Re: RDJ handling question

2007-04-26 Thread Chris Thielen
Bowie Bailey wrote:
 RDJ is supposed to download to the RulesDuJour directory.  After it
 downloads the files there, it moves them from ${TMPDIR} to ${SA_DIR}.
 ${TMPDIR} is RDJ's working directory.  You don't want SA reading its
 rules from there.  RDJ may have multiple copies of each rule file
 stored there.

   

This is correct. 

To the OP, try deleting all the SARE rules from /etc/spamassassin then
run RDJ once more.  All the latest versions of the SARE rules should
then appear in /etc/spamassassin.



Rules du Jour (RDJ) and AntiDrug

2006-12-08 Thread Chris Thielen

To all RDJ users:

I have removed ANTIDRUG from the script because the author requested 
it.  The antidrug ruleset is included in SpamAssassin 3.0 and above, and 
is not being actively updated for use with SpamAssassin 2.64.


After updating your system with RDJ version 1.30 or higher you will 
receive occasional warnings until you remove ANTIDRUG from the 
TRUSTED_RULESETS in the RDJ config file.



Also, sorry for releasing so many updates to RDJ in such a short time 
period!


Chris Thielen


Re: RulesDuJour 1.29 - SARE Stocks Ruleset) not found (404)

2006-12-06 Thread Chris Thielen

Sorry about that!  It's fixed now and 1.29b is available on the web site.

Max Matslofva wrote:

Hi

RulesDuJour 1.29 tries to fetch 70_sare_stocks.cf from 
http://www.rulesemporium.com/rules/rules/70_sare_stocks.cf
The correct URL for 70_sare_stocks.cf is 
http://www.rulesemporium.com/rules/70_sare_stocks.cf


See patch below

/Max



--- rules_du_jour   Wed Dec  6 08:45:55 2006
+++ rules_du_jour.org   Wed Dec  6 08:45:36 2006
@@ -565,7 +565,7 @@
 PARSE_NEW_VER_SCRIPTS[69]=${PERL} -ne 'print if 
/^\s*#.*(version|rev|revision)[:\.\s]*[0-9]/i ;' | ${HEAD};


 SARE_STOCKS=70;
-  CF_URLS[70]=${RULESEMPORIUM}/70_sare_stocks.cf;
+  CF_URLS[70]=${RULESEMPORIUM}/rules/70_sare_stocks.cf;
  CF_FILES[70]=70_sare_stocks.cf;
  CF_NAMES[70]=SARE Stocks Ruleset);
 PARSE_NEW_VER_SCRIPTS[70]=${PERL} -ne 'print if 
/^\s*#.*(version|rev|revision)[:\.\s]*[0-9]/i ;' | ${HEAD};
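Review bot: The hunk is reversed relative to the fix described in the message. The file headers put rules_du_jour on the old side and rules_du_jour.org on the new side, so the `+` line CF_URLS[70]=${RULESEMPORIUM}/rules/70_sare_stocks.cf is the original value that yields the doubled /rules/rules/ path, and the `-` line is the corrected one. Applied as posted it would put the 404 back; regenerate it with the original file first (diff -u rules_du_jour.org rules_du_jour) or apply it with patch -R. Separately, the context line CF_NAMES[70]=SARE Stocks Ruleset); carries a stray closing parenthesis, which also shows up in the error text quoted in the subject, and is worth removing in the same change.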






Re: Rules Du Jour briken?

2006-11-17 Thread Chris Thielen
I emailed the maintainer of exit0.us asking about the wiki site.  Here 
is what he said:


Thanks for the concern Chris, I appreciate it. To make a long story 
short, the person that offered to host the site (Matt) no longer works 
at that company. So without contacting me, they removed the site. Matt 
is going to get me the database from the site. So what I'm going to work 
on, now that I have time, is repairing the site and moving it back out 
to a server. I have no idea as to how long that will take since I plan 
on moving it to different wiki software that will hopefully be less 
prone to wiki vandalism.


You can forward this out to the SA community if you want.

AltGrendel



I am trying to piece together the information that was in the wiki using 
google cache, wayback, etc.  In the meantime, you can get the script 
itself from http://sandgnat.com/rdj/rules_du_jour


Chris Thielen



twofers wrote:

Is this link having problems that anyone knows of?
 
http://www.exit0.us/index.php?pagename=RulesDuJour
 
I can't get to Rules Du Jour.
 
Thanks,
 
Wes










Re: Where to submit SARE rule patches?

2006-11-14 Thread Chris Thielen

Peter H. Lemieux wrote:
 Is this a good place for this?

I caught it, but a better place would be sare-users list
http://lists.maddoc.net/mailman/listinfo/sare-users

 If so, I'd like to propose the following fix to 70_sare_adult.cf:

I'm not the maintainer of that ruleset, but I will run the proposed 
change through the masscheckers.

Thanks for the patch!

Chris Thielen




Re: Fix for RDJ update issue

2006-10-20 Thread Chris Thielen
Thank you for posting this. 

Unfortunately after RDJ downloaded all those parking pages, their 
timestamps were then LATER THAN the timestamps on the real rules files.  
Because of this, the if-modified-since checks all returned false and the 
real rulesets didn't clobber the broken ones.


Chris



Bowie Bailey wrote:

The fix was to simply delete the contents of the directory and try
again.

rm /etc/mail/spamassassin/RulesDuJour/*
./rules_du_jour

--
Bowie

  




Re: sa-update versus rulesdujour questions

2006-10-20 Thread Chris Thielen

Jo Rhett wrote:

Is there any difference here that I'm overlooking?  Any advantage to RDJ?

And leading to my next point, given that sa-update is working fine -- 
isn't rdj going to be slimmed down to just the part that restarts the 
process after running sa-update?


Hi Jo,

I'm the author of RDJ.  I wrote it for the purpose of updating the then 
blossoming field of 3rd party rulesets at a time when there was no 
official update mechanism in SA.  Now that there *is* an official SA 
update mechanism, I have no plans to further enhance RDJ.  I will 
continue to fix bugs and add rulesets to the default list, if people 
request so.  There will be no slimming-down since I see no reason to 
surprise 5000 users by making them change what works fine for them now :).


The discussion of pros and cons for implementing sa-update or rdj has 
already been handled nicely by other people, so I won't go into that.  
Want my advice as the RDJ author?  Use sa-update.  If you want to update 
a ruleset which has no sa-update channel then set up RDJ at that time 
and use it in conjunction with sa-update.


Chris T.


PS sorry I got into this conversation so late.  I tend to track my 
mailing lists infrequently


Re: sa-update versus rulesdujour questions

2006-10-20 Thread Chris Thielen

Theo Van Dinter wrote:

FWIW, it happens to be the official tool since no one ever submitted
RDJ to be the official tool, so we had to write our own.
  

I would have offered, had I known there was any interest.

Chris T.


Re: Antidrug.cf, call to cease RDJ updates.

2006-09-06 Thread Chris Thielen


Matt Kettler wrote:

Chris Thielen wrote:
  

Does antidrug still get updates?  If you are going to continue



Well, eventually I might do some updates and split antidrug into
antidrug-pre30.cf, antidrug-30x.cf, antidrug-31x.cf, etc. But my spare
time is near zero nowadays. I've got a 7-week old and a very busy job.

However, antidrug.cf by that exact name will never be updated except
when I put up the error-text.
  

I feel your pain on the freetime problem...

I'm trying to decide the best way to deprecate your old URL and/or 
ruleset name in RDJ.  Since antidrug.cf is currently the pre30 ruleset 
(AFAIK) it seems to make sense to use the existing RDJ name ANTIDRUG for 
antidrug-pre30.cf whenever you put it somewhere, then add new RDJ 
names for the additional antidrug files you create (eventually).


If hosting the antidrug-pre30.cf is a problem for you in the short term, 
I can host the *existing* copy of antidrug.cf on my sandgnat.com server, 
rename it to antidrug-pre30.cf, and point the RDJ name ANTIDRUG to the 
new URL.  Then when you get a new host and have the files back online I 
can change the URL to wherever you are hosting it.


Let me know what you think.

Chris


PS congrats on the baby!


Re: Antidrug.cf, call to cease RDJ updates.

2006-09-05 Thread Chris Thielen

Matt,

Does antidrug still get updates?  If you are going to continue 
publishing updates to antidrug I will change the URL in RDJ to wherever 
you eventually move it.  If, however, there are no additional updates 
foreseen it should probably be removed from RDJ altogether.


LMK.

Chris Thielen

Matt Kettler wrote:

Although not yet definite, I am likely switching ISPs starting next
Friday. It is my intent to keep the Comcast account active for about 4
weeks as a fall-back if the new ISP doesn't work out.

However, this means antidrug.cf will be moving, and at some point after
I shut down the account the web hosting will become inactive.

It also means that eventually someone else might get assigned the same
username. This person could possibly pick up on the fact that their
account is being accessed by auto-updaters and attempt to publish a rule
file of a hostile nature (ie: beneficial to spammers, or attempting to
exploit the rule parser).

So, here's your first (of 3) warning to disable RDJ for antidrug until
the move is completed. (If you have SA 3.0.0 or higher you shouldn't be
using antidrug.cf anyway).

I will post another warning 2 weeks before I disconnect the account. By
that time I should also have the new home for antidrug set up and will
post that link.

At 1 week prior, I will post a third warning, and change the file to a
file that will cause errors when loaded into SA and contain warning text
telling them what's going on. I know it's not very nice, but RDJ should
roll the file back just fine, and I really want to make sure folks know
to stop auto-updating. I'm significantly more concerned about leaving
folks vulnerable to an untrusted person adding hostile rules to their
config than any chance of RDJ screwing up the roll-back.

(For reference, I'm switching to Verizon FIOS. FIOS is the only other
practical service available at my address besides Comcast cable.
Satellite, dialup or 640k DSL with twice-daily service outages due to
poor line quality are also options, but all impractical. And yes, I know
Verizon is a bunch of evil, greedy bastards with horrible customer
service, loads of spambots on their lines, and a tendency to spam their
own customers. All of the same is true of Comcast, and at least Verizon
is a bit cheaper and possibly less prone to 2-week outages following
thunderstorms.)
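
A download gate for the two failure modes discussed on this page: the hostile-replacement risk in the warning above, and the parking pages from the "Fix for RDJ update issue" message that were saved as rule files. This is an added example, not code from RDJ or from the posters; the function names, the keyword subset and the sample files are constructed for illustration. A ruleset that is frozen (as antidrug.cf is said to be) can be pinned to a digest, while an updating ruleset only gets a shape check, and a rejected download is never written to disk, so it cannot leave a fresh timestamp behind.

```python
import hashlib
import os
import tempfile

# Assumption: a small subset of SpamAssassin rule keywords, enough to tell a
# ruleset from a web page; this is not the full configuration grammar.
RULE_KEYWORDS = (b"header", b"body", b"rawbody", b"uri", b"full", b"meta",
                 b"score", b"describe")

# Constructed sample inputs (not real rulesets or real pages).
GOOD = (b"# constructed sample ruleset\n"
        b"body EX_FROZEN_RULE /example phrase/i\n"
        b"score EX_FROZEN_RULE 0.1\n")
PARKING = (b"<!DOCTYPE html>\n<html><head><title>This domain is parked"
           b"</title></head><body>...</body></html>\n")
TAMPERED = GOOD.replace(b"score EX_FROZEN_RULE 0.1", b"score EX_FROZEN_RULE 9.9")

# Digest of the known-good copy, recorded while the source was still trusted.
PIN = hashlib.sha256(GOOD).hexdigest()


def vet_ruleset(data, pinned_sha256=None):
    """Return (ok, reason) for a downloaded candidate rules file."""
    if not data.strip():
        return False, "empty"
    if pinned_sha256 is not None:
        # Frozen ruleset: any change at all is a reason to refuse it.
        if hashlib.sha256(data).hexdigest() != pinned_sha256:
            return False, "digest-mismatch"
        return True, "pinned"
    # Updating ruleset: we can only check that it looks like rules.
    if data.lstrip().startswith(b"<"):
        return False, "looks-like-html"
    for line in data.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] in RULE_KEYWORDS:
            return True, "has-rules"
    return False, "no-rules"


def install(data, live_path, pinned_sha256=None):
    """Vet in memory, then stage and atomically replace live_path.

    Nothing is written when vetting fails, so the previous good copy and its
    timestamp stay in place for the next conditional fetch.
    """
    ok, reason = vet_ruleset(data, pinned_sha256)
    if not ok:
        return False, reason
    directory = os.path.dirname(live_path) or "."
    fd, staged = tempfile.mkstemp(dir=directory, prefix=".staged-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(staged, live_path)
    return True, reason


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "antidrug.cf")
        for label, blob in (("good", GOOD), ("parking", PARKING),
                            ("tampered", TAMPERED)):
            print(label, install(blob, live, PIN), install(blob, live))
```

The shape check alone accepts the tampered file, which is why the pinned digest matters for a ruleset that is no longer expected to change.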





  




Re: fetchmail and HELO_DYNAMIC_IPADDR when sender is local

2006-08-17 Thread Chris Thielen

Oooh, reply to multiple emails at once? I so crzy!


jdow wrote:


For brute force solutions you could use whitelist_from_rcvd. But even 
that is awkward. Is your office server on your trusted list?

Yeah, I tried with and without the office server on the trusted list 
with no apparent change.




Daryl C. W. O'Shea wrote:

On Wed, August 16, 2006 18:16, Chris Thielen wrote:

  CoWorker (dialup) -- mail server (office)  -- fetchmail (home) --


I tried this just now and found that removing the fetchmail headers 
doesn't change the received header parsing.  The fetchmail headers 
are being ignored because they are found outside the trusted area.


[2866] dbg: received-header: found fetchmail marker outside trusted area, ignored
[2866] dbg: received-header: parsed as [ ip=24.245.33.51 rdns=c-24-245-33-51.hsd1.mn.comcast.net helo=c-24-245-33-51.hsd1.mn.comcast.net by=mywork.com ident= envfrom= intl=0 id= auth= ]


If the fetchmail headers are being ignored then your trust path isn't 
configured right, even to that relay, so you've got no chance at 
fixing anything beyond that until you get that taken care of.


Understood...


You need to trust the following (don't bother even setting internal 
networks):


- your server (private and public IPs are good)
- your MXes if any
- your office mail server


That is precisely how I have my trusted_networks configured. 


After that, hopefully your coworker's submission relay is leaving auth 
tokens that will further extend your trust path.  If it's not (which 
looks like is the case) then, iff your office mail server is only a 
submission server and not an incoming MX you can use this patch [1] 
and configure that server IP using msa_networks.


[1] http://people.apache.org/~dos/sa-patches/msa_networks.3.1


So it seems the root of my problem is that users are connecting to the 
office smtp server (also our primary MX) without authentication.  That 
seems to be a legitimate hit for the dynamic ip lists.  However it is 
also the only legitimate smtp server for these people to use.  I guess 
the fix is to *require* authentication for users, but then I don't think 
I could use that same server for MX.


I guess for now I'll continue to use the hack-ish workaround that munges 
the headers to indicate an authenticated connection even though it's not 
really authenticated.




fetchmail and HELO_DYNAMIC_IPADDR when sender is local

2006-08-16 Thread Chris Thielen
I am using fetchmail to retrieve messages from my work account.  
However, messages sent to my work account from coworkers are being 
tagged with various dynamic IP rules.  My setup is something like this:


CoWorker (dialup) -- mail server (office)  -- fetchmail (home) -- 
spamassassin




When a message of this sort is retrieved, I get these rule hits:

 4.2 HELO_DYNAMIC_IPADDR  Relay HELO'd using suspicious hostname (IP addr 1)
 1.4 SPF_SOFTFAIL         SPF: sender does not match SPF record (softfail)
     [SPF failed: Please see http://spf.pobox.com/why.html?sender=blahblahblah]
-2.6 BAYES_00             BODY: Bayesian spam probability is 0 to 1%
     [score: 0.]
 2.0 RCVD_IN_SORBS_DUL    RBL: SORBS: sent directly from dynamic IP address
     [24.245.33.51 listed in dnsbl.sorbs.net]
 1.9 RCVD_IN_NJABL_DUL    RBL: NJABL: dialup sender did non-local SMTP
     [24.245.33.51 listed in combined.njabl.org]
-0.1 AWL                  AWL: From: address is in the auto white-list



From reading this thread:
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/83423/focus=83423 

it looks like there isn't a simple workable solution.  It seems like the 
sender is in the right by sending mail through my work's SMTP server 
(the problem would go away if they sent through a relay first, but I 
can't dictate how people send messages TO me).  As Raimar tried in the 
thread above, I added my work server to trusted_networks, and 
internal_networks but that's not the right way to handle this, apparently.


Is there a workable solution that doesn't require me to whitelist all my 
coworker's IP ranges?


Chris


Re: fetchmail and HELO_DYNAMIC_IPADDR when sender is local

2006-08-16 Thread Chris Thielen

Thanks for the response.

Benny Pedersen wrote:

 1.4 SPF_SOFTFAIL   SPF: sender does not match SPF record (softfail)
[SPF failed: Please see http://spf.pobox.com/why.html?sender=blahblahblah]
  


update Mail::SPF::Query

domain is not pobox but openspf

  
duly noted... I am using debian sarge which has version 1.997-2, so 
unless there are other major problems I'll just live with an older 
version right now.



On Wed, August 16, 2006 18:16, Chris Thielen wrote:
  

CoWorker (dialup) -- mail server (office)  -- fetchmail (home) --



you can make fetchmail so it does not add its own received headers
  


I tried this just now and found that removing the fetchmail headers 
doesn't change the received header parsing.  The fetchmail headers are 
being ignored because they are found outside the trusted area.


[2866] dbg: received-header: found fetchmail marker outside trusted area, ignored
[2866] dbg: received-header: parsed as [ ip=24.245.33.51 rdns=c-24-245-33-51.hsd1.mn.comcast.net helo=c-24-245-33-51.hsd1.mn.comcast.net by=mywork.com ident= envfrom= intl=0 id= auth= ]


I am going to work around the problem for now with a procmail recipe.  I 
am going to munge the received headers and replace the with SMTP to a 
false authenticated header.  That isn't a pretty solution, nor reliable, 
but it will serve my purposes for now.


Thanks for listening


Re: Looking for advice on rule creation regular expressions

2006-08-03 Thread Chris Thielen

Coffey, Neal wrote:

I'm trying to create a rule to catch some of the prescription drug
references that come into our system.  We're not in pharmaceuticals, so
I'm not too concerned about false positives :)

Some examples of what I'm looking for (using an innocent drug so I don't
trip someone else's filters):

ADVwIL
ADxDVIL
ADxV1L
Advjjl
 
  


Have a look at the ReplaceTags plugin:
http://wiki.apache.org/spamassassin/ReplaceTags

Also, I have a script that will generate a rule that catches a lot of 
this type of spam in a similar manner to the ReplaceTags plugin:


http://sandgnat.com/cmos/cmos.jsp?words=advilmatchobfuonly=truemultigapenabled=truemultigap=2duplicatecharsenabled=trueduplicatechars=2

I've come up with a rule that'll match every one of those instances, but
also has the unfortunate consequence of matching plain old ADVIL:

/A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/
  

You probably want to add a negative lookahead, like so:
/(?!\badvil\b)A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/
This will look ahead for \badvil\b and if found, stop testing the rest 
of the pattern and the match fails.
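
A check of the two patterns from this message against the samples quoted in it, as an added example that is not part of the original post. It assumes the rule is applied case-insensitively (a trailing /i, which the patterns as quoted do not show), and the strings in EDGE are constructed here to show where the word-boundary guard does and does not apply.

```python
import re

# Pattern quoted in the post: catches the obfuscations but also plain ADVIL.
BASE = r"A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?"
# The same pattern with the suggested negative lookahead in front.
GUARDED = r"(?!\badvil\b)" + BASE

# Assumption: case-insensitive matching. Without it the mixed-case sample
# "Advjjl" is missed and the lower-case guard never fires on "ADVIL".
FLAGS = re.IGNORECASE

OBFUSCATED = ["ADVwIL", "ADxDVIL", "ADxV1L", "Advjjl"]   # samples from the post
PLAIN = ["ADVIL", "advil", "take advil now"]             # must not be flagged
EDGE = ["advils", "xADVIL"]                              # constructed edge cases


def hits(pattern, text, flags=FLAGS):
    """Return the matched substring, or None when the rule does not fire."""
    match = re.search(pattern, text, flags)
    return match.group(0) if match else None


def evaluate(pattern, flags=FLAGS):
    """Map every sample to what the pattern matched in it."""
    return {s: hits(pattern, s, flags) for s in OBFUSCATED + PLAIN + EDGE}


if __name__ == "__main__":
    base, guarded = evaluate(BASE), evaluate(GUARDED)
    print(f"{'sample':<16}{'base':<10}{'guarded':<10}")
    for sample in OBFUSCATED + PLAIN + EDGE:
        print(f"{sample:<16}{str(base[sample]):<10}{str(guarded[sample]):<10}")
    # The guard is lower-case, so it depends on the case-insensitive flag:
    print("guarded, case-sensitive, on ADVIL:", hits(GUARDED, "ADVIL", flags=0))
```

The guard only excludes the exact word: "advils" and "ADVIL" embedded in a longer token are still matched, because \b does not hold at those positions.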





Re: sa-update and channels

2006-03-17 Thread Chris Thielen

Michael Monnerie wrote:

On Wednesday, 15 March 2006 19:32 Theo Van Dinter wrote:
  

A channel is essentially a set of rules published by some
organization, which is accessed and downloaded via dns/http.  ie:



Would that be a possible replacement for RulesDuJour? I love that 
script, but not having to install something extra saves some energy and 
time, and that is always appreciated *g*


Kind regards, zmi
  
I'm the RDJ guy.  I admit I haven't been very active lately and haven't 
even looked at how sa-update is implemented. 

That said, my opinion is that YES indeed this is a replacement for RDJ 
in at least the SARE.  I'm sorta waiting for the sa-update framework to 
gel a bit more before we tackle getting the SARE rules published as 
channels.


However, RDJ may still be useful for those single rulesets here and 
there whose authors maybe don't have access to a DNS server, etc.
Again, I haven't taken the time to see how sa-update is actually 
implemented so I may be off base with this comment.



Chris


Re: regexp visualizer

2006-02-21 Thread Chris Thielen
Way cool!  Thanks Justin

Justin Mason wrote:
 You might find this interesting -- it's a regexp visualizer, which
 compiles a regexp into its NFA/DFA, then presents it for viewing in a
 Flash app!  It's amazing.

   http://osteele.com/tools/reanimator/

 --j.

   



Re: Over-scoring of SURBL lists...

2006-02-20 Thread Chris Thielen
I'm also catching up on this thread and wasn't sure where to reply so
I'll make my observations here.


Matt, I think you have a legitimate concern.  I think I can sum up the
points of view as follows:

1. For grey URIs (perhaps scott's, for example) and/or FPs due to
non-spam URIs being listed, a user's bayes_00 score should be capable of
dropping the spam below the 5.0 threshold.  As it sits right now, the
high scores of the uribls mean this cannot happen.

2. No, the uribls work great at *overriding* an erroneous bayes_00 score
caused by short URI-only spam messages.  It works well because the URIs
are collected in a unique manner by each list and hand-verified.

3. WTF, the uribls can't possibly FP!!!  Er, what I really mean is, why
haven't you been reporting these URIs as FPs?



Now for my opinion: I agree with Matt that the potential for FPs due to
multiple listings of grey URIs or even non-spam URIs exists and I think
he's shown that it is more than theoretical.  However, even in a
strictly theoretical argument I would still argue that the uribls
together should not be so powerful that they simply cannot be countered. 

I think it's fair to say that SpamAssassin has been designed such that
no one spam sign by itself should be utterly overpowering.  I would tend
to group the uribls together as a single type of spam-sign, even though
the vectors for getting listed happen to be different.  On the other
hand, it certainly helps accuracy that each URI is hand-checked.  On the
other other hand, as we know there will always be a grey area.


With that said, I think the idea of a base uribl score, plus additional
points per uribl has some merit.  Something like

meta (URIBL_WS_SURBL | URIBL_JP_SURBL  etc) 3
score URIBL_WS_SURBL 1.5
... etc

as an example (I think this may have been suggested already but I have
read so many posts now I can't remember what came from my head and what
came from yours)



Now for a scoring question: isn't the perceptron supposed to factor out
decisively overlapping rules?  If so, why the enormously high scores for
all the different uribls?  From my stats, I get 50% of spam that hits
SURBL hitting 4 or 5 of the SURBL lists.  Shouldn't the perceptron have
noticed that and lowered the scores?  Or is the bug in mass-check which
Theo mentioned causing the scores to not be deflated?



OK I think I'm done rambling now!

Chris Thielen









Re: Over-scoring of SURBL lists...

2006-02-17 Thread Chris Thielen
Matt Kettler wrote:
 Jeff Chan wrote:
   
 There may be some value in not lumping together URIBL.com and
 SURBL.org lists.  As you can see the performance of the lists are
 different, and the way they're created is different too.  That
 makes it harder for us to respond to comments that seem to not
 take those differences into account.  
 
 Did you see Theo's test data from yesterday?

  35.418  41.1930   0.1.000   0.900.00  URIBL_JP_SURBL
  34.665  40.3177   0.1.000   0.880.00  URIBL_SC_SURBL
  26.069  30.3204   0.1.000   0.800.00  URIBL_AB_SURBL
  28.024  32.5464   0.29150.991   0.610.00  URIBL_OB_SURBL
  48.113  55.7492   1.28730.977   0.550.00  URIBL_BLACK
   0.293   0.3406   0.1.000   0.470.00  URIBL_PH_SURBL
   0.000   0.   0.0.500   0.420.00  URIBL_RED
   0.000   0.   0.0.500   0.420.01  T_URIBL_XS_SURBL
  37.539  42.4763   7.26260.854   0.380.00  URIBL_WS_SURBL
   0.548   0.3446   1.79740.161   0.030.00  URIBL_GREY

 I consider that highly similar for JP, SC, AB, OB and WS.

 Also, even if there are some differences, even 10% overlap would have
 the effect I'm talking about.

 I personally would like to see some statistics, but  at this point, we
 don't have any test data on this so we're arguing your theory vs mine.

 I'd love to see some results for some meta tests:

 meta SURBL_MULTI2   ((URIBL_JP_SURBL + URIBL_SC_SURBL + URIBL_AB_SURBL +
 URIBL_OB_SURBL+  URIBL_WS_SURBL) 2)
 meta SURBL_MULTI3   ((URIBL_JP_SURBL + URIBL_SC_SURBL + URIBL_AB_SURBL +
 URIBL_OB_SURBL+  URIBL_WS_SURBL) 3)
 meta SURBL_MULTI4   ((URIBL_JP_SURBL + URIBL_SC_SURBL + URIBL_AB_SURBL +
 URIBL_OB_SURBL+  URIBL_WS_SURBL) 4)
   
I whipped up a short script to calculate these stats on my spam corpus
(realtime data).  First of all, the hit rate is quite impressive.  The
last 3 months I had 67%, 74% and 72% hit rates.  However, it looks like
about 45-50% of the spam hit 4 or 5 SURBL lists.

My ham corpus looked clean of URIBL hits.  Sorry for the ugly formatting. 

Note: the month buckets listed aren't exactly accurate because they use
the Date header sent from the spammer, not the Date received header. 
This should be good enough to get an idea though.


Chris Thielen

Stats for SPAM 38 months old:
0: 98.5% ( 268 / 272 )
1: 0.0% ( 0 / 272 )
2: 0.0% ( 0 / 272 )
3: 0.7% ( 2 / 272 )
4: 0.0% ( 0 / 272 )
5: 0.7% ( 2 / 272 )
6: 0.0% ( 0 / 272 )
Stats for SPAM 37 months old:
0: 96.6% ( 281 / 291 )
1: 0.7% ( 2 / 291 )
2: 0.0% ( 0 / 291 )
3: 0.3% ( 1 / 291 )
4: 1.4% ( 4 / 291 )
5: 1.0% ( 3 / 291 )
6: 0.0% ( 0 / 291 )
Stats for SPAM 36 months old:
0: 96.5% ( 277 / 287 )
1: 0.7% ( 2 / 287 )
2: 0.3% ( 1 / 287 )
3: 0.3% ( 1 / 287 )
4: 1.0% ( 3 / 287 )
5: 1.0% ( 3 / 287 )
6: 0.0% ( 0 / 287 )
Stats for SPAM 35 months old:
0: 97.5% ( 234 / 240 )
1: 0.4% ( 1 / 240 )
2: 0.4% ( 1 / 240 )
3: 0.0% ( 0 / 240 )
4: 0.8% ( 2 / 240 )
5: 0.8% ( 2 / 240 )
6: 0.0% ( 0 / 240 )
Stats for SPAM 34 months old:
0: 39.5% ( 118 / 299 )
1: 11.7% ( 35 / 299 )
2: 11.7% ( 35 / 299 )
3: 11.0% ( 33 / 299 )
4: 25.8% ( 77 / 299 )
5: 0.3% ( 1 / 299 )
6: 0.0% ( 0 / 299 )
Stats for SPAM 33 months old:
0: 24.0% ( 76 / 317 )
1: 20.8% ( 66 / 317 )
2: 11.7% ( 37 / 317 )
3: 12.0% ( 38 / 317 )
4: 30.9% ( 98 / 317 )
5: 0.6% ( 2 / 317 )
6: 0.0% ( 0 / 317 )
Stats for SPAM 32 months old:
0: 23.6% ( 66 / 280 )
1: 18.2% ( 51 / 280 )
2: 13.6% ( 38 / 280 )
3: 13.2% ( 37 / 280 )
4: 30.7% ( 86 / 280 )
5: 0.7% ( 2 / 280 )
6: 0.0% ( 0 / 280 )
Stats for SPAM 31 months old:
0: 27.4% ( 80 / 292 )
1: 9.2% ( 27 / 292 )
2: 10.6% ( 31 / 292 )
3: 19.9% ( 58 / 292 )
4: 32.9% ( 96 / 292 )
5: 0.0% ( 0 / 292 )
6: 0.0% ( 0 / 292 )
Stats for SPAM 30 months old:
0: 27.4% ( 83 / 303 )
1: 14.9% ( 45 / 303 )
2: 14.9% ( 45 / 303 )
3: 10.6% ( 32 / 303 )
4: 32.3% ( 98 / 303 )
5: 0.0% ( 0 / 303 )
6: 0.0% ( 0 / 303 )
Stats for SPAM 29 months old:
0: 27.1% ( 82 / 303 )
1: 13.5% ( 41 / 303 )
2: 11.6% ( 35 / 303 )
3: 15.8% ( 48 / 303 )
4: 19.8% ( 60 / 303 )
5: 12.2% ( 37 / 303 )
6: 0.0% ( 0 / 303 )
Stats for SPAM 28 months old:
0: 14.4% ( 40 / 277 )
1: 11.9% ( 33 / 277 )
2: 17.7% ( 49 / 277 )
3: 15.2% ( 42 / 277 )
4: 16.6% ( 46 / 277 )
5: 24.2% ( 67 / 277 )
6: 0.0% ( 0 / 277 )
Stats for SPAM 27 months old:
0: 18.3% ( 56 / 306 )
1: 9.2% ( 28 / 306 )
2: 18.6% ( 57 / 306 )
3: 15.4% ( 47 / 306 )
4: 13.7% ( 42 / 306 )
5: 24.8% ( 76 / 306 )
6: 0.0% ( 0 / 306 )
Stats for SPAM 26 months old:
0: 21.8% ( 49 / 225 )
1: 10.2% ( 23 / 225 )
2: 20.0% ( 45 / 225 )
3: 14.2% ( 32 / 225 )
4: 12.0% ( 27 / 225 )
5: 21.8% ( 49 / 225 )
6: 0.0% ( 0 / 225 )
Stats for SPAM 25 months old:
0: 22.2% ( 59 / 266 )
1: 13.9% ( 37 / 266 )
2: 19.2% ( 51 / 266 )
3: 13.2% ( 35 / 266 )
4: 18.0% ( 48 / 266 )
5: 13.5% ( 36 / 266 )
6: 0.0% ( 0 / 266 )
Stats for SPAM 24 months old:
0: 20.4% ( 51 / 250 )
1: 13.2% ( 33 / 250 )
2: 17.6% ( 44 / 250 )
3: 16.8% ( 42 / 250 )
4: 14.0% ( 35 / 250 )
5: 18.0% ( 45 / 250 )
6: 0.0% ( 0 / 250 )
Stats for SPAM

Re: combined distribution of email list

2006-02-14 Thread Chris Thielen
Barton L. Phillips wrote:

 Is there a combined list distribution? Many other email lists
 distribute one combined email per day instead of dozens of separate
 email. The volume of emails makes it hard to keep up .

One thing you can do is set up a separate folder for each mailing list
you subscribe to.  Use your mail client's filtering capabilities to move
the incoming emails into their own folder.

With this list, you can match on the following email header:

List-ID: users.spamassassin.apache.org


signature.asc
Description: OpenPGP digital signature


Re: Pump and Dump SARE rules

2006-01-29 Thread Chris Thielen

Doc Schneider wrote:


http://rulesemporium.com/rules/70_sare_stocks.cf

Is the latest addition to the SARE rule sets.

-Doc (SARE Ninja)


Added to RDJ version 1.28 as SARE_STOCKS




Re: New RDJ configs..

2006-01-26 Thread Chris Thielen

Martin Hepworth wrote:


Hi all (and Chris Thielen specifically)

I'm trying to create some new RDJ config sets ... here's an example


JG_badhosts=9006;

CF_URLS[9006]=http://files.grayonline.id.au/rules/local_badhosts.
cf;
CF_NAMES[9006]=James Gray's badhost rules;
PARSE_NEW_VER_SCRIPTS[9006]=${PERL} -ne 'print if
/^\s*#.*(version|rev|revision
|,v)[:\.\s]*[0-9]/i ;' | sort | tail -1;
#CF_MUNGE_SCRIPTS[9006]=nothing for this ruleset.;

(watch those line breaks!)

Anyway when I run RDJ with this in the trusted ruleset I get the following
file in /etc/mail/spamsassassin

local_badhosts.cf.2

(NB the .2 at the end of filename)

Why? 


In /etc/mail/spamsassassin/RulesDuJour the filename is correct with the .cf
at the end not the .2?




Hi Martin,

Add a CF_FILES[9006]=local_badhosts.cf to your conf file; that should 
do the trick.  Give that a shot and let me know.


Chris





Re: New RDJ configs..

2006-01-26 Thread Chris Thielen

Martin Hepworth wrote:

Why? 


In /etc/mail/spamsassassin/RulesDuJour the filename is correct with the .cf
at the end not the .2?
 


Sorry for the rapid fire response.

As for why?:

The script doesn't currently autodetect the filename being downloaded.  
If no filename is set, the CF_FILE var is empty.  The line that is 
causing your issue is:


   [ -f ${TMPDIR}/${CF_BASENAME}.2 ] && mv -f ${TMPDIR}/${CF_BASENAME}.2 ${SA_DIR}/${CF_FILE};


Since CF_FILE is empty, it simply moves CF_BASENAME.2 to SA_DIR/  
(instead of SA_DIR/CF_FILE)


HTH




Re: Real-Time Stats Plugin Released

2005-12-28 Thread Chris Thielen

James Keating wrote:

Well the simplest fix is the one that I did not implement in the first 
place, using ON DUPLICATE KEY.  However, I did not implement that 
because of its only being in version 4.1 of MySQL and I still use 
Debian stable for most production machines, which runs 4.0.x.


Anyway, I will poke at it some more.

Read on for a portable fix called optimistic locking. 



Pseudocode follows.  I assume you are doing something like this:

select ham from table where user = $user;
$ham++;
update table set ham = $ham where user = $user;



You can instead do something like this:

while (!success) {
 select ham from table where user = $user;   # read the current value into $currentham
 $newham = $currentham + 1;
 update table set ham = $newham where user = $user and ham = $currentham;
 success = (getRowsUpdated() > 0);
}


What this does is update the row only if the value of table.ham has not 
changed.  The updated row count is checked.  If it is greater than 0 
(your row was indeed updated) then you set the success flag and 
continue.  If the updated row count is 0 you know the data has changed 
unexpectedly and must redo the entire read/modify/write cycle.




Usually this approach is done by adding a separate version column that 
is tested and updated, but in this case the ham or spam counters can be 
substituted.  It is called optimistic locking because you assume 
(optimistically) that your update will usually succeed; eg: that nobody 
else has updated the data without you knowing.  It's not really locking, 
but rather a concurrent update detection mechanism which the application 
then must handle programmatically.




Re: Rules_du_hour and SAREs rules

2005-12-22 Thread Chris Thielen

LuKreme wrote:


what I get is:

No index found for ruleset named SARE_HTML.  Check that this  ruleset 
is still valid.


No index found for ruleset named SARE_OBFU.  Check that this  ruleset 
is still valid.


No index found for ruleset named SARE_URI_ENG.  Check that this  
ruleset is still valid.



The first four items dl and check just fine, but not the last three.   
Needless to say, I am a bit puzzled.  Two of them are general  
listings (SARE_HTML and SARE_OBFU and the other is a subcategory  
(SARE_URI_ENG)



Hrm, now that *is* puzzling!  Are you using RDJ version 1.27 (latest 
release)?  Would you send me your config file as an attachment?


Chris




Re: Antidrug.cf deprecated and no longer maintained.

2005-12-01 Thread Chris Thielen
Matt Kettler wrote:

 At 08:57 AM 12/1/2005, Bowie Bailey wrote:

 Doesn't RDJ have a rule renaming feature? I seem to remember getting
 a message from RDJ at one point saying that one of the SARE rules had
 changed names.


 Renaming is quite different. If you re-name, at least your users will
 know about it because their downloads will fail.

 Replacing the file contents with nothing comments will generate no
 warnings, no errors, and no one will notice.

Indeed, RDJ allows a ruleset name to be changed with no end user
intervention. You could change your ruleset name from antidrug.cf to
antidrug_pre300.cf (and notify me, of course) and it wouldn't cause 404s
or any other visible errors to RDJ users. This doesn't really solve the
problem though, except that you can then reuse the antidrug.cf filename
for further post-3.00 releases.



Did SA 2.6x support any if* statements in rulesfiles like 3.0 does (eg:
ifplugin)?




Re: Subject only rewritten sometimes?

2005-12-01 Thread Chris Thielen

Hi James,


James Feger wrote:


I have set my local.cf to look for a hit score of 7.0 or higher. I am
receiving email and spamd is processing it as spam, attaching a score, and
adding the default message at the top of the email (Email has been tagged
as possible spam by the system...or whatever).  However, the Subject
rewrite is not getting performed.  For some emails, the rewrite occurs,
but not all of them.



Nothing looks horribly wrong to me with your setup.   See if you can 
reproduce the no-rewrite state with an email you have received which did 
not get the subject rewritten.  Remove the spamassassin markup and 
re-send the message through spamassassin (pipe a marked-up email through 
spamassassin -d).  Then, run it through spamc once, twice, three 
times.  Does it fail to rewrite the header here each time?  If it 
doesn't fail, the problem may be outside SA.  If it does fail to rewrite 
the header each time, then try passing it through spamassassin (not 
spamc).  Does it fail?  Also, enable -D when passing it to spamassassin 
and look for any problems in the debug output.



If you don't know, spamc/spamd are the client/server version of the 
spamassassin command.  The spamassassin command itself launches a perl 
interpreter each and every time it's run.



Chris Thielen




Re: SARE stock ruleset? (Re: custom rule help)

2005-11-16 Thread Chris Thielen

Wolfgang Zeikat wrote:

SARE is about to release a stock ruleset. Looks really good. I was going to
work on one, then I saw the ninjas have it under control, and I'm just
sitting back and watching the fun. Not sure on the release date.




GO, ninjas, GO!
Any news when that one is going to be available?



It's looking really good, it seems ready to go to me.   I'll ping the 
other ninjas.




Re: Rules Du Jour Script Error

2005-11-14 Thread Chris Thielen

Hi Tracey!


Tracey Gates wrote:

I have followed the installation steps from the Rules Du Jour site 
(http://www.exit0.us/index.php?pagename=RulesDuJour) and am trying 
to run the script manually but I get the following error:
 
[EMAIL PROTECTED] sbin]# ./rules_du_jour

: bad interpreter: No such file or directory



That is usually due to bad line endings.  Are you using cygwin?  Open 
the file in vi and do:


:set fileformat=unix
:wq

-or-

:set fileformat=dos
:wq

depending on cygwin or not (cygwin == dos, other == unix).

It doesn't seem to like the #!/bin/bash line.  I haven't changed any of 
the script and have it executable.  I have my configuration 
file as /etc/rulesdujour/config as stated in the installation steps.  
I have also made sure that bash is located in the /bin directory and 
it is there.  I am trying to run the script as root so there shouldn't 
be any permissions problems.
 
I'm not sure why I'm getting this error or what to do to correct it.  
Can someone please help me?



HTH!

Chris


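The line-ending check behind this answer, for the non-Cygwin (unix) case, as an added example that is not part of the original post or of the RDJ script. The helper names and the sample file are made up for illustration.

```shell
#!/bin/sh
# A literal carriage return, used in the patterns below.
CR=$(printf '\r')

# True when the first line is a shebang that ends in a carriage return.
# The kernel is then asked to run "/bin/bash<CR>", which does not exist; the
# CR in the error text moves the cursor back to column 0, so the terminal
# shows only ": bad interpreter: No such file or directory".
has_cr_shebang() {
    head -n 1 "$1" | grep -q "^#!.*${CR}\$"
}

# Strip one trailing CR from every line. The result is written back with
# cat (same inode), so the executable bit and the ownership are kept.
to_unix_endings() {
    tmp=$(mktemp) || return 1
    sed "s/${CR}\$//" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample: a two-line script saved with DOS (CRLF) line endings.
make_dos_sample() {
    sample=$(mktemp) || return 1
    printf '#!/bin/bash\r\necho ok\r\n' > "$sample"
    chmod +x "$sample"
    echo "$sample"
}

# Stand-alone run: build the sample, detect the problem, repair it.
f=$(make_dos_sample)
if has_cr_shebang "$f"; then
    echo "CR found in shebang of $f, converting to unix line endings"
    to_unix_endings "$f"
fi
rm -f "$f"
```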


Re: First time home made rule not doing what I was thinkin....

2005-11-10 Thread Chris Thielen

James Lay wrote:


Here's the rule:

body     GATEWAY_001 /tripod\.com/i
score    5
describe match tripod.com

Here's the result:

Nov  9 13:42:03 gateway spamd[17880]: spamd: result: . -2 
-ALL_TRUSTED,AWL,BAYES_00,GATEWAY_001
scantime=0.6,size=1213,user=spamfilter,uid=1004,required_score=3.4,rhost=localhost,raddr=127.0.0.1,rport=/var/spool/spamfilter/spamd,mid=[EMAIL
 PROTECTED],bayes=0,autolearn=ham

Did I totally miss something?  Thanks!

James

 


You want this:

body     GATEWAY_001 /tripod\.com/i
score    GATEWAY_001 5
describe GATEWAY_001 match tripod.com




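A quick offline check for the mistake corrected above (score and describe lines that omit the rule name), as an added example that is not part of the thread. `lint_sa_rules` and the two sample functions are hypothetical names; `spamassassin --lint` remains the authoritative check.

```shell
#!/bin/sh
# Read SpamAssassin rule text on stdin and report score/describe lines that
# do not name a rule. Exit status is 1 when at least one problem is found.
lint_sa_rules() {
    awk '
        # Rule definitions: remember every name defined in this input.
        $1 ~ /^(body|rawbody|full|header|uri|meta)$/ { defined[$2] = 1; next }

        # score NAME VALUE: the second field must be a rule name, not the number.
        $1 == "score" && ($2 !~ /^[A-Za-z_][A-Za-z0-9_]*$/ || NF < 3) {
            printf "line %d: score is missing a rule name\n", NR
            bad = 1
            next
        }

        # describe NAME TEXT: checked in END, once all definitions are known.
        $1 == "describe" { dline[++n] = NR; dname[n] = $2 }

        END {
            for (i = 1; i <= n; i++)
                if (!(dname[i] in defined)) {
                    printf "line %d: describe names \"%s\", which is not a rule defined here\n", dline[i], dname[i]
                    bad = 1
                }
            exit bad + 0
        }
    '
}

# The rule as first posted in the thread (rule name only on the body line).
broken_rule() {
cat <<'EOF'
body     GATEWAY_001 /tripod\.com/i
score    5
describe match tripod.com
EOF
}

# The corrected rule from the reply.
fixed_rule() {
cat <<'EOF'
body     GATEWAY_001 /tripod\.com/i
score    GATEWAY_001 5
describe GATEWAY_001 match tripod.com
EOF
}

# Stand-alone run: the first call reports lines 2 and 3, the second is silent.
broken_rule | lint_sa_rules || true
fixed_rule | lint_sa_rules
```

The describe check only knows rules defined in the same input, so a describe line for a rule defined in another file would be reported as well.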


Re: [OTAnn] Feedback

2005-11-08 Thread Chris Thielen

Matt Kettler wrote:


shenanigans wrote:
 


I was interested in getting feedback from current mail group users.

We have mirrored your mail list in a new application that provides a
more aggregated and safe environment which utilizes the power of broadband.

Roomity.com v 1.5 is a web 2.01 community webapp. Our newest version
adds broadcast video and social networking such as favorite authors and
an html editor.

It's free to join and any feedback would be appreciated.
   



Oh, joy.. just what the world needs.. YAFWATSNRP. (Yet Another -- Web Applet
That Serves No Real Purpose.)
 

Actually, it's even better.  It's a full fledged java app that requires 
full system privs to run'


Of course I'll download and launch your trusted application, mr 
'shenanigans', why not?!




Re: [RDJ] rules_du_jour changelog?

2005-11-07 Thread Chris Thielen

Josh Trutwin wrote:


Is there a full changelog available online or otherwise for the
rules_du_jour script?  I'm going to upgrade to the latest version but
I'm skipping a number of versions and I want to make sure I'm on top
of all the updates.

Thx,

Josh

 


Hi Josh,

No there isn't, but I can make one for ya back to version 1.18b (attached).

Chris
# Version 1.27  Removed deprecated SARE ruleset: SARE_RATWARE (thanks to both 
Patrick Eisenacher and Andrea G, independently).  Added sanity check for write 
permissions before doing anything (thanks Richard).  Added lint check at the 
BEGINNING as a sanity check.  Added German Rules from Michael Monnerie
# Version 1.26  Removed deprecated SARE ruleset: SARE_RATWARE (thanks to both 
Patrick Eisenacher and Andrea G, independently).  Added sanity check for write 
permissions before doing anything (thanks Richard).  Added lint check at the 
BEGINNING as a sanity check.
# Version 1.25  Fixed PARSE_NEW_VERSION_SCRIPT for all SARE rulesets to use 
'head -n 1' instead of 'sort | tail -n 1'.  This fixes some SARE rulesets 
updating, but the RDJ report email not showing the correct version number.  
Thanks for the bug report Patrick
# Version 1.24  Added SARE_WHITELIST_SPF and SARE_WHITELIST_RCVD (new 
network-test whitelists)
# Version 1.23  Updated William Stearns' SA-Blacklist URLs
# Version 1.22  Modified MAILCMD to use sh -c so full pipes may be used to 
pre-process mail messages. Switched from 'tail -1' to 'tail -n 1' (same with 
'head -1').  Solaris users who don't have POSIX tail/head in /bin will still 
use 'tail -1' (incorporated patch from Robin Johnson, thanks!).
# Version 1.22  Modified MAILCMD to use sh -c so full pipes may be used to 
pre-process mail messages.
# Version 1.21  Added ALL SARE rulesets to default registry (I should have done 
this LOONG ago!).  Please email me directly with new rulesets to add to the 
standard registry.  [EMAIL PROTECTED] (Chris Thielen)
# Version 1.20  Updated Tim Jackson's Bogus Virus warnings URL.  Update to this 
version of RDJ if you use Tim Jackson's Bogus Virus Warnings.
# Version 1.19  Updated SARE evilnumbers (file name(s) changed from 
evilnumbes.cf to 70_sare_evilnum0.cf through 70_sare_evilnum2.cf).  If you were 
using evilnumbers.cf previously, you will now be using 70_sare_evilnum0.cf, 
which is the least risky of the three sets.
# Version 1.18b  Added kluge to specify configfile location: RDJ_CONFIGFILE.  
Fixed SARE_HEADER version extraction.




Re: Problem with 70_sare_header.cf 01.03.16

2005-11-01 Thread Chris Thielen

Doc Schneider wrote:



You need to re-download this rule set. I believe this was fixed *last 
yesterday*.



hehe, that made me laugh out loud, thanks doc :)




Re: Would like to rewrite arbitrary headers

2005-10-30 Thread Chris Thielen

[EMAIL PROTECTED] wrote:


Greetings, battlers.

I would like to rewrite headers on incoming spam without having SA
prepend X-Spam- to them.  Two reasons:
 



I'm not sure what your set up is, but I use procmail and formail to 
rewrite headers.




Re: SARE german rules version 1.00

2005-10-27 Thread Chris Thielen

Michael Monnerie wrote:


Hello list,

I tried hard to receive more german text SPAM, and succeeded :-)
Therefore, I was able to start to write german text based rules, which I 
put in an extra file. This file already contains the actual 
netbanking.at phishing rules, and should be quite helpful.


I'd like to make it available on SARE, and maintain it. Hopefully others 
will contribute. Who should I speak with?


mfg zmi
 




Hi Michael,

If you would like, I can add your german rules to RDJ if they're 
available on a reasonably connected web site. 


Chris




Re: Need help with a simple problem

2005-10-19 Thread Chris Thielen

[EMAIL PROTECTED] wrote:


Hmmm... is it possible that you're running the email through SpamAssassin, 
attaching the report, and then running it through SpamAssassin again?

 


I agree, this is very likely what you are doing.




Re: Spamd / RDJ

2005-10-05 Thread Chris Thielen

Rosenbaum, Larry M. wrote:

Try editing /etc/rulesdujour/config and change what’s assigned to 
SA_RESTART, so that RDJ doesn’t try to restart spamd. Perhaps it 
should be restarting MailScanner instead, or run a do-nothing command.




*From:* Casey King [mailto:[EMAIL PROTECTED]
*Posted At:* Wednesday, October 05, 2005 3:57 PM
*Posted To:* sa-users
*Conversation:* Spamd / RDJ
*Subject:* Spamd / RDJ

Because RDJ –lints SA, I have tried to create a cron job that would 
stop Spamd from running. I do not want it using up so much memory 
since MailScanner calls SA on its own. My crontab looks like this:



Hi Casey,

Larry and Dhawal are correct, you shouldn't be restarting spamd if you 
don't use it (spamassassin --lint does NOT require spamd). I recommend 
changing SA_RESTART to a command that will restart MailScanner, or cause 
MailScanner to reload its config files.


Note: I don't know that mailscanner can actually reload SpamAssassin 
config files, I just assume it might have the capability.


Chris Thielen




Re: Spamd / RDJ

2005-10-05 Thread Chris Thielen

Michele Neylon :: Blacknight.ie wrote:


Chris Thielen wrote:
 


Hi Casey,

Larry and Dhawal are correct, you shouldn't be restarting spamd if you
don't use it (spamassassin --lint does NOT require spamd). I recommend
changing SA_RESTART to a command that will restart MailScanner, or cause
MailScanner to reload its config files.

   


If you are using MailScanner you should _never_ run spamd/spamc

Chris - you still need to run --lint on the SA rules.

 

Yep, RDJ will still --lint the rules using 'spamassassin --lint' before 
restarting anything as long as you don't change the value of the SA_LINT 
variable.




The way to get MS working with RDJ is to make a minor change to the script

 




SA_RESTART="/etc/init.d/MailScanner restart";  # Command used to restart spamd
 



Awesome, thanks for posting the appropriate restart command (I don't use 
MS obviously).  However, don't edit the script itself.  Instead just put 
that in the RDJ config file.


Chris Thielen




Re: RDJ Blacklist

2005-09-29 Thread Chris Thielen

Aha!

I see you've found a bug in Rules du Jour! Bill is returning a 302 http 
response code which indicates a temporary URL change. However, RDJ is 
incorrectly interpreting the 302 as a not changed.


Short term solution is to upgrade to the new RDJ with the current URL as 
you've stated. I need to fix RDJ with curl though to do the right thing.





Casey King wrote:

I think I now see the problem. The url to retrieve the blacklist-uri 
has been changed, and this is reflected in version 1.24. I also see 
there is a change form random.cf. The interesting thing I am not sure 
of….is why System B does not reflect the changes of version 1.24, but 
was still downloading the current version of blacklist-uri.cf


-Original Message-
*From:* Casey King [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, September 29, 2005 9:29 AM
*To:* SpamAssassin Users
*Subject:* RDJ Blacklist

While checking RDJ on my systems. I noticed, blacklist-uri last 
updated on 9.21.2005 on two of my systems, and on my third system, it 
is current as of today. The version of RDJ I am running on all three 
systems is 1.21. I know there is a 1.24, but I would like to get this 
working again before I decide to change to another version. I ran the 
update from the command line and piped it to a test file. Everything 
looks the same until reaching the blacklist.uri part. For some reason 
systemA says blacklist does not need updated, and systemB updates to 
the most current version. Below are snips from systemA and systemB. As 
I said before, system A is current to 9.21.2005, and system B is 9.29.2005


System A

[snip] (top of piped information)

exec: curl -w %{http_code} --compressed -O -R -s -S -z 
/etc/mail/spamassassin/RulesDuJour/rules_du_jour 
http://sandgnat.com/rdj/rules_du_jour 21


curl_output: 304

[snip]

-- BLACKLIST_URI --

RULESET_NAME=BLACKLIST_URI

INDEX=10

CF_URL=http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf

CF_FILE=blacklist-uri.cf

CF_NAME=William Stearn's URI blacklist

PARSE_NEW_VER_SCRIPT=grep -i '^#.*sa-blacklist.uri: 200' | sort | tail -1

CF_MUNGE_SCRIPT=

Old sa-blacklist.current.uri.cf already existed in 
/etc/mail/spamassassin/RulesDuJour...


Retrieving file from 
http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf...


exec: curl -w %{http_code} --compressed -O -R -s -S -z 
/etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf 
http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf 21


curl_output: 302

sa-blacklist.current.uri.cf was up to date [skipped downloading of 
http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf ] ...


System B

[snip] (top of piped information)

Curl version is 7.9 (Not 7.10 or greater). Falling back to wget.

exec: wget -N http://sandgnat.com/rdj/rules_du_jour  
/etc/mail/spamassassin/RulesDuJour/wget.log 21


wget_output: --08:36:06-- http://sandgnat.com/rdj/rules_du_jour

= `rules_du_jour'

Resolving sandgnat.com... done.

Connecting to sandgnat.com[208.42.148.125]:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 60,691 [application/octet-stream]

Server file no newer than local file `rules_du_jour' -- not retrieving.

[snip]

-- BLACKLIST_URI --

RULESET_NAME=BLACKLIST_URI

INDEX=10

CF_URL=http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf

CF_FILE=blacklist-uri.cf

CF_NAME=William Stearn's URI blacklist

PARSE_NEW_VER_SCRIPT=grep -i '^#.*sa-blacklist.uri: 200' | sort | tail -1

CF_MUNGE_SCRIPT=

Old sa-blacklist.current.uri.cf already existed in 
/etc/mail/spamassassin/RulesDuJour...


Retrieving file from 
http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf...


exec: wget -N 
http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf  
/etc/mail/spamassassin/RulesDuJour/wget.log 21


wget_output: --08:36:08-- 
http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf


= `sa-blacklist.current.uri.cf'

Resolving www.stearns.org... done.

Connecting to www.stearns.org[66.59.111.182]:80... connected.

HTTP request sent, awaiting response... 302 Found

Location: 
http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf 
[following]


--08:36:09-- 
http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf


= `sa-blacklist.current.uri.cf'

Resolving www.sa-blacklist.stearns.org... done.

Connecting to www.sa-blacklist.stearns.org[147.102.222.211]:80... 
connected.


HTTP request sent, awaiting response... 200 OK

Length: 2,820,512 [text/plain]

Remote file is newer, retrieving.

--08:36:09-- 
http://www.sa-blacklist.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf


= `sa-blacklist.current.uri.cf'

Connecting to www.sa-blacklist.stearns.org[147.102.222.211]:80... 
connected.


HTTP request sent, awaiting response... 200 OK

Length: 2,820,512 [text/plain]

0K .. .. .. .. .. 1% 60.17 KB/s

50K .. .. .. .. .. 3% 83.89 KB/s

Re: RDJ Blacklist

2005-09-29 Thread Chris Thielen

William Stearns wrote:



I see you've found a bug in Rules du Jour! Bill is returning a 302 
http response code which indicates a temporary URL change. However, 
RDJ is incorrectly interpreting the 302 as a not changed.


Short term solution is to upgrade to the new RDJ with the current URL 
as you've stated. I need to fix RDJ with curl though to do the right 
thing.



I do understand that you need to check the output of curl in 
general to handle situations like this in the future.
As for this current issue with my random.cf and sa-blacklistcf 
files, I thought you had updated the urls for this in rules du jour 
already?  Is it just a case that people are still using old versions 
on rdj?



Yep, I have updated the URLs already and Yep Casey just hasn't installed 
the new version yet!




I really am sorry to have to do that redirect, but I don't know of 
a more elegant way to move people over to the mirror sites.



Seems like the most elegant method to me, as long as all the clients 
(*cough*) respond properly :)



Chris


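The status handling discussed in this thread, as an added example that is not RDJ's own code: it reads RDJ-style debug output and reports every ruleset whose fetch ended in anything other than 200 or 304, so a 302 is no longer taken for "up to date". The log lines are constructed from excerpts on this page; the function names, the EXAMPLE_SET entry and the `-` label for the self-update fetch are made up for illustration.

```shell
#!/bin/sh
# Map the HTTP status printed by curl -w %{http_code} to what it means
# for a conditional (-z) download of a rule file.
classify_http_code() {
    case "$1" in
        200)                 echo updated ;;     # new copy downloaded
        304)                 echo unchanged ;;   # not modified, local copy is current
        301|302|303|307|308) echo redirected ;;  # nothing downloaded, file moved
        4??|5??)             echo failed ;;      # e.g. 404 from a wrong URL
        *)                   echo unknown ;;
    esac
}

# Read RDJ debug output on stdin. For every curl_output line whose status is
# neither "updated" nor "unchanged", print: RULESET CODE STATUS URL
audit_rdj_log() {
    ruleset="-"   # fetches before the first ruleset section (the self-update)
    url="-"
    while IFS= read -r line; do
        case "$line" in
            RULESET_NAME=*) ruleset=${line#RULESET_NAME=} ;;
            CF_URL=*)       url=${line#CF_URL=} ;;
            "curl_output: "*)
                code=${line#"curl_output: "}
                status=$(classify_http_code "$code")
                case "$status" in
                    updated|unchanged) ;;
                    *) printf '%s %s %s %s\n' "$ruleset" "$code" "$status" "$url" ;;
                esac
                ;;
        esac
    done
}

# Constructed sample log, modelled on the excerpts quoted on this page.
sample_rdj_log() {
cat <<'EOF'
exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/mail/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour
curl_output: 304
-- RANDOMVAL --
RULESET_NAME=RANDOMVAL
CF_URL=http://www.stearns.org/sa-blacklist/random.current.cf
curl_output: 304
-- BLACKLIST_URI --
RULESET_NAME=BLACKLIST_URI
CF_URL=http://www.stearns.org/sa-blacklist/sa-blacklist.current.uri.cf
curl_output: 302
-- EXAMPLE_SET --
RULESET_NAME=EXAMPLE_SET
CF_URL=http://rules.example.invalid/70_example.cf
curl_output: 200
-- SARE_STOCKS --
RULESET_NAME=SARE_STOCKS
CF_URL=http://www.rulesemporium.com/rules/rules/70_sare_stocks.cf
curl_output: 404
EOF
}

# Stand-alone run: prints the BLACKLIST_URI (302) and SARE_STOCKS (404) rows.
sample_rdj_log | audit_rdj_log
```

curl's `-L` option follows a redirect, in which case `%{http_code}` reports the final response rather than the 302.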


Re: RDJ newbie prob

2005-09-27 Thread Chris Thielen

John Fleming wrote:

Thanks, Chris.  I'm sure this is something trivial - I've had it 
working in the past!

Here's my /etc/rulesdujour/config



John, I think this is simply due to the TRUSTED_RULESETS= being on a 
separate line.


You have:
TRUSTED_RULESETS=
TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
...

Try it like this:
TRUSTED_RULESETS=TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0


Chris Thielen




Re: [SARE] rules update

2005-09-26 Thread Chris Thielen

Robert Menschel wrote:


SARE's General Subject rules files and the Whitelist rules files have
been updated.
 




snip
 




Note that RDJ has not yet been updated for these two new files.
 




RDJ is now updated.  The new ruleset names are: SARE_WHITELIST_SPF and 
SARE_WHITELIST_RCVD


Chris Thielen




Re: RDJ newbie prob

2005-09-26 Thread Chris Thielen

Hi John,

First off, did you modify the rules_du_jour script in any way?  It 
appears that it is trying to execute the names of the rulesets as 
commands.  May I see your config file?  Are you by chance using this on 
cygwin?


John Fleming wrote:

I've had such good results with SA that I haven't worried about 
rulesets, updating rulesets etc.  Lately I've had a few getting 
through and decided it must be time to update my rulesets.  I've 
decided to use RDJ, but below is what I get when I run the bash 
script.  Would someone kindly tell me what's probably wrong?  I might 
not really use all the rules below - This was just a trial run of the 
script.  Tnx!  - John


# ./rules_du_jour
./rules_du_jour: line 54: TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BLACKLIST
BLACKLIST_URI
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_RATWARE
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HEADER0
SARE_HEADER1
SARE_HEADER2
SARE_HEADER3
SARE_HEADER_ENG
SARE_HTML
SARE_HTML0
SARE_HTML1
SARE_HTML2
SARE_HTML3
SARE_HTML4
SARE_HTML_ENG
SARE_SPECIFIC
SARE_OBFU
SARE_OBFU0
SARE_OBFU1
SARE_OBFU2
SARE_OBFU3
SARE_REDIRECT
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_GENLSUBJ
SARE_GENLSUBJ0
SARE_GENLSUBJ1
SARE_GENLSUBJ2
SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG
SARE_HIGHRISK
SARE_UNSUB
SARE_URI0
SARE_URI1
SARE_URI2
SARE_URI3
SARE_URI_ENG
SARE_WHITELIST: command not found
./rules_du_jour: line 54: TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BLACKLIST
BLACKLIST_URI
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_RATWARE
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HEADER0
SARE_HEADER1
SARE_HEADER2
SARE_HEADER3
SARE_HEADER_ENG
SARE_HTML
SARE_HTML0
SARE_HTML1
SARE_HTML2
SARE_HTML3
SARE_HTML4
SARE_HTML_ENG
SARE_SPECIFIC
SARE_OBFU
SARE_OBFU0
SARE_OBFU1
SARE_OBFU2
SARE_OBFU3
SARE_REDIRECT
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_GENLSUBJ
SARE_GENLSUBJ0
SARE_GENLSUBJ1
SARE_GENLSUBJ2
SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG
SARE_HIGHRISK
SARE_UNSUB
SARE_URI0
SARE_URI1
SARE_URI2
SARE_URI3
SARE_URI_ENG
SARE_WHITELIST: command not found
exec: curl -w %{http_code} --compressed -O -R -s -S -z 
/etc/spamassassin/RulesDuJour/rules_du_jour 
http://sandgnat.com/rdj/rules_du_jour 21

curl_output: 304
No files updated; No restart required.





Rules Du Jour Run Summary:RulesDuJour Run Summary on [snip]
#









Re: [PLEASE NOTE] Change in location for sa-blacklist downloads

2005-09-19 Thread Chris Thielen

William Stearns wrote:


Good day, all,
(Summary - the sa-blacklist content is moving to new machines.  If 
you're downloading any of the 15 versions of this list, you'll need to 
change the hostname you use in your download; see What you need to 
do below for instructions.)



Rules du Jour has been updated to point to the new domain.


Chris Thielen




Re: Rules_Du_Jour Site down?

2005-09-19 Thread Chris Thielen


Larry Starr wrote:


Martin,

It appears that a problem, with one of my internal mail servers, may have 
contributed to the confusion on this issue.


It looks like its queue runner was not working, and messages that were not 
forwarded immediately were never forwarded.  I kicked that queue this 
morning (this was one of the more recent messages).


The problem that I was seeing was back on Sept 12.  At that time I was unable 
to reach sandgnat.com, either with the rules_du_jour script or via web 
browser.


Whatever was going on seems to have cleared up since then.

 




The web site was indeed down.  For some reason some sa-learn processes 
keep eating all available memory which my server doesn't seem to like!




Re: Availability for Debian

2005-09-19 Thread Chris Thielen

Christoph Petersen wrote:


Hi,

I've tried to upgrade to SA 3.1 on my Debian Sarge. But there is no Debian
package available. Neither in Sarge nor in Sid... When that package is via
apt available?
 



I installed it via the unstable archive. 

I think, perhaps, a better question may be: when will we get a 
backports.org or similar repository for sarge?  (or maybe I am 
misinformed and backports.org is useful on sarge?)







Re: Availability for Debian

2005-09-19 Thread Chris Thielen

Momo wrote:


Christoph Petersen [EMAIL PROTECTED] wrote:


Hi,

I've tried to upgrade to SA 3.1 on my Debian Sarge. But there is no Debian
package available. Neither in Sarge nor in Sid... When that package is via
apt available?



It will come very soon in unstable, but you can grab the Release 
Candidate 2 on the experimental repo if you can't wait.
http://packages.debian.org/experimental/mail/spamassassin

Momo



Ah yes, thank you for reminding me that I did NOT in fact install 3.1 
from unstable as I stated earlier.  I did install RC2 from experimental 
as you mentioned.


Chris T







Re: RDJ/Curl issue...

2005-09-07 Thread Chris Thielen

Jamie,


Jamie Pratt wrote:



Fred wrote:



Yes we are aware of this issue, the site has changed owners a couple times
and during those transitions we had to change the way we updated the pages,
from SSH to FTP to CVS..  Not all of us have kept up on how the changes need
to be made.  At one point we were talking of having a php page read the
dates and make the page dynamic, we just never got around to that.

FreddyT




Ok.. Thanks ... But are you saying there are different latest 
rulesets floating about, or just that the page that reflects them 
needs work? Where are the correct rulesets, and how do we fix this? 
...I just need the latest rules, regardless of RDJ... :-(



Fred can correct me if I'm wrong, but he's saying that the web page that 
shows the latest version, description, etc is not up to date.


The latest SARE rulesets are always found at 
http://www.rulesemporium.com/rules/ .  I did a quick check of the 
rulesets you pasted in an earlier mail and they all appear up to date.  
Those sets just haven't been updated.  I will assume RDJ is working 
correctly :)








Re: Backhair ruleset and current Microsoft e-mail

2005-09-07 Thread Chris Thielen

Matthew Newton wrote:


Hi,

Just had to remove the backhair ruleset from use here because it is
triggering on real e-mail from Outlook. It seems possibly that Outlook
is creating XML mail with some strange tags in certain places, and this
is triggering the backhair rules because they are not correct HTML tags.

Is the backhair ruleset still recommended, or does this current type of
e-mail make its use obsolete?

Thanks!

Matthew


 

I still use backhair myself, although I'm not certain it's still 
supported.  The original author is still lurking around somewhere ;) .


If there is an example email that isn't too private, could you send it 
as an attachment to me?  I'd like to see how it's FPing and possibly see 
about updating backhair.


Chris Thielen




Re: SpamAssassin perceptron curiousity

2005-09-06 Thread Chris Thielen

Hi Felix,

[EMAIL PROTECTED] wrote:


I got a bit of curiousity in my brain about neural networks, and
someone suggested I take a look at how SpamAssassin trains itself.  I
have been looking into .../masses and come across some things which
set off warning bells.  I don't think I have actually found any bugs,
but it isn't clear to me what is going on, there are some unused
variables, and I pathetically justify my intrusion on your time with
the thought that there *might* be a bug ... :-)
 




You may want to try sending this to the dev list as most of the 
developers don't have time to track the users list in depth.


Chris




Re: RDJ/Curl issue...

2005-09-06 Thread Chris Thielen

Hi Jamie,

Jamie Pratt wrote:


Hi. RDJ has broken on me apparently - no updates in a month(?)..

Seems to be a curl issue ?...

-- RANDOMVAL --
RULESET_NAME=RANDOMVAL
INDEX=11
CF_URL=http://www.stearns.org/sa-blacklist/random.current.cf
CF_FILE=random.cf
CF_NAME=William Stearn's RANDOM WORD Ruleset
PARSE_NEW_VER_SCRIPT=grep -i '^#release' | tail -n 1
CF_MUNGE_SCRIPT=
Old random.current.cf already existed in 
/etc/mail/spamassassin/RulesDuJour...
Retrieving file from 
http://www.stearns.org/sa-blacklist/random.current.cf...
exec: curl -w %{http_code} --compressed -O -R -s -S -z 
/etc/mail/spamassassin/RulesDuJour/random.current.cf 
http://www.stearns.org/sa-blacklist/random.current.cf 21


curl_output: 304

random.current.cf was up to date [skipped downloading of 
http://www.stearns.org/sa-blacklist/random.current.cf ] ...

No files updated; No restart required.


Any ideas why curl is seeming to have issues? (wget doesn't seem to 
work either?)


How have you determined curl is failing?  The output I see above looks 
normal for a RDJ run where nothing has been updated.  The curl_output: 
304 indicates a HTTP 304 response, which means not modified, use local 
copy.



Chris Thielen




Re: Debian Packages for 3.1.0-rc2

2005-08-31 Thread Chris Thielen

Duncan Findlay wrote:


On Mon, Aug 29, 2005 at 11:41:39PM -0400, Duncan Findlay wrote:
 


Debian packages or 3.1.0-rc2 are available from the experimental
distribution (version 3.0.99pre3.1.0+rc2-1). I'd appreciate help
testing them, so that all the bugs in the packaging can be worked out
by the time 3.1.0 is uploaded to unstable.


Hi Duncan,

Installed cleanly for me on my Sarge box.  I merged my local.cf into the 
updated package one.


Aug 31 14:04:27 ns1 spamd[4269]: Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: ../lib /usr/share/perl5 /etc/perl /usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/lib/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at /usr/share/perl5/Mail/SPF/Query.pm line 328, GEN12 line 64. 

I'm getting these in mail.log, but that's because libmail-spf-query-perl 
only suggests libsys-hostname-long-perl (which I don't have installed).  
I believe this is a warning at worst since the package is only 
suggested, and I assume it is out of your control.


I am seeing some other anomalous messages in the log, but I believe they 
are not packaging related.


Chris




Re: question on meta rules

2005-08-23 Thread Chris Thielen

Chris Santerre wrote:


-- Bizzaro-Chris (I know all of the real Chris's dark secrets!)
 



Bizarro!  Bizarro!   Bizarro!

eom




Re: V-drug resurgent

2005-08-18 Thread Chris Thielen

Daniel Bentley wrote:


We've been getting more emails with our favorite V-named drug, that have
been getting through SA.  The header includes the V-word, usually upper
case, with vowels that have the extended ASCII charset (umlauts,
circumflexes and other diacritical marks), while the body appears to be
mish-mashed snippets of Project Gutenberg texts.  Has anyone else seen
these, any suggestions on existing rulesets to pick up?  I'd hate to
're-invent the wheel' if there are rule-sets for this already.  Thanks.


Hi,

Try the rules generated (in the fourth section) here:

http://sandgnat.com/cmos/cmos.jsp?multigapenabled=truemultigap=2duplicatecharsenabled=trueduplicatechars=2words=viagra

You will want to rename the rule, score, and description because it 
generates too-long rule names.


Chris Thielen




Re: RulesDuJour - position of rulesets in config file

2005-07-28 Thread Chris Thielen

Hiya Thijs,

Thijs Koetsier | Exception IT wrote:


Hi all,

I'm using spamassassin 3.0.4-2 on Debian 3.1 with Exim4, together with
RulesDuJour.
I have a question about the last, which I just installed for the first time.
I believe it's a fairly beginners-one, which I hope someone can help me
with.

In the config-file of rulesdujour (/etc/rulesdujour/config) which I've
created, I've put the text which I found at http://koivi.com/exim4-config/:
TRUSTED_RULESETS="put your rules here";
   SA_DIR=/etc/spamassassin;
   MAIL_ADDRESS=root;
   SA_RESTART="/etc/init.d/spamassassin restart";

My question is, where exactly do I put those rules; exactly between those
double quotes, the whole set of them, who are so properly ordered on
http://www.exit0.us/index.php?pagename=RulesDuJourRuleSets? It seems like
the thing to do, but somehow it also seems wrong.



Close, but not quite.

TRUSTED_RULESETS gets a list of ruleset identifiers separated by 
spaces.  The list of built-in identifiers is found at the bottom of 
http://www.exit0.us/index.php?pagename=RulesDuJour .  The wiki page you 
referenced is really for addon ruleset information that isn't included 
with the standard RDJ script.


So, for example, your TRUSTED_RULESETS may look like this:

TRUSTED_RULESETS="TRIPWIRE BOGUSVIRUS SARE_ADULT SARE_RANDOM SARE_HTML"

(I just picked some random rulesets from the list).


Chris Thielen




Re: generating rule stats from spamd logs

2005-07-27 Thread Chris Thielen

Dallas L. Engelken wrote:


BAYES_00 hits 15.27 of spam on yours, the %ofspam on top ham rules and
%ofham on top spam rules must be buggy.

i'm not running that version with the 5th column.   It must be buggy.
i play with it after bit. 


Dallas
 



Dallas,

Did you see the patch I sent to the SARE list?  Just need to swap two 
hash lookups.



Chris T




Re: New plugin - asking for feedback

2005-07-26 Thread Chris Thielen

Hi Dirk,

Dirk Bonengel wrote:


Hi all,

maybe this list can give me some feedback on a plugin I've written a 
few weeks ago.
The Plugin is based on parts of the 'NiXSpam' project by the German IT 
magazine iX. NiXSpam  is an elaborate procmail recipe (for more info 
see http://www.heise.de/ix/nixspam/ - it's German, though), and it 
uses a cool way of computing hashes from the body of mails to detect 
highly similar ones (which - probably - are spam).



Correct me if I'm wrong, but this sounds very similar to razor/pyzor/dcc!

Chris T




Re: www.rulesemporium.com unreachable

2005-07-22 Thread Chris Thielen

wolfgang wrote:


Hi,
http connections to www.rulesemporium.com are timing out here. Maybe someone 
in charge is reading this and can fix it ...


regards,

wolfgang


 

There seems to be an issue with the filesystem on that box.   Email sent 
to the appropriate people, but it looks like a manual power cycle will 
be necessary.




Re: (14.6) How can I correctly detect these spams?

2005-07-07 Thread Chris Thielen

Hi Thomas,

Your email scored nearly 25 on my system.  Chickenpox contributed 4.2, 
uribls contributed tons. 


HTH :)

Thomas Booms wrote:


Spam detection software, running on the system ns1.sandgnat.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Hi all, I have set all BAYES tests to default values
 and put in the $GLOBAL all SORBS test in my users database. But since
 the last hours I got these following listed spams through without
 tagging as spam: [...] 


Content analysis details:   (14.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.8 SPLEL_NLN              BODY: Obfuscated 'online' in body
 0.6 J_CHICKENPOX_34        BODY: {3}Letter - punctuation - {4}Letter
 0.6 J_CHICKENPOX_14        BODY: {1}Letter - punctuation - {4}Letter
 0.6 J_CHICKENPOX_44        BODY: {4}Letter - punctuation - {4}Letter
 0.6 J_CHICKENPOX_56        BODY: {5}Letter - punctuation - {6}Letter
 0.6 J_CHICKENPOX_64        BODY: {6}Letter - punctuation - {4}Letter
 0.6 J_CHICKENPOX_102       BODY: {10}Letter - punctuation - {2}Letter
 1.8 LOBO_NLN               BODY: Obfuscated 'online' in body
 0.6 J_CHICKENPOX_53        BODY: {5}Letter - punctuation - {3}Letter
 0.1 TW_DF                  BODY: Odd Letter Triples with DF
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: timestipulatecool.com treasureyourdevelopment.com militopnig.com]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: timestipulatecool.com militopnig.com]
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: timestipulatecool.com treasureyourdevelopment.com militopnig.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: timestipulatecool.com]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: militopnig.com]
 -10 AWL                    AWL: From: address is in the auto white-list


 


Hi all,

I have set all BAYES tests to default values and put in the $GLOBAL 
all SORBS test in my users database.


But since the last hours I got these following listed spams through 
without tagging as spam:







Re: How can I correctly detect these spams?

2005-07-07 Thread Chris Thielen


Andy Jezierski wrote:



Chris Thielen [EMAIL PROTECTED] wrote on 07/07/2005 
01:15:24 AM:


 Hi Thomas,

 Your email scored nearly 25 on my system.  Chickenpox contributed 4.2,
 uribls contributed tons.

 HTH :)


As has been pointed out, make sure your network tests are turned on. I 
am surprised that I only got two chickenpox hits on my system though.  


Chris, what version do you have running?  Mine is 1.18 dated 2004-4-5



Mine is actually older, h..  ver 1.15 dated 2004-02-06.  Perhaps 
Jennifer revised it later to get rid of false positives?





X-Spam-Status: Yes, score=45.4 required=5.7 tests=BAYES_99,FUZZY_MILLION,
        HTML_80_90,HTML_FONT_BIG,HTML_MESSAGE,J_CHICKENPOX_102,
        J_CHICKENPOX_56,LG_4C_2V_3C,MIME_QP_LONG_LINE,PRIORITY_NO_NAME,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
        SARE_HEAD_XUNSENT,SARE_OBFU_PART_ING,URIBL_AB_SURBL,URIBL_BLACK,
        URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
        autolearn=unavailable version=3.1.0-pre4-r208823

Andy 







Re: rules_du_jour SA_RESTART interpretation?

2005-07-07 Thread Chris Thielen

Allo,

Dr Robert Young wrote:



In configuring the rules_du_jour script for rule updates, I am a bit 
concerned over my interpretation of the SA_RESTART parameter. It 
sounds like it is a call to the routine to stop and then re-start 
the spamd daemon. But the rules_du_jour example kills the spamd 
process with killall (ie no restart).




The example on the wiki is killall -HUP spamd.  There are two things 
to note.  kill doesn't actually 'kill' a process, it simply sends it a 
signal (except when you send -KILL or -9).  Secondly, the HUP signal is 
typically used to tell a daemon to reload its configuration files 
without restarting.  That's why the example on the wiki reads as it does, 
but it's only an example.


Side note: I think there might be some problems with sending ALL spamd 
processes including the children a HUP signal now, but I'm not sure. 



For this parameter, should one instruct the script to stop the 
process or stop and then restart the process?



You want it to restart (or reload config files, if possible)



I would normally do these via the sample scripts provided with 
SpamAssassin such as


/etc/rc.d/init.d/spamd stop

or





/etc/rc.d/init.d/spamd restart



That's fine, use that.  The default built into the script is actually 
/etc/init.d/spamassassin restart, if I remember correctly.



Chris Thielen




Re: FW: Strange Rules Du Jour error

2005-07-06 Thread Chris Thielen

Hi Dave,

What os are you on and what version of curl do you have installed?

[EMAIL PROTECTED]:~$ curl --version

curl 7.13.2 (i386-pc-linux-gnu) libcurl/7.13.2 OpenSSL/0.9.7e zlib/1.2.2 
libidn/0.5.13

Protocols: ftp gopher telnet dict ldap http file https ftps 

Features: IDN IPv6 Largefile NTLM SSL libz 



Can you send me the output of RDJ launched interactively?  I'm primarily 
interested in the debug output that shows the curl command and output, eg:


exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/spamassassin/RulesDuJour/99_FVGT_Tripwire.cf http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf 2>&1

curl_output: 304


Also, try taking the exec line and running it directly from a shell, eg:

[EMAIL PROTECTED]:~$ curl -w %{http_code} --compressed -O -R -s -S -z 
/etc/spamassassin/RulesDuJour/70_sare_evilnum2.cf 
http://www.rulesemporium.com/rules/70_sare_evilnum2.cf

(more below)


Dave Duffner - PSCGi wrote:


Greetings,

Sent this to the MailScanner List, didn't realize
my subscription to the SA List had taken a hike for some reason!

Anyone with a clue, I'm all ears!

 


Ok,

Determined Curl Error 7, Socket Error 110 to
be a failure to connect to the 'Host' to retrieve
the stuff.  That's rulesemporium.com and I can not
only go there in a browser, but if I screw with
the RDJ code enough to force it to fallback to
wget (not without errors mind you) both will access
the site and attempt to pull the code.
   




Odd.


Ports are opened, the proper IP's are allowed
full traffic in/out so that's not it.  It seems to
be a Curl call error and here's where I find the
mystery:

${CURL_OPTS} CURL_OPTS=-w %{http_code} --compressed
-O -R -s -S -z;  # Parameters of the curl program
   


(note, this is a bit mangled to get it to pass)

 


What is %{http_code}??  There's no other
reference to this in the script, no outside scripts 
   



The parameter -w %{http_code} tells curl to print the http return code 
on stdout.  The %{http_code} is passed literally to curl, it's not a 
variable reference.



'included' that could pass this parameter so I can't see how Curl
could be called properly with that in there.  Took it out, still the
same error, but I'd swear there's something missing or improperly
coded in that line.  Seems more like it should be
${CURL_HTTP_CODE} or something similar?

When I run this the thing I note in the
flow/logs is that it states 'now connecting () to
www. rulesemporuim .com : 80 ' where it seems something like
'localhost' should be in that () and the
improper coding is causing the system not to accept
the connection command and thus the socket error?

Anyone with any clues?  I can't find a hint of
this beyond my posts out in the Net as to how to
get it fixed.  Curl docs state any % commands are
Windows (I'm Linux), so could that be part of the
problem?
   




I don't think so... the manpage simply indicates that on winders you 
must doublequote the percent signs (%%):


-w/--write-out format
snip
 The variables present in the output format will be substituted by
 the value or text that curl thinks fit, as described below. All
 variables are specified like %{variable_name} and to output a
 normal % you just write them like %%. You can output a newline by
 using \n, a carriage return with \r and a tab space with \t.

 NOTE: The %-letter is a special letter in the win32-environment,
 where all occurrences of % must be doubled when using this option.





Dave


   


-----Original Message-----
From: MailScanner mailing list [mailto:[EMAIL PROTECTED] On Behalf Of Dave Duffner - PSCGi
Sent: Wednesday, July 06, 2005 11:07 AM
To: [EMAIL PROTECTED]
Subject: Strange Rules Du Jour error


Greetings,

Running RDJ 1.21, the apparent latest version
I can find.  It was falsing out with an SA lint error that's been
corrected, but is still generating this set of errors when run in
cron:

The following rules had errors:
TripWire had an unknown error:
curl exit code: 7
curl: (7) socket error: 110
000
EvilNumber had an unknown error:
curl exit code: 7
curl: (7) socket error: 110
000
SARE Random Ruleset for SpamAssassin 2.5x and higher had an unknown error:
curl exit code: 7
curl: (7) socket error: 110
000

There was an issue where apparently the script
had updated, and returned the SA_DIR variable to the wrong default
location.  Fixed that, running it from the command line produces
the same error response above except for the fact it now says '404
Error' at the end of the Subject line?

Looks like this may be getting blocked by
either port or IP, but I can't find where we're
doing that in either of our firewall setups, nor



Re: 70_sc_top200.cf not updated

2005-06-30 Thread Chris Thielen
SARE has started using SVN to maintain the rulesets, however the top200 
script hasn't been updated to commit to SVN.  The maintainer of the 
script is starting a business right now and hasn't had time to update 
the script!



Shelley Waltz wrote:


The 70_sc_top200.cf on rulesemporium has not been updated
since May 27.  This is supposed to be automatically generated.
I could not find a contact on the rulesemporium page - anyone
know why this rule is no longer updated?

{ Shelley Waltz;
 Center for Advanced Biotechnology and Medicine;
 Rutgers University/UMDNJ;
 679 Hoes Lane;
 Piscataway, NJ 08854;
 732 235 3346 }

 







Re: special chars in subject + .procmailrc

2005-06-29 Thread Chris Thielen


Pál László (Sq.) wrote:


It looks this entry has been skipped somehow. Other rule moving spam
police messages to /dev/null works fine.
 

   


SA invoked by amavisd

L:

 


Hi,

Sorry, I don't know anything about amavisd... I assume SA is being 
called BEFORE procmail kicks in for delivery?  Also, please keep this 
conversation on the list, that way others who do know stuff can chime in!


Chris




Re: A Central 'Rules' site?

2005-06-29 Thread Chris Thielen
Regarding RDJ and windows, I did put together a short HOWTO for setting 
up RDJ on cygwin:  http://www.exit0.us/index.php?pagename=InstallRdjOnCygwin





Evan Platt wrote:


At 02:04 AM 6/29/2005, you wrote:


RulesDuJour. Loren doesn't do French well. (Erm, neither do I for that
matter.)



Oui. Me neither.


http://www.exit0.us/index.php?pagename=RulesDuJour

That is a way of pulling rules down. I can't give any opinion about it.
Before it was up and running I was already pulling rules with my own
little script.



Do you or anyone else have a more *doze friendly script? I have wget, 
cron and perl, so a lot of the other stuff in the rdj isn't needed - 
chmod, etc. Maybe a simple batch file that wget's the files?


Thanks.

Evan







Re: Is rules_du_jour working?

2005-06-29 Thread Chris Thielen

Dr Robert Young wrote:




Interactively, there are a lot of messages saying no such file or 
directory and command not found.


Is this normal? I am uncertain as to how I can tell the  update is 
actually occurring (or not) .




Hi Robert,

No, this is not normal.  Feel free to email me the entire output of your 
interactive run and I can probably help diagnose the problem.


Chris Thielen




Re: A Central 'Rules' site?

2005-06-29 Thread Chris Thielen

[EMAIL PROTECTED] wrote:


Wolfgang Zeikat wrote:
 


On 06/29/05 20:19, Evan Platt wrote:
   


wget -N URL only downloads a file if the copy on the server is newer
than your local one.
   



Presumably, by adding an HTTP If-Modified-Since header with a value 
corresponding to the modified-time of the local file.

 


Yeah, well sorta :)

It actually issues a HEAD request, checks Last-Modified, then issues a 
GET if it needs to.


curl behaves more sanely.




Re: special chars in subject + .procmailrc

2005-06-28 Thread Chris Thielen

Pál László (Sq.) wrote:


I also would like to remove spams over a certain level, so I've created
the following .procmailrc entry

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null

It seems not working. What is the problem?
 



Looks fine to me.  Is that recipe in your procmailrc AFTER spamassassin 
is called?  Or is it being skipped for some reason?


Here's mine:

   :0H
   *^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
   Maildir/.Junk.2bLearnt/




Re: special chars in subject + .procmailrc

2005-06-28 Thread Chris Thielen

Pál László (Sq.) wrote:


It looks this entry has been skipped somehow. Other rule moving spam
police messages to /dev/null works fine.



I'm not seeing where SA is called.  It appears that SA is being invoked 
from outside procmail. 


Can you give more info about your system's processing chain?

 
Here is my complete .procmailrc
 
Is there any way to set-up this /dev/null behaviour systemwide?



There should be an /etc/procmailrc where you can specify global procmail 
recipes.


 
 
# Please check if all the paths in PATH are reachable, remove the ones that
# are not.
 
PATH= $PATH:$HOME/bin:/usr/bin:/usr/local/bin:.

MAILDIR=$HOME/mail  # You'd better make sure it exists
#DEFAULT=$MAILDIR/egyeb
LOGFILE=$MAILDIR/procmail.log
LOCKFILE=$HOME/.lockmail
 
:0

* ^From.*spamassassin.apache.org
spamassassin
 
:0

* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null/
 
:0

* [EMAIL PROTECTED]
/dev/null
 
:0

* ^To: [EMAIL PROTECTED]
Bp_Free
 
:0

* ^To.*lotuszpagoda*
Pagoda
 
:0

* [EMAIL PROTECTED]
Rendszer
 
:0

* [EMAIL PROTECTED]
Rendszer
 
:0

* ^From.*randivonal*
Randivonal
:0
* !^Content-Type: message/
* !^Content-Type: multipart/
* !^Content-Type: application/pgp
{
:0 fBw
* ^-BEGIN PGP MESSAGE-
* ^-END PGP MESSAGE-
| formail \
-i Content-Type: application/pgp; format=text; x-action=encrypt
 
:0 fBw

* ^-BEGIN PGP SIGNED MESSAGE-
* ^-BEGIN PGP SIGNATURE-
* ^-END PGP SIGNATURE-
| formail \
-i Content-Type: application/pgp; format=text; x-action=sign
}
 
  :0 fBw

* ^-BEGIN PGP PUBLIC KEY BLOCK-
* ^-END PGP PUBLIC KEY BLOCK-
| formail -i Content-Type: application/pgp-keys; format=text;
# Mail that is very likely spam (15) can be dropped on the floor.
# Move the # up one line to save it on the server instead.
# Note that dropping mail on the floor is a *bad*
# idea unless you really, really believe no false positives will
# have a score greater than 15.
 
 






Re: RDJ from cron - is it safe?

2005-06-24 Thread Chris Thielen

John Horne wrote:


Many thanks for all the replies, which all seem positive.

However, we have been seeing problems with restarting the daemon
recently, which is why I am wary about starting to run RDJ from cron. In
trying to restart spamassassin, on a fedora core 4 and core 3 system, we
see:

 /etc/init.d/spamassassin restart
 Shutting down spamd:   [  OK  ]
 Starting spamd: Could not create INET socket on 127.0.0.1:783: Address
 already in use (IO::Socket::INET: Address already in use)
[FAILED]

It seems that a single child process is left running:

 ps auxww|grep -i spamd
 mail  4156  0.0  2.7  61532 57152 ?S17:28   0:00 spamd
   child
 root  4169  0.0  0.0   3756   736 pts/1S+   17:28   0:00 grep
   -i spamd

If we run 'restart' again then it works okay. If we do a stop and then a
start, that too works okay.

 


Hi John,

Maybe try changing your SA_RESTART to killall -HUP spamd.  I think
spamd will correctly reload configuration files with a HUP signal.

Chris Thielen

PS. two copies of this email may appear.  I accidentally sent the first
from a non-subscribed address.

PPS. I also just found out I have an open proxy on my mail server
(fixed).  naughty naughty me :)






Re: OT : How to 'nomail' this list

2005-06-13 Thread Chris Thielen

Theo Van Dinter wrote:


On Mon, Jun 13, 2005 at 08:56:04AM -0400, Ugo Bellavance wrote:
 


I want to interact with this list via nntp (gmane), but since this list
is member-only, I must subscribe to post.  I didn't find the way to set
the option not to receive messages from the list.
   



I don't believe this is possible via ezmlm.  Either you're subscribed (and
receive mails) or you're not.

 

There should, however, be a digest mode available.  That would reduce 
the frequency of emails to once per day (you could then add a MUA rule 
to delete the email automatically).




Re: SA/RDJ/Bogus Virus Warnings Problem

2005-06-12 Thread Chris Thielen

Hi Tim, Dimitri,

Sorry to resurrect such an old thread!  I'm a bit concerned with the 500 
error code being downloaded into the SA_DIR.


Tim Jackson wrote:


Lint output: config: SpamAssassin failed to parse line, skipping:
html config: SpamAssassin failed to parse line, skipping: head
config: SpamAssassin failed to parse line, skipping: titleError 500
Internal Server Error [timj.co.uk]/title
...
   



This bothers me a lot (and it looks like a generalised problem) and I am
cc'ing Chris the RDJ maintainer. Chris, how is it that a download which
has had a 500 error is managing to get saved to disk as a ruleset which
SA then tries to use? Surely any 5xx error should mean that the
downloaded page is discarded? Or did I screw something up? (a page with
the title of Error 500 certainly *should* have been sent with a HTTP
500 code)



RDJ does include code for both curl and wget to only copy rulesets that 
have been downloaded. The test for downloaded is if the server 
returned a 200 code or not.  Error messages are sent back to the 
administrator if the codes are 4xx or 5xx.


Dimitri or any other RDJ users, have you continued to see this behavior 
with a relatively recent version of RDJ?



Chris Thielen
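
One way to apply the test described above (install only when the server answered 200, and refuse a body that is really an HTML error page), as an added example in Python rather than RDJ's own shell code. The function names, file names and sample bodies are constructed for illustration, and the HTML check is an extra heuristic assumed here, not something RDJ is stated to do.

```python
import os
import re
import shutil
import tempfile

# An HTML error page saved as a .cf is what produced the lint failures quoted
# in this thread ("html", "head", "title Error 500 ..."). Rule files do not
# start lines with these tags, so their presence means "not a ruleset".
HTML_MARKER = re.compile(rb"^\s*<\s*(?:!doctype|html|head|title|body)\b",
                         re.IGNORECASE | re.MULTILINE)


def classify_download(http_code, tmp_path):
    """Decide what to do with one fetched file.

    http_code is the string curl prints for -w %{http_code}: "200", "304",
    "500", or "000" when no HTTP response was received at all.
    """
    if http_code == "304":
        return "unchanged"              # local copy is already current
    if http_code != "200":
        return "reject:http " + http_code
    try:
        with open(tmp_path, "rb") as fh:
            body = fh.read()
    except OSError:
        return "reject:missing file"
    if not body.strip():
        return "reject:empty body"
    if HTML_MARKER.search(body):
        return "reject:looks like html"  # error page served with a 200
    return "install"


def promote(http_code, tmp_path, sa_dir):
    """Copy the file from the working directory into sa_dir only if accepted."""
    verdict = classify_download(http_code, tmp_path)
    if verdict == "install":
        dest = os.path.join(sa_dir, os.path.basename(tmp_path))
        staged = dest + ".new"          # not *.cf, so SpamAssassin ignores it
        shutil.copyfile(tmp_path, staged)
        os.replace(staged, dest)        # atomic swap into place
    return verdict


def demo():
    """Run constructed downloads through promote() in a throwaway directory."""
    good = b"# constructed ruleset\nbody L_DEMO /demo/\nscore L_DEMO 0.1\n"
    html = b"<html>\n<head>\n<title>Error 500 Internal Server Error</title>\n"
    cases = [
        ("ok",           "200", good,  "70_ok.cf"),
        ("server_error", "500", html,  "70_err500.cf"),
        ("mislabelled",  "200", html,  "70_html200.cf"),
        ("not_modified", "304", None,  "70_same.cf"),
        ("no_connect",   "000", None,  "70_down.cf"),
        ("empty",        "200", b"\n", "70_empty.cf"),
    ]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        tmp_dir = os.path.join(root, "RulesDuJour")   # working directory
        sa_dir = os.path.join(root, "spamassassin")   # directory SA reads
        os.makedirs(tmp_dir)
        os.makedirs(sa_dir)
        for label, code, body, name in cases:
            path = os.path.join(tmp_dir, name)
            if body is not None:
                with open(path, "wb") as fh:
                    fh.write(body)
            results[label] = promote(code, path, sa_dir)
        results["installed"] = sorted(os.listdir(sa_dir))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```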




Re: RDJ errors

2005-06-06 Thread Chris Thielen

Thomas Cameron wrote:


Hey all -

I am brand new to RDJ.  I just set up my script and I am getting the no
index errors below.  Is this normal?
 



Nope, it's not normal.  You are missing some configuration entries for 
those rulesets.  Those are not included in the stock RDJ config file so 
you have to tell RDJ what and where they are.  There are links on the 
www.rulesemporium.com web site that explain how to add the configuration 
entries, however I am noticing that they are all missing (404) at the 
moment!


I'll see if we can track down the relevant information.

Chris Thielen




Re: RDJ errors

2005-06-06 Thread Chris Thielen

Chris Thielen wrote:


Thomas Cameron wrote:


Hey all -

I am brand new to RDJ.  I just set up my script and I am getting the no
index errors below.  Is this normal?
 



Nope, it's not normal.  You are missing some configuration entries for 
those rulesets.  Those are not included in the stock RDJ config file 
so you have to tell RDJ what and where they are.  There are links on 
the www.rulesemporium.com web site that explain how to add the 
configuration entries, however I am noticing that they are all missing 
(404) at the moment!


I'll see if we can track down the relevant information.



The RDJ snippet files should be restored to the web site within the hour.


Chris Thielen





Re: RulesDuJour Best Practices

2005-05-26 Thread Chris Thielen

Jason Marshall wrote:



When a new rules_du_jour is released, it downloads it, and i have to 
manually add the Personal Rule snippets to the script again.


Is there a way to put those in the /etc/rulesdujour/config file so 
that they don't need to be re-added all the time?



Yes!  You should be able to add these directly to the config file in the 
same way you are (I believe) currently adding them to the built-in registry.




Also, is the /etc/rulesdujour directory similar to 
/etc/mail/spamassassin whereby it will read all the files in that 
directory rather than just a specifically-named one?



Nope, it looks for specifically named files.

Chris





Re: RulesDuJour Best Practices

2005-05-26 Thread Chris Thielen

Jason Marshall wrote:

Yes!  You should be able to add these directly to the config file in 
the same way you are (I believe) currently adding them to the 
built-in registry.



Thanks, Chris, do they just get added to the bottom, or do they need 
to be contained in some kind of $variable= declaration?




Just add them to the bottom (copy and paste should work)




Nope, it looks for specifically named files.



Cool, thanks.








Re: rulesdujour and old copies of rule files

2005-05-20 Thread Chris Thielen
Hi Peter,
Peter Kiem wrote:
Hi,
I've noticed there is a buildup of old rules in my 
/etc/mail/spamassassin/RulesDuJour directory like this

109543 May 10 19:07 bogus-virus-warnings.cf
 92609 Aug 10  2004 bogus-virus-warnings.cf.20040819-0402
 93896 Aug 19  2004 bogus-virus-warnings.cf.20040823-0423
 94241 Aug 23  2004 bogus-virus-warnings.cf.20040909-0403
 94292 Sep  9  2004 bogus-virus-warnings.cf.20041101-0453
100387 Oct 30  2004 bogus-virus-warnings.cf.20041103-0434
100389 Nov  2  2004 bogus-virus-warnings.cf.20041109-0406
100721 Nov  8  2004 bogus-virus-warnings.cf.20041217-0418
103643 Dec 16 08:23 bogus-virus-warnings.cf.20041218-0453
103635 Dec 17 10:44 bogus-virus-warnings.cf.20050103-0436
104973 Jan  2 05:22 bogus-virus-warnings.cf.20050114-0501
105986 Jan 13 18:43 bogus-virus-warnings.cf.20050520-0903
Since it seems to be just a history of the script changes can I delete 
all these except for the first file?

Yes, you may delete everything in that directory (even the first file, 
if you feel like it).

Also, does spam assassin ONLY look in the /etc/mail/spamassassin 
folder and no deeper or does it recurse into all subdirectories in 
there as well?

Correct, SA only reads /etc/mail/spamassassin/*.cf and does not recurse.
Chris Thielen




Re: FW: tablets and chemists

2005-04-29 Thread Chris Thielen
Chuck Campbell wrote:
Is there any way to run both the old 2.6.4 SA and 3.0.3 in parallel on the same
machine?
If I rename the old spamassassin executable to, say sa-old, will it still work?
I want to switch, but will need to get Bayes up to speed before cutting over
to the newer version for production.
I guess I could just hold a week's worth of email copies, and feed them through
after I get it all working...
thanks,
-chuck 
 

I sorta run both on my system.  However, I only use 3.x for 
masschecking.  All I did was extract the source tarball to a directory, 
then make sure the user_prefs for mc override all the paths that 
typically point to /etc or ~/.spamassassin.

Here's an example of how I am launching spamassassin:
 ../spamassassin.raw --lint --prefs-file=./to-test/user_prefs --siteconfigpath=./to-test/fake_etc > lint.out 2>&1  # check for rules errors

Hope this helps.
Chris Thielen
PS:
By the way, I'm still running 2.60 (!!!) on debian and have easily 99% 
detection (probably more, but I've never run stats... it just works).  I 
rarely get FPs as well and then typically in the questionable area (spam 
that I've opted in to from, for example, directv).  I verify any spam 
below 10 pts, but even these are very rare.

I'm using:
70_sare_adult.cf
70_sare_bayes_poison_nxm.cf
70_sare_evilnum0.cf
70_sare_evilnum1.cf
70_sare_evilnum2.cf
70_sare_header.cf
70_sare_html.cf
70_sare_oem.cf
70_sare_random.cf
70_sare_ratware.cf
70_sare_specific.cf
70_sare_spoof.cf
72_sare_bml_post25x.cf
99_sare_biz_market_learn_post25x.cf
99_sare_fraud_post25x.cf
antidrug.cf
backhair.cf
badstyles.cf
bigevil.cf
bogus-virus-warnings.cf
chickenpox.cf
redirect.cf
tripwire.cf
weeds.cf
99_local.obfu.cf
99_local.obfuonly.cf
Wow, that's a lot of rulesets! Also I'm using a patch from quite some 
time ago that checked where URIs were hosted and assigned points for 
that (eg: adds XX.XX points for hosted at ChinaNet, XX.XX for hosted 
at AboveNet)




Re: Net::DNS trouble

2005-04-08 Thread Chris Thielen
Hi Craig,
Craig Baird wrote:
Quoting Jeff Chan [EMAIL PROTECTED]:
 

The usual way problems like this happen is when upgrades are done
using different mechanisms, i.e. CPAN vs tarball vs Subversion,
etc.
The different upgrade mechanisms have different ways of keeping
track of versions, paths, etc. and if those methods are mixed
*for the same program* they can get confused.
One solution is to always use CPAN, always use tarballs, always
use subversion, etc.  I.e. pick one and stick with it.
   

However, I still don't know how to fix this problem.  As I mentioned, I 
installed Net::DNS using CPAN.  When that didn't work, I also tried
re-installing using the tarball.  I tried tarballs for 0.49 and 0.48 with the 
same results.  Any suggestions?
 

If this is another debian box, I recommend sticking with debian packages 
for everything.  Use CPAN to remove the package, then install it via 
apt-get.

ii  libnet-dns-perl  0.48-1   Perform DNS queries from a Perl script

If it claims you have this package installed, try apt-get install 
--reinstall libnet-dns-perl

HTH




Re: rules du jour and windows

2005-04-07 Thread Chris Thielen
Hi Ben,
Ben Wylie wrote:
I run spamassassin on windows. 
I like the SARE rules and would love to be able to automatically keep them
up to date. Is there a windows alternative for rules du jour? I do have
cygwin installed. Is it easy to set it up with that? I guess I would prefer
to do it in windows, but if cygwin is the only way I could do it, I would.
Are there instructions on how to set it up with cygwin?
 

Theoretically there should be few problems getting RDJ running on 
cygwin, although I don't actually know of anyone who's done so yet (I'm 
the author of RDJ).

If that's something you want to try, I'll walk through it with you and 
we can come up with a HOWTO.  Feel free to contact me offlist.

Chris Thielen




Re: [RD] evilnumbers update changes

2005-03-14 Thread Chris Thielen
Matt Yackley wrote:
Hi all,
I've released a new version of evilnumbers and there are several 
changes in the new
version.


snip
RulesDuJour:
A new version of RDJ will be released soon to handle these changes, 
but here is a
manual fix.

I've updated RDJ with the new names for evilnumbers.  There are now 
three names available, EVILNUMBERS, EVILNUMBERS1, and EVILNUMBERS2.   
RDJ users should receive RDJ 1.19 during the next update (as usual, RDJ 
does not automatically update itself, only download the new version for 
you).

snip
Cheers,
matt








Re: [RD] evilnumbers update changes

2005-03-14 Thread Chris Thielen
Hi Martin,
Martin Hepworth wrote:
 Matt
 myrdj not downloading the files as it can't get the file sizes for 
some reason...
Can you give me the error messages?  I just downloaded the new 
evilnumbers using RDJ 1.19 (which I just uploaded) and it went off 
without a hitch.  I use curl (not wget), by the way.





Re: Millions and Billions

2005-02-24 Thread Chris Thielen
Hi,
[EMAIL PROTECTED] wrote:
Stuart Johnston wrote:
 

[EMAIL PROTECTED] wrote:
   

Stuart Johnston wrote:
 

body L_MILLBILL /[mb]i(?:\|l|l\||\|\|)ions?/i
   

body L_MILLBILL /[mb]i[l|][l|]ions?/i
 

I started with something similar to that but it will also match
millions which we don't want.
   

Touché!
OK, how about
body L_MILLBILL /[mb]il?\|+l?ions?/i
Also catches mi|ions, mil||ions
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
 

Not to get super fancy or anything, but try this (with negative lookahead):
body LOCAL_OBFU_ONLY_MLLNS 
/(?!\bmillions\b)(?:\bm|\Brn|\/V\\|\/\\\/\\|\xCE\x9C|\xD0\x9C|\xD0\xBC)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[l1I\|\xA3]|(?:\xC5[\x80-\x82]|\xC4[\xB9-\xBF]))[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[l1I\|\xA3]|(?:\xC5[\x80-\x82]|\xC4[\xB9-\xBF]))[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5]\b|[\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F\B)/i
body LOCAL_OBFU_ONLY_BLLNS 
/(?!\bbillions\b)(?:\b[b8]|\B[\xDF]|\xCE\x92|\xCE\xB2|\xD0\x92|\xD0\xB2)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[l1I\|\xA3]|(?:\xC5[\x80-\x82]|\xC4[\xB9-\xBF]))[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[l1I\|\xA3]|(?:\xC5[\x80-\x82]|\xC4[\xB9-\xBF]))[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[il1:\|\*\xCC-\xCF\xEC-\xEF\xA6]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[o0\*\xB0\xBA\xD8\xF8\xD2-\xD6\xF2-\xF6]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[n\xD1\xF1]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)[\x01-\x2F\x3A-\x40\x5B-\x60\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]?(?:[s5]\b|[\$\xA7]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F\B)/i



signature.asc
Description: OpenPGP digital signature


Re: [SARE] header rules updated

2005-02-17 Thread Chris Thielen
George,
Maybe the way RDJ does the roll back needs to be addressed? I know version
2 is nearing release, and this wouldn't be difficult to add:  It could
check the cf file for a grep-able, commented, this release changes
entry, which may include a rules.htm#ChangesVerX url.
 

RDJ has always reported the version line of the updated ruleset.  
Ruleset authors can use this feature to get a one-line change 
description to RDJ users when they are emailed.  Based on my RDJ run 
logs, it seems that this used to happen more than it does now, but of 
course that's up to the Ruleset authors...

I suppose I could broaden the scope of the text returned for version 
reporting to allow for multiple lines, or explicitly code for changelog 
support.

Then if some change broke your site, you get a likely indicator why,
right there beside the roll back commands, near the lint output. And if
your update is multiple revisions behind, you have a url to get started
on finding changes at the relevant revision.
 

When I get time I will revisit --lint.  I also want to process linting 
each new file one at a time to try to isolate the broken files.

Actually, I like this proposed way of reporting changes a lot. I've
always wondered the point of email notifications, ruleset x has
changed.. They kinda suggest I should do a diff and figure out if
everything is really okay. I'd just assume see a change log as part of
the notification that new rules have been loaded (or that lint prevented
those changes from happening).
I don't understand... I assume you would prefer the notification to not 
knowing it was updated at all...?




Re: THANKS - Re: AWL problem??

2005-01-14 Thread Chris Thielen
Hi Chris,
Chris Thielen wrote:
John Fleming wrote:
Bayes in the current version will not autolearn against itself (will
not auto-learn as ham something it thought was spam, or v.v.) -- it
might be a good enhancement to also have bayes look at AWL if active,
and if AWL disagrees with the auto-learn judgment, then do not
auto-learn.
Looking at http://bugzilla.spamassassin.org/show_bug.cgi?id=3418,

Thanks Bob and Matt and others for the education.  SA never ceases to 
amaze me with its intelligence.  I should've mentioned that I'm 
using v2.64, patiently awaiting 3+ to enter Debian testing (Sarge).  
- John

I wouldn't hold my breath.  Since sarge is in release mode, you will 
probably have better luck finding a backport.  I should also mention 
that I'm using sarge and am still on 2.60-2!

Open slot mouth.  Insert tab foot.
Look what came across the wire today:
[EMAIL PROTECTED]:~$ apt-cache policy spamassassin
spamassassin:
 Installed: 1:2.60-2
 Candidate: 1:2.60-2
 Version Table:
*** 1:2.60-2 0
   100 /var/lib/dpkg/status
3.0.2-1 0
   900 http://http.us.debian.org sarge/main Packages
   600 http://http.us.debian.org unstable/main Packages
Thanks Duncan?





Re: THANKS - Re: AWL problem??

2005-01-13 Thread Chris Thielen
John Fleming wrote:
Bayes in the current version will not autolearn against itself (will
not auto-learn as ham something it thought was spam, or v.v.) -- it
might be a good enhancement to also have bayes look at AWL if active,
and if AWL disagrees with the auto-learn judgment, then do not
auto-learn.
Looking at http://bugzilla.spamassassin.org/show_bug.cgi?id=3418,

Thanks Bob and Matt and others for the education.  SA never ceases to 
amaze me with its intelligence.  I should've mentioned that I'm using 
v2.64, patiently awaiting 3+ to enter Debian testing (Sarge).  - John
I wouldn't hold my breath.  Since sarge is in release mode, you will 
probably have better luck finding a backport.  I should also mention 
that I'm using sarge and am still on 2.60-2!




Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-12 Thread Chris Thielen
Darren Coleman wrote:
Hi Loren,
Firstly, thanks for your help.
I have searched around rulesemporium without much success trying to find
these LOCAL_OBFU_* rules.  I don't suppose you could tell me the
filename that they occur in could you? (I assume they will be in
/etc/mail/Spamassassin or wherever your local.cf file is for your
install).
 

These rules were generated by my obfu rule generator:
http://sandgnat.com/cmos/cmos.jsp
I'm not sure where Loren's badword list came from, however.  I have 
two badword lists you may use, however I haven't been maintaining them 
(they're about a year old).

Here are two links to invocations of cmoscript using my badwordlists as 
input (copy each Generated Rules file section to a new .cf file):
http://tinyurl.com/3rrrl (obfuscated only wordlist for words 
like mortgage)
http://tinyurl.com/4wmzt (badwords wordlist)

Chris




Re: RulesDuJour problem - help please

2005-01-03 Thread Chris Thielen
Hi Dimitri,
Dimitri Yioulos wrote:
Happy New Year to all.
I've searched the list archive, and found some references to my 
problem, but no solutions, so here goes again (sorry for the long 
post, but I want to provide as much info. as necessary):

I recently upgraded to spamassassin 3.0.2 running on CentOS 3.3. I'm 
also running sendmail-8.12.11-4.RHEL3.1 and mailscanner-4.37.7-1. I've 
been using RulesDuJour since before the latest versions of the above 
software, and it worked fine. However, after upgrading to spamassassin 
3.0.2, RulesDuJour now fails. Here's some of the more salient output 
from running the script:

***WARNING***: spamassassin --lint failed.
snip
Lint output: config: SpamAssassin failed to parse line, skipping: 
!DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN

config: SpamAssassin failed to parse line, skipping: HTMLHEAD
config: SpamAssassin failed to parse line, skipping: TITLE Rate 
limiting in effect/TITLE

config: SpamAssassin failed to parse line, skipping: /HEADBODY
config: SpamAssassin failed to parse line, skipping: H1Rate limiting 
in effect/H1

config: SpamAssassin failed to parse line, skipping: Your request 
could not be processed because you have exceeded the maximum request 
rate for the requested document. This is a temporary condition; you 
will be permitted to submit another request in a few hours.

config: SpamAssassin failed to parse line, skipping: BRBRTo avoid 
triggering the rate limiter in future, please make less frequent 
requests for this document. You should not request the same document 
more than once every 24 hours. Please also note that continuing to 
re-request the document while rate limiting is in effect will further 
increase the amount of time before the file becomes available to you 
again.

snip
Check which files have the string "Rate limiting" in them.
[EMAIL PROTECTED] grep -l "Rate limiting" /usr/share/spamassassin/*
[EMAIL PROTECTED] grep -l "Rate limiting" /usr/share/spamassassin/RulesDuJour/*
Delete those files. In fact you can delete everything in 
/usr/share/spamassassin/RulesDuJour/ and it should rebuild itself.

Finally, you should not have RDJ pointing to /usr/share/spamassassin. 
The proper place for local configuration (local.cf) and local rulesets 
(rules_du_jour managed rulesets) is /etc/spamassassin or 
/etc/mail/spamassassin (or similar... based on OS conventions)


I'd really like to get RulesDuJour working again. Can anybody help?
Thanks.
Dimitri
Hope this helps.
Chris Thielen
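
A check for the failure shown in the lint output above, where an HTML "Rate limiting in effect" page ended up saved under a ruleset file name. This is an added example, not part of rules_du_jour; the function names, the sample files and the quarantine directory are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of rules_du_jour. File names below are constructed.

# Succeeds when the first non-blank line of file $1 opens an HTML document,
# which is what a saved "Rate limiting in effect" page looks like.
looks_like_html() {
    awk 'NF { print tolower($0); exit }' "$1" |
        grep -Eq '^[[:space:]]*<(!doctype|html)'
}

# Moves every *.cf in directory $1 that looks like HTML into directory $2
# and prints the number of files moved. Real rulesets are left in place.
quarantine_html_rulesets() {
    moved=0
    mkdir -p "$2"
    for f in "$1"/*.cf; do
        [ -f "$f" ] || continue
        if looks_like_html "$f"; then
            mv "$f" "$2/" && moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Builds two constructed files in a scratch directory, runs the check, and
# prints: the count moved, the quarantined file name, the surviving file name.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# Demo ruleset' '# Version: 1.0' 'body DEMO_RULE /demo/' \
        > "$tmp/demo_ruleset.cf"
    printf '%s\n' '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">' \
        '<HTML><HEAD>' '<TITLE>Rate limiting in effect</TITLE>' \
        > "$tmp/rate_limited.cf"
    quarantine_html_rulesets "$tmp" "$tmp/quarantine"
    ls "$tmp/quarantine"
    (cd "$tmp" && ls *.cf)
    rm -rf "$tmp"
}

demo
```

Run against the ruleset directory before `spamassassin --lint`, a check like this sets the saved error page aside so it is never parsed as configuration.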




Rules du Jour 2 (beta) -- Testers Wanted

2004-12-31 Thread Chris Thielen
contact me if interested




Re: Recent Debian Package

2004-12-14 Thread Chris Thielen
Hi,
http://www.backports.org/package.php?search=spamassassin
Regards,
Chris Thielen

Rakotomandimby (R12y) Mihamina wrote:
Hello,
I'm looking for a recent package of Spamassassin for Debian STABLE
(Woody) please. Either 2.64 or 3.x ?
The apt-get.org has no one.
Where could I find ?
[This is a crosspost to SA and Debian list so please set the
Reply-to:]
 






RE: RDJ Questing... Followup

2004-09-22 Thread Chris Thielen
Hi Robert,
(response inline)

On Wed, 2004-09-22 at 10:44 -0700, Robert Leonard wrote:
 As a follow-up to my previous post...
 The error I see is like this..
 When I run the rdj script it tries to locate itself in the
 default /etc/spamassassin folder.. ignoring the fact that in the
 RDJ_CONFIGFILE I changed the SA default to /etc/mail/spamassassin..  I
 have the config file in the correct location, as per where Chris
 searches for it.. the permissions are 777 on it...  RDJ just doesn't
 seem to see it, so it goes with its own defaults..
  
 Does that help my case at all??
 
 
 __
 From: Robert Leonard [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, September 22, 2004 8:56 AM
 To: users@spamassassin.apache.org
 Subject: RDJ Questing...
 
 
 
  I've gotten SA 3.0 in and running, but am having trouble installing
 RDJ!  I expected just the opposite!  :) 
 For some reason the current rules_du_jour script just can't or won't
 see my config file..  Anybody out there point me in the right
 direction here??  Thanks
 
 
 I've got the following setup: 
 The RDJ Script is at: 
 /etc/mail/spamassassin/RulesDuJour/rules_du_jour 
 
 The config file is at: 
 /etc/mail/rulesdujour/RDJ_CONFIGFILE 

Try moving your config file from /etc/mail/rulesdujour/RDJ_CONFIGFILE
to /etc/mail/rulesdujour (a file named rulesdujour, not a file located
in a dir named rulesdujour) or any of the other locations hardcoded in
the script:
/etc/rulesdujour/config /etc/rulesdujour /etc/mail/rulesdujour 
/etc/sysconfig/RulesDuJour /etc/sysconfig/rulesdujour

Finally, if you don't like any of those locations, you can invoke RDJ
with the RDJ_CONFIGFILE environment variable pre-set, eg:

[EMAIL PROTECTED]:~$ RDJ_CONFIGFILE=/etc/mail/rulesdujour/RDJ_CONFIGFILE /etc/mail/spamassassin/RulesDuJour/rules_du_jour


 
 My Config file looks like this... 
 SA_DIR="/etc/mail/spamassassin"; 
 SA_RESTART="/etc/init.d/spamassassin restart"; 
 MAIL_ADDRESS="[EMAIL PROTECTED]"; 
 SINGLE_EMAIL_ONLY="true"; 
 TRUSTED_RULESETS="TRIPWIRE EVILNUMBERS SARE_RANDOM"; 

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES): http://www.sandgnat.com/cmos/

Keep up to date with the latest third party SpamAssassin Rulesets:
http://www.exit0.us/index.php/RulesDuJour


signature.asc
Description: This is a digitally signed message part


Re: [RDJ] Weird Rules Du Jour Warning

2004-09-16 Thread Chris Thielen
Hi Josh,
On Wed, 2004-09-15 at 15:57 -0500, Josh Trutwin wrote:
 Hi,
 
 Every time I run rules_du_jour (latest version) I get a warning/error
 message, but I cannot tell where it is.  I changed perl to
 /usr/bin/perl -w and this is what it displays:
 
 # /root/bin/rules_du_jour
 /root/bin/rules_du_jour: [: too many arguments

Odd.  Try adding set -v on a blank line to the top of the rules_du_jour
script (a line or two after the #!/bin/bash) and run it again.

 \1 better written as $1 at -e line 1.
 
 The latter warning seems related to the CURL detection.
 
 As near as I can guess the [: is coming from one of these lines:
 PARSE_NEW_VER_SCRIPTS[0]=${PERL} -ne 'print if
 /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort |
 ${TAIL};
 
 The error occurs right away before the bulk of output messages for
 each rule.  
 
 I tried turning on -v on /bin/bash and it appears the message comes
 from parsing:
 
 [ ${PARSE_NEW_VER_SCRIPTS} ] || \
 declare -a PARSE_NEW_VER_SCRIPTS;   # Command to
 run on the file to retrieve new version info
 /root/bin/rules_du_jour: [: too many arguments
 
 
 Tried to put this all on one line - same result.
 
 Any thoughts?  My /etc/mail/rulesdujour can be found at:
 http://www.netbits.us/rulesdujour
 
 Oh - perl 5.6.1 on debian
 
 Thanks,
 
 Josh
 

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES): http://www.sandgnat.com/cmos/

Keep up to date with the latest third party SpamAssassin Rulesets:
http://www.exit0.us/index.php/RulesDuJour




Re: [RDJ] Weird Rules Du Jour Warning

2004-09-16 Thread Chris Thielen
Hi Josh,

Would you try removing all the lines such as:
[ ${VARIABLE} ] || declare -a VARIABLE;
and then re-running?

I'm clueless what is causing this.  I'm not certain that
[ ${PARSE_NEW_VER_SCRIPTS} ] syntax is proper, but it's been working for
me for quite some time.  My system is also Debian (sarge).  I'm using
bash 2 now, but I just tried it on bash 3 and it worked with that as
well.

On Thu, 2004-09-16 at 12:09 -0500, Josh Trutwin wrote:
 On Thu, 16 Sep 2004 10:59:56 -0500
 Chris Thielen [EMAIL PROTECTED] wrote:
 
  Hi Josh,
  On Wed, 2004-09-15 at 15:57 -0500, Josh Trutwin wrote:
   Hi,
   
   Every time I run rules_du_jour (latest version) I get a
   warning/error message, but I cannot tell where it is.  I changed
   perl to /usr/bin/perl -w and this is what it displays:
   
   # /root/bin/rules_du_jour
   /root/bin/rules_du_jour: [: too many arguments
  
  Odd.  Try adding set -v on a blank line to the top of the rules_du_jour
  script (a line or two after the #!/bin/bash) and run it again.
 
 Ok, did that though I'm not sure it helped with the output.  The full
 output of this command is available at http://www.netbits.us/rdj.txt
 
 Search for "too many" to find the error.
 
 Josh
 
-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES): http://www.sandgnat.com/cmos/

Keep up to date with the latest third party SpamAssassin Rulesets:
http://www.exit0.us/index.php/RulesDuJour
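
The `[: too many arguments` message discussed in this thread is what an unquoted `[ ${VARIABLE} ]` test produces whenever the variable holds a multi-word value. The following added example (not part of rules_du_jour, and not a diagnosis of the reported system) compares the unquoted and quoted forms; the sample value and function names are constructed.

```sh
#!/bin/sh
# Added example, not part of rules_du_jour.

# Constructed value: a multi-word command string of the kind stored in
# PARSE_NEW_VER_SCRIPTS[0], with perl set to "/usr/bin/perl -w".
SAMPLE="/usr/bin/perl -w -ne 'print if /version/i;' | sort | tail -1"

# Map a [ ] exit status to a word: 0 = true, 1 = false, above 1 = usage error.
classify() {
    case $1 in
        0) echo set ;;
        1) echo unset ;;
        *) echo error ;;
    esac
}

# Unquoted form, as in "[ ${VARIABLE} ] || declare -a VARIABLE;".
# The shell splits the value into words before [ parses them.
check_unquoted() {
    st=0
    [ $1 ] 2>/dev/null || st=$?
    classify "$st"
}

# Quoted form: [ receives exactly one operand whatever the value contains.
check_quoted() {
    st=0
    [ -n "$1" ] || st=$?
    classify "$st"
}

# Prints the outcome of both forms for a multi-word and an empty value.
demo() {
    echo "unquoted, multi-word value: $(check_unquoted "$SAMPLE")"
    echo "quoted,   multi-word value: $(check_quoted "$SAMPLE")"
    echo "unquoted, empty value:      $(check_unquoted "")"
    echo "quoted,   empty value:      $(check_quoted "")"
}

demo
```

The unquoted form only behaves while the variable is empty or a single word, which is why it can work for a long time and then fail once a configuration file assigns the variable first.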

