Re: help lowering score on a specific email list situation

2009-03-28 Thread Steven Stern

On 03/28/2009 04:32 PM, RobertH wrote:
 hello
 
 i have problems with the cabletv.org email list.
 
 it is hosted on a charter static and has weird reverse dns etc etc blah.
 
 so, almost always scores as spam
 
 here is what it is tripping on...
 
   0.7 FH_HOST_EQ_D_D_D_D  Host starts with d-d-d-d
   1.2 HOST_EQ_STATIC      HOST_EQ_STATIC
   0.7 FH_HOST_EQ_D_D_D_DB Host is d-d-d-d
   1.3 HOST_EQ_CHARTER     HOST_EQ_CHARTER
   1.9 TVD_RCVD_IP         TVD_RCVD_IP
   0.5 FROM_NOT_REPLYTO    From: does not match Reply-To:
  -2.6 BAYES_00            BODY: Bayesian spam probability is 0 to 1%
                           [score: 0.]
   1.5 SAGREY              Adds 1.0 to spam from first-time senders
 
 pastebin said the headers tripped the spam filter so i have to post this
 way...
 
 here are some headers.
 
 http://www.abbacomm.net/temp/salisthdr1.txt
 
 can someone help me formulate a good rule to reduce scoring.
 
 i tried this, yet it is obviously not working because of my faulty logic i
 presume.
 
 header SPEC_DOMAIN_CABLE From =~ /\...@cabletv\.org/
 describe SPEC_DOMAIN_CABLE   Reduce score for domain cabletv.org
 score SPEC_DOMAIN_CABLE  -5.0
 
 i am looking for something reliable to key on and i am certainly not a rule
 creation expert yet...
 
 ..and i need help from you much more expert people please?
 
 :-)
 
 thanks in advance...
 
  - rh
 
 
 

How about

whitelist_from_spf *@cabletv.org  (if it passes SPF tests) or
whitelist_from *@cabletv.org

--

  Steve


unable to find user?

2009-02-10 Thread Steven Stern
We're running SpamAssassin on three machines, two Fedora 8 and one the
latest CENTOS. We're trying to move all of the SA installations to
CENTOS. These are MX servers that front an Exchange server.

The systems are all set up using the same .cf and init.d files, but
we're seeing a difference.  We run a single user system -- all mail
should be processed by one set of rules and bayes is handled as the user
'root' through MySQL.

On CENTOS, we see this in maillog:

 spamd: handle_user unable to find user 'abc'

for each incoming message.  We do not see that message under Fedora.

Aside from just ignoring it, what should we be looking at?


# ps -ef | grep spam

sa-milt   8512     1  0 12:14 ?        00:00:02 /usr/sbin/spamass-milter -p /var/run/spamass-milter/spamass.sock -f -u sa-milt -i 127.0.0.1,10.0.0.0/8 -r 10 -- -d localhost -p 783
root     11501     1  0 13:28 ?        00:00:03 /usr/bin/spamd -d -u spamass --max-children=20 --min-children=6 --max-spare=8 -r /var/run/spamassassin/spamd.pid






Re: sa-learn from internal mail server ?

2008-11-26 Thread Steven Stern

On 11/26/2008 04:14 PM, Sam Ami wrote:
 hi all
 
 our current setup.
 primary mx for all our email domains installation: qmail,spamassassin,clamav
 all email is inline scanned and then relayed to the internal server
 for delivery to users mailbox
 
 question.
 is it possible to use sa-learn in this situation ?
 we still get a lot of spam and i'd like to teach SA if possible by
 using sa-learn.
 
 any suggestions ?
 

Here's how we handle it with Exchange

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/

--

  Steve


Re: sa-learn with IMAP

2008-09-01 Thread Steven Stern

On 09/01/2008 01:29 PM, Raymond Jette wrote:
 Good afternoon,
 
 I am trying to use sa-learn with a Microsoft Exchange server. The users
 move spam / ham messages from their Inbox to a Public folder. The public
 folder is accessible via IMAP.
 
  
 
 How can I get the message from Exchange for sa-learn to work using IMAP?
 
  
 
 Thanks for any help you may provide.
 

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/


--

  Steve


What is current version of Botnet plugin?

2008-08-04 Thread Steven Stern
I've found Botnet 0.6 and references to Botnet 0.8(ebuild). What's the 
preferred version for this plugin?


Re: MySQL Unreliable

2008-05-16 Thread Steven Stern

Marc Perkel wrote:

Need a little help for MySQL users.

I'm running several servers that are using a common MySQL server for 
bayes for all the SA servers. What I'm seeing is that MySQL is just 
plain unreliable. The database is often corrupted and it does so in a 
manner that basically causes SA to hang until it times out. I'm not sure 
what I'm doing wrong or if there's some my.cnf settings I'm missing. I 
could use some tips from those of you who are hitting MySQL hard or 
might suggest something other than MySQL that I should use for bayes.


Thanks in advance.



We use innodb for all the sa_bayes tables.  Here's some tuning settings 
we use in  my.cnf for the server:


query_cache_limit = 1M
query_cache_size = 12M
query_cache_type = 1
innodb_additional_mem_pool_size=12M
innodb_buffer_pool_size=70M
innodb_log_file_size=10M


Re: Integrating Spam assasin with exchange server.

2008-05-15 Thread Steven Stern


On 05/15/2008 07:33 AM, ejml wrote:
| Hello Steven,
|
| I'm very interested in how I can forward the message with the header
| rewritten to the final user, because I get only a warning spam arrival message.
| Are there some parameters that I'm forgetting?
|
| Thanks.
|
| Steven Stern wrote:
| Crespillo, Matias wrote:
| I apologize in advance for making a lazy question, but is there a quick
| guide somewhere as to how to integrate Spam Assassin with an exchange
| server? Or maybe some way to set it in a way it will get the mails
| before,
| filter and then forward them to exchange unchanged?.
|
| Thanks a lot in advance.
|
| We have spamassassin sitting in front of the exchange server.
|
| Basically, the MX record for our domains point to Linux boxes. On each
| of those boxes, we're running SpamAssassin and ClamAV. SpamAssassin uses
| a site wide, SQL based Bayes database local to each box, with a few
| tricks to help synchronize mail reclassified by Exchange users as ham or
| spam.
|
| Only after passing through the MX servers does mail arrive at Exchange.
|  (The firewall permits SMTP connections from the MX servers only.)  On
| Exchange, we're using Symantec AV to provide another layer of virus
| protection.
|
| We don't forward the mail unchanged. If mail is spam, the headers are
| re-written to put *SPAM?* at the front of the subject line and to make
| the original message an attachment.  Of course, if the mail isn't marked
| as spam, it's transparent to the users.
|


In /etc/mail/spamassassin/local.cf:

# Whether to change the subject of suspected spam
rewrite_header subject *SPAM _SCORE_*
# Encapsulate spam in an attachment
report_safe 1



--

  Steve


Re: AWL Database Cleanup

2008-04-25 Thread Steven Stern


On 04/25/2008 06:32 PM, listmail wrote:
| I noticed that the AWL database was getting rather large, so I used the
| check_whitelist script to remove the stale entries. While this seems to have
| removed a lot of entries from the database, it did not reduce the database size.
|
| Does anyone know what kind of a database this is, and in particular, how to do
| a cleanup that will remove unused records? The database is currently located
| on a RAM drive, so space is important due to scarcity as well as the potential
| speed issues from letting it grow too large.
|

I use MySQL for the AWL database and added a timestamp, lastupdate
column to the table.  I then have a script that runs every night:

DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);
DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 15 DAY);



--

  Steve


Re: AWL Database Cleanup

2008-04-25 Thread Steven Stern


On 04/25/2008 06:57 PM, listmail wrote:
| This looks like a good way of dealing with the AWL database, but I don't
| see anything in the documentation - did you hack in the MySQL support
| yourself, or is there an option that I missed?
|
| For the moment, I'm trying to find a simple solution, such as locating a tool
| that is capable of managing whatever database SA uses by default for the AWL.
| From looking at the scripts, it appears to be something built in to Perl.
|
| On Fri, 25 Apr 2008 18:49:01 -0500, Steven Stern wrote
| On 04/25/2008 06:32 PM, listmail wrote:
| | I noticed that the AWL database was getting rather large, so I used the
| | check_whitelist script to remove the stale entries. While this seems to have
| | removed a lot of entries from the database, it did not reduce the database size.
| |
| | Does anyone know what kind of a database this is, and in particular, how to do
| | a cleanup that will remove unused records? The database is currently located
| | on a RAM drive, so space is important due to scarcity as well as the potential
| | speed issues from letting it grow too large.
| |
|
| I use MySQL for the AWL database and added a timestamp, lastupdate
| column to the table.  I then have a script that runs every night:
|
| DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);
| DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 15 DAY);
|

http://search.cpan.org/src/FELICITY/Mail-SpamAssassin-3.0.2/sql/README.bayes



then just add a timestamp column lastupdate to AWL.

--

  Steve


Perl problem (Scalar::Util)

2008-02-29 Thread Steven Stern

I'm getting the following error from various perl programs:

$sa-update
Use of uninitialized value in concatenation (.) or string at 
/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/Scalar/Util.pm line 30.


OK... maybe we need an update:


[EMAIL PROTECTED] ~]# perl -MCPAN -e shell
cpan> install Scalar::Util
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
  Database was generated on Fri, 29 Feb 2008 15:31:08 GMT
Scalar::Util is up to date.

Anyone have a solution?



Re: Perl problem (Scalar::Util)

2008-02-29 Thread Steven Stern


On 02/29/2008 03:57 PM, Bill Landry wrote:
| Steven Stern wrote:
| I'm getting the following error from various perl programs:
|
| $sa-update
| Use of uninitialized value in concatenation (.) or string at
| /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/Scalar/Util.pm line 30.
|
| OK... maybe we need an update:
|
|
| [EMAIL PROTECTED] ~]# perl -MCPAN -e shell
| cpan> install Scalar::Util
| CPAN: Storable loaded ok
| Going to read /root/.cpan/Metadata
|   Database was generated on Fri, 29 Feb 2008 15:31:08 GMT
| Scalar::Util is up to date.
|
| Anyone have a solution?
|
|
| For some reason yum perl updates on Fedora 8 cause this to happen for
| me.  Even though CPAN reports that you have the latest version of
| Scalar::Util, you will still need to download, compile, and install
| Scalar-List-Utils-1.19.tar.gz.  This should resolve the issue for you,
| at least it has worked for me the last few perl updates.
|
| GL,
|
| Bill
|
I found out this also works:

  $ cpan
  cpan> force install Scalar::Util
--

  Steve


Re: -max-child setting not obeyed?

2008-02-28 Thread Steven Stern


On 02/28/2008 05:16 PM, fchan wrote:
| Hi,
| I have set my --max-child to 30 but I look at my logs and it appears
| that this is not obeyed.
|
| Here is my spamd options:
| SPAMDOPTIONS=-d -m 30 -H
|
| Here is what I see in the logs:
| Feb 28 10:57:29 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:29 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
| Feb 28 10:57:29 s1 spamd[15740]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45480
| Feb 28 10:57:29 s1 spamd[15740]: spamd: checking message [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:31 s1 spamd[15740]: spamd: identified spam (106.3/8.0) for qscand:510 in 2.8 seconds, 862 bytes.
| Feb 28 10:57:31 s1 spamd[15740]: spamd: result: Y 106 - BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DIGEST_MULTIPLE,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPEURIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=2.8,size=862,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45480,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam
|
| Feb 28 10:57:32 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:32 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
| Feb 28 10:57:32 s1 spamd[15740]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45485
| Feb 28 10:57:32 s1 spamd[15740]: spamd: checking message [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:32 s1 spamd[15592]: spamd: identified spam (27.6/8.0) for qscand:510 in 8.3 seconds, 1725 bytes.
| Feb 28 10:57:32 s1 spamd[15592]: spamd: result: Y 27 - BAYES_99,BOTNET,DATE_IN_PAST_06_12,DNS_FROM_RFC_DSN,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL scantime=8.3,size=1725,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45475,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam
|
| Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
| Feb 28 10:57:33 s1 spamd[15592]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45491
| Feb 28 10:57:33 s1 spamd[15592]: spamd: checking message (unknown) for qscand:510
| Feb 28 10:57:33 s1 spamd[15742]: spamd: identified spam (34.2/8.0) for qscand:510 in 8.0 seconds, 2605 bytes.
| Feb 28 10:57:33 s1 spamd[15742]: spamd: result: Y 34 - AWL,BAYES_50,MANHOOD,MISSING_MID,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=8.0,size=2605,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45477,mid=(unknown),bayes=0.49,autolearn=spam
|
| Feb 28 10:57:33 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:33 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
| Feb 28 10:57:33 s1 spamd[15742]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45492
| Feb 28 10:57:33 s1 spamd[15742]: spamd: checking message [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:34 s1 spamd[15739]: spamd: identified spam (26.1/8.0) for qscand:510 in 9.9 seconds, 1642 bytes.
| Feb 28 10:57:34 s1 spamd[15739]: spamd: result: Y 26 - BAYES_99,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,HTML_MESSAGE,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,SUBJ_YOUR_DEBT,URIBL_BLACK,URIBL_JP_SURBL scantime=9.9,size=1642,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45476,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=spam
|
| Feb 28 10:57:35 s1 spamd[15535]: prefork: child states: B
| Feb 28 10:57:35 s1 spamd[15535]: prefork: server reached --max-children setting, consider raising it
| Feb 28 10:57:35 s1 spamd[15739]: spamd: connection from localhost.localdomain [127.0.0.1] at port 45493
| Feb 28 10:57:35 s1 spamd[15739]: spamd: checking message [EMAIL PROTECTED] for qscand:510
| Feb 28 10:57:35 s1 spamd[15591]: spamd: identified spam (102.3/8.0) for qscand:510 in 8.1 seconds, 784 bytes.
| Feb 28 10:57:35 s1 spamd[15591]: spamd: result: Y 102 - BAYES_99,BODY_ENHANCEMENT,BODY_ENHANCEMENT2,BOTNET,DATE_IN_PAST_06_12,DOS_OE_TO_MX,FORGED_MUA_OUTLOOK,INVALID_MSGID,PYZOR_CHECK,RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE,STOX_REPLY_TYPE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL scantime=8.1,size=784,user=qscand,uid=510,required_score=8.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=45479,mid=[EMAIL PROTECTED],bayes=1.00,autolearn=unavailable
|
|
| It appears I hit 5 child processes as shown 

Re: Expiry problem

2008-01-24 Thread Steven Stern

Michael Parker wrote:


On Jan 23, 2008, at 9:54 PM, Steven Stern wrote:



It's finally started to remove tokens, so I think I'm OK. We use SQL
bayes, so it was an easy matter to use

  delete from bayes_token where atime > UNIX_TIMESTAMP();

to clean up the stuff from the future.




But now your bayes_vars table is broken/off.  You might want to update 
those counts as well.




I did that, too.


Expiry problem

2008-01-23 Thread Steven Stern
We had a server go crazy last night and reset its date into August of 
2277.  In any case, we've resolved that, but now I can't get bayes to 
expire.


After the clock was correctly set, I deleted all tokens that had a 
lastupdate in the future, and also removed similar bayes_seen rows.  I 
then reset the token count in bayes_vars to the correct value.


When I try to run sa-learn --force-expire, nothing gets expired and the 
token list keeps growing.  Will this get better on its own or do I need 
to intervene?


[14256] dbg: bayes: using username: root
[14256] dbg: bayes: database connection established
[14256] dbg: bayes: found bayes db version 3
[14256] dbg: bayes: Using userid: 1
[14256] dbg: config: score set 3 chosen.
[14256] dbg: learn: initializing learner
[14256] dbg: bayes: bayes journal sync starting
[14256] dbg: bayes: bayes journal sync completed
[14256] dbg: bayes: expiry starting
[14256] dbg: bayes: expiry check keep size, 0.75 * max: 112500
[14256] dbg: bayes: token count: 443162, final goal reduction size: 330662
[14256] dbg: bayes: first pass? current: 1201117198, Last: 1201117194, 
atime: 43200, count: 1231, newdelta: 160, ratio: 268.612510154346, 
period: 43200
[14256] dbg: bayes: can't use estimation method for expiry, unexpected 
result, calculating optimal atime delta (first pass)

[14256] dbg: bayes: expiry max exponent: 9
[14256] dbg: bayes: atime token reduction
[14256] dbg: bayes:  ===
[14256] dbg: bayes: 43200 528
[14256] dbg: bayes: 86400 0
[14256] dbg: bayes: 172800 0
[14256] dbg: bayes: 345600 0
[14256] dbg: bayes: 691200 0
[14256] dbg: bayes: 1382400 0
[14256] dbg: bayes: 2764800 0
[14256] dbg: bayes: 5529600 0
[14256] dbg: bayes: 11059200 0
[14256] dbg: bayes: 22118400 0
[14256] dbg: bayes: couldn't find a good delta atime, need more token 
difference, skipping expire

[14256] dbg: bayes: expiry completed


Re: Expiry problem

2008-01-23 Thread Steven Stern


On 01/23/2008 07:35 PM, Matt Kettler wrote:
| Steven Stern wrote:
| We had a server go crazy last night and reset its date into August of
| 2277.  In any case, we've resolved that, but now I can't get bayes to
| expire.
|
| After the clock was correctly set, I deleted all tokens that had a
| lastupdate in the future, and also removed similar bayes_seen rows.  I
| then reset the token count in bayes_vars to the correct value.
|
| When I try to run sa-learn --force-expire, nothing gets expired and
| the token list keeps growing.  Will this get better on its own or do I
| need to intervene?
| You might need to ditch your bayes database.
|
| The database will, over time, partially fix itself, but right now any
| one off tokens learned while the date was off are stuck in your bayes
| DB until 2277. SA's expiry method is based on the age of a token,
| based on when it was last accessed. That method has absolutely no way to
| deal with atimes that are in the future, so it will never try to expire
| those tokens.
|
| It can partially fix itself, because every time a token gets accessed,
| its atime gets updated. So as the more common tokens get used, they'll
| start rotating out as they would normally. However, any unique tokens
| are stuck there.
|
| If you're *really* desperate to preserve the bayes DB, you could wait a
| couple days, do a sa-learn --backup, use grep to remove all the lines
| with absurd atimes, then use sa-learn --restore. That's a good bit of
| work to go through...
|
| If you decide to go this route:  For reference, and assuming my
| scratchpad math is right, the atimes for 2277 should be around 9.6
| billion, while the ones for 2008 should be around 1.2 billion. Of
| course, that's assuming the atimes are stored 64 bit and aren't wrapping
| as 32 bit numbers.. However, if that were the case, they'd be wrapping
| to 2004, and your expire numbers should show really high token
| eliminations, not really low..
|

It's finally started to remove tokens, so I think I'm OK. We use SQL
bayes, so it was an easy matter to use

  delete from bayes_token where atime > UNIX_TIMESTAMP();

to clean up the stuff from the future.


--

  Steve
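
For installations without SQL Bayes, the backup / filter / restore route Matt Kettler describes in the quoted text can be scripted. This is an added sketch, not code from the thread or from SpamAssassin; the tab-separated dump layout, the function names and the one-day skew allowance are assumptions to verify against a real `sa-learn --backup` dump first.

```python
#!/usr/bin/env python3
"""Drop Bayes tokens whose atime lies in the future from an sa-learn backup.

Assumed dump layout (tab-separated, one record per line):
    v <value> <name>                           database variable
    t <spam_count> <ham_count> <atime> <token> one token
    s <flag> <msgid>                           one "seen" message
"""
import sys
import time

SLACK_SECONDS = 86400  # assumption: tolerate up to a day of ordinary clock skew


def filter_backup(lines, now=None, slack=SLACK_SECONDS):
    """Return (kept_lines, dropped); dropped counts future-dated token records."""
    if now is None:
        now = int(time.time())
    cutoff = now + slack
    kept, dropped = [], 0
    for lineno, line in enumerate(lines, 1):
        fields = line.rstrip("\r\n").split("\t")
        if fields[0] == "t":
            try:
                if len(fields) != 5:
                    raise ValueError
                atime = int(fields[3])
            except ValueError:
                # Refuse to guess: a damaged dump should not be restored.
                raise ValueError(f"line {lineno}: malformed token record") from None
            if atime > cutoff:
                dropped += 1
                continue
        # Variable ("v") and seen ("s") records pass through unchanged.
        kept.append(line)
    return kept, dropped


def atime_range(lines):
    """Return (oldest, newest) atime among token records, or None without tokens."""
    atimes = [int(l.split("\t")[3]) for l in lines if l.startswith("t\t")]
    return (min(atimes), max(atimes)) if atimes else None


# Constructed sample: two tokens carry atimes from the year 2277.
SAMPLE_BACKUP = [
    "v\t3\tdb_version # this must be the first line!!!\n",
    "v\t1200\tnum_spam\n",
    "v\t800\tnum_nonspam\n",
    "t\t4\t0\t1201000000\t0a1b2c3d4e\n",
    "t\t1\t0\t9704000000\t5f6a7b8c9d\n",
    "t\t0\t2\t1201117000\taabbccddee\n",
    "t\t1\t0\t9704000100\t1122334455\n",
    "s\ts\tconstructed-msgid-1@example.invalid\n",
]


if __name__ == "__main__":
    # Reads a dump on stdin, writes the cleaned dump to stdout.
    kept, dropped = filter_backup(sys.stdin.readlines())
    sys.stdout.writelines(kept)
    print(f"dropped {dropped} future-dated tokens; "
          f"remaining atime range: {atime_range(kept)}", file=sys.stderr)
```

Feed it the output of `sa-learn --backup` on stdin and pass the cleaned file to `sa-learn --restore`; check the reported atime range before restoring.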


Re: sa-learn error message

2008-01-17 Thread Steven Stern

Theo Van Dinter wrote:

On Thu, Jan 17, 2008 at 03:28:06PM -0600, Steven Stern wrote:

bayes db version 0  indicates your bayes file is corrupt. It should be
version 3.  Do you have a backup?  SQL or .db?


It doesn't necessarily mean there's corruption,
in fact, since the learning continued and seemed
to finish ok, it's unlikely to be corruption.  See
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3563 for a possible
libdb issue which causes it.



Thanks. I ran into this when I hosed the sa_bayes MySQL database as we 
were cloning one of our MX servers.


Re: Is it? Blocked by SpamAssassin

2008-01-15 Thread Steven Stern


On 01/15/2008 07:24 AM, Umar Murtaza wrote:
|
| Who exactly is blocking this email?
| Can I have a setting to keep a copy/archive of this email, if it is
| blocked?
|
|
| Logs:
| Jan 15 18:18:43 mailserver sendmail[20774]: m0FDIbQ2020774: from=[EMAIL PROTECTED], size=772, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=20178105070.someotherdomaine.br [201.78.105.70] (may be forged)
| Jan 15 18:18:43 mailserver sendmail[20774]: m0FDIbQ2020774: Milter add: header: X-Virus-Status: Clean
| Jan 15 18:18:46 mailserver sendmail[20774]: m0FDIbQ2020774: Milter add: header: X-Spam-Flag: YES
| Jan 15 18:18:46 mailserver sendmail[20774]: m0FDIbQ2020774: Milter add: header: X-Spam-Status: Yes, score=19.3 required=5.0 tests=BAYES_50,DCC_CHECK,\n\tHTML_MESSAGE,HTML_TAG_BALANCE_BODY,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,\n\tRCVD_IN_PBL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,\n\tURIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_RHS_DOB,URIBL_SBL autolearn=spam\n\tversion=3.2.4
| Jan 15 18:18:46 mailserver sendmail[20774]: m0FDIbQ2020774: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
| Jan 15 18:18:46 mailserver sendmail[20774]: m0FDIbQ2020774: to=[EMAIL PROTECTED], delay=00:00:05, pri=30772, stat=Blocked by SpamAssassin

Your system is blocking the incoming message.  What milter are you
using?  If you are using spamass-milter, then you cannot both reject a
message and keep a copy.

--

  Steve


Re: Get HAM's from Exchange / Outlook

2007-12-21 Thread Steven Stern

Jason Bertoch wrote:

On Thursday, December 20, 2007 5:49 PM Steven Stern wrote:

  

Jason Holbrook wrote:


Hello all, anyone have an idea of how to get HAM's from an exchange /
Outlook environment back to SA?


  

I've posted a howto at

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/



Steven,

Would you mind elaborating on the spamiam.fetchmailrc script?  What
interpreter are you using and what packages are prerequisites?
  
All you need is fetchmail, and it's probably already installed in your 
distro.  spamiam.fetchmailrc is read by fetchmail, giving it the 
necessary instructions to fetch mail from a public folder on the 
Exchange server.




Re: Get HAM's from Exchange / Outlook

2007-12-20 Thread Steven Stern

Jason Holbrook wrote:


Hello all, anyone have an idea of how to get HAM’s from an exchange / 
Outlook environment back to SA?


My incoming is scanned by a SA gateway but outgoing goes straight from 
exchange to the cloud.


Best Regards,

Jason Holbrook


I've posted a howto at

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/


Re: Virus found in this message, probe?

2007-12-12 Thread Steven Stern

Kenneth Porter wrote:
Anyone seen these? text/plain and HTML parts, seem to have same 
content, saying there's a virus, please delete, and some gibberish. 
I'm guessing it's some kind of probe.

There was a web address hidden by a malformed CSS tag.


Re: spamd throughput issues

2007-12-09 Thread Steven Stern

On 12/09/2007 03:27 PM, Mark Rigby-Jones wrote:
 On 9 Dec 2007, at 21:03, Paweł Sasin wrote:
 are you using network tests?
 Try to evaluate spamd performance when run with the -L flag.
 
 We are running network tests. Disabling them helps somewhat, in that the
 emails which were already scanning relatively quickly do so even faster.
 However, once the number of child processes is increased, there are
 still a significant proportion which are taking several minutes to scan...
 

Have you tried running a local caching name server? That can cut down on
times to do repetitive name lookups.


- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHXGDieERILVgMyvARAnlLAJkB8NDU7ZsYy6PhyXFAg8emyP5CDQCfc2Y7
cEwCMBwVGz4D+LnqqQlM2oA=
=9QIN
-END PGP SIGNATURE-


Re: Unique Blacklist Whitelist configuration or an allow only list

2007-11-17 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 11/17/2007 09:35 AM, robgeo730 wrote:
 Hello I'm a new user, I have used the search function but wasn't able to find
 a situation like mine.
 
 I am fighting an uphill battle against a crappy hosting company that I can't
 change from.  We have our mail filtered via a Barracuda device (which is
 working really well) that is on our MX, it then routes good email to the
 SMTP server.  The problem is that the SMTP server needs to be accessible for
 our users to relay mail through it.  Spammers are just doing port scans,
 finding our SMTP server and sending spam directly to it bypassing the
 Barracuda on the MX.  The SMTP server has Spamassassin 2.63 on it (hosting
 company wants to charge $200 to put 3.x on it and we can't upgrade it
 ourselves)
 
 
 1. Would any legitimate email be sent directly to our IP or is it just
 spammers who bypass the MX to send spam? I think it would just be spammers
 as bypassing the MX is probably a violation of the SMTP RFC.
 
 2. Since Spamassassin is on our SMTP server can a rule be created to only
 allow email to be delivered to the users if it comes from the Barracuda MX?
 This is with the assumption that email bypassing the MX has to be spam.
 
 Keep in mind that I don't have full access to the server.  I can put a rule
 in place and then I need to request the hosting company to restart the
 spamd.
 
 I appreciate any input
 
 Thanks,

Why not require SMTP authentication unless mail comes from your MX?
You'd have to walk your users through enabling SMTP authentication, but
that's just a one-time headache.

- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHPy7ReERILVgMyvARAkhUAJ9mEPGbC7c1zRRGhYzkpIfzVjkkJgCfdD/+
6Z9GLh1RIYaXraEC8sbv9UU=
=XBhH
-END PGP SIGNATURE-


Robert Sexton filter

2007-10-02 Thread Steven Stern
We get many, many emails from a Robert Sexton who claims he'll do 
wonders with search engine placement.  As fast as I add an address to 
the blacklist, he comes in with another.  For example, from the AWL 
tables on one of our MX servers:


+----------+-------------------+--------+-------+----------+---------------------+
| username | email             | ip     | count | totscore | lastupdate          |
+----------+-------------------+--------+-------+----------+---------------------+
| root     | [EMAIL PROTECTED] | 66.174 |    11 |   37.181 | 2007-08-18 13:24:14 |
| root     | [EMAIL PROTECTED] | 70.213 |     5 |   -7.428 | 2007-10-02 10:36:15 |
| root     | [EMAIL PROTECTED] | 72.130 |     5 |    2.525 | 2007-09-05 09:21:09 |
| root     | [EMAIL PROTECTED] | 75.215 |     2 |    2.186 | 2007-09-19 23:56:19 |
| root     | [EMAIL PROTECTED] | 66.174 |    13 |   35.819 | 2007-08-12 18:33:04 |
| root     | [EMAIL PROTECTED] | 75.213 |     3 |   17.766 | 2007-08-13 12:25:43 |
| root     | [EMAIL PROTECTED] | 66.174 |     2 |    5.389 | 2007-08-17 22:39:47 |
| root     | [EMAIL PROTECTED] | 70.213 |     5 |   29.189 | 2007-08-23 22:04:17 |
| root     | [EMAIL PROTECTED] | 75.213 |     2 |    3.428 | 2007-08-23 01:01:28 |
| root     | [EMAIL PROTECTED] | 75.214 |    11 |   11.003 | 2007-08-24 17:14:00 |
| root     | [EMAIL PROTECTED] | 75.215 |     9 |   79.981 | 2007-08-21 04:13:11 |
| root | [EMAIL PROTECTED]

Does anyone have a rule handy that would replace my blacklist_from 
entries with something more versatile?


Re: Robert Sexton filter

2007-10-02 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10/02/2007 11:06 AM, Theo Van Dinter wrote:
 On Tue, Oct 02, 2007 at 10:58:26AM -0500, Steven Stern wrote:
 We get many, many emails from a Robert Sexton who claims he'll do 
 wonders with search engine placement.  As fast as I add an address to 
 the blacklist, he comes in with another.  For example, from the AWL 
 tables on one of our MX servers:
 
 Sounds like a good use of a MX block.
 
 Does anyone have a rule handy that would replace my blacklist_from 
 entries with something more versatile?
 
 Such as?  You can match all of these with a single blacklist_from.
 

Theo:  My regex experience is limited and often wrong. How would I best
do that?

- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHAs+XeERILVgMyvARAouRAJ0TBAyqWX+9sb06mFVYe0CazYjOJgCfVTGn
i67q6OAlUkD/wd9WzLKupCY=
=pFuJ
-END PGP SIGNATURE-


Re: bayes_seen = 256GB

2007-09-19 Thread Steven Stern

mfahey wrote:

SpamAssassin-3.2.0
Freebsd6.2

The file bayes_seen has grown in size to 256GB!  (274992939008)
How do I cap the size limit of this file? I want to have it not grow larger
than say 800mb at the most!

Thanks.

  
You can 'rm' the file or use MySQL for your backend and write a 
maintenance query that deletes rows over 2 weeks old.


Re: Question - How many of you run ALL your email through SA?

2007-08-16 Thread Steven Stern

Marc Perkel wrote:
OK - it's interesting that of all of you who responded this is the 
only person who is doing it right. I have to say that I'm somewhat 
surprised that so few people are preprocessing their email to reduce 
the SA load. As we all know SA is very processor and memory expensive.


Personally, I'm filtering 1600 domains and I route less than 1% of 
incoming email through SA. SA does do a good job on the remaining 1% 
that I can't figure out with blacklists and whitelists and Exim 
tricks, but if I ran everything through SA I'd have to have a rack of 
dedicated SA servers.


[EMAIL PROTECTED] wrote:

On Thursday, 16 August 2007, Marc Perkel wrote:
  

As opposed to preprocessing before using SA to reduce the load. (ie.
using blacklist and whitelist before SA)



I use:

At rcpt time:
callout to recipient
zen.spamhaus.org - Catches 90%
bl.spamcop.net
list.dsbl.org
callout to sender

At data time:
clamd (malware is rejected)
spamassassin (10 Rejected, 10 add headers) 


I think I will lower the spamassassin scores to 8 in the near future.

At the moment less than 5% spam reaches spamassassin.

  
   I had great results from grey-listing but my users didn't like 
having to wait 30-60-90 minutes for mail, and I understand that. When 
you're on the phone with someone and they say "Just sent it," they 
expect you to have it in a matter of seconds.  As I'm often in that 
position, I had to support that view and remove the grey-list.  I've 
tried absolute RBL blocking, but I'm happier having RBL as a weighted 
factor counting for or against the spamminess of an email.  We only 
process about 5,000 non-spam messages per day (out of about 45,000/day 
total) and are doing OK on a couple of old dual-processor systems 
running it through clamd and spamd with sendmail. 


Re: Mail server hosted by Comcast

2007-08-16 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 08/16/2007 10:43 AM, Matt wrote:
 I'm on Comcast and am having no problems.  I set the smarthost for
 sendmail to smtp.comcast.net and, at least so far, have not triggered
 anything that would block incoming or outgoing mail.  All mail from me
 goes through the official comcast mail server and does not appear to
 come from a dynamic address.
 
 If you use smtp.comcast.net as outgoing I doubt you even need reverse
 DNS on your IP.  Just be sure you update your SPF record to include
 smtp.comcast.net or something.  Everyone has an SPF record, right?
 
 Matt
 

As a matter of fact, I'm trying to figure out what my SPF record should
be. It should be Comcast's, but they don't seem to have published one.

- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGxNfUeERILVgMyvARAmqFAJ9chrB/r8O2P59uovGKxhMgX947fwCeOLOK
sdKFOpN1ZTl6ugOMcDgWxgE=
=5Ti8
-END PGP SIGNATURE-


Re: Mail server hosted by Comcast

2007-08-11 Thread Steven Stern
Igor Chudov wrote:
 I am considering a local deal related to hosting by Comcast cable
 (8mbps down, 1 mbps up).

 I am concerned, however, with me sending email and being on comcast IP
 range, due to bad rap that Comcast has due to spamming by Comcast
 hosted zombies. 

 Do you think that my mailserver will have issues if I host it on
 comcast network?

 That would be a static IP and, hopefully, I can get comcast to reverse
 resolve it to a hostname on one of my domains.

 i
   
I'm on Comcast and am having no problems.  I set the smarthost for
sendmail to smtp.comcast.net and, at least so far, have not triggered
anything that would block incoming or outgoing mail.  All mail from me
goes through the official comcast mail server and does not appear to
come from a dynamic address.



Re: Sa-update question

2007-07-20 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Skip Brott wrote:
 Using the recommended actions from this list, I run this:
 
 sa-update --channelfile
 /etc/mail/spamassassin/saupdate/sare-sa-update-channels.txt -D
 
 I get this result from each channel:
 
 [29610] dbg: gpg: gpg: Signature made Mon 04 Jun 2007 08:14:08 PM CDT
 using DSA key ID 856AA88A
 [29610] dbg: gpg: [GNUPG:] SIG_ID vAQaZijSKL/MKS3+hHVCDl3GfgY 2007-06-05
 1181006048
 [29610] dbg: gpg: [GNUPG:] GOODSIG 3C5C05EB856AA88A Daryl C. W. O'Shea
 [EMAIL PROTECTED]
 [29610] dbg: gpg: gpg: Good signature from Daryl C. W. O'Shea
 [EMAIL PROTECTED]
 [29610] dbg: gpg: [GNUPG:] VALIDSIG
 ABE0C8743B87262E5FB04F2B3C5C05EB856AA88A 2007-06-05 1181006048 0
 [29610] dbg: gpg: [GNUPG:] TRUST_UNDEFINED
 [29610] dbg: gpg: gpg: WARNING: This key is not certified with a trusted
 signature!
 [29610] dbg: gpg: gpg: There is no indication that the signature belongs
 to the owner.
 [29610] dbg: gpg: Primary key fingerprint: ABE0 C874 3B87 262E 5FB0 4F2B
 3C5C 05EB 856A A88A
 [29610] dbg: gpg: found signature made by key
 ABE0C8743B87262E5FB04F2B3C5C05EB856AA88A
 [29610] dbg: gpg: key id 856AA88A is not release trusted
 error: GPG validation failed!
 The update downloaded successfully, but the GPG signature verification
 failed.
 channel: GPG validation failed, channel failed
 
 
 I assume I am not the only one who sees this error (or at least who has
 seen it).  Has anyone successfully addressed this?  Or do you simply use
 the --nogpg option when running it?
 
 - Skip
 

Did you import his key with sa-update --import his.key.file.here


- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGoQzJeERILVgMyvARAm19AJsEcglKuytcgFS7Ro9EjseOLJ0ilQCeNUSl
LUwsW/O8YR2r1cleqOdwmDo=
=V48J
-END PGP SIGNATURE-


Re: not everyone is happy with SA

2007-07-20 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

John Rudd wrote:

 
 Further, I as the sender have no obligation to participate in your
 anti-spam mechanism.  It's YOUR mechanism.  You feed it, you configure
 it, your CPU cycles are spent on it.  I have no obligation to
 participate in the program you use for deciding is this spam or not. I
 have no obligation to devote my time and my CPU cycles to your anti-spam
 program.  It's rather rude for you to assume otherwise.
 

My company's website has a "click here and we'll send you your password"
(or something similar).  You'd be amazed how many calls we get claiming
it doesn't work. When I track through the logs, I find most come from
people with CR systems.  You can't use a CR when you're talking to a
robot.  These things make me sooo mad.

- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGoURoeERILVgMyvARAgeSAJ9Cwu/vRWEgskKwXF5QAg4QbpDB+QCfRNU0
Ya/NuKWXYspVpCIzNvN8zxs=
=oLbD
-END PGP SIGNATURE-


Re: Spam PDF

2007-06-27 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Wael Shahin wrote:
 On Wed, 2007-06-27 at 09:18 +0200, Robert Schetterer wrote:
 Stéphane LEPREVOST wrote:
 Hi,

 Got one yesterday too here. Seems to be a new way for spammers ... 

 I have two servers one is running DCC and one is not, the one that is
 running DCC didn't pass the message or maybe I am mistaken but it didn't
 go through (Maybe didn't get there at all from the first place).
 On the other server that is not running DCC the email went through and
 it was an empty email body with a PDF attachment
 -Original Message-
 From: Raymond Myren [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, 27 June 2007 08:09
 To: users@spamassassin.apache.org
 Subject: Spam PDF

 Hello,

 Just today I started receiving spam mails with attached .pdf files with a
 spam image.
 Any ideas how to stop this spam type?

 \raymond 

 Hi Stephane,
 unless the mail isn't caught by other rules
 or bayes, I still don't know any way to mark this,
 so yesterday one got through at my server too.
 I've asked on the list what to do against it, but haven't got any useful
 answer.
 Perhaps it would be easier to use clamav to filter
 such mails out, I think I will ask there
 
 Wael

We just caught one:

Content analysis details:   (5.0 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.6 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.4 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.7404]
 2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
 0.9 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [201.32.227.251 listed in dnsbl.sorbs.net]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [201.32.227.251 listed in zen.spamhaus.org]

- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGglxneERILVgMyvARAtK4AJ944YGr+IfI+3FYEkonqklmyNgj2wCeLGKK
oXS7J7pypbbL/6ADur+rhAg=
=Rxu9
-END PGP SIGNATURE-


Re: mySQL bayes not working correctly

2007-06-10 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Gary V wrote:
 I'm running amavisd-new with spamassassin and setup bayes and mysql
 earlier
 today. It seems to connect to the db fine with user vscan when running
 spamassassin -d. I ran sa-learn --spam/ham  spam.txt (full email headers
 too) a few times and those are the only entries in the db, the ones
 that I
 added, all other email is untouched. What's the deal? Here is my local.cf
 file... awl seems to work fine, but it scores mail funky sometimes.

 # Enable the Bayes system
 use_bayes 1
 bayes_store_module            Mail::SpamAssassin::BayesStore::SQL
 bayes_sql_dsn                 DBI:mysql:bayes
 bayes_sql_username            vscan
 bayes_sql_password            vscan
 bayes_sql_override_username   vscan

 # Enable awl
 auto_whitelist_factory        Mail::SpamAssassin::SQLBasedAddrList
 user_awl_dsn                  DBI:mysql:bayes
 user_awl_sql_username         vscan
 user_awl_sql_password         vscan

 -- 
 
 You probably ran the commands as root, so you are only looking at root's
 data. Add this in local.cf:
 
 bayes_sql_override_username vscan
 
 That way everyone will see the same data (site wide configuration). You
 want to always run spamassassin and sa-learn commands as the vscan user
 but adding this setting means that even if you learn spam or ham as root,
 vscan's data will be updated.
 
 su vscan -c 'sa-learn --spam  spam.txt'
 
 Gary V


As for the funky AWL values, you need to do some AWL expiry.

Add a field to the AWL table that shows the last time that address got hit:
  ALTER TABLE awl ADD lastupdate timestamp(14) NOT NULL;
  UPDATE awl SET lastupdate = NOW( ) WHERE lastupdate < 1;

Then set up a script to clean up awl entries:

  /usr/bin/mysql -usa_user -psa_user_psw < /usr/local/bin/trim-awl.sql

  USE sa_bayes;
  DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);
  DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(),
    INTERVAL 15 DAY);

(reference: http://www200.pair.com/mecham/spam/fc4-spamassassin-sql.html)
- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFGbBlSeERILVgMyvARAuQ4AJjmzxS8+XmQwclH1/2alQlx+slUAJ9m/EpM
M+0aSAR00llWR5ROGdp/kw==
=H68i
-END PGP SIGNATURE-


Re: sa-compile error

2007-06-08 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

diptanjan wrote:
 Hi Friends,
 
 I am getting an error whenever I am using sa-compile. can you please
 checkout and tell me the reason behind it?
 
 # sa-compile
 [4846] info: generic: base extraction starting. this can take a while...
 [4846] info: generic: extracting from rules of type body_0
 100% [===]  39.01 rules/sec
 00m11s DONE
 100% [===] 100.14 bases/sec
 00m10s DONE
 [4846] info: body_0: 683 base strings extracted in 23 seconds
 [4846] info: rules: meta test HS_PHARMA_1 has dependency
 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
 cd /tmp/.spamassassin4846ilcSlDtmp
 cd Mail-SpamAssassin-CompiledRegexps-body_0
 re2c -i -b -o scanner1.c scanner1.re
 Can't exec re2c: No such file or directory at /usr/bin/sa-compile line
 274, $fh line 985.
 command failed! at /usr/bin/sa-compile line 275, $fh line 985.
 

You need to install re2c

http://re2c.org/

- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGaT0DeERILVgMyvARAhlyAJ98qUtbGMDlTT1Jn9SZIECfsJdz7wCfSUkR
8gzVwOYOytU4pzXakEZyfqI=
=RLw/
-END PGP SIGNATURE-


Rulesemporium down?

2007-06-07 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

My systems all were unable to connect for their daily RDJ update
yesterday.  I time out trying to reach http://rulesemporium.com.  Does
anyone know what's happening?
- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGZ/oCeERILVgMyvARAn97AJ9l8c5quPSKjAKNpM6/teMD5MK7bQCfcf+q
G9D0bJrX/gOz4yx7MDUNq6s=
=uEUU
-END PGP SIGNATURE-


Re: spamassassin upgrade

2007-05-20 Thread Steven Stern

night duke wrote:

Currently i have this version of spamassassin
 
SpamAssassin version 3.1.7-deb
 
Can i update it to the last version?

Apt-get or yum or howto?

Thanks


I prefer to download the .tgz file from spamassassin.apache.org and 
create the rpm myself via


  rpmbuild -tb file-just-downloaded.tgz

I find the installable RPMs in /usr/src/redhat/RPMS/i386

On a debian system, they may wind up elsewhere, but you'll see the 
location roll by as the rpm file is being built.


--

  Steve


Re: spamassassin upgrade

2007-05-20 Thread Steven Stern

night duke wrote:

I have debian...

*/Steven Stern [EMAIL PROTECTED]/* wrote:

night duke wrote:
  Currently i have this version of spamassassin
 
  SpamAssassin version 3.1.7-deb
 
  Can i update it to the last version?
  Apt-get or yum or howto?
 
  Thanks

I prefer to download the .tgz file from spamassassin.apache.org and
create the rpm myself via

rpmbuild -tb file-just-downloaded.tgz

I find the installable RPMs in /usr/src/redhat/RPMS/i386

On a debian system, they may wind up elsewhere, but you'll see the
location roll by as the rpm file is being built.

-- 


Steve


See http://spamassassin.apache.org/downloads.cgi?update=200705021400 in 
the Debian Users section.



--

  Steve


sa-compile error

2007-05-16 Thread Steven Stern
I've set up sa-compile successfully on two of our three servers. The 
third gives this error:


Insecure dependency in mkdir while running with -T switch at 
/usr/bin/sa-compile line 321, $fh line 1.


Googling around, there are references to editing a perl .pm file, but 
this error points to the sa-compile source itself.  How do I fix this?


Re: SA 3.2.0 install and/or upgrade

2007-05-05 Thread Steven Stern

Abba Communications - www.abbacomm.net wrote:


Greetings,

We have looked over the 3.2.0 install and upgrade docs as best we can so
far...

Situation:

running a Redhat 4.x or Centos 4.x server
SA 3.1.8
Everything is currently run site-wide and not user configurable
No MySQL in use.

Question(s)

when installing 3.2.0 via RPM, should it be done is an rpm -Uvh upgrade or
should 3.1.8 be removed and then 3.2.0 installed from scratch?

Any gotcha's that others have experienced doing this?

Has anyone installed SA 3.2.0 on Redhat or CentOS 5 without problems?

Feedback please?


I've installed  on RH EL3 and RH EL4, as well as FC5 and FC6 using -Uvh. 
 Aside from having to upgrade a couple of perl modules (as noted by the 
rpm process), there were no problems.


--

  Steve


Help with rule

2007-04-10 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm trying to flag a type of spam that seems to be slipping through with
a very low score

The common factor is that all of the messages have something like

Just type www [.] pillking [.] org
Just type FONT color=#ffwww/FONT [.]
STRONGFONT color=#ffpillking/FONT/STRONG [.] FONT
color=#fforg/FONT/FONT

   Just type www [dot] pilldoc [dot] org

I suspect a rule that looks for www*pill*org would work. How do I turn
that into a regex?


- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGG4BveERILVgMyvARAvKDAJ40E2quDemGCoFIheL8XFkgjRcWegCfSDiI
hmR+79G9K1DQJHIN0lI8I6g=
=yqRq
-END PGP SIGNATURE-
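
One way to turn the "www*pill*org" idea from the post above into a regex, as an added example that is not part of the original thread: the Python below applies the pattern to the three sample lines and emits the same pattern as a SpamAssassin body rule. The rule name LOCAL_OBFU_PILL_URL, the score, and the angle brackets restored in the HTML sample are assumptions of this example.

```python
import html
import re

# What replaces the "." in these messages: "[.]" or "[dot]"; round and curly
# brackets are accepted too (a generalization beyond the samples in the post).
SEP = r"\s*[\[({]\s*(?:\.|dot)\s*[\])}]\s*"

# "www*pill*org" made precise: www, separator, one host label containing
# "pill", separator, org. The same text is valid in Perl and in Python.
PILL_URL = rf"\bwww{SEP}[a-z0-9-]*pill[a-z0-9-]*{SEP}org\b"

_PILL_RE = re.compile(PILL_URL, re.IGNORECASE)
_TAG_RE = re.compile(r"<[^>]*>")

# Sample lines from the post. The archive stripped the angle brackets from the
# HTML variant, so the tags in the second sample are reconstructed (constructed).
SAMPLES = [
    "Just type www [.] pillking [.] org",
    "Just type <FONT color=#ff>www</FONT> [.] <STRONG><FONT color=#ff>pillking"
    "</FONT></STRONG> [.] <FONT color=#ff>org</FONT></FONT>",
    "Just type www [dot] pilldoc [dot] org",
]


def render_text(raw):
    """Approximate what a body rule sees: tags removed, entities decoded,
    whitespace collapsed. Tags are deleted rather than replaced by a space so
    that markup inserted inside a word does not split it."""
    text = html.unescape(_TAG_RE.sub("", raw))
    return " ".join(text.split())


def find_pill_hosts(raw):
    """Return the de-obfuscated host names found in one message body."""
    text = render_text(raw)
    return [re.sub(SEP, ".", m.group(0), flags=re.IGNORECASE).lower()
            for m in _PILL_RE.finditer(text)]


def spamassassin_rule(name="LOCAL_OBFU_PILL_URL", score=3.0):
    """Emit the same pattern as a SpamAssassin body rule for local.cf.
    The rule name and score are placeholders chosen for this example."""
    return "\n".join([
        f"body      {name}  /{PILL_URL}/i",
        f"describe  {name}  Bracket-obfuscated www / *pill* / org host name",
        f"score     {name}  {score}",
    ])


if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_pill_hosts(sample), "<-", sample[:50])
    print(spamassassin_rule())
```

A plain "www.example.org" is deliberately not matched: the pattern keys on the bracketed separator, which is what keeps these messages out of reach of ordinary URI checks.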


Re: Bayes MySQL users

2007-03-24 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Marc Perkel wrote:
 Looking at the bayes_vars table and seeing 2 entries, spamd, and root.
 I'd like to get rid of any per user info so that all learning is common.
 Not sure why this is happening. What do I need to do to force everything
 to one user?
 
 Thanks in advance.
 

Add to local.cf:

bayes_sql_override_username root


- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGBadEeERILVgMyvARAlEYAJ4wtzXlehpKtkJW6k8f/K8CTOFnGwCeKKrt
HyXWHXO5vewZSUGRgho+Y7M=
=Nrg9
-END PGP SIGNATURE-


Re: Bayes training question

2007-02-16 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

yossim wrote:
 Hi folks, How can I learn misidentified junk mail that is stored on
 Exchange or at the Outlook clients? Can I simply copy those mails to a
 folder on my Linux server and run sa-learn with the required parameters?
 Kindly regards, Yossi Mor

see http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/

- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFF1ay5eERILVgMyvARAk2JAJ4rXyGAcdzv14vcTreJmSpnNLP1LwCffXiS
zoIrJH2UIIUawBbshrVJ8Sc=
=4mR1
-END PGP SIGNATURE-


Re: [2] Bayes training question

2007-02-16 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

yossim wrote:
 Steve, I am not sure that I have understood the first script starting
 with get_ham_spam where you use fetchmail (where the data is kept?) and
 the last one get-ham-spam when you used wget command to get all the
 ham.spam emails. Kindly regards, Yossi
 

fetchmail is used to bring the mail from the Exchange server to the
Linux server via IMAP.

The wget commands are used to copy the resulting ham and spam files to
our other MX servers so they all get the same feedback. If you have only
one MX server, then that part isn't necessary.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFF1kmOeERILVgMyvARApP3AJ9aNJjvx1O5/gO5ibAfyX0ifaWMPACeMFNC
MwcShbLbfInoWs/ETsbgiKk=
=i5H8
-END PGP SIGNATURE-


How do I whitelist this?

2007-01-30 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm having problems whitelisting mail sent through web sites with a from
address supplied by the user.

Case in point, I send an article from huffingtonpost.com to myself.  I
used a whitelist from huffingtonpost.com, but that doesn't reduce the
spam score.

The headers are:

Return-Path: [EMAIL PROTECTED]
Received: from tipsy.huffingtonpost.com (tipsy.huffingtonpost.com
[72.3.232.108])
by mooch.sterndata.com (8.13.8/8.13.7) with ESMTP id l0V0iikW024618
for [EMAIL PROTECTED]; Tue, 30 Jan 2007 18:44:44 -0600
Received: by tipsy.huffingtonpost.com (Postfix, from userid 48)
id D26494A85A6; Tue, 30 Jan 2007 18:44:43 -0600 (CST)
Subject: [ HuffingtonPost.com ] Recommendation: Najaf Battle Not Sunni,
Shia But Shia, Shia
Mime-Version: 1.0
Content-Type: text/html; charset=utf-8
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]


What should I use in local.cf to whitelist mail sent to my server by
anyone through huffingtonpost.com (or for that matter, any website that
has a send article feature)?


- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFv+cpeERILVgMyvARAkZJAJ4z8SJ7I5CpnKzCTgsa9q+Oc18O2wCfXfi9
IjsvmtZ5WWpvv5CcBIRcVoQ=
=FdwR
-END PGP SIGNATURE-


Re: Should I use greylisting

2007-01-25 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Matthew Bickerton wrote:
 Thanks, but does this mean I have to keep/maintain a list of all the mail
 farms. Keeping this list up to date sounds horrid/impossible.
 
 Matthew  
 
 -Original Message-
 From: --[ UxBoD ]-- [mailto:[EMAIL PROTECTED] 
 Sent: 25 January 2007 12:49
 To: users@spamassassin.apache.org
 Subject: Re: Should I use greylisting
 
 Check out http://policyd.sourceforge.net/ then as it allows you to
 specify Servers/IP that should not be greylisted. Works very well.
 
 On Thu, 25 Jan 2007 12:33:19 -
 Matthew Bickerton [EMAIL PROTECTED] wrote:
 
 Hi,

 I am setting up a new server, so have a chance to make big changes to
 my email server.

 I have been thinking about implementing Greylisting. However, I am
 worried about blocking/long delays with e-mails from mail farms
 (gmail, yahoo etc.)

 I would very much appreciate other people's recommendations on
 Greylisting or other approaches to reducing the load on my server by
 rejecting spam early.


I tried out greylisting for several months for a select group of users
using greylist-milter.  Their unanimous opinion was that they wanted to
receive mail instantly. The 10 - 60 minute delay for first-time
senders was unacceptable. The reduction in spam was not noticeable as we
get great results using a combination of ClamAV and SpamAssassin with a
global bayes filter and many RDJ rules.

- --

  Steve
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFuK5OeERILVgMyvARAoUEAJ9LhlgxkvoktjH88rlFpE9B39Zy0ACfVJF9
nBF1MCNsvLkCKlOoyTVP7+Q=
=CzLb
-END PGP SIGNATURE-


sa-update errors with 3.1.7

2007-01-01 Thread Steven Stern
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

From this morning's log from three of our MX servers running SA 3.1.7.
Does the channel for 3.1.7 have the wrong rules?

config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_advance_fee.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_body_tests.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_compensate.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_dnsbl_tests.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file /tmp/.spamassassin8654JTlidztmp/20_drugs.cf
requires version 3.002000 of SpamAssassin, but this is code version
3.001007. Maybe you need to use the -C switch, or remove the old config
files? Skipping this file at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_fake_helo_tests.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_head_tests.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_html_tests.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_meta_tests.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_net_tests.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_phrases.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file /tmp/.spamassassin8654JTlidztmp/20_porn.cf
requires version 3.002000 of SpamAssassin, but this is code version
3.001007. Maybe you need to use the -C switch, or remove the old config
files? Skipping this file at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/20_uri_tests.cf requires version
3.002000 of SpamAssassin, but this is code version 3.001007. Maybe you
need to use the -C switch, or remove the old config files? Skipping this
file at /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm
line 345.
config: configuration file /tmp/.spamassassin8654JTlidztmp/23_bayes.cf
requires version 3.002000 of SpamAssassin, but this is code version
3.001007. Maybe you need to use the -C switch, or remove the old config
files? Skipping this file at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file
/tmp/.spamassassin8654JTlidztmp/72_active.cf requires version 3.002000
of SpamAssassin, but this is code version 3.001007. Maybe you need to
use the -C switch, or remove the old config files? Skipping this file at
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: warning: score set for non-existent rule 

Re: Google open relay?

2006-12-08 Thread Steven Stern

laradji nacer wrote:

Steven Stern wrote:
I've been getting lots of these get out of debt messages. It looks 
like the last stop before getting here is a gmail server.  Could they 
have an open relay?

No, but gmail hosts personal domains, not only @gmail.com.


Google Apps for Your Domain (GAYD) requires SMTP authentication over SSL 
on port 465 to pass mail from a sending system.  That means that 
whatever's sending this mail is smart enough to handle the GAYD SMTP 
auth and SSL access.


Re: local.cf

2006-12-07 Thread Steven Stern

Andrea Bencini wrote:

I am looking for local.cf documentation to understand which are the
variables to set in this file.
Can you help me?
Thank
Andrea
  

man Mail::SpamAssassin::Conf



Google open relay?

2006-12-07 Thread Steven Stern
I've been getting lots of these get out of debt messages. It looks 
like the last stop before getting here is a gmail server.  Could they 
have an open relay?


Received: from ccim-mx2.cciminstitute.com ([10.0.2.10]) by 
ccim-exchange.cciminstitute.com with Microsoft SMTPSVC(6.0.3790.1830);
 Thu, 7 Dec 2006 16:17:53 -0600
Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.183])
by ccim-mx2.cciminstitute.com (8.13.8/8.13.6) with ESMTP id 
kB7MHojp020673
for x; Thu, 7 Dec 2006 16:17:50 -0600
Received: by py-out-1112.google.com with SMTP id f31so317551pyh
   for x; Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: by 10.35.99.17 with SMTP id b17mr4277287pym.1165529866966;
   Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: by 10.35.99.17 with SMTP id b17mr4277286pym.1165529866955;
   Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: from shawcable.net (S0106000ea6a66e9b.vc.shawcable.net [24.81.32.62])
   by mx.google.com with SMTP id j7si945230nzd.2006.12.07.14.17.34;
   Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received-SPF: pass (google.com: domain of [EMAIL PROTECTED] designates 
24.81.32.62 as permitted sender)
Message-ID: [EMAIL PROTECTED]
Date: Thu, 07 Dec 2006 19:10:30 -0400
Reply-To: spring freeman [EMAIL PROTECTED]
From: spring freeman [EMAIL PROTECTED]
MIME-Version: 1.0
To: Lawanna x
Cc: Laci x
Subject: TotallyCardDebtFree Overnight




Re: Google open relay?

2006-12-07 Thread Steven Stern

John D. Hardin wrote:

On Thu, 7 Dec 2006, Steven Stern wrote:

  

I've been getting lots of these get out of debt messages. It
looks like the last stop before getting here is a gmail server.  
Could they have an open relay?



Have you notified [EMAIL PROTECTED]?

  

You betcha!  And also reported through spamcop.


Re: Google open relay?

2006-12-07 Thread Steven Stern
David B Funk wrote:
 On Thu, 7 Dec 2006, Steven Stern wrote:
 
 John D. Hardin wrote:
 On Thu, 7 Dec 2006, Steven Stern wrote:

 I've been getting lots of these get out of debt messages. It
 looks like the last stop before getting here is a gmail server.
 Could they have an open relay?
 Have you notified [EMAIL PROTECTED]?

 You betcha!  And also reported through spamcop.
 
 Only problem with reporting it thru spamcop is that they will very
 industriously drill down thru the Received: chain, breeze right
 thru all the Google entries, latch onto that shawcable.net IP
 and only send a report to them (IE not bother Google at all).
 
 This is a good thing in that they try very hard to not cause collateral
 damage and only send reports to the real culprits, but the down-side
 is that potential 'enablers' don't get notified too.
 
 If you buy into the spamcop premium service one of the things that
 you gain is the ability to modify their report and add such notices.
 Best to send it directly to Google's abuse address.
 
 Dave
 

Spamcop sent a report to both shawcable and [EMAIL PROTECTED]  I paid
spamcop $25 several years ago for 25MB of reports (however that's
measured) and I still have 8.3MB left in my pool.

-- 

  Steve
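
The walk down the Received: chain described in the reply above, as an added example that is not part of the thread. It reads the headers newest to oldest and reports the first hop where a trusted server accepted mail from a host outside the trusted set. sample_headers and injection_point are hypothetical names, and trusting a hop by its recorded rDNS suffix is a simplifying assumption.

```shell
#!/bin/sh
# The Received: lines are the ones quoted in the original post of this thread,
# re-folded so that continuation lines start with whitespace.
sample_headers() {
cat <<'EOF'
Received: from ccim-mx2.cciminstitute.com ([10.0.2.10])
 by ccim-exchange.cciminstitute.com with Microsoft SMTPSVC(6.0.3790.1830);
 Thu, 7 Dec 2006 16:17:53 -0600
Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.183])
 by ccim-mx2.cciminstitute.com (8.13.8/8.13.6) with ESMTP id kB7MHojp020673
 for x; Thu, 7 Dec 2006 16:17:50 -0600
Received: by py-out-1112.google.com with SMTP id f31so317551pyh
 for x; Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: by 10.35.99.17 with SMTP id b17mr4277287pym.1165529866966;
 Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: by 10.35.99.17 with SMTP id b17mr4277286pym.1165529866955;
 Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: from shawcable.net (S0106000ea6a66e9b.vc.shawcable.net [24.81.32.62])
 by mx.google.com with SMTP id j7si945230nzd.2006.12.07.14.17.34;
 Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Subject: TotallyCardDebtFree Overnight
EOF
}

# injection_point "suffix1 suffix2 ..." < headers
# Prints "<peer> <ip> <receiving-host>" and returns 0 when a hand-off from an
# untrusted peer to a trusted server is found; returns 1 otherwise.
injection_point() {
    awk -v trusted="$1" '
    # A host is trusted if it is a private/loopback address or ends in one of
    # the listed domain suffixes. Any other bare IP is untrusted.
    function is_trusted(h,    n, i, t, s) {
        h = tolower(h)
        if (h ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            return (h ~ /^(10|127)\./ || h ~ /^192\.168\./ || h ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
        n = split(tolower(trusted), t, " ")
        for (i = 1; i <= n; i++) {
            s = t[i]
            if (h == s) return 1
            if (length(h) > length(s) && substr(h, length(h) - length(s)) == ("." s)) return 1
        }
        return 0
    }
    function process(h,    by, helo, rdns, ip, peer) {
        if (done || h !~ /^Received:/) return
        by = ""
        if (match(h, / by [^ ;]+/)) by = substr(h, RSTART + 4, RLENGTH - 4)
        # A header written by a host outside the trusted set cannot be
        # believed, and neither can anything below it: stop here.
        if (!is_trusted(by)) { done = 1; return }
        # Internal hand-offs ("Received: by ...") record no peer.
        if (!match(h, /^Received: from [^ ]+/)) return
        helo = substr(h, 16, RLENGTH - 15)
        rdns = ""; ip = ""
        if (match(h, /\([^ ()]+ \[/)) rdns = substr(h, RSTART + 1, RLENGTH - 3)
        if (match(h, /\[[0-9.]+\]/)) ip = substr(h, RSTART + 1, RLENGTH - 2)
        # Prefer what the receiving server recorded (rDNS, then IP) over the
        # HELO name, which the sender chooses freely.
        peer = (rdns != "") ? rdns : ((ip != "") ? ip : helo)
        if (is_trusted(peer)) return
        print peer, ip, by
        found = 1; done = 1
    }
    /^[ \t]/ { sub(/^[ \t]+/, ""); hdr = hdr " " $0; next }   # unfold
    { process(hdr); hdr = $0 }
    END { process(hdr); exit(found ? 0 : 1) }
    '
}

# Example call:
#   sample_headers | injection_point "google.com cciminstitute.com"
```

With only the local domain trusted, the same walk stops at the gmail outbound server, which is why the mail looks as if Google were the last stop.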


Re: sa-update

2006-12-06 Thread Steven Stern

Thomas Bolioli wrote:
when I run sa-update it puts new copies of the tests in 
/var/lib/spamassassin/3.001005/updates_spamassassin_org which I 
understand from the docs is the correct location. However, the default 
tests remain in /usr/share/spamassassin/ and I believe they are still 
being used. How is this supposed to work? Am I supposed to manually 
move them into /usr/share? I do not see any reference to the updated 
tests in the cf files anywhere.

Tom
IF there are files in 
/var/lib/spamassassin/version/updates_spamassassin_org, they'll be used 
instead of the ones in /usr/share/spamassassin.


If you do spamassassin -D --lint, you'll see that they're picked up.


Re: rules_du_jour not working confusion?

2006-12-04 Thread Steven Stern
Bazooka Joe wrote:
 rules_du_jour seems to fail on lint. I am trying to figure that out
 now but I have a different question.  Has channels replaced
 rules_du_jour? Should I be using something else to update my sare
 rules?
 
 thx
 
 -bazooka
 
 ps I am using SpamAssassin 3.1.4
 
 pps below are the lint errors if anyone has come across it before I
 delve into it.
 
 

[snip]

Do your current rules pass a lint test?


-- 

  Steve


Re: How to upgrade spamassassin in Mandrake 10.1

2006-12-03 Thread Steven Stern
Fajar Priyanto wrote:
 Hi all,
 I try to upgrade my SA in mandrake 10.1.
 I've downloaded the latest SA and build the rpm. But, when I tried to upgrade 
 it, it errored:
 rpm -Uvh spamassassin-3.1.7-1.i586.rpm perl-Mail-SpamAssassin-3.1.7-1.i586.rpm
 error: Failed dependencies:
 spamassassin = 3.0.4-0.1.101mdk is needed by (installed) 
 spamassassin-spamd-3.0.4-0.1.101mdk
 perl-Mail-SpamAssassin = 3.0.4-0.1.101mdk is needed by (installed) 
 spamassassin-tools-3.0.4-0.1.101mdk
 
 I notice that my mandrake 10.1 contains several rpms regarding SA:
 spamassassin-tools-3.0.4-0.1.101mdk
 spamassassin-3.0.4-0.1.101mdk
 spamassassin-spamd-3.0.4-0.1.101mdk
 spamassassin-spamc-3.0.4-0.1.101mdk
 
 Can someone help me how to upgrade it? Should I (forced) remove all previous 
 SA?
 
 Thank you very much,

Are you using a sql-based Bayes db?  I found that the upgrade of
perl-MailSpamAssassin failed with a MySQL bayes. When I removed the
password for 'root'@'localhost', the upgrade succeeded. (I then put the
password back.)

-- 

  Steve


Re: sa-update installation

2006-11-29 Thread Steven Stern
Odhiambo Washington wrote:
 Hello List,
 
 I have successfully (I hope) installed and run sa-update, and
 I see that it installed files in /var/lib/spamassassin/3.001007/
 
 In my FreeBSD box, I am used to the rules being in 
 /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin.
 
 Do I just go out for a cold beer and hope that SA will be reading
 these rules as well?
 
 What happens when I run sa-update? Does it update the rules files in
 /usr/local/share/spamassassin or what?
 
 

after sa-update runs, restart spamassassin and it will use the new rules
in /var/lib/spamassassin.

I have this as a cron job:

30 3 * * *  sa-update && spamassassin --lint && /etc/init.d/spamassassin restart


-- 

  Steve


Re: Help with sa-learn when using Outlook 2003.

2006-11-19 Thread Steven Stern
thekillerbean wrote:
 We currently have an Exchange 2003 server that is under heavy burden due to
 excessive SPAM.  The company is not willing to spend $$$ to resolve the
 issue if it can be done on Linux - especially being that we have several
 Linux boxes lying idle!  Hence, my plan is to implement Sendmail as a front
 end mail server for Exchange that will do the SPAM fighting (and possible
 virus scanning as well once I learn how to) then forward e-mail to Exchange.
 
 My dilemma is that since all user accounts are on Exchange, how do I bring
 these missed SPAM e-mail messages back to the Linux box for use with
 sa-learn?
 
 Cheers,
 tkb.
 

See this:

http://sstern.ccim.com/2006/07/14/training-sitewide-spam-filters/

It shows how I set up sitewide Bayes on 3 Linux MX servers using
Exchange/Outlook.

-- 

  Steve


Re: spamd error -- max-children?

2006-11-19 Thread Steven Stern
Ron Freidel wrote:
 Hi All,
 
 We run a relatively small (amount of clients) freebsd email hosting
 server, was running spamassassin: 3.0.2 on a qmail server. We took on a
 new client who was receiving a lot of spam, as their old provider kept
 telling them there was nothing that could be done about spam.
 
 Well, our server easily handled the spam prior to this client, then
 suddenly the spam level increased from around 300 a day to about 6000 a
 day. The server itself is a quad xeon with 1Gig of ram, I plan to
 upgrade the ram tomorrow.
 
 I upgraded spamassassin to 3.1.7 to take advantage of the
 features/fixes, and to take care of the fact that while running 3.0.2
 spamassassin eventually took all available ram and swap, then died, I
 had to reboot anyway so did the upgrade.
 
 After the upgrade I began seeing errors like...
 prefork: server reached --max-children setting, consider raising it
 
 This was while running spamassassin under freebsd's stock sa-spamd.sh,
 and during a spam attack.
 
 I made this change...
 command_args="-d -m 10 -r ${pidfile}"
 
 So it is now running as...
 /usr/local/bin/spamd -c -d -m 10 -r /var/run/spamd/spamd.pid
 (perl5.8.5) root  
 
 Now the error has changed to...
 spamd[2817]: spamd: handled cleanup of child pid 9679 due to SIGCHLD
 spamd[2817]:Use of uninitialized value in numeric
 eq (==)
 at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/SpamdForkScaling.pm
 line 689
 
 And here's line 689
 687   foreach my $pid (@pids) {
 688 my $k = $kids->{$pid};
 689 if ($k == PFSTATE_IDLE) {
 690   $statestr .= 'I';
 691   $num_idle++;
 
 Is this truly a problem with spamassassin? Or could I have a problem
 elsewhere? Do I need to make an additional change in how it is running?
 
 All perl mods and cpan have been updated to latest versions, --lint
 contains no errors.
 


--
This may seem dumb, but change -m 10 to -m10.  My command line has
-m5 with no space.

  Steve


Odd error (or is it an error)

2006-09-10 Thread Steven Stern
The following appears periodically in my maillog. I think it has to do
with an attempt to do a cpan upgrade or SpamAssassin that I had to back
out and replace with the Fedora RPM.  In any case, is this anything to
worry about?


Sep 10 11:12:30 mooch spamd[26250]: (?:(?=[\s,]))* matches null string
many times in regex; marked by -- HERE in m/\G(?:(?=[\s,]))* -- HERE
\Z/ at /usr/lib/perl5/5.8.8/Text/Wrap.pm line 46.


-- 

  Steve



Whitelist ebay

2006-09-07 Thread Steven Stern

Lint keeps throwing out this line:

whitelist_from_rcvd [EMAIL PROTECTED]

Is there something special about ebay?


Re: Train from Outlook?

2006-08-23 Thread Steven Stern
Christopher Mills wrote:
 Tell me something, is there a plugin for outlook that would allow me to
 train spamassassin on the web server?
 Eg, messages come in, end up in my Junk Mail folder, can i somehow
 select them, and click a button with this 'addin' and have it find our
 web server and train spam assassin with the data in my local inbox? 
 That would be a very cool addon if someone could develop it.

Is Outlook talking to an Exchange server?  If so, see
http://sstern.ccim.com/index.php/2006/07/14/training-sitewide-spam-filters/

-- 

  Steve


Problems after upgrade to 3.1.4

2006-07-27 Thread Steven Stern
These occur with spamassassin -D --lint.  RDJ is up to date, as is
sa-update.

[6837] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
'DCC_CHECK'
[6837] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency
'MIME_QP_LONG_LINE' with a zero score
[6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
dependency 'SARE_XMAIL_SUSP2'
[6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
dependency 'SARE_HEAD_XAUTH_WARN'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_MKSHRT'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_GT'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_TINY'
[6837] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency
'SARE_OBFU_CIALIS2'
[6837] info: rules: meta test FP_MIXED_PORN3 has undefined dependency
'FP_PENETRATION'

-- 

  Steve


Using a # character in a spam report

2006-07-19 Thread Steven Stern
In our standard spam report, we have a line like

report For more info, see http://our.server/infopage.html

I'm adding content to the page and would like to add links to local anchors

report For more info, see http://our.server/infopage.html#anchor

It appears that SA treats the # as the start of a comment and leaves
#anchor out of the resulting report. Is there a way to escape the #?

-- 

  Steve



Re: Using a # character in a spam report

2006-07-19 Thread Steven Stern
Duane Hill wrote:
 On Wed, 19 Jul 2006, Steven Stern wrote:
 
 In our standard spam report, we have a line like

 report For more info, see http://our.server/infopage.html

 I'm adding content to the page and would like to add links to local
 anchors

 report For more info, see http://our.server/infopage.html#anchor

 It appears that SA treats the # as the start of a comment and leaves
 #anchor out of the resulting report. Is there a way to escape the #?

 
 I believe you should be able to use:
 
   http://our.server/infopage.html\#anchor
 
 I've escaped chars in the report before myself.

Uh-oh... This is how the report comes out:

http://www.ccim.com/members/help/bcastfaq.html\#spam

Not quite what I wanted.

-- 

  Steve



Re: Image only spam

2006-07-14 Thread Steven Stern
Jack Gostl wrote:
  
 - Original Message -
 *From:* Steven Stern mailto:[EMAIL PROTECTED]
 *Cc:* Spamass mailto:users@spamassassin.apache.org
 *Sent:* Thursday, July 13, 2006 6:52 PM
 *Subject:* Re: Image only spam
 
 Jack Gostl wrote:

 - Original Message - From: Steven Stern
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 To: Spamass users@spamassassin.apache.org
 mailto:users@spamassassin.apache.org
 Sent: Wednesday, July 12, 2006 4:31 PM
 Subject: Re: Image only spam


 Jack Gostl wrote:
 Thanks for the response.

 Take it slow with me, spamassassin has been running so well for so
 long that I haven't had to fiddle with it in ages and I don't
 remember the details. Do I add these rules to my user_prefs? Or to my
 /etc/mail/local.cf files?

 - Original Message - From: Steven Stern
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
 To: Spamass users@spamassassin.apache.org
 mailto:users@spamassassin.apache.org
 Sent: Wednesday, July 12, 2006 9:13 AM
 Subject: Re: Image only spam


 Jack Gostl wrote:
 I'm running SpamAssassin version 3.0.3   running on Perl version 5.8.2
 under AIX 5.3. Starting a few months ago, I have been absolutely
 inundated with image only spam.  I've gone from catching 99% of the
 spam with almost no false positives to less than 85%. I asked about
 this
 awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 running
 on Perl version 5.8.0, and didn't see much improvement, so I left the
 prod machine alone.

 I'm sure I'm not the only one with this problem. Has anyone had any
 success with it?

 Thanks...

 Jack


 Are you using the SARE_STOCK rules from RulesDuJour at
 rulesemporium.com?  We catch more than 99% of the image only stuff with
 the standard RBLs and 70_sare_stock.cf.

 In case  you ask, these are the SARE rules we're using:

 TRUSTED_RULESETS=SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300
 SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD
 SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS;

 --

  Steve

 Hop over to the Rules Emporium (http://rulesemporium.com) and read
 about RulesDuJour.  Install that and set up cron job to look for
 updates once a day.  That's about it.  It's about 30 minutes of think
 work up front to understand the documentation and install it. After
 that, set it and forget it.

 http://www.exit0.us/index.php?pagename=RulesDuJour

 I think you'll be happy with the trusted ruleset line above.

 wanted to tell you how this all turned out.

 I installed the new rules, incorrectly as Dimitri observed, and then
 restarted spamassassin. (spamd actually). The spam capture rate has
 zoomed from 85% into the high 90s. Looking back I see that we replaced
 our processor about a year ago, and have been exceptionally stable since
 then. We haven't IPLed in almost a year, which also means that
 spamassassin probably hasn't been started in almost as long.

 Obviously the new rules weren't the reason for the improvement, since
 they were installed wrong. So it must have been the restart. This makes
 me wonder, was it a corruption, or is there a cumulative effect. I
 wonder if anyone has any thoughts on that.


 
 I have a cron job scheduled for every Sunday

   sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

 This will pick up updates to the basic SA rules if they update them.
 Is sa-update a script you wrote? And why run the --lint on a regular basis?
  

sa-update is part of the SpamAssassin 3.1 package.  See man sa-update.

The string of commands executes sa-update. If it returns a non-error
result, indicating it downloaded something, then the new rules are
linted.  I do this to make sure that there's nothing broken in any of
the dozens of rules in my ruleset. If the ruleset is OK, then
spamassassin is restarted to pick up the new rules from sa-update.
-- 

  Steve
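
The update, lint and restart sequence explained above, written out with explicit exit-code handling, as an added example that is not part of the original post. In the one-line && chain, "no fresh updates" (sa-update exit code 1) and a real failure both just stop the chain; here they are told apart. SA_UPDATE, SA_LINT and SA_RESTART are hypothetical override variables, not SpamAssassin settings.

```shell
#!/bin/sh
# Defaults are the commands used in the post; override them to test the flow
# without a live SpamAssassin install.
: "${SA_UPDATE:=sa-update}"
: "${SA_LINT:=spamassassin --lint}"
: "${SA_RESTART:=/etc/init.d/spamassassin restart}"

# sa_refresh returns:
#   0  new rules downloaded, linted, and loaded by a restart
#   1  no fresh updates (sa-update exit code 1); daemon left alone
#   2  sa-update itself failed (any other exit code)
#   3  rules fail --lint after the update; daemon NOT restarted
#   4  restart command failed
sa_refresh() {
    sa_rc=0
    $SA_UPDATE || sa_rc=$?
    case "$sa_rc" in
        0) ;;
        1) return 1 ;;
        *) echo "sa-update failed with exit code $sa_rc" >&2
           return 2 ;;
    esac

    # Lint the complete rule set before the running daemon is touched, so a
    # broken rule file never replaces a working configuration in memory.
    if ! $SA_LINT; then
        echo "rules fail --lint after update; spamd not restarted" >&2
        return 3
    fi

    if ! $SA_RESTART; then
        echo "restart failed after a clean lint" >&2
        return 4
    fi
    return 0
}

# Cron entry point: run as "<script> --run". Outcomes 0 and 1 are both
# normal; anything else exits non-zero so cron mails the error output.
case "${1:-}" in
    --run)
        st=0
        sa_refresh || st=$?
        [ "$st" -le 1 ] && exit 0
        exit "$st"
        ;;
esac
```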


Re: Image only spam

2006-07-13 Thread Steven Stern
Jack Gostl wrote:
 
 - Original Message - From: Steven Stern
 [EMAIL PROTECTED]
 To: Spamass users@spamassassin.apache.org
 Sent: Wednesday, July 12, 2006 4:31 PM
 Subject: Re: Image only spam
 
 
 Jack Gostl wrote:
 Thanks for the response.

 Take it slow with me, spamassassin has been running so well for so
 long that I haven't had to fiddle with it in ages and I don't
 remember the details. Do I add these rules to my user_prefs? Or to my
 /etc/mail/local.cf files?

 - Original Message - From: Steven Stern
 [EMAIL PROTECTED]
 To: Spamass users@spamassassin.apache.org
 Sent: Wednesday, July 12, 2006 9:13 AM
 Subject: Re: Image only spam


 Jack Gostl wrote:
 I'm running SpamAssassin version 3.0.3   running on Perl version 5.8.2
 under AIX 5.3. Starting a few months ago, I have been absolutely
 inundated with image only spam.  I've gone from catching 99% of the
 spam with almost no false positives to less than 85%. I asked about
 this
 awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 running
 on Perl version 5.8.0, and didn't see much improvement, so I left the
 prod machine alone.

 I'm sure I'm not the only one with this problem. Has anyone had any
 success with it?

 Thanks...

 Jack


 Are you using the SARE_STOCK rules from RulesDuJour at
 rulesemporium.com?  We catch more than 99% of the image only stuff with
 the standard RBLs and 70_sare_stock.cf.

 In case  you ask, these are the SARE rules we're using:

 TRUSTED_RULESETS=SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300
 SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD
 SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS;

 -- 

  Steve

 Hop over to the Rules Emporium (http://rulesemporium.com) and read
 about RulesDuJour.  Install that and set up cron job to look for
 updates once a day.  That's about it.  It's about 30 minutes of think
 work up front to understand the documentation and install it. After
 that, set it and forget it.

 http://www.exit0.us/index.php?pagename=RulesDuJour

 I think you'll be happy with the trusted ruleset line above.
 
 wanted to tell you how this all turned out.
 
 I installed the new rules, incorrectly as Dimitri observed, and then
 restarted spamassassin. (spamd actually). The spam capture rate has
 zoomed from 85% into the high 90s. Looking back I see that we replaced
 our processor about a year ago, and have been exceptionally stable since
 then. We haven't IPLed in almost a year, which also means that
 spamassassin probably hasn't been started in almost as long.
 
 Obviously the new rules weren't the reason for the improvement, since
 they were installed wrong. So it must have been the restart. This makes
 me wonder, was it a corruption, or is there a cumulative effect. I
 wonder if anyone has any thoughts on that.
 
 

I have a cron job scheduled for every Sunday

  sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

This will pick up updates to the basic SA rules if they update them.

-- 

  Steve


Re: Image only spam

2006-07-12 Thread Steven Stern
Jack Gostl wrote:
 I'm running SpamAssassin version 3.0.3   running on Perl version 5.8.2
 under AIX 5.3. Starting a few months ago, I have been absolutely
 inundated with image only spam.  I've gone from catching 99% of the
 spam with almost no false positives to less than 85%. I asked about this
 awhile ago, and tried to upgrade to SpamAssassin version 3.1.1   running
 on Perl version 5.8.0, and didn't see much improvement, so I left the
 prod machine alone.
 
 I'm sure I'm not the only one with this problem. Has anyone had any
 success with it?
 
 Thanks...
 
 Jack
 

Are you using the SARE_STOCK rules from RulesDuJour at
rulesemporium.com?  We catch more than 99% of the image only stuff with
the standard RBLs and 70_sare_stock.cf.

In case  you ask, these are the SARE rules we're using:

TRUSTED_RULESETS=SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300
SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD
SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS;

-- 

  Steve


Re: Image only spam

2006-07-12 Thread Steven Stern

Jack Gostl wrote:

Thanks for the response.

Take it slow with me, spamassassin has been running so well for so 
long that I haven't had to fiddle with it in ages and I don't remember 
the details. Do I add these rules to my user_prefs? Or to my 
/etc/mail/local.cf files?


- Original Message - From: Steven Stern 
[EMAIL PROTECTED]

To: Spamass users@spamassassin.apache.org
Sent: Wednesday, July 12, 2006 9:13 AM
Subject: Re: Image only spam



Jack Gostl wrote:

I'm running SpamAssassin version 3.0.3   running on Perl version 5.8.2
under AIX 5.3. Starting a few months ago, I have been absolutely
inundated with image only spam.  I've gone from catching 99% of the
spam with almost no false positives to less than 85%. I asked about 
this
awhile ago, and tried to upgrade to SpamAssassin version 3.1.1   
running

on Perl version 5.8.0, and didn't see much improvement, so I left the
prod machine alone.

I'm sure I'm not the only one with this problem. Has anyone had any
success with it?

Thanks...

Jack



Are you using the SARE_STOCK rules from RulesDuJour at
rulesemporium.com?  We catch more than 99% of the image only stuff with
the standard RBLs and 70_sare_stock.cf.

In case  you ask, these are the SARE rules we're using:

TRUSTED_RULESETS=SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300
SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD
SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS;

--

 Steve

Hop over to the Rules Emporium (http://rulesemporium.com) and read about 
RulesDuJour.  Install that and set up cron job to look for updates once 
a day.  That's about it.  It's about 30 minutes of think work up front 
to understand the documentation and install it. After that, set it and 
forget it.


http://www.exit0.us/index.php?pagename=RulesDuJour

I think you'll be happy with the trusted ruleset line above.


Re: Bayes autolearn configuration

2006-07-04 Thread Steven Stern
Richard E. Bewley, Jr. wrote:
 Hi,
 
 I'm using SpamAssassin version 3.1.3 running on Perl version 5.8.0.  My
 autolearn is enabled, and I'm getting the below headers, which according
 to spamassassin documentation means that autolearn is enabled, but not
 meeting required criteria to learn.  I am using the default thresholds. 
 Can anyone shed some light on why no messages are being autolearned?
 
 My lint is clean.
 When I debug:
 [24212] dbg: bayes: database connection established
 [24212] dbg: bayes: found bayes db version 3
 [24212] dbg: bayes: Using userid: 102
 [24212] dbg: bayes: not available for scanning, only 12 spam(s) in bayes
 DB < 100
 [24212] dbg: bayes: not scoring message, returning undef
 [24212] dbg: bayes: DB expiry: tokens in DB: 2639, Expiry max size:
 18, Oldest atime: 1117030672, Newest atime: 1151309839, Last expire:
 0, Current time: 1152068718
 
 X-Spam-Status: Yes, score=16.6 required=5.0 tests=SARE_OEM_AND_OTHER,
   
 SARE_OEM_PRODS_1,SARE_OEM_PRODS_FEW,SARE_OEM_PRO_DOL,SARE_PRODUCTS_02,
SARE_PRODUCTS_03,UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL,
URIBL_SBL,URIBL_SC_SURBL,URI_NOVOWEL autolearn=no version=3.1.1
 

It appears that you do not yet have enough spam and ham in your database
to enable learning.  You need to use sa-learn to push some spam and ham
through the system.

  not available for scanning, only 12 spam(s) in bayes DB < 100

There are only 12 spam, but your local.cf file says not to autolearn
until there are at least 100.

-- 

  Steve


Re: spamassassin-3.0.4-1.el4

2006-07-03 Thread Steven Stern
Kaushal Shriyan wrote:
 Hi ALL
 
 I have spamassassin-3.0.4-1.el4 installed by default in RHEL4 Linux
 box, How do i configure spamassassin and integrate it with Sendmail
 
 Thanks and Regards
 
 Kaushal
 

Install spamass-milter to link spamassassin and Sendmail.

-- 

  Steve


Re: spamassassin-3.0.4-1.el4

2006-07-03 Thread Steven Stern

Kaushal Shriyan wrote:

On 7/3/06, Steven Stern [EMAIL PROTECTED] wrote:

Kaushal Shriyan wrote:
 Hi ALL

 I have spamassassin-3.0.4-1.el4 installed by default in RHEL4 Linux
 box, How do i configure spamassassin and integrate it with Sendmail

 Thanks and Regards

 Kaushal


Install spamass-milter to link spamassassin and Sendmail.

--

 Steve


Hi Steve

Thanks for the quick turn around.I got it installed and how do i
proceed and test for spams

[EMAIL PROTECTED] kaushal]# rpm -qa | grep sendmail
sendmail-8.13.1-2
sendmail-cf-8.13.1-2
[EMAIL PROTECTED] kaushal]# rpm -qa | grep spamass-milter
spamass-milter-0.3.0-1.2.el4.rf
[EMAIL PROTECTED] kaushal]# rpm -qa | grep spamassassin
spamassassin-3.0.4-1.el4
[EMAIL PROTECTED] kaushal]#

Thanks and Regards

Kaushal
Be sure to read the document files that ship with it. You'll need to 
modify sendmail.mc to enable the milter and make some decisions on what 
you want to do with spam. 

man spamass-milter is a good place to start, as well as 
/usr/share/doc/spamass-milter-0.3.1/README


Please keep replies on the list. (It would be nice if they configured it 
to work that way by default.)


Re: spamassassin-3.0.4-1.el4

2006-07-03 Thread Steven Stern
jdow wrote:
 From: Steven Stern [EMAIL PROTECTED]
 
 Kaushal Shriyan wrote:
 Hi ALL

 I have spamassassin-3.0.4-1.el4 installed by default in RHEL4 Linux
 box, How do i configure spamassassin and integrate it with Sendmail

 Thanks and Regards

 Kaushal


 Install spamass-milter to link spamassassin and Sendmail.
 
 Procmail also works nicely.
 {^_^}
 


The OP needs to clarify if he's using SA for a few accounts on his own
machine or operating an MX server fronting something else.

There are many paths

-- 

  Steve


Re: ham and spam

2006-06-20 Thread Steven Stern
John D. Hardin wrote:
 On Tue, 20 Jun 2006, Michael Di Martino wrote:
 
 How does one feed bayes ham and spam on an smtp gateway (no local
 delivery). All server does is accept mail for one 2 domains scrub
 for virus and spam and then forward it to its nasty little
 exchange server.
 
 Can you set up shared Exchange folders that can be exported to mbox
 format? If so, set up learn-ham and learn-spam folders, tell people to
 train to them, then periodically export them, transfer them to the SA
 host, and run sa-learn on them.
 
 Perhaps someone sufficiently motivated could write an sa-learn -
 IMAP client utility to train from arbitrary IMAP folders hosted
 remotely...
 

We have trained users to put misclassified ham and spam into two public
folders, should-be-spam and should-be-ham.  We created an exchange user,
spamiam, that has full rights to these folders.

At the top of every hour, this script is run on the one MX server:


# more get_ham_spam
#! /bin/sh
# Start from an empty spool file owned by the fetch account
rm -f /var/spool/mail/spamiam
touch /var/spool/mail/spamiam
chown spamiam:mail /var/spool/mail/spamiam
# Pull the public folder over IMAP, append it to the shared mbox, train as spam
su spamiam -c 'fetchmail -a -K -f /usr/local/scripts/spamiam.fetchmailrc -r "Public Folders/should-be-spam"'
cat /var/spool/mail/spamiam >> /var/www/html/spamstuff/should-be-spam
sa-learn --spam --mbox /var/www/html/spamstuff/should-be-spam
# Same again for the ham folder
rm -f /var/spool/mail/spamiam
touch /var/spool/mail/spamiam
chown spamiam:mail /var/spool/mail/spamiam
su spamiam -c 'fetchmail -a -K -f /usr/local/scripts/spamiam.fetchmailrc -r "Public Folders/should-be-ham"'
cat /var/spool/mail/spamiam >> /var/www/html/spamstuff/should-be-ham
sa-learn --ham --mbox /var/www/html/spamstuff/should-be-ham

# more spamiam.fetchmailrc
pollexchange..com
proto imap
user spamiam
password x
is spamiam here

At 15 past each hour, the two other mail servers use wget to grab the
should-be files to their local /tmp and run sa-learn.

The files are included in logrotate, so they get zero'd every Sunday
morning.

-- 

  Steve


sa-update: then what

2006-06-05 Thread Steven Stern
I've run sa-update and have files in /var/lib/spamassassin/3.001001,
002, and 003.

Am I supposed to move these somewhere?
Should all but the latest directory be deleted?
Is it necessary to run sa-update after installing 3.1.3?
-- 

  Steve


Re: Integrating Spam assasin with exchange server.

2006-06-01 Thread Steven Stern
Crespillo, Matias wrote:
 I apologize in advance for making a lazy question, but is there a quick
 guide somewhere as to how to integrate Spam Assassin with an exchange
 server? Or maybe some way to set it in a way it will get the mails before,
 filter and then forward them to exchange unchanged?.
 
 Thanks a lot in advance.
 

We have spamassassin sitting in front of the exchange server.

Basically, the MX record for our domains point to Linux boxes. On each
of those boxes, we're running SpamAssassin and ClamAV. SpamAssassin uses
a site wide, SQL based Bayes database local to each box, with a few
tricks to help synchronize mail reclassified by Exchange users as ham or
spam.

Only after passing through the MX servers does mail arrive at Exchange.
 (The firewall permits SMTP connections from the MX servers only.)  On
Exchange, we're using Symantec AV to provide another layer of virus
protection.

We don't forward the mail unchanged. If mail is spam, the headers are
re-written to put *SPAM?* at the front of the subject line and to make
the original message an attachment.  Of course, if the mail isn't marked
as spam, it's transparent to the users.

-- 

  Steve


Re: Bypassing scan on locally originated mail

2006-05-24 Thread Steven Stern
Rich Winkel wrote:
 According to Andrzej Adam Filip:
 How do you deployed spamassassin?
 
 I use a milter ...
 

If you're using spamass-milter, edit /etc/sysconfig/spamass-milter and
add excluded addresses with the -i parameter:


 EXTRA_FLAGS="-i 192.168.1.0/24,127.0.0.1"



-- 

  Steve


Re: AutoWhitelist

2006-05-20 Thread Steven Stern
Pablo Allietti wrote:
 On Sat, May 20, 2006 at 10:23:04PM +0200, Magnus Holmgren wrote:
 Saturday 20 May 2006 21:54, Pablo Allietti wrote:
 hi all, i have spamassassin for freebsd running in my system and i want
 to modify a score but i dont have a 50_score
 How i modify this score?

 7.5 AWLAWL: From: address is in the auto white-list
 AWL is not a normal rule. Please read 
 http://wiki.apache.org/spamassassin/AutoWhitelist.

 
 perfect. i have this in the check_auto_whitel\ist
 0.2 (0.5/2)  --  [EMAIL PROTECTED]|ip=201.212
  1.0 (3.0/3)  --  [EMAIL PROTECTED]|ip=201.160
  6.9(20.8/3)  --  [EMAIL PROTECTED]|ip=201.125
  1.1 (6.7/6)  --  [EMAIL PROTECTED]|ip=191.0
 
 i need to remove this line is that possible?
  6.9(20.8/3)  --  [EMAIL PROTECTED]|ip=201.125
 

Are you using SQL or .db files? If SQL, it's easy.


-- 

  Steve


Re: Spamd Children

2006-05-12 Thread Steven Stern
[EMAIL PROTECTED] wrote:
 Ok, fair enough...i downloaded and ran
 
 rpmbuild -tb Mail-SpamAssassin-3.1.1.tar.gz
 
 As described on the site.  I don't see any changes in the version number, is
 there more I have to do ?
 


That just creates the RPM files in /usr/src/redhat/RPMS. Did you install
them?


-- 

  Steve


Re: Spamd Children

2006-05-12 Thread Steven Stern
[EMAIL PROTECTED] wrote:
 Doh, no...can you point me in the direction of how to do that?
 
 
 
 on 5/12/06 8:23 AM, Steven Stern at [EMAIL PROTECTED] wrote:
 
 [EMAIL PROTECTED] wrote:
 Ok, fair enough...i downloaded and ran

 rpmbuild -tb Mail-SpamAssassin-3.1.1.tar.gz

 As described on the site.  I don't see any changes in the version number, is
 there more I have to do ?


 That just creates the RPM files in /usr/src/redhat/RPMS. Did you install
 them?

 

Please don't top post and reply to the list. Thanks.

cd /usr/src/redhat/RPMS/i386  (I presume)
rpm -Uvh *3.1.1-1.i386.rpm

Verify nothing's broken:

spamassassin -D --lint

Then, restart spamassassin

/etc/init.d/spamassassin restart


-- 

  Steve


Re: Big Idiot Needs Instructions

2006-05-11 Thread Steven Stern
Chris Edwards wrote:
 Hola,
 
 I have spent two days trying to figure out how to get the following to
 work.  I have set up Spamassassin and ClamAV, I am running sendmail on
 the Solaris 10 platform.  I would like to be able to scan for all spam
 and virus (in, out and relayed email).  Can someone please point me in
 the right direction?  Do I use procmail or something else.  I set this
 particular combination up years ago on a Linux box but I have had a lot
 of gigo since then.
 

You need to install spamass-milter and clamav-milter to integrate them
with sendmail.

-- 

  Steve


Bayes not working

2006-05-10 Thread Steven Stern
On a new SA installation that's as identical to the other 3 we have
running as possible, bayes is not running.

spamassassin -D --lint indicates that all is normal. The test message
generates a Bayes score.  sa-learn is able to talk to the mysql
database:  We're able to update the database using sa-learn.

However, in production, spamassassin does not report any BAYES_ scores.
 When the spam value exceeds the threshold that would normally cause
autolearning, autolearn=no changes to autolearn=unavailable.
Similarly, AWL entries are not being created.

Can anyone see what's wrong?

[3320] dbg: config: read file /usr/share/spamassassin/23_bayes.cf
[3320] dbg: bayes: using username: root
[3320] dbg: bayes: database connection established
[3320] dbg: bayes: found bayes db version 3
[3320] dbg: bayes: Using userid: 1
[3320] dbg: bayes: corpus size: nspam = 178, nham = 168
[3320] dbg: bayes: tok_get_all: token count: 20
[3320] dbg: bayes: score = 0.913557143318889
[3320] dbg: rules: ran eval rule BAYES_80 == got hit
[3320] dbg: auto-whitelist: sql-based connected to DBI:mysql:sa_bayes:ccim-mx2
[3320] dbg: auto-whitelist: sql-based finish: disconnected from DBI:mysql:sa_bayes:ccim-mx2
[3320] dbg: check: tests=BAYES_80,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE



# grep -i bayes local.cf
# Enable the Bayes system
use_bayes                   1
# Enable Bayes auto-learning
bayes_auto_learn            1
bayes_min_ham_num           100
bayes_min_spam_num          100
# bayes_path                /var/spool/spamassassin/bayes
bayes_store_module          Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn               DBI:mysql:sa_bayes:ccim-mx2
bayes_sql_username          spamass
bayes_sql_password          xxx
bayes_sql_override_username root
bayes_auto_expire           0
user_awl_dsn                DBI:mysql:sa_bayes:ccim-mx2

# grep -i awl local.cf
user_awl_dsn                   DBI:mysql:sa_bayes:ccim-mx2
user_awl_sql_table             awl
user_awl_sql_username          spamass
user_awl_sql_password          xxx
user_awl_sql_override_username root


# ps -ef |grep spam
root      2170     1  0 07:01 ?        00:00:04 /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
root      2247  2170  1 07:01 ?        00:00:20 spamd child
root      2248  2170  0 07:01 ?        00:00:00 spamd child
sa-milt   3264     1  0 07:15 pts/0    00:00:00 /bin/bash /usr/sbin/spamass-milter-wrapper -p /var/run/spamass-milter/spamass-milter.sock -P /var/run/spamass-milter.pid -i 127.0.0.1 -r 10 -- -d localhost -p 783
sa-milt   3265  3264  0 07:15 pts/0    00:00:00 /usr/sbin/spamass-milter -p /var/run/spamass-milter/spamass-milter.sock -P /var/run/spamass-milter.pid -i 127.0.0.1 -r 10 -- -d localhost -p 783


SpamAssassin version 3.1.1
  running on Perl version 5.8.6
spamass-milter - Version 0.3.1


-- 

  Steve


Re: Bayes not working

2006-05-10 Thread Steven Stern

Andy Spiegl wrote:

[3320] dbg: bayes: corpus size: nspam = 178, nham = 168


Probably because your corpus is still too small.

man Mail::SpamAssassin::Conf
...
   bayes_min_ham_num    (Default: 200)
   bayes_min_spam_num   (Default: 200)
   To be accurate, the Bayes system does not activate until a
   certain number of ham (non-spam) and spam have been learned.
   The default is 200 of each ham and spam, but you can tune these
   up or down with these two settings.
  
I imported a corpus of about 2 messages total and it wasn't working. 
I blew it all away and started from scratch thinking that was the 
problem.  For now, local.cf has a minimum of 100 messages of each type. 
The current database exceeds that.


Re: Bayes not working

2006-05-10 Thread Steven Stern

Michael Monnerie wrote:

On Mittwoch, 10. Mai 2006 16:01 Steven Stern wrote:
  

I imported a corpus of about 2 messages total and it wasn't
working. I blew it all away and started from scratch thinking that
was the problem.  For now, local.cf has a minimum of 100 messages of
each type. The current database exceeds that.



I've had such an issue. In ancient times I had done sudo -H -u 
spamscanner sa-learn , but that doesn't work now. I really have to 
do su -l spamscanner and then sa-learn. Maybe that's your problem.


Try to sa-learn --dump magic|grep token to see how many ham/spam there 
really are  - as that user.



  
Everything's tweaked to use root as the user. We do sitewide 
processing since this sits on an MX server.




errors on 3.1.1

2006-03-11 Thread Steven Stern
After installing 3.1.1 by building the RPM from the .tar.gz file, I get 
the following in my log:


Mar 11 22:51:52 mooch spamd[15660]: List::Util object version 1.14 does 
not match bootstrap parameter 1.18 at 
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/XSLoader.pm line 92.
Mar 11 22:51:52 mooch spamd[15660]: List::Util object version 1.14 does 
not match bootstrap parameter 1.18 at 
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/List/Util.pm line 30.
Mar 11 22:51:53 mooch spamd[15660]: Undefined subroutine 
Scalar::Util::weaken called at 
/usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/DBI.pm line 279.


I don't know what to update:


cpan install List::Util
List::Util is up to date (1.18).

cpan install Scalar::Util:weaken
Warning: Cannot install Scalar::Util:weaken, don't know what it is.
Try the command

i /Scalar::Util:weaken/

to find objects with matching identifiers.

--

  Steve


Re: errors on 3.1.1

2006-03-11 Thread Steven Stern

Theo Van Dinter wrote:

On Sat, Mar 11, 2006 at 10:54:50PM -0600, Steven Stern wrote:
After installing 3.1.1 by building the RPM from the .tar.gz file, I get 
the following in my log:


Hrm.  None of these are SpamAssassin related, fwiw.

Mar 11 22:51:52 mooch spamd[15660]: List::Util object version 1.14 does 
not match bootstrap parameter 1.18 at 


You have multiple versions of List::Util installed, 1.14 and 1.18.

Mar 11 22:51:53 mooch spamd[15660]: Undefined subroutine 
Scalar::Util::weaken called at 
/usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/DBI.pm line 279.


DBI is looking for a function that apparently doesn't exist in Scalar::Util.


cpan install List::Util
List::Util is up to date (1.18).


I think you will want to delete all List::Util related files, and then
reinstall.  Basically List::Util is an XS module, and you have one
version of perl and one of the compiled XS.


I can't find anything with rpm -qa |grep perl that looks like list-util 
or anything similar. Where would the XS file be?





cpan install Scalar::Util:weaken
Warning: Cannot install Scalar::Util:weaken, don't know what it is.
Try the command


weaken is the function name, you can try install Scalar::Util.



cpan tells me that's up to date, too.

--

  Steve


Re: bayes DBM versus SQL

2006-03-02 Thread Steven Stern

Webmaster wrote:
Those of you you have used both native DBM and new SQL bayesian, 
can you comment on benefits of one versus the other please.


Much appreciated!



I  have three MX servers fronting our Exchange box.  The fastest of the 
MX servers is also handling the MySQL server for both bayes and AWL. 
It's surprisingly fast and all three boxes are working from the same set 
of information so the path the mail takes doesn't affect scoring.  Most 
of the spam comes through the non-preferred MX server.


--

  Steve


Re: Bayes question

2006-02-21 Thread Steven Stern

M. Lewis wrote:

I recently lost a hard drive and have had to setup everything again.

I'm seeing a fair amount of spam that is getting through my filters. 
 From what I can see in the headers of messages, bayes does not seem to 
be used at all. I'm reasonable sure this is the reason I'm seeing spam.


If I do #spamassassin -t -D  spam.txt   I can clearly see bayes is 
being used.


Suggestions for what to check?

Thanks for any ideas.
M



sa-learn --dump magic

What does it say?

--

  Steve


Re: Bayes question

2006-02-21 Thread Steven Stern

M. Lewis wrote:

Thanks Steve,

# sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0      57468          0  non-token data: nspam
0.000          0      16419          0  non-token data: nham
0.000          0     181931          0  non-token data: ntokens
0.000          0 1139892654          0  non-token data: oldest atime
0.000          0 1140583854          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1140584727          0  non-token data: last expiry atime
0.000          0     691200          0  non-token data: last expire atime delta
0.000          0       1510          0  non-token data: last expire reduction count





Please keep replies on the list

I was wondering if you'd had enough ham and spam to get past the 
minimums.  Looks like you have.


How about posting the output from

   spamassassin -D --lint


--

  Steve
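
Added example (not part of either thread): the minimums check raised in the "Bayes not working" and "Bayes question" threads, as a shell function that compares the nspam/nham rows of sa-learn --dump magic with bayes_min_spam_num and bayes_min_ham_num. The function names and the constructed local.cf fragments are assumptions; the default of 200 is the one quoted from the man page above.

```shell
#!/bin/sh
# Added example: can Bayes activate, given the learned corpus and the minimums?

# magic_value NAME DUMP_TEXT -> count column of the "non-token data: NAME" row
magic_value() {
    printf '%s\n' "$2" | awk -v name="$1" '
        $5 == "non-token" && $6 == "data:" && $7 == name { print $3; exit }'
}

# conf_value KEY DEFAULT CONF_TEXT -> last uncommented numeric setting, else DEFAULT
conf_value() {
    printf '%s\n' "$3" | awk -v key="$1" -v def="$2" '
        { sub(/#.*/, "") }                          # ignore comments
        $1 == key && $2 ~ /^[0-9]+$/ { val = $2; seen = 1 }
        END { print (seen ? val : def) }'
}

# bayes_ready DUMP_TEXT CONF_TEXT -> prints a verdict
# returns 0 = active, 1 = below a minimum, 2 = counts not found in the dump
bayes_ready() {
    nspam=$(magic_value nspam "$1")
    nham=$(magic_value nham "$1")
    min_spam=$(conf_value bayes_min_spam_num 200 "$2")
    min_ham=$(conf_value bayes_min_ham_num 200 "$2")
    if [ -z "$nspam" ] || [ -z "$nham" ]; then
        echo "unknown: dump has no nspam/nham rows"
        return 2
    fi
    if [ "$nspam" -ge "$min_spam" ] && [ "$nham" -ge "$min_ham" ]; then
        echo "active: nspam=$nspam/$min_spam nham=$nham/$min_ham"
        return 0
    fi
    echo "inactive: nspam=$nspam/$min_spam nham=$nham/$min_ham"
    return 1
}

# Rows copied from the dump posted in the "Bayes question" thread.
DUMP_LARGE='0.000  0  3  0  non-token data: bayes db version
0.000  0  57468  0  non-token data: nspam
0.000  0  16419  0  non-token data: nham'

# Constructed dump using the counts from the "Bayes not working" debug line.
DUMP_SMALL='0.000  0  3  0  non-token data: bayes db version
0.000  0  178  0  non-token data: nspam
0.000  0  168  0  non-token data: nham'

# Constructed local.cf fragments: lowered minimums, and nothing set (defaults).
CONF_LOWERED='use_bayes 1
# bayes_min_ham_num 500
bayes_min_ham_num   100
bayes_min_spam_num  100'
CONF_DEFAULT='use_bayes 1'

bayes_ready "$DUMP_SMALL" "$CONF_LOWERED" || true
bayes_ready "$DUMP_SMALL" "$CONF_DEFAULT" || true
bayes_ready "$DUMP_LARGE" "$CONF_DEFAULT" || true
```

On a live system, feed it "$(sa-learn --dump magic)" run as the user spamd scans as, and the contents of the local.cf that spamd actually reads.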


[Fwd: re: rpm of Spam Assassin]

2006-02-10 Thread Steven Stern



 Original Message 
Subject: re: rpm of Spam Assassin
Date: Fri, 10 Feb 2006 12:23:35 -0600
From: Skip [EMAIL PROTECTED]


Steven,

Thanks for the reply re: the rpm build of SpamAssassin 3.1.0.  I also
did the build on my system, but I can't find the location of where the
build was sent so I can install it.  When I restart spamassassin I still
only am getting version 2.55.  I am pretty new overall to linux, so I
have been flying by the seat of my pants, so to speak.  My goal is to
get my spam blocking functionality as good as my current system
(windows).  I am forwarding all my blocked spam to see if the rules are
as good and I am only catching roughly 2/3rds.  Thus, I feel my first
goal is the new version of spamassassin.

Any help you could provide would be great.  Thanks.

- Skip

Please keep all replies on the list.

The build is in /usr/src/redhat/RPMS/i386, at least on my system.

--

  Steve


Re: How to delete Spam automatically

2006-02-10 Thread Steven Stern

Al Bogner wrote:
My hoster offers cpanel to configure spamassassin, which has only a few 
options to configure, like white and blacklist. But I have shell-access to my 
account and maybe I could try out how to delete spam automatically. It looks 
like amavis isn't used on this RedHat machine with kernel 2.4.21-37.0.1.EL


Any ideas?

Al

If you can edit sendmail.mc and make a new sendmail configuration, then 
you could install spamass-milter.  You can then set a reject condition 
for some spam score.


--

  Steve


Re: Could you scan your logs for me?

2006-02-03 Thread Steven Stern

Ole Nomann Thomsen wrote:

Hi, can I ask a small favor from some of you running SA with Bayes enabled:
Please run the following perl-oneliner on your SA-log (mine is current):

perl -ne 'if (/result:/) {$n++; $b++ if (/BAYES/);} } print $b/$n,"\n"; {' current

(I promise it's not a rootkit :-)

I get:
0.710109622411693

I suspect you really ought to see 1, always. What do you get?

Thanks, Ole.





1

--

  Steve


perl error

2005-12-17 Thread Steven Stern

I just installed an update for Perl for Fedora 4 and now...


Dec 17 11:08:02 mooch spamd[3144]: List::Util object version 1.14 does 
not match bootstrap parameter 1.18 at 
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/XSLoader.pm line 92.
Dec 17 11:08:02 mooch spamd[3144]: List::Util object version 1.14 does 
not match bootstrap parameter 1.18 at 
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/List/Util.pm line 30.
Dec 17 11:08:04 mooch spamd[3144]: Undefined subroutine 
Scalar::Util::weaken called at 
/usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/DBI.pm line 279.



using CPAN, I updated DBI.  Scalar::Util is up to date as is List::Util


--

  Steve


Whitelist one, whitelist all

2005-12-12 Thread Steven Stern
I have one user who insists on seeing all mail sent to her. (OK, it's my 
wife.)


I added all_spam_to [EMAIL PROTECTED] to local.cf and that makes it work 
for her. However, if there are other recipients bcc'd on the email, 
then the all_spam_to negative score gets applied to the message and it 
goes through to everyone. Is there a way around this?  (Applying a patch 
or update to the wife is not an option.)




--

  Steve


Re: Whitelist one, whitelist all

2005-12-12 Thread Steven Stern

Matt Kettler wrote:

Steven Stern wrote:


I have one user who insists on seeing all mail sent to her. (OK, it's my
wife.)

I added all_spam_to [EMAIL PROTECTED] to local.cf and that makes it work
for her. However, if there are other recipients bcc'd on the email,
then the all_spam_to negative score gets applied to the message and it
goes through to everyone. Is there a way around this?  



Depends on your setup.

If you're filtering at the MDA layer (procmail), you'll need to start doing
per-user configuration, and only have said all_spam_to in the user_prefs of the
respective user, or better yet, just bypass calling SA for them entirely.


If you are filtering using a site-wide configuration at the MTA layer (milter,
etc), you probably can't fix this without some difficulty. The sticky issue here
is there's one email, sent to two users, and SA has to either tag it or not.

The usual approach to fixing this is to use a MTA layer integration that is
capable of splitting-up multi-recipient messages into a bunch of
single-recipient messages, bypass SA altogether for one copy, and give the
others to SA. Not pretty, but some tools can do it (I forget which ones 
offhand).


Both of the approaches involving bypassing SA will work a whole lot better than
using all_spam_to anyway. all_spam_to will, for example, not prevent mail bcc'ed
to your wife from getting tagged. It's just a whitelist based on what's in the
To: and Cc: headers, and nothing more. While this can be useful, most of the
time it's a kludge.




I'm doing this via spamass-milter at the MTA stage.
--

  Steve


Re: Problems with AOL's TOS reports

2005-12-03 Thread Steven Stern

Robert Menschel wrote:

Hello Steven,

Thursday, December 1, 2005, 6:57:45 PM, you wrote:

SS In order to keep our mail flowing to AOL members, I've signed up through
SS the AOL postmaster service to receive TOS reports. Basically, whenever
SS someone reports mail from our domains as spam, AOL forwards it to me.

SS Anyhow, when it arrives, SA classifies it as spam. What's the reason for
SS the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I
SS overrode them by whitelisting the sender ([EMAIL PROTECTED])?

The reason is that people on our systems here that have not subscribed
to this service are receiving spam with exactly these characteristics.
I believe that some spammer (or ratware) is mimicking the AOL
service's characteristics in order to get their spam through people's
whitelists.

When I put these rules together, I wasn't aware of AOL's service and
its email characteristics, and nobody else in any of the several SARE
mass-checks had any hits at all, so there was no indication through
that means that this was a Bad Rule (tm).

1) If you subscribe to this service, or any domain you process mail
for does, zero the score on these rules.

2) As soon as I get back from vacation, I'll zero the scores on those
rules in the production files, and see if I can figure out how to
identify the spammer as opposed to the service.

3) Yes, whitelist [EMAIL PROTECTED], but do so through an unforgeable
means, such as SPF or RCVD.  Do not use a simple whitelist from, since
that's what the spammer is hoping you will do.

Bob Menschel





Thanks. I'm using the whitelist_from_spf successfully.



--

  Steve


Problems with AOL's TOS reports

2005-12-01 Thread Steven Stern
In order to keep our mail flowing to AOL members, I've signed up through 
the AOL postmaster service to receive TOS reports. Basically, whenever 
someone reports mail from our domains as spam, AOL forwards it to me. 
(They delete the addressee from the headers, although not completely so 
sometimes.)


Anyhow, when it arrives, SA classifies it as spam. What's the reason for 
the SARE_SPEC_CLIENT rules? Would it be a problem for other spam if I 
overrode them by whitelisting the sender ([EMAIL PROTECTED])?


 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.2 SARE_SPEC_CLIENT_TOS2  known spammer address
 1.0 NO_REAL_NAME           From: does not include a real name
 2.2 SARE_SPEC_CLIENT_TOS   high tech impulse spam sign
-0.0 SPF_PASS               SPF: sender matches SPF record
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.7 DNS_FROM_RFC_POST      RBL: Envelope sender in postmaster.rfc-ignorant.org
 1.6 FORGED_MSGID_AOL       Message-ID is forged, (aol.com)
-1.2 AWL                    AWL: From: address is in the auto white-list


The headers look like this:

Microsoft Mail Internet Headers Version 2.0
Received: from enoch.cciminstitute.com ([10.0.2.195]) by 
eve.cciminstitute.com with Microsoft SMTPSVC(5.0.2195.6713);

 Thu, 1 Dec 2005 18:29:18 -0600
Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20])
by enoch.cciminstitute.com (8.13.1/8.13.1) with ESMTP id jB20TD75022197;
Thu, 1 Dec 2005 18:29:13 -0600
Received: from  scmp-m23.mail.aol.com (scmp-m23.mail.aol.com 
[172.21.28.106]) by omr-m08.mx.aol.com (v107.10) with ESMTP id 
RELAYIN7-8438f95576; Thu, 01 Dec 2005 19:29:11 -0400
Received: from  imo-d21.mx.aol.com (imo-d21.mail.aol.com 
[172.18.157.195]) by scmp-m23.mail.aol.com (v98.19) with ESMTP id 
RELAYIN2-3438f95441a; Thu, 01 Dec 2005 19:28:52 -0400

Received: from [EMAIL PROTECTED]
by imo-d21.mx.aol.com (mail_out_v38_r6.3.) id f.2b7.128060a (58677)
 for [EMAIL PROTECTED]; Thu, 1 Dec 2005 19:28:45 -0500 (EST)
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Date: Thu, 1 Dec 2005 19:28:45 EST
Subject: *SPAM* Client TOS Notification
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_438F955B.164385DC
X-Mailer: 9.0 for [EMAIL PROTECTED]
X-AOL-COUNTRY-CODE: US
X-Spam-Flag: YES
X-AOL-IP: 172.21.28.106
X-Loop: scomp
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 
(enoch.cciminstitute.com [10.0.2.195]); Thu, 01 Dec 2005 18:29:13 -0600 
(CST)
X-Virus-Scanned: ClamAV version 0.87.1, clamav-milter version 0.87 on 
enoch.cciminstitute.com

X-Virus-Status: Clean
X-Spam-Status: Yes, score=5.2 required=4.0 tests=AWL,BAYES_00,
DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_MSGID_AOL,HTML_MESSAGE,
NO_REAL_NAME,SARE_SPEC_CLIENT_TOS,SARE_SPEC_CLIENT_TOS2,SPF_PASS
autolearn=no version=3.1.0
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
enoch.cciminstitute.com
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 02 Dec 2005 00:29:18.0390 (UTC) 
FILETIME=[6E99C560:01C5F6D7]


=_438F955B.164385DC
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

=_438F955B.164385DC
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: attachment
Content-Transfer-Encoding: 8bit

X-Envelope-From: [EMAIL PROTECTED]
X-Envelope-To: [EMAIL PROTECTED]
Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.138.20]) by 
enoch.cciminstitute.com;

X-Envelope-To: [EMAIL PROTECTED]
Received: from  scmp-m23.mail.aol.com (scmp-m23.mail.aol.com 
[172.21.28.106]) by omr-m08.mx.aol.com (v107.10) with ESMTP id 
RELAYIN7-8438f95576; Thu, 01 Dec 2005 19:29:11 -0400
Received: from  imo-d21.mx.aol.com (imo-d21.mail.aol.com 
[172.18.157.195]) by scmp-m23.mail.aol.com (v98.19) with ESMTP id 
RELAYIN2-3438f95441a; Thu, 01 Dec 2005 19:28:52 -0400

Received: from [EMAIL PROTECTED]
by imo-d21.mx.aol.com (mail_out_v38_r6.3.) id f.2b7.128060a (58677)
 for [EMAIL PROTECTED]; Thu, 1 Dec 2005 19:28:45 -0500 (EST)
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Date: Thu, 1 Dec 2005 19:28:45 EST
Subject: Client TOS Notification
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed; 
boundary=part1_2b7.128060a.30c0ef3d_boundary

X-Mailer: 9.0 for [EMAIL PROTECTED]
X-AOL-COUNTRY-CODE: US
X-AOL-IP: 172.21.28.106
X-Loop: scomp
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 
(enoch.cciminstitute.com [10.0.2.195]); Thu, 01 Dec 2005 18:29:13 -0600 
(CST)
X-Virus-Scanned: ClamAV version 

Re: Problems with AOL's TOS reports

2005-12-01 Thread Steven Stern

Justin Mason wrote:



you should _definitely_ whitelist AOL's scomp source address -- preferably
using whitelist_from_spf, as they publish a reliable SPF record
for aol.net.

- --j.


Thanks.  That did the trick:


X-Spam-Status: No, score=-94.8 required=4.0 tests=AWL,BAYES_00,
DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FORGED_MSGID_AOL,HTML_MESSAGE,
NO_REAL_NAME,SARE_SPEC_CLIENT_TOS,SARE_SPEC_CLIENT_TOS2,SPF_PASS,
USER_IN_SPF_WHITELIST autolearn=no version=3.1.0
Return-Path: [EMAIL PROTECTED]
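
Added example, not from the thread: a shell audit that lists every plain whitelist_from entry in a configuration, since those match on the sender address alone, and notes whether a whitelist_from_spf or whitelist_from_rcvd entry for the same address already exists. The function name, the status labels and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: find whitelist entries that rely on the From address only.

# audit_whitelist CONF_TEXT -> one "LINE ADDRESS STATUS" row per whitelist_from
# pattern. A plain whitelist_from stays forgeable even when an authenticated
# entry for the same address exists, so every one of them is reported:
#   forgeable-duplicate-of-spf / -rcvd : authenticated entry exists, drop the plain one
#   forgeable-no-authenticated-entry   : replace it with whitelist_from_spf or
#                                        whitelist_from_rcvd
audit_whitelist() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                                  # ignore comments
        $1 == "whitelist_from" {
            for (i = 2; i <= NF; i++) { n++; addr[n] = $i; line[n] = NR }
        }
        $1 == "whitelist_from_spf" {
            for (i = 2; i <= NF; i++) auth[$i] = "spf"
        }
        # whitelist_from_rcvd takes an address followed by a relay domain
        $1 == "whitelist_from_rcvd" && NF >= 3 { auth[$2] = "rcvd" }
        END {
            for (k = 1; k <= n; k++) {
                a = addr[k]
                if (a in auth) print line[k], a, "forgeable-duplicate-of-" auth[a]
                else           print line[k], a, "forgeable-no-authenticated-entry"
            }
        }'
}

# Constructed local.cf fragment; all addresses are placeholders.
SAMPLE_CONF='# site-wide whitelists
whitelist_from      *@lists.example.org reports@feedback.example.net
whitelist_from_spf  reports@feedback.example.net
whitelist_from_rcvd billing@example.com example.com
whitelist_from      billing@example.com   # leftover from before the rcvd entry'

audit_whitelist "$SAMPLE_CONF"
```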


Re: How effective is it?

2005-11-27 Thread Steven Stern

John Woolsey wrote:

Is SA more effective than popfile? And can you manually train it (if you have 
root access)?

  - thanx - JAW

I set up popfile on clients' computers to help them both with spam and 
categorization, but it's not the best solution to spam.


1. Yes.  It has access to more tests.  Popfile is only (only?) a Bayes 
analysis filter.  SpamAssassin uses a wide variety of tests, some 
coming with the system, some self-made, and some from places like Rules 
Emporium.


2. Yes, but root access is not required.  I set up IMAP folders 
should-be-spam and should-be-ham for each user and have them drag 
messages that are misclassified into them. A scheduled job (run as root) 
executes  sa-learn to update Bayes filters.


For example:

sa-learn --spam --mbox /home/*/mail/should-be-spam
sa-learn --ham --mbox /home/*/mail/should-be-ham

--

  Steve


Re: Error when attempting to run sa-stats

2005-11-21 Thread Steven Stern

Jason Kratzer wrote:
Do I need to install the module or can I run it from the install 
directory. I was unable to find the documentation for it.


 

 


[EMAIL PROTECTED] tools]# ./sa-stats.pl

Can't locate Parse/Syslog.pm in @INC (@INC contains: 




perl -MCPAN -e shell
install Parse::Syslog


That should do it.

However, I get a lot of zeros from sa-stats. It's looking at 
/var/log/maillog, but not seeing the spam reports there.  What's the trick?


--

  Steve


Re: Error when attempting to run sa-stats

2005-11-21 Thread Steven Stern

jdow wrote:

From: Steven Stern [EMAIL PROTECTED]


Jason Kratzer wrote:

Do I need to install the module or can I run it from the install 
directory. I was unable to find the documentation for it.


 

 


[EMAIL PROTECTED] tools]# ./sa-stats.pl

Can't locate Parse/Syslog.pm in @INC (@INC contains:




perl -MCPAN -e shell
install Parse::Syslog


That should do it.

However, I get a lot of zeros from sa-stats. It's looking at 
/var/log/maillog, but not seeing the spam reports there.  What's the 
trick?



Set the start and end times. sa-stats.pl --help

{^_^}



How odd... If I don't set start/end, it shows the same dates in the left 
column but puts zeros in the right. With the dates, it shows the correct 
info.


--

  Steve


Re: why doesn't this email get detected as spam?

2005-11-20 Thread Steven Stern

Andreas Kotowicz wrote:

attached email doesn't get any score. why is that?

cheers,
andreas



What rules are you using?  This is what I got from your email.  Seems 
like a little bit of bayes training should catch it.


result:

X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO,
OPTING_OUT_CAPS,SPF_PASS,URIBL_JP_SURBL,URIBL_OB_SURBL autolearn=no
version=3.1.0


--

  Steve

