Re: Re[2]: Is Bayes Really Necessary?
... Hello List,
Thursday, May 26, 2005, 10:05:26 AM, you wrote:
LMU Though nobody seems to have said it exactly this way: It seems
LMU to be becoming very obvious that the people who say they have problems
LMU with Bayes are those who support a diverse group of users (e.g. ISPs
LMU and email providers) and those who find it works well, even with autolearning
LMU are those with either small numbers of users or users who are mostly of
LMU a very specific categorization type (e.g. medical, legal, technical, or
LMU just about any homogenous group).
Sorry -- major email server here, serving several hundred domains, well over 1k users, all types from technical experts to business people to newspaper reporters to retailers to pharmacists to people with professions of various ages. Site-wide Bayes. Everyone has access to sa-learn via IMAP. Works marvelously.
Bob Menschel
Bob, I have actually many times specifically noted that you have said it works for you. I did not mean to imply that it doesn't always work in a heterogenous environment, just that all the people who say it doesn't work seem to fit that category (i.e. for some subset of people like yourself, there may be problems of some sort). Other people at large sites have also reported very good results and some of them also seem to be ISPs or email providers. For the other group, homogenous environments, there seems to be uniform agreement that it does work (now someone will speak up and point out a counter-example).
I have noticed a few times when you've posted scores, that you have a BAYES_80 where I take the posted message, run -D -t and get a BAYES_99, which might mean it does still work, and quite well - but not as `extremely' well as in other environments (80%+ of all email that hits SA on my servers ends up as either BAYES_00 or as BAYES_99 -- the rare exception I usually look at (they are mostly coming to my own accounts or are tagged as spam by other rules anyway), and they are either personal contacts, stock pumps or 419s -- mostly email from my marketing family members, whose writing style seems to be quite similar to some spam; I'm sure that I will eventually refuse some mail from my father, he often hits BAYES_80 and he mails from a MSN account - if it weren't for AWL, it already would have happened:-).
A quick check of the last couple of days shows 72.96% at BAYES_00 and 10% at BAYES_99 and 11.29% at BAYES_50. I suspect the results are less extreme for you, but maybe not (that would be good to hear).
Note: I have a lot of MTA level rejection, pre-filtering before SA that takes out most of the remaining spam and almost all mailing lists are set to use the bayes_ignore_to directive - so my results posted above are highly skewed by all these factors (e.g. 40% of valid email does not run through bayes, and things like nightly server reports generated internally do - I don't even trust my own firewall machines' reports).
Finally, you seem to have done a good job of `training' your users to use sa-learn, which is probably itself more valuable than any tweaking a sysadmin could do alone. I'd also bet dollars to donuts, that you have more modifications to a stock install than I do (e.g. SARE rules, etc.) and probably far more than most people with BAYES problems.
Paul Shupak [EMAIL PROTECTED]
P.S. I know the account says List Mail User, but why is this the only mailing list that almost uniformly references me that way? 
Though, I do get called by the sobriquet Administrative User when I use accounts which are labeled like that. Maybe it's just that this list's user base is ingrained in using the header label instead of the signature!? Anyway, I kind of like the LMU :)
Custom Black list question
I have a custom black list with rules like: blacklist_from [EMAIL PROTECTED] How can one make sure these rules are picked up by spamassassin as these emails are still getting through? Spamassassin running on FreeBSD.
Re[4]: Is Bayes Really Necessary?
Hello List,
Thursday, May 26, 2005, 11:01:23 PM, you wrote:
LMU P.S. I know the account says List Mail User, but why is this the only
LMU mailing list that almost uniformly references me that way? Though, I do
LMU get called by the sobriquet Administrative User when I use accounts
LMU which are labeled like that. Maybe it's just that this list's user base is
LMU ingrained in using the header label instead of the signature!? Anyway,
LMU I kind of like the LMU :)
Don't know. Me, I kind of like responding to the list. :-)
LMU A quick check of the last couple of days shows 72.96% at BAYES_00
LMU and 10% at BAYES_99 and 11.29% at BAYES_50. I suspect the results are less
LMU extreme for you, but maybe not (that would be good to hear). Note: I have
LMU a lot of MTA level rejection, pre-filtering before SA that takes out most
LMU of the remaining spam and almost all mailing lists are set to use the
LMU bayes_ignore_to directive - so my results posted above are highly skewed
LMU by all these factors (e.g. 40% of valid email does not run through bayes,
LMU and things like nightly server reports generated internally do - I don't
LMU even trust my own firewall machines' reports).
Interesting stats.
Last month's ham (110,735):
    th - 00 - 110173 = 99.5%
    th - 01 - 4
    th - 05 - 191
    th - 20 - 164
    th - 30 - 0
    th - 40 - 144
    th - 44 - 1
    th - 50 - 6
    th - 60 - 20
    th - 80 - 8
    th - 95 - 1
    th - 99 - 23 = 0.02%
Last month's spam (79,749):
    ts - 00 - 16346 = 20.5%
    ts - 01 - 1
    ts - 05 - 877 = 1.1%
    ts - 20 - 1283 = 1.6%
    ts - 30 - 2
    ts - 40 - 1607 = 2.0%
    ts - 44 - 8
    ts - 50 - 415
    ts - 60 - 3588 = 4.5%
    ts - 80 - 3695 = 4.6%
    ts - 95 - 2596 = 3.3%
    ts - 99 - 49331 = 61.9%
Obviously Bayes does a whole lot better with ham than it does with spam here. Many of the spam that hit BAYES_00 are outscatter. I've identified at least 3,000 of those during the last month's work on the new obfu rules. 
Now that those obfu rules are in place, I suspect those percentages will shift nicely, but we'll probably continue to get 10% of spam at Bayes_00. Yes, you're right -- we do have a lot of other tricks in use here to get them flagged as spam. :-) I hadn't realized that as many as 23 ham had hit BAYES_99. I would have guessed it was only 5 or 6. We do have a lot of negative scoring rules which pulled those down as well. All of them were valid ham marketing emails from the likes of United Airlines and Staples, which are now covered by SARE's whitelist.cf. We did have 15 FPs during this period of time, none of which will repeat because of whitelist.cf Bob Menschel
Re[3]: [SARE] obfu.cf, specific.cf updated
header.cf and specific.cf files updated. Other than correcting version numbers and dates (used next version number, 5/27 as date), the only changes are moving two rules from header0 to header1. Anyone who does manual updates and has this morning's versions in place can leave them there. If you use header0 and NOT header1, then you'll remove two rules that hit ham this month if you update header0. Also updated obfu1.cf file -- two rules added, several enhanced. Bob Menschel Thursday, May 26, 2005, 5:39:05 PM, I wrote: RM Hello Joe, RM Thursday, May 26, 2005, 7:37:55 AM, you wrote: JZ Can someone get the file specific information straight for JZ those of us who download manually? ... RM Sure, someone could. Apparently not me. :-) RM Anyone got a good secretary available? RM Bob Menschel
Re: Re[4]: Is Bayes Really Necessary?
Bob, The Staples mention was of interest since I get their weekly ads to an account here. The very last one hit BAYES_50, but all the others were from BAYES_00 to (from a 3.0.1 install) BAYES_44. - Most were BAYES_20 (I looked back 4 months - how long that account's mail is kept locally; I could check archives for 10 years, but I think I've only been getting the Staples ads for about 4 years). All scored between .5 and 2.1 points.
I've seen a few ads from other vendors come much closer to the limit on the accounts used (all vendors advertising intended for me goes to unique email addresses, but they get collected by aliases in groups by industry and use - e.g. Staples ads don't go to the same mailbox as ads for NLOS telecom gear). Oddly, some of the most obscure technical items often score the highest; There definitely is a `style' issue at work. It appears that both some legitimate companies and people who write copy that looks like spam and some spammers are good at generating messages that seem to be ham to bayes.
Paul Shupak [EMAIL PROTECTED]
P.S. The last Staples ad was from this Monday, May 23 and (for me) hit:
    score=0.5 required=5.0 tests=AWL,BAYES_50,EXCUSE_10, HTML_90_100,HTML_IMAGE_RATIO_04,HTML_MESSAGE,REMOVE_PAGE, URIBL_RHS_ABUSE,URI_REDIRECTOR
I'd be curious if this was the same one that hit 99 for you (I had only one 44 and most were 10 or 20).
RE: Expiry issues, SPF, Trusted path and more
Where can I get the latest version for windows? Will this do: http://search.cpan.org/~freeside/Mail-SPF-Query-1.997/
When I do:
    F:\Perl\bin>ppm verify --upgrade Mail-SPF-Query
I get:
    Package 'Mail-SPF-Query' is up to date.
Thanks
Ben
-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: 27 May 2005 01:17
To: Ben Wylie
Cc: users@spamassassin.apache.org
Subject: Re: Expiry issues, SPF, Trusted path and more
Ben Wylie wrote:
Now that I have got my trusted networks sorted out, may I ask this question again?
Secondly it appears that even when it has all the information to do the spf check, it can't find the module. I thought i had installed it, and when i go to f:\perl\bin and run ppm install Mail-SPF-Query it says:
    F:\Perl\bin>ppm install Mail-SPF-Query
    Version 1.6 of 'Mail-SPF-Query' is already installed. Remove it, or use 'verify --upgrade Mail-SPF-Query'
I'm not sure why it's not spitting out the message, but 1.6 won't cut it. To quote the source code of SPF.pm:
    Mail::SPF::Query 1.996 or later required, this is $Mail::SPF::Query::VERSION\n
That message should appear right above the debug line you do get:
    debug: SPF: cannot load or create Mail::SPF::Query module
Re: Is Bayes Really Necessary?
From: Matt Kettler [EMAIL PROTECTED]
(Sneaky one you are - you got around my Reply-To markup for this list. For that you get an extra copy. {^_-})
jdow wrote:
One way to keep Bayes from running is to never train it. {^_^}
You'd also disable autolearning. By default SA will eventually autolearn enough email to begin using bayes. (and often these pure auto-learn only DBs end up with very bad results.)
I said what you could do. I left how as an exercise for the student. I figure if he tries without Bayes for awhile (kill all training and move the bayes database into a corner somewhere that SA cannot find) he may find his one true answer for his question.
{^_-} - Self has determined for her situation Bayes is necessary.
Re: Is Bayes Really Necessary?
From: List Mail User [EMAIL PROTECTED]
Though nobody seems to have said it exactly this way: It seems to be becoming very obvious that the people who say they have problems with Bayes are those who support a diverse group of users (e.g. ISPs and email providers) and those who find it works well, even with autolearning are those with either small numbers of users or users who are mostly of a very specific categorization type (e.g. medical, legal, technical, or just about any homogenous group).
I suspect you are right, Paul. And I restrict the group a little farther to suggest it is large ISPs with diverse customer bases and global Bayes who have the most trouble. Per user Bayes, a good set of SARE rules, and significantly widened autolearn thresholds from base install levels may be their solution. Global Bayes is probably the ISP poison proposition. And autolearn with normal thresholds is probably further poison.
But then, I run manual learn, private Bayes, and LOTS of rules. (40 sets of SARE rules plus my own largish set of rules that apply to me but not others works nicely along with the private Bayes)
{^_-}
Re: Is Bayes Really Necessary?
From: Jim Maul [EMAIL PROTECTED] Gotta stop smokin the green ;) Yeah, it's better if you shovel the random greens you find into the compost pit. Not many people will look for them in a compost pit when they get reported as missing persons. {O,o}
Re: [SARE] Whitelist.cf updated
On Thursday, May 26, 2005, 5:58:02 PM, Robert Menschel wrote: JC 2. Would they be appropriate to whitelist (i.e. exclude from JC listing) in SURBLs? Unlikely, since the web sites mentioned in the emails are rarely the same as the From address or routing server. However, the primary web sites within those emails might be good candidates for the SURBL whitelist. Bob Menschel Fair enough. You don't happen to have a list of those corresponding websites do you? :-) Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: Custom Black list question
I have a custom black list with rules like : blacklist_from [EMAIL PROTECTED] How can one make sure these rules are picked up by spamassassin as these emails are still getting through You don't say if there are any indications of whether these rules are hitting and the mail is still getting through, or if they are not hitting at all. The rules should be in an *.cf file in the normal place for rules files on your system; ie: wherever local.cf is, for instance. You should run lint to make sure you don't have a problem somewhere. One lint error near the front of a rules file can blow out the rest of the file. If running spamd, you need to restart it after installing new rules. This goes for various other methods of integrating SA also, but it depends on how you are doing it, which you didn't say. Loren
Re: Re[2]: [SARE] obfu.cf, specific.cf updated
Sorry. If I'm not bitching, I'm not happy.
Robert Menschel [EMAIL PROTECTED] 5/26/2005 8:39 PM
Hello Joe,
Thursday, May 26, 2005, 7:37:55 AM, you wrote:
JZ Can someone get the file specific information straight for
JZ those of us who download manually? ...
Sure, someone could. Apparently not me. :-)
Anyone got a good secretary available?
Bob Menschel
Whitelisting Word or Phrases
Hi, is it possible to whitelist words or phrases? In my blacklist I've got most of the freemailer addresses like hotmail, gmx, lycos and so on. But sometimes I get eBay responses or online contacts from people who use freemail addresses. Is it possible to whitelist phrases like Ebay antwort or online kontakt ... ?
Thanks
Peter
Re: Whitelisting Word or Phrases
it is possible to whitelist phrases like Ebay antwort or online kontakt ... ?
Depends on what you mean by 'whitelist'. The specific answer is 'no'. The general answer is 'yes'. There is no whitelist random phrase command. But there are rules, which can look for random phrases in the body or header of a message. And you can give these rules a negative score, which will have an effect of whitelisting that word or phrase.
Be VERY wary of doing this though. If a spammer can figure out that you have a particular phrase with a negative score, they can stick that into their spams and have a free ticket to getting them to you. (And there are spammers subscribed to this list, so they are reading this message.)
All that said, you could make a rule like:
    body ONLINE_K /online kontakt/
    score ONLINE_K -1
    describe ONLINE_K Possibly from Ebay member
Loren
Re: Comparison of SA and commercial solutions
JamesDR wrote:
As far as ease of setup? When I first started with SA I was more of the doze admin than the Linux admin.
I've been doing Linux stuff since around 1996/1997 and have my own dedicated server that I get to ruin^H^H^H^play with before rolling it across work-related matters. I'd been using SpamAssassin for some time in a personal capacity and in fact it was probably one of my first suggestions at work that we use it. The typical argument of having people maintain it versus an appliance did come into play. Ironically, after many years of faithful Linux use we're going down the Exchange route and mail handling to be given over to another department. I doubt we'll see a SA Linux box there. Oh well. I'm used to disappointments over the years, so it wasn't too much of a surprise to me.
As for upkeep, SA hasn't given me much work to do to be quite honest. It pretty much runs itself and the mail server hasn't so much as bulked with the workload yet. I've never had any complaints about its ability to detect/catch spam or false positives. And has been said by a few others - you can't buy the kind of support (of which many of the appliance vendors wanted outrageous sums to be given over to them) that you get here or mostly any other public mailing list/forum/newsgroup for that matter.
M.
RE: Comparison of SA and commercial solutions
2 hours is better than an hour and a half? {O,o} (Yes, I know that you were free to do other stuff while on hold with SpamAssassin. The numbers just sort of tickled me.)
Well, of course, let's assume another 30 minutes for the second level support person to finally fix my problem. So it works out to two hours either way, but in one way I have to listen to terrible hold music and put up with the annoyance of dealing with a first level support person who blindly follows a script: Please click start. Now click Shut down. Now click on restart.
Also, while I know you were just being facetious, part of what I wanted to point out was that when you use SA you have direct access to the developers themselves along with a host of users who administer SA in real world environments. You'll never NEVER get anything like that from a proprietary vendor.
problem with split line URL's
Hi I've been attempting to get the split line URL rule working - this one..
    rawbody __LW_URI_CR1 /href=\[^]*\r[^\n]/is
    full __LW_URI_CR2 /href=\[^]*\r[^\n]/is
    meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
    score LW_URI_CR 2
    describe LW_URI_CR unescaped cr in uri
I get quite a few spams that have this kind of URL within them..
    A href=h ttp:/ /bnonfotphbjf.orgleuhpma0tq75u076lha%2Eul liful l8%2Ecom/
Which don't seem to trigger the above rule. Any ideas?
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: problem with split line URL's
Which dont seem to trigger the above rule. Any ideas?
Not really. That's my rule and it works fine here, and many other places. However, you aren't the first to say it doesn't work for them. I'm guessing you are using something other than procmail/spamd to process mail, or maybe you are running on a windows/mac box?
My guess is that something is taking the bare cr characters and helpfully either changing them to actual newlines or sticking newlines before or after them. Since I specifically check for a bare \r character rather than \r\n, if something is decorating the \r characters the rule won't fire.
Just for grins try changing the rule to something like this and see if it works, and let us know:
    rawbody __LW_URI_CR1 /href=\[^]*\r\n?/is
    full __LW_URI_CR2 /href=\[^]*\r\n?/is
    meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
    score LW_URI_CR 2
    describe LW_URI_CR unescaped cr in uri
Loren
whitelist
I think i may be overlooking something to do with the white list here... I like a lot of you regularly get SA list traffic being diverted to the junk folder.. mydomain.com as a main focus in our examples... So step in whitelist_from
Running sitewide (atm) for a university (may soon switch to departmental scanning... but in the local.cf file i have the following
    whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] *.apache.org *.exim.org
but list traffic is still coming in with spammy scores...
    /usr/share/spam../50_sco... score USER_IN_WHITELIST -100.000
what gives???
-- Regards Ronan McGlue Info. Services QUB
Re: problem with split line URL's
Loren ok I've added the alternative in with a slightly different name so I've got both in the setup. I note that if I run spamassassin -D test.eml on an example the rules don't fire either, so I don't think it's MailScanner getting in the way. Running SA 3.0.3 (from CPAN) with perl 5.8.5 (from the FreeBSD ports tree) running on FreeBSD 4.10 if that's of any use.
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
Loren Wilton wrote:
Which dont seem to trigger the above rule. Any ideas?
Not really. That's my rule and it works fine here, and many other places. However, you aren't the first to say it doesn't work for them. I'm guessing you are using something other than procmail/spamd to process mail, or maybe you are running on a windows/mac box?
My guess is that something is taking the bare cr characters and helpfully either changing them to actual newlines or sticking newlines before or after them. Since I specifically check for a bare \r character rather than \r\n, if something is decorating the \r characters the rule won't fire.
Just for grins try changing the rule to something like this and see if it works, and let us know:
    rawbody __LW_URI_CR1 /href=\[^]*\r\n?/is
    full __LW_URI_CR2 /href=\[^]*\r\n?/is
    meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
    score LW_URI_CR 2
    describe LW_URI_CR unescaped cr in uri
Loren
Re: problem with split line URL's
Loren Wilton wrote:
Which dont seem to trigger the above rule. Any ideas?
Not really. That's my rule and it works fine here, and many other places. However, you aren't the first to say it doesn't work for them. I'm guessing you are using something other than procmail/spamd to process mail, or maybe you are running on a windows/mac box?
My guess is that something is taking the bare cr characters and helpfully either changing them to actual newlines or sticking newlines before or after them. Since I specifically check for a bare \r character rather than \r\n, if something is decorating the \r characters the rule won't fire.
Just for grins try changing the rule to something like this and see if it works, and let us know:
    rawbody __LW_URI_CR1 /href=\[^]*\r\n?/is
    full __LW_URI_CR2 /href=\[^]*\r\n?/is
    meta LW_URI_CR __LW_URI_CR1 || __LW_URI_CR2
    score LW_URI_CR 2
    describe LW_URI_CR unescaped cr in uri
Loren
Loren yup I'm using MailScanner to drive SA. I'll try your alternative and see how we get on...
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
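The bare CR versus CRLF point made in this thread, as an added example that is not part of the original messages and not the LW_URI_CR rule itself. The two patterns, the double-quoted href assumption and the sample bodies are constructed for illustration; the block shows a strict bare-CR check going silent once a mail-path component rewrites CR to CRLF, and the relaxed form also firing on an href that was merely wrapped.

```python
import re

# Patterns are this example's own (they assume double-quoted href values);
# they are not the regexes of the LW_URI_CR rule discussed in the thread.
# Strict: a CR inside the href value that is NOT followed by LF.
BARE_CR = re.compile(rb'href="[^"]*\r(?!\n)', re.IGNORECASE)
# Relaxed: any CR inside the href value, with or without a following LF.
ANY_CR = re.compile(rb'href="[^"]*\r\n?', re.IGNORECASE)


def normalize_line_endings(raw: bytes) -> bytes:
    """Simulate a mail-path component that turns every bare CR into CRLF."""
    return re.sub(rb"\r(?!\n)", b"\r\n", raw)


def href_cr_findings(raw: bytes) -> dict:
    """Report which of the two patterns fire on a raw message body."""
    return {
        "bare_cr": BARE_CR.search(raw) is not None,
        "any_cr": ANY_CR.search(raw) is not None,
    }


# Constructed samples (not taken from real mail).
SPLIT_URL = b'<html><body><A href="h\rttp://example.invalid/offer">x</A></body></html>\r\n'
WRAPPED_URL = b'<a href="http://example.org/a\r\n/b">wrapped link</a>\r\n'
CLEAN_URL = b'<a href="http://example.org/">plain link</a>\r\n'

if __name__ == "__main__":
    cases = [
        ("split URL, untouched", SPLIT_URL),
        ("split URL, CR rewritten to CRLF", normalize_line_endings(SPLIT_URL)),
        ("href wrapped with CRLF", WRAPPED_URL),
        ("clean href", CLEAN_URL),
    ]
    for name, body in cases:
        print(f"{name:34s} {href_cr_findings(body)}")
```

To see what actually reaches the rule engine, run the same check on the message as stored after every gateway in the path, not on the copy the sender produced.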
Re: whitelist
I may well be wrong, but I didn't think you could put more than one host identifier on a single whitelist_from command. So what you showed would take 4 lines.
    whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] *.apache.org *.exim.org
    whitelist_from [EMAIL PROTECTED]
    whitelist_from [EMAIL PROTECTED]
    whitelist_from *.apache.org
    whitelist_from *.exim.org
Loren
RE: Comparison of SA and commercial solutions
2 hours is better than an hour and a half? {O,o} (Yes, I know that you were free to do other stuff while on hold with SpamAssassin. The numbers just sort of tickled me.)
Well, of course, let's assume another 30 minutes for the second level support person to finally fix my problem. So it works out to two hours either way, but in one way I have to listen to terrible hold music and put up with the annoyance of dealing with a first level support person who blindly follows a script: Please click start. Now click Shut down. Now click on restart.
Also, while I know you were just being facetious, part of what I wanted to point out was that when you use SA you have direct access to the developers themselves along with a host of users who administer SA in real world environments. You'll never NEVER get anything like that from a proprietary vendor.
I have an interesting experience about MS: I have been using MS money (no jokes, please!) for years. Out of nowhere, I noticed it was reporting mad numbers about projected future budget in one or some of its built-in reports. Then, I had the wonderful idea to call MS support. I told them all info about my issue and it took a week or two for them to call me back (or I had to call them again, don't recall now). So, I was told only way to try to solve it was sending them my money file (5 years of all my transactions, investments, savings etc etc). NO WAY!! A few days later - not believing they don't have the answer - I found the issue/solution I had in their knowledge base.
The point is:
1. I support open source because I believe many of the solutions are much more stable and better in a general way than many, many commercial solutions - forget about those highly customized appliance using OS code.
2. There was never a problem I had that I wasn't able to solve posting to some list or searching for it.
3. I completely agree with commercial support that *really* works (does this exist?). 
Most of products/solutions - IT only, of course - have a support cost inside final product price. They charge you for that, but I haven't seen any good feedback when I needed it. (From my experience it was about 4-5 calls in my entire life! Never got a definitive answer for them...I found all answers browsing the web or testing myself)
Because of answers I got from my post, we have that open source or SA itself is not visible to the market (MS market...you name it) as a solution to problems. You need to have it embedded in a solution for all your spam problems with 0 false positives guaranteed for someone to take it seriously. Unfortunately, I *need* to mention that open source is still in the hands of technicians (like me and many of you, I am sure ) all around and not really going into corporate/market *with reliability*. If they, out there, would take SA and open source as a serious, mature, stable etc solution they MUST SEE it as a real competitor to many appliance and spam engines available.
Sorry folks, because I am quite frustrated that such comparison did never take place.
Regards.
[Fwd: My OECD paper on spam]
Original Message
Subject: My OECD paper on spam
Date: Fri, 27 May 2005 18:21:00 +0530
From: Suresh Ramasubramanian [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Downloadable from http://www.oecd.org/dataoecd/5/47/34935342.pdf
This is linked from the OECD antispam toolkit page, as part of section 8 of the antispam toolkit (Outreach) http://www.oecd.org/sti/spam/toolkit/
Element 8 - Outreach
Due to the international nature of spam, it is critical that the Toolkit have a global reach. The OECD is working in collaboration with ITU, APEC and APECTel, and with many OECD non-member economies. Further contributions and comments from all stakeholders are called for and appreciated.
Comments and suggestions appreciated
Operational - mentions a whole lot of things that are of concern to operators worldwide .. starting from whois and rDNS to sending people to attend NOG meetings, getting help from PCH / NSRC etc.
regards -srs
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
RE: whitelist
Ronan, whitelist_from hits on the from header. This list sets the from header to the person sending the email (as it should). Therefore your whitelist_from entries won't work as you have them. I use whitelist_from_rcvd instead. This is my entry for this list:
    whitelist_from_rcvd [EMAIL PROTECTED] apache.org
There might be a better way, but I'm not worried about getting spam from any of apache.org servers.
Kris
-Original Message-
From: Ronan McGlue [mailto:[EMAIL PROTECTED]
Sent: Friday, May 27, 2005 7:39 AM
To: users@spamassassin.apache.org
Subject: whitelist
I think i may be overlooking something to do with the white list here... I like a lot of you regularly get SA list traffic being diverted to the junk folder.. mydomain.com as a main focus in our examples... So step in whitelist_from
Running sitewide (atm) for a university (may soon switch to departmental scanning... but in the local.cf file i have the following
    whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] *.apache.org *.exim.org
but list traffic is still coming in with spammy scores...
    /usr/share/spam../50_sco... score USER_IN_WHITELIST -100.000
what gives???
-- Regards Ronan McGlue Info. Services QUB
Re: Custom Black list question
At 11:19 AM 5/27/2005, Philip Wege wrote: I have a custom black list with rules like : blacklist_from [EMAIL PROTECTED] How can one make sure these rules are picked up by spamassassin as these emails are still getting through Hmm, sounds like the blacklist isn't matching. blacklist_from should give +100. Can you post an X-Spam-Status header from one that got through?
Logfile analyzer
Can anyone recommend a good logfile analyzer for Spamassassin?
embedded image spams
Hi I have been bugged a lot by embedded image spams recently, although some of these spams got trapped due to URI checks, some managed to pass as well as the url wasn't yet blocked in the SURBLs. I probably found something that I wanted to share with you guys and try and see if we can trap those spams further on the basis of that.
I have classified those embedded image spams into two classes. Class 1 of image of full list of viagra and other meds and Class 2 of image of one liner information on cheap softwares or viagra. I was thinking of if possibly we can understand a common pattern and try and make a ruleset on top of that so that we don't have to wait for updates at URIbl, then it would be really something good.
These image only spams apparently have a problem that we can trap on :). The loophole is in most of the cases the message id of the mail and the content id or cid of the embedded image is exactly same. For e.g.
    Message-ID: [EMAIL PROTECTED]
    Content-ID: [EMAIL PROTECTED]
some variations also had something like this
    Message-ID: [EMAIL PROTECTED]
    Content-ID: sivjxu_onzvh_dzdohvo
But that's applicable to class1 of the spams and in class 2 which are just images containing oneliners has some variations. In some cases the content id is smartly tampered but again there is a loophole and here is an example of that
    Message-ID: [EMAIL PROTECTED]
    Content-ID: [EMAIL PROTECTED]
the message id and the content id both contain the domain name of the sending server.
And a valid mail that had embedded image in it but was sent from outlook had details something like this
    From Outlook
    Message-ID: [EMAIL PROTECTED]
    Content-ID: [EMAIL PROTECTED]
Frankly I haven't seen how content id appears when images are embedded using other valid email clients like netscape or thunderbird. 
But if we compare the above set of patterns, what appears is tht if a image is embedded using a client like outlook then @ appears in the content id of the attachment but the latter part of @ is not the domain name, but has the name of the attachment itself and the messageid is different from the content id, whereas incase of the spammers content ids that appear are either exactly same to tht of the message id, or doesnt have a @ or has the domain name of the server as a latter part of the @ in content id. So my question is can we have rulesets in spamassassin that can compare the sending host domain with the latter part of @ of content id or look for @ in the content id. Any suggestions ? comments ? -- Regards, Rakesh B. Pal Project Leader Emergic CleanMail Team. Netcore Solutions Pvt. Ltd. Success is how high you reach after you hit the bottom. -- Netcore Solutions Pvt. Ltd. Website: http://www.netcore.co.in Spamtraps: http://cleanmail.netcore.co.in/directory.html --
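The three Content-ID patterns described in the post above, as an added stand-alone Python sketch (not a SpamAssassin rule and not code from the thread). The sample messages are constructed, the reason labels are hypothetical names, and comparing against the Message-ID domain stands in for "the sending host domain", which is an assumption of this example.

```python
import email


def strip_id(value):
    """Header value without surrounding whitespace and angle brackets."""
    return str(value or "").strip().strip("<>").strip()


def id_domain(identifier):
    """Lower-cased text after the last '@', or '' when there is no '@'."""
    return identifier.rpartition("@")[2].lower() if "@" in identifier else ""


def cid_findings(raw_bytes):
    """Return [(content_id, reason)] for image parts that match the post's patterns."""
    msg = email.message_from_bytes(raw_bytes)
    mid = strip_id(msg["Message-ID"])
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        cid = strip_id(part["Content-ID"])
        if not cid:
            continue  # image without a Content-ID: nothing to compare
        if mid and cid.lower() == mid.lower():
            findings.append((cid, "CID_EQUALS_MSGID"))
        elif "@" not in cid:
            findings.append((cid, "CID_NO_AT"))
        elif id_domain(mid) and id_domain(cid) == id_domain(mid):
            findings.append((cid, "CID_DOMAIN_EQUALS_MSGID_DOMAIN"))
    return findings


def build_sample(message_id, content_id):
    """Constructed multipart/related message carrying one tiny inline image part."""
    return (
        "From: sender@example.com\r\n"
        f"Message-ID: <{message_id}>\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        f'<img src="cid:{content_id}">\r\n'
        "--b1\r\n"
        "Content-Type: image/gif\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        f"Content-ID: <{content_id}>\r\n"
        "\r\n"
        "R0lGODlhAQABAAAAACw=\r\n"
        "--b1--\r\n"
    ).encode("ascii")


# Constructed samples; only the '@'-less Content-ID value is taken from the post.
SAMPLES = {
    "class1_same": build_sample("k3j2h1@mx.bulk.example", "k3j2h1@mx.bulk.example"),
    "class1_no_at": build_sample("k3j2h1@mx.bulk.example", "sivjxu_onzvh_dzdohvo"),
    "class2_same_domain": build_sample("20050527.0001@mx.bulk.example",
                                       "img77@mx.bulk.example"),
    "outlook_style": build_sample("000001c562a1$1a2b@desktop01",
                                  "image001@logo.gif.01C562A1"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, cid_findings(raw))
```

The post only compared against mail sent from Outlook, so run this over a ham corpus from other mail clients before turning any of the three findings into a score.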
Re: Comparison of SA and commercial solutions
On 5/27/05, aecioneto [EMAIL PROTECTED] wrote: 2 hours is better than an hour and a half? {O,o} (Yes, I know that you were free to do other stuff while on hold with SpamAssassin. The numbers just sort of tickled me.) Hi there, Any idea how many 'commercial solutions' depend on SA ? Regards.
RE: Logfile analyzer
-Original Message- From: Jon Gray [mailto:[EMAIL PROTECTED] Sent: Friday, May 27, 2005 9:25 AM To: SpamAssassin Users Subject: Logfile analyzer Can anyone recommend a good logfile analyzer for Spamassassin? Depends on what you want to analyze. One of the ninjas wrote a great script to parse the logs and show rule hit statistics. If you are looking for that I can see if I can find it my vast archive of ninja info. Let me know. There is also errdang brain can't remember sastats? Shows all your basic stats. Sorry I can't remember the name, I threw it into a script and only remember the script name. --Chris (Finaly saw Episode III!!)
Re: SpamAssassin-3.0.3 test failure
Hi, On Wed, May 25, 2005 at 06:38:00PM -0700, Robert Menschel wrote: Hello Mark, Wednesday, May 25, 2005, 10:29:16 AM, you wrote: ... MGT I had no troubles with SpamAssassin-3.0.2, but after following the same MGT configure and build steps, I'm getting a test failure on 3.0.3, for a MGT test that is fine in 3.0.2. I've repeated clean untar, configure, make, MGT and make test for both versions, and still get this new failure on 3.0.3, MGT but not 3.0.2. This is the only test that fails on my system. ... I am pleased to report the problem is solved. I obtained and installed the latest Berkeley DB from sleepycat.org, then the perl module DB_File-1.811. This resolved the problem. Mark -- Mark G. Thomas ([EMAIL PROTECTED]) voice: 215-591-3695 http://www.misty.com/ http://mail-cleaner.com/
Re: Is Bayes Really Necessary?
OK. I misunderstood. The URIBLS are working fine. Interestingly, although I use the SARE rules and URIBLS, some spam is still slipping through. This spam is fairly obvious spam some I am a bit surprised. Should I be tweaking the scoring? MK == Matt Kettler [EMAIL PROTECTED] writes: MK Jake Colman wrote: CS == Chris Santerre [EMAIL PROTECTED] writes: CS If you are using SA 3.x, support is already included. You simply have CS to create the config file, restart spamd, and *poof* way less spam. CS Net::Dns is required. I forget which version. I forget a lot of CS stuff. What was the question? Chris, Now I'm confused. The usage page on the site says to create a simple .cf file containing a number of lines. Is that it? If I have that .cf file in my /etc/mail/spamassassin directory it will all simply work? ...Jake MK Jake, that simple cf file *should* already included by default with SA 3.0.x. MK You really shouldn't have to create a config file, or do anything at all to get MK URIBL's going. MK http://www.surbl.org/ mentions suggestions about adding rules, but most of the MK surbl lists are already built into SA 3.0. The only one that's missing is the JP MK list, which came on-line to late to make it into the 3.0 release. Add it if you MK want, but do so AFTER you get the built-in ones going. MK If the URIBLs aren't going, check these two things: MK 1) check to make sure you have /etc/mail/spamassassin/init.pre. Some MK distribution packages left this file out when they converted the tarball (oops) MK Without the init.pre, the plugin for URIBL's doesn't get loaded. MK It should have this statement in it to support URIBLs: MK loadplugin Mail::SpamAssassin::Plugin::URIDNSBL Yes, I have Net::DNS since I am already doing all the other net checks. MK 2) Just because your copy of Net::DNS works for RBLs does not mean it will work MK for the URIBLs. You need a higher version of Net::DNS to support URIBLs than you MK need for normal net checks. 
MK Check spamassassin --lint -D to see if it's complaining about the version of MK Net::DNS. -- Jake Colman Sr. Applications Developer Principia Partners LLC Harborside Financial Center 1001 Plaza Two Jersey City, NJ 07311 (201) 209-2467 www.principiapartners.com
Re: embedded image spams
On Friday, May 27, 2005, 6:24:08 AM, Rakesh Rakesh wrote: Hi I have been bugged a lot by embedded image spams recently, although some of these spams got trapped due URI checks, some managed to pass as well as the url wasn't yet blocked in the SURBLs. Please provide the URI and the timestamp it was first seen. We can use that information to see if we can get them into SURBLs sooner. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
RE: Is Bayes Really Necessary?
-Original Message- From: Jake Colman [mailto:[EMAIL PROTECTED] Sent: Friday, May 27, 2005 9:47 AM To: users@spamassassin.apache.org Subject: Re: Is Bayes Really Necessary? OK. I misunderstood. The URIBLS are working fine. Interestingly, although I use the SARE rules and URIBLS, some spam is still slipping through. This spam is fairly obvious spam some I am a bit surprised. Should I be tweaking the scoring? Need an example with header info. --Chris
Re: Logfile analyzer
Chris Santerre wrote: Can anyone recommend a good logfile analyzer for Spamassassin? Depends on what you want to analyze. One of the ninjas wrote a great script to parse the logs and show rule hit statistics. If you are looking for that I can see if I can find it my vast archive of ninja info. Let me know. pflogsumm.pl if using SA with Postfix... I also wrote a script that gives stats per domain of spam caught, if using SA with Postfix. If anyone's interested in joining my self beta-testing... Paolo -- QRPp-I #707 + www.paolocravero.tk + I QRP #476 \ Skype: pcravero /
Re: whitelist
Loren Wilton wrote:
> I may well be wrong, but I didn't think you could put more than one host identifier on a single whitelist_from command. So what you showed would take 4 lines.
>
> whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] *.apache.org *.exim.org
>
> whitelist_from [EMAIL PROTECTED]
> whitelist_from [EMAIL PROTECTED]
> whitelist_from *.apache.org
> whitelist_from *.exim.org

Nope. (Unless something has changed for 3.x.) I've successfully used multi-entry whitelist_from lines since ~2.30 or so (when I started using SA). (On the other hand, I seem to have managed to avoid any number of other odd problems that other people have reported as well. g)

whitelist_from_rcvd *is* one entry per line, due to requiring both an email address glob, and an rDNS glob or pattern.

-kgd
--
Get your mouse off of there! You don't know where that email has been!
SA Gateway - MS Exchange -- what if MSE down?
we are looking to implement SA in our environment this best describes what we want to do. [SPAM/HAM] -- [ SA GATEWAY] - [MS EXCHANGE] - system wide filtering - all user mailboxes - postfix transport - MX SEC RECORD - MX PRI record the question that was posed --- if the MS Exchange is not accessible (network issue, down for maintenance) -- what happens to the email? My best understanding is the email will be rejected as mail-server not available, as SA is a filter not an MTA and that Postfix is a check/forwarding agent (not store forward). Would I be correct in assuming, in the event that if MS Exchange was down, in order to store mail -- I would need to have a backup MTA with all the users mailboxes replicated? Thanks, Tony
RE: SA Gateway - MS Exchange -- what if MSE down?
Like Evan has stated, it just queues locally. Same for Sendmail installs. If we are talking VERY high traffic, with 1000s of users, then you better have more than one server. Or a big HD for the queue ;)

--Chris

-Original Message- From: E. Falk [mailto:[EMAIL PROTECTED] Sent: Friday, May 27, 2005 12:16 PM To: spamassassin-users@incubator.apache.org Subject: Re: SA Gateway - MS Exchange -- what if MSE down?

Hi Tony, I have this same setup, and due to the nature of Exchange it seems to go down a lot more often than the postfix box. What happens is that Postfix queues the e-mail locally and delivers it when the Exchange box comes back up. Works perfectly, no extra setup required. The mail just sits in Postfix's queue (note, it's useful to use Postfix's before-queue filtering in these cases so that all the Spamassassin work is done before it gets into the queue to avoid reprocessing the same messages later on if you requeue them).

Evan

Tony pace wrote: we are looking to implement SA in our environment this best describes what we want to do. [SPAM/HAM] -- [ SA GATEWAY] - [MS EXCHANGE] - system wide filtering - all user mailboxes - postfix transport - MX SEC RECORD - MX PRI record the question that was posed --- if the MS Exchange is not accessible (network issue, down for maintenance) -- what happens to the email? My best understanding is the email will be rejected as mail-server not available, as SA is a filter not an MTA and that Postfix is a check/forwarding agent (not store forward). Would I be correct in assuming, in the event that if MS Exchange was down, in order to store mail -- I would need to have a backup MTA with all the users mailboxes replicated? Thanks, Tony
RE: SA Gateway - MS Exchange -- what if MSE down?
Tony, Your main question has already been answered, but I noticed something in your proposed setup that concerns me. You state in your diagram that you plan to have the MSE box as the secondary MX record. This would not be a good idea. From experience, we have seen that spammers try the secondary MX first in hopes of finding a server that is not protected by a spam scanner. This obviously would not be what you want to happen. Kris -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of Tony pace Sent: Friday, May 27, 2005 10:05 AM To: users@spamassassin.apache.org Subject: SA Gateway - MS Exchange -- what if MSE down? we are looking to implement SA in our environment this best describes what we want to do. [SPAM/HAM] -- [ SA GATEWAY] - [MS EXCHANGE] - system wide filtering - all user mailboxes - postfix transport - MX SEC RECORD - MX PRI record the question that was posed --- if the MS Exchange is not accessible (network issue, down for maintenance) -- what happens to the email? My best understanding is the email will be rejected as mail-server not available, as SA is a filter not an MTA and that Postfix is a check/forwarding agent (not store forward). Would I be correct in assuming, in the event that if MS Exchange was down, in order to store mail -- I would need to have a backup MTA with all the users mailboxes replicated? Thanks, Tony
Re: SA Gateway - MS Exchange -- what if MSE down?
Additionally, I was going to point you to a great How-To on setting up just such a system, but it looks like the wiki was taken over by spammers! Here's a link to a clean version of the wiki... http://flakshack.com/anti-spam/wiki/index.php?page=FairlySecureAntiSpamWikiversion=43 Explains the whole Postfix-Spamassassin-Exchange thing, using Amavisd-new to call Spamassassin (and anti-virus if you want it to). And Chris is absolutely right... you want to carefully consider volume of traffic and amount of time you expect your Exchange server to be down before relying on just the Postfix queue. For a couple thousand messages a day I've never had a problem (even once when Exchange went down for nearly an entire weekend). Evan Chris Santerre wrote: Lik Evan has stated, it just queues locally. Same for Sendmail installs. If we a retalking VERY high traffic, with 1000s of users, then you better have more then one server. Or a big HD for the queue ;) --Chris -Original Message- From: E. Falk [mailto:[EMAIL PROTECTED] Sent: Friday, May 27, 2005 12:16 PM To: spamassassin-users@incubator.apache.org Subject: Re: SA Gateway - MS Exchange -- what if MSE down? Hi Tony, I have this same setup, and due to the nature of Exchange it seems to go down a lot more often than the postfix box. What happens is that Postfix queues the e-mail locally and delivers it when the Exchange box comes back up. Works perfectly, no extra setup required. The mail just sits in Postfix's queue (note, it's useful to use Postfix's before-queue filtering in these cases so that all the Spamassassin work is done before it gets into the queue to avoid reprocessing the same messages later on if you requeue them). Evan Tony pace wrote: we are looking to implement SA in our environment this best describes what we want to do. 
[SPAM/HAM] -- [ SA GATEWAY] - [MS EXCHANGE] - system wide filtering - all user mailboxes - postfix transport - MX SEC RECORD - MX PRI record the question that was posed --- if the MS Exchange is not accessible (network issue, down for maintenance) -- what happens to the email? My best understanding is the email will be rejected as mail-server not available, as SA is a filter not an MTA and that Postfix is a check/forwarding agent (not store forward). Would I be correct in assuming, in the event that if MS Exchange was down, in order to store mail -- I would need to have a backup MTA with all the users mailboxes replicated? Thanks, Tony
RE: SA Gateway - MS Exchange -- what if MSE down?
Kristopher Austin wrote: You state in your diagram that you plan to have the MSE box as the secondary MX record. This would not be a good idea. From experience, we have seen that spammers try the secondary MX first in hopes of finding a server that is not protected by a spam scanner. This obviously would not be what you want to happen. Bingo. I have a similar setup in place (s/postfix/sendmail/) and I don't have my Exchange box listed as an MX at all. I also have port 25 to the Exchange box firewalled off at the router to avoid portscanning. I do allow remote users to send via the Exchange server, using SMTP AUTH, but I'd recommend using port 587 or port 2525 for this. -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
Re: Comparison of SA and commercial solutions
Lima Union writes:
> On 5/27/05, aecioneto [EMAIL PROTECTED] wrote: 2 hours is better than an hour and a half? {O,o} (Yes, I know that you were free to do other stuff while on hold with SpamAssassin. The numbers just sort of tickled me.) Hi there, Any idea how many 'commercial solutions' depend on SA ?

The Wiki page http://wiki.apache.org/spamassassin/CommercialProducts lists a whole bunch. Anything listed there uses SpamAssassin, as that's a condition of listing ;)

--j.
70_sare_header.cf dupe
Checking for duplicate rules using the following command,

cat *.cf | awk '/^score/ {print $2}' | sort | uniq -c | sort -nr | awk '{if ($1 > 1) print $0}' | more

I found the following duplicate:

# grep -n SARE_MSGID_LONG50 * | grep score
70_sare_header.cf:965:score SARE_MSGID_LONG50 1.666
70_sare_header.cf:2637:score SARE_MSGID_LONG50 1.666

-- I got an 'undeliverable' email when trying to send to [EMAIL PROTECTED], the email referenced in the cf file.

-Original Message- From: Dawson, Donald Sent: Friday, May 27, 2005 11:45 AM To: '[EMAIL PROTECTED]' Subject: 70_sare_header.cf dupe

Donald Dawson
Database Admin
Baker Botts L.L.P.
713-229-2183
Re: Comparison of SA and commercial solutions
David B Funk wrote: Yes, but don't forget, while Kevin was on hold waiting for his SA support message -he- got to pick the music that he listened to rather than being forced to listen to the commercial vender's 'elevator muzak' and ads, makes the price all the easier to take. ;) That probably makes SA worth it in employee mental health alone... :-D -- Kelson Vibber SpeedGate Communications www.speed.net
Do we need a Joe job bounce message blacklist?
My domain geekster.com has been Joe jobbed for the last couple of weeks. In spite of the fact that I responsibly created SPF records for my domain, I am getting flooded with bounce messages from other mail systems that don't understand most spam from addresses are forged. Fortunatly AOL seems to have wizened up since the last time this happened to me. It seems to me that email domains that email such bounce messages or spam fighting techniques that send back a confirmation message are now part of the problem rather than the solution, but since the confirmation messages do shield THEIR users from spam they don't care what it's doing to the rest of us. I'm wondering if a blacklist of known domains which send out stupid bounce messages or confirm emails would provide some incentive for cleaning them up. Any thoughts? Steve
Re: Comparison of SA and commercial solutions
Lima Union wrote: Any idea how many 'commercial solutions' depend on SA ? The Barracuda does IIRC and doesn't MessageLabs also use SA (amongst other things)? Regards, Martyn
Re: SA Gateway - MS Exchange -- what if MSE down?
Tony pace wrote: Thanks for all the input. The diagram was simplistic - the real MSE is a couple layers away. One thing that no one has mentioned is that it's vitally important that the edge gateway (the postfix system) have a way of knowing what users are valid. Otherwise you will end up with a lot of invalid user bounces caused by dictionary spammers, which will either linger in your queue or create backscatter spam. At work, where I have Exim - Exchange 5.5, I have Exim do an LDAP lookup to determine whether a user is valid. There are other ways to do it, though.
Re: dynamic IP range and good RBL?
list most of dynamic IPs not just the dynamic IPs sending spam. Ing. Alejandro Rodriguez Gerente Tecnico Cybercom Ryan L. Sun wrote: Does "dul.dnsbl.sorbs.net" list all the dynamic IPs? Or just the dynamic IPs which fall in spamtrap? Thanks. On 5/25/05, Ing. Alejandro Rodriguez [EMAIL PROTECTED] wrote: I have the same problem that you, with dsbl, record are keep over years, and the delist process is complex. So most of unskilled Net Admin never take care of this list. IMHO the dynamic IPs list is dul.dnsbl.sorbs.net In fact I'm rejecting mails at SMTP conection time using, sbl-xbl.spamhaus.org bl.spamcop.net dul.dnsbl.sorbs.net with this I'm rejecting 90% of the spam without a single complain. Ing. Alejandro Rodriguez Gerente Tecnico Cybercom Ryan L. Sun wrote: Hi, all I am using spamhaus sbl+xbl RBL and dsbl RBL. It seems they got too much false positive, especially dynamic IPs. Do you guys know how can I get all the dynamic IP range on internet, or is that possible? Any other RBL suggestion? False positive is critical to me. I can accept 40% catch ratio using a RBL with as low as possible false positive. Thanks. -Ryan
Re: Do we need a Joe job bounce message blacklist?
On Fri, May 27, 2005 at 12:16:52PM -0500, [EMAIL PROTECTED] wrote: I think this is an awesome idea! I hate getting stupid emails about how my spam or virus was rejected from someone I've never heard of. I can't very well be sending out Outlook viruses from a Linux box! It's just adding to the problem of wasting bandwidth with worthless mail. You could probably do this with a SA rule. I do it with MIMEDefang milter. If an email is from <> or MAILER-DAEMON then I check the mail for a line that looks like /^Received.*one.of.our.ip.addresses/. If it doesn't have the line, then I reject the mail with a 554 and Bounced message did not originate here. This has eliminated all the bogus bounces of spam and bogus virus alerts. I think virtually all MTAs include original message headers when bouncing (even the ones that are sending the bogus spam and virus bounces) so we haven't had any issues with this for the 6 months we've been doing it. Theoretically a legitimate bounce that didn't include the original message headers would be rejected, but then it should end up with the postmaster of the original bouncer and they will see the cause of the error and fix their MTA. But if that has happened to us, no one has complained.

Matt

--
Matthew S. Cramer [EMAIL PROTECTED]
Infrastructure Security Analyst
Armstrong World Industries, Inc.
Office: 717-396-5032
Fax: 717-396-5590
Cell: 717-917-7099
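The bounce check described in the post above, as an added Python sketch; it is not the poster's MIMEDefang filter. It assumes the bounce senders are the null envelope sender `<>` and MAILER-DAEMON, uses documentation-range addresses as the site's relay IPs, and searches only the bounce body so that the bounce's own trace headers cannot satisfy the test. All sample messages are constructed.

```python
import re

# Assumption: our outbound relay addresses (RFC 5737 documentation range).
OUR_RELAY_IPS = ("192.0.2.10", "192.0.2.11")
REJECT_TEXT = "Bounced message did not originate here"


def is_bounce_sender(envelope_sender):
    """True for the null sender or a MAILER-DAEMON local part."""
    s = envelope_sender.strip().strip("<>").lower()
    return s == "" or s.partition("@")[0] == "mailer-daemon"


def quoted_lines(raw_bytes):
    """Body lines of the bounce, with folded header continuations joined."""
    text = raw_bytes.decode("latin-1").replace("\r\n", "\n")
    body = text.partition("\n\n")[2]  # skip the bounce's own header block
    lines = []
    for line in body.split("\n"):
        if line[:1] in (" ", "\t") and lines and lines[-1]:
            lines[-1] += " " + line.strip()  # continuation of a folded header
        else:
            lines.append(line)
    return lines


def received_pattern(ips):
    """Regex for a Received line naming one of our IPs as a whole address."""
    alternatives = "|".join(re.escape(ip) for ip in ips)
    return re.compile(r"^Received:.*(?<![\d.])(?:%s)(?!\.?\d)" % alternatives,
                      re.IGNORECASE)


def bounce_verdict(envelope_sender, raw_bytes, our_ips=OUR_RELAY_IPS):
    """Return (smtp_code, text) following the rule described in the post."""
    if not is_bounce_sender(envelope_sender):
        return (250, "not a bounce, rule not applied")
    pattern = received_pattern(our_ips)
    if any(pattern.match(line) for line in quoted_lines(raw_bytes)):
        return (250, "bounce quotes a Received line from our relay")
    return (554, REJECT_TEXT)


def sample_bounce(quoted_received):
    """Constructed plain-text bounce; its own trace header names our relay on purpose."""
    return (
        "Received: from mx.remote.example by mail.ourdomain.example (192.0.2.10)\r\n"
        "From: MAILER-DAEMON@mx.remote.example\r\n"
        "Subject: Undelivered Mail Returned to Sender\r\n"
        "\r\n"
        "Delivery failed. Headers of the original message follow.\r\n"
        "\r\n"
        + quoted_received +
        "From: someone@ourdomain.example\r\n"
        "Subject: hello\r\n"
    ).encode("ascii")


# Constructed: the original really left through 192.0.2.10 (IP on a folded line).
GENUINE = sample_bounce(
    "Received: from mail.ourdomain.example\r\n"
    "\t(mail.ourdomain.example [192.0.2.10]) by mx.remote.example;\r\n"
    "\tFri, 27 May 2005 12:00:00 -0500\r\n")
# Constructed: forged sender; 192.0.2.100 must not match 192.0.2.10.
FORGED = sample_bounce(
    "Received: from pc (unknown [203.0.113.77]) by mx.remote.example;\r\n"
    "\tFri, 27 May 2005 12:00:00 -0500\r\n"
    "Received: from relay (relay [192.0.2.100]) by pc\r\n")

if __name__ == "__main__":
    print(bounce_verdict("<>", GENUINE))
    print(bounce_verdict("<>", FORGED))
```

A bounce whose quoted headers are base64-encoded or omitted gets the 554 here, which is the trade-off the post itself accepts for legitimate bounces without original headers.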
Re: 70_sare_header.cf dupe
- Original Message - From: [EMAIL PROTECTED]

Checking for duplicate rules using the following command,

cat *.cf | awk '/^score/ {print $2}' | sort | uniq -c | sort -nr | awk '{if ($1 > 1) print $0}' | more

I found the following duplicate:

# grep -n SARE_MSGID_LONG50 * | grep score
70_sare_header.cf:965:score SARE_MSGID_LONG50 1.666
70_sare_header.cf:2637:score SARE_MSGID_LONG50 1.666

--

I also found dups for:

VIRUS_WARNING436 - in bogus-virus-warnings.cf - (typo in score name)
VIRUS_WARNING202 - in bogus-virus-warnings.cf - (two different rules)
SARE_OBFU_BUY_SUB - in 70_sare_obfu.cf - (two different rules)

Bill
RE: 70_sare_header.cf dupe
I sent an email to '[EMAIL PROTECTED]' about those first two (VIRUS_WARN...)

-Original Message- From: Bill Landry [mailto:[EMAIL PROTECTED] Sent: Friday, May 27, 2005 12:47 PM To: users@spamassassin.apache.org Subject: Re: 70_sare_header.cf dupe

- Original Message - From: [EMAIL PROTECTED]

Checking for duplicate rules using the following command,

cat *.cf | awk '/^score/ {print $2}' | sort | uniq -c | sort -nr | awk '{if ($1 > 1) print $0}' | more

I found the following duplicate:

# grep -n SARE_MSGID_LONG50 * | grep score
70_sare_header.cf:965:score SARE_MSGID_LONG50 1.666
70_sare_header.cf:2637:score SARE_MSGID_LONG50 1.666

--

I also found dups for:

VIRUS_WARNING436 - in bogus-virus-warnings.cf - (typo in score name)
VIRUS_WARNING202 - in bogus-virus-warnings.cf - (two different rules)
SARE_OBFU_BUY_SUB - in 70_sare_obfu.cf - (two different rules)

Bill
Re: SA Gateway - MS Exchange -- what if MSE down?
Frank Coons wrote: Does Exim allows LDAP queries across a DMZ or do both machines need to be either inside or outside the DMZ for it to work? I've never tried it, but it's just a TCP connection. As far as I know it should work, as long as the firewall is not blocking the connection. I use the same method, but my Perl script will not send LDAP queries back and forth across a DMZ even if I have opened up every port. Are you sure the LDAP server doesn't have some kind of restriction set on what IP addresses are allowed to connect?
Re: SA Gateway - MS Exchange -- what if MSE down?
David Brodbeck wrote: Frank Coons wrote: Does Exim allows LDAP queries across a DMZ or do both machines need to be either inside or outside the DMZ for it to work? Exim (and anything else) shouldnt care if one machine is in the DMZ. They dont both need to be in the DMZ to work. However, DMZ is a one way setup. Machines in the DMZ can not access anything behind or in front of the firewall, but machines behind the firewall should be able to contact the machine in the DMZ. It really depends on the setup of the firewall device. I've never tried it, but it's just a TCP connection. As far as I know it should work, as long as the firewall is not blocking the connection. I use the same method, but my Perl script will not send LDAP queries back and forth across a DMZ even if I have opened up every port. Back and forth may not work for reasons explained above. However if the internal (behind the firewall) machine opens a connection to the DMZ machine, data should be able to flow back and forth over that connection. However the DMZ machine will not be able to open a connection to anything else. Are you sure the LDAP server doesn't have some kind of restriction set on what IP addresses are allowed to connect? -Jim
whitelist
Where I can find docs for local.cf and usaer_templates rules and tests. For instance, I have added some whitelist entries like this, whitelist_from_rcvd [EMAIL PROTECTED]google.com which is not working. The spam score is 5.0/5.0 so it is still tagged. Thanks, Craig Jackson
Re: Comparison of SA and commercial solutions
Eric A. Hall wrote: Every filtering system requires admin time, and if the reviews don't say as much then they're junk. There is a critical difference with SA, however, which is that the admins need to be proficient at stuff like CPAN, Perl, etc., while some of the packaged offerings provide simple click-the-button GUI, and those can have significantly lower salary associations. I know next to nothing about Perl, and trying to grok someone elses Perl makes my eyes bleed, and I have a rather bad-ass little SA box filtering mail like a banshee. It was easy to install... apt-get install exim4-daemon-heavy spamassassin clamav-daemon razor Debian is your friend. :) However, you make a good point. Setting up a box takes at least a little *nix knowledge, or at least the ability to look for good documentation and learn quickly. There are many howtos out there that can pretty much bring a newbie up to speed in a matter of hours. One thing that is definitely missing is a Linux-based CD-bootable distro that creates a mail filtering gateway, similar to some of the firewall distros (IP-Cop, for example). I won't even get into the whole salary association thing, I work at a private school, so I'm already on the low-end of the pay scale. Can't beat the hours, though. - S
Turn off AWL
I'd like to turn off AWL. I remember there used to be a switch in SA to do this but it's not there any more. I start spamd with -x -L Thanks, Craig Jackson
RE: Comparison of SA and commercial solutions
Steven Dickenson wrote: Eric A. Hall wrote: simple click-the-button GUI, apt-get install exim4-daemon-heavy spamassassin clamav-daemon razor Steven, I don't think you give yourself enough credit :) -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
Re: Comparison of SA and commercial solutions
Martyn Drake wrote: Ironically, after many years of faithful Linux use we're going down the Exchange route and mail handling to be given over to another department. I doubt we'll see a SA Linux box there. Oh well. I'm used to disapointments over the years, so it wasn't too much of a surprise to me. You might be able to get your security group to take responsibility for it. Many enterprises now consider first-line email servers something of an application-level proxy, particularly first-line servers that handle spam and malware filtering. In these cases, they're usually handled by the security department. I would imagine given the choice of an Exchange front-end server vs. a Linux-based SMTP gateway, they'd jump for the later. - S
Re: Turn off AWL
Craig Jackson wrote:
> I'd like to turn off AWL. I remember there used to be a switch in SA to do this but it's not there any more. I start spamd with -x -L

It was moved to the configuration files in v3. Put

use_auto_whitelist 0

in your local.cf.

- S
Re: whitelist
Ronan McGlue wrote: I like a lot of you regularly get SA list traffic being diverted to the junk folder.. mydomain.com as a main focus in our examples... but in the local.cf file i have the following whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] *.apache.org *.exim.org Use whitelist_to. Or, my preference, all_spam_to in the event of a GTUBE post. - S
Re: SA Gateway - MS Exchange -- what if MSE down?
[EMAIL PROTECTED] wrote: Bingo. I have a similar setup in place (s/postfix/sendmail/) and I don't have my Exchange box listed as an MX at all. I also have port 25 to the Exchange box firewalled off at the router to avoid portscanning. Not a good idea, IMHO. What happens if your SA gateway goes down for the count, and you're not around to fix it? In our case, I've documented how to change the firewall rules to allow direct connections to our internal Exchange server should the SA box go down. That way if I'm out of town for a week, my desktop tech makes the change and email continues to flow. Listing your Exchange box as a higher-cost MX doesn't really hurt anything, especially since you've firewalled your Exchange server (as any good admin should do). Additionally, if you ever need to send directly from your Exchange server, not having an MX associated with that machine *can* cause your mail to look spammy to certain hard-line sites. - S
Re: Do we need a Joe job bounce message blacklist?
Matthew S. Cramer wrote:
> If an email is from <> or MAILER-DAEMON then I check the mail for a line that looks like /^Received.*one.of.our.ip.addresses/. If it doesn't have the line, then I reject the mail with a 554 and Bounced message did not originate here. This has eliminated all the bogus bounces of spam and bogus virus alerts. I think virtually all MTAs include original message headers when bouncing (even the ones that are sending the bogus spam and virus bounces) so we haven't had any issues with this for the 6 months we've been doing it. Theoretically a legitimate bounce that didn't include the original message headers would be rejected, but then it should end up with the postmaster of the original bouncer and they will see the cause of the error and fix their MTA. But if that has happened to us, no one has complained.

This sounds too good to be true. Anyone care to collect some DSN's and NDR's from various MTA's and test this out? Matt, I assume you're rejecting after DATA, so this in theory shouldn't throw off sender verification callouts?

- S
Re: whitelist
Craig Jackson wrote: Where I can find docs for local.cf and usaer_templates rules and tests. For instance, I have added some whitelist entries like this, whitelist_from_rcvd [EMAIL PROTECTED]google.com which is not working. The spam score is 5.0/5.0 so it is still tagged. Thanks, Craig Jackson Nevermind. I found the docs here: perldoc Mail::SpamAssassin::Conf
http://bugzilla.spamassassin.org/show_bug.cgi?id=4337
Is there a way to apply the fix in 3.0.2 ? regards, wolfgang
Re: Do we need a Joe job bounce message blacklist?
Steve Prior writes:
> My domain geekster.com has been Joe jobbed for the last couple of weeks. In spite of the fact that I responsibly created SPF records for my domain, I am getting flooded with bounce messages from other mail systems that don't understand most spam from addresses are forged. Fortunately AOL seems to have wizened up since the last time this happened to me. It seems to me that email domains that email such bounce messages or spam fighting techniques that send back a confirmation message are now part of the problem rather than the solution, but since the confirmation messages do shield THEIR users from spam they don't care what it's doing to the rest of us. I'm wondering if a blacklist of known domains which send out stupid bounce messages or confirm emails would provide some incentive for cleaning them up.

A BL would probably be helpful -- but sadly some *really big* networks (Earthlink's challenge-response) and companies (Fortune 500s) produce these bounces, too, so it'd have serious FP potential, since those mail relay IP addresses produce both the bounces and the legit mail.

There's a ruleset to catch bounces, challenges and bogus virus warnings; Tim Jackson's bogus-virus-warnings.cf. That's what I use (now heavily modified locally).

We're also considering that it may be worthwhile to get some kind of ruleset for these as an official builtin part of SpamAssassin; this'd be optional, since it needs a little work on the user side to change from simple 2-class ham/spam classification to multi-class ham/spam/bogus-bounce/bogus-virus-warning/bogus-cr classification, but I think it'd be very useful in many places.

--j.
Re: http://bugzilla.spamassassin.org/show_bug.cgi?id=4337
On Fri, May 27, 2005 at 09:13:44PM +0200, Wolfgang Zeikat wrote:
> Is there a way to apply the fix in 3.0.2 ?

First, it's http://bugzilla.spamassassin.org/show_bug.cgi?id=4213 that you want to look at (it has the patches).

Second, you can try downloading the patches and applying to the 3.0.2 source tree. In theory, they should apply, but I haven't tried it.

Third, you could just wait for 3.0.4 to be released which will include the patches. :)

-- 
Randomly Generated Tagline: Oh My God! They Killed init! You Bastards! - Unknown
Re: Do we need a Joe job bounce message blacklist?
Justin Mason wrote:
> A BL would probably be helpful -- but sadly some *really big* networks (Earthlink's challenge-response) and companies (Fortune 500s) produce these bounces, too, so it'd have serious FP potential, since those mail relay IP addresses produce both the bounces and the legit mail.
>
> --j.

My suggestion had a bit of activism included. I don't want to reject just the bounce messages from these mail systems, I want to reject ALL mail from those systems, but do so at the MTA level so I'm not causing the annoying bounce problem I'm trying to solve. Companies who have these bounce messages and confirmation emails are actually doing damage to innocent bystanders (at the moment myself, but it is ALWAYS happening somewhere), and the company producing the messages doesn't know or have incentive to care what they are doing to others.

It really bugs me to get a message from a system claiming to be fighting spam and requiring confirmation when in fact I apparently do more to fight spam than they did (by implementing SPF for my domains and NOT sending back stupid incorrect bounces). I think that these companies need to see that all email from them is refused from their domains as long as they keep offending, and that will give them the required motivation to fix their systems.

If I sound a bit ticked at the moment - I really am, not only do I get Mr Wiggly type spams intended for my domain, but I'm also getting it forwarded/bounced to me from lots of others and that much Mr Wiggly isn't good for anyone...

Steve
Re: Do we need a Joe job bounce message blacklist?
Actually, you can forward viruses from a Linux box if the virus is an attachment or embedded in the message. It makes no difference what OS you are using when you send the message. Linux only protects us from the viruses that want to harm Windows.

Thanks,
Antonio DeLaCruz

Quoting [EMAIL PROTECTED]:
> I think this is an awesome idea! I hate getting stupid emails about how my spam or virus was rejected from someone I've never heard of. I can't very well be sending out Outlook viruses from a Linux box! It's just adding to the problem of wasting bandwidth with worthless mail.
>
> -- Evan
>
> Quoting Steve Prior [EMAIL PROTECTED]:
> > My domain geekster.com has been Joe jobbed for the last couple of weeks. In spite of the fact that I responsibly created SPF records for my domain, I am getting flooded with bounce messages from other mail systems that don't understand most spam from addresses are forged. Fortunately AOL seems to have wizened up since the last time this happened to me.
> >
> > It seems to me that email domains that email such bounce messages or spam fighting techniques that send back a confirmation message are now part of the problem rather than the solution, but since the confirmation messages do shield THEIR users from spam they don't care what it's doing to the rest of us.
> >
> > I'm wondering if a blacklist of known domains which send out stupid bounce messages or confirm emails would provide some incentive for cleaning them up.
> >
> > Any thoughts?
> >
> > Steve
Re: http://bugzilla.spamassassin.org/show_bug.cgi?id=4337
Wolfgang Zeikat wrote:
> Is there a way to apply the fix in 3.0.2 ?

I've tried applying the patch but I'm not sure if it fixed the problem. Do you have an example of a URL that is supposed to be fixed?
a question for exiscan and exim users
Recently we've been seeing a *lot* of Exim users asking questions (here and on IRC) about spamd chewing up massive quantities of RAM.

It appears that Exiscan has now become part of Exim by default, and it also appears that (at least in the default exiscan patch) it doesn't modify the config files directly to add itself to the MTA's flow.

Is there a possibility that in default Exim setups, or default OS-specific Exim packages, the exiscan config lines are being inserted *without* the required message size limits, thereby allowing massive emails to be scanned by SpamAssassin? That would inflate scanner sizes nonlinearly (and is always a no-no with SpamAssassin).

Here's what I mean. Here's a good configuration stanza:

    deny  message   = Classified as spam (score $spam_score)
          condition = ${if <{$message_size}{300k}{1}{0}}
          spam      = nobody

and here's a bad one:

    deny  message   = Classified as spam (score $spam_score)
          spam      = nobody

(note the lack of the {$message_size} condition line.)

I'd appreciate if a few Exim wizzes -- and users of Exim/exiscan on various platforms -- take a quick grep for spam = in their config files and see if they're missing the key line anywhere.

--j.
RE: SA Gateway - MS Exchange -- what if MSE down?
Steven Dickenson wrote:
> [EMAIL PROTECTED] wrote:
> > Bingo. I have a similar setup in place (s/postfix/sendmail/) and I don't have my Exchange box listed as an MX at all. I also have port 25 to the Exchange box firewalled off at the router to avoid portscanning.
>
> Not a good idea, IMHO. What happens if your SA gateway goes down for the count, and you're not around to fix it?

Hmmm... well, I have two of them, and they're linked in parallel. If one of them dies, I'm still OK. A bad automatic software update could take both of them down, it's true... but that's a risk I am willing to take.

> Additionally, if you ever need to send directly from your Exchange server, not having an MX associated with that machine *can* cause your mail to look spammy to certain hard-line sites.

Actually, Exchange server DOES send mail, 24/7. It's covered by my SPF record. Any recipient server that considers my mail spammy because I don't list an outgoing mail server as an MX is misconfigured. But I haven't had a problem... as far as I know.

-- 
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
Re: http://bugzilla.spamassassin.org/show_bug.cgi?id=4337
On 05/27/05 21:39, Stuart Johnston wrote:
> Wolfgang Zeikat wrote:
> > Is there a way to apply the fix in 3.0.2 ?
>
> I've tried applying the patch but I'm not sure if it fixed the problem. Do you have an example of a URL that is supposed to be fixed?

    echo -e Subject: test\\n\\n'http://aeroseddicc.com\'|spamassassin
    echo -e Subject: test\\n\\n'http://aeroseddicc.com'|spamassassin
Re: a question for exiscan and exim users
Justin Mason wrote:
> It appears that Exiscan has now become part of Exim by default, and it also appears that (at least in the default exiscan patch) it doesn't modify the config files directly to add itself to the MTA's flow.

This is correct. The shipped configuration file doesn't include any exiscan features. In fact, as shipped Exim won't build with the content scanning features unless you add a statement to the local Makefile.

> Is there a possibility that in default Exim setups, or default OS-specific Exim packages, the exiscan config lines are being inserted *without* the required message size limits, thereby allowing massive emails to be scanned by SpamAssassin? That would inflate scanner sizes nonlinearly (and is always a no-no with SpamAssassin).

As mentioned above, the shipped config files don't include any content scanning features. The 4.5 Debian packages include commented out options for specifying spamd's IP/socket, but don't include any ACL statements.

> Here's what I mean. Here's a good configuration stanza:
>
>     deny  message   = Classified as spam (score $spam_score)
>           condition = ${if <{$message_size}{300k}{1}{0}}
>           spam      = nobody
>
> and here's a bad one:
>
>     deny  message   = Classified as spam (score $spam_score)
>           spam      = nobody

It's entirely possible someone configured their system this way. In fact, the examples shown in the 4.5 spec (documentation) don't include any size checks. However, the examples from the exiscan website do. I'll make mention of this to Phillip on the Exim list and see if he'll update the spec examples.

- S
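The "quick grep for spam =" requested above can be automated. The following is an added example, not code from Exim, exiscan or anyone in this thread: it splits an Exim configuration into ACL statements and reports every statement that reaches a `spam =` condition without an earlier condition referencing `$message_size`. Exim evaluates ACL conditions in the order written, so a size test placed after `spam =` is reported too. The sample configuration is constructed for the example, and the check only looks for the presence and position of a size test, not its threshold.

```python
import re

ACL_VERBS = {"accept", "defer", "deny", "discard", "drop", "require", "warn"}
SIZE_REF = re.compile(r"\$\{?message_size\b")   # $message_size or ${message_size}

def logical_lines(text):
    """Yield (first_line_no, text) with comments skipped and '\\' continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def acl_statements(text):
    """Yield (line_no, verb, [(condition_name, value), ...]) for each ACL statement."""
    current = None
    for n, line in logical_lines(text):
        words = line.split(None, 1)
        if words[0] in ACL_VERBS:                      # a verb starts a new statement
            if current:
                yield current
            current = (n, words[0], [])
            line = words[1] if len(words) > 1 else ""
            if not line:
                continue
        elif current is None:
            continue                                   # main-section option, not an ACL
        elif re.match(r"^(begin\b|\w+:$)", line):      # next section or next ACL label
            yield current
            current = None
            continue
        m = re.match(r"^(!?\s*\w+)\s*=\s*(.*)$", line)
        if m:
            current[2].append((m.group(1).replace(" ", ""), m.group(2)))
    if current:
        yield current

def audit(text):
    """Return (line_no, verb, spam_value) for statements that scan without a prior size test."""
    findings = []
    for n, verb, conds in acl_statements(text):
        size_checked = False
        for name, value in conds:
            if name == "condition" and SIZE_REF.search(value):
                size_checked = True
            elif name.lstrip("!") == "spam":
                if not size_checked:
                    findings.append((n, verb, value))
                break
    return findings

# Constructed sample, not a real site's configuration.
SAMPLE_CONFIG = r"""
spamd_address = 127.0.0.1 783

begin acl

acl_check_data:
  # good: size test comes first, so large messages never reach spamd
  deny  message   = Classified as spam (score $spam_score)
        condition = ${if <{$message_size}{300k}{1}{0}}
        spam      = nobody

  # bad: no size test at all
  deny  message   = Classified as spam (score $spam_score)
        spam      = nobody

  # bad: the size test is only evaluated after the scan has already run
  warn  spam      = nobody:true
        condition = ${if <{$message_size}{300k}{1}{0}}
        message   = X-Spam-Score: $spam_score

  accept

begin routers
"""

if __name__ == "__main__":
    for line_no, verb, value in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: '{verb}' runs spam = {value} with no prior $message_size test")
```
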
Spam
Hi there, Can anyone help me out with the attached message? To me this is obvious spam, but I dont know why it got through. I have my spamassassin score set to 5, but when I run spamassassin D on this, I only get a couple points. Im wondering if Im missing some important ruleset or something. The only thing that seems to fire on this is BAYES_50. Thanks for any help you can offer! Jason ---BeginMessage--- Title: gyroscopem Hydrophene DHk bell, my compliments to Mr. Dick, and beg him to come down. 7w3x2o9m8a5r3o2r8h2m3j9g3v1q4g8w3i8y5z6b5n2r8r8x3k5i4v6u8o9h5s6y3k8q9o5d3q8n3d2x8i3f8g8e9c9a3e5v7g5p8j8s2s8p Old Soldier resignedly, that, of course, he gave up altogether, 9k9x5l8y1t9t4j3r9o7d8i5k5o6h9h3w6t5x4h4u7t4q9r8a1a7v2d5a6p8e8u7z5z7q3n8e6e7u9k7c5y6y6z1l3o7g4s5r2a2z6x2r darling from a portrait on the wall, as if it were even something 1v1h8x8e3j3r6g3z7c6n4r7x4v5o9c9f1p1z2j2j1i1z7u4t5z5y7r5p1s5s8c6w7k9r6e7c4x3b5q8m2c5p3t2f9t4k5f5a6p7c7b7q6d 2a9e1b6t5a2n8h7f2r6p7x4x9s6c4q7i2r7o6n3b8w9j3g9c2b1u2i7o1t2c5b2d1v6c3c6b8c2j9b4z3h1y3i5i2t4y1a1i7g3n 4r9t6d5u9h5c1z8j1u7c3a7j8o6f7z2v1i6z2i4d8n4r3w7u5a2g9b3w1m7q7y7a7f4v9r3x9u6o9v8w7v5x5v9e1d4y8s8c2d5m7l3v8q4l7e Why, he is a sort of monkish attorney, replied Steerforth. He 9i9g9i3e5d6d2q7j7x9y9m1e8r6z6v8d4s9t1p7q9u1r2e3i8h5c9n6x5k5y1h4w9l7s8g3c8p4p6i1v4n8t1c5n8l4n9c1u1g7z5x7t2x garments with which I had been decorated on the first day, and 4p5p8k6e7r6b1a8y9u2t7x5b8g4o1s5p2l5i8y7l8t9h4p7h4i5j6e1b7x2n3u1v2b4q1g6z5c2l6f5k2n4d2b9q7r6k8c9o7s2z7v2n8r4t3s5y me, too, and entertained the probability of my running away again 7l2k3a1k2b2l4t8p6q5x3h1c4o8q8o5s3k1k6x9y8n6r6z2k5u4d7s4s3d1g6r6f1a4z8c6i8n9k1c5v8x5i1y8d5j8p9u6l6g4i3q4c2y7s3o7b2e7o4q1n1n5l7r4s except that, in passing up or down stairs, I always found her close 1f5x9o8j5u2c5i4d7t8l5h6i1u5b7r7v4m1d6m3h9d9x8n7z9f4d7v6d4d4e1h4s9b9j5v5q8r3l6u8t6t6y3y1h5q6o1e3n5g4x8a7u7p5c5p9g1l6c6z6m9x8m5r5l4a4q8w intermingle, he continued. 
I am owing you an apology for an 6a8a1w9a1d8t9k1x2k7z4m8v7g9r2f8k6n1j5y8k9r9t8g4s9n9f2r4a7l3g5t1n2n1c5t2w1l9o7u3y7k6x8o8j2w2c8j1r2e1j2x2w4j7q8k8z9t thinking it was morning, and find that the family were not yet gone 5d9x1q8p2z6c9c4a8m1g1c4e6f3x4f2m6p8u2b9f6m1w7e6e2m7c3r3m2u8b9b4i7x6s8z3q2s2n7t4h2c8l9j8c4c6o3o2e3c3h attachment: Gzq.GIF---End Message---
Re: Spam
Jason Bennett wrote:
> Hi there,
>
> Can anyone help me out with the attached message? To me this is obvious spam, but I don't know why it got through. I have my spamassassin score set to 5, but when I run spamassassin -D on this, I only get a couple points. I'm wondering if I'm missing some important ruleset or something. The only thing that seems to fire on this is BAYES_50.
>
> Thanks for any help you can offer!
>
> Jason
>
> Subject: leeryq Saccharin Miscells
> From: [EMAIL PROTECTED]
> Date: Fri, 27 May 2005 14:25:15 -0600
> To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> http://ereayfcoqcyr.orgivfhniwthpifecjpedsoh%2Epictilpict4.com/

Include the full headers for the email please

-- 
Roman Volf
Keystreams Internet Solutions
[EMAIL PROTECTED]
Spam
Sorry all, let me try this again. Attached is the message I was referring to in my previous posting.

Thanks
Jason

Microsoft Mail Internet Headers Version 2.0
Received: from calgty1.forzani.com ([172.16.112.6]) by CALMAIL01.fglcorporate.net with Microsoft SMTPSVC(5.0.2195.6713); Fri, 27 May 2005 13:29:31 -0600
Received: by calgty1.forzani.com (Postfix, from userid 5001) id 93DAC57D; Fri, 27 May 2005 13:29:09 -0600 (MDT)
Received: from localhost (unknown [127.0.0.1]) by calgty1.forzani.com (Postfix) with ESMTP id 778C057C; Fri, 27 May 2005 13:29:09 -0600 (MDT)
Received: from calgty1.forzani.com ([127.0.0.1]) by localhost (calgty1.forzani.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06187-08; Fri, 27 May 2005 13:29:09 -0600 (MDT)
Received: from 80-219-248-164.dclient.hispeed.ch (80-219-248-164.dclient.hispeed.ch [80.219.248.164]) by calgty1.forzani.com (Postfix) with SMTP id 945A557B; Fri, 27 May 2005 13:28:22 -0600 (MDT)
Received: from VAKVD (sjzxpkl.dnaco.net[157.71.161.242]) by vdrkmeuww.dnaco.net (Postfix) with SMTP id 4S2R2Q9636 for [EMAIL PROTECTED]; Fri, 27 May 2005 15:25:15 -0500 (envelope-from [EMAIL PROTECTED])
From: Neal Grant [EMAIL PROTECTED]
To: Nova4 [EMAIL PROTECTED]
Subject: leeryq Saccharin Miscells
Date: Fri, 27 May 2005 15:25:15 -0500
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/related; boundary==_Part_27857750_19531241.1741543703695
X-Virus-Scanned: amavisd-new at forzani.com
X-Filtered-With: renattach 1.2.2
X-RenAttach-Info: mode=badlist action=rename count=0
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 27 May 2005 19:29:32.0020 (UTC) FILETIME=[683A8340:01C562F2]

--=_Part_27857750_19531241.1741543703695
Content-Type: multipart/alternative; boundary==_Part_24499137_16233341.1132971202644

--=_Part_24499137_16233341.1132971202644
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--=_Part_24499137_16233341.1132971202644
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7Bit

--=_Part_24499137_16233341.1132971202644--

--=_Part_27857750_19531241.1741543703695
Content-Type: image/gif; name=Gzq.GIF
Content-Disposition: attachment; filename=Gzq.GIF
Content-Transfer-Encoding: base64

--=_Part_27857750_19531241.1741543703695--

http://ereayfcoqcyr.orgivfhniwthpifecjpedsoh%2Epictilpict4.com/
sa-learn from imap
I needed to get this working this week and found the RemoteImapFolder wiki page. I decided to use that method; here are the steps I did to make this work for me. I use qmail instead of cyrus so needed to change the redelivery method also. I don't have a username on the wiki and thought I'd see if anyone here had any improvements before I add it to the wiki.

Create a .fetchmailrc file in the user's home that the cron script will run from, or maybe in /etc

---
poll mail.domain.com
user 'user1' there with password 'password' is user1 here
user 'user2' there with password 'password' is user2 here
---

Replace the mail server name on the first line and the 2 usernames and the password on each of the users lines. Duplicate for each user you want to learn from. What this does is make the script below not stop and ask for a password when it is run.

It is run like this

./learnfromexchange user FOLDERNAME mail.bccks.com (spam|ham|forget)

For the server I run we use sitewide bayes - so I talked to 4 of the users and got permission to learn from their spam and a non-personal good email folder that they will drag email to. Then I run the script from cron

02 4 * * * root /root/learnfromexchange user1 SPAM mail.domain.com spam
12 4 * * * root /root/learnfromexchange user1 CLEAN mail.domain.com ham
22 4 * * * root /root/learnfromexchange user2 SPAM mail.domain.com spam
32 4 * * * root /root/learnfromexchange user2 CLEAN mail.domain.com ham

So here is the script. It has a check for the correct amount of arguments - but not yet for valid values on the arguments - since I only needed to run it from cron

#!/bin/bash
ARGS=4         # Script requires 4 arguments.
E_BADARGS=65   # Exit value if incorrect number of args passed.

test $# -ne $ARGS && \
echo - && \
echo "Usage: `basename $0` username emailfolder imapserver type" && \
echo "Like: learnfromexchange.sh jim SPAM mail.domain.com spam" && \
echo - && \
exit $E_BADARGS

username=$1
spamfolder=$2
imapserver=$3
foldertype=$4   # spam, ham or forget; not validated, passed to sa-learn as --$foldertype

# The MDA string is double-quoted so $foldertype expands here; bash -c then
# runs the tee/process-substitution pipeline once per fetched message.
/usr/bin/fetchmail -a -k -s -n -u "$username" -p IMAP \
    --folder "$spamfolder" \
    -m "bash -c '/usr/bin/tee >(/usr/bin/sa-learn --$foldertype --single >/dev/null)|/usr/bin/spamc|/usr/bin/rsmtp'" \
    "$imapserver"
Re: whitelist
Hello Craig,

Friday, May 27, 2005, 11:10:55 AM, you wrote:

CJ Where I can find docs for local.cf and user_templates rules and tests.

It would help to know which version of SA you're using, since syntax sometimes changes.

CJ For instance, I have added some whitelist entries like this,
CJ whitelist_from_rcvd [EMAIL PROTECTED]google.com
CJ which is not working. The spam score is 5.0/5.0 so it is still tagged.

For 3.0.x you'll find that at http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options first whitelist_from, then unwhitelist_from, then the whitelist_from_rcvd that you're asking about.

Bob Menschel
Re: 70_sare_header.cf dupe
Hello Donald,

Friday, May 27, 2005, 9:54:15 AM, you wrote:

DDbc Checking for duplicate rules using the following command,
DDbc cat *.cf | awk '/^score/ {print $2}' | sort | uniq -c |
DDbc sort -nr | awk '{if ($1 > 1) print $0}' | more
DDbc I found the following duplicate:
DDbc # grep -n SARE_MSGID_LONG50 * | grep score
DDbc 70_sare_header.cf:965:score SARE_MSGID_LONG50 1.666
DDbc 70_sare_header.cf:2637:score SARE_MSGID_LONG50 1.666

Yep. No harm done, since the rule runs only once, but you're right -- the rule is in both header0.cf and header1.cf; I'll fix that in the next release.

DDbc I got an 'undeliverable' email when trying to send to
DDbc [EMAIL PROTECTED], the email referenced in the cf
DDbc file.

That address used to work. I'll find one that does work and document it in the rules file also.

Bob Menschel
Re[2]: 70_sare_header.cf dupe
Hello Bill,

Friday, May 27, 2005, 10:46:32 AM, you wrote:

BL - Original Message -
BL From: [EMAIL PROTECTED]

> Checking for duplicate rules using the following command,
> cat *.cf | awk '/^score/ {print $2}' | sort | uniq -c | sort -nr | awk '{if ($1 > 1) print $0}' | more
> I found the following duplicate:
> # grep -n SARE_MSGID_LONG50 * | grep score
> 70_sare_header.cf:965:score SARE_MSGID_LONG50 1.666
> 70_sare_header.cf:2637:score SARE_MSGID_LONG50 1.666

BL I also found dups for:
BL SARE_OBFU_BUY_SUB - in 70_sare_obfu.cf - (two different rules)

Sho'nuff. Both good rules. I'll merge them together in the next release.

Bob Menschel
Re[2]: [SARE] Whitelist.cf updated
Hello Jeff, Friday, May 27, 2005, 1:06:46 AM, you wrote: JC On Thursday, May 26, 2005, 5:58:02 PM, Robert Menschel wrote: JC 2. Would they be appropriate to whitelist (i.e. exclude from JC listing) in SURBLs? Unlikely, since the web sites mentioned in the emails are rarely the same as the From address or routing server. However, the primary web sites within those emails might be good candidates for the SURBL whitelist. Bob Menschel JC Fair enough. You don't happen to have a list of those JC corresponding websites do you? :-) Not readily handy, but if you can find me a few extra hours :-), I can scan my corpus and put together a partial list. Bob Menschel (and no, this holiday weekend doesn't count -- I'll be back at the office for a network change at 9:00 tonight, spending 4 hours Sat/Sun on an A/P archival program, another 4 on Sunday for G/L and physical inventories, and preparing Monday for major changes to our credit authorization system)
Re: problem with split line URL's
Hello Martin, Friday, May 27, 2005, 3:52:25 AM, you wrote: MH Hi MH I've been attempting to get the split line URL rule working - this one.. I believe the working rule that matches all active spam using this trick is now active in 70_sare_obfu.cf Bob Menschel
Re: Spam
Hello Jason,

Friday, May 27, 2005, 2:52:40 PM, you wrote:

JB Sorry all, let me try this again. Attached is the message
JB I was referring to in my previous posting.

Here in SA 3.0.3 your example hits:

Content analysis details: (9.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 0.1 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [80.219.248.164 listed in dnsbl.sorbs.net]
 2.8 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [http://dsbl.org/listing?80.219.248.164]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [80.219.248.164 listed in combined.njabl.org]
 3.6 AWL                    AWL: From: address is in the auto white-list

Ignoring the AWL which is site specific, the major points come from network tests. Do you have network tests enabled and active on your system?

Other than that, I see one intended URL, which is obfuscated such that SA doesn't yet recognize it as a URL. If it had, I suspect we'd also see a SURBL report in there.

One thing you could key on is a long word, something like

body      MY_LONGWORD  /\w{100}/
describe  MY_LONGWORD  Excessively long string of characters
score     MY_LONGWORD  1 #rescore as needed on your system

Bob Menschel
Re: Do we need a Joe job bounce message blacklist?
On Fri, 27 May 2005, Matthew S. Cramer wrote:
> You could probably do this with a SA rule. I do it with MIMEDefang milter. If an email is from <> or MAILER-DAEMON then I check the mail for a line that looks like /^Received.*one.of.our.ip.addresses/. If it doesn't have the line, then I reject the mail with a 554 and "Bounced message did not originate here."

care to share? :-) sounds like it should be simple to filter @ebay.com / @paypal.com announcements that don't originate from ebay.com too.

-Dan
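The check described in the quoted message, sketched as an added example. This is not the poster's MIMEDefang filter and not code from SpamAssassin: the function names, the relay addresses (documentation-range IPs) and both sample bounces are constructed for the example. It goes one step beyond a per-line regex by unfolding continuation lines first, since the relay IP in a Received header often sits on a folded line, and it matches the IP as a whole token so that 192.0.2.250 does not pass for 192.0.2.25.

```python
import re

# Assumption: the site's outbound relays (documentation-range addresses).
OUR_RELAYS = ["192.0.2.25", "192.0.2.26"]

def is_bounce_sender(envelope_from):
    """Null sender (<>) or a MAILER-DAEMON address marks a delivery status message."""
    addr = envelope_from.strip().strip("<>").lower()
    return addr == "" or addr.split("@")[0] == "mailer-daemon"

def unfold(raw):
    """Join folded continuation lines (leading space or tab) onto the line before."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines and lines[-1]:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def originated_here(raw, our_ips=OUR_RELAYS):
    """True if any Received line anywhere in the mail names one of our relay IPs."""
    ip_res = [re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\.?\d)") for ip in our_ips]
    for line in unfold(raw):
        if line.lower().startswith("received:") and any(r.search(line) for r in ip_res):
            return True
    return False

def smtp_verdict(envelope_from, raw, our_ips=OUR_RELAYS):
    """Return the (code, text) reply for a message; only bounces are tested."""
    if is_bounce_sender(envelope_from) and not originated_here(raw, our_ips):
        return (554, "Bounced message did not originate here")
    return (250, "OK")

# Constructed sample: bounce of a message that really left through our relay.
# The relay IP sits on a folded continuation line of the returned headers.
GENUINE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: alice@example.org
Subject: Undelivered Mail Returned to Sender

The following message could not be delivered to bob@example.net.

Received: from relay.example.org (relay.example.org
    [192.0.2.25]) by mx.example.net with ESMTP; Fri, 27 May 2005 13:29:10 -0600
Received: from client.example.org (client.example.org [192.0.2.77])
    by relay.example.org with ESMTP; Fri, 27 May 2005 13:29:09 -0600
From: alice@example.org
Subject: meeting notes
"""

# Constructed sample: backscatter from a forged sender. The returned headers
# show a dynamic host and a near-miss address (192.0.2.250), never our relay.
BACKSCATTER = """\
From: MAILER-DAEMON@mx.example.net
To: alice@example.org
Subject: Undelivered Mail Returned to Sender

The following message could not be delivered to bob@example.net.

Received: from dsl.example.com (dsl.example.com [198.51.100.7])
    by mx.example.net with SMTP; Fri, 27 May 2005 13:28:22 -0600
Received: from unknown (HELO relay.example.org) [192.0.2.250]
    by dsl.example.com with SMTP; Fri, 27 May 2005 13:28:20 -0600
From: alice@example.org
Subject: leeryq
"""

if __name__ == "__main__":
    for name, sender, raw in [("genuine", "<>", GENUINE_BOUNCE),
                              ("backscatter", "<>", BACKSCATTER)]:
        print(name, smtp_verdict(sender, raw))
```

The check relies on the bouncing system returning the original headers; a bounce that omits them or returns them in an encoded part is rejected along with the backscatter.
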
Re[6]: Is Bayes Really Necessary?
Hello List,

Friday, May 27, 2005, 12:08:46 AM, you wrote:

LMU Bob,
LMU The Staples mention was of interest since I get their weekly ads
LMU to an account here. The very last one hit BAYES_50, but all the others
LMU were from BAYES_00 to (from a 3.0.1 install) BAYES_44. - Most were BAYES_20
LMU (I looked back 4 months - how long that account's mail is kept locally; I
LMU could check archives for 10 years, but I think I've only been getting the
LMU Staples ads for about 4 years). All scored between .5 and 2.1 points.
LMU I've seen a few ads from other vendors come much closer to the limit on
LMU the accounts used (all vendors advertising intended for me goes to unique
LMU email addresses, but they get collected by aliases in groups by industry
LMU and use - e.g. Staples ads don't go to the same mailbox as ads for NLOS
LMU telecom gear). Oddly, some of the most obscure technical items often score
LMU the highest;
LMU There definitely is a `style' issue at work. It appears that both
LMU some legitimate companies and people who write copy that looks like spam
LMU and some spammers are good at generating messages that seems to be ham to
LMU bayes.
LMU Paul Shupak
LMU [EMAIL PROTECTED]
LMU P.S. The last Staples ad was from this Monday, May 23 and (for me) hit:
LMU score=0.5 required=5.0 tests=AWL,BAYES_50,EXCUSE_10,
LMU HTML_90_100,HTML_IMAGE_RATIO_04,HTML_MESSAGE,REMOVE_PAGE,
LMU URIBL_RHS_ABUSE,URI_REDIRECTOR
LMU I'd be curious if this was the same one that hit 99 for you (I had only
LMU one 44 and most were 10 or 20).

Nope.
Date: Mon, 23 May 2005 17:03:08 -0400 From: Staples [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on pascal.ctyme.com X-Spam-Status: No, score=-102.4 required=5.0 tests=BAYES_00,CALL_FREE, CT_OFFERS_ETC,DCC_CHECK,EXCUSE_10,HTML_90_100,HTML_IMAGE_RATIO_04, HTML_MESSAGE,LINK_PHRASE,REMOVE_PAGE,SARE_HTML_URI_UNSUB, SP_HAM_EXTREME,URI_REDIRECTOR,USER_IN_WHITELIST autolearn=no version=3.0.3 Would have scored -2.4 without the whitelist. Actually had to go back to March to find a Staples emailing that would have flagged as spam: Date: Fri, 18 Mar 2005 06:25:18 -0500 From: Staples [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on pascal.ctyme.com X-Spam-Status: No, score=-89.8 required=5.0 tests=BAYES_00,CALL_FREE, CT_ACT_NOW,CT_GREAT_OFFER,CT_OFFERS_ETC,CT_OFFER_2,DCC_CHECK, EXCUSE_10,HTML_90_100,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LINK_PHRASE, REMOVE_PAGE,SARE_HTML_URI_UNSUB,SAVE_BUCKS,SPF_HELO_PASS,SP_SPAM_VERY, TONER,URI_REDIRECTOR,USER_IN_WHITELIST autolearn=no version=3.0.1 Without the whitelist it would have scored 10.2 Date: Mon, 14 Mar 2005 19:31:56 -0500 From: Staples [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on pascal.ctyme.com X-Spam-Status: No, score=-92.7 required=5.0 tests=BAYES_00,CALL_FREE, CT_ACT_NOW,CT_GREAT_OFFER,CT_OFFERS_ETC,CT_OFFER_2,DCC_CHECK, EXCUSE_10,HTML_90_100,HTML_IMAGE_RATIO_04,HTML_MESSAGE,LINK_PHRASE, REMOVE_PAGE,SARE_HTML_URI_UNSUB,SAVE_BUCKS,SPF_HELO_PASS,SP_SPAM_HIGH, URI_REDIRECTOR,USER_IN_WHITELIST,WHILE_SUPPLIES autolearn=no version=3.0.1 Date: Fri, 4 Mar 2005 07:43:08 -0500 From: Staples [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on pascal.ctyme.com X-Spam-Status: Yes, score=14.7 required=5.0 tests=BAYES_00,CALL_FREE, CT_ACT_NOW,CT_OFFERS_ETC,DCC_CHECK,EXCUSE_10,HTML_90_100, HTML_IMAGE_RATIO_06,HTML_MESSAGE,LINK_PHRASE,REMOVE_PAGE, SARE_HTML_URI_UNSUB,SARE_REPLY_SPAMWORD0,SAVE_BUCKS,SPF_HELO_PASS, 
SP_SPAM_EXTREME,URI_REDIRECTOR autolearn=no version=3.0.1 This was the last one actually flagged as spam before I began the whitelist here. You'll note that BAYES_00 was correct about all of these. Bob Menschel
Re: [SPAM-TAG] Spam
On Friday, May 27, 2005, 2:41:50 PM, Jason Bennett wrote: Can anyone help me out with the attached message? To me this is obvious spam, but I don't know why it got through. I have my spamassassin score set to 5, but when I run spamassassin -D on this, I only get a couple points. I'm wondering if I'm missing some important ruleset or something. The only thing that seems to fire on this is BAYES_50. Please consider using SURBLs: http://www.surbl.org/ The spam advertised domain is heavily listed on SURBLs: pictilpict4 .com giving me the score: X-Spam-Status: Yes, hits=10.1 tagged_above=2.0 required=4.0 tests=AB_URI_RBL, BAYES_00, HTML_MESSAGE, HTML_TAG_BALANCE_A, HTTP_ESCAPED_HOST, JP_URI_RBL, OB_URI_RBL, SPAMCOP_URI_RBL, WS_URI_RBL Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: embedded image spams
So my question is can we have rulesets in spamassassin that can compare the sending host domain with the latter part of @ of content id or look for @ in the content id. Nice analysis! Yes, we can make rules that will (often, not always) catch this sort of thing. The problem is they require a capturing group, and that is relatively slow in Perl. Further, it is reputed by many to slow down ALL tests as soon as you put it into one test. I don't know if this is really true or not, but it is something that can be at least roughly measured in a mass-check. I'll see about doing some rules over the weekend to try this. Loren PS: A plugin would be another way of doing these, and theoretically would not slow things down. Someday I'm going to have to figure out how to write a plugin...
Re: SpamAssassin-3.0.3 test failure
> I am pleased to report the problem is solved. I obtained and installed the latest Berkeley DB from sleepycat.org, then the perl module DB_File-1.811. This resolved the problem.

Please open a bug in BZ showing the symptoms and documenting the fix, and give it a title of something like "unuseful error messages for old DB_File version". There is supposed to be a check during the install that checks for the required version of everything SA might use, and complains if an old version is found. Clearly DB_File doesn't seem to be on that list, and clearly should be.

Separately, there is an open bug for cleaning up useless "perl error!" error messages that describe an SA option with incorrect syntax. One could argue that your 'error message' falls into both of these camps.

Loren
Re: Spam
Just to keep up; pictilpict4. com is the multitrade group, who now calls themselves omnicorporation. biz (since every domain with multitrade in its name has been suspended). These guys are *very* good at finding techniques to beat both SA and the SpamCop parser, but they don't really seem to even try to hide (i.e. this domain has a brand new name and address, but uses name servers in an old frozen domain). Paul Shupak [EMAIL PROTECTED]
RE: [SPAM-TAG] Spam
Hmm, then I must have something wrong because I have the URIDNSBL plugin installed and my network tests are active (not using -L on command line) and amavisd-new has $SALocalTestsOnly = 0; When I run this email against commandline spamassassin, I get this (can anyone point out what I may have wrong?):

$ /usr/bin/spamassassin -D -t ~jason/message.txt
debug: SpamAssassin version 3.0.2
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', which doesn't exist, dropping.
debug: PATH included '/opt/bin', keeping.
debug: Final PATH set to: /bin:/usr/bin:/opt/bin
debug: using /etc/mail/spamassassin/init.pre for site rules init.pre
debug: config: read file /etc/mail/spamassassin/init.pre
debug: using /usr/share/spamassassin for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/share/spamassassin/50_scores.cf
debug: config: read file /usr/share/spamassassin/60_whitelist.cf
debug: using /etc/mail/spamassassin for site rules dir
debug: config: read file /etc/mail/spamassassin/70_sare_bayes_poison_nxm.cf
debug: config: read file /etc/mail/spamassassin/70_sare_evilnum0.cf
debug: config: read file /etc/mail/spamassassin/70_sare_header.cf
debug: config: read file /etc/mail/spamassassin/70_sare_random.cf
debug: config: read file /etc/mail/spamassassin/70_sare_ratware.cf
debug: config: read file /etc/mail/spamassassin/70_sare_spoof.cf
debug: config: read file /etc/mail/spamassassin/72_sare_bml_post25x.cf
debug: config: read file /etc/mail/spamassassin/99_sare_fraud_post25x.cf
debug: config: read file /etc/mail/spamassassin/bogus-virus-warnings.cf
debug: config: read file /etc/mail/spamassassin/german.cf
debug: config: read file /etc/mail/spamassassin/local.cf
debug: config: read file /etc/mail/spamassassin/tripwire.cf
debug: using /usr/local/amavisd/.spamassassin for user state dir
debug: using /usr/local/amavisd/.spamassassin/user_prefs for user prefs file
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8cb766c)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8cb5998)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8cfce50)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8cb766c) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8cb5998) implements 'parse_config'
debug: rewrite_header: ignoring 1, not From, Subject, or To
debug: bayes: 27672 tie-ing to DB file R/O /usr/local/amavisd/.spamassassin/bayes_toks
debug: bayes: 27672 tie-ing to DB file R/O /usr/local/amavisd/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: Score set 3 chosen.
debug: dns_available set to yes in config file, skipping test
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.49
debug: IP is reserved, not looking up PTR: 172.16.112.6
debug: received-header: parsed as [ ip=172.16.112.6 rdns= helo=calgty1.forzani.com by=CALMAIL01.fglcorporate.net ident= envfrom= intl=0 id= auth= ]
debug: IP is reserved, not looking up PTR: 127.0.0.1
debug: received-header: parsed as [ ip=127.0.0.1 rdns= helo=localhost by=calgty1.forzani.com ident= envfrom= intl=0 id=778C057C
open source blocklist
Hi, Anyone know of an open source project which can create and manage an email blacklist and also run using qmail, rblsmtpd and even SpamAssassin rules? Thanks
Re: embedded image spams
So my question is can we have rulesets in spamassassin that can compare the sending host domain with the latter part of @ of content id or look for @ in the content id.

Hi, honestly the fact that outlook uses different strings and this spam uses similar strings for the boundary and the content id could be seen as a coincidence. I am using a few perl and php scripts for mail with attachments that more resemble the spam than the outlook case - and I don't think there are any recommendations in the RFC about how to create content id.

Wolfgang Hamann
RE: [SPAM-TAG] Spam
Thanks! Can you direct me to the patch? I downloaded and installed SpamAssassin 3.1.0-r170109, but I still get the same results. Thanks again! Jason

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Friday, May 27, 2005 10:44 PM
To: users@spamassassin.apache.org
Subject: Re: [SPAM-TAG] Spam

Hmm, then I must have something wrong because I have the URIDNSBL plugin installed and my network tests are active (not using -L on command line) and amavisd-new has $SALocalTestsOnly = 0; When I run this email against commandline spamassassin, I get this (can anyone point out what I may have wrong?):

Yes: http://ereayfcoqcyr.orgivfhniwthpifecjpedsoh%2Epictilpict4.com/

What you have wrong is a clever hack url that ends in a slash and confuses SA so that it doesn't run the URI tests. There is a patch in 3.1, and I think it may also be in the 3.0.4 stream.

Loren
Re: [SPAM-TAG] Spam
Bug 4337. Loren
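
An added illustration, not part of the thread and not SpamAssassin's code or the Bug 4337 patch: the URL quoted above carries a percent-encoded dot (%2E) in its hostname, and this sketch shows why a URI blocklist check should decode the host before choosing the domain to look up. The function names and the "last two labels" domain rule are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed message body; the URL is the one quoted in the thread above.
SAMPLE_BODY = (
    "Great prices, visit "
    "http://ereayfcoqcyr.orgivfhniwthpifecjpedsoh%2Epictilpict4.com/ today"
)

AUTHORITY_RE = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")


def last_two_labels(host):
    # Assumption: the listable domain is the last two labels. A real
    # extractor needs a table of multi-label suffixes such as co.uk.
    return ".".join(host.split(".")[-2:])


def naive_domain(authority):
    """Use the authority exactly as written in the message."""
    return last_two_labels(authority.lower())


def normalized_domain(authority):
    """Strip userinfo and port, percent-decode, validate, then pick the domain."""
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0]
    host = unquote(host).lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None  # still not a hostname after decoding: flag, do not query
    return last_two_labels(host)


def domains_to_query(body, extractor=normalized_domain):
    """Return the unique domains a URI blocklist lookup would be made for."""
    found = []
    for authority in AUTHORITY_RE.findall(body):
        domain = extractor(authority)
        if domain and domain not in found:
            found.append(domain)
    return found


if __name__ == "__main__":
    print("naive:     ", domains_to_query(SAMPLE_BODY, naive_domain))
    print("normalized:", domains_to_query(SAMPLE_BODY))
```

Without decoding, the lookup is made for a name that contains a literal "%2e" and can never match a listing; after decoding, the query goes to the domain the link actually resolves to.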