RE: Pyzor errors after upgrade

2014-09-02 Thread David Jones
 
 From: Chris cpoll...@embarqmail.com
 Sent: Monday, September 01, 2014 10:25 PM
 To: users@spamassassin.apache.org
 Subject: Pyzor errors after upgrade

 System is Ubuntu 14.04 LTS. I use fetchmail linked with procmail. Once
 mail is tossed to my other folders what's left is run through SA and
 tossed either into my Inbox or my Spam folder. Yesterday morning I
 upgraded to the newest version of Pyzor using this command:

 pip install --upgrade pyzor

 Since then I've been seeing this in my syslog:
 Aug 31 10:02:43 localhost spamd[2645]: pyzor: check failed: internal
 error, python traceback seen in response

 Aug 31 10:07:02 localhost spamd[2645]: pyzor: check failed: internal
 error, python traceback seen in response

 Aug 31 10:35:38 localhost spamd[2645]: pyzor: check failed: internal
 error, python traceback seen in response

 The version of Pyzor shown is:

 /usr/local/bin/pyzor 0.8.0

 Permissions on the ~/.pyzor/servers files and directory are:

 drwxr-x---   2 chris chris  4096 Jul 17 09:28 .pyzor
 -rw-r- 1 chris chris 23 Jul 17 09:28 servers

 Any assistance would be appreciated even a 2x4 upside the head. I'm not
 sure how to get to the python traceback that's mentioned.

Same thing happened to me a while back.  This is in my local.cf:

ifplugin Mail::SpamAssassin::Plugin::Pyzor
pyzor_path /usr/local/bin/pyzor
pyzor_options --homedir /etc/mail/spamassassin
endif

The --homedir line above solved the problem for me.  Not sure
why since my permissions seemed to be good too.

Be sure to move the 'servers' file to /etc/mail/spamassassin.

 Chris

 --
 Chris
 31.11°N 97.89°W (Elev. 1092 ft)
 22:14:39 up 2 days, 18 min, 2 users, load average: 0.05, 0.10, 0.22
 Ubuntu 14.04 LTS, kernel 3.13.0-35-generic


RE: drop of score after update tonight

2014-08-26 Thread David Jones

 
 From: Ian Zimmerman i...@buug.org
 Sent: Monday, August 25, 2014 5:02 PM
 To: users@spamassassin.apache.org
 Subject: Re: drop of score after update tonight

 On Mon, 25 Aug 2014 19:50:20 +,
 David Jones djo...@ena.com wrote:

 Ian I definitely have FNs today (about 10 by now today, normally 0).

 Ian Looks like some/all RBLs tests are not working.  I have not changed
 Ian my configuration at all.

 Ian Sample here:

 Ian http://pastebin.com/dsqaVA9Z

 David This hit DCC_CHECK, BAYES_50, CRM114, BOGOFILTER and KAM_EU rules
 David and would have been blocked on my SA 3.4.0 servers.

 Isn't it a bit odd that SA has rules for all these other Bayes powered
 backends?  Why not give a bit more weight to its own Bayes instead,
 rather than make users forage for other tools that do essentially the
 same thing?

Based on my testing, I have found that having BAYES, CRM114, and BOGOFILTER
together provides very good checks and balances.  Spammers pay spam shops
for new spam campaigns that get through standard spam systems including SA.
I have often seen new spam score low on BAYES but CRM114 and/or BOGOFILTER
correctly score it as spam.  So they do similar things but aren't identical.

If you don't have other indicators like DCC, RAZOR, CRM114, BOGOFILTER, RBLs,
etc., how else will you hit the bayes_auto_learn_threshold_nonspam and
bayes_auto_learn_threshold_spam levels to make BAYES more accurate and
detect new spam campaigns quickly?

 David (I understand that the DCC_CHECK hit could have also hit on your
 David mail server too after time had passed if you have DCC enabled.)

 Don't you need non-free software for DCC?

DCC is free for your own filtering or if you are an ISP that participates in
the DCC network.  We participate in the DCC network.

http://www.rhyolite.com/dcc/

 (Meanwhile, more spam came in.  This is definitely a crisis for me.)

 --
 Please *no* private copies of mailing list or newsgroup messages.
 Local Variables:
 mode:claws-external
 End:

RE: drop of score after update tonight

2014-08-25 Thread David Jones
 
 From: Ian Zimmerman i...@buug.org
 Sent: Monday, August 25, 2014 2:28 PM
 To: users@spamassassin.apache.org
 Subject: Re: drop of score after update tonight

 I definitely have FNs today (about 10 by now today, normally 0).

 Looks like some/all RBLs tests are not working.  I have not changed my
 configuration at all.

 Sample here:

 http://pastebin.com/dsqaVA9Z

 --
 Please *no* private copies of mailing list or newsgroup messages.
 Local Variables:
 mode:claws-external
 End:

This hit DCC_CHECK, BAYES_50, CRM114, BOGOFILTER and KAM_EU
rules and would have been blocked on my SA 3.4.0 servers.

(I understand that the DCC_CHECK hit could have also hit on your mail
server too after time had passed if you have DCC enabled.)

RE: Domain ages (was Re: SPAM from a registrar)

2014-06-09 Thread David Jones
If SEM was able to detect newly registered domains more quickly then that would 
solve the problem.

From: John Hardin jhar...@impsec.org
Sent: Monday, June 09, 2014 2:24 PM
To: users@spamassassin.apache.org
Subject: Re: Domain ages (was Re: SPAM from a registrar)

On Mon, 9 Jun 2014, David F. Skoll wrote:

 On Mon, 9 Jun 2014 11:51:21 -0700 (PDT)
 John Hardin jhar...@impsec.org wrote:

 So there is merit in building a distributed look-up system using SA.

 Distributed lookup of *what*, though? Can you clarify that part of
 your idea? Are you referring to distributed whois queries for a
 domain name, to determine its age?

 The clever part is that once lots of sites begin using this in their
 SA setups, we'll very quickly build up quite an accurate database of
 newly-seen domains that's completely independent of any registrar for
 a data source.

Ah, ok, that's where I was confused. The proposal is for a distributed
network gathering newly-SEEN domain names, rather than newly-REGISTERED
domain names.

Thanks for the clarification. I was focusing on the latter.

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
   You can't reason a person out of a position if he didn't use
   reason to get there in the first place.   -- Kristopher, at Marko's
---
  739 days since the first successful private support mission to ISS (SpaceX)


RE: SPAM from a registrar

2014-05-16 Thread David Jones
We use the fresh15.spameatingmonkey.net RBL.

http://spameatingmonkey.com/lists.html


From: James B. Byrne byrn...@harte-lyne.ca
Sent: Wednesday, May 14, 2014 11:51 AM
To: users@spamassassin.apache.org
Subject: SPAM from a registrar

This AM we received (and are continuing to receive) numerous spam messages
from multiple domains that were all registered today (2014-05-14) with a
company called enom, inc.  This firm is also the registrar for the mail
server domain BOSJAW.com that is sending some if not all of the UCEM.  That
server is hosted in CZ.

It seems likely that this is a planned UCEM campaign designed to use
disposable domains, probably registered with stolen credit cards or some other
form of fraud, in order to escape blacklisting services.  No doubt by tomorrow
they will be abandoned.

Is there any test to check how long a domain name has been in existence and
set a spam score with that information?

Along the same lines, is there any test to determine the country of origin of
the IP address in the last hop before it connects to our servers?


--
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte  Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3


RE: SPAM from a registrar

2014-05-16 Thread David Jones

On Thu, May 15, 2014 09:08, David Jones wrote:
 We use the fresh15.spameatingmonkey.net RBL.

 http://spameatingmonkey.com/lists.html



I checked three domain names used by the spam messages received yesterday.
All of the domains were registered yesterday as well.  None of them report as
being in any of the fresh lists at spameatingmonkey.com.   Nor are they listed
in DOB at support-intelligence.net.  I have to wonder how soon after creation
new domains are added to the fresh lists.  Over 20% of the coverage period is
already over for fresh.spameatingmonkey.net and I suspect that the domain used
yesterday has already been abandoned.  At least we are getting the exact same
messages today from a bunch of different domains all registered with the same
registrar: enom.com.

SEM does provide value even if it's not completely up to date.  That being
said, I guess I have the same problem you do and need to do some more research.

At this point I would be willing to implement a rule to block all domains
registered with that registrar and be done with it.  Is there a spamassassin
whois plug-in that can parse and check the registrar and the domain creation
date?
 
Enom is a very large registrar that has sub-registrars so this could be risky.
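
Added example, not part of the original thread and not SpamAssassin's stock rules: one way to query the fresh15.spameatingmonkey.net list mentioned above from local.cf, both for domains in body URIs and for the envelope-sender domain. The rule names, the set name 'semfresh15' and the scores are hypothetical; any A record returned by the zone is treated as a listing.

```conf
# Added example: local.cf fragment, assumptions noted in comments.

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
  # Domains extracted from URIs in the message body.
  # urirhsbl fires on any A record returned by the zone, so no
  # return-code sub-test has to be assumed here.
  urirhsbl  LOCAL_URI_SEM_FRESH15  fresh15.spameatingmonkey.net.  A
  body      LOCAL_URI_SEM_FRESH15  eval:check_uridnsbl('LOCAL_URI_SEM_FRESH15')
  describe  LOCAL_URI_SEM_FRESH15  Body URI domain is on the SEM fresh15 list
  tflags    LOCAL_URI_SEM_FRESH15  net
  score     LOCAL_URI_SEM_FRESH15  1.5    # hypothetical score, tune locally
endif

ifplugin Mail::SpamAssassin::Plugin::DNSEval
  # Domain of the envelope sender (MAIL FROM), which is what matters
  # when the sending domains themselves are the disposable ones.
  header    LOCAL_ENVFROM_SEM_FRESH15  eval:check_rbl_envfrom('semfresh15', 'fresh15.spameatingmonkey.net.')
  describe  LOCAL_ENVFROM_SEM_FRESH15  Envelope sender domain is on the SEM fresh15 list
  tflags    LOCAL_ENVFROM_SEM_FRESH15  net
  score     LOCAL_ENVFROM_SEM_FRESH15  2.0    # hypothetical score, tune locally
endif
```

Both rules are network tests and only fire once the list has picked up the domain, so, as the thread notes, a domain registered the same day may not be listed yet; keeping the scores additive rather than decisive lets the other checks carry the message over the threshold.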


RE: Bayes refinement

2014-05-16 Thread David Jones


On 05/14/2014 11:08 PM, James B. Byrne wrote:
 Is there any way to limit Bayes content checking to only the first X
 characters of the message body?  I ask this because it is clear that the spam
 messages getting through contain text meant to poison the tests but this
 gibberish always trails the main message and is separated by a large white
 space in most cases.

There isn't such a way to limit content checking.

If you keep Bayes well trained (assuming you have enough ham to do so)
Bayes poisoning is a myth.

I'm not sure I agree with the myth statement.  I just had to reset my Bayes
DB after years of it slowly drifting due to bad user input and such.

I added CRM114 and BOGOFILTER plugins as a balance of power to
Bayesian and it's working very well again.






RE: sa-learn from a cronjob?

2014-04-20 Thread David Jones
fetchmail works well.  Use procmail if needed.

From: Dan Mahoney, System Admin d...@prime.gushi.org
Sent: Sunday, April 20, 2014 2:14 PM
To: users@spamassassin.apache.org
Subject: sa-learn from a cronjob?

All,

Most of my users aren't command-line friendly.  I'd like to basically have
my IMAP server default to handing out two imap mailboxes that get
auto-crontabbed to training bayes.

Ideally, I'd also like to make it so that things dropped in the learn_spam
folder are deleted, and stuff in the learn_ham folder (mistake-based
training) are de-tagged and moved back to the inbox.  Alternatively, a
single learned folder would do.

Perl's Mail::Box seems like a heavy tool for this simple task.  Does
anyone else have any recommendations?

-Dan

--


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


