Re: OT - Hotmail/Outlook.com marking most of our email as Junk

2022-02-22 Thread Chris
Agreed, it seems to be deliberate to get people moved over to the big
providers, they are clearly discouraging independent email servers as
they clearly scored differently.

I have even been doing tests on various spare unused ip's and the
amount that get blocked by microsoft (but no other providers) is
unreal.

Also to mention their own outlook software part of office, if I even
set low level filtering, it has insane levels of false positives.

On Sat, 19 Feb 2022 at 11:12, Marc wrote:
>
> Complain to the European Union. It is not in Microsoft's and Google's
> interest to fix this. By frustrating/sabotaging other providers' services,
> they create an environment where users are forced to switch to the
> outlook.com/gmail.com cloud. E.g. what you have done is already more than
> gmail.com is doing; they are still working with an SPF ~all.
>
> These companies have billions in cash, so there is no reason not to fix this
> problem. This is just a management decision.
>
>
> >
> >
> >   I am also having a world of trouble getting my emails to Outlook
> > users.  For reference, my work domain has one user (me).  I have had the
> > account for about 9 months and I have not yet sent 100 emails.  I
> > typically send an email to a single recipient, although I will
> > occasionally CC a handful of people.
> >
> >
> >
> >   What I’ve tried:
> >
> >
> >
> >   1.  I have also set up SPF, DKIM, and DMARC.  I’m *pretty sure*
> > they’re solid.  Emails still go to junk.
> >   2.  Initially, I didn’t have anything actually at the website for
> > my domain, so I threw my executive summary into a google site.  Emails
> > still go to junk
> >   3.  I've checked our public IP and the domain name at
> > mxtoolbox.com – no errors, but it warns that a) my
> > DMARC policy isn’t q or r, and b) it doesn’t care for my SOA
> >   4.  I tried to get on Microsoft’s SDNS and JMRP, but I was not
> > able.  I am pretty sure I have a shared IP, but I don’t know how I would
> > check that.  Microsoft also suggested I join the Return Path Safe Senders
> > program, but I am pretty sure I would need a dedicated IP for that.  In
> > any case, I don’t love the idea of paying to get whitelisted so I can send
> > 11 emails a month.
> >   5.  I’ve checked several sites and my domain isn’t on any
> > blacklists.  However, I did register the domain through NameCheap, which
> > is on the UCEPROTECT_LVL3 list
> >   6.  The domain is relatively new, as I said, but I don’t send any
> > bulk mail of any kind from it.  All mail is either to people I
> > specifically know, people to whom I have received a personal introduction,
> > or people listed as contacts for their organization on public websites
> >   7.  My mail is handled by Zoho Mail, so I haven’t done anything
> > fancy with the mail server.  If there’s anything I should try, I will, but
> > I might need the instructions at a fifth-grade level
> >   8.  I am fairly careful with my words, and the emails are
> > appropriately long, so I would be surprised if they were getting flagged
> > for trigger words.   I have tried mail-tester.com 
> > and it did not object to the body of my emails
> >   9.  Mail-tester.com claims to test emails against SA, although I
> > know this is a contentious point around here.  I bring it up, though,
> > because the fact that my TLD is “.space” raised some flags
> >   10. When I have called my contacts, they have been as confused as
> > I am that they did not receive my emails
> >   11. Emails I send to any other domains are never a problem spam-
> > wise
> >
>
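The thread compares the poster's SPF/DKIM/DMARC setup with gmail.com's "~all" and mentions the mxtoolbox warning that the DMARC policy is neither quarantine nor reject. Below is an added example, not code from any poster or from any tool named in the thread, that parses the two TXT records and reports exactly those two weaknesses. The records are constructed, and the example-provider / example.test names are placeholders; in practice the strings come from TXT lookups of the domain and of _dmarc.<domain>.

```python
"""Report weak SPF/DMARC policy settings from the two TXT records.

Added example for the thread above; not code from any poster or from
mxtoolbox. Records are constructed, not fetched.
"""
import re

# Constructed records showing the two weaknesses discussed in the thread.
SAMPLE_SPF = "v=spf1 include:_spf.example-provider.test ip4:192.0.2.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test; pct=100"


def parse_spf(record):
    """Return the qualifier of the terminating 'all' mechanism, or None.

    '+' pass (the default when no qualifier is written), '-' fail,
    '~' softfail, '?' neutral. Only '-' tells receivers to reject mail
    from sources the record does not list.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs, keys lowercased."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records are strict."""
    findings = []
    qualifier = parse_spf(spf_record)
    if qualifier is None or qualifier == "+":
        findings.append("SPF: no restrictive 'all' term, record permits any sender")
    elif qualifier in ("~", "?"):
        findings.append("SPF: '%sall' is softfail/neutral, receivers need not reject"
                        % qualifier)
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s requests no action on failing mail"
                        % (policy or "missing"))
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports will not arrive")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_SPF, SAMPLE_DMARC):
        print(line)
</test>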


Re: message size, mark if too large?

2020-12-27 Thread Chris
Is that what you were after?
> > > 
> > > > What glue are you using to call SA?
> > > > 
> > > > On Sat, Dec 26, 2020, 14:12 Joe Acquisto-j4 <j...@j4computers.com> wrote:
> > > > > Some mail with attached suspect files are larger than can be
> > > > > processed. Looking for a way to flag such "oversize" messages as
> > > > > suspect even if not processed.
> > > > > 
> > > > > Is there a simple way?  SpamAssassin version 3.4.2
> > > > > 
> > > > > 
> > > > > 
Here's a procmail recipe I use to mark large files

:0 fh w
* > 10
* ^Subject:\/.*
| formail -I "Subject: {* -BIG- *} $MATCH"

You can change the file size in the 2nd line to meet your needs.

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
08:07:17 up 14 days, 23:10, 1 user, load average: 3.29, 2.60, 1.69
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-58-generic
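The same check as the recipe above, written as a small Python filter, as an added example that is not the poster's recipe and not SpamAssassin code: it measures the raw message size the way procmail's "* > nnn" condition does and prefixes the Subject: with the recipe's tag. The 10 MiB threshold, the X-Oversize header and the sample message are assumptions made for this example.

```python
"""Tag oversize messages in the Subject:, as the procmail recipe above does.

Added example, not the poster's recipe and not SpamAssassin code. The
threshold, the X-Oversize header and the sample message are assumptions.
"""
import email
from email import policy

MAX_BYTES = 10 * 1024 * 1024   # assumed threshold: 10 MiB
TAG = "{* -BIG- *}"            # the tag the recipe puts in front of the Subject


def tag_if_oversize(raw, max_bytes=MAX_BYTES, tag=TAG):
    """Return (tagged, message_bytes).

    Size is taken from the raw bytes, as procmail's '* > nnn' condition does,
    so encoded attachments count at their full transfer size. Messages under
    the limit come back untouched; a message already carrying the tag is not
    tagged twice.
    """
    if len(raw) <= max_bytes:
        return False, raw
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if subject.startswith(tag):
        return True, raw
    if "Subject" in msg:
        msg.replace_header("Subject", (tag + " " + subject).rstrip())
    else:
        msg["Subject"] = tag
    msg["X-Oversize"] = "%d bytes, limit %d" % (len(raw), max_bytes)
    return True, msg.as_bytes()


def subject_of(raw):
    """Subject: header of a raw message, as a plain string."""
    return str(email.message_from_bytes(raw, policy=policy.default).get("Subject", ""))


def build_sample(body_bytes):
    """Construct a plain-text message whose body is at least body_bytes long."""
    body = ("x" * 76 + "\n") * (body_bytes // 77 + 1)
    return (
        "From: sender@example.test\n"
        "To: you@example.test\n"
        "Subject: quarterly report\n"
        "Content-Type: text/plain\n"
        "\n" + body
    ).encode()


if __name__ == "__main__":
    tagged, out = tag_if_oversize(build_sample(20000), max_bytes=10000)
    print(tagged, subject_of(out))
```

Like the recipe's "fh" flags, only the headers are rewritten; the body bytes pass through unchanged.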



channel 'kam.sa-channels.mcgrail.com': GPG validation failed, channel failed

2020-12-12 Thread Chris
I've downloaded and imported the gpg key per instructions here
https://mcgrail.com/template/kam.cf_channel

The command I run for updates is:

/usr/bin/sa-update -v --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 6C6191E3 --gpgkey 24C063D8 && /etc/init.d/spamassassin restart

What I'm getting for output of the cronjob is:

Update available for channel kam.sa-channels.mcgrail.com: -1 -> 1607355384
http: (curl) GET http://sa-update-kam.snb.it/1607355384.tar.gz, success
http: (curl) GET http://sa-update-kam.snb.it/1607355384.tar.gz.sha512, success
http: (curl) GET http://sa-update-kam.snb.it/1607355384.tar.gz.asc, success
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification failed.
channel 'kam.sa-channels.mcgrail.com': GPG validation failed, channel failed
Update failed, exiting with code 4

This is Ubuntu 20.04.1 LTS; spamassassin -V reports:
SpamAssassin version 3.4.4
  running on Perl version 5.30.0

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
20:00:37 up 11:04, 1 user, load average: 1.50, 1.16, 1.02
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-58-generic



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-07 Thread Chris
On Wed, 2020-10-07 at 13:58, Riccardo Alfieri wrote:
> Please use only the latest github package before submitting bugs.
> 
> We are really community focused, but, as already said, we can support
> only the latest release
> 
> On 07/10/20 15:04, Damian wrote:
> > That is indeed v1.0.1
> > 
> > > It's old, 20190704
Riccardo, after updating the issue has been resolved.

Thank you
Chris

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
19:43:53 up 1 day, 3:38, 1 user, load average: 1.10, 0.74, 0.71
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-07 Thread Chris
On Wed, 2020-10-07 at 13:58, Riccardo Alfieri wrote:
> Please use only the latest github package before submitting bugs.
> 
> We are really community focused, but, as already said, we can support
> only the latest release
> 
> On 07/10/20 15:04, Damian wrote:
> > That is indeed v1.0.1
> > 
> > > It's old, 20190704
I picked up 20200825 last night, just waiting for my new key.

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
09:37:02 up 17:31, 1 user, load average: 0.53, 0.39, 0.47
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-07 Thread Chris
On Wed, 2020-10-07 at 08:52 +0200, Damian wrote:
> What version of spamassassin-dqs do you run?
It's old, 20190704. I got the newest last night and after entering my
key I'll see if it makes a difference. I'd like to note that this is my
home desktop.

> 
> Make sure it is at least v1.0.2, i.e. has the rdns chop [1] in the
> module.
> 
> > Here's the message complete with body - 
> > https://pastebin.com/CW7Vj7Yh 
> > This written to my syslog - https://pastebin.com/M12PS1fK
> 
> [1] 
> https://github.com/spamhaus/spamassassin-dqs/blob/master/SH.pm#L666

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
07:30:17 up 15:24, 1 user, load average: 1.51, 1.22, 0.62
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-06 Thread Chris
On Tue, 2020-10-06 at 20:52 -0700, John Hardin wrote:
> On Wed, 7 Oct 2020, Riccardo Alfieri wrote:
> 
> > Hi Chris,
> > 
> > 
> > > > > > > > spamd[435769]: dns: new_dns_packet (domain=o279.send.iheartdogs.com..xxxxxx/dbl.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label
> > Can you check how the DQS lookups are defined in the .cf files?
> > 
> > The correct syntax would be, i.e.:
> > 
> > urirhssub URIBL_DBL_SPAM .dbl.dq.spamhaus.net. A 127.0.1.2
> > 
> > From what appears in the logs it may be that you have an extra dot
> > somewhere, possibly before the DQS key
> 
> That's *very* plausible if the "x" stuff in what you've been 
> providing is your obfuscated key.
Yes it is.
> 
> Please note when you do things like that - not all of us have experience
> with paid feeds, and wouldn't be able to detect the obfuscation... (like
> me, for instance. I got to the same place but it wasn't as direct for me
> as it was for Riccardo.)
> 
> If that is indeed the cause, then it might be worthwhile to open a bug to
> strip leading dot(s) from urirhssub config lines to avoid this, or at
> least generate a lint warning if they are present.
> 
> 
As I just told Riccardo, I've inspected my sh.cf file and I see no extra
'.' anywhere. If either of you wish, I can send you my sh.cf file for
you to look at; however, I've pulled it up with a text editor and searched
for either '..' or even a '.' before the beginning of my key.
-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
22:57:24 up 6:51, 1 user, load average: 2.04, 0.73, 0.52
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic
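Added example, not code from SpamAssassin or from the Spamhaus plugin: a small lint in the spirit of the warning John suggests above. It reads urirhssub lines from a .cf snippet, forms the query name as hostname-dot-zone (an assumption about how the lookup name is built, used only for this check) and reports any zone that would yield an empty label, plus a plain normaliser that drops the empty labels behind the ".." seen in the log. The configuration text and the KEY-REDACTED placeholder are constructed; the hostname is the one from the spamd log in this thread.

```python
"""Lint urirhssub zones for a configuration that would produce a null DNS label.

Added example; not SpamAssassin code and not the Spamhaus plugin's code.
Assumption used for the check: the lookup name is <hostname>.<zone>.
"""
import re

# Constructed .cf snippet; KEY-REDACTED stands in for a DQS key.
SAMPLE_CF = """\
# right: the zone starts with the key, nothing in front of it
urirhssub URIBL_DBL_SPAM   KEY-REDACTED.dbl.dq.spamhaus.net. A 127.0.1.2
# wrong: a stray dot before the key yields '<host>..KEY-REDACTED...'
urirhssub URIBL_DBL_PHISH  .KEY-REDACTED.dbl.dq.spamhaus.net. A 127.0.1.4
"""

# Hostname as it appeared in the spamd log in this thread (note the '..').
LOGGED_HOST = "o279.send.iheartdogs.com.."

URIRHSSUB = re.compile(r"^\s*urirhssub\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_urirhssub(cf_text):
    """Yield (rule_name, zone) for each urirhssub line; comments are skipped."""
    for line in cf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = URIRHSSUB.match(line)
        if m:
            yield m.group(1), m.group(2)


def query_name(host, zone):
    """Lookup name formed from hostname and zone (assumption, see above)."""
    return host + "." + zone


def empty_labels(name):
    """Positions of empty labels; the trailing dot of an absolute name is fine."""
    labels = name.rstrip(".").split(".")
    return [i for i, label in enumerate(labels) if label == ""]


def normalize_host(host):
    """Drop empty labels ('..' -> '.', leading/trailing dots) before lookup."""
    return ".".join(label for label in host.split(".") if label)


def lint(cf_text, host):
    """Return {rule_name: query_name} for zones whose lookup would hold a null label."""
    problems = {}
    for rule, zone in parse_urirhssub(cf_text):
        name = query_name(host, zone)
        if empty_labels(name):
            problems[rule] = name
    return problems


if __name__ == "__main__":
    for rule, name in lint(SAMPLE_CF, normalize_host(LOGGED_HOST)).items():
        print(f"{rule}: null label in {name}")
```

With the ".." host from the log, every zone produces a null label, so the hostname side alone explains the message; after normalisation only the zone with the stray leading dot remains, which is the configuration case Riccardo describes.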



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-06 Thread Chris
On Wed, 2020-10-07 at 03:40, Riccardo Alfieri wrote:
> Hi Chris,
> 
> 
> > > > > > spamd[435769]: dns: new_dns_packet (domain=o279.send.iheartdogs.com..xx/dbl.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label
> > > > 
> 
> Can you check how the DQS lookups are defined in the .cf files?
> 
> The correct syntax would be, i.e.:
> 
> urirhssub URIBL_DBL_SPAM   .dbl.dq.spamhaus.net. A 127.0.1.2
> 
> From what appears in the logs it may be that you have an extra dot
> somewhere, possibly before the DQS key

I checked my sh.cf in /etc/mail/spamassassin, Riccardo, and see no extra
'.' anywhere.
-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
22:46:46 up 6:41, 1 user, load average: 0.22, 0.35, 0.49
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-06 Thread Chris Pollock
On Tue, 2020-10-06 at 19:49 -0700, John Hardin wrote:
> On Tue, 6 Oct 2020, Chris wrote:
> 
> > On Tue, 2020-10-06 at 18:54 -0700, John Hardin wrote:
> > > On Tue, 6 Oct 2020, Chris wrote:
> > > 
> > > > The complete error looks like this:
> > > > 
> > > > spamd[435769]: dns: new_dns_packet (domain=o279.send.iheartdogs.com..xx/dbl.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label
> > John, I'm running 3.4.4 - Installed: 3.4.4-1ubuntu1
> 
> That should be an info-level message in 3.4.4 - where did you see it?
> Is your logging turned up?
> 
> > here's the paste
> > https://pastebin.com/9CXBM4nG
> 
> I don't see any body on that...
> 
Here's the message complete with body - https://pastebin.com/CW7Vj7Yh 
This written to my syslog - https://pastebin.com/M12PS1fK


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
22:19:13 up 6:13, 1 user, load average: 1.70, 1.17, 0.61
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic




Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-06 Thread Chris
On Tue, 2020-10-06 at 19:49 -0700, John Hardin wrote:
> On Tue, 6 Oct 2020, Chris wrote:
> 
> > On Tue, 2020-10-06 at 18:54 -0700, John Hardin wrote:
> > > On Tue, 6 Oct 2020, Chris wrote:
> > > 
> > > > The complete error looks like this:
> > > > 
> > > > spamd[435769]: dns: new_dns_packet (domain=o279.send.iheartdogs.com..xx/dbl.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label
> > John, I'm running 3.4.4 - Installed: 3.4.4-1ubuntu1
> 
> That should be an info-level message in 3.4.4 - where did you see it?
> Is your logging turned up?
> 
> > here's the paste
> > https://pastebin.com/9CXBM4nG
> 
> I don't see any body on that...
> 
Here's the message complete with body - https://pastebin.com/CW7Vj7Yh 
This written to my syslog - https://pastebin.com/M12PS1fK


-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
22:25:28 up 6:19, 1 user, load average: 1.66, 1.31, 0.81
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



Re: spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-06 Thread Chris
On Tue, 2020-10-06 at 18:54 -0700, John Hardin wrote:
> On Tue, 6 Oct 2020, Chris wrote:
> 
> > The complete error looks like this:
> > 
> > spamd[435769]: dns: new_dns_packet (domain=o279.send.iheartdogs.com..xx/dbl.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label
> > 
> > This doesn't seem to happen with each and every incoming message, and I
> > guess it really doesn't hurt anything; however, I'm just curious as to
> > what might be causing it. It appears to have been going on all year so
> > far, but as I said, not with every incoming message, just from certain
> > domains it seems.
> > 
> > Any ideas?
> 
> It's the dot-dot in that request.
> 
> (1) Do you happen to have a spample that does that? If so, could you 
> upload it to pastebin and post the URL for it here?
> 
> (2) What version of SpamAssassin are you running?
> 
> See:
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7156
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6896
> 
> That was converted from a warning to an info, so it looks like your SA
> version may be a bit stale.
> 
> I don't think we ever pulled the trigger on normalizing ".." ⇒ "." for
> URIBL lookups as a URL with a malformed FQDN like that doesn't work in a
> browser.
> 
John, I'm running 3.4.4 (Installed: 3.4.4-1ubuntu1). Here's the paste:
https://pastebin.com/9CXBM4nG

Chris

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
21:11:44 up 5:06, 1 user, load average: 0.95, 0.74, 0.86
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



spamhaus.net. type=A class=IN) failed: a domain name contains a null label

2020-10-06 Thread Chris
The complete error looks like this:

spamd[435769]: dns: new_dns_packet (domain=o279.send.iheartdogs.com..xx/dbl.dq.spamhaus.net. type=A class=IN) failed: a domain name contains a null label

This doesn't seem to happen with each and every incoming message, and I
guess it really doesn't hurt anything; however, I'm just curious as to what
might be causing it. It appears to have been going on all year so far,
but as I said, not with every incoming message, just from certain domains
it seems.

Any ideas?

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
20:12:39 up 4:07, 1 user, load average: 1.47, 1.11, 0.88
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



Re: DNS issues or something else?

2020-10-05 Thread Chris
On Mon, 2020-10-05 at 16:14 +0100, RW wrote:
> On Mon, 05 Oct 2020 09:17:09 -0500
> Chris wrote:
> 
> > Since my update to Ubuntu 20.04 last Wed I've been seeing this in
> > every message that's run through spamassassin. 
> > 
> > https://pastebin.com/hy6WGXYH
> > 
> > I run bind as a caching nameserver here on my desktop and have had no
> > issues in the past; it's just since the upgrade, it seems.
> 
> 
> See:
> 
> <http://spamassassin.1065346.n5.nabble.com/3-4-4-Lots-of-DNS-no-callback-messages-FreeBSD-td157817.html>

Thanks, appreciate the info. Will not worry about it then.

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
10:20:33 up 18:58, 1 user, load average: 0.99, 0.90, 0.96
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



DNS issues or something else?

2020-10-05 Thread Chris
Since my update to Ubuntu 20.04 last Wed I've been seeing this in every
message that's run through spamassassin. 

https://pastebin.com/hy6WGXYH

I run bind as a caching nameserver here on my desktop and have had no
issues in the past; it's just since the upgrade, it seems. Any suggestions on
where I should begin my research on this would be appreciated.

Thanks
Chris

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
09:05:49 up 17:43, 1 user, load average: 1.64, 1.39, 1.28
Description:Ubuntu 20.04.1 LTS, kernel 5.4.0-48-generic



Re: DKIM invalid

2020-02-05 Thread Chris Conn



age a few plugins of my own for installation on other systems


and hence you mangle the spamassassin package itself?
oh my lord..

[root@mail-gw:~]$ rpm -qa | grep spamassassin | sort
spamassassin-3.4.4-1.fc31.x86_64
spamassassin-bogofilter-1.0-8.fc31.20200204.rh.noarch
spamassassin-clamav-3.0-7.fc31.20200204.rh.noarch
spamassassin-iXhash2-2.05-16.fc31.noarch
spamassassin-mxpf-1.0-7.fc31.20200204.rh.noarch


I will respectfully bow out of this discussion as I don't care to, nor 
is it pertinent to this mailing list, for me to discuss my system 
topology.  And when I said I use fedora, that is not quite accurate 
either, but again, outside the scope of this mailing list.


thank you for your input on my abilities, duly noted.  I did not mean to 
trigger anyone.


C.



Re: DKIM invalid

2020-02-05 Thread Chris Conn




smart people would have opened koji, entered spamassassin, selected the F31
package from
https://koji.fedoraproject.org/koji/packageinfo?packageID=554 and
downloaded
https://kojipkgs.fedoraproject.org//packages/spamassassin/3.4.4/1.fc31/x86_64/spamassassin-3.4.4-1.fc31.x86_64.rpm

or just used "dnf --enablerepo=updates-testing upgrade spamassassin"


I package a few plugins of my own for installation on other systems, not 
sure why it is necessary to use personal adjectives. Sorry this question 
had to irk some sensibilities.


Cheers



Re: DKIM invalid

2020-02-05 Thread Chris Conn




On 2/4/2020 5:12 PM, Chris Conn wrote:



On 2/4/2020 5:09 PM, Damian wrote:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7785 maybe?




Hello,

You were correct; using 3.4.3 on fedora with milter-spamc, pretty much 
every email would match DKIM_INVALID when handled by the MTA and 
correctly from commandline.  I built 3.4.4-1.fc32 source RPM and 
upgraded and the DKIM_INVALID issue is gone, I score VALID now on 
outlook gmail and others.


Thanks for the tip,

Chris


Re: DKIM invalid

2020-02-04 Thread Chris Conn




On 2/4/2020 5:09 PM, Damian wrote:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7785 maybe?


Hello,

HM, very possible.  I am using milter-spamc but the behaviour might be 
similar.  I will look to build 3.4.4 and see if I get better DKIM 
returns.  Thanks for this.


Chris


I am running SA3.4.3 and I noticed that I am scoring DKIM_INVALID on
pretty much each and every email handled by the MTA.  However, if I take
the raw .eml and pipe it through spamassassin -t -D, I receive a
DKIM_VALID score.





DKIM invalid

2020-02-04 Thread Chris Conn

Hello,

I am running SA3.4.3 and I noticed that I am scoring DKIM_INVALID on 
pretty much each and every email handled by the MTA.  However, if I take 
the raw .eml and pipe it through spamassassin -t -D, I receive a 
DKIM_VALID score.


Any tips on how I could go about to troubleshoot why the MTA-level scan 
by the milter would score it invalid and a commandline test of the .eml 
would return a different value on the same spamassassin daemon?


Thanks in advance,

Chris


Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available

2020-01-30 Thread Chris
On Thu, 2020-01-30 at 15:05 -0800, John Hardin wrote:
> On Thu, 30 Jan 2020, Matus UHLAR - fantomas wrote:
> 
> > > > On 29.01.20 15:21, Kevin A. McGrail wrote:
> > > > > Correct, it's a policy issue.  ASF Projects must stop
> > > > > providing SHA-1
> > > > > signatures and we negotiated that deadline.
> > > On Thu, Jan 30, 2020 at 10:44:09AM +0100, Matus UHLAR - fantomas
> > > wrote:
> > > > do you mean, not having updates is better than using sha-1?
> > 
> > On 30.01.20 11:55, Henrik K wrote:
> > > People using legacy SA versions are at risk from multiple
> > > vulnerabilities.
> > > Doesn't hurt making them upgrade to something sane.
> > 
> > so should I understand that as a forced move "upgrade or don't get
> > updates"?
> > 
> > are you aware that some distro maintainers prefer to backport
> > security fixes
> > to former versions to prevent from functional surprises?

That's what Ubuntu did. I filed a bug report to upgrade to 3.4.3 and
listed the CVEs involved. Instead of rolling out 3.4.3 they backported
the fixes to 3.4.2. I'm getting ready to file another bug report
requesting an upgrade to 3.4.4, listing the CVEs affected, and see what
happens.

> 
> Then they would presumably backport the SHA-256 checksum handling,
> as 
> it is a security issue...
> 
> 
-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
17:12:12 up 2 days, 8:39, 1 user, load average: 1.41, 0.72, 0.54
Description:Ubuntu 18.04.3 LTS, kernel 5.3.0-28-generic



Re: Use of uninitialized value $r in scalar chomp at /usr/local/share/perl/5.26.1/File/Scan/ClamAV.pm line 224

2020-01-10 Thread Chris
On Fri, 2020-01-10 at 00:56 -0500, Bill Cole wrote:
> On 9 Jan 2020, at 17:32, Chris wrote:
> 
> > Since upgrading my Ubuntu 18.04.3 to ClamAV version 0.102.1
> > yesterday
> > I've been seeing this in my syslog:
> > 
> > spamd[2455]: Use of uninitialized value $r in scalar chomp at
> > /usr/local/share/perl/5.26.1/File/Scan/ClamAV.pm line 224
> > 
> > spamd[2455]: Use of uninitialized value $r in pattern match (m//)
> > at
> > /usr/local/share/perl/5.26.1/File/Scan/ClamAV.pm line 227
> > 
> > Line 224 - chomp(my $r = $conn->getline);
> > Line 227 - if($r =~ /stream:\ (.+)\ FOUND/ix){
> 
> How is this a SpamAssassin question?
> 
> Note that the "ClamAV Plugin" on the SA Wiki is not a supported 
> component of SA. It is decade-old sample code of unclear provenance. 
> Virus scanning really does not belong inside SA, so it isn't. SA is 
> designed to aggregate a lot of independent imperfect criteria for 
> judging mail as spam or ham into a single numeric score, while AV is 
> designed to make a highly accurate binary judgment.
> 
> 
> > Is this an issue with ClamAV.pm or with ClamAV itself?
> 
> ClamAV.pm AND either ClamAV itself or its config.
> 
Thanks Bill, I'll ask over on the ClamAV users list then.

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
09:22:53 up 39 days, 5 min, 1 user, load average: 1.41, 0.73, 0.78
Description:Ubuntu 18.04.3 LTS, kernel 5.0.0-37-generic



Re: rpm of centos

2020-01-10 Thread Chris Conn




On 1/9/2020 10:10 PM, Amir Caspi wrote:

On Jan 9, 2020, at 6:59 PM, Rick Gutierrez wrote:

Hi everyone, someone from the list who can share the rpm of the
latest version of spamassassin for centos 7 and 6  of x64, I want to
update to the latest version and I can't find the rpm.

SA 3.4.2 is available for Fedora, and you can build it from the SRPM pretty 
easily for RHEL/CentOS 7 or 6 with no modifications.



Hello,

I just built SA 3.4.3 on Centos8 using the fedora 32 .srpm 
spamassassin-3.4.3-2.fc32.src.rpm


First of all, make sure you have a good backup you can revert to, or are 
running it on a system that you can trash/snapshot/revert or whatever.


You need the development tools package at a minimum:

yum -y groupinstall "Development tools"

Make sure you have all the plugins and libraries and tools for your 
distro (I haven't done this on Centos6) and choose an SRPM from Fedora 
32/31/30 that works, using



rpmbuild --rebuild spamassassin-3.4.3-2.fc32.src.rpm  (my example on 
Centos8)


Watch the output of the build process when it is running ./configure, as 
it will tell you if you are missing any libraries or tools or whatnot; it 
will be most evident there. If successful, it will build you an RPM you 
can upgrade to.



I rebuilt SA 3.4.3 on Centos8 because I wanted to continue with SHA-2 
signatures and also benefit from 3.4.3's new features and plugins.  As 
well, for some reason on the stock Centos8 SA rpm, sa-compile does not 
seem to be included and I am a fan of the Rule2XSBody plugin. Maybe 
that's old fashioned, I don't know; but Centos/RHEL being so strict on 
their versioning, Centos8 is stuck with 3.4.2 forever, so I am happily 
running 3.4.3 on it.


Best of luck in your build, hope this helps,

Chris



Use of uninitialized value $r in scalar chomp at /usr/local/share/perl/5.26.1/File/Scan/ClamAV.pm line 224

2020-01-09 Thread Chris
Since upgrading my Ubuntu 18.04.3 to ClamAV version 0.102.1 yesterday
I've been seeing this in my syslog:

spamd[2455]: Use of uninitialized value $r in scalar chomp at
/usr/local/share/perl/5.26.1/File/Scan/ClamAV.pm line 224

spamd[2455]: Use of uninitialized value $r in pattern match (m//) at
/usr/local/share/perl/5.26.1/File/Scan/ClamAV.pm line 227

Line 224 - chomp(my $r = $conn->getline);
Line 227 - if($r =~ /stream:\ (.+)\ FOUND/ix){

Is this an issue with ClamAV.pm or with ClamAV itself?

Chris

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
16:27:34 up 38 days, 7:10, 1 user, load average: 1.15, 0.71, 0.51
Description:Ubuntu 18.04.3 LTS, kernel 5.0.0-37-generic



Ubuntu bug report for SA 3.4.3

2019-12-19 Thread Chris
I've submitted a bug report to Ubuntu to get SA upgraded to the newest
version:

https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1856248


-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
19:49:22 up 17 days, 10:32, 1 user, load average: 1.20, 0.91, 0.60
Description:Ubuntu 18.04.3 LTS, kernel 5.0.0-37-generic



Re: Spamassassin reporting

2019-12-05 Thread Chris
On Thu, 2019-12-05 at 14:47 -0500, Dave Goodrich wrote:
> That looks very familiar, and exactly what I am looking for. I can
> make that script work with our log files, thank you.
> 
> DAve
> 
You're welcome.

-- 
Chris
31.11972; -97.90167 (Elev. 1092 ft)
17:28:20 up 3 days, 8:11, 1 user, load average: 1.75, 0.79, 0.68
Description:Ubuntu 18.04.3 LTS, kernel 5.0.0-37-generic



Re: Custom rule help

2019-12-05 Thread Chris Mulcahy
On Wed, 4 Dec 2019 12:40:27 -0800
Chris Mulcahy wrote:

> Hi.
>
> I’m relatively new to complex custom rules. I have plenty of simple
> and some multi-condition rules but need something custom.
>
> My approach to using my domain name is bad but I started it in the
> 90s so… I have some sites where I gave them my email address as
> “sitename@mydomain.com” so I would know who sold my address.
> Obviously, now there are a bunch of leaked lists so I get spam to
> those addresses even though it wasn’t really sold.
>
> I want a rule that scores if “sitename” is not in the From: line.

I think this should work:

header ABUSED_CONTACT_ADDRESS ALL =~
/\A(?=.*^To:\s(?:[^\n]*[<.\s])?([a-z0-9-]+)\.(?:com|net|org)\@yourdomain\.com).*^From:\s(?![^\n]+\1)/ism


Adapt the list of TLDs as necessary, and substitute your own domain for
yourdomain\.com.


That is absolutely perfect.  After extensive testing, I can confirm that it
does exactly what I wanted.

Thank you very much!


Re: Spamassassin reporting

2019-12-04 Thread Chris Pollock
On Wed, 2019-12-04 at 11:22 -0500, Dave Goodrich wrote:
> Good morning,
> 
> Many years ago, in previous jobs, I used several scripts to report
> spam statistics daily. Some I wrote, some I downloaded. I need to
> create some reporting on our current zimbra/postfix/spamassassin
> server. The supplied stats are pretty for managers if you have Flash,
> but not useful.
> 
> Can anyone recommend a ready to run OSS script, or set of scripts,
> for basic maillog stats concerning Spam? Just thought I would ask
> before I wrote something. Internet searching is not turning up
> anything for me.
> 
> Thanks,
> 
> DAve
> 
Forgot to add what the output looks like
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:11:09 up 2 days, 9:54, 1 user, load average: 0.66, 0.42, 0.39
Description:Ubuntu 18.04.3 LTS, kernel 5.0.0-37-generic



WebKitWebProcess_job__1__ng_non-Linux-generated_files.pdf
Description: Adobe PDF document




Re: Spamassassin reporting

2019-12-04 Thread Chris Pollock
On Wed, 2019-12-04 at 11:22 -0500, Dave Goodrich wrote:
> Good morning,
> 
> Many years ago, in previous jobs, I used several scripts to report
> spam statistics daily. Some I wrote, some I downloaded. I need to
> create some reporting on our current zimbra/postfix/spamassassin
> server. The supplied stats are pretty for managers if you have Flash,
> but not useful.
> 
> Can anyone recommend a ready to run OSS script, or set of scripts,
> for basic maillog stats concerning Spam? Just thought I would ask
> before I wrote something. Internet searching is not turning up
> anything for me.
> 
> Thanks,
> 
> DAve
> 
Here's what I use for my home system

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
18:06:20 up 2 days, 8:49, 1 user, load average: 0.90, 0.81, 0.84
Description:Ubuntu 18.04.3 LTS, kernel 5.0.0-37-generic



sa-stats-1.0.pl
Description: Perl program




Re: Custom rule help

2019-12-04 Thread Chris Mulcahy
From: Martin Gregorie  
Reply: mar...@gregorie.org  
Date: December 4, 2019 at 4:12:22 PM
To: users@spamassassin.apache.org 

Subject:  Re: Custom rule help

On Wed, 2019-12-04 at 12:40 -0800, Chris Mulcahy wrote:
> I want a rule that scores if “sitename” is not in the From: line. If
> they send from i...@sitename.com, I’ll assume it’s legit. If sitename
> does not exist, I’ll tick up the score a bit. I have done this for
> some specific domains but they are all individual rules hardcoding the
> domain name.
>
Presumably, you mean that if it matches, add a positive value to push it
toward spam. If no match, ignore.

One way would be to build a giant list of alternates along the lines of

header MYRULE M:addr =~ /(site1\.com\@mydomain\.com|
site2@mydomain.com|)/
...
I did something similar some years back, but I first designed a
definition file that was easy to edit: it has fixed details such as the
descriptive comments, the rule name and score on a set of lines at the
front of the file. This is followed by the list of alternates, each on a
separate line. It helps maintenance and the addition of new terms if you
keep the alternates in alphabetic sequence too.

Then I wrote a script that reads the definition and spits out a .cf file
containing a correctly formatted SA rule. This is a bash script that
runs a gawk script to do the heavy lifting. I used gawk because I know
and like it, but any scriptable language should do: Perl, Python or even
Javascript or BASIC are all possibilities.

You can download my solution from here:
libelle-systems.com/free/portmanteau/portmanteau.tgz

...

Martin


Thanks for the quick reply!

Actually, I want it to score if there ISN’T a match. If I get an email
addressed to slashdot@example.com from an address that isn’t from
slashdot, it’s likely spam.

Currently, I am doing like you mentioned with a bunch of individual rules
that look like this:
header   __CRM_FAMAZON  From =~ /amazon/i
header   __CRM_TAMAZON  To =~ /amazon/i
meta     CRM_AMAZON     (!__CRM_FAMAZON && __CRM_TAMAZON)
describe CRM_AMAZON     amazon in to address but not from
score    CRM_AMAZON     1.5

But I have to edit the rules every time I find a new one that comes in. I
failed to keep the list because at the time I never anticipated spam would
be as prevalent as it is.

I did grab your solution and will look through it. It may make this a less
painful process.

Thanks,
Chris


Custom rule help

2019-12-04 Thread Chris Mulcahy
Hi.

I’m relatively new to complex custom rules.  I have plenty of simple and
some multi-condition rules but need something custom.

My approach to using my domain name is bad but I started it in the 90s so…
I have some sites where I gave them my email address as
“sitename@mydomain.com” so I would know who sold my address. Obviously,
now there are a bunch of leaked lists so I get spam to those addresses even
though it wasn’t really sold.

I want a rule that scores if “sitename” is not in the From: line.  If they
send from i...@sitename.com, I’ll assume it’s legit. If sitename does not
exist, I’ll tick up the score a bit. I have done this for some specific
domains but they are all individual rules hardcoding the domain name. I
want it to search "To =~ /(.*)\.com\@mydomain\.com/i" and find the match in
the From: line.

Any advice?
Thanks
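
An added example for the two approaches in this thread (Martin's generated
.cf file and Chris's per-site meta rules); it is not Martin's portmanteau
script nor any code posted in the thread. A single SpamAssassin rule cannot
carry the capture from "To =~ /(.*)\.com\@mydomain\.com/" into a From: test,
so the script below emits one header/meta/describe/score group per site tag
from a list, and also applies the same logic in Python to a message's
headers so the output can be sanity-checked before it goes into SpamAssassin.
The site list, domain, score and the CRM_ prefix are constructed for the
example.

```python
"""Generate SpamAssassin rules for tagged addresses (sitename@mydomain.com).

Added example, not code from the thread. For each tag: the tag appears in
To/Cc but the From address does not contain it -> add a small score.
"""
import re

SITES = ["amazon", "slashdot", "newegg"]   # constructed; read from a file in practice
DOMAIN = "mydomain.com"                     # constructed


def rule_name(site):
    """Map a site tag to a legal SA rule-name fragment (A-Z, 0-9, _ only)."""
    return re.sub(r"[^A-Z0-9]", "_", site.upper())


def generate_rules(sites, domain=DOMAIN, score=1.5):
    """Emit a .cf fragment with one header/meta/describe/score group per tag."""
    out = []
    for site in sorted(set(s.lower() for s in sites)):
        if "/" in site:
            raise ValueError("site tag %r would break the /.../ regex delimiters" % site)
        tag = rule_name(site)
        site_re = re.escape(site)
        dom_re = re.escape(domain)
        # \@ because SA rules are Perl regexes, where a bare @ interpolates an array.
        out.append(f"header   __CRM_T_{tag}  ToCc:addr =~ /\\b{site_re}\\@{dom_re}\\b/i")
        out.append(f"header   __CRM_F_{tag}  From:addr =~ /{site_re}/i")
        out.append(f"meta     CRM_{tag}      (__CRM_T_{tag} && !__CRM_F_{tag})")
        out.append(f"describe CRM_{tag}      {site} tag in recipient address but not in From")
        out.append(f"score    CRM_{tag}      {score}")
        out.append("")
    return "\n".join(out)


def check_message(headers, sites, domain=DOMAIN):
    """Apply the same logic in Python (a simulation, not SpamAssassin itself)
    to a dict of header values and return the CRM_ rules that would fire."""
    rcpts = " ".join(headers.get(h, "") for h in ("To", "Cc"))
    sender = headers.get("From", "")
    hits = []
    for site in sorted(set(s.lower() for s in sites)):
        tagged = re.search(r"\b" + re.escape(site) + "@" + re.escape(domain) + r"\b",
                           rcpts, re.IGNORECASE)
        if tagged and not re.search(re.escape(site), sender, re.IGNORECASE):
            hits.append("CRM_" + rule_name(site))
    return hits


if __name__ == "__main__":
    print(generate_rules(SITES))
```

Redirect the output into a .cf file under your local rules directory and run
spamassassin --lint. Two design points worth noting: From:addr tests only the
address part, so a forged display name of "Amazon" on an unrelated address
still scores, where Chris's bare "From =~ /amazon/i" would not; and ToCc:addr
also covers Cc, which the To-only rules did not. Adding a site then means one
new entry in the list and a regeneration instead of five hand-edited lines.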


Re: Spamhaus Technology contributions to SpamAssassin

2019-07-03 Thread Chris Conn



On 7/3/2019 5:43 AM, Riccardo Alfieri wrote:

> The plugin works with our Data Query Service (DQS). The DQS provides
> you with additional feeds: Zero Reputation Domain & AuthBL, and it
> also receives updates in 'realtime.' This last point is key, because,
> as you can see in the latest Virus Bulletin report
> (https://www.virusbulletin.com/testing/results/latest/vbspam-email-security),
> DQS catches 42% more spam than our RSYNC service or public mirrors.


Hello,

I am having a quick look over the config as I am intrigued by this plugin;
what is the motivation to change the RCVD_IN_XXX dnsbl lookups to
utilize the per-user key system?  Is this a precursor to an eventual
phase-out of the typical 20_dnsbl_tests.conf mechanisms?


Cheers and thanks,

Chris



Re: SA-Update cronjob output rejected by ISP for containing spam

2019-06-22 Thread Chris Pollock
On Sat, 2019-06-22 at 16:10 -0700, John Hardin wrote:
> On Sat, 22 Jun 2019, Chris Pollock wrote:
> 
> > On Sat, 2019-06-22 at 10:29 -0700, John Hardin wrote:
> > > On Sat, 22 Jun 2019, Chris Pollock wrote:
> > > 
> > > > I'm not sure how to exactly word the problem so the subject is
> > > > the best I can do for now. Whenever a cronjob is run a message is
> > > > sent out via postfix to me with the contents of that cronjob. This
> > > > morning when the SA-Update cronjob was run I didn't receive the
> > > > output back (this has been going on since 7 June but that's
> > > > another story). I looked at my syslog and saw this:
> > > > 
> > > > https://pastebin.com/hHR0Rvii
> > > > 
> > > > Since I can't see the debug output of SA-Update I have no idea
> > > > what CenturyLink's spam filter hit on. I looked back through a
> > > > week's worth of syslogs and this is the only time that the message
> > > > was rejected for containing spam. Any ideas what was in the latest
> > > > rule updates to cause this?
> > > 
> > > Not without seeing the message itself. Is there any way for you to
> > > pastebin a copy of the message that was sent?
> > 
> > Sorry John, it's been removed from the queue
> > > 
> > > Can you twiddle the aliasing so that the message is (temporarily,
> > > at least) delivered to a local mailbox in addition to the regular
> > > recipients?
> > 
> > I've been trying to figure that out. What I have done is switch
> > postfix over to using my GMail account however I've run into a tiny
> > roadblock.
> 
> How about delivery to a local mailbox?
> 
Amazingly I've got it working. What fixed it was adding [] around
smtp.gmail.com in my sasl_passwd file. I just let sa-update run and the
postfix output is:

Jun 22 22:12:01 localhost CRON[13838]: (root) CMD (/usr/bin/sa-update  -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 6C6191E3 && /etc/init.d/spamassassin restart # --gpgkey E8B493D6 )
Jun 22 22:12:01 localhost postfix/pickup[11566]: C76F41000BA1: uid=0 from=
Jun 22 22:12:01 localhost postfix/cleanup[13842]: C76F41000BA1: message-id=<20190623031201.C76F41000BA1@cpollock.localdomain>
Jun 22 22:12:01 localhost postfix/qmgr[11567]: C76F41000BA1: from=<chris.pollock1...@gmail.com>, size=5707, nrcpt=1 (queue active)
Jun 22 22:12:01 localhost postfix/local[13844]: C76F41000BA1: to=<root@cpollock.localdomain>, orig_to=, relay=local, delay=0.13, delays=0.07/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -Y -a $DOMAIN)
Jun 22 22:12:01 localhost postfix/qmgr[11567]: C76F41000BA1: removed

So, it looks like to me in this case it's sending local, but I'm
probably wrong. However, the message hasn't made it to my cron folder
yet. 

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
22:16:17 up 2 days, 4:26, 1 user, load average: 1.37, 1.26, 1.33
Description:Ubuntu 18.04.2 LTS, kernel 4.18.0-22-generic



signature.asc
Description: This is a digitally signed message part
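
The 530 5.5.1 "Authentication Required" bounce earlier in this thread and
the bracket fix above come down to how Postfix finds the credentials for a
relay: it searches smtp_sasl_password_maps with the next-hop destination as
written in relayhost, brackets and port included, so the entry that serves
"relayhost = [smtp.gmail.com]:587" is the one keyed exactly that way. As an
added check (not from the thread and not Postfix code), here is a Python
script that parses a main.cf and a sasl_passwd file and reports when the
sasl_passwd key does not match relayhost verbatim, when SASL auth is not
enabled, or when TLS is not required. The main.cf and sasl_passwd contents
are constructed and the credential is a placeholder.

```python
"""Check that a Postfix relayhost can find its SASL credentials.

Added example, not Postfix code and not from the thread. A missing or
mis-keyed sasl_passwd entry means Postfix sends no AUTH at all, which is
what a 530 5.5.1 reply to MAIL FROM from the relay looks like.
"""
import re

# Constructed main.cf fragment mirroring the setup in the thread.
MAIN_CF = """
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
"""

# Constructed sasl_passwd contents (placeholder credential), before and after
# the bracket fix described in the thread.
SASL_PASSWD_BROKEN = "smtp.gmail.com  user@gmail.com:app-password\n"
SASL_PASSWD_FIXED = "[smtp.gmail.com]:587  user@gmail.com:app-password\n"


def parse_main_cf(text):
    """Return main.cf parameters as a dict; a later assignment overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def parse_sasl_passwd(text):
    """Return {lookup_key: 'user:password'} from sasl_passwd text."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            creds[parts[0]] = parts[1]
    return creds


def check_relay_credentials(main_cf_text, sasl_passwd_text):
    """Return a list of problems; an empty list means the relay should authenticate."""
    params = parse_main_cf(main_cf_text)
    creds = parse_sasl_passwd(sasl_passwd_text)
    problems = []

    relayhost = params.get("relayhost", "")
    if not relayhost:
        return ["relayhost is not set"]
    if params.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        problems.append("smtp_sasl_auth_enable is not 'yes'")

    # The lookup key must be the relayhost string verbatim (brackets, port and all).
    if relayhost not in creds:
        problems.append("no sasl_passwd entry keyed exactly %r (keys present: %s)"
                        % (relayhost, sorted(creds)))
    else:
        user, sep, password = creds[relayhost].partition(":")
        if not (sep and user and password):
            problems.append("entry for %r is not in user:password form" % relayhost)

    # A reusable password should only ever travel inside TLS.
    if params.get("smtp_tls_security_level", "none") not in ("encrypt", "secure"):
        problems.append("smtp_tls_security_level should be 'encrypt' or 'secure'")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", SASL_PASSWD_BROKEN), ("fixed", SASL_PASSWD_FIXED)):
        print(label, check_relay_credentials(MAIN_CF, text) or "OK")
```

After editing the file, run postmap hash:/etc/postfix/sasl_passwd so the .db
is rebuilt, and keep both sasl_passwd and sasl_passwd.db root-owned with mode
0600, since they hold a reusable credential; where the provider offers a
dedicated app password, use that rather than the account password.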


Re: SA-Update cronjob output rejected by ISP for containing spam

2019-06-22 Thread Chris Pollock
On Sat, 2019-06-22 at 16:10 -0700, John Hardin wrote:
> On Sat, 22 Jun 2019, Chris Pollock wrote:
> 
> > On Sat, 2019-06-22 at 10:29 -0700, John Hardin wrote:
> > > On Sat, 22 Jun 2019, Chris Pollock wrote:
> > > 
> > > > I'm not sure how to exactly word the problem so the subject is
> > > > the best I can do for now. Whenever a cronjob is run a message is
> > > > sent out via postfix to me with the contents of that cronjob. This
> > > > morning when the SA-Update cronjob was run I didn't receive the
> > > > output back (this has been going on since 7 June but that's
> > > > another story). I looked at my syslog and saw this:
> > > > 
> > > > https://pastebin.com/hHR0Rvii
> > > > 
> > > > Since I can't see the debug output of SA-Update I have no idea
> > > > what CenturyLink's spam filter hit on. I looked back through a
> > > > week's worth of syslogs and this is the only time that the message
> > > > was rejected for containing spam. Any ideas what was in the latest
> > > > rule updates to cause this?
> > > 
> > > Not without seeing the message itself. Is there any way for you to
> > > pastebin a copy of the message that was sent?
> > 
> > Sorry John, it's been removed from the queue
> > > 
> > > Can you twiddle the aliasing so that the message is (temporarily,
> > > at least) delivered to a local mailbox in addition to the regular
> > > recipients?
> > 
> > I've been trying to figure that out. What I have done is switch
> > postfix over to using my GMail account however I've run into a tiny
> > roadblock.
> 
> How about delivery to a local mailbox?
> 
I'll have to work on doing that tomorrow John, burned out from messing
with this all day. It should be a lot easier than trying to figure out
the GMail problem.

> 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:22:30 up 2 days, 2:32, 1 user, load average: 1.12, 1.04, 1.01
Description:Ubuntu 18.04.2 LTS, kernel 4.18.0-22-generic





Re: SA-Update cronjob output rejected by ISP for containing spam

2019-06-22 Thread Chris Pollock
On Sat, 2019-06-22 at 10:29 -0700, John Hardin wrote:
> On Sat, 22 Jun 2019, Chris Pollock wrote:
> 
> > I'm not sure how to exactly word the problem so the subject is the
> > best I can do for now. Whenever a cronjob is run a message is sent
> > out via postfix to me with the contents of that cronjob. This
> > morning when the SA-Update cronjob was run I didn't receive the
> > output back (this has been going on since 7 June but that's another
> > story). I looked at my syslog and saw this:
> > 
> > https://pastebin.com/hHR0Rvii
> > 
> > Since I can't see the debug output of SA-Update I have no idea what
> > CenturyLink's spam filter hit on. I looked back through a week's
> > worth of syslogs and this is the only time that the message was
> > rejected for containing spam. Any ideas what was in the latest rule
> > updates to cause this?
> 
> Not without seeing the message itself. Is there any way for you to 
> pastebin a copy of the message that was sent?

Sorry John, it's been removed from the queue
> 
> Can you twiddle the aliasing so that the message is (temporarily, at 
> least) delivered to a local mailbox in addition to the regular
> recipients?

I've been trying to figure that out. What I have done is switch postfix
over to using my GMail account however I've run into a tiny roadblock.
I keep getting 

localhost postfix/smtp[14383]: 893FD1000B19: to=, relay=smtp.gmail.com[209.85.235.109]:587, delay=0.48, delays=0.1/0.04/0.31/0.03, dsn=5.5.1, status=bounced (host smtp.gmail.com[209.85.235.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1  https://support.google.com/mail/?p=WantAuthError k99sm2494546otk.12 - gsmtp (in reply to MAIL FROM command))

And I can't for the life of me figure out why. I've gone over my
postfix main.cf and other files for the past 4hrs and still can't find
a problem with any of them.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
17:54:24 up 2 days, 4 min, 1 user, load average: 1.69, 1.46, 1.32
Description:Ubuntu 18.04.2 LTS, kernel 4.18.0-22-generic





SA-Update cronjob output rejected by ISP for containing spam

2019-06-22 Thread Chris Pollock
I'm not sure how to exactly word the problem so the subject is the best
I can do for now. Whenever a cronjob is run a message is sent out via
postfix to me with the contents of that cronjob. This morning when the
SA-Update cronjob was run I didn't receive the output back (this has
been going on since 7 June but that's another story). I looked at my
syslog and saw this:

https://pastebin.com/hHR0Rvii

Since I can't see the debug output of SA-Update I have no idea what
CenturyLink's spam filter hit on. I looked back through a week's worth of
syslogs and this is the only time that the message was rejected for
containing spam. Any ideas what was in the latest rule updates to cause
this?


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
11:56:52 up 1 day, 18:07, 1 user, load average: 1.21, 0.70, 0.65
Description:Ubuntu 18.04.2 LTS, kernel 4.18.0-22-generic




Re: Ransom spam body is .jpg

2019-05-24 Thread Chris Pollock
On Fri, 2019-05-24 at 18:29 -0700, John Hardin wrote:
> On Fri, 24 May 2019, Chris Pollock wrote:
> 
> > This is the 2nd of these ransom spams I've received where the body
> > of the message is a .jpg. Below is the body and also a link to the
> > headers and body
> > 
> > https://photos.app.goo.gl/DGcjySsnEHL3uKBa7
> > 
> > https://pastebin.com/xNRZ5UeC
> 
> There's not a whole lot that can help with that other than DCC/Razor.
> 
> There were bitcoin extortion spams using images to avoid text matching
> a while ago, but the fact that the spam doesn't include the bitcoin
> wallet ID in the body (for cut and paste) makes it harder to comply
> with the extortion demand. They didn't last too long, and I'm
> surprised that they are popping up again.
> 
> About the only way to deal with this would be an OCR plugin that,
> rather than trying to match specific words as the old FuzzyOCR did,
> instead scans the entire image and pastes the text into a body element
> similar to what is done for HTML body parts.
> 
> There are a few things that might add enough points to push it over
> the spam threshold; I notice for instance the List-Help and
> potentially List-ID headers.
> 
Thanks John, fortunately both of these that I've received have hit
above the 5 point threshold due to other rules hit.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
21:01:41 up 9 days, 13:20, 1 user, load average: 1.50, 1.20, 1.09
Description:Ubuntu 18.04.2 LTS, kernel 4.15.0-50-generic





Ransom spam body is .jpg

2019-05-24 Thread Chris Pollock
This is the 2nd of these ransom spams I've received where the body of
the message is a .jpg. Below is the body and also a link to the headers
and body

https://photos.app.goo.gl/DGcjySsnEHL3uKBa7

https://pastebin.com/xNRZ5UeC

The SA Markup is:

Content analysis details:   (12.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                            no trust
                            [54.240.8.24 listed in list.dnswl.org]
 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5590]
 3.3 KB_FORGED_MOZ4         Mozilla 4 uses X-Mailer
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.7 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of words
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not
                            necessarily valid
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
 0.8 KAM_INFOUSMEBIZ        Prevalent use of .info|.us|.me|.me.uk|.biz
                            domains in spam/malware
 2.3 FORGED_MUA_MOZILLA     Forged mail pretending to be from Mozilla
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

DCC Results are localhost 104; Body=1 Fuz1=1 Fuz2=many
DCC Brand is x.dcc-servers
PYZOR Results are Reported 0 times.

I don't know if a rule exists for something like this or not. 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:04:36 up 9 days, 12:23, 1 user, load average: 1.15, 1.15, 1.12
Description:Ubuntu 18.04.2 LTS, kernel 4.15.0-50-generic




Re: Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header

2018-12-13 Thread Chris Pollock
On Thu, 2018-12-13 at 17:08 -0500, Bill Cole wrote:
> On 13 Dec 2018, at 16:24, Chris Pollock wrote:
> 
> > On Thu, 2018-12-13 at 15:14 -0600, Chris Pollock wrote:
> > > On Tue, 2018-12-11 at 19:00 -0500, Bill Cole wrote:
> > > > On 11 Dec 2018, at 16:37, Chris Pollock wrote:
> > > > 
> > > > > On Mon, 2018-12-10 at 13:09 -0500, Bill Cole wrote:
> > > > 
> > > > [...]
> > > > > > Anyway, as of today I've capped those 2 subrules at levels
> > > > > > which leave ample space to still match the target spam.
> > > > > > Should show up in tomorrow's update.
> > > > 
> > > > I was wrong. The addition of a 'maxhits' parameter to the two
> > > > subrules apparently didn't get committed in time for the
> > > > nightly rule promotion run. It was in r1848602 and the current
> > > > ruleset is still at r1848555. Assuming all goes well tonight,
> > > > the change will appear tomorrow.
> > > > 
> > > 
> > > Shouldn't this have stopped by now - 
> > > https://pastebin.com/7260daT3
> > > Today's update was '1848731'.
> > > 
> > 
> > Hit send too fast. Doing a compare between 72_active.cf dated the
> > 11th and the one dated today I do see:
> > 
> > Dated 11 Dec
> > if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
> >   ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
> > body    __E_LIKE_LETTER //
> > tflags  __E_LIKE_LETTER multiple
> > 
> > if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
> >   ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
> > body    __LOWER_E       /e/i
> > tflags  __LOWER_E       multiple
> > 
> > Dated today 13 Dec
> > if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
> >   ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
> > body    __E_LIKE_LETTER //
> > tflags  __E_LIKE_LETTER multiple maxhits=400
> > 
> > if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
> >   ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
> > body    __LOWER_E       /e/
> > tflags  __LOWER_E       multiple maxhits=250
> > 
> > IIUC then __E_LIKE_LETTER can hit a max of 400 times in one message
> > and __LOWER_E a max of 250 times in one message.
> 
> For now, yes. Those numbers were the result of a mis-think on my part
> and will be 320 and 230 once the current rev works its way through.
> 
> > Therefore I may still have
> > a large listing of subtest ran.
> 
> Yes.
> I don't expect that behavior to change. SA has always tallied rules
> and sub-rules with multiple matches and the 'multiple' tflag this way
> and I see no compelling reason to change that. It almost certainly
> will not change for 3.4.3, which should be the last 3.4.x release.
> If there's a bug opened and someone is willing to work on code for
> whatever changes need to be made to collapse duplicate hit names in
> the lists of rule matches into a single citation with a count of
> hits, I expect that change would be accepted for v4, even though it
> may impact existing users' tooling.
> 
Thanks very much Bill, appreciate the explanation. 

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:47:20 up 5 days, 21:11, 1 user, load average: 0.91, 0.77, 0.67
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic





Re: Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header

2018-12-13 Thread Chris Pollock
On Thu, 2018-12-13 at 15:14 -0600, Chris Pollock wrote:
> On Tue, 2018-12-11 at 19:00 -0500, Bill Cole wrote:
> > On 11 Dec 2018, at 16:37, Chris Pollock wrote:
> > 
> > > On Mon, 2018-12-10 at 13:09 -0500, Bill Cole wrote:
> > 
> > [...]
> > > > Anyway, as of today I've capped those 2 subrules at levels
> > > > which leave ample space to still match the target spam. Should
> > > > show up in tomorrow's update.
> > 
> > I was wrong. The addition of a 'maxhits' parameter to the two
> > subrules apparently didn't get committed in time for the nightly
> > rule promotion run. It was in r1848602 and the current ruleset is
> > still at r1848555. Assuming all goes well tonight, the change will
> > appear tomorrow.
> > 
> 
> Shouldn't this have stopped by now - https://pastebin.com/7260daT3
> Today's update was '1848731'.
> 
Hit send too fast. Doing a compare between 72_active.cf dated the 11th
and the one dated today I do see:

Dated 11 Dec
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body    __E_LIKE_LETTER //
tflags  __E_LIKE_LETTER multiple

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body    __LOWER_E       /e/i
tflags  __LOWER_E       multiple

Dated today 13 Dec
if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body    __E_LIKE_LETTER //
tflags  __E_LIKE_LETTER multiple maxhits=400

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body    __LOWER_E       /e/
tflags  __LOWER_E       multiple maxhits=250

IIUC then __E_LIKE_LETTER can hit a max of 400 times in one message and
__LOWER_E a max of 250 times in one message. Therefore I may still have
a large listing of subtest ran.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:16:48 up 5 days, 19:40, 1 user, load average: 1.25, 0.89, 0.67
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic




Re: Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header

2018-12-13 Thread Chris Pollock
On Tue, 2018-12-11 at 19:00 -0500, Bill Cole wrote:
> On 11 Dec 2018, at 16:37, Chris Pollock wrote:
> 
> > On Mon, 2018-12-10 at 13:09 -0500, Bill Cole wrote:
> 
> [...]
> > > Anyway, as of today I've capped those 2 subrules at levels which
> > > leave ample space to still match the target spam. Should show up
> > > in tomorrow's update.
> 
> I was wrong. The addition of a 'maxhits' parameter to the two
> subrules apparently didn't get committed in time for the nightly rule
> promotion run. It was in r1848602 and the current ruleset is still at
> r1848555. Assuming all goes well tonight, the change will appear
> tomorrow.
> 
Shouldn't this have stopped by now - https://pastebin.com/7260daT3
Today's update was '1848731'.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:07:23 up 5 days, 19:31, 1 user, load average: 0.64, 0.73, 0.51
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic




Re: Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header

2018-12-11 Thread Chris Pollock
On Tue, 2018-12-11 at 19:00 -0500, Bill Cole wrote:
> On 11 Dec 2018, at 16:37, Chris Pollock wrote:
> 
> > On Mon, 2018-12-10 at 13:09 -0500, Bill Cole wrote:
> 
> [...]
> > > Anyway, as of today I've capped those 2 subrules at levels which
> > > leave ample space to still match the target spam. Should show up
> > > in tomorrow's update.
> 
> I was wrong. The addition of a 'maxhits' parameter to the two
> subrules apparently didn't get committed in time for the nightly rule
> promotion run. It was in r1848602 and the current ruleset is still at
> r1848555. Assuming all goes well tonight, the change will appear
> tomorrow.
> 
> Rule updates never work quite as fast as I hope...

Ah, thanks for that Bill. I'll be sure to check the debug output when
sa-update is run tomorrow for the update version.

> 
> > I see in today's update that the subrule was changed from this:
> > 
> > if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
> >   ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
> > meta     T_MIXED_ES  ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( ( __E_LIKE_LETTER / __LOWER_E ) < 10 )
> > describe T_MIXED_ES  Too many es are not es
> 
> That's the functional meta-rule.
> 
> 
> > To this:
> > 
> > if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
> >   ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
> > body    __E_LIKE_LETTER //
> > tflags  __E_LIKE_LETTER multiple
> 
> That's one subrule. Once my change filters through the update
> process, the 'tflags' lines for __E_LIKE_LETTER and __LOWER_E will
> be:
> 
> tflags  __LOWER_E       multiple maxhits=250
> tflags  __E_LIKE_LETTER multiple maxhits=400
> 
> 

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:24:10 up 3 days, 23:48, 1 user, load average: 1.21, 0.58, 0.31
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic





Re: Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header

2018-12-11 Thread Chris Pollock
On Mon, 2018-12-10 at 13:09 -0500, Bill Cole wrote:
> On 9 Dec 2018, at 18:23, Chris Pollock wrote:
> 
> > On Sun, 2018-12-09 at 13:06 -0500, Bill Cole wrote:
> > > On 9 Dec 2018, at 12:04, Chris Pollock wrote:
> > > 
> > > > This is probably very trivial and doesn't affect anything
> > > > except maybe the size of the headers but I have to ask. When
> > > > looking at the headers of some ham I noticed -
> > > > https://pastebin.com/H7euxqVX the two rules I mention above are
> > > > in 72_active.cf. Is there a reason for the number of times it's
> > > > listed? Couldn't each subtest be listed just once instead of
> > > > multiple times?
> > > 
> > > Not with the current documented behavior of the code, given the
> > > way those sub-rules are designed to work together. The goal is to
> > > identify messages which use Latin-script 'e' characters but also
> > > use many non-Latin-script characters which look like 'e' but are
> > > not. To make this determination, the rules require the 'multiple'
> > > flag without a cap on the number of matches which a 'maxhits'
> > > parameter would set.
> > 
> > Got it, thanks Bill. I've never noticed this before. I also noticed
> > that according to my daily sa-update output this subtest is
> > apparently new or at least it didn't appear in the output until
> > this past Fri.
> 
> Correct. See the thread with the subject "No longer just embedded =9D
> characters in blackmail emails" here last week for the background.
> 
> > > 
> > > It is not recommended to routinely add the list of matched
> > > sub-rules to scanned messages.
> > > 
> > 
> > Any specific reason why? This is just on my home system.
> 
> It's got the potential to be VERY noisy (as you've discovered) while
> not really providing much useful info.  Not a big deal on a small
> system.
> 
> 
> Anyway, as of today I've capped those 2 subrules at levels which
> leave ample space to still match the target spam. Should show up in
> tomorrow's update.

I see in today's update that the subrule was changed from this:

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
meta     T_MIXED_ES  ( __LOWER_E > 20 ) && ( __E_LIKE_LETTER > ( (__LOWER_E * 14 ) / 10) ) && ( ( __E_LIKE_LETTER / __LOWER_E ) < 10 )
describe T_MIXED_ES  Too many es are not es

To this:

if can(Mail::SpamAssassin::Conf::feature_bug6558_free)
  ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
body    __E_LIKE_LETTER //
tflags  __E_LIKE_LETTER multiple

SA-update was run at 12:03pm here on my box. A message that came in
well after the update still shows nearly the same output as before

https://pastebin.com/aSXVj5ri

I can't see where the update made any difference Bill. However, maybe I
don't understand the rule and it's doing what it's supposed to.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:24:32 up 3 days, 19:48, 1 user, load average: 0.54, 0.55, 0.33
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic




Re: Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header

2018-12-11 Thread Chris Pollock
On Mon, 2018-12-10 at 13:09 -0500, Bill Cole wrote:
> On 9 Dec 2018, at 18:23, Chris Pollock wrote:
> 
> > On Sun, 2018-12-09 at 13:06 -0500, Bill Cole wrote:
> > > On 9 Dec 2018, at 12:04, Chris Pollock wrote:
> > > 
> > > > This is probably very trivial and doesn't affect anything
> > > > except maybe the size of the headers but I have to ask. When
> > > > looking at the headers of some ham I noticed -
> > > > https://pastebin.com/H7euxqVX the two rules I mention above are
> > > > in 72_active.cf. Is there a reason for the number of times it's
> > > > listed? Couldn't each subtest be listed just once instead of
> > > > multiple times?
> > > 
> > > Not with the current documented behavior of the code, given the
> > > way those sub-rules are designed to work together. The goal is to
> > > identify messages which use Latin-script 'e' characters but also
> > > use many non-Latin-script characters which look like 'e' but are
> > > not. To make this determination, the rules require the 'multiple'
> > > flag without a cap on the number of matches which a 'maxhits'
> > > parameter would set.
> > 
> > Got it, thanks Bill. I've never noticed this before. I also noticed
> > that according to my daily sa-update output this subtest is
> > apparently new or at least it didn't appear in the output until
> > this past Fri.
> 
> Correct. See the thread with the subject "No longer just embedded =9D
> characters in blackmail emails" here last week for the background.
> 
> > > 
> > > It is not recommended to routinely add the list of matched
> > > sub-rules to scanned messages.
> > > 
> > 
> > Any specific reason why? This is just on my home system.
> 
> It's got the potential to be VERY noisy (as you've discovered) while
> not really providing much useful info.  Not a big deal on a small
> system.
> 
I could just go through and comment out this line in my local.cf
add_header all Subtest Ran _SUBTESTS(,)_
but I periodically like to see what's going on.

> 
> Anyway, as of today I've capped those 2 subrules at levels which
> leave ample space to still match the target spam. Should show up in
> tomorrow's update.
Thanks Bill, I'll see how it looks after today's update.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:51:45 up 3 days, 13:15, 1 user, load average: 0.27, 0.59, 0.64
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic




Re: Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header

2018-12-09 Thread Chris Pollock
On Sun, 2018-12-09 at 13:06 -0500, Bill Cole wrote:
> On 9 Dec 2018, at 12:04, Chris Pollock wrote:
> 
> > This is probably very trivial and doesn't affect anything except
> > maybe the size of the headers but I have to ask. When looking at
> > the headers of some ham I noticed - https://pastebin.com/H7euxqVX
> > the two rules I mention above are in 72_active.cf. Is there a
> > reason for the number of times it's listed? Couldn't each subtest
> > be listed just once instead of multiple times?
> 
> Not with the current documented behavior of the code, given the way 
> those sub-rules are designed to work together. The goal is to
> identify messages which use Latin-script 'e' characters but also use
> many non-Latin-script characters which look like 'e' but are not. To
> make this determination, the rules require the 'multiple' flag
> without a cap on the number of matches which a 'maxhits' parameter
> would set.

Got it, thanks Bill. I've never noticed this before. I also noticed
that according to my daily sa-update output this subtest is apparently
new or at least it didn't appear in the output until this past Fri. 
> 
> It is not recommended to routinely add the list of matched sub-rules
> to scanned messages.
> 
Any specific reason why? This is just on my home system.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:26:13 up 1 day, 20:50, 1 user, load average: 1.37, 0.78, 0.54
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic




Subtest __E_LIKE_LETTER and __LOWER_E listed many times in message header

2018-12-09 Thread Chris Pollock
This is probably very trivial and doesn't affect anything except maybe
the size of the headers but I have to ask. When looking at the headers
of some ham I noticed - https://pastebin.com/H7euxqVX the two rules I
mention above are in 72_active.cf. Is there a reason for the number of
times it's listed? Couldn't each subtest be listed just once instead of
multiple times? 

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
10:58:20 up 1 day, 15:22, 1 user, load average: 0.67, 0.49, 0.31
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic




Re: Cannot install SpamAssassin on Ubuntu 18.04.1 (gpg not found?)

2018-10-26 Thread Chris Pollock
On Thu, 2018-10-25 at 15:23 +0100, Dominic Raferd wrote:
> 
> 
> On Thu, 25 Oct 2018 at 15:16, RW  wrote:
> > On Thu, 25 Oct 2018 16:07:02 +0200
> > Matus UHLAR - fantomas wrote:
> > 
> > > >On Thu, 25 Oct 2018 08:37:45 -0400 Alexander Lieflander wrote:  
> > > >> As a side-note, it seems like the error message returned by dpkg
> > > >> (and thus SpamAssassin, I guess) is incorrect. Where it mentions
> > > >> “sa-compile”, it should really be mentioning “sa-update”, as the
> > > >> man page for sa-update contains the “--nogpg” option, and the man
> > > >> page for sa-compile does not.  
> > > 
> > > where did it say sa-compile? 
> > 
> > It failed when sa-compile was being installed
> > 
> > > nothing with sa-compile.
> > > 
> > > On 25.10.18 14:37, RW wrote:
> > > >This is a consequence of Ubuntu (or Debian) splitting off sa-compile
> > > >into a separate  package. The error occurred  while checking
> > > >sa-compile's dependency, the spamassassin package.  
> > > 
> > > this should not happen at all. when sa-compile is installed,
> > > spamassassin (and sa-update) should be installed and configured.
> > 
> > I would guess that there was no problem when spamassassin was installed
> > and sa-compile was installed later.
> 
> I am using SA on Ubuntu 18.04 without any such problems. Looking at
> the package changelogs for SA 3.4.1-8 under Debian/Ubuntu they are
> identical except that, for Ubuntu 18.04, SA was rebuilt
> against openssl1.1. The only sadness is that Ubuntu 18.04 is
> currently stuck with 3.4.1 (3.4.2 is available on 18.10).

FWIW back on 9 Oct I submitted a bug report regarding 3.4.2 for 18.04

https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1796863

I'm hoping that it will be available soon.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:23:12 up 3 days, 16:37, 1 user, load average: 1.08, 0.96, 0.75
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-38-generic


signature.asc
Description: This is a digitally signed message part


Current update channels

2018-09-19 Thread Chris Pollock
I noticed in a post that Kevin McGrail made that the 'sought' rules are
no longer published. So, my update-channels file that SA-Update reads
should have only one entry:

updates.spamassassin.org

Is that correct?

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
14:38:23 up 3 days, 21:09, 1 user, load average: 0.73, 0.72, 0.41
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-34-generic

signature.asc
Description: This is a digitally signed message part


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

2018-09-16 Thread Chris
On Sun, 2018-09-16 at 20:54 -0400, Kevin A. McGrail wrote:
> Please point them here if they need help.  It is a good drop in
> upgrade.

I would assume it being a security update they'd be on the ball. I'll
wait a few days before I ask about it. I could install via cpan but
would rather wait on the package since that's what was installed when I
did the 16.04->18.04 upgrade.
apt-cache policy spamassassin
spamassassin:
  Installed: 3.4.1-8build1
  Candidate: 3.4.1-8build1
  Version table:
 *** 3.4.1-8build1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
> On Sun, Sep 16, 2018, 20:45 Chris  wrote:
> > On Sun, 2018-09-16 at 11:03 -0400, Kevin A. McGrail wrote:
> > > Good Morning,
> > > 
> > > On behalf of the Apache SpamAssassin Project Management Committee, I
> > > am very pleased to announce the release of Apache SpamAssassin
> > > v3.4.2. This release contains security bug fixes.  A security
> > > announcement will follow within the next 24 hours.
> > > 
> > > Apache SpamAssassin can be downloaded from
> > > https://spamassassin.apache.org/downloads.cgi and via cpan
> > > (Mail::SpamAssassin).
> > > 
> > I assume that once the Ubuntu folks get the security announcement
> > they'll build and release the 3.4.2 package?
> > 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:02:34 up 1 day, 2:33, 2 users, load average: 0.99, 0.79, 0.87
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-34-generic


signature.asc
Description: This is a digitally signed message part


Re: [ANNOUNCE] Apache SpamAssassin 3.4.2 available

2018-09-16 Thread Chris
On Sun, 2018-09-16 at 11:03 -0400, Kevin A. McGrail wrote:
> Good Morning,
> 
> On behalf of the Apache SpamAssassin Project Management Committee, I
> am
> very pleased to announce the release of Apache SpamAssassin v3.4.2. 
> This release contains security bug fixes.  A security announcement
> will
> follow within the next 24 hours.
> 
> Apache SpamAssassin can be downloaded from
> https://spamassassin.apache.org/downloads.cgi and via cpan
> (Mail::SpamAssassin).
> 
I assume that once the Ubuntu folks get the security announcement
they'll build and release the 3.4.2 package?

> 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:44:06 up 1 day, 2:14, 2 users, load average: 0.89, 1.11, 1.00
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-34-generic


signature.asc
Description: This is a digitally signed message part


Re: KAM.cf update script

2018-08-18 Thread Chris
On Sat, 2018-08-18 at 18:46 +0100, jpff wrote:
> I have an entry in /etc/cron.daily
> 
> #!/bin/csh
> 
> cd /etc/spamassassin
> 
> mv KAM.cf KAM.cf.old
> /usr/bin/wget http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf
> /usr/bin/diff KAM.cf KAM.cf.old | /usr/bin/mail -s KAM_changes jpff
> /bin/systemctl -l reload spamassassin.service
> 
> exit 0
> 
> Seems to work OK; nothing special
> 
Thanks, looks good, I'll give it a try.

> 
> On Sat, 18 Aug 2018, Chris wrote:
> 
> > Does anyone have a script that I can run as a cron job to update
> the
> > KAM.cf file?
> >
> > Thanks
> > Chris
> >
> > -- 
> > Chris
> > KeyID 0xE372A7DA98E6705C
> > 31.11972; -97.90167 (Elev. 1092 ft)
> > 12:27:45 up 14:39, 1 user, load average: 8.88, 3.45, 1.40
> > Description:  Ubuntu 18.04.1 LTS, kernel 4.15.0-32-generic
> >
> 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
12:49:37 up 15:01, 2 users, load average: 1.67, 3.06, 2.44
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-32-generic


signature.asc
Description: This is a digitally signed message part


KAM.cf update script

2018-08-18 Thread Chris
Does anyone have a script that I can run as a cron job to update the
KAM.cf file?

Thanks
Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
12:27:45 up 14:39, 1 user, load average: 8.88, 3.45, 1.40
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-32-generic


signature.asc
Description: This is a digitally signed message part


Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread Chris
On Fri, 2018-08-17 at 23:00 +0100, RW wrote:
> On Fri, 17 Aug 2018 16:25:14 -0500
> Chris wrote:
> 
> > Early on when SA-Compile was run I did manage to capture this:
> > 
> > Running sa-compile (may take a long time)
> > Unescaped left brace in regex is deprecated here (and will be fatal
> > in
> > Perl 5.30), passed through in regex; marked by <-- HERE in
> > m/(?is)(POWERBALL LOTTO|freelotto group|Royal Heritage
> > Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand
> > Promotions|Lottery Department UK|Euromillion Loteria|Luckyday
> > International Lottery|International Lottery|Euro - Afro Asian
> > Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION
> > DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale
> > Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA
> > JACKPOT|MICROSOFT
> > EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National
> > Lottery|claim.{1,10}your.gbp|won.you.{ <-- HERE 1,10]gbp)/ at
> > /usr/share/perl5/Mail/SpamAssassin/Conf/Parser.pm line 1391.
> 
> 
> 
> This looks like a straightforward typo in one of your own rules
> 
>won.you.{1,10]gbp
> 
> instead of 
> 
>won.you.{1,10}gbp

Not in one of my rules:

/etc/mail/spamassassin$ grep -i "POWERBALL" KAM.cf
body    __KAM_LOTTO5    /(POWERBALL LOTTO|freelotto group|Royal Heritage Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand Promotions|Lottery Department UK|Euromillion Loteria|Luckyday International Lottery|International Lottery|Euro - Afro Asian Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National Lottery|claim.{1,10}your.gbp|won.you.{1,10]gbp)/is
header  __KAM_LOTTO8    From =~ /Lottery|powerball|western.union/i


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
17:40:12 up 1:39, 1 user, load average: 1.32, 1.09, 2.13
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-32-generic


signature.asc
Description: This is a digitally signed message part

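Two threads here point at the same weak spot. The KAM.cf cron script posted above (mv the live file aside, wget over plain HTTP, reload spamd) leaves no KAM.cf at all if the download fails and never checks what it fetched before spamd loads it; the `won.you.{1,10]gbp` quantifier that surfaced in this thread during the 18.04 upgrade is exactly the sort of thing to catch before a reload. What follows is an added example, not jpff's script and not anything from the KAM project: fetch to a temp file, validate a staged copy of the site config, keep the previous version, swap atomically. `sa_lint_stage`, `fetch_candidate`, `install_if_valid` and `update_rules` are names chosen for this example; running `spamassassin --siteconfigpath=<stage> --lint` as the validator is an assumption about how one would check a candidate (the thread shows nothing of the kind), and the test exercised here substitutes `true`/`false` for it. The path `/etc/mail/spamassassin` and the download URL are the ones visible in the threads.

```shell
#!/bin/sh
# Added example, not the thread's script: update a SpamAssassin rule file
# (here KAM.cf) without ever leaving the live file missing or unvalidated.
# Function names and the lint-as-validator idea are this example's own.

# Intended validator (an assumption; not exercised by the offline test):
# lint the staged site config the way spamd would load it.
sa_lint_stage() {
    spamassassin --siteconfigpath="$1" --lint
}

# Download to a caller-supplied temp path. The live file is untouched.
fetch_candidate() {
    url=$1; out=$2
    wget -q -O "$out" "$url" || { rm -f "$out"; return 1; }
}

# install_if_valid CANDIDATE DEST VALIDATOR
# VALIDATOR is run with one argument: a staging directory holding a copy of
# DEST's directory with CANDIDATE dropped in under DEST's name. A non-zero
# exit rejects the candidate. Returns 0 installed, 1 unchanged, 2 rejected.
install_if_valid() {
    candidate=$1; dest=$2; validator=$3
    destdir=$(dirname "$dest")
    # An empty or missing download is the failure "mv old; wget new" cannot
    # survive: reject it instead of installing nothing.
    if [ ! -s "$candidate" ]; then
        echo "reject: candidate is empty or missing" >&2; return 2
    fi
    [ -d "$destdir" ] || { echo "reject: $destdir does not exist" >&2; return 2; }
    # Identical content: nothing to install, nothing to reload.
    if [ -f "$dest" ] && cmp -s "$candidate" "$dest"; then
        return 1
    fi
    # Stage the whole site config plus the candidate, and let the validator
    # judge the result as one config (local.cf and friends included).
    stage=$(mktemp -d) || return 2
    cp -R "$destdir"/. "$stage"/
    cp "$candidate" "$stage/$(basename "$dest")"
    if ! $validator "$stage"; then
        echo "reject: validator '$validator' failed on staged config" >&2
        rm -rf "$stage"; return 2
    fi
    rm -rf "$stage"
    # Keep the previous version for diffing and rollback, then swap with a
    # rename in the same directory so spamd never reads a half-written file.
    [ -f "$dest" ] && cp -p "$dest" "$dest.old"
    newf="$dest.new.$$"
    cp "$candidate" "$newf" && mv -f "$newf" "$dest"
}

# update_rules URL DEST [VALIDATOR]: fetch, validate, install. Same return
# codes as install_if_valid; a failed download counts as rejected (2).
update_rules() {
    url=$1; dest=$2; validator=${3:-sa_lint_stage}
    tmp=$(mktemp) || return 2
    if fetch_candidate "$url" "$tmp"; then
        install_if_valid "$tmp" "$dest" "$validator"; rc=$?
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Cron usage (URL and path as posted in the threads; reload only on 0):
#   update_rules http://www.pccc.com/downloads/SpamAssassin/contrib/KAM.cf \
#       /etc/mail/spamassassin/KAM.cf && systemctl reload spamassassin.service
```

Reload only when `update_rules` returns 0, and mail `diff KAM.cf.old KAM.cf` afterwards as the original script does. Whether a lint pass would have flagged `{1,10]` is not settled by the thread (the captured warning says it is only deprecated, fatal from Perl 5.30), so treat the validator as a hook and make it as strict as your setup allows.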

Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread Chris
On Fri, 2018-08-17 at 14:46 -0700, John Hardin wrote:
> On Fri, 17 Aug 2018, Chris wrote:
> 
> > Early on
> > when SA-Compile was run I did manage to capture this:
> > 
> > Running sa-compile (may take a long time)
> > Unescaped left brace in regex is deprecated here (and will be fatal
> > in
> > Perl 5.30), passed through in regex; marked by <-- HERE in
> > m/(?is)(POWERBALL LOTTO|freelotto group|Royal Heritage
> > Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand
> > Promotions|Lottery Department UK|Euromillion Loteria|Luckyday
> > International Lottery|International Lottery|Euro - Afro Asian
> > Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION
> > DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale
> > Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA
> > JACKPOT|MICROSOFT
> > EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National
> > Lottery|claim.{1,10}your.gbp|won.you.{ <-- HERE 1,10]gbp)/ at
> > /usr/share/perl5/Mail/SpamAssassin/Conf/Parser.pm line 1391.
> 
> That doesn't appear to be a stock rule. Do you know where it came
> from?
> 
No, not sure John but here are the two channels I query for updates

updates.spamassassin.org
sought.rules.yerp.org

I just noticed looking at the output of my rules update cronjob I see:

module not installed: Digest::SHA1 ('require' failed)
module not installed: Razor2::Client::Agent ('require' failed)

They were there prior to my upgrade last night. I'll install them and
maybe that will fix the issue?

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:58:24 up 58 min, 1 user, load average: 0.82, 0.80, 1.23
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-32-generic

signature.asc
Description: This is a digitally signed message part


Re: Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread Chris
On Fri, 2018-08-17 at 17:54 +0100, Dominic Raferd wrote:
> 
> 
> On Fri, 17 Aug 2018 at 17:34, Chris  wrote:
> > I noticed last night while updating to 18.04.1 that there were
> > warnings
> > about SA Compile. I tried to copy to the clipboard however that
> > didn't work. I did manage to capture this:
> > 
> > installed sa-compile package post-installation script subprocess
> > returned error exit status 13
> > 
> > What I'm seeing in my syslog now is this:
> > 
> > Aug 17 09:01:43 localhost spamd[1837]: rules: failed to run CLAMAV
> > test, skipping:
> > Aug 17 09:01:43 localhost spamd[1837]:  (Can't locate object method
> > "check_clamav" via package "Mail::SpamAssassin::PerMsgStatus" at
> > (eval 1894) line 19.
> > Aug 17 09:01:43 localhost spamd[1837]: )
> > Aug 17 09:01:43 localhost spamd[1837]: rules: failed to run __F_DM1
> > test, skipping:
> > Aug 17 09:01:43 localhost spamd[1837]:  (Can't locate object method
> > "from_domains_mismatch" via package "Mail::SpamAssassin::PerMsgStatus"
> > at (eval 1899) line 19.
> > 
> > Any suggestions on a fix? Installed info below:
> > 
> > apt-cache policy spamassassin
> > spamassassin:
> >   Installed: 3.4.1-8build1
> >   Candidate: 3.4.1-8build1
> >   Version table:
> >  *** 3.4.1-8build1 500
> > 500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64
> > Packages
> > 500 http://us.archive.ubuntu.com/ubuntu bionic/main i386
> > Packages
> > 100 /var/lib/dpkg/status
> 
> A short answer as I am in a hurry but may help you get started. I hit
> this problem on one machine. For future reference for anyone, run
> 'sudo -u debian-spamd sa-compile' immediately *before* attempting
> upgrade to 18.04, because it is run automatically during the upgrade
> and if it fails (because of a prior error, in my case it was my bad
> syntax in /etc/spamassassin/local.cf) the whole upgrade aborts. In my
> case the final stage (removing old/redundant packages) had not
> happened.
> 
> There should be a track of what happened during the upgrade in log
> files in /var/log/dist-upgrade. Look especially at the last say 300
> lines of screenlog.0.
> 
> The way I fixed it afterwards was to follow instructions in the first
> answer at https://askubuntu.com/questions/539235/how-to-remove-obsole
> te-packages-after-failed-release-upgrade-via-do-release-upgr.
> Then found what had prevented sa-compile from completing and ran it
> through without error.
> 
> Now 18.04 plays nicely. HTH

Thanks Dominic, that was a great help. I can't believe how many old
files were on the system. I think about 500k were removed. Early on
when SA-Compile was run I did manage to capture this:

Running sa-compile (may take a long time)
Unescaped left brace in regex is deprecated here (and will be fatal in
Perl 5.30), passed through in regex; marked by <-- HERE in
m/(?is)(POWERBALL LOTTO|freelotto group|Royal Heritage
Lottery|(British|UK) National( Online)? Lottery|U\.?K\.? Grand
Promotions|Lottery Department UK|Euromillion Loteria|Luckyday
International Lottery|International Lottery|Euro - Afro Asian
Sweepstake|urawinner|Free Lotto Sweepstakes|PROMOTION
DEPARTMENT|PROMOTION\/PRIZE AWARD|Nederlandse Internationale
Loterij|EURO MILLIONS|APPLE LOTTERY ONLINE|MSW MEGA JACKPOT|MICROSOFT
EMAIL PROMO|MSNlottery|ECOWAS|Nigeria|National
Lottery|claim.{1,10}your.gbp|won.you.{ <-- HERE 1,10]gbp)/ at
/usr/share/perl5/Mail/SpamAssassin/Conf/Parser.pm line 1391.

I did fix the ClamAV.pm issue, as usual during an upgrade the
File::Scan::ClamAV module doesn't get installed for some unknown
reason.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:25:06 up 24 min, 1 user, load average: 1.11, 1.50, 2.55
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-32-generic


signature.asc
Description: This is a digitally signed message part


Update to Ubuntu 18.04.1 seems to have partially broken SA

2018-08-17 Thread Chris
I noticed last night while updating to 18.04.1 that there were warnings
about SA Compile. I tried to copy to the clipboard however that
didn't work. I did manage to capture this:

installed sa-compile package post-installation script subprocess
returned error exit status 13

What I'm seeing in my syslog now is this:

Aug 17 09:01:43 localhost spamd[1837]: rules: failed to run CLAMAV
test, skipping:
Aug 17 09:01:43 localhost spamd[1837]:  (Can't locate object method
"check_clamav" via package "Mail::SpamAssassin::PerMsgStatus" at
(eval 1894) line 19.
Aug 17 09:01:43 localhost spamd[1837]: )
Aug 17 09:01:43 localhost spamd[1837]: rules: failed to run __F_DM1
test, skipping:
Aug 17 09:01:43 localhost spamd[1837]:  (Can't locate object method
"from_domains_mismatch" via package "Mail::SpamAssassin::PerMsgStatus"
at (eval 1899) line 19.

Any suggestions on a fix? Installed info below:

apt-cache policy spamassassin
spamassassin:
  Installed: 3.4.1-8build1
  Candidate: 3.4.1-8build1
  Version table:
 *** 3.4.1-8build1 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/main i386 Packages
        100 /var/lib/dpkg/status
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
11:18:49 up 13:48, 1 user, load average: 1.43, 1.26, 1.07
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-32-generic

signature.asc
Description: This is a digitally signed message part


Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread Chris Conn



> Yeah, because 3.4.x implements maxhits.
> 
> So, should I disable the __GENERATE_LEADS family for < 3.4.0? I
> suspect it would be prudent, but I am surprised the other
> tflags=multiple rules aren't also problematic in the same manner...

Hello,

I don't think I am in a position to comment on where to go from here for
SA < 3.4.0. I am just glad I found the cause and was able to find and
share a workaround and findings to the mailing list.


This is perhaps one of many loops, I would have to check other emails; 
however, over the last 2-3 weeks, we have noted that SA started to 
become a huge memory and cpu hog, with a growing number of timeouts in 
emails not completing within 300 seconds of scan and also occasionally 
servers running out of RAM; this could be coincidence, or new rules in 
the sa-update?  In any case, here without Rule2XBody I am able to 
operate until I can get 3.4.x deployed.


Thanks again,

Chris


Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread Chris Conn


> WTF? If tflags=multiple is supported at all, it should behave properly
> (i.e. not hitting over and over on the *same bit of text*).
> 
> maxhits was implemented after 3.3.1; is it possible that there are
> just a *lot* of instances of "your business" in that test message, and
> it's simply hitting all of them?
> 
> Can anyone else confirm this on 3.3.1? Run through a test message with
> *one* instance of "your business" and get repeated hits on it in
> __GENERATE_LEADS?
> 
> While __GENERATE_LEADS is recent, there are a lot of tflags=multiple
> rules in the base ruleset that have been there for a long time - I'd
> expect this to have come up much earlier.
> 
> > I tested on Centos7 with sa-update done and rules compiled, this rule
> > does not trigger a loop.
> 
> You tested 3.3.1 on C7? Or the native 3.4.0, which does implement
> maxhits?
> 
> Are the SA 3.3.1 sources different between the C6 and C7 packages?

Hello,

To follow up; if I disable Rule2XSBody plugin (rule compilation), on 
Centos6 SA 3.3.1-3 there is no loop;



Apr 20 14:14:05.138 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "G"
Apr 20 14:14:05.138 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "A"
Apr 20 14:14:05.138 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "M"
Apr 20 14:14:05.139 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "W"
Apr 20 14:14:05.139 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "T"
Apr 20 14:14:05.139 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "G"
Apr 20 14:14:05.139 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "A"
Apr 20 14:14:05.139 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "I"
Apr 20 14:14:05.139 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "A"
Apr 20 14:14:05.139 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "I"
Apr 20 14:14:05.140 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "N"
Apr 20 14:14:05.140 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: "C"
Apr 20 14:14:05.140 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: " L"
Apr 20 14:14:05.140 [27778] dbg: rules: ran body rule __BODY_TEXT_LINE 
==> got hit: " T"
Apr 20 14:14:05.789 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.790 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.790 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.791 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.791 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.792 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.792 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.793 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.796 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.797 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.797 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.798 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.798 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.799 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.799 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.799 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:05.799 [27778] dbg: rules: ran body rule __GENERATE_LEADS 
==> got hit: "your business"
Apr 20 14:14:06.444 [27778] dbg: rules: ran body rule __HIGHBITS ==> 
got hit: "â?¢ â?? "
Apr 20 14:14:06.590 [27778] dbg: rules: running uri tests; score so 
far=4.



however, with Rule2XSBody enabled, on SA 3.3.1 on Centos6, it loops forever.

With or without Rule2XSBody on Centos7 SA 3.4.0-2 bundled SA rpm, it
works correctly.

I am disabling Rule2XSBody for now while I rebuild Centos7 boxes.


Chris

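The debug trace that pinned this down (`spamassassin -D` output showing `__GENERATE_LEADS` hitting the same "your business" dozens of times) can be turned into a quick check for the question John Hardin raises: many hits on one piece of text, or many distinct instances? The following is an added example, not code from the thread: a shell function that counts hits and distinct matched texts per rule over `-D rules` output and reports the rules above a threshold. The sample log is constructed here in the shape of the lines quoted above, not a real capture; `runaway_rules` and `sample_log` are this example's names, and the threshold of 50 is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the thread: spot runaway rules in
# "spamassassin -D rules" debug output. A tflags=multiple rule without a
# maxhits cap, such as __GENERATE_LEADS on the 3.3.1 box above, shows up as
# one rule name hitting far more often than any other, usually on the same
# bit of text every time.
# Usage: runaway_rules [THRESHOLD] < debug.log
# Output, one line per offender: "<hits> <distinct matched texts> <rule>"

runaway_rules() {
    threshold=${1:-50}
    # Line shape taken from the thread:
    #   ... dbg: rules: ran one_line_body rule __GENERATE_LEADS ==> got hit: "your business"
    awk -v thr="$threshold" '
        /dbg: rules: ran [a-z_]+ rule [A-Za-z0-9_]+ ==> got hit: / {
            for (i = 1; i <= NF; i++) {
                if ($i == "rule") { r = $(i + 1); break }
            }
            hits[r]++
            # Distinct matched texts: many hits on ONE text is the loop
            # asked about above; many hits on many texts is just a long message.
            txt = substr($0, index($0, "got hit: ") + 9)
            if (!((r, txt) in seen)) { seen[r, txt] = 1; distinct[r]++ }
        }
        END {
            for (r in hits)
                if (hits[r] >= thr) printf "%d %d %s\n", hits[r], distinct[r], r
        }
    ' | sort -rn
}

# Constructed sample in the same shape as the thread's log (not a real
# capture): 60 identical __GENERATE_LEADS hits plus a couple of normal rules.
sample_log() {
    n=0
    while [ "$n" -lt 60 ]; do
        echo 'Apr 20 13:29:48.636 [18363] dbg: rules: ran one_line_body rule __GENERATE_LEADS ==> got hit: "your business"'
        n=$((n + 1))
    done
    echo 'Apr 20 13:29:48.700 [18363] dbg: rules: ran body rule __BODY_TEXT_LINE ==> got hit: "G"'
    echo 'Apr 20 13:29:48.701 [18363] dbg: rules: ran body rule __BODY_TEXT_LINE ==> got hit: "A"'
    echo 'Apr 20 13:29:48.702 [18363] dbg: rules: ran body rule __HIGHBITS ==> got hit: "x"'
}

# Stand-alone demo. Against a real message:
#   spamassassin -D rules < msg.eml 2>&1 | runaway_rules 50
sample_log | runaway_rules 50
```

A rule reported with a high hit count and a distinct-text count of 1 is the looping behaviour seen on 3.3.1 with Rule2XSBody; a high count with an equally high distinct count is a long message doing what tflags=multiple is meant to do, and maxhits (3.4.x) is the cap for it.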

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-20 Thread Chris Conn



On 4/18/2018 10:32 AM, Benny Pedersen wrote:
> Chris Conn skrev den 2018-04-18 16:00:
> > this is a relatively old install, SA 3.3.1 on Centos6 (stock RPMs)
> 
> maybe solved in centos7 ?
> 
> i do not use precompiled problems


Hello,

I believe I found the issue.  On my Centos6 boxes with SA 3.3.1 (the 
maintained version by RedHat/CentOS), using sa-update rules, there is a 
loop;


Apr 20 13:29:48.636 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.637 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.637 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.637 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.637 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.638 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.638 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.638 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.639 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.639 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.639 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.640 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.640 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.640 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.640 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.641 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.641 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.641 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.642 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.642 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.642 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.642 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.643 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.643 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.643 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.644 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.644 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.644 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.644 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.645 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.645 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.645 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.646 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.646 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.646 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.646 [18363] dbg: rules: ran one_line_body rule 
__GENERATE_LEADS ==> got hit: "your business"
Apr 20 13:29:48.647 [18363] dbg: rules: ran o

Re: plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-18 Thread Chris Conn




> maybe solved in centos7 ?
> 
> i do not use precompiled problems

Hello,

I guess I will soon find out.  Not using bayes or anything, most plugins 
are disabled actually.  Just trying to figure out which one is 
misbehaving, as spamd grows to 4Gb of resident memory usage, at 100% 
CPU, and eventually croaks with that msg.


Thanks folks,

Chris


plugin: eval failed: __alarm__ignore__(xxx) how to troubleshoot

2018-04-18 Thread Chris Conn

Hello,

We recently started having problems on a few servers with spamd
processes starting to hog RAM (3G++ per child) and we are noting some
timeouts in the logs. As well, we are seeing this msg:


Apr 18 08:48:24 spamd[2451]: plugin: eval failed: __alarm__ignore__(156)
Apr 18 08:58:25 spamd[11283]: plugin: eval failed: __alarm__ignore__(156)
Apr 18 09:05:28 spamd[17774]: plugin: eval failed: __alarm__ignore__(156)
Apr 18 09:09:06 spamd[21486]: plugin: eval failed: __alarm__ignore__(156)
Apr 18 09:11:56 spamd[23412]: plugin: eval failed: __alarm__ignore__(156)
Apr 18 09:13:50 spamd[24872]: plugin: eval failed: __alarm__ignore__(156)
Apr 18 09:14:11 spamd[25147]: plugin: eval failed: __alarm__ignore__(246)
Apr 18 09:19:37 spamd[29797]: plugin: eval failed: __alarm__ignore__(246)
Apr 18 09:28:54 spamd[5298]: plugin: eval failed: __alarm__ignore__(246)
Apr 18 09:40:00 spamd[13590]: plugin: eval failed: __alarm__ignore__(246)
Apr 18 09:40:28 spamd[13847]: plugin: eval failed: __alarm__ignore__(246)
Apr 18 09:41:21 spamd[14389]: plugin: eval failed: __alarm__ignore__(246)
Apr 18 09:50:45 spamd[24479]: plugin: eval failed: __alarm__ignore__(331)

This alarm__ignore seems to be a function in Timeout.pm

this is a relatively old install, SA 3.3.1 on Centos6 (stock RPMs)

Any tips on how to troubleshoot the essence or root of this issue?

Thanks in advance,

Chris


Re: smtp.centurylink.net 206.152.134.66

2018-02-11 Thread Chris
On Sun, 2018-02-11 at 13:37 -0600, David Jones wrote:
> Anyone on this list that knows the mail admins/contacts for
> centurylink.net and embarqmail.com?  This mail server has legit email
> for centurylink.net and embarqmail.com plus a lot of other spam coming
> out of it.
> 
David, as you can see I use embarqmail (centurylink as my ISP). I got
this email address off of DSLreports.com - talkt...@centurylink.com as
the name of the CenturyLink tech who posts there so you might give them
a try. I've found that their Tech Support is pretty lame, especially
when it comes to problems I've had before in regards to anything
dealing with Linux or mailer issues. They're also on Twitter
(@CenturyLinkHelp) and I've sent them DMs before and pretty much get a
quick reply; however, they've never been helpful except to shake their
virtual heads and tell me to go into chat (which was useless also) or
call. You might try them though.

Sorry I couldn't be of more help.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:31:38 up 9 days, 23:04, 1 user, load average: 0.94, 0.83, 0.74
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic


signature.asc
Description: This is a digitally signed message part


Re: SA-Update exits with code 4

2018-01-31 Thread Chris
On Wed, 2018-01-31 at 13:09 -0600, David Jones wrote:
> On 01/30/2018 09:37 PM, Chris wrote:
> > 
> > > 
> > > 
> > > rules: failed to run FORGED_GMAIL_RCVD test, skipping:
> > >   (Can't locate object method
> > > "check_for_forged_gmail_received_headers" via package
> > > "Mail::SpamAssassin::PerMsgStatus" at (eval 1327) line 1447.
> > > )
> > > 
> 
> FYI.  If you have a new installation of SA that doesn't have a ruleset
> and won't install them via sa-update for another 12 hours or so, you can
> run this to manually install a ruleset from Sunday.
> 
> REV=1822449
> wget http://sa-update.ena.com/${REV}.tar.gz
> wget http://sa-update.ena.com/${REV}.tar.gz.sha1
> wget http://sa-update.ena.com/${REV}.tar.gz.asc
> sa-update -v --install ${REV}.tar.gz
> 
> Sa-update should resume working properly tomorrow.
> 
Thanks David, my SA setup is up-to-date with all rule sets. Looking
forward to tomorrow.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
17:55:53 up 1 day, 39 min, 1 user, load average: 1.30, 1.78, 2.32
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: SA-Update exits with code 4

2018-01-30 Thread Chris
On Tue, 2018-01-30 at 21:15 -0600, David Jones wrote:
> On 01/30/2018 08:04 PM, Chris wrote:
> > 
> > Yesterday there were no issues with my once a day update. Today it
> > exited with a code 4. Here is the output:
> > 
> > https://pastebin.com/aXvk0QQu
> > 
> > Any ideas on what seems to be the problem?
> > 
> > Chris
> > 
> 
> rules: failed to run FORGED_GMAIL_RCVD test, skipping:
>  (Can't locate object method 
> "check_for_forged_gmail_received_headers" via package 
> "Mail::SpamAssassin::PerMsgStatus" at (eval 1327) line 1447.
> )
> 
> This was already mentioned about 13 hours ago on this list.  I committed
> a patch to trunk where the SA rulesets are built from that has a .pm
> dependency from SA 3.4.2 that hasn't been released yet.  I added a
> version check around the new ruleset to resolve this problem but it's
> going to take another 36 hours or so to work itself out.  You will see
> another problem tomorrow but it should be OK the next day.
> 
Thanks David, I totally missed that when scrolling through the output.
I see it now and also the previous comments.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
21:36:28 up 4:19, 1 user, load average: 0.99, 1.60, 2.05
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




SA-Update exits with code 4

2018-01-30 Thread Chris
Yesterday there were no issues with my once a day update. Today it
exited with a code 4. Here is the output:

https://pastebin.com/aXvk0QQu

Any ideas on what seems to be the problem?

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:02:58 up 2:46, 1 user, load average: 0.76, 0.61, 0.57
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: ClamAV.pm question

2018-01-30 Thread Chris
On Tue, 2018-01-30 at 20:55 +0100, Daniele Duca wrote:
> It looks like apparmor is preventing clamav from creating its temporary
> files.
> 
> Two solutions, disable apparmor or fix the config file in 
> /etc/apparmor.d/usr.sbin.clamd
> 
> Daniele
> 
Thanks Daniele, it worked after I changed the tmp dir to /var/tmp
instead of /var/lib/clamav/tmp

> On 30/01/2018 17:50, Chris wrote:
> > 
> > I'm seeing this - https://pastebin.com/86s7cVBj and I'm not sure if
> > it's an SA issue or a ClamAV issue.
> > 
> > apt-cache policy clamav
> > clamav:
> >    Installed: 0.99.3-0ubuntu1~chris+1
> >    Candidate: 0.99.3-0ubuntu1~chris+1
> > 
> > apt-cache policy spamassassin
> > spamassassin:
> >    Installed: 3.4.1-3
> >    Candidate: 3.4.1-3
> > 
> > Chris
> > 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:54:10 up 2:37, 1 user, load average: 0.37, 0.50, 0.58
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




ClamAV.pm question

2018-01-30 Thread Chris
I'm seeing this - https://pastebin.com/86s7cVBj and I'm not sure if
it's an SA issue or a ClamAV issue. 

apt-cache policy clamav
clamav:
  Installed: 0.99.3-0ubuntu1~chris+1
  Candidate: 0.99.3-0ubuntu1~chris+1

apt-cache policy spamassassin
spamassassin:
  Installed: 3.4.1-3
  Candidate: 3.4.1-3

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
10:39:19 up 11:25, 1 user, load average: 0.65, 0.67, 0.62
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: From name containing a spoofed email address

2018-01-26 Thread Chris
On Fri, 2018-01-26 at 16:26 -0600, sha...@shanew.net wrote:
> Just a hunch, but did you make sure to add the "$self->register..."
> line inside the "sub new {" block with all the others in
> HeaderEval.pm?
> 
Yep, sure did, thanks for that. All is well now.

> 
> On Fri, 26 Jan 2018, Chris wrote:
> 
> > On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:
> >> This is my current solution for a problem that has been discussed
> >> many times in this list. 
> >> I wrote it last year, and it serves me well. Feel free to use it, if
> >> you find it useful. 
> >>
> >> This part goes into your local.cf:
> >>
> >> header   __F_DM1 eval:from_domains_mismatch()
> >> header   __F_DM2 From:addr =~
> >> /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
> >> meta   F_DM ( __F_DM1 && ! __F_DM2 )
> >> describe   F_DM From:name domain mismatches From:addr domain
> >> priority   F_DM -1
> >> score  F_DM 5.0
> >>
> >> This part goes into the general HeaderEval.pm:
> >>
> >> $self->register_eval_rule("from_domains_mismatch");
> >> [...]
> >> sub from_domains_mismatch {
> >>   my ($self, $pms) = @_;
> >>   my $temp;
> >>   $temp = $pms->get('From:addr');
> >>   $temp =~ /@(.+)/; my $fromAddrDomain; $fromAddrDomain = "$1";
> >>   $temp = $pms->get('From:name');
> >>   $temp =~ /@([^\@\"\s]+)/; my $fromNameDomain; $fromNameDomain =
> >> "$1";
> >>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain,
> >> fromAddrDomain=$fromAddrDomain");
> >>   if ( $fromNameDomain eq "" ) {
> >>  return 0; # all well
> >>   } else {
> >>  if( $fromNameDomain eq $fromAddrDomain ) {
> >>     return 0; # all well, they match
> >>  } else {
> >>     return 1; # mismatch, possibly spam
> >>  }
> >>   }
> >> }
> >>
> >> R.G.
> >>
> > Just for the heck of it I added the above to my SpamAssassin setup at
> > home. However my syslog shows:
> >
> > rules: failed to run __F_DM1 test, skipping:
> > (Can't locate object method "from_domains_mismatch" via package "Mail:
> > [...]:SpamAssassin::PerMsgStatus" at (eval 1816) line 19.)
> >
> > I did restart SA after adding this. SA version 3.4.1
> >
> >
> 
> -- 
> Public key #7BBC68D9 at    | Shane Williams
> http://pgp.mit.edu/    |  System Admin - UT CompSci
> =--+---
> All syllogisms contain three lines |  sha...@shanew.net
> Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:48:06 up 8:35, 1 user, load average: 0.42, 0.38, 0.39
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: From name containing a spoofed email address

2018-01-26 Thread Chris
On Mon, 2018-01-22 at 10:05 -0500, Rupert Gallagher wrote:
> This is my current solution for a problem that has been discussed
> many times in this list. 
> I wrote it last year, and it serves me well. Feel free to use it, if
> you find it useful. 
> 
> This part goes into your local.cf:
> 
> header   __F_DM1 eval:from_domains_mismatch()
> header   __F_DM2 From:addr =~
> /\@(pec|legalmail|telecompost)(\.[^\.]+)?\.it/
> meta   F_DM ( __F_DM1 && ! __F_DM2 )
> describe   F_DM From:name domain mismatches From:addr domain
> priority   F_DM -1
> score  F_DM 5.0
> 
> This part goes into the general HeaderEval.pm:
> 
> $self->register_eval_rule("from_domains_mismatch");
> [...]
> sub from_domains_mismatch {
>   my ($self, $pms) = @_;
>   my $temp;
>   $temp = $pms->get('From:addr');
>   $temp =~ /@(.+)/; my $fromAddrDomain; $fromAddrDomain = "$1";
>   $temp = $pms->get('From:name');
>   $temp =~ /@([^\@\"\s]+)/; my $fromNameDomain; $fromNameDomain =
> "$1";
>   dbg("from_domains_mismatch: fromNameDomain=$fromNameDomain,
> fromAddrDomain=$fromAddrDomain");
>   if ( $fromNameDomain eq "" ) {
>  return 0; # all well
>   } else {
>  if( $fromNameDomain eq $fromAddrDomain ) {
>     return 0; # all well, they match
>  } else {
>     return 1; # mismatch, possibly spam
>  }
>   }
> }
> 
> R.G.
> 
Just for the heck of it I added the above to my SpamAssassin setup at
home. However my syslog shows:

rules: failed to run __F_DM1 test, skipping:
(Can't locate object method "from_domains_mismatch" via package "Mail:
[...]:SpamAssassin::PerMsgStatus" at (eval 1816) line 19.)

I did restart SA after adding this. SA version 3.4.1

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:53:56 up 7:41, 1 user, load average: 0.42, 0.71, 0.69
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic


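A Python rendering of the from_domains_mismatch check quoted above, added here as an example; it is not code from this thread, from R.G. or from SpamAssassin. It works on the raw From: header because SA's From:name and From:addr accessors only exist inside SA, so the split_from helper, the display-name regex and the sample headers are constructed for the example. The exemption regex is the __F_DM2 pattern from the local.cf lines, anchored at the end of the domain rather than left open as in the original rule.

```python
"""Flag a From: header whose display name carries an e-mail address from a
different domain than the real sender address.

Added example; not code from the thread or from SpamAssassin.  It re-does
R.G.'s from_domains_mismatch eval rule over the raw header text and folds
in the __F_DM2 exemption that the F_DM meta rule applies.
"""
import re
from typing import Optional

# Address-like token inside a display name; the domain is group 1.
# Modelled on the /@([^\@\"\s]+)/ in the Perl rule, with <> excluded too.
_NAME_ADDR_RE = re.compile(r'@([^@"\s<>]+)')

# Equivalent of __F_DM2, applied to the From: address domain: sender
# domains whose users legitimately show another address in the name.
DEFAULT_EXEMPT_RE = re.compile(r"^(pec|legalmail|telecompost)(\.[^.]+)?\.it$", re.I)


def split_from(header: str):
    """Return (display name, addr-spec) for 'name <addr>' or a bare addr.

    Surrounding double quotes on the name are stripped; nothing more of
    RFC 5322 is attempted, which is enough for the spoof pattern here.
    """
    m = re.match(r"\s*(.*?)\s*<([^<>]+)>\s*$", header, re.S)
    if not m:
        return "", header.strip()
    name, addr = m.group(1), m.group(2).strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]
    return name, addr


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an addr-spec, or '' if it has none."""
    _local, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""


def from_domains_mismatch(header: str) -> bool:
    """__F_DM1: True when the display name names an address whose domain
    differs from the From: address domain.

    Same three exits as the Perl rule: no address in the name -> False,
    equal domains -> False, anything else -> True.  Unlike the Perl, a
    name with no match never inherits the previous capture ($1), so a
    failed match cannot masquerade as 'domains equal'.
    """
    name, addr = split_from(header)
    m = _NAME_ADDR_RE.search(name)
    if m is None:
        return False                      # no address in the name: all well
    name_domain = m.group(1).lower().rstrip(".")
    return name_domain != domain_of(addr)


def f_dm(header: str, exempt_re: Optional[re.Pattern] = DEFAULT_EXEMPT_RE) -> bool:
    """The meta rule F_DM = __F_DM1 && !__F_DM2."""
    if not from_domains_mismatch(header):
        return False
    if exempt_re is not None and exempt_re.search(domain_of(split_from(header)[1])):
        return False
    return True


if __name__ == "__main__":
    # Constructed headers, not taken from any real message.
    samples = [
        '"Bob Smith" <bob@example.com>',
        '"bob@example.com" <bob@EXAMPLE.com>',
        '"service@paypal.example" <notify@mailer.evil.example>',
        '"Mario Rossi <mario@rossi.example>" <mario.rossi@pec.it>',
        "alice@example.net",
    ]
    for s in samples:
        print(f"F_DM={f_dm(s)!s:5}  {s}")
```

The case worth comparing against the Perl is the failed match: a non-matching `=~` leaves `$1` holding the previous capture, so a display name without any address can inherit the From:addr domain and be reported as "they match"; the Python returns before the comparison instead. The "Can't locate object method" lines in the syslog output above are a separate, registration problem, the one Shane points out in the other reply: the register_eval_rule() call has to sit inside sub new in HeaderEval.pm.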


Re: skipping nameserver '0.ns.spamhaus.org' because it is a CNAME

2018-01-14 Thread Chris
On Sun, 2018-01-14 at 19:30 +, Alex Lasoriti wrote:
> On 2018-01-14 17:20, Ian Zimmerman wrote:
> > 
> > On 2018-01-14 17:07, Per Jessen wrote:
> > 
> > > 
> > > AFAIK, bind does not accept NS records with CNAMEs, only A or
> > > 
> > > records.  It looks like spamhaus updated their nameserver config and
> > > added cloudflare by way of CNAME.
> Hi all,
> 
> this was a "sunday experiment" done on only one of our current 20 NS
> records, addressing in total about 75 nameservers.  So it affected more
> or less 5% of the lookups (that did not fail, just had to be retried).
> It's my fault and you can blame me personally :)  We are now back to the
> normal setup - the CNAME is no longer there and will not come back.
> Sorry for the extra noise in logs; I am quite confident that nothing was
> really seriously broken, but I understand that it may have annoyed some
> people.
> 
Thanks for the explanation Alex, I wasn't annoyed, just baffled. As you
said, everything is back to normal.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:18:27 up 4 days, 6:06, 1 user, load average: 0.21, 0.25, 0.30
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-26-generic




skipping nameserver '0.ns.spamhaus.org' because it is a CNAME

2018-01-14 Thread Chris
I started seeing this yesterday evening - https://pastebin.com/Q01t63uf
AFAICT it's happening on every message that is processed by SA. This
is:

spamassassin -V
SpamAssassin version 3.4.1
  running on Perl version 5.22.1

Any ideas?

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:59:26 up 3 days, 23:47, 1 user, load average: 0.43, 0.36, 0.42
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-26-generic




Re: error: unable to refresh mirrors file for channel updates.spamassassin.org

2017-11-30 Thread Chris
On Thu, 2017-11-30 at 13:17 -0600, David Jones wrote:
> On 11/30/2017 01:09 PM, Chris wrote:
> > 
> > Over the past few days I've been seeing the above. The complete output
> > is:
> > 
> > /etc/cron.daily/spamassassin:
> > error: unable to refresh mirrors file for channel
> > updates.spamassassin.org, using old file
> > 
> > This just seemed to have started this past Sunday. Anyone know of any
> > possible reason for this?
> > 
> > Chris
> > 
> What version of SA are you running?  Maybe post the output of
> "sa-update -D" to give us a little more detail.
> 
Nov 30 17:35:25.717 [9127] dbg: logger: adding facilities: all
Nov 30 17:35:25.717 [9127] dbg: logger: logging level is DBG
Nov 30 17:35:25.717 [9127] dbg: generic: SpamAssassin version 3.4.1
Nov 30 17:35:25.717 [9127] dbg: generic: Perl 5.022001, PREFIX=/usr,
DEF_RULES_DIR=/usr/share/spamassassin,
LOCAL_RULES_DIR=/etc/spamassassin,
LOCAL_STATE_DIR=/var/lib/spamassassin
Nov 30 17:35:25.717 [9127] dbg: config: timing enabled
Nov 30 17:35:25.718 [9127] dbg: config: score set 0 chosen.
Nov 30 17:35:25.724 [9127] dbg: generic: sa-update version svn1652181
Nov 30 17:35:25.724 [9127] dbg: generic: using update directory:
/var/lib/spamassassin/3.004001
Nov 30 17:35:25.857 [9127] dbg: diag: perl platform: 5.022001 linux
Nov 30 17:35:25.857 [9127] dbg: diag: [...] module installed:
Digest::SHA1, version 2.13
Nov 30 17:35:25.857 [9127] dbg: diag: [...] module installed:
HTML::Parser, version 3.72
Nov 30 17:35:25.857 [9127] dbg: diag: [...] module installed: Net::DNS,
version 0.81
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
NetAddr::IP, version 4.078
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Time::HiRes, version 1.9726
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Archive::Tar, version 2.04
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed: IO::Zlib,
version 1.10
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Digest::SHA1, version 2.13
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
MIME::Base64, version 3.15
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed: DB_File,
version 1.835
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Net::SMTP, version 3.05
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Mail::SPF, version v2.009
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed: Geo::IP,
version 1.45
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Net::CIDR::Lite, version 0.21
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Razor2::Client::Agent, version 2.84
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
IO::Socket::IP, version 0.37
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
IO::Socket::INET6, version 2.72
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
IO::Socket::SSL, version 2.024
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Compress::Zlib, version 2.068
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Mail::DKIM, version 0.4
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed: DBI,
version 1.634
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Getopt::Long, version 2.45
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
LWP::UserAgent, version 6.15
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
HTTP::Date, version 6.02
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Encode::Detect::Detector, version 1.01
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Net::Patricia, version 1.22
Nov 30 17:35:25.858 [9127] dbg: diag: [...] module installed:
Net::DNS::Nameserver, version 1276
Nov 30 17:35:25.859 [9127] dbg: gpg: Searching for 'gpg'
Nov 30 17:35:25.859 [9127] dbg: util: current PATH is:
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Nov 30 17:35:25.859 [9127] dbg: util: executable for gpg was found at
/usr/bin/gpg
Nov 30 17:35:25.859 [9127] dbg: gpg: found /usr/bin/gpg
Nov 30 17:35:25.883 [9127] dbg: gpg: release trusted key id list:
0C2B1D7175B852C64B3CDC716C55397824F434CE
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45
Nov 30 17:35:25.884 [9127] dbg: util: secure_tmpfile created a
temporary file /tmp/.spamassassin9127cUcrl1tmp
Nov 30 17:35:25.884 [9127] dbg: channel: attempting channel
updates.spamassassin.org
Nov 30 17:35:25.884 [9127] dbg: channel: using existing directory
/var/lib/spamassassin/3.004001/updates_spamassassin_org
Nov 30 17:35:25.884 [9127] dbg: channel: channel cf file
/var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
Nov 30 17:35:25.884 [9127] dbg: channel: channel pre file
/var/lib/spamassassin/3.004001/updates_spamassassin_org.pre
Nov 30 17:35:25.884 [9127] dbg: channel: metadata version = 1816686,
from file /var/lib/spamassassin/3.004001/updates_spamassassin_org.cf
No

error: unable to refresh mirrors file for channel updates.spamassassin.org

2017-11-30 Thread Chris
Over the past few days I've been seeing the above. The complete output
is:

/etc/cron.daily/spamassassin:
error: unable to refresh mirrors file for channel
updates.spamassassin.org, using old file

This just seemed to have started this past Sunday. Anyone know of any
possible reason for this?

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
13:05:38 up 8 days, 2:06, 1 user, load average: 0.45, 0.72, 0.80
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-40-generic




Re: SA-Update not updating DB

2017-11-16 Thread Chris
On Thu, 2017-11-16 at 09:06 -0600, David Jones wrote:
> On 11/16/2017 08:57 AM, Chris wrote:
> > 
> > On Thu, 2017-11-16 at 07:22 -0600, David Jones wrote:
> > > 
> > > Great news!  Last night's run finally produced a full 72_scores.cf.
> > > Big thanks to Merijn van den Kroonenberg for helping track down the
> > > remaining issues!  There were about 3 rules difference which could
> > > be expected with 8 months difference.
> > > 
> > > # cat disappeared_rules.txt
> > > ADVANCE_FEE_4_NEW
> > > CN_B2B_SPAMMER
> > > URI_GOOGLE_PROXY
> > > 
> > > # wc -l 72_scores.cf
> > > 149 72_scores.cf
> > > 
> > > Now 149 lines and we were stuck at around 100 before.
> > > 
> > > https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/scores/
> > > 
> > > WE REALLY NEED TESTERS NOW TO APPLY THIS UPDATE AND PROVIDE
> > > FEEDBACK.  I would like to enable DNS updates again for sa-update on
> > > Sunday or Monday depending on the feedback.
> > > 
> > > REV=1815298
> > > wget http://sa-update.ena.com/${REV}.tar.gz
> > > wget http://sa-update.ena.com/${REV}.tar.gz.sha1
> > > wget http://sa-update.ena.com/${REV}.tar.gz.asc
> > > sa-update -v --install ${REV}.tar.gz
> > > 
> > > (reload/restart whatever is calling SA -- spamd, amavis-new,
> > > mimedefang, MailScanner, etc.)
> > > 
> > > I have applied this ruleset to my platforms and will monitor
> > > scoring/blocking over the next couple of days.
> > > 
> > Hmm, the file doesn't seem to be able to be found unless of course I
> > did something incorrectly:
> > 
> > chris@localhost:~/Downloads$ wget http://sa-update.ena.com/${REV}.tar.gz
> > --2017-11-16 08:51:50--  http://sa-update.ena.com/.tar.gz
> > Resolving sa-update.ena.com (sa-update.ena.com)... 96.4.1.5, 96.5.1.5
> > Connecting to sa-update.ena.com (sa-update.ena.com)|96.4.1.5|:80... connected.
> > HTTP request sent, awaiting response... 404 Not Found
> > 2017-11-16 08:51:50 ERROR 404: Not Found.
> > 
> Make sure you ran the "REV=1815298" line first to set the variable that
> the next 4 lines use with "${REV}".
> 
I got it David and Dave. Thanks for straightening me out.
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:20:55 up 9 days, 7:52, 1 user, load average: 1.10, 0.72, 0.74
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-38-generic




Re: SA-Update not updating DB

2017-11-16 Thread Chris
On Thu, 2017-11-16 at 07:22 -0600, David Jones wrote:
> Great news!  Last night's run finally produced a full 72_scores.cf.  Big
> thanks to Merijn van den Kroonenberg for helping track down the
> remaining issues!  There were about 3 rules difference which could be
> expected with 8 months difference.
> 
> # cat disappeared_rules.txt
> ADVANCE_FEE_4_NEW
> CN_B2B_SPAMMER
> URI_GOOGLE_PROXY
> 
> # wc -l 72_scores.cf
> 149 72_scores.cf
> 
> Now 149 lines and we were stuck at around 100 before.
> 
> https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/scores/
> 
> WE REALLY NEED TESTERS NOW TO APPLY THIS UPDATE AND PROVIDE FEEDBACK.  I
> would like to enable DNS updates again for sa-update on Sunday or Monday
> depending on the feedback.
> 
> REV=1815298
> wget http://sa-update.ena.com/${REV}.tar.gz
> wget http://sa-update.ena.com/${REV}.tar.gz.sha1
> wget http://sa-update.ena.com/${REV}.tar.gz.asc
> sa-update -v --install ${REV}.tar.gz
> 
> (reload/restart whatever is calling SA -- spamd, amavis-new, mimedefang,
> MailScanner, etc.)
> 
> I have applied this ruleset to my platforms and will monitor 
> scoring/blocking over the next couple of days.
> 
Hmm, the file doesn't seem to be able to be found unless of course I
did something incorrectly:

chris@localhost:~/Downloads$ wget http://sa-update.ena.com/${REV}.tar.gz
--2017-11-16 08:51:50--  http://sa-update.ena.com/.tar.gz
Resolving sa-update.ena.com (sa-update.ena.com)... 96.4.1.5, 96.5.1.5
Connecting to sa-update.ena.com (sa-update.ena.com)|96.4.1.5|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-11-16 08:51:50 ERROR 404: Not Found.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:55:52 up 9 days, 27 min, 1 user, load average: 7.24, 2.93, 1.31
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-38-generic


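An added pre-flight for the manual install steps quoted above (REV=..., the three wget lines, sa-update --install). This is example code, not part of the thread or of sa-update itself. It assumes the .sha1 sidecar holds the hex digest as its first whitespace-separated field (the sha1sum format), uses the sa-update.ena.com base URL from the thread only to build file names, and downloads nothing. The 404 on http://sa-update.ena.com/.tar.gz in the output above is exactly the empty-REV case that the first function refuses.

```python
"""Pre-flight for installing a SpamAssassin ruleset tarball by hand.

Added example, not part of the thread or of sa-update: builds the three
file names from the revision number (refusing an empty one, which is what
turns 'wget .../${REV}.tar.gz' into a request for '/.tar.gz'), then checks
the tarball against its .sha1 sidecar before it is handed to
'sa-update --install'.  Nothing here downloads anything.
"""
import hashlib
import hmac
import os
import re

# Assumed sidecar format: hex digest as the first whitespace-separated
# field, as sha1sum(1) writes it.
_HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")


def ruleset_urls(rev: str, base_url: str = "http://sa-update.ena.com") -> dict:
    """URLs of the tarball, its .sha1 and its .asc for one revision.

    Raises ValueError unless rev is a non-empty run of digits, so an unset
    shell variable cannot become a request for '<base>/.tar.gz'.
    """
    if not re.fullmatch(r"\d+", rev or ""):
        raise ValueError(f"ruleset revision must be digits, got {rev!r}")
    name = f"{rev}.tar.gz"
    return {"tarball": f"{base_url}/{name}",
            "sha1": f"{base_url}/{name}.sha1",
            "asc": f"{base_url}/{name}.asc"}


def read_sha1_sidecar(path: str) -> str:
    """Lower-cased digest from a .sha1 file; ValueError if none is there."""
    with open(path, encoding="ascii") as fh:
        fields = fh.read().split()
    if not fields or not _HEX40.match(fields[0]):
        raise ValueError(f"{path}: no 40-hex-digit SHA-1 in first field")
    return fields[0].lower()


def sha1_of_file(path: str) -> str:
    """Hex SHA-1 of a file, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tarball_matches_sidecar(tarball: str, sidecar: str) -> bool:
    """True iff the tarball's SHA-1 equals the digest in its sidecar."""
    return hmac.compare_digest(sha1_of_file(tarball), read_sha1_sidecar(sidecar))


def preflight(download_dir: str, rev: str) -> str:
    """Return the tarball path that may be passed to 'sa-update --install'.

    Raises if any of the three files is missing or the digest disagrees.
    The .asc is only checked for presence here; sa-update verifies it.
    """
    name = os.path.basename(ruleset_urls(rev)["tarball"])
    tarball = os.path.join(download_dir, name)
    for suffix in ("", ".sha1", ".asc"):
        if not os.path.isfile(tarball + suffix):
            raise FileNotFoundError(f"{name}{suffix} missing; fetch all three")
    if not tarball_matches_sidecar(tarball, tarball + ".sha1"):
        raise ValueError(f"{name}: SHA-1 does not match {name}.sha1")
    return tarball


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in files; not a real ruleset or signature.
    with tempfile.TemporaryDirectory() as d:
        rev = "1822449"
        tb = os.path.join(d, f"{rev}.tar.gz")
        data = b"constructed tarball bytes, not a real ruleset\n"
        with open(tb, "wb") as fh:
            fh.write(data)
        with open(tb + ".sha1", "w") as fh:
            fh.write(f"{hashlib.sha1(data).hexdigest()}  {rev}.tar.gz\n")
        with open(tb + ".asc", "w") as fh:
            fh.write("(placeholder for the detached PGP signature)\n")
        print("ok:", preflight(d, rev))
        print("urls:", ruleset_urls(rev))
```

The .sha1 comparison only catches a truncated or corrupted download; authenticity comes from the .asc, which sa-update --install verifies with gpg against its trusted key list, so the .asc has to be fetched alongside the tarball and GPG checking must not be switched off.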


Re: ISIPP - Re: bb.barracudacentral.org

2017-09-21 Thread Chris
On Thu, 2017-09-21 at 11:58 +0100, Martin Gregorie wrote:
> On Wed, 2017-09-20 at 19:39 -0500, Chris wrote:
> > 
> > It was installed by default when upgrading from 14.04LTS to
> > 16.04LTS
> > 
> Then it may be best to just leave it there.
> 
> > 
> > I have stopped Network Manager. I've not disabled or removed it yet
> > as I'm watching to see how named does the queries now.
> > 
> I didn't suggest removing it - just following the advice from others to
> change its configuration so it doesn't try to start dnsmasq or bind:
> leave starting the daemons that should always be running to systemd.
My mistake, I must have read somewhere yesterday about disabling or
removing it. 

> 
> Your named configuration looks fine to me. About the only extra items
> you might want in options are:
> 
> dnssec-enable yes;
> dnssec-validation auto;
> dnssec-lookaside auto;
> 
> In the ISC[*] website it says:
> - If you put “dnssec-validation auto” in named.conf, named will read
>   the root key from bind.keys the first time it executes.
> - If you put “dnssec-lookaside auto” in named.conf, named will read
> the
>   DLV key from bind.keys the first time it executes.
> - If you don’t have anything in named.conf and there is no bind.keys
>   file, named will use the compiled in keys.
> 
> so having these set as ISC suggests should mean that bind will
> automatically pick up changes to bind keys. They don't change very
> often but there are changes from time to time.
> 
> [*] Internet Systems Consortium: https://www.isc.org/ - a non-profit
> that supports the Internet infrastructure. It is the source for
> downloading Root Trust Anchors, aka bind-keys.
> 
Thanks for the above Martin. I'm still waiting for a query to isipp to
happen since I stopped network manager. Seems like when you're waiting
for something it never happens. 
> Martin
> 
Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:35:00 up 1 day, 11:47, 1 user, load average: 1.05, 0.42, 0.33
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-20 Thread Chris
On Wed, 2017-09-20 at 15:22 -0700, Ian Zimmerman wrote:
> On 2017-09-20 17:02, Chris wrote:
> 
> > 
> > So, IIUC it would be a good idea to remove the resolv.conf symlink
> > in
> > /run/resolvconf ?
> Definitely _not_ a good idea while the resolvconf package is installed.
> 
> What I meant was remove the package first, then clean up.
> 
Understand Ian, thanks

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:40:09 up 22:52, 1 user, load average: 0.60, 0.58, 0.50
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-20 Thread Chris
On Wed, 2017-09-20 at 19:05 +0100, Martin Gregorie wrote:
> On Wed, 2017-09-20 at 08:48 -0500, Chris wrote:
> > 
> > On Wed, 2017-09-20 at 11:15 +0100, Martin Gregorie wrote:
> > > 
> > > On Tue, 2017-09-19 at 19:32 -0500, Chris wrote:
> > > > 
> > > > 
> > > > Hi Martin, here's what I see:
> > > > 
> > > > sudo systemctl status dnsmasq
> > > > [sudo] password for chris: 
> > > > ● dnsmasq.service
> > > >    Loaded: not-found (Reason: No such file or directory)
> > > >    Active: inactive (dead)
> > > > chris@localhost:~$ sudo systemctl enable dnsmasq
> > > > Failed to execute operation: No such file or directory
> > > > chris@localhost:~$ sudo systemctl status dnsmasq
> > > > ● dnsmasq.service
> > > >    Loaded: not-found (Reason: No such file or directory)
> > > >    Active: inactive (dead)
> > > > 
> > > Yes, that agrees with systemd not knowing about dnsmasq.
> > > 
> > > > 
> > > > 
> > > > I then installed dnsmasq (apparently it wasn't installed)
> > > > 
> > > I don't know why you'd want to do that since you should be
> > > running
> > > named instead of dnsmasq.
> > > 
> > I was tired and getting po'd at the whole mess. I installed via apt
> > then removed via apt and also ran apt purge.
> > 
> > > 
> > > Delete the version you just installed via the apt package manager
> > > and do a search and destroy mission to get rid of both the other
> > > copy of it and the associated configuration.
> > > 
> > > Running "updatedb; locate dnsmasq" is probably the fastest way of
> > > finding it and its associated files. Anything with a similar name in
> > > /etc/init.d is probably its launcher script, so that can go too. If
> > > you have an /etc/rc.local file, check its contents because it's run
> > > as part of the sysVinit process. It shouldn't have anything about
> > > dnsmasq in it but you never know...
> > > 
> > From the locate command I found these - https://pastebin.com/ECjZGX1M
> >  
> > I'm not sure what to do with those that are associated with
> > /snap/core.
> > 
> Can't help there as I've not seen a /snap directory structure before. I
> don't believe any RedHat distros use it and nor does Raspbian.
> 
> How was it installed in the first place? That may give you some clues,
> or somebody who is more familiar with Debian and its clones may know a
> safe way to remove it: I'd be inclined to just remove the lot but then I
> tend to go in boots and all in this sort of situation. Just take a
> backup first.
It was installed by default when upgrading from 14.04LTS to 16.04LTS

> 
> OTOH, since there's apparently nothing that starts dnsmasq at boot time
> apart from NetworkManager you can always just leave it there and accept
> that it will continue to occupy space on disk. Then:
> 
> - do as others have said and reconfigure NetworkManager so it doesn't
>   start anything.
> 
I have stopped Network Manager. I've not disabled or removed it yet as
I'm watching to see how named does the queries now.

> - configure named as a recursive nameserver if that isn't already done
> 
> - set up systemd to start named at boot time:
>    systemctl enable named   # This makes it start at boot time
>    systemctl start named    # Start it now
>    systemctl status named   # see if it started OK
> 
It already starts at boot.

> - if it didn't like the current /etc/named.conf or if it isn't doing
>   what you want, modify its configuration and:
> 
>    systemctl restart named  # kills named and restarts it with the
>                             # new config
>    systemctl status named   # See what it's doing
> 
>   and repeat until it's right
> 
> 
> Martin
> 
systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Wed 2017-09-20 17:57:18 CDT; 3min 6s ago
     Docs: man:named(8)
  Process: 19195 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 19203 (named)
   CGroup: /system.slice/bind9.service
           └─19203 /usr/sbin/named -4 -f -u bind

localhost named[19203]: automatic empty zone: EMPTY.AS112.ARPA

Re: ISIPP - Re: bb.barracudacentral.org

2017-09-20 Thread Chris
On Wed, 2017-09-20 at 08:01 -0700, Ian Zimmerman wrote:
> On 2017-09-20 11:15, Martin Gregorie wrote:
> 
> > 
> > I don't know why you'd want to do that since you should be running
> > named instead of dnsmasq.
> > 
> > Delete the version you just installed via the apt package manager and
> > do a search and destroy mission to get rid of both the other copy of
> > it and the associated configuration.
> > 
> > Running "updatedb; locate dnsmasq" is probably the fastest way of
> > finding it and its associated files. Anything with a similar name in
> > /etc/init.d is probably its launcher script, so that can go too. If
> > you have an /etc/rc.local file, check its contents because it's run as
> > part of the sysVinit process. It shouldn't have anything about dnsmasq
> > in it but you never know...
> Another thing to check in this kind of mess (and I think it wasn't
> mentioned yet) is the state of /etc/resolv.conf.  In Debian (and so in
> Ubuntu, too) packages that provide DNS daemons, whether authoritative or
> caching only, attempt to manage that file automatically, if the
> resolvconf (traditionally) or openresolv package is also installed.  If
> you do something "unexpected" you can end up with /etc/resolv.conf in a
> strange state.
> 
Hi Ian, my /etc/resolv.conf is linked to /run/resolvconf/resolv.conf.
Both appear to be the same. I don't know why the nameserver line is
there twice.

/run/resolvconf/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 127.0.0.1
search PK5001Z

The /etc/resolv.conf is exactly the same. 
> To avoid that, on my Debian hosts I usually purge resolvconf/openresolv,
> make sure that /etc/resolv.conf is a real file (not a symlink), and
> manually edit it to the correct state.  If the host is on DHCP I also
> make sure the ISC DHCP client is in use (not dhcpcd which seems to be
> much less flexible), and change /etc/dhcp/dhclient.conf to not request
> (or override) the DNS info provided by DHCP, as that also messes with
> resolv.conf.
> 
So, IIUC it would be a good idea to remove the resolv.conf symlink in
/run/resolvconf ?

> Finally (and getting really OT), it helps to keep relevant /etc files
> under version control, so you know when the system helpfully shifts the
> ground under you.
> 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:42:52 up 19:55, 1 user, load average: 0.65, 0.59, 0.83
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic


signature.asc
Description: This is a digitally signed message part


Re: ISIPP - Re: bb.barracudacentral.org

2017-09-20 Thread Chris
On Tue, 2017-09-19 at 21:32 -0700, Ian Zimmerman wrote:
> On 2017-09-19 19:53, David B Funk wrote:
> 
> > 
> > So now you have -two- dnsmasq kits, one installed by "apt" and
> > managed thru the "systemctl" tools, and another one that somebody put
> > there which is outside the realm of "apt" & "systemctl" (thus they
> > don't know how to manage it).
> > 
> > You should really pick one method of installing/managing software
> > and stick with it.
> > 
> > This is similar to the mess you get when you mix CPAN with
> > yum/yast/rpm/apt for installing Perl modules.
> Similar but worse, as you can have a safe CPAN + distro mix with
> local::lib.
> 
As I've said in a previous post I 'only' install official Ubuntu pkgs
via apt except I have a beta of fetchmail currently in use.

I'm not sure if removing certain snap pkgs I have installed will also
remove dnsmasq or not or if it was automatically installed when 'core'
was installed.

/snap/core/2925/etc/dnsmasq.d
/snap/core/2925/etc/dbus-1/system.d/dnsmasq.conf
/snap/core/2925/etc/dnsmasq.d/ubuntu-fan
/snap/core/2925/run/dnsmasq
/snap/core/2925/usr/sbin/dnsmasq
/snap/core/2925/usr/share/dnsmasq-base
/snap/core/2925/usr/share/dnsmasq-base/trust-anchors.conf

Name                 Version             Rev   Developer  Notes
core                 16-2.28~rc3         2925  canonical  core
dwarf-fortress       0.43.05             2     mterry     -
nethack              3.4.2-2             2     ogra       -
pubip                0.6                 28    thibran    -
snappy-debug         0.31.4-snapd2.26.9  70    canonical  -
snapweb              0.26-11-dev         307   canonical  -
speed-test           1.8.0               16    bartaz     -
wallpaperdownloader  2.8                 16    egarcia    -

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:58:22 up 12:11, 1 user, load average: 0.47, 0.57, 0.71
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-20 Thread Chris
On Tue, 2017-09-19 at 23:04 -0400, Bill Cole wrote:
> On 19 Sep 2017, at 22:36, Chris wrote:
> 
> > 
> > On Wed, 2017-09-20 at 04:31 +0200, Reindl Harald wrote:
> > > 
> > > 
> > > Am 20.09.2017 um 02:32 schrieb Chris:
> > > > 
> > > > 
> > > > I then installed dnsmasq (apparently it wasn't installed)
> > > frankly clean up your mess - you recently posted dnsmasq as well as
> > > named listening on different interfaces for DNS, now you say dnsmasq
> > > was not installed
> > Will do, sorry for all the noise the last few days. I'll see if I can
> > figure this out myself.
> Everyone here started clueless and when we obtained a little
> knowledge, got dangerous: mostly to ourselves. No apologies needed.

Thanks Bill, I guess in my 68yrs I've really gotten dangerous.

> 
> You have clearly done something on your system that confuses the
> specific problem you're having with SpamAssassin. I suspect the root
> issue is installing dnsmasq from the upstream source distribution
> (and maybe BIND also?) rather than using the Debian/Ubuntu package(s)
> via the apt and/or dpkg tools. That's not an uncommon class of
> mistake, but it is an especially risky move on a systemd-managed
> platform and especially on anything Debian-based because Debian makes
> substantial changes to some open source software which can cause
> unusual problems which are unique to the platform. The bottom line:
> on Ubuntu, use the Ubuntu software installation tools and do not try
> to install anything from upstream source that has an Ubuntu package.
> 
Both BIND and last night dnsmasq were installed via apt and dnsmasq was
removed via apt remove and apt purge. In fact I make it a point to
install packages via apt unless it can't be helped such as the beta of
fetchmail I'm currently running. The odd/bad thing about this whole
mess is that the issue of queries to isipp and bb.barracuda has been
going on for quite a while now. I just finally decided to try and do
something about it. The issue with the isipp query going to the
incorrect ip only started a few days ago though.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:49:39 up 12:02, 1 user, load average: 2.38, 1.31, 0.93
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-20 Thread Chris
On Wed, 2017-09-20 at 11:15 +0100, Martin Gregorie wrote:
> On Tue, 2017-09-19 at 19:32 -0500, Chris wrote:
> > 
> > Hi Martin, here's what I see:
> > 
> > sudo systemctl status dnsmasq
> > [sudo] password for chris: 
> > ● dnsmasq.service
> >    Loaded: not-found (Reason: No such file or directory)
> >    Active: inactive (dead)
> > chris@localhost:~$ sudo systemctl enable dnsmasq
> > Failed to execute operation: No such file or directory
> > chris@localhost:~$ sudo systemctl status dnsmasq
> > ● dnsmasq.service
> >    Loaded: not-found (Reason: No such file or directory)
> >    Active: inactive (dead)
> > 
> Yes, that agrees with systemd not knowing about dnsmasq.
> 
> > 
> > I then installed dnsmasq (apparently it wasn't installed)
> > 
> I don't know why you'd want to do that since you should be running
> named instead of dnsmasq.
> 
I was tired and getting po'd at the whole mess. I installed via apt
then removed via apt and also ran apt purge.

> Delete the version you just installed via the apt package manager and
> do a search and destroy mission to get rid of both the other copy of
> it and the associated configuration.
> 
> Running "updatedb; locate dnsmasq" is probably the fastest way of
> finding it and its associated files. Anything with a similar name in
> /etc/init.d is probably its launcher script, so that can go too. If
> you have an /etc/rc.local file, check its contents because it's run as
> part of the sysVinit process. It shouldn't have anything about dnsmasq
> in it but you never know...
> 
From the locate command I found these - https://pastebin.com/ECjZGX1M 
I'm not sure what to do with those that are associated with /snap/core.
There's nothing in /etc/init.d for dnsmasq.

Chris


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:07:59 up 11:20, 1 user, load average: 0.08, 0.07, 0.08
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Wed, 2017-09-20 at 04:31 +0200, Reindl Harald wrote:
> 
> Am 20.09.2017 um 02:32 schrieb Chris:
> > 
> > I then installed dnsmasq (apparently it wasn't installed)
> frankly clean up your mess - you recently posted dnsmasq as well as
> named listening on different interfaces for DNS, now you say dnsmasq
> was not installed

Will do, sorry for all the noise the last few days. I'll see if I can
figure this out myself.


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
21:35:17 up 48 min, 1 user, load average: 0.58, 0.39, 0.38
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Tue, 2017-09-19 at 19:32 -0500, Chris wrote:
> On Wed, 2017-09-20 at 00:40 +0100, Martin Gregorie wrote:
> > 
> > On Tue, 2017-09-19 at 16:44 -0500, Chris wrote:
> > > 
> > > 
> > > 
> > > Thanks Martin, here's what I get, it appears to not be running.
> > > 
> > > sudo systemctl stop dnsmasq
> > > [sudo] password for chris: 
> > > Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
> > > 
> > OK, that makes sense
> >  
> > > 
> > > 
> > > sudo systemctl disable dnsmasq
> > > Failed to execute operation: No such file or directory
> > > 
> > That's interesting: I've never seen that before:
> > 
> > Here's what I see if I enable dnsmasq, check its status, disable it
> > and check status again:
> > 
> > $ sudo systemctl enable dnsmasq
> > Created symlink /etc/systemd/system/multi-user.target.wants/dnsmasq.service → /usr/lib/systemd/system/dnsmasq.service.
> > 
> > $ sudo systemctl status dnsmasq
> > ● dnsmasq.service - DNS caching server.
> >    Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
> >    Active: inactive (dead)
> > 
> > $ sudo systemctl disable dnsmasq
> > Removed /etc/systemd/system/multi-user.target.wants/dnsmasq.service.
> > 
> > $ sudo systemctl status dnsmasq
> > ● dnsmasq.service - DNS caching server.
> >    Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
> >    Active: inactive (dead)
> > 
> > This is a Fedora 25 system which I use, amongst other things, as my
> > SA and test system. My live Postfix and SA are on another system
> > which runs named. I don't use dnsmasq at all but it turns out to be
> > part of the standard software installed by F25.
> > 
> > It would be interesting to know what 'systemctl status' shows on your
> > system, though it's quite possible it looks similar to what
> > 'systemctl disable' showed. I can only guess that your system is a
> > transitional systemd setup, i.e. systemctl is used for service
> > management but some services (dnsmasq for one) are still running
> > under the old systemV init scripts. Fedora installations used to work
> > that way for some services, but that was a few versions ago (F21 or
> > 22 at the latest).
> > 
> > 
> > Martin
> >  
> Hi Martin, here's what I see:
> 
> sudo systemctl status dnsmasq
> [sudo] password for chris: 
> ● dnsmasq.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
> chris@localhost:~$ sudo systemctl enable dnsmasq
> Failed to execute operation: No such file or directory
> chris@localhost:~$ sudo systemctl status dnsmasq
> ● dnsmasq.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
> 
> I then installed dnsmasq (apparently it wasn't installed)
> 
> Results are here - https://pastebin.com/MRR4NCMp

After a restart - status now shows:

● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/dnsmasq.service.d
           └─50-dnsmasq-$named.conf, 50-insserv.conf-$named.conf
   Active: active (running) since Tue 2017-09-19 19:56:46 CDT; 4min 11s ago
  Process: 1215 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 1040 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 963 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 1214 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─1214 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-a

Sep 19 19:56:40 localhost dnsmasq[963]: dnsmasq: syntax check OK.
Sep 19 19:56:46 localhost dnsmasq[1214]: started, version 2.75 cachesize 150
Sep 19 19:56:46 localhost dnsmasq[1214]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Sep 19 19:56:46 localhost dnsmasq[1214]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
Sep 19 19:56:46 localhost dnsmasq[1214]: read /etc/hosts - 6 addresses
Sep 19 19:56:46 localhost systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Sep 19 19:57:05 localhost dnsmasq[1214]: reading /var/run/dnsmasq/resolv.conf
Sep 19 19:57:05 localhost dnsmasq[1214]: using nameserver 192.168.0.1#53
Sep 19 19:57:05 localhost dnsmasq[1214]: using nameserver 205.171.2.226#53
Sep 19 19:57:05 localhost dnsmasq[1214]: ignoring nameserver 127.0.0.1 - local interface


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:01:58 up 6 min, 1 user, load average: 5.08, 5.51, 2.71
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Wed, 2017-09-20 at 00:40 +0100, Martin Gregorie wrote:
> On Tue, 2017-09-19 at 16:44 -0500, Chris wrote:
> > 
> > 
> > Thanks Martin, here's what I get, it appears to not be running.
> > 
> > sudo systemctl stop dnsmasq
> > [sudo] password for chris: 
> > Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.
> > 
> OK, that makes sense
>  
> > 
> > sudo systemctl disable dnsmasq
> > Failed to execute operation: No such file or directory
> > 
> That's interesting: I've never seen that before:
> 
> Here's what I see if I enable dnsmasq, check its status, disable it
> and check status again:
> 
> $ sudo systemctl enable dnsmasq
> Created symlink /etc/systemd/system/multi-user.target.wants/dnsmasq.service → /usr/lib/systemd/system/dnsmasq.service.
> 
> $ sudo systemctl status dnsmasq
> ● dnsmasq.service - DNS caching server.
>    Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
>    Active: inactive (dead)
> 
> $ sudo systemctl disable dnsmasq
> Removed /etc/systemd/system/multi-user.target.wants/dnsmasq.service.
> 
> $ sudo systemctl status dnsmasq
> ● dnsmasq.service - DNS caching server.
>    Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
>    Active: inactive (dead)
> 
> This is a Fedora 25 system which I use, amongst other things, as my
> SA and test system. My live Postfix and SA are on another system which
> runs named. I don't use dnsmasq at all but it turns out to be part of
> the standard software installed by F25.
> 
> It would be interesting to know what 'systemctl status' shows on your
> system, though it's quite possible it looks similar to what 'systemctl
> disable' showed. I can only guess that your system is a transitional
> systemd setup, i.e. systemctl is used for service management but some
> services (dnsmasq for one) are still running under the old systemV
> init scripts. Fedora installations used to work that way for some
> services, but that was a few versions ago (F21 or 22 at the latest).
> 
> 
> Martin
>  
Hi Martin, here's what I see:

sudo systemctl status dnsmasq
[sudo] password for chris: 
● dnsmasq.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
chris@localhost:~$ sudo systemctl enable dnsmasq
Failed to execute operation: No such file or directory
chris@localhost:~$ sudo systemctl status dnsmasq
● dnsmasq.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

I then installed dnsmasq (apparently it wasn't installed)

Results are here - https://pastebin.com/MRR4NCMp

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:25:14 up 1 day, 3:04, 2 users, load average: 0.37, 0.26, 0.19
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Tue, 2017-09-19 at 15:40 -0500, Chris wrote:
> On Tue, 2017-09-19 at 08:41 -0500, David Jones wrote:
> > 
> > On 09/19/2017 08:25 AM, Chris wrote:
> > > 
> > > 
> > > On Tue, 2017-09-19 at 08:16 -0500, Chris wrote:
> > > > 
> > > > 
> > > > On Tue, 2017-09-19 at 07:45 -0500, David Jones wrote:
> > > > > 
> > > > > 
> > > > > 
> > > > > On 09/18/2017 06:03 PM, Chris wrote:
> > > > [snip]
> > > > > 
> > > > > 
> > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > localhost dnsmasq[2323]: started, version 2.75 cachesize 150
> > > > > > localhost dnsmasq[2323]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > > > > > localhost dnsmasq-dhcp[2323]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
> > > > > > localhost dnsmasq-dhcp[2323]: DHCP, sockets bound exclusively to interface virbr0
> > > > > > localhost dnsmasq[2323]: reading /etc/resolv.conf
> > > > > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > > > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > > > > localhost dnsmasq[2323]: read /etc/hosts - 7 addresses
> > > > > > localhost dnsmasq[2323]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
> > > > > > localhost dnsmasq-dhcp[2323]: read /var/lib/libvirt/dnsmasq/default.hostsfile
> > > > > > 
> > > > > > I'm not really running a mail server in the true sense of the
> > > > > > word I believe. Fetchmail queries my email accounts and pipes
> > > > > > the messages through procmail. Anything that doesn't already
> > > > > > have a recipe is run through SA. I'm just using Bind to speed up
> > > > > > the queries that SA makes. I believe I'm stating that correctly
> > > > > > but who knows could be way off.
> > > > > > 
> > > > > > If I can give any other information I'll be glad to do it.
> > > > > > Again, I have no idea why the queries are going to
> > > > > > 168.150.251.35. There hasn't been another query to isipp since a
> > > > > > bit after noon. I'll see what happens the next time there is
> > > > > > one.
> > > > > > 
> > > > > Run 'netstat -tunlap | grep ":53 "' and see what is listening on
> > > > > port 53 as your DNS server.  You probably need to remove/uninstall
> > > > > dnsmasq.
> > > > > 
> > > > > Here's my output:
> > > > > 
> > > > > # netstat -tunlap | grep ":53 "
> > > > > tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      24019/pdns_recursor
> > > > > udp        0      0 127.0.0.1:53            0.0.0.0:*                           24019/pdns_recursor
> > > > > 
> > > > > Once you know you are only running named on port 53, then make
> > > > > sure your named.conf doesn't have any forwarders defined in the
> > > > > options section.
> > > > > 
> > > > > Now check your logs and see if you are still getting a lot of
> > > > > refused responses.  BIND sho

Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Tue, 2017-09-19 at 14:47 -0700, John Hardin wrote:
> On Tue, 19 Sep 2017, Chris wrote:
> 
> > I'm getting different outputs each time I run dig +trace
> > 65.43.116.208.iadb.isipp.com
> >
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.1.255
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.0.2
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.3
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.101.202.10
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.0.1
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.1
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.4
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.101.201.10
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.3.100.10 
> > ;; Received 201 bytes from 147.75.64.146#53(c.auth-ns.sonic.net) in 67 ms
> >
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.0.2
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.3.100.10
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.4
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.0.1
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.101.202.10
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.1
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.3
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.101.201.10
> > 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.1.255
> 
> That just looks like sorting.
>   Today: Talk Like a Pirate day

Aargh, I guess that makes sense

Thanks

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
17:08:56 up 1 day, 48 min, 1 user, load average: 1.37, 1.07, 0.84
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Tue, 2017-09-19 at 22:07 +0100, Martin Gregorie wrote:
> On Tue, 2017-09-19 at 15:40 -0500, Chris wrote:
> 
> > I've disabled dnsmasq in my /etc/NetworkManager/NetworkManager.conf
> > via
> > #dns=dnsmasq
> > 
> > However, when restarting the network I see:
> > dnsmasq[2323]: reading /etc/resolv.conf
> > dnsmasq[2323]: using nameserver 127.0.0.1#53
> > dnsmasq[2323]: using nameserver 127.0.0.1#53 
> > 
> > NetworkManager[24113]:   [1505852393.3238]   nameserver '192.168.0.1'
> > NetworkManager[24113]:   [1505852393.3238]   nameserver '205.171.2.226'
> > 
> If you want dnsmasq dead and assuming you're using systemd, do this:
> 
> sudo systemctl stop dnsmasq
> sudo systemctl disable dnsmasq
> 
> ...then it won't be restarted under any circumstances including a
> reboot.
> 
> If you're still on the old sysVinit system, do its equivalent so that
> dnsmasq isn't started at any runlevel.   
> 
> 
> Martin
> 
Thanks Martin, here's what I get, it appears to not be running.

sudo systemctl stop dnsmasq
[sudo] password for chris: 
Failed to stop dnsmasq.service: Unit dnsmasq.service not loaded.

sudo systemctl disable dnsmasq
Failed to execute operation: No such file or directory

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:33:34 up 1 day, 12 min, 1 user, load average: 0.28, 0.46, 0.76
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Tue, 2017-09-19 at 08:41 -0500, David Jones wrote:
> On 09/19/2017 08:25 AM, Chris wrote:
> > 
> > On Tue, 2017-09-19 at 08:16 -0500, Chris wrote:
> > > 
> > > On Tue, 2017-09-19 at 07:45 -0500, David Jones wrote:
> > > > 
> > > > 
> > > > On 09/18/2017 06:03 PM, Chris wrote:
> > > [snip]
> > > > 
> > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > localhost dnsmasq[2323]: started, version 2.75 cachesize 150
> > > > > localhost dnsmasq[2323]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > > > > localhost dnsmasq-dhcp[2323]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
> > > > > localhost dnsmasq-dhcp[2323]: DHCP, sockets bound exclusively to interface virbr0
> > > > > localhost dnsmasq[2323]: reading /etc/resolv.conf
> > > > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > > > localhost dnsmasq[2323]: read /etc/hosts - 7 addresses
> > > > > localhost dnsmasq[2323]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
> > > > > localhost dnsmasq-dhcp[2323]: read /var/lib/libvirt/dnsmasq/default.hostsfile
> > > > > 
> > > > > I'm not really running a mail server in the true sense of the word
> > > > > I believe. Fetchmail queries my email accounts and pipes the
> > > > > messages through procmail. Anything that doesn't already have a
> > > > > recipe is run through SA. I'm just using Bind to speed up the
> > > > > queries that SA makes. I believe I'm stating that correctly but who
> > > > > knows could be way off.
> > > > > 
> > > > > If I can give any other information I'll be glad to do it. Again,
> > > > > I have no idea why the queries are going to 168.150.251.35. There
> > > > > hasn't been another query to isipp since a bit after noon. I'll
> > > > > see what happens the next time there is one.
> > > > > 
> > > > Run 'netstat -tunlap | grep ":53 "' and see what is listening on
> > > > port 53 as your DNS server.  You probably need to remove/uninstall
> > > > dnsmasq.
> > > > 
> > > > Here's my output:
> > > > 
> > > > # netstat -tunlap | grep ":53 "
> > > > tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      24019/pdns_recursor
> > > > udp        0      0 127.0.0.1:53            0.0.0.0:*                           24019/pdns_recursor
> > > > 
> > > > Once you know you are only running named on port 53, then make sure
> > > > your named.conf doesn't have any forwarders defined in the options
> > > > section.
> > > > 
> > > > Now check your logs and see if you are still getting a lot of
> > > > refused responses.  BIND should be doing full recursive lookups
> > > > directly to the authoritative DNS servers just like you saw with
> > > > the "dig +trace" command.
> > > > 
> > > David, here's my output. I ran as sudo to see all inclusive:
> > > 
> > > sudo netstat -tunlap | grep ":53"
> > > [sudo] password for chris:
> > > tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1245/named
> > > tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1316/dnsmasq
> > > tcp        0      0 192.168.0.51:53 0.

Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Tue, 2017-09-19 at 08:16 -0500, Chris wrote:
> On Tue, 2017-09-19 at 07:45 -0500, David Jones wrote:
> > 
> > On 09/18/2017 06:03 PM, Chris wrote:
> [snip]
> > 
> > > 
> > > 
> > > localhost dnsmasq[2323]: started, version 2.75 cachesize 150
> > > localhost dnsmasq[2323]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > > localhost dnsmasq-dhcp[2323]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
> > > localhost dnsmasq-dhcp[2323]: DHCP, sockets bound exclusively to interface virbr0
> > > localhost dnsmasq[2323]: reading /etc/resolv.conf
> > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > localhost dnsmasq[2323]: read /etc/hosts - 7 addresses
> > > localhost dnsmasq[2323]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
> > > localhost dnsmasq-dhcp[2323]: read /var/lib/libvirt/dnsmasq/default.hostsfile
> > > 
> > > I'm not really running a mail server in the true sense of the word
> > > I believe. Fetchmail queries my email accounts and pipes the messages
> > > through procmail. Anything that doesn't already have a recipe is run
> > > through SA. I'm just using Bind to speed up the queries that SA
> > > makes. I believe I'm stating that correctly but who knows could be
> > > way off.
> > > 
> > > If I can give any other information I'll be glad to do it. Again, I
> > > have no idea why the queries are going to 168.150.251.35. There
> > > hasn't been another query to isipp since a bit after noon. I'll see
> > > what happens the next time there is one.
> > > 
> > Run 'netstat -tunlap | grep ":53 "' and see what is listening on port
> > 53 as your DNS server.  You probably need to remove/uninstall dnsmasq.
> > 
> > Here's my output:
> > 
> > # netstat -tunlap | grep ":53 "
> > tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      24019/pdns_recursor
> > udp        0      0 127.0.0.1:53            0.0.0.0:*                           24019/pdns_recursor
> > 
> > Once you know you are only running named on port 53, then make sure
> > your named.conf doesn't have any forwarders defined in the options
> > section.
> > 
> > Now check your logs and see if you are still getting a lot of refused
> > responses.  BIND should be doing full recursive lookups directly to
> > the authoritative DNS servers just like you saw with the "dig +trace"
> > command.
> > 
> David, here's my output. I ran as sudo to see all inclusive:
> 
> sudo netstat -tunlap | grep ":53"
> [sudo] password for chris: 
> tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1245/named
> tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1316/dnsmasq
> tcp        0      0 192.168.0.51:53         0.0.0.0:*               LISTEN      1245/named
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1245/named
> tcp        0      0 192.168.0.51:56697      192.52.178.30:53        TIME_WAIT   -
> tcp        1      1 192.168.0.51:33475      198.97.190.53:53        CLOSING     -
> tcp        0      0 192.168.0.51:52483      192.5.6.30:53           TIME_WAIT   -
> tcp        0      0 192.168.0.51:57335      192.5.6.30:53           TIME_WAIT   -
> tcp        0      0 192.168.0.51:56609      192.52.178.30:53        TIME_WAIT   -
> tcp        0      0 192.168.0.51:36143      199.19.56.1:53          TIME_WAIT   -
> tcp        0      0 192.168.0.51:47629      199.7.83.42:53          TIME_WAIT   -
> tcp        0      0 192.168.0.51:58201      192.48.79.30:53         TIME_WAIT   -
> tcp        0      0 192.168.0.51:53145      199.19.56.1:53          TIME_WAIT   -
> tcp        0      0 192.168.0.51:55073      199.7.83.42:53          TIME_WAIT   -
> 

Re: ISIPP - Re: bb.barracudacentral.org

2017-09-19 Thread Chris
On Tue, 2017-09-19 at 07:45 -0500, David Jones wrote:
> On 09/18/2017 06:03 PM, Chris wrote:
[snip]
> > 
> > localhost dnsmasq[2323]: started, version 2.75 cachesize 150
> > localhost dnsmasq[2323]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > localhost dnsmasq-dhcp[2323]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
> > localhost dnsmasq-dhcp[2323]: DHCP, sockets bound exclusively to interface virbr0
> > localhost dnsmasq[2323]: reading /etc/resolv.conf
> > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > localhost dnsmasq[2323]: read /etc/hosts - 7 addresses
> > localhost dnsmasq[2323]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
> > localhost dnsmasq-dhcp[2323]: read /var/lib/libvirt/dnsmasq/default.hostsfile
> > 
> > I'm not really running a mail server in the true sense of the word I
> > believe. Fetchmail queries my email accounts and pipes the messages
> > through procmail. Anything that doesn't already have a recipe is run
> > through SA. I'm just using Bind to speed up the queries that SA makes.
> > I believe I'm stating that correctly but who knows could be way off.
> > 
> > If I can give any other information I'll be glad to do it. Again, I
> > have no idea why the queries are going to 168.150.251.35. There hasn't
> > been another query to isipp since a bit after noon. I'll see what
> > happens the next time there is one.
> > 
> Run 'netstat -tunlap | grep ":53 "' and see what is listening on port
> 53 as your DNS server.  You probably need to remove/uninstall dnsmasq.
> 
> Here's my output:
> 
> # netstat -tunlap | grep ":53 "
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      24019/pdns_recursor
> udp        0      0 127.0.0.1:53            0.0.0.0:*                           24019/pdns_recursor
> 
> Once you know you are only running named on port 53, then make sure
> your named.conf doesn't have any forwarders defined in the options
> section.
> 
> Now check your logs and see if you are still getting a lot of refused
> responses.  BIND should be doing full recursive lookups directly to the
> authoritative DNS servers just like you saw with the "dig +trace"
> command.
> 
David, here's my output. I ran as sudo to see all inclusive:

sudo netstat -tunlap | grep ":53"
[sudo] password for chris: 
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1245/named
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1316/dnsmasq
tcp        0      0 192.168.0.51:53         0.0.0.0:*               LISTEN      1245/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1245/named
tcp        0      0 192.168.0.51:56697      192.52.178.30:53        TIME_WAIT   -
tcp        1      1 192.168.0.51:33475      198.97.190.53:53        CLOSING     -
tcp        0      0 192.168.0.51:52483      192.5.6.30:53           TIME_WAIT   -
tcp        0      0 192.168.0.51:57335      192.5.6.30:53           TIME_WAIT   -
tcp        0      0 192.168.0.51:56609      192.52.178.30:53        TIME_WAIT   -
tcp        0      0 192.168.0.51:36143      199.19.56.1:53          TIME_WAIT   -
tcp        0      0 192.168.0.51:47629      199.7.83.42:53          TIME_WAIT   -
tcp        0      0 192.168.0.51:58201      192.48.79.30:53         TIME_WAIT   -
tcp        0      0 192.168.0.51:53145      199.19.56.1:53          TIME_WAIT   -
tcp        0      0 192.168.0.51:55073      199.7.83.42:53          TIME_WAIT   -
tcp        0      0 192.168.0.51:41719      192.48.79.30:53         TIME_WAIT   -
tcp        1      1 192.168.0.51:40633      198.97.190.53:53        CLOSING     -
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2323/dnsmasq
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1245/named
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1316/dnsmasq
udp        0      0 192.168.0.51:53         0.0.0.0:*                           1245/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1245/named
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1533/snapweb
udp 

Re: ISIPP - Re: bb.barracudacentral.org

2017-09-18 Thread Chris
On Mon, 2017-09-18 at 12:32 -0500, David Jones wrote:
> On 09/18/2017 11:52 AM, Chris wrote:
> > 
> > On Mon, 2017-09-18 at 11:40 -0500, David Jones wrote:
> > > 
> > > On 09/18/2017 11:14 AM, Chris wrote:
> > > > 
> > > > 
> > > > On Mon, 2017-09-18 at 11:11 -0400, Bill Cole wrote:
> > > > > 
> > > > > 
> > > > > On 18 Sep 2017, at 10:57, Chris wrote:
> > > > > 
> > > > > [...]
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > I am receiving many hits on *_IADB_* rules just fine recently
> > > > > > > for emails from constantcontact.com and others.
> > > > > > I'm receiving rule hits:
> > > > > > 
> > > > > > TOP HAM RULES FIRED
> > > > > > RANK  RULE NAME               COUNT  %OFMAIL  %OFSPAM  %OFHAM
> > > > > >   40  RCVD_IN_IADB_SPF            4     4.26     0.00    4.55
> > > > > >   43  RCVD_IN_IADB_LISTED         4     4.26     0.00    4.55
> > > > > >   48  RCVD_IN_IADB_DK             4     4.26     0.00    4.55
> > > > > >   51  RCVD_IN_IADB_RDNS           3     3.19     0.00    3.41
> > > > > >   55  RCVD_IN_IADB_SENDERID       3     3.19     0.00    3.41
> > > > > >   81  RCVD_IN_IADB_OPTIN          1     1.06     0.00    1.14
> > > > > > 
> > > > > > Yesterday instead of seeing host unreachable as I posted above I'm
> > > > > > seeing this
> > > > > > 
> > > > > > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE resolving 'isipp.com/NS/IN': 168.150.251.35#53
> > > > > > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE resolving 'concerto.isipp.com/A/IN': 168.150.251.35#53
> > > > > > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE resolving '10.232.124.38.iadb.isipp.com/A/IN': 168.150.251.35#53
> > > > > Why are you asking 168.150.251.35 to do DNS resolution for you? It is
> > > > > not authoritative for isipp.com, so presumably you have a specific
> > > > > local config causing you to use it. It is explicitly refusing to do
> > > > > DNS resolution for you.
> > > > I honestly have no idea where that came about. I know that on Saturday
> > > > I was seeing this:
> > > > 
> > > > SERVFAIL unexpected RCODE resolving '121.244.54.142.iadb.isipp.com/A/IN': 67.227.187.192#53
> > > > 
> > > > Then yesterday I started seeing
> > > > 
> > > > named[1284]: REFUSED unexpected RCODE resolving 'isipp.com/NS/IN': 168.150.251.35#53
> > > > 
> > > > So to be honest I have no idea where it's coming from. Something
> > > > appears to be messed up somewhere to be sure. However, I've made
> > > > absolutely no changes to anything.
> > > > 
> > > Check your /etc/resolv.conf and make sure that something didn't change
> > > it.  Most SA instances should have a local DNS caching server so
> > > /etc/resolv.conf should be pointing to 127.0.0.1 and the local DNS
> > > server should be doing its own recu

Re: ISIPP - Re: bb.barracudacentral.org

2017-09-18 Thread Chris
On Mon, 2017-09-18 at 11:40 -0500, David Jones wrote:
> On 09/18/2017 11:14 AM, Chris wrote:
> > 
> > On Mon, 2017-09-18 at 11:11 -0400, Bill Cole wrote:
> > > 
> > > On 18 Sep 2017, at 10:57, Chris wrote:
> > > 
> > > [...]
> > > > 
> > > > 
> > > > > 
> > > > > 
> > > > > I am receiving many hits on *_IADB_* rules just fine recently
> > > > > for emails from constantcontact.com and others.
> > > > I'm receiving rule hits:
> > > > 
> > > > TOP HAM RULES FIRED
> > > > RANK  RULE NAME               COUNT  %OFMAIL  %OFSPAM  %OFHAM
> > > >   40  RCVD_IN_IADB_SPF            4     4.26     0.00    4.55
> > > >   43  RCVD_IN_IADB_LISTED         4     4.26     0.00    4.55
> > > >   48  RCVD_IN_IADB_DK             4     4.26     0.00    4.55
> > > >   51  RCVD_IN_IADB_RDNS           3     3.19     0.00    3.41
> > > >   55  RCVD_IN_IADB_SENDERID       3     3.19     0.00    3.41
> > > >   81  RCVD_IN_IADB_OPTIN          1     1.06     0.00    1.14
> > > > 
> > > > Yesterday instead of seeing host unreachable as I posted above I'm
> > > > seeing this
> > > > 
> > > > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE resolving 'isipp.com/NS/IN': 168.150.251.35#53
> > > > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE resolving 'concerto.isipp.com/A/IN': 168.150.251.35#53
> > > > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE resolving '10.232.124.38.iadb.isipp.com/A/IN': 168.150.251.35#53
> > > Why are you asking 168.150.251.35 to do DNS resolution for you? It is
> > > not authoritative for isipp.com, so presumably you have a specific
> > > local config causing you to use it. It is explicitly refusing to do
> > > DNS resolution for you.
> > I honestly have no idea where that came about. I know that on Saturday
> > I was seeing this:
> > 
> > SERVFAIL unexpected RCODE resolving '121.244.54.142.iadb.isipp.com/A/IN': 67.227.187.192#53
> > 
> > Then yesterday I started seeing
> > 
> > named[1284]: REFUSED unexpected RCODE resolving 'isipp.com/NS/IN': 168.150.251.35#53
> > 
> > So to be honest I have no idea where it's coming from. Something
> > appears to be messed up somewhere to be sure. However, I've made
> > absolutely no changes to anything.
> > 
> Check your /etc/resolv.conf and make sure that something didn't change
> it.  Most SA instances should have a local DNS caching server so
> /etc/resolv.conf should be pointing to 127.0.0.1 and the local DNS
> server should be doing its own recursive lookups -- not forwarding to
> any other DNS server so your queries don't get combined with others and
> go over daily usage limits that many RBLs have.  This has been covered
> extensively on this list if you want to search the archives for
> URIBL_BLOCKED.
> 
> Run a "dig +trace" from the SA server where the /etc/resolv.conf is
> pointed to 127.0.0.1 to troubleshoot and you should get some responses
> similar to this:
> 
> dig +trace 65.43.116.208.iadb.isipp.com
> 
> ...
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.0.1
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.3
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.4
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.0.2
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.101.202.10
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.3.100.10
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.2.255.1
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.101.201.10
> 65.43.116.208.iadb.isipp.com. 3600 IN A   127.0.1.255
> 
> If you don't get some 127.xx.xx.xx responses then look at the dig output
> to see where things stop.  The first "hop" should be from 127.0.0.1 then
> start walking down the DNS tree from right to left.
> 
Here's what I see:

65.43.116.208.iadb.isipp.com. 3600 IN   A   127.2.255.1
65.43.116.208.iadb.isipp.com. 3600 IN   A
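
The checks David recommends in the quoted advice (only the local resolver bound to port 53, no forwarders in named.conf, /etc/resolv.conf pointing at 127.0.0.1) and the named failure lines quoted throughout this thread can be worked through offline. The script below is an added example, not code from the list, SpamAssassin or BIND; its log regex is an approximation of the named messages quoted above, and its sample log lines and config fragments are constructed from the text in the thread.

```python
"""Offline helpers for the resolver checks discussed in this thread.

Added example, not code from the mailing list, SpamAssassin or BIND.
The log regex approximates the named messages quoted above; the
sample inputs below are constructed from lines in the thread.
"""
import re
from collections import Counter, defaultdict

# Three failure shapes seen in the thread:
#   "REFUSED unexpected RCODE resolving 'name/TYPE/IN': 1.2.3.4#53"
#   "host unreachable resolving 'name/TYPE/IN': 1.2.3.4#53"
#   "connection refused resolving 'name/TYPE/IN': 1.2.3.4#53"
NAMED_RE = re.compile(
    r"named\[\d+\]: "
    r"(?P<reason>\w+ unexpected RCODE|host unreachable|connection refused)"
    r" resolving '(?P<qname>[^/']+)/(?P<qtype>\w+)/IN': (?P<server>[\d.]+)#53"
)

SAMPLE_LOG = [  # constructed from lines quoted in this thread
    "Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE "
    "resolving 'isipp.com/NS/IN': 168.150.251.35#53",
    "Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE "
    "resolving 'concerto.isipp.com/A/IN': 168.150.251.35#53",
    "Sep 16 12:09:38 localhost named[1284]: host unreachable resolving "
    "'ns1.ns.isipp.com/A/IN': 67.227.190.38#53",
    "named[1284]: SERVFAIL unexpected RCODE resolving "
    "'121.244.54.142.iadb.isipp.com/A/IN': 67.227.187.192#53",
    "localhost named[1284]: connection refused resolving "
    "'190.129.2.198.bb.barracudacentral.org/A/IN': 64.235.154.72#53",
    "Sep 17 09:30:41 localhost named[1284]: reading /etc/resolv.conf",
]


def parse_named_line(line):
    """Return {reason, qname, qtype, server} for a resolver-failure line, else None."""
    m = NAMED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["reason"].endswith("unexpected RCODE"):
        rec["reason"] = rec["reason"].split()[0]  # keep just REFUSED / SERVFAIL
    return rec


def summarize_failures(lines):
    """Map upstream server -> {reason: count}.  A server that is not authoritative
    for the zone yet keeps answering REFUSED (as in the thread) stands out here."""
    per_server = defaultdict(Counter)
    for line in lines:
        rec = parse_named_line(line)
        if rec:
            per_server[rec["server"]][rec["reason"]] += 1
    return {server: dict(c) for server, c in per_server.items()}


def resolv_conf_problems(text):
    """Return nameserver entries that are not the local caching resolver."""
    local = {"127.0.0.1", "::1"}
    return [p[1] for p in (ln.split() for ln in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver" and p[1] not in local]


def named_conf_has_forwarders(text):
    """True if named.conf has a non-empty forwarders {...} list (crude text check)."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", text)
    return bool(m and m.group(1).replace(";", "").strip())


if __name__ == "__main__":
    for server, reasons in summarize_failures(SAMPLE_LOG).items():
        print(f"{server:16} {reasons}")
    print("resolv.conf issues:",
          resolv_conf_problems("nameserver 127.0.0.1\nnameserver 192.168.0.1\n"))
    print("forwarders set:",
          named_conf_has_forwarders("options {\n  forwarders { 192.168.0.1; };\n};"))
```

Run against a real /var/log/syslog the summary shows which upstream address each failure comes from, which is the first question Bill asks in the thread.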

Re: ISIPP - Re: bb.barracudacentral.org

2017-09-18 Thread Chris
On Mon, 2017-09-18 at 11:11 -0400, Bill Cole wrote:
> On 18 Sep 2017, at 10:57, Chris wrote:
> 
> [...]
> > 
> > > 
> > > I am receiving many hits on *_IADB_* rules just fine recently for
> > > emails from constantcontact.com and others.
> > I'm receiving rule hits:
> > 
> > TOP HAM RULES FIRED
> > RANK  RULE NAME               COUNT  %OFMAIL  %OFSPAM  %OFHAM
> >   40  RCVD_IN_IADB_SPF            4     4.26     0.00    4.55
> >   43  RCVD_IN_IADB_LISTED         4     4.26     0.00    4.55
> >   48  RCVD_IN_IADB_DK             4     4.26     0.00    4.55
> >   51  RCVD_IN_IADB_RDNS           3     3.19     0.00    3.41
> >   55  RCVD_IN_IADB_SENDERID       3     3.19     0.00    3.41
> >   81  RCVD_IN_IADB_OPTIN          1     1.06     0.00    1.14
> > 
> > Yesterday instead of seeing host unreachable as I posted above I'm
> > seeing this
> > 
> > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE
> > resolving 'isipp.com/NS/IN': 168.150.251.35#53
> > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE
> > resolving 'concerto.isipp.com/A/IN': 168.150.251.35#53
> > Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE
> > resolving '10.232.124.38.iadb.isipp.com/A/IN': 168.150.251.35#53
> Why are you asking 168.150.251.35 to do DNS resolution for you? It is
> not authoritative for isipp.com, so presumably you have a specific
> local config causing you to use it. It is explicitly refusing to do
> DNS resolution for you.

I honestly have no idea where that came about. I know that on Saturday
I was seeing this:

SERVFAIL unexpected RCODE resolving
'121.244.54.142.iadb.isipp.com/A/IN': 67.227.187.192#53

Then yesterday I started seeing

named[1284]: REFUSED unexpected RCODE resolving 'isipp.com/NS/IN':
168.150.251.35#53

So to be honest I have no idea where it's coming from. Something
appears to be messed up somewhere to be sure. However, I've made
absolutely no changes to anything.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
11:04:17 up 1:42, 1 user, load average: 0.53, 0.34, 0.38
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic


signature.asc
Description: This is a digitally signed message part


Re: ISIPP - Re: bb.barracudacentral.org

2017-09-18 Thread Chris
On Mon, 2017-09-18 at 09:28 -0500, David Jones wrote:
> On 09/18/2017 09:12 AM, Kevin A. McGrail wrote:
> > 
> > On 9/16/2017 4:36 PM, Chris wrote:
> > > 
> > > I'm also seeing issues with ISIPP which is in 20_dnsbl_tests.cf. I've
> > > attached the message I sent them as well as their reply. Another issue
> > > I noticed with ISIPP is
> > > 
> > > Sep 16 12:09:38 localhost named[1284]: host unreachable resolving
> > > 'ns1.ns.isipp.com/A/IN': 67.227.190.38#53
> > > Sep 16 12:09:38 localhost named[1284]: host unreachable resolving
> > > 'ns2.ns.isipp.com/A/IN': 67.227.190.38#53
> > > 
> > > My network is up
> > > 
> > > chris@localhost:~$ time host isipp.com
> > > isipp.com has address 67.227.187.192
> > > isipp.com mail is handled by 5 smtp.secureserver.net.
> > > isipp.com mail is handled by 0 concerto.isipp.com.
> > > isipp.com mail is handled by 10 mailstore1.secureserver.net.
> > > 
> > > real    0m0.866s
> > > user    0m0.008s
> > > sys    0m0.004s
> > > chris@localhost:~$ time host isipp.com
> > > isipp.com has address 67.227.187.192
> > > isipp.com mail is handled by 0 concerto.isipp.com.
> > > isipp.com mail is handled by 10 mailstore1.secureserver.net.
> > > isipp.com mail is handled by 5 smtp.secureserver.net.
> > > 
> > > real    0m0.010s
> > > user    0m0.008s
> > > sys    0m0.000s
> > > 
> > > Problem, or something I shouldn't concern myself about?
> > Good question.  Perhaps another rate-limit issue or they block
> > dynamic IPs.
> > 
> > I took this off-list by accident but Chris has low volume and uses a
> > Dynamic IP.  I wonder if ISIPP is similar to barracuda in that it should
> > be considered for removal from the default rules. Anyone have any
> > feedback?
> > 
> > regards,
> > KAM
> I am receiving many hits on *_IADB_* rules just fine recently for
> emails from constantcontact.com and others.

I'm receiving rule hits:

TOP HAM RULES FIRED
RANK  RULE NAME               COUNT  %OFMAIL  %OFSPAM  %OFHAM
  40  RCVD_IN_IADB_SPF            4     4.26     0.00    4.55
  43  RCVD_IN_IADB_LISTED         4     4.26     0.00    4.55
  48  RCVD_IN_IADB_DK             4     4.26     0.00    4.55
  51  RCVD_IN_IADB_RDNS           3     3.19     0.00    3.41
  55  RCVD_IN_IADB_SENDERID       3     3.19     0.00    3.41
  81  RCVD_IN_IADB_OPTIN          1     1.06     0.00    1.14

Yesterday instead of seeing host unreachable as I posted above I'm
seeing this

Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE
resolving 'isipp.com/NS/IN': 168.150.251.35#53
Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE
resolving 'concerto.isipp.com/A/IN': 168.150.251.35#53
Sep 17 09:30:41 localhost named[1284]: REFUSED unexpected RCODE
resolving '10.232.124.38.iadb.isipp.com/A/IN': 168.150.251.35#53

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
09:47:45 up 26 min, 1 user, load average: 0.30, 0.44, 0.97
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic




Re: bb.barracudacentral.org

2017-09-16 Thread Chris
On Sat, 2017-09-16 at 16:32 +0200, Reindl Harald wrote:
> 
> Am 16.09.2017 um 16:27 schrieb Chris:
> > 
> > named[1284]: REFUSED unexpected RCODE resolving
> > '165.170.166.108.iadb.isipp.com/A/IN': 168.150.251.35#53
> > named[1284]: host unreachable resolving
> > '165.170.166.108.iadb.isipp.com/A/IN': 67.227.190.38#53
> > named[1284]: SERVFAIL unexpected RCODE resolving
> > '165.170.166.108.iadb.isipp.com/A/IN': 67.227.187.192#53
> works here
> 
> > 
> > $ grep -ri isipp /var/lib/spamassassin/3.004001/updates_spamassassin_org
> > Binary file /var/lib/spamassassin/3.004001/updates_spamassassin_org/30_text_pt_br.cf matches
> > /var/lib/spamassassin/3.004001/updates_spamassassin_org/20_dnsbl_tests.cf:header __RCVD_IN_IADB   eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.')
> > /var/lib/spamassassin/3.004001/updates_spamassassin_org/20_dnsbl_tests.cf:describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender
> > 
> > I notice that they're a 'pay for use' service or at least that's what I
> > can see on their webpage.
> this is a WHITELIST and you pay to get listed; pay for use would
> make no sense at all because in that case it becomes meaningless and
> nobody would pay to get listed
> 
Ok, I see now. That makes more sense to pay to get listed, not to use.
My mistake, I misread it.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
09:35:08 up 7 days, 17:03, 1 user, load average: 0.88, 0.83, 0.70
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-33-generic




Re: bb.barracudacentral.org

2017-09-16 Thread Chris
On Sat, 2017-09-16 at 09:45 -0400, Kevin A. McGrail wrote:
> Chris & all,
> I have opened a bug about this: 
> https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7471
> 
> I believe scoring it 0 for now will disable the rule but that's just 
> hiding the issue.
> 
> Thanks for bringing it to the list, Chris.
> 
> Regards,
> KAM
> 
The 0 score did disable the list Kevin, thanks for suggesting it and
thanks for filing the bug. I had been focusing on the bb.barracuda
issue and neglected to notice this one also:

named[1284]: REFUSED unexpected RCODE resolving
'165.170.166.108.iadb.isipp.com/A/IN': 168.150.251.35#53
named[1284]: host unreachable resolving
'165.170.166.108.iadb.isipp.com/A/IN': 67.227.190.38#53
named[1284]: SERVFAIL unexpected RCODE resolving
'165.170.166.108.iadb.isipp.com/A/IN': 67.227.187.192#53

This is found

$ grep -ri isipp /var/lib/spamassassin/3.004001/updates_spamassassin_org
Binary file /var/lib/spamassassin/3.004001/updates_spamassassin_org/30_text_pt_br.cf matches
/var/lib/spamassassin/3.004001/updates_spamassassin_org/20_dnsbl_tests.cf:header __RCVD_IN_IADB   eval:check_rbl('iadb-firsttrusted', 'iadb.isipp.com.')
/var/lib/spamassassin/3.004001/updates_spamassassin_org/20_dnsbl_tests.cf:describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender

I notice that they're a 'pay for use' service or at least that's what I
can see on their webpage. 

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
09:10:31 up 7 days, 16:38, 1 user, load average: 0.70, 0.41, 0.45
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-33-generic




Re: bb.barracudacentral.org

2017-09-15 Thread Chris
On Fri, 2017-09-15 at 20:35 -0400, Kevin A. McGrail wrote:
> On 9/15/2017 8:22 PM, RW wrote:
> > 
> > $ grep -ri barracudacentral /var/db/spamassassin/
> > /var/db/spamassassin/3.004001/updates_spamassassin_org/72_active.cf:header RCVD_IN_BRBL_LASTEXT   eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
> > 
> That sounds like a mistake.  Does it meet our default RBL inclusion 
> policy?  Will look into this.

Ok, I see now that in 72_active.cf there is

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_BRBL_LASTEXT   eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
tflags RCVD_IN_BRBL_LASTEXT   net
endif
##} RCVD_IN_BRBL_LASTEXT ifplugin Mail::SpamAssassin::Plugin::DNSEval

The DNSEval plugin is called here:

# Plugins which used to be EvalTests.pm
# broken out into separate plugins
loadplugin Mail::SpamAssassin::Plugin::Bayes
loadplugin Mail::SpamAssassin::Plugin::BodyEval
loadplugin Mail::SpamAssassin::Plugin::DNSEval
loadplugin Mail::SpamAssassin::Plugin::HTMLEval
loadplugin Mail::SpamAssassin::Plugin::HeaderEval
loadplugin Mail::SpamAssassin::Plugin::MIMEEval
loadplugin Mail::SpamAssassin::Plugin::RelayEval
loadplugin Mail::SpamAssassin::Plugin::URIEval
loadplugin Mail::SpamAssassin::Plugin::WLBLEval

in /etc/mail/spamassassin/v320.pre

I can't just comment this out

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_BRBL_LASTEXT   eval:check_rbl('brbl-lastexternal','bb.barracudacentral.org')
tflags RCVD_IN_BRBL_LASTEXT   net
endif

since whenever a new 72_active.cf rule is downloaded it will be overwritten
anyway. By the same token I can't just turn off the DNSEval plugin since there
are other rules that use that plugin. It looks to me that I'll just ignore it
since, as I said at first, it's not causing any other issues; it's just something
that had been nagging at me since I keep seeing it and wondering why.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:44:07 up 7 days, 3:12, 1 user, load average: 0.55, 2.25, 2.56
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-33-generic




Re: bb.barracudacentral.org

2017-09-15 Thread Chris
On Fri, 2017-09-15 at 18:20 -0400, Kevin A. McGrail wrote:
> On 9/15/2017 5:50 PM, Chris wrote:
> > 
> > It's not a 'show stopper' it's just annoying to keep seeing this
> > and
> > wondering what the cause is.
> You have configured your installation with the Baraccuda Reputation 
> Black List but likely not subscribed your IP address.
> 
> See http://barracudacentral.org/rbl
> 
> I don't think rules are enabled for that by default.
> 
Thanks Kevin, problem is I have a dynamic IP therefore unless I'm
misunderstanding something I can't list IP addresses on the access
form. Here is the only rule that I can find in my local.cf referencing
Barracuda but I have it commented out:

# header __RCVD_IN_BRBL   eval:check_rbl('brbl', 'bb.barracudacentral.org')
# describe __RCVD_IN_BRBL received via a relay in bb.barracudacentral.org
# header RCVD_IN_BRBL_RELAY   eval:check_rbl_sub('brbl', '127.0.0.2')
# tflags RCVD_IN_BRBL_RELAY   net
# describe RCVD_IN_BRBL_RELAY  received via a relay rated as poor by Barracuda
# score   RCVD_IN_BRBL_RELAY  0

# header RCVD_IN_BRBL eval:check_rbl('brbl-lastexternal', 'b.barracudacentral.org.', '127.0.0.2')
# describe RCVD_IN_BRBL   Received via relay listed in Barracuda RBL
# score RCVD_IN_BRBL  0
# tflags RCVD_IN_BRBL net


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
17:40:56 up 7 days, 1:09, 1 user, load average: 0.69, 0.79, 0.72
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-33-generic




bb.barracudacentral.org

2017-09-15 Thread Chris
I wasn't quite sure what to put for the subject line. I didn't want to
include the whole issue I'm seeing as I wanted to put it below. Every
time SA is run on a message I'm seeing:

spamd[15128]: spamd: processing message <1f44a5c57d9ff7ab8a90e109b.6708c37fa7.20170915204926.d9a014b97f.eaede...@mail190.atl81.rsgsv.net> for chris:1000
localhost named[1284]: connection refused resolving '190.129.2.198.bb.barracudacentral.org/A/IN': 64.235.154.72#53

Is this an issue with an SA rule or some kind of an issue with Bind?
I'm only using it as a caching name server. When running the message
through spamassassin -D -t I see:

dns: checking RBL bb.barracudacentral.org., set brbl-lastexternal

async: launching A/190.129.2.198.bb.barracudacentral.org for
dns:A:190.129.2.198.bb.barracudacentral.org

dns: providing a callback for id:
28604/IN/A/190.129.2.198.bb.barracudacentral.org

async: starting: DNSBL-A, dns:A:190.129.2.198.bb.barracudacentral.org
(timeout 10.0s, min 2.0s)

dns: dns reply to 28604/IN/A/190.129.2.198.bb.barracudacentral.org:
NXDOMAIN

async: calling callback on key
dns:A:190.129.2.198.bb.barracudacentral.org

async: completed in 1.024 s: DNSBL-A,
dns:A:190.129.2.198.bb.barracudacentral.org

async: timing: 1.024 . dns:A:190.129.2.198.bb.barracudacentral.org

It's not a 'show stopper' it's just annoying to keep seeing this and
wondering what the cause is.


-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
16:38:35 up 7 days, 6 min, 1 user, load average: 0.72, 0.61, 0.66
Description:Ubuntu 16.04.3 LTS, kernel 4.10.0-33-generic



