Re: Fwd: help please

2009-01-15 Thread Matthias Haegele

brunope...@aol.com wrote:




 we need your help.


Indeed ;-).


Apparently yesterday I pushed the wrong button in my control panel which
caused our email server to block all incoming emails. My mail server guy
told me it is because of SpamAssassin.

 


We are not spammers but business people, we don't know how to restore our
email.


hmm.


Can you please help?


Yes. Press the right button?
How do you think we could guess which button you pressed?
If you don't provide more info I bet no one could help you without a 
crystal ball...
Maybe you could tell which buttons you had to configure or show your 
SA config?



Thanks

 


Bruno Perez


[...]


MH


Re: From: and To: Spammers

2008-12-29 Thread Matthias Haegele

Michelle Konzack wrote:

Hello *,

since around 5 days I am hit by several 10.000 very small (~2 kByte)
messages which use my email address in From: and To:...

Does anyone know, how to stop this shit effectively?

1st mail server is courier-mts + courier-imap + spamassassin + clamav
2nd mail server is postfix + dovecot + spamassassin + clamav


search for backscatter:

http://www.postfix.org/BACKSCATTER_README.html




Re: Preconfigured Spamassassin image/setup ?

2008-12-22 Thread Matthias Haegele
Frank DeChellis wrote:
 Is there an image file out there that has a unix server and spamassassin
 config on it, all in one sort of thing?
 
 I have configured spamassassin a few times (one running now) on various
 servers and it does the job "better than OK" but I have the feeling it is a
 lot better than what I'm getting out of it.
 
 I'm talking like a preconfigured image that the end product is of the
 Barracuda spam server genre.

First: I don't know of such a config out there, there may be several
howtos around which could help ...

Such a thing is not only about SpamAssassin, it's configuring your MTA,
iptables/Firewall, maybe using a policy service (for MTA),
and it strongly depends on your organisation,
so imho there is no jack of all trades device that solves all your
problems ...

Sure one could spend a lot of money for such a wonder box
if the knowledge of configuring it is not there but I don't know if it is
worth it ...

 Thanks
 Frank



-- 
Gruesse/Greetings
MH


Dont send mail to: ubecatc...@linuxrocks.dyndns.org
--



Re: sa-update?

2008-09-29 Thread Matthias Haegele

Gene Heskett wrote:

Greetings;

I fired off this script, named sa-update.cron, but which has been disabled in 
the crontab since someone here said it was a waste of time, and now it seems 
to be hung.  Running it as root this time.


Maybe you want to run sa-update -D or check your logs for hints why it 
may be hung ...









--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: How can I catch these?

2008-03-18 Thread Matthias Haegele

Luis Hernán Otegui wrote:

Hi, I'm kinda getting tired of reporting these mails (both to my local
SA and to SpamCop), and so are my customers. My problem is that the
spammers are using a large ISP's mail server, and that particular ISP
(as all the others here in Argentina) don't bother checking the abuse
reports. What drives me crazy is the little score it lacks to go
devnulled...

I've tried adding

blacklist_from  [EMAIL PROTECTED]

to my local.cf

Anyway, here's a sample: http://pastebin.com/m3c0e5b9

Thanks in advance,


X-Spam-Flag: YES
X-Spam-Score: 7.068
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.068 tagged_above=-100 required=5
 tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001,
 MIME_QP_LONG_LINE=1.396, NORMAL_HTTP_TO_IP=0.001

hmm, what's the problem? You got some hits like: bayes_99 ... DCC?



Luis



--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: How to update 3.1.7 to new version

2008-03-12 Thread Matthias Haegele

Sg wrote:

Hi
 I am using SA 3.1.7 in MS Exchange Server. Yesterday 80,000 spam
messages clogging the system. Can anyone tell me, why suddenly getting lot of
spam mails. we need to update the SA or update the rules.. Please tell me
how to update SA in windows?


http://wiki.apache.org/spamassassin/InstallingOnWindows

seems you need gpg for windows too to run sa-update (described above).

Never run it on windows (lucky me :-) ).

--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: SpamAssassin GUI

2008-03-12 Thread Matthias Haegele

Peter Kingsbury wrote:

Hello,

 


Since installing SpamAssassin on my company's Exchange server, I wanted
to make kludging  through potential spam/ham messages faster than using
the slow remote desktop interface that is in place.

 


I wrote a program which allows an admin to quickly scan SA-filtered
messages, and move them to the Learn-Ham or Learn-Spam directories with
single keystrokes. I have found the program quite useful, and want to
share it (source and application) with whomever is interested.

 


I coded the application in VB.NET using MS's free Visual Studio.NET
Express 2008, so I guess it could be ported to other OS's that use Mono
too. Not sure if it would be totally useful in that environment, but as
I strongly believe in open source software, I want to contribute where I
can.




If you're interested, please drop me a line at
[EMAIL PROTECTED]


Why not start a project at sourceforge.net or freshmeat e.g.?



Best regards,

- Peter




--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: SA Windows Version stable? (was: How to update 3.1.7 to new version)

2008-03-12 Thread Matthias Haegele

Sg wrote:

Hi
 I am using SA 3.1.7 in MS Exchange Server. Yesterday 80,000 spam
messages clogging the system. Can anyone tell me, why suddenly getting lot of
spam mails. we need to update the SA or update the rules.. Please tell me
how to update SA in windows?


btw:
What are your experiences with SA on Windows Platform, since I am not 
using it for now. Would you recommend it or are there too many caveats?


(On a few Windows Servers i run a small SA/Postfix Server as a VMWare 
Guest ...)


--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Training Q

2008-01-17 Thread Matthias Haegele

John D. Hardin wrote:

On Wed, 16 Jan 2008 [EMAIL PROTECTED] wrote:


So, all 3 categories include emails that SA has already seen and
presumably included in its Bayesian filters,


Only if you have autolearn enabled. Can we assume that you do from 
this question? You didn't explicitly say.



and emails that it has never seen.

My question is, should I write a program to take out emails that
SA has already seen before I send them through Bayesian
processing, or is it smart enough not to process those again?


sa-learn won't re-learn messages it has already seen unless you change
their classification (e.g. was ham, re-learn as spam). Don't worry
about it.

In addition, keeping a full corpus around helps re-learning from
scratch should you ever need to do so.


Some people advise not to relearn old spam; what would you suggest,
learn only the last 6 months e.g.?

--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Training Q

2008-01-17 Thread Matthias Haegele

Matthias Haegele wrote:

Some people advise not to relearn old spam; what would you suggest,
learn only the last 6 months e.g.?


I meant if you must relearn from scratch how far you would go back?


--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: False positives with Bayes_99

2007-12-20 Thread Matthias Haegele

Merlin wrote:

Hi there,

I am running a well trusted travel community page that sends system
e-mails like register, notice on comments etc. to its opt-in signed up
users.

Since two days all E-Mails from that server get an additional spam score
of 3.5!! by Bayes_99. I looked it up and found that SpamAssassin believes
that it is to 99% spam by training from users. I believe there is more
to it, as I can not believe that
users mark such msges as spam. I also received another e-mail from
another community page that was marked with Bayes_99 despite that it
never has before. How come?! I looked into several red lists for my
server, but the server is not listed anywhere. The only thing I found is
that the server was not set with reverse mapping to the correct
domain, but to the one the hostmaster has set before (it is a root
server). Changed it yesterday to the domain name but still no change
today. Still wrong host. Does this have something to do with Bayes_99?

I am wondering how to get rid of this Bayes_99 thing and how to get to
Bayes_00 that would be more suitable for that e-mail. Do I have to
configure Postfix as the sending instance somehow with anything like
trusted server lists, or with anything else I might have overlooked by
configuring it?

Here is a header of a false positive:

Subject: {SPAM 03.5} Feedback: lost password - please help
X-Spam: spam
X-Spam-score: 3.5
X-Spam-hits: BAYES_99 3.5, BAYES_USED global
X-Spam-source: IP='87.106.60.58',
Host='s15229619.onlinehome-server.info', Country='DE',
  FromHeader='net', MailFrom='net'

Thank you for any help,


afaik the bayes results come only from manual training and autolearn?
So the reverse dns, missing Pointer record is hit by another rule ...

Perhaps you need to retrain the messages as ham (sa-learn --ham ...).
Or if your bayes-database is completely poisoned start from scratch.

Perhaps you could show the bayes_mumble ...


Merlin



--
Greetings  hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Rise up bayes tests

2007-12-20 Thread Matthias Haegele

Paolo De Marco wrote:

Hi.
Sometimes only bayes tests hit mails, so I receive mail with only bayes 
points (for example: X-Spam-Status: No, score=3.5 tagged_above=-999 
required=5 tests=[BAYES_99=3.5])

Does anyone raise up the score of Bayesian test? Is it safe?


afaik it is not recommended to raise the Bayes Score
You could do it but keep in mind if bayes is misguided your higher 
score hits.

(With a well trained bayes it seems reasonable to me)
Perhaps you could find some additional rules/network tests ...
(sare-rules, razor, dcc, pyzor etc (watch licenses if you could use them)).

On new few lines text spam i often get bayes_00 so it is not always 
useful.








--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Deleting from server

2007-12-20 Thread Matthias Haegele

Chris wrote:

Can anyone let me know how to delete from server, if the score is over 8
please ?

Any help appreciated.

Chris.


on amavisd-new e. g. look for:

$sa_kill_level_deflt = 8.0;

maybe you need to watch:
$sa_tag_level*


SA doesn't delete, tagging that must be done by your filter (procmail, 
maildrop, amavis, whatever).
If SA tags for score 8 right, configure your filter to delete/discard 
the message ...



--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--
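
The point made in the reply above (SpamAssassin only scores and tags, and the delivery filter has to act on that score), as an added example that is not part of the original post and is not SpamAssassin or amavisd-new code. It parses the `X-Spam-Status` layouts quoted on this page and, going slightly beyond them, the plain comma-separated `tests=` list; the function names, the sample messages and the rule of trusting the highest score when several headers are present are assumptions made for illustration, and the 8.0 cut-off is the one asked about.

```python
import email
import re
from dataclasses import dataclass, field

# "Yes, score=7.068 ..." / "No, score=2.794 ..." as in the headers quoted on this page.
STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)", re.I)
# Numeric thresholds: required= (SpamAssassin style), tag2=/kill= (amavisd-new style).
THRESH_RE = re.compile(r"\b(required|tag2|kill)=(-?\d+(?:\.\d+)?)")
# tests=[A=1.0,B=2.0] (with per-rule points) or tests=A,B (names only).
TESTS_RE = re.compile(r"\btests=\[?([^\]\s]*)")


@dataclass
class SpamStatus:
    is_spam: bool
    score: float
    thresholds: dict = field(default_factory=dict)
    tests: dict = field(default_factory=dict)


def parse_spam_status(value):
    """Parse one X-Spam-Status value; return None if it is not recognisable."""
    flat = re.sub(r",\s+", ",", value.strip())  # rejoin a folded test list
    flat = re.sub(r"\s+", " ", flat)            # unfold remaining continuation lines
    m = STATUS_RE.match(flat)
    if not m:
        return None
    status = SpamStatus(is_spam=m.group(1).lower() == "yes", score=float(m.group(2)))
    for key, num in THRESH_RE.findall(flat):
        status.thresholds[key] = float(num)
    t = TESTS_RE.search(flat)
    for item in (t.group(1).split(",") if t else []):
        name, _, pts = item.partition("=")
        if not name or name == "none":
            continue
        try:
            status.tests[name] = float(pts) if pts else None
        except ValueError:
            status.tests[name] = None           # keep the rule name, drop bad points
    return status


def route(raw_message, discard_at=8.0):
    """Return (action, status); action is 'discard', 'tag' or 'deliver'."""
    msg = email.message_from_string(raw_message)
    parsed = [s for s in map(parse_spam_status, msg.get_all("X-Spam-Status", [])) if s]
    if not parsed:
        return "deliver", None                  # unscanned mail is never dropped
    # Assumption: a sender can add a header of their own, so act on the worst score.
    status = max(parsed, key=lambda s: s.score)
    if status.score >= discard_at:
        return "discard", status
    return ("tag" if status.is_spam else "deliver"), status


# Constructed sample messages (not taken from real traffic).
SAMPLE_TAG = (
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "X-Spam-Status: Yes, score=7.068 tagged_above=-100 required=5\n"
    " tests=[BAYES_99=3.5, DCC_CHECK=2.17, HTML_MESSAGE=0.001,\n"
    " MIME_QP_LONG_LINE=1.396, NORMAL_HTTP_TO_IP=0.001]\n"
    "\n"
    "body\n"
)
SAMPLE_TWO_HEADERS = (
    "From: sender@example.com\n"
    "X-Spam-Status: Yes, score=12.4 required=5 tests=[BAYES_99=3.5]\n"
    "X-Spam-Status: No, score=-5.0 required=5 tests=[]\n"
    "\n"
    "body\n"
)
SAMPLE_PLAIN = (
    "From: sender@example.com\n"
    "X-Spam-Status: No, score=2.1 required=5.0 tests=BAYES_50,HTML_MESSAGE,\n"
    "\tUNDISC_RECIPS autolearn=no version=3.2.3\n"
    "\n"
    "body\n"
)
SAMPLE_UNSCANNED = "From: sender@example.com\nSubject: no scanner header\n\nbody\n"

if __name__ == "__main__":
    for label, raw in [("tag", SAMPLE_TAG), ("two headers", SAMPLE_TWO_HEADERS),
                       ("plain", SAMPLE_PLAIN), ("unscanned", SAMPLE_UNSCANNED)]:
        action, status = route(raw)
        print(label, "->", action, status.score if status else None)
```
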



Re: False positives with Bayes_99

2007-12-20 Thread Matthias Haegele

Merlin wrote:

On Thu, 20 Dec 2007 03:08:34 -0800, Merlin [EMAIL PROTECTED] said:



On Thu, 20 Dec 2007 11:59:32 +0100, Matthias Haegele
[EMAIL PROTECTED] said:

Merlin wrote:

Hi there,

I am running a well trusted travel community page that sends system
e-mails like register, notice on comments etc. to its opt-in signed up
users.

Since two days all E-Mails from that server get an additional spam score
of 3.5!! by Bayes_99. I looked it up and found that SpamAssassin believes
that it is to 99% spam by training from users. I believe there is more
to it, as I can not believe that
users mark such msges as spam. I also received another e-mail from
another community page that was marked with Bayes_99 despite that it
never has before. How come?! I looked into several red lists for my
server, but the server is not listed anywhere. The only thing I found is
that the server was not set with reverse mapping to the correct
domain, but to the one the hostmaster has set before (it is a root
server). Changed it yesterday to the domain name but still no change
today. Still wrong host. Does this have something to do with Bayes_99?

I am wondering how to get rid of this Bayes_99 thing and how to get to
Bayes_00 that would be more suitable for that e-mail. Do I have to
configure Postfix as the sending instance somehow with anything like
trusted server lists, or with anything else I might have overlooked by
configuring it?

Here is a header of a false positive:

Subject: {SPAM 03.5} Feedback: lost password - please help
X-Spam: spam
X-Spam-score: 3.5
X-Spam-hits: BAYES_99 3.5, BAYES_USED global
X-Spam-source: IP='87.106.60.58',
Host='s15229619.onlinehome-server.info', Country='DE',
  FromHeader='net', MailFrom='net'

Thank you for any help,

afaik the bayes results come only from manual training and autolearn?
So the reverse dns, missing Pointer record is hit by another rule ...

Perhaps you need to retrain the messages as ham (sa-learn --ham ...).
Or if your bayes-database is completely poisoned start from scratch.

Perhaps you could show the bayes_mumble ...


Merlin


--
Greetings  hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Hi,

thank you for your reply. I am not the one who can train it. I am just
running the server with
the community that sends the messages. It is a big problem for me as if
those e-mails do get false
positive no more registration might be possible etc.

The funny thing is, that e-mails with almost identical content (for
example notifications on forum 
replies) from other sites get even a Bayes_00 while mine get Bayes_99

(that is true for the fastmail.fm e-mail
provider). How come? Do you believe it has to do with the content, or
the header? It must be the header as
for example feedback msgs. that I receive through an online form also
get marked with Bayes_99.
The e-mails are sent through the PHPmailer class (opensource). I also
looked there, but could not find a misconfig or so.


Hmm. If you couldn't influence the training process and therefore can't 
rely on it,

you probably don't want to use Bayes scores or at least lower BAYES_99?

Perhaps you would like to use a pastebin-service like http://pastebin.com/
and show us some False Positive Samples (feel free to exchange 
confidential parts, understandable plz).



Thank you for any help,

Merlin



--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Is this a wildcard ?

2007-12-20 Thread Matthias Haegele

Theo Van Dinter wrote:

On Thu, Dec 20, 2007 at 04:57:25PM +0100, Chris wrote:

Just looking through the SA setup on a couple of my accounts, and notice
in the email filters, that this is in place :
 
Destination

$header_subject: contains *  Discard

Isn't * a wildcard ?  Wouldn't that rule above discard all emails ?


That isn't from a SpamAssassin config, so the meaning isn't clear.  * is a
glob character, so could mean anything.  In regexp * means 0 or more of
the thing preceding it, which is nothing, so it's not valid regexp.  It could
also just mean the character *.

You'd really need to look at the docs for what you're actually looking at to
find out what it means.



Perhaps header_subject is used in exim?
Some People might mark Spam mails as *Spam but only * makes no sense 
for me ...


but that's only a guess ...

--
Gruesse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Turning off rules

2007-12-06 Thread Matthias Haegele

John Rudd wrote:



In the past, turning off a rule was supposed to be as simple as setting 
its score to zero.  Is that no longer the case?  I set a rule to zero, 
and it's still showing up in my logs (but it looks like the value is 
correctly being recorded as zero, so it's not affecting my scores; I'm 
just concerned that it might be affecting performance, even if slightly).


What's the current proper way to disable a rule?

(the rule in question is BASE64_LENGTH_79_INF ; in my local.cf I gave it 
a score of 0 but not 0.00)



http://svn.apache.org/repos/asf/spamassassin/branches/3.2/README

Disabled code
-------------
To turn on tests disabled in 50_scores.cf, simply assign them a non-zero
score

Seems it didn't change.

http://svn.apache.org/repos/asf/spamassassin/branches/3.2/UPGRADE

btw: (I had a little difficulties to find the files i searched for a 
changelog ...)


hth






--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Best Practice to whitelist logcheck mailings?

2007-12-06 Thread Matthias Haegele

Hi all!
What you suggest would be best method to whitelist logcheck mails?:

A snippet of a quarantined message:


Return-Path: [EMAIL PROTECTED]
Delivered-To: spam-quarantine
X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
X-Quarantine-ID: 1JtIvtWCm2i6
X-Spam-Flag: YES
X-Spam-Score: 4.032
X-Spam-Level: 
X-Spam-Status: Yes, score=4.032 tag=x tag2=3.5 kill=3.5 tests=[AWL=-2.927,
 BAYES_99=4.5, J_CHICKENPOX_64=0.6, NO_RELAYS=-0.001,
 URIBL_AB_SURBL=1.86]
Received: from myserver.dyndns.org ([127.0.0.1])
 by localhost (myserver.dyndns.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 1JtIvtWCm2i6 for [EMAIL PROTECTED];
 Sun,  2 Dec 2007 04:02:02 +0100 (CET)


I considered putting [EMAIL PROTECTED] in whitelist but i am not sure if it is 
the only possible (and really good) solution?

Thx for any tips.

I know the 3.5 kill level is low but i want it there ... ;-).

--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: russian spam

2007-12-05 Thread Matthias Haegele

Jean-Paul Natola wrote:

Hi all,

Is there a plugin and/or rule to block  russian spam?

Here's a sample


[...]


Jean-Paul


I think the key is to give special score for cyrillic chars (unless 
this doesn't affect your regular mails).


Perhaps:

ok_locales

e.g:
ok_locales en

But I don't expect too much of it ;-)
(ok_languages is afair not that reliable, cmiiw).

Perhaps the URICountryPlugin could help too.

There was a message with a similar problem on the list but I don't find 
it now ...


--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Testing with My Yahoo Account Spams

2007-12-04 Thread Matthias Haegele

mozafar rowshan wrote:

Hi friends!
 
 I've installed SpamAssassin 3.2.3 in CentOS 5, now for testing

 purposes. I've checked SA (spamc/d) and It works for package spam and non-spam
 sample files.
 
 As far as I remember, I did not play with SA settings, so the

 configuration is default.
 
 Anyway, I tested SA with some spam mails from my Yahoo account Bulk

 folder and It did not identify them as spam.


You should not forward mail to SA for spamchecking, try to use SA with 
your actual accounts not any other accounts, spam is individual.


 I like to know that what are reasons for this...?? 
 For example, I think with myself that the loss of some headers like

 Received: headers in my Yahoo spams is such a reason (I should mention
 that my Yahoo spam mails have only four headers: Date:, From:, To: and
 Subject: ) or training is needed. 


For Training you need at least 200 ham/spam messages (messages from 
which sa-learn could learn, so if there are no new tokens to learn you 
need probably more messages), iirc.


Headers are essential for SA ...


 Very thanks.



http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions
http://wiki.apache.org/spamassassin/SpamAssassin
http://wiki.apache.org/spamassassin/TestingInstallation

hth
--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: white-list doubt

2007-11-30 Thread Matthias Haegele

mouss wrote:

Morvan Daniel Müller wrote:

I use amavisd-new, entries into amavisd.conf:
@blacklist_sender_maps = read_hash($MYHOME/black_sender.lst);
@whitelist_sender_maps = read_hash($MYHOME/white_sender.lst);
read_hash(\%spam_lovers, '/var/spool/amavisd/spam_lovers.lst');

Into these files I put one entry per line.
It doesn't work!

I test with spam GTUBE signature and the message go to quarantine even
if the sender is into the
white_sender.lst or the recipient is into spam_lovers.lst!
Something wrong with the syntax?

Other Doubts:
1) Can I put entries like   [EMAIL PROTECTED]  or   spam.com.br  to
deny/allow
the entire domain, or How I do it?
2) This control (white, black, spam_lovers) applies for spam,
badheaders and
banned content, its OK?
3) For virus detected by amavisd-new/clamav module, white_sender.lst and
spam_lovers.lst are sent to the user mailbox?


you'll need to ask on the amavisd-new mailing list!


Despite this, could it be that the score for whitelist is -100 but the 
GTUBE sample spam is 1000, so it would hit the threshold anyway and go to 
quarantine.


http://wiki.apache.org/spamassassin/ManualWhitelist






--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: TTAB Dismisses Hormel's Petition to Cancel SPAM ARREST Trademark

2007-11-29 Thread Matthias Haegele

John Wilcock wrote:

Matt Kettler wrote:

You can use generic words in trademarks (ie: Windows). However, the fact
that your mark is generic will prevent you from trying to claim
infringement against someone using it in a market outside the one you've
registered the mark for. You can only do that if your mark is considered
unique and non-generic.


Let's see, vista is a generic word, windows is a generic word, so 
Microsoft would have no grounds for claiming infringement against a 
glazier registering Vista Windows as a trademark...


scnr: He would be soon out of business cause people would expect his 
products to break easily?.



John.



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



How to catch these?

2007-11-28 Thread Matthias Haegele

Hello!

This one got through, any ideas?:


Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
by hermes.linuxrocks.dyndns.org (Postfix) with ESMTP id 9BE29764010
for [EMAIL PROTECTED]; Wed, 28 Nov 2007 00:04:09 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at localhost.localdomain
X-Spam-Score: 2.794
X-Spam-Level: **
X-Spam-Status: No, score=2.794 required=3.5 tests=[BAYES_50=0.001,
HTML_10_20=1.351, HTML_MESSAGE=0.001, J_CHICKENPOX_74=0.6,
UNDISC_RECIPS=0.841]


Received: from hermes.linuxrocks.dyndns.org ([127.0.0.1])
	by localhost (hermes.linuxrocks.dyndns.org [127.0.0.1]) (amavisd-new, 
port 10024)

with ESMTP id eKYikw4rF1n8 for [EMAIL PROTECTED];
Wed, 28 Nov 2007 00:03:49 +0100 (CET)
Received: from blu139-omc2-s18.blu139.hotmail.com 
(blu139-omc2-s18.blu139.hotmail.com [65.55.175.188])

by hermes.linuxrocks.dyndns.org (Postfix) with ESMTP id B61BB764005
for [EMAIL PROTECTED]; Wed, 28 Nov 2007 00:03:41 +0100 (CET)
Received: from BLU111-W50 ([65.55.162.186]) by 
blu139-omc2-s18.blu139.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);

 Tue, 27 Nov 2007 15:03:40 -0800
Message-ID: [EMAIL PROTECTED]
Content-Type: multipart/alternative;
boundary=_a723c12f-5e49-4365-8d30-2ff0c7c47d4d_
X-Originating-IP: [41.207.195.150]
Reply-To: [EMAIL PROTECTED]
From: philip kakou [EMAIL PROTECTED]
Subject: Attention S V P
Date: Wed, 28 Nov 2007 00:03:40 +0100
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 27 Nov 2007 23:03:40.0250 (UTC) 
FILETIME=[BFEE53A0:01C83149]

To: undisclosed-recipients:;

Complete message on:

http://pastebin.com/m77b30ea7

Using: SA 3.1.7 on Debian Etch, SARE-Rules, Sane-Security-Sigs for 
Clamav., Postfix 2.3.8



Thx for any help, tips.


--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: How to catch these?

2007-11-28 Thread Matthias Haegele

Martin.Hepworth wrote:

Matthias

My system on 3.1.8 scores this..


Meanwhile i upgraded to:
*** 3.2.3-0.volatile1 0
500 http://ftp.de.debian.org stable/volatile/main Packages
perhaps this helps too ...


Content analysis details:   (7.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 HELO_EQ_LOCALHOST      HELO_EQ_LOCALHOST
 0.8 UNDISC_RECIPS          Valid-looking To undisclosed-recipients
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 2.3 MANGLED_VIDEO          BODY: mangled video(s)
 0.6 J_CHICKENPOX_74        BODY: {7}Letter - punctuation - {4}Letter
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4796]
 1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?65.55.162.186]

The MANGLED_VIDEO is from one of Jennifer's rules on 
http://www.rulesemporium.com/other-rules.htm - guess which one ;-)


Ty. Would you suggest to use all the other-rules?
(I didn't use them till now, cause I thought they might be outdated, but 
it seems good old rules fit these days too ;-).




--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Add Keyword

2007-11-26 Thread Matthias Haegele

Emre BALCI wrote:

Hii All
I want to add some keywords like replicas,rolex into a rule file 
which file and which rule that you advice ?


I don't think this is necessary?, your mail gets:

X-Spam-Status: No, score=3.537-3 required=3.5 tests=[BAYES_00=-2.599,
EM_ROLEX=1.57, REPLICA_WATCH=2.9, SARE_SPEC_ROLEX_REP=1.666]


(I use some sare-rules here. From: http://www.rulesemporium.com/ ...)


Regards



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: High Qmail-Server Load

2007-10-31 Thread Matthias Haegele

Qnet .. wrote:

Hi Guys,
I'm running a Qmail server with spamassassin + clamav + Simscam.
The server I'm using is a HP ML110 CPU PIV (3.2 GHZ) 2mb cache, 1GB RAM.

The problem is, that I'm getting very high load because spamd is the processes 
which take the most part of the load
(invoked by spamassassin) si it's Spamassassin crash. I can stop spamassassin and then start it to work 
again.



Do you know any way to solve it? sorry for my bad english . 


Perhaps you could tweak the number of processes (qmail/SA), adjust 
scanned message sizes?

Do you use extra rulesets?
What causes the high load? CPU, i/o wait, memory?
Which SA Version?



Thank you.



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: SPAM tagging

2007-10-30 Thread Matthias Haegele

Agnello George wrote:

Hi
i have installed  amavisd new on my postfix mailserver. Now i need to test
spam , so I  sent a mail with the following text in  the body ( see link )
 .. this is found at http://spamassassin.apache.org/gtube/ .

As per the logs the mail is being blocked, but our requirement is that it
should be tagged as SPAM ( ***SPAM*** ) . Below are the logs

###
Oct 30 11:50:08 fedora7 amavis[3784]: (03784-01) Blocked SPAM, MYNETS LOCAL
[127.0.0.1] [ 127.0.0.1] [EMAIL PROTECTED] -
[EMAIL PROTECTED],
Message-ID: [EMAIL PROTECTED], mail_id:
itV2-9cTSct6, Hits: 1001.149, size: 807, 1698 ms
Oct 30 11:50:08 fedora7 postfix/smtp[3749]: 80590464DE: to= [EMAIL PROTECTED], relay=
127.0.0.1[127.0.0.1]:10024, delay=1.8, delays=0.06/0/0.01/1.7, dsn=2.7.0,
status=sent (250 2.7.0 Ok, discarded, id=03784-01 - SPAM)
Oct 30 11:50:08 fedora7 postfix/qmgr[3499]: 80590464DE: removed
##
Do let me know how to tag SPAM mails




Perhaps this is not an amavisd-new list ;-).

You should read through the well commented amavisd config (located here 
on Debian/Etch):



zless /usr/share/doc/amavisd-new/examples/amavisd.conf-sample.gz


look for tag_level and which actions are taken especially on kill_level 
(default might be to quarantine or discard)



$sa_tag_level_deflt
$sa_kill_level_deflt









--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: remove email

2007-10-30 Thread Matthias Haegele

xou4 wrote:
Hello, 

I want to remove the mails on which a score above 30 

Thank you in advance for your help 


spamassassin tags messages whatever filter you use could do this ...



Xou



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: remove email

2007-10-30 Thread Matthias Haegele

Matthias Haegele wrote:

xou4 wrote:

Hello,
I want to remove the mails on which a score above 30
Thank you in advance for your help 


spamassassin tags messages whatever filter you use could do this ...


Perhaps you want to use amavisd-new or procmail or ...

(Using Postfix/amavisd-new/spamassassin here)


Xou



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: How to block the bat!

2007-10-18 Thread Matthias Haegele

Robert Braver wrote:

Hello Payne,

On Wednesday, October 17, 2007, 9:43:25 PM, you wrote:

c spam I am using is coming from the mail program.

c http://www.ritlabs.com/en/products/thebat/

Just to be clear, I doubt highly that the spam you are seeing is
coming from an actual copy of The Bat.

Spamassassin will tag and score messages that claim to be from the
Bat that it can tell isn't really (just as it does for obviously
false Outlook x-mailer headers).  The only problem is that this rule
falsely fires sometimes on messages that have been relayed through a
mailing list.


Exactly. Is there a known workaround for this (false hits with 
Bat-Messages sent through ML)?

What would you suggest?

I am having this problem regarding a german mailinglist.:
(AWL Score seems to be too quick and dirty ...)


X-Spam-Status: No, score=2.763 required=3.5 tests=[AWL=0.521, BAYES_00=-2.599,
FORGED_MUA_THEBAT_CS=2.2, REPTO_OVERQUOTE_THEBAT=2.641]
X-Mailer: The Bat! (v3.99.24) Professional


The user is known to me and he is using The Bat.

btw:
It seems to be the same with Microsoft Internet Mail Service.






--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: sa-update channel detail

2007-10-12 Thread Matthias Haegele

Bowie Bailey wrote:

Is there any way to get sa-update to output detail about which channels
were updated?  I currently get an email when it updates something, but I
can't tell which channels were updated without digging into the
directory structure looking for timestamps.


man sa-update?

sa-update -D?






--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: pyzor check failed (can't fork at Util.pm)

2007-10-02 Thread Matthias Haegele

Frank Niedermann wrote:

Hi,

on a fresh Debian 4.0 installation with Spamassassin 3.1.7 I get to
following message:

Oct  2 06:01:20 zoidberg spamd[17975]: spamd: connection from localhost
[127.0.0.1] at port 58519 
Oct  2 06:01:21 zoidberg spamd[17975]: spamd: processing message

[EMAIL PROTECTED] for
[EMAIL PROTECTED]:2000 
Oct  2 06:01:25 zoidberg spamd[17975]: pyzor: check failed: Can't fork at
/usr/share/perl5/Mail/SpamAssassin/Util.pm line 1308. 


[1]


Oct  2 06:01:27 zoidberg spamd[17975]: spamd: identified spam (1001.9/6.5)
for [EMAIL PROTECTED]:2000 in 6.3 seconds, 1959 bytes. 


Spam mail is getting recognized, I've tried with the GTUBE test. But
something seems to be wrong with starting the pyzor checks, does anybody
know why?



How do you call pyzor?

Perhaps you find hints with:

spamassassin -D


 spamassassin -d [  mailmessage | path ... ]



as described in man 3 spamassassin

btw:

Debian Etch too here:

ii  perl           5.8.8-7
ii  perl-base      5.8.8-7  The Pathologically Eclectic Rubbish Lister
ii  perl-modules   5.8.8-7  Core Perl modules
ii  spamassassin   3.1.7-2  Perl-based spam filter using text analysis


But i call SA from:

ii  amavisd-new   2.4.2-6.1


dunno if it makes a difference in this case ...

[1] Perhaps someone could help:
How could i show/jump to line 1308 of Util.pm and more important are the 
comments ## counted as lines or not?
(I tried less with the command g but not sure if it jumped to the 
exact position)



Regards,
  Frank



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: pyzor check failed (can't fork at Util.pm)

2007-10-02 Thread Matthias Haegele

Frank Niedermann wrote:

Hi Mark,


Mark Martinec wrote:

run mode Oct  2 09:16:02 localhost spamd[6032]: pyzor: check timed out
after 5 seconds

But I have no idea why pyzor gets terminated :(

Because you told it to. You probably have a
  pyzor_timeout 5
somewhere in config files.

  Mark




where do I have to look for this parameter? I grepped through /etc recursively
but there was no value pyzor_timeout.


Where did you configure it?


with amavis it's here:

/var/lib/amavis/.pyzor/


man pyzor
/usr/share/doc/pyzor/README.Debian


FILES
   ~/.pyzor/config


So it's probably in the home of the user who runs pyzor.


Frank



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Robert Sexton filter

2007-10-02 Thread Matthias Haegele

Steven Stern schrieb:
We get many, many emails from a Robert Sexton who claims he'll do 
wonders with search engine placement.  As fast as I add an address to 
the blacklist, he comes in with another.  For example, from the AWL 
tables on one of our MX servers:


It's useless to filter for (forged) mail addresses.
Perhaps you could provide a spam sample so people can check it and see 
which rules are hit (or not).

You should provide more infos ...
(Which Version of SA you use ...)

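+----------+-------------------+--------+-------+----------+------------+
| username | email             | ip     | count | totscore | lastupdate |
+----------+-------------------+--------+-------+----------+------------+
| root     | [EMAIL PROTECTED] | 66.174 |    11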


[...]

Does anyone have a rule handy that would replace my blacklist_from 
entries with something more versatile?



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Every e-mail is now getting a new score, creating a lot of false positive.

2007-09-24 Thread Matthias Haegele

cpayne schrieb:

Guys,

I am not sure when this started but now every e-mail that comes on to my 
box has this score...


 2.0 MISSING_SUBJECT  Missing Subject: header
-0.0 NO_RECEIVED      Informational: message has no Received headers
 0.1 TO_CC_NONE       No To: or Cc: header

I use amavisd, spamassassin, and postfix. What rule set this? Why would 
every email be getting this.


Perhaps you could show a complete message?
Maybe config errors (removed headers ...)?

Without further details it is hard to guess ...
Which versions you use ...


Chuck



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Every e-mail is now getting a new score, creating a lot of false positive.

2007-09-24 Thread Matthias Haegele

cpayne schrieb:

Matthias Haegele wrote:

cpayne schrieb:

Guys,

I am not sure when this started but now every e-mail that comes on to 
my box has this score...


 2.0 MISSING_SUBJECT  Missing Subject: header
-0.0 NO_RECEIVED      Informational: message has no Received headers
 0.1 TO_CC_NONE       No To: or Cc: header

I use amavisd, spamassassin, and postfix. What rule set this? Why 
would every email be getting this.


Perhaps you could show a complete message?
Maybe config errors (removed headers ...)?

Without further details it is hard to guess ...
Which versions you use ...


Chuck



Ok, this message is spam, but I think this what you are looking for, if 
not please let me know. But those lines are showing up in every email.


Perhaps the complete message would help more ...
(Your MUA should have a button or option to show the source code; with 
Thunderbird it's CTRL-U, here)


[Anatrim spam]


Content analysis details:   (6.9 points, 1.5 required)

 pts rule name          description
---- ------------------ --------------------------------------------------
 1.1 HTML_20_30         BODY: Message is 20% to 30% HTML
 0.2 HTML_SHOUTING3     BODY: HTML has very strong shouting markup
 0.0 HTML_MESSAGE       BODY: HTML included in message
 3.5 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
                        [score: 0.9974]


btw:
0.99 for Bayes_99 seems really low for me, but that depends on your 
policy ...



 2.0 MISSING_SUBJECT  Missing Subject: header
-0.0 NO_RECEIVED      Informational: message has no Received headers
 0.1 TO_CC_NONE       No To: or Cc: header


[...]

--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Every e-mail is now getting a new score, creating a lot of false positive.

2007-09-24 Thread Matthias Haegele

Daryl C. W. O'Shea schrieb:

Matthias Haegele wrote:

cpayne schrieb:



3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
   [score: 0.9974]


btw:
0.99 for Bayes_99 seems really low for me, but that depends on your 
policy ...


99.74% seems reasonable for BAYES_99 to me.


Oops i exchanged the Score of 3.5 with the Probability of 0.9974 - 
99,74xx%.

Many thanks for your correction ;-).


Daryl



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: SA only seeing certain mails

2007-09-18 Thread Matthias Haegele

larkim schrieb:

I own a couple of domains that are hosted on a shared hosting setup, for
which I don't have shell access but do have cPanel access.

For quite a while SA was working nicely, but recently it appears to have
stopped filtering many mails.  The reason I am saying this is that mails are
arriving in my mailbox (on the server) for which a few have X-Spam headers
written, but most of them don't.





The hosting is running SA 3.2.3.  My user_prefs file contains:-
required_score 4
required_hits 4
rewrite_header subject MATTSPAM
bayes_expiry_max_db_size 15 


At which threshold are the headers inserted, I don't see that value here?


I've had problems with toks files not expiring properly and the bayes_toks
file growing to 40MB, as well as file locks sometimes not being removed, so
daily I have two cronjobs running:-
ls -l .spamassassin/ to give me a file listing so I can delete any locked
files (get a lock about once every 5 days or so)
sa-learn --force-expire -D to keep bayes_toks under control

Both of these seem to work fine, and may be overkill.  


What I'm looking for is a way (behind cPanel) to debug what is or isn't
happening with SA to cause some mails to be seen by SA and some not to be
seen.  I get about 5 ham mails per day, and about 1,000 spam mails, so its
starting to irritate me!!


Ooh, that's a bad ratio ;-).


Any help gratefully received!  (I don't pay anything for the shared hosting
as I get it free from a mate who is a re-seller, so I'm not really in a
position to hassle their help desk!)



Some ideas:
Check the logs (or maybe ask them to do so)?
Perhaps mails without headers exceed some filesize thresholds?
Without detailed info there may be only guesses ...


TIA!

Matt



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: RulesDuJour

2007-09-03 Thread Matthias Haegele

Rocco Scappatura schrieb:

Hello,

It is some weeks that I get errors while I try to update the SA
rulesets.

For example recently I get an error after the update of TripWire and
SARE rulesets:

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f /etc/mail/spamassassin/tripwire.cf
/tmp/RulesDuJour/99_FVGT_Tripwire.cf.2; mv -f
/tmp/RulesDuJour/tripwire.cf.20070831-1530
/etc/mail/spamassassin/tripwire.cf; mv -f
/etc/mail/spamassassin/70_sare_stocks.cf
/tmp/RulesDuJour/70_sare_stocks.cf.2; mv -f
/tmp/RulesDuJour/70_sare_stocks.cf.20070831-1530
/etc/mail/spamassassin/70_sare_stocks.cf;

Lint output: [826] warn: config: failed to parse line, skipping:
HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0.1 [826] warn:
config: failed to parse line, skipping: META HTTP-EQUIV=Pragma
CONTENT=no-cache [826] warn: config: failed to parse line, skipping:
META HTTP-EQUIV=Expires CONTENT=-1 [826] warn: config: failed to
parse line, skipping: /HEAD/HTML [826] warn: lint: 4 issues
detected, please rerun with debug enabled for more information

I can't  try how to solve this problem..

Maybe is there any outdated ruleset? If yes, which is it?


Using sa-update is the suggested method now:

http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

or read the list's archive, you should find many posts on this ...


Thanks,

rocsca



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Sneaky [EMAIL PROTECTED] slipped through

2007-08-20 Thread Matthias Haegele

Loren Wilton schrieb:

It was written by Jennifer several years ago.

http://www.rulesemporium.com/rules/chickenpox.cf


Why it isn't in a regular sare rule? Does it behave well with 
non-english messages?


I'm going on memory here, but I *think* that chickenpox had minor 
problems with some languages and some encodings.  I would expect they 
might FP all over the place on Chinese or other ideographic languages.


Getting FPs on logcheck messages.
Very few regular mailing list mails (German language) get scored too; 
since the score here is only J_CHICKENPOX_37=0.6 it's no real problem 
with FPs for me.

Some of the other related rulesets (backhair, I believe, for one) are 
based on the frequency and requirements of letters in the English 
language, so will very likely FP on the non-romance languages, and 
possibly even on many romance languages.  They will certainly be less 
effective than on English, which is what they were written for.


   Loren



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Please help me to improve SA performance

2007-08-17 Thread Matthias Haegele

SA Lists schrieb:
Matthias +all, 


Thank you very much.

On Thu, Aug 16, 2007 at 01:02:53PM +0200, Matthias Haegele wrote:
You only mentioned running sa-learn on spam; you should also learn your 
ham messages, both are important. Bayes performance will only be good if 
learned on both, ham and spam.


Yes, thank you. For the sake of brevity I did not describe fully what I do, but 
I do indeed run sa-learn on the ham too (I have a nightly cron job that 
collects all the mail from a selection of folders and concatenates it into one 
mbox; I then run sa-learn --ham on that and sa-learn --spam on the spam folder).

...and now I'm not so sure that it's a good idea to change the rules' 
scores. I suppose I could reduce the threshold to 4.5; but I don't know if 
that's a good thing either.
I reduced the threshold too, but also watch quarantine regularly for FPs, 
it works fine for me ...


I haven't yet done this (but am still thinking about it) see below...

What's the best way for me to improve SA performance (bearing in mind that 
I'm really only an amateur spam fighter).


Me too ;-).


Thanks in advance

perhaps you could use:
clamav sanesecurity
SARE Rules
Botnet plugin
too ...


Well thanks for this.

I do clam checking before SA so I guess clamav sanesecurity would be 
duplicating that...


Don't think so:
http://www.sanesecurity.co.uk/clamav/
Phishing and Scam Signatures for ClamAV


I have just now included many of the SARE rules in my sa-update. I am almost 
looking forward to getting some spam to see if they work! :)
...I presume that simply adding the rules via sa-update (as per the instructions on the 
wiki) is enough - they don't have to be activated in any way do they?


running sa-update (cron job) should do it...


Having added all the extra SARE rules I haven't changed the overall threshold 
until I see what effect they have.


Good idea, some of the rules might hit on HAM too ...


Where can I find out more about the Botnet plugin? (There doesn't seem to be a 
reference to it on the wiki).


http://people.ucsc.edu/~jrudd/spamassassin/
Download the latest version, untar it and read *txt and INSTALL ;-).
You could search this mailing list's archive too for more info on it.
spamassassin users botnet plugin might give some results.


Thanks again.


NP, hf.


AD



--
Greetings  hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Question - How many of you run ALL your email through SA?

2007-08-16 Thread Matthias Haegele

John Rudd schrieb:

Marc Perkel wrote:
As opposed to preprocessing before using SA to reduce the load. (ie. 
using blacklist and whitelist before SA)






I do not.

(greet-pause of 5 seconds; zen and dsbl as blacklists; local access type 
blocks; dangerous attachment filename blocker; and then clamav with 
Sanesecurity, MSRBL, MBL signatures; all of those _reject_ messages 
during the SMTP session before Spam Assassin gets to see them)


Nearly the same setup as John. If you have the opportunity to block at MTA 
level I think you *really should do this*. (It's around 80% rejects here). 
Additionally I block some TLDs like .ar|br|cl|ru|pl|jp|hu with which I don't 
have regular mail contact here ...

btw: MTA is Postfix.

--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: normail marked as spam

2007-08-16 Thread Matthias Haegele

Sg schrieb:

Hi

 One of my client domain mail marked as spam. I want to receive normal
mail from their domain. how to set rules that particular domain mails are
not spam.


Perhaps you want to search the spamassassin wiki for whitelist?






--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Please help me to improve SA performance

2007-08-16 Thread Matthias Haegele

SA Lists schrieb:

Hello all,

I am only a home user, but I am trying to provide a spam-free environment to all members 
of my household. I have SA (3.2.2) set up with bayesian rules and run sa-learn every 
night. SA's performance is average (having caught c.600 out of the 1,000 or 
so spam mails currently in my spam folder (used for sa-learning).

Today I had a small rash of those spam mails that have about three lines of 
random words. SA let about 8 through and caught 2. Here are the headers from 
one of each:


You only mentioned running sa-learn on spam; you should also learn your 
ham messages, both are important. Bayes performance will only be good if 
learned on both, ham and spam.


[Spam Samples removed]


I thought perhaps that I would increase the scores on the bayes rules but then 
I read this on the SA wiki:

Note: Scores for learn rules, such as BAYES_*, that rate the probability that a message is spam, are scored 
using the same method. This can produce confusing scores, for instance, that have BAYES_80 with a higher 
score than BAYES_99. There are a few reasons for this. 1) The score generation system does not understand that BAYES_* 
are related to one another, they're separate rules that need separate scores. 2) More importantly, the higher the 
probability from a learn rule, the higher likelihood that the message also hit a bunch of other rules. This 
lets the score generation system lower the learn rule score due to the inevitable false positive, while 
also still marking the message as spam via the sum of all rule scores.

...and now I'm not so sure that it's a good idea to change the rules' scores. I 
suppose I could reduce the threshold to 4.5; but I don't know if that's a good 
thing either.


I reduced the threshold too, but also watch quarantine regularly for FPs, 
it works fine for me ...




What's the best way for me to improve SA performance (bearing in mind that I'm 
really only an amateur spam fighter).

Thanks in advance


perhaps you could use:
clamav sanesecurity
SARE Rules
Botnet plugin
too ...


AD



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Blacklist mail

2007-08-16 Thread Matthias Haegele

Johnson, S schrieb:

A few months ago I created a fake user and advertised it in a hidden
mailto on our home page.  It took a few weeks but I'm getting good spam
messages being dropped into this box now.  I know I can use the learn
function to pull the messages from my exchange server, however I know
these messages are strong spam.  Should I just use the learn function or
is there a way to blacklist the servers sending these messages? (or is
there a better method?)


Don't know if it's useful (or worth it) to blacklist the servers (maybe 
they are lots of spambots or changing rapidly).

sa-learn --spam ... works fine for my spamcatcher here ...






--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: DCC Troubles

2007-08-15 Thread Matthias Haegele

Matt schrieb:

I am getting this continuously in my maillog log file running exim and sa.

dccproc[18723]: open(/var/dcc/map): Permission denied


ls -la ...?


I have DCC installed.

[EMAIL PROTECTED] ~]# rpm -qa | grep dcc -i
dcc-1.3.57-0.rhel4

Any idea what is wrong?


spamassassin --lint -D ?
Show the settings regarding dcc in your local.cf?


Matt



--
hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Delivery-Failure on Spam

2007-07-26 Thread Matthias Haegele

Matus UHLAR - fantomas schrieb:

On 26.07.07 15:13, Sebastian Ries wrote:
I have the problem that I get Delivery Failure notices and such mails sent to 
one email address. This also includes vacation answers and such stuff.


These answers are sent on spam - so someone is faking the From:
Reading the subject tells that it is definitely spam.
Is there a possibility to catch this?
It's about 20 mails per hour...


I think there are some tests for delivery notices and autoresponses.
(see 20_vbounce.cf in rules directory).

You also can train bayes filter on them and probably to razor/pyzor
(I think spamassassin -r will take care of all of that).


Backscatter:

http://en.wikipedia.org/wiki/Backscatter
Section: Backscatter of email spam

http://spamlinks.net/prevent-secure-backscatter.htm

Perhaps you could also deal at MTA Level with this.

Rarely it helped to contact the postmaster of backscatter sources.
There are also some blacklists (no experience on this).

--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: BAYES_99 and ham

2007-07-26 Thread Matthias Haegele

Justin Mason schrieb:

martin f krafft writes:

Hi list,

I just had a flood of spam coming through, which SA classified as
ham. On closer inspection, it turns out that the only tests
triggered for all those mails were HTML_MESSAGE and BAYES_99.

HTML messages are commonplace today (unfortunately), so they don't
add anything to the score.

BAYES_99 yields 3.5 points.

What's curious is that in this scenario, even though SA thinks that
the message is 99%-100% likely to be spam, it will always classify
it as ham, and further learning does not have any noticeable effect.

I know how SA scores are computed. I do wonder how that algorithm
applies to the BAYES_* tests though. Don't you think BAYES_99 should
yield  5 points to trigger the threshold on default installs?
Shouldn't thus BAYES_* be renormalised?


The Bayes rules are too dependent on user training to be entirely
trustworthy, and most users will not train them enough, or occasionally
make mistakes, for them to be treated as such.  However, if you've put in
the effort to train them well, feel free to increase their score...


Yes, most users won't train, but constantly complain about the bad 
performance of spam scoring ;-).


Never seen False Scoring for BAYES_99 (well trained, manual).
Spam rarely gets  BAYES_50.
So the higher score works fine (for me).

Just my 2 cent.


--j.



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Configuring - local.cf and more

2007-07-09 Thread Matthias Haegele

ChrisWilbur schrieb:

I'm clearly only just approaching the bottom of the nursery slopes of this
learning curve...

1
I installed SA using apt-get install spamassassin on a Linux (?Debian?)
server, running procmail.


Seems so. Unless you use apt4rpm or likewise ...



That's given me version 3.0.3.  I'm reluctant to risk breaking things.  Can
I easily upgrade to something more current?  (TOLD you I was on the nursery
slopes...)


Version 3.1.7 is stable in Debian (Etch). I assume you are using Sarge.
Perhaps you want to upgrade your Base System before upgrading 
Spamassassin ...

(Follow upgrade guides Release Notes on debian.org)

--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: So what about rulesemporium.com and these anti-PDF rules?

2007-07-04 Thread Matthias Haegele

Robert Schetterer schrieb:


Justin Mason schrieb:

Henrik Krohns writes:

On Wed, Jul 04, 2007 at 10:08:29AM +0100, Justin Mason wrote:

Bear in mind that the spammer who is developing this PDF spam is only one
person, and he/she probably has at least one non-spammy-looking email
address at his disposal.

What's to stop him/her from asking Dallas for a copy of the ruleset and
plugin, same as any other SpamAssassin user, waiting a few days to cover
his/her tracks, then fixing the spam to avoid it again?

And if you think this isn't already happening, I have a bridge for sale ;)

If I was a spammer, I couldn't care less if few people were using some
secret PDF blocking stuff. It's not like AOL or some big companies are using
it. :)

oh yeah -- good point.  On one occasion in the past when spammers have
evaded open-source-developed rules, I was able to find out later why they
made those changes, and it had nothing to do with our little open source
projects... instead it was to evade AOL's independently-developed,
closed-source, secret-sauce filtering which used a similar method.
The big guys are the spammers' targets.

--j.


Hi, I have the pdf rules up and running,
they are working nicely.
But I haven't received any pdf spam for days.
On our big back mx mail hub, clam (with some additional databases)
deletes ca. 10 of them a day.

I think we will see other spam in the future
in other file sorts, and it will always be a competition
between spammers and antispam tecs.


Ack.
scnr: So what comes next?: After image-spam, pdf-spam it must be 
microsoft-office-documents-spam?.


Just to be a step ahead this time i consider blocking these 
(ms-office-attachments) in advance ;-).



I think we will never avoid spam in total as long as smtp
stays for mail, but we can make it more difficult for spammers
to reach their goals, so I recommend taking it easy, no need for
flames between the good boys

http://sanesecurity.co.uk/ is working nicely if you're under pressure
with pdf spam


Using this a few weeks too, had no FPs so far ...


- --
Mit freundlichen Gruessen
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany



--
Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Blacklist a mailing list

2007-07-02 Thread Matthias Haegele

Bob Proulx schrieb:

dougp23 wrote:

I am a member of a mailing list, and I can't get them to reply to me to
remove me from the list.


Because of what you are saying it is making me think this is matching
a very common error pattern.  Unfortunately it is human error and not
a machine error.

I assume this is a program managed mailing list such as Mailman,
Listserv, SmartList, Majordomo, or other?  Very often I have seen
people claim that they cannot get off of a mailing list when in
reality it was pilot error and they were not using the right control
address.


I have tried sending 'unsubscribe' to the list, to no avail.


Hopefully you did not actually send that to the mailing list itself.
That would be a breach of etiquette.

Remember that for the typical mailing list sending to the
MAILINGLIST-request address is the control robot to handle your
control request automatically.  Sending to the MAILINGLIST-owner
address should go to a real live person who can help you if there is
something not working right.

Did you send an unsubscribe message to the MAILINGLIST-request address?

Did you send a request for help to the MAILINGLIST-owner address?

Those steps should always be done before sending administrative
requests to the mailing list itself.  Users on mailing lists usually
can't affect any changes to it.


Did you ever search the mailing list e-mails' source code (with all 
headers)?


For example:
--
Example for the Debian ISP-Mailinglist:

List-Id: debian-isp.lists.debian.org
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]
List-Unsubscribe: mailto:[EMAIL PROTECTED]
^^
That's what you are probably searching for ...
So in this example you direct your request to
[EMAIL PROTECTED] with Subject: unsubscribe ...
and *not* to the mailing list address!

End of Example for the Debian ISP-Mailinglist
--

@ OP:
Perhaps if you provided the list name the chance is there that someone 
on this list could provide the mechanism to unsubscribe ...


Bob



--
Greetings  hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: RulesDuJour lint failed. Updates rolled back.

2007-06-27 Thread Matthias Haegele

David Boltz schrieb:

I've been getting the lint failures found below on my Rules Du Jour
updates for a few weeks now.  Yes this would be since the DDoS attacks


[RDJ Problems ...]

btw:
Are there any additional things to know/caveats if i want to use
sa-update channels for RDJ:
(besides adding the default channel as described in: 
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt)



Regards,
Dave B.



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: RulesDuJour lint failed. Updates rolled back.

2007-06-27 Thread Matthias Haegele

Nigel Frankcom schrieb:

On Wed, 27 Jun 2007 08:48:02 -0400, David Boltz [EMAIL PROTECTED]
wrote:


I've been getting the lint failures found below on my Rules Du Jour
updates for a few weeks now.  Yes this would be since the DDoS attacks
on rulesemporium.  It looks like the same problem people have been
having with the tripwire but for me it's the adult and since just
recently the spoof rules. The solutions I've seen don't seem to work
for me. I see that my cron job (run nightly) is pulling some HTML
source instead of the rules.  I've tried removing the faulty
70_sare_adult.* from etc/mail/spamassassin/RulesDuJour/ and manually
replacing it with the "actual" file using wget.  I've even manually
updated the used /etc/mail/spamassassin/70_sare_adult.cf to ensure
that it was correct.  When I use "wget
http://rulesemporium.com/rules/70_sare_adult.cf" to grab the file it
works without problems. Does anyone have any ideas on how I might fix
this problem?

snip
***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f /etc/mail/spamassassin/70_sare_adult.cf


The quick cure is to delete anything in the
/etc/mail/spamassassin/RulesDuJour/ directory and rerun RDJ by hand.


That works, until the next run, then same error here ...


That worked for me on CentOS 4.5

The bug has been reported and a fix is due in 3.2.2 I believe.

Regards

Nigel



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: AW: Bayes became to work very bad

2007-06-22 Thread Matthias Haegele

Joerg Reisslein schrieb:


With kind regards
Do you have a link for the botnet plugin?


$searchmachine download botnet plugin spamassassin

http://people.ucsc.edu/~jrudd/spamassassin/

Docs in tarball provide details for install.


--
hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Fwd: RulesDuJour Run Summary on taz5.fiberhosting.net

2007-06-21 Thread Matthias Haegele

Phil Barnett schrieb:

On Thursday 21 June 2007 03:38, Matthias Keller wrote:


Just try to delete the downloaded files in your rules_du_jour folder
(for example /etc/mail/spamassassin/rules_du_jour/* ), respectively just
the rule(s) that go wrong. It then redownloads the rules correctly and
you're clear to go with RDJ again


Did that two days ago. And everything came in fine and worked. I linted it 
then and tonight and the current ruleset lints fine.


The error messages are from the RDJ script pulling in a new file. It does look 
like the RDJ script is pulling the wrong file because the lint error shows 
html tags and there aren't any in my current tripwire.cf file.


If it is true that there are no updates, then why is the RDJ script trying to 
update anything? Is the RDJ server still being DOS'd?


This (see post new patch for rules_du_jour ... (Lindsay
Haisley)/18.06.2007) works fine here.

But you probably have to delete the faulty .cf files manually.



 cut here 
--- /root/rules_du_jour.orig2007-06-17 21:01:24.0 -0500
+++ /var/lib/spamassassin/rules_du_jour 2007-06-18 12:37:44.0 -0500
@@ -907,6 +907,8 @@
 [ ${SEND_THE_EMAIL} ]  echo -e ${MESSAGES} | sh -c ${MAILCMD} -s 
\RulesDuJour Run Summary on ${HOSTNAME}\ ${MAIL_ADDRESS};
 fi
 
+grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f 
+

 cd ${OLDDIR};
 
 exit;
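
Review bot: The added grep line deletes every file in ${TMPDIR} that contains 'META HTTP-EQUIV' anywhere, case-insensitively, so a legitimate ruleset with a rule matching meta-refresh markup would be removed on each run; matching only lines that begin with an HTML tag would be narrower. ${TMPDIR} is unquoted and not checked for being empty, in which case the glob becomes /*, and xargs splits file names on whitespace; quote the variable, skip the step when it is empty, and loop over the glob instead of piping names to xargs. The cleanup also runs at the very end, after the summary mail, so it only clears the bad download for the next run and does not keep it out of the lint that has already happened.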

 cut here 




--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--




Re: Bayes became to work very bad

2007-06-21 Thread Matthias Haegele

Roman Sozinov schrieb:

I'm using spamassassin about 1 year and for that period I already have good
BAYES tokens base.
But about 2 weeks ago began something wrong - my system became to catch spam
very bad.
About 80% of spam have BAYES_50 score :(
What's wrong?


You use sa-learn till now?. Some people suggest not to learn old 
spam/ham ...
Think it's pretty normal that bayes hits are not very good on new spam 
(spammers tweak their messages every day to slip the filters ...).

Some new spam messages here only get BAYES_00 ...


I'm using Spamassassin 3.1.8 with mysql backend (awl  bayes)
In my bayes base there are:
spam_count - 17539
ham_count - 4895
token_count - 453505

Roman



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Bayes became to work very bad

2007-06-21 Thread Matthias Haegele

Roman Sozinov schrieb:


Matthias Haegele-2 wrote:
You use sa-learn till now?. Some people suggest not to learn old 
spam/ham ...
Think it's pretty normal that bayes hits are not very good on new spam 
(spammers tweak their messages every day to slip the filters ...).

Some new spam messages here only get BAYES_00 ...


sa-learn sometimes use (~3 times in a week)
So what about some advice? :)


Use blacklists, the botnet plugin, SARE rules, sa-update ...?
upgrade to a newer SA release?

--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Commandline option to check cf file

2007-06-18 Thread Matthias Haegele

ram schrieb:

Hi,

   I have been downloading SARE rules via RDJ all this while. But since
last week we have had files with site unavailable try later etc in
the cf files

I manually have to find and download these files on all my servers 
What I plan to do is to download all files to a temporary location ,
verify if proper and then move them to configpath 



afaik that is exactly what the RulesDuJour script does ...
(If the --lint fails no changes are made)


How can I check if a cf file is a proper ruleset file and not some HTML
404 page ?? 


spamassassin --lint?

cmiiw


Thanks
Ram



--
Greetings  hth
MH


Dont send mail to: [EMAIL PROTECTED]
--
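
An added example, not part of the original posts and not RulesDuJour code: one way to do what ram asks above, rejecting downloaded .cf files that are really HTML pages before they reach the config directory, then running spamassassin --lint and rolling back if it fails. The function names, file names and the LINT_CMD override are assumptions made for this example, and the two sample files are constructed.

```shell
#!/bin/sh
# Added example, not RulesDuJour code. Function names, file names and the
# LINT_CMD override are assumptions. CONF_DIR must be the directory that
# "spamassassin --lint" actually reads (e.g. /etc/mail/spamassassin).
LINT_CMD=${LINT_CMD:-"spamassassin --lint"}

# is_ruleset_file FILE -> 0 if FILE is non-empty and no line starts with markup.
# SpamAssassin config lines begin with a directive or '#', never with '<', so
# this catches HTML error/redirect pages without rejecting a rule whose
# pattern merely mentions META HTTP-EQUIV.
is_ruleset_file() {
    [ -s "$1" ] || return 1
    if grep -q '^[[:space:]]*<' "$1"; then
        return 1
    fi
    return 0
}

# install_rules STAGE_DIR CONF_DIR
# Copies every plausible *.cf from STAGE_DIR into CONF_DIR (backing up what it
# replaces), deletes rejected downloads so the next run fetches them again,
# runs the lint command and rolls back if it fails.
# Returns 0 = installed, 1 = lint failed and rolled back, 2 = nothing to install.
install_rules() {
    stage=$1
    conf=$2
    backup=$(mktemp -d) || return 2
    : > "$backup/.manifest"
    for f in "$stage"/*.cf; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if ! is_ruleset_file "$f"; then
            echo "rejected, not a rules file: $name" >&2
            rm -f -- "$f"
            continue
        fi
        if [ -e "$conf/$name" ]; then
            cp -p -- "$conf/$name" "$backup/$name"
        fi
        cp -- "$f" "$conf/$name"
        echo "$name" >> "$backup/.manifest"
    done
    if [ ! -s "$backup/.manifest" ]; then
        rm -rf -- "$backup"
        return 2
    fi
    result=0
    if ! $LINT_CMD >/dev/null 2>&1; then
        result=1
        # Restore the previous file, or remove a file that did not exist before.
        while IFS= read -r name; do
            if [ -e "$backup/$name" ]; then
                mv -f -- "$backup/$name" "$conf/$name"
            else
                rm -f -- "$conf/$name"
            fi
        done < "$backup/.manifest"
    fi
    rm -rf -- "$backup"
    return "$result"
}

# make_samples DIR: write two constructed downloads into DIR, a valid ruleset
# that mentions META HTTP-EQUIV inside a pattern and an HTML redirect stub.
make_samples() {
    cat > "$1/70_local_good.cf" <<'EOF'
# constructed sample ruleset
rawbody  LOCAL_META_REFRESH  /<META HTTP-EQUIV="?Refresh/i
describe LOCAL_META_REFRESH  Body contains a meta refresh tag
score    LOCAL_META_REFRESH  0.5
EOF
    cat > "$1/70_local_html.cf" <<'EOF'
<HTML><HEAD><META HTTP-EQUIV="Refresh" CONTENT="0.1">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD></HTML>
EOF
}

# Demo on the constructed files: sh check_rules.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && mkdir "$d/stage" "$d/conf" && make_samples "$d/stage"
    LINT_CMD=true   # stand-in so the demo runs without SpamAssassin installed
    install_rules "$d/stage" "$d/conf"
    echo "exit status $?; installed: $(ls "$d/conf")"
    rm -rf -- "$d"
fi
```
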



Re: sa-update channel file

2007-06-18 Thread Matthias Haegele

diptanjan schrieb:

Hi Friends,


Hi!


My question is, I am using update.spamassassin.org as well as other sources
to update my rules. 
Is it possible default rules from update.spamassassin.org and other rules
can conflict at any point. 
May be same rules set up in both places but scored different... then what?


The last applied rule wins, afaik.
(That depends on your environment, ...)
further info man spamassassin (at: Configuration Files)


TIA

Diptanjan



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: iXhash list @ ix.dnsbl.manitu.net being ddos'ed

2007-06-15 Thread Matthias Haegele

[EMAIL PROTECTED] schrieb:

Hi, list,

the DNS server of manitu.net, Germany, currently the only server hosting
the iXhash blacklist @ ix.dnsbl.manitu.net, is apparently being ddos'ed.
Admins using the iXhash plugin should either temporarily disable using
that server or request being included in a whitelist the provider has set
up.
Mails should be directed at [EMAIL PROTECTED]


Additional Info: [1]


Dirk


[1] http://www.heise.de/ix/nixspam/dnsbl_en/

--
hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



[OT] RDJ RulesDuJour Updates dont lint

2007-06-13 Thread Matthias Haegele

Hello!

Any tips?


***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f /etc/mail/spamassassin/tripwire.cf 
/etc/mail/spamassassin/RulesDuJour/99_FVGT_Tripwire.cf.2; mv -f 
/etc/mail/spamassassin/RulesDuJour/tripwire.cf.20070613-0836 
/etc/mail/spamassassin/tripwire.cf; mv -f 
/etc/mail/spamassassin/blacklist.cf 
/etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.2; mv -f 
/etc/mail/spamassassin/RulesDuJour/blacklist.cf.20070613-0836 
/etc/mail/spamassassin/blacklist.cf; mv -f 
/etc/mail/spamassassin/blacklist-uri.cf 
/etc/mail/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf.2; mv -f 
/etc/mail/spamassassin/RulesDuJour/blacklist-uri.cf.20070613-0836 
/etc/mail/spamassassin/blacklist-uri.cf; mv -f 
/etc/mail/spamassassin/70_sc_top200.cf 
/etc/mail/spamassassin/RulesDuJour/70_sc_top200.cf.2; mv -f 
/etc/mail/spamassassin/RulesDuJour/70_sc_top200.cf.20070613-0836 
/etc/mail/spamassassin/70_sc_top200.cf; mv -f 
/etc/mail/spamassassin/70_sare_genlsubj.cf 
/etc/mail/spamassassin/RulesDuJour/70_sare_genlsubj.cf.2; mv -f 
/etc/mail/spamassassin/RulesDuJour/70_sare_genlsubj.cf.20070613-0836 
/etc/mail/spamassassin/70_sare_genlsubj.cf; mv -f 
/etc/mail/spamassassin/70_sare_uri3.cf 
/etc/mail/spamassassin/RulesDuJour/70_sare_uri3.cf.2; mv -f 
/etc/mail/spamassassin/RulesDuJour/70_sare_uri3.cf.20070613-0837 
/etc/mail/spamassassin/70_sare_uri3.cf;


Lint output: [18730] warn: config: failed to parse line, skipping: 
HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0SCRIPT 
Language=JavaScriptvar coupon1= 268980629;var coupon2= 304354668;var 
style1= 519728833;var style2= 192774663;var add = 
coupon1+coupon2+style1+style2;document.cookie=NSC_DOSP=+add+;path=/;window.location=window.location.href;window.focus();/SCRIPT/HEAD/HTML
[18730] warn: config: failed to parse line, skipping: HTMLHEADMETA 
HTTP-EQUIV=Refresh CONTENT=0SCRIPT Language=JavaScriptvar 
coupon1= 268980629;var coupon2= 304354668;var style1= 519728833;var 
style2= 192774663;var add = 
coupon1+coupon2+style1+style2;document.cookie=NSC_DOSP=+add+;path=/;window.location=window.location.href;window.focus();/SCRIPT/HEAD/HTML
[18730] warn: config: failed to parse line, skipping: HTMLHEADMETA 
HTTP-EQUIV=Refresh CONTENT=0SCRIPT Language=JavaScriptvar 
coupon1= 268980629;var coupon2= 304354668;var style1= 519728833;var 
style2= 192774663;var add = 
coupon1+coupon2+style1+style2;document.cookie=NSC_DOSP=+add+;path=/;window.location=window.location.href;window.focus();/SCRIPT/HEAD/HTML
[18730] warn: config: failed to parse line, skipping: HTMLHEADMETA 
HTTP-EQUIV=Refresh CONTENT=0.1
[18730] warn: config: failed to parse line, skipping: META 
HTTP-EQUIV=Pragma CONTENT=no-cache
[18730] warn: config: failed to parse line, skipping: META 
HTTP-EQUIV=Expires CONTENT=-1

[18730] warn: config: failed to parse line, skipping: /HEAD/HTML
[18730] warn: lint: 7 issues detected, please rerun with debug enabled 
for more information




--
Thx for your help!
MH


Dont send mail to: [EMAIL PROTECTED]
--
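
Added example, not part of the original posts or of RulesDuJour: one way to tell a real ruleset from an HTML error page before the download replaces the live .cf file, so that a failure like the lint output above is caught before installation. The function names, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Sanity-check a downloaded SpamAssassin ruleset before it replaces the
# live copy. All names and paths here are hypothetical.

# ruleset_problem FILE
# Prints a short reason and returns 1 if FILE does not look like a ruleset;
# prints nothing and returns 0 if it passes.
ruleset_problem() {
    rs_file=$1
    if [ ! -s "$rs_file" ]; then
        echo "empty or missing file"
        return 1
    fi
    # SpamAssassin config lines never begin with '<'; an HTML error page or
    # redirect stub does. Markup inside a rule's regex sits mid-line, so a
    # rule such as  rawbody X /<html>/i  is not affected by this test.
    if grep -Eq '^[[:space:]]*<' "$rs_file"; then
        echo "line starts with markup, looks like HTML"
        return 1
    fi
    # Require at least one real rule or list directive.
    if ! grep -Eq '^[[:space:]]*(header|body|rawbody|full|uri|meta|score|describe|blacklist_from|whitelist_from)[[:space:]]' "$rs_file"; then
        echo "no rule directives found"
        return 1
    fi
    return 0
}

# install_ruleset SRC DST
# Copies SRC over DST only if SRC passes the check; otherwise DST is left
# untouched. The copy goes through a temp file next to DST so the live file
# is replaced by a single rename. Run "spamassassin --lint" afterwards.
install_ruleset() {
    src=$1
    dst=$2
    reason=$(ruleset_problem "$src") || {
        echo "rejecting $src: $reason" >&2
        return 1
    }
    tmp="$dst.new.$$"
    cp "$src" "$tmp" && mv -f "$tmp" "$dst"
}

# write_samples DIR: constructed inputs, not taken from any real channel.
write_samples() {
    sample_dir=$1
    cat > "$sample_dir/good.cf" <<'EOF'
# constructed sample ruleset
header   LOCAL_DEMO_SUBJ  Subject =~ /cheap watches/i
describe LOCAL_DEMO_SUBJ  Constructed demo rule
score    LOCAL_DEMO_SUBJ  0.5
rawbody  LOCAL_DEMO_HTML  /<html>/i
EOF
    cat > "$sample_dir/bad.cf" <<'EOF'
<HTML><HEAD><META HTTP-EQUIV="Refresh" CONTENT="0.1">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD></HTML>
EOF
    printf 'Not Found\n' > "$sample_dir/text404.cf"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in good.cf bad.cf text404.cf; do
    if why=$(ruleset_problem "$demo_dir/$name"); then
        echo "$name: ok"
    else
        echo "$name: rejected ($why)"
    fi
done
rm -rf "$demo_dir"
```

A file that passes this check can still contain rules that fail to parse, so `spamassassin --lint` remains the final test after installation.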



Re: DCC and Razor

2007-06-13 Thread Matthias Haegele

Chuck Payne schrieb:


Hi, 


When I first got spamassassin working, I had dcc and razor, but somewhere
along the way, they have stopped scanning. I am currently running...

SpamAssassin Server version 3.1.8
  running on Perl 5.8.7
  with SSL support (IO::Socket::SSL 0.97)


I know that dccifd is running, because if I do a ps ax I see...

5331 ?    Ss   0:00 /var/spool/amavis/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID
5332 ?    Sl   0:00 /var/spool/amavis/dcc/libexec/dccifd -tCMN,5, -llog -wwhiteclnt -Uuserdirs -SHELO -Smail_host -SSender -SList-ID

I know that SA still has them in the config...

v310.pre


# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source.  See the DCC
# license for more details.
#
loadplugin Mail::SpamAssassin::Plugin::DCC

# Pyzor - perform Pyzor message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Pyzor

# Razor2 - perform Razor2 message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Razor2


But I no longer see a stamp in my X-Spam headers in any messages. Any clue
where I can start?


This functionality is gone, at least it is not available any more 
without some nasty config, afaik.



By the way, I have been updating dcc when I can, so it is
up-to-date.


You tried:?

man 3 spamassassin

spamassassin -D  /path/to/messages
?

(perhaps you want to press CTRL + D, shortly after the test started ...)

spamassassin -D --lint

Since you seem to use amavisd-new:
amavisd-new debug-sa ...
(after stopping amavis)

--
Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Building a new mail server with SA - should I use apt-get or cpan?

2007-06-06 Thread Matthias Haegele

Adam Wilbraham schrieb:

Hi,


Hi!


I'm soon to be building two new mailservers which will be running
Debian Etch, Qmail, Sophie and SpamAssassin, all plumbed together
using Qmail-Scanner. 


In the past, we've just installed SpamAssassin via apt-get, however


apt-get - aptitude


when we need to upgrade it means looking for a backport. I'm thinking
of just installing from cpan instead on these new boxes, as the latest
version should always be easily available, making upgrades slightly
easier. My only worry is that a cpan upgrade may go horribly wrong,
when in the past upgrading to a newer debian package has always been
faultless.

Has anyone got any experience with the pros and cons? Or am I
worrying too much about nothing?


Personally i would prefer the Debian Way if need be with backports.
Reason: It works ... ;-).


Cheers, Wilb.


--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: what's that?

2007-06-04 Thread Matthias Haegele

[EMAIL PROTECTED] schrieb:

Hi,

I found this message in my inbox - no image, attachment, etc. besides that:


Outlook send cool enhanced emails. Inserted body place images specific 
location, want.
Selection it inserted body place images specific location want!


That reminds me:
Beautiful sunglasses, cheap watches, want some?


Would that mean someone is trying to get auto-whitelisted for future messages,
or is that a sign of broken ratware?


Perhaps you get future mails with prices for Outlook or other SW.
Or it tries to fool bayes filters ...
Or a broken spam message

definitely spam for me ...


Wolfgang Hamann



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: +36% incoming spam

2007-06-01 Thread Matthias Haegele

Giampaolo Tomassoni schrieb:

With respect to the previous Monday.

Just wondering why. Are they close to vacation and need to raise some money
to take their children on vacation?


Here i can always watch an increase through holidays,
seems the botnets get new feed when kids power up their virus 
contaminated (Windows) boxes ...


Also some new spambot-owners might be more aggressive around ...

Around the weekend of Whitsun (Pfingsten in ger) it was really bad 
here ...



Does anybody know what the pattern behind these things is?

Regards,

Giampaolo



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: How to avoid filtering twice when having mail-groups

2007-06-01 Thread Matthias Haegele

Manu schrieb:

Hi all,

I'm using SpamAssassin 3.0.2 and Qmail on a Debian Sarge Server. 
Administrative hosting panel is Plesk 8.1.


Imagine the following situation:
[EMAIL PROTECTED] forwards to [EMAIL PROTECTED], [EMAIL PROTECTED],...

Now if SpamAssassin checks [EMAIL PROTECTED] and each user has enabled spam 
filtering too, SpamAssassin will filter the same message once for mailgroup@ 
and then once again for each user. We'll get: 1 + #users scans.
If I disable scanning of mailgroup@, we'll get #user scans for the very same 
message.


What I would like to have: SpamAssassin scans for mailgroup@ and when the very 
same message has to be scanned for each user, SpamAssassin remembers that 
this message has already been scanned seconds ago and doesn't scan it again.


SpamAssassin sometimes needs 15 seconds to process a message, so you can 
imagine that this will save much time and resources for mailgroups with many 
recipients.


Any chance to get this working?


I can't imagine this could be done.
Because SA gets every single recipient from the MTA, if possible I think you 
would have to put another filter/script in the chain to pass only 1 
address under certain circumstances (aliases for an address are there).

But perhaps a more experienced user here, might know more ...


Thanks in advance.



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: OBSCURED_EMAIL ?

2007-05-31 Thread Matthias Haegele

Per Jessen schrieb:

Matthias Haegele wrote:


Not seen it here ...
Perhaps you could paste the mail somewhere and send the link to the list?


Not a bad idea, except it's a customer email, so that's pretty much out
of the question ...


So why not overwrite the confidential part and then paste it?


The problem seems to be that it contains 4 attached JPEGs which have
been attached without the proper MIME-type:

Content-Type: ; name=PICT0089.JPG

It looks like spamassassin decides to scan the binary content of the
jpegs as body text which is perhaps why it comes up with these obscure
hits.


/Per Jessen, Zürich



--
Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: So much spam

2007-05-24 Thread Matthias Haegele

Rob Campbell schrieb:

SpamAssassin version 3.2.0

I ran sa-update so I will see how that manages.  


Perhaps you additionally want to search the archives for:
botnet plugin
rules du jour
network tests, dcc, razor, pyzor
...


Thanks



--
hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: spamass dcc Problem

2007-05-23 Thread Matthias Haegele

Henrik Krohns schrieb:

On Wed, May 23, 2007 at 09:02:34AM -0400, Thomas Mullins wrote:

One more thing,

I had to allow the DCC port out.  Then I had to allow ICMP traffic
out/in.  DCC uses ping to determine the closest servers.  I am not sure
if this is the same problem you are having, but I had a similar problem
and this was the solution.


It doesn't need ICMP. What is needed is clearly stated here:

http://www.rhyolite.com/anti-spam/dcc/dcc-tree/FAQ.html#firewall-ports


Perhaps you additionally want to edit map.txt and let it point to 
server(s) near you ...



-hk



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: avoid hostname in X-Spam-Checker-Version

2007-05-22 Thread Matthias Haegele

Robert Schetterer schrieb:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

hi all,


Hi!.


how can i avoid the hostname in X-Spam-Checker-Version?


I didnt find any option:

from:

 man Mail::SpamAssassin::Conf



clear_headers
   Clear the list of headers to be added to messages.  You may use
   this before any add_header options to prevent the default headers
   from being added to the message.

   Note that X-Spam-Checker-Version is not removable because the
   version information is needed by mail administrators and developers to
   debug problems.  Without at least one header, it might not even be
   possible to determine that SpamAssassin is running.


--
in amavisd-new there is something like this, but since you seem to use 
only spamassassin

it is not possible it seems, cmiiw:


 # $hdr_edits->add_header('X-Spam-Checker-Version',
  # sprintf("SpamAssassin %s (%s) on %s", Mail::SpamAssassin::Version(),
  # $Mail::SpamAssassin::SUB_VERSION, c('myhostname')));

--


X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on test.host.de
- --
Mit freundlichen Gruessen
Best Regards

Robert Schetterer




--
hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Tag Level for spam

2007-05-16 Thread Matthias Haegele

Matt Kettler schrieb:

Martin Hochreiter wrote:

Hi!

Is there something like a recommended tag level when to treat a mail
as spam?

(I actually use 1.7 as tag level for amavis/spamassassin)
  


5.0 is the recommended default. This level will tune SA to treat false
positives (nonspam tagged as spam) as roughly 100 times worse than false
negatives (spam that isn't tagged).

Lowering the threshold will reduce the false negatives, thus catching
more spam, but will also increase your false positive rate.

If you look at the STATISTICS*.txt files, you can see what kind of
effects lowering the threshold should have on these numbers.

For example, set3 (bayes and network tests enabled) on SA 3.2:

http://svn.apache.org/repos/asf/spamassassin/branches/3.2/rules/STATISTICS-set3.txt

Shows these numbers for 5.0:

# SUMMARY for threshold 5.0:
# Correctly non-spam:  67508  99.94%
# Correctly spam: 117303  98.51%
# False positives:42  0.06%
# False negatives:  1780  1.49%

But these for 2.0:

# SUMMARY for threshold 2.0:
# Correctly non-spam:  66745  98.81%
# Correctly spam: 118903  99.85%
# False positives:   805  1.19%
# False negatives:   180  0.15%


Note that at 2.0, the number of missed spams has gone down by a factor
of almost 10, from 1780 to 180. However, the number of false positives
has increased by a factor of more than 19, from 42 to 805.

Your exact results might be a little better, or rarely a little worse,
depending on your use of whitelists, how aggressively you train bayes,
what add-on rules you have, etc. However, these results should be
typical for a stock config with no use of manual whitelists, no AWL,
and relatively light bayes training.



Thx, Matt for your detailed explanations.
@all:
Do you think it would be useful to adjust the Bayes_80 - Bayes_100 scores,
to higher scores (e.g. 4.5 for bayes_100)?
(Since they never were wrong here, i use well trained bayes cause every 
misclassified mail is relearned,

even bayes_80 spammails are relearned ...)



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Black Lists

2007-05-16 Thread Matthias Haegele

Daniel Aquino schrieb:

Do I need special configurations to query dns black lists ?


http://wiki.apache.org/spamassassin/UsingNetworkTests

Additionally i would suggest a dns-cache like pdns-recursor ...


--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Tag Level for spam

2007-05-15 Thread Matthias Haegele

Martin Hochreiter schrieb:

Hi!


Hello!


Is there something like a recommended tag level when to treat a mail
as spam?


perhaps the default is recommended?


(I actually use 1.7 as tag level for amavis/spamassassin)


I think that ... strongly depends.

e.g.:
What rules you use, which blacklists, how well adjusted your SA is.
(Some rules (rarely) produce FPs here).
Your (company's) policy ...
and last what you do with spam tagged mails, only mark them or 
quarantine them ...


Would suggest to set it to a high score first (if quarantined or 
rejected at tagging level).
And to adjust it slowly down if it works well and the rules meet your 
requirements.


btw:
Personally i adjusted it to 3.5, which is aggressive, i can afford some 
FPs (since its my private Mailserver) ...
 (bayes_100 is 3.5 and i never got a FP for bayes 100 and if bayes is 
sure its spam i am too, besides i control manually through quarantine 
(and grep) for FPs ...)


$sa_tag2_level_deflt = 3.5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = $sa_tag2_level_deflt;


lg
martin



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Does anyone catch this....

2007-05-14 Thread Matthias Haegele

Dennis Davis schrieb:

On Mon, 14 May 2007, Duncan Hill wrote:


From: Duncan Hill [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
Subject: Re: Does anyone catch this

On Mon, May 14, 2007 11:32, Matt Hampton wrote:

http://www.coders.co.uk/slipped.through.txt


It has sailed through both a SA3.1.8 and SA3.2.0 (3.2.0-pre2-r512851)
running on recent versions of MailScanner

The ClamAV engine tends to work well on a large number of that
type of phish.  Local testing shows DCC hitting it, but that's
about it.  Doesn't help that Halifax don't publish SPF records.


In particular the Sanesecurity additions to ClamAV detect this as:

Html.Phishing.Bank.Sanesecurity.06030604

We've detected (and rejected) over 1300 copies of this particular
phishing scam over the last couple of weeks or so.


Link:


http://sanesecurity.co.uk/clamav/usage.htm


For Debian the example script (Example 1) had to be fixed (paths don't 
match),

don't know if you need to fix it for other distros too ...

For testing use the sample phishing attachment.


--
hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Does anyone catch this....

2007-05-14 Thread Matthias Haegele

Rick Cooper schrieb:
 


-Original Message-
From: Matthias Haegele [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 14, 2007 8:30 AM

To: SpamAssassin
Subject: Re: Does anyone catch this

Dennis Davis schrieb:

On Mon, 14 May 2007, Duncan Hill wrote:


From: Duncan Hill [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Date: Mon, 14 May 2007 11:41:24 +0100 (BST)
Subject: Re: Does anyone catch this

On Mon, May 14, 2007 11:32, Matt Hampton wrote:

http://www.coders.co.uk/slipped.through.txt


It has sailed through both a SA3.1.8 and SA3.2.0 

(3.2.0-pre2-r512851)

running on recent versions of MailScanner

The ClamAV engine tends to work well on a large number of that
type of phish.  Local testing shows DCC hitting it, but that's
about it.  Doesn't help that Halifax don't publish SPF records.

In particular the Sanesecurity additions to ClamAV detect this as:

Html.Phishing.Bank.Sanesecurity.06030604

We've detected (and rejected) over 1300 copies of this particular
phishing scam over the last couple of weeks or so.

Link:


http://sanesecurity.co.uk/clamav/usage.htm
For Debian the example script (Example 1) had to be fixed (paths don't 
match),

don't know if you need to fix it for other distros too ...

For testing use the sample phishing attachment.


I just sent Steve an updated script that accommodates the trailing back
slash the debian adds to the clam db dir in the debug output and add -m 1 to
the grep so it short circuits finding the clam db dir (so it now takes less
than a second), and I added rsync for the MSRBL-* files since that site not
only supports it but prefers it be handled that way. I would imagine Steve
will have it up sometime today, I have been testing it since he made the
last change to the mirroring methods last week.


Ralf Hildebrandt's blog contains a download link to the (working) script:

http://www.amazon.com/gp/blog/A1XJVH38GHOSHB

thx, again for it good work...


Rick



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Massive Spam Attack?

2007-05-12 Thread Matthias Haegele

Jason Frisvold schrieb:

Greetings,

I'm seeing incoming spam at a rate of 2-3 a minute per user and I'm
having trouble properly identifying these as spam with spamassassin.
Or, alternatively, blocking them.



Does anyone have any idea how I can trigger on these and block them?


Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 25527 invoked by uid 89); 11 May 2007 22:24:10 -
Received: by simscan 1.2.0 ppid: 25000, pid: 25501, t: 1.7225s
scanners: clamav: 0.90/m:42 spam: 3.1.7


I am not sure if the botnet plugin would catch these, but are you using 
the botnet plugin at all and sare-rules (www.rulesemporium.com).


these 2 do a great job here,
along with some helo-checks at mta Level and dial-up blacklists
 ...

dcc, razor, pyzor?


Thanks,


hth
MH


Botnet Plugin Download Link?

2007-05-11 Thread Matthias Haegele

Hello!

http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar

link seems to be dead, since John Rudd is not listed at people, the link 
perhaps moved?


Any tips?


--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Test?

2007-05-11 Thread Matthias Haegele

Daniel Aquino schrieb:

Is this how I send to the list ?


Congratulations you have made it ;-).

--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Botnet Plugin Download Link?

2007-05-11 Thread Matthias Haegele

Kevin W. Gagel schrieb:

Matthias,

Worked fine for me. Try it again if it still doesn't work for you - I've
uploaded a copy to my public share at:
http://mail.cnc.bc.ca/users/gagel/Botnet.tar


Thx a lot. It was a temporary problem, it is good to have an 
alternative download location.



I'll keep it there till next week.
=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Catching mail sent from number addresses?

2007-05-10 Thread Matthias Haegele

Hello!
Perhaps i overlooked some test i could use for giving extra scores to 
mail sent from addresses like this:



X-Envelope-From: [EMAIL PROTECTED]


e.g. i would think it useful if i could add a
check for:
address contains 4 or more digits,
give it some extra score 1.x

Perhaps someone is using such a rule already?

--
Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: bayes not available ?

2007-05-08 Thread Matthias Haegele

Noc Phibee schrieb:

Hi

when i start spamassassin -D --lint, i have:

[20058] dbg: bayes: tie-ing to DB file R/O
/var/spool/spamassassin/bayes_toks
[20058] dbg: bayes: tie-ing to DB file R/O
/var/spool/spamassassin/bayes_seen
[20058] dbg: bayes: found bayes db version 3
[20058] dbg: bayes: DB journal sync: last sync: 0
[20058] dbg: bayes: not available for scanning, only 0 ham(s) in bayes
DB < 200
[20058] dbg: bayes: untie-ing
[20058] dbg: bayes: untie-ing db_toks
[20058] dbg: bayes: untie-ing db_seen


It's a new server and in my local.conf:
bayes_auto_learn                    1
bayes_auto_learn_threshold_nonspam  0.1
bayes_auto_learn_threshold_spam     9.0
bayes_path                          /var/spool/spamassassin/bayes
bayes_file_mode                     0777

on another server, same config i have:

[18780] dbg: bayes: DB journal sync: last sync: 1178611276
[18780] dbg: bayes: corpus size: nspam = 5668441, nham = 16242
[18780] dbg: bayes: score = 0.324607088968461
[18780] dbg: bayes: DB journal sync: last sync: 1178611276
[18780] dbg: bayes: untie-ing
[18780] dbg: bayes: untie-ing db_toks
[18780] dbg: bayes: untie-ing db_seen


I don't understand why on my first server, the counter doesn't increase
after 48h of work and  100 000 mails received.

Into /var/log/mail, i have a big quantity of:
May  8 10:03:23 spam-9 spamd[27832]: prefork: child states: BIIB
May  8 10:03:24 spam-9 spamd[21462]: spamd: identified spam (11.2/4.9)
for qscand:407 in 4.1 seconds, 3155 bytes.
May  8 10:03:24 spam-9 spamd[21462]: spamd: result: Y 11 -
BOTNET_SERVERWORDS,DCC_CHECK,DIGEST_MULTIPLE,DRUGS_ERECTILE,DRUGS_STOCK_MIMEOLE,DRUG_ED_CAPS,FB_VIAGRA_LEO3,HTML_FONT_BIG,HTML_MESSAGE,IMPOTENCE,J_CHICKENPOX_43,J_CHICKENPOX_65,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,SARE_MILLIONSOF,SARE_SXLIFE
scantime=4.1,size=3155,user=qscand,uid=407,required_score=4.9,rhost=spam-9.mydomaine.org,raddr=127.0.0.1,rport=34255,mid=[EMAIL
 PROTECTED],autolearn=spam
May  8 10:03:24 spam-9 spamd[27832]: prefork: child states: BIII
May  8 10:03:24 spam-9 spamd[27832]: spamd: handled cleanup of child pid
21462 due to SIGCHLD
May  8 10:03:24 spam-9 spamd[27832]: prefork: child states: BII
May  8 10:03:25 spam-9 spamd[18315]: spamd: identified spam (9.9/4.9)
for qscand:407 in 2.9 seconds, 2261 bytes.
May  8 10:03:25 spam-9 spamd[18315]: spamd: result: Y 9 -
BOTNET_SERVERWORDS,DCC_CHECK,FM_NO_STYLE,HTML_FONT_BIG,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB,SARE_LWTARGETP,SARE_MLB_Stock1,SARE_PROLOSTOCK_SYM1
scantime=2.9,size=2261,user=qscand,uid=407,required_score=4.9,rhost=spam-9.mydomaine.org,raddr=127.0.0.1,rport=34263,mid=[EMAIL
 PROTECTED],autolearn=spam



Only to be sure:
It´s the same user (for autolearning) and for spamassassin --lint?


he put a big quantity of autolearn=spam

Thanks for your help





--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Increase of spam?

2007-05-04 Thread Matthias Haegele

[EMAIL PROTECTED] schrieb:

On Thu, 3 May 2007, Jerry Durand wrote:

All DSL/dialup accounts get a 554 from us (using a couple of RBLs), so 
I've actually seen our spam decrease lately.


I've used RBLs too, in the past. However, i've noticed legitimate 
mailservers sometimes turn up in such lists so we were missing mails, 
and there were quite a lot of complaints. I tried to put in less 
restrictive RBLs, but in the end I had to remove them.


Now I'm thinking to enhance my greylisting to check RBLs, and if the 
IP is found in an RBL, to increase the greylisting time...


I am not using greylisting so far, -and since recently it seems to get 
less effective -

 i consider not using it at all.
What seems to work here:

MTA-Level (Postfix):
helo-checks (they are surprisingly most effective), and sender_verify 
(address_verify_mumble).


Some trusted RBLs.

SA:
Botnet Plugin:
High-Scores for Inline-Images.
RBLs, razor2, dcc, pyzor (pay attention to licenses)
and a well trained bayes database ...

btw:
the rejection rate at MTA has gone up last days from
approx 40% to 55% so it's an increase of spam, here too ...


K.


hth

--
Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: SARE rules

2007-05-04 Thread Matthias Haegele

Max de Mendizábal wrote:

Hi Max, hi all!


Sorry for the thread hijacking...

I tested the rules with spamassassin --lint and everything is OK, but
stops scoring.


Perhaps you could provide your rulesdujour config?

which Version?
Maybe some old prex rules (RulesDuJour)?


Max de Mendizábal
Matthias Haegele escribió:

Max de Mendizabal schrieb:

Dear all,

I have a very rare problem: if I do not use the SARE rules everything
works ok but... If I run

sa-update

Then spamassassin stops working.


You tried:?

sa-update -D


If I check it with

spamassassin -D < spam-mail.txt

Works ok, but if I use

spamc < spam-mail.txt

Shows the spamassassin version on the header, but doesn't make the
scoring. Any Ideas?

Yours
Max


Perhaps you could use some (no)paste-Service and put it there?

hth
MH



Re: Per User

2007-05-03 Thread Matthias Haegele

Ali Hameed schrieb:

I am using spamd on my linux system, I now want to give our users
choice that they want to use spamd or not, if yes they can write their own
rules, please help!



What prevents you from reading:?


http://wiki.apache.org/spamassassin/



--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Per User

2007-05-03 Thread Matthias Haegele

Ali Hameed schrieb:

I didnt find any help on the specified link, did u?
Also what prevents you from giving me some specific link?If u cant help 
then

you should not reply.I need help if any one can.


As Magnus asked u could perhaps provide some additional information,
afaik (i dont use it on per user) it depends on e.g. are u using shell 
accounts or virtual users stored in a mysql-database?


--
Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



SARE rules (was: Re: SA Not Scoring)

2007-05-03 Thread Matthias Haegele

Max de Mendizabal schrieb:

Dear all,

I have a very rare problem: if I do not use the SARE rules everything 
works ok but... If I run


sa-update

Then spamassassin stops working.

If I check it with

spamassassin -D < spam-mail.txt

Works ok, but if I use

spamc < spam-mail.txt

Shows the spamassassin version on the header, but doesn't make the 
scoring. Any Ideas?


Yours
Max






On Wed, 2 May 2007, Keith De Souza wrote:


Hello,



I'm new to this mailing list, please let me know if I'm doing anything 
wrong

with submitting

A problem here.



I'm running SpamAssassin version 3.1.8 running on Perl version 5.8.8 
the OS

that is running on

Fedora Core 5. The problem that I'm having is every so often when mail 
come

in, it seems to skip

SA scanning. Here what the logs say:





Sat, 28 Apr 2007 19:42:53 BST:21005: SA: required_hits ? / sa_quarantine
+0.01 / sa_delete +2.4

Sat, 28 Apr 2007 19:42:53 BST:21005: SA: finished scan of dir
/var/spool/qmailscan/tmp/ssdd117778517072221005 in 600.013176 secs

- hits=?/?

Sat, 28 Apr 2007 19:42:53 BST:21005: qmail-scanner:
Clear:RC:0(67.186.37.67):SA:0(?/?): 602.343095  3106
overtaxingpinafore

@internetdynamics.com [EMAIL PROTECTED]   Re:
[EMAIL PROTECTED] textfile0:46

textfile1:468 textfile2:1145





This does not happen all the time but once in a while my log show a 
batch of
mail not being scanned and producing false negatives, I don't know why 
that

is.



Is there any possibility that my server is overloaded and spamd is 
unable to
spawn sufficient child process to handle the incoming mail. Just a 
logical

guess.



Any help on this is much appreciated.



spamassassin --lint

should report you the broken rules ...

Perhaps you use a new thread next time? ;-).


Cheers



Keith


--
hth
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Any drawbacks of cron-scheduled bayesian learning?

2007-04-25 Thread Matthias Haegele

Arik Raffael Funke schrieb:

Hi,


Hello!

I was wondering if it has any negative effects on my Bayes database if I 
regularly learn all spam/ham messages via a cron job. Sa-learn skips 
already learned messages. Am I thus right to assume that apart from the 
relatively high CPU load there are no drawbacks? Or should I keep a 
separate folder for new spam/ham?


I.e. what about expiring tags, etc. Sa-learn would routinely 
re-encounter 5 year-old spam...


Q: Would it be useful (regarding cpu and i/o performance) if only 
learned messages (copied from a maildir) that are new (e.g. not older 
than a week) or would checking this (date of file), be almost as bad as 
copying it for sa-learn?



Cheers,
Arik




--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: SUBJECT_ENCODED_TWICE really wrong?

2007-04-25 Thread Matthias Haegele

Andy Spiegl schrieb:

Hi,

several of my HAMs are tagged with SUBJECT_ENCODED_TWICE.
Is this forbidden by any RFC?
Even mutt, a usually very RFC-compliant MUA, does that.


afaik no, but other things which spammers do are not forbidden too ;-)?

It is the same here mainly MLs with Subject encoding and additional 
encoding like [OT] e.g.




Chau,
 Andy.




--
Grüsse/Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: Newbie Questions.

2007-04-24 Thread Matthias Haegele

Bowie Bailey schrieb:

Grant Peel wrote:

I have not turned on bayes, is it critical (to catching spam)?


Bayes is not critical, but it can be very useful.  For best results, I
suggest you do this:


ACK. It can kick the spam over the threshold which is maybe not hit by 
other rules,
a well trained Bayes is essential i think. (And it produces no 
false-positives if bayes was:

BAYES_100 it was always right).


Manually train the Bayes db with hand-sorted ham and spam at least until
you get to the 200-ham/200-spam limit.  After that, keep an eye on your
incoming mail and retrain any messages that are mis-classified.

Manual training works like this:

sa-learn --ham /directory/with/nonspam
sa-learn --spam /directory/with/spam


You should run sa-learn with the proper user account e.g.:


 sudo -u amavis -H sa-learn --spam /path/to/spam-messages/




By default Bayes will also auto-learn incoming messages as either ham or
spam based on certain criteria.  Some people suggest adjusting the
criteria to further prevent mis-training, but I have not had any
problems with the default settings.  However, on some of my accounts, I
will disable the autolearning and manually sort and learn on all of my
incoming mail each day.


Autolearning is not failure proof i think,
especially on less restrictive Mailinglists ...


--
Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: add point to certain hosts

2006-11-28 Thread Matthias Haegele

SMT - Geert van der Giessen schrieb:

Hi,

I wonder if its possible to add points to mail coming from certain
hosts. I have exim+spamassassin running for some time now and my second
MX host is hosted at my ISP. Most spam that passes my filters are routed
via the second mx host. (grrr) I don't want to ignore the second host
completely, but would like to add points when mail is routed via that
host, is that possible?


AFAIK spammers try to flood backup or low-priority MX because they 
hope to meet less restrictive antispam rules there.
Perhaps it would be better to use the same restrictive rules there? 
(Yes, it might be hard to do this (or impossible), that strongly depends 
on your ISP.)


I don't know if it is a good idea to give extra points since it would 
affect all traffic from that machine ...



thanks, Geert.


hth
MH



Re: Mail Delivery

2006-11-27 Thread Matthias Haegele

Maccie Roux wrote:

Hi there, I'm running Fedora core 5 with postfix spamassassin and amavis.
The mail is being delivered to the mailbox and not the maildir.  Can 
someone please
help me.


Mailbox (the user's mailbox or inbox)? Or mbox (the format)?
Maildir (the email format)?

You are using a pop3/imap server (courier, cyrus, ...) and the mail is 
not physically delivered where you expected it to be?

I'm not sure if I understood your question right ...?
Are you using any additional filter software like procmail, maildrop, ...?


Thanks
Maccie


hth
MH, a little confused

http://en.wikipedia.org/wiki/Maildir



Re: Multi-user bayes

2006-11-23 Thread Matthias Haegele

Giampaolo Tomassoni wrote:

Dears,

actually, I see the Bayes database in SA can be either per-user or system-wide.

I would like to have a way to put bayes tokens on a per-user basis, and fetch 
them on a more system-wide (or perhaps domain-wide) way.

My intention is to have each user's bayes to contribute to scoring every other 
user's incoming mail, while still let each user's db be prominent in scoring 
mails delivered to the user's mailbox.


I don't know if it is technically possible ...


Is there anything like this? If there is not, do you think it would be 
something useful?


It strongly depends on your users. Some mails might be spam for user A, 
while for user B it might be ham, or some users are lazy trainers or 
misclassify mails etc. If such a solution is possible it is up to you 
how much you rely on it ...



Thanks,

---
Giampaolo Tomassoni - IT Consultant


hth
MH



Re: amavisd

2006-11-17 Thread Matthias Haegele

Leander Koornneef wrote:


On 17-nov-2006, at 9:26, Maccie Roux wrote:

Hi there.  I'm getting the following in my maillog, can someone please 
help me:

postfix/qmgr[25394]: warning: connect to transport smtp-amavis: Connection refused


Well, that is about as clear as a warning can get. What don't you 
understand about it?


;-). (Yes, I wish all software would provide such ideal logging.)
Try telnet to the amavis port (you configured it in master.cf/main.cf, 
amavisd.conf).

Is amavisd running, are you able to connect?
Any typos in your config?


Leander


hth
MH



Re: amavisd

2006-11-17 Thread Matthias Haegele

Mark Martinec wrote:

postfix/qmgr[25394]: warning: connect to transport smtp-amavis:
Connection refused

Well, that is about as clear as a warning can get. What don't you
understand about it?

Is amavisd running, are you able to connect?
Any typos in your config?


This warning is not about amavisd daemon not being there,
but about a Postfix service smtp-amavis not being there.
A smtp-amavis service is to be defined in master.cf,
see README.postfix.


I bet it's a typo ...
(Something similar happened here not long ago: I was overlooking an 
additional 0 in master.cf, in the smtp-amavis definition ...)



  Mark


thx
for your correction
MH



Re: Where to submit SARE rule patches?

2006-11-14 Thread Matthias Haegele

Peter H. Lemieux wrote:
Is this a good place for this?  If so, I'd like to propose the following 
fix to 70_sare_adult.cf:


329d328
 body  __HAS_PENETRATION   /\bpenetration\b/i
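Review bot: the hunk header 329d328 records the body __HAS_PENETRATION line as removed when going from the first file to the second, while the message says this rule is being added, so the diff appears to have been taken with the patched file first. Regenerating it with the original file first and the patched file second, ideally in unified format (diff -u), would make the direction unambiguous and let it apply as intended.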
331c330
 meta  FP_MIXED_PORN3  ((__HAS_COLLECTION + 
__HAS_HARDCORE + __HAS_YOUNGGIRL + __HAS_PENETRATION + __HAS_ADOLESCENT 
+ __HAS_CHICKS)  2)

---
  meta  FP_MIXED_PORN3  ((__HAS_COLLECTION + 
__HAS_HARDCORE + __HAS_YOUNGGIRL + FPS_PENETRAT + __HAS_ADOLESCENT + 
__HAS_CHICKS)  2)
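Review bot: in the 331c330 change, both versions of the FP_MIXED_PORN3 meta end in ")  2)" with no comparison operator visible between the summed sub-rules and 2, so please confirm the comparison is present and unchanged in the actual file. Since the header rule __FPS_PENETRAT still exists alongside the new body rule, a short comment in the file saying which of the two the meta is meant to use would prevent the name from being "corrected" back later.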


There is no rule called simply FPS_PENETRAT in the file.  There is a 
header rule called __FPS_PENETRAT which might be what's intended, but 
the rest of the checks in the FP_MIXED_PORN3 meta are body rules.  So I 
decided from the logic that you wanted to tag the word penetration in 
the body as well and created the __HAS_PENETRATION rule along the same 
lines as __HAS_HARDCORE.


iirc: local.cf would be a good place since it overwrites other rules 
(which might get updated and your changes overwritten) ...



Peter


hth
MH



Re: question about bayes database

2006-11-13 Thread Matthias Haegele

pinoyskull wrote:

Matthias Haegele wrote:

pinoyskull wrote:
Will it be OK if I have 1000+ spam learned and only 300+ ham learned, 
will it still be effective?


Don't know. But I think it's better if you learn *all* spam and ham ...

that's my problem, spams overwhelmed ham on our server

(If your spam-ham-ratio is really that bad perhaps you want to use 
some MTA-level antispam, or blacklists?)


Could you give me an example of an MTA-level antispam, I'm kinda new to 
this, thanks


If you use postfix, yes.
General: some simple (HELO) checks like "don't use my hostname/IP address";
a Google search for "helo checks (your-mta-name)" should help.

(your-mta-name could be: postfix | qmail | exim ...) ;-).

You could also use blacklists (DUL, abuse etc.) for SA (advantage: IMHO 
scores, no hard rejection like an MTA blacklist) or your MTA; choose 
blacklist(s) which meet your requirements.


hth
MH

http://www.exit0.us/index.php?pagename=RulesDuJour
http://www.rulesemporium.com/
http://wiki.apache.org/spamassassin/
http://wiki.apache.org/spamassassin/UsingSpamAssassin
http://wiki.apache.org/spamassassin/UsingNetworkTests








Re: question about bayes database

2006-11-10 Thread Matthias Haegele

pinoyskull wrote:
Will it be OK if I have 1000+ spam learned and only 300+ ham learned, 
will it still be effective?


Don't know. But I think it's better if you learn *all* spam and ham ...
(If your spam-ham-ratio is really that bad perhaps you want to use 
some MTA-level antispam, or blacklists?)






hth
MH



Re: Rule Updates

2006-10-31 Thread Matthias Haegele

Patrick wrote:
I'm a little confused on rule updates.  If you are using SA version 3.04 
and run sa-update and/or rulesdujour, will the rules be updated only to 
the 3.0 branch or will they be updated to the most current branch and 
just fail if there are dependency issues?


rulesdujour: You should not use (pre) 3.0 rules; what damage this does I 
don't know (I assume some rules made it into later SA releases?).


hth
MH



Re: better solution?

2006-10-30 Thread Matthias Haegele

[EMAIL PROTECTED] wrote:

Hi list, I'm new to spamassassin, I have all the system configured (I
think)
but I have a question: when a spam message arrives, spamassassin marks it
as the **spam*, then the message goes to my mailbox.

My question is:
I want some of these spams, instead of going to the user's INBOX folder,
to go to their SPAM folder.
Which is the better solution to achieve this?
And what's the name of the program?


procmail, (alternative: maildrop (if you use courier), or sieve iirc 
(cyrus))



I have a debian sarge, postfix, spamassassin 3.0.3


BTW: I would suggest upgrading to a newer SA (backports or 
testing, requires new perl too ...).



thanks jea


hth
MH



Re: better solution?

2006-10-30 Thread Matthias Haegele

Leander Koornneef wrote:


On 30-okt-2006, at 10:03, Matthias Haegele wrote:


[EMAIL PROTECTED] wrote:

Hi list, I'm new to spamassassin, I have all the system configured (I
think)
but I have a question: when a spam message arrives, spamassassin marks it
as the **spam*, then the message goes to my mailbox.

My question is:
I want some of these spams, instead of going to the user's INBOX folder,
to go to their SPAM folder.
Which is the better solution to achieve this?
And what's the name of the program?


procmail, (alternative: maildrop (if you use courier), or sieve iirc 
(cyrus))



I have a debian sarge, postfix, spamassassin 3.0.3


BTW: I would suggest upgrading to a newer SA (backports or 
testing, requires new perl too ...).


Correction: the 3.1.4 version of SA in Debian volatile 
(http://www.debian.org/devel/debian-volatile/)

does not require a new version of perl:

=
leander:~# aptitude show spamassassin
Package: spamassassin
State: installed
Automatically installed: no
Version: 3.1.4-0volatile1
Priority: optional
Section: mail
Maintainer: Duncan Findlay [EMAIL PROTECTED]
Uncompressed Size: 3068k
Depends: perl (= 5.6.0-16), libhtml-parser-perl (= 3.31), 
libdigest-sha1-perl, libsocket6-perl, libarchive-tar-perl, libwww-perl

=

So the default perl 5.8 in Sarge will do fine...


Thx, for it. So the chance is greater it is painless for the OP ;-).

@jea perhaps you will provide us with more details?
(What additional sw do you use, pop3/imap-server?, etc, (dpkg -l could 
help)).



Leander


Greetings
MH



Re: Spamassassin effectiveness, BAYES_99

2006-10-23 Thread Matthias Haegele

Michael Beckmann wrote:

Greetings!


Hello!

In the past few weeks, I have noticed significant amounts of spam 
passing through my filter. It is reaching a level that annoys me. I use 
Spamassassin 3.1.7.


I used to get maybe one or two spam messages a day earlier this year 
with 200+ spams filtered. Now I get 10 to 20 spams per day that are not 
automatically filtered (while something like 300+ are filtered.) Did 
anybody else notice this? Are spammers becoming more effective in 
working around SpamAssassin?


I examined the spam, and it seems that the majority of the messages 
score BAYES_99 and nothing or hardly anything else. BAYES_99 is not 
enough to filter the messages. I use the standard threshold of 5.


Oh you are lucky, often such messages here only score BAYES_80 or 
BAYES_50 (bayes is trained nearly daily ...).



I have been tempted to increase the BAYES_99 score to 5. I have seen 
that only very few ham messages of the newsletter type ever score 
BAYES_99 in my inbox.


Do others make similar observations? How do you deal with this?


As others suggested I would try to set the threshold near 4.0.
(I had some false-positives with list-mails, see bottom (but bayes was 
BAYES_00), but with no regular off-list mails.)



I am considering a custom rule to give messages with URLs e.g. a score 
of say 1.0, to get those messages which hit no other rules but BAYES_99 
over the threshold. What do you think about this? (I know it would also 
affect many ham mails but since these usually don't get other scores it 
might not be dangerous?)


Is someone using such a rule and can give an example?


Thanks,

Michael


Greetings and hth
MH

a false-positive list-mail:

Content preview:  Yes, spamassassin definitely RULES! ;-D RE: Spamassassin
  Rules Yes, spamassassin definitely RULES! ;-D [...] 


Content analysis details:   (4.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-2.3 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0020]
 1.5 HTML_SHORT_LENGTH      BODY: HTML is extremely short
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
-0.1 AWL                    AWL: From: address is in the auto white-list
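
An added example, not part of the original posts: it parses "Content analysis details" lines like the ones above and replays them under the two changes discussed in this thread, a required score of 4.0 and a BAYES_99 score of 5.0. The list-mail scores are the ones quoted above; the second report is constructed, its 3.5 for BAYES_99 is an assumed score, and the function and policy names are this example's own.

```python
import re

# A report line is "<pts> <RULE_NAME> <description>".
LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s")

# The false-positive list mail from the post (4.3 points, 5.0 required).
LIST_MAIL = """\
 1.7 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
-2.3 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
 1.5 HTML_SHORT_LENGTH      BODY: HTML is extremely short
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
-0.1 AWL                    AWL: From: address is in the auto white-list
"""

# Constructed sample: spam hitting little besides BAYES_99 (3.5 is assumed).
BAYES_ONLY_SPAM = """\
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
 0.0 HTML_MESSAGE           BODY: HTML included in message
"""

MAILS = {"list mail": LIST_MAIL, "bayes-only spam": BAYES_ONLY_SPAM}
POLICIES = {  # keyword arguments for is_spam()
    "default": {},
    "threshold 4.0": {"required": 4.0},
    "BAYES_99 scored 5.0": {"overrides": {"BAYES_99": 5.0}},
}

def parse_report(text):
    """Return [(rule, points)] for every rule line in a report."""
    found = (LINE.match(line) for line in text.splitlines())
    return [(m.group(2), float(m.group(1))) for m in found if m]

def total(hits, overrides=None):
    """Sum the points, substituting scores for rules named in overrides."""
    overrides = overrides or {}
    return round(sum(overrides.get(rule, pts) for rule, pts in hits), 1)

def is_spam(text, required=5.0, overrides=None):
    # A message is tagged when its total reaches the required score.
    return total(parse_report(text), overrides) >= required

def compare(policies=POLICIES, mails=MAILS):
    """Map policy -> {mail: tagged?} to show what each change costs."""
    return {name: {mail: is_spam(body, **kw) for mail, body in mails.items()}
            for name, kw in policies.items()}

if __name__ == "__main__":
    for policy, verdicts in compare().items():
        print(f"{policy:22} {verdicts}")
```

On these two samples the lower threshold tags the list mail while still missing the constructed spam, and the higher BAYES_99 score does the reverse; replaying your own saved reports the same way shows which change fits your mail.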




