Hi,
I've been feeding spamassassin spam and ham. But the Bayesian filter is
not having any effect on my e-mail account. Now, I've been feeding the
bayesian filter logged in as one user A on my server and the soft
linking the 'bayes_seen', 'bayes_toks' and 'user_prefs' files for user
B over
Thanks, Thomas. Did I do the right thing by soft linking the files?
Thomas Arend wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Am Freitag, 4. Februar 2005 22:57 schrieb Steve Dondley:
Hi,
I've been feeding spamassassin spam and ham. But the Bayesian filter is
not having any effect
I'm trying to train SpamAssassin. I've set up two mailboxes on my server.
One for spam and one for non-spam. I'm trying to figure out how to deliver
mail there from my client (Outlook 2000).
There is some advice given on the SpamAssassin web site to not forward mail
but to resend it. I do
I'm using sa-learn for the first time. I uploaded mail from my t-bird
mail client on my Windows machine to my Linux box in ascii mode. There
was a little over 200 message in each of the two mailboxes I uploaded.
When I ran sa-learn --ham and sa-learn --spam on the boxes, I got a
report that
I want to extract the first part of an email address from the
"Delivered-To" header and use it witin a custom rule.
Example pseudo code:
my ($first_part) = $email_file =~ /^Deliver-To: (.*)/;
body __LOCAL_AWKWARD_INTRO /hi $first_part/i
How can I do this in my .cf file?
On 2021-05-07 10:33 AM, Henrik K wrote:
On Fri, May 07, 2021 at 10:19:49AM -0400, Steve Dondley wrote:
I want to extract the first part of an email address from the
"Delivered-To"
header and use it witin a custom rule.
Example pseudo code:
my ($first_part) = $email_file =~
On 2021-04-27 01:19 PM, Dave Wreski wrote:
-2.5 RCVD_IN_HOSTKARMA_W RBL: Sender listed in HOSTKARMA-WHITE
[185.41.28.7 listed in
hostkarma.junkemailfilter.com]
We've reduced this score to -1 locally.
-1.0 BAYES_00 BODY: Bayes spam probability is 0
On 2021-04-27 01:12 PM, Greg Troxel wrote:
As always, if you have a problem stemming from a dns-based or similar
reputation list, you need to report problems to those lists.
If you aren't running greylisting with aggressive delays for SBL/XBL
and
moderate for dialup, do that too.
What does
Got this: https://pastebin.com/Gfz951dh
Spam report:
Content analysis details: (-2.3 points, 5.0 required)
pts rule name description
--
--
-2.5 RCVD_IN_HOSTKARMA_WRBL: Sender listed in
On 2021-04-27 02:23 PM, Reindl Harald wrote:
Am 27.04.21 um 19:57 schrieb Steve Dondley:
On 2021-04-27 01:19 PM, Dave Wreski wrote:
Investigate adding the SEM_FRESH rules - this domain was created less
than five days ago.
https://spameatingmonkey.com/services
OK, how do I get those rules
On 2021-04-27 03:03 PM, Dave Wreski wrote:
Invalid List-ID. You can then use that with other weirdness in a
meta.
header __LIST_ID_DOMAIN_IN_BRACKETS List-id =~
/<([\w-]+)(\.[\w-]+)+>/
meta LIST_ID_IMPROPER_FORMAT __HAS_LIST_ID &&
!__LIST_ID_DOMAIN_IN_BRACKETS
score
I could add another point between BAYES_999 and BAYES_99 scores but
that seems reactionary. Is there a better way? Should I thrown in
another point for certain keywords in marketing emails like these?
add score to tags that score possitive 0.0
until it gives 5.0 and above
I like this
I'm looking at KAM.cf. There is this rule:
body__KAM_WEB2 /INDIA based
IT|indian.based.website|certified.it.company/i
I'm wondering if there is a good reason why a singe period is used
instead of something like \s+ which would catch multiple spaces whereas
a singe period doesn't.
On 2021-04-23 01:02 PM, mau...@gmx.ch wrote:
> Hello
>
> Please how its possible to disable the spam check from sending mails from
> "privat to public" network?
>
> I was realy thinking if enable the trusted network this will pass over.
>
> trusted_networks 192.168.28.
>
> thanks
On 2021-04-23 01:37 PM, Henrik K wrote:
On Fri, Apr 23, 2021 at 01:03:33PM -0400, Steve Dondley wrote:
I'm looking at KAM.cf. There is this rule:
body__KAM_WEB2 /INDIA based
IT|indian.based.website|certified.it.company/i
I'm wondering if there is a good reason why a singe period is used
Sorry if this is a bit off-topic.
I'm looking into installing DCC (Distributed Checksum Clearninghouse)
software.
The page at https://www.dcc-servers.net/dcc/INSTALL.html says:
"The free license is intended to cover individuals and organizations
including Internet service providers using
The DCC FAQ at https://www.dcc-servers.net/dcc/FAQ.html#license
describes the definitive ways to get any questions answered regarding
DCC licensing. Any answers you could get here would be conjecture and
anecdote.
I found a form on their website for licensing questions. Waiting to hear
I'm experimenting with writing a library of my own SA rules and scores.
I'd like to be sure that the rules I write don't turn ham into spam and
vice versa. I figured the best way to do this would be to run SA against
an existing collection of ham and spam to make sure emails are still
scored
On 2021-04-25 01:00 AM, John Hardin wrote:
On Sun, 25 Apr 2021, Steve Dondley wrote:
I'm running the same version of SA on the same email on two different
machines and getting different scores in for some rules in the report:
Machine A gives: 0.0 FSL_BULK_SIG Bulk signature
I'm running the same version of SA on the same email on two different
machines and getting different scores in for some rules in the report:
Machine A gives: 0.0 FSL_BULK_SIG Bulk signature with no
Unsubscribe
Machine B gives: 1.0 FSL_BULK_SIG Bulk signature with no
On 2021-04-23 05:41 PM, Martin Gregorie wrote:
On Fri, 2021-04-23 at 16:28 -0400, Steve Dondley wrote:
I'm experimenting with writing a library of my own SA rules and
scores.
I do this on a separate computer, which has Spamassassin installed but
not linked into anything else. It also has
And if you want to test your rules against a corpus rather than
testing against a few one-off spamples, then look into setting up a
local masscheck instance. You don't need to upload the results to SA,
but it will give you a good overview of how a rule behaves against
multiple messages.
I'm
On 2021-04-25 10:19 AM, RW wrote:
On Sun, 25 Apr 2021 00:40:59 -0400
Steve Dondley wrote:
On both machines, /usr/share/spasmassassin/72_active.cf has this rule
which is commented out:
This is the legacy rule directory from before sa-update existed.
Have you not got another directory
I'm running this command:
./mass-check -n --rules='^LOCAL_AWK_INTRO' -o
ham:dir:/spam/Maildir/.INBOX* -c=/etc/spamassassin/ | grep '. 1'
Everything appears to work as expected but I'm getting this
warning/error when I do:
"config: registryboundaries: no tlds defined, need to run
On 2021-04-25 05:57 AM, Reindl Harald wrote:
Am 25.04.21 um 07:09 schrieb Steve Dondley:
That rule has this line in the 72_active.cf file:
Look in 72_scores.cf and compare the modification dates on that file.
Their scores as of today (saturday):
72_scores.cf:score FSL_BULK_SIG
> On Apr 25, 2021, at 1:31 PM, Axb wrote:
>
> What are you trying to do?
> run masscheck for your rules or for the SA project?
I’m experimenting with writing my own rules. My machines are using SA 3.4.4 so
I want to use the 3.4.4 rules.
spamassassin -V reports: "SpamAssassin version 3.4.4"
I imagine I have to checkout an older 3.4.4 point version from SVN and
use the mass-check command from that. It's been ages since I've used
SVN.
How can I get to the older version via SVN?
I solved this by downloading version 3.4.4 of
On 2021-04-25 01:47 PM, Henrik K wrote:
On Sun, Apr 25, 2021 at 01:28:31PM -0400, Steve Dondley wrote:
> mass-check -c parameter expects to find every config file in that single
> directory. Now it's missing spamassassin updates and specifically
> 20_aux_tlds.cf from there. You c
mass-check -c parameter expects to find every config file in that
single
directory. Now it's missing spamassassin updates and specifically
20_aux_tlds.cf from there. You could copy it to /etc/spamassassin
temporarily, but I'd rather make a completely separate directory that
should
include
The email below slipped through my spam filter.
It has malicious content attached which purports to be a voicemail from
comcast (I've snipped the attachment from the example) but it is
actually a phishing attack. The attachment contains a link that goes to
a web page at an obscure domain that
On 2021-04-06 02:55 PM, Steve Dondley wrote:
On 2021-04-06 02:32 PM, Bill Cole wrote:
PLEASE NOTE:
I read the mailing list obsessively and DO NOT NEED (or want) the
extra copies sent when you send both to me and to the list.
Sorry, I still haven't figured out how to properly respond. When I
It seems to have done so. Thank you.
Some MUAs have a "Reply to List" function that uses the List-Post
header (and sometimes heuristics when that header is missing) to send
replies only to a list itself.
I've recently switched to Roundcube from gmail. I didn't see that option
but I think
On 2021-04-06 04:19 PM, Steve Dondley wrote:
It seems to have done so. Thank you.
Some MUAs have a "Reply to List" function that uses the List-Post
header (and sometimes heuristics when that header is missing) to send
replies only to a list itself.
I've recently switched to Roun
On 2021-04-06 02:32 PM, Bill Cole wrote:
PLEASE NOTE:
I read the mailing list obsessively and DO NOT NEED (or want) the
extra copies sent when you send both to me and to the list.
Sorry, I still haven't figured out how to properly respond. When I hi
"reply all" it cc's the list and sends to
Some MUAs have a "Reply to List" function that uses the List-Post
header (and sometimes heuristics when that header is missing) to send
replies only to a list itself.
Ah! I see that option now under the little down arrow next to "Reply
all". My day is made. Thanks!
It can only do so if report_safe is set to 0. With non-zero
report_safe settings, the original mail is encapsulated as an
attachment inside a wrapper message also including the report. That
wrapper message containing the SA report is "safe" because it is fully
local, the text/plain part won't
When I run spamc without -R option like this:
spamc -u some_user < some_email
I get the following output:
This is a multi-part message in MIME format.
Content analysis details: (5.2 points, 5.0 required)
I have emails that have been flagged as spam in the past but that are
still getting through, presumably because the servers are on some DNSWL.
Example:
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
DATE_IN_PAST_03_06,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
Can you provide a working example message AND the operative user prefs?
OK, I was being very stupid. It finally dawned on me that the SA scores
that appeared above the message body and below the headers when spamc
was run without the -R option were SA scores embedded in the message by
the
I have a few different mail servers. I harvest mail from the servers and
periodically sort them into ham/spam folders and then share the sorted
mail back out to the servers and run sa-learn on each of the servers to
coach spamassassin. After doing this a few days, I notice that stuff
that I
I *think* I now I have site-wide bayes filtering working now for all
users on a server. I've edited /etc/spamassassin/local.cf to include
"bayes_path" and "bayes_file_mode" and I don't see any errors about
permissions being wrong from debian-spamd in mail.log.
But rather than guessing, I'm
Are there any BAYES hits on their messages, ham or spam? BAYES_{not
50} would be a positive confirmation. I'm not sure offhand if BAYES_50
hits when bayes is enabled but insufficiently trained...
In one email, I'm seeing this:
3.0 BAYES_95 BODY: Bayes spam probability is 95 to
I'm learning to understand how to properly set up a site-wide bayes
database on my server. Thanks for everyone's help and patience so far.
I've discovered that the SA score assigned to a user's incoming email is
different than the SA score run through the "spamc" or "spamassassin"
command.
I'm noticing a fair amount of spam getting through using letters in the
subject line that are outside the standard set of ASCII characters in an
effort to bypass spam filters. For example, instead of a capital "R",
there will be a letter that closely approximates a capital "R" but when
you
OK, thanks for the additional info. It looks like I was having a
permissions issue and the bayes_* files were not both r/w for users
despite having bayes_file_mode set to 0666. I'm thinking probably
because the bayes_path was originally created manually with root.
spamassassin reads site-wide
You covered a lot of ground here. Thanks.. If you have some spare
cycles, I have follow up questions to get an understanding of how you
process your email:
21 seconds at that includes fetch the samples via imap from two
folders, fire them against a bayes-only spamassasin instance,
What is a
I've read through
https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html which
states that "anything over about 5000 messages does not improve accuracy
significantly in our tests."
So once I hit 5,000, what do? Do I run --forget on say the 500 oldest
emails, delete those from my
On 2021-03-09 08:28 AM, Greg Troxel wrote:
Steve Dondley writes:
I've read through
https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html which
states that "anything over about 5000 messages does not improve
accuracy significantly in our tests."
I would take that with a gra
I'm learning a bit about spamassassin rules and taking a peek at how my
inbound mail is scored. I noticed that PF_NONE scores zero points by
default. I'm wondering if there is a good reason for not giving it a
score and whether I should set that to something much higher like 1.0.
I'm curious
I have been accumulating spam/ham samples and sorting them out into
different directories on my server. As new spam/ham comes in, I throw it
into the existing pile and then run "sa-learn --spam|--ham" on the whole
pile.
It dawned on me that this will get very slow as I eventually collect
However, in 50_scores.cf, this line is commented out:
#score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
Maybe that's the problem?
no, there are other SORBS lists used:
score RCVD_IN_SORBS_DUL 0 0.001 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_HTTP 0 2.499 0 0.001 # n=0 n=2
score RCVD_IN_SORBS_MISC 0 # n=0
On 2021-04-12 03:11 AM, Matthias Leisi wrote:
> -2.0 RCVD_IN_DNSWL_HI RBL: Sender listed at
> https://www.dnswl.org/,
> high trust
> [203.160.71.180 listed in list.dnswl.org [1]] I looked up this, and the other
> one, and didn't find them in dnswl. As
> others said, if you are using
It would be helpful to post an entire actual set of headers --
unmodified -- along with the spamassassin -t report. I can't figure
out (from what you posted) the IP address of the server that was in
DNSWL_HI that delivered mail to your internal/trusted network.
OK, here is the entire output
You should fix URIBL_BLOCKED first.
You need a local, caching, non-forwarding DNS server for SpamAssassin.
Yeah, setting up a DNS server for SA is on my todo list. Thanks.
When you say local, it doesn't have to be on the same machine as
spamassassin, does it? I assume I can have the DNS
On 2021-04-06 11:48 AM, Steve Dondley wrote:
I have emails that have been flagged as spam in the past but that are
still getting through, presumably because the servers are on some
DNSWL.
Example:
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,BAYES_999,
DATE_IN_PAST_03_06
On 2021-04-10 12:10 PM, Greg Troxel wrote:
Steve Dondley writes:
Here are the headers from some egregious spam. It scored a whopping
20.8 point despite being flagged with "RCVD_IN_DNSWL_HI."
Return-Path:
Delivered-To: s...@example.com
Received: from email.e
I have been looking at this issue a little more. I just grepped my
spam folder. Out of 1000 emails I have flagged as spam, 321 have been
flagged with RCVD_DNSWL_HI, a rule which adds -5 points to the eamil.
That's almost 1 out of 3 emails which seems pretty insane.
Here are the headers from
I'm very, very sorry to beat a dead horse, but I'm deeply confused by
the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly on
my system.
I ran this command:
sudo -u s -- spamassassin -t -d < some_email
It gives me this report:
pts rule name description
On 2021-04-10 03:20 PM, Bill Cole wrote:
On 10 Apr 2021, at 14:53, Steve Dondley wrote:
I'm very, very sorry to beat a dead horse, but I'm deeply confused by
the "RCVD_IN_DNSWL_HI" rule which appears to be reporting incorrectly
on my system.
STOP USING ANY PUBLIC DNS RESOLVERS WIT
First, thanks to everyone on the list how has given me a hand over the
past couple of weeks as I get my "sea legs" with spamassassin. It's
working well for me now but I obviously still have more to learn.
For one, I'm still uncertain on the best way to fine tune SA to beat
back some tricky
On 2021-04-11 09:34 AM, Benny Pedersen wrote:
On 2021-04-11 15:13, Steve Dondley wrote:
What do you think?
pyzor is usefull if running pyzord localy, design of pyzor was imho
ment to be local pyzord and have the pyzor client query local, but
pyzord could be get results from other pyzord
I just installed pyzor and did a random spot check of about 10 spam
emails to try to evaluate it using this command:
pyzor check < some_spam
Only one message gave me a hit on pyzor.
But I take my results with a grain of salt because I may not have pyzor
configured optimally.
For one, I'm
value of "1". By the way, anyone know of a CLI utility for extracting
the original spam email from these files?
Here's a very crude perl script that does the trick:
#!/usr/bin/perl
use strict;
use warnings;
my $email;
while (<>) {
$email .= $_;
}
my ($boundary) = $email =~
On 2021-04-11 03:09 PM, Bill Cole wrote:
On 11 Apr 2021, at 13:21, Steve Dondley wrote:
value of "1". By the way, anyone know of a CLI utility for extracting
the original spam email from these files?
spamassassin -d < wrappedspam.eml
Ah, ok. I was familiar with the -d o
On 2021-04-11 04:19 PM, Benny Pedersen wrote:
On 2021-04-11 22:09, Steve Dondley wrote:
Content analysis details: (4.4 points, 5.0 required)
pts rule name description
--
--
3.5 BAYES_99
Second, I'm not sure if my tests will work on my spam samples which
have the spam encapsulated with the "report_safe" setting set to a
value of "1".
I wouldn't expect it to work at all. "report_safe" encapsulation
creates a new email which isn't a spam.
From what I read on pyzor's home
I've received about a dozen phishing attack emails from Microsoft's
sharepoint service within the last couple of weeks. Only one of them was
identified by SA as spam. After running the emails through sa-learn,
they still only score a 4 to 4.5. But I could see that it would be easy
for these
sorbs dnsbl missing, have you denied sorbs.net results ?, or is
spamassassin not testing sorbs.net anymore ?
How would I check if it's turned on? I tried grepping in
/etc/spamassassin on "sorb" (case insensitive) and found nothing. So I
guess it's not in my default config.
I see many
Also, I've heard of sorbs over the years but I'm not sure exactly what
it is. Is this the same block list run by Cisco?
OK, I was getting SORBS confused with SenderBase Reputation Score
(SBRS). That's the one run by Cisco, I believe.
I actually have an account on the SORBS website that I
sorbs dnsbl missing, have you denied sorbs.net results ?, or is
spamassassin not testing sorbs.net anymore ?
Best I can tell, my SA config should be testing for sorbs. I've got this
line in /etc/spamassassin/v3220.pre:
loadplugin Mail::SpamAssassin::Plugin::DNSEval
And in
On 2021-04-22 02:31 PM, Matus UHLAR - fantomas wrote:
On 22.04.21 14:21, Steve Dondley wrote:
pts rule name description
--
--
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
https://www.dnswl.org
For whatever reason, solicitations from marketers for various web
development services are easily slipping through my defenses. I figured
bayes filtering would eventually do the job but after a reporting them
for many days now, I'm still getting like 3 to half dozen a day. Here's
one example:
On 2021-04-21 11:00 AM, Eric Broch wrote:
Does anyone one have a solution to this:
spamd[]: pyzor: check failed: internal error, python traceback
seen in response
I have this in my local.cf
#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor
I don't have this in my config at all. Maybe you are
73 matches
Mail list logo
