Re: [SAtalk] Local rules page

2002-06-27 Thread Matt Kettler

Excellent page. Here's some of my own local rules if anyone on the list 
wants em. I think most of these are pretty decent for general consumption, 
but who knows, I could be wrong :)


In several cases (ie: PORN_LOCAL_5 and EMAIL_PURCHASED_LIST) the syntax of 
the regexp could be more efficient, but I'm not very good with regexp. 
Recommendations for improvement are welcome.


body PORN_LOCAL_1   /\bhardcore.{1,10}animal.{1,15}site/i
describe PORN_LOCAL_1   custom porn rule
score PORN_LOCAL_1   0.5

body PORN_LOCAL_2   /\brape sex/i
describe PORN_LOCAL_2   custom porn rule
score PORN_LOCAL_2   1.0

body PORN_LOCAL_3   /\b(?:absolutely|completely|100\%) uncensored/i
describe PORN_LOCAL_3   custom porn rule
score PORN_LOCAL_3   0.8

body PORN_LOCAL_4   /\buncensored.{1,15}(?:photos|pictures|videos|movies)/i
describe PORN_LOCAL_4   offers uncensored images or video
score PORN_LOCAL_4   1.0

body PORN_LOCAL_5   /\b(?:16|17|18|19|20|21).year.{0,5}old.{1,10}(?:chick|teen|slut|fuck|puss|whore|lolita)/i
describe PORN_LOCAL_5   custom porn rule young females
score PORN_LOCAL_5  1.0


body ADDRESS_WAS_OBTAINED   /\baddress was obtained/i
describe ADDRESS_WAS_OBTAINED   claims an address was obtained from something
score ADDRESS_WAS_OBTAINED   0.5


body EMAIL_PURCHASED_LIST   /\b(?:email|e-mail) .{0,30}purchased list/i
describe EMAIL_PURCHASED_LIST   describes a purchased email list
score EMAIL_PURCHASED_LIST   1.5

#I also noticed some copyrighted emails not hitting on the existing copyright rule

body COPYRIGHT_CLAIMED2 /\bcopyright.{0,30}200[0-9]/i
describe COPYRIGHT_CLAIMED2 Contains a claim of copyright in 200x
score COPYRIGHT_CLAIMED2   -1.5

body COPYRIGHT_CLAIMED3 /\b\©.{0,20}200[0-9]/i
describe COPYRIGHT_CLAIMED3 Contains a claim of copyright in 200x html version
score COPYRIGHT_CLAIMED3   -1.5


At 10:56 AM 6/28/2002 +1200, Simon Lyall wrote:

>I've put up a little page of various local rules people have posted
>recently:
>
>http://www.darkmere.gen.nz/2002/0628.html
>
>Please let me know if there are corrections, changes, updates.



---
This sf.net email is sponsored by:ThinkGeek
Bringing you mounds of caffeinated joy.
http://thinkgeek.com/sf
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
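
Added example (not part of the original post and not SpamAssassin's own code): a small Python check for hand-written local rules of the kind posted above. It parses body/describe/score lines, reports score lines that name no defined rule, and scores a constructed sample body. Assumptions: Python's re stands in for Perl regexps, only body rules are handled, the whole body is searched as one string, and unscored rules default to 1.0.

```python
import re

DEFAULT_SCORE = 1.0  # assumption: score applied when a rule has no score line

# Constructed local.cf text for this example. The rules are ones posted in
# this thread; the last score line deliberately names a rule that is not defined.
SAMPLE_CF = r"""
# site-wide local rules
body SPAMASSASSIN_MENTIONED  /\bSpamAssassin/i
describe SPAMASSASSIN_MENTIONED  mentions SpamAssassin in body
score SPAMASSASSIN_MENTIONED  -5.0

body EMAIL_PURCHASED_LIST  /\b(?:email|e-mail) .{0,30}purchased list/i
describe EMAIL_PURCHASED_LIST  describes a purchased email list
score EMAIL_PURCHASED_LIST  1.5

body ADDRESS_WAS_OBTAINED  /\baddress was obtained/i
describe ADDRESS_WAS_OBTAINED  claims an address was obtained from something
score ADDRESS_OBTAINED  0.5
"""

# Constructed message body used to exercise the rules.
SAMPLE_BODY = ("Your email address was obtained from a purchased list.\n"
               "This message was not filtered by SpamAssassin.\n")


def parse_local_cf(text):
    """Return (rules, scores, problems) for body/describe/score lines."""
    rules, scores, described, problems = {}, {}, set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        # A keyword fused to the rule name, or a score fused to the name,
        # ends up here because the line no longer has three clean fields.
        if len(parts) < 3 or parts[0] not in ("body", "describe", "score"):
            problems.append(
                f"line {lineno}: unrecognised or incomplete line: {line!r}")
            continue
        keyword, name, rest = parts
        if keyword == "body":
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest.strip())
            if not m:
                problems.append(
                    f"line {lineno}: {name}: pattern is not /regex/flags")
                continue
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            try:
                rules[name] = re.compile(m.group(1), flags)
            except re.error as exc:
                problems.append(f"line {lineno}: {name}: bad regex: {exc}")
        elif keyword == "describe":
            described.add(name)
        else:  # score
            try:
                scores[name] = float(rest)
            except ValueError:
                problems.append(
                    f"line {lineno}: {name}: score is not a number: {rest!r}")
    # Cross-checks: every score and describe line should name a defined rule.
    for name in sorted(set(scores) - set(rules)):
        problems.append(f"score given for undefined rule {name}")
    for name in sorted(set(rules) - set(scores)):
        problems.append(
            f"rule {name} has no score line, default {DEFAULT_SCORE} applies")
    for name in sorted(described - set(rules)):
        problems.append(f"describe given for undefined rule {name}")
    return rules, scores, problems


def score_body(text, rules, scores):
    """Return (total, hits); hits maps each matching rule to its score."""
    hits = {name: scores.get(name, DEFAULT_SCORE)
            for name, rx in rules.items() if rx.search(text)}
    return round(sum(hits.values()), 3), hits


if __name__ == "__main__":
    rules, scores, problems = parse_local_cf(SAMPLE_CF)
    for problem in problems:
        print("WARN", problem)
    total, hits = score_body(SAMPLE_BODY, rules, scores)
    print("total", total, hits)
```

In the sample, the misnamed score line means ADDRESS_WAS_OBTAINED is scored at the default instead of the intended 0.5, which is the kind of silent drift this check is meant to surface.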



Re: [SAtalk] Talk mailing list Was: [SAdev] Weird "^M" in my mail?

2002-07-12 Thread Matt Kettler

Actually, it is listed on the web page at SF and it is the first mailing 
list for SpamAssassin listed. Unfortunately the link to SAtalk is not laid 
out in the same format as the other lists, so a quick visual scan tends to 
cause people to "skip past" it as being "header garbage text". Look 
closely.. it's there.. Fooled me the first time too ;)


The line of interest at http://spamassassin.taint.org/lists.html reads:

There's a mailing list for discussion of SpamAssassin, how it can be used, 
how to get it working, and features it needs. Join up (link)  or read the 
archives (link).

One of these days, someone should really fix that page so links to all four 
mailing lists (saTalk, saAnnounce, saDev and saSightings) are in a 
uniform format and it's obvious there are 4 mailing lists, not 2.


>Cool, makes sense to me!  How do I subscribe?  It's not listed in the list of
>lists at SF.






[SAtalk] Body rules to help reduce flagging of off-list spam discussions as spam.

2002-07-13 Thread Matt Kettler

whitelist-to, more-spam-to and all-spam-to are great ways of preventing 
various mailing lists from not being tagged when sample spams are posted 
and discussed on them. However this doesn't really help much with off-list 
discussions that have spam content. So I made these three body text rules 
to try to bounce-down the scores of such emails. I think they're pretty 
good rules for general inclusion, particularly SPAMASSASSIN_MENTIONED (if a 
spammer is going to mention, and thus promote the use of SA, more power to em).

Now these rules won't help the really-high-scoring mails, but will help 
prevent the casual discussion of a handful of rules from going over the 
threshold. Prior to whitelisting the SA mailing lists, I was getting a 
pretty good number of mails scoring in the 5-10 range, and only a few that 
scored a lot higher, so I'm using 10 as a baseline for the scores I've put 
in. I figure some spammer somewhere might mention a project on sourceforge, 
so I put a little less faith in that rule.

Anyone see anything good/bad about these rules and how they're written? 
Anyone ever get a spam mail mentioning SA, bugtraq or sourceforge (I don't 
have any)?

body SPAMASSASSIN_MENTIONED  /\bSpamAssassin/i
describe SPAMASSASSIN_MENTIONED  mentions SpamAssassin in body
score SPAMASSASSIN_MENTIONED  -5.0

body BUGTRAQ_MENTIONED  /\bbugtraq/i
describe BUGTRAQ_MENTIONED  mentions Bugtraq in body
score BUGTRAQ_MENTIONED -5.0

body SOURCEFORGE_MENTIONED  /\bsourceforge/i
describe SOURCEFORGE_MENTIONED  mentions Sourceforge in body
score SOURCEFORGE_MENTIONED  -3.0






Re: [SAtalk] How to enable/disable message altering?

2002-07-15 Thread Matt Kettler

I don't think SpamAssassin will do what you want. Even the blacklisting 
feature only forces the email to have its subject modified. In fact, the 
primary purpose SpamAssassin serves in life is to modify emails. It's not 
designed to stop delivery of emails in general (although I believe it can 
be made to do that for super-high scores).

If you control the UNIX server in question, try editing your 
/etc/mail/access file to prevent the email from being spooled on your UNIX 
server in the first place.


At 09:28 PM 7/15/2002 -0700, you wrote:

>Hi, I'm new to UNIX and SpamAssassin, but I'm wondering how I can disable 
>the way it's altering my email messages. I only want to use its 
>blacklisting feature so that my PC won't have to spend half an hour 
>downloading mail from the UNIX server.
>
>
>
>Thanks.






Re: [SAdev] Repost from [SAtalk] Re: False Tagging

2002-07-16 Thread Matt Kettler

Moving this back to SA talk where it belongs.

I'd be very concerned that you might be running mails through SA multiple 
times and not just once, particularly with your comments about 
SUBJ_HAS_Q_MARK. I think it's being run through SA once, being marked as 
spam, defanged, then sometime later being run through SA a second time, and 
not scoring as high because the mime has been defanged. It would appear 
that the second SA run is clobbering the headers added by the first one.



At 10:30 AM 7/16/2002 -0700, Dale wrote:

>On this last example, the subject gets tagged with SUBJ_HAS_Q_MARK, but
>that is only added by SpamAssassin.  I don't think that should count in
>the hit tally.  As a work around, I have removed the ? from local.cf
>for now.  Would upgrading to 2.40CVS fix my problems or is there
>another fix available.
>
>Thanks, and have a nice day.
>
>-Dale
>
>



RE: [SAtalk] razor port

2002-07-16 Thread Matt Kettler

(forgiving the ugly blue text HTML garbage)

From a little bit of TCPdumping it would appear that the client connects 
to the outside servers on port 2702/tcp, with a random local port >1024 
(typical of most client connections).


At 04:08 PM 7/16/2002 -0400, you wrote:
>Oops, not what I am looking for
>Can anyone tell me what port(s) I need to allow in my firewall in order to 
>get Vipul's Razor to work?
>
>Thanks.
>
>
>v i n c e  p u z z e l l a
>s o f t w a r e  d e v e l o p e r
>http://bluecatnetworks.com
>-Original Message-
>From: Vince Puzzella
>Sent: Tuesday, July 16, 2002 3:31 PM
>To: [EMAIL PROTECTED]
>Subject: RE: [SAtalk] razor port
>
>Never mind.  Did a "man spamd" and it told me 783 by default.
>
>Thanks anyway.
>
>
>
>v i n c e  p u z z e l l a
>s o f t w a r e  d e v e l o p e r
>http://bluecatnetworks.com
>-Original Message-
>From: Vince Puzzella
>Sent: Tuesday, July 16, 2002 3:27 PM
>To: [EMAIL PROTECTED]
>Subject: [SAtalk] razor port
>
>Can anyone tell me what ports Vipul's Razor and DCC use by default?  I 
>have to configure my firewall accordingly.
>
>Thanks.
>
>v i n c e  p u z z e l l a
>s o f t w a r e  d e v e l o p e r
>http://bluecatnetworks.com






Re: [SAtalk] Where is the config file?

2002-07-16 Thread Matt Kettler

By default /etc/mail/spamassassin/local.cf is the place to go to make 
site-wide changes.

You could also edit the files in /usr/share/spamassassin, but that's 
probably not a good idea since they should be replaced when you upgrade.


At 02:06 PM 7/16/2002 -0700, Kevin Gagel wrote:
>Where exactly is the config file that spamassassin uses on a site wide
>configuration?
>
>I'm using root as the run as and spamd as a daemon. Spam is called via a 
>script.
>Spamd is loaded with the -x to prohibit user configs. What directory would the
>site config be in?
>--
>
>Kevin W. Gagel
>Network Administrator
>College of New Caledonia
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>(250)562-2131 loc. 448
>
>
>
>The College of New Caledonia
>Visit us at http://www.cnc.bc.ca
>
>
>



Re: [SAtalk] newbie question about rule base

2002-07-17 Thread Matt Kettler

The rules are static, and hand made. The "AI" part is done by the 
developers to evolve the scores applied to rules, and is done prior to release.

/usr/share/spamassassin is the default location for the standard ruleset. 
You can add your own custom rules in /etc/mail/spamassassin/local.cf for 
site-wide application, or in /.spamassassin/user_prefs 
for the user that SpamAssassin is run as.

You *can* edit the standard ruleset, but it is generally better to add your 
own rules, and score over-rides to one of the other locations since they 
will not be replaced when you upgrade your version of SA.

SA rules are in standard perl regexp format. If you have SA installed on 
your system man Mail::SpamAssassin::Conf. There's also a copy of this info at

http://spamassassin.taint.org/doc/Mail_SpamAssassin_Conf.html

In general your own rules are of the format

body TEST_NAME 
describe TEST_NAME 
score TEST_NAME 

instead of body you can also do header, rawbody and full to check the 
message in different places or different stages of decoding.


Here's a simple rule:

body SPAMASSASSIN_MENTIONED  /\bSpamAssassin/i
describe SPAMASSASSIN_MENTIONED  mentions SpamAssassin in body
score SPAMASSASSIN_MENTIONED  -5.0


This will search the decoded message body text and match any word-break (ie 
space, tab, newline, etc) followed by "spamassassin" in a case insensitive 
manner. Any message matching the rule gets 5 points knocked off its score. 
(I use this rule to help off-list discussions of SA from being tagged as spam)

At 04:14 PM 7/17/2002 +0800, Sophia wrote:
>I'm considering whether to incorporate spamassassin
>into our main mailgateway (which is running amavis as email virus
>scan. The good thing is the new amavis has this spamassassin
>inclusion option) or not. My main concern is how difficult it is
>to configure its so called "rule base" which i think identifies
>how probable the mail is spam or not.
>
>I've read thru roughly the README and FAQ of SA on its web site. It does
>not mention anything about how to define the rule base. Is it really that
>intelligent (AI involved :-) that one usually doesn't need to customize
>the rules at all , and its default rules have very good guess on detecting
>spam ?
>
>Pui (Hongkong)
>
>
>



Re: [SAtalk] Using user_prefs

2002-07-17 Thread Matt Kettler

You can make site_wide changes in /etc/mail/spamassassin/local.cf. I think 
this is probably what you really want, instead of trying to force the 
per-user files to all be the same.


At 03:22 PM 7/17/2002 +0200, Carlo Borelli wrote:
>I'm using spamd in daemon mode with vpopmail: daemon spamd -d -v -u
>vpopmail -F 0
>What's the exact syntax forcing to read one configuration and not in the
>vpopmail users own maildir ?
>I must raise score from 5 to 7 and I don't know how.
>
>TYA.
>
>
>



RE: [SAtalk] SMTPD_IN_RCVD test is unfair discrimination...?

2002-07-18 Thread Matt Kettler

Of 185 spams I have that were tagged correctly by SA, 10 have SMTPD32 
received headers, only one of which was an eval version. Looking at the 
headers, all of the SMTPD's were open-relays, and many operated on 
cable/dsl subnets. Perhaps it's popular for DSL/cable subscribers to pirate 
this app and run it misconfigured, but it doesn't seem to be all that common.

For comparison, a search of the headers for my current inbox of snort users 
matches 45 emails, from 8 different users, but that's a lot more email.

I'd say it's fair to say this rule isn't that good, but the cost of the app 
isn't really a consideration for whether or not spammers will use a tool, 
piracy is way too common.


At 03:55 PM 7/18/2002 -0400, Tom Grandgent wrote:
>That software costs $1000 minimum.  However, there is an evaluation
>version available.  I don't see why spammers would use the eval version
>of a full-fledged mail server instead of one of the great many free
>or cheap programs designed solely to do mass mailing, but I accept that
>it's within the realm of possibility.
>
>I would be interested in seeing the ratio of spams detected versus
>false-positives based on this test.  Is that what determines the
>"default score" for a test, by the way?  Or is it something else?
>
>
>Vince Puzzella ([EMAIL PROTECTED]) wrote:
> >
> > It's probably because a lot of small-time, DIY spammers use that
> > software to perform bulk mailing.
> >
> > -Original Message-
> > From: Tom Grandgent [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 18, 2002 3:30 PM
> > To: [EMAIL PROTECTED]
> > Subject: [SAtalk] SMTPD_IN_RCVD test is unfair discrimination...?
> >
> >
> > Hi,
> >
> > I run Ipswitch Mail Server, a popular mail server on Win32, and recently
> >
> > one of my users had a legitimate email he sent flagged as spam by
> > SpamAssassin running on the receiving server.  What caught my attention
> > was the line:
> >
> > SMTPD_IN_RCVD  (2.1 points)  Received via SMTPD32 server
> > (SMTPD32-n.n)
> >
> > (SMTPD32-n.n) is how IMail identifies itself.  So this test is saying
> > that
> > if the message is coming from an IMail server, it's probably spam.
> > Right?
> > To my knowledge, IMail is as secure against spammers as any other good
> > mail
> > server.  It's dirt simple to configure as a closed relay.  The
> > documentation strongly recommends doing this and explains the problems
> > with open relays in detail.
> >
> > I searched for more information on this test on the SpamAssassin web
> > site
> > and the list archives but couldn't find anything.  Can anyone explain
> > the
> > reasoning behind this test?
> >
> > Thanks,
> >
> > Tom
> >
> >



Re: [SAtalk] How to add rules?

2002-07-22 Thread Matt Kettler

In general the rules for SA are simple perl regexp format. You can also 
create functions and make them a rule, but I've not done that myself yet.

You can add  your rules to {HOME}/.spamassassin/user_prefs to add rules on 
a per-user basis (if your SA gets run as different users) or 
/etc/mail/spamassassin/local.cf for a site-wide set.

copy-pasting from a previous post I made about writing rules:

If you have SA installed on your system man Mail::SpamAssassin::Conf. 
There's also a copy of this info at

http://spamassassin.taint.org/doc/Mail_SpamAssassin_Conf.html

In general your own rules are of the format

body TEST_NAME 
describe TEST_NAME 
score TEST_NAME 

instead of body you can also do header, rawbody and full to check the 
message in different places or different stages of decoding.


Here's a simple rule:

body SPAMASSASSIN_MENTIONED  /\bSpamAssassin/i
describe SPAMASSASSIN_MENTIONED  mentions SpamAssassin in body
score SPAMASSASSIN_MENTIONED  -5.0


This will search the decoded message body text and match any word-break (ie 
space, tab, newline, etc) followed by "spamassassin" in a case insensitive 
manner. Any message matching the rule gets 5 points knocked off its score. 
(I use this rule to help off-list discussions of SA from being tagged as spam)

You can also go to /usr/share/spamassassin and look at the various stock 
rules for some ideas on formatting, syntax, etc. The stock ruleset is split 
up into body rules, header rules, and scores all in separate files, but 
local rules are generally all lumped together like above. I think the only 
significant advantage of having the scores in a separate file is if you're 
going to run the GA over a corpus on them, but that's a little more 
advanced than most mail admins want to get into (myself included).




At 12:58 PM 7/22/2002 -0500, Joel Epstein wrote:
>Hey all...
>
>How exactly do you create rules? I ask because I seem to be getting tons 
>of email containing  words like incest, etc
>
>Any thoughts?
>
>Thanks
>--
>=
>Joel Epstein
>Manager of Systems Integration
>Integrated Warehousing Solutions
>3075 Highland Parkway  Suite 715
>Downers Grove, Illinois 60515
>Phone:  630.932.4300
>Fax:630.932.7652
>Email:  [EMAIL PROTECTED]
>
>
>



Re: [SAtalk] Two rule suggestions

2002-07-22 Thread Matt Kettler

With a score as small as -0.036 the GA is giving more of a statement that 
this rule isn't much of an indicator of anything at all.

I'd agree with the original poster, almost anything coming out of the GA 
with a score between 0.05 and -0.05 is probably not worth running. 
Ultimately it is contributing less than 1% of the score needed to reach 
spam-tag levels (assuming the default of 5.0).

grepping 2 different 50_score.cf's out of CVS, SA has 416-632 rules. If a 
rule is contributing less than 1%, it would take ~1/6th of the total 
rulebase of similarly scored rules to create a spam-tag.  I think it's 
pretty obvious that such a low-scoring rule is statistically insignificant, 
particularly given the comparatively low number of total rules.

I believe if I created a rule matching the word "news", or other obviously 
poor indicator of spam, it too might get a similar GA score, which might be 
an interesting test to run :)

I think it would be great for SA to be able to "narrow in" scores within a 
threshold range to zero. Personally, I go through and hand-edit some of the 
near-zero entries to zero, since it's obvious to me that the rule in 
question is not worth 2-3 clock cycles (even if clock cycles are cheap, the 
rule in question has near zero value). I'd much rather add more rules which 
are good, strong indicators of spam/nonspam than have lots of rules which 
really don't correlate well.


At 07:28 AM 7/19/2002 +0200, Jesus Climent wrote:
>On Thu, Jul 18, 2002 at 05:57:11PM -0500, Shane Williams wrote:
> >
> > Also, if a single line of yelling scores -0.036, why not just round
> > it off to 0 and not have the test run at all?
>
>Because a single line of yelling seems to be a sign of a legitimate mail
>and thus is worth subtracting some points to the tag?
>
>And since the scores are obtained using a GA, that's why the -0.036.
>
>J






RE: [SAtalk] Microsoft developer newsletter tagged as spam

2002-07-23 Thread Matt Kettler

I'll apologize in advance for being a bit "strongly opinionated" but your 
viewpoint on this strikes me as wrongheaded.

There is clearly a strong obligation for the snort development efforts to 
reduce false positives. Heck, the whole reason snort uses a GA for score 
assignment in the first place is to tune the false positive rate by picking 
which strings commonly exist in non-spam mail while jacking up the scores 
of rules which match only in spam. To take the viewpoint that it is the 
obligation of the mailer to tune their mailing against SA completely 
negates the value of much of the design work that went into SpamAssassin. 
Heck, a lot of the effort in the rule design of SA is to *prevent* the 
tuning of a mailing (ie: to keep pr0n spammers from tuning their mailings 
to not hit).

I've not seen the content of that particular M$DN mailing, however AFAIK 
the development team for SA has defined "lists which you willfully 
subscribe to" as non-spam. So the fact that it is MSDN does make it 
non-spam. The MSDN lists are strictly opt-in, and being a MSDN subscriber 
does NOT require you to receive them.

The only rule which I think MSDN has an obligation to tune for is the 
MISSING_OUTLOOK_NAME one. The rest of the rules that email matched are 
pretty innocuous ones.

Let's face it, most of the rules they matched are a lot of weak indicators 
of spam, they just matched a lot of them.

CALL_FREE is not much of a sign of spam. Most large companies have 800 
numbers and mention them in even the most innocuous emails. Personally, 
I've got this rule manually 0'ed out.

FROM_NAME_NO_SPACES why did this rule ever come about? Most of my "personal 
friends only" accounts only use "Matt" as a name. It's only my more 
business/community oriented ones that I use "Matt Kettler". Sure, some 
spammers use one-word names, but my "spam" mailbox has by far more names 
that have 2 or more words in them than those that have no spaces. I guess 
that's why when this got GAed it got a very small negative score instead of 
a positive one. (june 6th cvs had 0.500 as a score, 2.31 and July 11 have 
-0.114)

FROM_HAS_MIXED_NUMS maybe, but lots of people create emails like this in 
crowded domains. Seems more like a hotmail/yahoo detection than much of a 
strong spam sign.

FREE_CAP
DO_IT_TODAY
SAVE_MONEY
SAVE_BUCKS - these might be good, but as of today's CVS, they hadn't been 
hit by the GA yet and all had a default score of 1.0 assigned. I bet the GA 
runs these down a bit once it starts getting some matching data in the 
corpus. 1.0 each seems a lot high to me, particularly in the case of 
FREE_CAP (strikes me as a 0.3 or 0.5ish thing) and DO_IT_TODAY (ie: mail 
from your boss telling you to get off your behind and do that project today).



OFFER
- yes, it's marketing, but it's requested marketing not garbage spam. It's 
probably acceptable to hit em with points for this anyway.

TO_BE_REMOVED_REPLY
MAILTO_WITH_SUBJ
UNSUB_PAGE - ok, lets face it, plain-jane unsubscribe footers aren't a 
strong indicator of spam. These scores go up and down wildly as different 
forms appear in the corpus as spam/nonspam. Every legitimate subscription 
mailing has em in one form or another, even this mailing list. I'd love to 
see a rule to catch mailto links that send remove mails to various 
"freemail" domains like hotmail/yahoo, with some caution to make sure you 
don't catch yahoo groups unsub addresses. It would certainly have a much 
lower "false positive" rate than these simple rules. TO_BE_REMOVED_REPLY is 
a great example of these going up and down a lot. v2.20 had a score -2.150 
and v2.31 had +3.985, and it did that without the rule changing at all, 
just the tide of what's in the corpus. MAILTO_WITH_SUBJ also did a -/+ 
flip. Such wild changes in GA score really indicate to me that these rules 
are pretty questionable and vary wildly in accuracy based on what direction 
the wind is blowing today.


LINES_OF_YELLING,LINES_OF_YELLING_3,LINES_OF_YELLING_2 - the worth of these 
is commonly disputed due to the large number of dense innocents who use all 
caps. Still probably ok to hit em with points for this.

SUPERLONG_LINE I'm guessing this was originally made to match spam, but the 
GA scores it more for the non-spam side. Seems like a strange rule when 
looking at the overall structure of HTML spam (long line likely), non HTML 
spam(long line unlikely), and personal mails from a variety of mailers 
(long line likely if mailer doesn't do wrapping, unlikely if it does).

DOUBLE_CAPSWORD - a good rule I think. Worth hitting em for some points

MISSING_OUTLOOK_NAME - ok, this one is foolish for MSDN to have matched on. 
MS clearly should not strip their X-Mailer headers when mailing their 
legitimate mailing lists.








At 12:18 PM 7/23/2002 -0500, SpamTalk wrote

Re: [SAtalk] the non spam sample gets 8.5 hits

2002-07-23 Thread Matt Kettler

In general I'd recommend not using 2.40 (or any CVS version) for any kind 
of "production" use. After all, it's still a devel/CVS version, so try the 
copy of 2.40 tomorrow and see if it still does it. For production use, go 
for 2.31, which is the latest actual release of SA.



At 02:09 PM 7/23/2002 -0400, John Covici wrote:
>I am using spamassassin 2.40 and I am getting 8.6 hits for the non
>spam sample -- should I change the threshold or what?
>
>Any assistance would be appreciated as I am new at this one.
>
>
>--
>  John Covici
>  [EMAIL PROTECTED]
>
>
>



Re: [SAtalk] Virus Scanner Licensing Question (Naive)

2002-07-25 Thread Matt Kettler

In my experience that varies a lot from company to company. Your best bet 
is to contact the vendor in question and ask them.

For example, these are some of the results of some investigations I made into 
that question a few months ago:

one vendor has a "small business" license which seems to cover this kind of 
usage without any user limits.

another had a number-of-sendmail-accounts based license. (ie: up to 100 
users type deal)

a third vendor, who we have a site-license for our desktops with, said that 
since we had a site license the sendmail server could be treated as an 
extra client license.

So they pretty much run the gamut as far as what kind of licensing they want.

At 12:48 PM 7/25/2002 -0700, Russ Gilman-Hunt wrote:

>Good afternoon!
>
>I haven't been too worried about virii, because about 99 percent of my users
>are on Macintoshes. However, it's on my list.
>
>My question is: When I go to install AmaVis or MailScanner, it'll ask for the
>virus package I've chosen (which I haven't chosen yet). Am I looking for a
>SITE license (because i'm scanning all the emails, and it's for a small
>business ( 10 < small < 75) or am I looking for a single license because it's
>on one server?
>
>-Russ, Hot Off the Press






Re: [SAtalk] Ignore System Messages - How?

2002-09-18 Thread Matt Kettler

Since those messages are generally sent from some dedicated account on a 
server, Whitelist_from is probably your best option.

whitelist_from  [EMAIL PROTECTED]

Another would be to add a body rule of your own that has a string highly 
unique to those messages and give it a negative score

body    SEC_REPORT  /Daily Security Violation Report for Server/
score   SEC_REPORT  -20.0


You can put either of these in /etc/mail/spamassassin/local.cf for 
site-wide effect or $HOME/.spamassassin/user_prefs to only affect the user 
that invokes spamassassin. (note: if your spamassassin is always run as 
root, then only the root user's user_prefs is ever used.)


At 03:38 PM 9/18/2002 -0500, vernon wrote:
>Some of my "Security Violations" and "Unusual System Events" are being
>tagged as SPAM by SpamAssassin. How do I get SA to ignore these messages?
>
>Thanks
>
>



Re: [SAtalk] Wrong (false positives) Razor entries?!

2002-09-19 Thread Matt Kettler

Yeah, that's the main reason why razor2 was designed with a submitter 
rating system. This way the people that wind up auto-submitting mailing 
lists and other non-spam get ignored. Razor1 has no built-in way of 
recognizing "this guy submits a lot of non-spam, ignore him". The best you 
can do is send a razor-revoke for the message.

Bugtraq is particularly prone to being razored, as some people still have 
razor auto-reporting based on spamassassin scores enabled.

Upgrade to SA 2.41 (use the scores and rules from the CVS head, they are 
much better than the stock ones IMO, due to some very diligent work by 
Justin Mason and the rest of the SAdevs) and use Razor2 with it.




At 08:57 AM 9/19/2002 +0200, Ralf G. R. Bergs wrote:
>Hi there,
>
>who on earth registers all these false positives in Razor?! Each day I get a
>couple of false positives over the Debian-User mailing list, messages that are
>CLEARLY NO SPAM:






Re: [SAtalk] How to integrate with razor?

2002-09-19 Thread Matt Kettler

You shouldn't need to do anything, other than restart spamd if you're using 
that.

Each time it starts Spamassassin checks for razor, and if you're using 2.40 
or greater, it checks for razor 2 as well.

If you've manually zeroed out the RAZOR_CHECK score in your scores, you'll 
have to put it back, of course.

At 10:21 AM 9/19/2002 +0200, Boniforti Flavio wrote:

>Hello!
>I installed SpamAssassin, but AFTER installing it I wanted to install
>Razor.
>I installed Razor, but now I'd like SpamAssassin to recognize it and use
>it, how do I do?






Re: [SAtalk] Help with razor checking...

2002-09-19 Thread Matt Kettler

Did you check to see if that file (/root/.razor/identity) exists? What are 
the permissions?

Did you register as root (or did you do it as a non-root user, in which 
case they have an identity but not the root user)?

At 12:18 PM 9/19/2002 +0200, Boniforti Flavio wrote:
>Hi there!
>I was wondering why this message appears, after having installed and
>registered my Razor...
>
>t/razor2This test should have been skipped:
>razor-register has not been run, or /root/.razor/identity is unreadable.






Re: [SAtalk] HUMOUR: annoying product

2002-09-23 Thread Matt Kettler

Of note, a thread over on microsoft.public.windowsxp.general implies she 
thinks it's downloaded onto her PC and is running there :)

You might want to advise her that SpamAssassin runs on mailservers, so 
she'll have to contact her mailserver admin.



From: Sue G ([EMAIL PROTECTED])
Subject: SpammAssassin
Newsgroups: microsoft.public.windowsxp.general
Date: 2002-09-21 17:14:02 PST

Some program named "SpammAssassin" has downloaded itself
(apparently) onto my PC.  Does anyone know how can I get
rid of it?


From: Marvin ([EMAIL PROTECTED])
Subject: Re: SpammAssassin
Newsgroups: microsoft.public.windowsxp.general
Date: 2002-09-21 18:08:06 PST
Ad Aware from here should do it http://www.lavasoftusa.com/



At 11:51 AM 9/23/2002 +0100, Matt Sergeant wrote:
>I just got this in my inbox at home. Thought you guys would all get a kick 
>out of it...
>
>Date: Sat, 21 Sep 2002 12:43:23 -0700
>From: Sue Guss <[EMAIL PROTECTED]>
>To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
>Subject: spamassassin
>
>How do I make this very annoying product go away???
>
>
>



[SAtalk] Very amusing spam headers...

2002-09-25 Thread Matt Kettler

I just got yet another worldreach spam. However a couple of the headers in 
the message are so wildly malformed it's quite funny...

Such as this one:

X-MAILER: Excite InboxJuno 4.0.11mail.comMicrosoft Internet Mail 
4.70.1155Microsoft Outlook 8.5, Build 4.71.2173.0Microsoft Outlook Express 
5.00.2615.200Microsoft Outlook Express 5.50.4522.1200Microsoft Outlook 
Express for Macintosh - 4.01 (295)Microsoft Outlook Express Macintosh 
Edition - 4.5 (0410)Mozilla 4.07 [en] (Win98; U)Mozilla 4.72 
[en]C-PBI-NC404  (Win98; U)Mozilla 4.75 [en] (Macintosh; U)Mozilla 4.75 
[en] (Win95; U)MSN Explorer 6.00.0010.0901QUALCOMM Windows Eudora Pro 
Version 4.2.2  USANET web-mailer (34WB1.4A.01)


Wow.. speaking of a mail client with the features of them all!






Re: [SAtalk] Why did 2.41 let this through?

2002-09-25 Thread Matt Kettler

1) 2.42 should help correct this kind of stuff, since it uses a from/ip 
combination, and should use it correctly. The behavior of the AWL in 2.41 
is somewhat broken (albeit I can't see why it screwed that up; your 
headers are a bit strange, see my comments on munging).

2) de-whitelist your own from address from the AWL using spamassassin -R in 
the interim.

I'm guessing that you wound up using spamassassin -W at one point or 
another to whitelist your own address, to keep mails from yourself to 
yourself from being tagged. Unfortunately this means that outside emails 
that forge you as the from also get a major benefit. The SMTP envelope from 
(not the .tw one contained in the message, the one in the envelope that you 
don't have posted) probably contained your own address, since the HELO was 
forged to pretend to be your own server. I'm guessing (albeit not certain) 
that the AWL acts on the envelope from not the one inside the message.


Personally, I'm not much of a fan of the AWL at all, but that's another matter.

Also your received headers look a lil weird.. did you manually munge them for 
privacy reasons? If not, where's your own MX's identity? 0!!??



At 08:43 PM 9/25/2002 -0400, Ollie Acheson wrote:
>Why did 2.41 let this through? Looks like AWL gave it a big credit,
>why? How do I correct this behavior?
>
>Ollie






Re: [SAtalk] Osirusoft - trustworthy?

2002-09-26 Thread Matt Kettler

As far as trustworthy goes, I trust osirusoft to pretty much list everyone 
that's questionable and all their neighbors. I don't trust it to be low 
collateral damage, hence I don't use them as a flat-out blocklist, and I 
generally assign them fewer SA points than the default.

In your case, don't email osirusoft.. you're not in the lists they directly 
maintain. (there are some lists they directly maintain, you're not on one)

Go to http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr=212.113.196.7

In specific, note:
If you're not listed as a 127.0.0.2 or 127.0.0.3 please don't bother the 
administrator of relays.osirusoft.com

You're listed 127.0.0.4, which is a composite of pretty much every 
blocklist out there, including high collateral damage ones.

The listing is actually by spews, a list osirusoft mirrors as a part of 
their composite, but does not directly maintain. Spews is fairly high 
collateral damage, but the spews record covering your netblock is:

http://spews.org/html/S1400.html

Sounds like your netblock has some very unwelcome neighbors, and an ISP 
(primekom.de) that is unwilling or unable to disconnect them. It would 
appear that at least one of the unsavory spammer's servers is still hosted 
via primekom.

mail.thebestpills.com.  86400   IN  A   213.139.79.81

A quick summary of primekom's position on the spammer:

 >From: "Gabrielides Georg" <[EMAIL PROTECTED]>
 >Date: Tue, 30 Apr 2002 18:20:06 +0200
 >Dear sirs,
 >
 >the problem is, that our customer is not acting against german or
 >european law, so it is difficult to close the domain, especially
 >it is not proof he is the origin of the spam.
 >
 >please tell the open-relays to close.
 >
 >
 >mfg
 >Georg Gabrielides


As far as I know, pretty much the only way out of SPEWS is to post to NANAE 
and survive the resulting public dismantling of your claims as to why you 
shouldn't be listed. In this case, you'll likely have to prove that 
Primekom is not a spam-friendly ISP, or that your netblock is not actually 
handled by Primekom. This is not going to be an easy task.

High collateral damage as it is, Spews takes the stand that if an ISP is 
knowingly hosting a spammer and is unwilling to disconnect them, the whole 
ISP is questionable. Of course, if the ISP really is willing to host 
spammers, more of them will quickly flock to their netblock. They are not 
likely to accept a "my ISP knowingly hosts spammers, but I'm not one" 
argument. Quite frankly, I'd question why I was doing business with Primekom.



At 12:31 PM 9/26/2002 +0100, Darren Coleman wrote:
>Hi,
>
>Having received several complaints from customers this morning I was shocked
>to discover that several of our mail servers are blacklisted on
>relays.osirusoft.com and spews.relays.osirusoft.com.  Further investigation
>showed that not only is our entire block of IPs (20 or so Class Cs) listed,
>but the ENTIRE 212.113.x.x Class B range as well.
>
>Has anyone had any experience of dealings with Osirusoft and can
>comment/suggest a course of action?  Their website doesn't seem to provide
>any specific contact information and - and this would be funny if it weren't
>tragic - attempting to email [EMAIL PROTECTED] in order to get our
>server automatically removed results in... yes, you've guessed it, a bounce
>message coming back because our server is listed.
>
>Daz






Re: [SAtalk] Combination of SA rules

2002-09-26 Thread Matt Kettler

Look into the meta rules of SpamAssassin 2.40 and higher. You should be 
able to do what you want with those.

For example:
meta CASHCASHCASH  (!__ISO_2022_JP_DELIM && __THREE_DOLLARS)

Allows SA to tag anything with $$$ in it, but skips anything matching a 
Japanese delimiter that commonly contains it.


At 02:10 PM 9/26/2002 +0100, Adrian Hill wrote:
>Good afternoon,
>
>Just looking through all the spamassassin tests, I was wondering if there is
>any way to combine rules, so that spamassassin could search the recipient
>address AND the body for a certain word combination... For example, if a
>certain domain (perhaps vegans.co.uk) doesn't want any e-mail to do with,
>say, 'spam sausages', could I set up a rule which looks for vegans.co.uk in
>the recipients' domain and 'spam sausages' in the message body, but leaves
>all other domains (including perhaps spamsausagelovers.org) with an
>opportunity to receive mails with 'spam sausages' in it?
>
>Apologies for the poorness of the example, if anyone has any ideas on a
>possible rule though, it'd be much appreciated.
>
>Many thanks,
>
>
>Adrian Hill






Re: [SAtalk] Another Mutated Nigerian email that hits zero body checks

2002-09-26 Thread Matt Kettler

It hits plenty of body rules in 2.41. Of course, some of the scores are a 
lil weird in 2.41, but 2.42 should fix some of that (I *think* the rule 
pruning and new GA results are going into 2.42)

But since it is positive-hit in 2.31, and positive hit in 2.41, I think 
it's a more-or-less moot point. This isn't a false-neg in either case, and 
I think the newer GA scores will do better for the body total points.

In any case, I'm generally not concerned with making sure each and every 
spam has a body-rule hit. Sure it's nice, but if it's tagged correctly 
anyway, I don't see it as being a big problem. Heck, well over half my spam 
gets tagged for just the headers anyway... INVALID_DATE or TZ_ABSURD are 
very common.

SPAM: Content analysis details:   (13.90 hits, 5.9 required)
SPAM: INVALID_DATE   (1.6 points)  Invalid Date: header (not RFC 2822)
SPAM: DEAR_SOMEBODY  (-1.0 points) BODY: Contains 'Dear Somebody'
SPAM: US_DOLLARS_2   (-0.5 points) BODY: Nigerian scam key phrase ($NNN.N m/USDNNN.N m/US$NN.N m)
SPAM: DEAR_SOMETHING (1.0 points)  BODY: Contains 'Dear (something)'
SPAM: SPAM_PHRASE_05_08  (0.7 points)  BODY: Spam phrases score is 05 to 08 (medium)
SPAM:[score: 7]
SPAM: RAZOR2_CHECK   (3.9 points)  Listed in Razor2, see http://razor.sf.net/
SPAM: DATE_IN_PAST_06_12 (1.5 points)  Date: is 6 to 12 hours before Received: date
SPAM: SUBJ_ALL_CAPS  (1.3 points)  Subject is all capitals
SPAM: RCVD_IN_OSIRUSOFT_COM (0.4 points)  RBL: Received via a relay in relays.osirusoft.com
SPAM:[RBL check: found 18.64.181.213.relays.osirusoft.com., type: 127.0.0.4]
SPAM: RCVD_IN_RFCI   (2.3 points)  RBL: Received via a relay in ipwhois.rfc-ignorant.org
SPAM:[RBL check: found 18.64.181.213.ipwhois.rfc-ignorant.org., type: 127.0.0.6]
SPAM: X_OSIRU_SPAM_SRC   (2.7 points)  RBL: DNSBL: sender is Confirmed Spam Source
SPAM:


At 10:41 AM 9/26/2002 -0700, Simon Matthews wrote:
>The attached email did not get any hits from body checks in SA 2.31.
>
>Anyone care to take a look at it?
>
>
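
Added example (not code from this thread or from SpamAssassin): a small Python helper that reads the "[RBL check: found ...]" lines of a report like the one above, recovers the relay address and DNSBL zone from the reversed-octet query name, and applies the return-code reading given in the earlier Osirusoft reply (127.0.0.2 and 127.0.0.3 are the entries relays.osirusoft.com itself wants to hear about; other codes come from lists it mirrors). The function names and advice strings are made up for this illustration.

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple


class RblHit(NamedTuple):
    ip: str    # relay address recovered from the query name
    zone: str  # DNSBL zone that answered
    code: str  # address returned by the list, shown as "type" in the report


# Constructed sample: the two RBL entries from the report quoted in the thread,
# hard-wrapped the way mail clients and archives often leave them.
SAMPLE_REPORT = """\
SPAM: RCVD_IN_OSIRUSOFT_COM (0.4 points)  RBL: Received via a relay in
relays.osirus
oft.com
SPAM:[RBL check: found
18.64.181.213.relays.osirusoft.com., type
: 127.0.0.4]
SPAM: RCVD_IN_RFCI   (2.3 points)  RBL: Received via a relay in
ipwhois.rfc-igno
rant.org
SPAM:[RBL check: found
18.64.181.213.ipwhois.rfc-ignorant.org.,
type: 127.0.0.6]
"""

_RBL_LINE = re.compile(
    r"\[RBL check: found\s*([A-Za-z0-9.-]+),\s*type\s*:\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3})\]"
)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client looks up: the octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def split_query_name(name: str) -> Tuple[str, str]:
    """Undo dnsbl_query_name(): return (ip, zone) for a query name."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 5:
        raise ValueError(f"not a DNSBL query name: {name!r}")
    # IPv4Address rejects octets above 255 or non-numeric labels.
    ip = ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    return str(ip), ".".join(labels[4:])


def parse_rbl_checks(report: str) -> List[RblHit]:
    """Find every RBL check entry, even when it is split across lines."""
    flat = report.replace("\r", "").replace("\n", "")
    hits = []
    for name, code in _RBL_LINE.findall(flat):
        ip, zone = split_query_name(name)
        hits.append(RblHit(ip, zone, code))
    return hits


def removal_advice(hit: RblHit) -> str:
    """Who to talk to about a listing, following the reading in the thread."""
    if hit.zone != "relays.osirusoft.com":
        return "ask the maintainers of " + hit.zone
    if hit.code in ("127.0.0.2", "127.0.0.3"):
        return "ask the relays.osirusoft.com administrator"
    return "find the upstream list with rbcheck.cgi and ask there"


if __name__ == "__main__":
    for hit in parse_rbl_checks(SAMPLE_REPORT):
        print(hit.ip, hit.zone, hit.code, "->", removal_advice(hit))
```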






Re: [SAtalk] Some spam values (GA scoring)

2002-09-27 Thread Matt Kettler

The scores are assigned by a genetic algorithm. Essentially two piles of 
email are created, one of spam, one of nonspam. A SpamAssassin mass-check 
is run to generate a set of one-line reports as to what rules each email in 
each pile matches. The GA then has the task of examining these rule-match 
sets and trying to assign scores that correctly categorize the most mail.

Often a rule which sounds like it should be a sign of spam gets a negative 
score. There are several causes of this. The score set for 2.40/2.41 seemed 
to be plagued with a lot of them. I know the devs have recently done a 
"pruning" of poor-performing rules and re-ran the GA with much better 
results. I think the new scores will be in 2.42.

As for cases that tend to cause unexpected negative scores, here's a few I 
can think of:

1) Something you thought only spammers did is done by lots of nonspammers 
too. This is probably the case in FROM_HAS_MIXED_NUMS. All those 
[EMAIL PROTECTED] email addresses that people use for their personal 
chatter aren't spam. Idi0ts maybe, but a lot of people have these as 
"disposable" addresses that aren't spammers.

2) Something you think at casual glance is a spam feature is also a feature 
of a few MUAs that spammers generally don't use. SUPERLONG_LINE is in 
this category I think. Some spams match it but also some obscure MUAs do 
this to all emails (ie: some MUAs tend to send emails as one single line 
per paragraph). Also most spam consists of lots of single-line messages 
("buy now!") without a lot of lengthy paragraphs, but conversational emails 
tend to have very long paragraphs in them.

3) A typo or bug in a rule makes it match some common non-spam expression, 
instead of the spam phrase. One such bug was an attempt to match "no 
credit" and some other common credit repair phrases which also matched 
"notice: your credit card will be billed when your order is shipped". It 
wasn't requiring a space or word-break after the "no" part :)

4) Sometimes a rule gets "weighed down on" to correct a common 
particularly high scoring false-positive case. If there's a common set of 
rules causing FP's, generally the one with the least spam matches will wind 
up being pushed negative to compensate.

5) Some spam, or reports of spam, slip into the nonspam pile during 
evaluation. Most of the time this is pretty low-impact, but if the rule 
doesn't have a lot of hits in general, a few mis-placed emails can wildly 
swing the score. (the mis-placed to correctly placed email ratio needs to 
be less than the degree to which the GA favors avoiding tagging nonspam, at 
the expense of missing a little spam)

6) Yes, there are some glitches in the GA itself, but those are getting better.


At 10:07 PM 9/26/2002 -0600, Danita Zanre wrote:
>I'm admittedly new to this stuff, so please bear with me.  I just got a 
>message with the following explanations:
>
>Trying to understand the "negative" values here - why would a line longer 
>than 199 characters "decrease" the score?  Also, why would the "From" 
>lines having mixed numbers/no real name decrease the value?
>
>I realize I can change these values for myself if I choose, but I guess 
>before I start messing with the values I'd like to understand the logic 
>behind these settings.
>
>Thanks.
>
>Danita
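
Added example (not SpamAssassin code and not from the original post): point 3 above, a rule that hits ham because nothing forces a word break after "no", checked with a small Python script that parses local.cf-style body rules and counts hits on ham and spam. The rule names, both patterns and the sample messages are constructed, since the thread does not quote the real rule, and Python's re module stands in for Perl's regex engine.

```python
import re

# Constructed local.cf fragment. NO_CREDIT_LOOSE reproduces the flaw described
# in point 3; NO_CREDIT_STRICT adds the word breaks. Both are hypothetical.
LOCAL_CF = r"""
body     NO_CREDIT_LOOSE   /\bno.{0,15}credit/i
describe NO_CREDIT_LOOSE   hypothetical rule with the missing word break
score    NO_CREDIT_LOOSE   1.0

body     NO_CREDIT_STRICT  /\bno\b.{0,15}\bcredit\b/i
describe NO_CREDIT_STRICT  same phrase, word break required after "no"
score    NO_CREDIT_STRICT  1.0
"""

# Constructed sample messages: one legitimate order notice, one spam line.
HAM = ["Notice: your credit card will be billed when your order is shipped."]
SPAM = ["No credit check required, everyone is approved!"]

_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
_BODY = re.compile(r"^body\s+(\w+)\s+/(.*)/([a-z]*)$")


def parse_body_rules(cf_text):
    """Return {rule name: compiled regex} for every 'body NAME /re/flags' line."""
    rules = {}
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("body"):
            continue  # describe/score/comment lines are not needed here
        match = _BODY.match(line)
        if not match:
            # Catches lines whose whitespace was lost, e.g. "bodyNAME /re/".
            raise ValueError(f"line {lineno}: malformed body rule: {line!r}")
        name, pattern, flags = match.groups()
        bits = 0
        for flag in flags:
            if flag not in _FLAGS:
                raise ValueError(f"line {lineno}: unsupported flag {flag!r}")
            bits |= _FLAGS[flag]
        rules[name] = re.compile(pattern, bits)
    return rules


def audit(rules, ham, spam):
    """Per rule: (number of ham messages hit, number of spam messages hit)."""
    return {
        name: (sum(bool(rx.search(msg)) for msg in ham),
               sum(bool(rx.search(msg)) for msg in spam))
        for name, rx in rules.items()
    }


if __name__ == "__main__":
    for name, (ham_hits, spam_hits) in audit(parse_body_rules(LOCAL_CF), HAM, SPAM).items():
        print(f"{name}: ham={ham_hits} spam={spam_hits}")
```

A rule that scores any ham hit in a check like this is a candidate for the negative or near-zero GA score described in the message.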



Re: [SAtalk] RBL Still Not Working

2002-09-27 Thread Matt Kettler

Are you having trouble getting any of the DNS blacklists to work, or just 
the MAPS RBL?

You should certainly see a lot of spam matching RCVD_IN_OSIRUSOFT_COM.

If you don't, do you have the perl Net::DNS installed? I think that's needed 
to make the DNS blacklists work, but can't say for sure. (insert place 
for someone that knows this better to correct me)

Also are you, or your ISP, pre-filtering at the MTA level with any DNS 
blacklists? Obviously if you use sendmail to reject all mail from a DNS 
blacklisted server, SpamAssassin will never get em, and thus will not 
generally have a match (unless it's in one of the prior received from: 
headers).



At 09:45 AM 9/27/2002 -0700, Tom at ATT wrote:
>I moved my SA machine into production to see if that would cause RBL to
>start working but still no luck.
>
>Yes, I can do DNS lookups.
>
>I assume I'd see some Spam: Hit! messages referring to the RBL if it was
>working, right?
>
>I'm catching about 95% of all spam for a small company with the default
>rules with very few false positives, but no RBL hits at all in two weeks.
>
>Any tricks to getting RBL to work?
>
>Thanks,
>Tom






Re: [SAtalk] Osirusoft - trustworthy?

2002-09-27 Thread Matt Kettler

Yes, going back up in the thread to my posting yesterday:

  http://relays.osirusoft.com/cgi-bin/rbcheck.cgi

This lists which blocklists that OSI uses are listing an IP, and in the 
case of spews, gives links over to spews where you can check the evidence 
file for the particular listing.

At 12:31 PM 9/27/2002 -0700, Kenneth Porter wrote:
>Can one query the TXT entry for a listed site to get more detail?






Re: [SAtalk] Osirusoft - trustworthy?

2002-09-27 Thread Matt Kettler

For the record, I am aware of the point Dan makes, and in fact I have 
more-or-less the same point of view. My original posting mentions it 
specifically as being a "high collateral damage policy". It's unclear to me 
why Dan quoted this as if it was a counter-point to my message, but just to 
avoid confusion, we're on the same page :)

  I definitely agree that trying to separate out some of the lists might be 
a good thing, instead of using relays.osirusoft.com as a single query. Of 
course this also has the drawback of requiring more DNS lookups to get a 
good sampling of lists, but that's probably a worthwhile tradeoff.

Also of note regarding collateral damage, have you seen the commentary 
about spews on kernel.org's website? (it's right on the front page)

---
linux.kernel.org, our mailing list server, keeps getting listed in the 
SPEWS RBL due to numerical proximity with an alleged spammer. We have 
pointed this out to them on several occasions, and they usually fix it -- 
but a couple of weeks later we find the same problem. For obvious reasons, 
we do not recommend that you use the SPEWS RBL or any site that derive from 
their information, including relays.osirusoft.com; see this page.

Please note that The Kernel Dot Org Organization do not endorse or support 
spam in any shape, way or form, and certainly do not recognize any sort of 
"right to spam." Spam is at the very least offensive and more often than 
not fraudulent, theft of service and invasion of privacy. We appreciate 
that it's a hard and thankless job to run after spammers, and appreciate 
the services that well-run RBL services provide.
---

The "this page" is a link to
http://relays.osirusoft.com/cgi-bin/rbcheck.cgi?addr=64.158.222.226


At 03:18 PM 9/27/2002 -0700, Daniel Quinlan wrote:
>Matt Kettler <[EMAIL PROTECTED]> writes:
>
> > Yes, going back up in the thread to my posting yesterday:
> >
> >   http://relays.osirusoft.com/cgi-bin/rbcheck.cgi
> >
> > This lists which blocklists that OSI uses are listing an IP, and in the
> > case of spews, gives links over to spews where you can check the evidence
> > file for the particular listing.
>
>Yes, but with SPEWS, you are listed if you share the same ISP as a
>spammer.  I help maintain a /27 network (32 consecutive IP addresses)
>used by several non-profit .org sites (no spammers!), but we are listed
>on SPEWS because there are spammers on other parts of the class C
>network (not at the same physical location).  The ISP bill (which is
>considerable) is 100% donated by a for-profit company (also not a
>spammer), so what exactly are we supposed to do?
>
>In other words, much of the inaccuracy of SPEWS is due to their policy,
>not administrative delay or errors.
>
>As an intermediate step, I might be okay with using SPEWS to see how
>their individual accuracy rates with the GA, but only as a separate
>rule, not co-mingled with other blacklists.  I'd rather just delete them
>and I don't see why we should support them.
>
>Dan






Re: [SAtalk] 2.42: est release?

2002-10-02 Thread Matt Kettler

"any day now" is about the best estimate anyone can give I think..

Currently, based on watching the traffic on saDev, there is currently some 
effort going on cleaning up some issues in Makefile.PL and some issues with 
the AWL path. Of course, all of this is pure speculation on my part. My 
involvement in saDev is mostly limited to analyzing rules, corpi and 
falsepos/neg cases.


I'd expect that as soon as all the serious issues are worked out, and no 
more crop up, 2.42 will be out within a day.
Some significant bugs that I think are currently holding up 2.42 (again 
speculating)

http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1039

http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1046

http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1033

At 10:03 AM 10/2/2002 -0500, Larry Rosenman wrote:
>Is there an estimated release date/time for the 2.42 release?
>
>Thanks,
>LER
>
>--
>Larry Rosenman http://www.lerctr.org/~ler
>Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
>US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
>
>
>



Re: [SAtalk] Do "To:" rules check in "Cc: field as well?

2002-10-03 Thread Matt Kettler

AFAIK the header rules should only check the header specified. In the 
context of SpamAssassin it would seem to be a truly broken behavior for a 
regex that explicitly specifies one header to be matched against another.

If you wanted a CC rule, you'd need to make a CC rule, and you could Meta 
the two together as a single rule.


At 11:27 PM 10/2/2002 -0700, Vicki Brown wrote:
>Do "To:" rules check in "Cc: field as well?
>That is, does SpamAssassin treat its To rules similarly to procmail's TO
>rules?
>
>I want to have a rule that checks for whether my real name is in the address;
>mail to "[EMAIL PROTECTED]" without the "Vicki Brown" part is considered suspect
>(hint to anyone replying to me :-)
>
>Can I do this with a simple
> header TO_NOT_NAME  To =~ /^["\s]*\?\s*$/
>(borrowing the pattern from the NOT_REAL_NAME "From" rule so it can be used
>system-wide).
>
>Will this also check the Cc: field?  (If not, can I file a strongly worded
>request for "enhancement", i.e. bug report? :-)
>
>Please Cc: me with any replies (see why it matters? :-) as I have subscribed
>to the digest.






Re: [SAtalk] RBL question

2002-10-03 Thread Matt Kettler

Yes, each RBL has its own scores and rules. Setting the score of a given 
RBL rule to zero disables it, setting it to anything but zero will enable it.

Maps, being a subscription service, is disabled per default.

Also note that if you're checking a given RBL at the MTA level, checking it 
again in SpamAssassin is pointless, since the mail will have already been 
denied by the MTA.

Scores you might want to over-ride in your local.cf (these are the default 
ones for SA 2.41 copied from 50_scores.cf):

# DNS blacklists

score RCVD_IN_RELAYS_ORDB_ORG    0.61
score RCVD_IN_OSIRUSOFT_COM      0.38
score X_OSIRU_DUL                0.62
score X_OSIRU_DUL_FH             0.36
score X_OSIRU_OPEN_RELAY         2.72
score X_OSIRU_SPAMWARE_SITE      0.30
score X_OSIRU_SPAM_SRC           2.73
score RCVD_IN_RFCI               2.28
score RCVD_IN_ORBS               2.25
score RCVD_IN_DSBL               3.25
score RCVD_IN_MULTIHOP_DSBL      0.81
score RCVD_IN_SBL                3.18
score RCVD_IN_UNCONFIRMED_DSBL   0.77
score RCVD_IN_VISI               2.62
score RCVD_IN_BONDEDSENDER     -10.0

# unscored by default -- commercial services.  If you pay for these,
# give them a score so they will be checked.
#
# 0.5 to 1.0 is probably good for the DUL scores
# 1.5 to 2.0 is probably good for the rest

score RCVD_IN_BL_SPAMCOP_NET     0.0
score RCVD_IN_DUL                0.0
score RCVD_IN_DUL_FH             0.0
score RCVD_IN_RBL                0.0
score RCVD_IN_RSS                0.0

At 08:04 PM 10/3/2002 -0500, Rice, Kevin wrote:
>It looks like all of the different pages/posts I've seen on recommended SA 
>setup talk about turning off RBL lookups. I can understand this in that it 
>could cause things to timeout waiting on a response from a remote service. 
>I have a subscription to MAPS though and keep a local copy of their zone. 
>Is there any way in the local.cf to enable MAPS lookups, but disable the rest?






Re: [SAtalk] De-mime a message

2002-10-04 Thread Matt Kettler

Read the manpage.. defang_mime is the option you want.

At 09:20 AM 10/4/2002 -0700, Bill Anderson wrote:
>Can spamassassin convert an html email to text only if it is spam.  If so,
>how?  Thanks.






Re: [SAtalk] White/Black lists not working

2002-10-07 Thread Matt Kettler

Well, you've not said what you've tried so far, but the following should be 
the proper procedure.

Note: It is strongly advised that you not edit the files in 
/usr/share/spamassassin unless you absolutely have to (ie: if unwhitelist 
is broken)

Edit /etc/mail/spamassassin/local.cf if you want the changes site-wide or 
~/.spamassassin/user_prefs if you want it per user that spamassassin runs 
as (note: there is a distinction here between who the mail is addressed to, 
and what user SA runs as).

Here you can add lines such as:

blacklist_from *@*spammer.com

whitelist_from *@*friend.com

# note that there are three varieties of whitelist for to: addresses. In 
# increasing order of strength:
whitelist_to    [EMAIL PROTECTED]
more_spam_to    [EMAIL PROTECTED]
all_spam_to     [EMAIL PROTECTED]

If you use spamd, restart it after you edit the config.

At 08:17 AM 10/7/2002 -0400, Don Stafford wrote:
>SpamAssassin is working great!
>
>BUT - - - - -
>
>I cannot get my whitelist or blacklist file to work.  The
>almost-certainly-spam and probably-spam files (being created in
>/var/spool/mqueue) does have some valid emails
>
>The local.cf has the path to the lists, but SA is ignoring them.
>
>Could someone give me specifics on how to do this please??






Re: [SAtalk] White/Black lists not working

2002-10-07 Thread Matt Kettler

Perhaps I shouldn't be so ready to assist Don Stafford in the future, since 
his mailserver is so politely configured to block entire ISPs at the MTA 
level.


At 12:08 PM 10/7/2002 -0400, you wrote:
>The original message was received at Mon, 7 Oct 2002 12:05:02 -0400
>from tcp-4-021.evi-inc.com [10.0.4.21]
>
>- The following addresses had permanent fatal errors -
><[EMAIL PROTECTED]>
> (reason: 550 5.0.0 Refused SPAM from comcastbusiness.com)
>
>- Transcript of session follows -
>... while talking to mail.uavco.com.:
> >>> MAIL From:<[EMAIL PROTECTED]>
><<< 550 5.0.0 Refused SPAM from comcastbusiness.com
>554 5.0.0 Service unavailable
>Reporting-MTA: dns; xanadu-int.evi-inc.com
>Arrival-Date: Mon, 7 Oct 2002 12:05:02 -0400
>
>Final-Recipient: RFC822; [EMAIL PROTECTED]
>Action: failed
>Status: 5.0.0
>Diagnostic-Code: SMTP; 550 5.0.0 Refused SPAM from comcastbusiness.com






Re: [SAtalk] "offers" in header a good rule for trapping spam

2002-10-09 Thread Matt Kettler

At 01:28 PM 10/9/2002 -0500, SpamTalk wrote:
>Currently running 2.21, hopefully moving to 2.42 (3?) waiting to see how the
>current spamd failing issue works out.
>I have been trapping a number of low scoring spam using the rules wizard in
>outlook dump any message with the word "offers" in the headers (normally
>seen as "offers@" or offers.domain.com) into the spamola folder. I have
>trapped 5 (1 is a duplicate) today and it is only half over. Any chance this
>is a high-scoring flag in 2.42?

Hmm, doing a "grep -i offers *" this rule does not appear to exist in the 
default 2.42 ruleset. But it also doesn't exist in 2.40, or 2.20.

It might be a good rule to add and try stirring in the GA, but it's 
obviously too late for 2.42, since that's already released.

I also suspect this rule will be very good at detecting all commercial 
mail, as opposed to only unsolicited commercial mail, but a stir with the 
GA could quickly point that out.






Re: [SAtalk] not whitelisting

2002-10-09 Thread Matt Kettler

Note that whitelist_from_rcvd also specifies a mailserver, the mailserver 
specified (whitney.pmail.biz) never appears in any of the Received: 
headers, thus it is a non-match.

Of course, the IP of that server does appear:
whitney.pmail.biz has address 206.231.144.172

but a reverse lookup takes forever, and does not match that name:

172.144.231.206.in-addr.arpa domain name pointer www.patronmail.com.

It appears that when your server got the message, the reverse lookup failed 
completely and you only got an IP.

I don't know if whitelist_from_rcvd allows IPs, but if it does, you might 
consider using that since this mailserver obviously doesn't have matching 
forward and reverse DNS entries. (xanadu here doesn't either, for that
matter)  As an alternative you might consider a local hosts entry for it,
but that has drawbacks too.



At 10:12 PM 10/9/2002 -0400, zeek wrote:

>My whitelist has the following entry:
>
>whitelist_from_rcvd *@whitney.pmail.biz whitney.pmail.biz
>
>But this got tagged as spam:
>
> >From [EMAIL PROTECTED]  Mon Oct  7
>09:17:45 2002
>Return-Path: <[EMAIL PROTECTED]>
>Received: from indigo.sparklehouse.com (smtp.sparklehouse.com [192.168.1.1])
> by mogwai.sparklehouse.com (8.11.6/8.11.6) with ESMTP id
>g97DHj024425
> for <[EMAIL PROTECTED]>; Mon, 7 Oct 2002 09:17:45 -0400
>Received: from [206.231.144.27] (helo=BULK3)
> by indigo.sparklehouse.com with esmtp (Exim 6.66 #1)
> id 17yXwc-00061c-00
> for [EMAIL PROTECTED]; Mon, 07 Oct 2002 09:29:10 -0400
>Message-ID: <6485251.1033997350853.JavaMail.root@BULK3>
>Date: Mon, 7 Oct 2002 09:29:07 -0400 (EDT)
>From: Whitney Museum of American Art <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>
>
>Am I still not getting something about the whitelists?
>
>
>-zeek
>
>
>
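The non-match described in the whitelist_from_rcvd reply above, as an added example that is not part of the thread and not SpamAssassin's own code: it parses the two Received: headers from the quoted message and checks whether the relay named in the whitelist entry was ever recorded as a reverse-DNS name. The helper names and the suffix-match rule are assumptions made for illustration.

```python
import email
import re

# Received: headers from the quoted message, as posted (addresses are
# redacted in the archive and kept that way here).
RAW_HEADERS = """\
Received: from indigo.sparklehouse.com (smtp.sparklehouse.com [192.168.1.1])
 by mogwai.sparklehouse.com (8.11.6/8.11.6) with ESMTP id g97DHj024425
 for <[EMAIL PROTECTED]>; Mon, 7 Oct 2002 09:17:45 -0400
Received: from [206.231.144.27] (helo=BULK3)
 by indigo.sparklehouse.com with esmtp (Exim 6.66 #1)
 id 17yXwc-00061c-00
 for [EMAIL PROTECTED]; Mon, 07 Oct 2002 09:29:10 -0400
Message-ID: <6485251.1033997350853.JavaMail.root@BULK3>

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST = r"[A-Za-z0-9][A-Za-z0-9.-]*"


def parse_hop(received):
    """Split one Received: value into HELO name, reverse-DNS name and IP."""
    text = " ".join(received.split())            # unfold continuation lines
    from_part = text.split(" by ", 1)[0]
    token = re.match(r"from\s+(\S+)", from_part)
    paren = re.search(r"\(([^)]*)\)", from_part)
    ip = IP_RE.search(from_part)
    first = token.group(1) if token else ""
    inside = paren.group(1) if paren else ""
    helo_kv = re.search(r"helo=(\S+)", inside)
    helo = rdns = None
    if first.startswith("["):
        # "from [ip] (helo=NAME)": the receiver got no reverse-DNS name.
        helo = helo_kv.group(1) if helo_kv else None
    elif inside.startswith("["):
        # "from rdns ([ip] helo=NAME)": Exim style when the lookup worked.
        rdns = first
        helo = helo_kv.group(1) if helo_kv else first
    else:
        # "from HELO (rdns [ip])": sendmail style.
        helo = first
        m = re.match(r"(" + HOST + r")\s+\[", inside)
        rdns = m.group(1) if m else None
    return {"helo": helo, "rdns": rdns, "ip": ip.group(1) if ip else None}


def hops_from(raw):
    """Return one parsed hop per Received: header, newest first."""
    msg = email.message_from_string(raw)
    return [parse_hop(value) for value in msg.get_all("Received", [])]


def relay_matches(hops, relay):
    """Assumed rule: the relay must equal, or be a parent domain of, an rDNS name."""
    relay = relay.lower().rstrip(".")
    for hop in hops:
        name = (hop["rdns"] or "").lower().rstrip(".")
        if name == relay or name.endswith("." + relay):
            return True
    return False


if __name__ == "__main__":
    hops = hops_from(RAW_HEADERS)
    for hop in hops:
        print(hop)
    print("whitney.pmail.biz seen as relay:",
          relay_matches(hops, "whitney.pmail.biz"))
```

The hop that handed the message to indigo.sparklehouse.com carries only a bracketed IP and a HELO string, so there is no relay name for the whitelist entry to match.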



Re: {SPAM} [SAtalk] Spam not tagged, and USER_IN_WHITELIST?

2002-10-09 Thread Matt Kettler

Well, your messages are missing complete headers, so it's hard to say what 
the problem is. I'd suggest reading this bugzilla however, then examining 
the complete message headers and look at what the return path is.

http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1038

At 05:23 PM 10/9/2002 -0700, Riley wrote:
>Hi all,
>
>Could someone explain this to me?  Maybe I'm missing something obvious?  I
>can't find any reference to this in my whitelists, but the Status is No.
>
>Thanks,
>
>Riley
>
>  Always do right.  This will gratify some people and astonish the rest.
>  -- Mark Twain
>






RE: [SAtalk] Spam not tagged, and USER_IN_WHITELIST?

2002-10-10 Thread Matt Kettler

Well, the particular bug is marked "WONTFIX" because it's not really a bug, 
it's an intentional behavior.

Someone was making the argument that SA should only examine the from: line 
for whitelists, and that's not practical.

In your case it sounds like you've checked to make sure that both the 
return path (surecom.com) and the from: (enhanced-dsl-offer.com) aren't in 
your whitelist, so you're not having the problem reported in bug 1038.

I re-assembled the message with these headers and I did not get a whitelist 
hit, so without seeing your whitelist, I'm really not sure what to say.. 
You could try running the message through command-line spamassassin -tLD to 
get some more info. It seems fairly obvious that this has something to do 
with SA being configured in a manner which does something you don't expect 
of it. For example, small typos in your user_prefs tend to wreak havoc.

I'd also recommend running spamassassin --lint to check your config files 
for errors.


Here's what I get for the re-assembled message on my test box (mostly stock 
2.42, no whitelist additions, a few score mods of my own to turn off some 
RBLs and some rules with sub 0.1 scores). I don't get a whitelist hit.

SPAM:  Start SpamAssassin results --
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (16.10 hits, 5.9 required)
SPAM: GAPPY_SUBJECT  (1.3 points)  'Subject' contains G.a.p.p.y-T.e.x.t
SPAM: SUBJ_FREE_CAP  (0.4 points)  Subject contains "FREE" in CAPS
SPAM: FREE_MONEY (-0.1 points) BODY: Free money!
SPAM: DEAR_SOMETHING (1.8 points)  BODY: Contains 'Dear (something)'
SPAM: MARKETING_PARTNERS (1.7 points)  BODY: Claims you registered with some kind of partner
SPAM: NO_COST (1.0 points)  BODY: No such thing as a free lunch (3)
SPAM: EXCUSE_3   (0.4 points)  BODY: Claims you can be removed from the list
SPAM: EXCUSE_7   (0.4 points)  BODY: Claims you can be removed from the list
SPAM: CLICK_BELOW (0.3 points)  BODY: Asks you to click below
SPAM: WHILE_SUPPLIES (0.3 points)  BODY: While Supplies Last
SPAM: GREAT_OFFER (0.2 points)  BODY: Trying to offer you something
SPAM: OFFER  (0.2 points)  BODY: Free Offer
SPAM: OFFER_EXPIRE   (0.1 points)  BODY: Offer Expires
SPAM: DEAR_SOMEBODY  (0.1 points)  BODY: Contains 'Dear Somebody'
SPAM: RESERVES_RIGHT (0.0 points)  BODY: Reserves the right
SPAM: SPAM_PHRASE_08_13  (1.4 points)  BODY: Spam phrases score is 08 to 13 (medium)
SPAM: [score: 9]
SPAM: HTML_FONT_COLOR_GREEN (0.4 points)  BODY: HTML font color is green
SPAM: BIG_FONT   (0.3 points)  BODY: FONT Size +2 and up or 3 and up
SPAM: HTML_FONT_COLOR_GRAY (0.3 points)  BODY: HTML font color is gray
SPAM: HTML_FONT_FACE_ODD (0.3 points)  BODY: HTML font face is not a commonly used face
SPAM: HTML_FONT_COLOR_RED (0.3 points)  BODY: HTML font color is red
SPAM: HTML_50_70 (0.3 points)  BODY: Message is 50-70% HTML tags
SPAM: HTML_FONT_COLOR_UNSAFE (0.3 points)  BODY: HTML font color not within safe 6x6x6 palette
SPAM: LINES_OF_YELLING   (0.2 points)  BODY: A WHOLE LINE OF YELLING DETECTED
SPAM: HTML_FONT_COLOR_BLUE (0.2 points)  BODY: HTML font color is blue
SPAM: FRONTPAGE  (0.4 points)  BODY: Frontpage used to create the message
SPAM: CLICK_HERE_LINK (0.3 points)  BODY: Tells you to click on a URL
SPAM: MAILTO_LINK (0.2 points)  BODY: Includes a URL link to send an email
SPAM: MIME_LONG_LINE_QP  (0.3 points)  RAW: Quoted-printable line longer than 76 characters
SPAM: NORMAL_HTTP_TO_IP  (1.3 points)  URI: Uses a dotted-decimal IP address in URL
SPAM: REMOVE_PAGE (0.7 points)  URI: URL of page called "remove"
SPAM: MANY_EXCLAMATIONS  (0.4 points)  Subject has many exclamations
SPAM: CTYPE_JUST_HTML (0.4 points)  HTML-only mail, with no text version
SPAM:
SPAM:  End of SpamAssassin results -






Re: [SAtalk] Blackhole lists

2002-10-14 Thread Matt Kettler

1) first make sure you have Net::DNS installed. This is the most common 
cause of the blackhole lists not being checked by spamassassin

2) using the sample mail from the SpamAssassin distro, run
 spamassassin -tD

>How can I prove that spamassassin is using all the blackhole lists.  I saw
>in the docs that it is configured to use them by default however I am not
>seeing anything in my maillog.
>
>Louis
>
>--
>¤¤º°`°º¤ø,¸¸,ø¤º°`°º¤øø¤º°`°º¤ø,¸¸,ø¤º°`°º¤øø¤º°`°º¤
>¤°`°Lightbridge, Inc
>¤°`°67 South Bedford St.
>¤°`°Burlington MA 01832
>¤°`°781.359.4795 mailto:[EMAIL PROTECTED]
>¤°`°http://www.lightbridge.com
>¤¤º°`°º¤ø,¸¸,ø¤º°`°º¤øø¤º°`°º¤ø,¸¸,ø¤º°`°º¤øø¤º°`°º¤
>
>
>



Re: [SAtalk] How AWL system works?

2002-10-14 Thread Matt Kettler

It's a known bug in SpamAssassin 2.42, already fixed in CVS.. see bugzilla

http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1071


At 05:25 PM 10/14/2002 +0300, Tanel Kokk wrote:
>I'm just trying to understand, how AWL works.
>
>As I have understood, AWL is like a longterm score for senders. When 
><[EMAIL PROTECTED]> sends a message with positive score (>5), then her 
>longterm score should increase. When <[EMAIL PROTECTED]> sends a message with
>score below 5, then longterm score should decrease.
>
>I made some tests (required_hits = 5):
>0) cat sample-spam.txt | spamassassin -R  # clearing all AWL scores
>1) cat sample-spam.txt | spamassassin -aD
> Pre AWL score: 15.8, Post AWL score: 15.8
>2) cat sample-spam.txt | spamassassin -aD
> Pre AWL score: 15.8, Post AWL score: 15.8
>3) cat sample-spam.txt | spamassassin -aD
> Pre AWL score: 15.8, Post AWL score: 14.6
>4) cat sample-spam.txt | spamassassin -aD
> Pre AWL score: 15.8, Post AWL score: 13.3
>
>Honestly, I don't understand: the more spam-mail are sent, the lesser will 
>be scores! Why?
>
>
>Below are complete debug messages about those commands.
>--
>0) cat sample-spam.txt | spamassassin -R  # clearing all AWL scores
>1) cat sample-spam.txt | spamassassin -aD
>  debug: running meta tests; score so far=15.8
>  debug: 25300 Trying to get lock on /var/spool/MIMEDefang/awl/awl pass 0
>  debug: Tie-ing to DB file R/W in /var/spool/MIMEDefang/awl/awl
>  debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=63.10 scores 0/0
>  debug: auto-whitelist (db-based): [EMAIL PROTECTED] scores 0/0
>  debug: AWL active, pre-score: 15.8, mean: undef, originating-ip: 
> 63.10.249.142
>  debug: add_score: New count: 1, new totscore: 15.8
>  debug: Post AWL score: 15.8
>2) cat sample-spam.txt | spamassassin -aD
>  debug: running meta tests; score so far=15.8
>  debug: 25304 Trying to get lock on /var/spool/MIMEDefang/awl/awl pass 0
>  debug: Tie-ing to DB file R/W in /var/spool/MIMEDefang/awl/awl
>  debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=63.10 scores 1/15.8
>  debug: AWL active, pre-score: 15.8, mean: 15.8, originating-ip: 
> 63.10.249.142
>  debug: add_score: New count: 2, new totscore: 26.6
>  debug: Post AWL score: 15.8
>3) cat sample-spam.txt | spamassassin -aD
>  debug: running meta tests; score so far=15.8
>  debug: 25308 Trying to get lock on /var/spool/MIMEDefang/awl/awl pass 0
>  debug: Tie-ing to DB file R/W in /var/spool/MIMEDefang/awl/awl
>  debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=63.10 scores 2/26.6
>  debug: AWL active, pre-score: 15.8, mean: 13.3, originating-ip: 
> 63.10.249.142
>  debug: add_score: New count: 3, new totscore: 32.4
>  debug: Post AWL score: 14.6
>4) cat sample-spam.txt | spamassassin -aD
>  debug: running meta tests; score so far=15.8
>  debug: 25312 Trying to get lock on /var/spool/MIMEDefang/awl/awl pass 0
>  debug: Tie-ing to DB file R/W in /var/spool/MIMEDefang/awl/awl
>  debug: auto-whitelist (db-based): [EMAIL PROTECTED]|ip=63.10 scores 3/32.4
>  debug: AWL active, pre-score: 15.8, mean: 10.8, originating-ip: 
> 63.10.249.142
>  debug: add_score: New count: 4, new totscore: 33.2
>  debug: Post AWL score: 13.3
>--
>
>Tanel
>
>
>
>
>
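A way to read the AWL debug output quoted in the message above, as an added example that is not part of the thread or of SpamAssassin: it parses the AWL lines from the four identical runs and compares what each run added to the stored total with that run's pre-AWL score. It assumes a correct auto-whitelist adds each message's pre-AWL score to the total; the function names are hypothetical.

```python
import re

# AWL debug lines from the four runs quoted above, with the mail-client line
# wraps joined and unrelated debug lines left out.
DEBUG_LOG = """\
debug: AWL active, pre-score: 15.8, mean: undef, originating-ip: 63.10.249.142
debug: add_score: New count: 1, new totscore: 15.8
debug: Post AWL score: 15.8
debug: AWL active, pre-score: 15.8, mean: 15.8, originating-ip: 63.10.249.142
debug: add_score: New count: 2, new totscore: 26.6
debug: Post AWL score: 15.8
debug: AWL active, pre-score: 15.8, mean: 13.3, originating-ip: 63.10.249.142
debug: add_score: New count: 3, new totscore: 32.4
debug: Post AWL score: 14.6
debug: AWL active, pre-score: 15.8, mean: 10.8, originating-ip: 63.10.249.142
debug: add_score: New count: 4, new totscore: 33.2
debug: Post AWL score: 13.3
"""

PRE = re.compile(r"AWL active, pre-score: (-?[\d.]+), mean: (undef|-?[\d.]+)")
ADD = re.compile(r"add_score: New count: (\d+), new totscore: (-?[\d.]+)")
POST = re.compile(r"Post AWL score: (-?[\d.]+)")


def parse_runs(log):
    """Group the three AWL debug lines of each run into one record."""
    runs, cur = [], {}
    for line in log.splitlines():
        if m := PRE.search(line):
            mean = m.group(2)
            cur = {"pre": float(m.group(1)),
                   "mean": None if mean == "undef" else float(mean)}
        elif m := ADD.search(line):
            cur["count"], cur["total"] = int(m.group(1)), float(m.group(2))
        elif m := POST.search(line):
            cur["post"] = float(m.group(1))
            if {"pre", "count", "total"} <= cur.keys():
                runs.append(cur)        # keep only complete records
            cur = {}
    return runs


def audit(runs):
    """Flag runs whose contribution to the total differs from the pre-score."""
    findings = []
    prev_total = expected = None
    for run in runs:
        if prev_total is None:
            if run["count"] != 1:
                # Log starts mid-history: use this run as the baseline only.
                prev_total = expected = run["total"]
                continue
            prev_total = expected = 0.0
        added = round(run["total"] - prev_total, 1)
        expected = round(expected + run["pre"], 1)
        findings.append({
            "count": run["count"],
            "added": added,
            "expected_total": expected,
            "logged_total": run["total"],
            "drifted": added != round(run["pre"], 1),
        })
        prev_total = run["total"]
    return findings


if __name__ == "__main__":
    for f in audit(parse_runs(DEBUG_LOG)):
        flag = "DRIFT" if f["drifted"] else "ok"
        print(f"run {f['count']}: added {f['added']}, total "
              f"{f['logged_total']} (expected {f['expected_total']}) {flag}")
```

From the second run on, less than the pre-AWL score of 15.8 is added to the total each time, which is what drags the mean and the post-AWL score down in the quoted output.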



Re: [SAtalk] SA score in subject?

2002-10-14 Thread Matt Kettler

I think what you are trying to do is let your users customize their 
filtering, so I'm going to operate under that assumption and suggest you 
look at the spam_level_stars option. It's much easier for most MUA's to handle.

As far as I know there's currently not an option to do what you're asking.

At 10:37 AM 10/14/2002 -0400, Mike Schrauder wrote:
>If I wanted to change the subject of spam to say *SPAM=14.3* 
>instead of
>*SPAM* site wide, is that possible?  Is there a way to use the 
>score as a variable in a config file?
>Where would I set up the way the subject gets altered by SA?  TIA
>
>Mike Schrauder






Re: [SAtalk] Boneheaded SPAM advertising "My new Anti-Junk Mail Filter"

2002-10-15 Thread Matt Kettler

I've recently been receiving quite a few similar spams myself. Both at my 
work addresses (postmaster) and one of my home addresses that's on a 
personal website.

All of the ones here at work spamvertize "www.net-tran.com" which offers a 
product called "SpamCatchers" and are sent via a variety of mailservers. At 
home I think I'm getting some different ones, one of which claimed to be 
"the spam to end all spams!"

Even more funny, all of the ones at work were tagged as spam by
SpamAssassin :)

Here's the relays that they came in from:

9/27/02 Received: from exchange.lanakilahawaii.org 
(rrcs-west-66-91-143-26.biz.rr.com [66.91.143.26])
10/2/02 Received: from mg-exch.nursemate.com.tw (c148.h061013130.is.net.tw 
[61.13.130.148])
10/2/02 Received: from mg-exch.nursemate.com.tw (c148.h061013130.is.net.tw 
[61.13.130.148])
10/5/02 Received: from capu.net (capumail-b.capu.net [64.50.133.55])

I sent a note to capu.net, haven't gotten any since..



At 08:00 AM 10/15/2002 -0500, Mike Burger wrote:
>On Mon, 14 Oct 2002, Simon Matthews wrote:
>
> > On Tue, 15 Oct 2002, Mike Burger wrote:
> >
> > > keeping in mind, also, that you didn't include the headers, so from what
> > > you presented us, there was no way for us to know from whence it came.
> >
> > Hey, I just posted it because I thought it would be amusing. 
>
>Gotcha.
>
>--
>Mike Burger
>http://www.bubbanfriends.org
>
>Visit the Dog Pound II BBS
>telnet://dogpound2.citadel.org or http://dogpound2.citadel.org:2000
>
>
>



Re: [SAtalk] netscape and spamassassin

2002-10-15 Thread Matt Kettler

In general your best bet will be to use fetchmail and call spamassassin
from procmail and point netscape at the local mail pool.

There's not a whole lot of support for embedding SpamAssassin into MUA's 
(ie: clients) since it's really intended for use on MTAs (ie: servers). 
Some MUA's just happen to have enough features that it becomes possible to 
call SA from them without a great deal of effort, which is why there's some 
documentation about how to integrate it with a few MUAs.

Since you already posted this question once and got no answer I strongly
suspect that nobody has done this for Netscape mail, most likely because 
Netscape mail doesn't have the necessary features to call SA.

AFAIK there's also an effort to get SA to work with Mozilla's mailer, but I 
don't know the status of that project.


At 08:37 PM 10/15/2002 +0200, lambert Bernard wrote:
>Hi
>
>I want to install spamassassin on my PC
>
>I run suse 8.0 , and I use Netscape as browser and email. my mail box is
>from a provider
>
>I have read the install and faq
>
>I saw how to set kdemail or procmail but nothing about netscape
>
>It is possible to use spamassassin with netscape mail, and where i can 
>find how to set it ?
>
>regards






Re: [SAtalk] Why the score is at -68.3

2002-10-16 Thread Matt Kettler

SA 2.42 has a bug in the AWL code that can severely jack down the score of 
spam mails, disable the AWL or use SA 2.43

At 09:43 AM 10/16/2002 +0200, Vincent Nainemoutou wrote:

> All, please find enclosed a message header I am trying to tag. It is
>working for all other blacklist_from. I don't understand why the score is
>negative. I did not notice any problem in my local.cf file.
>
> Thanks for any advice.
> --Vincent
>
>
>From: "Artprice.com" <[EMAIL PROTECTED]>
>To: 
>Subject: Cesar Baldaccini
>MIME-Version: 1.0
>Content-Type: text/html;charset=iso-8859-1
>Content-Transfer-Encoding: 8bit
>X-Spam-Status: No, hits=-68.3 required=5.0
>tests=AWL,CTYPE_JUST_HTML,EXCUSE_3,HTML_FONT_COLOR_RED,
>SPAM_PHRASE_05_08,USER_IN_BLACKLIST version=2.42
>X-Spam-Level:
>
>
>



Re: [SAtalk] No need to answer : Where should whitelist_from entries be placed ?

2002-10-16 Thread Matt Kettler

No, do not edit any of the /usr/share/spamassassin/* files if you can avoid
it. They will be obliterated when you upgrade.

/etc/mail/spamassassin/local.cf is the proper spot for site-wide applications
~/.spamassassin/user_prefs is the proper spot if you run SpamAssassin as 
different users and want different settings per user.

At 03:57 PM 10/16/2002 +0100, Usr Local wrote:
>I hate having to answer my own posts but I think I have found the right 
>file - 10_misc.cf appears to work.
>
>Apologies for the duplicate earlier.
>
>
>Toril






Re: [SAtalk] Grr..> more detailed information (fwd)

2002-10-16 Thread Matt Kettler

What about a rule hitting anything giving a strong or aggressive buy 
recommendation for any OTCBB traded stock?

body MK_OTC_STOCK_BUY /\b(?:aggressive|strong) buy recommendation.{1,100}\b(?-i:OTCBB)\b/i
score MK_OTC_STOCK_BUY  4.0

This might false pos for those who subscribe to a lot of legit investment 
newsletters specializing in low priced stocks, but for the rest of us this 
might be useful.

At 11:20 AM 10/16/2002 -0700, Jonathan Nichols wrote:
>These spams are so annoying. Any ideas for a rule that bit-buckets
>anything that says "Cal-Bay" in it? (with the exception of "Cal Bay
>sucks?") :P
>
>I get probably 5-7 of these a week on another address..






Re: [SAtalk] scoring differences between versions.

2002-10-23 Thread Matt Kettler
Well, I can give you any fixed ratios, but I can tell you that this "score 
deviation" is likely to change when the GA is run. It's likely to change 
very substantially if the GA itself changes, as happened between 2.31 and 
2.4x, and it's likely to deviate more mildly as the content of the corpus 
and ruleset changes over time.

Really your best idea of what the spread for a given GA run is like is 
going to come from reading the top of the STATISTICS.txt. This will show 
things like average spam score, average nonspam score, average FP, average 
FN, etc. Comparing that information between releases will likely give you 
the best "feel" for how much to adjust your thresholds.

At 12:44 PM 10/23/2002 -0400, [EMAIL PROTECTED] wrote:
>Hello,
>
>I'm trying to determine how many spamassassin hits are appropriate for
>tagging messages at different levels of it possibly being spam.
>
>I have spamassassin 2.31 running on a production machine, and figured out
>some good numbers for that situation. I installed 2.43 on a different
>machine, and it's producing MUCH different results.
>
>With the sample-spam.txt that ships with 2.43:
>2.31 returns 30.1 hits
>2.43 returns 14.7 hits
>These were both run in the same way (spamassassin -t < sample-spam.txt)
>
>The results output shows much lower point definitions for the items it
>finds in 2.43, but both match the same 16 rules.
>
>Can anyone offer some advice on how much existing filters for hit numbers
>should be adjusted? For example, a score of 7 on 2.31 correlates to X.X on
>2.43? ...if I divide all my current client hit settings by 2.047 (ratio from
>30.1/14.7) will I get the same results I'd expect from the previous version?
>
>I was also wondering if the hit numbers returned normally change this
>much between releases. Is this something that will need adjusted on every
>release? or was this something that changed once and isn't likely to
>change for a while?
>
>Thanks for your advice,
>--
>Josh I.
>(if this is answered in a FAQ somewhere, please let me know, I couldn't
>find it)





Re: [SAtalk] Spammers list!!!

2002-10-23 Thread Matt Kettler
1) that's not something SpamAssassin does, it doesn't work based on sender 
domains, it tags based on content.

2) that's not something anyone does in text form, you can however do DNS 
queries for blocked servers in various DNS blacklists. SpamAssassin does 
use a few DNS blacklists by default. Most DNS blacklists do not allow 
"small" users to download their entire zonefile, mostly because it's huge. 
If you're checking in excess of 100,000 messages a day, zone transfer is 
likely a good idea, but if you're doing 1,000 a day, it's going to be more 
of a burden on the blacklist server than you simply making queries for 
every email.

At 05:01 PM 10/23/2002 +0100, [EMAIL PROTECTED] wrote:
>Where can I get Text list of all blocked  spammers domain names?
>
>So that I can download to my server
>Thanks
>
>
>Best Regards
>O. TUNC ERESEN






OT: Re: [SAtalk] spamd uses a lot of CPU

2002-10-23 Thread Matt Kettler
Oh joy, this broken vacation rule even replies to the list sometimes! 
wonderful! The only way it could be "better" is if the rule engaged in 
conversations with itself posting to the list.

And people wonder why I feel that vacation rules should not be written by 
anyone without a decent background in both mailserver administration and 
network security.

At 01:09 AM 10/23/2002 -0400, tgwilt wrote:
>I am out of the office from Monday, Oct 21st until Thursday, October 24th.
>
>Tom






Re: [SAtalk] how to reduce CPU useage. 70,000 users

2002-10-23 Thread Matt Kettler
For high-volume I'd recommend a couple tweaks if your CPU load average is 
going too high.

1) disable razor, as you already suggested, along with razor2, dcc, and pyzor.

2) zero the scores for several, or all, of the DNSBLs. I personally took 
the approach of zeroing the scores of DNSBL's for ones which score under 
0.5, and I'm not high volume. If you do leave any DNSBLs on, make sure 
your  spamd server has FAST access to a nameserver. I'd even go as far as 
to recommend a caching nameserver running on the same server as the machine 
running spamd if it doesn't already have a normal DNS server on it.

3) I'd also consider zeroing some of the "very low scoring" rules. 
Particularly those with evals. My cutoff was anything less than 0.01, but 
you might want to take a wider swath if CPU usage is a problem for you.

4) Reduce some timeouts and retry counts. This helps a lot in preventing
mail from backlogging whenever a blacklist becomes unavailable or an email
with "no mx for from" arrives.

The following are the score tweaks I use with 2.43, they outline the basic 
concepts above, but you might want to do this to a greater extent than I 
have. Your mileage may vary, but this might be a good start for what you 
want to do.

---
#Timeout reductions
#the following reduces the time for a run of SA
#but risks timing out valid blacklist data. Still far better to
#skip a blacklist sometimes than to choke a mailserver.
rbl_timeout 10
razor_timeout 10
#the following reduces the time for a run of SA
#but risks claiming a from: has no mx when it
#does indeed have one. This is a bit more risky
#as it increases chances of FPs.
check_mx_attempts 2
check_mx_delay  3

#disabling razor 1, but allow razor2, that works much better
score RAZOR_CHECK 0
#score RAZOR2_CHECK   0

#first, zero some low-scoring DNS lists. <0.5 is NOT worth cost of lookup.
score RCVD_IN_OSIRUSOFT_COM  0
score X_OSIRU_DUL_FH 0
score X_OSIRU_SPAMWARE_SITE  0
#I don't like the idea of checking these, and the scores aren't very high
score RCVD_IN_MULTIHOP_DSBL  0
score RCVD_IN_UNCONFIRMED_DSBL   0

#default scores too low to be worth running
# kill anything > 0.01
#score EXPECT_TO_EARN 0.008
#score SUPERLONG_LINE 0.009
#score MIME_BOUND_DIGITS_3 0.009
#score BIG_BUCKS  0.003
#score GAPPY_TEXT 0.005
#score RESERVES_RIGHT 0.008
#score USER_AGENT_OUTLOOK -0.006
#score GIFT_CERTIFICATE   0.004

score EXPECT_TO_EARN 0
score SUPERLONG_LINE 0
score RISK_FREE  0
score MIME_BOUND_DIGITS_3 0
score BIG_BUCKS  0
score GAPPY_TEXT 0
score RESERVES_RIGHT 0
score USER_AGENT_OUTLOOK 0
score GIFT_CERTIFICATE   0

At 01:00 PM 10/23/2002 -0600, Gustave Eiffel wrote:

>Hello all,
>
>I am using spamc for all users through /etc/procmailrc on 4 servers and
>spamassassin works great.  The problem is that it loads up the CPU to 4.0 and
>often 10.0 or above.  How can I reduce this?  Eliminate razor check is one I
>have seen on some other posts.  What would be the best to try?




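The two cutoffs from the CPU-usage reply above (under 0.5 for DNSBL rules, under 0.01 for everything else), applied mechanically, as an added example that is not part of the thread or of SpamAssassin: it reads rule definitions and default scores and emits the `score NAME 0` overrides for local.cf. The function names, the `dnsbl.example.` zone, the set names and the DNSBL scores in the sample are constructed for illustration.

```python
import re

# Constructed sample input. Rule names and the non-DNSBL scores appear in the
# messages above; the rbleval arguments (except HABEAS_HIL's) and the three
# DNSBL scores are made-up values.
SAMPLE_RULES = """\
header RCVD_IN_OSIRUSOFT_COM  rbleval:check_rbl('sample', 'dnsbl.example.')
header X_OSIRU_DUL_FH         rbleval:check_rbl('sample', 'dnsbl.example.')
header HABEAS_HIL             rbleval:check_rbl('hil', 'hil.habeas.com.')
score RCVD_IN_OSIRUSOFT_COM   0.4
score X_OSIRU_DUL_FH          0.3
score HABEAS_HIL              3.0
score EXPECT_TO_EARN          0.008
score BIG_BUCKS               0.003
score USER_AGENT_OUTLOOK      -0.006
score GAPPY_SUBJECT           1.3
score OFFER                   0.2
"""

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(.*)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(.+)$")


def parse_rules(text):
    """Return (names of DNSBL rules, {rule name: [score values]})."""
    dnsbl, scores = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := HEADER_RE.match(line):
            # A header rule that calls an rbleval test costs a DNS lookup.
            if m.group(2).startswith("rbleval:"):
                dnsbl.add(m.group(1))
        elif m := SCORE_RE.match(line):
            try:
                scores[m.group(1)] = [float(v) for v in m.group(2).split()]
            except ValueError:
                continue    # malformed score line: leave it for --lint
    return dnsbl, scores


def overrides(text, dnsbl_cutoff=0.5, rule_cutoff=0.01):
    """Build 'score NAME 0' lines for rules scoring below their cutoff."""
    dnsbl, scores = parse_rules(text)
    lines = []
    for name, values in scores.items():
        peak = max(abs(v) for v in values)   # negative scores count by size
        if peak == 0:
            continue                         # already disabled
        cutoff = dnsbl_cutoff if name in dnsbl else rule_cutoff
        if peak < cutoff:
            lines.append(f"score {name} 0")
    return lines


if __name__ == "__main__":
    print("\n".join(overrides(SAMPLE_RULES)))
```

Run `spamassassin --lint` after pasting the generated lines into local.cf, and restart spamd if it is in use.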


Re: [SAtalk] DNS blacklists

2002-10-23 Thread Matt Kettler
look for "check_rbl" and "check_rbl_results_for" in the EvalTests.pm file 
for the code.

As for the list of blacklists checked, look for rules calling them in 
20_head_tests.cf.

For example:
header HABEAS_HIL   rbleval:check_rbl('hil', 'hil.habeas.com.')

At 12:31 PM 10/23/2002 -0700, Chris Fortune wrote:
Can somebody please point me to the lines of code where SA
does it's DNS blacklist lookups.  Can't seem to find it



- Original Message -
From: "Matt Kettler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, October 23, 2002 10:26 AM
Subject: Re: [SAtalk] Spammers list!!!


> 1) that's not something SpamAssassin does, it doesn't work based on sender
> domains, it tags based on content.
>
> 2) that's not something anyone does in text form, you can however do DNS
> queries for blocked servers in various DNS blacklists. SpamAssassin does
> use a few DNS blacklists by default. Most DNS blacklists do not allow
> "small" users to download their entire zonefile, mostly because it's huge.
> If you're checking in excess of 100,000 messages a day, zone transfer is
> likely a good idea, but if you're doing 1,000 a day, it's going to be more
> of a burden on the blacklist server than you simply making queries for
> every email.
>
> At 05:01 PM 10/23/2002 +0100, [EMAIL PROTECTED] wrote:
> >Where can I get Text list of all blocked spammers domain names?
> >
> >So that I can download to my server
> >Thanks
> >
> >
> >Best Regards
> >O. TUNC ERESEN









RE: [SAtalk] how to reduce CPU useage. 70,000 users

2002-10-23 Thread Matt Kettler
*NOTE: the following is HUMOR.. do not take this as serious advice on how 
/dev/null works*

Are you sure? Couldn't the contents of /dev/null get corrupted if multiple 
threads are writing to it without locking? I know I generally read the 
contents of my /dev/null out into a debug logfile as a part of my hourly 
cron jobs. Don't you?

At 12:59 PM 10/23/2002 -0700, Steve Thomas wrote:
suggestion:
You don't need to specify file locking (the trailing ":" in ":0:") when
writing to /dev/null. :)






Re: [SAtalk] Is Razor making me think that I was compromised?

2002-10-21 Thread Matt Kettler
Quote from razor-users:
--
razor-agents use TCP port 7 (TCP echo) to determine what servers are
closest to it.

cheers,
vipul.


Razor2 also generates outbound TCP traffic to port 2703 on the razor 
servers. Razor 1 uses 2702 if I recall correctly.

At 02:06 PM 10/21/2002 -0400, [EMAIL PROTECTED] wrote:
I am getting hits on my firewall showing outbound packets with destination
port 7. Is it possible that Razor is doing this? If so, is it at all
documented just what ports are required to be left open in order to
successfully run SA/Razor?

Here are (some of) my hits:

Oct 20 18:53:25 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=216.52.13.94 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
SPT=43929 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:28 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=216.52.13.94 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
SPT=43929 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:29 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=209.204.62.150 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
SPT=43930 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:32 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=209.204.62.150 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
SPT=43930 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:33 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
SPT=43931 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:36 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=216.52.13.91 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
SPT=43931 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0

Thanks guys.

--
-Time flies like the wind. Fruit flies like a banana. Stranger things have -
-happened but none stranger than this. Does your driver's license say Organ
-Donor?Black holes are where God divided by zero. Listen to me! We are all-
-individuals! What if this weren't a hypothetical question? [EMAIL PROTECTED]
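
A triage sketch for the firewall question in this thread, added here as an example and not part of either post: it rejoins wrapped netfilter log entries, groups dropped outbound packets by destination and port, and labels the ports the reply names (7, 2703, 2702). The first two entries are copied from the post; the last two are constructed, and the function names and labels are this example's own.

```python
import re

# Ports named in the reply above; 2702 is given there as "if I recall correctly".
KNOWN_PORTS = {
    7: "razor server probe (TCP echo)",
    2703: "razor2",
    2702: "razor 1",
}

_SYSLOG_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d\s")
_FIELD = re.compile(r"(\w+)=(\S*)")

# Entries 1-2 are from the post (wrapped as mailed); entries 3-4 are constructed.
SAMPLE_LOG = """\
Oct 20 18:53:25 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=216.52.13.94 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
SPT=43929 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:53:28 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=216.52.13.94 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17664 DF PROTO=TCP
SPT=43929 DPT=7 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:54:01 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17701 DF PROTO=TCP
SPT=43940 DPT=2703 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 18:54:09 saturn kernel: DROP:IN= OUT=eth0 SRC=209.6.241.147
DST=192.0.2.20 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=17702 DF PROTO=TCP
SPT=43941 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def join_wrapped(log_text):
    """Rejoin entries that a mail client wrapped across several lines."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if _SYSLOG_START.match(line) or not entries:
            entries.append(line)          # a new syslog entry starts here
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries


def summarize_outbound(log_text, known_ports=KNOWN_PORTS):
    """Count outbound drops per (destination IP, destination port)."""
    summary = {}
    for entry in join_wrapped(log_text):
        fields = dict(_FIELD.findall(entry))
        # Outbound packets have OUT= set; skip anything without a port.
        if not fields.get("OUT") or "DST" not in fields or "DPT" not in fields:
            continue
        key = (fields["DST"], int(fields["DPT"]))
        label = known_ports.get(key[1], "unexplained")
        item = summary.setdefault(key, {"count": 0, "label": label})
        item["count"] += 1
    return summary


def unexplained(summary):
    """Destinations whose port is not accounted for by the known-port table."""
    return sorted(k for k, v in summary.items() if v["label"] == "unexplained")


if __name__ == "__main__":
    for key, item in sorted(summarize_outbound(SAMPLE_LOG).items()):
        print(key, item)
```
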









RE: [SAtalk] Odd intermittent failure, (RH8, SA 2.42, Perl 5.8) - Memory Leak?

2002-10-29 Thread Matt Kettler
Wait a second.. You're using 2.42 see this bug

http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1128

This bug appears to be fixed in 2.43.


At 02:17 PM 10/29/2002 -0600, James Bly wrote:

It looks like it may be some sort of memory leak in spamd.

A long ps gave me some additional relevant details to the problem. As you
can see, two spamd sessions are in lock_p state. There are also two spamc
connections in FIN_WAIT2.

000 S qd   22432 22431  0  75   0-   331 wait4  13:49 ?
00:00:00 /var/maildir/bin/qmail-qfilter /usr/bin/spamc -p
000 S qd   22352 22351  0  76   0-   331 wait4  13:42 ?
00:00:00 /var/maildir/bin/qmail-qfilter /usr/bin/spamc -p
000 S qd   22432 22431  0  75   0-   331 wait4  13:49 ?
00:00:00 /var/maildir/bin/qmail-qfilter /usr/bin/spamc -p
000 S qd   22352 22351  0  76   0-   331 wait4  13:42 ?
00:00:00 /var/maildir/bin/qmail-qfilter /usr/bin/spamc -p
000 S qd   22351  5516  0  75   0-   333 wait4  13:42 ?
00:00:00 /var/maildir/bin/qmail-smtpd
000 S qd   22431  5516  0  75   0-   333 wait4  13:49 ?
00:00:00 /var/maildir/bin/qmail-smtpd
140 S spamd  910 1  0  75   0-  4241 schedu Oct24 ?
00:00:40 /usr/bin/perl /usr/bin/spamd -u spamd -p 1212
040 D spamd22354   910 19  75   0- 33029 lock_p 13:42 ?
00:01:14 /usr/bin/perl /usr/bin/spamd -u spamd -p 1212
040 D spamd22434   910  2  75   0-  4299 lock_p 13:49 ?
00:00:00 /usr/bin/perl /usr/bin/spamd -u spamd -p 1212
000 S qd   22433 22432  0  76   0-   475 schedu 13:49 ?
00:00:00 /usr/bin/spamc -p 1212
000 S qd   22353 22352  0  76   0-   475 schedu 13:42 ?
00:00:00 /usr/bin/spamc -p 1212
000 R jbly 22436 22386  0  76   0-46 -  13:49 pts/2
00:00:00 grep spam

[jbly@boink jbly]$ ps -eo pid,min_flt,maj_flt,cmd | grep spam
  910 547971  15718 /usr/bin/perl /usr/bin/spamd -u spamd -p 1212 -d
22352 36316 /usr/mail/bin/qmail-qfilter /usr/bin/spamc -p 1212
22353 22152 /usr/bin/spamc -p 1212
22354  71900 197674 /usr/bin/perl /usr/bin/spamd -u spamd -p 1212 -d
22847 36316 /usr/mail/bin/qmail-qfilter /usr/bin/spamc -p 1212
22848 17122 /usr/bin/spamc -p 1212
22849   1383   1470 /usr/bin/perl /usr/bin/spamd -u spamd -p 1212 -d
22854 37148 grep spam

That 71900 minor page faults and 197674 major is rather concerning to
me. (Oh and for the record yes, the system is crawling right now.)

I also now see why it's intermittent. Spamd is hitting its bounds for memory
allocation and gets killed. However this will not happen if enough of these
stray spamd processes get run at once. The system simply can't recover fast
enough at that point.

So now I need to figure out where the leak is. Stay tuned. Same bat-time,
same bat-channel.

-James

> -Original Message-
> ...
> For your problem, first check any local IPTables firewall rules you have and
> make sure you're not doing something silly that will block fin packets that
> don't have the ack bit set.
> ...
>









Re: [SAtalk] blacklist_from_rcvd?

2002-10-31 Thread Matt Kettler
Actually, whitelist_from_rcvd takes two parameters and requires *both* a from 
line AND a received server match. It's not just a whitelisting of all mail 
delivered via a given server.

What you want would be blacklist_rcvd.. not blacklist_from_rcvd.

Unfortunately there's no direct support via whitelists and blacklists for 
accepting or blocking an entire server. All of the current 
whitelist/blacklist rules require a to or from line match. However you can 
do one of 2 things to get the effect you desire:

1) reject all mail from the server using /etc/mail/access. This causes your 
MTA (sendmail in most cases) to refuse delivery of email from a given 
server, domain, etc.

2) create a quick SpamAssassin rule that matches their server. The 
following will effectively blacklist any email which has a Received header 
indicating it passed thru a mailserver belonging to example.com.

header   MY_BLACKLISTED_RCVD   Received =~ /example.com/i
describe MY_BLACKLISTED_RCVD   custom rule
score    MY_BLACKLISTED_RCVD   100

At 11:34 AM 10/31/2002 -0800, David Brossard wrote:

I would very much like to blacklist email coming from a 
particular server. Problem is they use a different from address every 
time for blacklist_from will not catch it. Is there a way to do a 
blacklist_from_rcvd *.lamailer.com similar to the whitelist_from_rcvd?





Re: [SAtalk] AWL bug in 2.42?

2002-10-12 Thread Matt Kettler
Yes, the 2.42 AWL had a new feature that turned out to be a bug. It's also 
a problem that's already been recognized and is already fixed in CVS.

http://www.hughes-family.org/bugzilla/show_bug.cgi?id=1071

Relevant quotes:

--- Additional Comments From [EMAIL PROTECTED]  2002-10-08 06:51 ---
OK, it's a moot point; I've seen the light and reverted the change ;)

Kevin's point (dictionary attacks + a global AWL = whitelisting of
a spam-run while it happens) is the final nail in the coffin.  I
hadn't thought of that.

The code in CVS is now reverted.  mgm, fancy trying it out?


--- Additional Comments From Michael Moncur 2002-10-11 06:49 ---

OK, I did a quick test spamming myself. Seven messages in a row, same spam
test string, all scored 15.6. So the shrinking spam score issue is gone.

Then I sent myself some nonspam messages from the same account: scores 9.4,
8.7, 8.1... autoblacklist works.

Finally, sent myself nonspam from a different account, scored -2.7. Then
sent a 10-point spam from that account, scored 2.3. So the autowhitelist works.

I'd say this one's fixed.



At 04:43 PM 10/12/2002 -0400, Ollie Acheson wrote:
Same here. Lots of obvious spam, many rules invoked, but AWL letting
the dirt in. Very disappointing.

Ollie


On Mon, Oct 07, 2002 at 12:07:36PM -0500, Rob.Remus wrote:
> Since upgrading from 2.40 to 2.42 we have been seeing some strange stuff
> with the AWL.  We're getting obvious spam matching numerous rules, including
> the AWL, which results in negative scores, some < -90.
>






Re: [SAtalk] What happened? hits 5.6 but not spam?

2002-10-17 Thread Matt Kettler
Aye, the appropriate contact address for bonded sender violators is 
apparently [EMAIL PROTECTED] At least according to Andrew Flury in 
a bugzilla bug discussing bondedsender. (bug 1052)

They've already canceled brassring's bondedsender status, so they 
apparently do take some action against violators. How much is hard to say 
since the website does not detail how much of a charge is applied against 
the bond per complaint.


At 11:27 AM 10/17/2002 -0500, Chris A. Kalin wrote:
Only thing I can see that would put it way under would be
RCVD_IN_BONDEDSENDER, which means that this sender is in the Bonded Sender
program (www.bondedsender.com), kind of a "white list" for non-spammers.  If
you believe this is spam, report it to the Bonded Sender guys and they'll
take action (so their web site says).

Chris Kalin







RE: [SAtalk] What happened? hits 5.6 but not spam?

2002-10-17 Thread Matt Kettler
Bonded sender isn't a header, it's a DNS whitelist. So bonded sender lists 
the IP addresses of mailservers and SA checks the IPs in the received-from 
headers. I'm not sure how far back SA goes, but it presumably only checks 
the most recent few received-from headers, which makes it hard to spoof 
unless you find a server in bonded sender which is an open relay.

At 12:38 PM 10/17/2002 -0400, Mike Schrauder wrote:
Thanks Chris and John.  This address receives 0 legit mail.  I only kept 
it around for testing SA.  But in truth, it is CNET mail that looks like 
legit opt-in email.  Might just be a legit glitch in CNET's db.  I had not 
heard of bondedsender.com.  Thanks for the info.  How do they prevent 
spammers from spoofing bonded sender headers?  Thanks.

Mike Schrauder






RE: [SAtalk] What happened? hits 5.6 but not spam?

2002-10-17 Thread Matt Kettler
SpamAssassin certainly does check multiple received-from headers for 
DNSBLs, in fact, it's configurable. I'm not sure if this setting applies to 
bondedsender checks or not. In any event there is likely a limit on the 
number of reverse headers that are checked for bonded sender and that alone 
will make it by far more difficult to fake a bondedsender, which is the 
real point.

from the Mail::SpamAssassin::Conf manfile:

num_check_received { integer }   (default: 2)
   How many received lines from and including the original mail
   relay do we check in RBLs (you'd want at least 1 or 2).  Note
   that for checking against dialup lists, you can call check_rbl
   with a special set name of "set-firsthop" and this rule will
   only be matched against the first hop if there is more than one
   hop, so that you can set a negative score to not penalize people
   who properly relayed through their ISP.  See dialup_codes for
   more details and an example

Ideally you'd want bondedsender only checked back to the first 
received-from line added by one of your MTAs and not any others. For DNSBLs 
you might want to search back a bit further to catch blacklisted servers in 
multi-hop relays, etc. It would probably be a pain to have separate "dns 
whitelist" vs "dns blacklist" num_checked_received values, but that might 
be a worthwhile feature for SA to have.


At 01:16 PM 10/17/2002 -0500, [EMAIL PROTECTED] wrote:
Or a spammer adds a Received line that makes it appear as if the message
was relayed through bondedsender.com.  Easily done.  To the best of my
knowledge, I think DNSBl lookups are only done on the IP communicating
with your MTA.  That's what I've always experienced with the DNSBls I use
from Sendmail.  SA could very well look back through a couple Received
lines though.  Can't say for certain.  Seems unlikely to me though.

Justin







RE: [SAtalk] What happened? hits 5.6 but not spam?

2002-10-17 Thread Matt Kettler
True, the past headers may be untrustworthy, however until bondedsender was 
added, all the "older" received-from headers could possibly do is hurt you, 
since they are used for dns blacklists. Hence digging deep was not a 
problem. Want to insert lots of forged headers on a blacklist only version 
of sa? knock yourself out, all you can do is wind up accidentally adding an 
IP for a blacklisted server and decrease your score.

Only now that there's bondedsender (2.4.2 and higher?) can forging a 
received-from header actually help you by making you match a whitelist, 
hence my comment that it might be worthwhile to have separate black and 
whitelist search depths. Searching deep on blacklists is no big deal, all a 
spammer can do is hurt themselves, searching deep on whitelists allows them 
to forge their way into being through a bondedsender server, when in fact 
they are not.

In an ideal world you'd check all received from headers against the DNS 
blacklists, but only check the "trusted" ones (ie: ones generated by 
mailservers in your path) for whitelisting rules. But as I said, separating 
those might be a pain code wise.


At 02:01 PM 10/17/2002 -0500, [EMAIL PROTECTED] wrote:
Interesting.  I wouldn't have expected SA to do that.  It makes me wonder
if that's really a good thing.  The last (most recent) Received line is
usually the only one you can trust (unless you have an anti-virus or pure
email gateway ahead of your primary MTA).  Beyond that they are to be
taken with a 50lbs block of salt.  Going back into the Received lines past
the ones you know you can trust makes me leery.  I don't know that it's a
good thing.  I'm gonna have to think on that a bit.  The only real way I
can see that it could hurt you is if the forged Received line matches a
negative scoring rule like the bondedsender rule.  Other than that I guess
all it could really do is make your SA box work a little harder by doing
more DNS lookups.  If your DNS system is having load issues, this would be
a good thing to set to 1.  Other than that, I really can't think of any
other way it could hurt you.  Still, I might be more fond of only looking
up the last Received line unless you know that your MTA is 2-3 levels deep
in your own mail system.

Justin
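
The split proposed in this exchange (check every Received header against DNS blacklists, but only the trusted ones against DNS whitelists), sketched as an added example; it is a simplified model and not SpamAssassin's code. The list contents, scores, hostnames and messages are constructed, and counting depth from the newest header is this example's assumption.

```python
import re

# Constructed list contents (documentation-range IPs), not real list data.
DNS_BLACKLIST = {"203.0.113.50"}
DNS_WHITELIST = {"198.51.100.25"}   # stand-in for a bonded-sender style whitelist
BLACKLIST_SCORE = 3.0               # assumed scores, for illustration only
WHITELIST_SCORE = -10.0

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_headers):
    """Return the relay IP of each Received header, newest (topmost) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # join folded lines
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            match = _BRACKETED_IP.search(line)
            ips.append(match.group(1) if match else None)
    return ips


def list_score(raw_headers, blacklist_depth, whitelist_depth):
    """Score a message against both lists.

    A depth of N checks the N newest Received headers; None checks all.
    """
    ips = relay_ips(raw_headers)
    score, hits = 0.0, []
    for ip in ips[:blacklist_depth]:
        if ip in DNS_BLACKLIST:
            score += BLACKLIST_SCORE
            hits.append("blacklist:" + ip)
    for ip in ips[:whitelist_depth]:
        if ip in DNS_WHITELIST:
            score += WHITELIST_SCORE
            hits.append("whitelist:" + ip)
    return score, hits


# Constructed message: only the top header was written by our own MTA.
# The second header is forged by the sender to name a whitelisted relay.
FORGED_WHITELIST = (
    "Received: from mail.sender.example (unknown [192.0.2.77])\n"
    "\tby mx.mysite.example with ESMTP; Thu, 17 Oct 2002 14:00:02 -0500\n"
    "Received: from bonded.example ([198.51.100.25])\n"
    "\tby mail.sender.example; Thu, 17 Oct 2002 14:00:01 -0500\n"
    "Subject: constructed sample\n"
)

# Same message, but the older hop names a blacklisted server instead.
DEEP_BLACKLISTED = FORGED_WHITELIST.replace("198.51.100.25", "203.0.113.50")

if __name__ == "__main__":
    # One shared depth of 2: the forged header earns the whitelist bonus.
    print(list_score(FORGED_WHITELIST, 2, 2))
    # Split depths: blacklists see every hop, whitelists only the trusted hop.
    print(list_score(FORGED_WHITELIST, None, 1))
    print(list_score(DEEP_BLACKLISTED, None, 1))
```

With a whitelist depth of 1 the forged hop no longer lowers the score, while a blacklisted hop anywhere in the chain still raises it.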







Re: [SAtalk] (no subject)

2002-11-04 Thread Matt Kettler
Got any statistics to show it's got a good S/O?

I know several spammers forge eudora headers, so I don't know for sure that 
such a rule would wind up scoring negative when evaluated.

It might have even been a rule at one point and got dropped when they 
pruned all the nonspam rules with S/O over 0.3 (ie: 30% of the matches were 
spam matches)


At 06:20 PM 11/4/2002 -0500, Randall Blank wrote:
Is there a reason why I don't see an "X-Mailer header indicates a non-spam 
MUA" rule for Eudora?


--
Randall Blank
[EMAIL PROTECTED]










Re: [SAtalk] Custom Rule bein ignored

2002-11-04 Thread Matt Kettler
Re-read the suggested rule I gave you, it does NOT contain a *. In fact, 
it's a regex syntax error to have the * where you put it.

When adding custom rules I strongly recommend that you run spamassassin 
--lint so you can see it complain about syntactic errors like your version 
had. Under normal running conditions SA has no place to complain about the 
errors, so it just silently skips the rule.


The proper format would be:

header    MY_BLACKLISTED_RCVD Received=~/coolfunpages\.com/i
describe  MY_BLACKLISTED_RCVD custom rule
score     MY_BLACKLISTED_RCVD 100


note: I've removed the *, added a \ in front of the . and I've added an i 
to the end.

The original rule I suggested didn't have the \. but that's a relatively 
minor bug. It did correctly have the i at the end and no *'s in it.


At 09:57 AM 11/4/2002 -0800, Brossard, David wrote:
I asked earlier about a way to block messages if they are
received from a certain set of servers. Someone very kindly provided me
with a custom rule to filter them out via header info. Unfortunately no
matter what I try the new custom rule is being ignored. I have other
custom headers which seem to work fine. Here is the non working rule:

header    MY_BLACKLISTED_RCVD Received=~/*coolfunpages.com/
describe  MY_BLACKLISTED_RCVD custom rule
score     MY_BLACKLISTED_RCVD 100


Here is a snippet from the headers of this mail getting through:

---
Received: from mail109.coolfunpages.com (mail109.coolfunpages.com
[64.49.246.143])

X-Spam-Status: No, hits=3.6 required=7.0
tests=CLICK_BELOW,CLICK_HERE_LINK,EXCUSE_16,FOR_FREE,

HTML_FONT_COLOR_GRAY,HTML_FONT_COLOR_RED,MAILTO_LINK,OFFER,
  SPAM_PHRASE_13_21,SUPERLONG_LINE,WEB_BUGS
version=2.41
X-Spam-Level: ***
---

I have also tried ALL=~/*coolfunpages.com/
To make it easier for testing. It is still ignored when I put
coolfunpages.com in the subject line.
Does anyone see a typo or syntax error here that I am overlooking?
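
A small pre-check for header rules like the ones in this thread, added here as an example and not taken from either post or from SpamAssassin: it reports a regex that will not compile (the leading `*`), an unescaped `.`, and a missing `i` flag, then shows what each rule variant matches. Python's `re` stands in for Perl's regex engine, which is an assumption; the look-alike hostname and the unescaped variant are constructed, and `spamassassin --lint` remains the real check.

```python
import re

# header NAME Field =~ /regex/flags   (whitespace around =~ is optional here)
_RULE = re.compile(r"^header\s+(\S+)\s+(\S+?)\s*(=~|!~)\s*/(.*)/([a-z]*)\s*$")

AS_POSTED = "header  MY_BLACKLISTED_RCVD Received=~/*coolfunpages.com/"
CORRECTED = r"header  MY_BLACKLISTED_RCVD Received=~/coolfunpages\.com/i"
UNESCAPED = "header  MY_BLACKLISTED_RCVD Received=~/coolfunpages.com/i"  # constructed

# Received value from the post, and a constructed look-alike host.
PAGE_HEADER = "from mail109.coolfunpages.com (mail109.coolfunpages.com [64.49.246.143])"
LOOKALIKE = "from mail.coolfunpagesXcom.example ([192.0.2.9])"


def parse_header_rule(line):
    """Split a header rule line into its parts, or return None."""
    match = _RULE.match(line.strip())
    if not match:
        return None
    name, field, op, pattern, flags = match.groups()
    return {"name": name, "field": field, "op": op,
            "pattern": pattern, "flags": flags}


def lint_header_rule(line):
    """Return a list of problems found in one header rule line."""
    rule = parse_header_rule(line)
    if rule is None:
        return ["error: not a 'header NAME Field =~ /regex/flags' line"]
    try:
        re.compile(rule["pattern"])
    except re.error as exc:
        return ["error: regex does not compile (%s); rule would be skipped" % exc]
    problems = []
    # Heuristic: a '.' with no backslash before it and no quantifier after it.
    if re.search(r"(?<!\\)\.(?![*+?{])", rule["pattern"]):
        problems.append("warning: unescaped '.' matches any character")
    if "i" not in rule["flags"]:
        problems.append("warning: no /i flag, match is case-sensitive")
    return problems


def rule_matches(line, header_value):
    """True/False for a usable rule; None when the rule cannot be used at all."""
    rule = parse_header_rule(line)
    if rule is None:
        return None
    try:
        compiled = re.compile(rule["pattern"],
                              re.I if "i" in rule["flags"] else 0)
    except re.error:
        return None   # mirrors the silent skip described in the reply
    found = compiled.search(header_value) is not None
    return found if rule["op"] == "=~" else not found


if __name__ == "__main__":
    for label, rule in (("as posted", AS_POSTED), ("corrected", CORRECTED),
                        ("unescaped", UNESCAPED)):
        print(label, lint_header_rule(rule),
              rule_matches(rule, PAGE_HEADER), rule_matches(rule, LOOKALIKE))
```
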












Re: [SAtalk] Failed to run header SpamAssassin tests

2002-11-04 Thread Matt Kettler
run spamassassin --lint, and spamassassin -tD 

It looks like one of your custom rules has a typo in it and spamassassin is 
barfing trying to read your rule files. In particular I'd look for a rule 
that's missing the ending / or /i, or anything containing ") ~" (minus the 
quotes).

spamassassin -tD 

The rule typo is going to be what causes those error messages, and is 
likely causing the custom rule you included in your email to be ignored. In 
general when SA encounters a typo it might wind up ignoring a LARGE number 
of rules before it can begin to parse again. This is particularly true for 
regex rules that "don't end" :)



At 11:08 AM 11/4/2002 -0800, Chris wrote:
Hello,

  I'm getting the following error message when running spamd,
 --
(chris)(ralph|.spamassassin)$ Failed to run header SpamAssassin tests, 
skipping
some: syntax error at (eval 15) line 59, near ") ~"
syntax error at (eval 15) line 67, near ") ~"
syntax error at (eval 15) line 552, near ";
}"
 --
 I have no idea where to fix this. Any help would be appreciated.

 Also, I cannot tell if what is wrong with my test rules, I never get any matches
 no matter where I put them. How can I tell where the rules are being read from??
 -
 header THIS_IS_A_TEST   Subject =~ /this is a test/i
 score  THIS_IS_A_TEST   28
 --

Thanks, Chris








Re: [SAtalk] Understanding Spamassassin

2002-11-04 Thread Matt Kettler
Well I can answer some parts of your question. First I'll refer you to the 
man file.

man Mail::SpamAssassin::Conf

This will tell you how to format whitelist and blacklist commands.

Put your own custom rules/whitelists/blacklists in your 
~/.spamassassin/user_prefs (the one in your home directory) or 
/etc/mail/spamassassin/local.cf.

If you want some example rules, you can look at the standard rules in 
/usr/share/spamassassin/  (note: might be /usr/local/share/spamassassin on 
some setups). It is possible to edit these files directly however I'd 
strongly advise you not do so, since the changes will be obliterated when 
you upgrade. You can turn off any rules you don't like in the default set 
by forcing their score to 0 in your user_prefs or local.cf.


Since bayes isn't in the officially released version of SA, and I'm not 
running a CVS version, I can't help you with bayes configuration.


The big "modules" of SpamAssassin to be aware of when setting up your 
configuration are: (in rough order of importance, you probably won't need 
to think about all of these)

1) manual whitelist/blacklist entries.
2) the DNS blacklists (ie: RCVD_IN_OSIRUSOFT)
3) the auto-whitelist (if you have turned it on) also called the AWL
4) If you want to use them, the optional razor, razor2, pyzor, and 
DCC systems that SA is capable of calling.
5) the language/locality preferences of SA (also described in the 
above man page) if you want to use that feature to blacklist some languages.

There are a couple of others you shouldn't need to know much about, but 
might want to tinker with later on as you become an "advanced" user.
1) the bayesian filter, when it's released.
2) the regex based header/body/rawbody rules and their respective 
scores. (some users add their own regex rules, but there's no strict need 
for you to do so to make SA work)
3) the eval rules which call functions in evaltests.pm (note: this 
is pretty advanced and requires a good knowledge of perl, generally only 
developers need to work on this part)


At 07:40 PM 11/4/2002 +0100, Thomas Nyman wrote:
Hi

Thankfully spamassassin works without much configuration. However it's very
hard to learn how to do special configurations. I have looked thoroughly
at the documents on the Spamassassin.org site, and I have also looked at
man spamassassin. Still I do not comprehend basics...I'm sure it's my
fault, still it leaves me wanting.

What I can't seem to fathom is HOW configuration changes are made. What
are the different Mail_Spamassassin , Mail_Spamassassin_Bayes,
Mail_Spam_Assassin_Conf etc? Are they Perl scripts that do something?

Let me take an example..I was thinking of setting up whitelist and
blacklist ... but how seems hard to discover

I have noted my Spamassassin folder in my home directory and I know there
is a file for user configuration..but I need to get a feel for
Spamassassin and for any "modules" (for lack of a word).

I may not be making myself clear..english may be a global language but it
isn't my native tongue.

Anyway, hopefully someone understands my problem and takes pity. Please
don't tell me to read the manual, because it hasn't helped so far :)

Thomas











Re: [SAtalk] AWL issue

2002-10-18 Thread Matt Kettler
What version of SA are we talking about?

If it's 2.43, the AWL tracks both the from address AND the originating IP. 
It would be highly unlikely that a spammer could forge such a thing and 
drive their score up.

Can you provide some more detail about which SA you are running? There's 
major changes from 2.3.x to 2.4.0 and more in 2.4.2 and still more for 2.4.3.

I wouldn't trust the AWL in 2.4.2 any further than I could throw a server room.


At 10:55 AM 10/18/2002 -0400, Rose, Bobby wrote:
Should SA have a minimum message size check to counter an AWL score.  I
had someone sending test messages, but because their AWL score was 23.5
it was tagged as spam.  I'm still scratching my head on how they got
such a high AWL score.

My thought on that matter is that if a spammer was to send to their
external account using the user's email address as the return address
and that system forwards the message on, then the system here will
consider the message as SPAM under their address.  Does this sound
plausible?

-=B







Re: [SAtalk] Re: Why the score is at -68.3

2002-10-18 Thread Matt Kettler
Aye, merely upgrading SA won't help, since your AWL database already has 
heavily biased scores.. it will just stop more from being created.

Delete your awl database and let it start from scratch. This should be in 
the ~/.spamassassin directory for the user running SA.

At 09:15 AM 10/18/2002 +0200, Vincent Nainemoutou wrote:

I updated my SA config to 2.43, and the problem still occurs.
I try to remove the AWL, thank you for any other suggestions.
--V



From: "Artprice.com" <[EMAIL PROTECTED]>
To: 
Subject: Art Market Watch - Surveillez le marche de l'Art
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=-70.6 required=5.0
tests=AWL,BIG_FONT,CTYPE_JUST_HTML,EXCUSE_3,
HTML_COMMENT_UNIQUE_ID,HTML_FONT_COLOR_RED,
HTTP_WITH_EMAIL_IN_URL,MAILTO_LINK,SPAM_PHRASE_03_05, USER_IN_BLACKLIST
version=2.43
X-Spam-Level:

>
>   All, please find enclosed a message header I am trying to tag. It is
>working for all other blacklist_from. I don't understand why the score is
>negative. I did not notice any problem in my local.cf file.
>
>   Thanks for any advice.
>   --Vincent
>










Re: [SAtalk] Nigerian spam scores 3.1 in SA 2.43?

2002-10-18 Thread Matt Kettler
The Nigerian scam rules need a serious revisiting. These spams are mutating 
to avoid the high-scoring rules, and the "general" rules like 
NIGERIAN_TRANSACTION1 hit a modest amount of nonspam so they don't wind up 
scoring high enough. They are also mutating heavily enough to avoid razor 
in many cases, which was another large contributor to SA's ability to catch 
Nigerian scams.

0.208  0.899  0.072  0.93  0.51  0.20  NIGERIAN_TRANSACTION_1

In the past, all the strength was in this rule, but mutations have caused 
it to be a low-hit frequency rule. The GA didn't even score it, it hit so 
rarely.

0.001  0.006  0.000  1.00  0.48  1.00  NIGERIAN_SCAM

At 06:10 PM 10/18/2002 +0100, Tony Hoyle wrote:

It was obviously Nigerian spam, and doesn't seem to be any different from
other ones (other than coming from the Nigerian National Petroleum
corporation
instead of the government).







Re: [SAtalk] 2.43 requirements

2002-10-18 Thread Matt Kettler
I'd just do:

perl -MCPAN -e shell

install HTML::Parser

and allow it to install dependencies as needed. If you set your cpan to not 
prompt for dependencies you might have to change that option.

At 03:23 PM 10/18/2002 -0400, Ryan wrote:
I am reading through the requirements, and see the need to
install HTML::Parser. Does anyone have a guide on installing
this? I tried to pull the individual modules down, but they
in turn have requirements. I am strapped for time, and can't
wander through source at the moment.

Thanks for any info,
Ryan







Re: [SAtalk] SA website

2002-10-25 Thread Matt Kettler
These pages are autogenerated from the rules files, and some rules have 
descriptions available in multiple languages, some do not. I'm guessing 
that the French language is the last one included and winds up over-writing 
the English descriptions when the page is auto-generated.

Oops :)

At 02:20 PM 10/25/2002 -0500, Frank Pineau wrote:
What's the deal with http://www.spamassassin.org/tests.html being half
English/half French?




Re: [SAtalk] TOD score for SPAM

2002-10-24 Thread Matt Kettler
No need to actually run the GA.. a simple mass-check would be enough to see 
if the S/O was reasonable. If you have a corpus (ie: a pile of spam and 
nonspam in unix mbox format) check the masses directory of the SA tarball.

I suspect against my corpus it will be horrid since some of the mailing 
lists I'm on are active 24-7. (saDev is a good example, but it's not part 
of my stock corpus due to it heavily biasing body tests). Any mailing lists 
with a good user-base spanning the globe (some in US, some in UK, some in 
various parts of Europe, some in Asia, some in Australia, etc, etc, etc) 
are going to have a lot of email on them at all hours of the day due to 
"prime time for normal email" being mid-day wherever the sender lives.


At 01:44 PM 10/24/2002 -0500, SpamTalk wrote:
Would the delivery time of day be a useful value for nudging the score for
spam? Is there an easy way to test this in the GA?






Re: [SAtalk] rbl checks appear to not be working

2002-10-24 Thread Matt Kettler
Is it possible your DNS server was wedged somehow?

If you get it to happen again, try the debug run of SA and see what you get.

At 01:45 PM 10/24/2002 -0400, Eric Mings wrote:


The strange thing is that it _was_ working fine until the last day or so.
I just restarted my mailserver and my dns server and now everything is
working again- spamassassin is doing rbl lookups. It seems very odd to
me. I cannot see what could have caused it to stop and now work after restart.
--
Regards,

Eric Mings






Re: [SAtalk] rbl checks appear to not be working

2002-10-24 Thread Matt Kettler
Ok, there's not a lot of detail about your problem, but here's some general 
things I'd suggest.

First, make sure you have Net::DNS installed and your DNS lookup works.

Run from the command line:
spamassassin -tD 

Look at the output to see if it even thinks it is trying or if it thinks 
DNS is unavailable.

If it just stopped recently, then something has likely changed with your 
config.
Have you been editing any files in /usr/share/spamassassin? or your 
local.cf or user_prefs? Did you run spamassassin --lint afterwards? A typo 
in a rule can sometimes cause SA to skip large chunks of the rulefiles.. 
always run --lint afterwards to see if you've made errors.


At 09:49 AM 10/24/2002 -0400, Eric Mings wrote:

I noticed a dramatic increase in spam that was not being identified
properly by spam assassin on my setup in the last 24 hours. It appears
that for some unknown reason spamassassin is not doing the rbl checks
now. I see no spam that has rbl tags and my nameserver is not caching the
rbl listings as usual (indicating they had been queried). Any suggestions
as how to further investigate this or what to do would be greatly
appreciated. The server has been running continuously for a couple weeks
and this just developed the last day so it doesn't make any sense to me.
Thanks in advance for suggestions.

--
Regards,

Eric Mings





Re: [SAtalk] No score assigned > SpamAssassin ()

2002-10-24 Thread Matt Kettler
This is a MailScanner issue; it happens when MailScanner times out 
SpamAssassin and kills it.
Unfortunately by default MailScanner gives SA 30 seconds to run, and 
SpamAssassin gives a 30 second timeout to DNS blacklist lookups. Hence, 
anytime a DNSBL becomes unavailable, by default SA will get killed by MS.

Either decrease SpamAssassin's DNS blacklist timeout, or increase 
MailScanner's SpamAssassin timeout.

I changed SpamAssassin's timeout for DNSBLs by editing MailScanner's 
spam.assassin.user.prefs to include:

#the following reduces the time for a run of SA
#but risks timing out valid blacklist data or falsely claiming no mx for from.
#it is still better to timeout a blacklist than
#to have mailscanner timeout SA and skip it entirely
check_mx_attempts 2
check_mx_delay  3
rbl_timeout 10
razor_timeout 10

I changed MailScanner's maximum SA run time by editing mailscanner.conf:
SpamAssassin Timeout = 40


At 10:59 AM 10/24/2002 -0400, Stephen Groundwater wrote:
I've been seeing a lot of messages slip into our system which have no SA
score assigned.
X-MailScanner-SpamCheck: not spam, SpamAssassin ()

Can someone shed light on how these are getting through? Enclosed is a
sample header.
I'd also be curious if others have seen this problem.
(I did try looking for answers in the mail archive, maybe I missed
something)

Thanks in advance.
Steve G

CLIP
---
Received: from webshield([10.1.1.21])
by pa-gwpri2.klehr.com; Sat, 19 Oct 2002 19:05:13 -0400
Received: FROM spambuster.klehr.com BY webshield ; Sat Oct 19 18:59:17
2002 -0400
Received: from servidor.altran.com.br
(IDENT:[EMAIL PROTECTED] [200.207.42.122])
by spambuster.klehr.com (8.11.6/8.11.6) with ESMTP id g9JN2dF27186;
Sat, 19 Oct 2002 19:02:39 -0400
Received: from lycoseumailbox.caramail.com
(ppp-63-198-17-135.dialup.chic01.pacbell.net [63.198.17.135])
by servidor.altran.com.br (8.9.3/8.8.7) with ESMTP id VAA04267;
Sat, 19 Oct 2002 21:10:14 -0200
Message-ID:
<177f3d23$2cfb$[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
From: "Jimmy Asher" <[EMAIL PROTECTED]>
Subject: i need to talk to you about your septic tank
VHDQXB
Date: Sat, 19 Oct 2002 15:53:16 -1900
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Reply-To: [EMAIL PROTECTED]
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck-SPAMBUSTER: not spam, SpamAssassin ()


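The timeout relationship described in the reply above, written as a consistency check. This is an added example, not part of the original post or of either project's code; the option names and values are the ones quoted in the message, and adding the individual waits together is an assumption that gives a conservative upper bound.

```python
import re

# Defaults as stated in the post: SpamAssassin waits 30 s on DNS blacklist
# lookups, and MailScanner gives SpamAssassin 30 s in total.
DEFAULT_RBL_TIMEOUT = 30
DEFAULT_MS_SA_TIMEOUT = 30

# The settings quoted in the message.
POSTED_SA_PREFS = """\
#the following reduces the time for a run of SA
check_mx_attempts 2
check_mx_delay  3
rbl_timeout 10
razor_timeout 10
"""
POSTED_MS_CONF = "SpamAssassin Timeout = 40\n"


def parse_sa_prefs(text):
    """Return {option: seconds_or_count} for 'name <integer>' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s+(\d+)$", line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts


def parse_mailscanner_conf(text):
    """Return {lower-cased key: value} for 'Key = value' lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[" ".join(key.split()).lower()] = value.strip()
    return conf


def check_timeouts(sa_text, ms_text):
    """Compare SpamAssassin's network waits with MailScanner's kill timer."""
    sa = parse_sa_prefs(sa_text)
    ms = parse_mailscanner_conf(ms_text)
    ms_timeout = int(ms.get("spamassassin timeout", DEFAULT_MS_SA_TIMEOUT))

    waits = {"rbl_timeout": sa.get("rbl_timeout", DEFAULT_RBL_TIMEOUT)}
    if "razor_timeout" in sa:
        waits["razor_timeout"] = sa["razor_timeout"]
    if "check_mx_attempts" in sa and "check_mx_delay" in sa:
        # Assumption: bound the MX check by attempts * delay.
        waits["check_mx"] = sa["check_mx_attempts"] * sa["check_mx_delay"]

    # Any single wait that can outlast MailScanner's timer gets SA killed
    # whenever that one service hangs.
    problems = sorted(n for n, secs in waits.items() if secs >= ms_timeout)
    # Assumption: the waits happen one after another (worst case).
    worst_case = sum(waits.values())
    return {
        "mailscanner_timeout": ms_timeout,
        "waits": waits,
        "worst_case": worst_case,
        "problems": problems,
        "fits": worst_case < ms_timeout,
    }


if __name__ == "__main__":
    print("defaults:", check_timeouts("", ""))
    print("posted  :", check_timeouts(POSTED_SA_PREFS, POSTED_MS_CONF))
```

With both files left at the defaults the check reports `rbl_timeout` as a problem, which is the "SpamAssassin ()" case in the question; with the posted settings every wait fits inside the 40 second limit.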


Re: [SAtalk] how to reduce CPU useage. 70,000 users

2002-10-24 Thread Matt Kettler
Ok,  /usr/share/spamassassin/ files are NOT intended for you to edit. They 
will be obliterated when spamassassin is upgraded. And yes, you will 
eventually want to upgrade. If for no reason other than the fact that the 
patterns present in spam change over time, and eventually old versions of 
SA become less and less effective against spam without extensive manual 
configuration.

Hence local.cf exists for the purpose of you making your own, custom 
changes on a site wide basis without getting wiped out when you upgrade. 
Any scores in local.cf take priority over those in /usr/share/spamassassin/*

I would strongly recommend never editing your /usr/share/spamassassin files 
unless you don't care if those changes get wiped out. ie: if you know the 
latest CVS version has a bug fix for a typo in a rule, sure.. apply it, 
because that change will likely be in the next release, but don't go adding 
your own rules and site performance tuning settings there.


At 03:35 PM 10/23/2002 -0600, Gustave Eiffel wrote:
This may be a bit of a stupid question but...

I have all the config files in /usr/share/spamassassin/
eg 10_misc.cf and 20_body_tests.cf etc

Where does /etc/mail/spamassassin/local.cf fit into this?

The config below should go where?  Into the local.cf?

Some explanation of how this works would really be appreciated .


Mark

Quoting Matt Kettler <[EMAIL PROTECTED]>:






Re: [SAtalk] Permanent whitelist--newbie Q's

2002-10-24 Thread Matt Kettler
/etc/mail/spamassassin/local.cf is the generally recommended filename

At 08:38 AM 10/24/2002 -0500, John Lederer wrote:

I am new to SA.  I am using, site wide, SA 2.43.

I want to preserve, from update to update, a few additions we have made to 
the whitelist.

I think I need to create a directory "/etc/mail/spamassassin" and create a 
.cf file with my additions in it.

What I am unclear on is what the name of this .cf file should be 
"60_whitelist.cf"? "65_whitelist.cf"? "mypermanentwhitelist.cf"?
I also do not understand whether sa adds the names in my 
/etc/mail/spamassassin/ cf file to those in /usr/share/spamassassin/ or 
substitutes them.

Thanks.

John Lederer





Re: [SAtalk] Is Razor making me think that I was compromised?

2002-10-21 Thread Matt Kettler
I doubt razor will fail, but it won't likely work as well as it should.

As far as security goes, I think you're over-stating the problem. (Yes, I 
will take the stand that I do know my hind-end from a hole in the wall on 
this topic, although I'm not an industry expert.)

You can't be part of a loop if nobody can connect to these daemons on your 
servers.

You can prevent local users from creating loops between pairs of outside 
servers by filtering all outbound packets with spoofed source IPs.

This is clearly client traffic to these daemons on outside servers from 
valid, unprivileged local ports on your servers. It's harmless, get over it 
and restructure your rules.

At 03:03 PM 10/21/2002 -0500, [EMAIL PROTECTED] wrote:
This is a bad choice for a port IMHO.  Frankly every firewall I set up
(and have seen up close) blocks tcp/udp 1-19.  Those services have no
purpose on the Internet at large IMHO.  They are plagued with security
issues and under-maintained source projects.

I wonder if Razor will fail if tcp/7 is blocked.  The box I'm testing SA
on (with Razor) isn't yet behind a firewall.

Justin

On Mon, 21 Oct 2002, Matt Kettler wrote:

> Quote from razor-users:
> --
> razor-agents use TCP port 7 (TCP echo) to determine what servers are
> closest to it.
>
> cheers,
> vipul.
> 
>
> Razor2 also generates outbound TCP traffic to port 2703 on the razor
> servers. Razor 1 uses 2702 if I recall correctly.
>
> At 02:06 PM 10/21/2002 -0400, [EMAIL PROTECTED] wrote:
> >I am getting hits on my firewall showing outbound packets with destination
> >port 7. Is it possible that Razor is doing this? If so, is it at all
> >documented just what ports are required to be left open in order to
> >successfully run SA/Razor?
> >
> >Here are (some of) my hits:








Re: [SAtalk] 2 spam message not caught even after reporting to Razor (4.80 hits)

2002-10-25 Thread Matt Kettler
I took the first message in this, removed the spammotel banner HTML and the 
SpamAssassin markups and ran it through 2.43. Are you running SpamAssassin 
with all the DNSBLs turned off? I get a lot of points hit for the DNSBLs 
alone and spamassassin does work without DNSBLs, but not nearly as well.

As for the razor report, it's usually advised to report unmunged emails, 
this email has clearly been munged by spammotel. You also may not yet have 
a sufficient trust rating to cause an email to be listed in razor2 based 
only on your single submission.


I got:
SPAM:  Start SpamAssassin results --
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details:   (9.90 hits, 5.9 required)
SPAM: CLICK_BELOW (0.3 points)  BODY: Asks you to click below
SPAM: SPAM_PHRASE_21_34 (1.9 points)  BODY: Spam phrases score is 21 to 34 (high)
SPAM: [score: 22]
SPAM: WEB_BUGS (0.2 points)  BODY: Image tag with an ID code to identify you
SPAM: CLICK_HERE_LINK (0.3 points)  BODY: Tells you to click on a URL
SPAM: UNSUB_SCRIPT (0.3 points)  URI: URL of CGI script called "unsubscribe" or "remove"
SPAM: UNSUB_PAGE (0.1 points)  URI: URL of page called "unsubscribe"
SPAM: MSG_ID_ADDED_BY_MTA_2 (0.1 points)  'Message-Id' was added by a relay (2)
SPAM: RCVD_IN_OSIRUSOFT_COM (0.4 points)  RBL: Received via a relay in relays.osirusoft.com
SPAM: [RBL check: found 108.181.238.157.relays.osirusoft.com., type: 127.0.0.4]
SPAM: RCVD_IN_SBL (3.2 points)  RBL: Received via SBLed relay, see http://www.spamhaus.org/sbl/
SPAM: [RBL check: found 108.181.238.157.sbl.spamhaus.org.]
SPAM: X_OSIRU_SPAM_SRC (2.7 points)  RBL: DNSBL: sender is Confirmed Spam Source
SPAM: CTYPE_JUST_HTML (0.4 points)  HTML-only mail, with no text version
SPAM:
SPAM:  End of SpamAssassin results -





Re: [SAtalk] AWL broken in 2.43?

2002-10-28 Thread Matt Kettler
Well, this sounds reasonable, unfortunately I suspect it would be rather 
difficult and kludgey for the AWL to be able to tell the difference. The 
AWL operates as a score averager, nothing more, nothing less.

Personally, I think the AWL is in general a fundamentally broken concept, 
however there are people out there who think otherwise. I will likely never 
use the AWL feature of SA in any form of production environment. I see very 
minimal benefit from its use, and a very long history of severe problems 
with the AWL.

The greatest benefit in a corporate environment is derived when the AWL is 
run on a "global" basis when all users wind up running SA as the same user. 
This is because the email correspondence of people working for the same 
company is somewhat correlated and someone on the outside that mails in 
repeatedly usually mails multiple different people inside. ie: a large 
customer will be frequently contacting your sales, billing, and technical 
support departments.

Unfortunately this case (global AWL) also exacerbates the problems of the 
AWL. Your example of an "all_spam_to" user is a very striking example of 
this. If each user had their own AWL, the all_spam_to of one user wouldn't 
be a problem. A global AWL is really only possible in the absence of 
whitelisted users.

From what I can tell very few, if any at all, of the SpamAssassin 
developers use a global AWL. The fact that the severe 2.42 "white listing 
spammers using dictionary attacks against sites with global AWLs" wasn't 
caught prior to release strongly suggests they don't.



At 12:43 PM 10/28/2002 +, Tony Hoyle wrote:
IMHO AWL should not 'remember' mail sent via all_spam_to, otherwise you
eventually whitelist every spammer that sends to your mailserver.




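A small simulation of the global versus per-user AWL problem discussed in this message. This is an added example, not SpamAssassin's code: it is a simplified model that assumes the AWL stores each sender's pre-adjustment scores, moves a new score halfway toward the sender's mean (factor 0.5), and that an all_spam_to recipient contributes -100 to the stored score; the addresses and content scores are constructed.

```python
from collections import defaultdict

FACTOR = 0.5               # assumed: move halfway toward the sender's mean
ALL_SPAM_TO_SCORE = -100.0  # assumed score added for an all_spam_to recipient
REQUIRED_HITS = 5.0         # threshold used in the headers quoted on this page


class AWL:
    """Score averager: keeps (count, total) of past scores per sender."""

    def __init__(self):
        self.history = defaultdict(lambda: [0, 0.0])

    def adjust(self, sender, score):
        count, total = self.history[sender]
        final = score
        if count:
            mean = total / count
            final = score + (mean - score) * FACTOR
        # The unadjusted score is what gets remembered for next time.
        self.history[sender] = [count + 1, total + score]
        return final


def run(traffic, all_spam_to, per_user):
    """Score each (sender, recipient, content_score) message in order.

    per_user=False models one shared AWL for the whole site;
    per_user=True gives every recipient a separate AWL.
    Returns a list of (recipient, final_score, tagged_as_spam).
    """
    shared = AWL()
    separate = defaultdict(AWL)
    results = []
    for sender, rcpt, content in traffic:
        score = content
        if rcpt in all_spam_to:
            score += ALL_SPAM_TO_SCORE
        awl = separate[rcpt] if per_user else shared
        final = awl.adjust(sender, score)
        results.append((rcpt, round(final, 2), final >= REQUIRED_HITS))
    return results


# Constructed traffic: one sender whose mail scores 8.0 on content alone,
# first to an all_spam_to mailbox, then twice to an ordinary user.
TRAFFIC = [
    ("bulk@example.net", "abuse@example.org", 8.0),
    ("bulk@example.net", "alice@example.org", 8.0),
    ("bulk@example.net", "alice@example.org", 8.0),
]
ALL_SPAM_TO = {"abuse@example.org"}

if __name__ == "__main__":
    for label, per_user in (("global AWL", False), ("per-user AWL", True)):
        print(label)
        for rcpt, final, tagged in run(TRAFFIC, ALL_SPAM_TO, per_user):
            print(f"  {rcpt:20s} final={final:7.2f} tagged={tagged}")
```

In this model the single delivery to the all_spam_to mailbox drags the sender's shared mean to -92, so the next two messages to the ordinary user come out at -42 and -17 instead of 8; with separate AWLs they stay at 8 and are tagged.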



Re: [SAtalk] SA using/not using the rbls

2002-11-13 Thread Matt Kettler
try running spamassassin -tD 

you should see from that why it can't do a RBL lookup.

AFAIK it should run unless one of 3 things happens:
1) you don't have the perl module Net::DNS installed
2) it can't do a MX lookup for a major domain. Note you can over-ride this 
check by forcing dns_available in your conf.
3) the RBL server in question isn't answering.

Note that in the case of MAPS RBL, you may need to pay a fee to query their 
servers. (ie: individuals/hobby sites are free, but companies and 
non-profits need to pay a usage fee).

If you've not paid the appropriate fees and appear to be commercial they 
might be blocking you from query (unlikely, but wouldn't be unreasonable of 
them to do).


At 08:31 AM 11/13/2002 -0500, Louis Bohm wrote:
Can some one please tell me why it is that only some times SA uses the 
RBL's to decide the fate of mail.

The following is my configuration in local.cf:
required_hits 5.0
defang_mime 0
report_header 0
use_terse_report 1
subject_tag {*SPAM* * _HITS_ *}
score RCVD_IN_RBL   2
score RCVD_IN_RSS   2
score RCVD_IN_DUL   2
score RCVD_IN_BL_SPAMCOP_NET   2

I am running SA 2.43 and when I look at the mail that is marked as spam 
most of the time I do not see it even trying the RBL's.  Only once in a 
while do I see RBL in the SA results.

Is this a rule I could modify?  I would love it if it would tally up the 
score and if the Spam score is still less than the required_hits it would 
use the RBL's.

Thanks,
Louis





Re: [SAtalk] RedHat 8.0 bundled Spam Assassin

2002-11-14 Thread Matt Kettler
I believe the RedHat SA package is pretty much just the same as installing 
SA.. it still doesn't integrate it into your sendmail, so you'll need some 
kind of milter, or procmail configuration to make sendmail use SA.

It makes sense for them to not automatically plug SA into sendmail, since 
there's at least 15 different ways to run SA against your email, each with 
different advantages/drawbacks. (milter, procmail, amavis, mailscanner, 
direct from kmail or mutt, just to name a few common ones).

Heck, in the case of kmail/mutt SA doesn't even require that you use any MTA 
locally at all, much less sendmail.

At 12:15 PM 11/14/2002 -0700, Greg Jamison wrote:
What is required to get Spamassassin working with Sendmail when both were 
installed during the initial Redhat 8.0 installation? I have configured 
sendmail for local delivery, and that is working fine. When I send "test 
spam", everything comes through. Any help is appreciated. Thanks!!

Greg





Re: [SAtalk] Odd intermittent failure, (RH8, SA 2.42, Perl 5.8)

2002-10-29 Thread Matt Kettler
It's surprising to me that connections from a local client to a local 
server are being trapped in FIN_WAIT2. There's nothing an application can 
really do to mess up the closing of connections, so I'd suspect a bug in 
your firewall rules, or your linux kernel. Connections for TCP should 
smoothly enter the TIME_WAIT state  when closing unless the fin packet from 
the server socket is somehow missed. For a loopback connection this should 
never happen.  The TIME_WAIT state is mandatory for the stable operation of 
TCP and is not avoidable.

For your problem, first check any local IPTables firewall rules you have and 
make sure you're not doing something silly that will block fin packets that 
don't have the ack bit set.

Next I would check for kernel upgrades. It's possible there's a subtle bug 
in the version of the kernel you're running, but this seems like an unlikely 
case.

That aside, it is possible to adjust the fin timeout in /proc. This is 
DANGEROUS and not recommended, but is possible.
The entry you want to change to adjust this is tcp_fin_timeout, but be 
warned that the Linux kernel already uses the minimum "safe" value for this 
timeout, and that there are cases where even the defaults aren't safe.



At 11:32 AM 10/29/2002 -0600, James Bly wrote:
Perhaps someone has seen this before so I ask: Recently I rebuilt a relay 
using RedHat 8.0. Went with the latest version of SA at the time and I'm 
starting to see spamc intermittently fail. Iptables has been ruled out as 
being connected with this. (Was my first suspicion.)

Basically I see spamc connections coming up in a "trapped" FIN_WAIT2 
state. They will sit there and eventually fill up instances of qmail to 
where it stops taking requests off the network. (Note also that I'm 
running spamc from qmail-qfilter which is called through the qmail-queue 
patch. I am not currently able to attribute any of this to qmail.)

The netstat below and ps output is about all I've been able to gather so 
far. If anyone has any ideas on ways to trace this issue, let me know. The 
only hypothesis I can build thus far is that a particularly malformed mail 
is causing spamd to trip up and the spamc sessions to hang, but that's all 
conjecture.

Thanks in advance for any ideas people may have,
-James
 \






Re: [SAtalk] sendmail and spamassassin

2002-10-30 Thread Matt Kettler
What method of calling SpamAssassin from sendmail did you set up? procmail? 
mime-defang? milter? mailscanner? (and lots of others)

If you've not configured one of these mechanisms, that's why. Simply 
installing SpamAssassin only makes it available for things to use. It 
doesn't automatically force its way into your sendmail system.

At 01:18 PM 10/30/2002 +0200, Vasco Macaringue wrote:



Hi everybody
I'm a student and I'd like to know more about sendmail and spamassassin
I've already installed sendmail 8.12.3 and spamassassin 2.43 according to the
readme and installation files in our test server. So my problem now is:
incoming and outgoing mail are not tagged by SpamAssassin . And here in
Mozambique I don't know where I can get help.

I'll be very glad if you have a solution for this problem

Thanks,

Vasco







Re: [SAtalk] This should go to the sightings list, but it brings up an important flaw

2002-10-30 Thread Matt Kettler
Another simple rule would be to detect emails which have both an X-Mailer 
and a User-Agents header. The OE rule actually detects an X-Mailer header, 
so the mail you got would have had to have both headers.

I did a casual search of my emails and didn't find any (spam or nonspam) 
with both, so this rule might not be useful unless spam of this type 
becomes more popular. Still might be worth having in the ruleset as it's 
highly unlikely to FP on any valid email.


Another aspect of this flaw is the heavy positive weights possessed by some 
mailers. This is easily added to a spam mail for bonus points, so I tend to 
view any USER_AGENT rule with a score less than -2 as being highly 
questionable, making an easy target for spam white listing.


At 12:37 PM 10/30/2002 -0500, Tim Helton wrote:

I got a spam today, that hit many rules, and still only got a 0.6

-Spam-Status: No, hits=0.6 required=5.0

  tests=BASE64_ENC_TEXT,CUSTOM_FREE_HD,CUSTOM_GET_FREE
  DATE_MISSING,FORGED_AOL_RCVD,IN_REP_TO,MISSING_MIMEOLE
  REMOVE_PAGE,SPAM_PHRASE_01_02,SUBJECT_HAS_DATE

SUB_FREE_OFFER,USER_AGENT,USER_AGENT_MUTT,USER_AGENT_OE
  WEB_BUG
version=2.41

It looks like it was abusing the "USER_AGENT" negative scoring to gain
-5.5 points
score USER_AGENT_OE    -0.3
score USER_AGENT_MUTT  -4.109
score USER_AGENT       -1.143


Maybe it would be beneficial to see if more than 1 user agent is
detected, and give it a +2, instead of a -5




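The two checks proposed in this exchange (a message carrying both an X-Mailer and a User-Agent header, and more than one mail-client rule hitting on the same message), as an added example that is not part of the original posts or of SpamAssassin. The scores are the 2.41 values quoted above; the sample message, the function names and the treatment of every `USER_AGENT_*` rule as a distinct client are assumptions.

```python
import email
import re

# Scores quoted in the thread for SpamAssassin 2.41.
SCORES_2_41 = {
    "USER_AGENT_OE": -0.3,
    "USER_AGENT_MUTT": -4.109,
    "USER_AGENT": -1.143,
}

# Threshold from the reply: a USER_AGENT rule scoring below -2 is questionable.
QUESTIONABLE_BELOW = -2.0

# Constructed sample, not the message from the thread. Addresses, client
# strings and the rule list are made up for the demonstration.
SAMPLE = (
    "From: sender@example.com\n"
    "To: rcpt@example.org\n"
    "Subject: constructed sample\n"
    "User-Agent: Mutt/1.4i\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "X-Spam-Status: No, hits=0.6 required=5.0\n"
    "\ttests=BASE64_ENC_TEXT,DATE_MISSING,USER_AGENT,USER_AGENT_MUTT,\n"
    "\tUSER_AGENT_OE,WEB_BUG\n"
    "\tversion=2.41\n"
    "\n"
    "body text\n"
)


def rules_hit(msg):
    """Return the rule names listed in tests=... of X-Spam-Status."""
    status = msg.get("X-Spam-Status", "")
    m = re.search(r"tests=(.*?)(?:\s+version=|$)", status, re.S)
    if not m:
        return []
    return [r for r in re.split(r"[,\s]+", m.group(1)) if r]


def client_rules(rules):
    """Rules that name a specific mail client (assumed: USER_AGENT_<NAME>)."""
    return sorted(r for r in set(rules) if r.startswith("USER_AGENT_"))


def header_credit(rules, scores):
    """Total negative score earned from sender-supplied client headers."""
    total = sum(
        scores[r] for r in rules
        if r.startswith("USER_AGENT") and scores.get(r, 0.0) < 0
    )
    return round(total, 3)


def questionable_rules(scores):
    """USER_AGENT rules whose score is below the -2 threshold."""
    return sorted(
        name for name, score in scores.items()
        if name.startswith("USER_AGENT") and score < QUESTIONABLE_BELOW
    )


def audit(raw, scores=SCORES_2_41):
    """Run both proposed checks on one already-scanned message."""
    msg = email.message_from_string(raw)
    rules = rules_hit(msg)
    clients = client_rules(rules)
    return {
        "both_headers": "X-Mailer" in msg and "User-Agent" in msg,
        "client_rules": clients,
        "conflicting_clients": len(clients) > 1,
        "header_credit": header_credit(rules, scores),
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
    print("rules below -2:", questionable_rules(SCORES_2_41))
```

On the constructed sample both checks fire and the header-derived credit is -5.552, the roughly -5.5 points noted in the question.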


Re: [SAtalk] This should go to the sightings list, but it brings up an important flaw

2002-10-30 Thread Matt Kettler

I wrote:

Another aspect of this flaw is the heavy positive weights possessed by some 
mailers. This is easily added to a spam mail for bonus points, so I tend 
to view any USER_AGENT rule with a score less than -2 as being highly 
questionable, making an easy target for spam white listing.

To further clarify that, 2.43 doesn't have such absurdly high negative 
scores, except kmail which is a little under -2. In fact, the scores of 
2.41 are bad enough in general that I question why anyone actually even 
runs 2.41 ;)

At 12:37 PM 10/30/2002 -0500, Tim Helton wrote:

I got a spam today, that hit many rules, and still only got a 0.6

-Spam-Status: No, hits=0.6 required=5.0

  tests=BASE64_ENC_TEXT,CUSTOM_FREE_HD,CUSTOM_GET_FREE
  DATE_MISSING,FORGED_AOL_RCVD,IN_REP_TO,MISSING_MIMEOLE
  REMOVE_PAGE,SPAM_PHRASE_01_02,SUBJECT_HAS_DATE

SUB_FREE_OFFER,USER_AGENT,USER_AGENT_MUTT,USER_AGENT_OE
  WEB_BUG
version=2.41

It looks like it was abusing the "USER_AGENT" negative scoring to gain
-5.5 points
score USER_AGENT_OE    -0.3
score USER_AGENT_MUTT  -4.109
score USER_AGENT       -1.143


Maybe it would be beneficial to see if more than 1 user agent is
detected, and give it a +2, instead of a -5






Re: [SAtalk] You have a secret admirer

2002-10-30 Thread Matt Kettler
1) yes the sa-talk mailing list is more-or-less wide open. The fact that 
the satalk list gets a Nigerian scam email about once every two months is a 
prime example.

2) no it probably should not be closed, this is the official forum 
for posting technical problems and many posters aren't subscribed to the 
list. If spammers spam the list, it's just more test data for the 
development of SA as far as I'm concerned. Others might chime in differing 
opinions however.

3) most non-tech-support oriented mailing lists are closed, most mailing 
lists that desire to have the least barrier to feedback from users are 
generally open.

As far as the tagging of this particular email as spam or not, this is a 
"semi legitimate" service. They don't email anyone unless someone who is 
registered with their service enters you on their website. To find out "who 
admires you" you register and then enter all the people you like and if you 
discover the match by brute force you're told. Of course this also sends a 
"someone admires you" notice to everyone you entered. Also once you're 
registered they can sell your email address, but not the addresses of those 
you punch in who haven't registered yet.

It's certainly a nuisance site, well suited to the drooling on themselves 
masses, but it would be hard to call this email itself 'spam'. I can go to 
bluemountain.com and send you a post card without your solicitation either.

http://www.someonelikesyou.com/faq.html explains this bizarre system.

I submitted block requests when I got one, never got one since and I don't 
have any spams I can correlate to the service. In their privacy policy they 
claim that they do sell the email addresses of registered users, but not of 
unregistered users who just happened to get a notice.

So to some degree they are a spam service, they sell name and address lists 
of registered users, although you have to consent to it and they try hard 
to not make it clear that is what they are doing.

The other thing I find particularly annoying about someonelikesyou is that 
they refuse to identify who entered your address until you register and 
start feeding in other people's emails. This effectively makes it an 
anonymous means by which someone can send you a single unsolicited message, 
until you tell them where they can stuff all their "someone likes you" emails.


At 06:38 PM 10/30/2002 -0600, Jess Anderson wrote:
Does this mean that the salist is wide open? Why shouldn't
there be a restriction that only subscribers can post? I
thought most mailing lists were set up with that restriction.

FWIW, I got that same spam in my personal mailbox yesterday,
scored 3.5 of 5.0, with a different Subject: line (headers
attached).

The list mail gets through without being challenged, as procmail
scoops it off before SA could see it. But even if SA saw it, it
would pass as a false negative.






Re: [SAtalk] Genealogy

2002-10-31 Thread Matt Kettler
Well, SpamAssassin by default isn't a mail bouncer, just a subject-line 
tagger. Some people do bounce mail based on it, but that's something the 
administrator of the mailserver has to configure himself.

SpamAssassin does consider things like all-caps headers suspicious, but it 
takes a lot more than just an all caps subject line and a couple instances 
of the word sex to get SA to tag an email. In fact, the word sex by itself 
isn't a rule for spamassassin at all, although some phrases regarding sex 
videos, and other obvious pornography subjects are in the rule set.

SpamAssassin tallies a score for a given email based on a large collection 
of rules each of which has its own point value. The scores are evolved 
against real emails which are manually split into spam and nonspam piles. 
Rules matching a lot of spam with few or no nonspam matches wind up getting 
high scores, and rules matching even moderate amounts of nonspam get low or 
negative scores. This causes a lot of rules that at first glance would seem 
to be spam only wind up matching a lot of nonspam and wind up with very low 
scores. A recent case of this was a no_credit rule that was generic enough 
to match on "notice: your credit card will be billed when the order is 
shipped". The system evaluates how much of the nonspam test data the rule 
matches and inherently drives the score of those rules down. Bad or overly 
generic rules wind up causing relatively little collateral damage this way.

As you can see SA tries very hard to not be fooled by normal emails that 
contain potentially spammish phrases. If you do have some false positive 
cases that are tagged by SA 2.43 or 2.42, I'd be happy to analyze them and 
try to tweak the offending rules to not match on legitimate email. Just 
send me an email explaining you're about to send me a false pos spam, then 
forward them to me, or better yet, to [EMAIL PROTECTED] (my home email 
where I do SpamAssassin rule tweaking). If you can do it as an attached 
file in unix mbox format that's wonderful, otherwise I'll work with just a 
plain forwarded copy of the mail as best I can. I will try to take obvious 
precautions about not reposting sensitive personal information, but I am 
prone to human error so use your own discretion in deciding what to forward 
to me for evaluation.

My guess is you're more often being bounced by someone who has a handful of 
homebrewed procmail rules that reject any email containing the word sex at 
all, and other simple "obvious" rules that a lot of sysadmins that aren't 
thinking carefully wind up implementing. SpamAssassin isn't so foolish as 
to have such simple false-positive prone evaluation rules.

Heck, even most of the "dirty jokes" my friends forward me aren't tagged by 
SpamAssassin, but I do have one that is picking on telemarketing tactics 
and contains a large number of junk marketing quotes that does get tagged. 
I'm not exactly surprised that a 3 page email quoting all kinds of 
marketing mortgage refinance, credit repair, prize winning and other 
obvious borderline scam type marketing gets tagged. It would be hard to 
realize the difference, but the bayesian filter in future generations of SA 
might be smart enough if well trained.

At 02:47 AM 10/31/2002 +, [EMAIL PROTECTED] wrote:
Hi folks, I admin 28 or so Genealogy lists and message boards at Rootsweb.com,
recently, I've noticed a big increase in posts to the lists being "bounced" to
me as Admin, cause they are being rejected as S P A M..I don't want to even
talk about the bounces from my Essex County NY list... The larger ISP's
don't seem to have a problem, but the little folks seem to be inventing
some "wonderful" antiSPAM rules...:-(  Last I heard, Genealogy was the 2nd or
3rd biggest internet activity, Genealogy presents email differently than most
other email...ALL CAPS in the subject is common, that is how Surnames are
entered, the word sex repeated for each person in a family group
sheet.etc...has there been any dialog about these things?

--
Regards, Fred Provoncha, Volunteer Rootsweb Admin
http://home.att.net/~unclefred
http://www.rootsweb.com/~nyessex
http://www.gencircles.com/users/unclefred
http://freepages.genealogy.rootsweb.com/~unclefred/main.htm





Re: [SAtalk] Problem with SA 2.50

2002-10-31 Thread Matt Kettler
1) You didn't specify a version, however Razor 2.20 was recently released 
which claims to have made razor more "taint" friendly. This should prevent 
such problems.

2) This problem also cropped up when one of the early 2.4x's was released, 
and is a MAJOR subject in the FAQ http://www.spamassassin.org/faq.html

Also I'll point out that 2.50 is unstable and under development, if you 
really need a stable production version, go with 2.43 or the latest 
officially released version of SA, not a CVS snapshot of pre-release versions.

At 04:24 PM 10/31/2002 +0800, [EMAIL PROTECTED] wrote:
Hi,

I keep getting this message from the logfile:

Oct 31 16:17:08 dim spamd[56007]: razor2 check skipped: Permission
denied Can't call method "log" on unblessed reference at
/usr/local/lib/perl5/site_perl/5.005/Razor2/Client/Agent.pm line 211,
 chunk 175.

I'm running spamd using these options:

-a -c -d -m 20 -u filter -H /var/spool/filter -x

---
 francis a. vidal [bitstop network services] | http://www.bitstop.ph
 streaming media + web hosting   | http://www.keystone.ph
 v(02)330-2871,(02)330-2872; f(02)330-2873   | http://www.kuro.ph




Re: [SAtalk] Differences between spamc/spamd and spamassassin...??

2002-10-31 Thread Matt Kettler
How big is the message? spamc by default skips messages over a certain size 
(250k?)

If that's not it, can you provide a lil more info about your setup? Like 
what version of spamassassin are we dealing with here? Have you checked 
that spamd is running? how did you check? etc.


At 02:11 PM 10/31/2002 -0800, Bill Long wrote:
*This message was transferred with a trial version of CommuniGate(tm) Pro*
Hi all,

I'm new to the list and new to SpamAssassin.  I'm working on getting it
integrated into my CommunigatePro server. I think I have most of it all
worked out, except if I run an email through SpamAssassin and it catches it
as spam, the spamc/spamd combination will not flag it as spam.  I'm
wondering if i missed something in the documentation?

basically, if i have a message 1050210.msg.tmp

If I run that Message through spamAssassin
spamassassin -t < /var/CommuniGate/1050210.msg.tmp

It comes back with all the stuff saying its spam.

However, if I run it through spamc
spamprep "/var/CommuniGate/1050210.msg.tmp" "<[EMAIL PROTECTED]>"
"<[EMAIL PROTECTED]>" | /usr/bin/spamc -d 65.216.115.105 -f >>
"/var/CommuniGate/Submitted/1050210.msg.tmp"

It just spits the message back to me with nothing being done.

My configuration files are in the normal places. Do I have to pass special
arguments to SpamC or SpamD?


Thanks in advance,

bill





Re: [SAtalk] How do I know if razor-checking is active?

2002-11-01 Thread Matt Kettler
At the command line run:

spamassassin -tD < sample-spam.txt

At the top will be extensive debug output including any problems reading 
the rules file, any lack of DNS support, etc, as well as debug status while 
running razor.

At 11:34 AM 11/1/2002 -0800, Henry Kwan wrote:
Hi.

Have been using SA for a little while and with the 2.43 update, finally
decided to install razor as well.  But when I do 'make test', it reports
back that both razor tests have been skipped with no reason given.  When I
run the razor-client, it appears to be working so how can I tell if SA is
utilizing razor for checks?

Thanks.




Re: [SAtalk] How do I know if razor-checking is active?

2002-11-01 Thread Matt Kettler
Well, it's a wide variety of IP's, but it is client-only type traffic. The 
razor servers do not need to initiate connections to port 2703 on your 
machine, so is there any significant risk in allowing your machine to 
initiate client connections to any outside machine on port 2703 (provided 
there's some careful TCP flags based filtering of inbound traffic to make 
sure it's not used to smuggle in connection requests)?

rough pseudo-code firewall rules for a packet filter type firewall would be:


deny   outbound IP   from AnythingButMyNetwork to anywhere

allow  outbound TCP  from myrazorserver any port >1023   to  anyip port 7
allow  outbound TCP  from myrazorserver anyport >1023    to  anyip port 2703

deny   inbound IP    from MyNetwork to anywhere

allow  inbound TCP   from anyip port 7      to  myrazorserver any port >1023   required flag ACK
allow  inbound TCP   from anyip port 2703   to  myrazorserver any port >1023   required flag ACK

deny   inbound tcp   from anyip anyport to anyip any port < 20
deny   inbound udp   from anyip anyport to anyip any port < 20



For a stateful firewall require the connection to be established instead of 
requiring the ack flag on inbound traffic. Your exact syntax will vary 
depending on what packet filter/firewall tool you use, but that's the 
conditions you need to apply.

Note: As far as I know, and I'll admit to making mistakes sometimes but 
I've thought long and hard about this one, the above configuration does NOT 
allow your network to be used as a waypoint in tcp echo-chargen loopback 
attacks. It also does not allow such attacks to be initiated against your 
network. It does not allow your network to send spoofed requests to 
initiate echo-chargen loopback attacks against other networks. All of this 
is true, as far as I can deduce, even if "myrazorserver" is running an 
otherwise unsecured echo and chargen server.

I can't guarantee that this is 100% hole-free, but I'd be hard pressed to 
picture a way to exploit the above configuration for DoS attacks. If anyone 
can point out an exploit, I'd love to hear it, but be wary of the fact that 
inbound syn-with-no-ack is needed to open a TCP socket.

At 01:14 PM 11/1/2002 -0800, Henry Kwan wrote:
>
> At the command line run:
>
> spamassassin -tD < sample-spam.txt
>
> At the top will be extensive debug output including any problems reading
> the rules file, any lack of DNS support, etc, as well as debug status while
> running razor.
>

Great.  Thanks to all for the tips.  I ran the sample text through and it
does appear that SA is invoking the razor2 test.

As an aside, does anyone know the range of IPs that you need to open for
razor?  I currently have 216.52.13.90 through 216.52.13.94 open for TCP Port
2703.

Thanks again.
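
Added example (not part of the original thread): the pseudo-code packet filter rules from the reply above, evaluated in Python against a few constructed packets. The addresses (documentation ranges), first-match rule order and the default of dropping anything no rule matches are assumptions of this example. The post states no default policy.

```python
from ipaddress import ip_address, ip_network

MY_NETWORK = ip_network("192.0.2.0/24")   # constructed stand-in for "MyNetwork"
RAZOR_HOST = ip_address("192.0.2.10")     # constructed stand-in for "myrazorserver"


def inside(addr):
    return ip_address(addr) in MY_NETWORK


def outside(addr):
    return not inside(addr)


def razor(addr):
    return ip_address(addr) == RAZOR_HOST


def anyip(addr):
    return True


def anyport(p):
    return True


def high(p):
    return p > 1023


def exactly(n):
    return lambda p: p == n


def below(n):
    return lambda p: p < n


# (action, direction, protocol, source, source port,
#  destination, destination port, ACK flag required)
RULES = [
    ("deny",  "out", "ip",  outside, anyport,       anyip, anyport,       False),
    ("allow", "out", "tcp", razor,   high,          anyip, exactly(7),    False),
    ("allow", "out", "tcp", razor,   high,          anyip, exactly(2703), False),
    ("deny",  "in",  "ip",  inside,  anyport,       anyip, anyport,       False),
    ("allow", "in",  "tcp", anyip,   exactly(7),    razor, high,          True),
    ("allow", "in",  "tcp", anyip,   exactly(2703), razor, high,          True),
    ("deny",  "in",  "tcp", anyip,   anyport,       anyip, below(20),     False),
    ("deny",  "in",  "udp", anyip,   anyport,       anyip, below(20),     False),
]


def packet(direction, proto, src, sport, dst, dport, flags=""):
    return {"dir": direction, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "flags": set(flags.split("+")) if flags else set()}


def decide(pkt):
    """Return (action, rule number); rule 0 is the assumed default deny."""
    for number, rule in enumerate(RULES, 1):
        action, direction, proto, src, sport, dst, dport, need_ack = rule
        if direction != pkt["dir"]:
            continue
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if not (sport(pkt["sport"]) and dport(pkt["dport"])):
            continue
        if need_ack and "ACK" not in pkt["flags"]:
            continue
        return action, number
    return "deny", 0


REMOTE = "198.51.100.5"  # constructed outside address

CASES = {
    "razor client opens connection":
        packet("out", "tcp", "192.0.2.10", 40000, REMOTE, 2703, "SYN"),
    "server reply (SYN+ACK)":
        packet("in", "tcp", REMOTE, 2703, "192.0.2.10", 40000, "SYN+ACK"),
    "inbound connection request, no ACK":
        packet("in", "tcp", REMOTE, 2703, "192.0.2.10", 40000, "SYN"),
    "inbound echo-to-chargen, TCP":
        packet("in", "tcp", REMOTE, 7, "192.0.2.10", 19, "SYN"),
    "inbound echo-to-chargen, UDP":
        packet("in", "udp", REMOTE, 7, "192.0.2.10", 19),
    "outbound with a source outside MyNetwork":
        packet("out", "udp", "203.0.113.9", 7, REMOTE, 19),
    "inbound claiming a MyNetwork source":
        packet("in", "udp", "192.0.2.77", 19, "192.0.2.10", 7),
    "bare ACK, no connection exists":
        packet("in", "tcp", REMOTE, 2703, "192.0.2.10", 40000, "ACK"),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print("%-42s %s" % (name, decide(pkt)))
```

The last case is allowed because a stateless filter sees only the ACK flag, not whether myrazorserver ever opened that connection. That is the gap the reply's advice to match on established connections with a stateful firewall closes.
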





Re: [SAtalk] Bayesian attack

2002-11-21 Thread Matt Kettler
Justin,

I expected the HTML parser might deal with the comment block attack. Will 
it also deal with the "white-on-white text" variant? (you didn't include 
both scenarios from my original email, so I'm adding the other back in below).

I wrote previously:
If you strip HTML prior to bayes this could also be done by using a 
white-on-white text in tiny font tag prior to the bogus ham, with lots of 
newlines, and then switch back to a readable color and begin their 
marketing. The final message once processed by the MUA as an HTML message 
will appear as if it has only a couple blank lines at the top (because the 
font is small, and HTML will ignore the newlines) but will miss bayes entirely.


At 04:02 PM 11/21/2002 +0000, Justin wrote:


Matt Kettler said:

> As a counter argument of this, what about HTML messages being abused to
> bypass bayes when only looking at the top N lines? (note:  think this is on
> the right track in principle, but I can see some resulting holes)
>
> The spammer could now bypass bayes by inserting a HTML comment at the
> beginning consisting of 200 bytes or 20 lines of ham, end the comment, and
> begin his spam message.

BTW we do have some very smart HTML parsing (thx Dan ;) which our Bayes
impl uses, so this will not be a prob for us.

--j.
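
Added example (not part of the original thread and not SpamAssassin's HTML parser): a Python comparison of three ways a filter could pick tokens from the kind of message discussed above, so the effect of a comment block and of background-coloured text on each is visible. The sample message is constructed. Judging visibility only from <body bgcolor> and <font color> is an assumption of this example.

```python
import re
from html.parser import HTMLParser

NAMED_COLOURS = {"white": "#ffffff", "black": "#000000"}

# Constructed sample: filler in a comment, the same filler in
# background-coloured small text, then the text the reader actually sees.
SAMPLE = """<html><body bgcolor="#FFFFFF">
<!-- meeting agenda budget review minutes attached -->
<font color="white" size="1">meeting agenda budget review minutes attached


</font>
<font color="#000000" size="3">Refinance your mortgage today</font>
</body></html>"""


def norm_colour(value):
    """Normalise an HTML colour attribute to lower-case #rrggbb."""
    v = (value or "").strip().lower()
    v = NAMED_COLOURS.get(v, v)
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        v = "#" + "".join(c * 2 for c in v[1:])
    return v


def words(text):
    return re.findall(r"[a-z']+", text.lower())


def raw_head_tokens(html, n_lines):
    """Tokens from the first n_lines of the raw source (comments included)."""
    return words("\n".join(html.splitlines()[:n_lines]))


def strip_tags_tokens(html):
    """Tokens after deleting tags with a regex: comments go, but text the
    reader cannot see stays in."""
    return words(re.sub(r"<[^>]*>", " ", html))


class RenderAware(HTMLParser):
    """Splits text into what a reader would see and what is drawn in the
    background colour. Comments never reach handle_data."""

    def __init__(self):
        super().__init__()
        self.background = "#ffffff"   # assumed default page background
        self.font_hidden = []         # one flag per open <font>
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and a.get("bgcolor"):
            self.background = norm_colour(a["bgcolor"])
        elif tag == "font":
            if a.get("color"):
                hidden = norm_colour(a["color"]) == self.background
            else:  # no colour given: inherit from the enclosing <font>
                hidden = bool(self.font_hidden) and self.font_hidden[-1]
            self.font_hidden.append(hidden)

    def handle_endtag(self, tag):
        if tag == "font" and self.font_hidden:
            self.font_hidden.pop()

    def handle_data(self, data):
        hidden = bool(self.font_hidden) and self.font_hidden[-1]
        (self.hidden if hidden else self.visible).extend(words(data))


def visible_and_hidden(html):
    parser = RenderAware()
    parser.feed(html)
    parser.close()
    return parser.visible, parser.hidden


if __name__ == "__main__":
    visible, hidden = visible_and_hidden(SAMPLE)
    print("first 2 raw lines:", raw_head_tokens(SAMPLE, 2))
    print("tags stripped    :", strip_tags_tokens(SAMPLE))
    print("visible          :", visible)
    print("hidden           :", hidden)
```
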






Re: [SAtalk] howto spamassassim learns automatically

2002-11-05 Thread Matt Kettler
Have you looked at the ok_languages and ok_locales options in the SA config 
options?

man Mail::SpamAssassin::Conf

At 03:45 PM 11/5/2002 -0200, sandra wrote:
Hi ALL,

  I'm using postfix+amavisd(+spamassassin). But the majority of
the mail messages that we receive and that are spam are in
Portuguese language.
 Is there a way to feed spamassassin database automatically with the
messages that it considers a spam message? (sa_learn_spam you have to give the
message as input, auto_learn didn't do what I would like to have).

   Is there any suggestion?

  thanks a lot.

Sandra







Re: [SAtalk] whitelist function - where is it?

2002-11-05 Thread Matt Kettler
Read man Mail::SpamAssassin::Conf

You probably want to add a whitelist_from_rcvd or whitelist_from to your 
/etc/mail/local.cf.

At 01:46 PM 11/5/2002 -0500, Vernon Webb wrote:
I've been trying to read through the web site in an attempt to remove an
email I am receiving from the SPAM list (yes I want to receive it). How the
heck do I do that?

Thanks






Re: [SAtalk] Custom Rule STILL being ignored

2002-11-05 Thread Matt Kettler
The most debug output you can get from spamassassin is by running:

spamassassin -tD 

Note that sample-nonspam.txt is included in the SpamAssassin tarball.

I'd run the debug output version of SA above and look at where spamassassin 
is reading your user_prefs file and make sure that rule is in there or in 
local.cf. Also note that if you are using user_prefs you need to do this 
test while logged in as the same user that runs spamassassin.

Special note if you are using MailScanner (you don't appear to be) 
MailScanner uses its own user_prefs file in its own 
/usr/local/MailScanner/etc directory.



At 11:34 AM 11/5/2002 -0800, David Brossard wrote:
Is there a way to get more debug output from spamassassin (not spamd or
spamc)?






Re: [SAtalk] Reloading the configuration on the fly

2002-11-05 Thread Matt Kettler

At 12:50 AM 11/6/2002 +0100, Andreas Lund wrote:


Hi,

After receiving more and more spam over the past few years, I finally
installed SpamAssassin about a month ago. The results have been far better
than I could have hoped, so I'm a little afraid of tampering too much with the
default settings.

However, I have two questions that I can't find answers to in the docs:

1. Exactly how do I add my own spam phrases? Or, to be more specific, what
does the number N in 'spamphrase N foo bar' mean?


I'd not advise tinkering with spamphrases, I'd advise making body rules for 
your own custom stuff. The scoring of the spamphrases rule is strongly 
coupled to the content of the list, and adding or removing things from that 
list will completely invalidate the scores, requiring a GA run against a 
good corpus to get anything useful.

I don't know offhand exactly what the N represents, but I can tell you that 
if you really need to know how spamphrases works, read PhraseFreqs.pm, 
which contains the check_phrase_freqs sub which is called by the eval in 
EvalTests.pm.


2. Is there any way to make spamd reload the *.cf files on the fly? It doesn't
seem to react very well to -HUP


There isn't a way to do that short of killing and restarting spamd.

Really there's two models of running spamassassin
1) use spamassassin, and compile and parse everything per email
2) use spamd and compile and parse everything once per restart of 
spamd.

Since rule updates aren't intended to be a daily event, there's not 
currently any support for -HUPing spamd, although that might get added in 
the future.


Btw, it took me a while to figure out that my config files could be named
anything as long as they ended with .cf and I put them in the appropriate
directory. Maybe the docs could point that out more clearly... :-)


Well, really you in theory should only be editing 
/etc/mail/spamassassin/local.cf or ~/.spamassassin/user_prefs unless you're 
doing really out-of-the-norm things. Dynamically updated rulesets, which 
seems to be what you're doing, is not exactly something that could be 
considered even remotely "normal" usage of SpamAssassin. (yes, spamassassin 
really is intended to be run with very few tweaks to the ruleset, and 
whole-version upgrades applied as needed. 99% of users should never need 
more than 20 custom rules).


What you are doing is possible, but not exactly within the scope of the 
original intent of original toolset, so I'm not too surprised that the docs 
aren't as helpful to you as you'd like. You're really engaging in activity 
that's really well into the bounds of "developer", and at that point, the 
source is what you should be referring to.


I agree however that the docs should VERY clearly tell users NOT to 
mess with /usr/share/spamassassin (this seems to be what most users want to 
do the first time they try to add their own rules) and give them some 
guidance on how you can have multiple .cfs in /etc/mail/spamassassin if 
needed for advanced configurations.

I'd also suggest that if you are doing some kind of dynamic feed-back 
auto-rule-update system that you not spend too much effort on making that 
utility set for SA until a version of SpamAssassin with bayes is released. 
Training a Bayesian filter inherently makes the rules pretty dynamic, and 
should eliminate any need to be using scripts to hack the .cf files 
constantly.





RE: [SAtalk] Custom Rule STILL being ignored

2002-11-06 Thread Matt Kettler
Wait, are you trying to blacklist a subject or a received? The last time 
you posted this rule it was a received header rule.

Your rule for MY_BLACKLISTED_RCVD is changing quite drastically. Do you 
have multiple rules with this name?

Each of your own custom rules need to have their own distinct names 
otherwise only one of them will be applied and the others will be ignored 
silently.

 This is NOT a bug, but a deliberate feature of SpamAssassin that allows 
your local.cf to over-ride the rules, scores etc present in the default 
configuration without causing "duplicate rule" error messages.


At 09:32 AM 11/6/2002 -0800, David Brossard wrote:
Running the debug output shows no surprises. It is using my rules
directory and razor just fine. I can also test this because directly
about one of my custom rules another one is checked and found when
tested.

header  FFL_FOR_FRED    subject=~/FFL*/
score   FFL_FOR_FRED    -20

works but

header  MY_BLACKLISTED_RCVD     subject=~/lamailer/i
score   MY_BLACKLISTED_RCVD     100

(part of the custom rule I am trying to get to work) is completely
ignored.

Still stumped.
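
Added example (not part of the original thread and not a SpamAssassin tool): a Python lint for the situation the reply describes, where a rule name is defined more than once and only one definition is applied. The sample local.cf is constructed from the rules quoted above plus an invented earlier Received variant. Treating the last definition read as the one that is kept is an assumption of this example.

```python
import re
from collections import defaultdict

RULE_TYPES = {"header", "body", "rawbody", "full", "uri", "meta"}

# Constructed local.cf. Line 3 is an invented earlier version of the rule
# that shares its name with the subject rule on line 6.
SAMPLE_CF = "\n".join([
    "header  FFL_FOR_FRED         subject =~ /FFL*/",
    "score   FFL_FOR_FRED         -20",
    "header  MY_BLACKLISTED_RCVD  Received =~ /lamailer/i",
    "score   MY_BLACKLISTED_RCVD  100",
    "# later addition that reuses the name",
    "header  MY_BLACKLISTED_RCVD  subject =~ /lamailer/i",
])


def definitions(cf_text):
    """Map rule name -> [(line number, rule type, definition), ...]."""
    found = defaultdict(list)
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        # Drop comments, but keep a '#' that is escaped inside a pattern.
        line = re.sub(r"(?<!\\)#.*", "", raw).strip()
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] in RULE_TYPES:
            found[parts[1]].append((lineno, parts[0], parts[2]))
    return dict(found)


def redefined(cf_text):
    """Report every rule name that has more than one definition."""
    report = []
    for name, defs in sorted(definitions(cf_text).items()):
        if len(defs) < 2:
            continue
        kept, ignored = defs[-1], defs[:-1]   # assumption: last one read wins
        report.append({
            "name": name,
            "kept": kept,
            "ignored": ignored,
            # True when an ignored definition differs from the kept one.
            "conflicting": any(d[1:] != kept[1:] for d in ignored),
        })
    return report


if __name__ == "__main__":
    for item in redefined(SAMPLE_CF):
        print("%s: line %d is used" % (item["name"], item["kept"][0]))
        for lineno, kind, text in item["ignored"]:
            print("  line %d ignored: %s %s" % (lineno, kind, text))
```
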






Re: [SAtalk] DCC Or Razor2?

2002-11-06 Thread Matt Kettler
For what it's worth, here's a summary of what I've gleaned from my 
experience and the various lists:

DCC isn't really concerned with a message being spam or not, they only are 
concerned with it being "bulk". So they intend to match non-spam 
newsletters, etc.

Razor is intending to only list messages which are unsolicited, and has a 
submitter rating system to downgrade those who submit lots of nonspam. This 
makes its definition of spam a bit subject to public opinion, but it's 
certainly less prone to matching nonspam messages than DCC. However their 
servers have a history of downtime and slow processing. At least, I seem to 
hear people complaining about the razor servers being down/slow a lot more 
often than DCC.


At 11:33 AM 11/6/2002 -0700, Paul Fries wrote:
Right now I am running both DCC and Razor2...

The processing time is a little higher than I like it though.. I would
like it to be < 1 second for most messages. So, I want to drop one of
those tests. Which one is least beneficial?

Thanks!
-Paul





Re: [SAtalk] options -W -R

2002-11-11 Thread Matt Kettler
Well, first off -W and -R only apply to the auto-whitelist as it says. So 
unless you use SpamAssassin with the -a option all the time, using these 
commands does NOTHING (well, nothing that matters).


These commands are really intended more as a way of "fixing" problems with 
your AWL database, and aren't intended to be used as a way of regularly 
adding people to your blacklist.

The suggested method for hand-blacklisting or whitelisting is to add a 
whitelist_to, whitelist_from, whitelist_from_rcvd or blacklist_from rule to 
your local.cf or user_prefs for SpamAssassin.


And yes, -R, -W and --add-to-blacklist will extract ALL email addresses in 
the message including all of the following headers and the body of the 
email itself:
To, From, Cc, Reply-To, Sender, Errors-To, Mail-Followup-To

And will adjust the AWL appropriately for ALL of those addresses, including 
your address. See sub find_all_addrs_in_mail in SpamAssassin.pm for more 
explicit details.




At 12:27 PM 11/11/2002 -0500, Tom Allison wrote:
I was reading through the man pages and found a potential problem 
regarding the options to add-to-whitelist and add-to-blacklist.
According to the manpages:
-W, --add-to-whitelist
   Add all email addresses, in the headers and body of the mail message
   read from STDIN, to the automatic whitelist.  Note that you must be
   running "spamassassin" or "spamd" with the -a switch for this to work.

My question is this.
If I do -R or --add-to-blacklist then am I going to effectively remove 
myself from the whitelist or potentially add myself to the blacklist since 
my address is also listed in the Headers or Body of the email in question?

If I forward email to an alias on my server, then I'll blacklist myself to 
such an extent that I might not accept email anymore.

This is compounded if spam is sent to multiple users on the same server in 
one email.  Then we blacklist each other.

Or does spamassassin do something more intuitive than what is implied in 
the man pages?





Re: [SAtalk] what the...

2002-11-12 Thread Matt Kettler
A bit more clear of a hint since not all of us use the same font types (ie: 
on my MUA Theo mostly underlined SUB_FREE_OFFER):

score USER_IN_WHITELIST  -100

So it would appear the from: address was manually whitelisted, or was one 
of the few defaults that ships with SA.

Note that you might also want to add some unwhitelist commands to your 
local.cf to over-ride one or more of the entries in 60_whitelist.cf. Or 
prune some of the whitelist_from commands you added yourself.


At 02:40 PM 11/12/2002 -0500, you wrote:
On Tue, Nov 12, 2002 at 02:35:04PM -0500, Phynias_CO wrote:
> any idea why this happened. Look at the score:

not without the whole message.

> X-Spam-Status: No, hits=-91.6 required=6.0
> SPAM_PHRASE_08_13,SUB_FREE_OFFER,USER_IN_WHITELIST
hint:  ^

--
Randomly Generated Tagline:
Hey!  Let's do that 2,000-pound man thing.  I'll be that Carl Reiner guy,
 and you be what's-his-face.

-- Homer Simpson
   Homer vs. Patty and Selma



