Forwarded spam

2008-07-31 Thread Chris Lear
I'm trying to improve the effectiveness of a spamassassin installation, and there's one user who gets a lot of spam that is forwarded from another address, which effectively kills the network tests and in some cases messes with the BAYES score as well. I want to get rid of it. My solution to

Re: Forwarded spam

2008-07-31 Thread Chris Lear
* Matt Kettler wrote (31/07/08 11:25): Chris Lear wrote: I'm trying to improve the effectiveness of a spamassassin installation, and there's one user who gets a lot of spam that is forwarded from another address, which effectively kills the network tests and in some cases messes

Re: Forwarded spam

2008-07-31 Thread Chris Lear
* Matus UHLAR - fantomas wrote (31/07/08 14:07): On 31.07.08 11:05, Chris Lear wrote: I'm trying to improve the effectiveness of a spamassassin installation, and there's one user who gets a lot of spam that is forwarded from another address, which effectively kills the network tests

Re: PDF rule not matching -- split line content type?

2007-08-16 Thread Chris Lear
* Jo Rhett wrote (16/08/07 07:41): Since nobody is paying attention Or they're asleep. Your messages were at 23:44 and 07:41 here. , let me clarify. The current rule is wrong: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i mimeheader __TVD_MIME_ATT_AOPDF Content-Type

Re: PDF rule not matching -- split line content type?

2007-08-16 Thread Chris Lear
Jo Rhett wrote: Chris Lear wrote: * Jo Rhett wrote (16/08/07 07:41): Since nobody is paying attention Or they're asleep. Your messages were at 23:44 and 07:41 here. , let me clarify. The current rule is wrong: mimeheader __TVD_MIME_ATT_AP Content-Type =~ /^application\/pdf/i

Re: URIBL_BLACK matching on messages with no URLs in them...

2007-07-02 Thread Chris Lear
Jo Rhett wrote: Note: yes, uribl has their own mailing list. That server has been down for quite some time, so I gave up and posted it here in case someone is dual listed and can fix it. There's no URL in this message. What is it mis-matching against? This has been answered, but, if

Re: Rules report

2007-04-19 Thread Chris Lear
* Matt Kettler wrote (19/04/07 14:49): Matt Kettler wrote: If you try to build it off a live feed and use SA's marking as the spam criteria, your statistics are useless. Any rule with a high enough score would get perfect results.. all the mail it matched would be spam, and no nonspam. You

Re: New stock spam (2/14/07)

2007-02-15 Thread Chris Lear
* Jonathan Nichols wrote (15/02/07 05:19): Maciej Friedel wrote: On 02/14/07 Jonathan wrote: http://www.pbp.net/~jnichols/spam2.txt 0.0 BOTNET_NORDNS IP address has no PTR record 0.1 HTML_50_60 BODY: Message is 50% to 60% HTML 0.0 HTML_MESSAGE BODY: HTML included in message 1.0

Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Chris Lear
* Loren Wilton wrote (08/02/07 19:46): As for LW_STOCK_SPAM4, it's being triggered by the fact that the message is base-64 encoded text AND has a Date: header that's missing a proper timezone. Apparently a batch of stock spam went out at some point with both of these abnormal features. I have

Re: Techworld says spam shows sudden slide'?

2007-01-12 Thread Chris Lear
Tony Finch wrote: On Thu, 11 Jan 2007, Michael Scheidell wrote: I don't think I see any sudden drop, was the world's #1 spammer in that hut in fluga that got bombed last night? I haven't seen any drop recently either. For my systems (daily legit volume 300,000 and spam 10x that) the spam peak

Re: Easyjet e-mail scoring very high

2007-01-08 Thread Chris Lear
* Chris Lear wrote (01/12/06 16:57): * Adam Stephens wrote (01/12/06 16:10): Chris Lear wrote: * Loren Wilton wrote (01/12/06 14:54): The html contains this sort of thing: http://www#46;easyjet#46;com/EN/Members/ Which looks like the culprit. In fact, every full stop in the html

Re: Botnet 0.6 plugin for Spam Assassin available

2006-12-18 Thread Chris Lear
* Oliver Schulze L. wrote (18/12/06 15:42): Nice stats! How do you generate them in SA 3.1.7 ? I use this: http://www.rulesemporium.com/programs/sa-stats-1.0.txt Chris Thanks Oliver Chris Lear wrote: Here's some sa-stats output: TOP SPAM RULES FIRED

Re: MSRBL

2006-12-15 Thread Chris Lear
Bret Miller wrote: I'm more interested in the Image signatures it has. If they're really useful and reliable. I expect that keeping up with image spam wouldn't be very scalable, but it might at least help reduce some load (since we do virus scanning before letting Spam Assassin see a

Re: Botnet 0.6 plugin for Spam Assassin available

2006-12-08 Thread Chris Lear
* John Rudd wrote (07/12/06 18:33): (I had a bout of insomnia last night, and got more done than I had pre-announced yesterday...) The next version of the Botnet plugin for Spam Assassin is ready. The install instructions are in the Botnet.txt file, and in the INSTALL file. For those

Re: SV: Help with understanding a rule

2006-12-07 Thread Chris Lear
* [EMAIL PROTECTED] wrote (07/12/06 12:03): The list managers are the first ones who have to change. Yes, you are probably right. But: there must be a reason why the rule no_real_name exists? And if there is a rule (written or not) that From: headers should contain a real name, I want to

Easyjet e-mail scoring very high

2006-12-01 Thread Chris Lear
I got an EasyJet confirmation E-mail that scored like this: BAYES_00=-2.599 DNS_FROM_RFC_ABUSE=0.2 FORGED_RCVD_HELO=0.135 HTML_FONT_FACE_BAD=0.156 HTML_MESSAGE=0.001 HTML_TINY_FONT=2.324 MARKETING_PARTNERS=1.765 MIME_HTML_MOSTLY=1.102 SARE_OBFU_AMP2B=2.555 SARE_SPEC_LEO_LINE03a=0.408 Which adds

Re: Easyjet e-mail scoring very high

2006-12-01 Thread Chris Lear
* Loren Wilton wrote (01/12/06 13:57): HTML_FONT_FACE_BAD=0.156 HTML_MESSAGE=0.001 HTML_TINY_FONT=2.324 MARKETING_PARTNERS=1.765 MIME_HTML_MOSTLY=1.102 SARE_OBFU_AMP2B=2.555 SARE_SPEC_LEO_LINE03a=0.408 I think the Received: from mail pickup service line is causing the SARE_OBFU_AMP2B

Re: Easyjet e-mail scoring very high

2006-12-01 Thread Chris Lear
* Loren Wilton wrote (01/12/06 14:54): The html contains this sort of thing: http://www#46;easyjet#46;com/EN/Members/ Which looks like the culprit. In fact, every full stop in the html is represented as #46; for some reason. Still wondering though... how do you solve a problem like EasyJet?

Re: Easyjet e-mail scoring very high

2006-12-01 Thread Chris Lear
* Adam Stephens wrote (01/12/06 16:10): Chris Lear wrote: * Loren Wilton wrote (01/12/06 14:54): The html contains this sort of thing: http://www#46;easyjet#46;com/EN/Members/ Which looks like the culprit. In fact, every full stop in the html is represented as #46; for some reason

Re: How do I stop these?

2006-11-21 Thread Chris Lear
* John Rudd wrote (20/11/06 15:46): John Tice wrote: On Nov 20, 2006, at 10:00 AM, Nathan Zabaldo wrote: I am getting pounded by these types of emails. Does anyone else get these? What rule can I apply to have them killed. It's driving me nuts. Please help!!! These are scoring at

Re: Amazon / RFCI false positives

2006-11-06 Thread Chris Lear
* Tony Finch wrote (05/11/06 17:43): On Sat, 4 Nov 2006, Michael Scheidell wrote: So? Build something better. It's open source. Don't use the RFCI scores, drop them, stop bitching about something YOU can change. Well, I've added a -2 for email from Amazon, but I thought other people might

Re: Amazon / RFCI false positives

2006-11-06 Thread Chris Lear
jdow wrote: From: Chris Lear [EMAIL PROTECTED] * Tony Finch wrote (05/11/06 17:43): On Sat, 4 Nov 2006, Michael Scheidell wrote: So? Build something better. It's open source. Don't use the RFCI scores, drop them, stop bitching about something YOU can change. Well, I've added a -2 for email

Re: I'm thinking about suing Microsoft

2006-10-25 Thread Chris Lear
. Unfortunately, neither of these things is illegal in any country as far as I can tell. Chris Lear wrote: * Marc Perkel wrote (23/10/06 19:34): I'm considering filing a lawsuit against Microsoft to try to get an order to make them make public security updates for Windows to everyone, registered

Re: score=0.0 tests=none -- how can that be???

2006-10-25 Thread Chris Lear
* Debbie D wrote (25/10/06 04:48): Matt Kettler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Debbie D wrote: I'm just not getting it.. I have a whole list of custom rules, I use RulesDuJour, I have custom scores to mark stuff higher.. I have reasonable limits set.. the users

Re: I'm thinking about suing Microsoft

2006-10-24 Thread Chris Lear
* Marc Perkel wrote (23/10/06 19:34): I'm considering filing a lawsuit against Microsoft to try to get an order to make them make public security updates for Windows to everyone, registered or not. The idea is that their product Windows creates a toxic byproduct (spam,ddos zombies) that

Re: Psst!

2006-10-20 Thread Chris Lear
* Chris Santerre wrote (20/10/06 15:30): -Original Message- From: David B Funk [mailto:[EMAIL PROTECTED] Sent: Friday, October 20, 2006 1:20 AM To: users@spamassassin.apache.org Subject: Re: Psst! On Thu, 19 Oct 2006, Matt Kettler wrote: Another thing I've been noticing

Re: ALL_TRUSTED creating a problem

2006-10-19 Thread Chris Lear
* Jo Rhett wrote (19/10/06 08:55): Mark wrote: We cannot really say SA's autodetection is broken, because SA is designed to be called post-SMTP. Nor that a milter is broken per se for not adding a Received: header, as that is the responsibility of the MTA itself. But a milter using SA *can* be

Re: SA 3.1.7 children hang but don't die

2006-10-19 Thread Chris Lear
* David B Funk wrote (19/10/06 03:47): On Wed, 18 Oct 2006, Sandy S wrote: Daryl - I switched back to 3.1.5 after my last post, and am sorry to report that I'm still seeing the same issue under 3.1.5. After running a while, the processes in a state of K start building up until I manually kill

Re: tmp files being left over from FuzzyOCR?

2006-10-19 Thread Chris Lear
* Bill wrote (19/10/06 14:03): Since I installed FuzzyOCR I've noticed I'm having a lot of files named similar to .spamassassin8932mZBFrtmp left in my /tmp folder. These are from FuzzyOCR, correct? The content of these files has lots of spaces, hyphens, commas with a few readable words and

Re: tmp files being left over from FuzzyOCR?

2006-10-19 Thread Chris Lear
* Bill wrote (19/10/06 15:29): I'm using FuzzyOcr-2.3b and I can't find any reference to this option in any of the FuzzyOCR software I downloaded. focr_keep_bad_images 0 Here's a sample of the items in my /tmp folder. You said yours were folders, mine's not. All of these files are

Re: Spamd not killing children

2006-10-17 Thread Chris Lear
* Chris Lear wrote (16/10/06 10:32): The problem I'm having is that spamd doesn't seem to be able to clean up unwanted idle child processes. [...] I've had a look in the spamd code, and I'm now wondering whether my problem is related to logging bugs (eg http://issues.apache.org/SpamAssassin

Spamd not killing children

2006-10-16 Thread Chris Lear
Subject sounds unpleasantly like incitement to filicide, for which I apologise. The problem I'm having is that spamd doesn't seem to be able to clean up unwanted idle child processes. Here's the logfile evidence: Oct 16 00:12:59 marvin spamd[6351]: prefork: child states: III Oct 16 00:13:09

Re: DEAR_SOMETHING rule scoring issue

2006-08-09 Thread Chris Lear
* Gregory T Pelle wrote (09/08/06 15:14): What is the procedure to have a rule score reviewed? I have been looking over the scoring for version 3.1.x at http://spamassassin.apache.org/tests_3_1_x.html and think that a score of 1.6 is high for the DEAR_SOMETHING rule. I know that

Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Chris Lear
* Marc Perkel wrote (03/08/06 14:39): Tony Finch wrote: The reason that message submission is done with SMTP is because of the number of SMTP extensions that the MUA will want to use, in particular DSNs, deliver-by, deliver-after, message tracking, and whatever else may be invented in the

Re: exim4 + forwarding + spamassassin

2006-07-27 Thread Chris Lear
* Zinski, Steve wrote (27/07/06 02:50): Not sure how to get exim to pass the initial scan to spamd using a different user. I've gone through my exim.conf file and changed every single user = entry to a known user and it still insists on using nobody for the first pass. Another thing that

Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-13 Thread Chris Lear
* Marc Perkel wrote (12/07/06 18:30): Catchy subject line eh? OK - so what I mean by this is that I now use SA for about 5% of all incoming email. The reaso of spam is rejected before I get to SA through a fairly large number of tricks that allow me to determine with near 100% accuracy

Re: sa-learn script

2006-07-11 Thread Chris Lear
* Nicholas Payne-Roberts wrote (11/07/06 11:58): Does anybody know a good way to script sa-learn to daily check on junk e-mail folders? I'm currently trying the following line in a cron.daily script, but it's throwing up an error: find /home/vpopmail/domains -name .Junk E-mail -exec sa-learn

Yahoo! SpamGuard spam

2006-07-11 Thread Chris Lear
I was entertained by this. A score of 5.491 added to an e-mail because of a Yahoo! advert stuck on the bottom by the Yahoo! MTA. And the advert is for SpamGuard. [... headers chopped... ] X-Spam-Score: 2.9 X-Spam-Level: ++ X-Spam-Report: Spam report: Score = 2.9.

Re: Lots of missed spam

2006-06-29 Thread Chris Lear
* Leigh Sharpe wrote (29/06/06 03:03): This was my first suspicion. I turned off Bayes tests temporarily and it had little effect. I'm seriously considering resetting the bayes and starting again I can recommend that. I had a situation a while ago where the bayes database got mysteriously

Re: Suing Spammers

2006-05-15 Thread Chris Lear
* jdow wrote (14/05/06 02:09): From: Gary W. Smith [EMAIL PROTECTED] On another paw, Craig, do consider who is the injured party. Marc is not. The final recipient, the addressee, is an injured party for the spam in her mailbox. The addressee's ISP is also an injured party due to the

Can spamassassin stop this?

2006-05-12 Thread Chris Lear
I run a fairly uncompromising spamassassin, which rejects mail scoring 5.5 or above (and in my own mailbox, I treat anything scoring over 0 as suspect). I find that almost all false negatives that slip through are the result of a not-perfectly-trained site-wide bayes database [Basically, I train

Re: Could you scan your logs for me?

2006-02-03 Thread Chris Lear
* Ole Nomann Thomsen wrote (03/02/06 09:27): Hi, can I ask a small favor from some of you running SA with Bayes enabled: Please run the following perl-oneliner on your SA-log (mine is current): perl -ne 'if (/result:/) {$n++; $b++ if (/BAYES/);} } print $b/$n,"\n"; {' current (I promise

Re: Another URL obfuscation

2006-01-10 Thread Chris Lear
* Jeff Chan wrote (10/01/2006 15:42): On Tuesday, January 10, 2006, 6:17:38 AM, Larry Rosenbaum wrote: I found this obfuscated URL in a drug spam: A href=3Dhttp://gozifo .upze5otbbutzanbb655k685ys5nn%2Eridgykh= comFONT SIZE=3D2/FONT Good grief, does any mail client actually parse that as

Re: SARE_URI_EQUALS false positives

2006-01-03 Thread Chris Lear
* Loren Wilton wrote (24/12/2005 00:23): Does anyone have any suggestions, apart from simply reducing the score for SARE_URI_EQUALS? Is this a spamassassin bug, or is there no way to guarantee that only real uris are parsed as such? Several. Hi. Thanks for the response. I'm replying rather

SARE_URI_EQUALS false positives

2005-12-23 Thread Chris Lear
I'm getting false positives for SARE_URI_EQUALS, which scores 5 and is therefore skewing the scoring of some mail quite badly. The weird thing is that the uris that spamassassin is complaining about aren't uris at all. The mail in question is auto-created reports of cvs diffs, so it's slightly

Re: SARE_URI_EQUALS false positives

2005-12-23 Thread Chris Lear
* jdow wrote (23/12/05 11:26): From: Chris Lear [EMAIL PROTECTED] I'm getting false positives for SARE_URI_EQUALS, which scores 5 and is therefore skewing the scoring of some mail quite badly. The weird thing is that the uris that spamassassin is complaining about aren't uris at all

Re: SARE_URI_EQUALS false positives

2005-12-23 Thread Chris Lear
* jdow wrote (23/12/05 12:06): From: Chris Lear [EMAIL PROTECTED] * jdow wrote (23/12/05 11:26): From: Chris Lear [EMAIL PROTECTED] I'm getting false positives for SARE_URI_EQUALS, which scores 5 and is therefore skewing the scoring of some mail quite badly. The weird thing is that the uris

Re: How can i block this?

2005-10-12 Thread Chris Lear
* Matt Kettler wrote (10/11/05 19:37): Alessio wrote: I have received this mail, the heading from is blank! Is possible? Yes, it's quite normal and is called a message with a null return path. Is it? I thought the return path (or envelope sender) was quite distinct from the From: header in

Re: How can i block this?

2005-10-12 Thread Chris Lear
* mouss wrote (10/12/05 13:13): Chris Lear a écrit : * Matt Kettler wrote (10/11/05 19:37): Alessio wrote: I have received this mail, the heading from is blank! Is possible? Yes, it's quite normal and is called a message with a null return path. Is it? I thought

Bayes expiry/oddity

2005-09-23 Thread Chris Lear
I'm running a reasonably small site-wide spamassassin, and I use a site-side bayes db. Spamassassin runs as the user spamd. I noticed that I got spam last night with no BAYES_XX markup. I looked into it this morning, and discovered that the bayes db only has 47 spam messages in it (nspam from

Re: Bayes expiry/oddity

2005-09-23 Thread Chris Lear
* Chris Lear wrote (09/23/05 10:34): I'm running a reasonably small site-wide spamassassin, and I use a site-side bayes db. Spamassassin runs as the user spamd. I noticed that I got spam last night with no BAYES_XX markup. I looked into it this morning, and discovered that the bayes db only

Re: Unsubscribing

2005-07-15 Thread Chris Lear
* Duane Hill wrote (07/15/05 10:49): On Friday, July 15, 2005 at 9:45:17 AM, [EMAIL PROTECTED] confabulated: I am shortly to go on hols for 2 weeks and so was planning to unsubscribe until I get back. I notice on the web page at http://wiki.apache.org/spamassassin/MailingLists it tells

Re: How can I correct this FalsePositive?

2005-07-15 Thread Chris Lear
* Loren Wilton wrote (07/15/05 12:02): X-Spam-Status: Yes, score=2.2 required=2.0 tests=HTML_BACKHAIR_8,HTML_MESSAGE, HTML_OBFUSCATE_05_10,MIME_HTML_ONLY autolearn=no version=3.0.4 The easiest way to eliminate this FP would be to take your spam threshold back to 5, or at least something

SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread Chris Lear
I've been running quite a lot of sare rules on a site-wide SA installation for a month or two now. I've been keeping a fairly close eye on it, and there have been few false positives generally. But today I noticed that several e-mails are hitting both SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251.

Re: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread Chris Lear
* John Wilcock wrote (05/20/05 10:51): Chris Lear wrote: But today I noticed that several e-mails are hitting both SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251. These are ham, sent from (one specific address in) Ukraine to a Ukrainian in England, written in English. The scoring

Re: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread Chris Lear
* John Wilcock wrote (05/20/05 12:15): Chris Lear wrote: They're in my header0.cf from sare/rules du jour. And in header.cf with a lower score as well. Have I got the wrong files? Methinks you have an old header0.cf that is no longer being updated - these rules aren't in the current

Re: how to config SA to scan mail from localhost

2005-05-10 Thread Chris Lear
* Evan Platt wrote (10/05/2005 05:21): At 09:16 PM 5/9/2005, you wrote: I'm testing the SA but my server can't connect to outside world. Thus, I've to send mail from localhost to myself to find how accurate SA is. Unfortunately, SA doesn't scan mails that are sent from localhost. How can I reconfig

Re: OT: Confession and rage

2005-05-06 Thread Chris Lear
* Stewart, John wrote (05/06/05 15:55): [... excellent story chopped ...] Do I: - Never go there again, as I said would be the case in my previous email? - Show up and try to convince her what a horrible thing she is doing? - Just screw with their (horribly insecure) online site,

Re: Simply don't run spam for Mailing Liste

2005-04-28 Thread Chris Lear
* arnaud wrote (27/04/2005 23:06): Kris Deugau wrote: [...] In my case, for instance, SA is called from procmail just before the message is written to a mailbox. In my .procmailrc file, I have a number of procmail recipes that look something like this: # SATalk :0: * ^List-Id: