Re: Advice

2012-07-05 Thread Randy Ramsdell

On 07/03/2012 12:51 PM, Bowie Bailey wrote:

On 7/3/2012 12:25 PM, Kevin A. McGrail wrote:

On 7/3/2012 12:19 PM, Robert Fitzpatrick wrote:

Looking for some advice, hope it's OK to ask here. I have a few
customers over the past several months start getting an unusual amount
of messages being blocked or returned when sending via our SMTP servers.
I have checked that none of our servers are listed on any databases, but
after some querying of the customers involved, I have found that they
all have recently been sending mailing to their customer lists. Even
though all of them assure me that these lists are only of the opt-in
variety, it is the only thing they all have in common and seems to be
the problem.

I have also noticed that every time one of these mailings is sent with
several AOL users, our servers will be temporarily blocked. Are there
some precautions I should take to possible get their mails trusted? Any
other advice?



I would likely look at setting up feedback loops for Spam complaints
such as:

http://postmaster.aol.com/Postmaster.FeedbackLoop.php

I've had this set up for a while.  I find the emails they send to be
almost useless.  I don't know if there is any benefit to simply being
signed up.

You get emails that basically say, someone thinks your email is junk,
but we're not going to tell you who.  And they obfuscate the email
addresses in the attached email.  So unless you have something else in
the email to tell you who the recipient was, you can't even take the
person off your list.

They always redact the email address, so you have to tag a unique ID for
that customer. In addition, once you are on the feedback list, then
apply for the whitelist.


Help blocking this type of spam

2011-09-13 Thread Randy Ramsdell
Each message uses a different server with different server name and I 
see no patterns except the style.


http://pastebin.com/sJp7Gb75

Thanks,
RRCR


Re: Help blocking this type of spam

2011-09-13 Thread Randy Ramsdell

On 09/13/11 10:08, Martin Gregorie wrote:

On Tue, 2011-09-13 at 09:48 -0400, Randy Ramsdell wrote:

Each message uses a different server with different server name and I
see no patterns except the style.

http://pastebin.com/sJp7Gb75


That scored around 12.6 here and all from the standard SA 3.3.2 ruleset.
However, quite a bit of the score was from blacklists.

Martin


It scored 3+ here, using 3.2.5 (openSUSE patched). I am looking for
some way to score this higher on our setup. Maybe posting your rule hits
would help.


Thanks,
RCR


Re: Help blocking this type of spam

2011-09-13 Thread Randy Ramsdell

On 09/13/11 10:27, Stefan König wrote:


Randy Ramsdell wrote:

On 09/13/11 10:08, Martin Gregorie wrote:

On Tue, 2011-09-13 at 09:48 -0400, Randy Ramsdell wrote:

Each message uses a different server with different server name and I
see no patterns except the style.

http://pastebin.com/sJp7Gb75


That scored around 12.6 here and all from the standard SA 3.3.2 ruleset.
However, quite a bit of the score was from blacklists.

Martin



It scored 3+ here, using 3.2.5 (openSUSE patched). I am looking
for some way to score this higher on our setup. Maybe posting your
rule hits would help.

Thanks,
RCR


I ran it through my SA servers and it hit these rules:

17.9/5.0
Score:  17.9
Required:   5.0
Tests:
BAYES_80,DG_SPAMMER_EMAIL_F,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_BRBL_LASTEXT,RDNS_NONE,TO_MALFORMED,TO_NO_BRKTS_NORDNS,T_REMOTE_IMAGE,URIBL_DBL_SPAM,URIBL_WS_SURBL

  2.1 TO_MALFORMED   To: has a malformed address
  2.6 DG_SPAMMER_EMAIL_F DG_SPAMMER_EMAIL_F
  1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
 [184.171.166.16 listed in
bb.barracudacentral.org]
  2.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 [URIs: lbethity.com]
  1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
 [URIs: lbethity.com]
  5.5 BAYES_80   BODY: Bayes spam probability is 80 to 95%
 [score: 0.8623]
  0.4 MIME_HTML_MOSTLY   BODY: Multipart message mostly text/html MIME
  0.0 HTML_MESSAGE   BODY: HTML included in message
  0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
  0.8 RDNS_NONE  Delivered to internal network by a host with
no rDNS
  0.0 T_REMOTE_IMAGE Message contains an external image
  0.0 TO_NO_BRKTS_NORDNS To: misformatted and no rDNS


Hope this helps.

bye
SK

Your BAYES_80 is really high scoring. Did you change that?

RCR


Re: join

2011-06-30 Thread Randy Ramsdell

Max Dunlap wrote:

Haha, I'm sorry I accidentally sent a message. But while I'm at it, I was
going to ask a question.
I just set up a healthy postfix server on ubuntu, I've been looking at the
wiki and I'm not sure which way is the best to get myself setup with SA. My
old method doesn't work anymore, the wiki says it causes backscatter and is
no longer supported. I was looking into using spampd.
http://wiki.apache.org/spamassassin/IntegratePostfixViaSpampd

or am I just making this too hard for myself? Help would be appreciated.

On Thu, 2011-06-30 at 19:31 +0200, Benny Pedersen wrote:


On Thu, 30 Jun 2011 12:28:20 -0500, Max Dunlap wrote:

join

the fun ?






* You have to configure postfix to send to the spamassassin daemon.
* Then configure a way for spamassassin to send back to postfix.

Postfix can be configured in master.cf for what it listens on, and in
main.cf you configure the content_filter.


main.cf : configure the content filter (what ip:port spamassassin
listens on for incoming).


master.cf : set up the port postfix listens on for the spamassassin return
connection.




Re: Irony

2011-02-01 Thread Randy Ramsdell

David F. Skoll wrote:

On Tue, 01 Feb 2011 07:30:19 -0700
Danita Zanre dan...@caledonia.net wrote:


Messages from this list have been bouncing since I started enforcing
Reverse DNS lookups on my server.


The irony is that you think that's a good idea.

-- David.


Not sure. If our mail servers did not have reverse, we would be rejected 
all over the place. Seems like a common setting. Or is it?


RCR


Re: Irony

2011-02-01 Thread Randy Ramsdell

David F. Skoll wrote:

On Tue, 01 Feb 2011 09:43:40 -0500
Randy Ramsdell rramsd...@activedg.com wrote:


Not sure. If our mail servers did not have reverse, we would be
rejected all over the place. Seems like a common setting. Or is it?


Microsoft Windows is very common, but that doesn't make it a good idea.

We add a small score [1.2 points, to be precise] for sending relays that
lack reverse-DNS.  I can guarantee we'd get a high number of false-positives
if we outright rejected such relays.

Regards,

David.


We do not reject either, but many do, e.g. Yahoo.


Re: Irony

2011-02-01 Thread Randy Ramsdell

Michael Scheidell wrote:

On 2/1/11 9:49 AM, David F. Skoll wrote:

On Tue, 01 Feb 2011 09:43:40 -0500
Randy Ramsdellrramsd...@activedg.com  wrote:


Not sure. If our mail servers did not have reverse, we would be
rejected all over the place. Seems like a common setting. Or is it?



so we should reject your email if you are on the rfc-ignorant.org list?

220 beattock.caledonia.net ESMTP ready.
helo mx1.secnap.com.ionspam.net
250 beattock.caledonia.net Hello mx1.secnap.com.ionspam.net 
[204.89.241.253]

mail from: 
250 OK
rcpt to: ab...@caledonia.net
550 Missing, invalid or expired BATV signature
Connection closed by foreign host.




No


mycingular listed on xbl/pbl

2010-12-21 Thread Randy Ramsdell
It appears mycingular (iPhone) IPs are listed on Spamhaus (XBL and
PBL) for 8 days. I reject at the smtpd level if found.


May want to look out for this.

Thanks,
RCR



Re: mycingular listed on xbl/pbl

2010-12-21 Thread Randy Ramsdell

Benny Pedersen wrote:

On Tue 21 Dec 2010 18:39:52 CET, Randy Ramsdell wrote:

It appears mycingular (iPhone) IPs are listed on Spamhaus (XBL
and PBL) for 8 days. I reject at the smtpd level if found.


May want to look out for this.


iphone ?

if mobile phones not using smtp auth it will fail, have no problem  
here with Ios, so what problem is there ?




The problem was on my end. I had a client restriction which checked XBL
without referencing SASL auth. It is a legit listing on Spamhaus and
cingular did nothing wrong on their setup either. Granted, my
spamassassin setup will probably hit on an XBL rule.


Re: Odd yahoo spam

2010-12-09 Thread Randy Ramsdell

Michael Scheidell wrote:

  On 12/9/10 9:33 AM, Randy Ramsdell wrote:
I have been receiving bounces to my yahoo account for email I did not
send. From the pastebin, you see the email did originate from the
yahoo servers but is not in my sent directory. This is an interesting
case and I cannot determine how this happened. One thing could be my
account was compromised, but I really doubt that given the password I
chose and the fact they did not change it to lock me out. I did change
the password however. Each address in this e-mail is someone I have
sent to from yahoo, but these people are not connected to each other
except for the work accounts. The common thread is me, of course.


we have seen lots of this lately.  if you catch it really quickly, you 
might see it in the sent folder.


I will (under separate email since I don't want to 'spam' the list) send 
you an alert we did on it.


anyone wanting it, can email me and I'll send it to you.




I have seen these for years but I do not see how they cracked my account
by brute force. I am not implying it is impossible but ... My password uses
letters and numbers. It would take a long time to crack this and why
bother when they would get millions of accounts before cracking my
account? It seems more like they compromised yahoo and stole accounts.


Anyway, is there any other way to send mail as in the pastebin?



Re: new headers rule

2010-11-05 Thread Randy Ramsdell

Lawrence @ Rogers wrote:

On 04/11/2010 8:11 PM, Karsten Bräckelmann wrote:

Moving back on-list, since it doesn't appear to be personally directed
at me.

On Thu, 2010-11-04 at 19:22 -0230, Lawrence @ Rogers wrote:

On 04/11/2010 7:13 PM, Karsten Bräckelmann wrote:

No, that requires the Subject to consist of exactly one whitespace.

Read it out loud. The ^ beginning of the string, followed by exactly one
whitespace char [2]. Followed by the $ end of the string.

No offense, but I am a C and PHP programmer and Perl's documentation is
lacking, to put it politely. Too much theory and far too few actual real
world examples.

This is not about Perl, but Regular Expressions. The much more feature-
rich (and widely adopted) Perl flavor, out of all the existing variants.
But that's actually irrelevant in this case, cause you would need a very
limited sub-set only, pretty much available in any tool sporting REs.

Any introduction to REs would do, no need to tend to the Perl docs you
don't like. Though it sounds like you didn't even have a look at the docs
I pointed you to.



That is exactly what I am trying to match, and according to my tests, it
works as expected. When the To and Subject are empty, all that's there
(before the newline) is one whitespace.

Are you referring to the whitespace delimiter between the Header: and
its content? It's not part of the content.


What I am looking to check is a situation where both the To: and
Subject: headers contain nothing at all, but are set (I've seen this in
several spam e-mails recently)

Now you're confusing me. Do you want to match a single whitespace, or a
completely empty header?



If there's a better way of doing this, I would appreciate you providing
an example.

Well, better way... One that does what you just described.

Assuming you want to match headers containing nothing at all, as per
your previous paragraph. That would be nothing between the beginning and
end.
   header __FOO  Foo =~ /^$/

Or, negated, not anything.
   header __FOO  Foo !~ /./

Now, since you specifically constrained this, you might want to check
for the header's existence. Probably not worth it, though. The following
is copied from stock 20_head_tests.cf, and documented in SA Conf.
   header __HAS_SUBJECT  exists:Subject


Anyway, in cases like these it's best to provide a *raw* sample, showing
the headers in question completely un-munged and exactly as seen by SA.
(Otherwise our help often is limited to guessing and an informal
description.) This prohibits copy-n-paste from your MUA, which too often
changes subtle but important details.

One easy way to come to a conclusion whether you want to match
whitespace or not, is the following ad-hoc header rule with spamassassin
debug. The matching header's contents are shown in double quotes.

   spamassassin -D --cf='header FOO To =~ /^.*/' < msg 2>&1 | grep FOO

And just for reference, 'grep' uses REs...



Thanks Karsten,

One of these days when I get some free time, I will be sitting down and 
reading up on REs :)


Using your examples, and some hackery, I came up with this. It checks 
for the existence of the To header as well, as SA doesn't seem to have a 
rule for doing this on it's own  (a grep -r exists:To * on the rules 
pulled in from updates.spamassassin.org produced nothing).


# Message has empty To: and Subject: headers
# Likely spam
header __LW_HAS_TO exists:To
header __LW_EMPTY_TO To =~ /^$/
header __LW_EMPTY_SUBJECT Subject =~ /^$/
meta LW_EMPTY_SUBJECT_TO (__HAS_SUBJECT && __LW_HAS_TO && __LW_EMPTY_SUBJECT && __LW_EMPTY_TO)

describe LW_EMPTY_SUBJECT_TO Message has empty To and Subject headers
score LW_EMPTY_SUBJECT_TO 2.5

I added this to my custom .cf rules file and ran spamassassin --lint and 
got no complaints. I ran it over a sample spam, and it hit. I took 
another spam where both headers had information in them, and it didn't 
hit. Guess it works as expected :)


Cheers,
Lawrence


Am I missing something?

[29480] dbg: check: tests=AWL,BAYES_99,MISSING_SUBJECT

snip

Content-Transfer-Encoding: quoted-printable
Subject:
X-MB-Message-Source: WebUI

/snip
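The header tests argued over above (exists:, =~ /^$/, and the earlier /[[:space:]]$/), evaluated over constructed messages as an added example that is not code from the thread. The tiny parser is a stand-in for what a header rule sees; its whitespace handling follows Karsten's description (the single delimiter after the colon is not content), which is an assumption about how SA itself normalises headers.

```python
import re

# Minimal header parser standing in for what a 'header' rule sees. Following
# Karsten's description, the single whitespace delimiting "Name:" from its
# content is dropped and everything after it is the content (an assumption
# about SA's own normalisation, which the thread does not show). Folded
# continuation lines are joined onto the previous value.
def parse_headers(raw):
    """Return {lowercased name: [values...]} for the header block of raw."""
    headers = {}
    current = None
    for line in raw.split("\n"):
        if line == "":
            break                                   # blank line ends the block
        if line[:1] in (" ", "\t") and current is not None:
            headers[current][-1] += " " + line.strip()   # unfold
            continue
        name, _, value = line.partition(":")
        current = name.lower()
        if value[:1] == " ":
            value = value[1:]                       # drop the one delimiter
        headers.setdefault(current, []).append(value)
    return headers

def header_exists(headers, name):
    """exists:Name, the stock __HAS_SUBJECT style test."""
    return name.lower() in headers

def header_test(headers, name, pattern):
    """Name =~ /pattern/; a header that is absent never matches."""
    return any(re.search(pattern, v) for v in headers.get(name.lower(), []))

def first_attempt(headers):
    """Lawrence's first rule, Subject =~ /[[:space:]]$/ (POSIX class written
    with Python's whitespace class). It needs a whitespace character, so a
    truly empty Subject: does not match while one holding only a space does."""
    return header_test(headers, "Subject", r"\s$")

def lw_empty_subject_to(headers):
    """Lawrence's final meta rule: To: and Subject: both exist and both are
    empty (=~ /^$/), which is what the thread settled on."""
    return (header_exists(headers, "Subject")
            and header_exists(headers, "To")
            and header_test(headers, "Subject", r"^$")
            and header_test(headers, "To", r"^$"))

def evaluate(raw):
    h = parse_headers(raw)
    return {
        "exists_subject": header_exists(h, "Subject"),
        "subject_empty": header_test(h, "Subject", r"^$"),
        "first_attempt": first_attempt(h),
        "LW_EMPTY_SUBJECT_TO": lw_empty_subject_to(h),
    }

# Constructed samples, one per header state the thread argues about:
# headers absent, present but empty, present with only whitespace, filled.
SAMPLES = {
    "absent":     "From: x@example.invalid\n\nbody\n",
    "empty":      "From: x@example.invalid\nTo:\nSubject:\n\nbody\n",
    "whitespace": "From: x@example.invalid\nTo:  \nSubject:  \n\nbody\n",
    "filled":     "From: x@example.invalid\nTo: y@example.invalid\n"
                  "Subject: hello\n\nbody\n",
}

if __name__ == "__main__":
    for state, raw in SAMPLES.items():
        print(f"{state:11} {evaluate(raw)}")
```

The "whitespace" sample is the case the two rules disagree on: the first attempt fires on it and the final meta rule does not.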



Re: new headers rule

2010-11-05 Thread Randy Ramsdell

Lawrence @ Rogers wrote:

On 05/11/2010 10:58 AM, Randy Ramsdell wrote:
X-MB-Message-Source: WebUI 
You appear to have records of the same spam influencing your bayes 
results (it hits BAYES_99, which is good). What are your Bayes threshold 
settings?


Cheers,
Lawrence


I am not sure what you are asking me. Our spam cutoff is around 5. Note
that the above example was from a subject-modified message that made
it through spamassassin. I simply removed the Subject.


Re: new headers rule

2010-11-05 Thread Randy Ramsdell

Lawrence @ Rogers wrote:

  On 05/11/2010 6:00 PM, Randy Ramsdell wrote:

Lawrence @ Rogers wrote:

On 05/11/2010 10:58 AM, Randy Ramsdell wrote:
X-MB-Message-Source: WebUI 
You appear to have records of the same spam influencing your bayes 
results (it hits BAYES_99, which is good). What are your Bayes 
threshold settings?


Cheers,
Lawrence


I am not sure what you are asking me. Our spam cutoff is around 5.
Note that the above example was from a subject-modified message
that made it through spamassassin. I simply removed the Subject.


In your SpamAssassin configuration, what do you have the following
options set to:


bayes_auto_learn_threshold_nonspam
bayes_auto_learn_threshold_spam

Cheers,
Lawrence


Default

Oh, and when you reply-all, just remove the To: $myemailaddress and change
the Cc: to a To: users@spamassassin.apache.org because you are sending 2
messages.


Re: new headers rule

2010-11-04 Thread Randy Ramsdell

Lawrence @ Rogers wrote:

Hi,

I've noticed a bunch of spams coming in recently that have no To: and 
Subject: and have cobbled together the following rule to combat them. 
Any feedback would be appreciated.


# Message has empty To: and Subject: headers
# Likely spam
header __LW_EMPTY_SUBJECT Subject =~ /[[:space:]]$/
meta LW_EMPTY_SUBJECT_TO (__LW_EMPTY_SUBJECT && MISSING_HEADERS)
describe LW_EMPTY_SUBJECT_TO Message has empty To and Subject headers
score LW_EMPTY_SUBJECT_TO 2.5

If anyone would like to test this as part of the mass corpus, please 
feel free to do so. I am curious to know how it performs.


Regards,

Lawrence Williams
LCWSoft
www.lcwsoft.com


Are the Subject lines blank or missing from the body? And that goes for 
the To also.





Re: new headers rule

2010-11-04 Thread Randy Ramsdell

Lawrence @ Rogers wrote:

On 04/11/2010 6:35 PM, Randy Ramsdell wrote:
Are the Subject lines blank or missing from the body? And that goes 
for the To also. 

In the spam I am seeing, there are both present and empty.

Example

To:
Subject:


I ran an email through spamc and it hits missing and empty Subject.
I have not tested the To.



Re: .info spam from Hotmail

2010-11-03 Thread Randy Ramsdell

John Hardin wrote:

On Wed, 3 Nov 2010, Kris Deugau wrote:

DNSBLs are pretty much useless, since the message *was* legitimately 
relayed in from Hotmail.


A couple of times I've seen enough examples with similar enough URLs 
to create a uri rule something like:


uri MISC_INFO m|https?://rita..sa..ly\.info/?$|

but the latest batch vary too much.


You're trying to be too selective. How often do you receive a 
_legitimate_ email from hotmail referring to a .info website?


Try a meta combining from hotmail (or from _any_ freemail domain) with 
a uri containing m|://[^/]+\.info/|i


This is correct. The rule would need to address the fact that they do 
change the url and we are seeing a lot of this. I created a metarule for 
these cases.


Re: .info spam from Hotmail

2010-11-03 Thread Randy Ramsdell

Randy Ramsdell wrote:

John Hardin wrote:

On Wed, 3 Nov 2010, Kris Deugau wrote:

DNSBLs are pretty much useless, since the message *was* legitimately 
relayed in from Hotmail.


A couple of times I've seen enough examples with similar enough URLs 
to create a uri rule something like:


uri MISC_INFO m|https?://rita..sa..ly\.info/?$|

but the latest batch vary too much.


You're trying to be too selective. How often do you receive a 
_legitimate_ email from hotmail referring to a .info website?


Try a meta combining from hotmail (or from _any_ freemail domain) 
with a uri containing m|://[^/]+\.info/|i


This is correct. The rule would need to address the fact that they do 
change the url and we are seeing a lot of this. I created a metarule for 
these cases.


I should add. You may see these from yahoo too. Therefore the meta rule 
could account for that. I have a meta rule that checks from, received, 
dkim, and the url for yahoo and hotmail.
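An added example (not the list's or Randy's own rule) of the meta John suggests and Randy describes: an origin test over From:, Received: and DKIM d= for the two freemail domains named in the thread, combined with John's .info uri pattern, run over constructed messages.

```python
import email
import re

FREEMAIL = ("hotmail.com", "yahoo.com")              # the two named in the thread
URI_INFO = re.compile(r"://[^/\s]+\.info/", re.I)     # John Hardin's uri pattern
ADDR_DOMAIN = re.compile(r"@([\w.-]+)")
DKIM_DOMAIN = re.compile(r"\bd=([^;\s]+)")
RCVD_FROM = re.compile(r"from\s+(\S+)", re.I)

def is_freemail(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FREEMAIL)

def body_text(msg):
    """Decoded text of every non-multipart part, joined."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                     "replace"))
    return "\n".join(chunks)

def signals(raw):
    """The four signals Randy's meta combines: From: domain, Received: hosts,
    DKIM d=, and a .info URI in the body. Each is True/False."""
    msg = email.message_from_string(raw)
    m = ADDR_DOMAIN.search(msg.get("From", ""))
    d = DKIM_DOMAIN.search(msg.get("DKIM-Signature", ""))
    rcvd = [RCVD_FROM.match(v.strip()) for v in msg.get_all("Received", [])]
    return {
        "from": bool(m) and is_freemail(m.group(1)),
        "received": any(bool(r) and is_freemail(r.group(1)) for r in rcvd),
        "dkim": bool(d) and is_freemail(d.group(1)),
        "info_uri": URI_INFO.search(body_text(msg)) is not None,
    }

def freemail_info_uri(raw):
    """The meta rule: any freemail origin signal AND a .info URI in the body.
    A .info link from a corporate sender, or freemail without one, stays quiet."""
    s = signals(raw)
    return (s["from"] or s["received"] or s["dkim"]) and s["info_uri"]

# Constructed messages; hosts, selectors and signature values are made up
# and 198.51.100.0/24 is the documentation range.
HEAD_HOTMAIL = (
    "Received: from mail.hotmail.com (mail.hotmail.com [198.51.100.7])\n"
    "\tby mx.example.invalid (Postfix) with ESMTP id CONSTRUCTED\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=hotmail.com; s=sel; "
    "h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Someone <someone@hotmail.com>\nTo: user@example.invalid\n"
    "Subject: hi\n\n")
HOTMAIL_INFO = HEAD_HOTMAIL + "look here http://some-made-up-site.info/ now\n"
HOTMAIL_COM = HEAD_HOTMAIL + "look here http://www.example.com/ now\n"
CORP_INFO = ("From: staff@example.invalid\nTo: user@example.invalid\n"
             "Subject: hi\n\nhttp://some-made-up-site.info/\n")
YAHOO_DKIM_ONLY = ("DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=sel; "
                   "bh=CONSTRUCTED; b=CONSTRUCTED\n"
                   "From: Person <person@example.invalid>\n"
                   "To: user@example.invalid\nSubject: hi\n\n"
                   "http://some-made-up-site.info/\n")

if __name__ == "__main__":
    for name, raw in [("hotmail+.info", HOTMAIL_INFO), ("hotmail+.com", HOTMAIL_COM),
                      ("corp+.info", CORP_INFO), ("yahoo dkim+.info", YAHOO_DKIM_ONLY)]:
        print(f"{name:17} {freemail_info_uri(raw)!s:5} {signals(raw)}")
```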


Re: SpamAssassin service file missing after installation

2010-10-27 Thread Randy Ramsdell

Gnanam wrote:
Hi,

My question is, after installation, spamassassin service file is not
available in the location /etc/init.d/spamassassin.  Because of this
'service spamassassin start' says spamassassin: unrecognized service.
What could be the reason for spamassassin service file missing after
installation?  Because this service file is not automatically installed as
part of installation, I've little doubt/fear/confusion whether it would
create any other implications during course of usage.

NOTE:
1. I'm installing as 'root' user here.
2. Also, I've installed this on RHEL4 and RHEL5, but I don't find this issue
(missing spamassassin service file).
3. I also tried to copy the 'spamassassin' service file from one of my RHEL5
to this CentOS.  It is working fine.

Regards,
Gnanam


Appears you are implying this init.d script existed, then was removed
after installation, which does not make sense to me.


1. Determine the spamassassin package name (rpm -qvf
$some_spamassassin_file).

2. Then rpm -qvl $package_name

Does it show an init script?
openSUSE uses spamd.

Also note that Red Hat wrote the rpm and it is up to them to determine
what is included. I have seen more than one broken or incomplete package
in my career.




Re: autolearn : lock_file

2010-09-20 Thread Randy Ramsdell

Cédric Jeanneret wrote:

Hello,

I have an error with SA using autolearn plugin:
Sep 20 12:25:06 hostname spamd[6157]: plugin: eval failed: bayes: (in
learn) locker: safe_lock: cannot create tmp lockfile
/home/USER/.spamassassin/bayes.lock.host.domain.ltd.6157 for
/home/USER/.spamassassin/bayes.lock: Permission denied

Is it possible to define the lockfile to, say, /tmp/ ?
As I don't have only one user, it can be nice to set the lockfile
somewhere else on the system, where SA process can write. I didn't see
anything about such a configuration variable.

SA runs as vmail user, if it can help.

Thank you !

C.


SA can write to the users' directories. You have something misconfigured
or you hosed the perms in the directory.


Local rules trigger bug

2010-08-06 Thread Randy Ramsdell
I found a bug in spamassassin that can be reliably reproduced when
using our local rules. What would be interesting is to track down where
this bug is exactly.


1. The process runs @ 100% cpu and hangs there.  Has to be kill -9'ed
2. I see no errors in spamassassin -D

For the time being I have removed our rules until this problem is resolved.

My question is, what would be the best way to determine what bug I am
hitting when the process simply hangs?




Re: Local rules trigger bug

2010-08-06 Thread Randy Ramsdell

Ralf Hildebrandt wrote:

* Randy Ramsdell rramsd...@activedg.com:
  

I found a bug in spamassassin that can be reliably reproduced when
using our local rules. What would be interesting is to track down
where this bug is exactly.

1. The process runs @ 100% cpu and hangs there.  Has to be kill -9'ed
2. I see no errors in spamassassin -D

For the time being I have removed our rules until this problem is resolved.

My question is, what would be the best way to determine what bug I
am hitting when the process simply hangs?



Add first half of your rules, test
if it exposes the error, split in two halves and test each half.
etc.

  
Yeah that is the fastest way. :) I used a little diff formula and found
the issue. I think this may not be the rule we were going for but ...

body __RCR_MEGADK /.*(M.*E.*G.*A.*D.*K).*/




Re: Local rules trigger bug

2010-08-06 Thread Randy Ramsdell

Dominic Benson wrote:

On 06/08/10 17:18, Randy Ramsdell wrote:
Yeah that is the fastest way. :) I used a little diff formula and
found the issue. I think this may not be the rule we were going
for but ...

body __RCR_MEGADK /.*(M.*E.*G.*A.*D.*K).*/


There are a few things that strike me as peculiar about that rule. Not 
least of which is that it would appear to match the following - 
hypothetical, but plausible - message. The presence of seven 
unrestricted greedy specifiers makes it perfectly plausible to me that 
it would take quite a long time to process any moderately long message.



Dear Mr. Edwards,

Gary passed your suggestion to me, and I believe that the AMD system 
would be best.


Kind Regards,



Matches Uppercase

It does take a long time to process a message and a very short message 
to boot. In fact, it never finishes and runs the cpus to 100% so the 
rule has been removed. I still wonder if this is a bug.
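As an added example (not code from the thread), the rule Randy found, run as a Python regex over Dominic's hypothetical message collapsed to one line, beside a tighter replacement that is my assumption about the intent (the thread does not say what the rule was for): it shows which capital letters the loose rule latches onto in a legitimate message, and times it on a body that never matches.

```python
import re
import time

# Randy's body rule as a Python regex, with each letter captured so we can
# see where the match lands. SA body rules are Perl regexes; Python's re
# backtracks the same way on this pattern, so the behaviour carries over.
LOOSE_RULE = re.compile(r".*(M).*(E).*(G).*(A).*(D).*(K).*")

# A tighter alternative (my assumption about the intent, not from the
# thread): the six letters form one token, with at most two punctuation or
# space characters between neighbours, any case.
TIGHT_RULE = re.compile(
    r"\bM[\W_]{0,2}E[\W_]{0,2}G[\W_]{0,2}A[\W_]{0,2}D[\W_]{0,2}K\b", re.I)

# Dominic's hypothetical message, collapsed to one line (constructed), and
# two more constructed bodies.
BENIGN = ("Dear Mr. Edwards, Gary passed your suggestion to me, and I believe "
          "that the AMD system would be best. Kind Regards,")
OBFUSCATED = "Buy M.E.G.A.D.K today"
NO_K = "MEGAD " * 8          # every letter but K: the loose rule must give up

def loose_hits(text):
    return LOOSE_RULE.search(text) is not None

def tight_hits(text):
    return TIGHT_RULE.search(text) is not None

def explain_loose_hit(text):
    """(letter, offset) for the six letters the loose rule used, or None.
    On BENIGN they are spread over the whole sentence: M from 'Mr.',
    E from 'Edwards', G from 'Gary', A and D from 'AMD', K from 'Kind'."""
    m = LOOSE_RULE.search(text)
    if m is None:
        return None
    return [(m.group(i), m.start(i)) for i in range(1, 7)]

def seconds_to_fail(n_repeats):
    """Time the loose rule on 'MEGAD ' * n_repeats. Before giving up, the
    engine tries every ordered M,E,G,A,D combination from every start
    offset, so the time climbs steeply with length (the tight rule stays
    linear). Keep n_repeats modest: this is the hang from the thread."""
    body = "MEGAD " * n_repeats
    t0 = time.perf_counter()
    LOOSE_RULE.search(body)
    return time.perf_counter() - t0

if __name__ == "__main__":
    print("loose on benign:", loose_hits(BENIGN), explain_loose_hit(BENIGN))
    print("tight on benign:", tight_hits(BENIGN))
    print("obfuscated token:", loose_hits(OBFUSCATED), tight_hits(OBFUSCATED))
    for n in (5, 10, 15):
        print(f"{n * 6:3d} chars, no K: {seconds_to_fail(n):.3f}s")
```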





Re: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use

2010-08-04 Thread Randy Ramsdell

Suhag P Desai wrote:

No, even when I try to start spamd the very first time after rebooting the
server, I get the same message...

  

huh? See below.
Below are the output of 


[r...@spd ~]# ps -ef | grep spamd
root  3519  3516  0 12:44 ?00:00:00 supervise spamd
root  3544  3519  0 12:44 ?00:00:02 /usr/bin/perl -T -w
/usr/bin/spamd -x -u vpopmail -s stderr
qmaill3548  3520  0 12:44 ?00:00:00 /usr/bin/multilog t s100
n100 /var/log/qmail/spamd
vpopmail  4035  3544  0 12:45 ?00:00:00 spamd child
vpopmail  4036  3544  0 12:45 ?00:00:00 spamd child
root  4586  4549  0 12:59 pts/100:00:00 grep spamd
[r...@spd ~]#

  

Am I missing something? It is running.


Re: NO_RELAYS spam

2010-07-01 Thread Randy Ramsdell

Karsten Bräckelmann wrote:

On Fri, 2010-06-18 at 23:54 +0200, Karsten Bräckelmann wrote:
  

Your issue is kind of weird and far less than common. Read, I cannot
recall coming across such a report *ever* on this list.

Thus, the collective list's lack of pin-pointing the cause with the info
given. The very reason we need you to dig deeper, provide debug logs,
header dumps at all stages -- or any evidence at all this might be SA.



Randy, any results? Did you find the cause for the issue?


  
At this time, I have not. Since the messages are originally scanned with
all the headers intact and not having the time, I will look into this
later. I am still not sure how to go about troubleshooting this however.


Thanks,
RCR


Re: Nonsense spam

2010-06-25 Thread Randy Ramsdell
RW wrote:
 On Thu, 24 Jun 2010 15:59:24 -0400
 Michael Scheidell scheid...@secnap.net wrote:

   
 On 6/24/10 3:51 PM, Ned Slider wrote:
 
 The danger comes when people use the PBL incorrectly and deep parse 
 all headers which *will* lead to copious FPs.

 Either way, I'd have no hesitation blocking outright on PBL or
 scoring very highly in SA.

   

 The current scores are actually:

 RCVD_IN_PBL 0 3.558 0 3.335


   
I show these current scores which are much lower than what you have. Is
this because of the spamassassin version we use or maybe I did not use
sa-update properly. It is odd that the scores increased by this margin.
What changed about the PBL that would necessitate this?

RCVD_IN_PBL 0 0.509 0 0.905


Re: Nonsense spam

2010-06-24 Thread Randy Ramsdell
Michael Scheidell wrote:
 On 6/24/10 12:07 PM, Randy Ramsdell wrote:
 Anyone receiving these? It is either a borked spam script or they are
 probing. They come in with different headers and different body each
 time so I am not sure how to mark or block them. Any suggestions would
 be appreciated.
  
 http://pastebin.com/kQJ0SPti
   
 at least for THIS one, RCVD_IN_PBL

 if you are using this BL, you might just want to block it at the MTA
 level and not even scan it.

 (I suspect the spam/vs ham scoring on that rule is so low because the
 people submitting spam corpus probably block it at the MTA level and
 never see it.
 My understanding of PBL is that it's at least 99.999% free of FP's)

Yet spamassassin scores it with a .9. I have been reluctant to block and
this is compounded by spamassassin scoring it low as if it weren't as
accurate as you state.




Re: NO_RELAYS spam

2010-06-18 Thread Randy Ramsdell

Michelle Konzack wrote:

Hello Randy Ramsdell,

On 2010-06-17 10:38:08, you wrote the following:
  

We are getting a ton of this type and it scores low because there
are no received headers. What is this type of mail? I do not recall
seeing these in the past.



Hehehe... sounds like a new customer of mine...

His mailserver was accessed through telnet using scripts to generate the
spam messages, hence, it had no Received: headers...

Thanks, Greetings and nice Day/Evening
Michelle Konzack

  
Even so, all email should have a received header. In this case, the 
emails are sent to a content filter which will add received headers.


Re: NO_RELAYS spam

2010-06-18 Thread Randy Ramsdell

David B Funk wrote:

On Thu, 17 Jun 2010, Randy Ramsdell wrote:

  

get us added to lists, but Michael stated then, check the blacklists to
see how to get removed, as if we are already on a list. We are not.

Back to the main issue.

Here is an example pastebin. http://pastebin.com/mJqRPzkv

I found this message in the logs and it comes from yahoo. I don't think
I will focus on our forms because general mail also has its received
headers stripped. So the question is, what is doing this? I need help
to determine how to isolate this problem down. If it is postfix, I will
go to their lists etc... I have not implemented any rules that strip
received headers nor do I want to.

Thanks,
RCR



Given that it looks like something is taking the original To: header,
mutating it into X-Original-To: then adding that bogus
To: undisclosed recipients: and adding a

X-Virus-Scanned: amavisd-new at activedatatech.net header
I would guess that it's your amavisd-new process (or something in
its path) that is doing the header damaging.

Check the Amavisd site/list for trouble-shooting hints & tips.

There may be a way to put a 'tee' filter before & after amavisd in your
postfix configuration.

  
However, all the emails without the received header field do not show
this. It is in this specific pastebin example that you see this. Using
sendmail without certain arguments will cause the To: field to show up
as undisclosed recipients:.


Re: NO_RELAYS spam

2010-06-18 Thread Randy Ramsdell

Matus UHLAR - fantomas wrote:

On Thu, 17 Jun 2010, Randy Ramsdell wrote:
  
The original email did not hit the NO_RELAYS rule but subsequent runs 
through do hit this rule and it isn't on all email.



  

Charles Gregory wrote:

This sounds to me like you are 'resending' the mail from a local  
address to your mail server, rather than 'feeding' the original mail  
back into spamassassin. If this is the case, then you would naturally  
produce a new set of headers, and there would be no external relays,  
thus triggering the NO_RELAYS rule
  


On 17.06.10 12:13, Randy Ramsdell wrote:
  
Hmmm, this mail came in and went straight to the user's inbox.
1. Postfix ---> 2. Amavis (Spamd/Clamd) ---> 3. Postfix ---> 4. Dovecot-deliver



in this case, this problem belongs more to amavis mailing list, not to
spamassassin one.

  
I have no problem going over there but I am not convinced that the
Amavis program is the problem. The header field is changed by
spamassassin. Doesn't the email simply get handed to SpamAssassin by
Amavis where the headers are modified by spam report etc...?


Re: [sa] Re: NO_RELAYS spam

2010-06-18 Thread Randy Ramsdell

Charles Gregory wrote:

On Fri, 18 Jun 2010, Randy Ramsdell wrote:
I have no problem going over there but I am not convinced that the
Amavis program is the problem. The header field is changed by
spamassassin. Doesn't the email simply get handed to SpamAssassin by
Amavis where the headers are modified by spam report etc...?


The headers are missing.
Spamassassin records this fact, but is not responsible for it.
So find out what happens to your message BEFORE spamassassin is called.
Amavis is just a suggested starting place. And if it is to blame,
someone on their list will recognize your query as soon as you post it.


Suggestion: After each step of your mail processing, if you can, save 
a copy of the mail to a log file. At least that way you get a quick 
overview of *which* component removes those headers


- C
Not exactly. Spamassassin sees the original messages including the
received headers, then it modifies those headers with its information. I
see these issues when running subsequent tests with spamassassin. So this
is why I am not convinced that spamassassin is not causing the problem.
Just clarifying the issue here. So it could be amavis, spamassassin or
postfix but I am leaning towards spamassassin at the moment.


From an earlier post in which I wrote:  ( You see that the original 
scan saw the headers, but after delivery they were gone. )


Example:

Original rules hit.

X-Spam-Status: No, score=-0.394 tagged_above=- required=5
tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_SORBS_WEB=0.619, URG_BIZ=1.585]


After running spamassassin -D

X-Spam-Status: No, score=4.2 required=5.0 
tests=AWL,BAYES_80,HTML_MESSAGE,NO_RECEIVED,NO_RELAYS,TO_MALFORMED,URG_BIZ 
autolearn=no version=3.2.5




NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell
We are getting a ton of this type and it scores low because there are no 
received headers. What is this type of mail? I do not recall seeing 
these in the past.


Thanks,
RCR


Re: NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell

Michael Scheidell wrote:

On 6/17/10 10:38 AM, Randy Ramsdell wrote:
We are getting a ton of this type and it scores low because there are 
no received headers. What is this type of mail? I do not recall 
seeing these in the past.



it's coming from you then :-(

or, your mail server is stripping out or not adding headers. RFC's 
require your mail server to add the header for the SMTP server that 
connected to you and add a header.


check your 'contact us' forms on your web site for holes.

then, check the blacklists to see how to get removed.


Thanks,
RCR


Blacklists? What makes you think we are on a blacklist? As far as I can 
tell we are not on any lists.


Well looks like you are correct regarding the mail server stripping 
these. It makes no sense because we do not have rules that do this. The 
modifications done are done by spamassassin when it rewrites the header 
with a report and score.


The original email did not hit the NO_RELAYS rule but subsequent runs 
through do hit this rule and it isn't on all email.


Example:

Original rules hit.

X-Spam-Status: No, score=-0.394 tagged_above=- 
required=5tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, 
RCVD_IN_SORBS_WEB=0.619,URG_BIZ=1.585]


After running spamassassin -D

X-Spam-Status: No, score=4.2 required=5.0 
tests=AWL,BAYES_80,HTML_MESSAGE,NO_RECEIVED,NO_RELAYS,TO_MALFORMED,URG_BIZ 
autolearn=no version=3.2.5




Any ideas how this could happen?


Re: NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell

Michael Scheidell wrote:

On 6/17/10 10:38 AM, Randy Ramsdell wrote:
We are getting a ton of this type and it scores low because there are 
no received headers. What is this type of mail? I do not recall 
seeing these in the past.



it's coming from you then :-(

or, your mail server is stripping out or not adding headers. RFCs 
require your mail server to add the header for the SMTP server that 
connected to you and add a header.


check your 'contact us' forms on your web site for holes.

then, check the blacklists to see how to get removed.


Thanks,
RCR



I just checked our spam reports and this rule never hits. It is not 
locally generated email either, or I cannot find any coming from us. 
This is a strange issue and I am not sure where to begin to determine what 
is doing this.





Re: NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell

Michael Scheidell wrote:

On 6/17/10 11:31 AM, Randy Ramsdell wrote:


I just checked our spam reports and this rule never hits. It is not 
locally generated email either, or I cannot find any coming from us. 
This is a strange issue and I am not sure where to begin to determine 
what is doing this.



if you have an insecure web form, contact form, 'email us' form, the 
spammers will use it to send spam.

MAYBE it is coming from that.

(and if it is, and spammers are using you, you will get on blacklists 
:-( )


do you need packet dumps? what about mail logs? does your mail server 
tell you where these emails are coming from?




I understand how letting spammers send mail through our systems could 
get us added to lists, but Michael stated "then, check the blacklists to 
see how to get removed." as if we are already on a list. We are not.


Back to the main issue.

Here is an example pastebin. http://pastebin.com/mJqRPzkv

I found this message in the logs and it comes from yahoo. I don't think 
I will focus on our forms because general mail also has its received 
headers stripped. So the question is: what is doing this? I need help 
to determine how to isolate this problem. If it is postfix, I will 
go to their lists etc... I have not implemented any rules that strip 
received headers nor do I want to.


Thanks,
RCR



Re: NO_RELAYS spam

2010-06-17 Thread Randy Ramsdell

Charles Gregory wrote:

On Thu, 17 Jun 2010, Randy Ramsdell wrote:
The original email did not hit the NO_RELAYS rule but subsequent runs 
through do hit this rule and it isn't on all email.


This sounds to me like you are 'resending' the mail from a local 
address to your mail server, rather than 'feeding' the original mail 
back into spamassassin. If this is the case, then you would naturally 
produce a new set of headers, and there would be no external relays, 
thus triggering the NO_RELAYS rule


Hmmm, this mail came in and went straight to the user's inbox:
1. Postfix --- 2. Amavis (Spamd/Clamd) --- 3. Postfix --- 4. Dovecot-deliver
So the problem is somewhere between steps 2 and 3, or in step 3 or 4. Step 4 
is unlikely since deliver simply sends the file to a directory location.

Original rules hit.
X-Spam-Status: No, score=-0.394 tagged_above=- 
required=5tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, 
RCVD_IN_SORBS_WEB=0.619,URG_BIZ=1.585]


Right there, we see 'RCVD_IN_SORBS'. This would not happen even if 
your own server was blacklisted with SORBS. There *was* a Received 
header for a relay, and somehow you have 'removed' it, either via a 
filtering mechanism outside SA, or by 'resending' or 'forwarding' the 
mail.



After running spamassassin -D


If this is what you used, then the forwarding and header rewriting 
must have occurred prior to this. Did someone 'forward' the spam to 
you as a complaint? Users often fail to properly forward with full 
headers enclosed.


- C


No, I run a script on the mail server manually that simply moves the 
files. Then I check with spamassassin.
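Charles's suggestion earlier in the thread (save a copy of the mail after each stage and see which component drops the headers) can be scripted. This is an added example, not code from SpamAssassin, Amavis or Postfix: it compares two saved copies of one message, lists the headers that disappeared or appeared, and tells "Received headers stripped" apart from "message resent, so a fresh local relay chain replaced the original one". All three message copies below are constructed.

```python
from collections import Counter
from email import message_from_string

# Constructed copy of a message as it arrived at the first Postfix stage:
# two external Received lines plus the X-Spam-Status Amavis added.
BEFORE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org (Postfix) with ESMTP id 4F3A1C0
    for <user@example.org>; Thu, 17 Jun 2010 10:00:00 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mx.example.net with SMTP; Thu, 17 Jun 2010 09:59:58 -0400
From: sender@example.net
To: user@example.org
Subject: constructed test message
X-Spam-Status: No, score=-0.394 required=5 tests=[BAYES_00=-2.599]

body text
"""

# Constructed copy saved after a later stage: the Received lines are gone
# and a re-scan produced a new X-Spam-Status with NO_RELAYS.
AFTER_STRIPPED = """\
From: sender@example.net
To: user@example.org
Subject: constructed test message
X-Spam-Status: No, score=4.2 required=5.0 tests=NO_RECEIVED,NO_RELAYS

body text
"""

# Constructed copy of the case Charles describes: the mail was re-sent
# from a local address, so the only Received line is a fresh local one.
AFTER_RESENT = """\
Received: from localhost (localhost [127.0.0.1])
    by mail.example.org (Postfix) with ESMTP id 9B77D12
    for <user@example.org>; Thu, 17 Jun 2010 10:05:00 -0400
From: sender@example.net
To: user@example.org
Subject: constructed test message

body text
"""


def _headers(raw):
    """All headers as (lowercase name, whitespace-normalised value) pairs,
    keeping duplicates such as repeated Received lines in order."""
    msg = message_from_string(raw)
    return [(name.lower(), " ".join(value.split())) for name, value in msg.items()]


def header_diff(before_raw, after_raw):
    """Headers present in the 'before' copy but not in the 'after' copy,
    and vice versa.  Counters keep repeated headers distinct."""
    before, after = Counter(_headers(before_raw)), Counter(_headers(after_raw))
    return {"removed": sorted((before - after).elements()),
            "added": sorted((after - before).elements())}


def received_count(raw):
    return sum(1 for name, _ in _headers(raw) if name == "received")


def diagnose(before_raw, after_raw):
    """Classify what happened to the relay chain between two copies."""
    before_rcvd = [v for n, v in _headers(before_raw) if n == "received"]
    after_rcvd = [v for n, v in _headers(after_raw) if n == "received"]
    if before_rcvd and not after_rcvd:
        return "stripped"   # some stage removed the Received headers
    if before_rcvd and not any(v in after_rcvd for v in before_rcvd):
        return "resent"     # the old chain is gone and a new one was produced
    return "intact"


if __name__ == "__main__":
    for label, after in (("stripped copy", AFTER_STRIPPED), ("resent copy", AFTER_RESENT)):
        print(label, "->", diagnose(BEFORE, after))
        for name, value in header_diff(BEFORE, after)["removed"]:
            print("  removed:", name, "=", value)
```

Run it against the copies saved after each of the four steps and the first pair that reports "stripped" brackets the component responsible.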


Sa-learn huh

2010-06-02 Thread Randy Ramsdell
[09:23] botboy sa-learn { forget,spam,ham} SHOULD change the BAYES 
scores, correct?
[09:24] botboy We upgraded spamassassin and it just does not work like 
it did before.
[09:24] botboy I would normally be able to learn as spam and change 
the bayes score to a 3.5
[09:25] botboy but now when I relearn as spam the score stays at 0.0 
BAYES_50


I do get one error when learning.
netset: cannot include 127.0.0.1/32 as it has already been included

vscan@:/home/vscan_salearn sa-learn --forget  
1275414726.M714825P12557.dfbbl16,W=9799:2,Sb

netset: cannot include 127.0.0.1/32 as it has already been included
Forgot tokens from 1 message(s) (1 message(s) examined)

vscan@:/home/vscan_salearn sa-learn --spam  
1275414726.M714825P12557.dfbbl16,W=9799:2,Sb

netset: cannot include 127.0.0.1/32 as it has already been included
Learned tokens from 1 message(s) (1 message(s) examined)

It appears to learn the message as spam, but the BAYES score does not change.


Re: Sa-learn huh

2010-06-02 Thread Randy Ramsdell

Michael Scheidell wrote:

On 6/2/10 11:39 AM, Randy Ramsdell wrote:
[09:23] botboy sa-learn { forget,spam,ham} SHOULD change the BAYES 
scores, correct?
[09:24] botboy We upgraded spamassassin and it just does not work 
like it did before.
[09:24] botboy I would normally be able to learn as spam and change 
the bayes score to a 3.5
[09:25] botboy but now when I relearn as spam the score stays at 0.0 
BAYES_50


I do get one error when learning.
netset: cannot include 127.0.0.1/32 as it has already been included


that means nothing.


Forgot tokens from 1 message(s) (1 message(s) examined)

vscan@:/home/vscan_salearn sa-learn --spam  
1275414726.M714825P12557.dfbbl16,W=9799:2,Sb

netset: cannot include 127.0.0.1/32 as it has already been included
Learned tokens from 1 message(s) (1 message(s) examined)

It appears to learn the message as spam, but the BAYES score does not change.
hopefully, it takes more than one set of tokens to change a properly 
trained Bayesian database.  if not, then all the poison emails would 
trash it.


No, one email isn't going to take Bayesian from bayes_0 to bayes_95



IIRC, when I sent messages through sa-learn on the old mail server as 
spam, then checking with  spamassassin debug, this would show a 3.5 
BAYES score. I will double check this, but I would hope to at least add 
a positive score when training a spam message.


Thanks,
RCR


Re: Hostkarma whitelist problem

2009-06-17 Thread Randy Ramsdell

Marc Perkel wrote:
err...@junkemailfilter.com will work. If you have suggestions for 
automation I'm interested.


Bowie Bailey wrote:
That one also hit DNSWL_MED and actually ended up with a negative 
score.  I reported to dnswl via their website.


It would be useful to have a reporting mechanism on your website so 
we don't have to send these to the list.


Bowie

Marc Perkel wrote:
No list is perfect. Thanks for reporting it. Although I try to get 
everything right there will always be mistakes. Sometimes I do get 
to leaning white because false positives are 100 times worse than a 
few spams getting through. Probably what happened with that is that 
the sender does a pretty good job of stopping spam and after we get 
25 good emails and no spam they get white listed. So when a spam 
sneaks through it gets past.


I need to build up my yellow list more. My yellow list is for ISPs 
and freemail providers that are mostly non-spam but some spam gets 
through. I'm always looking for new tricks to build up these lists.


Bowie Bailey wrote:
I couldn't find any place on junkmailfilter website to report this, 
so I'll put it here.


I received a 419 scam email with this whitelist hit:

* -3.0 RCVD_IN_JMF_W RBL: Sender listed in JMF-WHITE
*  [213.4.129.18 listed in hostkarma.junkemailfilter.com]







It can be automated by creating a web form and having the form do input 
validation, and then:

1. Send an e-mail to you or other maintainers.
2. Automatically remove the incorrect entry.
3. Remove it and then parse through your list to see if the domain is 
currently sending spam. (If you have logs etc...)
4. Remove it and send an e-mail to the maintainers.

There are so many ways to handle this.


Re: Spam volumes down since last week

2008-06-24 Thread Randy Ramsdell

ram wrote:

I am seeing a clear downtrend in the number of spams hitting our
servers, I am not sure why? Since last week spams are at 50% of what
they used to be last month. Is this what you all are seeing?



But the irritant 419's are still coming in (and some get past SA),
in many new variants. I have seen scamsters sending targeted spams
to people in the hotel industry, holiday industry etc.



Thanks
Ram




  
Our spam levels are 1/2 to 1/3 of what they were two weeks ago. 
Virus e-mails are also very, very low. Low enough for me to start 
reviewing the e-mail logs for anomalies.




Re: Clamav Plugin for Spamassassin

2008-06-23 Thread Randy Ramsdell

metamorph wrote:

James Lay wrote:
  

On 6/22/08 9:30 PM, metamorph [EMAIL PROTECTED] wrote:



Spamassassin/Clamav/Ubuntu/PHP5/Apache2/citadel/

I just installed spamassassin and tested it with gtube and it worked, but
when I tried to install clamav it still lets the EICAR files through.  I
read through old posts and everything on the spamassassin site and still
cannot get it to work.

Any suggestions on what I  am not doing correctly are greatly
appreciated.

The steps I took:
filescanclamav is a Perl module, so I had to use CPAN to install it.

Then, I created the files clamav.cf and clamav.pm with the text from
http://wiki.apache.org/spamassassin/ClamAVPlugin.

Placed the two files in the /etc/spamassassin directory.

Made the recommended change to clamav.pm: our $CLAMD_SOCK =
"/var/run/clamav/clamd.ctdl";   # changed

Restarted spamassassin. grep shows spamassassin.

Sent EICAR  AV text test and it still doesn't do anything.

  

Got any headers to show that it's actually piping through ClamAV?  (hint:
look for X-Spam-Virus:)
J~

Citadel does not support headers, so it just sends the email back or
deletes it.



Any other suggestions on how to check if it is piping through clamav and how
to set it if it is not are greatly appreciated.  Do I need to post any other
info NOOB?
  

  


1. Create a test file with the EICAR test string included.
2. Run spamassassin -D < $testfile
3. Read through the output thoroughly.

or
1. spamassassin -D --lint : this should show if the plugin loaded.

rcr



Re: skip inbox ?

2008-06-18 Thread Randy Ramsdell

almaren wrote:

Is it possible to somehow tell spamassassin to move all messages marked as
spam directly into the spam/ham/trash folders ? 
The thing is I'm running backups on my mailbox and although I omit

spam/ham/trash I do collect the mails from my inbox, and in most cases there
are 40-50 messages with subjects starting with *SPAM*. I don't want
to have theme there.
  
Spamassassin uses a local delivery agent to do this. We use procmail 
and created a recipe (regex) that moves all spam messages to the user's 
spam folder. If you use a local (not system wide) setup, then simply 
create a filter in the e-mail client.


OT: Re: skip inbox ?

2008-06-18 Thread Randy Ramsdell

almaren wrote:

well first of all - thanks for the quick response :)


John Hardin wrote:
  

You didn't explain your MTA tool chain, so we have no idea how to
recommend configuring it to change where messages scored as spammy get
saved.

Tell us what does delivery (e.g. procmail) in your environment and
someone may be able to tell you how to configure delivery of spammy
messages to a spam folder.




I'm running qmail as MTA and courier-imap, there is also procmail on the
server.


  

/etc/procmailrc

SPAMIT=$HOME/Maildir/.SPAM/

:0:
* ^X-Spam-Status: Yes
$SPAMIT

This will send messages to a user's .SPAM directory.
You will have to create the directory in each user's directory.


Re: skip inbox ?

2008-06-18 Thread Randy Ramsdell

Jari Fredriksson wrote:

almaren wrote:


Is it possible to somehow tell spamassassin to move all
messages marked as spam directly into the spam/ham/trash
folders ? 
The thing is I'm running backups on my mailbox and

although I omit spam/ham/trash I do collect the mails
from my inbox, and in most cases there are 40-50
messages with subjects starting with *SPAM*. I
don't want to have theme there. 

  

Spamassassin uses a local delivery agent to do this. We
use procmail and created a recipe (regex) that moves
all spam messages to the user's spam folder. If you use a
local (not system wide) setup, then simply create a
filter in the e-mail client. 



SpamAssassin does NOT use a local delivery agent. But a local delivery agent may 
use SpamAssassin, and then forward messages according to SA-originated headers.


  
Yes. I should have written that spamassassin sends the message back to 
postfix or whatever and this is what sends to the local delivery agent.





Re: uri rules

2008-05-28 Thread Randy Ramsdell

Matt Kettler wrote:

Joseph Brennan wrote:


I was surprised that this rule...

 uri CU_CN_LINK  /http:..\w+\.cn\b/

matches not only this...

 <a href="http://foobar.cn">

but also this...

 <a href="http://www.columbia.edu/foo.html">KooXoo Buys Kuxun.cn 
Domain</a>



First, I did not realize that SpamAssassin's idea of uri includes not
only the uri, but the start tag, end tag, and all in between.  That's
useful but not real clear in Mail::SpamAssassin::Conf.
Actually, it doesn't: your second example has two URIs as far as 
SpamAssassin is concerned, "http://www.columbia.edu/foo.html" and 
"http://Kuxun.cn". Two separate URIs.


Since many email clients auto-link domains in text portions, like 
www.google.com, SpamAssassin tries to find text strings that clients 
will treat as URIs and use them in the URI tests as well.




How so? How does the spamassassin URI check determine that Kuxun.cn is a URI, 
as opposed to someone who forgot to add a space after a sentence end? Is 
it because it is located within the <a> tag?


Second, I can't figure out how \w+ matches the punctuation and spaces!

It doesn't. :)
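To make Matt's answer concrete, here is an added example (not SpamAssassin's own URI parser, which lives in its Perl HTML and Util modules) of how a URI list is built from an HTML part and how the CU_CN_LINK rule from the thread is then applied to each entry. The href extraction, the tag stripping and the short TLD list used to decide that bare text like "Kuxun.cn" would be auto-linked are simplifications of what SA does; the inputs are Joseph's two fragments with their tags restored plus one constructed sentence with a missing space.

```python
import re

# The rule from the thread: 'http:' then any two characters, then a single
# \w+ label ending in .cn, so it can only match a host with no inner dots.
CU_CN_LINK = re.compile(r"http:..\w+\.cn\b")

HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
TAG_RE = re.compile(r"<[^>]+>")
# Assumption: a short stand-in for the TLD list SpamAssassin consults when
# it decides that bare text in the rendered body would be auto-linked.
BARE_HOST_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+(?:cn|com|edu|net|org)\b", re.I)


def extract_uris(html):
    """Return the list a 'uri' rule is tested against: every href, plus
    http:// prepended to bare host names found in the rendered text."""
    uris = [m.group(1) for m in HREF_RE.finditer(html)]
    text = TAG_RE.sub(" ", html)          # what the recipient actually sees
    for m in BARE_HOST_RE.finditer(text):
        candidate = "http://" + m.group(0)
        if candidate not in uris:
            uris.append(candidate)
    return uris


def rule_hits(html):
    """URIs from the list that CU_CN_LINK matches."""
    return [u for u in extract_uris(html) if CU_CN_LINK.search(u)]


# Constructed inputs (Joseph's fragments with tags restored, plus one more).
EXAMPLE_1 = '<a href="http://foobar.cn">click</a>'
EXAMPLE_2 = '<a href="http://www.columbia.edu/foo.html">KooXoo Buys Kuxun.cn Domain</a>'
EXAMPLE_3 = '<p>Forgot the space after this sentence.Next sentence here.</p>'

if __name__ == "__main__":
    for sample in (EXAMPLE_1, EXAMPLE_2, EXAMPLE_3):
        print(extract_uris(sample), "->", rule_hits(sample))
```

"sentence.Next" is never added because "Next" is not a known TLD, which is the answer to the space-after-a-sentence question; "Kuxun.cn" is added as a separate URI and that is the entry the rule hits.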






Re: Google docs spam

2008-05-21 Thread Randy Ramsdell

ram wrote:
Now google docs abuse spam. 


Spammer is using the docs page with an id from google. At least google
should have a decent abuse reporting system 




This mail went by almost clean. Are there any rules I am missing? 
https://ecm.netcore.co.in/tmp/spamgd.txt



Thanks
Ram


  
I am slow. How are they doing this? I couldn't even figure it out 
looking at the example e-mail.


Re: FORGED_MUA_OUTLOOK 4.1

2008-05-16 Thread Randy Ramsdell

Philippe Couas wrote:

Hi,

I have a server program sending mail to a PC. This PC reads the mail
then forwards it to a user group.
Mails are read correctly, but when forwarded, they are SPAMMED
with

FORGED_MUA_OUTLOOK 4.1

How could I avoid it?

Regards
Philippe

Find out why it is being flagged. (Read the rule, then compare it to the 
message header.) How else?


Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
-

Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on

 4.2 FORGED_MUA_OUTLOOK

 and are saying they are 100% certain that the email was sent from MS
 Outlook Express. Is this a known problem or are these users doing 
something

 wrong?

may be... can you show us headers of such e-mail?

meta __FORGED_OE (__OE_MUA && !__OE_MSGID_1 && 
!__OE_MSGID_2 && !__OE_MSGID_3 && !__OE_MSGID_4 && !__UNUSABLE_MSGID)
meta __FORGED_OUTLOOK_DOLLARS   (__OUTLOOK_DOLLARS_MUA && 
!__OE_MSGID_2 && !__OUTLOOK_DOLLARS_OTHER && !__VISTA_MSGID && 
!__IMS_MSGID && !__UNUSABLE_MSGID)
meta FORGED_MUA_OUTLOOK (__FORGED_OE || 
__FORGED_OUTLOOK_DOLLARS)


at least Message-Id and X-Mailer...

btw, do you update rules periodically?
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They say when you play that M$ CD backward you can hear satanic 
messages.

That's nothing. If you play it forward it will install Windows.


Best Regards,

Jeff Koch, Intersessions
Could you include the whole header, including the spam report? This 
looks like a valid M$ Outlook/Express header.
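The meta rule Matus quoted is a conjunction of one positive test (the mailer claims Outlook Express) and several negated Message-ID tests, so it fires only when the X-Mailer survives but the Message-ID no longer looks like one Outlook Express wrote. The following added example (not SpamAssassin's rule code) walks that logic on constructed headers: the single Message-ID pattern stands in for __OE_MSGID_1 to 4, a missing header stands in for __UNUSABLE_MSGID, and the __FORGED_OUTLOOK_DOLLARS branch is left out. The second case is the situation Philippe's thread describes, a forwarding hop that keeps X-Mailer but rewrites Message-ID.

```python
import re
from email import message_from_string

# Stand-in for __OE_MUA: X-Mailer claims Outlook Express.
OE_MUA_RE = re.compile(r"^Microsoft Outlook Express\b", re.I)
# Stand-in for __OE_MSGID_1..4 (assumption, not the SA rule text): the
# <12 hex>$<8 hex>$<8 hex>@host shape Outlook Express generates.
OE_MSGID_RE = re.compile(r"^<[0-9a-f]{12}\$[0-9a-f]{8}\$[0-9a-f]{8}@[^\s@>]+>$", re.I)


def evaluate(raw_headers):
    """Evaluate the __FORGED_OE branch of FORGED_MUA_OUTLOOK on one message
    and return every sub-rule with its result."""
    msg = message_from_string(raw_headers)
    mailer = msg.get("X-Mailer", "")
    msgid = (msg.get("Message-ID") or "").strip()
    hits = {
        "__OE_MUA": bool(OE_MUA_RE.match(mailer)),
        "__OE_MSGID": bool(OE_MSGID_RE.match(msgid)),
        # Stand-in for __UNUSABLE_MSGID: there is nothing to test against.
        "__UNUSABLE_MSGID": msgid == "",
    }
    # meta __FORGED_OE (__OE_MUA && !__OE_MSGID_* && !__UNUSABLE_MSGID)
    hits["__FORGED_OE"] = (hits["__OE_MUA"] and not hits["__OE_MSGID"]
                           and not hits["__UNUSABLE_MSGID"])
    hits["FORGED_MUA_OUTLOOK"] = hits["__FORGED_OE"]
    return hits


# Constructed: headers as Outlook Express itself writes them.
GENUINE_OE = """\
From: someone@example.net
To: warehouse@example.org
Subject: order 373
Message-ID: <000901c8af72$8920cd60$6401a8c0@server>
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

"""

# Constructed: the same mail after a forwarding hop replaced the
# Message-ID with its own but left X-Mailer untouched.
FORWARDED_OE = GENUINE_OE.replace(
    "<000901c8af72$8920cd60$6401a8c0@server>",
    "<20080506191305.GA12345@relay.example.com>")

# Constructed: Message-ID dropped entirely, as in the redacted archive copy.
NO_MSGID = "\n".join(line for line in GENUINE_OE.splitlines()
                     if not line.startswith("Message-ID:")) + "\n"

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_OE), ("forwarded", FORWARDED_OE),
                       ("no message-id", NO_MSGID)):
        print(label, evaluate(raw))
```

This is also why the archived header above cannot be re-scored by hand: with Message-ID redacted, the decisive sub-rules have nothing to match.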


Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Jeff Koch wrote:


Hi Randy - here's the whole thing:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
 scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra..com
with SpamAssassin (version 3.2.4);
Tue, 06 May 2008 15:13:09 -0400
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: *SPAM* Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
libra..com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=3.0 
tests=FORGED_MUA_OUTLOOK,RDNS_NONE,

TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
*  0.1 RDNS_NONE Delivered to trusted network by a host with 
no rDNS
*  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam 
fingerprint
*  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS 
Outlook

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_4820ADC5.A4580A7F

This is a multi-part message in MIME format.

=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system libra.xxx.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

 pts rule name  description
 -- 
--
 0.1 RDNS_NONE  Delivered to trusted network by a host 
with no rDNS

 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 19:13:06 
-

Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

--=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
format=flowed;
charset=iso-8859-1;
reply-type=original
Content-Transfer-Encoding: 7bit


--=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -

Received: from server (216-99-214-161.dsl.aracnet.com [216.99.214.161])
by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on

 4.2 FORGED_MUA_OUTLOOK

 and are saying they are 100% certain that the email was sent from MS
 Outlook Express. Is this a known problem or are these users doing 
something

 wrong?

may be... can you show us headers of such e-mail?

meta __FORGED_OE

Re: False positive on forged_mua_outlook

2008-05-09 Thread Randy Ramsdell

Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Randy - here's the whole thing:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 26003 invoked by uid 89); 6 May 2008 19:13:09 -
Received: by simscan 1.3.1 ppid: 25931, pid: 25942, t: 2.6786s
 scanners: clamav: 0.88/m:45/d:5939 spam: 3.2.4
Received: from localhost by libra..com
with SpamAssassin (version 3.2.4);
Tue, 06 May 2008 15:13:09 -0400
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: *SPAM* Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
libra..com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.3 required=3.0 
tests=FORGED_MUA_OUTLOOK,RDNS_NONE,

TVD_PDF_FINGER01 autolearn=no version=3.2.4
X-Spam-Report:
*  0.1 RDNS_NONE Delivered to trusted network by a host with 
no rDNS
*  1.0 TVD_PDF_FINGER01 Mail matches standard pdf spam 
fingerprint
*  4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from 
MS Outlook

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_4820ADC5.A4580A7F

This is a multi-part message in MIME format.

=_4820ADC5.A4580A7F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system libra.xxx.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
[EMAIL PROTECTED] for details.

Content preview:  [...]

Content analysis details:   (5.3 points, 3.0 required)

 pts rule name  description
 -- 
--
 0.1 RDNS_NONE  Delivered to trusted network by a host 
with no rDNS

 1.0 TVD_PDF_FINGER01   Mail matches standard pdf spam fingerprint
 4.2 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


=_4820ADC5.A4580A7F
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -

Received: from server (216-99-214-161.dsl.araxxx.com [216.99.214.161])
by jade.aracnet.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.

--=_NextPart_000_0039_01C8AF72.8920CD60
Content-Type: text/plain;
format=flowed;
charset=iso-8859-1;
reply-type=original
Content-Transfer-Encoding: 7bit


--=_NextPart_000_0039_01C8AF72.8920CD60



At 04:29 PM 5/9/2008, Randy Ramsdell wrote:

Jeff Koch wrote:


Hi Matus:


Here's the header. We're seeing a lot of these now:


Received: from unknown (HELO jade.xx.com) (216.99.193.136)
  by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 6 May 2008 
19:13:06 -
Received: from server (216-99-214-161.dsl.aracnet.com 
[216.99.214.161])

by jade.xx.com (8.13.6/8.12.8) with SMTP id m46JD528000907
for [EMAIL PROTECTED]; Tue, 6 May 2008 12:13:05 -0700
Message-ID: [EMAIL PROTECTED]
From: Aindrea [EMAIL PROTECTED]
To: warehouse [EMAIL PROTECTED]
Subject: Camden Grey order 373
Date: Tue, 6 May 2008 12:13:04 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0039_01C8AF72.8920CD60
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.3959
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133

This is a multi-part message in MIME format.





At 01:05 PM 5/9/2008, Matus UHLAR - fantomas wrote:

On 09.05.08 12:08, Jeff Koch wrote:
 Our users are getting false positives with hits on

 4.2 FORGED_MUA_OUTLOOK

 and are saying they are 100% certain that the email was sent 
from MS
 Outlook Express. Is this a known problem or are these users 
doing something

 wrong?

may be... can you show us headers of such e-mail?

meta

Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Randy Ramsdell

DAve wrote:

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam 
and at the same time help me track spambots for my black list. This 
is free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure your 
domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. Even 
if I knew you personally, I don't think ethics or common sense would 
allow me to do so.


DAve
Not taking a position on this, but isn't outsourcing spam filtering 
normal? Although I would think one would think carefully about 
outsourcing their e-mail filtering, I don't think common sense or ethics 
have a whole lot to do with it.

mail.yourdomain.com MX 10
tarbaby.junkemailfilter.com MX 20

I will never actually receive your email. The recipient will always 
get a 451 error just after the DATA command. So if your servers are 
down you won't lose anything. A 451 error is an "I'm not ready, come 
back later" error.


This will help you reduce your spambot spam generally by half. Many 
spambots try the highest number MX records first and never try again. 
So these attempts just go away. Your system load drops, your spam is 
reduced, spamassassin doesn't have to work as hard. And some spammers 
will actually blacklist you because when they see a 
junkemailfilter.com host in the MX they don't even try because they 
know that it will only reduce their spambot army to even attempt to 
send a spam.


I have developed an extremely accurate way of detecting spambots and 
getting them listed on the first attempt to send spam. It involves 
detecting a combination of several sins that if they hit this 
combination, and most do, it's a virus infected spambot. Without 
going into great detail one of the unique things I look for is hosts 
not closing the connection with quit but rather allowing the 
connection to time out after receiving the 451 error. When you 
combine that it's the highest MX, no QUIT, and several other tests on 
HELO and other things I can get these hosts blacklisted which blocks 
their spam for everyone who uses my blacklists. And - unless you are 
huge - you can use my blacklists for free.


Here's what an SMTP session to my tarbaby server looks like.

telnet tarbaby.junkemailfilter.com 25
Trying 65.49.42.79...
Connected to tarbaby.junkemailfilter.com.
Escape character is '^]'.
220 tarbaby.junkemailfilter.com ESMTP Exim 4.68 Wed, 07 May 2008 
08:20:24 -0700

helo mydomain.com
250 tarbaby.junkemailfilter.com Hello vps8.ctyme.com [65.49.42.18]
mail from:
250 OK
rcpt to:[EMAIL PROTECTED]
250 Accepted
data
451 DEFER - Try a lower numbered MX record - 
http://www.junkemailfilter.com


So - if you are interested all you have to do is set your highest 
numbered MX to tarbaby.junkemailfilter.com. If you want to know more 
about my lists you can read about them here.


http://wiki.junkemailfilter.com/index.php/Main_Page

This is experimental. I'm looking to see what kind of useful data I 
can derive from this to see how well it works and if I'll continue it. 
Send me a private email if you have any questions.
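The exchange Marc pastes above (everything accepted up to DATA, then a 451, and whether the client bothers to QUIT) is easy to model without a network. This added example is not junkemailfilter.com's software: it is a small state machine for the server side of one such session plus a classifier that encodes the two "sins" the post actually names, no QUIT after the 451 and an unconvincing HELO. The host names, the HELO heuristic and the requirement that both sins be present are assumptions; the two client sessions are constructed.

```python
import re

DEFER_REPLY = "451 DEFER - Try a lower numbered MX record"
IP_LITERAL_RE = re.compile(r"^\[?\d{1,3}(?:\.\d{1,3}){3}\]?$")


class TarbabySession:
    """Server side of one SMTP session on the fake highest MX: accept
    everything up to DATA, defer with 451, and remember whether the
    client said QUIT afterwards."""

    def __init__(self):
        self.helo = None
        self.deferred = False
        self.quit_after_defer = False

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return "250 tarbaby.example Hello"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            return "250 Accepted"
        if verb == "DATA":
            self.deferred = True        # the body is never accepted
            return DEFER_REPLY
        if verb == "QUIT":
            if self.deferred:
                self.quit_after_defer = True
            return "221 tarbaby.example closing connection"
        return "500 unrecognized command"


def run_session(client_lines):
    """Feed a client's commands through one session; return the transcript
    as (client line, server reply) pairs and the final session state."""
    session = TarbabySession()
    transcript = [(line, session.handle(line)) for line in client_lines]
    return transcript, session


def classify(session):
    """Assumed simplification of the post's 'combination of sins'.  Reaching
    this host at all means the client tried the highest MX; on top of that
    it must have dropped the connection after the 451 without QUIT, and its
    HELO must not look like a fully qualified host name."""
    sins = {
        "no_quit_after_451": session.deferred and not session.quit_after_defer,
        "helo_not_fqdn": (session.helo is None or "." not in session.helo
                          or bool(IP_LITERAL_RE.match(session.helo))),
    }
    sins["listable"] = all(sins.values())
    return sins


# Constructed sessions.  A real MTA that receives 451 says QUIT and retries
# a lower-numbered MX; a spambot typically just lets the socket time out.
LEGIT_MTA = ["EHLO mx.example.net", "MAIL FROM:<postmaster@example.net>",
             "RCPT TO:<user@example.org>", "DATA", "QUIT"]
SPAMBOT = ["HELO workstation", "MAIL FROM:<offer@example.invalid>",
           "RCPT TO:<user@example.org>", "DATA"]   # connection then times out

if __name__ == "__main__":
    for name, lines in (("legit MTA", LEGIT_MTA), ("spambot", SPAMBOT)):
        transcript, session = run_session(lines)
        for client, server in transcript:
            print(f"C: {client}\nS: {server}")
        print(name, "->", classify(session), "\n")
```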











Re: Experimental - use my server for your high fake MX record

2008-05-07 Thread Randy Ramsdell

Marc Perkel wrote:



Randy Ramsdell wrote:

DAve wrote:

Marc Perkel wrote:
Looking for a few volunteers who want to reduce their spambot spam 
and at the same time help me track spambots for my black list. This 
is free and mutual benefit. I (junkemailfilter.com) want to be your 
highest numbered fake MX record. Here's how you would configure 
your domain:


A generous offer and an admirable effort. But if you think I or my 
clients are going to route mail to your servers you are mistaken. 
Even if I knew you personally, I don't think ethics or common sense 
would allow me to do so.


DAve
Not taking a position on this, but isn't outsourcing spam filtering 
normal? Although I would think one would think carefully about 
outsourcing their e-mail filtering, I don't think common sense or 
ethics have a whole lot to do with it.




Thanks Randy,

I am in the outsourced spam filtering business so this all seems 
natural to me. And I look at it as win/win. I get useful data, the 
person letting me use their high numbered MX record gets some spam 
reduction. I'm not interested in the content of the message or 
anything other than catching the IP addresses of virus infected spam 
bots. That's all I want to do.


I think Sender Score does something similar, but I am not very familiar 
with how they obtain stats. I recall something about an ISP, etc. 
providing log data and then using the data to rate domains. Comcast 
started using them. Personally, I wasn't impressed with the data they 
had for certain domains, especially our own, and I see a need to improve 
that actually.


As DAve pointed out, getting someone to redirect corporate e-mail to you 
for testing may not be something people could or would do. As a paid 
vendor for someone with appropriate agreements, it becomes more reasonable.


Re: Connection timed out

2008-05-01 Thread Randy Ramsdell

Ross Boylan wrote:

On Thu, 2008-05-01 at 13:54 -0400, Jean-Paul Natola wrote:
  

OPTIONS=--create-prefs --max-children 5 --helper-home-dir \
--username=mail --socketpath=/var/run/spamd/socket



I'm running on a Pentium 4 with hyperthreading, which appears as 2 CPU's
to the OSs.  There's really only 1 CPU.  I wonder if that could have
something to do with the trouble.
  



How much ram do you have, are you exceeding your physical mem?

 



2G physical + 2G swap.  I don't think I'm exceeding it.

Ross

  
Look for OOM messages in /var/log/messages. If you run out of swap you 
will see errors as it kills off processes.


Re: Extra long domain names rule?

2008-04-24 Thread Randy Ramsdell

Bookworm wrote:


I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to not
so much check links, but count periods.

I was going to put in the web address that I received as an example, 
but I think that's why this is a second attempt - the first one never 
went through.


Basically, it's a 'colonial bank' scam - it uses eleven sections to 
the domain name - 10 periods.  (What would that be - I mean, we have 
TLD for the .com/net/etc, second level domain names for the bleah.com 
domains.. what would you say it is for an 11th level?)


In general, you see fewer than four periods in a domain name - but I've
seen this sort of behavior in spams before.

Thoughts?

(I'm just a general administrator.  I use other people's rules, I
haven't had time to learn to make my own)

BW


I noticed you started a thread a few days ago with the exact same body 
and a changed subject. There are 10-20 replies to that thread, so I am 
not sure why you started exactly the same thread again a week later.

My suggestion would be to read that thread.

rcr


Re: S-P-A-M Extra long domain names rule?

2008-04-21 Thread Randy Ramsdell

Bookworm wrote:

I'm starting to see some new phishing/scam attempts.

What I was thinking was that it might be worthwhile to add a rule to 
not so much check links, but count periods.

Here's the example that just came in my email -

(removing http:// ) - 
connect.colonialbank.webbizcompany.c6b5r64whf623lx426xq.secureserv.onlineupdatemirror81105.colonial.certificate.update.65tw.com/logon.htm 



Notice that there are ten periods.  That makes it be an eleventh level 
domain name? :)


In general, you see fewer than four periods in a domain name - but 
I've seen this sort of behavior in spams before.

Thoughts?

(I'm just a general administrator.  I use other people's rules, I 
haven't had time to learn to make my own)


BW

I haven't, but I think a rule for this would be a good idea. I always 
write rules then check them every so often with a custom perl script.


Re: False Negatives

2008-04-17 Thread Randy Ramsdell

mouss wrote:

Koopmann, Jan-Peter wrote:

http://pastebin.com/m16055c85



Content analysis details:   (9.6 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: diroma.us]
 0.5 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
                            [SPF failed: Please see
                            http://www.openspf.org/Why?id=mail4.go-concepts.com&ip=10.1.5.17&receiver=proxy.intern.seceidos.de]
 0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 2.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.7 SARE_BANK_URI_IP       SARE_BANK_URI_IP
 0.1 CRM114_CHECK           CRM114: message is UNSURE with crm114-score -2.0200

 unwanted language 


It was not on uribl/surbl when OP sent it, and unwanted language 
isn't appropriate for everybody. I ran a test on the first (when OP 
sent it) and it scored a little less than 5 (I don't remember if DCC 
was hit, but razor was).
It really doesn't matter to me whether it was on uribl/surbl when he 
sent it. I provided what our server marked this as, as an example of 
rules that he could look at as to why it was scored low. Other people 
that don't use unwanted language may not need it, but in some cases it 
helps, specifically this case. I ran a test on our log and could not 
find one incident of hitting the unwanted rule, so maybe he should use 
it. I also stated that bayes would help mostly in the cases he provided.


thanks.
rcr


Re: False Negatives

2008-04-16 Thread Randy Ramsdell

Tony Bunce wrote:

Hi everyone,

I'm starting to see a noticeable amount of messages sneaking by spamassassin with 
scores mostly in the 3-4 range but some as low as 1 point.

I'm running 3.2.4 with SARE, sought, and Botnet.   We don't use bayes.  Here are 
some samples of messages that have got through:
http://pastebin.com/m16055c85
http://pastebin.com/m52635526
http://pastebin.com/m491c4882
http://pastebin.com/m7c1240f2


Anyone have any suggestions?

Thanks in advance!


---
Tony Bunce: [EMAIL PROTECTED]
Sr. Programming Systems Administrator - GO Concepts Inc.
  
I think in our case, bayes would put these above the top. Without bayes 
or custom rules, these messages would not be marked as spam currently.


For the first:
Content analysis details:   (5.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 URIBL_RED              Contains an URL listed in the URIBL redlist
                            [URIs: 71.187.15.19]
-0.4 AWL                    AWL: From: address is in the auto white-list


Re: Blank messages

2008-04-03 Thread Randy Ramsdell
Ed Kasky wrote:
 I can't seem to catch these emails with blank bodies.  I upped the
 BLANK_LINES_80_90 score to 3 but the email below didn't get a hit off
 the rule.

 Is there another rule that I don't know about that is designed for
 blank message bodies?

 Thanks in advance on this one.  These things have been plaguing me for
 some time and no matter how many I run through sa-learn, they never
 seem to score above a 5...

 Return-Path: [EMAIL PROTECTED]
 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
 yoda.wrenkasky.com
 X-Spam-Level: *
 X-Spam-Status: No, score=5.3 required=6.9 tests=BAYES_99,HTML_MESSAGE,
 RDNS_DYNAMIC,SARE_OBFU_MILLIONS autolearn=no version=3.2.4


 Ed Kasky
 ~
 Randomly Generated Quote (758 of 1229):
 Lots of times you have to pretend to join a parade in which you're
 not really interested in order to get where you're going.
 -Christopher Morley, writer (1890-1957)


It scored 5, but your cutoff is 6.3.


Re: Not scoring high enough on this spam...

2008-03-28 Thread Randy Ramsdell

Andrew Hearn wrote:

http://pastebin.ca/961075

I've only seen one so far but apart from the 0.0 BAYES_50 (I will 
learn this message), does anyone have rules that pushes this kind of 
message over 5.0?


thanks!

Andrew


If you learn the message which = 3.5 wouldn't that put the score +5?


Re: Improving a spam report?

2008-03-12 Thread Randy Ramsdell

mouss wrote:

Matus UHLAR - fantomas wrote:

On 11.03.08 12:16, Jay Langley wrote:
 

Below I have offered the content of my spam score report generated by
Spam Assassin.   We are Kintera subscribers.  Problem is I don't know
how to make changes in the text that will result in a better score. 


you should turn on network rules, allow plugins and install appropriate
software (razor, pyzor, DCC). see *.pre settings in spamassassin config
directory. Note that using some network checks (DCC, spamhaus filters)
requires additional steps when receiving many (100k) mails per day.

  


my understanding is that he sends mail and wants to know how to get a 
lower score. In other words, his question is "how do I make sure my mail 
won't be tagged as spam by others?".

Ok, then I would change the email so that this rule doesn't trigger: 
"0.7 HTML_TITLE_UNTITLED BODY: HTML title contains Untitled". I don't know 
for sure, but it says that the title is untitled, so I would add a title.


Randy Ramsdell


Re: Scanning without attachments

2008-03-12 Thread Randy Ramsdell

Drew Burchett wrote:

I've noticed a new trend in spam on my mail server that is getting by
SpamAssassin.  The spammer is creating his message and then attach a
couple of garbage PDFs to the email.  These PDFs make it too large for
SpamAssassin to scan the message, so it gets by the system.  I have
tried turning up the size so SpamAssassin will scan it, but it takes WAY
too long to scan a message.  Does anyone have any suggestions on how I
could catch/scan these messages without putting too much of a load on
SpamAssassin?

Drew Burchett
United Systems & Software
Ph:  (270)527-3293
Fax:  (270)527-3132


  


And it works too. I suppose more spammers don't use this technique more 
often and so far, I have not found a nice way to deal with it.


Re: SpamAssassin GUI

2008-03-12 Thread Randy Ramsdell

Peter Kingsbury wrote:


Hello,

Since installing SpamAssassin on my company’s Exchange server, I 
wanted to make kludging through potential spam/ham messages faster 
than using the slow remote desktop interface that is in place.


I wrote a program which allows an admin to quickly scan SA-filtered 
messages, and move them to the Learn-Ham or Learn-Spam directories 
with single keystrokes. I have found the program quite useful, and 
want to share it (source and application) with whomever is interested.


I coded the application in VB.NET using MS’s free Visual Studio.NET 
Express 2008, so I guess it could be ported to other OS’s that use 
Mono too. Not sure if it would be totally useful in that environment, 
but as I strongly believe in open source software, I want to 
contribute where I can.


If you’re interested, please drop me a line at 
[EMAIL PROTECTED]


Best regards,

- Peter



Sincerely, thank you for this effort.

If you want to support OSS then why code it in a patent encumbered 
language. I actually don't know what licenses the software uses, but I 
do know that I would never ask my company to use it simply based on the 
fact that I wouldn't want some patent issues creeping in.


Randy Ramsdell


Re: Scanning without attachments

2008-03-12 Thread Randy Ramsdell

Henrik K wrote:

On Wed, Mar 12, 2008 at 09:48:37AM -0400, Randy Ramsdell wrote:
  

Drew Burchett wrote:


I've noticed a new trend in spam on my mail server that is getting by
SpamAssassin.  The spammer is creating his message and then attach a
couple of garbage PDFs to the email.  These PDFs make it too large for
SpamAssassin to scan the message, so it gets by the system.  I have
tried turning up the size so SpamAssassin will scan it, but it takes WAY
too long to scan a message.  Does anyone have any suggestions on how I
could catch/scan these messages without putting too much of a load on
SpamAssassin?

Drew Burchett
United Systems & Software
Ph:  (270)527-3293
Fax:  (270)527-3132


  
  
And it works too. I suppose more spammers don't use this technique more  
often and so far, I have not found a nice way to deal with it.



Probably ClamAV is the way to go for big messages. Try Sanesecurity
signatures if you don't already.

  
You can use spamassassin and clamav with or without Amavis, but to check 
the message, you must make a system wide change that will affect every 
message. Bypassing file size limits with any of those setups might not 
be an ideal solution. After a brief read on Sanesecurity signatures, it 
appears that the size limits will still come into the equation and 
again, a system wide setting change is required.


Randy Ramsdell


Re: Scanning without attachments

2008-03-12 Thread Randy Ramsdell

Henrik K wrote:

On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
  
You can use spamassassin and clamav with or without Amavis, but to check  
the message, you must make a system wide change that will affect every  
message. Bypassing file size limits with any of those setups might not  
be an ideal solution. After a brief read on Sanesecurity signatures, it  
appears that the size limits will still come into the equation and  
again, a system wide setting change is required.



What are you talking about? I have no limits on size for ClamAV scans.

  
I am talking about message/attachment size limits or was that a 
rhetorical question? You can set the size limit which I believe is 
StreamMaxLength. From the docs, this should be set to the mail server 
size limit so maybe it isn't a factor. The addon for clamav does seem to 
be interesting given this.


rcr


Re: Scanning without attachments

2008-03-12 Thread Randy Ramsdell

Henrik K wrote:

On Wed, Mar 12, 2008 at 11:16:32AM -0400, Randy Ramsdell wrote:
  

Henrik K wrote:


On Wed, Mar 12, 2008 at 10:23:14AM -0400, Randy Ramsdell wrote:
  
  
You can use spamassassin and clamav with or without Amavis, but to 
check  the message, you must make a system wide change that will 
affect every  message. Bypassing file size limits with any of those 
setups might not  be an ideal solution. After a brief read on 
Sanesecurity signatures, it  appears that the size limits will still 
come into the equation and  again, a system wide setting change is 
required.



What are you talking about? I have no limits on size for ClamAV scans.

  
  
I am talking about message/attachment size limits or was that a  
rhetorical question? You can set the size limit which I believe is  
StreamMaxLength. From the docs, this should be set to the mail server  
size limit so maybe it isn't a factor. The addon for clamav does seem to  
be interesting given this.



Of course it's not a factor. StreamMaxLength is only applied when the clamd
daemon is on a separate server. And even more, the default is 10MB which is
more than enough for what we are talking about. I really doubt spammers
would be sending _that_ big files.

  
I agreed that size does not matter. :) But I was mostly responding to 
your statement "I have no limits on size for ClamAV scans", but there 
are message size limits that can be set. So you do have limits.

Just get the Sanesecurity signatures and be done with it, it will help a lot
in any case. Maybe it has signatures for these big spams too. Also if you
are using amavisd-new, you should set virus_name_to_spam_score_maps
accordingly.

  
Just get Sanesecurity signatures even though it has nothing to do with 
the large file attachments directly? I actually looked into this 
technology because of the thread, but it doesn't help in my case. 


Re: Whitelist Question

2008-03-11 Thread Randy Ramsdell

[EMAIL PROTECTED] wrote:


Here is the header info. What is the alternate solution to using 
whitelist_from? I have also been trying to set up AWL via MySQL... no 
luck on that.

I use Exim for mail, then it relays to Lotus Domino... if that helps.


Content analysis details:   (5.7 points, 10.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium trust
                            [199.67.179.116 listed in list.dnswl.org]
 1.0 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.8 SUBJ_ALL_CAPS          Subject is all capitals
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.4 SARE_GIF_ATTACH        FULL: Email has a inline gif
 1.5 MY_CID_AND_ARIAL2      SARE CID and Arial2


This isn't the full header. A full header will show exactly what to 
whitelist.

1. Did you restart spamd or amavis/spamd?

On Tue, 11 Mar 2008, [EMAIL PROTECTED] wrote:

 I add users to whitelist in the local.cf file whitelist_from
 [EMAIL PROTECTED] but they still get tagged as Spam, is there an
 alternative solution.

(2) Post *all* the headers from a message that was incorrectly marked as
spam, as well as the whitelist command you put in that you think should
have whitelisted that message.


Re: China TLD links

2008-02-29 Thread Randy Ramsdell

Karsten Bräckelmann wrote:

On Thu, 2008-02-28 at 18:04 -0500, Daryl C. W. O'Shea wrote:
  

Of course, now that I've used the word whore three times and quoted it
once I'm sure I'll get a deluge of bounces (not rejects) from people
running Microsoft's Antigen for SMTP.

http://daryl.dostech.ca/blog/2008/02/22/microsoft-antigen-brain-dead-content-filter/



Yes!

There's at least one user on this list, somewhere behind an MS Antigen
for SMTP, apparently run by psp.com (thank you, Sony), which has been
bugging me a couple times already when answering questions. The OP dared
to munge private email addresses:

  Filter name: KEYWORD= spam: xxx 

I would not have expected anyone on *this* list to run such a stupid
single-word content filter. But hey, the subscriber is unlikely to get
a lot of traffic from this list anyway passed beyond that wall...

I'm curious to see the reason for /dev/null'ing this mail and instead
send out a useless and annoying note. Which one will win the race, whore
or triple x? :)

  guenther

  
Blocking is one thing, but scoring is another. Aren't single words 
defined in many rules for spamassassin? I know "fsck" and "v%%gra" are, 
which are not part of a meta rule. I do agree, however, that anything 
M$ does is stupid.

Re: aren't SPF_ rules network?

2008-02-29 Thread Randy Ramsdell

Matus UHLAR - fantomas wrote:

Hello,

I wonder if SPF rules shouldn't be considered network... they require DNS
lookups, don't they?
  

Yes. Network related.


AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Hi,

One thing I do not understand regarding AWL and BAYES. When a message is 
reported to me as spam and was not marked as spam, I test it using debug 
before and after sa-learn. Each time I do this, BAYES_99 does hit, but 
they will also include AWL.


1. Does anyone understand why this happens?
2. I also noticed that when using spamassassin -D on a message, I 
sometimes see a nice report like below (2nd example) but other times it 
doesn't show report formatted. Any ideas on this one?


Here is an example of two spam report headers for the same message.

Before sa-learn:

X-Spam-Status: No, score=3.982 tagged_above=- required=5
tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]
X-Spam-Score: 3.982
X-Spam-Level: ***

After sa-learn:

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 SUB_HELLO              Subject starts with Hello
 0.8 UNDISC_RECIPS          Valid-looking To undisclosed-recipients
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419)
-1.2 AWL                    AWL: From: address is in the auto white-list

Thanks,
Randy Ramsdell


Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Jari Fredriksson wrote:

Hi,

One thing I do not understand regarding AWL and BAYES.
When a message is reported to me as spam and was not
marked as spam, I test it using debug before and after
sa-learn. Each time I do this, BAYES_99 does hit, but
they will also include AWL. 


1. Does anyone understand why this happens?
2. I also noticed that when using spamassassin -D on a
message, I sometimes see a nice report like below (2nd
example) but other times it doesn't show report
formatted. Any ideas on this one? 




If I understood you correctly..

In your samples, the first run gets 3.9 points, which is less than needed to 
classify the post as spam. The second run (after the learning) gets 5.2 points, 
which is more than needed to classify the post as spam.

  
No. What I wanted to know is why messages that are passed through 
sa-learn include AWL as well as BAYES_99. Notice the message did not hit 
AWL initially, but did so after the sa-learn process. Giving a message an 
AWL score of -1.2 and a BAYES score of 3.5 makes the two compete with 
each other to mark this message as spam.

Your configuration prints the formatted report only for spam. There is no point 
in delivering reports to users for email which is  not spam.

  

Sweet thanks for this.


The limit for spam is 5.0 points (as the report says, 5.0 required), which is 
the default and a pretty good value.


Here is an example of two spam report headers for the
same message. 


Before sa-learn:

X-Spam-Status: No, score=3.982 tagged_above=- required=5
tests=[ADVANCE_FEE_1=0, BAYES_60=1, SUB_HELLO=2.141, UNDISC_RECIPS=0.841]
X-Spam-Score: 3.982
X-Spam-Level: ***

After sa-learn:

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.1 SUB_HELLO              Subject starts with Hello
 0.8 UNDISC_RECIPS          Valid-looking To undisclosed-recipients
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419)
-1.2 AWL                    AWL: From: address is in the auto white-list


Thanks,
Randy Ramsdell


Re: AWL - BAYES_99/ general questions

2008-02-28 Thread Randy Ramsdell

Karsten Bräckelmann wrote:

On Thu, 2008-02-28 at 09:21 -0500, Randy Ramsdell wrote:
  

Hi,

One thing I do not understand regarding AWL and BAYES. When a message is 
reported to me as spam and was not marked as spam, I test it using debug 
before and after sa-learn. Each time I do this, BAYES_99 does hit, but 
they will also include AWL.


1. Does anyone understand why this happens?



AWL is a score averager. SA has seen that sender before.
  http://wiki.apache.org/spamassassin/AutoWhitelist

Run it through SA again, and you will see the AWL score getting closer
to 0, since the score without AWL is constant. The AWL score is
negative, because previous scores have been lower.

  guenther


  
I understand that AWL is averaging what it has seen before and it must 
have seen the message as ham, but why would one have to sa-learn the 
message as spam multiple times? This also means that a system wide 
approach to improving our SPAM effectiveness requires me to parse the AWL 
score after sa-learning the message to determine if I need to run it 
again. This would be a monumental task and very resource intensive. 
Wouldn't a better approach be to set AWL to max positive if I manually 
learn the message as spam? Or is there a way to modify the DB to correct 
the previous AWL hits on this message?
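As an added illustration (not from the thread), this Python simulation of the AWL averaging guenther describes replays the numbers from Randy's two reports: assuming the plugin's default auto_whitelist_factor of 0.5, the correction is (mean of earlier scores - current score) * 0.5, which gives -1.2 for a message that first scored 3.982 and scores 6.4 after sa-learn. It is simplified in keying history by sender address only (the real AWL also folds in part of the sending IP) and it models only scans, since sa-learn does not update the AWL store.

```python
"""Simulate SpamAssassin's AWL score averaging (added example, not SA code).

AWL keeps, per sender, the running total and count of scores *before* the
AWL adjustment.  On each scan it adds a correction

    delta = (historical_mean - current_score) * auto_whitelist_factor

where auto_whitelist_factor defaults to 0.5, and then records the current
score.  Assumptions in this model: history is keyed by sender address only
(the real plugin also mixes in part of the originating IP), and only scans
update it; running sa-learn on a message does not touch the AWL store.
"""
from dataclasses import dataclass, field


@dataclass
class AutoWhitelist:
    factor: float = 0.5
    # sender -> (sum of pre-AWL scores, number of messages seen)
    history: dict = field(default_factory=dict)

    def delta(self, sender: str, score: float) -> float:
        """AWL correction for this message; 0.0 for a never-seen sender."""
        total, count = self.history.get(sender, (0.0, 0))
        if count == 0:
            return 0.0
        mean = total / count
        return (mean - score) * self.factor

    def scan(self, sender: str, score: float) -> tuple[float, float]:
        """Score one message: return (awl_delta, final_score) and record it."""
        d = self.delta(sender, score)
        total, count = self.history.get(sender, (0.0, 0))
        self.history[sender] = (total + score, count + 1)
        return d, score + d


def replay_thread_example(factor: float = 0.5) -> list[tuple[float, float]]:
    """Replay the thread's numbers.

    The message first scored 3.982 (BAYES_60).  After sa-learn the same
    message scores 6.4 before AWL: SUB_HELLO 2.1 + UNDISC_RECIPS 0.8 +
    BAYES_99 3.5 + ADVANCE_FEE_1 0.0.  Rescanning it repeatedly shows the
    negative AWL term shrinking toward 0, as the reply above describes.
    """
    awl = AutoWhitelist(factor=factor)
    sender = "sender@example.invalid"           # constructed placeholder
    results = [awl.scan(sender, 3.982)]         # original delivery
    for _ in range(4):                          # re-scans after sa-learn
        results.append(awl.scan(sender, 6.4))
    return results


if __name__ == "__main__":
    for n, (d, final) in enumerate(replay_thread_example()):
        print(f"scan {n}: AWL {d:+.3f} -> final score {final:.3f}")
```

The second scan reproduces the report above (AWL -1.2, total 5.2); by the fifth the AWL term is about -0.3, which is why a single sa-learn does not immediately push a previously-ham sender over the threshold.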


Re: China TLD links

2008-02-28 Thread Randy Ramsdell

JP Kelly wrote:

any takers on this?


On Feb 27, 2008, at 2:31 PM, Chip M. wrote:


The main thing that stands out (to me) is the China TLD in the URL.
We block all those on sight (unless they're in the recipient's domain 
skip

list - so far, none of my users have any China TLDs in theirs).

Perhaps one of the regex gurus will whip you up a rule. :)


* Both should be run through a manual sa-learn. ( It would have caught 
the first example )
* As Chip wrote earlier, each message has China based links in it. 
Mark those.
* If this is a company server, I would certainly not have an issue with 
blocking or adding a high score for the word Whore and could do 
something with the word Schoolgirl.


Randy Ramsdell


Re: [OT] Yahoo Deferred

2008-02-26 Thread Randy Ramsdell

Matt wrote:

Is anyone else having issues sending mail to Yahoo?



Yes.  I have heard using Domainkeys or DKIM helps greatly?  Is that
true?  We have not implemented it yet but do use SPF records which are
much easier to implement with Exim or any MTA and do mostly the same
thing if you ask me.

Matt
  
We use Domainkeys and have used the newer DKIM and spf records  and it 
does not work with yahoo.


Re: Email with no hits and required

2008-02-26 Thread Randy Ramsdell

Massimiliano Marini wrote:

System: Debian with Qmail + QmailScanner + SpamAssassins + ClamAV
Installation: qmailrocks.org

I've updated SA (original from qmailrocks.org 3.0.2) to 3.2.4 
my locale.cf is :


rewrite_header Subject *SPAM*
report_safe 0
required_score 4
required_hits 5
use_bayes 1

Question 1. The email still tagged like this:

Received: from  ... [snip] ... with qmail-scanner-1.25-st-qms
(clamdscan: 0.83/705. spamassassin: 3.0.2. perlscan: 1.25-st-qms.
^^
I've updated to 3.2.4
spamd -V :
SpamAssassin Server version 3.2.4
  running on Perl 5.8.4

  
I can only guess that you still have two versions of spamassassin 
installed. I would search the disk for multiple copies of 
spamd/spamc/spamassassin and remove the older version. Also remember 
that spamassassin probably runs as non-root or at least, it should.



Question 2. And some email have this tag

X-Spam-Status: No, hits=? required=?

Why?

Cheers
--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
It's easier to invent the future than to predict it.  -- Alan Kay
  

Re: [OT] Yahoo Deferred

2008-02-25 Thread Randy Ramsdell

SM wrote:

At 08:54 25-02-2008, Tony Bunce wrote:

Is anyone else having issues sending mail to Yahoo?


No.

They are returning "421 Message temporarily deferred" to every message 
my servers try to send.  My server then retries like it should but 
yahoo never accepts the message, even after a day of retrying.
Google turned up several people having the same issue but no one with 
a solution.  My DNS is right, I have SPF records, and sign outgoing 
messages using DomainKeys.


They are deferring connections from your mail servers due to spam or 
complaints.


Regards,
-sm
Incorrect! They rate limit everyone. If your mail isn't being delayed, 
then you do not send much mail to them. This has been an issue as long 
as I can remember and nothing works to help. Use DKIM/DomainKeys, rotate 
e-mail to different IPs, fill out ALL their forms and comply with all 
their rules. This will not put you on their whitelist and they do not 
have a formal feedback loop. I have formally asked that we warn our 
users not to use Yahoo email addresses for this reason. As a matter of 
fact, I have been able to work with every other large e-mail provider/ 
ISP (AOL/Comcast/Netzero, etc.) and work out e-mail issues with them. 
I even have several contact numbers directly to the administrators of these 
companies. Yahoo simply sucks in this regard and they have not yet 
figured out a way to properly set up restrictions so bulk e-mailers may 
send e-mail. If you are going to store the largest number of e-mail 
accounts, then you will receive bulk mail.


Randy Ramsdell



Re: New credit card scams .. how to catch these

2008-01-04 Thread Randy Ramsdell

ram wrote:

https://ecm.netcore.co.in/tmp/dinner.eml.txt



The scam works like this:

They send you a mail asking whether you accept credit cards at your
hotel. 

They get you to confirm you will accept credit card for payment. Once 
you agree they ask you to bill them extra fictional charges for taxis, 
etc on the card, and then wire transfer back (a portion) of the 
fictional overcharges. The victim thinks he will make some extra free 
money on top of the dinner charges.


The people never show for dinner, and you are out the wire transfer
amount.



And my SA scores nothing on this spam ? 

Thanks
Ram

  


1. bayes gave it  -2.60, so relearn it.
2. Gather a few messages and look for similarities then create a meta 
rule that will match those and only those.
3. Since it comes from hotmail, report it. I really don't know how 
responsive they are so YMMV.


Randy Ramsdell


Re: FORGED_YAHOO_RCVD

2008-01-02 Thread Randy Ramsdell

Loren Wilton wrote:

score FORGED_YAHOO_RCVD 0

   Loren


Ok thanks, turning it off works. Should I edit the *.cf files or is there 
another way to turn it off instead of setting things up so updates kill 
off the setting? Anyway, I would think the rule is useful to some extent 
and if not, why is it included with spamassassin?


Re: FORGED_YAHOO_RCVD

2008-01-02 Thread Randy Ramsdell

Loren Wilton wrote:
Ok thanks, turning it off works. Should I edit the *.cf files or is 
there another way to turn it off instead of setting things up so 
updates kill off the setting? Anyway, I would think the rule is 
useful to some extent and if not, why is it included with spamassassin?


Put it in local.cf.  That is where local adjustments to release rules 
and such should go.


Which version are you running?  I had vaguely thought that this rule 
had been dropped a while ago for poor hitrate, but I may be confusing 
it with some other rules.  There have been problems with both Yahoo 
and AOL changing their configurations enough recently to end up 
getting FPs on these sort of rules.


As a general thing, rules are added and scored because *at the time 
they are scored* they do well against spam on the test corpuses of 
spam.  That is no guarantee that they will necessarily work for 
someone else with a much different mail stream, although of course we 
all hope that they will turn out fairly well in most cases.  Also, the 
rules did well when they are scored.  Depending on how fast things 
change, they may not do well at all years, months, or possibly even 
weeks later.


If you are not using it, you should look into turning on spamassassin 
updates.  There are updated rule sets available for the more recent 
releases that will change scores and add or subtract rules to match 
the latest corpus characteristics.


   Loren


We are using 3.1.1 ( distro patched ) until we upgrade our servers to a 
newer version.



Thanks,
Randy


Manual check vs. auto

2007-12-13 Thread Randy Ramsdell

Hi,

I have been doing some checking of spam messages that make it through our 
mail filtering systems and noticed that the spam score does not reflect 
what I get when checking manually.


An example spam report:

X-Spam-Status: No, score=3.068 tagged_above=- required=5
tests=[BAYES_50=0.001, HELO_DYNAMIC_DHCP=3.066, HTML_MESSAGE=0.001]
X-Spam-Score: 3.068



But when using spamassassin -D -lint  $message it hits more rules:

Content analysis details:   (12.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.1 HELO_DYNAMIC_DHCP      Relay HELO'd using suspicious hostname (DHCP)
 2.0 TVD_FUZZY_DEGREE       BODY: TVD_FUZZY_DEGREE
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [41.212.143.24 listed in zen.spamhaus.org]
 0.0 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [41.212.143.24 listed in zen.spamhaus.org]

That is a big difference!

Any ideas about why this is?

Thanks,
Randy Ramsdell

Re: Manual check vs. auto

2007-12-13 Thread Randy Ramsdell

Theo Van Dinter wrote:

On Thu, Dec 13, 2007 at 11:29:21AM -0500, Randy Ramsdell wrote:
  
I have been doing some checking of spam messages that make it through our 
mail filtering systems and noticed that the spam score does not reflect 
what I get when checking manually.


An example spam report:
X-Spam-Status: No, score=3.068 tagged_above=- required=5
tests=[BAYES_50=0.001, HELO_DYNAMIC_DHCP=3.066, HTML_MESSAGE=0.001]
X-Spam-Score: 3.068

But when using spamassassin -D -lint  $message it hits more rules:


[...]
  

3.5 BAYES_99       BODY: Bayesian spam probability is 99 to 100%
3.9 RCVD_IN_XBL    RBL: Received via a relay in Spamhaus XBL
0.0 RCVD_IN_PBL    RBL: Received via a relay in Spamhaus PBL

That is a big difference!
Any ideas about why this is?



It appears that the first results are a) using a different Bayes DB,
and b) not using network tests (aka: local mode).

  


This is a log message from our server which shows it checks 
sbl-xbl.spamhaus.org and rejects the message. Also it is using a different 
Bayes DB and I am not sure about that either. Actually I think I do and 
will check, but it looks like I need to sort out some things here.


postfix/smtpd[10855]: NOQUEUE: reject: RCPT from 
acd34.internetdsl.tpnet.pl[83.16.55.34]: 554 Service unavailable; Client 
host [83.16.55.34] blocked using sbl-xbl.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=83.16.55.34; 
from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] 
proto=ESMTP helo=acd34.internetdsl.tpnet.pl





Re: Manual check vs. auto

2007-12-13 Thread Randy Ramsdell

Randy Ramsdell wrote:

Theo Van Dinter wrote:

On Thu, Dec 13, 2007 at 11:29:21AM -0500, Randy Ramsdell wrote:
 
I have been doing some checking of spam messages that make it through our 
mail filtering systems and noticed that the spam score does not 
reflect what I get when checking manually.


An example spam report:
X-Spam-Status: No, score=3.068 tagged_above=- required=5
tests=[BAYES_50=0.001, HELO_DYNAMIC_DHCP=3.066, HTML_MESSAGE=0.001]
X-Spam-Score: 3.068

But when using spamassassin -D -lint  $message it hits more rules:


[...]
 
3.5 BAYES_99   BODY: Bayesian spam probability is 99 to 
100%

3.9 RCVD_IN_XBL    RBL: Received via a relay in Spamhaus XBL
0.0 RCVD_IN_PBL    RBL: Received via a relay in Spamhaus PBL

That is a big difference!
Any ideas about why this is?



It appears that the first results are a) using a different Bayes DB,
and b) not using network tests (aka: local mode).

  


This is a log message from our server which shows it checks 
sbl-xbl.spamhaus.org and rejects the message. Also it is using a 
different Bayes DB and I am not sure about that either. Actually I think 
I do and will check, but it looks like I need to sort out some things 
here.


postfix/smtpd[10855]: NOQUEUE: reject: RCPT from 
acd34.internetdsl.tpnet.pl[83.16.55.34]: 554 Service unavailable; 
Client host [83.16.55.34] blocked using sbl-xbl.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=83.16.55.34; 
from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] 
proto=ESMTP helo=acd34.internetdsl.tpnet.pl



Correction.

1. Obviously the log above was from postfix and not spamassassin and 
spamassassin is probably set up for local only! But this leads to an 
interesting question. How would postfix sbl-xbl checks miss this and 
spamassassin not? It does appear as if that is the case.


2. The bayes are different as one was root and the other was the user 
that spamassassin runs as. The root bayes seems much better for this 
particular e-mail. Is it recommended to swap these databases as I 
believe some learning was done as the wrong user?





Re: Manual check vs. auto

2007-12-13 Thread Randy Ramsdell

Richard Frovarp wrote:

Randy Ramsdell wrote:

Randy Ramsdell wrote:

Theo Van Dinter wrote:

On Thu, Dec 13, 2007 at 11:29:21AM -0500, Randy Ramsdell wrote:
 
I have been doing some checking of spam messages that make it through 
our mail filtering systems and noticed that the spam score does 
not reflect what I get when checking manually.


An example spam report:
X-Spam-Status: No, score=3.068 tagged_above=- required=5
tests=[BAYES_50=0.001, HELO_DYNAMIC_DHCP=3.066, HTML_MESSAGE=0.001]
X-Spam-Score: 3.068

But when using spamassassin -D -lint  $message it hits more rules:


[...]
 
3.5 BAYES_99   BODY: Bayesian spam probability is 99 
to 100%

3.9 RCVD_IN_XBL    RBL: Received via a relay in Spamhaus XBL
0.0 RCVD_IN_PBL    RBL: Received via a relay in Spamhaus PBL

That is a big difference!
Any ideas about why this is?



It appears that the first results are a) using a different Bayes DB,
and b) not using network tests (aka: local mode).

  


This is a log message from our server which shows it checks 
sbl-xbl.spamhaus.org and rejects the message. Also it is using a 
different Bayes DB and I am not sure about that either. Actually I 
think I do and will check, but it looks like I need to sort out some 
things here.


postfix/smtpd[10855]: NOQUEUE: reject: RCPT from 
acd34.internetdsl.tpnet.pl[83.16.55.34]: 554 Service unavailable; 
Client host [83.16.55.34] blocked using sbl-xbl.spamhaus.org; 
http://www.spamhaus.org/query/bl?ip=83.16.55.34; 
from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] 
proto=ESMTP helo=acd34.internetdsl.tpnet.pl



Correction.

1. Obviously the log above was from postfix and not spamassassin and 
spamassassin is probably set up for local only! But this leads to an 
interesting question. How would postfix sbl-xbl checks miss this 
and spamassassin not? It does appear as if that is the case.




Postfix is looking at the connecting host. SA is looking in all the 
untrusted RCVD lines. Hence the rule name RCVD_IN_


Yep thanks.
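The distinction Richard describes, as an added illustration that is not part of the thread and not SpamAssassin or Postfix code: a Postfix-style RBL check looks up only the connecting client, while a SpamAssassin RCVD_IN_* style check walks every untrusted Received: hop. The message, the trusted-relay set and the stub DNS resolver below are constructed; the listed address 41.212.143.24 is the one from the report above.

```python
import ipaddress
import re
from email import message_from_string
from typing import Callable, List, Optional, Set

# Constructed sample: our MX (198.51.100.7) accepted the mail from a
# dynamic host at 41.212.143.24, then handed it to the internal server.
SAMPLE_MSG = """Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Thu, 13 Dec 2007 11:00:00 -0500
Received: from unknown (HELO dhcp-24.example-isp.test) [41.212.143.24]
\tby mx.example.net with SMTP; Thu, 13 Dec 2007 10:59:00 -0500
From: sender@example.test
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw: str) -> List[str]:
    """Relay IPs from every Received: header, outermost (most recent) first."""
    msg = message_from_string(raw)
    found = [IP_RE.search(h) for h in msg.get_all("Received", [])]
    return [m.group(1) for m in found if m]

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets and append the zone: 41.212.143.24 -> 24.143.212.41.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

Resolver = Callable[[str], Optional[str]]

def listed(ip: str, resolve: Resolver) -> bool:
    """A DNSBL lists an address when the query name resolves to an A record."""
    return resolve(dnsbl_query_name(ip)) is not None

def mta_style_check(connecting_ip: str, resolve: Resolver) -> bool:
    """Postfix reject_rbl_client view: only the client that connected to us."""
    return listed(connecting_ip, resolve)

def sa_style_check(raw: str, trusted: Set[str], resolve: Resolver) -> List[str]:
    """SpamAssassin RCVD_IN_* view: every hop outside the trusted networks."""
    return [ip for ip in received_ips(raw) if ip not in trusted and listed(ip, resolve)]

# Constructed stub resolver standing in for a real DNSBL lookup.
STUB_ZONE = {"24.143.212.41.zen.spamhaus.org": "127.0.0.4"}

def stub_resolve(name: str) -> Optional[str]:
    return STUB_ZONE.get(name)
```

With the connecting client being our own MX, the MTA-style check passes while the SA-style check still flags the inner dynamic hop, which is exactly why the two tools disagree on the same message.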