Re: RelayChecker (now Botnet ) 0.4
Sven Schuster wrote: sorry to get more OT here, but may I ask two questions regarding p0f, as we seem to have some knowledgeable people here :-) 1. does anybody know if there are any problems regarding running the mail server with p0f behind a Cisco PIX firewall?? I have two locations (where I just wanted to do some fingerprint logging for now) where I only get UNKNOWN in the p0f logs...on the other hand, connecting from the local net (no firewall in between) gives me correct results in the logs...could there be some options on the pix to twiddle to turn off some kind of traffic normalization?? I don't have a real answer except to say that I have the same problem behind a PIX, so it is not just you.
Re: Using SpamAssassin variables
John W Mickevich wrote: Hello all! ... I would like to know how to use a variable within SpamAssassin. For example, how would I “capture” the last name of the From header field for use in comparisons elsewhere? Here is a sample:

From: Molly Owens [EMAIL PROTECTED]
Subject: Me again Owens

I am sure a lot of folks have been seeing this spam coming thru lately. I would like to check if the last name in From (Owens) shows up in the Subject header. There may or may not be a better way to catch this specific example, but being able to define a variable and use it elsewhere would be great. I have to assume that SpamAssassin allows for this, but I just can’t seem to figure out how to do it. I have seen mention of eval and $1, $2, etc, and assume they have something to do with defining or using a variable, but I can find no specifics on how to use them.

SpamAssassin only supports captured variables within a single rule. This means that you have to write a single rule that matches over all headers. This is not very efficient or easy to write and usually it is better to look for spam signs to trigger on. If you were running a recent version of SA kept up to date with sa-update and SARE rules you would see this message hitting on a lot more rules. Tom Brown posted this header rule to the sare-users list yesterday that tries to do what you are talking about:

ALL =~ m/(?:^|\n)From: \S+ (\S+?)(?: |).*\nSubject:.*\1\n/s

Also, I am curious if using variables has a significant impact on performance.

Yes, using variables does impact performance. In particular, the type of rules you often need to make use of variables, matching over long areas of text, are inefficient as well.

It would be interesting if SA added the ability to capture a variable in one rule and match against it in another.

It would certainly have a negative impact on performance at least for the rules that used it. And someone would have to write the code to implement it.
Could allow for some pretty nifty rules though.
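The rule quoted above, transcribed to Python as an added example (not Tom Brown's or SpamAssassin's code) so it can be run over a header block offline; the sample headers are constructed, and the `(?: |)` alternation is assumed to have been `(?: |<)` before the archive stripped the angle bracket. A tighter variant that confines the backreference to the Subject: line is included to show why the whole-header rule fires more widely (and costs more) than it needs to.

```python
import re
from typing import Optional

# Tom Brown's SARE rule as quoted in the thread, transcribed to Python's re.
# Assumption: the second alternative in "(?: |)" was "<", i.e. the surname is
# followed either by a space or directly by "<address>".
# Perl's /s modifier is re.DOTALL here: "." also matches newlines, so the rule
# scans across the whole header block, which is what makes it expensive.
SARE_RULE = re.compile(
    r"(?:^|\n)From: \S+ (\S+?)(?: |<).*\nSubject:.*\1\n", re.DOTALL)

# Tighter variant (added here, not from the thread): skip whole header lines
# until the Subject: line and require the backreference on that line itself,
# so a surname further down the headers cannot satisfy the rule.
STRICT_RULE = re.compile(
    r"(?:^|\n)From: \S+ (\S+?)(?: |<)[^\n]*\n(?:[^\n]*\n)*?Subject:[^\n]*\1[^\n]*\n")


def surname_in_subject(headers: str, rule=SARE_RULE) -> Optional[str]:
    """Return the captured From: surname if the rule fires on this header
    block, or None if it does not."""
    m = rule.search(headers)
    return m.group(1) if m else None


# Constructed sample header blocks (not taken from the original post).
SPAM_LIKE = (
    "Received: from host.example.invalid (constructed sample)\n"
    "From: Molly Owens <molly@example.invalid>\n"
    "Subject: Me again Owens\n"
    "To: user@example.invalid\n"
)
CLEAN = (
    "From: Molly Owens <molly@example.invalid>\n"
    "Subject: Quarterly report\n"
    "To: user@example.invalid\n"
)
# Surname absent from Subject: but present on a later header line: the
# whole-header rule still fires, the strict variant does not.
LATER_LINE = (
    "From: Molly Owens <molly@example.invalid>\n"
    "Subject: Quarterly report\n"
    "X-Constructed-Note: forwarded by Owens\n"
)
# No display name at all: neither rule can capture a surname.
NO_NAME = (
    "From: molly@example.invalid\n"
    "Subject: Owens\n"
)

if __name__ == "__main__":
    for label, block in [("spam-like", SPAM_LIKE), ("clean", CLEAN),
                         ("later-line", LATER_LINE), ("no-name", NO_NAME)]:
        print(label, surname_in_subject(block), surname_in_subject(block, STRICT_RULE))
```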
Re: getting mail directly and not via mail-relay
Leon Kolchinsky wrote: Hello, There is a Mail-Relay administered by another person and its MX record stands before the MX record of my mail server, so theoretically mail should go first through Mail-Relay to my server. The thing is that for some reason there are many e-mails (and spam among them of course) getting to my server directly and not via Mail-Relay. What could be the reason for that? Is this behavior avoidable at all? Spammers will take advantage of any opportunity you leave open. Remove the MX record and close off that server!
Re: How To Turn Off ALL Network Tests (except DCC Razor)
Rob McEwen (PowerView Systems) wrote: RE: How To Turn Off ALL Network Tests (except DCC Razor) In SpamAssassin, how do you turn off ALL Network tests, including ALL DNS and **all** rDNS lookups, but leave DCC Razor running? ... Is there anything ELSE that should be done to tell SA to NOT do any other network or DNS checking (and NOT do an rDNS lookup!), except still do DCC and Razor checking? I think you'd want to set 'dns_available no' to disable the rDNS lookups. Out of curiosity though, why would you want to cripple yourself so badly?
Re: Help with sa-learn when using Outlook 2003.
thekillerbean wrote: We currently have an Exchange 2003 server that is under heavy burden due to excessive SPAM. The company is not willing to spend $$$ to resolve the issue if it can be done on Linux - especially being that we have several Linux boxes lying idle! Hence, my plan is to implement Sendmail as a front end mail server for Exchange that will do the SPAM fighting (and possible virus scanning as well once I learn how to) then forward e-mail to Exchange. My dilemma is that since all user accounts are on Exchange, how do I bring these missed SPAM e-mail messages back to the Linux box for use with sa-learn? One option would be to use Maia Mailguard on the Linux box. It can temporarily store a copy of all incoming mail. When a user wants to report a message as spam, they log into the Maia web interface. This way you can be certain that the message will not have been munged by the MUA.
Re: sa-learn for normal users
Richard van der Hoff wrote: I know this has come up before, but I've not really been able to find a satisfactory answer to it. The problem I have is that there is no way for sa-learn to update scores in a Bayes or AWL SQL database without having full SELECT, INSERT, UPDATE and DELETE privileges on the relevant databases - which basically means that every user can see and alter every other user's data. Is it possible to use spamd to help with the learning such that privileges are appropriately restricted? I'd prefer to avoid solutions involving storing spam in temporary mailboxes if possible. You can learn with spamc and the -L switch.
Re: RelayChecker 0.3
John Rudd wrote: Stuart Johnston wrote: Peter H. Lemieux wrote: Billy Huddleston wrote: Reverse DNS is a must. I'm surprised at how many people still haven't got that yet in the IT world.. (Consultants mostly..) It's not uncommon outside the industrialized world. Last few days I got a few false positives for a client that was corresponding with folks in the Caribbean. One of the few services I believe AOL provided the rest of us was deciding a few years' back not to accept mail from servers without reverse DNS. Suddenly lots of admins had to deal with the problem of correct server configuration because you couldn't fail to deliver mail to the millions of AOL users worldwide. Unfortunately, AOL only validates in one direction and some people only do the bare minimum. So, they only look to see that the IP address has a PTR record, but don't verify that the PTR record's hostname resolves back to the IP address? That's correct. You can test it here: http://postmaster.aol.com/tools/rdns.html You can put in for example: 209.74.97.115 whose rdns resolves back to a different IP. AOL specifically says: If the sender's domain is the only domain sending mail from a specific IP address, we recommend that the reverse DNS entry (PTR Record) match the domain name (A Record), but we do not require it.
Re: RelayChecker 0.3
Michael Alan Dorman wrote: On Thu, 16 Nov 2006 17:56:21 -0800 Derek Harding [EMAIL PROTECTED] wrote: On Sun, 2006-11-12 at 17:26 -0800, John Rudd wrote: http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar I've been running this for a few days now and am finding it to be pretty effective, especially against the bots that are producing all the image spam. Currently it's running about 87.55% hit rate with only two false positives so far (one a company on adsl, the other a mail server with no reverse DNS). For reasons that I haven't investigated closely, I'm finding RelayChecker consistently tags mail from the dojo toolkit's mailing list as well as the catalyst toolkit's mailing list. I just noticed that SourceForge's list server has a kinda funky rdns. Can RelayChecker handle an alias in rdns? (66.35.250.225) It looks like neither of the lists you mention use SF but it might cause problems for other lists.
Re: email appears to que all the time - sendmail,spamssassin,amavis-new
Patrick Sherrill wrote: I seem to be getting significant delays in delivery (queue times are set to 15m). I am currently using amavis-new to hook SA with sendmail (tx and rx queue). What would be the best approach to minimizing delays beyond more RAM? Reject more messages with (good) DNSBLs and/or (selective) greylisting before they get to amavis.
Re: I've got TORA.08 spelled with numbers?
Evan Platt wrote: At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about? Got 2 also. Wasn't there a stock image spam with TORA.TORA or something? AH HA! It is not a url, it's a stock symbol! http://finance.yahoo.com/q?s=TORA.OB
Re: would SA benefit from port to Java
Giampaolo Tomassoni wrote: Thinking about the GPL Java announcement some, and trying to imagine the kinds of opportunities this allows for, it occurs to me that SpamAssassin might be a natural fit for Java. I'm just thinking out loud here, not advocating anything... Would it run better? What does that even mean? Run better?
Re: Bayes column 'token'
Mark wrote:

-Original Message-
From: Mark [mailto:[EMAIL PROTECTED]
Sent: woensdag 15 november 2006 18:15
To: 'users@spamassassin.apache.org'
Subject: RE: Bayes column 'token'

Well, bayes_mysql.sql does not specify collation; so, like you said, the collation will be your MySQL server-set default. And searches in MySQL are case-insensitive by default. Might indeed perhaps be a good idea to convert to latin1_bin or some such.

Will there be any problem if I convert the current data to the new collation?

I see no indication (or reason) in the code that tokens are to be handled in a case-insensitive manner. The opposite, ere. So, I'm inclined to say that latin1_bin collation is better. I don't wanna be responsible for messing up your database, though. :) So I will test this a bit on my Vmware box.

Did the testing; and it works very smoothly with latin1_bin.

PRIMARY for `id` and `token` should not have INDEX for `id` and `token` added, too.

I don't understand what you mean. The couple (id, token) is PRIMARY, not INDEX... Where exactly is the problem?

PRIMARY, like UNIQUE, always implies INDEX, too. So, adding an extra INDEX for `id` and `token` basically gives you a double INDEX for them. There's a double INDEX for `atime` too. So, I'd say, in bayes_mysql.sql, replace this:

CREATE TABLE bayes_token (
  id int(11) NOT NULL default '0',
  token char(5) NOT NULL default '',
  spam_count int(11) NOT NULL default '0',
  ham_count int(11) NOT NULL default '0',
  atime int(11) NOT NULL default '0',
  PRIMARY KEY (id, token),
  INDEX bayes_token_idx1 (token),
  INDEX bayes_token_idx2 (id, atime)
) TYPE=MyISAM;

With:

CREATE TABLE bayes_token (
  id int(11) NOT NULL default '0',
  token char(5) COLLATE latin1_bin NOT NULL default '',
  spam_count int(11) NOT NULL default '0',
  ham_count int(11) NOT NULL default '0',
  atime int(11) NOT NULL default '0',
  PRIMARY KEY (id, token),
  INDEX bayes_token_idx1 (atime)
) TYPE=MyISAM;

Those are multi-column indexes, not duplicates.

INDEX bayes_token_idx1 (id, atime) is NOT the same as:

INDEX bayes_token_idx1 (id)
INDEX bayes_token_idx2 (atime)

Unless you've verified that the SQL used by the Bayes modules doesn't need these indexes, you probably shouldn't change these. (sorry I didn't notice this earlier in the thread)
Re: Bayes column 'token'
Mark wrote:

-Original Message-
From: Stuart Johnston [mailto:[EMAIL PROTECTED]
Sent: vrijdag 17 november 2006 23:30
To: users@spamassassin.apache.org
Subject: Re: Bayes column 'token'

CREATE TABLE bayes_token (
  id int(11) NOT NULL default '0',
  token char(5) COLLATE latin1_bin NOT NULL default '',
  spam_count int(11) NOT NULL default '0',
  ham_count int(11) NOT NULL default '0',
  atime int(11) NOT NULL default '0',
  PRIMARY KEY (id, token),
  INDEX bayes_token_idx1 (atime)
) TYPE=MyISAM;

Those are multi-column indexes, not duplicates.

INDEX bayes_token_idx1 (id, atime) is NOT the same as:

INDEX bayes_token_idx1 (id)
INDEX bayes_token_idx2 (atime)

The multi-column INDEX actually *does* appear to be used. My bad. Though it still doesn't justify the existence of:

INDEX bayes_token_idx1 (token)

I haven't looked at the SQL but does it not do something like: WHERE token = ?
Re: RelayChecker 0.3
Peter H. Lemieux wrote: Billy Huddleston wrote: Reverse DNS is a must. I'm surprised at how many people still haven't got that yet in the IT world.. (Consultants mostly..) It's not uncommon outside the industrialized world. Last few days I got a few false positives for a client that was corresponding with folks in the Caribbean. One of the few services I believe AOL provided the rest of us was deciding a few years' back not to accept mail from servers without reverse DNS. Suddenly lots of admins had to deal with the problem of correct server configuration because you couldn't fail to deliver mail to the millions of AOL users worldwide. Unfortunately, AOL only validates in one direction and some people only do the bare minimum.
Re: adjust rules and whitelist_from_rcvd
This should be fixed if you install SA 3.1: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3236

Leon Kolchinsky wrote: Hi, My server runs with a static IP and has a legitimate MX record. Squirrelmail runs on the same mail server. So I don't think that this is the problem. Regards, Leon

-Original Message-
From: Benny Pedersen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 10:01 AM
To: users@spamassassin.apache.org
Subject: Re: adjust rules and whitelist_from_rcvd

On Tue, November 14, 2006 14:08, Leon Kolchinsky wrote:
X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00, NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

you are running a mail server with dynamic ip ranges, which means that mail from you will ALWAYS be seen as spam on other mailservers :/( to fix this search for a mail server that can smart-host for you, eg send all outgoing mail to your isp will do ask your isp about a static assigned ip will be perfect :-) the NO_REAL_NAME fix is here http://www.squirrelmail.org/plugin_view.php?id=142
Re: Processes are backing up
Marc Perkel wrote: Got a strange problem with spamd that started on its own. Processes are backing up - but spamd seems to be stuck not processing them or taking a very long time. Still have free memory and processor loads are not that high. It's as if spamd is waiting on something that isn't responding. Not sure what to look for. Usually a network test. Try running a message through 'spamassassin -D' and watch to see if it hangs up somewhere.
Re: adjust rules and whitelist_from_rcvd
It is probably this header generated by SquirrelMail that is causing the problem.

Received: from 217.132.226.2 (SquirrelMail authenticated user ronits) by mail.mydomain.ac.il with HTTP; Tue, 14 Nov 2006 13:11:52 +0200 (IST)

I'm not really sure what the solution is though. What version of SA are you running?

Leon Kolchinsky wrote: Hello All, I'm running several virtual domains on a Cyrus+Postfix+SquirrelMail+Amavisd-new+Spamassassin+ClamAV system. There are several users sending their legitimate mails via SquirrelMail on the same mail server but getting scored as spam. Here are 2 examples of X-Spam-Status for such mails.

X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00, NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00, NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

Below are the full headers for an example mail:

Return-Path: [EMAIL PROTECTED]
Received: from mail.mydomain.ac.il ([unix socket]) by mail.mydomain.ac.il (Cyrus v2.2.3) with LMTP; Tue, 14 Nov 2006 13:11:57 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1]) by mail.mydomain.ac.il (Postfix) with ESMTP id 3212A1B370 for [EMAIL PROTECTED]; Tue, 14 Nov 2006 13:11:57 +0200 (IST)
X-Envelope-To: [EMAIL PROTECTED]
X-Envelope-From: [EMAIL PROTECTED]
X-Quarantine-id: spam-cf0b98c2a09b009790747cb05ba473a0-20061114-131157-00416-10
Received: from mail.mydomain.ac.il (localhost [127.0.0.1]) by mail.mydomain.ac.il (Postfix) with ESMTP id D0AB71C5CD for [EMAIL PROTECTED]; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Received: from 217.132.226.2 (SquirrelMail authenticated user ronits) by mail.mydomain.ac.il with HTTP; Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Message-ID: [EMAIL PROTECTED]
Date: Tue, 14 Nov 2006 13:11:52 +0200 (IST)
Subject: =?utf-8?B?15fXqNeT15nXldeqINeR16DXmSDXkdeo16c=?=
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
User-Agent: SquirrelMail/1.4.7
MIME-Version: 1.0
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Spam-Status: Yes, hits=6.2 tag1=-999.0 tag2=5.0 kill=5.0 tests=BAYES_00, NO_REAL_NAME, PRIORITY_NO_NAME, RCVD_IN_DSBL, RCVD_IN_NJABL_DUL, RCVD_IN_NJABL_PROXY, RCVD_IN_SORBS_DUL, RCVD_IN_XBL
X-Spam-Level: **

1) Could you please tell me what rules I should adjust (and what score to give those rules in local.cf) so these kinds of mails score below 5.

2) I've tried to add whitelist_from_rcvd to local.cf, but it didn't help:

whitelist_from_rcvd [EMAIL PROTECTED] virtualdomain1.ac.il

Should this line look like this?

whitelist_from_rcvd [EMAIL PROTECTED] mydomain.ac.il

Or this?

whitelist_from_rcvd [EMAIL PROTECTED] mail.mydomain.ac.il

Best Regards, Leon Kolchinsky
Re: maint question
Dmitri wrote: Platform: fedora core 4 spamd version: 3.0.6 spamd invoked: runs as a service Greetings, SpamAssassin is a great product and has been very useful to us. However I would like to ask what maintenance should/can be done to have spamd work more effectively (i.e. filter out more spam). Currently my users get between 5-15 spam messages per day. I spend my time extracting the spam mail out of their mailboxes and then doing spamassassin -r on those messages. Is there anything else I can and should do? My last question is about the new version 3.1.7, does it filter and catch spam better than 3.0.6? Is it stable yet? Yes, you should definitely upgrade to 3.1.7. Then run sa-update to get the latest rules. Also consider getting some SARE rules via sa-update: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Also be sure that you are running with network tests.
Re: change spamhaus.org's score
Payal Rathod wrote: On Tue, Nov 14, 2006 at 08:40:36PM -0500, Matt Kettler wrote: That's the un-scored parent rule that causes the DNS query. There are two child rules that don't perform a DNS lookup, they just use the results fetched by the rule above. The Two scored rules are *DIRECTLY* below the rule above in 20_dnsbl_tests.cf.

I still don't get where they are. See this,

# grep -i score 20_dnsbl_tests.cf
# echo $?
1
grep RCVD_IN_XBL *

Where are the scores kept?

50_scores.cf But make your changes in your local files. /etc/mail/spamassassin/local.cf The actual scores for these rules are (assuming SA 3.1.x):

score RCVD_IN_XBL 0 3.114 0 3.897
score RCVD_IN_SBL 0 2.712 0 3.160

Also, which of these numbers are the scores?

All of them. http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#scoring_options
Re: maint question
Dmitri wrote: just tried typing in sa-update and it said it wasn't a valid command, I downloaded some rules yesterday for the stock spam and that worked great. sa-update is part of 3.1. will my SpamAssassin database get erased upon upgrade to the new version? Do you mean the Bayes database? It won't get erased but I think there is a command you have to run to upgrade it. Check the upgrade file. Thanks, Dmitri - Original Message - From: Stuart Johnston [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Wednesday, November 15, 2006 10:48 AM Subject: Re: maint question Dmitri wrote: Platform: fedora core 4 spamd version: 3.0.6 spamd invoked: runs as a service Greetings, SpamAssassin is a great product and has been very useful to us. However I would like to ask what maintenance should/can be done to have spamd work more effectively (i.e. filter out more spam). Currently my users get between 5-15 spam messages per day. I spend my time extracting the spam mail out of their mailboxes and then doing spamassassin -r on those messages. Is there anything else I can and should do? My last question is about the new version 3.1.7, does it filter and catch spam better than 3.0.6? Is it stable yet? Yes, you should definitely upgrade to 3.1.7. Then run sa-update to get the latest rules. Also consider getting some SARE rules via sa-update: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Also be sure that you are running with network tests.
Re: change spamhaus.org's score
Nigel Frankcom wrote: On Tue, 14 Nov 2006 14:35:33 -0500, Peter H. Lemieux [EMAIL PROTECTED] wrote: Matt Kettler wrote: Should be something like this in 50_scores.cf: score RCVD_IN_BL_SPAMCOP_NET 0 1.332 0 1.558 Just add score RCVD_IN_BL_SPAMCOP_NET 1.0 in your local.cf. That said, I would NOT advise raising the score of spamcop.. lots of FPs for me lately. I've reduced the score on this rule to 0.5 just recently myself. Peter On spamhaus or spamcop? This thread is getting confusing. Personally I drop on a spamhaus sbl-xbl hit at the smtp point. To date I've not had a complaint/problem. Though my userbase is pretty static in send/receives. I don't have much faith in spamcop. I also drop on sbl-xbl. FPs on spamhaus seem pretty rare but recently I've had problems with messages getting blocked from salary.com. bigip.salary.com[12.130.48.10] is listed on XBL (CBL).
Re: Is there a release date for 3.1.8?
The Doctor wrote: On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote: Robert Nicholson wrote: When will the Shortcircuit feature be made available in a release? The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January. Is a beta available? Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn: http://cvs.apache.org/snapshots/spamassassin/ http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: Exim4 / spamd --username question
Exim does not actually run spamc, it connects directly to spamd. spamd does run as root. Exim can connect as nobody depending on your configuration. Generally though, you want to have a writable home directory so it is easiest to create a user for this purpose that Exim can connect as.

Bill Moseley wrote: I'm not clear if I need to run spamd as a specific user or run as root and use spamd -H dir. This is a single mail server running Debian Stable with the packages listed below. SA configuration is system-wide, that is, there's no user-specific configurations to worry about.

ii exim4-daemon-h 4.50-8sarge2 exim MTA (v4) daemon with extended features,
ii pyzor 0.4.0+cvs20030 spam-catcher using a collaborative filtering
ii razor 2.670-1sarge2 spam-catcher using a collaborative filtering
ii spamassassin 3.1.3-0bpo1 Perl-based spam filter using text analysis
ii spamc 3.0.3-2sarge1 Client for SpamAssassin spam filtering daemo
ii dcc-client 1.2.74-2 Distributed Checksum Clearinghouse - client
ii dcc-common 1.2.74-2 Distributed Checksum Clearinghouse - common

If I (should I?) run spamd as, say, user spamd do I have to also setup exim to run spamc as that user? Will it not matter what user is running spamc since spamd can't setuid if not running as root? Also, does the user spamd need a home directory, or can I use -H (or --helper-home-dir) to specify the directory and that will work for any feature that needs to read/write to the disk?

Currently, I have spamd running as root with the following options:

OPTIONS=--max-children 5 --max-conn-per-child=20

In exim4.conf I have:

deny message = This message scored $spam_score spam points.
     spam = nobody:true
     condition = ${if >{$spam_score_int}{100}{1}{0}}

Now, correct me if I'm wrong. Exim is running spamc as user nobody. spamd is running as root -- so when Exim passes a message to spamc, spamd will setuid to nobody. The home directory for nobody is /nonexistent:

$ fgrep nobody /etc/passwd
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

which causes all sorts of complaints in syslog since /nonexistent is, well, nonexistent. I guess why I'm confused is that the Debian install runs spamd as root, and has the exim config running spamc as nobody with a non-existent home -- which means spamd can't read/write as needed. I did see that adding dcc created a dcc user in /etc/passwd.
Re: Is there a release date for 3.1.8?
If you want to try the trunk version, I would suggest you keep it on a separate server. Robert Nicholson wrote: Are the configuration files backward compatible? If I add short circuit entries to my config file will that file only work with the trunk code? ie. are unrecognised configuration directives simply ignored? I want to try the trunk code and I can setup some symlinks for the perl modules but I want to know if I have to have a separate version specific configuration also. likewise I assume bayes hasn't changed? so in short I want to use some symlinks to try the trunk code and I want to know what has to be version specific and what does not. Probably safer to assume everything is version specific. On Nov 12, 2006, at 11:28 AM, Stuart Johnston wrote: The Doctor wrote: On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote: Robert Nicholson wrote: When will the Shortcircuit feature be made available in a release? The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January. Is a beta available? Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn: http://cvs.apache.org/snapshots/spamassassin/ http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: Is there a release date for 3.1.8?
You could browse the messages on the dev list or the commit logs from svn. Robert Nicholson wrote: Also since the Changes file doesn't appear to have been updated in a long while how can I learn the differences b/w each release/trunk code? On Nov 12, 2006, at 11:28 AM, Stuart Johnston wrote: The Doctor wrote: On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote: Robert Nicholson wrote: When will the Shortcircuit feature be made available in a release? The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January. Is a beta available? Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn: http://cvs.apache.org/snapshots/spamassassin/ http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: Is there a release date for 3.1.8?
Robert Nicholson wrote: When will the Shortcircuit feature be made available in a release? The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January.
Re: Is the current spam war a Microsoft creation?
Steve Lake wrote: Just wanted your guys' feedback on an article I wrote just the other day that talks about a possible source of this current spam war. It talks about how it's all too convenient that Microsoft got smacked down hard on their Sender ID system recently, and then this starts shortly afterwards. Almost like they want to weary us and wear us down to the point that we capitulate and take their system. http://www.raiden.net/?cat=2aid=162 - The article is here. Read it and then share your thoughts. If it is somehow provable and Microsoft is somehow in the middle of this, what could be done to them in retaliation for this sudden flood of spam? Assuming it is them of course. And no, I'm not trying to promote any of my stuff. I'm just trying to get a good dialogue going on this and see what others think about this topic. If it turns out I'm wrong, which I'd like to be, then I'll happily eat my words. But if I'm right, something definitely needs to be done. I thought the Sender ID thing was over a long time ago but apparently they recently opened it up: http://news.google.com/news?q=sender+id
Re: Relay Checker plugin v0.2
John Rudd wrote: I've put up a new version of Relay checker, in ... I expect I might, at some point, switch from using a dynamic score in the plugin, to a normal score. But that's the only change I expect to make, aside from bug fixes (if there are any), and/or a switch to using Net::DNS. I wonder if there is any way for a plugin to hook into SA's DNS routines. That might be better than calling Net::DNS directly.
Re: R: BIG increase in spam today
Federico Giannici wrote: François Rousseau wrote: Greylisting is not always good... Greylisting inserts a delay in delivery and sometimes the email has to be delivered fast. I don't trust DNSBLs enough to completely block an email based only on them. What about combining BlackListing and GreyListing? I'd like to use GreyLists (with long delay) for BlackListed emails only. Has anybody already implemented it? Is there already something able to implement it? This was asked on the Postfix list recently: http://groups.google.com/group/list.postfix.users/browse_thread/thread/5146269c41c5ca9d The best answer was: http://www.orangegroove.net/code/marbl/
Re: How to disable IADB
Henk van Lingen wrote: On Fri, Nov 03, 2006 at 03:06:10PM -0500, Theo Van Dinter wrote: On Fri, Nov 03, 2006 at 09:02:46PM +0100, Henk van Lingen wrote: Is there a way to disable this 'feature', without editing those files? Set the rule scores to 0.

Okay, of course. There are however 28 such rules at the moment.

grep IADB /var/lib/spamassassin/3.001007/*/* | grep score | wc
28 872879

They all get tested every time. I'd hoped for a 'skip_rbl_checks alike' check, or something. Thanks anyways,

How about:

perl -n -e 'if(/(score RCVD_IN_IADB\w*)/){ print "$1 0\n" }' \
    /var/lib/spamassassin/3.001003/updates_spamassassin_org/70_iadb.cf \
    > /etc/mail/spamassassin/disable_iadb.cf
Re: Relay Checker plugin v0.2
John Rudd wrote: Stuart Johnston wrote: John Rudd wrote: I've put up a new version of Relay checker, in ... I expect I might, at some point, switch from using a dynamic score in the plugin, to a normal score. But that's the only change I expect to make, aside from bug fixes (if there are any), and/or a switch to using Net::DNS.

I wonder if there is any way for a plugin to hook into SA's DNS routines. That might be better than calling Net::DNS directly.

If anyone knows of a way, I'd look into it. I need to do both fwd and reverse lookups though.

The simple version might look like:

# Get resolver
my $dns = $pms->{parser_dns_pms};
# Reverse
$hostname = $dns->lookup_ptr($ip);
# Forward
my @addrs = $dns->lookup_a($hostname);

I'm not sure if the above code is really in any way better than the way you have it now. There are also functions for doing dns in the background but I don't know if that would be practical or helpful for your plugin.

You also might consider using the rdns that SA has already calculated to save one query:

# rdns as already parsed by SA from the Received: header of this relay
$hostname = $relay->{rdns};
Re: Compromised computer IP list downloadable?
Ben Wylie wrote: Obviously there are many different DNS block lists and some of these are specifically for blocking compromised computers used as drones to send spam. However I have experienced a massive attack on my server by some bot network, trying to send spam through my server, and I would like to be able to download a list of ip addresses or ranges of ip addresses to plug into a firewall to block all of this traffic automatically. Is there such a list, or is this kind of service only available from DNS block lists? Spamhaus has the DROP (Don't Route Or Peer) list which is specifically intended for use on routers and firewalls. It is fairly small though so it may not help in your situation. http://www.spamhaus.org/drop/
Re: Simple script that rejects mail from spammers
sa-russian wrote: Hi to all! I made a simple script that scans sendmail log files, finds IPs from which several spam messages were received, and blocks them in the sendmail access file. The background is as follows: Once I found that our MX was nearly down. Running top exposed a lot of spamd instances, consuming almost all CPU time. Examining maillog showed that one of our subscribers sent about 4000 messages within approximately 15 minutes, and all of them were spam. I manually banned that subscriber in /etc/mail/access and informed their personnel about possible zombie infection. Now I have a script that runs from cron and instantly blocks hosts that have sent us more than some maximum number of spam messages within the last hour (or any duration of your choice). The script is available from http://sa-russian.narod.ru/block_spammers.bash Understanding of some fundamentals of BASH scripting is expected. The only MTA supported is sendmail. Look at the comments inside the script to tailor it to your installation. Best regards, Alan M. Makoev Here's something similar: http://fut.patch.com/
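The idea behind the script above (count spam per sending IP over a sliding window, then block the offenders in the sendmail access map) as an added, constructed example in Python. This is not the block_spammers.bash script and not code from anyone on the list; it assumes sendmail's standard "from=... relay=host [ip]" envelope log line and the "Milter add: header: X-Spam-Flag: YES" line a SpamAssassin milter writes for spam, tied together by the queue id. The log excerpt is constructed.

```python
"""Block relays that sent too much spam in the last hour (added example).

Constructed example, not the block_spammers.bash script. It reads sendmail's
maillog, correlates each message's relay IP with the spam verdict logged for
its queue id, counts spam per IP inside a sliding window, and emits sendmail
access-map entries for the offenders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sendmail envelope line: "<qid>: from=<...>, ..., relay=host [ip]" or "relay=[ip]"
FROM_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ '
    r'sendmail\[\d+\]: (?P<qid>\w+): from=.*relay=\S* ?\[(?P<ip>[\d.]+)\]')
# header the milter adds for spam (assumed: spamass-milter style X-Spam-Flag)
SPAM_RE = re.compile(
    r'sendmail\[\d+\]: (?P<qid>\w+): Milter add: header: X-Spam-Flag: YES')
MONTHS = {m: i for i, m in enumerate(
    'Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split(), 1)}

# Constructed maillog excerpt (Oct 31 2006): 192.0.2.10 delivers four spams,
# one of them before the window, plus one ham; 198.51.100.7 delivers two spams.
SAMPLE_LOG = """\
Oct 31 08:30:02 mx sendmail[3990]: k9VDU2ab003990: from=<x@example.net>, size=1890, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Oct 31 08:30:02 mx sendmail[3990]: k9VDU2ab003990: Milter add: header: X-Spam-Flag: YES
Oct 31 09:01:10 mx sendmail[4101]: k9VE1Aab004101: Milter add: header: X-Spam-Flag: YES
Oct 31 09:01:10 mx sendmail[4101]: k9VE1Aab004101: from=<a@example.net>, size=2211, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Oct 31 09:15:30 mx sendmail[4150]: k9VEFUab004150: Milter add: header: X-Spam-Flag: YES
Oct 31 09:15:30 mx sendmail[4150]: k9VEFUab004150: from=<b@example.net>, size=2302, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Oct 31 09:20:05 mx sendmail[4177]: k9VEK5ab004177: Milter add: header: X-Spam-Flag: YES
Oct 31 09:20:05 mx sendmail[4177]: k9VEK5ab004177: from=<c@example.org>, size=1744, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Oct 31 09:40:44 mx sendmail[4231]: k9VEeiab004231: Milter add: header: X-Spam-Flag: YES
Oct 31 09:40:44 mx sendmail[4231]: k9VEeiab004231: from=<d@example.net>, size=2198, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
Oct 31 09:45:00 mx sendmail[4260]: k9VEj0ab004260: Milter add: header: X-Spam-Flag: YES
Oct 31 09:45:00 mx sendmail[4260]: k9VEj0ab004260: from=<e@example.org>, size=1801, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
Oct 31 09:50:12 mx sendmail[4288]: k9VEoCab004288: Milter add: header: X-Spam-Status: No, score=1.2 required=5.0
Oct 31 09:50:12 mx sendmail[4288]: k9VEoCab004288: from=<f@example.net>, size=3120, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=host1.example.net [192.0.2.10]
""".splitlines()
NOW = datetime(2006, 10, 31, 10, 0, 0)   # "current time" for the sample


def spam_sources(lines, now=None, window=timedelta(hours=1), threshold=3, year=2006):
    """Return {ip: spam_count} for relays at or above `threshold` inside the window.

    Two passes: sendmail may log the milter's header additions before or after
    the envelope line, and only the queue id ties the two together.
    """
    now = now or datetime.now()
    relay_of = {}                                  # queue id -> (timestamp, relay ip)
    for line in lines:
        m = FROM_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m['time'].split(':'))
            ts = datetime(year, MONTHS[m['mon']], int(m['day']), h, mi, s)
            relay_of[m['qid']] = (ts, m['ip'])
    counts = defaultdict(int)
    for line in lines:
        m = SPAM_RE.search(line)
        if m and m['qid'] in relay_of:
            ts, ip = relay_of[m['qid']]
            if now - window <= ts <= now:          # sliding window, old spam ignored
                counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def access_entries(sources):
    """sendmail access-map lines rejecting SMTP connections from the offenders."""
    return [f'Connect:{ip}\tREJECT' for ip in sorted(sources)]


if __name__ == '__main__':
    print('\n'.join(access_entries(spam_sources(SAMPLE_LOG, NOW))))
```

Run it and the only relay over the threshold is 192.0.2.10: its fourth spam is outside the hour and the ham delivery is not counted. Feed the output into the access map (and run makemap) the way the original script does for its own list.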
Re: Simple script that rejects mail from spammers
Evan Platt wrote: At 09:36 AM 10/31/2006, you wrote: Here's something similar: http://fut.patch.com/ I'd be interested in something for postfix / ipfw... :) Currently analyzes log files based on behavior of OpenSSH v4.2, Postfix v2.2.4, and ProFTPD v1.2 as packaged for Debian systems.
Re: Relay Checker Plugin (code review please?)
John Rudd wrote: Stuart Johnston wrote: John Rudd wrote: 2) This sort of replaces the other set of rules I created, that did this with metarules instead of a plugin. This made some of the checks less useful. You probably don't need to use both methods. So, what is the point of doing this as a plugin instead of using existing rules? The obvious disadvantage is the additional dns lookups. The advantages are: a) being sure that the hostname in RDNS points back to the IP address you started with. Thus detecting forgeries (which shouldn't happen with _any_ legitimate service) Postfix does this for you. It is easy enough to write an SA rule to look at the Postfix headers. I don't know about other MTAs. b) just using the rules version of what I wrote, you can only check if the decimal IP address, in individual segments, is in the hostname. You can't check if the entire decimal IP address (one large number) is in the IP address, nor can you check if the hexadecimal segments are in the hostname. (a) requires more DNS work, yes. (b) does not. It just requires a bit more math. This is just my opinion, of course, but: I'd probably make the plugin just do (b). It might be nice if SA did (a) as part of its standard checks although in my experience, way too many legitimate mail servers fail on this for it to be useful anyway.
Re: Scoring base64 blob messages
Peter H. Lemieux wrote: Theo Van Dinter wrote: On Thu, Oct 26, 2006 at 09:46:28AM -0400, Peter H. Lemieux wrote: Also is there an SA rule that scores messages that contain only a single base64 part (as opposed to a base64-encoded attachment)? I doubt many legitimate messages arrive with only a single base64 part. No, because there are going to be a lot of mails that would hit that. Really? Maybe it's because I live in the US, but I can't think of a legitimate message I've ever received consisting only of a base64 blob. Out of curiosity, how frequently does this appear in the SA ham corpus? Rather than making anyone else do the work for me, is there something I can read about how to determine the frequency of different message features appearing in the corpus? Most messages sent from a Blackberry would hit this rule, for example.
Re: URIXBL?
Jeff Hardy wrote: Hello all, I've been diddling with some tests and wondered why there is a spamhaus URIBL_SBL, but not URIBL_XBL (or better yet, combined URIBL_SBL-XBL). I can create this myself easy enough, but wondered if there was a reason XBL is not included. Thanks. XBL is mostly infected PCs. These systems are used to send spam but not generally to host spam domains.
Re: Spam isn't getting caught, can anyone help please?
Have you restarted spamd? Is it running?

Brian S. Meehan wrote: I know y'all are smart, just looking for a little help on this one. In addition to the below info, spamassassin -lint works fine and quietly. Thanks, Brian

Original Message
Subject: upgraded, now no spam is caught
From: Brian S. Meehan [EMAIL PROTECTED]
Date: Wed, October 25, 2006 09:51
To: list_spamassassin users@spamassassin.apache.org

I upgraded spamassassin from 3.0.4 to 3.1.7 and now no spam is getting caught. My mail server (courier-MTA) is still sending mail through spamc before it hits maildrop, so I know it's being processed. I found one header in a single message out of about fifty: X-Spam: Not detected I'm still running sa-learn on my mail folders as before and it's seen well over 100 spam. bayes_seen and bayes_toks are growing in size so they must be updating. Before upgrade, I preserved my bayesfiles, then copied them back over. I also preserved the old spamassassin folder and updated the new local.cf with the previous settings:

  rewrite_header SUBJECT **SPAM**
  dns_available yes
  required_score 4.0
  bayes_path /etc/mail/spamassassin/bayesfiles/bayes
  use_bayes 1
  bayes_auto_learn 1
  bayes_auto_learn_threshold_spam 10
  bayes_file_mode 0777
  report_safe 0
  trusted_networks 192.168.1.101
  bayes_ignore_header X-purgate
  bayes_ignore_header X-purgate-ID
  bayes_ignore_header X-purgate-Ad
  bayes_ignore_header X-GMX-Antispam
  bayes_ignore_header X-Antispam
  bayes_ignore_header X-Spamcount
  bayes_ignore_header X-Spamsensitivity

Anyone have any helpful hints? I'm out of ideas. Thanks much, Brian
Re: How to filter these spam messages
Jonas Eckerman wrote: R Lists06 wrote: A minute or two delay from greylisting matters that much? Greylisting usually delays a mail for more than two minutes (when it delays; a good implementation can exempt most mail from the delay after a while). Even if the greylist implementation only enforces a one minute delay, most servers will wait longer than that before retrying. 5-15 minutes seems to be pretty common (seems because I haven't collected any statistics). Just had a thought... Haven't thought it through or checked any stats for it, so it may not be a good one. The greylist code could do a reverse lookup and/or a DNS-list check on the sending host before deciding whether it should be subjected to the greylist or not. If it's in a dial-up list, or the hostname fits a pattern for dial-up and dynamic addresses, the host can be subjected to the greylist, and otherwise it could be exempted from it. This is sometimes referred to as selective greylisting. See for example: http://www.tahina.priv.at/~cm/spam/
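Two of the threads above describe checks that are easy to get subtly wrong: the Relay Checker discussion (does the reverse DNS name encode the connecting IP, as decimal octets, as one big decimal number, or as hex?) and the selective greylisting idea here (greylist only hosts that look dynamic or are DNSBL-listed, exempt the rest). The following Python is an added example that is not the Relay Checker plugin, not SpamAssassin code, and not the implementation on the linked page; the dynamic-hostname keyword list is this example's own assumption, and the DNSBL result is passed in as a flag rather than looked up.

```python
"""Does a relay's hostname encode its own IP, and should it be greylisted?

Added example covering the three IP-in-hostname encodings discussed on the
list (decimal octets, whole-address decimal, hex octets) and a selective
greylisting decision built on top of them. Not code from any SA plugin.
"""
import ipaddress
import re

# Labels that commonly mark consumer/dynamic reverse DNS (assumed list, not
# taken from any published greylisting implementation).
DYNAMIC_RE = re.compile(
    r'(?<![a-z])(?:dyn|dynamic|dial|dialup|dsl|adsl|cable|ppp|pool|dhcp)(?![a-z])')


def _consecutive(tokens, wanted):
    """True if `wanted` appears as a consecutive run inside `tokens`."""
    n = len(wanted)
    return any(tokens[i:i + n] == wanted for i in range(len(tokens) - n + 1))


def hostname_encodes_ip(ip, hostname):
    """Return the names of the encodings of `ip` found in `hostname` ([] if none)."""
    addr = int(ipaddress.IPv4Address(ip))
    octets = ip.split('.')
    host = hostname.lower()
    tokens = [t for t in re.split(r'[^0-9a-z]+', host) if t]
    # Zero-padded labels ("010") must compare equal to the octet ("10").
    dec_tokens = [str(int(t)) if t.isdigit() else t for t in tokens]
    found = []
    if _consecutive(dec_tokens, octets):                      # 82-234-174-1
        found.append('decimal_octets')
    if str(addr) in host:                                     # 1391111681
        found.append('decimal_whole')
    if _consecutive(tokens, [f'{int(o):02x}' for o in octets]):  # 52-ea-ae-01
        found.append('hex_octets')
    if f'{addr:08x}' in host:                                 # 52eaae01
        found.append('hex_whole')
    return found


def should_greylist(ip, hostname, dnsbl_listed=False):
    """Selective greylisting: (greylist?, reason) for one connecting host.

    `hostname` is the reverse DNS name ('' when there is none); `dnsbl_listed`
    is the result of a dial-up/dynamic list lookup done by the caller.
    """
    if not hostname:
        return True, 'no reverse DNS'
    if dnsbl_listed:
        return True, 'listed in a dial-up/dynamic DNSBL'
    encodings = hostname_encodes_ip(ip, hostname)
    if encodings:
        return True, 'hostname encodes its IP (' + ', '.join(encodings) + ')'
    if DYNAMIC_RE.search(hostname.lower()):
        return True, 'dynamic-looking hostname'
    return False, 'exempt from greylisting'


if __name__ == '__main__':
    # Hostnames from threads on this page; classifications are this example's.
    for ip, host in [('82.234.174.1', 'pro75-3-82-234-174-1.fbx.proxad.net'),
                     ('24.140.8.46', 'cable-8-46.sssnet.com'),
                     ('24.140.1.147', 'smtp-1.sssnet.com')]:
        print(host, should_greylist(ip, host))
```

The token-run check is what keeps octet matching from firing on every hostname that happens to contain a "1": all four octets must appear as adjacent labels, in order. The whole-address forms catch names that hide the IP as a single decimal or hex number, which a per-octet rule cannot see; that is the "bit more math" point (b) in the Relay Checker thread.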
Re: 3.1.6, local scores, and sa-update
Daryl C. W. O'Shea wrote: Mike Grau wrote: Since upgrading to SpamAssassin 3.1.6, running sa-update yields

  # sa-update
  config: warning: score set for non-existent rule BAYES_50
  config: warning: score set for non-existent rule BAYES_05
  ...
  error: lint check of current site config failed, cannot continue.

I assume this is because sa-update now includes local site config in sa-update lint checks. Previously I've set some custom scores for stock rules in /etc/mail/spamassassin/whatever.cf without changing the rule definitions or descriptions. Can I not do this and need to define the body BAYES_99 and describe BAYES_99 in whatever.cf also, or is this a bug in sa-update? Sigh. None of the machines I tested the change on redefined any scores. I forgot that this actually causes an error and not info, so I didn't even think of trying it. For now you'll have to disable the score lines while you do sa-update. Temporarily renaming whatever.cf to whatever.cf-disabled is probably the easiest way to go about it. Could you just add appropriate ifplugin lines for a more permanent fix?
ImageInfo Bug
Dallas, I think there is a bug in the image_size_range function.

  my $name = $type.'_dems';

Should probably be more like:

  my $name = "dems_$type";

Thanks, Stuart
Re: Stock spam in images
Theo Van Dinter wrote: On Mon, Oct 02, 2006 at 03:18:58PM +0100, Randal, Phil wrote: undetected). Wouldn't it be better to inject the detected text back to SA? There should be enough variants of spam words to let SA fuzzily catch the ones from images. I think so. Some of the words would be perfectly legitimate in the text of emails but rarely found in attached legitimate images. Quite apart from the fact that SpamAssassin isn't designed for reinjection. FWIW, 3.2 adds in support to have rendering of non-text parts. So a plugin could, for instance, OCR text from an image, and then the normal body rules and such would be able to use that information. Would it also be possible to create a rule that matches on text rendered specifically from a non-text part and not the whole body? That way you could get the benefit of Bayes and existing body rules in the general case while still taking advantage of the fact that certain words in an image have more spammy-weight than the same words in text.
Re: Q. about spam directed towards highest MX Record?
Rob McEwen (PowerView Systems) wrote: Jon Trulson said: Hehe, that is an old spammer trick... Our secondary MX is pretty much 100% spam. I implemented greylisting on the secondary which reduced spam through it by about 99% :) The secondary does not do spam scanning, it's simply store and forward. Greylisting really helps in these cases. Jon, please tell me, what portion of your overall spams attempt to come in through this secondary MX compared to all spam that you catch which is headed to your primary MX record. Here are some rough numbers from my systems:

Yesterday on the secondary MX:
  Connections: 24601
  Blocked for RBL: 22841

Roughly similar time period on primary MX:
  Connections: 176668
  Blocked for RBL: 79994
  Delivered: 17168
Re: Bayes test in spamassassin.bat
The most common cause for this type of problem is that your mail server is not running as the same user as when you are testing or learning. IOW, it can't find the bayes DB.

Floyd wrote: Hi, I am using SpamAssassin with Exchange and I noticed I was getting different scores using spamassassin.bat (there was a previous post by me to this question). I have done some additional tests and I noticed that when spamassassin.bat is run automatically on every incoming message there are no tests for bayes, e.g.

  Start - ID:
  PreFile: C:\ESA\NEW\msg060911101328_51EC4.in.eml
  PostFile: C:\ESA\NEW\msg060911101328_51EC4.out.eml
  SpamAssassin: C:\PERL\BIN\SPAMASSASSIN.BAT C:\ESA\NEW\msg060911101328_51EC4.in.eml C:\ESA\NEW\msg060911101328_51EC4.out.eml
  SpamAssassin result: 0
  Checking for PERL in Path...
  Reloading Stream...
  Reading OUT file
  XSpamFlag:
  XSpamStatus: No, score=0.0 required=6.0 *tests=AWL,HTML_MESSAGE * autolearn=disabled version=3.1.4
  Added header urn:schemas:mailheader:X-Spam-Checker-Version SpamAssassin 3.1.4 (2006-07-25) Exchange SpamAssassin Sink (www.christopherlewis.com) 1.2.76 on myserver
  SPAM: False
  SpamAssassin Value: 0
  File: msg060911101328_51EC4
  Moving to HAM
  : End

But when I run spamassassin.bat manually there is a test for bayes in addition to the other tests, e.g.

  X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on my server
  X-Spam-Level:
  X-Spam-Status: No, score=-2.0 required=6.0 tests=*BAYES_00*,HTML_40_50, HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4
  thread-index: AcbVrHRGLevRi+gCSJenNtqXgv1xTA==

Could someone please help me with this? Is there a setting somewhere I missed, in local.cf maybe?? Thanks for your help in advance
Re: Marking Mail in the future as SPAM?
[EMAIL PROTECTED] wrote: When using a web client like IMP from Horde it seems the Date header is kept in the original format and never converted to my local timezone. I figure that if I converted the Date to my local timezone I would have people leaving messages in the future that always sit at the top of my Inbox. For instance it's still the 8th here in CDT but elsewhere it's the 9th and those messages now sit at the top of the list of messages to be read. The IMP4 install on my server (which I don't generally use) does convert dates to local timezone. However, sorting by arrival is the only sensible default sort for an Inbox. Now, ascending vs. descending is a different matter.
Re: Marking Mail in the future as SPAM?
John Rudd wrote: On Sep 8, 2006, at 5:59 PM, Stuart Johnston wrote: [EMAIL PROTECTED] wrote: When using a web client like IMP from Horde it seems the Date header is kept in the original format and never converted to my local timezone. I figure that if I converted the Date to my local timezone I would have people leaving messages in the future that always sit at the top of my Inbox. For instance it's still the 8th here in CDT but elsewhere it's the 9th and those messages now sit at the top of the list of messages to be read. The IMP4 install on my server (which I don't generally use) does convert dates to local timezone. However, sorting by arrival is the only sensible default sort for an Inbox. Now, ascending vs. descending is a different matter. I sort by position in the mail folder, regardless of any date stamps. But I don't know of any webmail clients that do something that sensible. I generally stick to using IMAP clients that support that feature (such as Apple Mail). Hmm. All of the webmail apps I use do: IMP4, Hastymail, CGP. Sorting by arrival generally means the same as by folder position.
Re: [Bump] No log to syslog after upgrade
Kurt Buff wrote: I've requested an account, and am waiting for the password. I understand about command line tools and their use, but SA is a bit of a special case, as it's used as more than simply a command line tool - especially when you consider its use with Amavis, etc. amavisd-new has its own logging facilities including the option to log to syslog or a separate log file. There is also an option to log debugging output from SA. You should ask on the amavis list if you need more details.
Re: Perfect spamassassin setup?
jdow wrote: From: Stuart Johnston [EMAIL PROTECTED] Eric Persson wrote: This might be a shot in the dark, but after running a patched qmail, qmailscanner with spamassassin and mysql support for a while and a self-developed web interface, we've started to look around at what others are using. Is there any project that combines the strength of spamassassin, mysql and a good web interface to act as an antispam frontend of a normal mailserver? Any suggestions, in terms of packages or bundled systems, are appreciated. Preferably open source and free to use. Thanks, Eric http://www.maiamailguard.com/ ...web-based interface... is where it lost me on the first line of text. I will not voluntarily use web-based email interfaces. They are the direct spawn of Satan. Well that's fine but I was not recommending Maia to *you*. I was recommending it to Eric Persson who specifically asked for a good web interface.
Re: Perfect spamassassin setup?
Eric Persson wrote: This might be a shot in the dark, but after running a patched qmail, qmailscanner with spamassassin and mysql support for a while and a self-developed web interface, we've started to look around at what others are using. Is there any project that combines the strength of spamassassin, mysql and a good web interface to act as an antispam frontend of a normal mailserver? Any suggestions, in terms of packages or bundled systems, are appreciated. Preferably open source and free to use. Thanks, Eric http://www.maiamailguard.com/
Re: Train from Outlook?
Christopher Mills wrote: Tell me something, is there a plugin for Outlook that would allow me to train SpamAssassin on the web server? E.g., messages come in, end up in my Junk Mail folder; can I somehow select them, and click a button with this 'addin' and have it find our web server and train SpamAssassin with the data in my local inbox? That would be a very cool addon if someone could develop it. There is a Summer of Code project for this but the guy's blog hasn't been updated in a while. http://code.google.com/soc/asf/appinfo.html?csaid=DF01D8A7A5E102D7
Re: RBL Rules Misfiring
As a quick guess, you probably need to fix your Trust Path: http://wiki.apache.org/spamassassin/TrustPath

D.J. wrote: Hello all. I searched my archive of the list, and couldn't find a similar issue. This is probably something I've misconfigured, but here goes. Running SA 3.14 via the Mail::SpamAssassin Perl plugin from amavisd-new. Have been running into a problem where some dynamic RBL lists are firing just because the IP is in the headers, not necessarily because it's the IP talking to my MTA. They are indeed IPs in the list but shouldn't be firing because they're really using their ISP's mail servers as you can see later in the headers. I'm *really* hoping this isn't intended operation and it's just something I've blundered somehow. Below is a piece of one of the message notifications I receive. I've been watching this on a couple small domains I own before putting it on our main one, and it's a good thing! Thanks in advance for the help. - D.J.

Content analysis details: (10.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4964]
 2.2 RCVD_IN_SORBS_SOCKS    RBL: SORBS: sender is open SOCKS proxy server
                            [24.140.8.46 listed in dnsbl.sorbs.net]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [24.140.8.46 listed in dnsbl.sorbs.net]
 2.6 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [http://dsbl.org/listing?24.140.8.46]
 0.7 RCVD_IN_NJABL_PROXY    RBL: NJABL: sender is an open proxy
                            [24.140.8.46 listed in combined.njabl.org]
 1.9 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [24.140.8.46 listed in combined.njabl.org]
 1.8 MISSING_SUBJECT        Missing Subject: header
-1.8 AWL                    AWL: From: address is in the auto white-list

Return-Path: protected
Received: from smtp-1.sssnet.com (nat-147.sssnet.com [24.140.1.147]) by test.sssnet.com (Postfix) with ESMTP id 663292B803E for protected; Wed, 23 Aug 2006 14:58:41 -0400 (EDT)
Received: (qmail 11376 invoked by uid 507); 23 Aug 2006 18:58:42 -
Received: from 24.140.8.46 by smtp-1.sssnet.com (envelope-from protected, uid 501) with qmail-scanner-1.25st (clamdscan: 0.88.2/1715. spamassassin: 3.0.3. perlscan: 1.25st. Clear:RC:1(24.140.8.46):SA:0(1.2/14.0):. Processed in 0.727458 secs); 23 Aug 2006 18:58:42 -
X-Spam-Status: No, hits=1.2 required=14.0
X-Spam-Level: +
Received: from cable-8-46.sssnet.com (HELO SERVER) ([24.140.8.46]) (envelope-sender protected) by 0 (qmail-ldap-1.03) with SMTP for protected; 23 Aug 2006 18:58:41 -
From: Sue Repp protected
To: 'Mary Richardson' protected
Subject:
Date: Wed, 23 Aug 2006 14:58:53 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000__01C6C6C4.ABD60F20
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcbG5izxOwnp3dUpR7iOx6AZ33ceQQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Qmail-Scanner-Message-ID: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Re: How can I (we) get rid of this?
Vivek Khera wrote: On Aug 21, 2006, at 11:04 AM, Stuart Johnston wrote: Anders Norrbring wrote: Hiya all! I'm getting really sick of receiving 10-100 of the attached mails every day. Any suggestions on how to get rid of them? Apparently my Amavis-new and SpamAssassin only tag them from 0 to 1.6 points. FuzzyOCR, ImageInfo, SARE, sa-update. Well sa-update and SARE (at least the sets I use -- you should be more specific) don't help. The specific message that was posted hit for me on: SARE_OBFU_SOFT from 70_sare_obfu.cf SARE_GIF_ATTACH from 70_sare_stocks.cf TVD_FW_GRAPHIC_ID3 from sa-update
Re: How can I (we) get rid of this?
Anders Norrbring wrote: Hiya all! I'm getting really sick of receiving 10-100 of the attached mails every day. Any suggestions on how to get rid of them? Apparently my Amavis-new and SpamAssassin only tag them from 0 to 1.6 points. FuzzyOCR, ImageInfo, SARE, sa-update.
Re: a new kind of spam (with images)
decoder wrote: Spamassassin List wrote: Stephane Bentebba wrote: hi all, i am more or less happy with my spamassassin configuration, it has worked well for one year, but i have a problem with a new kind of spam which easily goes through it: spam which has poor text, poor tokens, or none, and a subject always changing. The only thing which remains the same is the image incorporated in it. It always gets a very low hit (below 3). The subject on the image in the body is either "breaking news concerning..." or "we have a runner!" Would it be possible to find a solution? Add / modify a test to look at the first bytes of an attachment and recognize the image? I can send you samples of this spam if you like... (prefer not to attach them) Have a look at FuzzyOCR http://wiki.apache.org/spamassassin/FuzzyOcrPlugin Works very well for me - I'm using it in conjunction with ImageInfo and since I'm using them those image spams get through VERY rarely They will also block off legit emails too How so? I wouldn't expect any from FuzzyOCR but ImageInfo certainly has the chance to block legit mail.
Re: SPAM: Increase in targeted spams
John D. Hardin wrote: On Sat, 12 Aug 2006, Michael Scheidell wrote: (can we come up with an RBL for domains registered with jokers?) A while back I suggested a more-general spammer-friendly-registrar RBL. Can anyone give me a seed list of the registrars we would consider spammer-friendly? I want to try some ideas out for how this could be implemented... REGISTERFLY.COM, INC. MONIKER ONLINE SERVICES, INC. BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN SPOT DOMAIN LLC DBA DOMAINSITE.COM I'd also like to see a dnsbl of spammer-friendly name servers.
Re: breaking out: thinking abt the 'sa-update *VS* rdj' thread .. .
Chris Santerre wrote: We write rules, not delivery systems. You can print out the rulesets from our webpage, and retype them into your system if you like. You can have someone encrypt ROT13, RAR, ZIP, and send you the torrent link. How you get your rules is your choice. It looks like SARE rules are Artistic licensed so redistribution shouldn't be a problem, I suppose. Someone has already volunteered to provide an sa-update channel of SARE rules. When a reasonable solution to the channel vs ruleset problem comes to light, SARE will most definitely help to aid in whatever way we can. As of now, we provide cf files via port 80. I believe two solutions have been suggested. Both of them seem pretty reasonable to me: 1) One channel for each ruleset. Channels can be autogenerated with scripts. Multiple channels can be easily handled with the --channelfile option. 2) One channel for all rules, all disabled by default. Users 'include' the rulesets they want. Of course, either of these options still requires the work of a distributor whether that is SARE, the SA project, or some other volunteer.
Re: Image spam with inline jpeg image
Bowie Bailey wrote: Michael Scheidell wrote: From: Bowie Bailey [mailto:[EMAIL PROTECTED]] Possibly. It depends on the overhead involved in setting up the channels. Plus, not all of us want ALL 62 files! Some of the *[0-3] files say to use 70_abcd0.cf, or _1, or _2, or _3. Would need some cf file for sa-update to decide which of the 62 files we want, and it could be per site. (some sites with huge email volume might want to cut down on sa/perl overhead) Right. Since there is currently no way to tell sa-update to get only certain files from a channel, you would need 62 sa-update channels in order to have the same flexibility you currently have with RDJ. Each channel would contain a single .cf file and you can pick which channels to use. What if the channel contained all rule files but the default channel .cf would not include any of them. Then the user could add a file to their local rules directory that included just the files they want. It might look something like:

  include /var/lib/spamassassin/version/updates_rulesemporium_com/70_sare_html0.cf
  ...

That's a little messy so perhaps SA could add a new include directive that looks in the local state directory. Something like:

  include_state updates_rulesemporium_com/70_sare_html0.cf
Re: Spam came from users in whitelist
Reginaldo Bray Mendoza wrote: Good day. I have spamassassin working with MailScanner in a redhat linux machine. Recently, we are receiving SPAM that claims to be from some users that are on whitelist and, for that reason, spamassassin marks them as NOT SPAM (user in whitelist rule scores -100). What can we do to avoid this??.. is there another way we can secure our whitelist users rather than use spamassassin's whitelist_from rule??? whitelist_from_rcvd whitelist_from_spf whitelist_from_dkim
Re: Broken images in mails
Logan Shaw wrote: On Wed, 9 Aug 2006, John D. Hardin wrote: Could the image-size calculation stuff from the ImageInfo plugin be merged into this? I was envisioning all of those tests in a single plugin, with configuration options to control whether or not the OCR itself (fuzzy or not) takes place and whether the size analysis takes place and... There are lots of analyses that can be made of images; should there be multiple plugins, or should there be a more generic ImageAnalysis plugin (that perhaps has its own support for plugins...)? How many times do you want to do the image extract/paste-together/convert processing for a given message? Is there a way there could be one plugin to do the image decoding and N plugins to do various forms of analysis? That seems like the cleanest way. Of course, this presupposes that all the different analysis plugins need access to the same set of data. And it presupposes that one plugin can create data for another plugin to use. I don't know that either of those is necessarily true. Have you noticed how impressively short both of these plugins are? The only significant function they have in common is decoding the image attachments which is already handled by SA core modules. I'm assuming that SA only decodes an attachment once and reuses it for any plugin that needs it.
Internal Networks Not Trusted?
Shouldn't internal_networks be automatically trusted? When I use this config:

  internal_networks 127/8 10.
  trusted_networks 216.65.194.186

I get this:

  [15275] dbg: received-header: parsed as [ ip=10.2.100.6 rdns= helo= by=ebby.com ident= envfrom= intl=0 id=25268392 auth= ]
  [15275] dbg: received-header: relay 10.2.100.6 trusted? no internal? no
  [15275] dbg: received-header: parsed as [ ip=127.0.0.1 rdns=gateway.ebby.com helo=localhost by=gateway.ebby.com ident= envfrom= intl=0 id=9C24A14E5D3 auth= ]
  [15275] dbg: received-header: relay 127.0.0.1 trusted? no internal? no
  [15275] dbg: received-header: parsed as [ ip=127.0.0.1 rdns= helo=gateway.ebby.com by=localhost ident= envfrom= intl=0 id=10731-01-4 auth= ]
  [15275] dbg: received-header: relay 127.0.0.1 trusted? no internal? no
  [15275] dbg: received-header: parsed as [ ip=217.70.59.152 rdns=m152.zicom.pl helo=m152.zicom.pl by=gateway.ebby.com ident= envfrom= intl=0 id=3A7C514E5F6 auth= ]
  [15275] dbg: received-header: relay 217.70.59.152 trusted? no internal? no

Nobody is trusted or internal! Is there any reason you would want something internal but not trusted? It doesn't look like that would work anyway. If I repeat the internal_networks as trusted_networks, it gets what I want but seems unnecessarily redundant. Am I missing something?
Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Davin Flatten wrote: Just thought this might help someone out. Thanks to M. Blapp for an excellent SA Plugin. Optical Character Recognition (OCR) can be used to nab those pesky spam messages that are hidden in gif,jpeg, or png images... This OCR stuff looks promising. Any comments on performance? How much extra load does it put on a server?
Re: exim4 + forwarding + spamassassin
jdow wrote: From: Chr. v. Stuckrad [EMAIL PROTECTED] On Thu, 27 Jul 2006, jdow wrote: From: Loren Wilton [EMAIL PROTECTED] ... I've never seen the logic of placing SpamAssassin inside the incoming transaction before the termination of the SMTP connection rather than down the pipe in the MDA. If you want to 'reject spam' (with score over a given threshold) and because you do not want to generate bounces, you have to check 'inside the transaction', to tell the sending MTA that you do not accept the current mail because of spam. That's fine. But you can't do it and make it work right. It also makes each email transaction a second or more longer. If your mail load can tolerate this, I suppose it is barely workable. But you double your machine load doing so. You are better off using block lists with a small score for each BL and then grey list for questionable scores and block for known bad. SpamAssassin is way too much code to traverse just for that small function. It works great on my 2 user personal system. It would probably require a little more hardware for my 2k+ user work system. ;) This only works with site-wide bayes and global setup, except if you make sure that you know the (then exactly one?) recipient of the message at the end of incoming data (the single '.' in the SMTP-Protocol, the 'acl_smtp_data' in exim4). Parsing on the fly for recipient means you need something to do this before it gets to Bayes. That's even more code to run. How hard is it to parse an RCPT TO:? Besides, most servers will have already parsed this to make sure it is a valid recipient. Beware of 'overloading the system': if you check incoming mails 'during arrival', you will have to restrict the number of concurrent SMTP-connections by the maximum of spamchecks your system can handle. Of course, so greylisting is better with far less throughput damage. I've only started to think about implementing (selective) greylisting on my systems but I hear that the spammers are starting to wise up to it. Stucki PS.: I too prefer 'only to tag' the spams, and let the user decide to discard them. I tested both ways and to me the only safe way to never crowd the system is to spamcheck on the inside in an exim-queuerunner. The nr. of queuerunners can then simply be adjusted to the capabilities of the server. Score only and pass to recipient with a clear XXX.X score in the subject markup. That allows easy sorting by score and elimination even in stupid tools like OutlookExpress. The logic for running SA before the SMTP transaction is complete is more wishful thinking than practical. This is probably especially true with smtp tools like PostFix that run in a chroot jail. I don't really like the idea of sending spam to a black hole (quarantining). Only tagging as you suggest puts the responsibility on the users but knowing the limited tech-savviness of most of my users and the volume of spam they would receive makes that option less attractive to me. Even sorting by score or creating filters is asking a bit much of many of my users. Anyway, that's why I like the idea of SMTP-time rejection - not accepting the responsibility of the message in the first place. Plus, if a legit mail does get blocked, the recipient will get notified. (Even though I haven't been able to implement it on a large scale.)
Re: Spamassassin -r on Already Spam?
John Andersen wrote: Am I messing up my Bayes in an attempt to help out razor and spamcop? No, it helps.
Re: spam
I think you may be misreading the headers. This mail came from pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1] (a French ISP).
Thomas Lindell wrote: Gah just when I thought I had spam problems resolved not it appears someone's able to send spam directly from the server
Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.airbornedatalink.com [127.0.0.1]) by adlsrv4.airbornedatalink.com (Postfix) with ESMTP id 19D3A34004 for [EMAIL PROTECTED]; Wed, 26 Jul 2006 10:41:52 -0500 (CDT)
X-Virus-Scanned: amavisd-new at adlmail.com
Received: from adlsrv4.airbornedatalink.com ([127.0.0.1]) by localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 63sUVcMA5Y1h for [EMAIL PROTECTED]; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1]) by adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001 for [EMAIL PROTECTED]; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
Message-ID: [EMAIL PROTECTED]
Reply-To: Wojciech Doucette [EMAIL PROTECTED]
From: Wojciech Doucette [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: keiyqVjlAGRA
Date: Wed, 26 Jul 2006 08:37:50 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C6B08E.C7334B30
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Antivirus: AVG for E-mail 7.1.394 [268.10.4/399
Based on this header I believe it’s some sort of bounce attack or local attack Anyone have any thoughts I’m at my wits end Tom
Re: spam
Huh? The first received header (read from the bottom up):
Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1]) by adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001 for [EMAIL PROTECTED]; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
I suppose you might say that the HELO (burkeauto.com) is faked.
Thomas Lindell wrote: Does that mean they just faked the headers? I am new to mail administration only been doing it a couple of months now and I appreciate all the help. Thanks Tom
-Original Message- From: Stuart Johnston [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 26, 2006 11:00 AM To: Thomas Lindell Cc: 'Spamassassin Users List' Subject: Re: spam
I think you may be misreading the headers. This mail came from pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1] (a French ISP).
Thomas Lindell wrote: Gah just when I thought I had spam problems resolved not it appears someone's able to send spam directly from the server
Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.airbornedatalink.com [127.0.0.1]) by adlsrv4.airbornedatalink.com (Postfix) with ESMTP id 19D3A34004 for [EMAIL PROTECTED]; Wed, 26 Jul 2006 10:41:52 -0500 (CDT)
X-Virus-Scanned: amavisd-new at adlmail.com
Received: from adlsrv4.airbornedatalink.com ([127.0.0.1]) by localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 63sUVcMA5Y1h for [EMAIL PROTECTED]; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1]) by adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001 for [EMAIL PROTECTED]; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)
Message-ID: [EMAIL PROTECTED]
Reply-To: Wojciech Doucette [EMAIL PROTECTED]
From: Wojciech Doucette [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: keiyqVjlAGRA
Date: Wed, 26 Jul 2006 08:37:50 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C6B08E.C7334B30
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Antivirus: AVG for E-mail 7.1.394 [268.10.4/399
Based on this header I believe it's some sort of bounce attack or local attack Anyone have any thoughts I'm at my wits end Tom
Re: Should this hit more rules?
Dimitri Yioulos wrote: On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote: Dimitri Yioulos wrote: Hello to all. I'm wondering why the following isn't hitting more rules:
Return-Path: [EMAIL PROTECTED]
Received: from braunconsult.com (216-130-126-2.cimcoisp.net [216.130.126.2] (may be forged)) by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with SMTP id k6QG52CZ028664 for [EMAIL PROTECTED]; Wed, 26 Jul 2006 12:05:02 -0400
Message-ID: [EMAIL PROTECTED]
Reply-To: Janele Kinyon [EMAIL PROTECTED]
From: Janele Kinyon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: {Spam?} Re: qutugVjlAGRA
Date: Wed, 26 Jul 2006 09:01:21 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C6B092.10472690
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to: [EMAIL PROTECTED]
X-First1-MailScanner-Information: Please contact First 1 Financial Corporation for more information
X-First1-MailScanner: Found to be clean
X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached, score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13, HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
X-First1-MailScanner-SpamScore: sss
X-MailScanner-From: [EMAIL PROTECTED]
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
CIjALIlS from 3 , 75 $ VlljAGRA from 3 , 35 $ AMjBlIEN VAjLIlUM from 1 , 25 $
I'm using the following rules in my setup: TRIPWIRE SARE_RANDOM BOGUSVIRUS SARE_EVILNUMBERS0 SARE_SPOOF SARE_BAYES_POISON_NXM SARE_SPECIFIC SARE_ADULT SARE_UNSUB SARE_URI0 SARE_GENLSUBJ0 SARE_WHITELIST_RCVD SARE_WHITELIST_SPF SARE_REDIRECT_POST300 SARE_FRAUD SARE_HEADER0 SARE_BML SARE_OEM SARE_OBFU along with Bayes, DCC, Razor, and Pyzor. Forgive my ignorance, but I would think that this would trip more rules. I seem to be getting an increasing number of obvious spam which only hit bayes, DCC and/or Razor and/or Pyzor, and RBLs (and, of course, I'm grateful for that!). Few, if any, other rules are hit. Running spamassassin -D --lint shows all of my rules being read, and throws no errors. Oh, yeah, this is a CentOS 3.7 box, running sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1, clamav-0.88.3, and mailscanner-4.54.6-1. Thanks. Dimitri
Dimitri here's what hit with me on my SA 3.1.3 with lots of extra SARE etc rules..
Content analysis details: (28.5 points, 5.0 required)
pts rule name description
2.5 MISSING_HB_SEP Missing blank line between message header and body
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
3.7 FB_VIAGRA_LEO3 BODY: FB_VIAGRA_LEO3
0.6 J_CHICKENPOX_33 BODY: {3}Letter - punctuation - {3}Letter
3.3 FB_CIALIS_LEO3 BODY: FB_CIALIS_LEO3
2.7 FB_VALIUM_LEO3 BODY: FB_VALIUM_LEO3
0.9 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95% [score: 0.8279]
1.8 MISSING_SUBJECT Missing Subject: header
5.9 HELO_LEO_PILLS HELO_LEO_PILLS
0.3 SARE_URI_CONS7 body contains link to probable spammer
0.1 TO_CC_NONE No To: or Cc: header
2.5 FM_NO_FROM_OR_TO FM_NO_FROM_OR_TO
0.5 FM_NO_TO FM_NO_TO
1.1 FM_MULTI_ODD2 FM_MULTI_ODD2
0.7 FM_MULTI_ODD3 FM_MULTI_ODD3
Martin, What rules are you using that I'm not? Your results are much more what I have in mind for my setup.
Looks like he is using some unofficial SARE rules. http://rulesemporium.com/rules/99_FVGT_meta.cf http://www.rulesemporium.com/rules/88_FVGT_body.cf
Re: Should this hit more rules?
Dimitri Yioulos wrote: On Wednesday July 26 2006 2:10 pm, Stuart Johnston wrote: Dimitri Yioulos wrote: On Wednesday July 26 2006 12:57 pm, Martin Hepworth wrote: Dimitri Yioulos wrote: Hello to all. I'm wondering why the following isn't hitting more rules:
Return-Path: [EMAIL PROTECTED]
Received: from braunconsult.com (216-130-126-2.cimcoisp.net [216.130.126.2] (may be forged)) by mail1.firstbhph.com (8.12.11.20060308/8.12.11) with SMTP id k6QG52CZ028664 for [EMAIL PROTECTED]; Wed, 26 Jul 2006 12:05:02 -0400
Message-ID: [EMAIL PROTECTED]
Reply-To: Janele Kinyon [EMAIL PROTECTED]
From: Janele Kinyon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: {Spam?} Re: qutugVjlAGRA
Date: Wed, 26 Jul 2006 09:01:21 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0001_01C6B092.10472690
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Synonym: Copied by Synonym (http://www.modulo.ro/synonym) to: [EMAIL PROTECTED]
X-First1-MailScanner-Information: Please contact First 1 Financial Corporation for more information
X-First1-MailScanner: Found to be clean
X-First1-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached, score=7.414, required 6, BAYES_99 3.50, HTML_50_60 0.13, HTML_MESSAGE 0.00, URIBL_SBL 1.64, URIBL_WS_SURBL 2.14)
X-First1-MailScanner-SpamScore: sss
X-MailScanner-From: [EMAIL PROTECTED]
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
CIjALIlS from 3 , 75 $ VlljAGRA from 3 , 35 $ AMjBlIEN VAjLIlUM from 1 , 25 $
I'm using the following rules in my setup: TRIPWIRE SARE_RANDOM BOGUSVIRUS SARE_EVILNUMBERS0 SARE_SPOOF SARE_BAYES_POISON_NXM SARE_SPECIFIC SARE_ADULT SARE_UNSUB SARE_URI0 SARE_GENLSUBJ0 SARE_WHITELIST_RCVD SARE_WHITELIST_SPF SARE_REDIRECT_POST300 SARE_FRAUD SARE_HEADER0 SARE_BML SARE_OEM SARE_OBFU along with Bayes, DCC, Razor, and Pyzor.
Forgive my ignorance, but I would think that this would trip more rules. I seem to be getting an increasing number of obvious spam which only hit bayes, DCC and/or Razor and/or Pyzor, and RBLs (and, of course, I'm grateful for that!). Few, if any, other rules are hit. Running spamassassin -D --lint shows all of my rules being read, and throws no errors. Oh, yeah, this is a CentOS 3.7 box, running sendmail-8.12.11-4.RHEL3.6, spamassassin-3.0.4-1, clamav-0.88.3, and mailscanner-4.54.6-1. Thanks. Dimitri
Dimitri here's what hit with me on my SA 3.1.3 with lots of extra SARE etc rules..
Content analysis details: (28.5 points, 5.0 required)
pts rule name description
2.5 MISSING_HB_SEP Missing blank line between message header and body
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
3.7 FB_VIAGRA_LEO3 BODY: FB_VIAGRA_LEO3
0.6 J_CHICKENPOX_33 BODY: {3}Letter - punctuation - {3}Letter
3.3 FB_CIALIS_LEO3 BODY: FB_CIALIS_LEO3
2.7 FB_VALIUM_LEO3 BODY: FB_VALIUM_LEO3
0.9 URI_NOVOWEL URI: URI hostname has long non-vowel sequence
2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95% [score: 0.8279]
1.8 MISSING_SUBJECT Missing Subject: header
5.9 HELO_LEO_PILLS HELO_LEO_PILLS
0.3 SARE_URI_CONS7 body contains link to probable spammer
0.1 TO_CC_NONE No To: or Cc: header
2.5 FM_NO_FROM_OR_TO FM_NO_FROM_OR_TO
0.5 FM_NO_TO FM_NO_TO
1.1 FM_MULTI_ODD2 FM_MULTI_ODD2
0.7 FM_MULTI_ODD3 FM_MULTI_ODD3
Martin, What rules are you using that I'm not? Your results are much more what I have in mind for my setup.
Looks like he is using some unofficial SARE rules. http://rulesemporium.com/rules/99_FVGT_meta.cf http://www.rulesemporium.com/rules/88_FVGT_body.cf
I'll try 'em. Are those the only rules that contribute to Martin's score, other than the ones I already have?
I believe that all of the FM and FB rules are from those files. You can easily search for the others.
This is curious, too - URI_NOVOWEL is tripped in his setup, but not on mine (I know that this is installed on my system). Why would that be? Since the sample you attached is not really scannable and does not actually include any urls, I would guess that he probably used a sample from his own mail system that had a different url. Differences could also be caused by the fact that you are using a version of SA that is (essentially) nearly 2 years old.
dns?.name-services.com - uridnsbl without the bl
It seems like for the vast majority of spam that gets through my system with a url in it, the name server is one of name-services.com. Is there any way to create a rule that checks a url's name server against a static list? Like uridnsbl without the bl?
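One way to build the "static list instead of a blocklist" check asked about above, as an added example that is not from the thread or from SpamAssassin: pull URL hostnames out of a body, look up the NS records of each registrable domain, and flag domains whose name servers end in a watched suffix. The NS lookup goes through an injectable resolver function so the example runs offline; the `OFFLINE_NS` table, the `.test` domain and the two-label domain reduction are constructed assumptions, and a live version would swap in something like dnspython's `dns.resolver.resolve(domain, "NS")` (assumed available). The only real suffix on the list, name-services.com, is the one the post names.

```python
"""Flag URL domains served by name servers on a static watch list.

Added example, not from the thread or from SpamAssassin.  NS lookups go
through an injectable resolver so the code runs offline; OFFLINE_NS is a
constructed stand-in for real DNS answers.
"""
import re
from urllib.parse import urlsplit

# Static list of name-server suffixes to watch.  name-services.com is the
# one the post names; anything else you add here is your own policy.
NS_WATCHLIST = ("name-services.com",)

# Constructed DNS answers for the offline run: registrable domain -> NS names.
OFFLINE_NS = {
    "pills-example.test": {"dns1.name-services.com", "dns2.name-services.com"},
    "example.org": {"a0.org.afilias-nst.info"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Keep the last two labels (an assumption for the example; real code
    should consult a public-suffix list so that e.g. co.uk is handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def offline_resolver(domain):
    """Stand-in for a live NS lookup, e.g. dnspython's
    dns.resolver.resolve(domain, "NS") (assumed available in production)."""
    return OFFLINE_NS.get(domain, set())


def watched_nameservers(domain, resolver=offline_resolver):
    """Return the subset of `domain`'s name servers that end in a watched suffix."""
    hits = set()
    for ns in resolver(domain):
        ns = ns.lower().rstrip(".")
        if any(ns == sfx or ns.endswith("." + sfx) for sfx in NS_WATCHLIST):
            hits.add(ns)
    return hits


def scan_body(body, resolver=offline_resolver):
    """Map each URL domain in `body` that is served by a watched name server to
    the sorted list of matching servers.  Bare-IP URLs have no NS to check."""
    result = {}
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if not host or re.fullmatch(r"[\d.]+", host):
            continue
        domain = registrable_domain(host)
        if domain in result:
            continue
        hits = watched_nameservers(domain, resolver)
        if hits:
            result[domain] = sorted(hits)
    return result


if __name__ == "__main__":
    sample = ("Order at http://www.pills-example.test/buy?x=1 or see "
              "http://example.org/faq and http://10.0.0.1/x")   # constructed body
    print(scan_body(sample))
```

Like uridnsbl, this costs one DNS round trip per distinct domain per message, so a production version wants the same caching and timeout handling the real plugin has; scoring the hit low and letting it combine with other rules is the safer default, since legitimate senders also use large DNS providers.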
Re: exim4 + forwarding + spamassassin
Your first scan is running as nobody (that's bad) but the second is running as szinski. That would explain the BAYES_99. I'm not sure about the FORGED_RCVD_HELO and HTML_50_60 though.
Zinski, Steve wrote: I need some help trying to figure out why spamassassin scores the same message differently. I am using an ACL with exim4 to scan email during the actual smtp connection (so I can reject spam before my server accepts it). It's pretty straightforward. My ACL looks like this:
  # Reject messages with a SpamAssassin score > 7
  deny message = Rejected: Flagged as spam ($spam_score).
       spam = nobody:true
       condition = ${if >{$spam_score_int}{70}{1}{0}}
Everything works just fine for mail destined to local accounts, but there seems to be a discrepancy in spamassassin when mail is delivered to a forwarded account (the forwarder directs mail to another local account; i.e., [EMAIL PROTECTED] -- [EMAIL PROTECTED]). What happens is that spamassassin scores the message low (non-spam) when it accepts it from the Internet, but then scores it higher (as spam) when the message is rerouted to the local mailbox. Here is a snippet from maillog that illustrates this:
Jul 26 07:58:20 vps spamd[7361]: spamd: connection from localhost [127.0.0.1] at port 56458
Jul 26 07:58:20 vps spamd[7361]: spamd: setuid to nobody succeeded
Jul 26 07:58:20 vps spamd[7361]: spamd: checking message [EMAIL PROTECTED] for nobody:99
Jul 26 07:58:20 vps spamd[7361]: spamd: clean message (2.6/5.0) for nobody:99 in 0.1 seconds, 2230 bytes.
Jul 26 07:58:20 vps spamd[7361]: spamd: result: . 2 - HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL scantime=0.1,size=2230,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56458,mid=[EMAIL PROTECTED] 8,autolearn=no
Jul 26 07:58:20 vps spamd[26587]: prefork: child states: II
Jul 26 07:58:21 vps spamd[7361]: spamd: connection from localhost [127.0.0.1] at port 56459
Jul 26 07:58:21 vps spamd[7361]: spamd: setuid to szinski succeeded
Jul 26 07:58:21 vps spamd[7361]: spamd: processing message [EMAIL PROTECTED] for szinski:503
Jul 26 07:58:21 vps spamd[7361]: spamd: identified spam (7.5/5.0) for szinski:503 in 0.6 seconds, 2183 bytes.
Jul 26 07:58:21 vps spamd[7361]: spamd: result: Y 7 - BAYES_99,FORGED_RCVD_HELO,HTML_50_60,HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL scantime=0.6,size=2183,user=szinski,uid=503,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56459,mid=[EMAIL PROTECTED] hn8,bayes=0.97051713734,autolearn=no
As you can see, during the initial smtp pass (accepting from remote host) the message is deemed clean with a score of 2.6. Then, when the same message is delivered to the local account, it's identified as spam with a score of 7.5. Unfortunately, my ACL only kicks in during the first pass so the message gets accepted and delivered instead of rejected. Anyone know what I might be doing wrong here? Any help would be greatly appreciated. Steve Zinski University of Richmond
Re: traveling user unable to email
Jean-Paul Natola wrote: Hi all I have a user that is now in Africa and she is unable to send to any external user using outlook , and when attempting to use Eudora she gets a your message scored 6.7 points I have whitelisted her in my local.cf but Eudora still gives her the message congratulations blah blah blah This is what I'm not following
1.9 FORGED_MUA_EUDORA Forged mail pretending to be from Eudora
1.7 INVALID_MSGID Message-Id is not valid, according to RFC 2822
And here are the headers
Message-Id: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED] (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0
Date: Mon, 24 Jul 2006 12:16:49 -040
It is probably that space at the end of the message id (between the 4 and ). That really should be there. Is Eudora really putting a space in the message id or is something munging it along the way?
I see why my whitelisting doesn't work as I have whitelisted her email address [EMAIL PROTECTED] [EMAIL PROTECTED] now in case you are wondering ekb is her windows login on the laptop, but the eudora and outlook are set to ebrazier
I doubt that the whitelisting has anything to do with the X-Sender.
So Forged MUA appears to be due to the fact that something is registering her as ekb not ebrazier but what is the invalidity in the MSGID?
Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
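The INVALID_MSGID hit discussed above comes down to whitespace inside the Message-Id. As an added example (not SpamAssassin's rule), here is a small checker that unfolds the header out of a raw header block and reports every reason a value fails the RFC 2822 msg-id shape, so the stray space is named rather than just scored. The sample header block is constructed to mirror the one in the post, with a space before the closing bracket; the addresses in it are placeholders.

```python
"""Report why a Message-ID header fails the RFC 2822 msg-id shape.

Added example, not SpamAssassin's INVALID_MSGID rule.  SAMPLE_HEADERS is
constructed after the post: the msg-id carries a stray space before '>'.
"""
import re

# Simplified msg-id grammar: '<' id-left '@' id-right '>' with no whitespace
# and no second '@' or bracket inside.
MSGID_RE = re.compile(r"^<[^\s<>@]+@[^\s<>@]+>$")

SAMPLE_HEADERS = (
    "Message-Id: <6.0.3.0.2.20060724121649.01b7e4a0@laptop.example >\n"  # constructed
    "X-Sender: ekb@laptop.example (Unverified)\n"                          # placeholder
    "X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0\n"
    "Date: Mon, 24 Jul 2006 12:16:49 -0400\n"
)


def header_value(raw_headers, name):
    """Return the unfolded value of the first `name:` header, or None.
    Only the whitespace right after the colon is removed, so a stray space
    inside the value survives for inspection."""
    lines = raw_headers.splitlines()
    for i, line in enumerate(lines):
        if line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].lstrip()
            for cont in lines[i + 1:]:
                if cont[:1] in (" ", "\t"):
                    value += " " + cont.strip()
                else:
                    break
            return value
    return None


def msgid_problems(raw_value):
    """List the reasons `raw_value` is not a valid msg-id (empty list = ok)."""
    problems = []
    v = raw_value.strip()
    bracketed = len(v) >= 2 and v.startswith("<") and v.endswith(">")
    if not bracketed:
        problems.append("msg-id must be enclosed in <...>")
    inner = v[1:-1] if bracketed else v
    if re.search(r"\s", inner):
        problems.append("whitespace inside the msg-id")
    if inner.count("@") != 1:
        problems.append("expected exactly one '@' in the msg-id")
    if not problems and not MSGID_RE.match(v):
        problems.append("does not match the msg-id grammar")
    return problems


def check_headers(raw_headers):
    """Run the check on a raw header block; a missing header is reported too."""
    value = header_value(raw_headers, "Message-ID")
    if value is None:
        return ["no Message-ID header"]
    return msgid_problems(value)


if __name__ == "__main__":
    print(check_headers(SAMPLE_HEADERS))
```

Running it against a message captured at the MTA, rather than from the sending client, is what tells you whether the client or a relay in between added the space, which is the open question in the thread.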
Re: traveling user unable to email
Jean-Paul Natola wrote: I'm really getting frustrated here I whitelisted all her email addresses and aliases
whitelist_from_rcvd [EMAIL PROTECTED] fcimail.org
whitelist_from_rcvd [EMAIL PROTECTED] familycareintl.org
whitelist_from_rcvd [EMAIL PROTECTED] fcimail.org
whitelist_from_rcvd [EMAIL PROTECTED] familycareintl.org
whitelist_from_rcvd [EMAIL PROTECTED] 68.167.21.154
and she just got rejected again is this not the correct way to whitelist this is the local.cf in /usr/local/etc/mail/spamassassin And I did run --lint as well as restart spamd
If you could give us the full headers of a message we would be more likely to be able to tell you why this isn't working.
Re: traveling user unable to email
Jean-Paul Natola wrote: -Original Message- From: Stuart Johnston [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 25, 2006 4:19 PM To: Jean-Paul Natola Cc: users@spamassassin.apache.org Subject: Re: traveling user unable to email
Jean-Paul Natola wrote: I'm really getting frustrated here I whitelisted all her email addresses and aliases
whitelist_from_rcvd [EMAIL PROTECTED] fcimail.org
whitelist_from_rcvd [EMAIL PROTECTED] familycareintl.org
whitelist_from_rcvd [EMAIL PROTECTED] fcimail.org
whitelist_from_rcvd [EMAIL PROTECTED] familycareintl.org
whitelist_from_rcvd [EMAIL PROTECTED] 68.167.21.154
and she just got rejected again is this not the correct way to whitelist this is the local.cf in /usr/local/etc/mail/spamassassin And I did run --lint as well as restart spamd
If you could give us the full headers of a message we would be more likely to be able to tell you why this isn't working.
F=[EMAIL PROTECTED] rejected after DATA: This message scored 8.8 points. Congratulations!
Envelope-from: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
P Received: from [196.201.130.183] (helo=anglo-t22yp.familycareintl.org) by mail.familycareintl.org with esmtp (Exim 4.60 (FreeBSD)) (envelope-from [EMAIL PROTECTED]) id 1G5T2J-000Eja-2T for [EMAIL PROTECTED]; Tue, 25 Jul 2006 15:57:50 -0400
I
Ok, here is the problem. The message is coming from 196.201.130.183 but your whitelist_from_rcvd is requiring it to come from familycareintl.org. You could do simply: whitelist_from [EMAIL PROTECTED] But that would of course be abusable. A better option would probably involve SMTP-Auth.
Re: traveling user unable to email
Jean-Paul Natola wrote: -Original Message- From: Stuart Johnston [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 25, 2006 4:53 PM To: Jean-Paul Natola Cc: users@spamassassin.apache.org Subject: Re: traveling user unable to email
Jean-Paul Natola wrote: -Original Message- From: Stuart Johnston [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 25, 2006 4:19 PM To: Jean-Paul Natola Cc: users@spamassassin.apache.org Subject: Re: traveling user unable to email
Jean-Paul Natola wrote: I'm really getting frustrated here I whitelisted all her email addresses and aliases
whitelist_from_rcvd [EMAIL PROTECTED] fcimail.org
whitelist_from_rcvd [EMAIL PROTECTED] familycareintl.org
whitelist_from_rcvd [EMAIL PROTECTED] fcimail.org
whitelist_from_rcvd [EMAIL PROTECTED] familycareintl.org
whitelist_from_rcvd [EMAIL PROTECTED] 68.167.21.154
and she just got rejected again is this not the correct way to whitelist this is the local.cf in /usr/local/etc/mail/spamassassin And I did run --lint as well as restart spamd
If you could give us the full headers of a message we would be more likely to be able to tell you why this isn't working.
F=[EMAIL PROTECTED] rejected after DATA: This message scored 8.8 points. Congratulations!
Envelope-from: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
P Received: from [196.201.130.183] (helo=anglo-t22yp.familycareintl.org) by mail.familycareintl.org with esmtp (Exim 4.60 (FreeBSD)) (envelope-from [EMAIL PROTECTED]) id 1G5T2J-000Eja-2T for [EMAIL PROTECTED]; Tue, 25 Jul 2006 15:57:50 -0400
I
Ok, here is the problem. The message is coming from 196.201.130.183 but your whitelist_from_rcvd is requiring it to come from familycareintl.org. You could do simply: whitelist_from [EMAIL PROTECTED] But that would of course be abusable. A better option would probably involve SMTP-Auth.
So I should remove the _rcvd from my current lists?
whitelist_from_rcvd [EMAIL PROTECTED] fcimail.org
whitelist_from_rcvd [EMAIL PROTECTED] familycareintl.org
This is only temporary till I implement the auth
Remove the received and the server:
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
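The two diagnoses above, reading the Received: chain from the bottom up to find the host that actually handed the message over (the "Re: spam" thread) and whitelist_from_rcvd requiring that host to match before the From address is trusted (this thread), are one piece of logic. As an added example that is not SpamAssassin's own header parser or whitelist code: a Received: parser for the Postfix and Exim line shapes seen in these threads, a trusted-IP walk to the first external hop, and a whitelist_from_rcvd style match that shows why the roaming user's entry cannot fire while the HELO name alone proves nothing. The header blocks are constructed after the ones posted, `TRUSTED_IPS` and the whitelist entries are assumptions, and every mailbox address is a placeholder.

```python
"""Walk the Received: chain newest-first to the first hop outside our own
hosts, then apply a whitelist_from_rcvd style match against that hop.

Added example, not SpamAssassin's header parser or whitelist code.  Header
blocks are constructed after the 'Re: spam' and 'traveling user' posts;
TRUSTED_IPS, the whitelist entries and all mailbox addresses are assumed.
"""
import fnmatch
import re

# Constructed after the Postfix/amavisd chain in 'Re: spam'.
SAMPLE_POSTFIX = (
    "Received: from localhost (localhost.airbornedatalink.com [127.0.0.1])\n"
    "\tby adlsrv4.airbornedatalink.com (Postfix) with ESMTP id 19D3A34004\n"
    "\tfor <tom@airbornedatalink.com>; Wed, 26 Jul 2006 10:41:52 -0500 (CDT)\n"
    "Received: from adlsrv4.airbornedatalink.com ([127.0.0.1])\n"
    "\tby localhost (adlsrv4.airbornedatalink.com [127.0.0.1]) (amavisd-new, port 10024)\n"
    "\twith ESMTP id 63sUVcMA5Y1h for <tom@airbornedatalink.com>\n"
    "Received: from burkeauto.com (pro75-3-82-234-174-1.fbx.proxad.net [82.234.174.1])\n"
    "\tby adlsrv4.airbornedatalink.com (Postfix) with SMTP id 402AB34001\n"
    "\tfor <tom@airbornedatalink.com>; Wed, 26 Jul 2006 10:41:47 -0500 (CDT)\n"
    "From: Wojciech Doucette <wd@burkeauto.com>\n"
)

# Constructed after the Exim line in 'traveling user unable to email'.
SAMPLE_EXIM = (
    "Received: from [196.201.130.183] (helo=anglo-t22yp.familycareintl.org)\n"
    "\tby mail.familycareintl.org with esmtp (Exim 4.60 (FreeBSD))\n"
    "\t(envelope-from <ebrazier@familycareintl.org>) id 1G5T2J-000Eja-2T\n"
    "\tfor <rcpt@example.invalid>; Tue, 25 Jul 2006 15:57:50 -0400\n"
    "From: ebrazier@familycareintl.org\n"
)

TRUSTED_IPS = {"127.0.0.1", "::1"}   # assumption: only the scanning host itself


def received_headers(raw_headers):
    """Unfolded values of every Received: header, newest (topmost) first."""
    values, current = [], None
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            current += " " + line.strip()
            continue
        if current is not None:
            values.append(current)
            current = None
        if line.lower().startswith("received:"):
            current = line.split(":", 1)[1].strip()
    if current is not None:
        values.append(current)
    return values


def parse_received(value):
    """Pull helo, rdns, ip and receiving host out of one Received: value.
    Handles 'from HELO (RDNS [IP])' (Postfix/sendmail) and 'from [IP]
    (helo=HELO)' (Exim); fields that are not present stay None."""
    hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    m = re.match(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*(.*)", value, re.DOTALL)
    if not m:
        return hop
    first, paren, rest = m.group(1), m.group(2) or "", m.group(3)
    ipm = re.search(r"\[([0-9a-fA-F.:]+)\]", first + " " + paren)
    hop["ip"] = ipm.group(1) if ipm else None
    if first.startswith("["):                     # Exim style
        hm = re.search(r"helo=(\S+)", paren)
        hop["helo"] = hm.group(1) if hm else None
    else:                                         # Postfix/sendmail style
        hop["helo"] = first
        rm = re.match(r"\s*([^\s\[\]()]+)\s*\[", paren)
        hop["rdns"] = rm.group(1) if rm else None
    bm = re.search(r"\bby\s+(\S+)", rest)
    hop["by"] = bm.group(1) if bm else None
    return hop


def first_external_hop(raw_headers, trusted_ips=TRUSTED_IPS):
    """The hop that handed the message to us: newest-first, the first whose
    source IP is not ours.  Its HELO is what the client claimed; the IP and
    the rDNS in parentheses are what our own MTA recorded."""
    for value in received_headers(raw_headers):
        hop = parse_received(value)
        if hop["ip"] not in trusted_ips:
            return hop
    return None


def whitelist_from_rcvd_match(entries, from_addr, hop):
    """whitelist_from_rcvd semantics: the From address must match the glob AND
    the external hop's rDNS (or IP) must match the second field.  Dropping
    the second test gives plain whitelist_from, which a forged From satisfies."""
    from_addr = from_addr.lower()
    rdns = (hop.get("rdns") or "").lower()
    for addr_glob, relay in entries:
        if not fnmatch.fnmatchcase(from_addr, addr_glob.lower()):
            continue
        relay = relay.lower()
        if hop.get("ip") == relay or rdns == relay or rdns.endswith("." + relay):
            return (addr_glob, relay)
    return None


if __name__ == "__main__":
    print(first_external_hop(SAMPLE_POSTFIX))
    hop = first_external_hop(SAMPLE_EXIM)
    print(hop, whitelist_from_rcvd_match([("ebrazier@familycareintl.org", "familycareintl.org")], "ebrazier@familycareintl.org", hop))
    print(whitelist_from_rcvd_match([("ebrazier@familycareintl.org", "196.201.130.183")], "ebrazier@familycareintl.org", hop))
```

The Exim hop has no rDNS field at all, only the client IP and its claimed HELO, so a whitelist_from_rcvd entry naming familycareintl.org can never match it; an entry naming the current IP does, but that changes every time the user moves, which is why the reply points at SMTP AUTH instead.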
Re: Bug in sa-learn (Debian :3.0.3-2sarge1)
This is just a warning that you can ignore. If it bothers you, the best solution would be to upgrade to 3.1.3. Alternately, you could try this on your lib/Mail/SpamAssassin/HTML.pm: 182c182,189 $hp-parse(pack ('C0A*', $text)); --- { local $SIG{__WARN__} = sub { warn @_ unless (defined $_[0] $_[0] =~ /^Parsing of undecoded UTF-/); }; $hp-parse(pack ('C0A*', $text)); } I don't know if this will apply cleanly to your Debian version, though. If not, you should probably be able to edit it manually. Johann Spies wrote: I have found this in the archives, but I did not find a solution yet. On a mailserver that I have upgraded to Debian Sarge, the following warning appears when I am running sa-learn: Parsing of undecoded UTF-8 will give garbage when decoding entities at /usr/share/perl5/Mail/SpamAssassin/HTML.pm line 182. I have found the following patch but it does not apply successfully using patch: --- lib/Mail/SpamAssassin/HTML.pm (revision 178588) +++ lib/Mail/SpamAssassin/HTML.pm (working copy) @@ -107,6 +107,15 @@ ], marked_sections = 1); + # enable UTF-8 mode, + # http://search.cpan.org/~gaas/HTML-Parser-3.45/Parser.pm#$p-%3Eutf8_mode , + # if we're running perl 5.8 and HTML::Parser supports it. bug 4046. + if ($] = 5.008 $self-can(utf8_mode)) { +if (!eval { $self-utf8_mode(); 1; }) { + dbg (html: failed to enable UTF-8 mode (perl ver $] h:p ver $HTML::Parser::VERSION)); +} + } + $self; } How do I solve this? Regards Johann
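Review bot: in the `182c182,189` diff above, the replacement line `warn @_ unless (defined $_[0] $_[0] =~ /^Parsing of undecoded UTF-/);` has two operands with no operator between them, and `$hp-parse(pack ('C0A*', $text));` is missing the method arrow, so the snippet will not compile as shown; the `&&` and `->` look stripped in transit and need restoring by hand (`defined $_[0] && $_[0] =~ ...` and `$hp->parse(...)`). Note also that the `local $SIG{__WARN__}` wrapper only silences HTML::Parser's warning for that one call and does not change how undecoded UTF-8 is handled, which is why the upgrade to 3.1.3 named in the same reply is the better fix.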
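Review bot: the condition `if ($] = 5.008 $self-can(utf8_mode))` in the quoted `@@ -107,6 +107,15 @@` hunk is not valid Perl as shown: `=` would be an assignment to the read-only `$]`, nothing joins the two tests, and `$self-can(utf8_mode)` has neither the method arrow nor quotes around the method name; `dbg (html: failed to enable UTF-8 mode ...)` has likewise lost the quotes around its string. Anyone applying this by hand should restore `$] >= 5.008 && $self->can('utf8_mode')` and quote the `dbg` message. Separately, the hunk is cut against revision 178588 of lib/Mail/SpamAssassin/HTML.pm and its context (the HTML::Parser constructor block ending in `marked_sections = 1);`) has to match the Debian 3.0.3-2sarge1 file for `patch` to apply, so if the surrounding lines differ there, editing by hand as the reply suggests is the practical route.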
Re: Problem with exim and spamd set for my own user (fall back to nobody?)
Are you using exiscan? If so, you need something like this in your acl: spam = spamd See for full examples: http://duncanthrax.net/exiscan-acl/exiscan-acl-examples.txt
Giorgio Volpe wrote: I'm running spamassassin SpamAssassin Server version 3.1.1 running on Perl 5.8.8 with SSL support (IO::Socket::SSL 0.97) on a debian with exim 4.62 I've set in /etc/defaults -u spamd (a user I created ...) and correctly I can see:
# ps aux | grep spamd
root 32646 0.1 4.8 28576 24820 ? Ss 19:27 0:00 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -u spamd -d --pidfile=/var/run/spamd/spamd.pid
102 32647 2.5 5.1 30720 26752 ? S 19:27 0:11 spamd child
102 32648 0.0 4.5 28576 23348 ? S 19:27 0:00 spamd child
root 306 0.0 0.1 2348 792 pts/2 S+ 19:35 0:00 grep spamd
But when exim tries to call spamd ... I get:
Jul 14 19:28:01 movi spamd[32647]: spamd: connection from movifvg [127.0.0.1] at port 43554
Jul 14 19:28:01 movi spamd[32647]: spamd: creating default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: config: cannot write to /nonexistent/.spamassassin/user_prefs: No such file or directory
Jul 14 19:28:01 movi spamd[32647]: spamd: failed to create readable default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: mkdir /nonexistent: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:01 movi spamd[32647]: spamd: checking message [EMAIL PROTECTED] for nobody:102 ^
Jul 14 19:28:06 movi spamd[32647]: mkdir /nonexistent: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:06 movi spamd[32647]: locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/auto-whitelist.lock.movi.fvg.it.32647 for /nonexistent/.spamassassin/auto-whitelist.lock: No such file or directory
Jul 14 19:28:06 movi spamd[32647]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/auto-whitelist.lock.movi.fvg.it.32647 for /nonexistent/.spamassassin/auto-whitelist.lock: No such file or directory
Why does it fall back to nobody? (but correctly reporting 102, nobody on my system is 65534) Any hint? thanks Giorgio
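Both spamd problems above, the same message scoring differently for nobody and for the real user (the exim4 + forwarding thread) and scans falling back to nobody with an unwritable home directory (this post), are visible in the spamd log. As an added example, not part of either post or of SpamAssassin, here is a small log analyser that groups spamd result lines by message id and reports per-user score disagreements together with the extra tests the higher-scoring run hit, and separately flags scans run as the fallback user and prefs files that could not be written. The log lines are constructed after the ones posted, with placeholder message ids.

```python
"""Spot two spamd problems in its log: the same message scored differently
under different users, and scans that ran as the fallback user or could not
write their prefs.  Added example, not part of either post or of
SpamAssassin; SAMPLE_LOG is constructed after the lines posted, with
placeholder message ids.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jul 26 07:58:20 vps spamd[7361]: spamd: setuid to nobody succeeded
Jul 26 07:58:20 vps spamd[7361]: spamd: checking message <MSGID-1@example.invalid> for nobody:99
Jul 26 07:58:20 vps spamd[7361]: spamd: result: . 2 - HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL scantime=0.1,size=2230,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56458,mid=<MSGID-1@example.invalid>,autolearn=no
Jul 26 07:58:21 vps spamd[7361]: spamd: setuid to szinski succeeded
Jul 26 07:58:21 vps spamd[7361]: spamd: processing message <MSGID-1@example.invalid> for szinski:503
Jul 26 07:58:21 vps spamd[7361]: spamd: result: Y 7 - BAYES_99,FORGED_RCVD_HELO,HTML_50_60,HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL scantime=0.6,size=2183,user=szinski,uid=503,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56459,mid=<MSGID-1@example.invalid>,bayes=0.97051713734,autolearn=no
Jul 14 19:28:01 movi spamd[32647]: spamd: creating default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: config: cannot write to /nonexistent/.spamassassin/user_prefs: No such file or directory
Jul 14 19:28:01 movi spamd[32647]: spamd: checking message <MSGID-2@example.invalid> for nobody:102
"""

RESULT_RE = re.compile(r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<tests>\S+) (?P<kv>.*)$")
CHECK_RE = re.compile(r"spamd: (?:checking|processing) message (?P<mid>\S+) for (?P<user>[^:\s]+):(?P<uid>\d+)")
PREFS_RE = re.compile(r"(?:cannot write to|failed to create readable default_prefs:) (?P<path>/[^\s:]+)")

FALLBACK_USER = "nobody"   # the name spamd reports when no real user was passed


def parse_log(text):
    """Return (results, fallback_scans, prefs_errors).  results maps message id
    to a list of (user, integer score, set of test names)."""
    results = defaultdict(list)
    fallback_scans, prefs_errors = [], []
    for line in text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            kv = dict(item.split("=", 1) for item in m["kv"].split(",") if "=" in item)
            results[kv.get("mid")].append((kv.get("user"), int(m["score"]), set(m["tests"].split(","))))
            continue
        m = CHECK_RE.search(line)
        if m:
            if m["user"] == FALLBACK_USER:
                fallback_scans.append((m["mid"], int(m["uid"])))
            continue
        m = PREFS_RE.search(line)
        if m:
            prefs_errors.append(m["path"])
    return results, fallback_scans, prefs_errors


def score_discrepancies(results):
    """Messages scanned more than once with different scores, plus the tests
    the higher-scoring run hit that the lower one did not (the reply above
    attributes the posted BAYES_99 difference to the per-user Bayes data)."""
    out = []
    for mid, runs in results.items():
        if len(runs) < 2:
            continue
        low = min(runs, key=lambda r: r[1])
        high = max(runs, key=lambda r: r[1])
        if low[1] != high[1]:
            out.append({"mid": mid, "low": (low[0], low[1]), "high": (high[0], high[1]),
                        "extra_tests": sorted(high[2] - low[2])})
    return out


def analyze(text):
    results, fallback_scans, prefs_errors = parse_log(text)
    return {"discrepancies": score_discrepancies(results),
            "fallback_scans": fallback_scans, "prefs_errors": prefs_errors}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

A scan that is meant to decide an SMTP-time reject should run as one fixed, writable, site-wide user so that the score at DATA time is the score the mailbox will see; a fallback_scans entry whose uid is not the real nobody's (102 versus 65534 in the post) is the sign that the caller passed no user and spamd's home directory is wrong.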
Re: body speedups using new features in perl 5.9.x
Bowie Bailey wrote: [EMAIL PROTECTED] wrote: While I doubt it'd have quite the performance gains that A-C can offer, Regexp::Assemble certainly sounds like something worth trying... the coderef trick, in particular, is very nifty. It can work well. After reading about it here, I tried it on one of my programs that compares about 1600 words and phrases against a document. My scan time dropped by 30%. This doesn't count the time taken to assemble the regex (about .27 seconds), but since this program runs as a daemon and only has to do the assembly once, it wasn't relevant to me. Wouldn't assembling all rules into one regex make it impossible to have per rule scores?
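On the per-rule-scores question raised above: a single assembled regex does not lose rule identity if each alternative is its own named group. As an added example (Python's re module rather than Regexp::Assemble or SpamAssassin; the rules, scores and sample text are constructed), one combined pattern scans the body once and still yields a per-rule hit map and a per-rule-weighted score, and the result is checked against scanning with one regex per rule.

```python
"""One assembled regex, per-rule scores intact.

Added example (Python's re, not Regexp::Assemble or SpamAssassin).  RULES
and the sample text are constructed.
"""
import re

# name -> (pattern, score).  Patterns must not contain capturing groups of
# their own (use (?:...)), since the rule's named group is what is read back.
RULES = {
    "DRUG_VIAGRA": (r"v[i1l]agra", 3.0),
    "DRUG_CIALIS": (r"c[i1l]al[i1l]s", 2.5),
    "FREE_SHOUT":  (r"\bfree!+", 1.0),
    "LOTTERY":     (r"lottery\s+winner", 2.0),
}


def assemble(rules):
    """One alternation with a named group per rule.  Alternation is tried
    left to right, so order rules from most to least specific if two could
    match at the same position."""
    alts = ["(?P<%s>%s)" % (name, pattern) for name, (pattern, _) in rules.items()]
    return re.compile("|".join(alts), re.IGNORECASE)


def scan(text, rules=RULES):
    """Single pass over `text`.  Returns ({rule: hit_count}, score) where each
    rule adds its own score once, however often it matched."""
    combined = assemble(rules)
    hits = {}
    for m in combined.finditer(text):
        name = next(n for n in rules if m.group(n) is not None)
        hits[name] = hits.get(name, 0) + 1
    return hits, round(sum(rules[n][1] for n in hits), 2)


def scan_separately(text, rules=RULES):
    """Reference: one regex per rule, N passes.  Same answer, more work."""
    hits = {}
    for name, (pattern, _) in rules.items():
        n = len(re.findall(pattern, text, re.IGNORECASE))
        if n:
            hits[name] = n
    return hits, round(sum(rules[n][1] for n in hits), 2)


if __name__ == "__main__":
    sample = "Get V1AGRA and cialis FREE!!! You are a lottery winner."   # constructed
    print(scan(sample))
    assert scan(sample) == scan_separately(sample)
```

The cost that does remain is the one the thread mentions: building the combined pattern is paid once, at start-up, which suits a daemon but not a per-message invocation; and because alternation is leftmost rather than longest, two rules that can match at the same offset will only ever credit the first, so overlapping patterns still need care.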
Re: spamassassin and sql
Martin Schiøtz wrote: Hi I'm trying to set up spamassassin with postgres for with bayes_sql, awl_sql, dcc, razor using sql user_pref etc. I have configured the database with:
http://spamassassin.apache.org/full/3.1.x/dist/sql/awl_pg.sql
wget http://spamassassin.apache.org/full/3.1.x/dist/sql/bayes_pg.sql
wget http://spamassassin.apache.org/full/3.1.x/dist/sql/userpref_pg.sql
I'm using: spamassassin-3.1.3 postgresql-8.1.4 I can see that spamd is using the right sql user_pref but I get a lot of postgres encoding errors when scanning mails. From maillog:
Jul 6 04:07:48 BlackPete spamd[4192]: bayes: tok_get: SQL error: ERROR: invalid byte sequence for encoding UTF8: 0xc829
Jul 6 04:07:48 BlackPete spamd[4192]: bayes: _put_token: SQL error: ERROR: invalid byte sequence for encoding UTF8: 0xc829
I guess this has something to do with string-escaping in postgres. How do I solve this problem?
Do you have a line like this in your local.cf? bayes_store_module Mail::SpamAssassin::BayesStore::PgSQL
Re: Dev list on an RBL
Daryl C. W. O'Shea wrote: Chris Santerre wrote: dev@spamassassin.apache.org mailing list Blocked by cbl.abuseat.org Oh noes! :) Both the users@ and dev@ lists use the same servers, so I don't see how you'd have one listed and not the other. Any particular IP that you see listed? I received a warning from ezmlm that 209.237.227.199 was listed. It does not seem to be listed any longer.
Re: Blocking all inline GIF or JPG Images
Matt wrote: 1 - No legit e-mail should have in-line gifs.. they should be attached. I guess I'm missing something. What is the difference between an inline gif and an attached gif?
Re: Blocking all inline GIF or JPG Images
Matt wrote: An inline gif is INLINE with HTML.. an attached GIF is attached to the message and the message is in MIME-text format. HTML does not belong in e-mails. Well, that's easy then. If you want to block all html messages, just score up: HTML_MESSAGE If you want to only hit those with html inline images (attached or remote), use: __HTML_LINK_IMAGE
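To make the HTML_MESSAGE versus __HTML_LINK_IMAGE distinction above concrete, here is an added example (not SpamAssassin's rules) that walks a MIME message, pulls the `<img src=...>` references out of its text/html parts, and separates remote images, images embedded through `cid:` references to attached parts, and image parts that are merely attached with no HTML reference, which is the "attached GIF in a plain-text message" case the thread contrasts. Both sample messages are built inline with Python's email library; the addresses and filenames are placeholders.

```python
"""Separate remote images, cid:-embedded images and plain image attachments
in a MIME message.  Added example, not SpamAssassin's HTML_MESSAGE or
__HTML_LINK_IMAGE rules; both sample messages are constructed inline with
placeholder addresses and filenames.
"""
import email
import re
from email import policy
from email.message import EmailMessage

IMG_SRC_RE = re.compile(r"<img\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def build_html_sample():
    """multipart/alternative whose HTML branch is multipart/related: one
    remote tracking image and one image embedded through a cid: reference."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    msg.set_content("text alternative")
    msg.add_alternative(
        '<html><body><img src="http://tracker.example.invalid/pixel.gif">'
        '<img src="cid:logo123"></body></html>', subtype="html")
    html_part = msg.get_payload()[1]
    html_part.add_related(b"GIF89a...", maintype="image", subtype="gif", cid="<logo123>")
    return msg.as_bytes()


def build_plain_sample():
    """text/plain with an image attached and no HTML at all."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "photo"
    msg.set_content("see attached")
    msg.add_attachment(b"GIF89a...", maintype="image", subtype="gif", filename="photo.gif")
    return msg.as_bytes()


def classify_images(raw_bytes):
    """Which images the HTML references (remote URLs, cid: parts) and which
    image parts are only attached."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    remote, referenced = [], set()
    has_html = False
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            has_html = True
            for src in IMG_SRC_RE.findall(part.get_content()):
                if src.lower().startswith("cid:"):
                    referenced.add(src[4:].strip("<>"))
                else:
                    remote.append(src)
    inline_cid, attached_only = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            cid = (part.get("Content-ID") or "").strip("<>")
            label = part.get_filename() or cid or "(unnamed)"
            (inline_cid if cid and cid in referenced else attached_only).append(label)
    return {"has_html": has_html, "remote": remote,
            "inline_cid": inline_cid, "attached_only": attached_only}


def rule_like_hits(raw_bytes):
    """Approximation of the two rules named in the reply: HTML_MESSAGE for any
    HTML part, __HTML_LINK_IMAGE for any <img> reference inside it."""
    info = classify_images(raw_bytes)
    hits = set()
    if info["has_html"]:
        hits.add("HTML_MESSAGE")
    if info["remote"] or info["inline_cid"]:
        hits.add("__HTML_LINK_IMAGE")
    return hits


if __name__ == "__main__":
    print(classify_images(build_html_sample()), rule_like_hits(build_html_sample()))
    print(classify_images(build_plain_sample()), rule_like_hits(build_plain_sample()))
```

Remote image references are the ones worth treating differently from the rest: fetching them reveals that a mailbox is live, so a filter can score them on their own while leaving cid: images, which the client renders from the message itself, to the HTML_MESSAGE score.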
Re: Start it up
Brian Hamlin wrote: I am putting along with Perl. I just wrote a script that loops through my mail, reads a msg, sends it to SA, then writes it out to a new mbox. When it is done, it copies the new mbox into the system one.
* horribly slow
* will miss mails
* maybe I made more mistakes
but it is better than the alternative at the moment ideas still welcome. -Brian ps- yes, I am just a user here.. If I had something very specific to ask an admin, maybe I could get them to do it for me.. I am not sure what that might be in terms of the filter account, but I appreciate the cycles...
Normally, you would run a new message through SA before it gets to your mailbox. If you need to do this at the user level (rather than in the MTA) the common method is with procmail: http://wiki.apache.org/spamassassin/UsedViaProcmail You can pass a whole mailbox to spamassassin with the --mbox option but you are still going to have the problem of overwriting an active mailbox file and possibly losing mail. Procmail would be a better way to go for future mail.
Re: How to avoid MSGID_DOLLARS, PRIORITY_NO_NAME, RATWARE_OUTLOOK _NONAME
markwolk wrote: Thanks for giving me the benefit of the doubt. I am by no means a spammer; I send an average of 40 mails a day, most replies to enquiries and regular day-to-day correspondence. Worrying about being mistaken for a spammer is more than watchmaker's perfectionism when I see that the spam scores of messages I sent from myself to myself as a test are around 5.8, whereas the default threshold on Mailsnare is 7. That means my mails (replies to enquiries - not spam!) are very close to being mistaken for spam - a worrying possibility given that my average sale is ca $35,000. I use mailsnare.net and runbox.com services to send and receive my messages. My domains have a catchall that redirects (forwards) at DNS level (dnspark.net is my DNS host) all mails to my Mailsnare and Runbox boxes. I have performed tests sending emails from one of my domains using OE6, either by Mailsnare or Runbox SMTP, to another of my domains. Messages received by Mailsnare arrive with the following X-Spam-Status: No, hits=5.892 tagged_above=3 required=9 tests=BAYES_00, MSGID_DOLLARS, PRIORITY_NO_NAME, RATWARE_OUTLOOK_NONAME, SPF_PASS Messages received by Runbox arrive with the following X-Spam-Status: No, score=4.3 required=5.0 tests=MSGID_DOLLARS, PRIORITY_NO_NAME autolearn=disabled version=3.0.3 I have also tried to send a message via Mailsnare's webmail interface and it scored 0: X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled version=3.0.3 Also messages sent from my domains directly to my Mailsnare and Runbox addresses score 0. So it would seem I have a problem with my Outlook Express or other Explorer settings, which, when used together with mail forward (Mail guiding as called by DNSPark) trigger these Spamassassin filters. I am not really willing to swap OE for another client, but I'd prefer to know how to avoid these potential problems. Any ideas? Looks like something is stripping your X-Mailer header.
Re: Virtual Users
http://www.exim.org/eximwiki/ExiscanExamples#head-962411f515d3c420ace6c0672cd70e91224f4355
David O'Brien wrote: Hello, Thanks for the reply. I am quite new at this. I didn't actually know a lot about spamc. Well I still don't but I have read a little bit about it now. I am calling SpamAssassin from an Exim ACL. I have the following lines uncommented in my exim.conf
  warn spam = nobody
       message = X-Spam_score: $spam_score\n\
                 X-Spam_score_int: $spam_score_int\n\
                 X-Spam_bar: $spam_bar\n\
                 X-Spam_report: $spam_report
I was thinking that I need to change nobody to be the email address of the recipient... however now I am not so sure. I see that that '$local_part' and '$domain' variables are not set in DATA ACL, and this is because you can have multiple recipients to an email. Therefore it is not possible to change nobody to the recipient email address? Is this because an email is only scanned once even if it is going to multiple recipients? If I change nobody to be [EMAIL PROTECTED], then %d and %l do expand correctly in my log file. So I can see that it works, but I don't know how to pass the email address to spamd... So I guess I am a little confused now... 1. It seems logical that you only want to scan an email once, no matter how many people it is sent to. 2. But if you setup user_prefs, doesn't that mean that an email would be scanned once for each user based on their preferences? Tom, I have spamassassin logging to its own log file /var/log/spamassassin I followed the instructions here and it seems to be working ok : http://wiki.apache.org/spamassassin/SeparateLogFile Thanks David.
Re: Another example...
Looks like you have [EMAIL PROTECTED] whitelisted somewhere. That's probably a bad idea. Spam usually uses a spoofed address.

NW7US, Tomas wrote: Here are headers from another example of spam, that is marked STRONGLY as NOT being spam. What is VERY interesting about THIS one, is that it seems to actually be FROM me!!! However, it made its rounds on other servers, first. Is it possible someone is spoofing my email address?? Or, is there a gateway e-mail hole on my server? Here are the headers: (and, I deleted my whitelists, like the auto learn one, etc.)

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on helios.hfradio.org
X-Spam-Level:
X-Spam-Status: No, score=-86.2 required=1.0 tests=HTML_MESSAGE, MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI, MPART_ALT_DIFF,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO, UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL, URIBL_SBL, URIBL_SC_SURBL,URIBL_WS_SURBL, USER_IN_WHITELIST autolearn=no version=3.1.3
Received: from 60.234.111.150 ([60.234.111.150]) by helios.hfradio.org (8.12.11/8.12.11) with ESMTP id k586UPVE019859 for [EMAIL PROTECTED]; Wed, 7 Jun 2006 23:30:28 -0700
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 08 Jun 2006 18:36:11 +1200
Received: from [242.112.30.100] (helo=86678721) by 60.234.111.150 with smtp (Exim 4.60 (FreeBSD)) (envelope-from [EMAIL PROTECTED]) id W3mNJ-2xnyDQA-8Kx for [EMAIL PROTECTED]; Thu, 08 Jun 2006 18:36:11 +1200
Received: from gallery48.freeserve.co.uk (02055232 [17238173668]) by 124.1.211.112 (Qmailv1) with ESMTP id 0FJ2Y8TBN for [EMAIL PROTECTED]; Thu, 08 Jun 2006 17:36:07 +1200
Date: Thu, 08 Jun 2006 17:36:07 +1200
From: Jon R. Pirrello Jr [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.12.00) Personal
X-Priority: 3
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: General health store
X-IMAPbase: 1148015368 4545
Status: O
X-UID: 4545
Content-Length: 11005
X-Keywords:
X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357]
Mime-Version: 1.0
Content-Type: multipart=mixed; b0undaryAVGMAIL-4487C4C83823===

(I changed the last header, in case it might cause a problem... the message has an attachment that contained a virus or trojan.)

I could really use some help in figuring out how to end this sort of activity.

Thanks, 73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )
: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net (Microsoft KB) :
Re: How to handle your domain in received from field
Ronald I. Nutter wrote: I am fighting a situation where two vendors used by my college are sending email out authorized by the college (remote distance learning situations) where the email looks like it came from us because it has our domain name in the from field. I had been using a global blacklist of [EMAIL PROTECTED] but dropped that because of these two cases. I have been looking for a way to allow email to come through for selected addresses but keep a global block in place - none found so far. Is there a way to do what I am trying to accomplish?

Have you tried adding a whitelist entry for those two addresses, after the blacklist? I'm guessing that the whitelist score would cancel out the blacklist score.
Re: Bad quoting
Philip Prindeville wrote: I noticed the following message (well, I'll just put a fragment):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3Dtext/html; =
charset=3Dwindows-1252>
<META content=3DMSHTML 6.00.2900.2670 name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D hspace=3D0=20
src=3Dcid:000e01c68b04$73437a90$41e45853@qop align=3Dbaseline=20
border=3D0><IMG alt=3D hspace=3D0=20
src=3Dcid:000f01c68b04$73437aaa$41e45853@qop align=3Dbaseline=20
border=3D0><IMG alt=3D hspace=3D0=20
src=3Dcid:001001c68b04$73437ac4$41e45853@qop align=3Dbaseline=20
border=3D0><IMG alt=3D hspace=3D0=20
src=3Dcid:001101c68b04$73437ade$41e45853@qop align=3Dbaseline=20
border=3D0><IMG alt=3D hspace=3D0=20
src=3Dcid:001201c68b04$73437af8$41e45853@qop align=3Dbaseline=20
border=3D0></FONT></DIV>

Note that the '=' got escaped as '=3D'; they probably entered the text and their HTML editor escaped it, not figuring it was raw HTML being entered directly...

=3D comes from quoted-printable encoding. HTML messages are often QP encoded.
Re: Stock Spams; aka Pump and Dump part 2
Ben Lentz wrote: Thanks, I'll definitely have to give that KAM ruleset a spin on our system. Any chance you could tell me where that TVD tag is coming from? Is that another SARE rule?

That's from sa-update. (TVD = Theo Van Dinter) If you are worried about sa-update breaking your system, you can run:

sa-update --updatedir /tmp/updates

to download the updates to a temp directory and then copy 80_additional.cf to your local rules directory - that's where the new rules seem to be. I can't promise that won't break something else, though.
Re: Negative lookaround?
Dan wrote: Sick of obfuscation, I'm going to town on spacing and letter variations, with one problem:

body __OBSFU_FRE1a /\bFREE\b/i
body __OBSFU_FRE1b /\bF(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E\b/i
meta __OBSFU_FRE1 (!__OBSFU_FRE1a && __OBSFU_FRE1b)

Every variation includes the whole word: FREE. To exclude the whole word, I created a meta exception but, as you might guess, this also finds the whole word elsewhere in the same message. While it's odd to have one word mangled and another not, spammers do it. I'm told a negative lookaround will solve this problem, but I can't figure out how to do it. Everything I've read relates to neighboring text, not the same text. How do I write a single regex that includes every variation except a single specific one?

Do you mean negative lookahead?

body __OBSFU_FRE1 /(?!FREE)\bF(\s|\s\s|\s\S...
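As an added example (not Dan's rules or Stuart's reply), here is the lookahead version of the rule run in Python's re module, whose syntax for \b, \s, \S and (?!...) is the same as Perl's here, next to the original meta-rule pair, so the difference shows on a message that contains both the plain and the mangled word; the sample bodies are constructed.

```python
import re

# Up to two filler characters between letters, as in the thread's rule.
# (?: ) instead of ( ) so each use does not create a wasted capture.
GAP = r"(?:\s|\s\s|\s\S|\s\S\s|\S\s|\S)?"

# Negative lookahead checked at the word start: if the literal word FREE
# follows, the match is abandoned there, so the plain word never satisfies
# this rule, while every gapped or punctuated variation still does.
OBFU_FREE = re.compile(r"(?!FREE)\bF" + GAP + "R" + GAP + "E" + GAP + r"E\b",
                       re.IGNORECASE)

# Dan's original pair for comparison: the whole word, and any variation.
PLAIN_FREE = re.compile(r"\bFREE\b", re.IGNORECASE)
ANY_FREE = re.compile(r"\bF" + GAP + "R" + GAP + "E" + GAP + r"E\b",
                      re.IGNORECASE)


def obfuscated_free_hits(body: str) -> list:
    """Mangled spellings of FREE found in body; the plain word is excluded."""
    return [m.group(0) for m in OBFU_FREE.finditer(body)]


def lookahead_rule_fires(body: str) -> bool:
    """Equivalent of the single lookahead rule Stuart sketches."""
    return OBFU_FREE.search(body) is not None


def meta_rule_fires(body: str) -> bool:
    """Dan's meta rule (!FRE1a && FRE1b): it goes false as soon as the
    plain word appears anywhere, even if a mangled copy is also present."""
    return not PLAIN_FREE.search(body) and ANY_FREE.search(body) is not None


if __name__ == "__main__":
    # Constructed sample bodies, not messages from the thread.
    for body in ("F R E E pills today",
                 "FREE shipping",
                 "free sample plus F-R-E-E refills",
                 "Freedom"):
        print(f"{body!r}: lookahead={lookahead_rule_fires(body)} "
              f"meta={meta_rule_fires(body)} hits={obfuscated_free_hits(body)}")
```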
Re: New Obfuscation Technique?
Bret Miller wrote: I hadn't seen this type of obfuscation before, though I admit I don't watch the dropped spam very closely. This one got returned to me via my AOL feedback loop, so I was looking to see how to catch it. Any ideas? Get a sample message here: http://webmail.wcg.org/~support/16-02-01-P.txt

It is pretty easy to write some rules that match the text part of this message. The basic obfuscation is space letter space inserted between each letter in the word. Let's say your word is SPAM. Your regex might look like:

/S [a-z] P [a-z] A [a-z] M/

-Stuart
Re: Comment Crashes
Dan wrote: I'm running into more comment counting problems: This crashes SA:

full FloatingTags1 /(\s?[\$%A-Z0-9]\s?.*?){90,}/is

This does not:

full FloatingTags2 /(\s?[\$%A-Z0-9]\s?.*?){30,}/is

while this doesn't crash, but also doesn't function:

full FloatingTags3 /(?\s?[\$%A-Z0-9]\s?.*?){90,}/is

Based on Matt's recent comments:

Yes, but across the entire message body using .* in a rule is REALLY slow. I didn't say that counting was impossible with rules, I said it is not good at it. Counting occurrences of something across the entire body of the message is not something SA is good at with just rules. You'd need a plugin to do it.

My premise is wrong. Do I just need to give up regex for this and find a way to eval it (I haven't learned Perl yet!)?

If you could give us a sample of what you are trying to match, maybe we could suggest an alternate route.

-Stuart
Re: Comment Crashes
Dan wrote:
If you could give us a sample of what you are trying to match, maybe we could suggest an alternate route.

Stuart, It's lines and lines of this kind of thing:

<DIV><STRONG>V</STRONG></DIV>
<DIV>L</DIV>
<DIV>A</DIV>
<DIV><STRONG>V</STRONG></DIV>
<DIV>P</DIV>
<DIV>X</DIV>
<DIV><STRONG>C</STRONG></DIV>
</DIV>
<DIV>

I generally find it much easier to match against the text part. Or do your messages not have text parts?

-Stuart
Re: Spam auto-learning by message resending
Jerome Delamarche wrote: Hi, I'm configuring SA and I'm looking for an easy way for the end users to improve their own Bayesian filters. Users do not have interactive accounts on the Linux servers. They cannot use sa-learn or any other Linux tools. It could be fine if they could automatically resend to their own mailbox spams not filtered by SA. SA could (?) determine it has already analyzed the message and automatically consider it was a previous spam. Then it could use the auto-learn feature to add it to the user spam database? Or is there another way to do it?

If your users can use IMAP, you can create a special folder where they copy spam messages. The Linux server can sa-learn from these folders. Or, you can use a system on the Linux server, such as Maia Mailguard, that temporarily stores all messages on the server and provides a web interface for user training. Another option is to provide a special address that users forward spam messages to. The main problem here is that the message must be forwarded as an attachment in a way that a script on the Linux server can extract the attachment and get something reasonably close to the original spam. Thunderbird does a pretty good job with this. Outlook, not so much.

-Stuart
Re: Those Re: good obfupills spams
Bart Schaefer wrote: The largest number of spam messages currently getting through SA at my site are short text-only spams with subject "Re: good" followed by an obfuscated drug name (so badly mangled as to be unrecognizable in many cases). The body contains a gappy-text list of several other kinds of equally unreadable pharmaceuticals, a single URL which changes daily if not more often, and then several random words and a short excerpt from a novel. They usually hit RCVD_IN_BL_SPAMCOP_NET,URIBL_SBL but those alone aren't scored high enough to classify as spam, and I'm reluctant to crank them up just for this. However, the number of spams getting through SA has tripled in the last four days or so, from around 14 for every thousand trapped, to around 40. I'm testing out RdJ on the SARE_OBFU and SARE_URI rulesets but so far they aren't having any useful effect. Other suggestions?

The ReplaceTags plugin can be very useful for creating rules to match these. Let's say you get a message with text that looks like:

S b P u A z M

where the lower-case letters vary. A traditional rule might look like:

/S [a-z] P [a-z] A [a-z] M/

which is really not too bad. However, ReplaceTags allows you to create shorthand. Something like:

replace_tag WS ( [a-z] )

And your rule becomes:

/S<WS>P<WS>A<WS>M/

For this to work, you'll also need to add your rule name to a replace_rules line. Using parentheses in your regex will create wasted captures, so you'll probably want to use a different method to mark off the whitespace. You also might want to add a negative lookahead, although in this case you probably wouldn't need it. For more on ReplaceTags: http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_ReplaceTags.html

-Stuart
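An added example, not the ReplaceTags plugin's own code: a small stand-in for the tag expansion described above, so the <WS> shorthand can be checked against the hand-written "/S [a-z] P [a-z] A [a-z] M/" rule from the earlier obfuscation thread, and so the wasted-captures point can be seen by counting groups. It assumes the plugin's default < and > tag delimiters; the sample text is constructed.

```python
import re

# replace_tag definitions (constructed for this example). The thread's
# "( [a-z] )" would add a capture group at every use of the tag;
# "(?: [a-z] )" marks off the filler without capturing it.
REPLACE_TAGS = {
    "WS": "(?: [a-z] )",   # replace_tag WS (?: [a-z] )
}

# A tag reference in a rule body, using the assumed "<" and ">" delimiters.
TAG_RE = re.compile(r"<(\w+)>")


def expand_replace_tags(rule_body: str, tags: dict = REPLACE_TAGS) -> str:
    """Substitute every <NAME> in a rule body with its replace_tag text."""
    def substitute(m):
        name = m.group(1)
        if name not in tags:
            raise KeyError(f"no replace_tag defined for <{name}>")
        return tags[name]
    return TAG_RE.sub(substitute, rule_body)


def gapped_word_rule(word: str, tag: str = "WS") -> str:
    """Shorthand rule for a space-letter-space mangled word: SPAM -> S<WS>P<WS>A<WS>M."""
    return f"<{tag}>".join(word)


def hand_written_rule(word: str) -> str:
    """The same rule spelled out by hand: SPAM -> S [a-z] P [a-z] A [a-z] M."""
    return " [a-z] ".join(word)


def rule_matches(rule_body: str, text: str) -> bool:
    """Expand the tags, then apply the rule as a body rule would."""
    return re.search(expand_replace_tags(rule_body), text) is not None


def capture_groups(rule_body: str, tags: dict = REPLACE_TAGS) -> int:
    """Number of capture groups the expanded rule ends up with."""
    return re.compile(expand_replace_tags(rule_body, tags)).groups


if __name__ == "__main__":
    sample = "Buy S b P u A z M now"          # constructed, not a real message
    rule = gapped_word_rule("SPAM")
    print(rule, "->", expand_replace_tags(rule))
    print("shorthand hits:", rule_matches(rule, sample))
    print("hand-written hits:", re.search(hand_written_rule("SPAM"), sample) is not None)
    print("captures with (?: ):", capture_groups(rule))
    print("captures with ( ):", capture_groups(rule, {"WS": "( [a-z] )"}))
```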
Re: having trouble with SA
Matt Kettler wrote:
Jeff Portwine wrote: The spam levels are getting high again, users are complaining, and so today I did an apt-get spamassassin to upgrade to version 3.1.0. I then used the configuration tool at http://www.yrex.com/spam/spamconfig.php to create a new local.cf and replaced the old one, which was outdated even for our previous version. Now however, when I try to start the spamassassin daemon I get the message:

SpamAssassin Mail Filter Daemon: disabled, see /etc/default/spamassassin

and I'm really not sure what's wrong there.

So what does /etc/default/spamassassin look like? My guess is this file is a debian-specific file that configures the startup script, and it's probably set to disable spamd. However, I'm not a debian user, so it's a guess, but it would be helpful to see what's there.

Yes, Matt is right. There is a line that says 'ENABLED=0'. Change that 0 to 1 and it will work. You can also set options such as max-children in this file.

-Stuart
Re: Pyzor
M.Lewis wrote: Is there a way to check that Pyzor (and Razor) are working? I'm running SA 3.1.1. I never see any Razor or Pyzor information in the headers of spam. spamassassin -D --lint shows in part:

[8310] dbg: plugin: registering glue method for check_pyzor (Mail::SpamAssassin::Plugin::Pyzor=HASH(0x9dfdd80))
[8310] dbg: util: current PATH is: /usr/kerberos/sbin:/usr/kerberos/bin:/opt/jre1.5.0_06/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[8310] dbg: util: executable for pyzor was found at /usr/bin/pyzor
[8310] dbg: pyzor: pyzor is available: /usr/bin/pyzor
[8310] dbg: info: entering helper-app run mode
[8310] dbg: pyzor: opening pipe: /usr/bin/pyzor check /tmp/.spamassassin8310IHD3gbtmp
[8312] dbg: util: setuid: ruid=0 euid=0
[8310] dbg: pyzor: killed stale helper [8312]
[8310] dbg: pyzor: [8312] terminated: exit=0x000f
[8310] dbg: info: leaving helper-app run mode
[8310] dbg: pyzor: check timed out after 5 seconds

There is only one pyzor server and it does tend to time out a lot even if you are configured correctly. I've set my pyzor_timeout to 1 second to avoid the wasted lookups. To make sure you are configured correctly, log in as the same user spamd runs as and run 'pyzor discover'. Then run 'pyzor ping' a couple of times. If you get:

66.250.40.33:24441 (200, 'OK')

then it is working.

-Stuart
Re: Rewriting header fields help please. anyone??
I'm not sure I understand what the problem is. It looks like SA is putting the spam tag in the comment part of the From header, which seems like a reasonable place to put it. Are you saying that you want to put it in the full name section instead? Perhaps your MUA won't display both a comment and full name? That would require new code in PerMsgStatus.pm.

-Stuart

Brian S. Meehan wrote: So, no one is going to tackle this one? Must be too easy for y'all to answer. ;-) (a little friday humor) Brian

-------- Original Message --------
Subject: Rewriting header fields help please
From: Brian S. Meehan [EMAIL PROTECTED]
Date: Wed, April 19, 2006 12:09
To: list_spamassassin users@spamassassin.apache.org

Hi, There's the option rewrite_header Subject in the local.cf file, however, I've been observing when looking through the spam folder that sorting by subject is more helpful when looking for incorrectly caught emails since many emails often have the same subject and different from fields, including the display name and the email address. Upon seeing that, I decided it might be more beneficial and easier to read if the From display name were to be rewritten so I changed it to:

rewrite_header From ***SPAM(_SCORE_)***

While this works, it only works when there is no display name. Examples:

header field from email in spam folder that shows Gary A. Gray:
From: (***SPAM[36.1]***) "Gary A. Gray" [EMAIL PROTECTED]

header field from email in spam folder that shows ***SPAM[36.1]***:
From: (***SPAM[36.1]***) [EMAIL PROTECTED]

The difference is obviously the quoted name. I tried using:

rewrite_header From "***SPAM(_SCORE_)***

(note the quotation before the asterisks) but that didn't yield different results, nor did using an ending quotation. On ones that work, it shows up while reading the email as:

From: ***SPAM[36.1]*** [EMAIL PROTECTED]

Is there any way I can rewrite the From field to display the spam score while keeping the sending email address as in the one that works just above?

Thanks, Brian
Re: Upgrade info
[EMAIL PROTECTED] wrote: Hello all! I am new to spamassassin and in need of an upgrade how-to. I am using Novell's OES SP1 with hula mailserver r1211 and spamassassin 2.63. I downloaded mail-spamassassin-3.1.1.tar.gz and built an rpm using rpmbuild -tb Mail-Spamassassin-3.1.1.tar.gz. This process completed but I do not see the rpm. A more direct question, how do I upgrade to 3.1.1? Thanks for any help.

I've never used rpmbuild to install spamassassin or Novell OES. However, on RedHat, rpmbuild puts built rpms into /usr/src/redhat/RPMS. I assume it would be similar for OES (SuSE?).

-Stuart
Re: SpamAssassin Woes
Although I am not specifically familiar with MailWatch, there is Maia Mailguard, which uses a customized version of amavisd-new 2.2.0. There is also MailZu, but it only does quarantine management.

http://www.maiamailguard.com/
http://www.mailzu.org/

JD Smith wrote: Does amavisd-new happen to have a pre-built front-end similar to MailWatch? If not then it's no use to me as I don't have time to build one from scratch, especially not after the time I've already spent customizing MailWatch. Best regards, JD Smith

-----Original Message-----
From: Sipos Gabor [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 11, 2006 4:40 AM
To: users@spamassassin.apache.org
Subject: Re: SpamAssassin Woes

Hello, If you are using postfix, don't use mailscanner, it uses a non-documented (and therefore not supported) access to the postfix queue files. Use amavisd-new instead to integrate postfix and spamassassin. Anyways, the default rules in spamassassin will NOT get you anything much more than 70% in caught spam - that's what bayes is for. Train it with YOUR spam, not someone else's! Gabor Sipos

Greetings List: My name is JD Smith and I have been put in charge of setting up a spam solution for my organization. I have chosen to go with MailScanner + Postfix + SA + MailWatch. I have everything pretty much set up and it is working, however my spam filtering is far from the 90th percentile. I think I'm actually only catching around 70% or something, which is worse than our old solution. I trained the bayes with a corpus of common spam that was recommended to me by someone somewhere (I forget) when I first got started. Maybe I need new updated rules? Does anyone have any suggestions on where I might find a list of good, suggested rules to implement? Best regards, JD Smith