Re: Filtering zip spam

2010-04-27 Thread Alex
Hi,

 Here's an example:

 http://pastebin.com/h9JwTQ9T

 The score is very low. Does someone have an idea of other
 characteristics that I can flag on?

 Hits for me on this:
 Sanesecurity.Junk.22048.UNOFFICIAL FOUND

Ah, very good. I think that might be what I'm missing. How are you
implementing this? From here?

http://www.sanesecurity.co.uk/download_scripts_linux.htm

Or are you using the clamav SA plug-in?

I'm using amavisd with clam-0.96 and sa-3.2.5.

  9.0 RELAYCOUNTRY_FR        Relayed through France
  5.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net

I wish I could use scores like that :-)

Might as well just block all of \.fr at smtp time for that matter :-)
Poor France :(

Thanks,
Alex


Re: How to I disable spam checking for a domain

2010-04-27 Thread Alex
Hi,

 Does anyone know where the best reference for doing this with amavisd
 and postfix would be, btw? I'd like to include it in some docs I'm
 putting together.

 I think my doc might be helpful:
 http://www200.pair.com/mecham/spam/bypassing.html

Yes, definitely. Thanks for the great work. It's going to take some
time to go through all of that.

Best,
Alex


Re: Filtering zip spam

2010-04-27 Thread corpus.defero
On Tue, 2010-04-27 at 02:16 -0400, Alex wrote:
 Hi,
 
  Here's an example:
 
  http://pastebin.com/h9JwTQ9T
 
  The score is very low. Does someone have an idea of other
  characteristics that I can flag on?
 
  Hits for me on this:
  Sanesecurity.Junk.22048.UNOFFICIAL FOUND
 
 Ah, very good. I think that might be what I'm missing. How are you
 implementing this? From here?
 
 http://www.sanesecurity.co.uk/download_scripts_linux.htm
 
 Or are you using the clamav SA plug-in?

Using clamav-milter ahead of SA with Postfix with SANE but any
implementation that uses clam/sane will do the same.

 I'm using amavisd with clam-0.96 and sa-3.2.5.
 
   9.0 RELAYCOUNTRY_FR        Relayed through France
   5.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 
 I wish I could use scores like that :-)
 
 Might as well just block all of \.fr at smtp time for that matter :-)
 Poor France :(

I mostly do... au revoir Le France

 Thanks,
 Alex




Re: Filtering zip spam

2010-04-27 Thread David B Funk
On Mon, 26 Apr 2010, Alex wrote:

 Hi,

 I'm seeing an increase in zip attachment spam, and hoped someone could
 help me figure out why it isn't being properly tagged. Are others
 seeing this? Is BAYES_99 being triggered or is it lower?

 Here's an example:

 http://pastebin.com/h9JwTQ9T

 The score is very low. Does someone have an idea of other
 characteristics that I can flag on?

FWIW, here's what I'm getting for that message:

Content analysis details:   (15.5 points, 6.0 required, autolearn=no)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 RATWARE_GECKO_BUILD    Bulk email fingerprint (Gecko faked) found
 0.1 RATWR10_MESSID         Message-ID has ratware pattern (HEXHEX.HEXHEX@)
 1.1 SPF_FAIL               SPF: sender does not match SPF record (fail)
                            [SPF failed: Please see
                            http://www.openspf.org/why.html?sender=debenture%40us.randstad.com&ip=80.12.242.26&receiver=server37.icaen.uiowa.edu]
 4.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 5.0 L_CLAMAV               Clam AntiVirus detected a virus
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?80.14.188.63]
 2.0 MY_CLAMAV              MY_CLAMAV
 0.0 T__MY_CLAMAV_SANE      T__MY_CLAMAV_SANE


Major hits are BAYES_99 & Sane-Security sigs in ClamAV, minor hits from
spamcop & spf-fail plus some custom rules. Without the Sane hits it
still would have made it over my threshold.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Whitelisting local domain (spamassassin qmail)

2010-04-27 Thread Martin Caine

Sorry for the confusion.

I am talking about connecting from an untrusted IP. We do have
authentication enabled on our SMTP server to disable relaying for unknown
users but as far as I can tell there's nothing in the headers that seems to
show this.

ie: pc - smtp1 - inbox (just shows the PCs IP (dynamic) and receiving
server info)
ie: pc - smtp2 - smtp1 - inbox (shows info from my sending smtp2 server
which I can use for whitelisting for a domain name that is external to
smtp1).

I'll take a look at the headers again and see if there's any sort of rule I
can match against the header of the internal email.
-- 
View this message in context: 
http://old.nabble.com/Whitelisting-local-domain-%28spamassassin---qmail%29-tp28364411p28374803.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Whitelisting local domain (spamassassin qmail)

2010-04-27 Thread Matus UHLAR - fantomas
On 27.04.10 02:26, Martin Caine wrote:
 Sorry for the confusion.
 
 I am talking about connecting from an untrusted IP. We do have
 authentication enabled on our SMTP server to disable relaying for unknown
 users but as far as I can tell there's nothing in the headers that seems to
 show this.
 
 ie: pc - smtp1 - inbox (just shows the PCs IP (dynamic) and receiving
 server info)
 ie: pc - smtp2 - smtp1 - inbox (shows info from my sending smtp2 server
 which I can use for whitelisting for a domain name that is external to
 smtp1).
 
 I'll take a look at the headers again and see if there's any sort of rule I
 can match against the header of the internal email.

what MTA do you use? many MTAs support adding authentication headers that
can be processed by spamassassin. Check for this.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
WinError #98652: Operation completed successfully.


Re: Whitelisting local domain (spamassassin qmail)

2010-04-27 Thread Martin Caine

We're using qmail with qmail-scanner (personally I'd prefer switching to
postfix but it's not practical to do that at the moment). I'll see if I can
find out how to add the auth information into the headers.

Thanks



Re: new kind of spam (apparently from mailer daemon)

2010-04-27 Thread Lucio Chiappetti

On Mon, 26 Apr 2010, Joseph Brennan wrote:


  empty and there was a single attachment transcript.zip.

 Very old-school, using pif and scr file extensions and the name with
 a lot of spaces in it (actually more spaces than I show here).

After posting, I found that a few others passed through, and a few were
blocked, all coming from 113.167.75.53, which curiously responds to a
reverse DNS query as localhost, and is in an IP range in Vietnam.

 It's almost like a very old virus that got reactivated somehow. How many
 email viruses do you even see these days? Did antivirus provide a name
 for this thing?


We are currently running with antivirus disabled, because the most recent 
clamav is incompatible with our OS version and we cannot upgrade soon.

But looking around, I suspect it could be w32.mydoom...@mm.

--

Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html



Re: IP reputation DB vendors

2010-04-27 Thread João Gouveia
Hi Jernej,

- Jernej Porenta jernej.pore...@arnes.si wrote:

 Heya,
 
 I am searching for commercial IP reputation DB access which I could
 use with SpamAssassin. 
 
 I know that there is DCC with IP reputation, but there aren't many
 others that I could use with SA (or frontend postfix server). I also
 found out MailSpike (http://mailspike.org), but I believe they are
 experiencing some technical issues at the moment.

I'm not aware of any issues.
Are you sure you're using the correct DNS zone?

 I know that
 TrustedSource and IronPort use their implementation of IP reputation,
 but it is unavailable outside their MTAs/hardware. 
 
 Do you know any other IP reputation databases (not RBLs), which
 operate through DNS, and what is your experience with them?
 
 thank you in advance,
 regards, Jernej

-- 
João Gouveia


Score overriding and behaviour

2010-04-27 Thread Giampaolo Tomassoni
Hi everybody.

Recently I updated my Gentoo installations to spamassassin-3.3.1-r1 (the
'r1' thing means a 'stock' SA-3.3.1 with some -often few - patches applied).

Everything worked fine after upgrading, but now I see that some rules I have
in my local.cf don't seem to work anymore.

Since they are very simple, I'm wondering why.

These rules were used to reverse the score points added by the FRT_SOMA and
FRT_SOMA2 rules when the text was in Italian and the word somma (which
means amount in English) was present. You may understand that this word is
quite common in business messages, so I had to place these:

...
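# Matches the Italian word "somma" surrounded by non-word characters
body      __SOMMA    m'\Wsomma\W'i

# Cancel FRT_SOMA / FRT_SOMA2 when the text is Italian and contains "somma"
meta      SOMMA      ( FRT_SOMA && __IN_ITALIAN && __SOMMA )
describe  SOMMA      E' somma...
score     SOMMA      -2.300
score     FRT_SOMA   2.300

meta      SOMMA2     ( FRT_SOMA2 && __IN_ITALIAN && __SOMMA )
describe  SOMMA2     E' sempre somma...
score     SOMMA2     -2.200
score     FRT_SOMA2  2.200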
...


Now the problem I see. First, __SOMMA doesn't trigger anymore, thereby SOMMA
and SOMMA2 don't too.

The second problem is that the FRT_SOMA and FRT_SOMA2 score override don't
work too: I see they respectively score 2.871 and 0.001, which are the ones
assigned to them by the current
3.003001/updates_spamassassin_org/50_scores.cf file by sa-update.

Both the effects are quite weird to me. Maybe I didn't pay attention to some
post in this list announcing a different behaviour of the body rules and a
new score override mechanism?

Thank you,

Giampaolo



Re: Score overriding and behaviour

2010-04-27 Thread Karsten Bräckelmann
On Tue, 2010-04-27 at 14:21 +0200, Giampaolo Tomassoni wrote:
 Everything worked fine after upgrading, but now I see that some rules I have
 in my local.cf don't seem to work anymore.

 The second problem is that the FRT_SOMA and FRT_SOMA2 score override don't
 work too: I see they respectively score 2.871 and 0.001, which are the ones
 assigned to them by the current
 3.003001/updates_spamassassin_org/50_scores.cf file by sa-update.
 
 Both the effects are quite weird to me. Maybe I didn't pay attention to some
 post in this list announcing a different behaviour of the body rules and a
 new score override mechanism?

No change in this logic and behavior.

Did you --lint check? Does it complain perhaps? To see which cf files
are used, feed a mail to spamassassin -D.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



RE: Score overriding and behaviour

2010-04-27 Thread Giampaolo Tomassoni
  Both the effects are quite weird to me. Maybe I didn't pay attention
 to some
  post in this list announcing a different behaviour of the body rules
 and a
  new score override mechanism?
 
 No change in this logic and behavior.
 
 Did you --lint check? Does it complain perhaps? To see which cf files
 are used, feed a mail to spamassassin -D.

Right, I do it when I change something. It doesn't complain at all.

I see this in the --lint -D output:


Apr 27 14:50:12.384 [31432] dbg: config: read file
/var/lib/spamassassin/3.003001/updates_spamassassin_org.cf


then, few lines below, I see:


Apr 27 14:50:12.385 [31432] dbg: config: read file
/etc/mail/spamassassin/local.cf


but I see the output talks about scores much later:


Apr 27 14:50:13.759 [31432] dbg: config: fixed relative path:
/var/lib/spamassassin/3.003001/updates_spamassassin_org/50_scores.cf
Apr 27 14:50:13.759 [31432] dbg: config: using
/var/lib/spamassassin/3.003001/updates_spamassassin_org/50_scores.cf for
included file
Apr 27 14:50:13.760 [31432] dbg: config: read file
/var/lib/spamassassin/3.003001/updates_spamassassin_org/50_scores.cf


Which may probably be why scores in local.cf are disregarded? Are they
basically overridden by 50_scores.cf, instead of being the contrary?

But then I can't remember any post about this matter...

Also, why


body  __SOMMA   m'\Wsomma\W'i


doesn't fire? I have the Rule2XSBody plugin active. Maybe somehow it wasn't
compiled? But why, then?

Giampaolo



Re: new kind of spam (apparently from mailer daemon)

2010-04-27 Thread John Hardin

On Tue, 27 Apr 2010, Lucio Chiappetti wrote:


 On Mon, 26 Apr 2010, Joseph Brennan wrote:

   empty and there was a single attachment transcript.zip.

  Very old-school, using pif and scr file extensions and the name with
  a lot of spaces in it (actually more spaces than I show here).

 After posting, I found that a few others passed through, and a few were
 blocked, all coming from 113.167.75.53, which curiously responds to a reverse
 DNS query as localhost, and is in an IP range in Vietnam.


That's apparently pretty common for sites in VN.

That by itself should have gotten 3.7 points. Is RDNS_LOCALHOST in your 
base rules? If not, you might want to run sa-update.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The one political issue that strips all politicians bare is
  individual gun rights.
---
 13 days since a sunspot last seen - EPA blames CO2 emissions


Re: new kind of spam (apparently from mailer daemon)

2010-04-27 Thread John Hardin

On Tue, 27 Apr 2010, John Hardin wrote:


 On Tue, 27 Apr 2010, Lucio Chiappetti wrote:

  On Mon, 26 Apr 2010, Joseph Brennan wrote:

    empty and there was a single attachment transcript.zip.

   Very old-school, using pif and scr file extensions and the name with
   a lot of spaces in it (actually more spaces than I show here).

  After posting, I found that a few others passed through, and a few were
  blocked, all coming from 113.167.75.53, which curiously responds to a
  reverse DNS query as localhost, and is in an IP range in Vietnam.

 That's apparently pretty common for sites in VN.

 That by itself should have gotten 3.7 points. Is RDNS_LOCALHOST in your
 base rules? If not, you might want to run sa-update.


Whoops. 3.7 points in scoreset zero, but only 0.1 in scoreset 3. Bummer.

You might want to explicitly set the score for RDNS_LOCALHOST higher.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The one political issue that strips all politicians bare is
  individual gun rights.
---
 13 days since a sunspot last seen - EPA blames CO2 emissions


Re: Score overriding and behaviour

2010-04-27 Thread Charles Gregory

On Tue, 27 Apr 2010, Giampaolo Tomassoni wrote:

 Also, why
 body  __SOMMA   m'\Wsomma\W'i

 doesn't fire? I have the Rule2XSBody plugin active. Maybe somehow it wasn't
 compiled? But why, then?


Do ANY of the rules in your local.cf fire? Try putting a test rule that 
will 'always' fire (like 'header From =~ /\@/') at the end of local.cf, 
then if it doesn't fire, start moving it up, to see if you can home in on 
a line that is perhaps aborting further reading of local.cf


- C




RE: Score overriding and behaviour

2010-04-27 Thread Giampaolo Tomassoni
 Do ANY of the rules in your local.cf fire?

Yes, they do. The __IN_ITALIAN rule referred by SOMMA and SOMMA2, in
example.


However,

 Try putting a test rule that
 will 'always' fire (like 'header From =~ /\@/') at the end of local.cf,
 then if it doesn't fire, start moving it up, to see if you can home in
 on a line that is perhaps aborting further reading of local.cf

bottom of local.cf:


header  ECERTO  From =~ /\@/


Score results:


 pts rule name              description
---- ---------------------- --------------------------------------------------
 ...
 1.0 ECERTO                 ECERTO
 2.9 FRT_SOMA               BODY: ReplaceTags: Soma
 0.0 FRT_SOMA2              BODY: ReplaceTags: Soma (2)
 ...




Never mind... (Was: RE: Score overriding and behaviour)

2010-04-27 Thread Giampaolo Tomassoni
It turns out I put this and other stuff in an if(0) endif block, such that it
of course didn't fire...

Thanks everybody!

Giampaolo
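
Added example, not part of the thread and not SpamAssassin's own code: both symptoms reported above (a rule that never fires and a score override that is ignored while --lint stays silent) come from lines sitting inside a constant-false conditional, so this sketch walks a local.cf and lists them. The directive subset, the function name and the sample file are assumptions made for illustration; only constant `if (0)` / `if (1)` conditions are evaluated, anything else is treated as unknown.

```python
"""List SpamAssassin rule lines that a constant-false `if` block keeps from loading."""
import re

# Directives whose second token is a rule name (a common subset, not exhaustive).
RULE_DIRECTIVES = {"header", "body", "rawbody", "full", "uri",
                   "meta", "score", "describe", "tflags"}

OPEN_RE = re.compile(r"^(ifplugin|if)\b")           # opens a conditional block
CONST_RE = re.compile(r"^if\s*\(?\s*([01])\s*\)?$")  # if (0), if(0), if 1, ...


def dead_rule_lines(cf_text):
    """Return {rule name: [(line number, directive), ...]} for disabled lines."""
    stack = []  # one entry per open block: True/False if constant, None if unknown
    dead = {}
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word = line.split()[0]
        if OPEN_RE.match(line):
            const = CONST_RE.match(line)
            stack.append(bool(int(const.group(1))) if const else None)
        elif word == "else":
            # Only a known constant can be flipped; unknown stays unknown.
            if stack and stack[-1] is not None:
                stack[-1] = not stack[-1]
        elif word == "endif":
            if stack:
                stack.pop()
        elif any(state is False for state in stack):
            # Inside at least one block that can never be true.
            parts = line.split()
            if len(parts) >= 2 and parts[0] in RULE_DIRECTIVES:
                dead.setdefault(parts[1], []).append((lineno, parts[0]))
    return dead


# Constructed sample reproducing the situation from the thread (line 1 is blank).
SAMPLE_LOCAL_CF = r"""
header    ECERTO     From =~ /\@/
if (0)
body      __SOMMA    m'\Wsomma\W'i
meta      SOMMA      ( FRT_SOMA && __IN_ITALIAN && __SOMMA )
score     SOMMA      -2.300
score     FRT_SOMA   2.300
endif
score     BAYES_99   4
"""

if __name__ == "__main__":
    for rule, hits in dead_rule_lines(SAMPLE_LOCAL_CF).items():
        for lineno, directive in hits:
            print(f"line {lineno}: '{directive} {rule}' is inside a disabled block")
```

The live `ECERTO` rule and the `BAYES_99` score are not reported; the `score FRT_SOMA` override is, which is why the value from 50_scores.cf still applied.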




Re: [sa] RE: Score overriding and behaviour

2010-04-27 Thread Charles Gregory

On Tue, 27 Apr 2010, Giampaolo Tomassoni wrote:

  Do ANY of the rules in your local.cf fire?

 Yes, they do. The __IN_ITALIAN rule referred by SOMMA and SOMMA2, in
 example.


Just a side thought, but are we checking for SOMMA or SOMA? One 'm' or 
two? FRT_SOMA2


Try 'retyping' the __SOMMA rule without the m' 

body __SOMMA /\Wsomma\W/i

Also, look for a 'runaway' unclosed quote on a prior rule (though I would 
expect such a condition to barf error messages like crazy)


- C


RE: [sa] RE: Score overriding and behaviour

2010-04-27 Thread Giampaolo Tomassoni
 On Tue, 27 Apr 2010, Giampaolo Tomassoni wrote:
  Do ANY of the rules in your local.cf fire?
  Yes, they do. The __IN_ITALIAN rule referred by SOMMA and SOMMA2, in
  example.
 
 Just a side thought, but are we checking for SOMMA or SOMA? One 'm' or
 two? FRT_SOMA2
 
 Try 'retyping' the __SOMMA rule without the m' 
 
 body __SOMMA /\Wsomma\W/i
 
 Also, look for a 'runaway' unclosed quote on a prior rule (though I
 would
 expect such a condition to barf error messages like crazy)

I was checking for m/\Wsomma\W/i in body, but maybe the leading 'm' got
somehow removed in my typing. Or I should say reoved, then?

However, you've probably already seen that I'm a dumb fish, since I forgot I
had disabled these (and others) rules by enclosing them in a if(0)...endif
block. This happened many months ago.

You know, now spamassassin is much more robust than at its starts. Now it is
a lot like a setup-and-forget product. I accomplished to this by
forgetting having disabled rules... :)

Sorry for bothering you and others,

Giampaolo



Re: Filtering zip spam

2010-04-27 Thread Alex
Hi,

 Might as well just block all of \.fr at smtp time for that matter :-)
 Poor France :(

 I mostly do... au revoir Le France

Somewhat off-topic, but in the interest of increasing awareness, India
reportedly ranks first:

http://www.dnaindia.com/mumbai/report_india-ranks-first-in-sending-spam-mails_1374118

Regards,
Alex


spamc output

2010-04-27 Thread Christian Gregoire
Hi,

Using SA v3.3.1 spamc command-line client : the message analyzed being either 
spam or ham, can I have the message left untouched except for the X-Spam 
headers ? For example, in case of a spam message, I'd like to have:

From: Test t...@example.com
To: t...@example.com
Subject: Test
Date: Thu, 7 May 2009 01:10:09 -0600
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on webmail-2
X-Spam-Flag: YES
X-Spam-Level: **
X-Spam-Status: Yes, score=50.5 required=7.0 tests=DOS_OE_TO_MX,
FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_MESSAGE,

KB_RATWARE_OUTLOOK_MID,MIME_QP_LONG_LINE,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,
RCVD_IN_SORBS_DUL,RCVD_IN_SORBS_WEB,RDNS_NONE,
SANE_7429530a7398f43f1f1b795f9420714e,T_SURBL_MULTI1,T_SURBL_MULTI2,
T_SURBL_MULTI3,T_URIBL_BLACK_OVERLAP,URIBL_AB_SURBL,URIBL_BLACK,
URIBL_DBL_SPAM,URIBL_GREY,URIBL_JP_SURBL,URIBL_PH_SURBL,URIBL_SC_SURBL,
URIBL_WS_SURBL autolearn=spam version=3.3.1
X-Custom-1: x
X-Custom-2: x
X-Custom-3: x


and in the case of a ham message :

From: Test t...@example.com
To: t...@example.com
Subject: Test
Date: Thu, 7 May 2009 01:10:09 -0600
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on webmail-2
X-Spam-Level: *
X-Spam-Status: No, score=1 required=7.0 tests=DOS_OE_TO_MX autolearn=spam 
version=3.3.1
X-Custom-1: x
X-Custom-2: x
X-Custom-3: x


When a spam, since the message is rewritten, my X-Custom headers are removed, 
which breaks the rest of the processing of the message in my MTA.

I've tried the different options available according to the 'spamc --help' 
output (-c, -y, -r, ..) but none fits my needs.

Thanks for your help.

Christian





Re: Filtering zip spam

2010-04-27 Thread corpus.defero
On Tue, 2010-04-27 at 11:08 -0400, Alex wrote:
 Hi,
 
  Might as well just block all of \.fr at smtp time for that matter :-)
  Poor France :(
 
  I mostly do... au revoir Le France
 
 Somewhat off-topic, but in the interest of increasing awareness, India
 reportedly ranks first:
 
 http://www.dnaindia.com/mumbai/report_india-ranks-first-in-sending-spam-mails_1374118
 
 Regards,
 Alex

Not in my logs it doesn't ;-) but each user and server has different
experiences.



Re: spamc output

2010-04-27 Thread Karsten Bräckelmann
On Tue, 2010-04-27 at 16:35 +, Christian Gregoire wrote:
 Using SA v3.3.1 spamc command-line client : the message analyzed being
 either spam or ham, can I have the message left untouched except for
 the X-Spam headers ?

 When a spam, since the message is rewritten, my X-Custom headers are
 removed, which breaks the rest of the processing of the message in my
 MTA.

SA does not remove headers. Even less so spamc. :)

I guess you're only looking at the wrapper mail for spam. All your
original, untouched headers are in the attached message. This behavior,
wrapping classified spam, is a configuration option. For SA, not spamc.


#   Save spam messages as a message/rfc822 MIME attachment instead of
#   modifying the original message (0: off, 2: use text/plain instead)
# report_safe 1

I believe  report_safe 0  in local.cf is what you want.

  guenther

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: spamc output

2010-04-27 Thread Bowie Bailey
Christian Gregoire wrote:
 Hi,

 Using SA v3.3.1 spamc command-line client : the message analyzed being either 
 spam or ham, can I have the message left untouched except for the X-Spam 
 headers ? For example, in case of a spam message, I'd like to have:

 From: Test t...@example.com
 To: t...@example.com
 Subject: Test
 Date: Thu, 7 May 2009 01:10:09 -0600
 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on webmail-2
 X-Spam-Flag: YES
 X-Spam-Level: **
 X-Spam-Status: Yes, score=50.5 required=7.0 tests=DOS_OE_TO_MX,
 FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_MESSAGE,
 
 KB_RATWARE_OUTLOOK_MID,MIME_QP_LONG_LINE,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,
 RCVD_IN_SORBS_DUL,RCVD_IN_SORBS_WEB,RDNS_NONE,
 SANE_7429530a7398f43f1f1b795f9420714e,T_SURBL_MULTI1,T_SURBL_MULTI2,
 T_SURBL_MULTI3,T_URIBL_BLACK_OVERLAP,URIBL_AB_SURBL,URIBL_BLACK,
 
 URIBL_DBL_SPAM,URIBL_GREY,URIBL_JP_SURBL,URIBL_PH_SURBL,URIBL_SC_SURBL,
 URIBL_WS_SURBL autolearn=spam version=3.3.1
 X-Custom-1: x
 X-Custom-2: x
 X-Custom-3: x


 and in the case of a ham message :

 From: Test t...@example.com
 To: t...@example.com
 Subject: Test
 Date: Thu, 7 May 2009 01:10:09 -0600
 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on webmail-2
 X-Spam-Level: *
 X-Spam-Status: No, score=1 required=7.0 tests=DOS_OE_TO_MX autolearn=spam 
 version=3.3.1
 X-Custom-1: x
 X-Custom-2: x
 X-Custom-3: x


 When a spam, since the message is rewritten, my X-Custom headers are removed, 
 which breaks the rest of the processing of the message in my MTA.

 I've tried the different options available according to the 'spamc --help' 
 output (-c, -y, -r, ..) but none fits my needs.
   

The option you want isn't a spamc option, but a general SpamAssassin option.

Add this line to your local.cf file and then restart spamd:

report_safe 0

Take a look at the man page for Mail::SpamAssassin::Conf for details.

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html

-- 
Bowie
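
Added example, not part of the thread and not SpamAssassin code: with `report_safe 1` the original message travels as a message/rfc822 attachment inside the wrapper, as both replies above explain, so a downstream consumer that cannot switch to `report_safe 0` has to read its X-Custom headers from that attachment. The wrapper built here is a constructed stand-in with the same MIME structure, the function names are hypothetical, and `X-Spam-Flag` is assumed to be set by your own SpamAssassin.

```python
"""Read custom headers whether or not SpamAssassin wrapped the message."""
from email import message_from_bytes, policy
from email.message import EmailMessage


def original_message(raw, unwrap=True):
    """Return the message whose headers downstream processing should use."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES"
    if unwrap and flagged and msg.is_multipart():
        # Only direct children: the wrapper attaches the original at top level.
        for part in msg.iter_parts():
            if part.get_content_type() == "message/rfc822":
                return part.get_payload(0)
    return msg


def custom_headers(raw, prefix="X-Custom-", unwrap=True):
    """Collect headers starting with `prefix` from the effective message."""
    src = original_message(raw, unwrap=unwrap)
    return {name: str(value) for name, value in src.items()
            if name.startswith(prefix)}


def sample_original():
    """Constructed test message modelled on the one quoted in the thread."""
    m = EmailMessage()
    m["From"] = "Test <test@example.com>"
    m["To"] = "test@example.com"
    m["Subject"] = "Test"
    m["Date"] = "Thu, 7 May 2009 01:10:09 -0600"
    for n in (1, 2, 3):
        m[f"X-Custom-{n}"] = "x"
    m.set_content("Test body\n")
    return m


def build_wrapped(orig):
    """Constructed stand-in for a report_safe 1 wrapper (structure only)."""
    w = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if orig[name] is not None:
            w[name] = str(orig[name])
    w["X-Spam-Flag"] = "YES"
    w.set_content("Spam detection software has identified this mail as spam.\n")
    w.add_attachment(orig)  # becomes a message/rfc822 part
    return w


if __name__ == "__main__":
    wrapped = build_wrapped(sample_original()).as_bytes()
    print("wrapper headers :", custom_headers(wrapped, unwrap=False))
    print("original headers:", custom_headers(wrapped))
```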


Re: Score overriding and behaviour

2010-04-27 Thread John Hardin

On Tue, 27 Apr 2010, Giampaolo Tomassoni wrote:

 Also, why
 body  __SOMMA   m'\Wsomma\W'i

 doesn't fire?


This is more a stylistic comment, but: you don't need to alter the
delimiters on that RE. Does this behave any better?


   body  __SOMMA   /\Wsomma\W/i

That also won't hit if somma appears at the beginning or end of a line. 
Perhaps this would work better?


   body  __SOMMA   /\bsomma\b/i

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If guards and searches and metal detectors can't keep a gun out of
  a maximum-security solitary confinement prisoner's cell, how will
  a disciplinary policy and some signs keep guns out of a university?
---
 13 days since a sunspot last seen - EPA blames CO2 emissions


RE: Score overriding and behaviour

2010-04-27 Thread Giampaolo Tomassoni
 On Tue, 27 Apr 2010, Giampaolo Tomassoni wrote:
   Also, why
   body  __SOMMA   m'\Wsomma\W'i
 
   doesn't fire?
 
 This is more a stylistic comment, but: you don't need to alter the
 delimiters on that RE. Does this behave any better?
 
 body  __SOMMA   /\Wsomma\W/i

John, problem solved: these rows were all disabled, being in an if(0)...endif
block. I already posted an "I'm a dumb fish" statement about it.

I'm used to using m'...' because occasionally I have regexp with some '/' in
it, so my special regexp rules are almost all that way.


 That also won't hit if somma appears at the beginning or end of a
 line.
 Perhaps this would work better?
 
 body  __SOMMA   /\bsomma\b/i

It would be almost always counter-productive. Somma is (like in english) a
noun, so if it is early in a line, it is at least prefixed by an article:
LA somma è ... (The amount is ...)

It very seldom may appear last in a row, since it would instead be followed
by some '.,;': Questa è la somma:.

I may accept the writer to be an accountant/salesman. I can't accept he/she
writes in bad italian. If he/she does... well, it's FRT_SOMA time, which is
no big deal after all (a couple of spam points)... ;)

Thank you, anyway,

Giampaolo



RE: Score overriding and behaviour

2010-04-27 Thread John Hardin

On Tue, 27 Apr 2010, Giampaolo Tomassoni wrote:


  On Tue, 27 Apr 2010, Giampaolo Tomassoni wrote:

   Also, why
   body  __SOMMA   m'\Wsomma\W'i

   doesn't fire?

  This is more a stylistic comment, but: you don't need to alter the
  delimiters on that RE. Does this behave any better?

  body  __SOMMA   /\Wsomma\W/i

 John, problem solved: these rows were all disabled, being in an if(0)...endif
 block. I already posted an "I'm a dumb fish" statement about it.

Yeah, and I saw that just after hitting {send} on the above. :)

 I'm used to using m'...' because occasionally I have regexp with some '/' in
 it, so my special regexp rules are almost all that way.

That's reasonable, until you want to write a RE with a single quote in
it... :)

  That also won't hit if somma appears at the beginning or end of a
  line. Perhaps this would work better?

  body  __SOMMA   /\bsomma\b/i

 It would be almost always counter-productive. Somma is (like in english) a
 noun, so if it is early in a line, it is at least prefixed by an article:
 LA somma è ... (The amount is ...)

 It very seldom may appear last in a row, since it would instead be followed
 by some '.,;': Questa è la somma:.


OK.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 13 days since a sunspot last seen - EPA blames CO2 emissions

Re : spamc output

2010-04-27 Thread Christian Gregoire
Great, that's it. Thank you both, Bowie and Karsten.




- Original message
From: Bowie Bailey bowie_bai...@buc.com
To: users@spamassassin.apache.org
Sent: Tue 27 April 2010, 18:59:07
Subject: Re: spamc output

Christian Gregoire wrote:
 Hi,

 Using SA v3.3.1 spamc command-line client : the message analyzed being either 
 spam or ham, can I have the message left untouched except for the X-Spam 
 headers ? For example, in case of a spam message, I'd like to have:

 From: Test t...@example.com
 To: t...@example.com
 Subject: Test
 Date: Thu, 7 May 2009 01:10:09 -0600
 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on webmail-2
 X-Spam-Flag: YES
 X-Spam-Level: **
 X-Spam-Status: Yes, score=50.5 required=7.0 tests=DOS_OE_TO_MX,
 FH_HELO_EQ_D_D_D_D,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_MESSAGE,
 
 KB_RATWARE_OUTLOOK_MID,MIME_QP_LONG_LINE,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,
 RCVD_IN_SORBS_DUL,RCVD_IN_SORBS_WEB,RDNS_NONE,
 SANE_7429530a7398f43f1f1b795f9420714e,T_SURBL_MULTI1,T_SURBL_MULTI2,
 T_SURBL_MULTI3,T_URIBL_BLACK_OVERLAP,URIBL_AB_SURBL,URIBL_BLACK,
 
 URIBL_DBL_SPAM,URIBL_GREY,URIBL_JP_SURBL,URIBL_PH_SURBL,URIBL_SC_SURBL,
 URIBL_WS_SURBL autolearn=spam version=3.3.1
 X-Custom-1: x
 X-Custom-2: x
 X-Custom-3: x


 and in the case of a ham message :

 From: Test t...@example.com
 To: t...@example.com
 Subject: Test
 Date: Thu, 7 May 2009 01:10:09 -0600
 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on webmail-2
 X-Spam-Level: *
 X-Spam-Status: No, score=1 required=7.0 tests=DOS_OE_TO_MX autolearn=spam 
 version=3.3.1
 X-Custom-1: x
 X-Custom-2: x
 X-Custom-3: x


 When a spam, since the message is rewritten, my X-Custom headers are removed, 
 which breaks the rest of the processing of the message in my MTA.

 I've tried the different options available according to the 'spamc --help' 
 output (-c, -y, -r, ..) but none fits my needs.
  

The option you want isn't a spamc option, but a general SpamAssassin option.

Add this line to your local.cf file and then restart spamd:

report_safe 0

Take a look at the man page for Mail::SpamAssassin::Conf for details.

http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Conf.html

-- 
Bowie






Spamd children sporadically aborting with glibc error

2010-04-27 Thread PaulYo

Hello,

We are experiencing a sporadic error running SA 3.3.1 on an Ubuntu distro,
with the following behavior: a message is being processed and a spamd child
dies allowing the spam message to go through to the qmail queue.  The spam
goes through, unfortunately, but then processing continues normally and
catches the next few spam messages before being brought down again by this
bug.

The parameters we are using are:

exec /usr/bin/spamd --round-robin --min-spare=1 --min-children=5
--max-spare=10 --max-children=20 --max-conn-per-child=999 -x -u vpopmail
-s stderr 2>&1

The contents of our local.cf file are:

report_safe 0
rewrite_header  Subject ***SPAM***
required_hits 2
bayes_file_mode 0700
bayes_path /etc/mail/spamassassin/.spamassassin/bayes_
bayes_auto_learn_threshold_spam 6.0
ok_locales all
add_header spam Flag _YESNOCAPS_
use_bayes 1
bayes_ignore_header X-Greylist
bayes_ignore_header X-SMTP-Vilter-Backend
bayes_ignore_header X-SMTP-Vilter-Status
bayes_ignore_header X-SMTP-Vilter-Version
bayes_ignore_header X-Scanned-By
bayes_ignore_header X-Virus-Scan
razor_timeout   15
razor_config    /etc/razor/razor-agent.conf
# Raise the scores on certain rules.
score MIME_HTML_ONLY          2.0
score OBFUSCATING_COMMENT     2.0
score RAZOR2_CF_RANGE_51_100  5.0
score BAYES_50                1.5
score BAYES_60                2.0
score BAYES_80                2.5
score BAYES_95                3
score BAYES_99                4
score RCVD_IN_BSP_TRUSTED     0.001

The contents of the spamd log file each time this occurs is something like
this:

@40004bd7466922cfe744 *** glibc detected *** spamd child: free():
invalid next size (fast): 0x0a9c3028 ***
@40004bd7466922d50bac === Backtrace: =
@40004bd7466922d5c344 /lib/tls/i686/cmov/libc.so.6(+0x6b591)[0x17b591]
@40004bd7466922d66b3c /lib/tls/i686/cmov/libc.so.6(+0x6cde8)[0x17cde8]
@40004bd7466922d71b04 /lib/tls/i686/cmov/libc.so.6(cfree+0x6d)[0x17fecd]
@40004bd7466922d7f9ac /usr/lib/libdb-4.8.so(__os_free+0x40)[0x1124d00]
@40004bd7466922d89204
/usr/lib/libdb-4.8.so(__env_region_detach+0x74)[0x10f77e4]
@40004bd7466922d9228c
/usr/lib/libdb-4.8.so(__memp_env_refresh+0x1f1)[0x111e951]
@40004bd7466922d9af2c
/usr/lib/libdb-4.8.so(__env_refresh+0x156)[0x10f4336]
@40004bd7466922da37e4 /usr/lib/libdb-4.8.so(__env_close+0x68)[0x10f4de8]
@40004bd7466922dad424 /usr/lib/libdb-4.8.so(__db_close+0xe6)[0x10b5e96]
@40004bd7466922db7064
/usr/lib/libdb-4.8.so(__db_close_pp+0xec)[0x10d0b8c]
@40004bd7466922dba32c
/usr/lib/perl/5.10/auto/DB_File/DB_File.so(XS_DB_File_DESTROY+0x288)[0x742c98]
@40004bd7466922dc379c spamd child(Perl_pp_entersub+0x533)[0x80d5af3]
@40004bd7466922dcc054 spamd child(Perl_call_sv+0x5a8)[0x807c028]
@40004bd7466922dd607c spamd child(Perl_sv_clear+0xa3)[0x80e7c33]
@40004bd7466922de00a4 spamd child(Perl_sv_free2+0x4a)[0x80e835a]
@40004bd7466922dea0cc spamd child(Perl_sv_clear+0x3cf)[0x80e7f5f]
@40004bd7466922df40f4 spamd child(Perl_sv_free2+0x4a)[0x80e835a]
@40004bd7466922dfdd34 spamd child(Perl_sv_unmagic+0xca)[0x80e86fa]
@40004bd7466922e08cfc spamd child(Perl_pp_untie+0x5f)[0x811f1ef]
@40004bd7466922e12d24 spamd child(Perl_runops_standard+0x18)[0x80d3ee8]
@40004bd7466922e1b9c4 spamd child(perl_run+0x225)[0x807c7c5]
@40004bd7466922e23aac spamd child(main+0xed)[0x806437d]
@40004bd7466922e2c364
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x126bd6]
@40004bd7466922e34c1c spamd child[0x80641f1]

Re: Spamd children sporadically aborting with glibc error

2010-04-27 Thread Karsten Bräckelmann
On Tue, 2010-04-27 at 13:43 -0700, PaulYo wrote:
 We are experiencing a sporadic error running SA 3.3.1 on an Ubuntu distro,
 with the following behavior: a message is being processed and a spamd child
 dies allowing the spam message to go through to the qmail queue.  [...]

 required_hits 2

This is seriously low.

 score BAYES_50  1.5
 score BAYES_60  2.0

And not a good idea (to avoid stronger words) with *these* scores. A
bayes value of 0.5 means unsure. It is between 0 (ham) and 1.0 (spam).


 The contents of the spamd log file each time this occurs is something like
 this:
 
 @40004bd7466922cfe744 *** glibc detected *** spamd child: free():
 invalid next size (fast): 0x0a9c3028 ***

SA is written in Perl, not C. It doesn't use glibc directly. So this
issue most likely is either a bug in Perl, or your specific binaries of
Perl or glibc.

 I've read isolated reports of Ubuntu having malloc() issues possibly related
 to their switch from glibc to eglibc, but unfortunately I'm not versed
 enough in the C language to be sure.

sic ;)


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
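
The point made in the reply above about `required_hits 2` combined with the raised BAYES_50 and BAYES_60 scores, as an added example that is not part of the original thread: a small audit of local.cf-style text that reports which Bayes rules supply most of the spam threshold on weak evidence. The probability ranges are those of the stock Bayes rules; the function names and the two cut-offs (`weak_below`, `max_share`) are assumptions of this example.

```python
# Added example: audits local.cf-style text for Bayes overrides that carry
# most of the spam threshold on weak evidence. Names are hypothetical.

# Probability range (0 = ham, 1 = spam) behind each stock Bayes rule.
BAYES_RANGES = {
    "BAYES_00": (0.00, 0.01), "BAYES_05": (0.01, 0.05),
    "BAYES_20": (0.05, 0.20), "BAYES_40": (0.20, 0.40),
    "BAYES_50": (0.40, 0.60), "BAYES_60": (0.60, 0.80),
    "BAYES_80": (0.80, 0.95), "BAYES_95": (0.95, 0.99),
    "BAYES_99": (0.99, 1.00),
}

# Constructed sample: threshold and Bayes overrides quoted in the thread.
SAMPLE_LOCAL_CF = """\
report_safe 0
required_hits 2
# Raise the scores on certain rules.
score BAYES_50  1.5
score BAYES_60  2.0
score BAYES_80  2.5
score BAYES_95  3
score BAYES_99  4
"""


def parse_local_cf(text):
    """Return (threshold, {rule: score}) from local.cf-style text."""
    threshold, scores = 5.0, {}  # 5.0 is the stock required_score
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        key = fields[0].lower()
        try:
            # required_hits is the older spelling of required_score.
            if key in ("required_score", "required_hits"):
                threshold = float(fields[1])
            elif key == "score" and len(fields) >= 3:
                # One value applies to every score set; with four values
                # the last one is the Bayes + network-tests set.
                scores[fields[1]] = float(fields[-1])
        except ValueError:
            continue  # e.g. relative scores such as "(0.5)"; not handled
    return threshold, scores


def audit_bayes(text, weak_below=0.80, max_share=0.5):
    """Flag Bayes rules whose range starts below `weak_below` yet whose
    score is at least `max_share` of the threshold (example cut-offs)."""
    threshold, scores = parse_local_cf(text)
    findings = []
    if threshold <= 0:
        return threshold, findings
    for rule, (low, high) in BAYES_RANGES.items():
        score = scores.get(rule, 0.0)
        if score <= 0 or low >= weak_below:
            continue
        share = round(score / threshold, 2)
        if share >= max_share:
            findings.append({"rule": rule, "range": (low, high),
                             "score": score, "share": share,
                             "alone_is_spam": score >= threshold})
    return threshold, findings


if __name__ == "__main__":
    limit, flagged = audit_bayes(SAMPLE_LOCAL_CF)
    for f in flagged:
        print(f"{f['rule']} p={f['range']} score={f['score']} "
              f"= {f['share']:.0%} of required {limit}")
```
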



Re: Postifx and Spamassassin w/o Clamav/Amavis-new

2010-04-27 Thread Christian Gonzalez
 On 4/26/10, Christian Gonzalez ch...@chf.info.tm wrote:

 Hence I had to disable Amavis-new/Clamav in order to keep receiving my
 emails but this also disabled SpamAssassin. I would like to keep at
 least
 SpamAssassin working, I found some howtos and guides [1][2] about it but
 none of them worked for me.

 Until you get ClamAV fixed, you can disable virus scanning inside of
 amavisd-new. So, you can keep SA by putting things back the way they
 were, and setting this in amavisd.conf:

 @bypass_virus_checks_maps = (1);


 --
 Gary V




From David B Funk
 Suggestions; completely kill and restart Amavis-new, see if it loads and
 uses the new LibClamAV library. If that doesn't fix it, find -all-
 instances of LibClamAV on your system, remove them, re-do the 0.96
 install and restart. If it still isn't working, ask your question on the
 Amavis list as there may be some update for Amavis-new that is also
 needed.

I tried your first suggestion but it didn't work. I'll try to completely get
rid of Clamav installation and see what happens. I'll let you know.


From Gary V
 Until you get ClamAV fixed, you can disable virus scanning inside of
 amavisd-new. So, you can keep SA by putting things back the way they
 were, and setting this in amavisd.conf:

 @bypass_virus_checks_maps = (1);


Yes sir! That did the trick! That was what I was looking for!

Also I had to uncomment

content_filter = smtp-amavis:[127.0.0.1]:10024

from main.cf and that completed the circle. Many thanks to all!


Christian



Re: Postifx and Spamassassin w/o Clamav/Amavis-new

2010-04-27 Thread Christian Gonzalez

From David B Funk
 Suggestions; completely kill and restart Amavis-new, see if it loads and
 uses the new LibClamAV library. If that doesn't fix it, find -all-
 instances of LibClamAV on your system, remove them, re-do the 0.96
 install and restart. If it still isn't working, ask your question on the
 Amavis list as there may be some update for Amavis-new that is also
 needed.


Yes! Yes! Yes! You were right!! I got rid of every file related to Clamav
and reinstalled it. Now it's working again! Yes sir!

Thank you again!! I asked a question and in less than 24 hours you guys
helped me to resolve this issue. What a great community!


Christian



r...@mailserver2:/usr/src/packages# installpkg clamav-0.96-i686-3_SBo.tgz
Installing package clamav-0.96-i686-3_SBo...
PACKAGE DESCRIPTION:
clamav: clamav (a GPL-ed virus scanner)
clamav:
clamav: Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
clamav: of this software is the integration with mail servers (attachment
clamav: scanning). The package provides a flexible and scalable
multi-threaded
clamav: daemon, a command line scanner, and a tool for automatic updating via
clamav: Internet.
clamav: Most importantly, the virus database is kept up to date .
clamav: For setup, see README.slackware in the /usr/doc/clamav-*  directory.
clamav:
clamav: clamav info at http://www.clamav.net/
Executing install script for clamav-0.96-i686-3_SBo...

r...@mailserver2:/usr/src/packages# freshclam
ClamAV update process started at Tue Apr 27 22:05:57 2010
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder:
sven)
WARNING: getfile: daily-10678.cdiff not found on remote server (IP:
194.8.197.22)
WARNING: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
Trying host db.us.clamav.net (194.47.250.218)...
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.us.clamav.net (IP:
194.47.250.218): Operation now in progress
WARNING: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
Trying host db.us.clamav.net (194.186.47.19)...
WARNING: getfile: daily-10678.cdiff not found on remote server (IP:
194.186.47.19)
WARNING: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.us.clamav.net (199.184.215.2)...
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.us.clamav.net (IP:
199.184.215.2): Operation now in progress
WARNING: Can't download daily.cvd from db.us.clamav.net
Trying again in 5 secs...
ClamAV update process started at Tue Apr 27 22:07:05 2010
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder:
sven)
Trying host db.us.clamav.net (207.57.106.31)...
WARNING: getfile: daily-10678.cdiff not found on remote server (IP:
207.57.106.31)
WARNING: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
Trying host db.us.clamav.net (208.72.56.53)...
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.us.clamav.net (IP:
208.72.56.53): Operation now in progress
WARNING: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
Trying host db.us.clamav.net (209.209.47.66)...
WARNING: getfile: daily-10678.cdiff not found on remote server (IP:
209.209.47.66)
WARNING: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.us.clamav.net (209.222.131.222)...
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.us.clamav.net (IP:
209.222.131.222): Operation now in progress
WARNING: Can't download daily.cvd from db.us.clamav.net
Trying again in 5 secs...
ClamAV update process started at Tue Apr 27 22:08:12 2010
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder:
sven)
Trying host db.us.clamav.net (213.165.80.159)...
WARNING: getfile: daily-10678.cdiff not found on remote server (IP:
213.165.80.159)
WARNING: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
Trying host db.us.clamav.net (150.214.142.197)...
WARNING: getfile: daily-10678.cdiff not found on remote server (IP:
150.214.142.197)
WARNING: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
Trying host db.us.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10678.cdiff not found on remote server (IP:
155.98.64.87)
ERROR: getpatch: Can't download daily-10678.cdiff from db.us.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.us.clamav.net (168.143.19.95)...
Downloading daily.cvd [100%]
daily.cvd updated (version: 10847, sigs: 54161, f-level: 51, builder:
ccordes)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 12, sigs: 2, f-level: 51, builder: nervous)
Database updated (758890 signatures) from db.us.clamav.net (IP:
168.143.19.95)
WARNING: Clamd was NOT notified: Can't connect to clamd 

Re: REMOVE my email , Thanks

2010-04-27 Thread BILLY/NICER

Dear Sir,

Please REMOVE my email address from your list, everyday have too many email 
forward to me.


Thanks & Best Regards,

Billy Lau
Direct Line:(852) 3969 0684 / Cell Phone:(852) 9220 1286
Email:  sal...@fashionable.com.hk

Nicer Fashion Ltd.
Tel:(852) 3969 0688
FAX:(852) 2361 9964
URL: www.fashionable.com.hk
9/F, Full View Factory Building,
50-52, Tong Mi Road, Mong Kok,
Kowloon, Hong Kong.


Re: REMOVE my email , Thanks

2010-04-27 Thread Benny Pedersen

On Wed 28 Apr 2010 03:25:26 CEST, BILLY/NICER wrote:
Please REMOVE my email address from your list, everyday have too  
many email forward to me.


List-Help:  users-h...@spamassassin.apache.org
List-Unsubscribe:   users-unsubscr...@spamassassin.apache.org
List-Post:  users@spamassassin.apache.org

try sending to other email then post :)

remember to do this as the email you forward from !

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Spamassassin rewriting headers of messages that are not marked Spam

2010-04-27 Thread John Hardin

On Tue, 27 Apr 2010, Sitapati wrote:


My spamassassin installation suddenly (since March) started rewriting the
headers of messages that are not spam.

Here's an example:

X-Spam-Status: No, score=3.9 required=5.0 tests=AWL,BAYES_50,
DNS_FROM_OPENWHOIS,FH_DATE_PAST_20XX,HTML_MESSAGE,URG_BIZ autolearn=no
version=3.2.5


Not that this will fix your header-rewriting problem, but if you're seeing 
FH_DATE_PAST_20XX hits you _really_ ought to run sa-update and get your 
rules updated.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Of the twenty-two civilizations that have appeared in history,
  nineteen of them collapsed when they reached the moral state the
  United States is in now.  -- Arnold Toynbee
---
 13 days since a sunspot last seen - EPA blames CO2 emissions


Re: Spamassassin rewriting headers of messages that are not marked Spam

2010-04-27 Thread Alex
Hi,

 My spamassassin installation suddenly (since March) started rewriting the
 headers of messages that are not spam.

March isn't so suddenly. Why is it a problem now and not last month?
Are you sure it is your system that is rewriting the headers? Is it
happening on every email?

 X-Spam-Status: No, score=3.9 required=5.0 tests=AWL,BAYES_50,
 DNS_FROM_OPENWHOIS,FH_DATE_PAST_20XX,HTML_MESSAGE,URG_BIZ autolearn=no

That says that it isn't spam, so it doesn't seem likely that your
system would be rewriting the subject header to say that it's spam.
What setting do you have in local.cf for reporting? Check these
variables:

report_safe
clear_report_template
report
add_header all

 It's SpamAssassin 3.2.5 (2008-06-10) running on RHEL 5.5. Anyone have any
 ideas on what it might be or what to look for?

You should also verify the method by which the regular updates are
being applied, as the FH_DATE_PAST_20XX could be a sign of an
outstanding bug in the default v3.2.5 72_active.cf file.

Regards,
Alex
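
The checks suggested in the two replies above, as an added example that is not part of the original thread: it unfolds and parses the quoted X-Spam-Status header, confirms the verdict agrees with score and required, notes a tagged Subject on a message this pass did not call spam, and flags the FH_DATE_PAST_20XX hit as a reason to run sa-update. The Subject line, the `***SPAM***` tag and the function names are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed message: the X-Spam-Status header quoted in the thread plus an
# assumed Subject carrying a rewrite tag ("***SPAM***" is a placeholder).
SAMPLE = """\
Subject: ***SPAM*** Quarterly figures
X-Spam-Status: No, score=3.9 required=5.0 tests=AWL,BAYES_50,
\tDNS_FROM_OPENWHOIS,FH_DATE_PAST_20XX,HTML_MESSAGE,URG_BIZ autolearn=no
\tversion=3.2.5

body
"""


def parse_spam_status(value):
    """Parse a (possibly folded) X-Spam-Status value into a dict."""
    # Unfold continuation lines first; the tests list is split across them.
    flat = re.sub(r"\r?\n[ \t]+", " ", value).strip()
    head = re.match(r"(yes|no)\s*,\s*(.*)$", flat, re.IGNORECASE)
    if head is None:
        raise ValueError("not an X-Spam-Status value: %r" % flat)
    # key=value pairs; a value runs until the next " key=" or end of string,
    # so the space left inside the unfolded tests list does not end it.
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", head.group(2)))
    score = fields.get("score") or fields.get("hits")  # hits= in old versions
    if score is None or "required" not in fields:
        raise ValueError("score/required missing: %r" % flat)
    tests = [t.strip() for t in fields.get("tests", "").split(",")]
    return {
        "is_spam": head.group(1).lower() == "yes",
        "score": float(score),
        "required": float(fields["required"]),
        "tests": [t for t in tests if t and t != "none"],
        "version": fields.get("version"),
    }


def review_message(raw, subject_tag="***SPAM***"):
    """Return (status, notes) for one raw message; notes are plain strings."""
    msg = message_from_string(raw)
    header = msg["X-Spam-Status"]
    if header is None:
        return None, ["no X-Spam-Status header: message was not scanned here"]
    status = parse_spam_status(header)
    notes = []
    if status["is_spam"] != (status["score"] >= status["required"]):
        notes.append("verdict disagrees with score/required")
    if not status["is_spam"] and (msg["Subject"] or "").startswith(subject_tag):
        notes.append("Subject is tagged although this pass said No: "
                     "check for another filter or an earlier scan")
    if "FH_DATE_PAST_20XX" in status["tests"]:
        notes.append("FH_DATE_PAST_20XX hit: rules look stale, run sa-update")
    return status, notes


if __name__ == "__main__":
    parsed, remarks = review_message(SAMPLE)
    print(parsed)
    for remark in remarks:
        print("-", remark)
```
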


spamd[18549]: config: failed to parse line, skipping, in /etc/mail/spamassassin/local.cf: use_auto_whitelist 1

2010-04-27 Thread ram
Hi

I have recently updated from 3.2.X to 3.3.X.

When I restart I get this message:

spamd[18549]: config: failed to parse line, skipping, in
/etc/mail/spamassassin/local.cf: use_auto_whitelist 1

Any suggestions?

Ram