Re: spoofed Received header

2004-09-30 Thread David Brodbeck
Nate Schindler wrote:
> I do this for my personal server. It's easy to do this with sendmail.
> It's not so easy with Exchange/Outlook which is what work uses,
> unfortunately.

If you're the Exchange admin, you can do it.  Just add another SMTP 
address for the account.



SA 3.0 is eating up all my memory!!!

2004-09-30 Thread Luis Hernán Otegui
Well, I've migrated from 2.64 to 3.0, following all the hints in the
UPDATE file, and the ones given here, in the list. But still I'm
concerned about some messages I get when I run spamassassin --lint,
and because one of my servers, a Pentium III at 900 MHz with 512 MB of
RAM, cannot handle 20 mail requests at the same time! The setup looks
like this:
-Redhat 7.3 with XFS kernel, XFS version 1.3.1.
-Sendmail 8.12.7 compiled from source, with libmilter enabled.
-HBEDV AntiVir Milter  AvMilter-1.0.1.
-Spamass-Milter 0.2.0, patched to work correctly with SA 3.0.
-SpamAssassin 3.0, compiled from source.
-Procmail v3.22, compiled from source.
I've limited the number of incoming connections in Sendmail via
sendmail.mc (define(`confMAX_DAEMON_CHILDREN', `20')dnl), and via the
spamd init script (via the -m 20 option, I guess it doesn't work
anymore in 3.0, since I'm having 23 spamd children running).
On the other hand, I'm having 51 issues when I run spamassassin
--lint. I've cleaned the obsolete options from local.cf, but the rest of
the issues come (apparently) from badly defined rules in the local.cf
file, but I'm still getting this:

warning: description for VIRUS_WARNING251 is over 50 chars
warning: description for VIRUS_WARNING326 is over 50 chars
warning: description for VIRUS_WARNING308 is over 50 chars
warning: description for VIRUS_WARNING63A is over 50 chars
warning: description for VIRUS_WARNING16 is over 50 chars
warning: description for VIRUS_WARNING111 is over 50 chars
warning: description for VIRUS_WARNING241 is over 50 chars
warning: description for VIRUS_WARNING62 is over 50 chars
warning: description for VIRUS_WARNING301 is over 50 chars
warning: description for VIRUS_WARNING276 is over 50 chars
warning: description for VIRUS_WARNING180 is over 50 chars
warning: description for VIRUS_WARNING303 is over 50 chars
warning: description for VIRUS_WARNING153 is over 50 chars
warning: description for VIRUS_WARNING144 is over 50 chars
warning: description for VIRUS_WARNING164 is over 50 chars
warning: description for VIRUS_WARNING327 is over 50 chars
warning: description for VIRUS_WARNING278 is over 50 chars
warning: description for VIRUS_WARNING260 is over 50 chars
warning: description for VIRUS_WARNING166 is over 50 chars
warning: description for VIRUS_WARNING185 is over 50 chars
warning: description for VIRUS_WARNING224 is over 50 chars
warning: description for VIRUS_WARNING146 is over 50 chars
warning: description for VIRUS_WARNING177 is over 50 chars
warning: description for VIRUS_WARNING275 is over 50 chars
warning: description for VIRUS_WARNING23 is over 50 chars
warning: description for VIRUS_WARNING148 is over 50 chars
warning: description for VIRUS_WARNING237 is over 50 chars
warning: description for VIRUS_WARNING273 is over 50 chars
warning: description for EXCUSE_ES_03 is over 50 chars
warning: description for VIRUS_WARNING63 is over 50 chars
warning: description for VIRUS_WARNING312 is over 50 chars
warning: description for VIRUS_WARNING_EXE2 is over 50 chars
warning: description for VIRUS_WARNING47 is over 50 chars
warning: description for VIRUS_WARNING218 is over 50 chars
warning: description for VIRUS_WARNING165 is over 50 chars
warning: description for VIRUS_WARNING151 is over 50 chars
warning: description for VIRUS_WARNING265B is over 50 chars
warning: description for VIRUS_WARNING110 is over 50 chars
warning: description for VIRUS_WARNING309 is over 50 chars
warning: description for VIRUS_WARNING304 is over 50 chars
warning: description for VIRUS_WARNING280 is over 50 chars
warning: description for VIRUS_WARNING35 is over 50 chars
warning: description for VIRUS_WARNING265 is over 50 chars
warning: description for VIRUS_WARNING250 is over 50 chars
warning: description for VIRUS_WARNING143 is over 50 chars
warning: description for VIRUS_WARNING13 is over 50 chars
warning: description for VIRUS_WARNING277 is over 50 chars
warning: description for VIRUS_WARNING252 is over 50 chars
warning: rule 'VIRUS_WARNING_MIMEDEFANG' is over 22 chars
warning: rule 'VIRUS_WARNING_MYDOOM_BNCE' is over 22 chars
lint: 51 issues detected.  please rerun with debug enabled for more information.

I have an antivirus running as a milter, how do I disable the virus
tests in SA, and also, why do I have these warnings?

Thanks,

Luis
-- 
-
GNU-GPL: "May The Source Be With You...
-


Re: SA-Learn script

2004-09-30 Thread Thomas Bolioli




This is exactly the kind of starting point I needed to get me to get in
gear and write something similar for my system. For me however, I am
using the std UWash based IMAP and a few other differences but the
important difference/addition is that I want to automatically train my
users emails across all of their boxes including inbox and train on
junk that gets picked up but not auto learned. This way things that
pass the spam test but do not get auto trained will get picked up and
trained and vice versa. Even if some things are falsely trained on
because the script ran before they manually classified their FP/FN
mail, when they use the FP/FN boxes sa-learn is smart enough to relearn
things so this should work. When I get the script done I will post it
back for you to merge in with yours. 
Thanks,
Tom

Rubin Bennett wrote:

  Hello all...
I figure I've asked enough questions of this list that it's about time I
gave something back... You may not want it, but here it is anyway :)

I've written a bash script that will run sa-learn against the
administrator specified False-Positive and False-Negative folders.

Run this script from cron, and have your users drag n' drop emails that
get misclassified by SA to the appropriate folders.  The script will act
in 2 ways:

1.) Run it as root, and it will parse the administrator specified
USERLIST and run the internally defined autoLearn() function as each
user.
2.) Run it as an ordinary user and it will only learn from that user's
email.

I wrote it this way so that I could have a wrapper around sa-learn that
would make sure that the directories exist, create them if they don't
using maildirmake++, and not try to learn from directories with no
messages in them.

This is written to work with Courier IMAP and Maildir; I have not tried
it with anything else.

Someday I may get around to rewriting it in php and using php-imap to do
the moving around etc, but as a dirty hack this works ok.  It also
doesn't need passwords etc. in config files...

I hope this benefits someone out there... if there's enough interest,
I'll put it on my website and do a proper CVS for it.

If anyone has ideas for making it better (or suck less), let me know. 
Patches are always welcome...
  
  

#!/bin/bash

# Copyright (c) 2004 by Rubin Bennett <[EMAIL PROTECTED]>
# All Rights reserved.

#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.


# Usage: IMAP users can move misclassified emails into the "False Negative"
# or "False Positive" folders, and this script will learn from them and put
# them where they belong.
# Spam will be moved to the designated Spam folder, and Ham will be moved to
# the user's Inbox.

# This script should be called by CRON or a similar scheduler.


# Requires:
#	 Maildir style email storage (i.e. Courier IMAP) and IMAP server

# Settings - tweak as necessary.
MAILDIR="/home/$USER/Maildir"
FALSE_NEG_FOLDER="Undetected Spam"
FALSE_POS_FOLDER="Not Spam"
SPAMFOLDER="Spam"

# List of users to run the autoLearn function as (space separated)...
USERLIST=""



autoLearn() {
	# Checks to see if the specified FALSE_NEG_FOLDER and FALSE_POS_FOLDER exist,
	# and creates them if necessary.
	[ -d "${MAILDIR}/.${FALSE_NEG_FOLDER}" ] || /usr/bin/maildirmake++ -f "${FALSE_NEG_FOLDER}" "${MAILDIR}"
	[ -d "${MAILDIR}/.${FALSE_POS_FOLDER}" ] || /usr/bin/maildirmake++ -f "${FALSE_POS_FOLDER}" "${MAILDIR}"
	# Parses the designated Ham folder and then moves its contents to the Inbox
	hamCount=`find "${MAILDIR}/.${FALSE_POS_FOLDER}/cur" | wc -l`
	if [ $hamCount -gt 2 ]
	then
	  echo "Learning from $hamCount HAM's"
	  sa-learn --ham "${MAILDIR}/.${FALSE_POS_FOLDER}/cur/*"
	  # Destination is quoted so a MAILDIR containing spaces still works
	  mv "${MAILDIR}/.${FALSE_POS_FOLDER}/cur/"* "${MAILDIR}/cur/"
	fi
	
	# Parses the "Undetected Spam" folder and then moves its contents to Spam
	spamCount=`find "${MAILDIR}/.${FALSE_NEG_FOLDER}/cur" | wc -l`
	if [ $spamCount -gt 2 ]
	then
	  echo "Learning from $spamCount SPAM's"
	  sa-learn --spam "${MAILDIR}/.${FALSE_NEG_FOLDER}/cur/*"
	  # Destination is quoted so folder names containing spaces still work
	  mv "${MAILDIR}/.${FALSE_NEG_FOLDER}/cur/"* "${MAILDIR}/.${SPAMFOLDER}/cur/"
	fi
}

### End of function declaration ###
if [ "${USER}" == "root" ]
then
  for USER in $USERLIST;
  do
	echo "learning for $USER"
  	su - "$USER" -c sa-autolearn
  done
else
  autoLearn
fi

  






Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Ben Rosengart
On Thu, Sep 30, 2004 at 05:04:35PM -0400, Matt Kettler wrote:
> At 04:43 PM 9/30/2004, Ben Rosengart wrote:
> >we are pretty unhappy about the skimpy upgrade documentation
> 
> Hmm, true, but are you volunteering to help write better documentation? 

I would be happy to summarize whatever I learn and post it to this
list.  If someone wishes to modify that summary and/or make it
available for download, they have my blessing.

> >and the number of apparently-gratuitous changes ("hits" becomes "score"?).
> 
>  You'd not believe the number of  people who don't understand what SA 
> means by "hits" when they first encounter it.

I work for an ISP.  Are you sure I wouldn't believe it?  :-)

I don't take much exception to that change, because it's very easy
to accommodate in a backwards- and forwards-compatible way.  That
is our main concern here at Panix.

That is, all software that currently matches on "hits" can be
changed to match on "(hits|score)", and will work before and after
the upgrade without any difficulty.

To the extent that user_prefs files and (most) command-line options
are similarly backwards- and forwards-compatible, this upgrade will
be painless for us.  To be more explicit, I would like to make
necessary changes *before* the upgrade to the extent that I can, in
such a way that the system will behave as expected both before and
after the upgrade.

What I'm trying to determine here is to what extent that's possible,
and conversely to what extent I will have to synchronize various
parts of the upgrade procedure.

-- 
Ben Rosengart (212) 741-4400 x215

 Unix gives 0.35 t/ha extra yield.
 Can you afford to ignore the Unix difference?


RE: spoofed Received header

2004-09-30 Thread Nate Schindler

> Perhaps you might consider a disposable-email-address 
> factory.  Generate a disposable email address that forwards 
> to your real email address.  Then sign the disposable email 
> address up for the list.
> 
> If you start getting spam at that email address, discontinue 
> the email address.  If you want to remain subscribed to the 
> mailing list, generate another disposable email address.

I do this for my personal server. It's easy to do this with sendmail.  It's not 
so easy with Exchange/Outlook which is what work uses, unfortunately.  But 
yeah, it is a really great way to track where spammers get your address and 
keep your primary spam-free. :)

> 
> [EMAIL PROTECTED]  805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com Software Engineer
> perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
> 


Re: (off topic) PGP/GPG

2004-09-30 Thread David Brodbeck
Robin Lynn Frank wrote:
> Right.  I want to get my key signed by someone I don't know from a hole
> in the wall and, in return, sign his.  Fine.  Let's totally destroy the
> value of signatures.  I don't think so.
 

This is a big problem with GPG, really.  If you're an isolated user 
there's no way to get a signature that means anything, trust-wise.  It 
makes it pretty useless.



RE: spoofed Received header

2004-09-30 Thread Nate Schindler


> -Original Message-
> From: Kris Deugau [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 30, 2004 3:24 PM
> To: users@spamassassin.apache.org
> Subject: Re: spoofed Received header
>
> Er, I think you're getting your terminology mixed up.  Those 
> are usually
> considered to be the same thing (ie, the SMTP "MAIL FROM:" == envelope
> sender).  I think you mean the "From:" field in the message headers
> instead of "envelope from".

Yeah, sorry.  I took a 50/50 shot at getting my terms right.  I'm not running 
for president. ;)

> Er...  You don't want mail that you send to the list to 
> appear as if you
> wrote it?  That's what you're asking for here...

Yes and no.  I think it should be clear that it wasn't sent directly by me, but 
show for informational purposes that I wrote the content.  This is somewhat 
done in practice by prepending [listname] to the message subject, and having 
the reply-to point to the list.
Anyway, my complaint wasn't about mailing list software, and this wouldn't be 
the place for that anyway.  What I was attempting to say, which somewhat 
applied to this original thread, was that we do block From headers that claim to 
be our domain.  It works wonders for combatting spam and viruses, but you don't 
get your own mail back from lists. *shrug*

Below is one example (I have quite a few) of why I do this - a social 
engineering attack sent before I put this policy in place.  I don't expect my 
regional sales managers to know that this wasn't legitimate, although I do my 
best to educate the users.  This appeared to come from [EMAIL PROTECTED]:



Dear user of Riconcorp.com gateway e-mail server,

We  warn  you about some attacks  on your  e-mail account. Your computer may
contain  viruses, in order  to keep your  computer and e-mail  account safe,
please, follow the instructions.

For details see the attached  file.

For  security reasons  attached file is password protected. The  password is 
"14083".

Sincerely,
 The Riconcorp.com team
http://www.riconcorp.com


Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread David Brodbeck
Lucas Albers wrote:
> Some options kick you in the face.
> Such as -a for spamd which will prevent it from starting.
 

But it gives you an error message explaining exactly what you have to 
do, so that's pretty much self-documenting.



Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread snowjack
Kelson wrote:
> How about ROSS: Real Open Source Software?

Bitchin' Open Source Software: BOSS
:-)


RE: spoofed Received header

2004-09-30 Thread Matthew.van.Eerde
Kris Deugau wrote:
> Nate Schindler wrote:
>> I try to treat my e-mail address as if it were my personal phone
>> number.  I don't sign up with many mailing lists for this reason...
>> but I love SpamAssassin, so I've made an exception. ;)  Well, that,
>> and I wanted to track issues with v3.
...
>> Anyway, IMO, when my mail server hands a message off to another
>> external system, it's no longer a trusted message.  It shouldn't come
>> back in claiming to be from us anymore in either from field,
> 
> Er...  You don't want mail that you send to the list to
> appear as if you
> wrote it?  That's what you're asking for here...
> 
> -kgd

Perhaps you might consider a disposable-email-address factory.  Generate a 
disposable email address that forwards to your real email address.  Then sign 
the disposable email address up for the list.

If you start getting spam at that email address, discontinue the email address. 
 If you want to remain subscribed to the mailing list, generate another 
disposable email address.

[EMAIL PROTECTED]  805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"


Re: scan times up!

2004-09-30 Thread Ryan Moore
Chris Santerre wrote:
> Well...
>
> ver     avg scan time
> 2.4x    2.7 seconds
> 3.0     30.4 seconds
>
> OH MY! Network test :)
>
> Any longer and I might just be doing greylisting by accident. ;)

My time is up a little since upgrading, but not that much. I also 
upgraded the hardware on the machine though too, dual 2.0ghz xeon 
upgraded to dual 2.4ghz, and upgraded to linux software raid5 from 
3xJBOD. Doing bayes in SQL, no AWL, most of the rules from 
rulesemporium, SURBL of course, under amavisd-new v2.1.2. Attached is a 
graph that is generated, the little blip in week 38 is when the upgrade 
happened (server wasn't down that long, I just had to fix the graph).

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net

Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Kelson
Kelson wrote:
> Matt Kettler wrote:
> > Perhaps we need a new one.. NBSOSS.. No BS Open Source Software... :)
>
> How about ROSS: Real Open Source Software?

Sorry to reply to my own post, but I came up with a few funnier ones:

TOSS - True Open Source Software.
FLOSS - Freely Licenced Open Source Software
U-DA-BOSS - Unrestricted Distribution Allowed By Open Source Software

We now return you to your regularly scheduled mailing list.
--
Kelson Vibber
SpeedGate Communications 


Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Robert LeBlanc
Matt Kettler wrote:
| I liked OSS better, but then several companies decided offering
| high-dollar licenses to their code made them "open source software" and
| diluted any meaning that expression had.
Actually, I believe the "Free" in FOSS was motivated by Stallman and the
Free Software Foundation, which has a somewhat different definition of
"free software".  The FSF is referring more to freedom in terms of
restrictions on redistribution and use than strictly monetary
definitions.  The "free software" and "open source" camps have been at
each other's throats for years now, squabbling over ideological
distinctions, and I think "FOSS" emerged as a generic term to describe both.
- --
Robert LeBlanc <[EMAIL PROTECTED]>
Renaissoft, Inc.
Maia Mailguard 


Re: spoofed Received header

2004-09-30 Thread Kris Deugau
Nate Schindler wrote:
> There are two From lines in an incoming message, mail from, and the
> envelope from which is in the data portion.

Er, I think you're getting your terminology mixed up.  Those are usually
considered to be the same thing (ie, the SMTP "MAIL FROM:" == envelope
sender).  I think you mean the "From:" field in the message headers
instead of "envelope from".

>  We scan only the envelope from field for our domain name, because
> it's what users see.  For example, in your reply, my mail client says
> the message is from "[EMAIL PROTECTED]".

The "From:" header, not the envelope sender.  Any message sent to the
list should show up in your inbox with the sender's address as the
"From:" address (displayed by your mail client), and the listadmin
address ([EMAIL PROTECTED] for this list IIRC) as the
SMTP envelope sender.

>  When I click
> Reply, I have to change the To field so that it gets back to the
> list, instead of directly to you.

This is how SOME lists are configured;  this is not how all mailing
lists work.  Reply-To munging is a Holy War;  IIRC it was debated here a
while ago.  I specifically set my Reply-To to point to the list here,
because it's rare that anything I post has any reason to get a private
reply.

>  I know this is how list servers
> work, but I don't agree with it.

All decently-written mailing list software I know of will send mail as a
specific envelope sender ("rewriting" it from the original sender's
address) so that bounces don't spam the original sender.  There have
been a few misbehaved vacation programs used by people on this list, and
a few rather strange postmaster notices I've seen in reply to messages I
sent to the list (which should have gone, quite properly, to the list
manager address rather than to me personally).  The only case where I
should see a bounce for a mailing list message is if the list server
itself rejects my message for some reason.

> I try to treat my e-mail address as if it were my personal phone
> number.  I don't sign up with many mailing lists for this reason...
> but I love SpamAssassin, so I've made an exception. ;)  Well, that,
> and I wanted to track issues with v3.

Lists like this are pretty tame;  most list-archive software I've seen
in the past 4-5 years or so will happily blank out or otherwise
obfuscate most email addresses (some ignore the body;  some don't). 
Scraping mailing list archives is a pretty time-consuming way to get
email addresses- if any.  Websites and Usenet are far easier.

> Anyway, IMO, when my mail server hands a message off to another
> external system, it's no longer a trusted message.  It shouldn't come
> back in claiming to be from us anymore in either from field,

Er...  You don't want mail that you send to the list to appear as if you
wrote it?  That's what you're asking for here...

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!
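
Added example (not code from any poster in this thread): a Python sketch of the distinction drawn above between the SMTP envelope sender and the From: header, applied to the inbound policy Nate describes of rejecting outside mail whose From: header claims the local domain. The domains, IP addresses, the LIST_RELAYS exemption and the sample messages are assumptions constructed for illustration; the VERP pattern assumes an ezmlm-style layout of list-return-N-user=domain@listhost.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch (none of these values come from the thread):
LOCAL_DOMAIN = "example.com"                          # domain being protected
OWN_RELAYS = {"192.0.2.10"}                           # hosts allowed to send as LOCAL_DOMAIN
LIST_RELAYS = {"198.51.100.25": "lists.example.org"}  # known list server IP -> bounce domain

# Assumed ezmlm-style VERP bounce address: list-return-<n>-<local>=<domain>@<listhost>
VERP_RE = re.compile(r"^.+-return-\d+-(?P<local>.+)=(?P<domain>[^=@]+)@[^@]+$")


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def verp_recipient(envelope_sender):
    """Recover the subscriber address embedded in a VERP envelope sender."""
    m = VERP_RE.match(envelope_sender)
    return f"{m['local']}@{m['domain']}".lower() if m else None


def verdict(envelope_sender, client_ip, raw_message, allow_list_copies=False):
    """Apply the 'From: header claims our domain' inbound policy.

    envelope_sender is the SMTP MAIL FROM value; the From: header is read
    from the message data. The two are independent and checked separately.
    """
    msg = message_from_string(raw_message)
    _, header_from = parseaddr(msg.get("From", ""))
    if domain_of(header_from) != LOCAL_DOMAIN:
        return "accept"                  # header does not claim to be us
    if client_ip in OWN_RELAYS:
        return "accept"                  # it really was sent by us
    if allow_list_copies:
        # List-Id and similar headers are sender-controlled, so the exemption
        # keys on the connecting IP plus a VERP envelope naming a local user.
        bounce_domain = LIST_RELAYS.get(client_ip)
        subscriber = verp_recipient(envelope_sender)
        if (bounce_domain and domain_of(envelope_sender) == bounce_domain
                and subscriber and domain_of(subscriber) == LOCAL_DOMAIN):
            return "accept-list-copy"
    return "reject"


# Constructed sample messages (not taken from the thread).
PHISH = (
    "From: support@example.com\n"
    "To: sales@example.com\n"
    "Subject: Warning about your e-mail account\n"
    "\n"
    "For details see the attached file.\n"
)
LIST_COPY = (
    "From: Nate <nate@example.com>\n"
    "To: users@lists.example.org\n"
    "List-Id: <users.lists.example.org>\n"
    "Subject: Re: spoofed Received header\n"
    "\n"
    "My own post, coming back from the list.\n"
)


def demo():
    """Run both policies over the samples and return the verdicts by name."""
    verp = "users-return-42-nate=example.com@lists.example.org"
    outside, list_ip = "203.0.113.7", "198.51.100.25"
    return {
        # Forged From: header, unrelated envelope sender, unknown host.
        "phish_strict": verdict("x9@mail.example.net", outside, PHISH),
        "phish_relaxed": verdict("x9@mail.example.net", outside, PHISH, True),
        # The side effect from the thread: your own list post is rejected.
        "list_strict": verdict(verp, list_ip, LIST_COPY),
        "list_relaxed": verdict(verp, list_ip, LIST_COPY, True),
        # Same headers and envelope, but not from the known list server.
        "forged_list": verdict(verp, outside, LIST_COPY, True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

With the strict policy both the forged message and the genuine list copy are rejected, which is the trade-off described in the thread; the relaxed variant only lets the copy through when it arrives from the known list host.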


Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Kelson
Matt Kettler wrote:
> Given that it's been around for at least 6 years (I spotted it in a May 
> 1998 post on usenet) I don't think FOSS is going anywhere.
>
> I liked OSS better, but then several companies decided offering 
> high-dollar licenses to their code made them "open source software" and 
> diluted any meaning that expression had.
>
> Perhaps we need a new one.. NBSOSS.. No BS Open Source Software... :)

How about ROSS: Real Open Source Software?
--
Kelson Vibber
SpeedGate Communications 


RE: scan times up!

2004-09-30 Thread Chris Santerre


>-Original Message-
>From: Matt Kettler [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 30, 2004 5:23 PM
>To: Chris Santerre; Spamassassin-Talk (E-mail)
>Subject: Re: scan times up!
>
>
>At 05:10 PM 9/30/2004, Chris Santerre wrote:
>>Well...
>>
>>ver     avg scan time
>>2.4x    2.7 seconds
>>3.0     30.4 seconds
>>
>>OH MY! Network test :)
>
>Ouch, that's slow.
>
>Some points of interest that may be a part of the difference:
>
>Do you have bayes enabled (a major consumer not present in 2.4, 
>particularly when autolearning and autoexpiring)?

No Bayes. IMHO not worth the work.

>
>Did you disable the AWL (defaults to ON in SA 3.0, unlike 2.4)?

No, but I will be doing that! I hate AWL!!

--Chris


Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Matt Kettler
At 05:11 PM 9/30/2004, Will Yardley wrote:
> Side note - who came up with this horrible acronym (I can't bring myself
> to repeat it), and can people stop using it already!

Given that it's been around for at least 6 years (I spotted it in a May 
1998 post on usenet) I don't think FOSS is going anywhere.

I liked OSS better, but then several companies decided offering high-dollar 
licenses to their code made them "open source software" and diluted any 
meaning that expression had.

Perhaps we need a new one.. NBSOSS.. No BS Open Source Software... :)



RE: spoofed Received header

2004-09-30 Thread Nate Schindler


> -Original Message-
> From: Will Yardley [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 30, 2004 12:58 PM
> To: users@spamassassin.apache.org
> Subject: Re: spoofed Received header
> 
> 
> On Thu, Sep 30, 2004 at 12:50:04PM -0700, Nate Schindler wrote:
> 
> > I actually block all incoming mail that claims to be from my domain.
> > The only problem is that I don't get copies of messages 
> that I send to
> > some lists, such as this one.  But... as far as I'm concerned, if a
> > mail server isn't listed as an MX for , it 
> should use
> >  in the mail from or envelope from fields.  It's a
> > wide open hole for spam and social engineering attacks.
> 
> Should or should not?
> And what does being listed as an MX have to do with sending mail? It's
> completely reasonable for a server not listed as an MX for a domain to
> send mail "from" that domain. Or am I misunderstanding what you're
> saying?

Sorry, I meant should NOT. :)
According to the RFCs (from what I've seen) MX records are *not* required for 
sending servers.  This is a problem.  Unfortunately, it's difficult to validate 
a source machine when an MX record doesn't exist.  Even when we had a send-only 
server, we had a low-priority MX record for it.  Many anti-spam packages do RMX 
lookups, if not to validate 'mail from', to at least see if records exist for 
it at all to make it seem more like a legitimate mail host.

> 
> > I was actually surprised to see that even anti-spam lists 
> such as this
> > one spoof the envelope from field. :/
> 
> What are you talking about?
> 
> Any reasonable MLM (including the one used for this list, which I
> believe is EZMLM) rewrites the envelope address to its own.
> 
> Because the MLM used by this list uses VERP, your address is 
> embedded in
> the envelope-address - maybe your filters just aren't configured
> properly?
> 

There are two From lines in an incoming message, mail from, and the envelope 
from which is in the data portion.  We scan only the envelope from field for 
our domain name, because it's what users see.  For example, in your reply, my 
mail client says the message is from "[EMAIL PROTECTED]".  When I click Reply, 
I have to change the To field so that it gets back to the list, instead of 
directly to you.  I know this is how list servers work, but I don't agree with 
it.

I did mis-state what I said above.  Technically, it's not "spoofed".  Having 
the original sender in the envelope from field, even though the message isn't 
being delivered by the original mail server, is allowed according to the 
RFCs... but when it comes to getting a virus that uses my address in the 
envelope from field, should I say that wasn't spoofed either?
There's also the point that with these list archives, since address obfuscation 
is either very simple, or nonexistent, scouring bots can acquire our addresses.

I try to treat my e-mail address as if it were my personal phone number.  I 
don't sign up with many mailing lists for this reason... but I love 
SpamAssassin, so I've made an exception. ;)  Well, that, and I wanted to track 
issues with v3.

Anyway, IMO, when my mail server hands a message off to another external 
system, it's no longer a trusted message.  It shouldn't come back in claiming 
to be from us anymore in either from field, and I'll happily bounce it right 
back.  It's a flaw in the standard which is exploited by spammers and virus 
programmers.  There are ietf drafts for using rmx validation for sending hosts, 
but who knows if those'll ever become anything solid.

Nate


> From 
> [EMAIL PROTECTED]
> 
> 


Re: scan times up!

2004-09-30 Thread Matt Kettler
At 05:10 PM 9/30/2004, Chris Santerre wrote:
> Well...
>
> ver     avg scan time
> 2.4x    2.7 seconds
> 3.0     30.4 seconds
>
> OH MY! Network test :)

Ouch, that's slow.

Some points of interest that may be a part of the difference:

Do you have bayes enabled (a major consumer not present in 2.4, 
particularly when autolearning and autoexpiring)?

Did you disable the AWL (defaults to ON in SA 3.0, unlike 2.4)?


Re: Whitelist to improve performance?

2004-09-30 Thread Matt Kettler


At 04:54 PM 9/30/2004, Tan, William wrote:
> My understanding is that the manual whitelist function in SA simply starts
> the message scoring at -100.  Is there a way to have spamc/spamd
> abort scoring a message if the sender is whitelisted?  I'd think
> that this would improve performance on these messages since rbls, dcc,
> razor, and pyzor would be skipped.

Disclaimer: I'm not a dev, but this is based on my understanding of the
SA code. Justin/Theo/Dan/whoever, please feel free to correct any subtle
details I'm wrong on.

No, such things are generally implemented in the tool calling SA.

By the time SA figures out who a message is from/to, it's already parsed
most of the message headers anyway and the RBL queries are already
in-progress. Aborting the scan at this point saves some CPU time, but not
as much as you'd like. It would also likely result in an ugly kludge deep
in the heart of the rules engine, or a slowdown by forcing this check to
run before the DNSBL checks can start (instead of in parallel like they
are now).

Really this is SO much better implemented by preempting the call at a
higher layer.

Besides, depending on what headers your MTA drops in, SA might not even
accurately know who a message is being delivered to in the first
place.

SA's whitelist features are really a bit of a kludge themselves, but they
exist for those who don't have any other option.

> If not (and this is more of a postfix question), is there a way to use
> whitelists in postfix to bypass SA (or a content_filter in
> general)?

This I can't answer, but I suspect there is a way.




RE: 2.6 -> 3.0 migration questions

2004-09-30 Thread Chris Santerre


>-Original Message-
>From: Matt Kettler [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 30, 2004 5:05 PM
>To: users@spamassassin.apache.org
>Subject: Re: 2.6 -> 3.0 migration questions
>
>
>At 04:43 PM 9/30/2004, Ben Rosengart wrote:
>>we are pretty unhappy about the skimpy upgrade documentation
>
>Hmm, true, but are you volunteering to help write better 
>documentation? 
>(General principle in FOSS: If you don't like it, volunteer to help if 
>you're able.)
>

Reminds me of something DQ says a lot, something like, "If you submit the
code for that, we will be happy to review it." :-) 

>At least this time there is an UPGRADE document. That never 
>happened before 
>in any other release, which is a small step forward. Prior 
>releases got a 
>few terse notes about the major issues added to README, but 
>nothing nearly 
>as in-depth as the still-sparse UPGRADE document from 3.0.

Yes, I was quite happy to see an UPGRADE. That is a step forward. It also
says to see the wiki. They can't know everyone's setups, but they give you
the basics.

>
>
>>and the number of apparently-gratuitous changes ("hits" 
>becomes "score"?).
>
>  You'd not believe the number of  people who don't understand what SA 
>means by "hits" when they first encounter it. Particularly 
>since SA used to 
>use "score" "hits" and "points" interchangeably and without 
>much consistency.
>
>A lot of naming convention changes come about after realizing that the 
>original naming isn't as clear as originally thought, or 
>inconsistent with 
>other parts of the software. It's painful to go through, but 
>makes life a 
>bit easier on the project in the long run by improving clarity.
>

I'm also happy to see this change. 

--Chris


Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Will Yardley
On Thu, Sep 30, 2004 at 05:04:35PM -0400, Matt Kettler wrote:
> At 04:43 PM 9/30/2004, Ben Rosengart wrote:

> > we are pretty unhappy about the skimpy upgrade documentation
> 
> Hmm, true, but are you volunteering to help write better documentation? 
> (General principle in FOSS: If you don't like it, volunteer to help if 

Side note - who came up with this horrible acronym (I can't bring myself
to repeat it), and can people stop using it already!


scan times up!

2004-09-30 Thread Chris Santerre
Well...

ver    avg scan time
2.4x   2.7 seconds
3.0    30.4 seconds

OH MY! Network test :)

Any longer and I might just be doing greylisting by accident. ;)

Chris Santerre 
System Admin and SARE Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 


Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Matt Kettler
At 04:43 PM 9/30/2004, Ben Rosengart wrote:
> we are pretty unhappy about the skimpy upgrade documentation
Hmm, true, but are you volunteering to help write better documentation? 
(General principle in FOSS: If you don't like it, volunteer to help if 
you're able.)

At least this time there is an UPGRADE document. That never happened before 
in any other release, which is a small step forward. Prior releases got a 
few terse notes about the major issues added to README, but nothing nearly 
as in-depth as the still-sparse UPGRADE document from 3.0.


> and the number of apparently-gratuitous changes ("hits" becomes "score"?).
 You'd not believe the number of  people who don't understand what SA 
means by "hits" when they first encounter it. Particularly since SA used to 
use "score" "hits" and "points" interchangeably and without much consistency.

A lot of naming convention changes come about after realizing that the 
original naming isn't as clear as originally thought, or inconsistent with 
other parts of the software. It's painful to go through, but makes life a 
bit easier on the project in the long run by improving clarity.

This lack of consistency has been in the buglist for a long time.
http://bugzilla.spamassassin.org/show_bug.cgi?id=1332 



Whitelist to improve performance?

2004-09-30 Thread Tan, William



My configuration is Postfix 2.1.5 and SpamAssassin 3.0.0.  We're using spamc as
a content_filter in /etc/postfix/master.cf to call spamd.

My understanding is that the manual whitelist function in SA simply starts the
message scoring at -100.  Is there a way to have spamc/spamd abort scoring a
message if the sender is whitelisted?  I'd think that this would improve
performance on these messages since rbls, dcc, razor, and pyzor would be skipped.

If not (and this is more of a postfix question), is there a way to use
whitelists in postfix to bypass SA (or a content_filter in general)?

William W. Tan
Chief Technology Officer
Eze Castle Integration, Inc.
50 Federal St., Suite 400
Boston, MA 02110
(617) 217-3006
[EMAIL PROTECTED]
 


Re: Preferred DNSBL

2004-09-30 Thread Ed Kasky
At 05:01 AM Thursday, 9/30/2004, John Fleming wrote -=>
- Original Message -
From: "Ed Kasky" <[EMAIL PROTECTED]>
To: 
Sent: Monday, September 27, 2004 2:49 PM
Subject: Re: Preferred DNSBL
> Rejects Since Sunday 4:00 am via rbls:
>
> spamcop: 65
> maps rbl+: 154
> dsbl.org: 9
> njabl.org: 18
> spamhaus: 18
What/how are you guys gathering the data above?  Thanks - John
A simple shell script that I found somewhere and tweaked for my needs:
#!/bin/bash
#
# spam-stats  -- print counts of clean and spammy messages
#from spamassassin.
#echo -e "="
echo -e "SpamAssassin Results for:"
date
echo -e "spam:" `grep "identified spam" /var/log/maillog | wc -l`
echo -e "clean:" `grep "clean message" /var/log/maillog | grep spamd |wc -l`
echo -e "skipped:" `grep "skipped large" /var/log/maillog | wc -l`
echo -e "total:" `grep "spamd[[0-9]*]: connection from" /var/log/maillog | wc -l`
echo -e "processed:" `grep "processing message" /var/log/maillog | wc -l`
echo -e "="
echo -e "maps rbl+:" `grep "refused by blackhole site rbl-plus.mail-abuse.org" /var/log/maillog | wc -l`

Produces the following:
SpamAssassin Results for:
Thu Sep 30 13:44:03 PDT 2004
spam: 261
clean: 1715
skipped: 0
total: 1967
processed: 1976
=
maps rbl+: 625
I have more greps but you get the idea...
Ed
. . . . . . . .
Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein, physicist, Nobel laureate (1879-1955)



Re: User rule found but sometimes not counted

2004-09-30 Thread Arun Bhalla

Matt Kettler writes:
> At 04:31 PM 9/30/2004, Arun Bhalla wrote:
> > > >Hi, about a week ago I upgraded to SA 3.0.0 from 2.64.  I run spamd (with
> > > >options "-d -c"), and call spamc from my .procmailrc.  SA is installed
> > > >systemwide (e.g., local.cf is in /etc/mail/spamassassin), but I
> > > >also have my own user_prefs file that I tweak.
> > >
> > >
> > > Is allow_user_rules set in local.cf? If not, spamd is required to ignore
> > > your rules in user_prefs, and it's a bug that they are being parsed at all.
> >
> >Good question!  I should have mentioned that, but yes, it is.
> >
> >allow_user_rules 1
> >
> >So it's not that.
> 
> Ok, next shot.. any complaints issued when you run spamassassin --lint?

Not now, but there were some warnings a little earlier today that I fixed.
Looks like it was just 2.6->3.0 warnings, and I commented all of the lines
out.  I wouldn't expect that they would cause any trouble.

% spamassassin --lint
config: SpamAssassin failed to parse line, skipping: rewrite_subject   0
config: SpamAssassin failed to parse line, skipping: use_terse_report   1
warning: score set for non-existent rule X_OSIRU_DUL_FH
warning: score set for non-existent rule X_OSIRU_DUL
warning: score set for non-existent rule X_OSIRU_SPAMWARE_SITE
warning: score set for non-existent rule X_OSIRU_SPAM_SRC
warning: score set for non-existent rule RCVD_IN_OSIRUSOFT_COM
warning: score set for non-existent rule X_OSIRU_OPEN_RELAY
lint: 8 issues detected.  please rerun with debug enabled for more information.

Arun


Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Ben Rosengart
On Wed, Sep 29, 2004 at 06:40:18PM -0600, Lucas Albers wrote:
> Some options kick you in the face.
> Such as -a for spamd which will prevent it from starting.

Ouch.

Is the list of deprecated options and directives in the UPGRADE
document definitive?

Here at Panix -- where we have a bunch of spamds, a bunch of spamcs,
a whole lot of automatically- and hand-generated customer
configurations, and no way to upgrade everything all at once -- we
are pretty unhappy about the skimpy upgrade documentation, and the
number of apparently-gratuitous changes ("hits" becomes "score"?).

-- 
Ben Rosengart     (212) 741-4400 x215

 Unix gives 0.35 t/ha extra yield.
 Can you afford to ignore the Unix difference?


Re: User rule found but sometimes not counted

2004-09-30 Thread Matt Kettler
At 04:31 PM 9/30/2004, Arun Bhalla wrote:
> >Hi, about a week ago I upgraded to SA 3.0.0 from 2.64.  I run spamd (with
> >options "-d -c"), and call spamc from my .procmailrc.  SA is installed
> >systemwide (e.g., local.cf is in /etc/mail/spamassassin), but I
> >also have my own user_prefs file that I tweak.
>
>
> Is allow_user_rules set in local.cf? If not, spamd is required to ignore
> your rules in user_prefs, and it's a bug that they are being parsed at all.
Good question!  I should have mentioned that, but yes, it is.
allow_user_rules 1
So it's not that.
Ok, next shot.. any complaints issued when you run spamassassin --lint?



Re: User rule found but sometimes not counted

2004-09-30 Thread Arun Bhalla

Matt Kettler writes:
> At 04:23 PM 9/30/2004, Arun Bhalla wrote:
> >Hi, about a week ago I upgraded to SA 3.0.0 from 2.64.  I run spamd (with
> >options "-d -c"), and call spamc from my .procmailrc.  SA is installed
> >systemwide (e.g., local.cf is in /etc/mail/spamassassin), but I
> >also have my own user_prefs file that I tweak.
> 
> 
> Is allow_user_rules set in local.cf? If not, spamd is required to ignore 
> your rules in user_prefs, and it's a bug that they are being parsed at all.

Good question!  I should have mentioned that, but yes, it is.

allow_user_rules 1

So it's not that.


Thanks,
Arun


Re: User rule found but sometimes not counted

2004-09-30 Thread Matt Kettler
At 04:23 PM 9/30/2004, Arun Bhalla wrote:
Hi, about a week ago I upgraded to SA 3.0.0 from 2.64.  I run spamd (with
options "-d -c"), and call spamc from my .procmailrc.  SA is installed
systemwide (e.g., local.cf is in /etc/mail/spamassassin), but I
also have my own user_prefs file that I tweak.

Is allow_user_rules set in local.cf? If not, spamd is required to ignore 
your rules in user_prefs, and it's a bug that they are being parsed at all.



User rule found but sometimes not counted

2004-09-30 Thread Arun Bhalla
Hi, about a week ago I upgraded to SA 3.0.0 from 2.64.  I run spamd (with
options "-d -c"), and call spamc from my .procmailrc.  SA is installed
systemwide (e.g., local.cf is in /etc/mail/spamassassin), but I
also have my own user_prefs file that I tweak.

I happen to get a fair amount of spam that references a mail address in
Aruba.  Since I don't have much interest in Aruba, I use the following
rule. (I could tweak it to also look for "Oranjestad" to be more specific.)

body ARUBA /A\s?rub\s?a/
score ARUBA 5.0
describe ARUBA "Oranjestad, Aruba"

This rule seems to work well, but I've noticed that sometimes SA will detect
the rule but not count the score.  This seems to only occur with spamc.
At the very least, when I run "spamassassin -t" on the same message, ARUBA's
score will be counted.

For instance, here's a snippet from a recently miscounted email:

X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on xxx
X-Spam-Status: No, score=2.1 required=3.8 tests=ARUBA,BAYES_50,HTML_40_50,
HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF autolearn=no
version=3.0.0
X-Spam-Level: **

The score should have been at least 7.1, but instead it's only 2.1.  Clearly
ARUBA was found but not scored.

This is slightly annoying, but it might be more troubling if this is happening
to other rules in one's user_prefs files, or maybe other rules in general.

If this sort of problem hasn't been noticed before, I'll be happy to help,
presumably by turning on -D for spamd.

Thanks,
Arun


Re: Rule problem (.exe attachments)

2004-09-30 Thread LuKreme
On 29 Sep 2004, at 16:10, Jay Hall wrote:
I changed the rules as you suggested, but e-mails with exe attachments 
are still not being marked as SPAM.  However, others are.  Following 
are the headers from an e-mail sent with an exe attachment.
These are not the headers you are looking for
You need the MIME headers from the body of the message to ensure that 
the name is, in fact, supposed to match.

To: [EMAIL PROTECTED]
Subject: EXE Test 1 - exe
Content-Type: multipart/mixed; 
boundary="050409040702070007040104"
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on 
mnea-hq.mnea.org
X-Spam-Level:
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham 
version=2.64
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 29 Sep 2004 22:12:44.0170 (UTC) 
FILETIME=[71AA06A0:01C4A671]

If I am reading the headers correctly, it appears the attachment tests 
were not done in this case.  The file attached to the message was 
vncviewer.exe.
Is the total size over 256K? (or whatever your threshold is set to)?
--
I'm sitting here with 4 Megs of RAM trying to figure out how to use it 
all... :-)  (Me, in 1990)





Re: spoofed Received header

2004-09-30 Thread Will Yardley
On Thu, Sep 30, 2004 at 12:50:04PM -0700, Nate Schindler wrote:

> I actually block all incoming mail that claims to be from my domain.
> The only problem is that I don't get copies of messages that I send to
> some lists, such as this one.  But... as far as I'm concerned, if a
> mail server isn't listed as an MX for , it should use
>  in the mail from or envelope from fields.  It's a
> wide open hole for spam and social engineering attacks.

Should or should not?
And what does being listed as an MX have to do with sending mail? It's
completely reasonable for a server not listed as an MX for a domain to
send mail "from" that domain. Or am I misunderstanding what you're
saying?

> I was actually surprised to see that even anti-spam lists such as this
> one spoof the envelope from field. :/

What are you talking about?

Any reasonable MLM (including the one used for this list, which I
believe is EZMLM) rewrites the envelope address to its own.

Because the MLM used by this list uses VERP, your address is embedded in
the envelope-address - maybe your filters just aren't configured
properly?

>From [EMAIL PROTECTED]



Re: Sorry Florida.

2004-09-30 Thread Vivek Khera
On Sep 30, 2004, at 3:27 PM, Chris Santerre wrote:
Yes, I asked SURBL a while back about this as well. I saw a slight 
decline
during the Hurricane weeks.

coincidentally, I saw a trickle to ZERO fax spams during that time as 
well.  got one last week, though.  Always have the same "opt out" phone 
number, so i know it is the same idiots.

Vivek Khera, Ph.D.
+1-301-869-4449 x806


RE: spoofed Received header

2004-09-30 Thread Nate Schindler
I actually block all incoming mail that claims to be from my domain.  The only 
problem is that I don't get copies of messages that I send to some lists, such 
as this one.
But... as far as I'm concerned, if a mail server isn't listed as an MX for 
, it should use  in the mail from or envelope 
from fields.  It's a wide open hole for spam and social engineering attacks.
I was actually surprised to see that even anti-spam lists such as this one 
spoof the envelope from field. :/
Oh, well... I still get everyone else's posts.

Nate

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 3:22 PM
To: users@spamassassin.apache.org
Subject: Re: spoofed Received header


> Received: from 64.239.129.105 ([:::219.144.149.91])
> From: "Trina Parr" <[EMAIL PROTECTED]>
>
> where in Received: 1st ip is my mx, but 2nd is spammers host
> and in From: name is some arbitrary name with my email address
>
> is it possible to make regex in local.cf that would check that both ips in
Received are the same?

Yes, but it can get tricky, because there are so many received formats.

A very simple test could be something like

/64\.239\.129\.105 \(\[(?!64\.239\.129\.105).{1,20}\]\)/

Assuming I typed that right it will check for a double-dotquad format where
the second doesn't match and the first one matches.  Of course you could
have a hostname between the ([ characters, so you really should handle that
somehow.  Perhaps insert a [\w\.]{0,50} or the like there.

I've got a cold and am not thinking too clearly at the moment, so I don't
know how many legit things that might declare to be bogus.  You could try it
with a real low score and see what sort of things it hits on.  Maybe it
would work for you.

Loren
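
Added example (not part of the thread, and not SpamAssassin code): Loren's pattern run in Python against constructed Received headers, next to a generalised check that also accepts a reverse-DNS name before the bracket and an IPv6-style prefix on the peer address. The function names, the `our_ips` parameter and every sample header except the first (which follows the header quoted in the post) are assumptions made for illustration.

```python
import ipaddress
import re

# Loren's pattern from the post, verbatim; Perl and Python read it the same way.
LOREN_RE = re.compile(r"64\.239\.129\.105 \(\[(?!64\.239\.129\.105).{1,20}\]\)")

# Generalised shape: "from <helo> (<optional rDNS name> [<peer address>])".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[\w.-]{0,50})\s*"
    r"\[(?P<peer>[0-9A-Fa-f:.]{1,45})\]\)"
)
# Dotted quad at the end of the bracketed address, after any "::ffff:"-style prefix.
TRAILING_QUAD_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$")


def loren_match(header):
    """True when the pattern from the post fires on this header."""
    return LOREN_RE.search(header) is not None


def peer_ipv4(peer):
    """IPv4 address at the end of the bracketed peer field, or None."""
    m = TRAILING_QUAD_RE.search(peer)
    if m is None:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def helo_borrows_our_ip(header, our_ips):
    """True  : HELO is one of our own addresses but the peer is someone else.
    False : HELO is a hostname, or HELO and peer are both ours.
    None  : header shape not recognised, or peer is not an IPv4 address."""
    m = RECEIVED_RE.search(header)
    if m is None:
        return None
    try:
        helo = ipaddress.IPv4Address(m.group("helo").strip("[]"))
    except ValueError:
        return False  # HELO is a name, not an address literal
    peer = peer_ipv4(m.group("peer"))
    if peer is None:
        return None
    ours = {ipaddress.IPv4Address(ip) for ip in our_ips}
    return helo in ours and peer not in ours


OUR_MX = ["64.239.129.105"]  # the MX address given in the post

# First entry follows the header quoted in the post; the rest are constructed.
SAMPLES = {
    "post": "Received: from 64.239.129.105 ([:::219.144.149.91])",
    "same_ip": "Received: from 64.239.129.105 ([64.239.129.105])",
    "with_rdns": "Received: from 64.239.129.105 (host.example.net [::ffff:219.144.149.91])",
    "hostname_helo": "Received: from mail.example.org (mail.example.org [192.0.2.10])",
    "ipv6_peer": "Received: from 64.239.129.105 ([2001:db8::25])",
}


def report():
    """(name, Loren's pattern, generalised check) for every sample header."""
    return [
        (name, loren_match(h), helo_borrows_our_ip(h, OUR_MX))
        for name, h in SAMPLES.items()
    ]


if __name__ == "__main__":
    for row in report():
        print("%-14s loren=%-5s general=%s" % row)
```

The `with_rdns` sample is the case Loren warns about: a name between `(` and `[` makes the literal pattern miss, while the generalised check still flags it.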



Re: Sorry Florida.

2004-09-30 Thread Raquel Rice
On Thu, 30 Sep 2004 15:10:07 -0400
AltGrendel <[EMAIL PROTECTED]> wrote:

> I've noticed about a 10% decrease in spam since Florida started
> having all those problems with tropical weather.
> 
> Anyone else notice this?
> 
> I'm not trying to bash Florida, just something I noticed in the
> logs.
> 

I've been getting more in the last few days than during any period
in the past!

-- 
Raquel

All animals are equal but some animals are more equal than others.
  --George Orwell, "Animal Farm"



Re: 'Spam Forensics: Reverse-Engineering Spammer Tactics'

2004-09-30 Thread Justin Mason


Chris Santerre writes:
> Very nice. Page 13: Detecting Hashbusters, 2, who the hell figured that out?
> Damn!

;)

> SARE has run into the problem that there isn't much NEW in spam to tag on.
> SA, SURBL, and SARE have 99% of everything covered. Like you stated, most of
> their tricks now end up being tagged. I'm real curious as to what they try
> next cause I'm kind of stumped as to how to get around this. Think like a
> spammer to catch one. 

Oh, I'm sure they'll think up something

--j.



RE: Sorry Florida.

2004-09-30 Thread Chris Santerre
Yes, I asked SURBL a while back about this as well. I saw a slight decline
during the Hurricane weeks. 

--Chris

>-Original Message-
>From: AltGrendel [mailto:[EMAIL PROTECTED]
>Sent: Thursday, September 30, 2004 3:10 PM
>To: users@spamassassin.apache.org
>Subject: Sorry Florida.
>
>
>I've noticed about a 10% decrease in spam since Florida started having
>all those problems with tropical weather.
>
>Anyone else notice this?
>
>I'm not trying to bash Florida, just something I noticed in the logs.
>
> 
>It's amazing how much better you feel once you've given up hope.
>
>


RE: 'Spam Forensics: Reverse-Engineering Spammer Tactics'

2004-09-30 Thread Chris Santerre


>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, September 29, 2004 6:37 PM
>To: users@spamassassin.apache.org
>Subject: 'Spam Forensics: Reverse-Engineering Spammer Tactics'
>
>
>My slides from the presentation I gave at Toorcon 2004, 'Spam 
>Forensics:
>Reverse-Engineering Spammer Tactics', are now up, if anyone's 
>interested
>in having a read ;)
>
>  http://spamassassin.apache.org/presentations/2004-09-Toorcon/html
>

Very nice. Page 13: Detecting Hashbusters, 2, who the hell figured that out?
Damn!

SARE has run into the problem that there isn't much NEW in spam to tag on.
SA, SURBL, and SARE have 99% of everything covered. Like you stated, most of
their tricks now end up being tagged. I'm real curious as to what they try
next cause I'm kind of stumped as to how to get around this. Think like a
spammer to catch one. 

--Chris


Sorry Florida.

2004-09-30 Thread AltGrendel
I've noticed about a 10% decrease in spam since Florida started having
all those problems with tropical weather.

Anyone else notice this?

I'm not trying to bash Florida, just something I noticed in the logs.

 
It's amazing how much better you feel once you've given up hope.




Re: sql/bayes

2004-09-30 Thread Robin Lynn Frank
On Thu, 30 Sep 2004 18:42:59 +0200
Sune Kloppenborg Jeppesen <[EMAIL PROTECTED]> wrote:

> On Thursday 30 September 2004 18:05, Robin Lynn Frank wrote:
> > While I can see the advantage of keeping awl and prefs in a sql
> > database, I can't see an advantage to keeping bayes data in a sql
> > db.
> >
> > Can someone point out an advantage?  Would there be any disadvantage
> > in keeping everything except bayes in sql?
> You could have two front end servers using the same Bayes backend with
> SQL. This makes autolearning work easily across multiple servers.
> 
An interesting thought.  I'm not sure we'd need it, but I'll remember
it.  The reason I brought this up is because we'd once tested dspam with
mysql and found that mysql seemed more likely to slow down considerably
as disk i/o demands rose.  It appeared to me that berkeleydb was less
touchy that way, though I suspect issues of lock contention might be 
greater.

-- 
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
http://www.paradigm-omega.com
==
Sed quis custodiet ipsos custodes?




Re: Bayes scores in SA 3.0

2004-09-30 Thread Nels Lindquist
On 30 Sep 2004 at 9:00, Chip Paswater wrote:

> Does a human review the scores generated by the statistics engine?
> 
> Doesn't it make sense to have more of a bell curve on the 2nd set of bayes
> scores?
> 
> If not, why not?
> 
> The teeth seem to be taken out of BAYES_99 with its low 1.9 score,
> and most of my spam is triggering .99 to 1.  That to me seems like an
> obvious oversight, and I'm just wondering what the thinking was to leave it
> at 1.9 for the 3.0 release.

I can't speak for the developers, but the discussion of how the GA 
evolved scores work has come up on previous releases as well.

Basically what you're seeing is that the network tests are so 
effective (most likely due to DNSURI tests) that the effect of high 
bayes scores becomes much less important when classifying the 
spammiest spam *during the GA run.*  That last bit is important--the 
GA run is processing a known corpus, rather than a live mail feed.  
In my opinion, it therefore gives more weight to the network tests 
than is directly applicable to a real-world SA setup because there is 
no GA-testable reporting delay.  

It takes some (admittedly quite short) period of time before specific 
spam is reported to Razor, SpamCop, etc. and makes its way onto the 
various DNSBL and hash-based servers, and if you happen to be one of 
the unlucky few at the front of a particular spam wave, many of the 
net-based tests can be missed.  There are ways of alleviating this--
many who have implemented MTA-based greylisting, for example, report 
that delivery delays of as short as five to fifteen minutes can 
provide enough time for spam reporting propagation and significantly 
increase net-test efficacy.

With SA alone, however, I agree that the distributed bayes scores 
should be bumped up.  I'm setting the bayes scores in ruleset 4 to be 
the same as ruleset 3 (bayes but no network tests) and I may even 
revert to the 2.6 bayes values.

If you do override scores for individual tests, make sure you do it 
in local.cf rather than 50_scores.cf.  That way, a future point 
release upgrade won't clobber your careful massaging. :-)


Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.



RE: Cygwin SA3.0 Problems

2004-09-30 Thread Jason J Ellingson
Yes, that sounds right... I remember that when I followed my exact same 
instructions on a new server, that it had these problems.  Forgot about that.  I 
agree it is a problem with CygWin version.

I did notice some compiling issues with PERL 5.8 as well (even on the older, 
stable CygWin versions)... So I always installed PERL 5.6.1.

Thanks for jogging my memory.

The working CygWin version would be before March 2004 or so (when I did 
that fresh install that had the same problems as you).  The install I did in 
November 2003 worked fine.

- Jason


- Original Message -
From:    Robert Lacroix <rl@belacove.com>
Subject: RE: Cygwin SA3.0 Problems
Date:    Thu, 30 Sep 2004 11:13:06 -05:00

It's definitely a problem with spamd, spamc running in cygwin had the
same problems as spamcpp, winspamc and my own custom spamc in .NET.
SpamD just sets the FIN flag before having sent the entire message.
Luckily I had an old Cygwin installation with Perl 5.8.0 where I just
installed SA3 and now the problem is gone on all machines. So it
definitely has something to do with any cygwin package version involved.
Any ideas which one :) ?

/robert

-Original Message-
From: Jason J. Ellingson [mailto:jason@ellingson.com]
Sent: Thursday, September 30, 2004 4:05 AM
To: Robert Lacroix; users@spamassassin.apache.org; 'JamesDR'
Subject: RE: Cygwin SA3.0 Problems

What method are you connecting to your CygWin SpamD?

Perhaps the problem is not with SpamD, but with SpamC.  I noticed that
the new SA3.0 doesn't always fill the incoming TCP for your SpamC
calling application buffer... I use 1024 byte buffers.  This may be
throwing whichever SpamC you are using into confusion as it takes a
non-full buffer to mean that this is the last packet for the email
results.  I use the new Content-length header as a check for message
completeness...

I wrote my own custom SpamC in .NET as a plug-in for XMail and stopped
having those issues you are having.

I seem to remember having some issues with WinSpamC (on sourceforge.net)
not getting the entire emails either but had pretty good luck with
the SpamC compiled in CygWin.

Feel free to email me directly.  I'm happy to help where I can.

Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
jason@ellingson.com
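
Added example (not from the thread, and not any of the clients named in it): the failure mode Jason describes, where a client treats a non-full 1024-byte read as the end of the reply, next to a reader that frames the reply by its Content-length header and reports a connection that closes early. The `SPAMD/1.1 0 EX_OK` status line and header layout are assumed from the spamd protocol; the fake socket, the function names and the message body are constructed.

```python
BUF = 1024  # client buffer size mentioned in the post


class TruncatedResponse(Exception):
    """The peer closed the connection before the advertised body arrived."""


class FakeSocket:
    """Constructed stand-in for a TCP socket: recv() returns the given
    chunks in order, then b"" to signal that the peer has closed."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def recv(self, bufsize):
        if not self._chunks:
            return b""
        chunk = self._chunks.pop(0)
        if len(chunk) > bufsize:
            self._chunks.insert(0, chunk[bufsize:])
            chunk = chunk[:bufsize]
        return chunk


def build_response(body):
    """Assumed reply layout: status line, Content-length, blank line, body."""
    return b"SPAMD/1.1 0 EX_OK\r\nContent-length: %d\r\n\r\n" % len(body) + body


def split_into(data, sizes):
    """Cut data into chunks of the given sizes; bytes past the last size are
    dropped, which models a peer that closes before sending everything."""
    chunks, pos = [], 0
    for n in sizes:
        piece = data[pos:pos + n]
        if piece:
            chunks.append(piece)
        pos += n
    return chunks


def read_until_short_buffer(sock):
    """Flawed reader: the first read shorter than BUF is taken as the end."""
    data = b""
    while True:
        chunk = sock.recv(BUF)
        data += chunk
        if len(chunk) < BUF:
            return data


def read_by_content_length(sock):
    """Read the headers, then exactly Content-length body bytes."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(BUF)
        if not chunk:
            raise TruncatedResponse("connection closed inside the headers")
        data += chunk
    head, body = data.split(b"\r\n\r\n", 1)
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"SPAMD/"):
        raise ValueError("not a spamd reply: %r" % lines[0])
    length = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        raise ValueError("reply carries no Content-length header")
    while len(body) < length:
        chunk = sock.recv(BUF)
        if not chunk:  # peer sent FIN before the whole message
            raise TruncatedResponse(
                "got %d of %d body bytes" % (len(body), length))
        body += chunk
    return head, body[:length]


if __name__ == "__main__":
    body = b"m" * 2500  # constructed message body
    reply = build_response(body)
    sizes = [1024, 300, 1024, 1024]  # second segment arrives short
    print(len(read_until_short_buffer(FakeSocket(split_into(reply, sizes)))))
    print(len(read_by_content_length(FakeSocket(split_into(reply, sizes)))[1]))
    try:
        read_by_content_length(FakeSocket(split_into(reply, [1024, 300])))
    except TruncatedResponse as exc:
        print("truncated:", exc)
```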



Re: Net::DNS version is 0.23, but need 0.34

2004-09-30 Thread Ryan Moore
Maurice Lucas wrote:
Hello,
I have trouble with SURBL and think that it is related to above error
But if I test the module with CPAN or with the following script it says 
that i'm at 0.48.
(careful, I'm a complete perl newbie and a SA newbie)
#!/usr/bin/perl -T -w
use strict;
use Net::DNS;
print Net::DNS->version, "\n";

I use debian woody so Net::DNS version 0.19
I did install SA again from source but the results are the same
Does anybody have any clue
Or is this an error for the perl mailinglist?
You may have more than one version laying around, try running 'locate 
DNS.pm' if you use the slocate system on the machine. That will list the 
locations of that file.

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net



Re: sa-learn with SQL everything?

2004-09-30 Thread Ryan Moore
Daniel M. Drucker wrote:
I couldn't find anyone who has done this already, so I did it myself -

Nice work!
How does this interact with the use/nonuse of report_safe? It seems to
me that (with report_safe 1) you end up training bayes on the
encapsulation, or (with report_safe 0) you end up training it on the
reciprocal of the spamassassin-added headers.

To my knowledge, sa-learn removes/ignores any SpamAssassin headers, so it 
shouldn't skew your data.

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net


Re: 3.0 scanning delays

2004-09-30 Thread Shane Hickey
So, I take it that no one is seeing these weird spamd delays but me?  Rats.

Shane Hickey <[EMAIL PROTECTED]> [2004-09-29 14:11]:
> Howdy all.  I'm running version 3.0.0 on Gentoo Linux (using the
> 3.0.0-r1 ebuild).  The machine is a dual P3/450 and it is also running
> sendmail 8.12.11 and it handles mail for 20 or so domains with less
> than 20 users total.  So, the mail volume is pretty low.
> 
> I'm running spamd in the following manner:
> 
> /usr/sbin/spamd -d -r /var/run/spamd/spamd.pid -u mail -x -m 10 -L
> 
> I'm running spamc out of my /etc/procmailrc (with no options).
> 
> What I've noticed is that after spamd has been running for a little
> while, it starts to take longer and longer to check each message. 
> Here is a snippet of my times from 2.64:
> 
> clean message (-104.9/5.0) for user1:8 in 0.8 seconds, 1129 bytes.
> clean message (-104.9/5.0) for user2:8 in 0.9 seconds, 1231 bytes.
> clean message (-104.9/5.0) for user1:8 in 0.8 seconds, 1231 bytes.
> clean message (-4.9/5.0) for user1:8 in 1.1 seconds, 1046 bytes.
> 
> When I first start spamd, I see times that are very close to this. 
> But, within 10-20 minutes, they start to climb.  Here is how they look
> right now (I started spamd 40 minutes ago).
> 
> clean message (-102.8/5.0) for user1:8 in 5.8 seconds, 1282 bytes.
> clean message (-5.0/5.0) for user2:8 in 41.8 seconds, 2867 bytes.
> clean message (-100.0/5.0) for user3:8 in 37.8 seconds, 2250 bytes.
> 
> If I let spamd run for several hours, I'll see times near 200 seconds
> per message and it seems to keep increasing.
> 
> I have always had "skip_rbl_checks 1" in my local.cf.  But, I've been
> trying to isolate what's caused this new slowness, so I've also tried
> to first disable razor2, dcc and pyzor and that didn't seem to make
> much difference.  Then I set use_bayes to 0 and that seems to help a
> little bit, but I still see long delays.  The delayed times that I
> show above are for this configuration:
> 
> # Enable the Bayes system
> use_bayes   0
> 
> # Enable or disable network checks
> skip_rbl_checks 1 
> use_razor2  1
> use_dcc 1
> use_pyzor   1
> 
> I also tried "lock_method flock" and I didn't see much success there
> either.  Anyway, I was hoping someone else had seen this behavior and
> or maybe someone could shed some light on what might be the cause of
> this?
> 
> Thanks,
> Shane
> 
> -- 
> Shane Hickey <[EMAIL PROTECTED]>: Network/System Consultant
> GPG KeyID: 777CBF3F
> Key fingerprint: 254F B2AC 9939 C715 278C  DA95 4109 9F69 777C BF3F
> Listening to: The Courtship of Birdy Numnum - The
> Parapalegic-Homoerotic Episode
> 


-- 
Shane Hickey <[EMAIL PROTECTED]>: Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C  DA95 4109 9F69 777C BF3F
Listening to: The Styrenes - Cold Meat


Re: sa-learn with SQL everything?

2004-09-30 Thread Daniel M. Drucker
> I couldn't find anyone who has done this already, so I did it myself -

Nice work!

How does this interact with the use/nonuse of report_safe? It seems to
me that (with report_safe 1) you end up training bayes on the
encapsulation, or (with report_safe 0) you end up training it on the
reciprocal of the spamassassin-added headers.


-- 
Daniel Drucker / [EMAIL PROTECTED]



Re: sa-learn with SQL everything?

2004-09-30 Thread Keith Hackworth
I couldn't find anyone who has done this already, so I did it myself -
anyone who needs this is welcome to use my solution/code.  My solution
requires an IMAP server and bayes to be in mysql.  It also requires
SquirrelMail.  It also requires a /tmp directory.  Since squirrelmail
requires a unix-like system (I believe) and IMAP, you should be all set.

I'm not using Exim - I run Postfix, but that shouldn't make a difference.
I use amavis-new/sa with squirrelmail on top.  I downloaded the
squirrelmail amavisnewsql 0.7.2-1.4 plugin and modified it from there.

The plugin includes a "whitelist user" and other sa controls for the
specific user, but totally misses the bayes aspect of spamassassin.  The
plugin takes some time to configure, but is simple if you just follow the
directions.

Once you get that working, replace the setup.php and create a new
bayes.php in the plugins/amavisnewsql directory.  I've attached the
bayes.php and setup.php files as .txt files, so remove the .txt extension.

Once you do that, on the top of every message, there will be a "This is
spam" and "This is NOT spam" link.  It will issue a
"/usr/local/bin/sa-learn -D --[sp|h]am", so make sure sa-learn is in this
directory.

***IMPORTANT:  One last thing - make sure you turn on the
"bayes_sql_override_username " in
local.cf or your bayes database will only work for the user that the
webserver runs as.  It took me a while to figure this one out...

If you have any questions or problems with this, please email me.

Keith Hackworth
[EMAIL PROTECTED]

>
> I'm trying to start using Bayes and sa-learn for the first time, now
> that Bayes supports SQL.
>
> I run a smallish system (about 80 users spread over three domains).
> The basic setup is Exim -> SpamAssassin 3 -> Exim -> amavis -> Exim ->
> delivery. (That is -- SA and amavis are Exim router-transport pipes;
> neither knows of the other's existence.)
>
> Apart from me, none of my users have home directories; Exim uses SQL
> for all account information. Mail is stored in Maildir format in
> /mail/DOMAIN/USER.
>
> The majority of my users use Squirrelmail.
>
> I would like to enable some sort of false-negative/false-positive
> reporting for them, as I would imagine that the Bayes system is not
> very useful if it's getting uncorrected FN/FP data. However, every
> piece of documentation I've seen for sa-learn assumes (1) a unix
> account to correspond to the mailbox owner, and (2) that SQL is not
> being used for anything.
>
> Can someone point me in the right direction? I'd really like to take
> advantage of Bayes, but the documentation is so haphazard right now
> that I just don't know what to do.
>
>
>
>
> --
> Daniel Drucker / [EMAIL PROTECTED]
>
>
rfc822_header;
$decodedfrom = $header->getAddr_s('from');

$IP_RegExp_Match = '\\[?[0-9]{1,3}(\\.[0-9]{1,3}){3}\\]?';
$Host_RegExp_Match = '(' . $IP_RegExp_Match . 
'|[0-9a-z]([-.]?[0-9a-z])*\\.[a-z][a-z]+)';
$Email_RegExp_Match = '[0-9a-z]([-_.+|]?[_0-9a-z|])*(%' . 
$Host_RegExp_Match . ')?@' . $Host_RegExp_Match;
$regs = array();
while (eregi($Email_RegExp_Match, $decodedfrom, $regs)) {
   $decodedfrom = substr(strstr($decodedfrom, $regs[0]), strlen($regs[0]));
   $fromaddress = urlencode($regs[0]);
}

echo " | ";
bindtextdomain ('amavisnewsql', SM_PATH . 'plugins/amavisnewsql/locale');
textdomain ('amavisnewsql');

displayInternalLink 
("plugins/amavisnewsql/amavisnewsql.php?action=add_edit_wb_address&WorB=W&priority=7&address=$fromaddress",
 _("Whitelist Sender"), 'right');
echo " | ";
bindtextdomain ('amavisnewsql', SM_PATH . 'plugins/amavisnewsql/locale');
textdomain ('amavisnewsql');
displayInternalLink 
("plugins/amavisnewsql/bayes.php?action=bayes_learn&type=s&passed_id=$passed_id&mailbox=$mailbox",
 _("This is Spam"), 'right');
echo " | ";
bindtextdomain ('amavisnewsql', SM_PATH . 'plugins/amavisnewsql/locale');
textdomain ('amavisnewsql');
displayInternalLink 
("plugins/amavisnewsql/bayes.php?action=bayes_learn&type=h&passed_id=$passed_id&mailbox=$mailbox",
 _("This is NOT Spam"), 'right');
echo " ";

bindtextdomain ('squirrelmail', SM_PATH . 'locale');
textdomain ('squirrelmail');


}


function amavisnewsql_optpage_register_block () {
  global $optpage_blocks;

bindtextdomain ('amavisnewsql', SM_PATH . 'plugins/amavisnewsql/locale');
textdomain ('amavisnewsql');

$optpage_blocks[] =
array (
   'name' => _("SpamAssassin Configuration"),
   'url'  => '../plugins/amavisnewsql/amavisnewsql.php',
   'desc' => _("Here you may define your own white/black lists and 
customize your spam scoring rules."),
   'js'   => FALSE);
bindtextdomain ('squirrelmail', SM_PATH . 'locale');
textdomain ('squirrelmail');

}


function amavisnewsql_spam_quarantine () {
bindtextdomain ('amavisnewsql', SM_PATH . 'plugins/amavisnewsql/locale');
textdomain ('amavisnewsql');

displayInternalLink ('pl

Re: SA+Postfix+SASL+Mysql+Maildrop Installation howto

2004-09-30 Thread Luis Hernán Otegui
ok, ok, my point wasn't exactly that, but I've managed to notice some
things, partly via Google.
My problem (or, to tell it better, the thing I didn't realize) was how
will SA get the username it is analyzing mail for, since the virtual
users setting doesn't (at least to my knowledge) provide this info.
But looking closer to the maildrop configuration howto I have, I've
come to see that Maildrop REALLY knows whose user the mail is, or it
wouldn't be able to deliver it at all...
Sorry everybody, my mistake.

Thanks for the answer.

Luis


On Thu, 30 Sep 2004 12:13:41 -0400, Eric W. Bates
<[EMAIL PROTECTED]> wrote:
> We use SA+Postfix+SASL+Mysql+procmail for our system.
> 
> The SASL authentication doesn't have anything to do with SA.  It simply
> allows your smtpd to accept AUTH commands; so you can deal with those
> problems separately.
> 
> Also bear in mind that if you rig postfix to use mysql tables for its
> config; that is separate from SA using mysql for the user's filtering
> options. postfix and SA may or may not use the same mysql server;
> probably not the same database; and definitely not the same authentication.
> 
> We use procmail after the MTA is done with the message to run the
> message thru SA and then sort it into inbox/spambox.
> 
> 
> 
> Luis Hernán Otegui wrote:
> > Hi, people, my first mail to the list, and I'm already asking for
> > something quite hard to me... Here it goes:
> > I want to set up a WBEL with SA 3.0, but with user preferences driven
> > by a Mysql database. Also, I want the MTA (PostFix) to run with SASL
> > authentication. I've found a good bunch of info on how to set up
> > Postfix+SASL+Maildrop+Mysql, but I don't know how to set up SA to work
> > with that, all I've seen about it is the howto on SA's site, but it
> > doesn't mention how to set it up against a vmail environment. Also,
> > this will be my first attempt at Postfix (I've always run SA through
> > Spamass-Milter over Sendmail), so any help or tips will be
> > appreciated.
> >
> > Thanks a lot,
> >
> > Luis.
> >
> 



-- 
-
GNU-GPL: "May The Source Be With You...
-


Net::DNS version is 0.23, but need 0.34

2004-09-30 Thread Maurice Lucas
Hello,
I have trouble with SURBL and think that it is related to above error
But if I test the module with CPAN or with the following script it says that 
I'm at 0.48.
(careful, I'm a complete Perl newbie and a SA newbie)
#!/usr/bin/perl -T -w
use strict;
use Net::DNS;
print Net::DNS->version, "\n";

I use debian woody so Net::DNS version 0.19
I did install SA again from source but the results are the same
Does anybody have any clue?
Or is this an error for the Perl mailing list?
With kind regards,
Met vriendelijke groet,
Maurice Lucas
TAOS-IT 



Re: SA 3.0.0 SURBL usage

2004-09-30 Thread Jerry Gaiser
On Wed, 2004-09-29 at 14:47, Raymond Dijkxhoorn wrote:
> > In fact, I cannot see anything in the headers that leads me to believe that 
> > SURBL is being used/enforced.
> 
> Do you have Net::DNS installed ? It looks to me you are not using RBL 
> checks at all?

And make sure you're running a recent version of Net::DNS. That bit me
when I upgraded. Had it installed, but too old to use.

-- 
[EMAIL PROTECTED]
"One should admire Windows users. It takes a great deal of courage to
trust Windows with your data." - Unknown


Re: SURBL in 3.0

2004-09-30 Thread Justin Mason
Theo Van Dinter writes:
> On Thu, Sep 30, 2004 at 09:44:20AM -0700, Justin Mason wrote:
> > if the init.pre is never read from what you specify as --siteconfigpath,
> > that's a bug -- could you report it to the bugzilla?(however I'm
> > pretty certain we have a test for that so that sounds odd.)
> 
> I think the issue is that init.pre isn't in the directory he's pointing to,
> not that it wouldn't be read if it existed there.  ie:
> 
> spamassassin --siteconfigpath /tmp/foo
> 
> if I don't put init.pre in /tmp/foo, spamassassin isn't going to go looking
> for the file in other places.

ah, ok, that's not a bug ;)

--j.



Re: SpamAssassin 3.0 and sa-learn problem.

2004-09-30 Thread Andy Biddle
I've done a CPAN "force install Digest::SHA1" and get the same issue...

On Thu, 30 Sep 2004, Theo Van Dinter wrote:

> On Thu, Sep 30, 2004 at 07:47:35AM -0700, Andy Biddle wrote:
> > Use of inherited AUTOLOAD for non-method Digest::SHA1::sha1_hex() is
> > deprecated at
> > /usr/local/lib/perl5/site_perl/5.8.2/Mail/SpamAssassin/Bayes.pm line 983.
> > Learned from 0 message(s) (1 message(s) examined).
> > Can't locate auto/Digest/SHA1/sha1_hex.al in @INC (@INC contains: lib
>
> This indicates that your Digest::SHA1 installation is botched.
>
> > SHA1 is installed and up to date.
>
> I'd blow away what you have and reinstall the module.
>
> --
> Randomly Generated Tagline:
> DOS: n., A small annoying boot virus that causes random spontaneous system
>   crashes, usually just before saving a massive project.  Easily cured by
>   UNIX.  See also MS-DOS, IBM-DOS, DR-DOS.
>  (from David Vicker's .plan)
>


Re: SURBL in 3.0

2004-09-30 Thread Theo Van Dinter
On Thu, Sep 30, 2004 at 09:44:20AM -0700, Justin Mason wrote:
> if the init.pre is never read from what you specify as --siteconfigpath,
> that's a bug -- could you report it to the bugzilla?(however I'm
> pretty certain we have a test for that so that sounds odd.)

I think the issue is that init.pre isn't in the directory he's pointing to,
not that it wouldn't be read if it existed there.  ie:

spamassassin --siteconfigpath /tmp/foo

if I don't put init.pre in /tmp/foo, spamassassin isn't going to go looking
for the file in other places.

-- 
Randomly Generated Tagline:
"Remember:  The difference between something that might go wrong and
 something that can't possibly go wrong is that something that can't
 possibly go wrong is impossible to fix."  - Peter Sagerson




Re: SURBL in 3.0

2004-09-30 Thread Justin Mason
Theo Van Dinter writes:
> On Thu, Sep 30, 2004 at 01:42:51PM +0200, Maurice Lucas wrote:
> > >OK - I think I have narrowed down what is happening with this, though I 
> > >don't know why.  I have placed my local.cf file in a non-standard 
> > >directory and I am using the --siteconfigpath=path to point to that 
> > >directory (where my local.cf file and my own custom rules files are 
> > >located).  For some reason this breaks the SURBL checks.  If I run 
> > >spamassassin without that directive (and use local.cf in its standard 
> > >installation location), the SURBL checks work fine.  Can someone else 
> > >confirm this?  This is with 3.0.0.
> 
> The problem, I'm guessing, is that the init.pre file (loads the plugins)
> installs into the standard siteconfigpath directory.  So if you aim
> somewhere else, the plugins are never enabled, so no SURBL.

if the init.pre is never read from what you specify as --siteconfigpath,
that's a bug -- could you report it to the bugzilla?(however I'm
pretty certain we have a test for that so that sounds odd.)

--j.



Re: sa-learn with SQL everything?

2004-09-30 Thread Sune Kloppenborg Jeppesen
On Thursday 30 September 2004 15:37, Daniel M. Drucker wrote:
> I'm trying to start using Bayes and sa-learn for the first time, now
> that Bayes supports SQL.
>
> I run a smallish system (about 80 users spread over three domains).
> The basic setup is Exim -> SpamAssassin 3 -> Exim -> amavis -> Exim ->
> delivery. (That is -- SA and amavis are Exim router-transport pipes;
> neither knows of the other's existence.)
>
> Apart from me, none of my users have home directories; Exim uses SQL
> for all account information. Mail is stored in Maildir format in
> /mail/DOMAIN/USER.
>
> The majority of my users use Squirrelmail.
>
> I would like to enable some sort of false-negative/false-positive
> reporting for them, as I would imagine that the Bayes system is not
> very useful if it's getting uncorrected FN/FP data. However, every
> piece of documentation I've seen for sa-learn assumes (1) a unix
> account to correspond to the mailbox owner, and (2) that SQL is not
> being used for anything.
>
> Can someone point me in the right direction? I'd really like to take
> advantage of Bayes, but the documentation is so haphazard right now
> that I just don't know what to do.
You could setup a dedicated SA user and have a site wide Bayes database.

-- 
Regards

Sune Kloppenborg Jeppesen

--
This email was scanned by MailPlus anti-virus at http://www.dir.dk
--




Re: sql/bayes

2004-09-30 Thread Sune Kloppenborg Jeppesen
On Thursday 30 September 2004 18:05, Robin Lynn Frank wrote:
> While I can see the advantage of keeping awl and prefs in a sql
> database, I can't see an advantage to keeping bayes data in a sql db.
>
> Can someone point out an advantage?  Would there be any disadvantage in
> keeping everything except bayes in sql?
You could have two front end servers using the same Bayes backend with SQL. 
This makes autolearning work easily across multiple servers.

-- 
Regards

Sune Kloppenborg Jeppesen

--
This email was scanned by MailPlus anti-virus at http://www.dir.dk
--




FIXED - no report template found

2004-09-30 Thread Slava Madrit



The problem has been resolved. In case anyone else has this issue in the 
future, the problem was a blank clear_report_template definition in my 
local.cf.  Removing it allowed SA to retrieve the info from 10_misc.cf 
correctly.  
 
-Slava

>>> "Slava Madrit" <[EMAIL PROTECTED]> 9/30/2004 10:53:09 AM >>>
When I run SA 3.0 from a command line, I get a message at the end of the SA 
output file, (no report template found), you can see it below.  I'm using 
the following options to launch SA.
 
spamassassin -D -t  test.txt
 
Has something changed with SA 3.0 or is there something wrong with my 
setup?  I have used this command line for all the previous versions and it 
worked fine.
 
 
-Slava
 
test.txt:
Received: from businesscross.net (moxmail10 [127.0.0.1]) by 
 moxmail10.businessgive.com (Postfix) with ESMTP id C52F638BD3E02 for 
 <[EMAIL PROTECTED]>; Wed, 29 Sep 2004 06:37:29 -0700 (PDT)
MIME-Version: 1.0
From: "Camera Testing Center" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Product TestersWanted
Message-Id: <[EMAIL PROTECTED]>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Date: Wed, 29 Sep 2004 06:37:29 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on guinevere
X-Spam-Status: No, score=5.1 required=5.5 tests=BAYES_95,RCVD_IN_XBL  autolearn=no 
 version=3.0.0
X-Spam-Level: *
 
we would like you to join our Product Research Panel. 
- join Now and Receive for no charge: 
Panasonic DVD Camcorder High quality digital 
video 18x Optical zoom 
500x Digital zoom $899 retail price, yours to keep 
free! - PRODUCT TESTERS WANTED! 
- please click here for more info: http://businesscross.net/r/2295/5302664/2r7q653p7p58 ProductResearchPanel, 
the new member incentive promotional offer, and the product testing program is 
an independent program for consumers and is not affiliated with the 
merchant/brands listed above. ProductResearchPanel is solely responsible for all 
incentive fulfillment
 
Click here: http://businesscross.net/r/2295/5302664/2r7q653p7p58
MO:tLWcG1YpimN1CAtfAueGWX0YTxkq1wh/sUV/hhC2csblfZUSmz0wVnLsSRRsOe20vBNRXA==:MO
This advertisement was sent by BonusBonez, 268 Bush Street #3437, San 
Francisco, CA 94104.Visit the BonusBonez Mailings Manager:http://businesscross.net/u/2295/5302664/2r7q653p7p58
 
MO:BDD+CLlyyHjJjwWT8WWqmz88aiCKR30l0HTj7dW6YyoD9JLVMRe+if7g185tvt3m9Tee9Q==:MO
(no report template found)

_

The information transmitted is intended only for the person or
entity to which it is addressed and may contain confidential and/or
privileged material.  Any review, retransmission, dissemination
or other use of, or taking of any action in reliance upon, this
information by persons or entities other than the intended recipient
is prohibited.  If you received this transmission in error, please
contact the sender by reply e-mail or by telephone (+1(212)632-5500)
and delete and destroy all copies of the material, including all
copies stored in the recipient's computer, printed or saved to disk.



Re: SA+Postfix+SASL+Mysql+Maildrop Installation howto

2004-09-30 Thread Eric W. Bates
We use SA+Postfix+SASL+Mysql+procmail for our system.
The SASL authentication doesn't have anything to do with SA.  It simply 
allows your smtpd to accept AUTH commands; so you can deal with those 
problems separately.

Also bear in mind that if you rig postfix to use mysql tables for its 
config; that is separate from SA using mysql for the user's filtering 
options. postfix and SA may or may not use the same mysql server; 
probably not the same database; and definitely not the same authentication.

We use procmail after the MTA is done with the message to run the 
message thru SA and then sort it into inbox/spambox.

Luis Hernán Otegui wrote:
> Hi, people, my first mail to the list, and I'm already asking for
> something quite hard to me... Here it goes:
> I want to set up a WBEL with SA 3.0, but with user preferences driven
> by a Mysql database. Also, I want the MTA (PostFix) to run with SASL
> authentication. I've found a good bunch of info on how to set up
> Postfix+SASL+Maildrop+Mysql, but I don't know how to set up SA to work
> with that, all I've seen about it is the howto on SA's site, but it
> doesn't mention how to set it up against a vmail environment. Also,
> this will be my first attempt at Postfix (I've always run SA through
> Spamass-Milter over Sendmail), so any help or tips will be
> appreciated.
> Thanks a lot,
> Luis.


RE: Cygwin SA3.0 Problems

2004-09-30 Thread Robert Lacroix
It's definitely a problem with spamd, spamc running in cygwin had the
same problems as spamcpp, winspamc and my own custom spamc in .NET.
SpamD just sets the FIN flag before having sent the entire message.
Luckily I had an old Cygwin installation with Perl 5.8.0 where I just
installed SA3 and now the problem is gone on all machines. So it
definitely has something to do with any cygwin package version involved.
Any ideas which one :) ?

/robert

-Original Message-
From: Jason J. Ellingson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 30, 2004 4:05 AM
To: Robert Lacroix; users@spamassassin.apache.org; 'JamesDR'
Subject: RE: Cygwin SA3.0 Problems

What method are you connecting to your CygWin SpamD?

Perhaps the problem is not with SpamD, but with SpamC.  I noticed that
the new SA3.0 doesn't always fill the incoming TCP for your SpamC
calling application buffer... I use 1024 byte buffers.  This may be
throwing whichever SpamC you are using into confusion as it takes a
non-full buffer to mean that this is the last packet for the email
results.  I use the new Content-length header as a check for message
completeness...

I wrote my own custom SpamC in .NET as a plug-in for XMail and stopped
having those issues you are having.

I seem to remember having some issues with WinSpamC (on sourceforge.net)
not getting the entire emails either but had pretty good luck with
the SpamC compiled in CygWin.

Feel free to email me directly.  I'm happy to help where I can.

Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
[EMAIL PROTECTED]
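The check Jason describes (use the Content-length header, not a short read, to decide when the reply is complete) and the failure Robert reports (a FIN before the whole message has arrived) can be handled in one reader. This is an added example, not code from either poster or from SpamAssassin; the reply bytes are constructed, and `recv_spamd_response`, `replay` and `TruncatedResponse` are hypothetical names.

```python
import socket
import threading

MAX_HEADER = 8192  # refuse a reply whose header block never ends


class TruncatedResponse(Exception):
    """The peer closed the connection before the announced length arrived."""


def recv_spamd_response(sock, bufsize=1024, max_body=10 * 1024 * 1024):
    """Read one spamd reply and return (status_line, headers, body).

    A recv() that returns fewer than bufsize bytes is NOT treated as the
    end of the reply; only Content-length decides that.
    """
    data = b""
    while b"\r\n\r\n" not in data:
        if len(data) > MAX_HEADER:
            raise ValueError("header block too large")
        chunk = sock.recv(bufsize)
        if not chunk:
            raise TruncatedResponse("connection closed inside the headers")
        data += chunk

    head, body = data.split(b"\r\n\r\n", 1)
    lines = head.decode("ascii", "replace").split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if "content-length" not in headers:
        raise ValueError("reply carries no Content-length header")
    expected = int(headers["content-length"])
    if expected < 0 or expected > max_body:
        raise ValueError("implausible Content-length: %d" % expected)

    while len(body) < expected:
        chunk = sock.recv(bufsize)
        if not chunk:  # FIN arrived early: report it, do not deliver a partial mail
            raise TruncatedResponse(
                "got %d of %d body bytes before the peer closed"
                % (len(body), expected))
        body += chunk
    return status_line, headers, body[:expected]


# Constructed sample reply (not captured traffic).
MESSAGE = (b"Subject: test\r\n"
           b"X-Spam-Status: No, score=5.1 required=5.5\r\n"
           b"\r\n"
           b"body text\r\n")
WIRE = b"SPAMD/1.1 0 EX_OK\r\nContent-length: %d\r\n\r\n" % len(MESSAGE) + MESSAGE


def replay(wire, fragment=7):
    """Play `wire` to the reader over a local socket pair in small pieces."""
    client, server = socket.socketpair()

    def feed():
        try:
            with server:
                for i in range(0, len(wire), fragment):
                    server.sendall(wire[i:i + fragment])
        except OSError:
            pass  # reader gave up early

    feeder = threading.Thread(target=feed)
    feeder.start()
    try:
        with client:
            return recv_spamd_response(client)
    finally:
        feeder.join()


if __name__ == "__main__":
    print(replay(WIRE)[0])
    try:
        replay(WIRE[:-10])
    except TruncatedResponse as exc:
        print("truncated:", exc)
```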



Re: Spamassassin 3.0 with mimedefang 2.37

2004-09-30 Thread Larry Starr
Thanks to all who replied.

Unfortunately it appears that I'll have to update more than I wanted at one 
time.

It does, however, seem worth the effort, based on the testing that I've been
doing with SA 3.0.  It's tagging about 50% of the mail that is passing all of 
my filters with SA 2.6, and hand checking about 22,000 messages, it 
appears to be doing a very accurate job of this.


On Wednesday 29 September 2004 16:52, Larry Starr wrote:
> I am working to upgrade spamassassin, from 2.60 to 3.0, on my RedHat 8
> Mailserver.
>
> I'm currently running mimedefang 2.37.   I have found no references to a
> required version of Mimedefang in the docs, and would like to avoid
> changing the entire world at once.
>
> Does anyone know of any problems running SA 3.0 from MD 2.37?
>
> Thank you,

-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway



sql/bayes

2004-09-30 Thread Robin Lynn Frank
While I can see the advantage of keeping awl and prefs in a sql
database, I can't see an advantage to keeping bayes data in a sql db.

Can someone point out an advantage?  Would there be any disadvantage in
keeping everything except bayes in sql?

-- 
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
http://www.paradigm-omega.com
==
Sed quis custodiet ipsos custodes?




Re: Bayes scores in SA 3.0

2004-09-30 Thread Chip Paswater
> >  Hey guys,
> >  
> >  I was looking at the Bayes scores in 3.0 and had a couple of questions:
> [...]
> 
> 
> ... the FAQ ... read the FAQ ...
> 

Great Bob, the FAQ says how the scores are generated, I surmised that.
But these questions aren't in the FAQ:

Does a human review the scores generated by the statistics engine?

Doesn't it make sense to have more of a bell curve on the 2nd set of bayes
scores?

If not, why not?

The teeth seem to be taken out of BAYES_99 with its low 1.9 score,
and most of my spam is triggering .99 to 1.  That to me seems like an
obvious oversight, and I'm just wondering what the thinking was to leave it
at 1.9 for the 3.0 release.



Re: SURBL in 3.0

2004-09-30 Thread Theo Van Dinter
On Thu, Sep 30, 2004 at 01:42:51PM +0200, Maurice Lucas wrote:
> >OK - I think I have narrowed down what is happening with this, though I 
> >don't know why.  I have placed my local.cf file in a non-standard 
> >directory and I am using the --siteconfigpath=path to point to that 
> >directory (where my local.cf file and my own custom rules files are 
> >located).  For some reason this breaks the SURBL checks.  If I run 
> >spamassassin without that directive (and use local.cf in its standard 
> >installation location), the SURBL checks work fine.  Can someone else 
> >confirm this?  This is with 3.0.0.

The problem, I'm guessing, is that the init.pre file (loads the plugins)
installs into the standard siteconfigpath directory.  So if you aim
somewhere else, the plugins are never enabled, so no SURBL.

-- 
Randomly Generated Tagline:
"As for SUVs being used as family cars: If a family is too large to
 fit into a fuel efficient automobile it doesn't need an SUV, it needs
 birth control." - Unknown
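A pre-flight check for the situation discussed in this thread and in the replies above it: a directory passed to --siteconfigpath that holds local.cf but no init.pre, so the plugins are never loaded. This is an added example, not SpamAssassin code; the function names are hypothetical, the directories are constructed, and the plugin class name is the one SpamAssassin 3.0's stock init.pre loads for URI blocklist (SURBL) lookups rather than something stated in the thread.

```python
import os
import re
import tempfile

# Plugin class behind the SURBL/URI blocklist rules (from the stock init.pre,
# not from the thread).
URIDNSBL = "Mail::SpamAssassin::Plugin::URIDNSBL"

_LOADPLUGIN = re.compile(r"^\s*loadplugin\s+(\S+)")


def loaded_plugins(siteconfigpath):
    """Return the plugin classes loaded by init.pre in this directory.

    Returns None when the directory has no init.pre at all: as explained
    in the thread, no other location is searched in that case.
    """
    init_pre = os.path.join(siteconfigpath, "init.pre")
    if not os.path.isfile(init_pre):
        return None
    plugins = []
    with open(init_pre, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            code = line.split("#", 1)[0]  # a commented-out loadplugin does not count
            match = _LOADPLUGIN.match(code)
            if match:
                plugins.append(match.group(1))
    return plugins


def surbl_status(siteconfigpath):
    """Classify a site config directory: 'missing-init-pre',
    'plugin-not-loaded' or 'ok'."""
    plugins = loaded_plugins(siteconfigpath)
    if plugins is None:
        return "missing-init-pre"
    if URIDNSBL not in plugins:
        return "plugin-not-loaded"
    return "ok"


def demo():
    """Build three constructed config directories and classify each."""
    results = {}
    cases = {
        "local-cf-only": None,                        # the case from the thread
        "commented-out": "# loadplugin %s\n" % URIDNSBL,
        "as-shipped": "loadplugin %s\n" % URIDNSBL,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, init_pre in cases.items():
            path = os.path.join(root, name)
            os.mkdir(path)
            with open(os.path.join(path, "local.cf"), "w") as fh:
                fh.write("required_score 5.0\n")
            if init_pre is not None:
                with open(os.path.join(path, "init.pre"), "w") as fh:
                    fh.write(init_pre)
            results[name] = surbl_status(path)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-15s %s" % (name, status))
```

Copying the installed init.pre next to a relocated local.cf is what moves a directory from the first state to the last.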




Re: SpamAssassin 3.0 and sa-learn problem.

2004-09-30 Thread Theo Van Dinter
On Thu, Sep 30, 2004 at 07:47:35AM -0700, Andy Biddle wrote:
> Use of inherited AUTOLOAD for non-method Digest::SHA1::sha1_hex() is
> deprecated at
> /usr/local/lib/perl5/site_perl/5.8.2/Mail/SpamAssassin/Bayes.pm line 983.
> Learned from 0 message(s) (1 message(s) examined).
> Can't locate auto/Digest/SHA1/sha1_hex.al in @INC (@INC contains: lib

This indicates that your Digest::SHA1 installation is botched.

> SHA1 is installed and up to date.

I'd blow away what you have and reinstall the module.

-- 
Randomly Generated Tagline:
DOS: n., A small annoying boot virus that causes random spontaneous system
  crashes, usually just before saving a massive project.  Easily cured by
  UNIX.  See also MS-DOS, IBM-DOS, DR-DOS.
 (from David Vicker's .plan)




Re: Bayes scores in SA 3.0

2004-09-30 Thread Bob Apthorpe
On Thu, 30 Sep 2004 08:34:28 -0700 Chip Paswater <[EMAIL PROTECTED]> wrote:

>  Hey guys,
>  
>  I was looking at the Bayes scores in 3.0 and had a couple of questions:
[...]


... the FAQ ... read the FAQ ...


-- Bob


Bayes scores in SA 3.0

2004-09-30 Thread Chip Paswater
 Hey guys,
 
 I was looking at the Bayes scores in 3.0 and had a couple of questions:
 
 score BAYES_00 0 0 -1.665 -2.599
 score BAYES_05 0 0 -0.925 -0.413
 score BAYES_20 0 0 -0.730 -1.951
 score BAYES_40 0 0 -0.276 -1.096
 score BAYES_50 0 0 1.567 0.001
 score BAYES_60 0 0 3.515 0.372
 score BAYES_80 0 0 3.608 2.087
 score BAYES_95 0 0 3.514 2.063
 score BAYES_99 0 0 4.070 1.886
 
 I'm running the full load, bayes, network tests, AWL.. everything, so I'm
 using the second set of scores.  It seems odd to me that BAYES_99 scores
 lower than BAYES_95, and BAYES_40 scores lower than BAYES_05.
 
 I figured these scores were probably generated from a statistics engine
 that used a corpus of spam and ham.  Did a human approve these scores
 before they were put into SA?  If so, what was the thinking behind them?
 
 I'm tempted to manually edit the scores to show more of a bell curve, but
 if there is some method here that I'm overlooking, I'd love to know what it
 is.


RE: Upgrading SpamAsssassin from 2.64 to 3.0.0

2004-09-30 Thread Ken Goods
Matt Kettler scribbled on Wednesday, September 29, 2004 7:31 PM:

> At 07:37 PM 9/29/2004 -0500, SAtalk Mail User wrote:
>> I have a, possibly, easy question.  I have SpamAssassin 2.64 with a
>> ton of the rules that you have at rules emporium, and man they work
>> great, but I am wanting to upgrade my Spamassassin from 2.64 to
>> 3.0.0, the latest via CPAN.
> 
> 1) delete antidrug.cf if you use it, SA 3.0 includes it.
> 2) delete the .cf files referencing any spamcopURI rules, SA 3.0 has
> this built in, but handles it differently.
> 3) Read the UPGRADE file, and change or comment out any outdated
> config options which might be in your local.cf or user_prefs:
> http://spamassassin.apache.org/full/3.0.x/dist/UPGRADE
> 
> I'd also suggest moving *everything* out of /etc/mail/spamassassin on
> a temporary basis, then move the files back later. This will ensure a
> nice clean upgrade which passes make test.
> 
> After the update:
> 1) run sa-learn --sync to upgrade your bayes DB format
> 2) run spamassassin --lint
> 3) move the files you moved out of /etc/mail/spamassassin back a few
> at a time and run --lint between batches to make sure it's happy.

Matt,
That is the best advice I've seen on upgrading SA to 3.0 from 2.6x. Simple
to understand and straight to the point. If you had posted this yesterday
morning it would have saved me a day of beating my head against the wall. I
don't like to post questions to the list until I've exhausted every other
resource I can think of. Learn a little more that way. But now that I've
been through it, (thanks to Ryan Moore for getting me over the last hurdle)
this advice is the ticket to a smooth upgrade and I think it should be added
to the update doc!

Thanks,
Ken

Ken Goods
Network Administrator
MIS Dept.
AIA Insurance, Inc.
111 Main Street
PO Box 538
Lewiston, ID  83501
Phone:  208-799-9023
Websites: http://www.cropusainsurance.com
 Email: [EMAIL PROTECTED]
 



SA+Postfix+SASL+Mysql+Maildrop Installation howto

2004-09-30 Thread Luis Hernán Otegui
Hi, people, my first mail to the list, and I'm already asking for
something quite hard to me... Here it goes:
I want to set up a WBEL with SA 3.0, but with user preferences driven
by a Mysql database. Also, I want the MTA (PostFix) to run with SASL
authentication. I've found a good bunch of info on how to set up
Postfix+SASL+Maildrop+Mysql, but I don't know how to set up SA to work
with that, all I've seen about it is the howto on SA's site, but it
doesn't mention how to set it up against a vmail environment. Also,
this will be my first attempt at Postfix (I've always run SA through
Spamass-Milter over Sendmail), so any help or tips will be
appreciated.

Thanks a lot,

Luis.

-- 
-
GNU-GPL: "May The Source Be With You...
-


no report template found

2004-09-30 Thread Slava Madrit



When I run SA 3.0 from a command line, I get a message at the end of the SA 
output file, (no report template found), you can see it below.  I'm using 
the following options to launch SA.
 
spamassassin -D -t  test.txt
 
Has something changed with SA 3.0 or is there something wrong with my 
setup?  I have used this command line for all the previous versions and it 
worked fine.
 
 
-Slava
 
test.txt:
Received: from businesscross.net (moxmail10 [127.0.0.1]) by 
 moxmail10.businessgive.com (Postfix) with ESMTP id C52F638BD3E02 for 
 <[EMAIL PROTECTED]>; Wed, 29 Sep 2004 06:37:29 -0700 (PDT)
MIME-Version: 1.0
From: "Camera Testing Center" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Product TestersWanted
Message-Id: <[EMAIL PROTECTED]>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Date: Wed, 29 Sep 2004 06:37:29 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on guinevere
X-Spam-Status: No, score=5.1 required=5.5 tests=BAYES_95,RCVD_IN_XBL  autolearn=no 
 version=3.0.0
X-Spam-Level: *
 
we would like you to join our Product Research Panel. 
- join Now and Receive for no charge: 
Panasonic DVD Camcorder High quality digital 
video 18x Optical zoom 
500x Digital zoom $899 retail price, yours to keep 
free! - PRODUCT TESTERS WANTED! 
- please click here for more info: http://businesscross.net/r/2295/5302664/2r7q653p7p58 ProductResearchPanel, 
the new member incentive promotional offer, and the product testing program is 
an independent program for consumers and is not affiliated with the 
merchant/brands listed above. ProductResearchPanel is solely responsible for all 
incentive fulfillment
 
Click here: http://businesscross.net/r/2295/5302664/2r7q653p7p58
MO:tLWcG1YpimN1CAtfAueGWX0YTxkq1wh/sUV/hhC2csblfZUSmz0wVnLsSRRsOe20vBNRXA==:MO
This advertisement was sent by BonusBonez, 268 Bush Street #3437, San 
Francisco, CA 94104.Visit the BonusBonez Mailings Manager:http://businesscross.net/u/2295/5302664/2r7q653p7p58
 
MO:BDD+CLlyyHjJjwWT8WWqmz88aiCKR30l0HTj7dW6YyoD9JLVMRe+if7g185tvt3m9Tee9Q==:MO
(no report template found)




SpamAssassin 3.0 and sa-learn problem.

2004-09-30 Thread Andy Biddle

I recently sent out a request for help regarding always getting
"autolearn=unavailable" messages.  When I try to train it with sa-learn, I
get:

Use of inherited AUTOLOAD for non-method Digest::SHA1::sha1_hex() is
deprecated at
/usr/local/lib/perl5/site_perl/5.8.2/Mail/SpamAssassin/Bayes.pm line 983.
Learned from 0 message(s) (1 message(s) examined).
Can't locate auto/Digest/SHA1/sha1_hex.al in @INC (@INC contains: lib
/usr/local/lib/perl5/site_perl/5.8.2
/usr/local/lib/perl5/site_perl/5.8.2/mach
/usr/local/lib/perl5/site_perl/5.8.0/i386-freebsd
/usr/local/lib/perl5/site_perl/5.8.0 /usr/local/lib/perl5/site_perl/5.6.1
/usr/local/lib/perl5/site_perl/5.005 /usr/local/lib/perl5/site_perl
/usr/local/lib/perl5/5.8.2/BSDPAN /usr/local/lib/perl5/5.8.2/mach
/usr/local/lib/perl5/5.8.2) at
/usr/local/lib/perl5/site_perl/5.8.2/Mail/SpamAssassin/Bayes.pm line 983

SHA1 is installed and up to date.  SpamAssassin was installed via CPAN.
My system is FreeBSD...

Assuming no one jumps up and points out specifically how to fix this, I'm
considering just wiping out my installation and rebuilding. Am I correct
in thinking that this is probably just something wrong with my
installation?

Is there a good way to blow away SpamAssassin and everything it requires?
If I use CPAN to re-install SpamAssassin, shouldn't it re-install anything
it then requires?

Sorry, can't figure out why I'm having dependency issues and I really want
to get this fixed.  Ugh.



X-Failed-Recipients / Mail delivery failed [Kinda OT]

2004-09-30 Thread Steve Dimoff
Folks,

I'm running into a weird problem and I don't know what the cause is.
I'm running Qmail / Qmail-Scanner 1.22 / SA 2.63 / Clam AV 75.1

I have messages that all have the subject "Mail delivery failed", which the
message scores a negative number by SA and is delivered.

The problem is, each one of them contains a virus...  I'm confused on why SA
gives it a negative number (which doesn't show in the headers... just shows
the score) and why CLAM AV isn't finding it as a virus either.

Here are the headers from one of the emails:

Microsoft Mail Internet Headers Version 2.0
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Received: from blah.com ([removed]) by blah.com with Microsoft SMTPSVC();
Thu, 30 Sep 2004 09:27:20 -0400
Received: from removed.com ([removed]) by removed.com with Microsoft
SMTPSVC(); Thu, 30 Sep 2004 09:27:18 -0400
Received: (qmail 6149 invoked by uid 511); 30 Sep 2004 09:27:13 -0400
Received: from  by removed.com by uid 502 with qmail-scanner-1.22st
(clamdscan: 0.75.1. spamassassin: 2.63. perlscan: 1.22st.
Clear:RC:0(207.69.200.46):SA:0(-1.9/5.2):.  Processed in 20.275484 secs); 30
Sep 2004 13:27:13 -
X-Spam-Status: No, hits=-1.9 required=5.2
Received: from unknown (HELO removed) (removed)  by removed.com with SMTP;
30 Sep 2004 09:26:53 -0400
Received: from exim by removed with local (Exim 3.36 #4) id 1CD0xU-tT-00
for removed; Thu, 30 Sep 2004 09:26:56 -0400
X-Failed-Recipients: removed
From: "Mail Delivery System" 
To: < removed >
Subject: Mail delivery failed: returning message to sender
Message-ID: 
Date: Thu, 30 Sep 2004 09:26:56 -0400
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) removed
X-Spam-Level: 
Return-Path: <>
X-OriginalArrivalTime: 30 Sep 2004 13:27:18.0585 (UTC)
FILETIME=[355D4290:01C4A6F1]

Has anyone else run into this also?


sa-learn with SQL everything?

2004-09-30 Thread Daniel M. Drucker

I'm trying to start using Bayes and sa-learn for the first time, now
that Bayes supports SQL.

I run a smallish system (about 80 users spread over three domains).
The basic setup is Exim -> SpamAssassin 3 -> Exim -> amavis -> Exim ->
delivery. (That is -- SA and amavis are Exim router-transport pipes;
neither knows of the other's existence.)

Apart from me, none of my users have home directories; Exim uses SQL
for all account information. Mail is stored in Maildir format in
/mail/DOMAIN/USER.

The majority of my users use Squirrelmail.

I would like to enable some sort of false-negative/false-positive
reporting for them, as I would imagine that the Bayes system is not
very useful if it's getting uncorrected FN/FP data. However, every
piece of documentation I've seen for sa-learn assumes (1) a unix
account to correspond to the mailbox owner, and (2) that SQL is not
being used for anything.

Can someone point me in the right direction? I'd really like to take
advantage of Bayes, but the documentation is so haphazard right now
that I just don't know what to do.




-- 
Daniel Drucker / [EMAIL PROTECTED]



Re: [sa-list] Re: Preferred DNSBL

2004-09-30 Thread Dan Mahoney, System Admin
On Thu, 30 Sep 2004, John Fleming wrote:
I would say a simple "daemon" to tail -F the logfile (-F to cover 
rotations, etc), and parse strings for the specific blocklist messages.

-Dan

> - Original Message -
> From: "Ed Kasky" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, September 27, 2004 2:49 PM
> Subject: Re: Preferred DNSBL
>
> > Rejects Since Sunday 4:00 am via rbls:
> > spamcop: 65
> > maps rbl+: 154
> > dsbl.org: 9
> > njabl.org: 18
> > spamhaus: 18
>
> What/how are you guys gathering the data above?  Thanks - John

--
"Is Gushi a person or an entity?"
"Yes"
-Bad Karma, August 25th 2001, Ezzi Computers, Quoting himself earlier, referring 
to Gushi
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


Re: Preferred DNSBL

2004-09-30 Thread John Fleming

- Original Message - 
From: "Ed Kasky" <[EMAIL PROTECTED]>
To: 
Sent: Monday, September 27, 2004 2:49 PM
Subject: Re: Preferred DNSBL


> Rejects Since Sunday 4:00 am via rbls:
> 
> spamcop: 65
> maps rbl+: 154
> dsbl.org: 9
> njabl.org: 18
> spamhaus: 18

What/how are you guys gathering the data above?  Thanks - John




RE: Problem with Bayes learner.

2004-09-30 Thread John Stegenga
How does one handle this in a shared server environment where there are many
domains on a single server with ONE mail instance?  Does one have to run
steps 2-3 for each domain before you can restart spamd?

John



-Original Message-
From: Erik Wickstrom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 4:32 PM
To: users@spamassassin.apache.org
Subject: Re: Problem with Bayes learner.


Hi John,

I had a similar problem, and with the help of the list, I was able to
resolve it.  Here is what you have to do.

FIRST  kill spamd - if the process is running, it will mess everything
up!
Second: run sa-learn --sync -D
this may take a little while, but it will upgrade your database to version
3.

Third: run sa-learn --showdots --mbox --spam your_spam_box

Do the same for ham.

Fourth: spamd -d

You should be back in business!  Good luck!

Erik


On Wed, 29 Sep 2004 15:56:27 -0400, John Stegenga <[EMAIL PROTECTED]> wrote:
> Hi everyone.  I've read the wiki and googled for this, and no such luck.
>
> I'm not using Spam Assassin 3.x yet.
>
> Server info:
> Redhat 9 kernel 2.4.26-ow3
> Perl 5.8.1
>
> This is a "shared hosting" server using Cpanel 9.4.1
>
> The mailer is EXIM
> exim
> (exim-4.42-60_cpanel_stmpcontrol_antivirus_rewrite_mailman2_maskedmailtrap_exiscan)
>
> Until about 5 days ago, my Spam learner script was working.  I could never
> turn SA Autolearn on, but I could manually make a SPAM mailbox and a HAM
> mailbox and put stuff into them.  I currently have a library of about 6000
> spams that have been sent to my domain.
>
> Recently, however, SA stopped using bayes.  No more bayes scores
> none...
>
> Here is my error:
>
> bayes: bayes db version 0 is not able to be used, aborting! at
> /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin/BayesStore/DBM.pm line 160.
>
> Now, that's odd to me because it appears to learn email...
> Learned from 42 message(s) (5231 message(s) examined)
>
> The wiki says this error has to do with SA 3.0..  but I'm not using 3.0:
> X-Spam-Status: No, hits=0.0 required=4.5 tests=none autolearn=ham
> version=2.64
> X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11)
>
> HELP?
>
>
> John Stegenga
>
>





Re: SURBL in 3.0

2004-09-30 Thread Maurice Lucas
> OK - I think I have narrowed down what is happening with this, though I 
> don't know why.  I have placed my local.cf file in a non-standard 
> directory and I am using the --siteconfigpath=path to point to that 
> directory (where my local.cf file and my own custom rules files are 
> located).  For some reason this breaks the SURBL checks.  If I run 
> spamassassin without that directive (and use local.cf in its standard 
> installation location), the SURBL checks work fine.  Can someone else 
> confirm this?  This is with 3.0.0.

So that's the reason why I don't see any SURBL checks in the headers 
(_TESTSSCORES_)

I do see  "uri tests; score so far=-2.599" in my debug logfile but never any 
line like:
2.0 URIBL_WS_SURBL Contains a URL listed in sa-blacklist
[URIs: ca-t.com]

I didn't change anything in Makefile.PL, so it's a simple install with 
a --siteconfigpath=path for starting spamd

A test message with
http://surbl-org-permanent-test-point-MUNGED.com/
without "-MUNGED"
gives the following result in the debug logfile:
uri found: http://surbl-org-permanent-test-point-MUNGED.com/
And in the headers:
X-Spam-Status: No, hits=-2.1 required=7.0 tests=ALL_TRUSTED=-3.3,AWL=3.193,
BAYES_20=-1.951 autolearn=ham version=3.0.0

With kind regards,
Maurice Lucas
TAOS-IT



Re: Spamassassin 3.0 with mimedefang 2.37

2004-09-30 Thread Doug Brott
Justin Mason wrote:
> Well, it would be *nice*.   I think it's reasonable to assume
> that MIMEDefang and amavisd certainly need this, given the very
> large amount of bug reports we've been getting.

Yes, it does make sense for MIMEDefang to list what version of 
SpamAssassin is supported.  I do not use amavisd, but will assume the 
same statement applies.  It doesn't, however, make sense for the 
inverse.  There's probably no more reason for SpamAssassin to list what 
version of MIMEDefang is needed than there is for Perl to list what 
version of SpamAssassin to use.

The good news is (and has already been reported here) that MIMEDefang 
does have this information listed: V2.42 and higher.

--
Doug Brott


Stupid lottery spam?

2004-09-30 Thread Jonathan Nichols
A.A.S Lottery Headquarters:
Customer Service
580 N. Tenth Street
Sacramento, CA 85914
Euro - Afro Asian Sweepstake Lottery
an Affiliate of Foundmoney International
Arena Complex Km 18 Route de Rufisque
I.P.P Award Dept.
johannesburg, south africa.
Ref: EAASL/941OYI/03
Batch: 03/06/MA34

--
Ok, SpamAssassin caught the lottery scam, but.. are these people really 
this stupid? (Probably a rhetorical question, I know..)

600 N. 10th Street, Sacramento, CA 95814 is a valid address - it's the 
California Lottery offices.

If I recall correctly, 580 N. 10th street is a parking lot or something. 
heh. And they got the ZIP code wrong. It's 95814. Morons.

Next time I'm in that area on the way to the firing range, maybe I 
oughta drop by 580 N 10th st. hm

-Crazy Jon


reporting to spamcop fails

2004-09-30 Thread andrew collier
hello,

i have just upgraded to spamassassin-3.0.0 and run it on a linux platform.

i have the following problem when reporting spam using "spamassassin -D -r",
towards the end of the output there is a delay (a few seconds) then i get:

debug: Razor2 is not available
SpamCop -> report to vmx2.spamcop.net failed: Net::SMTP error
SpamCop -> report to vmx1.spamcop.net failed: Net::SMTP error
debug: SpamAssassin: could not report spam to SpamCop.
SpamAssassin: no Internet hashing methods available, so couldn't report.

the delay is a bit annoying when i report a few messages from inside my mail
program. i think i have narrowed down the source of the problem to this bit of
code:   

if ($smtp = Net::SMTP->new($exchange,
   Hello => $hello,
   Port => 587,
   Timeout => 10))

now i am not sure what that does... is it perhaps trying to connect to an
external mail server (which will probably not work on our lan because we have a
proxy/firewall)? in which case, can i configure it to use a local sendmail
instance?

failing this, is it possible to turn off reporting to spamcop?

thanks,
andrew.



Re: sa-learn help!

2004-09-30 Thread Andy Biddle

Yeah, double-checked that first thing.  It's definitely installed and at
the latest rev.

On Wed, 29 Sep 2004, Matt Kettler wrote:

> At 03:55 PM 9/29/2004 -0700, Andy Biddle wrote:
> >Okay, so I'm at a loss.  I'm reasonably new to SpamAssassin and dealing
> >with spam filters in general, but I've tried to do my homework and I'm
> >still having some trouble.  If I look at all my headers, I never see the
> >autolearning work.  Often it gets "autolearn=unavailable".  I figure that
> >I need to teach it a bit through "sa-learn", but when I try to utilize
> >sa-learn, I get the following errors:
> >
> >Use of inherited AUTOLOAD for non-method Digest::SHA1::sha1_hex() is
>
> Do you have the perl module Digest::SHA1 installed? If not, use cpan or
> distribution packages to add it. SA 3.0 uses SHA1 hashes as a part of its
> bayes token format.
>
>


Re: SURBL in 3.0

2004-09-30 Thread Christopher Jett
I forgot to mention that the only thing unusual about my local.cf file 
is that it rewrites the Subject header differently than the standard 
installed local.cf file.  This same problem is also repeatable with 
either spamassassin, or spamc/spamd when using the --siteconfigpath 
directive.
--
Chris Jett
[EMAIL PROTECTED]

On Sep 29, 2004, at 10:57 PM, Christopher Jett wrote:
> OK - I think I have narrowed down what is happening with this, though 
> I don't know why.  I have placed my local.cf file in a non-standard 
> directory and I am using the --siteconfigpath=path to point to that 
> directory (where my local.cf file and my own custom rules files are 
> located).  For some reason this breaks the SURBL checks.  If I run 
> spamassassin without that directive (and use local.cf in its standard 
> installation location), the SURBL checks work fine.  Can someone else 
> confirm this?  This is with 3.0.0.
> --
> Chris Jett
> [EMAIL PROTECTED]




Re: (off topic) PGP/GPG

2004-09-30 Thread Robin Lynn Frank
On Wed, 29 Sep 2004 14:40:46 -0400 (EDT)
"Dan Mahoney, System Admin" <[EMAIL PROTECTED]> wrote:

> Guys,
> 
> I notice several people here use PGP.  If anyone wants to exchange
> PGP/GPG key signatures (i.e. "I'll sign yours if you sign mine") feel
> free to contact me via IM as "GushiDotOrg" or via phone at
> 1-866-LI-GUSHI (have your fingerprint available).
> 

Right.  I want to get my key signed by someone I don't know from a hole
in the wall and, in return, sign his.  Fine.  Let's totally destroy the
value of signatures.  I don't think so.

-- 
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
http://www.paradigm-omega.com
==
Sed quis custodiet ipsos custodes?




Re: SURBL in 3.0

2004-09-30 Thread Christopher Jett
OK - I think I have narrowed down what is happening with this, though I 
don't know why.  I have placed my local.cf file in a non-standard 
directory and I am using the --siteconfigpath=path to point to that 
directory (where my local.cf file and my own custom rules files are 
located).  For some reason this breaks the SURBL checks.  If I run 
spamassassin without that directive (and use local.cf in its standard 
installation location), the SURBL checks work fine.  Can someone else 
confirm this?  This is with 3.0.0.
--
Chris Jett
[EMAIL PROTECTED]



Re: sa-learn help!

2004-09-30 Thread Matt Kettler
At 03:55 PM 9/29/2004 -0700, Andy Biddle wrote:
> Okay, so I'm at a loss.  I'm reasonably new to SpamAssassin and dealing
> with spam filters in general, but I've tried to do my homework and I'm
> still having some trouble.  If I look at all my headers, I never see the
> autolearning work.  Often it gets "autolearn=unavailable".  I figure that
> I need to teach it a bit through "sa-learn", but when I try to utilize
> sa-learn, I get the following errors:
>
> Use of inherited AUTOLOAD for non-method Digest::SHA1::sha1_hex() is

Do you have the perl module Digest::SHA1 installed? If not, use cpan or 
distribution packages to add it. SA 3.0 uses SHA1 hashes as a part of its 
bayes token format.



Re: Upgrading SpamAsssassin from 2.64 to 3.0.0

2004-09-30 Thread Matt Kettler
At 07:37 PM 9/29/2004 -0500, SAtalk Mail User wrote:
> I have a, possibly, easy question.  I have SpamAssassin 2.64 with a ton
> of the rules that you have at rules emporium, and man they work great, but
> I am wanting to upgrade my Spamassassin from 2.64 to 3.0.0, the latest via
> CPAN.

1) delete antidrug.cf if you use it, SA 3.0 includes it.
2) delete the .cf files referencing any spamcopURI rules, SA 3.0 has this 
built in, but handles it differently.
3) Read the UPGRADE file, and change or comment out any outdated config 
options which might be in your local.cf or user_prefs:
http://spamassassin.apache.org/full/3.0.x/dist/UPGRADE

I'd also suggest moving *everything* out of /etc/mail/spamassassin on a 
temporary basis, then move the files back later. This will ensure a nice 
clean upgrade which passes make test.

After the update:
1) run sa-learn --sync to upgrade your bayes DB format
2) run spamassassin --lint
3) move the files you moved out of /etc/mail/spamassassin back a few at a 
time and run --lint between batches to make sure it's happy.
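
The last post-upgrade step above (move the rule files back a few at a time, linting between batches), as an added example that is not part of the original message or of SpamAssassin. The function names, the holding directory and the demo file names are hypothetical; it assumes `spamassassin --lint` exits non-zero when it finds problems.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path


def spamassassin_lint(site_dir):
    """True when `spamassassin --lint` exits 0 for this site config directory
    (assumption: a non-zero exit status means lint found problems)."""
    cmd = ["spamassassin", f"--siteconfigpath={site_dir}", "--lint"]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def restore_in_batches(holding_dir, site_dir, batch_size=3, lint=spamassassin_lint):
    """Move *.cf files from holding_dir back into site_dir a batch at a time,
    linting after each batch. A failing batch is retried file by file so the
    offending file is identified and left in holding_dir.
    Returns (restored, rejected) lists of file names."""
    holding, site = Path(holding_dir), Path(site_dir)
    pending = sorted(p.name for p in holding.glob("*.cf"))
    restored, rejected = [], []

    def move(names, src, dst):
        for name in names:
            shutil.move(str(src / name), str(dst / name))

    for start in range(0, len(pending), batch_size):
        batch = pending[start:start + batch_size]
        move(batch, holding, site)
        if lint(site):
            restored += batch
            continue
        move(batch, site, holding)          # back out the whole batch
        for name in batch:                  # then retry one file at a time
            move([name], holding, site)
            if lint(site):
                restored.append(name)
            else:
                move([name], site, holding)
                rejected.append(name)
    return restored, rejected


def demo():
    """Constructed run: five rule files, one of which a stand-in lint rejects."""
    with tempfile.TemporaryDirectory() as tmp:
        holding, site = Path(tmp, "holding"), Path(tmp, "site")
        holding.mkdir()
        site.mkdir()
        for name in ("a.cf", "b.cf", "bad.cf", "c.cf", "d.cf"):
            (holding / name).write_text("# constructed rule file\n")
        # Stand-in for spamassassin --lint so the demo runs without SA installed.
        fake_lint = lambda d: not (Path(d) / "bad.cf").exists()
        result = restore_in_batches(holding, site, batch_size=2, lint=fake_lint)
        left_behind = sorted(p.name for p in holding.iterdir())
    return result, left_behind


if __name__ == "__main__":
    print(demo())
```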




RE: Cygwin SA3.0 Problems

2004-09-30 Thread Jason J. Ellingson
What method are you using to connect to your CygWin SpamD?

Perhaps the problem is not with SpamD, but with SpamC.  I noticed that the
new SA3.0 doesn't always fill the incoming TCP buffer for your SpamC calling
application... I use 1024 byte buffers.  This may be throwing
whichever SpamC you are using into confusion as it takes a non-full buffer
to mean that this is the last packet for the email results.  I use the new
Content-length header as a check for message completeness...

I wrote my own custom SpamC in .NET as a plug-in for XMail and stopped
having those issues you are having.

I seem to remember having some issues with WinSpamC (on sourceforge.net) not
getting the entire emails either but had pretty good luck with the SpamC
compiled in CygWin.

Feel free to email me directly.  I'm happy to help where I can.

Jason J Ellingson
Technical Consultant

615.301.1682 : nashville
612.605.1132 : minneapolis

www.ellingson.com
[EMAIL PROTECTED]
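
The short-read problem described in this message, as an added example that is not part of the original post or of any SpamC implementation: a reader that stops at the first non-full 1024-byte buffer, next to one that keeps reading until the Content-length count is satisfied. The reply bytes, the `ScriptedSocket` stand-in and the function names are constructed for illustration.

```python
class ScriptedSocket:
    """Stand-in for a TCP socket: recv() hands back pre-scripted segments,
    the way a real stream may deliver a reply in arbitrary pieces."""

    def __init__(self, segments):
        self._segments = list(segments)

    def recv(self, bufsize):
        if not self._segments:
            return b""                       # peer closed the connection
        seg = self._segments.pop(0)
        if len(seg) > bufsize:               # never return more than asked for
            self._segments.insert(0, seg[bufsize:])
            seg = seg[:bufsize]
        return seg


def read_until_short(sock, bufsize=1024):
    """Flawed reader: treats a non-full buffer as the last packet."""
    data = b""
    while True:
        chunk = sock.recv(bufsize)
        data += chunk
        if len(chunk) < bufsize:
            return data


def read_by_content_length(sock, bufsize=1024):
    """Read the reply headers, then exactly Content-length body bytes."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError("closed before end of headers")
        data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    length = None
    for line in head.split(b"\r\n")[1:]:     # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None:
        raise ValueError("reply has no Content-length header")
    while len(body) < length:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError(f"truncated: {len(body)} of {length} bytes")
        body += chunk
    return head, body[:length]


# Constructed reply: status line, headers, blank line, processed message.
BODY = b"X-Spam-Flag: YES\r\n\r\n" + b"constructed message body line\r\n" * 100
REPLY = (b"SPAMD/1.1 0 EX_OK\r\n"
         b"Content-length: " + str(len(BODY)).encode() + b"\r\n"
         b"Spam: True ; 15.0 / 5.0\r\n\r\n" + BODY)
SEGMENTS = [REPLY[:700], REPLY[700:1724], REPLY[1724:]]  # first read is short


def demo():
    short = read_until_short(ScriptedSocket(SEGMENTS))
    _, body = read_by_content_length(ScriptedSocket(SEGMENTS))
    return len(short), len(REPLY), body == BODY


if __name__ == "__main__":
    print(demo())
```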



Re: SURBL in 3.0

2004-09-30 Thread Jeff Chan
On Wednesday, September 29, 2004, 4:58:21 PM, Christopher Jett wrote:
> Still not seeing any hits from SURBL.  I do see hits from other RBL's.

[...]

> Tons of spam like this, but no SURBL hits at all.  I just verified that 
> my Net::DNS is up to date as well.  I am at a loss to figure out why 
> this is not working.  Everything seems in order, but it is stubbornly 
> not giving me any SURBL scores.

Can you resolve the SURBL domains from the server you're running
SpamAssassin on:

  dig test.surbl.org.multi.surbl.org

What happens when you send yourself a test message with one of
the SURBL test points in it:

  http://www.surbl.org/faq.html#test-uris

> SURBL test URLs are:
> 
>   http://surbl-org-permanent-test-point-MUNGED.com/
> 
> or:
> 
>   http://127.0.0.2-MUNGED/
> 
> without the "-MUNGED"s.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: SA 3.0.0 SURBL usage

2004-09-30 Thread Jeff Chan
On Wednesday, September 29, 2004, 3:31:22 PM, Nick Stephens wrote:
NS>> Raymond Dijkxhoorn ([EMAIL PROTECTED]) RD wrote today:

>> Do you have Net::DNS installed ? It looks to me you are not using RBL checks 
>> at all?

> I checked my perllocal.pod and saw no reference to NET::DNS on this box, 
> so I installed it.  After waiting a little while for some more spam to 
> come in, it is now working PERFECTLY!@

> I am a lean, clean, spam eating machine.

> Thank you so much for pointing out my oversight!  :)

Thanks for the feedback.  I'm adding that to the SURBL FAQ:

  http://www.surbl.org/faq.html#nettest

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Rule problem (.exe attachments)

2004-09-30 Thread Jay Hall
[EMAIL PROTECTED] wrote:
> Jay Hall wrote:
> > I am experiencing a problem with one of my rules that I
> > cannot seem to find.
> > I have the following rules defined.
> >
> > rawbody __RAW_EXE_ATTACHMENT /filename=\".*\.exe\"/i
> > rawbody __RAW_VBS_ATTACHMENT /filename=\".*\.vbs\"/i
> > rawbody __RAW_COM_ATTACHMENT /filename=\".*\.com\"/i
> > rawbody __RAW_PIF_ATTACHMENT /filename=\".*\.pif\"/i
> > rawbody __RAW_CMD_ATTACHMENT /filename=\".*\.cmd\"/i
> > rawbody __RAW_BAT_ATTACHMENT /filename=\".*\.bat\"/i
> > meta ATTACHMENT_RULES (__RAW_EXE_ATTACHMENT || __RAW_VBS_ATTACHMENT || __RAW_COM_ATTACHMENT || __RAW_PIF_ATTACHMENT || __RAW_CMD_ATTACHMENT || __RAW_BAT_ATTACHMENT)
> > score ATTACHMENT_RULES 25.00
> >
> > Any attachments listed above will be properly identified as and the
> > tests run with the exception of an EXE attachment.  A filename with an
> > .exe extension is not flagged.
> > I have added an additional rule that checks for an .exe
> > attachment, that
> > is not part of the meta rule, and I receive the same results.  This
> > leads me to believe there is something wrong with my test for .exe
> > attachments. 
> >
> > I am running SA 2.64, spamd, and it is invoked from q-mail.
> > Any suggestions would be greatly appreciated.
> > Thanks in advance for your assistance.
> >
> > Jay Hall
>
> How about trying:
>
> rawbody ATTACHMENT_RULES /filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?\s*$/i
> score ATTACHMENT_RULES 25.00
>
> Note: added .cpl and .scr
> added end-of-line test $ to avoid false positives on things like
> "example.com contract.doc"
> made quotes optional
>
> [EMAIL PROTECTED]  805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com Software Engineer
> perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

I went back through the e-mail logs this evening, and e-mails with an 
exe attachment were being scored correctly until last night about 7:00 
pm.  Is it possible there is something wrong with one of the bayes files?

Thanks for your help.
Jay
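
How the patterns quoted in this message behave on attachment header lines, as an added example that is not part of the original thread: the per-extension form, the consolidated pattern from the reply, and that same pattern without its end-of-line `$`. The patterns are copied from the message and use only constructs that Python's `re` handles the same way as Perl; the sample lines and function names are constructed.

```python
import re

# Per-extension form from the original rules: quotes required, no anchor.
ORIGINAL_EXTS = ("exe", "vbs", "com", "pif", "cmd", "bat")
PER_EXT = [re.compile(r'filename=\".*\.%s\"' % ext, re.I) for ext in ORIGINAL_EXTS]

# Consolidated pattern from the reply: optional quotes, anchored at end of line.
ANCHORED = re.compile(
    r'filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?\s*$', re.I)

# Same pattern with the end-of-line test removed, to show what "$" is for.
UNANCHORED = re.compile(
    r'filename=\"?.*\.(?:exe|vbs|com|pif|cmd|bat|cpl|scr)\"?', re.I)

# Constructed header lines of the kind a rawbody rule would be tested against.
SAMPLES = {
    "quoted .exe": 'Content-Disposition: attachment; filename="invoice.exe"',
    "unquoted, upper case": "\tfilename=SETUP.EXE",
    "benign name containing .com": 'filename="example.com contract.doc"',
    "benign .pdf": 'filename="report.pdf"',
    "added extension, trailing spaces": 'filename="screensaver.scr"   ',
    "parameter after filename": 'filename="notes.bat"; size=1024',
}


def classify(line):
    """Return (per_extension_hit, unanchored_hit, anchored_hit) for one line."""
    return (
        any(p.search(line) for p in PER_EXT),
        bool(UNANCHORED.search(line)),
        bool(ANCHORED.search(line)),
    )


def results():
    return {label: classify(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    print(f"{'sample':34} per-ext  no-$   with-$")
    for label, hits in results().items():
        print(f"{label:34} " + "  ".join(f"{str(h):6}" for h in hits))
```

The last sample is a line the anchored pattern does not cover: a parameter following the filename keeps `$` from matching, which the per-extension rules would have caught.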


Re: Why such a low score?

2004-09-30 Thread Jeff Chan
On Wednesday, September 29, 2004, 11:44:28 AM, Chris Santerre wrote:
> Our testing for FPs has gotten
> extremely better over the past few weeks. New tools and such.

Better for the new records, but we seem to keep finding FPs in
the old ones.  We keep trying to track them down, but need
better tools or smarter use of them.  Could we start by checking
all domains older than 1 year?  I think that would have a big
payoff.

> Jeff ... just keeps
> mumbling "No eff pees, no eff pees". If he starts wearing nothing
> but a loin cloth and eating raw fishI'm calling a doctor. 

Better call him stat: I like sushi... in Hawaii...
Mmmm... Ahi  ;-)

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Why such a low score?

2004-09-30 Thread Jeff Chan
On Wednesday, September 29, 2004, 11:50:02 AM, Raymond Dijkxhoorn wrote:
> Yes very true. We also would like to include JP in the next mass checks,
> so we can see how scoring would look like in the current situation.

Yes, I believe Theo already added JP for scoring in 3.1.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Spamassassin 3.0 with mimedefang 2.37

2004-09-30 Thread Lucas Albers

Justin Mason said:
> Well, it would be *nice*.   I think it's reasonable to assume
> that MIMEDefang and amavisd certainly need this, given the very
> large amount of bug reports we've been getting.

We'll just make a wiki entry and naturally the popular software will be
updated with info on 3.0 compatibility.


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana




Re: 2.6 -> 3.0 migration questions

2004-09-30 Thread Lucas Albers
Some options kick you in the face.
Such as -a for spamd which will prevent it from starting.

I guess we can add in a wiki entry for upgrades from 3.0 instead of
forcing the devs to document every nit-picking thing.

Some options are just ignored, eg, no backward compatibility.
bayes autolearn changed syntax so you need to change the name if you set
your autolearn spam/ham level.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana