Re: mass check tips and tricks - need advice
Damn, I thought I had you in my junk list - play nice spammer and keep one address? On Sun, 17 Feb 2013 08:34:15 -0800, Marc Perkel supp...@junkemailfilter.com wrote: OK - I'm getting mass checking set up and working. I'm still in the testing phase. Right now the process of selecting spam and ham is automated. It's not manually selected. Is that a problem? I'm only including email streams that I'm sure of. The spam comes from sources that are on multiple black lists, URIBL links, and committed other sins that only spammers do, and SA scores over 15.. The white list is from 100% trusted sources. Eventually I hope to include some hand sorting of messages in the middle but for now these are extreme ham and spam. Looks like it takes me 70 minutes to process 46k messages. I'll probably process 100k messages nightly and they will all be fresh. Right now I'm going through to verify the ham and spam just to ensure it's accurate and doesn't contain anything that shouldn't be there. Not reading every message but not finding any errors. Looking for advice at this point about anything I should be doing that I'm not, or any useful feedback.
Re: Bayes database in mysql on multiple servers
On Wed, 30 Nov 2011 15:14:33 + (UTC), Walter Hurry walterhu...@lavabit.com wrote:
On Wed, 30 Nov 2011 09:11:49 +0100, Robert Schetterer wrote:
On 30.11.2011 09:06, Matus UHLAR - fantomas wrote:
On 30.11.11 00:17, Alex wrote:
I have two fedora15 boxes that process mail for a few domains, and recently set up bayes in mysql for each of them. The servers are in geographically different locations, a few hops from each other. Since they both process mail for the same domains, I thought it made sense to share the database between them. What's the best way to do this? Set one as a master and the other as a slave, or perhaps replication between them? I also thought about something like drbd, but that seems a bit excessive for just a database.
don't use drbd with mysql store, you don't need it
I think this is question for MySQL mailing list, not for SA.
you can use i.e master-master replication ( which i do ), but be aware you might get doubles with bayes store, this should be ignored but i am told PostgreSQL is better in replication stuff
Why replicate? Why not just share the same database?
No failover with shared. Distributed adds redundancy. KR Nigel
Re: Not sure if this is old or new
On Wed, 21 Sep 2011 17:08:42 +0200, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
On 20.09.11 18:57, Nigel Frankcom wrote:
I moved SA to a newer box and have the following output in my logs: http://pastebin.com/VvZfXwAC Apologies if I'm being dense, but is there a way to trace what may be causing this, not the specifics of parentheses or == but the particular rule? All (printable) help gratefully received.
    # Compile was succesful. Restarting spamd
    # Stopping spamd: [ OK ]
    # Starting spamd: [ OK ]
I don't see your problem.
Lines 46 to 63. I am guessing one of my rules has an issue, Wondering if there is a way to figure out which rule is triggering this.
    body_0.xs: In function 'XS_Mail__SpamAssassin__CompiledRegexps__body_0_scan':
    body_0.xs:123: warning: suggest parentheses around assignment used as truth value
Re: RCVD_IN_SORBS_DUL on my own emails to self
On Sun, 10 Apr 2011 00:59:29 +0200, Michelle Konzack linux4miche...@tamay-dogan.net wrote:
Hello rstarkov,
On 2011-04-09 15:50:36, you hacked down the following:
Does your header definitely include an ESMTP marker as per the RFC? Mine didn't; that was the real issue. We didn't find a bug in this rule. So I guess SpamAssassin doesn't have a way to find out that you were authenticated and that it was your own message.
Yes, look into my previous message... However, I find SORBS too error-prone and not very reliable! Thanks, Greetings and nice Day/Evening Michelle Konzack
I'd agree that one in spades. I'm still getting stuff bounce from cached entries months after I cleared the last SORBS issue. That was the 3rd time I've had to do so and I've been on static from the get go (15 years +). My ISP didn't help overly. BT decided that all issues relating to rbl's are abuse issues and should be dealt with by that department; it might have helped if they told said department and actually trained the poor sods. Saying that, no amount of training helps with SORBS. IMVHO SORBS gives rbl's an undeserved bad name. Additionally, BT's approach of 'we are big ergo you do what we say' doesn't add much in the way of help either. After many years I'm moving off BT, though that is because of their billing and the incompetence there makes their rbl handling look like it's 6 sigma. I've defended BT for years, seems I was naive. Expect to see me in SORBS soon :-D Nigel
Re: Performance on Spear Phishing?
On Fri, 18 Mar 2011 04:22:40 +0100, Karsten Bräckelmann guent...@rudersport.de wrote: On Thu, 2011-03-17 at 12:58 +, Nigel Frankcom wrote: Unrelated but reminded me I hadn't posted a thanks to all those that responded about the sa-update rules. That's partly because I'm awaiting permission from clients to add their mails to the corpus. Unrelated indeed. ;) That short rant of mine was not meant as a broad reminder to send your 'thank you's after each post, less so to collect them now -- but really triggered by that one particular instance. There are a bunch of circumstances (some slightly buried down the end) outlined in my previous post, which, each on their own, if avoided, are likely to not have triggered my reaction in the first place. In other words, just try to engage in the community, and don't forget basic (old-school) net-iquette, and we all should get along just fine. :) So, thanks all. Apologies for forgetting my manners. Have no clue about Spear Phishing other than it's best to be the one with the spear. :-) Or the hammer. Hi Karsten, Having been using this list for more years than I care to think about I ought to know my manners better. It was a timely reminder, it's easy to take the help one gets here for granted. I don't tend to post so much nowadays with workloads etc, but it's the only list I stay subscribed to. I do on occasion sit with a beer on a boring evening and amble through the posts, and, occasionally, I note things with my setup that seem a bit off. Without wishing to tempt fate, my setup works well for me and works well. Often as not because of advice given in the past by list members; anyway, manners cost nothing and they do have a value for the recipients. All the best Nigel
Re: Performance on Spear Phishing?
Unrelated but reminded me I hadn't posted a thanks to all those that responded about the sa-update rules. That's partly because I'm awaiting permission from clients to add their mails to the corpus. So, thanks all. Apologies for forgetting my manners. Have no clue about Spear Phishing other than it's best to be the one with the spear. :-) On Thu, 17 Mar 2011 04:38:29 +0100, Karsten Bräckelmann guent...@rudersport.de wrote: So this actually is a reply to the last post to your previous thread how to disable network tests. Merely changing the subject and pruning the quote from the body -- surprise -- does NOT make it a new thread. On the up-side, it appears you at least did read (I mean keep here) the thread. Encouraging. There has been a lot of help, advice, and questions concerning your previous topic, however. The down-side. You did not care to even get back to a single one of them. Very discouraging. Do you really expect anyone to care and try to help a single-shot question you vent on the list again? I for one, bloody don't. On Thu, 2011-03-17 at 06:08 +0400, Hamad Ali wrote: Hi folks -- wondering if anyone has monitored SA's performance against phishing mails. SA is able to detect 86% of phishing emails my clients So you got paying clients. But won't communicate with the community. get, with 0.5% false positives on all the ham. It seems non-phish-SPAM is easier to be detected than phish (~99% for non-phish spam). Probably I need to participate on nightly checks to improve phish and lower false positives. Participating in the mass-checks!? Without any communication (hint, two ways) at all? I don't see that happening.
sa-updates
Hi All, Apologies if this has been covered, an admittedly fairly cursory Google showed nothing new. My local sa-update hasn't updated in the better part of a month. Is it that there have been no updates or do I need to dig into my systems to see what I broke, how and when? Regards to all Nigel
Re: [Asrg] draft-levine-iprangepub-01
On Wed, 29 Dec 2010 15:26:07 -0500, David F. Skoll d...@roaringpenguin.com wrote:
On Wed, 29 Dec 2010 21:09:42 +0100 Matthias Leisi matth...@leisi.net wrote:
I'm not sure whether that would be more appropriate for the dev list, but I guess this is relevant/of interest to the SpamAssassin project, and I don't know whether this has caught attention here yet.
In the draft, John asserts:
For blacklists, an obvious approach would be to limit the granularity of DNSBLs, so that, say, each /64 had a separate listing, and the queries only used the high 64 bits of each address. While this might limit the damage from DNSBL queries, it is not helpful for DNS whitelists, which by their nature list individual IP addresses
I'm not sure I agree with that. The smallest unit of IPv6 address space allocated by a provider (even to an end-user) is likely to be a /64, so I don't see why whitelists can't list /64's too. Essentially, I disagree with the phrase "which by their nature list individual IP addresses". Regards, David.
I'd wonder at the DNS traffic, I may be wrong but this looks like between 4 and 24 look-ups per check. DoS? Nigel
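An added illustration of the granularity question in the draft text quoted above (not code from the draft, from any poster, or from SpamAssassin): it builds nibble-reversed DNSBL query names as in RFC 5782 and compares per-address (/128) lookups with lookups truncated to the high 64 bits. The zone name `dnsbl.example`, the `v6_prefix_bits` parameter and the sample addresses are assumptions made for the example.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical list zone, not a real DNSBL


def dnsbl_qname(addr, zone=ZONE, v6_prefix_bits=128):
    """Return the DNS name a filter would query for `addr`.

    IPv4: octets reversed (RFC 5782 style).
    IPv6: hex nibbles reversed. With v6_prefix_bits=128 this is the
    per-address form; with 64 only the high 64 bits are used, so every
    host in one /64 maps to the same name (the approach the draft
    mentions for blacklists).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + "." + zone
    if v6_prefix_bits % 4 or not 4 <= v6_prefix_bits <= 128:
        raise ValueError("prefix must be a multiple of 4 between 4 and 128")
    # exploded form is 8 groups of 4 hex digits; keep the leading nibbles only
    nibbles = ip.exploded.replace(":", "")[: v6_prefix_bits // 4]
    return ".".join(reversed(nibbles)) + "." + zone


def hopping_sender(prefix, count):
    """Constructed sample: `count` consecutive source addresses in one prefix,
    standing in for a sender that uses a new address for every message."""
    net = ipaddress.IPv6Network(prefix)
    return [str(net[i]) for i in range(1, count + 1)]


def distinct_qnames(addrs, v6_prefix_bits):
    """Set of query names generated for a batch of connecting addresses.
    Its size is the number of lookups a resolver cache cannot absorb."""
    return {dnsbl_qname(a, v6_prefix_bits=v6_prefix_bits) for a in addrs}


def same_listing(a, b, v6_prefix_bits):
    """True when two addresses share one list entry at this granularity.
    For a whitelist this means listing `a` also vouches for `b`."""
    return (dnsbl_qname(a, v6_prefix_bits=v6_prefix_bits)
            == dnsbl_qname(b, v6_prefix_bits=v6_prefix_bits))


if __name__ == "__main__":
    addrs = hopping_sender("2001:db8:1:2::/64", 500)  # documentation prefix
    print("per-address name :", dnsbl_qname(addrs[0]))
    print("per-/64 name     :", dnsbl_qname(addrs[0], v6_prefix_bits=64))
    print("uncacheable lookups at /128:", len(distinct_qnames(addrs, 128)))
    print("uncacheable lookups at /64 :", len(distinct_qnames(addrs, 64)))
    # Whitelist view: one entry at /64 covers every host in that /64,
    # but not a neighbouring /64.
    print(same_listing("2001:db8:1:2::1", "2001:db8:1:2:dead:beef:0:1", 64))
    print(same_listing("2001:db8:1:2::1", "2001:db8:1:3::1", 64))
```

At /64 granularity the 500 constructed addresses collapse to a single cacheable name, and the same collapse is what makes a /64 whitelist entry cover every host in that allocation.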
Re: Comment - GFI/SORBS
This is a long and somewhat complex story. I've been running my own mail for 15+ years or so, always on a fixed IP. A few years ago business picked up so I got some additional IP's from my supplier (BT); it turned out that they were decommissioned DUL's renewed as statics. Initially we jumped the hoops (both BT & I) and after several fraught weeks the issue was resolved. Now we hit November 27th this year, suddenly I'm in SORBS again. Nothing changed this end, same IP, same RIPE entry, same everything... apart from SORBS, who, apparently, redid their db at the end of November. Happily I am now clean and clear. How did I really end up there? I've no real idea, I suspect the reload.
I really do appreciate the work RBL's do, mostly; it's a thankless task and if the same wit were applied adversely a lot of money could be made. That they are moral and work as they do makes the life of all legit server admins much easier until they get too rabid. For those of you that supply reliable rbl's, please accept my profound thanks. Some maybe could do better, perhaps those should be carefully judged before inclusion into sa, or perhaps made an optional? All that said, SA isn't the direct problem. Admins blocking purely on, for example, SORBS, should maybe rethink their strategy and adjust scoring on rules within SA. All of the above is my opinion only; I don't think SORBS do a bad job, I just think they could do it better, and maybe accept that we all get it wrong sometimes... Just my 2.5p worth :-D Kind regards Nigel
On Tue, 14 Dec 2010 22:41:40 -0500, Jason Bertoch ja...@i6ix.com wrote:
On 12/14/2010 8:06 PM, Bart Schaefer wrote:
http://blog.wordtothewise.com/2010/12/gfi-sorbs-considered-harmful-part-5/
I've seen the headaches of getting off SORBS, but how did you really end up there? While I agree that SORBS is not reliable enough for use at the MTA level, I've not seen one complaint from my customers over using SORBS in SA.
Isn't the beauty of SA the fact that you can score gray areas and not be stuck with black or white? In case it's a mystery, SA scores are automatically generated based on results from the corpus. If those results weren't productive, the rules would either be disabled or their scores adjusted even lower. However, if the corpus isn't representative, the generated scores are in error, and that means we need more trusted submitters. Or maybe your traffic is relatively unique and you should already be generating your own scores? Ultimately, this seems to be more of a witch hunt against SORBS than a SA issue. Although I'm not opposed to a SORBS witch hunt, I don't think it belongs here. /$.02
Re: Comment - GFI/SORBS
On Wed, 15 Dec 2010 07:04:18 +, corpus.defero corpus.def...@idnet.com wrote: Ultimately, this seems to be more of a witch hunt against SORBS than a SA issue. Although I'm not opposed to a SORBS witch hunt, I don't think it belongs here. Indeed, and it's Lynford and his money grabbing cronies mostly behind it - hence it lacks sophistication. I guess we all have our opinions based on our experiences. Personally, I've had no issue with zen, though cbl does seem sometimes to have an issue with back-scatter. That said, proper spf should help stop back-scatter. Kind regards Nigel
Comment - GFI/SORBS
Hi All, Is sorbs going to be continued as a scoring option in SA? Having hit yet more problems with them I've zeroed their scoring. I found this a couple of days ago, maybe it can add weight. http://blog.wordtothewise.com/2010/12/gfi-sorbs-considered-harmful/ Best to all Nigel
Re: SpamAssassin service file missing after installation
Those are not optional modules. You can either install them from CPAN or from yum (depending on the repo you use). As a rule if it says REQUIRED, it probably is :-) Apologies if this is teaching you to suck eggs:
In CPAN type:
    install Digest::SHA
Or in yum, do
    yum list available
and look in the Perl modules for the correct ones then do:
    yum install perl-Digest-SHA
Hope that helps Nigel
On Wed, 27 Oct 2010 01:13:56 -0700 (PDT), Gnanam gna...@zoniac.com wrote:
Hi, I'm trying to install SpamAssassin version 3.3.1 on CentOS release 5.2 (Final). During installation, it reported the following REQUIRED optional module missing:
    REQUIRED module missing: Digest::SHA
    REQUIRED module missing: HTML::Parser
    REQUIRED module missing: Net::DNS
    REQUIRED module missing: Archive::Tar
    REQUIRED module missing: IO::Zlib
    optional module missing: Digest::SHA
    optional module missing: Mail::SPF
    optional module missing: IP::Country
    optional module missing: Razor2
    optional module missing: Net::Ident
    optional module missing: IO::Socket::INET6
    optional module missing: IO::Socket::SSL
    optional module missing: Compress::Zlib
    optional module missing: Mail::DKIM
    optional module missing: DBI
    optional module missing: LWP::UserAgent
    optional module missing: HTTP::Date
    optional module missing: Encode::Detect
I then installed all REQUIRED modules along with its dependencies. But, I've not installed the optional modules. My question is, after installation, spamassassin service file is not available in the location /etc/init.d/spamassassin. Because of this 'service spamassassin start' says spamassassin: unrecognized service. What could be the reason for spamassassin service file missing after installation? Because this service file is not automatically installed as part of installation, I've little doubt/fear/confusion whether it would create any other implications during course of usage.
NOTE:
1. I'm installing as 'root' user here.
2. Also, I've installed this on RHEL4 and RHEL5, but I don't find this issue (missing spamassassin service file).
3. I also tried to copy the 'spamassassin' service file from one of my RHEL5 to this CentOS. It is working fine.
Regards, Gnanam
ot/possibly
I've not been paying much attention to the list, silly season and work/home pressures. Of late I've had some truly horrific backscatter issues, enough to pretty much drop my primary mail. I suspect it's an artifact of the server, which is being swapped out, since it only happens on the rdns domain (many other virtuals, all correctly (I think) spf'd). Now I'm seeing stuff walk through looking like this
    StartWith 200SlotSpins ;+4;;crivitzlippiest.com/41614436r271074362e17874825c/
    SponsorUn-subscribe ;+4;;crivitzlippiest.com/30101624u271074362e17874825c/
    TransmitterUn-subscribe ;+4;;crivitzlippiest.com/30101625u271074362e17874825c/
Raw mail looks the same so nothing hidden. Anyone else seeing similar? Is there perhaps a rule already done or should I write one? As always, all help appreciated. Kind regards Nigel
Re: [OT] was SORBS
On Fri, 30 Apr 2010 14:22:16 +0100, Martin Gregorie mar...@gregorie.org wrote: On Fri, 2010-04-30 at 08:43 -0400, Lee Dilkie wrote: First, I'd like to point out that not everyone has the option of changing ISP's. Believe it or not, there are many folks who have only one choice for high-speed internet access (myself included). However, that doesn't apply to the OP, who is using British Telecom as his ISP. My broadband connection goes through the local BT exchange and copper after that, but BT has never been my ISP. I initially used Demon as my ISP, switching to my current ISP (who subcontract broadband connectivity to a third party, *not* BT) when I discovered that Demon didn't offer a suitable package that included domain registration. The OP can do exactly what I did. Out of pure curiosity, what is there about the broadband set-up in your locality that could prevent you from doing something similar? Are both your broadband provider and your ISP monopolies? Martin We're on a BT only exchange here so it's them or nothing, well not quite, I could go CoLo... hmmm maybe not, or satellite, I was involved in setting that up in Cyprus. I guess the bottom line is that this is always going to be an issue and it's as much to do with how you deal with your upline suppliers as how you deal with the lists (rbl etc). I may not agree with them all on an individual basis, but life is what it is, I have to work within the constraints imposed on me. I cannot complain about SORBS, though I did, they have a fixed set of rules. If I or my upline provider fails.. well, such is life. BT for what it's worth are very aware of their market and the issues, with luck they and SORBS will open a dialogue. As admins we face and deal with issues every day, sometimes it's nice to know that others out there are listening and, where they can, acting. I have a lot of karma to repay :-D Now, if the SA list would let me post from 'home'. I'd be copacetic :-D All the best Nigel
Re: [OT] was SORBS
On Fri, 30 Apr 2010 16:59:57 +0100, corpus.defero corpus.def...@idnet.com wrote: On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wrote: We're on a BT only exchange here so it's them or nothing, well not quite, I could go CoLo... hmmm maybe not, or satellite, I was involved in setting that up in Cyprus. Nigel Is there such a thing? I appreciate many are not unbundled, but the BTW agreement means you should have no problems getting a wires-only with someone like Zen, IDNET or Newnet. Believe me, the service just pee's over BT. Fair point. I live in a small village right on the end of a spur. After being burgled at my town offices I moved the whole dammed shebang home and now run it from my own server room. BT may not be the best, but they (or rather OpenReach) own the lines, exchange and pretty much all else... plus they have helped. If I go through a third party I end up with at least one more level of 'have you re-booted your router' etc. Bottom line, I'd rather solve a problem than work round it. As it happens I have a second IP off the range that I could have used, but that would have meant a lot of DNS work etc (and DNS and I are not good friends). IMHO solving is better than blaming. My original post was a request for advice and help. I got a lot of both... plus a lot of opinion. Kind regards Nigel
Re: [OT] was SORBS
On Fri, 30 Apr 2010 17:48:49 +0100, corpus.defero corpus.def...@idnet.com wrote: On Fri, 2010-04-30 at 17:19 +0100, Nigel Frankcom wrote: On Fri, 30 Apr 2010 16:59:57 +0100, corpus.defero corpus.def...@idnet.com wrote: On Fri, 2010-04-30 at 16:50 +0100, Nigel Frankcom wrote: We're on a BT only exchange here so it's them or nothing, well not quite, I could go CoLo... hmmm maybe not, or satellite, I was involved in setting that up in Cyprus. Nigel Is there such a thing? I appreciate many are not unbundled, but the BTW agreement means you should have no problems getting a wires-only with someone like Zen, IDNET or Newnet. Believe me, the service just pee's over BT. Fair point. I live in a small village right on the end of a spur. After being burgled at my town offices I moved the whole dammed shebang home and now run it from my own server room. There is nothing wrong with that - it makes good environmental sense as well as security sense. BT may not be the best, but they (or rather OpenReach) own the lines, exchange and pretty much all else... plus they have helped. Having spent 16 years with them I know the ins and outs. Openreach were not allowed to show any favouritism to BT customers and went out of their way for 'other licensed operators'. Many BT folk of X years service found the notion of Openreach rather unpalatable and went out of their way to be awkward to native BT customers. I'm not sure if that attitude subset still exists but there really was an attitude towards all things BT. But good on your for sticking with them. If I go through a third party I end up with at least one more level of 'have you re-booted your router' etc. That depends on who you go with. People like Zen, IDNET, aaisp, Newnet are actually much better than BT at dealing with issues - and usually much more knowledgeable. This SORBS issue would not even be an issue with them as they had the brains to sort out their space - rather than just try and cluelessly blindmug sell it so SOHO's. 
Bottom line, I'd rather solve a problem than work round it. As it happens I have a second IP off the range that I could have used, but that would have meant a lot of DNS work etc (and DNS and I are not good friends).
I admire the spirit and good luck with it. If the Lib Dems win the election they may find a hole in their mad ideas to offer treatment for those with delusional misguided belief in BT syndrome. (DMBBT).
IMHO solving is better than blaming. My original post was a request for advice and help. I got a lot of both... plus a lot of opinion.
You knew that would happen. Being a BT customer is nearly as bad as being a spammer {joke} have a good weekend.
Kind regards Nigel
The world ain't perfect, but we work with what we have. I'm just happy it's sorted. With luck anyone that hits similar issues will pick up on this and yell. I may take a line or two off different suppliers to see how close promises and actuality meet. Best to all Nigel
SORBS
Hi All, Am I the only one incapable of figuring out the SORBS interface? I'm told by various mailserver that sorbs is blocking me (including this list hence mailing from my gmail account). When I log on to sorbs, give my details I get a nice email back saying:
$Id: Act.pm,v 1.16 2006/11/27 03:36:09 lem Exp $ I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue. You might want to keep your responses as short as possible (and to trim my own responses) to help humans better serve you should the need arise. I'm glad to report that the IP space will be submitted for delisting from the DUHL. Best regards. SORBS
It's now Day 6. and I'm still listed. If anyone has any ideas - please let me know? Kind regards Nigel
Re: SORBS
On 20 April 2010 14:13, corpus.defero corpus.def...@idnet.com wrote:
On Tue, 2010-04-20 at 14:04 +0100, Nigel Frankcom wrote:
Hi All, Am I the only one incapable of figuring out the SORBS interface? I'm told by various mailserver that sorbs is blocking me (including this list hence mailing from my gmail account). When I log on to sorbs, give my details I get a nice email back saying:
$Id: Act.pm,v 1.16 2006/11/27 03:36:09 lem Exp $ I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue. You might want to keep your responses as short as possible (and to trim my own responses) to help humans better serve you should the need arise. I'm glad to report that the IP space will be submitted for delisting from the DUHL. Best regards. SORBS
It's now Day 6. and I'm still listed. If anyone has any ideas - please let me know? Kind regards Nigel
Since when did the Spamassassin list become a place for people to bitch about SORBS ;-) The link is clear enough - get delisted/support here it is in case you can't see it amongst all that clutter: http://www.au.sorbs.net/cgi-bin/support 217.36.54.209 listed in the Dynamic IP Space (LAN, Cable, DSL Dial Ups)
Following your erudite link... that has been followed at least 4 times before I get:
$Id: Act.pm,v 1.16 2006/11/27 03:36:09 lem Exp $ I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue. You might want to keep your responses as short as possible (and to trim my own responses) to help humans better serve you should the need arise. I'm glad to report that the IP space will be submitted for delisting from the DUHL.
...And I'm STILL in the damned list SORBS seems to have an issue, SORBS scores are used in SA - ergo it is relevant to this list. Again, please, can someone offer a sensible suggestion as to how I might resolve this problem. Or, a means of not disrupting SA lists, and suggesting where I may find help relating to my particular issue. Nigel
Re: SORBS
My IP has full rDNS supplied by my ISP - please feel free to ping -a 217.36.54.209 and tell me what exactly is wrong with that?
On 20 April 2010 16:08, Benny Pedersen m...@junc.org wrote:
On tir 20 apr 2010 15:04:53 CEST, Nigel Frankcom wrote
If anyone has any ideas - please let me know?
if your isp give you dul ip, then you must use isp smtp servers as relay not a fault of sorbs some isp is badly informing users on howto if you really want to use you ip as server make sure it really is allowed from your isp, the report from sorbs says me its not a static ip ps: if you need to have mail sent from home server make it use smtp auth to gmail, and the problem is totally gone, if that is not possible change isp ! -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: SORBS
On 20 April 2010 18:07, Benny Pedersen m...@junc.org wrote:
On tir 20 apr 2010 18:56:37 CEST, John Hardin wrote
not correct, hotmail gmail yahoo works without isp dependence, why care ?
You're kidding, right, Benny?
does it looks so ?
Why care that the ISP providing my IP addresses can't be bothered to properly manage it?
manage what ?, dynamic ip ranges changes to static ?
Are you saying that freemail services or ISP-provided mail accounts are all anyone needs?
in a perfect world yes this thread here flames sorbs for listing dul ranges and users don't understand what it means :( flames should really go to isps selling overpriced internet lines that does not work as expected to users that paid -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
SORBS checked that IP range last in 2006
Re: SORBS
On 20 April 2010 18:29, Benny Pedersen m...@junc.org wrote:
On tir 20 apr 2010 19:17:10 CEST, Nigel Frankcom wrote
My IP has full rDNS supplied by my ISP - please feel free to ping -a 217.36.54.209 and tell me what exactly is wrong with that?
http://www.db.ripe.net/whois?form_type=simplefull_query_string=searchtext=217.36.54.209do_search=Search seems static to me :) its still your isp that should talk to sorbs but okay reverse dns is not things that make it worse -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Thanks for that info. It apparently disagrees with mine.
    mail.blue-canoe.net has address 217.36.54.209
    host 217.36.54.209
    209.54.36.217.in-addr.arpa domain name pointer mail.blue-canoe.org.uk.
    host mail.blue-canoe.org.uk
    mail.blue-canoe.org.uk has address 217.36.54.209
Which of us is wrong? Nigel
Any known issues with Razor2?
Hi All, Apologies if this has already been asked. A hunt through Google didn't help much nor did any digging around the SA site. That's not to say it's not there, just that I can't find it :-/ I have Razor2 installed via CPAN, though without a version number. When I try and install the new SA I get: Error: Missing Dependency: perl(Razor2) = 2.61 is needed by package spamassassin Is this stupidity on my part or, is there a simple work round, or is there an updated version of Razor2? All help gratefully received. Kind regards Nigel
Re: Any known issues with Razor2?
On Tue, 23 Mar 2010 09:12:16 +, Nigel Frankcom ni...@blue-canoe.com wrote: Hi All, Apologies if this has already been asked. A hunt through Google didn't help much nor did any digging around the SA site. That's not to say it's not there, just that I can't find it :-/ I have Razor2 installed via CPAN, though without a version number. When I try and install the new SA I get: Error: Missing Dependency: perl(Razor2) = 2.61 is needed by package spamassassin Is this stupidity on my part or, is there a simple work round, or is there an updated version of Razor2? All help gratefully received. Kind regards Nigel Never mind, it appears to have fixed itself not sure how or why, now I have another mystery.
Re: Bayes help
On Sun, 14 Mar 2010 12:08:17 -0400, Alex mysqlstud...@gmail.com wrote: Hi, I'm concerned that my bayes database may contain incorrect information. I performed a search on all of the messages in the quarantine, and pulled out the ones that contained BAYES_00 in their score. There weren't all that many of them, but enough that I want to investigate further. Simply deleting the database and starting over isn't really the best option. Is it possible to unlearn the tokens in these messages from the database, and then re-learn them as spam messages? How should this really be handled? Thanks, Alex Do you have Autolearn On?
Re: Bayes help
On Sun, 14 Mar 2010 12:08:17 -0400, Alex mysqlstud...@gmail.com wrote: Hi, I'm concerned that my bayes database may contain incorrect information. I performed a search on all of the messages in the quarantine, and pulled out the ones that contained BAYES_00 in their score. There weren't all that many of them, but enough that I want to investigate further. Simply deleting the database and starting over isn't really the best option. Is it possible to unlearn the tokens in these messages from the database, and then re-learn them as spam messages? How should this really be handled? Thanks, Alex Watch for line breaks, your answer should be amongst this lot. http://www.google.co.uk/search?hl=ensafe=offclient=firefox-ahs=sdBrls=org.mozilla%3Aen-GB%3Aofficialq=spamassassin+unlearnmeta=aq=faqi=aql=oq=
Re: Bayes help
On Sun, 14 Mar 2010 12:20:14 -0400, Alex mysqlstud...@gmail.com wrote:
Hi,
Do you have Autolearn On?
Yes. Here is the bayes config from my local.cf:
    use_bayes 1
    bayes_auto_learn 1
    bayes_auto_learn_threshold_nonspam -0.9
    bayes_auto_learn_threshold_spam 16.0
    bayes_expiry_max_db_size 100
Thanks, Alex
Based on a good few years use I've not found autolearn to be that helpful. Manual input seems to be a much better idea alongside the rulesets you use and keeping a close eye on what gets marked as spam. Note. After you unlearn stuff in one category it is useful to relearn it in the other - so spam -> ham and ham -> spam. Just observations, not suggestions; except that they have worked for me. KR Nigel
Re: Parallelizing Spam Assassin
I'm assuming you run a tad more messages than I, but on a quad with a failover I have never seen the failover kick in 4 years. This is not disputing your observations, just noting mine. I claim absolutely no knowledge about the core processing/stacking though I would assume (perhaps incorrectly) that the parsing would be part of the software (MTA). I freely admit I only picked up what seems the tail end of this thread but having used SA for so many years I think I have at least a handle on how it plays (hence the failover). My failover SA is in place to handle slow queries from the primary SA. Assuming (again) that mail size has been factored and any AV is running remotely? Just a few thoughts based on a very cursory read of a few posts, sadly - or happily, work make my contributions here limited. I'd be interested in the results of this though. Kind regards Nigel PS - apologies if I'm repeating prior observations. On Fri, 31 Jul 2009 10:41:47 -0700 (PDT), poifgh abhinav.pat...@gmail.com wrote: Henrik K wrote: Yeah, given that my 4x3Ghz box masscheck peaks at 22 msgs/sec, without Net/AWL/Bayes. But that's the 3.3 SVN ruleset.. wonder what version was used and any nondefault rules/settings? Certainly sounds strange that 1 core could top out the same. Anyone else have figures? Maybe I've borked something myself.. The problem is not with 22 being a low number, but when we have other free cores to run different SA parallely why doesnt the throughput scale linearly .. I expect for 8 cores with 8 SA running simultaneously the number to be 150+ msgs/sec but it is 1/3rd at 50 msgs/sec
Re: Parallelizing Spam Assassin
OK - I can see what metrics you are trying to ascertain - I think. I'm not sure that your test and real life are 'right'. For obvious reasons I don't want to carry this one on via list - I would suggest you ask Justin and I will be happy to give info on my local setup (this assumes Justin can grab time away from toxic nappies/daipers) There is a lot you can do to ameliorate load. On bad days my quad does 50 a second so it's doable. I will freely admit I have no clue quite how this came to be, but it is (a case of having colleagues knowing more than I do - for which I am eternally grateful; the usual culprits know who they are) Kind regards Nigel On Fri, 31 Jul 2009 11:41:14 -0700 (PDT), poifgh abhinav.pat...@gmail.com wrote: In my tests - there was not MTA. The mails/spam were collected from some server in mbox format and fed to SA using --mbox switch. The size of msgs was not altered in any fashion - just the usual size of incoming spam/mails There are no AV [you mean Anti Virus right?] running on the machine Would be back with results -- Nigel Frankcom-2 wrote: I'm assuming you run a tad more messages than I, but on a quad with a failover I have never seen the failover kick in 4 years. This is not disputing your observations, just noting mine. I claim absolutely no knowledge about the core processing/stacking though I would assume (perhaps incorrectly) that the parsing would be part of the software (MTA). I freely admit I only picked up what seems the tail end of this thread but having used SA for so many years I think I have at least a handle on how it plays (hence the failover). My failover SA is in place to handle slow queries from the primary SA. Assuming (again) that mail size has been factored and any AV is running remotely? Just a few thoughts based on a very cursory read of a few posts, sadly - or happily, work make my contributions here limited. I'd be interested in the results of this though. 
Kind regards Nigel PS - apologies if I'm repeating prior observations. On Fri, 31 Jul 2009 10:41:47 -0700 (PDT), poifgh abhinav.pat...@gmail.com wrote: Henrik K wrote: Yeah, given that my 4x3Ghz box masscheck peaks at 22 msgs/sec, without Net/AWL/Bayes. But that's the 3.3 SVN ruleset.. wonder what version was used and any nondefault rules/settings? Certainly sounds strange that 1 core could top out the same. Anyone else have figures? Maybe I've borked something myself.. The problem is not with 22 being a low number, but when we have other free cores to run different SA parallely why doesnt the throughput scale linearly .. I expect for 8 cores with 8 SA running simultaneously the number to be 150+ msgs/sec but it is 1/3rd at 50 msgs/sec
Re: sa-update error
On Mon, 8 Jun 2009 03:30:59 -0700 (PDT), snowweb pe...@snowweb.co.uk wrote:

> I've just heard about sa-update and tried to run it. I was thinking of setting up a cron to do it daily, however, I got the following error message when I ran it manually:
>
> [r...@s1 spamassassin]# sa-update && service spamassassin restart
> Can't locate Archive/Tar.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8) at /usr/bin/sa-update line 81.
> BEGIN failed--compilation aborted at /usr/bin/sa-update line 81.
>
> Any ideas please?
>
> pete

I think the Tar package is available via yum if you want an easy way to keep it current. If not, install it via CPAN. You may need to restart SA after, not sure.

It may also be worth running spamassassin --lint -D to see if you are missing any other packages.

HTH Nigel
Custome rule problem.
Hi All,

I've written the following rule to deal with spam a particular set of users are getting hit by that very few of my rules are hitting. Using --lint the rule comes back clean but on testing it appears to be ignored. It's in the spamassassin directory. Am I missing something stupid? (Wouldn't be the 1st time)

header __NFheader ALL =~ /live\.com/i
score __NFheader 0.1
uri __NFuri /www\.google\.com\/groups\//
score __NFuri 0.1
meta NFheader_Details (__NFheader && __NFuri)
describe NFheader_Details live dot com spam
score NFheader_Details 5.0

Any help greatly received.

Kind regards
Nigel
Re: Custome rule problem.
On Thu, 19 Feb 2009 16:16:48 +0100, Karsten Bräckelmann guent...@rudersport.de wrote:

> On Thu, 2009-02-19 at 14:50 +, Nigel Frankcom wrote:
> > Using --lint the rule come back clean but on testing it appears to be ignored. It's in the spamassassin directory. Am I missing something stupid? (Wouldn't be the 1st time)
>
> You're missing a lot of details. How do you test your rules? Try using the -D debugging, to see if the sub-rules actually hit. No sample, so we can't tell if your rules are correct.
>
> > header __NFheader ALL =~ /live\.com/i
> > score __NFheader 0.1
>
> Meta-match sub-rules don't score.
>
> > uri __NFuri /www\.google\.com\/groups\//
> > score __NFuri 0.1
> > meta NFheader_Details (__NFheader && __NFuri)
> > describe NFheader_Details live dot com spam
> > score NFheader_Details 5.0

Testing was done through spamassassin --lint and with debug. I used a mail that *should* have hit the rules.

Tried it with and without scores for meta's... just in case.

I'll post up a sample of a test mail once the current round of other network screw ups are resolved.

TIA Nigel
Re: Custome rule problem. Resolved
On Thu, 19 Feb 2009 08:01:48 -0800 (PST), John Hardin jhar...@impsec.org wrote:

> On Thu, 19 Feb 2009, Nigel Frankcom wrote:
> > Testing was done through spamassassin --lint and with debug. I used a mail that *should* have hit the rules.
>
> --lint is not for testing rule performance, as it uses an internally-generated test message. It's just to check for syntax errors.
>
> As has been requested, can you post a complete sample message on pastebin for us to see?

Many thanks to all... I have the rule working. As usual it was a syntactical error (typo). For anyone else getting the live.com emails with google groups links the following works:

# Live.com spam
#rev:
#Nigel Frankcom: 19/02/2009 12:56:07~ works with 3.0.x, 3.1.x, 3.2.x
# Tested on 3.0.4, 3.0.5, 3.1.0, 3.2.x
header __NFheader ALL =~ /live\.com/i
uri __NFuri m{^https?\://www\.google\.com/groups?}i
meta NFheader_Details (__NFheader && __NFuri)
describe NFheader_Details live dot com spam.
score NFheader_Details 7.0

My default is 5.0 but the AWL puts live with a positive score. I'm noting stuff from yahoo as well so will adjust this to suit.

Feel free to mangle it, I'd appreciate a copy of any wider ranging working versions though.

Kind regards and many thanks to all.
Nigel
Re: html experts: empty style tags.
On Thu, 29 Jan 2009 18:00:47 -0800, Kelson kel...@speed.net wrote: On the subject of style vs style type=text/css *Technically* the TYPE attribute is required in HTML 4, but in practice, no one really uses anything other than CSS, and most browsers will assume it. The current draft of HTML 5 recognizes this, and makes TYPE explicitly optional for STYLE, defaulting to text/css if not present: http://www.whatwg.org/specs/web-apps/current-work/#the-style-element So in HTML 5, this is perfectly valid: style h1 {font-family: Arial} /style It is only allowed within HEAD (though again in practice, most browsers are lenient about this), but if I'm reading the HTML 5 spec correctly, it will also allow style within the body, but *only* if it contains the SCOPED attribute, and only at the beginning of a section, like this: div style scoped h2 {color: green} /style Bunch of content /div But this would not be: div Some content style scoped h2 {color: red} /style More content /div As far as I was aware style within the body is only valid as part of an element e.g. p style=font-family: serif;some text/p. It's my understanding that you'd only have style dir/lang/media/title/type= Inline in something like a php etc page... which would be a tad pointless. Not entirely sure what my point is here but it filled up some time until dinner was ready :-D Best to all Nigel
Re: Central and common rules
On Tue, 27 Jan 2009 21:51:13 +, Nigel Frankcom ni...@blue-canoe.com wrote: Hi All, Is there are central point for links or dissemination of 'best practice' rules? I freely admit this is my 1st port of call. I'm wondering if there is a simple (i.e works for a muppet like me) page that lists details of how to synch non sa-update rules. The question is based on the sad and slow demise of the ninjas. If no such central repository exists I'd be interested in setting up one; hopefully with some info for new users. Kind regards Nigel Many thanks to all for your replies. Also to those that have taken the time and trouble to set up channels. Kind regards Nigel
Central and common rules
Hi All, Is there are central point for links or dissemination of 'best practice' rules? I freely admit this is my 1st port of call. I'm wondering if there is a simple (i.e works for a muppet like me) page that lists details of how to synch non sa-update rules. The question is based on the sad and slow demise of the ninjas. If no such central repository exists I'd be interested in setting up one; hopefully with some info for new users. Kind regards Nigel
Re: custom post-processing. Howto?
On Thu, 8 Jan 2009 21:05:52 +0300, JVlad d...@yandex.ru wrote: Hi, Spamassassin 3.2 works very good for me. Now I want to write a plugin in Perl that will be executed by spamassassin after each email is processed. This script would have to know sender address, sender ip, and score assigned by SA. Is it possible? Many mail packages have built in SA support. What are you using? (apologies if this has been stated I missed the start of this thread) Amavis, Qmail and even some widoze mail app's have options. Also spamc (I think) may be worth a look - mine has all this built in so I get to manually trawl marked spam for fp/fn and adjust accordingly, such fun. The plus side is that an SA hit auto greylists and a clam hit auto blacklists (for defined periods). KR Nigel
Re: custom post-processing. Howto?
On Thu, 8 Jan 2009 23:12:47 +0300, JVlad d...@yandex.ru wrote: sendmail + spamassassin milter (written by Georg C. F. et al) everything works great so far, except I need to save the spamassassin results (score+sender) and do this synchronously, right after the score is calculated. How about a perl script that opens a reader on tail --follow=/var/log/maillog --max-unchanged-stats=10 ? Thanks, but is there a way to get this perl script executed as part of Spamassassin work and pass there score, ip, and address? Does spamassassin support such post-processing plugins? Synchronously is doubtful. SA works as a series in the mail chain - in my case mail is passed from the MTA to SA, it in turn scores the mail and from there my MTA reads the score and acts accordingly - as do many others. If your mail load is high then you would presumably run multiple SA servers, here if SA1 is busy it (the MTA) passes to SA2 etc. Based on all the above the mail is either dropped into the /suspect folder for manual checking, bounced as greylisted or passed. HTH KR Nigel
Re: From: and To: Spamers
aside Does DynDNS allow SPF records? On Mon, 29 Dec 2008 15:08:38 +0100, Matthias Haegele mhaeg...@linuxrocks.dyndns.org wrote: Michelle Konzack schrieb: Hello *, since arrount 5 days I am hit by several 10.000 very small (~2 kByte) messages which use my email addresse in From: and To:... Does anyone know, how to stop this shit effectively? 1st mail server is courier-mts + courier-imap + spamassassin + clamav 2nd mail server is postfix + dovecot + spamassassin + clamav search for backscatter: http://www.postfix.org/BACKSCATTER_README.html
Re: Preconfigured Spamassassin image/setup ?
A box is trained for a particular network need. For example a bank would need aver different ruleset/bayes than a 'normal' user. it's easy enough to create an image, however, that image will only apply to the network is was trained for. You can't shortcut training. It's an integral part of SA. If you don't have the time or inclination go and sign up with message labs. That said, on testing my own SA conf against Message labs I consistently hit higher; maybe it's luck. Nigel On Mon, 22 Dec 2008 14:54:18 +0100, Matthias Haegele mhaeg...@linuxrocks.dyndns.org wrote: Frank DeChellis schrieb: Is there an image file out there that has a unix server and spamassassin config on it, all in one sort of thing? I have configured spamassassin a few times (one running now) on various servers and it does the job ³better than OK² but I have the feeling it is a lot better then what I¹m getting out of it. I¹m talking like a preconfigured image that the end product is of the Barracuda spam server genre. First: I dont know of such a config out there, there may be several howtos around which could help ... Such a thing is not only about Spamassassin its configuring your MTA, iptables/Firewall, maybe using a policy service (for MTA), and it strongly depends on your organisation, so imho there is no jack of all trades device that solves all your problems ... Sure one could spend alot of money for such a wonder box if the knowledge of configuring it is not there but i dont know if it is worth it ... Thanks Frank -- Gruesse/Greetings MH Dont send mail to: ubecatc...@linuxrocks.dyndns.org
Re: sought rules updates
I haven't seen an update from sa-update in months. What version is current? I have dbg: dns: 5.2.3.updates.spamassassin.org = 709395, parsed as 709395 showing here. This even after a dns crash and replace. Nigel On Tue, 9 Dec 2008 09:39:11 +0100, Leveau Stanislas [EMAIL PROTECTED] wrote: Hi I have the same problem regards Stan Has anyone seen any updates to the sought rules lately? It seems like it's been about 4 or 5 days now since I've seen any via sa-update. -- Chris KeyID 0xE372A7DA98E6705C
Re: skew the AWL on spam report
On Wed, 3 Dec 2008 09:56:58 -0500, Jeff Mincy [EMAIL PROTECTED] wrote: From: Matt Kettler [EMAIL PROTECTED] Date: Tue, 02 Dec 2008 23:48:57 -0500 Brian J. Murrell wrote: If I get a spam and I need to have SA learn that it's spam with sa-learn, wouldn't it be useful to also skew the AWL for that sender so that future uses of the AWL for that spammer will push the overall spam score up? Thots? You can use spamassassin --add-to-blacklist. There isn't much of a point though, since the email address isn't likely to ever be reused. Only 5% of my spam is in the AWL. If a spammer is using the same sending address over and over again, blacklist them entirely. Yep. That said, I've never seen a spammer re-use the same address twice. The sagrey plugin addresses this. Sagrey hits on the 95% of spam that is from a new email+IP. -jeff Is Mail::SpamAssassin::Plugin::SAGrey part of the stat SA set? Neither yum nor CPAN seem to be able to find it here... though that could easily be down to user error. Hasn't appeared in sa-update either from what I've seen. Nigel
Re: [admin] new SpamAssassin PMC chair
Ahh the joys of administration (paperwork)... lovely meetings, comfy chairs, free coffee... some people just don't know when they are well off! ;-D Welcome back to the land of the living Justin. On Thu, 21 Aug 2008 11:40:11 +, [EMAIL PROTECTED] (Justin Mason) wrote: Hi all -- just a quick note to announce some administrivia. When the SpamAssassin project moved to the Apache Software Foundation, we made an informal decision that it'd be nice if the position of project chair [1] cycled between the members of the SpamAssassin Project Management Committee every so often. This turned out to happen -- 2 years (or so) ago, I took over from Daniel Quinlan as PMC chair, after his ~2-year stint. And now, I'm handing it on in turn, to Daryl O'Shea; so as of last night, Daryl is now the PMC chair and an officer of the ASF -- Vice President, Apache SpamAssassin. Congrats Daryl! (Of course, this doesn't mean I'll be lessening my work on SpamAssassin; it just means that Daryl now has to handle the boring admin stuff like reporting to the ASF board and so on ;) [1]: http://www.apache.org/foundation/how-it-works.html --j.
Re: Being Buried In Returned Email - Need To Mark Certain IPs
On Sun, 29 Jun 2008 07:07:58 -0700 (PDT), thadcoco [EMAIL PROTECTED] wrote:

> Hi All,
>
> My server CentOS 4, Sendmail, MailScanner (SA ClamAV) is being buried by spoofed emails that are bounced back to my domain by the recipient's servers. Virtually all these emails are being sent from a zombie at a single IP. i.e.: All the messages contain the following line somewhere within:
>
> Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
>
> I can't figure out how to mark any messages that originally sourced from that IP so that they can be dropped by Procmail (that approach would appear to be my only hope, as junk is arriving faster than my mail client can pull it off the server).
>
> I have tried to write a rule that would mark any message with that particular IP, but nothing seems to work. An example that doesn't work (but does --lint just fine) is:
>
> header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
> describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
> score ANNOYING_SPAMMER 15
>
> Does SA only scan the most recent Received Header line? If so, the Header - Received syntax wouldn't work because the bad IP is in the original Received line. In case that was the problem, I also tried the Rawbody operator to no avail.
>
> Note that other than this issue, SA appears to be doing everything else just fine. So I am desperate and would be grateful for any suggestions.
>
> For reference, here are my full procmailrc and local.cf files.
>
> /etc/procmailrc -
>
> DROPPRIVS=yes
>
> :0fw
> * < 256000
> | /usr/bin/spamc -f
>
> :0
> * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
> /dev/null
>
> /etc/mail/spamassassin/local.cf -
>
> # Change the subject of suspected spam
> rewrite_header subject *SPAM*
> # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
> report_safe 0
> # Enable the Bayes system
> use_bayes 1
> # Enable Bayes auto-learning
> bayes_auto_learn 1
> # Enable or disable network checks
> skip_rbl_checks 0
> use_razor2 1
> #use_dcc 1
> use_pyzor 1
> header ANNOYING_SPAMMER Received =~ /89\-83\-98\-193/
> describe ANNOYING_SPAMMER Mark mail touched by specific IP as spam
> score ANNOYING_SPAMMER 15
> ---

Can you not block them at your router or firewall? Then they are not taking up threads either. It's how I deal with heavy hitters.

Nigel
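To see where the zombie's address actually sits in one of these bounces before choosing a rule type, this added example (not code from the thread) parses a message and reports whether the pattern from the ANNOYING_SPAMMER rule matches the bounce's own Received headers, the headers of an original message embedded in the bounce, or only body text. Both sample messages are constructed; the `.example` hosts and `192.0.2.x` addresses are placeholders, and it assumes the bounce carries the original as a `message/rfc822` or `text/rfc822-headers` part.

```python
import email
import re
from email import policy

# Pattern taken verbatim from the ANNOYING_SPAMMER rule in the post.
RULE_RE = re.compile(r"89\-83\-98\-193")

def _received_hits(msg, pattern):
    """Received header values of `msg` (all of them, not just the newest) that match."""
    return [str(v) for v in msg.get_all("Received", []) if pattern.search(str(v))]

def _text_of(part):
    """Decoded text of a leaf part, tolerant of missing or unknown charsets."""
    raw = part.get_payload(decode=True) or b""
    try:
        return raw.decode(part.get_content_charset() or "latin-1", "replace")
    except LookupError:
        return raw.decode("latin-1", "replace")

def locate(raw, pattern=RULE_RE):
    """Report where `pattern` occurs: own headers, embedded headers, or text parts."""
    top = email.message_from_bytes(raw, policy=policy.default)
    found = {"own_headers": _received_hits(top, pattern),
             "embedded_headers": [], "text_parts": []}

    def scan(part):
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():
            inner = part.get_payload(0)          # the returned original message
            found["embedded_headers"] += _received_hits(inner, pattern)
            scan(inner)
        elif part.is_multipart():
            for sub in part.get_payload():
                scan(sub)
        elif ctype == "text/rfc822-headers":     # headers-only copy of the original
            hdrs = email.message_from_string(_text_of(part), policy=policy.default)
            found["embedded_headers"] += _received_hits(hdrs, pattern)
        elif part.get_content_maintype() == "text":
            if pattern.search(_text_of(part)):
                found["text_parts"].append(ctype)

    scan(top)
    return found

def where(found):
    """Collapse a locate() report into one label."""
    if found["own_headers"]:
        return "own-headers"
    if found["embedded_headers"]:
        return "embedded-message"
    if found["text_parts"]:
        return "body-text"
    return "absent"

# Constructed bounce: the zombie's Received line exists only inside the attachment.
BOUNCE = b"""\
Return-Path: <>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
 by mail.victim.example with ESMTP; Sun, 29 Jun 2008 14:00:00 +0000
From: MAILER-DAEMON@mx.recipient.example
To: someone@victim.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

The message could not be delivered.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--BOUND
Content-Type: message/rfc822

Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
 by mx.recipient.example with SMTP; Sun, 29 Jun 2008 13:59:00 +0000
From: someone@victim.example
To: nobody@recipient.example
Subject: constructed spam subject

constructed body
--BOUND--
"""

# Constructed direct delivery: the zombie's line is the older of two own headers.
DIRECT = b"""\
Received: from mx.victim.example (mx.victim.example [192.0.2.25])
 by mail.victim.example with ESMTP; Sun, 29 Jun 2008 14:00:00 +0000
Received: from d04m-89-83-98-193.d4.club-internet.fr ([89.83.98.193])
 by mx.victim.example with SMTP; Sun, 29 Jun 2008 13:59:58 +0000
From: someone@sender.example
To: someone@victim.example
Subject: constructed direct delivery

constructed body
"""

if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE), ("direct", DIRECT)):
        print(name, "->", where(locate(raw)))
```

For a saved message, call `locate(open(path, "rb").read())`; a result of `embedded-message` means the address is in the returned original, not in the header block of the bounce itself.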
Re: trusted_networks set in local.cf, but not according to sa-update
On Sat, 21 Jun 2008 01:10:53 -0400, Sahil Tandon [EMAIL PROTECTED] wrote:

> I see the following when running sa-update with debug flags:
>
> [20528] dbg: conf: trusted_networks are not configured; it is recommended that you configure trusted_networks manually
>
> However:
>
> # grep trusted /usr/local/etc/mail/spamassassin/local.cf
> trusted_networks 69.55.228.210

I could be very wrong here, it wouldn't be the 1st time; but isn't the main local.cf in /etc/mail/spamassassin/?

Per user may work differently, I'm not sure, my version of per user is handled by the MTA and a MySQL Database for users (Windows based mail server -- CentOS based SA)

Might that be why sa-update is showing the error?

> --lint does not complain, and I know that local.cf is being otherwise interpreted by SA because custom rules contained therein are scoring.
Re: whitelisting webmail application
On Sat, 03 May 2008 12:51:32 -0300, Leonardo Rodrigues Magalhães [EMAIL PROTECTED] wrote:

> Hello Guys,
>
> im running SA 3.2.4 and, on the same machine, horde/imp as webmail application. Sometimes, mails sent through imp are getting flagged as SPAM because of RBL checks, for example:
>
> Content analysis details: (8.4 points, 8.0 required)
>
> pts rule name           description
> --- ------------------- ---------------------------------------------
> 0.3 TVD_RCVD_SINGLE     TVD_RCVD_SINGLE
> 3.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
>     [botnet_ipinhosntame,ip=201.67.93.102,rdns=201-67-93-102.gnace704.dsl.brasiltelecom.net.br]
> 0.0 UNPARSEABLE_RELAY   Informational: message has unparseable relay lines
> 0.0 HTML_MESSAGE        BODY: HTML included in message
> 5.0 RCVD_IN_PBL         RBL: Received via a relay in Spamhaus PBL
>     [201.67.93.102 listed in zen.spamhaus.org]
> 0.1 RDNS_NONE           Delivered to trusted network by a host with no rDNS
>
> Content analysis details: (11.7 points, 8.0 required)
>
> pts rule name           description
> --- ------------------- ---------------------------------------------
> 5.0 RCVD_IN_PBL         RBL: Received via a relay in Spamhaus PBL
>     [201.11.150.2 listed in zen.spamhaus.org]
> 5.0 RCVD_IN_XBL         RBL: Received via a relay in Spamhaus XBL

Before you worry about whitelisting your own stuff, the Spamhaus listing would need to be resolved. If you are on a static IP you might ask your isp to supply an rdns entry and then attempt to get things resolved with Spamhaus. If you do both of those you will probably not hit either of the issues you show above (and below).

> 1.6 TVD_RCVD_IP         TVD_RCVD_IP
> 0.0 HTML_MESSAGE        BODY: HTML included in message
> 0.1 RDNS_NONE           Delivered to trusted network by a host with no rDNS
>
> Well in fact i would like my webmail sent applications to be considered 'trusted' and not pass through SA rules, but i dont know how to do that.
>
> I think i'm having this kind of behavior because IMP is inserting Received: headers with real ip users apparently when remote IP has reverse and always with X-Originating-IP
>
> (with remote IP address as X-Originating-IP)
>
> Return-Path: [EMAIL PROTECTED]
> Received: from ( [unknown]) by correio.solutti.com.br (Horde MIME library) with HTTP; Sat, 03 May 2008 11:34:55 -0300
> Message-ID: [EMAIL PROTECTED]
> Date: Sat, 03 May 2008 11:34:55 -0300
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: proposta comercial
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary==_1j9plxzuetq8
> Content-Transfer-Encoding: 7bit
> User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
> X-Originating-IP: 201.67.93.102
> X-Remote-Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
>
> (with remote IP address as Received: header)
>
> Return-Path: [EMAIL PROTECTED]
> Received: from 201-11-150-2.gnace702.dsl.brasiltelecom.net.br (201-11-150-2.gnace702.dsl.brasiltelecom.net.br [201.11.150.2]) by correio.solutti.com.br (Horde MIME library) with HTTP; Sat, 03 May 2008 12:22:55 -0300
> Message-ID: [EMAIL PROTECTED]
> Date: Sat, 03 May 2008 12:22:55 -0300
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: teste
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary==_2pwudsfd55c0
> Content-Transfer-Encoding: 7bit
> User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
> X-Originating-IP: 201.11.150.2
> X-Remote-Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; Alexa; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
>
> Question is ... how would be the correct way of whitelisting my local sent messages through webmail ?
Re: [OT] ClamAV
On Wed, 30 Apr 2008 12:29:34 +0100, jpff [EMAIL PROTECTED] wrote:

> Has something happened to msrbl.com ? I have been using the Image database with success for some time, but it seems to have vanished.
>
> ==John ffitch

Hi John, seems OK from here.

Checking for .ndb files
Updated: phish.ndb Wed Apr 30 12:20:01 BST 2008
Updated: scam.ndb Wed Apr 30 12:20:01 BST 2008
No Update for: MSRBL-SPAM.ndb Available Wed Apr 30 12:20:01 BST 2008
Checking for .hdb files
Updated: MSRBL-Images.hdb Wed Apr 30 12:20:01 BST 2008
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon: [ OK ]
Re: how to unsubscribe to this group
From the headers of all list emails

list-help: mailto:[EMAIL PROTECTED]
list-unsubscribe: mailto:[EMAIL PROTECTED]
List-Post: mailto:users@spamassassin.apache.org
List-Id: users.spamassassin.apache.org
Delivered-To: mailing list users@spamassassin.apache.org

oh and for VBounce look at the documentation in your vbounce.cf... so try locate vbounce.cf you will probably have more than one version if you've run sa-update.

HTH Nigel

On Wed, 02 Apr 2008 14:18:28 +0200, mouss [EMAIL PROTECTED] wrote:

> Agnello George wrote:
> > how to unsubscribe to this group
>
> grin It is amazing how many people succeed to subscribe and can't find out how to unsubscribe... /grin
>
> a Google search would easily lead to http://wiki.apache.org/spamassassin/MailingLists and reading that page shows how to unsubscribe (search for the string unsubscribe inside that page).
>
> And if Google is not your friend, all the list messages contain the following headers:
>
> list-help: mailto:[EMAIL PROTECTED]
> list-unsubscribe: mailto:[EMAIL PROTECTED]
> List-Post: mailto:users@spamassassin.apache.org
> List-Id: users.spamassassin.apache.org
>
> the second header above means that you need to send a message to [EMAIL PROTECTED]
Scoring unexpectedly low
Hi All,

A user received the spam below. The scoring on it seems very low. Does it score consistently for others? If not, what rules is it tagging?

Any help gratefully received.

Received: by blue-canoe.org.uk (MTSPro MTSAgent 1.60.20) ; Fri, 28 Mar 2008 07:06:43 - for redacted
X-Spam-RBLReport: dns:mail.usf.edu [131.247.100.11] dns:mail.usf.edu?type=MX [1 mailgate.acomp.usf.edu.]
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on ratsnest.bleh
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_60=1 autolearn=disabled version=3.2.4
X-Spam-Pyzor:
Received: from mailgate.acomp.usf.edu (copper.acomp.usf.edu [131.247.100.216]) by blue-canoe.org.uk (envelope-sender [EMAIL PROTECTED]) with ESMTP (MTSPro MTSSmtp 1.61) for redacted; Fri, 28 Mar 2008 07:06:33 -
Received: from mailbox2.acomp.usf.edu (hydrogen.acomp.usf.edu [131.247.100.91]) by mailgate.acomp.usf.edu (Postfix) with ESMTP id 4C304590732; Fri, 28 Mar 2008 03:06:11 -0400 (EDT)
Received: from 81.199.63.41 (SquirrelMail authenticated user aventura) by mailbox2.acomp.usf.edu with HTTP; Fri, 28 Mar 2008 03:06:12 -0400 (EDT)
Message-ID: [EMAIL PROTECTED]
Date: Fri, 28 Mar 2008 03:06:12 -0400 (EDT)
Subject: Re: REFERENCE NUMBER: MA/02/453876752/NL
From: Online Promo [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.4.6
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;
Content-Transfer-Encoding: quoted-printable
X-Abuse-Report-URL: http://www.blue-canoe.net/abuse
X-Envelope-Sender: [EMAIL PROTECTED]
X-Envelope-Receiver: redacted

You have won the sum of =A3500,000.00 (Our grand Prize).in cash. To file for your claims, contact Mrs. [EMAIL PROTECTED] With all the following information.

Full Name:
Address:
Phone Number:
Occupation:
Country of residence:
Nationality:
Sex:
Age:
Amount Won:

REFERENCE NUMBER: MA/02/453876752/NL. ticket number IL353/04/46,serial numberIL35376EW.

Yours Truly,
Mrs.Godwin Crow
Co-ordinator(Online Promo Programme)
Re: Your Industry profile
On Thu, 20 Mar 2008 17:18:03 +0530, Agnello George [EMAIL PROTECTED] wrote: On 3/20/08, Arvid Ephraim Picciani [EMAIL PROTECTED] wrote: nice. spam on the spamassassin ml. anyone got a rule for those already? :D On Thursday 20 March 2008 11:13:09 agnello george wrote: Hi, I started your industry profile on Orglex by adding you as my contact and joined Management Consulting, Commercial Banks, Mobile Operators, Magazines, Social Networking, Software Testing Hubs. Orglex delivers relevant news, information, networking and jobs within your Industry Hubs. The more industry contacts and influence you have, the better your access to industry recruiters, jobs and business opportunities. Click on the below link to accept my Invitation and increase both your Industry connections and influence. http://www.orglex.com/joinhubs/0306184118f09fe4a7f1/ Thanks -- best regards Arvid Ephraim Picciani SO SORRY!! THIS IS A BIG MISTAKE ON MY BEHALF !!! DIDN'T KNOW IT TOOK ALL MY ADDRESSES IN MY ADDRESS BOOK!! THERE IS NOTHING I CAN DO TO REVERSE I DO APOLOGIES AGAIN !! AGNELLO I wouldn't worry about it too much, that you followed up with an apology speaks volumes and I suspect many of us have been bitten by similar things on networking sites, I know I have. That said, remind me not to book on a flight you're on; of all the lists to do that on you probably picked the worst :-D That kind of luck is best avoided! Have a good Easter Nigel
Re: URIBL
On Wed, 20 Feb 2008 16:40:33 +0100, Rocco Scappatura [EMAIL PROTECTED] wrote: During last days I have noticed an increasing of 'rejected' messages. I'm currently using 'zen.spamhaus.org' and 'list.dsbl.org' as reputation servers. At the same time, the number of false negative is growth. I would like to know if is there any better reputation server that anyone know (of course, it would be nice if it is a free service :-)). Anyway I heard talking about URIBL, which as I have understod is a quite different service (it blacklists 'domains' rather 'IPs'). But is it maybe a dangerous practice to fight spam? Anyway, does anyone suggest me to use URIBL? Thanks, rocsca Hi, Try Googling spamassassin backscatter or take a look at http://www.rulesemporium.com/rules.htm there's some handy stuff there but READ THE DOCS... For what it's worth I'm seeing an escalation here in the UK and on US and AUS servers so it's not isolated. Admittedly it's not a large proportion but it is a rise. HTH Nigel
Re: Time to make multi.uribl.org optional rather than default?
On Wed, 20 Feb 2008 10:59:58 -0500, Chris Santerre [EMAIL PROTECTED] wrote: -Original Message- From: Jeff Chan [mailto:[EMAIL PROTECTED] Sent: 2008-02-20 07:59 To: users@spamassassin.apache.org Subject: Re: Time to make multi.uribl.org optional rather than default? If you think blacklists should be free, then you should set up your own, spend thousands of hours per year on it, undergo constant threats of DDOs or worse, and listen to complaints if you dare to consider being partially paid for your work. Jeff, ... I think I might love you again. :) --Chris Santerre (Who an I kidding, I never stopped loving you!) Just my 2(pick your currency) worth, anyone prepared to put in the effort folks like sorbs, ordb, spamhaus, Jeff and many that have gone before. Altruistic people who have put horrific amounts of time, money and effort into making the lives of us mere mortals easier, deserve recognition, gratitude and PAYMENT! Would you pay for and rebuild a strangers house for them? Because (imo) that's about the equivalent Some stick a donate option on their sites, which I suspect is rarely used. Others don't even do that. If phone companies let us have free lines and ISPs give us free hosting, maybe then we can wonder about free uribl's. The absolute least we can do is add our thanks and put some money in the pot - or our money where our mouths are. I for one am quite prepared to both proffer my thanks and put my money where my mouth is. I'm also prepared (as are my users) to add a small sum, which on a per user basis it would be, to each sale the benefits land me. I must admit to being horrified that anyone EXPECTS this for free. Nigel
Re: blacklist.cf needs to die (was Re: Help figuring our why SA is taking like 1.5 minutes to filter...)
On Fri, 26 Oct 2007 09:43:37 -0700 (PPT), John D. Hardin [EMAIL PROTECTED] wrote: On Fri, 26 Oct 2007, Duane Hill wrote: But people don't read logs, or they would know... I'd suggest die-ing instead. Why not make it a configurable option in local.cf defaulting to die. That way for those of us who create custom .cf files that have the system resources can do so and not have to split them up into more than one file. No, the size-to-die-at should be configurable, not whether you die or warn. If you *want* to support large custom config files, then up the limit. Perhaps a little more info about each rule would be helpful? I've ended up with mine through a variety of trial and error and list post comments and suggestions. I run SA on a dedicated machine and it has had problems in the past, though admittedly some of those could have been attributed to a combination of remote DNS and remote MySQL. Still, some explanation regarding the caveats (which _are_ included in some rules info) could help the process some? Just my 2p worth. Kind regards Nigel. BTW - 5 days to Halloween and the little buggers are knocking my door already - some things American should remain American! :-D
Re: Top spam hosters, how to decline email mentioning them
On Sat, 20 Oct 2007 23:27:41 -0500, Igor Chudov [EMAIL PROTECTED] wrote: I was looking at this article http://en.wikipedia.org/wiki/E-mail_spam It claims that only five countries are hosting 99.68% of the global spammer websites, of which the foremost is China, hosting 73.58% of all web sites referenced within spam.[30] I already refuse all email coming from China (and Korea). Never regretted this. Now, I also want to ignore all emails mentioning all China and Korea hosted websites (not just .cn, but also .coms and so on that have Chinese IPs). I will have to not do so with Russia hosted sites, due to me being a Russian by origin. Is there some tool that I could use to accomplish that? Perhaps it's a translation thing; but I was under the impression he wanted to drop these early, not run them through the entire mail/sa process first? (In defence of my MTA comments :-D) Nigel
Re: Top spam hosters, how to decline email mentioning them
On Mon, 22 Oct 2007 00:07:17 -0700, Bill Landry [EMAIL PROTECTED] wrote: I don't know how one could determine the IP address associated with a URL in the body of a message at the MTA level without accepting the message first for further processing. The best you could do at the MTA level is block URLs that have a certain extension like .cn, but that's not what the OP was asking for, and explicitly stated as much. A very good point. I'll shut up now :-D Nigel
Re: Top spam hosters, how to decline email mentioning them
On Sat, 20 Oct 2007 23:27:41 -0500, Igor Chudov [EMAIL PROTECTED] wrote: I was looking at this article http://en.wikipedia.org/wiki/E-mail_spam It claims that only five countries are hosting 99.68% of the global spammer websites, of which the foremost is China, hosting 73.58% of all web sites referenced within spam.[30] I already refuse all email coming from China (and Korea). Never regretted this. Now, I also want to ignore all emails mentioning all China and Korea hosted websites (not just .cn, but also .coms and so on that have Chinese IPs). I will have to not do so with Russia hosted sites, due to me being a Russian by origin. Is there some tool that I could use to accomplish that? Blocks of that type are more usually done at the MTA level. You'd need to post your server details before anyone could offer advice. If I recall right there are lists of netblocks you can use, though I think they integrate differently with different servers. In short, post your mail server details and perhaps someone will be able to offer some suggestions. Mine allows keyword blocking but that can come back and bite you. HTH Nigel
Re: unsubscribed
On Thu, 18 Oct 2007 00:16:06 +0200, mouss [EMAIL PROTECTED] wrote: Rob Sterenborg wrote: Steve Ingraham wrote: I cannot help but comment on this post. Neither can I. I am one of those ignorant people that is subscribed to this list (along with several others) for the purpose of asking questions of you experts out there because I do not fully understand how it is working. By all accounts every one of you out there would label me as a novice. The truth of the matter is I am a novice. As the saying goes; I know enough about this stuff to be dangerous. Sorry, but this is the SpamAssassin list and the subject has nothing to do with how it's working. If the OP had a question about how it's working, he'd get an answer - I'm quite sure of that and I think you know that. This specific thread has become a rant because the OP did not show that he searched for himself first on how to do something simple: unsubscribe from this list. If he put the least effort in finding information on how to do that (how hard can it be to just go to the SA website and click Lists to find the info?), he wouldn't have sent the email that started all this. A lot of people don't see the difference between [EMAIL PROTECTED] and [EMAIL PROTECTED] (replace 'owner' by 'unsubscribe', 'admin', 'request', ... depending on the list). They think these are the same addresses. you can't blame them, really. nasty idea for someone to post, he must subscribe, then unsubscribe, then resubscribe. only then can he post a message. Unfortunately, even this won't work (besides annoying us with an N steps procedure) as people will anyway forget... /nasty I have already seen message saying Please help me unsubscribe from your group...blah blah, and this was a reply to group message, which signature contains the procedure to unsubscribe! (so if the guy just read the message before hitting the send button...). In short, he quoted a message that responds to his question.
but if people were to search for information effectively, they wouldn't buy from spammers, and that alone would reduce spam! What I would like to say by posting this is; why don't all you experts out there relax a bit? I, for one, acknowledge your superiority over me in this spam stuff. I don't think this has anything to do with anyone's superiority in this spam stuff (certainly not mine as I'm not). This has something to do with willing to take the effort and finding things out for yourself instead of just doing something and bother others with it (well, in this case it would be bother I suppose). Having started this in the 1st place by questioning why users didn't check the headers, I'd like to apologise to anyone who's taken offence. My comment was just that, a comment. Several of the responses have been of the 'we use it for quick help' variety; which is fine and something I personally have no problem with. For it to get blown up to this proportion seems a little over the top all things considered. So, for any that took offence from my post, again, I apologise. I still think checking mail headers is a basic part of manual mail checking but hey, I guess others feel differently. Live and let live. Regards Nigel
Re: unsubscribed
I am amazed at the number of list users that unsubscribe from an anti spam list and yet they fail to look at the headers of the mails they receive list-unsubscribe: mailto:[EMAIL PROTECTED] Not sure what the message says though, I don't speak German :-) On Fri, 12 Oct 2007 12:15:31 +0200, Sebastian Graf [EMAIL PROTECTED] wrote: Mit freundlichen Grüßen Sebastian Graf |N |O |C | --|--|--|--| | GROVE Network Operation Center | | Firma:NOC Grove GmbH Co. KG | Firmensitz: Auf der Stücke 6, 35708 Haiger - Rodenbach | Handelsregister: Amtsgericht Wetzlar, HRA 5311, HRB 3391 | USt-IdNr: DE 184305615 | Geschäftsführer: Burkhard Greeb, Reiner Grove, Stefan Grove | | Telefon: (+49) 2773 / 8167 - 0 | Fax: (+49) 2773 / 8167 - 20 | eMail:[EMAIL PROTECTED] | Firmenseite: http://www.grove.de |
Re: unsubscribed
/Me laughs OK - enough! I've had over 30 replies now telling me what it means. Many thanks to all those linguists, I'm now slightly better educated in German salutations :-D Kind regards Nigel On Fri, 12 Oct 2007 06:14:53 -0700, Evan Platt [EMAIL PROTECTED] wrote: According to babelfish, Mit freundlichen Grüßen means yours sincerely. At 04:33 AM 10/12/2007, Nigel Frankcom wrote: I am amazed at the number of list users that unsubscribe from an anti spam list and yet they fail to look at the headers of the mails they receive list-unsubscribe: mailto:[EMAIL PROTECTED] Not sure what the message says though, I don't speak German :-) On Fri, 12 Oct 2007 12:15:31 +0200, Sebastian Graf [EMAIL PROTECTED] wrote: Mit freundlichen Grüßen
Re: [users] Clash of 2 SPF packages
On Thu, 4 Oct 2007 19:43:00 +0200 (CEST), Dag Wieers [EMAIL PROTECTED] wrote: On Thu, 4 Oct 2007, Hugo van der Kooij wrote: On Thu, 4 Oct 2007, Dag Wieers wrote: That said, I wouldn't mind removing spfquery from one of the packages in order to allow both packages to be co-installed. I would prefer to remove it from perl-Mail-SPF-Query. Anyone minds ? Isn't that counter intuitive? The package name after all suggests SPF Query? Right, but the tool in perl-Mail-SPF-Query is from February 2006, while the one from perl-Mail-SPF is from May 2007. Besides the name is not always the best indication. At least perl-Mail-SPF is a more correct and complete implementation and therefore is more likely to provide better results. I still ship spfquery and spfd from perl-Mail-SPF-Query, but in /usr/share/doc/ instead. I'd agree with the removal of perl-Mail-SPF-Query, as has been pointed out to me by Michael Mansour... since it's already been announced by the author that it will _never_ be updated again, since as mentioned earlier, Mail::SPF follows RFC and should be migrated to by anyone using Mail::SPF::Query. This is cross posted to the SA list to see what comment it brings from there. Hopefully some of the SA admins are on this list and I won't have to re-cover the entire thread :-D Kind regards Nigel
Re: Bayes innodb problems
On Sat, 29 Sep 2007 03:24:17 +0200, Alex Woick [EMAIL PROTECTED] wrote: processing has ground down to really slow. I'm seeing some incredibly long queries now in my slow-query log, such as: Try an optimize table tabname for each of the sa tables. You just filled the database from scratch, so perhaps the counters/statistics do not reflect the actual value distribution yet. Optimize table does not work with InnoDB. Surely it does. According to the Mysql documentation, it defragments the indexes (it probably rebuilds them) and it updates the index statistics. I use the MySQL Tools to handle compacting and repair etc. For other jobs I use DBTools. Neither is perfect, but between them they get the job done. I do most of my admin from windows but afaik the MySQL tools are cross platform. Despite the above, I was (perhaps mistakenly) under the impression that the daily admin for bayes handled compaction etc. Perhaps your problem lies elsewhere in your system? I know from ages back that lack of a PTR for the SQL server can slow things significantly if your DB is on a different box to your SA. HTH Nigel
Re: unsubscribe
On Thu, 27 Sep 2007 11:59:26 +0400, Livitin Sergey [EMAIL PROTECTED] wrote: unsubscribe list-unsubscribe: mailto:[EMAIL PROTECTED]
Re: FW: List of 700,000 IP addresses of virus infected computers
On Fri, 14 Sep 2007 09:07:32 -0700, Jeff Shepherd [EMAIL PROTECTED] wrote: My my - I criticize one of the noise makers by pointing out the meta-troll's silliness so Marc responds by blacklisting me. This is getting interesting in a psychological sense. {^_-}I'm still giggling over it. He he, at the rate he's going, he'll have the whole list blacklisted on his end. -Jeff We can live in hope :-D
Re: List of 700,000 IP addresses of virus infected computers
Don't feed the animals ? I must have been dreaming when I saw the post about this and OT posts (said he joining in an OT post)
Re: required module out of date (revised, sorry)
On Sun, 9 Sep 2007 08:32:29 -0700 (PDT), Geno [EMAIL PROTECTED] wrote: I sent the email too soon. My apologies. I'm not the owner of the server. My host uses Redhat Linux Enterprise 3 and I'm trying to install Spamassassin 3.2.3. I don't know much about linux and I'm trying to install this for the first time. Again my apologies for not including my platform and Spamassassin version. The problem is: Upon running perl Makefile.PL PREFIX=$HOME I get this at the end of the report:
REQUIRED module out of date: HTML::Parser
REQUIRED module out of date: Net::DNS
optional module missing: Mail::SPF
optional module missing: Mail::SPF::Query
optional module missing: IP::Country
optional module missing: Razor2
optional module missing: Net::Ident
optional module missing: IO::Socket::INET6
optional module missing: IO::Socket::SSL
optional module missing: Mail::DomainKeys
optional module missing: Mail::DKIM
optional module missing: Archive::Tar
optional module missing: IO::Zlib
optional module missing: Encode::Detect
warning: some functionality may not be available, please read the above report before continuing!
hence when i do make it says no target or makefile found. I've tried searching on the website and through google but can't find a fix for this. how can i fix this? thanks.
Depending on the level of access you have; load cpan and do:
install HTML::Parser
install Net::DNS
If those fail you may be able to use yum to install them. Do yum list available to see if they are listed under the perl modules. HTH Nigel
Re: Listowner?
On Mon, 13 Aug 2007 06:33:04 -0700, Evan Platt [EMAIL PROTECTED] wrote: I didn't see a header for a listowner contact.. I did see a 'help', but not sure if that goes to a human or not. I'm getting an OOO e-mail for every post to the list (yes, 3 so far, this will make 4) from Tom Stockton. I can e-mail the headers if there's no Tom Stockton subscribed.. But can he please be unsubscribed? Thanks. :) Evan I just blacklisted him at the MTA, as I do with all auto-responders that hit me more than once. As I believe Lauren once said it makes me want to crawl back up the line and hit them in the face with a spade though I'm not certain the comment was aimed at auto responders the sentiment is reflected :-D Nigel
Re: MS outlook can't read parsed email... HELP!!
On Sun, 12 Aug 2007 21:52:28 -0700, Evan Platt [EMAIL PROTECTED] wrote: At 08:19 PM 8/12/2007, lynk wrote: I'm totally confused re this spamassassin thingy... i can't seem to get MS outlook to read the email i received (spam/ham) after spamassassin(3.1.9) scanned the message. You posted this 2 days ago. If no one answers again, I have two suggestions: First would be ask in an Outlook / Microsoft forum. Perhaps not a lot of people here use OutHouse / Outhouse Distress. View this message in context: http://www.nabble.com/MS-outlook-can%27t-read-parsed-email...-HELP%21%21-tf4247467.html#a12087709 Sent from the SpamAssassin - Users mailing list archive at Nabble.com. Second would be ditch Nabble. Nabble is simply a web based forum that's a link to an e-mail group - [EMAIL PROTECTED] I for one am close to killfiling any posts from them, so I'm sure others perhaps already are. For what it's worth a colleague of mine is throwing many curses at the spamc component for SA. His comments are not repeatable in polite company. Some of *his* problems stem from the way the spamc connector is written... Below is an extract of the irc rant he had on the subject
[20:24] !JamesDR damn it
[20:25] !JamesDR the exchange plugin is adding 3 CR's
[20:25] !JamesDR hmm
[20:52] !JamesDR sa 3.2.3 is out
[21:13] !JamesDR Grr.
[21:14] !JamesDR I think I'm going to replace the exchange spamc junk with what I know works
[21:14] !JamesDR mtsmilter code
[20:35] !JamesDR man, who ever wrote this ExchangeSpamC NEVER use option explicit, therefore almost all of his vars (that he didn't copy/paste from) weren't dimensioned
[21:31] !JamesDR seems to be sorted now :-D
[21:31] !JamesDR converted my old code to the new code
[21:44] !JamesDR PITA, cause it was adding CR's to messages, namely 3 mroe
[21:44] !JamesDR more
[21:44] !JamesDR but outlook and OWA displayed the messages OK, but blackberries didn't
[21:45] !JamesDR I figured out why, he blindly replaced CR's with CRLF's then replaced LF's with CRLF's
[21:45] !JamesDR then for good measure
[21:45] !JamesDR before writing back to exchange, replaced Cr's again with CrLF's
I have no idea if this is related to your problem, what I can say is that many of my users use Outlook and they have had no issues (that said, I don't use Exchange). It may be worth your while upgrading to a later version of SA (3.2.3) and seeing if that helps at all. Also take SA back to absolute bare bones, read all the docs carefully and see how far you get before problems start to appear/reappear. As the man says, talk to the OL people, see if they have any helpful input (I wouldn't hold your breath on that one). Check your logs, see what info is being posted there for any clues. Apologies if this is teaching you to suck eggs but I'm of the opinion it's best to start with the obvious and simple and work up from there. Just my 2p worth. KR Nigel
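The replacement order described in the IRC extract above (CR to CRLF, then LF to CRLF, then CR to CRLF again), worked through next to a single-pass normalisation. This is an added example, not the Exchange plugin's code and not in its language; the function names and the sample message are constructed for illustration.

```python
import re

# Matches one line break of any style; CRLF is tried first so it counts once.
_ANY_EOL = re.compile(r"\r\n|\r|\n")


def chained_replace(text):
    """Apply the three blanket replacements from the IRC log, in order."""
    text = text.replace("\r", "\r\n")  # CR -> CRLF: also rewrites the CR of every CRLF
    text = text.replace("\n", "\r\n")  # LF -> CRLF: also rewrites the LFs just produced
    text = text.replace("\r", "\r\n")  # CR -> CRLF again, before writing back
    return text


def normalise_crlf(text):
    """Turn every CRLF, bare CR or bare LF into exactly one CRLF, in one pass."""
    return _ANY_EOL.sub("\r\n", text)


def header_names(raw):
    """Return header field names up to the first empty line (end of headers)."""
    names = []
    for line in _ANY_EOL.split(raw):
        if line == "":
            break  # an empty line terminates the header block
        if line[0] in " \t":
            continue  # folded continuation of the previous header
        names.append(line.split(":", 1)[0])
    return names


# Constructed sample message with correct CRLF line endings.
SAMPLE = (
    "From: a@example.test\r\n"
    "To: b@example.test\r\n"
    "Subject: line endings\r\n"
    "\r\n"
    "body text\r\n"
)

if __name__ == "__main__":
    damaged = chained_replace(SAMPLE)
    print("one CRLF becomes:", repr(chained_replace("\r\n")))
    print("headers before:", header_names(SAMPLE))
    print("headers after chained replace:", header_names(damaged))
    print("single pass leaves a clean message unchanged:",
          normalise_crlf(SAMPLE) == SAMPLE)
```

A client that treats the stray CRs and LFs as line breaks sees the header block end after the first field, while a more lenient client may still render the message.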
Re: lottery spam as .doc files
On Wed, 08 Aug 2007 17:59:41 +0100, Martin.Hepworth [EMAIL PROTECTED] wrote: It's huge 660KB for the attachments... I'll dig out a place to drop it to.. I did wonder when the size trump card was gonna get played with SA. I guess it's now. Here's hoping the folk at SANE can help - they've done marvels with the pdf problems. Nigel
Problem with 3.2.2 and mail headers in the email
Hi All, This morning I upgraded to 3.2.2 on CentOS 64 via yum. I'm now getting a copy of all email headers inside the body of the email. Everything --lint's clean and apart from this it's working fine. As an example I've copied in a list post below I received since the upgrade. Any help or workaround suggestions would be greatly appreciated. Kind regards Nigel. Spamassassin List wrote: Any idea for qmail? Look on www.qmail.org for links - e.g. Qmail-Scanner allows you the option of generating the bounce - or SMTP-level rejecting it as mentioned in this thread. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 SPAMD/1.1 0 EX_OK Content-length: 3802 X-Spam-RBLReport: dns:spamassassin.apache.org [140.211.11.130] dns:spamassassin.apache.org?type=MX [10 mx1.us.apache.org., 20 mail.apache.org.] dns:2.11.211.140.list.dnswl.org [127.0.4.2] X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on ratsnest.bleh X-Spam-Level: X-Spam-Status: No, score=-200.5 required=5.0 tests=BAYES_99=3.5, DKIM_POLICY_SIGNSOME=0,RCVD_IN_DNSWL_MED=-4,SPF_PASS=-0.001, USER_IN_SPF_WHITELIST=-100,USER_IN_WHITELIST=-100 autolearn=disabled version=3.2.2 Received: from mail.apache.org (hermes.apache.org [140.211.11.2]) by blue-canoe.org.uk (envelope-sender [EMAIL PROTECTED]) with ESMTP (MTSPro MTSSmtp 1.61) for [EMAIL PROTECTED]; Mon, 30 Jul 2007 09:49:03 +0100 Received: (qmail 41753 invoked by uid 500); 30 Jul 2007 08:48:53 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm Precedence: bulk list-help: mailto:[EMAIL PROTECTED] list-unsubscribe: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Id: users.spamassassin.apache.org Delivered-To: mailing list users@spamassassin.apache.org Received: (qmail 41743 invoked by uid 99); 30 Jul 2007 08:48:53 - Received: from Unknown (HELO athena.apache.org) (140.211.11.136) by apache.org 
(qpsmtpd/0.29) with ESMTP; Mon, 30 Jul 2007 01:48:53 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS Received-SPF: pass (athena.apache.org: local policy) Received: from [218.101.54.16] (HELO mailsrv1.trimble.co.nz) (218.101.54.16) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Jul 2007 08:48:43 + Received: (qmail 10376 invoked by uid 502); 30 Jul 2007 20:48:20 +1200 Received: from 10.3.254.3 by mailsrv1.trimble.co.nz (envelope-from [EMAIL PROTECTED], uid 107) with qmail-scanner-2.02 (clamdscan: 0.90.3/3819. trophie: 8.310-1002/623/211940. sophie: 3.06/2.47.0/4.19. spamassassin: 3.2.1. Clear:RC:1(10.3.254.3):SA:0(0.1/5.0):. Processed in 3.957727 secs); 30 Jul 2007 08:48:20 - Received: from webmail.trimble.co.nz (10.3.254.3) by mailsrv1.trimble.co.nz with (DHE-RSA-AES256-SHA encrypted) SMTP; 30 Jul 2007 20:48:16 +1200 Received: (qmail 12405 invoked from network); 30 Jul 2007 20:48:16 +1200 Received: from unknown (HELO tnz-jhaar-lt.ap.trimblecorp.net) (222.154.246.214) by webmail.trimble.co.nz with (DHE-RSA-AES256-SHA encrypted) SMTP (cert [EMAIL PROTECTED]); 30 Jul 2007 20:48:16 +1200 Message-ID: [EMAIL PROTECTED] Date: Mon, 30 Jul 2007 20:48:10 +1200 From: Jason Haar [EMAIL PROTECTED] Organization: Trimble Navigation Ltd. User-Agent: Thunderbird 2.0.0.5 (X11/20070719) MIME-Version: 1.0 To: users@spamassassin.apache.org Subject: Re: How would you provide a 554 rejection notice for spam? References: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Old-Spam-Status: No, score=0.1 required=5.0 X-Abuse-Report-URL: http://www.blue-canoe.net/abuse X-Envelope-Sender: [EMAIL PROTECTED] X-Envelope-Receiver: [EMAIL PROTECTED] Spamassassin List wrote: Any idea for qmail? Look on www.qmail.org for links - e.g. 
Qmail-Scanner allows you the option of generating the bounce - or SMTP-level rejecting it as mentioned in this thread. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 SPAMD/1.1 0 EX_OK Content-length: 3802 X-Spam-RBLReport: dns:spamassassin.apache.org [140.211.11.130] dns:spamassassin.apache.org?type=MX [10 mx1.us.apache.org., 20 mail.apache.org.] dns:2.11.211.140.list.dnswl.org [127.0.4.2] X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on ratsnest.bleh X-Spam-Level: X-Spam-Status: No, score=-200.5 required=5.0 tests=BAYES_99=3.5, DKIM_POLICY_SIGNSOME=0,RCVD_IN_DNSWL_MED=-4,SPF_PASS=-0.001, USER_IN_SPF_WHITELIST=-100,USER_IN_WHITELIST=-100 autolearn=disabled version=3.2.2 Received: from mail.apache.org (hermes.apache.org [140.211.11.2]) by blue-canoe.org.uk (envelope-sender [EMAIL
Re: Problem with 3.2.2 and mail headers in the email
I'm top posting this since bottom posting is pointless. As far as I can tell each mail is being dealt with twice. I'm really unsure what to do; whether my mailserver is the problem or SA. Or, more accurately, what change in the way SA handles headers has caused this problem to appear on my server now (I'm assuming it's idiosyncratic to my server since the list isn't deluged with HELP messages). I tried dropping back to 3.2.1 but couldn't find a port for it anywhere. I'll keep digging and see if I can find one since that didn't exhibit this issue with my server. Any help at all would be massively appreciated since I have a good few customers who are a tad concerned (not least of which being me). I did manage to pull a 3.1.9 version to test but that pretty much 'blew up' and refused to accept any connections at all even though it --lint's clean. I really am at a loss and desperately in need of some advice. If you look at the stuff below this bit you'll see pretty clearly the problem I've got. If the dev's need to see raw messages (before SA gets them, let me know) TIA Nigel On Mon, 30 Jul 2007 11:56:53 +0100, Nigel Frankcom [EMAIL PROTECTED] wrote: Hi All, This morning I upgraded to 3.2.2 on CentOS 64 via yum. I'm now getting a copy of all email headers inside the body of the email. Everything --lint's clean and apart from this it's working fine. As an example I've copied in a list post below I received since the upgrade. Any help or workaround suggestions would be greatly appreciated. Kind regards Nigel. Spamassassin List wrote: Any idea for qmail? Look on www.qmail.org for links - e.g. Qmail-Scanner allows you the option of generating the bounce - or SMTP-level rejecting it as mentioned in this thread. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. 
Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 SPAMD/1.1 0 EX_OK Content-length: 3802 X-Spam-RBLReport: dns:spamassassin.apache.org [140.211.11.130] dns:spamassassin.apache.org?type=MX [10 mx1.us.apache.org., 20 mail.apache.org.] dns:2.11.211.140.list.dnswl.org [127.0.4.2] X-Spam-Checker-Version: SpamAssassin 3.2.2 (2007-07-23) on ratsnest.bleh X-Spam-Level: X-Spam-Status: No, score=-200.5 required=5.0 tests=BAYES_99=3.5, DKIM_POLICY_SIGNSOME=0,RCVD_IN_DNSWL_MED=-4,SPF_PASS=-0.001, USER_IN_SPF_WHITELIST=-100,USER_IN_WHITELIST=-100 autolearn=disabled version=3.2.2 Received: from mail.apache.org (hermes.apache.org [140.211.11.2]) by blue-canoe.org.uk (envelope-sender [EMAIL PROTECTED]) with ESMTP (MTSPro MTSSmtp 1.61) for [EMAIL PROTECTED]; Mon, 30 Jul 2007 09:49:03 +0100 Received: (qmail 41753 invoked by uid 500); 30 Jul 2007 08:48:53 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm Precedence: bulk list-help: mailto:[EMAIL PROTECTED] list-unsubscribe: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Id: users.spamassassin.apache.org Delivered-To: mailing list users@spamassassin.apache.org Received: (qmail 41743 invoked by uid 99); 30 Jul 2007 08:48:53 - Received: from Unknown (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Jul 2007 01:48:53 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS Received-SPF: pass (athena.apache.org: local policy) Received: from [218.101.54.16] (HELO mailsrv1.trimble.co.nz) (218.101.54.16) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Jul 2007 08:48:43 + Received: (qmail 10376 invoked by uid 502); 30 Jul 2007 20:48:20 +1200 Received: from 10.3.254.3 by mailsrv1.trimble.co.nz (envelope-from [EMAIL PROTECTED], uid 107) with qmail-scanner-2.02 (clamdscan: 0.90.3/3819. trophie: 8.310-1002/623/211940. sophie: 3.06/2.47.0/4.19. spamassassin: 3.2.1. 
Clear:RC:1(10.3.254.3):SA:0(0.1/5.0):. Processed in 3.957727 secs); 30 Jul 2007 08:48:20 - Received: from webmail.trimble.co.nz (10.3.254.3) by mailsrv1.trimble.co.nz with (DHE-RSA-AES256-SHA encrypted) SMTP; 30 Jul 2007 20:48:16 +1200 Received: (qmail 12405 invoked from network); 30 Jul 2007 20:48:16 +1200 Received: from unknown (HELO tnz-jhaar-lt.ap.trimblecorp.net) (222.154.246.214) by webmail.trimble.co.nz with (DHE-RSA-AES256-SHA encrypted) SMTP (cert [EMAIL PROTECTED]); 30 Jul 2007 20:48:16 +1200 Message-ID: [EMAIL PROTECTED] Date: Mon, 30 Jul 2007 20:48:10 +1200 From: Jason Haar [EMAIL PROTECTED] Organization: Trimble Navigation Ltd. User-Agent: Thunderbird 2.0.0.5 (X11/20070719) MIME-Version: 1.0 To: users@spamassassin.apache.org Subject: Re: How would you provide a 554 rejection notice for spam? References: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] In-Reply-To: [EMAIL PROTECTED] X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Old-Spam-Status: No, score=0.1 required=5.0 X-Abuse-Report-URL: http://www.blue
Re: Problem with 3.2.2 and mail headers in the email
Hi Justin, Just a note to say I *think* your mods have worked... they're currently running on a backup SA server and appear to be behaving as expected. I'm including the off list posts below so any others that hit this problem stand a chance of getting an answer. Again, many, many thanks for your time and patience. Apologies to all for top posting. Best to all Nigel yep, unfortunately it'd take a manual build. if you're not comfortable doing that already, it may not be a good idea to start now, it can be a little tricky to get the hang of. :( If you want to give it a try anyway, it goes like this:
wget http://.../Mail-SpamAssassin-3.2.2.tar.gz
tar xvfz Mail-SpamAssassin-3.2.2.tar.gz
cd Mail-SpamAssassin-3.2.2
[that patch command]
perl Makefile.PL PREFIX=/usr
make
sudo make install
--j. Nigel Frankcom writes: Ahh - so I'm guessing I need to pull the tar.gz and run a manual build? My install came down from yum so AFAI can see there's no src dir (at least locate Mail-SpamAssassin-3.2.2 came back a blank). My sincere apologies for taking up your time like this. If you are aware of any reference material I can use I'm happy to do that rather than waste more of your time. Kind regards many thanks for your patient help thus far. Nigel On Mon, 30 Jul 2007 16:23:04 +0100, [EMAIL PROTECTED] (Justin Mason) wrote: in the source directory (Mail-SpamAssassin-3.2.2), run
patch -p0 < filename.patch
Just apply the 2nd and 3rd attachment, not the 1st. --j. Nigel Frankcom writes: Please excuse an embarrassingly dumb question, but, how do I apply that patch? I've never applied one to anything before now. Also, do I need to install all 3? Red-faced Nigel On Mon, 30 Jul 2007 15:36:24 +0100, [EMAIL PROTECTED] (Justin Mason) wrote: could you try adding the 3.2.2 patch from http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5574 ? it could be some buggy error-handling code is being triggered. --j. 
On Mon, 30 Jul 2007 15:36:24 +0100, [EMAIL PROTECTED] (Justin Mason) wrote: could you try adding the 3.2.2 patch from http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5574 ? it could be some buggy error-handling code is being triggered. --j. Nigel Frankcom writes: I'm top posting this since bottom posting is pointless. As far as I can tell each mail is being dealt with twice. I'm really unsure what to do; whether my mailserver is the problem or SA. Or, more accurately, what change in the way SA handles headers has caused this problem to appear on my server now (I'm assuming it's idiosyncratic to my server since the list isn't deluged with HELP messages). I tried dropping back to 3.2.1 but couldn't find a port for it anywhere. I'll keep digging and see if I can find one since that didn't exhibit this issue with my server. Any help at all would be massively appreciated since I have a good few customers who are a tad concerned (not least of which being me). I did manage to pull a 3.1.9 version to test but that pretty much 'blew up' and refused to accept any connections at all even though it --lint's clean. I really am at a loss and desperately in need of some advice. If you look at the stuff below this bit you'll see pretty clearly the problem I've got. If the dev's need to see raw messages (before SA gets them, let me know) TIA Nigel On Mon, 30 Jul 2007 11:56:53 +0100, Nigel Frankcom [EMAIL PROTECTED] wrote: Hi All, This morning I upgraded to 3.2.2 on CentOS 64 via yum. I'm now getting a copy of all email headers inside the body of the email. Everything --lint's clean and apart from this it's working fine. As an example I've copied in a list post below I received since the upgrade. Any help or workaround suggestions would be greatly appreciated. Kind regards Nigel.
Re: graphic spam
On Tue, 24 Jul 2007 11:04:23 +0800, Spamassassin List [EMAIL PROTECTED] wrote: Hi, Other than FuzzyOCR, is there other way to filter graphic spams? I had ImageInfo but seem like it is not working. regards LC ClamD with http://www.sanesecurity.co.uk/ work pretty well here. Be sure and read http://www.sanesecurity.co.uk/clamav/usage.htm Hope that helps Kind regards Nigel
Re: graphic spam
On Tue, 24 Jul 2007 11:04:23 +0800, Spamassassin List [EMAIL PROTECTED] wrote: Hi, Other than FuzzyOCR, is there other way to filter graphic spams? I had ImageInfo but seem like it is not working. regards LC PS... also check out ImageInfo.pm http://www.rulesemporium.com/plugins.htm Nigel
Re: migrating from clamav before mta to SA ClamAV plugin experiences
On Mon, 23 Jul 2007 11:08:47 +0200, Matus UHLAR - fantomas [EMAIL PROTECTED] wrote: which MTA are you using? The clamav plugin should reject the e-mail the same way SA plugin does that (with much less CPU time spent) On 22.07.07 15:32, Robert - eLists wrote: Uhlar ... and I thought that spelling my surname in capitals would preserve me from this title ... :) I use qmail-scanner-queue.pl, clamav, spamassassin and qmail I can reject spam over a certain scoring threshold this way, yet I have not figured out a way to just reject email based upon having a virus signature per clamav. what does clamav checking in that scanner do then? It should call clamdscan asap (before SA) and when a virus is found, the mail should be immediately rejected, the same way it's rejected when SA tells so. Umm, I may be missing the point here, but SA doesn't bounce mail, it just scores it. Considering the time that can be taken up with various scans it's not really feasible to hold open the smtp connection that long, so even if it could, bouncing may well not work. You then hit the problem that the chances of the sending address being legit are pretty low. So some poor sod is going to cop umpteen gazzilion bounce messages. I use a simpler solution here. If you send an email that gets tagged as a virus by any of the av scanners your IP address is put into a blocklist for a set period. The thought behind this is that viruses very rarely come in one at a time; if a host is infected it will send again and again. The blocking is done at MTA level. HTH Nigel
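A sketch of the timed blocklist described in the post above: an IP is listed for a set period after a virus verdict, and later connections from it are refused before any scanning happens. This is an added example, not the poster's MTA configuration; the one-hour period, the event tuples and all names are assumptions, and the addresses are documentation ranges.

```python
import ipaddress


class TimedBlocklist:
    """Sender IPs listed for a fixed period after a virus verdict."""

    def __init__(self, block_seconds):
        self.block_seconds = block_seconds
        self._expires = {}  # canonical IP string -> time the listing lapses

    @staticmethod
    def _key(ip):
        # ip_address() raises ValueError on malformed input and gives one
        # canonical text form, so differently written IPv6 forms share a key.
        return str(ipaddress.ip_address(ip))

    def list_ip(self, ip, now):
        self._expires[self._key(ip)] = now + self.block_seconds

    def is_listed(self, ip, now):
        key = self._key(ip)
        expires = self._expires.get(key)
        if expires is None:
            return False
        if now >= expires:
            del self._expires[key]  # the set period is over, drop the entry
            return False
        return True


def replay(events, block_seconds):
    """Run (time, ip, scanner_verdict) events through the MTA-level check."""
    blocklist = TimedBlocklist(block_seconds)
    decisions = []
    for now, ip, verdict in events:
        if blocklist.is_listed(ip, now):
            decisions.append("refused-at-connect")  # never reaches the scanners
        elif verdict == "virus":
            blocklist.list_ip(ip, now)
            decisions.append("listed-after-virus")
        else:
            decisions.append("accepted")
    return decisions


# Constructed events: seconds since start, connecting IP, AV scanner verdict.
EVENTS = [
    (0, "192.0.2.10", "clean"),
    (60, "198.51.100.7", "virus"),
    (120, "198.51.100.7", "virus"),          # infected host sends again
    (180, "192.0.2.10", "clean"),
    (3659, "198.51.100.7", "clean"),         # one second before the listing lapses
    (3660, "198.51.100.7", "virus"),         # listing lapsed, scanned and re-listed
    (3700, "198.51.100.7", "clean"),
    (3800, "2001:DB8::1", "virus"),
    (3900, "2001:db8:0:0:0:0:0:1", "clean"),  # same host, different spelling
]

if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS, 3600)):
        print(event, "->", decision)
```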
Re: migrating from clamav before mta to SA ClamAV plugin experiences
On Mon, 23 Jul 2007 11:32:21 +0200, Matus UHLAR - fantomas [EMAIL PROTECTED] wrote: On 22.07.07 15:32, Robert - eLists wrote: I use qmail-scanner-queue.pl, clamav, spamassassin and qmail I can reject spam over a certain scoring threshold this way, yet I have not figured out a way to just reject email based upon having a virus signature per clamav. On Mon, 23 Jul 2007 11:08:47 +0200, Matus UHLAR - fantomas [EMAIL PROTECTED] wrote: what does clamav checking in that scanner do then? It should call clamdscan asap (before SA) and when a virus is found, the mail should be immediately rejected, the same way it's rejected when SA tells so. On 23.07.07 10:19, Nigel Frankcom wrote: Umm, I may be missing the point here, you seem to be :-) but SA doesn't bounce mail, it just scores it. however according to his information, his qmail queue scanner rejects the mail if it's spam, but not if it's virus (which is sick and a bug imho) Considering the time that can be taken up with various scans it's not really feasible to hold open the smtp connection that long, should not be a problem if scanning does not count more than ~4 minutes (after 5 minutes many clients close connection and re-try, which results into a multiple mail delivery). I use a simpler solution here. If you send an email that gets tagged as a virus by any of the av scanners your IP address is put into a blocklist for a set period. The thought behind this is that viruses very rarely come in one at a time; if a host is infected it will send again and again. this solution can be done as additional to, but imho should not be done instead of, virus checking. Ahh - it's not unheard of for me to miss the salient points :-) I don't think bouncing spam is such a good idea though, just my opinion, but it rarely originates from wherever it *says* it originates from. As far as AV scanning is concerned here, all mail that gets past the mta gets checked. My mta does various blocks and greylistings based on previous emails sent.
This does throw up a very few fp's but in several years of running clam and 5 years plus of running my other virus scanners it's never happened with a virus. Still, never say never, it's bound to bite me in the ass one day. :-) Kind regards Nigel
Re: Iron Port experiences
On Sun, 15 Jul 2007 20:03:23 -0400, Patrick Sherrill [EMAIL PROTECTED] wrote: Has anyone any Iron Port experiences they could share? We appear to be losing a larger account to Iron Port and am curious regarding their No FP claims. Pat... I'd personally be very dubious of anyone claiming no fp/fn's. I have noted mails with Iron Port headers that have been tagged as (and indeed were) spam. Admittedly, those headers could be forged easily enough. As has been said many times here, there are no perfect answers to spam since any anti spam system needs something to tag off. If Iron Port are making claims like that I'd be inclined to ask them to prove it. They must have some metric they can demonstrate if they are making such a claim. Quite apart from that, if Iron Port were so perfect, there wouldn't be a SpamAssassin list? Just my 2 pence worth. Kind regards Nigel
Re: Iron Port experiences
On Mon, 16 Jul 2007 02:22:40 -0500, Jeff Chan [EMAIL PROTECTED] wrote: Quoting Nigel Frankcom [EMAIL PROTECTED]: Quite apart from that, if Iron Port were so perfect, there wouldn't be a SpamAssassin list? Not quite sure I understand your comments. IronPort is one of many companies that use open source technologies in their products, modifying, adding to, or improving them in various, usually proprietary ways. They leverage open source and enhance it in their own products. Many of these companies also find ways to give back to the open source communities, for example by allowing their employees to work on open source projects on company time. For many it's a two way street. Jeff C. A fair comment Jeff. I wasn't aware that Iron Port gave back. I am aware that some do, however, the original claim of 100% seems unlikely at best. The larger the user base the larger the margin for false positives/negatives? Thanks for correcting me about the positives though, that is one I'd overlooked; I'm sure there are many more. Kind regards Nigel
Re: AWL disabled... maybe not
On Sun, 08 Jul 2007 19:30:29 +0200, Oenus Tech Services [EMAIL PROTECTED] wrote: Hi there! I've always had AWL disabled in my v310.pre file since sa 3.1.7. We recently moved from 3.1.8 to 3.2.1. It still is commented out in the cf file, but I'm getting AWL scores in messages. spamassassin -D --lint shows one line stating the plugin has been loaded. does anyone know why this is happening? does anyone know how to force-disable it? TIA Ignacio Have you checked *all* your .pre files and also any rules? iirc there are some whitelist rules that are on rulesemporium, perhaps you have one installed? HTH Nigel
bayes bayes_sql_override_username
Hi All, Apologies if this has been mentioned and I've missed it, but I noted today that since upgrading from 3.2.0 to 3.2.1 bayes stopped working, or rather, bayes started ignoring the username etc passed from the local.cf. Using bayes_sql_override_username has resolved the issue. My worry is that this is a complete reversal of all previous versions of SA. I am not sure if it's something I've done wrong (entirely possible) or if it's an inherent problem. Either way, for those running 3.2.1 check your bayes stuff. To complicate matters further, it will --lint correctly. I only noticed after a few spam got through and noticed they had no bayes test header. Hope that helps someone else. If I've been a muppet I'm sure someone will let me know soon enough :-D Kind regards Nigel
Re: Patch for rules_du_jour
On Fri, 29 Jun 2007 10:13:24 -0500, Lindsay Haisley [EMAIL PROTECTED] wrote: On Fri, 2007-06-29 at 06:46 -0700, jdow wrote: You will have to wait for up to a day for the Prolexic block to go away. I got blocked for checking out their anti-DDoS measures. The block went away in about 15 minutes. Firstly, thanks for picking up on this. Your (and others') inputs have been invaluable. Secondly, if anyone gets a working version running could they CC me a copy please? :-) Kind regards Nigel
Re: Rulesemporium
On Fri, 29 Jun 2007 16:30:25 +0100, --[ UxBoD ]-- [EMAIL PROTECTED] wrote: Same here :( On Fri, 29 Jun 2007 11:28:51 -0400, Joe Zitnik [EMAIL PROTECTED] wrote: Is it having troubles again? I'm having problems reaching the site. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- --[ UxBoD ]-- // PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED] Is it worth adding mirrors for the rules? I'm more than happy to do so and can probably rope in a few others. I should imagine a fair few others on list would be prepared to act as mirrors too. Just a thought. Kind regards Nigel
Re: Rulesemporium
On Fri, 29 Jun 2007 08:38:48 -0700, Jerry Durand [EMAIL PROTECTED] wrote: On Jun 29, 2007, at 8:30 AM, -- [ UxBoD ] -- wrote: Same here :( He announces a new, super dandy spam killing plugin and you think he wouldn't get a DoS attack? That's what happens when you do good work. :( True - but there's more of us than there are of them. OK, we play catch-up, but the user base is worldwide and there are some very, very sharp people doing the hard work. I guess the best we can do is support them however we can... unless we want to be inundated with spam. Ha! - my stats for year to date run at 82 ish% spam. Since that's spam stopped I reckon SA isn't doing too badly at all - admittedly not as much gets through to SA - a lot is stopped by various 'toys' my MTA has but SA still accounts for a hell of a lot. Even so - life without SA? McDonalds applications anyone? :-D Kind regards Nigel
Re: RulesDuJour lint failed. Updates rolled back.
On Wed, 27 Jun 2007 16:42:39 -0400, Daryl C. W. O'Shea [EMAIL PROTECTED] wrote: Nigel Frankcom wrote: On Wed, 27 Jun 2007 08:48:02 -0400, David Boltz [EMAIL PROTECTED] wrote: I've been getting the lint failures found below on my Rules Du Jour updates for a few weeks now. Yes this would be since the DDoS attacks on rulesemporium. It looks like the same problem people have been having with the tripwire but for me it's the adult and since just recently the spoof rules. The solutions I've seen don't seem to work for me. I see that my cron job (run nightly) is pulling some HTML source instead of the rules. I've tried removing the faulty 70_sare_adult.* from etc/mail/spamassassin/RulesDuJour/ and manually replacing it with the "actual" file using wget. I've even manually updated the used /etc/mail/spamassassin/70_sare_adult.cf to ensure that it was correct. When I use "wget http://rulesemporium.com/rules/70_sare_adult.cf" to grab the file it works without problems. Does anyone have any ideas on how I might fix this problem? snip ***WARNING***: spamassassin --lint failed. Rolling configuration files back, not restarting SpamAssassin. Rollback command is: mv -f /etc/mail/spamassassin/70_sare_adult.cf The quick cure is to delete anything in the /etc/mail/spamassassin/RulesDuJour/ directory and rerun RDJ by hand. That worked for me on CentOS 4.5 The bug has been reported and a fix is due in 3.2.2 I believe. Huh? What's SA have to do with RDJ triggering Prolexic's DoS protection? Daryl is right, there is no fix due in 3.2.2 - I got the RDJ and the sa-update errors confused. I guess maybe I should dye my hair blonde. Apologies for any confusion I've caused. Kind regards Nigel
Re: RulesDuJour lint failed. Updates rolled back.
Daryl is right, there is no fix due in 3.2.2 - I got the RDJ and the sa-update errors confused. I guess maybe I should dye my hair blonde. Apologies for any confusion I've caused. Geez - blonde it is - it's sa-compile not sa-update! I wonder if McDonalds have any jobs going :-/ Kind regards Nigel
Re: RulesDuJour lint failed. Updates rolled back.
On Wed, 27 Jun 2007 08:48:02 -0400, David Boltz [EMAIL PROTECTED] wrote: I've been getting the lint failures found below on my Rules Du Jour updates for a few weeks now. Yes this would be since the DDoS attacks on rulesemporium. It looks like the same problem people have been having with the tripwire but for me it's the adult and since just recently the spoof rules. The solutions I've seen don't seem to work for me. I see that my cron job (run nightly) is pulling some HTML source instead of the rules. I've tried removing the faulty 70_sare_adult.* from etc/mail/spamassassin/RulesDuJour/ and manually replacing it with the "actual" file using wget. I've even manually updated the used /etc/mail/spamassassin/70_sare_adult.cf to ensure that it was correct. When I use "wget http://rulesemporium.com/rules/70_sare_adult.cf" to grab the file it works without problems. Does anyone have any ideas on how I might fix this problem? snip ***WARNING***: spamassassin --lint failed. Rolling configuration files back, not restarting SpamAssassin. Rollback command is: mv -f /etc/mail/spamassassin/70_sare_adult.cf The quick cure is to delete anything in the /etc/mail/spamassassin/RulesDuJour/ directory and rerun RDJ by hand. That worked for me on CentOS 4.5 The bug has been reported and a fix is due in 3.2.2 I believe. Regards Nigel
Re: RulesDuJour lint failed. Updates rolled back.
On Wed, 27 Jun 2007 16:18:28 +0200, Matthias Haegele [EMAIL PROTECTED] wrote: Nigel Frankcom schrieb: On Wed, 27 Jun 2007 08:48:02 -0400, David Boltz [EMAIL PROTECTED] wrote: I've been getting the lint failures found below on my Rules Du Jour updates for a few weeks now. Yes this would be since the DDoS attacks on rulesemporium. It looks like the same problem people have been having with the tripwire but for me it's the adult and since just recently the spoof rules. The solutions I've seen don't seem to work for me. I see that my cron job (run nightly) is pulling some HTML source instead of the rules. I've tried removing the faulty 70_sare_adult.* from etc/mail/spamassassin/RulesDuJour/ and manually replacing it with the "actual" file using wget. I've even manually updated the used /etc/mail/spamassassin/70_sare_adult.cf to ensure that it was correct. When I use "wget http://rulesemporium.com/rules/70_sare_adult.cf" to grab the file it works without problems. Does anyone have any ideas on how I might fix this problem? snip ***WARNING***: spamassassin --lint failed. Rolling configuration files back, not restarting SpamAssassin. Rollback command is: mv -f /etc/mail/spamassassin/70_sare_adult.cf The quick cure is to delete anything in the /etc/mail/spamassassin/RulesDuJour/ directory and rerun RDJ by hand. That works, until the next run, then same error here ... That worked for me on CentOS 4.5 The bug has been reported and a fix is due in 3.2.2 I believe. Regards Nigel I had that a couple of times initially, but repeating the process and since running RDJ manually I haven't had a recurrence. RDJ doesn't change that often and it is no big deal here to add a manual RDJ to my manual morning admin chores (spam checks, logs, updates etc.) KR Nigel
Re: no headers in email despite add_headers option
On Tue, 26 Jun 2007 08:01:46 +0200 (CEST), zbigniew szalbot [EMAIL PROTECTED] wrote: Hello, I am new to SA but hope you will be able to guide me. I have in my local.cf the following line:
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
exim's log shows this:
Jun 26 07:54:23 szalbot spamd[738]: spamd: connection from localhost.homedns.org [127.0.0.1] at port 56486
Jun 26 07:54:23 szalbot spamd[738]: spamd: setuid to spamd succeeded
Jun 26 07:54:23 szalbot spamd[738]: spamd: checking message [EMAIL PROTECTED] for spamd:58
Jun 26 07:54:28 szalbot spamd[738]: spamd: clean message (0.0/5.0) for spamd:58 in 5.4 seconds, 47392 bytes.
Jun 26 07:54:28 szalbot spamd[738]: spamd: result: . 0 - HTML_MESSAGE,SPF_PASS scantime=5.4,size=47392,user=spamd,uid=58,required_score=5.0,rhost=localhost.homedns.org,raddr=127.0.0.1,rport=56486,mid=[EMAIL PROTECTED],autolearn=ham
and yet SA does not add any headers to the emails. What am I missing? Thank you in advance! Zbignie Szalbot
I have the following that does show headers. I don't know if exim will be suppressing them on your setup.
required_score 5
rbl_timeout 15
rewrite_header subject [SPAM]
fold_headers 1
skip_rbl_checks 0
report_safe 1
dns_available yes
#Headers
add_header spam Flag _YESNOCAPS_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ autolearn=_AUTOLEARN_ version=_VERSION_
add_header all Level _STARS(*)_
add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
add_header all RBLReport _RBL_
HTH Nigel
Re: training SA
On Wed, 27 Jun 2007 07:35:01 +0200 (CEST), zigniew szalbot [EMAIL PROTECTED] wrote: Hello, I tried to learn SA and used the following syntax: sa-learn --spam -f /usr/home/zbyszek/june.txt archive-iterator: unable to open Dear Valued Customer,: No such file or directory june.txt is a spam email message downloaded from squirrelmail for the purpose of feeding to SA. I only got unable to open message. And at the end: Learned tokens from 0 message(s) (0 message(s) examined) I guess I made a mistake with the syntax but how should I change it so that I can train SA? Hi, Have you double checked the path for typos? Also, you may well need the -u switch. I use: sa-learn --spam -u sauser /downloads/spam mv -f /downloads/spam/*.Mail /downloads/spam/fn The last bit mv -f /downloads/spam/*.Mail /downloads/spam/fn is just copying the file to a dir so I can track what's been trained and is probably surplus to your requirements. I have mine as a script so I just call ./ham or ./spam as required. HTH Nigel
Re: Setup SA to use mysql DB
S'cuse the top post but If you're going to the trouble of tarball -- RPM, why not just do yum install spamassassin? KR Nigel On Fri, 22 Jun 2007 10:11:14 -0500, Jonn R Taylor [EMAIL PROTECTED] wrote: What version of SA? When you built SA from a tarball you did rpmbuild -tb Mail-SpamAssassin-3.2.1.tar.gz. You may want to rebuild SA from source and then do a rpm -Uvh to install. Jonn -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, June 22, 2007 9:25 AM To: users@spamassassin.apache.org Subject: RE: Setup SA to use mysql DB Jonn R Taylor wrote: Verify that you do not have 2 versions of perl installed and that part of your SA install did not go in the wrong version. What OS and how did you build SA? Jonn -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, June 22, 2007 8:22 AM To: users@spamassassin.apache.org Subject: RE: Setup SA to use mysql DB Jonn R Taylor wrote: This is what I use and it has been working for the last 3 years.
# MySQL Setup
use_razor2 1
use_bayes_rules 1
allow_user_rules 1
use_auto_whitelist 1
user_scores_dsn DBI:mysql:spamassassin:127.0.0.1
user_scores_sql_username x
user_scores_sql_password x
bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn DBI:mysql:spamassassin:127.0.0.1
bayes_sql_username x
bayes_sql_password x
bayes_sql_override_username @GLOBAL
auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn DBI:mysql:spamassassin:127.0.0.1
user_awl_sql_username x
user_awl_sql_password x
Jonn -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, June 21, 2007 2:23 PM To: users@spamassassin.apache.org Subject: Setup SA to use mysql DB OK, i have gotten a little further after searching some other email.
This is what i get when i run spamassassin --lint [3069] warn: config: failed to parse line, skipping: bayes_store_dsn DBI:mysql:sadb:Spamassassin Can't locate Mail/Spamassassin/BayesStore/MySQL.pm in @INC (@INC contains: lib /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/5.8.3/i586-linux-thread-multi /usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.3/i586-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl) at (eval 2266) line 2. This is what my local.cf looks like: bayes_store_dsnDBI:mysql:sadb:Spamassassin*what does this signify? Can someone break this line down? bayes_sql_username nameis this the user of the mysql DB? bayes_sql_password passwordis this the password for the user of the mysql DB? bayes_sql_override_username vscan*is this suppose to be here? bayes_store_module Mail::Spamassassin::BayesStore::MySQL OK, it seems i have the MySQL.pm missing. But when i search for that pm on the spamassassin apache site, no go. I do see the DBI pm and have installed that thinking it may have taken the place of mysql.pm but i still get the same error when running spamassassin --lint. You do need the mysql.pm, right? The doco seems a little sparse when it comes to getting this to work. Chris We use perl 5.8.3 and SLES9. As far as i can remember, SA was installed with an rpm that was built from tarball?
Re: Fwd: RulesDuJour Run Summary on taz5.fiberhosting.net
On Thu, 21 Jun 2007 03:07:52 -0400, Phil Barnett [EMAIL PROTECTED] wrote: Is anyone else getting these failed messages on their tripwire.cf updates? I've been getting this message for several days now. It looks to me like the new tripwire.cf is very broken. -- Forwarded Message -- Subject: RulesDuJour Run Summary on taz5.fiberhosting.net Date: Thursday 21 June 2007 02:26 From: To: RulesDuJour Run Summary on taz5.fiberhosting.net: TripWire has changed on taz5.fiberhosting.net. Version line: ***WARNING***: spamassassin --lint failed. Rolling configuration files back, not restarting SpamAssassin. Rollback command is: mv -f /usr/share/spamassassin/tripwire.cf /usr/share/spamassassin/RulesDuJour/99_ --- FVGT_Tripwire.cf.2; mv -f /usr/share/spamassassin/RulesDuJour/tripwire.cf.20070621-0225 /usr/share/spamassassin/tripwire.cf; Lint output: [24363] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0.1 [24363] warn: config: failed to parse line, skipping: META HTTP-EQUIV=Pragma CONTENT=no-cache [24363] warn: config: failed to parse line, skipping: META HTTP-EQUIV=Expires CONTENT=-1 [24363] warn: config: failed to parse line, skipping: /HEAD/HTML [24363] warn: lint: 4 issues detected, please rerun with debug enabled for more information I've been getting the same for weeks. I ended up manually updating rules; especially the stock one since more and more seem to be slipping through. The problems seemed to start after the DDoS on rulesemporium; since then I've not been able to get any sense out of it via RDJ. When I manually update it all lint's clean. Time consuming but it works Hope that helps Nigel
Re: Fwd: RulesDuJour Run Summary on taz5.fiberhosting.net
On Thu, 21 Jun 2007 03:30:00 -0400, Daryl C. W. O'Shea [EMAIL PROTECTED] wrote: Nigel Frankcom wrote: I've been getting the same for weeks. I ended up manually updating rules; especially the stock one since more and more seem to be slipping through. The problems seemed to start after the DDoS on rulesemporium; since then I've not been able to get any sense out of it via RDJ. When I manually update it all lint's clean. Time consuming but it works Note that there haven't been any updates to 70_sare_stocks.cf since May 7th and no updates at all since June 5th, so manual updates probably aren't worth the bother. Daryl [EMAIL PROTECTED] channels]$ ls -l | grep -P May|Jun drwxrwxr-x 2 dos dos 4096 May 21 10:14 70_sare_adult.cf drwxrwxr-x 2 dos dos 4096 Jun 5 11:14 70_sare_obfu.cf drwxrwxr-x 2 dos dos 4096 Jun 4 21:14 70_sare_obfu0.cf drwxrwxr-x 2 dos dos 4096 Jun 4 21:14 70_sare_obfu1.cf drwxrwxr-x 2 dos dos 4096 May 7 00:24 70_sare_stocks.cf drwxrwxr-x 2 dos dos 12288 May 24 12:14 70_sc_top200.cf drwxrwxr-x 2 dos dos 4096 May 21 10:14 72_sare_bml_post25x.cf [EMAIL PROTECTED] channels]$ It's good to know there's been no updates; though I'd guessed that from the file time stamps on rulesemporium. There still seems to be a problem with RDJ though. It looks like it's pulling an entire page not just rules; I can't see any other reason for the table etc elements in the debug. I'm still curious as to why so many stock spam are getting through (so many being relative to normal). On the surface they don't look any different from those that have been caught for ages. Samples available if required. Kind regards Nigel
Re: Fwd: RulesDuJour Run Summary on taz5.fiberhosting.net
On Thu, 21 Jun 2007 09:38:03 +0200, Matthias Keller [EMAIL PROTECTED] wrote: Nigel Frankcom wrote: On Thu, 21 Jun 2007 03:07:52 -0400, Phil Barnett [EMAIL PROTECTED] wrote: Is anyone else getting these failed messages on their tripwire.cf updates? I've been getting this message for several days now. It looks to me like the new tripwire.cf is very broken. -- Forwarded Message -- Subject: RulesDuJour Run Summary on taz5.fiberhosting.net Date: Thursday 21 June 2007 02:26 From: To: RulesDuJour Run Summary on taz5.fiberhosting.net: TripWire has changed on taz5.fiberhosting.net. Version line: ***WARNING***: spamassassin --lint failed. Rolling configuration files back, not restarting SpamAssassin. Rollback command is: mv -f /usr/share/spamassassin/tripwire.cf /usr/share/spamassassin/RulesDuJour/99_ --- FVGT_Tripwire.cf.2; mv -f /usr/share/spamassassin/RulesDuJour/tripwire.cf.20070621-0225 /usr/share/spamassassin/tripwire.cf; Lint output: [24363] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0.1 [24363] warn: config: failed to parse line, skipping: META HTTP-EQUIV=Pragma CONTENT=no-cache [24363] warn: config: failed to parse line, skipping: META HTTP-EQUIV=Expires CONTENT=-1 [24363] warn: config: failed to parse line, skipping: /HEAD/HTML [24363] warn: lint: 4 issues detected, please rerun with debug enabled for more information I've been getting the same for weeks. I ended up manually updating rules; especially the stock one since more and more seem to be slipping through. The problems seemed to start after the DDoS on rulesemporium; since then I've not been able to get any sense out of it via RDJ. When I manually update it all lint's clean. 
Time consuming but it works Just try to delete the downloaded files in your rules_du_jour folder (for example /etc/mail/spamassassin/rules_du_jour/* ), respectively just the rule(s) that go wrong. It then redownloads the rules correctly and you're clear to go with RDJ again Matt Give that man a cigar! Seemed to work OK. Thanks Matt. Kind regards Nigel
Question about sa-compile
Hi All, Whenever I run sa-compile I get the following... body_0.xs: In function `XS_Mail__SpamAssassin__CompiledRegexps__body_0_scan': body_0.xs:43: warning: ISO C90 forbids mixed declarations and code body_0.xs:51: warning: ISO C90 forbids mixed declarations and code body_0.xs:59: warning: ISO C90 forbids mixed declarations and code body_0.xs:67: warning: ISO C90 forbids mixed declarations and code body_0.xs:75: warning: ISO C90 forbids mixed declarations and code body_0.xs:83: warning: ISO C90 forbids mixed declarations and code body_0.xs:91: warning: ISO C90 forbids mixed declarations and code body_0.xs:99: warning: ISO C90 forbids mixed declarations and code body_0.xs:107: warning: ISO C90 forbids mixed declarations and code If anyone has the time and or inclination could they tell me what may be amiss and what the message actually means? My assumption is that one of my stock rules has something awry, though which one I've no idea. I'm guessing based on previous posts that this is to do with perl, I'm running 5.8.8 and all modules are up to date (I think). A clue as to how to track down which rule/s may be causing this would be equally appreciated. All help gratefully received. All the best Nigel
RDJ Continued
Hi All, Apologies if this has been posted under another thread. If so can someone point me to it? As per recent instructions I'm running RDJ manually and getting this: Lint output: [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: html [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: head [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: titleError - Prolexic/title [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: style [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: td { [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: font-family: arial, sans-serif, verdana; [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: font-size: 19px; [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: } [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: a:visited {color: navy; } [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: .errorTable [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: { [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: border: 1px solid [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: background-color: [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: background-repeat: no-repeat; [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: } [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: /style [27805] warn: config: 
failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: /head [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: body bgcolor= [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: table class=errorTable width=80% height=20% valign=center align=center cellpadding=15 cellspacing=5 [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: tr [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: td valign=top align=center width=70% height=10% style=font-size: 40px; font-weight: bold; [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: brSite Temporarily Unavailable. [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: /td [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: /tr [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: tr [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: td valign=top [27805] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_adult.cf: Sorry, the site you requested is currently unavailable. It will be avaiable as soon as possible. Please try again later. Any suggestions bar 'bury head in sand'? As an aside I noted Mail::SPF was missing when I did --lint -D, I could have sworn I installed that. It's certainly ticked off on my checklist. Anyone got an idea why that might 'disappear off the radar'? I had similar with Encode::Detect, though that wasn't on my checklist I do *seem* to recall installing it because I had to do it through yum, cpan blew a raspberry at it. Same again this time... cpan didn't want to know but yum installed it OK. KR Nigel
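The failure reported in these threads, where a Prolexic HTML error page gets saved under a .cf name and lint keeps failing until the cached copy is deleted, can be caught before the file is installed. The script below is an added example, not part of RulesDuJour or SpamAssassin; the function names and the heuristic (no line starting with an HTML tag, at least one rule directive) are assumptions.

```shell
#!/bin/sh
# Added example, not RulesDuJour's own code. Function names are hypothetical.
# Goal: never let an HTML error page replace a live SpamAssassin ruleset,
# and clear poisoned copies out of the download cache.

# looks_like_ruleset FILE
# Succeeds only if FILE plausibly holds SpamAssassin rules:
#   1. it exists and is non-empty,
#   2. no line starts with an HTML/XML tag (a .cf directive never does;
#      a '<' inside a rule's regex is fine because the line starts with
#      the directive name),
#   3. at least one line is a rule, score or whitelist directive.
looks_like_ruleset() {
    [ -s "$1" ] || return 1
    if grep -Eq '^[[:space:]]*</?[A-Za-z!]' "$1"; then
        return 1
    fi
    grep -Eq '^[[:space:]]*(header|body|rawbody|full|uri|meta|score|describe|(def_)?whitelist_[a-z_]+)[[:space:]]+[^[:space:]]' "$1"
}

# install_ruleset NEW DEST
# Replace DEST with NEW only when NEW passes the check. On failure DEST is
# left untouched, so the last good ruleset stays active.
# spamassassin --lint should still be run afterwards as the final check.
install_ruleset() {
    if ! looks_like_ruleset "$1"; then
        echo "rejecting $1: does not look like a SpamAssassin ruleset" >&2
        return 1
    fi
    # Copy to a temporary name first so DEST is swapped in one rename.
    cp -f -- "$1" "$2.tmp.$$" && mv -f -- "$2.tmp.$$" "$2"
}

# purge_bad_cache DIR
# Delete only those cached downloads in DIR that fail the check, so the
# next run fetches them again, and print the names that were removed.
purge_bad_cache() {
    for f in "$1"/*.cf*; do
        [ -e "$f" ] || continue
        if ! looks_like_ruleset "$f"; then
            rm -f -- "$f"
            printf '%s\n' "${f##*/}"
        fi
    done
}
```

Calling purge_bad_cache on the RulesDuJour cache directory before each run, and install_ruleset in place of a plain copy, keeps a temporary block on the download site from rolling into the live configuration.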
Re: www.uribl.com
On Thu, 7 Jun 2007 10:33:15 +0100, Randal, Phil [EMAIL PROTECTED] wrote: www.rulesemporium.com isn't happy either :-( Cheers, Phil Yeah - I got this earlier The following rules had errors: TripWire had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE Adult Content Ruleset had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE Fraud Detection Ruleset (for SA ver. 2.5x and greater) had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE BIZ/Marketing/Learning Ruleset (for SA ver. 2.5x and greater) had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE Obfuscation catching Ruleset (both sets 0 and 1) had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE URI Ruleset (set 0 -- hits mostly spam) had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE Whitelist Ruleset (for SA 3.10 and up with SPF enabled) had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE Whitelist Ruleset (for SA 3.10 and up with network tests) had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE Stocks Ruleset) had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000 SARE General Subject Ruleset (set 0 -- hits mostly spam) had an unknown error: curl exit code: 7 curl: (7) couldn't connect 000
Re: Difficulty trying to create a rule
On Thu, 7 Jun 2007 12:11:11 -0400, D.J. [EMAIL PROTECTED] wrote: Hello all! I've tried and tried, and can't get a rule I've handwritten to work. Hopefully you all can help. I've got a user using Alltel's picture messaging that keeps getting whacked every time he sends a message. It consistently scores about a 12.3 with my setup, where a 10 will get you dumped. My only solution is to create a rule to specifically allow the Alltel address. I know that a valid address will always be a ten digit number followed by @mms.alltel.com, so I created the following rule in local.cf:
header Alltel_Pics From =~ /[EMAIL PROTECTED]/
describe Alltel_Pics Fixing Alltel's Picture Mail
score Alltel_Pics -100
However, they are still getting whacked. I hesitate to use whitelist_from [EMAIL PROTECTED], because then any address there will work and I'll be open to a lot of spam. At least if they have to hit a ten digit number, it will be less. What am I doing wrong with the rule? Thanks in advance everyone! - D.J. If it's a single user why not: whitelist_from [EMAIL PROTECTED] Nigel
Re: A bit off topic for spamassassin but whats up with rulesemporium.com?
On Thu, 07 Jun 2007 19:26:59 +0200, arni [EMAIL PROTECTED] wrote:

Kevin W. Gagel wrote: I'm not able to get to www.rulesemporium.com, what's up there? Any one know?

Do you read also or just write?

rulesemporium is under suspected DDOD. They have requested that all users suspend automated downloads until further notice. KR Nigel
Re: A bit off topic for spamassassin but whats up with rulesemporium.com?
On Thu, 07 Jun 2007 18:41:49 +0100, Nigel Frankcom [EMAIL PROTECTED] wrote:

On Thu, 07 Jun 2007 19:26:59 +0200, arni [EMAIL PROTECTED] wrote:

Kevin W. Gagel wrote: I'm not able to get to www.rulesemporium.com, what's up there? Any one know?

Do you read also or just write?

rulesemporium is under suspected DDOD. They have requested that all users suspend automated downloads until further notice. KR Nigel

That would be DDOS it's been a long day
Re: www.uribl.com
On Wed, 6 Jun 2007 20:07:20 +0200 (CEST), Raymond Dijkxhoorn [EMAIL PROTECTED] wrote:

Hi!

Anyone else having trouble getting to uribl ? www not coming up. I hope we aren't seeing another anti-spam casualty. :-(

I unplugged the server so I could play Forza 2 on the 360 at work. I'll plug it back in after this endurance race. :)

I'm kidding... I'll prbly keep playing after this race. ;)

Ok. Plug in surbl also while it seems to race along ;)

A couple of my locally hosted domains have been hammered the last couple of days in the region of 500+% increase in what appears to be a dictionary attack. Since my servers only accept incoming for valid users it's been annoying rather than crippling.

I'd strongly suggest that anyone fool enough to have catch-all accounts disable them. I had one domain with that enabled (an oversight) and it logged 14k+ hits in 5 hours.

URIBL was running very slow so I assume I wasn't the only one getting hit. On an odd note my local.cf has a timeout of 10 seconds, but I saw many scans hitting 40+ seconds.

Anyway, point being - watch those catch-alls. Hope that helps somebody

Kind regards Nigel
sa-compile
Hi All, This may well have been covered before, if so my apologies and can someone point me to the relevant thread. Is there anything to be concerned about with this lot? In particular the body_0.xs:43: warning: ISO C90 forbids mixed declarations and code lines

[EMAIL PROTECTED] ~]# sa-compile
[13273] info: zoom: able to use 477/477 'body_0' compiled rules (100%)
[13273] info: generic: base extraction starting. this can take a while...
[13273] info: generic: extracting from rules of type body_0
100% [=] 86.02 rules/sec 00m13s DONE
100% [=] 61.92 bases/sec 00m34s DONE
[13273] info: body_0: 1631 base strings extracted in 48 seconds
[13273] info: rules: meta test HS_PHARMA_1 has dependency 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
cd /tmp/.spamassassin13273KGsGSotmp
cd Mail-SpamAssassin-CompiledRegexps-body_0
re2c -i -b -o scanner1.c scanner1.re
re2c -i -b -o scanner2.c scanner2.re
re2c -i -b -o scanner3.c scanner3.re
re2c -i -b -o scanner4.c scanner4.re
re2c -i -b -o scanner5.c scanner5.re
re2c -i -b -o scanner6.c scanner6.re
re2c -i -b -o scanner7.c scanner7.re
re2c -i -b -o scanner8.c scanner8.re
re2c -i -b -o scanner9.c scanner9.re
/usr/bin/perl Makefile.PL PREFIX=/tmp/.spamassassin13273KGsGSotmp/ignored INSTALLSITEARCH=/var/lib/spamassassin/compiled/3.002000
Writing Makefile for Mail::SpamAssassin::CompiledRegexps::body_0
make
cp body_0.pm blib/lib/Mail/SpamAssassin/CompiledRegexps/body_0.pm
/usr/bin/perl /usr/lib/perl5/5.8.8/ExtUtils/xsubpp -typemap /usr/lib/perl5/5.8.8/ExtUtils/typemap body_0.xs body_0.xsc
mv body_0.xsc body_0.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -DVERSION=\1.0\ -DXS_VERSION=\1.0\ -fPIC -I/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE body_0.c
body_0.xs: In function `XS_Mail__SpamAssassin__CompiledRegexps__body_0_scan':
body_0.xs:43: warning: ISO C90 forbids mixed declarations and code
body_0.xs:51: warning: ISO C90 forbids mixed declarations and code
body_0.xs:59: warning: ISO C90 forbids mixed declarations and code
body_0.xs:67: warning: ISO C90 forbids mixed declarations and code
body_0.xs:75: warning: ISO C90 forbids mixed declarations and code
body_0.xs:83: warning: ISO C90 forbids mixed declarations and code
body_0.xs:91: warning: ISO C90 forbids mixed declarations and code
body_0.xs:99: warning: ISO C90 forbids mixed declarations and code
body_0.xs:107: warning: ISO C90 forbids mixed declarations and code
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -DVERSION=\1.0\ -DXS_VERSION=\1.0\ -fPIC -I/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE scanner1.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -DVERSION=\1.0\ -DXS_VERSION=\1.0\ -fPIC -I/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE scanner2.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -DVERSION=\1.0\ -DXS_VERSION=\1.0\ -fPIC -I/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE scanner3.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -DVERSION=\1.0\ -DXS_VERSION=\1.0\ -fPIC -I/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE scanner4.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -DVERSION=\1.0\ -DXS_VERSION=\1.0\ -fPIC -I/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE scanner5.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -DVERSION=\1.0\ -DXS_VERSION=\1.0\ -fPIC -I/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE scanner6.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -DVERSION=\1.0\ -DXS_VERSION=\1.0\ -fPIC -I/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE scanner7.c
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include
Re: sa-compile
Thanks Justin. Been a tad manic here and I've not kept up with the lists lately. Kind regards Nigel On Wed, 30 May 2007 19:02:58 +0100, [EMAIL PROTECTED] (Justin Mason) wrote: Nigel Frankcom writes: Hi All, This may well have been covered before, if so my apologies and can someone point me to the relevant thread. Is there anything to be concerned about with this lot? In particular the body_0.xs:43: warning: ISO C90 forbids mixed declarations and code lines nope, that seems fine. We will be fixing those anyway, but they're harmless in this case. --j.