-----Original Message-----
From: wolfgang [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 15, 2005 7:04 PM
To: users@spamassassin.apache.org
Cc: users@spamassassin.apache.org
Subject: Re: Bombarded by German political spam
In an older episode (Monday 16 May 2005 00:17), List Mail User
On Monday, 16-May-2005 09:53, Elizabeth Schwartz wrote:
Does anyone have any good generic german spam filter rulesets? We
have some legitimate German users, so I don't want to start
blacklisting, and I worry that filtering one specific header at a
time is a lost cause...
This link showed up
Thanks for all the pointers to the cf files for this particular virus.
We have one installed and it is working fine - for this time.
Since I have legitimate users communicating all over the world, I am
very interested in other rulesets that would block spam in languages
besides English. Not sure
What file do I need to edit to change the score on
ALL_TRUSTED?
Thank you
OK, I uninstalled SA 3.0.0 and did a clean install of 3.0.3, downloaded new
SARE rules and tried again. I am still not getting any URI results. Can any one
explain what happens in the
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2982e68) implements
'check_post_dnsbl'
section
How can I make spamassassin not look at the blacklist_from addresses if it finds
a user listed in whitelist_from? Or another way, how can I exclude one user
from getting the USER_IN_BLACKLIST score?
I have in my user_prefs file:
whitelist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
I thought I would leave you with a random thought from my head :)
I would think the tech of SA would transfer over completely well to crime
fighting. Rules and Bayes designed to filter thru new criminal records and
pull up flags that might link them to other crimes. Could be used on a
record
Hi,
OS - Fedora Core 2
SpamAssassin - version 3.0.3
I have the following options set for spamd in /etc/sysconfig/spamassassin:
SPAMDOPTIONS=-d -c -m5 -H
But I keep getting this message in my logs:
spamd[19758]: info: setuid to root succeeded
spamd[19758]: Still running as root: user not specified
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
I've been getting hit with a lot of german spam that has two exact words, and
then .de urls. This rule handles them well.
rawbody __XM_Pash01 /^(?:Lese\s*selbst|Full\s*Article):$/i
rawbody __XM_Pash02 m{^http://[^/\n]+\.de/(?.*)$}i
rawbody __XM_Pash03
On Mon, May 16, 2005 at 02:05:09PM -0400, Elizabeth Schwartz wrote:
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
- the often seen Lese selbst is scored 4
Just curious, what's that mean to the spammers? google translates it
as vintage
It means read by yourself.
--
...
...
whitelist at surbl dot org
Jeff, thanks for the submission address, i'll send a Bcc there and also post
the list below to uribl's submission form.
frankly, i find it too much effort to check if they are blacklisted, so i will
just list some more german domains that i consider worth
At 07:21 AM 5/8/2005, jdow wrote:
This text sailed right through all the SARE rules except one ratware
rule:
===8---
X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_80,DATE_IN_PAST_12_24,
RATWR10a_MESSID,URIBL_SBL autolearn=disabled version=3.0.2
Status:
You will see how great this
At 01:01 PM 5/16/2005, James R wrote:
Take a look at Thunderbirds redirect plugin. It works well, and only adds
a few lines to the message, along with your mail server's lines. I have a
script that strips those lines off, and the message as delivered to the
client is now what is trained upon.
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
- the often seen Lese selbst is scored 4
Just curious, what's that mean to the spammers? google translates it
as vintage
Never trust automatic translators; it is rather "read yourself".
Wolfgang Hamann
From: Matt Kettler [EMAIL PROTECTED]
At 07:21 AM 5/8/2005, jdow wrote:
This text sailed right through all the SARE rules except one ratware
rule:
===8---
X-Spam-Status: No, score=4.4 required=5.0
tests=BAYES_80,DATE_IN_PAST_12_24,
RATWR10a_MESSID,URIBL_SBL autolearn=disabled
Which config was all that in? local.cf, or user_prefs?
local.cf
Maybe I forgot something?
What does sa-learn --dump magic say?
I understood the problem. Amavisd starts spamassassin with user cyrus.
I'm learning spamassassin under each user with sa-learn option -u.
I just wanted that
On Mon, 9 May 2005, Matt Kettler wrote:
At 07:21 AM 5/8/2005, jdow wrote:
This text sailed right through all the SARE rules except one ratware
rule:
===8---
X-Spam-Status: No, score=4.4 required=5.0 tests=BAYES_80,DATE_IN_PAST_12_24,
RATWR10a_MESSID,URIBL_SBL autolearn=disabled
From: Elizabeth Schwartz
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
Do you see the following problems with this Ruleset? If I move the
99_sober.cf, it lint runs w/o error.
debug: URIDNSBL: domains to query:
debug: Running tests for priority: 0
debug: running header
At 04:19 PM 5/16/2005, Jay Ehrhart wrote:
What file do I need to edit to change the score on
ALL_TRUSTED?
In /etc/mail/spamassassin/local.cf (or similar):
score ALL_TRUSTED -1.0
But before you do that, make sure you are adjusting the score for the right
reason. If you've got ALL_TRUSTED matching
Since I have legitimate users communicating all over the world, I am
very interested in other rulesets that would block spam in languages
besides English. Not sure how big of a problem this is - I know we get
I believe there is a Chinese project to make a ruleset for chinese spam.
I've seen
Elizabeth Schwartz wrote:
As a university we have legitimate correspondence with people in
*every* country so I have to be very careful about blocking IP's or
character sets or other such broad applications.
I think a good help for that is amavisd-new and its new policy banks.
wolfgang wrote:
there is one online that is based on the typical message-ids
used by that current virus based spam wave and on a few
additional indicators from those mails. i find it a bit risky -
anyway, here is the URL:
http://weir.dattitu.de/archives/9-Filtering-Sober-P.html
regards,
Hi all,
I have just installed SA 3.0.3 running perl 5.6.1.
When I test it with spamassassin -D --lint, I get this message.
Do I have to worry, because I've no clue how to debug it?
Did anyone else also get this error?
...
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c8e3d4)
Can someone check if 3.03 or 3.1 catches this URI obfuscation
spotted in recent spams:
PA
href=3Dhttp://hyahlarzvz96ckva9nsn9zvs9.tnashbsv.com\;Check
it Out/A/PBR/DIV/TD/TR
Apparently the backslash at the end of the URI throws off some
parsers such as (unpatched) 3.0.1.
Something about handling more than 1 messages a day has made me decide
to run spamd on a different box and go client/server with this thing, with
full SQL.
Anyway, silly basic question. Is there something automagic about expiry
of AWL entries? Or is there just some query I can run
I sent this in on Friday last week and didn't attract any responses.
Any insight would be appreciated. I've seen this behaviour once since
then, despite my cronjob restarting spamd every 4 hours.
Should I just open a bug report?
I'm running spamassassin 3.0.3 as a proxy on three mail
Hi!
I've got some rules in place (thank you guys!) that block a lot of
this spam, but now my director is getting emails on her blackberry with
bogus TO addresses that don't seem to be going thru SpamAssassin.
Any ideas?
What one are you using, the one with the generic header checks may cause
OK, I uninstalled SA 3.0.0 and did a clean install of 3.0.3, downloaded new
SARE rules and tried again. I am still not getting any URI results. Can any one
explain what happens in the
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2982e68) implements
'check_post_dnsbl'
section
I'm doing the upgrade to 3.03 through CPAN. I shut down
spamd for the install process. I dutifully fill in the
report address, then put in to skip network, Bayes, and
AWL tests during make test. I get a warning for an old
version of Razor2 (2.34, not 2.4) and then everything runs
fine
At 04:55 PM 5/16/2005, Antonio DeLaCruz wrote:
How can I make spamassassin not look at the blacklist_from addresses if it
finds
a user listed in whitelist_from?
You can't. (read on)
Or another way, how can I exclude one user
from getting the USER_IN_BLACKLIST score?
No.
I have in my user_prefs
Hi everyone.
I've just set up a new mail server running the latest version of
spamassassin.
I'm getting ready to add some extra rules, and RDJ.
I ran lint -D on the basic config file I have for sa to see what I get
before adding a bunch of rule files, and got the following errors: (I
believe
On Tue, May 17, 2005 at 09:37:26AM -0500, Kayne Kruse wrote:
From: Elizabeth Schwartz
Thanks, just put it in!
http://www.citecs.de/99_sober.cf
Do you see the following problems with this Ruleset? If I move the
99_sober.cf, it lint runs w/o error.
I linted it right now. Can't
Saurabh Barve wrote:
Hi,
I'm having problems with SpamAssassin-3.0.3 on a Fedora Core 2 machine
along with Sendmail. SpamAssassin is able to identify mail as spam, and
adds its headers to the mail. However, it does not rewrite the subject
header with the `[SPAM]' tag.
Here's what
Matt Kettler wrote:
Saurabh Barve wrote:
Hi,
I'm having problems with SpamAssassin-3.0.3 on a Fedora Core 2 machine
along with Sendmail. SpamAssassin is able to identify mail as spam, and
adds its headers to the mail. However, it does not rewrite the subject
header with the `[SPAM]' tag.
Dan Mahoney, System Admin wrote:
Something about handling more than 1 messages a day has made me
decide to run spamd on a different box and go client/server with this
thing, with full SQL.
No automatic AWL expiry.
Anyway, silly basic
Hello!
I want to use sa-learn on a different server than spamd is running. How can I
tell sa-learn to connect to the right spamd?
Ingo
Tim B wrote:
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming from
trojaned PCs. Other than the specific URLs in the messages haven't
found any easily identified parts to create rules for.
Does anyone know the logic behind this spam bombing? I have a friend
who has a gmx.de account and he has gotten 0 german spam in it... yet
here in the u.s. we are getting bombarded by the spam.
Which config was all that in? local.cf, or user_prefs?
local.cf
Maybe I forgot something?
What does sa-learn --dump magic say?
I understood the problem. Amavisd starts spamassassin with user cyrus.
I'm learning spamassassin under each user with sa-learn option -u.
I just wanted
What file do I need to edit to change the score on
ALL_TRUSTED?
trusted_networks. See the wiki or man pages.
Loren
Matt Kettler wrote:
At 05:42 PM 5/16/2005, Saurabh Barve wrote:
To fix this, I tried to run spamd as the user `mail'. However, when I
try that, I get the error that 'spamd does not have permissions to
write to /root'. How do I get spamd to know that mail's home directory
is at /var/spool/mail.
Matt Kettler wrote:
At 01:01 PM 5/16/2005, James R wrote:
Take a look at Thunderbirds redirect plugin. It works well, and only
adds a few lines to the message, along with your mail server's lines.
I have a script that strips those lines off, and the message as
delivered to the client is now
wrote:
I understood the problem. Amavisd starts spamassassin with user cyrus.
I'm learning spamassassin under each user with sa-learn option -u.
I just wanted that each user had its own spam base. Then I don't
understand for what purposes option -u is used.
-u should work for that,
David Velásquez Restrepo [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
You can use identify command to obtain some info about an image.
If you have linux (i hope you do), just type: identify [IMAGE_FILENAME]
If you need the size of the file just type: ls -l [FILENAME]
David A.
At 05:42 PM 5/16/2005, Saurabh Barve wrote:
To fix this, I tried to run spamd as the user `mail'. However, when I try
that, I get the error that 'spamd does not have permissions to write to
/root'. How do I get spamd to know that mail's home directory is at
/var/spool/mail.
Set mail's homedir
Matt Kettler wrote:
I've never played with thunderbird's forward as a attachment feature, but
you might be able to use that. In this situation you'd need to set up a
script that strips off the attachment and feeds the attachment to sa-learn.
It creates a message/rfc822 attachment, just
I'm trying to debug why a specific domain is not triggering
USER_IN_WHITELIST even though the domain is listed in sa-mimedefang as
whitelist_from *@domain.com.
White listing is working in general. What conditions does
USER_IN_WHITELIST look for? For example, is it just the From: header or
trying to train bayes with german spam
so i take a mail out of my imap folder and put it into a file on the
spamD server..
I Vee-eye it and take out the spamassassin headers ( is this the right
move?) then run the following
[EMAIL PROTECTED]:/home/ronan# sa-learn --spam -D spam1
debug:
Hi!
I have seen a couple of requests for reading the auto-whitelist file in plain
text. You can use at least two database formats, but this command worked for me:
dbmmanage auto-whitelist view
See man dbmmanage for more info (available in most Linux distributions). It
is
written to Create
Antonio DeLaCruz wrote:
How can I make spamassassin not look at the blacklist_from addresses if it
finds
a user listed in whitelist_from? Or another way, how can I exclude one user
from getting the USER_IN_BLACKLIST score?
I have in my user_prefs file:
whitelist_from [EMAIL PROTECTED]
Anton Krall wrote:
Any SA rules out there that can catch the german spam mails?
I am only needing to filter on the subjects I quoted because Mailman
has no other option and the mailing list is not using spamassassin.
Simply filtering on the subject is not a great method. But since I am
stuck
Matias Lopez Bergero wrote:
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules
FYI, so far I only found 3 of these right-wing mails in my company.
It seems almost all have been blocked by the RBL's in postfix:
- dynablock.njabl.org
- dul.dnsbl.sorbs.net
- and a lot of dsl* dial* provider-domain-names I blocked in postfix.
This helps for all kinds of spam from infected pc's
Got this one today. It hit SpamCop but nothing else:
Dear manager:
I have viewed your company profile through internet, and found there
exists an opportunity of establishing business cooperation between two
of us.
We are a Chinese senior precision foundry which producing all kinds of
Kevin Peuhkurinen wrote:
Having gotten the spam under control, I found that I was getting
bombed with tons of bounces as well. So I made up a quick ruleset
to stop undeliverables due to the german spam, using Raymond's
ruleset as a starting point. You can get it here:
I was working on
Matt Kettler wrote:
wrote:
I understood the problem. Amavisd starts spamassassin with user cyrus.
I'm learning spamassassin under each user with sa-learn option -u.
I just wanted that each user had its own spam base. Then I don't
understand for what purposes option -u is used.
wrote:
Matt Kettler wrote:
wrote:
I understood the problem. Amavisd starts spamassassin with user cyrus.
I'm learning spamassassin under each user with sa-learn option -u.
I just wanted that each user had its own spam base. Then I don't
understand for what purposes option
Matt Kettler wrote:
Saurabh Barve wrote:
Hi,
I'm having problems with SpamAssassin-3.0.3 on a Fedora Core 2 machine
along with Sendmail. SpamAssassin is able to identify mail as spam, and
adds its headers to the mail. However, it does not rewrite the subject
header with the `[SPAM]' tag.
Guys,
Forgive me but what was the fix for URL's with a carriage return? I have this
one that keeps sneaking by:
A href=h
ttp:/
/kgkkrsfbdwmp.netgvms5k8gr65layn41f8%2Ebut
tonag
ncm%2Ecom/
TIA,
jimsheffer wrote:
config: SpamAssassin failed to parse line, skipping: rewrite_subject 0
config: SpamAssassin failed to parse line, skipping:
always_add_headers 1 config: SpamAssassin failed to parse line,
skipping: auto_learn 1
Those 3 config options are no longer supported.
In the readme
jimsheffer wrote:
Hi everyone.
I've just set up a new mail server running the latest version of
spamassassin.
I'm getting ready to add some extra rules, and RDJ.
I ran lint -D on the basic config file I have for sa to see what I get
before adding a bunch of rule files, and got the following
jimsheffer wrote:
Hi everyone.
I've just set up a new mail server running the latest version of
spamassassin.
I'm getting ready to add some extra rules, and RDJ.
I ran lint -D on the basic config file I have for sa to see what I get
before adding a bunch of rule files, and got the
jimsheffer wrote:
Hi everyone.
I've just set up a new mail server running the latest version of
spamassassin.
I'm getting ready to add some extra rules, and RDJ.
I ran lint -D on the basic config file I have for sa to see what I get
before adding a bunch of rule files, and got the
config: SpamAssassin failed to parse line, skipping: rewrite_subject 0
Deprecated. Just remove the line since you don't want to rewrite
anything.
config: SpamAssassin failed to parse line, skipping:
always_add_headers 1
Deprecated. Now you should manually define which headers to add, and if
On Tue, May 17, 2005 at 03:53:38AM -0700, Jeff Chan wrote:
Apparently the backslash at the end of the URI throws off some
parsers such as (unpatched) 3.0.1. Hopefully the same patch that
catches just : at the end of URIs, etc. also catches these.
Not really. 3.0 doesn't deal with it, 3.1
In article [EMAIL PROTECTED], Loren Wilton
[EMAIL PROTECTED] writes
Since I have legitimate users communicating all over the world, I am
very interested in other rulesets that would block spam in languages
besides English. Not sure how big of a problem this is - I know we get
I believe there
news [EMAIL PROTECTED] wrote on 05/16/2005
02:07:55 PM:
Hi,
I'm having problems with SpamAssassin-3.0.3 on a Fedora Core 2 machine
along with Sendmail. SpamAssassin is able to identify mail as spam,
and
adds its headers to the mail. However, it does not rewrite the subject
header with
Hi,
I have been searching around with no luck. I have been playing with
mass-checks on my corpus using some the SARE rules sets and wanted to do a
sanity check against someone else's mass checks. The particular rules sets
are
70_sare_adult.cf
70_sare_bayes_poison_nxm.cf
70_sare_evilnum0.cf
Ingo Reinhart wrote:
I want to use sa-learn on a different server than spamd is running. How
can I tell sa-learn to connect to the right spamd?
sa-learn doesn't connect to spamd, it manipulates the database directly,
either file based DBM or SQL
Ingo Reinhart wrote:
Hello!
I want to use sa-learn on a different server than spamd is running. How
can I tell sa-learn to connect to the right spamd?
Ingo
sa-learn doesn't connect to spamd. Period. The only thing that ever connects to
spamd in the SA package is spamc.
If you're using
OK, I uninstalled SA 3.0.0 and did a clean install of 3.0.3, downloaded new
SARE rules and tried again. I am still not getting any URI results. Can any one
explain what happens in the
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2982e68) implements
'check_post_dnsbl'
section
Did this suddenly stop today for anyone else and now you're just dealing
with the NDR's?
Actually it suddenly *started* for me today. Before that only one stupid
zombie someplace thought I was in Germany. Now they all seem to.
And the faked sender names all start with the letter J.
OK, I uninstalled SA 3.0.0 and did a clean install of 3.0.3, downloaded new
SARE rules and tried again. I am still not getting any URI results. Can any one
explain what happens in the
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x2982e68) implements
'check_post_dnsbl'
section
Does anyone know the logic behind this spam bombing? I have a friend
who has a gmx.de account and he has gotten 0 german spam in it... yet
here in the u.s. we are getting bombarded by the spam.
There is logic behind spamming ? News to me ;-)
Personally I think it's incredibly arrogant of
On Tue, May 17, 2005 at 08:49:21AM +, Ronan McGlue wrote:
[EMAIL PROTECTED]:/home/ronan# sa-learn --spam -D spam1
Try sa-learn --spam -D spam1
debug: refresh: 14319 refresh /home/spam/.spamassassin/bayes.mutex
debug: refresh: 14319 refresh /home/spam/.spamassassin/bayes.mutex
debug:
Johnson, Robert F wrote:
I'm trying to debug why a specific domain is not triggering
USER_IN_WHITELIST even though the domain is listed in sa-mimedefang as
whitelist_from *@domain.com.
White listing is working in general. What conditions does
USER_IN_WHITELIST look for? For
Ronan McGlue wrote:
trying to train bayes with german spam
so i take a mail out of my imap folder and put it into a file on the
spamD server..
I Vee-eye it and take out the spamassassin headers ( is this the right
move?) then run the following
[EMAIL PROTECTED]:/home/ronan# sa-learn
Fredrik Bjork wrote:
Hi!
I have seen a couple of requests for reading the auto-whitelist file in plain
text. You can use at least two database formats, but this command worked for
me:
dbmmanage auto-whitelist view
snip
Surely there is a better way, but nobody seems to be willing to
On Tue, May 17, 2005 at 09:09:39AM +, Fredrik Bjork wrote:
Surely there is a better way, but nobody seems to be willing to post it...
tools/check_whitelist? Been part of the standard distro for ages. Output is:
0.0 (0.0/2) -- [EMAIL PROTECTED]|ip=66.92
Average Score
When linting my rules with debug, I get the following in the output:
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8c0d3a4)
implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8bf0e74)
implements 'parse_config'
Argument isn't numeric in addition (+)
--On Tuesday, May 17, 2005 11:59 AM +0200 Menno van Bennekom
[EMAIL PROTECTED] wrote:
It has been said before but I still would appreciate it very much if ISP's
would only allow SMTP traffic to go through the provider's mail-servers,
not directly from dsl/cable to the Internet.
It would stop
I was curious if anyone had used Spamassassin caller for Imail?
One of my clients is currently running Imail 8.05 on a windows 2000
machine. I installed Perl 5.8.4 (downloaded recommended modules), SA
3.0.1, and SAC 1.1.0.
Spamassassin sample-spam.txt return everything that it should,
Hello John,
Tuesday, May 17, 2005, 2:02:16 PM, you wrote:
J Hi,
J I have been searching around with no luck. I have been playing with
J mass-checks on my corpus using some the SARE rules sets and wanted to do a
J sanity check against someone else's mass checks. The particular rules sets
J are
On Tue, May 17, 2005 at 05:50:32PM -0700, John Schneider wrote:
Argument isn't numeric in addition (+) at
/usr/local/lib/perl5/site_perl/5.8.2/Mail/SpamAssassin/Conf.pm line 743.
I've searched .. What could it be?
Bad config line. Looking at the code, a bad report_safe line.
--
Randomly
85 matches