style variant of it. So try

    whitelist_from [EMAIL PROTECTED]

or even

    whitelist_from [EMAIL PROTECTED]

Don't forget to restart spamd, if applicable.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Everyone wants to harvest, but few want to plow.
Re: Scanning and deleting my probably-spam folder
On Tue, Mar 22, 2005 at 05:00:12PM -0800, Robert Markin wrote:
> This should probably be obvious, but I cannot seem to come up with an easy way to quickly scan and delete the email that makes it into my spam trap folders.
>
> RH9 machine (accessed via SSH, Webmin, IMAP or POP3). Procmail sends all mail detected as spam by SA 3.0.0 to a probably-spam file in the user's /home directory. (mbox format)

Do you send _all_ marked spam to the spam bucket? You don't really have to. In my ~/.procmailrc, after spamc has been invoked and marked the mail, I have a recipe that summarily punts any spam that has scored over 9. Set your threshold wherever you are comfortable. Here's what it looks like:

    :0fw
    | spamc

    # Any spam with 9 or more * will be summarily punted.
    :0
    * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*
    /dev/null

That will get rid of a large chunk of it. Adjust the number of \* to suit your confidence.

> Since I only have five users I am currently using SSH to cd into their directory then pico the probably-spam file and start scanning. (Awkward to say the least) When I decide that the contents of the file is in fact spam, I rm then touch the file. I am sure that this is probably the worst way that there is to do this, but it is the best that I have come up with.

Naw, not the worst. If you are starting as root and doing su - userid, you can use something like mutt (my preference) or elm to check out the spam bucket this way:

    mutt -f probably-spam

It comes up with a simple display of sender and subject, one line per mail. Hit d to delete it, Return to view it, etc. You can usually tell what's spam, and if it all is, just lean on the d key until it hits bottom, then hit q to quit. Then touch the file if it's important. I don't think it is, because it will be re-created.

> Any ideas?

Let me know if any of that's not clear.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Worry is a waste of the imagination.
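
Before lowering the star count in a /dev/null recipe like the one in the reply above, it helps to see what that threshold would have discarded from an existing spam folder. The following is an added example, not code from either poster: it reads an mbox, counts the stars in X-Spam-Level, and separates what an "N or more stars" recipe would punt from what stays for review. The sample folder, addresses and function names are constructed for illustration.

```python
import mailbox
import os
import re
import tempfile

STARS = re.compile(r"\*+")  # X-Spam-Level is a run of literal asterisks

# Constructed sample spam folder in mbox format (not real mail).
SAMPLE_MBOX = (
    "From a@example.net Tue Mar 22 17:00:00 2005\n"
    "From: a@example.net\nSubject: replica watches\n"
    "X-Spam-Level: ************\n\nbody\n\n"
    "From b@example.org Tue Mar 22 17:05:00 2005\n"
    "From: b@example.org\nSubject: monthly newsletter\n"
    "X-Spam-Level: *****\n\nbody\n\n"
    "From c@example.com Tue Mar 22 17:09:00 2005\n"
    "From: c@example.com\nSubject: pills\n"
    "X-Spam-Level: *********\n\nbody\n"
)


def spam_level(msg):
    """Count the stars in X-Spam-Level; 0 when the header is missing."""
    m = STARS.match((msg.get("X-Spam-Level") or "").strip())
    return len(m.group()) if m else 0


def triage(mbox_path, punt_at=9):
    """Return (punt, review): (stars, from, subject) rows for mail the
    'punt_at or more stars' recipe would discard, and for mail it keeps."""
    punt, review = [], []
    box = mailbox.mbox(mbox_path, create=False)
    try:
        for msg in box:
            row = (spam_level(msg), msg.get("From", ""), msg.get("Subject", ""))
            (punt if row[0] >= punt_at else review).append(row)
    finally:
        box.close()
    return punt, sorted(review)  # lowest scores first: likeliest false positives


def demo(punt_at=9):
    """Run triage() over the constructed sample folder."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_MBOX)
        return triage(path, punt_at)
    finally:
        os.remove(path)


if __name__ == "__main__":
    punt, review = demo()
    print("would be punted:", punt)
    print("left to review: ", review)
```

Run triage() against a real probably-spam file with a few candidate thresholds; anything legitimate that shows up in the punt list at a given threshold would have gone to /dev/null unrecoverably.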
a more effective spam defense
Two of the great things I have gleaned from this list are:

1. Greylisting is reported to stop upwards of 80-90% of the spam from even coming in the door. The downside is the likely delays imposed on the rest of the mail, maybe in terms of hours.
2. Spammers seem to be attracted to secondary MXs.

This morning, in the shower (where many great ideas are born), it occurred to me that if one combined the two concepts, i.e. implement greylisting on (only) the secondary MX server, one might get all the benefits with no downside.

Have I missed something?

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Worry is a waste of the imagination.
Re: How do I whitelist this list?
On Tue, Mar 22, 2005 at 07:20:32AM -0800, Robert Markin wrote:
> Hey everybody,
>
> RH9 SA 3.0.0 (invoked by procmail spamc/spamd) Sendmail 8 Procmail
>
> I tried to search for this on GMANE but was unsuccessful. I would like to know how some of you guys are whitelisting this actual mailing list. I have the following in my local.cf, but I still get quite a few emails tagged mostly because of the cut paste content.
>
> whitelist_from [EMAIL PROTECTED]
> whitelist_from [EMAIL PROTECTED]
> whitelist_from mail.apache.org
> whitelist_from_rcvd [EMAIL PROTECTED]
> whitelist_from_rcvd [EMAIL PROTECTED]
> whitelist_from_rcvd mail.apache.org
>
> I find that it makes the list a little hard to follow when a portion of the responses go into my spam trap.
>
> Any help would be appreciated,
> Robert

I don't even allow mail from this list to go through SA. In my ~/.procmailrc, I have a recipe prior to the call to spamc like this:

    :0:
    * ^List-Id: .*spamassassin
    /var/spool/mail/bob

    :0fw
    | spamc
    . . .

That way none of this affects my bayes db.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Worry is a waste of the imagination.
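
Both this thread and the EFF newsletter thread above turn on what a whitelist_from argument actually matches. The following is an added example, not SpamAssassin's code and not from any poster: a Python model of the matching described in Mail::SpamAssassin::Conf, assuming its documented behaviour (only `*` and `?` are wildcards, a pattern must match the whole address, several patterns may share a line). The sender address, entries and function names are constructed.

```python
import re


def glob_to_regex(pattern):
    """Translate a whitelist_from-style glob into an anchored regex.
    Only '*' and '?' are wildcards; every other character is literal."""
    parts = []
    for ch in pattern.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def whitelisted(address, entry_line):
    """True if any space-separated glob on the entry line matches the
    whole address, compared case-insensitively."""
    addr = address.strip().lower()
    return any(glob_to_regex(tok).match(addr) for tok in entry_line.split())


def audit(address, entries):
    """Map each candidate entry line to whether it would match."""
    return {entry: whitelisted(address, entry) for entry in entries}


# Constructed values: a list sender address and candidate entry arguments.
SENDER = "users-return-1234@mail.example.org"
ENTRIES = [
    "mail.example.org",                 # bare host name: matches no address
    "*@mail.example.org",               # any sender at that host
    "users-return-*@mail.example.org",  # only the list's bounce addresses
    "Some List <users-return-1234@mail.example.org>",  # display name and brackets
]

if __name__ == "__main__":
    for entry, hit in audit(SENDER, ENTRIES).items():
        print("match" if hit else "no match", "|", entry)
```

A match here only says the From: text fits the pattern, and that header is set by the sender; SpamAssassin's documentation recommends whitelist_from_rcvd, which also pins the relay, over a bare whitelist_from for that reason.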
Re: Excessive DNS Requests
On Tue, Mar 22, 2005 at 04:49:24PM -0500, David Brodbeck wrote: On Tue, 22 Mar 2005 15:49:01 -0500, lister lynch wrote Our ISP, Covad, is periodically claiming that we have excessive DNS requests and is threatening to turn off our service. It's primarily due to SA, I think. Looked around for answers, and already set a bunch of the BL checks to 0.0 to turn off the rules. Any idea how to further prevent the excessive DNS requests? Run your own caching DNS server. A side benefit will be faster DNS lookups. You'll be able to turn your DNS-based blacklists back on, too. I can't give you specific instructions for FC1, but I know older versions of RedHat had a package specifically for this, all preconfigured. I think it was pdnsd, but it appears not to be in the FC sets. Google for it. It was very easy to set up. I still use it. Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Worry is a waste of the imagination.
Re: upgrading methods
On Wed, Jan 12, 2005 at 10:42:42PM +0200, Hans du Plooy wrote:
> I was wondering what method you guys gals prefer for upgrading spamassassin on the more mainstream rpm based distros (MDK/Fedora/rh/SUSE).
>
> I have a SUSE 9.1 server, running spamassassin through amavisd-new. Works like a charm. I decided to give the CPAN thing a try. logged in, updated all the relevant perl things (actually I was wishing to upgrade everything perl related listed in amavisd-new's logfile, sa being one of them). Somehow this broke spamassassin very badly. Couldn't even run sa-learn!
>
> So I downloaded the tarball and built rpms using the included spec file with rpmbuild - this fixed it nicely.
>
> Just curious
>
> Thanks
> --
> Kind regards
> Hans du Plooy
> Newington Consulting Services
> hansdp at newingtoncs dot co dot za

Hmm. I use CPAN all the time with no problems. I'm running (including clients) RedHat 9, Fedora Core 1, Fedora Core 2.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Wise men still seek Him.
Re: what about non-marked spam?
On Sat, Sep 11, 2004 at 08:42:22PM -0500, Predrag Lezaic wrote:
> What are you doing about spam that goes through being scored too low for spamassassin to get it? Do you create your own rules or try to block it some other way? Is there a way to get SA to train itself by telling it that certain message is a spam such as Thunderbird etc...?
>
> Thanks,
> redrag

Two things:

    man sa-learn
    http://wiki.apache.org/spamassassin/

In the latter, look for Spam getting through? among other things.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Grace happens.
Re: Using the -l (log) option
On Sun, Sep 05, 2004 at 09:00:58PM -0500, Chris wrote:
> I'm sure this question will have an easy answer, but after reading man spamassassin, the conf man, spamd man, I can't find the answer. I'm calling spamassassin with spamd,

Umm, you mean calling spamd with spamc. spamassassin is the run-once-per-email foreground application. spamd is the daemon version which is called by spamc once for each email for the same effect but faster performance.

> I'm curious as to what would be written to a log file using the -l option in spamassassin, however, I haven't the faintest idea where to place this. I thought putting it in my /etc/rc.d/init.d/spamassassin script file would do it, but no, that just gave me an error when I went to restart spamassassin. Any hints would be much appreciated.
>
> Thanks
> Chris

You don't mention SA version or what platform, but on Red Hat/Fedora Core Linux with SA v2.6x, the stock /etc/rc.d/init.d/spam* has

    SPAMDOPTIONS=-d -c -a -m5 -H

In my installations, spamc is called from each user's ~/.procmailrc. spamd normally logs to /var/log/maillog the user, score, and whether it was judged spam or ham.

Cheers,
--
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Grace happens.