Re: Spoofed From: names

2020-04-09 Thread Lindsay Haisley
On Thu, 2020-04-09 at 10:02 -0600, Grant Taylor wrote:
> Please elaborate 
> on what else SpamAssassin needs to know about and do.

I don't know. I'm no SA expert, but I've worked with DMARC mitigation
code and would assume that an RFC-2822 compliant understanding of the
From address would be the first step.

> I also quite frequently see "name via ".  But sadly that doesn't 
> give the email address information.

Mailman's DMARC mitigation code uses something very similar to "name at
domain via"  which retains all the information from
the original From address while providing a functional From address
using a domain name which passes SPF, a sufficient condition for
passing DMARC.

-- 
Lindsay Haisley   | "The world is full of monsters with friendly
FMP Computer Services |   faces and angels with scars."
512-259-1190  | 
http://www.fmp.com|  - Heather Brewer



Re: Spoofed From: names

2020-04-09 Thread Lindsay Haisley
On Thu, 2020-04-09 at 10:47 -0400, Rick Cooper wrote:
>  I wrote my own plugin  for that but I don't score very high anymore because
> of things like this:
> (obviously Mr Bill is not real but the netsuite address is)
> 
> From: "Mr Bill (mb...@legitemail.com)" 
> 
> I find more and more companies, I believe intuit is doing something like
> that, that do this.

This is actually a common, legitimate technique for dealing with DMARC
mitigation issues on mailing lists and mail redirections. I don't know
if SA has the ability to fully parse an email address based on RFC-2822 
criteria, but this would be what's necessary.

GNU Mailman uses a From address rewrite of this sort when the sending
poster to a list has an email address for which the domain DMARC policy
is "reject". I've re-written the Mailman code (Python) for use with
email redirection via the Courier MTA. The Mailman code substitutes the
word "at" in the comment field for the ampersand to avoid this sort of
problem, but other implementations may not.

-- 
Lindsay Haisley   | "The world is full of monsters with friendly
FMP Computer Services |   faces and angels with scars."
512-259-1190  | 
http://www.fmp.com|  - Heather Brewer
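The two posts above describe the same mechanism from both sides: a list server (Mailman) rewriting the From header so the addr-spec is a list address that passes SPF/DMARC while the poster's identity survives in the display name, and a filter plugin that scores display names which embed a literal e-mail address. The following Python is an added example written for this archive page, not Mailman's code and not Rick Cooper's plugin; it uses only the standard library's RFC 5322 address parser. The list name and addresses are constructed placeholders.

```python
import re
from email.utils import parseaddr, formataddr

# A literal addr-spec hiding inside a display name, e.g. "Mr Bill (mb@legitemail.com)".
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# The Mailman-style spelling "user at domain" (the '@' replaced by ' at ').
MUNGED_ADDR = re.compile(r"\b[\w.+-]+ at [\w-]+(?:\.[\w-]+)+\b")


def parse_from(header):
    """Split a From header (with or without the 'From:' prefix) into
    (display_name, addr_spec) with the stdlib RFC 5322 parser."""
    if header.lower().startswith("from:"):
        header = header[5:]
    name, addr = parseaddr(header.strip())
    return name, addr.lower()


def rewrite_from_for_dmarc(original_from, list_name, list_addr):
    """Mailman-style DMARC mitigation: keep the poster's name and address in
    the display name (with '@' spelled 'at' so the result does not look like
    a spoofed embedded address) and put the list's own address, whose domain
    passes SPF, in the addr-spec."""
    name, addr = parse_from(original_from)
    local, _, domain = addr.rpartition("@")
    display = f"{name or local} ({local} at {domain}) via {list_name}"
    # formataddr quotes the display name because it contains '(' and '.'.
    return formataddr((display, list_addr))


def classify_from(header):
    """Classify a From header for scoring purposes:
      'mismatch'    display name embeds an address whose domain differs from
                    the real addr-spec's domain (the pattern a plugin would score)
      'same-domain' display name embeds an address in the same domain
      'munged'      display name uses the 'user at domain' list convention
      'clean'       nothing address-like in the display name"""
    name, addr = parse_from(header)
    addr_domain = addr.rpartition("@")[2]
    embedded = EMBEDDED_ADDR.search(name)
    if embedded:
        embedded_domain = embedded.group(0).lower().rpartition("@")[2]
        return "mismatch" if embedded_domain != addr_domain else "same-domain"
    if MUNGED_ADDR.search(name):
        return "munged"
    return "clean"


if __name__ == "__main__":
    # Constructed sample: the poster's real address, rewritten for a list.
    munged = rewrite_from_for_dmarc('"Mr Bill" <mb@legitemail.com>',
                                    "Users", "users@lists.example.org")
    print(munged, "->", classify_from(munged))
    # Constructed sample: an embedded address that does not match the addr-spec.
    print(classify_from('From: "Mr Bill (mb@legitemail.com)" <notify@bulkmailer.example>'))
```

The classifier deliberately treats the "user at domain via list" spelling as its own category, so a rule built on it would not penalise list traffic that was munged the way the Mailman code does.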



Re: Two types of new spam

2020-01-02 Thread Lindsay Haisley
On Thu, 2020-01-02 at 16:08 -0700, Philip Prindeville wrote:
> I’m getting the following Spam.
> 
> http://www.redfish-solutions.com/misc/bluechew.eml
> 
> And this is notable for having:
> 
> 
> 
> GUID1
> GUID2
> GUID3
> GUID4
> …
> 

I've also been getting a number of these, and someone else on this list
reported the same format. I haven't seen a SA rules solution to
blocking these.

-- 
Lindsay Haisley   | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190  |
http://www.fmp.com| -- Hiram W Johnson



Re: SPAM message format, or not ?

2019-12-19 Thread Lindsay Haisley
On Thu, 2019-12-19 at 16:56 +, Chip M. wrote:
> On Wed, 18 Dec 2019, John Hardin wrote:
> > Can you post a spample
> 
> This is a very interesting pattern that I've seen in a few (9) spams
> this week.
> Here's a spample (with only the To header MUNGED):
> 
> http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
> Lindsay, is that what you're seeing?

Exactly.

All of these verifiably come from Amazon IP addresses. I filed one
abuse report with Amazon, jumping through all the hoops spec'd in their
whois listing, but I doubt if it does any good. The Big Guys don't need
to allocate any of their hard-earned resources to clamping down on spam
sent from their customers' accounts :(

-- 
Lindsay Haisley   | "UNIX is user-friendly, it just
FMP Computer Services |   chooses its friends."
512-259-1190  |  -- Andreas Bogk
http://www.fmp.com|



SPAM message format, or not ?

2019-12-18 Thread Lindsay Haisley
I've been getting a lot of spams here with a format similar to:

[snip]


d171f2b7-af04-5a8-5a8-cee259c46b8f
9fc2adda-9160-c56-c56-feadd16b0acc
cec5f152-fd8b-9a9-9a9-c5e5c0e676cb
3aaf4ded-e0ec-31d-31d-efec2dbb3f8a
b4804f85-ac57-2d2-2d2-f1c275fd8a0f
4a8cccf0-e0ea-eb7-eb7-beef48d34ff9
edaf0f77-a5b3-bdc-bdc-bdf3aac36bf5
66cef8f7-3be7-3c3-3c3-eefbb04d1f3d
feeac7ae-bda4-476-476-bd68dd935701
a1f2a14d-2beb-390-390-71b7c8933ae7
18c00d8b-b6ba-66d-66d-bf1abff7564b
35c0a27b-cd0d-e5c-e5c-3277bdd93ed3
a2d15cc1-b785-5c2-5c2-7eeff43c1e3a
 etc.

[rest of spam]

... perhaps a couple hundred lines of these random hex number
sequences.

These lines are almost certainly intended to avoid spam filtration. I
have a couple of questions.

* What's the nature of this style block (obviously not legit HTML
styles)? 

* Are there any characteristics of these emails which can be singled
out for the purpose of blocking them?

* Has anyone developed any rules to deal with these, either for
SpamAssassin or any other filtering platform?

I frequently just block IP addresses, however these come from
amazonaws.com (Amazon) IP addresses, which may well overlap with
legitimate amazon.com mail sources, so I'm looking for a way to block
them with a finer tool.

-- 
Lindsay Haisley   | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190  |
http://www.fmp.com| -- Hiram W Johnson
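Both this post and the later "Two types of new spam" thread describe the same chaff: a block of a few hundred lines that each hold nothing but a GUID-looking hex string, inserted to dilute the filterable content. The following Python is an added example for this page, not a SpamAssassin rule from the project and not the filter the poster wrote. It counts lines that consist solely of such a string (the samples above use an unusual 8-4-3-3-12 grouping, so the pattern allows 3 or 4 hex digits in the middle groups) and flags a body whose longest run or overall ratio of such lines crosses a threshold. The sample bodies are constructed from the lines quoted in the post.

```python
import re

# A line that is nothing but a GUID-like token: 8-4-(3|4)-(3|4)-12 hex digits.
GUIDISH_LINE = re.compile(
    r"^\s*[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{3,4}-[0-9a-f]{12}\s*$",
    re.IGNORECASE,
)


def chaff_stats(body):
    """Return line counts and the longest consecutive run of GUID-only lines."""
    lines = body.splitlines()
    longest = run = total = 0
    for line in lines:
        if GUIDISH_LINE.match(line):
            run += 1
            total += 1
            longest = max(longest, run)
        else:
            run = 0
    return {"lines": len(lines), "guid_lines": total, "longest_run": longest}


def is_guid_chaff(body, min_run=8, min_ratio=0.5):
    """True when the body carries a long run of GUID-only lines, or when such
    lines make up most of it. A single ticket id or UUID in a normal message
    never reaches either threshold."""
    s = chaff_stats(body)
    if s["longest_run"] >= min_run:
        return True
    return s["lines"] > 0 and s["guid_lines"] / s["lines"] >= min_ratio


# Constructed sample bodies; the hex lines are the ones quoted in the post.
SAMPLE_SPAM = "\n".join([
    "Hello,",
    "",
    "d171f2b7-af04-5a8-5a8-cee259c46b8f",
    "9fc2adda-9160-c56-c56-feadd16b0acc",
    "cec5f152-fd8b-9a9-9a9-c5e5c0e676cb",
    "3aaf4ded-e0ec-31d-31d-efec2dbb3f8a",
    "b4804f85-ac57-2d2-2d2-f1c275fd8a0f",
    "4a8cccf0-e0ea-eb7-eb7-beef48d34ff9",
    "edaf0f77-a5b3-bdc-bdc-bdf3aac36bf5",
    "66cef8f7-3be7-3c3-3c3-eefbb04d1f3d",
    "feeac7ae-bda4-476-476-bd68dd935701",
    "a1f2a14d-2beb-390-390-71b7c8933ae7",
    "18c00d8b-b6ba-66d-66d-bf1abff7564b",
    "35c0a27b-cd0d-e5c-e5c-3277bdd93ed3",
    "a2d15cc1-b785-5c2-5c2-7eeff43c1e3a",
    "",
    "[rest of message]",
])

SAMPLE_HAM = "\n".join([
    "Hi,",
    "",
    "Your support ticket is 123e4567-e89b-12d3-a456-426614174000 and the",
    "build you asked about is",
    "9fc2adda-9160-4c56-8c56-feadd16b0acc",
    "Thanks.",
])

if __name__ == "__main__":
    print(chaff_stats(SAMPLE_SPAM), is_guid_chaff(SAMPLE_SPAM))
    print(chaff_stats(SAMPLE_HAM), is_guid_chaff(SAMPLE_HAM))
```

Because the chaff is in the body rather than in any header, a rule of this shape has to run over the decoded body; the thresholds are starting points to tune against a local corpus rather than values taken from the thread.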



Re: DNS Terminology

2016-09-24 Thread Lindsay Haisley
On Sat, 2016-09-24 at 00:15 -0500, Dave Funk wrote:
> On Fri, 23 Sep 2016, Lindsay Haisley wrote:
> 
> > 
> > On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net
> > wrote:
> > > 
> > > consider that, to do the work described as "forwarding" in many of
> > > these references, the nameserver must perform a recursive query [e.g.
> > > it must perform a query with the rd bit set].
> > "A forwarding DNS server offers the same advantage of maintaining a
> > cache to improve DNS resolution times for clients. However, it actually
> > does none of the recursive querying itself. Instead, it forwards all
> > requests to an outside resolving server and then caches the results to
> > use for later queries."
> > 
> > What am I missing?
> > 
> > Justin Ellingwood, who wrote the DigitalOcean piece, is a very
> > experienced documenter. From his rather impressive resume, I'd be
> > inclined to trust what he posts.
> This is the difference between asking a question (formulating a query 
> potentially with the "want recursion" bit set) and then doing the work of 
> chasing down all the different stake-holders necessary to answer the 
> question (performing the recursive query)
> VS handing the query off to a 3'rd party and letting them do the dirty 
> work (forwarding)

Exactly!

I apologize for double posting, and for missing responses to my posts.
I'm busy, and only got onto this list to inquire about blocking a
particular kind of spam with which I've been having a problem. I
shouldn't have gotten involved in a discussion on name servers. 

I'm outa here :)

Ciao

-- 
Lindsay Haisley   | "It is better to bite a single
FMP Computer Services |cannibal than to curse the doggies"
512-259-1190  |
http://www.fmp.com|-- John Day




Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 19:03 -0400, listsb-spamassas...@bitrate.net
wrote:
> consider that, to do the work described as "forwarding" in many of
> these references, the nameserver must perform a recursive query [e.g.
> it must perform a query with the rd bit set].

"A forwarding DNS server offers the same advantage of maintaining a
cache to improve DNS resolution times for clients. However, it actually
does none of the recursive querying itself. Instead, it forwards all
requests to an outside resolving server and then caches the results to
use for later queries."

What am I missing?

Justin Ellingwood, who wrote the DigitalOcean piece, is a very
experienced documenter. From his rather impressive resume, I'd be
inclined to trust what he posts.

-- 
Lindsay Haisley   |"Friends are like potatoes.
FMP Computer Services |If you eat them, they die"
512-259-1190  |
http://www.fmp.com|  - Aaron Edmund




Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 17:10 -0400, btb wrote:
> > http://serverfault.com/questions/661821/what-s-the-difference-betwe
> en-recursion-and-forwarding-in-bind
> 
> this is bad information.  it's unfortunate it has a green check mark 
> next to it.  at least it only has a 6 though.

So why is this bad information?

-- 
Lindsay Haisley   |  "The voice of dissent was arrested before
FMP Computer Services | the president cleared his throat to
512-259-1190  |speak of freedom"
http://www.fmp.com|
  |-- Chris Chandler




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> On a more theoretical level, the 
> fact that BIND is able to do virtually anything that anyone would ever 
> want to do with a DNS server means that it is has a broader potential 
> attack surface in itself and is a richer prize if hijacked, either 
> directly or as a consequence of a general system compromise.

Well bind9 seems to show up relatively rarely in CERT bulletins and
pushed upgrades are rare enough to indicate to me that the current
release for my server OS (BIND 9.9.5-3ubuntu0.8-Ubuntu (Extended
Support Version)), which has been stable for 6 months, is pretty solid.
Exploit exposure is only as extensive with a package of this sort as
what one makes it to be. Both Canonical and ISC, the upstream
maintainer, are fastidious about security, but it's always possible,
through ignorance or carelessness, to make secure software insecure
through misconfiguration. Setting stock bind9 up as a simple recursive
name server is a no-brainer, however, as I noted.

I'd be very happy to hear about exploits of bind9 set up with simple
configuration as a recursive name server, with a proper acl. I keep my
ear to the ground and haven't heard of such. 

FWIW, I'm far less impressed with the general level of system
administration knowledge on this SA forum than I am with the apparent
knowledge of people whose postings and offerings elsewhere on the
Internet re. subjects such as named have been vetted and reviewed by
competent peers, as is the way of the world with open source software.

-- 
Lindsay Haisley   | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190  |
http://www.fmp.com| -- Hiram W Johnson



Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> Almost every week on this list you can see examples of people who are 
> nominally and operationally sysadmins who have followed poor config 
> advice found in dubious corners of the net or even on stale pages of the 
> SA wiki, and the same class of error is a big risk of using BIND because 
> of its age and breadth of capability. On a more theoretical level, the 
> fact that BIND is able to do virtually anything that anyone would ever 
> want to do with a DNS server means that it is has a broader potential 
> attack surface in itself and is a richer prize if hijacked, either 
> directly or as a consequence of a general system compromise.
> 
> On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:
> > 
> > 
> > On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > > 
> > > 
> > > As much as I love BIND (no, seriously, I do) it's very hard to 
> > > recommend 
> > > it as the first choice for a simple recursive resolver.
> > Setting up bind as a "simple recursive resolver" is simplicity itself.
> Simplicity is generally a subjective, relative quality.
> 
> Start Unbound with literally no explicit configuration and you get a 
> working, safe, reasonably-configured resolver for localhost: the simple 
> sort of resolver that a plurality of freestanding mail servers should 
> have, perfect as a fix for the mistake of using dnsmasq locally. It's 
> very hard to typo a config that doesn't exist.
> 
> > 
> > 
> > acl goodclients {
> > 1.2.3.0/24;
> >     4.5.6.0/24;
> >     127.0.0.1;
> >     etc
> > };
> > 
> > options {
> >         ..
> > 
> > recursion yes;
> > allow-query { goodclients; };
> > 
> >         etc...
> > };
> That's more than most mail server resolvers need and the real devil is 
> in what could be in those ellipses...

The lines represented by ellipses are what's in the stock
/etc/bin/named.conf.options file and aren't relevant to the issue of
setting up a recursive DNS server.  Check out the URL I sent, or the
standard bind config on Debian or Ubuntu Server.

> Almost every week on this list you can see examples of people who are 
> nominally and operationally sysadmins who have followed poor config 
> advice found in dubious corners of the net or even on stale pages of the 
> SA wiki, and the same class of error is a big risk of using BIND because 
> of its age and breadth of capability. On a more theoretical level, the 
> fact that BIND is able to do virtually anything that anyone would ever 
> want to do with a DNS server means that it is has a broader potential 
> attack surface in itself and is a richer prize if hijacked, either 
> directly or as a consequence of a general system compromise.

Well, these few config options for bind9 work fine for me :) And they
always have. I've never had a problem.

This ain't rocket science, as they say, and there's plenty of
documentation out there. I'm not scared of bind configuration. I know
how to make bind9 stand up and make pancakes for breakfast ;)

-- 
Lindsay Haisley   |  "Humor will get you through times of no humor
FMP Computer Services |  better than no humor will get you through
512-259-1190  | times of humor."
http://www.fmp.com|- Butch Hancock



Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 20:21 -0400, Bill Cole wrote:
> On 23 Sep 2016, at 16:10, Lindsay Haisley wrote:
> 
> > 
> > On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> > > 
> > > As much as I love BIND (no, seriously, I do) it's very hard to 
> > > recommend 
> > > it as the first choice for a simple recursive resolver.
> > Setting up bind as a "simple recursive resolver" is simplicity itself.
> Simplicity is generally a subjective, relative quality.
> 
> Start Unbound with literally no explicit configuration and you get a 
> working, safe, reasonably-configured resolver for localhost: the simple 
> sort of resolver that a plurality of freestanding mail servers should 
> have, perfect as a fix for the mistake of using dnsmasq locally. It's 
> very hard to typo a config that doesn't exist.
> 
> > 
> > acl goodclients {
> > 1.2.3.0/24;
> >     4.5.6.0/24;
> >     127.0.0.1;
> >     etc
> > };
> > 
> > options {
> >         ..
> > 
> > recursion yes;
> > allow-query { goodclients; };
> > 
> >         etc...
> > };
> That's more than most mail server resolvers need and the real devil is 
> in what could be in those ellipses...

The lines represented by ellipses are what's in the stock
/etc/bin/named.conf.options file and aren't relevant to the issue of
setting up a recursive DNS server.  Check out the URL I sent, or the
standard bind config on Debian or Ubuntu Server.

> Almost every week on this list you can see examples of people who are 
> nominally and operationally sysadmins who have followed poor config 
> advice found in dubious corners of the net or even on stale pages of the 
> SA wiki, and the same class of error is a big risk of using BIND because 
> of its age and breadth of capability. On a more theoretical level, the 
> fact that BIND is able to do virtually anything that anyone would ever 
> want to do with a DNS server means that it is has a broader potential 
> attack surface in itself and is a richer prize if hijacked, either 
> directly or as a consequence of a general system compromise.

Well, these few config options for bind9 work fine for me :) And they
always have. I've never had a problem.

This ain't rocket science, as they say, and there's plenty of
documentation out there. I'm not scared of bind configuration. I know
how to make bind9 stand up and make pancakes for breakfast ;)

-- 
Lindsay Haisley   | "The only unchanging certainty
FMP Computer Services |is the certainty of change"
512-259-1190  |
http://www.fmp.com| - Ancient wisdom, all cultures




Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 17:10 -0400, btb wrote:
> On 2016.09.23 16.16, Lindsay Haisley wrote:
> > 
> > On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
> > > 
> > > Right, but the question here is why isn't a forwarding server also a
> > > recursive server? Why is the use of iteration the defining feature of
> > > a recursive server and not the support for recursion.
> > http://serverfault.com/questions/661821/what-s-the-difference-between-recursion-and-forwarding-in-bind
> this is bad information.  it's unfortunate it has a green check mark 
> next to it.  at least it only has a 6 though.

What do you think is bad about it? I've been working with DNS for 20
years and this is about as straightforward an explanation of the
difference as I can think of, and jibes with my understanding. Am I
misinformed?

<http://www.techexams.net/forums/net-infra-70-291/29238-dns-recursion-forwarding.html>
says pretty much the same thing. Is this also bad information?

Or how about
<https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04>?

What this article defines as a "caching" name server is rather the same
as a recursive server, but the definition of a forwarding server is the
same - basically a proxy server.

Programmers don't like the use of the term "recursion" when applied to
a name server, but the word has a general meaning that can be applied
in a lot of contexts, some of them in a variety of IT fields.

-- 
Lindsay Haisley   | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190  |  -- Pogo
http://www.fmp.com|




Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 18:43 +0100, RW wrote:
> Right, but the question here is why isn't a forwarding server also a
> recursive server? Why is the use of iteration the defining feature of
> a recursive server and not the support for recursion.

http://serverfault.com/questions/661821/what-s-the-difference-between-recursion-and-forwarding-in-bind

-- 
Lindsay Haisley   | "The difference between a duck is because
FMP Computer Services |one leg is both the same"
512-259-1190  | - Anonymous
http://www.fmp.com|




Re: Spam by IP-address? Spamassassin with geoiplookup?

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 15:28 -0400, Bill Cole wrote:
> As much as I love BIND (no, seriously, I do) it's very hard to recommend 
> it as the first choice for a simple recursive resolver.

Setting up bind as a "simple recursive resolver" is simplicity itself.

acl goodclients {
    1.2.3.0/24;
    4.5.6.0/24;
    127.0.0.1;
    etc
};

options {
    ..

    recursion yes;
    allow-query { goodclients; };

    etc...
};

-- 
Lindsay Haisley   | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190  |
http://www.fmp.com| -- Hiram W Johnson



Re: DNS Terminology

2016-09-23 Thread Lindsay Haisley
On Fri, 2016-09-23 at 21:25 +0200, Axb wrote:
> On 09/23/2016 09:11 PM, RW wrote:
> > 
> > Whatever the right and wrongs of this I think the term recursive is
> > best avoided in this list. "Non-forwarding" is a lot clearer IMO.
> Can we agree to:
> "servers running SA should use a local non forwarding resolver".
> 
> That should rule out dnsmasq.

Huh? So what's the problem with "recursion"? That's the name of the
boolean configuration option in bind9. It's about as descriptive and
clear a word as it can be.

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { goodclients; };
    etc
};
-- 
Lindsay Haisley   | "Never expect the people who caused a problem
FMP Computer Services |  to solve it." - Albert Einstein
512-259-1190  |
http://www.fmp.com|




Style Gibberish spammers are one step ahead of me !!!!

2016-09-17 Thread Lindsay Haisley
No sooner did I complete a small python filter to divert untrapped
style gibberish spams than I started getting these without the 

Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Lindsay Haisley
On Thu, 2016-09-08 at 13:44 +, Chip M. wrote:
> On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
> > 
> > i get a diff-output per mail each time the mailserver configs
> > are changing
> That's a completely valid approach, and I am a big fan of
> pre-emptive first strike (only as applied to potentially evil
> email).
> 
> However, the vast majority of those TLDs will never
> "go rogue", so I prefer to block on actual abuse
> (Jason's approach), or likelihood of abuse, specifically, very
> low cost.  Jason appears to have much higher volume than I do,
> so he'd be a good source of data for me and others.

The issue is much more nuanced. There are registrars who offer what's
called "domain name tasting", on newly created TLDs. Under this policy,
a name may be registered and put into service _before_ payment is made
for the registration. At one time Network Solutions had this policy
even for the common TLDs, .com, .org, etc. Spammers pay nothing for the
use of such a name, and discard it for a new one before payment for the
name is required.

One of the choke-points for commercial spammers is the provision of an
authoritative name server for their domain names, and I've found it
very effective to do a recursive sequence of server look-ups on the DN
in the helo or ehelo addresses until a name server is found with a DN
for which the authoritative name server has the same DN. This boils
down to a list of less than 10 domain names. I apply a rather strict
form of rate limiting to messages originating from the same /24 IP
address group if the helo DN gets resolved to a name on this list. This
has so far been 100% effective with no evidence of false positives.

This may be out of the realm of SA. I apply this test using a python
program written to work with Gordon Messmer's courier-pythonfilter for
Courier-MTA.

-- 
Lindsay Haisley   | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190  |  -- Pogo
http://www.fmp.com|
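The check described above (walk from the HELO domain to the domain of its authoritative name server, then to that domain's name server, and so on until the name server lives in the domain it serves; then rate-limit by /24 when that terminal domain is on a short watch list) is shown here as an added Python example for this page. It is not the poster's courier-pythonfilter program. Live DNS is replaced by a constructed NS table passed in as a lookup function, the watch list is a constructed placeholder, and "registered domain" is simplified to the last two labels (a real deployment would consult the Public Suffix List).

```python
import ipaddress
from collections import defaultdict, deque

# Constructed stand-in for live NS lookups: domain -> authoritative NS hosts.
NS_TABLE = {
    "spammy-helo.example": ["ns1.bulkhost.example"],
    "bulkhost.example": ["ns.bulkhost.example"],           # self-hosted: chain ends here
    "shop.example": ["dns1.registrar-dns.example"],
    "registrar-dns.example": ["a.registrar-dns.example"],  # self-hosted but not watched
    "loop-a.example": ["ns.loop-b.example"],
    "loop-b.example": ["ns.loop-a.example"],               # two providers pointing at each other
}
WATCHLIST = {"bulkhost.example"}  # constructed placeholder for the poster's <10-name list


def table_lookup(domain):
    return NS_TABLE.get(domain, [])


def registered_domain(host):
    """Simplification (assumption): the registered domain is the last two labels."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def terminal_ns_domain(helo_name, ns_lookup=table_lookup, max_hops=10):
    """Follow HELO domain -> NS host's domain -> its NS host's domain ... until a
    domain is reached whose authoritative NS host is inside that same domain.
    Returns that domain, or None when the chain dead-ends or loops."""
    seen = set()
    domain = registered_domain(helo_name)
    for _ in range(max_hops):
        if domain in seen:
            return None
        seen.add(domain)
        ns_hosts = ns_lookup(domain)
        if not ns_hosts:
            return None
        ns_domain = registered_domain(ns_hosts[0])
        if ns_domain == domain:
            return domain
        domain = ns_domain
    return None


class Per24Limiter:
    """Sliding-window counter keyed by IPv4 /24."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)

    def hit(self, client_ip, now):
        """Record one message from client_ip at time now (seconds) and report
        whether its /24 has now exceeded the limit within the window."""
        net = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
        q = self.hits[net]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.limit


def should_throttle(helo_name, client_ip, now, limiter,
                    ns_lookup=table_lookup, watchlist=WATCHLIST):
    """True when the HELO name resolves (via the NS chain) to a watched
    name-server domain and the sender's /24 is over its rate budget.
    Unwatched senders never consume budget."""
    terminal = terminal_ns_domain(helo_name, ns_lookup)
    if terminal not in watchlist:
        return False
    return limiter.hit(client_ip, now)


if __name__ == "__main__":
    limiter = Per24Limiter(limit=2, window_seconds=60)
    for ip, t in (("203.0.113.5", 0), ("203.0.113.6", 5), ("203.0.113.7", 10)):
        print(ip, should_throttle("mx.spammy-helo.example", ip, t, limiter))
```

Only the first NS record is followed; a stricter variant would walk every NS host and require that all of them lead to the same terminal domain before counting a message against the /24.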




Stuff slipping through STYLE_GIBBERISH filter!

2016-09-07 Thread Lindsay Haisley
I'm getting a _lot_ of spam slipping through the STYLE_GIBBERISH
filter, probably more than is getting caught (although some of it _is_
getting caught). An example body is



http://82.145.55.127//ql.html?r=ref_02*mbsEcorbeag1039osdfrj=oth.sh4a.j6ujae.44yoh.c0497__0sv4Yb82/ln;>http://82.145.55.127//4001/pm14379ecoverage.jpg;>
http://82.145.55.127//ql.html?o=ref_02*mbsEcorbeag1039osdfrj=oth.sh4a.j6ujae.44yoh.c0497__0sv4Yb82/ln;>http://82.145.55.127//4001/pm14379ecoverage_uns.jpg;>
http://82.145.55.127//ql.html?u=ref_02*mbsEcorbeag1039osdfrj=oth.sh4a.j6ujae.44yoh.c0497__0sv4Yb82/ln;>http://82.145.55.127//cn55-1.png;>
http://82.145.55.127//ql.html?i=ref_02*mbsEcorbeag1039osdfrj=oth.sh4a.j6ujae.44yoh.c0497__0sv4Yb82/ln"width=1/>;
 






Re: netlawyers: why is this patentable?

2009-02-20 Thread Lindsay Haisley
On Fri, 2009-02-20 at 16:54 -0500, Chris Hoogendyk wrote:
 Perhaps just because someone has the Chutzpah to try to patent it and 
 the patent office hasn't a clue. Technology of all sorts has moved too 
 quickly for the patent office and/or the patent laws to keep up. Another 
 example is a U.S. company that uses recombinant DNA to put an unusual 
 color in a bean. Then they patent it and sue a Mexican company and block 
 imports of a bean that the Mexicans have been growing for generations. 
 That's just nucking futs.

Sounds like Monsanto at work.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Is anyone minding the store ????

2009-02-18 Thread Lindsay Haisley
I've been getting bounce messages _to me_ from an address on the list,
in response to my posts, and apparently in violation of RFC 2822.

So I sent an email to users-ow...@spamassassin.apache.org and _that_
bounced.  It seems that the registered owner of the list,
msquad...@gmx.net, is also an unknown user.

I would expect that a list devoted to making the Internet mail system
run to everyone's benefit rather than to everyone's detriment would be
operated in a more professional manner!

Is anyone minding the store 

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau




Re: Is anyone minding the store ????

2009-02-18 Thread Lindsay Haisley
On Wed, 2009-02-18 at 14:14 +0100, Matus UHLAR - fantomas wrote:
  I would expect that a list devoted to making the Internet mail system
  run to everyone's benefit rather than to everyone's detriment would be
  operated in a more professional manner!
  
  Is anyone minding the store 

Michael, it's American slang for "isn't there someone here responsible
for keeping things in order?".  Sorry if it didn't communicate.  It's
understandable to have lusers on a list (I admin several so I do know)
and even understandable, although regrettable, that there are MTAs and
MTA admins out there who don't understand RFCs 822 and 2822, what got
under my skin was writing to the list owner of this list and having
_that_ bounce.  Oh well

 I was receiving similar messages until I blocked their source (and sent
 postmaster a nice mail). They were related to SPF. I'm rejecting much mail
 at smtp level so I can't confirm if there were such attempts unless you'll
 tell me who's sending it...  

The problem address on the list is j...@redux.org.uk.  The From header
on the bounces is mailer-dae...@linda.intranet which is obviously bogus,
likewise violating RFCs.  The envelope sender on the bounces is ,
which is correct.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: KnujOn - Registrars

2009-02-17 Thread Lindsay Haisley
On Tue, 2009-02-17 at 17:44 +0100, Karsten Bräckelmann wrote:
   The recent list as of Feb 2009 is the first one.  (Just in case someone
   else understands your post like I did, and has a look at the wrong list
   quoted.)
 
  The 83% is a current number with data collected AFTER June 2008.
 
 True. So what?  The list Michael posted (which I snipped) shows the old
 data collected BEFORE June 2008.
 
 The link referenced does have the recent stats. The OP does not.

I have very mixed reaction to having name registrars enforce
anti-spamming regs and laws.  This is kind of like sanctioning a gun
shop because someone bought a gun there and used it in a robbery.
GoDaddy caught a _lot_ of flack recently for shutting down domain names
based on website content, and rightly so, IMHO.  This is a very slippery
slope.  Sanction the operators of the designated name servers, maybe, or
the systems which host the accounts which do the spam distribution, but
coming down on registrars seems rather big-brotherish.  Once a name is
registered, it's on the root name servers and all the registrar does is
maintain it in their whois database, although they do have the authority
to disable a name for which they're the registrar of record.

I'm as offended by spam to me and my customers as anyone, but I'm also a
big proponent of open source and net neutrality, and like to see
pressure applied where the actual functional responsibility for a
mis-deed lies.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: KnujOn - Registrars

2009-02-17 Thread Lindsay Haisley
Well, perhaps so Joanne.  Registrars are bound by the rules laid out by
ICANN, and ICANN requires legitimate contact information in the whois
database, along with other procedures.  The problem with ICANN is that
it's pretty well fubar these days and does horrible stuff.  I wouldn't
be surprised if they'd take money from spammers.  I know they're in bed
with the major players in the domain name business at the expense of the
little folken.

I'm alarmed at some of the stuff GoDaddy did, completely on their own
without orders from ICANN.  See http://www.nodaddy.com.  I don't want
the domain name registration system turned into a nanny-state tool.  The
proper forum through which to lodge complaints against registrars is the
ICANN, and ICANN needs to be held accountable for a _lot_ of strange
stuff.  It's a zoo out there!

On Tue, 2009-02-17 at 20:25 -0800, jdow wrote:
 From: Lindsay Haisley fmo...@fmp.com
 Sent: Tuesday, 2009, February 17 09:47
 
 
  On Tue, 2009-02-17 at 17:44 +0100, Karsten Bräckelmann wrote:
The recent list as of Feb 2009 is the first one.  (Just in case 
someone
else understands your post like I did, and has a look at the wrong 
list
quoted.)
 
   The 83% is a current number with data collected AFTER June 2008.
 
  True. So what?  The list Michael posted (which I snipped) shows the old
  data collected BEFORE June 2008.
 
  The link referenced does have the recent stats. The OP does not.
 
  I have very mixed reaction to having name registrars enforce
  anti-spamming regs and laws.  This is kind of like sanctioning a gun
  shop because someone bought a gun there and used it in a robbery.
  GoDaddy caught a _lot_ of flack recently for shutting down domain names
  based on website content, and rightly so, IMHO.  This is a very slippery
  slope.  Sanction the operators of the designated name servers, maybe, or
  the systems which host the accounts which do the spam distribution, but
  coming down on registrars seems rather big-brotherish.  Once a name is
  registered, it's on the root name servers and all the registrar does is
  maintain it in their whois database, although they do have the authority
  to disable a name for which they're the registrar of record.
 
  I'm as offended by spam to me and my customers as anyone, but I'm also a
  big proponent of open source and net neutrality, and like to see
  pressure applied where the actual functional responsibility for a
  mis-deed lies.
 
 Lindsay, with due respect I think your opinion above is incomplete.
 It's correct as far as it goes.
 
 But once a fertilizer dealer learns that a customer is making bombs
 and setting them off in shopping malls I'd expect the dealer to cease
 selling to that customer or be indicted as a co-conspirator.
 
 I would expect the same behavior on the part of YouTube for illegal
 videos, Slashdot for illegal content (egregious copyright violation),
 and registrars for aiding identified spammers.
 
 I would expect all those who need to be in the supply path for a
 misdeed to work to remove themselves from that supply path upon proper
 notification. I would NOT expect them to be proactive in this regard.
 Reactive is fine and proper.
 
 {^_^}   Joanne 
-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: DNS MX Question [OT]

2009-02-15 Thread Lindsay Haisley
On Sat, 2009-02-14 at 22:18 -0800, Marc Perkel wrote:
  See http://en.wikipedia.org/wiki/Wildcard_DNS_record and in particular
  the quote from RFC 1912.
  

 
 Is that going to tell me what I need to know to do what I asked to do?

Possibly.  It may explain exactly why it didn't work when you tried it.
It'll take you less time to read the relatively short section than it
will to reply to this email :-)

-- 
Lindsay Haisley   |Fighting against human | PGP public key
FMP Computer Services |   creativity is like   |  available at
512-259-1190  |   trying to eradicate  |http://pubkeys.fmp.com
http://www.fmp.com|   dandelions  |
  | (Pamela Jones) |




Re: Two servers, one database. A question

2009-02-14 Thread Lindsay Haisley
On Sat, 2009-02-14 at 15:04 -0600, Bob Proulx wrote:
  I would bet on Bayes/userpref queries being more efficient than the
  spamc/spamd traffic.
 
 I like that you are asking the question.  But I hate to guess at which
 is better though.  The weakest benchmark data point is better than the
 strongest guess.  Too often I have taken my best guess and been wrong.
 In this case I would guess the opposite would be more efficient, that
 the one spamc-spamd connection per message would be more efficient
 than the many mysql queries per message, which is why I bring this up.

Well that's something to consider.  I had hoped when I subscribed to
this list to ask this question that I'd find people, possibly SA
developers on it, who had benchmarked the options I presented for
decision and could give me some definitive answers based on this, but it
appears that this isn't the case.  Instead I've found several people of
good will who don't seem to know a whole lot more about SA than I do,
but have given me some good points to think about.

Do you have any idea where I might inquire to get advice from people
with more precise knowledge?

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: DNS MX Question [OT]

2009-02-14 Thread Lindsay Haisley
On Sat, 2009-02-14 at 22:06 -0800, Marc Perkel wrote:
 
 Dave Funk wrote:
  Yes, it -is- that simple. ;)
  Not recommended for normal use but if you understand the risks involved,
  it does work that way.
 
 
 
 Thanks Dave, but I already tried that and it didn't work.

See http://en.wikipedia.org/wiki/Wildcard_DNS_record and in particular
the quote from RFC 1912.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: Last-5-percent tuning

2009-02-13 Thread Lindsay Haisley
On Fri, 2009-02-13 at 17:43 +, Martin Gregorie wrote:
 I've heard it said that IPV6 will put paid to privacy for
 whistle-blowers etc because, with that fully implemented, NAT will
 vanish and all IPs will be unique.

Mail servers, of necessity, _do_ use unique IPs, whether v4 or v6.  

  By implication they'd be unspoofable,
 though I'm not sure I believe that.

If you want to learn more about IPv6, I suggest IPv6 Essentials by
Silvia Hagen, pub. by O'Reilly & Assoc.

You can always spoof an IP address of any type.  The only email header
you can trust absolutely is the topmost Received header in an email.
This address can't be spoofed.  If it were, it would have been
technically impossible to send the email.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: Last-5-percent tuning

2009-02-13 Thread Lindsay Haisley
On Fri, 2009-02-13 at 12:43 -0600, McDonald, Dan wrote:
 On Fri, 2009-02-13 at 12:20 -0600, Lindsay Haisley wrote:
  On Fri, 2009-02-13 at 17:43 +, Martin Gregorie wrote:
   I've heard it said that IPV6 will...
  You can always spoof an IP address of any type.  The only email header
  you can trust absolutely is the topmost Received header in an email.
  This address can't be spoofed.  
 
 Never say never or always, since never will always get you in trouble...

Oooh, good point :-)  Pigs _may_ someday fly.

  If it were, it would have been
  technically impossible to send the email.
 
 It might be hard to spoof, but not impossible if you are able to
 intercept the data path somewhere along the way.  Otherwise, there would
 be no reason to block bogons...

You can block a bogon, but you can't carry on an IP dialog using it
because by definition a bogon is an IP packet claiming to be from an
un-allocated IP address.  If an SMTP request comes in to your server
with a bogus originating address then there's no way to carry on an SMTP
exchange with the client on the other end, and hence no email.  QED.
DoS packets frequently use bogus origination addresses but these aren't
intended to establish two-way communication.

Yes, you can intercept the path and re-originate the IP traffic, which
is what firewalls often do, but in this case the originating IP address
is indeed a true address, and if the traffic is malicious, then said
address is implicated, either through intent or technical compromise
(hacked!).

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau

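The point made in the two posts above (the topmost Received: header records the peer that really completed the TCP handshake; everything below it is data the sender put in the message) is easy to get wrong in code, so here is an added example of extracting it. This is not SpamAssassin's code. The message is constructed for illustration; the assumption is that our own MTA is mx.example.net and that it wrote the first Received: line, so only a header "by" one of our own hosts is taken as evidence. The lower two Received: lines are the sender's claims and are shown being ignored.

```python
"""Parse Received: headers and pull out the IP that actually connected.

Added example for this thread, not SpamAssassin's own code.  The message
below is constructed: the lower Received: lines were written by the
sender and can say anything; the topmost one was added by our own MTA
(assumed hostname mx.example.net) and records the real peer address.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample: mx.example.net stamped the first Received: header;
# everything below it arrived inside the message and is untrusted.
SAMPLE_MESSAGE = b"""Received: from mail.bogus.example (mail.bogus.example [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1C0
\tfor <user@example.net>; Fri, 13 Feb 2009 12:20:00 -0600
Received: from trusted.bank.example (trusted.bank.example [198.51.100.7])
\tby mail.bogus.example with ESMTP; Fri, 13 Feb 2009 12:19:00 -0600
Received: from [10.0.0.5] by trusted.bank.example; Fri, 13 Feb 2009 12:18:00 -0600
From: alerts@bank.example
To: user@example.net
Subject: test

body
"""

# First bracketed IPv4/IPv6 literal in a Received: header, e.g. "[203.0.113.45]".
_IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def received_ips(raw):
    """Return the IP literal from each Received: header, topmost first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _IP_LITERAL.search(str(hdr))
        ips.append(m.group(1) if m else None)
    return ips


def connecting_ip(raw, our_hosts):
    """Return the peer IP from the topmost Received: header, but only if that
    header says it was written 'by' one of our own hosts; otherwise None.
    Headers below the topmost one are the sender's claims, not evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = msg.get_all("Received", [])
    if not headers:
        return None
    top = str(headers[0])
    by = re.search(r"\bby\s+([A-Za-z0-9.-]+)", top)
    if not by or by.group(1).lower() not in {h.lower() for h in our_hosts}:
        return None
    m = _IP_LITERAL.search(top)
    return m.group(1) if m else None


def is_routable(ip):
    """False for private, loopback, link-local and other reserved space,
    i.e. addresses that could not have completed a handshake with a public MX."""
    return ipaddress.ip_address(ip).is_global


if __name__ == "__main__":
    print("all Received IPs, topmost first:", received_ips(SAMPLE_MESSAGE))
    print("connecting peer:", connecting_ip(SAMPLE_MESSAGE, ["mx.example.net"]))
    print("10.0.0.5 routable:", is_routable("10.0.0.5"))
```

The check on the "by" host is the part that matters: if the topmost header was not written by your own MTA (say the message came in via a forwarder), the first line is just another claim, and you have to walk down to the first header your own host wrote.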


Re: Two servers, one database. A question

2009-02-13 Thread Lindsay Haisley
On Fri, 2009-02-13 at 15:24 -0600, Lindsay Haisley wrote:
 Although I appreciate your advice, my question here is not _whether_ I
 should do the integration, but which of the two methods of integrating
 the databases will be most efficient of bandwidth and other resources.

After thinking about it, Kris, I do think you're right about the choice,
although not for the reasons you gave.  spamc must pass an entire copy
of each email over the Internet to spamd on the 2nd box.  If I keep the
SA configurations synchronized between boxes, then the only thing which
needs to be shared across the Internet is Bayes processing, plus several
per-user choices as represented in the userpref table.  This _seems_ on
the face of it more efficient than passing off the entire email traffic,
which would have to transit the Internet connection between the boxes
twice.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: Two servers, one database. A question

2009-02-13 Thread Lindsay Haisley
On Fri, 2009-02-13 at 15:21 -0500, Kris Deugau wrote:
 Lindsay Haisley wrote:
  I have two servers.  Currently they're both running instances of spamd
  with separate mysql databases, however I'd like run both instances from
  the same database on one of the servers. There are two ways to do this:
  
  1.  I can give the -d option to spamc where it's invoked in the mail
  system, with the target being spamd on the master spamassassin server
  via the VPN that connects the two boxes.  spamd is already configured to
  listen to it.
 
 Mm, I don't think this does what you're hoping.  spamd on any given 
 system will use the configured database (local or otherwise) - this is 
 **NOT** something the client can request.
 
  From man spamc:
 
 -d host[,host2], --dest=host[,host2]
 In TCP/IP mode, connect to spamd server on given host
 (default: localhost).  Several hosts can be specified
 if separated by commas.
 
 This only affects which spamd server the client asks to process the 
 message;  it doesn't affect any aspect of the actual processing.

I think you misunderstand me.  If spamc on machine A is invoked with -d
IP address of machine B then spamc will use whatever databases and
configurations are in effect for spamd on machine B.  This is what the
-d option is for.  The actual processing is done by spamd, whichever
instance (machine A or B) is addressed by the spamc client, so I do have
a choice here, and that's what I want to decide on.  spamc is basically
just a passive client which reads and writes emails and passes off the
job of spam processing to spamd, wherever it may be.

If spamc on machine B uses its local spamd instance (the same one
machine A is using) as a server, then the task I'm trying to do is
accomplished since both machines are ultimately using the same database.

  Does anyone with some experience with spamassassin know which of these
  two approaches would be better?  Which would be fastest?  Which would be
  most conservative of bandwidth between the boxes?
 
 A lot depends on the hardware you're using.  If you're trying to squeeze 
 some last bits of performance out of a heavily-loaded system by 
 eliminating the SQL duplication, you'll probably have to tune the spamd 
 instances differently as well (eg, the system running MySQL won't be 
 able to support as many spamd children as the other one).  You haven't 
 said what's in MySQL for SA;  IME anything more than a couple of hundred 
 users suck up too much IO for per-user Bayes and/or AWL (not to mention 
 the staggering disk requirements - even at today's disk prices).

The current load on what I've defined above as machine B is quite
manageable, and this is the box that's now handling over 90% of traffic
to probably a couple of hundred mailboxes on the system.  The MySQL
tables used by SA are at well less than a gig on a box that has close to
half a TB of drive space on it, and SA has been running there for over a
year.  The system load avg runs consistently under 1 except when
cron-initiated maintenance happens.

 The cluster I'm doing most of my SA tuning on these days currently has 3 
 machines running spamd, and a fourth running MySQL (and some other 
 unrelated services, otherwise it would run spamd as well).  Each machine 
 has the same SA config pointing to the same database on that fourth 
 machine - but clients don't see this, and can't affect it.
 
 If the machines are not on the same local Ethernet segment, you're 
 probably better off leaving well enough alone, because any gains you 
 make in eliminating the SQL duplication will be lost waiting for data to 
 move across the network.  Or worse.

My intention here is to optimize administration, both for migration and
for those parts of SA for which I've programmed customer UIs.
Considering the number of checks involved in email by the MTA, what with
top level RBL checking (done by the MTA) and hitting SA twice, I don't
think waiting for one more transaction will be problematic.

Although I appreciate your advice, my question here is not _whether_ I
should do the integration, but which of the two methods of integrating
the databases will be most efficient of bandwidth and other resources.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: Two servers, one database. A question

2009-02-13 Thread Lindsay Haisley
On Fri, 2009-02-13 at 14:27 -0800, John Hardin wrote:
 If I may try:
 
 The question is which is better, sending the message body (spamc - spamd 
 traffic) or database queries (spamd - mysql traffic) over the expensive 
 link?

Implicit point well made :-)  I think I agree with you.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: Two servers, one database. A question

2009-02-13 Thread Lindsay Haisley
On Fri, 2009-02-13 at 17:26 -0500, Kris Deugau wrote:
 *nod*  I don't know what kind of data size the Bayes SQL queries run, 
 but it probably averages out somewhere close to a order of magnitude 
 less than the full email.
 
 I think I misread your original email, and I'm still not sure I 
 understand exactly what your current configuration is, and what you're 
 trying to achieve though.

Currently I have two servers, A and B.  B is the older of the two and
currently hosts _most_ of the mail accounts.  They are functionally
identical boxes.

Currently _both_ are running spamd and _both_ have AWL/Bayes/userpref
database tables on MySQL which are accessed locally and identically by
the spamd instance on each box.

My objective is only to unify the database tables supporting Bayes and
user preferences so that there's only one set of MySQL tables for the
users on both boxes.  Whether this involves the use of two spamd daemons
or one is the question.

Scenario 1:  spamc on box A communicates _over the network_ with spamd
on box B, which uses its _local_ config and Bayes/usrpref database to do
its work.

Scenario 2:  spamc on box A communicates with a _local_ spamd, which
accesses local config files but uses a MySQL connection _over the
network_ to box A to access the Bayes/userpref database.

Sorry if I wasn't entirely clear before.  I hope this clarifies the
choice, which looks at this point as if I'd be better off with #2.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau

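To make concrete what "spamc is basically just a passive client which passes off the job to spamd" means for scenario 1, here is an added example (not spamc's or SpamAssassin's code) that frames a message the way spamc -d host -u user does and reads spamd's verdict back. The request and reply framing (a "CHECK SPAMC/1.x" request line, Content-length: and User: headers, a blank line, then the whole message; a "SPAMD/1.1 0 EX_OK" status line and a "Spam:" header in reply) follow spamd's PROTOCOL document as I recall it. The spamd on the other end is a constructed stand-in so the exchange runs offline; its verdict is hard-coded, not a scan. The byte count it records is the traffic that crosses the VPN per message in scenario 1.

```python
"""What spamc ships to spamd, and what comes back.

Added example for this thread, not spamc's own code.  Framing follows the
spamd PROTOCOL document as recalled; the fake spamd below is constructed
so the exchange runs offline, and its verdict is hard-coded.
"""
import re
import socket
import threading

PROTOCOL = "SPAMC/1.5"  # any 1.x version string is accepted by spamd


def build_request(message, user, command="CHECK"):
    """Frame one message for spamd.  The body is the entire message: in
    scenario 1 this is what crosses the link for every delivery."""
    head = (f"{command} {PROTOCOL}\r\n"
            f"Content-length: {len(message)}\r\n"
            f"User: {user}\r\n\r\n").encode()
    return head + message


_STATUS = re.compile(rb"^SPAMD/(\S+) (\d+) (\S+)\r\n")
_SPAM = re.compile(rb"^Spam: (True|False|Yes|No) ; (-?[\d.]+) / (-?[\d.]+)", re.M)


def parse_response(raw):
    """Return (is_spam, score, threshold) from a spamd reply, or raise."""
    m = _STATUS.match(raw)
    if not m or m.group(2) != b"0":
        raise ValueError("spamd error: %r" % raw[:80])
    s = _SPAM.search(raw)
    if not s:
        raise ValueError("no Spam: header in reply")
    return (s.group(1) in (b"True", b"Yes"), float(s.group(2)), float(s.group(3)))


def fake_spamd(verdict=b"Spam: True ; 8.1 / 5.0\r\n"):
    """Constructed stand-in for spamd: accept one connection, read one
    request, record how much arrived and for which user, reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:
                data += conn.recv(4096)
            head, body = data.split(b"\r\n\r\n", 1)
            want = int(re.search(rb"Content-length: (\d+)", head).group(1))
            while len(body) < want:
                body += conn.recv(4096)
            seen["bytes_on_wire"] = len(head) + 4 + len(body)
            seen["user"] = re.search(rb"User: (\S+)", head).group(1).decode()
            conn.sendall(b"SPAMD/1.1 0 EX_OK\r\n" + verdict + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def check(message, user, host, port):
    """Act as 'spamc -d host -u user': send the message, return the verdict."""
    with socket.create_connection((host, port)) as c:
        c.sendall(build_request(message, user))
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    return parse_response(reply)


# Constructed 50 KB message: headers plus a body of filler.
SAMPLE = (b"From: a@example.org\r\nTo: b@example.net\r\nSubject: hi\r\n\r\n"
          + b"x" * 50000)

if __name__ == "__main__":
    port, seen = fake_spamd()
    print(check(SAMPLE, "b@example.net", "127.0.0.1", port), seen)
```

Compare the bytes_on_wire figure with what scenario 2 moves: a handful of Bayes token lookups and one userpref query per message, each a few hundred bytes, which is the trade-off the thread converges on.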


Re: Two servers, one database. A question - a correction.

2009-02-13 Thread Lindsay Haisley
On Fri, 2009-02-13 at 16:51 -0600, Lindsay Haisley wrote:
 Scenario 2:  spamc on box A communicates with a _local_ spamd, which
 accesses local config files but uses a MySQL connection _over the
 network_ to box A to access the Bayes/userpref database.

Sorry, this should read:

Scenario 2:  spamc on box A communicates with a _local_ spamd, which
accesses local config files but uses a MySQL connection _over the
network_ to box B to access the Bayes/userpref database.
-

My bad.

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: Two servers, one database. A question

2009-02-13 Thread Lindsay Haisley
On Fri, 2009-02-13 at 18:11 -0500, Kris Deugau wrote:
 I would bet on Bayes/userpref queries being more efficient than the 
 spamc/spamd traffic.

I think we have a consensus here :-)  I didn't get any definitive
answers here but the folks who responded made me think about the problem
a little more intelligently.

Thanks!

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Two servers, one database. A question

2009-02-12 Thread Lindsay Haisley
I have two servers.  Currently they're both running instances of spamd
with separate mysql databases, however I'd like to run both instances from
the same database on one of the servers. There are two ways to do this:

1.  I can give the -d option to spamc where it's invoked in the mail
system, with the target being spamd on the master spamassassin server
via the VPN that connects the two boxes.  spamd is already configured to
listen to it.

2.  I can let spamc invoke spamd on the local system but set the various
dsn params in secrets.cf to point to the MySQL database on the master
spamassassin server.  The mysql server on this box is already listening
for queries from the other system via the VPN that connects them.

Does anyone with some experience with spamassassin know which of these
two approaches would be better?  Which would be fastest?  Which would be
most conservative of bandwidth between the boxes?

-- 
Lindsay Haisley   | Everything works|Accredited
FMP Computer Services |   if you let it |  by the
512-259-1190  |(The Roadie)  |   Austin Better
http://www.fmp.com|  |  Business Bureau



Re: USER_IN_WHITELIST ??

2007-07-16 Thread Lindsay Haisley
Matt, looks like you hit that target on this.  There are tons of
whitelist_from_rcvd directives in /etc/spamassassin/70_sare_whitelist.cf
including the problem addresses.  I'll need to figure out a way to
override these.  Does blacklist_from take precedence over whitelist_from
or whitelist_from_rcvd?

Thanks!

On Sun, 2007-07-15 at 20:26 -0400, Matt Kettler wrote:
 Lindsay Haisley wrote:
  I've recently discovered a couple of emails tagged by SA (v3.2.1-gr1)
  with USER_IN_WHITELIST and assigned score components of -100 accordingly
  according to 50_scores.cf on the basis of a call to
  eval:check_from_in_whitelist() in 60_whitelist.cf.

 What about whitelist_from_rcvd, or whitelist_from_spf?
 
 Do you have any whitelist commands at the site config level (ie:
 local.cf or add-on rulesets)?

-- 
Lindsay Haisley   | In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates| http://pubkeys.fmp.com
http://www.fmp.com|   |




USER_IN_WHITELIST ??

2007-07-15 Thread Lindsay Haisley
I've recently discovered a couple of emails tagged by SA (v3.2.1-gr1)
with USER_IN_WHITELIST and assigned score components of -100 accordingly
according to 50_scores.cf on the basis of a call to
eval:check_from_in_whitelist() in 60_whitelist.cf.

I would assume that this would only be possible if I had configured
'whitelist_from xxx' in my user prefs (which are stored in a MySQL
database), but I have no such settings, so I don't have a manual
whitelist as described at
http://wiki.apache.org/spamassassin/ManualWhitelist.

On the other hand, both errant addresses _were_ in my AWL database which
should assign a much smaller (possibly positive) spam score, and
shouldn't evoke a hit on USER_IN_WHITELIST.

Am I missing something here, or is this a SA bug?

-- 
Lindsay Haisley   | In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates| http://pubkeys.fmp.com
http://www.fmp.com|   |



Re: *****SPAM***** Re: DNS list service to detect the registrar barrier

2007-07-02 Thread Lindsay Haisley
Nope, you're not.  

Marc's first example line quoted by Mouss hit 4 different spam rules for
the same error, for a total of 9.3 points.  Odd that the original post
by Marc didn't get flagged.

The reference to perkel.com.rb . ought to flag 1 hit, not 4 for the
same line in the email!  If any one of these rules had not piled on,
BAYES_00 would have brought the score down to a non-spam level.

On Mon, 2007-07-02 at 22:06 +0200, arni wrote:
 am i the only one getting a pretty solid false positive on the previous 
 post?
 
 X-Spam-Report: 
   *  0.0 DKIM_POLICY_SIGNSOME Domain Keys Identified Mail: policy says 
 domain
   *   signs some mails
   *  2.5 SARE_SPOOF_COM2COM URI: a.com.b.com
   *  2.0 SPOOF_COM2OTH URI: URI contains .com in middle
   *  2.5 SARE_SPOOF_COM2OTH URI: a.com.b.c
   *  2.3 SPOOF_COM2COM URI: URI contains .com in middle and end
   * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
   *  [score: 0.]
-- 
Lindsay Haisley   | In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates| http://pubkeys.fmp.com
http://www.fmp.com|   |



Re: config clarification

2007-06-30 Thread Lindsay Haisley
On Sat, 2007-06-30 at 07:07 -0400, Tom Allison wrote:
 For configuration options listed in perldoc Mail::SpamAssassin can I  
 put the settings into local.cf?
 
 Mail::SpamAssassin::Conf says yes, but it doesn't say it applies to  
 args for Mail::SpamAssassin->new();

According to the perldoc 

   If none of rules_filename, site_rules_filename, user-
   prefs_filename, or config_text is set, the Mail::SpamAssassin
   module will search for the configuration files in the usual
   installed locations using the below variable definitions which can
   be passed in.

   PREFIX
   Used as the root for certain directory paths such as:

 '__prefix__/etc/mail/spamassassin'
 '__prefix__/etc/spamassassin'

   Defaults to /usr.

   DEF_RULES_DIR
   Location where the default rules are installed.  Defaults to
   /usr/share/spamassassin.

   LOCAL_RULES_DIR
   Location where the local site rules are installed.  Defaults to
   /etc/mail/spamassassin.

If your local.cf is in /etc/mail/spamassassin, then apparently the
answer is yes.   My understanding is that everything in that directory
gets read.

-- 
Lindsay Haisley   | In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates| http://pubkeys.fmp.com
http://www.fmp.com|   |




Re: Patch for rules_du_jour

2007-06-29 Thread Lindsay Haisley
On Fri, 2007-06-29 at 06:46 -0700, jdow wrote:
 You will have to wait for up to a day for the Prolexic block to go
 away.

I got blocked for checking out their anti-DDoS measures.  The block went
away in about 15 minutes.

-- 
Lindsay Haisley   |Fighting against human | PGP public key
FMP Computer Services |   creativity is like   |  available at
512-259-1190  |   trying to eradicate  |http://pubkeys.fmp.com
http://www.fmp.com|   dandelions  |
  | (Pamela Jones) |




Re: Rulesemporium

2007-06-29 Thread Lindsay Haisley
On Fri, 2007-06-29 at 16:36 +0100, Nigel Frankcom wrote:
 Is it worth adding mirrors for the rules? I'm more than happy to do so
 and can probably rope in a few others.
 
 I should imagine a fair few others on list would be prepared to act as
 mirrors too.

It's worth mentioning that, as someone pointed out to me yesterday,
there's a mirroring service for SARE rules at
http://saupdates.openprotect.com, along with instructions on
incorporating these into sa-update, thus avoiding problems with
rules_du_jour altogether.

-- 
Lindsay Haisley   |Fighting against human | PGP public key
FMP Computer Services |   creativity is like   |  available at
512-259-1190  |   trying to eradicate  |http://pubkeys.fmp.com
http://www.fmp.com|   dandelions  |
  | (Pamela Jones) |




Re: RulesDuJour lint failed. Updates rolled back.

2007-06-28 Thread Lindsay Haisley
This problem is probably due to the way Rules Emporium is handling
traffic.  If requests come too fast from the same address, or if their
server is busy, they send an HTML redirect page instructing the client
to try again in 0.1 second.  Curl and wget don't understand <meta
http-equiv=Refresh ...> and simply store the refresh page as the
output of the request.  rules_du_jour is just a shell script so a proper
fix should be pretty easy.  The following is a quick and dirty patch
which sort of solves the problem, at least for the next run of
rules_du_jour.

 cut here 
--- /root/rules_du_jour.orig2007-06-17 21:01:24.0 -0500
+++ /var/lib/spamassassin/rules_du_jour 2007-06-18 12:37:44.0 -0500
@@ -907,6 +907,8 @@
 [ ${SEND_THE_EMAIL} ]  echo -e ${MESSAGES} | sh -c ${MAILCMD} -s 
\RulesDuJour Run Summary on ${HOSTNAME}\ ${MAIL_ADDRESS};
 fi
 
+grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f 
+
 cd ${OLDDIR};
 
 exit;
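Review bot: the added `grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f` runs unconditionally at exit and unguarded: if ${TMPDIR} is unset or empty the glob expands to `/*`, and any matching filename containing whitespace is split by xargs into the wrong paths. Use `"${TMPDIR:?}"/*` (or test `-d "${TMPDIR}"` first) and pipe with `grep -ilZ ... | xargs -0 -r rm -f` so the script aborts rather than deleting outside its temp directory. As the cover note says, this only cleans up after the lint failure and rollback have already happened, so the run that fetched the bad file still fails. Also, the `&&` between `[ ${SEND_THE_EMAIL} ]` and `echo -e` in the context line appears to have been stripped in this copy; the hunk as shown would not apply cleanly.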
 cut here 

rules_du_jour will still fail, but this will clean up the mess and next
time (hopefully) it'll run properly.  A proper fix would sense when this
happens and retry the download after a suitable short wait.  It may also
be helpful to insert some sleep .5 instructions at appropriate points
(or sleep 1 if your implementation of sleep(1) doesn't understand
floating point numbers).


On Thu, 2007-06-28 at 11:22 +0100, Nigel Frankcom wrote:
 On Wed, 27 Jun 2007 16:42:39 -0400, Daryl C. W. O'Shea
 [EMAIL PROTECTED] wrote:
 
 Nigel Frankcom wrote:
  On Wed, 27 Jun 2007 08:48:02 -0400, David Boltz [EMAIL PROTECTED]
  wrote:
  
  I've been getting the lint failures found below on my Rules Du Jour
  updates for a few weeks now.  Yes this would be since the DDoS attacks
  on rulesemporium.  It looks like the same problem people have been
  having with the tripwire but for me it's the adult and since just
  recently the spoof rules. The solutions I've seen don't seem to work
  for me. I see that my cron job (run nightly) is pulling some HTML
  source instead of the rules.  I've tried removing the faulty
  70_sare_adult.* from etc/mail/spamassassin/RulesDuJour/ and manually
  replacing it with the 'actual' file using wget.  I've even manually
  updated the used /etc/mail/spamassassin/70_sare_adult.cf to ensure
  that it was correct.  When I use 'wget
  http://rulesemporium.com/rules/70_sare_adult.cf' to grab the file it
  works without problems. Does anyone have any ideas on how I might fix
  this problem?
 
  snip
  ***WARNING***: spamassassin --lint failed.
  Rolling configuration files back, not restarting SpamAssassin.
  Rollback command is:  mv -f /etc/mail/spamassassin/70_sare_adult.cf
  
  The quick cure is to delete anything in the
  /etc/mail/spamassassin/RulesDuJour/ directory and rerun RDJ by hand.
  
  That worked for me on CentOS 4.5
  
  The bug has been reported and a fix is due in 3.2.2 I believe.
 
 Huh?  What's SA have to do with RDJ triggering Prolexic's DoS protection?
 
 Daryl is right, there is no fix due in 3.2.2 - I got the RDJ and the
 sa-update errors confused. I guess maybe I should dye my hair blonde.
 
 Apologies for any confusion I've caused.
 
 Kind regards
 
 Nigel
-- 
Lindsay Haisley [EMAIL PROTECTED]
FMP Computer Services



Patch for rules_du_jour

2007-06-28 Thread Lindsay Haisley
Attached is a proposed patch for /var/lib/spamassassin/rules_du_jour
which addresses the problem of the refresh URL which Rules Emporium
sometimes sends out instead of a valid cf file.  Basically, this patch
greps the downloaded file for the string META HTTP-EQUIV, which should
never occur in a valid rules file, but is part of the refresh URL.  If
the downloaded file is a refresh URL, it's deleted, the script waits 1
second and tries again, up to 3 times.  If the download fails after 3
tries, the bad file is deleted and the script moves on.

You might try running rules_du_jour from a cron job with the -D option
and redirecting the output to a /tmp file and see if you get any notices
about Download of  FAILED after 3 tries, in which case I've
mis-diagnosed the problem somewhat.  In any event, the problem file
should be deleted rather than causing a --lint failure in spamassassin.

-- 
Lindsay Haisley   |Fighting against human | PGP public key
FMP Computer Services |   creativity is like   |  available at
512-259-1190  |   trying to eradicate  |http://pubkeys.fmp.com
http://www.fmp.com|   dandelions  |
  | (Pamela Jones) |


--- /root/rules_du_jour.orig2007-06-17 21:01:24.0 -0500
+++ /var/lib/spamassassin/rules_du_jour 2007-06-28 14:07:37.0 -0500
@@ -780,7 +780,30 @@
 [ ${DEBUG} ]  echo Retrieving file from ${CF_URL}...;

 # send wget output to a temp file for grepping
-   HttpGet ${CF_URL} ${TMPDIR}/${CF_BASENAME};
+   #
+   # This while loop is a fix for Rules Emporium honey-pot DDoS
+   # shield as of 6/28/07.  Send comments and bugs to Lindsay Haisley,
+   # [EMAIL PROTECTED]
+   GET_COUNT=1;
+   MAX_GET_COUNT=4;
+   while [ ${GET_COUNT} -lt ${MAX_GET_COUNT} ]; do
+   HttpGet ${CF_URL} ${TMPDIR}/${CF_BASENAME};
+   if ${GREP} -iq 'META HTTP-EQUIV' ${TMPDIR}/${CF_BASENAME} ; then
+   rm -f ${TMPDIR}/${CF_BASENAME};
+   sleep 1;
+   [ ${DEBUG} ]  echo Got refresh URL, pass 
${GET_COUNT}...;
+   GET_COUNT=`expr ${GET_COUNT} + 1`;
+   else
+   [ ${DEBUG} ]  echo Rules file OK, pass 
${GET_COUNT}...;
+   GET_COUNT=`expr ${MAX_GET_COUNT} + 1`;
+   fi
+   done
+   if ${GREP} -iq 'META HTTP-EQUIV' ${TMPDIR}/${CF_BASENAME} ; then
+   rm -f ${TMPDIR}/${CF_BASENAME};
+   GET_COUNT=`expr ${GET_COUNT} - 1`;
+   [ ${DEBUG} ]  echo Download of ${CF_BASENAME} FAILED after 
${GET_COUNT} tries.  Skipping ...;
+   fi
+
 
 # Append these errors to a variable to be mailed to the admin (later 
in script)
 [ ${FAILED} ]  RULES_THAT_404ED=${RULES_THAT_404ED}\n${CF_NAME} 
had an unknown error:\n${HTTP_ERROR};
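Review bot: the post-loop failure branch can never fire. Each failed pass already does `rm -f ${TMPDIR}/${CF_BASENAME}` before incrementing GET_COUNT, so when the loop exits after three refresh pages the file is gone, the second `${GREP} -iq 'META HTTP-EQUIV' ${TMPDIR}/${CF_BASENAME}` fails on a missing file (printing a "No such file" to stderr), and the "Download of ... FAILED after N tries" message is never emitted; the -D check the cover note asks people to run therefore cannot confirm or refute the diagnosis. Track the outcome in a variable instead, e.g. set `GOT_RULES=1` in the else branch and test `[ -z "${GOT_RULES}" ]` after the loop, and in that case set FAILED and append to RULES_THAT_404ED so the admin summary reports the skipped file rather than leaving it silently absent. Minor: `expr` arithmetic can be `$((GET_COUNT + 1))`, and the `&&` after `[ ${DEBUG} ]` appears stripped in this copy, as in the earlier hunk.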

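The retry logic described in the two posts above (detect the HTML "try again" page, delete it, wait, refetch, give up after a few attempts) is worth having in a form that reports failure explicitly. This added example is mine, not rules_du_jour's or SARE's code, and it runs against a constructed fetcher rather than rulesemporium.com. Beyond the grep for META HTTP-EQUIV it also rejects any body that does not look like a SpamAssassin .cf file at all, since an error page without a refresh tag would otherwise pass straight through to --lint, and it raises a definite error naming the URL after the last attempt instead of leaving a missing file behind. The sample rules file and the "busy" page are constructed.

```python
"""Fetch a rules file, reject the HTML "try again" page, retry with a delay.

Added example for this thread; not rules_du_jour code.  The fetcher is
injected so the example runs offline against constructed responses.
"""
import re
import time

# Case-insensitive <meta http-equiv="refresh" ...> anywhere in the body.
_REFRESH = re.compile(rb"<\s*meta\s[^>]*http-equiv\s*=\s*['\"]?refresh", re.I)
# A .cf line is a comment, blank, or 'directive args'; an HTML tag line is not.
_CF_LINE = re.compile(rb"^\s*(#.*|[A-Za-z_]\w*(\s+.*)?)?$")


def is_refresh_page(body):
    """True if the body is the busy-server refresh page rather than rules."""
    return bool(_REFRESH.search(body))


def looks_like_cf(body):
    """Cheap shape check on a downloaded rules file.  Not a substitute for
    spamassassin --lint, but enough to reject HTML before it reaches it."""
    if not body.strip():
        return False
    return all(_CF_LINE.match(line) for line in body.splitlines())


def fetch_rules(fetch, url, tries=3, delay=1.0, sleep=time.sleep):
    """Call fetch(url) up to `tries` times.  Returns (body, attempts) on
    success; raises RuntimeError naming the URL after the last failure.
    `fetch` and `sleep` are parameters so the function is testable offline."""
    last = None
    for attempt in range(1, tries + 1):
        body = fetch(url)
        if is_refresh_page(body):
            last = "got HTTP-EQUIV refresh page"
        elif not looks_like_cf(body):
            last = "body is not a rules file"
        else:
            return body, attempt
        if attempt < tries:
            sleep(delay)
    raise RuntimeError(f"download of {url} FAILED after {tries} tries: {last}")


# Constructed responses: the busy page, and a minimal rules file.
REFRESH_PAGE = (b"<html><head><META HTTP-EQUIV=\"Refresh\" CONTENT=\"0.1\">"
                b"</head><body>busy</body></html>")
RULES_FILE = (b"# constructed sample rules file\n"
              b"header   EX_TEST   Subject =~ /lottery/i\n"
              b"score    EX_TEST   1.0\n"
              b"describe EX_TEST   example rule\n")


def flaky_server(responses):
    """Return a fetch(url) callable that replays `responses` in order and
    serves the busy page once they run out."""
    queue = list(responses)

    def fetch(url):
        return queue.pop(0) if queue else REFRESH_PAGE
    return fetch


if __name__ == "__main__":
    fetch = flaky_server([REFRESH_PAGE, REFRESH_PAGE, RULES_FILE])
    body, n = fetch_rules(fetch, "http://rulesemporium.com/rules/70_sare_adult.cf")
    print(f"ok after {n} tries, {len(body)} bytes")
```

Running this with the real URL would mean passing a fetch callable built on urllib; the point here is only the validation and retry shape, and that the failure is surfaced to the caller rather than left for --lint to trip over.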

Re: No Bayes!!

2007-06-28 Thread Lindsay Haisley
So what's the best fix for this?  Should one just freeze SA at an
earlier version on a production server until this is fixed upstream?  Is
upstream aware of the problem and working on a fix for it?

On Thu, 2007-06-28 at 13:51 -0500, John Thompson wrote:
 Eray Aslan wrote:
  On 28.06.2007 08:14, Lindsay Haisley wrote:
  On Wed, 2007-06-27 at 22:24 -0500, Lindsay Haisley wrote:
  I just upgraded from SA 3.1.8-gr1 to SA 3.2.1-gr1 (Gentoo) and notice
  that I'm no longer getting any BAYES_NN test notices in my X-Spam-Status
  summary in my mail headers, or in the content analysis details in
  intercepted spam. 
 
  Well I backed out to SA version 3.1.8 and I'm getting activity from my
  Bayes filters again.  Maybe someone can give me some pointers on how to
  debug this problem so I can get back up to v3.2.1.
 
  Probably a gentoo bug.  I've run into the same problem.  Downgrading
  mysql from 5.0.42 to 5.0.40 solved the problem for me.  In other words,
  SA 3.2.1 and mysql 5.0.42 resulted in no BAYES scores.  SA 3.2.1 and
  mysql 5.0.40 works as expected.
 
 I'm not sure this is limited to gentoo. I'm missing BAYES_?? checks
 since updating to 3.2.1 from the FreeBSD ports collection.
 
-- 
Lindsay Haisley   |  We are all broken  | PGP public key
FMP Computer Services |   toasters, but we   |  available at
512-259-1190  | still manage to make |http://pubkeys.fmp.com
http://www.fmp.com|toast|
  |(Cheryl Dehut)|




Re: Patch for rules_du_jour

2007-06-28 Thread Lindsay Haisley
On Thu, 2007-06-28 at 15:39 -0400, Theo Van Dinter wrote:
 Why not just use sa-update and not deal with this?

sa-update and rules_du_jour deal with different rules repositories.  I
use both.

-- 
Lindsay Haisley   | In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates| http://pubkeys.fmp.com
http://www.fmp.com|   |



Re: No Bayes!!

2007-06-28 Thread Lindsay Haisley
On Thu, 2007-06-28 at 21:33 +0200, Mark Martinec wrote:
  So what's the best fix for this?  Should one just freeze SA at an
  earlier version on a production server until this is fixed upstream?
  Is upstream aware of the problem and working on a fix for it?
 
 Find out where the problem lies. When the component that needs fixing
 is known, then something can be done about it.

This is the cost of using F/OSS software, but the work will have to go
on hold until I have more time for it.  In the meantime, my question is
addressed specifically to John Thompson, Eray Aslan and anyone else who
may have had this problem and know more about it than I do.  If the SA
developers are aware of the problem and already working on it then my
own efforts might well be a waste of my time.  In the meantime I'm happy
to use an older version of SA which works just fine on my installation.

-- 
Lindsay Haisley   | In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates| http://pubkeys.fmp.com
http://www.fmp.com|   |



Re: Patch for rules_du_jour

2007-06-28 Thread Lindsay Haisley
On Thu, 2007-06-28 at 23:18 +0300, Jari Fredriksson wrote:
  sa-update and rules_du_jour deal with different rules repositories.
 I
  use both.
 
 sa-update can use both, if I'm not mistaken.  I distantly remember
 configuring it to do so.

http://saupdates.openprotect.com/ has instructions for this, I see.  I
may try this.

-- 
Lindsay Haisley   | In an open world,| PGP public key
FMP Computer Services |who needs Windows  |  available at
512-259-1190  |  or Gates| http://pubkeys.fmp.com
http://www.fmp.com|   |



Re: No Bayes!!

2007-06-28 Thread Lindsay Haisley
On Thu, 2007-06-28 at 15:43 -0400, Theo Van Dinter wrote:
> On Thu, Jun 28, 2007 at 02:27:36PM -0500, Lindsay Haisley wrote:
> > So what's the best fix for this?  Should one just freeze SA at an
> > earlier version on a production server until this is fixed upstream?  Is
> > upstream aware of the problem and working on a fix for it?
> 
> You need to debug your installation and figure out what the problem is.  Bayes
> works fine in 3.2.

Obviously, for some of us, it doesn't.  I can take the time to determine
the conditions that cause the failure, but I don't have a lot of time to
work on debugging this kind of thing if my installation works fine with
an earlier version of SA.  If the developers upstream are aware of the
problem and working on it, then any debugging I might do would very
likely be a waste of my time - hence my question.

> As for on a production server -- you do some testing
> before doing a major upgrade in production, right?  :)

SpamAssassin itself is only in beta as far as its use for my customers.
I'm not going to deploy it for everyone on my servers until problems
such as this are addressed.

> Start by running a message through spamassassin -D and see what is going on.

I'm not using spamassassin, I'm using spamd/spamc.  spamc takes a -u
option and gets passed the email address of a virtual mail user by the
MDA.  The 'spamassassin' executable takes no such option.  On top of
that, there's no documentation re. getting the 'spamassassin' executable
to read per-user Bayes data and userprefs from a MySQL database (as
there is for spamd) and my understanding is that it probably won't.  I
could be wrong in this, and would be happy to be educated about it.

> Do you have config errors?  Not loading the Bayes plugin?  Bayes can't access
> the DB?  Not enough tokens to make Bayes usable?  Debug mode helps answer all
> of these questions, and more.

As I stated in my original post, there are plenty of stored Bayes tokens
to get reliable Bayes scores.  The _only_ change in the setup here was
upgrading the SpamAssassin version, and backversioning solved the
problem, which probably rules out a configuration problem.

Please re-read my original post and the follow-up posts by Eray Aslan
and John Thompson which indicate that this is probably a bug, not a
configuration issue.




Re: Patch for rules_du_jour

2007-06-28 Thread Lindsay Haisley
On Thu, 2007-06-28 at 15:46 -0400, Phil Barnett wrote:
> I'm going to try this, but with a 5 minute wait. I run it in the middle of
> the night anyway, who cares how long it takes.
> 
> Actually, the proper response might be a random wait.

The HTML that gets sent by SARE is:

<HTML><HEAD><META HTTP-EQUIV=Refresh CONTENT=0.1>
<META HTTP-EQUIV=Pragma CONTENT=no-cache>
<META HTTP-EQUIV=Expires CONTENT=-1>
</HEAD></HTML>

If this were downloaded to a browser, it would cause the browser to
refresh the page after .1 second and the page would not be cached.  A
five minute wait should certainly be more than adequate and might be
appropriate if the refresh page were sent in response to excessive
server load.  I suspect, though, that it may be a pacer of some sort
designed to deflect the kind of DDoS attack that brought down Rules
Emporium earlier this month.

I don't know what would be gained by a random wait.  

As a couple of people have pointed out to me, though, you can use
sa-update to retrieve the same rules data as per the instructions at
http://saupdates.openprotect.com .




Re: No Bayes!!

2007-06-28 Thread Lindsay Haisley
On Thu, 2007-06-28 at 16:32 -0500, Michael Parker wrote:
> I can't recall a bug open for anything like this.  Please visit
> http://issues.apache.org/SpamAssassin/ and file a complete bug report.
> Please describe the exact problem you are seeing as well as full debug
> output.  A random thread on the users list won't necessarily get
> developers' attention.

I'm currently doing what Eray Aslan suggested and backversioning MySQL
to 5.0.40 and upversioning to SA 3.2.1-r1 and I'll see if the problem
persists there.  That'll tell a lot.  I'll then upgrade MySQL again and
see if that makes any difference.

> The developers are not aware of such a problem, best bet is to make them
> aware.

I'll see what I can do.

> I myself have been using Bayes SQL longer than anyone and have had no
> problems recently upgrading from 3.1.8 to 3.2.  Also, the Bayes code has
> been very stable, with little to no changes over the last few releases,
> especially in the storage code, so it's likely a config or environment issue.
> 
> Without proper debugging it will be hard to tell what exactly is the cause.

Well my original post asked for some suggestions on how best to do this,
so specific suggestions will be welcome.




Re: No Bayes!! - found it!

2007-06-28 Thread Lindsay Haisley
Apparently SA 3.2.1 is more finicky than 3.1.8 about the user the daemon
runs as.  If no -u option is given to spamd when it starts, then its
child processes run as root, which works, but the bayes module won't
cooperate.  If a spamd child is running as root, the bayes filter uses
the user spec'd to spamc -u, but before it reports, spamd falls back
to running as a non-priv user (in my case 'nobody'), the bayes scanner
re-runs as user 'nobody' and it finds nothing.  If I start spamd with
-u nobody, the spamd children run as this user and the bayes filter
runs happily and reports a usable score based on the bayes tokens
recorded for the user spec'd to spamc.

So this _was_ a configuration error, but one that was the result of
tightened security between SA 3.1.8 and 3.2.1.

Thanks to everyone who responded on this!  Running spamd with -D and
looking at my log files produced the answer.




Re: RulesDuJour lint failed. Updates rolled back.

2007-06-28 Thread Lindsay Haisley
On Thu, 2007-06-28 at 17:31 -0500, Dallas Engelken wrote:
> This must be an issue that needs to be raised with Prolexic, as they are
> doing the DDoS protection for rulesemporium.com.
> 
> Can anyone reproduce this redirect outside of RDJ, and give me a dump of
> the full transaction including http headers?

Dallas,

By running a curl hit repeatedly on the RE server I reproduced the
problem.  The cmd sent was:

curl -w %{http_code} --compressed -D /tmp/curl_headers -O -R -s -S  
http://www.rulesemporium.com/rules/99_FVGT_Tripwire.cf

The headers sent back were as follows:

HTTP/1.0 200 OK
Connection: Close
Pragma: no-cache
cache-control: no-cache
Content-Type: text/html; charset=iso-8859-1

The page body returned was:

<HTML><HEAD><META HTTP-EQUIV=Refresh CONTENT=0.1>
<META HTTP-EQUIV=Pragma CONTENT=no-cache>
<META HTTP-EQUIV=Expires CONTENT=-1>
</HEAD></HTML>

A normal fetch of the actual .cf file returns these headers:

HTTP/1.1 200 OK
Age: 882   
Date: Thu, 28 Jun 2007 22:41:08 GMT
Connection: Keep-Alive
Via: NS-CACHE-7.0:   1
ETag: 389f7-dbae-eb58c6c0
Server: Apache/2.0.54 (Gentoo/Linux) DAV/2 SVN/1.2.0 PHP/4.3.11
Last-Modified: Thu, 02 Jun 2005 00:00:03 GMT
Accept-Ranges: bytes
Content-Length: 56238
Keep-Alive: timeout=15, max=99
Content-Type: text/plain; charset=ISO-8859-1

> I'd rather fix the actual problem and not patch around it.

Absolutely!!




Re: RulesDuJour lint failed. Updates rolled back.

2007-06-28 Thread Lindsay Haisley
On Thu, 2007-06-28 at 18:56 -0500, Lindsay Haisley wrote:
> By running a curl hit repeatedly on the RE server I reproduced the
> problem.

By running this test a couple of times I'm apparently now blocked by
RE :-P

Oh well.

Hope the info I sent was useful.




Bayes filters on SA 3.2.1-gr1 not active

2007-06-27 Thread Lindsay Haisley
I just upgraded from SA 3.1.8-gr1 to SA 3.2.1-gr1 (Gentoo) and notice
that I'm no longer getting any BAYES_NN test notices in my X-Spam-Status
summary in my mail headers, or in the content analysis details in
intercepted spam.  Under 3.1.8 I was getting Bayesian filter scores on
everything since I'm well over the minimum required count of both spam
and ham.  Is there something I need to do to turn this on?  I have all
Bayes stuff in MySQL, and seem to remember someone else posting with a
similar problem a while back with 3.2.0.

Where should I look for the answer to this?




No Bayes!!

2007-06-27 Thread Lindsay Haisley
On Wed, 2007-06-27 at 22:24 -0500, Lindsay Haisley wrote:
> I just upgraded from SA 3.1.8-gr1 to SA 3.2.1-gr1 (Gentoo) and notice
> that I'm no longer getting any BAYES_NN test notices in my X-Spam-Status
> summary in my mail headers, or in the content analysis details in
> intercepted spam.  Under 3.1.8 I was getting Bayesian filter scores on
> everything since I'm well over the minimum required count of both spam
> and ham.  Is there something I need to do to turn this on?  I have all
> Bayes stuff in MySQL, and seem to remember someone else posting with a
> similar problem a while back with 3.2.0.
> 
> Where should I look for the answer to this?

Well I backed out to SA version 3.1.8 and I'm getting activity from my
Bayes filters again.  Maybe someone can give me some pointers on how to
debug this problem so I can get back up to v3.2.1.




New patch for rules_du_jour re HTML redirect pages

2007-06-18 Thread Lindsay Haisley
It seems as if the problem HTML redirect page is hiding somewhere when
rules_du_jour gets to its SA lint check, and it doesn't show up until
the rollback is done, so the patch I sent earlier isn't effective.  I'll
need to read the code more thoroughly and don't have time now, so here's
a quicker-n-dirtier patch which will zap the problem file after SA
--lint has failed so it'll run properly next time.

 cut here 
--- /root/rules_du_jour.orig2007-06-17 21:01:24.0 -0500
+++ /var/lib/spamassassin/rules_du_jour 2007-06-18 12:37:44.0 -0500
@@ -907,6 +907,8 @@
 [ ${SEND_THE_EMAIL} ]  echo -e ${MESSAGES} | sh -c ${MAILCMD} -s 
\RulesDuJour Run Summary on ${HOSTNAME}\ ${MAIL_ADDRESS};
 fi
 
+grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f 
+
 cd ${OLDDIR};
 
 exit;
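Review bot: the added `grep -il 'META HTTP-EQUIV' ${TMPDIR}/*|xargs -n1 rm -f` deletes every file under ${TMPDIR} that mentions that string anywhere, case-insensitively, so a genuine ruleset whose regexes test for meta-refresh tags would be removed along with the stub; narrow the match (for instance require it on the file's first line, or skip any file that also contains a `header`, `body` or `score` directive). The unquoted `${TMPDIR}/*` and the newline-delimited pipe into `xargs` also mishandle filenames containing whitespace; with GNU grep and xargs, `grep -ilZ 'META HTTP-EQUIV' "${TMPDIR}"/* | xargs -0 -r rm -f` is the robust form. Since the line sits after the summary mail has already gone out, the current run still reports the lint failure, as the message says; the cleanup only clears the way for the next one.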
 cut here 

rules_du_jour will still fail, but this will clean up the mess and next
time (hopefully) it'll run properly.  I'm plumb out of time to figure
this out today so I'll revisit it later and submit a better patch.




Re: Turning the Screws

2007-06-17 Thread Lindsay Haisley
On Sun, 2007-06-17 at 19:24 -0400, Michael B Allen wrote:
> Although rule_du_jour is still giving me HTML for SARE_OEM.

Delete /etc/mail/spamassassin/RulesDuJour/70_sare_oem*
(or /etc/spamassassin/RulesDuJour/70_sare_oem*) and run rules_du_jour
again.




Re: rules_du_jour script and HTML files

2007-06-17 Thread Lindsay Haisley
What's the deal with this?

It looks as if periodically RulesEmporium gets busy and sends a refresh
file instead of a real .cf file, probably with the intent of asking the
requesting client to try again.  curl can't deal intelligently with an
http-equiv refresh, so rather than trying again, it simply stores the
refresh file as the result and spamassassin --lint fails.  The errant
file retrieved looks like:

<HTML><HEAD><META HTTP-EQUIV=Refresh CONTENT=0.1>
<META HTTP-EQUIV=Pragma CONTENT=no-cache>
<META HTTP-EQUIV=Expires CONTENT=-1>
</HEAD></HTML>

This happens with relative frequency on 99_FVGT_Tripwire.cf but
apparently (see below) with other files too.

When this happens (perhaps after it's happened twice), two files are
produced in /etc/spamassassin/RulesDuJour; 99_FVGT_Tripwire.cf and
99_FVGT_Tripwire.cf.2.  Apparently the rules_du_jour script can't
recover from this and consistently fails on successive runs until the
bad files are manually deleted.

I haven't gone over the bash script in rules_du_jour in detail, but has
anyone looked at this problem in detail?  Is there a known fix?

This shouldn't really be hard.  A Quick-n-Nasty Unix-style solution
would be to run

grep -il 'META HTTP-EQUIV=Refresh' ${TMPDIR}/* |xargs -n1 rm

before running spamassassin --lint.

Here's a suggested patch:

*
--- tmp/rules_du_jour~  2007-06-17 21:01:24.0 -0500
+++ /var/lib/spamassassin/rules_du_jour 2007-06-17 21:01:24.0 -0500
@@ -864,7 +864,7 @@
 done
 
 
-
+grep -il 'META HTTP-EQUIV=Refresh' ${TMPDIR}/* |xargs -n1 rm
 
 
 
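Review bot: `grep -il 'META HTTP-EQUIV=Refresh' ${TMPDIR}/* |xargs -n1 rm` has no guard against an empty match list, so on GNU xargs every healthy run (no stub fetched) executes `rm` with no operands and prints "rm: missing operand"; add `-r` to xargs or `-f` to rm. The case-insensitive match also deletes any legitimate .cf whose regexes target meta-refresh tags, so it should at least be restricted to files containing no rule directives. And, as the message itself notes, placing the line after the download loop's `done` misses the stub on the current run; a check applied to each file right after it is fetched, before it is installed, would catch it in time.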
*

This won't pick up the problem file on the current run, but will clear
the way for it to be retrieved next time.

On Sun, 2007-06-17 at 19:43 -0500, Lindsay Haisley wrote:
> On Sun, 2007-06-17 at 19:24 -0400, Michael B Allen wrote:
> > Although rule_du_jour is still giving me HTML for SARE_OEM.
> 
> Delete /etc/mail/spamassassin/RulesDuJour/70_sare_oem*
> (or /etc/spamassassin/RulesDuJour/70_sare_oem*) and run rules_du_jour
> again.

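The pre-lint check described in the post above, as an added POSIX shell example that is not rules_du_jour's own code (the functions is_refresh_stub and fetch_ruleset and the RDJ_EXAMPLE_URL variable are this example's own names): it recognises the SARE refresh stub only when a file carries the Refresh meta tag and no rule directive at all, so a real .cf that mentions the tag inside a regex is not deleted, and it retries the download instead of leaving the stub for spamassassin --lint to trip over.

```shell
#!/bin/sh
# Added example, not rules_du_jour's own code: validate a freshly fetched
# SARE ruleset before it is installed and linted.

# is_refresh_stub FILE
# Returns 0 when FILE looks like the placeholder page: it contains an
# HTTP-EQUIV=Refresh meta tag and not a single SpamAssassin directive.
# Requiring both keeps a genuine .cf whose regexes merely mention
# "META HTTP-EQUIV" from being mistaken for the stub.
is_refresh_stub() {
    stub_file=$1
    [ -s "$stub_file" ] || return 1
    # optional quote between '=' and Refresh, case-insensitive
    grep -qi 'HTTP-EQUIV=.\{0,1\}Refresh' "$stub_file" || return 1
    # any real ruleset starts at least one line with a rule directive
    if grep -Eq '^[[:space:]]*(header|body|rawbody|uri|full|meta|score|describe)[[:space:]]' "$stub_file"; then
        return 1
    fi
    return 0
}

# fetch_ruleset URL DEST [RETRIES] [DELAY_SECONDS]
# Downloads into DEST.part and moves it into place only when it is not the
# stub; otherwise waits and tries again.  curl -f alone cannot catch the
# stub, because the server hands it out with "200 OK" (see the captured
# headers earlier in the thread), hence the content check.
fetch_ruleset() {
    url=$1; dest=$2; retries=${3:-3}; delay=${4:-300}
    attempt=0
    while [ "$attempt" -lt "$retries" ]; do
        attempt=$((attempt + 1))
        if curl -sS -f -R -o "$dest.part" "$url" && ! is_refresh_stub "$dest.part"; then
            mv -f "$dest.part" "$dest"
            return 0
        fi
        rm -f "$dest.part"
        [ "$attempt" -lt "$retries" ] && sleep "$delay"
    done
    echo "fetch_ruleset: no usable ruleset from $url after $retries attempts" >&2
    return 1
}

# Optional stand-alone use: RDJ_EXAMPLE_URL=http://.../99_FVGT_Tripwire.cf sh thisfile
if [ -n "${RDJ_EXAMPLE_URL:-}" ]; then
    fetch_ruleset "$RDJ_EXAMPLE_URL" "${RDJ_EXAMPLE_DEST:-./ruleset.cf}" 3 300
fi
```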



Testing Bayes filters

2007-06-16 Thread Lindsay Haisley
I saw a number of posts on this list earlier indicating that Bayesian
filter learning and/or application of learned information wasn't working
properly if the Bayesian analysis data were stored in a MySQL database,
as is the case on my server at fmp.com.  I have a couple of questions.

What's the status of this bug, if it is one, or if it's a
misconfiguration issue, what should I know to avoid it?

Is there any simple method to test Bayesian filter learning and
filtering so that I can see the results in a spam score before and after
a spam is learned?

My SA installation here is on a commercial server, and is in beta until
I can determine whether or not it's working as expected.  My wife and I
are beta testers until I determine that everything is working properly,
at which point I'll turn it loose on my customers :-)




Re: Turning the Screws

2007-06-16 Thread Lindsay Haisley
On Sat, 2007-06-16 at 17:53 -0400, Michael B Allen wrote:
> When I run ./rules_du_jour I just get a mess of errors about trying
> to write to /etc/spamassassin which does not exist.

Make /etc/spamassassin a symlink to /etc/mail/spamassassin.  This is how
Gentoo Linux has it set up.

> Apparently CentOS
> uses /etc/mail/spamassassin/ and more so /usr/share/spamassassin/ for
> cf files. Is there any documentation for this script?

/var/lib/spamassassin/rules_du_jour has copious comments with usage
instructions and commented settable options in the script itself.  Take
a look at it with your favorite text editor.

-- 
Lindsay Haisley   |  We are all broken  | PGP public key
FMP Computer Services |   toasters, but we   |  available at
512-259-1190  | still manage to make |http://pubkeys.fmp.com
http://www.fmp.com|toast|
  |(Cheryl Dehut)|




Re: Turning the Screws

2007-06-16 Thread Lindsay Haisley
Rules Emporium has been having some issues with a DDoS attack and made
some configuration changes pursuant to overcoming this and probably
balancing their load.  Looks like they had a redirect and curl doesn't
understand an http-equiv=refresh or else the HTML was incorrect and
curl just barfed on it, which looks more likely from the error.

Go to /etc/spamassassin/RulesDuJour
(or /etc/mail/spamassassin/RulesDuJour) and delete all the
99_FVGT_Tripwire* files and re-run rules_du_jour.  All should be well.

I noticed the same problem here and this solved it.

On Sat, 2007-06-16 at 18:07 -0400, Michael B Allen wrote:
> But now I see the TRIPWIRE config is croaking on some HTML in the cf:
> 
> ***WARNING***: spamassassin --lint failed.
> Rolling configuration files back, not restarting SpamAssassin.
> Rollback command is:  mv
> -f /etc/mail/spamassassin/tripwire.cf
> /etc/mail/spamassassin/RulesDuJour/99_FVGT_Tripwire.cf.2; rm -f
> /etc/mail/spamassassin/tripwire.cf; mv -f
> /etc/mail/spamassassin/70_sare_evilnum0.cf
> /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.2; rm -f
> /etc/mail/spamassassin/70_sare_evilnum0.cf; mv -f
> /etc/mail/spamassassin/70_sare_random.cf
> /etc/mail/spamassassin/RulesDuJour/70_sare_random.cf.2; rm -f
> /etc/mail/spamassassin/70_sare_random.cf;
> 
> Lint output: [7529] warn: config: failed to parse line, skipping:
> <HTML><HEAD><META HTTP-EQUIV=Refresh CONTENT=0.1>
> [7529] warn: config: failed to parse line, skipping: <META
> HTTP-EQUIV=Pragma CONTENT=no-cache>
> [7529] warn: config: failed to parse line, skipping: <META
> HTTP-EQUIV=Expires CONTENT=-1>
> [7529] warn: config: failed to parse line, skipping: </HEAD></HTML>
> [7529] warn: lint: 4 issues detected, please rerun with debug enabled
> for more information
> 
> Removing it from TRUSTED_RULESETS resolved the problem but apparently
> something is not optimal.




Re: Turning the Screws

2007-06-16 Thread Lindsay Haisley
On Sat, 2007-06-16 at 15:49 -0700, SM wrote:
> Unfortunately, nobody reads that or else we would not be seeing one
> week of messages about SARE RBJ failures.

Oh well.

I guess you have to be an old-time UNIX geek to know to look in script
files for clues on how to use them.




Re: Testing Bayes filters

2007-06-16 Thread Lindsay Haisley
On Sun, 2007-06-17 at 01:41 +0200, Alex Woick wrote:
> My bayes and awl tables were created according to the manual, but I
> added a timestamp column to the awl table and to the bayes_seen table to
> be able to expire them by date.

I've added these fields, with default=CURRENT_TIMESTAMP.

When do you expire these records?

> Additionally, I added a feature to learn from spam and nonspam imap
> folders, where I manually copy spam or ham that was not already auto-learnt.
> I didn't change anything with the default scores: 5 is still the spam
> threshold and 3.5 is still the bayes_99 score when used together with
> network tests.

I've put together a similar setup using Courier's maildrop filtering and
some python scripts, still under development.

> An interesting observation: The spam messages that contain half spam and
> half mumbo-jumbo of unrelated random text that should probably irritate
> bayes filters, score in fact almost always bayes_99. I can only imagine
> that the additional random text is not really random but taken from a
> fixed library that is not very big and not changed very often.

Interesting!




Re: missing tag

2007-06-14 Thread Lindsay Haisley
On Thu, 2007-06-14 at 17:09 -0700, Jerry Durand wrote:
> This came in with no tag or subject modification.  Any idea what's
> up?  Amavis log follows the message.

My guess is that you're using spamc and for some reason it couldn't
connect with spamd.  If this is the case, spamc will return the email
unmodified, as it should.  I've only been using SpamAssassin for a
couple of days and have seen one such instance already.





Selectively disabling RBL services in SpamAssassin

2007-06-11 Thread Lindsay Haisley
I'm setting up SpamAssassin 3.1.8 to run with the Courier MTA (0.55.1)
on a server running Gentoo Linux.  Courier provides a facility to reject
email in the SMTP dialog using queries to RBL lists based on the
connecting IP address, which prevents the MTA from ever having to deal
with such spams, or issue DSNs to forged addresses, etc.

Many of the same RBL services are configured into 20_dnsbl_tests.cf
in /usr/share/spamassassin.  There's no need for me to query these RBLs
twice and I'd like to selectively disable some of these tests
in /etc/spamassassin/local.cf, while leaving others enabled.  I can set
skip_rbl_checks to 1 to disable _all_ these tests, but I only want to
disable some of them, not all of them.  I can comment out the tests
in /usr/share/spamassassin/20_dnsbl_tests.cf, however this file gets
re-written when SpamAssassin gets upgraded, so I need to do this in one
of the files in /etc/spamassassin.

The Mail::SpamAssassin::Conf is silent on this issue.  Is there a way to
do this?
