Hi,
Jack Gostl wrote:
I've been watching this for awhile, and there is now a pattern to
what I'm seeing.
I'm running a configuration with multiple users sharing a bayes
files. This is an interim move to facilitate the spamassassin
upgrades, and like many interim moves its been going on for
Hi.
I tried to migrate ~/.spamassassin to a new system but that failed.
I had to remove auto_whitelist and bayes_*.
Then I retrained the bayesian learner with sa-learn --ham and --spam
and now I get:
bayes: expire_old_tokens: child processing timeout at /usr/sbin/spamd line
1085
After googling
- Original Message -
From: Anthony Peacock [EMAIL PROTECTED]
To: SpamAssassin users@spamassassin.apache.org
Sent: Monday, February 05, 2007 3:56 AM
Subject: Re: Bayes resolution gettin weaker
Hi,
Jack Gostl wrote:
I've been watching this for awhile, and there is now a pattern to
Claude,
Here is a typical error report in the log file:
Feb 1 11:31:47 yellowsrv amavis[11701]: (11701-03) (!)collect_results
from [] (/usr/bin/ripole): exit 30 ripOLE: decoding of
/var/spool/amavisd/tmp/amavis-20070201T113001-11701/parts/p002 resulted
in error 30\n
Any idea ?
This
I read the post TVD_SILLY_URI_OBFU and I'm having the same problem with
http://www.zodrx*.com http://www.zodrx*.com/ - Remove * to make the
link working!
And
http://www.zodrx.%com http://www.zodrx*.com/ - Remove % to make the
link working!
I'm still very new to spam assassin. I
I've just received this email:
Received: from imo-m26.mx.aol.com ([64.12.137.7]) by mail.srv.pl with
esmtp
(Exim 4.50) id 1HE20n-0006d4-4J for ; Mon, 05 Feb
2007
12:27:53 +0100
Received: from [EMAIL PROTECTED] by imo-m26.mx.aol.com
(mail_out_v38_r7.6.) id
Simon
I use this rule to find URL's with illegal characters in it..
# 2007-01-24 new rules (adapted from Henrik Krohns
# [EMAIL PROTECTED] on SA list) # http:// [user [:password] @]
# legal uri characters + 1 illegal char + legal chars # + (end of
uri or / or ? or :port)
uri
Jarek
Looks like the spammers are trying to fool you into not checking email
based on this header - ie it's already been scanned so I'll let it
through..
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
-Original Message-
From: Jarek
Greetings;
I got an email from cron's attempt to run rules_du_jour this morning, full
of 404 messages, curl couldn't find www.rulesemporiam.com.
Re-running it by hand gets be the same thing, one stanza of this per rule:
SARE Spoof Ruleset had an unknown error:
curl exit code: 6
curl: (6)
Gene
Yup same for meI've just emailed Chris about it..
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
-Original Message-
From: Gene Heskett [mailto:[EMAIL PROTECTED]
Sent: 05 February 2007 14:14
To: users@spamassassin.apache.org
Subject:
Hey list,
I'm using SA in a qmail setup, thus invoking spamc through
qmail-queue-scanner.pl.
I've been using AWL through MySQL for a few hours now, and it works
great so far. However, it seems that SA doesn't really get the
correct username passed from qmail-queue-scanner.pl - every now and
Thank you very much Martin. It has already been trigged twice
Simon Marcil
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
S3 Technologies inc.
3445 Parc Suite 201
Montreal (Québec)
Canada, H2X 2H6
T. (514) 284-6262
C. (514) 570-7066
F. (514) 281-8982
http://www.s3tech.ca
On Mon, Feb 05, 2007 at 03:24:54PM +0100, Jarek wrote:
there is X-Spam-Flag: NO. Is it possible, that this header caused
spamassassin not to check this email ? This is regular porn site ad.
SpamAssassin checks everything that is sent to it. Previously added headers
are meaningless.
--
Nigel Frankcom wrote:
On Sat, 03 Feb 2007 07:15:39 +, Nigel Frankcom
[EMAIL PROTECTED] wrote:
body Test_01 /remove \\*|\%|\!\/i
score Test_01 4.0
describe Test_01 Test remove asterisk for URL spams
and oops #2 the | doesn't work as expected :-/
This does tho...
SA allows to delete spam from server or deliver it tagged as spam.
What is the order that makes SA do so and where is that stored.
Cpanel has a link saying:
To simply have the server DELETE and NOT deliver emails that are tagged as
spam by SpamAssassin, click here now. where here points to
On Mon, Feb 05, 2007 at 10:51:21AM -0800, z3r0 wrote:
SA allows to delete spam from server or deliver it tagged as spam.
What gives you that idea? SA can only mark up mails, period.
Cpanel has a link saying:
To simply have the server DELETE and NOT deliver emails that are tagged as
spam by
z3r0 wrote:
SA allows to delete spam from server or deliver it tagged as spam.
What is the order that makes SA do so and where is that stored.
Cpanel has a link saying:
To simply have the server DELETE and NOT deliver emails that are tagged as
spam by SpamAssassin, click here now. where here
Anybody have a rule for these ones?
http://hasle.progenyid-com/ http://hasle.progenyid-com
Important: Replace - with . in the above link
_
From: Simon Marcil [mailto:[EMAIL PROTECTED]
Sent: February 5, 2007 10:07 AM
To: Martin.Hepworth
Cc: users@spamassassin.apache.org
Simon Marcil wrote:
Anybody have a rule for these ones?
http://hasle.progenyid-com http://hasle.progenyid-com/
Important: Replace - with . in the above link
Are you using SA 3.1.7? If so, do an sa-update there is a new rule that
should be catching these and all mutations.
--
snowcrash+spamassassin wrote:
BUT, if i open the message in Thunderbird2, the line-breaks in the
header are apparently stripped off; here's what it looks like.
...
As per RfC (2)822, header _values_ are always just *one* line.
To get around the (server) restriction of 998 usable characters
I'm running SpamAssassin version 3.1.3. Anything I should lookout for/beware
of when I upgrade.
Thanks
-Original Message-
From: Doc Schneider [mailto:[EMAIL PROTECTED]
Sent: February 5, 2007 3:27 PM
To: Simon Marcil
Cc: users@spamassassin.apache.org
Subject: Re: Spam making it through
On Mon, Feb 05, 2007 at 02:27:18PM -0600, Doc Schneider wrote:
http://hasle.progenyid-com http://hasle.progenyid-com/
Are you using SA 3.1.7? If so, do an sa-update there is a new rule that
should be catching these and all mutations.
Three things.
First, the spammer has gotten smarter and is
Simon Marcil wrote:
I'm running SpamAssassin version 3.1.3. Anything I should lookout for/beware
of when I upgrade.
Thanks
Nothing jumps out at me as far as gotchas upgrading from 3.1.3 to
3.1.7. Since they're both in the same branch 3.1.x. Course it all
depends on what OS you're using too.
From your screen shot, I'm guessing you're looking at it via
View-Headers-All.
actually, in any/all header 'views' ...
You can see the original formatting (even in
Thunderbird 2) using the Message Source function instead.
yup, aware of that. that's not the issue though ... rather, it's
Theo Van Dinter wrote:
On Mon, Feb 05, 2007 at 02:27:18PM -0600, Doc Schneider wrote:
http://hasle.progenyid-com http://hasle.progenyid-com/
Are you using SA 3.1.7? If so, do an sa-update there is a new rule that
should be catching these and all mutations.
Three things.
First, the spammer
How about this for testing whether a URL is obfuscated: just see if
the host resolves via DNS?
Pros:
No complex REs needed.
No more playing whack-a-mole chasing new obfuscation mechanisms.
Cons:
A DNS lookup.
It won't catch obfuscation in the filepath part. (But then, the reason
for the
- (a) It provides an easy way for a spammer to tell if a piece of mail
passes through a SpamAssassin filter, by monitoring hits on their NS.
- (b) it's pretty common in some groups to mail around unregistered
domains/unresolvable hostnames/XML DTD locations/etc.
--j.
John D. Hardin writes:
On Mon, 5 Feb 2007, Justin Mason wrote:
- (a) It provides an easy way for a spammer to tell if a piece of mail
passes through a SpamAssassin filter, by monitoring hits on their NS.
They will also get hits from people following the URL. Maybe this will
help to pollute their databases with a
How about this for testing whether a URL is obfuscated: just see if
the host resolves via DNS?
Pros:
No complex REs needed.
No more playing whack-a-mole chasing new obfuscation mechanisms.
Cons:
A DNS lookup.
It won't catch obfuscation in the filepath part. (But then, the
On 5 Feb 2007 [EMAIL PROTECTED] wrote:
How about this for testing whether a URL is obfuscated: just see if
the host resolves via DNS?
some valid messages talk about non-existing domains, e.g. about
example.com, mysite.com, yoursite.com, yourothersite.com (and, of
course, the .com could
Hello
Would it work if add to user_prefs this line
whitelist_subject good subject
I mean will that give me -100 score if an email comes with good subject, in
subject?
My question is about validity of writing that in user_prefs file.
Dhawal Doshy wrote:
John Horne wrote:
[SNIP]
On Mon, 05 Feb 2007, Bowie Bailey wrote:
body Test_01 /remove \\*\/i | /remove \\%\/i | /remove \\!\/i
score Test_01 4.0 describe Test_01 Test remove asterisk for URL
spams
How about this? (untested)
body Test_01 /remove \[*%!]\/i
Since Sunday after two new obfuscation chars
Hi
If I run : sa-update -D
After a long pause I get (at the end of the debug trace):
...
[8551] dbg: channel: attempting channel updates.spamassassin.org
[8551] dbg: channel: update directory
/var/lib/spamassassin/3.001007/updates_spamassassin_org
[8551] dbg: channel: channel cf file
I am running FC4 w/Plesk8, SA 3.0.6, Qmail +QMAILQUEUE Patch +qmail-scanner
+clamav. All seems to be going well, Spam is being identified wonderfully
with Pyzor, Razor2 and DCC, but one of the clients has reported a strange
problem. They received a 2.4mb IGES file (CAD file) from a customer and
Matthew Bickerton wrote:
Hi
If I run : sa-update -D
After a long pause I get (at the end of the debug trace):
...
[8551] dbg: channel: attempting channel updates.spamassassin.org
[8551] dbg: channel: update directory
/var/lib/spamassassin/3.001007/updates_spamassassin_org
[8551] dbg: channel:
On Mon, 5 Feb 2007, Steve Kamerman wrote:
They received a 2.4mb IGES file
Are you sure SA is even a part of this? Typically messages larger than
~250KB are not even passed to SA for scanning...
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
[EMAIL PROTECTED]
Thanks for the prompt reply - I wasn't aware of that! I guess that's why SA
never gave it a score (?/?) and just passed it on as score 0. Perhaps this
is an issue with ClamAV then. I will have to look over the qmail-scanner
script and try to figure out the flow of email.
Is there some
On Monday, February 05, 2007 9:51 PM + Justin Mason [EMAIL PROTECTED]
wrote:
- (a) It provides an easy way for a spammer to tell if a piece of mail
passes through a SpamAssassin filter, by monitoring hits on their NS.
You could give the URIBL rules first shot at the raw name, then
I don't understand why EXTRA_MPART_TYPE is a spam indicator. It seems to be
required by RFC 2387:
http://www.ietf.org/rfc/rfc2387.txt
Here's the rule, from SA 3.1.7:
header EXTRA_MPART_TYPE Content-Type =~ /(?:\s*multipart\/)?.*
type=/i
describe EXTRA_MPART_TYPE Header has
On Mon, Feb 05, 2007 at 07:10:54PM -0800, Kenneth Porter wrote:
I don't understand why EXTRA_MPART_TYPE is a spam indicator. It seems to be
required by RFC 2387:
Yes. There's a whole discussion about this in
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5110
FWIW, lots of RFC
On Monday, February 05, 2007 10:14 PM -0500 Theo Van Dinter
[EMAIL PROTECTED] wrote:
Yes. There's a whole discussion about this in
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5110
FWIW, lots of RFC compliant things are spam indicators.
So does that mean he can't win?
It does
Kenneth Porter wrote:
On Monday, February 05, 2007 10:14 PM -0500 Theo Van Dinter
[EMAIL PROTECTED] wrote:
Yes. There's a whole discussion about this in
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5110
FWIW, lots of RFC compliant things are spam indicators.
So does that mean
On Mon, 5 Feb 2007 13:03:08 -0500 , Bowie Bailey
[EMAIL PROTECTED] wrote:
Nigel Frankcom wrote:
On Sat, 03 Feb 2007 07:15:39 +, Nigel Frankcom
[EMAIL PROTECTED] wrote:
body Test_01 /remove \\*|\%|\!\/i
score Test_01 4.0
describe Test_01 Test remove asterisk for URL spams
Steve Kamerman wrote:
I am running FC4 w/Plesk8, SA 3.0.6, Qmail +QMAILQUEUE Patch +qmail-scanner
+clamav. All seems to be going well, Spam is being identified wonderfully
with Pyzor, Razor2 and DCC, but one of the clients has reported a strange
problem. They received a 2.4mb IGES file (CAD
John D. Hardin wrote:
- (b) it's pretty common in some groups to mail around unregistered
domains/unresolvable hostnames/XML DTD locations/etc.
I would assume that your SA host has visibility to your internal
DNS...
Hmm - I would assume the opposite. Most people would run SA in
45 matches
Mail list logo