Re: URIBL
On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
> Ok, here's one that does fail:
> under 3.2.0:
> [16543] dbg: uridnsbl: domain theauthenticmemento.com listed (URIBL_RHS_URIBL_BLACK): 127.0.0.2
> [...]
> Under 3.1.8:
> [...]
> [19829] dbg: uridnsbl: domain theauthenticmemento.com listed (URIBL_BLACK): 127.0.0.2
> [19829] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds to look up (multi.uribl.com.:theauthenticmemento.com)
> ...

Based on your debug quoting, 3.2 does not show a URIBL_BLACK hit, it shows a hit for a different rule, URIBL_RHS_URIBL_BLACK.

--
Randomly Selected Tagline:
A programmer and his mind are soon parted.
Re: URIBL
On Wed, May 30, 2007 at 12:33:16PM -0500, Daniel J McDonald wrote:
> Well, that doesn't show up in the list either...

I haven't really looked at 3.2 in a while, but the rule seems to have a score 0. A random guess, without seeing the rest of your debug output, is that URIBL_BLACK is marked as a duplicate of this other rule (the config lines are identical), and so it gets removed.

--
Randomly Selected Tagline:
Zero equals Zero - Prof. Farr
Re: URIBL
On Wed, 2007-05-30 at 12:46 -0400, Theo Van Dinter wrote:
> On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
> > Ok, here's one that does fail:
> > under 3.2.0:
> > [16543] dbg: uridnsbl: domain theauthenticmemento.com listed (URIBL_RHS_URIBL_BLACK): 127.0.0.2
> > [...]
> > Under 3.1.8:
> > [...]
> > [19829] dbg: uridnsbl: domain theauthenticmemento.com listed (URIBL_BLACK): 127.0.0.2
> > [19829] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds to look up (multi.uribl.com.:theauthenticmemento.com)
> > ...
>
> Based on your debug quoting, 3.2 does not show a URIBL_BLACK hit, it shows a hit for a different rule, URIBL_RHS_URIBL_BLACK.

Well, that doesn't show up in the list either... Is that because the rule is duplicated in 25_uribl.cf and 72_active.cf?

[EMAIL PROTECTED] updates_spamassassin_org]$ sudo grep URIBL_BLACK *
25_uribl.cf:urirhssub URIBL_BLACK multi.uribl.com. A 2
25_uribl.cf:body URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
25_uribl.cf:describe URIBL_BLACK Contains an URL listed in the URIBL blacklist
25_uribl.cf:tflags URIBL_BLACK net
25_uribl.cf:#reuse URIBL_BLACK
50_scores.cf:score URIBL_RHS_URIBL_BLACK 0 # n=1 n=3
50_scores.cf:score URIBL_BLACK 0 1.961 0 1.955 # n=0 n=2
50_scores.cf~:score URIBL_RHS_URIBL_BLACK 0 # n=1 n=3
50_scores.cf~:score URIBL_BLACK 0 1.961 0 1.955 # n=0 n=2
72_active.cf:##{ URIBL_RHS_URIBL_BLACK
72_active.cf:urirhssub URIBL_RHS_URIBL_BLACK multi.uribl.com. A 2
72_active.cf:body URIBL_RHS_URIBL_BLACK eval:check_uridnsbl('URIBL_RHS_URIBL_BLACK')
72_active.cf:describe URIBL_RHS_URIBL_BLACK Contains an URI listed in [black] uribl.com
72_active.cf:tflags URIBL_RHS_URIBL_BLACK net
72_active.cf:##} URIBL_RHS_URIBL_BLACK

since the score for URIBL_RHS_URIBL_BLACK is 0, but it still fired for that one, it looks like a problem. Let me remove that rule from 72 and see what happens...

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
Re: URIBL
On Wed, 2007-05-30 at 11:57 -0500, Daniel J McDonald wrote:
> On Wed, 2007-05-30 at 12:46 -0400, Theo Van Dinter wrote:
> > On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
> > > Ok, here's one that does fail:
> >
> > Based on your debug quoting, 3.2 does not show a URIBL_BLACK hit, it shows a hit for a different rule, URIBL_RHS_URIBL_BLACK.
>
> Well, that doesn't show up in the list either... Is that because the rule is duplicated in 25_uribl.cf and 72_active.cf?
>
> [EMAIL PROTECTED] updates_spamassassin_org]$ sudo grep URIBL_BLACK *
> 25_uribl.cf:urirhssub URIBL_BLACK multi.uribl.com. A 2
> 72_active.cf:urirhssub URIBL_RHS_URIBL_BLACK multi.uribl.com. A 2
>
> since the score for URIBL_RHS_URIBL_BLACK is 0, but it still fired for that one, it looks like a problem. Let me remove that rule from 72 and see what happens...

I removed the rule from 72_active.cf and now I am detecting URIBL_BLACK for that message.

[18212] dbg: uridnsbl: domain theauthenticmemento.com listed (URIBL_OB_SURBL): 127.0.0.16
[18212] dbg: dns: URIBL_OB_SURBL lookup finished
[18212] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds to look up (multi.surbl.org.:theauthenticmemento.com)
[18212] dbg: uridnsbl: domain theauthenticmemento.com listed (URIBL_BLACK): 127.0.0.2
[18212] dbg: dns: URIBL_BLACK lookup finished
[18212] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds to look up (multi.uribl.com.:theauthenticmemento.com)
[18212] dbg: check: tests=DKIM_POLICY_SIGNSOME,HTML_IMAGE_RATIO_04,HTML_MESSAGE,INVALID_DATE,L_P0F_W,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RELAY_US,SARE_UNA,URIBL_BLACK,URIBL_OB_SURBL
[18212] dbg: check: subtests=__CD,__CT,__CTE,__CTYPE_HTML,__DOS_HAS_ANY_URI,__DOS_RCVD_WED,__DOS_SINGLE_EXT_RELAY,__EXCLAIM_SUBJ,__FB_MA,__FB_S_PRICE,__FM_MY_PRICE,__HAS_ANY_URI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HTML_LINK_IMAGE,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MSGID_OK_HOST,__NAKED_TO,__NONEMPTY_BODY,__SANE_MSGID,__SARE_HAS_BG_COLOR,__SARE_HAS_FG_COLOR,__SARE_HTML_HAS_A,__SARE_HTML_HAS_BR,__SARE_HTML_HAS_DIV,__SARE_HTML_HAS_FONT,__SARE_HTML_HAS_IMG,__SARE_HTML_HAS_P,__SARE_HTML_HAS_TITLE,__SARE_URI_ANY,__SARE_WHITE_BG_COLOR,__SUBJ_3DIGIT,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS

And other messages as well:

[EMAIL PROTECTED] ~]$ sudo grep -o -P URIBL.+\?= /var/log/mail/info | sort | uniq -c
      1 URIBL_AB_SURBL=
     21 URIBL_BLACK=
      4 URIBL_GREY=
    157 URIBL_JP_SURBL=
    202 URIBL_OB_SURBL=
      8 URIBL_RED=
     44 URIBL_RHS_DOB=
     27 URIBL_SBL=
     92 URIBL_WS_SURBL=

So, the problem appears to be with the file 72_active.cf in version 535132 of updates.spamassassin.org

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
RE: URIBL
On Wednesday, May 30, 2007 1:41 PM Theo Van Dinter wrote:
> On Wed, May 30, 2007 at 12:33:16PM -0500, Daniel J McDonald wrote:
> > Well, that doesn't show up in the list either...
>
> I haven't really looked at 3.2 in a while, but the rule seems to have a score 0. A random guess, without seeing the rest of your debug output, is that URIBL_BLACK is marked as a duplicate of this other rule (the config lines are identical), and so it gets removed.

Where does this leave us for a fix? Does a bug need to be filed? If so, what is the root of the cause? Is it the duplicate rule in 72_active.cf or that the duplicate has a score of 0?

Jason A. Bertoch
Network Administrator
[EMAIL PROTECTED]
ElectroNet Intermedia Consulting
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771
Re: URIBL
Jason Bertoch wrote:
> On Wednesday, May 30, 2007 1:41 PM Theo Van Dinter wrote:
> > On Wed, May 30, 2007 at 12:33:16PM -0500, Daniel J McDonald wrote:
> > > Well, that doesn't show up in the list either...
> >
> > I haven't really looked at 3.2 in a while, but the rule seems to have a score 0. A random guess, without seeing the rest of your debug output, is that URIBL_BLACK is marked as a duplicate of this other rule (the config lines are identical), and so it gets removed.
>
> Where does this leave us for a fix? Does a bug need to be filed? If so, what is the root of the cause? Is it the duplicate rule in 72_active.cf or that the duplicate has a score of 0?

I reopened and retitled bug 5487 about this. I hope to look into it tonight.

Daryl
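A check for the condition this thread suspects, added here as an example and not taken from SpamAssassin or from any poster: it scans rule files for `urirhssub` rules that share the same zone, record type and subtest, and reports which of them are scored 0 in every score set. The file contents are a constructed sample modelled on the grep output above (URIBL_GREY is included only as a non-duplicate control), and the function names are made up for the example.

```python
from collections import defaultdict

# Constructed sample: rule and score lines modelled on the grep output quoted
# in the thread, plus URIBL_GREY as a control that must NOT be reported.
SAMPLE_FILES = {
    "25_uribl.cf": (
        "urirhssub URIBL_BLACK multi.uribl.com. A 2\n"
        "body      URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')\n"
        "tflags    URIBL_BLACK net\n"
        "urirhssub URIBL_GREY  multi.uribl.com. A 4\n"
        "body      URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')\n"
    ),
    "50_scores.cf": (
        "score URIBL_RHS_URIBL_BLACK 0 # n=1 n=3\n"
        "score URIBL_BLACK 0 1.961 0 1.955 # n=0 n=2\n"
    ),
    "72_active.cf": (
        "##{ URIBL_RHS_URIBL_BLACK\n"
        "urirhssub URIBL_RHS_URIBL_BLACK multi.uribl.com. A 2\n"
        "body      URIBL_RHS_URIBL_BLACK eval:check_uridnsbl('URIBL_RHS_URIBL_BLACK')\n"
        "tflags    URIBL_RHS_URIBL_BLACK net\n"
        "##} URIBL_RHS_URIBL_BLACK\n"
    ),
}


def _fields(line):
    """Drop a trailing '# comment' and split the rest on whitespace."""
    return line.split("#", 1)[0].split()


def parse_config(files):
    """Collect urirhssub definitions and score lines from {filename: text}."""
    definitions = {}  # rule name -> (zone, rrtype, subtest, filename)
    scores = {}       # rule name -> list of floats (1 or 4 score-set values)
    for fname, text in files.items():
        for raw in text.splitlines():
            parts = _fields(raw)
            if len(parts) == 5 and parts[0] == "urirhssub":
                _, name, zone, rrtype, subtest = parts
                # Normalise so 'multi.uribl.com.' and 'MULTI.URIBL.COM' compare equal.
                key = (zone.rstrip(".").lower(), rrtype.upper(), subtest)
                definitions[name] = key + (fname,)
            elif len(parts) >= 3 and parts[0] == "score":
                try:
                    scores[parts[1]] = [float(v) for v in parts[2:]]
                except ValueError:
                    pass  # not a plain numeric score line; ignore it
    return definitions, scores


def is_zero_scored(name, scores):
    """True when the rule has a score line and every value on it is 0."""
    values = scores.get(name)
    return values is not None and all(v == 0 for v in values)


def find_duplicate_definitions(files):
    """Group urirhssub rules that query the same zone, record type and subtest."""
    definitions, scores = parse_config(files)
    groups = defaultdict(list)
    for name, (zone, rrtype, subtest, fname) in definitions.items():
        groups[(zone, rrtype, subtest)].append((name, fname))
    report = []
    for key, members in sorted(groups.items()):
        if len(members) < 2:
            continue  # a definition used by one rule only is fine
        names = sorted(n for n, _ in members)
        report.append({
            "definition": key,
            "rules": names,
            "files": dict(members),
            "zero_scored": [n for n in names if is_zero_scored(n, scores)],
        })
    return report


if __name__ == "__main__":
    for dup in find_duplicate_definitions(SAMPLE_FILES):
        zone, rrtype, subtest = dup["definition"]
        print(f"{zone} {rrtype} {subtest} is defined by:")
        for rule in dup["rules"]:
            flag = " (score 0)" if rule in dup["zero_scored"] else ""
            print(f"  {rule} in {dup['files'][rule]}{flag}")
```

Run against a real rules directory by building the `{filename: text}` mapping from the `*.cf` files; a group whose `zero_scored` list is non-empty is the pattern reported in this thread.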
RE: URIBL
Jon

Yes this functionality has been built in since SA version 3.0 (and via an additional 'plugin' since 2.6.?4?).

Make sure you are using network tests, Net::DNS perl module is installed and the URI-RBL plugin is enabled in the *.pre files which are located in the same place as local.cf (normally /etc/mail/spamassassin).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-Original Message-
From: Jon Bjorn Njalsson [mailto:[EMAIL PROTECTED]
Sent: 17 January 2007 10:25
To: users@spamassassin.apache.org
Subject: URIBL

Is it possible to have SA find URL in a mail and lookup the ipaddress for the URL and check if that ipaddress is listed in some rbl zone and score accordingly.

Example, I receive lot of spam containing URL like http://www.thesillyguy.info or thenopers.info and these sites all resolve to the same ipaddress 216.40.47.17. Instead of writing rules based on these sites is it possible to write a rule based on the ipaddress ?

**
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**
RE: URIBL
I have Net::DNS module installed.

[14934] dbg: dns: is Net::DNS::Resolver available? yes
[14934] dbg: dns: Net::DNS version: 0.57

and

[14934] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[14934] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa5822f0)

and in v310.pre I have

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

but still spam regarding penis enlargement (some) are getting through.

Any other ideas?

On mið, 2007-01-17 at 11:32 +, Martin.Hepworth wrote:
> Jon
>
> Yes this functionality has been built in since SA version 3.0 (and via an additional 'plugin' since 2.6.?4?).
>
> Make sure you are using network tests, Net::DNS perl module is installed and the URI-RBL plugin is enabled in the *.pre files which are located in the same place as local.cf (normally /etc/mail/spamassassin).
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> -Original Message-
> From: Jon Bjorn Njalsson [mailto:[EMAIL PROTECTED]
> Sent: 17 January 2007 10:25
> To: users@spamassassin.apache.org
> Subject: URIBL
>
> Is it possible to have SA find URL in a mail and lookup the ipaddress for the URL and check if that ipaddress is listed in some rbl zone and score accordingly.
>
> Example, I receive lot of spam containing URL like http://www.thesillyguy.info or thenopers.info and these sites all resolve to the same ipaddress 216.40.47.17. Instead of writing rules based on these sites is it possible to write a rule based on the ipaddress ?
RE: URIBL
Jon

Dcc, pyzor (using a working server) and razor are useful..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-Original Message-
From: Jon Bjorn Njalsson [mailto:[EMAIL PROTECTED]
Sent: 17 January 2007 14:47
To: Martin.Hepworth
Cc: users@spamassassin.apache.org
Subject: RE: URIBL

I have Net::DNS module installed.

[14934] dbg: dns: is Net::DNS::Resolver available? yes
[14934] dbg: dns: Net::DNS version: 0.57

and

[14934] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[14934] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa5822f0)

and in v310.pre I have

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

but still spam regarding penis enlargement (some) are getting through.

Any other ideas?

On mið, 2007-01-17 at 11:32 +, Martin.Hepworth wrote:
> Jon
>
> Yes this functionality has been built in since SA version 3.0 (and via an additional 'plugin' since 2.6.?4?).
>
> Make sure you are using network tests, Net::DNS perl module is installed and the URI-RBL plugin is enabled in the *.pre files which are located in the same place as local.cf (normally /etc/mail/spamassassin).
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> -Original Message-
> From: Jon Bjorn Njalsson [mailto:[EMAIL PROTECTED]
> Sent: 17 January 2007 10:25
> To: users@spamassassin.apache.org
> Subject: URIBL
>
> Is it possible to have SA find URL in a mail and lookup the ipaddress for the URL and check if that ipaddress is listed in some rbl zone and score accordingly.
>
> Example, I receive lot of spam containing URL like http://www.thesillyguy.info or thenopers.info and these sites all resolve to the same ipaddress 216.40.47.17. Instead of writing rules based on these sites is it possible to write a rule based on the ipaddress ?
Re: URIBL
On Wed, 17 Jan 2007 14:46:36 +, Jon Bjorn Njalsson [EMAIL PROTECTED] wrote:
> I have Net::DNS module installed.
>
> [14934] dbg: dns: is Net::DNS::Resolver available? yes
> [14934] dbg: dns: Net::DNS version: 0.57
>
> and
>
> [14934] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> [14934] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa5822f0)
>
> and in v310.pre I have
>
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>
> but still spam regarding penis enlargement (some) are getting through.
>
> Any other ideas?
>
> On mið, 2007-01-17 at 11:32 +, Martin.Hepworth wrote:
> > Jon
> >
> > Yes this functionality has been built in since SA version 3.0 (and via an additional 'plugin' since 2.6.?4?).
> >
> > Make sure you are using network tests, Net::DNS perl module is installed and the URI-RBL plugin is enabled in the *.pre files which are located in the same place as local.cf (normally /etc/mail/spamassassin).
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > -Original Message-
> > From: Jon Bjorn Njalsson [mailto:[EMAIL PROTECTED]
> > Sent: 17 January 2007 10:25
> > To: users@spamassassin.apache.org
> > Subject: URIBL
> >
> > Is it possible to have SA find URL in a mail and lookup the ipaddress for the URL and check if that ipaddress is listed in some rbl zone and score accordingly.
> >
> > Example, I receive lot of spam containing URL like http://www.thesillyguy.info or thenopers.info and these sites all resolve to the same ipaddress 216.40.47.17. Instead of writing rules based on these sites is it possible to write a rule based on the ipaddress ?

Net::DNS, version 0.59 is the current version. It upgrades clean through CPAN or yum.
0.57 can have some odd effects.

Nigel
Re: URIBL
Jon Bjorn Njalsson wrote:
> Is it possible to have SA find URL in a mail and lookup the ipaddress for the URL and check if that ipaddress is listed in some rbl zone and score accordingly.
>
> Example, I receive lot of spam containing URL like http://www.thesillyguy.info or thenopers.info and these sites all resolve to the same ipaddress 216.40.47.17. Instead of writing rules based on these sites is it possible to write a rule based on the ipaddress ?

Your e-mail hit the following rules for me:

* 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: thenopers.info thesillyguy.info]
* 4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs: thenopers.info thesillyguy.info]

I have 'loadplugin Mail::SpamAssassin::Plugin::URIDNSBL' set in init.pre.

--
Chris
RE: URIBL false matches
From: Mark G. Thomas [mailto:[EMAIL PROTECTED]
> Hi,
>
> I have a problem with incorrect URIBL hits on incoming forwarded messages that have been mangled by Lotus Notes.
>
> I have a customer with the domain name Yimaging.com. (Not really Y). ng.com is on the URIBL blacklist. I think for awhile it has been removed, but it's there again now.
> ...
> Is there some easy way I can exclude just the one domain name ng.com from being looked up at all, but otherwise still use the URIBL?

uridnsbl_skip_domain ng.com
RE: URIBL false matches
On Thu, 7 Sep 2006, Rosenbaum, Larry M. wrote:
> uridnsbl_skip_domain ng.com

{raspberry}

--
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Liberals love sex ed because it teaches kids to be safe around their sex organs. Conservatives love gun education because it teaches kids to be safe around guns. However, both believe that the other's education goals lead to dangers too terrible to contemplate.
---
10 days until The 219th anniversary of the signing of the U.S. Constitution
Re: URIBL false matches
On Thu, 7 Sep 2006, Mark G. Thomas wrote:
> Does anyone have suggestions other than discontinuing use of the URIBL or using a much lower score? Is there some way to fix this code to make it more resilient to Lotus Notes text mangling?
>
> Is there some easy way I can exclude just the one domain name ng.com from being looked up at all, but otherwise still use the URIBL?

Don't touch the URIBL rules at all.

Create a __LOTUS_NOTES rule that hits for messages processed by Notes - there is probably something in the headers that you can look for.

Then you can:

(1) add a small negative score for that alone - not recommended, too easy to forge, or

(2) combine it with other rules, e.g. the URIBL hits, to offset the score, e.g.

    meta  LOTUS_URIBL_FP  __LOTUS_NOTES && (URIBL_WS_SURBL || ... )
    score LOTUS_URIBL_FP  -2.00

If it is consistently happening to just one domain then you could also look for the mangled domain (e.g. /\bng\.com\b/i) to reduce the false positives for this adjustment:

    meta  LOTUS_URIBL_FP  __LOTUS_NOTES && __CHOPPED_DOMAIN && (URIBL_WS_SURBL || ... )

--
John Hardin KA7OHZ
Re: URIBL and SURBL no longer hitting
On Monday, August 7, 2006, 1:56:41 PM, DAve DAve wrote:
> In frustration I edited /etc/resolv.conf and removed 127.0.0.1, URI lookups are completing and MailScanner is blasting through the queues on both machines exceedingly fast now.
>
> No idea what could have possibly changed, dnscache is normally bulletproof. I run it on a dozen servers as a local cache, it is a standard install on all my servers and all installs share the same config. Especially since dig worked, and still works to 127.0.0.1.

Perhaps there's an incompatibility between dnscache and the way SA 3.1 does DNSBL queries. Please open a bugzilla about it:

http://issues.apache.org/SpamAssassin/

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: URIBL and SURBL no longer hitting
Jeff Chan wrote:
> On Monday, August 7, 2006, 1:56:41 PM, DAve DAve wrote:
> > In frustration I edited /etc/resolv.conf and removed 127.0.0.1, URI lookups are completing and MailScanner is blasting through the queues on both machines exceedingly fast now.
> >
> > No idea what could have possibly changed, dnscache is normally bulletproof. I run it on a dozen servers as a local cache, it is a standard install on all my servers and all installs share the same config. Especially since dig worked, and still works to 127.0.0.1.
>
> Perhaps there's an incompatibility between dnscache and the way SA 3.1 does DNSBL queries. Please open a bugzilla about it:
>
> http://issues.apache.org/SpamAssassin/
>
> Jeff C.

Hi,

Unlikely to be a dnscache issue. I run over 10 SA servers, all with local djb dnscaches.

Regards,

Rick
Re: URIBL and SURBL no longer hitting
Jeff Chan wrote:
> On Monday, August 7, 2006, 1:56:41 PM, DAve DAve wrote:
> > In frustration I edited /etc/resolv.conf and removed 127.0.0.1, URI lookups are completing and MailScanner is blasting through the queues on both machines exceedingly fast now.
> >
> > No idea what could have possibly changed, dnscache is normally bulletproof. I run it on a dozen servers as a local cache, it is a standard install on all my servers and all installs share the same config. Especially since dig worked, and still works to 127.0.0.1.
>
> Perhaps there's an incompatibility between dnscache and the way SA 3.1 does DNSBL queries. Please open a bugzilla about it:
>
> http://issues.apache.org/SpamAssassin/
>
> Jeff C.

I had no logging running on dnscache before so I don't *know* what was happening. I re-enabled logging and the issue went away. To be specific I changed my run file from

exec setuidgid Gdnslog multilog -*

to

exec setuidgid Gdnslog multilog t ./main

Which should make no difference. Oddly though restarting dnscache several times didn't help previously.

I can open a bug report, and help troubleshoot, if you believe it smart to do so. But at this time I really don't think it is an SA issue.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.
Re: URIBL and SURBL no longer hitting
On Tuesday, August 8, 2006, 7:53:45 AM, Rick Macdougall wrote:
> Jeff Chan wrote:
> > On Monday, August 7, 2006, 1:56:41 PM, DAve DAve wrote:
> > > In frustration I edited /etc/resolv.conf and removed 127.0.0.1, URI lookups are completing and MailScanner is blasting through the queues on both machines exceedingly fast now.
> > >
> > > No idea what could have possibly changed, dnscache is normally bulletproof. I run it on a dozen servers as a local cache, it is a standard install on all my servers and all installs share the same config. Especially since dig worked, and still works to 127.0.0.1.
> >
> > Perhaps there's an incompatibility between dnscache and the way SA 3.1 does DNSBL queries. Please open a bugzilla about it:
> >
> > http://issues.apache.org/SpamAssassin/
> >
> > Jeff C.
>
> Hi,
>
> Unlikely to be a dnscache issue. I run over 10 SA servers, all with local djb dnscaches.

Aha, but do you use Linux or FreeBSD? I can't remember the details but I remember a FreeBSD/SA issue recently.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: URIBL and SURBL no longer hitting
On Tuesday, August 8, 2006, 8:05:04 AM, DAve DAve wrote:
> I had no logging running on dnscache before so I don't *know* what was happening. I re-enabled logging and the issue went away. To be specific I changed my run file from
>
> exec setuidgid Gdnslog multilog -*
>
> to
>
> exec setuidgid Gdnslog multilog t ./main
>
> Which should make no difference. Oddly though restarting dnscache several times didn't help previously.
>
> I can open a bug report, and help troubleshoot, if you believe it smart to do so. But at this time I really don't think it is an SA issue.

Hmm, well only file a bug report if it's a specific SA interaction. But it would still be nice to know what's causing it, even if it's not SA or an interaction with it.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: URIBL and SURBL no longer hitting
Jeff Chan wrote:
> On Tuesday, August 8, 2006, 7:53:45 AM, Rick Macdougall wrote:
> > Unlikely to be a dnscache issue. I run over 10 SA servers, all with local djb dnscaches.
>
> Aha, but do you use Linux or FreeBSD? I can't remember the details but I remember a FreeBSD/SA issue recently.

Hi,

Both. FreeBSD v4.8 - v6.0, Slackware, Centos and Fedora. No problems on any of them.

Regards,

Rick
Re: URIBL and SURBL no longer hitting
Jeff Chan wrote:
> On Tuesday, August 8, 2006, 8:05:04 AM, DAve DAve wrote:
> > I had no logging running on dnscache before so I don't *know* what was happening. I re-enabled logging and the issue went away. To be specific I changed my run file from
> >
> > exec setuidgid Gdnslog multilog -*
> >
> > to
> >
> > exec setuidgid Gdnslog multilog t ./main
> >
> > Which should make no difference. Oddly though restarting dnscache several times didn't help previously.
> >
> > I can open a bug report, and help troubleshoot, if you believe it smart to do so. But at this time I really don't think it is an SA issue.
>
> Hmm, well only file a bug report if it's a specific SA interaction. But it would still be nice to know what's causing it, even if it's not SA or an interaction with it.
>
> Jeff C.

If it happens again I'll have some logs, provided I catch it in time, dnscache makes logs like bunnies make more bunnies. Until then I'm inclined to think it was a resource issue or anomaly on my system rather than an issue with SA or dnscache.

I run dnscache on all my web/mail/SA/ftp servers on FreeBSD, Linux, and Solaris. Never had the slightest issue with any software making dns queries through it.

DAve
Re: URIBL and SURBL no longer hitting
DAve wrote:
> [snip]
> If it happens again I'll have some logs, provided I catch it in time, dnscache makes logs like bunnies make more bunnies. Until then I'm inclined to think it was a resource issue or anomaly on my system rather than an issue with SA or dnscache.
>
> I run dnscache on all my web/mail/SA/ftp servers on FreeBSD, Linux, and Solaris. Never had the slightest issue with any software making dns queries through it.
>
> DAve

Dave, you might need to update the 'root/servers/@' file. IIRC, a couple of root servers have changed in the past few years.

- dhawal
Re: URIBL and SURBL no longer hitting
Dhawal Doshy wrote:
> DAve wrote:
> > [snip]
> > If it happens again I'll have some logs, provided I catch it in time, dnscache makes logs like bunnies make more bunnies. Until then I'm inclined to think it was a resource issue or anomaly on my system rather than an issue with SA or dnscache.
> >
> > I run dnscache on all my web/mail/SA/ftp servers on FreeBSD, Linux, and Solaris. Never had the slightest issue with any software making dns queries through it.
> >
> > DAve
>
> Dave, you might need to update the 'root/servers/@' file. IIRC, a couple of root servers have changed in the past few years.
>
> - dhawal

We replace the @ file with one of our own on every server. It contains just our dns servers and our own caches. I know what you're thinking. I checked my DNS servers first and found them with plenty of resources, that is why I took dnscache out of /etc/resolv.conf yesterday, and then discovered the problem.

DAve
Re: URIBL and SURBL no longer hitting
On Tue, 8 Aug 2006, DAve wrote:
> Dhawal Doshy wrote:
> > Dave, you might need to update the 'root/servers/@' file. IIRC, a couple of root servers have changed in the past few years.
>
> We replace the @ file with one of our own on every server. It contains just our dns servers and our own caches.

Silly question, and veering off topic, but if you take away the list of root servers, how do your nameservers find things? If you want to find a node in a tree (or in a directed acyclic graph) it helps to start at the root (or roots). If your local DNS server doesn't have any way of finding the root, how can it find the nodes it needs to find?

I suppose it's possible your organization's DNS servers and caches are giving authoritative responses for the . domain. Is that what you're saying?

- Logan
Re: URIBL and SURBL no longer hitting
Logan Shaw wrote:
> On Tue, 8 Aug 2006, DAve wrote:
> > Dhawal Doshy wrote:
> > > Dave, you might need to update the 'root/servers/@' file. IIRC, a couple of root servers have changed in the past few years.
> >
> > We replace the @ file with one of our own on every server. It contains just our dns servers and our own caches.
>
> Silly question, and veering off topic, but if you take away the list of root servers, how do your nameservers find things? If you want to find a node in a tree (or in a directed acyclic graph) it helps to start at the root (or roots). If your local DNS server doesn't have any way of finding the root, how can it find the nodes it needs to find?
>
> I suppose it's possible your organization's DNS servers and caches are giving authoritative responses for the . domain. Is that what you're saying?
>
> - Logan

It depends on why you are using dnscache. I am talking about running dnscache only for certain services on the box such as SA URIDNSBL lookups, Webalizer lookup on Apache logs, RBL checks at SMTP connect, etc. I simply want to retain and reuse the results of querying my own DNS servers without making a network connection outside my PIX (mailScanners inside, DNS servers outside).

Do you have the list of root servers in your mail server's /etc/resolv.conf?

DAve
Re: URIBL and SURBL no longer hitting
DAve wrote:
> Good morning,
>
> I noticed this morning that I am no longer hitting any URIBL and SURBL. I did a test,
>
> host -tTXT test.uribl.com.multi.uribl.com
>
> and got the proper response. I also ran
>
> spamassassin -D testemail.txt
>
> which is a message with a URI known in the URIBL list and it provided the following,
>
> [11340] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8a19be0) implements 'check_tick'
> [11340] dbg: uridnsbl: select found no socks ready
> [11340] dbg: uridnsbl: queries completed: 0 started: 0
> [11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:12 2006
> [11340] dbg: check: running tests for priority: 500
> [11340] dbg: uridnsbl: select found no socks ready
> [11340] dbg: uridnsbl: queries completed: 0 started: 0
> [11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:13 2006
> [11340] dbg: dns: success for 0 of 2 queries
> [11340] dbg: dns: timeout for NO_DNS_FOR_FROM after 15 seconds
> [11340] dbg: dns: timeout for NO_DNS_FOR_FROM after 15 seconds
> [11340] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8a19be0) implements 'check_post_dnsbl'
> [11340] dbg: uridnsbl: select found no socks ready
> [11340] dbg: uridnsbl: queries completed: 0 started: 0
> [11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:26 2006
> [11340] dbg: uridnsbl: waiting 2 seconds for URIDNSBL lookups to complete
> [11340] dbg: uridnsbl: select found no socks ready
> [11340] dbg: uridnsbl: queries completed: 0 started: 0
> [11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:28 2006
> [11340] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
> [11340] dbg: uridnsbl: aborting remaining lookups
>
> Oddly the only thing I have changed is I began running sa-update. So out of curiosity I moved my updates.spamassassin.org* out to /tmp and reran the debug, same results.
>
> Logs show the last time I was getting hits was 4 days ago. What have I done wrong?
>
> DAve

I should have included this in the debug output.

[23441] dbg: dns: is Net::DNS::Resolver available? yes
[23441] dbg: dns: Net::DNS version: 0.57

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: URIBL and SURBL no longer hitting
> I noticed this morning that I am no longer hitting any URIBL and SURBL. I did a test,
> ...
> I should have included this in the debug output.
>
> [23441] dbg: dns: is Net::DNS::Resolver available? yes
> [23441] dbg: dns: Net::DNS version: 0.57

iirc (may not ...), there were some Net::DNS version issues causing probs. perhaps try upgrading Net::DNS:

% perl -e 'use Net::DNS; print $Net::DNS::VERSION,"\n"'
0.58

richard

--
 /\
 \ /  ASCII Ribbon Campaign
  X   against HTML email, vCards
 / \  micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
Re: URIBL and SURBL no longer hitting
DAve wrote:
> DAve wrote:
>> Good morning,
>>
>> I noticed this morning that I am no longer hitting any URIBL and SURBL. I did a test,
>>
>> host -tTXT test.uribl.com.multi.uribl.com
>>
>> and got the proper response. I also ran
>>
>> spamassassin -D testemail.txt
>>
>> which is a message with a URI known in the URIBL list and it provided the following,
>>
>> [11340] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8a19be0) implements 'check_tick'
>> [11340] dbg: uridnsbl: select found no socks ready
>> [11340] dbg: uridnsbl: queries completed: 0 started: 0
>> [11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:12 2006
>> [11340] dbg: check: running tests for priority: 500
>> [11340] dbg: uridnsbl: select found no socks ready
>> [11340] dbg: uridnsbl: queries completed: 0 started: 0
>> [11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:13 2006
>> [11340] dbg: dns: success for 0 of 2 queries
>> [11340] dbg: dns: timeout for NO_DNS_FOR_FROM after 15 seconds
>> [11340] dbg: dns: timeout for NO_DNS_FOR_FROM after 15 seconds
>> [11340] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8a19be0) implements 'check_post_dnsbl'
>> [11340] dbg: uridnsbl: select found no socks ready
>> [11340] dbg: uridnsbl: queries completed: 0 started: 0
>> [11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:26 2006
>> [11340] dbg: uridnsbl: waiting 2 seconds for URIDNSBL lookups to complete
>> [11340] dbg: uridnsbl: select found no socks ready
>> [11340] dbg: uridnsbl: queries completed: 0 started: 0
>> [11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:28 2006
>> [11340] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
>> [11340] dbg: uridnsbl: aborting remaining lookups
>>
>> Oddly the only thing I have changed is I began running sa-update. So out of curiosity I moved my updates.spamassassin.org* out to /tmp and reran the debug, same results.
>>
>> Logs show the last time I was getting hits was 4 days ago. What have I done wrong?
>>
>> DAve
>
> I should have included this in the debug output.
>
> [23441] dbg: dns: is Net::DNS::Resolver available? yes
> [23441] dbg: dns: Net::DNS version: 0.57
>
> DAve

OK, I'm digging now, Yahoo and Google show nothing useful. I did install the ImageInfo plugin so I will take it back out and see what happens. Searching the archives again.

I'm running SA 3.1.1
No spamc/spamd (called from MailScanner)
Installed as FreeBSD port on FreeBSD 5

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: URIBL and SURBL no longer hitting
Richard wrote:
>> I noticed this morning that I am no longer hitting any URIBL and SURBL. I did a test,
>> ...
>> I should have included this in the debug output.
>>
>> [23441] dbg: dns: is Net::DNS::Resolver available? yes
>> [23441] dbg: dns: Net::DNS version: 0.57
>
> iirc (may not ...), there were some Net::DNS version issues causing probs. perhaps try upgrading Net::DNS:
>
> % perl -e 'use Net::DNS; print $Net::DNS::VERSION,"\n"'
> 0.58
>
> richard

I found a few messages of interest. One concerning the ClamAV plugin, which I don't use though I have just installed the ImageInfo plugin. I removed it, no change.

I also found another message reporting a bug in URIDNSBL lookups. I don't think that is affecting me because it concerned the check loop finishing before the timeout. I can certainly see my timeout, it takes a full minute before spamassassin -D --lint testemail.txt will finish.

I've seen no recent messages about Net::DNS. Not sure where to go next. The delay in SA is causing my mail to back up. Though I threw some more children at MailScanner and it is catching up now, slowly.

Dig works, host works. Not sure why SA can't get a lookup. I've restarted dnscache several times, and I have my normal dns servers listed under 127.0.0.1 in /etc/resolv.conf.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: URIBL and SURBL no longer hitting
DAve wrote:
> Richard wrote:
>>> I noticed this morning that I am no longer hitting any URIBL and SURBL. I did a test,
>>> ...
>>> I should have included this in the debug output.
>>>
>>> [23441] dbg: dns: is Net::DNS::Resolver available? yes
>>> [23441] dbg: dns: Net::DNS version: 0.57
>>
>> iirc (may not ...), there were some Net::DNS version issues causing probs. perhaps try upgrading Net::DNS:
>>
>> % perl -e 'use Net::DNS; print $Net::DNS::VERSION,"\n"'
>> 0.58
>>
>> richard
>
> I found a few messages of interest. One concerning the ClamAV plugin, which I don't use though I have just installed the ImageInfo plugin. I removed it, no change.
>
> I also found another message reporting a bug in URIDNSBL lookups. I don't think that is affecting me because it concerned the check loop finishing before the timeout. I can certainly see my timeout, it takes a full minute before spamassassin -D --lint testemail.txt will finish.
>
> I've seen no recent messages about Net::DNS. Not sure where to go next. The delay in SA is causing my mail to back up. Though I threw some more children at MailScanner and it is catching up now, slowly.
>
> Dig works, host works. Not sure why SA can't get a lookup. I've restarted dnscache several times, and I have my normal dns servers listed under 127.0.0.1 in /etc/resolv.conf.
>
> DAve

[63142] dbg: dns: is Net::DNS::Resolver available? yes
[63142] dbg: dns: Net::DNS version: 0.58
[63142] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
[63142] dbg: uridnsbl: aborting remaining lookups

No change, still cannot complete uridnsbl lookups. But... this works.

dig dadixus.com.multi.uribl.com

I really hate spammers today. Really, really, hate spammers. Castration is too good for them. This last upgrade of SA and MailScanner has been brutal. I've no idea where to look next.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: URIBL and SURBL no longer hitting
DAve wrote:
> DAve wrote:
>> Richard wrote:
>>>> I noticed this morning that I am no longer hitting any URIBL and SURBL. I did a test,
>>>> ...
>>>> I should have included this in the debug output.
>>>>
>>>> [23441] dbg: dns: is Net::DNS::Resolver available? yes
>>>> [23441] dbg: dns: Net::DNS version: 0.57
>>>
>>> iirc (may not ...), there were some Net::DNS version issues causing probs. perhaps try upgrading Net::DNS:
>>>
>>> % perl -e 'use Net::DNS; print $Net::DNS::VERSION,"\n"'
>>> 0.58
>>>
>>> richard
>>
>> I found a few messages of interest. One concerning the ClamAV plugin, which I don't use though I have just installed the ImageInfo plugin. I removed it, no change.
>>
>> I also found another message reporting a bug in URIDNSBL lookups. I don't think that is affecting me because it concerned the check loop finishing before the timeout. I can certainly see my timeout, it takes a full minute before spamassassin -D --lint testemail.txt will finish.
>>
>> I've seen no recent messages about Net::DNS. Not sure where to go next. The delay in SA is causing my mail to back up. Though I threw some more children at MailScanner and it is catching up now, slowly.
>>
>> Dig works, host works. Not sure why SA can't get a lookup. I've restarted dnscache several times, and I have my normal dns servers listed under 127.0.0.1 in /etc/resolv.conf.
>>
>> DAve
>
> [63142] dbg: dns: is Net::DNS::Resolver available? yes
> [63142] dbg: dns: Net::DNS version: 0.58
> [63142] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
> [63142] dbg: uridnsbl: aborting remaining lookups
>
> No change, still cannot complete uridnsbl lookups. But... this works.
>
> dig dadixus.com.multi.uribl.com
>
> I really hate spammers today. Really, really, hate spammers. Castration is too good for them. This last upgrade of SA and MailScanner has been brutal. I've no idea where to look next.
>
> DAve

In frustration I edited /etc/resolv.conf and removed 127.0.0.1, URI lookups are completing and MailScanner is blasting through the queues on both machines exceedingly fast now.

No idea what could have possibly changed, dnscache is normally bulletproof. I run it on a dozen servers as a local cache, it is a standard install on all my servers and all installs share the same config. Especially since dig worked, and still works to 127.0.0.1.

Very odd.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
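A small triage helper for the `spamassassin -D` output discussed in this thread, added here as an example (it is not code from the thread or from SpamAssassin): it flags a run in which URIDNSBL queries were still active when the plugin gave up. The function and field names are assumptions, the "stalled" rule is a heuristic, and the sample lines are copied from the debug output posted in the thread.

```python
import re
from datetime import datetime

# Sample input: lines copied from the debug output posted in the thread.
SAMPLE = """\
[11340] dbg: uridnsbl: select found no socks ready
[11340] dbg: uridnsbl: queries completed: 0 started: 0
[11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:12 2006
[11340] dbg: dns: success for 0 of 2 queries
[11340] dbg: dns: timeout for NO_DNS_FOR_FROM after 15 seconds
[11340] dbg: dns: timeout for NO_DNS_FOR_FROM after 15 seconds
[11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:26 2006
[11340] dbg: uridnsbl: waiting 2 seconds for URIDNSBL lookups to complete
[11340] dbg: uridnsbl: queries completed: 0 started: 0
[11340] dbg: uridnsbl: queries active: DNSBL=2 NS=1 at Mon Aug 7 10:23:28 2006
[11340] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
[11340] dbg: uridnsbl: aborting remaining lookups
"""

LINE = re.compile(r"^\[(\d+)\] dbg: ([\w-]+): (.*)$")
COMPLETED = re.compile(r"queries completed: (\d+) started: (\d+)")
ACTIVE = re.compile(
    r"queries active: (.*?) at \w{3} (\w{3}) +(\d+) (\d+):(\d+):(\d+) (\d{4})")
SUCCESS = re.compile(r"success for (\d+) of (\d+) queries")
TIMEOUT = re.compile(r"timeout for (\S+) after (\d+) seconds")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def triage(log_text):
    """Summarise DNS activity in `spamassassin -D` output (heuristic)."""
    r = {"completed": 0, "active": {}, "dns_success": None, "timeouts": [],
         "aborted": False, "span_seconds": 0, "stalled": False}
    first = last = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a debug line
        channel, msg = m.group(2), m.group(3)
        if channel == "uridnsbl":
            done = COMPLETED.search(msg)
            act = ACTIVE.search(msg)
            if done:
                # Highest "completed" count seen in any poll.
                r["completed"] = max(r["completed"], int(done.group(1)))
            elif act:
                # "DNSBL=2 NS=1" -> {"DNSBL": 2, "NS": 1}
                r["active"] = {k: int(v) for k, v in
                               (p.split("=") for p in act.group(1).split())}
                mon, day, hh, mm, ss, year = act.groups()[1:]
                last = datetime(int(year), MONTHS.index(mon) + 1, int(day),
                                int(hh), int(mm), int(ss))
                first = first or last
            elif "aborting remaining lookups" in msg:
                r["aborted"] = True
        elif channel == "dns":
            ok = SUCCESS.search(msg)
            to = TIMEOUT.search(msg)
            if ok:
                r["dns_success"] = (int(ok.group(1)), int(ok.group(2)))
            elif to:
                r["timeouts"].append((to.group(1), int(to.group(2))))
    if first and last:
        # How long queries stayed outstanding between first and last poll.
        r["span_seconds"] = int((last - first).total_seconds())
    # Stalled: lookups were abandoned while queries were still outstanding
    # and no poll ever reported a completed query.
    r["stalled"] = (r["aborted"] and r["completed"] == 0
                    and sum(r["active"].values()) > 0)
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A stalled verdict alongside a working `dig` points at the resolver path the Perl process uses rather than at the blocklist itself, which is the situation the thread ends on.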
Re: URIBL False positive
On Tuesday, December 6, 2005, 1:26:32 PM, Brian Leyton wrote:
> I'm relatively new to SpamAssassin, but I've managed to get it working well in conjunction with MimeDefang. I'm having a strange problem though, which I hope someone can help me figure out.
>
> I'm on a hobby mailing list, and occasionally emails to this list are being tagged as spam by SpamAssassin, based on the website mentioned in the emails being on multiple URIBL lists. Strangely though, when I go to the SURBL checker at rulesemporium.com, the site is NOT shown as being listed on any of these lists.
>
> Bayes correctly considers these emails to NOT be spam, but the 4 URIBL positives are enough to put the score over the top.

What version of SpamAssassin are you using? There is a bug in 3.0.x that can cause intermittent errors like this.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: URIBL False positive
Jeff Chan wrote:
> What version of SpamAssassin are you using? There is a bug in 3.0.x that can cause intermittent errors like this.

Spamassassin -V reports:

SpamAssassin version 3.0.4
  running on Perl version 5.8.6

Brian Leyton
IT Manager
Commercial Petroleum Equipment
Re: URIBL False positive
On Wednesday, December 7, 2005, 8:14:43 AM, Brian Leyton wrote:
> Jeff Chan wrote:
>> What version of SpamAssassin are you using? There is a bug in 3.0.x that can cause intermittent errors like this.
>
> Spamassassin -V reports:
>
> SpamAssassin version 3.0.4
>   running on Perl version 5.8.6
>
> Brian Leyton
> IT Manager
> Commercial Petroleum Equipment

OK I can't remember if that one has the bug fix or not. 3.1 definitely does. What was the specific FP domain?

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: URIBL False positive
Jeff Chan wrote:
> OK I can't remember if that one has the bug fix or not. 3.1 definitely does. What was the specific FP domain?

Here's the scoring section of the SA report:

Content analysis details:   (5.5 points, 5.0 required)

 pts rule name       description
---- --------------- --------------------------------------------------
-2.6 BAYES_00        BODY: Bayesian spam probability is 0 to 1%
                     [score: 0.]
 2.0 URIBL_PH_SURBL  Contains an URL listed in the PH SURBL blocklist
                     [URIs: americanbroadcastdx.com]
 0.4 URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist
                     [URIs: americanbroadcastdx.com]
 1.5 URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
                     [URIs: americanbroadcastdx.com]
 4.3 URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
                     [URIs: americanbroadcastdx.com]

Brian Leyton
IT Manager
Commercial Petroleum Equipment
Re: URIBL False positive
On Wednesday, December 7, 2005, 8:31:06 AM, Brian Leyton wrote:
> Jeff Chan wrote:
>> OK I can't remember if that one has the bug fix or not. 3.1 definitely does. What was the specific FP domain?
>
> Here's the scoring section of the SA report:
>
> Content analysis details:   (5.5 points, 5.0 required)
>
>  pts rule name       description
> ---- --------------- --------------------------------------------------
> -2.6 BAYES_00        BODY: Bayesian spam probability is 0 to 1%
>                      [score: 0.]
>  2.0 URIBL_PH_SURBL  Contains an URL listed in the PH SURBL blocklist
>                      [URIs: americanbroadcastdx.com]
>  0.4 URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist
>                      [URIs: americanbroadcastdx.com]
>  1.5 URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
>                      [URIs: americanbroadcastdx.com]
>  4.3 URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
>                      [URIs: americanbroadcastdx.com]
>
> Brian Leyton
> IT Manager
> Commercial Petroleum Equipment

Thanks. americanbroadcastdx.com was never on any SURBLs, so it's probably the bug. Please consider upgrading to 3.1 or possibly even 3.0.5 as this may fix the bug:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3997

The developers will know for sure about which versions the patch is in. Or you could perhaps apply the patch manually to 3.0.4. They would know that too.

It may be worth asking if you have any unusual DNS arrangement such as proxying firewalls, etc.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: URIBL False positive
Jeff Chan wrote:
> Thanks. americanbroadcastdx.com was never on any SURBLs, so it's probably the bug. Please consider upgrading to 3.1 or possibly even 3.0.5 as this may fix the bug:
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3997
>
> The developers will know for sure about which versions the patch is in. Or you could perhaps apply the patch manually to 3.0.4. They would know that too.
>
> It may be worth asking if you have any unusual DNS arrangement such as proxying firewalls, etc.

Nothing unusual there. It uses the firewall (IPCop) as a caching DNS server, and the ISP's DNS as a fallback (not that that would help if the firewall were down).

I'll see what I need to do to update. I think I used yum to install it in the first place, but something's hosed in the package dependencies. I'll get to work on that and see if I can get a newer spamassassin installed.

Thanks for your help!

Brian Leyton
IT Manager
Commercial Petroleum Equipment
Re: URIBL False positive
Brian Leyton wrote:
> I'm relatively new to SpamAssassin, but I've managed to get it working well in conjunction with MimeDefang. I'm having a strange problem though, which I hope someone can help me figure out.
>
> I'm on a hobby mailing list, and occasionally emails to this list are being tagged as spam by SpamAssassin, based on the website mentioned in the emails being on multiple URIBL lists. Strangely though, when I go to the SURBL checker at rulesemporium.com, the site is NOT shown as being listed on any of these lists.

Are you sure you are checking the right domain at the surbl website? There could be many domains checked, did you check them all?

Have you tried pumping the message through the command-line SA?

> Bayes correctly considers these emails to NOT be spam, but the 4 URIBL positives are enough to put the score over the top. I have included this domain in the whitelist in sa-mimedefang.cf, but that doesn't help.

How, exactly, did you do this? whitelist_from? whitelist_from_rcvd?

Either of those, if set properly, should cause a -100 point bias to the message, clearly way beyond the reach of URIBL FPs. That suggests to me you used something else, or it's not working due to using the wrong second parameter on a whitelist_from_rcvd.

> What might cause these lookups to return false positives?

It could be a short-term listing that got pulled from SURBL shortly after being added. However, if it's persistent, that's unlikely.
Re: URIBL?
Just to post back to the group on this one. It turns out the reason why these were not working is because the user that amavisd ran as didn't have permissions to see the directory that contained Net::DNS::Resolver.

For some reason cpan installed it with root only permissions. After I fixed it, the checks are now running like a charm.

On 8/26/05 5:01 PM this was written:
> From: Thomas Deliduka [EMAIL PROTECTED]
>> I couldn't find an answer to this in the archives. My apologies if this is there.
>>
>> I ran a test on a spam (spamassassin -t spam) and within the rules that matched it outputted these:
>>
>> 0.6 URIBL_SBL       Contains an URL listed in the SBL blocklist
>> 3.9 URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
>> 2.0 URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist
>> 0.5 URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
>> 2.0 URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist
>> 1.5 URIBL_JP_SURBL  Contains an URL listed in the JP SURBL blocklist
>>
>> However, the mail server when using amavisd-new checks spam, it never checks against this SURBL blocklist.
>>
>> I see in init.pre this line:
>>
>> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>>
>> Which I think is related. But in either case. Why would it check within the testing system but not when the actual program checks? Is there a way to enable it?
>
> I don't know about amavisd-new from shucked corn; but, I understand it runs its own daemonized spamassassin. If so then you may have to restart it. With spamd you certainly have to restart the daemon to get it to read changes to the configuration files, with the exception of the user's configuration files.

--
Thomas Deliduka
Chief Technology Officer - Xenocast
Street Smart Media Solutions
http://www.xenocast.com/
Re: URIBL?
From: Thomas Deliduka [EMAIL PROTECTED]
> I couldn't find an answer to this in the archives. My apologies if this is there.
>
> I ran a test on a spam (spamassassin -t spam) and within the rules that matched it outputted these:
>
> 0.6 URIBL_SBL       Contains an URL listed in the SBL blocklist
> 3.9 URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
> 2.0 URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist
> 0.5 URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
> 2.0 URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist
> 1.5 URIBL_JP_SURBL  Contains an URL listed in the JP SURBL blocklist
>
> However, the mail server when using amavisd-new checks spam, it never checks against this SURBL blocklist.
>
> I see in init.pre this line:
>
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>
> Which I think is related. But in either case. Why would it check within the testing system but not when the actual program checks? Is there a way to enable it?

I don't know about amavisd-new from shucked corn; but, I understand it runs its own daemonized spamassassin. If so then you may have to restart it. With spamd you certainly have to restart the daemon to get it to read changes to the configuration files, with the exception of the user's configuration files.

{^_^}
Re: URIBL?
Ask an amavisd-new expert. It's already part of SpamAssassin. Perhaps amavisd-new overrides some of the SpamAssassin configurations? Good luck with it.

{^_^}

From: Thomas Deliduka [EMAIL PROTECTED]
> But what configuration do I need to do to add it?
>
> On 8/26/05 5:01 PM this was written:
>> From: Thomas Deliduka [EMAIL PROTECTED]
>>> I couldn't find an answer to this in the archives. My apologies if this is there.
>>>
>>> I ran a test on a spam (spamassassin -t spam) and within the rules that matched it outputted these:
>>>
>>> 0.6 URIBL_SBL       Contains an URL listed in the SBL blocklist
>>> 3.9 URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
>>> 2.0 URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist
>>> 0.5 URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
>>> 2.0 URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist
>>> 1.5 URIBL_JP_SURBL  Contains an URL listed in the JP SURBL blocklist
>>>
>>> However, the mail server when using amavisd-new checks spam, it never checks against this SURBL blocklist.
>>>
>>> I see in init.pre this line:
>>>
>>> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>>>
>>> Which I think is related. But in either case. Why would it check within the testing system but not when the actual program checks? Is there a way to enable it?
>>
>> I don't know about amavisd-new from shucked corn; but, I understand it runs its own daemonized spamassassin. If so then you may have to restart it. With spamd you certainly have to restart the daemon to get it to read changes to the configuration files, with the exception of the user's configuration files.
>
> --
> Thomas Deliduka
> Chief Technology Officer - Xenocast
> Street Smart Media Solutions
> http://www.xenocast.com/
Re: URIBL?
jdow wrote the following on 26/08/2005 22:08:
> Ask an amavisd-new expert. It's already part of SpamAssassin. Perhaps amavisd-new overrides some of the SpamAssassin configurations? Good luck with it.
>
> {^_^}
>
> From: Thomas Deliduka [EMAIL PROTECTED]
>> But what configuration do I need to do to add it?
>>
>> On 8/26/05 5:01 PM this was written:
>>> From: Thomas Deliduka [EMAIL PROTECTED]
>>>> I couldn't find an answer to this in the archives. My apologies if this is there.
>>>>
>>>> I ran a test on a spam (spamassassin -t spam) and within the rules that matched it outputted these:
>>>>
>>>> 0.6 URIBL_SBL       Contains an URL listed in the SBL blocklist
>>>> 3.9 URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
>>>> 2.0 URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist
>>>> 0.5 URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist
>>>> 2.0 URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist
>>>> 1.5 URIBL_JP_SURBL  Contains an URL listed in the JP SURBL blocklist
>>>>
>>>> However, the mail server when using amavisd-new checks spam, it never checks against this SURBL blocklist.
>>>>
>>>> I see in init.pre this line:
>>>>
>>>> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>>>>
>>>> Which I think is related. But in either case. Why would it check within the testing system but not when the actual program checks? Is there a way to enable it?
>>>
>>> I don't know about amavisd-new from shucked corn; but, I understand it runs its own daemonized spamassassin. If so then you may have to restart it. With spamd you certainly have to restart the daemon to get it to read changes to the configuration files, with the exception of the user's configuration files.

Spamd is not called from amavisd-new. It calls spamassassin directly. The configuration information with respect to individual SURBLs needs to go into SURBL.cf in the directory you store your spamassassin information (e.g. /etc/mail/spamassassin). To use SURBLs you need the load plugin statement in init.pre.

So if it works from calling spamassassin on the command line it should be the same as when amavisd-new calls it. My last guess at why the difference, is that you were not logged in as the amavis user when you ran spamassassin.

HTH

Alan
RE: uribl
Check out http://www.uribl.com/. Click on the Usage link on the left.

Cheers,

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: Ron McKeating [mailto:[EMAIL PROTECTED]
Sent: 21 June 2005 12:03
To: SPAMASSASSIN
Subject: uribl

A little confused here, just got a spammy email for dodgy watches and checked them on the surbl site, they were listed in black.uribl.com but it only got a score of 1.3

Our scores for surbl stuff is

score URIBL_AB_SURBL 5.5
score URIBL_OB_SURBL 5.5
score URIBL_PH_SURBL 5.5
score URIBL_SBL 5.5
score URIBL_SC_SURBL 5.5
score URIBL_WS_SURBL 5.5

and the spam report gave

1.3 points, 6.0 required)

 pts rule name           description
---- ------------------- --------------------------------------------------
 0.2 DATE_IN_PAST_06_12  Date: is 6 to 12 hours before Received: date
 1.1 RCVD_IN_SBL         RBL: Received via a relay in Spamhaus SBL
                         [222.65.54.104 listed in sbl-xbl.spamhaus.org]

Do we need to do something for it to check the black.uribl list?

Ron

--
Ron McKeating
Senior IT Services Specialist
Computing Services
Loughborough University
01509 222329
Re: URIBL Plugin
On Wed, Jun 01, 2005 at 11:02:14PM +0100, Ben Wylie wrote:
> For some reason I have had to put:
>
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>
> into my 25_uribl.cf and my custom uribl file to get this to work.

You definitely wouldn't need it twice, and you shouldn't be editing the default configs.

> They both have:
>
> ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
>
> in them, but for some reason uridnsbl isn't automatically loaded. It doesn't seem to work if I load the plugin in local.cf either.

Yeah, local.cf is after the ifplugin line, so the plugin isn't loaded then. Plugins need to be loaded in the init.pre file, which loads before all the *.cf files.

--
Randomly Generated Tagline:
... leading to the greatest psychological problem of them all ... death. - From the movie Student Bodies
Re: URIBL scores
Rodney Green wrote:
> Hello,
>
> Where are URIBL scores configured?

The same place all the scores are configured.

The defaults are in /usr/share/spamassassin/50_scores.cf

Your over-rides should probably go in /etc/mail/spamassassin/local.cf.

You can edit the defaults, but if you edit 50_scores, it will be deleted and replaced in the next upgrade. It's also tougher to track down typo problems in such a large file.

Be sure to run spamassassin --lint to check for syntax errors when you're done editing.
Re: URIBL score
On Monday, October 18, 2004, 4:18:54 AM, Asif Iqbal wrote:
> On Mon, Oct 18, 2004 at 02:14:27AM, Jeff Chan wrote:
>
> I am using SA 3.0. So I add this to a new file and name in spamcop.cf ?
>
>> urirhssub  URIBL_JP_SURBL  multi.surbl.org.  A  64
>> header     URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
>> describe   URIBL_JP_SURBL  Contains a URL listed in JP at http://www.surbl.org/lists.html
>> tflags     URIBL_JP_SURBL  net
>>
>> score      URIBL_JP_SURBL  3.0
>>
>> and these will be caught. (JP will likely be added to the default SpamAssassin configuration in version 3.1.)

Just add it to your existing configuration.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
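How the last field of the urirhssub line quoted above (64 for JP on multi.surbl.org) picks one sublist out of a combined answer, as an added example that is not code from the thread or from SpamAssassin. The bitmask test is a simplified model of the plugin's behaviour; the second rule, the sample answers and the 127.0.0.0/8 guard are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

UriRhsSub = namedtuple("UriRhsSub", "rule zone rrtype subtest")

# The URIBL_JP_SURBL line is the one quoted in the thread. EXAMPLE_OTHER_LIST
# and its mask are constructed so that two sublists share one zone.
CONFIG = """
urirhssub  URIBL_JP_SURBL      multi.surbl.org.  A  64
urirhssub  EXAMPLE_OTHER_LIST  multi.surbl.org.  A  2
header     URIBL_JP_SURBL      eval:check_uridnsbl('URIBL_JP_SURBL')
"""

# Blocklist answers are conventionally inside 127.0.0.0/8.
LIST_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_urirhssub(config):
    """Return the urirhssub definitions found in a .cf fragment."""
    rules = []
    for raw in config.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "urirhssub":
            rules.append(UriRhsSub(fields[1], fields[2].rstrip("."),
                                   fields[3].upper(), fields[4]))
    return rules


def query_name(domain, zone):
    """Name that is looked up: the URI's domain prepended to the list zone."""
    return f"{domain.rstrip('.')}.{zone}."


def subtest_matches(subtest, answer):
    """A numeric subtest is a bitmask over the answer; otherwise exact match."""
    if subtest.isdigit():
        return bool(int(ipaddress.IPv4Address(answer)) & int(subtest))
    return subtest == answer


def rules_hit(rules, domain, answers, require_loopback=True):
    """List the rules that fire for `domain`.

    `answers` maps a query name to the A record returned, or omits the name
    when the lookup returned nothing. One lookup per zone serves every rule
    defined on that zone, which is why several rules can fire together.
    """
    hits = []
    for rule in rules:
        answer = answers.get(query_name(domain, rule.zone))
        if answer is None:
            continue  # not listed, or the lookup never completed
        if require_loopback and ipaddress.IPv4Address(answer) not in LIST_ANSWER_NET:
            continue  # added guard: a rewritten answer is not a listing
        if subtest_matches(rule.subtest, answer):
            hits.append(rule.rule)
    return hits


if __name__ == "__main__":
    rules = parse_urirhssub(CONFIG)
    name = query_name("spam.example", "multi.surbl.org")
    # Constructed answers: one sublist, two sublists, a rewritten answer.
    for answer in ("127.0.0.64", "127.0.0.66", "203.0.113.66"):
        print(answer, rules_hit(rules, "spam.example", {name: answer}))
```

The last sample shows why an answer outside 127.0.0.0/8, for instance from a resolver that rewrites failed lookups, would set bits for every sublist at once if it were masked without the guard.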