RE: Regex help
On Thu, 2011-04-21 at 14:55 -0800, Kevin Miller wrote:
> I did get it to work from the CLI, and wrote the following rule:
>
> body CBJ_GiveMeABreak /\[br]{5,}/

This still is wrong.

Something that has been mentioned, but not properly explained to you is the char class, denoted by square brackets. The RE /[bar]/ will match any char in the class, that is either a b, an a or an r.

In this case (the rule above) it is NOT a char class though, because you backslash escaped the opening square bracket, turning it into the char itself.

The reason the RE (the part inside the slash / delimiters) DID work with grep on the command line is, because the slash escaped the opening square bracket for your shell, preventing your *shell* from interpreting it -- but the RE passed to your grep features the square bracket, turning it again into a char class.

Multiple levels of escaping. If you wanna test an RE with grep, seriously better 'single quote' the entire RE, rather than escaping single chars. This will prevent such issues.

grep on your shell was looking for any char of the class [br], 5 times. That matches the string 'br'. For perl, with one less interpretation of the string (no shell), it looks for the string '[br]'

Yes, the double-quotes prevented your shell from interpreting as STDIN, like it was breaking your command in the OP. Without the shell, it just is a char, though.

Also, the {5,} operates on the thingy in front of it -- which is a single char here, because you did not (?:) group the leading sub-RE.

What you want. The string 'br', repeated five times (or more). For the quantifier, you need to group the string.

  /(?:br){5}/

Besides the above, do not use {5,} as a quantifier, UNLESS there is something after that string you also want to match. If you do not want to match anything after that, exactly 5 times {5} will match always the same as five or more {5,} -- the latter just unnecessarily keeps on trying.
-- char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
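The escaping levels and quantifier binding described in the message above, as an added example that is not part of the original post. It uses Python's `re`, whose syntax matches Perl's for these constructs, and `shlex.split` as a stand-in for the shell's quote removal; the `grep` command lines and sample strings are constructed.

```python
import re
import shlex


def pattern_after_shell(command_line):
    """Return the pattern argument grep would receive from a POSIX shell.

    shlex.split models only quote and backslash removal (no globbing or
    brace expansion), which is the interpretation level discussed here.
    """
    return shlex.split(command_line)[1]


def first_match(pattern, text):
    """Text matched by an unanchored search, or None when nothing matches."""
    found = re.search(pattern, text)
    return found.group(0) if found else None


# Constructed sample strings (not taken from the spam discussed in the thread).
FIVE_BR = "br" * 5      # the string 'br', five times
EIGHT_BR = "br" * 8     # the string 'br', eight times
NOISE = "rrbbrb"        # six chars from the class [br], but 'br' only once
LITERAL = "[br]]]]]"    # '[br' followed by five ']'


def demo():
    # Same RE typed two ways on a constructed grep command line.
    escaped = pattern_after_shell(r"grep \[br]{5,} sample.txt")
    quoted = pattern_after_shell(r"grep '\[br]{5,}' sample.txt")
    return {
        # Level 1: what survives the shell.
        "escaped_cli": escaped,   # backslash consumed by the shell
        "quoted_cli": quoted,     # backslash reaches the RE engine
        # Level 2: what the RE engine does with each.
        "class_on_five_br": first_match(escaped, FIVE_BR),
        "class_on_noise": first_match(escaped, NOISE),
        "literal_on_five_br": first_match(quoted, FIVE_BR),
        "literal_on_literal": first_match(quoted, LITERAL),
        # Without a group the quantifier binds to the single char before it.
        "ungrouped_on_five_br": first_match(r"br{5,}", FIVE_BR),
        "ungrouped_on_brrrrr": first_match(r"br{5,}", "brrrrr"),
        # Grouped: the string 'br' five times.
        "grouped_on_five_br": first_match(r"(?:br){5}", FIVE_BR),
        "grouped_on_noise": first_match(r"(?:br){5}", NOISE),
        # {5} and {5,} agree on hit/miss; {5,} just consumes more.
        "exact_len": len(first_match(r"(?:br){5}", EIGHT_BR)),
        "open_len": len(first_match(r"(?:br){5,}", EIGHT_BR)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value!r}")
```
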
RE: Regex help
Adam Katz wrote:
> On 04/21/2011 03:55 PM, Kevin Miller wrote:
>> Thanks (also to Martin who replied). I posted one of the spams here:
>> http://pastebin.com/9aBAxR7m
>> You can see the long series of break codes in it.
>
> Yes I can. I can also see several other diagnostic bits in it, such as the domain:
> http://www.siteadvisor.com/sites/regionstargpsupdates.com
>
> How about this rule instead:
>
> blacklist_from *@regionstargpsupdates.com
>
> It's much faster and, given the report of the domain being that of a spammer, much much safer.

Yes, but then I'm playing whack-a-mole. Looking at the spam in html format (i.e., in the original email) one can see similarities in style - probably produced from a template. But the domain varies widely. I may get anywhere from a half dozen to several dozen from any one domain, then never see that domain again. Classic botnet behaviour. These guys cycle through domains and from addresses regularly.

One thing that is consistent with all the spams is an exclamation mark at the end of the subject line. Sadly, plenty of ham also displays that.

>> Sorry for the confusion on the 10.10.10.10 - that isn't part of the spam, it was just a handy file for testing since it had a repeating string in it.
>
> It was a faulty test since '[10.]{3}' will match '10.10.10.10' but not in the way that you think; it matches the first three characters and will therefore also match the string '110.64.323.6'

Right - caught that from your previous post.

>> I did get it to work from the CLI, and wrote the following rule:
>>
>> body CBJ_GiveMeABreak /\[br]{5,}/
>> describe CBJ_GiveMeABreak Messages with multiple consecutave break characters
>> score CBJ_GiveMeABreak 0.01
>
> That will not match your sample. Please re-read my message. The regex is wrong and the rule type (body) is wrong.

I'm wading through it, trying to understand it all. Printed some regex tutorial web pages as well. I added the rule before any replies showed up but am removing it since it's a valiant effort but not hitting where I'd hoped...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500
RE: Regex help
On Thu, 2011-04-21 at 14:55 -0800, Kevin Miller wrote:
> I know it may trigger on some ham which is why I set the initial score to 0.01. Better ideas are most welcome though!

It may be a good idea to look at the headers, especially From, From: and Message-ID: and at body URIs to see if there are any recognisable patterns. If so, it may be easier to write rule(s) to match them.

Martin
RE: Regex help
Stupid Outlook. Meant to reply to the list again. Sigh.

Karsten Bräckelmann wrote:
> What you want. The string 'br', repeated five times (or more). For the quantifier, you need to group the string.
>
>   /(?:br){5}/
>
> Besides the above, do not use {5,} as a quantifier, UNLESS there is something after that string you also want to match. If you do not want to match anything after that, exactly 5 times {5} will match always the same as five or more {5,} -- the latter just unnecessarily keeps on trying.

Great. I've changed my rule to that, and am going to look at Adam's somewhat enhanced version to understand what all it's doing. To wit:

rawbody LOCAL_5X_BR_TAGS /(?:br\/?[\s\r\n]{0,4}){5}/mi

I note that Adam used rawbody rather than body, so I presume that I should change my rule to that as well.

Thanks...

...Kevin
RE: Regex help
On Thu, 2011-04-21 at 15:47 -0800, Kevin Miller wrote:
> Karsten Bräckelmann wrote:
>> What you want. The string 'br', repeated five times (or more). For the quantifier, you need to group the string.
>>
>>   /(?:br){5}/
>
> Great. I've changed my rule to that, and am going to look at Adam's somewhat enhanced version to understand what all it's doing. To wit:
>
> rawbody LOCAL_5X_BR_TAGS /(?:br\/?[\s\r\n]{0,4}){5}/mi

That should do the trick indeed.

After this, I strongly suggest to carefully re-read the entire thread, and read some docs specifically about the points raised. That includes RE peculiarities [1] you used with previous REs without knowing them, as well as my escaping notes with using the shell.

> I note that Adam used rawbody rather than body, so I presume that I should change my rule to that as well.

Yup, he explained why you need that -- otherwise, HTML tags are not preserved verbatim, but HTML parts rendered and normalized.

[1] PCRE flavor, Perl Compatible REs.
RE: Regex help
Karsten Bräckelmann wrote:
> On Thu, 2011-04-21 at 15:47 -0800, Kevin Miller wrote:
>> Karsten Bräckelmann wrote:
>>> What you want. The string 'br', repeated five times (or more). For the quantifier, you need to group the string.
>>>
>>>   /(?:br){5}/
>>
>> Great. I've changed my rule to that, and am going to look at Adam's somewhat enhanced version to understand what all it's doing. To wit:
>>
>> rawbody LOCAL_5X_BR_TAGS /(?:br\/?[\s\r\n]{0,4}){5}/mi
>
> That should do the trick indeed.
>
> After this, I strongly suggest to carefully re-read the entire thread, and read some docs specifically about the points raised. That includes RE peculiarities [1] you used with previous REs without knowing them, as well as my escaping notes with using the shell.
>
>> I note that Adam used rawbody rather than body, so I presume that I should change my rule to that as well.
>
> Yup, he explained why you need that -- otherwise, HTML tags are not preserved verbatim, but HTML parts rendered and normalized.
>
> [1] PCRE flavor, Perl Compatible REs.

Again, thanks very much to all that chimed in. Lots to digest here, and I'm sure I'll still miss some of the finer points, but having a real problem to solve is the best way to actually learn this stuff.

Have a great day gentlemen...

...Kevin
Re: Regex help
On Thu, 21 Apr 2011, Adam Katz wrote:
> rawbody LOCAL_5X_BR_TAGS /(?:br\/?[\s\r\n]{0,4}){5}/mi

...when does \s{0,4} not match the same text as [\s\r\n]{0,4} ? (i.e. \r and \n are whitespace, no?)

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Our government wants to do everything it can for the children, except sparing them crushing tax burdens.
---
2 days until Max Planck's 153rd birthday
Re: Regex help
On Thu, 2011-04-21 at 16:08 -0800, Kevin Miller wrote:
> Karsten Bräckelmann wrote:
>> That should do the trick indeed. After this, I strongly suggest to carefully re-read the entire thread, and read some docs specifically about the points raised. That includes RE peculiarities [1] you used with previous REs without knowing them, as well as my escaping notes with using the shell.
>
> Again, thanks very much to all that chimed in. Lots to digest here, and I'm sure I'll still miss some of the finer points, but having a real problem to solve is the best way to actually learn this stuff.

True. But don't stop at understanding why the resulting rule works. Instead, try to understand why and where each and every previous attempt (avoiding the term RE here) failed.

Of course, I am particularly back at the different levels of escaping. Think shell. It adds an additional level of interpretation and thus escaping. Basics, that really can bite your ass.

Classic example:

  find . -name '*.pdf'

*Without* the quotes, *.pdf will be expanded by the shell, IFF there are PDF files in the dir. If there are none, it just works as expected. If there are, however, the shell will expand the wildcard. Either leading to an error (here, with more than one PDF file), or silently ignoring anything that is not named exactly as the one PDF file in the current dir...

Multiple levels of escaping. As shown in your OP.
Regex Rule Help?
I'm trying to match any URL that points to a URL shortener. They typically consist of http(s) followed by a domain name, a slash and a small series of alphanumeric characters, *without a trailing / or file extension*.

I seem to be having pretty good luck matching the URL, however I can't figure out how to make the regex explicitly *not* match anything that ends in a slash or contains an extension.

For example, I want to match http://asdf.ghi/j2kj4l23, but not http://asdf.ghi/j2kj4l23/abc.html or http://asdf.ghi/j2kj4l23/

I tried using the perl negative look-ahead as both : (?!/) and (?!\/) without success.

Can anybody toss me a clue?

Thanks!

Terry
Re: Regex Rule Help?
On 3/21/2011 1:07 PM, Terry Carmen wrote:
> I'm trying to match any URL that points to a URL shortener. They typically consist of http(s) followed by a domain name, a slash and a small series of alphanumeric characters, *without a trailing / or file extension*.
>
> I seem to be having pretty good luck matching the URL, however I can't figure out how to make the regex explicitly *not* match anything that ends in a slash or contains an extension.
>
> For example, I want to match http://asdf.ghi/j2kj4l23, but not http://asdf.ghi/j2kj4l23/abc.html or http://asdf.ghi/j2kj4l23/
>
> I tried using the perl negative look-ahead as both : (?!/) and (?!\/) without success.
>
> Can anybody toss me a clue?

Show us your current rule and we can tell you what you are doing wrong.

--
Bowie
Re: Regex Rule Help?
On Mon, 2011-03-21 at 13:07 -0400, Terry Carmen wrote:
> I'm trying to match any URL that points to a URL shortener. They typically consist of http(s) followed by a domain name, a slash and a small series of alphanumeric characters, *without a trailing / or file extension*.
>
> I seem to be having pretty good luck matching the URL, however I can't figure out how to make the regex explicitly *not* match anything that ends in a slash or contains an extension.
>
> For example, I want to match http://asdf.ghi/j2kj4l23, but not http://asdf.ghi/j2kj4l23/abc.html or http://asdf.ghi/j2kj4l23/
>
> I tried using the perl negative look-ahead as both : (?!/) and (?!\/) without success.
>
> Can anybody toss me a clue?

Have you looked at the DecodeShortURLs plugin? That would seem to do what you need *and* check whether the shortened URL points to anything harmful.

Martin
Re: Regex Rule Help?
On 03/21/2011 10:07 AM, Terry Carmen wrote:
> I'm trying to match any URL that points to a URL shortener. They typically consist of http(s) followed by a domain name, a slash and a small series of alphanumeric characters, *without a trailing / or file extension*.
>
> I seem to be having pretty good luck matching the URL, however I can't figure out how to make the regex explicitly *not* match anything that ends in a slash or contains an extension.
>
> For example, I want to match http://asdf.ghi/j2kj4l23, but not http://asdf.ghi/j2kj4l23/abc.html or http://asdf.ghi/j2kj4l23/

In this specific case, I think you want a simple end-of-line indicator,

uri ASDF_GHI_SHORT m'^http://asdf\.ghi/[\w-]{1,12}$'i

In order to match http://asdf.ghi/j2kj4l23#mno you might want:

uri ASDF_GHI_SHORT m'^http://asdf\.ghi/[\w-]{1,12}(?:[^/.\w-]|$)'i

( I used m'' instead of // so I didn't have to escape the slashes. Any punctuation can be used in that manner, though the leading m is only optional in m// ).

> I tried using the perl negative look-ahead as both : (?!/) and (?!\/) without success.

As to using a negative look-ahead operator: Though I'm not exactly sure about when it's needed, you sometimes have to put something after it, like /foo(?!bar)(?:.|$)/ ... this is not mentioned in the spec.
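One mechanism that makes a bare trailing look-ahead such as `(?!/)` appear to do nothing, shown as an added example that is not part of the original posts: the quantified class in front of it backtracks by one character. Terry's actual rule is not shown in the thread, so `bare_lookahead` and `bounded_lookahead` are hypothetical rules built on the prefix of Adam's two rules, run here with Python's `re`, whose syntax matches Perl's for these constructs.

```python
import re

# Common prefix of the two rules posted in the thread.
PREFIX = r"^http://asdf\.ghi/[\w-]{1,12}"

RULES = {
    # The two REs from the reply above.
    "end_anchor": PREFIX + r"$",
    "end_or_delimiter": PREFIX + r"(?:[^/.\w-]|$)",
    # Hypothetical: a look-ahead that only forbids a slash.
    "bare_lookahead": PREFIX + r"(?!/)",
    # Hypothetical: the look-ahead also forbids any char the class could
    # have consumed, so giving back characters can never satisfy it.
    "bounded_lookahead": PREFIX + r"(?![\w/.-])",
}

# The four URL shapes quoted in the thread.
SHORT = "http://asdf.ghi/j2kj4l23"
FRAGMENT = "http://asdf.ghi/j2kj4l23#mno"
SLASH = "http://asdf.ghi/j2kj4l23/"
EXTENSION = "http://asdf.ghi/j2kj4l23/abc.html"
URLS = [SHORT, FRAGMENT, SLASH, EXTENSION]


def matched_text(rule, url):
    """Return the substring a rule matched in url, or None."""
    found = re.search(RULES[rule], url, re.IGNORECASE)
    return found.group(0) if found else None


def verdicts(rule):
    """Map each sample URL to True/False for the given rule."""
    return {url: matched_text(rule, url) is not None for url in URLS}


if __name__ == "__main__":
    for rule in RULES:
        print(rule)
        for url in URLS:
            print(f"    {url:36} -> {matched_text(rule, url)!r}")
```

With `bare_lookahead` the unwanted URLs still hit: the class gives back the final `3`, the look-ahead then sees `3` rather than `/`, and the match succeeds on the shortened token.
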
Re: Trying to help friend NOT get caught by spamassassin
On Wed, 2011-03-09 at 18:50 -0500, Robert Moskowitz wrote:
> Open Office might be worth it for him. It is what I use most of the time

In that case one of you should suck a plain text newsletter body into oowriter, make it look tidy, save it as HTML and then run it through a validator, such as HTML-tidy, to make sure it isn't generating any incorrect HTML that my small test missed.

Writing code that generates standards-compliant HTML needs a bit of care and attention - I've been there, done that a few times. I also know that looking at the output with a web browser or MUA, while necessary, isn't enough. Once the program is generating well formatted pages its output should be run through a validator and the cycle repeated until the HTML is both well-formatted and passes validation without errors or warnings. Judging by the results, most authors of HTML generating tools skip the validation checks.

Martin
Re: Trying to help friend NOT get caught by spamassassin
On Thu, 10 Mar 2011, Martin Gregorie wrote:
> On Wed, 2011-03-09 at 18:50 -0500, Robert Moskowitz wrote:
>> Open Office might be worth it for him. It is what I use most of the time
>
> In that case one of you should suck a plain text newsletter body into oowriter, make it look tidy, save it as HTML and then run it through a validator, such as HTML-tidy, to make sure it isn't generating any incorrect HTML that my small test missed.

Be careful with that. I haven't been at all satisfied with the HTML that OOo produces for even simple documents.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
Re: Trying to help friend NOT get caught by spamassassin
On 3/9/11 6:50 PM, Robert Moskowitz wrote:
> On 03/09/2011 06:33 PM, Martin Gregorie wrote:
>> On Wed, 2011-03-09 at 17:33 -0500, Robert Moskowitz wrote:
>>> It is almost better to build the html and have OE send it than to let OE do its own HTML building.
>>
>> I couldn't agree more - provided he uses something that generates valid HTML, which doesn't mean MS Office. I agree that sending plain text would be best though he could also try Open Office (a small test file with assorted formatting in it was perfect) or rendering the newsletter as PDF.
>
> His clientele are all older purchasing people at small companies, lacking generally in computer skills. Opening up a pdf would be a non-starter for some of them. That is partly why he has not converted to a web site.
>
> Open Office might be worth it for him. It is what I use most of the time

consider using a third party service, some are free, or reasonably priced. if you want to pay extra, you can get one that is 'certified'. (you pay for that)

for freeish/ and a pretty good reputation for canceling clients who are not confirmed opt-in... mailchimp.

reason I say that, is that they are the only ESP I have dealt with that will respond back to a complaint, then respond back that they have banned the client for spamming.. others, even 'certified' ones, send back an auto ignore mail, saying they will look into it and get back to me, but never do.

so, mailchimp: not certified, but not blacklisted either. If I didn't run my one listserver, I would use theirs.

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
Re: Trying to help friend NOT get caught by spamassassin
On 03/09/2011 01:12 AM, John Hardin wrote:
> On Tue, 8 Mar 2011, Robert Moskowitz wrote:
>> I have a friend that puts out a 'barter' list. He acts as a clearinghouse for some equipment wholesalers. He has been fighting getting tagged as spamming for some time and finally came to me for help.
>>
>> Oh, and I am looking at setting up a mailman server for him as an announce list.
>
> That, on a static IP, will be very good approach.
>
>> EXCUSE_REMOVE=3.299
>
> Once he's on the listserv, use unsubscribe rather than removed from mailings.

It seems he should be able to reword it right now, while I work on setting up his domain on my mailman server.

>> FILL_THIS_FORM=0.001,FILL_THIS_FORM_LONG=3.404,
>
> Can he avoid having a fill-in-your-personal-details form in the email body?

I really don't think he has such. Something else in the emails is triggering this?

>> MANY_SPAN_IN_TEXT=2.7,
>
> Tell him to clean up his HTML.

His content is strictly text, coming from Outlook Express. So the culprit might be OE putting the text into an HTML mime part.

>> LOTS_OF_MONEY=0.001
>
> I take it the equipment is expensive?

Yes. No way around that.

> If you'd like, he can put me on his bcc: list too for a while. I'll be able to see samples and maybe tune the rules a bit, and I'll also be able to add them to the masscheck ham corpus if justified. Just let me know his email address and the name of the newsletter and such so that I can look out for them.

Look for private note.
Re: Trying to help friend NOT get caught by spamassassin
On 03/09/2011 12:37 AM, haman...@t-online.de wrote:
>> I have a friend that puts out a 'barter' list. He acts as a clearinghouse for some equipment wholesalers. He has been fighting getting tagged as spamming for some time and finally came to me for help. I had helped some, but finally told him to add me to his distribution (he uses BCC lists; he has ~2000 wholesalers). I have spamassassin running with postfix and pretty much a default setup, and of course his notes got tagged as spam. Below is what I pulled out of the headers. Where do I go to learn what these mean and what he can do to 'clean up' his messages?
>>
>> Oh, and I am looking at setting up a mailman server for him as an announce list.
>>
>> Yes, score=10.206 tagged_above=2 required=4tests=[BAYES_50=0.8, EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001,FILL_THIS_FORM_LONG=3.404, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001,MANY_SPAN_IN_TEXT=2.7, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
>>
>> Yes, score=8.856 tagged_above=2 required=4 tests=[AWL=1.350, BAYES_50=0.8, EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001, FILL_THIS_FORM_LONG=3.404, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
>
> Hi,
> it seems your friend is putting stuff on the newsletter that SA considers as signs of commercial mass mails
> EXCUSE_REMOVE=3.299
> FILL_THIS_FORM_LONG=3.404
> Your friend is probably doing right (the REMOVE bit might be required by law)
> Maybe the fill_this_form part could be avoided, by directing the reader to a website instead

He has unsubscribe instructions at the end directing people to email him to get off his newsletter. There is no form part there as such.

> It is the old dilemma: people subscribe to a newsletter and then let some system (be it spam filter, or some challenge-response idiocy) intercept them

We gave up a lot running away REALLY FAST from X.400 (yes, I implemented some of that stuff), and with it we got some consequences.

> The idea to replace Bcc lists is perfect

Now I've got to get that done.
Re: Trying to help friend NOT get caught by spamassassin
On Wed, 2011-03-09 at 16:45 -0500, Robert Moskowitz wrote:
> His content is strictly text, coming from Outlook Express. So the culprit might be OE putting the text into an HTML mime part.

Historically, any HTML generated by any MS program has been terrible, what with proprietary attributes and tag sequences that violate nesting rules (such as <p><ul></p></ul> when character formatting regions should be entirely within a paragraph, e.g. <p><ul></ul></p>).

Snipping the HTML part out of one of his messages and running it through HTML-tidy would be a worth-while exercise. So would fixing errors found by HTML-tidy in situ in the HTML part of the message and running the corrected message through SA to see how that affects the score.

Martin
Re: Trying to help friend NOT get caught by spamassassin
On 03/09/2011 01:12 AM, John Hardin wrote:
> On Tue, 8 Mar 2011, Robert Moskowitz wrote:
>> I have a friend that puts out a 'barter' list. He acts as a clearinghouse for some equipment wholesalers. He has been fighting getting tagged as spamming for some time and finally came to me for help.
>>
>> Oh, and I am looking at setting up a mailman server for him as an announce list.
>
> That, on a static IP, will be very good approach.
>
>> EXCUSE_REMOVE=3.299
>
> Once he's on the listserv, use unsubscribe rather than removed from mailings.
>
>> FILL_THIS_FORM=0.001,FILL_THIS_FORM_LONG=3.404,
>
> Can he avoid having a fill-in-your-personal-details form in the email body?
>
>> MANY_SPAN_IN_TEXT=2.7,
>
> Tell him to clean up his HTML.

Actually, I am telling him to turn off sending HTML. His newsletter is strictly text and good old Outlook Express is sending it as BOTH text and HTML. All the HTML is created by OE, thank you very much. <g> (from someone that spent time working on SMTP/MIME standards long ago).

>> LOTS_OF_MONEY=0.001
>
> I take it the equipment is expensive?
>
> If you'd like, he can put me on his bcc: list too for a while. I'll be able to see samples and maybe tune the rules a bit, and I'll also be able to add them to the masscheck ham corpus if justified. Just let me know his email address and the name of the newsletter and such so that I can look out for them.
Re: Trying to help friend NOT get caught by spamassassin
On 03/09/2011 05:22 PM, Martin Gregorie wrote:
> On Wed, 2011-03-09 at 16:45 -0500, Robert Moskowitz wrote:
>> His content is strictly text, coming from Outlook Express. So the culprit might be OE putting the text into an HTML mime part.
>
> Historically, any HTML generated by any MS program has been terrible, what with proprietary attributes and tag sequences that violate nesting rules (such as <p><ul></p></ul> when character formatting regions should be entirely within a paragraph, e.g. <p><ul></ul></p>).
>
> Snipping the HTML part out of one of his messages and running it through HTML-tidy would be a worth-while exercise. So would fixing errors found by HTML-tidy in situ in the HTML part of the message and running the corrected message through SA to see how that affects the score.

Better would be to turn off HTML in OE, or use a better emailer :)

I am working on this little pointer with him.

It is almost better to build the html and have OE send it than to let OE do its own HTML building.
Re: Trying to help friend NOT get caught by spamassassin
On Wed, 2011-03-09 at 17:33 -0500, Robert Moskowitz wrote:
> It is almost better to build the html and have OE send it than to let OE do its own HTML building.

I couldn't agree more - provided he uses something that generates valid HTML, which doesn't mean MS Office. I agree that sending plain text would be best though he could also try Open Office (a small test file with assorted formatting in it was perfect) or rendering the newsletter as PDF.

Martin
Re: Trying to help friend NOT get caught by spamassassin
On 03/09/2011 06:33 PM, Martin Gregorie wrote:
> On Wed, 2011-03-09 at 17:33 -0500, Robert Moskowitz wrote:
>> It is almost better to build the html and have OE send it than to let OE do its own HTML building.
>
> I couldn't agree more - provided he uses something that generates valid HTML, which doesn't mean MS Office. I agree that sending plain text would be best though he could also try Open Office (a small test file with assorted formatting in it was perfect) or rendering the newsletter as PDF.

His clientele are all older purchasing people at small companies, lacking generally in computer skills. Opening up a pdf would be a non-starter for some of them. That is partly why he has not converted to a web site.

Open Office might be worth it for him. It is what I use most of the time
Re: Trying to help friend NOT get caught by spamassassin
On Wed, 9 Mar 2011, Robert Moskowitz wrote:
> On 03/09/2011 01:12 AM, John Hardin wrote:
>> On Tue, 8 Mar 2011, Robert Moskowitz wrote:
>>> MANY_SPAN_IN_TEXT=2.7,
>>
>> Tell him to clean up his HTML.
>
> Actually, I am telling him to turn off sending HTML.

...even better. :)

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
Trying to help friend NOT get caught by spamassassin
I have a friend that puts out a 'barter' list. He acts as a clearinghouse for some equipment wholesalers. He has been fighting getting tagged as spamming for some time and finally came to me for help. I had helped some, but finally told him to add me to his distribution (he uses BCC lists; he has ~2000 wholesalers). I have spamassassin running with postfix and pretty much a default setup, and of course his notes got tagged as spam. Below is what I pulled out of the headers. Where do I go to learn what these mean and what he can do to 'clean up' his messages?

Oh, and I am looking at setting up a mailman server for him as an announce list.

Yes, score=10.206 tagged_above=2 required=4tests=[BAYES_50=0.8, EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001,FILL_THIS_FORM_LONG=3.404, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001,MANY_SPAN_IN_TEXT=2.7, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no

Yes, score=8.856 tagged_above=2 required=4 tests=[AWL=1.350, BAYES_50=0.8, EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001, FILL_THIS_FORM_LONG=3.404, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Re: Trying to help friend NOT get caught by spamassassin
> I have a friend that puts out a 'barter' list. He acts as a clearinghouse for some equipment wholesalers. He has been fighting getting tagged as spamming for some time and finally came to me for help. I had helped some, but finally told him to add me to his distribution (he uses BCC lists; he has ~2000 wholesalers). I have spamassassin running with postfix and pretty much a default setup, and of course his notes got tagged as spam. Below is what I pulled out of the headers. Where do I go to learn what these mean and what he can do to 'clean up' his messages?
>
> Oh, and I am looking at setting up a mailman server for him as an announce list.
>
> Yes, score=10.206 tagged_above=2 required=4tests=[BAYES_50=0.8, EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001,FILL_THIS_FORM_LONG=3.404, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001,MANY_SPAN_IN_TEXT=2.7, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
>
> Yes, score=8.856 tagged_above=2 required=4 tests=[AWL=1.350, BAYES_50=0.8, EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001, FILL_THIS_FORM_LONG=3.404, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no

Hi,
it seems your friend is putting stuff on the newsletter that SA considers as signs of commercial mass mails
EXCUSE_REMOVE=3.299
FILL_THIS_FORM_LONG=3.404
Your friend is probably doing right (the REMOVE bit might be required by law)
Maybe the fill_this_form part could be avoided, by directing the reader to a website instead

It is the old dilemma: people subscribe to a newsletter and then let some system (be it spam filter, or some challenge-response idiocy) intercept them

The idea to replace Bcc lists is perfect

Wolfgang Hamann
Re: Trying to help friend NOT get caught by spamassassin
On Tue, 8 Mar 2011, Robert Moskowitz wrote:
> I have a friend that puts out a 'barter' list. He acts as a clearinghouse for some equipment wholesalers. He has been fighting getting tagged as spamming for some time and finally came to me for help.
>
> Oh, and I am looking at setting up a mailman server for him as an announce list.

That, on a static IP, will be very good approach.

> EXCUSE_REMOVE=3.299

Once he's on the listserv, use unsubscribe rather than removed from mailings.

> FILL_THIS_FORM=0.001,FILL_THIS_FORM_LONG=3.404,

Can he avoid having a fill-in-your-personal-details form in the email body?

> MANY_SPAN_IN_TEXT=2.7,

Tell him to clean up his HTML.

> LOTS_OF_MONEY=0.001

I take it the equipment is expensive?

If you'd like, he can put me on his bcc: list too for a while. I'll be able to see samples and maybe tune the rules a bit, and I'll also be able to add them to the masscheck ham corpus if justified. Just let me know his email address and the name of the newsletter and such so that I can look out for them.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
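A way to read the two status headers quoted in this thread and see which of the suggested changes would bring the score under the threshold, as an added example that is not part of the original posts. It assumes that each change removes exactly the rule hits named in the scenario sets below and leaves every other score (BAYES and AWL included) unchanged; the scenario names are illustrative.

```python
import re

# Status header values quoted in the thread (header folding normalised).
HEADERS = [
    "Yes, score=10.206 tagged_above=2 required=4 tests=[BAYES_50=0.8, "
    "EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001, FILL_THIS_FORM_LONG=3.404, "
    "HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, MANY_SPAN_IN_TEXT=2.7, "
    "RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no",
    "Yes, score=8.856 tagged_above=2 required=4 tests=[AWL=1.350, "
    "BAYES_50=0.8, EXCUSE_REMOVE=3.299, FILL_THIS_FORM=0.001, "
    "FILL_THIS_FORM_LONG=3.404, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, "
    "RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no",
]

# Assumed mapping from the advice in the thread to the hits it would remove.
HTML_OFF = {"MANY_SPAN_IN_TEXT", "HTML_MESSAGE"}
REWORD_REMOVE = {"EXCUSE_REMOVE"}
NO_FORM_TEXT = {"FILL_THIS_FORM", "FILL_THIS_FORM_LONG"}


def parse_status(value):
    """Split a status value into verdict, score, threshold and rule hits."""
    fields = dict(re.findall(
        r"\b(score|tagged_above|required)=(-?\d+(?:\.\d+)?)", value))
    listed = re.search(r"tests=\[([^\]]*)\]", value)
    tests = {}
    for item in (listed.group(1).split(",") if listed else []):
        name, _, points = item.strip().partition("=")
        if name and points:
            tests[name] = float(points)
    return {
        "spam": value.lstrip().lower().startswith("yes"),
        "score": float(fields["score"]),
        "required": float(fields["required"]),
        "tests": tests,
    }


def rule_total(parsed):
    """Sum of the listed rule scores; should agree with score= (rounded)."""
    return sum(parsed["tests"].values())


def top_rules(parsed, count=3):
    """The highest-scoring hits, largest first."""
    ranked = sorted(parsed["tests"].items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:count]


def what_if(parsed, dropped):
    """Score and verdict if the hits named in `dropped` no longer fired."""
    remaining = sum(points for name, points in parsed["tests"].items()
                    if name not in dropped)
    return round(remaining, 4), remaining >= parsed["required"]


if __name__ == "__main__":
    for header in HEADERS:
        parsed = parse_status(header)
        print(parsed["score"], round(rule_total(parsed), 4), top_rules(parsed))
        print("  HTML off:              ", what_if(parsed, HTML_OFF))
        print("  + reworded removal:    ",
              what_if(parsed, HTML_OFF | REWORD_REMOVE))
        print("  + no form-like wording:",
              what_if(parsed, HTML_OFF | REWORD_REMOVE | NO_FORM_TEXT))
```
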
Help updating my spam assassin forum
I have a successfully running Spam Assassin installation on my home email server (running hMail for Windows). I installed the Spam Assassin a couple of years ago and have let it do its thing. It is running great today, however, because it has been so long since I installed it I thought I would look into upgrading it.

I can't remember half of what I did to get it running and have been piecing the upgrade process together through the various documentation available online - and not having much luck. So I thought I would post here and get some assistance.

I am running SA through ActivePerl on the command line called by a vb script in hMail. I have ActivePerl version 5.8.8 Build 822 - I know there are newer versions out there - should I upgrade this or leave it as is?

When I run an sa-diag the debug.log tells me I have version 3.2.4. I have downloaded 3.3.1. What I can't find are clear instructions on upgrading under Windows. I am concerned that I will mess up one of the configuration files so any help in this area would be appreciated!

Thanks.
Re: Help with new install
On 1/29/11 5:15 PM, Mark Martinec mark.martinec...@ijs.si wrote: On Saturday January 29 2011 15:51:25 James Lay wrote: Just did a new install and I'm seeing the below when spamassassin is checking an email: Jan 29 07:47:42 gateway spamd[15540]: dns: sendto() failed: Connection refused at /usr/lib64/perl5/site_perl/5.10.1/Mail/SpamAssassin/DnsResolver.pm line 411, GEN408 line 158. DNS is working fine on the machine, resolve.conf is set with the right information as well. Any hints on to why this is happening? Thanks all. The Net::DNS is looking only at the first 'nameserver' entry in your /etc/resolv.conf. Perhaps you have more than one DNS server listed and the first one is not alive. Test it with 'host' or 'dig' by explicitly specifying its IP address to the command. Mark Thanks Mark...checked settings and sure enough that was the issue...dig did work though which was weird. Working great now after a restart. Thanks again.
Help with new install
Hey all Just did a new install and I'm seeing the below when spamassassin is checking an email: Jan 29 07:47:42 gateway spamd[15540]: dns: sendto() failed: Connection refused at /usr/lib64/perl5/site_perl/5.10.1/Mail/SpamAssassin/DnsResolver.pm line 411, GEN408 line 158. Jan 29 07:47:42 gateway spamd[15540]: Use of uninitialized value in string ne at /usr/lib64/perl5/site_perl/5.10.1/Mail/SpamAssassin/AsyncLoop.pm line 174, GEN408 line 158. DNS is working fine on the machine, resolve.conf is set with the right information as well. Any hints on to why this is happening? Thanks all. James
Re: Help with new install
On Saturday January 29 2011 15:51:25 James Lay wrote: Just did a new install and I'm seeing the below when spamassassin is checking an email: Jan 29 07:47:42 gateway spamd[15540]: dns: sendto() failed: Connection refused at /usr/lib64/perl5/site_perl/5.10.1/Mail/SpamAssassin/DnsResolver.pm line 411, GEN408 line 158. DNS is working fine on the machine, resolve.conf is set with the right information as well. Any hints on to why this is happening? Thanks all. The Net::DNS is looking only at the first 'nameserver' entry in your /etc/resolv.conf. Perhaps you have more than one DNS server listed and the first one is not alive. Test it with 'host' or 'dig' by explicitly specifying its IP address to the command. Mark
help: bayes failed
Good morning List. Apologies for this post but I do not know what else to try. I am new to Suse Amavisd-new. (inherited system) As such, I appear to have a problem getting bayes to learn. I keep getting the errors autolearn=failed I have a feeling it's a permission problem due to amavis but I am not sure. Has anyone else experienced issues with Amavisd-new spamassassin's bayes? My local.cf has: bayes_path /var/spool/amavis/.spamassassin/bayes Thanks Tom
Re: help: bayes failed: update
On 2010/11/30 10:07 AM, Tom Kinghorn wrote: Good morning List. Apologies for this post but I do not know what else to try. I am new to Suse Amavisd-new. (inherited system) As such, I appear to have a problem getting bayes to learn. Hi List. Further to my post, when using amavis, the autolearn fails, when I pass the same mail via spamassassin -t -D message, it shows autolearn=spam, so it looks like an amavis issue. I know it's now OT, but any advice would be appreciated. Thanks Tom
Re: help: bayes failed: RESOLVED
Further to my post, when using amavis, the autolearn fails, when I pass the same mail via spamassassin -t -D message, it shows autolearn=spam, so it looks like an amavis issue. I know it's now OT, but any advice would be appreciated. Thanks Tom Hi List Please ignore. Problem solved. User directory location error on my part. Logs now show: Nov 30 12:57:25 smtp4 amavis[9666]: (09666-01) spam_scan: score=9.934 autolearn=spam thanks Tom
custom rule help
Morning List. Firstly, apologies for posting this here. I have tried dozens of times to get this rule working, without success. I need to write a custom rule to score a message Subject. Subject: =?windows-1252?Q?100%_Finance_with_No_Deposit_Required_:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village?= I would like to match _Stands_in_a_Pristine_West_Coast_Beachside_Security_Village My last attempt was: header VM_WESTCOAST_SUB Subject =~ /.*:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village/ any help would be appreciated. Thanks Tom
RE: custom rule help
Try /\:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village/ Cheers, Phil -- Phil Randal | Infrastructure Engineer NHS Herefordshire Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 From: Tom Kinghorn [mailto:thomas.kingh...@gmail.com] Sent: 24 November 2010 08:51 To: users@spamassassin.apache.org Subject: custom rule help Morning List. Firstly, apologies for posting this here. I have tried dozens of times to get this rule working, without success. I need to write a custom rule to score a message Subject. Subject: =?windows-1252?Q?100%_Finance_with_No_Deposit_Required_:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village?= I would like to match _Stands_in_a_Pristine_West_Coast_Beachside_Security_Village My last attempt was: header VM_WESTCOAST_SUB Subject =~ /.*:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village/ any help would be appreciated. Thanks Tom
Re: custom rule help
On Wed, 2010-11-24 at 10:50 +0200, Tom Kinghorn wrote: My last attempt was: header VM_WESTCOAST_SUB Subject =~ /.*:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village/ any help would be appreciated. How are you testing your rules? If you want to test and/or develop the regex outside of SA, try the following: - http://www.solmetra.com/scripts/regex/ is an online test harness - Current versions of grep have a -P option. This causes it to accept Perl regexes. Martin
Re: custom rule help
On 24/11/2010 09:50, Tom Kinghorn wrote: Subject: =?windows-1252?Q?100%_Finance_with_No_Deposit_Required_:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village?= I would like to match _Stands_in_a_Pristine_West_Coast_Beachside_Security_Village By default, header rules work on the *decoded* subject, not the raw quoted-printable-encoded subject you've quoted. So you need to replace the underscores with spaces in your regex. Alternatively (though not necessary here) you can append :raw to the header name to see the undecoded subject. John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages- www.tradoc.fr
Re: custom rule help
On 2010/11/24 02:55 PM, John Wilcock wrote: On 24/11/2010 09:50, Tom Kinghorn wrote: By default, header rules work on the *decoded* subject, not the raw quoted-printable-encoded subject you've quoted. So you need to replace the underscores with spaces in your regex. Alternatively (though not necessary here) you can append :raw to the header name to see the undecoded subject. John. Hi John Thanks for this. Worked 100% regards Tom
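The decoded-versus-raw behaviour John Wilcock describes, as an added example that is not part of the thread and is not SpamAssassin code: a small Python stand-in that parses `header` rules and evaluates them against the Subject Tom quoted. The mini-parser, the `VM_WESTCOAST_RAW` and `VM_WESTCOAST_DEC` rule names, and the use of Python's `re` in place of Perl regexes are assumptions of this sketch.

```python
import re
from email.header import decode_header

# Subject header exactly as quoted in the thread (an RFC 2047 encoded-word).
RAW_SUBJECT = (
    "=?windows-1252?Q?100%_Finance_with_No_Deposit_Required_:_Stands_in_a_"
    "Pristine_West_Coast_Beachside_Security_Village?="
)

# Hypothetical mini-parser for the rule shape used in the thread:
#   header NAME Header[:raw] =~ /regex/flags
RULE_RE = re.compile(
    r"^header\s+(?P<name>\S+)\s+(?P<header>[\w-]+)(?P<raw>:raw)?\s+"
    r"(?P<op>=~|!~)\s+/(?P<pattern>.*)/(?P<flags>[a-z]*)$"
)


def decode_rfc2047(value):
    """Decode encoded-words, i.e. the text a header rule sees by default."""
    parts = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def rule_hits(rule_line, headers):
    """Return True if the rule would fire on the given header dict."""
    m = RULE_RE.match(rule_line.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: " + rule_line)
    value = headers.get(m["header"], "")
    if not m["raw"]:
        value = decode_rfc2047(value)  # default: match the decoded text
    flags = re.IGNORECASE if "i" in m["flags"] else 0
    found = re.search(m["pattern"], value, flags) is not None
    return found if m["op"] == "=~" else not found


RULES = {
    # Tom's original attempt: the underscores only exist in the encoded form.
    "original": "header VM_WESTCOAST_SUB Subject =~ "
                "/.*:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village/",
    # Same text matched against the undecoded header via the :raw modifier.
    "raw": "header VM_WESTCOAST_RAW Subject:raw =~ "
           "/:_Stands_in_a_Pristine_West_Coast_Beachside_Security_Village/",
    # John's fix: spaces instead of underscores, matched on the decoded text.
    "decoded": "header VM_WESTCOAST_DEC Subject =~ "
               "/: Stands in a Pristine West Coast Beachside Security Village/",
}


def evaluate_all():
    """Run every rule variant against the quoted Subject."""
    headers = {"Subject": RAW_SUBJECT}
    return {label: rule_hits(rule, headers) for label, rule in RULES.items()}


if __name__ == "__main__":
    print(decode_rfc2047(RAW_SUBJECT))
    for label, hit in evaluate_all().items():
        print(f"{label:8} {'HIT' if hit else 'miss'}")
```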
Re: Help! Filter spam with less than symbol in recipient
On Fri, 15 Oct 2010, Bowie Bailey wrote: header TO1 To =~ /^\s*/ This will work with or without the space (or multiple spaces, or tabs...). You don't need to escape anything in this regex. None of those are special characters. I just got one of these spams too. Added to sandbox. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- USMC Rules of Gunfighting #4: If your shooting stance is good, you're probably not moving fast enough nor using cover correctly. --- 62 days until TRON Legacy
Help! Filter spam with less than symbol in recipient
Hello all, here's my problem: I'm receiving a lot of spam which has a (less than symbol) in the recipient field. For example, I have this in the header: To: abo...@koala.it I'd need a spamassassin rule that's able to catch this spam, I had no success. The less than symbol seems to be uncatchable! (even if backslashed). I'm wondering if there's a rule to filter a recipient name. For the sender, I normally use this one: header FROM1 From:name =~ /EuroPrime Casino/i so I suppose that for the recipient it should be like this (I didn't find any documentation about it): header TO1 To:name =~ /EuroPrime Casino/i in particular (to filter the less than symbol): header TO1 To:name =~ /\/i but it seems not to work... Could you please help me? I'm desperate! Thanks :-)
Re: Help! Filter spam with less than symbol in recipient
On 15/10/2010 12:01, Niente0 wrote: Hello all, here's my problem: I'm receiving a lot of spam which has a (less than symbol) in the recipient field. For example, I have this in the header: To: abo...@koala.it I'd need a spamassassin rule that's able to catch this spam, I had no success. The less than symbol seems to be uncatchable! (even if backslashed). I'm wondering if there's a rule to filter a recipient name. For the sender, I normally use this one: header FROM1 From:name =~ /EuroPrime Casino/i so I suppose that for the recipient it should be like this (I didn't find any documentation about it): header TO1 To:name =~ /EuroPrime Casino/i in particular (to filter the less than symbol): header TO1 To:name =~ /\/i but it seems not to work... Could you please help me? I'm desperate! Thanks :-) Have you tried escaping it with \x3c ? -- Best Regards, Giles Coochey NetSecSpec Ltd NL Mobile: +31 626 508 131 Gib Mobile: +350 5401 6693 Email/MSN/Live Messenger: gi...@coochey.net Skype: gilescoochey
Re: Help! Filter spam with less than symbol in recipient
Giles Coochey wrote: Have you tried escaping it with \x3c ? Thanks for your suggestion, I tried it now but with no success. Here's my rule: header TO1 To:name =~ /\x3c/i score TO1 100 I have received other less than spam just now. :-(
Re: Help! Filter spam with less than symbol in recipient
On 2010-10-15 12:58, Niente0 wrote: Giles Coochey wrote: Have you tried escaping it with \x3c ? Thanks for your suggestion, I tried it now but with no success. Here's my rule: header TO1 To:name =~ /\x3c/i score TO1 100 I have received other less than spam just now. :-( pls post a spam sample on pastebin.com and send the link to the list
Re: Help! Filter spam with less than symbol in recipient
Yet Another Ninja wrote: On 2010-10-15 12:58, Niente0 wrote: pls post a spam sample on pastebin.com and send the link to the list Hi, I tried with 3 different browsers but pastebin.com shows only a blank page after submitting text. So I posted it here: http://snipt.org/koRn/
Re: Help! Filter spam with less than symbol in recipient
On 2010-10-15 14:18, Niente0 wrote: Yet Another Ninja wrote: On 2010-10-15 12:58, Niente0 wrote: pls post a spam sample on pastebin.com and send the link to the list Hi, I tried with 3 different browsers but pastebin.com shows only a blank page after submitting text. So I posted it here: http://snipt.org/koRn/ Untested: # To: i...@aags.com header TO1 To =~ /^/
Re: Help! Filter spam with less than symbol in recipient
Yet Another Ninja wrote: On 2010-10-15 14:18, Niente0 wrote: Untested: # To: i...@aags.com header TO1 To =~ /^/ Thank you! I tested it but it still doesn't work. :-( For testing purposes, I created a fake user in my Outlook address book, with name and email equal to an alias of my email. I sent him (myself) a test message and it passed. I examined the header of the incoming message and there are spamassassin infos, so it passed through SA rules and ignored the less than filtering rule...
Re: Help! Filter spam with less than symbol in recipient
On 2010-10-15 14:49, Niente0 wrote: Yet Another Ninja wrote: On 2010-10-15 14:18, Niente0 wrote: Untested: # To: i...@aags.com header TO1 To =~ /^/ Thank you! I tested it but it still doesn't work. :-( For testing purposes, I created a fake user in my Outlook address book, with name and email equal to an alias of my email. I sent him (myself) a test message and it passed. I examined the header of the incoming message and there are spamassassin infos, so it passed through SA rules and ignored the less than filtering rule... works for me X-Spam-Report: * 0.0 HAS_SHORT_URL Message contains one or more shortened URLs * 1.0 SHORT_URL_404 Message has short URL that returns 404 * 3.0 SHORT_URL_CHAINED Message has shortened URL chained to other * shorteners * 0.0 SHORT_URL_LOOP Message has short URL that loops back to itself * 5.0 SHORT_URL_MAXCHAIN Message has shortened URL that causes more than * 10 redirections * 1.0 TO1 TO1 * 0.0 HTML_MESSAGE BODY: HTML included in message * 1.8 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars * 0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
Re: Help! Filter spam with less than symbol in recipient
On Fri, 2010-10-15 at 05:18 -0700, Niente0 wrote: Yet Another Ninja wrote: On 2010-10-15 12:58, Niente0 wrote: pls post a spam sample on pastebin.com and send the link to the list Hi, I tried with 3 different browsers but pastebin.com shows only a blank page after submitting text. So I posted it here: http://snipt.org/koRn/ That gets a score of 10.0 here: 0.0 HAS_SHORT_URL Message contains one or more shortened URLs 3.4 RCVD_ILLEGAL_IP Received: contains illegal IP address 3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL [115.240.47.73 listed in zen.spamhaus.org] 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT [115.240.47.73 listed in bb.barracudacentral.org] 0.1 MG_OPTOUT BODY: Opting out required 0.0 HTML_MESSAGE BODY: HTML included in message 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS 0.0 MG_WRONG_DOMAIN Message not received via example.com HAS_SHORT_URL is a rule related to the DecodeShortURLs 3rd party plugin My private rules (MG_OPTOUT, MG_WRONG_DOMAIN) have little effect on it because their scores are low (they are used as part of meta rules): body MG_OPTOUT /(if you do not want to receive|se non.{1,20}ricevere|not interested anymore.{1,60}unsubscribe)/i header __MG_WDD1 To !~ /example\.com/ header __MG_WDD2 List-id =~ /\S{1,40}/ meta MG_WRONG_DOMAIN (__MG_WDD1 !__MG_WDD2) I tested a slight variant, which allows whitespace after , on Yet Another Ninja's suggested rule, mainly because I'd previously guessed that the same regex would do the job and wanted to see if my guess was right: describe MG_MUNGE_TOUT 'To:' header contains header MG_MUNGE_TOUT To =~ /^s*\/ score MG_MUNGE_TOUT 2.0 and this works as advertised. Martin
Re: Help! Filter spam with less than symbol in recipient
On Fri, 15 Oct 2010, Niente0 wrote: Yet Another Ninja wrote: On 2010-10-15 14:18, Niente0 wrote: Untested: # To: i...@aags.com header TO1 To =~ /^/ Thank you! I tested it but it still doesn't work. :-( For testing purposes, I created a fake user in my Outlook address book, with name and email equal to an alias of my email. I sent him (myself) a test message and it passed. I examined the header of the incoming message and there are spamassassin infos, so it passed through SA rules and ignored the less than filtering rule... Outlook may be putting a space like mailers are supposed to: mum...@example.com How about: header TO1 To =~ /\S/ Granted, it's not specific to but a one-character name is also somewhat suspicious. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Sheep have only two speeds: graze and stampede. -- LTC Grossman --- 63 days until TRON Legacy
Re: Help! Filter spam with less than symbol in recipient
On Fri, 15 Oct 2010, Niente0 wrote: header TO1 To:name =~ /\/i but it seems no to work... Could you please help me? I'm desperate! Thanks :-) That probably means the parser has a bug. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Sheep have only two speeds: graze and stampede. -- LTC Grossman --- 63 days until TRON Legacy
Re: Help! Filter spam with less than symbol in recipient
Yet Another Ninja wrote: On 2010-10-15 14:49, Niente0 wrote: works for me After some more tests, it seems to work for me too! I discovered that in my tests the server added a space after the second quote: (space) while in real spam it was not present. So here are my 2 new rules: header TO1 To =~ /^/ score TO1 100 header TO2 To =~ /^\\\ \/ score TO2 100 (the second one has the space inside!) A HUGE THANK YOU :handshake:
Re: Help! Filter spam with less than symbol in recipient
On 10/15/2010 10:00 AM, Niente0 wrote: Yet Another Ninja wrote: On 2010-10-15 14:49, Niente0 wrote: works for me After some more tests, it seems to work for me too! I discovered that in my tests the server added a space after the second quote: (space) while in real spam it was not present. So here are my 2 new rules: header TO1 To =~ /^/ score TO1 100 header TO2 To =~ /^\\\ \/ score TO2 100 (the second one has the space inside!) Simplified: header TO1 To =~ /^\s*/ This will work with or without the space (or multiple spaces, or tabs...). You don't need to escape anything in this regex. None of those are special characters. -- Bowie
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On Fri 08 Oct 2010 03:18:35 CEST, John Hardin wrote But I believe we already crossed the line from meta to OT. ;) This braindead message munging won't happen on this list. Oh, agreed. one could change it to be more helpful signatures :) To unsubscribe from this mailing list see the list-unsubscribe: header This braindead message munging won't happen on this list. -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
RE: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
I was going to suggest the footer should read: To unsubscribe from this mailing list see the list-unsubscribe: header Ahaha! I vote yes to it. ;)
OT (Was: Unsubscribe / help footer at the bottom of messages to this list.)
On 07/10/2010 23:28, John Hardin wrote: On Thu, 7 Oct 2010, Karsten Bräckelmann wrote: On Thu, 2010-10-07 at 11:11 +0200, Shlomi Fish wrote: before I unsubscribe I should note that the incoming messages from this list should have an Unsubscribe / How-to-get-help footer at the bottom of their messages. It's not a matter of missing information forced onto each and any post. Ultimately, it boils down to the subscribers' clue level, in particular understanding email and mailing lists. I was going to suggest the footer should read: To unsubscribe from this mailing list see the list-unsubscribe: header John, thanks for this one! (a chance I wasn't drinking coffee while reading...)
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On Thu 07 Oct 2010 11:11:09 CEST, Shlomi Fish wrote before I unsubscribe I should note that the incoming messages from this list should have an Unsubscribe / How-to-get-help footer at the bottom of their messages. http://tools.ietf.org/html/rfc2919 eg using squirrelmail, roundcube, horde imp, it works -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On 07.10.10 11:11, Shlomi Fish wrote: before I unsubscribe I should note that the incoming messages from this list should have an Unsubscribe / How-to-get-help footer at the bottom of their messages. They have standardized header: list-unsubscribe: mailto:users-unsubscr...@spamassassin.apache.org Don't blame the mailing list just because your mailer is not capable of processing that... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 99 percent of lawyers give the rest a bad name.
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On Thursday 07 October 2010 11:46:58 Matus UHLAR - fantomas wrote: On 07.10.10 11:11, Shlomi Fish wrote: before I unsubscribe I should note that the incoming messages from this list should have an Unsubscribe / How-to-get-help footer at the bottom of their messages. They have standardized header: list-unsubscribe: mailto:users-unsubscr...@spamassassin.apache.org Don't blame the mailing list just because your mailer is not capable of processing that... oh, but the kmail that shlomi's using is perfectly capable to process list headers... all you need is a filter to move mails from lists into separate folders, one per list, and then tell kmail that those folders contain mailing lists. so it all comes back to PEBKAC.
RE: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
Furthermore, I suggest having a footer with unsubscription / help information in addition to the header because the header may not be visible, not all E-mail clients may display it, and people may otherwise be unaware of it. I have often seen some unsubscribe messages sent to mailing lists and putting the unsubscription information in the footer greatly reduces that. I see what you mean, but, well, I personally would vote no to this. I'm really tired of all that mailing lists which can't stay from attaching their own banners and general hints at the message tail. After all, the SA users list is not for the faint of heart and people (like you do, in example) should at least know how to unsubscribe from an ezmlm-managed list... Giampaolo so it all comes back to PEBKAC. I know how to unsubscribe - that's not the problem. Regards, Shlomi Fish -- - Shlomi Fish http://www.shlomifish.org/ Optimising Code for Speed - http://shlom.in/optimise rindolf She's a hot chick. But she smokes. go|dfish She can smoke as long as she's smokin'. Please reply to list if it's a mailing list post - http://shlom.in/reply .
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
Furthermore, I suggest having a footer with unsubscription / help information in addition to the header because the header may not be visible, not all E-mail clients may display it, and people may otherwise be unaware of it. I have often seen some unsubscribe messages sent to mailing lists and putting the unsubscription information in the footer greatly reduces that. - the unsubscribe instructions are in the subscription confirming e-mail (you must send subscription request and confirm it back to get that mail) - I've seen unsubscribe requests even in lists that do have such footer On 07.10.10 13:28, Giampaolo Tomassoni wrote: I see what you mean, but, well, I personally would vote no to this. I'm really tired of all that mailing lists which can't stay from attaching their own banners and general hints at the message tail. not mentioning breakage of e.g. DKIM. btw, not to be off-topic at least once, can SA comply with this? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On 07.10.10 13:28, Giampaolo Tomassoni wrote: I see what you mean, but, well, I personally would vote no to this. I'm really tired of all that mailing lists which can't stay from attaching their own banners and general hints at the message tail. I fully agree. not mentioning breakage of e.g. DKIM. btw, not to be off-topic at least once, can SA comply with this? Not breaking DKIM signature? Yes, on both accounts: - the users@spamassassin.apache.org mailing list does not break signatures (thankfully it does not modify Subject or add footers/signatures); - DKIM signatures in messages passed through SpamAssassin are normally not invalidated, unless one configures SA to modify Subject or to add a report to the body of a message. Mark
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On Thu, 2010-10-07 at 11:11 +0200, Shlomi Fish wrote: before I unsubscribe I should note that the incoming messages from this list should have an Unsubscribe / How-to-get-help footer at the bottom of their messages. Please tell me I am not the only one to see the irony. I can't even remember the last time I've seen an unsub request straight to this list. I do, however, frequently see them on some lists despite adding such a footer. It's not a matter of missing information forced onto each and any post. Ultimately, it boils down to the subscribers' clue level, in particular understanding email and mailing lists. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On Thu 07 Oct 2010 22:19:29 CEST, Karsten Bräckelmann wrote It's not a matter of missing information forced onto each and any post. Ultimately, it boils down to the subscribers' clue level, in particular understanding email and mailing lists. i see it as subscribers missing buttons in their so smart gui to handle rfc2919 most so smart gui have enough buttons to confuse the problem :) -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On Thu, 7 Oct 2010, Karsten Bräckelmann wrote: On Thu, 2010-10-07 at 11:11 +0200, Shlomi Fish wrote: before I unsubscribe I should note that the incoming messages from this list should have an Unsubscribe / How-to-get-help footer at the bottom of their messages. It's not a matter of missing information forced onto each and any post. Ultimately, it boils down to the subscribers' clue level, in particular understanding email and mailing lists. I was going to suggest the footer should read: To unsubscribe from this mailing list see the list-unsubscribe: header -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Gun Control enables genocide while doing little to reduce crime. --- 71 days until TRON Legacy
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On Thu, 2010-10-07 at 14:28 -0700, John Hardin wrote: On Thu, 7 Oct 2010, Karsten Bräckelmann wrote: It's not a matter of missing information forced onto each and any post. Ultimately, it boils down to the subscribers' clue level, in particular understanding email and mailing lists. I was going to suggest the footer should read: To unsubscribe from this mailing list see the list-unsubscribe: header Well, this still would be an intrusive disclaimer. And *really* not necessary with this list and its audience, as history shows. With other lists populated by non tech-savvy folks, it won't work either. You lost your audience by referring to a header. You would not assume people unable to comprehend a verbose how to unsub disclaimer, and still manage to send it straight to the list, to grok that, would you? Yes, I have seen helpful replies along the lines of the next paragraph tells you how to unsub. The full sender's text. The next paragraph would be the list-added disclaimer -- of course, also part of the OP's unsub request in the first place. But I believe we already crossed the line from meta to OT. ;) This braindead message munging won't happen on this list. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: [Meta] Unsubscribe / help footer at the bottom of messages to this list.
On Thu, 7 Oct 2010, Karsten Bräckelmann wrote: On Thu, 2010-10-07 at 14:28 -0700, John Hardin wrote: On Thu, 7 Oct 2010, Karsten Bräckelmann wrote: It's not a matter of missing information forced onto each and any post. Ultimately, it boils down to the subscribers' clue level, in particular understanding email and mailing lists. I was going to suggest the footer should read: To unsubscribe from this mailing list see the list-unsubscribe: header Well, this still would be an intrusive disclaimer. And *really* not necessary with this list and its audience, as history shows. Humor, Karsten; humor. :) But I believe we already crossed the line from meta to OT. ;) This braindead message munging won't happen on this list. Oh, agreed. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- USMC Rules of Gunfighting #7: In ten years nobody will remember the details of caliber, stance, or tactics. They will only remember who lived. --- 71 days until TRON Legacy
Help installing spamassassin on ubuntu
Hi All, Am trying to install spamassassin on Ubuntu without an SMTP server running on it. Is it mandatory to have an SMTP server to run spam assassin? I want to install these modules and call a specific subroutine to check my message for spammy content and give me the results. The calls will be made from a web form. Am trying to build a tool which accepts an email message and checks it. Any help with the installation instructions and the details regarding the set up and modules will be appreciated. -- Thanks and Regards, Sabiha Fathima
Re: Help installing spamassassin on ubuntu
Hi On 25/08/10 11:30, Sabiha Fathima wrote: Hi All, Am trying to install spamassassin on unbuntu without a smtp running on it. Is it mandatory to have a smtp server to run spam assassin. No - on Ubuntu you can just apt-get install spamassassin spamc. I want to install these modules and call specific subroutine to check my message for spammy content and give me the results . the calls will be made from web form. cat message | spamc will return the results of the SA analysis. You'd really need to include or insert mail headers, unless you have a very clear idea indeed about body-only rules, and disable all the header related ones. Am trying to build a tool which accepts a email message and checks it. Are you *certain* it wouldn't be easier to do this on the mailserver? Running mail through SA from amavis/Postfix/Exim/... is really straightforward. If the mailserver is under someone else's control, then you could use e.g. fetchmail to send it on through a local mailserver. Any help with the installation instructions and the details regarding the set up and modules will be appreciated. -- Thanks and Regards, Sabiha Fathima Dominic
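One way to wire the `cat message | spamc` advice above into a web-form checker, as an added example that is not from the thread: it adds placeholder headers when the submitted text has none and hands the message to `spamc -c` on stdin with no shell involved. The function names, placeholder addresses and size cap are assumptions; `spamc -c` prints `score/threshold` and exits 1 for spam.

```python
import subprocess
from email import message_from_string
from email.message import EmailMessage

MAX_BYTES = 500 * 1024  # assumed cap for form submissions (hypothetical value)
# Headers whose presence is taken to mean "this is already a full message".
KNOWN_HEADERS = {"from", "to", "subject", "date", "received"}


def ensure_headers(text):
    """Return message bytes; wrap header-less form text in placeholder headers."""
    present = {name.lower() for name in message_from_string(text).keys()}
    if present & KNOWN_HEADERS:
        return text.encode("utf-8", errors="replace")  # already a message
    msg = EmailMessage()
    # Placeholder values (assumptions): header rules will score these, so the
    # result for header-less input is only meaningful for body rules.
    msg["From"] = "webform@example.invalid"
    msg["To"] = "checker@example.invalid"
    msg["Subject"] = "(submitted via web form)"
    msg.set_content(text)
    return msg.as_bytes()


def parse_spamc_check(stdout, returncode):
    """Interpret `spamc -c`: 'score/threshold' on stdout, exit code 1 = spam."""
    score_s, _, threshold_s = stdout.strip().partition("/")
    try:
        score, threshold = float(score_s), float(threshold_s)
    except ValueError:
        raise RuntimeError("unexpected spamc output: %r" % stdout)
    if score == 0 and threshold == 0:
        # spamc prints 0/0 when it could not get a verdict from spamd
        raise RuntimeError("spamc returned no verdict (is spamd running?)")
    return {"score": score, "threshold": threshold, "spam": returncode == 1}


def check_form_text(text, timeout=30):
    """Score one web-form submission; needs spamc and a running spamd."""
    message = ensure_headers(text)
    if len(message) > MAX_BYTES:
        raise ValueError("submission too large")
    # argv list plus stdin: the form text never reaches a shell command line.
    proc = subprocess.run(["spamc", "-c"], input=message,
                          stdout=subprocess.PIPE, timeout=timeout)
    return parse_spamc_check(proc.stdout.decode("ascii", "replace"),
                             proc.returncode)
```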
Re: Help installing spamassassin on ubuntu
On Wed, 2010-08-25 at 16:00 +0530, Sabiha Fathima wrote: Hi All, Am trying to install spamassassin on unbuntu without a smtp running on it. Is it mandatory to have a smtp server to run spam assassin. No. I run two copies of SA - one on my main mail server for normal production mail scanning and a second copy on this laptop for rule testing. I want to install these modules and call specific subroutine to check my message for spammy content and give me the results . the calls will be made from web form. In the test system: - spamd is installed as normal but is only started when I need to use it. - I use spamc in a normal user to feed test messages to spamd. I keep my test message collection in this user. - I keep the master copies of locally developed .cf files in same user where they're easy to edit. They are under version control as well. I use scripts to: (a) load the .cf files into the test spamd before running lint checks and tests (b) to install copies of the .cf files on the production mail server. This uses scp to install the files and ssh to remotely restart spamd I hope this suggests ideas that will work for you. Martin
Initial setup of SA - please help.
Hello, I've been using SA for 5 years now. Yesterday I was switching my Debian system to a Gentoo server and had to reinstall SA this way. I thought I transferred the config nearly identically, but that seems not to be the case, since I get filtering results which I don't understand: http://pastebin.com/Rhj2UMLS
I don't understand 3 things:
1) Why is it recognized as not being spam, although the required score is 3.0 and the actual score is 101.0? Is this because of points 2) and 3)?
2) Why does ALL_TRUSTED hit here? I haven't configured mx0.gmx.net anywhere.
3) Why does USER_IN_WHITELIST apply here? iyeboxfzpfj zyy...@alxhkv.com is no one I've put onto any whitelist. In the user_prefs of user ww the only WHITE - Thing is: whitelist_from *...@web-factory.de whitelist_from *...@marketing-factory.de which is my company's domain.
Here's my whole global SA config: http://pastebin.com/DixnLNmv Could anybody please give me a hint with this? Thank you. Best regards, Marc
Re: Initial setup of SA - please help.
In an older episode, on 2010-08-15 15:57, Marc Richter wrote: http://pastebin.com/Rhj2UMLS I don't understand 3 things: 1) Why is it recognized as not being spam, although the required score is 3.0 and the actual score is 101.0? It says score=-101.0, that is *not* the same as score=101.0. A negative score is positive == non spam. Is this because of points 2) and 3)? AFAIK, that is because of USER_IN_WHITELIST, yes. 3) Why does USER_IN_WHITELIST apply here? iyeboxfzpfj zyy...@alxhkv.com is no one I've put onto any whitelist. If I am not mistaken, a score of -100 indicates that a whitelist_from_rcvd rule has matched - that is a combination of sender address plus received header, see man Mail::SpamAssassin::Conf Maybe try to grep for whitelist_from_rcvd in your configuration directories. Hope this helps, wolfgang
Re: Initial setup of SA - please help.
On Sun, 15 Aug 2010, Marc Richter wrote: http://pastebin.com/Rhj2UMLS I don't understand 3 things: 1) Why is it recognized as not being spam, although the required score is 3.0 and the actual score is 101.0? Look a little closer. The actual score is -101.0 (negative). Is this because of points 2) and 3)? 2) Why does ALL_TRUSTED hit here? I haven't configured mx0.gmx.net anywhere. Odd. I'd have expected pop.gmx.net to have prevented ALL_TRUSTED. I can't suggest why this might have occurred, perhaps one of the devs a little closer to that code will comment. ALL_TRUSTED isn't by itself contributing to the problem, but it is useful as a symptom. 3) Why does USER_IN_WHITELIST apply here? iyeboxfzpfj zyy...@alxhkv.com is no one I've put onto any whitelist. In the user_prefs of user ww the only WHITE - Thing is: whitelist_from *...@web-factory.de whitelist_from *...@marketing-factory.de which is my company's domain. As I just recommended to someone else, do not use whitelist_from except as a last resort. It is trivially easy for a spammer to leverage as it does no verification that the From address is not forged. Here's my whole global SA config: http://pastebin.com/DixnLNmv I note you're using whitelist_from_rcvd in your global config. Good. However, changing the required_score to 3.0 is not recommended. All of the scores assigned by the masscheck system are targeted at a required_score of 5.0, and if you lower that without making any adjustment to rule scores then you are likely going to increase your false positive rate. Can you post the ww user's config too? Could anybody please give me a hint with this? The whitelist hit is what's hurting the most. You should also take a look at your bayes, after we resolve the whitelist problem.
-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Vista is at best mildly annoying and at worst makes you want to rush to Redmond, Wash. and rip somebody's liver out. -- Forbes --- Today: the 65th anniversary of the end of World War II
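The difference between whitelist_from and whitelist_from_rcvd discussed in this thread, as an added example that is not part of any post and not SpamAssassin's own code: a simplified Python model that matches the From address as a glob and, for whitelist_from_rcvd, also requires the relay's rDNS (read here from the topmost Received header) to end in the given domain. The example.org/example.net names, addresses and the three messages are constructed.

```python
"""Simplified model of whitelist_from vs whitelist_from_rcvd (not SpamAssassin's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase


def parse_whitelist(conf_text):
    """Return [(address_glob, rdns_domain_or_None)] from whitelist lines."""
    entries = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "whitelist_from":
            # One or more address globs, no relay check at all.
            entries += [(glob.lower(), None) for glob in fields[1:]]
        elif len(fields) == 3 and fields[0] == "whitelist_from_rcvd":
            # Address glob plus the domain the relay's rDNS must end in.
            entries.append((fields[1].lower(), fields[2].lower().rstrip(".")))
    return entries


def relay_rdns(msg):
    """rDNS name our own MTA recorded for the connecting relay, or None."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Assumed Postfix-style layout: "from HELO (rdns [ip]) by ..."
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[[0-9a-fA-F.:]+\]\)", received[0])
    if not m or m.group(1).lower() == "unknown":
        return None
    return m.group(1).lower().rstrip(".")


def whitelist_hit(msg_text, entries):
    """True if any whitelist entry accepts this message."""
    msg = message_from_string(msg_text)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rdns = relay_rdns(msg)
    for glob, domain in entries:
        if not fnmatchcase(sender, glob):
            continue
        if domain is None:
            return True  # whitelist_from: the From header alone decides
        if rdns and (rdns == domain or rdns.endswith("." + domain)):
            return True  # whitelist_from_rcvd: From and relay must both match
    return False


# Constructed messages. FORGED claims example.org in From and HELO,
# but the connection came from an unrelated host.
FORGED = (
    "Received: from mail.example.org (dsl-50.example.net [203.0.113.50]) by mx.example.org\n"
    "From: Boss <boss@example.org>\nSubject: constructed sample\n\nbody\n"
)
GENUINE = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.org\n"
    "From: Boss <boss@example.org>\nSubject: constructed sample\n\nbody\n"
)
# Mail generated by a web form on the whitelisted server itself.
WEBFORM = (
    "Received: from www.example.org (www.example.org [192.0.2.20]) by mx.example.org\n"
    "From: form@example.org\nSubject: constructed sample\n\nbody\n"
)

WEAK = parse_whitelist("whitelist_from *@example.org")
STRICT = parse_whitelist("whitelist_from_rcvd *@example.org example.org")

if __name__ == "__main__":
    for name, text in (("forged", FORGED), ("genuine", GENUINE), ("webform", WEBFORM)):
        print(name, "weak:", whitelist_hit(text, WEAK), "strict:", whitelist_hit(text, STRICT))
```

The third message shows why the relay-bound form still whitelists anything that really is sent through the listed server, so a form on that server has to be secured separately.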
Re: Initial setup of SA - please help.
Hi @all, I just had a chat with wolfgang by phone, and we discovered that a web form on my own site seems to deliver this spam to my GMX account richter_marc -at- gmx.net. This would explain this result: When my own server is the initial sender, it's clear why the USER_IN_WHITELIST test hits. It seems as if I just read the header wrong, sorry. I'll have a closer look at this, and I'll write again if I'm still experiencing something I don't get. Thank you all so far! On 15.08.2010 16:46, John Hardin wrote: On Sun, 15 Aug 2010, Marc Richter wrote: http://pastebin.com/Rhj2UMLS I don't understand 3 things: 1) Why is it recognized as not being spam, although the required score is 3.0 and the actual score is 101.0? Look a little closer. The actual score is -101.0 (negative). Yeah, I already saw my error, thank you. 1) is 100% solved because of that ;) Is this because of points 2) and 3)? 2) Why does ALL_TRUSTED hit here? I haven't configured mx0.gmx.net anywhere. Odd. I'd have expected pop.gmx.net to have prevented ALL_TRUSTED. I can't suggest why this might have occurred, perhaps one of the devs a little closer to that code will comment. ALL_TRUSTED isn't by itself contributing to the problem, but it is useful as a symptom. 3) Why does USER_IN_WHITELIST apply here? iyeboxfzpfj zyy...@alxhkv.com is no one I've put onto any whitelist. In the user_prefs of user ww the only WHITE - Thing is: whitelist_from *...@web-factory.de whitelist_from *...@marketing-factory.de which is my company's domain. As I just recommended to someone else, do not use whitelist_from except as a last resort. It is trivially easy for a spammer to leverage as it does no verification that the From address is not forged. You're right. Up till today (may be subject to change, since I told it here in public ;) ) not a single spam has reached me because of this whitelist.
Here's my whole global SA config: http://pastebin.com/DixnLNmv I note you're using whitelist_from_rcvd in your global config. Good. However, changing the required_score to 3.0 is not recommended. All of the scores assigned by the masscheck system are targeted at a required_score of 5.0, and if you lower that without making any adjustment to rule scores then you are likely going to increase your false positive rate. I know, but the suggested 5.0 results in too high a false ham rate for me. I'm keeping an eye on the filtered ones. They're not deleted, but collected in a separate box, which I check frequently. The FP rate is extremely low (2-5 in a whole year!) and even when this happens, they have never been autolearned as spam up to today. Can you post the ww user's config too? It's nearly empty. Just the two whitelist_from entries are from that file. Could anybody please give me a hint with this? The whitelist hit is what's hurting the most. You should also take a look at your bayes, after we resolve the whitelist problem. OK, I'll keep that in mind :) Thank you! Best Regards, Marc
Re: Initial setup of SA - please help.
On søn 15 aug 2010 15:57:57 CEST, Marc Richter wrote Could anybody please give me a hint with this? do you send spam to your own email address ? to solve it, remove any instance of whitelist_from or if you like to track this change score on user_in_whitelist to something that is not -100 -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: Initial setup of SA - please help.
If it looks like you send spam to yourself, I have a simple solution: an SPF record in your domain zone. In your SPF record you state that only your servers may send email for your domain and any others are possibly spammers - see http://www.openspf.org/ For example, for my domain only two servers may send email and any others are denied. Postfix checks SPF on receiving; if somebody from the net sends me spam with my domain in From, then by the policy in my SPF record - -all - this mail is rejected. SPF has helped us very much. A lot of spammers use the same To: and From: ... J.K. Quoting Benny Pedersen m...@junc.org: On søn 15 aug 2010 15:57:57 CEST, Marc Richter wrote Could anybody please give me a hint with this? do you send spam to your own email address ? to solve it, remove any instance of whitelist_from or if you like to track this change score on user_in_whitelist to something that is not -100 -- xpoint http://www.unicom.com/pw/reply-to-harmful.html This message was sent using IMP, the Internet Messaging Program.
Re: Initial setup of SA - please help.
Hi J.K. No, it seems as if my server really sent it, not only that the From matched. It seems as if an open web form sent it. But thank you anyway. On 15.08.2010 18:54, Josef Karliak wrote: If it looks like you send spam to you, I've simple solution. SPF record in your domain zone and you tell in your SPF record that for your domain could send email your servers and any others are possibly spammers - see http://www.openspf.org/ For example for my domain could send emails only two servers and any others are denied. Postfix controls SPF on receiving, if somebody from net could send me spam and from is my domain, by my policy in the SPF record - -all - this mail is rejected. SPF helped very much to us. Lot of spammers use the same To: and From: ... J.K. Quoting Benny Pedersen m...@junc.org: On søn 15 aug 2010 15:57:57 CEST, Marc Richter wrote Could anybody please give me a hint with this? do you send spam to your own email address ? to solve it, remove any instance of whitelist_from or if you like to track this change score on user_in_whitelist to something that is not -100 -- xpoint http://www.unicom.com/pw/reply-to-harmful.html This message was sent using IMP, the Internet Messaging Program.
Re: Please Help with SA Rule: FH_HOST_IN_ADDRARPA
On 6/17/2010 2:19 PM, gwilodailo wrote: I've discovered that some mail between two of my clients (on separate hosts) is getting flagged as spam, because of this rule (FH_HOST_IN_ADDRARPA). I'm not at all an expert with spamassassin, and I'm having some difficulty finding what this rule is about and what to do about it. On 17.06.10 14:47, Lee Dilkie wrote: the rule is flagging the fact that the servers are using non-assigned address space. no, it's flagging that some admin had a genial idea to point PTR to itself:
1.1.1.1.in-addr.arpa. PTR 1.1.1.1.in-addr.arpa. A 1.1.1.1
-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Christian Science Programming: Let God Debug It!.
Please Help with SA Rule: FH_HOST_IN_ADDRARPA
Hello all, I've discovered that some mail between two of my clients (on separate hosts) is getting flagged as spam, because of this rule (FH_HOST_IN_ADDRARPA). I'm not at all an expert with spamassassin, and I'm having some difficulty finding what this rule is about and what to do about it. Any help would be greatly appreciated. Thanks! -- View this message in context: http://old.nabble.com/Please-Help-with-SA-Rule%3A-FH_HOST_IN_ADDRARPA-tp28917943p28917943.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Please Help with SA Rule: FH_HOST_IN_ADDRARPA
On Thu, 17 Jun 2010, gwilodailo wrote: I've discovered that some mail between two of my clients (on separate hosts) is getting flagged as spam, because of this rule (FH_HOST_IN_ADDRARPA). I'm not at all an expert with spamassassin, and I'm having some difficulty finding what this rule is about and what to do about it. Your reverse DNS lookup for the hostname resolves to a string containing 'in-addr.arpa'. This can be corrected by setting your reverse DNS zone to a real hostname for the IP. If you are not in control of the DNS you may have to talk to your upstream provider. If you are only doing this internally, and never send external mail from that host, you can just add a whitelist entry for that hostname. -Charles
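A check for the misconfiguration that Matus and Charles describe (a PTR record whose target is itself a reverse-DNS name), as an added example that is not part of the thread: a Python audit of reverse-zone records. It assumes fully-qualified owner names in BIND-style lines; apart from the record quoted above, the zone excerpt is constructed.

```python
"""Flag PTR records that point at an in-addr.arpa / ip6.arpa name (added example)."""
import ipaddress

ARPA_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def owner_to_ip(owner):
    """Turn a reverse-DNS owner name back into the IP it describes, or None."""
    name = owner.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if name.endswith(".ip6.arpa"):
            nibbles = "".join(reversed(name[: -len(".ip6.arpa")].split(".")))
            if len(nibbles) != 32:
                return None
            return str(ipaddress.IPv6Address(int(nibbles, 16)))
    except ValueError:
        return None  # not a complete or valid reverse name
    return None


def audit_ptr_records(zone_text):
    """Return [(owner, target, ip)] for PTR records whose target is a reverse name.

    Such a host has no real hostname in rDNS, which is what receiving
    filters see when they look up the connecting IP.
    """
    findings = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop zone-file comments
        if "PTR" not in fields:
            continue
        idx = fields.index("PTR")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # relative or continuation lines are out of scope here
        owner = fields[0].rstrip(".").lower()
        target = fields[idx + 1].rstrip(".").lower()
        if target.endswith(ARPA_SUFFIXES):
            findings.append((owner, target, owner_to_ip(owner)))
    return findings


# Constructed excerpt; the first record is the one quoted in the thread.
ZONE = """\
; constructed reverse-zone excerpt
1.1.1.1.in-addr.arpa.      PTR  1.1.1.1.in-addr.arpa.
10.2.0.192.in-addr.arpa.   3600 IN PTR mail.example.org.
11.2.0.192.in-addr.arpa.   IN PTR 11.2.0.192.in-addr.arpa.
"""

if __name__ == "__main__":
    for owner, target, ip in audit_ptr_records(ZONE):
        print(f"{ip}: PTR {owner} -> {target} (needs a real hostname)")
```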
Re: Please Help with SA Rule: FH_HOST_IN_ADDRARPA
the rule is flagging the fact that the servers are using non-assigned address space. On 6/17/2010 2:19 PM, gwilodailo wrote: Hello all, I've discovered that some mail between two of my clients (on separate hosts) is getting flagged as spam, because of this rule (FH_HOST_IN_ADDRARPA). I'm not at all an expert with spamassassin, and I'm having some difficulty finding what this rule is about and what to do about it. Any help would be greatly appreciated. Thanks!
Re: Help with new rule, and local.cf
On 03.06.10 20:45, cviebrock wrote: Thanks for the link. That'll help. In general, though, can I write a SA rule that looks at the raw message body with trying to decode attachments, etc.? I thought that would be the easiest way to catch these messages (and some other spam that comes in as PNG files). for images, there is FuzzyOcr plugin that can catch image spam. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Atheism is a non-prophet organization.
Re: Help with new rule, and local.cf
On Thu, 2010-06-03 at 19:44 -0700, cviebrock wrote: I'm trying to write a rule to catch a bunch of spam I'm getting recently that contain only an .RTF file. The filename, subject line, and other details vary, but the raw message body is always the same i.e. the base64 encoded RTF file. See the headers and first few lines of the email here, plus my attempted rule (which doesn't seem to be firing). Are you certain that the string you're matching is common to all RTF spam messages without being common to all RTF messages, e.g. a standard RTF header? I'm trapping all the RTF spam I'm getting by firstly recognising the RTF attachment:
describe MG_RTF RTF text file
mimeheader MG_RTF Content-Type =~ /name\=\".{1,20}\.rtf\"/i
score MG_RTF 0.75
and using that in meta-rules that combine it with other information (I don't accept RTF attachments from some mailing lists or if they're sent to an address that I don't send mail from or use for subscriptions). Martin
Re: Help with new rule, and local.cf
You're right in that it *could* be a common RTF header, but a bit of decoding of the attachments on my end seems to indicate that it isn't. All these spam RTFs are practically identical except for a different URL link in the document, and a different (probably forged) generator Msftedit #.##.##.### line. I guess my question is more general: how do I write a rule that looks at the undecoded content of the emails, versus one that looks at the decoded parts? - Colin -- View this message in context: http://old.nabble.com/Help-with-new-rule%2C-and-local.cf-tp28775147p28780895.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Help with new rule, and local.cf
On Fri 04 Jun 2010 04:44:46 AM CEST, cviebrock wrote http://pastebin.com/xFddVaX8 http://sanesecurity.org/ don't know what clamav rules help for this, but this is another way to stop spam attachments remember to make good choice of official sigs in clamd if using clamav milter, only reject official sigs, and i believe one can enable it on call to daemon so all is being scored as spam, not tried, but i believe it can be done -- xpoint http://www.unicom.com/pw/reply-to-harmful.html
Help with new rule, and local.cf
I'm trying to write a rule to catch a bunch of spam I'm getting recently that contain only an .RTF file. The filename, subject line, and other details vary, but the raw message body is always the same i.e. the base64 encoded RTF file. See the headers and first few lines of the email here, plus my attempted rule (which doesn't seem to be firing). http://pastebin.com/xFddVaX8 Any suggestions? Actually, I'm not sure if any of my rules in local.cf are firing. I'm running SA 3.3.0 via spampd 2.30-22 and Postfix 2.5.5, Perl 5.10.0 on Debian Lenny. I'll post any config settings needed to help. Thanks, and sorry if I'm being a newb! - Colin -- View this message in context: http://old.nabble.com/Help-with-new-rule%2C-and-local.cf-tp28775147p28775147.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Help with new rule, and local.cf
Hi, There are already a few threads about this ... http://www.gossamer-threads.com/lists/spamassassin/users/153560?do=post_view_threaded mvh On Fri, Jun 4, 2010 at 4:44 AM, cviebrock colinviebr...@gmail.com wrote: I'm trying to write a rule to catch a bunch of spam I'm getting recently that contain only an .RTF file. The filename, subject line, and other details vary, but the raw message body is always the same i.e. the base64 encoded RTF file. See the headers and first few lines of the email here, plus my attempted rule (which doesn't seem to be firing). http://pastebin.com/xFddVaX8 Any suggestions? Actually, I'm not sure if any of my rules in local.cf are firing. I'm running SA 3.3.0 via spampd 2.30-22 and Postfix 2.5.5, Perl 5.10.0 on Debian Lenny. I'll post any config settings needed to help. Thanks, and sorry if I'm being a newb! - Colin -- View this message in context: http://old.nabble.com/Help-with-new-rule%2C-and-local.cf-tp28775147p28775147.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Help with new rule, and local.cf
Thanks for the link. That'll help. In general, though, can I write a SA rule that looks at the raw message body with trying to decode attachments, etc.? I thought that would be the easiest way to catch these messages (and some other spam that comes in as PNG files). - Colin -- View this message in context: http://old.nabble.com/Help-with-new-rule%2C-and-local.cf-tp28775147p28775423.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: SA-3.2 need help
This rule is in my /etc/mail/spamassassin/local.cf as
FH_DATE_PAST_20XX 0
and in /var/lib/spmassassin//3.002004/updates_spamassassin_org as
#score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2
I've commented the line in /var/lib/spamassassin. How can I set spamassassin to not check my local network or a group of IPs for spamming, if there is a way? I've put a HASH in this also in my /usr/share/spamassassin/50_scores.cf
#score DNS_FROM_OPENWHOIS 0 2.431 0 1.130 # n=0 n=2
It's not available in /var/lib/spamassassin/3.002004/updates_spamassassin_org. But here I'm a bit confused because these same rules exist in /var/lib/spamassassin/3.002004/updates_spamassassin_org and /usr/share/spamassassin/, and so which rules should I edit? This is the output of sa-update -D
# sa-update -D
[2941] dbg: logger: adding facilities: all
[2941] dbg: logger: logging level is DBG
[2941] dbg: generic: SpamAssassin version 3.2.4
[2941] dbg: config: score set 0 chosen.
[2941] dbg: dns: is Net::DNS::Resolver available? yes
[2941] dbg: dns: Net::DNS version: 0.63
[2941] dbg: generic: sa-update version svn607589
[2941] dbg: generic: using update directory: /var/lib/spamassassin/3.002004
[2941] dbg: diag: perl platform: 5.008008 linux
[2941] dbg: diag: module installed: Digest::SHA1, version 2.07
[2941] dbg: diag: module installed: HTML::Parser, version 3.59
[2941] dbg: diag: module installed: Net::DNS, version 0.63
[2941] dbg: diag: module installed: MIME::Base64, version 3.07
[2941] dbg: diag: module installed: DB_File, version 1.814
[2941] dbg: diag: module installed: Net::SMTP, version 2.29
[2941] dbg: diag: module installed: Mail::SPF, version v2.006
[2941] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[2941] dbg: diag: module installed: IP::Country::Fast, version 604.001
[2941] dbg: diag: module installed: Razor2::Client::Agent, version 2.84
[2941] dbg: diag: module installed: Net::Ident, version 1.20
[2941] dbg: diag: module installed: IO::Socket::INET6, version 2.56
[2941] dbg: diag: module installed: IO::Socket::SSL, version 1.17
[2941] dbg: diag: module installed: Compress::Zlib, version 1.42
[2941] dbg: diag: module installed: Time::HiRes, version 1.9721
[2941] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
[2941] dbg: diag: module installed: Mail::DKIM, version 0.32
[2941] dbg: diag: module installed: DBI, version 1.607
[2941] dbg: diag: module installed: Getopt::Long, version 2.35
[2941] dbg: diag: module installed: LWP::UserAgent, version 2.033
[2941] dbg: diag: module installed: HTTP::Date, version 1.47
[2941] dbg: diag: module installed: Archive::Tar, version 1.40
[2941] dbg: diag: module installed: IO::Zlib, version 1.09
[2941] dbg: diag: module installed: Encode::Detect, version 1.01
[2941] dbg: gpg: Searching for 'gpg'
[2941] dbg: util: current PATH is: /usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
[2941] dbg: util: executable for gpg was found at /usr/bin/gpg
[2941] dbg: gpg: found /usr/bin/gpg
[2941] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
[2941] dbg: channel: attempting channel updates.spamassassin.org
[2941] dbg: channel: update directory /var/lib/spamassassin/3.002004/updates_spamassassin_org
[2941] dbg: channel: channel cf file /var/lib/spamassassin/3.002004/updates_spamassassin_org.cf
[2941] dbg: channel: channel pre file /var/lib/spamassassin/3.002004/updates_spamassassin_org.pre
[2941] dbg: channel: metadata version = 895075
[2941] dbg: dns: 4.2.3.updates.spamassassin.org = 895075, parsed as 895075
[2941] dbg: channel: current version is 895075, new version is 895075, skipping channel
[2941] dbg: diag: updates complete, exiting with code 1
This shows that it's updating the /var/lib/spamassassin/3.002004/updates_spamassassin_org rules and not the /usr/share/spamassassin rules. Warm Regards, Anshul Chauhan Dream is not what you see while sleep, it's the thing that does not let you sleep.
2010/4/23 Karsten Bräckelmann guent...@rudersport.de On Fri, 2010-04-23 at 11:16 +0530, Tux Techie wrote: I've inserted score FH_DATE_PAST_20XX 0 without the quotes to the end of your local.cf file to disable the rule for 2010 bug. According to the timestamps the samples are older than your mail. Assuming you restarted spamd, these hits should now be gone and drastically lower your FP rate. I've googled all the stuff in my local.cf its not inherited from any setup. Err? The question was, if you added all that stuff to your local.cf, or if someone else who *was* in charge of the mail server added that earlier. Below is an example of a geniune mail from outside domain marked as ham for a user and spam for other user http://pastebin.com/33WGrJ4b Nope, it is not. It is not a mail, as we requested. That's log messages.
Re: SA-3.2 need help
Anshul Chauhan wrote: This rule is in my /etc/mail/spamassassin/local.cf as FH_DATE_PAST_20XX 0 and in /var/lib/spmassassin//3.002004/updates_spamassassin_org as #score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2 i've commented the line in /var/lib/spamassassin. How can i set spamassassin as to not check my local network or a group of ip's for not checking for spamming, if there is a way. i've put a HASH in this also in my /usr/share/spamassassin/50_scores.cf #score DNS_FROM_OPENWHOIS 0 2.431 0 1.130 # n=0 n=2 its not available in /var/lib/spamassassin/3.002004/updates_spamassassin_org. but here i'm a bit confused bcoz these same rules exists in /var/lib/spamassassin/3.002004/updates_spamassassin_org and /usr/share/spamassassin/ and so which rules i should edit
You should only edit the files in /etc/mail/spamassassin (or whichever directory your system is using for the local rules). /var/lib/spamassassin/3.002004 is used to store updated rules from sa-update. It will be used rather than the rules in /usr/share/spamassassin (original rules from the distribution) if it exists. If you edit these files, your changes will be lost the next time you update your rules via sa-update. Rather than editing the files directly, make your changes in /etc/mail/spamassassin/local.cf (or make your own .cf file in that directory). Anything there will override the rules in /usr/share/spamassassin and /var/lib/spamassassin. To get rid of those two rules, put these lines in your local.cf file:
score DNS_FROM_OPENWHOIS 0
score FH_DATE_PAST_20XX 0
(setting the score to 0 will disable the rule)
-- Bowie A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
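The precedence Bowie describes, as an added example that is not part of the thread or of SpamAssassin: a Python model that reads `score` lines in that order (update directory instead of the stock directory when it exists, then the site directory) and reports the effective score and where it came from. The file contents and the placeholder rule definitions are constructed around the score lines quoted above; the four-value score sets and the default of 1.0 for a defined rule with no score line follow the Mail::SpamAssassin::Conf documentation.

```python
"""Which score wins? Simplified model of SpamAssassin's config precedence."""

STOCK = "/usr/share/spamassassin/"
UPDATES = "/var/lib/spamassassin/3.002004/updates_spamassassin_org/"
SITE = "/etc/mail/spamassassin/"
RULE_TYPES = {"header", "body", "rawbody", "full", "uri", "meta", "mimeheader"}


def score_set_index(bayes, net):
    """Score set: 0 = neither, 1 = net only, 2 = Bayes only, 3 = both."""
    return (2 if bayes else 0) + (1 if net else 0)


def read_cf(text, path, index, state):
    """Apply one .cf file to state, a dict of rule -> (score, source)."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # a leading '#' disables the line
        if len(fields) < 3:
            continue
        rule = fields[1]
        if fields[0] in RULE_TYPES and not rule.startswith("__"):
            # A defined rule without any score line still scores by default.
            default = 0.01 if rule.startswith("T_") else 1.0
            state.setdefault(rule, (default, "default"))
        elif fields[0] == "score":
            try:
                values = [float(v) for v in fields[2:]]
            except ValueError:
                continue  # relative scores such as "(1.5)" are not modelled
            if len(values) == 1:
                state[rule] = (values[0], path)
            elif len(values) == 4:
                state[rule] = (values[index], path)


def effective_scores(files, bayes=True, net=True):
    """files maps path -> text. Returns rule -> (score, source path)."""
    index = score_set_index(bayes, net)
    have_updates = any(p.startswith(UPDATES) for p in files)
    state = {}
    for directory in (UPDATES if have_updates else STOCK, SITE):
        for path in sorted(p for p in files if p.startswith(directory)):
            read_cf(files[path], path, index, state)
    return state


# Constructed file contents; the rule bodies are placeholders, not the real rules.
FILES = {
    STOCK + "50_scores.cf": (
        "header FH_DATE_PAST_20XX Date =~ /constructed-placeholder/\n"
        "header DNS_FROM_OPENWHOIS Received =~ /constructed-placeholder/\n"
        "score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2\n"
        "score DNS_FROM_OPENWHOIS 0 2.431 0 1.130 # n=0 n=2\n"
    ),
    # Hand-edited update copy: the score line is commented out.
    UPDATES + "50_scores.cf": (
        "header FH_DATE_PAST_20XX Date =~ /constructed-placeholder/\n"
        "#score FH_DATE_PAST_20XX 2.075 3.384 3.554 3.188 # n=2\n"
    ),
    SITE + "local.cf": (
        "score DNS_FROM_OPENWHOIS 0\n"
        "score FH_DATE_PAST_20XX 0\n"
    ),
}

if __name__ == "__main__":
    for rule, (score, source) in sorted(effective_scores(FILES).items()):
        print(f"{rule:22} {score:6.3f}  from {source}")
```

In this model, commenting out the score line in the update directory leaves the rule active at the default 1.0; only the `score ... 0` line in local.cf disables it.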
Re: SA-3.2 need help
Tux Techie wrote: I've inserted score FH_DATE_PAST_20XX 0 without the quotes to the end of your local.cf file to disable the rule for 2010 bug.
You need to double-check this entry and then restart spamd since the rule is still hitting on all of the examples you gave. If it is still hitting after that, then you need to make sure you are changing the right file.
Below is an example of a genuine mail from outside domain marked as ham for a user and spam for other user http://pastebin.com/33WGrJ4b
Differences are Bayes and AWL. It is normal for these to differ between users.
Another example of a genuine yahoo.com mail marked as SPAM http://pastebin.com/VkJcj3XK Example of a mail from local network marked as SPAM http://pastebin.com/4FEMpc3G
Post some example headers so we can see what the scores are for each rule (We can assume default scores, but you may have changed them in local.cf, so it is best to look at the spam report header). You can add this to your local.cf if you want to see the report on ham as well as spam:
add_header all Report _REPORT_
I've entered my local lan series in trusted_networks in local.cf but still its catching my local mails as SPAMS.
All of your local mail should hit the ALL_TRUSTED rule. If not, you should re-check your trusted_network settings. Adding your servers to trusted_networks does not exempt them from spam checking, it just exempts them from blacklist checks and such. If a local user sends a spammy message, it will still be caught (although the ALL_TRUSTED rule gives a -1 to the score, to help prevent false positives from your own network). Take an example mail and run it through SA manually to see exactly what is happening.
$ spamassassin -D rules sample.msg
This will give lots of output, but most of it is easily understandable. Keep in mind that you will get different results (particularly with Bayes and AWL) depending on which user you are when you run the test.
If you can please guide me to some docs or how to for configuring and tuning SA to give good results.
The wiki is always a good starting point. http://wiki.apache.org/spamassassin/ -- Bowie
Re: SA-3.2 need help
On Fri, 2010-04-23 at 11:16 +0530, Tux Techie wrote: I've inserted score FH_DATE_PAST_20XX 0 without the quotes to the end of your local.cf file to disable the rule for 2010 bug. According to the timestamps the samples are older than your mail. Assuming you restarted spamd, these hits should now be gone and drastically lower your FP rate. I've googled all the stuff in my local.cf its not inherited from any setup. Err? The question was, if you added all that stuff to your local.cf, or if someone else who *was* in charge of the mail server added that earlier. Below is an example of a geniune mail from outside domain marked as ham for a user and spam for other user http://pastebin.com/33WGrJ4b Nope, it is not. It is not a mail, as we requested. That's log messages. At least we got the rules hit. And there's the second major issue. All your samples hit DNS_FROM_OPENWHOIS -- which is DEAD for almost 10 months. See bug 6157 [1]. BOTH your problems would NOT have come up, if you would run sa-update at least on a monthly basis. May I strongly suggest to run sa-update? It will fix a bunch of issues magically, after restarting your SA daemon. Hmm, in your previous post you said something about sa-update, and then went to list all stock rule-sets, plus some other files that are more likely to be in /etc/mail/spamassassin... these are default rules which i fetched from sa-update What do you mean, fetched? Where are all these *.cf files you listed on your system? You did not copy them into /etc/mail/spamassassin, did you? guenther [1] https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6157 -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
SA-3.2 need help
hi, I'm new to linux and Need help in configuring spamassassin on my mail server,I'm using spamassassin-3.2.4-1.el4.1 on CentOS4 with sendmail-8.13.1-3.3.el4 This is my local.cf # This is the right place to customize your installation of SpamAssassin. # # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be # tweaked. # # Only a small subset of options are listed below # ### # Add *SPAM* to the Subject header of spam e-mails # rewrite_header Subject *SPAM* # Save spam messages as a message/rfc822 MIME attachment instead of # modifying the original message (0: off, 2: use text/plain instead) # report_safe 0 # Set which networks or hosts are considered 'trusted' by your mail # server (i.e. not spammers) # #trusted_networks 132. trusted_networks 132. # Set file-locking method (flock is not safe over NFS, but is faster) # #lock_method flock # Set the threshold at which a message is considered spam (default: 5.0) # required_score 6.0 #required_score 5.0 # Use Bayesian classifier (default: 1) # use_bayes 1 # Bayesian classifier auto-learning (default: 1) # bayes_auto_learn 1 # Enable or disable network checks skip_rbl_checks 0 use_razor2 1 use_dcc 1 use_pyzor 1 # Mail using languages used in these country codes will not be marked # as being possibly spam in a foreign language. ok_languagesall # Mail using locales used in these country codes will not be marked # as being possibly spam in a foreign language. ok_locales all # Set headers which may provide inappropriate cues to the Bayesian # classifier # bayes_ignore_header X-Bogosity bayes_ignore_header X-Spam-Flag bayes_ignore_header X-Spam-Status # # New Spam Settings urirhssub URLBL_RBLJP url.rbl.jp. A 2 body URLBL_RBLJP eval:check_uridnsbl('URLBL_RBLJP') describe URLBL_RBLJP Has URI in url.rbl.jp tflagsURLBL_RBLJP net score URLBL_RBLJP 2.0 uridnsblURLBL_IP_RBLJPurl.rbl.jp. 
TXT body URLBL_IP_RBLJP eval:check_uridnsbl('URLBL_IP_RBLJP') describe URLBL_IP_RBLJP Has IP URL in url.rbl.jp tflags URLBL_IP_RBLJPnet score URLBL_IP_RBLJP 2.0 header RCVD_IN_ALL_RBL_JP eval:check_rbl_txt('rbl.jp', 'all.rbl.jp.') describe RCVD_IN_ALL_RBL_JP Received via a relay in all.rbl.jp tflags RCVD_IN_ALL_RBL_JP net score RCVD_IN_ALL_RBL_JP 1.5 # the following config will only detect URLs which use hostnames urirhssub URLBL_RBLJP url.rbl.jp. A 2 #body URLBL_RBLJP eval:check_uridnsbl('URLBL_RBLJP') #describe URLBL_RBLJP Has URI in url.rbl.jp tflags URLBL_RBLJP net score URLBL_RBLJP 4.0 # the following config will only detect URLs which use IP addresses uridnsbl URLBL_IP_RBLJP url.rbl.jp. TXT #body URLBL_IP_RBLJP eval:check_uridnsbl('URLBL_IP_RBLJP') #describe URLBL_IP_RBLJP Has IP URL in url.rbl.jp tflags URLBL_IP_RBLJP net score URLBL_IP_RBLJP 4.0 uridnsbl_skip_domain livedoor.com reset.jp asahi-net.or.jp hi-ho.ne.jp 2ch.net hatena.ne.jp uridnsbl_skip_domain mixi.jp yahoo.co.jp header __RCVD_IN_JMF eval:check_rbl('JMF-lastexternal','hostkarma.junkemailfilter.com.') describe __RCVD_IN_JMF Sender listed in JunkEmailFilter tflags __RCVD_IN_JMF net header RCVD_IN_JMF_W eval:check_rbl_sub('JMF-lastexternal', '127.0.0.1') describe RCVD_IN_JMF_W Sender listed in JMF-WHITE tflags RCVD_IN_JMF_W net nice score RCVD_IN_JMF_W -5 header RCVD_IN_JMF_BL eval:check_rbl_sub('JMF-lastexternal', '127.0.0.2') describe RCVD_IN_JMF_BL Sender listed in JMF-BLACK tflags RCVD_IN_JMF_BL net score RCVD_IN_JMF_BL 3.0 header RCVD_IN_JMF_BR eval:check_rbl_sub('JMF-lastexternal', '127.0.0.4') describe RCVD_IN_JMF_BR Sender listed in JMF-BROWN tflags RCVD_IN_JMF_BR net score RCVD_IN_JMF_BR 1.0 #TEST RULES header LOCAL_DEMONSTRATION_SUBJECT Subject =~ /\b%\b/i score LOCAL_DEMONSTRATION_SUBJECT 0.1 # Set headers which may provide inappropriate cues to the Bayesian # classifier # bayes_ignore_header X-Bogosity bayes_ignore_header X-Spam-Flag bayes_ignore_header X-Spam-Status # Some 
shortcircuiting, if the plugin is enabled # ifplugin Mail::SpamAssassin::Plugin::Shortcircuit # # default: strongly-whitelisted mails are *really* whitelisted now, if the # shortcircuiting plugin is active, causing early exit to save CPU load. # Uncomment to turn this on # shortcircuit USER_IN_WHITELIST on shortcircuit USER_IN_DEF_WHITELIST on shortcircuit USER_IN_ALL_SPAM_TO on shortcircuit SUBJECT_IN_WHITELIST on # the opposite; blacklisted mails can also save CPU # shortcircuit USER_IN_BLACKLIST on shortcircuit USER_IN_BLACKLIST_TO on shortcircuit SUBJECT_IN_BLACKLIST on # if you have taken the time to correctly specify your trusted_networks, # this is another good way to save CPU
Re: SA-3.2 need help
Tux Techie wrote:
> Hi, I'm new to Linux and need help in configuring SpamAssassin on my
> mail server. I'm using spamassassin-3.2.4-1.el4.1 on CentOS4 with
> sendmail-8.13.1-3.3.el4
>
> This is my local.cf
>
> bayes_ignore_header X-Spam-Flag
> bayes_ignore_header X-Spam-Status

These will be dealt with automatically, no need to ignore them.

> bayes_ignore_header X-Spam-Flag
> bayes_ignore_header X-Spam-Status

Still no need to ignore them... :)

You have quite a bit of stuff in your local.cf. Did you add all of this yourself, or did you inherit the current setup?

> This is my /etc/procmailrc
>
> DROPPRIVS=yes
> :0fw
> | /usr/bin/spamc
> :0
> * ^X-Spam-Status: Yes
> /dev/null

Don't know that I would delete all spam. You would probably be better off matching on the X-Spam-Level header and dropping based on a higher score. You can deliver the rest of the spam either to the inbox (you already put a marker on the subject line), or to a junkmail folder. I'll let a procmail guru supply the recipe for that.

> The main problem which I'm facing is false positives. SA is marking my
> genuine mails as spams from gmail.com and yahoo.co.in accounts and many
> of spams are not caught by SA. Please help me in tuning SA

Post an example or two (with full headers) on www.pastebin.com and give us the links. Once we can see what rules SA is hitting on (and not hitting on), we may be able to give you some suggestions.

--
Bowie
Re: SA-3.2 need help
On Thu, 2010-04-22 at 21:15 +0530, Tux Techie wrote:
> I'm new to Linux and need help in configuring SpamAssassin on my mail
> server. I'm using spamassassin-3.2.4-1.el4.1 on CentOS4 with
> sendmail-8.13.1-3.3.el4

[ massive snip ]

> This is my /etc/procmailrc
>
> DROPPRIVS=yes
> :0fw
> | /usr/bin/spamc
> :0
> * ^X-Spam-Status: Yes
> /dev/null
>
> The main problem which I'm facing is false positives. SA is marking my
> genuine mails as spams from gmail.com and yahoo.co.in accounts and many
> of spams are not caught by SA. Please help me in tuning SA

Sure. Blatantly obvious help first: DO NOT DELIVER CLASSIFIED SPAM TO THE GREAT BIT-BUCKET, if you are having issues with false positives.

After you have done that... Please do provide samples. There is absolutely nothing we can tell you, let alone help you, with your problem of *both* FPs and FNs, without samples and seeing the rules triggered.

Raw messages, including the SA headers, as little munged as possible. Feel free to mask email addresses, but don't invalidate Received headers or IPs. Put them up on your own webspace somewhere, or use a pastebin, and provide the link. Do not send any spam samples to the list.
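The recipe that the two replies above point toward (match on X-Spam-Level, discard only high scorers, keep the rest where false positives can be recovered), written out as an added example that is not part of the thread. The 15-point discard threshold and the $HOME/mail/junk mbox path are assumptions chosen for illustration.

```procmail
# /etc/procmailrc: added example, not from the thread.
# Assumptions: a discard threshold of 15 points and a per-user mbox at
# $HOME/mail/junk (the mail/ directory must already exist).
DROPPRIVS=yes

# Pass every message through spamd, as in the original recipe.
:0fw
| /usr/bin/spamc

# Discard only very high scorers. X-Spam-Level carries one asterisk per
# whole point of score, so fifteen escaped asterisks match 15 or more.
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null

# Everything else SpamAssassin tagged is filed in a junk mbox instead of
# being deleted. The trailing colon on ":0:" makes procmail use a local
# lockfile while it appends to the mbox.
:0:
* ^X-Spam-Status: Yes
$HOME/mail/junk
```

While false positives are still being investigated, the /dev/null recipe can be commented out so that every tagged message lands in the junk mbox.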
Re: SA-3.2 need help
On 4/22/10 10:45 AM, Tux Techie wrote:
> I'm new to Linux and need help in configuring SpamAssassin on my mail
> server. I'm using spamassassin-3.2.4-1.el4.1 on CentOS4 with

My first guess without seeing real samples would be that you are hitting the 2010 bug: see http://spamassassin.apache.org/news.html

Spam and virus filters need to change with the evolving threat, and your system is over two years old. It's not surprising that it is failing.

--
David Morton morto...@dgrmm.net
Morton Software Design http://www.dgrmm.net - Ruby on Rails PHP Applications
Maia Mailguard http://www.maiamailguard.com - Spam management for mail servers
Re: SA-3.2 need help
I've inserted score FH_DATE_PAST_20XX 0 without the quotes to the end of your local.cf file to disable the rule for 2010 bug. If I'm upgrading SA to 3.3.1, my mail processing is very slow and my server load average is going up. I've googled all the stuff in my local.cf; it's not inherited from any setup.

Below is an example of a genuine mail from outside domain marked as ham for a user and spam for other user
http://pastebin.com/33WGrJ4b

Another example of a genuine yahoo.com mail marked as SPAM
http://pastebin.com/VkJcj3XK

Example of a mail from local network marked as SPAM
http://pastebin.com/4FEMpc3G

I've entered my local LAN series in trusted_networks in local.cf but still it's catching my local mails as SPAMS. If you can, please guide me to some docs or how-to for configuring and tuning SA to give good results.
Re: Freemail Rule help
John Hardin wrote:
> On Tue, 6 Apr 2010, Ned Slider wrote:
>> John Hardin wrote:
>>> On Tue, 6 Apr 2010, Ned Slider wrote:
>>>> uri LOCAL_URI_BITLY m{https?://bit\.ly/\w{6}}
>>>> describe LOCAL_URI_BITLY contains bit.ly link
>>>
>>> bit.ly is a legitimate URL-shortening service. Are you sure you want
>>> to penalize them?
>>
>> As I said, I use that rule in a meta rule combining with FROM_HOTMAIL.
>
> You _also_ use it in a meta. The rule quoted above assigns one point (by
> default) to any bit.ly URL, regardless of whether it appears in a
> message received from hotmail.

Ah, I tend to remove the (my) score line when posting to this list so people do not copy my rules verbatim, but think about their own scoring. I had actually scored it at 0.001 for information (I originally wanted to check that it was hitting). I had forgotten that rules without a score will score 1 by default.

Good point, and thank you for reminding me :)
Freemail Rule help
Hi,

I'm having a problem with emails that are from a freemail domain with simply a shorturl in them, like this:

bra href=http://bit.ly/aqI4o1http://bit.ly/aqI4o1/Benjamin/abrbrbrlovee yabr

rawbody LOC_BITLY /href\=http:\/\/bit\.ly\/.+\w{1,8}http:\/\/bit\.ly\/.+\w{1,15}\/.+\w{1,15}\/abrbr/

Is this the most effective and best way to accomplish this? I believe it works (reliably?) but am concerned about what seemed to be excessive memory usage and false positives, obviously. Do you have any suggestions to improve this?

It also seems that no matter how many times I train these they don't score higher than BAYES_50, at least the FNs.

Thanks,
Alex
Re: Freemail Rule help
Alex wrote:
> Hi,
>
> I'm having a problem with emails that are from a freemail domain with
> simply a shorturl in them, like this:
>
> bra href=http://bit.ly/aqI4o1http://bit.ly/aqI4o1/Benjamin/abrbrbrlovee yabr
>
> rawbody LOC_BITLY /href\=http:\/\/bit\.ly\/.+\w{1,8}http:\/\/bit\.ly\/.+\w{1,15}\/.+\w{1,15}\/abrbr/
>
> Is this the most effective and best way to accomplish this? I believe
> it works (reliably?) but am concerned about what seemed to be excessive
> memory usage and false positives, obviously. Do you have any
> suggestions to improve this?
>
> It also seems that no matter how many times I train these they don't
> score higher than BAYES_50, at least the FNs.
>
> Thanks,
> Alex

I'm seeing these mostly from hotmail accounts so I use a URI rule (rather than your rawbody example) and meta it with FROM_HOTMAIL. For example,

uri LOCAL_URI_BITLY m{https?://bit\.ly/\w{6}}
describe LOCAL_URI_BITLY contains bit.ly link

meta LOCAL_HOTMAIL_SPAM_URI (__FROM_HOTMAIL_COM && LOCAL_URI_BITLY)
describe LOCAL_HOTMAIL_SPAM_URI From hotmail.com and bit.ly

I've been training these hotmail with links spam for months, and they all score BAYES_99 for me.
Re: Freemail Rule help
On Tue, 6 Apr 2010, Ned Slider wrote:
> uri LOCAL_URI_BITLY m{https?://bit\.ly/\w{6}}
> describe LOCAL_URI_BITLY contains bit.ly link

bit.ly is a legitimate URL-shortening service. Are you sure you want to penalize them?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
So Microsoft's invented the ASCII equivalent to ugly ink spots that appear on your letter when your pen is malfunctioning.
-- Greg Andrews, about Microsoft's way to encode apostrophes
---
7 days until Thomas Jefferson's 267th Birthday