RDJ error

2008-06-27 Thread Rocco Scappatura

Has anyone experienced this error during an RDJ update?

Lint output:
[14250] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_evilnum0.cf: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0.1
[14250] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_evilnum0.cf: META HTTP-EQUIV=Pragma CONTENT=no-cache
[14250] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_evilnum0.cf: META HTTP-EQUIV=Expires CONTENT=-1
[14250] warn: config: failed to parse line, skipping, in /etc/mail/spamassassin/70_sare_evilnum0.cf: /HEAD/HTML
[14250] warn: lint: 4 issues detected, please rerun with debug enabled for more information

What is the action to be taken?

Thanks,

rocsca


RE: RDJ error

2008-06-27 Thread Rocco Scappatura
 On 27.06.08 09:14, Rocco Scappatura wrote:
  Has someone experienced with this error during RDJ update? 
  
  Lint output: [14250] warn: config: failed to parse line, 
 skipping, in
  /etc/mail/spamassassin/70_sare_evilnum0.cf: HTMLHEADMETA 
  HTTP-EQUIV=Refresh CONTENT=0.1 [14250] warn: config: failed to 
  parse line, skipping, in 
 /etc/mail/spamassassin/70_sare_evilnum0.cf:
  META HTTP-EQUIV=Pragma CONTENT=no-cache [14250] warn: config:
  failed to parse line, skipping, in
  /etc/mail/spamassassin/70_sare_evilnum0.cf: META 
 HTTP-EQUIV=Expires
  CONTENT=-1 [14250] warn: config: failed to parse line, 
 skipping, in
  /etc/mail/spamassassin/70_sare_evilnum0.cf: /HEAD/HTML [14250]
  warn: lint: 4 issues detected, please rerun with debug enabled for 
  more information
  
  What is the action to be taken?
 
 use sa-update, RDJ is afaik obsolete. 

OK.

BTW, with RDJ I could choose which rulesets to update automatically and
which not.

How could I set up sa-learn so that it updates rulesets other than the
standard ones, such as the 'sought ruleset'?

Thanks,

rocsca


RE: RDJ error

2008-06-27 Thread Rocco Scappatura
 sa-update, not sa-learn.
 
 http://wiki.apache.org/spamassassin/RuleUpdates
 

Sorry. Thanks. I have not found the info I need there.. :-(

I launch every night:

sa-update && rcamavisd restart

I'd like to make it so that the 'sought ruleset' is also installed in the
future. Is there a way to do so?

Tnx,

rocsca


RE: RDJ error

2008-06-27 Thread Rocco Scappatura
  I launch every night:
 
  sa-update && rcamavisd restart
 
  I'd like to make it so that the 'sought ruleset' is also installed in the 
  future. Is there a way to do so?
 
 To add other rule sets, you need a few parameters to 
 sa-update.  Here is how I do it:
 
 sa-update --channelfile /root/sare-sa-update-channels.txt --gpgkey 856AA88A && /usr/local/etc/rc.d/amavisd restart
 
 Where the key 856AA88A is for the SARE rules.  The 
 sare-sa-update-channels.txt file is this:
 
 --cut here--
 # sa-update --channelfile sare-sa-update-channels.txt --gpgkey 856AA88A
 # see also http://wiki.apache.org/spamassassin/SareChannels
 updates.spamassassin.org
 70_sare_adult.cf.sare.sa-update.dostech.net
 70_sare_evilnum0.cf.sare.sa-update.dostech.net
 70_sare_evilnum1.cf.sare.sa-update.dostech.net
 70_sare_genlsubj0.cf.sare.sa-update.dostech.net
 70_sare_genlsubj1.cf.sare.sa-update.dostech.net
 70_sare_header_0.cf.sare.sa-update.dostech.net
 70_sare_header_1.cf.sare.sa-update.dostech.net
 70_sare_html0.cf.sare.sa-update.dostech.net
 70_sare_html1.cf.sare.sa-update.dostech.net
 70_sare_obfu0.cf.sare.sa-update.dostech.net
 70_sare_obfu1.cf.sare.sa-update.dostech.net
 70_sare_oem.cf.sare.sa-update.dostech.net
 70_sare_random.cf.sare.sa-update.dostech.net
 70_sare_specific.cf.sare.sa-update.dostech.net
 70_sare_spoof.cf.sare.sa-update.dostech.net
 70_sare_stocks.cf.sare.sa-update.dostech.net
 70_sare_unsub.cf.sare.sa-update.dostech.net
 70_sare_uri0.cf.sare.sa-update.dostech.net
 70_sare_uri1.cf.sare.sa-update.dostech.net
 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
 --cut here--
 
 
 So I get the spam assassin updates and SARE rules I want.
 
 If you want to add the sought rules, just add the necessary 
 parts to the file and command line.
 

var/lib/spamassassin/3.002004 # ls
sought_rules_yerp_org updates_spamassassin_org
sought_rules_yerp_org.cf  updates_spamassassin_org.cf

Great! Now every time that I launch

sa-update && rcamavisd restart

the ruleset listed in sought_rules_yerp_org.cf will also be updated..
Right?

Still thanks,

rocsca
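
An added example, not part of the original posts: sa-update only checks the channels named on its command line, and with no `--channel`/`--channelfile` option it checks just `updates.spamassassin.org`, so the channel file and keys have to be passed on every run. The wrapper below does that and restarts the scanner only when rules were actually installed; the channel-file path and function names are assumptions, and the exit-code handling follows the sa-update manual (0 = updates installed, 1 = nothing new, 4 or higher = error).

```shell
#!/bin/sh
# Added example (not from the thread): nightly sa-update wrapper that always
# passes the channel file and trusted keys, and restarts the scanner only
# when new rules were actually installed.
# Assumptions: the CHANNEL_FILE path and the function names. The restart
# command is the one used in the thread.
SA_UPDATE=${SA_UPDATE:-sa-update}
RESTART_CMD=${RESTART_CMD:-rcamavisd restart}
CHANNEL_FILE=${CHANNEL_FILE:-/etc/mail/spamassassin/sa-update-channels.txt}
# 856AA88A is the SARE key quoted in the thread. Append the key id of any
# other signed channel you list (space separated), taken from that
# channel's own documentation.
GPG_KEYS=${GPG_KEYS:-856AA88A}

# list_channels FILE
# Prints the channel names in FILE, one per line, with comments and blank
# lines removed.
list_channels() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# nightly_update
# Returns 0 when there was nothing to do or when rules were updated and the
# scanner restarted; returns a non-zero code on any failure.
nightly_update() {
    if [ ! -r "$CHANNEL_FILE" ]; then
        echo "channel file $CHANNEL_FILE not readable" >&2
        return 4
    fi
    # Channels given explicitly replace the default channel, so the stock
    # rules stop updating unless updates.spamassassin.org is listed too.
    # Refusing to run in that case is this example's policy.
    if ! list_channels "$CHANNEL_FILE" | grep -qx 'updates\.spamassassin\.org'; then
        echo "updates.spamassassin.org missing from $CHANNEL_FILE" >&2
        return 4
    fi
    set -- --channelfile "$CHANNEL_FILE"
    for key in $GPG_KEYS; do
        set -- "$@" --gpgkey "$key"
    done
    sa_rc=0
    $SA_UPDATE "$@" || sa_rc=$?
    case $sa_rc in
        0) $RESTART_CMD ;;    # new rules installed: reload the scanner
        1) return 0 ;;        # no fresh updates: leave the daemon alone
        *) echo "sa-update failed (exit $sa_rc), not restarting" >&2
           return "$sa_rc" ;;
    esac
}

# Run only when invoked as "script --run", e.g. from cron.
if [ "${1:-}" = "--run" ]; then
    nightly_update
    exit $?
fi
```
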


RE: SQL DB schema issue

2008-05-29 Thread Rocco Scappatura
 On May 28, 2008, at 10:38 AM, Rocco Scappatura wrote:
 
 
  Hello,

Hello,

  I'm using SA with SQL support under Amavisd-new. My DBMS is MySQL.
 
  I'm preparing another antispam server and I've installed the 
  latest stable software available.
 
  I've dumped the bayes DB (schema + data) from an already working 
  machine and I've restored it on the new machine.
 
 
 How did you do this dump?  Which tables did you get?


Thanks for your interest.. It was my fault.. In fact I noticed
that the 'amavis' user could not access all the bayes DB tables other
than 'awl'..

Anyway, now all works fine..

Still thanks,

rocsca


SQL DB schema issue

2008-05-28 Thread Rocco Scappatura

Hello,

I'm using SA with SQL support under Amavisd-new. My DBMS is MySQL.

I'm preparing another antispam server and I've installed the latest
stable software available.

I've dumped the bayes DB (schema + data) from an already working machine and
I've restored it on the new machine.

But when I try to start amavisd in debug mode I get the following
errors:

May 28 17:37:29.010 av8.stt.vir /usr/local/sbin/amavisd[17102]:
SpamAssassin debug facilities: info
bayes: database version 0 is different than we understand (3), aborting!
at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/BayesStore/SQL.pm
line 136.
bayes: database version 0 is different than we understand (3), aborting!
at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/BayesStore/SQL.pm
line 136.
May 28 17:37:30.155 av8.stt.vir /usr/local/sbin/amavisd[17102]:
(!!)TROUBLE in pre_loop_hook: check: no loaded plugin implements
'check_main': cannot scan! at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
164.
Suicide () TROUBLE in pre_loop_hook: check: no loaded plugin implements
'check_main': cannot scan! at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line
164.

While the version specified in the database is really '3'.

What could be the source of this error?

Thanks,

rocsca


RE: Too false negative

2008-02-28 Thread Rocco Scappatura
 --[ UxBoD ]-- wrote:
  policyd works a treat :) V2 is also in development as well.

 
 it's not the same. I don't know why they call it V2.
 As far as I know, Cami is no more involved. so I would stick 
 with the current (which is a single C threaded program).

So you still prefer policyd not policydV2..

Some questions:

- Does any web interface for policyd exist?
- I have different SMTP gateways, on each of which I have to install
policyd. Is it possible to share a single DB between the different
policyd servers?

For other possible questions I will refer to the policyd ML. :-)

Thanks,

rocsca


RE: Too false negative

2008-02-27 Thread Rocco Scappatura
  And spammers are becoming faster as time goes on.. Is it 
  convenient to use greylisting
 
 newer bots retry, so GL is only effective if the time 
 interval is large enough, but that's not a neutral thing so 
 should be restricted to suspicious mail. That's what I use GL 
 for anyway.

What do I need to set up GL? Only the command below, or are there
other parameters that I could set (e.g. the time spent before
a message is accepted and so on)?

 the spam you showed has:
 
 Received: from [125.128.59.158] (unknown [125.128.59.158]) 
 
 
 which means the client is unknown and it helo'ed with a 
 literal IP (it's from Korea too but let's ignore this). My 
 postfix has a check_helo_access with a pcre:
 
 /^\[/  reject_unknown_client, policy_greylist
 
 This rejects mail if the client is unknown and helo's with a 
 literal IP. 

It's very interesting.. In what restriction do I have to put the rules
above?

 I've not seen literal IPs in ham on an MX. Note that this 
 test must not be applied on an MSA: MUAs like Thunderbird do 
 helo with a literal IP.

In fact..

Indeed I'm not using an MSA.. So this complicates things.. :-(

 The test is run before DNSBL checks, so it saves some cycles 
 and reduces the load on DNSBL sites. these days, the test 
 catches about 15% of mail rejected at MTA time.
 
 Note that reject_unknown_client returns a temp error, but 
 unlike GL, you'll need to whitelist the client if you want to 
 accept his mail). if this is a real issue, just remove the 
 reject_unknown_client part and leave the greylisting check. but

So you are saying that I have to WL the client that presents itself to
my server with an IP rather than a hostname?

And how could I whitelist that client?

 of course, this is mostly a temporary cure. if ratware learns 
 to helo with a hostname, it won't be caught. but let's fight 
 the spam of today for now ;-p

I agree.. Compliments for your exhaustive argumentation..

rocsca


RE: Too false negative

2008-02-27 Thread Rocco Scappatura
 policyd works a treat :) V2 is also in development as well.

I will take your judgment into account..

:-)

rocsca


RE: Too false negative

2008-02-27 Thread Rocco Scappatura
  What do I need to set up GL? Only the command below or there is 
  something other parameter that I could set up (eg: the time spent 
  before a message is accepted and so on)?
 

 
 of course, you need to install a policy server! Cami's 
 policyd is a good choice (it also has other features such 
 as throttling, blacklisting, ... 
 etc). for postfix config see below.

I already saw it quickly.. I hope its usage is not too 'invasive' with
my current system..

Anyway I will try to use it and I will let you know..

Thanks,

rocsca


Too false negative

2008-02-26 Thread Rocco Scappatura
Hello,

For some days the number of SMTP connections rejected by my server has
increased (maybe doubled). It doesn't worry me. But there is a side
effect because the number of false negatives has increased too.

For example, at the moment a spam message with this header is considered
clean by Amavisd-new-2.5.3+SpamAssassin-3.2.4:

Received: from myserver ([myserverip]) by ntfi10.hq.ignesti.it with
Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 Feb 2008 08:09:48 +0100
Received: from localhost (localhost [127.0.0.1]) by myserver (Postfix)
with ESMTP id 9D8E775037D; Tue, 26 Feb 2008 08:09:48 +0100 (CET)
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=_=_NextPart_004_01C87846.932E4D28
Received: from myserver ([127.0.0.1]) by localhost (av4.stt.vir
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgXmlG1zg5ao; Tue,
26 Feb 2008 08:09:46 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from [125.128.59.158] (unknown [125.128.59.158]) by myserver
(Postfix) with ESMTP id 9CF34750371; Tue, 26 Feb 2008 08:09:45 +0100
(CET)
Received: from [125.128.59.158] by dator.plaahn.com; Tue, 26 Feb 2008
16:38:13 +0900
Content-class: urn:content-classes:message
Subject: Comprate la forza per il pene, e salvate 85 %.
Date: Tue, 26 Feb 2008 08:38:13 +0100
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comprate la forza per il pene, e salvate 85 %.
Thread-Index: Aca6QAN67HSGN9YGB40WPNS14XFFVQ==
From: Wesley Hutchinson [EMAIL PROTECTED]
To: Mosconi Raoul myemailaddress

I use a PRE-LISTING :

reject_rbl_client zen.spamhaus.org
reject_rbl_client list.dsbl.org

And I update SA ruleset regularly with rules_du_jour and sa-update.

What do I have to do to make my system more reliable?

Thanks in advance,

rocsca


RE: Too false negative

2008-02-26 Thread Rocco Scappatura
  For some days the number of SMTP connections rejected by my server 
  has increased (maybe doubled). It doesn't worry me. But there is a side 
  effect because the number of false negatives has increased too.
 
  For example, at the moment a spam message with this header is 
  considered clean by Amavisd-new-2.5.3+SpamAssassin-3.2.4:
 

 snip
  What do I have to do to make my system more reliable?

 The provided information isn't sufficient. Can you post the 
 X-Spam-Status for one of the affected emails?

Sorry, it was not the case to send the entire email.. Here is the
X-Spam-Status after running the message against 'spamassassin -D':

X-Spam-Status: Yes, score=11.2 required=5.0
 tests=AWL,BAYES_50,HTML_MESSAGE,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
 RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL
 autolearn=unavailable version=3.2.4

But it is really strange: from the amavisd-new log I see that the message is
passed as clean:

Feb 26 08:09:48 av4 amavis[18267]: (18267-12) Passed CLEAN,
[125.128.59.158] [125.128.59.158] [EMAIL PROTECTED] -
mmori@mydomain,rbassilichi@mydomain,rmosconi@mydomain,
Message-ID: [EMAIL PROTECTED], mail_id: kgXmlG1zg5ao,
Hits: 3.558, size: 3731, queued_as: 9D8E775037D, 2132 ms

rocsca


Re: Too false negative

2008-02-26 Thread Rocco Scappatura



 Rocco Scappatura wrote:
 [snip]

 Sorry, it was not the case to send the entire email.. Here is the
 X-Spam-Status after running the message against 'spamassassin -D':

 X-Spam-Status: Yes, score=11.2 required=5.0
  tests=AWL,BAYES_50,HTML_MESSAGE,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
  RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL
  autolearn=unavailable version=3.2.4

 But it is really strange: from the amavisd-new log I see that the message is
 passed as clean:



 the URL may have been added in $uri lists in the meantime. That said,
 make sure Bayes is using the right user. rerun spamassassin as the
 amavisd user. if your Bayes db is in mysql, use
 bayes_sql_override_username to force a single user.

X-Spam-Status: Yes, score=6.3 required=5.0
 tests=AWL,BAYES_50,HTML_MESSAGE,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,
 RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL
 autolearn=unavailable version=3.2.4

What URL? What is $uri_list? I had already set bayes_sql_override_username:

[EMAIL PROTECTED]:/tmp cat /etc/mail/spamassassin/local.cf | grep bayes_sql_override_username
bayes_sql_override_username amavis

Is it possible that there is a lack of spamhaus? I suppose that I query
the DNSBL much more than 100.000 times per day.. :-(

Thanks,

rocsca





RE: URIBL

2008-02-26 Thread Rocco Scappatura



 Quoting Rocco Scappatura [EMAIL PROTECTED]:

 Maybe, now is the case to set up a copy of the zone locally on my server.. I've
 about 1300K messages rejected per day!!

 Yes, you should not query 1.3 million messages per day on the public
 nameservers.  That would be considered abusive.

Je suis desolee.. I will try to implement the SURBL zone copy during
the next days.. Should this improve the performance of message scan?

rocsca



Re: Too false negative

2008-02-26 Thread Rocco Scappatura

 % telnet yourserver 25
 ...
 EHLO somehostname
 ...
 MAIL FROM:sender
 ...
 RCPT TO:recipient
 DATA
 copy-paste the message with full headers except the Delivered-To that
 contains your recipient address
 end with a line containing a dot ('.') like this:
 .
 QUIT

In fact I get:

Feb 26 23:07:50 av4 amavis[17589]: (17589-03) Blocked SPAM,
[ipofmyserver] [ipofmyserver] [EMAIL PROTECTED] - myemailaddress,
quarantine: r/spam-rGPEbZ4mzhH4.gz, Message-ID:
[EMAIL PROTECTED], mail_id: rGPEbZ4mzhH4, Hits: 7.193,
size: 4063, 1874 ms

And spammers are becoming faster as time goes on.. Is it
convenient to use greylisting, or is there some other effective
technique that I could use to reduce false negatives?

Thanks,

rocsca



RE: URIBL

2008-02-25 Thread Rocco Scappatura
 I have to 
  enable only the plugin with loadPlugin.
 
 ... and it's enabled by default, so you should be all set. :)
 
  Then I have to use the command 'urirhssub' of the plugin 
 URIDNSBL to 
  specify that I want to use SURBLs:
 
 ... the rules exist by default, so you should be all set. :)

OK. So the SURBL on my gateway should already work.. But how could I
check this fact?

rocsca


RE: URIBL

2008-02-25 Thread Rocco Scappatura



 Quoting Rocco Scappatura [EMAIL PROTECTED]:

 I have to
  enable only the plugin with loadPlugin.

 ... and it's enabled by default, so you should be all set. :)

  Then I have to use the command 'urirhssub' of the plugin
 URIDNSBL to
  specify that I want to use SURBLs:

 ... the rules exist by default, so you should be all set. :)

 OK. So the SURBL on my gateway should already work.. But how could I
 check this fact?

 rocsca


 You should see many spams with the rules named SURBL hitting.  You can
 also try:

spamassassin -D < message

In fact..

X-Spam-Status: Yes, score=9.573 tag=2 tag2=6.2 kill=6.31
tests=[ALL_TRUSTED=-1.8, AWL=0.583, BAYES_80=2, HTML_MESSAGE=0.001,
URIBL_AB_SURBL=1.86, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501,
URIBL_OB_SURBL=1.5, URIBL_SBL=1.499, URIBL_SC_SURBL=0.474]

SURBL works!

Maybe, now is the case to set up a copy of the zone locally on my server.. I've
about 1300K messages rejected per day!!

Even so, my customers complain about a lot of false negatives.. What more
can I do??

Thanks,

rocsca



RE: URIBL

2008-02-21 Thread Rocco Scappatura
 From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, February 20, 2008 8:08 PM
 To: users@spamassassin.apache.org
 Subject: Re: URIBL
 
 On Wed, Feb 20, 2008 at 06:52:14PM +, Nigel Frankcom wrote:
  Anyway I heard talking about URIBL, which as I have understood is a 
  quite different service (it blacklists 'domains' rather 
 'IPs'). But 
  is it maybe a dangerous practice to fight spam? Anyway, 
 does anyone 
  suggest me to use URIBL?
 
 URI black lists have been around for several years now, and 
 are generally very helpful at detecting spam.  URIBL is one 
 of the standard such black lists that are in use in SA, but 
 there are others: SURBL (the oldest and most well known
 IMO) as well as Razor (also does message hashing but largely 
 uses domain detection these days).  (I may be forgetting 
 someone else, sorry, these are just the ones that come to mind.)
 
 Here are my results for the past 60 days for the different groups:
 
 (you want the most spam% with the lowest ham%, aka: the 
 higher the S/O the
 better)
 
 OVERALL   SPAM%     HAM%     S/O     RANK   SCORE  NAME
       0   769001570130.931           0.00   0.00   (all messages)
   0.0     93.0978   6.9022   0.931   0.00   0.00   (all messages as %)
 
  65.312   70.1541   0.0053   1.000   1.00   0.00   URIBL_JP_SURBL
  54.979   59.0545   0.0018   1.000   0.99   0.00   URIBL_SC_SURBL
  33.513   35.9976   0.0018   1.000   0.98   0.00   URIBL_AB_SURBL
  58.407   62.7323   0.0667   0.999   0.94   0.00   URIBL_OB_SURBL
  43.120   46.3111   0.0737   0.998   0.93   0.00   URIBL_WS_SURBL
   1.385    1.4874   0.0035   0.998   0.87   0.00   URIBL_PH_SURBL
 
   0.758    0.8091   0.0702   0.920   0.78   0.00   URIBL_RED
  71.920   77.1604   1.2331   0.984   0.71   0.00   URIBL_BLACK
   1.545    1.4891   2.3047   0.393   0.52   0.00   URIBL_GREY
 
  69.598   74.7537   0.0614   0.999   0.95   0.00   RAZOR2_CF_RANGE_E8_51_100
 
 
 So URIBL is a bit more problematic than the others by itself, 
 due to the high ham hit rate, but given SA's method of using 
 multiple data sources to determine ham/spam, the false 
 positive issue is minimized.
 

I have looked at the SURBL site. If I have understood correctly, I only
have to enable the plugin with loadPlugin.

Then I have to use the command 'urirhssub' of the plugin URIDNSBL to
specify that I want to use SURBLs:

urirhssub URIBL_JP_SURBL  multi.surbl.org.  A  64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net

score     URIBL_JP_SURBL  3.0

Indeed, I have not understood a number of things:

1. Why do I have to use 'URIBL_JP_SURBL' as 'NAME_OF_RULE'? Is it an
arbitrary name or does a number of 'NAME_OF_RULE' exist?
2. Does the body command have to specify
'eval:check_uridnsbl('NAME_OF_RULE')' where 'NAME_OF_RULE' is the name
of the rule specified as parameter of the command 'urirhssub'?
3. tflags?
4. score?
5. Is there any simpler URIDNSBL plugin setting? Maybe a default one?

rocsca


RE: URIBL

2008-02-21 Thread Rocco Scappatura
  Anyway I heard talking about URIBL, which as I have understood is a 
  quite different service (it blacklists 'domains' rather 
 'IPs'). But is 
  it maybe a dangerous practice to fight spam? Anyway, does anyone 
  suggest me to use URIBL?
 
 Are you looking for a PRE QUEUE blacklist? Or a way to help 
 score SpamAssassin emails?
 
 URIBL (I think from spamcop/ironport/cisco) is already 
 included in modern SA builds.

I don't know what you mean by 'PRE QUEUE blacklist'.. Anyway I would
like to help SpamAssassin in scoring emails..

rocsca


RE: URIBL

2008-02-21 Thread Rocco Scappatura
 HI, Rocco

Hi Luis,

  I don't know what you mean for 'PRE QUEUE blacklist'.. 
 Anyway I would  
  like to help SpamAssassin in scoring emails..
 
 
 He means a blacklist which runs IN the MTA, not at SA level, 
 when the MTA has accepted the message. It rejects spammers as 
 they connect, mostly based on their IP. I run Zen, from 
 Spamhaus here, with very good results.

Indeed, I'm using PRE QUEUE blacklist too (Zen from spamhaus, like you).

I get appreciable results, but during the last days I get a huge increase in 
rejected emails, but at the same time I get a greater number of false negatives.

So I want to lower the number of false negatives.

rocsca


RE: URIBL

2008-02-21 Thread Rocco Scappatura

 Quoting Rocco Scappatura [EMAIL PROTECTED]:
 
 
  I have looked at the SURBL site. If I have understood correctly, 
  I only have to enable the plugin with loadPlugin.
 
  Then I have to use the command 'urirhssub' of the plugin 
  URIDNSBL to specify that I want to use SURBLs:
 
  urirhssub URIBL_JP_SURBL  multi.surbl.org.  A  64
  body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
  describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
  tflags    URIBL_JP_SURBL  net
 
  score     URIBL_JP_SURBL  3.0
 
  Indeed, I have not understood a number of things:
 
  1. Why do I have to use 'URIBL_JP_SURBL' as 'NAME_OF_RULE'? Is it an 
  arbitrary name or does a number of 'NAME_OF_RULE' exist?
  2. Does the body command have to specify 
  'eval:check_uridnsbl('NAME_OF_RULE')' where 'NAME_OF_RULE' 
  is the name of the rule specified as parameter of the command 
  'urirhssub'?
  3. tflags?
  4. score?
  5. Is there any simpler URIDNSBL plugin setting? Maybe a 
  default one?
 
  rocsca
 
 
 
 If you want to use SURBL and URIBL all you need to do is 
 enable network tests:
 
http://www.surbl.org/faq.html#nettest
 
 URI checking is built into SpamAssassin.

$sa_local_tests_only = 0;

I have already set in /etc/amavisd.conf:

$sa_local_tests_only = 0;

So you say that SURBL is already set?

rocsca


URIBL

2008-02-20 Thread Rocco Scappatura
During the last days I have noticed an increase in 'rejected' messages.

I'm currently using 'zen.spamhaus.org' and 'list.dsbl.org' as reputation
servers.

At the same time, the number of false negatives has grown.

I would like to know if there is any better reputation server that
anyone knows (of course, it would be nice if it is a free service :-)).

Anyway I heard talking about URIBL, which as I have understood is a quite
different service (it blacklists 'domains' rather than 'IPs'). But is it
maybe a dangerous practice to fight spam? Anyway, would anyone suggest
that I use URIBL?

Thanks,

rocsca


RE: URIBL

2008-02-20 Thread Rocco Scappatura
 For what it's worth I'm seeing an escalation here in the UK 
 and on US and AUS servers so it's not isolated. Admittedly 
 it's not a large proportion but it is a rise.

How have you inferred this?

rocsca


RE: RulesDuJour

2007-09-04 Thread Rocco Scappatura
 But it is.
 
 RulesDuJour delivery is broken, and it gives only HTTP-error 
 page, which causes the error.
 
 sa-update can deliver the rules without errors.

However, I already use sa-update other than RulesDuJour, which is
scheduled as follows:

22 14 * * 1,2,3,4,5 sa-update && rcamavisd restart

What channels does sa-update update?

And if I use '--channelfile', what happens? Does sa-update update
only the channels included in the file specified for the argument
'--channelfile', or does it add the channels listed in the file to the
default list of channels maintained by sa-update?

Thanks,

rocsca
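
An added example, not part of the original posts or of RulesDuJour: the failure described above (a rule download that is really an HTTP error page, noticed only when `spamassassin --lint` fails on the installed file) can be screened for before anything is copied into the rules directory. The function names and the staging-directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): screen downloaded SpamAssassin rule
# files before they are copied into the live rules directory.
# Function names and the staging-directory layout are assumptions.

# is_rule_file FILE
# Succeeds only if FILE is non-empty, has no line that begins with markup
# (as an HTTP error page does), and has at least one rule directive.
is_rule_file() {
    f=$1
    [ -s "$f" ] || return 1
    # Rule lines start with a keyword or '#'. A line whose first non-blank
    # character opens a tag means a web page was served instead of rules.
    if grep -Eq '^[[:space:]]*</?[A-Za-z!]' "$f"; then
        return 1
    fi
    grep -Eq '^[[:space:]]*(header|body|rawbody|full|uri|meta|score|describe|tflags)[[:space:]]' "$f"
}

# install_rules STAGING_DIR RULES_DIR
# Copies every vetted *.cf from STAGING_DIR into RULES_DIR, keeping the
# previous copy as NAME.bak. Prints "rejected: NAME" for each file that
# fails the check and returns the number of rejections, so the caller can
# skip the daemon restart when the result is not 0.
install_rules() {
    staging=$1
    rules=$2
    rejected=0
    for src in "$staging"/*.cf; do
        [ -e "$src" ] || continue
        name=${src##*/}
        if is_rule_file "$src"; then
            [ -f "$rules/$name" ] && cp -p "$rules/$name" "$rules/$name.bak"
            # Write to a temporary name first so a partial copy is never live.
            cp "$src" "$rules/$name.tmp.$$" && mv -f "$rules/$name.tmp.$$" "$rules/$name"
        else
            echo "rejected: $name"
            rejected=$((rejected + 1))
        fi
    done
    return "$rejected"
}

# Typical use from an update job (paths are placeholders):
#   install_rules /var/tmp/rules-staging /etc/mail/spamassassin \
#       && spamassassin --lint && rcamavisd restart
```
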


RulesDuJour

2007-09-03 Thread Rocco Scappatura

Hello,

For some weeks I have been getting errors when I try to update the SA
rulesets.

For example recently I get an error after the update of TripWire and
SARE rulesets:

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f /etc/mail/spamassassin/tripwire.cf
/tmp/RulesDuJour/99_FVGT_Tripwire.cf.2; mv -f
/tmp/RulesDuJour/tripwire.cf.20070831-1530
/etc/mail/spamassassin/tripwire.cf; mv -f
/etc/mail/spamassassin/70_sare_stocks.cf
/tmp/RulesDuJour/70_sare_stocks.cf.2; mv -f
/tmp/RulesDuJour/70_sare_stocks.cf.20070831-1530
/etc/mail/spamassassin/70_sare_stocks.cf;

Lint output:
[826] warn: config: failed to parse line, skipping: HTMLHEADMETA HTTP-EQUIV=Refresh CONTENT=0.1
[826] warn: config: failed to parse line, skipping: META HTTP-EQUIV=Pragma CONTENT=no-cache
[826] warn: config: failed to parse line, skipping: META HTTP-EQUIV=Expires CONTENT=-1
[826] warn: config: failed to parse line, skipping: /HEAD/HTML
[826] warn: lint: 4 issues detected, please rerun with debug enabled for more information

I can't work out how to solve this problem..

Is there maybe an outdated ruleset? If yes, which one is it?

Thanks,

rocsca


RE: RulesDuJour

2007-09-03 Thread Rocco Scappatura
 Using sa-update is the suggested method now:
 
 http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

I don't think that this is related to the error discussed in this
thread.

rocsca


Greeting card

2007-07-31 Thread Rocco Scappatura
Is it possible to block the spam sent by GreetingCards.com which invites
the receiver to access a URL and browse the ecard?

I mean the spam which has a subject similar to:

You've received a greeting ecard from a Colleague!

BR,

rocsca


Temporary dir

2007-05-21 Thread Rocco Scappatura

Hello,

I have a problem with the tmp directory inside the home directory of the
user running amavisd-new (which uses spamassassin).

That directory is configured as the temporary dir for Amavisd-new. I mounted
a tmpfs file system on it. The size of the partition is the one
suggested for this job (to act as the temporary directory for amavisd-new).
But it often fills up.

I saw that other files (directories) are contained inside that directory..

drwx-- 2 amavis amavis 180 May 21 13:01 .spamassassin5530r7wcrVtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7237wyAuoBtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7288uoiiXPtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7289MYWBOwtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7289QcqPY2tmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7289sijshHtmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7297BbAzmltmp
drwx-- 2 amavis amavis 180 May 21 12:06 .spamassassin7418uqGnv3tmp

and I can't figure out why they are there!

Does anyone have an idea?

thanks

rocsca


RE: How are these classified?

2007-04-04 Thread Rocco Scappatura
  But It won't be indiscriminant in my case.. Is there any 
 other solution?
 
 Keep messages on the list.
 
 These are very simple messages that are exploiting an image 
 hosting service.  There are very few spam signs in them.  I 
 have decided that for the time being none of my users are 
 affected by scoring purely on the imageshack.us url.
 
 In cases like these it is very difficult to come up with 
 generic solutions that fit everyone's requirements.  Which is 
 why I would recommend that you have a look at learning how to 
 write very simple rules.  That way you will be able to write 
 something that meets your very specific needs.  If you are 
 uncertain of your rules, you should set a small score (say 
 0.1) first so that any misfires do not have a major effect on 
 overall scoring, but you can see them in your results.  You 
 can also send your rules to this list and the regulars here 
 will be able to check them out and give you advice.
 
 Failing that you will have to be very specific about your 
 requirements for these spams, and someone might be able to 
 suggest a rule that meets your needs.

Thank you. You are very clear..

I think that I will try to use your rule, and then I'll
observe what happens..

rocsca


How are these classified?

2007-04-02 Thread Rocco Scappatura
Since this morning I'm receiving spam like that below..

What I can't figure out is if this is a new kind of spam or if I can
update it using the available rulesets (with sa-update or RDJ).

Can someone give a hint?

Here is one of the messages with its header:

From [EMAIL PROTECTED] Mon Apr  2 17:21:23 2007
Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: by posta.sttspa.it (Postfix, from userid 7011)
id A7AC21098099; Mon,  2 Apr 2007 17:21:07 +0200 (CEST)
Received: from av3.stt.vir (smtp02.sttspa.it [80.74.176.141])
by posta.sttspa.it (Postfix) with ESMTP id 765CD1098090
for [EMAIL PROTECTED]; Mon,  2 Apr 2007 17:21:07 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
by av3.stt.vir (Postfix) with ESMTP id 5249F75010D
for [EMAIL PROTECTED]; Mon,  2 Apr 2007 17:21:07 +0200 (CEST)
X-Virus-Scanned: amavisd-new at stt.vir
Received: from av3.stt.vir ([127.0.0.1])
by localhost (av6.stt.vir [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id FNwSusNccx3t for [EMAIL PROTECTED];
Mon,  2 Apr 2007 17:21:06 +0200 (CEST)
Received: from dsl51B7EDE5.pool.t-online.hu
(dsl51B7EDE5.pool.t-online.hu [81.183.237.229])
by av3.stt.vir (Postfix) with ESMTP id 315D47500F7
for [EMAIL PROTECTED]; Mon,  2 Apr 2007 17:21:05 +0200 (CEST)
Received: from home ([116.192.136.130])
by dsl51B7EDE5.pool.t-online.hu (8.13.4/8.13.4) with SMTP id
F9A70115F0EDB1;
Mon, 2 Apr 2007 17:22:00 +0200
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 2 Apr 2007 17:21:23 +0200
To: [EMAIL PROTECTED]
From: Nele jankuniene [EMAIL PROTECTED]
Subject: All the Tablet PC
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Message-Id: [EMAIL PROTECTED]

Search engine, fax scanting software?
http://img133.imageshack.us/img133/5553/webvq2.gif




RE: Big trouble

2007-03-29 Thread Rocco Scappatura
 There is another discussion on this list about rules that 
 catch these sorts of messages.  Check that out for ideas.
 
 For what it is worth these are the rules I get:
 
 Content analysis details:   (10.5 points, 5.0 required)
 
   pts rule name  description
  --
 --
   2.9 FROM_LOCAL_NOVOWEL From: localpart has series of 
 non-vowel letters
   0.1 FORGED_RCVD_HELO   Received: contains a forged HELO
   0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain 
 signs some 
 mails
   0.6 J_CHICKENPOX_14BODY: 1alpha-pock-4alpha
   3.5 BAYES_99   BODY: Bayesian spam probability 
 is 99 to 100%
  [score: 1.]
   2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on 
 bogons IP block
 [102.176.29.76 listed in
 combined-HIB.dnsiplists.completewhois.com]
   1.0 RCVD_IN_JANET_RBL  RBL: Relay in JANET MAPS RBL+ RBL
[102.176.29.76 listed in 
 rbl-plus.mail-abuse.ja.net]
   0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

I get:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 TW_GD                  BODY: Odd Letter Triples with GD
 0.1 TW_LG                  BODY: Odd Letter Triples with LG
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3955]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.6 AWL                    AWL: From: address is in the auto white-list

But only some hours after I received the messages..

I suppose that at that time the score assigned by your SA was lower than
what you just reported above.. (maybe at that time, the IP 102.176.29.76 was
not DNSBL-listed).

Anyway, I figure that your SA uses different rulesets from mine..

Could you advise me on a good set of rulesets to use to lower
the chance that spam passes through my spam-scanner, while maintaining a good
level of performance?

TIA,

rocsca


RE: Big trouble

2007-03-29 Thread Rocco Scappatura
  2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                             [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 
 I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
 (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED, 
 which are nonzero)
 
 rules/50_scores.cf :
   score RCVD_IN_WHOIS_BOGONS 0 # n=0 n=1 n=2 n=3

I don't understand.. maybe my remark is wrong, but I get this score for
the rules above:

 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]

Anyway, what tells you that the score for RCVD_IN_WHOIS_BOGONS is 0?

rocsca



Big trouble

2007-03-28 Thread Rocco Scappatura
For some days now, the number of spam messages that SA doesn't block has
increased.

Every time, I analyse the message like this:

1) Save the message in mbox format as 'message.mbox'
2) su - amavis -c "spamassassin -t < message.mbox"

And I get a score greater than 5.0, and often I get:

 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?71.175.150.184]

That is, if the message is sent just now, the message is rejected (?).

So I feel that every time that I receive a spam, the system spends a
period of time to 'learn' that that message is spam.

If this is true, I would like to figure out how I can block these
messages in advance..

Could someone give me a hint?

TIA,

rocsca




RE: Big trouble

2007-03-28 Thread Rocco Scappatura
 What MTA are you using ?

Postfix+MySQL+Amavisd-new

rocsca


RE: Big trouble

2007-03-28 Thread Rocco Scappatura
 Before anyone can you give you a hint on how to block the 
 messages, we would need to see what the messages are.
 
 Same form as before, save the message (with full headers) and 
 place it somewhere where we can download it.

http://www.rocsca.it/INBOX

rocsca


RE: why I get it?

2007-03-20 Thread Rocco Scappatura

 What version of SA are you running?  If not 3.1.8 then upgrade.

# spamassassin -V
SpamAssassin version 3.1.8
  running on Perl version 5.8.8

rocsca


RE: why I get it?

2007-03-20 Thread Rocco Scappatura

 Well Rocco, without knowing a little bit more about your 
 setup its hard to say.  For instance, are you NEW to spamassassin?

Thanks John. No, I have been using spamassassin for two years. But I'm going
into depth with the usage of spamassassin because I would like to reduce the
spam that arrives in my mailboxes.

I'm using a Postfix+MySQL+Amavisd-new setup.

 If so you might be under the mistaken impression that 
 Spamassassin deletes spam.  It doesn't.  It just marks it.
 
 If you want it deleted you have to do that with some other 
 means, such as with filters in your mail reader, or procmail 
 or amavisd etc.

It is clear.

rocsca


RE: why I get it?

2007-03-20 Thread Rocco Scappatura

 Chances are that your Bayesian database changed between the 
 time you received this message and the time you rescanned it 
 from the command line.  Rescanning something is _not_ a 
 reliable way to figure out what score SA gave it on receipt.  
 You should use the _TESTSSCORES(,)_ macro in your add_header 
 line to figure that out.

I agree with you! In fact, today I got another spam, and when I analysed it
seven hours after it was received I again got a score greater than
5.0 points:

Content preview:  Yes, I exactly heard it spoken flight of, self
decision but
   I did not know the scorch And who man found brain this mark father
for you?
   plead Half-past six o'clock has strod cold purpose just struck, M.
Bertuccsucceed
   The week Count receive shoe of Monte Cristo. [...]

Content analysis details:   (5.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9680]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.7 MY_CID_AND_STYLE       SARE cid and style


But is there a strategy for preventing these emails from reaching the
mailboxes before spamassassin learns about them (maybe greylist?)?

thanks,

rocsca


why I get it?

2007-03-19 Thread Rocco Scappatura
Hello,

I received a spam message this morning in my mailbox. So I submitted it to
spamassassin to calculate the score that spamassassin gives it.

Here the result:

Content preview:  Diable! bird market light sort said Monte Cristo
compassionately,
   it i Villefort pressed her plate earth hand to set long let her know
it
  was Ah, true.theory skin Oh, no, sir, she blade slope answered;
but you
   know, things [...]

Content analysis details:   (6.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9991]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 0.7 MY_CID_AND_STYLE       SARE cid and style

So it is clear at all why I have retrieved the message in my mailbox..

If someone could give an explanation of this phenomenon, I will
appreciate it,

BR,

rocsca


RE: Another false negative

2007-03-19 Thread Rocco Scappatura
  what it can be the reason of the different score assigned?
  why the second system doesn't assign an AWL score?
 
 They give different Bayes scores so the Bayes databases have 
 been trained with different messages.  Do you have autolearn 
 switched on?

#   Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1

Do I have to set it to 0?

But Then how I have to instruct Spamassassin? What is the best way? Do I
have a spam folder to instruct SA?

 And you must understand that the Bayes system is not a one 
 shot and you have it fixed kind of system.  Just training a 
 single message will alter the scoring, but you may also need 
 to train it with a few similar messages for it to 
 significantly change its scoring.

You're saying right. Now I understand. 

Thank you,

rocsca


RE: Another false negative

2007-03-19 Thread Rocco Scappatura
  Do I have to set it to 0?
 
 No, but that may explain why the two servers have different 
 Bayes scores for similar messages.  If they receive different 
 message streams they will be learning a different view of the 
 email world.

OK. Thanks all clear for me!!

  But Then how I have to instruct Spamassassin? What is the 
 best way? Do 
  I have a spam folder to instruct SA?
 
 I don't think you need to turn off autolearn, you may want to 
 adjust your thresholds, mine are set to this:
 
 bayes_auto_learn_threshold_nonspam -0.1
 bayes_auto_learn_threshold_spam 12.0
 
 I have autolearn switched on, but I also manually train with 
 false negatives, and I occasionally train a bunch of recent 
 ham as ham.

OK. I will do that too!

rocsca


Another false negative

2007-03-14 Thread Rocco Scappatura
Hello, 

SA has not blocked an email with these headers:

Microsoft Mail Internet Headers Version 2.0
Received: from posta.sttspa.it ([80.74.176.144]) by srv5.stt.loc with
Microsoft SMTPSVC(6.0.3790.1830);
 Wed, 14 Mar 2007 07:14:08 +0100
Received: by posta.sttspa.it (Postfix, from userid 7011)
id 8F9A51098056; Wed, 14 Mar 2007 07:14:06 +0100 (CET)
Received: from av6.stt.vir (smtp02.sttspa.it [80.74.176.141])
by posta.sttspa.it (Postfix) with ESMTP id 6858B1098004;
Wed, 14 Mar 2007 07:14:06 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by av6.stt.vir (Postfix) with ESMTP id F7500A7;
Wed, 14 Mar 2007 07:14:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at stt.vir
Received: from av6.stt.vir ([127.0.0.1])
by localhost (av6.stt.vir [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id I3LCVzlxLfiv; Wed, 14 Mar 2007 07:14:03 +0100
(CET)
Received: from kbra3qsxm9mslhj (203-118-114-113.static.asianet.co.th
[203.118.114.113])
by av6.stt.vir (Postfix) with SMTP id 362367500A2;
Wed, 14 Mar 2007 07:13:14 +0100 (CET)
Message-ID: [EMAIL PROTECTED]
Reply-To: IParker NDickey [EMAIL PROTECTED]
From: IParker NDickey [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: transmitting wolf
Date: Wed, 14 Mar 2007 13:13:02 +0700
MIME-Version: 1.0
Content-Type: text/html
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 14 Mar 2007 06:14:08.0281 (UTC)
FILETIME=[F9A5D890:01C765FF]


which have in the body:

Our Next Winner for March 14th

and other contents..

Why doesn't SA block this email? Am I missing some important ruleset?
I have already configured Postfix to use some DNSBL.

Here my SA configuration:

[19689] dbg: logger: adding facilities: all
[19689] dbg: logger: logging level is DBG
[19689] dbg: generic: SpamAssassin version 3.1.8
[19689] dbg: config: score set 0 chosen.
[19689] dbg: util: running in taint mode? yes
[19689] dbg: util: taint mode: deleting unsafe environment variables,
resetting PATH
[19689] dbg: util: PATH included '/sbin', keeping
[19689] dbg: util: PATH included '/usr/sbin', keeping
[19689] dbg: util: PATH included '/usr/local/sbin', keeping
[19689] dbg: util: PATH included '/opt/gnome/sbin', keeping
[19689] dbg: util: PATH included '/root/bin', keeping
[19689] dbg: util: PATH included '/usr/local/bin', keeping
[19689] dbg: util: PATH included '/usr/bin', keeping
[19689] dbg: util: PATH included '/usr/X11R6/bin', keeping
[19689] dbg: util: PATH included '/bin', keeping
[19689] dbg: util: PATH included '/usr/games', keeping
[19689] dbg: util: PATH included '/opt/gnome/bin', keeping
[19689] dbg: util: PATH included '/usr/lib/mit/bin', which doesn't
exist, dropping
[19689] dbg: util: PATH included '/usr/lib/mit/sbin', which doesn't
exist, dropping
[19689] dbg: util: final PATH set to:
/sbin:/usr/sbin:/usr/local/sbin:/opt/gnome/sbin:/root/bin:/usr/local/bin
:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin
[19689] dbg: message:  MIME PARSER START 
[19689] dbg: message: main message type: text/plain
[19689] dbg: message: parsing normal part
[19689] dbg: message: added part, type: text/plain
[19689] dbg: message:  MIME PARSER END 
[19689] dbg: dns: is Net::DNS::Resolver available? yes
[19689] dbg: dns: Net::DNS version: 0.59
[19689] dbg: config: using /etc/mail/spamassassin for site rules pre
files
[19689] dbg: config: read file /etc/mail/spamassassin/init.pre
[19689] dbg: config: read file /etc/mail/spamassassin/v310.pre
[19689] dbg: config: read file /etc/mail/spamassassin/v312.pre
[19689] dbg: config: using /var/lib/spamassassin/3.001008 for sys
rules pre files
[19689] dbg: config: read file
/var/lib/spamassassin/3.001008/updates_spamassassin_org.pre
[19689] dbg: config: using /var/lib/spamassassin/3.001008 for default
rules dir
[19689] dbg: config: read file
/var/lib/spamassassin/3.001008/updates_spamassassin_org.cf
[19689] dbg: config: using /etc/mail/spamassassin for site rules dir
[19689] dbg: config: read file
/etc/mail/spamassassin/70_sare_evilnum0.cf
[19689] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu.cf
[19689] dbg: config: read file /etc/mail/spamassassin/70_sare_random.cf
[19689] dbg: config: read file /etc/mail/spamassassin/70_sare_stocks.cf
[19689] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf
[19689] dbg: config: read file
/etc/mail/spamassassin/bogus-virus-warnings.cf
[19689] dbg: config: read file /etc/mail/spamassassin/local.cf
[19689] dbg: config: read file /etc/mail/spamassassin/random.cf
[19689] dbg: config: read file /etc/mail/spamassassin/tripwire.cf
[19689] dbg: config: using /root/.spamassassin for user state dir
[19689] dbg: config: using /root/.spamassassin/user_prefs for user
prefs file
[19689] dbg: config: read file /root/.spamassassin/user_prefs
[19689] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from
@INC
[19689] dbg: plugin: registered
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x835e338)
[19689] dbg: 

RE: Another false negative

2007-03-14 Thread Rocco Scappatura
 If you can post the full email (headers and body), I'll run it over my
 system which has lots and lots of third party add on rules from
 www.rulesemporium.com and others and see if I can make SA 
 score it high
 enough for Amavisd-new to block the email..

Thanks. 

http://www.rocsca.it/INBOX

I get the following score:

From [EMAIL PROTECTED] Wed Mar 14 07:13:02 2007
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on av6.stt.vir
X-Spam-Level: **
X-Spam-Status: No, score=2.5 required=5.0 tests=AWL,BAYES_50,HTML_30_40,
 
HTML_MESSAGE,HTML_TEXT_AFTER_BODY,MIME_HTML_ONLY,SARE_PROLOSTOCK_SYM3
autolearn=no version=3.1.8
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: by posta.sttspa.it (Postfix, from userid 7011)
id 8F9A51098056; Wed, 14 Mar 2007 07:14:06 +0100 (CET)
Received: from av6.stt.vir (smtp02.sttspa.it [80.74.176.141])
by posta.sttspa.it (Postfix) with ESMTP id 6858B1098004;
Wed, 14 Mar 2007 07:14:06 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
by av6.stt.vir (Postfix) with ESMTP id F7500A7;
Wed, 14 Mar 2007 07:14:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at stt.vir
Received: from av6.stt.vir ([127.0.0.1])
by localhost (av6.stt.vir [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id I3LCVzlxLfiv; Wed, 14 Mar 2007 07:14:03 +0100
(CET)
Received: from kbra3qsxm9mslhj (203-118-114-113.static.asianet.co.th
[203.118.114.113])
by av6.stt.vir (Postfix) with SMTP id 362367500A2;
Wed, 14 Mar 2007 07:13:14 +0100 (CET)
Message-ID: [EMAIL PROTECTED]
Reply-To: IParker NDickey [EMAIL PROTECTED]
From: IParker NDickey [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: transmitting wolf
Date: Wed, 14 Mar 2007 13:13:02 +0700
MIME-Version: 1.0
Content-Type: text/html

html
head
/head
body


p align=centerbOur Next Winner forfont color=#FF March
14th/fontbr
font color=#FFCEO AMERICA INC /fontbr
Tick : CEOAbr
font color=#008080Priced : $0.07/fontbr
Won't last long at this stage, This one is going tofont
color=#008080
$1.00/fontbr
Grab yourself somefont color=#FF tomorrow /fontavoid the
rushbr
And experience a font color=#00808010 bagger./font/p
p align=centerbr
font size=2FAA said the rule change -- a temporary one -- was made
for safety reasons. The NTSB'sbr
of starting that fire with murder. A light wind was cited by federal
investigators = San Benardino National Forest to its very core and
shocked the entire world.br
October 26 in Southern California's San Jacinto Mountains.=ttempted a
U-turn with only 1,300 feet of room for the turn. To make a successful
turn,
/font/b/p

/body

/html


)
Spam detection software, running on the system av6.stt.vir, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Our Next Winner for March 14th CEO AMERICA INC Tick :
CEOA
   Priced : $0.07 Won't last long at this stage, This one is going to
$1.00
  Grab yourself some tomorrow avoid the rush And experience a 10 bagger.
[...]


Content analysis details:   (2.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5547]
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.3 AWL                    AWL: From: address is in the auto white-list


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
 http://www.rocsca.it/INBOX

Could someone give me a hint on how to block email like the one above?

Thanks,

rocsca

 I get the following score:
 
 From [EMAIL PROTECTED] Wed Mar 14 07:13:02 2007
 Return-Path: [EMAIL PROTECTED]
 X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on av6.stt.vir
 X-Spam-Level: **
 X-Spam-Status: No, score=2.5 required=5.0 
 tests=AWL,BAYES_50,HTML_30_40,
  
 HTML_MESSAGE,HTML_TEXT_AFTER_BODY,MIME_HTML_ONLY,SARE_PROLOSTOCK_SYM3
 autolearn=no version=3.1.8
 X-Original-To: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: by posta.sttspa.it (Postfix, from userid 7011)
 id 8F9A51098056; Wed, 14 Mar 2007 07:14:06 +0100 (CET)
 Received: from av6.stt.vir (smtp02.sttspa.it [80.74.176.141])
 by posta.sttspa.it (Postfix) with ESMTP id 6858B1098004;
 Wed, 14 Mar 2007 07:14:06 +0100 (CET)
 Received: from localhost (localhost [127.0.0.1])
 by av6.stt.vir (Postfix) with ESMTP id F7500A7;
 Wed, 14 Mar 2007 07:14:06 +0100 (CET)
 X-Virus-Scanned: amavisd-new at stt.vir
 Received: from av6.stt.vir ([127.0.0.1])
 by localhost (av6.stt.vir [127.0.0.1]) (amavisd-new, 
 port 10024)
 with ESMTP id I3LCVzlxLfiv; Wed, 14 Mar 2007 07:14:03 +0100
 (CET)
 Received: from kbra3qsxm9mslhj (203-118-114-113.static.asianet.co.th
 [203.118.114.113])
 by av6.stt.vir (Postfix) with SMTP id 362367500A2;
 Wed, 14 Mar 2007 07:13:14 +0100 (CET)
 Message-ID: [EMAIL PROTECTED]
 Reply-To: IParker NDickey [EMAIL PROTECTED]
 From: IParker NDickey [EMAIL PROTECTED]
 To: [EMAIL PROTECTED], [EMAIL PROTECTED]
 Subject: transmitting wolf
 Date: Wed, 14 Mar 2007 13:13:02 +0700
 MIME-Version: 1.0
 Content-Type: text/html
 
 html
 head
 /head
 body
 
 
 p align=centerbOur Next Winner forfont 
 color=#FF March 14th/fontbr font 
 color=#FFCEO AMERICA INC /fontbr Tick : CEOAbr 
 font color=#008080Priced : $0.07/fontbr Won't last 
 long at this stage, This one is going tofont 
 color=#008080 $1.00/fontbr Grab yourself somefont 
 color=#FF tomorrow /fontavoid the rushbr And 
 experience a font color=#00808010 bagger./font/p p 
 align=centerbr font size=2FAA said the rule change 
 -- a temporary one -- was made for safety reasons. The 
 NTSB'sbr of starting that fire with murder. A light wind 
 was cited by federal investigators = San Benardino National 
 Forest to its very core and shocked the entire world.br 
 October 26 in Southern California's San Jacinto 
 Mountains.=ttempted a U-turn with only 1,300 feet of room for 
 the turn. To make a successful turn, /font/b/p
 
 /body
 
 /html
 
 
 )
 Spam detection software, running on the system av6.stt.vir, 
 has identified this incoming email as possible spam.  The 
 original message has been attached to this so you can view it 
 (if it isn't spam) or label similar future email.  If you 
 have any questions, see the administrator of that system for details.
 
 Content preview:  Our Next Winner for March 14th CEO AMERICA 
 INC Tick :
 CEOA
Priced : $0.07 Won't last long at this stage, This one is 
 going to $1.00
   Grab yourself some tomorrow avoid the rush And experience a 
 10 bagger.
 [...]
 
 
 Content analysis details:   (2.5 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
  0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
  0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                             [score: 0.5547]
  0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  0.3 AWL                    AWL: From: address is in the auto white-list
 


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
 I get the following:
 
 Content analysis details:   (5.7 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
  0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
  0.0 HTML_MESSAGE           BODY: HTML included in message
  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
  0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts

Please, could you tell me what do I miss?

TIA,

rocsca



RE: Another false negative

2007-03-14 Thread Rocco Scappatura
  Content analysis details:   (5.7 points, 5.0 required)
  
   pts rule name              description
  ---- ---------------------- --------------------------------------------------
   0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
   1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
   0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
   0.0 HTML_MESSAGE           BODY: HTML included in message
   3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                              [score: 1.]
   0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 
 Please, could you tell me what do I miss?
 

Maybe I have to update the list of rulesets? What do I have to install
other than the default set of rulesets delivered with SA 3.1.8?

TIA,

rocsca


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
 Assuming this is your score line:
 
   X-Spam-Status: No, score=2.5 required=5.0   
 tests=AWL,BAYES_50,HTML_30_40,   
 HTML_MESSAGE,HTML_TEXT_AFTER_BODY,MIME_HTML_ONLY,SARE_PROLOSTOCK_SYM3
   autolearn=no version=3.1.8
 
 Then the biggest difference is that my Bayesian scoring gives it a
 BAYES_99 score and yours gives it a BAYES_50 score.

So you are saying that I have to train SA?

rocsca


RE: Another false negative

2007-03-14 Thread Rocco Scappatura
  So you are saying that I have to train SA?
 
 That would be how you would improve your Bayes accuracy, yes.

I have trained SA on my server but I still get a score lower than 5.0..

Content analysis details:   (4.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8738]
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.2 AWL                    AWL: From: address is in the auto white-list

while on another server (that I have instructed with the same messages)
I get:

Content analysis details:   (5.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9996]
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts

What can be the reason for the different score assigned?
Why doesn't the second system assign an AWL score?

rocsca
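
The comparison asked about in the post above, as an added example that is not part of the original thread: a Python sketch that parses two `spamassassin -t` reports despite the line wrapping added in transit and lists the rules whose scores differ. The report text is constructed from the values quoted in the post, and the function names are hypothetical.

```python
"""Parse and compare SpamAssassin "Content analysis details" reports."""
import re
from decimal import Decimal

TOTAL = re.compile(r"\((-?\d+\.\d+) points, (-?\d+\.\d+) required\)")
RULE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(\S.*)$")
BAYES_PROB = re.compile(r"\[score: (\d+\.\d+)\]")

# Constructed sample input: the two reports from the post, wrapped as quoted.
REPORT_A = """\
Content analysis details:   (4.3 points, 5.0 required)

 pts rule name  description
 --
--
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close
tag
 2.0 BAYES_80   BODY: Bayesian spam probability is 80 to 95%
[score: 0.8738]
 0.4 HTML_30_40 BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.2 AWL            AWL: From: address is in the auto white-list
"""

REPORT_B = """\
Content analysis details:   (5.7 points, 5.0 required)

 pts rule name  description
 --
--
 1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close
tag
 0.4 HTML_30_40 BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE   BODY: HTML included in message
 3.5 BAYES_99   BODY: Bayesian spam probability is 99 to
100%
[score: 0.9996]
 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
"""


def parse_report(text):
    """Return total, required, per-rule scores and the Bayes probability."""
    report = {"total": None, "required": None, "rules": {}, "bayes_prob": None}
    last = None  # name of the rule that continuation lines belong to
    for line in text.splitlines():
        m = TOTAL.search(line)
        if m:
            report["total"] = Decimal(m.group(1))
            report["required"] = Decimal(m.group(2))
            continue
        if report["total"] is None:
            continue  # ignore text before the report, e.g. "Content preview"
        m = RULE.match(line)
        if m:
            last = m.group(2)
            report["rules"][last] = {"score": Decimal(m.group(1)),
                                     "desc": m.group(3).strip()}
            continue
        rest = line.strip()
        if (not rest or set(rest) <= set("- ")
                or rest.startswith("pts rule name") or last is None):
            continue  # blank line, dash separator or column header
        m = BAYES_PROB.search(rest)
        if m and last.startswith("BAYES_"):
            report["bayes_prob"] = Decimal(m.group(1))
        else:
            # Wrapped description: glue it back onto the previous rule.
            report["rules"][last]["desc"] += " " + rest
    return report


def diff_reports(a, b):
    """Map rule name -> (score in a, score in b); None means 'did not fire'."""
    out = {}
    for name in sorted(set(a["rules"]) | set(b["rules"])):
        score_a = a["rules"].get(name, {}).get("score")
        score_b = b["rules"].get(name, {}).get("score")
        if score_a != score_b:
            out[name] = (score_a, score_b)
    return out


def displayed_sum(report):
    """Sum of the one-decimal scores as printed; need not equal the total."""
    return sum((r["score"] for r in report["rules"].values()), Decimal("0"))


if __name__ == "__main__":
    a, b = parse_report(REPORT_A), parse_report(REPORT_B)
    print("totals:", a["total"], "vs", b["total"])
    print("bayes probability:", a["bayes_prob"], "vs", b["bayes_prob"])
    for name, (sa, sb) in diff_reports(a, b).items():
        print(f"{name:<22} {sa!s:>5} {sb!s:>5}")
```

On these two reports the only differences are the Bayes bucket and the AWL adjustment, so the gap comes from the per-server Bayes and auto-whitelist state and not from a missing ruleset.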


RE: veryfing the score of a message

2007-02-28 Thread Rocco Scappatura
  Well what puzzles me is, is the message in queue, waiting 
 to be sent 
  to someone within your domain, or is it outbound? 
 
to be sent outbound..

 Why are you wanting 
  to manually scan it?

A user of mine tries to send an email using my SMTP server, but he can't
send me the message which is blocked by my spam scanner (SA), in mbox
format.. (so that I can analyse it and find the cause of the blocking)
Nevertheless I know the right way to control the scanning of that
message.. So I told him to send it to an outbound address such that it
remains in the queue of the mail server and I can analyse it...

If you have a better method to solve my problem, it is welcome!

rocsca


veryfing the score of a message

2007-02-27 Thread Rocco Scappatura

Hello,

I would like to verify the score of a message that sendmail left in
queue for some reason.

Normally, I have two messages in queue directory:

- qfX
- dfX

Could I 'cat' qfX and dfX into a temp file 'tmp'

and

then calculate the score like this:

spamassassin -t < tmp

?

Or I will get a wrong score?

TIA,

rocsca


RE: ANTIDRUG rulesets

2007-02-14 Thread Rocco Scappatura
 I didn't want to cloud the situation, as we were progressing 
 in very small steps in improving the scoring of the OP's SA.  
 As he was already using RDJ for the SARE rules I thought the 
 easiest first step would be to get sa-update set up for the 
 default ruleset and then once the OP was happy with that 
 worry about moving his existing mechanism if necessary.

I agree with you..

rocsca


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
  Put a full email (including all headers) on a web page somewhere.
 
 http://www.rocsca.it/it_by_confocal.out
 
 That's not a drug spam, that's a stock spam.  It just happens 
 to be for a pharmaceutical company.

Sorry! I'm not very experienced with the kinds of spam..

I'd very much like to learn to classify spam by content.. I need some
documentation..

 Get the SARE stocks ruleset and you will have some better 
 luck.  Often these are GIF images, so ImageInfo and FuzzyOCR 
 can both help a lot.

OK. I will do.. Indeed I already use FuzzyOCR.. but it often fails to
block these emails.. I'm afraid that I use a bad dictionary (the default)
and I'm looking for a better one..

rocsca


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
 Enable network tests.  You may have to set up several things 
 correctly to get this to work, but just removing -L from 
 the spamd startup line may be enough as a start.

I don't understand..  If I have a message in mbox format, what do I have to
do so that I can see what score SA would assign to it?

I have seen the syntax of the spamd command but it doesn't accept any kind
of message as input parameter.. Should I run it in daemonized mode and
send the message to the listening port?

  Looking at this my Bayes scores it highly, but so does a 
 rules from 
  the SARE_STOCKS rule set.  There are also a number of 
 network tests 
  which get this.
 
  And so? How do you justify this? What I miss?
 
 Add-on rulesets.  In this case the SARE stocks ruleset.

Thanks,

rocsca


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
 Can you show us which tests these emails hit on your system?

Please tell me how I have to do..

rocsca


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
 If you have the email saved in a text file called email.txt, 
 run this command making sure that you are logged in as the 
 user who spamd run as.
 
 spamassassin -t < email.txt
 
 If you want a lot more information you can use the debug switch
 
 spamassassin -D -t < email.txt

Thanks.

Here the output on my system..

Spam detection software, running on the system av5.stt.vir, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  BULLISH REPORT! Campaign for: MISJPrice: $0.17Target:
  $0.95Market: hellish! SOMEBODY KNOWS SOMETHING. [...]

Content analysis details:   (0.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.3 HTML_FONT_BIG          BODY: HTML tag for a big font size


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
 I think the next thing you need to do is run the command with 
 the -D switch.

The output is attached..

 It doesn't look like you are running any network tests, you 
 are certainly not running any Bayes tests.

I executed the command you told me after launching spamd..

 Can you remind us what OS this is on, what version of 
 spamassassin, how you installed SA, how you call SA?

I call SA via amavisd-new-2.4.4

# /usr/bin/spamassassin --version
SpamAssassin version 3.1.7
  running on Perl version 5.8.8

OS: SLES 10
Linux av5 2.6.16.21-0.8-bigsmp #1 SMP Mon Jul 3 18:25:39 UTC 2006 i686
i686 i386 GNU/Linux

rocsca


it_by_confocal.out.debug
Description: it_by_confocal.out.debug


RE: ANTIDRUG rulesets

2007-02-13 Thread Rocco Scappatura
 The other thing to do is to run sa-update to make sure you 
 are running the latest versions of the standard SA rules.
 
 http://spamassassin.apache.org/full/3.1.x/doc/sa-update.html

I already use rules_du_jour.. Is that OK? Or can I obtain further
improvement using sa-update?

rocsca


ANTIDRUG rulesets

2007-02-12 Thread Rocco Scappatura
Hello,

SA doesn't block spam emails with pharmaceutical
content..

I think I am missing some ruleset. I can't figure out which..

I think that the most appropriate is antidrug.cf but on the SA site I have
read that it is unnecessary..

But if I look into the conf file dir of spamassassin I can't find
it.. Is that normal? Or do I have to install it?

TIA,

rocsca


RE: ANTIDRUG rulesets

2007-02-12 Thread Rocco Scappatura
 Antidrug has been merged into 20_drugs.cf from the standard 
 ruleset. If you read through the file, you'll find the 
 antidrug rules. It's about halfway down.

OK. Now it's all clear!! I have an old 'antidrug.cf' file in the SA config
dir.. maybe this overcomes 20_drugs.cf? I don't know.. but I have removed
it as well and restarted Amavisd-new, as the docs state for SA 3.0.1 (I have
SA 3.1.7).

But I note that some 'pharma messages' are still not blocked.. Do I have
to install some other ruleset? (If yes, how do I have to configure automatic
update with rdj?)

thanks,

rocsca



RE: ANTIDRUG rulesets

2007-02-12 Thread Rocco Scappatura
 Put a full email (including all headers) on a web page somewhere.

http://www.rocsca.it/it_by_confocal.out


RE: ANTIDRUG rulesets

2007-02-12 Thread Rocco Scappatura
 My scores:
 
 Content analysis details:   (10.4 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
  1.7 SARE_PROLOSTOCK_SYM3   BODY: Last week's hot stock scam
  0.0 HTML_MESSAGE           BODY: HTML included in message
  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
  0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                             above 50%
                             [cf: 100]
  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  1.0 RCVD_IN_JANET_DUL      RBL: Relay in JANET MAPS RBL+ DUL
                             [60.215.113.19 listed in rbl-plus.mail-abuse.ja.net]
  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                             [Blocked - see http://www.spamcop.net/bl.shtml?60.215.113.19]

What do I have to do to get the score for the same message on my platform?

 Looking at this my Bayes scores it highly, but so does a 
 rules from the SARE_STOCKS rule set.  There are also a number 
 of network tests which get this.

And so? How do you justify this? What am I missing?

Thanks,

rocsca


RE: Spamassassin does block some email

2007-02-09 Thread Rocco Scappatura
 Speaking of ninjas one slipped in here and whispered in my 
 ear that the original problem rocsca had might benefit from 
 the anti drug rules on the SARE web site. He should read the 
 various rule set descriptions and pick those which fit his 
 situation best.

Fine! I agree with you!! But I can't figure out which SARE rules I have
to use to block that email that SA does not block..

Moreover, could I update them with rules_du_jour?

PS: I have the following conf for rules_du_jour..

TRUSTED_RULESETS="TRIPWIRE RANDOMVAL BOGUSVIRUS";

BR,

rocsca


RE: Spamassassin does block some email

2007-02-09 Thread Rocco Scappatura
  Speaking of ninjas one slipped in here and whispered in my ear that 
  the original problem rocsca had might benefit from the anti 
 drug rules 
  on the SARE web site. He should read the various rule set 
 descriptions 
  and pick those which fit his situation best.
 
 Fine! I agree with you!! But I can't figure out which SARE 
 rules I have to use to block that email that SA does not block..
 
 Moreover, could I update it with rules_du_jour?
 
 PS: I have the following conf for rules_du_jour..
 
 TRUSTED_RULESETS=TRIPWIRE RANDOMVAL BOGUSVIRUS;

Maybe I have to use 70_sare_obfu*.cf ruleset files?

It seems to me that my SA configuration doesn't load them.. In fact I
have only these cf files, other than those in the SA dir (/etc/mail/spamassassin):

path_to_SA/10_misc.cf
path_to_SA/20_advance_fee.cf
path_to_SA/20_anti_ratware.cf
path_to_SA/20_body_tests.cf
path_to_SA/20_compensate.cf
path_to_SA/20_dnsbl_tests.cf
path_to_SA/20_drugs.cf
path_to_SA/20_fake_helo_tests.cf
path_to_SA/20_head_tests.cf
path_to_SA/20_html_tests.cf
path_to_SA/20_meta_tests.cf
path_to_SA/20_net_tests.cf
path_to_SA/20_phrases.cf
path_to_SA/20_porn.cf
path_to_SA/20_ratware.cf
path_to_SA/20_uri_tests.cf
path_to_SA/23_bayes.cf
path_to_SA/25_accessdb.cf
path_to_SA/25_antivirus.cf
path_to_SA/25_body_tests_es.cf
path_to_SA/25_body_tests_pl.cf
path_to_SA/25_dcc.cf
path_to_SA/25_dkim.cf
path_to_SA/25_domainkeys.cf
path_to_SA/25_hashcash.cf
path_to_SA/25_pyzor.cf
path_to_SA/25_razor2.cf
path_to_SA/25_replace.cf
path_to_SA/25_spf.cf
path_to_SA/25_textcat.cf
path_to_SA/25_uribl.cf

PS: What other cf files are worth using without overloading the server?

BR,

rocsca


Token expiration and MySQL

2007-02-07 Thread Rocco Scappatura
Hello,

I have two different SpamAssassin installations on two different servers.
They store information on two different MySQL server databases.

On both I have scheduled several jobs for forcing expiration of tokens.
In crontab I have the following lines:


30 4 * * 0 sa-learn -u amavis --dump magic
40 4 * * 0 sa-learn --sync --force-expire
50 4 * * 0 sa-learn -u amavis --dump magic
0 5 * * 0 echo "optimize table bayes_expire, bayes_seen, bayes_token, awl;" | mysql -u bayes -h mysql2.sttspa.intranet -p* bayes

While on one server I get that regularly tokens are expired (for
example:

Date: Sun, 17 Dec 2006 04:40:38 +0100
From: Cron Daemon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Cron [EMAIL PROTECTED] sa-learn --sync --force-expire

expired old bayes database entries in 37 seconds
18682012 entries kept, 76418 deleted
token frequency: 1-occurrence tokens: 1.83%
token frequency: less than 8 occurrences: 0.33%

) on the other one I always get that the tokens are not expired (for
example:

Date: Sun, 4 Feb 2007 04:40:01 +0100
From: Cron Daemon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Cron [EMAIL PROTECTED] sa-learn --sync --force-expire
X-Cron-Env: SHELL=/bin/sh
X-Cron-Env: HOME=/var/amavis
X-Cron-Env: PATH=/usr/bin:/bin
X-Cron-Env: LOGNAME=amavis
X-Virus-Scanned: by amavisd-new

[16717] warn: FuzzyOcr: Cannot find executable for ocrad
[16717] warn: FuzzyOcr: Cannot find executable for pamthreshold
[16717] warn: FuzzyOcr: Cannot find executable for tesseract
expired old bayes database entries in 617 seconds
13109996 entries kept, 0 deleted
token frequency: 1-occurrence tokens: 79.61%
token frequency: less than 8 occurrences: 16.04%

)

Could someone explain why on the second machine the tokens are never
expired?

PS: The local.cf is the same on both machines and I don't get any
error message..

BR,

rocsca


Spamassassin does block some email

2007-02-07 Thread Rocco Scappatura

Hello,

SA doesn't succeed in blocking some emails (lately there are many!), especially
emails with pharmaceutical content, where the name is disguised and
the links are changed, with a comment added on how to obtain the right link
to type into the address bar of the browser to reach the cheating site..

Could someone instruct me about this kind of spam?

BR,

rocsca


RE: Spamassassin does block some email

2007-02-07 Thread Rocco Scappatura
 There has been quite a bit of discussion of these spams recently.
 
 See the current TVD_SILLY_URI_OBFU thread.

I will do..

Thanks,

rocsca


RE: Token expiration and MySQL

2007-02-07 Thread Rocco Scappatura
 Not without seeing -D output.  My guess is most of your 
 tokens are within a very small timestamp band.

Tonight I will collect the verbose debug output and submit it to you..

Thanks,

rocsca


Mail sent from Lotus Notes blocked

2007-01-19 Thread Rocco Scappatura

Hello,

I use amavisd-new. When I send emails from Lotus Notes they get blocked.

Even if they are plain messages. Indeed, they are MIME messages,
however.

I would like to verify if there is a way to analyse which tokens
raise the score so that the message is considered spam while the
message is really a false positive.

TIA;

rocsca


AWL question

2007-01-17 Thread Rocco Scappatura
Hello,

I use SA storing data on MySQL databases.

I have seen that the awl contains email addresses with the value 'none' in the
field 'IP'.

Why is this field not correctly filled for some entries?

Thanks,

rocsca


Expiring tokens in SA database

2007-01-17 Thread Rocco Scappatura
Hello,

I'm using SA with MySQL.

I have two Amavisd-new servers, each talking with a different MySQL
server.

Every night I regularly run this command:

sa-learn --sync --force-expire

for database maintenance.

I have noticed that on the first the 'bayes_token' table always occupies
about 1GB and the size never decreases even after I execute the command
above (see the output in the file attached), while on the second database
the same table occupies less space (about 250 MB).

It seems to me that the expiring doesn't work at all and I can't figure
out why.

Can somebody give an explanation?

TIA,

rocsca


sa-learn.out
Description: sa-learn.out


RE: Expiring tokens in SA database

2007-01-17 Thread Rocco Scappatura
 Do you compact the database afterwards?
 
 Nigel

No. How do I have to do it?

rocsca


RE: AWL question

2007-01-17 Thread Rocco Scappatura
Thanks for your answer,

  I have seen that the awl contains email addresses with the value 'none' in 
  the field 'IP'.
 
  Why is this field not correctly filled for some entries?
 
 Perhaps it could be that mail was submitted locally (not with 
 SMTP), over IPv6 or that the IP address couldn't be extracted 
 for some other reason.

No, the email is not submitted locally and goes over TCP. So I think that it is
the second reason you have said.. But why could the IP not be
extracted? (I have many such cases!!!)

BR,

rocsca


RE: Expiring tokens in SA database

2007-01-17 Thread Rocco Scappatura
Hello,

  Do you compact the database afterwards?
  
  Nigel
 
 No. How do I have to do it?
 
 rocsca
 
 From the CL use something like this:
 
 mysql -u root --password=yourpassword -e "USE spamassassin; OPTIMIZE TABLE awl, bayes_expire, bayes_seen, bayes_token, bayes_vars;"
 
 Your tables may differ slightly from mine, and some may have 
 no content at all; initially try compacting the one that's biggest.
 

In fact, that was the problem!!

Many thanks,

rocsca
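
The two suggestions made in the expiry threads above (tokens sitting in a narrow timestamp band, and a table that was never compacted) can both be checked from the MySQL side; the queries below are an added example, not part of any post in the archive. They assume the stock SpamAssassin SQL schema (bayes_token.atime holding a Unix timestamp, bayes_vars holding one row per Bayes user) and a database named 'bayes' as in the cron line quoted earlier; adjust the schema name if yours differs.

```sql
-- Added example (not from the thread). Assumptions: stock SpamAssassin
-- MySQL schema, database name 'bayes'.

-- 1. Width of the atime band per Bayes user. Expiry drops tokens by last
--    access time, so if band_days is small there is little for
--    "sa-learn --force-expire" to delete ("N entries kept, 0 deleted").
SELECT v.username,
       COUNT(*)                                        AS tokens,
       FROM_UNIXTIME(MIN(t.atime))                     AS oldest_atime,
       FROM_UNIXTIME(MAX(t.atime))                     AS newest_atime,
       ROUND((MAX(t.atime) - MIN(t.atime)) / 86400, 1) AS band_days
FROM bayes_token t
JOIN bayes_vars  v ON v.id = t.id
GROUP BY v.username;

-- 2. Tokens per day of last access, to see where the bulk of the band sits.
SELECT FROM_UNIXTIME(atime, '%Y-%m-%d') AS atime_day,
       COUNT(*)                         AS tokens
FROM bayes_token
GROUP BY atime_day
ORDER BY atime_day;

-- 3. Space still held by deleted rows. A large reclaimable_mb after a
--    successful expiry run means the table has not been compacted.
SELECT table_name,
       ROUND(data_length  / 1048576) AS data_mb,
       ROUND(index_length / 1048576) AS index_mb,
       ROUND(data_free    / 1048576) AS reclaimable_mb
FROM information_schema.tables
WHERE table_schema = 'bayes'
  AND table_name IN ('awl', 'bayes_expire', 'bayes_seen',
                     'bayes_token', 'bayes_vars');

-- 4. Compact the largest table first, then re-run query 3 to confirm
--    that reclaimable_mb has dropped.
OPTIMIZE TABLE bayes_token;
```

Queries 1 and 2 scan the whole token table, so on a database with millions of tokens they are best run outside mail peak hours.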