Re: DNSBL checks only on last untrusted host

2010-08-20 Thread Daniel J McDonald
On Fri, 2010-08-20 at 20:34 +0200, Jacek Politowski wrote:
 On Fri, Aug 20, 2010 at 04:11:34PM +0200, Benny Pedersen wrote:
 
 I'd really like limit SpamAssassin's RCVD_* DNSBL checks only to
 hosts that directly deliver e-mails to our servers, but it seems I'm
 missing something in SA documentation (I can hardly believe there is
 no such possibility in SA).

change:
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
to:
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop-lastexternal', 'bl.spamcop.net.', '(?i:spamcop)')



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: X-Spam-Version-Checker reports 3.2.3 but running 3.3.1 - Why?

2010-08-04 Thread Daniel J McDonald
On Wed, 2010-08-04 at 14:18 -0700, Happy Chap wrote:
 Hi,
 
 I've just upgraded from SpamAssassin 3.2.3 to 3.3.1 and it all appeared to
 install correctly. However, X-Spam-Version-Checker is still coming up as
 3.2.3 after restarting spamd. Can anyone suggest what I've done wrong?

I think that's a mailscanner bug...  There has been some discussion on
this list about this in the past...



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


me.com as freemail?

2010-06-28 Thread Daniel J McDonald
I notice that me.com (Apple's mobile me) is now offering a free 60
day trial for their mail solution.  About half the mail from me.com has
been spam here lately, so I've added it to my local list of freemail
domains.  Anyone seen anything similar?

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: How do I filter out phishing email?

2010-04-14 Thread Daniel J McDonald
On Wed, 2010-04-14 at 11:18 -0700, yongke wrote:
 I installed all the channels in your post but I still get the same score!  Is
 there anything else I can do? 

Are you running with compiled rules?  Then you need to recompile them.

Are you running a daemonized spamd or amavisd instance?  You will need
to restart it to load the new rules



  The commands I used are:
[...]
 sa-update --channelfile sa-update-channels.txt --gpgkeyfile
 sa-update-keys.txt

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: Whitelists in 3.3.0

2010-01-29 Thread Daniel J McDonald
On Fri, 2010-01-29 at 09:18 -0500, Bowie Bailey wrote:
 McDonald, Dan wrote:
 
  Please excuse the top-post. This truly brain-damaged mua does not
  allow me to edit the body.
 
  Easiest way to disable whitelists is:
 
   grep -E score\ RCVD.+- /var/lib/spamassassin/updates_spamassassin_org/50_scores.cf | cut -d\  -f1-3 > /etc/mail/spamassassin/no-whitelists.cf
 
 
 Does 3.3.0 get rid of the version number in that path, or did you just
 forget to include it? 

I forgot...  was transcribing from screen to iPhone.  So the path does
need to be updated.

  I haven't gotten around to upgrading yet.
 
 Nice command line magic there!  It took me a bit to figure out how it
 worked.  

It helps that whitelists are disabled in ruleset #1, so we can count on
a zero in that position.

As a one-liner, it is something that can be tacked on the end of a
script that calls sa-update (or in the middle, if you follow up your
sa-update with an sa-compile). Just watch out for the two spaces in the
cut command `cut -d\  -f1-3`

I never would have thought of doing it that way.

cut is one of my favorite tools.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: hostkarma false positive

2010-01-11 Thread Daniel J McDonald
On Mon, 2010-01-11 at 06:46 -0800, Marc Perkel wrote:

 Christian Brel wrote: 
  It's also listed in:
  195.3.86.187BLACKLISTED:ips.backscatterer.org  
 Backscatterer.org isn't a real blacklist. They have us blacklisted as
 well. Anyone using them is making a serious mistake.

It's probably worth a point or so for blocking useless bounces:

meta RCVD_IN_BACKSCATTER_RELAY (__BOUNCE_FROM_DAEMON && __RCVD_IN_BACKSCATTER) && !__RCVD_IN_UCEWHITE
tflags RCVD_IN_BACKSCATTER_RELAY net
describe RCVD_IN_BACKSCATTER_RELAY received from a host that does a lot of backscatter
score RCVD_IN_BACKSCATTER_RELAY 1.30


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: habeas - tainted white list

2009-12-18 Thread Daniel J McDonald
On Fri, 2009-12-18 at 08:49 +, Christian Brel wrote:
 On Fri, 18 Dec 2009 03:44:32 -0500
 Daryl C. W. O'Shea spamassas...@dostech.ca wrote:
 
  Please stop beating the -4 and -8 horse.  We agree.
  
  Daryl
  
  
 
 Then fix it and show who really is in charge of this project?
 
It's been fixed.  Don't you know how to use bugzilla?

http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf?r1=891460&r2=891459&pathrev=891460

The new scores will come out in 3.3.0, RC1 is very soon...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: habeas - tainted white list

2009-12-18 Thread Daniel J McDonald
On Fri, 2009-12-18 at 12:53 +, Christian Brel wrote:
 On Fri, 18 Dec 2009 06:49:41 -0600
 Daniel J McDonald dan.mcdon...@austinenergy.com wrote:
 
  On Fri, 2009-12-18 at 08:49 +, Christian Brel wrote:
   On Fri, 18 Dec 2009 03:44:32 -0500
   Daryl C. W. O'Shea spamassas...@dostech.ca wrote:
   
Please stop beating the -4 and -8 horse.  We agree.

Daryl


   
   Then fix it and show who really is in charge of this project?
   
  It's been fixed.  Don't you know how to use bugzilla?
  
  http://svn.apache.org/viewvc/spamassassin/trunk/rules/50_scores.cf?r1=891460&r2=891459&pathrev=891460
  
  The new scores will come out in 3.3.0, RC1 is very soon...
  
 
 +score RCVD_IN_RP_CERTIFIED 0.0 -3.0 0.0 -3.0
 +score RCVD_IN_RP_SAFE 0.0 -2.0 0.0 -2.0
 
 This is 'fixed'? 

Have you read the bugzilla entry?  huge discussion about how to fix it
properly.  You also ignored the five rules removed and replaced by these
two.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: [sa] RE: emailreg.org - tainted white list

2009-12-15 Thread Daniel J McDonald
On Mon, 2009-12-14 at 23:07 +0100, Yet Another Ninja wrote:
 On 12/14/2009 10:55 PM, Daniel J McDonald wrote:
  I'd love to have the clamav unofficial signature families scored.  I
  have a fine guess as to how relevant they are, but it is just that - a
  guess.  
 
 someone, somewhere is already converting ClamAV signatures to HUGE (slow) 
 rule files, forgot where I saw them. Google around...

That's not the issue.  I have no problem scanning with clam and no
problem associating some signature families with scores rather than
blindly discarding.  The issue is:  how much should I trust the various
sets of signatures?  Although I have a fairly good feel for it based on
intuition, there is nothing like a mass-check to settle the matter.

That's the issue with pulling all of the whitelists out of the scoring
mix - the whitelist components are part of the mix that allows 5 points
to indicate spam.  And I was trying to counter the argument that we
should simply rip those pieces out and expect that, when people
re-assemble them piecemeal, the end result will still be 5 points for
spam...




-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: sa 3.3 problem with spec file?

2009-12-15 Thread Daniel J McDonald
On Tue, 2009-12-15 at 14:21 +0100, Kai Schaetzl wrote:
 I just built and make tested the beta of SA 3.3 with good success and 
 wanted to build the rpm from it now. I get an error:
  error: line 38: Illegal char '-' in version: Version: 3.3.0-beta1
 
 Seems that Version: %{version} doesn't like hyphens.

or alpha characters of any sort.
 What's the best way to overcome this? Change to _ for instance?

No, you have to convince it that everything is numeric.  Here's what I
did in a similar situation:
%define beta p1
Summary:   The ISC DHCP (Dynamic Host Configuration Protocol) server/relay agent/client
Name:      dhcp
Epoch:     2
Version:   3.1.2
Release:   %mkrel 1
License:   Distributable
Group:     System/Servers
URL:       http://www.isc.org/dhcp.html
Source0:   ftp://ftp.isc.org/isc/%{name}/%{name}-%{version}%{beta}.tar.gz
Source1:   ftp://ftp.isc.org/isc/%{name}/%{name}-%{version}%{beta}.tar.gz.asc

 
 Kai
 


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: emailreg.org - tainted white list

2009-12-14 Thread Daniel J McDonald
On Mon, 2009-12-14 at 16:09 +, Christian Brel wrote:

 If it's so clear cut, why is the option for the owner of the said
 Barracuda spam device *not* able to disable emailreg.org, but they
 *can* disable the Barracuda whitelist 'proper'?

Not germane to the spamassassin list.  Please redirect followups to
alt.flame.bararacuda.bork.bork.bork


 This e-mail and any attachments may form pure opinion and may not have
 any factual foundation. 

Good to know.  I'd hate to read an email full of facts.

 Please check any details provided to satisfy
 yourself as to suitability or accuracy of any information provided.
 Data Protection: Unless otherwise requested we may pass the
 information you have provided to other partner organisations. 

Hereby requested that you not pass *any* information to any partner
organisation.   Or any partner organization.  Or to any competitor.  Or
even to yourself.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: [sa] RE: emailreg.org - tainted white list

2009-12-14 Thread Daniel J McDonald
On Mon, 2009-12-14 at 21:23 +, Martin Gregorie wrote:
 May I suggest that handling whitelist or blacklist rules and any
 associated plugins by packaging them as separately installable modules
 may be of benefit to SA maintainers. The idea is to reduce the SA dev
 workload by handing off responsibility for maintaining and bugfixing
 such modules to external developers. These may, as at present, be the
 person who independently develops the module or the people who are
 responsible for the resources it queries. Here's a little more detail:

The problem is scoring.  masschecks are going to shape scores so that
whitelists get a little boost if they are mediocre, and a large boost if
they are good.  Ditto for blacklists.  And the two sets of scores will
work in synergy.  The big problem with making them all external and letting
the universe pick a score at random is that the relative effectiveness
of the various lists isn't tested.

I'd love to have the clamav unofficial signature families scored.  I
have a fine guess as to how relevant they are, but it is just that - a
guess.  I'd hate to have to guess for everyone's whitelist...



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


RE: UCEPROTECT questions

2009-11-25 Thread Daniel J McDonald
On Wed, 2009-11-25 at 10:53 -0800, R-Elists wrote:
 
  
  I'm interested in people's opinion of UCEPROTECT. I'm aware 
  of how it works, but even UCEPROTECT1 seems to catch an awful 
  lot of ham, and I wondered if I was doing something wrong.
  

 
 Alex,
 
 we use all 3 and adjust score accordingly...

Ditto.

Of more interest to me was the ips.backscatterer list.  I configured it
like so:

meta RCVD_IN_BACKSCATTER_RELAY (__BOUNCE_FROM_DAEMON && __RCVD_IN_BACKSCATTER) && !__RCVD_IN_UCEWHITE
tflags RCVD_IN_BACKSCATTER_RELAY net
describe RCVD_IN_BACKSCATTER_RELAY received from a host that does a lot of backscatter
score RCVD_IN_BACKSCATTER_RELAY 1.30

It's helped with some of the backscatter problems we were seeing.  I
also haven't been overly scientific about it, but I've not had any
false-positive reports, and I recall at least one false-negative
complaint where RCVD_IN_BACKSCATTER_RELAY had been triggered. (the total
score was only about 4.6, IIRC).






-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: HABEAS_ACCREDITED SPAMMER

2009-11-23 Thread Daniel J McDonald


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: Getting off the Cloudmark formerly spamnet blacklist

2009-11-10 Thread Daniel J McDonald
On Mon, 2009-11-09 at 16:51 -0800, Ted Mittelstaedt wrote:
 Hi All,
 
We have a customer who had a compromised mailserver, they fixed the 
 server but are apparently still blacklisted by this company called
 CloudMark  (www.cloudmark.com) that Comcast uses.
 
In Googling around I see that Comcast just recently signed up
 this company a month ago.  This company apparently sells a
 Spamassassin plugin, a spam filter for PC desktops, etc.

Yes, the free plugin is razor2.  I seem to recall they have a
more-featured for-pay plugin, but razor2 uses cloudmark servers for all
of its functionality.


Anyway, our customer isn't delisted from this CloudMark blacklist, 
 even though all of the RBL checkers on the Internet I can find claim 
 that their IP address isn't spamming.  I cannot find any delist request
 on their website either.

Have you tried a razor-revoke?


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: Mail not scanned

2009-10-21 Thread Daniel J McDonald
On Wed, 2009-10-21 at 18:59 +0200, Lars Ebeling wrote:
 I am running SA 3.2.5 on HP-UX 11.11. I am using postfix as MTA.
 
 http://pastebin.com/m612529a7
 
 The interface is configured in master.cf


It's 42K, so check that you don't have a size limit.

When I scan it I get:

X-Spam-Report: 
*  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in 
bl.spamcop.net
*  [Blocked - see http://www.spamcop.net/bl.shtml?75.209.5.48]
*  0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*  [75.209.5.48 listed in zen.spamhaus.org]
*  2.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*  2.0 RCVD_IN_BRBL_RELAY RBL: received via a relay rated as poor by
*  Barracuda
*  [75.209.5.48 listed in b.barracudacentral.org]
*  4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname 
(Split
*  IP)
*  3.7 FH_HELO_ALMOST_IP Helo is almost an IP addr.
*  0.0 RELAY_US Relayed through United States
*  0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
*  1.3 RAZOR2_CF_RANGE_E4_100 Razor2 gives engine 4 confidence level of
*  100%
*  [cf: 100]
*  1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
*  above 50%
*  [cf: 100]
*  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
*  [cf: 100]
*  0.1 RDNS_DYNAMIC Delivered to trusted network by host with
*  dynamic-looking rDNS
*  1.5 JM_SOUGHT_3 Body contains frequently-spammed text patterns
*  0.5 BOTNET_OTHER BOTNET_OTHER


And it also is caught by clamav:
$ clamscan lars.vir
lars.vir: Sanesecurity.Malware.8825.UNOFFICIAL FOUND


 
 
 Regards
 
 Lars
 
 - Original Message - 
 From: Kevin Parris kpar...@ed.sc.gov
 To: users@spamassassin.apache.org
 Sent: Wednesday, October 21, 2009 5:46 PM
 Subject: Re: Mail not scanned
 
 
 In this situation I believe Spock would say Insufficient Data . . .
 
 What o/s are you running? What is your mail handling software?  How does 
 that mail handling software interface to SpamAssassin?  Are you sure the 
 items were not scanned, or are you simply bothered that they were not marked 
 as spam by the scan?  Have you placed a complete sample with all headers on 
 pastebin and given us the link to that so we can evaluate the message?
 
  Lars Ebeling lars.ebel...@leopg9.no-ip.org 10/21/09 11:40 AM 
 Why aren't mail from United Parcel Service scanned?
 
 The last 24 hours have i got about 20 of them and none scanned.
 
 


Re: Constant Contact

2009-10-16 Thread Daniel J McDonald
On Fri, 2009-10-16 at 16:25 -0400, Adam Katz wrote:

 My own proposal to fixing this is to bring back Blue Security's
 do-not-email list, which is to say a freely available index of secure
 hashes representing email addresses that have opted out of bulk email.
  (Recall that the controversial aspect of Blue Security's methods is
 what they did to violators, which I'm not touching here.)

The other problem with it is that it can be used to scrub lists and get
a set of real users who don't want spam.  There is no guarantee that
spammers will be ethical and remove the DNE recipients - they may find a
better return throwing out the addresses that don't match...

And then there are hash collisions...




Re: Any one interested in using a proper forum?

2009-07-28 Thread Daniel J McDonald
On Tue, 2009-07-28 at 04:50 -0700, snowweb wrote:
 
 
 Jari Fredriksson wrote:
  
  
  What kind of a forum do you see?
  
  I use this as an email list, straight from my email application. I don't
  use Nabble or Google Groups (whatever those might be..).
  
  Quite convenient. Just subscribe and enjoy.
  
  
 
 I'm trying to view these threads online, it's obvious that this is more
 orientated to mailing list users, by the two minutes effort that they spent
 building the online 'forum' type interface. 

There is no official forum type interface, so whatever you are looking
at was hacked up by others.

 I notice that when you compare
 the install base of SpamAssassin which must be in the hundreds of thousands
 or more, with the number of support requests being added to this mailing
 list, it is clear that most requiring support are intimidated by this alien
 way of providing it.

Who said this was a support forum?  This is a users list, where users
get together and commiserate about our tool, think of ways to improve
it, bounce ideas off each other about our own implementations, and
generally work as a team towards our end goal - the Final Ultimate
Solution to the Spam Problem [1].

Yes, some of the developers lurk here and occasionally contribute.  But
they have busy lives and prefer to be working, spending time with their
families, or coding.  Not necessarily in that order.

And some of the users here occasionally develop, but that's what
bugzilla and the devel list are for.

As for this format... well, I've been using mailing lists and usenet
since about 1990, so this is the most comfortable way for me to
communicate.  SpamAssassin deals with raw mail, so it is expected that
users will be comfortable using mail.

[1] http://www.rhyolite.com/anti-spam/you-might-be.html
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: Low Scoring Lotto Spam

2009-07-27 Thread Daniel J McDonald
On Mon, 2009-07-27 at 17:31 +0300, Jari Fredriksson wrote:
  On Mon, 2009-07-27 at 14:51 +0100, rich...@buzzhost.co.uk wrote:
  I also used these local rules (some shamelessly copied off this
  forum):
  body __TRMB_YOUR_NAME /(^|\W)(your(\s+|\s+\w+\s+)names?|last.name:|full.names?|surname|Prenom|fullname|names? in full|with your.? Serial No|Confirmation Email Serial|Names?(\s+:|:)|Receiver name)(_|\W)/i
After I splatted these rules here, I saw that they were pretty
inefficient Perl-wise, and matched a bit much logic-wise.  I've
tightened them up, and I think this is better, but I'd appreciate
suggestions:

body __TRMB_YOUR_NAME /\b(?:your.{0,10}\bnames?|last.name:|full.names?|surname|Prenom|fullname|names? in full|with your.? Serial No|Confirmation Email Serial|Names?\s?:|Receiver name)_{0,40}\b/i
body __TRMB_YOUR_ADDRESS /\b(?:your|home|residen|contact|full|current).{0,20}\b(?:add[er]{2,4}sse?|location|country|marital status|occupation)_{0,40}\b/i
body __TRMB_YOUR_PHONE /\b(?:telephone|tel|phone)\s?(?:num(?:ber)?|\#)?[[:space:][:punct:]]{1,5}\D/i
body __TRMB_YOUR_AGE /\b(?:your\s)?age\s?[[:punct:]]{1,40}\b/i
body __TRMB_YOUR_OCCUPATION /\b(?:your\s)?(?:occupation|profession)_{0,30}\b/i
body __TRMB_YOUR_BLOBBY_DETAILS /\b(?:full names?.{1,20}address.{1,20}phone num|phone and fax number|your telephone.fax|your full contact details|send us your fullnames? and address|your mobile numbers?|please reply if you are willing to help me save|send the following informations?|provide your email address.? phone number)/i
body __TRMB_OTHER_DETAILS /\b(?:with your full contact informations?|contact the application desk)\b/i

meta __TRMB_YOUR_DETAILS ((__TRMB_YOUR_NAME || __TRMB_OTHER_DETAILS) && (__TRMB_YOUR_ADDRESS || __TRMB_YOUR_PHONE || __TRMB_YOUR_AGE || __TRMB_YOUR_OCCUPATION) || __TRMB_YOUR_BLOBBY_DETAILS)

meta AE_DETAILS_WITH_MONEY __TRMB_YOUR_DETAILS && (MILLION_EURO || MILLION_USD || US_DOLLARS_3 || NA_DOLLARS || FRT_DOLLAR || AE_GBP || __FRAUD_DBI)
describe AE_DETAILS_WITH_MONEY Has form and mentions much money
meta AE_DETAILS_WITH_EMAIL __TRMB_YOUR_DETAILS && __HAS_ANY_EMAIL
describe AE_DETAILS_WITH_EMAIL Has form and gives handy email to send it back to

score AE_DETAILS_WITH_MONEY 2.0
score AE_DETAILS_WITH_EMAIL 2.5

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-23 Thread Daniel J McDonald
On Thu, 2009-07-23 at 07:34 +0100, rich...@buzzhost.co.uk wrote:
 It's catching on :-)

this new obfuscation is already caught by AE_MED45, but I can foresee a
variant that might not match...

How about:

body __MED_OB /\bw{2,3}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})[[:alpha:]]{0,6}\d{2,6}(?:[[:punct:][:space:]]{1,5}|[[:space:][:punct:]]{1,3}dot[[:space:][:punct:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)[[:punct:]]?\b/i
body __MED_NOT_OB /\bw{2,3}\.[[:alpha:]]{0,6}\d{2,6}\.(?:com|net|org)\b/i
meta AE_MED46 (__MED_OB && !__MED_NOT_OB)
describe AE_MED46 Shorter rule to catch spam obfuscation
score AE_MED46 4.0

-- 
Dan McDonald, CCIE #2495, CISSP# 78281, CNX
www.austinenergy.com


Re: Lotto/Money email address spam

2009-07-22 Thread Daniel J McDonald
On Wed, 2009-07-22 at 18:05 -0400, MySQL Student wrote:
  Please use pastebin.
 
 Yes, will do, thanks.
 
 It hit BAYES_99, but that's it. Are there any rules that pertain to
 'loan' or this type of mail that can somehow block these?
 
  FreeMail.pm and the SOUGHT_FRAUD rules.
 
 Some time ago you were speaking about the AOL tunome.com freemail
 domain, and that Dan was going to create an updated list. Any progress
 on that?

I've given the list to two people who will publish it when they are
ready.  But this particular e-mail was not using tunome.com

 I thought FreeMail was part of SA proper, but apparently not. Who
 maintains that, and how do I find it?

You need three files:
http://sa.hege.li/FreeMail.pm
http://sa.hege.li/FreeMail.cf
http://sa.hege.li/freemail_domains.cf

And it's also worthwhile to add the
90_sare_freemail.cf.sare.sa-update.dostech.net channel to sa-updates


Re: sa-update: determining last run? Not in /var/lib/spamassassin

2009-03-30 Thread Daniel J McDonald
On Mon, 2009-03-30 at 14:23 -0400, RWS* wrote:
 
 Thanks very much.
 Bad assumption (on my part too) !
 spamassassin --version
SpamAssassin version 3.2.4
 Gawk
 
   ls -l /var/lib/spamassassin
 drwxr-xr-x 3 4096 Oct 16 18:27 compiled/3.002004 ...
 does not contain any .cf files!

Not /compiled/...


ls -l /var/lib/spamassassin/3.002004/updates_spamassassin_org.cf
head -1 /var/lib/spamassassin/3.002004/updates_spamassassin_org.cf
dig 4.2.3.updates.spamassassin.org txt +short
 
 ls -l /var/lib/spamassassin/compiled/3.002004/
  Mail/
   auto/
  76115 Oct 16 18:27 bases_body_0.pl
 
 
   dig 5.2.3.updates.spamassassin.org txt +short
   759778
 
 Any additional thoughts?
 
 On Mar 30, 2009, at 13:16, McDonald, Dan wrote:
  Asumming you are running 3.2.5, then:
 
  $ ls -l /var/lib/spamassassin/3.002005/updates_spamassassin_org.cf
  will tell you the date it last updated the rules
 
  $ head -1 /var/lib/spamassassin/3.002005/updates_spamassassin_org.cf
  will tell you the version last downloaded
 
  $ dig 5.2.3.updates.spamassassin.org txt +short
  will tell you the current version available
 
  On Sun, 2009-03-29 at 17:41 -0400, Dennis G German wrote:
 
  Is there a way I can determine when sa-update was last run?
 PS ALL: Sorry for multiple postings originally.


Re: Restarting processes after sa-update?

2009-03-23 Thread Daniel J McDonald
On Sun, 2009-03-22 at 12:30 +0100, mouss wrote:
 McDonald, Dan wrote:
  On Fri, 2009-03-20 at 14:56 -0400, Bryan Lee wrote:
  My Spam assassin is run from /etc/mail/mimedefang-filter via the perl
  module.
  
  When running sa-update, do I need to run anything to make sure new rules
  get picked up?  I.e.  Do I need to restart mimedefang or somehow call
   the spam_assassin_init()->compile_now(1) ?
  
  Yes.  When I update my rules for amavisd-new, I run sa-update,
  sa-compile, service amavisd reload, and postfix flush.
  
 
 
 why postfix flush? mail may be deferred for reasons unrelated to
 amavisd-new status. just let postfix do its job as usual.

Everything in the queue tempfails when amavisd-new is restarted, since
it can't reach the filter.  There is less impact to the customers if I
do a flush immediately after reloading amavisd


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: how to make a custom ruleset

2009-03-05 Thread Daniel J McDonald
On Thu, 2009-03-05 at 21:31 +0800, Adi Nugroho wrote:
 Dear all,
 
 I found that a lot of spam is using recipient email address as the sender.
 (from a...@internux.co.id to a...@internux.co.id, or from i...@apache.org to 
 i...@apache.org).
 
 Since if we mail to our self, usually we have very low score, I hope it is 
 safe to give a BIG score (probably 2 or 3).
 
 Is there a hint how to make this custom rule set?

Here's one way.  I'm sure there will be many holes in this approach.

1. Define and publish SPF policies for your network.
2. Create a rule like this:

header __OUR_DOMAIN_FROM From:addr =~ /example\.com/i
header __OUR_DOMAIN_ENVELOPE EnvelopeFrom:addr =~ /example\.com/i

meta OUR_DOMAIN (__OUR_DOMAIN_FROM || __OUR_DOMAIN_ENVELOPE) && SPF_FAIL
describe OUR_DOMAIN claims to be from our domain but fails SPF
score OUR_DOMAIN 2.5

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
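As an added example (not the poster's code, nor SpamAssassin's), the OUR_DOMAIN meta above modelled in Python: a minimal SPF evaluator that handles only ip4 mechanisms and the final all term, a constructed SPF record for example.com, and three constructed messages covering self-addressed spam from an outside host, genuine internal mail, and one of the "holes" the poster anticipates (a forged From: with an envelope sender from a domain that publishes no SPF).

```python
"""Model of the OUR_DOMAIN rule: (__OUR_DOMAIN_FROM || __OUR_DOMAIN_ENVELOPE) && SPF_FAIL.

Added example, not code from the thread or from SpamAssassin. The SPF
record, message samples and IP addresses are constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict

# Constructed SPF record for example.com; a real check fetches it as the
# domain's TXT record. Only our own MTAs (192.0.2.0/24) may send for it.
SPF_RECORDS: Dict[str, str] = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Domain test behind __OUR_DOMAIN_FROM / __OUR_DOMAIN_ENVELOPE (applied to
# the domain part of the address, so sub-domains of example.com also match).
OUR_DOMAIN_RE = re.compile(r"(?:^|\.)example\.com$", re.I)


def spf_result(domain: str, client_ip: str, records=SPF_RECORDS) -> str:
    """Minimal SPF evaluator: ip4 mechanisms and the 'all' default only.

    Returns pass/fail/softfail/neutral, or 'none' when the domain publishes
    no record (what a forged envelope domain without SPF produces).
    """
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record ended without an 'all' term


def domain_of(address: str) -> str:
    """Domain part of an RFC 5322 address such as 'Alice <alice@example.com>'."""
    return parseaddr(address)[1].rpartition("@")[2]


def our_domain_rule(raw_message: str, envelope_from: str, client_ip: str) -> Dict[str, object]:
    """Evaluate the two sub-rules, SPF, and the OUR_DOMAIN meta for one message."""
    msg = message_from_string(raw_message)
    from_claim = bool(OUR_DOMAIN_RE.search(domain_of(msg.get("From", ""))))
    env_claim = bool(OUR_DOMAIN_RE.search(domain_of(envelope_from)))
    # SPF_FAIL is evaluated against the envelope sender's domain and the
    # connecting relay's IP, never against the From: header.
    spf = spf_result(domain_of(envelope_from), client_ip)
    fires = (from_claim or env_claim) and spf == "fail"
    return {
        "__OUR_DOMAIN_FROM": from_claim,
        "__OUR_DOMAIN_ENVELOPE": env_claim,
        "SPF": spf,
        "OUR_DOMAIN": fires,
        "score": 2.5 if fires else 0.0,
    }


# Constructed sample messages.
FORGED = "From: Alice <alice@example.com>\nTo: alice@example.com\nSubject: hi\n\nbody\n"
INTERNAL = "From: Bob <bob@example.com>\nTo: alice@example.com\nSubject: lunch\n\nbody\n"

if __name__ == "__main__":
    # self-addressed spam from an outside host: both sub-rules hit, SPF fails -> 2.5
    print(our_domain_rule(FORGED, "alice@example.com", "203.0.113.7"))
    # genuine internal mail from our own MTA: SPF passes -> 0.0
    print(our_domain_rule(INTERNAL, "bob@example.com", "192.0.2.10"))
    # forged From: but an envelope domain with no SPF record: SPF_FAIL never fires
    print(our_domain_rule(FORGED, "bounce@spammer.invalid", "203.0.113.7"))
```

The third case is why the poster's step 1 (publishing SPF) is necessary but not sufficient: the rule only sees a FAIL when the forged address is also used as the envelope sender.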



Re: please help, getting hammered with snowshoe spam

2009-01-23 Thread Daniel J McDonald
On Fri, 2009-01-23 at 07:56 -0800, Dennis Hardy wrote:
 Hi, I'm getting hammered by snowshoe spam :-(  I've added rules to try to
 catch common formats of included URLs in the spam, but I'm wary of scoring
 these rules too high because of the potential for false positives.  It's
 hard to come up with other rules as the spam e-mail content is so generic. 
 By default these spams score incredibly low (bayes, etc.)  In many cases,
 the low bayes values are scoring negative, which completely offsets the few
 positive scoring rules that I have added.

I've been using this rule to knock some of these down:
uri AE_ASM /\/[[:alpha:]]{28,40}$/
describe AE_ASM long gibberish path used by ASM Marketing
score AE_ASM 1

Highly unusual to have a url like that in ham...
I'm running a meta to bump up the score...

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Daniel J McDonald

On Wed, 2009-01-14 at 09:59 -0500, Rob McEwen wrote:
 Rasmus Haslund wrote:
  After a loud outcry from our users from the increasing level of spam in
  their inboxes, I installed the Botnet Plugin.
  
  Is this something that can be used with the SA in Icewarp Merak?

 
 Because Rasmus manages a mail server where B2B mail is routinely
 sent/received _globally_, Rasmus is the king of finding FPs. I could be
 wrong, but judging from previous reports about the Botnet Plugin, I
 predict that Rasmus will either (a) find the Botnet Plugin utterly
 unusable due to FPs, or (b) only be able to score it by a point or two
 due to excessive FPs. (Rasmus--by all means--please don't take my word
 for it--try it out and then let us know what happened!)

I too found botnet to be a great source of FP.  By combining it with p0f
it's moderately useful.

But sanesecurity would be more useful...  a pity we can't replicate the
incremental updates that the official clamav project uses.  I seem to
recall that they had problems scaling until they went to that process.



-- 
Dan McDonald, CCIE #2495, CISSP# 78281, CNX
www.austinenergy.com


Re: Improve the score of this mail?

2008-12-08 Thread Daniel J McDonald

On Mon, 2008-12-08 at 11:38 +, Tom Brown wrote:
  feed them to 'spamassassin -r'

 
 i do that when i get them
 
  ... do you use SOUGHT rules?
 

 
 i dont use these rules no - is there a howto regarding these as google 
 is letting me down a bit?

http://taint.org/2007/08/15/004348a.html

-- 
Daniel J McDonald [EMAIL PROTECTED]


Re: Single URI spam not checked against URIBLs

2008-12-08 Thread Daniel J McDonald

On Sat, 2008-12-06 at 18:22 -0500, Theo Van Dinter wrote:
 On Sat, Dec 06, 2008 at 11:16:03PM +0100, Wolfgang Zeikat wrote:
  Could you describe more elaborately how you did that?
 
 You may wish to take a look at cpan2rpm, fwiw.

deprecated.  look at cpan2dist if you are running perl 5.10

-- 
Daniel J McDonald - CCIE #2495, CISSP # 78281, CNX



Re: rDNS problem

2008-11-21 Thread Daniel J McDonald
On Fri, 2008-11-21 at 18:22 -0500, Jeff Koch wrote:
 Hi All
 
 Hopefully another pair of eyes can help find the reason for this rDNS 
 error. Here's SA header message:
 
  *  1.0 RDNS_NONE Delivered to trusted network by a host with no rDNS
 Received: from unknown (HELO cronus.intersessions.com) (74.220.16.65)
 
 As far as I can tell 'cronus.intersessions.com' has reverse setup and it 
 matches 74.220.16.65.
 
 What am I missing?

74/8 was removed from the Bogon list in 2005, but maybe the recipient
hasn't updated their bogon acl in bind...

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: OT: DNS restrictions for a mail server

2008-10-28 Thread Daniel J McDonald
On Wed, 2008-10-22 at 23:59 +0200, Jonas Eckerman wrote:
 Matus UHLAR - fantomas wrote:
 
  In my understanding, these are different concepts. In particular, RMX
  doesn't hijack the TXT record, which is one of the major sins of SPF.
 
  Yes, but they both were designed to do the same work. SPF however can do
  more. TXT was used because nothing else could, at least I think so.
 
 They could have used a prefix host to avoid hijacking the main 
 TXT record. (So you'd query the TXT record for 
 __spf__.domain.tld or something like that instead of the TXT 
 record for domain.tld when checking SPF.

Could have, but underscores are not a legal character in domain names.

And now BIND 9.4 supports the SPF RR type, so we just have to wait a
decade or two until everyone still running bind 4.0 has a chance to
upgrade ;-)

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Daniel J McDonald
On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:
 We're trying it today.  
 
 For the same period of about 4.5 hours, zen had about 110 hits, while 
 b.barracuda had about 165. 

In about 26 hours I had 885 hits on b.barracuda,  and 309 hits on the
various zen lists.

Zen had only 18 unique hits, 

$ grep -c BRBL /var/log/mail/info
885
$ grep -c XBL /var/log/mail/info
270
$ grep -c -P BRBL.+XBL /var/log/mail/info
260
$ grep -c PBL /var/log/mail/info
4
$ grep -c -P BRBL.+PBL /var/log/mail/info
4
$ grep -c SBL /var/log/mail/info
35
$ grep -c -P BRBL.+SBL /var/log/mail/info
27

The numbers might be slightly worse for zen, since I had a couple of
multiple-zen hits:
$ grep -c -P BRBL.+[PSX]BL.+[PSX]BL /var/log/mail/info
3

I'm currently scoring it a 1.00, if it really is accurate I would like
to increase it.
-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: New free blacklist: BRBL - Barracuda Reputation Block List

2008-09-22 Thread Daniel J McDonald
On Mon, 2008-09-22 at 10:14 -0400, Justin Piszcz wrote:
 
 On Mon, 22 Sep 2008, Daniel J McDonald wrote:
 
  On Sun, 2008-09-21 at 18:18 -0500, Len Conrad wrote:
  We're trying it today.
 
 
 Hmm I signed up for this 1-2 days ago but never got a confirmation e-mail 
 from them?  What is the RBL name?

Here are the rules I'm using:
# URL: http://www.barracudacentral.org/rbl/
header __RCVD_IN_BRBL   eval:check_rbl('brbl', 'b.barracudacentral.org')
describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
header RCVD_IN_BRBL_RELAY   eval:check_rbl_sub('brbl', '127.0.0.2')
tflags RCVD_IN_BRBL_RELAY   net
describe RCVD_IN_BRBL_RELAY  received via a relay rated as poor by Barracuda
score   RCVD_IN_BRBL_RELAY  1.00


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
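How a rule pair like __RCVD_IN_BRBL / RCVD_IN_BRBL_RELAY above turns a relay's IP into a DNS lookup and reads the 127.0.0.x answer, as an added Python example that is not part of this post or of SpamAssassin's own code. The zone data, addresses and lookup function are constructed stand-ins for a live resolver; the zen.spamhaus.org return-code ranges used in zen_lists follow Spamhaus's published documentation (SBL/CSS 127.0.0.2-3, XBL 127.0.0.4-7, PBL 127.0.0.10-11) and are assumed unchanged.

```python
import ipaddress

# Constructed DNSBL answers standing in for live DNS (not real listings).
# Keys are the names a check_rbl-style lookup would query.
FAKE_ZONE = {
    "5.4.3.2.b.barracudacentral.org.": ["127.0.0.2"],
    "9.8.7.6.zen.spamhaus.org.": ["127.0.0.4", "127.0.0.10"],
}


def fake_lookup(name):
    """Stand-in for an A-record lookup; returns [] when the name is not listed."""
    return FAKE_ZONE.get(name, [])


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the zone (always with a trailing dot)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    if not zone.endswith("."):
        zone += "."
    return ".".join(reversed(octets)) + "." + zone


def check_rbl(ip, zone, lookup=fake_lookup):
    """Like a check_rbl test: the set of 127.0.0.x answers for ip in zone (empty set = not listed)."""
    return set(lookup(dnsbl_query_name(ip, zone)))


def check_rbl_sub(answers, code):
    """Like a check_rbl_sub test: does the zone's answer contain this specific return code?"""
    return code in answers


# Documented zen return-code ranges, keyed by sub-list (assumption: unchanged since publication).
ZEN_CODES = {"SBL": range(2, 4), "XBL": range(4, 8), "PBL": range(10, 12)}


def zen_lists(answers):
    """Map zen answers to the sub-lists (SBL/XBL/PBL) responsible for the listing."""
    hit = set()
    for answer in answers:
        last_octet = int(answer.split(".")[-1])
        for name, codes in ZEN_CODES.items():
            if last_octet in codes:
                hit.add(name)
    return hit


if __name__ == "__main__":
    brbl = check_rbl("2.3.4.5", "b.barracudacentral.org")
    print("BRBL answers:", brbl, "poor-reputation code present:", check_rbl_sub(brbl, "127.0.0.2"))
    print("zen sub-lists for 6.7.8.9:", zen_lists(check_rbl("6.7.8.9", "zen.spamhaus.org")))
```

The trailing dot matters: without it a resolver configured with a search list may append the local domain to the query name, which is why the zone is normalised before the lookup.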



Re: Spam volumes down since last week

2008-06-24 Thread Daniel J McDonald
On Tue, 2008-06-24 at 10:19 -0400, Randy Ramsdell wrote:
 ram wrote:
  I am seeing a clear downtrend in the number for spams hitting our
  servers, I am not sure why ? Since Last week spams are at 50% of what
  they used to be last month. Is this what you all are seeing 


 Our spam levels are 1/2 to 1/3 of what they were two weeks ago. Also, 
 virus e-mails are also very very low. Low enough for me to start 
 reviewing the e-mail logs for anomalies.

Two weeks ago was a little higher than 8 weeks ago, but nothing
dramatic.  The whole quarter has been in the 10-14 spams per minute
range.  I don't track the number of connections dropped by greylisting,
so that might be masking anything anomalous.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: +++Spam+++: ***SPAM*** RBLs not functioning

2008-05-12 Thread Daniel J McDonald
On Mon, 2008-05-12 at 09:38 -0400, Matt Adair wrote:
 [84550] dbg: config: score set 0 chosen.

Somehow you have turned off network tests.  Are you calling spamassassin
with -L ?  Do you have the following in your local.cf file?

dns_available yes
skip_rbl_checks 0

dns_available might also be set to test

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: spamassassin 3.2.4, DKIM and DomainKeys

2008-01-11 Thread Daniel J McDonald

On Fri, 2008-01-11 at 18:00 +0100, Mark Martinec wrote:
 Pascal,
 
  it seems that since my upgrade to spamassassin 3.2.4, the DKIM and
  DomainKeys verifiers are no longer used.

My 3.2.4 installation is working fine using Mail::DKIM version 0.29-4

Jan 11 11:20:35 sa amavis[14033]: (14033-16) SPAM,
[EMAIL PROTECTED] - [EMAIL PROTECTED], Yes,
score=13.178 tag=-99 tag2=4.5 kill=6.31 tests=[ACT_NOW_CAPS=0.001,
DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, L_P0F_Linux=-0.1,
MIME_QP_LONG_LINE=1.819, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RELAY_US=0.01,
SARE_EN_A_6XX_1=2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
URIBL_BLACK=1.961, URIBL_JP_SURBL=2.857, URIBL_OB_SURBL=2.132],
autolearn=disabled, quarantine XTaDjzHYEhiO (spam-quarantine)


-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: the opposit of ok_locales ??

2007-12-07 Thread Daniel J McDonald

On Fri, 2007-12-07 at 08:38 -0500, Matt Kettler wrote:
 Stefan Jakobs wrote:
  Let's assume you're running a mailrelay for a university and your users are 
  from different countries. Let's assume further on you have no Swedish people at 
  your university (and you get a lot of spam from Sweden). Then it would be 
  nice to have a not_ok_locales option, because you see immediately which 
  locale character set is considered as possible spam.
 
  If you have a list of: af ax al dz as ad ao ai aq ag ar am aw ac au at az bs 
  bh bb by be bz bm bt bo ba ... ve vn vg vi wf eh ye yu zm zw
  Do you see that Sweden is the only country which is missing?  I know it 
  maybe, but what happens when I quit my job, and somebody else should find the 
  mistake why some mails from Sweden are considered as spam? This can be a 
  trap.
 
  I know this is a case with a lot of ifs, but I mean it is better to have good 
  readable configuration than to prevent a second parameter which does nearly 
  the same as the first one.
 

 Now that sounds like a valid reason to me. The only problem is if you
 use not_ok_locales, then you should not use ok_locales.. This might get
 confusing to someone who thinks they're white/blacklists.

 It would be a harmless confusion, but if you specified:
 
 not_ok_locales se
 ok_locales en
 
 The ok_locales would do nothing at all.  We'll have to document that
 *very* carefully.

Maybe something like:
ok_locales !se all


Re: Multiple domains, only the first is tagged

2007-11-15 Thread Daniel J McDonald

On Thu, 2007-11-15 at 12:07 -0800, marcel458 wrote:
 I use Fedora Core 8, amavisd-new, clamav and spamassassin, all current
 releases.
 I have 3 domains (non commercial), only the first domain is tagged, the
 others not. Virus is checked for all domains.
 What can I try to fix this? I already googled and searched for it but did
 not found any working solution.

This is an amavisd-new issue.  You need to add all of the the domains to
the @local_domains_maps variable in amavisd.conf

Example:
@local_domains_maps = ( [".$mydomain"], "example.com", "example.org",
"example.net" );  # list of all local domains

 
 Thanks in advance!
-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: Spamassassin 2.6

2007-11-02 Thread Daniel J McDonald

On Fri, 2007-11-02 at 17:27 +0530, Ranjith Kumar wrote:
 Hello,
 
 Where can I get the spamassassin 2.6 version for download?
 Please help me.

http://www.cpan.org/modules/by-module/Mail/

specifically:
http://www.cpan.org/modules/by-module/Mail/Mail-SpamAssassin-2.64.tar.gz
http://www.cpan.org/modules/by-module/Mail/Mail-SpamAssassin-2.63.tar.gz
http://www.cpan.org/modules/by-module/Mail/Mail-SpamAssassin-2.62.tar.gz

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: whitelist_from_rcvd with numeric IP?

2007-10-30 Thread Daniel J McDonald

On Tue, 2007-10-30 at 11:57 -0400, Rosenbaum, Larry M. wrote:
 The documentation for whitelist_from_rcvd shows examples like this:
 
 whitelist_from_rcvd [EMAIL PROTECTED]  example.com
 
 What if the sending server has no rDNS?

They you can't use whitelist_from_rcvd, and the sender needs to fix
their rDNS!

   Is there a way to use this feature with a numeric IP instead of a rDNS 
 domain? 
No.

  If so, what is the syntax?

If they are adamant that they can't fix rDNS, I usually ask for an SPF
record, and then do a whitelist_from_spf.  When they claim that they can
fix neither rDNS or set their SPF record, I might use amavisd-new's
soft-whitelisting to trim a couple of points, or I tell them to pound
sand.  Usually I can convince people to fix one or the other.

 

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: Custom rules working, but not sa-updates

2007-10-30 Thread Daniel J McDonald

On Tue, 2007-10-30 at 08:35 -0500, Andy Norris wrote:
 Hi,
 
 I don't know if this is relevant for you or not, but on our mail  
 server I could not get sa-update to work, either. I noticed that if  
 the directory was not there, however, it would work.

Sounds like a permissions issue.  

  So a down and  
 dirty approach I took was writing a crop job that removes that  
 directory just before running sa-update.

So, you delete it every time, even when there are no updates?  And since
updates occur about once or twice a month, you are downloading the same
stuff over and over.  Plus you are missing rules at certain points of
the cycle.

  I know this is going to be a  
 bit much for some folks on here to handle, but I had to get on with  
 life at some point!
true, but you could just find the real problem (permissions) and fix it.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: blacklist.cf needs to die (was Re: Help figuring our why SA is taking like 1.5 minutes to filter...)

2007-10-26 Thread Daniel J McDonald
On Fri, 2007-10-26 at 08:16 -0400, Matt Kettler wrote:
 Justin Mason wrote:
 
  What else can we do?

 Add code to generate a lint warning any time a .cf file over 1mb is read
 unless a config option is set to silence it?

But people don't read logs, or they would know...  I'd suggest die-ing
instead.
 
 Possibly even have this as as:
 warn_conffile_maxsize  (speced in KB, default 1024)
 
 Users that want to use absurdly large files can just raise the number..

+1

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: Discarding RBL-Mails, forwarding others

2007-09-25 Thread Daniel J McDonald
On Tue, 2007-09-25 at 12:39 +0200, Dietmar Braun wrote:
 Hi,
 
 I am working with Postfix and I am searching for a solution for the
 following issue:
 
 - all mails coming from hosts on a RBL should be /dev/nulled

http://www.postfix.org/uce.html#smtpd_client_restrictions

 - all other mails should be forwarded to another email address not on
 the same server
http://www.postfix.org/postconf.5.html#always_bcc

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: sender name same as recipient name

2007-09-25 Thread Daniel J McDonald
On Tue, 2007-09-25 at 11:38 -0700, feral wrote:
 
 
 John D. Hardin wrote:
  
  On Tue, 25 Sep 2007, feral wrote:
  
  Whatever the case, global bayes or not, or even bayes or not, how
  could an email with the obvious porn words in the subject (as in
  my examples) NOT get flagged?
  
  If bayes was mistrained to consider such words hammy, then BAYES_00
  could drag the score back down below the threshold, cancelling out the
  points added by HOT_NASTY and PORN_16.
  
 
 X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
 autolearn=no version=3.1.9
 
 So BAYES_00 brought the score down to negative .6 ?  Methinks the BAYES is
 not
 even functional (database absent).
 
 How do I enable network tests?

Basically, ensure it can resolve DNS.  You can force it with 

dns_available yes
use_bayes_rules 1

If you want to turn bayes off:

use_bayes 0

or maybe:

use_bayes_rules 0

(if you want it to attempt to continue to update the bayes database)



 
 thanks 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: sender name same as recipient name

2007-09-25 Thread Daniel J McDonald
On Tue, 2007-09-25 at 12:15 -0700, feral wrote:
 
 Hmmm... deepest thread here w/ John Hardin somehow got
 broken... nabble hiccup?
 
 So I am posting response here:
 
 Daniel McDonald wrote:
 
 
  basically, ensure it can resolve DNS.  You can force it with 
  
  dns_available yes
[...]
 Where is this configuration file?

On my box, /etc/mail/spamassassin/local.cf

but if /etc/resolv.conf doesn't have any dns servers, it won't work anyway...



Re: zero score rules still show up in 3.2.2

2007-07-30 Thread Daniel J McDonald
On Sun, 2007-07-29 at 00:45 +0200, guenther wrote:
 On Thu, 2007-07-26 at 13:30 -0500, McDonald, Dan wrote:
  I may have dreamed it, but I thought I remembered a discussion about
  removing rules with a zero score from spam reports.  I upgraded one of
  my systems to 3.2.2 today (Mandriva Corporate Server 4.0, perl 5.8.7,
  called from amavisd-new 2.5.2) and still see zero scores from plugins
  displayed:
 
 Bug 5519. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5519

Ah, there it is.  Guess we'll wait for 3.2.3 and see if they disappear
then.


 
   guenther
 
 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: where and how can I add new rule

2007-07-26 Thread Daniel J McDonald
On Thu, 2007-07-26 at 07:14 -0700, lochness wrote:
 Hello all, I'm a new user of SpamAssassin and I'm looking for how to add rules and
 what file to edit. Excuse me for my bad English, thanks for your help.
System-wide, you can create a new file in /etc/mail/spamassassin.
Anything with a .cf ending will be read as a rules file.  

If you are just a user, not a sysadmin, you may be able to create rules
in ~/.spamassassin/user_prefs, but that depends on a lot of variables
that your sysadmin will be able to tell you about.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Upgrade problem from 3.1.7 to 3.2.1

2007-07-23 Thread Daniel J McDonald
On Mon, 2007-07-23 at 14:58 +0200, Balzi Andrea wrote:
 Hi
 
 On my smtp-relay (Debian based) I've installed spamassassin from the
 Debian package and afterwards upgraded it with the following command:
 
 /usr/bin/cpan Mail::SpamAssassin
 
 Now when trying to upgrade spamassassin v3.1.7 to v3.2.1 with the same
 command I see the following messages:
 
 t/spamc_optCNot found: reported spam = Message

Bug 5510
 
 At the following error I've stopped everything.
 What is the problem? Is some library lacking? Can you suggest how I can
 solve it?

Don't compile it as root.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Why unsolicited bulk e-mail ?

2007-07-17 Thread Daniel J McDonald
On Tue, 2007-07-17 at 14:44 +0200, Salvatore wrote:
 Hi,
 I have a problem when I send mail to a mail address: my mail is considered
 unsolicited bulk e-mail but I don't know for what reason. When I send mail
 I receive this report:
 
 Your message to:
 - [EMAIL PROTECTED]
 
 was considered unsolicited bulk e-mail (UBE).
[...]
 X-Virus-Scanned: Maia Mailguard 1.0.1
 X-Spam-Status: Yes, hits=2.435 tag=2 tag2=2 kill=2 tests=[AWL=-0.677,
  BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, FORGED_RCVD_HELO=0.135,
  HTML_MESSAGE=0.001, NO_REAL_NAME=0.961, SUBJECT_ENCODED_TWICE=1.723,
  TVD_FW_GRAPHIC_NAME_LONG=1.8]
 X-Spam-Score: 2.435

Kill level of 2?  He apparently doesn't want to communicate with
anyone. 

But you can lower your score easily, just by adding a real name to
your e-mail address. Instead of 
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]

do:
 From: Tech support [EMAIL PROTECTED]

Then your message will only score 1.5, and it will be below the fellow's
ridiculously low scoring threshold.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


RE: Post cart spams

2007-07-17 Thread Daniel J McDonald
On Tue, 2007-07-17 at 15:33 -0700, John D. Hardin wrote:
 On Tue, 17 Jul 2007, Dan Barker wrote:
 
 http://www.impsec.org/~jhardin/antispam/
  
  I don't see it in that directory. What's the filename?
 
 postcards.cf
 
 It takes a short while after I send the email for the file to sync out 
 to the server.

works like a champ for me:

[EMAIL PROTECTED] ~]$ sudo grep -o -P POSTCARD.*?= /var/log/mail/info |
sort | uniq -c
444 POSTCARD_01=
That's in just 2 hours...

Thanks!

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: PDFInfo plugin with SA 3.1.7

2007-07-11 Thread Daniel J McDonald
On Wed, 2007-07-11 at 14:49 +0530, Suhas Ingale wrote:

 Has anyone tried running PDFInfo plugin with 3.1.7 version?
 

No, finally got it working yesterday evening using 3.2.1, but the
initial results are underwhelming.  Almost 100% overlap with
TVD_SPACE_RATIO.  Only one miss:
sudo grep GMD_PDF /var/log/mail/info | grep -v TVD_SPACE_RATIO
Jul 11 03:26:15 sa amavis[25324]: (25324-17) SPAM, [EMAIL PROTECTED] -
[EMAIL PROTECTED], Yes, score=25.456 tag=-99 tag2=4.5
kill=6.31 tests=[BODY_8BITS=1.5, BOTNET_CLIENT=0.01,
BOTNET_CLIENTWORDS=0, BOTNET_IPINHOSTNAME=0, BOTNET_W=2,
DKIM_POLICY_SIGNSOME=0, FH_HELO_EQ_D_D_D_D=0.498,
GMD_PDF_BAD_FUZZY=3.75, GMD_PDF_HORIZ=0.25, GMD_PDF_STOX=1,
HELO_DYNAMIC_DHCP=1.52, HELO_DYNAMIC_IPADDR=2.935, L_P0F_W=1,
RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5,
RAZOR2_CHECK=0.5, RCVD_IN_BL_SPAMCOP_NET=2.188, RCVD_IN_PBL=0.509,
RCVD_IN_XBL=2.896, RDNS_DYNAMIC=0.1, UNWANTED_LANGUAGE_BODY=2.8],
autolearn=disabled

That's out of
[EMAIL PROTECTED] ~]$ sudo grep -o -P GMD_PDF.+?= /var/log/mail/info | sort
| uniq -c
684 GMD_PDF_BAD_FUZZY=
 43 GMD_PDF_HORIZ=
 67 GMD_PDF_STOX=
 24 GMD_PDF_VERT=


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
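The grep-and-count checks used in this thread to size up a new rule (BRBL hits against the zen sub-lists in the Barracuda post, GMD_PDF_* against TVD_SPACE_RATIO above) answer the same question: how often does the new rule fire on messages no existing rule already caught? The following is an added Python example, not part of any post in this thread, that parses the amavisd-new "tests=[...]" log format seen here and reports per-rule hit counts plus the overlap of one rule with a set of established rules. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Constructed amavisd-new log lines in the format quoted in this thread
# (not real log data; rule names chosen to show BRBL overlap with zen).
SAMPLE_LOG = """\
Sep 22 10:01:02 sa amavis[1001]: (1001-01) SPAM, <a@x> -> <b@y>, Yes, score=12.1 tests=[RCVD_IN_BRBL_RELAY=1, RCVD_IN_XBL=2.896, RCVD_IN_PBL=0.509]
Sep 22 10:01:05 sa amavis[1001]: (1001-02) SPAM, <c@x> -> <b@y>, Yes, score=9.3 tests=[RCVD_IN_BRBL_RELAY=1, RCVD_IN_SBL=1.5]
Sep 22 10:01:09 sa amavis[1001]: (1001-03) SPAM, <d@x> -> <b@y>, Yes, score=8.0 tests=[RCVD_IN_BRBL_RELAY=1, URIBL_BLACK=1.961]
Sep 22 10:01:12 sa amavis[1001]: (1001-04) Passed CLEAN, <e@x> -> <b@y>, No, score=-1.2 tests=[BAYES_00=-2.599, RCVD_IN_XBL=2.896]
Sep 22 10:01:20 sa amavis[1001]: (1001-05) SPAM, <f@x> -> <b@y>, Yes, score=7.7 tests=[RCVD_IN_BRBL_RELAY=1, RCVD_IN_XBL=2.896, RCVD_IN_SBL=1.5]
"""

# The zen sub-lists as SpamAssassin names them in its default rules.
ZEN_RULES = ("RCVD_IN_SBL", "RCVD_IN_XBL", "RCVD_IN_PBL")

TESTS_RE = re.compile(r"tests=\[(.*?)\]")


def parse_hits(line):
    """Return the set of rule names in one log line's tests=[...] field (empty if absent)."""
    match = TESTS_RE.search(line)
    if not match:
        return set()
    return {item.split("=", 1)[0].strip()
            for item in match.group(1).split(",") if item.strip()}


def rule_counts(log_text):
    """Per-rule hit counts over all lines, the equivalent of grep -o ... | sort | uniq -c."""
    counts = Counter()
    for line in log_text.splitlines():
        counts.update(parse_hits(line))
    return counts


def overlap(log_text, new_rule, established_rules):
    """Split the new rule's hits into those shared with an established rule and those unique to it.

    A high 'alone' count is what justifies raising the new rule's score;
    near-total overlap means the rule adds little beyond what is already caught.
    """
    established = set(established_rules)
    shared = alone = 0
    for line in log_text.splitlines():
        hits = parse_hits(line)
        if new_rule not in hits:
            continue
        if hits & established:
            shared += 1
        else:
            alone += 1
    return {"shared": shared, "alone": alone}


if __name__ == "__main__":
    for rule, n in rule_counts(SAMPLE_LOG).most_common():
        print(f"{n:4d} {rule}")
    print(overlap(SAMPLE_LOG, "RCVD_IN_BRBL_RELAY", ZEN_RULES))
```

Real amavis log lines are often wrapped across several syslog records; join continuation lines before feeding them to parse_hits, or the tests field will be truncated.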


Re: Adding ruleset

2007-07-10 Thread Daniel J McDonald
On Tue, 2007-07-10 at 02:51 -0400, Daryl C. W. O'Shea wrote:
 Diptanjan wrote:
  Hello All,
  
  I would like to add a german ruleset: http://zmi.at/x/70_zmi_german.cf
  
  Should I put this into my channel file? and call a sa-update through a
  cronjob so that is updated regularely?
 
 If by this you mean 70_zmi_german.cf.zmi.sa-update.dostech.net, 
 yeah.  You'll also need to trust my GPG key, the same as the SARE channels.

And how, precisely, do you set the trust on the GPG key?  I've tried a
number of methods, but I always end up having to either specify your key
or just throw caution to the wind and use --nogpg.
[EMAIL PROTECTED] ~]$ sudo gpg
--homedir /etc/mail/spamassassin/sa-update-keys/ --edit-key daryl
[...]
Command list

pub  1024D/856AA88A  created: 2006-08-10  expires: never   usage:
SC  
 trust: marginal  validity: unknown
sub  4096g/0A6B05C3  created: 2006-08-10  expires: never   usage:
E   
[ unknown] (1). Daryl C. W. O'Shea [EMAIL PROTECTED]



So, it should be in my trustdb, but that doesn't mean that sa-update
will use it...


 
 http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
 

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Botnet over aggressive?

2007-07-03 Thread Daniel J McDonald
On Tue, 2007-07-03 at 16:39 +0200, Cliff Stanford wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 I'm still a bit vague on how the SpamAssassin rules fit together but
 I've noticed that, since upgrading to the latest version, I'm getting a
 lot of false positives.
 
 The common cause seems to be Botnet.cf. 

Botnet is very aggressive by default.  Combining it with p0f it is
almost useful.  Setting up p0f support is a non-trivial exercise, for
which there are good articles in the archives that would explain it much
better than I could do here.

My rules are:

meta  BOTNET_WXP  !DKIM_VERIFIED && !DK_VERIFIED && L_P0F_WXP && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_WXP  3.2

meta  BOTNET_W  !DKIM_VERIFIED && !DK_VERIFIED && ( L_P0F_W || L_P0F_UNKN) && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_W  2.0

meta  BOTNET_OTHER  !BOTNET_W && (BOTNET_CLIENT+BOTNET_BADDNS+BOTNET_NORDNS) > 0
score BOTNET_OTHER  0.5

I'm still getting a trickle of false positives, but that seems to be
much more realistic than 5 for everything.
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: MD5 Hash of URL's

2007-07-03 Thread Daniel J McDonald
On Tue, 2007-07-03 at 10:11 -0500, Matt wrote:
 Why can't Spamassassin do like a MD5 hash of any URL's in a message
 and check them against a database?  

Well, not MD5, but Whiplash type 8 signatures in Razor-2 are pretty
similar.

 I just think it would help catch
 things like: geocities.com/spamer123/ or spamer123.tripod.com and etc.

Again, Razor does a fair job at finding this, as long as people report.


  It would also work for Tinyurl links and the like.

Google recently came out with an anti-malware API that uses various MD5
hashes of URI's, but they have not yet licensed it for the world, and I
only briefly thought about writing a plugin to call it.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Automatic Whitelist Generation - Why wouldn't this work?

2007-06-25 Thread Daniel J McDonald
On Mon, 2007-06-25 at 06:25 -0700, Marc Perkel wrote:
 Clarification. When I say that spammers can't spoof RNDS what I mean is 
 that if you do a reverse lookup and get a spoofed name then when you 
 look up the spoofed name it won't resolve back to the IP you looked up. 
 I'm testing this idea now.

Of course, that's what the botnet plugin does.

But if you are looking for known ham sources, that's bonded sender or
some such.  They at least have a financial incentive to not send spam.
For anyone else it's just a matter of when they get pwn3d next.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
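The forward-confirmed check Marc describes above (reverse-resolve the IP, then resolve the returned name and require it to point back at the same IP) is also what decides whether whitelist_from_rcvd can ever match a host, as discussed earlier in this thread: a host with no rDNS, or with a PTR that does not confirm, cannot be whitelisted by name. The following is an added Python example, not part of this thread or of the Botnet plugin; the addresses and DNS records are constructed, and the two lookup functions are stand-ins for a real resolver.

```python
import ipaddress

# Constructed DNS data (not real hosts). PTR answers keyed by IP, A answers keyed by name.
FAKE_PTR = {
    "192.0.2.10": ["mail.example.net."],   # genuine: name resolves back to this IP
    "192.0.2.20": ["mail.example.net."],   # forged PTR: borrows a name it does not own
    "192.0.2.30": [],                      # no rDNS at all
}
FAKE_A = {
    "mail.example.net.": ["192.0.2.10"],
}


def fake_ptr(ip):
    """Stand-in for a PTR lookup on the in-addr.arpa name of ip."""
    return FAKE_PTR.get(ip, [])


def fake_a(name):
    """Stand-in for an A lookup of a hostname."""
    return FAKE_A.get(name, [])


def reverse_name(ip):
    """The in-addr.arpa name a resolver actually queries for the PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip, ptr_lookup=fake_ptr, a_lookup=fake_a):
    """Forward-confirmed reverse DNS.

    Returns (status, name) where status is one of:
      'confirmed' - a PTR name resolves back to ip (safe to match by name)
      'no_rdns'   - no PTR record (name-based matching is impossible)
      'mismatch'  - PTR present but none of its names point back (treat as unverified)
    """
    names = ptr_lookup(ip)
    if not names:
        return ("no_rdns", None)
    for name in names:
        if ip in a_lookup(name):
            return ("confirmed", name)
    return ("mismatch", names[0])


def may_whitelist_by_rdns(ip, expected_domain, **lookups):
    """Only a confirmed name, ending in the expected domain, qualifies for a name-based whitelist."""
    status, name = fcrdns(ip, **lookups)
    return status == "confirmed" and name.rstrip(".").endswith(expected_domain)


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, reverse_name(ip), fcrdns(ip), may_whitelist_by_rdns(ip, "example.net"))
```

The 'mismatch' case is the one a plain reverse lookup gets wrong: the PTR answer looks legitimate, but the forward check is what exposes that the name belongs to someone else.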


Re: Help in writing rules to catch SREA stock spams

2007-06-22 Thread Daniel J McDonald
On Fri, 2007-06-22 at 17:03 +0200, arni wrote:
 Marc Perkel schrieb: 
  
  That doesn't answer his question though. He didn't ask for your
  opinion about if he needed it. If the rules were working for him he
  wouldn't be asking for help. When someone asks a question telling
  them they don't need it is generally the wrong answer and a waste of
  time.
  
 I was more trying to show him that installing the botnet plugin alone,
 together with a decent bayes or 1 or 2 more rules already does the job
 and instead of writing a new rule for each stock spam that comes out,
 this will catch almost all of it (all of it in my case)

Well, bayes is very hard to implement on a mid-span spamassassin
implementation (no feedback loop for missed spam or false ham).  In my
case, I use spamassassin under amavisd-new as a front-end filter,
discard/quarantine the trash, then deliver to MS Exchange for end users
to read.

And I've been catching actual customers and vendors right-and-left with
the botnet plugin.  Too many false positives, even combining it with
p0f, for me to feel very good about it.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: CPAN - failed install: t/spamc_optC t/spamc_optL errors

2007-06-20 Thread Daniel J McDonald
On Wed, 2007-06-20 at 12:04 +0100, Peter Farrell wrote:
 Having problems re-installing SA.
 Blew away my previous installation cat'ing the .packlist to xargs rm.
 As root, start perl -MCPAN -e shell and 'install SpamAssassin'
 All of the errors in t/logs/* relate to either one of three things:
 

bugid 5510



Re: Turning the Screws

2007-06-16 Thread Daniel J McDonald
On Sat, 2007-06-16 at 17:01 -0400, Michael B Allen wrote:
 Hi,
 
 I just setup a new server with vanilla SA 

What version?

 on CentOS 5 and a lot of obvious
 drug/stock/foreign stuff is getting through. I have verified that DNSBL
 is being used. In general, I would like to know what the prevailing
 wisdom is as to increasing the aggressiveness of my filter.

Add the SARE rules.  They tend to kill most of the drug and stock stuff.
 
 Are there certain plugins that I need to make sure are working? If so
 what are they?

That depends.
 
 Will SA get better as it considers the input?

If you have bayes enabled.
 
 Also, if I drag spam from the inbox into the Spam folder, will SA learn
 from that? If I drag non-spam out of the Spam folder will SA learn
 from that?

That's up to your MUA, but not likely.

 Is there a way to add the X-Spam-Report to regular messages for a while
 so that I can see exactly why it's getting through?
Yes.  See
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#basic_message_tagging_options

 
 How do I properly activate filtering based on character encodings used
 in messages? Basically I want to severely penalize non-Latin1 encodings.

In 3.1.x, just set ok_locales en
in 3.2.x, set ok_locales and also enable the Textcat plugin.

Details in
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html#language_options
 Mike
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


RE: These are getting through SA...

2007-06-15 Thread Daniel J McDonald
On Fri, 2007-06-15 at 22:08 +0100, Randal, Phil wrote:
 Bill,
 
 The problem is that Botnet uses Net::DNS::Resolver's default retry and
 timeout values, which are way too high.
 
 Spamassassin's DnsResolver.pm uses these values:
 
   udp_timeout:3
   tcp_timeout:3
   retrans:0
   retry:1

And a few others...  Might as well be completely consistent.  Try this
patch:
--- Botnet.pm.orig  2007-06-15 16:47:33.0 -0500
+++ Botnet.pm   2007-06-15 16:52:13.0 -0500
@@ -703,7 +703,16 @@
 ($type =~ /^(?:A|MX)$/) 
 (defined $max) 
 ($max =~ /^-?\d+$/) ) {
-  $resolver = Net::DNS::Resolver-new();
+  $resolver = Net::DNS::Resolver-new(
+   udp_timeout = 3,
+   tcp_timeout = 3,
+   retrans = 0,
+   retry = 1,
+   persistent_tcp=0,
+   persistent_udp=0,
+   dnsrch=0,
+   defnames=0,
+   );
   if ($query = $resolver-search($name, $type)) {
  # found matches
  $i = 0;
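Review bot: the context line `if ($query = $resolver-search($name, $type)) {` immediately after this hunk keeps using search() on the new resolver; with `dnsrch=0` and `defnames=0` in the constructor, search() no longer appends the host's search list or default domain, so it behaves like a plain query(). That is the right behaviour for a name taken from a message header (you do not want the local domain silently appended to it), but it is non-obvious and deserves a one-line comment next to the option list so the two settings are not removed later as "unused".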
@@ -826,7 +835,18 @@
 sub get_rdns {
my ($ip) = @_;
my ($query, @answer, $rr);
-   my $resolver = Net::DNS::Resolver-new();
+   my $resolver = Net::DNS::Resolver-new(
+   udp_timeout = 3,
+   tcp_timeout = 3,
+   retrans = 0,
+   retry = 1,
+   persistent_tcp=0,
+   persistent_udp=0,
+   dnsrch=0,
+   defnames=0,
+   );
+  if ($query = $resolver-search($name, $type)) {
+ # found matches
my $name = ;
 
if ($query = $resolver-query($ip, 'PTR', 'IN')) {
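Review bot: the two added lines `+  if ($query = $resolver-search($name, $type)) {` and `+ # found matches` do not belong in get_rdns. The sub takes only `($ip)`, so `$name` and `$type` are undeclared here (a compile error under strict), and the `if (...) {` opens a block that nothing closes before the existing `my $name = ;` and the PTR query that follow. Drop both lines so this hunk only swaps the resolver constructor, as the first hunk does.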

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: These are getting through SA...

2007-06-15 Thread Daniel J McDonald
On Fri, 2007-06-15 at 15:27 -0700, Bill Landry wrote:
 Daniel J McDonald wrote the following on 6/15/2007 2:54 PM -0800:
  On Fri, 2007-06-15 at 22:08 +0100, Randal, Phil wrote:
 
  And a few others...  Might as well be completely consistent.  Try this
  patch:
  --- Botnet.pm.orig  2007-06-15 16:47:33.0 -0500
  +++ Botnet.pm   2007-06-15 16:52:13.0 -0500

 Daniel, here is a snippet of my debug output with this patch applied to 
 Botnet.pm, version 0.7:
 
 [23898] warn: plugin: failed to parse plugin 
 /etc/mail/spamassassin/Botnet.pm: Global symbol $name requires 
 explicit package name at /etc/mail/spamassassin/Botnet.pm line 848.
 [23898] warn: Global symbol $type requires explicit package name at 
 /etc/mail/spamassassin/Botnet.pm line 848.
 [23898] warn: Missing right curly or square bracket at 
 /etc/mail/spamassassin/Botnet.pm line 875, at end of line
 [23898] warn: syntax error at /etc/mail/spamassassin/Botnet.pm line 875, 
 at EOF
 [23898] warn: Compilation failed in require at 
 /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/PluginHandler.pm line 97.
 
Oops, yanked an extra line.  Try this one instead:
--- Botnet.pm.orig  2007-06-15 16:47:33.0 -0500
+++ Botnet.pm   2007-06-15 17:35:33.0 -0500
@@ -703,7 +703,16 @@
 ($type =~ /^(?:A|MX)$/) 
 (defined $max) 
 ($max =~ /^-?\d+$/) ) {
-  $resolver = Net::DNS::Resolver-new();
+  $resolver = Net::DNS::Resolver-new(
+   udp_timeout = 3,
+   tcp_timeout = 3,
+   retrans = 0,
+   retry = 1,
+   persistent_tcp=0,
+   persistent_udp=0,
+   dnsrch=0,
+   defnames=0,
+   );
   if ($query = $resolver-search($name, $type)) {
  # found matches
  $i = 0;
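Review bot: `retrans = 0` together with `retry = 1` means a single UDP attempt with no retransmission, so a lookup that times out falls through the `if ($query = $resolver-search(...))` test as "no answer" rather than being retried. That matches the DnsResolver.pm figures Phil quoted and is the intended trade-off for a per-message check, but a comment saying so next to the option list would stop someone later "fixing" the values back to the Net::DNS defaults.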
@@ -826,7 +835,16 @@
 sub get_rdns {
my ($ip) = @_;
my ($query, @answer, $rr);
-   my $resolver = Net::DNS::Resolver-new();
+   my $resolver = Net::DNS::Resolver-new(
+   udp_timeout = 3,
+   tcp_timeout = 3,
+   retrans = 0,
+   retry = 1,
+   persistent_tcp=0,
+   persistent_udp=0,
+   dnsrch=0,
+   defnames=0,
+   );
my $name = ;
 
if ($query = $resolver-query($ip, 'PTR', 'IN')) {
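Review bot: with the stray lines gone this hunk is now the minimal constructor swap, but the nine-option list is duplicated character-for-character between the two hunks. A small helper sub that returns the configured Net::DNS::Resolver, called from both the A/MX lookup and get_rdns, would halve the patch and guarantee the two lookups cannot drift apart when a timeout is tuned later.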


 Bill


Re: How Do I Enable RBLs

2007-06-14 Thread Daniel J McDonald
On Thu, 2007-06-14 at 11:44 -0700, Peter Pluta wrote:

 I see, I still get 5-6 spams per day or so, but I have bayes and auto white
 listing enabled. The DB so far has 2 hams and 14 spams recorded. I wonder
 how long it will take to see some good results from bayes and awl.

Bayes is ignored until trained by at least 100 messages.

  Will
 Spamassassin dump a message if it fits the spam characteristics from bayes?

Like everything else, it is a factor, but not always a deciding factor.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


RE: ANNOUNCE: Apache SpamAssassin 3.2.1 available

2007-06-12 Thread Daniel J McDonald
On Mon, 2007-06-11 at 21:09 -0400, Rose, Bobby wrote:
 I'm seeing the same kind of messages mentioned after compiling from
 source on Redhat ES4 and running make test.

I'm wondering if this is the reason:
+ make FULLPERL=/usr/bin/perl test
/usr/bin/perl5.8.7 build/mkrules --exit_on_no_src --src rulesrc --out
rules --manifest MANIFEST --manifestskip MANIFEST.SKIP
no source directory found: exiting

I don't see any other compilation errors.  The build process complained
about a few missing packages at the beginning Razor2, Mail::DKIM, and
Encode::Detect.  I was able to install all of those other than
Encode::Detect (I can't get the perl-Encode-Detect srpm to recompile,
and I can't figure out what pre-requisites it is missing, since it
complained about not having ExtUtils::CBuilder, but installing that
didn't seem to mollify it).

I built 3.2.0 on this same box just a couple of weeks ago, and didn't
see anything in the release notes, or the bugs that I read, telling me
that I would need to make major changes, so I'm flummoxed.


 
 -Original Message-
 From: Daniel J McDonald [mailto:[EMAIL PROTECTED] 
 Sent: Monday, June 11, 2007 6:35 PM
 To: users@spamassassin.apache.org
 Subject: Re: ANNOUNCE: Apache SpamAssassin 3.2.1 available
 
 On Mon, 2007-06-11 at 21:14 +0100, Justin Mason wrote:
  Apache SpamAssassin 3.2.1 is now available!  This is a maintenance and
 
  security release of the 3.2.x branch.  It is highly recommended that 
  people upgrade to this version from 3.2.0.
 
 
 Whilst compiling the RPM for mandriva corporate server 4:
 
 t/spamc_optCNot found: reported spam = Message
 successfully reported/revoked
 # Failed test 2 in t/SATest.pm at line 635 Output can be examined in:
 log/d.spamc_optC/out.1
 t/spamc_optCNOK 2   Not found: revoked ham = Message
 successfully reported/revoked
 # Failed test 4 in t/SATest.pm at line 635 fail #2 Output can be
 examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3
 t/spamc_optCNOK 4   Not found: failed to report spam
 = Unable to report/revoke message
 [...]
 Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3
 log/d.spamc_optC/out.5 log/d.spamc_optC/out.7
 t/spamc_optCFAILED tests 2, 4, 6,
 8  
 Failed 4/9 tests, 55.56% okay
 t/spamc_optL# Failed test 1 in t/spamc_optL.t at line 20
 Not found: learned spam = Message successfully un/learned [...]
 t/spamc_optLFAILED tests 1-16
 Failed 16/16 tests, 0.00% okay
 
 Failed TestStat Wstat Total Fail  Failed  List of Failed
 
 ---
 t/spamc_optC.t94  44.44%  2 4 6 8
 t/spamc_optL.t   16   16 100.00%  1-16
 t/spamd_allow_user_rules.t51  20.00%  4
 t/spamd_plugin.t  62  33.33%  4 6
 17 tests skipped.
 Failed 4/129 test scripts, 96.90% okay. 23/1981 subtests failed, 98.84%
 okay.
 make: *** [test_dynamic] Error 255
 error: Bad exit status from /var/tmp/rpm-tmp.45769 (%check)
 
 
 Any thoughts?
 --
 Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX Austin Energy
 http://www.austinenergy.com
 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: ANNOUNCE: Apache SpamAssassin 3.2.1 available

2007-06-12 Thread Daniel J McDonald
On Tue, 2007-06-12 at 12:45 +0100, Justin Mason wrote:
 Daniel J McDonald writes:
  On Mon, 2007-06-11 at 21:09 -0400, Rose, Bobby wrote:
   I'm seeing the same kind of messages mentioned after compiling from
   source on Redhat ES4 and running make test.
  
  I'm wondering if this is the reason:
  + make FULLPERL=/usr/bin/perl test
  /usr/bin/perl5.8.7 build/mkrules --exit_on_no_src --src rulesrc --out
  rules --manifest MANIFEST --manifestskip MANIFEST.SKIP
  no source directory found: exiting
 
 nope, that can be ignored.
 
  I don't see any other compilation errors.  The build process complained
  about a few missing packages at the beginning Razor2, Mail::DKIM, and
  Encode::Detect.  I was able to install all of those other than
  Encode::Detect (I can't get the perl-Encode-Detect srpm to recompile,
  and I can't figure out what pre-requisites it is missing, since it
  complained about not having ExtUtils::CBuilder, but installing that
  didn't seem to mollify it).
  
  I built 3.2.0 on this same box just a couple of weeks ago, and didn't
  see anything in the release notes, or the bugs that I read, telling me
  that I would need to make major changes, so I'm flummoxed.
 
 There should be no major changes since 3.2.0 that'd require that...
 can you post the log files from t/log/d.spamc_optC/* ?
 

I think the major error in the log files is:
[27488] warn: spamd: still running as root: user not specified with -u,
not found, or set to root, falling back to nobody
[27488] warn: spamd: bayes: locker: safe_lock: cannot create tmp
lockfile ./log/user_state/bayes.lock.ldap.austin-energy.net.27488
for ./log/user_state/bayes.lock: Permission denied

So, you can't build the RPM as root.

I just added all of the various groups to my user, set up a user build
directory tree, compiled it under my username and it tested fine, at
least to the point that it normally bombs.



Re: Sa-

2007-06-12 Thread Daniel J McDonald
On Tue, 2007-06-12 at 02:17 -0700, Emre BALCI wrote:
 Hi All
 I have to make something after sa-update ?

Only if you used sa-compile; then you would have to run sa-compile
again.


 like copy files to anywhere ?
Nope.  sa-update puts them in the correct place.

If you are using a daemonized SpamAssassin (like spamd, or amavisd-new)
you will need to restart the daemon after running sa-update.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


RE: ANNOUNCE: Apache SpamAssassin 3.2.1 available

2007-06-12 Thread Daniel J McDonald
On Tue, 2007-06-12 at 16:07 -0400, Rosenbaum, Larry M. wrote:
  From: Duncan Hill [mailto:[EMAIL PROTECTED]
  
  On Tue, June 12, 2007 13:33, Justin Mason wrote:
   Daniel J McDonald writes:
   So, you can't build the RPM as root.
  
  

 Very interesting, but I ran into this problem on a Solaris system and I
 wasn't trying to build an RPM.  I was just trying to build SA from
 source with the usual
 
 perl Makefile.PL
 make
 make test (this step gave errors when run as root)
 
 Does the same logic apply when RPMs are not involved?

Yes, unless your umask is 666. When it detects the root user, it tries
to change to nobody.  Since nobody can't write in the t/log/*
directories, the test fails.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: ANNOUNCE: Apache SpamAssassin 3.2.1 available

2007-06-11 Thread Daniel J McDonald
On Mon, 2007-06-11 at 21:14 +0100, Justin Mason wrote:
 Apache SpamAssassin 3.2.1 is now available!  This is a maintenance and
 security release of the 3.2.x branch.  It is highly recommended that
 people upgrade to this version from 3.2.0.


Whilst compiling the RPM for Mandriva Corporate Server 4:

t/spamc_optCNot found: reported spam = Message
successfully reported/revoked
# Failed test 2 in t/SATest.pm at line 635
Output can be examined in: log/d.spamc_optC/out.1
t/spamc_optCNOK 2   Not found: revoked ham = Message
successfully reported/revoked
# Failed test 4 in t/SATest.pm at line 635 fail #2
Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3
t/spamc_optCNOK 4   Not found: failed to report spam
= Unable to report/revoke message
[...]
Output can be examined in: log/d.spamc_optC/out.1 log/d.spamc_optC/out.3
log/d.spamc_optC/out.5 log/d.spamc_optC/out.7
t/spamc_optCFAILED tests 2, 4, 6,
8  
Failed 4/9 tests, 55.56% okay
t/spamc_optL# Failed test 1 in t/spamc_optL.t at line 20
Not found: learned spam = Message successfully un/learned
[...]
t/spamc_optLFAILED tests 1-16
Failed 16/16 tests, 0.00% okay

Failed TestStat Wstat Total Fail  Failed  List of Failed
---
t/spamc_optC.t94  44.44%  2 4 6 8
t/spamc_optL.t   16   16 100.00%  1-16
t/spamd_allow_user_rules.t51  20.00%  4
t/spamd_plugin.t  62  33.33%  4 6
17 tests skipped.
Failed 4/129 test scripts, 96.90% okay. 23/1981 subtests failed, 98.84%
okay.
make: *** [test_dynamic] Error 255
error: Bad exit status from /var/tmp/rpm-tmp.45769 (%check)


Any thoughts?
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Rulesemporium down?

2007-06-07 Thread Daniel J McDonald
On Thu, 2007-06-07 at 07:28 -0500, Steven Stern wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 My systems all were unable to connect for their daily RDJ update
 yesterday.  I time out trying to reach http://rulesemporium.com.  Does
 anyone know what's happening?

Apparently a DDOS attack.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: 404 while getting RDJ updates?

2007-06-07 Thread Daniel J McDonald
On Thu, 2007-06-07 at 17:03 -0400, Gene Heskett wrote:
 On Thursday 07 June 2007, Chris Santerre wrote:
 
  I would imagine this is related to www.uribl.com and
  surbl.org  having
  issues as well.  Both are now pointing to 127.0.0.1 in what I would
  assume was an attempt to stop the attack.  Some spammer is
  pissed off it
  seems...
 
 It's true, scanners indicate Klingon war vessels approaching our sector.
 We've dropped out of warp due to overuse of the dilithium crystals.
 Federation starships have been called in for assistance. Scottie has given
 us more power, but is not sure she will hold together much longer.  All the
 while Ensign Alex won't stop dancing with a half naked green lady!
 
 Thanks,
 
 Good luck Chris.  If you know who it is, maybe we should send Vinnie & Luigi 
 over to have a little talk with them?

Should we arm them with a RFC-2321 compatible RITA, and a confident
demeanor?


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: URIBL

2007-05-30 Thread Daniel J McDonald
On Wed, 2007-05-30 at 11:02 -0400, Theo Van Dinter wrote:
 On Wed, May 30, 2007 at 10:52:09AM -0400, Jason Bertoch wrote:
  multi.surbl.org.  The debug output below seems to confirm that SA is not 
  going
  to query multi.surbl.org.
 
 Of course not...
 
  [25188] dbg: uridnsbl: domains to query: 
 
 There are no domains to query for, so it doesn't.

Ok, here's one that does fail:
under 3.2.0:
[16543] dbg: uridnsbl: domain theauthenticmemento.com listed
(URIBL_RHS_URIBL_BLACK): 127.0.0.2
[16543] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds
to look up (multi.uribl.com.:theauthenticmemento.com)
[16543] dbg: async: queries completed: 1 started: 0
[16543] dbg: async: queries active: DNSBL-A=7 DNSBL-TXT=3 URI-DNSBL=3
URI-NS=1 at Wed May 30 11:25:11 2007
[16543] dbg: async: select found 1 socks ready
[16543] dbg: uridnsbl: domain theauthenticmemento.com listed
(URIBL_OB_SURBL): 127.0.0.16
[16543] dbg: dns: URIBL_OB_SURBL lookup finished
[16543] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds
to look up (multi.surbl.org.:theauthenticmemento.com)
...
[16543] dbg: check:
tests=DKIM_POLICY_SIGNSOME,HTML_IMAGE_RATIO_04,HTML_MESSAGE,INVALID_DATE,L_P0F_W,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RELAY_US,SARE_UNA,URIBL_OB_SURBL
[16543] dbg: check:
subtests=__CD,__CT,__CTE,__CTYPE_HTML,__DOS_HAS_ANY_URI,__DOS_RCVD_WED,__DOS_SINGLE_EXT_RELAY,__EXCLAIM_SUBJ,__FB_MA,__FB_S_PRICE,__FM_MY_PRICE,__HAS_ANY_URI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HTML_LINK_IMAGE,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MSGID_OK_HOST,__NAKED_TO,__NONEMPTY_BODY,__SANE_MSGID,__SARE_HAS_BG_COLOR,__SARE_HAS_FG_COLOR,__SARE_HTML_HAS_A,__SARE_HTML_HAS_BR,__SARE_HTML_HAS_DIV,__SARE_HTML_HAS_FONT,__SARE_HTML_HAS_IMG,__SARE_HTML_HAS_P,__SARE_HTML_HAS_TITLE,__SARE_URI_ANY,__SARE_WHITE_BG_COLOR,__SUBJ_3DIGIT,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS


Debug says URIBL BLACK matched, but it does not get scored.

Under 3.1.8:
[19829] dbg: uridnsbl: domain theauthenticmemento.com listed
(URIBL_OB_SURBL): 127.0.0.16
[19829] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds
to look up (multi.surbl.org.:theauthenticmemento.com)
[19829] dbg: uridnsbl: queries completed: 1 started: 0
[19829] dbg: uridnsbl: queries active: A=4 DNSBL=1 at Wed May 30
11:35:28 2007
[19829] dbg: uridnsbl: select found 1 socks ready
[19829] dbg: uridnsbl: domain theauthenticmemento.com listed
(URIBL_BLACK): 127.0.0.2
[19829] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds
to look up (multi.uribl.com.:theauthenticmemento.com)
...
[19829] dbg: check:
tests=HTML_MESSAGE,HTML_TAG_EXIST_TBODY,INVALID_DATE,MANY_EXCLAMATIONS,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RELAYCOUNTRY_US,SARE_UNA,SPF_HELO_PASS,URIBL_BLACK,URIBL_OB_SURBL
[19829] dbg: check:
subtests=__CD,__CT,__CTE,__CTYPE_HTML,__ENV_AND_HDR_FROM_MATCH,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HTML_LINK_IMAGE,__MANY_EXCLS,__MIME_HTML,__MIME_VERSION,__MSGID_OK_HOST,__NAKED_TO,__NONEMPTY_BODY,__SANE_MSGID,__SARE_HAS_BG_COLOR,__SARE_HAS_FG_COLOR,__SARE_HTML_BEHTML2,__SARE_HTML_HAS_A,__SARE_HTML_HAS_BR,__SARE_HTML_HAS_DIV,__SARE_HTML_HAS_FONT,__SARE_HTML_HAS_IMG,__SARE_HTML_HAS_P,__SARE_HTML_HAS_TITLE,__SARE_URI_ANY,__SARE_WHITE_BG_COLOR,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS

Debug says URIBL BLACK matched, and it is scored.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: URIBL

2007-05-30 Thread Daniel J McDonald
On Wed, 2007-05-30 at 12:46 -0400, Theo Van Dinter wrote:
 On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
  Ok, here's one that does fail:
  under 3.2.0:
  [16543] dbg: uridnsbl: domain theauthenticmemento.com listed
  (URIBL_RHS_URIBL_BLACK): 127.0.0.2
 [...]
  Under 3.1.8:
 [...]
  [19829] dbg: uridnsbl: domain theauthenticmemento.com listed
  (URIBL_BLACK): 127.0.0.2
  [19829] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds
  to look up (multi.uribl.com.:theauthenticmemento.com)
  ...
 
 Based on your debug quoting, 3.2 does not show a URIBL_BLACK hit, it
 shows a hit for a different rule, URIBL_RHS_URIBL_BLACK.
 

Well, that doesn't show up in the list either...
Is that because the rule is duplicated in 25_uribl.cf and 72_active.cf?

[EMAIL PROTECTED] updates_spamassassin_org]$ sudo grep URIBL_BLACK *
25_uribl.cf:urirhssub   URIBL_BLACK multi.uribl.com.A   2
25_uribl.cf:bodyURIBL_BLACK 
eval:check_uridnsbl('URIBL_BLACK')
25_uribl.cf:describeURIBL_BLACK Contains an URL listed in the URIBL 
blacklist
25_uribl.cf:tflags  URIBL_BLACK net
25_uribl.cf:#reuse  URIBL_BLACK
50_scores.cf:score URIBL_RHS_URIBL_BLACK 0 # n=1 n=3
50_scores.cf:score URIBL_BLACK 0 1.961 0 1.955 # n=0 n=2
50_scores.cf~:score URIBL_RHS_URIBL_BLACK 0 # n=1 n=3
50_scores.cf~:score URIBL_BLACK 0 1.961 0 1.955 # n=0 n=2
72_active.cf:##{ URIBL_RHS_URIBL_BLACK
72_active.cf:urirhssub   URIBL_RHS_URIBL_BLACK   multi.uribl.com.A  
 2
72_active.cf:bodyURIBL_RHS_URIBL_BLACK   
eval:check_uridnsbl('URIBL_RHS_URIBL_BLACK')
72_active.cf:describeURIBL_RHS_URIBL_BLACK   Contains an URI listed in 
[black] uribl.com
72_active.cf:tflags  URIBL_RHS_URIBL_BLACK   net
72_active.cf:##} URIBL_RHS_URIBL_BLACK

Since the score for URIBL_RHS_URIBL_BLACK is 0, but it still fired for
that one, it looks like a problem.  Let me remove that rule from 72 and
see what happens...
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: URIBL

2007-05-30 Thread Daniel J McDonald
On Wed, 2007-05-30 at 11:57 -0500, Daniel J McDonald wrote:
 On Wed, 2007-05-30 at 12:46 -0400, Theo Van Dinter wrote:
  On Wed, May 30, 2007 at 11:39:15AM -0500, Daniel J McDonald wrote:
   Ok, here's one that does fail:
  
  Based on your debug quoting, 3.2 does not show a URIBL_BLACK hit, it
  shows a hit for a different rule, URIBL_RHS_URIBL_BLACK.
  
 
 Well, that doesn't show up in the list either...
 Is that because the rule is duplicated in 25_uribl.cf and 72_active.cf?
 
 [EMAIL PROTECTED] updates_spamassassin_org]$ sudo grep URIBL_BLACK *
 25_uribl.cf:urirhssub   URIBL_BLACK multi.uribl.com.A   2
 72_active.cf:urirhssub   URIBL_RHS_URIBL_BLACK   multi.uribl.com.
 A   2

 since the score for URIBL_RHS_URIBL_BLACK is 0, but it still fired for
 that one, it looks like a problem.  Let me remove that rule from 72 and
 see what happens...
I removed the rule from 72_active.cf and now I am detecting URIBL_BLACK
for that message.
[18212] dbg: uridnsbl: domain theauthenticmemento.com listed
(URIBL_OB_SURBL): 127.0.0.16
[18212] dbg: dns: URIBL_OB_SURBL lookup finished
[18212] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds
to look up (multi.surbl.org.:theauthenticmemento.com)
[18212] dbg: uridnsbl: domain theauthenticmemento.com listed
(URIBL_BLACK): 127.0.0.2
[18212] dbg: dns: URIBL_BLACK lookup finished
[18212] dbg: uridnsbl: query for theauthenticmemento.com took 2 seconds
to look up (multi.uribl.com.:theauthenticmemento.com)
[18212] dbg: check:
tests=DKIM_POLICY_SIGNSOME,HTML_IMAGE_RATIO_04,HTML_MESSAGE,INVALID_DATE,L_P0F_W,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RELAY_US,SARE_UNA,URIBL_BLACK,URIBL_OB_SURBL
[18212] dbg: check:
subtests=__CD,__CT,__CTE,__CTYPE_HTML,__DOS_HAS_ANY_URI,__DOS_RCVD_WED,__DOS_SINGLE_EXT_RELAY,__EXCLAIM_SUBJ,__FB_MA,__FB_S_PRICE,__FM_MY_PRICE,__HAS_ANY_URI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__HTML_LINK_IMAGE,__MIME_HTML,__MIME_VERSION,__MISSING_REF,__MSGID_OK_HOST,__NAKED_TO,__NONEMPTY_BODY,__SANE_MSGID,__SARE_HAS_BG_COLOR,__SARE_HAS_FG_COLOR,__SARE_HTML_HAS_A,__SARE_HTML_HAS_BR,__SARE_HTML_HAS_DIV,__SARE_HTML_HAS_FONT,__SARE_HTML_HAS_IMG,__SARE_HTML_HAS_P,__SARE_HTML_HAS_TITLE,__SARE_URI_ANY,__SARE_WHITE_BG_COLOR,__SUBJ_3DIGIT,__TAG_EXISTS_BODY,__TAG_EXISTS_CENTER,__TAG_EXISTS_HEAD,__TAG_EXISTS_HTML,__TAG_EXISTS_META,__TOCC_EXISTS

And other messages as well:
[EMAIL PROTECTED] ~]$ sudo grep -o -P URIBL.+\?= /var/log/mail/info | sort
| uniq -c
  1 URIBL_AB_SURBL=
 21 URIBL_BLACK=
  4 URIBL_GREY=
157 URIBL_JP_SURBL=
202 URIBL_OB_SURBL=
  8 URIBL_RED=
 44 URIBL_RHS_DOB=
 27 URIBL_SBL=
 92 URIBL_WS_SURBL=

So, the problem appears to be with the file 72_active.cf in version
535132 of updates.spamassassin.org.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
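A small config lint, added here as an example and not part of the original thread or of SpamAssassin itself, that flags what the two posts above describe: two urirhssub rules performing the identical lookup (same zone, record type and subtest value) where one of them is scored 0. The rule and score lines are constructed copies of those quoted in the thread; SpamAssassin's own rule loading is not replicated, the duplicate is just detected.

```python
from collections import defaultdict
# Constructed copies of the rule lines quoted in this thread (not the real
# update files); both urirhssub rules do the same multi.uribl.com / A / 2 lookup.
RULES_25_URIBL = """\
urirhssub   URIBL_BLACK multi.uribl.com.    A   2
body        URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
"""
RULES_72_ACTIVE = """\
urirhssub   URIBL_RHS_URIBL_BLACK   multi.uribl.com.    A   2
body        URIBL_RHS_URIBL_BLACK   eval:check_uridnsbl('URIBL_RHS_URIBL_BLACK')
"""
SCORES_50 = """\
score URIBL_RHS_URIBL_BLACK 0 # n=1 n=3
score URIBL_BLACK 0 1.961 0 1.955 # n=0 n=2
"""
def parse_urirhssub(text, filename):
    """Yield (rule, (zone, type, subtest), filename) for each urirhssub line."""
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()
        if len(parts) >= 5 and parts[0] == 'urirhssub':
            rule, zone, rtype, sub = parts[1:5]
            yield rule, (zone.lower().rstrip('.'), rtype.upper(), sub), filename

def parse_scores(text):
    """Map rule name -> list of 1 or 4 scores (SpamAssassin's four score sets)."""
    scores = {}
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()
        if len(parts) >= 3 and parts[0] == 'score':
            scores[parts[1]] = [float(x) for x in parts[2:]]
    return scores

def effective_score(rule, scores, score_set=3):
    """Score in the chosen set (3 = net + bayes); rules with no score line get 1.0."""
    s = scores.get(rule, [1.0])
    return s[score_set] if len(s) == 4 else s[0]

def find_shadowed_lookups(rule_files, scores, score_set=3):
    """Lookups defined by several urirhssub rules where a zero-scored duplicate
    sits next to a rule that carries a real score (the 72_active.cf situation)."""
    by_lookup = defaultdict(list)
    for text, fname in rule_files:
        for rule, key, f in parse_urirhssub(text, fname):
            by_lookup[key].append((rule, f))
    findings = []
    for key, rules in by_lookup.items():
        if len(rules) < 2:
            continue
        zero = [r for r, _ in rules if effective_score(r, scores, score_set) == 0]
        scored = [r for r, _ in rules if effective_score(r, scores, score_set) != 0]
        if zero and scored:
            findings.append({'lookup': key, 'zero_scored': zero, 'scored': scored,
                             'files': sorted({f for _, f in rules})})
    return findings
```

Feeding the contents of the .cf files from an updates_spamassassin_org directory to the same functions flags such duplicate lookups before the rules reach a running spamd.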


sa-compile fails Make

2007-05-14 Thread Daniel J McDonald
When I run sa-compile, it breaks while trying to run make:
[EMAIL PROTECTED] ~]$ sudo sa-compile
[32101] info: generic: base extraction starting. this can take a while...
[32101] info: generic: extracting from rules of type body_0
100% [===]  36.75 rules/sec 00m28s DONE
100% [===]  30.40 bases/sec 01m37s DONE
[32101] info: body_0: 2404 base strings extracted in 126 seconds
[...]
re2c -i -b -o scanner13.c scanner13.re
/usr/bin/perl5.8.7 Makefile.PL PREFIX=/tmp/.spamassassin32101UQHVCjtmp/ignored
INSTALLSITEARCH=/var/lib/spamassassin/compiled/3.002000
Writing Makefile for Mail::SpamAssassin::CompiledRegexps::body_0
make
cp body_0.pm blib/lib/Mail/SpamAssassin/CompiledRegexps/body_0.pm
/usr/bin/perl5.8.7 /usr/lib/perl5/5.8.7/ExtUtils/xsubpp  -typemap
/usr/lib/perl5/5.8.7/ExtUtils/typemap  body_0.xs > body_0.xsc && mv body_0.xsc
body_0.c
make: *** No rule to make target
`/usr/lib/perl5/5.8.7/i386-linux/CORE/EXTERN.h', needed by `body_0.o'.  Stop.
command failed! at /usr/bin/sa-compile line 276.

I have the proper version of re2c mentioned in the FAQ, but this symptom does
not match at all.

[EMAIL PROTECTED] ~]$ rpm -
-b  -e  -F  -i  -q  -t  -U  -V  
[EMAIL PROTECTED] ~]$ rpm -q re2c
re2c-0.12.0-0.1.20060mlcs4

I've tried sa-compile on several flavors of Mandriva linux and have had similar
results.  This particular one is:
[EMAIL PROTECTED] ~]$ uname -a
Linux ca.austinenergy.com 2.6.12-29mdk #1 Wed Jan 3 12:05:41 MST 2007 i686 AMD
Athlon(tm) XP 2400+ unknown GNU/Linux
[EMAIL PROTECTED] ~]$ sudo cat /etc/mandriva-release
Mandriva Linux Corporate Server release 2006.0 (Official) for i586

The package is from cooker, recompiled for Corporate Server 4:
[EMAIL PROTECTED] ~]$ rpm -q perl-Mail-SpamAssassin
perl-Mail-SpamAssassin-3.2.0-0.1.20060mlcs4

Any thoughts for getting sa-compile to work would be most appreciated.