Re: Annoying stocks scams

2007-03-06 Thread Dhawal Doshy

[EMAIL PROTECTED] wrote:

Hi List!

I'm getting hit by a bunch of annoying stock scams which aren't found by 
any of my sare lists, they keep on scoring low.


So I decided to write a custom rule, which seems to work pretty well for 
my case:


body  __HILO_STOCKS1  /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ Price|Price)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|High|Sale|Price)/i
body  __HILO_STOCKS2  /(hotlist|r[e3]cord|publicity|n[e3]ws|invest|incr[e3]as[e3]|[e3]xplosion|pric[e3]|high|pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol)/i

meta  HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 )
describe  HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.5

It's my first meta rule, which only gives a score if both conditions are 
true, and I was wondering if there's a possibility to make the score 
more intelligent :


- if __HILO_STOCKS1 fires up, i would like to give the score maybe 0.5
- if __HILO_STOCKS2 matches as well together with __HILO_STOCKS2, make 
it 3.5


You could define:
body HILO_STOCKS1 ...
describe HILO_STOCKS1 ...
score HILO_STOCKS1 ...

body __HILO_STOCKS2 ...

and create a meta
meta HILO_STOCKS ( HILO_STOCKS1 && __HILO_STOCKS2 )

You could also rename __HILO_STOCKS2 to HILO_STOCKS2 to make it a 
stand-alone rule..


Re: Annoying stocks scams

2007-03-06 Thread Dhawal Doshy

Rick Cooper wrote:

 Sorry to mess up the thread, I lost the original


-Original Message-
From: Dhawal Doshy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 06, 2007 9:39 AM

To: users@spamassassin.apache.org
Subject: Re: Annoying stocks scams

[EMAIL PROTECTED] wrote:

Hi List!


[ ... ]

meta  HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 )
describe  HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 3.5

It's my first meta rule, which only gives a score if both 
conditions are 
true, and I was wondering if there's a possibility to make 
the score 

more intelligent :

- if __HILO_STOCKS1 fires up, i would like to give the 

score maybe 0.5
- if __HILO_STOCKS2 matches as well together with 
__HILO_STOCKS2, make 

it 3.5

[ ... ]

Define two metas, the first one hits only when 1 is true and 2 is false
The second hits when both are true. You have to use the negation for 2
In meta one or you would double dip whenever both are true.

meta  HILO_STOCKS_1 ( __HILO_STOCKS1 && !__HILO_STOCKS2 )
meta  HILO_STOCKS_2 ( __HILO_STOCKS1 && __HILO_STOCKS2 )

describe  HILO_STOCKS_1 Looks like stocks scam First Hit Only
describe  HILO_STOCKS_2 Looks like stocks scam Both Hit

score HILO_STOCKS_1 0.5
score HILO_STOCKS_2 3.5

If you wanted to score the 0.5 whenever either 1 or 2 is true and the other
is false

meta  HILO_STOCKS_1 ( (__HILO_STOCKS1 && !__HILO_STOCKS2) || (!__HILO_STOCKS1 && __HILO_STOCKS2) )


Hi Rick,

Though this looks simpler, you are effectively adding an extra meta.. 
you could simply replicate the AND/OR effect by modifying the scores.


body  HILO_STOCKS_1     whatever1
body  __HILO_STOCKS_2   whatever2

meta  HILO_STOCKS ( HILO_STOCKS_1 && __HILO_STOCKS_2 )

score HILO_STOCKS_1 0.5
score HILO_STOCKS 3.0

Only HILO_STOCKS_1 == 0.5
Only __HILO_STOCKS_2 == Nothing
Both == 0.5 + 3.0

Though i'm not sure how much overhead one extra meta will have??
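
The two scoring layouts from this thread, compared side by side as an added example (not part of the original posts). It is a small Python stand-in for rule evaluation, not SpamAssassin itself: the body regexes are shortened, the sample messages are constructed, and meta expressions are treated as plain booleans.

```python
import re

# Rick's layout: two mutually exclusive metas over unscored sub-rules.
TWO_METAS = r"""
body  __HILO_STOCKS1  /(High|Low|Price)[: \t]+\$[\d ]+/i
body  __HILO_STOCKS2  /(hotlist|news|invest|market|alert|symbol)/i
meta  HILO_STOCKS_1 ( __HILO_STOCKS1 && !__HILO_STOCKS2 )
meta  HILO_STOCKS_2 ( __HILO_STOCKS1 && __HILO_STOCKS2 )
score HILO_STOCKS_1 0.5
score HILO_STOCKS_2 3.5
"""

# Dhawal's layout: one scored body rule plus one meta whose score adds on top.
ADDITIVE = r"""
body  HILO_STOCKS_1    /(High|Low|Price)[: \t]+\$[\d ]+/i
body  __HILO_STOCKS_2  /(hotlist|news|invest|market|alert|symbol)/i
meta  HILO_STOCKS ( HILO_STOCKS_1 && __HILO_STOCKS_2 )
score HILO_STOCKS_1 0.5
score HILO_STOCKS 3.0
"""

# Constructed sample messages.
PRICE_ONLY = "Current Price: $0 45 and climbing"
BOTH = "Market alert! Price: $1 20 High: $2"
KEYWORD_ONLY = "Quarterly news for investors"

TOKEN = re.compile(r"\s*(&&|\|\||!|\(|\)|\w+)")


def parse_rules(text):
    """Split a rule file into body regexes, meta expressions and scores."""
    body, meta, score = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "body":
            pattern, _, flags = rest[1:].rpartition("/")
            body[name] = re.compile(pattern, re.I if "i" in flags else 0)
        elif kind == "meta":
            meta[name] = rest
        elif kind == "score":
            score[name] = float(rest)
    return body, meta, score


def eval_meta(expr, hits):
    """Evaluate a boolean meta expression (&&, ||, !, parentheses)."""
    tokens = TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "||":
            take()
            rhs = parse_and()      # always consume the right-hand side
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "!":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            value = parse_or()
            take()                 # closing parenthesis
            return value
        return take() in hits      # a rule name is true if that rule hit

    return parse_or()


def total_score(config, message):
    """Sum the scores of every rule that hit; '__' sub-rules never score."""
    body, meta, score = parse_rules(config)
    hits = {name for name, rx in body.items() if rx.search(message)}
    hits |= {name for name, expr in meta.items() if eval_meta(expr, hits)}
    # A scored rule with no explicit score line defaults to 1.0.
    return round(sum(score.get(n, 1.0) for n in hits
                     if not n.startswith("__")), 2)


if __name__ == "__main__":
    for label, cfg in (("two metas", TWO_METAS), ("additive", ADDITIVE)):
        print(label, [total_score(cfg, m)
                      for m in (PRICE_ONLY, BOTH, KEYWORD_ONLY)])
```

Both layouts give 0.5 for a price line alone and 3.5 when the keyword rule also matches; the difference is only which rule names show up in the report.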


Re: 4.64 compile problem on Linux 2.6.19.1

2006-12-20 Thread Dhawal Doshy

George R. Kasica wrote:

Trying to compile 4.64 here using the same settings as 4.63 (which
compiles just fine) and am seeing the following error during make:

gcc transport.c
In file included from transport.c:17:
/usr/local/include/sys/sendfile.h:26:3: error: #error
sys/sendfile.h cannot be used with _FILE_OFFSET_BITS=64
make[1]: *** [transport.o] Error 1
make[1]: Leaving directory
`/mnt/scsi-1/Linux/exim-4.64/build-Linux-i386'
make: *** [go] Error 2


wrong list.. perhaps you meant to post it to the exim list?


Re: Filtering THIS list [OT]

2006-12-14 Thread Dhawal Doshy

Dhawal Doshy wrote:
Make that 2 of us. I for one would like to filter out all mails/threads 
originated by perkel (yeah which would include this mail as well)..


i *really* would like to filter this list for obvious reasons based on 
sender / thread originated by sender while continuing to receive other 
mails.. does ezmlm provide such a feature? A mail to 
[EMAIL PROTECTED] doesn't help at all.


I use mailscanner with postfix, so any pointers in that direction would 
help as well.


Of course this is OT and i really ought to send this request to the 
postfix list OR the mailscanner list, but who cares??


TIA,
- dhawal


trusted_networks why /16 network

2006-12-14 Thread Dhawal Doshy
My organization is allocated a /19 network by apnic. My trusted mail 
servers (mx, smtp and delivery) all fall under a single /24 that i could 
set manually using the trusted_network setting but i'd prefer it to be 
automated out-of-the-box.


From Mail::SpamAssassin::Conf
if the 'from' IP address is on the same /16 network as the top Received 
line's 'by' host, it's trusted


Why does SA default to a /16 network and why not a /24 to be safer? OR 
am i missing something?


- dhawal


Filtering THIS list (Re: Breaking up the Bot army - we need a plan)

2006-12-12 Thread Dhawal Doshy

Steve Thomas wrote:

Once again, Perkel clutters the SpamAssassin list with a non-SpamAssassin
discussion. One which, IIRC, he's just rehashing from a year or so ago
(are we going to see a rehash of the "the future of email storage is sql"
thread, too?). There are FAR more appropriate forums for these non-SA
related things.

Is anyone else getting tired of this? Forty eight messages on the SA list
today that have nothing to do with SA. What's the point of having a
topical mailing list if nobody cares that the discussion is off-topic?

St-


Make that 2 of us. I for one would like to filter out all mails/threads 
originated by perkel (yeah which would include this mail as well)..


i too am tired of him trying to discuss things that don't belong to SA.

- dhawal


Re: Filtering THIS list (Re: Breaking up the Bot army - we need a plan)

2006-12-12 Thread Dhawal Doshy

Jeff Chan wrote:

On Tuesday, December 12, 2006, 12:29:26 AM, Rob McEwen wrote:

It is just these types of
discussions which led to things like SURBL and fuzzyOCR.


In the interests of preserving some history, SURBLs were not
created as a result of discussions here.   We created SURBLs
concurrently with Eric Kolve writing his SA plugin SpamCopURI to
use them.  Then we persuaded the SpamAssassin developers to look
into supporting SURBLs directly, which they apparently did by
modifying the uridnsbl command into urirhsbl.

Some of the messages are at:

  
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200410.mbox/[EMAIL PROTECTED]

Jeff C.


Also from my limited memory, a fuzzyocr like implementation existed on 
antispan.imp.ch long before it was discussed on the sa-users list. 
Someone can correct me if this is incorrect information.


- dhawal


Re: Filtering THIS list (Re: Breaking up the Bot army - we need a plan)

2006-12-12 Thread Dhawal Doshy

Rob McEwen wrote:

Dhawal said:
Also from my limited memory, a fuzzyocr like implementation existed on 
antispan.imp.ch long before it was discussed on the sa-users list. 
Someone can correct me if this is incorrect information.


And, like SURBL, regardless of the official origin of the idea, I know for a
fact that fuzzyocr benefited tremendously from discussions on the SA list
and I'd bet money that the author would happily agree. I also recall the
author of fuzzyocr at one point saying something like, hey guys, sorry I'm
hogging your list... here is my new list especially devoted to fuzzyocr...
(that wasn't an exact quote... but he said something to that effect)... and
that was totally appropriate and polite for him to do that. Up to that
point, I don't think anyone minded the frequent discussions of fuzzyocr...
but it did make sense, like SURBL, for fuzzyocr to have out to its own list
for detailed discussions. But I have recent memories of tremendously good
feedback on the SA list regarding fuzzyocr which also benefited fuzzyocr...
particularly before the official fuzzyocr list began.

Like SURBL, fuzzyocr would have suffered had discussion about it on the SA
list been clamped down with off-topic complaints.

Rob McEwen


I am not against off-topic discussions (and also indulge in a few when 
appropriate), what i am tired of is 'Perkel', have a look at some of the 
threads started by him..


Breaking up the Bot army - we need a plan
Who wants my spam - seriously!
About the SpamHaus lawsuit?
I'm thinking about suing Microsoft
What's with UCEPROTECT List?
Allowing IMAP/POP to Send Email
What changes would you make to stop spam? - United Nations Paper
SPF breaks email forwarding
The best way to use Spamassassin is to not use Spamassassin
The Future of Email is SQL
Tricky DNS Question - Advanced
Who wants my spam - seriously!
Suing Spammers
Fighting spam by public education?

End of topic for me. Good day to you all.

- dhawal


Re: Sorry Dhawal - no personal attacks allowed [OT]

2006-12-12 Thread Dhawal Doshy

Marc Perkel wrote:
Well - if you don't like me then why don't you write a filter rule to 
delete message coming from me? I'm not going away so get used to it. If 
my threads weren't so damn interesting it wouldn't generate so much 
interest.


I think that your personal attack is not appropriate for this forum. 
This is a tech forum and there are lots of ideas that you aren't going 
to like. You're just going to have to get used to it.


Sincere apologies..


Re: Distributed Bayes DB?

2006-11-11 Thread Dhawal Doshy

Matthias Leisi wrote:

Matt Kettler wrote:

Do you see additional options? 

Use a SQL server backend. If you must have a no-failure option for the
bayes DB, use a  cluster of SQL servers.
[..]

Also see the SQL readme:

http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes


I already took a look at using SQL, but this quote:

| NB:  This should be considered BETA, and the interface, schema, or
| overall operation of SQL support may change at any time with future
| releases of SA.

stops me from using it. Unfortunately, I can not run software officially
considered Beta on this system.


Like Matt mentioned.. this is an oops. I've been using global sql bayes 
ever since the 3.0.0 release (about 2 years now).. same for awl (which i 
later disabled for lack of janitor tools).


It's rock stable and quite fast (though on a dedicated server).. for 
redundancy look at DRBL or something similar.


- dhawal


Re: Distributed Bayes DB?

2006-11-11 Thread Dhawal Doshy

Dhawal Doshy wrote:

Matthias Leisi wrote:

Matt Kettler wrote:

Do you see additional options? 

Use a SQL server backend. If you must have a no-failure option for the
bayes DB, use a  cluster of SQL servers.
[..]

Also see the SQL readme:

http://wiki.apache.org/spamassassin/BetterDocumentation/SqlReadmeBayes


I already took a look at using SQL, but this quote:

| NB:  This should be considered BETA, and the interface, schema, or
| overall operation of SQL support may change at any time with future
| releases of SA.

stops me from using it. Unfortunately, I can not run software officially
considered Beta on this system.


Like Matt mentioned.. this is an oops. I've been using global sql bayes 
ever since the 3.0.0 release (about 2 years now).. same for awl (which i 
later disabled for lack of janitor tools).


It's rock stable and quite fast (though on a dedicated server).. for 
redundancy look at DRBL or something similar.

  that should be DRBD

- dhawal


Re: --lint ok but still have errors

2006-11-02 Thread Dhawal Doshy

Nigel Frankcom wrote:

On Thu, 2 Nov 2006 12:03:14 -0500, Debbie D
[EMAIL PROTECTED] wrote:


Last week I made some changes to my rules and I performed
-- lint
which showed no errors..

Yesterday AM there was a HUGE influx of spam and I SSH'd in when I saw the 
loads jumping up.


The first thing I did after verifying I had loads up over 30% was shut down 
exim, which normally brings the loads down very quickly.. yesterday it did 
not.. I had to do a reboot to accomplish the task..


when I went and looked at the maillog files when things calmed down I saw 
the following errors when exim (and consequently spamd, clamd, SA, blahblah) 
started back up. If -- lint showed no errors.. whats up with this???

[SNIP]
Not sure if this is related, but I have these appearing under 
--lint -D...


[6209] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
'PYZOR_CHECK'
[6209] info: rules: meta test FP_MIXED_PORN3 has undefined dependency
'FP_PENETRATION'

They're not causing any issues (so far), but only seem to have
appeared since my upgrade to 3.1.7

There's been some discussion about scores with 0 rating popping
similar so I wonder if that's related.

Not much help I know, but apparently not so rare either.


Not errors, informational warnings and quite clear. This ought to be 
seen in SA 3.1.6+, previous versions would simply ignore these.


f.i.: DIGEST_MULTIPLE is probably a meta_rule dependent on probably 
razor, pyzor and DCC. The rule check doesn't fail but simply throws an 
informational warning.


IIRC, it's mentioned in the changelog somewhere.

- dhawal


Re: Image spam with inline jpeg image

2006-08-09 Thread Dhawal Doshy

Ramprasad wrote:

  All my rulesets and the LARGO rules are for catching inline png and
inline gif. Now I am getting stock spams with 


images like

--=_NextPart_001_000C_01C6BBE8.11C02650--

--=_NextPart_000_000B_01C6BBE8.11BB4450
Content-Type: image/jpeg; name=militarism.jpg
Content-Transfer-Encoding: base64
Content-ID: ICRPXHAOOE


Are you using the updated version OR the one originally posted?

http://www.rulesemporium.com/plugins.htm#imageinfo

Updates:
- added optimization changes by Theo Van Dinter
- added jpeg support
- added function image_named()
- added function image_size_exact()
- added function image_size_range()
- added function image_to_text_ratio()


- dhawal


Re: URIBL and SURBL no longer hitting

2006-08-08 Thread Dhawal Doshy

DAve wrote:

[snip]

If it happens again I'll have some logs, provided I catch it in time, 
dnscache makes logs like bunnies make more bunnies.


Until then I'm inclined to think it was a resource issue or anomaly on 
my system rather than an issue with SA or dnscache. I run dnscache on 
all my web/mail/SA/ftp servers on FreeBSD, Linux, and Solaris. Never had 
the slightest issue with any software making dns queries through it.


DAve


Dave, you might need to update the 'root/servers/@' file. IIRC, a couple 
of root servers have changed in the past few years.


- dhawal



Re: Looking for advice on rule creation regular expressions

2006-08-03 Thread Dhawal Doshy

Coffey, Neal wrote:

Logan Shaw wrote:

For what it's worth, I thought all spams of that form were
prescription drug spams, but recently I got one like this as well:

[snip: rolex, tiffany, etc...]


Come to think of it, I've seen one or two of these ones, too, and
totally forgot.  Guess I'll be making rules for these as well...


However, there is one obvious way to do it.  Like this:
...
Since the first and last characters of all four branches are
always the same, you can optimize it a tiny bit by factoring
out the common parts of the branches:

/A(?:.DVI|D.VI|DV.I|DVI.)L/


Ok.  This is looking a little better, then... I've taken your
suggestion, and added the possibilities of repeated characters and
substitutions for I into it..

/A(?:.A?DV[Iilj]|D.D?V[Iilj]|DV.V?[Iilj]|DV[Iilj].[Iilj]?)L/

The little bit of testing I threw at it looks good so far.  I'll try it
with the actual prescription drug names, do a bit of testing, and share
my results.  More suggestions for improving the regex are still welcome,
of course :)


How about..
http://www.sandgnat.com/cmos/

- dhawal
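
The hand-built pattern from this thread, generated for any word, as an added example (not part of the original posts). It goes one step beyond the single word shown: the function name and the `subs` parameter are assumptions of this sketch, and the test strings are constructed.

```python
import re


def one_gap_regex(word, subs=None):
    """Build first(?:...)last with one wildcard inserted at every gap.

    Mirrors the factored form in the thread: the first and last characters
    are pulled out of the alternation, and each branch carries exactly one
    '.' somewhere in or around the middle characters. `subs` optionally
    maps a character to a class of look-alikes, e.g. {"I": "[Iilj]"}.
    """
    if len(word) < 3:
        raise ValueError("need at least three characters to factor")
    subs = subs or {}

    def atom(ch):
        return subs.get(ch, re.escape(ch))

    middle = [atom(ch) for ch in word[1:-1]]
    branches = [
        "".join(middle[:i]) + "." + "".join(middle[i:])
        for i in range(len(middle) + 1)
    ]
    return atom(word[0]) + "(?:" + "|".join(branches) + ")" + atom(word[-1])


def hits(word, text, subs=None):
    """True if the generated pattern matches anywhere in text."""
    return re.search(one_gap_regex(word, subs), text) is not None


if __name__ == "__main__":
    print(one_gap_regex("ADVIL"))
    print(one_gap_regex("ADVIL", {"I": "[Iilj]"}))
    # Constructed subjects: one inserted character, none, and a look-alike.
    for subject in ("cheap AD*VIL here", "cheap ADVIL here", "cheap AD-VlL"):
        print(subject, hits("ADVIL", subject, {"I": "[Iilj]"}))
```

The pattern requires exactly one inserted character, so the unobfuscated word does not match it and needs its own rule if that is wanted.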


Re: Allowing IMAP/POP to Send Email United Nations etc....

2006-08-03 Thread Dhawal Doshy

Nigel Frankcom wrote:

I'll put on my flameproof underwear for this

There's been a huge amount of crossfire on these/this subject, but I
don't see how it has anything to do with SA; or am I missing the
point?

Different protocols, yet another level of policing, but nothing about
the fact that SA does a damned fine job of stopping what exists now,
not what may or may not happen (n) years in the future.

Just my 2 pence worth


2 more units of whatever currency.. kill the threads. NOW!!


Re: bottleneck analysis on spamassassin

2006-07-26 Thread Dhawal Doshy

Ramprasad wrote:

I can tell you right now, its either Net tests or poorly written
rules. Otherwise SA runs pretty darn good. 



Darn good is how good ? 
On a Dual Xeon with 4GB ram can SA scan 30k mails per hour. 
Today at 15k the machine starts signalling problems , 20k is the max it
can do beyond which there are unacceptable delays 


spamassassin -D --lint < some_test_email

How do I know what percentage of time is taken by individual tests ? 


Try installing mailwatch in a limited manner (mailwatch.sf.net, works 
only with mailscanner), you do not have to use it for quarantine 
management or any other thing.. under tools you have a link for a lint 
test which gives you nicely formatted html page with the time taken for 
each test.


As Chris mentioned.. network tests (especially razor/pyzor) could be 
responsible for SA delay. If you have a lot of servers try running a 
local only pyzord (see pyzor.sf.net).


- dhawal


Thanks
Ram


Re: Whitelist_subject and Blacklist_Subject

2006-07-19 Thread Dhawal Doshy

John Horne wrote:

[SNIP]


Hello,

I'm guessing here that this is an SA 3.1 thing (subject whitelisting)?
We are running 3.0.6.

My question though is does whitelisting something cause SA to abort
trying the other tests?


That (aborting other tests) is called short-circuiting and doesn't exist 
in SpamAssassin releases except on the dev lists as a discussion (and 
possibly a POC). So no, the other tests won't abort.. but the 
whitelisting score (default -100) ought to override the score of the 
other tests.


- dhawal


Re: Stock Spams; aka Pump and Dump

2006-06-01 Thread Dhawal Doshy

DAve wrote:

Nigel Frankcom wrote:

This may be a daft question, if so, apologies in advance; but, do you
train these spam into sa?


Nope, been down the Bayes road a few times and the load on the server 
never justified the spam it caught. When using bayes we always end up 
babysitting it too much. This could likely be a result of the large 
variance in the type and content of mail we handle (we are an ISP).


Personally, right/wrong/regardless, I've always felt bayes was just 
never production ready. Issues always seem to crop up. Maybe that will 
change in the future.




We receive a large number of these daily and, to date, very, very few
get through.

What version of SA are you running?


Currently 3.0.4 on the toasters, 3.0.2 on the MailScanner boxes. These 
may or may not get updates this month. I've never been fond of update 
as a solution to a problem unless I know the change in version will 
directly improve my use of the product. Right now SA is working 
wonderfully, I have no complaints. But I am getting n thousands of these 
messages, if even a few get past SA, it amounts to a lot of messages.


Samples can be seen here,

http://pixelhammer.com/spam/spam1.txt
http://pixelhammer.com/spam/spam2.txt
http://pixelhammer.com/spam/spam3.txt
http://pixelhammer.com/spam/spam4.txt
http://pixelhammer.com/spam/spam5.txt
http://pixelhammer.com/spam/spam6.txt


Dave, I don't see bayes getting used in all except one of the above 
mails.. i don't think it's normal. You *should* have a BAYES score for 
every mail (even HAM) unless you use the skip option.


- dhawal


Thanks,

DAve




KR

Nigel

On Thu, 01 Jun 2006 12:48:50 -0400, DAve [EMAIL PROTECTED]
wrote:


Doc Schneider wrote:

DAve wrote:

Howdy,

My users are just about tired of the stock spams, we are getting 
many now that are barely hitting any stock rules at all. The funny 
thing is they are pretty much a legit email. No obfuscation, no 
funky headers, no URL.


I am nearly ready to just stomp any and all stock messages and 
force the few users who need them to whitelist the sender.


Has anyone else already been down this road? Any suggestions?

Thanks,

DAve


Sure is a stock spam rule set.

http://www.rulesemporium.com/rules/70_sare_stocks.cf

Had it running 10 minutes after it was announced. My problem is worse 
than that. Possibly I could create a meta rule in my local.cf that 
says a sare_stock hit plus any other rule, add 5 points.


Thanks though, I should have mentioned I use it.

Dave


Re: Setting up my own RBL - How?

2006-05-22 Thread Dhawal Doshy

Mike Jackson wrote:
So - if I wanted to set up my own RBL for others to query me, how 
would I do that? I'm seriously thinking about it. Alternatively, I can 
stream my spam to anyone else who is already doing it. I've modified 
my spam stream to exclude stuff already listed in several other 
popular block lists.


A combination of these 2 works wonders for me..
http://simple-evcorr.sf.net/ (simple event correlator)
http://www.corpit.ru/mjt/rbldnsd.html (designed for serving DNSBL zones)

SEC hooks onto the mailscanner logs checking for 3 spams or 2 viruses in 
a span of 60 seconds, this is then fed to rbldnsd, which serves it with 
little latency (though the latency has nothing to do with rbldnsd).


- dhawal

I'm no expert by any means, but I tried setting up an internal RBL for 
my company using some Perl scripts (to mangle the email upon receipt) 
and PDNS with a MySQL backend. I saved the last hop IP address from 
dictionary-attack emails sent to a particular domain that we host that 
gets hundreds of dictionary-attack type spams per day. It worked well, 
except that in my case it was nearly pointless - while I could verify 
that lookups were working, over the course of a 48 hour period it added 
hundreds of IPs but didn't flag any messages, since the spambot(s) 
sending to this domain would never send from the same IP address twice 
(which I verified in the logs), nor were they sending to any of the 
other 100+ domains we host. We're not fighting an enemy that's entirely 
stupid.


Anyway, the entire point of this email was to suggest the (perhaps) 
obvious of using a DNS daemon that can read its zone info on the fly 
rather than requiring a restart. That's why I used PDNS, but I'm sure 
there's other DNS daemons that can do the same thing and are perhaps 
better suited to the task.
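
The threshold described in the reply above (3 spams or 2 viruses from one address inside 60 seconds, then publish the address) as an added example, not part of the original posts. It is a Python stand-in for the correlation step, not SEC configuration; the log line layout and the sample entries are constructed, and the output is one IPv4 address per line, the simplest entry form an rbldnsd ip4set dataset accepts.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLDS = {"spam": 3, "virus": 2}   # events per address, per the post
WINDOW = timedelta(seconds=60)

# Constructed log: "<ISO timestamp> <spam|virus> <client IP>".
SAMPLE_LOG = """\
2006-05-22T10:00:00 spam 192.0.2.10
2006-05-22T10:00:20 spam 192.0.2.10
2006-05-22T10:00:30 virus 198.51.100.7
2006-05-22T10:00:55 spam 192.0.2.10
2006-05-22T10:01:10 virus 198.51.100.7
2006-05-22T10:02:00 spam 203.0.113.5
2006-05-22T10:02:50 spam 203.0.113.5
2006-05-22T10:03:40 spam 203.0.113.5
2006-05-22T10:04:00 garbage line
2006-05-22T10:04:10 spam 999.1.1.1
"""


def offenders(log_text):
    """Return addresses that crossed a threshold, in the order they tripped."""
    recent = defaultdict(deque)   # (ip, kind) -> timestamps still in window
    listed = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in THRESHOLDS:
            continue              # not an event line we understand
        try:
            ts = datetime.fromisoformat(parts[0])
            # Validate before the value can reach a DNS zone file.
            ip = str(ipaddress.IPv4Address(parts[2]))
        except ValueError:
            continue
        kind = parts[1]
        window = recent[(ip, kind)]
        window.append(ts)
        # Drop events that have aged out of the 60 second span.
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= THRESHOLDS[kind] and ip not in listed:
            listed.append(ip)
    return listed


def zone_text(addresses):
    """Render the listing as one address per line."""
    return "".join(addr + "\n" for addr in addresses)


if __name__ == "__main__":
    print(zone_text(offenders(SAMPLE_LOG)), end="")
```

The third address in the sample sends three spams but spread over 100 seconds, so it never has three inside one window and stays unlisted.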




FP with FORGED_HOTMAIL_RCVD

2006-05-17 Thread Dhawal Doshy
Running SA 3.1.1 on centos 4.3 with original rules (no sa-update).. The 
mail is genuine ham. Are more details required??


Received: from bay0-omc1-s5.bay0.hotmail.com (unknown [65.54.246.77])
 by mx1.netmagicians.com (Postfix) with ESMTP id 00D46CB9E2
 for [EMAIL PROTECTED]; Tue, 16 May 2006 19:04:28 +0530 (IST)
Received: from BAY111-W8 ([64.4.17.108]) by 
bay0-omc1-s5.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);

  Tue, 16 May 2006 06:34:34 -0700
X-Originating-IP: [xxx.xx.xx.xxx]
X-Originating-Email: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
From: Full Name [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Pending invoice in domain control panel..
Date: Tue, 16 May 2006 19:04:34 +0530
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: quoted-printable
X-OriginalArrivalTime: 16 May 2006 13:34:34.0982 (UTC) 
FILETIME=[786FE860:01C678ED]


- dhawal


Re: bayes db issue

2006-04-11 Thread Dhawal Doshy
JD Smith writes: 


I recently switched to using mysql bayes.  I am getting a [1135] dbg:
bayes: unable to initialize database for root user, aborting! When I do
spamassassin -d --lint  any idea what I need to change?  


Try a select id,username,spam_count,ham_count from bayes_vars on your 
bayes database to find the username under which your bayes exists.. 


Next use the username in the above query to add this line in your local.cf
bayes_sql_override_username username 


hth,
- dhawal 

Best regards, 

JD Smith 








--
 CAUTION - Disclaimer *
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
for the use of the addressee(s). If you are not the intended recipient, 
please

notify the sender by e-mail requesting deletion of the original message.
Further, you are not to copy, disclose, or distribute this e-mail or its
contents to any other person and any such actions are unlawful. NetMagic
Solutions Pvt. Ltd. has taken every reasonable precaution to minimize the 
risk

of virus infection  spam, but is not liable for any damage, you may sustain
as a result of any virus in this e-mail. You should carry out your own virus
checks before opening the e-mail or attachment. NetMagic Solutions Pvt. Ltd.
reserves the right to monitor and review the content of all messages sent to
or from this e-mail address. 


Messages sent to or from this e-mail address may be stored on the NetMagic
Solutions Pvt. Ltd.'s e-mail system.
* End of Disclaimer ***


Re: Cannot install SA-3.1.1 FreeBSD 5.4

2006-04-08 Thread Dhawal Doshy

Marc Dufresne wrote:

Downloaded install-Clam-SA for 0.88.1 and SA3.1.1

When I run the 
./install.sh 


You'll be better off asking this question on the mailscanner list.. i 
don't use the install-sa-clam package but a lot others on the 
mailscanner list do so.


In any case (purely speculating here) i think you need to use it as:
./install.sh --perl=/usr/local/bin/perl #(path to the perl binary)

- dhawal

It says I have two copies of perl 


one located in /usr/bin
and the other located in /usr/local

It strongly recommends that I remove /usr/local. But if I choose to
continue then run 


./install.sh --perl=/path/to/perl


When I ran ./install.sh --perl=/usr/bin

I receive numerous errors saying

Attempting to install module name of module
.install.sh : /usr/bin: Permission Denied

If I run ./install.sh --perl=/usr/local

Attempting to install module name of module
.install.sh : /usr/bin: Permission Denied

Nothing installs.

Any ideas?






Marc Dufresne, Corporate IT Officer
St. Lawrence Parks Commission
13740 County Road 2
Morrisburg, ON  K0C 1X0

E-mail: [EMAIL PROTECTED]
Voice: 613-543-3704  Ext#2455
Fax: 613-543-2847
Corporate website: www.parks.on.ca









Re: Spamassassin Appliances?

2006-03-24 Thread Dhawal Doshy
Paul Hutchings writes: 

I currently run a Linux relay based around Postfix and Spamassassin. 


The hardware is getting old so I'm considering replacing it with an
entry level rack mount server.   


I wondered if anyone had any suggestions on appliances that might be
worth looking at that are based around Spamassassin (and preferably
Postfix as the underlying MTA) so I can do a cost comparison? 


Basically if I'm not around, if it breaks and it's not hardware nobody
would have much idea where to begin, so I'm wondering what might be out
there that gives the benefits and flexibility of Spamassassin but with a
friendly front-end etc. 


Basically what I have now but without the home brew factor?


See if this helps..
http://www.fsl.com/defender5.html 

Sendmail (and not postfix though) along with spamassassin and mailscanner, 
the software edition worked like a charm in my test runs.. 

- dhawal 


TIA,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:[EMAIL PROTECTED]






Re: FP with MSGID_DOLLARS_RANDOM

2006-03-14 Thread Dhawal Doshy

Dhawal Doshy wrote:

Hello,

The following Message ID causes a '+3.78' (bayes+network) score for 
hitting a meta rule MSGID_DOLLARS_RANDOM, SA Version 3.1.x


 Message-ID: [EMAIL PROTECTED]
 X-Mailer: Intrapop 1.4 SMTP Component 1.0

It is a regular mail and the sender appears to be using a mailserver 
developed by cyberoam.com


Should i be raising an issue with bugzilla? i could provide more details 
as required..


How do i take this forward?

- dhawal




FP with MSGID_DOLLARS_RANDOM

2006-03-13 Thread Dhawal Doshy

Hello,

The following Message ID causes a '+3.78' (bayes+network) score for 
hitting a meta rule MSGID_DOLLARS_RANDOM, SA Version 3.1.x


 Message-ID: [EMAIL PROTECTED]
 X-Mailer: Intrapop 1.4 SMTP Component 1.0

It is a regular mail and the sender appears to be using a mailserver 
developed by cyberoam.com


Should i be raising an issue with bugzilla? i could provide more details 
as required..


thanks,
- dhawal




Re: more pharmacy woes

2006-03-11 Thread Dhawal Doshy

Payal Rathod wrote:

On Fri, Mar 10, 2006 at 04:07:34PM +0530, Dhawal Doshy wrote:
Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative 
network tests like razor/pyzor/dcc?


No, can you please tell in short how to use surbl exactly? I am very new 
to SA.


What is your SA version? You'll need a recent Net::DNS installed for any 
network tests.  You can also add 'dns_available yes' to your local.cf if 
you have Net::DNS installed. If you're using spamd, make sure it's 
started without the -L or --local flags.


SURBL support is built into spamassassin version 3.x onwards.. (see 
Jeff's reply)


For URIBL, see http://www.uribl.com/usage.shtml OR add this to your local.cf

urirhssub   URIBL_BLACK  multi.uribl.com.    A   2
body        URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe    URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags      URIBL_BLACK  net
score       URIBL_BLACK  3.0

urirhssub   URIBL_GREY  multi.uribl.com.    A   4
body        URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe    URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags      URIBL_GREY  net
score       URIBL_GREY  0.25

Also the pasted spam originates from a korean IP address.. you could 
try scoring mails from korea a bit more.. using either 
countries.nerds.dk OR korea.services.net


Which file do I put it exactly?


Add something like this to your local.cf
# This part will add +2.0 for mail from korea
header    X_KOREAN_RELAY  eval:check_rbl('relay','korea.services.net.')
describe  X_KOREAN_RELAY  Received via a relay in Korea
score X_KOREAN_RELAY  2.0

Finally, get around to training your bayesian database to 200 or more 
spam and ham mails each..


We have trained 40,000+  of each.


That ought to be good enough for a start..

Do a lint test 'spamassassin -D --lint' before you make your changes 
production.


Hope that helps,
- dhawal


With warm regards,
-Payal





Re: more pharmacy woes

2006-03-10 Thread Dhawal Doshy

Payal Rathod wrote:

Hi all,
I need help in decoding pharmacy spam again. I am getting 100s of them.
I have attached them at,
http://pastebin.ca/45108


Do you use SURBL (surbl.org), URIBL (uribl.com) and collaborative 
network tests like razor/pyzor/dcc?


Also the pasted spam originates from a korean IP address.. you could try 
scoring mails from korea a bit more.. using either countries.nerds.dk OR 
korea.services.net


Finally, get around to training your bayesian database to 200 or more 
spam and ham mails each..


- dhawal


Can someone tell how to block these things out?
With warm regards,
-Payal





Re: rules better than bayes?

2006-01-09 Thread Dhawal Doshy
Robert Bartlett writes: 


Ok I confused myself. I'm sorry for being an idiot. I get it now. Every time
an email comes in it tries to access it as the user, since bayes is being
fed to just the root account it doesn't see anything for the users in
bayes. With the override I force it to use the root account for all emails
coming in. Boy am I stupid. 


Thanks
Robert


Try out this to find the right value for bayes_sql_override_username. 

SELECT id, username, spam_count, ham_count, token_count FROM bayes_vars; 

- dhawal 


-Original Message-
From: Robert Bartlett [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 09, 2006 1:52 PM

To: users@spamassassin.apache.org
Subject: RE: rules better than bayes? 


Sorry for the confusion, I do use a site wide bayes database, I thought the
information I sent below was the site wide information the system uses to
access the bayes database. 


Thanks
Robert  


-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Monday, January 09, 2006 1:47 PM
To: Robert Bartlett
Cc: users@spamassassin.apache.org
Subject: Re: rules better than bayes? 


Robert Bartlett wrote:
 This is what I have in my local.cf file: 


bayes_store_module   Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn        DBI:mysql:**:localhost:3306
bayes_sql_username   
bayes_sql_password    

Obviously I hid the data that I didn't want to show with *. When I run 
sa-learn it trains into the mysql database just fine, I assume SA 
connects to it just fine because of that.
 


That's all the database login information. That doesn't mean you have a
single sitewide bayes database. 

Again, I suggest looking at the  bayes_sql_override_username option. 








Re: Google search as spam URI

2006-01-04 Thread Dhawal Doshy
Dallas L. Engelken writes: 

adding a redirector_pattern will catch this. 


redirector_pattern /^https?:\/\/(?:www\.)?google\.com\/search\?q=site:([A-Za-z0-9\-\.]+)$/i


better write a rule for google translate as well.. i see it being abused 
soon. 

http://translate.google.com/translate?u=www.domain.tld&langpair=en%7Cen&hl=en


- dhawal


Re: DCC stops working.

2006-01-04 Thread Dhawal Doshy

User for SpamAssassin Mail List writes:

I've noticed when my mail server starts taking a big load hit that the DCC
stop working. I get lines like this in the syslog:

Jan  4 10:59:21 mail dccproc[1051]: continue not asking DCC 227 seconds after failure
Jan  4 10:59:21 mail dccproc[1052]: continue not asking DCC 227 seconds after failure
Jan  4 10:59:27 mail dccproc[1113]: continue not asking DCC 221 seconds after failure

Most of the time it works fine. Any ideas why it stops working?


try recreating your dcc maps (make a backup of both map and map.txt just in
case..)

cdcc info > /var/dcc/map.txt
cdcc "load /var/dcc/map.txt"

- dhawal


Re: SpamAssassin 3.0.5 RELEASED

2005-12-08 Thread Dhawal Doshy

Justin Mason wrote:



(NOTE: this is a maintenance release of the 3.0.x branch.  If you are
already running the more up-to-date, stable 3.1.0, pay no attention!
This is only for people who are stuck on 3.0.x for some reason.)

We got enough votes for those tarballs we voted on last week, so it's an
official release now.  Here are the checksums:


Someone forgot to update the spec file.

[EMAIL PROTECTED] ~]# rpmbuild -ta Mail-SpamAssassin-3.0.5.tar.gz
error: File /root/Mail-SpamAssassin-3.0.4.tar.gz: No such file or directory

- dhawal


Re: SpamAssassin 3.0.5 RELEASED

2005-12-08 Thread Dhawal Doshy
Theo Van Dinter writes: 


On Thu, Dec 08, 2005 at 09:30:42PM +0530, Dhawal Doshy wrote:
Someone forgot to update the spec file. 


[EMAIL PROTECTED] ~]# rpmbuild -ta Mail-SpamAssassin-3.0.5.tar.gz
error: File /root/Mail-SpamAssassin-3.0.4.tar.gz: No such file or directory


Yeah, I unfortunately only noticed that after the release occurred.  Sorry.
To fix it, we'd have to release 3.0.6, and I don't know if anyone'd be
interested in that simply for the spec file.  :(


Shouldn't be a problem, i used rpm2cpio on 3.0.4.src.rpm to create the 3.0.5 
RHEL4 rpms. As long as packagers (eg: Warren) can take care of this, most 
end users wouldn't notice. You might want to let others on the sa-dev know 
about this. 


- dhawal


Re: spam stats

2005-11-17 Thread Dhawal Doshy

Pál László wrote:

Hi,

I'm looking for some stat maker which can analyse my mail log. I'm using
SA 3.1.0 with Mailscanner and Postfix and I've tried spamstats-0.6b on my
mail.log but it does not produce any output.

Could you please recommend a working solution?

Thank you
Laszlo


See (all on one line) 
http://wiki.mailscanner.info/doku.php?id=idx=documentation:related_software:stats


- dhawal


Re: GERMAN ruleset updated

2005-11-14 Thread Dhawal Doshy
Michael Monnerie writes: 


On Samstag, 12. November 2005 16:04 Dhawal Doshy wrote:

warning: description for ZMIfish_VOLKSBANK2 is over 50 chars
warning: rule 'ZMIde_EMAIL_CAREERBULLDER' is over 22 chars
warning: rule 'ZMIfish_NETBANKING_FROM' is over 22 chars


Oh sorry. I got a report once about some names being too large. That 
warnings are not displayed in 3.1 anymore, which is what I use. Either 
way, I'll fix it done. 


New update is in, should be without length warnings.


Thank you, worked fine this time.. 


- dhawal


Re: GERMAN ruleset updated

2005-11-12 Thread Dhawal Doshy

Michael Monnerie wrote:

Hello list,

http://zmi.at/x/70_zmi_german.cf

contains the newest rules to catch german SPAM. Also available 
automagically via rules du jour name ZMI_GERMAN


Also documented here:
http://wiki.apache.org/spamassassin/CustomRulesets

Please report your german SPAM with full headers to [EMAIL PROTECTED]

mfg zmi


Michael,

A lint test with SA 3.0.4 gives me this, also did so for the previous 
version(s). I could live with it but rdj can't, could you possibly 
change this or let me know of a workaround (none that i could see in rdj).


warning: description for ZMIfish_VOLKSBANK2 is over 50 chars
warning: rule 'ZMIde_EMAIL_CAREERBULLDER' is over 22 chars
warning: rule 'ZMIfish_NETBANKING_FROM' is over 22 chars

thanks,
- dhawal


Re: new rules for stock spam?

2005-11-11 Thread Dhawal Doshy

Bill Randle wrote:

Does anyone have any rules to squash the recent spate of stock alert
spam that I've been seeing? The messages are coming from multiple
sources, although some can be traced back to IPs belonging to
kornet.net. There are no URLs in the message body. Bayes is probably
the best bet, but on my global db it's scoring only BAYES_50.

The last batch had scores like this:

 X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5
tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
 X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5
tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
 X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5 tests=BAYES_50,
FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE



The FSR_MASKED_FINANCIAL rule (from here 
http://www.wormbytes.ca/software/spamassassin/rules.cf) and a well 
trained bayes takes care of most stock spams. You could expand the rule 
to include pr*fit, auth*rity and l*w. Also see the 
72_sare_bml_post25x.cf rule from SARE.


Also since you have a lot of these spams, use them to train the bayes db.

- dhawal


Re: OT: DB connections coming from unqualified hostname

2005-11-09 Thread Dhawal Doshy

email builder wrote:

Hello,

  When we connect to our bayes/awl/user_scores databases, the connections are
being made by clients with unqualified hostnames.  If we try to use GRANTs
such as 'user'@'%.example.com', connections are refused since only the
hostname portion is being used to connect I guess.  For example, if a
hostname is gaia, a GRANT of 'user'@'gaia' works correctly, but not the
above wildcard.  Our connections are all over a local area network.  Can
anyone shed light on how to force connecting clients to be recognized with a
fully qualified hostname so we don't have to keep track of GRANTs for every
one of our spamd client machines?

Thanks!


/etc/hosts is your friend.. have a simple mapping of the IP to Hostname 
(assuming that the IP address doesn't change) and a corresponding entry 
for the hostname in the mysql (db/user) tables.


Also make sure you have this in /etc/nsswitch.conf, to ensure that 
/etc/hosts gets a higher priority over /etc/resolv.conf

hosts:  files dns

- dhawal


Re: HUGE bayes DB (non-sitewide) advice?

2005-11-08 Thread Dhawal Doshy

email builder wrote:

In-memory storage:
All data stored in each data node is kept in memory on the node's
host computer. For each data node in the cluster, you must have
available an amount of RAM equal to the size of the database times
the number of replicas,


This refers to the first line: In-memory storage. Of course you can't 
do that with 160GB DBs. You can still cluster - look at DRBD 
http://www.drbd.org/



I guess the relevant point for this thread is that I don't necessarily think
that this is the silver bullet as implied.  Even if you use a
high-availability clustering technology that can mirror writes and reads, you
are STILL dealing with the possibility of a database that is just massive. 
Processing this size of database will still be disk-bound unless you have an
unheard-of amount of memory; I don't think there's any reason to think that
clustering the problem will make it go away.

So I still wonder if anyone has any musings on my earlier questions?


A few spamassassin hacks could help.
1. Have multiple mysql servers, split your users into A-J, K-S, T-Z OR 
smaller units and distribute them over different servers, with some HA / 
failover mechanism (possibly drbd).
2. Have 2 level of bayes, one large global and the other smaller per 
user if that's possible. Of course SA will need to be changed to use both 
the bayes'. This way you could have 2 large servers for the global bayes 
db and 2 for the per user bayes dbs.


Also see if this SQL failover patch can help you in any way.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=2197

Finally to speed up the database have a look at this, the people at 
wikimedia / livejournal seem to be happy using it.

http://www.danga.com/memcached/

Hope that helps,
- dhawal


Re: MailScanner, SpamAssassin and Bayes rebuilds

2005-10-24 Thread Dhawal Doshy

Pierre Thomson wrote:

I just upgraded to MailScanner 4.46.2 (current stable version) and SpamAssassin 
3.1.0.  I have five MailScanner child processes, and they restart themselves 
every 4 hours.

On startup, the first of the five MS processes discovers that a Bayes rebuild 
is due, and proceeds to run it.  Thereafter, that thread gets SA timeouts 
almost every time, and after the limit of consecutive SA timeouts is reached it 
just passes everything.   Needless to say, we had a spammy weekend.

Anyone else seeing this sort of behavior?  Any suggestions?  For now, I have 
turned off automatic Bayes rebuilds, and it seems to be working OK...

thanks
Pierre Thomson
BIC



Expire tokens through a cronjob rather than using the controls in 
mailscanner, and see if it makes a difference (not that i recommend 
doing this but it's worth a try.)


Something like:
sa-learn --force-expire --sync -p /path/to/spam.assassin.prefs.conf

Also shoot off a mail to the mailscanner list and find out what is the 
recommended method for rebuilds.


- dhawal


Re: Managing a personal SURBL list

2005-10-18 Thread Dhawal Doshy
Chris Santerre writes: 


-Original Message-
From: Ramprasad A Padmanabhan [mailto:[EMAIL PROTECTED]
Subject: Managing a personal SURBL list 



Hi all,
  
  We are running spamassassin 3.1 with Mailscanner. The SURBL checks are
very efficient in catching spams ( without risk of FP's).
   Sometimes we get a lot of spam with URI's not listed in SURBL's ,
probably because they are too specific to our domain / locality.
To make sure that these spams too get caught .. we plan to run our own
SURBL list. Whats the best way of achieving this ? Any inputs ?  


Thanks
Ram


At the risk of being flamed, try www.uribl.com as well.  


--Chris


Folks, he appears to be asking about creating his own uribl data.. meaning 
run some script through confirmed spam (specific to his geographical 
location), extract the URIs and create a local zone to be used through 
rbldnsd (and preferably share it as well!!). 


- dhawal
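
The workflow suggested in the reply above (extract URIs from confirmed spam, publish them as a local zone served by rbldnsd), as an added example that is not code from the thread. The sample messages, the two-level TLD set, the allow-list, the hit threshold and the zone name `uribl.example.local` are all assumptions.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample spam (not from the thread); .test names are reserved.
SPAM = [
    "From: a@example.net\nSubject: meds\nContent-Type: text/plain\n\n"
    "Buy at http://www.pills-example.test/order now\n",
    "From: b@example.net\nSubject: meds again\n\n"
    "Visit http://shop.pills-example.test/ or http://www.google.com/\n",
    "From: c@example.net\nSubject: one-off\n\nhttp://rare-example.test/x\n",
]

URI_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
TWO_LEVEL = {"co.uk", "co.in", "com.au"}   # assumption: extend for your region
ALLOW = {"google.com", "w3.org"}           # assumption: domains never to list


def registered_domain(host):
    """Reduce a hostname to the domain a URI blocklist would be keyed on."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2 or all(x.isdigit() for x in labels):
        return None                        # bare word or IPv4 literal
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL else 2
    return ".".join(labels[-n:])


def body_text(msg):
    """Concatenate the decoded text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode("latin-1", "replace"))
    return "\n".join(chunks)


def extract_domains(raw_messages):
    """Count, per domain, how many messages carried a URI on that domain."""
    counts = Counter()
    for raw in raw_messages:
        hosts = URI_RE.findall(body_text(message_from_string(raw)))
        domains = {registered_domain(h) for h in hosts}
        counts.update(d for d in domains if d and d not in ALLOW)
    return counts


def build_zone(counts, min_hits=2):
    """Render an rbldnsd dnset: a default A/TXT line, then one domain per line."""
    lines = [":127.0.0.2:Listed in local URI blocklist"]
    lines += sorted(d for d, n in counts.items() if n >= min_hits)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_zone(extract_domains(SPAM)), end="")
    # Hypothetical SpamAssassin hookup, in the usual urirhssub form:
    #   urirhssub LOCAL_URIBL uribl.example.local. A 2
```

Counting messages rather than raw URI occurrences, together with the allow-list and the hit threshold, keeps a single odd mail or a legitimate domain quoted in spam from ending up in the zone.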


Re: Spamd / RDJ

2005-10-05 Thread Dhawal Doshy
Casey King writes: 


Because RDJ -lints SA, I have tried to create a cron job that would stop
Spamd from running.  I do not want it using up so much memory since
MailScanner calls SA on its own.  My crontab looks like this: 


[snip]


Does anyone have another idea of what I can do to shutdown SA after RDJ
lints SA?  I am getting tired of stopping SA from the command line.


Where do you define your trusted_rulesets? i define mine in 
/etc/sysconfig/rulesdujour, which also contains a line like this: 

SA_RESTART=/scripts/do_nothing.sh 


Content of /scripts/do_nothing.sh
#!/bin/bash
# This script takes care of the SA_RESTART parameter in rules_du_jour
exit 0 

Works like a charm, so far.. 


- dhawal


Re: {SPAM} Re: new type of spam

2005-09-30 Thread Dhawal Doshy

wolfgang wrote:

In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:


Attached is a subset of some porn rules I've been working on. They're
experimental, but the seem to work pretty well with fairly low FP rate.

They might have some FP cases I haven't noticed yet, so be careful with them,
but you might want to try them out.



Thanks, they look promising, one problem tho:
after adding them, --lint gives me:
Failed to run meta SpamAssassin tests, skipping some: syntax error at (eval 
64) line 547, near ) {

syntax error at (eval 64) line 634, near ;
}
in two different 3.0.4 installations. Maybe you find the problem faster than i 
could (and want to :)


cheers,



Failed to run meta SpamAssassin tests, skipping some: syntax error at 
(eval 62) line 830, near ) {

syntax error at (eval 62) line 1288, near ;
}

make that 2 of us getting the same error on SA 3.0.4

- dhawal


Re: Running spamd under daemontools

2005-09-22 Thread Dhawal Doshy

Matthew Yette wrote:

I've looked on Google for a while now - I haven't been able to find
directions or references to having spamd monitored under daemontools.
Specifically where I would find how to create the supervise directory for
spamd.

Has anyone successfully done this?

Matt


See if this helps..

http://www.shupp.org/toaster/#spamassassin, some modifications and 
downloading the toaster-scripts will be required.


BTW did you really search? google for spamd daemontools on the very 
first page lists this link.


- dhawal


Re: Running spamd under daemontools

2005-09-22 Thread Dhawal Doshy

Markus Eskola wrote:


Where your log go?, maybe you don't have logging enabled. Try '-s
/var/log/spamd.log'



Logging should be handled by daemontools as well better check the
log/run script under the supervise directory.

/markus


From:
http://spamassassin.apache.org/full/3.1.x/dist/doc/spamd.html

-s facility, --syslog=facility
Specify the syslog facility to use (default: mail). If stderr is 
specified, output will be written to stderr. (This is useful if you're 
running spamd under the *daemontools* package.) With a facility of file, 
all output goes to spamd.log. facility is interpreted as a file name to 
log to if it contains any characters except a-z and 0-9. null disables 
logging completely (used internally).


More details and examples in the spamd.html page..

- dhawal


Re: 3.0.4 hotmail FP's?

2005-08-22 Thread Dhawal Doshy

Warren Togami wrote:
Is anyone else seeing consistent hits of DNS_FROM_RFC_POST from 
legitimate hotmail mail?


Warren Togami
[EMAIL PROTECTED]


most of us do since that's the correct behaviour.. check
http://www.rfc-ignorant.org/tools/lookup.php?domain=hotmail.com

they've been listed in rfc_post for quite some time now and looks like 
they recently also got into rfc_abuse as well.


- dhawal