Re: 2 strange fatal SA errors

2008-05-05 Thread Bookworm

Christoph Petersen wrote:

Hey guys,

got some strange problems during my vacation last week. For one, it seems
that the network stack of SA crashed so no new processes could be spawned, or
that spamd crashed and blocked the port. The second problem looks very
cryptic to me; maybe some Perl gurus can help me by pointing me in the right
direction to look for the problem.

My guess is that the machine runs out of memory and strange things happen,
but I want to be sure that the machine won't kill itself during my next
vacation, which will be longer than a week.

P.S.: Sorry only got screenshots as I wasn't around...

BR
Christoph Petersen
  
The segfault makes me suspect that your memory may be failing.  You 
might want to switch it out for known-good memory, then run a memory 
tester on the sticks.





Re: Help with SED [OT]

2008-04-28 Thread Bookworm

Bill Randle wrote:

On Sat, 2008-04-26 at 11:17 -0700, Marc Perkel wrote:
  
Trying to do something that should be simple. Using sed to remove the 
first part of a hostname, but it's not working. I want:


abc.def.com to become def.com

I tried a lot of variations of the following but it's either greedy or 
does nothing.


sed -e 's/^.*?[.]//'



Here are two options:

1) sed -e 's/^[^.]*\.//'
   It has a limitation that only the first host part is removed. I.e.:
   abc.def.com becomes def.com and xyz.abc.def.com becomes abc.def.com

2) sed -e 's/^.*\.\([^.]*\.[^.]*\)/\1/'
   This effectively strips out everything prior to the last portion
   before the last period. In essence, it reduces to the domain name.
   xyz.abc.def.com becomes def.com.


-Bill
  
Hmm.. Might want to consider adding something to check to see if the 
part after the last period is only two characters long, i.e. 
www.domain.com.uk or great.spammer.com.ru
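The two sed forms from Bill's reply as shell functions, plus a third that applies the two-character-TLD caveat raised above, as an added example that is not part of the thread. The set of second-level labels treated as "public" under a two-letter TLD (com, co, net, org, ac, gov, edu) is an assumption made for illustration; the authoritative list is the Public Suffix List, which is what a production filter should consult.

```shell
#!/bin/sh
# Added example, not code from the thread.
#
# strip_first_label: drop only the leftmost label.   abc.def.com -> def.com
strip_first_label() {
  printf '%s\n' "$1" | sed -e 's/^[^.]*\.//'
}

# last_two_labels: keep the last two labels.   xyz.abc.def.com -> def.com
# Note what it does to a ccTLD host: www.domain.com.uk -> com.uk
last_two_labels() {
  printf '%s\n' "$1" | sed -e 's/^.*\.\([^.]*\.[^.]*\)$/\1/'
}

# registrable_domain: like last_two_labels, but when the TLD is two characters
# and the label before it is one of the common public second-level labels
# (assumed list), keep three labels.   great.spammer.com.ru -> spammer.com.ru
# The "t" after the first expression branches to the end of the script once a
# substitution has happened, so the two-label fallback only runs otherwise.
# Input is lower-cased first so that the character classes stay simple.
registrable_domain() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -E \
    -e 's/^(.*\.)?([^.]+\.(com|co|net|org|ac|gov|edu)\.[a-z]{2})$/\2/; t' \
    -e 's/^(.*\.)?([^.]+\.[^.]+)$/\2/'
}
```

Usage: `registrable_domain great.spammer.com.ru` prints `spammer.com.ru`, while `last_two_labels` on the same input prints only `com.ru`.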





Re: Extra long domain names rule?

2008-04-25 Thread Bookworm

Randy Ramsdell wrote:

Bookworm wrote:


I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to not
so much check links, but count periods.

I was going to put in the web address that I received as an example, 
but I think that's why this is a second attempt - the first one never 
went through.


Basically, it's a 'colonial bank' scam - it uses eleven sections to 
the domain name - 10 periods.  (What would that be - I mean, we have 
TLD for the .com/net/etc, second level domain names for the bleah.com 
domains.. what would you say it is for an 11th level?)


In general, you see fewer than four periods in a domain name - but I've
seen this sort of behavior in spams before.

Thoughts?

(I'm just a general administrator.  I use other people's rules, I
haven't had time to learn to make my own)

BW


I noticed you started a thread a few days ago with the exact same body 
and a changed subject. There are 10-20 replies to that thread, so I am 
not sure why you'd start exactly the same thread a week later.

My suggestion would be to read that thread.

Because I'm not seeing the thread at all -  I even searched for the
information through all 10,790 emails that I have in my SpamAssassin
folder, and double checked against the original email I sent out.
(before resending)







Extra long domain names rule?

2008-04-23 Thread Bookworm


I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to not
so much check links, but count periods.

I was going to put in the web address that I received as an example, but I think 
that's why this is a second attempt - the first one never went through.


Basically, it's a 'colonial bank' scam - it uses eleven sections to the domain 
name - 10 periods.  (What would that be - I mean, we have TLD for the 
.com/net/etc, second level domain names for the bleah.com domains.. what would 
you say it is for an 11th level?)


In general, you see fewer than four periods in a domain name - but I've
seen this sort of behavior in spams before.

Thoughts?

(I'm just a general administrator.  I use other people's rules, I
haven't had time to learn to make my own)

BW




S-P-A-M Extra long domain names rule?

2008-04-21 Thread Bookworm

I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to not 
so much check links, but count periods. 


Here's the example that just came in my email -

(removing http:// ) - 
connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm


Notice that there are ten periods.  That makes it an eleventh-level 
domain name? :)


In general, you see fewer than four periods in a domain name - but I've 
seen this sort of behavior in spams before. 


Thoughts?

(I'm just a general administrator.  I use other people's rules, I 
haven't had time to learn to make my own)


BW
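The "count periods" idea from the post above, written out as a SpamAssassin `uri` rule together with a shell check of the same threshold, as an added example that is not from the thread or from the SpamAssassin rule set. The rule name, the score and the threshold of seven labels are assumptions; the poster's own observation that ham rarely has more than four periods suggests the threshold should be tuned against a local ham corpus before the rule goes into local.cf, because CDNs and some corporate mail do produce deep hostnames.

```shell
#!/bin/sh
# Added example, not code from the thread or from SpamAssassin.

# Assumed threshold: hostnames with this many labels or more are suspect.
MIN_LABELS=7

# sa_rule: the rule as it would appear in local.cf.  SA applies "uri" rules
# to every URI it pulls out of the body; (?:...){N,} requires N labels before
# the final one, and the trailing "i" makes the match case-insensitive.
# Rule name and score are assumptions.
sa_rule() {
  cat <<EOF
uri      BW_DEEP_HOSTNAME   m{^https?://(?:[^/.:]+\\.){$((MIN_LABELS - 1)),}[^/.:]+}i
describe BW_DEEP_HOSTNAME   URI hostname has $MIN_LABELS or more labels
score    BW_DEEP_HOSTNAME   2.0
EOF
}

# uri_host: the host part of a URI, with scheme, port, path and query removed.
uri_host() {
  printf '%s\n' "$1" | sed -E -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:?].*$##'
}

# host_label_count: number of dot-separated labels in the host.
host_label_count() {
  uri_host "$1" | awk -F. '{ print NF }'
}

# deep_hostname: exit 0 when the URI would trigger the rule above.
deep_hostname() {
  [ "$(host_label_count "$1")" -ge "$MIN_LABELS" ]
}

# The URL quoted in the post, with the scheme added back, as sample input.
SAMPLE_URI='http://connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm'

# score_uris: read URIs one per line on stdin, print HIT/ok, label count, URI.
# Run it over the URIs extracted from a ham corpus to see what the threshold
# would catch before enabling the rule.
score_uris() {
  while read -r u; do
    [ -z "$u" ] && continue
    if deep_hostname "$u"; then
      printf 'HIT %2d %s\n' "$(host_label_count "$u")" "$u"
    else
      printf 'ok  %2d %s\n' "$(host_label_count "$u")" "$u"
    fi
  done
}
```

`sa_rule` prints the three local.cf lines; `printf '%s\n' "$SAMPLE_URI" | score_uris` reports `HIT 11` for the scam URL, and an ordinary `www.example.com` link reports `ok  3`.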



Blogspot spam update information (NetCraft statistics)

2008-03-27 Thread Bookworm
According to the Netcraft News for March, 2008, they showed some 
interesting growth in Blogspot.


"Google increases its developer share by gaining 842 thousand hostnames; 
most of which are used for blogspot.com blogs."


I wonder how many of those 842,000 blogspot.com blogs were autocreated 
spam sites? 
Also, if that will drop next month as Google hopefully figures out how 
to slow down the bots, and deletes the existing spamsites.







Re: What to do about address spoofing

2008-03-27 Thread Bookworm

Bowie Bailey wrote:

R.Smits wrote:
  

Hello,

Is there something I can do so that our company addresses cannot be used
for sending spam? Is DKIM an answer?
A lot of our users get delivery-failed messages. So a spammer is
sending spam with our addresses :-(

A difficult problem I think ?

Greetings... Richard Smits



There is really nothing that you can do to prevent spammers from using
your address.  You can do things like DKIM and SPF to attempt to
validate good mail from your domain, but this relies on the receiving
server doing the necessary checks.

We are having the same problem.  One of our addresses has been used
consistently by spammers for the past couple of years.  Recently the
problem has gotten much worse.  This address has received over 57,000
bounce messages in the past two weeks!  I now have a rule in my mail
server to detect and drop these messages.

  
At least _part_ of this problem could be fixed by more sites using a 
valid rcptto check _before_ they accept the message, rather than 
taking any and all messages to their domain, THEN spamming everyone with 
rejections. 

I used to have hundreds of 'can't send the failure message' messages in 
my queue prior to enabling this for most customers.  Now it's down to 
two or three, at most, from people inside the customer site doing 
strange things.





Re: Bulk spam scan

2008-01-31 Thread Bookworm

Theo Van Dinter wrote:

   --mbox
   Specify that the input message(s) are in mbox format.
   mbox is a standard Unix message folder format.
[...]


  
To pick a very small nit - 'mbox' isn't referring to a folder.   It's a 
file.  


'maildir' could be called a folder format.  'mbox' is a file format.

http://homepages.tesco.net./~J.deBoynePollard/FGA/mail-mbox-formats.html

Actually, it's _several_ file formats.


BW


Re: DDOS, Dictionary Attack... not sure what it is...

2008-01-08 Thread Bookworm

Joseph Brennan wrote:


Michelle Konzack [EMAIL PROTECTED] wrote:


since the server rejects unknown recipients right away.


Here too, but it eats nearly 100% of System- and CPU-Resources...


It might be worth looking for a couple of addresses that get hit
repeatedly and temporarily activating them



I have tried this too and it reduces the load down to 15%, but they are
coming in really fast.




I don't understand how refusing after MAIL could take 6 times as much
resources as accepting the message.  By refusing, you don't receive
the message body and you don't have to output the message to a mailer.
That has to use less resources than accepting.  I would be taking a
close look at what your server is doing during rejection.  This just
seems very wrong to me.

Joseph Brennan
Columbia University Information Technology

Or he could talk with the folks at SpamCop about piping those emails 
straight to them for those phony addresses. 





Re: Plagued by spamassassin

2008-01-04 Thread Bookworm

Cedartech Administrator wrote:

I have asked before but have been unable to get a usable solution.  I am
running qmail, spamassassin, clamav, etc from the qmr package on one of
our FBSD 6.2 servers.  If you email via squirrelmail, your outbound email
does not get labeled spam.  If you send out via a client with smtp, it
labels 95% of it as spam...so when you email someone, they get it with
:SPAM: in the subject.  These days with the spammers and the amount of
users I can not kill off spamassassin all together.  I really do not want
to have to pay for a subscription to postini either.  Can someone help me
stop spamassassin from scanning my users smtp sessions and only scan mail
coming in?


Cedar Springs Technologies
  

As Robert has already mentioned, you need to make it so that your clients'
SMTP connections don't feed through SpamAssassin.

Fixing this is not truly an SA problem; it's an issue in the
SMTPD process itself.

I see you're already getting answers on the QMR list.  That's properly
where it belongs, no matter what John Johnstone says.

In short, you need to use daemontools, create _two_ smtpd processes.
One is the normal SMTPD that doesn't require authentication, and
receives email for your local domains.   This _should_ process through
qmail-scanner or simscan.   The other should be an authenticated ONLY
(preferably SSL, of course) SMTPD on port 465 (as I recall).   That one
can either receive email and not scan it at all, or you can try creating
a second scanner install that stores separately from the first, and only
calls the antivirus.  (I'd suggest, at your apparent level, that you
don't try to create the second scanner to start).

Yes, they will authenticate against the same user database.  They're the
same program, they're just spawned with different configurations.

BW




Re: DDOS, Dictionary Attack... not sure what it is...

2007-12-31 Thread Bookworm

Mike Cisar wrote:

Hi All,

A bit off topic since the users are all unknown so the traffic never makes
it to my spamassassin.  But I am hoping that someone here may have seen the
same thing and have a solution for making the problem go-away :-)

I'm not sure whether it's supposed to be a DDOS attack, a dictionary attack,
bunch-o-bots or what.  Since about the 26th of Dec I've had one particular
mailserver that has been dealing with a constant stream of crap... all
emails to unknown users, all of the email addresses seem consistent (either
3 'syllables'... an uppercased 'syllable', a lowercased 'syllable' and
another uppercased 'syllable'... or 2 uppercased 'syllables').  They don't
seem to be coming from any consistent IP address (or region).  Problem is of
course that the mailserver's connections get tied up processing rejecting
this crap (and of course it's chewing up my transfer allocation bit by tiny
bit).

The addresses are similar to these...

IgnaciogalvestonBriggs@
DallasexhibitionAlvarado@
ReginaldFleming@

Even tried yanking the IP address off of the server over the holidays in the
hope that whatever it was would just give up.  No such luck, within a minute
of reactivating the IP to the server this morning the traffic was back to
full flow.
  
I don't know that it will really help, but I know that on the qmail 
servers that I've been building, John Simpson wrote a patch that looks 
for that.  It's called validrcptto.   It looks for users existing on the 
system before accepting any emails (using a cdb file format), and 
instantly rejects those that don't exist.  For situations like yours, 
it has a 'strikes' rule that you can enable.


That is, if a specific IP address tries sending to bad users more than X 
number of times, it then blocks that IP address from connecting at all 
for a set period of time. 

Whatever your MTA might be, there may be similar functionality that you 
can build into the SMTPD process, or at least, that you can put in FRONT 
of the SMTPD process.


Good luck with it!
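Both behaviours described in this thread, rejecting unknown recipients at RCPT TO before the message is accepted (which is also the point made in the "address spoofing" thread above about a valid rcptto check stopping backscatter) and refusing a client outright once it has racked up a number of strikes, modelled in a small shell script, as an added example. It is not validrcptto's code and nothing here is taken from the patch; the recipient list, the log format and the strike threshold are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not validrcptto's code nor anything from the thread.

# Assumed threshold: after this many unknown recipients, refuse the client IP.
STRIKES=3

# Constructed list of deliverable local addresses (stands in for the cdb).
VALID_RCPTS='alice@example.org bob@example.org postmaster@example.org'

# Constructed RCPT TO attempts in arrival order: "<client-ip> <recipient>".
# The local parts mimic the pattern quoted in the original post.
RCPT_LOG='203.0.113.7 IgnaciogalvestonBriggs@example.org
203.0.113.7 DallasexhibitionAlvarado@example.org
192.0.2.9 alice@example.org
203.0.113.7 ReginaldFleming@example.org
198.51.100.23 bob@example.org
203.0.113.7 alice@example.org
192.0.2.9 nosuchuser@example.org'

# rcpt_valid ADDR: exit 0 when ADDR is deliverable (case-insensitive, since
# the dictionary addresses differ from real ones mostly in case and spelling).
rcpt_valid() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for r in $VALID_RCPTS; do
    [ "$r" = "$want" ] && return 0
  done
  return 1
}

# replay: walk the log in order and print one decision per attempt:
#   ACCEPT ip rcpt   recipient exists, message may proceed to DATA
#   REJECT ip rcpt   5xx at RCPT TO, nothing accepted, nothing to bounce;
#                    counted as a strike against ip
#   DROP   ip rcpt   ip already reached STRIKES, connection refused outright
replay() {
  printf '%s\n' "$RCPT_LOG" | awk -v n="$STRIKES" -v valid="$VALID_RCPTS" '
    BEGIN { c = split(tolower(valid), v, " "); for (i = 1; i <= c; i++) ok[v[i]] = 1 }
    NF == 2 {
      ip = $1; rcpt = tolower($2)
      if (bad[ip] >= n) { print "DROP", ip, $2; next }
      if (rcpt in ok)   { print "ACCEPT", ip, $2; next }
      bad[ip]++
      print "REJECT", ip, $2
    }'
}

# blocked_ips: the client IPs that reached the strike threshold, sorted,
# i.e. the list a front-end block (firewall, tcprules, whatever sits in front
# of the SMTPD) would be fed, with an expiry of the operator's choosing.
blocked_ips() {
  replay | awk -v n="$STRIKES" '$1 == "REJECT" { c[$2]++ }
                                 END { for (ip in c) if (c[ip] >= n) print ip }' | sort
}
```

Running `replay` on the constructed log shows 203.0.113.7 collecting three REJECTs and then being DROPped even for a recipient that does exist, while 192.0.2.9, with a single bad recipient, is only rejected for that one address.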



Re: SPF is hopelessly broken and must die!

2006-12-13 Thread Bookworm

John Rudd wrote:

Spam Assassin wrote:
Why was this topic not started on the SPF list? Was the original 
poster of

this topic looking to get MORE attention on the SpamAssassin list?



Whether you and the other amateur-topic-police* like it or not, the 
subject is related to the more general subject matter of the list 
(fighting spam) even if it doesn't relate to the more focused subject 
matter of the list (spamassassin specifically).  And, even then, I 
would say that since there is an SPF module that comes with the base 
SA packaging, the subject does have a bearing on the more focused 
subject matter.


I hope I am speaking for those of us who are not completely anal about 
mailing list topics when I say: quit it with the attacks on 
only-partially-off-topic message threads.  You're worse than the 
threads themselves.



(* for people who are actual maintainers of the list, and thus are 
actual-topic-police, if any of them want to correct me, contradict 
me, etc., no problem ... but I am more weary of the 
amateur-topic-police than I am of the highly charged/highly biased 
agenda oriented message threads)


I think I can say that even as a casual user of the list (I only take 
care of about 10 smaller mail systems), I find the discussions more 
useful than not.  I would have little to no use for the direct SPF 
mailing list - but in so far as it applies to anti-spam, I'm more than 
interested in pros and cons.  Marc's brought up some arguments that are 
useful to me, so have others (both for and against)


To throw in my two bits (inflation), I have not published an SPF record 
for any of my domains.


BW




Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-11-29 Thread Bookworm

Adam Wilbraham wrote:

To follow up on this, the message in question is flagged as spam if I
run it through spamassassin; however, if I run it through spamc it's not.
spamc is what Qmail Scanner invokes. Is there a separate configuration
for spamc / spamd to spamassassin? I thought not...
 
It sounds like you have the spamd bayes database, and then you have the 
database for whatever user you're actually running the test from.   I 
ran into this problem as well - it's a known issue, and I wish the SA 
folks would come up with a way to run, as root, sa-learn for a NON-ROOT 
bayes database.   Vpopmail directories aren't readable by spamd.


One possible fix is to look in /root/.spamassassin and check the bayes 
information there against /home/spamd/.spamassassin (or whatever the 
home directory is for the user that's running spamd for Qmail Scanner)


(It SHOULD be possible to make it so that a cron job could run a 
sa-learn -u spamd variation for learning stuff in directories unreadable 
by the 'spamd' user)


BW



Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-11-29 Thread Bookworm

Adam Wilbraham wrote:

On Wed, 29 Nov 2006 08:22:13 -0600
Bookworm [EMAIL PROTECTED] wrote:
  

It sounds like you have the spamd bayes database, and then you have
the database for whatever user you're actually running the test
from.   I ran into this problem as well - it's a known issue, and I
wish the SA folks would come up with a way to run, as root, sa-learn
for a NON-ROOT bayes database.   Vpopmail directories aren't readable
by spamd.



I'm not running vpopmail on this server. spamd is running as qscand,
however I've got my /etc/spamassasin/local.cf set to use a site wide
bayes database. I also have auto_whitelist configured, and I'm
wondering if this is such a good idea:

bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0770
auto_whitelist_path /etc/mail/spamassassin/auto-whitelist
auto_whitelist_file_mode 0770
use_bayes 1
bayes_auto_learn 1

I have a script that runs every night that sa-learn's data from each
user's SpamTrain folder into this site wide database. Now I seriously
hope that spamd isn't reading its bayes data from qscands home, as this
data hasn't been touched for 2 years:

ls -alh ~/qscand/.spamassassin
drwxr-xr-x 2 qscand qscand 4.0K 2004-07-07 11:01 .
drwxr-xr-x 4 qscand root   4.0K 2006-07-26 11:28 ..
-rw-r--r-- 1 qscand qscand  20K 2004-01-06 16:43 auto-whitelist
-rw------- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.dir
-rw------- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.pag
-rw------- 1 qscand qscand  47K 2004-07-07 11:01 bayes_journal
-rw-r--r-- 1 qscand qscand  10M 2004-07-07 11:01 bayes_seen
-rw------- 1 qscand qscand 4.2M 2004-07-07 11:01 bayes_toks
-rw-r--r-- 1 qscand qscand 1.5K 2006-07-06 09:53 user_prefs

Maybe I should delete that and symlink in the files to the sitewide
bayes, just in case?

When I ran spamassassin on the item of spam I referred to earlier,  it
was using my own user account. I don't even have any data in
my .spamassassin folder, so I can only assume that it was using the
site wide bayes for its checks then. Or could my bayes data be
completely messed up, and spamassassin was doing a better job of
identifying spam under my user account with no bayes data at all? 


Once again many thanks for the suggestions and help...

Wilb
  


If you're running it as yourself, and spamassassin isn't running as your 
username, then it's probably not working. 

Check /home/spamd (or whatever user spamassassin runs as).   See if 
there's a bayes database in there.  Also check YOUR home directory, and 
see if you have bayes files.  (locate -i bayes_journal works well for 
this sort of thing)


BW



Re: Percentage of email that is spam after filtering?

2006-11-25 Thread Bookworm

John Tice wrote:


I am always amazed to hear how much gets through on corporate systems. 
My wife works in a corporate office with a dedicated IT department and 
she says 60-70% of their total received is spam. I would think that 
number to be intolerable. For instance, I have a VPS and host about a 
dozen sites for small companies and non-profits and I am able to keep 
the received percentage below 10% using only spamassassin (catching 
99+ percent). On three personal accounts (well known to spammers) I 
get a couple thousand spams per week. In the past week I've had two 
spams get through and one false positive. And the FP almost doesn't 
count because it was borderline spammy and had a forged rcvd. I guess if 
you must have zero FP for a diverse group then you naturally have to 
give vermin a lot of latitude, but I'd be cracking on the IT department 
pretty hard.


The biggest problem is that if I really turn the screws on what would 
hit spam, but not ham - I end up hammering a lot of people that deal 
with the US government and shipping in general.


Customs brokers, freight forwarders, shipping lines, and similar all 
have to deal with US Customs. The emails that fly back and forth (and 
there can be thousands of them, just as notifications for tracking) are 
almost all CAPS LOCK ON. The people haven't figured out that all caps is 
harder to read than lower case.


I've just recently managed to make a lot of them straight ASCII text, 
rather than html mail, and getting them to break loose from Outlook 
composed 'Word Mail' was a pain.


I also don't have quite enough time (or get paid specifically for it) to 
spend three to six days a month doing nothing but adjusting spam filters 
for 30+ machines. What I do is enough for most of my customers, 
especially since I do it more as an adjunct to my main service business 
- I don't make money off of hosting.


BW



Re: Percentage of email that is spam after filtering?

2006-11-24 Thread Bookworm

Marc Perkel wrote:



Kelly Jones wrote:

I know that most (90%+) email sent now is spam, but what are the
numbers for people who use spam filtering?

I realize it varies by user, sensitivity to false positives, tools
used, etc, but do people who use spam filtering find that only 10% of
the messages they receive are spam? 25%? 50%? higher?

I'd like something quasi-official if possible, so I can tell my
bosses: according to this report, even with diligent spam filtering,
xx% of the email people receive is still spam. If fewer than xx% of
your email is spam, we're ahead of the curve.


Well, I'm in the spam filtering business and it varies greatly per 
domain. I have a few domains where only 1 in 10,000 messages are good. 
But those with the worst spam tend to need my services more.


I'm not in the spam filtering business - I just maintain about 40 
domains on 10 different servers, and run basic filtering on each.   At a 
guess (if anything, it'll be a low guess, because I'm not going to 
overestimate), I manage to block, delete, or mark approximately 70% of 
the spam that attempts to get into my servers. 

33,104 emails entered into the server (approximately 2000 a day are 
blocked immediately with rblsmtpd - it varies day by day, this last 30 
hours it was only 1,600) in the last 17 days.  (adding those in, it was 
probably about  65,000 spams)


Of those 33104, 22311 were marked or deleted as spam, and another 227 
were zapped by ClamAV. 

Thus, from the original, we know we've tagged 67% of the incoming email 
as spam.  If you add in the immediately blocked emails (of which, I've 
received zero false positive reports, and zero reports of 'didn't get my 
email' - and this company complains CONSTANTLY about any email issues), 
then the percentage of emails blocked/marked is 83.9% of total incoming.  

Mind you, that means that I'm missing a lot of spam - of those 11,000 
emails that were left, probably half to three quarters were spam, but 
that's a lot better than they would see if they were with just about any 
other mail provider.  (most hosting companies are CRAP for filtering).


Bookworm Computing





Re: Real fix for stock spams - pick up a pen

2006-11-17 Thread Bookworm

Coffey, Neal wrote:

Bookworm wrote:
  

Pick up a pen, and write to your local congressman, or even to the
SEC, and insist that they penalize those companies who are being
pimped and pumped through spam emails.



Why should they?  The companies being advertised in the stock spams
aren't responsible.  In fact, a good pump-and-dump stock scam can be
very harmful to the target company.
  
This depends on whether it's a pump and dump for the initial IPO (In 
which case, the company knows straight out who they're dealing with), or 
whether it's a pump and dump for an existing stock.  (In which case, the 
spammer stands out big-time, and can be backtracked by the SEC for 
sending out the spam - possibly for pump and dump.  I don't know if 
those are illegal or not, but using spam to do it definitely is)


Either way, it's a Go for the money. 


BW



Re: Real fix for stock spams - pick up a pen

2006-11-17 Thread Bookworm

Robert Braver wrote:

On Thursday, November 16, 2006, 8:00:09 PM, Michael Scheidell wrote:

MS It was $500, and the law changed to make it impossible to collect
MS anymore.

MS Before, it was a 'first strike' and you owe $500.  Now you have to 'opt
MS out' (they can still send you one)

Opt-out applies only if there is an existing business relationship
with the recipient, and several other requirements are met.

The rules haven't changed w/r/t typical junk faxes... you can(and
indeed we are) nailing them for the first fax, last fax, and every
fax in between.

  
Yes - Opt-out _used_ to sometimes be a valid excuse, but especially 
since the change last summer, it's basically "Unless you have a piece of 
paper saying that you can send them faxes, you can't send them faxes."   
The only exception to that rule is a fax saying "We'd like to send you 
information X."  - you can't include any of the information, just the 
request.  Then they have to send that back.


Faxes are opt-in only, unless you already have a prior business 
relationship (that piece of paper).  Two of my customers that faxed to 
various construction companies (legitimately, they never hid, and they 
always removed) spent weeks sending out "if you'd like to continue 
receiving these faxes, please fill this out and send it back" papers.


BW



Real fix for stock spams - pick up a pen

2006-11-16 Thread Bookworm
Pick up a pen, and write to your local congressman, or even to the SEC, 
and insist that they penalize those companies who are being pimped and 
pumped through spam emails. 

Today, I got one for Mobicom Communications.  If that company had their 
chance to go public yanked, you could be sure that they'd be much more 
careful the next time around who they dealt with for spreading the word.


I know that when the 'junk fax' companies started being SERIOUSLY 
penalized, and you could take them to court yourself ($150 per 
fax), we started seeing far fewer of them.   Don't bother targeting the 
spammers, that's not helping.  Target the folks paying the spammers 
(producers of the products).


Note - the bulk of those stock scams are US 'penny' stocks.  They are 
required to file with the SEC, even if they aren't on the main stock 
exchange.


BW



Re: Any comments of the SpamHaus lawsuit?

2006-10-16 Thread Bookworm

Christopher Martin wrote:

And, lastly, as much as US citizens hate to hear it, .org is NOT a US
domain, .org.us is. The .com, .org, etc domains are international domains.
The convention of assuming that the non country coded domains are US domains
is simply a result of American hubris. It would actually be great to see
international domains be means tested (you have to have offices in two or
more countries before you can get one), but I would assume that the
bitchfest that would ensue wouldn't be worth it. That's my 2 cents, anyway.
  


Trimmed for brevity.

Just as an FYI, .com, .org, .edu, .mil, .gov, and .net were developed by 
the US when DNS was first being conceptualized.   There were enough 
computers on the (D)ARPANET backbone that it was getting confusing to 
track hosts files.  At that point, there wasn't a .us, .au, .gb, .de, or 
the others.  Those came slightly later.


All .edu meant was 'educational institution' (involved in defense 
research to start).  .com was 'commercial entity' (specifically involved 
in defense contracting), .org was 'undetermined or non-profit 
organization' (same), and .net meant 'network services provider' (not 
really sure if this was used much before the 90's).   (paraphrasing, of 
course)


However, the US government deregulated their control over the 
Internet in the mid 1990's (I was at university at that point, I 
remember the hooraw over it.  The concept of regular people being able 
to get domain names was flabbergasting) and created INTERNIC 
(internic.net, for example, was created in 1993; netsol.com was also 1993).


uh.edu, however (the University of Houston) was created in 1987.  
purdue.edu (Purdue University) was created in 1985.   Boeing.com - 
1986.  ibm.com - 1986.  dec.com - 1985.  Harvard and Cornell - 1985.


Quoted from http://www.dns.net/dnsrd/tld.html -

".EDU, .INT, .MIL and .GOV have restrictive conditions on who can 
register names in those domains (respectively, four-year degree granting 
institutions in North America, organisations that were established by 
international treaty, the USA military, and the USA federal government)"


ccTLD's, it seems, weren't much used until 1993, nor widely used until 
the late 1990's - 
http://www.iso.ch/iso/en/prods-services/iso3166ma/04background-on-iso-3166/iso3166-past-present-and-future.html


(Now, I remember mailing to friends at .au universities while gaming in 
the early 1990's, so they were in use.  I just don't remember seeing 
many other than western Europe, eastern Asia and Australia, and North 
America, until 1993-1994 - then the Estonians erupted on the scene - 
talk about 'newbies')


So therefore, yes, .org, .net, .com and .edu are, on the whole, US 
domains.  .net, .org, and .com, however, were sort of 'thrown open' to 
anyone after the mid 1990's.   Trying to call them 'international', 
however, is a bit silly. 


BW


[OT] Re: Domain names (Was: Any comments of the SpamHaus lawsuit?)

2006-10-16 Thread Bookworm

Jo Rhett wrote:

Bookworm wrote:
Just as an FYI, .com, .org, .edu, .mil, .gov, and .net were developed 
by the US when DNS was first being conceptualized.   There were 
enough computers on the (D)ARPANET backbone that it was getting 
confusing to track hosts files.  At that point, there wasn't a .us, 
.au, .gb, .de, or the others.  Those came slightly later.

 (trimmed)

Incorrect.  .us has existed for nearly as long, but had really a fixed 
3-layer structure that prevented most people from using it.  The three 
layers only had structure for states, cities, etc.


It was meant to simplify, but it mostly confused non-techy people.  Only 
recently was .us normalized so that it could be used by .us companies.


Nearly as long - but not as long.  Remember, when this started, all of 
the people involved were inside of the US.  That's why I said 'slightly' 
later.  (further in the email, I pointed to the site listing the 
document that was used to come up with the country codes)


Troy



Spamassassin from CPAN and sa-update location.

2006-10-06 Thread Bookworm
When I build SpamAssassin using the CPAN method, it installs the test 
files (20_anti_ratware.cf and similar) in /usr/share/spamassassin.


However, sa-update shoves updates into 
/var/lib/spamassassin/3.001005/updates_spamassassin_org (with extra crap 
in /var/lib/spamassassin/3.001005/ )


I suspect that one or the other behavior is actually wrong.  Either the 
CPAN method has a bad configuration script, or the sa-update has never 
been matched to the configure script.


Either way, can anyone give me a suggestion on the best way to deal with 
this issue?  (Besides the fact that the CPAN should probably use the 
same default site rules directory as sa-update?)


Bookworm


Re: Spamassassin from CPAN and sa-update location.

2006-10-06 Thread Bookworm

Bowie Bailey wrote:

Bookworm wrote:
  

When I build SpamAssassin using the CPAN method, it installs the
test files (20_anti_ratware.cf and similar) in
/usr/share/spamassassin. 


However, sa-update shoves updates into
/var/lib/spamassassin/3.001005/updates_spamassassin_org (with extra
crap in /var/lib/spamassassin/3.001005/ )

I suspect that one or the other behavior is actually wrong.  Either
the CPAN method has a bad configuration script, or the sa-update has
never been matched to the configure script.

Either way, can anyone give me a suggestion on the best way to deal
with this issue?  (Besides the fact that the CPAN should probably use
the same default site rules directory as sa-update?)



Is this an FAQ yet?

Both are correct.

The default rules are installed in /usr/share/spamassassin these are
created when you install/update spamassassin.

Rules updated by sa-update are placed in
/var/lib/spamassassin/(version)/.

SA will use the updated rules if they exist.  Otherwise, it uses the
default rules.

Best suggestion:  Don't worry about it.  It will work fine.
  

And that's exactly what I needed to know.  Thanks.

I've read all the replies up to this point, and yes, I read the man
files for spamassassin itself and for sa-update.  It didn't really
answer the question.  However, I now have an answer!

I will admit, I didn't go to the web site and read through it.  I wasn't
in a position to bring up lynx and try to bang around on the
SpamAssassin apache web site.

BW




Re: Delete all emails tagged by SA.

2006-10-03 Thread Bookworm

Shahzad Abid wrote:

Dear Ed Kasky

Thanks for such a nice suggestion and guidance. Currently I am using qtrap
for my Qmail Server.

Is there any other tool available ?

Shahzad Abid
  

You obviously haven't read the information on qmail-scanner.   If you
add the ST patch to qmail-scanner, you can have a sa-delete variable,
which defines how far above the tagging score a message must be before you delete it.

I have a 'base' spam score of 5 - that gets marked.  At 14, it gets
deleted - sa-delete=9

BW



Re: Razor removal

2006-10-02 Thread Bookworm

Robert Swan wrote:

These guys are having lots of trouble sending email to people, they are
using an exchange 2003 server and are not listed on any SPAM database
anywhere, per.. http://www.dnsstuff.com/

Robert
  

They may be using an Exchange Server for actually forwarding emails out,
but it looks to be a Windows Mobile issue.

See http://www.emailaddresses.com/forum/showthread.php?postid=367505
(thirty second search on google)

I would suggest talking with your customers, and see if you can
reconfigure the exchange server to properly format the email messages
before sending them out.   I'd offer to help, but I doubt I'm local to
your area :)

BW




Re: Problem with user_white_list

2006-09-23 Thread Bookworm

Matt Kettler wrote:

Theo Van Dinter wrote:
  

On Fri, Sep 22, 2006 at 04:01:20AM -0400, Matt Kettler wrote:
  

The moral here is NEVER use whitelist_from. 

  

...does this indicate that whitelist_from should be obsoleted?
  


should, yes.. will be, probably not.

  

Well, there is a need and are uses for whitelist_from, specifically when the
other options aren't available.  Have a customer who sends you mail, but they
don't have proper rDNS setup nor SPF nor ... ?
  


I do agree with your point, and that's the reason why I said it probably
will not be obsoleted.

However, the guy with no rDNS nor SPF isn't very likely to be able to
send mail to very many places at all. Now that major ISPs (i.e., AOL) are
blocking servers with no RDNS, it's only a matter of time before this
becomes standard practice and he won't be able to send mail anywhere.

Also, I personally view ANY spamassassin whitelisting feature as a
measure of last resort. It's generally better to whitelist by
configuring your tools to not call SA in the first place. You have more
reliable envelope information, AND you gain CPU usage benefits.
  
Unfortunately, I've never had to use whitelist_from for RDNS/SPF 
problems.  What I've had to use it for is that shipping companies 
(Customs Brokers, freight forwarders, warehousers) tend to write 
_everything_ in all caps, no matter what.   Forms for the government, 
online databases, you name it, it's one case, and that's upper.   
Needless to say, that causes SA to blow up on it, and claim that all of 
the emails going in and out are spam.  Since I _want_ caps to generally 
set off SA, I end up with a list of shipping related companies that I 
whitelist_from by default.


BW



Re: Using SA to prevent bouncing spam?

2006-08-15 Thread Bookworm

Ole Nomann Thomsen wrote:

On 15.08.2006 at 12:01, Andreas Pettersson [EMAIL PROTECTED] wrote:

While I don't really see why ldap isn't an option, even with an 99% 
load, callout might be the solution.

However, I don't run qmail but here's how it works with exim

http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch39.html#SECTcallver 



Yeah, that is pretty neat. But the Firstclass system is running at 99%
capacity on the E-mail injection too. I mean, we are really pumping it in,
trying to level the peak-period and everything.

Performing callouts will probably cause it to emit strange noises and smoke.
If your usernames don't change a lot, there's a validrcptto patch that 
seems to work quite well.


John Simpson - http://www.jms1.net - has some good information on this 
(don't use IE to go there)


I'm using a modified QmailRocks installation (modified because I helped 
with the Slackware writeup for QMR). I'm modifying further to try to 
squeeze better performance out of spamassassin and daemonizing.


BW



Re: dreaming of a plugin ....

2006-08-14 Thread Bookworm

[EMAIL PROTECTED] wrote:

... that analyzes and scores email addresses:

we have big companies that give their employees more or less random strings as
email addresses (but length will not be extremely long).
Otherwise we have email addresses that somehow are built from a person's name
(e.g. first.last, f.last, last17f or similar), and we have addresses that are a
person's nick, or otherwise relate to its hobby or profession. In rare cases
someone would make an email address from the name of some celebrity.
Now something that seems to be typical for spam are display names that look
like a person's name along with email addresses that look like a different
person's name, and often seem to belong to a different language.
The hypothetical plugin would have to find out whether the mail addy looks
like a name, whether the display name looks like a name as well, and only in
that case determine whether the names have anything in common.

Wolfgang Hamann
  
Or simply a plugin that scans for more than three numeric characters in 
the first portion of the email address.  On one of the boards I host and 
maintain, I frequently see things like [EMAIL PROTECTED]  (yes, 
plural).


I get them in spams as well.  The reason I said more than three is that 
I know that with AOL and similar, you get stuff like [EMAIL PROTECTED] - 
because of all the bobs.  Of course, you could simply tell it to ignore 
@aol/hotmail/excite - the major boards that do this.


If nothing else, it'd be a nice test to increase the probability of spam.

BW
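The two heuristics proposed in this thread (a display name that looks like a person's name but has nothing in common with the address, and more than three digits in the local part outside the big freemail providers), as an added example in Python rather than a real SpamAssassin plugin; this is not code from the thread or from SpamAssassin, and the freemail list, the sample headers and the token-based notion of "looks like a name" are assumptions.

```python
import re
from email.utils import parseaddr

# Assumed list of providers where numeric suffixes are routine ("all the bobs").
FREEMAIL_DOMAINS = {"aol.com", "hotmail.com", "excite.com"}
DIGIT_LIMIT = 3  # flag local parts carrying more than this many digits


def name_tokens(text):
    """Lower-case alphabetic runs of two or more letters: 'john.doe' -> {john, doe}."""
    return set(re.findall(r"[a-z]{2,}", text.lower()))


def names_overlap(disp_tokens, local_tokens):
    """True if the local part shares a token with the display name, or matches
    a first-initial+surname form of it (jsmith ~ John Smith)."""
    if not disp_tokens.isdisjoint(local_tokens):
        return True
    initials = {a[0] + b for a in disp_tokens for b in disp_tokens if a != b}
    return not initials.isdisjoint(local_tokens)


def analyze_from(header_value):
    """Apply both heuristics to one From: header value.

    many_digits:   local part has more than DIGIT_LIMIT digits and the domain
                   is not a freemail provider where that is normal.
    name_mismatch: display name and local part both contain name-like tokens
                   but have nothing in common. Deciding whether a token really
                   is a personal name would need a name list; this example
                   treats any alphabetic token as a candidate (an assumption).
    """
    display, addr = parseaddr(header_value)
    local, _, domain = addr.partition("@")
    digits = sum(ch.isdigit() for ch in local)
    many_digits = digits > DIGIT_LIMIT and domain.lower() not in FREEMAIL_DOMAINS
    disp_tokens, local_tokens = name_tokens(display), name_tokens(local)
    both_name_like = bool(disp_tokens) and bool(local_tokens)
    name_mismatch = both_name_like and not names_overlap(disp_tokens, local_tokens)
    return {"address": addr, "digits": digits,
            "many_digits": many_digits, "name_mismatch": name_mismatch}


# Constructed sample headers (not taken from the thread).
SAMPLES = [
    '"Sales Bob" <bob12345@example.net>',   # many digits, names agree
    '"Bob" <bob12345@aol.com>',             # many digits, but freemail
    '"Mary Smith" <john.doe@example.org>',  # two different person names
    '"John Smith" <jsmith@example.org>',    # initial+surname, no mismatch
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, analyze_from(header))
```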



Re: Net::DNS problem?

2005-06-21 Thread Bookworm

[EMAIL PROTECTED] wrote:


Irina wrote:
 


I decided to downgrade it by downloading TAR.  Installed
prerequisites and the module itself just fine.

Running spamassassin --lint, I see the complaint that its version
is not numeric (0.49_03), therefore it cannot compare the 2 versions:
   Argument "0.49_03" isn't numeric in numeric lt (<) at
/usr/local/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/Dns.pm line 1230
   



But 0.49_03 IS numeric.  Perl allows embedded _'s in numeric literals.

Even if you put it in quotes - '0.49_03' - it's STILL numeric.

perl -e 'print 1 if 1 < 1.2_3'
1

perl -e "print 1 if 1 < '1.2_3'"
1

 

I ran across this as well, I'd have to dig a bit to find the exact 
reference, but one of the perl modules that's used by the spamassassin 
CPAN compile actually spits out the error - not perl itself. 
I think it was one of the Test:: sub modules.  Might have been 
Digest::MD5, however.  (I did it three days ago, and I didn't write down 
which one was related to it)


BW


using sa-learn as a different user problem.

2005-06-12 Thread Bookworm
Most of the email I'm trying to run sa-learn on is owned by vpopmail, 
and my spamassassin runs as the user 'spamd'.


Even when I try sa-learn -u spamd, it continually learns as 'root' - 
filling a bayes database in the root directory. 

Is there anyway to stop this?  I REALLY don't want to have to keep 
either 1) moving databases around, or 2) chmod and chowning directories 
and files so that the spamd user can learn from 'unlearned' spam.


BW



Startup scripts

2005-05-28 Thread Bookworm
Has anyone written a new startup script for Slackware?  I hacked up a 
kludge that does the job, but it's not very good. 


BW



Re: new meds spam agaianst SARS viruses? this may help

2005-05-22 Thread Bookworm

List Mail User wrote:


Follow the trail;  Chris Terrebonne's NFP Inc. - snakeoil and
spam/scammers of Slidell, LA - (985) 726-0928.  They've been around a very
long time (domains change weekly, but a few constants remain, like
conradpromotions. com, rednecks. com and myownemail.com).  They used to
sell (but not deliver) pills - now mostly snakeoil.

Paul Shupak
[EMAIL PROTECTED]
 



Just as a chuckle - Last October, an NFP domain (winningteam.com) was
involved with a Green Card lottery scam.  (They probably got just a
little bit investigated by the State Department for that).

However, here's the chuckle part.  It's a quote from a NY Times article.

"But apparently even the swindlers have sometimes been stung. 'We accept
Western Union Money Transfer as the only payment method due to some
reasons from our past experiences,' the fraudulent message says. 'Credit
card is not acceptable, please.'"

BW



Re: --lint tells me I need 0.34 dns

2005-05-22 Thread Bookworm

Tim Jackson wrote:


On Fri, 20 May 2005 20:48:26 -0400
Eric Wood [EMAIL PROTECTED] wrote:

[on Fedora Core 1]
 


2.  What is the easiest way to update Net::DNS to 0.34 ?
 


This was very easy:
  perl -MCPAN -e shell   [as root]
  o conf prerequisites_policy ask
  install Net::DNS
  quit
   



Whilst certainly a *quick* way of updating, I think it's worth
pointing out that this is not a very *good* way of updating Perl modules
on an RPM-based system such as Fedora, unless you particularly enjoy
painful and unpredictable system management in future. I'd suggest
either using an RPM-based distro and installing everything as RPMs, or
using a non-package-based distro and installing everything from source;
doing a mixture of both will lead to pain in the future when you have
RPM telling you version 'X' of something is installed, but in fact
you've manually obliterated it with version 'Y'. Especially when you're
trying to install an RPM-based package that requires 'Y' and you then
have to start forcing installs etc. - it just makes the whole RPM
thing mostly pointless.

A better way is to use cpan2rpm to package the CPAN module as an RPM
for you:

http://perl.arix.com/cpan2rpm/

Once installed, it's as simple as cpan2rpm Net::DNS and bingo - you
have a nice package.


Tim


 

Yes, this exact problem is why I prefer to stick with Slackware.  I 
administer RedHat and FreeBSD boxes, and they are both REALLY painful to 
keep updated, especially since I have a number of packages I do 
specialized compile options for - and need to keep updated. 

I also agree with Tim - don't use straight CPAN unless that's the only 
way you're going to keep those modules up to date (which is generally 
what I do.  Since the bulk of those modules are only used by 
SpamAssassin (for me), I simply run the updates at the same time as the 
SA updates).   Use RPM's/packages instead.


BW


Re: (OT, slightly) dealing with AOL spam reports?

2005-05-18 Thread Bookworm
Mike Jackson wrote:
A couple days ago, I set up AOL's feedback loop (though the loop 
part is a misnomer, since you can't actually respond to the messages) 
so I could monitor complaints against my employer's servers. Looking 
through the messages AOL says their members reported as spam, I 
noticed that none of them actually originated on my servers; they were 
all messages that were sent to addresses at the servers, then 
forwarded to AOL accounts, and since AOL records the IPs of all 
servers the message touched, I'm tainted by them.

So, how do you deal with this? My setup on the servers is like this:
[snipped]
* Setting up user accounts for the users with AOL forwards, filtering 
the mail through SA, then delivering it only if SA didn't mark it as 
spam, but that's a lot of users to set up.
[snipped]
This is NOT a suggestion to change MTA.  On my server, which is using 
Qmail, all emails are filtered through spamassassin and ClamAV, even 
those which are forwards.   Might there be a similar method to drop a 
process in between the receive and delivery steps of sendmail? It 
seems rather strange that sendmail would receive the email and then pass 
it on without it going through at least your system spamassassin.

I guess the question here would be: At what point is spamassassin 
currently being called in your mail system.

BW


Re: [OT]Appropriate OS and other software to work with SA

2005-05-13 Thread Bookworm
Bowie Bailey wrote:
From: Ben Wylie [mailto:[EMAIL PROTECTED]
 

Currently I am running my mailserver on a windows box.  I have just bought
a new server and will probably be running CentOS on it. I would like to
migrate my mailserver onto this linux box so that hopefully I will be able
to get a faster, more stable system.
I'm looking for advice as to what the 'standard' setup is for a linux
based mailserver if there is such a thing.
I'm looking for a comprehensive mailserver setup with pop3, smtp, imap
supporting multiple domains, users and aliases, with the ability to make
filtering rules, rules to backup all messages, SA integration with mysql.
I have heard of things like procmail and milter and other things, but
don't really know anything about them. I know I have a lot of learning to
do as the only experience I have of linux so far is cygwin.
Is there a standard combination of programs used as a mailserver, as I hope?
   

As others have said, there is no standard.  Everyone has their favorite
setups.
I use Courier-MTA (smtp, pop3, imap, and webmail), SpamAssassin, and ClamAV
(via Amavisd-new).  Currently this is running on Fedora Core 3, but I am
planning to move to CentOS soon.  I don't use mysql on my system, but I know
there are quite a few others who do use mysql for both the virtual user list
and SA.
I find that Courier is easier to configure than some of the others.  It also
helps that the pop3, imap, and webmail are integrated in and don't require
much extra configuration.
The only downside that I see to Courier is that the smtp filters cannot
modify the messages.  That means that if you want to reject mail based on
SpamAssassin's scoring, you would need to run the messages through SA a
second time to add the markup.  This is not really a problem for me because
I don't like to reject spam due to the threat of false positives.  I let the
system reject viruses and then call SA to mark the messages during delivery.
www.courier-mta.org
Bowie
 

If you're really looking for a 'HOWTO' for putting a linux mailserver 
together, there is a good one at http://www.qmailrocks.org

Note, this is not a sendmail install - it's a qmail install.  However, 
it does include spamassassin, antivirus, and webmail, without having to 
kill yourself.  Even if you decide you WANT sendmail, it might be a good 
place to start.  There aren't instructions for CentOS, but the mailing 
list has covered it a few times.  There are instructions for Slackware, 
FreeBSD, RedHat/Mandrake, and Debian. 

BW


Re: Question about Bayes training - mozilla specifically

2005-05-02 Thread Bookworm
Jo wrote:
Bookworm wrote:
I've read through the archives several times, and hoped that over the 
last year or so someone would build the functionality, or at least 
mention it one way or another - I haven't seen it.

Is there any way to take an already trained Mozilla bayes structure 
and hand it directly off to SpamAssassin?  For me, at least, that 
would eliminate almost all of the spam my server is receiving - 
Mozilla spots it instantly, but SpamAssassin is missing at least half.

Troy Belding
Bookworm Computing

Mozilla stores its mail in mbox format, so you can simply use your 
good folders (one mbox each) for training HAM and your Junk folders 
for training SPAM. Just go and have a look in the file system, where 
Mozilla stores its files. mbox-files typically don't have an extension.

Jo

The issue is not so much that - I've dumped all my ham/spam through
spamassassin - it's still not as good.  The only thing I can see that's
different is that Mozilla MUST have its own bayes database that isn't
dependent upon the actual email folders themselves. (I stopped storing
all the junk mail when I reached about 15,000).  I have no clue where
that is, but I thought maybe someone here did, and knew how to convert
it to something that spamassassin could use.
Oh well - I'll try the mbox deal later.  I only have about 80,000 emails
I could process through..
Thanks!
Troy



Question about Bayes training - mozilla specifically

2005-05-01 Thread Bookworm
I've read through the archives several times, and hoped that over the 
last year or so someone would build the functionality, or at least 
mention it one way or another - I haven't seen it.

Is there any way to take an already trained Mozilla bayes structure and 
hand it directly off to SpamAssassin?  For me, at least, that would 
eliminate almost all of the spam my server is receiving - Mozilla spots 
it instantly, but SpamAssassin is missing at least half.

Troy Belding
Bookworm Computing