Re: Still need to work on Mail SpamAssassin 3.1.0

2005-07-07 Thread The Doctor
On Tue, Jul 05, 2005 at 09:01:25PM -0600, The Doctor wrote:
> On Tue, Jul 05, 2005 at 10:23:45PM -0400, Matt Kettler wrote:
> > At 08:41 PM 7/5/2005, The Doctor wrote:
> > >Spam Assassin 3.0.4 works with milter-spamc 0.25, smf-spamd and MailScanner
> > >Current.
> > >
> > >Spam Assassin 3.1.0 only works MailScanner Current less than 10% .
> > >
> > >How can I help to determine where the source of the problem is?
> > 
> > 
> > There is no such thing as 3.1.0 yet...
> > 
> > did you mean 3.1.0-pre1, 3.1.0-pre2 or 3.1.0-pre3 or a SVN build?
> > 
> > In general, all of these are unreleased, so may have some minor issues. 
> > Certainly MailScanner is most likely to be impacted by these, as 
> > MailScanner is an API layer caller. You might also check on the MailScanner 
> > mailing list to see if Julian is working on some adjustments for 3.1.0 
> > support.
> > 
> > Also what do you mean by "only works MailScanner Current less than 10%?". 
> > Do you mean it is only marking 10% of your spam?
> > 
> > 
> > 
> > 
> > 
>  
> pre3 and yes about the marking.
>

Found the problem.  From the logs:

Thu Jul  7 21:55:45 2005 [4390] dbg: spamd: initial attempt to change real uid failed, trying BSD workaround

Thu Jul  7 21:55:45 2005 [4390] error: setruid() not implemented at /usr/contrib/bin/spamd line 870.

BSD HATES setruid().  I had to disable this in openwebmail
for me to get openwebmail to work.  You may want to add code that disables
setruid in BSD.
 
> -- 
> Member - Liberal International
> This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
> God Queen and country! Beware Anti-Christ rising!
> Canada Day 1 July, USA Day 4 July - PARTY ON!

-- 
Member - Liberal International  
This is [EMAIL PROTECTED]   Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Canada Day 1 July, USA Day 4 July - PARTY ON!
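
Added example (not part of the post above and not SpamAssassin's own code): one way a Perl daemon can drop root without assigning to $<, the assignment that makes perl call setruid() and produces the error in the log. The helper name drop_privileges and the account name "nobody" are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: drop root privileges without assigning to $< (real uid),
# the operation behind "setruid() not implemented" in the log above.
use strict;
use warnings;
use POSIX ();

# Permanently switch the process to $user. Returns the (uid, gid) now in
# effect; dies on any failure so the caller never keeps running as root.
sub drop_privileges {
    my ($user) = @_;

    my @pw = getpwnam($user) or die "unknown user '$user'\n";
    my ($uid, $gid) = @pw[2, 3];
    die "refusing to 'drop' to uid 0\n" if $uid == 0;

    # Only root can change identity; anything else is a configuration error.
    die "must start as root to switch to '$user'\n"
        unless POSIX::geteuid() == 0;

    # 1. Supplementary groups first, while still root. Assigning a list to $)
    #    sets the effective gid (first number) and calls setgroups() with the
    #    rest. This needs setegid()/setgroups() support in the perl build.
    $! = 0;
    $) = "$gid $gid";
    die "could not reset group list: $!\n" if $!;

    # 2. Group before user: once the uid is gone, setgid() is not permitted.
    POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";

    # 3. setuid(2) called as root sets the real, effective and saved uid in
    #    one step, so no separate setruid()/seteuid() call is needed.
    POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";

    # 4. Verify with fresh system calls rather than trusting $< and $>,
    #    which older perls cache.
    my ($ruid, $euid) = (POSIX::getuid(), POSIX::geteuid());
    my ($rgid, $egid) = (POSIX::getgid(), POSIX::getegid());
    die "uid not dropped (real=$ruid effective=$euid)\n"
        unless $ruid == $uid && $euid == $uid;
    die "gid not dropped (real=$rgid effective=$egid)\n"
        unless $rgid == $gid && $egid == $gid;

    # No supplementary group other than the target gid may remain.
    my (undef, @groups) = split ' ', $);
    die "extra groups remain: @groups\n" if grep { $_ != $gid } @groups;

    # 5. A correct drop cannot be undone: regaining root must fail.
    die "root privileges can still be regained\n" if POSIX::setuid(0);

    return ($uid, $gid);
}

# Constructed usage: the account name is an assumption, pass your own.
unless (caller) {
    my $user = shift(@ARGV) // 'nobody';
    if (POSIX::geteuid() != 0) {
        print "not root (euid ", POSIX::geteuid(), "): nothing to drop\n";
        exit 0;
    }
    my ($uid, $gid) = drop_privileges($user);
    print "now running as uid=$uid gid=$gid\n";
}
```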


Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread Steven Dickenson



On Jul 7, 2005, at 10:59 PM, Loren Wilton wrote:

> > Procmail will act as the pop3 server
>
> Not quite.  My belief (and Joanne set this up, so she has the
> actual details) is that Fetchmail is feeding procmail, possibly
> going through Sendmail to do this. Procmail has a 2-line recipe
> that calls SA as part of the delivery process for local delivery to
> an account on the Linux box.

Fetchmail can deliver to procmail directly, or any MDA for that
matter (I've heard of people using maildrop as well).

> I don't know if Clam can be integrated using Procmail or not.  If
> it can be executed as a normal Unix stdin-stdout filter, I don't
> know why it wouldn't be possible to do it that way.  So you should
> (I think!) be able to feed to clam, and then to SA (actually
> spamd), and have the resulting mail end up sitting in user
> mailboxes ready to be grabbed by the users using pop3.

If you're interested in doing AV scanning in addition to spam
scanning / tagging, then you're probably better off to have fetchmail
deliver POP'ed mail to an MTA like Postfix or Exim, and have it do
the spam / AV scanning.  I use Exim exclusively, and have this exact
set up running on my home server for friends and family.  Works great.

> I don't recall if you said your users are windows-types or unixen,
> but I'm assuming they are windows users.  If you want to enable
> Bayes with this setup you should be able to do it either per-user
> or site-wide fairly easily.  There is a plethora of information on
> setting up some imap ham/spam drop boxes that users can easily get
> to from either OE or Outlook to use for training the Bayes
> database.  Works like a charm here.

Since he's lost the ability to do SMTP-time rejection, what with
using fetchmail and all, I'd go with per-user bayes databases.  Just
make sure your users spend a little time training it up front.  You
might want to look at a web-based front-end to handle bayes training
and per-user settings.  Check the wiki for options.


Steven
- ---
Steven Dickenson <[EMAIL PROTECTED]>
http://www.mrchuckles.net




Re: SA training

2005-07-07 Thread Steven Dickenson


On Jul 7, 2005, at 9:30 PM, Jean-Paul Natola wrote:

> Here's what I did,
>
> Installed Freebsd, then installed exim, then clamav and finally SA,
>
> All were done via passive ftp

The default Exim configuration files do not do any SA scanning, so  
you must have modified them in some way.  If you're unfamiliar with  
Exim it might be helpful to check out Tim Jackson's howto.  It's a  
little out of date, but for the most part should work fine.


http://www.timj.co.uk/linux/Exim-SpamAndVirusScanning.pdf

Steven
- ---
Steven Dickenson <[EMAIL PROTECTED]>
http://www.mrchuckles.net




Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread Jesse Shumaker
We have 9 sites and around 20 users who need e-mail on average per site.
What I really want in the end is a SpamAssassin, ClamAV, setup. I want
to make it so that the users can either grab their filtered mail from a
linux box inside each site that has already pulled their mail from the
ISP's mail server, or a linux box at each site that just acts as a
filter and the clients connect through it to receive their
SpamAssassined/ClamAV filtered mail. At a maximum I just want to have
to change the clients' e-mail settings, not install a program to get
this working. I also need this to work in Debian Knoppix. This is due
to the auto hardware configuration it offers. Right now I am gathering
information on the possibilities of this and getting documentation on
how it can be implemented. I plan on getting a lot of the base stuff
out of the way in the next few days. This involves the Knoppix install,
network configuration, webmin install, and then the spamassassin/clamav
install. From there I will need to configure it all to work in one of
the two ways I mentioned earlier. I am just trying to sort all this
information and decide on the most efficient route to reach this goal.
I appreciate all the help given so far.

Re: Tsunami warning hits the spam barrier

2005-07-07 Thread Loren Wilton
> All we hope for is that a system is in place by the time half of 
> LaPalma slides into the ocean.  If the predictions are correct, our 
> gulf coast/florida real estate will need all new maps.  The 
> Indonesian tsunami was a ripple in the bathtub in comparison 
> according to some doomsayers.  Google for LaPalma.

You must not be referring to the La Palma in/near Los Angeles.
A number of us would be rather pleased to see it slide into the ocean.

Loren



Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread Loren Wilton



> Procmail will act as the pop3 server 
 
Not quite.  My belief (and Joanne set this up, so she has the actual 
details) is that Fetchmail is feeding procmail, possibly going through Sendmail 
to do this. Procmail has a 2-line recipe that calls SA as part of the delivery 
process for local delivery to an account on the Linux box.
 
Then the standard Linux pop3 server is used to let users pull mail from 
this mailbox.
 
We don't use Clam here, since we have Semantic on the final destination 
Windoze boxen, and this seems to work well enough.  We're also pulling from 
Earthlink accounts using pop3, and they have a first level of virus buster 
there, so things actually get virus scanned twice.
 
I don't know if Clam can be integrated using Procmail or not.  If it 
can be executed as a normal Unix stdin-stdout filter, I don't know why it 
wouldn't be possible to do it that way.  So you should (I think!) be able 
to feed to clam, and then to SA (actually spamd), and have the resulting mail 
end up sitting in user mailboxes ready to be grabbed by the users using 
pop3.
 
I don't recall if you said your users are windows-types or unixen, but I'm 
assuming they are windows users.  If you want to enable Bayes with this 
setup you should be able to do it either per-user or site-wide fairly 
easily.  There is a plethora of information on setting up some imap 
ham/spam drop boxes that users can easily get to from either OE or Outlook to 
use for training the Bayes database.  Works like a charm here.
 
        Loren
 


Re: Tsunami warning hits the spam barrier

2005-07-07 Thread Gene Heskett
On Thursday 07 July 2005 22:16, Daryl C. W. O'Shea wrote:
>Gene Heskett wrote:
>> On Thursday 07 July 2005 21:15, Daryl C. W. O'Shea wrote:
>>>Justin Mason wrote:
>>>> however, it'd be nice to get a copy with full headers so we could
>>>> think about whitelisting it ;)
>>>>
>>>> - --j.
>>>>
>>>>>The problem arises if the open source filter is installed
>>>>> straight out of the box; the messages (usually written in upper
>>>>> case) are not considered spam.
>>>
>>>According to the article, we should think about blacklisting the
>>>message. ;)
>>
>> And just exactly what would that accomplish?  And no, I'm not
>> asking that tongue in cheek.  How many might be able to get clear
>> if the message was delivered in a timely manner?
>
>*That* is what the article said -- "the problem arises if [SA] is
>installed straight out of the box, the messages are NOT considered
> spam".
>
>The article, not I, says it's a problem that the message isn't
> tagged as spam by default.  Personally, I think that the fact that
> the message isn't thought to be spam by SpamAssassin is a good
> thing.
>
>As to how many might be able to get clear... unfortunately I don't
>expect that email notifications (even if delivered immediately)
> would help a substantial number of people.  That's not to say it's
> not a worthwhile cause, I certainly think that it is a good idea no
> matter how many or few people it may potential help and I'm glad
> that SpamAssassin, by default, correctly marks the mail as wanted
> mail.

Well, considering that in any one 50 yard wide, 100 yard stretch of 
the beachfront, there may be .1 computers receiving email in real 
time, the problem is so far down in the noise as to be negligent.  
Computers & email facilities tend to be installed/used at more 
permanent locations than a beach bar/tent or chair & umbrella on the 
sand.  That half a hundred meter separation is probably as important 
as anything else in being the barrier to getting the info to the 
people that need it.

And of course we can waste countless electrons trying to come up with 
a solution from halfway around the planet, but if it doesn't work 
_there_, it's of use only as discussion material to keep professional 
conference committee members in supply of subject matter.

All we hope for is that a system is in place by the time half of 
LaPalma slides into the ocean.  If the predictions are correct, our 
gulf coast/florida real estate will need all new maps.  The 
Indonesian tsunami was a ripple in the bathtub in comparison 
according to some doomsayers.  Google for LaPalma.

>Daryl

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.


Re: Tsunami warning hits the spam barrier

2005-07-07 Thread jdow
From: "Gene Heskett" <[EMAIL PROTECTED]>

> On Thursday 07 July 2005 21:15, Daryl C. W. O'Shea wrote:
> >Justin Mason wrote:
> >> however, it'd be nice to get a copy with full headers so we could
> >> think about whitelisting it ;)
> >>
> >> - --j.
> >>
> >>>The problem arises if the open source filter is installed straight
> >>> out of the box; the messages (usually written in upper case) are
> >>> not considered spam.
> >
> >According to the article, we should think about blacklisting the
> > message. ;)
> >
> And just exactly what would that accomplish?  And no, I'm not asking 
> that tongue in cheek.  How many might be able to get clear if the 
> message was delivered in a timely manner?

In general nothing can be done about it. All upper case is pretty
good spam-sign. The source of the messages could reduce it to usual
sentence capitalization and solve the problem right out. I would
suggest that the SARE whitelist have the source of these warnings
included. But the rules used by any given site are up to the site
manager's whims and prerogative, as are the scores ultimately.

It would also help if the bozoids involved understood how SA works.
All caps is not a word or letter count sensitive rule.

{^_^}



Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread jdow
No, it doesn't. We go fetchmail to procmail to mailbox and local POP3
server. AV filtering is done on the local machines via a standard AV
tool that is maintained up to date automatically. I don't trust tools
like ClamAV to be as up to the minute as the email scanners. (Besides,
SA filters here as combined with Earthlink's AV filters, leave me with
no spam getting through except to the spam mailbox which gets discarded
mostly unread.

{^_^}   (I'm doing Loren's mini-ISP service here locally pullout our
mail down as described.)
- Original Message - 
From: "Jesse Shumaker" <[EMAIL PROTECTED]>


Loren,

So with doing it this way and setting up user accounts for each e-mail
account on the linux box and using Fetchmail which is installed on the Linux
box to grab each users mail from the ISP, Procmail will act as the pop3
server to allow these users to grab their mail internally from the linux
box, and SpamAssassin would filter all the spam due to being installed on
the central Linux box? Does your organization use ClamAV to remove filter
virus's from the e-mail as well?

Thanks a lot for this.

On 7/7/05, Loren Wilton <[EMAIL PROTECTED]> wrote:
>
> I don't immediately see that anyone more knowledgeable replied, so I'll
> toss out some possibilities/confirmations:
>
> Yes, you need something like a Linux box. It will run SA, and will
> retrieve mail using pop3 from your current provider. Pop3proxy is one
> possibility. Another possibility is Fetchmail feeding into a local mail
> system.
>
> I don't recall if you said how many users you have, but my impression is
> it is no more than a few thousand, perhaps only a few hundred. At this
> size it would be feasible to set up an account on the linux box for each
> user, and deliver mail into these accounts.
>
> Basically you can use Fetchmail to grab the mail from your current pop3
> server and stick it into the standard unix mail files for each user on the
> system. Then you can use a pop3 server on the linux box so your user can
> grab their mail out of these accounts. SA would be in the middle of that
> process, probably something like
> Fetchmail->procmail->SA->mailbox->pop3server.
>
> Your users don't need actual access to these accounts, or even know that
> they exist, and I think you can set them up as no login. All the users
> will have to do is change the hostname in their pop3 mail configurations
> for where they grab mail. Unless you want to run outbound through SA also,
> they won't have to change the current smtp info pointing to your external
> provider.
>
> This is essentially how we have things set up here.
>
>   Loren
>
> - Original Message - 
> *From:* Jesse Shumaker <[EMAIL PROTECTED]>
> *To:* users@spamassassin.apache.org
> *Sent:* Wednesday, July 06, 2005 11:07 PM
> *Subject:* Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...
>
> Let me try and summarize what I have received from all these e-mails as
> well as put together myself. Then you guys could give me some feedback if
> I'm on the right trail. What I need to do is install SpamAssassin
> w/pop3proxy on a linux box. Then setup the pop3proxy to point to my
> external pop3 server. On the client side I will need to setup each
> client's login to include their login name and the SpamAssassin/pop3proxy
> server (I'm not sure if I can only do this if I use the SAproxy utility
> for windows). That's how I understand this should work. Now configuring
> this is another situation. How does it look to you guys? I have just
> noticed that there are a lot of utilities and stuff to use and am trying
> to piece it all together.
>
> thanks
>
> On 7/6/05, Jesse Shumaker <[EMAIL PROTECTED]> wrote:
> >
> > So you must have SAproxy on each client to do this? I know that is
> > another product that I have heard of. If so do you have a download link
> > where I can get SAproxy? If that is just the name you are calling the
> > SpamAssassin proxy it looks like all I would need to do is specify the
> > destination server in the login box and I'm set. All I have to do on the
> > server end is setup the POP3proxy. Is this correct?
> >
> > On 7/6/05, Paolo Cravero as2594 < [EMAIL PROTECTED] > wrote:
> > >
> > > Jesse Shumaker wrote:
> > >
> > > Hi
> > >
> > > > This looks good and I think I may try this perl module. It seems
> > > > that it's geared towards a single workstation and not a network of
> > > > machines. They say that you point your client to localhost, which
> > > > means that each machine must have this installed. How are you guys
> > > > running this so that you can have one centralized SA server? Also,
> > > > how does the SA box authenticate with the ISP's POP servers for each
> > > > e-mail client? In my organization each user has their own password
> > > > and username for their e-mail account.
> > >
> > > We installed it on a linux box with SA, and run it as a daemon. It
> > > supports concurrent connections, although we haven't tested it

Re: Tsunami warning hits the spam barrier

2005-07-07 Thread Daryl C. W. O'Shea

Gene Heskett wrote:
> On Thursday 07 July 2005 21:15, Daryl C. W. O'Shea wrote:
>> Justin Mason wrote:
>>> however, it'd be nice to get a copy with full headers so we could
>>> think about whitelisting it ;)
>>>
>>> - --j.
>>>
>>>> The problem arises if the open source filter is installed straight
>>>> out of the box; the messages (usually written in upper case) are
>>>> not considered spam.
>>
>> According to the article, we should think about blacklisting the
>> message. ;)
>
> And just exactly what would that accomplish?  And no, I'm not asking
> that tongue in cheek.  How many might be able to get clear if the
> message was delivered in a timely manner?


*That* is what the article said -- "the problem arises if [SA] is 
installed straight out of the box, the messages are NOT considered spam".


The article, not I, says it's a problem that the message isn't tagged as 
spam by default.  Personally, I think that the fact that the message 
isn't thought to be spam by SpamAssassin is a good thing.


As to how many might be able to get clear... unfortunately I don't 
expect that email notifications (even if delivered immediately) would 
help a substantial number of people.  That's not to say it's not a 
worthwhile cause, I certainly think that it is a good idea no matter how 
many or few people it may potential help and I'm glad that SpamAssassin, 
by default, correctly marks the mail as wanted mail.



Daryl



Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread Jesse Shumaker
Loren,

So with doing it this way and setting up user accounts for each e-mail
account on the linux box and using Fetchmail which is installed on the
Linux box to grab each users mail from the ISP, Procmail will act as
the pop3 server to allow these users to grab their mail internally from
the linux box, and SpamAssassin would filter all the spam due to being
installed on the central Linux box? Does your organization use ClamAV
to remove filter virus's from the e-mail as well?

Thanks a lot for this.

On 7/6/05, Paolo Cravero as2594 < [EMAIL PROTECTED] > wrote:

Jesse Shumaker wrote:

Hi

> This looks good and I think I may try this perl module. It seems that
> it's geared towards a single workstation and not a network of machines.
> They say that you point your client to localhost, which means that each
> machine must have this installed. How are you guys running this so that
> you can have one centralized SA server? Also, how does the SA box
> authenticate with the ISP's POP servers for each e-mail client? In my
> organization each user has their own password and username for their
> e-mail account.

We installed it on a linux box with SA, and run it as a daemon. It
supports concurrent connections, although we haven't tested it
thoroughly (hundreds of simultaneous connections...). So, rather than
installing it locally on each machine, use a shared POP proxy.

The client sends SAproxy the user/password, that then SAproxy submits to
the remote server. It is a proxy for POP3 protocol (no support for
POP3*S*), just that before sending the message to the client it is
scanned by SA.

It is also very flexible, since the destination server has to be
specified as part of the login string ([EMAIL PROTECTED] to retrieve
mail with login [EMAIL PROTECTED] from pop.domain.com server):
your colleagues can use the same proxy box for retrieving mail fr

Re: Tsunami warning hits the spam barrier

2005-07-07 Thread Gene Heskett
On Thursday 07 July 2005 21:15, Daryl C. W. O'Shea wrote:
>Justin Mason wrote:
>> however, it'd be nice to get a copy with full headers so we could
>> think about whitelisting it ;)
>>
>> - --j.
>>
>>>The problem arises if the open source filter is installed straight
>>> out of the box; the messages (usually written in upper case) are
>>> not considered spam.
>
>According to the article, we should think about blacklisting the
> message. ;)
>
And just exactly what would that accomplish?  And no, I'm not asking 
that tongue in cheek.  How many might be able to get clear if the 
message was delivered in a timely manner?

>Daryl

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.


RE: SA training

2005-07-07 Thread Jean-Paul Natola
I wish I can Answer That with 100% certainty,

Here's what I did,

Installed Freebsd, then installed exim, then clamav and finally SA,

All were done via passive ftp



-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 07, 2005 8:33 PM
To: users@spamassassin.apache.org
Subject: Re: SA training

> at the header like this one for example which I don't know WHY it says
> "possible spam"  as it scored a ZERO
>
> X-Spam-Score: 0.0 (/)

Is that directly out of SA?  Or do you have something else like qmail or
some such in the path?

If that is straight out of SA, something looks broken as all heck.  A more
reasonable guess seems to be that you have one of the programs that parse
and discard the SA headers and supply their own versions, and this program
failed to parse the SA line correctly when it made its own version.

Loren



Re: Tsunami warning hits the spam barrier

2005-07-07 Thread Daryl C. W. O'Shea

Justin Mason wrote:
> however, it'd be nice to get a copy with full headers so we could think
> about whitelisting it ;)
>
> - --j.
>
>> The problem arises if the open source filter is installed straight out
>> of the box; the messages (usually written in upper case) are not
>> considered spam.

According to the article, we should think about blacklisting the message. ;)

Daryl



Re: ALL_TRUSTED and Razor, DCC and Pyzor

2005-07-07 Thread Theo Van Dinter
On Thu, Jul 07, 2005 at 07:24:02PM -0500, Kenneth S. wrote:
> Skip DNS tests (Default option = 0)
>  ->Skip Razor, Pyzor and DCC checks and the above tests (option = 1)
> ->Skip all checks (option = 2)
> 
> How does that look?  Also what would the option be called?

This really belongs on dev, but...

I wrote up a bunch of thoughts last year about how short circuit
should work.  A simple option really doesn't do it, unfortunately.
The general idea/short version, was to have a short circuit plugin
which would reorder the rules automatically and drop out at the end of
the priority run.  The thoughts about what to do by default for short
circuit is included in the short thread at:

http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200411.mbox/[EMAIL PROTECTED]

-- 
Randomly Generated Tagline:
 One of Bender's kids: Can we have Bender burgers again? 
  Bender: No, the cat shelter's onto me.




Re: Tsunami warning hits the spam barrier

2005-07-07 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


yeah, I saw that -- the message scores 3.7 according to the report, well
under 5.  It's pretty reckless to lower the threshold enough to cause that
to hit as spam.

however, it'd be nice to get a copy with full headers so we could think
about whitelisting it ;)

- --j.

Dan Kohn writes:
> http://www.computerworld.com.au/index.php/id;1807582661;fp;16;fpid;0
> 
> Tsunami warning hits the spam barrier
> 
> Michael Crawford
> 
> 07/07/2005 07:29:27
> 
> The first live run of the Indian Ocean Tsunami warning system earlier
> this month turned out to be a bit of a disaster. 
> 
> Not a natural disaster, but it provided an unexpected result for some
> users of Apache's SpamAssassin. 
> 
> Subscribers to the automated e-mail warning system, which sent out an
> alert for an earthquake off Northern Sumatra that rated 6.7 on the
> Richter scale, found the Tsunami warning notification deferred as spam. 
> 
> The problem arises if the open source filter is installed straight out
> of the box; the messages (usually written in upper case) are not
> considered spam. 
> 
> But for anyone who locks down the spam filter, SpamAssassin categorizes
> the e-mail as spam due to a combination of upper case text in a
> clear-cut format forwarded by a hidden sender. 
> 
> With the spam filters locked down, the warning message - written in the
> original in upper case letters, of: "THERE IS A VERY SMALL POSSIBILITY
> OF A DESTRUCTIVE LOCAL TSUNAMI IN THE INDIAN OCEAN", rates a spam score
> of 3.7 out of 10. 
> 
> Australian National University (ANU) visiting Computer Science Fellow,
> Tom Worthington, said anything that rates over five is considered to be
> spam and a 10 is absolutely spam. 
> 
> "There is also a general concern that the more words the message uses
> will make the rating go even higher," he said. 
> 
> "The indicators on the message are typical of what spam software uses -
> if you work in a government agency there is less of a concern, because
> the system is set up to receive the warnings but there is always the
> risk that computer support will install a spam filter for mail and these
> messages won't get through." 
> 
> Put simply, these dire warnings of a natural disaster will be blocked
> because they will be regarded as spam. 
> 
> "With these sorts of messages you want to make sure they get through ...
> the other interesting thing is previous tests had this exact problem
> with the spam filters," Worthington said. 
> 
> "The Tsunami messages are very official and use clear-cut wording which
> is setting off the spam filters - they need to change format because
> part of the problem is that spammers also try to make messages look
> official." 
> 
> Worthington said he has since been in contact with the Japan
> Meteorological Agency which issues bulletins for the Indian Ocean, and
> with the United Nations Educational, Scientific and Cultural
> Organization requesting them to redesign the mailouts.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFCzdIPMJF5cimLx9ARArQ0AJ9Ww7KkqoBNaSYFUnIZdtm0fJM4WwCeK7Uf
ckn84nDpPdMM8htu5vrFxtQ=
=nWyP
-END PGP SIGNATURE-



RE: ALL_TRUSTED and Razor, DCC and Pyzor

2005-07-07 Thread lists

Hello,

Man, I can't wait till these kinds of features get implemented.  Another
similar idea would be to stop SA scanning if the score gets to a certain
number.  On heavily hit mail servers, these kinds of features would help
with CPU usage.

As it stands now, SA goes through all of the scanning steps no matter
what, right?

Regards,
Devin



At 12:58 AM +0200 7/8/05, Sander Holthaus - Orange XL wrote:

I think that is an excellent idea!

I call spamc from maildrop, so I can filter out some messages that do not
need to be processed by SpamAssassin. But it would be much easier for most
installations if such behaviour can be done from within SpamAssassin.

You might want to add even an extra option that doesn't scan local messages
(things like daily/weekly/monthly outputs), e.g. mail from the box itself
that spamassassin is running on.
An option that disables scanning from or to certain addresses entirely (for
instance, if you have a mail-account friends can send you some sample spam
to which doesn't require filtering nor anything like AWL(learning or
Bayes(learning)).

Kind Regards,
Sander Holthaus


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 08, 2005 12:33 AM
 To: Theo Van Dinter
 Cc: users@spamassassin.apache.org
 Subject: Re: ALL_TRUSTED and Razor, DCC and Pyzor

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1


 Theo Van Dinter writes:
 > On Thu, Jul 07, 2005 at 04:34:03PM -0500, Kenneth S. wrote:
 > > Is there anyway to configure SA so that if the
 ALL_TRUSTED rule is
 > > hit it skips the Razor, DCC and Pyzor tests?
 >
 > Not without modifying code.

 However, it is something we've been thinking of. patches welcome! ;)

 ps: fwiw, we were considering that rules like ALL_TRUSTED
 that are 100% trustworthy would be set to run at a higher
 priority (that's
 implemented) and cause the check to exit immediately (that's not).

 - --j.
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.2.5 (GNU/Linux)
 Comment: Exmh CVS

 iD8DBQFCza2bMJF5cimLx9ARAt5OAJ9J/AOBFbr8g3ii6dC2xxc64ouO0QCdGLX2
 4LU3Kh861VAxZGv5Hs6TTM0=
 =IgAN
 -END PGP SIGNATURE-





Tsunami warning hits the spam barrier

2005-07-07 Thread Dan Kohn
http://www.computerworld.com.au/index.php/id;1807582661;fp;16;fpid;0


Tsunami warning hits the spam barrier


Michael Crawford

07/07/2005 07:29:27

The first live run of the Indian Ocean Tsunami warning system earlier
this month turned out to be a bit of a disaster. 

Not a natural disaster, but it provided an unexpected result for some
users of Apache's SpamAssassin. 

Subscribers to the automated e-mail warning system, which sent out an
alert for an earthquake off Northern Sumatra that rated 6.7 on the
Richter scale, found the Tsunami warning notification deferred as spam. 

The problem arises if the open source filter is installed straight out
of the box; the messages (usually written in upper case) are not
considered spam. 

But for anyone who locks down the spam filter, SpamAssassin categorizes
the e-mail as spam due to a combination of upper case text in a
clear-cut format forwarded by a hidden sender. 

With the spam filters locked down, the warning message - written in the
original in upper case letters, of: "THERE IS A VERY SMALL POSSIBILITY
OF A DESTRUCTIVE LOCAL TSUNAMI IN THE INDIAN OCEAN", rates a spam score
of 3.7 out of 10. 

Australian National University (ANU) visiting Computer Science Fellow,
Tom Worthington, said anything that rates over five is considered to be
spam and a 10 is absolutely spam. 

"There is also a general concern that the more words the message uses
will make the rating go even higher," he said. 

"The indicators on the message are typical of what spam software uses -
if you work in a government agency there is less of a concern, because
the system is set up to receive the warnings but there is always the
risk that computer support will install a spam filter for mail and these
messages won't get through." 

Put simply, these dire warnings of a natural disaster will be blocked
because they will be regarded as spam. 

"With these sorts of messages you want to make sure they get through ...
the other interesting thing is previous tests had this exact problem
with the spam filters," Worthington said. 

"The Tsunami messages are very official and use clear-cut wording which
is setting off the spam filters - they need to change format because
part of the problem is that spammers also try to make messages look
official." 

Worthington said he has since been in contact with the Japan
Meteorological Agency which issues bulletins for the Indian Ocean, and
with the United Nations Educational, Scientific and Cultural
Organization requesting them to redesign the mailouts.


Re: SA training

2005-07-07 Thread Loren Wilton
> at the header like this one for example which I don't know WHY it says
> "possible spam"  as it scored a ZERO
>
> X-Spam-Score: 0.0 (/)

Is that directly out of SA?  Or do you have something else like qmail or
some such in the path?

If that is straight out of SA, something looks broken as all heck.  A more
reasonable guess seems to be that you have one of the programs that parse
and discard the SA headers and supply their own versions, and this program
failed to parse the SA line correctly when it made its own version.

Loren



Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread Loren Wilton



I don't immediately see that anyone more knowledgeable replied, so I'll
toss out some possibilities/confirmations:

Yes, you need something like a Linux box.  It will run SA, and will
retrieve mail using pop3 from your current provider.  Pop3proxy is one
possibility.  Another possibility is Fetchmail feeding into a local mail
system.

I don't recall if you said how many users you have, but my impression is
it is no more than a few thousand, perhaps only a few hundred.  At this
size it would be feasible to set up an account on the linux box for each
user, and deliver mail into these accounts.

Basically you can use Fetchmail to grab the mail from your current pop3
server and stick it into the standard unix mail files for each user on the
system.  Then you can use a pop3 server on the linux box so your user can
grab their mail out of these accounts.  SA would be in the middle of that
process, probably something like
Fetchmail->procmail->SA->mailbox->pop3server.

Your users don't need actual access to these accounts, or even know that
they exist, and I think you can set them up as no login.  All the users
will have to do is change the hostname in their pop3 mail configurations
for where they grab mail.  Unless you want to run outbound through SA
also, they won't have to change the current smtp info pointing to your
external provider.

This is essentially how we have things set up here.

        Loren

  - Original Message -
  From: Jesse Shumaker
  To: users@spamassassin.apache.org
  Sent: Wednesday, July 06, 2005 11:07 PM
  Subject: Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

Let me try and summarize what I have received from all these e-mails as
well as put together myself. Then you guys could give me some feedback if
I'm on the right trail. What I need to do is install SpamAssassin
w/pop3proxy on a linux box. Then setup the pop3proxy to point to my
external pop3 server. On the client side I will need to setup each
client's login to include their login name and the SpamAssassin/pop3proxy
server (I'm not sure if I can only do this if I use the SAproxy utility
for windows). That's how I understand this should work. Now configuring
this is another situation. How does it look to you guys? I have just
noticed that there are a lot of utilities and stuff to use and am trying
to piece it all together.

thanks

On 7/6/05, Jesse Shumaker <[EMAIL PROTECTED]> wrote:

So you must have SAproxy on each client to do this? I know that is another
product that I have heard of. If so do you have a download link where I can
get SAproxy? If that is just the name you are calling the SpamAssassin proxy
it looks like all I would need to do is specify the destination server in
the login box and I'm set. All I have to do on the server end is setup the
POP3proxy. Is this correct?

On 7/6/05, Paolo Cravero as2594 <[EMAIL PROTECTED]> wrote:

Jesse Shumaker wrote:

Hi

> This looks good and I think I may try this perl module. It seems that
> it's geared towards a single workstation and not a network of machines.
> They say that you point your client to localhost, which means that each
> machine must have this installed. How are you guys running this so that
> you can have one centralized SA server? Also, how does the SA box
> authenticate with the ISP's POP servers for each e-mail client? In my
> organization each user has their own password and username for their
> e-mail account.

We installed it on a linux box with SA, and run it as a daemon. It
supports concurrent connections, although we haven't tested it
thoroughly (hundreds of simultaneous connections...). So, rather than
installing it locally on each machine, use a shared POP proxy.

The client sends SAproxy the user/password, that then SAproxy submits to
the remote server. It is a proxy for POP3 protocol (no support for
POP3*S*), just that before sending the message to the client it is
scanned by SA.

It is also very flexible, since the destination server has to be
specified as part of the login string ([EMAIL PROTECTED] to retrieve
mail with login [EMAIL PROTECTED] from pop.domain.com server):
your colleagues can use the same proxy box for retrieving mail from
other POP3 accounts as well.

PC

--
|QRPp-I #707  + www.paolocravero.tk +  I QRP #476   |
| SpamAssassin-based email antispam/antivirus solutions |
 \Italian/English-to/from-Croatian translations/
  \   Skype: pcravero   /


Re: ALL_TRUSTED and Razor, DCC and Pyzor

2005-07-07 Thread Kenneth S.
Well this works out.  I started putting something together after Theo's 
response.  I already have it working and skipping the checks based on 
ALL_TRUSTED but did not add any debug code.  Since it looks like this is 
something that you want in SA I'll add debug code and put a patch 
together.  I was thinking of putting an option in local.cf that would skip 
checks as follows.


Skip DNS tests (Default option = 0)
 ->Skip Razor, Pyzor and DCC checks and the above tests (option = 1)
->Skip all checks (option = 2)

How does that look?  Also what would the option be called?

-Kenneth

On Thu, 7 Jul 2005, Justin Mason wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Theo Van Dinter writes:

On Thu, Jul 07, 2005 at 04:34:03PM -0500, Kenneth S. wrote:

Is there anyway to configure SA so that if the ALL_TRUSTED rule is hit it
skips the Razor, DCC and Pyzor tests?


Not without modifying code.


However, it is something we've been thinking of. patches welcome! ;)

ps: fwiw, we were considering that rules like ALL_TRUSTED that
are 100% trustworthy would be set to run at a higher priority (that's
implemented) and cause the check to exit immediately (that's not).

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFCza2bMJF5cimLx9ARAt5OAJ9J/AOBFbr8g3ii6dC2xxc64ouO0QCdGLX2
4LU3Kh861VAxZGv5Hs6TTM0=
=IgAN
-END PGP SIGNATURE-



RE: ALL_TRUSTED and Razor, DCC and Pyzor

2005-07-07 Thread Sander Holthaus - Orange XL
I think that is an excellent idea!

I call spamc from maildrop, so I can filter out some messages that do not
need to be processed by SpamAssassin. But it would be much easier for most
installations if such behaviour can be done from within SpamAssassin.

You might want to add even an extra option that doesn't scan local messages
(things like daily/weekly/monthly outputs), e.g. mail from the box itself
that spamassassin is running on.
An option that disables scanning from or to certain addresses entirely (for
instance, if you have a mail-account friends can send you some sample spam
to which doesn't require filtering nor anything like AWL(learning or
Bayes(learning)).

Kind Regards,
Sander Holthaus

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Friday, July 08, 2005 12:33 AM
> To: Theo Van Dinter
> Cc: users@spamassassin.apache.org
> Subject: Re: ALL_TRUSTED and Razor, DCC and Pyzor 
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> 
> Theo Van Dinter writes:
> > On Thu, Jul 07, 2005 at 04:34:03PM -0500, Kenneth S. wrote:
> > > Is there anyway to configure SA so that if the 
> ALL_TRUSTED rule is 
> > > hit it skips the Razor, DCC and Pyzor tests?
> > 
> > Not without modifying code.
> 
> However, it is something we've been thinking of. patches welcome! ;)
> 
> ps: fwiw, we were considering that rules like ALL_TRUSTED 
> that are 100% trustworthy would be set to run at a higher 
> priority (that's
> implemented) and cause the check to exit immediately (that's not).
> 
> - --j.
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Exmh CVS
> 
> iD8DBQFCza2bMJF5cimLx9ARAt5OAJ9J/AOBFbr8g3ii6dC2xxc64ouO0QCdGLX2
> 4LU3Kh861VAxZGv5Hs6TTM0=
> =IgAN
> -END PGP SIGNATURE-
> 



Re: ALL_TRUSTED and Razor, DCC and Pyzor

2005-07-07 Thread Kelson

Theo Van Dinter wrote:
> On Thu, Jul 07, 2005 at 04:34:03PM -0500, Kenneth S. wrote:
>> Is there anyway to configure SA so that if the ALL_TRUSTED rule is hit it
>> skips the Razor, DCC and Pyzor tests?
>
> Not without modifying code.


You could probably create a set of meta-rules to counteract the scoring.

Something like...

meta TRUSTED_RAZOR   RAZOR2_CHECK && ALL_TRUSTED
score TRUSTED_RAZOR   -(scores assigned to RAZOR2_CHECK)

It won't save time or processing, but it will reduce the chances of FPs.

--
Kelson Vibber
SpeedGate Communications 


Re: ALL_TRUSTED and Razor, DCC and Pyzor

2005-07-07 Thread Justin Mason
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Theo Van Dinter writes:
> On Thu, Jul 07, 2005 at 04:34:03PM -0500, Kenneth S. wrote:
> > Is there anyway to configure SA so that if the ALL_TRUSTED rule is hit it 
> > skips the Razor, DCC and Pyzor tests?
> 
> Not without modifying code.

However, it is something we've been thinking of. patches welcome! ;)

ps: fwiw, we were considering that rules like ALL_TRUSTED that
are 100% trustworthy would be set to run at a higher priority (that's
implemented) and cause the check to exit immediately (that's not).

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFCza2bMJF5cimLx9ARAt5OAJ9J/AOBFbr8g3ii6dC2xxc64ouO0QCdGLX2
4LU3Kh861VAxZGv5Hs6TTM0=
=IgAN
-END PGP SIGNATURE-



Re: SORBS_DUL and NJABL_DUL

2005-07-07 Thread Daryl C. W. O'Shea

[EMAIL PROTECTED] wrote:
> Sorry for the slight delay, replies inline:
>
> At 01:39 07-07-05, Daryl C. W. O'Shea - [EMAIL PROTECTED] wrote:
>>> Received: from host-212-158-194-14.bulldogdsl.com (HELO
>>> phoenix.example.com) (212.158.194.14)
>>>   by secure.example.name with (DHE-RSA-AES256-SHA encrypted) SMTP; 1
>>> Jul 2005 10:00:52 +0100
>>
>> What SMTP service generates this header?
>
> I use QMail configured mainly via Plesk.  The SMTP connection in this
> particular case is using TLS for transfer between Eudora and my mail
> server.

I remember going through this before now.  Below you say you use SMTP
auth, but here you don't mention it, so it's not clear how new the SMTP
auth patch to qmail you are using is (I'm assuming you are using SMTP
auth above and you've got the oldest patch).

Originally there were no auth tokens present, then the patch included
something that looked like this:

Received: from host-212-158-194-14.bulldogdsl.com (HELO
phoenix.example.com) ([EMAIL PROTECTED]@212.158.194.14)
  by secure.example.name with (DHE-RSA-AES256-SHA encrypted) SMTP; 1
Jul 2005 10:00:52 +0100

As you'll notice, the SMTP auth username is prepended to the client IP.
This isn't RFC 3848 compliant though, so a later patch (which is
compliant) includes the auth method like this:

Received: from host-212-158-194-14.bulldogdsl.com (HELO
phoenix.example.com) (212.158.194.14)
  by secure.example.name with ESMTPA; 1 Jul 2005 10:00:52 +0100

Now, I don't know what qmail does if you've got both TLS and SMTP auth
in the RFC 3848 compliant patch.  SpamAssassin currently won't support
it if it looks like this (and I'd appreciate someone letting me know so
I can get it changed before 3.1.0 is released):

Received: from host-212-158-194-14.bulldogdsl.com (HELO
phoenix.example.com) (212.158.194.14)
  by secure.example.name with (DHE-RSA-AES256-SHA encrypted) ESMTPA; 1
Jul 2005 10:00:52 +0100

...which actually isn't strictly RFC 3848 compliant, so I'm hoping it
looks like this (which is strictly RFC 3848 compliant):

Received: from host-212-158-194-14.bulldogdsl.com (HELO
phoenix.example.com) (212.158.194.14)
  by secure.example.name with ESMTPSA; 1 Jul 2005 10:00:52 +0100

Anyway, I'm not familiar with qmail releases, so I don't know if you can
get a complete tarball, RPM or whatever with the updated (RFC 3848
compliant) SMTP auth patches.  If you can, that's your best bet.  I'm
sure somebody here or on the qmail list can fill you in on this.

>> If you can use SMTP auth (which I really hope you are, or are at least
>> using an IP based auth list) and if whatever server you are using will
>> place a supported auth token in the received header your problem will
>> magically go away (actually SpamAssassin will automatically extend the
>> trust boundary to authenticated clients).
>>
>> Note that the (DHE-RSA-AES256-SHA encrypted) token isn't used since
>> it's not an authentication token.  You want to see something like
>> "authenticated user" or "authenticated x bits" immediately before the
>> "by" section of the header or "ESMTPA", "ESMTPSA", "LSMTPA", "LSMTPSA"
>> or "HTTP" as the "with" method.
>
> Thanks for that tip.  I do use SMTP auth, except that as you pointed
> out, the current config doesn't seem to insert this in any way into the
> header.  Shall do some digging to see how to configure Qmail to do
> this.  If anyone has any pointers relevant to Qmail, which hopefully
> won't involve recompiling Qmail, would be quite useful.

Probably not much help, but it does explain what I wrote above (and may
tell you about how to get an updated release -- I haven't read the whole
page):

http://www.fehcom.de/qmail/smtpauth.html

The relevant auth token info is about half way down the page.  That
section ends with an incorrect assessment of how Apache SpamAssassin
(3.0.2+, before then auth tokens were completely ignored) extends its
trust boundary.

In actuality, the trust boundary is extended one host at a time from
your network back to the senders.  If at any time a received header does
not include an SMTP auth token the trust boundary extension is
immediately stopped.  Even if an SMTP auth token is present in a later
received header (after a non SMTP auth'd received header) the trust
boundary will NOT be extended to that host since SpamAssassin cannot
trust that the received header was not forged.  This method fully
addresses the qmail SMTP auth patch author's concerns.  I've been
meaning to write him about it, but forgot.



Daryl
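Added example (not part of the message above and not SpamAssassin's own code): a small Python model of the hop-by-hop trust extension the message describes, run over the four Received header shapes it quotes plus a constructed three-hop chain. The regular expressions, function names and documentation-range addresses are assumptions made for illustration; the model also assumes the topmost header was written by your own server.

```python
import re

# "with" methods the message lists as carrying an authentication claim.
AUTH_WITH = re.compile(r"\bwith\s+(ESMTPA|ESMTPSA|LSMTPA|LSMTPSA|HTTP)\b")
# Assumption: a loose stand-in for the "authenticated ..." comment written
# immediately before "by"; the exact wording varies between mail servers.
AUTH_COMMENT = re.compile(r"\(authenticated\b[^)]*\)\s+by\b", re.IGNORECASE)
# Parenthesised IPv4 address of the connecting client.
CLIENT_IP = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

# The header shapes quoted in the message, with folded lines joined.
PAGE_PREFIX = ("from host-212-158-194-14.bulldogdsl.com (HELO phoenix.example.com) "
               "(212.158.194.14) by secure.example.name with ")
PAGE_SUFFIX = "; 1 Jul 2005 10:00:52 +0100"
TLS_ONLY = PAGE_PREFIX + "(DHE-RSA-AES256-SHA encrypted) SMTP" + PAGE_SUFFIX
ESMTPA = PAGE_PREFIX + "ESMTPA" + PAGE_SUFFIX
ESMTPSA = PAGE_PREFIX + "ESMTPSA" + PAGE_SUFFIX
TLS_THEN_ESMTPA = PAGE_PREFIX + "(DHE-RSA-AES256-SHA encrypted) ESMTPA" + PAGE_SUFFIX

# Constructed chain, newest header first, using documentation addresses.
# The oldest header claims ESMTPA but sits behind an unauthenticated hop.
CHAIN = [
    "from laptop.example.org (192.0.2.10)\n"
    "  by mx.example.net with ESMTPSA; 1 Jul 2005 10:00:52 +0100",
    "from relay.example.com (198.51.100.7)\n"
    "  by laptop.example.org with SMTP; 1 Jul 2005 10:00:50 +0100",
    "from unknown (203.0.113.99)\n"
    "  by relay.example.com with ESMTPA; 1 Jul 2005 10:00:48 +0100",
]


def unfold(header):
    """Join a folded header into one line with single spaces."""
    return " ".join(header.split())


def auth_token(header):
    """Return the auth token found in one Received header, or None.

    The TLS cipher comment is not an auth token, and a cipher comment placed
    between "with" and the method hides the method from this check, which
    matches the unsupported case the message describes.
    """
    line = unfold(header)
    match = AUTH_WITH.search(line)
    if match:
        return match.group(1)
    if AUTH_COMMENT.search(line):
        return "authenticated"
    return None


def client_ip(header):
    """Return the first parenthesised IPv4 address in the header, or None."""
    match = CLIENT_IP.search(unfold(header))
    return match.group(1) if match else None


def extend_trust(received):
    """Walk Received headers newest first and extend trust hop by hop.

    Returns (trusted_clients, stop_index). Extension stops at the first
    header without an auth token; any token in an older header is ignored
    because that header was written by a host outside the boundary.
    """
    trusted = []
    for index, header in enumerate(received):
        token = auth_token(header)
        if token is None:
            return trusted, index
        trusted.append((client_ip(header), token))
    return trusted, len(received)


if __name__ == "__main__":
    for name, header in [("TLS only", TLS_ONLY), ("ESMTPA", ESMTPA),
                         ("ESMTPSA", ESMTPSA), ("TLS + ESMTPA", TLS_THEN_ESMTPA)]:
        print(f"{name:14} -> {auth_token(header)}")
    print(extend_trust(CHAIN))
```
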



Re: SA training

2005-07-07 Thread Stuart Johnston

Jean-Paul Natola wrote:


-Original Message-
From: JamesDR [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 07, 2005 5:42 PM

To: users@spamassassin.apache.org
Subject: Re: SA training

Jean-Paul Natola wrote:


OK I found the documentation for using IMAP2mbox to train,

Now its quite simple to tell a user "if its spam , drag it here" 


But how is the user to know if they have a false positive, unless they look
at the header like this one for example which I don't know WHY it says
"possible spam"  as it scored a ZERO

X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam detection software, running on the system "mfilter",


has


identified this incoming email as possible spam.  The original
message
has been attached to this so you can view it (if it isn't spam) or
label
similar future email.  If you have any questions, see
the administrator of that system for details.
Content preview:  Yes! It works! As of snapshot 5.4-STABLE-SNAP005 it
gets successfully to the sysinstall menu without any flags. Thanks a
	lot! Alejandro [...] 
	Content analysis details:   (0.0 points, 5.0 required)

pts rule name  description

I'm also curious as to why a 0 would get flagged as possible spam?  



This is my setup (keep in my mind I'm a total NOVICE)

I have freeBSD 5.4 installed with  EXIM CLAMAV SA

I'm not quite sure what you mean by "tools" and "calling" 


I think* its EXIM calling it?


Assuming you are using Exiscan, you should have a section in your Exim 
config that looks like:


   warn message = X-Spam-Report: $spam_report
        condition = ${if <{$message_size}{100k}{1}{0}}
        spam = nobody:true

This says to add the Spam-Report header to every message (this is useful 
for debugging).  The default report text assumes that the report will 
only be added to messages with a score above a certain threshold to be 
considered spam.  So, if the text bothers you, you can either change the 
text or only add the report for messages with higher scores.


   warn message = X-Spam-Report: $spam_report
        condition = ${if <{$message_size}{100k}{1}{0}}
        spam = nobody:true
        condition = ${if >{$spam_score_int}{50}{1}{0}}

This will add the report for messages scoring over 5.  Exiscan 
multiplies the score by 10 to get an integer.


Re: SORBS_DUL and NJABL_DUL

2005-07-07 Thread rns . spamassassin . n . semba

Sorry for the slight delay, replies inline:

At 01:39 07-07-05, Daryl C. W. O'Shea - [EMAIL PROTECTED] wrote:
>> Received: from host-212-158-194-14.bulldogdsl.com (HELO
>> phoenix.example.com) (212.158.194.14)
>>   by secure.example.name with (DHE-RSA-AES256-SHA encrypted) SMTP;
>> 1 Jul 2005 10:00:52 +0100
>
> What SMTP service generates this header?

I use QMail configured mainly via Plesk.  The SMTP connection in this
particular case is using TLS for transfer between Eudora and my mail server.

> If you can use SMTP auth (which I really hope you are, or are at
> least using an IP based auth list) and if whatever server you are
> using will place a supported auth token in the received header your
> problem will magically go away (actually SpamAssassin will
> automatically extend the trust boundary to authenticated clients).
>
> Note that the (DHE-RSA-AES256-SHA encrypted) token isn't used since
> it's not an authentication token.  You want to see something like
> "authenticated user" or "authenticated x bits" immediately before
> the "by" section of the header or "ESMTPA", "ESMTPSA", "LSMTPA",
> "LSMTPSA" or "HTTP" as the "with" method.

Thanks for that tip.  I do use SMTP auth, except that as you pointed
out, the current config doesn't seem to insert this in any way into
the header.  Shall do some digging to see how to configure Qmail to
do this.  If anyone has any pointers relevant to Qmail, which
hopefully won't involve recompiling Qmail, would be quite useful.


TIA,

Roshan 



Re: ALL_TRUSTED and Razor, DCC and Pyzor

2005-07-07 Thread Theo Van Dinter
On Thu, Jul 07, 2005 at 04:34:03PM -0500, Kenneth S. wrote:
> Is there anyway to configure SA so that if the ALL_TRUSTED rule is hit it 
> skips the Razor, DCC and Pyzor tests?

Not without modifying code.

-- 
Randomly Generated Tagline:
"It is far more impressive when others discover your good qualities
 without your help." - Zen Musings




RE: SA training

2005-07-07 Thread Jean-Paul Natola


-Original Message-
From: JamesDR [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 07, 2005 5:42 PM
To: users@spamassassin.apache.org
Subject: Re: SA training

Jean-Paul Natola wrote:
> OK I found the documentation for using IMAP2mbox to train,
> 
> Now its quite simple to tell a user "if its spam , drag it here" 
> 
> But how is the user to know if they have a false positive, unless they look
> at the header like this one for example which I don't know WHY it says
> "possible spam"  as it scored a ZERO
> 
> X-Spam-Score: 0.0 (/)
> X-Spam-Report: Spam detection software, running on the system "mfilter",
has
>   identified this incoming email as possible spam.  The original
> message
>   has been attached to this so you can view it (if it isn't spam) or
> label
>   similar future email.  If you have any questions, see
>   the administrator of that system for details.
>   Content preview:  Yes! It works! As of snapshot 5.4-STABLE-SNAP005 it
>   gets successfully to the sysinstall menu without any flags. Thanks a
>   lot! Alejandro [...] 
>   Content analysis details:   (0.0 points, 5.0 required)
>   pts rule name  description
> 
> I'm also curious as to why a 0 would get flagged as possible spam?  
> 
> 
> 
> 
> -Original Message-
> From: JamesDR [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 07, 2005 4:53 PM
> To: users@spamassassin.apache.org
> Subject: Re: SA training
> 
> Jean-Paul Natola wrote:
> 
>>Hi everyone, 
>>
>>I'm new to SA so I need a bit of help in configuring /training
>>
>>SA-
>>
>>The problem I have is that I do not keep any mail in the SA box- it
> 
> forwards
> 
>>to my mail server-
>>
>>What method can I use to train it?
>>
>>
>>
>> 
>> 
>> 
>> 
>> 
>>Jean-Paul Natola
>>Network Administrator
>>Information Technology
>>Family Care International
>>588 Broadway Suite 503
>>New York, NY 10012
>>Phone:212-941-5300 xt 36
>>Fax:  212-941-5563
>>Mailto: [EMAIL PROTECTED] 
>>
>>
>>
> 
> Since you are forwarding onto an exchange server, some have setup imap 
> folders for users to drag spam/ham to to be trained. There is some stuff 
> in the Wiki about how to do just this with an exchange server, also 
> there has been quite a bit of discussion on this list as well. There are 
> many options open to you...
> 
Which tool(s) are you using to call SA?

-- 
Thanks,
JamesDR

This is my setup (keep in mind I'm a total NOVICE)

I have FreeBSD 5.4 installed with  EXIM CLAMAV SA

I'm not quite sure what you mean by "tools" and "calling"

I think* it's EXIM calling it?


Re: SA training

2005-07-07 Thread JamesDR

Jean-Paul Natola wrote:

OK I found the documentation for using IMAP2mbox to train,

Now it's quite simple to tell a user "if it's spam, drag it here"


But how is the user to know if they have a false positive, unless they look
at the header like this one for example which I don't know WHY it says
"possible spam"  as it scored a ZERO

X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam detection software, running on the system "mfilter", has
  identified this incoming email as possible spam.  The original message
  has been attached to this so you can view it (if it isn't spam) or label
  similar future email.  If you have any questions, see
  the administrator of that system for details.
  Content preview:  Yes! It works! As of snapshot 5.4-STABLE-SNAP005 it
  gets successfully to the sysinstall menu without any flags. Thanks a
  lot! Alejandro [...]
  Content analysis details:   (0.0 points, 5.0 required)
  pts rule name  description

I'm also curious as to why a 0 would get flagged as possible spam?  





-Original Message-
From: JamesDR [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 07, 2005 4:53 PM

To: users@spamassassin.apache.org
Subject: Re: SA training

Jean-Paul Natola wrote:

Hi everyone, 


I'm new to SA so I need a bit of help in configuring /training

SA-

The problem I have is that I do not keep any mail in the SA box- it forwards
to my mail server-

What method can I use to train it?








Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED] 






Since you are forwarding onto an exchange server, some have setup imap 
folders for users to drag spam/ham to to be trained. There is some stuff 
in the Wiki about how to do just this with an exchange server, also 
there has been quite a bit of discussion on this list as well. There are 
many options open to you...



Which tool(s) are you using to call SA?

--
Thanks,
JamesDR




ALL_TRUSTED and Razor, DCC and Pyzor

2005-07-07 Thread Kenneth S.
Is there any way to configure SA so that if the ALL_TRUSTED rule is hit it 
skips the Razor, DCC and Pyzor tests?


Thanks,
Kenneth


RE: SA training

2005-07-07 Thread Jean-Paul Natola
OK I found the documentation for using IMAP2mbox to train,

Now it's quite simple to tell a user "if it's spam, drag it here"

But how is the user to know if they have a false positive, unless they look
at the header like this one for example which I don't know WHY it says
"possible spam"  as it scored a ZERO

X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam detection software, running on the system "mfilter", has
  identified this incoming email as possible spam.  The original message
  has been attached to this so you can view it (if it isn't spam) or label
  similar future email.  If you have any questions, see
  the administrator of that system for details.
  Content preview:  Yes! It works! As of snapshot 5.4-STABLE-SNAP005 it
  gets successfully to the sysinstall menu without any flags. Thanks a
  lot! Alejandro [...]
  Content analysis details:   (0.0 points, 5.0 required)
  pts rule name  description

I'm also curious as to why a 0 would get flagged as possible spam?  




-Original Message-
From: JamesDR [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 07, 2005 4:53 PM
To: users@spamassassin.apache.org
Subject: Re: SA training

Jean-Paul Natola wrote:
> Hi everyone, 
> 
> I'm new to SA so I need a bit of help in configuring /training
> 
> SA-
> 
> The problem I have is that I do not keep any mail in the SA box- it forwards
> to my mail server-
> 
> What method can I use to train it?
> 
> 
> 
>  
>  
>  
>  
>  
> Jean-Paul Natola
> Network Administrator
> Information Technology
> Family Care International
> 588 Broadway Suite 503
> New York, NY 10012
> Phone:212-941-5300 xt 36
> Fax:  212-941-5563
> Mailto: [EMAIL PROTECTED] 
> 
> 
> 
Since you are forwarding onto an exchange server, some have setup imap 
folders for users to drag spam/ham to to be trained. There is some stuff 
in the Wiki about how to do just this with an exchange server, also 
there has been quite a bit of discussion on this list as well. There are 
many options open to you...

-- 
Thanks,
James


Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread Matt Kettler
Dr Robert Young wrote:
> I am just becoming familiar with SpamAssassin, so I am sure this may
> appear to be an "obvious" issue to those familiar with the tool. I am
> just learning the ins and outs however.
> 
> I downloaded many of the SARE rulesets (not  bigevil however), and I am
> running  "spamassassin -D --lint". It seems like it is taking a very
> long time to run. Is this typical or am I "hosed"? 

Typical would be somewhere in the 5-10 second range. This test is in general
slower than scanning a message with spamc/spamd, as a new perl instance gets
invoked and the config files are parsed from scratch.

(for reference, I used time and a spamassassin --lint run takes 6.948 seconds on
my box, piping a message through spamc took 3.183s. SA 2.64 with network tests,
bayes, spamcopuri, and several add-on rulesets in use.)

Suggestions for debugging why it's taking a long time:

1) try disabling network tests with -L, as Theo suggested. If it suddenly
becomes fast when you add -L, post here, and we should be able to make further
suggestions to debug the problem.

2) If -L doesn't help, try removing your SARE rulesets by moving them to a
temporary directory, and see if that fixes it. If it does, try copying the
rulesets back a few at a time and see which file is the culprit.
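
The two debugging steps above, written as a script. This is an added example and not part of the original message: `RULES_DIR`, `RULESET_GLOB`, `LINT_CMD`, `SLOW_SECS` and the function names are assumptions, and it copies rulesets back one at a time rather than a few at a time.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: RULES_DIR, RULESET_GLOB,
# LINT_CMD, SLOW_SECS and every function defined below.
RULES_DIR=${RULES_DIR:-/etc/mail/spamassassin}   # assumed site config directory
RULESET_GLOB=${RULESET_GLOB:-*sare*.cf}          # assumed naming of add-on rulesets
LINT_CMD=${LINT_CMD:-spamassassin --lint}
SLOW_SECS=${SLOW_SECS:-15}                       # assumed "too slow" threshold

# Print the whole seconds one lint run takes; extra arguments (-L) pass through.
time_lint() {
    t0=$(date +%s)
    $LINT_CMD "$@" >/dev/null 2>&1 || true       # only the timing matters here
    t1=$(date +%s)
    echo $((t1 - t0))
}

is_slow() { [ "$1" -ge "$SLOW_SECS" ]; }

# Prints one of: ok | network | ruleset:<file> | other
diagnose_lint() {
    is_slow "$(time_lint)" || { echo ok; return 0; }

    # Step 1: local-only run. If -L makes it fast, a network test is hanging.
    is_slow "$(time_lint -L)" || { echo network; return 0; }

    # Step 2: park the add-on rulesets in a temporary directory. -L stays on
    # so network checks cannot distort the timings.
    park=$(mktemp -d) || return 1
    for f in "$RULES_DIR"/$RULESET_GLOB; do
        if [ -f "$f" ]; then mv "$f" "$park/"; fi
    done

    culprit=other    # still slow without the rulesets: look elsewhere
    if ! is_slow "$(time_lint -L)"; then
        # Copy rulesets back one by one; the first addition that makes the
        # run slow again is the file to inspect.
        for f in "$park"/*; do
            [ -f "$f" ] || continue
            cp "$f" "$RULES_DIR/"
            if is_slow "$(time_lint -L)"; then
                culprit="ruleset:$(basename "$f")"
                break
            fi
        done
    fi

    # Put every parked ruleset back where it was, whatever the outcome.
    for f in "$park"/*; do
        if [ -f "$f" ]; then mv "$f" "$RULES_DIR/"; fi
    done
    rmdir "$park"
    echo "$culprit"
}

# Run the diagnosis only when asked to, e.g. "sh lintcheck.sh --run".
if [ "${1:-}" = "--run" ]; then diagnose_lint; fi
```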



Re: SORBS_DUL and NJABL_DUL

2005-07-07 Thread Daryl C. W. O'Shea

Rick Macdougall wrote:

Daryl C. W. O'Shea wrote:


[EMAIL PROTECTED] wrote:

Received: from host-212-158-194-14.bulldogdsl.com (HELO 
phoenix.example.com) (212.158.194.14)
  by secure.example.name with (DHE-RSA-AES256-SHA encrypted) SMTP; 1 
Jul 2005 10:00:52 +0100




What SMTP service generates this header?



Hi Daryl,

That's a tls connection with a qmail server (or so it appears when I 
send a test between two qmail servers here).


Regards,

Rick



Thanks Rick.  That was my guess, I just wanted to be sure in the event 
that Roshan says that he is using SMTP auth (and qmail doesn't report it 
like Postfix doesn't).  Then again, maybe he's just using TLS, I don't 
know, I haven't heard back from him yet.



Daryl



RE: spamassassin --lint ....how long does it take?

2005-07-07 Thread Sander Holthaus - Orange XL
> I downloaded many of the SARE rulesets (not  bigevil 
> however), and I am running  "spamassassin -D --lint". It 
> seems like it is taking a very long time to run. Is this 
> typical or am I "hosed"?  I am running it on a test system 
> (non-production) so it is not currently a serious problem, 
> but I want to be sure of what's up before I try anything on 
> production (probably in a few days).

How many? Or better, can you specify which you downloaded?



Re: SA training

2005-07-07 Thread Stuart Johnston

JamesDR wrote:

Jean-Paul Natola wrote:


Hi everyone,
I'm new to SA so I need a bit of help in configuring /training

SA-

The problem I have is that I do not keep any mail in the SA box- it 
forwards

to my mail server-

What method can I use to train it?


Since you are forwarding onto an exchange server, some have setup imap 
folders for users to drag spam/ham to to be trained. There is some stuff 
in the Wiki about how to do just this with an exchange server, also 
there has been quite a bit of discussion on this list as well. There are 
many options open to you...




Another option would be to use something like Maia Mailguard which 
temporarily stores all messages on the filtering server.  Users can log 
into the web interface periodically to check the quarantine and train 
the other messages.


http://www.renaissoft.com/maia/


Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread jdow
From: "Jim Maul" <[EMAIL PROTECTED]>

> Theo Van Dinter wrote:
> > On Thu, Jul 07, 2005 at 11:43:10AM -0700, Justin Mason wrote:
> > 
> >>eh, Theo, --lint doesn't require a message, it uses one of its own!
> > 
> > 
> > Oh.  Hahaha.  I forgot about that. ;)
> > Never mind me, brain is scattered right now due to work.
> > 
> > My second suggestion is to do local-only in case there's a network
> > check hanging.  Try "spamassassin -LD --lint".
> > 
> 
> Then why does the manpage state to pass it a message?
> 
> spamassassin [options] < mailmessage > output
> spamassassin -d < mailmessage > 
> spamassassin -r [-w addr] < mailmessage
> spamassassin -k [-w addr] < mailmessage
> spamassassin -W|-R < mailmessage
> 
> All examples show "< mailmessage" after [options].  --lint doesn't say 
> anything about not needing a message passed to it.
> 

-Jim, "spamassassin --lint" is sufficient unto itself. The other examples
up there require input to process. The lint command simply checks that
all the rules are formatted correctly without actually running them.
{^_^}



Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread jdow
From: "Theo Van Dinter" <[EMAIL PROTECTED]>

> I think you're not passing it a message so it's waiting on STDIN.
> Try "spamassassin -D --lint < /dev/null".

Er, Theo, --lint does not take any parameters.

{o.o}



Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread jdow
From: "Dr Robert Young" <[EMAIL PROTECTED]>

> I am just becoming familiar with SpamAssassin, so I am sure this may 
> appear to be an "obvious" issue to those familiar with the tool. I am 
> just learning the ins and outs however.
> 
> I downloaded many of the SARE rulesets (not  bigevil however), and I am 
> running  "spamassassin -D --lint". It seems like it is taking a very 
> long time to run. Is this typical or am I "hosed"?  I am running it on 
> a test system (non-production) so it is not currently a serious 
> problem, but I want to be sure of what's up before I try anything on 
> production (probably in a few days).

On a 166MHz Pentium with limited memory it takes 20 to 30 seconds,
sometimes more if the machine is loaded down with other processes
at the moment.

With the 1GHz 1GiB Athlon machine I have it's more like 1 to 2 seconds,
sometimes more if I am doing something silly like several parallel
kernel recompiles or the like.

{^_^}



Re: SA training

2005-07-07 Thread JamesDR

Jean-Paul Natola wrote:
Hi everyone, 


I'm new to SA so I need a bit of help in configuring /training

SA-

The problem I have is that I do not keep any mail in the SA box- it forwards
to my mail server-

What method can I use to train it?



 
 
 
 
 
Jean-Paul Natola

Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED] 




Since you are forwarding onto an exchange server, some have setup imap 
folders for users to drag spam/ham to to be trained. There is some stuff 
in the Wiki about how to do just this with an exchange server, also 
there has been quite a bit of discussion on this list as well. There are 
many options open to you...


--
Thanks,
James


SA training

2005-07-07 Thread Jean-Paul Natola
Hi everyone, 

I'm new to SA so I need a bit of help in configuring /training

SA-

The problem I have is that I do not keep any mail in the SA box- it forwards
to my mail server-

What method can I use to train it?



 
 
 
 
 
Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED] 



Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread Jim Maul

Theo Van Dinter wrote:

On Thu, Jul 07, 2005 at 11:43:10AM -0700, Justin Mason wrote:


eh, Theo, --lint doesn't require a message, it uses one of its own!



Oh.  Hahaha.  I forgot about that. ;)
Never mind me, brain is scattered right now due to work.

My second suggestion is to do local-only in case there's a network
check hanging.  Try "spamassassin -LD --lint".



Then why does the manpage state to pass it a message?

   spamassassin [options] < mailmessage > output
   spamassassin -d < mailmessage > 
   spamassassin -r [-w addr] < mailmessage
   spamassassin -k [-w addr] < mailmessage
   spamassassin -W|-R < mailmessage

All examples show "< mailmessage" after [options].  --lint doesn't say 
anything about not needing a message passed to it.


-Jim


Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread Theo Van Dinter
On Thu, Jul 07, 2005 at 11:43:10AM -0700, Justin Mason wrote:
> eh, Theo, --lint doesn't require a message, it uses one of its own!

Oh.  Hahaha.  I forgot about that. ;)
Never mind me, brain is scattered right now due to work.

My second suggestion is to do local-only in case there's a network
check hanging.  Try "spamassassin -LD --lint".

-- 
Randomly Generated Tagline:
"A committee is a life form with 6 or more legs and no brain."
  - Robert Heinlein




Re: rules_du_jour & SA_RESTART interpretation?

2005-07-07 Thread Chris Thielen

Allo,

Dr Robert Young wrote:



In configuring the rules_du_jour script for rule updates, I am a bit 
concerned over my interpretation of the SA_RESTART parameter. It 
sounds like it is a call to the routine to "stop and then re-start" 
the spamd daemon. But the rules_du_jour example "kills" the spamd 
process with killall (ie no restart).




The example on the wiki is "killall -HUP spamd".  There are two things 
to note.  kill doesn't actually 'kill' a process, it simply sends it a 
signal (except when you send -KILL or -9).  Secondly, the HUP signal is 
typically used to tell a daemon to reload its configuration files 
without restarting.  That's why the example on the wiki reads as it does, 
but it's only an example.


Side note: I think there might be some problems with sending ALL spamd 
processes including the children a HUP signal now, but I'm not sure. 



For this parameter, should one instruct the script to "stop" the 
process or "stop and then restart" the process?



You want it to restart (or reload config files, if possible)



I would normally do these via the sample scripts provided with 
SpamAssassin such as


/etc/rc.d/init.d/spamd stop

or





/etc/rc.d/init/d/spamd restart



That's fine, use that.  The default built into the script is actually 
"/etc/init.d/spamassassin restart", if I remember correctly.



Chris Thielen




Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread Justin Mason


Theo Van Dinter writes:
> On Thu, Jul 07, 2005 at 02:27:32PM -0400, Dr Robert Young wrote:
> > I downloaded many of the SARE rulesets (not  bigevil however), and I am 
> > running  "spamassassin -D --lint". It seems like it is taking a very 
> > long time to run. Is this typical or am I "hosed"?  I am running it on 
> > a test system (non-production) so it is not currently a serious 
> > problem, but I want to be sure of what's up before I try anything on 
> > production (probably in a few days).
> 
> I think you're not passing it a message so it's waiting on STDIN.
> Try "spamassassin -D --lint < /dev/null".

eh, Theo, --lint doesn't require a message, it uses one of its own!

- --j.



Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread Kevin W. Gagel
> I am just becoming familiar with SpamAssassin, so I am
> sure this may  appear to be an "obvious" issue to those
> familiar with the tool. I am  just learning the ins and
> outs however.
> 
> I downloaded many of the SARE rulesets (not  bigevil
> however), and I am  running  "spamassassin -D --lint". It
> seems like it is taking a very  long time to run. Is this
> typical or am I "hosed"?  I am running it on  a test
> system (non-production) so it is not currently a serious 
> problem, but I want to be sure of what's up before I try
> anything on  production (probably in a few days).

It should only take a few seconds. As it works you'll see
output about what it's doing, which works also as a progress
indicator. The output lets you know what is working and what
is not.


=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 561-5848 local 448


---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread Michele Neylon:: Blacknight
Dr Robert Young wrote:
> I am just becoming familiar with SpamAssassin, so I am sure this may
> appear to be an "obvious" issue to those familiar with the tool. I am
> just learning the ins and outs however.
> 
> I downloaded many of the SARE rulesets (not  bigevil however), and I am
> running  "spamassassin -D --lint". It seems like it is taking a very
> long time to run. Is this typical or am I "hosed"?  I am running it on a
> test system (non-production) so it is not currently a serious problem,
> but I want to be sure of what's up before I try anything on production
> (probably in a few days).
> 

What do you mean by "a very long time"?
On our servers it takes a few seconds.



Re: spamassassin --lint ....how long does it take?

2005-07-07 Thread Theo Van Dinter
On Thu, Jul 07, 2005 at 02:27:32PM -0400, Dr Robert Young wrote:
> I downloaded many of the SARE rulesets (not  bigevil however), and I am 
> running  "spamassassin -D --lint". It seems like it is taking a very 
> long time to run. Is this typical or am I "hosed"?  I am running it on 
> a test system (non-production) so it is not currently a serious 
> problem, but I want to be sure of what's up before I try anything on 
> production (probably in a few days).

I think you're not passing it a message so it's waiting on STDIN.
Try "spamassassin -D --lint < /dev/null".

-- 
Randomly Generated Tagline:
"Veni, Vidi, Visa" - I came, I saw, I bought




spamassassin --lint ....how long does it take?

2005-07-07 Thread Dr Robert Young
I am just becoming familiar with SpamAssassin, so I am sure this may 
appear to be an "obvious" issue to those familiar with the tool. I am 
just learning the ins and outs however.


I downloaded many of the SARE rulesets (not  bigevil however), and I am 
running  "spamassassin -D --lint". It seems like it is taking a very 
long time to run. Is this typical or am I "hosed"?  I am running it on 
a test system (non-production) so it is not currently a serious 
problem, but I want to be sure of what's up before I try anything on 
production (probably in a few days).





rules_du_jour & SA_RESTART interpretation?

2005-07-07 Thread Dr Robert Young


In configuring the rules_du_jour script for rule updates, I am a bit 
concerned over my interpretation of the SA_RESTART parameter. It sounds 
like it is a call to the routine to "stop and then re-start" the spamd 
daemon. But the rules_du_jour example "kills" the spamd process with 
killall (ie no restart).


For this parameter, should one instruct the script to "stop" the 
process or "stop and then restart" the process?


I would normally do these via the sample scripts provided with 
SpamAssassin such as


/etc/rc.d/init.d/spamd stop

or

/etc/rc.d/init/d/spamd restart



Re: How can I correctly detect these spams?

2005-07-07 Thread Chris Thielen


Andy Jezierski wrote:



Chris Thielen <[EMAIL PROTECTED]> wrote on 07/07/2005 
01:15:24 AM:


> Hi Thomas,
>
> Your email scored nearly 25 on my system.  Chickenpox contributed 4.2,
> uribls contributed tons.
>
> HTH :)
>

As has been pointed out, make sure your network tests are turned on. I 
am surprised that I only got two chickenpox hits on my system though.  


Chris, what version do you have running?  Mine is 1.18 dated 2004-4-5



Mine is actually older, h..  ver 1.15 dated 2004-02-06.  Perhaps 
Jennifer revised it later to get rid of false positives?





X-Spam-Status: Yes, score=45.4 required=5.7 tests=BAYES_99,FUZZY_MILLION,
        HTML_80_90,HTML_FONT_BIG,HTML_MESSAGE,J_CHICKENPOX_102,
        J_CHICKENPOX_56,LG_4C_2V_3C,MIME_QP_LONG_LINE,PRIORITY_NO_NAME,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
        SARE_HEAD_XUNSENT,SARE_OBFU_PART_ING,URIBL_AB_SURBL,URIBL_BLACK,
        URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
        autolearn=unavailable version=3.1.0-pre4-r208823

Andy 







Re: How can I correctly detect these spams?

2005-07-07 Thread Andy Jezierski

Chris Thielen <[EMAIL PROTECTED]>
wrote on 07/07/2005 01:15:24 AM:

> Hi Thomas,
> 
> Your email scored nearly 25 on my system.  Chickenpox contributed 4.2,
> uribls contributed tons.
> 
> HTH :)
> 

As has been pointed out, make sure your network tests
are turned on. I am surprised that I only got two chickenpox hits on my
system though.  

Chris, what version do you have running?  Mine
is 1.18 dated 2004-4-5

X-Spam-Status: Yes, score=45.4 required=5.7 tests=BAYES_99,FUZZY_MILLION,
        HTML_80_90,HTML_FONT_BIG,HTML_MESSAGE,J_CHICKENPOX_102,
        J_CHICKENPOX_56,LG_4C_2V_3C,MIME_QP_LONG_LINE,PRIORITY_NO_NAME,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
        SARE_HEAD_XUNSENT,SARE_OBFU_PART_ING,URIBL_AB_SURBL,URIBL_BLACK,
        URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
        autolearn=unavailable version=3.1.0-pre4-r208823

Andy

Re: RFKINDY false positives on faxes

2005-07-07 Thread Bjorn Jensen

Martin Lee wrote:

We've had some false positives with the X_LIBRARY, MIME_BOUND_RKFINDY
rules being tripped on e-faxes received through www.myvfm.com. Fairly
obviously the service has been built using the Indy.Sockets library
(www.indyproject.org). 
The Indyproject knowledge base admits that headers similar to those

produced by their library have been found in worms and spams sent with
some spamware.
 
Has anyone else experienced this problem ? I could create a rule to

decrease the score for emails generated by myvfm.com, but do the format
of emails from this service change ? How likely is it for spammers to
spoof mails from this service in order to reduce their SA scores using
such a rule ?


FYI I have handled an email today that hit these 2 rules as well (being 
ham) with this header:


X-Library: Indy 9.00.10

So it looks like those rules need to be adjusted down in the score 
quite a lot as this is already 3.7


 2.3 MIME_BOUND_RKFINDY Spam tool pattern in MIME boundary (rfkindy)
 1.4 X_LIBRARY  Message has X-Library header


Regards
Bjorn Jensen

--

A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting


Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread Jesse Shumaker
OK. This is what I thought I needed to do. Just to clarify, SAproxy is
the same as pop3proxy.pl correct? I've looked around and can't find a
download for these. It looks like they have been discontinued. I saw
that a new one which is only windows based has sprung up called SpamFu.
I need it to be Linux based. Could you send me the perl files or the
tar.gz of SAproxy or pop3proxy.pl? So you don't need procmail for any
of this, or a way to process the mail. Only SpamAssassin and the
SAproxy or pop3proxy.pl are required? I have thought about integrating
ClamAV into this so that anti-virus is filtered as well. I really
appreciate your help in all of this.

As a side note I found a file called "pop3proxy-1.2.0.tar.gz".
Is this the correct proxy? I've looked at the original link you gave me
and it's made for windows, not linux. I can see the principles but
still need the files to test this out.

I don't mean to be difficult in all of this, I just want to understand the process and make sure I know how to do things.

thanks

On 7/6/05, Paolo Cravero as2594 <[EMAIL PROTECTED]> wrote:
> Jesse Shumaker wrote:
> > So you must have SAproxy on each client to do this? I know that is
> > another product that I have heard of. If so do you have a download link
> > where I can get SAproxy? If that is just the name you are calling the
> > SpamAssassin proxy it looks like all I would need to do is specify the
> > destination server in the login box and I'm set. All I have to do on the
> > server end is setup the POP3proxy. Is this correct?
>
> Jesse,
>
> please see the link in my first reply. I believe the documentation of
> the software is complete enough.
>
> You need to install beforehand SpamAssassin on the box where you'll run
> SAproxy. Then install SAproxy and run it as a daemon. I know it works
> under Linux because I've done it, but it might work under other OSes
> provided they have Perl.
>
> Finally reconfigure each POP3 client to point to your server rather than
> your ISP's, and modify each login (in the client) to include ISP's POP3
> server address.
>
> Good luck,
> Paolo


Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread Paolo Cravero as2594

Jesse Shumaker wrote:

Let me try and summarize what I have received from all these e-mails as 

[...]

use and am trying to piece it all together.


Correct, except that the remote POP3 server is specified on client 
configuration and not wired statically on the pop3 proxy box. At least 
with the SApop3proxy we're using.


Ciao,
pc


Re: (14.6) How can I correctly detect these spams?

2005-07-07 Thread Chris Thielen

Hi Thomas,

Your email scored nearly 25 on my system.  Chickenpox contributed 4.2, 
uribls contributed tons. 


HTH :)

Thomas Booms wrote:


Spam detection software, running on the system "ns1.sandgnat.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Hi all, I have set all BAYES tests to default values
 and put in the $GLOBAL all SORBS test in my users database. But since
 the last hours I got these following listed spams through without
 tagging as spam: [...] 


Content analysis details:   (14.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.8 SPLEL_NLN              BODY: Obfuscated 'online' in body
 0.6 J_CHICKENPOX_34        BODY: {3}Letter - punctuation - {4}Letter
 0.6 J_CHICKENPOX_14        BODY: {1}Letter - punctuation - {4}Letter
 0.6 J_CHICKENPOX_44        BODY: {4}Letter - punctuation - {4}Letter
 0.6 J_CHICKENPOX_56        BODY: {5}Letter - punctuation - {6}Letter
 0.6 J_CHICKENPOX_64        BODY: {6}Letter - punctuation - {4}Letter
 0.6 J_CHICKENPOX_102       BODY: {10}Letter - punctuation - {2}Letter
 1.8 LOBO_NLN               BODY: Obfuscated 'online' in body
 0.6 J_CHICKENPOX_53        BODY: {5}Letter - punctuation - {3}Letter
 0.1 TW_DF                  BODY: Odd Letter Triples with DF
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: timestipulatecool.com treasureyourdevelopment.com militopnig.com]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: timestipulatecool.com militopnig.com]
 3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                            [URIs: timestipulatecool.com treasureyourdevelopment.com militopnig.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: timestipulatecool.com]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: militopnig.com]
 -10 AWL                    AWL: From: address is in the auto white-list


 


Hi all,

I have set all BAYES tests to default values and put in the $GLOBAL 
all SORBS test in my users database.


But since the last hours I got these following listed spams through 
without tagging as spam:







Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-07 Thread Jesse Shumaker
Let me try and summarize what I have received from all these e-mails as
well as put together myself. Then you guys could give me some feedback
if I'm on the right trail. What I need to do is install SpamAssassin
w/pop3proxy on a linux box. Then setup the pop3proxy to point to my
external pop3 server. On the client side I will need to setup each
client's login to include their login name and the
SpamAssassin/pop3proxy server (I'm not sure if I can only do this if I
use the SAproxy utility for windows). That's how I understand this
should work. Now configuring this is another situation. How does it
look to you guys? I have just noticed that there are a lot of utilities
and stuff to use and am trying to piece it all together.

thanks

On 7/6/05, Jesse Shumaker <[EMAIL PROTECTED]> wrote:
> So you must have SAproxy on each client to do this? I know that is
> another product that I have heard of. If so do you have a download link
> where I can get SAproxy? If that is just the name you are calling the
> SpamAssassin proxy it looks like all I would need to do is specify the
> destination server in the login box and I'm set. All I have to do on
> the server end is setup the POP3proxy. Is this correct?
>
> On 7/6/05, Paolo Cravero as2594 <[EMAIL PROTECTED]> wrote:
> > Jesse Shumaker wrote:
> >
> > Hi
> >
> > > This looks good and I think I may try this perl module. It seems that
> > > it's geared towards a single workstation and not a network of machines.
> > > They say that you point your client to localhost, which means that each
> > > machine must have this installed. How are you guys running this so that
> > > you can have one centralized SA server? Also, how does the SA box
> > > authenticate with the ISP's POP servers for each e-mail client? In my
> > > organization each user has their own password and username for their
> > > e-mail account.
> >
> > We installed it on a linux box with SA, and run it as a daemon. It
> > supports concurrent connections, although we haven't tested it
> > thoroughly (hundreds of simultaneous connections...). So, rather than
> > installing it locally on each machine, use a shared POP proxy.
> >
> > The client sends SAproxy the user/password, that then SAproxy submits to
> > the remote server. It is a proxy for POP3 protocol (no support for
> > POP3*S*), just that before sending the message to the client it is
> > scanned by SA.
> >
> > It is also very flexible, since the destination server has to be
> > specified as part of the login string ([EMAIL PROTECTED]
> > to retrieve mail with login [EMAIL PROTECTED] from pop.domain.com
> > server): your colleagues can use the same proxy box for retrieving mail
> > from other POP3 accounts as well.
> >
> > PC
> > --
> > |QRPp-I #707  + www.paolocravero.tk +  I QRP #476   |
> > | SpamAssassin-based email antispam/antivirus solutions |
> >  \Italian/English-to/from-Croatian translations/
> >   \  Skype: pcravero  /