Re: Bayes in V4 compared to V3

[Antony Stone]

On Friday 13 September 2024 at 15:13:58, Benny Pedersen wrote:

> Bill Cole skrev den 2024-09-13 15:03:
> > Please send any replies to the list only.
> 
> unsubscribe listarchivers ?
> and make archived on apache.org with bugzilla login
> don't know if it will help or not, but chicken and egg

I don't think we want to do anything to make list archives less available to 
people with questions in the future.  They should be open, public and 
unencumbered with any sort of login or access control.


Antony.

-- 
Perfection in design is achieved not when there is nothing left to add, but 
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

   Please reply to the list;
 please *don't* CC me.

Re: kam fails if askdns is disabled

[Antony Stone]

On Saturday 25 May 2024 at 16:57:21, Benny Pedersen wrote:

> Antony Stone skrev den 2024-05-25 16:52:
> > Is this a reply to something?
> 
> something ?, try disable askdns plugin, then do spamassassin --lint
> 
> succes ?
> 
> hopefully kam know why
> 
> there should not be lint errors if just check plugin is enabled, where
> all other plugins is disabled

I apologise for not having worked that out from "+1".

Antony.

-- 
I lay awake all night wondering where the sun went, and then it dawned on me.

   Please reply to the list;
 please *don't* CC me.

Re: kam fails if askdns is disabled

[Antony Stone]

On Saturday 25 May 2024 at 16:51:07, Benny Pedersen wrote:

> +1

Is this a reply to something?

Antony.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

   Please reply to the list;
 please *don't* CC me.

Re: OT: Trigger words in email addresses?

[Antony Stone]

On Monday 08 April 2024 at 05:15:58, Grant Taylor via users wrote:

> Below is my opinion, it's worth everything you paid for it.  But I do
> suggest you read it and think about it for a few minutes.

For what it's worth, I thoroughly agree with these opinions.

 - don't alienate people by sending from a DoNotReply address - it's rude

 - maximise the efficiency of your ticketing system by making it work for 
people 
who like browsers and also for people who like email

 - never send out HTML-only emails - always include a plaintext equivalent

 - make your systems transparent so that people feel they understand what's 
happening and when at different stages in the process - don't create a 
"corporate black box" which customers can't understand


Antony.

-- 
"Life is just a lot better if you feel you're having 10 [small] wins a day 
rather than a [big] win every 10 years or so."

 - Chris Hadfield, former skiing (and ski racing) instructor

   Please reply to the list;
 please *don't* CC me.

Re: symlinking config files

[Antony Stone]

On Friday 05 January 2024 at 19:53:00, Thomas Krichel wrote:

>   I'm running version 4.0.0-8 on debian testing. This is for
>   Mailman. I have a script that creates a welcomelist for all my
>   Mailman members. I include it via a symlink.

>   Clearly spamassassin follows the symlink and reads the file.

>   But
> 
> # spamc -R < /tmp/test.mail
> 
>   does not see the welcomelisted user. It's only when I remove the
>   syslink, and replace it with the file

>   and restart that
> 
> # spamc -R < /tmp/test.mail
> 
>   sees the welcomelisted user. I am puzzled by this.

I would look at the ownership / permissions of the file, and the directories it 
is under, in both cases.

Check the user which spamc runs as and ensure that this user can read the file 
which is symlinked to.

Testing stuff as root can be misleading.


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.

Re: Beginner Setting up Spam Assassin

[Antony Stone]

On Saturday 30 December 2023 at 11:54:33, FalconChristopher wrote:

> The comment by Michael Grant ?

Yes, the comment I quoted below.  He is suggesting how you can deal with this 
problematic user you want to "eliminate spam coming in from".

> On 12/30/2023 5:52 AM, Antony Stone wrote:
> > On Saturday 30 December 2023 at 11:48:30, FalconChristopher wrote:
> >> Hi, can I not ask how to set up Spam Assassin in this mailing group it
> >> is a group for Spam Assassin.
> > 
> > That comment was a recommendation of how you can achieve what you want
> > to.
> > 
> >> On 12/30/2023 4:30 AM, Michael Grant wrote:
> >>> Can you ban this user in whatever your equivalent of the access file
> >>> is so instead of putting the messages into a spam folder, you reject
> >>> messages from that address at delivery time (SMTP)?
> > 
> > Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

   Please reply to the list;
 please *don't* CC me.

Re: Beginner Setting up Spam Assassin

[Antony Stone]

On Saturday 30 December 2023 at 11:48:30, FalconChristopher wrote:

> Hi, can I not ask how to set up Spam Assassin in this mailing group it
> is a group for Spam Assassin.

That comment was a recommendation of how you can achieve what you want to.

> On 12/30/2023 4:30 AM, Michael Grant wrote:
> > Can you ban this user in whatever your equivalent of the access file
> > is so instead of putting the messages into a spam folder, you reject
> > messages from that address at delivery time (SMTP)?


Antony.

-- 
Users don't know what they want until they see what they get.

   Please reply to the list;
 please *don't* CC me.

Re: external API request

[Antony Stone]

On Friday 27 October 2023 at 17:07:41, John Hardin wrote:

> On Fri, 27 Oct 2023, Antony Stone wrote:
> > On Friday 27 October 2023 at 16:56:36, DEMBLANS Mathieu wrote:
> >> Hi,
> >> Anyone know if there is a way to request an external API throught a
> >> spamsassassin plugin ? It will be to search an URL extracted by SA from
> >> a body of a mail and check if it's referenced with an API request on an
> >> external service (virustotal or other). We receive some mails with URL
> >> inside whose page contains malware. One day, a user will click on it...
> >> If I can junk it before, it would be great.
> > 
> > You may want to be cautious about "checking" URLs in this way, because
> > some emails will contain things like "to unsubscribe, click here" or
> > "accept meeting invitation?" and so on.
> > 
> > You do not really want some automated system "clicking" on URLs like that
> > and triggering external events either without the user's knowledge (they
> > haven't even seen the email at this stage) or indeed doing something
> > they do not want.
> 
> It doesn't sound like it will *visit* the link, just ask some service if
> the like has a reputation.

Fair enough; I still think it's something worth keeping in mind, though, 
depending on what the OP meant by "virustotal or other" :)

Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

   Please reply to the list;
 please *don't* CC me.

Re: external API request

[Antony Stone]

On Friday 27 October 2023 at 16:56:36, DEMBLANS Mathieu wrote:

> Hi,
> Anyone know if there is a way to request an external API throught a
> spamsassassin plugin ? It will be to search an URL extracted by SA from a
> body of a mail and check if it's referenced with an API request on an
> external service (virustotal or other). We receive some mails with URL
> inside whose page contains malware. One day, a user will click on it...
> If I can junk it before, it would be great.

You may want to be cautious about "checking" URLs in this way, because some 
emails will contain things like "to unsubscribe, click here" or "accept 
meeting invitation?" and so on.

You do not really want some automated system "clicking" on URLs like that and 
triggering external events either without the user's knowledge (they haven't 
even seen the email at this stage) or indeed doing something they do not want.


Antony.

-- 
Because it messes up the order in which people normally read text.
> Why is top-posting such a bad thing?
> > Top-posting.
> > > What is the most annoying way of replying to e-mail?

   Please reply to the list;
 please *don't* CC me.

Re: My apologies

[Antony Stone]

On Wednesday 02 August 2023 at 21:39:31, Thomas Cameron via users wrote:

> I was notified privately that Reindl Harald is blocked on this list. I 
> replied to him and accidentally polluted the list with more of his
> toxicity. I apologize, and I've blocked him on my mail server, as well.

We've all had to learn about him (sometimes on several lists) at some time or 
other.  Thanks for the apology, but his attitude is his own, and you've done 
nothing to cause that.  He responds to almost everybody in the same anti-
social (to put it mildly) manner.

Don't worry about it - just carry on with talking to reasonable people 
instead.


Antony.

-- 
If you were ploughing a field, which would you rather use - two strong oxen or 
1024 chickens?

 - Seymour Cray, pioneer of supercomputing

   Please reply to the list;
 please *don't* CC me.

Re: Install plugins into embedded spamassassin

[Antony Stone]

On Saturday 25 February 2023 at 15:30:13, hg user wrote:

> Hi,
> I'd like to install at least one plugin in my embedded spamassassin,
> installed inside Zimbra.
> I'm a bit afraid of breaking stuff, about missing dependencies and so on.
> 
> I'm on SA 3.4.5 and - as a test - I'd like to install ESP plugin.

You might well be better off asking the Zimbra people, assuming that this 
"embedding" was done by them.

People here will know about "standard SA" but how it's been integrated into 
another product is going to be that other product's area of expertise.


Antony.

-- 
The GNU General Public Licence was first published on this day in 1989
https://www.gnu.org/licences/gpl.html

   Please reply to the list;
 please *don't* CC me.

Re: [ANNOUNCE] Apache SpamAssassin 4.0.0 available

[Antony Stone]

On Tuesday 20 December 2022 at 13:13:20, Benny Pedersen wrote:

> there is 2 kind of people, one that do understand jokes, and the other

In general I find that it helps greatly if the person telling a joke is clear 
that that is what they are doing.

In speech / face-to-face situations this can be achieved by tone of voice 
and/or body language, but those being missing from pure text communications 
means that most people have adopted the use of :) and similar to indicate that 
they would smile whilst saying it if you could see them.

Also, bear in mind that the word "funny" in English does not only mean 
"amusing" - it can also indicate some degree of "strange" - as in "hm, it's 
very quiet - that's funny".


Hope that helps,


Antony.

PS: There are 10 types of people in the world.
Those who understand binary, and those who don't.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

   Please reply to the list;
 please *don't* CC me.

Re: Txrep, add-addr-to-whitelist

[Antony Stone]

On Thursday 16 December 2021 at 21:43:04, Peter wrote:

> Thanks, I hadn't thought about that.
> 
> I am curious though, I normall hit Reply rather than Reply to All, and with
> your email Reply just uses your own address,

That, I find strange.

For me, selecting my own reply on the list, and then clicking on Reply, gives 
me "users@spamassassin.apache.org"

> I need to hit Reply to All to get it on the list.

In my opinion, Reply-to-all on a mailing list is usually a bad idea.

Anyone who has sent a message to the list is subscribed to the list, so if you 
reply to the list (only), they will see your reply.  They do not need their 
own copy.

For example, see my sig below (and on every other posting I have made to this 
this and every other list) "Please reply to the list, and please don't CC me"

> Is that what has been happening with mine, and why does it happen with
> replies to your posts?

I don't know, but take a look at headers on my reply:
https://mail-archives.apache.org/mod_mbox/spamassassin-
users/202112.mbox/raw/<202112162128.27630.antony.st...@spamassassin.open.source.it>

Nowhere there does it say "reply to my personal address", therefore I would 
expect your mail client simply to reply to the list.

However, this is not answering the original point, which is that your mail 
client *is* inserting a Reply-To header, therefore some people reply to you 
alone and not to the list:

https://mail-archives.apache.org/mod_mbox/spamassassin-
users/202112.mbox/raw/<202112170116100961.03849...@nx33.ace.net.au>

> Is this post better?

No, because it was sent both to the list and to me personally.  Quite 
redundant.


I can only suggest that this is one of the many ways in which MS Outlook is a 
disappointing mail client.

I cannot help you to fix that, beause I have never used it.


Antony.

-- 
"I find the whole business of religion profoundly interesting.  But it does 
mystify me that otherwise intelligent people take it seriously."

 - Douglas Adams

   Please reply to the list;
 please *don't* CC me.

Re: Txrep, add-addr-to-whitelist

[Antony Stone]

On Thursday 16 December 2021 at 21:21:28, Peter wrote:

> I was thinking that replies would show up here.

> Perhaps I should create an account on a mail server without RBL blocking?

Either that, or (preferably) stop your email client from enforcing a Reply-To 
address which is different from the mailing list.

Then you will receive replies from people via the list.


Antony.

-- 
Python is executable pseudocode.
Perl is executable line noise.

   Please reply to the list;
 please *don't* CC me.

Re: problems updating when using a cron job on debian 11

[Antony Stone]

On Friday 03 September 2021 at 11:23:19, Jean-François Bachelet wrote:

> Le 03/09/2021 à 09:11, Bob Proulx a écrit :
> > Jean-François Bachelet wrote:
> >
> >> user create
> >> 'useradd -u 5001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin
> >> spamd' mkdir /var/lib/spamassassin
> >> chown -R spamd:spamd /var/lib/spamassassin
> > 
> > At that moment the installation was broken by these actions!
> > Permissions and ownership were set so as to prevent it from working.
> 
> ok, so what should be the right things to do here ? without explaining
> what's wrong that doesn't help.

Install the package and do not create users or modify ownerships / permissions 
afterwards.


Antony.

-- 
"Hi, I've found a fault with the English language and I need an entomologist."
"I think you mean an etymologist."
"No.  It's a bug, not a feature."

   Please reply to the list;
 please *don't* CC me.

Re: problems updating when using a cron job on debian 11

[Antony Stone]

On Thursday 02 September 2021 at 12:03:22, Jean-François Bachelet wrote:

> Hello folks ^^)
> 
> 
> I've installed the latest spamassassin version on a new Debian 11 server

How did you install it?


Antony.

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.

   Please reply to the list;
 please *don't* CC me.

Re: Customise hostname shown in X-Spam-Checker-Version?

[Antony Stone]

On Saturday 31 July 2021 at 21:02:12, David Bürgin wrote:

> > add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on
> > mail.mydomain.ch

> > X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
> > mail.mydomain.ch
> 
> A final remark: This solution has a side effect. It changes the order of
> inserted headers so that X-Spam-Checker-Version is now the last instead
> of the first X-Spam- header … … all right then.

Maybe any "added" headers always go at the end, and anything they replace 
simply gets deleted from where it otherwise would have been?


Antony.

-- 
Don't procrastinate - put it off until tomorrow.

   Please reply to the list;
 please *don't* CC me.

Re: Customise hostname shown in X-Spam-Checker-Version?

[Antony Stone]

On Friday 30 July 2021 at 21:13:43, David Bürgin wrote:

> Is there a way to customise the hostname shown in the line:
> 
> X-Spam-Checker-Version:

No.

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html
#BASIC-MESSAGE-TAGGING-OPTIONS

"Here are some examples (these are the defaults, note that Checker-Version can 
not be changed or removed)"

Antony.

-- 
"If I've told you once, I've told you a million times - stop exaggerating!"

   Please reply to the list;
 please *don't* CC me.

Re: Identifying Amazon hosts...

[Antony Stone]

On Wednesday 28 July 2021 at 19:51:49, Pedro David Marco wrote:

> Hi!
> i have spam with this header:
> 
>  Received: from a48-115.smtp-out.amazonses.com (HELO
> a48-115.smtp-out.amazonses.com) (54.240.48.115)
> 
> Is there any way, based on its fqdn, to know whether an Amazon smtp host is
> public or dedicated?

Apologies for what may seem like a silly question, but what's the difference?


Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

   Please reply to the list;
 please *don't* CC me.

Re: SPAM scanned twice

[Antony Stone]

On Monday 12 July 2021 at 20:07:16, Joe Acquisto-j4 wrote:

> SpamAssassin 3.4.5 (2021-03-20) on Suse Leap 15.2 (their distro IIRC)
> 
> Noticed that mail marked as SPAM was scanned again by SA after it had been
> "disposed" as an attachment.
> 
> I uncommented  "report_safe 0" and did a restart of SA.   Next SPAM came
> through as a normal email, still marked as SPAM and only scanned once.

I think we'd need to know a bit more about how you have SpamAssassin connected 
in with your MTA, and what your delivery paths are, to be able to comment 
usefully.


Antony

-- 
GIT/E d- s+:--(-) a+ C$(---) UL$ P+(---)>++ L+++()$ !E W(-) N(-) 
o? w--(---) O !M V+++(--) !PS !PE Y+ PGP+> t- !tv@ b+++ DI++ D--- e+++(*) h++ 
5? !X- !R K--? G-

   Please reply to the list;
 please *don't* CC me.

Re: My 10 years old domain have a bad TLD

[Antony Stone]

On Wednesday 05 May 2021 at 12:15:41, Denis Chenu wrote:

> Hi Dominic,
> 
> Le 03/05/2021 à 09:28, Dominic Raferd a écrit :
> > I have another personal rule which adds +6 for 'unusual' domains -
> > including .pro - so your chance of getting an email through to my users
> > is zero (sorry), unless indirectly (e.g. via mailing list).
> 
> I have a question about this : you don't offer any way to postmaster of
> «unusual» domain to contact you postmaster ?
> 
> I hope you send a SMTP error code to inform clean user you disallow them
> to send email.

Why not just send a private email and find out?  You could even send it to the 
postmaster address.


Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

   Please reply to the list;
 please *don't* CC me.

Re: Why does SA add SPF check fail to this message?

[Antony Stone]

On Saturday 24 April 2021 at 12:22:15, Yuri wrote:

> All messages from the FreeBSD mailing list are labeled as 'SPF check fail'.

I would firstly observe that you (or whomever runs mail0.{redacted}.com) are 
running SpamAssassin version 3.3.1 (eleven years old now), so therefore i 
wonder how up-to-date your rulesets are.

I also agree with Mr Paeps' observation that 1.0 for an SPF fail, even if 
incorrect, is making very little difference compared to the 8.4 you're getting 
from the Chickenpox tests.

Are you aware of any other subscribers to the FreeBSD list with more current 
releases of SA encountering the same problem?

> Here is the message:
> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=224393
> 
> People said that SA does this by mistake:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255356
> 
> Is it a mistake? A bug in SA? Or can something be done to fix this?

Regards,


Antony.

-- 
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner

   Please reply to the list;
 please *don't* CC me.

Re: How do you set nomail for the List?

[Antony Stone]

On Tuesday 20 April 2021 at 23:27:14, Bob Proulx wrote:

> I was not aware that this mailing list requires one to be subscribed
> to post to it.  Does it?  It's not necessary on most technical mailing
> lists.

I would in fact say the exact opposite: most mailing lists do require 
subscription in order to post, primarily in order to reduce spam from random 
addresses.

After all, if just anyone, without subscription, can post to a list, then it's 
open to the entire Internet, and then, as we all know, anarchy ensues...

At least if you have to subscribe first:

a) the subscription process itself is a barrier to bots

b) a list admin can block unwanted posters.


Antony.

-- 
I know I always wanted to be somebody, but I guess I should have been more 
specific.

   Please reply to the list;
 please *don't* CC me.

Re: How do you set nomail for the List?

[Antony Stone]

On Tuesday 20 April 2021 at 22:54:29, RW wrote:

> On Tue, 20 Apr 2021 10:21:57 -0600 Bob Proulx wrote:
> > Don Saklad wrote:
> > > How do you set nomail for the List?
> > 
> > To unsubscribe send an email message to this address.  Followed by a
> > pre-mangled address for the web archive readers that hide email
> > addresses.
> > 
> > users-unsubscr...@spamassassin.apache.org
> 
> I think the question was getting no mail without unsubscribing and
> losing the ability to post. This is useful if you read a list by other
> means, e.g. via NNTP.

I thought the question was for someone being away for some time and not 
wanting to build up list emails which wouldn't be replied to, and therefore 
probably also wouldn't be worth reading upon the return.

mailman supports this on its web interface; I can't see the equivalent 
function on what this list runs on.

Incidentally, I had no idea what "a pre-mangled address for the web archive 
readers" meant.


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


   Please reply to the list;
 please *don't* CC me.

Re: Spoofed amazon order email

[Antony Stone]

On Friday 16 April 2021 at 17:26:40, Dave Wreski wrote:

> > And how the hell is google letting this crap flow out of its email
> > service, anyway?
> 
> Because they're in the email business, not the email security business.

I would add that Google do spam filtering on *inbound* mail, because that means 
they can tell their users (customers) that Google is protecting them.

For *outbound* email going to the rest of the world, that's their (rest of 
world) lookout.


Antony.

-- 
I thought I had type A blood, but it turned out to be a typo.

   Please reply to the list;
 please *don't* CC me.

Re: Spoofed amazon order email

[Antony Stone]

On Friday 16 April 2021 at 17:10:14, Steve Dondley wrote:

> First, thanks to everyone on the list how has given me a hand over the
> past couple of weeks as I get my "sea legs" with spamassassin. It's
> working well for me now but I obviously still have more to learn.
> 
> For one, I'm still uncertain on the best way to fine tune SA to beat
> back some tricky spam. Like this one that comes from a gmail account but
> spoofs a fake, expensive order on amazon to try to phish the user.

Not an answer to your question, but a piece of advice about asking questions 
like this:

Don't paste the (suspect) spam email into what you post to the list:

1. The formatting may get corrupted either by your sending mail client or by 
recipients' mail clients, making it hard to read accurately

2. Many people on this list run spam filters (!) meaning that your posting may 
not reach them at all, because of its content

Far better to put the suspect mail onto pastebin.com or similar and then 
provide a link to that on this list.

Regards,


Antony.

-- 
Heisenberg, Gödel, and Chomsky walk in to a bar.
Heisenberg says, "Clearly this is a joke, but how can we work out if it's 
funny or not?"
Gödel replies, "We can't know that because we're inside the joke."
Chomsky says, "Of course it's funny. You're just saying it wrong."

   Please reply to the list;
 please *don't* CC me.

Re: Is pyzor recommended by folks on this list?

[Antony Stone]

On Sunday 11 April 2021 at 23:27:26, Benny Pedersen wrote:

> On 2021-04-11 23:20, RW wrote:
> > 
> > I don't see the advantage. You might just as well submit to the shared
> > server so everyone benefits.
> > 
> > Pyzor is not a realistic substitute for Bayes.
> 
> and centralizion on prolems is just another problem

Why do you say that?  Surely sharing a larger common pool of spam indicators 
is in everyone's interests?

Every individual trying to solve the same problems each on their own is 
certaily the least efficient solution possible?

> i prefer jabber over irc or any other solotions,

I don't understand the relevance of that comment?

> my point is valid as writed, remote pyzor servers dont know what is spam or
> not localy, but it could share results if wanted, but this was never
> implemented into pyzord or pyzor client

I must be confused then - what do you believe *is* the purpose of pyzor?


Antony.

-- 
These clients are often infected by viruses or other malware and need to be 
fixed.  If not, the user at that client needs to be fixed...

 - Henrik Nordstrom, on Squid users' mailing list

   Please reply to the list;
 please *don't* CC me.

Re: Problem installing sa on my pi 3b+

[Antony Stone]

On Wednesday 07 April 2021 at 12:05:42, spamassas...@mach2.franken.de wrote:

> Ok so it seems I cant do anything to get it running on my side.
> Funny enough that I use the official raspian which I kept up to date
> with 'sudo apt-get update'
> and now the 'sudo apt-get install that claims to use the newest version
> (3.4.2-1+deb10u3) keeps running into such an error.
> How to find out who the packet maintainer is?

You said somewhere else:

> I am running said packet install from an internet tutorial.

Who wrote that tutorial and where does it point you to get the packages from?


Antony.

-- 
There are 10 types of people in the world:
those who understand binary notation,
and those who don't.

   Please reply to the list;
 please *don't* CC me.

Re: How do I efficiently share a database with all users?

[Antony Stone]

On Thursday 11 March 2021 at 18:42:59, Steve Dondley wrote:

> I have a few different mail servers. I harvest mail from the servers and
> periodically sort them into ham/spam folders and then share the sorted
> mail back out to the servers

> How can I run sa-learn once on the system and then share the generated
> database with each user?

Frankly, I would say: you shouldn't.

In general, running a single SpamAssassin filter on a mail server with multiple 
users (especially if their email addresses are in multiple domains) gives far 
poorer results than doing per-user Bayes learning.

By combining the spam / ham folders over multiple machines, you're just 
exacerbating the problem.

So, my recommendation is to keep each user's mail feed separate, run 
SpamAssassin so that it uses per-user Bayes databases, and save yourself the 
work of combining the folders from multiple servers.


Antony.

-- 
Douglas was one of those writers who honourably failed to get anywhere with 
'weekending'.  It put a premium on people who could write things that lasted 
thirty seconds, and Douglas was incapable of writing a single sentence that 
lasted less than thirty seconds.

 - Geoffrey Perkins, about Douglas Adams

   Please reply to the list;
 please *don't* CC me.

Re: SA's bayes with the Redis backend?

[Antony Stone]

On Thursday 11 February 2021 at 17:21:41, deano-spamassas...@areyes.com wrote:

> Is there an easy/efficient way of converting an existing mariadb bayes
> database to redis?
> 
> Perhaps "sa-learn --backup", set up redis, then restore?

https://www.mail-archive.com/users@spamassassin.apache.org/msg107512.html 
answers this for you, I think :)


Antony.

-- 
There are two possible outcomes:

 If the result confirms the hypothesis, then you've made a measurement.
 If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi

   Please reply to the list;
 please *don't* CC me.

Re: apache.org is blacklisted

[Antony Stone]

On Wednesday 27 January 2021 at 17:00:49, RW wrote:

> On Wed, 27 Jan 2021 13:40:36 +0100
> 
> Matus UHLAR - fantomas wrote:
> > while we're here, was anyone able to get their page in english
> > language?
> > 
> > https://spfbl.net/en/project/
> 
> Yes, at the top right of the page you can select language. If you put
> your mouse pointer over it a menu appears - it can take a few seconds.

The selector is there, yes, but it doesn't change the language of the page.


Antony.

-- 
I bought a book on memory techniques, but I've forgotten where I put it.

   Please reply to the list;
 please *don't* CC me.

Re: What does that rule mean "SUBJ_OBFU_PUNCT FEW"

[Antony Stone]

On Wednesday 13 January 2021 at 16:57:55, Philipp Ewald wrote:

> Hello,
> 
> we try to deliver mails to GMX/WEB but we got frequency blocked because
> "ro-reply@ Mails" hits following rules:

Sorry, but what do you mean by "ro-reply@ Mails"?

> SUBJ_OBFU_PUNCT_FEW -> Possible punctuation-obfuscated Subject: header
> 
> SUBJ_OBFU_PUNCT_MANY ->  Punctuation-obfuscated Subject: header

Can you give us an example of the Subject line you're trying to send the 
emails with?


Antony.

-- 
"I think both KDE and Gnome suck - I'm quite unbiased in that, because I use a 
Mac."

 - Jason Isitt

   Please reply to the list;
 please *don't* CC me.

Re: UNSUBSCRIBE

[Antony Stone]

On Wednesday 23 December 2020 at 22:29:50, Alan wrote:

> On 2020-12-23 16:22, Richard Ozer wrote:
> 
> To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org
> 
> For additional commands, e-mail: users-h...@netbeans.apache.org
> 

Hm, strange - I thought it was (quoting from the headers of any email on this 
list):

list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 


Antony.

-- 
"If I've told you once, I've told you a million times - stop exaggerating!"

   Please reply to the list;
 please *don't* CC me.

Re: What can one do abut outlook.com?

[Antony Stone]

On Sunday 25 October 2020 at 17:05:26, Marc Roos wrote:

> Google, Amazon and Microsoft have billions of cash. It is indeed a
> wonder how they are not spending it on outgoing mail detection.

Why do they need to?

Customers use their services anyway, and are either:

a) spammers, in which case they're happy that the above does not happen, or

b) non-spammers, in which case they don't really care whether their outbound 
email is filtered, so long as it gets delivered.

In the (b) case, if there *were* filtering, any false positives (ie: legitimate 
emails which got blocked) would harm the provider's reputation and customer 
satisfaction.

Also in the (b) case, anyone who blocks email from the provider is "obviously" 
causing the problem themselves, and therefore doing themselves harm.

> Nobody was saying so. Best is to block just the ip addresses that your
> receive spam from.

How does that help?  Those providers don't set up different IP addresses for 
email from different customers.  Everyone's email (spammers and non-spammers) 
gets processed by the entire farm of outbound MTAs.

> if their ip addresses a randomly blocked by many other providers. All their
> queues will start using more resources bouncing around mails,

I doubt that is much of a concern for these size organisations.

> having to explain to their clients why sometimes a mail is send and
> sometimes rejected,

Ha.  I don't think their support staff extend to that level of assistance.

> costs increase, thus more incentive to kick out spammers or spend more
> on prevention.

No.  Email is a cheap service to provide alongside all the other services 
they're charging their customers the real money for,

> > If you block something, you have to ask yourself: How many innocent,
> > unsuspecting legitimate senders
> 
> Who cares, these "unsuspecting legitimate senders" should take their
> business somewhere else.

I suspect you don't have any of them as customers.  Telling them to change 
their mail service provider is simply going to tell them to use another 
organisation instead of yours.  If you block their email you clearly don't 
want to do business with them.

> > If you block even one innocent sender as collateral damage, you should
> > not block that email provider, regardless how annoying it is.
> 
> What a non-sense. This is how spammers currently work, mix legitimate
> mail with spam. Just block ip's, it is not your fault they are sending
> you spam. Nobody can blame you, if you do not want to do the work that
> Amazon, Google and Microsoft should be doing.

Blocking IPs cannot work in a commercial environment (by which I mean, you 
want to receive emails from legitimate enquireres for your commercial 
services, or from existing customers).


Antony.

-- 
Atheism is a non-prophet-making organisation.

   Please reply to the list;
 please *don't* CC me.

Re: The most efficient SPAM implementation ever

[Antony Stone]

On Sunday 11 October 2020 at 16:28:12, Rick Macdougall wrote:

> Hi,
> 
> Are you running sa-learn as the same user that spamd runs as ?
> 
> Running sa-learn as root won't help the scores.

I've been aware of this advice / requirement almost since I started using SA.

However, I've never been quite sure of:

1. If you run it as the wrong user, does the data get stored in the wrong 
place, or is it simply lost?

2. If it's stored in the wrong place, is there any way of transferring or 
merging it back in to where it should be instead?


Thanks,


Antony.

-- 
https://tools.ietf.org/html/rfc6890 - providing 16 million IPv4 addresses for 
talking to yourself.

   Please reply to the list;
 please *don't* CC me.

Re: Spamassassin Email Alert

[Antony Stone]

On Wednesday 02 September 2020 at 12:35:15, KADAM, SIDDHESH wrote:

> Hi,
> 
> I want to send a mail to local admin If any mail body matches a content
> of a specific words.

Have you considered https://www.mailscanner.info/ ?


Regards,


Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.

Re: Constructive solution to the blacklist thread

[Antony Stone]

On Thursday 23 July 2020 at 22:44:51, Michael Orlitzky wrote:

> The Apache foundation has some cash laying around. Make whatever wording
> changes you like, but **at the same time**, donate a meaningful amount
> of money to a cause like the ACLU or the defense/medical funds for the
> protestors.

Don't you have that the wrong way around?

All these IT companies, groups and foundations who are changing their wording 
to make the world a better place are doing what the ACLU has been trying to do 
for years, so surely the ACLU should be funding the IT support people who have 
to deal with the extra workload of managing these changes?

The oppressed societal groups get the improvement they've been waiting for, 
the ACLU doesn't have to work so hard, and the IT support staff get compensated 
for the extra work they have to do for the benefit of society.

Of course, that model all breaks down if you don't really believe that these 
changes are going to make the world a better place, or that the oppressed 
societal groups are not in fact going to be better off as a result of changing 
the word black to block an an email filtering system, but nobody really thinks 
that, do they?

Note for those challenged by sarcasm or irony: I do not agree with the change 
and I do not think it will have the effects it is being done in the name of.


Antony.

-- 
"Good health" is merely the slowest rate at which you can die.

   Please reply to the list;
 please *don't* CC me.

Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about SpamAssassin's upcoming change

[Antony Stone]

On Thursday 23 July 2020 at 04:36:41, Olivier wrote:

> I am wondering what grey list should be renamed...

Why - has the zombie population started complaining about racial slurs?


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.

Re: IMPORTANT NOTICE: Rules referencing WHITELIST or BLACKLIST in process of being Renamed

[Antony Stone]

On Sunday 19 July 2020 at 19:56:34, Kevin A. McGrail wrote:

> We only publish one set of rules so you will see that become welcome
> instead of white.

My feeling on this is that such a breaking change requires a fairly lengthy 
backward-compatible transition period (with appropriate warning messages for 
those still using the old terminology, but not such that it no longer works), 
rather than just switching over suddenly from "old" to "new" with no "dual 
use" interim period.

In other words, support both "black" and "block", and "white" and "welcome", 
for at least 3 months, I suggest.


Antony.

-- 
What do you call a dinosaur with only one eye?  A Doyouthinkesaurus.

   Please reply to the list;
 please *don't* CC me.

Re: Screwed-up scoring

[Antony Stone]

On Sunday 19 July 2020 at 17:44:27, Linkcheck wrote:

> Thanks to those responsible for screwing up the scoring of my
> spamassassin installation. It's been working well for years but now my
> changes to scoring have been cancelled due to renaming
> whitelist/blacklist to whatever.
> 
> I noticed it purely by accident this morning: USER_IN_WHITELIST_TO no
> longer gave me the expected score because it has now been replaced by
> USER_IN_WELCOMELIST_TO.

I think you must quite possibly be the only person on this list who has not 
noticed the 223 emails containing "IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK" 
in the subject line over the past 9 days discussing precisely this change.

I sympathise with you - I really do - I do not agree with the changes which 
have occurred, the reasons for them, or the lack of discussion with the 
community before they were implemented, but I find the fact that you haven't 
noticed they have already been done and have been announced here quite 
remarkable.

> Can someone post a list of ALL the new names, with their originals, please?

Excellent request - I'm surprised that the powers-that-be who have implemented 
these changes haven't simply done this as a matter of course.

I see no mention of such a list in the bug report (how ironic that a bug 
report gets filed to announce the introduction of a bug into the software...) 
which was quoted in the original announcement of this fait accompli to the 
list:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7826


Regards,


Antony.

-- 
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

   Please reply to the list;
 please *don't* CC me.

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

[Antony Stone]

On Friday 17 July 2020 at 19:17:42, Ted Mittelstaedt wrote:

> this entire "movement" about changing language boiled down is nothing more
> than yet another example of white people deciding what is best for people of
> color - like has been going on for centuries.

I applaud your comment, but I have to say that I think that where it matters 
it is falling on deaf ears.
 
> Let me be the first white man to extend an apology to the few people of
> color on these projects that we never actually bothered asking your
> opinions on something we had no business mucking around with.

Me 2°


Antony.

-- 
Why are sea-faring brigands unable to calculate the circumference of a circle?
Because they guess the value of Pi.
(Sorry, this joke only really works well in German).

   Please reply to the list;
 please *don't* CC me.

Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about SpamAssassin's upcoming change

[Antony Stone]

On Friday 17 July 2020 at 12:50:57, Noel Butler wrote:

> ahhh ye ol  "your opinion differs from mine,  so I want you gone"

No, I don't mind you having a different opinion, or even expressing it 
reasonably, but the language and attitude towards other individuals which you 
displayed in the comment below is not in my opinion acceptable on a mailing 
list.

> yes, sums your type up rather nicely, desperate for approval and
> pathetic...
> 
> On 17/07/2020 18:44, Antony Stone wrote:
> > On Friday 17 July 2020 at 00:58:05, Noel Butler wrote:
> >> I did 24 hours back wanker, but just for you, I'll continue it
> > 
> > I request that anyone with this attitude to the list, and to people on
> > it, be removed.
> > 
> > Antony.

-- 
Pavlov is in the pub enjoying a pint.
The barman rings for last orders, and Pavlov jumps up exclaiming "Damn!  I 
forgot to feed the dog!"

   Please reply to the list;
 please *don't* CC me.

Re: Thanks to Guardian Digital & LinuxSecurity for the nice post about SpamAssassin's upcoming change

[Antony Stone]

On Friday 17 July 2020 at 00:58:05, Noel Butler wrote:

> I did 24 hours back wanker, but just for you, I'll continue it

I request that anyone with this attitude to the list, and to people on it, be 
removed.


Antony.

-- 
"There is no reason for any individual to have a computer in their home."

 - Ken Olsen, President of Digital Equipment Corporation (DEC, later consumed 
by Compaq, later merged with HP)

   Please reply to the list;
 please *don't* CC me.

Re: spamhaus enabled by default

[Antony Stone]

On Tuesday 14 July 2020 at 23:23:29, Martin Gregorie wrote:

> On Tue, 2020-07-14 at 22:59 +0200, Antony Stone wrote:
> > On Tuesday 14 July 2020 at 21:46:11, Martin Gregorie wrote:
> > > This info should include lots of black (hashmarks, asterisks etc).
> > 
> > You should be careful of the language you use these days, especially
> > on this list.
> > 
> > Yes, I am being sarcastic about what you wrote, but I'm also being
> > serious about the apparent power of the language police.
> 
> I don't underestimate the power of the thought police (McCarthy was the
> standout example of *THAT*) or their, sometimes wilful, ignorance. You
> know what I meant, but if I'd written something like "include big blocks
> of attention-getting high-density characters", might that be interpreted
> as an attack  on the comprehensionally challenged?

1. Yes, and those sectors of society defending the mentally deficient might be 
somewhere back in the queue waiting their turn to have a bit of a go at us for 
talking like this

2. My comment was not aimed at you in any way at all - it was an observation 
to other people on this list about a different discussion thread which you may 
have noticed in recent days (which, ironically enough, does include big blocks
of attention-getting high-density characters in its subject line).


Antony.

-- 
https://tools.ietf.org/html/rfc6890 - providing 16 million IPv4 addresses for 
talking to yourself.

   Please reply to the list;
 please *don't* CC me.

Re: spamhaus enabled by default

[Antony Stone]

On Tuesday 14 July 2020 at 21:46:11, Martin Gregorie wrote:

> This info should include lots of black (hashmarks, asterisks etc).

You should be careful of the language you use these days, especially on this 
list.

Yes, I am being sarcastic about what you wrote, but I'm also being serious 
about the apparent power of the language police.


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it means it doesn't work.

   Please reply to the list;
 please *don't* CC me.

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

[Antony Stone]

On Friday 10 July 2020 at 14:37:09, Mauricio Tavares wrote:

>   How long until we have to rename electrical and mechanical
> connectors?

Shortly after the astrophysicists have found an inoffensive term for black 
holes, various military agencies have stopped running black ops, all the 
various meanings of https://en.wikipedia.org/wiki/Black_friday have been 
changed, and my poodle has been re-defined as "extreme dark grey".

I'd also just like to remind people:

On Friday 10 July 2020 at 10:30:51, Dan Malm wrote:

> https://en.wikipedia.org/wiki/Blacklisting#Origins_of_the_term
> The term has nothing to do with race.


Antony.

-- 
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

   Please reply to the list;
 please *don't* CC me.

Re: IMPORTANT NOTICE FOR PEOPLE RUNNING TRUNK re: [Bug 7826] Improve language around whitelist/blacklist and master/slave

[Antony Stone]

On Saturday 11 July 2020 at 12:42:43, hospice admin wrote:

> Concentrating on the technical issues below ...
> 
> I think there's a fairly wide consensus among those posting on this thread,
> myself included,  that this does not 'make the technology better'.
> 
> That's the point I was attempting to make about Mercedes ... painting their
> cars a different colour does nothing to make it better or worse ... just
> different [in a way that has nothing to do with practical support for
> diversity of any kind].
> 
> For me, the risks of messing up Spam Assassin [or anything else] for months
> to come completely outweighs the benefits of a token 'tip of the hat'
> towards diversity.

Unfortunately you speak with the voice of reason, and that is never welcome 
when people are bent on enforcing "political correctness" on the world.

Any dissenting opinion is regarded as "missing the point" or being 
"insensitive to the oppressed", whether the situation in which the correctness 
police are enforcing their views has anything to do with the oppressed or not.

I wish you luck in asking people to debate the real question of whether there 
is in fact any problem to be solved, and if there is, what is the sensible way 
to solve it.

For my part, until anyone can show that the use of words such as blacklist or 
master/slave in technology has anything to do with racial references and are 
therefore being used in an offensive way, rather than as standard terms for the 
industry with no reference at all to human social groups, they're just 
demonstrating themselves as stirring up trouble and heated debate where there 
is no real problem.


Antony.

-- 
I conclude that there are two ways of constructing a software design: One way 
is to make it so simple that there are _obviously_ no deficiencies, and the 
other way is to make it so complicated that there are no _obvious_ 
deficiencies.

 - C A R Hoare

   Please reply to the list;
 please *don't* CC me.

Re: Really simple setup guide

[Antony Stone]

On Friday 10 July 2020 at 11:02:23, Matthew Broadhead wrote:

> i tried to set up bayes training before but i feel that i was unsuccessful.

It would be helpful to know what gives you that feeling.

How are you training and how are you testing?

> is there a definitive guide on setting this up on postfix with amavis?  if my
> user were the one that was training it for the other users that would be
> ideal

In general, Bayes works best when each user trains for the ham and the spam 
that *they* receive - you can share Bayes databases between users, but it's 
less effective.

Do remember also that Bayes *needs* to be fed ham as well as spam for it to be 
able to learn the difference - it's not just a question of giving it all the 
spam you receive and assuming it can work out from that what isn't spam.


Regards,


Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

   Please reply to the list;
 please *don't* CC me.

Re: Technically not spam

[Antony Stone]

On Friday 29 May 2020 at 17:40:42, @lbutlr wrote:

> How do people deal with lists that a user subscribed to that require
> logging in to an account to unsubscribe?

Well, as you say in your Subject, this isn't spam; it's just email that the 
user asked for but has decided they no longer want.

> Most legitimate mails have a simple unsubscribes list, but many online
> stores seem to "forget" to do this.

Surely they do not forget to have a "forgot my password" option, though?

> I can't just blacklist the IPs because some people want these emails.

My opinion is: it's not your (as email admin) problem - it's the user's 
problem.  They signed up for it; they can sign out of it.  If they no longer 
know their password, they can use the "forgot password" mechanism to get back 
in again, and turn off the emails they no longer want.

Basically, I don't think this is a problem you need to try to solve, because 
it's something the users did themselves - it's not like some miscreant has 
discovered their email address and is sending stuff they *really* don't want to 
see (and is probably sending to several other of your users too) - that you 
can block, but this is genuine email which the user signed up for, and is 
responsible for signing out of.


Antony.

-- 
3 logicians walk into a bar. The bartender asks "Do you all want a drink?"
The first logician says "I don't know."
The second logician says "I don't know."
The third logician says "Yes!"

   Please reply to the list;
 please *don't* CC me.

Re: Is PDS_TONAME_EQ_TOLOCAL_SHORT new?

[Antony Stone]

On Wednesday 30 October 2019 at 20:23:37, RW wrote:

> On Wed, 30 Oct 2019 14:09:11 -0400
> 
> Mark London wrote:
> > Is PDS_TONAME_EQ_TOLOCAL_SHORT new?  I see it hitting real emails
> > here, but hitting no spam emails.  Thanks.
> 
> It's one of several rules based on __PDS_TONAME_EQ_TOLOCAL, which is
> looking for To headers that look like this:
> 
>   To: foo 
> 
> A problem with this is that such headers look unprofessional, and so
> are likely to be underrepresented in a ham corpus dominated by
> corporate mail.

Pardon my ignorance, but what is "unprofessional" about this?

Is it the fact that "foo" is just a single word, rather than "forename 
surname", or is it just that "foo" on its own matches the username in 
"f...@example.com"?

I have plenty of "professional" contacts (mainly in small businesses) where 
they use first names only, and also plenty of examples such as "Helpdesk 
" and "Accounts " which are 
perfectly legitimate.


Thanks in advance for any explanation,


Antony.

-- 
"The problem with television is that the people must sit and keep their eyes 
glued on a screen; the average American family hasn't time for it."

 - New York Times, following a demonstration at the 1939 World's Fair.

   Please reply to the list;
 please *don't* CC me.

Re: announcement about invaluement (or more like a tease?)

[Antony Stone]

On Monday 26 August 2019 at 13:29:45, Axb wrote:

> On 8/26/19 3:24 AM, Rob McEwen wrote:
> > announcement about invaluement (or more like a tease?)
> > 
> > https://www.linkedin.com/feed/update/urn:li:activity:6571558988201148416/
> 
> I don't do linkedin - what is it?

Social networking for professional people.

https://en.wikipedia.org/wiki/Linkedin


Antony.

-- 
#define SIX 1+5
#define NINE 8+1

int main() {
printf("%d\n", SIX * NINE);
}
- thanks to ECB for bringing this to my attention

   Please reply to the list;
 please *don't* CC me.

Re: Zero-width rules?

[Antony Stone]

On Friday 28 June 2019 at 19:26:32, John Hardin wrote:

> On Fri, 28 Jun 2019, Bill Cole wrote:
> > 
> > Also FWIW: ZWNJ and ZWJ appear chronically and prolifically in messages
> > sent by a small fraction of entirely legitimate mailing lists. I expect
> > to start seeing ZWS characters in opt-in B2C mail in 5... 4... 3... 2...
> > 1...
> > 
> > Any second now.
> 
> You mean like this insanity?
> 
>  ‌ ‌ ‌  ...ad nauseum

Indeed - people even promote its use:

https://litmus.com/blog/the-little-known


Antony.

-- 
"When you talk about Linux versus Windows, you're talking about which 
operating system is the best value for money and fit for purpose. That's a very 
basic decision customers can make if they have the information available to 
them. Quite frankly if we lose to Linux because our customers say it's better 
value for money, tough luck for us."

 - Steve Vamos, MD of Microsoft Australia

   Please reply to the list;
 please *don't* CC me.

Re: Rules for invisible div and 0pt font?

[Antony Stone]

On Monday 17 June 2019 at 21:14:36, Amir Caspi wrote:

> Hi all,
> 
> In reviewing today's FNs I came across the following spample:
> https://pastebin.com/9QQVwUY6
> 
> There is a div here with display:none, as well as font-size:0px.  The
> spample hits HTML_FONT_LOW_CONTRAST but does not appear to hit any rule
> relating to a hidden div or tiny font.
> 
> Does LOW_CONTRAST include font-size too small, or just color too light?  Is
> there a rule for matching display:none?

Is display:none ever used for instructiosn to screen readers for the blind / 
visually impaired?

I have no idea whether it is, but it's a potentially legitimate use which 
comes to mind.  If not, what is "display:none" actually for?

> If not, may I propose that the following rules be sandboxed?
> 
> rawbody   AC_HIDDEN_ELEMENT   /display\s*:\s*none\s*;/
> 
> rawbody   AC_HIDDEN_FONT  /font-size\s*:\s*0\s*(?:em|pt|px|%)\s*;/
> 
> The font one above could be modified for [0-3] or similar, if we want to
> catch tiny versus literally hidden fonts.

If this feature *is* used for screenreaders, you could be creating a false 
positive trap here...


Antony.

-- 
Wanted: telepath.   You know where to apply.

   Please reply to the list;
 please *don't* CC me.

Re: Meta for bogus MIME with DKIM valid?

[Antony Stone]

On Thursday 13 June 2019 at 17:45:02, Joseph Brennan wrote:

> We've been refusing mail based on this stupid error for a year and a half
> (local rule) and no false positive has ever come to attention. The volume
> averages about 50,000 a day here.

What's that as a percentage of total inbound mail?

> Yesterday it was 72,000 from 69.16.199.0/24. It comes from 1 to 3 IP subnets
> each day, changing daily, except that the spammer does not send on Sundays.

That's not something I've ever come across - more spam during US daylight 
time, yes, but less spam on Sundays!?

Fascinating.


Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

[Antony Stone]

On Wednesday 13 March 2019 at 19:21:47, Jari Fredriksson wrote:

> What would it result for this:
> 
> I have a couple domains that do not have any services for the root domain
> name. How ever, the server the A points do have a web server that acts as
> a reverse proxy for many subdomains that will be served a web page. A http
> 503 is returned by the pound reverse for the root domains.

What is a "pound reverse"?

Antony.

> gladiator:~ jarif$ curl -v http://bitwell.biz
> * Rebuilt URL to: http://bitwell.biz/
> *   Trying 138.201.119.25...
> * TCP_NODELAY set
> * Connected to bitwell.biz (138.201.119.25) port 80 (#0)
> 
> > GET / HTTP/1.1
> > Host: bitwell.biz
> > User-Agent: curl/7.54.0
> > Accept: */*
> 
> * HTTP 1.0, assume close after body
> < HTTP/1.0 503 Service Unavailable
> < Content-Type: text/html
> < Content-Length: 53
> < Expires: now
> < Pragma: no-cache
> < Cache-control: no-cache,no-store
> <
> * Closing connection 0
> 
> Br. Jarif

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

[Antony Stone]

On Friday 01 March 2019 at 17:37:18, Mike Marynowski wrote:

> Quick sampling of 10 emails: 8 of them have valid A records on the email
> domain. I presumed SpamAssassin was already doing simple checks like that.

That doesn't sound like a good idea to me (presuming, I mean).


Antony.

-- 
"The future is already here.   It's just not evenly distributed yet."

 - William Gibson

   Please reply to the list;
 please *don't* CC me.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

[Antony Stone]

On Thursday 28 February 2019 at 20:33:42, Mike Marynowski wrote:

> But scconsult.com does in fact have a website so I'm not sure what you
> mean. This method checks the *root* domain, not the subdomain.

How do you identify the root domain, given an email address?

For example, for many years in the UK, it was possible to get something.co.uk 
or something.org.uk (and maybe something.net.uk), but now it is also possible 
to get something.uk

So, I'm just wondering how you determine what the "root" domain for a given 
email address is.


Antony.

-- 
"It is easy to be blinded to the essential uselessness of them by the sense of 
achievement you get from getting them to work at all. In other words - and 
this is the rock solid principle on which the whole of the Corporation's 
Galaxy-wide success is founded - their fundamental design flaws are completely 
hidden by their superficial design flaws."

 - Douglas Noel Adams

   Please reply to the list;
 please *don't* CC me.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

[Antony Stone]

On Thursday 28 February 2019 at 20:25:36, Bill Cole wrote:

> On 28 Feb 2019, at 13:43, Mike Marynowski wrote:
> > On 2/28/2019 12:41 PM, Bill Cole wrote:
> >> You should probably put the envelope sender (i.e. the SA
> >> "EnvelopeFrom" pseudo-header) into that list, maybe even first. That
> >> will make many messages sent via discussion mailing lists (such as
> >> this one) pass your test where a test of real header domains would
> >> fail, while it it is more likely to cause commercial bulk mail to
> >> fail where it would usually pass based on real standard headers.
> >> (That's based on a hunch, not testing.)
> > 
> > Can you clarify why you think my currently proposed headers would fail
> > with the mailing list? As far as I can tell, all the messages I've
> > received from this mailing list would pass just fine. As an example
> > from the emails in this list, which header value specifically would
> > cause it to fail?
> 
> If I did not explicitly set the Reply-To header, this message would be
> delivered without one. The domain part of the From header on messages I
> post to this and other mailing lists has no website and never will.

The same applies to my messages as well.  I use a list-specific "subdomain" on 
all my various list subscription addresses, however unlike Bill, I never set a 
Reply-To address, because I expect all list replies to go to the list (which I 
then receive as a subscriber).

Any emails which are sent to my list-subscription addresses directly (ie: not 
via the mailing list server, which adds its own identifiable headers) are 
discarded.


Regards,


Antony.

-- 
It may not seem obvious, but (6 x 5 + 5) x 5 - 55 equals 5!

   Please reply to the list;
 please *don't* CC me.

Re: Spam rule for HTTP/HTTPS request to sender's root domain

[Antony Stone]

On Thursday 28 February 2019 at 17:14:04, Ralph Seichter wrote:

> * Grant Taylor:
> > Why would you do it per email? I would think that you would do the
> > test and cache the results for some amount of time.
> 
> I would not do it at all, caching or no caching. Personally, I don't see
> a benefit trying to correlate email with a website, as mentioned before,
> based on how we utilise email-only-domains.

Each to their own.

If a mail admin finds a good correlation between no-website and spam, it's a 
good check to add into the mix

Nothing should be a poison pill in itself, and if you use email-only domains, 
you (they) still won't get blocked provided the emails they send don't 
otherwise look spammy.

Mike has already said:

On Thursday 28 February 2019 at 15:25:39, Mike Marynowski wrote:

> as a 100% ban rule this is obviously a bad idea. As a score modifier I think
> it would be highly effective.
> 
> I found several "email only" domains in my sampling but all the big ones
> still had landing pages at the root domain saying "this domain is only
> used for serving email" or similar. I'm sure there are exceptions and
> some people will have email only domains, but that's why we don't put
> 100% confidence into any one rule.

Personally I'm very interested in such a rule and its real-world effectiveness.


Antony.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

   Please reply to the list;
 please *don't* CC me.

Re: spamassassin trunk

[Antony Stone]

On Thursday 28 February 2019 at 15:26:57, Benny Pedersen wrote:

> Antony Stone skrev den 2019-02-28 14:56:
> > On Thursday 28 February 2019 at 14:44:05, Benny Pedersen wrote:
> >> where is it ?
> > 
> > A Google search for "spamassassin trunk" gives me
> > https://wiki.apache.org/spamassassin/DownloadFromSvn as the first
> > result, and
> > following the "Trunk" link there takes me to
> > http://svn.apache.org/viewcvs.cgi/spamassassin/trunk/?root=Apache-SVN
> > 
> > Or were you looking for something else?
> 
> yes, i will like to build trunk on gentoo, so the svn url with https
> would be fine, or last resort only http link to svn command to issue
> 
> last url you showed is web browsing content, dont know if svn can get
> download from this ?

See instructions further down the page at 
https://wiki.apache.org/spamassassin/DownloadFromSvn ?


Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennett

   Please reply to the list;
 please *don't* CC me.

Re: spamassassin trunk

[Antony Stone]

On Thursday 28 February 2019 at 14:44:05, Benny Pedersen wrote:

> where is it ?

A Google search for "spamassassin trunk" gives me 
https://wiki.apache.org/spamassassin/DownloadFromSvn as the first result, and 
following the "Trunk" link there takes me to 
http://svn.apache.org/viewcvs.cgi/spamassassin/trunk/?root=Apache-SVN

Or were you looking for something else?


Antony.

-- 
BASIC is to computer languages what Roman numerals are to arithmetic.

   Please reply to the list;
 please *don't* CC me.

Re: Semi Off-topic: VFEMail destroyed

[Antony Stone]

On Friday 22 February 2019 at 21:44:07, Alex Woick wrote:

> In the end, it comes back to trust. Don't employ people you don't trust.

How do you know you don't trust them until you find out you can't?


Antony.

-- 
The truth is rarely pure, and never simple.

 - Oscar Wilde

   Please reply to the list;
 please *don't* CC me.

Re: mail with HUNDREDS of links not being checked

[Antony Stone]

On Sunday 27 January 2019 at 12:20:02, LegendGamesMaster wrote:

> Hi Folks - i've tried to post this several times with no success.

Have you had any indication of what the failure is (eg: any error messages, 
bounces back to you), or have you simply not seen your mail appear on the 
list?

> 1) my cf file is set to add X-Spam headers to all.
> 2) it is clearly doing this for most email
> 3) is is NOT doing this for the following:
> 
> email with a hidden DIV containing HUNDREDS of links in succession.
> 
> i'm assuming SA is timing out checking so many links, and giving up!
> there are NO X-Spam headers at all in the mails

How is SA connected in to your MTA?

Which MTA are you using?

What do you see in your mail processing log files?

> on my desktop, Bitdefender takes upto 45 seconds to scan each email, which
> makes me think SA is timing out?

Are you running SA on your desktop?  Is BitDefender involved in the processing 
on your MTA in any way?

> I can provide headers and content if needed.

Indeed - put an example on pastebin or similar.


Antony.

-- 
Why is "dylexia" so difficult to spell, and why can I never remember "aphasia" 
when I want to?

   Please reply to the list;
 please *don't* CC me.

Re: PLEASE UNSUBSCRIBE ME!

[Antony Stone]

On Tuesday 15 January 2019 at 21:08:17, RALPH HAUSER wrote:

> SOMEONE PLEASE UNSUBSCRIBE ME FROM THIS! I DONT KNOW WHAT THAT IS! Thank
> you! PLEASE PLEASE!

As I replied to someone only on Sunday...

See the headers of every message on this list:

list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 

Antony.

-- 
Most people have more than the average number of legs.

   Please reply to the list;
 please *don't* CC me.

Re: unsubscribe me please.

[Antony Stone]

On Sunday 13 January 2019 at 22:03:58, Esteban L wrote:

> unsubscribe please

See the headers of every message on this list:

list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 

Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory

   Please reply to the list;
 please *don't* CC me.

Bayes

[Antony Stone]

Hi.

I thought http://xkcd.org/2059 was appropriate to highlight on this list :)

Antony.

-- 
"It would appear we have reached the limits of what it is possible to achieve 
with computer technology, although one should be careful with such statements; 
they tend to sound pretty silly in five years."

 - John von Neumann (1949)

   Please reply to the list;
 please *don't* CC me.

Re: ip address reputation

[Antony Stone]

On Monday 08 October 2018 at 12:14:17, Gokan Atmaca wrote:

> How can I query the reputation of Spamassassin ip address?

Please explain the question more fully - I do not know what you are trying to 
do.

Which IP address are you trying to look up, and what do you mean by 
"reputation"?


Antony.

-- 
Don't procrastinate - put it off until tomorrow.

   Please reply to the list;
 please *don't* CC me.

Re: spamassassin

[Antony Stone]

On Monday 08 October 2018 at 12:12:22, Gokan Atmaca wrote:

> Hello
> 
> I'm querying the SPF record. However, the SPF record is either present
> or absent.

Yes, it is a TXT record in the DNS entry for the domain you're looking up.

> I want to query the MX and IP address of the SPF record.

You mean you want to look up the MX record for a domain, and you want to look 
up some IP address (but for what hostname?)

There are no such things as "the MX and IP address of the SPF record".

> Can you help with this ?

What are you trying to achieve?

How does this fit in with SpamAssassin?


Antony.

-- 
Warum können Seeräuber nicht den Umfang eines Kreises berechnen?
Weil sie Piraten...


   Please reply to the list;
 please *don't* CC me.

Re: Bitcoin update

[Antony Stone]

On Friday 05 October 2018 at 23:26:12, Rupert Gallagher wrote:

> > https://pastebin.com/TRD7FzRQ
> > 
> > I have a sample here
> 
> There are at least three reasons to reject that e-mail upfront, with no
> need to parse its body.

Hints might be appreciated for the uninitiated.


Antony.


PS: Please do NOT set Reply-To to your own address on list postings.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

   Please reply to the list;
 please *don't* CC me.

Re: Rule for multiple paragraphs

[Antony Stone]

On Monday 17 September 2018 at 17:29:48, Pedro David Marco wrote:

> Hi!
> is there any trick to make a rule work along different body paragraphs?? or
> maybe the only way is via plugins...

Give us a bit more of a clue what you are trying / hoping to do?

In what way do you want to identify different paragraphs in an email, and how 
should the rules be applied differently?

> Regards,
> 
> -PedroD


Antony.

-- 
Why is "dylexia" so difficult to spell, and why can I never remember "aphasia" 
when I want to?

   Please reply to the list;
 please *don't* CC me.

Re: Non-ascii subjects with images

[Antony Stone]

On Monday 03 September 2018 at 18:40:44, Pedro David Marco wrote:

> On Sunday, September 2, 2018, 6:02:55 AM GMT+2, Bill Cole wrote:
> > SA "header" rules match against decoded headers, not the Base64 or QP 
> > encoded text.
> 
> Maybe he can try with "rawbody" as the subject is the first line...
> 
> Many rules to cover all emojis may be poitnless but covering "most" may be
> enough and regex ranges are asy to manage... PedroD

It still sounds like a strange way of identifying spam to me:

1. surely there are far stronger indicators in the Received headers and/or the 
body itself

2. people are going to be using glyphs such as this more and more commonly in 
non-spam emails

There may be an argument for "every little helps", but that sounds like 
something better left to Bayes to me.


Antony.

-- 
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

   Please reply to the list;
 please *don't* CC me.

Re: Non-ascii subjects with images

[Antony Stone]

On Saturday 01 September 2018 at 14:09:52, Rupert Gallagher wrote:

> On Sat, Sep 1, 2018 at 09:35, Pedro David Marco wrote:
> > 
> >> On Saturday, September 1, 2018, 7:02:20 AM GMT+2, Rupert Gallagher wrote:
> > >
> > > Do you have an SA rule for it?
> >
> > Do you have any sample, Rupert?
>
> Of course I do.

Would you care to show us?

Antony.


-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

Re: Issues with Yahoo/AOL emails and RCVD_NUMERIC_HELO

[Antony Stone]

On Sunday 29 July 2018 at 12:17:07, Sebastian Arcus wrote:

> I've been having a number of emails recently from Yahoo and AOL senders
> hitting the RCVD_NUMERIC_HELO rule. I'm trying to understand what is
> going on:
> 
> 1. First off, the rule hits on the EHLO line - which means the it is an
> authenticated SMTP submission.

Er, what?

No, EHLO simply means "Hello, I'm capable of doing ESMTP".

"HELO" means "Hello, I can talk SMTP".

> After all, if it is EHLO, it probably is an MUA,

No; MTAs also speak E/SMTP to each other, and some of those Received headers 
indicating handover of the mail from one server to another will contain the 
HELO or EHLO greetings.

> 2. Or maybe this is caused by Yahoo's end - in which case would some
> sort of exception be a good idea?

Yes, I would do that.

> Or maybe I am misunderstanding completely what is going on? I've
> uploaded a set of headers here: https://pastebin.com/KDV1f0wW

Given that the example you've posted is from a machine with a public IP 
82.132.242.82, but thinks it has a private IP 10.7.54.227, I'm not entirely 
surprised there is no rDNS set up for the private address.


Antony.

-- 
"Black holes are where God divided by zero."

 - Steven Wright

   Please reply to the list;
 please *don't* CC me.

Re: Replicating bayes in mariadb over multiple systems

[Antony Stone]

On Friday 20 July 2018 at 02:52:48, Alex wrote:

> Hi,
> 
> On Thu, Jul 19, 2018 at 8:05 PM, Antony Stone wrote:
> > On Friday 20 July 2018 at 01:47:38, Alex wrote:
> >> Hi,
> >> 
> >> I'm trying to configure bayes in mariadb to have a central database
> >> that is replicated across multiple systems so they can all share the
> >> same database.

> > If you want more than two machines, all replicating to each other, and
> > any of which can be written to, I would only consider doing this with
> > MariaDB + Galera, since the alternative (MySQL or MariaDB in
> > Master-Master ring- replication) is too fragile and difficult to recover
> > from breakages in the network connectivity (in my opinion).
> 
> I wasn't aware I needed Galera to do that.

It's certainly the easiest way to get multiple writeable masters set up.

> This ensures that all content is sync'd to all systems at all times?

Yes.

> >> How can I configure it to either fallback to the local replicated copy
> >> or otherwise configure it to be more resilient in case of failure?
> > 
> > It sounds like Galera (which is automatically installed if you're using
> > MariaDB 10.1 or later) is the solution to your problem.
> 
> Tips on how to get that going would be appreciated.

I found these helpful:

https://mariadb.com/kb/en/library/getting-started-with-mariadb-galera-cluster/

http://galeracluster.com/documentation-webpages/

> I followed the basic mariadb replication instructions

Okay, that'll be traditional MySQL-style Master-Slave replication (which can 
be extended easily enough to Master-Master for a single pair, but gets very 
"delicate" once you try to have more than two Masters which can be written 
to).

> This is on fedora28 x86_64.
>
> # rpm -q mariadb-server
> mariadb-server-10.2.16-1.fc27.x86_64

Looks good.  It's even a later version than I use with Debian Stretch.

> after using this guide to set up bayes in mariadb:
> https://svn.apache.org/repos/asf/spamassassin/branches/3.4/sql/README
> 
> No bayes autolearn.

Good luck :)


Antony.

-- 
Just when you think you're done, a cat floats by with buttered toast strapped 
to its back.

 - Steve Krug, "Don't make me think"

   Please reply to the list;
 please *don't* CC me.

Re: Replicating bayes in mariadb over multiple systems

[Antony Stone]

On Friday 20 July 2018 at 01:47:38, Alex wrote:

> Hi,
> 
> I'm trying to configure bayes in mariadb to have a central database
> that is replicated across multiple systems so they can all share the
> same database.

Are you using Galera for the replication?

> I thought the best way to do that would be to have one master with
> multiple slaves that all write to the master. I've configured the two
> other systems as slaves and replicated the databases between them.

That sounds like strange terminology - "slave" usually means a machine which 
replicates *from* a master, but can't write back to it.

Two machines replicating to each other, either of which can be written to, 
would generally be called "master-master replication" (and can be done with 
MariaDB or MySQL, without using Galera).

If you want more than two machines, all replicating to each other, and any of 
which can be written to, I would only consider doing this with MariaDB + 
Galera, since the alternative (MySQL or MariaDB in Master-Master ring-
replication) is too fragile and difficult to recover from breakages in the 
network connectivity (in my opinion).

> However, when the master goes off-line, the slaves are still looking
> to the master.

What do you mean by "looking to"?  Are the slaves able to accept local 
updates, or are they dependent on the master to be able to resolve queries and 
apply updates to the DB?

> How can I configure it to either fallback to the local replicated copy or
> otherwise configure it to be more resilient in case of failure?

It sounds like Galera (which is automatically installed if you're using 
MariaDB 10.1 or later) is the solution to your problem.


Give us a few more details about:

 - the version of MariaDB you're using
 - the distribution (and version) you've installed this on
 - the replication setup you're using between the "master" and the "slaves"

That may give us more ideas about how you can achieve what you want.


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it means it doesn't work.

   Please reply to the list;
 please *don't* CC me.

Re: Score from command line is different from the one in the webmail

[Antony Stone]

On Sunday 15 July 2018 at 13:41:34, daniel_1...@protonmail.com wrote:

> Dear list,
> 
> I am running spamassassin through amavis as a content filter for postfix.

Which user/s do those processes run as?

> But when I scan the mail from the command line I have a different score of
> only 0.9 and no URIBL_BLACK match :
> 
> root@messagerie

So, you test the message as root (which I seriously hope is not the user your 
MTA and SA are being run as during normal mail processing).

> Why do I have different scores and how do I get same score on both
> configurations ?

Try running the SA check as the correct user; if the scores and tests are 
still different, feel free to report back here.

Regards,


Antony.

-- 
What do you call a dinosaur with only one eye?  A Doyouthinkesaurus.

   Please reply to the list;
 please *don't* CC me.

Re: List From and Reply-To

[Antony Stone]

On Thursday 31 May 2018 at 17:35:11, Rupert Gallagher wrote:

> Beware of the GDPR. If a current or former subscriber wants their address
> deleted, you are in hell. The mailing-list server can cleanup before
> itself with a reply-to the list only, and obfuscating the addresses, and
> deleting people's own banners and signatures.

In my opinion this is just one example of why parts of the GDPR are ridiculous 
and were clearly not thought through before coming into legislation.

PS: I notice you choose to take the opposite approach with your own Reply-To 
header, deliberately making it more difficult for people to reply to the list :)


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it means it doesn't work.

   Please reply to the list;
 please *don't* CC me.

Re: Fwd: List From and Reply-To

[Antony Stone]

On Thursday 31 May 2018 at 12:16:04, Palvelin Postmaster wrote:

> > Begin forwarded message:
> > 
> > From: Ian Zimmerman 

> Are you and Bill Cole doing something different from other list members
> because your emails appear to have a Reply-To header?

Anyone is free to set a Reply-To header in the emails they send.  This will be 
preserved by the list server.

I believe both Ian and Bill are doing this, yes.

> --
> Palvelin.fi  Hostmaster
> postmas...@palvelin.fi 

The sig separator for email should have a space after the two dashes, so that 
MUAs can strip this automatically from the replies.

Also, a bit off-topic, but the URL in your sig does not accept connections, 
just in case you weren't aware.


Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

   Please reply to the list;
 please *don't* CC me.

Re: [Offtopic] List From and Reply-To

[Antony Stone]

On Wednesday 30 May 2018 at 15:33:13, Palvelin Postmaster wrote:

> > On 30 May 2018, at 16:06, Matus UHLAR - fantomas 
> > wrote:
> > 
> > On 30.05.18 15:49, Palvelin Postmaster wrote:
> >> Hitting reply sends the response to poster directly
> > 
> > get a mail client that supports mailing lists. Mozilla should do.
> 
> I see, the 'Mozzilla or stfu' policy ;D

No, Mozilla was just one example; there are many.

I, for example, use KMail, and in the headers of your original posting in the 
thread I see:

From: Palvelin Postmaster 
List-Post: 

There is no Reply-To header.

When I click on "Reply" my MUA automatically offers me 
users@spamassassin.apache.org


Regards,


Antony.

-- 
Police have found a cartoonist dead in his house.  They say that details are 
currently sketchy.

   Please reply to the list;
 please *don't* CC me.

Re: MSGID_SPAM_CAPS fp's hitting messages from The Pension Regulator in UK

[Antony Stone]

On Saturday 07 April 2018 at 18:10:18, Sebastian Arcus wrote:

> On 07/04/18 16:52, Reindl Harald wrote something.

> Thank you for answering, but really, in effect you haven't answered at
> all my question.

> And the way I customise the scores are based on the type of emails
> received at this particular site. It might seem "idiotic" to you, but
> there are reasons for those scores. Not everyone receives the same mix
> of email - so it isn't constructive to start calling other people's
> scoring "idiotic" just because they are not the same as your own or the
> defaults.

Please note that there are good reasons why you received only a private 
response from this person, and that he is no longer permitted to post to the 
list.

My personal recommendation is to consider carefully anything he says, judge 
whether you find it useful, and not to reply.


Regards,


Antony.

-- 
This sentence contains exacly three erors.

   Please reply to the list;
 please *don't* CC me.

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

[Antony Stone]

On Tuesday 03 April 2018 at 16:43:09, Leandro wrote:

> 2018-04-03 11:35 GMT-03:00 RW:
> > On Tue, 3 Apr 2018 11:09:38 -0300 Leandro wrote:
> > > 2018-04-03 10:34 GMT-03:00 Antony Stone:
> > > > "IMPORTANT: Current limit is 100 ms per IP block. Lower frequencies
> > > > require contribution. Please contact us informing your IP or range,
> > > > for further details."
> > > 
> > > This means, for example, your system do 10 queries at same second,
> > > then the query frequency is 100ms.
> > 
> > Then the frequency is 10 per second, not 100ms. Querying more often
> > is a higher frequency.
> 
> That is it! 10 per second or one every 100ms. The first is a flow rate and
> the second is a frequency.

One every 100ms is a frequency, agreed.

Two every 100ms is a higher frequency, and means faster requests.

One every 50ms is the same rate as two every 100ms, therefore it is also a 
higher frequency than one every 100ms.

Regards,


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

[Antony Stone]

On Tuesday 03 April 2018 at 16:09:38, Leandro wrote:

> 2018-04-03 10:34 GMT-03:00 Antony Stone:
> > On Tuesday 03 April 2018 at 15:27:11, Leandro wrote:
> > > Hey guys. We just created an URL signature algorithm to be able to
> > > query an entire URL at our URIBL:
> > > 
> > > https://spfbl.net/en/uribl/
> > 
> > I don't think I understand the following statement on that page:
> > 
> > "IMPORTANT: Current limit is 100 ms per IP block. Lower frequencies
> > require contribution. Please contact us informing your IP or range, for
> > further details."
> 
> This means, for example, your system do 10 queries at same second, then the
> query frequency is 100ms.

Yes, I got that bit.

How big is an IP block?

> > Please could you explain what this means; what limitations are imposed on
> > use of this service - specifically what is an "IP block", and do you really
> > mean "lower frequencies require contribution"?  Surely that should be
> > "higher"?
> 
> Yes, I am sure. Lets use the same example above, but now your system do 20
> queries at same second, then the query frequency becomes 50ms, less than
> first case.

Ah; I would call 50ms the interval and 20 queries per second the frequency.

Thanks for the explanation.


Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

   Please reply to the list;
 please *don't* CC me.

Re: The "goo.gl" shortner is OUT OF CONTROL (+ invaluement's response)

[Antony Stone]

On Tuesday 03 April 2018 at 15:27:11, Leandro wrote:

> Hey guys. We just created an URL signature algorithm to be able to query an
> entire URL at our URIBL:
> 
> https://spfbl.net/en/uribl/

I don't think I understand the following statement on that page:

"IMPORTANT: Current limit is 100 ms per IP block. Lower frequencies require 
contribution. Please contact us informing your IP or range, for further 
details."

Please could you explain what this means; what limitations are imposed on use 
of this service - specifically what is an "IP block", and do you really mean 
"lower frequencies require contribution"?  Surely that should be "higher"?


Thanks,


Antony.

-- 
There's a good theatrical performance about puns on in the West End.  It's a 
play on words.

   Please reply to the list;
 please *don't* CC me.

Re: Blacklist for reply-to?

[Antony Stone]

On Monday 19 February 2018 at 01:55:45, Rupert Gallagher wrote:

> Question time! You receive spam with a reply-to your own address. What do
> you do?

I take it that this is now a rather different question that the one you 
originally asked in this thread, where the reply-to address was clearly not 
your own?

> A: you blacklist your own address

Is there any reason why inbound mail should have your own address (and, by the 
way, do you mean address, or domain?) as the reply-to?

For some people yes, for others, no.  Your experience may not be standard.

> B: you ask around to do A for you

I'm not sure what that means.

> C: you ask for advice

Good idea; let's see what other replies you get.


Antony.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

   Please reply to the list;
 please *don't* CC me.

Re: Email filtering theory and the definition of spam

[Antony Stone]

On Sunday 11 February 2018 at 23:04:52, Bill Cole wrote:

> On 11 Feb 2018, at 16:20 (-0500), Antony Stone wrote:
> > Strange that I can't find SMTP under
> > www.rfc-editor.org/rfc/std/std-index.txt
> > ‎though, other than STD0060 and STD0071, which are both extensions.
> 
> STD10 is SMTP (RFC821), STD11 is message format(RFC822).

Ah, thank you.  Stupid of me not to search for the expansion of the 
abbreviation :)

However, it's good to see confirmed that STD0010 is "Obsoleted by RFC2821" and 
that STD0011 is "Obsoleted by RFC2822" (and we already know that those have in 
turn been subsequently obsoleted), so anyone still using RFC822 as the 
standard is just not recognising the reality of how RFCs and Internet 
Standards work


Antony.

-- 
This sentence contains exacly three erors.

   Please reply to the list;
 please *don't* CC me.

Re: Email filtering theory and the definition of spam

[Antony Stone]

On Sunday 11 February 2018 at 19:15:59, Rupert Gallagher wrote:

> Who is the ignorant here?
> 
> Rfc 822, standard: usa

https://tools.ietf.org/html/rfc822 "Obsoleted by: 2822"

What do you mean by "Standard: USA"?  I know what an IETF Standard is, and 
it's quite different from an RFC, which we were discussing.  What does "USA" 
mean in the context you used it above?

Strange that I can't find SMTP under www.rfc-editor.org/rfc/std/std-index.txt
‎though, other than STD0060 and STD0071, which are both extensions.

> Rfc 2822, *proposed standard*: usa

https://tools.ietf.org/html/rfc2822 "Obsoleted by: 5322"

> Rfc 5321, *draft standard*: usa

https://tools.ietf.org/html/rfc5321 "Updated by: 7504"

> Rfc 5322, *draft standard*: usa

https://tools.ietf.org/html/rfc5322 "Updated by: 6854"

> ...
> 
> The list goes on.

It does indeed, because RFCs get revised, modified, updated, replaced and 
obsoleted.

> To you, and those like you, who claim better knowledge, read twice
> yourself, because the actual standard is still rfc 822.

Use it if you want, but don't expect the rest of the Internet to be compatible 
with you.  It's not the way things work.


Antony.

-- 
I love deadlines.   I love the whooshing noise they make as they go by.

 - Douglas Noel Adams

   Please reply to the list;
 please *don't* CC me.

Re: Email filtering theory and the definition of spam

[Antony Stone]

On Sunday 11 February 2018 at 08:35:42, Rupert Gallagher wrote:

> We are not in USA, where RFC loopholes are written

Er, RFCs are written by IETF Working Groups, which are open to *anyone* to 
contribute to, have members from many different countries and companies around 
the world, and are not run by any government organisation.

RFCs are not a product of America, whether you are paranoid about American 
products or not.


Antony.

-- 
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

   Please reply to the list;
 please *don't* CC me.

Re: Maxium URL acceptable length

[Antony Stone]

On Tuesday 23 January 2018 at 09:11:06, Pedro David Marco wrote:

> Hi,
> What is, in your opinion, the maximum URL acceptable length?

Acceptable for what?

Acceptable for a human to be able to remember?

Acceptable for pasting into an email?

Acceptable for expecting someone to type?

> I am not speaking about RFCs or defacto browsers limits, etc

Okay, so you don't mean maximum permissible or maximum functional...

> i am just asking you for personal opinions, please...

I don't like URLs longer than 80 characters because they often wrap in emails 
and some MUAs don't allow split URLs to be clicked on.

> Many browsers do not bookmark over 300 octets (aprox), and do not show in
> address-bar over 2500 octets (aprox). Opinions, please??? does it make sense
> an URL of 100.000 octets, for example???

Please define "sense".

If a URL embedded in a web page works when a user clicks on it, then it's 
functional; I don't know whether it's then automatically sensible.

What's your definition for "acceptable"?  That might help get some useful 
answers.


Antony.

-- 
Numerous psychological studies over the years have demonstrated that the 
majority of people genuinely believe they are not like the majority of people.

   Please reply to the list;
 please *don't* CC me.

Re: From name containing a spoofed email address

[Antony Stone]

On Friday 19 January 2018 at 07:40:07, Rupert Gallagher wrote:

> See my post of 25/20/2017 to this list.

My calendar doesn't go that far :(


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

Re: moving spam to junk folder

[Antony Stone]

On Saturday 13 January 2018 at 09:35:47, Matthew Broadhead wrote:

> i am using CentOS 7, spamassassin-3.4.0-2.el7.x86_64,
> postfix-2.10.1-6.el7.x86_64, with amavisd.
> 
> i set my local.cf to use MySQL as a bayes store and it seems to work
> fine setting ham and spam in the database when a message is flagged. 
> however it has had no impact on spam received to the inboxes.  we are
> still receiving a large amount of junk email.

What do you expect to happen to spam instead of it being delivered to inboxes?

> i originally installed spamassassin according to this guide
> http://forums.sentora.org/showthread.php?tid=1118 and it does indeed
> filter the test message so it should be working ok?

That set of steps is designed to do is to change the subject line of spam 
emails to contain (it's not clear to me whether it then becomes the only 
content, or whether the original content is also retained) the phrase 
"***SPAM***"

Are the spam emails which are still arriving in your inbox/es labelled in this 
way?  If they are, then what you have installed is working as expected.

Also, you say you "originally installed spamassassin according to that guide" 
- what have you changed since then?  How does your current setup differ from 
what those steps create?


Antony.

-- 
"I think both KDE and Gnome suck - I'm quite unbiased in that, because I use a 
Mac."

 - Jason Isitt

   Please reply to the list;
 please *don't* CC me.

Re: Malformed spam email gets through.

[Antony Stone]

On Wednesday 03 January 2018 at 02:39:54, Alex wrote:

> Hi,
> 
> Is it possible to at least enforce that the message-ID has a valid domain?

If by "enforce" you mean "require" (in other words, you look at whatever 
message-ID the incoming email has, and you decide that if it doesn't contain a 
valid domain, then it is suspicious), then yes, you can.

However, this requirement is not stipulated by current RFCs, therefore you may 
well be falsely marking legitimate email.

Only a check of the incoming mail you receive, to see whether "message ID 
contains no valid domain" is a reliable indicator of spam, can tell you 
whether it's a good idea to do this on your mail filtering.

The example quoted below is entirely RFC-conformant.


Antony.,

> Received: from thomas-krueger.local
> (221.208.196.104.bc.googleusercontent.com. [104.196.208.221])
> by smtp-relay.gmail.com with ESMTPS id
> r16sm1186220uai.7.2017.12.28.18.04.13
> for 
> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
> Thu, 28 Dec 2017 18:04:14 -0800 (PST)
> X-Relaying-Domain: janda02.com
> Message-ID: <5b974eb73ed9c2d1b630f4b600191771@zfimvuyb.gwbba>
> From: "Apple Store" 
> To: 
> 
> On Tue, Jan 2, 2018 at 5:41 PM, @lbutlr  wrote:
> > On 2 Jan 2018, at 04:26, Rupert Gallagher r...@protonmail.com> wrote:
> >> Note taken. We still abide to the duties and recommendations, and expect
> >> well-behaved servers do the same, by identifying themselves. We
> >> cross-check, and if they lie, we block them.
> > 
> > rejecting because they spoof a domain in the MID is one thing. Rejecting
> > an email because you misunderstood the RFC and don't see a valid domain
> > name is an entirely different thing.

-- 
"I estimate there's a world market for about five computers."

 - Thomas J Watson, Chairman of IBM

   Please reply to the list;
 please *don't* CC me.

Re: Malformed spam email gets through.

[Antony Stone]

On Tuesday 02 January 2018 at 11:12:57, Rupert Gallagher wrote:

> This is the normative reference.

I've picked out the significant parts from your email...

> RFC 5322, pg. 27, section 3.6.4
> ---
> 
> <<  The message identifier (msg-id) itself MUST be a globally unique
>identifier for a message.

>a good method

Note: not the required method, not the only method, just "a good method".

>is to put the domain name (or a domain literal IP address) of the host
>on which the message identifier was created on the right-hand side of
>the "@" (since domain names and IP addresses are normally unique)

>Though other algorithms will work, it is RECOMMENDED

Note, recommended, not required.

>that the right-hand side contain some domain identifier (either of
>the host itself or otherwise)

Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

   Please reply to the list;
 please *don't* CC me.

Re: Mailsploit

[Antony Stone]

On Wednesday 13 December 2017 at 21:41:04, Groach wrote:

> Is there any suggestions on a rule or procedure to implement that will
> help defend against the MAILSPLOIT type of spoofing?

See https://marc.info/?l=spamassassin-users&m=151265708616825&w=2 and follow-
ups?


Antony.

-- 
"Linux is going to be part of the future. It's going to be like Unix was."

 - Peter Moore, Asia-Pacific general manager, Microsoft

   Please reply to the list;
 please *don't* CC me.

Re: Rule to detect mailsploit

[Antony Stone]

On Wednesday 06 December 2017 at 18:15:55, John Hardin wrote:

> On Wed, 6 Dec 2017, Kevin A. McGrail wrote:
> > 
> > Something like this:
> > 
> > header__KAM_MAILSPLOIT1   From =~ /[\0]/
> > describe__KAM_MAILSPLOIT1RFC2047 Exploit
> > https://www.mailsploit.com/index
> > 
> > And a paired rules for \n looking for maxhits.  Beyond that, what's a
> > good control character regex?
> 
> From memory (sorry, in a meeting):  [\x00-\x19]

Why not up to 0x1F?


Antony.

-- 
Don't procrastinate - put it off until tomorrow.

   Please reply to the list;
 please *don't* CC me.

Re: Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

[Antony Stone]

On Friday 20 October 2017 at 19:54:08, Anne P. Mitchell Esq. wrote:

> > On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:
> >> Anne P. Mitchell,
> >> Attorney at Law
> > 
> > I'm intrigued as to what the "Esq." in your From address indicates?
> 
> In the U.S., Esq. (short for 'Esquire') means specifically a person who has
> been admitted to the practice of law and who is permitted to represent
> clients

Aha - thank you for that explanation.

I speak British English, and here the word has a quite different meaning, 
specifically relating to men only - hence my confusion when seeing it used by 
someone called Anne :)

See the first paragraph of https://en.wikipedia.org/wiki/Esquire


Thanks,


Antony.

-- 
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."


   Please reply to the list;
 please *don't* CC me.

Off-topic, was: [Re: MailChimp with link to javascript/zip malware]

[Antony Stone]

On Friday 20 October 2017 at 19:29:31, Anne P. Mitchell Esq. wrote:

> Anne P. Mitchell,
> Attorney at Law

I'm intrigued as to what the "Esq." in your From address indicates?

Please feel free to reply offlist if appropriate.

Thanks,


Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

Re: USER_IN_WHITELIST shortcircuits VBOUNCE, please help...

[Antony Stone]

On Saturday 07 October 2017 at 16:27:00, djkraz wrote:

> I have a user that is getting thousands of backscatter a minute for a
> couple days now.  I've tried everything I can find on the web to get
> vbounce working with no luck as the user is obviously in the whitelist
> since they exist on the server.  I've tried setting the priority of
> vbounce higher but it doesn't seem to make any difference.  Does anyone
> have any experience in resolving this?  FYI, I'm running Exchange 2013 on
> Win2kR2 with Exchange Server Toolbox.  Thanks in advance!

Put an example (full headers as minimum, body not really important for this I 
think) on pastebin or similar, post the link here and also show us your 
vbounce settings so we can have an opinion.


Antony.

-- 
I wasn't sure about having a beard at first, but then it grew on me.

   Please reply to the list;
 please *don't* CC me.

Re: Test

[Antony Stone]

On Wednesday 02 August 2017 at 13:17:42, Jari Fredriksson wrote:

> Just testing, as the list has been silent for me for a week or so.

See https://mail-archives.apache.org/mod_mbox/spamassassin-users/


Antony.

-- 
I conclude that there are two ways of constructing a software design: One way 
is to make it so simple that there are _obviously_ no deficiencies, and the 
other way is to make it so complicated that there are no _obvious_ 
deficiencies.

 - C A R Hoare

   Please reply to the list;
 please *don't* CC me.

Re: reason why sendmail w/ SA3.4.1 scantime=15.0, delay=00:01:06 w/ SquirrelMail?

[Antony Stone]

On Monday 17 July 2017 at 14:25:17, Robert Kudyba wrote:

> > On Jul 14, 2017, at 4:00 AM, Matus UHLAR - fantomas  
wrote:
> >> Robert Kudyba  wrote:
> >>> Over the past few days sending mail via SquirrelMail has become
> >>> glacial. The load on the server is under 1. I've restarted the SA,
> >>> sendmail and dovecot processes several times. Here are some logs I can
> >>> provide any settings if desired.
> > 
> > tried to run a message through "spamassassin -D" ?
> > that should give you debug/timing info.
> 
> OK here is the pastebin of spamassassin -D < gtube.txt:
> https://pastebin.com/iZtm2hhy


Jul 16 09:01:42.796 [29903] dbg: dns: entering helper-app run mode
Jul 16 09:01:47.806 [29903] dbg: dns: leaving helper-app run mode
Jul 16 09:01:47.806 [29903] dbg: razor2: razor2 check timed out after 5 
seconds


Antony.

-- 
René Descartes walks in to a bar.
The barman asks him "Do you want a drink?"
Descartes says "I think not," and disappears.

   Please reply to the list;
 please *don't* CC me.

Re: ramsonware URI list

[Antony Stone]

On Saturday 15 July 2017 at 11:19:54, mastered wrote:

> Hi Nicola,
> 
> I'm not good at SHELL script language, but this might be fine:
> 
> 1 - Save file into lista.txt
> 
> 2 - trasform lista.txt in spamassassin rules:
> 
> cat lista.txt | sed s'/http:\/\///' | sed s'/\/.*//' | sed s'/\./\\./g' |
> sed s'/^/\//' | sed s'/$/\\b\/i/' | nl | awk '{print "uri;RULE_NR_"$1";"$2"
> describe;RULE_NR_"$1";Url;presente;nella;Blacklist;Ramsonware
> score;RULE_NR_"$1";5.0" }' > listone.txt ;for i in $(sed -n p listone.txt)
> ; do echo "$i" ; done | sed s'/;/ /g' > blacklist.cf
> 
> 
> If anyone can optimize it, i'm happy.

My first comment would be "useless use of cat" :)

My second comment would be that you can combine sed commands into a single 
string, separated by ; so that you only have to call sed itself once at the 
start of all that:

sed "s'/http:\/\///'; s'/\/.*//'; s'/\./\\./g'; s'/^/\//'; s'/$/\\b\/i/'" 
lista.txt | nl .

My only other comment is that you might want to adjust the spelling of 
Ransomware :)

Maybe other people have further optimisations.


Antony.

-- 
The gravitational attraction exerted by a single doctor at a distance of 6 
inches is roughly twice that of Jupiter at its closest point to the Earth.

   Please reply to the list;
 please *don't* CC me.