Re: Whitelist blacklist order
I invoke spamassassin through Mailscanner v 4.38

I use Mailscanner with:
- sendmail
- clamav antivirus
- spamassassin
Re: Searching SA mailing list
Chan, Wilson wrote:
> Is there a way to search the SA mailing list? Thanks!

http://wiki.apache.org/spamassassin/MailingLists

Under the users section, pick any one of the three archives linked next to Search.
Re: Problem compiling SpamAssassin (DB_file issue)
On Friday, 19 May 2006 16:06 James Lay wrote:
> So far there are no good answers...anyone have anything?

No - but at least you got an answer this time *g*

mfg zmi
--
// Michael Monnerie, Ing.BSc - http://it-management.at
// Tel: 0660/4156531 .network.your.ideas.
// PGP Key: lynx -source http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2 9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE
Re: checksumming image spam
I see in my webmin module, 'Location of DCC client program' but I don't think I have it installed. What package should I be looking for? I'm running rhel4; can I install it from up2date or is there an rpm out there? Any information on using DCC with spamassassin and rhel would be great.

> http://www.nytimes.com/2006/05/21/business/yourmoney/21spam.html
>
> Matt Sergeant (of MessageLabs, and one of the early SpamAssassin committers too!) is interviewed about spam, with a bit of relevance regarding image checksumming (which we've been talking about recently):
>
>   The spammers were trying to circumvent the world's junk-mail filters by embedding their messages -- whether peddling something called China Digital Media for $1.71 a share, or a Hot Pick! company called GroFeed for just 10 cents -- into images. It worked, but only briefly. Antispam developers at MessageLabs, one of several companies that essentially reroute their clients' e-mail traffic through proprietary spam-scrubbing servers before delivering it, quickly developed a checksum, or fingerprint, for the images, and created a filter to block them.
>
>   [...]
>
>   Shortly after MessageLabs created a filter to catch the stock spams, the images they contained changed again. They were now arriving with what looked to the naked eye like a gray border. Zooming in, however, the MessageLabs team discovered that the border was made up of thousands of randomly ordered dots. Indeed, every message in that particular spam campaign was generated with a new image of the border -- each with its own random array of dots.
>
>   [...]
>
>   We actually developed some technology to detect borders in images and figure out the entropy -- that is, to figure out if the border was random, Mr. Sergeant said. So that was fine. Of course, shortly afterward, they decided to stop using the borders, he added.
>
>   From there, the senders began placing a small number of barely perceptible and, again, randomly placed dots -- a pink one here, a blue one there, a green one near the bottom -- throughout the images. Then they shifted to multiple images, with words spelled partially in plain text and partially as images, so that the content, when viewed on a common e-mail reader like Outlook or AOL, would look like an ordinary message.
>
> Aside from that techie stuff, it's a good interview too ;)
>
> --j.

--
Paul Matthews
Junior Network Technician | The Cathedral School
RE: checksumming image spam
DCC is at: http://www.rhyolite.com/anti-spam/dcc/

Don't know about rpm's, you can try http://rpmfind.net (Don't think they have RH EL rpms) or http://dag.wieers.com

But probably you'll have to compile it yourself (as I did for my RH EL3), which is pretty simple.

-Sietse
Re: Who wants my spam - seriously!
On Saturday, 20 May 2006 12:58 Andrzej Adam Filip wrote:
> You can use *separate* script to make spamcop.net send LARTs (munged or unmunged). e.g. http://anfi.homeunix.net/perl/spamcop-ack.pl or previous art mentioned in previous thread about spamcop-ack.pl

How do I create that cookies file from konqueror for your script? Which format does it need?

mfg zmi
Re: A lot of these going around
On Thursday 18 May 2006 16:36, Ronald Nsubuga wrote:
> check the retry time and what os are u running pliz and the version you are using for spamassasin?

retries less than 1 minute. Debian Sid, SA 3.1.1
RE: checksumming image spam
> DCC is at: http://www.rhyolite.com/anti-spam/dcc/
>
> Don't know about rpm's, you can try http://rpmfind.net (Don't think they have RH EL rpms) or http://dag.wieers.com
>
> But probably you'll have to compile it yourself (as I did for my RH EL3), which is pretty simple.

Okay, I'll install it from source. Where do I find the source? And can you also tell me what is Pyzor, and what does it do?
RE: checksumming image spam
Source can be found at the URL I gave you: http://www.rhyolite.com/anti-spam/dcc/

Pyzor is basically the same as razor2. Major difference is that pyzor is written in python and razor2 in perl. Don't know if there is much sense in using pyzor, as it seems close to dead. The main server is quite unresponsive and the project has not been updated for about 1.5 years. It can be found at http://pyzor.sourceforge.net Read the Mailing List before you decide to compile and use it. Somebody has set up a new server recently and it does give me some positives, also nearly not as many as razor.

Razor is also a good check, but it is only free for personal use (same as dcc): http://razor.sourceforge.net

Razor compile and install is a bit more difficult than dcc or pyzor, as it might need a whole lot of perl modules (depending on what is already there), so better get your CPAN right and use perl newer than 5.8.3.

-Sietse
RE: checksumming image spam
> Razor is also a good check, but it is only free for personal use (same as dcc): http://razor.sourceforge.net
>
> Razor compile and install is a bit more difficult than dcc or pyzor, as it might need a whole lot of perl modules (depending on what is already there), so better get your CPAN right and use perl newer than 5.8.3.
>
> -Sietse

As of March 30, 2006, Razor2 no longer has the Personal Use Only clause.

http://sourceforge.net/mailarchive/forum.php?thread_id=10079360&forum_id=4258

<quote>
Folks,

I am pleased to announce that with the release of razor-agents 2.81[1] a new service policy has been introduced, that makes the use of Razor2 service completely open and free. A license introduced in 2003 restricted usage by third party integrators, but the new license unencumbers all usage, commercial or otherwise.

My company, Cloudmark, hosts and manages the backend infrastructure that Razor2 agents use for reporting spam and checking fingerprints. Cloudmark retains the right to deny service to anyone abusing the backend, but will not, under normal circumstances, restrict usage in any way.

Share and Enjoy!

vipul

[1] http://prdownloads.sourceforge.net/razor/razor-agents-2.81.tar.bz2?download
</quote>
Re: spamc/spamd/bayes
On Monday, 22 May 2006 01:12 Sergei Gerasenko wrote:
> But I'm reading everywhere that it's not a particularly good idea.

There's not a single answer to whether which method is best. I use a sitewide bayes, and it works good.

sitewide:
+ spam learned helps all users
+ good when trained with 100% correct spam/ham
- dangerous when learning false spam/ham

user:
+ each user can train themselves
- users most often don't train good, or not at all, or false (YMMV)
- performance
- disk space

mfg zmi
Re: New German ruleset failing lint
On Monday, 22 May 2006 03:57 Jonathan Nichols wrote:
> [19298] warn: config: invalid regexp for rule ZMIde_URI: [EMAIL PROTECTED]: Global symbol @freenet requires explicit package name

My apologies @all.

Is somebody willing to write a wrapper script for me? I'd like to change to using subversion for the rules file, and after changing, I'd like to call a script that makes:

  sa --lint
  if OK {
    svn upload ;
    change version inside file to version that svn says;
    rsync or cp file to public location
  } else
    echo errormsg

Shouldn't be hard, I just don't have time ATM. With such a script such stupid errors like above shouldn't happen anymore.

mfg zmi
RE: spamc/spamd/bayes
> On Monday, 22 May 2006 01:12 Sergei Gerasenko wrote:
>> But I'm reading everywhere that it's not a particularly good idea.
>
> There's not a single answer to whether which method is best. I use a sitewide bayes, and it works good.
>
> sitewide:
> + spam learned helps all users
> + good when trained with 100% correct spam/ham
> - dangerous when learning false spam/ham
>
> user:
> + each user can train themselves
> - users most often don't train good, or not at all, or false (YMMV)
> - performance
> - disk space

We use site-wide bayes here too. While users can report FN's and FP's, IT staff reviews the submissions prior to actual learning. This prevents people from learning various e-mail lists they've signed up for as SPAM -- we just send the report back and say, try unsubscribing first.

The approach has worked fairly well for us here. The number of users that actually report anything is probably around 5%, so I'd say that a per-user system would be less effective for our users. (Either that or the other 95% of users get no spam ever.)

Bret
Re: spamc/spamd/bayes
On Monday, 22 May 2006 17:28 Bret Miller wrote:
> Either that or the other 95% of users get no spam ever.

*bruahaha* I just spit that nice coffee over my keyboard...

mfg zmi
Rules for that mutating subject drug mails
Hi,

I'd like to know if it's possible to filter efficiently all those emails about Viagra and friends with a subject that always changes and has different letters inserted between the letters of the drug name. I guess you know which ones I'm talking about (Re: test VhtAGGRA / CItAlLIS).

Currently my spamassassin stops some of them, but there are others that keep getting through (with a 4/6 spam score), so I'd like to know what you guys have done regarding these messages.

Thanks!

Edo
Re: Who wants my spam - seriously!
Michael Monnerie [EMAIL PROTECTED] writes:

> On Saturday, 20 May 2006 12:58 Andrzej Adam Filip wrote:
>> You can use *separate* script to make spamcop.net send LARTs (munged or unmunged). e.g. http://anfi.homeunix.net/perl/spamcop-ack.pl or previous art mentioned in previous thread about spamcop-ack.pl
>
> How do I create that cookies file from konqueror for your script? Which format does it need?

I have designed the script to do spamcop login but if you prefer another way below please find the hints:

0) You can use http://www.spamcop.net/mcgi?action=loginform to get cookie valid for 1 year/1 month/1 week/...

1) How to extract cookie from browser
   *In firefox case*: menu Edit/Preferences; tab Privacy/Cookies; Button View Cookies
   *In konqueror case*: menu Settings/Configure konqueror; section Cookies; tab management

2) Cookie file format used by the perl script by example

<cookie_file_sample lines=2>
#LWP-Cookies-1.0
Set-Cookie3: code=; path=/; domain=www.spamcop.net; path_spec; expires=2006-05-22 21:17:40Z; version=0
</cookie_file_sample>

--
[pl2en Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
http://anfi.homeunix.net/
http://www.linkedin.com/in/andfil
Re: Setting up my own RBL - How?
> So - if I wanted to set up my own RBL for others to query me, how would I do that? I'm seriously thinking about it. Alternatively, I can stream my spam to anyone else who is already doing it. I've modified my spam stream to exclude stuff already listed in several other popular block lists.

I'm no expert by any means, but I tried setting up an internal RBL for my company using some Perl scripts (to mangle the email upon receipt) and PDNS with a MySQL backend. I saved the last hop IP address from dictionary-attack emails sent to a particular domain that we host that gets hundreds of dictionary-attack type spams per day.

It worked well, except that in my case it was nearly pointless - while I could verify that lookups were working, over the course of a 48 hour period it added hundreds of IPs but didn't flag any messages, since the spambot(s) sending to this domain would never send from the same IP address twice (which I verified in the logs), nor were they sending to any of the other 100+ domains we host. We're not fighting an enemy that's entirely stupid.

Anyway, the entire point of this email was to suggest the (perhaps) obvious of using a DNS daemon that can read its zone info on the fly rather than requiring a restart. That's why I used PDNS, but I'm sure there's other DNS daemons that can do the same thing and are perhaps better suited to the task.
Vouching for mail from a dynamic IP (was: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam)
--On Saturday, May 20, 2006 4:54 PM -0700 jdow [EMAIL PROTECTED] wrote: Looking at your own email it comes from a COMCAST cable connection in Palmer Ranch Florida through the WFGB mailer. The WFGB mailer is not in SORBS anywhere. YOUR address most certainly is a dialup. So it WILL get tagged unless your mail goes through a machine that properly vouches for it. 68.32.0.0/11 (68.32.0.0-68.63.255.255) is a dynamic IP netblock. How does another machine properly vouch for it? If I route my mail to a colocated host under my control, how do I make that host vouch for the mail from my house?
Re: Who wants my spam - seriously!
Andrzej Adam Filip wrote:
> Michael Monnerie [EMAIL PROTECTED] writes:
>> On Saturday, 20 May 2006 12:58 Andrzej Adam Filip wrote:
>>> You can use *separate* script to make spamcop.net send LARTs (munged or unmunged). e.g. http://anfi.homeunix.net/perl/spamcop-ack.pl or "previous art" mentioned in previous thread about spamcop-ack.pl
>>
>> How do I create that cookies file from konqueror for your script? Which format does it need?
>
> I have designed the script to do spamcop login but if you prefer another way below please find the hints:
>
> 0) You can use http://www.spamcop.net/mcgi?action=loginform to get cookie valid for "1 year"/"1 month"/"1 week"/...
>
> 1) How to extract cookie from browser
>    *In firefox case*: menu Edit/Preferences; tab Privacy/Cookies; Button "View Cookies"
>    *In konqueror case*: menu Settings/"Configure konqueror"; section "Cookies"; tab "management"
>
> 2) Cookie file format used by the perl script "by example"
>
> <cookie_file_sample lines="2">
> #LWP-Cookies-1.0
> Set-Cookie3: code=; path="/"; domain=www.spamcop.net; path_spec; expires="2006-05-22 21:17:40Z"; version=0
> </cookie_file_sample>

I've already made an arrangement with Spamcop to forward the spam directly to an account they set up for me. I've sent them over 100,000 spams and they seem to like what they see. I'm told it will be a live feed sometime later today.

These are the kinds of people who I want to feed spam to. People who can extract the right info and add it to popular block lists.
Help with rule for geocities spam
I just grepped my entire mail hierarchy for .geocities.com and the only legitimate stuff I see either uses the www or uk subdomains. How can I write a rule that matches on that? If it were just one subdomain I could write one rule for all subdomains and one for just the one subdomain and use a negative score for the latter to match the positive score for the all-subdomain rule. But how do I handle two good subdomains?
RE: Help with rule for geocities spam
Kenneth Porter wrote:
> I just grepped my entire mail hierarchy for .geocities.com and the only legitimate stuff I see either uses the www or uk subdomains. How can I write a rule that matches on that?
>
> If it were just one subdomain I could write one rule for all subdomains and one for just the one subdomain and use a negative score for the latter to match the positive score for the all-subdomain rule. But how do I handle two good subdomains?

I assume you mean www.geocities.com and uk.geocities.com, right?

Try this:

  /(?:www|uk)\.geocities\.com/

Add other anchors as appropriate...

--
Bowie
Re: Setting up my own RBL - How?
Mike Jackson wrote:
>> So - if I wanted to set up my own RBL for others to query me, how would I do that? I'm seriously thinking about it. Alternatively, I can stream my spam to anyone else who is already doing it. I've modified my spam stream to exclude stuff already listed in several other popular block lists.

A combination of these 2 works wonders for me..

http://simple-evcorr.sf.net/ (simple event correlator)
http://www.corpit.ru/mjt/rbldnsd.html (designed for serving DNSBL zones)

SEC hooks onto the mailscanner logs checking for 3 spams or 2 viruses in a span of 60 seconds, this is then fed to rbldnsd, which serves it with little latency (though the latency has nothing to do with rbldnsd).

- dhawal
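The correlation described in this message (3 spams or 2 viruses from one IP within 60 seconds, then listing that IP in a DNSBL zone) looks like this in Python. This is an added example, not part of the thread and not SEC or rbldnsd code; the log format, the sample lines and the zone name bl.example.org are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(seconds=60)
THRESHOLDS = {"spam": 3, "virus": 2}  # thresholds quoted in the message above

# Constructed sample events, oldest first, in a simplified "time kind ip" format.
# This is NOT MailScanner's real log format; adapt the parsing to your own logs.
SAMPLE_LOG = """\
2006-05-22T10:00:00 spam 203.0.113.5
2006-05-22T10:00:01 spam 192.0.2.10
2006-05-22T10:00:05 virus 198.51.100.7
2006-05-22T10:00:10 spam 203.0.113.9
2006-05-22T10:00:20 spam 192.0.2.10
2006-05-22T10:00:25 virus 203.0.113.9
2006-05-22T10:00:30 spam 203.0.113.9
2006-05-22T10:00:45 spam 192.0.2.10
2006-05-22T10:00:50 virus 198.51.100.7
this line is malformed and must be skipped
2006-05-22T10:01:10 spam 203.0.113.5
2006-05-22T10:02:30 spam 203.0.113.5
"""


def correlate(lines):
    """Return {ip: reason} for every IP that crosses a threshold inside WINDOW."""
    recent = defaultdict(deque)  # (ip, kind) -> timestamps still inside the window
    listed = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] not in THRESHOLDS:
            continue  # not an event line
        try:
            ts = datetime.fromisoformat(parts[0])
            ip = ipaddress.IPv4Address(parts[2])
        except ValueError:
            continue  # bad timestamp or address
        kind = parts[1]
        window = recent[(ip, kind)]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop events older than 60 seconds
            window.popleft()
        if len(window) >= THRESHOLDS[kind] and ip not in listed:
            listed[ip] = f"{len(window)} {kind} in {WINDOW.seconds}s"
    return listed


def zone_lines(listed):
    """One address per line, sorted numerically, ready to write to a zone data file."""
    return [str(ip) for ip in sorted(listed)]


def dnsbl_qname(ip, zone):
    """Name a client looks up for `ip`: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    hits = correlate(SAMPLE_LOG.splitlines())
    for ip, reason in hits.items():
        print(ip, reason, dnsbl_qname(ip, "bl.example.org"))
```

203.0.113.5 sends three spams but never more than one per minute, and 203.0.113.9 stays under both per-kind thresholds, so neither is listed; a sender that never reuses an address, as in the quoted PDNS experience, would never be listed either.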
RE: Help with rule for geocities spam
On Monday, May 22, 2006 12:28 PM -0400 Bowie Bailey [EMAIL PROTECTED] wrote:

> I assume you mean www.geocities.com and uk.geocities.com, right?
>
> Try this:
>
>   /(?:www|uk)\.geocities\.com/
>
> Add other anchors as appropriate...

Doh! That was too easy! :P

BTW, in my corpus the only legit use of other subdomains are from samples a year or more in the past.
Re: Help with rule for geocities spam
On Monday, 22 May 2006 18:28 Bowie Bailey wrote:
> /(?:www|uk)\.geocities\.com/

Or the full line could be:

  uri ZMIgeocitiesGOOD m{(?:www|uk)\.geocities\.com}
  describe ZMIgeocitiesGOOD probably good geocities site
  score ZMIgeocitiesGOOD -1.2

or whatever score you want to give them.

mfg zmi
RE: Bayes not learning (autolearn=failed)
Still getting autolearn=failed but it's no longer complaining about running spamd as root but it's trying to create read files from root still even though I have the local.cf defined for the location of the bayes files. Any ideas? Thanks!

May 22 08:13:57 localhost spamd[25519]: Creating default_prefs [/root/.spamassassin/user_prefs]
May 22 08:13:57 localhost spamd[25519]: Cannot write to /root/.spamassassin/user_prefs: Permission denied
May 22 08:13:57 localhost spamd[25519]: Couldn't create readable default_prefs for [/root/.spamassassin/user_prefs]

I took everyone's advice and made these changes below:

/etc/sysconfig/spamassin
*added -u spam to get rid of the previous error

/etc/mail/spamassassin/local.cf
*added bayes_path /home/spam/.spamassassin/bayes
*added bayes_file_mode 0777

Wilson

-----Original Message-----
From: Sergei Gerasenko [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 21, 2006 1:04 PM
To: users@spamassassin.apache.org
Subject: Re: Bayes not learning (autolearn=failed)

I think I'm dealing with a similar situation. Here's what you could try. Forget about changing the user that spamd runs as. The fact that it falls back to nobody may be ok.

Say your tokens are located in /home/admin/.spamassassin. Open /etc/spamassassin/local.cf and put these two lines in there:

  bayes_path /home/me/.spamassassin/bayes
  bayes_file_mode 0777

Make sure the directory /home/me/.spamassassin and files in that directory have write and read permissions for your nobody user.

OK, then restart spamd and send yourself a test message. Look inside the message and look for the X-Spam-Status line. If it mentions BAYES, then it worked. If not, run spamd with the -D option. That will put debug messages in your syslog. Look at those messages and see what it's doing. It's pretty descriptive. Don't forget to remove the -D option after you're done :)

By the way, where do you call spamc from?

I'm not an expert on SA by any means, so take it with a grain of salt.
On Sun, May 21, 2006 at 12:46:32PM -1000, Chan, Wilson wrote:
> I read the man docs and I need to specify -u username so the question is where do I put this? I create a username called spam and gave it full rights to where the bayes tok files are to be located.
>
> I tried to add it to SPAMDOPTIONS="-d -c -m5 -H -u spam"
>
> Is this correct because after I restarted the service I still see the same error message. :(
>
> /etc/init.d/spamassassin
>
> #!/bin/sh
> #
> # spamassassin This script starts and stops the spamd daemon
> #
> # chkconfig: - 80 30
> # processname: spamd
> # description: spamd is a daemon process which uses SpamAssassin to check \
> #              email messages for SPAM. It is normally called by spamc \
> #              from a MDA.
>
> # Source function library.
> . /etc/rc.d/init.d/functions
>
> prog="spamd"
>
> # Source networking configuration.
> . /etc/sysconfig/network
>
> # Check that networking is up.
> [ ${NETWORKING} = "no" ] && exit 0
>
> # Set default spamd configuration.
> SPAMDOPTIONS="-d -c -m5 -H -u spam"
> SPAMD_PID=/var/run/spamassassin/spamd.pid
>
> # Source spamd configuration.
> if [ -f /etc/sysconfig/spamassassin ] ; then
>         . /etc/sysconfig/spamassassin
> fi
>
> [ -f /usr/bin/spamd -o -f /usr/local/bin/spamd ] || exit 0
> PATH=$PATH:/usr/bin:/usr/local/bin
>
> # By default it's all good
> RETVAL=0
>
> # See how we were called.
> case "$1" in
>   start)
>         # Start daemon.
>         echo -n $"Starting $prog: "
>         daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
>         RETVAL=$?
>         echo
>         if [ $RETVAL = 0 ]; then
>                 [ -n "$SPAMD_PID" ] && ln -s $SPAMD_PID /var/run/spamd.pid
>                 touch /var/lock/subsys/spamassassin
>         fi
>         ;;
>   stop)
>         # Stop daemons.
>         echo -n $"Stopping $prog: "
>         killproc spamd
>         RETVAL=$?
>         echo
>         if [ $RETVAL = 0 ]; then
>                 rm -f /var/lock/subsys/spamassassin
>                 rm -f /var/run/spamd.pid
>         fi
>         ;;
>   restart)
>         $0 stop
>         $0 start
>         ;;
>   condrestart)
>         [ -e /var/lock/subsys/spamassassin ] && $0 restart
>         ;;
>   status)
>         status spamd
>         RETVAL=$?
>         ;;
>   *)
>         echo "Usage: $0 {start|stop|restart|status|condrestart}"
>         RETVAL=1
>         ;;
> esac
>
> exit $RETVAL
>
> Wilson
>
> -----Original Message-----
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
> Sent: Sunday, May 21, 2006 11:58 AM
> To: users@spamassassin.apache.org
> Subject: Re: Bayes not learning (autolearn=failed)
>
> On Sun, May 21, 2006 at 11:16:14AM -1000, Chan, Wilson wrote:
> > By default on CentOS I think it runs as root. How do you change it so that spamd is not running as root? I assume I'd have to change a parameter in /etc/rc.d/init.d/spamassassin? Thanks!
>
> If you read the spamd man page, it tells you how to specify the user to run as. You will also want to check out the Mail::SpamAssassin::Conf man/pod to see configuration options related to
Re: Bayes not learning (autolearn=failed)
On Mon, May 22, 2006 at 08:17:57AM -1000, Chan, Wilson wrote:
> Still getting autolearn=failed but it's no longer complaining about running spamd as root but it's trying to create read files from root still even though I have the local.cf defined for the location of the bayes files. Any ideas? Thanks!
>
> May 22 08:13:57 localhost spamd[25519]: Creating default_prefs [/root/.spamassassin/user_prefs]
> May 22 08:13:57 localhost spamd[25519]: Cannot write to /root/.spamassassin/user_prefs: Permission denied
> May 22 08:13:57 localhost spamd[25519]: Couldn't create readable default_prefs for [/root/.spamassassin/user_prefs]
>
> I took everyone's advice and made these changes below:
>
> /etc/sysconfig/spamassin
> *added -u spam to get rid of the previous error
>
> /etc/mail/spamassassin/local.cf
> *added bayes_path /home/spam/.spamassassin/bayes
> *added bayes_file_mode 0777

It's possible that spamd is running with the -c (--create-prefs) option. Do

  ps ax | grep spamd

and see if either -c or --create-prefs is one of the parameters. If it is, you need to edit, my guess, /etc/default/spamassassin and get rid of that option.
Re: Help with rule for geocities spam
On Monday, May 22, 2006 7:24 PM +0200 Michael Monnerie [EMAIL PROTECTED] wrote:

> Or the full line could be:
>
>   uri ZMIgeocitiesGOOD m{(?:www|uk)\.geocities\.com}
>   describe ZMIgeocitiesGOOD probably good geocities site
>   score ZMIgeocitiesGOOD -1.2
>
> or whatever score you want to give them.

Does a uri rule count once per instance or for all matching uris? If, for instance, I have that rule and one matching *all* subdomains with a +1.2, does a spammer just have to insert a good uri to nullify the score for the bad one?

Alternatively, is there regex syntax to match all patterns *except* the one given? Can I somehow express all geocities.com subdomains except www and uk as a regex?
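One way to express "all geocities.com subdomains except www and uk" is a negative lookahead, which Perl-style regexes (and Python's re module, used here) support. This is an added example, not from the thread: the sample URIs are constructed, and the scoring model (a rule contributes its score once per message, however many URIs match) is a simplified assumption used to compare the two-rule offset scheme from the question with a single lookahead rule.

```python
import re

# The host must end here: path, port, query, fragment or end of string.
HOST_END = r"(?=[/:?#]|$)"
# The two subdomains treated as legitimate in the thread.
ALLOWED = r"(?:www|uk)\.geocities\.com" + HOST_END

# "All subdomains" rule from the question.
ANY_SUB = re.compile(r"^https?://(?:[a-z0-9-]+\.)+geocities\.com" + HOST_END, re.I)
# The alternation suggested in the thread, anchored to the host part.
GOOD_SUB = re.compile(r"^https?://" + ALLOWED, re.I)
# Every subdomain EXCEPT www and uk: (?!...) rejects the allowed hosts up front.
OTHER_SUB = re.compile(
    r"^https?://(?!" + ALLOWED + r")(?:[a-z0-9-]+\.)+geocities\.com" + HOST_END,
    re.I,
)

# (pattern, score) pairs; the +/-1.2 values are the ones used in the thread.
OFFSET_RULES = [(ANY_SUB, 1.2), (GOOD_SUB, -1.2)]
LOOKAHEAD_RULES = [(OTHER_SUB, 1.2)]

# Constructed sample URIs.
LEGIT = ["http://www.geocities.com/someuser/page.html"]
SUSPECT = ["http://xyz123.geocities.com/offer"]
MIXED = SUSPECT + LEGIT  # a message that carries both kinds of link


def classify(uri):
    """Return 'allowed', 'other' or 'unrelated' for a single URI."""
    if GOOD_SUB.search(uri):
        return "allowed"
    if OTHER_SUB.search(uri):
        return "other"
    return "unrelated"


def score(uris, rules):
    """Sum rule scores; each rule counts once if any URI in the message hits."""
    total = sum(s for rx, s in rules if any(rx.search(u) for u in uris))
    return round(total, 2)


if __name__ == "__main__":
    for name, uris in (("legit", LEGIT), ("suspect", SUSPECT), ("mixed", MIXED)):
        print(name, score(uris, OFFSET_RULES), score(uris, LOOKAHEAD_RULES))
```

Under this model the offset pair scores the mixed message 0.0 because the good-subdomain rule cancels the all-subdomain rule, while the single lookahead rule still scores it 1.2.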
RE: Bayes not learning (autolearn=failed)
That seemed to fix it. I guess the default is to create a prefs path. Thanks!

/etc/sysconfig/spamasassin

# Options to spamd
SPAMDOPTIONS="-d -m5 -c -H -u spam"
--Removed -c

Wilson
Re: A lot of these going around
On Thursday 18 May 2006 16:36, Ronald Nsubuga wrote: check the retry time and what os are u running pliz and the version you are using for spamassasin? retries less than 1 minute. Debian Sid, SA 3.1.1 Bunch of these error messages seem to happening every few (five?) hours.
Re: Who wants my spam - seriously!
Marc Perkel [EMAIL PROTECTED] writes: [...] I've already made an arrangement with Spamcop to forward the spam directly to an account they set up for me. I've sent them over 100,000 spams and they seem to like what they see. I'm told it will be a live feed sometime later today. These are the kinds of people who I want to feed spam to. People who can extract the right info and add it to popular block lists. 0) The script I posted is for personal spam [ 100/day]. It makes spamcop send netmasters notifications without any *special* arrangements with spamcop 1) Could you show us moment when you feed was accepted on the charts below? http://www.spamcop.net/spamgraph.shtml?spamweek http://www.spamcop.net/spamgraph.shtml?spammonth -- [pl2en Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED] http://anfi.homeunix.net/ http://www.linkedin.com/in/andfil
Re: Bayes not learning (autolearn=failed)
Also, I would add the path to your auto-whitelist file by adding this to your local.cf: auto_whitelist_path /home/spam/.spamassassin/auto-whitelist On Mon, May 22, 2006 at 09:07:48AM -1000, Chan, Wilson wrote: That seemed to fix it. I guess the default is to create a prefs path. Thanks!
Re: Vouching for mail from a dynamic IP (was: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam)
On Mon, 22 May 2006, Kenneth Porter wrote: How does another machine properly vouch for it? If I route my mail to a colocated host under my control, how do I make that host vouch for the mail from my house? Send it over an ssh tunnel so that to the MTA it appears to be coming from 127.0.0.1. That's how I do it. -- John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The problem is when people look at Yahoo, slashdot, or groklaw and jump from obvious and correct observations like Oh my God, this place is teeming with utter morons to incorrect conclusions like there's nothing of value here.-- Al Petrofsky, in Y! SCOX ---
RE: Bayes not learning (autolearn=failed)
Do you have a sample local.cf file I can base mine on? Right now this is what I have.

/etc/mail/spamassassin/local.cf

    required_hits 5.0
    report_safe 0
    rewrite_header Subject ** SPAM **
    # Setup Bayesian Database Files
    bayes_path /home/spam/.spamassassin/bayes
    bayes_file_mode 0777
    # Enable the Bayes system
    use_bayes 1
    # Enable Bayes auto-learning
    bayes_auto_learn 1

Wilson

-Original Message-
From: Sergei Gerasenko [mailto:[EMAIL PROTECTED]
Sent: Monday, May 22, 2006 9:20 AM
To: users@spamassassin.apache.org
Subject: Re: Bayes not learning (autolearn=failed)

Also, I would add the path to your auto-whitelist file by adding this to your local.cf:

    auto_whitelist_path /home/spam/.spamassassin/auto-whitelist

On Mon, May 22, 2006 at 09:07:48AM -1000, Chan, Wilson wrote:

> That seemed to fix it. I guess the default is to create a prefs path. Thanks!
Re: Bayes not learning (autolearn=failed)
On Mon, May 22, 2006 at 09:29:18AM -1000, Chan, Wilson wrote:

> Do you have a sample local.cf file I can base mine on? Right now this is what I have.

That sounds pretty good. Mine is even shorter because bayes is enabled by default and so is bayes_auto_learn. According to man Mail::SpamAssassin::Conf, required_hits is now deprecated in favor of required_score, but since 5 is the default value anyway, I wouldn't mention it in local.cf either. The rest seems OK, but again I'm no expert.
Appending spam-status at the bottom of message body
Hello!

Is there any way to append certain spam status info (ie spam score, spam tests etc) after the last line of the original message body? I'm not interested in putting the original message body + spam status report in two separate attachments, as done with the safe_report-option.

I read something about $status->rewrite_mail () and $messagestring = $status->get_full_message_as_text (), but I don't know if these will do the trick.. Neither do I know where/how to implement these commands.

Thanks for your help!

Best regards, chia3

-- View this message in context: http://www.nabble.com/Appending+spam-status+at+the+bottom+of+message+body-t1664723.html#a4511260 Sent from the SpamAssassin - Users forum at Nabble.com.
Re: Appending spam-status at the bottom of message body
On Mon, May 22, 2006 at 12:41:50PM -0700, chia3 wrote:

> Is there any way to append certain spam status info (ie spam score, spam tests etc) after the last line of the original message body?

There's no way to do this with the standard SA (though you could fake it by running messages through spamassassin -t). If you wanted to do this with spamd, for instance, you'd have to modify the rewrite_mail() stuff in PerMsgStatus. There isn't even a plugin hook for rewriting, yet.

> I read something about $status->rewrite_mail () and $messagestring = $status->get_full_message_as_text (), but I don't know if these will do the trick.. Neither do I know where/how to implement these commands.

Those are in the PerMsgStatus module. You'd have to modify the Perl code directly.

-- Randomly Generated Tagline: lp1 on fire - Linux kernel error message
spam no longer being written
Hello,

I am running SA 3.0.4 on FC3 with mailman 2.1.5. Until about a month ago everything was working well with my SA configuration. However, now the spam (that I am assuming still comes to my lists) is no longer being written to the spam folder for me to run sa-learn on it. No one has modified any files as I am the only maintainer. Here is my procmailrc if it will help. Any information would be greatly appreciated.

    # send mail through SpamAssassin
    #Spamassassin start
    :0fw
    * 256000
    | /usr/bin/spamc -f

    PMDIR=/home/jeffd/.procmail
    LOGABSTRACT=all
    MAILDIR=/home/jeffd/mail
    #MAILDIR=/home/jeffd/
    LOGFILE=$PMDIR/proclog
    VERBOSE=yes
    #DEFAULT=$MAILDIR/ham
    DEFAULT=$MAILDIR/mbox2

    :0: H
    * ^X-Spam-Status: Yes
    spam/

    :0: H
    mbox2/

Thank you, Jeff D
RE: Help with rule for geocities spam
Kenneth Porter wrote:

> On Monday, May 22, 2006 7:24 PM +0200 Michael Monnerie [EMAIL PROTECTED] wrote:
>
>> Or the full line could be:
>>
>>     uri ZMIgeocitiesGOOD m{(?:www|uk)\.geocities\.com}
>>     describe ZMIgeocitiesGOOD probably good geocities site
>>     score ZMIgeocitiesGOOD -1.2
>>
>> or whatever score you want to give them.
>
> Does a uri rule count once per instance or for all matching uris? If, for instance, I have that rule and one matching *all* subdomains with a +1.2, does a spammer just have to insert a good uri to nullify the score for the bad one?

The URI rule just says "does this exist in the message?" So it will only hit once per message. And yes, spammers could take advantage of this rule. This is why there are not many negative scoring rules in SA.

> Alternatively, is there regex syntax to match all patterns *except* the one given? Can I somehow express all geocities.com subdomains except www and uk as a regex?

That is a bit trickier because Perl does not currently support variable length look-behinds. But you can get around that by using two separate look-behinds like this:

    /(?!\bwww)(?!\buk)\.geocities\.com/

Note that you have to anchor both options separately.

-- Bowie
Bypassing scan on locally originated mail
Hi, I can't seem to find this anywhere, so I guess it couldn't be too much of a faq :) I'd like spamassassin to be bypassed for mail which originates from the local server (sendmail running on freebsd) Is there a way to do this? Thanks! Rich
RE: Help with rule for geocities spam
Bowie Bailey wrote:

> Kenneth Porter wrote:
>
>> Alternatively, is there regex syntax to match all patterns *except* the one given? Can I somehow express all geocities.com subdomains except www and uk as a regex?
>
> That is a bit trickier because Perl does not currently support variable length look-behinds. But you can get around that by using two separate look-behinds like this:
>
>     /(?!\bwww)(?!\buk)\.geocities\.com/

In this specific case, this might suffice:

    /[^wu][^wk]\.geocities\.com/i

... but this pattern does not generalize well.

-- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
Re: Bypassing scan on locally originated mail
On Mon, May 22, 2006 at 03:15:10PM -0500, Rich Winkel wrote:

> Hi, I can't seem to find this anywhere, so I guess it couldn't be too much of a faq :) I'd like spamassassin to be bypassed for mail which originates from the local server (sendmail running on freebsd) Is there a way to do this?

It's actually a pretty frequently asked question as I recall, but the answer is that it's not up to SA. SA will scan anything sent to it, so you need to find a way to configure sendmail to not send local mail to it.

-- Randomly Generated Tagline: We're 3 days in, and already you're asking for less work ... OK, noted and ignored. - Prof. Brown
SA Milter problem
Any else having this problem with spamass-milter with spamassassin? Looks like spamass-milter locks up and dies randomly. Is there a simple script that I can write to check say service spamass-milter to see if it comes back as running? If it isn't then just restart the service as a temp solution while I track down what's wrong? Thanks!

    May 22 10:41:08 localhost sendmail[31120]: k4MKf8dD031120: Milter (spamassassin): to error state
    May 22 10:41:08 localhost sendmail[31119]: k4MKf84A031119: Milter (spamassassin): error connecting to filter: Connection refused by /var/run/spamass.sock

Wilson
Re: Filtering windows-1252 charset
Kai Schaetzl wrote: Philip Prindeville wrote on Thu, 18 May 2006 08:47:48 -0600: How legitimate is email sent as windows-1252? Very, because broken Windows clients use it. Kai Ah, the Strong Arm school of standards enforcement. ;-) -Philip
Re: Vouching for mail from a dynamic IP (was: SPAM-LOW: Re: Spam Assassin Detecting our emails as spam)
On Monday, May 22, 2006 12:28 PM -0700 John D. Hardin [EMAIL PROTECTED] wrote: Send it over an ssh tunnel so that to the MTA it appears to be coming from 127.0.0.1. That's how I do it. Any way to do that with sendmail at both ends? Currently I use an AuthInfo entry in the sending MTA's access DB, and a mailertable entry (or smarthost in sendmail.mc) to direct mail to the receiving MTA for domains that don't like dynamic senders. So the dynamic IP in the Received headers should show up as authenticated for the host with static IP.
RE: Help with rule for geocities spam
[EMAIL PROTECTED] wrote:

> Bowie Bailey wrote:
>
>> Kenneth Porter wrote:
>>
>>> Alternatively, is there regex syntax to match all patterns *except* the one given? Can I somehow express all geocities.com subdomains except www and uk as a regex?
>>
>> That is a bit trickier because Perl does not currently support variable length look-behinds. But you can get around that by using two separate look-behinds like this:
>>
>>     /(?!\bwww)(?!\buk)\.geocities\.com/
>
> In this specific case, this might suffice:
>
>     /[^wu][^wk]\.geocities\.com/i

This is probably a less expensive regex, but it does not match quite the same thing. This will match any subdomain that does not end in ww, wk, uw, or uk. For instance, it will not match on squawk.geocities.com.

> ... but this pattern does not generalize well.

True, but neither does mine once you get past two or three alternatives.

-- Bowie
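The two patterns posted in this thread, run against constructed URLs, as an added example that is not part of any message above. Python's `re` handles these constructs (look-ahead, look-behind, `\b`, character classes) the same way Perl does; `lookbehind_form` and `label_anchored` are assumptions added here for comparison, not patterns from the thread.

```python
import re

# "posted_*" are copied from the thread. The other two are added assumptions:
#  - lookbehind_form: the same two alternatives written with (?<!...) syntax
#  - label_anchored: look-ahead placed at the start of the host label
PATTERNS = {
    "posted_lookahead": re.compile(r"(?!\bwww)(?!\buk)\.geocities\.com"),
    "posted_charclass": re.compile(r"[^wu][^wk]\.geocities\.com", re.I),
    "lookbehind_form": re.compile(r"(?<!\bwww)(?<!\buk)\.geocities\.com", re.I),
    "label_anchored": re.compile(
        r"(?<![a-z0-9-])(?!(?:www|uk)\.geocities\.com)"
        r"[a-z0-9-]+\.geocities\.com",
        re.I,
    ),
}

# Constructed sample URLs -> whether an "every subdomain except www and uk"
# rule should fire on them.
SAMPLES = {
    "http://www.geocities.com/a": False,
    "http://uk.geocities.com/a": False,
    "http://es.geocities.com/a": True,
    "http://squawk.geocities.com/a": True,
    "http://wwww.geocities.com/a": True,
    "http://a-uk.geocities.com/a": True,
}


def fires(name, url):
    """True if the named pattern matches anywhere in the URL (uri-rule style)."""
    return PATTERNS[name].search(url) is not None


def mismatches(name):
    """URLs on which the named pattern disagrees with the intended behaviour."""
    return [url for url, want in SAMPLES.items() if fires(name, url) != want]


if __name__ == "__main__":
    for name in PATTERNS:
        bad = mismatches(name)
        print(f"{name:18} {'OK' if not bad else 'wrong on: ' + ', '.join(bad)}")
```

A look-ahead placed directly before `\.` inspects the text that starts at the dot, so it can never see the label that precedes it; that is why the position of the assertion matters more than the number of alternatives.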
Re: Help with rule for geocities spam
As it turns out, I had a SARE rule installed that should catch these, but I found some spams leaking through due to the insecure dependency bug (bug 3838), even though I'm running Perl 5.8.3. I'm applying Daryl C. W. O'Shea's patch for that bug. Here's the SARE rule: http://www.rulesemporium.com/rules/70_sare_specific.cf (Look for __SARE_SPEC_XXGEOCITIE)
Re: SA Milter problem
Chan, Wilson wrote:

> Any else having this problem with spamass-milter with spamassassin?

Nope. (ask a vague question...)

C.

-- Craig McLean http://fukka.co.uk [EMAIL PROTECTED] Where the fun never starts Powered by FreeBSD, and GIN!
Re: Bypassing scan on locally originated mail
Rich Winkel [EMAIL PROTECTED] writes:

> Hi, I can't seem to find this anywhere, so I guess it couldn't be too much of a faq :) I'd like spamassassin to be bypassed for mail which originates from the local server (sendmail running on freebsd) Is there a way to do this?

How have you deployed spamassassin?

* via a milter integrating SA with sendmail
* via procmail (local sendmail mailer)
* other method

-- [pl2en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED] http://anfi.homeunix.net/ http://www.linkedin.com/in/andfil
Spamd memory leak?
I don't know if I should call it a memory leak or not, or just a memory release problem with spamd. I currently have 8 gigs of ram in this machine, I am running 30 processes currently as indicated in the spamassassin options:

    SPAMDOPTIONS=-d -c -H -x -m30 -q -u spamfilter --round-robin

I have played with the round-robin option and have not seen any real difference.

    Mem: 8108656k total, 5907792k used, 2200864k free, 218704k buffers
    Swap: 2031608k total, 0k used, 2031608k free, 2867736k cached

As you can see 6 gigs are being used. It increases over time.

    16:37:45 up 5 days, 4:00, 1 user, load average: 3.89, 3.87, 5.25

5 days uptime and it's grown to that amount. I end up rebooting the machine to recover the memory. It starts out low then again works its way up higher. I don't see any errors in any logs, with the exception of occasionally it suggests I run more processes.

The machine is a Dual Core Opteron 64, dual processor with 8 gigs of RAM. Currently running 64 bit version of Fedora 5. Anyone have any suggestions with this? OR could this be an issue with the Kernel?

Thanks in advance.

Alan Fullmer Zoobuh.com www.zoobuh.com
Re: conf file
On Mon, May 22, 2006 at 04:27:55PM -0600, Nathan Broderick wrote:

> Where does the local.cf file first get read in by SpamAssassin?

What do you mean exactly? Your question doesn't really make sense.

-- Randomly Generated Tagline: Know yourself. Don't accept your dog's admiration as conclusive evidence that you are wonderful. - Ann Landers
Re: Spamd memory leak?
On Mon, May 22, 2006 at 04:50:09PM -0600, Alan Fullmer wrote:

>     Mem: 8108656k total, 5907792k used, 2200864k free, 218704k buffers
>     Swap: 2031608k total, 0k used, 2031608k free, 2867736k cached
>
> As you can see 6 gigs are being used. It increases over time.

Sure.

> 5 days uptime and it's grown to that amount. I end up rebooting the machine to recover the memory. It starts out low then again works its way up higher.

Absolutely, that's how memory management works in most OSes. It's not a problem and doesn't require a reboot. Basically having free memory means there's memory that's not being used, which isn't very efficient. So the OS will try to allocate most of the memory and then cache and stuff gets freed as processes need it.

Now if you're seeing the memory increasing and then swap increases, etc, then that's potentially an issue.

-- Randomly Generated Tagline: The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum. - Phil Zimmermann
error on starting spamd
Hi there, I'm having problem setting up the init scripts to start spamd on a RH linux box. I've installed Mail-SpamAssassin-3.1.1 using rpm: rpmbuild -tb Mail-SpamAssassin-3.1.1.tar.gz I've created spamd file and added in /etc/sysconfig, but when I tried to setup the init scripts to start spamd, I get error of no such file or dir on service spamassassin: [birn-holly]# /sbin/chkconfig --level 345 spamassassin on error reading information on service spamassassin: No such file or directory Any help is much appreciated! Thanks.
RE: SA Milter problem
This seems weird but as soon as I started specifying the location for the whitelist bayes SA-milter in local.cf SA-milter started to fail randomly. Could it be that SA-milter can't handle all the email coming in? I also noticed it was more stable when I was using RBL's in sendmail. Any ideas?

Wilson

-Original Message-
From: Craig McLean [mailto:[EMAIL PROTECTED]
Sent: Monday, May 22, 2006 12:23 PM
To: Chan, Wilson
Cc: Spamassassin Users List
Subject: Re: SA Milter problem

Chan, Wilson wrote:

> Any else having this problem with spamass-milter with spamassassin?

Nope. (ask a vague question...)

C.

-- Craig McLean http://fukka.co.uk [EMAIL PROTECTED] Where the fun never starts Powered by FreeBSD, and GIN!
Debugging spamd
I just posted this: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4906 I'd like to throw a line into _handle_hit to log the rule name that's causing it. What's the Perl syntax for if $score isn't defined, log the rule name?
Re: error on starting spamd
On Mon, May 22, 2006 at 04:18:40PM -0700, Jana Nguyen wrote:

> I'm having problem setting up the init scripts to start spamd on a RH linux box. I've installed Mail-SpamAssassin-3.1.1 using rpm: rpmbuild -tb Mail-SpamAssassin-3.1.1.tar.gz

That builds the RPM. Did you install the RPMs after they were built?

-- Randomly Generated Tagline: Just wanted to let you know that pubexchange is down, something caught on fire inside the box. - Random problem ticket at work
Naming conventions for tests
Hi All

I've been approaching the problem of filtering spam at the email client end using the SpamAssassin (3.x) header. Our email server (over which I have no control) has a couple of server-side filters that reject emails with infected attachments and messages with a spam score 15. This leaves me with about 100 spam messages per day.

Rather than rely on the numerical value of the X-Spam-Score header I've been looking at client side filters using text strings to pick out groups of SpamAssassin tests. Many tests that are similar in nature have common text strings, allowing you to create a filter for a single term that includes a wide number of tests. The effectiveness of this approach could be improved with a better naming scheme for the tests.

The first filter I trialled picks up many tests for blacklisted domains/urls using two text strings:

    X-Spam-Score contains RCVD_IN OR contains BL_

Unfortunately RCVD_IN also includes some good tests so I had to split this into two filters:

    X-Spam-Score contains RCVD_IN AND does not contain _IADB_ AND does not contain _BSP_
    X-Spam-Score contains BL_

While these two filters do not cover all blacklist tests (and includes other types of tests) they do pick up 90% of spam (for me), with numerical scores down to 0.35. The main problem with this approach is that it requires monitoring of the SpamAssassin tests being applied as the software is updated to ensure that it doesn't pick up additional tests for good email. On the positive side, the learning aspect of this filter is done by the various blacklists.

If the SpamAssassin test could be named with more consistent text strings it would be simpler to set up client side filters. E.g.

    All tests for blacklists contain _BL_
    All possible porn to start with PORN_

Cheers

Ben Kreunen Imaging and IT Coordinator Department of Pathology The University of Melbourne
out of memory when receiving larger mails
Hi folks!

I really need help installing SA 3.0.3 to my debian 3.1 vserver with 256MB RAM and lots of swap space. I am using SpamAssassin together with Qmail through the ifspamh script. I added a call to the ifspamh script to my user's .qmail file and it works quite well.

The only problem is that I cannot receive mails above a certain size (usually mails with attachments). They simply don't get delivered. I can read the following error message in my syslog:

    qmail: 1148341842.937112 starting delivery 79: msg 61161737 to local [EMAIL PROTECTED]
    qmail: 1148341842.937179 status: local 1/10 remote 0/20
    qmail: 1148341846.521070 delivery 79: deferral: /usr/bin/ifspamh:_line_75:_out_of_memory/
    qmail: 1148341846.521146 status: local 0/10 remote 0/20

I have no idea what to do about it. THANKS for any help!!

Cheers, Robin

-- View this message in context: http://www.nabble.com/%22out+of+memory%22+when+receiving+larger+mails-t1666097.html#a4515012 Sent from the SpamAssassin - Users forum at Nabble.com.
Re: Help with rule for geocities spam
From: [EMAIL PROTECTED]

> Bowie Bailey wrote:
>
>> Kenneth Porter wrote:
>>
>>> Alternatively, is there regex syntax to match all patterns *except* the one given? Can I somehow express all geocities.com subdomains except www and uk as a regex?
>>
>> That is a bit trickier because Perl does not currently support variable length look-behinds. But you can get around that by using two separate look-behinds like this:
>>
>>     /(?!\bwww)(?!\buk)\.geocities\.com/
>
> In this specific case, this might suffice:
>
>     /[^wu][^wk]\.geocities\.com/i
>
> ... but this pattern does not generalize well.

jdow meh - simply use the easy rule for either www or uk. Give it a score of 0.001 if you want to monitor it. Then use it in a meta rule with a /geocities.com/ rule. If it is the latter and not the former give it 1000 points or whatever. If it is the latter AND the former be nice and only give it 999 + 1 points.

{^_-}
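Bowie Bailey's earlier answer (a uri rule hits at most once per message) and the meta-rule suggestion above, modelled as an added example that is not part of any message in this thread. It is a simplified model of per-message rule hits, not SpamAssassin code; the rule names `GEO_ANY` and `GEO_OTHER`, the 1.2 point values and the sample message bodies are assumptions constructed for illustration.

```python
import re

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

RULES = {
    # Pattern of the ZMIgeocitiesGOOD rule quoted in the thread.
    "ZMIgeocitiesGOOD": re.compile(r"(?:www|uk)\.geocities\.com", re.I),
    # Hypothetical rule matching *all* subdomains, as in the question.
    "GEO_ANY": re.compile(r"\.geocities\.com", re.I),
    # Hypothetical rule matching every subdomain except www and uk.
    "GEO_OTHER": re.compile(
        r"(?<![a-z0-9-])(?!(?:www|uk)\.geocities\.com)"
        r"[a-z0-9-]+\.geocities\.com",
        re.I,
    ),
}


def hits(body):
    """Per-message hits: a rule is True if ANY URI in the body matches it."""
    uris = URI_RE.findall(body)
    return {name: any(rx.search(u) for u in uris) for name, rx in RULES.items()}


def additive(body):
    """Good rule at -1.2 plus catch-all rule at +1.2, each counted once."""
    h = hits(body)
    return round(-1.2 * h["ZMIgeocitiesGOOD"] + 1.2 * h["GEO_ANY"], 2)


def meta_any_not_good(body, points=1.2):
    """Meta rule: catch-all hit AND good rule did not hit."""
    h = hits(body)
    return points if h["GEO_ANY"] and not h["ZMIgeocitiesGOOD"] else 0.0


def negated_uri(body, points=1.2):
    """Single uri rule that excludes www/uk inside the pattern itself."""
    return points if hits(body)["GEO_OTHER"] else 0.0


def compare(body):
    return additive(body), meta_any_not_good(body), negated_uri(body)


# Constructed message bodies.
GOOD_ONLY = "See http://www.geocities.com/club/page.html"
OTHER_ONLY = "Buy now http://xq7.geocities.com/offer"
MIXED = OTHER_ONLY + " and also http://uk.geocities.com/"

if __name__ == "__main__":
    for label, body in [("good", GOOD_ONLY), ("other", OTHER_ONLY), ("mixed", MIXED)]:
        print(label, compare(body))
```

Because the negated pattern is tested against each URI separately, it still fires on the mixed message, while both per-message combinations drop to zero as soon as one www or uk link is present.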
Re: Help with rule for geocities spam
From: Justin Mason [EMAIL PROTECTED] Kenneth Porter writes: As it turns out, I had a SARE rule installed that should catch these, but I found some spams leaking through due to the insecure dependency bug (bug 3838), even though I'm running Perl 5.8.3. I'm applying Daryl C. W. O'Shea's patch for that bug. Here's the SARE rule: http://www.rulesemporium.com/rules/70_sare_specific.cf (Look for __SARE_SPEC_XXGEOCITIE) did it work? if so, please add a report to that bug -- there are still very few comments indicating success. (although I don't doubt that's just lack of comment, rather than a faulty patch.) It is still working for me, Justin. I've removed my procmail double tap work around that fed through a second time if the first time failed to create markup. {^_^}
Re: Vouching for mail from a dynamic IP
On 5/22/2006 12:16 PM, Kenneth Porter wrote:

--On Saturday, May 20, 2006 4:54 PM -0700 jdow [EMAIL PROTECTED] wrote:

Looking at your own email it comes from a COMCAST cable connection in Palmer Ranch Florida through the WFGB mailer. The WFGB mailer is not in SORBS anywhere. YOUR address most certainly is a dialup. So it WILL get tagged unless your mail goes through a machine that properly vouches for it.

68.32.0.0/11 (68.32.0.0-68.63.255.255) is a dynamic IP netblock.

How does another machine properly vouch for it? If I route my mail to a colocated host under my control, how do I make that host vouch for the mail from my house?

There's no vouching. SpamAssassin simply looks for one relay between your network and the sender. If there isn't a relay between the two (that is the sender sent mail directly to your MX) the mail is treated as direct-to-MX and its IP is looked up in various blacklists.

Normally a sender would relay through their own mail server which would then relay the mail to your MX, thus avoiding having the sender's (end-user's MUA) IP looked up... their mail relay would be looked up though.

When you're sending mail to your own domain which uses the same mail server for everything this relay between the client and your MX doesn't exist and you run in to the problem described.

As previously noted in this thread, it is explained here: http://wiki.apache.org/spamassassin/DynablockIssues

Daryl
Re: out of memory when receiving larger mails
On 5/22/2006 8:09 PM, nxxs wrote:

> The only problem is that I cannot receive mails above a certain size (usually mails with attachments). They simply don't get delivered. I can read the following error message in my syslog:
>
>     qmail: 1148341842.937112 starting delivery 79: msg 61161737 to local [EMAIL PROTECTED]
>     qmail: 1148341842.937179 status: local 1/10 remote 0/20
>     qmail: 1148341846.521070 delivery 79: deferral: /usr/bin/ifspamh:_line_75:_out_of_memory/
>     qmail: 1148341846.521146 status: local 0/10 remote 0/20
>
> I have no idea what to do about it. THANKS for any help!!

Don't scan large messages (if you were using spamc/spamd it wouldn't scan messages larger than 256KB by default for this very reason).

Daryl
Re: Help with rule for geocities spam
On 5/22/2006 6:14 PM, Kenneth Porter wrote: As it turns out, I had a SARE rule installed that should catch these, but I found some spams leaking through due to the insecure dependency bug (bug 3838), even though I'm running Perl 5.8.3. I'm applying Daryl C. W. O'Shea's patch for that bug. Here's the SARE rule: http://www.rulesemporium.com/rules/70_sare_specific.cf (Look for __SARE_SPEC_XXGEOCITIE) Just because someone spelling my entire name right caught my attention... If you've got the bandwidth and processing time to spare, you might as well get Yahoo! to serve up the spam sites they're hosting: http://wiki.apache.org/spamassassin/WebRedirectPlugin Daryl