Spamcop plugin

2005-09-14 Thread Lefteris Tsintjelis
Hi,

I am using SA 3.0.4. I was wondering if it is possible to turn off the spamcop
reporting plugin without recompiling, and how?

Thanks in advance


Re: SA 3.1.0-rc1 and rc2: Extra LF in headers

2005-09-14 Thread jdow

From: Maurice Lucas [EMAIL PROTECTED]


Hello,

I have a problem with both 3.1.0-rc1 and 3.1.0-rc2.

Some of my mail is checked by SA and marked as spam but gets an extra LF 
causing the rest of my tools to ignore the X-Spam-Status header field.


This is a sample message, I do have more for developers. This problem 
isn't occurring on every email but on a few a day.


--- Start sample ---
Received:  from MUNGLED ([MUNGLED]) by MUNGLED with Microsoft 
SMTPSVC(6.0.3790.1830); Tue, 13 Sep 2005 00:45:20 +0200

Received:  (qmail 1327 invoked from network); 12 Sep 2005 22:45:19 -
Received:  from localhost by MUNGLED with SpamAssassin (version 
3.1.0-rc2); Tue, 13 Sep 2005 00:45:19 +0200

Content-class: urn:content-classes:message
Subject: SPAM(43.8) Viagra letter for our subscribers
MIME-Version: 1.0
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Tue, 13 Sep 2005 09:30:55 +0200
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: SPAM(43.8) Viagra letter for our subscribers
Thread-Index: AcW366dzQ7Zbq0hdSEuQ1d1ysB6ADA==
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
From: [EMAIL PROTECTED]
To: =?iso-8859-1?Q?Sjarlie_Dresm=E9?= [EMAIL PROTECTED]

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on=20
capella.taos-it.nl
X-Spam-Level: ***


THAT may explain what the mad Russian is doing with these high scoring 
spams.

He found a hole that affects systems that use the X-Spam-Flag for something
important. (I don't. I route via the spam message in the subject.)

I wonder if he is ending the line with lfcrlf to create that 
confusion.

Supposedly a lone lf not preceded by a cr is not really a newline for
email. But SpamAssassin, thinking 'ix-ishly, does. If so I gotta give the
guy credit for being passably clever.

{^_^}   Joanne 
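As an added illustration of jdow's hypothesis (example code, not from the thread): a CRLF-only header reader and a reader that also accepts a bare LF disagree about where the header block ends once a lone LF sits between To: and the X-Spam-* fields, so the lenient tool files X-Spam-Status under the body. The message bytes are constructed after the quoted sample; the exact position of the stray LF is an assumption.

```python
import re

# Line-ending conventions. RFC 5322 ends a header line with CRLF only; many
# Unix-side tools also accept a bare LF. The two disagree exactly when a lone
# LF appears inside the header block.
STRICT_EOL = rb"\r\n"
LENIENT_EOL = rb"\r?\n"

# Constructed message bytes modelled on the sample quoted in this thread.
# The position of the stray bare LF (right after the To: header) is an
# assumption about what the poster's tools saw, not taken from the page.
SAMPLE = (
    b"Received: from localhost by MUNGLED with SpamAssassin (version 3.1.0-rc2);\r\n"
    b"\tTue, 13 Sep 2005 00:45:19 +0200\r\n"
    b"Subject: SPAM(43.8) Viagra letter for our subscribers\r\n"
    b"MIME-Version: 1.0\r\n"
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"\n"                                   # the lone LF
    b"X-Spam-Flag: YES\r\n"
    b"X-Spam-Status: Yes, hits=43.8 required=7.0\r\n"
    b"\r\n"
    b"Body of the message.\r\n"
)

# The same message with clean CRLF endings throughout, for comparison.
CLEAN = SAMPLE.replace(b"\r\n\nX-Spam-Flag", b"\r\nX-Spam-Flag")


def header_names(raw, eol):
    """Header field names in the order seen, using `eol` as the only line
    terminator. The header block ends at the first empty line, i.e. at the
    first pair of consecutive terminators."""
    end = re.search(eol + eol, raw)
    block = raw if end is None else raw[: end.start()]
    names = []
    for line in re.split(eol, block):
        if not line or line[:1] in (b" ", b"\t"):
            continue                        # folded continuation line
        name = line.split(b":", 1)[0]
        names.append(name.strip().lower().decode("latin-1"))
    return names


def bare_lf_offsets(raw):
    """Byte offsets of LFs not preceded by CR inside the strict header block.
    Any hit means a lenient reader will cut the headers short there."""
    end = re.search(STRICT_EOL + STRICT_EOL, raw)
    block = raw if end is None else raw[: end.start()]
    return [i for i, b in enumerate(block)
            if b == 0x0A and (i == 0 or block[i - 1] != 0x0D)]


def headers_lost_to_bare_lf(raw):
    """Fields a strict (CRLF-only) reader sees that a lenient reader does not:
    these are the headers that end up in the body for downstream tools."""
    lenient = set(header_names(raw, LENIENT_EOL))
    return [n for n in header_names(raw, STRICT_EOL) if n not in lenient]


if __name__ == "__main__":
    print("strict sees :", header_names(SAMPLE, STRICT_EOL))
    print("lenient sees:", header_names(SAMPLE, LENIENT_EOL))
    print("lost        :", headers_lost_to_bare_lf(SAMPLE))
    print("bare LFs at :", bare_lf_offsets(SAMPLE))
```

A non-empty result from `bare_lf_offsets` on the header block is the thing to alert on before any tool keyed on X-Spam-Flag or X-Spam-Status trusts the message.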



Re: local.cf ignored?

2005-09-14 Thread jdow

From: [EMAIL PROTECTED]


Hi,
I have a mail server with qmail, qmailscanner, fetchmail, spamassassin and
clamav installed. My Linux distribution is Debian sarge.
When spamassassin checks a mail I notice the following in the header of the
mail:
X-Spam-Status: Yes, hits=10.2 required=4.0
The problem is that the content of the file /etc/mail/spamassassin/local.cf is:
rewrite_header Subject *SPAM*
required_hits 5
#rewrite_subject 1
report_header 1
report_safe 1
skip_rbl_checks 0
You can notice that the line required_hits 5 is different from the mail
checked (required=4.0).
It seems that the file local.cf is ignored by spamassassin. How can I
know which file spamassassin is using when it checks mails?
I have already tried to force the configuration file with spamd -C
/etc/mail/spamassassin/local.cf but nothing changed.
Does anyone have any ideas?


Overridden in ~/.spamassassin/user_prefs?

You are overriding the configuration directory when you start spamd or
run spamassassin?

{^_^}


Re: Spam with Re[2]: or Re[4]:

2005-09-14 Thread jdow

Um, yes. That is not unusual for either issue.

You've heard of Bcc?
{^_^}
- Original Message - 
From: Jeffrey N. Miller [EMAIL PROTECTED]



Got a lot of spam last night with subject lines Re[2] or [4] or [5].
Most are Cialis or sperm pill spam.  Also I received one of these emails 
that was addressed to another user???




Re: SA 3.1.0-rc1 and rc2: Extra LF in headers

2005-09-14 Thread Daryl C. W. O'Shea

Maurice Lucas wrote:

Hello,

I have a problem with both 3.1.0-rc1 and 3.1.0-rc2.

Some of my mail is checked by SA and marked as spam but gets an extra 
LF causing the rest of my tools to ignore the X-Spam-Status header field.


That's weird, X-Spam headers from 3.1 should be above a received header. 
 Does all of your mail have its X-Spam headers appended to the end of 
the existing headers?


Daryl



Re: Very simple user query...

2005-09-14 Thread jdow

From: Steve [Spamassasin] [EMAIL PROTECTED]


jdow wrote:


You do not say which version of spamassassin you are using. If it is not
3.04 an upgrade might help.


It's 3.04 - the latest stable build that's made it into Gentoo Portage


  * Is there somewhere where I can report spams which aren't caught by
    the default configuration in order to feed-back into future
    improvements?


There are places to report them manually.


I'm familiar with razor-report, for example - but it is a real pain to 
mess about with this command line tool when all my mail is managed 
remotely over IMAP



I have a strong personal bias against automating anything related to
spam REPORTING. Please examine the downsides of automatic reporting
before proceeding.


I absolutely do not want to report automatically - in the sense that I am 
adamant that I want human intervention before reporting.  Conversely - 
given the task of establishing a remote shell; finding the correct email 
in maildir - and verifying it is indeed the mail I determined was a spam 
in my email client - followed by manually reporting it individually to 
each service... I'm inclined not to bother.  If, for example I had an IMAP 
folder into which I drop spam that my mail server should report on my 
behalf -then reporting would become far less of a chore.


Simple matter of coding. That is how I handle ham and spam training. I simply
dunk it into ham and spam folders and let a cron job run sa-learn over the
two folders. In this case you'd probably have to code up something that takes
the folder apart properly, forwards the mail appropriately, then tosses it.
I haven't done such a thing. But there are perl tools for reading messages
via IMAP that could be used as the core of a new tool.
{^_^} 



Re: SA 3.1.0-rc1 and rc2: Extra LF in headers

2005-09-14 Thread M. Lucas
On Wed, 2005-09-14 at 03:17 -0400, Daryl C. W. O'Shea wrote:
 Maurice Lucas wrote:
  Hello,
  
  I have a problem with both 3.1.0-rc1 and 3.1.0-rc2.
  
  Some of my mail is checked by SA and marked as spam but gets an extra 
  LF causing the rest of my tools to ignore the X-Spam-Status header field.
 
 That's weird, X-Spam headers from 3.1 should be above a received header. 
   Does all of your mail have its X-Spam headers appended to the end of 
 the existing headers?

No and yes, below is your message and some other spam from yesterday.

The main difference is in the lines
ham:
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on 
MUNGLED
X-Spam-Level: 

Spam:
Received: from localhost by MUNGLED with SpamAssassin (version
3.1.0-rc2);
Wed, 14 Sep 2005 03:38:25 +0200

The spam mail is received by SA while the ham is only checked by

--
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 19001 invoked by alias); 14 Sep 2005 07:16:58 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 18998 invoked from network); 14 Sep 2005 07:16:58 -
Received: from unknown (HELO MUNGLED) (MUNGLED) by
MUNGLED with SMTP; 14 Sep 2005 07:16:58 -
Received: (qmail 8858 invoked from network); 14 Sep 2005 07:17:22 -
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on 
MUNGLED
X-Spam-Level: 
X-Spam-Status: No, hits=0.0 required=7.0 tests=none autolearn=no 
version=3.1.0-rc2
Received: from MUNLED (MUNGLED [MUNGLED]) by
MUNGLED ([MUNGLED]) with ESMTP via TCP; 14 Sep 2005
07:17:22 -
Received: from MUNGLED
(MUNGLED [MUNGLED]) (authenticated user
MUNGLED) by MUNGLED (MUNGLED
[MUNGLED]) (Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R)
with
ESMTP id 63-md5000118.tmp for [EMAIL PROTECTED]; Wed, 14 Sep
2005
02:17:16 -0500
Received: from [MUNGLED] ([MUNGLED]) (authenticated bits=0)
by MUNGLED (8.12.8/8.12.8) with ESMTP id
j8E7HEKK014456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA
bits=256
verify=NO); Wed, 14 Sep 2005 03:17:14 -0400
Message-ID: [EMAIL PROTECTED]
Date: Wed, 14 Sep 2005 03:17:13 -0400
From: Daryl C. W. O'Shea [EMAIL PROTECTED]
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Maurice Lucas 
CC: Spamassassin 
Subject: Re: SA 3.1.0-rc1 and rc2: Extra LF in headers
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: [EMAIL PROTECTED]
X-MDRemoteIP: MUNGLED
X-Return-Path: MUNGLED
X-MDaemon-Deliver-To: MUNGLED
-

SPAM message
-
Return-Path:
[EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 9032 invoked by alias); 14 Sep 2005 01:38:01 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 9029 invoked from network); 14 Sep 2005 01:38:01 -
Received: from unknown (HELO MUNGLED) (MUNGLED) by
MUNGLED with SMTP; 14 Sep 2005 01:38:01 -
Received: (qmail 23704 invoked from network); 14 Sep 2005 01:38:25 -
Received: from localhost by MUNGLED with SpamAssassin (version
3.1.0-rc2);
Wed, 14 Sep 2005 03:38:25 +0200
From: Earline Aguilar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: SPAM(11.5) Become an employee of our company.
Date: Tue, 13 Sep 2005 10:42:16 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on 
capella.taos-it.nl
X-Spam-Level: ***
X-Spam-Status: Yes, hits=11.5 required=7.0 tests=BAYES_00=-2.599,
RCVD_IN_BL_SPAMCOP_NET=1.558,RCVD_IN_NJABL_DUL=1.946,
RCVD_IN_SORBS_DUL=2.046,RCVD_IN_WHOIS_BOGONS=2.43,
RCVD_IN_WHOIS_INVALID=2.234,RCVD_IN_XBL=3.897,UNPARSEABLE_RELAY=0.001 
autolearn=no version=3.1.0-rc2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_43277F11.58AE5373

With kind regards,
Maurice Lucas



RE: Spamcop plugin

2005-09-14 Thread Martin Hepworth
Hi

Not sure what you mean by this, but if it's a true plugin then you can
comment out the entry in /etc/mail/spamassassin/init.pre and restart
spamd/amavis-new/MailScanner/whatever and it will disable the plugin.

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-Original Message-
From: Lefteris Tsintjelis [mailto:[EMAIL PROTECTED] 
Sent: 14 September 2005 07:21
To: users@spamassassin.apache.org
Subject: Spamcop plugin

Hi,

I am using SA 3.0.4. I was wondering if it is possible to turn off the
spamcop
reporting plugin without recompiling, and how?

Thanks in advance


**

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.   

**



Re: Spamcop plugin

2005-09-14 Thread Lefteris Tsintjelis
Hi Martin,

and thanks for your reply, I mean this:

...
debug: SpamCop - sent FROM [EMAIL PROTECTED]
debug: SpamCop - received 250 sender [EMAIL PROTECTED] ok
debug: SpamCop - sent TO [EMAIL PROTECTED]
debug: SpamCop - received 250 recipient [EMAIL PROTECTED] ok
debug: SpamCop - sent DATA
debug: SpamCop - received 250 go ahead
ok:  Message 1357171055 accepted
debug: SpamCop - sent QUIT
debug: SpamCop - received 221 vmx1.spamcop.net
debug: SpamAssassin: spam reported to SpamCop.
...

I have just checked the init.pre and there is no such thing. Now that you
mentioned it I do recall something there about SpamCop but that was, I 
believe, in previous releases (3.0.1 if I am not mistaken). It seems like
for every SPAM report there is a forced report generated to SpamCop. Can
I turn this off now that there is no such option in init.pre?

My init.pre:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::SPF

Martin Hepworth wrote:
 
 Hi
 
 Not sure what you mean by this, but if it's a true plugin then you can
 comment out the entry in /etc/mail/spamassassin/init.pre and restart
 spamd/amavis-new/MailScanner/whatever and it will disable the plugin.
 
 --
 Martin Hepworth
 Snr Systems Administrator
 Solid State Logic
 Tel: +44 (0)1865 842300
 
 -Original Message-
 From: Lefteris Tsintjelis [mailto:[EMAIL PROTECTED]
 Sent: 14 September 2005 07:21
 To: users@spamassassin.apache.org
 Subject: Spamcop plugin
 
 Hi,
 
 I am using SA 3.0.4. I was wondering if it is possible to turn off the
 spamcop
 reporting plugin without recompiling, and how?
 
 Thanks in advance


Re: Very simple user query...

2005-09-14 Thread Steve [Spamassasin]

jdow wrote:

I absolutely do not want to report automatically - in the sense that 
I am adamant that I want human intervention before reporting.  
Conversely - given the task of establishing a remote shell; finding 
the correct email in maildir - and verifying it is indeed the mail I 
determined was a spam in my email client - followed by manually 
reporting it individually to each service... I'm inclined not to 
bother.  If, for example I had an IMAP folder into which I drop spam 
that my mail server should report on my behalf -then reporting would 
become far less of a chore.




Simple matter of coding. That is how I handle ham and spam training. I simply
dunk it into ham and spam folders and let a cron job run sa-learn over the
two folders. In this case you'd probably have to code up something that takes
the folder apart properly, forwards the mail appropriately, then tosses it.
I haven't done such a thing. But there are perl tools for reading messages
via IMAP that could be used as the core of a new tool.



Hmmm - given that this seems such an obvious thing to want, and because 
I'm quite laz^H^H^Hbusy these days, I'd hoped that such a thing 
pre-existed.  It strikes me that the best way to do this would be with a 
daemon which monitors the IMAP folders for user-identified spam; sa-learn 
and report it - then move it to the same folder as the automatically 
identified spam.  I realise that it wouldn't be a herculean effort to 
implement this but I'm very reluctant to re-invent the wheel.



RE: Spamcop plugin

2005-09-14 Thread Martin Hepworth
Hmm

Looking at the docs you can alter things like the to/from addresses etc.

But there doesn't seem to be much of a way to turn this off... have you tried
setting the max size of these reports to zero in local.cf??

spamcop_max_report_size 0


--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
-Original Message-
From: Lefteris Tsintjelis [mailto:[EMAIL PROTECTED] 
Sent: 14 September 2005 09:54
To: Martin Hepworth
Cc: users@spamassassin.apache.org
Subject: Re: Spamcop plugin

Hi Martin,

and thanks for your reply, I mean this:

...
debug: SpamCop - sent FROM [EMAIL PROTECTED]
debug: SpamCop - received 250 sender [EMAIL PROTECTED] ok
debug: SpamCop - sent TO [EMAIL PROTECTED]
debug: SpamCop - received 250 recipient
[EMAIL PROTECTED] ok
debug: SpamCop - sent DATA
debug: SpamCop - received 250 go ahead
ok:  Message 1357171055 accepted
debug: SpamCop - sent QUIT
debug: SpamCop - received 221 vmx1.spamcop.net
debug: SpamAssassin: spam reported to SpamCop.
...

I have just checked the init.pre and there is no such thing. Now that you
mentioned it I do recall something there about SpamCop but that was, I 
believe, in previous releases (3.0.1 if I am not mistaken). It seems like
for every SPAM report there is a forced report generated to SpamCop. Can
I turn this off now that there is no such option in init.pre?

My init.pre:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::SPF

Martin Hepworth wrote:
 
 Hi
 
 Not sure what you mean by this, but if it's a true plugin then you can
 comment out the entry in /etc/mail/spamassassin/init.pre and restart
 spamd/amavis-new/MailScanner/whatever and it will disable the plugin.
 
 --
 Martin Hepworth
 Snr Systems Administrator
 Solid State Logic
 Tel: +44 (0)1865 842300
 
 -Original Message-
 From: Lefteris Tsintjelis [mailto:[EMAIL PROTECTED]
 Sent: 14 September 2005 07:21
 To: users@spamassassin.apache.org
 Subject: Spamcop plugin
 
 Hi,
 
 I am using SA 3.0.4. I was wondering if it is possible to turn off the
 spamcop
 reporting plugin without recompiling, and how?
 
 Thanks in advance





Re: Spamcop plugin

2005-09-14 Thread Lefteris Tsintjelis

Yes, I was very Hmm myself about this one... but anyway...

Great idea, just tried it but it didn't work. Can I assume then that there is
no proper way of turning this thing off other than hacking the code? Nothing
else is mentioned about the SpamCop plugin other than those three things and
googling around wasn't much help either.

Martin Hepworth wrote:

Hmm

Looking at the docs you can alter things like the to/from addresses etc.

But there doesn't seem to be much of a way to turn this off... have you tried
setting the max size of these reports to zero in local.cf??

spamcop_max_report_size 0


Re: local.cf ignored?

2005-09-14 Thread mberva
Hi,

 I have a mail server with qmail, qmailscanner, fetchmail, spamassassin and
 clamav installed. My Linux distribution is Debian sarge.
 When spamassassin checks a mail I notice the following in the header of the
 mail:
 X-Spam-Status: Yes, hits=10.2 required=4.0
 The problem is that the content of the file /etc/mail/spamassassin/local.cf is:
 rewrite_header Subject *SPAM*
 required_hits 5
 #rewrite_subject 1
 report_header 1
 report_safe 1
 skip_rbl_checks 0
 You can notice that the line required_hits 5 is different from the mail
 checked (required=4.0).
 It seems that the file local.cf is ignored by spamassassin. How can I
 know which file spamassassin is using when it checks mails?
 I have already tried to force the configuration file with spamd -C
 /etc/mail/spamassassin/local.cf but nothing changed.
 Does anyone have any ideas?





 Overridden in ~/.spamassassin/user_prefs?

 You are overriding the configuration directory when you start spamd or
 run spamassassin?

 {^_^}




 I can't find the ~/.spamassassin/user_prefs file anywhere. I'm sure the file
 does not exist.



Re: Very simple user query...

2005-09-14 Thread Michael Monnerie
On Dienstag, 13. September 2005 22:15 Markus Eskola wrote:
 Just a quick question regarding the reporting... Do you guys report
 all spam (including the ones that SA already caught) or only the
 ones that got thru the net?

All - because others may have other rules, probably not identifying this 
as SPAM. Imagine you get 5 points because your bayes is 100% sure, but 
there's no hit on DCC, razor, etc. It's good for the others to report 
it, so DCC and razor know it's SPAM, and therefore the next one who 
receives it knows for sure about it.

 Currently in my setup I have 3-4 different users who move all the spam
 that got thru into certain folders eg SPAM under IMAP. These folders
 are scanned, emptied and reported once a night thru a script.
 If someone has a more effective way, I'd appreciate a hint in the
 right direction.

I believe it should be done at least once per hour - so DCC and razor 
have it quickly detected. Otherwise, spammers have time until the night 
to send to a lot of servers. I currently do it in 10 minute intervals, 
as it doesn't really create too much load.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: Very simple user query...

2005-09-14 Thread Lefteris Tsintjelis

Michael Monnerie wrote:

On Dienstag, 13. September 2005 22:15 Markus Eskola wrote:


Just a quick question regarding the reporting... Do you guys report
all spam (including the ones that SA already caught) or only the
ones that got thru the net?


All, with no exceptions made.

I believe it should be done at least once per hour - so DCC and razor 
have it quickly detected. Otherwise, spammers have time until the night 
to send to a lot of servers. I currently do it in 10 minute intervals, 
as it doesn't really create too much load.


I prefer to send it immediately which makes the updates of DCC and
razor even faster. What I am not so sure of is the SpamCop reporting.
It seems that it's a complete waste since the blacklist it maintains
is not getting updated by any of those reports.


Re: Very simple user query...

2005-09-14 Thread Michael Monnerie
On Mittwoch, 14. September 2005 14:40 Lefteris Tsintjelis wrote:
 I prefer to send it immediately which makes the updates of DCC and
 razor even faster. 

How do you do it? Do you report back automatically every detected SPAM? 
That shouldn't be done, as I read from the homepage.

 What I am not so sure of is the SpamCop reporting. 
 It seems that it's a complete waste since the blacklist it
 maintains is not getting updated by any of those reports.

AFAIK, spamcop sends e-mail to the admins responsible for that IP, and 
so it should help that ISPs get reports of zombies, relays, and so on. 
It fights on another level, but that one should be quite effective.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: Very simple user query...

2005-09-14 Thread Rob Skedgell
On Tuesday 13 Sep 2005 21:15, Markus Eskola wrote:
[...]
 Just a quick question regarding the reporting... Do you guys report
 all spam (including the ones that SA already caught) or only the
 ones that got thru the net?
 
 Currently in my setup I have 3-4 different users who move all the spam
 that got thru into certain folders eg SPAM under IMAP. These folders
 are scanned, emptied and reported once a night thru a script.
 If someone has a more effective way, I'd appreciate a hint in the right
 direction.

Most of it (5.0 <= score <= 30.0) gets LARTed by a java program that 
goes through the confirmed spam IMAP folder to the contacts.abuse.net 
addresses for the IP address that sent to my MX, SpamCop and is also 
posted to NANAS. If it scores over 30 it hits a discard ACL in exim.

Anything that sneaks through under 5.0 or went to a role account is also 
singled out for extra vindictiveness and LARTed manually to anything 
SpamTool missed and whois data checked very carefully for RFCI whois 
eligibility (and a WDPRS report).

Oh, and I have a patched Mail::SpamAssassin::Plugin::URIDNSBL to pass 
the domain names scanned over UDP to another listening application that 
tests for missing entries in RFCI bogusmx and automatically sends the 
submission by email. It also sends BCCs to postmaster@ and abuse@ so 
that victims of friendly fire (through inadvertently using a CNAME 
for their MX rather than deliberately registering 127.0.0.1) can get 
unlisted.

-- 
Rob Skedgell [EMAIL PROTECTED]




RE: HTML Spam messages with float tag ?

2005-09-14 Thread Bowie Bailey
From: Brian Ipsen 
 
 The number of messages like below has increased.  Unfortunately,
 they are not reported to SpamCop fast enough for SURBL to handle
 them... Has anyone created some sort of filter to identify this
 type of messages ??
 
 <STYLE></STYLE>
 </HEAD>
 <BODY bgColor=#ff>
 <DIV>&nbsp;</DIV>
 <DIV><A href=link>link to site</A></DIV>
 <DIV>&nbsp;</DIV>
 <DIV style=FLOAT: left;><FONT face=Courier>Me<BR>Xa<BR>Ul<BR>Am<BR><STRONG>Ci</STRONG><BR>Le<BR><STRONG>Va</STRONG><BR>Pr<BR><STRONG>Vi</STRONG><BR>Ce</FONT></DIV>
 <DIV style=FLOAT: left;><FONT face=Courier>ri<BR>na<BR>tr<BR>bi<BR><STRONG>al</STRONG><BR>vi<BR><STRONG>li</STRONG><BR>op<BR><STRONG>ag</STRONG><BR>le</FONT></DIV>
 <DIV style=FLOAT: left;><FONT face=Courier>di<BR>x<BR>am<BR>en<BR><STRONG>is</STRONG><BR>tr<BR><STRONG>um</STRONG><BR>ec<BR><STRONG>ra</STRONG><BR>br</FONT></DIV>
 <DIV style=FLOAT: left;><FONT face=Courier>a<BR><BR><BR><BR>&nbsp;1.<BR>a<BR>&nbsp;3.<BR>ia<BR>&nbsp;3.<BR>ex</FONT></DIV>
 <DIV style=FLOAT: left;><FONT face=Courier><BR><BR><BR><BR>21<BR><BR>75<BR><BR>33<BR></FONT></DIV>
 </BODY></HTML>

I just did this:

rawbody BUC_FLOAT /DIV style=FLOAT:/
score BUC_FLOAT 1

I scored it at 1 because I wasn't sure about false positives.  The
blacklists and SURBL catch most of them now, so I never bothered to up
the score.  I haven't done any detailed research, but I do notice that
all but one of the mails that hit this rule in the last week also hit
URIBL_SBL or one of the SURBL rules, so it doesn't seem to produce too
many false positives (at least in my environment).

Bowie


Re: HTML Spam messages with float tag ?

2005-09-14 Thread Ilan Aisic
Hi Brian,
Look for the thread about Pharamcudical list of words in a table.
See: http://www.gossamer-threads.com/lists/spamassassin/users/59435?page=last
 
All these messages are probably coming from one evil source. 
Some say it's a guy called Leo Kuvayev and he keeps changing the messages and trying to fool SA.
You really should include SARE_OBFU and SARE_HTML (in
http://www.rulesemporium.com/). I see that these rule files
score some points on Leo's messages. But most of the points are
from all the network checks.
I also added my own personal rule to increase the total score on these tables:

# This one adopted from sare_html:
rawbody IA_HTML_MANY_BR
/br.{0,10}br.{0,10}br.{0,10}br.{0,10}br/i
describe IA_HTML_MANY_BR Tooo many close br's!
score IA_HTML_MANY_BR 0.500


 
On 9/14/05, Brian Ipsen [EMAIL PROTECTED] wrote:
 Hi,
 
 The number of messages like below has increased. Unfortunately, they are
 not reported to SpamCop fast enough for SURBL to handle them... Has anyone
 created some sort of filter to identify this type of messages ??
 
 [HTML sample quoted in full in Brian's message above]
 
 Regards,
 /Brian

-- 
Ilan Aisic
Registered Linux User 8124 http://counter.li.org
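An added example (not code from the thread): Python that reverses the float-column layout of Brian's sample, so the vertical two-letter pieces become the horizontal words a body rule can match, and that runs Bowie's BUC_FLOAT and Ilan's IA_HTML_MANY_BR regexes over the same input plus a constructed benign layout to show where the float rule alone over-fires. The HTML is reconstructed from the quoted message with its tags restored; the exact markup and the benign sample are assumptions.

```python
import html
import re
from itertools import zip_longest

# Constructed sample, modelled on the spam quoted in this thread, with the
# tags restored: five left-floated DIVs, each one column of two-letter pieces
# separated by <BR>. Read down a column it is noise; read across, it is text.
SAMPLE_HTML = """<HTML><HEAD><STYLE></STYLE></HEAD>
<BODY bgColor=#ff>
<DIV>&nbsp;</DIV>
<DIV><A href=link>link to site</A></DIV>
<DIV>&nbsp;</DIV>
<DIV style=FLOAT: left;><FONT face=Courier>Me<BR>Xa<BR>Ul<BR>Am<BR><STRONG>Ci</STRONG><BR>Le<BR><STRONG>Va</STRONG><BR>Pr<BR><STRONG>Vi</STRONG><BR>Ce</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier>ri<BR>na<BR>tr<BR>bi<BR><STRONG>al</STRONG><BR>vi<BR><STRONG>li</STRONG><BR>op<BR><STRONG>ag</STRONG><BR>le</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier>di<BR>x<BR>am<BR>en<BR><STRONG>is</STRONG><BR>tr<BR><STRONG>um</STRONG><BR>ec<BR><STRONG>ra</STRONG><BR>br</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier>a<BR><BR><BR><BR>&nbsp;1.<BR>a<BR>&nbsp;3.<BR>ia<BR>&nbsp;3.<BR>ex</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier><BR><BR><BR><BR>21<BR><BR>75<BR><BR>33<BR></FONT></DIV>
</BODY></HTML>"""

# Constructed benign body that floats a logo for layout: the BUC_FLOAT rule
# (scored 1 in the thread) fires on it too, which is why it was scored low.
BENIGN_HTML = """<HTML><BODY>
<DIV style=FLOAT: left;><IMG src=logo.gif></DIV>
<DIV>Your order has shipped.<BR>Tracking: 123456<BR>Thanks!</DIV>
</BODY></HTML>"""

FLOAT_DIV_RE = re.compile(r'<DIV\s+style="?FLOAT:\s*left;?"?[^>]*>(.*?)</DIV>',
                          re.IGNORECASE | re.DOTALL)
BR_RE = re.compile(r"<BR\s*/?>", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")

# The two rawbody rules posted in this thread, as Python regexes. rawbody
# rules see the undecoded body, which is what these functions take.
RULES = {
    "BUC_FLOAT": re.compile(r"DIV style=FLOAT:"),
    "IA_HTML_MANY_BR": re.compile(r"br.{0,10}br.{0,10}br.{0,10}br.{0,10}br",
                                  re.IGNORECASE),
}


def extract_columns(doc):
    """One list of cell strings per left-floated DIV, split on <BR>, with
    inner tags dropped and entities (including &nbsp;) decoded."""
    columns = []
    for inner in FLOAT_DIV_RE.findall(doc):
        cells = [html.unescape(TAG_RE.sub("", c)).replace("\xa0", " ")
                 for c in BR_RE.split(inner)]
        columns.append(cells)
    return columns


def reconstruct_rows(doc):
    """Re-read the float columns across instead of down: row i is cell i of
    every column concatenated, i.e. the text a human sees on screen."""
    rows = []
    for cells in zip_longest(*extract_columns(doc), fillvalue=""):
        row = re.sub(r"\s+", " ", "".join(cells)).strip()
        if row:
            rows.append(row)
    return rows


def rule_hits(doc):
    """Which of the thread's two rules fire on this raw body."""
    return {name: bool(rx.search(doc)) for name, rx in RULES.items()}


if __name__ == "__main__":
    for line in reconstruct_rows(SAMPLE_HTML):
        print(line)
    print("spam  :", rule_hits(SAMPLE_HTML))
    print("benign:", rule_hits(BENIGN_HTML))
```

Feeding `reconstruct_rows` output to an ordinary body word rule gives a hit the raw HTML never would, while the `BENIGN_HTML` result shows why the float rule by itself needs a low score.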


Re: Very simple user query...

2005-09-14 Thread Lefteris Tsintjelis

I prefer to send it immediately which makes the updates of DCC and
razor even faster. 


How do you do it? Do you report back automatically every detected SPAM? 
That shouldn't be done, as I read from the homepage.


Not out of the box, I agree with that. I am using 3 threshold levels
and tested, trained and fine tuned the whole system for a while
before I turned on the auto reporting. Everything above a level is auto
reported with a hit rate of 99.99%. I use a dedicated machine to
redirect, report and hold that SPAM for a while for this job only.
Everything in the middle I pass through a couple of scripts,
analyze it, and what is left of it (not really much) I manually report
or take action against it so it does not enter the site again, but that
depends on the case. Did I also mention the use of quite a few SPAM
traps and grey listing (both are very effective)?

What I am not so sure of is the SpamCop reporting.
It seems that it's a complete waste since the blacklist it
maintains is not getting updated by any of those reports.


AFAIK, spamcop sends e-mail to the admins responsible for that IP, and 
so it should help that ISPs get reports of zombies, relays, and so on. 
It fights on another level, but that one should be quite effective.


Only if you are a registered (paid) user, then it is definitely worth
reporting and things are listed relatively fast (I have a few
objections to the exceptions he is making in favor of a large and
pretty well known site, SPAM is SPAM no matter where it comes from)
but I guess overall, it's as you say it is. If you are not a
registered user though IMHO then it's a waste of resources.


Re: Very simple user query...

2005-09-14 Thread Michael Monnerie
On Mittwoch, 14. September 2005 16:12 Lefteris Tsintjelis wrote:
 Did I also mention the use of quite a few SPAM
 traps and grey listing (both are very effective).

Oh I love those, too *beg*

 Only if you are a registered (paid) user, then it is definitely worth
 reporting and things are listed relatively fast (I have a few
 objections to the exceptions he is making in favor of a large and
 pretty well known site, SPAM is SPAM no matter where it comes from)
 but I guess overall, it's as you say it is. If you are not a
 registered user though IMHO then it's a waste of resources.

I registered, but do not pay. I just changed my script to use 
spamassassin and not sa-learn, now it reports to spamcop too. The 
problem is, I get a mail per reported mail, where I have to click on a 
link and press confirm on that page - annoying. Anybody got an idea 
how to prevent that confirmation?

mfg zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: OT Spam sources

2005-09-14 Thread Michael Monnerie
On Mittwoch, 14. September 2005 16:03 DAve wrote:
  the robots are just not smart enough to know that our forms
 don't work the way they suspect.

Maybe rename the script? Could be there's a script of that name which is 
vulnerable...

mfg zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: Very simple user query...

2005-09-14 Thread Lefteris Tsintjelis

Anybody got an idea
how to prevent that confirmation?


Use spamcop_to_address quick. instead of submit., but that's something
you have to activate. The site has further info about this.


testing spamassassin

2005-09-14 Thread Steven Lamb

I have a corpus of email and have been trying to get good metrics on it. I
have run the messages through with spamassassin -t but this only adds stuff
onto the ends of all of my messages. Is there any way to get a summary of
the test, i.e. how many are spam, how many are ham, average score and so
forth, or even have it separate my messages into different folders? I know
this is a newbie-ish question but I am indeed a newbie.

I am running spamassassin version 3.0.4-1.fc4, on redhat fedora core 4  with
amavisd-new and clam-av

thanks in advance for any help you can provide



Re: testing spamassassin

2005-09-14 Thread Matt Kettler
Steven Lamb wrote:
 I have a corpus of email and have been trying to get good metrics on it. I
 have run the messages through with spamassassin -t but this only adds stuff
 onto the ends of all of my messages. Is there any way to get a summary of
 the test, i.e. how many are spam, how many are ham, average score and so
 forth, or even have it separate my messages into different folders? I know
 this is a newbie-ish question but I am indeed a newbie.

If you unpack the source tarball, there's a directory called masses. This
contains the tools used by the developers to perform mass-checks.

You'll want to use mass-check first.
http://wiki.apache.org/spamassassin/MassCheck


from there, feed the spam.log and ham.log files to hit-frequencies which will
generate a table just like the STATISTICS-*.txt files that come with SA (check
the rules subdir of the tarball).

http://wiki.apache.org/spamassassin/HitFrequencies
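To show what those two steps produce, here is an added example (my own code, not the tools in the masses/ directory) that parses mass-check style logs and prints the numbers Steven asked for, plus a hit-frequencies style table. It assumes the log layout mass-check writes: one message per line with a Y or . verdict column, the score, the message path and a comma-separated list of rule hits, optionally followed by key=value fields. The sample log lines are constructed.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    judged_spam: bool      # 'Y' in column one: SA scored it over the threshold
    score: float
    path: str
    rules: List[str]


# Constructed sample logs in the layout this example assumes for mass-check
# output.  In spam.log a '.' line is a miss, in ham.log a 'Y' line is a
# false positive.
SPAM_LOG = """\
# mass-check run on /corpus/spam (constructed sample)
Y 12.3 /corpus/spam/0001 BAYES_99,URIBL_SBL,HTML_MESSAGE
Y 7.8 /corpus/spam/0002 BAYES_80,HTML_MESSAGE
. 4.1 /corpus/spam/0003 HTML_MESSAGE
Y 9.0 /corpus/spam/0004 BAYES_99,URIBL_SBL scantime=1.2
"""
HAM_LOG = """\
. 0.2 /corpus/ham/0001 HTML_MESSAGE
. -2.5 /corpus/ham/0002 BAYES_00
Y 5.3 /corpus/ham/0003 BAYES_99,HTML_MESSAGE
. -2.2 /corpus/ham/0004 BAYES_00,HTML_MESSAGE
"""


def parse_masscheck_log(text: str) -> List[Entry]:
    """One Entry per result line; comments and unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("Y", "."):
            continue                      # not a result line
        rules: List[str] = []
        if len(fields) > 3 and "=" not in fields[3]:
            rules = [r for r in fields[3].split(",") if r]
        entries.append(Entry(fields[0] == "Y", float(fields[1]), fields[2], rules))
    return entries


def corpus_summary(entries: List[Entry]) -> Dict[str, float]:
    """Counts and mean score for one corpus: the numbers the question asked for."""
    n = len(entries)
    judged_spam = sum(1 for e in entries if e.judged_spam)
    mean = sum(e.score for e in entries) / n if n else 0.0
    return {"messages": n, "judged_spam": judged_spam,
            "judged_ham": n - judged_spam, "mean_score": round(mean, 2)}


def hit_frequencies(spam: List[Entry], ham: List[Entry]) -> Dict[str, Tuple[float, float]]:
    """Per rule: (% of spam messages hit, % of ham messages hit), hit-frequencies style."""
    spam_hits = Counter(r for e in spam for r in e.rules)
    ham_hits = Counter(r for e in ham for r in e.rules)
    table = {}
    for rule in sorted(set(spam_hits) | set(ham_hits)):
        pct_spam = 100.0 * spam_hits[rule] / len(spam) if spam else 0.0
        pct_ham = 100.0 * ham_hits[rule] / len(ham) if ham else 0.0
        table[rule] = (round(pct_spam, 1), round(pct_ham, 1))
    return table


if __name__ == "__main__":
    spam, ham = parse_masscheck_log(SPAM_LOG), parse_masscheck_log(HAM_LOG)
    print("spam:", corpus_summary(spam))
    print("ham: ", corpus_summary(ham))
    for rule, (s, h) in hit_frequencies(spam, ham).items():
        print(f"{rule:20} spam {s:5.1f}%  ham {h:5.1f}%")
```

A rule that hits a large share of ham as well as spam (HTML_MESSAGE in the sample) is exactly what the real hit-frequencies output lets you spot before you raise a score on it.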


Re: OT Spam sources

2005-09-14 Thread Mike Jackson

the robots are just not smart enough to know that our forms
don't work the way they suspect.


Maybe rename the script? Could be there's a script of that name which is 
vulnerable...


All our forms have odd names, we did that when the first Formmail.pl 
attacks showed up years ago.


This sounds a lot like the spamming attempts I've been seeing. They seem to 
go something like this:


* Attacker finds a form. I'm not sure if they use either a search engine or 
just random crawls of some sort. I'm thinking the latter; when I first saw 
it, it was on the servers at work (I'm the admin for a small web 
development/hosting firm) and the attempts came on sites on the same IP 
address (consecutive IPs at that, on two different servers; other sites on 
other IPs in another subnet were unaffected). Later, I saw a similar attempt 
on my personal site, hosted on my own server somewhere else entirely. I 
should note than not all of these forms had common mail form names; the one 
on my personal site was feedback.php, which could've just as easily 
submitted to the recipient via some other method, not just email. When I 
looked at the Apache logs for how they got to feedback form, they hit the 
index of the site first and followed a path almost directly to the feedback 
form, leading me to think they're crawling and looking for a wider variety 
of form name possibilities than you might think.


* Attacker submits the form with all the fields filled in with random 
addresses (gibberish usernames followed by the domain of the site), and some 
fields (that seem to indicate they'd be inserted into From:, To:, or 
Subject: lines) with additional header lines and MIME message separators. 
They don't seem to do much with this at first; from what I saw, they supply 
a drop account email somewhere in there to test if it worked...


* If the attacker received one of the messages to the drop account, they 
start using the form in a more direct spam-like way, supplying Bcc: 
addresses in the headers that do go to legitimate addresses. The messages 
still look like crap, depending on the original form and what it does.


That's as far as it escalated when I observed it. It was at that point that 
we caught the vulnerability in the form script used on the sites at work and 
plugged the holes. (I didn't write it, BTW; the one on my personal site only 
got a message to me.)


Here's a couple things I did from the server side as a first line of defense 
to stop this:


* All the attempts came from proxy servers. Well, I'll assume they were 
proxy servers and not individuals all around the world collaborating on the 
attacks! I installed an Apache module that would do RBL lookups 
(configurable, I use opn.blitzed.org) and deny based on a positive match. 
I'm sure the attacker's (or attackers') proxy list is fresher than the RBLs, 
but I just wanted to add enough stumbling blocks to deter the current and 
future attackers.


* All the attempts came in with blank user agent strings. This is more of a 
stretch (as I discovered), but I started denying requests with blank user 
agents. PHP's functions that open URLs as files don't send user agent 
strings either, so be careful with this one if anything on your server will 
be accessed that way. Attackers could just as easily extend their tools to 
use random user agent strings.


Hope this helps. I'd really love to track down the tool these attackers are 
using, but my hat isn't black enough for that. 
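Mike's description covers the whole escalation: crawl for a form, stuff extra header lines into whichever field ends up in From:, To: or Subject:, confirm with a drop account, then Bcc: real victims. The script-side fix is the one he alludes to: never let a form field break a header line, and never let the form choose the recipient. What follows is an added example of that check (my code, not Mike's feedback.php or any script from the thread), in Python; the recipient address and the field names are placeholders.

```python
import re
from email.message import EmailMessage
from typing import Tuple

# The recipient is fixed in the script; the form never gets to choose it.
# (example.invalid is a placeholder, not an address from the thread.)
FEEDBACK_RECIPIENT = "webmaster@example.invalid"
MAX_HEADER_FIELD = 200


class RejectedSubmission(ValueError):
    """Raised when a form field cannot safely be placed in a mail header."""


# A header value ends at CR or LF; anything after that would be parsed as a
# new header line (Bcc:, Content-Type:, a MIME boundary, ...).
_LINE_BREAK = re.compile(r"[\r\n]")
# Exactly one bare address: no display name, list separators or angle brackets.
_ADDRESS = re.compile(r"[^@\s<>,;:]+@[^@\s<>,;:]+\.[A-Za-z0-9-]+")


def header_field(value: str, name: str) -> str:
    """Return value if it fits on one header line, otherwise reject it."""
    if _LINE_BREAK.search(value):
        raise RejectedSubmission(f"{name}: line break in header field")
    if len(value) > MAX_HEADER_FIELD:
        raise RejectedSubmission(f"{name}: field too long")
    return value.strip()


def sender_address(value: str) -> str:
    """Accept a single plain address for Reply-To, nothing else."""
    value = header_field(value, "email")
    if not _ADDRESS.fullmatch(value):
        raise RejectedSubmission("email: not a single plain address")
    return value


def build_feedback(form: dict) -> EmailMessage:
    """Build the notification mail from the submitted form fields."""
    msg = EmailMessage()
    msg["To"] = FEEDBACK_RECIPIENT
    msg["From"] = FEEDBACK_RECIPIENT          # our own address, never the visitor's
    msg["Reply-To"] = sender_address(form.get("email", ""))
    msg["Subject"] = "[feedback] " + header_field(form.get("subject", ""), "subject")
    # The free-text body goes through set_content(), which makes it a single
    # text part: a pasted "Bcc:" line or boundary string stays body text.
    msg.set_content(form.get("message", ""))
    return msg


def check_submission(form: dict) -> Tuple[bool, str]:
    """Wrapper that reports (accepted, reason) instead of raising."""
    try:
        build_feedback(form)
        return True, "ok"
    except RejectedSubmission as exc:
        return False, str(exc)
```

The two decisions that matter are that the visitor's address only ever lands in Reply-To, and that every header-bound field is refused outright on a line break rather than cleaned up, which also gives you a clean log line to count probes by.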



Re: SA 3.1.0-rc1 and rc2: Extra LF in headers

2005-09-14 Thread Justin Mason

I'd suggest opening a bug, and *attaching* some samples, without munging
them.  It's quite hard to figure out what's going on when half of the key
parts of the messages have been obfuscated.

--j.

M. Lucas writes:
 On Wed, 2005-09-14 at 03:17 -0400, Daryl C. W. O'Shea wrote:
  Maurice Lucas wrote:
   Hello,
   
   I have a problem with both 3.1.0-rc1 and 3.1.0-rc2.
   
   Some of my mail is checked by SA and marked as spam but gets an extra 
   LF causing the rest of my tools to ignore the X-Spam-Status header field.
  
  That's weird, X-Spam headers from 3.1 should be above a received header. 
Does all of your mail have its X-Spam headers appended to the end of 
  the existing headers?
 
 No and yes below is your message and some other spam of yesterday
 
 The main difference is in the lines
 ham:
 X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on 
 MUNGLED
 X-Spam-Level: 
 
 Spam:
 Received: from localhost by MUNGLED with SpamAssassin (version
 3.1.0-rc2);
 Wed, 14 Sep 2005 03:38:25 +0200
 
 The spam mail is received by SA while the ham is only checked by
 
 --
 Return-Path: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: (qmail 19001 invoked by alias); 14 Sep 2005 07:16:58 -
 Delivered-To: [EMAIL PROTECTED]
 Received: (qmail 18998 invoked from network); 14 Sep 2005 07:16:58 -
 Received: from unknown (HELO MUNGLED) (MUNGLED) by
 MUNGLED with SMTP; 14 Sep 2005 07:16:58 -
 Received: (qmail 8858 invoked from network); 14 Sep 2005 07:17:22 -
 X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on 
 MUNGLED
 X-Spam-Level: 
 X-Spam-Status: No, hits=0.0 required=7.0 tests=none autolearn=no 
 version=3.1.0-rc2
 Received: from MUNLED (MUNGLED [MUNGLED]) by
 MUNGLED ([MUNGLED]) with ESMTP via TCP; 14 Sep 2005
 07:17:22 -
 Received: from MUNGLED
 (MUNGLED [MUNGLED]) (authenticated user
 MUNGLED) by MUNGLED (MUNGLED
 [MUNGLED]) (Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R)
 with
 ESMTP id 63-md5000118.tmp for [EMAIL PROTECTED]; Wed, 14 Sep
 2005
 02:17:16 -0500
 Received: from [MUNGLED] ([MUNGLED]) (authenticated bits=0)
 by MUNGLED (8.12.8/8.12.8) with ESMTP id
 j8E7HEKK014456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA
 bits=256
 verify=NO); Wed, 14 Sep 2005 03:17:14 -0400
 Message-ID: [EMAIL PROTECTED]
 Date: Wed, 14 Sep 2005 03:17:13 -0400
 From: Daryl C. W. O'Shea [EMAIL PROTECTED]
 User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
 X-Accept-Language: en-us, en
 MIME-Version: 1.0
 To: Maurice Lucas 
 CC: Spamassassin 
 Subject: Re: SA 3.1.0-rc1 and rc2: Extra LF in headers
 Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 Content-Transfer-Encoding: 7bit
 X-Authenticated-Sender: [EMAIL PROTECTED]
 X-MDRemoteIP: MUNGLED
 X-Return-Path: MUNGLED
 X-MDaemon-Deliver-To: MUNGLED
 -
 
 SPAM message
 -
 Return-Path:
 [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: (qmail 9032 invoked by alias); 14 Sep 2005 01:38:01 -
 Delivered-To: [EMAIL PROTECTED]
 Received: (qmail 9029 invoked from network); 14 Sep 2005 01:38:01 -
 Received: from unknown (HELO MUNGLED) (MUNGLED) by
 MUNGLED with SMTP; 14 Sep 2005 01:38:01 -
 Received: (qmail 23704 invoked from network); 14 Sep 2005 01:38:25 -
 Received: from localhost by MUNGLED with SpamAssassin (version
 3.1.0-rc2);
 Wed, 14 Sep 2005 03:38:25 +0200
 From: Earline Aguilar [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: SPAM(11.5) Become an employee of our company.
 Date: Tue, 13 Sep 2005 10:42:16 -0700
 Message-Id: [EMAIL PROTECTED]
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on 
 capella.taos-it.nl
 X-Spam-Level: ***
 X-Spam-Status: Yes, hits=11.5 required=7.0 tests=BAYES_00=-2.599,
 RCVD_IN_BL_SPAMCOP_NET=1.558,RCVD_IN_NJABL_DUL=1.946,
 RCVD_IN_SORBS_DUL=2.046,RCVD_IN_WHOIS_BOGONS=2.43,
 RCVD_IN_WHOIS_INVALID=2.234,RCVD_IN_XBL=3.897,UNPARSEABLE_RELAY=0.001 
 autolearn=no version=3.1.0-rc2
 MIME-Version: 1.0
 Content-Type: multipart/mixed; boundary=--=_43277F11.58AE5373
 
 With kind regards,
 Maurice Lucas



RE: Scanning outgoing email

2005-09-14 Thread Bret Miller

 We're in the need of checking parts of our outgoing email for spam (read:
 we've got unknown webmail users.. hugs lots of them, actually.. and some of
 them have this annoying habit of sending nigeria spam)

 My question is how to get SpamAssassin to identify the spam, as the network
 tests will be quite useless (all the email will be originating in a
 standard format, from our own servers).  Bayes will probably be quite
 efficient, and so will various other local checks - but I have this nagging
 feeling that the standard weighting of the rules will be too lax in this
 use-case (due to nothing but content-checks triggering).

 How do we re-weight the rules, and does anyone have any good suggestions on
 which checks to use?  Also, checking for certain blacklisted URLs in the
 messages will probably help (Someone recommended SURBL for this) .. but I
 think a re-weighting will still be in order.

 Suggestions?

I'd be inclined to try the SARE fraud rules (see www.rulesemporium.com)
in addition to the SA internal and bayes tests. If you find that doesn't
give you a high enough score, pushing the BAYES_99 score a little higher
might be in order.

Bret





spamc connection refused

2005-09-14 Thread dave

We recently needed to downgrade an underpowered solaris host to SA2.64

I start spamd with a max of 32 processes and some people get lots of mail. 
Users fire off spamc via their .procmailrc


I'm now seeing a lot of

[ID 702911 mail.error] connect(AF_INET) to spamd at 127.0.0.1 failed, 
retrying (#3 of 3): Connection refused


Can I presume these are just an indication of resource limits?

Thanks


 =-=-=-=-=-=-=-=-=-=-  generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=
 David SternUniversity of Maryland
   Institute for Advanced Computer Studies


Re: Very simple user query...

2005-09-14 Thread Nix
On Mon, 12 Sep 2005, Steve whispered secretively:
 Genius answer! For some reason it had completely escaped my notice
 that all of the spams missed by SA over the past month had a
 uk.geocities.com address!  I've opted for a score of 4 for any mail
 mentioning a uk.geocities.com URL - which is hopefully good enough

For me, Bayes catches them all, so a score of 1.1 for stuff mentioning
geocities is sufficient to push the evil emails over the 5.0 threshold.

-- 
`One cannot, after all, be expected to read every single word
 of a book whose author one wishes to insult.' --- Richard Dawkins


Re: HTML Spam messages with float tag ?

2005-09-14 Thread M.Lewis
The ones that get through here do so with a very low score. Around 1.00 
or below. I already have both the SARE_OBFU  SARE_HTML rules in place. 
I'm filtering on domains, but that is not extremely successful as he/she 
adds about 3-4 new ones every day. Current count is now 85. If you wish 
a list, mail me privately.


Thanks,
Mike

Ilan Aisic wrote:

Hi Brian,
Look for the thread about Pharamcudical list of words in a table.
See: http://www.gossamer-threads.com/lists/spamassassin/users/59435?page=last

All these messages are probably coming from one evil source.
Some say it's a guy called Leo Kuvayev and he keeps changing the 
messages and trying to fool SA.
You really should include SARE_OBFU and SARE_HTML (in 
http://www.rulesemporium.com/).   I see that these rule files score some 
points on Leo's messages.  But most of the points are from all the 
network checks.
I also added my own personal rule to increase the total score on these 
tables:


# This one adopted from sare_html:
rawbody   IA_HTML_MANY_BR  /br.{0,10}br.{0,10}br.{0,10}br.{0,10}br/i
describe  IA_HTML_MANY_BR  Tooo many close br's!
score     IA_HTML_MANY_BR  0.500


On 9/14/05, Brian Ipsen [EMAIL PROTECTED] wrote:


Hi,

The number of messages like below has increased. Unfortunately, they are
not reported to SpamCop fast enough for SURBL to handle them. Has anyone
created some sort of filter to identify this type of messages?

<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ff>
<DIV>&nbsp;</DIV>
<DIV><A href="link">link to site</A></DIV>
<DIV>&nbsp;</DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>Me<BR>Xa<BR>Ul<BR>Am<BR><STRONG>Ci</STRONG><BR>Le<BR><STRONG>Va</STRONG><BR>Pr<BR><STRONG>Vi</STRONG><BR>Ce</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>ri<BR>na<BR>tr<BR>bi<BR><STRONG>al</STRONG><BR>vi<BR><STRONG>li</STRONG><BR>op<BR><STRONG>ag</STRONG><BR>le</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>di<BR>x<BR>am<BR>en<BR><STRONG>is</STRONG><BR>tr<BR><STRONG>um</STRONG><BR>ec<BR><STRONG>ra</STRONG><BR>br</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>a<BR><BR><BR><BR>&nbsp;1.<BR>a<BR>&nbsp;3.<BR>ia<BR>&nbsp;3.<BR>ex</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier><BR><BR><BR><BR>21<BR><BR>75<BR><BR>33<BR></FONT></DIV>
</BODY></HTML>


Regards,
/Brian




--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org
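The trick in Brian's sample is that each left-floated DIV is one column of two-letter fragments; a browser lays the columns side by side, so the reader sees the words row by row, while a body rule reading the HTML top to bottom only ever sees "Me", "Xa", "Ul". As an added example (mine, not Ilan's rule or anything from SARE) here is a detector that stitches the columns back together and flags the layout. The sample document is constructed to mirror the message above, and the benign one is made up for contrast.

```python
import html
import re
from typing import List

# Constructed sample modelled on the message quoted in this thread: five
# floated DIVs side by side, each holding one column of short fragments.
SAMPLE = """<HTML><BODY>
<DIV>&nbsp;</DIV>
<DIV><A href="link">link to site</A></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>Me<BR>Xa<BR>Ul<BR>Am<BR><STRONG>Ci</STRONG><BR>Le<BR><STRONG>Va</STRONG><BR>Pr<BR><STRONG>Vi</STRONG><BR>Ce</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>ri<BR>na<BR>tr<BR>bi<BR><STRONG>al</STRONG><BR>vi<BR><STRONG>li</STRONG><BR>op<BR><STRONG>ag</STRONG><BR>le</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>di<BR>x<BR>am<BR>en<BR><STRONG>is</STRONG><BR>tr<BR><STRONG>um</STRONG><BR>ec<BR><STRONG>ra</STRONG><BR>br</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>a<BR><BR><BR><BR>&nbsp;1.<BR>a<BR>&nbsp;3.<BR>ia<BR>&nbsp;3.<BR>ex</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier><BR><BR><BR><BR>21<BR><BR>75<BR><BR>33<BR></FONT></DIV>
</BODY></HTML>"""

# An ordinary two-column page layout, for contrast (constructed).
BENIGN = """<DIV style="float: left">Navigation: home, products, contact us</DIV>
<DIV style="float: left">Welcome to our site. Please read the notes below.</DIV>"""

FLOAT_DIV = re.compile(r"<DIV[^>]*FLOAT:\s*left[^>]*>(.*?)</DIV>", re.I | re.S)
BR = re.compile(r"<BR\s*/?>", re.I)
TAG = re.compile(r"<[^>]+>")


def float_columns(doc: str) -> List[List[str]]:
    """Each left-floated DIV becomes one column: its <BR>-separated cells."""
    columns = []
    for body in FLOAT_DIV.findall(doc):
        cells = [html.unescape(TAG.sub("", c)).replace("\xa0", " ")
                 for c in BR.split(body)]
        columns.append(cells)
    return columns


def reconstruct_rows(doc: str) -> List[str]:
    """Read across the columns, the way the browser renders them."""
    columns = float_columns(doc)
    height = max((len(c) for c in columns), default=0)
    rows = []
    for i in range(height):
        row = "".join(c[i] if i < len(c) else "" for c in columns)
        rows.append(" ".join(row.split()))     # collapse the &nbsp; padding
    return rows


def is_column_obfuscated(doc: str, min_columns: int = 3, min_rows: int = 4) -> bool:
    """Several equal-height floated columns made of tiny fragments."""
    columns = float_columns(doc)
    if len(columns) < min_columns:
        return False
    heights = {len(c) for c in columns}
    if len(heights) != 1 or heights.pop() < min_rows:
        return False
    cells = [c.strip() for col in columns for c in col if c.strip()]
    short = sum(1 for c in cells if len(c) <= 3)
    return bool(cells) and short / len(cells) >= 0.8


if __name__ == "__main__":
    print(is_column_obfuscated(SAMPLE), reconstruct_rows(SAMPLE))
    print(is_column_obfuscated(BENIGN))
```

Once the rows are reconstructed the usual word lists apply to them, which is why this sort of spam keeps its fragments two letters long: the structural test (many equal-height columns of fragments) is what survives the next round of changes, not any particular word.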


Re: OT Spam sources

2005-09-14 Thread Christopher X. Candreva
On Wed, 14 Sep 2005, DAve wrote:

 Just curious if anyone else was seeing this besides me. I suspect the spammers
 are making a new attempt to find web forms they can abuse and possibly the
 robots are just not smart enough to know that our forms don't work the way
 they suspect.

Seeing it too, others have described it in detail.

At this point it's just annoying, with users receiving many forms with this 
garbage. Since the requests seem to come in rapid succession, I've thought 
about an IP cache, and limiting the number of times an IP can submit the 
form per unit time. It hasn't gone past the idea stage.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
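Chris's "IP cache" idea, worked through as an added example (my code, not anything from Chris or the thread): a sliding-window counter per client address that a form handler consults before it accepts a submission. The addresses and limits are made up.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class PerIPSubmitLimiter:
    """Cap on form submissions per client address within a sliding window."""

    def __init__(self, max_per_window: int, window_seconds: float):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        """Record an attempt from ip; False means the handler should refuse it."""
        if now is None:
            now = time.monotonic()
        q = self._hits[ip]
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False                          # refused: not recorded
        q.append(now)
        return True

    def prune(self, now: Optional[float] = None) -> int:
        """Forget addresses with no hits in the window; return how many remain."""
        if now is None:
            now = time.monotonic()
        cutoff = now - self.window
        for ip in list(self._hits):
            q = self._hits[ip]
            while q and q[0] <= cutoff:
                q.popleft()
            if not q:
                del self._hits[ip]
        return len(self._hits)


if __name__ == "__main__":
    # Constructed timeline: 3 submissions per 60 s allowed from one address.
    limiter = PerIPSubmitLimiter(max_per_window=3, window_seconds=60)
    for t in (10, 20, 30, 31, 70, 71):
        print(t, limiter.allow("192.0.2.10", now=t))
```

As Mike noted earlier in this thread, the attempts arrive through proxy servers, so a per-address cap slows a crawler rather than stops it; it belongs beside the form's own checks (the image test DAve mentioned, header validation in the script), not in place of them.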


Turning On/Off SpamCop reporting for SpamAssassin 3.0.4

2005-09-14 Thread Lefteris Tsintjelis

The following patches apply to SA 3.0.4 only. Adds a new parameter to local.cf: 
use_spamcop ( 0 | 1 )

*** Conf.pm.origMon Jun  6 04:31:23 2005
--- Conf.pm Wed Sep 14 23:27:06 2005
***
*** 1108,1113 
--- 1108,1125 
  }
});

+ =item use_spamcop ( 0 | 1 )  (default: 1)
+
+ Whether to use SpamCop, if it is available.
+
+ =cut
+
+   push (@cmds, {
+ setting = 'use_spamcop',
+ default = 1,
+ type = $CONF_TYPE_BOOL
+   });
+
  =item spamcop_from_address [EMAIL PROTECTED]   (default: none)

  This address is used during manual reports to SpamCop as the From:
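Review bot: the POD text "Whether to use SpamCop, if it is available" does not say which use it means, and SpamCop is also a DNSBL (RCVD_IN_BL_SPAMCOP_NET appears in headers quoted elsewhere in this digest), so a reader could take use_spamcop 0 to switch off that lookup; since the Reporter.pm hunk only consults the setting in spamcop_report, say so, e.g. "Whether to report spam to SpamCop when a report is requested. This does not affect the RCVD_IN_BL_SPAMCOP_NET check." Keeping the default at 1 preserves current behaviour for anyone who does not set it, which is right for a new local.cf option.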

*** Reporter.pm.origSat Mar 19 02:06:27 2005
--- Reporter.pm Wed Sep 14 23:19:51 2005
***
*** 394,399 
--- 394,401 
  sub spamcop_report {
my ($self, $original) = @_;

+   if (!$self-{conf}-{use_spamcop}) { return 0; }
+
# check date
my $header = $original;
$header =~ s/\r?\n\r?\n.*//s;
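Review bot: the early return 0 is silent, so someone who runs a report with use_spamcop 0 gets no hint in -D output why SpamCop was skipped; add a dbg() line before it, e.g. `dbg("reporter: SpamCop reporting disabled by use_spamcop");`. Placing the check ahead of the date check is the right order, since none of the header parsing that follows should run for a report that will not be sent, and testing the setting for falsity matches the boolean type declared for it in the Conf.pm hunk.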

Regards,

Lefteris


spamd maillog problem

2005-09-14 Thread Boris Alemi
I have set up spamassassin 3.0.4-1.el4 on a RedHat
Enterprise 4 with sendmail. This is the RPM supplied
by RedHat. The setup works properly and is able to
detect SPAM and HAM. However, I have not been able to
configure spamd properly to get the usual Clean
Message and identified spam lines to be added to my
/var/log/maillog file. I need these line to do the
usual stat analysis. I have tried all combination of
the following:

  - Turn off firewall
  - xinetd service on
  - -s /var/log/maillog spamd options
  - older spamassassin 2.55 on RedHat EL 3
  - download and recompiled SA 3.0.4 from source

Given the fact that I have tried all the above
options, I think I am doing something wrong and/or
missing something.

I would appreciate any help/suggestions regarding
this.

Thanks,
Boris Alemi




URIBL_SBL not being used?

2005-09-14 Thread Sean Greene
Hello,

This morning after having upgraded all installed ports on a FreeBSD mail
gateway machine running postfix, amavisd-new, clamav and spamassassin,
it appears that spamassassin is no longer working the way it had been.
Specifically it seems that the URIBL_SBL test isn't being applied,
though I do have score URIBL_SBL 4 in
/usr/local/etc/mail/spamassassin/local.cf. I don't know for sure that
this is the failure, however, looking at the headers of the spam
messages getting through none of them mention that test at all where
normally most of them would have tripped it.

SpamAssassin 3.0.4 was installed from the ports
(/usr/ports/mail/p5-Mail-SpamAssassin) and is invoked from amavisd-new.

Perl was upgraded from 5.8.6 to 5.8.7

I haven't any idea why this test should be failing now, nor what to do
to fix it. If anyone has any guidance to offer I would very much
appreciate it, and whatever more information is needed do please let me
know and I'd be happy to provide it.

Cheers,
Sean


Re: OT Spam sources

2005-09-14 Thread jdow

From: DAve [EMAIL PROTECTED]


Michael Monnerie wrote:

On Wednesday, 14 September 2005 16:03 DAve wrote:


the robots are just not smart enough to know that our forms
don't work the way they suspect.



Maybe rename the script? Could be there's a script of that name which is 
vulnerable...


mfg zmi


All our forms have odd names, we did that when the first Formmail.pl 
attacks showed up years ago.


I could come up with a rule or two to stop the message from being 
delivered, but I much prefer the image verification test in the form so 
the message never gets sent.


All one mail at a time does is slow them down. How many parallel
connections can they make at any one time?
{^_^} 



Re: URIBL_SBL not being used?

2005-09-14 Thread Matt Kettler
Sean Greene wrote:
 Hello,
 
 This morning after having upgraded all installed ports on a FreeBSD mail
 gateway machine running postfix, amavisd-new, clamav and spamassassin,
 it appears that spamassassin is no longer working the way it had been.
 Specifically it seems that the URIBL_SBL test isn't being applied,
 though I do have score URIBL_SBL 4 in
 /usr/local/etc/mail/spamassassin/local.cf. 

Are other URIBL tests still being used?



Re: OT Spam sources

2005-09-14 Thread jdow

From: Christopher X. Candreva [EMAIL PROTECTED]


On Wed, 14 Sep 2005, DAve wrote:

Just curious if anyone else was seeing this besides me. I suspect the
spammers are making a new attempt to find web forms they can abuse and
possibly the robots are just not smart enough to know that our forms don't
work the way they suspect.


Seeing it too, others have described it in detail.

At this point it's just annoying, with users receiving many forms with this
garbage. Since the requests seem to come in rapid succession, I've thought
about an IP cache, and limiting the number of times an IP can submit the
form per unit time. It hasn't gone past the idea stage.


Has anybody observed the odd things you must go through to establish
or edit accounts with many larger forms based servers like e-bay or
yahoo? The read the text from an image and type it in forms are
about the only thing that slow down the spammers.

Although there is something to be said for requiring a user ID and a
password that cannot be automatically signed up for when using forms
that can send to addresses other than one that is hard wired in and
immutable. (If that is possible in all possible cases.)

{^_^} 



Re: Scanning outgoing email

2005-09-14 Thread jdow

From: Bret Miller [EMAIL PROTECTED]

We're in the need of checking parts of our outgoing email for spam (read:
we've got unknown webmail users.. hugs lots of them, actually.. and some of
them have this annoying habit of sending nigeria spam)

My question is how to get SpamAssassin to identify the spam, as the network
tests will be quite useless (all the email will be originating in a
standard format, from our own servers).  Bayes will probably be quite
efficient, and so will various other local checks - but I have this nagging
feeling that the standard weighting of the rules will be too lax in this
use-case (due to nothing but content-checks triggering).

How do we re-weight the rules, and does anyone have any good suggestions on
which checks to use?  Also, checking for certain blacklisted URLs in the
messages will probably help (Someone recommended SURBL for this) .. but I
think a re-weighting will still be in order.

Suggestions?


I'd be inclined to try the SARE fraud rules (see www.rulesemporium.com)
in addition to the SA internal and bayes tests. If you find that doesn't
give you a high enough score, pushing the BAYES_99 score a little higher
might be in order.

Bret

+
Another good technique is to count the number of addresses for message
receipt or the number of messages the user has sent and throttle based
on too many. For Way Too Many throttle back to one message every
five minutes.

{^_^}


Re: Very simple user query...

2005-09-14 Thread jdow

From: Rob Skedgell [EMAIL PROTECTED]

On Tuesday 13 Sep 2005 21:15, Markus Eskola wrote:
[...]

Just a quick question regarding the reporting... Do you guys report
all spam (including the ones that SA already caught) or only the
ones that got thru the net?


Currently in my setup I have 3-4 different users who move all the spam
that got thru into certain folders eg SPAM under IMAP. These folders
are scanned, emptied and reported once a night thru a script.
If someone has a more effective way, I'd appreciate a hint in the right
direction.


Most of it (5.0 <= score <= 30.0) gets LARTed by a java program that 
goes through the confirmed spam IMAP folder to the contacts.abuse.net 
addresses for the IP address that sent to my MX, SpamCop and is also 
posted to NANAS. If it scores over 30 it hits a discard ACL in exim.


Anything that sneaks through under 5.0 or went to a role account is also 
singled out for extra vindictiveness and LARTed manually to anything 
SpamTool missed and whois data checked very carefully for RFCI whois 
eligibility (and a WDPRS report).


Oh, and I have a patched Mail::SpamAssassin::Plugin::URIDNSBL to pass 
the domain names scanned over UDP to another listening application that 
tests for missing entries in RFCI bogusmx and automatically sends the 
submission by email. It also sends BCCs to postmaster@ and abuse@ so 
that victims of friendly fire (through inadvertently using a CNAME 
for their MX rather than deliberately registering 127.0.0.1) can get 
unlisted.


++
Ah, you are one of the people polluting the BLs. Thanks not.

Why not be a little saner and adopt a score higher than 5.0, a very
marginal spam score, for reporting. That way you are not reporting
false alarms and injuring innocent people.

{^_^}




Questions about sa-learn and report_safe encapsulation

2005-09-14 Thread Nels Lindquist
Hi there.

I'm trying to set up an IMAP based bayesian learner using the 
instructions in the SA wiki for RemoteIMAPFolder, etc.

I'm diverting messages to the IMAP mailstore from MIMEDefang, and I'm 
trying to set up MIMEDefang to replicate SA's report_safe 
encapsulation format so that sa-learn only learns the encapsulated 
message while ignoring the included SA report, etc.

I appear to have done something wrong, however.  Following the 
instructions in the wiki, I have fetchmail snagging messages from the 
appropriate IMAP folder and feeding them to sa-learn, but sa-learn 
doesn't appear to be properly detecting the message encapsulation.

As far as I can tell from looking at the code, sa-learn does a check 
for the existence of the X-Spam-Checker-Version header to decide 
whether or not to call remove_spamassassin_markup().  Within that 
subroutine it checks for a Content-Type header matching a regexp 
which includes multipart/mixed; and some other things I don't quite 
follow. :-)

As far as I can tell, though, the messages aren't being detected as 
encapsulated--I'm using the -D flag with sa-learn and Removing 
Markup never shows up in the dbg messages I expect from the code in 
remove_spamassassin_markup(), and the debug messages show URLs being 
parsed which are only present in the spamassassin report included in 
the body text, but not in the encapsulated message itself.

Is there some other trick that I'm missing while generating a message 
that sa-learn will recognize as report_safe encapsulated?

Thanks!

Working with SA 3.10rc1, by the way.


Nels Lindquist *
Information Systems Manager
Morningstar Air Express Inc.




Further clarification RE: URIBL_SBL not being used?

2005-09-14 Thread Sean Greene
Hello,

 This morning after having upgraded all installed ports on a FreeBSD
mail
 gateway machine running postfix, amavisd-new, clamav and spamassassin,
 it appears that spamassassin is no longer working the way it had been.
 Specifically it seems that the URIBL_SBL test isn't being applied,

Sorry, upon closer examination it appears that only local tests are
being applied, despite amavisd-new being configured to allow network
tests:

$sa_local_tests_only = 0;

I'll be posting my question now to the amavisd-new list as well, but if
anyone here has any suggestions or advice I'd very much like to hear
them.

Cheers,
Sean


Re: Very simple user query...

2005-09-14 Thread Rob Skedgell
On Wednesday 14 Sep 2005 22:44, jdow wrote:
 From: Rob Skedgell [EMAIL PROTECTED]

 On Tuesday 13 Sep 2005 21:15, Markus Eskola wrote:
 [...]

  Just a quick question regarding the reporting... Do you guys report
  all spam (including the ones that SA already caught) or only the
  ones that got thru the net?
 
  Currently in my setup I have 3-4 different users who move all the
  spam that got thru into certain folders eg SPAM under IMAP. These
  folders are scanned, emptied and reported once a night thru a
  script. If someone has a more effective way, I'd appreciate a hint
  in the right direction.

 Most of it (5.0 <= score <= 30.0) gets LARTed by a java program that
 goes through the confirmed spam IMAP folder to the
^ e.g. *manually* confirmed as spam, not 
  just scored/flagged as such
[...]
 Ah, you are one of the people polluting the BLs. Thanks not.

No.

It was entirely my fault for not making it clearer that I do check the 
confirmed spam folder very carefully first, before running the 
reporting tool. It most certainly doesn't do anything like running from 
cron, nor will it ever do that. If the IMAP seen flag isn't set on a 
mail in that folder, it gets skipped as a safeguard against 
carelessness on my part - the last thing I want is a mail that's just 
been delivered to be reported without checking.


 Why not be a little saner and adopt a score higher than 5.0, a very
 marginal spam score, for reporting. That way you are not reporting
 false alarms and injuring innocent people.

See above. It's actually (score >= 5.0 && manually_confirmed_as_spam)

I should stress that any mails I report are checked manually *first*. 
False positives do *not* go to NANAS, SpamCop, the originating ISP etc.

False positives get dragged out of the spam folder, my whitelists fixed 
(sometimes via whitelist_from_rcvd, sometimes in the PostgreSQL 
database used by a couple of ACLs, depending on the context).

You can check the NANAS posts here 
http://groups.google.co.uk/groups?q=group:[EMAIL PROTECTED]start=0scoring=d
if you like. See many false positives? No, nor me.

I very rarely mis-identify a false positive as spam, and on those rare 
occasions the abuse contact who just got the LART in error gets a 
grovelling apology from me for wasting their time.

-- 
Rob Skedgell [EMAIL PROTECTED]




Re: Scanning outgoing email

2005-09-14 Thread David B Funk
On Wed, 14 Sep 2005, Rune Kristian Viken wrote:

 We're in the need of checking parts of our outgoing email for spam (read:
 we've got unknown webmail users.. hugs lots of them, actually.. and some of
 them have this annoying habit of sending nigeria spam)

 My question is how to get SpamAssassin to identify the spam, as the network
 tests will be quite useless (all the email will be originating in a
 standard format, from our own servers).  Bayes will probably be quite
 efficient, and so will various other local checks - but I have this nagging
 feeling that the standard weighting of the rules will be too lax in this
 use-case (due to nothing but content-checks triggering).

 How do we re-weight the rules, and does anyone have any good suggestions on
 which checks to use?  Also, checking for certain blacklisted URLs in the
 messages will probably help (Someone recommended SURBL for this) .. but I
 think a re-weighting will still be in order.

 Suggestions?

Set up a separate instance of spamd that will be used just for
scanning your outgoing mail (obviously this will have to be done with
your local system configuration). Run that spamd with the '-L' option to
disable network checks. One effect of doing that is to cause SA to
choose an alternative scoring set that has been weighted for use in
a no-networks-test environment. See the discussion of the 4-part
'score' values in Mail::SpamAssassin::Conf.

Dave

-- 
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
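The four-part score lines Dave refers to, as an added example (my code, not SA's, and the score values are made up): a parser for that syntax and the set selection that -L triggers. The numbering is the one Mail::SpamAssassin::Conf documents: set 0 is used with neither Bayes nor network tests, set 1 with network tests only, set 2 with Bayes only, set 3 with both; a rule with a single score uses it in every set.

```python
from typing import Dict, List

# Constructed local.cf fragment in the four-column score syntax.  The
# values are invented for the example; they are not SA's own scores.
SAMPLE_CF = """
# rule                   set0   set1   set2   set3
score BAYES_99              0      0    3.5    3.5
score RCVD_IN_XBL           0    3.9      0    3.9
score HTML_MESSAGE      0.001
score LOCAL_NIGERIA_419   4.0    2.0    3.0    1.5
"""


def scoreset_index(network_tests: bool, bayes: bool) -> int:
    """Set 0: no net, no Bayes; 1: net only; 2: Bayes only; 3: both.
    spamd -L (no network tests) therefore selects set 0 or 2."""
    return (1 if network_tests else 0) + (2 if bayes else 0)


def parse_scores(cf_text: str) -> Dict[str, List[float]]:
    """Map rule name -> four per-set scores from 'score' lines."""
    scores: Dict[str, List[float]] = {}
    for raw in cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        parts = line.split()
        if parts[0] != "score" or len(parts) < 3:
            continue
        values = [float(v) for v in parts[2:]]
        if len(values) == 1:
            values = values * 4                  # one score applies to every set
        elif len(values) != 4:
            raise ValueError(f"{parts[1]}: expected 1 or 4 scores, got {len(values)}")
        scores[parts[1]] = values
    return scores


def effective_scores(scores: Dict[str, List[float]],
                     network_tests: bool, bayes: bool) -> Dict[str, float]:
    """The single score per rule that applies in this configuration."""
    idx = scoreset_index(network_tests, bayes)
    return {rule: vals[idx] for rule, vals in scores.items()}


def total_score(hits: List[str], scores: Dict[str, List[float]],
                network_tests: bool, bayes: bool) -> float:
    """Sum the effective scores of the rules that hit; unknown rules count 0."""
    eff = effective_scores(scores, network_tests, bayes)
    return round(sum(eff.get(r, 0.0) for r in hits), 3)


if __name__ == "__main__":
    cf = parse_scores(SAMPLE_CF)
    hits = ["BAYES_99", "LOCAL_NIGERIA_419", "HTML_MESSAGE"]
    print("spamd -L with Bayes:", total_score(hits, cf, network_tests=False, bayes=True))
    print("full checks:        ", total_score(hits, cf, network_tests=True, bayes=True))
```

The practical point for the outgoing-mail instance is in the LOCAL_NIGERIA_419 row: a local rule can carry a higher weight in sets 0 and 2 than in the sets where DNSBL hits are expected to contribute, so a -L instance keeps its own balance without a second set of rule files.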


ANNOUNCE: SpamAssassin 3.1.0 available!

2005-09-14 Thread jm
SpamAssassin 3.1.0 is released!  SpamAssassin 3.1.0 is a major update.
SpamAssassin is a mail filter which uses advanced statistical and
heuristic tests to identify spam (also known as unsolicited bulk email).


Highlights of the release
-------------------------

- Apache preforking algorithm adopted; number of spamd child processes is now
  scaled, according to demand.  This provides better VM behaviour when not
  under peak load.

- added PostgreSQL, MySQL 4.1+, and local SDBM file Bayes storage modules. SQL
  storage is now recommended for Bayes, instead of DB_File. NDBM_File support
  has been dropped due to a major bug in that module.

- detect legitimate SMTP AUTH submission, to avoid false positives on
  Dynablock-style rules.

- new plugins: DomainKeys (off by default), MIMEHeader: a new plugin to perform
  tests against header in internal MIME structure, ReplaceTags: plugin by Felix
  Bauer to support fuzzy text matching, WhiteListSubject: plugin added to
  support user whitelists by Subject header.

- Razor: disable Razor2 support by default per our policy, since the service is
  not free for non-personal use.  It's trivial to reenable (by editing
  '/etc/mail/spamassassin/v310.pre').

- DCC: disable DCC for similar reasons, due to new license terms.

- Net::DNS bug: high load caused answer packets to be mixed up and delivered as
  answers to the wrong request, causing false positives.  worked around.

- DNSBL lookups and other DNS operations are now more efficient, by using a
  custom single-socket event-based model instead of Net::DNS.


Downloading
-----------

Pick it up from:

  http://SpamAssassin.apache.org/

Note, it may take up to two hours from now for that mirror to update.

md5sum:

  d28bd7e83d01b234144e336bbfde0caa  Mail-SpamAssassin-3.1.0.tar.bz2
  f70c1fcab3d9563731bbc307eda7d69e  Mail-SpamAssassin-3.1.0.tar.gz
  65e9629ce255244fe3cb3d9772cdf239  Mail-SpamAssassin-3.1.0.zip

sha1sum:

  0185f076f619dd9e64e94b453017f9b08d4b0f04  Mail-SpamAssassin-3.1.0.tar.bz2
  d887cbae5962cb03e45aaf71cd93881a2799  Mail-SpamAssassin-3.1.0.tar.gz
  8b9494448782f910e573377bf226a8072f24bb3f  Mail-SpamAssassin-3.1.0.zip

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key [EMAIL PROTECTED]
 Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B


Important installation notes
----------------------------

- see the INSTALL and UPGRADE files in the distribution.


Summary of major changes since 3.0.x
------------------------------------

- Apache preforking algorithm adopted; number of spamd child processes is now
  scaled, according to demand.  This provides better VM behaviour when not
  under peak load.

- Inclusion of sa-update script which will allow for updates of rules and
  scores in between code releases.

- added PostgreSQL, MySQL 4.1+, and local SDBM file Bayes storage modules. SQL
  storage is now recommended for Bayes, instead of DB_File. NDBM_File support
  has been dropped due to a major bug in that module.

- detect legitimate SMTP AUTH submission, to avoid false positives on
  Dynablock-style rules.

- new Advance Fee Fraud (419 scam) rules.

- removed use of the Storable module, due to several reported hangs on SMP
  Linux machines.

- Converted several rule/engine components into Plugins such as:
  AccessDB, AWL, Pyzor, Razor2, DCC, Bayes AutoLearn Determination, etc.

- new plugins: DomainKeys (off by default), MIMEHeader: a new plugin to perform
  tests against header in internal MIME structure, ReplaceTags: plugin by Felix
  Bauer to support fuzzy text matching, WhiteListSubject: plugin added to
  support user whitelists by Subject header.

- TextCat language guesser moved to a plugin.  (This means ok_languages
  is no longer part of the core engine by default.)

- Razor: disable Razor2 support by default per our policy, since the
  service is not free for non-personal use.  It's trivial to reenable.

- DCC: disable DCC for similar reasons, due to new license terms.

- Net::DNS bug: high load caused answer packets to be mixed up and delivered as
  answers to the wrong request, causing false positives.  worked around.

- DNSBL lookups and other DNS operations are now more efficient, by using a
  custom single-socket event-based model instead of Net::DNS.

- add support for accreditation services, including Habeas v2.

- better URI parsing -- many evasion tricks now caught.

- URIBL lookups are prioritized based on the location in the message
  the URI was found.

- mass-check now supports reusing realtime DNSBL hit results, and sample-based
  Bayes autolearning emulation, to reduce complexity.

- sa-learn, spamassassin and mass-check now have optional progress bars.

- 
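Checking a downloaded release against the md5sum/sha1sum manifest in an announcement like the one above, as an added example that is not SpamAssassin project code: it parses the 'md5sum:' and 'sha1sum:' blocks in the layout used above, recomputes both digests over the file bytes, and refuses to act on a manifest entry that is not a full-length hex digest (the tar.gz sha1 line above is 36 characters long, and a careless prefix comparison would "pass" it). Matching checksums only show that the file is the one the announcement describes; they do not prove the announcement itself is genuine, so the .asc GPG signature check against the published key fingerprint still has to be done separately and is not modelled here. ANNOUNCEMENT_MANIFEST is copied from the text above; the "release" bytes used in the demo are constructed sample data, not the real tarball.

```python
"""Verify a release file against an announcement's md5sum/sha1sum manifest.

Added example, not SpamAssassin code.  Checksums prove the file matches the
announcement, not that the announcement is genuine: GPG-verify the .asc too.
"""
import hashlib
import hmac
import re
from typing import Dict

DIGEST_HEX_LEN = {"md5": 32, "sha1": 40}

# Copied from the announcement above; note the 36-character tar.gz sha1 line.
ANNOUNCEMENT_MANIFEST = """
md5sum:

  d28bd7e83d01b234144e336bbfde0caa  Mail-SpamAssassin-3.1.0.tar.bz2
  f70c1fcab3d9563731bbc307eda7d69e  Mail-SpamAssassin-3.1.0.tar.gz
  65e9629ce255244fe3cb3d9772cdf239  Mail-SpamAssassin-3.1.0.zip

sha1sum:

  0185f076f619dd9e64e94b453017f9b08d4b0f04  Mail-SpamAssassin-3.1.0.tar.bz2
  d887cbae5962cb03e45aaf71cd93881a2799  Mail-SpamAssassin-3.1.0.tar.gz
  8b9494448782f910e573377bf226a8072f24bb3f  Mail-SpamAssassin-3.1.0.zip
"""


class ManifestError(ValueError):
    """The manifest cannot be used for this file: missing or malformed entry."""


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Return {filename: {'md5': hex, 'sha1': hex}} from 'md5sum:'/'sha1sum:' blocks."""
    algo = None
    manifest: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"(md5|sha1)sum:", line)
        if header:
            algo = header.group(1)
            continue
        entry = re.fullmatch(r"([0-9A-Fa-f]+)\s+(\S+)", line)
        if entry and algo:
            manifest.setdefault(entry.group(2), {})[algo] = entry.group(1).lower()
    return manifest


def manifest_text(name: str, data: bytes) -> str:
    """Render a manifest in the announcement's layout (used to build the demo)."""
    return (f"md5sum:\n\n  {hashlib.md5(data).hexdigest()}  {name}\n\n"
            f"sha1sum:\n\n  {hashlib.sha1(data).hexdigest()}  {name}\n")


def verify_release(data: bytes, name: str,
                   manifest: Dict[str, Dict[str, str]]) -> bool:
    """True only if every listed digest is well-formed and matches the bytes.

    Malformed manifests raise ManifestError rather than returning False, so a
    truncated line is never silently treated as a mismatch or a prefix match.
    """
    entry = manifest.get(name)
    if entry is None:
        raise ManifestError(f"{name}: not listed in manifest")
    # Validate the whole entry before comparing anything.
    for algo, want_len in DIGEST_HEX_LEN.items():
        expected = entry.get(algo)
        if expected is None:
            raise ManifestError(f"{name}: no {algo} entry")
        if len(expected) != want_len:
            raise ManifestError(
                f"{name}: {algo} entry is {len(expected)} hex chars, expected {want_len}")
    for algo, expected in entry.items():
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


if __name__ == "__main__":
    name = "Mail-SpamAssassin-3.1.0.tar.gz"
    release = b"constructed sample release bytes, not the real tarball\n"
    good = parse_manifest(manifest_text(name, release))
    print("constructed manifest:", verify_release(release, name, good))
    try:
        verify_release(release, name, parse_manifest(ANNOUNCEMENT_MANIFEST))
    except ManifestError as err:
        print("announcement manifest rejected:", err)
```

With a real download, read the tarball bytes in place of the constructed sample and pass the announcement text to parse_manifest; a ManifestError means the announcement needs re-fetching (or the mirror is serving something other than what was announced), not that the file is bad.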

Re: Further clarification RE: URIBL_SBL not being used?

2005-09-14 Thread jdow

From: mouss [EMAIL PROTECTED]


jdow wrote:


Am I alone in having a perception that using mimedefang and amavis-new
is its own punishment?


why do you say so?


(I should have said or instead of and. And is REAL punishment even if
or is not. It may not even be possible.)

The short story:
I've been watching this list.

The long story:
I decided long ago that I was seeing too many people having problems
with auto-learning spam and ham back with 2.mumble. That led me to
decide never to use that abomination. This decision seems to have
served me very well. (I also never expire. I train sparingly and
carefully.)

Now the number of annoyances people report, not getting markups they
thought they should and the like, has me wondering the same thing
about these particular filters. At the time I started using SA what
I had available was procmail. My .procmailrc is still fairly small,
although my personal one is used to feed pests, chiefly list pests,
to their own dungeons. In theory if a dungeon is not updating from
time to time the rule is obsolete. But with only 6 or 10 of them,
who cares? As it is I get all my markup and I can even do custom
tweaks in procmail so that if spamd hits one of the perl eval bugs
triggered by PerMsgStatus.pm I can feed the message direct through
spamassassin itself.

{^_^}   I guess Joanne is a bare metal type at heart. 



Re: Further clarification RE: URIBL_SBL not being used?

2005-09-14 Thread John Rudd


On Sep 14, 2005, at 5:12 PM, jdow wrote:

jdow wrote:

Am I alone in having a perception that using mimedefang and
amavis-new is its own punishment?

At the time I started using SA what
I had available was procmail.


Procmail works if your users have access to the right things for 
invoking procmail, or if you're using mail software for which procmail 
can be used as a local delivery agent, or something along those lines.


That doesn't include every mail server arrangement and software package 
out there.  Plus, if you're on a non-trivial mail server (you know, 
more than a few thousand active users), procmail is just an insane way 
to invoke spam assassin.


Further, mimedefang isn't all about invoking Spam Assassin.  It really 
seems to be more about protection against viruses, bad attachments, and 
other exploits.  It's ability to also deal with spam assassin seems to 
be frosting on the cake, not the cake itself (if I am digesting the 
history of mimedefang correctly).


And, last, some of us postmasters would rather not accept these types 
of messages in the first place.  Then we don't have to worry about 
idiot users replying to them, sending bounces back, or if their 
vacation implementation will reply to a virus or spam message 
(inevitably leaving large numbers of these replies stranded in our mail 
queues).  Relying upon users, even intelligent ones, to do the sensible 
thing is an exercise even less productive than masturbation.


Instead, we would rather reject the message during the SMTP 
transaction.  Try that with procmail (unless, of course someone writes 
a procmail-milter, in which case it's no different than using 
mimedefang or amavis).


New mail not being logged anywhere but /var/spool/qmailscan/mailstats.csv?

2005-09-14 Thread Matthew Yette
I've been running SA 3.04 / ClamAV 0.86.2 /qmail-scanner 1.25st for about 2 
months now. Things have been working perfectly. I wrote my own stats parsing 
script to dump things into a database so I can break down stats based on 
domains, spammers, etc...(I have two mail servers acting as load balancing...a 
3rd server is where the SQL db sits)

Today, we added a new client to our filtering system, and this client is 
receiving email from one address that seemed like a duplicate mysql insert at 
first to me, but after investigating further, the mails were actually listed in 
/var/spool/qmailscan/mailstats.csv. These are the lines in question in 
mailstats.csv:

8357:Wed, 14 Sep 2005 14:06:54 EDT  Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):  5.68333810027   [EMAIL PROTECTED]  [EMAIL PROTECTED]  Utica Homeowners will soon offer Identity Theft Coverage!   [EMAIL PROTECTED]   unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8358:Wed, 14 Sep 2005 14:06:54 EDT  Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):  5.68333810027   [EMAIL PROTECTED]  [EMAIL PROTECTED]  Utica Homeowners will soon offer Identity Theft Coverage!   [EMAIL PROTECTED]   unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8359:Wed, 14 Sep 2005 14:06:54 EDT  Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):  5.68333810027   [EMAIL PROTECTED]  [EMAIL PROTECTED]  Utica Homeowners will soon offer Identity Theft Coverage!   [EMAIL PROTECTED]   unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8360:Wed, 14 Sep 2005 14:06:54 EDT  Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):  5.68333810027   [EMAIL PROTECTED]  [EMAIL PROTECTED]  Utica Homeowners will soon offer Identity Theft Coverage!   [EMAIL PROTECTED]   unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8361:Wed, 14 Sep 2005 14:06:54 EDT  Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):  5.68333810027   [EMAIL PROTECTED]  [EMAIL PROTECTED]  Utica Homeowners will soon offer Identity Theft Coverage!   [EMAIL PROTECTED]   unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8362:Wed, 14 Sep 2005 14:06:54 EDT  Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):  5.68333810027   [EMAIL PROTECTED]  [EMAIL PROTECTED]  Utica Homeowners will soon offer Identity Theft Coverage!   [EMAIL PROTECTED]   unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8363:Wed, 14 Sep 2005 14:06:54 EDT  Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):  5.68333810027   [EMAIL PROTECTED]  [EMAIL PROTECTED]  Utica Homeowners will soon offer Identity Theft Coverage!   [EMAIL PROTECTED]   unig45.gif:5863 1126721210.30212-0.MAILER-02:1109


That's just an sample from mailstats.csv. As it says, SA deems it spam at 5.6 
points, and tags it and passes it along (I think). However, a few things 
confuse me with this. First of all, multiple entries under the same exact 
timestamp seems odd to me. Every piece of data in each line is identical. This 
doesn't seem normal, or correct. Secondly, there is NO record of the sender's 
email address in /var/spool/qmailscan/qmail-queue.log OR /var/log/maillog. It 
only appears in mailstats.csv. Furthermore, when adding the blacklist_from 
preference for this domain in my SQL database, I still see entries from this 
user in mailstats.csv with the score of 5.6, obviously ignoring my blacklist. 
Also, the 5.0 is telling as well, as I have a required_hits preference for this 
domain set to 4.0. Scanning through mailstats.csv shows that I have even more 
entries which set 5.0 as the bar for spam, incorrectly:

4278:Wed, 14 Sep 2005 09:41:25 EDT  SA:SPAM-DELETE:RC:0(222.108.160.49):SA:1(21.1/5.0):  0   1385  [EMAIL PROTECTED]  [EMAIL PROTECTED]  Solid Funding hassle free   [EMAIL PROTECTED]  MAILER-02112670527972228950-unpacked:1385
4279:Wed, 14 Sep 2005 09:41:25 EDT  SA:SPAM-DELETE:RC:0(222.108.160.49):SA:1(21.1/5.0):  0   1385  [EMAIL PROTECTED]  [EMAIL PROTECTED]  Solid Funding hassle free   [EMAIL PROTECTED]  MAILER-02112670527972228950-unpacked:1385

However, there ARE lines that display correct information:

4298:Wed, 14 Sep 2005 09:41:58 EDT  SA:SPAM-DELETE:RC:0(216.195.74.34):SA:1(10.8/4.0):  0   3658  [EMAIL PROTECTED]  [EMAIL PROTECTED]  Undeliverable Mail  [EMAIL PROTECTED]  MAILER-02112670531272229114-unpacked:3658
4309:Wed, 14 Sep 2005 09:42:16 EDT  Clear:RC:0(209.51.158.242):SA:0(-0.6/4.0):  5.5095053384  [EMAIL PROTECTED]  [EMAIL PROTECTED]  Automatic message from SafestMail (c2FmZXN0bWFpbF9yZXBseQ==-OTkzMDE4MDE1)   [EMAIL PROTECTED]  1126705331.29238-0.MAILER-02:2226

Note the 4.0. 

I'm so confused...I can't seem to find the reason why it isn't logging to 
qmail-queue.log for certain messages. There IS a correlation, however, between 
when it doesn't log to qmail-queue.log, and when it uses a base score of 5.0 
instead of the sql-deemed 4.0. IT seems 

Re: HTML Spam messages with float tag ?

2005-09-14 Thread Robert Menschel
Hello Brian,

Wednesday, September 14, 2005, 5:31:34 AM, you wrote:

BI Hi,

BI  The number of messages like below has increased. Unfortunately, they are
BI not reported to SpamCop fast enough for SURBL to handle them. Has anyone
BI created some sort of filter to identify this type of message?

SARE rules under development.  Some will be published by this weekend,
come hell or ... well, I'm not in New Orleans.  Other rules we're less
sure of may wait a few more days.

Sample hit rates of the most promising rules:
#counts   LW_LEO_MAILER1      2332s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_DOLLARS1     1451s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_COST         1014s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   LW_LEO_DRUGS_DOWN   2563s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts   SARE_LEO_SUB_MEDS   1107s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_SUB_PHARM   487s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_SUB_PHARM2  877s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_LINE02     2028s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts   SARE_LEO_LINE03       59s/0h of 614805 corpus (315596s/299209h RM) 09/11/05


Bob Menschel