RE: [LinkedIn Spam] Re: unwhitelist from_dkim?
At 15:11 19-03-10, Chris Richman wrote: If anyone knows of a reliable way to identify mailing list addresses, I'd love to know so we could block mail to them. Currently, we just do it when it's reported to us. I suppose one approach might be to block list.* domains or email addresses in the format *-l...@.* or other common mailing list address formats. It wouldn't catch all of them, I'm sure (m...@gnome.org, for example), but it might help. There isn't a reliable way to identify mailing list addresses. Regards, -sm
Re: Installation error on Windows Server 2008 / 64-bit
Bret Miller-4 wrote: I worked on it for a while on Windows Server 2008R2, and concluded that I was not going to get it running in 64-bit ActivePerl. There were just too many dependencies that would not compile or were missing features in x64 mode. So I cleared it all off, reinstalled ActivePerl 32-bit and proceeded to install spamassassin without incident on my 64-bit server running in 32-bit mode. I am having occasional issues with spamassassin just dying. Not sure what that's about since restarting it always allows it to scan whatever message caused it to crash in the first place. Other things have been priority, so haven't gotten back to trying to track down the cause of the crash. Bret

I'm pretty sure he didn't use ActivePerl x64: he mentioned the x86 path (assuming defaults).

weirdbeardmt wrote: So I'm at a loss! The only thing I'm doing that might be slightly peculiar, but not sure why, is installing NetAddr::IP using perl -MCPAN -e install('NetAddr::IP') as opposed to ppm.

Is there a reason why you use CPAN? If adding the right repositories there is no need for that. 3.3.1 has just been released, so first download this from the official site. Then try the following:

1. Stop the Windows Installer service. This can be accomplished from the command prompt using the following command:
   c:\> net stop "Windows Installer"
2. Temporarily remove or rename the PERLLIB and PERL5LIB environment variables in the system environment.
3. Temporarily remove or rename the following registry values:
   [\\HKEY_LOCAL_MACHINE\Software\Perl] lib = directory (REG_SV)
   [\\HKEY_LOCAL_MACHINE\Software\Perl] sitelib = directory (REG_SV)
   [\\HKEY_LOCAL_MACHINE\Software\Perl] lib-PerlVersion = directory (REG_SV)
   [\\HKEY_LOCAL_MACHINE\Software\Perl] sitelib-PerlVersion = directory (REG_SV)
4. Install ActivePerl 5.10 (x86).
5. Open a DOS box and type the following:
   ppm remove --area perl DB_File
   ppm repo add bribes
   ppm repo add trouchelle
   ppm install Prompt-Timeout
   ppm install Net-DNS
   ppm install NetAddr-IP
   ppm install DB_File
   ppm install Mail-SPF
   ppm install IP-Country
   ppm install IO-Socket-INET6
   ppm install Mail-DKIM
6. Go to the SA source and type:
   perl makefile.pl
   nmake
   nmake install

If this fails again, it has definitely nothing to do with your perl installation or some modules.

-- 
View this message in context: http://old.nabble.com/Installation-error-on-Windows-Server-2008---64-bit-tp27950951p27984259.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Pathological messages causing long scan times
John Hardin, 2010-03-21 01:01: The offending rule is FILL_THIS_FORM_LONG from 72_active.cf. I'll look into it. Fix is in local masscheck testing. Fix committed. But not online yet? At least not with 3.3.1's sa-update, it still takes nearly 5 minutes to scan this message (last hit is TIME_LIMIT_EXCEEDED). Btw, shouldn't --timeout-child on spamd limit the time spent? I have set it to 30, but that does not seem to work.
Re: [LinkedIn Spam] Re: unwhitelist from_dkim?
At 15:11 19-03-10, Chris Richman wrote: If anyone knows of a reliable way to identify mailing list addresses, I'd love to know so we could block mail to them. Currently, we just do it when it's reported to us. I suppose one approach might be to block list.* domains or email addresses in the format *-l...@.* or other common mailing list address formats. It wouldn't catch all of them, I'm sure (m...@gnome.org, for example), but it might help. On 21.03.10 23:06, SM wrote: There isn't a reliable way to identify mailing list addresses. Correct, but these services could cooperate with mailing lists so these invitations would not pass. Is there reliable way to detect the type of mail that shouldn't go to mailing list? So the list could refuse it, apparently with SA's help? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The early bird may get the worm, but the second mouse gets the cheese.
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
Warren Togami wrote on Sun, 21 Mar 2010 22:13:10 -0400: I highly recommend NOT building the RPM package from the spec file contained within the spamassassin tarball. It has never been tested to work on Fedora or Red Hat Enterprise Linux. Well, it works perfectly on CentOS, so I assume on RHEL as well. And it doesn't contain unwanted dependencies (like the one from rpmforge, don't know about yours) or adds spamd as a service or such that I don't want. So, it's perfect for me and it has worked for me for years and still does. So, I don't recommend not using it :-) Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
Rules correct ?
Hi, I am new to SpamAssassin. Can anyone tell me if these rules are correct?

header MY_FILTRAGE_FROM_93 From =~ /txxa\.px...@makk\.fi/
header MY_FILTRAGE_TO_93 To =~ /exxent\.net/
meta MY_FILTRAGE_93 (MY_FILTRAGE_FROM_93 && MY_FILTRAGE_TO_93)
score MY_FILTRAGE_93 200

(xx is my change.) I want an email from txxa.p...@makk.fi to any address at @exxent.net to get +200 in score. Is my syntax correct? Thanks, Stephane
Re: Rules correct ?
Stephane MAGAND wrote: Hi, I am new to SpamAssassin. Can anyone tell me if these rules are correct?

header MY_FILTRAGE_FROM_93 From =~ /txxa\.px...@makk\.fi/
header MY_FILTRAGE_TO_93 To =~ /exxent\.net/
meta MY_FILTRAGE_93 (MY_FILTRAGE_FROM_93 && MY_FILTRAGE_TO_93)
score MY_FILTRAGE_93 200

(xx is my change.) I want an email from txxa.p...@makk.fi to any address at @exxent.net to get +200 in score. Is my syntax correct? Thanks, Stephane

Looks good :) If you add two underscores to the start of the two rules making up the meta rule, then they will be evaluated but not scored; otherwise I think both rules would have a default score of 1.0. Also, you should probably add the @ sign to exxent.net.

header __MY_FILTRAGE_FROM_93 From =~ /txxa\.px...@makk\.fi/
header __MY_FILTRAGE_TO_93 To =~ /\...@exxent\.net/
meta MY_FILTRAGE_93 (__MY_FILTRAGE_FROM_93 && __MY_FILTRAGE_TO_93)
score MY_FILTRAGE_93 200
Re: Rules correct ?
Ned Slider wrote: Stephane MAGAND wrote: Hi, I am new to SpamAssassin. Can anyone tell me if these rules are correct?

header MY_FILTRAGE_FROM_93 From =~ /txxa\.px...@makk\.fi/
header MY_FILTRAGE_TO_93 To =~ /exxent\.net/
meta MY_FILTRAGE_93 (MY_FILTRAGE_FROM_93 && MY_FILTRAGE_TO_93)
score MY_FILTRAGE_93 200

(xx is my change.) I want an email from txxa.p...@makk.fi to any address at @exxent.net to get +200 in score. Is my syntax correct? Thanks, Stephane

Looks good :) If you add two underscores to the start of the two rules making up the meta rule, then they will be evaluated but not scored; otherwise I think both rules would have a default score of 1.0. Also, you should probably add the @ sign to exxent.net.

header __MY_FILTRAGE_FROM_93 From =~ /txxa\.px...@makk\.fi/
header __MY_FILTRAGE_TO_93 To =~ /\...@exxent\.net/
meta MY_FILTRAGE_93 (__MY_FILTRAGE_FROM_93 && __MY_FILTRAGE_TO_93)
score MY_FILTRAGE_93 200

Oops, should probably make the rules case-insensitive too:

header __MY_FILTRAGE_FROM_93 From =~ /txxa\.px...@makk\.fi/i
header __MY_FILTRAGE_TO_93 To =~ /\...@exxent\.net/i
meta MY_FILTRAGE_93 (__MY_FILTRAGE_FROM_93 && __MY_FILTRAGE_TO_93)
score MY_FILTRAGE_93 200
Re: Pathological messages causing long scan times
On Monday March 22 2010 11:49:22 Jakob Hirsch wrote: Btw, shouldn't --timeout-child on spamd limit the time spent? I have set it to 30, but that does not seem to work. The signal handling in 3.3 is left at perl default of 'safe handling', which means that alarm signal cannot interrupt evaluation of a single regular expression, which is what is happening here. If there is a series of slow rules, or some other non-CPU bound slow rule, the time limit works alright. It is possible to run SA with unsafe signal handling by setting a PERL_SIGNALS environment variable to the string 'unsafe'. This was considered too risky for the distribution, but you can do it if runaway rules occur frequently and perl crashes rarely :- Dynamically switching between two modes was considered to be implemented in module Mail::SpamAssassin::Timeout, but didn't work as desired, it needs more investigation. Mark
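The limitation Mark describes can be demonstrated, and worked around, from outside the regex engine. The following is an added example written for this page, not SpamAssassin code: Python's re module behaves like Perl under safe signals, in that a pending alarm is only acted on between operations the interpreter chooses to check, so the match is run in a child process that the parent kills when the limit passes. The patterns and inputs are constructed; `^(a+)+$` against a run of a's ending in a non-a is the classic nested-quantifier backtracking case.

```python
"""A per-match time limit enforced from outside the regex engine.
Added example for this thread, not SpamAssassin code.

Python's re module behaves like Perl with safe signals: a pending alarm is
only acted on between operations the interpreter chooses to check, so one
long backtracking match cannot be interrupted from inside the process.
Running the match in a child process and killing that process gives a
limit that always holds.  Patterns and inputs below are constructed.
"""
import multiprocessing
import re

try:
    _CTX = multiprocessing.get_context("fork")
except ValueError:                 # no fork on this platform (Windows)
    _CTX = multiprocessing.get_context()


def _match_worker(pattern, flags, text, conn):
    """Child process: run the match and report True/False to the parent."""
    conn.send(re.search(pattern, text, flags) is not None)
    conn.close()


def search_with_hard_timeout(pattern, text, seconds, flags=0):
    """True/False for a match, or None if the match did not finish in time."""
    parent, child = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_match_worker, args=(pattern, flags, text, child))
    proc.start()
    child.close()                  # parent keeps only the read end
    try:
        if parent.poll(seconds):   # an answer (or EOF) arrived within the limit
            result = parent.recv()
            proc.join()
            return result
        return None                # still matching: the finally clause kills it
    except EOFError:               # child died without answering
        return None
    finally:
        if proc.is_alive():
            proc.terminate()       # SIGTERM: the regex engine never gets a say
            proc.join()
        parent.close()


# Constructed inputs: a benign rule-style pattern, and the classic nested
# quantifier that backtracks exponentially on an input that almost matches.
BENIGN = (r"fill (this|the) form", "please fill this form today")
RUNAWAY = (r"^(a+)+$", "a" * 40 + "!")

if __name__ == "__main__":
    print(search_with_hard_timeout(*BENIGN, seconds=2))    # True
    print(search_with_hard_timeout(*RUNAWAY, seconds=2))   # None
```

The cost is a fork per scan, which is why spamd does not do this per rule; the point of the demonstration is only that a limit enforced by a signal handler inside the same process cannot be relied on for a single pathological match, whereas one enforced by a separate process can.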
Re: Rules correct ?
header __MY_FILTRAGE_TO_93 To =~ /\...@exxent\.net/i

This matches if @exxent.net is in the To: header line. It doesn't match all mail sent to recipients at exxent.net -- only mail with their address in the To: header line. Of course this may be exactly what you want to do.

Joseph Brennan
Columbia University Information Technology
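The points made in the three replies above (sub-rules prefixed with `__` are evaluated but never scored, an unscored visible rule counts 1.0, the `@` keeps the To: pattern from matching look-alike domains, and a To: rule sees only the To: header) can be checked against sample messages. The following is an added example, not SpamAssassin's rule engine; the sender address and domains are hypothetical placeholders under example.org / example.net, not the addresses in the thread, and the messages are constructed.

```python
"""Evaluator for the header + meta rule shape discussed in this thread.
Added example; not SpamAssassin's rule engine.  Sender and recipient
domains are hypothetical placeholders, not the ones in the thread.

Built in: a rule whose name starts with "__" is evaluated but never
scored, any other rule without an explicit score counts 1.0, and a
header rule on To: sees only the To: header.
"""
import re
from email import message_from_string

# (rule name, header, pattern, flags) -- the "header NAME Header =~ /re/i" form
HEADER_RULES = [
    ("__MY_FILTRAGE_FROM_93", "From", r"sender\.one@example\.org", re.I),
    ("__MY_FILTRAGE_TO_93",   "To",   r"@example\.net", re.I),
]
# meta rule -> sub-rules that must all hit (the "A && B" form)
META_RULES = {"MY_FILTRAGE_93": ("__MY_FILTRAGE_FROM_93", "__MY_FILTRAGE_TO_93")}
SCORES = {"MY_FILTRAGE_93": 200.0}


def header_matches(raw_message, header, pattern, flags=re.I):
    """True if the pattern matches any instance of the named header."""
    msg = message_from_string(raw_message)
    value = "\n".join(msg.get_all(header, []))
    return re.search(pattern, value, flags) is not None


def evaluate(raw_message):
    """Return (total score, sorted names of all rules that hit)."""
    hits = {name: header_matches(raw_message, header, pattern, flags)
            for name, header, pattern, flags in HEADER_RULES}
    for name, parts in META_RULES.items():
        hits[name] = all(hits[part] for part in parts)
    total = 0.0
    for name, hit in hits.items():
        if not hit or name.startswith("__"):
            continue                      # "__" sub-rules carry no score
        total += SCORES.get(name, 1.0)    # unscored visible rules default to 1.0
    return total, sorted(n for n, h in hits.items() if h)


# Constructed messages (hypothetical addresses).
MSG_MATCH = "From: Sender.One@Example.ORG\nTo: bob@example.net\nSubject: t\n\nx\n"
MSG_CC = ("From: sender.one@example.org\nCc: bob@example.net\n"
          "To: other@example.com\nSubject: t\n\nx\n")
MSG_LOOKALIKE = "From: sender.one@example.org\nTo: bob@notexample.net\nSubject: t\n\nx\n"

if __name__ == "__main__":
    for raw in (MSG_MATCH, MSG_CC, MSG_LOOKALIKE):
        print(evaluate(raw))
```

The look-alike message is the case the `@` protects against: `/exxent\.net/` without it also matches `notexxent.net` (or any longer domain that ends that way), while `/\@exxent\.net/` does not. The Cc: message shows Joseph's point: the recipient is at the right domain, but the To: rule never sees the Cc: header, so the meta rule does not fire.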
Re: need to uninstall Spamassassin 3.3.1
On Sun, 21 Mar 2010, Security Admin (NetSec) wrote: Have tried upgrading Spamassassin 3.2.5 to 3.3.1 and the result was a disaster. Currently have the spamassassin* of one version and perl-Mail-spamassassin* of another.

Precisely how did you go about upgrading? If you upgrade using a different method than SA was originally installed (e.g. 3.2.5 was installed from RPM and 3.3.1 was installed from CPAN) then you will likely have problems.

Running rpm -e spam* I get the following error:
error: package spamassassin-3.2.5-1.x86_64.rpm is not installed
error: package spamassassin-3.3.1-1.x86_64.rpm is not installed

I want to get spamassassin OFF completely and go back to 3.2.5 which I know works. How can I accomplish this?

At this point, since your system doesn't have a working SA at all, I'd suggest you uninstall all SA packages and go straight to 3.3.1.

And, as was pointed out, rpm -e {fileglob} doesn't work because the fileglob returns filenames, _not_ package names.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
I would buy a Mac today if I was not working at Microsoft. -- James Allchin, Microsoft VP of Platforms
---
164 days since President Obama won the Nobel Not George W. Bush prize
Re: Botnet plugin still relevant?
On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd jr...@ucsc.edu wrote: Some people need to put in some alternate values for DNS timeouts, but if you've got a local caching name server, you typically don't need that. There aren't any actual bugs in it that I'm aware of, so I haven't released a new version. As I see it, there isn't a need (and that is a somewhat controversial statement with some of the more opinionated people around here). I do still see some things that get nailed by it ... but there's lots of those same hosts that get caught by the Spamhaus PBL. So, it kind of depends on what you're doing with PBL and/or Zen, as to whether or not you need Botnet. But, there are still plenty of things coming from that class of hosts, so if you don't use one, I'd definitely recommend using the other. Yeah, I've been having problems recently which I think are related to me using both Zen/PBL along with the Botnet plugin weighted to score level 5, even if I were to have it lower at 3 it would still be too much. 
Many users are complaining and when I finally get some useful messages with headers to analyze I am finding something like the following:

X-Spam-Report:
 * 3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
 *     [213.6.61.151 listed in zen.dnsbl]
 * 1.0 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
 *     [213.6.61.151 listed in b.barracudacentral.org]
 * 1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
 *     [213.6.61.151 listed in bb.barracudacentral.org]
 * 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *     [213.6.61.151 listed in dnsbl.sorbs.net]
 * 0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
 * 5.0 BOTNET Relay might be a spambot or virusbot
 *     [botnet0.8,ip=213.6.61.151,rdns=a61-151.adsl.paltel.net,maildomain=palnet.com,client,ipinhostname,clientwords]
 * 1.0 RDNS_DYNAMIC Delivered to internal network by host with
 *     dynamic-looking rDNS

This brings it over the 8 threshold, although it is a legitimate email from a user who has unfortunately been saddled with a dynamic IP that previously was used by a spammer. No amount of explanation to these users about this is going to assuage their feelings, and there isn't really anything that can be done by them. They can complain to their ISP I guess, they could also find another ISP, but these are not particularly productive steps towards resolving this problem. I'm interested in other suggestions that I offer people as alternatives, but until then I think I may need to remove Botnet from the equation.

micah
FREEMAIL_REPLY
I recently received a FP complaint on a message that hit FREEMAIL_REPLY. The FP complaint is not in a format that would be useful for posting, but I don't believe that's going to be necessary. Here's what happened: some_u...@comcast.net saves a web page and sends it as an e-mail attachment to my customer. The attached web page includes a reference to a yahoo.com e-mail address. I believe the intent of FREEMAIL_REPLY was to catch phishing scams that come from one freemail address, but ask you to reply to another. In that case, a score of 1.9 seems almost generous. Yet in my case, where the second freemail address is contained in an attachment, that score may be a little high. Should FREEMAIL_REPLY really be looking in attachments, or should there be a second rule that deals with this specific case? -- /Jason
Re: Botnet plugin still relevant?
On 22.3.2010 16:51, micah anderson wrote: On Wed, 17 Mar 2010 14:45:53 -0700, John Rudd jr...@ucsc.edu wrote: Some people need to put in some alternate values for DNS timeouts, but if you've got a local caching name server, you typically don't need that. There aren't any actual bugs in it that I'm aware of, so I haven't released a new version. As I see it, there isn't a need (and that is a somewhat controversial statement with some of the more opinionated people around here). I do still see some things that get nailed by it ... but there's lots of those same hosts that get caught by the Spamhaus PBL. So, it kind of depends on what you're doing with PBL and/or Zen, as to whether or not you need Botnet. But, there are still plenty of things coming from that class of hosts, so if you don't use one, I'd definitely recommend using the other. Yeah, I've been having problems recently which I think are related to me using both Zen/PBL along with the Botnet plugin weighted to score level 5, even if I were to have it lower at 3 it would still be too much. 
Many users are complaining and when I finally get some useful messages with headers to analyze I am finding something like the following:

X-Spam-Report:
 * 3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
 *     [213.6.61.151 listed in zen.dnsbl]
 * 1.0 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
 *     [213.6.61.151 listed in b.barracudacentral.org]
 * 1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
 *     [213.6.61.151 listed in bb.barracudacentral.org]
 * 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *     [213.6.61.151 listed in dnsbl.sorbs.net]
 * 0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
 * 5.0 BOTNET Relay might be a spambot or virusbot
 *     [botnet0.8,ip=213.6.61.151,rdns=a61-151.adsl.paltel.net,maildomain=palnet.com,client,ipinhostname,clientwords]
 * 1.0 RDNS_DYNAMIC Delivered to internal network by host with
 *     dynamic-looking rDNS

This brings it over the 8 threshold, although it is a legitimate email from a user who has unfortunately been saddled with a dynamic IP that previously was used by a spammer. No amount of explanation to these users about this is going to assuage their feelings, and there isn't really anything that can be done by them. They can complain to their ISP I guess, they could also find another ISP, but these are not particularly productive steps towards resolving this problem. I'm interested in other suggestions that I offer people as alternatives, but until then I think I may need to remove Botnet from the equation.

micah

It looks like the sender has operated his own SMTP server and not used his ISP as a smart host. That is bad practice; with a real server not a single one of those rules would have triggered. Especially Botnet does not have any knowledge about earlier spamming. Botnet does not care.

-- 
http://www.iki.fi/jarif/
Q: What is purple and concord the world?
A: Alexander the Grape.
RE: Sa-update
In my environment, postfix passes the message on to the exchange server, so once it releases the message I don't have anything to train bayes with since it's deleted.

Add an 'always_bcc' directive to your Postfix configuration to grab a copy of all mail passing through it and send it to a capture mailbox. Use a procmail recipe to classify mail arriving in the capture mailbox as ham, spam or indeterminate and file it appropriately for input to sa_learn.

Martin

That is perfect! I've done that and it saves the mail locally. The only problem is that when I open the file for the user's mailbox, it puts all of the email in one large text file with one email after the next. Is that normal? I wouldn't have to go through it and separate each mail, would I?

Kaleb
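The "one large text file with one email after the next" is the mbox format: each message begins with a "From " separator line, and sa-learn reads such a file directly with its --mbox option, so nothing needs separating by hand. As an added example, not from the thread, here is Martin's classification step in Python rather than procmail: it walks the capture mailbox with the standard mailbox module, reads the score from the X-Spam-Status header SpamAssassin adds, and files each message under spam/, ham/ or unsure/ for sa-learn. It assumes the bcc copies were taken after SpamAssassin ran (otherwise there is no X-Spam-Status to read); the thresholds and the sample mailbox are constructed.

```python
"""Split a Postfix always_bcc capture mailbox (mbox format) into per-class
message files for sa-learn.  Added example, not from the thread; the
score thresholds and the sample mailbox are constructed.

Assumes the bcc copies were taken after SpamAssassin ran, so each message
carries an X-Spam-Status header of the form
"Yes, score=12.3 required=5.0 tests=...".
"""
import mailbox
import os
import re
import tempfile

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")
SPAM_AT = 8.0   # assumption: treat as spam at or above this score
HAM_AT = 0.0    # assumption: treat as ham at or below this score


def classify(msg, spam_at=SPAM_AT, ham_at=HAM_AT):
    """'spam', 'ham' or 'unsure' from the message's X-Spam-Status header.

    Messages between the thresholds are left for a human: learning them on
    SpamAssassin's own verdict would only reinforce what Bayes already thinks.
    """
    m = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    if m is None:
        return "unsure"
    score = float(m.group(1))
    if score >= spam_at:
        return "spam"
    if score <= ham_at:
        return "ham"
    return "unsure"


def split_capture(mbox_path, out_dir):
    """Write every message to out_dir/<class>/<n>.eml; return counts per class."""
    counts = {"spam": 0, "ham": 0, "unsure": 0}
    for n, msg in enumerate(mailbox.mbox(mbox_path)):   # mbox: "From " separated
        label = classify(msg)
        target = os.path.join(out_dir, label)
        os.makedirs(target, exist_ok=True)
        with open(os.path.join(target, "%d.eml" % n), "wb") as fh:
            fh.write(msg.as_bytes())
        counts[label] += 1
    return counts


# Constructed capture mailbox: three messages, one per class.
SAMPLE_MBOX = """\
From sender@example.org Mon Mar 22 10:00:00 2010
From: sender@example.org
To: user@example.net
Subject: offer
X-Spam-Status: Yes, score=12.3 required=5.0 tests=BAYES_99,URIBL_BLACK

buy now

From friend@example.org Mon Mar 22 10:01:00 2010
From: friend@example.org
To: user@example.net
Subject: lunch
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00

see you at noon

From other@example.org Mon Mar 22 10:02:00 2010
From: other@example.org
To: user@example.net
Subject: hmm
X-Spam-Status: No, score=3.4 required=5.0 tests=BAYES_50

not sure about this one
"""


def demo():
    """Write SAMPLE_MBOX to a scratch directory, split it, return the counts."""
    work = tempfile.mkdtemp(prefix="sa-capture-")
    path = os.path.join(work, "capture.mbox")
    with open(path, "w") as fh:
        fh.write(SAMPLE_MBOX)
    return split_capture(path, os.path.join(work, "learn"))


if __name__ == "__main__":
    print(demo())
```

The resulting directories can be fed to sa-learn --spam and sa-learn --ham; the unsure/ directory is the one worth a human look, since those are the messages Bayes is least certain about and learns the most from.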
Re: Botnet plugin still relevant?
On Mon, Mar 22, 2010 at 07:51, micah anderson mi...@riseup.net wrote: From a user who has unfortunately been saddled with a dynamic IP that previously was used by a spammer. No amount of explanation to these users about this is going to assuage their feelings, and there isn't really anything that can be done by them. They can complain to their ISP I guess, they could also find another ISP, but these are not particularly productive steps towards resolving this problem. I'm interested in other suggestions that I offer people as alternatives, but until then I think I may need to remove Botnet from the equation.

Or you could just put that relay into your botnet cf file so that it doesn't get scored by botnet. That's what the botnet_pass_ip entries are there for. Using the example you just gave, you could just do:

botnet_pass_ip ^213\.6\.61\.151$

Then just do whatever you need to in your spamassassin environment to make that live (reload something, etc.). Then that particular host won't ever trigger botnet again.
Re: Yahoo/URL spam
On Mon, 22 Mar 2010, Alex wrote:

rawbody __BODY_ONLY_URI /^[^a-z]{0,10}(http:\/\/|www\.)(\w+\.)+(com|net|org|biz|cn|ru)\/?[^ ]{0,20}[^a-z]{0,10}$/msi

This allows for some amount (up to ten chars?) of text before and after the URI if I'm reading that right, correct?

Nope. With the /ms flags ^ and $ at beginning and end match the *whole* body as a single 'string' and permit 'any character' (. or [^x]) matches to also match newlines. So the above regex translates to:

/^                      - Beginning of body
[^a-z]{0,10}            - match 0-10 non-alpha characters *including* newlines
(http:\/\/|www\.)       - match a uri beginning with http *or* www
(\w+\.)+                - match multiple occurrences of word followed by . (this will match 'domain.' *or* 'www.domain.')
(com|net|biz|org|cn|ru) - match TLD (adjust to fit your mail)
\/?                     - match a slash if there is one
[^ ]{0,20}              - match 0-20 non-blank characters (page name, if given)
[^a-z]{0,10}            - match 0-10 non-alpha chars including newlines (did I TYPO in my OP and leave out the '^'?)
$                       - match end of body
/msi

Is it possible to determine the beginning of the line with a body rule?

Insert '\n' into the above regex where you want to match newline.

I didn't think that was possible. I believe this is also what this is trying to do?

It's possible, but NOT what this regex does. Essentially this regex matches against a complete body that consists of nothing more than a single URI on a line, with possible blank lines before or after. Rather than test for newlines, I test for non-alpha so that a stray space or tab or LF code does not fail to match.

This simple regex can also be 'dressed up' with elements of the form (\<[^\>]+\>\ +)+ to match any HTML code inserted before or after the URI. A regex could also check for a link consisting of text enclosed by <a href="..."> ... </a>

The key is to be sure that you don't use '*' or '+' in any context where it could 'run away' and try to match large message bodies. This way, as soon as the body exceeds 40 characters on either side of an unbroken string of characters it stops the test. Relatively efficient for a rawbody test.

- C
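As an added example (not from the post), the rule's pattern run through Python's re, whose M, S and I flags are Perl's /m, /s and /i, against constructed bodies. One caveat a rule author wants to see: under /m, ^ and $ match at every line boundary, so the pattern as written fires whenever any single line of the body is a bare URI, with text on the other lines. To demand that the whole body be a bare URI (blank lines allowed), anchor with \A and \Z (Perl: \A and \z) and drop /m, as the second pattern below does; the bounded quantifiers, which are the author's point about not letting the match run away, are the same in both.

```python
"""The rawbody pattern from the post, run through Python's re.  Added
example, not from the post.  Python's M, S and I flags are Perl's /m,
/s and /i.  Bodies are constructed.
"""
import re

TLD = r"(com|net|org|biz|cn|ru)"
# The posted pattern minus its anchors; every quantifier is bounded except
# (\w+\.)+, where the literal dot delimits each repetition.
CORE = r"[^a-z]{0,10}(http://|www\.)(\w+\.)+" + TLD + r"/?[^ ]{0,20}[^a-z]{0,10}"

# As posted: ^ and $ under /m match at every line boundary.
POSTED = re.compile(r"^" + CORE + r"$", re.M | re.S | re.I)
# Anchored to the whole body: \A and \Z (Perl: \A and \z), no /m.
WHOLE_BODY = re.compile(r"\A" + CORE + r"\Z", re.S | re.I)


def hits(pattern, body):
    """True if the compiled rawbody pattern fires on this body."""
    return pattern.search(body) is not None


# Constructed bodies.
URL_ONLY = "http://spam.example.com/offer\n"
URL_WITH_BLANKS = "\n\nwww.example.ru\n\n"
URL_IN_TEXT = "Hi there,\nhttp://spam.example.com/offer\nsee you\n"

if __name__ == "__main__":
    for body in (URL_ONLY, URL_WITH_BLANKS, URL_IN_TEXT):
        print(repr(body), hits(POSTED, body), hits(WHOLE_BODY, body))
```

Both patterns accept the bodies that are nothing but a URI, with or without surrounding blank lines; only the \A...\Z form rejects the body where the URI is one line among others. Which behaviour is wanted depends on the spam being chased, but the rule's name says "body only", and that is the second pattern.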
Re: Botnet plugin still relevant?
On Mon, 22 Mar 2010, micah anderson wrote: Many users are complaining and when I finally get some useful messages with headers to analyze I am finding something like the following:

X-Spam-Report:
 * 3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
 *     [213.6.61.151 listed in zen.dnsbl]
 * 1.0 RCVD_IN_BRBL RBL: Received via relay listed in Barracuda RBL
 *     [213.6.61.151 listed in b.barracudacentral.org]
 * 1.4 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT
 *     [213.6.61.151 listed in bb.barracudacentral.org]
 * 0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *     [213.6.61.151 listed in dnsbl.sorbs.net]
 * 0.8 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
 * 5.0 BOTNET Relay might be a spambot or virusbot
 *     [botnet0.8,ip=213.6.61.151,rdns=a61-151.adsl.paltel.net,maildomain=palnet.com,client,ipinhostname,clientwords]
 * 1.0 RDNS_DYNAMIC Delivered to internal network by host with
 *     dynamic-looking rDNS

This brings it over the 8 threshold, although it is a legitimate email from a user who has unfortunately been saddled with a dynamic IP that previously was used by a spammer.

If your users are connecting from random public Internet dynamic-IP hosts, are you using SMTP authentication? If so, there should be data about that authentication in the Received: headers that you can use within SA to whitelist them and offset legitimate results like those above.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Mine eyes have seen the horror of the voting of the horde; They've looted the fromagerie where guv'ment cheese is stored; If war's not won before the break they grow so quickly bored; Their vote counts as much as yours. -- Tam
---
164 days since President Obama won the Nobel Not George W. Bush prize
Re: FREEMAIL_REPLY
On Mon, 22 Mar 2010, Jason Bertoch wrote: Should FREEMAIL_REPLY really be looking in attachments

Sure. Just looking at the presence of freemail domains, there's nothing to distinguish the mail you got an FP report on from 419 spams that put the pitch and reply address in an attachment. What else hit on that message?

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Mine eyes have seen the horror of the voting of the horde; They've looted the fromagerie where guv'ment cheese is stored; If war's not won before the break they grow so quickly bored; Their vote counts as much as yours. -- Tam
---
164 days since President Obama won the Nobel Not George W. Bush prize
Re: FREEMAIL_REPLY
On 2010/03/22 12:26 PM, John Hardin wrote: On Mon, 22 Mar 2010, Jason Bertoch wrote: Should FREEMAIL_REPLY really be looking in attachments Sure. Just looking at the presence of freemail domains, there's nothing to distinguish the mail you got an FP report on from 419 spams that put the pitch and reply address in an attachment. What else hit on that message? I understand the benefit of looking in attachments, but wonder if it would make a difference in masscheck results to separate the two cases. The message also hit on FREEMAIL_ENVFROM_END_DIGIT, BAYES_50, and MPART_ALT_DIFF pushing the score to 5.1. I posted a question about scoring of FREEMAIL_ENVFROM_END_DIGIT directly to the dev list as I didn't feel it made much sense here. -- /Jason
Re: Botnet plugin still relevant?
micah anderson mi...@riseup.net wrote: Yeah, I've been having problems recently which I think are related to me using both Zen/PBL along with the Botnet plugin weighted to score level 5, even if I were to have it lower at 3 it would still be too much. Are you using the PBL appropriately? http://www.spamhaus.org/pbl/ says-- Caution: Because the PBL lists normal customer IP space, do not use PBL on smarthosts or SMTP AUTH outbound servers for your own customers (or you risk blocking your own customers if their dynamic IPs are in the PBL). Do not use PBL in filters that do any deep parsing of Received headers, or for other than checking IP addresses that hand off to your mailservers. Joseph Brennan Columbia University Information Technology
Re: FREEMAIL_REPLY
On Mon, 22 Mar 2010, Jason Bertoch wrote: On 2010/03/22 12:26 PM, John Hardin wrote: On Mon, 22 Mar 2010, Jason Bertoch wrote: Should FREEMAIL_REPLY really be looking in attachments Sure. Just looking at the presence of freemail domains, there's nothing to distinguish the mail you got an FP report on from 419 spams that put the pitch and reply address in an attachment. What else hit on that message? I understand the benefit of looking in attachments, but wonder if it would make a difference in masscheck results to separate the two cases.

Ah. Possibly.

-- 
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Men by their constitutions are naturally divided in to two parties: 1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes. 2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests. -- Thomas Jefferson
---
164 days since President Obama won the Nobel Not George W. Bush prize
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
On Mon, March 22, 2010 9:01 am, Bill Landry wrote: On 3/22/2010 4:31 AM, Kai Schaetzl wrote: Warren Togami wrote on Sun, 21 Mar 2010 22:13:10 -0400: I highly recommend NOT building the RPM package from the spec file contained within the spamassassin tarball. It has never been tested to work on Fedora or Red Hat Enterprise Linux. Well, it works perfectly on CentOS, so I assume on RHEL as well. And it doesn't contain unwanted dependencies (like the one from rpmforge, don't know about yours) or adds spamd as a service or such that I don't want. So, it's perfect for me and it has worked for me for years and still does. So, I don't recommend not using it :-) I tried it with Fedora 12, and would *not* install/upgrade due to a number of unwanted dependencies. Thanks for providing a working RPM install/upgrade for Fedora, Warren! I seem to have pissed Warren off with this reply, so I just wanted to make sure that no one else misinterpreted my reply. What I was attempting to do was confirm what Warren had said in his original post (and direct in response to Kai's comment that the spec file works fine for him with CentOS), that the spec file included with the tar.gz distribution does not build and install without issue on Fedora 12, but that Warren's RPM build *does* install cleanly and without issue on Fedora 12. My apologies if this was not understood in my previous post. Bill
Re: FREEMAIL_REPLY
On 2010/03/22 1:03 PM, John Hardin wrote: On Mon, 22 Mar 2010, Jason Bertoch wrote: On 2010/03/22 12:26 PM, John Hardin wrote: On Mon, 22 Mar 2010, Jason Bertoch wrote: Should FREEMAIL_REPLY really be looking in attachments Sure. Just looking at the presence of freemail domains, there's nothing to distinguish the mail you got an FP report on from 419 spams that put the pitch and reply address in an attachment. What else hit on that message? I understand the benefit of looking in attachments, but wonder if it would make a difference in masscheck results to separate the two cases. Ah. Possibly.

Another possibly interesting item of note, there are two scores for FREEMAIL_REPLY:

20_freemail.cf:score FREEMAIL_REPLY 0.5
50_scores.cf:score FREEMAIL_REPLY 2.499 2.499 1.788 1.929

-- /Jason
Re: Botnet plugin still relevant?
On Mon, 22 Mar 2010 10:51:20 -0400 micah anderson mi...@riseup.net wrote: Yeah, I've been having problems recently which I think are related to me using both Zen/PBL along with the Botnet plugin weighted to score level 5, even if I were to have it lower at 3 it would still be too much. If you look in the BOTNET documentation, it's possible to have BOTNET as a meta rule rather than have the logic inside the plugin. IMO it would be sensible to score PBL at 0.001 and bring it inside a BOTNET meta rule, and rescore BOTNET at the current value of the PBL score.
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
Kai Schaetzl wrote: Well, it works perfectly on CentOS, so I assume on RHEL as well. And it doesn't contain unwanted dependencies (like the one from rpmforge I'm curious about these unwanted dependencies, since I've never had trouble with that using the RPMForge package. About the only things I see that are not absolutely strictly **REQUIRED** are Net::DNS and gnupg - and TBH, I can't see why someone would do without either for long. -kgd
Re: Botnet plugin still relevant?
Micah anderson wrote on Mon, 22 Mar 2010 10:51:20 -0400: This brings it over the 8 threshold, although it is a legitimate email From a user who has unfortunately been saddled with a dynamic IP Most ISPs reject direct mail from non-static IP addresses nowadays. If you combine this with John Hardin's suggestion you don't need the botnet plugin or do RBL lookups for these clients at all (I guess you would need a new plugin for this, though). Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
Bill Landry wrote on Mon, 22 Mar 2010 09:01:26 -0700: I tried it with Fedora 12 I didn't say anything about Fedora. Kai -- Get your web at Conactive Internet Services: http://www.conactive.com
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
On Mon, March 22, 2010 10:31 am, Kai Schaetzl wrote: Bill Landry wrote on Mon, 22 Mar 2010 09:01:26 -0700: I tried it with Fedora 12 I didn't say anything about Fedora. But Warren certainly did in his original post. And BTW, he didn't say anything about CentOS in his original post, but that didn't stop you from replying. My response was to confirm Warren's original statements. Bill
Re: Installation error on Windows Server 2008 / 64-bit
Actually, I was using the x64 bit version of AP, hence the need to use the CPAN route for NetAddr-IP as I couldn't find a repo that included it for x64.

Have tried your suggestions below using x86 AP, and, still not working. Nmake fails with the same error.

Error
optional module missing: Razor2
optional module missing: Net::Ident
optional module missing: IO::Socket::SSL
optional module missing: Encode::Detect
warning: some functionality may not be available, please read the above report before continuing!
Checking if your kit is complete... Looks good
Writing Makefile for Mail::SpamAssassin
Makefile written by ExtUtils::MakeMaker 6.55

C:\Program Files (x86)\Neolane\Neolane v5\bin\SpamAssassin> nmake

Microsoft (R) Program Maintenance Utility Version 1.50
Copyright (c) Microsoft Corp 1988-94. All rights reserved.

syntax error at -e line 1, next char )
Missing right curly or square bracket at -e line 1, at end of line
Execution of -e aborted due to compilation errors.
NMAKE : fatal error U1077: 'C:\Windows\system32\cmd.exe' : return code '0xff'
Stop.

Dmake (installed via PPM) also fails. The only thing that's slightly weird is the makefile complaining about a lack of nmake on my path, despite C:\perl\bin; being set in PATH, PERLLIB and PERL5LIB. What else can I try?

C:\Program Files (x86)\Neolane\Neolane v5\bin\SpamAssassin> perl makefile.pl
Set up gcc environment - 3.4.5 (mingw-vista special r3)
It looks like you don't have either nmake.exe or dmake.exe on your PATH, so you will not be able to execute the commands from a Makefile.

Is there a reason why you use CPAN? If adding the right repositories there is no need for that. 3.3.1 has just been released, so first download this from the official site. Then try the following:

1. Stop the Windows Installer service. This can be accomplished from the command prompt using the following command:
   c:\> net stop "Windows Installer"
2. Temporarily remove or rename the PERLLIB and PERL5LIB environment variables in the system environment.
3. Temporarily remove or rename the following registry values:
   [\\HKEY_LOCAL_MACHINE\Software\Perl] lib = directory (REG_SV)
   [\\HKEY_LOCAL_MACHINE\Software\Perl] sitelib = directory (REG_SV)
   [\\HKEY_LOCAL_MACHINE\Software\Perl] lib-PerlVersion = directory (REG_SV)
   [\\HKEY_LOCAL_MACHINE\Software\Perl] sitelib-PerlVersion = directory (REG_SV)
4. Install ActivePerl 5.10 (x86).
5. Open a DOS box and type the following:
   ppm remove --area perl DB_File
   ppm repo add bribes
   ppm repo add trouchelle
   ppm install Prompt-Timeout
   ppm install Net-DNS
   ppm install NetAddr-IP
   ppm install DB_File
   ppm install Mail-SPF
   ppm install IP-Country
   ppm install IO-Socket-INET6
   ppm install Mail-DKIM
6. Go to the SA source and type:
   perl makefile.pl
   nmake
   nmake install

If this fails again, it has definitely nothing to do with your perl installation or some modules.

-- 
View this message in context: http://old.nabble.com/Installation-error-on-Windows-Server-2008---64-bit-tp27950951p27989924.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Botnet plugin still relevant?
On Mon, 22 Mar 2010, Kai Schaetzl wrote:
> Micah anderson wrote on Mon, 22 Mar 2010 10:51:20 -0400:
>> This brings it over the 8 threshold, although it is a legitimate email
>> from a user who has unfortunately been saddled with a dynamic IP
> Most ISPs reject direct mail from non-static IP addresses nowadays. If you combine this with John Hardin's suggestion you don't need the botnet plugin or do RBL lookups for these clients at all (I guess you would need a new plugin for this, though).

How do you reject mail from a non-static IP without doing a DNSBL lookup (e.g. Zen)?

If you're suggesting most ISPs are doing egress filtering on port 25 from their dynamic spaces, that's good for them, but until _all_ ISPs do that DNSBLs will still be useful.

My suggestion doesn't involve discarding botnet or DNSBLs, it involves offsetting their scores for those instances where you _know_ the mail from a suspicious IP address is legitimate and wanted.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Men by their constitutions are naturally divided into two parties:
  1. Those who fear and distrust the people and wish to draw all powers
     from them into the hands of the higher classes.
  2. Those who identify themselves with the people, have confidence in
     them, cherish and consider them as the most honest and safe,
     although not the most wise, depository of the public interests.
                                                    -- Thomas Jefferson
-----------------------------------------------------------------------
 164 days since President Obama won the Nobel Not George W. Bush prize
Re: Installation error on Windows Server 2008 / 64-bit
On Mon, 22 Mar 2010, weirdbeardmt wrote:
> What else can I try?

Running it on a *NIX box like God intended? GDR... :)

To be serious, have you considered setting up a Linux VM that is dedicated to hosting spamd?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Men by their constitutions are naturally divided into two parties:
  1. Those who fear and distrust the people and wish to draw all powers
     from them into the hands of the higher classes.
  2. Those who identify themselves with the people, have confidence in
     them, cherish and consider them as the most honest and safe,
     although not the most wise, depository of the public interests.
                                                    -- Thomas Jefferson
-----------------------------------------------------------------------
 164 days since President Obama won the Nobel Not George W. Bush prize
Re: Installation error on Windows Server 2008 / 64-bit
I didn't try to make spamc with mine. If you're doing that, it is possible that there could be a configuration situation that prevents it. I'm not sure why else it would fail. For the few items I had to manually compile and install I used Visual Studio 2008 Express.

Bret

On 3/22/2010 10:40 AM, weirdbeardmt wrote:
> Actually, I was using the x64 bit version of AP, hence the need to use the CPAN route for NetAddr-IP as I couldn't find a repo that included it for x64. Have tried your suggestions below using x86 AP, and, still not working. Nmake fails with the same error.
>
>     optional module missing: Razor2
>     optional module missing: Net::Ident
>     optional module missing: IO::Socket::SSL
>     optional module missing: Encode::Detect
>
>     warning: some functionality may not be available,
>       please read the above report before continuing!
>
>     Checking if your kit is complete...
>     Looks good
>     Writing Makefile for Mail::SpamAssassin
>     Makefile written by ExtUtils::MakeMaker 6.55
>
>     C:\Program Files (x86)\Neolane\Neolane v5\bin\SpamAssassin>nmake
>
>     Microsoft (R) Program Maintenance Utility Version 1.50
>     Copyright (c) Microsoft Corp 1988-94. All rights reserved.
>
>     syntax error at -e line 1, next char )
>     Missing right curly or square bracket at -e line 1, at end of line
>     Execution of -e aborted due to compilation errors.
>     NMAKE : fatal error U1077: 'C:\Windows\system32\cmd.exe' : return code '0xff'
>     Stop.
>
> Dmake (installed via PPM) also fails. The only thing that's slightly weird is the makefile complaining about a lack of nmake on my path, despite C:\perl\bin; being set in PATH, PERLLIB and PERL5LIB. What else can I try?
>
>     C:\Program Files (x86)\Neolane\Neolane v5\bin\SpamAssassin>perl makefile.pl
>     Set up gcc environment - 3.4.5 (mingw-vista special r3)
>     It looks like you don't have either nmake.exe or dmake.exe on your PATH,
>     so you will not be able to execute the commands from a Makefile.
>
>> Is there a reason why you use CPAN? If adding the right repositories there is no need for that.
>> 3.3.1 has just been released, so first download this from the official site. Then try the following:
>>
>> 1. Stop the "Windows Installer" service. This can be accomplished from the command prompt using the following command:
>>    c:\> net stop "Windows Installer"
>> 2. Temporarily remove or rename PERLLIB and PERL5LIB environment variables in the system environment.
>> 3. Temporarily remove or rename the following registry values:
>>    [\\HKEY_LOCAL_MACHINE\Software\Perl] lib = directory (REG_SV)
>>    [\\HKEY_LOCAL_MACHINE\Software\Perl] sitelib = directory (REG_SV)
>>    [\\HKEY_LOCAL_MACHINE\Software\Perl] lib-PerlVersion = directory (REG_SV)
>>    [\\HKEY_LOCAL_MACHINE\Software\Perl] sitelib-PerlVersion = directory (REG_SV)
>> 4. Install ActivePerl 5.10 (x86)
>> 5. Open Dos Box, type the following:
>>    ppm remove --area perl DB_File
>>    ppm repo add bribes
>>    ppm repo add trouchelle
>>    ppm install Prompt-Timeout
>>    ppm install Net-DNS
>>    ppm install NetAddr-IP
>>    ppm install DB_File
>>    ppm install Mail-SPF
>>    ppm install IP-Country
>>    ppm install IO-Socket-INET6
>>    ppm install Mail-DKIM
>> 6. Go to SA Source and type:
>>    perl makefile.pl
>>    nmake
>>    nmake install
>>
>> If this fails again, it has definitely nothing to do with your perl installation or some modules.
Re: Botnet plugin still relevant?
John Hardin wrote on Mon, 22 Mar 2010 10:47:35 -0700 (PDT):
> How do you reject mail from a non-static IP without doing a DNSBL lookup (e.g. Zen)?

We are talking about lookups from SA here ;-) And these you can disable if you reject such mail, anyway.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Installation error on Windows Server 2008 / 64-bit
If only it was that simple. SA is actually required as a component of a bigger system which actually has NO business being near a Windows server, but unfortunately our sys admin team have no experience of admin-ing Linux... nor any desire to learn. So I'm afraid I'm stuck with it.

What is strange is that we had it running perfectly on a Win2K3 32 bit machine with AP 5.8 / SA 3.2.5.

John Hardin wrote:
> On Mon, 22 Mar 2010, weirdbeardmt wrote:
>> What else can I try?
>
> Running it on a *NIX box like God intended? GDR... :)
>
> To be serious, have you considered setting up a Linux VM that is dedicated to hosting spamd?
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>  Men by their constitutions are naturally divided into two parties:
>   1. Those who fear and distrust the people and wish to draw all powers
>      from them into the hands of the higher classes.
>   2. Those who identify themselves with the people, have confidence in
>      them, cherish and consider them as the most honest and safe,
>      although not the most wise, depository of the public interests.
>                                                     -- Thomas Jefferson
> -----------------------------------------------------------------------
>  164 days since President Obama won the Nobel Not George W. Bush prize

--
View this message in context: http://old.nabble.com/Installation-error-on-Windows-Server-2008---64-bit-tp27950951p27992139.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
Kris Deugau wrote on Mon, 22 Mar 2010 13:25:34 -0400:
> I'm curious about these unwanted dependencies, since I've never had trouble with that using the RPMForge package.

I can't tell you as this was at least one year ago. I would have to change my priorities settings and then pull down an rpm from rf to see what it was. I can just tell you that once when building new VM templates I installed the one from rpmforge out of curiosity to see if I could use these instead of mine and found it pulled in dependencies I didn't want to install, maybe it was razor/pyzor, I really don't know. If it works for you that is just fine. It doesn't for me. And the one in the tarball works very well.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com
Re: spamassassin-3.3.1 RPM packages for Fedora and RHEL5
Bill Landry wrote on Mon, 22 Mar 2010 10:37:12 -0700:
> But Warren certainly did in his original post.

If you didn't reply to me I would ask you to reply to the message you reply to instead and don't quote me ;-)

> And BTW, he didn't say anything about CentOS in his original post, but that didn't stop you from replying.

I suggest you read his post and then mine again, the first sentence would suffice.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Installation error on Windows Server 2008 / 64-bit
On Mon, 22 Mar 2010, weirdbeardmt wrote:
> John Hardin wrote:
>> To be serious, have you considered setting up a Linux VM that is dedicated to hosting spamd?
>
> If only it was that simple. SA is actually required as a component of a bigger system which actually has NO business being near a Windows server, but unfortunately our sys admin team have no experience of admin-ing Linux... nor any desire to learn. So I'm afraid I'm stuck with it.
>
> What is strange is that we had it running perfectly on a Win2K3 32 bit machine with AP 5.8 / SA 3.2.5.

How about W2k3 32-bit AP5.8 SA3.3.1 on the VM...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 How can you reason with someone who thinks we're on a glidepath to a
 police state and yet their solution is to grant the government a
 monopoly on force? They are insane.
-----------------------------------------------------------------------
 164 days since President Obama won the Nobel Not George W. Bush prize
Re: Rules correct ?
On 3/22/2010 9:11 AM, Joseph Brennan wrote:
>> header __MY_FILTRAGE_TO_93 To =~ /\...@exxent\.net/i
>
> This matches if @exxent.net is in the To: header line. It doesn't match all mail sent to recipients at exxent.net -- only mail with their address in the To: header line. Of course this may be exactly what you want to do.

True, you could change it to ToCc =~ if you wanted to match both To: and Cc: headers.

    header __MY_FILTRAGE_TO_93 ToCc =~ /\...@exxent\.net/i

Not much you can do for BCC'ed mail (or mailing list mail) though.

Another thing which might be useful would be to add the :addr modifier. This will cause it to match the email address part of the header, but not the descriptive text part. However, beware that the :addr modifier limits you to only one address, so it makes ToCc useless. In:

    j...@irs.gov bad...@example.com

:addr will extract the example.com address, not the irs.gov part. This might be overkill, but there are situations where it is useful.

    header __MY_FILTRAGE_TO_93 To:addr =~ /\...@exxent\.net/i
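The difference between the three rule variants in this exchange (a regex over the raw To: header, over To: plus Cc:, and over the address part only) is easy to see on a few constructed headers. The script below is an added example and not code from the thread or from SpamAssassin: it emulates the rule logic in Python with the standard library's address parser rather than running SpamAssassin itself, and the header values, the `exxent.net` target domain and the function names are constructed for illustration. One thing it shows that the post only hints at is why the address-only match matters: a raw-header regex also fires on text inside a display name, so a recipient line like `"bob@exxent.net" <attacker@example.com>` satisfies the raw rule while the address part is a different domain. Unlike the single-address behaviour the post describes for `:addr`, the helper here inspects every address it finds, so it generalizes the address-only check to To: and Cc: together.

```python
import re
from email.utils import getaddresses

# Domain the rule in the thread is looking for (target value is from the post;
# everything else in this file is constructed for the example).
TARGET_DOMAIN = "exxent.net"

# Counterpart of the post's /...@exxent\.net/i: a case-insensitive regex run
# over the whole raw header value, display names included.
RAW_DOMAIN_RE = re.compile(r"@exxent\.net", re.IGNORECASE)


def raw_header_match(header_value: str) -> bool:
    """Mimic 'header X To =~ /@exxent\\.net/i': match anywhere in the raw header."""
    return RAW_DOMAIN_RE.search(header_value) is not None


def address_part_domains(*header_values: str) -> list:
    """Return the lower-cased domain of every address in the given headers.

    Only the address part of each recipient is considered (like the ':addr'
    modifier), so text in display names is ignored. Unlike the single-address
    behaviour the post describes for ':addr', all addresses are examined.
    """
    domains = []
    for _display_name, addr in getaddresses([v for v in header_values if v]):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def addr_match(*header_values: str) -> bool:
    """True if any recipient's address part is in the target domain."""
    return TARGET_DOMAIN in address_part_domains(*header_values)


def classify(to: str, cc: str = "") -> dict:
    """Evaluate the rule variants discussed in the thread on one message."""
    return {
        "to_raw": raw_header_match(to),                           # header To =~ ...
        "tocc_raw": raw_header_match(to) or raw_header_match(cc),  # header ToCc =~ ...
        "to_addr": addr_match(to),                                # header To:addr =~ ...
        "tocc_addr": addr_match(to, cc),                          # address parts of To and Cc
    }


if __name__ == "__main__":
    # Constructed sample headers (not taken from the post).
    samples = [
        ("Alice <alice@exxent.net>", ""),                   # plain recipient at the domain
        ('"bob@exxent.net" <attacker@example.com>', ""),   # domain only in the display name
        ("other@example.org", "Carol <carol@exxent.net>"),  # recipient reachable via Cc
        ("undisclosed-recipients:;", ""),                   # Bcc'ed mail: nothing to match
    ]
    for to, cc in samples:
        print(f"To: {to!r:45} Cc: {cc!r:28} -> {classify(to, cc)}")
```

Running the script prints one line per sample; the second sample is the one to watch, since `to_raw` is true while `to_addr` is false, which is exactly the descriptive-text case the `:addr` modifier is meant to exclude.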