Re: How to write a rule to block phishing?

2020-06-19 Thread LuKreme
On Jun 19, 2020, at 06:06, Daryl Rose  wrote:
> I thought that a 5 was an average number and lowering it improves spam hits, 
> I may end up getting legitimate emails flagged as spam but I can add the 
> address to a whitefrom_list.  I read that in more than one location.  
> 
> I believe that I have the required score set to 2.0 or 2.5, or somewhere 
> around that.  I'm not able to look at this moment.   But you're saying that 
> if I change it back to the default score of 5, then I'll catch more spam?

You said a message scored 5 and was not classified as spam. The only way this 
happens is if you INCREASE the score from 5.0 to a higher number.

Setting your score to 2 will mark a huge amount of perfectly legitimate email 
as spam, but that is not what you described above.



Re: Spamass milter question

2020-05-27 Thread LuKreme
On May 27, 2020, at 20:08, John Hardin  wrote:
> 
> On Wed, 27 May 2020, @lbutlr wrote:
>>> On 27 May 2020, at 18:27, RW  wrote:
>>> I should have added that if  whitelist_from_rcvd *@* server.example.com
>>> (without the colon) is only failing occasionally on mail from
>>> server.example.com, it's probably just an rDNS lookup failure of some
>>> sort.
>> 
>> Well, I do not get anything that I consider spam from that server, so how 
>> often is this happening? Is it every time spamass-milter thinks the message 
>> is spam or is it some odd rdns issue? And how could I possibly try? The name 
>> and IP of the server show up in postfix logs.
> 
> Consider telling your MTA to skip SA entirely for that IP.

This is my server running my Postfix, bind, Spamassassin, and spamass-milter. I 
am trying to stop SA from checking mail from that domain (not a single IP).

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now



Re: Something much BETTER that Setting Threshold

2019-09-28 Thread LuKreme
On Sep 27, 2019, at 23:11, Ramon F Herrera  wrote:
> What I need is simply to remove all traffic coming from the domains: icu, 
> info, etc. That simple step would go a long way to solving my SPAM problem.

I do this in postfix helo checks. I reject most tlds before I even get to the 
data phase of the smtp transaction. 

Sent from my iPhone



Re: Setting Threshold

2019-09-27 Thread LuKreme
On Sep 27, 2019, at 13:14, Jerry Malcolm  wrote:
> I am trying to change the results threshold from 5.0 to 4.0. 

Do you have a really good reason that you have researched and really examined 
for doing this based on years of experience with SpamAssassin? If so, great.

But otherwise, in nearly all cases, this is a bad idea born out of a 
misunderstanding of how SA works.

Hint: for most servers and most users, lowering the threshold will simply mark 
legitimate mail as spam, annoying everyone. It is not a panacea to tag “mo’ 
spam”.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.



Re: perl core dumping

2019-05-30 Thread LuKreme
On May 29, 2019, at 21:08, Bill Cole  
wrote:
>> On 29 May 2019, at 20:34, @lbutlr wrote:
>>> On 29 May 2019, at 18:26, @lbutlr  wrote:
>>> Seeing a lot of this in the messages log
>>> 
>>> May 29 18:03:01 mail kernel: pid 99745 (perl), uid 0: exited on signal 11 
>>> (core dumped)
>> 
>> Could these be a result of the __STYLE_GIBBERISH_1 fault discussed in other 
>> threads?
> 
> Unlikely. Signal 11 is a segfault, while the __STYLE_GIBBERISH_1 issue causes 
> a busy hang that in most cases is caught by SA's internal timeout. On the 
> other hand, the fact that I saw 3 different behaviors across 3 different 
> regex(3) implementations makes it conceivable that yet another version/flavor 
> of libc could yield a segfault rather than a hang. Is my recollection correct 
> that you're running FreeBSD?

It is, FreeBSD 11.2. Disabling the gibberish check didn’t stop the core dumps 
though, so I think the issue lies elsewhere.

meta __STYLE_GIBBERISH_1 0

In local.cf?

Re: bad arg length for Socket::unpack_sockaddr_in

2019-05-22 Thread LuKreme
Giovanni Bechis  wrote:
> there should be message like
> "spamd: connection from %s [%s]:%s to port %d, fd %d" in your log files at 
> that time, could you post the relevant info ?

The three log lines I posted are the only spamd log lines I see when I grep all 
files in /var/log/ for spamd.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.

Re: Filtering at border routers: Is it possible?

2019-03-24 Thread LuKreme
On Mar 24, 2019, at 18:51, Reindl Harald  wrote:
>> Am 25.03.19 um 01:45 schrieb @lbutlr:
>>> On 24 Mar 2019, at 13:12, Grant Taylor  wrote:
>>> Okay, what do you think the difference is in "smtps" and "SMTPS"?
>> 
>> Oh, look, Wikipedia has some details.
>> 
>> 
> IDIOT

Stop replying to me, ok? In fact, never email me again.

> When describing the IANA service registration, the official
> capitalization is "smtps". When describing the network protocol, the
> capitalization "SMTPS" is often used (similar to how HTTPS is capitalized)

No, try reading for comprehension. Lowercase describes a server to server 
connection.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.



Re: Spammers, IPv6 addresses, and dnsbls

2018-03-04 Thread LuKreme
On Mar 2, 2018, at 03:54, Daniele Duca  wrote:
> I've started to notice that some (not saying names) VPS providers, when 
> offering v6 connectivity, sometimes tends to not follow the best practice of 
> giving a /64 to their customer, routing to them much smaller v6 subnets, 
> while still giving to them the usual /30 or /29 v4 subnets.

I have heard of at least one provider that assigns a single IPv6 (/128) to each 
machine, and uses a single /64 for their entire server farm (possibly a 
different /64 for each location).

The simplest solution is blacklist them until they are forced to gain clue 
points. Might not be realistic for some people, but if you don't cut them off 
from the Internet, how will they learn?

The stupid, it burns.

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.


Re: Email filtering theory and the definition of spam

2018-02-08 Thread LuKreme
On Feb 7, 2018, at 06:17, David Jones  wrote:
> 
> Hypothetical question: If you signed up for a new account on a website and 
> they had a small checkbox that was enabled to receive emails from them and 
> you didn't see it to uncheck it, when you get an email from them a month 
> later, is that spam?

Yes, because I didn't ask for it. Now, will I blackhole all such emails? Eh, 
probably not. When I bought a t-shirt and the company sent me marketing emails, 
I went in and unsubbed because, frankly, that was the simplest laziest thing I 
could do.

Now, if I unsub and they send more mail, or tell me it will take 30 days to 
remove my email, THEN I nuke them.

But if it's commercial mail I didn't specifically ask to receive, it's spam.

-- 
This is my signature. There are many like it, but this one is mine.


Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

2017-11-01 Thread LuKreme
On Nov 1, 2017, at 00:52, Rupert Gallagher  wrote:
> By local policy, we *reject* e-mail to undisclosed recipient, so this is not 
> a problem for us. 

You are rejecting legitimate mail then.

-- 
This is my signature. There are many like it, but this one is mine.




Re: Spamassassin not capturing obvious Spam

2016-05-31 Thread LuKreme
On May 31, 2016, at 00:18, Shivram Krishnan  wrote:
> It is not on production. I am using this to evaluate spamassassin.

You are not testing or evaluating properly when you break the configuration.

-- 



Re: Spamassassin not capturing obvious Spam

2016-05-30 Thread LuKreme
On May 30, 2016, at 20:24, Shivram Krishnan  wrote:
> I have followed the guidelines on 
> https://wiki.apache.org/spamassassin/ImproveAccuracy .

No, you really haven't.

> Content analysis details:   (3.9 points, -10.0 required)

This makes no sense at all. Either you have set the spam scores negative, which 
makes no sense, or you have set it to 10, which makes no sense.

Train more spam and don't muck with the levels.



Re: Lots of Polish spam

2015-02-24 Thread LuKreme
On Feb 24, 2015, at 15:24, Axb axb.li...@gmail.com wrote:
 *.pdf.zip is a dangerous one to block on sight - FP risk is huge

Really? I've never seen a .pdf.zip that was legitimate.




Re: Uptick in spam (bayes stats script)

2015-02-21 Thread LuKreme
On Feb 18, 2015, at 6:20 AM, Reindl Harald h.rei...@thelounge.net wrote:
 
 bayes-stats.txt

That is a lot cleaner and more obvious, thank you for sharing


-- 
Once again I teeter at the precipice of the generation gap.



Training new spamass-milter setup

2015-02-17 Thread LuKreme
OK, so I have spamass-milter running, but I need to train it. What is the 
proper way to do this?

-- 
What beep from yonder speaker sounds?



Re: Uptick in spam

2015-02-17 Thread LuKreme
On 16 Feb 2015, at 12:01 , Reindl Harald h.rei...@thelounge.net wrote:
 given that 24266 messages had BAYES_00 with a total number of 30401 delivered 
 mails in the current month that training strategy seems to work well
 
 [root@mail-gw:~]$ bayes-stats.sh

What is bayes-stats.sh?

-- 
I have a cunning plan.



Re: Training new spamass-milter setup

2015-02-17 Thread LuKreme
On 17 Feb 2015, at 08:27 , Robert Schetterer r...@sys4.de wrote:
 Am 17.02.2015 um 16:13 schrieb LuKreme:
 OK, so I have spamass-milter running, but I need to train it. What is the 
 proper way to do this?
 
 you dont train spamass-milter, you should train spamassassin

spamassassin has existing user-specific training already in place. 
Spamass-milter isn’t using the user DBs.


-- 
Don't just *do* something: *sit* there!



Re: spamass-milter and multiple local domains

2015-02-16 Thread LuKreme
On 16 Feb 2015, at 02:38 , Reindl Harald h.rei...@thelounge.net wrote:
 Am 16.02.2015 um 10:32 schrieb LuKreme:
 I have several local domains that resolve (via virtual) to local users in 
 addition to virtual domains that resolve to sql users.
 with spamass-milter, these secondary local domains (like kreme.com) fail to 
 find the user:
 spamd: handle_user (userdir) unable to find user: 'krem...@kreme.com’
 
 you must have a strange setup

Yes, it sort of grew that way over time as I started with only local users many 
years ago even as I added domains before switching new domains over to a SQL 
setup. I suppose I should move all the accounts to SQL but there are several 
issues with that on some accounts.

 normally the milter uses a global bayes and settings living in the 
 milter-users home (given the milter service and spamd are running as the same 
 users) and hence it don't need to know anything about users

Well, it is using -u and e flags to process the mail as the user, but when it 
checks for the user ‘krem...@kreme.com’ it can’t find it, because the user is 
‘kremels’. The SQL users show up just fine.

 postfix needs to know and would reject non existing email long before the 
 milter and milters job is just pass or reject messages

These are real users. It’s just that spamass-milter is only setup to look at 
one local domain and assumes that all other users will be u...@domain.tld.

Basically, the milter runs before the virtual expansion done by postfix. If I 
could run the milter after postfix checked virtual there wouldn’t be an issue, 
but I suspect that the virtual check is considerably later in the transaction 
phase and that I can’t change that ordering.

-- 
'I cannot! He has been kindness itself to me!' 'And you can be Death
itself to him.'



spamass-milter and multiple local domains

2015-02-16 Thread LuKreme
I have several local domains that resolve (via virtual) to local users in 
addition to virtual domains that resolve to sql users.

with spamass-milter, these secondary local domains (like kreme.com) fail to 
find the user:

spamd: handle_user (userdir) unable to find user: 'krem...@kreme.com’

Other than converting these other domains to mysql virtual domains, is there 
anyway that I can get certain domains to simply pass ‘user’ while other domains 
pass ‘u...@domain.tld’?

Since I have more than one of these domains, I can’t just use the -e flag.


-- 
Penny, I'm a physicist. I have a working knowledge of the entire
universe and everything it contains.



Quick spamass-milter question

2015-02-15 Thread LuKreme
Spamass-milter is (as designed, I’m sure) checking outbound mail. When it does 
this, SPF checks fail and a lot of outbound mail is getting scored as spam 
because of it.

The domains in question *do* have SPF records.

-- 
Why can't you be in a good mood? How hard is it to decide to be in a
good mood and be in a good mood once in a while?



Re: Quick spamass-milter question

2015-02-15 Thread LuKreme
On 15 Feb 2015, at 04:29 , Reindl Harald h.rei...@thelounge.net wrote:
 attached a local.cf from the submission server 

I just have the one server handling submission and outbound mail.

 # postconf -n | grep milter
milter_default_action = accept
smtpd_milters = unix:/var/run/spamass-milter.sock

 # grep milter /etc/rc.conf 
spamass_milter_socket_owner=spamd
spamass_milter_socket_group=mail
spamass_milter_socket_mode=664
spamass_milter_enable=Yes
spamass_milter_localflags="-r 9 -u spamd -e covisp.net -- -s 5242880"

 # grep -i milter mail.covisp.net.mc
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter.sock, F=, 
T=C:15m;S:4m;R:4m;E:10m')


-- 
He'd never felt really at home with swords, but a cleaver was a different
matter. A cleaver had weight. It had purpose. A sword might have a certain
nobility about it, unless it was the one belonging for example to Nobby, which
relied on rust to hold it together, but what a cleaver had was a tremendous
ability to cut things up.



Re: Quick spamass-milter question

2015-02-15 Thread LuKreme
On 15 Feb 2015, at 04:01 , Robert Schetterer r...@sys4.de wrote:
 Am 15.02.2015 um 01:29 schrieb LuKreme:
 Spamass-milter is (as designed, I’m sure) checking outbound mail. When it 
 does this, SPF checks fail and a lot of outbound mail is getting scored as 
 spam because of it.
 
 works like designed
 dont use spamass-milter for outbound

OK, but it seems to be setup to do that “out of the box” so to speak. How do I 
set it to only scan the incoming mail?


-- 
Some books are undeservedly forgotten; none are undeservedly remembered



Re: Quick spamass-milter question

2015-02-15 Thread LuKreme
On 15 Feb 2015, at 11:44 , Reindl Harald h.rei...@thelounge.net wrote:
 by set -o receive_override_options=no_milter for your submission service in 
 master.cf

I tried that already.

mail submit-tls/smtpd[46597]: fatal: unknown receive_override_options value 
no_milter in no_milter

submission   inet  n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_path=private/auth
  -o receive_override_options=no_milter
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=
  -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_helo_restrictions=
  -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o syslog_name=submit-tls

-- 
The fact that Bob and John are married does nothing to diminish anyone
else's marriage any more than a black woman marrying a white man, a Jew
marrying a Catholic, or an ugly Lyle marrying a Pretty Woman



Re: Quick spamass-milter question

2015-02-15 Thread LuKreme
On 15 Feb 2015, at 12:05 , Reindl Harald h.rei...@thelounge.net wrote:
 Am 15.02.2015 um 20:00 schrieb LuKreme:
 
   -o receive_override_options=no_milter
 
 sorry - copypaste error
 no_milterS

Funny we were both making the same typo at the same time… Sigh.

Thanks, sorted now. Yay.

 http://www.postfix.org/postconf.5.html#receive_override_options

Yep, that’s where I’d been and was about to report the failure when I saw your 
message. “I typed it right, right? Yep, same in master.cf as what Reindl typed.”


-- 
If a pig loses its voice, is it disgruntled?



Re: Amazon phishing spam

2015-02-15 Thread LuKreme
On 12 Feb 2015, at 17:58 , Dave Pooser dave...@pooserville.com wrote:
 Also, I score
 blacklist_from at 80 points so an address that's both blacklisted and
 whitelisted will be effectively whitelisted, thanks to a net -20 score.

Quick stupid question:

Is this the right syntax in local.cf to change the scores for blacklist_from 
and whitelist_auth:

score blacklist_from 5.0
score whitelist_auth -10.0

-- 
Turning and turning in the widening gyre
The falcon cannot hear the falconer;



Re: Amazon phishing spam

2015-02-14 Thread LuKreme
On Feb 13, 2015, at 5:42 PM, Benny Pedersen m...@junc.eu wrote:
 
 problem with lists is that a spammer just create a new free domain and spam 
 with it, so be in front, list all as spam until it known not to be

In this specific case, the list is a list of known domains that will pass 
whitelist_auth, which means you can blacklist them and when they pass auth, 
they magically get through.

As Dave Pooser posted:
 whitelist_auth *@bankofamerica.com
 blacklist_from *@bankofamerica.com
 
 I score blacklist_from at 80 points so an address that's both blacklisted and 
 whitelisted will be effectively whitelisted, thanks to a net -20 score

When BOA sends an email, it hits the blacklist and gets a score of +80, but if 
the mail passes whitelist_auth (meaning it’s really from BOA), then it gets a 
-100. So anyone who is not BOA ends up with a score of +80. It doesn’t matter 
how many random domains they create.

A list really would be helpful in this case.

-- 
'I don't like to ask them questions.' 'Why not?' 'They might give me
answers. And then what would I do?'



Re: Amazon phishing spam

2015-02-14 Thread LuKreme
On 14 Feb 2015, at 05:27 , Reindl Harald h.rei...@thelounge.net wrote:
 Am 14.02.2015 um 10:40 schrieb LuKreme:
 On Feb 13, 2015, at 5:42 PM, Benny Pedersen m...@junc.eu wrote:
 
 problem with lists is that a spammer just create a new free domain and spam 
 with it, so be in front, list all as spam until it known not to be
 
 In this specific case, the list is a list of known domains that will pass 
 whitelist_auth, which means you can blacklist them and when they pass auth, 
 they magically get through.
 
 As Dave Pooser posted:
 whitelist_auth *@bankofamerica.com
 blacklist_from *@bankofamerica.com
 
 I score blacklist_from at 80 points so an address that's both blacklisted 
 and whitelisted will be effectively whitelisted, thanks to a net -20 score
 
 When BOA sends an email, it hits the blacklist and gets a score of +80, but 
 if the mail passes whitelist_auth (meaning it’s really from BOA), then it 
 gets a -100. So anyone who is not BOA ends up with a score of +80. It 
 doesn’t matter how many random domains they create.
 
 and when BOA makes a mistake in their DNS (typo in the SPF as it happens way 
 too often ending in PERMERROR which is *not* a reason for a reject) or other 
 DNS issues are happening you would block all legit mail

It would block THEIR legit mail until they fixed their DNS. 

 in other words: you make your mailserver to a gambling machine with such 
 rules as long it's not for domains you maintain and can be sure that DNS 
 works unconditionally (no internet and foreign ISP involved)

I wasn’t suggesting you implement it on your machine. That said, I would very 
much like a list of hosts that pass whitelist_auth.

I suppose I could set a temporary score for whitelist_auth of -0.1 and see how 
many hits it gets in the next month or two.

-- 
Aren't you a little short for a stormtrooper?



Re: Amazon phishing spam

2015-02-14 Thread LuKreme
On 14 Feb 2015, at 16:00 , Dave Pooser dave...@pooserville.com wrote:
 On 2/14/15 4:23 PM, LuKreme krem...@kreme.com wrote:
 
 I wasn't suggesting you implement it on your machine. That said, I would
 very much like a list of hosts that pass whitelist_auth.
 
 whitelist_auth isn't a host-level check, it's an email address or
 domain-level check. If a message can be authenticated as being from this
 email address, then accept it. Mine is a short list, almost exclusively
 financial:
 
 blacklist_from *@wellsfargo.com
 whitelist_auth *@wellsfargo.com
 
 blacklist_from *@chase.com
 whitelist_auth *@chase.com
 
 blacklist_from *@bankofamerica.com
 whitelist_auth *@bankofamerica.com
 
 blacklist_from *.aexp.com
 whitelist_auth *.aexp.com
 
 blacklist_from *@americanexpress.com
 blacklist_from *.americanexpress.com
 whitelist_auth *@americanexpress.com
 whitelist_auth *.americanexpress.com
 
 blacklist_from *@atmosenergy.com
 whitelist_auth *@atmosenergy.com
 
 blacklist_from *@citibank.com
 whitelist_auth *@citibank.com

Thanks for the list.

 And Reindl is right that I'm assuming these senders won't suddenly decide
 to quit sending authenticated email.

Yes, I know he’s right, I just don’t really care. I’d rather stop the flood of 
scammer mails. I’m going to check on amazon, paypal, and apple as those are 
frequent phishing sources. Also, I do not delete received mail, regardless of 
how spammy it is (well, I do if it’s *my* mail and the spam score is over 10). 
It all gets delivered to the user where they are able to scan the Junk folder 
and recover any messages that were mistagged.

 If they do, I'll notice it in my logs pretty quickly and get it resolved, but 
 I understand that for some mail admins that's a risk they can't take.

Right.

 For myself, I'd rather reject barely-possibly-valid mail from those senders 
 than accept probable-phishing emails claiming to be from those senders;

Yes, exactly.

I will probably do something akin to what you did, with smaller numbers (like 
+5 and -10).

-- 
No sense being pessimistic. It wouldn't work anyway.
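
A consistency check for paired entries like those listed above, as an added example that is not part of the original thread: it reports any blacklist_from pattern with no identical whitelist_auth pattern, since an unpaired entry simply blacklists the domain. The function names and the `.example` domains are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads SpamAssassin config text on stdin.

# Print every blacklist_from pattern that has no identical whitelist_auth
# pattern. Both directives may carry several patterns on one line.
unpaired_blacklist() {
    awk '
        /^[ \t]*#/ { next }    # ignore commented-out lines
        $1 == "blacklist_from" { for (i = 2; i <= NF; i++) bl[$i] = 1 }
        $1 == "whitelist_auth" { for (i = 2; i <= NF; i++) wl[$i] = 1 }
        END { for (p in bl) if (!(p in wl)) print p }
    ' | sort
}

# Print "line-number: text" for directives typed without the space before
# the pattern; such a line is not a valid directive and never pairs up.
glued_directives() {
    awk '$1 ~ /^(blacklist_from|whitelist_auth)./ { print NR ": " $0 }'
}

# Constructed sample config (not a real list).
sample_config() {
    cat <<'EOF'
blacklist_from *@bank.example
whitelist_auth *@bank.example
blacklist_from *@shop.example *.shop.example
whitelist_auth *@shop.example
# blacklist_from *@retired.example
whitelist_auth*@typo.example
EOF
}

echo "unpaired blacklist_from patterns:"
sample_config | unpaired_blacklist
echo "malformed directives:"
sample_config | glued_directives
```

Run it against the real file with `unpaired_blacklist < local.cf` before restarting spamd.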



Re: Amazon phishing spam

2015-02-13 Thread LuKreme
On 13 Feb 2015, at 07:55 , Benny Pedersen m...@junc.eu wrote:
 On 13. feb. 2015 02.35.30 LuKreme krem...@kreme.com wrote:
 
  whitelist_auth *@bankofamerica.com
  blacklist_from *@bankofamerica.com
 
 Care to share your list, Dave?
 
 blacklist_from *@*.*
 whitelist_auth *@*.*
 
 untested :)

Heh. Nice one.

But seriously, a working set of these pairs would be great to have. It is 
surprising how much of the spam is faked from various companies.

It’s also something that is a little tricky to test, since a mistake means the 
domain is blacklisted.


-- 
Im finding's you'r mis'use of apostrophe's disturbing.



NYTimes hitting Bayes_99?

2015-02-12 Thread LuKreme
An email from the New York times daily headlines service is hitting Bayes_99 
and Bayes_999

 pts rule name          description
---- ------------------ --------------------------------------------------
 4.0 BAYES_99           BODY: Bayes spam probability is 99 to 100%
                        [score: 1.]
 0.2 BAYES_999          BODY: Bayes spam probability is 99.9 to 100%
                        [score: 1.]
 0.7 MIME_HTML_ONLY     BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE       BODY: HTML included in message
-0.1 DKIM_VERIFIED      No description available.
-0.1 DKIM_VALID_AU      Message has a valid DKIM or DK signature from author's
                        domain
 0.1 DKIM_SIGNED        Message has a DKIM or DK signature, not necessarily valid
 3.0 DCC_CHECK          Detected as bulk mail by DCC (dcc-servers.net)
-0.1 DKIM_VALID         Message has at least one valid DKIM or DK signature
 0.0 UNPARSEABLE_RELAY  Informational: message has unparseable relay lines
 0.5 MISSING_MID        Missing Message-Id: header

I’m curious about the two bayes hits and also the 3 points for bulk mail for 
something that I can’t see anyone would consider to be actual spam. Oh, and why 
is bayes_999 so low scoring?

Here are the headers:

X-Envelope-From: bou...@ms3.lga2.nytimes.com
X-Envelope-To: *munged*
Received: from pmta01.sea1.nytimes.com (unknown)
by mail.covisp.net(Postfix 2.11.3/8.13.0) with SMTP id unknown;
Thu, 05 Feb 2015 02:49:50 -0700
(envelope-from bou...@ms3.lga2.nytimes.com)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=paperboy-1024; 
d=nytimes.com;
 
h=From:Reply-To:Date:To:Subject:List-Unsubscribe:Content-Type:Content-Transfer-Encoding:Mime-version;
 i=nytdir...@nytimes.com;
 bh=QBBvEngh4H4VJh+esN1V9ZXrEvM=;
 b=nEM/BXRsjVQS6eg8IbBlkoGyDkkvdum/HTeAHs23BWniftrODk69nY1G7aD/hyiSZ8Mt1mfugICd
   46Eo90oUmNPbl+PZG7gWQgJBu3Gzpy81GXM/WP/IiUe+rJAu3niemR2PLCHbAgB89JsfmuEM5cz4
   MvOqLffdWt61lyniYcA=
Received: by pmta01.sea1.nytimes.com (PowerMTA(TM) v3.5r3) id hqcubs0hstka for 
*munged*; Thu, 5 Feb 2015 04:48:51 -0500 (envelope-from 
bou...@ms3.lga2.nytimes.com)
X-SegmentId: 68668
X-CampaignId: 129
X-InstanceId: 53489
X-ClientId: 34527544
From: NYTimes.com nytdir...@nytimes.com
Reply-To: nytdir...@nytimes.com
Date: Thu, 05 Feb 2015 04:48:51 -0500
To: *munged*
X-job: TH-20150205
Subject:  Today's Headlines: Claims Against Saudis Cast New Light on Secret 
Pages of 9/11 Report
List-Unsubscribe: 
mailto:nyt_unsubscr...@lga2.nytimes.com?subject=http://www.nytimes.com/gst/unsub.html?email=*munged*id=34527544segment=68668group=nlproduct=TH,
 
http://www.nytimes.com/gst/unsub.html?email=*munged*id=34527544segment=68668group=nlproduct=TH
Content-Type: text/html; charset=utf-8; 
Content-Transfer-Encoding: quoted-printable
Mime-version: 1.0


-- 
'Listen,' said Rincewind. 'It's all over, do you see? You can't put the
spells back in the book, you can't unsay what's been said, you can't-'
'You can try!' --The Light Fantastic



Re: Amazon phishing spam

2015-02-12 Thread LuKreme
On 12 Feb 2015, at 17:58 , Dave Pooser dave...@pooserville.com wrote:
 On 2/12/15, 6:48 PM, Alex Regan wrote:
 
 So shouldn't there be a rule for a rule that claims to come from Amazon
 but does not pass through any of its servers?
 
 I have a series of rules like:
 
 whitelist_auth *@bankofamerica.com
 blacklist_from *@bankofamerica.com

Interesting. What hits whitelist_auth? That is to say, what domains and/or 
email addresses can you use that with? Paypal? iTunes/Apple? 
Random-ecommerce-site.tld?

Care to share your list, Dave?

 So any bankofamerica.com address will be blacklisted, but for an
 authenticated address it's canceled by the whitelisting. (Also, I score
 blacklist_from at 80 points so an address that's both blacklisted and
 whitelisted will be effectively whitelisted, thanks to a net -20 score.)

This is interesting. I have a long list of blacklist_from for invalid tlds like 
.local or .lan, etc, but I’ve never seen this method before.

-- 
'What ho, b'zugda-hiara.' (Footnote: A killing insult in Dwarfish. It
means 'Lawn ornament'.)  --Wyrd Sisters



Re: NYTimes hitting Bayes_99?

2015-02-12 Thread LuKreme

 On 12 Feb 2015, at 19:05 , David B Funk dbf...@engineering.uiowa.edu wrote:
 
 On Thu, 12 Feb 2015, LuKreme wrote:
 
 An email from the New York times daily headlines service is hitting Bayes_99 
 and Bayes_999
 
  pts rule name          description
 ---- ------------------ --------------------------------------------------
  4.0 BAYES_99           BODY: Bayes spam probability is 99 to 100%
                         [score: 1.]
  0.2 BAYES_999          BODY: Bayes spam probability is 99.9 to 100%
                         [score: 1.]
  0.7 MIME_HTML_ONLY     BODY: Message only has text/html MIME parts
  0.0 HTML_MESSAGE       BODY: HTML included in message
 -0.1 DKIM_VERIFIED      No description available.
 -0.1 DKIM_VALID_AU      Message has a valid DKIM or DK signature from author's
                         domain
  0.1 DKIM_SIGNED        Message has a DKIM or DK signature, not necessarily valid
  3.0 DCC_CHECK          Detected as bulk mail by DCC (dcc-servers.net)
 -0.1 DKIM_VALID         Message has at least one valid DKIM or DK signature
  0.0 UNPARSEABLE_RELAY  Informational: message has unparseable relay lines
  0.5 MISSING_MID        Missing Message-Id: header
 
 I’m curious about the two bayes hits and also the 3 points for bulk mail for 
 something that I can’t see anyone would consider to be actual spam. Oh, and 
 why is bayes_999 so low scoring?
 
 Where'd you get that score of 3.0 for DCC_CHECK, mine is 1.1. DCC is a bulk 
 mail
 detection service, not spam detection.

Probably in local.cf then. I’ve commented out all the score adjustments in 
there for right now.

 Those BAYES_99 & BAYES_999 hits for a bulk-but-solicited mail really say
 mis-trained Bayes.
 For New York Times subscriptions my users usually hit either BAYES_00 or 
 BAYES_05.

Yeah, in my own email NYT hits bayes_00.

I just switched to using spamass-milter:

/usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock -u spamd -r 9 
-- -s 5242880

And it occurs to me that maybe it is not picking up bayes properly.

Should I train bayes as the spamd user?

use_bayes 1
bayes_auto_learn 1
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:bayes:localhost:3306
bayes_sql_username user
bayes_sql_password *pass*
bayes_sql_override_username user

 That BAYES_999 is an addition to BAYES_99 thus the small score. It's more
 intended to be used as meta fodder (or re-scored based on your trust of
 your Bayes).

OK, that makes sense.

When I make changes to local.cf do I need to restart SA or does it relied that 
file if it sees it’s changed?

-- 
Any man who says he can see through women is really missing a lot. -
Groucho Marx



Re: sa-update cron failure

2015-02-05 Thread LuKreme

 On Feb 5, 2015, at 1:03 AM, Bob Proulx b...@proulx.com wrote:
 
 LuKreme wrote:
 The front actin simply calls sa-update. Do I just 
 
 16  1  *  *  *  PATH=/usr/bin:/bin:/usr/local/bin /usr/local/bin/sa-update 
 && /usr/local/bin/sa-compile && /usr/local/etc/rc.d/sa-spamd restart
 
 ?
 
 Or is there a reason not to do that?
 
 The syntax variable=value command is a /bin/sh syntax which sets the
 variable for just that command.  In the above sa-update would get the
 PATH setting.  But then && terminates that command.

I’m actually not positive that is the case. The && syntax chains the commands 
into a dependent chain (sa-update only triggers if sa-update succeeded and 
sa-spamd restart only triggers if both previous commands succeeded, so it would 
certainly make sense that some state like setting variables is preserved. 
Haven’t tested this, but it’s pretty trivial.

 # /bin/sh
 # PATH=/bin:/usr/local/bin echo $PATH && echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin

Hm. That’s odd.

Something else going on there.

 The next two commands sa-compile and sa-spamd would not get PATH set 
 differently for them.  Is that important to you?

No idea. I don’t know about the internals of sa-compile. I can’t think of any 
reason it could need gpg though.

  # The default vixie-cron PATH is /usr/bin:/bin, overriding the environment.
  PATH="/usr/local/bin:/usr/bin:/bin:/usr/games"

That does seem better (well, minus /usr/games)

 Then PATH will be set for all commands started from that crontab.
 
 Personally I prefer to use a file /etc/cron.daily/spamassassin which
 then calls all of the individual programs.  The /etc/cron.daily is a
 directory of scripts (not crontabs) where each script is run once
 daily one after the other.  Since that is a script you can set PATH in
 that script and again it would be set for all subsequent invocations.

That also sounds good, but my crontab is actually quite simple. Sa-update, 
portsnap, and some deleting aging emails.



-- 
'I really should talk to him, sir. He's had a near-death experience!'
'We all do. It's called living.'



Re: sa-update cron failure

2015-02-05 Thread LuKreme
On Feb 5, 2015, at 2:28 AM, Reindl Harald h.rei...@thelounge.net wrote:
 [root@srv-rhsoft:~]$ cat /etc/crontab
 SHELL=/usr/bin/bash
 PATH=/usr/bin:/usr/sbin
 LANG=en_GB.UTF-8
 MAILTO=root
 HOME=/
 PODCAST_THREADS=6

Ah, no, I’ve never touched /etc/crontab. I use sudo crontab -e to edit the 
user-level crontab for root. I consider /etc/crontab the system level crontab 
for root and I don’t touch that one.

The PATH in /etc/crontab is not the PATH that was returned above, so it doesn’t 
look like the path in /etc/crontab carries forward to the other user crontabs.

Setting the path explicitly at the top of the root user’s crontab worked.

On Feb 5, 2015, at 7:03 AM, Benny Pedersen m...@junc.eu wrote:
 Kevin A. McGrail skrev den 2015-02-05 14:18:
 Rather than learning more about how path and cron works, perhaps just
 symlink things like gpg to /usr/bin might be easier. Gpg is used to
 verify the authenticity of the update.
 
 or remove bad installers of gpg ? :=)
 
 http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard

That may be, but both SA and gpg are installed by ports, and ports puts most 
everything under /usr/local which contains within it a /etc /sbin /bin /lib 
/libexec &c. At least I think that gpg comes from gnupg1-1.4.18_2.

On Feb 5, 2015, at 10:28 AM, Bob Proulx b...@proulx.com wrote:
 LuKreme wrote:
 # /bin/sh
 # PATH=/bin:/usr/local/bin echo $PATH && echo $PATH
 /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
 /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
 
 Hm. That’s odd.
 
 Something else going on there.
 
 Yes.  Something else is going on.  :-)


Damnit. Yes, of course. Grr.

Here is a real test without my being stupid. As stupid.

 # PATH=/usr/local/bin:/usr/bin:bin whichgpg && whichgpg 
/usr/local/bin:/usr/bin:bin
/usr/local/bin/gpg
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/bin:/usr/local/sbin/:/sw/bin:/usr/X11R6/bin
/usr/local/bin/gpg

So, yes, the variable setting does NOT get carried through to the second 
command as you said.

-- 
On 30 Jul 2013, Wietse Venema wrote:
Think 100MHz Pentium, 33k6 analog modem. Even I have stopped using that.
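
The behaviour confirmed in the message above, as an added example that is not part of the original thread: a `VAR=value` prefix reaches only the first command of an `&&` chain, while an exported assignment (or a `PATH=` line at the top of the crontab) reaches every command. The function names and the two sample PATH values are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): how far a VAR=value prefix reaches in an && chain.

CRON_PATH=/usr/bin:/bin                    # PATH the cron job reported in the thread
FULL_PATH=/usr/local/bin:/usr/bin:/bin     # PATH that also covers the ports prefix

# Print the PATH seen by each of two chained child processes, one per line.
#   prefix: PATH=... cmd1 && cmd2     (assignment applies to cmd1 only)
#   export: PATH=...; export PATH     (applies to every later command)
# The body runs in a subshell so the caller's PATH is never modified.
chain_paths() (
    PATH=$CRON_PATH; export PATH           # start from cron's minimal environment
    case $1 in
        prefix)
            PATH=$FULL_PATH /bin/sh -c 'echo "$PATH"' && /bin/sh -c 'echo "$PATH"' ;;
        export)
            PATH=$FULL_PATH; export PATH
            /bin/sh -c 'echo "$PATH"' && /bin/sh -c 'echo "$PATH"' ;;
        *)
            echo "usage: chain_paths prefix|export" >&2; exit 2 ;;
    esac
)

# Would a tool named $2 be found by a process that inherits PATH=$1?
# Prints the resolved path, or returns non-zero when the lookup fails,
# which is the situation behind "gpg required but not found!".
resolve_in() (
    PATH=$1; export PATH
    command -v "$2"
)

# Run as "sh thisfile demo" to print both cases.
if [ "${1:-}" = demo ]; then
    echo "prefix form:"; chain_paths prefix
    echo "export form:"; chain_paths export
fi
```
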



sa-update cron failure

2015-02-04 Thread LuKreme
Cron is sending me an error:

error: gpg required but not found!  It is not recommended, but you can use 
sa-update with the --no-gpg to skip the verification.

However, if I run sa-update -D from the command line, it succeeds:

Feb  4 08:48:26.885 [48573] dbg: logger: adding facilities: all
Feb  4 08:48:26.885 [48573] dbg: logger: logging level is DBG
Feb  4 08:48:26.885 [48573] dbg: generic: SpamAssassin version 3.4.0
Feb  4 08:48:26.885 [48573] dbg: generic: Perl 5.020001, PREFIX=/usr/local, 
DEF_RULES_DIR=/usr/local/share/spamassassin, 
LOCAL_RULES_DIR=/usr/local/etc/mail/spamassassin, 
LOCAL_STATE_DIR=/var/db/spamassassin
Feb  4 08:48:26.885 [48573] dbg: config: timing enabled
Feb  4 08:48:26.886 [48573] dbg: config: score set 0 chosen.
Feb  4 08:48:26.893 [48573] dbg: generic: sa-update version svn1475932
Feb  4 08:48:26.893 [48573] dbg: generic: using update directory: 
/var/db/spamassassin/3.004000
Feb  4 08:48:27.425 [48573] dbg: diag: perl platform: 5.020001 freebsd
Feb  4 08:48:27.425 [48573] dbg: diag: [...] module installed: Digest::SHA, 
version 5.88
Feb  4 08:48:27.425 [48573] dbg: diag: [...] module installed: HTML::Parser, 
version 3.71
Feb  4 08:48:27.425 [48573] dbg: diag: [...] module installed: Net::DNS, 
version 0.82
Feb  4 08:48:27.425 [48573] dbg: diag: [...] module installed: NetAddr::IP, 
version 4.069
Feb  4 08:48:27.425 [48573] dbg: diag: [...] module installed: Time::HiRes, 
version 1.9726
Feb  4 08:48:27.425 [48573] dbg: diag: [...] module installed: Archive::Tar, 
version 1.96
Feb  4 08:48:27.425 [48573] dbg: diag: [...] module installed: IO::Zlib, 
version 1.10
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module not installed: Digest::SHA1 
('require' failed)
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module installed: MIME::Base64, 
version 3.14
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module installed: DB_File, version 
1.831
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module installed: Net::SMTP, 
version 2.33
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module installed: Mail::SPF, 
version v2.009
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module not installed: Geo::IP 
('require' failed)
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module not installed: 
Razor2::Client::Agent ('require' failed)
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module installed: IO::Socket::IP, 
version 0.36
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module installed: 
IO::Socket::INET6, version 2.72
Feb  4 08:48:27.426 [48573] dbg: diag: [...] module installed: IO::Socket::SSL, 
version 2.009
Feb  4 08:48:27.427 [48573] dbg: diag: [...] module installed: Compress::Zlib, 
version 2.064
Feb  4 08:48:27.427 [48573] dbg: diag: [...] module installed: Mail::DKIM, 
version 0.4
Feb  4 08:48:27.427 [48573] dbg: diag: [...] module installed: DBI, version 
1.633
Feb  4 08:48:27.427 [48573] dbg: diag: [...] module installed: Getopt::Long, 
version 2.42
Feb  4 08:48:27.427 [48573] dbg: diag: [...] module not installed: 
LWP::UserAgent ('require' failed)
Feb  4 08:48:27.427 [48573] dbg: diag: [...] module installed: HTTP::Date, 
version 6.02
Feb  4 08:48:27.427 [48573] dbg: diag: [...] module installed: Encode::Detect, 
version 1.01
Feb  4 08:48:27.427 [48573] dbg: diag: [...] module not installed: 
Net::Patricia ('require' failed)
Feb  4 08:48:27.428 [48573] dbg: gpg: Searching for 'gpg'
Feb  4 08:48:27.428 [48573] dbg: util: current PATH is: 
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/bin:/usr/local/sbin:/home/syth/bin
Feb  4 08:48:27.428 [48573] dbg: util: executable for gpg was found at 
/usr/local/bin/gpg
Feb  4 08:48:27.429 [48573] dbg: gpg: found /usr/local/bin/gpg
Feb  4 08:48:27.429 [48573] dbg: gpg: release trusted key id list: 
5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 
0C2B1D7175B852C64B3CDC716C55397824F434CE
Feb  4 08:48:27.430 [48573] dbg: channel: attempting channel 
updates.spamassassin.org
Feb  4 08:48:27.430 [48573] dbg: channel: using existing directory 
/var/db/spamassassin/3.004000/updates_spamassassin_org
Feb  4 08:48:27.430 [48573] dbg: channel: channel cf file 
/var/db/spamassassin/3.004000/updates_spamassassin_org.cf
Feb  4 08:48:27.430 [48573] dbg: channel: channel pre file 
/var/db/spamassassin/3.004000/updates_spamassassin_org.pre
Feb  4 08:48:27.430 [48573] dbg: channel: metadata version = 1655961, from file 
/var/db/spamassassin/3.004000/updates_spamassassin_org.cf
Feb  4 08:48:27.611 [48573] dbg: dns: 0.4.3.updates.spamassassin.org = 
1655961, parsed as 1655961
Feb  4 08:48:27.611 [48573] dbg: channel: current version is 1655961, new 
version is 1655961, skipping channel
Feb  4 08:48:27.612 [48573] dbg: diag: updates complete, exiting with code 1

 # which sa-update
/usr/local/bin/sa-update
 # crontab -l |grep sa-update
16  1  *  *  *  /usr/local/bin/sa-update && /usr/local/bin/sa-compile && 
/usr/local/etc/rc.d/sa-spamd restart


-- 
LOOSE TEETH DON'T NEED MY HELP Bart chalkboard Ep. AABF16



Re: sa-update cron failure

2015-02-04 Thread LuKreme

 On Feb 4, 2015, at 8:34 PM, David B Funk dbf...@engineering.uiowa.edu wrote:
 
 On Wed, 4 Feb 2015, LuKreme wrote:
 
 On Feb 4, 2015, at 8:57 AM, Joe Quinn jqu...@pccc.com wrote:
 Perhaps /usr/local/bin is not on PATH for the cron user?
 
 I don’t understand what you are saying. The crontab lists the full path.
 
 # crontab -l |grep sa-update
 16  1  *  *  *  /usr/local/bin/sa-update && /usr/local/bin/sa-compile && 
 /usr/local/etc/rc.d/sa-spamd restart
 
 You are right but the things -inside- that sa-update script do not have the 
 full path for each of their tools they use. Thus the gpg utility must
 be in a directory included in the $PATH variable that the script inherits.

Ah, right.

The script returns 

PATH=/usr/bin:/bin

Seems the sa-update script should be able to figure out the location for gpg.

Now what?

-- 
A good friend will come and bail you out of jail but a true friend will
be sitting next to you saying, Dang, that was fun.



Re: sa-update cron failure

2015-02-04 Thread LuKreme
On Feb 4, 2015, at 8:57 AM, Joe Quinn jqu...@pccc.com wrote:
 Perhaps /usr/local/bin is not on PATH for the cron user?

I don’t understand what you are saying. The crontab lists the full path.

  # crontab -l |grep sa-update
 16  1  *  *  *  /usr/local/bin/sa-update && /usr/local/bin/sa-compile && 
 /usr/local/etc/rc.d/sa-spamd restart

-- 
Happy Jack wasn't tall, but he was a man



Re: sa-update cron failure

2015-02-04 Thread LuKreme
On Feb 4, 2015, at 9:21 PM, Kevin A. McGrail kmcgr...@pccc.com wrote:
 Define your path in the cron script.

The cron action simply calls sa-update. Do I just 

16  1  *  *  *  PATH=/usr/bin:/bin:/usr/local/bin /usr/local/bin/sa-update && 
/usr/local/bin/sa-compile && /usr/local/etc/rc.d/sa-spamd restart

?

Or is there a reason not to do that?

-- 
Mac OSX - Because making Unix user-friendly was easier than fixing
Windows.



Re: after months of training still most messages treated as SPAM

2015-01-25 Thread LuKreme
On Jan 23, 2015, at 6:55 AM, Wolf Drechsel drech...@verkehrsplanung.com wrote:
 2.0 BAYES_50   BODY: Spamwahrscheinlichkeit nach Bayes-Test: 
 40-60%

This is incorrect.

Bayes_50 should be scored at about 0.5, or lower.

-- 
Your stepmom is cute
Shut up, Ted
Remember when she was a senior and we were freshmen?
Shut up Ted!



Re: Can't change SpamAssassin score without enabling the Spam Auto-Delete function

2014-12-15 Thread LuKreme
On Dec 15, 2014, at 10:20 AM, Herbert Eppel h...@hetranslations.co.uk wrote:
 In view of the fact that some of my domains are increasingly inundated with 
 spam, I would like to reduce the SpamAssassin score from the default value of 
 5 to a lower value, in order to make SpamAssassin more 'aggressive'

This is not the way to go, though it seems to make sense. The rulesets are 
designed around the idea that pushing past a 5.0 indicates a strong possibility 
that the message is spam and that a score of 4.5 is not. If you drop the score 
to 4.5, you are not making SA more aggressive, you are intentionally marking 
messages that SA says are not spam as spam.

A better way is to adjust scores. Carefully.

The best way is to train bayes, but train it well. If your host doesn’t allow 
this, maybe you can find a host that does?

Also, what is your server doing BEFORE receiving the message to block spam? 
Most mail providers with cPanel seem to do either nothing or nearly nothing.

Good filters and postscreen (or postscreen-like) before SMTP transaction will 
do *far* more to alleviate your spam problem.

-- 
you cannot code around infinite implementations of OCD -John C Welch



Re: Honeypot email addresses

2014-12-02 Thread LuKreme
On Dec 1, 2014, at 10:28 PM, Ted Mittelstaedt t...@ipinc.net wrote:
 This is assuming of course that your instantly blocking everything from a 
 sender that happens to email a honeypot.

Right. That is the *point* of a honeypot. The only thing going to a honeypot is 
going to be a spammer.

 Most honeypots are not used in such a draconian fashion.

Every single one I’ve ever seen has.

-- 
You're just impressed by any pretty girl who can walk and talk. She
doesn't have to talk.



Re: Honeypot email addresses

2014-12-02 Thread LuKreme

 On Dec 2, 2014, at 10:24 AM, Ted Mittelstaedt t...@ipinc.net wrote:
 
 
 
 On 12/2/2014 6:19 AM, LuKreme wrote:
 On Dec 1, 2014, at 10:28 PM, Ted Mittelstaedtt...@ipinc.net  wrote:
 This is assuming of course that your instantly blocking everything from a 
 sender that happens to email a honeypot.
 
 Right. That is the *point* of a honeypot. The only thing going to a honeypot 
 is going to be a spammer.
 
 Most honeypots are not used in such a draconian fashion.
 
 Every single one I’ve ever seen has.
 
 
 i see tons of spam relayed through throwaway accounts on Yahoo, and even some 
 from Gmail and Microsoft's various domains.  This is to all manner of 
 accounts, both valid and invalid, former accounts and accounts that never 
 existed.  So your saying it's OK to block those because you get a piece of 
 spam from them to a honeypot?

If a message claims to come from Yahoo and comes from xyz.tl it is already 
rejected.

 Or are you saying that with your honeypots that the large providers get a 
 free pass to spam you when they email your honeypots?

I don’t recall ever saying I had my own honeypots.

-- 
Some books are undeservedly forgotten; none are undeservedly remembered



Re: Honeypot email addresses

2014-12-02 Thread LuKreme

 On Dec 2, 2014, at 11:28 AM, Reindl Harald h.rei...@thelounge.net wrote:
 
 
 Am 02.12.2014 um 19:22 schrieb Niamh Holding:
 Hello Reindl,
 
 Tuesday, December 2, 2014, 6:14:26 PM, you wrote:
 
 RH no, i am saying nobody right in his mind is rejecting mails because
 RH *one* RBL
 
 You do say the sweetest things!
 
 Should I be offended given that we block at SMTP time if an IP address
 is listed in just one of a chosen selection of RBLs... known senders
 are whitelisted prior to RBL checking.
 
 you should re-consider that, your users problems
 
 as said:
 the linux.com newsletter get blocked by b.barracudacentral.org which is 
 normally a trustful blacklist (their URIBL's on the devices are crap playing 
 lottery with email) a since we replaced the device i receive it again 
 (b.barracudacentral.org is still used, but as *one* RBL in the postscreen mix)

I have *never* considered Barracuda to be reliable. At least they have stopped 
their practice of listing my server and then sending me spam offering to sell 
me their crapware to keep it off blacklists for  per month.

 another recent example:
 Spamhaus blocked GMX/11/Web.de completly *by a mistake*, no problem in case 
 of scoring, a ruined weekend if we had used it as only source

The extremely occasional mistaken block is more than made up for by the vast 
quantities of spam that are blocked every day. I reject at SMTP based on zen. 
If zen is mistaken, at least the sender doesn’t think the mail was delivered and 
if they (and their MUA) are competent, they know WHY their mail didn’t go 
through.

-- 
Oh, the sweet wine of youth goes sour over time
Seems like the more that you lose, the more you ache to find



Re: New spam / phishing rule?

2014-11-08 Thread LuKreme
On Nov 7, 2014, at 10:03 AM, Benny Pedersen m...@junc.eu wrote:
 
 What mua clients shows invalid mimetypes ?

Most all of them.

-- 
He'd never asked for an exciting life. What he really liked, what he
sought on every occasion, was boredom. The trouble was that boredom
tended to explode in your face. Just when he thought he'd found it he'd
be suddenly involved in what he supposed other people - thoughtless,
feckless people - would call an adventure. And he'd be forced to visit
many strange lands and meet exotic and colourful people, although not
for very long because usually he'd be running. He'd seen the creation of
the universe, although not from a good seat, and had visited Hell and
the afterlife. He'd been captured, imprisoned, rescued, lost and
marooned. Sometimes it had all happened on the same day.



Re: New spam / phishing rule?

2014-11-08 Thread LuKreme
On Nov 8, 2014, at 5:54 PM, Reindl Harald h.rei...@thelounge.net wrote:
 Am 09.11.2014 um 01:48 schrieb Dave Pooser:
 On 11/8/14, 5:57 PM, Reindl Harald h.rei...@thelounge.net wrote:
 
 what is that garbage worth for?
 
 It's from a book by Terry Pratchett. Are we really so hard up for things to 
 talk about that we're going to have a .sig flamewar now?
 
 it's not a matter of hard
 it's a matter of sending 1 line followed by 10 or more garbage

Feel free to bin/killfile/spam-tag my posts. Makes less than no difference 
to me. That would be far more effective than complaining about it.

-- 
'It's a lovely morning, lads,' he said. 'I feel like a million dollars.
Don't you?' There was a murmur of reluctant agreement. 'Good,' said
Cohen. 'Let's go and get some.' --Interesting Times



spamc causing Duplicate emails

2014-10-22 Thread LuKreme
I am seeing duplicate emails when saved off into my Maildirs. My normal mail 
application ignores these duplicates, but iOS 8 does not, so I need to figure 
out what's going on.


 1412808979.M904650P22299.mail.covisp.net,S=65189,W=66526:2,S
 1412808979.M904651P22299.mail.covisp.net,S=65197,W=66534:2,S

 $ diff 1412808979.M904651P22299.mail.covisp.net\,S\=65197\,W\=66534\:2\,S 
1412808979.M904650P22299.mail.covisp.net\,S\=65189\,W\=66526\:2\,S 
7c7
   RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,URIBL_GREY autolearn=unavailable
---
   RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS,URIBL_GREY autolearn=ham
9a10,11
   *  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
   *  [URIs: mailchimp.com]
13,14d14
   *  0.4 URIBL_GREY Contains an URL listed in the URIBL greylist
   *  [URIs: mailchimp.com]

Does this indicate that it's spamassassin that is somehow creating a duplicate?

There are no 'c' flags in my procmailrc:

$ grep :0 .procmailrc 
:0
:0fw
:0E
:0
:0
:0
:0 hf
:0 fw
:0
:0 
  :0
  :0
  :0
:0
   :0
   :0
   :0

Looking through my mailspool it looks like this started Sep 25, but I last 
updated SA on 30 August.

my local.cf is (no comments)
allow_user_rules 1
rewrite_header Subject (Spam? _SCORE(0)_)
report_safe 1
add_header all Report _REPORT_
report_contact ad...@covisp.net
trusted_networks 75.148.37.66
trusted_networks 75.148.37.67
trusted_networks 75.148.37.68
trusted_networks 75.148.37.69
lock_method flock
required_score 5.0
use_bayes 1
bayes_auto_learn 1
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:bayes:localhost:3306
bayes_sql_username bayesuser
bayes_sql_password 1vJWe4ms0a23EGRpM
bayes_sql_override_username bayesuser
score DKIM_ADSP_CUSTOM_HIGH 10
score DKIM_ADSP_DISCARD 5
score DKIM_ADSP_ALL 3
 ... a bunch of ads overrides ... 
bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Status
score HABEAS_ACCREDITED_COI 0.1
score HABEAS_ACCREDITED_SOI 0.5
score HABEAS_CHECKED 0
score BAYES_99 4.0
score BAYES_95 2.5
score BAYES_80 2
score BAYES_60 1.00
score BAYES_50 0.50
score BAYES_40 -0.50
score BAYES_20 -2.50
score BAYES_05 -3.50
score BAYES_00 -4.00
score USER_IN_DEF_DKIM_WL -0.3
score DKIM_VERIFIED -0.1
score DKIM_SIGNED 0.1
score URIBL_DBL_SPAM 3.1
score DCC_CHECK 2.0
rawbody LOCAL_U_UNESCAPE /[+=(]\s*unescape\s*\(\s*[']%(6[1-9A-F]|7[0-9A])/
describe LOCAL_U_UNESCAPE Suspicious use of JS unescape function
score LOCAL_U_UNESCAPE 2.8
rawbody LOCAL_U_STRCONCAT /[+=(]\s*(['])[a-zA-Z0-9\.]{1,16}\1 
?\+?\1[a-zA-Z0-9\.]{0,16}\1/
describe LOCAL_U_STRCONCAT Suspicious unnecessary string concatenation
score LOCAL_U_STRCONCAT 2.7
rawbody LOCAL_HIDE_FROMCHARCODE /=\s*String\.fromCharCode\b/
describe LOCAL_HIDE_FROMCHARCODE Obfuscated used of JS fromCharCode function
score LOCAL_HIDE_FROMCHARCODE 0.6
rawbody LOCAL_HIDE_URL /[+=(]\s*(['])(?!http)h(\1 ?\+ ?\1)?t(\1 ?\+?\1)?t(\1 
?\+ ?\1)?p(\1 ?\+ ?\1)?(?!:\/\/):(\1 ?\+ ?\1)?\/(\1 ?\+ ?\1)?\//
describe LOCAL_HIDE_URL Obfuscated HTTP link eg. 'ht'+'tp:'+'//'
score LOCAL_HIDE_URL 1.9
rawbody LOCAL_JS_REDIR1 
/[Ss][Cc][Rr][Ii][Pp][Tt]\s*(type=[^]+\s*)?\s*(window|self|(var\s+)?([a-z]+)\s*=\s*window\s*;?\s*\4)?\.?(location|\[[']location[']\])(\.href)?\s*[=(]/
describe LOCAL_JS_REDIR1 Code for a JS redirect
score LOCAL_JS_REDIR1 0.5
body LOCAL_FILLER_TEXT /([A-Z][a-z]*(\s[a-z]+){4,6}\.?\s?){18}/
describe LOCAL_FILLER_TEXT Long sequence of 5-7 word sentences with capital 
only at start
score LOCAL_FILLER_TEXT 1.4
score RP_MATCHES_RCVD -0.1
score RCVD_IN_BRBL_LASTEXT 2.7
score DCC_CHECK 3.0
report BAYES_HT _HAMMYTOKENS(50)_
report BAYES_ST _SPAMMYTOKENS(50)_
... a bunch of blacklist_from ...

spamassassin -D --lint is very long


-- 
ALL WORK AND NO PLAY MAKES BART A DULL BOY ALL WORK AND NO PLAY MAKES
BART A DULL BOY ALL WORK AND NO PLAY MAKES BART A DULL BOY Bart
chalkboard Ep. 1F07



Re: spamc causing Duplicate emails

2014-10-22 Thread LuKreme

 On 22 Oct 2014, at 19:38 , John Hardin jhar...@impsec.org wrote:
 
 On Wed, 22 Oct 2014, LuKreme wrote:
 
 I am seeing duplicate emails when saved off into my Maildirs. My normal mail 
 application ignores these duplicates, but iOS 8 does not, so I need to 
 figure out what's going on.
 
 1412808979.M904650P22299.mail.covisp.net,S=65189,W=66526:2,S 
 1412808979.M904651P22299.mail.covisp.net,S=65197,W=66534:2,S
 
 How separated in time are the two message files?

They aren't. The first blob is the epoch time stamp, so they are in the same 
second.

 Do you have any kind of procmail logging turned on?

Yes. All I see is that when the message comes in to my procmailrc, it comes in 
twice, so the duplication is happening up stream (which probably means dovecot, 
but it looked like spamc initially, so I posted here first).

 Are all messages duplicated, or only some?

All of them across multiple accounts.

 Is the message addressed to you and also to an alias that also resolves to 
 you, or something else that would cause the system to duplicate the message 
 upstream of procmail?
 
 Does this indicate that it's spamassassin that is somehow creating a 
 duplicate?
 
 Doubtful. SA only scores and may rewrite the headers a bit. It's vaguely 
 possible that the glue is doing it somehow. Is procmail your glue, or 
 something else upstream (a milter or some such)?

The more I look at it, the more it looks like it must be dovecot somehow.

Thanks, the questions help me focus on what is really happening.

-- 
Let the Wookiee win.



Re: spamc causing Duplicate emails

2014-10-22 Thread LuKreme

 On 22 Oct 2014, at 20:39 , John Hardin jhar...@impsec.org wrote:
 
 On Wed, 22 Oct 2014, LuKreme wrote:
 
 Thanks, the questions help me focus on what is really happening.
 
 Happy to help.

Aha. It was procmail, but it was /usr/local/etc/procmailrc

:0c
/backups/imap.backups

If that FAILS, the duplicate message falls through, and that folder was moved 
but procmailrc was not updated. Doh!


-- 
...but the senator, while insisting he was not intoxicated, could not
explain his nudity.




Re: Site-wide bayes and individual bayes

2014-10-12 Thread LuKreme
On 10 Oct 2014, at 06:49 , RW rwmailli...@googlemail.com wrote:
 And, if not, is it generally better to do sitewide?
 
 It's hard to say, there are advantages and disadvantages either way.

OK, so specific example then.

Small server with a few dozen email users spread over several domains. Almost 
none of these users does any spam training at all, the rest just delete 
unwanted messages (not even marking them as junk) or even worse, just ignore 
them. One user is very aggressive in marking Spam and in keeping the Inbox 
clear of all spam.

I am of two minds. First, that everyone else would benefit from this user’s 
actions or, alternatively, that the user’s aggressive tagging will actually 
‘poison’ the bayes db for the other users who maybe do not think that endless 
emails from pinterest or some political candidate are actually spam.

-- 
You see, in this world there's two kinds of people, my friend: Those
with loaded guns and those who dig. You dig.



Re: spamd does not start

2014-10-09 Thread LuKreme

 On 08 Oct 2014, at 16:23 , Duane Hill duih...@gmail.com wrote:
 
 On Wednesday, October 8, 2014, 3:11:06 PM, LuKreme wrote:
 
 On 08 Oct 2014, at 04:56 , Duane Hill duih...@gmail.com wrote:
 
 On Tuesday, October 7, 2014, 10:56:54 PM, LuKreme wrote:
 
 On 07 Oct 2014, at 11:45 , Jari Fredrisson ja...@iki.fi wrote:
 I ran sa-update && sa-compile.
 
 Should sa-compile be run after sa-update?
 
 I have a crontab entry:
 
 16  1  *  *  *  /usr/local/bin/sa-update && 
 /usr/local/etc/rc.d/sa-spamd restart
 
 should I add an sa-compile call?
 
 I am on FreeBSD here. This is what I use:
 
 Content of sa_update.sh:
 
 #!/bin/sh
 
 /usr/local/bin/sa-update -D --nogpg
 
 if [ $? -eq 0 ] ; then
 /usr/local/bin/sa-compile
 /usr/local/etc/rc.d/sa-spamd restart
 exit 0
 else
 exit 0
 fi
 
 This  way, sa-compile is ran and spamd is restarted only when there is
 an update. I then use the script in a cron which runs once per day.
 
 I  believe  the  way  you have it, spamd will get restarted every time
 your cron is ran whether there is an update or not.
 
 It will get restarted if the sa-update process finishes cleanly
 (that’s what && does) which I think is the same as if [ $? -eq 0];
 
 So, I’ll add an sa-compile in there, thanks.
 
 No. && is  a  way  of chaining commands together. Your cron says run
 sa-update  and  then  restart  spamd.  In  other words, when sa-update
 finishes  running,  regardless  if there was an update applied or not,
 restart spamd.

No, that is not what it says.

$ man 1 bash
…
The  control  operators  && and || denote AND lists and OR lists, respectively. 
 An AND list has the form

  command1 && command2

command2 is executed if, and only if, command1 returns an exit status of zero.


-- 
What if there were no hypothetical questions?



Re: spamd does not start

2014-10-09 Thread LuKreme
On 09 Oct 2014, at 18:35 , LuKreme krem...@kreme.com wrote:
 No, that is not what it says.
 
 $ man 1 bash
 …
 The  control  operators  && and || denote AND lists and OR lists, 
 respectively.  An AND list has the form

Sorry for duplicating other’s posts, I replied to the original message out of 
the “replies to me” folder without checking the overall list folder.

-- 
'The gods,' he said. 'Imprisoned in a thought. And perhaps they were
never more than a dream.' --Sourcery



Re: spamd does not start

2014-10-08 Thread LuKreme

 On 08 Oct 2014, at 04:56 , Duane Hill duih...@gmail.com wrote:
 
 On Tuesday, October 7, 2014, 10:56:54 PM, LuKreme wrote:
 
 On 07 Oct 2014, at 11:45 , Jari Fredrisson ja...@iki.fi wrote:
 I ran sa-update && sa-compile.
 
 Should sa-compile be run after sa-update?
 
 I have a crontab entry:
 
 16  1  *  *  *  /usr/local/bin/sa-update && 
 /usr/local/etc/rc.d/sa-spamd restart
 
 should I add an sa-compile call?
 
 I am on FreeBSD here. This is what I use:
 
 Content of sa_update.sh:
 
  #!/bin/sh
 
  /usr/local/bin/sa-update -D --nogpg
 
  if [ $? -eq 0 ] ; then
  /usr/local/bin/sa-compile
  /usr/local/etc/rc.d/sa-spamd restart
  exit 0
  else
  exit 0
  fi
 
 This  way, sa-compile is ran and spamd is restarted only when there is
 an update. I then use the script in a cron which runs once per day.
 
 I  believe  the  way  you have it, spamd will get restarted every time
 your cron is ran whether there is an update or not.

It will get restarted if the sa-update process finishes cleanly (that’s what && 
does) which I think is the same as if [ $? -eq 0];

So, I’ll add an sa-compile in there, thanks.

-- 
Internet was down last night. Turns out I have two kids. They seem
pretty well-behaved



Site-wide bayes and individual bayes

2014-10-08 Thread LuKreme
Is it possible to have a site-wide bayes AND individual bayes for some users 
(or all users)?

And, if not, is it generally better to do sitewide?

And, is it possible to take all the individual bayes and combine them into a 
sitewide db?

-- 
You've got to dance like nobody's watching. - Kathy Mattea



Re: spamd does not start

2014-10-07 Thread LuKreme
On 07 Oct 2014, at 11:45 , Jari Fredrisson ja...@iki.fi wrote:
 I ran sa-update && sa-compile.

Should sa-compile be run after sa-update?

I have a crontab entry:

16  1  *  *  *  /usr/local/bin/sa-update && /usr/local/etc/rc.d/sa-spamd restart

should I add an sa-compile call?

-- 
'It's still a lie. Like the lie about masks.' 'What lie about masks?'
'The way people say they hide faces.' 'They do hide faces,' said Nanny
Ogg. 'Only the one on the outside.' --Maskerade



Re: half-OT: please remove [spam]-markers from subjects

2014-10-06 Thread LuKreme
On 03 Oct 2014, at 11:42 , Reindl Harald h.rei...@thelounge.net wrote:
 
 Am 03.10.2014 um 19:34 schrieb LuKreme:
 [SPAM] is not a spam marker I’ve ever seen so it seems perfectly OK to me
 You are assuming, I think wrongly, that the [SPAM] tag is being used because 
 of a content filter and not simply a tag to identify the name of the list
 
 it is the *default* tag for a lot of commercial spamfilters
 if a message was detected as spam but not high enough to drop

Those are very stupid filters then. Let me guess, the shitpile that is 
Barracuda? Honestly, shitpile implies a much higher value than I believe 
Barracuda has, at least a shit pile can be used to fertilize.

 there is a reason why i had that sieve-filter and i saw
 that tagging over many years from a lot of other users
 not only the one with Barracuda Networks products

You should never filter on Subject. Period.

-- 
A musicologist is a man who can read music but can't hear it. -  Sir
Thomas Beecham (1879 - 1961)



Re: half-OT: please remove spam-markers from subjects

2014-10-03 Thread LuKreme

 On 29 Sep 2014, at 11:19 , Reindl Harald h.rei...@thelounge.net wrote:
 
 
 Am 29.09.2014 um 19:14 schrieb Nels Lindquist:
 On 9/29/2014 10:54 AM, Reindl Harald wrote:
 
 please remove markers like [SPAM] if a message was flagged before
 reply - they lead often that a message goes to junk- instead the
 list-folder :-)
 
 Please teach your users to filter on the List-ID: header rather than
 Subject: for this list.  The issue can be entirely avoided without
 requiring everyone else in the world to alter their behaviour
 
 the [SPAM] marker comes *before* all other sieve-filters
 otherwise it would not catch faked From-Headers

You should not be filtering on Subject. Scoring on subject is fine, but 
filtering on it is a terrible idea.

-- 
Get your facts first, and then you can distort them as much as you
please. - Mark Twain



Re: half-OT: please remove spam-markers from subjects

2014-10-03 Thread LuKreme

 On 03 Oct 2014, at 11:21 , Reindl Harald h.rei...@thelounge.net wrote:
 
 
 Am 03.10.2014 um 19:11 schrieb LuKreme:
 On 29 Sep 2014, at 11:19 , Reindl Harald h.rei...@thelounge.net wrote:
 
 Am 29.09.2014 um 19:14 schrieb Nels Lindquist:
 On 9/29/2014 10:54 AM, Reindl Harald wrote:
 
 please remove markers like [SPAM] if a message was flagged before
 reply - they lead often that a message goes to junk- instead the
 list-folder :-)
 
 Please teach your users to filter on the List-ID: header rather than
 Subject: for this list.  The issue can be entirely avoided without
 requiring everyone else in the world to alter their behaviour
 
 the [SPAM] marker comes *before* all other sieve-filters
 otherwise it would not catch faked From-Headers
 
 You should not be filtering on Subject. Scoring on subject is fine, 
 but filtering on it is a terrible idea
 
 i try to explain the intention of the thread a last time:
 
 * what i filter or not don't matter, i look in my junk-folder
 * it was meant as friendly reminder if somebody don't whitelist
  the SA list which is the reason [SPAM] appears in *his* incoming
  mail it is a good idea after press reply remove that marker

His is whose?

A lot of people add [TAGS] to their incoming mail. If someone adds [SPAM] to 
list coming from here that’s fine.

No one should be running SA on messages to this list anyway.

 * i just don't get what needs a discussion about such a hint

It doesn’t sound like a hint, and it’s not useful, and it doesn’t do anything 
that I can see other than annoy people who’ve replied to you.

 * it is a bad idea to write mails with spam-markers in the subject

[SPAM] is not a spam marker I’ve ever seen so it seems perfectly OK to me. If 
they were adding something like (Spam? 7.9) then you might, maybe, just 
possibly, have an argument.

  because you never know how they are treated in case of the different
  RCPT's on a mailing list and since *your intention as sender* is
  that the list-members receive your mail *it is in your intention*
  to not put things in the subject making that more unlikely

How mail is treated by the recipient is up to the recipient.

 again:
 it is not a matter of talking about spam on the SA list
 it is just a matter if you already made the mistake pass
 the list mail through your contentfilter don't amplify it
 by bounce back the marker in your response

You are assuming, I think wrongly, that the [SPAM] tag is being used because of 
a content filter and not simply a tag to identify the name of the list.

 do i personally care?
 no - why should i?

Then why have you gone on so long about it?

 it's not my mail which may get not the attention the sender likes

Then I suggest you take a page from Bobby McFerrin, “Don’t worry, be happy” and 
just assume the people subscribed to this mailing list know what they are doing.

-- 
It was all very well going about pure logic and how the universe was
ruled by logic and the harmony of numbers, but the plain fact was that
the disc was manifestly traversing space on the back of a giant turtle
and the gods had a habit of going round to atheists' houses and smashing
their windows.



Re: block invalid From-domains

2014-10-01 Thread LuKreme
On 30 Sep 2014, at 15:14 , Reindl Harald h.rei...@thelounge.net wrote:
 nevermind - *.tld just works
 misunderstood the documentation
 
 BLOCKED: t...@crap.domain.tld.local
 FINE:t...@crap.domain.tld.local.com

Did you put this in local.cf or user_prefs?

-- 
From deep inside the tears that I'm forced to cry From deep inside the
pain I--I chose to hide



Re: Spamassasin not as effective anymore

2014-09-28 Thread LuKreme
On 26 Sep 2014, at 20:59 , Lorenzo Thurman lore...@thethurmans.com wrote:
 I’ve been using spamassassin for a number of years with excellent results.

I recently updated my SA version to 3.4.0_13 and found that it caught much more 
than it had been. It’s not enough to run sa-update, you need to keep the 
install version up to date as well.

-- 
Hard work pays off in the future. Laziness pays off now.



Re: Spamassasin not as effective anymore

2014-09-28 Thread LuKreme
On 28 Sep 2014, at 12:41 , Jason Haar jason_h...@trimble.com wrote:
 On 29/09/14 04:11, LuKreme wrote:
 I recently updated my SA version to 3.4.0_13 and found that it caught
 much more than it had been. It’s not enough to run sa-update, you need
 to keep the install version up to date as well. 
 
 What is 3.4.0_13?

That’s the version reported by ports. Normally that means something like 
“Version 3.4.0 patch 13.”

-- 
A good friend will come and bail you out of jail but a true friend will
be sitting next to you saying, Dang, that was fun.



Re: sa-learn strip last Received: header for own MDA

2014-09-19 Thread LuKreme
On 19 Sep 2014, at 09:06 , Marcus Schopen li...@localguru.de wrote:
 still playing with sa-learn. If I feed sa-learn do I have to strip the
 last Received: header which is the Received header for my own MDA
 (imap-backend) before piping the message into sa-learn?

All you need to do is make sure that you feed both ham and spam into sa-learn. 
A mistake many people make is to train only spam.

-- 
The Salvation Army Band played and the children drunk lemonade and the
morning lasted all day, all day. And through an open window came like
Sinatra in a younger day pushing the town away



Re: 10_MBL.cf

2014-09-16 Thread LuKreme

 On 16 Sep 2014, at 12:13 , Axb axb.li...@gmail.com wrote:
 
 On 09/16/2014 06:57 PM, jcb wrote:
 For the last few days, I have noticed that I have been getting this
 update, and it is about 12mb long. When it automatically updates, it
 manages to hang spamassassin, thereby stopping amavisd from processing.
 Any Ideas? I am temporarily deleting this, till something is found.
 
 MBL has a history of borked ClamAV signatures exploding .cf files
 
 The idea of creating HUGE static files for URIs reminds me of the times 
 when Bill Stearns and Chris Santerre did something like it named BigEvil.cf , 
 before the SpamcopURI plugin and SURBL showed  up... when was that? 2002? 
 2003?

Oh wow, I remember BigEvil. It must have been around there. Yeah, 2003 sounds 
right.


-- 
When and where does this real world occur?!



Re: Dumping email with blank To: header ?

2014-09-06 Thread LuKreme

 On 04 Sep 2014, at 12:36 , Joe Quinn jqu...@pccc.com wrote:
 
 On 9/4/2014 1:51 PM, John Hardin wrote:
 On Thu, 4 Sep 2014, LuKreme wrote:
 
 For the record, using sql for babes is considerably faster.
 
 Is that anything like SQL for Dummies?
 
 I've heard good things about the Derek Zoolander Center for Kids who can't 
 SQL Good and who Wanna Learn to do Other Stuff Good too.

I think I've gotten more comments on that not-typo, both onlist and off, than 
any email in recent memory.

OS X autocorrect doesn't like the word bayes much. Heh.

-- 
'I don't see why everyone depends on me. I'm not dependable. Even I
don't depend on me, and I'm me.'



Re: Dumping email with blank To: header ?

2014-09-06 Thread LuKreme

 On 04 Sep 2014, at 13:56 , Timothy Murphy gayle...@alice.it wrote:
 
 On Thursday, September 04, 2014 11:26:01 AM LuKreme wrote:
 
 Is there a simple check to make sure salearn is working?
 (I get the message that 192 messages have been examined,
 and ~/.spamassassin/bayes_seen and bayes_tok are pretty large,
 300kB and 5MB.)
 
 For the record, using sql for babes is considerably faster.
 
 Do you mean using SQL in some way would speed up salearn?

More importantly, it speeds up the bayes checks on incoming spam.

-- 
you'd think you could trust a horde of hungarian barbarians



Re: Dumping email with blank To: header ?

2014-09-04 Thread LuKreme

 On 04 Sep 2014, at 05:32 , Timothy Murphy gayle...@alice.it wrote:
 
 1) Is there a simple way of dumping email with an empty To: header?
 This seems invariably to be spam, and I'm surprised SA doesn't seem
 to score it highly.

You may be surprised if you actually check spam and ham.

 2) Does autolearn actually remove spam with a very high score?
 Or does it still get marked as spam by SA and passed on?

SA never removes mail under any circumstances.

 Is there a simple check to make sure salearn is working?
 (I get the message that 192 messages have been examined,
 and ~/.spamassassin/bayes_seen and bayes_tok are pretty large,
 300kB and 5MB.)

For the record, using sql for babes is considerably faster.

 4) I haven't found a short and simple SA tutorial,
 explaining how SA works,
 with a few tests that one might add to the default,
 and a couple of checks one could try to make sure it is working.

If you see X-Spam headers, it’s working. If in the X-Spam-Report you see BAYES_ 
then that is working.

-- 
she [Esk] was already learning that if you ignore the rules people will,
half the time, quietly rewrite them so they don't apply to you. --Equal
Rites



Re: sa-learn and find

2014-09-03 Thread LuKreme

 On 03 Sep 2014, at 02:05 , Matus UHLAR - fantomas uh...@fantomas.sk wrote:
 
 On Sat, 30 Aug 2014 08:23:02 -0600
 LuKreme wrote:
 
  if test -d $J_PATH; then
MYFIND=`find $J_PATH/ -type f -mtime -7|grep -v dovecot`
 
 On 30.08.14 22:32, RW wrote:
 mtime may not be the best choice. Ideally what you want is the time
 since the spam was moved to Junk, rather than the time since it was
 delivered.
 
 ctime should provide this information - it's changed when a file is moved. 
 For example courier-imap uses ctime information for deleting old mail from
 trash and spam (and whatever you configure to TRASH variable).

I agree that it should. However, I’ve had very poor luck with -ctime.

For example, I have a command I run to delete files in my ~/tmp that are more 
than 30 days old. If I use -ctime, none of the files are ever deleted, while if 
I use -mtime, everything works as expected.
 
 Note that something that manipulates file status can break this feature,
 e.g.  a backup system that reads files and resets atime back will cause
 resetting the ctime.  Setting it _not_ to reset atime (nobody uses atime
 nowadays) should fix the problem.

That may be what is happening then, since the system is backed up with 
rsnapshot.

-- 
Personal isn't the same as important



Re: SA works great!

2014-09-02 Thread LuKreme
On 02 Sep 2014, at 01:57 , Ted Mittelstaedt t...@ipinc.net wrote:
 On 8/31/2014 5:11 PM, LuKreme wrote:
 
 On 31 Aug 2014, at 08:08 , Ted Mittelstaedtt...@ipinc.net  wrote:
 Google does it.  It's not impossible.
 
 [snip]
 
 My experience is that the commercial providers like Gmail are now
 so aggressive that false positives are VERY common on their systems,
 this leads to people nowadays quite commonly saying check your
 spam folder on their websites and such that send feedback messages.
 
 These two statements do not go together.
 
 Only because you're stubbornly sticking your head in the sand.
 
 Google has well over 90% catch rate on spam out of the box.

Out of the box? What does that even mean for Google? Do you mean that when 
they introduced their gmail service they had 90% spam catch rate? I don't recall 
that being the case at all.

 Google ALSO has a 1-2% False Positive rate out of the box.  Their catch
 rate is so high because they are willing to accept a high false positive rate.

That is one reason. The other reason, of course, is that they have literally 
BILLIONS of mail messages to train from. In fact, Google has so much mail to 
train from, that it is shocking to me they have any false positives at all.

The fact is, if 2% of my mail ends up in my spam folder then I have to spend a 
lot more time in my spam folder than I want to, and enough time that it makes 
my spam folder useless because not only do I have to scan it constantly, but I 
have to then go jump through some sorts of hoops to train it to hopefully not 
be spam in the future.

Spread that 2% error rate over a half dozen email addresses and I am back to 
the bad old days of the late 90s when the majority of the time I spent in email 
was spent dealing with the spam.

-- 
No matter how fast light travels it finds the darkness has always got
there first, and is waiting for it.



bayes_token is marked as crashed

2014-09-02 Thread LuKreme
I am getting the following error repeated many times a second:

/usr/local/libexec/mysqld: Table './bayes/bayes_token' is marked as crashed and 
should be repaired


-- 
My parents were unwilling to secure the necessary eagle's eggs and lion
semen



Re: bayes_token is marked as crashed

2014-09-02 Thread LuKreme
On 02 Sep 2014, at 17:16 , Reindl Harald h.rei...@thelounge.net wrote:
 Am 03.09.2014 um 01:07 schrieb LuKreme:
 I am getting the following error repeated many times a second:
 
 /usr/local/libexec/mysqld: Table './bayes/bayes_token' is marked as crashed 
 and should be repaired
 
 well, repair table bayes_token in MySQL

That's, I tried that, but I think I forgot to \u bayes to select the right 
database.

I ended up doing

myisamchk --recover './bayes/bayes_token'

 or use the following option in /etc/my.cnf to have that happening
 automatically since you can't really do anything else then
 restore a backup you should have anyways automated with a history
 
 myisam-recover-options = FORCE

Interesting. I don't seem to HAVE a my.cnf. I'll check on that and add this.

-- 
The only reason for walking into the jaws of Death is so's you can steal
His gold teeth. --Colour of Magic



Re: Bayes autolearn questions

2014-09-02 Thread LuKreme

On 02 Sep 2014, at 19:11 , Alex mysqlstud...@gmail.com wrote:

 However, spam with scores greater than 9.0 aren't being autolearned:

I believe the score threshold is the base score WITHOUT bayes.

Try running the email through with a -D flag and see what you get.

(And that is only a partial answer, the threshold number ignores certain 
classes of tests beyond bayes, but I don't remember which ones. It's unfortunate 
that the learn_threshold_spam uses a number that appears to be related to the 
spam score, because it isn't.)
 
-- 
It's like a cow's opinion. It just doesn't matter. It's moo



Re: Bayes autolearn questions

2014-09-02 Thread LuKreme

On 02 Sep 2014, at 20:50 , Karsten Bräckelmann guent...@rudersport.de wrote:

 On Tue, 2014-09-02 at 20:22 -0600, LuKreme wrote:
 On 02 Sep 2014, at 19:11 , Alex mysqlstud...@gmail.com wrote:
 
 However, spam with scores greater than 9.0 aren't being autolearned:
 
 I believe the score threshold is the base score WITHOUT bayes.
 
 Try running the email through with a -D flag and see what you get.
 
 (And that is only a partial answer, the threshold number ignores
 certain classes of tests beyond bayes, but I don't remember which ones.
 It's unfortunate that the learn_threshold_spam uses a number that
 appears to be related to the spam score, because it isn't.)
 
 It is. Using the accompanying, non-Bayes score-set. To avoid direct
 Bayes self-feeding, and other rules indirect self-feeding due to Bayes-
 enabled scores.
 
 BTW, if one knows of that mysterious (bayes_auto_) learn_threshold_spam
 you mentioned, one found the AutoLearnThreshold doc mentioning exactly
 that: Bayes auto-learning is based on non-Bayes scores.

But that is not the case. You can have a score without bayes that exceeds the 
threshold and still have the message not auto learned.


-- 
'They're the cream!' Rincewind sighed. 'Cohen, they're the cheese.'



Re: sa-learn and find

2014-09-01 Thread LuKreme

On 31 Aug 2014, at 18:16 , Ian Zimmerman i...@buug.org wrote:

 find /home/${i}/Maildir/.notspam -type f -mtime -7 | xargs -r sa-learn --ham 
 -u ${i}

Right. Doh. I got so held up in running find under sa-learn...

Well, that does make things a lot easier, doesn't it.

Thanks for your patience.

-- 
There will always be women in rubber flirting with me.



Re: sa-learn and find

2014-08-31 Thread LuKreme

On 31 Aug 2014, at 14:46 , Ian Zimmerman i...@buug.org wrote:

 On Sat, 30 Aug 2014 19:59:53 -0600,
 LuKreme krem...@kreme.com wrote:
 
 RW This may run into shell argument limits if you have to learn a lot
 RW of spam. Consider piping the output of find to xargs, or using -exec
 RW ...{} + in find.
 
 LuKreme Yes, I tried to do that, but as I said in my first post, if I
 LuKreme do the find as part of the sa-learn command, then it stalls when
 LuKreme the find command returns null.
 
 xargs (the GNU one at least) has an option to not run the inferior when
 there are no args to give it.

The interior is the find:

This was my original command:

sa-learn --ham -u ${i} `find /home/${i}/Maildir/.notspam -type f -mtime -7`

Which stalls if find returns nothing. I am not seeing how xargs would help this.

(FreeBSD xargs never runs the command if the input is empty)

-- 
'I really should talk to him, sir. He's had a near-death experience!'
'We all do. It's called living.'



Re: Give a penalty to messages with non latin UTF-8 characters?

2014-08-31 Thread LuKreme

On 31 Aug 2014, at 14:38 , Ian Zimmerman i...@buug.org wrote:

 Doesn't ok_languages and ok_locales do the job?  It does for me.

Not with UTF-8 encoding, that setting only seems to apply to old-style character 
declarations.

-- 
showing snuffy is when Sesame Street jumped the shark



Re: SA works great!

2014-08-31 Thread LuKreme

On 31 Aug 2014, at 08:08 , Ted Mittelstaedt t...@ipinc.net wrote:
 Google does it.  It's not impossible.

[snip]

 My experience is that the commercial providers like Gmail are now
 so aggressive that false positives are VERY common on their systems,
 this leads to people nowadays quite commonly saying check your
 spam folder on their websites and such that send feedback messages.

These two statements do not go together.


-- 
People only think for themselves if you tell them to.



Re: Give a penalty to messages with non latin UTF-8 characters?

2014-08-30 Thread LuKreme
On 29 Aug 2014, at 20:52 , jdebert jdeb...@garlic.com wrote:
 On Fri, 29 Aug 2014 11:41:48 +0200 Michael Opdenacker 
 michael.opdenac...@free-electrons.com wrote:
 I find it hard to believe I'm the only one getting spam in Chinese
 characters ;)
 
 And legitimate messages as well. (Here, at least.) BLocking merely
 messages have more than just the Roman alphabet in them is a bit too
 much.

I would welcome rules that would reliably penalize messages that use Chinese, 
Japanese, Korean, Thai, or any other characters in the UTF-8 address space that 
I don’t read. I would put them in user_prefs.

I get a lot more spam into my inbox in the last few months than I have in many 
years (20+ a day, into each of 6 inboxes). To be fair, most of the Chinese 
comes to my gmail address.

-- 
Last night - you were unhinged. You were like some desperate, howling
demon. You frightened me. - Do it again!



sa-learn and find

2014-08-30 Thread LuKreme
The following command seems to get stuck if there is no result from the find. 
Any suggestions on how to avoid passing an empty find result to spamd?

sa-learn --ham -u ${i} `find /home/${i}/Maildir/.notspam -type f -mtime -7` 

(where user $i has no emails in notspam that are new in the last 7 days)

I am already testing for the presence of the folder. Checking if the folder is 
empty isn’t going to help because the folder may have mail in it, just old mail.

The only thing I can think of to do is something like this:

MYFIND= `find $H_PATH/cur -type f -mtime -7` 
if [ -n $MYFIND ]; then
   /usr/local/bin/sa-learn --ham -u ${i} $MYFIND
fi

but I haven’t gotten that to work as I can seem to pass the test with a string 
that on echo "\"$MYFIND\"" returns "".

-- 
Why, you stuck-up, half-witted, scruffy-looking... NERFHERDER!
Who's Scruffy looking?



Re: sa-learn and find

2014-08-30 Thread LuKreme
On 30 Aug 2014, at 07:49 , LuKreme krem...@kreme.com wrote:
 MYFIND= `find $H_PATH/cur -type f -mtime -7` 
 if [ -n $MYFIND ]; then
   /usr/local/bin/sa-learn --ham -u ${i} $MYFIND
 fi

Doh!

if [ -n "$MYFIND" ]; then

or

if test -n "$MYFIND"; then

Sigh. Feeling extra stupid this Saturday morning.

It works, and is no longer processing thousands of old messages for no reason.

#!/bin/sh
#
# Straightforward shell script to be run as root.  This parses the /home
# directory for mailboxes named .Junk and learns those as spam, and then
# parses the inbox (cur, not new) for ham.

# sa-learn-script (sal) v2.1  Lewis Butler, released to the Public Domain 2012

UROOT=/home/
echo "Running SAL"
for i in `ls $UROOT` ; do
  J_PATH="${UROOT}${i}/Maildir/.Junk"
  H_PATH="${UROOT}${i}/Maildir"

  if test -d "$J_PATH"; then
    # Files modified in the last 7 days, skipping dovecot's own index files
    MYFIND=`find "$J_PATH/" -type f -mtime -7 | grep -v dovecot`
    # Quoted, so an empty find result really tests as empty
    if test -n "$MYFIND"; then
      /usr/local/bin/sa-learn --spam -u ${i} $MYFIND # >/dev/null 2>&1
    fi
  else
    echo "No $J_PATH for $i"
  fi

  if test -d "$H_PATH"; then
    MYFIND=`find "$H_PATH/cur" -type f -mtime -7 | grep -v dovecot`
    if test -n "$MYFIND"; then
      echo "Processing $H_PATH"
      /usr/local/bin/sa-learn --ham -u ${i} $MYFIND # >/dev/null 2>&1
    fi
  #else
  #  echo "No $H_PATH for $i"
  fi
done

If I were feeling really clever, I’d make sure the user existed first, but I’m 
not feeling that clever today.

-- 
A marriage is always made up of two people who are prepared to swear
that only the other one snores.
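
An added example, not code from any of the posts in this thread: the same weekly learning step done with find piped to xargs, so the learner is never started on an empty list and long file lists are batched instead of hitting the shell argument limit. The function name learn_recent, the stub learner and the throwaway Maildir are assumptions made up for the demonstration.

```shell
#!/bin/sh
# learn_recent DIR CMD [ARGS...]
#   DIR   Maildir folder to scan, e.g. /home/alice/Maildir/.Junk
#   CMD   learner and its options, e.g. /usr/local/bin/sa-learn --spam -u alice
learn_recent() {
    dir=$1
    shift
    [ -d "$dir" ] || return 0
    # -print0 / -0 keep file names with spaces intact.
    # -r stops GNU xargs from running CMD when find matched nothing
    # (FreeBSD xargs already behaves that way and accepts -r as a no-op).
    # ! -name 'dovecot*' skips dovecot's index and uidlist files.
    find "$dir" -type f -mtime -7 ! -name 'dovecot*' -print0 |
        xargs -0 -r "$@"
}

# Constructed demo: two users, one with recent junk, one with an empty
# folder, and a stub learner that only logs how it was called.
demo_learn() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/alice/.Junk/cur" "$tmp/bob/.Junk/cur"
    : > "$tmp/alice/.Junk/cur/1409400000.M1.host:2,S"
    : > "$tmp/alice/.Junk/cur/1409400001.M2 with space.host:2,S"
    : > "$tmp/alice/.Junk/dovecot-uidlist"
    # An old message that -mtime -7 must leave out
    : > "$tmp/alice/.Junk/cur/1406851200.M0.host:2,S"
    touch -t 201408010000 "$tmp/alice/.Junk/cur/1406851200.M0.host:2,S"

    cat > "$tmp/stub" <<'EOF'
echo "$# $1 $2 $3" >> "$STUB_LOG"
EOF
    STUB_LOG=$tmp/log
    export STUB_LOG
    : > "$STUB_LOG"

    # In production the command would be: /usr/local/bin/sa-learn --spam -u alice
    learn_recent "$tmp/alice/.Junk" sh "$tmp/stub" --spam -u alice
    learn_recent "$tmp/bob/.Junk"   sh "$tmp/stub" --spam -u bob   # nothing to learn

    cat "$STUB_LOG"     # one line per learner invocation
    rm -rf "$tmp"
}

demo_learn
```

The stub is called once, for alice, with the three option words plus the two recent messages; bob's empty folder never starts it.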



Re: sa-learn and find

2014-08-30 Thread LuKreme

 On 30 Aug 2014, at 15:32 , RW rwmailli...@googlemail.com wrote:
 
 On Sat, 30 Aug 2014 08:23:02 -0600
 LuKreme wrote:
 
  if test -d $J_PATH; then
MYFIND=`find $J_PATH/ -type f -mtime -7|grep -v dovecot`
 
 mtime may not be the best choice. Ideally what you want is the time
 since the spam was moved to Junk, rather than the time since it was
 delivered. What I see with dovecot when I move mail with claws mail is
 that  a new file is created with the mtime preserved at the
 delivery time and the current epoch time in the filename. In that case
 the ideal would be Btime if your OS supports it, or failing that
 ctime. 
 
 You could also use the time in the filename. Note that epoch times are
 10 digits until long after we're dead so simple lexicographical
 comparisons between maildir filenames or between a maildir filename and
 an epoch time will work.

On my system the file is not renamed when it is moved.

 You may want to check what happens with whatever you use to move the
 spam.

Spam is delivered to the junk box at delivery time, or is manually moved via 
IMAP by the user.

Is there a way to actually show the mtime and ctime of a file?

if test -n $MYFIND; then
  /usr/local/bin/sa-learn --spam -u ${i} $MYFIND #/dev/null 21
 
 This may run into shell argument limits if you have to learn a lot of
 spam. Consider piping the output of find to xargs, or using 
 -exec ...{} + in find.

Yes, I tried to do that, but as I said in my first post, if I do the find as 
part of the sa-learn command, then it stalls when the find command returns null.


-- 
The fact that Bob and John are married does nothing to diminish anyone
else's marriage any more than a black woman marrying a white man, a Jew
marrying a Catholic, or an ugly Lyle marrying a Pretty Woman
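
An added example, not part of the original message: a way to look at both timestamps and to see how find -mtime and find -ctime treat a message that was delivered long ago but filed into Junk today. The directory layout, file name and helper names are constructed for the demonstration.

```shell
#!/bin/sh
# count_recent DIR TEST
#   Number of regular files under DIR whose TEST time (-mtime or -ctime)
#   falls within the last 7 days.
count_recent() {
    find "$1" -type f "$2" -7 | wc -l | tr -d ' '
}

demo_times() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/cur" "$tmp/.Junk/cur"
    name='1406851200.M1.host:2,S'

    : > "$tmp/cur/$name"
    # Constructed delivery time: 2014-08-01 00:00. touch sets the mtime to
    # that date; the ctime cannot be set by hand and stays at "now".
    touch -t 201408010000 "$tmp/cur/$name"

    # The user files the message as junk. A rename keeps the mtime and, on
    # most filesystems, stamps the ctime again.
    mv "$tmp/cur/$name" "$tmp/.Junk/cur/$name"

    # ls -l prints the mtime, ls -lc prints the ctime (both are POSIX).
    ls -l  "$tmp/.Junk/cur/$name" >&2
    ls -lc "$tmp/.Junk/cur/$name" >&2

    echo "mtime=$(count_recent "$tmp/.Junk" -mtime) ctime=$(count_recent "$tmp/.Junk" -ctime)"
    rm -rf "$tmp"
}

demo_times
```

Anything else that touches the inode (chmod, a hard link, a backup tool that resets atime) also moves the ctime forward, which is the caveat raised elsewhere in this thread.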



Re: Certain types of spam seem to get through SA

2014-08-29 Thread LuKreme
On 28 Aug 2014, at 17:38 , Martin Gregorie mar...@gregorie.org wrote:
 http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz
 
 This file is a compressed source archive that includes documentation for
 the tool and the definition file format.

Any reason not to include your dataset?

-- 
If at first you don't succeed, destroy all evidence that you tried.



Certain types of spam seem to get through SA

2014-08-28 Thread LuKreme
I’ve been getting a lot of auto sales, windows install, and pharma spam 
recently that is getting through SA. Here are headers for one from this morning:

Return-Path: installationnot...@windowmate-832.us
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.covisp.net
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=5.0 tests=URIBL_BLACK autolearn=no
version=3.3.2
X-Spam-Report: 
*  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: windowmate-832.us]
X-Original-To: mun...@null.com
Delivered-To: lbut...@covisp.net
Received: from windowmate-832.us (108.168.239.180-static.reverse.softlayer.com 
[108.168.239.180])
by mail.covisp.net (Postfix) with ESMTP id CEE0D50D40B
for mun...@null.com; Thu, 28 Aug 2014 08:48:51 -0600 (MDT)
Date: Thu, 28 Aug 2014 07:45:10 -0700
To: munged@null
Content-Type: text/plain
CMDAuthCode: 10-6414818373-install-75d769e5b2e49dd09bd8c43836b66aaf
From: Installation Notice installationnot...@windowmate-832.us
Mime-Version: 1.0
Subject: Re: Your Home Depot window installation appt. is coming up...
Message-ID: windw-88937059726.23-14818373-...@windowmate-832.us-sp-066

or this one:

Return-Path: autoinsurancenotice...@auto-cover-id66121.us
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.covisp.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=SPF_HELO_PASS,SPF_PASS
autolearn=ham version=3.3.2
X-Spam-Report: 
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
X-Original-To: mun...@null.com
Delivered-To: lbut...@covisp.net
Received: from auto-cover-id66121.us 
(108.168.239.177-static.reverse.softlayer.com [108.168.239.177])
by mail.covisp.net (Postfix) with ESMTP id 926A150D40B
for mun...@null.com; Thu, 28 Aug 2014 08:09:39 -0600 (MDT)
Date: Thu, 28 Aug 2014 07:08:27 -0700
RTS-Auto: 14911343-3244-14507179-97
Content-Type: text/plain
Message-ID: car-52214911343.1215-14507179-...@auto-cover-id66121.us-12004
Subject: Re: Your Updated Auto-Policy Payment Rate Info: 08/28/14
From: Auto Insurance Notice autoinsurancenotice...@auto-cover-id66121.us
Mime-Version: 1.0
To: munged@null


(I am currently updating SA to 3.4 $CURRENT)

-- 
'I'll tell you this!' shouted Rincewind. 'I'd rather trust me than
history! Oh, shit, did I just say that?'



Re: Certain types of spam seem to get through SA

2014-08-28 Thread LuKreme
On 28 Aug 2014, at 09:21 , Antony Stone 
antony.st...@spamassassin.open.source.it wrote:
 Please post pastebin samples of the actual email content (as well as 
 minimally-anonymised headers) so that others can check on known-working 
 configurations.

The only thing I changed was the mail address it was sent to.

http://pastebin.com/3agBfQT2

-- 
i wasn't born a programmer. i became one because i was impatient. - Dave
Winer



Re: Certain types of spam seem to get through SA

2014-08-28 Thread LuKreme

 On Aug 28, 2014, at 12:00, Martin Gregorie mar...@gregorie.org wrote:
 
 The only obvious oddity, compared with my local main stream is its
 direct one-hop delivery. I'd regard this as UCE rather than spam per se.
 I only take measures against this type of mail if I see it more
 frequently than every 6 months or so and/or if it has an 'unsubscribe'
 facility which fails to work.

I get a lot of these, and they are in no way anything that was signed up for. 
It looks like your scores are mostly from hitting known bad URL recipes, 
which were not hit when it arrived. I can try rerunning it.



Restarting spamd?

2013-11-10 Thread LuKreme
After I run sa-learn, I noticed that spamd did not apply the changed rules.

If I setup sa-learn to run automatically, I need to setup spamd to restart 
afterwards, I suppose. What's a reasonable interval for running sa-learn out of 
crontab? (I have it setup for weekly)

Or should I be doing something else?

-- 
I've never seen religious faith move mountains, but I've seen what it does
to skyscrapers.



Re: Restarting spamd?

2013-11-10 Thread LuKreme

On 10 Nov 2013, at 09:46 , RW rwmailli...@googlemail.com wrote:

 On Sun, 10 Nov 2013 08:19:36 -0700
 LuKreme wrote:
 
 After I run sa-learn, I noticed that spamd did not apply the changed
 rules.
 
 I assume that everywhere you have written sa-learn, you actually mean
 sa-update.

doh. Yes, I did.

   sa-update && /etc/init.d/spamassassin reload

Perfect.

 It doesn't matter if you run it frequently since it tests whether your
 rules are up to date by a simple dns query which can be cached by your
 local cache. 

I'll run it daily in that case. I still remember the old days of, don't check 
too often and don't check at 0 0 or 1 1.

-- 
The older you get the more you need the people you knew when you were
young.



Scoring in user_prefs

2013-11-08 Thread LuKreme

I would like to add a score in user_prefs based on the To header (I have an 
email that collects several email addresses and I want to add some spamishness 
indicators).

Does the user_prefs understand the same syntax as the local.cf file? And what 
would be the best way to say:

If the to field is u...@example.com add 1.0 to the spam score

# Rule names starting with __ are unscored sub-rules, so use a plain name
header TO_EXAMPLE To =~ /user\@example\.com/
score  TO_EXAMPLE 1.0

?

-- 
It was intended that when Newspeak had been adopted once and for all and
Oldspeak forgotten, a heretical thought...should be literally
unthinkable, at least so far as thought is dependent on words.



RP_MATCHES_RCVD

2013-11-08 Thread LuKreme
Some spam has been matching the rule RP_MATCHES_RCVD which is worth -2.8 
points. I wanted to look at this rule, so I went to 
/usr/local/etc/mail/spamassassin and grepped for the name, but no hits.

Where's the rule defined? I thought there was a rules folder, but the only one 
I can find is one in the source for SA 3.0 (`locate 10_misc.cf`).


 # find /usr/local -name *cf  | grep -v postfix
/usr/local/etc/mail/spamassassin/local.cf
/usr/local/etc/mail/spamassassin/whitelist.cf
 #

/usr/local/share/spamassassin contains a template, a txt file of the public 
key, and a file named languages, no rules.

/usr/share/spamassassin does not exist

SpamAssassin version is 3.3.2

-- 
He was Igor, son of Igor, nephew of several Igors, brother of Igors and
cousin of more Igors than he could remember without checking up in his
diary. Igors did not change a winning formula. {Footnote: Especially if
it was green, and bubbled.}



Re: Scoring in user_prefs

2013-11-08 Thread LuKreme

On 08 Nov 2013, at 13:42 , Kris Deugau kdeu...@vianet.ca wrote:

 If you want to put full rules in user_prefs files, you'll need to set
 allow_user_rules in the main configuration.
 
 man Mail::SpamAssassin::Conf and scroll down to the RULE DEFINITIONS
 AND PRIVILEGED SETTINGS section.

Thank you!

-- 
It wasn't that her [Susan's] parents didn't believe in such things. They
didn't need to believe in them. They knew they existed. They just wished
they didn't.



Re: RP_MATCHES_RCVD

2013-11-08 Thread LuKreme

On 08 Nov 2013, at 13:53 , Kris Deugau kdeu...@vianet.ca wrote:

 SA is installed from package, this looks something like
 /var/lib/spamassassin.

Ah, /var/db/spamassassin

I would never have found them. thanks!

-- 
Everything you read on the Internet is false -- Glenn Fleishman



Re: Scoring in user_prefs

2013-11-08 Thread LuKreme

On 08 Nov 2013, at 13:42 , Kris Deugau kdeu...@vianet.ca wrote:

 man Mail::SpamAssassin::Conf and scroll down to the RULE DEFINITIONS
 AND PRIVILEGED SETTINGS section.

Oh, well, crap. Yeah, that's not going to happen.

OK, time to come up with another way of doing this...
ZZ

er.. right. 

-- 
What if your DOPE was on fire?
Impossible, sir, it's in Johnson's underwear.



Re: RP_MATCHES_RCVD

2013-11-08 Thread LuKreme

On 08 Nov 2013, at 13:53 , Kris Deugau kdeu...@vianet.ca wrote:

 It's also been scored down in more recent rule updates;  as of a few
 minutes ago it looks like it's *way* down:
 
 score RP_MATCHES_RCVD   -1.501 -0.001 -1.501 -0.001

I saw that after I ran sa-update, which was shortly after I posted.

I've set it to -0.1 for now.

-- 
Every absurdity has a champion to defend it.



Re: RP_MATCHES_RCVD letting in SPAM

2013-08-24 Thread LuKreme

On 21 Aug 2013, at 16:33 , Joe Acquisto-j4 j...@j4computers.com wrote:

 OK.  That's what I thought.   However, lint shows it reading
 /etc/mail/spamassassing/local.cf
 near the top of lint output and all the others, further down,
 which suggests it is reading them after.
 
 Perhaps that is a poor conclusion.

I can't think of a reason that --lint would need to check the files in the same 
order that SA applies them.

-- 
Adolescence is the period between childhood and adultery



More on learning from imap folders

2012-03-11 Thread LuKreme
I built the following script:

#!/bin/bash

VROOT=/usr/local/virtual/

# ${i} is already a full path, e.g. /usr/local/virtual/user@domain
for i in `ls -d ${VROOT}*@*` ; do
  echo `date`
  echo "Processing ${i}"
  J_PATH=${i}/.Junk
  H_PATH=${i}/NotJunk

  if test -d "${J_PATH}"; then
    /usr/local/bin/sa-learn --spam -u vpopmail "$J_PATH"/{new,cur}
  else
    echo "No $J_PATH"
  fi

  if test -d "${H_PATH}"; then
    /usr/local/bin/sa-learn --ham -u vpopmail "$H_PATH"
    # Move the learned ham back into the user's inbox
    mv "$H_PATH"/{cur,new}/* "${i}/cur"
  else
    echo "No $H_PATH"
  fi

  echo
done

And it appears to work fine, except that it takes 20 seconds to process an 
entirely empty folder

---OUTPUT
Sun Mar 11 13:17:24 MDT 2012
Processing /usr/local/virtual/ben@…
Learned tokens from 0 message(s) (0 message(s) examined)

Sun Mar 11 13:17:44 MDT 2012
---END

# ls -lsR /usr/local/virtual/ben\@…/.Junk/
total 6
2 drwx--  2 root  vpopmail  512 Mar  8 04:21 cur
2 drwx--  2 root  vpopmail  512 Mar  8 04:21 new
2 drwx--  2 root  vpopmail  512 Mar  8 04:21 tmp

/usr/local/virtual/b...@xanmax.com/.Junk/cur:
total 0

/usr/local/virtual/b...@xanmax.com/.Junk/new:
total 0

/usr/local/virtual/b...@xanmax.com/.Junk/tmp:
total 0

This seems like a lot of time for sa-learn to process 0 files. Long enough that 
I probably need to add some logic to check for actual files before passing the 
directory to sa-learn. Is this sort of delay normal?

As for the logic, I was thinking of something like this:

ISSPAM=`find $J_PATH/{cur,new} -type f`
# Only call sa-learn when find returned at least one file
if [ -n "$ISSPAM" ]; then
  /usr/local/bin/sa-learn --spam -u vpopmail $J_PATH/{new,cur}
fi


-- 
I can't die, I haven't seen The Jolson Story



Re: Allowing IMAP users to train spam/ham

2012-03-11 Thread LuKreme

On 09 Mar 2012, at 17:07 , RW wrote:

 It's been demonstrated on Bogofilter that train-on-everything outperforms 
 train-on-error on the same corpora. They both end-up with similar accuracy, 
 but train-on-everything gets there very much faster.

But training is exceedingly slow. Under normal load, sa-learn putters along at 
2.5-4 mesg/sec, and under load it can drop to under 1.

Now, sure, perhaps I should throw a quad core i7 at it, but REALLY?

-- 
I NO LONGER WANT MY MTV Bart chalkboard Ep. 3G02



Re: dccifd error

2012-03-06 Thread LuKreme
On Mar 4, 2012, at 21:34, xTrade Assessory xtr...@matik.com.br wrote:

 you can disable the plugin or setup use_dcc 0 in local.cf

The plugin *was* disabled in v310, but the errors still showed up in the 
maillog, which is what started this. As far as I can see, dcc was never running 
though there was a very old install of it in /var/dcc.



Re: Some rules I created for suspicious Javascript practices

2012-03-04 Thread LuKreme
On 16 Feb 2012, at 18:11 , neon_overload wrote:
> I have been hard at work on tweaking these rules and have come up with new
> versions which appear more effective.  Have not spent much time on
> performance though.

Curious how you arrived at the scoring. For example, I would think that 
LOCAL_U_UNESCAPE would be scored much higher as, at least as it looks to me, no 
one would ever do that legitimately.

-- 
You know, Calculus is sort of like measles. Once you've had it, you
probably won't get it again, and you're glad of it. -- W. Carr



Re: Spamassassin detect my mails as spam

2012-03-04 Thread LuKreme
On 25 Feb 2012, at 11:17 , Michelle Konzack wrote:
> There is something in spamassassin which does recursive rDNS lookups on
> all Received: headers

No there isn’t.

-- 
Exit, pursued by a bear.



Allowing IMAP users to train spam/ham

2012-03-04 Thread LuKreme
I used to have a setup where IMAP users could put mail into either SPAM or Junk 
mailboxes to have it auto trained and then I had a script that stepped through 
and did the training, and it also processed non-new mail in the inbox as ham.

USERROOT=$HOME;
MAILP=Maildir;

J_PATH=$USERROOT/${MAILP}/.Junk;
S_PATH=$USERROOT/${MAILP}/.SPAM;
H_PATH=$USERROOT/${MAILP}/cur;

# Train each folder only if it exists ($i is not set in this excerpt)
if [ -d "$J_PATH" ]; then
   /usr/local/bin/sa-learn --spam --progress $i $J_PATH/{new,cur}
fi

if [ -d "$S_PATH" ]; then
   /usr/local/bin/sa-learn --spam --progress $i $S_PATH/{new,cur}
fi

if [ -d "$H_PATH" ]; then
   /usr/local/bin/sa-learn --ham $H_PATH
fi

This all worked fine, but it was very resource intensive, and it only worked 
with the very few shell users. I tried to run it (manually) a few times with 
the virtual users, but I ended up with a process that ground the computer to a 
halt and generated a bayes database that was massively large (GBs).

So, other than throwing more iron at the problem, is there something I can do 
to make this process a little smarter? Make it work with the virtual users 
without generating a massive db file?

-- 
'What can I do? I'm only human,' he said aloud.  Someone said, Not all
of you. --Pyramids



Re: Allowing IMAP users to train spam/ham

2012-03-04 Thread LuKreme

On 04 Mar 2012, at 03:55 , xTrade Assessory wrote:

> what do you think of something less complex?

Yeah, I went with Junk/NotJunk, anything placed in Junk gets trained as spam, 
anything in NotJunk trained as ham. What I’d like to do though is move the 
messages that are in NotJunk to the inbox maildir as they are processed.

Possible?

-- 
Belief is one of the most powerful organic forces in the multiverse. It
may not be able to move mountains, exactly. But it can create someone
who can. 
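
One way to train a folder only when it holds messages and then move the learned NotJunk mail into the inbox, as asked above (an added example, not code from the thread). The function names and folder layout are assumptions; the sa-learn path is the one used in the thread, and each message file is passed to sa-learn explicitly so that only the files listed at the start are learned and moved.

```shell
#!/bin/sh
# Added example; function names and folder layout are assumptions.
SA_LEARN=${SA_LEARN:-/usr/local/bin/sa-learn}   # path used in the thread

# maildir_msgs DIR: print one path per message file in DIR/new and DIR/cur.
maildir_msgs() {
    for mm_f in "$1"/new/* "$1"/cur/*; do
        [ -f "$mm_f" ] && printf '%s\n' "$mm_f"
    done
    return 0
}

# train_folder TYPE DIR [INBOX]
#   TYPE is "spam" or "ham". sa-learn is not started when DIR has no messages.
#   With INBOX given, each learned message is moved into INBOX/new or INBOX/cur,
#   matching the subdirectory it came from, so Maildir file naming stays valid.
#   Returns 0 = trained, 1 = error, 2 = nothing to do.
train_folder() {
    tf_type=$1; tf_dir=$2; tf_inbox=${3:-}
    case $tf_type in spam|ham) ;; *) return 1 ;; esac
    tf_list=$(maildir_msgs "$tf_dir")
    [ -n "$tf_list" ] || return 2

    # Snapshot the file list into "$@": mail that arrives while sa-learn runs
    # is neither learned nor moved until the next pass.
    tf_ifs=$IFS
    IFS='
'
    set -f; set -- $tf_list; set +f
    IFS=$tf_ifs

    "$SA_LEARN" "--$tf_type" "$@" || return 1
    [ -n "$tf_inbox" ] || return 0
    for tf_f in "$@"; do
        [ -f "$tf_f" ] || continue        # removed by the user meanwhile
        tf_sub=$(basename "$(dirname "$tf_f")")
        mv "$tf_f" "$tf_inbox/$tf_sub/" || return 1
    done
    return 0
}

# Usage (hypothetical paths):
#   train_folder spam "$MAILDIR/.Junk"
#   train_folder ham  "$MAILDIR/.NotJunk" "$MAILDIR"
```

Both folders must be on the same filesystem for the `mv` to be an atomic rename, and a very large folder can exceed the argument-list limit for a single sa-learn call.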



Re: dccifd error

2012-03-04 Thread LuKreme

On 04 Mar 2012, at 05:38 , xTrade Assessory wrote:

> not sure but probably the dccifd is the remote daemon and since DCC is a
> commercial service you might not have an account there, so you cannot
> connect ... ?

http://www.rhyolite.com/dcc/
“The non-commercial DCC software is distributed under a license that is free 
only to organizations that do not sell filtering devices or services except to 
their own users and that participate in the global DCC network. ISPs that use 
DCC to filter mail for their own users are intended to be covered by the free 
license.”

But here’s the thing, if dcc is not enabled by spamassassin, I get a spamd 
error for every message.

-- 
BILL: I can't get behind the Gods, who are more vengeful, angry, and
dangerous if you don't believe in them!  HENRY: Why can't all these Gods
just get along? I mean, they're omnipotent and omnipresent, what's the
problem?


