Re: BOTNET timeouts?

2009-06-11 Thread Dave Koontz
John Hardin wrote ... (6/11/2009 4:21 PM):
 On Thu, 11 Jun 2009, John Rudd wrote:

 As I've said, I don't really have a plan to incorporate the patch
 into the main dist.

 You probably should. It doesn't prevent you from pursuing your design
 changes, and it would fix the problem for those who are experiencing
 the problem today.

 Is it truly *that* onerous to produce a 0.9 tarball that includes the
 patch, either as a standalone file or applied to the sources?

 As a plus, that would create a dist file with a newer date to reassure
 people that it's still an active development project.
Frankly, it seems to me that it's taken more time to argue why it won't
be incorporated into the dist than it would have taken just to have done it.

Granted I understand the vision moving forward, but I suspect many more
people have hit this issue than is reflected via complaints on this
list.  I know we had this issue and never posted about it.  It only
takes a couple of minutes at best to fix.

John makes a very solid point about a new build / date indicating it is
still an active plugin.  I've seen questions on other lists asking if it
was still actively maintained.





Re: Phishing

2009-04-25 Thread Dave Koontz
Hi Thomas!

Casartello, Thomas wrote ... (4/24/2009 8:05 PM):

 One major issue we’ve been having lately is with phishing emails being
 targeted at us. They’re being sent to us from hacked accounts at other
 educational institutes. The message usually is about “Your EDU webmail
 account is expiring. Please send us your username and password to fix
 it.” We’ve had some users fall for it, then their Exchange account
 gets turned into a spam machine (sending out usual junk spam as well
 as the original phishing message.) Because they are coming from
 legitimate sites, it’s been very difficult to block these messages.
 I’ve been trying to write phrase rules with common words used in the
 message, but whoever’s responsible for this is continually changing
 the message to prevent you from being able to catch them with phrase
 rules. Any thoughts?

  


I've discovered that most folks outside .EDU address space don't face
the dozens of variations of these messages each day.  The sad part is they do
in fact come from legitimate users and domains, just from a compromised
account.

The best advice is to use ClamAV with the SaneSecurity databases.  There
is a ClamAV plugin which makes it trivial to add to SpamAssassin:
ClamAV Plugin:  http://wiki.apache.org/spamassassin/ClamAVPlugin
SaneSecurity Phishing Signatures:  http://sanesecurity.com/

I also have set up some rather crude SA rules that seem effective for
us.  When you really break down a large sampling of these you will find
there are also a couple of very common words, like WebMail,
Password, Warning, etc.  Feel free to try the following and adjust the
scoring as needed for your environment.

#
# SPEAR ATTACKS  12/10/2008
#
body     EDU_SPEAR_S   /Edu Email Support Team/i
describe EDU_SPEAR_S   Email Attempting to get User Logins
score    EDU_SPEAR_S   15.0


body     EDU_SPEAR_WM  /WEBMAIL/i
describe EDU_SPEAR_WM  Email Contains WebMail
score    EDU_SPEAR_WM  0.1

body     EDU_SPEAR_P   /password/i
describe EDU_SPEAR_P   Email Contains password
score    EDU_SPEAR_P   0.1

meta     EDU_SPEAR     EDU_SPEAR_WM && EDU_SPEAR_P
describe EDU_SPEAR     Potential Phish WebMail / Password
score    EDU_SPEAR     7.5

body     EDU_SPEAR_U   /username|user name/i
describe EDU_SPEAR_U   Email Contains username
score    EDU_SPEAR_U   0.1

body     EDU_SPEAR_W   /warning/i
describe EDU_SPEAR_W   Email Contains warning
score    EDU_SPEAR_W   0.1

body     EDU_SPEAR_C   /confirm/i
describe EDU_SPEAR_C   Email Contains confirm
score    EDU_SPEAR_C   0.1

body     EDU_SPEAR_F   /failure/i
describe EDU_SPEAR_F   Email Contains failure
score    EDU_SPEAR_F   0.1

meta     EDU_SPEAR_1   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_W
describe EDU_SPEAR_1   Potential Phish Username, Password, Warning
score    EDU_SPEAR_1   5.0

meta     EDU_SPEAR_2   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_C
describe EDU_SPEAR_2   Potential Phish Username, Password, Confirm
score    EDU_SPEAR_2   5.0

meta     EDU_SPEAR_3   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_F
describe EDU_SPEAR_3   Potential Phish Username, Password, Failure
score    EDU_SPEAR_3   5.0
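
As an added example (not part of the post, and not SpamAssassin's own code), here is a small Python model of how these body and meta rules combine: it parses the rules above as .cf text, evaluates the meta expressions against the body hits, and scores three constructed message bodies. It is a simplified model of SA's body matching (a plain regex search over the text, no HTML rendering), and the && operators that the archive stripped from the meta lines are restored.

```python
import re

# The body/meta rules from the post above, as SpamAssassin .cf text. The
# "&&" operators, which the list archive stripped from the meta lines, are
# restored; the describe lines are left out to keep the block short.
EDU_SPEAR_CF = r"""
body  EDU_SPEAR_S   /Edu Email Support Team/i
score EDU_SPEAR_S   15.0
body  EDU_SPEAR_WM  /WEBMAIL/i
score EDU_SPEAR_WM  0.1
body  EDU_SPEAR_P   /password/i
score EDU_SPEAR_P   0.1
meta  EDU_SPEAR     EDU_SPEAR_WM && EDU_SPEAR_P
score EDU_SPEAR     7.5
body  EDU_SPEAR_U   /username|user name/i
score EDU_SPEAR_U   0.1
body  EDU_SPEAR_W   /warning/i
score EDU_SPEAR_W   0.1
body  EDU_SPEAR_C   /confirm/i
score EDU_SPEAR_C   0.1
body  EDU_SPEAR_F   /failure/i
score EDU_SPEAR_F   0.1
meta  EDU_SPEAR_1   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_W
score EDU_SPEAR_1   5.0
meta  EDU_SPEAR_2   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_C
score EDU_SPEAR_2   5.0
meta  EDU_SPEAR_3   EDU_SPEAR_U && EDU_SPEAR_P && EDU_SPEAR_F
score EDU_SPEAR_3   5.0
"""


def parse_cf(text):
    """Parse body/meta/score lines into {name: rule}; describe lines are ignored."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kind, name, rest = line.split(None, 2)
        rule = rules.setdefault(name, {"kind": None, "score": 1.0})
        if kind == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest)
            if not m:
                raise ValueError("bad body regex for %s: %s" % (name, rest))
            flags = re.I if "i" in m.group(2) else 0
            rule.update(kind="body", regex=re.compile(m.group(1), flags))
        elif kind == "meta":
            rule.update(kind="meta", expr=rest)
        elif kind == "score":
            rule["score"] = float(rest.split()[0])  # SA allows 4 scores; use the first
        elif kind != "describe":
            raise ValueError("unsupported directive: " + kind)
    return rules


def eval_meta(expr, hits):
    """Evaluate SA meta syntax without parentheses: names, !, && and ||
    (&& binds tighter than ||, as in SA).  Arithmetic metas are not supported."""
    def term(t):
        m = re.fullmatch(r"\s*(!?)\s*(\w+)\s*", t)
        if not m:
            raise ValueError("unsupported meta syntax: " + expr)
        return (m.group(2) in hits) != bool(m.group(1))   # XOR with the negation
    return any(all(term(t) for t in conj.split("&&")) for conj in expr.split("||"))


def evaluate(rules, body):
    """Return (total score, sorted names of rules that hit) for one message body."""
    hits = {n for n, r in rules.items() if r["kind"] == "body" and r["regex"].search(body)}
    metas = [(n, r["expr"]) for n, r in rules.items() if r["kind"] == "meta"]
    for _ in range(len(metas) + 1):          # fixed point, so metas may depend on metas
        new = {n for n, e in metas if n not in hits and eval_meta(e, hits)}
        if not new:
            break
        hits |= new
    return sum(rules[n]["score"] for n in hits), sorted(hits)


RULES = parse_cf(EDU_SPEAR_CF)

# Constructed sample bodies (not real messages from the list).
PHISH = ("WARNING: Your EDU webmail account is expiring. To confirm ownership, "
         "reply with your username and password.\n-- Edu Email Support Team")
REWORDED = "Warning: mailbox quota exceeded. Verify your username and password to stay active."
BENIGN = "Reminder: the password policy changes on Monday; sign in to the portal to review it."

if __name__ == "__main__":
    for label, body in (("phish", PHISH), ("reworded", REWORDED), ("benign", BENIGN)):
        score, names = evaluate(RULES, body)
        print("%-8s score=%.1f hits=%s" % (label, score, ",".join(names)))
```

The reworded sample shows why the 0.1 rules exist: on their own they barely move the score, but the meta rule built from them still fires when the phrase-level signature is absent.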


Re: Phishing

2009-04-25 Thread Dave Koontz

John Hardin wrote ... (4/25/2009 12:06 PM):
 A phisher would send emails to a large number of people saying,
 literally, I am your email administrator, your account is to be
 suspended, please send me your username and password.

 DKIM will not work,

 BAYES should work quite well.


Actually it doesn't.  The message text varies too much.  While you can
mass learn a single version during a particular campaign, we often see a
dozen or more variations every day.  BAYES can't cope with that.

The SaneSecurity ClamAV DBs have been the best defense I've found to date.



Re: 20_dnsbl_tests.cf

2009-04-07 Thread Dave Koontz
Michael Hutchinson wrote ... (4/7/2009 7:09 PM):
 I have made some changes to my SA 3.1.7 20_dnsbl_tests.cf when I
 compared it to the 3.2.5 release. I basically just removed 2 DNSBL
 lookups that are redundant. This is done in an attempt to solve an issue
 of random scan times of 30 seconds plus.
When was the last time you used sa-update?  Not that it will be only so
effective on a 3.1.x install.

Is there a particular reason you cannot upgrade this server to 3.2.x?
3.1.7 is quite old now, and many RBLs have gone away or changed since
then.  Two immediate changes come to mind: Spamhaus changed to their
Zen RBL, and whois is gone.  I believe in addition to these,
list.dsbl.org is now gone.  I am sure others here can give you more
changes or reasons to update!  ;-)



Re: accept only gpg/pgp mail

2009-03-07 Thread Dave Koontz
dmdm wrote ... (3/7/2009 2:07 PM):
 What lines would need to be added, and in which file,
 to accept only gpg/pgp encrypted and non-encrypted signed emails to my admin
 account?
 (debian lenny mail server amavisd-new)

 dmdm

   
Wrong list.  SA does not accept nor reject emails, it only scans and
scores them for MTA action.  This would be a question for your MTA's
listserv.



Re: SURBL Usage Policy change

2008-11-12 Thread Dave Koontz
Jeff Chan wrote ... (11/11/2008 7:33 PM):
 Hi Micah,
 Thanks very much for the feedback.  Does anyone know how many
 non-profits have more than 1,000 users (i.e., users with
 mailboxes)?  The non-profit pricing is below ISPs and half that
 of regular end users.
   
There are many non-profits out there that will hit your limits... I
don't think anyone knows how many there are.  1,000 users is fairly
trivial, and most non-profits won't even be able to fill in your form's
second required field of how many messages on average they send a day.

I can tell you that most all small 'private' not-for-profit schools and
colleges will get hit hard by your new fees.  In fact, your new fees are
more than we spend on our email server per year, and as a result this will
never happen.

Given this change in SURBL policy and pricing, I would strongly
suggest removing their rules from the SA rule base.  Otherwise, you will
likely get lots of complaints from users of systems that have embedded
SA installs, or others who do not monitor this list.  I can see many
Barracuda users not having a clue why they are now being blocked and
their systems are processing messages slower as a result.

Sorry Jeff, but this is much too expensive for us and many others I suspect.



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-24 Thread Dave Koontz
Joseph Brennan wrote ... (9/23/2008 2:37 PM):
 No, they don't, really.  They 'may' do that (see below).  Try it.

 Effective immediately:  AOL
 220- may no longer accept connections from IP addresses which
 220  have no reverse-DNS (PTR record) assigned.
According to AOL's Policy page, they say they WILL block connections
with no rDNS.
See http://postmaster.aol.com/guidelines/standards.html

* AOL's mail servers will reject connections from any IP address
  that does not have reverse DNS (a PTR record).




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-24 Thread Dave Koontz
Just an update. I contacted Barracuda and they have resolved their rDNS
issue. They also provided a link so that those that did not receive
their original confirmation emails can have it resent.


 Original Message 
Subject: RE: BarracudaCentral Contact
Date: Tue, 23 Sep 2008 15:13:23 -0700
From: BCOrgInfo_Team


Hi Dave,

Thank you for contacting BarracudaCentral.org. We have resolved the
rDNS/PTR record issue.

Since you did not receive the initial confirmation email, you can
request a second email to be sent here:

http://www.barracudacentral.org/account/resend-vcode

Or if you’ve forgotten your password, you can also request that it be
resent here:

http://www.barracudacentral.org/account/login

If you have any additional questions, please feel free to contact us
again at [EMAIL PROTECTED]

Thank you for signing up for the BRBL service! We do appreciate your
support.


Regards,
BarracudaCentral.org Team





Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-23 Thread Dave Koontz
Justin Mason wrote ... (9/22/2008 11:29 AM):
 In fairness -- if you drop mail with no rDNS, you are dropping 3.6% of
 legit email in general, going by the test results for our RDNS_NONE
 rule... ;)

 --j.
   

Thanks for that stat Justin.  I was always curious what others were
seeing here.  As you know, many major ISPs like AOL have similar
policies to not accept email from IPs with no PTR record.  For us, it
blocks well over 50% of spam right out of the gate, with very little to
no false positives (nowhere close to 1/10th of a percent, much less the 3+
percent you cite).  We have more issues with RBLs and URIBLs than with
missing PTR records... though those too are extremely minimal.

That said, you would think a company making their living selling
antispam software/devices would understand the importance of rDNS
records and other RFC rules.

It would appear once you sign up and their email is blocked, you cannot
edit your own site information nor ask for another confirmation email.
I have sent the following message on to Barracuda.  I filled in their
support form, and got an email back asking me to respond to
[EMAIL PROTECTED].  Let's see how they respond.


*From:* Dave Koontz 
*Sent:* Monday, September 22, 2008 11:56 AM
*To:* [EMAIL PROTECTED]
*Subject:* RE: Thank you for contacting BarracudaCentral.org

I just signed up over the weekend for your new BRBL service.
 
I never got a confirmation email (primary email [EMAIL PROTECTED] ).
 
From the Apache SpamAssassin list, it looks like your confirmation
server sending emails has no rDNS, so like many organizations our server
does not accept such messages.
 
I have tried to add your sending IP 216.129.105.40 to our whitelist,
but if I try to sign up again, it says it's already set up.  There is no link
to EDIT our settings or ask for another confirmation email.

Please advise.  THANKS!

PS:  It looks rather bad when an AntiSpam company like yourselves doesn't
follow the RFCs and set up proper rDNS entries!

 




Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Dave Koontz
Justin Piszcz wrote ... (9/22/2008 10:14 AM):
 Hmm I signed up for this 1-2 days ago but never got a confirmation
 e-mail from them?  What is the RBL name?

 Justin.
Same here.  For those currently running this, how long did it take to
get the confirmation email and get set up?

~ Sparky ~



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Dave Koontz
Rose, Bobby wrote ... (9/22/2008 10:24 AM):
 I had the same issue and found that the system that's relaying
 (216.129.105.40) those confirmation emails doesn't have a PTR record.
 You'd think someone selling an antispam/email appliance would be familiar
 with the RFCs.
   
That would explain why I got no confirmation; we do not accept email
from IPs without a PTR record.

I agree, if true this looks pretty bad for a so-called antispam
company.  I will check our logs when I return from vacation and verify
what you are seeing.  Can anyone else confirm in the meantime?



Re: Rule to block link to *.zip *.exe *.scr ...

2008-08-05 Thread Dave Koontz


Rejaine Monteiro wrote ... (8/1/2008 1:40 PM):


Hi all

How can I create a generic rule to block any e-mail with links to 
dangerous files ?


Like http://.zip or http://***.exe  or ***.doc.exe  etc...
This is one I wrote to deal with a large influx of Storm Worm's that got 
through once.



uri      DANGEROUS_URL  /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL  URL contains executable content
score    DANGEROUS_URL  7.5





Re: how to stop SPF checks from going past trusted host?

2008-06-27 Thread Dave Koontz
Jo, didn't you get your answer several times now?  I don't understand 
why this thread continues.


Jo Rhett wrote:

On Jun 25, 2008, at 6:34 PM, Benny Pedersen wrote:

then stop cc me

X-ASF-Spam-Status: No, hits=-0.0 required=10.0
tests=FM_FAKE_HELO_VERIZON,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of [EMAIL PROTECTED]
designates 206.46.173.3 as permitted sender)
Received: from [206.46.173.3] (HELO vms173003pub.verizon.net) 
(206.46.173.3)
by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 26 Jun 2008 
00:56:44 +



What exactly does CCing someone have to do with bouncing back 
incorrect SPF failure messages?


I'm sorry, but you're a constant source of backscatter, Benny.



--



*Dave Koontz* (MCSE/GCIH)
Associate Director
Computer & Information Services
*Mary Baldwin College*
Email:  [EMAIL PROTECTED]
Phone: (540) 887-7399

http://www.mbc.edu/




MailChannels SPAMMING List Members?

2008-06-12 Thread Dave Koontz
All, I never heard of mailchannels.com until it was a discussion here a few
weeks ago.  Now, auto-magically I get a feedback-for-free-coffee offer?

Interesting... a supposed anti-spam company gleaning addresses from an
anti-spam list to spam them.  Whatever others thought of them before, I
know what I think of them now.  Well, I will share my response to them as
well.  :-)

 
-Original Message-
From: Dave Koontz 
Sent: Wednesday, June 11, 2008 7:02 PM
To: 'Desmond Liao'
Subject: RE: Request for Interview

Boy, you are borderline on SPAM by sending me this message to begin with.
You are obviously sucking addresses from one listserv or another.  I don't
think you want my opinion.  You will be lucky if I don't blacklist your
company.


-Original Message-
From: Desmond Liao [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 11, 2008 6:47 PM
To: [EMAIL PROTECTED]
Subject: Request for Interview

Hi Dave,

Hope this message finds you well.

The reason I contact you is to get your feedback on best practices in 
anti-spam technology. In exchange for your time, I can offer you a free 
coffee from Starbucks.

Please let me know if you're available for a quick call.

Best,
Des

-- 
Desmond Liao
MailChannels - Email Traffic Shaping

http://mailchannels.com
778 785 6148 tel
604 608 9490 fax




Re: MailChannels Traffic Control

2008-05-22 Thread Dave Koontz
Personally, I am tired of this entire thread.  It has nothing to do with 
SA, so PLEASE move it to the MailChannels discussion forums or lists.


Jo Rhett wrote:


I'm tired of wasting time with this pointless conversation.  Just stop 
making authoritative statements about products you haven't researched.







Re: Bayes not run ?

2008-03-10 Thread Dave Koontz
We use a single global Bayes DB.  On that DB, we have months of learning 
tokens.  Even creating a new one does not help.  This is an odd problem!


Justin Mason wrote:

aha -- that's being added by SpamAssassin alright, then, due to
the add_header line.

Are you using 1 global Bayes db, or per-user dbs?  if the latter, maybe
there just isn't enough training for bayes to be active? Try getting debug
logs from SpamAssassin -- they'll fill you in on the reason (although I'm
not sure if MDaemon allows you to do that).

--j.

Dave Koontz writes:
  

Justin Mason wrote:

 The only indication is SA's X-Spam-DataBase: Bayes not run. header.
 


 SpamAssassin doesn't add a header like that... what are you using:
 spamd, MailScanner, amavisd?

 --j.
  


I use a product called MDaemon, which has a Windows port of SA. Perhaps my
header mapping in local.cf is creating that header (see below).  Either
way, there are no BAYES_XX hits on most of the messages processed.  I
would say about a third are getting proper hits, all others have no BAYES
tag at all.

clear_headers
add_header all Report _REPORT_
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE(0.00)_  required=_REQD_
tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_
add_header spam Level _STARS(*)_
add_header all DataBase _TOKENSUMMARY_
add_header spam RBL _RBL_
add_header all Hits _SPAMMYTOKENS_






RE: Bayes not run ?

2008-03-10 Thread Dave Koontz
Thanks.  We use a single site-wide DB.  After playing with lots of things, I
noticed that the bayes journal file was being constantly consumed by
'something'.  It would get created, get to 2K and be gone.  I think it's some
sort of stupid 'windows' trick.  Even after creating new DB files, the same
thing happened.  I copied over an old backup of the journal file and now
it's working perfectly fine. The journal file now grows correctly, gets
processed and recreated fine and EVERY message is now scored by bayes.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 07, 2008 10:47 AM
To: Dave Koontz
Cc: Justin Mason; users@spamassassin.apache.org
Subject: Re: Bayes not run ?


aha -- that's being added by SpamAssassin alright, then, due to
the add_header line.

Are you using 1 global Bayes db, or per-user dbs?  if the latter, maybe
there just isn't enough training for bayes to be active? Try getting debug
logs from SpamAssassin -- they'll fill you in on the reason (although I'm
not sure if MDaemon allows you to do that).

--j.

Dave Koontz writes:
 Justin Mason wrote:
 
  The only indication is SA's X-Spam-DataBase: Bayes not run. header.
  
 
  SpamAssassin doesn't add a header like that... what are you using:
  spamd, MailScanner, amavisd?
 
  --j.
   
 
 I use a product called MDaemon, which has a windows port of SA. Perhaps my
 header mapping in local.cf is creating that header (see below).  Either
 way, there are no  BAYES_XX hits on most of  the messages processed.  I
 would say about a third are getting proper hits, all others have no BAYES
 tag at all.
 
 clear_headers
 add_header all Report _REPORT_
 add_header spam Flag _YESNOCAPS_
 add_header all Status _YESNO_, score=_SCORE(0.00)_  required=_REQD_
 tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_
 add_header spam Level _STARS(*)_
 add_header all DataBase _TOKENSUMMARY_
 add_header spam RBL _RBL_
 add_header all Hits _SPAMMYTOKENS_




Bayes not run ?

2008-03-07 Thread Dave Koontz
I just noticed that for some reason only some of my messages are 
actually being run through Bayesian classifying.  I am not sure how long 
this has been occurring. I did a Google search which did not turn up much 
as to what could cause this. 

One suggestion was there was not enough processing threads and/or 
connections.  I have tried 6 / 200 and it still occurs.


The other was related to file permissions, but there are no permission 
problems and some messages score just fine, and my autolearn is not 
complaining about permissions and is working fine.


I am seeing this in both 3.2.3 and 3.2.4.  I even tried creating a new 
bayes_toks database to no avail.  I even removed 60_shortcircuit.cf 
thinking perhaps that was the culprit.


The only indication is SA's X-Spam-DataBase: Bayes not run. header.

Thanks in advance for any additional hints or tips!



Re: Bayes not run ?

2008-03-07 Thread Dave Koontz

Justin Mason wrote:

The only indication is SA's X-Spam-DataBase: Bayes not run. header.



SpamAssassin doesn't add a header like that... what are you using:
spamd, MailScanner, amavisd?

--j.
  


I use a product called MDaemon, which has a Windows port of SA. Perhaps 
my header mapping in local.cf is creating that header (see below).  
Either way, there are no BAYES_XX hits on most of the messages 
processed.  I would say about a third are getting proper hits, all 
others have no BAYES tag at all.


clear_headers
add_header all Report _REPORT_
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE(0.00)_  required=_REQD_ 
tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_

add_header spam Level _STARS(*)_
add_header all DataBase _TOKENSUMMARY_
add_header spam RBL _RBL_
add_header all Hits _SPAMMYTOKENS_


Please help with rule

2008-02-25 Thread Dave Koontz
I am still getting some Storm Worm messages that are not being caught, 
even with Sane Security / ClamAV.  I thought I'd write a rule to score 
any URL that has a dot exe, scr or pif extension.  However, my rule is 
not working.  Can someone help advise what is wrong?  I want it to 
pick up any http or https with those extensions. 


body     Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i
describe Dangerous_URL  Dangerous URL
score    Dangerous_URL  7.5

Thanks in advance!





Re: [OT] Yahoo Deferred

2008-02-25 Thread Dave Koontz
Ditto, please share any resolve should you get one.  This has been an 
ongoing problem for us for well over a year now.


Ramprasad wrote:

Tony Bunce wrote:


Sorry for the Off Topic thread but I’m at a loss

Is anyone else having issues sending mail to Yahoo?

They are returning 421 Message temporarily deferred to every message 
my servers try to send. My server then retries like it should but 
Yahoo never accepts the message, even after a day of retrying. Google 
turned up several people having the same issue but no one with a 
solution. My DNS is right, I have SPF records, and sign outgoing 
messages using DomainKeys.



BTW if you get any solution please share with me too :-)


Thanks
Ram




RE: Please help with rule

2008-02-25 Thread Dave Koontz
Thanks all for the info, the uri check is much better.

Joseph you were absolutely correct about it catching too wide.  I modified
it to pattern check the end only and it now works a treat!

uri      DANGEROUS_URL  /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL  URL contains executable content
score    DANGEROUS_URL  7.5
 

Joseph Brennan Wrote:

--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz [EMAIL PROTECTED] 
wrote:

 I am still getting some Storm Worm messages that are not being caught,
 even with Sane Security / ClamAV.  I thought I'd write a rule to score
 any URL that has a dot exe, scr or pif extension.  However, my rule is
 not working.  Can someone help advise what is wrong?  I want it to pickup
 any http or https with those extensions.


 body     Dangerous_URL  /http{1,200}\.(?:exe|scr|pif)/i


  uri      Dangerous_URL  /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 to 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.
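
An added check, not from the thread: the three patterns above (the original body rule, Joseph's dot fix and the final anchored uri rule) run in Python against constructed URIs, alongside a hardened variant of the extension rule (my own suggestion, not the list's) that also catches an extension followed by a query string or fragment, which the $-anchored form lets through.

```python
import re

# The three patterns from the thread, compiled the way SA would (the /i flag).
# BROKEN is the original body rule, WIDE is Joseph's dot fix, ANCHORED is the
# final DANGEROUS_URL uri rule.
BROKEN = re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.I)
WIDE = re.compile(r"http.{1,200}\.(?:exe|scr|pif)", re.I)
ANCHORED = re.compile(r"\.(exe|scr|pif|cmd|bat|vbs|wsh)$", re.I)

# Added here (my suggestion, not from the thread): the same extensions, but
# also accepted when a query string or fragment follows them, which the
# $-anchored rule misses.  As an SA rule it would read:
#   uri DANGEROUS_URL /\.(?:exe|scr|pif|cmd|bat|vbs|wsh)(?:[?#]|$)/i
HARDENED = re.compile(r"\.(?:exe|scr|pif|cmd|bat|vbs|wsh)(?:[?#]|$)", re.I)

PATTERNS = {"broken": BROKEN, "wide": WIDE, "anchored": ANCHORED, "hardened": HARDENED}


def fired(uri):
    """Names of the patterns that match one URI, sorted for stable comparison."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(uri))


# Constructed URIs under the reserved .example TLD, not real hosts.
SAMPLES = [
    "http://download.example/update.exe",           # the case the rule is for
    "http://www.scratchy.example/",                 # Joseph's false positive
    "http://download.example/setup.exe?session=1",  # slips past the $ anchor
    "http://files.example/readme.txt",              # benign, nothing should fire
    "httpppp.exe",                                  # the only shape BROKEN matches
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print("%-46s %s" % (uri, ", ".join(fired(uri)) or "-"))
```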





Re: URIBL

2008-02-21 Thread Dave Koontz
I remember there was a period of time when dozens of  URI delist 
requests were submitted all together without any detail.  Could that 
have been the case with your reports?


Theo Van Dinter wrote:

FWIW, I used to report FP domains to URIBL daily until I was told to
stop because there were too many to deal with.






RE: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Dave Koontz
 
I am running Botnet 0.8 with SA 3.2.3 without issue.  Try a fresh install of
all Botnet files.

-Original Message-
From: UxBoD [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 11, 2008 5:45 AM
To: Arthur Dent
Cc: users@spamassassin.apache.org
Subject: Re: BOTNET 0.8 + SA 3.2.3

I am running it with SA 3.2.4 with no problems at all.

Regards,

--[ UxBoD ]--
// PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- Original Message -
From: Arthur Dent [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: 11 January 2008 10:30:48 o'clock (GMT) Europe/London
Subject: Re: BOTNET 0.8 + SA 3.2.3

Hello all,

I'm so no nearer a solution to this...

To recap:
Since upgrading from SA 3.2.2 to SA 3.2.3 I have had no Botnet hits at all.
I have checked with SA --lint -D and Botnet v.0.8 seems to be installed
correctly.
I have run an old message through my current setup that hit Botnet when
running SA 3.2.2 and it did not hit now...

Any ideas?

Is Botnet 0.8 incompatible with SA 3.2.3?


Thanks for your help...

AD


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.





Re: BOTNET 0.8 + SA 3.2.3

2008-01-11 Thread Dave Koontz


Arthur Dent wrote:

Nope sorry..
  
Please confirm... that your botnet.pm file is where your other plugin PM 
modules reside.  And that the botnet.cf file is where your custom rules 
live (may be a different path depending on configuration).  Make sure 
the botnet.cf is in the same directory as your local.cf file and see if 
that works.




Re: Forward Conformed Reverse DNS troubleshooting tool

2007-11-28 Thread Dave Koontz
Umm... this is nice, however, your main page doesn't look so good.

http://ipadmin.junkemailfilter.com/  returns:
Fedora *Test Page*

Might want to fix that!  ;-)


Marc Perkel wrote:
 http://ipadmin.junkemailfilter.com/rdns.php

 You might want to bookmark this page. Try it out and see if your RDNS
 is really correct.




Re: BAYES_99 on all mail

2007-11-23 Thread Dave Koontz
Do you have Auto Learning enabled?  That helps balance the number of ham
and spam messages your system learns.  My experience has been that the
Bayes database does this eventually if it's fed far more spam than
ham.  If your spam level is very high, you may want to look at both
auto-learn as well as having your MTA re-feed good messages back to
sa-learn.  You may need a cron job to remove the bayes_seen DB to
accomplish this.

Either way, you likely will need to remove the old bayes db and start
fresh.  The tips above just help it to maintain itself properly with a
clean DB.

A J Thew wrote:
 As reported in another thread and also in open bugs

 http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4787

 sa-learn --dump magic gives

 0.000  0  3  0  non-token data: bayes db version
 0.000  02095462  0  non-token data: nspam
 0.000  01360667  0  non-token data: nham
 0.000  0 995727  0  non-token data: ntokens
 0.000  0 1195121816  0  non-token data: oldest atime
 0.000  0 1195831225  0  non-token data: newest atime
 0.000  0 1195831080  0  non-token data: last journal sync 
 atime
 0.000  0 1195362090  0  non-token data: last expiry atime
 0.000  0  76594  0  non-token data: last expire atime 
 delta
 0.000  0 750937  0  non-token data: last expire
 reduction count

 This runs on a machine that mainly gets spam which I realise will not help...

 Thanks

 A Thew
   



LashBack URL / BL?

2007-10-10 Thread Dave Koontz
Does anyone use the LashBack URL as an MTA BL block or SA rule?  I just
discovered them and they sound intriguing.  Any feedback on their
reliability and FP rate would be appreciated.  I am a little concerned that
I've never heard of them before..

 

http://www.lashback.com/support/UnsubscribeBlacklistSupport.aspx

 



Re: R: R: URIWhois-0.02

2007-09-26 Thread Dave Koontz
If nothing else, you should likely add a disclaimer to your rules as you
can't control the threshold at which a site may be blocked for excessive
queries.  I doubt that most users on this list have email volumes as low
as yours (100?), and will go well above the thresholds you've tested.  I
am what I consider a small site, yet I know I would generate well in
excess of 100,000 queries in 24 hours.

So, what happens with your plugin should a timeout or ban occur?

Giampaolo Tomassoni wrote:
 It depends upon how many e-mails you scan. In about 24h I just issued more or
 less 100 queries to several TLDs' whois servers. What is it, 10
 queries per TLD? It doesn't seem too much to me... Also note today I'm
 probably not going to get the same numbers, thanks to caching. 

 Of course, people scanning 1,000,000 messages a day would probably get
 banned: it would end in roughly 200,000 queries issued per day (say 8,000
 per TLD).
   




Re: R: R: R: URIWhois-0.02

2007-09-26 Thread Dave Koontz
Thanks for the explanation, but I think you are missing the point here. 
What is reasonable and what will cause a block?

An individual may well issue 100 queries a day for research.  Not many
have the time to do tens of thousands+ a day (or more).  Any system that
does will likely fall into the AUTOMATED clause.  If your script/pm file
can not exit quickly on lookup failure, you could be stacking up
delivery queues on servers everywhere.


Giampaolo Tomassoni wrote:

 My rate is more or less 500 per day. Most is spam, which comes in more
 copies (for free!), or regular mail with no URIs, or URIs in signature but
 common contacts (more mails per day with the very same URIs). Thereby
 yesterday I had to issue only 100 queries over a volume of 500 mails. Today
 I expect more or less the same volume, but much less queries (I would bet on
 40).

 Giampaolo

   




Re: OT - massive newsletter

2007-09-22 Thread Dave Koontz
If I might ask, where are you getting the list SEED addresses from? 
It's hard for me to imagine you have such a large number of users that
have already requested information you have not configured to send yet. 
If this is a purchased list of addresses ... you may have some problems
quickly.  Remember, it's not just giving users an OPT out option, but
ensuring you are only sending to those that specifically requested
information from you in advance.



mizzio wrote:
 Thank you to everyone for the support.

 Maurizio

   



Re: bayes_seen = 256GB

2007-09-19 Thread Dave Koontz
Theo and all.  I know this topic comes up on occasion, but I am not sure
I've ever seen an explanation as to why the bayes_seen file is not auto
pruned along with the bayes db file.  Since tokens expire in the main DB
file, what is the purpose of having a seen file to unlearn tokens which
may have long ago been purged?   IMO, it would seem logical to also
purge the seen file at some sort of cycle so it can't grow so
excessively large.

Theo Van Dinter wrote:
 On Wed, Sep 19, 2007 at 03:23:50PM -0600, Mr. Gus wrote:
   
 The file bayes_seen has grown in size to 256GB!  (274992939008)
 How do I cap the size limit of this file? I want to have it not grow larger
 then say 800mb at the most!
   
 You need to expire old bayes tokens. The limit is set not as a size, but as
 

 Expiring bayes tokens does nothing to the bayes_seen file.  There is no expiry
 for bayes_seen.

 If the seen file is bigger than you'd like, I'd just rm the file.

   



Re: bayes_seen = 256GB

2007-09-19 Thread Dave Koontz
Thanks Michael.  I don't see anything in bugzilla, so I am adding that
this to the list.  (see Bug 5652)

BTW, the link on the submission page for bug writing guidelines
generates a 404 error. So I will take my best guess here.

My request is below.  I'd love to take this on myself, but I am far from
a perl expert.  Any Perl / SA gurus out there who can look at this? 
Complaints from average users keep coming in to this list, and generally
it is only after they run out of resources that they notice this flaw.

Bugzilla #5652 - bayes_seen - auto expire
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5652

---

bayes_seen db grows without any purge cycle, even if previously learned tokens 
have long been expired for the main bayes db.  Users who are not SA-savvy often 
complain of over-sized seen db file sizes, at times from 250mb-4GB in size.

Request for a new process and variable to control the seen db size... perhaps:

Bayes_Unlearn_Threshold_days

Where a user could enter a value for how many days to keep the seen DB tokens 
and expire those older than that threshold.  Perhaps a DEFAULT value of 7 days 
would be in order as most spam campaigns last a single day at most.  A 30 day 
purge should be more than safe for most anyone and beats a non-expiry system.



Michael Parker wrote:
 Dave Koontz wrote:
   
 Theo and all.  I know this topic comes up on occasion, but I am not sure
 I've ever seen an explanation as to why the bayes_seen file is not auto
 pruned along with the bayes db file.  Since tokens expire in the main DB
 file, what is the purpose of having a seen file to unlearn tokens which
 may have long ago been purged?   IMO, it would seem logical to also
 purge the seen file at some sort of cycle so it can't grow so
 excessively large.

 

 In order to expire from bayes_seen you have to know that there are no
 longer any tokens from a given msg in the bayes_token database.  This is
 a hard problem, mapping tokens to msgs, so it wasn't done.  Likewise no
 one ever did anything about expiring the bayes_seen entries.

 Sounds like a good project, there might even be a bugzilla enhancement
 opened already.

 Patches are welcome.

 Michael



   
 Theo Van Dinter wrote:
 
 On Wed, Sep 19, 2007 at 03:23:50PM -0600, Mr. Gus wrote:
   
   
 The file bayes_seen has grown in size to 256GB!  (274992939008)
 How do I cap the size limit of this file? I want to have it not grow 
 larger
 than say 800mb at the most!
   
   
 You need to expire old bayes tokens. The limit is set not as a size, but as
 
 
 Expiring bayes tokens does nothing to the bayes_seen file.  There is no 
 expiry
 for bayes_seen.

 If the seen file is bigger than you'd like, I'd just rm the file.

   
   

   



Re: Rule suggestion - smtp sanity

2007-07-14 Thread Dave Koontz
Most likely, Johnny Spammer monitoring this list will just add a FAKE
header to take advantage of such a rule.

Matt Kettler wrote:
 Matus UHLAR - fantomas wrote:
   
 On 13.07.07 17:04, arni wrote:
   
 
 From large providers I sometimes receive messages through encrypted 
 SMTP; the header looks something like this (qmail):

 ...  with (AES256-SHA encrypted) SMTP; ...


 Would it be a good idea to give a minimal negative score on this -0.1 or 
 -0.2 if this happens on the last hop? - It proves that the sending smtp 
 server is very protocol sane, which spambots are usually not.
 
   
 it just proves that the mail was sent through a sane server, but there could
 be a spambot behind it.

 -0.1 and -0.2 are very small numbers. Do you encounter any case where that
 would help?

   
 
 Autolearning.
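Dave's point above (a spammer will simply forge the header) is the reason such a rule can only ever look at the one Received line our own MTA prepended. What follows is an added example in Python, not a SpamAssassin rule and not code from anyone in the thread; the hostnames, addresses and the two header samples are constructed for illustration. It unfolds the Received headers, takes the topmost hop, requires that it name our MX as the receiving side, and only then looks for a TLS marker (qmail's "(CIPHER encrypted) SMTP" or Postfix's ESMTPS). The naive version, which searches every hop, is satisfied by the forged line.

```python
import re

# Added example, not a SpamAssassin rule. Constructed headers: the first
# Received line was written by our own MX (mx.example.edu) for a plain-text
# ESMTP session; the second arrived inside the message data and was forged by
# the sender to claim an encrypted hop.
FORGED_SAMPLE = (
    "Received: from smtp-out.provider.example (smtp-out.provider.example [203.0.113.5])\n"
    "\tby mx.example.edu (Postfix) with ESMTP id 4B2C1A; Sat, 14 Jul 2007 10:00:00 +0000\n"
    "Received: from bot.example.net (unknown [198.51.100.77])\n"
    "\tby mx.example.edu (qmail) with (AES256-SHA encrypted) SMTP; Sat, 14 Jul 2007 09:59:00 +0000\n"
    "From: someone@example.net\n"
)

# Same layout, but here our MX really did see TLS (Postfix writes ESMTPS).
TLS_SAMPLE = (
    "Received: from smtp-out.provider.example (smtp-out.provider.example [203.0.113.5])\n"
    "\tby mx.example.edu (Postfix) with ESMTPS id 4B2C1B; Sat, 14 Jul 2007 10:00:00 +0000\n"
    "From: someone@example.net\n"
)

# qmail-style "(CIPHER encrypted) SMTP" and Postfix-style ESMTPS / ESMTPSA.
TLS_MARK = re.compile(r"\bE?SMTPSA?\b|\([^)]*\bencrypted\b[^)]*\)", re.I)


def received_headers(raw):
    """Unfold RFC 2822 continuation lines and return the Received values in
    header order: index 0 is the hop our own MTA prepended."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [
        line.split(":", 1)[1].strip()
        for line in unfolded.splitlines()
        if line.lower().startswith("received:")
    ]


def last_hop_tls(raw, our_host):
    """True only if the topmost hop names our_host as the receiving server
    and carries a TLS marker. Every lower hop is sender-supplied data."""
    hops = received_headers(raw)
    if not hops:
        return False
    top = hops[0]
    by_us = re.search(r"\bby\s+" + re.escape(our_host) + r"\b", top, re.I)
    if not by_us:
        return False
    return bool(TLS_MARK.search(top))


def any_hop_tls(raw):
    """The rule as first proposed: look for the marker anywhere. A forged
    Received line satisfies it."""
    return any(TLS_MARK.search(hop) for hop in received_headers(raw))


if __name__ == "__main__":
    print("forged sample, any hop   :", any_hop_tls(FORGED_SAMPLE))                    # True
    print("forged sample, last hop  :", last_hop_tls(FORGED_SAMPLE, "mx.example.edu"))  # False
    print("real TLS sample, last hop:", last_hop_tls(TLS_SAMPLE, "mx.example.edu"))     # True
```

Even the correct check only proves what Matus says: the relay that connected to us spoke TLS properly. It says nothing about what sits behind that relay, which is why a score of -0.1 or -0.2 is about the most such a rule deserves.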
   



RE: Need a rule written - Can whitelisting be this easy?

2007-07-13 Thread Dave Koontz
Marc, how do you arrive at your list, through user submission or your own
observation?  I notice the list is mostly void of any .EDU organizations.
As you probably know, .EDU domain registration is restricted to only those
meeting certain criteria and must go through EduCause -- see 
http://www.educause.edu/edudomain/international.asp

Obviously, as a .EDU domain, a substantial part of our legitimate traffic is
to and from various .EDU domains.  It would seem that at present your idea
for reverse lookup matching to your whitelist would not work for us.

-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 12, 2007 5:14 PM
To: users@spamassassin.apache.org
Subject: Re: Need a rule written - Can whitelisting be this easy?

Here's my list so far. These are host name - not from addresses. So it 
matches *.hostname.com

I could use more to add to the list.

123greetings.com
123greetings.info
20min.ch
2checkout.com
2co.com
2wheelsuperstore.com
34sp.com
360degreeslawn.com
3dsystems.com
3kloffice.info
4342thomas.com
aa.com
aaflightinfo.com
aalanis.com
abanet.org
about.com
abstrax.com
abuse.net
accuweather.com
acec.org
acicoat.com
acli.com
acml.com
acord.org
acsysweb.com
actuary.org
adac.de
adecco.com
adfinis.com
admail.net
admin.ch
adobe.com
adp.com
adrenaline-designs.com
adultfriendfinder.com
advancedpatientsupport.com
aegon.com
aemf.org
aerodesignmfg.com
aetna.com
aexp.com
af.mil
afcflex.com
aftenposten.no
ag.ch
agf.fr
aia.org
aicpa.org
aig.com
aiga.org
aiiworldwide.com
aimplas.es
airbridge.net
aircanada.ca
akanoc.com
akb.ch
ala.org
alabama.gov
alantechinc.com
algore.com
aliancadobrasil.com.br
aliroo.com
allenovery.com
allianz-suisse.ch
allianz.de
allstate.com
alphasoftware.com
alstom.com
altavidasantander.cl
altrec.com
amadeus.net
amag.ch
amal.se
amazon.com
ambest.com
amd.com
americanautoexports.com
americanautoexports.us
americanautomotiveexports.com
americanautomotiveexports.us
americanexpress.com
americanrestaurantconsultants.com
americanstandard.com
ameritrade.com
amgen.com
amv.se
anamcaraconsulting.com
annenbergfoundation.org
anpost.ie
anthem.com
aon.com
aopa.org
apa.org
apache.org
apfn.org
apple.com
appriver.com
aps.nl
arcsight.com
arenscontrols.com
ariba.com
aric.com
arkansasweevil.org
army.mil
arrival.net
asce.org
asialco.cn
aspectra.com
aspevents.net
astrology.com
atabank.com
atcassociates.com
athena.ch
atx.net
auctionworks.com
audi.de
aurorahealthcare.org
authorize.net
autodesk.com
autooneins.com
avanade.com
avantec.ch
avast.com
avenir-suisse.ch
avis-europe.com
awayawhile.com
axa.com
axa.com.au
axa.com.sg
bain.com
bancaintesa.it
bancomercantil.com
bankatlantic.com
bankcomm.com
bankersonline.com
bankisrael.net
banknorth.com
bankofamerica.com
bankofoklahoma.com
bankofthewest.com
bankone.com
banorte.com
baominh.com.vn
barclays.co.uk
barclayscapital.com
barnesandnoble.com
basler.ch
baz.ch
bbandt.com
bbc.co.uk
be-salon.com
be.ch
bear.com
beard.com
bee.gr
begasoft.ch
bellnexxia.net
benfieldgroup.com
bentrutwin.com
berlitz.us
bestbuy.com
bextpubs.com
bfh.ch
bigfootinteractive.com
bikebandit.com
bikeblast.com
billspipes.com
biotec.org.ar
bitbind.com
bittybooper.com
bizjournals.com
bkbusa.com
bkd.com
blackberry.com
blackberry.net
blastwave.org
blauberg.de
blizzard.com
blkb.ch
blockbuster.com
bloomberg.com
blue-bird.com
bmesrv.com
bmtmicro.com
bmw.de
bn.com
bnm.gov.my
bnpparibas.com
boeing.com
bofasecurities.com
boh.com
boisestate.edu
bombardier.com
boras.se
borlange.se
bosch.de
bose.com
boston.com
bowmanconsulting.com
bp00.com
bradblog.com
brainlab.com
brassring.com
brickerracing.com
bridgesolutions.net
britishairways.com
brittneysgift.org
broadbandsupport.net
brockins.com
brouhaha.com
bs.ch
bttech.org
buchzentrum.ch
buildgormanhomes.com
buoyweather.com
bupa.com
burns-wilcox.com
burpee.com
buy.com
buyhomesminnesota.com
buzzcast.com
bvb-bs.ch
bvrp.com
bvvo.be
cableone.net
cacert.org
cadre.qc.ca
california.com
callwave.com
cam.ac.uk
campaignmonitor.com
cancer.org
canon.com
capazoo.com
capitalconsulting.com
capitalone.com
caravan.kz
careerbuilder.com
carlsonwagonlit.com
carnival.com
cat.com
catalanaocci.es
catholic.org
cathypaper.com
cba.com.au
ccbill.com
ccialerts.com
cdc.gov
cdw.com
cede.ch
cellpack.com
cement.ca
center.com
centrepointpa.com
centurytheatres.com
cerious.com
cexp.com
cfe.gob.mx
cfidc.org
cfo.com
chaosreigns.com
charlestonhousing.com
charterone.com
charteronebank.com
chase.com
chealthpartners.com
cheapflights.com
cheaptickets.com
cheetahmail.com
chemie.de
chicagoreader.com
chiltington.co.uk
chotel.com
chubb.com
churchofstphilip.org
ciba.com
cibasc.com
cidca.org.ar
cignastu.com.pl
cimb.com
cira.ca
cisco.com
citibank.com
citibankcards.com
citigroup.com
citizensbank.com
city.ac.uk
cja-architects.com
cl-int.com
claimsmgmtservices.com
claimspages.com
clarkrealty.com
clasemanns.com
classmates.com
cleanmail.ch
clearchannel.com
clearswift.de
cls-communication.com
cmp.com
cmslaser.com
cna.com
cnet.com
cnn.com
cns.co.nz
coachingrelationships.com
codeproject.com
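Marc's list is matched as *.hostname, i.e. against the reverse name of the connecting host. Before trusting a hit from a list like this, two things matter: the PTR record must be forward-confirmed (otherwise anyone controlling reverse DNS for their IP can claim a whitelisted name), and the suffix match must stop at label boundaries so that notamazon.com does not match amazon.com. The following is an added example in Python, not Marc's code or plugin; the DNS tables are constructed stand-ins for real lookups, and the whitelist holds three entries taken from the list above.

```python
# Added example, not Marc's code. Constructed DNS data (not real records):
# PTR maps a client IP to its claimed reverse name, A maps names back to IPs.
PTR = {
    "203.0.113.10": "mail-out.amazon.com.",       # consistent forward and reverse
    "203.0.113.11": "amazon.com.evil.example.",   # whitelisted name buried in a longer one
    "203.0.113.12": "mx.apache.org.",             # PTR claims apache.org, forward disagrees
    "203.0.113.13": "notamazon.com.",             # substring of a whitelisted name, not a subdomain
}
A = {
    "mail-out.amazon.com": {"203.0.113.10"},
    "amazon.com.evil.example": {"203.0.113.11"},
    "mx.apache.org": {"198.51.100.5"},
    "notamazon.com": {"203.0.113.13"},
}

# A few entries from the list in the thread. Matching is *.name, so a bare
# TLD such as "edu" here would whitelist every .edu host.
HOST_WHITELIST = {"amazon.com", "apache.org", "cam.ac.uk"}


def normalize(name):
    return name.lower().rstrip(".")


def in_whitelist(hostname, allowed=HOST_WHITELIST):
    """Match on label boundaries: host.amazon.com and amazon.com match,
    notamazon.com and amazon.com.evil.example do not."""
    labels = normalize(hostname).split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: accept the PTR name only if that name
    resolves back to the same address. Returns the name or None."""
    name = ptr.get(ip)
    if name is None:
        return None
    name = normalize(name)
    return name if ip in a.get(name, set()) else None


def whitelisted_client(ip):
    """The check a Received-hop rule would run on the connecting IP."""
    name = fcrdns(ip)
    return name is not None and in_whitelist(name)


if __name__ == "__main__":
    for ip in sorted(PTR):
        print(ip, PTR[ip], "->", whitelisted_client(ip))
```

With real DNS the two dict lookups become a PTR query followed by an A query for the returned name; the decision logic stays the same.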

Re: Need a rule written - Can whitelisting be this easy?

2007-07-12 Thread Dave Koontz
Marc, please don't mis-read.  Honestly, it was a simple question.  Is
the list from your own observation, or from user submissions?  It's that
simple.   The rest is just why it may not work for us in its present form!


Marc Perkel wrote:


 Dave Koontz wrote:
 Marc, how do you arrive at your list, through user submission or your
 own
 observation?  I notice the list is mostly void of any .EDU
 organizations.
 As you probably know, .EDU domain registration is restricted to only
 those
 meeting certain criteria and must go through EduCause -- see
 http://www.educause.edu/edudomain/international.asp

 Obviously, as a .EDU domain, a substantial part of our legitimate
 traffic is
 to and from various .EDU domains.  It would seem that at present your
 idea
 for reverse lookup matching to your whitelist would not work for us.


   

 Before you all start criticizing the list I admit that it's not
 perfect. The concept behind having such a list is sound and once the
 concept is coded then people smarter than me can create a far better
 list.




Re: So what about rulesemporium.com and these anti-PDF rules?

2007-07-04 Thread Dave Koontz
For what it's worth, a solution to any new flood or tactic is most
welcome IMO.  In Dallas' defense here... Just as it takes time for the
spammers to develop and adapt new tactics, so too does it take time to
create counter-measures.   The counter measures are often a work in
progress until there is a CLEAR pattern established.

I am not sure what all the noise is about in regard to Dallas' decision
to keep this plug-in private for a while.  I suspect that he is
currently only offering this download (after request) to those he knows
and not just anyone who requests it.  I believe we should respect his
judgment here and let him decide if and when he feels comfortable
releasing it to the public.


Dallas Engelken wrote:
 Henrik Krohns wrote:
 On Wed, Jul 04, 2007 at 10:08:29AM +0100, Justin Mason wrote:
  
 Bear in mind that the spammer who is developing this PDF spam is
 only one
 person, and he/she probably has at least one non-spammy-looking email
 address at his disposal.

 What's to spot him/her from asking Dallas for a copy of the ruleset and
 plugin, same as any other SpamAssassin user, waiting a few days to
 cover
 his/her tracks, then fixing the spam to avoid it again?

 And if you think this isn't already happening, I have a bridge for
 sale ;)
 

 If I was a spammer, I couldn't care less if few people were using some
 secret PDF blocking stuff. It's not like AOL or some big companies
 are using
 it. :)
   

 Based on that logic, it makes no difference if it gets released or
 not

 You dont think big companies utilize SpamAssassin, SARE, or other open
 source products for solutions, or even ideas for similar solutions?  
 I think you would be pleasantly surprised.




Re: Spam PDF

2007-06-27 Thread Dave Koontz
Eagerly awaiting your latest treat!  ;-)

Dallas Engelken wrote:

 The cats out of the bag now!   :)

 More details on this will be made available later today hopefully.




Re: 404 while getting RDJ updates?

2007-06-07 Thread Dave Koontz
This anti-spam DDoS is being reported on SANS as well... Seems SpamHaus
is also getting slammed.
http://isc.sans.org/diary.html?storyid=2940

Wish we could find the bot master and turn the DNS pointers back to them.

Gene Heskett wrote:
 On Thursday 07 June 2007, Chris Santerre wrote:
   
 -Original Message-
 From: Jim Maul [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 07, 2007 12:02 PM
 To: users@spamassassin.apache.org
 Subject: Re: 404 while getting RDJ updates?

 guenther wrote:
   
 On Thu, 2007-06-07 at 17:45 +0200, Anders Norrbring wrote:
 
 Anyone else getting 404 errors from RDJ lately?
   
 Yes, this topic came up just a few hours ago. Probably a
 
 dDOS attack.

   
 Please disable all RDJ till further notice.

   guenther
 
 I would imagine this is related to www.uribl.com and
 surbl.org  having
 issues as well.  Both are now pointing to 127.0.0.1 in what I would
 assume was an attempt to stop the attack.  Some spammer is
 pissed off it
 seems...
   
 It's true, scanners indicate Klingon war vessels approaching our sector.
 We've dropped out of warp due to overuse of the dilithium crystals.
 Federation starships have been called in for assistance. Scottie has given
 us more power, but is not sure she will hold together much longer.  All the
 while Ensign Alex won't stop dancing with a half naked green lady!

 Thanks,

 
 Good luck Chris.  If you know who it is, maybe we should send Vinnie & Luigi 
 over to have a little talk with them?

   
 Chris Santerre
 SysAdmin and Spamfighter
 www.rulesemporium.com
 www.uribl.com
 



   



Re: 404 while getting RDJ updates?

2007-06-07 Thread Dave Koontz
jdow wrote:

 Should we arm them with a RFC-2321 compatible RITA, and a confident
 demeanor?

 Sic the RIAA lawyers on them.


Since Microsoft recently claimed ALL open-source or free applications
violated 250+ patents they own, maybe we can all sue M$ for BotNets??? 
Isn't that FREE software?  evil grin



RE: Bayes db size....

2007-02-17 Thread Dave Koontz
I am sure this has been asked numerous times before, but what is the logic
in having auto expiry on the bayes DB, and not seen?  Seems that once tokens
have been removed from the DB there is little to no use for 'unlearning' any
associated messages.  Besides on a busy system, this seen file gets large
very fast.  I'd vote for auto expiry and maintenance on seen as well as AWL.


-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 16, 2007 7:19 PM
To: spam mailling list
Subject: Re: Bayes db size

On Fri, Feb 16, 2007 at 06:17:36PM -0600, Robert Nicholson wrote:
 So you're saying that right now seen isn't capped like tokens right?

seen has no max size nor expiry features.

--
Randomly Selected Tagline:
Like any French restaurant in America, it was overpriced, noisy, moody,
and would put you in mortal danger if you had an accident with anything
larger than a croissant. - Unknown about the Renault LeCar




Re: Bayes db size....

2007-02-17 Thread Dave Koontz
Is there a consensus on this need?  I deal with the seen db issue by
scheduled deletion of that file.  That said,  with SA becoming more and
more prominent all the time, I suspect the Average Joe will miss this
oddity until they wind up with a sluggish system, out of drive space or
other related issues.

I was mostly curious of the logic on NOT doing maintenance on the Seen
and AWL db files.  If there is a consensus this needs to occur, then
perhaps I can take the time to create a proper patch.  I just want to
make sure I am not missing something fundamental here

Michael Parker wrote:
 Dave Koontz wrote:
   
 I am sure this has been asked numerous times before, but what is the logic
 in having auto expiry on the bayes DB, and not seen?  Seems that once tokens
 have been removed from the DB there is little to no use for 'unlearning' any
 associated messages.  Besides on a busy system, this seen file gets large
 very fast.  I'd vote for auto expiry and maintenance on seen as well as AWL.

 

 Patches welcome.

 Michael

   




RE: Newsletter Help

2007-02-06 Thread Dave Koontz
First off, it looks like you are sending a copy of a web page as your
message body and not a real newsletter. 

If you want help, I would suggest that you send your sample message as an
attachment and not inline like you have done here.  In this way, the original
email message including all headers can be analysed.




From: Ryan Barrett Hastings [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 06, 2007 1:21 PM
To: users@spamassassin.apache.org
Subject: Newsletter Help



To Whom It May Concern,

 

My company uses Kintera to generate our e-mail newsletters. We have recently
redesigned the newsletter and our spam score has increased. I am looking for
help with reducing our score, specifically within the area of
HTML_IMAGE_RATIO_08 and MIME_HTML_ONLY. Can you review the newsletter I have
included below to offer any suggestions. 

 

Thank you,

Ryan Barrett Hasings

Marketing Manager

Emerald City Theatre

[EMAIL PROTECTED] 

 

Your spam score is: 2.2 points

Score Details:

 pts rule name            description
 ---- -------------------- --------------------------------------------------
  0.1 HTML_FONTCOLOR_BLUE  BODY: HTML font color is blue
  0.2 HTML_MESSAGE         BODY: HTML included in message
  0.3 HTML_FONT_BIG        BODY: HTML has a big font
  0.6 HTML_IMAGE_RATIO_08  BODY: HTML has a low ratio of text to image area
  0.4 HTML_70_80           BODY: Message is 70% to 80% HTML
  0.7 MIME_HTML_ONLY       BODY: Message only has text/html MIME parts

 



From: Ryan Hastings [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 06, 2007 11:50 AM
To: [EMAIL PROTECTED]
Subject: [Norton AntiSpam] Emerald City Theatre February eNewsletter (html
version)

 

Emerald City Theatre http://www.emeraldcitytheatre.com/images/topleft.jpg 

Magic So Close You Can Touch It
http://www.emeraldcitytheatre.com/images/soclose.gif 

http://www.emeraldcitytheatre.com/index.shtml
http://www.emeraldcitytheatre.com/ticketmain.shtml
http://www.emeraldcitytheatre.com/current.shtml
http://www.emeraldcitytheatre.com/events.shtml
http://www.emeraldcitytheatre.com/mainclass.shtml
http://www.emeraldcitytheatre.com/studentmat.shtml
http://www.emeraldcitytheatre.com/tours.shtml
http://www.emeraldcitytheatre.com/location.shtml
http://www.emeraldcitytheatre.com/donate.shtml
http://www.emeraldcitytheatre.com/nutcracker.shtml
https://www.kintera.com/accounttempfiles/account100034/images/wacky.jpg 


In This Issue


*   Summer Camp 2007 
*   See The Stinky Cheese Man and Seussical the Musical 


Summer Camp 2007


Online Enrollment Starts Today at 10:00 am

$375 per 2 week session (am or pm)

Morning and Afternoon Sessions Available:

*   Monday - Friday: 9 am to 12 pm (morning session) 
*   Monday - Friday: 1 pm to 4 pm (afternoon session) 

Follow our Yellow Brick Road to worlds of imagination and creative play. In
each session, we will travel to a different and exciting storybook location.
The day's activity will be themed around that magical locale including the
theatre games we play and the crafts we create. This year please join us for
these fantastic camps:

*   Narnia Camp (ages 4-8): June 18th - June 29th 
*   Fairy Tale Forest (ages 4-8): July 9th - July 20th 
*   Candyland (ages 4-8): July 23rd - August 3rd 
*   Seussville (ages 4-8): August 6th - August 17th 

Enrollment for Summer Camp 2007 has already begun at our Administrative
Office at 2936 N. Southport Ave., 3rd Floor. You may enroll in person or
over the phone at (773) 529-2690 x 10. For more information call us or visit
us online http://www.emeraldcitytheatre.com/sumcamp07.shtml .


Currently Showing


Celebrate Reading This Winter With Emerald City

The 

RE: Drug spam, some caught some not - none caught by drug rules

2007-01-27 Thread Dave Koontz
Same here.  I've been very impressed with this ruleset so far. 
 

-Original Message-
From: Andy Figueroa [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 27, 2007 9:23 AM
To: users@spamassassin.apache.org
Subject: Re: Drug spam, some caught some not - none caught by drug rules

Ben, or others.  I've been experimenting with the KAM.cf rules and find them
quite helpful.  Is there a means of keeping these up-to-date, or are they
possibly on their way in to the standard set of rules?

Andy Figueroa

Ben Wylie wrote:
 I recommend the KAM rules list which can be found here:
 http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
 This catches the drugs names in these emails.
 
 Cheers,
 Ben




RE: use or not use awl

2007-01-20 Thread Dave Koontz
IMO, all AWL needs is an auto expiry systems like bayes has.

For us as a College, AWL makes a HUGE difference when students submit their
thesis, term papers, etc. which at times may be on sexual debauchery, KP,
internet scams etc.  With AWL, it sees that all previous messages from this
individual over the last x years have been good and does not block this
important email.   We enabled this feature as a direct result of faculty
complaints that some students most important / critical work sometimes
appeared as spam and was missed as a result.


-Original Message-
From: Alex Woick [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 20, 2007 12:24 PM
To: Matt Kettler
Cc: Andy Figueroa; users@spamassassin.apache.org
Subject: Re: use or not use awl

Matt Kettler wrote:
 That said, I think the AWL is a great idea, but not ready for 
 production use on servers with reasonable mail volume. I say that 
 because it completely lacks any kind of useful (ie: atime based) expiry
mechanism.
 The only way to prune the AWL database is by hitcount, using the 
 check_whitelist script from the tools directory of the source tarball
   
Not necessarily. Put your awl on a SQL database and add a timestamp column
to the awl table, which gets automagically a new timestamp by the dbms each
time a record is updated. The timestamp column type in Mysql is such a
type.

show create table awl:

CREATE TABLE `awl` (
  `username` varchar(100) collate latin1_german1_ci NOT NULL default '',
  `email` varchar(200) collate latin1_german1_ci NOT NULL default '',
  `ip` varchar(10) collate latin1_german1_ci NOT NULL default '',
  `count` int(11) default '0',
  `totscore` float default '0',
  `timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update
CURRENT_TIMESTAMP,
  PRIMARY KEY  (`username`,`email`,`ip`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_german1_ci

Then you can easily expire by date with a cron job, for example expire all
that was not updated for the last 30 days:

delete from awl where timestamp < now() - interval 30 day

If you are running that sql statement often and have a large awl table, you
may want to add an index to the timestamp column. You can also make your
custom sql statement with a combination of timestamp and totscore as purge
criteria.

Alex




RE: use or not use awl

2007-01-20 Thread Dave Koontz
 

-Original Message-
From: Alex Woick [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 20, 2007 12:24 PM
To: Matt Kettler
Cc: Andy Figueroa; users@spamassassin.apache.org
Subject: Re: use or not use awl

Matt Kettler wrote:
 That said, I think the AWL is a great idea, but not ready for 
 production use on servers with reasonable mail volume. I say that 
 because it completely lacks any kind of useful (ie: atime based) expiry
mechanism.
 The only way to prune the AWL database is by hitcount, using the 
 check_whitelist script from the tools directory of the source tarball
   
Not necessarily. Put your awl on a SQL database and add a timestamp column
to the awl table, which gets automagically a new timestamp by the dbms each
time a record is updated. The timestamp column type in Mysql is such a
type.

show create table awl:

CREATE TABLE `awl` (
  `username` varchar(100) collate latin1_german1_ci NOT NULL default '',
  `email` varchar(200) collate latin1_german1_ci NOT NULL default '',
  `ip` varchar(10) collate latin1_german1_ci NOT NULL default '',
  `count` int(11) default '0',
  `totscore` float default '0',
  `timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update
CURRENT_TIMESTAMP,
  PRIMARY KEY  (`username`,`email`,`ip`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_german1_ci

Then you can easily expire by date with a cron job, for example expire all
that was not updated for the last 30 days:

delete from awl where timestamp < now() - interval 30 day

If you are running that sql statement often and have a large awl table, you
may want to add an index to the timestamp column. You can also make your
custom sql statement with a combination of timestamp and totscore as purge
criteria.

Alex




RE: Rules always triggering.

2007-01-13 Thread Dave Koontz
Just a wild stab here, run a lint check on all your rules.  I once fat
fingered a rule in my local.cf file and got similar hit results as you are
describing here. 

-Original Message-
From: Daniel Staal [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 12, 2007 9:05 PM
To: Users-Spamassassin
Subject: Re: Rules always triggering.

--As of January 12, 2007 7:08:18 PM -0600, Shane Williams is alleged to have
said:

 System is Darwin, running Postfix.  The sign-up message for this list 
 got those rules triggered.  (_Everything_ triggers them.)

 This is just a guess, but is it possible that OS X's use of carriage 
 returns is making the message look to spamassassin as if it's a single 
 line of text?

--As for the rest, it is mine.

I said Darwin, not OS X, though I recognize it is a small distinction.  ;)

The mail files are all saved to my Maildir folders with unix line endings. 
In general Darwin handles files in the format it receives them, and
unix-tools create unix-files.

...But it does raise the question of what _Perl_ thinks the line endings
are...  Hmm.

Daniel T. Staal




RE: xbl.spamhaus.org

2007-01-08 Thread Dave Koontz
Is the PBL (codes 10 & 11) stable enough to run in production?  I notice
these are not in the current SA rulesets.
 

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 08, 2007 2:49 PM
To: users@spamassassin.apache.org
Subject: Re: xbl.spamhaus.org

On Mon, Jan 08, 2007 at 08:46:31PM +0100, Benny Pedersen wrote:
 http://www.spamhaus.org/zen/index.lasso
 seems spamassassin missing 7 and 8 on the return codes ?
 should i make a bug on this ?

I just pushed out an update for 3.1 which includes 7 and 8.  Not sure why
those weren't in there before. :(

--
Randomly Selected Tagline:
Death to all fanatics!




RE: FuzzyOcr 3.5.1 released

2007-01-07 Thread Dave Koontz
I am sure this is a long shot, but has anyone created a Win32 port of
this along with the necessary OCR utilities?
 

-Original Message-
From: decoder [mailto:[EMAIL PROTECTED] 
Sent: Sunday, January 07, 2007 9:17 AM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: FuzzyOcr 3.5.1 released

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Hello all,


since 3.5.0 RC1 was released, we fixed many bugs, thanks to the many testers
and bug reporters :) so big thanks.

Now, the version seems stable enough to replace the 3.4.x branch, and I
recommend everyone to upgrade to it :)

For those that don't know yet what's new in the 3.5 branch, read the
changelog here:

http://fuzzyocr.own-hero.net/wiki/Changelog-3.x#version3.5.0

You can download version 3.5.1 at

http://fuzzyocr.own-hero.net/wiki/Downloads

For those that try to upgrade from 3.4.x or even 2.3b, please read the
installation manual carefully, the 3.5.x branch is very different to earlier
branches.

Unfortunately, I didn't have the time yet to create a FAQ, so if you run
into problems, try searching our ticket system and our mailing list archives
first. If you can't solve the problem then, please use our mailing list to
get help.

Please DO NOT use the ticket system to get help for your problems, the
ticket system is meant for bug reports, not for support requests. If you
think you've found a bug, feel free to create a ticket. The same applies for
errors or missing statements in documentation.


Best regards,


Chris


-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFoQDBJQIKXnJyDxURAmH4AJ96/QkNcVmKBdcqM4al8f2XaJ+yFQCgqqR1
eIWq2eAy3D/cCoR7P/TIrGw=
=t0cr
-END PGP SIGNATURE-




RE: Does AWL cancel Manual Whitelist?

2007-01-05 Thread Dave Koontz
Personally, I think the AWL function is poorly named as it really does not
reflect what it is or does. I suspect this name leads to much confusion for
most new users and/or those that do not work closely with SA consistently. I
know when I first started using SA, it confused me in the beginning. Maybe
something like SSAS (Sender Score Averaging System) would be more
appropriate? White List implies positive scoring only, AWL can also move the
score negatively depending upon sender.

Just my 2 cents <g> 

-Original Message-
From: Chris Purves [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 05, 2007 5:31 PM
To: users@spamassassin.apache.org
Subject: Re: Does AWL cancel Manual Whitelist?

skuba wrote:
 If my auto white list is on, does it mean that the manual white list 
 won't work? Or could both be ON at the same time?
 

See http://wiki.apache.org/spamassassin/AutoWhitelist for explanation of
AWL.


-- 
Chris





RE: Botnet-0.7 not working

2007-01-04 Thread Dave Koontz
 
John is absolutely correct here. Just be careful to ensure proper checking
of the 2nd octet of the 172.x.x.x space, and ensure that it is in the 16-31
range.  Otherwise you will be bypassing a very large chunk of AOL.com
address space without checks.

-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 04, 2007 5:49 PM
To: John Rudd
Cc: Jens Schleusener; Dimitri Yioulos; users@spamassassin.apache.org
Subject: Re: Botnet-0.7 not working

On Thu, 4 Jan 2007, John Rudd wrote:

  is the causer since the test server receives the mails from a mail 
  relay that uses a private 172.x.x.x address. Debug extract with the 
  default configuration:
 
 Is that a typo?  Did you mean 127.x.x.x?

Nope. 172.[16-31].x.x are reserved for uncoordinated private use the same
way 10.x.x.x and 192.168.x.x are. See http://www.faqs.org/rfcs/rfc1918.html

botnet should probably be ignoring them completely, just like it does
127.x.x.x

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Vista: Windows ME for the XP generation.
---
 13 days until Benjamin Franklin's 301st Birthday
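The boundary Dave warns about above is where a string-prefix shortcut goes wrong: 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x and nothing else, so a test like "starts with 172." silently exempts public space. What follows is an added example in Python, not the Botnet plugin's Perl and not code from the thread, that does the check with the standard ipaddress module, contrasts it with the naive prefix test, and uses it to walk a chain of hop addresses (constructed, as is 172.32.0.1, which lies outside the private block) from our own MX inward to the first external client, which is the address a bot heuristic should actually judge.

```python
import ipaddress

# Added example (not Botnet plugin code). RFC 1918 private ranges plus IPv4
# loopback: hops from these addresses are internal relays, not the sending
# client, so a bot check should step over them.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_internal(ip_str):
    """True if ip_str falls inside RFC 1918 space or 127/8."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False          # not a literal address: treat as external
    return any(ip in net for net in INTERNAL_NETS)


def naive_is_internal(ip_str):
    """The shortcut the thread warns against: a string-prefix test that
    treats all of 172.0.0.0/8 as private instead of only 172.16.0.0/12."""
    return ip_str.startswith(("10.", "172.", "192.168.", "127."))


def first_external_hop(hop_ips, internal=is_internal):
    """Walk Received hops from the one our MX added (index 0) inward and
    return the first address that is not an internal relay; that is the
    client a bot heuristic should judge. Returns None if every hop is
    internal."""
    for ip in hop_ips:
        if not internal(ip):
            return ip
    return None


def misclassified(candidates):
    """Addresses on which the naive check and the correct check disagree."""
    return [ip for ip in candidates if naive_is_internal(ip) != is_internal(ip)]


if __name__ == "__main__":
    # Constructed addresses for illustration; 172.32.0.1 and 172.15.0.1 are
    # outside 172.16.0.0/12 and so are public space.
    probes = ["172.16.0.1", "172.31.255.254", "172.32.0.1", "172.15.0.1", "10.9.8.7"]
    print("wrongly treated as private by the prefix test:", misclassified(probes))
    # Relay chain as seen from our MX: loopback, an internal 172.20 relay,
    # then the real client.
    chain = ["127.0.0.1", "172.20.1.5", "203.0.113.9", "198.51.100.1"]
    print("client to check:", first_external_hop(chain))
```

Passing naive_is_internal as the internal argument shows the failure mode directly: a chain whose first hop is 172.40.1.1 gets skipped as if it were a private relay, and the check lands on whatever hop the sender put below it.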





RE: sa-learn explained

2006-12-29 Thread Dave Koontz
 
I guess mileage varies.  Auto-Learn has been a life saver for us and has
drastically reduced false positives we used to get with emails to our
College's Health Care & Research departments.  We pass all local user email
through SA as well, so this really helps the system learn what is 'good'
email.

I'd suggest that everyone should at least try it and monitor the results.


-Original Message-
From: Nigel Frankcom [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 29, 2006 11:17 AM
To: users@spamassassin.apache.org
Subject: Re: sa-learn explained

On Fri, 29 Dec 2006 09:51:05 -0500, Andy Figueroa
[EMAIL PROTECTED] wrote:

I still feel like a tyro with SpamAssassin, but my installation is 
catching better than 99% with perhaps 0.1% false positives (thanks in 
large part to things I've learned from this list), and I think I can 
tell you a couple of things better than just read the manual.  (But, do 
read the manual!)  My initial experience with SpamAssassin about a year 
ago was through a large web hosting company and I was limited to 
playing with SpamAssassin through cpanel, though till they moved 
SpamAssassin to its own server, I could also edit my own user 
preferences directly.  The problem was, this big company never could 
get it right, so now I'm running my own mailserver(s) out of what 
seemed like necessity.  I'm running Gentoo with SA 3.1.7.

sa-learn is used to train and keep up-to-date the bayesian database.  
So, turn on autolearn in your /etc/mail/spamassassin/local.cf so the 
line reads:
bayes_auto_learn 1
(should be on by default).
This will cause selected spam and ham that you get to be used 
automagically to keep the bayesian database up-to-date.

I'm using maildir and have two subdirectories in my .maildir called:
2-learn-spam
2-learn-ham

I put missed spam in 2-learn-spam and ham misclassified as ham in 
2-learn-ham.  Then, whenever I have a few messages in one of those 
directories, I run one of the following scripts:

learnspam.scr, which contains this line:
sa-learn --spam --progress /home/figueroa/.maildir/.2-learn-spam/cur

learnham.scr which contains this line:
sa-learn --ham --progress /home/figueroa/.maildir/.2-learn-ham/cur

This is on my personal mailserver.  On the mailserver I run at a 
school, I run that script on each user's 2-learn-spam/ham directories 
every night under crontab.

Run an up-to-date version of SpamAssassin.  I was having pretty good 
results with 3.1.3 (the unmasked version in Gentoo), but got 
immediately better results when I upgraded to the current version.

Also, to keep your RULES up-to-date, run sa-update as root from 
time-to-time.

Good luck!  Happy spamassassaning!


Personally, I'd disagree with auto-learn; having used SA in a production
environment for some years I've found manual training to be a better
solution.

YMMV

Just my 2 (pick your currency) worth.

Nigel




RE: Image spam with inline jpeg image

2006-08-10 Thread Dave Koontz
Perhaps it could be as simple as only updating existing rules for your
installation?  In other words, you would have to download the CF file and
install it first (but you would do this anyways to test!!!).  Then sa-update
could simply parse your rules directory and update rules found there
accordingly.  The only catch I see is 'locking' a particular CF rule file
which could be addressed perhaps by a file preface?
 

-Original Message-
Stuart Johnston wrote:

What if the channel contained all rule files but the default channel .cf
would not include any of them.  Then the user could add a file to their
local rules directory that included just the files they want.  It might look
something like:

include /var/lib/spamassassin/version/updates_rulesemporium_com/70_sare_html0.cf
...

That's a little messy so perhaps SA could add a new include directive that
looks in the local state directory.  Something like:

include_state updates_rulesemporium_com/70_sare_html0.cf




RE: ImageInfo plugin for SA

2006-08-04 Thread Dave Koontz
Many Thanks Dallas, this plugin Rocks!  It's amazing how many image only
spams this baby has flagged in the short time I've been running it.


-Original Message-
From: Dallas L. Engelken [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 03, 2006 4:14 PM
To: dev@spamassassin.apache.org
Cc: users@spamassassin.apache.org
Subject: ImageInfo plugin for SA

Greetings,

For those of you that don't want the overhead or hassle of installing all
extras to get OCR running, I give you a simpler (maybe less effective)
option..  It basically determines pixel coverage similar to what
eval:html_image_ratio() does, but html_image_ratio() actually reads
height= and width= params from html, and in these stock spams and
such, there is no height/width values to go off of.   So,
eval:pixel_coverage()  will actually read the gif and png headers and
calculate it from the actual image data. 

Put the .pm file that is attached in your M::SA::Plugins dir.  Add to your
init.pre (or v310.pre) the following line.

loadplugin Mail::SpamAssassin::Plugin::ImageInfo

And throw the imageinfo.cf ruleset in your local config dir (tweak
rules/scores as needed).  And don't forget to restart spamd if you are
running it.   Feel free to tweak the ruleset to meet your needs.  It
has hit well for me today as is, but YMMV.

# grep -c _LARGO spamd.log
868

No outside tools required... yeah!   Sorry for the lack of
documentation, but I just don't have enough time to do it, and I wanted to share
this.

All those scores in the cf are just WAGs, since none have been
masschecked.   Theo, could you sandbox this?

Cya,
Dallas 
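Dallas's description above (read the GIF and PNG headers, compute coverage from the declared pixel dimensions rather than from HTML height/width attributes) is the whole trick, and it is small enough to show end to end. The following is an added illustration in Python, not the ImageInfo plugin's Perl code and not anything Dallas posted: it parses the two fixed-layout headers, sums the pixel area over the image parts of a message, and applies a threshold. The sample image bytes are constructed inline, and the threshold value and the `large_image_hit` name are assumptions of mine, not the ruleset's:

```python
"""Added example: pixel coverage from GIF/PNG headers, in the spirit of the
ImageInfo plugin's eval:pixel_coverage().  Constructed sample data; not the
plugin's own code."""
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def gif_dimensions(data: bytes):
    """GIF: 6-byte 'GIF87a'/'GIF89a' signature, then logical screen width
    and height as little-endian 16-bit values.  Returns None if not a GIF."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height = struct.unpack_from("<HH", data, 6)
    return width, height


def png_dimensions(data: bytes):
    """PNG: 8-byte signature, 4-byte chunk length, 'IHDR', then width and
    height as big-endian 32-bit values.  Returns None if not a PNG."""
    if (len(data) < 24 or data[:8] != PNG_SIGNATURE
            or data[12:16] != b"IHDR"):
        return None
    width, height = struct.unpack_from(">II", data, 16)
    return width, height


def image_dimensions(data: bytes):
    """Dimensions of a GIF or PNG body; None for anything else (JPEG etc.),
    matching the post's statement that only gif and png headers are read."""
    return gif_dimensions(data) or png_dimensions(data)


def pixel_coverage(image_parts) -> int:
    """Total declared pixel area over all recognised image parts."""
    total = 0
    for data in image_parts:
        dims = image_dimensions(data)
        if dims:
            total += dims[0] * dims[1]
    return total


# Assumed threshold for illustration only; the real .cf scores/limits differ.
LARGE_IMAGE_PIXELS = 250_000


def large_image_hit(image_parts, threshold: int = LARGE_IMAGE_PIXELS) -> bool:
    """Rule-style predicate: does the message carry 'threshold' or more
    pixels of GIF/PNG imagery?"""
    return pixel_coverage(image_parts) >= threshold


# Constructed sample image bodies (headers only; enough for the parsers).
def make_gif(width: int, height: int) -> bytes:
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00" * 4


def make_png(width: int, height: int) -> bytes:
    ihdr_fields = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr_fields


if __name__ == "__main__":
    parts = [make_gif(640, 480), make_png(300, 200), b"\xff\xd8\xff\xe0JFIF"]
    print("coverage:", pixel_coverage(parts))          # 307200 + 60000
    print("large image hit:", large_image_hit(parts))
```

Only the header is inspected, so a truncated or corrupt image body still yields its declared size; that is what makes the check cheap compared with OCR, and also why a rule built on it should be scored as one signal among several rather than a verdict on its own.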




RE: Blocking all inline GIF or JPG Images

2006-06-27 Thread Dave Koontz

John D. Hardin Wrote:

inline is an HTML-format email with text and images interspersed.
When the message is rendered the images will be embedded in the message
body text.

attached is the images attached like any other type of file.

I have had exactly one instance to use inline images in the last five
years.

Just a For What It's Worth...

Unfortunately, in our environment, inline images do get extensive use from
our users (College Students, Faculty).  Much of their email is for
entertainment value, and many email jokes make use of Inline images of a
variety of file types.  GIF and JPG are just two types, you will also see
PNG, BMP, etc.

So, while I don't condone the usage, it does get used by a large percentage
of other typical users Most of whom would not be too happy to have
their email flagged as spam solely because it contained an inline image.

Your network usage may vary

Personally, I wish HTML/UU/MIME type message formats had never been
implemented!  ;-)




RE: Blocking all inline GIF or JPG Images

2006-06-27 Thread Dave Koontz
 
John, if you have absolute authority to your network and what format your
users can receive/send email, then you may want to look at the 'DEMIME'
project.  Perhaps you can use it to convert all user email to plain text and
remove any and all attachments as a part of your filtering.  I use this tool
to filter various addresses that need to receive ONLY plain text emails.
Works well.
 

-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 27, 2006 5:28 PM
To: Kelson
Cc: SpamAssassin Users
Subject: Re: Blocking all inline GIF or JPG Images

On Tue, 27 Jun 2006, Kelson wrote:

 Until something
 comes along that (a) handles all the formatting that people want to be 
 able to do, including adding silly backgrounds, changing the font or 
 color for no reason,

Why in the world do we need to support/encourage *that* nonsense?

 and embedding images in a layout such that they can be captioned

One argument (only one) for accepting HTML email. :)