Re: Possible to move spam on server with spamassassin?
If you use procmail it should be relatively easy.
{^_^}

- Original Message -
From: alex [EMAIL PROTECTED]

Hi

I have an IMAP-server and I can't sort mail with kmail, so is it possible that spamassassin not only rewrites the subject but also moves mail on the server to SPAM?

thx
alex
Re: Need for a new rule?
On Wednesday, April 13, 2005, 1:42:10 PM, Stuart Johnston wrote:
> body L_STOX2 /st0ck\d{2}\s{0,[EMAIL PROTECTED],4}yahoo.com/i

FWIW, the st0ckNN @ yahoo.com spammer seems to have changed back to 4 digits:

    If you wish to stop future mailings, or if you fee| you have been wrongful|y p|aced in our membership, p|ease go here or send a blank e mail with No Thanks in the subject to st0ck1007 @yahoo.com

So it's time to adjust/modify that filter again. (I guess he was behind on his reading. Hi spammy! ;-)

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: Fwd: Note to SA authors and Mail::SpamAssassin::Message
On Sat, Apr 16, 2005 at 05:07:43PM -0500, Robert Nicholson wrote:
> Only a minor annoyance there being an inconsistency with the way the extra new line is present from get_pristine_header.

There is no designed Mail::Audit compatibility in M::SA::Message. I'd be surprised if this is the only difference there is between the two.

--
Randomly Generated Tagline:
Like any French restaurant in America, it was overpriced, noisy, moody, and would put you in mortal danger if you had an accident with anything larger than a croissant. - Unknown about the Renault LeCar
Re: Note to SA authors and Mail::SpamAssassin::Message
My point would be that

What will Mail::Internet get_header return? Will it have the new line or not?

I guess it says pristine which means what? If it said get_header then I'd take issue because it also includes the separate b/w header and body.

Clearly in SA there are very few occurrences where you actually need the header _without_ the separator

On Apr 17, 2005, at 8:33 AM, Theo Van Dinter wrote:
> On Sat, Apr 16, 2005 at 05:07:43PM -0500, Robert Nicholson wrote:
> > Only a minor annoyance there being an inconsistency with the way the extra new line is present from get_pristine_header.
>
> There is no designed Mail::Audit compatibility in M::SA::Message. I'd be surprised if this is the only difference there is between the two.
>
> --
> Randomly Generated Tagline:
> Like any French restaurant in America, it was overpriced, noisy, moody, and would put you in mortal danger if you had an accident with anything larger than a croissant. - Unknown about the Renault LeCar
Re: What is better DCC or Razor2?
Robert Nicholson wrote ..
> I currently run DCC and since adding
>
>     if ($rules =~ /DCC_CHECK/) {
>         log_mbox($check_mail, "Spamassassin has determined this mail is SPAM ignoring because of DCC_CHECK\n\n");
>         $mail->ignore();
>     }
>
> to my spam filtering script it's dramatically cut down on my spam.
>
> But what benefit is there in running razor2?

I run both for the simple reason that IMHO, more is better. I use a combination of RBL checks, DCC, Razor, Pyzor and various rulesets. I am currently catching close to 99% of spam that hits our server with less than 1% false positives.

Ed

. . . . . . . . . . . . . . .
Randomly generated quote:
My belief is that we did not come from God so much as that we are going towards God. ~ Jane Duncan
Re: Note to SA authors and Mail::SpamAssassin::Message
On Sun, Apr 17, 2005 at 10:20:41AM -0500, Robert Nicholson wrote:
> What will Mail::Internet get_header return? Will it have the new line or not?

Don't know. Why does this matter wrt SA? We don't use Mail::Internet.

> I guess it says pristine which means what?

The pristine functions return the data as passed in originally to M::SA::Message. No whitespace folding is dealt with, no decoding, etc.

> If it said get_header then I'd take issue because it also includes the separate b/w header and body.

b/w ?

--
Randomly Generated Tagline:
I won't use Windows, I won't use Windows ...
Re: What is better DCC or Razor2?
On Sun 17 Apr 05 08:55, Ed Kasky [EMAIL PROTECTED] wrote:
> Robert Nicholson wrote ..
> > I currently run DCC and since adding
> >
> >     if ($rules =~ /DCC_CHECK/) {
> >         log_mbox($check_mail, "Spamassassin has determined this mail is SPAM ignoring because of DCC_CHECK\n\n");
> >         $mail->ignore();
> >     }
> >
> > to my spam filtering script it's dramatically cut down on my spam.
> >
> > But what benefit is there in running razor2?
>
> I run both for the simple reason that IMHO, more is better. I use a combination of RBL checks, DCC, Razor, Pyzor and various rulesets. I am currently catching close to 99% of spam that hits our server with less than 1% false positives.

I was just about to write the same thing, except I use pretty much default rulesets. If I ran a SA for more than myself I'd probably also tweak the rulesets.

At first I wasn't using any online checks, but when they're all turned on the accuracy is improved significantly in my case. I haven't tried them individually, though they are scored differently in the defaults, so not all of them hold the same weight.

- jt
spamc/d not doing SURBL lookups vs spamassassin w/ same config
I've looked through the Wiki, Faq's, Readme's, and GMANE's archives searches on this list. Oh, and Google.. and haven't found anything that would describe or fix what's happening.

Problem being seen:

I recently switched to spamd / spamc from running spamassassin out of my procmail. This is on a mail system I administer, but with the switch, I saw an upsurge in spam making its way through. I've been keeping a watch on the various tests being triggered, and haven't seen any of the DNSRBL's or SURBL's. I look at the older spam emails I've captured, and they were frequently being triggered.

I managed to go ahead and take an old email, strip off everything that SA had added, and ran it through both spamassassin and spamc. I came up with different results.

Here are the current configs, and then I'll go into my testing methodology.

I'm running spamassassin 3.02, on a Mac OS X 10.2.8 machine. It has razor2 installed, along with the various cpan parts needed for net tests.

Just to give the current config:

Spamd is run as root with:

    /usr/bin/spamd -d --socketpath=/var/run/spamd.sock

spamc is run by the user from procmail with:

    :0fw: spamassassin.lock
    * < 256000
    | /usr/bin/spamc -U /var/run/spamd.sock

spamassassin used to run with:

    | /usr/bin/spamassassin

I only have 2 things in my user_prefs:

    score RCVD_IN_BL_SPAMCOP_NET 3
    score RAZOR2_CHECK 3

I've confirmed that the spamd daemon is dropping to the right user by watching the logs:

    Apr 17 18:22:54 neuromancer spamd[26173]: got connection over /var/run/spamd.sock
    Apr 17 18:22:54 neuromancer spamd[26173]: info: setuid to mbarr succeeded
    Apr 17 18:22:54 neuromancer spamd[26173]: processing message [EMAIL PROTECTED] for mbarr:501.
    Apr 17 18:22:57 neuromancer spamd[26173]: clean message (-2.5/5.0) for mbarr:501 in 2.7 seconds, 12724 bytes.
    Apr 17 18:22:57 neuromancer spamd[26173]: result: . -2 - BAYES_00,MSGID_FROM_MTA_HEADER,NO_REAL_NAME scantime=2.7,size=12724,mid=[EMAIL PROTECTED] org,bayes=0,autolearn=no

--

I took an old spam (from about 2 weeks ago), and stripped the SA envelope from it to get the original message. I captured that to a file, and looked it over to make sure it had Received-Froms:, etc.

I then ran it through these 2 programs, from the command line:

    cat ~/mail/123 | spamassassin -t
    cat ~/mail/123 | /usr/bin/spamc -U /var/run/spamd.sock

I got a drastically different result.

From spamassassin, I got this:

    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on xxx.xxx.net
    X-Spam-Level:
    X-Spam-Status: Yes, score=28.2 required=5.0 tests=AWL,BAYES_99,
        DNS_FROM_RFC_BOGUSMX,DNS_FROM_RFC_POST,HTML_IMAGE_ONLY_16,
        HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,
        RCVD_ILLEGAL_IP,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,
        RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_MISC,
        RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RCVD_NUMERIC_HELO,URIBL_AB_SURBL,
        URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
        autolearn=unavailable version=3.0.2

From spamc, I got this:

    X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on xxx.xxx.net
    X-Spam-Level:
    X-Spam-Status: Yes, score=16.2 required=5.0 tests=AWL,BAYES_99,
        HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
        MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
        RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO
        autolearn=no version=3.0.2

(with an associated log of spamd of:

    Apr 17 18:46:37 neuromancer spamd[26073]: got connection over /var/run/spamd.sock
    Apr 17 18:46:37 neuromancer spamd[26073]: info: setuid to mbarr succeeded
    Apr 17 18:46:37 neuromancer spamd[26073]: processing message [EMAIL PROTECTED] for mbarr:501.
    Apr 17 18:46:38 neuromancer spamd[26073]: identified spam (16.2/5.0) for mbarr:501 in 1.0 seconds, 2472 bytes.
    Apr 17 18:46:38 neuromancer spamd[26073]: result: Y 16 - AWL,BAYES_99,HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO scantime=1.0,size=2472,mid=[EMAIL PROTECTED] oo.com,bayes=1,autolearn=no

)

So, I'd say that something is happening that's not supposed to be. I'm running the network tests, as I'm twigging the razor2 rules. It must be something else...

Anyone have any thoughts?

Matthew

Matthew Barr
Managing Partner
Datalyte Consulting, LLC
Apple Authorized Reseller
mailto:[EMAIL PROTECTED]
cell: (646) 765-6878
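
The by-eye comparison in the message above, done mechanically, as an added example that is not part of the original post: it unfolds the two X-Spam-Status headers quoted there, lists the rules that hit only under `spamassassin -t`, and groups them by family. The family names and their prefix mapping are assumptions of this example (inferred from rule names, not read from the rule files), and the header folding is constructed.

```python
import re

# X-Spam-Status headers quoted in the post above; the folding is constructed.
CLI = """X-Spam-Status: Yes, score=28.2 required=5.0 tests=AWL,BAYES_99,
 DNS_FROM_RFC_BOGUSMX,DNS_FROM_RFC_POST,HTML_IMAGE_ONLY_16,HTML_MESSAGE,
 MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,
 RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,RCVD_ILLEGAL_IP,RCVD_IN_BL_SPAMCOP_NET,
 RCVD_IN_DSBL,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_HTTP,RCVD_IN_SORBS_MISC,
 RCVD_IN_SORBS_WEB,RCVD_IN_XBL,RCVD_NUMERIC_HELO,URIBL_AB_SURBL,URIBL_OB_SURBL,
 URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=unavailable version=3.0.2"""
DAEMON = """X-Spam-Status: Yes, score=16.2 required=5.0 tests=AWL,BAYES_99,
 HTML_IMAGE_ONLY_16,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
 MPART_ALT_DIFF,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_HELO_IP_MISMATCH,
 RCVD_ILLEGAL_IP,RCVD_NUMERIC_HELO autolearn=no version=3.0.2"""

# Assumption: rule families are inferred from name prefixes, not from the rule files.
FAMILIES = (("RCVD_IN_", "dnsbl"), ("URIBL_", "uribl"), ("DNS_FROM_", "dns_from"),
            ("RAZOR2_", "checksum"), ("DCC_", "checksum"), ("PYZOR_", "checksum"))
DNS_FAMILIES = {"dnsbl", "uribl", "dns_from"}

def family(rule):
    return next((name for prefix, name in FAMILIES if rule.startswith(prefix)), "local")

def parse_status(header):
    """Unfold an X-Spam-Status header; return (score, set of rule names)."""
    flat = re.sub(r"\s+", " ", header)
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    m = re.search(r"tests=([A-Z0-9_]+(?:,\s*[A-Z0-9_]+)*)", flat)
    tests = set(re.split(r",\s*", m.group(1))) if m else set()  # "tests=none" -> empty
    return score, tests

def compare(cli_header, daemon_header):
    """Group rules that hit only in the CLI run by family. dns_only_gap is True when
    every lost hit is DNS-based and the daemon run has no DNS-based hit at all."""
    (cli_score, cli), (d_score, daemon) = parse_status(cli_header), parse_status(daemon_header)
    missing = {}
    for rule in sorted(cli - daemon):
        missing.setdefault(family(rule), []).append(rule)
    daemon_families = {family(r) for r in daemon}
    return {
        "score_gap": round(cli_score - d_score, 1),
        "missing": missing,
        "dns_only_gap": bool(missing) and set(missing) <= DNS_FAMILIES
                        and not (daemon_families & DNS_FAMILIES),
        "checksum_ok": "checksum" in daemon_families,
    }

if __name__ == "__main__":
    for key, value in compare(CLI, DAEMON).items():
        print(key, value)
```

On these two headers every rule lost under spamd belongs to a DNS-based family while the Razor2 hits are present in both runs, which narrows the difference to DNS lookups in the daemon's environment rather than network tests as a whole.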