amavisd
Hi there. I'm getting the following in my maillog, can someone please help me: postfix/qmgr[25394]: warning: connect to transport smtp-amavis: Connection refused Thanks Maccie Roux [EMAIL PROTECTED]
Re: amavisd
On 17-nov-2006, at 9:26, Maccie Roux wrote: Hi there. I'm getting the following in my maillog, can someone please help me: postfix/qmgr[25394]: warning: connect to transport smtp-amavis: Connection refused Well, that is about as clear as a warning can get. What don't you understand about it? Leander
Re: amavisd
Leander Koornneef wrote: On 17-nov-2006, at 9:26, Maccie Roux wrote: Hi there. I'm getting the following in my maillog, can someone please help me: postfix/qmgr[25394]: warning: connect to transport smtp-amavis: Connection refused Well, that is about as clear as a warning can get. What don't you understand about it? ;-). (Yes I wish all sw would provide such ideal logging). Try telnet to the amavis-port (you configured it in master.cf/main.cf, amavisd.conf). Is amavisd running, are you able to connect? Any typos in your config? Leander hth MH
RE: FuzzyOCR question
I'm brainstorming here tonight and I'm curious of something. When you're using FuzzyOCR, is it called for every message that goes through SA, or just ones with gif attachments? FuzzyOcr is invoked on every image on a message whenever the message itself doesn't reach a score threshold by other means. Ie: if a spam is detected as such before running FuzzyOcr, the latter is not invoked. --- Giampaolo Tomassoni - IT Consultant Piazza VIII Aprile 1948, 4 I-53044 Chiusi (SI) - Italy Ph: +39-0578-21100 MAI inviare una e-mail a: NEVER send an e-mail to: [EMAIL PROTECTED] Steven Lake Owner/Technical Writer Raiden's Realm www.raiden.net A friendly web community
Re: MailScanner not using /usr/share/spamassassin?
Peter H. Lemieux wrote: OK, I've ransacked mailing lists for over an hour now and have yet to find an answer to this question. Until a couple of months ago I was running SA 2.64 under MailScanner 4.36.4, both installed from RPMs on a RedHat 7.3 system. I've been migrating to a CentOS 4.4 box running SA 3.1.7 and MailScanner 4.56.8, both again installed from RPMs. I began to get suspicious about the new installation when I ran a couple of spams through spamassassin -t. Rules like DATE_IN_PAST showed up in those tests, but they didn't get tripped when the message was scanned by SA under MailScanner. It looked as though MailScanner was simply ignoring the default rules in /usr/share/spamassassin. A few scans of maillog for some of the default rule names didn't show any hits over a period of weeks. For instance, there are no log entries in the new installation for commonly-hit rules like 'HTML_[0-9]+' or 'DATE_IN'. Except... I do get hits for the URIBL rules in /usr/share/spamassassin/20_dnsbl_tests.cf. A locate dnsbl search doesn't turn up any other copies of these rules in the directory tree. So I tried an experiment based on the approach described in http://article.gmane.org/gmane.mail.virus.mailscanner/4499 of running spamassassin -D --lint -C /etc/MailScanner/spam.assassin.rules.conf and the output showed that only /etc/mail/spamassassin was used. I also get a lot of non-existent rule errors that don't appear if I just run spamassassin -D --lint. Running a normal lint without the config file specified shows rules being read from both /etc/mail/spamassassin and /usr/share/spamassassin. I've looked all over the system to see if I can find some setting that differentiates between these two situations. I've even tried it with an empty /etc/MailScanner/spam.assassin.rules.conf. 
I've looked in places like /root/.spamassassin, /var/spool/MailScanner/spamassassin, and the like, and can't find anything that would divert SA from using /usr/share/spamassassin when invoked by MailScanner. I read a bunch of postings to the MailScanner list and found nothing helpful. My next step is to run MailScanner in debugging mode, I guess, but I'd prefer not to have to interrupt production. If any of you have any clues about what my problem is, I'd appreciate it. If not, I'm off to debugging land. Peter

Peter one for the MailScanner list really but in MailScanner.conf what's your setting for SpamAssassin Local State Dir, but as SA is displaying the same symptoms when run outside of MailScanner it could be something wrong with the spam.assassin.rules.conf settings. BTW /etc/mail/spamassassin/mailscanner.cf should now be a symbolic link to spam.assassin.rules.conf so you shouldn't need to put it in -C when running spamassassin from the command line anymore. I'd ask on the IRC channel or mailscanner email list as it sounds like your install has problems... -- Martin Hepworth Senior Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
bayes before spamassassin?
Hi List It is possible that each incoming mail goes first to bayes and later to spamassassin? Do you think that this procedure is good? __ (Incoming mail) -- | (bayes) |(yes)(delete it) | it's spam?| |__| (no, goes to) | | | (spamassassin)-(move the message to folder /mailbox_user/.spam ) I've attached the textart anyway if you can't see it How do I do it? Thanks JeAn
Re: amavisd
postfix/qmgr[25394]: warning: connect to transport smtp-amavis: Connection refused Well, that is about as clear as a warning can get. What don't you understand about it? Is amavisd running, are you able to connect? Any typos in your config? This warning is not about amavisd daemon not being there, but about a Postfix service smtp-amavis not being there. A smtp-amavis service is to be defined in master.cf, see README.postfix. Mark
Re: Thoughts on using DCC
On Friday 17 November 2006 02:44, Chris wrote: On Thursday 16 November 2006 9:21 am, Magnus Holmgren wrote: So basically you're right and I haven't added anything. What I can add is that I don't use DCC myself, for precisely the aforementioned reason, i.e. that it requires too much fiddling with mailing lists. If you happen to be running procmail it's easy to have your list mail processed into the correct folders before spamassassin is even called. Not so easy if you call SpamAssassin after end of DATA to be able to reject spam at SMTP time... -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: Rules Du Jour briken?
Being as the link http://www.exit0.us/index.php?pagename=RulesDuJour is still down, could someone that uses Rules Du Jour take a look at this other link to some Rules Du Jour stuff and let me know if you think this site contains valid info / process or not for installing RDJ? Am I just being too cautious? http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Spam_Assassin_Rules_Du_Jour_Configuration Thanks for checking it out. Wes twofers [EMAIL PROTECTED] wrote: http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Spam_Assassin_Rules_Du_Jour_Configuration Forgot it... Then what about this link to a RDJ ? Is it valid? I don't want to mistakenly put something on my server that will give me problems. Wes twofers [EMAIL PROTECTED] wrote: Then what about this link to a RDJ ? Is it valid? I don't want to mistakenly put something on my server that will give me problems. Wes Raquel [EMAIL PROTECTED] wrote: On Thu, 16 Nov 2006 15:28:06 -0500 Chris Santerre wrote: -Original Message- From: Jim Maul [mailto:[EMAIL PROTECTED] Sent: Thursday, November 16, 2006 1:51 PM To: twofers Cc: users@spamassassin.apache.org Subject: Re: Rules Du Jour briken? twofers wrote: Is this link having problems that anyone knows of? http://www.exit0.us/index.php?pagename=RulesDuJour I can't get to Rules Du Jour. Actually, the whole exit0.us site doesn't work. It's been down for almost 2 weeks. I thought it would come back up, but it may be gone for good :( --Chris Then what do we do for rule updates? -- Raquel Whoever kindles the flames of intolerance is lighting a fire underneath his own home. --Harrold Stassen
Re: amavisd
Mark Martinec wrote: postfix/qmgr[25394]: warning: connect to transport smtp-amavis: Connection refused Well, that is about as clear as a warning can get. What don't you understand about it? Is amavisd running, are you able to connect? Any typos in your config? This warning is not about amavisd daemon not being there, but about a Postfix service smtp-amavis not being there. A smtp-amavis service is to be defined in master.cf, see README.postfix. I bet it's a typo ... (Something similar happened here not long ago, I was overlooking an additional 0 in master.cf, in smtp-amavis definition ...) Mark thx for your correction MH
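A static check for the condition Mark describes (the transport Postfix is told to use has no matching service entry in master.cf), as an added Python example that is not from the thread, Postfix or amavisd. The sample main.cf and master.cf text and all function names are constructed, and it assumes the transport is referenced through content_filter in main.cf.

```python
import difflib

# Constructed sample configs (not from the thread). The master.cf entry has a
# typo in the service name, so the transport named in main.cf does not exist.
MAIN_CF = """\
# main.cf (constructed)
myhostname = mail.example.test
content_filter = smtp-amavis:[127.0.0.1]:10024
"""

MASTER_CF = """\
# master.cf (constructed)
smtp      inet  n  -  n  -  -  smtpd
smtp-amavi unix -  -  n  -  2  smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
"""


def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace), drop comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def main_cf_param(text, name):
    """Return the value of one main.cf parameter, or None if it is unset."""
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None


def master_services(text):
    """Return the set of (service name, service type) pairs in master.cf."""
    services = set()
    for line in logical_lines(text):
        fields = line.split()
        # name type private unpriv chroot wakeup maxproc command [args...]
        if len(fields) >= 8:
            services.add((fields[0], fields[1]))
    return services


def check_content_filter(main_cf, master_cf):
    """Report whether the content_filter transport exists as a unix service."""
    value = main_cf_param(main_cf, "content_filter")
    if not value:
        return {"status": "no-content-filter"}
    transport, _, nexthop = value.partition(":")
    unix_names = sorted(n for n, t in master_services(master_cf) if t == "unix")
    result = {"transport": transport, "nexthop": nexthop}
    if transport in unix_names:
        result["status"] = "ok"
    else:
        # qmgr cannot reach a service that master never started; list
        # similarly spelled entries, since a typo is the usual cause.
        result["status"] = "transport-not-defined"
        result["close_matches"] = difflib.get_close_matches(
            transport, unix_names, n=3, cutoff=0.8)
    return result


if __name__ == "__main__":
    print(check_content_filter(MAIN_CF, MASTER_CF))
```

Once the transport name resolves, the remaining question from the thread (is amavisd actually listening on the next-hop port) is a runtime check rather than a config check.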
Re: bayes_seen on MySQL, growing and growing
Jim Maul wrote: I dont use mysql with SA, but you should be able to use truncate instead of delete. It may very well be faster with all those rows. From MySQL 4.x manual: For InnoDB, TRUNCATE TABLE is mapped to DELETE, so there is no difference. We're using InnoDB rather than MyISAM, so there's apparently no big difference. It doesn't free disk space, though, so an OPTIMIZE TABLE should be issued. Still no input from developers/maintainers can I empty the bayes_seen table without breaking DB consistency? Thanks, Paolo
MIMEHeader question
Hi all, I have a question about the MIMEHeader plugin: if I have multiple mimeheader rules, are they all checked against the same part in a multipart message? So let me give an example: Let's say an email has 2 separate mime header sections (perhaps one is TXT and the other is HTML, or perhaps there are 2 file attachments, or whatever). They might look like this:

--=_NextPart_000_0062_01C7099B.069AFD30
Content-Type: image/gif; name=Blank Bkgrd.gif
Content-Transfer-Encoding: base64

--=_NextPart_001_0063_01C7099B.069AFD30
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Then let's say I have a couple of mimeheader rules as follows:

mimeheader __RULE1 Content-Type =~ /image\/gif/
mimeheader __RULE2 Content-Transfer-Encoding =~ /quoted-printable/
meta MY_META_RULE (__RULE1 && __RULE2)

My question is, will the meta rule trigger, or not? Because as you can see, only the first mime header section contains Content-Type: image/gif, and only the second mime header section contains Content-Transfer-Encoding: quoted-printable. So are my two mimeheader rules being run against each header section separately from each other, or are they only run against the header sections together, and thus BOTH must fire on the SAME header section in order for the meta rule to work??

Cheers, Jeremy
Re: Spam surge tied to SpamThru Trojan botnet
Peter H. Lemieux writes: From this article at eWeek: http://www.eweek.com/print_article2/0,1217,a=194218,00.asp The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers. Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan. Definitely. As far as I can tell, the SpamThru upsurge: that's the FHARMACY economize more with http://URL; stuff -- is hitting HDR_ORDER_FTSDMCXX*, MID_START_001C, and XBL and URIBL rules. There's also another spammer who's creating another very large batch, separately: the C*na Petroleum stock spammer, hitting RCVD_FORGED_WROTE and TVD_STOCK1. The two sets are quite distinct and on a large scale, and if you look at the rules freqs by contributor, various people have massively differing hitrates on their corpora. For example, HDR_ORDER_FTSDMCXX3 (SpamThru traffic) is 56% of Daryl's corpus, but only 3.4% of zmi's: http://ruleqa.spamassassin.org/20061116-r475642-n/HDR_ORDER_FTSDMCXX3/detail#DETAILS_all_mass_check_date_rev_20061116_r475642_n And RCVD_FORGED_WROTE, the stock spammer, is 6.3% of my corpus and only 0.42% of Michael's: http://ruleqa.spamassassin.org/20061116-r475642-n/RCVD_FORGED_WROTE/detail#DETAILS_all_mass_check_date_rev_20061116_r475642_n Interesting. Not quite sure what that implies though. ;) --j.
Re: MIMEHeader question
Jeremy Fairbrass writes: Hi all, I have a question about the MIMEHeader plugin: if I have multiple mimeheader rules, are they all checked against the same part in a multipart message? So let me give an example: Let's say an email has 2 separate mime header sections (perhaps one is TXT and the other is HTML, or perhaps there are 2 file attachments, or whatever). They might look like this:

--=_NextPart_000_0062_01C7099B.069AFD30
Content-Type: image/gif; name=Blank Bkgrd.gif
Content-Transfer-Encoding: base64

--=_NextPart_001_0063_01C7099B.069AFD30
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Then let's say I have a couple of mimeheader rules as follows:

mimeheader __RULE1 Content-Type =~ /image\/gif/
mimeheader __RULE2 Content-Transfer-Encoding =~ /quoted-printable/
meta MY_META_RULE (__RULE1 && __RULE2)

My question is, will the meta rule trigger, or not? Because as you can see, only the first mime header section contains Content-Type: image/gif, and only the second mime header section contains Content-Transfer-Encoding: quoted-printable. So are my two mimeheader rules being run against each header section separately from each other, or are they only run against the header sections together, and thus BOTH must fire on the SAME header section in order for the meta rule to work??

the former.
amavisd
Hi all. My spam is being blocked with amavis but it does not send it to my junk mail box. Here is my amavisd.conf file:

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
$virus_admin = [EMAIL PROTECTED]; # notifications recip.
$mailfrom_notify_admin = [EMAIL PROTECTED]; # notifications sender
$mailfrom_notify_recip = [EMAIL PROTECTED]; # notifications sender
$mailfrom_notify_spamadmin = [EMAIL PROTECTED]; # notifications sender
#$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
@addr_extension_virus_maps = ('virus');
@addr_extension_banned_maps = ('banned');
@addr_extension_spam_maps = ('spam');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+'; # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';

I think you only need this part.
Re: bayes before spamassassin?
[EMAIL PROTECTED] wrote: Hi List It is possible that each incoming mail goes first to bayes and later to spamassassin? Do you think that this procedure is good? __ (Incoming mail) -- | (bayes) |(yes)(delete it) | it's spam?| |__| (no, goes to) | | | (spamassassin)-(move the message to folder /mailbox_user/.spam ) I've attached the textart anyway if you can't see it How do I do it? You could do that, but you'd have to use a separate bayes-only spam tool. At that point, why bother? SA has its own bayes system that it will run when the message is fed to SA.
Re: Spam surge tied to SpamThru Trojan botnet
On Thursday 16 November 2006 10:59 pm, Steve Lake wrote: Oh joy. So what do we do about this? Are they going to try and bust these guys? Or can't they touch them? At 08:16 PM 11/16/2006 -0500, Peter H. Lemieux wrote: From this article at eWeek: http://www.eweek.com/print_article2/0,1217,a=194218,00.asp The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers. Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan. Peter Well as of this morning it 'appears' to have slowed considerably, instead of the 200 or so I was seeing at 6am, I have only 40 and only one of those is a subject from the recent flood. -- Chris
Re: amavisd
On 17-nov-2006, at 12:59, Maccie Roux wrote: Hi all. My spam is being blocked with amavis but it does not send it to my junk mail box. Here is my amavisd.conf file:

# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP;
# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16)
$virus_admin = [EMAIL PROTECTED]; # notifications recip.
$mailfrom_notify_admin = [EMAIL PROTECTED]; # notifications sender
$mailfrom_notify_recip = [EMAIL PROTECTED]; # notifications sender
$mailfrom_notify_spamadmin = [EMAIL PROTECTED]; # notifications sender
#$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef
@addr_extension_virus_maps = ('virus');
@addr_extension_banned_maps = ('banned');
@addr_extension_spam_maps = ('spam');
@addr_extension_bad_header_maps = ('badh');
# $recipient_delimiter = '+'; # undef disables address extensions altogether
# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
# $dspam = 'dspam';

I think you only need this part.

Maccie, why are you sending amavisd questions to the Spamassassin list, while it seems to me that you would be better served when asking the amavisd list about these things? Leander
amavisd
Can someone please help me with this message in my maillog. ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/spool/amavisd/clamd.sock (Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: Connection refused) Thanks Maccie Roux [EMAIL PROTECTED]
Re: bayes before spamassassin?
Matt Kettler writes: [EMAIL PROTECTED] wrote: Hi List It is possible that each incoming mail goes first to bayes and later to spamassassin? Do you think that this procedure is good? __ (Incoming mail) -- | (bayes) |(yes)(delete it) | it's spam?| |__| (no, goes to) | | | (spamassassin)-(move the message to folder /mailbox_user/.spam ) I've attached the textart anyway if you can't see it How do I do it? You could do that, but you'd have to use a separate bayes-only spam tool. At that point, why bother? SA has its own bayes system that it will run when the message is fed to SA. in SpamAssassin 3.2.0, you'll be able to do it with SpamAssassin's bayes -- short-circuit to spam with a high score if BAYES_99 hits, for example. --j.
Hi !
Hi .. I am new to this list. I need some help. I have installed qmail with qmail-scan, spamassassin and clamav. The installation was going well. The clamav and spamassassin is running under qscand user. The mails what came with virus attachment, the attachment is deleted by the clamav. But the spam not. I want the subject to be rewritten what's not happen. In my local.cf I have:

rewrite_header Subject SPAM(_SCORE_)
required_score 20.0
required_hits 20

what I think is what I need to spamassassin rewrite the subject. The same settings I have added to homedir in qscand In user_prefs. Can anyone help me in how to setup the spamassassin to rewrite the subject ? Thanks! PS. I use p5-Mail-SpamAssassin-3.1.7_1 and a FreeBSD 6.1 AMD64
RE: amavisd
Can someone please help me with this message in my maillog. ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/spool/amavisd/clamd.sock (Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: Connection refused) Your clamd is not running OR it is not listening on /var/spool/amavisd/clamd.sock socket. --- Giampaolo Tomassoni - IT Consultant Piazza VIII Aprile 1948, 4 I-53044 Chiusi (SI) - Italy Ph: +39-0578-21100 MAI inviare una e-mail a: NEVER send an e-mail to: [EMAIL PROTECTED] Thanks Maccie Roux [EMAIL PROTECTED]
Re: bayes before spamassassin?
I mean, I want the sa-learn examine the message before the spamassassin and then goes to spamassassin The reasons for that: -I think the incoming mail maybe a spam, but this is relative because the concept to spam for an user is not equal to another one ( I have many users on my domain ) -At the next time the incoming message like the last one could be processed like spam by spamassassin -If the sa-learn determine it's spam the message will be deleted --else, the message goes to spamassassin, -The spamassassin mark the message spam or not spam --if spam put it on the folder /mailbox/.spam --else put it on the inbox and the user can define if this is spam or not according to his own criteria JeAn - Original Message - From: Matt Kettler [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: spam lista users@spamassassin.apache.org Sent: Friday, November 17, 2006 1:00 PM Subject: Re: bayes before spamassassin? [EMAIL PROTECTED] wrote: Hi List It is possible that each incoming mail goes first to bayes and later to spamassassin? Do you think that this procedure is good? __ (Incoming mail) -- | (bayes) |(yes)(delete it) | it's spam?| |__| (no, goes to) | | | (spamassassin)-(move the message to folder /mailbox_user/.spam ) I've attached the textart anyway if you can't see it How do I do it? You could do that, but you'd have to use a separate bayes-only spam tool. At that point, why bother? SA has its own bayes system that it will run when the message is fed to SA.
bayes?
Hello, It seems bayes is not working properly for me. I have sendmail/MailScanner/Spamassassin setup for my users. MailScanner version 4.56.8 Spamassassin version 3.1.3 autolearn is on

--
sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 487135 0 non-token data: nspam
0.000 0 560705 0 non-token data: nham
0.000 0 139626 0 non-token data: ntokens
0.000 0 1163723330 0 non-token data: oldest atime
0.000 0 1163767343 0 non-token data: newest atime
0.000 0 0 0 non-token data: last journal sync atime
0.000 0 1163766599 0 non-token data: last expiry atime
0.000 0 43200 0 non-token data: last expire atime delta
0.000 0 49483 0 non-token data: last expire reduction count
--

The last journal sync being 0 doesn't seem correct...shouldn't this be some positive number? I even ran sa-learn --force-expire. When I use 'spamassassin -D spamtest' to feed through a known spam, this is one section of the debug with respect to bayes that I am confused about. The score is 0.996 before bayes. Bayes score is 1.11022302462516e-16 What causes this type of score? Is this why this message ends up getting -1.603 after the bayes tests?

--
[26760] dbg: rules: running body-text per-line regexp tests; score so far=0.996
[26760] dbg: rules: ran body rule __NONEMPTY_BODY == got hit: D
[26760] dbg: uri: running uri tests; score so far=0.996
[26760] dbg: rules: ran uri rule __SARE_URI_ANY == got hit: m
[26760] dbg: rules: ran uri rule __URI_ABOUT_COM == got hit: about.com
[26760] dbg: bayes: DB journal sync: last sync: 0
[26760] dbg: bayes: corpus size: nspam = 487131, nham = 560694
[26760] dbg: bayes: score = 1.11022302462516e-16
[26760] dbg: bayes: DB journal sync: last sync: 0
[26760] dbg: bayes: untie-ing
[26760] dbg: bayes: untie-ing db_toks
[26760] dbg: bayes: untie-ing db_seen
[26760] dbg: plugin: registering glue method for check_uridnsbl (Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x1c5a020))
[26760] dbg: rules: ran eval rule __SARE_BODY_BLANKS_5_100 == got hit
[26760] dbg: rules: ran eval rule BAYES_00 == got hit
[26760] dbg: rules: ran eval rule __SARE_BODY_BLNK_5_100 == got hit
[26760] dbg: rules: running raw-body-text per-line regexp tests; score so far=-1.603
[26760] dbg: rules: ran rawbody rule __VIRUS_WARNING268F == got hit: From: Daryl Milton [EMAIL PROTECTED]
[26760] dbg: rules: running full-text regexp tests; score so far=-1.603
---

Thanks, Curt
Re: bayes before spamassassin?
[EMAIL PROTECTED] wrote: I mean, I want the sa-learn examine the message before the spamassassin and then goes to spamassassin snip -If the sa-learn determine it's spam the message will be deleted But there's the problem. sa-learn doesn't determine if a message is spam or not. In fact, you have to explicitly tell it if the message is spam or not. sa-learn isn't a bayes evaluator. It's a bayes trainer.
Re: RelayChecker 0.3
On Thu, 16 Nov 2006 17:56:21 -0800 Derek Harding [EMAIL PROTECTED] wrote: On Sun, 2006-11-12 at 17:26 -0800, John Rudd wrote: http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar I've been running this for a few days now and am finding it to be pretty effective, especially against the bots that are producing all the image spam. Currently it's running about 87.55% hit rate with only two false positives so far (one a company on adsl, the other a mail server with no reverse DNS). For reasons that I haven't investigated closely, I'm finding RelayChecker consistently tags mail from the dojo toolkit's mailing list as well as the catalyst toolkit's mailing list. I lowered the score from 6 to 4.5, though, and it's continued to be effective, while letting those emails through. Mike.
failed to run FUZZY_OCR test, skipping:
Since upgrading my FuzzyOcr from version 2.3b to version 3.4.2 I am seeing these entries in the logs: spamd[27790]: rules: failed to run FUZZY_OCR test, skipping: spamd[27790]: Insecure dependency in require while running with -T switch at /usr/lib/perl5/site_perl/5.8.5/MLDBM/Serializer/Storable.pm line 20 My SpamAssassin runs as UID 'spamd'. Any ideas would be appreciated. Thanks Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6 [EMAIL PROTECTED] http://www.chem.utoronto.ca PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=indexsearch=Frank+Bures
Re: bayes?
Netlink Tech wrote: Hello, It seems bayes is not working properly for me. I have sendmail/MailScanner/Spamassassin setup for my users. MailScanner version 4.56.8 Spamassassin version 3.1.3 autolearn is on -- sa-learn --dump magic The last journal sync being 0 doesn't seem correct...shouldn't this be some positive number? Maybe.. perhaps your bayes has never needed to create a journal, thus never needed to sync one. I by default SA only uses journaling for atime updates. However, I'd venture to guess it only does so if there's lock contention. If your system is really non-busy, there may never be a journal. It's a little odd, but not impossible. I even ran sa-learn --force-expire. When I use 'spamassassin -D spamtest' to feed through a known spam, this is one section of the debug with respect to bayes that I am confused about. The score is 0.996 before bayes. Bayes score is 1.11022302462516e-16 What causes this type of score? Note that the bayes score isn't a score in points. It's a percentage expressed as a range from 1.0 to 0. In this case, it's damn close to 0. That means this message closely matches your bayes training for nonspam messages. If you want more bayes information use 'spamassassin -D bayes spamtest' Is this why this message ends up getting -1.603 after the bayes tests? Yes. That would cause the BAYES_00 rule to match, which has a negative score.
Re: Hi !
On Friday 17 November 2006 13:52, Cristi Tudose wrote: Hi .. One tip for the future: Hi ! is not a good subject line. I have installed qmail with qmail-scan, spamassassin and clamav. The installation was going well. The clamav and spamassassin is running under qscand user. The mails what came with virus attachment, the attachment is deleted by the clamav. But the spam not. I want the subject to be rewritten what's not happen. In my local.cf I have:

rewrite_header Subject SPAM(_SCORE_)
required_score 20.0
required_hits 20

It appears that Qmail-scanner can be run in one of two modes, and in the fast mode it adds its own headers, just like Amavis. See http://qmail-scanner.sourceforge.net/FAQ.php#cs, points 16 and 17. Also lower the required_score to something more normal. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
RE: Hi !
What else do you have in your local.cf? Wes Cristi Tudose [EMAIL PROTECTED] wrote: HI .. I never tried with 5 or 7. But! When I send to myself from yahoo.com a spam message, And I check the full header I see this: Return-Path: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Received: (qmail 66234 invoked from network); 17 Nov 2006 13:25:46 - Received: from 68.142.236.83 by mail.prosportequipment.ro (envelope-from [EMAIL PROTECTED], uid 1004) with qmail-scanner-2.01 (clamdscan: 0.88.5/2160. spamassassin: 3.1.6. Clear:RC:0(68.142.236.83):SA:1(102.8/20.0):. Processed in 8.861972 secs); 17 Nov 2006 13:25:46 - X-Spam-Status: Yes, score=102.8 required=20.0 X-Spam-Level: Received: from web57805.mail.re3.yahoo.com (68.142.236.83) by prosportequipment.ro with SMTP; 17 Nov 2006 13:25:37 - Received: (qmail 4186 invoked by uid 60001); 17 Nov 2006 13:25:30 - DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type; b=YcAocynBVNVztHvfRsfhaWeSV7bkd2BonJSwagVO9rJ3j9i6yc5JgM6K+XS7uIXW9sCSaWu9/45WIrQlMbAlEXttygutOM5Cnn3fgJvJMredHuQP30HsOPTYJ0gsYAd4GKIHHpvIBiYLv001mitxXCLmO28tV/Gn2n7yuvXltKM= ; Message-ID: [EMAIL PROTECTED] Received: from [80.97.65.247] by web57805.mail.re3.yahoo.com via HTTP; Fri, 17 Nov 2006 05:25:30 PST Date: Fri, 17 Nov 2006 05:25:30 -0800 (PST) From: Anti Piracy [EMAIL PROTECTED] Subject: dsada To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/alternative; boundary=0-1106431873-1163769930=:3976 the score is 102.8 what is huge ! I have set the Subject to subject .. but this not helps me. :( Any suggestion ? Thank you! - From: twofers [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 3:18 PM To: users@spamassassin.apache.org Subject: Re: Hi !
Cristi, Have you tried lowering your required_score to something like between 5 and 7 ? also change rewrite_header Subject SPAM(_SCORE_) to: rewrite_header subject SPAM(_SCORE_) Keep it lower case. You can also run spamassassin -D --lint to check for syntax errors. Wes Depending on what version of SA you are using required_hits is depreciated and not used. Cristi Tudose [EMAIL PROTECTED] wrote: Hi .. I am new to this list. I need some help. I have installed qmail with qmail-scan, spamassassin and clamav. The installation was going well. The clamav and spamassassin is running under qscand user. The mails what came with virus attachment, the attachment is deleted by the clamav. But the spam not. I want the subject to be rewritten what's not happen. In my local.cf I have: rewrite_header Subject SPAM(_SCORE_) required_score 20.0 required_hits 20 what I think is what I need to spamassassin rewrite the subject. The same settings I have added to homedir in qscand In user_prefs. Can anyone help me in how to setup the spamassassin to rewrite the subject ? Thanks! PS. I use p5-Mail-SpamAssassin-3.1.7_1 and a FreeBSD 6.1 AMD64
Re: MIMEHeader question
Justin Mason [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Jeremy Fairbrass writes: Hi all, I have a question about the MIMEHeader plugin: if I have multiple mimeheader rules, are they all checked against the same part in a multipart message? So let me give an example: Let's say an email has 2 separate mime header sections (perhaps one is TXT and the other is HTML, or perhaps there are 2 file attachments, or whatever). They might look like this:
--=_NextPart_000_0062_01C7099B.069AFD30
Content-Type: image/gif; name=Blank Bkgrd.gif
Content-Transfer-Encoding: base64
--=_NextPart_001_0063_01C7099B.069AFD30
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Then let's say I have a couple of mimeheader rules as follows:
mimeheader __RULE1 Content-Type =~ /image\/gif/
mimeheader __RULE2 Content-Transfer-Encoding =~ /quoted-printable/
meta MY_META_RULE (__RULE1 && __RULE2)
My question is, will the meta rule trigger, or not? Because as you can see, only the first mime header section contains Content-Type: image/gif, and only the second mime header section contains Content-Transfer-Encoding: quoted-printable. So are my two mimeheader rules being run against each header section separately from each other, or are they only run against the header sections together, and thus BOTH must fire on the SAME header section in order for the meta rule to work??
the former.
Okay - so you're saying that the two mimeheader rules will actually run separately from each other, on each header section, and thus the meta rule WILL trigger? That's actually not how I'd want it to work. Is it possible, then, to have a meta rule (or some other method) using the mimeheader rules, that will ONLY trigger if both mimeheader rules trigger against the SAME header section? ie. all elements searched for by all mimeheader rules, must exist within the same header section - is this possible? Or do I have to resort to a 'full' rule or something?
Re: RelayChecker 0.3
Michael Alan Dorman wrote: On Thu, 16 Nov 2006 17:56:21 -0800 Derek Harding [EMAIL PROTECTED] wrote: On Sun, 2006-11-12 at 17:26 -0800, John Rudd wrote: http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar I've been running this for a few days now and am finding it to be pretty effective, especially against the bots that are producing all the image spam. Currently it's running about 87.55% hit rate with only two false positives so far (one a company on adsl, the other a mail server with no reverse DNS). For reasons that I haven't investigated closely, I'm finding RelayChecker consistently tags mail from the dojo toolkit's mailing list as well as the catalyst toolkit's mailing list. I lowered the score from 6 to 4.5, though, and it's continued to be effective, while letting those emails through. Mike. Can you post the Received headers for messages from those two mailing lists? (maybe send them to me off-list) I'll figure out something to put in the readme file to help mitigate it. (someone else contacted me off list for a feature suggestion of keywords that indicate a host that should NOT be triggered, such as mail or smtp in the hostname; I'll be trying to work that into the next version too)
Re: MIMEHeader question
On Fri, Nov 17, 2006 at 03:46:28PM +0100, Jeremy Fairbrass wrote:
mimeheader __RULE1 Content-Type =~ /image\/gif/
mimeheader __RULE2 Content-Transfer-Encoding =~ /quoted-printable/
meta MY_META_RULE (__RULE1 && __RULE2)
Okay - so you're saying that the two mimeheader rules will actually run separately from each other, on each header section, and thus the meta rule WILL trigger? That's actually not how I'd want it to work.
Yes.
Is it possible, then, to have a meta rule (or some other method) using the mimeheader rules, that will ONLY trigger if both mimeheader rules trigger against the SAME header section? ie. all elements searched for by all mimeheader rules, must
You can't force where MIMEHeader looks.
exist within the same header section - is this possible? Or do I have to resort to a 'full' rule or something?
You'd want to write an eval rule.
-- Randomly Selected Tagline: Today I set a motherboard on fire. Now the bizarre thing is that after the smoke cleared it still worked. - Alan Cox
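The difference discussed in this thread, between a meta rule whose sub-rules may each hit on a different MIME part and a check that requires one part to satisfy both, can be modelled offline. This is an added example in Python, not SpamAssassin code and not an eval rule from the thread; the two sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# The two mimeheader rules from the thread, as (header, regex) pairs.
RULES = {
    "__RULE1": ("Content-Type", re.compile(r"image/gif")),
    "__RULE2": ("Content-Transfer-Encoding", re.compile(r"quoted-printable")),
}

# Constructed sample 1: the matching headers sit in DIFFERENT parts.
SPLIT_MSG = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/gif; name="blank.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<html><body>hello</body></html>
--b1--
"""

# Constructed sample 2: one part carries BOTH matching headers.
SAME_MSG = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample 2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

see attachment
--b2
Content-Type: image/gif; name="blank.gif"
Content-Transfer-Encoding: quoted-printable

GIF89a=01=00
--b2--
"""


def part_hits(part):
    """Return the names of the rules whose regex matches this part's headers."""
    hits = set()
    for name, (header, rx) in RULES.items():
        if any(rx.search(value) for value in part.get_all(header, [])):
            hits.add(name)
    return hits


def evaluate(raw):
    """Compare message-level meta logic with a same-part requirement."""
    msg = message_from_string(raw)
    # walk() yields the container first (index 0), then each sub-part.
    per_part = [part_hits(p) for p in msg.walk()]
    all_rules = set(RULES)
    return {
        # Behaviour confirmed in the thread: hits are pooled per message.
        "meta_any_part": set().union(*per_part) == all_rules,
        # What the poster wanted: indexes of parts that satisfy every rule.
        "same_part": [i for i, h in enumerate(per_part) if h == all_rules],
    }


if __name__ == "__main__":
    for label, raw in (("split", SPLIT_MSG), ("same", SAME_MSG)):
        print(label, evaluate(raw))
```

On the first sample the pooled check fires although no single part matches both rules, which is the false-positive risk the poster was asking about.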
Ignoring outgoing mail
I have looked through the SA list archives for any method to make SA ignore outgoing emails but found nothing that helped. I'm using the flag that I thought helped do this when I load the scanner spamass-milter: -i 127.0.0.1 (plus a few more IPs) I do not see any flags on spamd to help with this either. This may be more of a spamass-milter question, but I have been using spamd spamass-milter for years and thought I knew all of the tricks. The scans are slowing down the send out of emails significantly and I had to remove one custom rule I found that was causing a 19 sec timeout related delay -- ixhash was the culprit. Once I disable that ruleset, the delay dropped from 19 secs to only 3 sec. I have used spamc-milter before and had pretty good results with that one and see that it has had further updates -- still don't know if I can bypass the outgoing tho. Any tips appreciated, please. Thanks, Jack (^_^) Happy trails, Jack L. Stone System Admin Sage-american
Re: Bayes failure on hi, it's Somebody spam
On 11/16/06, Jon Trulson [EMAIL PROTECTED] wrote: Hmm, that has not been my experience at all... Bayes (99) is still catching every one for me. In this instance, SpamAssassin is running after POP download from gmail, so I'm only seeing the samples that have already made it through google's filters. That may have something to do with it.
Re: RelayChecker 0.3
John Rudd wrote: Stuart Johnston wrote: Peter H. Lemieux wrote: Billy Huddleston wrote: Reverse DNS is a must. I'm surprised at how many people still haven't got that yet in the IT world.. (Consultants mostly..) It's not uncommon outside the industrialized world. Last few days I got a few false positives for a client that was corresponding with folks in the Caribbean. One of the few services I believe AOL provided the rest of us was deciding a few years' back not to accept mail from servers without reverse DNS. Suddenly lots of admins had to deal with the problem of correct server configuration because you couldn't fail to deliver mail to the millions of AOL users worldwide. Unfortunately, AOL only validates in one direction and some people only do the bare minimum. So, they only look to see that the IP address has a PTR record, but don't verify that the PTR record's hostname resolves back to the IP address? That's correct. You can test it here: http://postmaster.aol.com/tools/rdns.html You can put in for example: 209.74.97.115 whose rdns resolves back to a different IP. AOL specifically says: If the sender's domain is the only domain sending mail from a specific IP address, we recommend that the reverse DNS entry (PTR Record) match the domain name (A Record), but we do not require it.
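The one-direction check described above (a PTR record exists) versus a forward-confirmed check (the PTR name resolves back to the connecting IP), including the case of a PTR name that is an alias, can be compared side by side. This is an added example, not RelayChecker's or AOL's code; the zone data is constructed from documentation address ranges and the function names are hypothetical.

```python
import ipaddress

# Constructed zone data (documentation ranges); not real DNS answers.
ZONE = {
    # PTR and A agree: forward-confirmed reverse DNS.
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    # PTR exists, but the name resolves to a different address.
    ("20.2.0.192.in-addr.arpa", "PTR"): ["host.example.net"],
    ("host.example.net", "A"): ["198.51.100.7"],
    # PTR name is an alias (CNAME) for the real host name.
    ("30.2.0.192.in-addr.arpa", "PTR"): ["lists.example.com"],
    ("lists.example.com", "CNAME"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["192.0.2.30"],
    # 192.0.2.40 deliberately has no PTR record at all.
}


def lookup(name, rtype, zone=ZONE):
    """Return the record values for (name, type), or an empty list."""
    return zone.get((name.rstrip(".").lower(), rtype), [])


def resolve_a(name, zone=ZONE, max_cname=8):
    """Resolve a name to addresses, following a bounded CNAME chain."""
    for _ in range(max_cname):
        addrs = lookup(name, "A", zone)
        if addrs:
            return addrs
        alias = lookup(name, "CNAME", zone)
        if not alias:
            return []
        name = alias[0]
    return []  # chain too long or looping: treat as unresolved


def classify(ip, zone=ZONE):
    """Return 'no-ptr', 'ptr-only' or 'confirmed' for a connecting IP."""
    addr = ipaddress.ip_address(ip)
    names = lookup(addr.reverse_pointer, "PTR", zone)
    if not names:
        return "no-ptr"
    for name in names:
        if any(ipaddress.ip_address(a) == addr for a in resolve_a(name, zone)):
            return "confirmed"
    # Passes a PTR-existence check but fails forward confirmation.
    return "ptr-only"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, classify(ip))
```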
Re: Thoughts on using DCC
Hi, Magnus Holmgren wrote: On Thursday 16 November 2006 12:59, Anthony Peacock wrote: I realise that DCC is not a direct indicator of spamminess but an indicator of bulkiness. And I also realise that the correct answer to my question is 'it depends on your local needs'... Given that what are people's thoughts on using DCC in SA? DCC gives a high hit rate on SPAM here, but also contributes highly to false positives. Since setting up DCC I seem to have lots of list emails reported as false positives, and spend a fair amount of time checking and tweaking whitelisting settings for these. And in most cases a combination of DCC and a highish Bayes score is enough to tip these over. I know I could adjust the DCC score, but was wondering what other people do? The thing with DCC is that it combines checking and reporting, which is why it is an indicator of bulkiness and not spamminess, as you say. To get around that you should whitelist all mailing lists so that mailing list mail isn't checked against DCC, both to avoid false positives yourself and to help others avoid false positives. So basically you're right and I haven't added anything. What I can add is that I don't use DCC myself, for precisely the aforementioned reason, i.e. that it requires to much fiddling with mailing lists. Thanks for your comments. This confirms where I had reached in my thinking about DCC. -- Anthony Peacock CHIME, Royal Free University College Medical School WWW:http://www.chime.ucl.ac.uk/~rmhiajp/ If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas. -- George Bernard Shaw
RE: amavisd
Can someone please help me with this message in my maillog. ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/spool/amavisd/clamd.sock (Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: Connection refused) Your clamd is not running OR it is not listening on /var/spool/amavisd/clamd.sock socket. --- Giampaolo Tomassoni - IT Consultant This may help: http://www200.pair.com/mecham/spam/clamav-amavisd-new.html Gary V
Re: RelayChecker 0.3
Michael Alan Dorman wrote: On Thu, 16 Nov 2006 17:56:21 -0800 Derek Harding [EMAIL PROTECTED] wrote: On Sun, 2006-11-12 at 17:26 -0800, John Rudd wrote: http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar I've been running this for a few days now and am finding it to be pretty effective, especially against the bots that are producing all the image spam. Currently it's running about 87.55% hit rate with only two false positives so far (one a company on adsl, the other a mail server with no reverse DNS). For reasons that I haven't investigated closely, I'm finding RelayChecker consistently tags mail from the dojo toolkit's mailing list as well as the catalyst toolkit's mailing list. I just noticed that SourceForge's list sever has a kinda funky rdns. Can RelayChecker handle an alias in rdns? (66.35.250.225) It looks like neither of the lists you mention use SF but it might cause problems for other lists.
email appears to que all the time - sendmail,spamssassin,amavis-new
I seem to be getting significant delays in delivery (queue times are set to 15m). I am currently using amavis-new to hook SA with sendmail (tx and rx queue). What would be the best approach to minimizing delays beyond more RAM. TIA Pat... [EMAIL PROTECTED] CocoNet Corporation SW Florida's First ISP 825 SE 47th Terrace Cape Coral, FL 33904 (239) 540-2626 Voice
New Spam
I'm getting some new spam coming through.. It's ASCII art (using nothing but numbers) and spells out TORA.08 and nothing else.. It looks to be coming from a Bot-Net.. Anyone seen this? Thanks, Billy
Re: New Spam
Hi Billy, I got one of these for the first time just 15 minutes ago. TORA.08 as well. James Billy Huddleston wrote: I'm getting some new spam coming through.. It's ASCII art (using nothing but numbers) and spells out TORA.08 and nothing else.. It looks to be coming from a Bot-Net.. Anyone seen this? Thanks, Billy
Funny spamd failure... (Maybe SARE/rules-du-jour related?)
The other night my default gentoo RulesDuJour for Spamassassin acquired new Adult and General rule-sets from SARE. Thereafter spamd refused all connections and subsequently received mail was not spam filtered. Issuing '/etc/init.d/spamd restart' as root resolved the situation... but I don't want to have to do this every time a rule-set is automatically updated overnight. This is a (sanitised) extract from /var/log/messages :
--
Nov 15 03:20:00 svr fcron[5328]: process already running: root's /usr/bin/test -x /usr/sbin/run-crons /usr/sbin/run-crons
Nov 15 03:20:14 svr postfix/pickup[11065]: ...: uid=0 from=root
Nov 15 03:20:14 svr postfix/cleanup[11232]: ...: message-id=...
Nov 15 03:20:15 svr spamd[7808]: spamd: connection from localhost [127.0.0.1] at port 1125
Nov 15 03:20:15 svr spamd[7808]: spamd: setuid to foouser succeeded
Nov 15 03:20:15 svr spamd[7808]: spamd: processing message .. for foouser:1000
Nov 15 03:20:18 svr spamd[7808]: spamd: clean message (-2.9/5.0) for foouser:1000 in 3.1 seconds, 647 bytes.
Nov 15 03:20:18 svr spamd[7808]: spamd: result: . -2 - AWL,BAYES_00 scantime=3.1,size=647,user=foouser,...
Nov 15 03:20:18 svr postfix/local[11237]: ...
Nov 15 03:20:18 svr postfix/qmgr[5607]: ...: removed
Nov 15 03:20:19 svr spamd[5462]: prefork: child states: II
Nov 15 03:20:26 svr postfix/pickup[11065]: ...: uid=0 from=root
Nov 15 03:20:26 svr postfix/cleanup[11232]: ...
Nov 15 03:20:27 svr spamd[7808]: spamd: setuid to foouser succeeded
Nov 15 03:20:27 svr spamd[7808]: spamd: processing message ... for foouser:1000
Nov 15 03:20:29 svr spamd[7808]: spamd: clean message (-2.2/5.0) for foouser:1000 in 2.7 seconds, 612 bytes.
Nov 15 03:20:29 svr spamd[7808]: spamd: result: . -2 - AWL,BAYES_05 scantime=2.7,size=612,user=foouser,uid=1000,...
Nov 15 03:20:29 svr postfix/local[11237]: EEA5F3B945: to=[EMAIL PROTECTED], orig_to=root, relay=local, delay=3, status=sent (delivered to command: /usr/bin/proc
Nov 15 03:20:29 svr postfix/qmgr[5607]: EEA5F3B945: removed
Nov 15 03:20:30 svr spamd[5462]: prefork: child states: II
Nov 15 03:21:05 svr spamd[5462]: spamd: server killed by SIGTERM, shutting down
Nov 15 03:21:11 svr rc-scripts: Failed to stop spamd
Nov 15 03:30:00 svr fcron[5328]: process already running: root's /usr/bin/test -x /usr/sbin/run-crons /usr/sbin/run-crons
Nov 15 03:40:00 svr fcron[11746]: Job /usr/bin/test -x /usr/sbin/run-crons /usr/sbin/run-crons started for user root (pid 11747)
Nov 15 03:50:00 svr fcron[11759]: Job /usr/bin/test -x /usr/sbin/run-crons /usr/sbin/run-crons started for user root (pid 11760)
Nov 15 03:50:24 svr postfix/smtpd[11772]: connect from localhost[127.0.0.1]
Nov 15 03:50:24 svr postfix/smtpd[11772]: ...: client=localhost[127.0.0.1]
Nov 15 03:50:24 svr postfix/cleanup[11775]: ...: message-id=...
Nov 15 03:50:24 svr postfix/qmgr[5607]: 73FAA3B4FB: from=...
Nov 15 03:50:24 svr postfix/smtpd[11772]: disconnect from localhost[127.0.0.1]
Nov 15 03:50:24 svr spamc[11779]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused
Nov 15 03:50:25 svr spamc[11779]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#2 of 3): Connection refused
--
Does anyone else have this problem? Can it be attributed to fcron or RulesDuJour or something peculiar to my setup? I don't understand the process already running messages from fcron - but my cron jobs all seem to be executed normally. The script which was run immediately prior to spamd stopping accepting connections is the standard one supplied for Gentoo - a copy of the version I'm using is here : http://temporary.shic.dynalias.net/rules_du_jour --
I've got TORA.08 spelled with numbers?
I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Regards Jeff Moss
Re: New Spam
At 07:40 AM 11/17/2006, you wrote: I'm getting some new spam coming through.. It's ASCII art (using nothing but numbers) and spells out TORA.08 and nothing else.. It looks to be coming from a Bot-Net.. Anyone seen this? Thanks, Billy Just got 2 also to 2 different e-mail addresses.
RE: I've got TORA.08 spelled with numbers?
Even I have started getting it. Have any one cracked any rules for this? Warm Regards, Suhas System Administrator QualiSpace - A QuantumPages Enterprise An ICANN Accredited Domain Registrar === Tel India: +91 (22) 6792 - 1480 Tel US: +1 (614) 827 - 1224 Fax India: +91 (22) 2530 - 3166 URL: http://www.qualispace.com === For Any Technical Query Please Use: http://helpdesk.qualispace.com QualiSpace Community Discussion forum: http://forum.qualispace.com -Original Message- From: Jeff Moss [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 9:15 PM To: users@spamassassin.apache.org Subject: I've got TORA.08 spelled with numbers? I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Regards Jeff Moss
Re: I've got TORA.08 spelled with numbers?
At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
Re: I've got TORA.08 spelled with numbers?
Hey I got the same thing. On 11/17/06, Evan Platt [EMAIL PROTECTED] wrote: At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
Re: email appears to que all the time - sendmail,spamssassin,amavis-new
Patrick Sherrill wrote: I seem to be getting significant delays in delivery (queue times are set to 15m). I am currently using amavis-new to hook SA with sendmail (tx and rx queue). What would be the best approach to minimizing delays beyond more RAM. Reject more messages with (good) DNSBLs and/or (selective) greylisting before they get to amavis.
Re: New Spam
Evan Platt wrote: At 07:40 AM 11/17/2006, you wrote: I'm getting some new spam coming through.. It's ASCII art (using nothing but numbers) and spells out TORA.08 and nothing else.. It looks to be coming from a Bot-Net.. Anyone seen this? Thanks, Billy Just got 2 also to 2 different e-mail addresses. Yep. Saw this just within the past ten mins. -- --Michel Vaillancourt Wolfstar Systems www.wolfstar.ca
Re: I've got TORA.08 spelled with numbers?
So, here is a question... Why spam everyone with TORA.08, I don't even know what the heck that means!!! - Original Message - From: Evan Platt [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Friday, November 17, 2006 10:48 AM Subject: Re: I've got TORA.08 spelled with numbers? At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
RE: Funny spamd failure... (Maybe SARE/rules-du-jour related?)
The other night my default gentoo RulesDuJour for Spamassassin acquired new Adult and General rule-sets from SARE. Thereafter spamd refused all connections and subsequently received mail was not spam filtered. Issuing '/etc/init.d/spamd restart' as root resolved the situation... but I don't want to have to do this every time a rule-set is automatically updated overnight. This is a (sanitised) extract from /var/log/messages : ...omissis... Does anyone else have this problem? Can it be attributed to fcron or RulesDuJour or something peculiar to my setup? I don't understand the process already running messages from fcron - but my cron jobs all seem to be executed normally.
Yep! That's a well-known issue to me, but with amavis. When the rulesdujour script issues a '/etc/init.d/amavis restart', the gentoo's init script doesn't wait enough for amavis termination and times out. I had to overcome the problem by configuring rulesdujour to restart amavis through a simple, my-hand-made, script. That's it:
#!/bin/bash
AMV_NM=amavisd
AMV_RC=/etc/init.d/amavisd
# Get the amavis' processes pids
PIDS=$( /sbin/pidof ${AMV_NM} )
if [[ ! -z ${PIDS} ]]; then
    # Stop amavis
    ${AMV_RC} stop
    # Check for amavis termination
    while [[ ! -z ${PIDS} ]]; do
        sleep 1
        PIDS=$( /sbin/pidof ${AMV_NM} )
    done
    # (Re)start amavis
    ${AMV_RC} restart
fi
Please note that, since the stop action is prone to fail, you can't just use a start action later. Use a restart instead: it will detect amavis as not running anymore and will start it as required. Of course, this script may be adapted to your needs: simply set AMV_NM and AMV_RC to the name and init script's path of spamd. Regards, giampaolo
The script which was run immediately prior to spamd stopping accepting connections is the standard one supplied for Gentoo - a copy of the version I'm using is here : http://temporary.shic.dynalias.net/rules_du_jour --
Re: I've got TORA.08 spelled with numbers?
I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. lordy, lordy! i'm just *SURE* i'm missing the whole point of this sort of spam ... ... but WHY do these spammers even bother with this sort of stuff? even if it *does* temporarily get past filters -- who in their right mind clicks on this stuff? or, worse, would send/invest $$$?
Re: RelayChecker 0.3
Stuart Johnston wrote: Michael Alan Dorman wrote: On Thu, 16 Nov 2006 17:56:21 -0800 Derek Harding [EMAIL PROTECTED] wrote: On Sun, 2006-11-12 at 17:26 -0800, John Rudd wrote: http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar I've been running this for a few days now and am finding it to be pretty effective, especially against the bots that are producing all the image spam. Currently it's running about 87.55% hit rate with only two false positives so far (one a company on adsl, the other a mail server with no reverse DNS). For reasons that I haven't investigated closely, I'm finding RelayChecker consistently tags mail from the dojo toolkit's mailing list as well as the catalyst toolkit's mailing list. I just noticed that SourceForge's list sever has a kinda funky rdns. Can RelayChecker handle an alias in rdns? (66.35.250.225) It looks like neither of the lists you mention use SF but it might cause problems for other lists. Off the top of my head, I don't know. I'll be sure to test it before the next release. John
Re: I've got TORA.08 spelled with numbers?
Evan Platt wrote: At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something? AH HA! It is not a url, its a stock symbol! http://finance.yahoo.com/q?s=TORA.OB
RE: I've got TORA.08 spelled with numbers?
So, here is a question... Why spam everyone with TORA.08, I don't even know what the heck that means!!! I guess it is a (japanese?) nickname. Maybe the nickname of the bot/worm/virus maker? It is possible that this advertising is targeted to spammers, not to real customers: it looks like Ehy, see? I can flood people's mailboxes with it! Come and buy my services. Ah, these business people... giampaolo - Original Message - From: Evan Platt [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Friday, November 17, 2006 10:48 AM Subject: Re: I've got TORA.08 spelled with numbers? At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
RE: I've got TORA.08 spelled with numbers?
From: Stuart Johnston [mailto:[EMAIL PROTECTED] Evan Platt wrote: At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something? AH HA! It is not a url, its a stock symbol! http://finance.yahoo.com/q?s=TORA.OB So, it's not 08 but OB. What does OB stands for? OBnubilated? OBfuscating? OBsessive? giampaolo
Re: I've got TORA.08 spelled with numbers?
On Fri, 17 Nov 2006 09:03:54 -0700, [EMAIL PROTECTED] wrote: | Wasn't there a stock image spam with TORA.TORA or something? | | AH HA! It is not a url, its a stock symbol! | | http://finance.yahoo.com/q?s=TORA.OB Trading up 4.5%! Geez... At a rough guess that would be 'salt' money. So when someone does click on it/look it up they see rising stock and buy. Check it again in a few days. Nigel
Re: Real fix for stock spams - pick up a pen
Coffey, Neal wrote: Bookworm wrote: Pick up a pen, and write to your local congressman, or even to the SEC, and insist that they penalize those companies who are being pimped and pumped through spam emails. Why should they? The companies being advertised in the stock spams aren't responsible. In fact, a good pump-and-dump stock scam can be very harmful to the target company. This depends on whether it's a pump and dump for the initial IPO (In which case, the company knows straight out who they're dealing with), or whether it's a pump and dump for an existing stock. (In which case, the spammer stands out big-time, and can be backtracked by the SEC for sending out the spam - possibly for pump and dump. I don't know if those are illegal or not, but using spam to do it definitely is) Either way, it's a Go for the money. BW
Re: I've got TORA.08 spelled with numbers?
this seems to catch them:
header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962)
--j.
Billy Huddleston writes: So, here is a question... Why spam everyone with TORA.08, I don't even know what the heck that means!!! - Original Message - From: Evan Platt [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Friday, November 17, 2006 10:48 AM Subject: Re: I've got TORA.08 spelled with numbers? At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
RE: I've got TORA.08 spelled with numbers?
Lol Warm Regards, Suhas System Administrator QualiSpace - A QuantumPages Enterprise An ICANN Accredited Domain Registrar === Tel India: +91 (22) 6792 - 1480 Tel US: +1 (614) 827 - 1224 Fax India: +91 (22) 2530 - 3166 URL: http://www.qualispace.com === For Any Technical Query Please Use: http://helpdesk.qualispace.com QualiSpace Community Discussion forum: http://forum.qualispace.com -Original Message- From: Giampaolo Tomassoni [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 9:36 PM To: users@spamassassin.apache.org Subject: RE: I've got TORA.08 spelled with numbers? So, here is a question... Why spam everyone with TORA.08, I don't even know what the heck that means!!! I guess it is a (japanese?) nickname. Maybe the nickname of the bot/worm/virus maker? It is possible that this advertising is targeted to spammers, not to real customers: it looks like Ehy, see? I can flood people's mailboxes with it! Come and buy my services. Ah, these business people... giampaolo - Original Message - From: Evan Platt [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Friday, November 17, 2006 10:48 AM Subject: Re: I've got TORA.08 spelled with numbers? At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
Re: I've got TORA.08 spelled with numbers?
On Fri, 17 Nov 2006 17:09:21 +0100, Giampaolo Tomassoni [EMAIL PROTECTED] wrote: From: Stuart Johnston [mailto:[EMAIL PROTECTED] Evan Platt wrote: At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something? AH HA! It is not a url, its a stock symbol! http://finance.yahoo.com/q?s=TORA.OB So, it's not 08 but OB. What does OB stands for? OBnubilated? OBfuscating? OBsessive? giampaolo - If this is a preferred stock, the letters PR and the letter denoting the class will typically be added. For example, a fictional preferred stock called Cory's Tequila Corporate Preferred T's would have a symbol such as CTC.PR.T. - If the company has more than one type of stock currently trading, then it will have the class added to its suffix. For instance, Berkshire Hathaway comes in two forms: BRK.A and BRK.B. - If a stock is trading on the Pink Sheets or the Over-the-Counter Bulletin Board, a PK or OB will be added to the stock symbol. - On the Nasdaq, a fifth symbol is added to stocks that are delinquent in certain exchange requirements. For example, the letter Q will be added to the stock symbol of a company presently in bankruptcy proceedings. From http://www.investopedia.com/ask/answers/03/061903.asp Nigel
Re: I've got TORA.08 spelled with numbers?
Will that not get legit mail from someone sending via Microsoft Outlook ?
- Original Message - From: Justin Mason [EMAIL PROTECTED] To: Billy Huddleston [EMAIL PROTECTED] Cc: users@spamassassin.apache.org Sent: Friday, November 17, 2006 11:10 AM Subject: Re: I've got TORA.08 spelled with numbers?
this seems to catch them:
header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/
header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/
meta JM_TORA_XM (__MAILER_OL_6626 && __MOLE_2962)
--j.
Billy Huddleston writes: So, here is a question... Why spam everyone with TORA.08, I don't even know what the heck that means!!! - Original Message - From: Evan Platt [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Friday, November 17, 2006 10:48 AM Subject: Re: I've got TORA.08 spelled with numbers? At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
Re: I've got TORA.08 spelled with numbers?
| | | | http://finance.yahoo.com/q?s=TORA.OB | | Trading up 4.5%! | | Geez... | | At a rough guess that would be 'salt' money. So when someone does | click on it/look it up they see rising stock and buy. Check it again | in a few days. | | Nigel Hey...there is money to be made! Let's all short TORA.OB
Re: Real fix for stock spams - pick up a pen
Robert Braver wrote: On Thursday, November 16, 2006, 8:00:09 PM, Michael Scheidell wrote: MS It was $500, and the law changed to make it impossible to collect MS anymore. MS Before, it was a 'first strike' and you owe $500. Now you have to 'opt MS out' (they can still send you one) Opt-out applies only if there is an existing business relationship with the recipient, and several other requirements are met. The rules haven't changed w/r/t typical junk faxes... you can(and indeed we are) nailing them for the first fax, last fax, and every fax in between. Yes - Opt-out _used_ to sometimes be a valid excuse, but especially since the change last summer, it's basically Unless you have a piece of paper saying that you can send them faxes, you can't send them faxes. The only exception to that rule is a fax saying We'd like to send you information X. - you can't include any of the information, just the request. Then they have to send that back. Faxes are opt-in only, unless you already have a prior business relationship (that piece of paper. Two of my customers that faxed to various construction companies (legitimately, they never hid, and they always removed), spent weeks sending out if you'd like to continue receiving these faxes, please fill this out and send it back papers) BW
RE: I've got TORA.08 spelled with numbers?
Is this safe to try? Warm Regards, Suhas System Administrator QualiSpace - A QuantumPages Enterprise An ICANN Accredited Domain Registrar === Tel India: +91 (22) 6792 - 1480 Tel US: +1 (614) 827 - 1224 Fax India: +91 (22) 2530 - 3166 URL: http://www.qualispace.com === For Any Technical Query Please Use: http://helpdesk.qualispace.com QualiSpace Community Discussion forum: http://forum.qualispace.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 9:41 PM To: Billy Huddleston Cc: users@spamassassin.apache.org Subject: Re: I've got TORA.08 spelled with numbers? this seems to catch them: header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ meta JM_TORA_XM (__MAILER_OL_6626 __MOLE_2962) --j. Billy Huddleston writes: So, here is a question... Why spam everyone with TORA.08, I don't even know what the heck that means!!! - Original Message - From: Evan Platt [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Friday, November 17, 2006 10:48 AM Subject: Re: I've got TORA.08 spelled with numbers? At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
Re: I've got TORA.08 spelled with numbers?
Wouldn't a better solution to be check the e-mail for NOT having any alpha chars? All numbers seems like a no-brainer to me, but I'm fairly new at this. :) Something like Body ~= /[^a-zA-A]/ ? Cheers, -=Ray Justin Mason wrote: this seems to catch them: header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ meta JM_TORA_XM (__MAILER_OL_6626 __MOLE_2962) --j. Billy Huddleston writes: So, here is a question... Why spam everyone with TORA.08, I don't even know what the heck that means!!! - Original Message - From: Evan Platt [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Friday, November 17, 2006 10:48 AM Subject: Re: I've got TORA.08 spelled with numbers? At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
Re: I've got TORA.08 spelled with numbers?
Ray Anderson wrote: Wouldn't a better solution to be check the e-mail for NOT having any alpha chars? All numbers seems like a no-brainer to me, but I'm fairly new at this. :) Something like Body ~= /[^a-zA-A]/ ? Too many false positives with that one. You'd need to be sure you didn't hit real short emails containing only numbers, like phone numbers, passwords, etc.. The one below also FPs on the real outlook client. The Date header seems to be a bit messed up.(space,tab,date) Might look at that too. ;-) Ken A Pacific.Net Cheers, -=Ray Justin Mason wrote: this seems to catch them: header __MAILER_OL_6626 X-Mailer =~ /^Microsoft Outlook, Build 10\.0\.6626$/ header __MOLE_2962 X-MimeOLE =~ /^Produced\ By\ Microsoft\ MimeOLE\ V6\.00\.2900\.2962$/ meta JM_TORA_XM (__MAILER_OL_6626 __MOLE_2962) --j. Billy Huddleston writes: So, here is a question... Why spam everyone with TORA.08, I don't even know what the heck that means!!! - Original Message - From: Evan Platt [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Friday, November 17, 2006 10:48 AM Subject: Re: I've got TORA.08 spelled with numbers? At 07:44 AM 11/17/2006, you wrote: I'm getting a bunch of spams this morning that have TORA.08 spelled out with numbers like this. 4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213 Does anybody know what this is about. Got 2 also. Wasn't there a stock image spam with TORA.TORA or something?
RE: New Spam
TORA TECHNOLOGIES (TORA.OB) ??? - Darren. -Original Message- From: Bob McClure Jr [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 11:18 AM To: users@spamassassin.apache.org Subject: Re: New Spam On Fri, Nov 17, 2006 at 10:40:17AM -0500, Billy Huddleston wrote: I'm getting some new spam coming through.. It's ASCII art (using nothing but numbers) and spells out TORA.08 and nothing else.. It looks to be coming from a Bot-Net.. Anyone seen this? Thanks, Billy Yes, one of my virtual mailboxes just got one. Came from impsat.net.ar. I sent off a nastygram to the network admin. somewhat off-topic Speaking of which, I have a policy such that if I have to deal with a piece of spam, I use whois to find the abuse reporting point for the network the zombie is on, and send them a copy of the spam, headers and all. Am I spitting (to use a nicer term) in the ocean, or is it worthwhile? In particular, this is an issue with a closed mailing list I manage, which, alas, is not on my server, so I have no control over how the MTA is set up. So I get (as of a couple of days ago) 40 or 50 spams per day I have to moderate. So if I have to deal with it, the spammer pays with (I hope) a shutdown zombie. In case the spammer is reading this, it's hammered_dulcimers (at) lists.fmp.com. /somewhat off-topic Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
Re: Funny spamd failure... (Maybe SARE/rules-du-jour related?)
Giampaolo Tomassoni wrote:

    # Check for amavis termination
    while [[ ! -z ${PIDS} ]]; do
        sleep 1
        PIDS=$( /sbin/pidof ${AMV_NM} )
    done

In cases like this I usually just put the sleep command in the init script like this:

    ...
    case $1 in
    ...
        restart|reload)
            stop
            sleep 5 =
            start
            RETVAL=$?
            ;;
    ...

I'm not a gentoo user, though, so YMMV. I'm using RedHat/CentOS. Still I'd bet the init scripts aren't that different.

Peter
procmail and virtual domain
Hi list I have postfix with a virtual domain, where I have to create a .procmailrc file for procmail? ( I have to create a file or a directory? ) How to configure a system wide? Thanks JeAn
image exception with FuzzyOCR??
Hello everybody... there is a way to do a exception to some image that isn't a SPAM... but the FuzzyOCR thinks that it is a spam image?? i really dont want to disable the Hashdb...
RE: Funny spamd failure... (Maybe SARE/rules-du-jour related?)
From: Peter H. Lemieux [mailto:[EMAIL PROTECTED] Giampaolo Tomassoni wrote: # Check for amavis termination while [[ ! -z ${PIDS} ]]; do sleep 1 PIDS=$( /sbin/pidof ${AMV_NM} ) done In cases like this I usually just put the sleep command in the init script like this: ... case $1 in ... restart|reload) stop sleep 5 = start RETVAL=$? ;; ... I'm not a gentoo user, though, so YMMV. I'm using RedHat/CentOS. Still I'd bet the init scripts aren't that different. The init script fails because it uses something like your way: a single sleep 5 :) The guy who made the script did simply test shutting and restarting the amavis/spamd daemon up and down in its own test environment, which basicly is low mail load or even no mail at all. After a while amavis is doing it's dirty job, I noticed it needs a lot of time to shut down. It takes to me something around 10 secs in the average and sometimes it takes even more. So, a 'sleep 5' simply wouldn't fit. I don't know why (and I even don't care to know), but the script I'm using introduces a delay of at most 1 more sec than the strictly needed in restarting amavis and it never failed to me. Giampaolo Peter
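A bounded version of the polling loop discussed above, as an added example (not code from the thread or from amavisd): it polls once per second like the quoted loop, but gives up after a timeout and refuses to start a new instance while the old one is still alive. The function names, the 30-second figure in the comment and the flag-file stand-in daemon are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: bounded wait for a daemon to exit before it is started again.
# All function names are hypothetical; nothing below is amavisd's own code.

# wait_until_gone TIMEOUT_SECS PROBE [ARGS...]
# Runs PROBE once per second for as long as it succeeds (daemon still alive).
# Returns 0 as soon as PROBE fails (daemon gone), 1 once TIMEOUT_SECS elapse.
wait_until_gone() {
    wug_timeout=$1
    shift
    wug_elapsed=0
    while "$@" >/dev/null 2>&1; do
        [ "$wug_elapsed" -lt "$wug_timeout" ] || return 1
        sleep 1
        wug_elapsed=$((wug_elapsed + 1))
    done
    return 0
}

# restart_when_gone TIMEOUT_SECS STOP_FN START_FN PROBE [ARGS...]
# Returns 0 after a clean restart, 1 if the old instance never went away.
# In the second case START_FN is not called, so two instances never overlap.
restart_when_gone() {
    rwg_timeout=$1 rwg_stop=$2 rwg_start=$3
    shift 3
    "$rwg_stop"
    if wait_until_gone "$rwg_timeout" "$@"; then
        "$rwg_start"
        return 0
    fi
    echo "old instance still alive after ${rwg_timeout}s, not starting" >&2
    return 1
}

# In an init script the probe would be the check used in the thread, e.g.:
#   restart_when_gone 30 stop start /sbin/pidof "${AMV_NM}"

# --- Constructed stand-in daemon: it is "alive" while a flag file exists ---
FAKE_DIR=$(mktemp -d)
FAKE_FLAG=$FAKE_DIR/running
FAKE_STARTS=0
trap 'rm -rf "$FAKE_DIR"' EXIT

fake_start()     { : > "$FAKE_FLAG"; FAKE_STARTS=$((FAKE_STARTS + 1)); }
fake_slow_stop() { ( sleep 1; rm -f "$FAKE_FLAG" ) >/dev/null 2>&1 & }  # slow exit
fake_hung_stop() { :; }                                                 # never exits
fake_alive()     { [ -e "$FAKE_FLAG" ]; }

demo() {
    fake_start
    if restart_when_gone 10 fake_slow_stop fake_start fake_alive; then
        echo "slow shutdown: waited, then restarted"
    fi
    if ! restart_when_gone 1 fake_hung_stop fake_start fake_alive 2>/dev/null; then
        echo "hung daemon: timed out, start refused"
    fi
    echo "starts performed: $FAKE_STARTS"
}
demo
```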
Re: I've got TORA.08 spelled with numbers? - Tora Acquires www.makeup.com
http://biz.yahoo.com/iw/061020/0175176.html TORA TECHNOLOGIES INC. Robert E. Rook - President Contact: Contacts: Tora Technologies Inc. Robert E. Rook President 1-866-347-5057
Re: Funny spamd failure... (Maybe SARE/rules-du-jour related?)
The guy who made the script did simply test shutting and restarting the amavis/spamd daemon up and down in its own test environment, which basicly is low mail load or even no mail at all. After a while amavis is doing it's dirty job, I noticed it needs a lot of time to shut down. It takes to me something around 10 secs in the average and sometimes it takes even more. So, a 'sleep 5' simply wouldn't fit. To shut down amavisd, use the command: amavisd stop To restart amavisd, use the command: amavisd reload These commands will only exit after they have completed their job, i.e. waiting for the existing daemon to have stopped. Fiddling directly with pid file, kill, sleep, etc., is unwise, and most likely much less careful compared to how amavisd does it. Mark
RE: Funny spamd failure... (Maybe SARE/rules-du-jour related?)
The guy who made the script did simply test shutting and restarting the amavis/spamd daemon up and down in its own test environment, which basicly is low mail load or even no mail at all. After a while amavis is doing it's dirty job, I noticed it needs a lot of time to shut down. It takes to me something around 10 secs in the average and sometimes it takes even more. So, a 'sleep 5' simply wouldn't fit. To shut down amavisd, use the command: amavisd stop To restart amavisd, use the command: amavisd reload These commands will only exit after they have completed their job, i.e. waiting for the existing daemon to have stopped. Ah, Mark. Really many many thanks for this perl of wisdom. So, I don't have a Linux distribution running on my servers? May you suggest to me the kind of OS brand I'm running? Fiddling directly with pid file, kill, sleep, etc., is unwise, and most likely much less careful compared to how amavisd does it. Hopefully, amavisd doesn't shuts or starts by itself. It even installs by itself... Mark giampaolo
Sending Marked up mail to another address
I just got my system going. For the short term I would like to send all mail marked as spam to another address (not served from the box spam assassin is on). I am using sendmail/procmail/spamassassin

Here is my .spamassassin.rc file. Any ideas why this won't work? When the forward rule is in place, the first rule doesn't work. I'm new to this so my apologies if this is a trivial/silly error on my part.

Thanks for the help,
Luke

    # (250 * 1024 = 256000 bytes) are processed by SpamAssassin.
    :0fw
    * < 256000
    | /usr/bin/spamassassin --prefs-file=/home/spamfolder/.user_prefs

    # All mail tagged as spam (eg. with a score higher than the set threshold)
    # is forwarded to admin
    :0
    * ^X-Spam-Status: Yes
    /usr/sbin/sendmail -oi [EMAIL PROTECTED]

    # Work around procmail bug: any output on stderr will cause the F in From
    # to be dropped. This will re-add it.
    :0
    * ^^rom[ ]
    {
      LOG="*** Dropped F off From_ header! Fixing up. "

      :0 fhw
      | sed -e '1s/^/F/'
    }
Re: procmail and virtual domain
On Fri, November 17, 2006 10:08 am, [EMAIL PROTECTED] wrote: Hi list I have postfix with a virtual domain, where I have to create a .procmailrc file for procmail? ( I have to create a file or a directory? ) How to configure a system wide? Thanks I recommend searching on the internet for 'procmail howto' and find one of the many very good recommendations there. I chose to put all procmail recipies for users in ~/.procmail.d/ with a symlink from ~/.procmailrc to ~/.procmail.d/.procmailrc Then I have /etc/procmailrc where I call SpamAssassin with spamc, among other things. I learned it all from a good howto I found on google.com. Good luck and I hope that helps. Karl JeAn -- [EMAIL PROTECTED] --- Senior Consulting Sys/DB Analyst http://consulting.ourldsfamily.com --- My Thoughts on Terrorism In America right after 9/11/2001: http://www.ourldsfamily.com/wtc.shtml --- The world is a dangerous place to live... not because of the people who are evil, but because of the people who don't do anything about it. - Albert Einstein ---
Re: Sending Marked up mail to another address
On Fri, Nov 17, 2006 at 01:41:03PM -0500, Luke Shannon wrote:

I just got my system going. For the short term I would like to send all mail marked as spam to another address (not served from the box spam assassin is on). I am using sendmail/procmail/spamassassin Here is my .spamassassin.rc file.

You mean .procmailrc file?

Any ideas why this won't work? When the forward rule is in place, the first rule doesn't work. I'm new to this so my apologies if this is a trivial/silly error on my part. Thanks for the help, Luke

    # (250 * 1024 = 256000 bytes) are processed by SpamAssassin.
    :0fw
    * < 256000
    | /usr/bin/spamassassin --prefs-file=/home/spamfolder/.user_prefs

    # All mail tagged as spam (eg. with a score higher than the set threshold)
    # is forwarded to admin
    :0
    * ^X-Spam-Status: Yes
    /usr/sbin/sendmail -oi [EMAIL PROTECTED]

You need a pipe in front of that:

    | /usr/sbin/sendmail -oi [EMAIL PROTECTED]

The other way is to just put a bang in front of the email address:

    ! [EMAIL PROTECTED]

See man procmailex and man procmailrc.

    # Work around procmail bug: any output on stderr will cause the F in From
    # to be dropped. This will re-add it.
    :0
    * ^^rom[ ]
    {
      LOG="*** Dropped F off From_ header! Fixing up. "

      :0 fhw
      | sed -e '1s/^/F/'
    }

Cheers, -- Bob McClure, Jr. Bobcat Open Systems, Inc. [EMAIL PROTECTED] http://www.bobcatos.com Where you go in the hereafter depends on what you were after here. - Thanks to Graffiti, 2 March 2004
RE: image exception with FuzzyOCR??
Ofcourse, save the image, calculate the hash and then use the fuzzy-find.pl script to delete it from the bad hash db. Next you'll have to use a little trick to get it into the good hash db, as that's not possible from the fuzzy-find.pl script. Simply make an empty word list and yank the image through FuzzyOcr again. It'll put it into the known good db. -Sietse From: Thiago LPS [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 18:25 To: users@spamassassin.apache.org Subject: image exception with FuzzyOCR?? Hello everybody... there is a way to do a exception to some image that isn't a SPAM... but the FuzzyOCR thinks that it is a spam image?? i really dont want to disable the Hashdb...
Re: image exception with FuzzyOCR??
Sietse van Zanen wrote: Ofcourse, save the image, calculate the hash and then use the fuzzy-find.pl script to delete it from the bad hash db. Next you’ll have to use a little trick to get it into the good hash db, as that’s not possible from the fuzzy-find.pl script. Simply make an empty word list and yank the image through FuzzyOcr again. It’ll put it into the known good db. It is planned to include this feature, it is really something that is missing... maybe I'll hack it up right now and release it :) Regards, Chris -Sietse *From:* Thiago LPS [mailto:[EMAIL PROTECTED] *Sent:* Friday, November 17, 2006 18:25 *To:* users@spamassassin.apache.org *Subject:* image exception with FuzzyOCR?? Hello everybody... there is a way to do a exception to some image that isn't a SPAM... but the FuzzyOCR thinks that it is a spam image?? i really dont want to disable the Hashdb...
RE: image exception with FuzzyOCR??
To be more exact, the procedure would be:

1. Save the image file, and the message
2. Calculate the hash and delete it from the bad hash db with the fuzzy-find.pl script
3. Create an empty wordlist, or fill it with some bogus words, that don't appear in the image
4. Update the FuzzyOcr.cf file to point to the new wordlist. If you're using spamd don't restart, it'll keep using the correct wordlist. Otherwise you might want to stop incoming mail for a little while.
5. Pipe the message through FuzzyOcr.pm directly, it'll put the hash into the known good db.
6. Correct the config. (and restart maild).
7. Send in a feature request to update the fuzzy-find.pl script to insert hashes into a db. ;-)

-Sietse

From: Sietse van Zanen [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 20:09 To: Thiago LPS; users@spamassassin.apache.org Subject: RE: image exception with FuzzyOCR??

Of course, save the image, calculate the hash and then use the fuzzy-find.pl script to delete it from the bad hash db. Next you'll have to use a little trick to get it into the good hash db, as that's not possible from the fuzzy-find.pl script. Simply make an empty word list and yank the image through FuzzyOcr again. It'll put it into the known good db. -Sietse

From: Thiago LPS [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 18:25 To: users@spamassassin.apache.org Subject: image exception with FuzzyOCR??

Hello everybody... there is a way to do a exception to some image that isn't a SPAM... but the FuzzyOCR thinks that it is a spam image?? i really dont want to disable the Hashdb...
Re: I've got TORA.08 spelled with numbers? - Tora Acquires www.makeup.com
i've got this spam too looks like a ASCI ART with TORA writed in the body of mail... :( On 11/17/06, [EMAIL PROTECTED] wrote: http://biz.yahoo.com/iw/061020/0175176.html TORA TECHNOLOGIES INC. Robert E. Rook - President Contact: Contacts: Tora Technologies Inc. Robert E. Rook President 1-866-347-5057 -- -- Thiago LPS C.E.S.A.R - Administrador de Sistemas msn: [EMAIL PROTECTED] 0xx 81 8735 2591 --
Re: I've got TORA.08 spelled with numbers? - Tora Acquires www.makeup.com
how to block this ascii art spams?? i've got many spams with this tora.ob too... Thiago LPS escreveu: i've got this spam too looks like a ASCI ART with TORA writed in the body of mail... :( On 11/17/06, ** [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: http://biz.yahoo.com/iw/061020/0175176.html TORA TECHNOLOGIES INC. Robert E. Rook - President Contact: Contacts: Tora Technologies Inc. Robert E. Rook President 1-866-347-5057 -- -- Thiago LPS C.E.S.A.R - Administrador de Sistemas msn: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 0xx 81 8735 2591 --
would SA benefit from port to Java
Thinking about the GPL Java announcement some, and trying to imagine the kinds of opportunities this allows for, it occurs to me that SpamAssassin might be a natural fit for Java. I'm just thinking out loud here, not advocating anything... Would it run better? Would it be faster, have smaller memory footprint, better reclamation, better hooks for plugins etc? OTOH, would it be harder to build, given the dependence of SA on perl modules? Thoughts? -- Eric A. Hallhttp://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
RE: New Spam
We've all got at least one. We've been talking about it on other lists. Either a goof or a spammer got haxored. The real question is, how soon before we see You one a free Playstation 3! spam? :-) --Chris (No, I didn't wait in line for one. )
TORA.08 rule
Is it safe to use this?? Seems to work...

    body ASCIISPAM /([0123456789] ){5}/i
    describe ASCIISPAM ASCII SPAM
    score ASCIISPAM 1.0
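The body checks proposed in this thread, run over sample bodies, as an added example (not code from any poster): it shows which legitimate messages each check would also flag, the false-positive concern raised earlier in the thread. `grep -E` stands in for SpamAssassin's Perl regex engine, each body is treated as one whitespace-normalised line, and the ham samples, the function names and the 30-token threshold are assumptions.

```shell
#!/bin/sh
# Added example: proposed body checks evaluated against sample message bodies.
# grep -E stands in for SpamAssassin's regex engine (assumption); every body is
# a single whitespace-normalised line.
LC_ALL=C
export LC_ALL

# Digit art as quoted in the thread.
SPAM_ART='4216775 0611576 215556 7 3308011 3258576 6 7 5 153 85 2 7 3 8 3 6 50 4 1 2 7 0 5 7 2 2 257873 5 7 4 1 3387715 6 2 5 7 1 111500075 8 6 2 2 8 2 2 7 7 3 2 656 0 3 0 8 0 6430533 44 8 6 207 5412501 7637213'

# Constructed ham samples (not taken from the thread).
HAM_PHONE='555 0100'
HAM_SCORES='Round scores: 10 8 7 9 6 5 total 45'
HAM_TEXT='Meeting moved to 3 pm on 17 Nov, room 204.'

# The rule as posted: five consecutive "digit + space" pairs.
asciispam_hit() { printf '%s\n' "$1" | grep -Eiq '([0123456789] ){5}'; }

# The character class as literally posted, /[^a-zA-A]/: one character that is
# neither a lowercase letter nor "A". Any space or digit satisfies it.
literal_class_hit() { printf '%s\n' "$1" | grep -q '[^a-zA-A]'; }

# The stated intent instead: a body with digits and no alphabetic characters.
no_alpha_hit() {
    printf '%s\n' "$1" | grep -q '[0-9]' || return 1
    ! printf '%s\n' "$1" | grep -q '[A-Za-z]'
}

# Hypothetical tightening: no letters AND at least MIN (default 30) tokens,
# so a short numeric note such as a phone number is not enough to fire.
dense_digit_art_hit() {
    no_alpha_hit "$1" || return 1
    ddh_tokens=$(( $(printf '%s\n' "$1" | wc -w) ))
    [ "$ddh_tokens" -ge "${2:-30}" ]
}

# count_ham_hits CHECK: number of the three ham samples that CHECK flags.
count_ham_hits() {
    chh_n=0
    for chh_body in "$HAM_PHONE" "$HAM_SCORES" "$HAM_TEXT"; do
        if "$1" "$chh_body"; then chh_n=$((chh_n + 1)); fi
    done
    echo "$chh_n"
}

# Summary: does each check catch the spam, and how many ham samples does it hit?
for check in asciispam_hit literal_class_hit no_alpha_hit dense_digit_art_hit; do
    if "$check" "$SPAM_ART"; then caught=yes; else caught=no; fi
    printf '%-20s spam caught: %-3s  ham flagged: %s of 3\n' \
        "$check" "$caught" "$(count_ham_hits "$check")"
done
```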
Can it get any simpler and not work?
I'm just doing some basic testing and what I think should be tagged as spam just goes right on thru. I've added this to local.cf

    header MY_RULE Subject =~ /test/i
    describe MY_RULE There is test in the Subject
    score MY_RULE 100

I restart spamassassin. Then from a different ISP I send an email to one of the accounts guarded by spamassassin with one word, test, in the Subject. Doesn't even slow it down, then at the same time other email gets tagged as spam for the same account. What could I be doing wrong? Wes
Re: image exception with FuzzyOCR??
On 11/17/06, Sietse van Zanen [EMAIL PROTECTED] wrote: To be more exact, the procedure would be: 1. Save the image file, and the message 2. Calculate the hash and delete it from the bad hash db with the fuzzy-find.pl script 3. In the body of mail marked as spam , i have the hash value... so.. i removed this hash from hashdb... it was happen because i didnt yet apply the Patch to only include in hasb db pictures matched as pic-spam.. after removed the hash and applied the patch... the picture wasn't include in the hasb db anymore.. but.. the question is: even with patch applied if some good-picture be included in the hashdb nothing better than a white-hashdb to solve it.. :D im not expert with perl.. but it doesnt sounds dificult to do.. :D Create an empty wordlist, or fill it with some bogus words, that don't appear in the image 4. Update the FuzzyOcr.cf file to point to the new wordlist. If you're using spamd don't restart, it'll keep using the correct wordlist. Otherwise you might want to stop incoming mail for a little while. 5. Pipe the message through FuccyOcr.pm directly, it'll put the hash into the known good db. 6. Correct the config. (and restart maild). 7. Send in a feature request to update the fuzzy-find.pl script to insert hashes into a db. ;-) -Sietse *From:* Sietse van Zanen [mailto:[EMAIL PROTECTED] *Sent:* Friday, November 17, 2006 20:09 *To:* Thiago LPS; users@spamassassin.apache.org *Subject:* RE: image exception with FuzzyOCR?? Ofcourse, save the image, calculate the hash and then use the fuzzy-find.pl script to delete it from the bad hash db. Next you'll have to use a little trick to get it into the good hash db, as that's not possible from the fuzzy-find.pl script. Simply make an empty word list and yank the image through FuzzyOcr again. It'll put it into the known good db. -Sietse *From:* Thiago LPS [mailto:[EMAIL PROTECTED] *Sent:* Friday, November 17, 2006 18:25 *To:* users@spamassassin.apache.org *Subject:* image exception with FuzzyOCR?? 
Hello everybody... there is a way to do a exception to some image that isn't a SPAM... but the FuzzyOCR thinks that it is a spam image?? i really dont want to disable the Hashdb... -- -- Thiago LPS C.E.S.A.R - Administrador de Sistemas msn: [EMAIL PROTECTED] 0xx 81 8735 2591 --
RE: Can it get any simpler and not work?
A subject like: I'm attesting your knowledge of SA would match. See? atTESTing matches. You probably would do something like Subject =~ /\wtest\w/i (\w means word boundary). Which subjects got matched? giampaolo

-Original Message- From: twofers [mailto:[EMAIL PROTECTED] Sent: Friday, November 17, 2006 8:47 PM To: users@spamassassin.apache.org Subject: Can it get any simpler and not work?

I'm just doing some basic testing and what I think should be tagged as spam just goes right on thru. I've added this to local.cf

    header MY_RULE Subject =~ /test/i
    describe MY_RULE There is test in the Subject
    score MY_RULE 100

I restart spamassassin. Then from a different ISP I send an email to one of the accounts guarded by spamassassin with one word, test, in the Subject. Doesn't even slow it down, then at the same time other email gets tagged as spam for the same account. What could I be doing wrong? Wes
Could THIS have doubled my SA Speed...
RE: Could THIS have doubled my SA Speed... First, I'm using a windows Port of SA... and I use this as a helper application in addition to my own custom programmed spam filter. Along these lines, I purposely have RBL checks and URI checks disabled in SA because I do these myself. But I **do** have Razor2 and DCC enabled. Anyways, I was trying to see what I could do to speed SA up as it seemed slower than it used to be. I tried adding a resolv.conf file (which wasn't previously there) and entered my local DNS caching server there. Then, I restarted SpamD and ran a corpus of 50 test files through SA (using a batch file, processing them one-by-one)... and this 2nd time it processed twice as fast. I ask if these results sound correct because I figure that my results might be anidotal. Does this type of speedup sound correct? I know that using a local DNS caching server can speed things up, but I was only specifying the SAME one what was already the default DNS server in my NIC card setup... so I would have thought that this would have already been the one chosen. But I have another question: It stands to reason that, even though I have RBLs and URI-checked turned off, there must be something ELSE that is getting checked across the network (via DNS)... or OTHER DNS traffic besides just RAZOR and DCC. Any ideas what that might be? I guess I was a bit surprised at this speedup since I have most of these DNS-type checks disabled. (But maybe there is still more going on via DNS that I realize?) Thanks! Rob McEwen PowerView Systems [EMAIL PROTECTED]
RE: would SA benefit from port to Java
Thinking about the GPL Java announcement some, and trying to imagine the kinds of opportunities this allows for, it occurs to me that SpamAssassin might be a natural fit for Java. I'm just thinking out loud here, not advocating anything... Would it run better? Would it be faster, have smaller memory footprint, better reclamation, better hooks for plugins etc? It would probably run better. I wouldn't say it would work faster. I know for shure it would have a much bigger memory footprint... :) OTOH, would it be harder to build, given the dependence of SA on perl modules? This is the main reason for not just starting with it. Besides, if there wasn't SA pluging, I would prefer a C/C++ version of SA. Wouldn't it run better? Wouldn't it be faster, wouldn't have a smaller memory footprint, better reclamation, better hooks for plugins etc? :) giampaolo Thoughts? -- Eric A. Hallhttp://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: would SA benefit from port to Java
Giampaolo Tomassoni wrote: Thinking about the GPL Java announcement some, and trying to imagine the kinds of opportunities this allows for, it occurs to me that SpamAssassin might be a natural fit for Java. I'm just thinking out loud here, not advocating anything... Would it run better? What does that even mean? Run better?
Re: Rules Du Jour briken?
I emailed the maintainer of exit0.us asking about the wiki site. Here is what he said: Thanks for the concern Chris, I appreciate it. To make a long story short, the person that offered to host the site (Matt) no longer works at that company. So without contacting me, they removed the site. Matt is going to get me the database from the site. So what I'm going to work on, now that I have time, is repairing the site and moving it back out to a server. I have no idea as to how long that will take since I plan on moving it to different wiki software that will hopefully be less prone to wiki vandalism. You can forward this out to the SA community if you want. AltGrendel I am trying to piece together the information that was in the wiki using google cache, wayback, etc. In the meantime, you can get the script itself from http://sandgnat.com/rdj/rules_du_jour Chris Thielen twofers wrote: Is this link having problems that anyone knows of? http://www.exit0.us/index.php?pagename=RulesDuJour I can't get to Rules Du Jour. Thanks, Wes
more ascii art spam
I just got a new one with the usual drugs displayed in larged ascii art. It was nearly unreadable, and it didn't pass my SA checks either. Peter
RE: Bayes column 'token'
-Original Message- From: Mark [mailto:[EMAIL PROTECTED] Sent: woensdag 15 november 2006 18:15 To: 'users@spamassassin.apache.org' Subject: RE: Bayes column 'token'

Well, bayes_mysql.sql does not specify collation; so, like you said, the collation will be your MySQL server-set default. And searches in MySQL are case-insensitive by default. Might indeed perhaps be a good idea to convert to latin1_bin or some such.

There will be any problem if I convert the current data to the new collation?

I see no indication (or reason) in the code that tokens are to be handled in an case-insensitive manner. The opposite, ere. So, I'm inclined to say that latin1_bin collation is better. I don't wanna be responsible for messing up your database, though. :) So I will test this a bit on my Vmware box.

Did the testing; and it works very smooth with latin1_bin.

PRIMARY for `id` and `token` should not have INDEX for `id` and `token` added, too.

I don't understand what you mean. The couple (id, token) is PRIMARY, not INDEX... Where exactly is the problem?

PRIMARY, like UNIQUE, always implies INDEX, too. So, adding an extra INDEX for `id` and `token` basically gives you a double INDEX for them. There's a double INDEX for `atime` too. So, I'd say, in bayes_mysql.sql, replace this:

    CREATE TABLE bayes_token (
      id int(11) NOT NULL default '0',
      token char(5) NOT NULL default '',
      spam_count int(11) NOT NULL default '0',
      ham_count int(11) NOT NULL default '0',
      atime int(11) NOT NULL default '0',
      PRIMARY KEY (id, token),
      INDEX bayes_token_idx1 (token),
      INDEX bayes_token_idx2 (id, atime)
    ) TYPE=MyISAM;

With:

    CREATE TABLE bayes_token (
      id int(11) NOT NULL default '0',
      token char(5) COLLATE latin1_bin NOT NULL default '',
      spam_count int(11) NOT NULL default '0',
      ham_count int(11) NOT NULL default '0',
      atime int(11) NOT NULL default '0',
      PRIMARY KEY (id, token),
      INDEX bayes_token_idx1 (atime)
    ) TYPE=MyISAM;

- Mark
Re: image exception with FuzzyOCR??
Thiago LPS wrote:

On 11/17/06, *Sietse van Zanen* [EMAIL PROTECTED] wrote:

To be more exact, the procedure would be:
1. Save the image file, and the message
2. Calculate the hash and delete it from the bad hash db with the fuzzy-find.pl script
3.

In the body of mail marked as spam, I have the hash value... so.. I removed this hash from hashdb... it happened because I didn't yet apply the patch to only include in hash db pictures matched as pic-spam.. after I removed the hash and applied the patch... the picture wasn't included in the hash db anymore.. but.. the question is: even with the patch applied, if some good picture gets included in the hashdb, nothing better than a white-hashdb to solve it.. :D I'm not an expert with Perl.. but it doesn't sound difficult to do.. :D

I'm not sure if I understand you correctly, but FuzzyOcr 3.x has already a whitelist hashdb :) And for all the others, I just checked in revision 40, which contains a modified fuzzy-find script, to be found at http://fuzzyocr.own-hero.net/browser/trunk/devel/Utils/fuzzy-find Please note that this is bleeding edge, if you want to try it out, go for it, but backup the database first in case something breaks... The script now features --learn-spam, and --learn-ham which will manually add the hash of a given image file, i.e.

    fuzzy-find --learn-ham somepic.gif

Best regards, Chris

Create an empty wordlist, or fill it with some bogus words, that don't appear in the image
4. Update the FuzzyOcr.cf file to point to the new wordlist. If you're using spamd don't restart, it'll keep using the correct wordlist. Otherwise you might want to stop incoming mail for a little while.
5. Pipe the message through FuzzyOcr.pm directly, it'll put the hash into the known good db.
6. Correct the config. (and restart maild).
7. Send in a feature request to update the fuzzy-find.pl script to insert hashes into a db. ;-)

-Sietse

*From:* Sietse van Zanen [mailto:[EMAIL PROTECTED]] *Sent:* Friday, November 17, 2006 20:09 *To:* Thiago LPS; users@spamassassin.apache.org *Subject:* RE: image exception with FuzzyOCR??

Of course, save the image, calculate the hash and then use the fuzzy-find.pl script to delete it from the bad hash db. Next you'll have to use a little trick to get it into the good hash db, as that's not possible from the fuzzy-find.pl script. Simply make an empty word list and yank the image through FuzzyOcr again. It'll put it into the known good db.

-Sietse

*From:* Thiago LPS [mailto:[EMAIL PROTECTED]] *Sent:* Friday, November 17, 2006 18:25 *To:* users@spamassassin.apache.org *Subject:* image exception with FuzzyOCR??

Hello everybody... is there a way to make an exception for some image that isn't SPAM... but that FuzzyOCR thinks is a spam image?? I really don't want to disable the Hashdb...

-- Thiago LPS C.E.S.A.R - Systems Administrator msn: [EMAIL PROTECTED] 0xx 81 8735 2591
Re: Bayes column 'token'
Mark wrote:

-Original Message- From: Mark [mailto:[EMAIL PROTECTED] Sent: woensdag 15 november 2006 18:15 To: 'users@spamassassin.apache.org' Subject: RE: Bayes column 'token'

Well, bayes_mysql.sql does not specify collation; so, like you said, the collation will be your MySQL server-set default. And searches in MySQL are case-insensitive by default. Might indeed perhaps be a good idea to convert to latin1_bin or some such.

Will there be any problem if I convert the current data to the new collation?

I see no indication (or reason) in the code that tokens are to be handled in a case-insensitive manner. The opposite, ere. So, I'm inclined to say that latin1_bin collation is better. I don't wanna be responsible for messing up your database, though. :) So I will test this a bit on my Vmware box.

Did the testing; and it works very smooth with latin1_bin.

PRIMARY for `id` and `token` should not have INDEX for `id` and `token` added, too.

I don't understand what you mean. The couple (id, token) is PRIMARY, not INDEX... Where exactly is the problem?

PRIMARY, like UNIQUE, always implies INDEX, too. So, adding an extra INDEX for `id` and `token` basically gives you a double INDEX for them. There's a double INDEX for `atime` too. So, I'd say, in bayes_mysql.sql, replace this:

    CREATE TABLE bayes_token (
      id int(11) NOT NULL default '0',
      token char(5) NOT NULL default '',
      spam_count int(11) NOT NULL default '0',
      ham_count int(11) NOT NULL default '0',
      atime int(11) NOT NULL default '0',
      PRIMARY KEY (id, token),
      INDEX bayes_token_idx1 (token),
      INDEX bayes_token_idx2 (id, atime)
    ) TYPE=MyISAM;

With:

    CREATE TABLE bayes_token (
      id int(11) NOT NULL default '0',
      token char(5) COLLATE latin1_bin NOT NULL default '',
      spam_count int(11) NOT NULL default '0',
      ham_count int(11) NOT NULL default '0',
      atime int(11) NOT NULL default '0',
      PRIMARY KEY (id, token),
      INDEX bayes_token_idx1 (atime)
    ) TYPE=MyISAM;

Those are multi-column indexes not duplicates.

    INDEX bayes_token_idx1 (id, atime)

is NOT the same as:

    INDEX bayes_token_idx1 (id)
    INDEX bayes_token_idx2 (atime)

Unless you've verified that the SQL used by the Bayes modules doesn't need these indexes, you probably shouldn't change these. (sorry I didn't notice this earlier in the thread)
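The collation point raised earlier in this thread can be reproduced on a scratch MySQL database. The script below is an added example, not part of any post and not SpamAssassin's own schema; the demo_token_* tables and token values are constructed, and latin1_swedish_ci is assumed as the case-insensitive server default.

```sql
-- Constructed demo: table names and token values are made up for illustration.
-- Column layout follows the bayes_token definition quoted in this thread.
CREATE TABLE demo_token_ci (
  id         int NOT NULL default 0,
  token      char(5) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL default '',
  spam_count int NOT NULL default 0,
  ham_count  int NOT NULL default 0,
  PRIMARY KEY (id, token)
);

CREATE TABLE demo_token_bin (
  id         int NOT NULL default 0,
  token      char(5) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL default '',
  spam_count int NOT NULL default 0,
  ham_count  int NOT NULL default 0,
  PRIMARY KEY (id, token)
);

-- Two tokens that differ only in letter case: one seen in spam, one in ham.
-- With latin1_bin the primary key treats them as distinct rows.
INSERT INTO demo_token_bin (id, token, spam_count, ham_count)
VALUES (1, 'aBcDe', 4, 0), (1, 'abcde', 0, 7);

-- With a case-insensitive collation the second value is a duplicate key.
-- INSERT IGNORE is used here so the script continues; a plain INSERT
-- stops with a duplicate-entry error instead.
INSERT IGNORE INTO demo_token_ci (id, token, spam_count, ham_count)
VALUES (1, 'aBcDe', 4, 0), (1, 'abcde', 0, 7);

-- Compare how many distinct tokens each table kept.
SELECT 'latin1_swedish_ci' AS coll, COUNT(*) AS tokens_stored FROM demo_token_ci
UNION ALL
SELECT 'latin1_bin', COUNT(*) FROM demo_token_bin;

-- A lookup with different case matches the stored row under the _ci
-- collation, while the _bin table compares byte for byte.
SELECT token, spam_count, ham_count FROM demo_token_ci  WHERE id = 1 AND token = 'ABCDE';
SELECT token, spam_count, ham_count FROM demo_token_bin WHERE id = 1 AND token = 'ABCDE';

-- Switching the column to the binary collation. Tokens that were already
-- folded together before the change stay as a single row.
ALTER TABLE demo_token_ci
  MODIFY token char(5) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL default '';
```

Run it against a throwaway schema, and back up a real Bayes database before altering its token column.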
Re: Rules Du Jour broken?
Thanks Chris, Appreciate the effort. I emailed him yesterday but just with notification that the link was broken. I didn't hear back, but my request was informative, not inquisitive. Wes Chris Thielen [EMAIL PROTECTED] wrote: I emailed the maintainer of exit0.us asking about the wiki site. Here is what he said: Thanks for the concern Chris, I appreciate it. To make a long story short, the person that offered to host the site (Matt) no longer works at that company. So without contacting me, they removed the site. Matt is going to get me the database from the site. So what I'm going to work on, now that I have time, is repairing the site and moving it back out to a server. I have no idea as to how long that will take since I plan on moving it to different wiki software that will hopefully be less prone to wiki vandalism. You can forward this out to the SA community if you want. AltGrendel I am trying to piece together the information that was in the wiki using google cache, wayback, etc. In the meantime, you can get the script itself from http://sandgnat.com/rdj/rules_du_jour Chris Thielen twofers wrote: Is this link having problems that anyone knows of? http://www.exit0.us/index.php?pagename=RulesDuJour I can't get to Rules Du Jour. Thanks, Wes
FuzzyOcr failing 'png' tests
(seems like the 'action' is over here ...)

i'm running SA v3.1.8-r454679, with the FuzzyOCR v3.4.2-release

$SA --lint is error-free.

testing the plugin with provided test messages,

    $SA -t -x /tmp/ocr-gif.eml
    $SA -t -x /tmp/ocr-jpg.eml
    $SA -t -x /dev/FuzzyOcr-3.4.2/samples/animated-gif.eml
    $SA -t -x /dev/FuzzyOcr-3.4.2/samples/corrupted-gif.eml
    $SA -t -x /dev/FuzzyOcr-3.4.2/samples/jpeg.eml
    $SA -t -x /dev/FuzzyOcr-3.4.2/samples/ocr-animated.eml

all show hits/scores with FuzzyOCR rules, as expected. but,

    $SA -t -x /tmp/ocr-png.eml
    $SA -t -x /dev/FuzzyOcr-3.4.2/samples/png.eml

both complete without apparent error, and score numerous other SA-rule hits, but no FuzzyOCR scores at all.

i have verified that i'm not auto-disabling FuzzyOcr,

    grep focr_autodisable_score FuzzyOcr.cf
    focr_autodisable_score 999

and, since a number of examples seem to be scoring properly, i'm guessing either FuzzyOcr itself or my config have a problem.

1st question -- can anyone verify success/failure of those png examples with their own SA+FuzzyOcr setup?

thanks.