RE: [SAtalk] test
Matt Thoene
Sent: Saturday, January 24, 2004 2:09 PM

Sorry for this, I stopped receiving spamassassin-talk emails late Friday night... Doesn't look like anyone's been getting them. Either that or we all decided to take a break this weekend. Any theories? There's nothing in the archive at gmane.org so who knows. If y'all are in the eastern US, enjoy the snow...

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz

___
Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Test hit results report or log
Hello Chris,

Tuesday, December 16, 2003, 9:34:48 PM, you wrote:

CA> Is there a way to get a report or log of the test
CA> results hits that spamassassin finds. ...

I've begun to do something like this using the mass-check functionality within SA's masses directory. I run a mass-check test against my private rules file to verify that there are NO false positives generated by those rules and scores, and if any appear I modify my scores to avoid them. Repeat until clean.

The next step will be to do this using ALL rules, distribution set and my own.

Bob Menschel
RE: [SAtalk] Test hit results report or log
From: Chris A
Sent: Tuesday, December 16, 2003 9:35 PM

> Is there a way to get a report or log of the test results hits that spamassassin finds. The idea is I want to better fine tune the values assigned to certain tests. However it is hard to narrow down just which tests are getting hits. Right now I have to look at each of the emails' SA headers and try to extrapolate a good sampling. If there was a way to generate a log or report of each hit then it would really help to tune the scores to my email.

I've been doing something like this, running it against either the ham or spam mailbox of your choosing, you can change the fields you're looking for:

    formail -s sh -c 'formail -c -X From: -X Subject: -X Date: -X X-Spam-Status:' < mbox

where mbox is the collection of mail to be analyzed.

For spam, if you're using SA default report_safe, where the spam is copied into a separate attachment, it simplifies things to copy the headers you want to analyze up into the containing mail header (see perldoc Mail::SpamAssassin::Conf for details):

    # in local.cf
    report_safe 1
    report_safe_copy_headers Received X-Spam-Status

Here's the example output:

    From: Timmy Battle [EMAIL PROTECTED]
    Subject: Online Doctors approve Vicodin, Xanax, Valiumwatergate
    Date: Wed, 10 Dec 03 20:08:29 GMT
    X-Spam-Status: Yes, hits=35.6 required=5.0 tests=AF_MEDICAMENTOS,BAYES_99,
      DATE_IN_PAST_06_12,DATE_SPAMWARE_Y2K,FORGED_MUA_OIMO,
      FORGED_OUTLOOK_TAGS,FROM_HAS_MIXED_NUMS,FROM_HAS_MIXED_NUMS3,
      FVGT_combo_IMAGEONLY1,FVGT_u_ODD_PORT,HTML_60_70,HTML_IMAGE_ONLY_04,
      HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
      MISSING_MIMEOLE,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RM_hx_from,
      WEIRD_PORT,X_MSMAIL_PRIORITY_HIGH,X_PRIORITY_HIGH autolearn=spam
      version=2.61

The X-Spam-Status data would need to be post-processed.
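The post-processing step mentioned in the message above could look like the following. This is an added example, not code from the thread or from the SpamAssassin project: it reads the header blocks that the formail pipeline prints, unfolds each X-Spam-Status value, and counts rule hits separately for mail tagged spam and mail tagged ham, so rules that fire on ham stand out. The function names and the sample input are constructed for illustration.

```python
import re
from collections import Counter
from email.parser import HeaderParser

# Constructed sample of what the formail pipeline prints: one header block
# per message, separated by blank lines. Addresses and scores are made up;
# the rule names all appear elsewhere on this page.
SAMPLE = """\
From: a@example.com
Subject: constructed spam
X-Spam-Status: Yes, hits=12.4 required=5.0 tests=BAYES_99,HTML_MESSAGE,
 MIME_HTML_ONLY,RAZOR2_CHECK autolearn=spam version=2.61

From: b@example.com
Subject: constructed newsletter
X-Spam-Status: No, hits=0.1 required=5.0 tests=HTML_MESSAGE autolearn=no
 version=2.61

From: c@kristoffersen.example
Subject: constructed ham that trips a From: rule
X-Spam-Status: No, hits=4.3 required=5.0 tests=FROM_OFFERS autolearn=no
 version=2.61

From: d@example.com
Subject: constructed ham, no rules hit
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=ham version=2.61

From: e@example.com
Subject: constructed message that was never scanned
"""

# "hits=" is the 2.x spelling shown in the post; "score=" is accepted too.
STATUS_RE = re.compile(
    r"(?P<verdict>Yes|No),\s*(?:hits|score)=(?P<hits>-?\d+(?:\.\d+)?)"
    r"\s+required=-?\d+(?:\.\d+)?\s+tests=(?P<tests>\S*)"
)


def parse_status(value):
    """Return (is_spam, hits, rule_names) for one header value, or None."""
    # The header is folded over several lines, sometimes right after a
    # comma in the tests= list: collapse whitespace, then rejoin the list.
    flat = re.sub(r",\s+", ",", " ".join(value.split()))
    m = STATUS_RE.match(flat)
    if m is None:
        return None
    tests = m.group("tests")
    names = [] if tests in ("", "none") else tests.split(",")
    return m.group("verdict") == "Yes", float(m.group("hits")), names


def tally(text):
    """Count rule hits per verdict over blank-line-separated header blocks."""
    spam, ham = Counter(), Counter()
    totals = {"spam": 0, "ham": 0, "unparsed": 0}
    for block in re.split(r"\n\s*\n", text.strip()):
        raw = HeaderParser().parsestr(block).get("X-Spam-Status")
        parsed = parse_status(raw) if raw else None
        if parsed is None:          # header missing or in an unknown format
            totals["unparsed"] += 1
            continue
        is_spam, _hits, names = parsed
        totals["spam" if is_spam else "ham"] += 1
        (spam if is_spam else ham).update(set(names))
    return spam, ham, totals


def rule_table(spam, ham):
    """Rows of (rule, spam_hits, ham_hits, spam_share), ham hits first."""
    rows = []
    for rule in set(spam) | set(ham):
        s, h = spam[rule], ham[rule]
        rows.append((rule, s, h, round(s / (s + h), 3)))
    # Rules that fire on ham are the false-positive candidates to re-score.
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    spam_hits, ham_hits, counts = tally(SAMPLE)
    print(counts)
    for row in rule_table(spam_hits, ham_hits):
        print("%-20s spam=%d ham=%d spam_share=%.3f" % row)
```

To run it on real mail, replace SAMPLE with the saved output of the formail command, using one run per mailbox or a combined file.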
RE: [SAtalk] Test Suggestion
Or perhaps you can use the existing HTML_FONT_INVISIBLE rule?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew
Sent: 15 November 2003 22:37
To: [EMAIL PROTECTED]
Subject: [SAtalk] Test Suggestion

HTML_FONT_COLOR_WHITE

I've noticed that some spammers hide text in white so that the message looks legit by having more than just a link; the message will have a higher count based on the amount of text (even though you can't see it) and should bypass any filters that are set up to ignore/delete any link-only messages.
Re: [SAtalk] Test rule in spamassassin blocks my domains
Kristoffersen wrote:
> As you can see kristOFFERSen.us/.no would match this rule.

Create a rule matching exactly your domain with the same negative score. Or add your domain to whitelist.

Klaus
Re: [SAtalk] Test rule in spamassassin blocks my domains
On Wednesday, September 17, 2003, at 10:14 AM, Klaus Mueller wrote:
> Kristoffersen wrote:
>> As you can see kristOFFERSen.us/.no would match this rule.
>
> Create a rule matching exactly your domain with the same negative score. Or add your domain to whitelist.
>
> Klaus

I'm not sure this helps him. His problem is that other people can't get his mail. Are you proposing that he provide all his correspondents with a rule that would make it possible for his email to circumvent SA? How will he let them know? Send them an email enclosing the rule?
Re: [SAtalk] Test rule in spamassassin blocks my domains
Ken Gordon wrote:
> I'm not sure this helps him. His problem is that other people can't get his mail. Are you proposing that he provide all his correspondents with a rule that would make it possible for his email to circumvent SA? How will he let them know? Send them an email enclosing the rule?

Oops, my fault. :( Should read and think before answering.

But it may occur with other domain names and similar rules also. I do not know if the following rule exists, but for example CarsExtreme.whatever may match a sex domain name rule. Or the site may be denied by a proxy if used with web. There are a lot of examples. It's a common problem.

Best way is to change the default score of these rules with the next release of SA. I do not remember any mail from an offer domain name. Static domain name checks should score low because of these problems.

Bye
Klaus
Re: [SAtalk] Test rule in spamassassin blocks my domains
spamassassin-talk wrote:
> Odd-Jarle,
>
> How about just incorporating the Habeas warrant mark http://www.habeas.com/faq/index.htm in your e-mail headers? According to http://www.spamassassin.org/tests.html HABEAS_SWE is worth -4.6 points, more than enough to offset FROM_OFFERS.

I think it's not the right way to fake a header. Some spammers set the Reference header and SA scores this with a negative value. That's the same. It does help a short time but it does not solve the general problem.

Klaus
RE: [SAtalk] Test rule in spamassassin blocks my domains
Odd-Jarle,

How about just incorporating the Habeas warrant mark http://www.habeas.com/faq/index.htm in your e-mail headers? According to http://www.spamassassin.org/tests.html HABEAS_SWE is worth -4.6 points, more than enough to offset FROM_OFFERS.

(Presuming you're not actually sending spam of course ;-)).

Balam

-----Original Message-----
From: Kristoffersen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 17, 2003 1:17 PM
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Test rule in spamassassin blocks my domains

Maybe it would be an idea to add domains that have problems like this to a common whitelist, if one exists in the SA distribution? I don't know if such a list is provided or exists.
Re: [SAtalk] Test rule in spamassassin blocks my domains
On Wed, 17 Sep 2003, Kristoffersen wrote:
> Hi,
>
> Though I don't use spamassassin (yet), I've encountered some problems with others who use it.
>
> Mails that I send from my two domains: kristoffersen.us and kristoffersen.no are automatically marked as spam by spamassassin.
>
> After investigating the issue further, when I discovered that a lot of my mails never got read or replied to, I found that the following rule is the one that triggers the problem;
>
> header  From address is at something-offers  FROM_OFFERS  4.300 4.299 4.300 4.299
>
> As you can see kristOFFERSen.us/.no would match this rule.
>
> So I am wondering if there will be a rewrite of this rule?
>
> Thanks for your time,
> Odd-Jarle Kristoffersen

The previous version of SA has that problem, the newest one (v 2.60) fixes it. So tell your recipients that they need to update their SA installations.

To help out sites that can't (or won't) update, consider adding the Habeas warrant mark to your messages or getting registered with BondedSender.

--
Dave Funk, University of Iowa, College of Engineering
dbfunk (at) engineering.uiowa.edu
319/335-5751 FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: [SAtalk] Test rule in spamassassin blocks my domains
Hello Kristoffersen,

Wednesday, September 17, 2003, 8:00:07 AM, you wrote:

K> Mails that I send from my two domains: kristoffersen.us and
K> kristoffersen.no are automatically marked as spam by spamassassin.

K> After investigating the issue further, when I discovered that a lot of
K> my mails never got read or replied to, I found that the following rule
K> is the one that triggers the problem;

K> header From address is at something-offers FROM_OFFERS 4.300
K> 4.299 4.300 4.299

On a 5.0 threshold (or lower), that is an obvious problem. I've raised the FROM_OFFERS score to a flat 5.0 here, but that's out of a 9.0 threshold, so your emails would need an additional 4.0 spam points to get flagged here.

K> So I am wondering if there will be a rewrite of this rule?

From later emails I've seen, apparently that has already been done, or at least is being done.

False positives among rules of this kind are inevitable. The three solutions I know of are

1) Notify the development team, so they can improve the rules in later versions (via bugzilla is probably the best approach).

2) Sign up with a service like BondedSender.com or Habeas.com and balance out the may be spam score with an almost definitely not spam score.

3) Make sure emails from your domains are included in the primary corpus, so the score determination process run at the beginning of each version's official release does its best to avoid false positives from your domains.

A fourth approach is to register your domains with a distributed whitelist similar to William Stearns' blacklist at http://www.stearns.org/sa-blacklist/sa-blacklist.current -- that will need to be a whitelist which uses the whitelist_from_rcvd parameter, which then requires a reliable reverse DNS lookup, if I understand it correctly. That whitelist doesn't yet exist, but shouldn't be hard to put together, especially if it deals specifically with those domains like yours subject to problems with more general domain rules.

Bob Menschel
Re: [SAtalk] Test for FORGED_JUNO_RCVD
At 04:58 PM 8/4/2003 -0700, Justin Mason wrote:
>> Theoretically Theo Van Dinter fixed this a long time ago in this bug: http://bugzilla.spamassassin.org/show_bug.cgi?id=1475 But looking at the code, the fix isn't in 2.43, 2.44, 2.50, 2.52, 2.54 or 2.55.
>
> it is in 2.60 though ;)

Ouch.. it's been a long time since 2.55 was released, and that bug was nailed right after it..

For some reason I was mis-reading the bugzilla page.. I read it as saying 2.43 was the target milestone instead of the affected version.. oops :)
Re: [SAtalk] Test for FORGED_JUNO_RCVD
Fred I-IS.COM writes:
> Hello, I noticed an issue with 2.55 and the test for FORGED_JUNO_RCVD. The reverse dns for juno customers is: untd.com. This causes a false positive for juno customers.

Yeah, I think we have that fixed in 2.60.

--j.
Re: [SAtalk] Test for FORGED_JUNO_RCVD
At 03:49 PM 8/4/2003 -0400, Fred I-IS.COM wrote:
> Hello, I noticed an issue with 2.55 and the test for FORGED_JUNO_RCVD. The reverse dns for juno customers is: untd.com. This causes a false positive for juno customers. Thanks,

Theoretically Theo Van Dinter fixed this a long time ago in this bug: http://bugzilla.spamassassin.org/show_bug.cgi?id=1475

But looking at the code, the fix isn't in 2.43, 2.44, 2.50, 2.52, 2.54 or 2.55. At least, looking at check_for_forged_juno_received_headers in EvalTests.pm has no reference to untd.com, despite Theo's last comment that he added it.

Did this somehow get mis-synched in CVS? A quick set of greps shows this isn't anywhere in any part of the code:

    [Mail-SpamAssassin-2.55]$ grep -ri untd *
    [Mail-SpamAssassin-2.55]$
    [Mail-SpamAssassin-2.50]$ grep -ri untd *
    [Mail-SpamAssassin-2.50]$
    [Mail-SpamAssassin-2.44]$ grep -ri untd *
    [Mail-SpamAssassin-2.44]$
    [Mail-SpamAssassin-2.43]$ grep -ri untd *
    [Mail-SpamAssassin-2.43]$

If you could attach a comment to the bug, and a file that the developers can test against, it may help them fix it. But please don't change the status of the bug to reopened, let one of the developers do that (they get grumpy about it in some cases).
Re: [SAtalk] Test for FORGED_JUNO_RCVD
Matt Kettler writes:
> At 03:49 PM 8/4/2003 -0400, Fred I-IS.COM wrote:
>> Hello, I noticed an issue with 2.55 and the test for FORGED_JUNO_RCVD. The reverse dns for juno customers is: untd.com. This causes a false positive for juno customers. Thanks,
>
> Theoretically Theo Van Dinter fixed this a long time ago in this bug: http://bugzilla.spamassassin.org/show_bug.cgi?id=1475 But looking at the code, the fix isn't in 2.43, 2.44, 2.50, 2.52, 2.54 or 2.55.

it is in 2.60 though ;)

--j.
Re: [SAtalk] test suggestion
On Mon, Nov 04, 2002 at 12:58:55PM -0800, Daniel Quinlan wrote:
> Yeech. Exempting broken MUAs is getting old. *sigh*

Well, I certainly have never done a systematic study, but, is it worth it at all?? Every single false positive I've ever received tripped over because of an MUA test. And not by a small margin - those tests seem to mostly net at least 4 points. Are they really worth it?

--
Ross Vandegrift [EMAIL PROTECTED]

A Pope has a Water Cannon. It is a Water Cannon.
He fires Holy-Water from it. It is a Holy-Water Cannon.
He Blesses it. It is a Holy Holy-Water Cannon.
He Blesses the Hell out of it. It is a Wholly Holy Holy-Water Cannon.
He has it pierced. It is a Holey Wholly Holy Holy-Water Cannon.
Batman and Robin arrive. He shoots them.
Re: [SAtalk] test suggestion
linus larsson wrote:
> I noticed a lot of spams have the header Mime-Version: *.* missing. Maybe it should be rated.

Theo Van Dinter wrote:
> Mime-Version isn't a required header, so I'm not surprised to find lots of mails without it.

Bart Schaefer [EMAIL PROTECTED] writes:
> The thing to check for is the combination of the presence of Content-Disposition or Content-Transfer-Encoding _with_ the absence of Mime-Version. Mime-Version _is_ a required header for MIME-formatted messages.

Hmm... it seems like a promising area and I tried some of the above ideas, but only one worthwhile version so far.

OVERALL%    SPAM%  NONSPAM%    S/O   RANK  SCORE  NAME
   12603     4910     7693   0.390   0.00   0.00  (all messages)
 100.000  38.9590  61.0410   0.390   0.00   0.00  (all messages as %)
   2.174   5.4786   0.0650   0.988   0.91   0.01  T_MIME_NO_VERSION_ODD
   2.539   5.8045   0.4550   0.927   0.75   0.01  T_MIME_NO_VERSION_LONER
   4.523   9.8167   1.1439   0.896   0.68   0.01  T_MIME_NO_VERSION_CTYPE
   4.523   9.8167   1.1439   0.896   0.68   0.01  T_MIME_NO_VERSION_ANY
   2.349   4.3381   1.0789   0.801   0.48   0.01  T_MIME_NO_VERSION_CTE
   2.349   4.3381   1.0789   0.801   0.48   0.01  T_MIME_NO_VERSION_CD_OR_CTE
   2.349   4.3381   1.0789   0.801   0.48   0.01  T_MIME_NO_VERSION_TWO
   0.000   0.       0.       0.500   0.12   0.01  T_MIME_NO_VERSION_ALL
   0.000   0.       0.       0.500   0.12   0.01  T_MIME_NO_VERSION_CD
   0.000   0.       0.       0.500   0.12   0.01  T_MIME_NO_VERSION_CD_AND_CTE

Some other combinations might be worth testing. It's now in CVS for other people to test.

A separate rule might test for Content-Type without Mime-Version but there are some broken MUAs that do that, so it wouldn't be as good an indicator. Perhaps combined with some of the USER_AGENT tests ...

Yeech. Exempting broken MUAs is getting old. *sigh*

--
Daniel Quinlan Linux, open source, and http://www.pathname.com/~quinlan/anti-spam consulting
Re: [SAtalk] test suggestion
On Mon, Nov 04, 2002 at 01:52:42PM +0100, linus larsson wrote:
> I noticed a lot of spams have the header Mime-Version: *.* missing. Maybe it should be rated.

Mime-Version isn't a required header, so I'm not surprised to find lots of mails without it. In a quick check of my corpus:

Spam: 1641 of 8940 without the header : 18.36%
Ham : 4050 of 13919 without the header: 29.10%

--
Randomly Generated Tagline:
BS (bee ess): n. An uninformed statement.
Re: [SAtalk] test failure- spamd_maxchildren.t
On Sunday 06 October 2002 04:58 CET Will Glass-Husain wrote:
> I'm having trouble installing SpamAssassin. I followed the directions to install the CPAN module (using Perl 5.8) but got the following error
>
> t/reportheader..ok
> t/spam..ok
> t/spamd.ok
> t/spamd_maxchildren.ok 27/33# Failed test 28 in t/spamd_maxchildren.t at line 44
> t/spamd_maxchildren.NOK 28Got SIGTERM, leaving
>
> Any suggestions for next steps?

Do you try to install SpamAssassin 2.42? This bug should be fixed in that version...

Malte

--
Coding is art.
Re: [SAtalk] Test if user is listed recipient ...
On Sun, 2002-02-17 at 22:02, Craig Hughes wrote:
> For the envelope TO, there seem to be 2 standards, depending on when the info is added to the message header. One is added on SMTP-reception (such as with exim I think), in which case the header used is Envelope-To.

Actually any header additions/deletions in exim take place at transport (ie final delivery from the point of view of the MTA) time. What might confuse this a little is SA is often called as a final delivery, which happens to reinject mail into the system afterwards.

Nigel.

--
[ Nigel Metheringham [EMAIL PROTECTED] ]
[ Phone: +44 1423 85 Fax +44 1423 858866 ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
Re: [SAtalk] Test if user is listed recipient ...
On 17 Feb 2002, Craig Hughes wrote:
> So, for envelope from checking, we should use the Return-Path header. I'll make a rule which compares Return-Path to From: and see how it does at differentiating spam from nonspam.

Hadn't even thought of checking the sender - interesting. I'm curious to hear how this goes. In a few seconds of checking I notice that lots of mailing lists will trip this up. I do see that some spam might get caught, though. Worth feeding to the GA.

> For the envelope TO, there seem to be 2 standards, depending on when the info is added to the message header. One is added on SMTP-reception (such as with exim I think), in which case the header used is Envelope-To.

Erm, I don't know about that. I doubt that anything will add envelope recipients to a message during SMTP, because of the Bcc privacy issue. That might work for single-recipient messages, but doesn't work for multi-recipient ones. In fact, postfix does exactly that for the Received line.

Single-recipient:

    Received: from tisch.mail.mindspring.net (tisch.mail.mindspring.net [207.69.200.157])
      by cadmium.frontier.net (Postfix) with ESMTP id B113D7A6D5
      for [EMAIL PROTECTED]; Sun, 17 Feb 2002 15:03:43 -0700 (MST)

Multi-recipient:

    Received: from cadmium.frontier.net (localhost [127.0.0.1])
      by cadmium.frontier.net (Postfix) with ESMTP id EAE2A7A717;
      Sun, 17 Feb 2002 14:32:00 -0700 (MST)

Oops, looking at the Exim docs - yes, Exim does support it correctly. Hrm.

http://www.fr.exim.org/exim-html-1.90/doc/html/spec_15.html#SEC365

]Option: envelope_to_add
]Type: boolean
]Default: true
]
]If this option is true, an `Envelope-to:' header is added to the message.
]This gives the original address(es) in the incoming envelope that caused
]this delivery to happen. More than one address may be present if `batch'
]or `bsmtp' is set, or if more than one original address was aliased or
]forwarded to the same final address. As this is not a standard header,
]Exim has a configuration option (`envelope_to_remove') which requests its
]removal from incoming messages, so that delivered messages can safely be
]resent to other recipients.

> The other is added during delivery, after local alias resolution, etc, and is called Delivered-To -- qmail does this, and it's basically what Charlie is doing too.

I didn't realize how close this was to that ... but yes, my stamping comes after local rewriting. With the problem you mention ...

> I think what we really want to do for spam-id purposes is to compare the RCPT TO: info from SMTP to the To:/Cc: fields in the message header. If you compare To/Cc to the delivery address, then you'll think messages To: [EMAIL PROTECTED] are spam (assuming that postmaster is an alias for a real user), because the delivery-to will be [EMAIL PROTECTED] not [EMAIL PROTECTED], which will be the envelope-to value.

Yes, absolutely. However, I don't (without major heroics) have any way to modify the message until after local re-writing.

If a message comes into the system, To: cewatts, Bcc: bob, the message is only -one message- until it is split out for local delivery. So even if I had access to it, I couldn't tag it yet because that would break Bcc: privacy.

In fact ... it looks to be nearly impossible w/ Postfix: http://archives.neohapsis.com/archives/postfix/2000-12/1119.html

> So, Charlie, I would suggest altering your mail system to insert a Envelope-To instead of X-Delivery-To (or at least standardize and use Delivery-To). I'll implement Charlie's patch below but using Envelope-To and add it to the SA distro. Then people can just make sure their mail system adds the right header, and they'll automatically get this feature.

It does look like postfix's local delivery agent can prepend a Delivered-To header upon local delivery. I'm just not using the local delivery agent, so I made my own one up. I'll switch it to just use Delivered-To.

But, using Postfix, I can't get an Envelope-To header.

So ... perhaps we should support both. Envelope-To (which can have multiple addresses in it, remember) for folks who can use it, and Delivered-To for folks who can't. Simple enough.

The nice thing about doing it with headers (instead of command-line args, that sort of thing) is that the GA will be able to use it.

--
Charlie Watts [EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/
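The check discussed in this thread (is the envelope recipient listed in To:/Cc:, preferring Envelope-To and falling back to Delivered-To) can be sketched as follows. This is an added example, not the patch from the thread or SpamAssassin's own code; the function names, addresses and sample messages are constructed, and the third sample shows the alias false positive described above, where only the post-alias Delivered-To address is available.

```python
from email import message_from_string
from email.utils import getaddresses


def header_addresses(msg, *names):
    """Lower-cased addresses from every occurrence of the named headers."""
    values = []
    for name in names:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _display, addr in getaddresses(values) if addr}


def recipient_listed(raw):
    """Return (header_used, listed) for one raw message.

    Envelope-To is preferred because it carries the address given in
    RCPT TO before alias expansion; Delivered-To is the fallback. An
    envelope header may hold several addresses, so one match is enough.
    (None, None) means the MTA stamped neither header.
    """
    msg = message_from_string(raw)
    visible = header_addresses(msg, "To", "Cc")
    for header in ("Envelope-To", "Delivered-To"):
        envelope = header_addresses(msg, header)
        if envelope:
            return header, bool(envelope & visible)
    return None, None


# Constructed messages; all addresses are placeholders.
DIRECT = """\
Envelope-To: cewatts@example.com
From: Friend <friend@example.org>
To: Charlie <cewatts@example.com>
Subject: lunch

body
"""

NOT_LISTED = """\
Envelope-To: cewatts@example.com
From: Offers <bulk@example.net>
To: someone-else@example.net
Subject: constructed bulk mail sent via Bcc

body
"""

# postmaster is an alias for cewatts and the MTA only stamps the address
# after alias resolution, so the visible recipient no longer matches.
ALIAS_DELIVERED_ONLY = """\
Delivered-To: cewatts@example.com
From: Reporter <reporter@example.org>
To: postmaster@example.com
Subject: constructed abuse report

body
"""

# Same mail on a system that also records the pre-alias envelope address.
ALIAS_WITH_ENVELOPE = """\
Envelope-To: postmaster@example.com
Delivered-To: cewatts@example.com
From: Reporter <reporter@example.org>
To: postmaster@example.com
Subject: constructed abuse report

body
"""

UNSTAMPED = """\
From: Friend <friend@example.org>
To: cewatts@example.com
Subject: no envelope information

body
"""

if __name__ == "__main__":
    for name in ("DIRECT", "NOT_LISTED", "ALIAS_DELIVERED_ONLY",
                 "ALIAS_WITH_ENVELOPE", "UNSTAMPED"):
        print(name, recipient_listed(globals()[name]))
```

A False result from the Delivered-To fallback is weaker evidence than one from Envelope-To, for the alias reason given in the thread, and mailing-list traffic will also report the recipient as not listed.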