RE: False Negatives
It really doesn't matter to me whether it was on urisbl/surbl when he sent it. I provided what our server marked this as as an example of rules that he could look at as to why it was scored low. Other people that don't use unwanted language may not need it, but in some cases it helps, specifically this case. I was just about to send a reply myself but since you already stated 100% of what I wanted to say... :-)
Re: Returned mail spam
Richard Smits wrote:

How safe is it to pump up the score for the ANY_BOUNCE_MESSAGE ? Is it bug free, so I can give it 5 or 10 points ?

On 18.04.08 09:19, Jason Haar wrote:

So you are wanting to mark ANY bounce, out of office, or mailing-list related email into your organization as spam? If you want to do that, then sure! :-) My own investigations would show that would not be a good idea. I think you meant BOUNCE_MESSAGE instead - but even that is catching stuff that isn't backscatter.

yes, since (according to previous discussion) VBounce was not designed to mark backscatter as spam, but to mark (suspicious) bounces as bounces. It probably needs many changes to be reliable in the way most users expect - to catch backscatter while not catch other

...and I don't think the Backscatter FAQ answers this question. IMHO VBounce tags *bounces* - not backscatter. Backscatter is a *subset* of bounces - so it tags stuff that isn't backscatter.

whitelist_bounce_relays should whitelist non-backscatter bounces, but that might not be enough. For example, I wonder why does not VBounce look at Received: headers to see if it came from hosts in internal network, such bounces will surely not be backscatter imho.

I'm working on a backscatter.cf to exclusively catch backscatter - but it's still tagging incorrect stuff. (all my Sourceforge moderator mail for starters). If I get it working reliably, I'll flick it up the food chain...

good luck.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Emacs is a complicated operating system without good text editor.
Different vbounce results between 3.2.2 and 3.2.4
Hello list,

I have two servers, one is running Spamassassin 3.2.2 and the other one is running 3.2.4. For each I have enabled the vbounce plug-in in v320.pre and have added the following line to my local.cf:

    whitelist_bounce_relays server.domain.tld

If I now send this message (http://pastebin.org/30548) through spamassassin the one with version 3.2.4 will hit the rule BOUNCE_MESSAGE and the other one will not. The Mail is obviously not a bounce but with 3.2.4 I can not even whitelist it. Has somebody a suggestion how I can tune my Spamassassin 3.2.4 to accept my whitelist settings?

Greetings
Stefan

# spamassassin -tD ~/IDE-update_report.txt
see: http://pastebin.org/30552 (with 3.2.4)
Re: Returned mail spam
Matus UHLAR - fantomas writes:

Richard Smits wrote:

How safe is it to pump up the score for the ANY_BOUNCE_MESSAGE ? Is it bug free, so I can give it 5 or 10 points ?

On 18.04.08 09:19, Jason Haar wrote:

So you are wanting to mark ANY bounce, out of office, or mailing-list related email into your organization as spam? If you want to do that, then sure! :-) My own investigations would show that would not be a good idea. I think you meant BOUNCE_MESSAGE instead - but even that is catching stuff that isn't backscatter.

yes, since (according to previous discussion) VBounce was not designed to mark backscatter as spam, but to mark (suspicious) bounces as bounces. It probably needs many changes to be reliable in the way most users expect - to catch backscatter while not catch other

this may be a matter of definition. In my opinion, out of office messages, C/R requests, etc. sent in response to spam forging your address as the sender -- I would define those as backscatter. As the packager of that ruleset -- yes, it is designed to catch backscatter.

--j.
gpg failure on sa-update due to non-cross-certified key
I recently installed Mandriva 2008.1 on one of my spamfilters. It includes gpg version 1.4.9. When I try to run sa-update, I get:

    [EMAIL PROTECTED] ~]$ sudo sa-update
    Password:
    gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
    gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
    error: GPG validation failed!
    The update downloaded successfully, but the GPG signature verification failed.
    channel: GPG validation failed, channel failed

When I ran sa-update in debug mode, I see this message:

    [1518] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
    [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz
    [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.sha1
    [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.asc
    [1518] dbg: sha1: verification wanted: 129293f2f748a7398442daf97a26e2af387192a6
    [1518] dbg: sha1: verification result: 129293f2f748a7398442daf97a26e2af387192a6
    [1518] dbg: channel: populating temp content file
    [1518] dbg: gpg: populating temp signature file
    [1518] dbg: gpg: calling gpg
    gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
    [1518] dbg: gpg: gpg: Signature made Wed 16 Apr 2008 04:28:44 AM CDT using RSA key ID 24F434CE
    [1518] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
    [1518] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
    [1518] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
    [1518] dbg: gpg: gpg: Can't check signature: general error
    error: GPG validation failed!
    The update downloaded successfully, but the GPG signature verification failed.
    channel: GPG validation failed, channel failed

Looking at the gnupg faq, this appears to be a problem with the way the key is created.

I was able to run sa-update with the --nogpg option, and sa-compile worked fine after sa-update ran, but I would like to know the best way to fix this long term. Is this a gnupg bug? or a spamassassin bug? Or... ?

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: Different vbounce results between 3.2.2 and 3.2.4
On 18.04.08 12:54, Stefan Jakobs wrote:

I have two servers, one is running Spamassassin 3.2.2 and the other one is running 3.2.4. For each I have enabled the vbounce plug-in in v320.pre and have added the following line to my local.cf:

    whitelist_bounce_relays server.domain.tld

If I now send this message (http://pastebin.org/30548) through spamassassin the one with version 3.2.4 will hit the rule BOUNCE_MESSAGE and the other one will not. The Mail is obviously not a bounce but with 3.2.4 I can not even whitelist it. Has somebody a suggestion how I can tune my Spamassassin 3.2.4 to accept my whitelist settings?

it seems (to me) that whitelist only applies for Received: headers in message body, not in the headers...

# spamassassin -tD ~/IDE-update_report.txt
see: http://pastebin.org/30552 (with 3.2.4)

looks like a false positive. vbounce tries to catch virus bounces too, so it caught messages from antivirus ... however this one is not the one that should be matched... It has to be reported and fixed imho

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
How does cat play with mouse? cat /dev/mouse
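A simplified model of the behaviour described in this reply, added here as an example (it is not VBounce's own code): a bounce is rescued only when a Received header quoted in its body names a whitelisted relay, so a relay that appears only in the top-level headers changes nothing. The function names, result labels and both sample messages are constructed for illustration.

```python
import re

# Assumption: the relay name from the whitelist_bounce_relays line quoted in the thread.
RELAYS = ["server.domain.tld"]

# One Received header, including folded continuation lines.
RECEIVED = re.compile(r"^Received:.*(?:\n[ \t].*)*", re.MULTILINE | re.IGNORECASE)

# Constructed sample: a bounce of mail that really left through our relay.
GENUINE_BOUNCE = """\
Received: from mx.remote.example by server.domain.tld; Fri, 18 Apr 2008 12:00:00 +0200
From: MAILER-DAEMON@remote.example
Subject: Undelivered Mail Returned to Sender

The following message could not be delivered:

Received: from desk1.domain.tld
\tby server.domain.tld with ESMTP; Fri, 18 Apr 2008 11:59:00 +0200
From: user@domain.tld
Subject: hello
"""

# Constructed sample: a bounce of mail that only forged our address as sender.
BACKSCATTER = """\
Received: from mx.remote.example by server.domain.tld; Fri, 18 Apr 2008 12:05:00 +0200
From: MAILER-DAEMON@remote.example
Subject: Undelivered Mail Returned to Sender

The following message could not be delivered:

Received: from dialup.other.example by mx.remote.example; Fri, 18 Apr 2008 12:04:00 +0200
From: user@domain.tld
Subject: cheap stock
"""

def relays_named(text, relays):
    """Return the relays that appear as whole hostnames in Received headers of text."""
    hits = set()
    for header in RECEIVED.findall(text):
        for relay in relays:
            pattern = r"(?<![\w.-])" + re.escape(relay) + r"(?![\w.-])"
            if re.search(pattern, header, re.IGNORECASE):
                hits.add(relay)
    return hits

def classify_bounce(raw, relays):
    """Only Received headers found in the body (the returned original) count."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    if relays_named(body, relays):
        return "rescued"
    if relays_named(head, relays):
        return "relay-in-top-headers-only"
    return "no-relay"

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE_BOUNCE), ("backscatter", BACKSCATTER)):
        print(name, classify_bounce(msg, RELAYS))
```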
Re: gpg failure on sa-update due to non-cross-certified key
Re-download a GPG key and import:

    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY

This is in the wiki:

http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29

I had the same thing happen and all is well now.

-d

On Fri, 18 Apr 2008 at 08:24 -0500, [EMAIL PROTECTED] confabulated:

I recently installed Mandriva 2008.1 on one of my spamfilters. It includes gpg version 1.4.9. When I try to run sa-update, I get:

    [EMAIL PROTECTED] ~]$ sudo sa-update
    Password:
    gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
    gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
    error: GPG validation failed!
    The update downloaded successfully, but the GPG signature verification failed.
    channel: GPG validation failed, channel failed

When I ran sa-update in debug mode, I see this message:

    [1518] dbg: channel: selected mirror http://daryl.dostech.ca/sa-update/asf
    [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz
    [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.sha1
    [1518] dbg: http: GET request, http://daryl.dostech.ca/sa-update/asf/648641.tar.gz.asc
    [1518] dbg: sha1: verification wanted: 129293f2f748a7398442daf97a26e2af387192a6
    [1518] dbg: sha1: verification result: 129293f2f748a7398442daf97a26e2af387192a6
    [1518] dbg: channel: populating temp content file
    [1518] dbg: gpg: populating temp signature file
    [1518] dbg: gpg: calling gpg
    gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
    [1518] dbg: gpg: gpg: Signature made Wed 16 Apr 2008 04:28:44 AM CDT using RSA key ID 24F434CE
    [1518] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
    [1518] dbg: gpg: gpg: please see http://www.gnupg.org/faq/subkey-cross-certify.html for more information
    [1518] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
    [1518] dbg: gpg: gpg: Can't check signature: general error
    error: GPG validation failed!
    The update downloaded successfully, but the GPG signature verification failed.
    channel: GPG validation failed, channel failed

Looking at the gnupg faq, this appears to be a problem with the way the key is created. I was able to run sa-update with the --nogpg option, and sa-compile worked fine after sa-update ran, but I would like to know the best way to fix this long term. Is this a gnupg bug? or a spamassassin bug? Or... ?

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
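A triage helper for the failure discussed in this thread, added here as an example (it is not part of the original posts or of sa-update): it reads `sa-update -D` output and separates the stale-key case, which the key re-import above fixes, from other signature failures, so that `--nogpg` does not become the standing workaround. The function name, result labels and the sample log excerpt are constructed for illustration.

```python
import re

# Constructed sample: the gpg-related lines of the debug output quoted above.
SAMPLE_LOG = """\
gpg: WARNING: unsafe permissions on homedir `/etc/mail/spamassassin/sa-update-keys'
[1518] dbg: gpg: gpg: Signature made Wed 16 Apr 2008 04:28:44 AM CDT using RSA key ID 24F434CE
[1518] dbg: gpg: gpg: WARNING: signing subkey 24F434CE is not cross-certified
[1518] dbg: gpg: [GNUPG:] ERRSIG 6C55397824F434CE 1 2 00 1208338124 1
[1518] dbg: gpg: gpg: Can't check signature: general error
"""

# GnuPG status line: ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc>
ERRSIG = re.compile(r"\[GNUPG:\] ERRSIG ([0-9A-F]+) \S+ \S+ \S+ \S+ (\d+)")
GOODSIG = re.compile(r"\[GNUPG:\] (?:GOODSIG|VALIDSIG) ")
NOT_CROSS = re.compile(r"signing subkey ([0-9A-F]+) is not cross-certified")
UNSAFE_DIR = re.compile(r"unsafe permissions on homedir [`'](.+?)'")
# Reason codes documented for ERRSIG; anything else is reported as a general error.
RC_CAUSES = {4: "unsupported-algorithm", 9: "missing-public-key"}

def diagnose(log_text):
    """Return why the gpg check in an sa-update debug log failed, if it did."""
    result = {"verified": False, "key_id": None, "cause": None,
              "homedir_warning": None}
    uncertified = set()   # subkey IDs gpg reported as not cross-certified
    rc = None
    for line in log_text.splitlines():
        if GOODSIG.search(line):
            result["verified"] = True
        if (m := UNSAFE_DIR.search(line)):
            result["homedir_warning"] = m.group(1)
        if (m := NOT_CROSS.search(line)):
            uncertified.add(m.group(1))
        if (m := ERRSIG.search(line)):
            result["key_id"], rc = m.group(1), int(m.group(2))
    if result["verified"] or rc is None:
        return result
    # The warning prints the short key ID; ERRSIG carries the long one.
    if any(result["key_id"].endswith(k) for k in uncertified):
        result["cause"] = "subkey-not-cross-certified"
    else:
        result["cause"] = RC_CAUSES.get(rc, "general-error")
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```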
help!
Wow, how's that for a vague title.

Here's the situation, our server is crashing lately once a week. Purely for fun I decided to stop anything related to mail:

    1057 /etc/rc.d/init.d/MailScanner stop
    1058 /etc/init.d/sendmail stop
    1059 service spamassassin stop

Then I ran the TOP command again. The server load dropped from 5-10 where it was:

    load average: 5.88, 7.23, 8.05

Dropped down to under 1

Thoughts? Please email me back directly so I can get the response quicker
Re: help!
ToTheCenter.com wrote:

Wow, how's that for a vague title.

Here's the situation, our server is crashing lately once a week. Purely for fun I decided to stop anything related to mail:

    1057 /etc/rc.d/init.d/MailScanner stop
    1058 /etc/init.d/sendmail stop
    1059 service spamassassin stop

Then I ran the TOP command again. The server load dropped from 5-10 where it was:

    load average: 5.88, 7.23, 8.05

Dropped down to under 1

Thoughts? Please email me back directly so I can get the response quicker

you might read faqs about mailscanner and have a look in your mail log

--
Best Regards
Robert Schetterer
Germany/Munich/Bavaria
Re: help!
CC'd to the SA list for the archives.

ToTheCenter.com wrote:

Dave, Admittedly, I'm TOTALLY confused. :) What exactly should I be doing? :) My knowledge of unix is limited. Would you be willing to talk me through it? Would AIM be easier?

I am up to my butt in alligators this morning, I suggest you first try a questions list for your OS, at this point you have no idea if the issue is your email software, hardware, power, etc. You will need to provide a lot more info unless you want to be ignored. I would be prepared to get any log info they request, the OS and kernel version, and versions of all software installed.

DAve

Dominick

At 10:31 AM 4/18/2008, you wrote:

ToTheCenter.com wrote:

Wow, how's that for a vague title.

Here's the situation, our server is crashing lately once a week. Purely for fun I decided to stop anything related to mail:

    1057 /etc/rc.d/init.d/MailScanner stop
    1058 /etc/init.d/sendmail stop
    1059 service spamassassin stop

Why are you running MailScanner and SA? MailScanner loads the SA libraries directly. You don't need or want spamd. /var/log/messages is your friend.

DAve

Then I ran the TOP command again. The server load dropped from 5-10 where it was:

    load average: 5.88, 7.23, 8.05

Dropped down to under 1

Thoughts? Please email me back directly so I can get the response quicker

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.
Re: help!
ToTheCenter.com wrote:

Wow, how's that for a vague title.

Here's the situation, our server is crashing lately once a week. Purely for fun I decided to stop anything related to mail:

    1057 /etc/rc.d/init.d/MailScanner stop
    1058 /etc/init.d/sendmail stop
    1059 service spamassassin stop

Why are you running MailScanner and SA? MailScanner loads the SA libraries directly. You don't need or want spamd. /var/log/messages is your friend.

DAve

Then I ran the TOP command again. The server load dropped from 5-10 where it was:

    load average: 5.88, 7.23, 8.05

Dropped down to under 1

Thoughts? Please email me back directly so I can get the response quicker

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.
Re: gpg failure on sa-update due to non-cross-certified key
On Fri, 2008-04-18 at 13:51 +, D Hill wrote:

Re-download a GPG key and import:

    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY

This is in the wiki:

http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29

I had the same thing happen and all is well now.

Ah, thank you. I dug around the wiki for an hour last night and didn't find this article...

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: ways to react faster to spam attacks
On Wed, March 19, 2008 13:53, Henrik K wrote:

Also: http://ixhash.sourceforge.net/ Using all three lists works great here.

it also calc the md5 sum per lists :/ so internal it can imho be speeded up by a rewrite :)

flow:

    md5 sum rule test #1
    test sum on all lists you define
    md5 sum rule test #2
    test sum on all list you define
    md5 sum rule test #3
    test sum on all list you define

speed improvements, one thing is now left, what about the scores per test ?

I have disabled the ixhash, and enabled the myixhash with mysql backend, works better :-)

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: gpg failure on sa-update due to non-cross-certified key
On Fri, 18 Apr 2008 at 10:30 -0500, [EMAIL PROTECTED] confabulated:

On Fri, 2008-04-18 at 13:51 +, D Hill wrote:

Re-download a GPG key and import:

    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY

This is in the wiki:

http://wiki.apache.org/spamassassin/SaUpdateKeyNotCrossCertified?highlight=%28update%29

I had the same thing happen and all is well now.

Ah, thank you. I dug around the wiki for an hour last night and didn't find this article...

A search for the word 'update' on the Wiki is how I found it.
Extend DNSEval.pm?
Is there any way to extend this in DNSEval.pm locally without patching? Maybe with a plugin or something?

    my @originating = ();
    for my $header ('X-Originating-IP', 'X-Apparently-From') {
      my $str = $pms->get($header);
      next unless $str;
      push (@originating, ($str =~ m/($IP_ADDRESS)/g));
    }

I want to add a few headers here but I didn't want to have to patch on each upgrade.

Thanks,
William
Re: Extend DNSEval.pm?
William Taylor writes:

Is there any way to extend this in DNSEval.pm locally without patching? Maybe with a plugin or something?

    my @originating = ();
    for my $header ('X-Originating-IP', 'X-Apparently-From') {
      my $str = $pms->get($header);
      next unless $str;
      push (@originating, ($str =~ m/($IP_ADDRESS)/g));
    }

I want to add a few headers here but I didn't want to have to patch on each upgrade.

hi William -- meant to reply to your private mail, but list mail is better ;)

The best bet to get it into the mainline is to add a configuration setting to Conf.pm, specifying the names of additional headers to look up.

Failing that, why not add your additional headers using X-Originating-IP in the first place? ;)

--j.
Re: Extend DNSEval.pm?
On Fri, Apr 18, 2008 at 06:22:58PM +0100, Justin Mason wrote:

William Taylor writes:

Is there any way to extend this in DNSEval.pm locally without patching? Maybe with a plugin or something?

    my @originating = ();
    for my $header ('X-Originating-IP', 'X-Apparently-From') {
      my $str = $pms->get($header);
      next unless $str;
      push (@originating, ($str =~ m/($IP_ADDRESS)/g));
    }

I want to add a few headers here but I didn't want to have to patch on each upgrade.

hi William -- meant to reply to your private mail, but list mail is better ;)

The best bet to get it into the mainline is to add a configuration setting to Conf.pm, specifying the names of additional headers to look up.

Failing that, why not add your additional headers using X-Originating-IP in the first place? ;)

--j.

No worries Justin.. Thought about the list today lol

Isn't Conf.pm overwritten when upgrading? Can you give me an example of what I would put in there or point me in the right direction? We need custom ones for internal reasons.

Thanks,
William
Re: SPF and Hotmail
I can't employ what you've told me as upgrading to 3.2.4 is out of the question until I rebuild the mail server (Debian Sarge), but the advice is appreciated. Cheers, Michael Hutchinson I have installed SpamAssassin on Debian Sarge Etch via cpan and no problem has followed. As long as you don't install perl via cpan, but only SpamAssassin.. and configured cpan so that it follows the dependencies you will be good. I consider cpan for SA as volatile for ClamAV, something one must do, and it usually works.
Another candidate for the hall of Shame: Eschelon
Well, I got a bunch of spams from 66.213.228.51 about some non-existent stock (that's considered Wire Fraud, and it's a federal felony offense in the US). It was also unsolicited. I went to Eschelon.com, the ISP, and provided them with examples and asked them to shutdown the spammer. They insisted that the client in this case (meaning their checks cash, even if they do spam) was a legitimate opt-in operator. I said, Fine, then have them furnish the proof that this user ever opted in, because he insists he didn't. A week later, no reply, despite my pinging them twice. They're either complicit, or else burying their head in the ground as to the legitimacy of the complaints (they did call them a major customer). Because it doesn't take over a week to dig out proof that someone opted into a list or didn't. So, what's the procedure for spanking an irresponsible ISP? How do you name him to the various RBL's? I suppose I could sign up for spamcop.net... Which S/X/RBL would be most effective in this case? Thanks, -Philip
Re: Another candidate for the hall of Shame: Eschelon
On Saturday 19 April 2008 03:10:42 Philip Prindeville wrote:

Which S/X/RBL would be most effective in this case?

spamhaus. If it's a known spammer, the ISP will get in trouble pretty fast. No clue how you submit anything to them though :/ maybe they already know, if the problem is big enough. If the problem is too small for spamhaus, try getting them on small but no-one-should-use lists like rfcignorant. Just to slap them around a little. And link back to the entries ;)

--
best regards
Arvid Ephraim Picciani