Re: IADB, 70_iadb.cf and multiple A records returned

2007-02-09 Thread Theo Van Dinter
On Sat, Feb 10, 2007 at 12:42:53AM -0300, Raul Dias wrote:
> eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.1$')
> 
> Doesn't this prevent the test if more than one A record is returned (^
> and $)??

No.  They're not all in a string, the match happens against each response
individually.

> Or each check_rbl_sub is called for each A record returned??

No, just one call.

> If this is set because it is an RE, doesn't it need the / / too?

Nope.  The code does that for us.

> If the last one is true, is the ^ $ really necessary? 
[...]
> If it really is a RE, what prevents '127.0.0.1' to not match
> 127.0.0.10? Or 127.1.0.1 to not match 127.120.1.1 ?

You answered your own question. :)

> Shouldn't the dots be escaped too?

Arguably, yes.  It works out that things like /^127.0.0.1$/ won't match
any other valid IP though, so in the end it's ok, but technically the
dots should be escaped.  Note: I don't recall if the code escapes the
dots for us, but I don't think so.

-- 
Randomly Selected Tagline:
"Integrity is doing the right thing when nobody is watching you."
 - Infonaut on Slashdot
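
The per-record matching described in the reply above, modelled as an added example: Python's `re` stands in for SpamAssassin's Perl regex matching, and this is not code from SpamAssassin or from anyone in this thread. The function names and the sample A-record lists are constructed for illustration.

```python
import ipaddress
import itertools
import re


def matching_records(pattern, a_records):
    """One call, with the pattern tried against each A record on its own
    (the behaviour described in the reply). Returns the records that hit."""
    rx = re.compile(pattern)
    return [ip for ip in a_records if rx.search(ip)]


def matches_joined(pattern, a_records):
    """The behaviour the question worried about: all answers in one string.
    With ^ and $ this could only hit when exactly one record came back."""
    return re.search(pattern, " ".join(a_records)) is not None


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def other_ips_accepted(literal_ip):
    """Valid IPv4 strings, other than literal_ip, accepted by ^literal_ip$
    with the dots left unescaped. A valid address holds only digits and
    dots, so trying those 11 characters in every wildcard slot is exhaustive."""
    rx = re.compile("^" + literal_ip + "$")
    slots = [i for i, ch in enumerate(literal_ip) if ch == "."]
    found = set()
    for fill in itertools.product("0123456789.", repeat=len(slots)):
        chars = list(literal_ip)
        for pos, ch in zip(slots, fill):
            chars[pos] = ch
        candidate = "".join(chars)
        if candidate != literal_ip and is_ipv4(candidate) and rx.search(candidate):
            found.add(candidate)
    return sorted(found)


# Constructed DNS answer: three A records returned for one listed sender.
ANSWER = ["127.3.100.10", "127.2.255.1", "127.101.201.0"]

if __name__ == "__main__":
    rule = "^127.2.255.1$"  # pattern as written in the 70_iadb.cf rule
    # Anchored pattern still fires when several records come back.
    print(matching_records(rule, ANSWER))
    # It would not fire if the answers were matched as one joined string.
    print(matches_joined(rule, ANSWER))
    # Anchored, unescaped dots accept no other valid address.
    print(other_ips_accepted("127.2.255.1"))
    # Unanchored patterns from the question: both produce false hits.
    print(matching_records("127.0.0.1", ["127.0.0.10"]))
    print(matching_records("127.1.0.1", ["127.120.1.1"]))
    # Escaping the dots removes the second false hit, anchoring the first.
    print(matching_records(r"127\.1\.0\.1", ["127.120.1.1"]))
    print(matching_records(r"^127\.0\.0\.1$", ["127.0.0.10"]))
```

The anchors are what keep `127.0.0.1` from hitting `127.0.0.10`; escaping the dots only changes the outcome once a pattern is left unanchored.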




IADB, 70_iadb.cf and multiple A records returned

2007-02-09 Thread Raul Dias
Looking at the IADB page: http://www.isipp.com/iadbcodes.php , it says:
"... When queried, the IADB will return one or more A records 
for any site which is listed in the IADB ..."

Now looking at the 70_iadb.cf file from sa-update, most rules are like
this:

eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.1$')

Doesn't this prevent the test if more than one A record is returned (^
and $)??

Or each check_rbl_sub is called for each A record returned??

If the last one is true, is the ^ $ really necessary? 

If this is set because it is an RE, doesn't it need the / / too?
If it really is a RE, what prevents '127.0.0.1' to not match
127.0.0.10? Or 127.1.0.1 to not match 127.120.1.1 ? Shouldn't the dots
be escaped too?


That's enough for now :)


- Raul Dias



Re: RE: More stock spam + strange cf files

2007-02-09 Thread Loren Wilton

> *  2.7 SARE_PROLOSTOCK_SYM4 BODY: Last week's hot stock scam
> *  1.7 SARE_LWSYMFMT BODY: SARE_LWSYMFMT
>
> I don't know if these SARE rules have been written since you posted this
> email though...


Nope.  They are rather old.  About the same age as LW_STOCK_SPAM4 that is 
annoying the Blackberry crowd, in fact.  ;-)


   Loren



Re: Re[2]: More stock spam + strange cf files

2007-02-09 Thread Loren Wilton

> Pardon my ignorance here, but it is full of mis-spellings and phrases that
> you wouldn't normally see, so why not just hit those?
> "aid you to know"
> "C O S T"
> "brroker"
> "ama zing"
>
> Peter


1) Most people can't spell these days.  These phrases might hit all over the 
place on ham.
2) These hadn't been used before in spam (except maybe the cost spelling) so 
there was no need for rules for them.


Summary: It would need a mass-check on new rules to see if they were good. 
That said, I expect that new rules will show up soon if this isn't a one-off 
spam.


   Loren



Re: spamassassin learning method

2007-02-09 Thread John D. Hardin
On Sat, 10 Feb 2007, Rizal Ferdiyan wrote:

> I want to create "spamassassin learning 
> method", if my client find any spam for their email they can forward it 

The act of forwarding completely changes the message.

The best way is for them to move the message to a folder that you have 
access to. What is the mail server that the messages eventually end up 
on? Sendmail with standard mbox/maildir? Exchange?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference is that Unix has had thirty years of technical
  types demanding basic functionality of it. And the Macintosh has
  had fifteen years of interface fascist users shaping its progress.
  Windows has the hairpin turns of the Microsoft marketing machine
  and that's all.    -- Red Drag Diva
---
 3 days until Abraham Lincoln's and Charles Darwin's 198th Birthdays




Re: dns query failed for 1.1.3.saupdates.openprotect.com

2007-02-09 Thread Daryl C. W. O'Shea

Stephen Carter wrote:
> On Fri, 2007-02-09 at 17:49 -0500, Daryl C. W. O'Shea wrote:
> > Stephen Carter wrote:
> > > Hi guys,
> > >
> > > I'm running SA 3.1.1 and have imported openprotect's gpg sig, but when I
> > > try to run sa-update on this channel with the debug switch turned on I get
> > > the error:
> > >
> > > dbg: dns: query failed: 1.1.3.saupdates.openprotect.com => NXDOMAIN
> > >
> > > Is SA 3.1.1 still supported with this channel?
> >
> > It appears that they're only publishing updates for 3.1.3 to 3.1.7.
> >
> > > I know I need to update SA to 3.1.7 but can't do it just at the moment.
> >
> > Either update SA or use a different SARE ruleset channel provider.  The
> > one I know of will work for 3.1.1. ;)
> >
> > Daryl
>
> Thanks for the reply Daryl. Looks like I'll have to push through that SA
> upgrade then

...or use the channels I provide (see SARE website or SA wiki) that will
work with 3.1.1.  Of course, an upgrade wouldn't hurt.

> How do you know what versions are supported? Is it
> simply performing DNS queries on each version of SA?

Yeah.


Daryl



Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Matt Kettler
Jo Rhett wrote:
>
>>> Why do I need a custom rule to work around an FP in the ruleset?
>> See above.
>
> It's really hard not to be really annoyed with this answer.  

If you don't like my answers, you're free to not accept my help.

But please keep in mind two things:
1) I often come across as more rude than I'm intending to be because I,
like you might be, am a busy person. I'm often pressed for time, and my
answers tend to be terse, and a bit blunt.
2) I don't also have enough spare time to both offer free help, and
spend time considering my choices of wording. As such, you'll often see
my current moods, knee-jerk reactions, and opinions regarding technical
matters biasing my overall verbiage.

Those are character flaws on my part, and being busy isn't much of an
excuse, but at least I'm working for free.

I also assure you that had I meant to insult you, it would be rather
obvious.

Also consider:
1) I've already spent the time to write a rule for you in an effort to
try to help out.
2) your own choice of wording isn't exactly devoid of annoyances either.

So, if my response was annoying, it's because I slept poorly last night,
had a morning meeting to go to,  found it obnoxious that you insisted an
obviously non-stock configuration was, and my attempt to help was met
with indignation. So my minor annoyance showed through.

> What kind of nonsense did you think my question was?
>
> If LW_STOCK_SPAM is a SARE RULE, then I am requesting a revision to
> the SARE rule.  Why on the gods green earth would you assume that I
> wanted a fix in the base distribution for a SARE rule?

Fair enough.. However, the custom rule I came up with doesn't deal with
this LW_STOCK_SPAM. It deals with MIME_BASE64_TEXT, which IS a base
distribution rule, but isn't generally a problem for most folks. I would
not want to suggest the devs should commit a modification to the base
ruleset to fix how this rule interacts with crackberry, because the base
ruleset isn't much of a problem.

As for making a change to the SARE ruleset to fix LW_STOCK_SPAM. Sure..
That said, as noted elsewhere, this rule shouldn't have fired for this
message, which makes me wonder why it fired.




spamassassin learning method

2007-02-09 Thread Rizal Ferdiyan

Hi all,
I am Rizal, I am a newbie.

I have a SMTP proxy server; before any email enters my company, it must
pass via my "smtp proxy server". My smtp server consists of 2 machines, one
works with postfix and the other works with spamassassin + clamav.  It
serves about 2000 clients. I want to create a "spamassassin learning
method": if my clients find any spam in their email they can forward it
to one address I create for receiving spam, example: [EMAIL PROTECTED] After
that I can do "sa-learn" on the [EMAIL PROTECTED] mailbox or maildir. But when
I read the spamassassin documentation, it also learns email headers. Because my
[EMAIL PROTECTED] mailbox consists of email forwarded from my clients, it
has headers (from, to, cc, msg-id, etc.) from my clients. I am afraid that if I
use this method, my clients will be spammers. What do you think, any ideas?


Is there any configuration in SA, so it can remove the forward headers
from its learning method?


--
Best Regards,
-Rizal Ferdiyan 



Re: dns query failed for 1.1.3.saupdates.openprotect.com

2007-02-09 Thread Stephen Carter
On Fri, 2007-02-09 at 17:49 -0500, Daryl C. W. O'Shea wrote:
> Stephen Carter wrote:
> > Hi guys,
> > 
> > I'm running SA 3.1.1 and have imported openprotect's gpg sig, but when I 
> > try to run sa-update on this channel with the debug switch turned on I get 
> > the error:
> > 
> > dbg: dns: query failed: 1.1.3.saupdates.openprotect.com => NXDOMAIN
> > 
> > Is SA 3.1.1 still supported with this channel?
> 
> It appears that they're only publishing updates for 3.1.3 to 3.1.7.
> 
> 
> > I know I need to update SA to 3.1.7 but can't do it just at the moment.
> 
> Either update SA or use a different SARE ruleset channel provider.  The 
> one I know of will work for 3.1.1. ;)
> 
> 
> Daryl

Thanks for the reply Daryl. Looks like I'll have to push through that SA
upgrade then

How do you know what versions are supported? Is it
simply performing DNS queries on each version of SA?

-- 
Stephen Carter
Retrac Networking Limited
www: http://www.retnet.co.uk
Ph: +44 (0)7870 218 693
Fax: +44 (0)870 7060 056
CNA, CNE 6, CNS, CCNA, MCSE 2003




Re: Spam Scam - childsafenetwork.org

2007-02-09 Thread David Cary Hart
On Fri, 9 Feb 2007 16:32:27 -0500 , Bowie Bailey
<[EMAIL PROTECTED]> opined:
> David Cary Hart wrote:
> > As a violent crime victims advocate, I might be overreacting to
> > this issue. OTOH, I can write, with absolute certainty, that
> > anyone using any of the services from childsafenetwork.org is
> > opting in for a considerable volume of commercial spam (from
> > hoodia to credit reports).
> > 
> > In point of fact, the domain is registered to Paradigm Direct
> > which seems to be an affiliate of JBR Media Ventures, They, and
> > their affiliates, have done a remarkable job of seeding Google
> > search results. The real deal seems to be CSN.org. The home pages
> > are remarkably similar in context.
> > 
> > If you agree with my point of view, feel free to make some noise.
> > I have written to Starbucks without reply. More information is
> > available at http://tqmcube.com/childsafe.php .
> 
> Interesting.  What happens if you try to opt out of these mailings?
> 
Since putting up the page, I have received three (unverified)
complaints that opt-outs are not honored. JBR Media used to spam
SwitchMyCellPhone.com. 

BTW, all of our escalated ranges are now available in real time on
our site.

-- 
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
   Don't Subsidize Criminals: http://boulderpledge.org


Re: RE: More stock spam + strange cf files

2007-02-09 Thread Ben Wylie

Chris Santerre wrote:

> > These guys are just rolling in scot-free except for bayes.
> > See http://2chronicles36.org/stock.txt
> >
> > I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf & KAM.cf
>
> I must say, that's a pretty well done spam. Whoever wrote it put some
> thought into the phrasing. This one might take a bit. The wording is
> gonna be hard to tag.



I get a decent score on this. These are the rules it hit.

X-Spam-Status: Yes, score=10.4 version=3.1.7
X-Spam-Report:
*  2.0 BOTNET Relay might be a spambot or virusbot
*  [botnet0.7,ip=218.157.62.185,maildomain=gcpower.net,nordns]
*  2.7 SARE_PROLOSTOCK_SYM4 BODY: Last week's hot stock scam
*  1.7 SARE_LWSYMFMT BODY: SARE_LWSYMFMT
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.6 HELO_MISMATCH_COM HELO_MISMATCH_COM

I don't know if these SARE rules have been written since you posted this 
email though...


Ben




Re: dns query failed for 1.1.3.saupdates.openprotect.com

2007-02-09 Thread Daryl C. W. O'Shea

Stephen Carter wrote:
> Hi guys,
>
> I'm running SA 3.1.1 and have imported openprotect's gpg sig, but when I try to
> run sa-update on this channel with the debug switch turned on I get the error:
>
> dbg: dns: query failed: 1.1.3.saupdates.openprotect.com => NXDOMAIN
>
> Is SA 3.1.1 still supported with this channel?

It appears that they're only publishing updates for 3.1.3 to 3.1.7.

> I know I need to update SA to 3.1.7 but can't do it just at the moment.

Either update SA or use a different SARE ruleset channel provider.  The
one I know of will work for 3.1.1. ;)



Daryl


dns query failed for 1.1.3.saupdates.openprotect.com

2007-02-09 Thread Stephen Carter
Hi guys,

I'm running SA 3.1.1 and have imported openprotect's gpg sig, but when I try to 
run sa-update on this channel with the debug switch turned on I get the error:

dbg: dns: query failed: 1.1.3.saupdates.openprotect.com => NXDOMAIN

Is SA 3.1.1 still supported with this channel?

I know I need to update SA to 3.1.7 but can't do it just at the moment.

Thanks!

Stephen Carter
Retrac Networking Limited
www: http://www.retnet.co.uk
Ph: +44 (0)7870 218 693
Fax: +44 (0)870 7060 056
CNA, CNE 6, CNS, CCNA, MCSE 2003


Re: Does exist a public database of spam content?

2007-02-09 Thread Evan Platt

At 01:35 PM 2/9/2007, Alejandro Lengua wrote:


> I would like to know if there is a public database of spam
> content that I could use to update my SpamAssassin
> Bayes database.
>
> There is still a lot of spam that is not caught by
> SpamAssassin, so I was thinking that it could be an
> alternative for improving its effectiveness.
>
> It could also be a business opportunity.
> Think of it as an antivirus signature update service
> or the way Sourcefire makes profit with Snort rules.


Post to a usenet group, using a real e-mail address. Have that e-mail 
address go to a mailbox you can run sa-learn on. 



Re: Does exist a public database of spam content?

2007-02-09 Thread Michele Neylon :: Blacknight

How much spam do you want?

/me stares at the millions of emails in his quarantines

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239


Does exist a public database of spam content?

2007-02-09 Thread Alejandro Lengua

I would like to know if there is a public database of spam
content that I could use to update my SpamAssassin
Bayes database.

There is still a lot of spam that is not caught by
SpamAssassin, so I was thinking that it could be an
alternative for improving its effectiveness.

It could also be a business opportunity.
Think of it as an antivirus signature update service
or the way Sourcefire makes profit with Snort rules.


Regards
Alejandro Lengua


RE: Spam Scam - childsafenetwork.org

2007-02-09 Thread Bowie Bailey
David Cary Hart wrote:
> As a violent crime victims advocate, I might be overreacting to this
> issue. OTOH, I can write, with absolute certainty, that anyone using
> any of the services from childsafenetwork.org is opting in for a
> considerable volume of commercial spam (from hoodia to credit
> reports).
> 
> In point of fact, the domain is registered to Paradigm Direct which
> seems to be an affiliate of JBR Media Ventures, They, and their
> affiliates, have done a remarkable job of seeding Google search
> results. The real deal seems to be CSN.org. The home pages are
> remarkably similar in context.
> 
> If you agree with my point of view, feel free to make some noise. I
> have written to Starbucks without reply. More information is
> available at http://tqmcube.com/childsafe.php .

Interesting.  What happens if you try to opt out of these mailings?

-- 
Bowie


20_porn.cf/SUBJECT_SEXUAL not picking up new subjects

2007-02-09 Thread Bubba Wilson


I've been getting many sexy subject emails lately that are not getting 
properly categorized by the SUBJECT_SEXUAL rule in 20_porn.cf.  These 
new-to-me subjects are:


SEUAL-EXPLCIT:
SEEUAL-EXPLlClT:

I've modified my rule locally but figured I'd pass along my changes should 
the rule actually be updated:


Subject =~ /[EMAIL PROTECTED]|1](?:[l!|1]y)?.{0,3}[e3\xE8-\xEB]xp[l!|1][i1!|l\xEC-\xEF]?c[i1!|l\xEC-\xEF]t/i

Thanks,
Bubba



Re: TVD_ENVFROM_APOST

2007-02-09 Thread Larry Starr
It checks the Envelope from, NOT the Header "From:".

On Friday 09 February 2007 14:57, Mathieu Bouchard wrote:
> Two questions about TVD_ENVFROM_APOST :
>
> 1. Is its execution conditional in any way? Because I have many posts that
> have an apostrophe in the "From:" yet don't trigger this flag. I can't
> figure out when it's applied or not.
>
> 2. Wouldn't it be better to check for apostrophe s ? It seems like what
> that test catches is mostly addresses made up from random dictionary
> words, from dictionaries that consider each genitive case to be a word in
> itself. E.g. open /usr/share/dict/words and search for apostrophes.
>
>   _ _ __ ___ _  _ _ ...
>
> | Mathieu Bouchard - tél:+1.514.383.3801 - http://artengine.ca/matju
> | Freelance Digital Arts Engineer, Montréal QC Canada

-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway



Re: TVD_ENVFROM_APOST

2007-02-09 Thread Mathieu Bouchard

On Fri, 9 Feb 2007, Mathieu Bouchard wrote:

> Two questions about TVD_ENVFROM_APOST :
>
> 1. Is its execution conditional in any way? Because I have many posts that
> have an apostrophe in the "From:" yet don't trigger this flag. I can't figure
> out when it's applied or not.


I just checked it again, and it may have to do with EnvelopeFrom vs 
From:addr. However, my mail program hides the EnvelopeFrom (the very first 
line of the message, if I'm not mistaken) even when in "full headers" 
mode. Fortunately, I can export any message to a file in which the first 
line will be the EnvelopeFrom.


So, I found an email that had "'s" in the "From:" but not tagged 
TVD_ENVFROM_APOST, and I exported it, and looked at the first line. It 
contained an "'s" too. So, that possibility is eliminated, and I have no 
other idea what it could be.


(I don't have any experience writing rules in SpamAssassin. I know 
Regexps, Perl, etc., but I don't know much SA-specific information)


 _ _ __ ___ _  _ _ ...
| Mathieu Bouchard - tél:+1.514.383.3801 - http://artengine.ca/matju
| Freelance Digital Arts Engineer, Montréal QC Canada

Spam Scam - childsafenetwork.org

2007-02-09 Thread David Cary Hart
As a violent crime victims advocate, I might be overreacting to this
issue. OTOH, I can write, with absolute certainty, that anyone using
any of the services from childsafenetwork.org is opting in for a
considerable volume of commercial spam (from hoodia to credit
reports).

In point of fact, the domain is registered to Paradigm Direct which
seems to be an affiliate of JBR Media Ventures, They, and their
affiliates, have done a remarkable job of seeding Google search
results. The real deal seems to be CSN.org. The home pages are
remarkably similar in context.

If you agree with my point of view, feel free to make some noise. I
have written to Starbucks without reply. More information is
available at http://tqmcube.com/childsafe.php . 
-- 
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
   Don't Subsidize Criminals: http://boulderpledge.org


TVD_ENVFROM_APOST

2007-02-09 Thread Mathieu Bouchard


Two questions about TVD_ENVFROM_APOST :

1. Is its execution conditional in any way? Because I have many posts that 
have an apostrophe in the "From:" yet don't trigger this flag. I can't 
figure out when it's applied or not.


2. Wouldn't it be better to check for apostrophe s ? It seems like what 
that test catches is mostly addresses made up from random dictionary 
words, from dictionaries that consider each genitive case to be a word in 
itself. E.g. open /usr/share/dict/words and search for apostrophes.


 _ _ __ ___ _  _ _ ...
| Mathieu Bouchard - tél:+1.514.383.3801 - http://artengine.ca/matju
| Freelance Digital Arts Engineer, Montréal QC Canada

RE: updating 3.1.1 to 3.1.7

2007-02-09 Thread Bret Miller
> using the DAG site and rpm -U, I updated spamassassin and
> spamassassin-tools to
> 3.1.7-1
> Things don't look so good. Here is what happened when I
> restarted spamd
>
>  spamd[26917]: spamd: server killed by SIGTERM, shutting down
>  spamd[27082]: persistent_udp: no such method at
> /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/DnsResolver
> .pm line 99
>  spamd[27082]: logger: removing stderr method
>  spamd[27084]: config: failed to parse line, skipping:
> rewrite_subject 1
>  spamd[27084]: config: failed to parse line, skipping: subject_tag [:]
>  spamd[27084]: config: failed to parse line, skipping:
> check_mx_delay 3
>  spamd[27084]: config: failed to parse line, skipping: report_header 1
>  spamd[27084]: config: failed to parse line, skipping:
> use_terse_report 1
>  spamd[27084]: config: failed to parse line, skipping:
> detailed_phrase_score 0
>  spamd[27084]: config: failed to parse line, skipping:
> spam_level_stars 0
>  spamd[27084]: config: failed to parse line, skipping: defang_mime 0
>  spamd[27084]: config: score: the non-numeric score (-.3) is
> not valid, a numeric
> score is required
>  spamd[27084]: config: SpamAssassin failed to parse line,
> "FROM_POSTOFFICE -
> .3" is not valid for "score", skipping: score FROM_POSTOFFICE -.3
>  spamd[27084]: config: failed to parse line, skipping: razor_timeout 1
>  spamd[27084]: config: failed to parse line, skipping: dcc_timeout 1
>  spamd[27084]: config: failed to parse line, skipping:
> pyzor_add_header 0
>  spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined
> dependency
> 'RAZOR2_CHECK'
>  spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined
> dependency
> 'DCC_CHECK'
>  spamd[27084]: rules: meta test DRUGS_ERECTILE has undefined
> dependency
> '__DRUGS_ERECTILE7'
>  spamd[27084]: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined
> dependency 'VIRUS_WARNING_MYDOOM4'
>  spamd[27084]: rules: meta test SARE_OBFU_CIALIS has
> undefined dependency
> 'SARE_OBFU_CIALIS2'
>  spamd[27084]: spamd: server started on port 783/tcp (running
> version 3.1.7)
>  spamd[27084]: spamd: server pid: 27084
>  spamd[27084]: spamd: server successfully spawned child
> process, pid 27091
>  spamd[27084]: spamd: server successfully spawned child
> process, pid 27092
>  spamd[27084]: prefork: child states: IS
>  spamd[27084]: prefork: child states: II
>
> I don't see anything mentioned about this in
>  /usr/share/doc/spamassassin-3.1.7/UPGRADE

The "failed to parse line" warnings are all deprecated settings IIRC.
Check the documentation for current equivalents. I would be surprised if
3.1.1 didn't note those as well.

The score from "FROM_POSTOFFICE" should be -0.3 instead of -.3. Is that
in your local.cf?

The undefined dependency "info" messages are new in a recent version
(sorry-- don't remember which). However, the end result is the same as
before as far as processing goes. It's just the undefined dependencies
are actually noted somewhere now where they weren't before. If you
develop your own meta rules, having this is very helpful. For standard
or other 3rd-party rules, it's just annoying.

Is your Net::DNS up-to-date per the release notes?

HTH,
Bret





updating 3.1.1 to 3.1.7

2007-02-09 Thread .rp
using the DAG site and rpm -U, I updated spamassassin and spamassassin-tools to
3.1.7-1
Things don't look so good. Here is what happened when I restarted spamd

 spamd[26917]: spamd: server killed by SIGTERM, shutting down
 spamd[27082]: persistent_udp: no such method at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/DnsResolver.pm line 99
 spamd[27082]: logger: removing stderr method
 spamd[27084]: config: failed to parse line, skipping: rewrite_subject 1
 spamd[27084]: config: failed to parse line, skipping: subject_tag [:]
 spamd[27084]: config: failed to parse line, skipping: check_mx_delay 3
 spamd[27084]: config: failed to parse line, skipping: report_header 1
 spamd[27084]: config: failed to parse line, skipping: use_terse_report 1
 spamd[27084]: config: failed to parse line, skipping: detailed_phrase_score 0
 spamd[27084]: config: failed to parse line, skipping: spam_level_stars 0
 spamd[27084]: config: failed to parse line, skipping: defang_mime 0
 spamd[27084]: config: score: the non-numeric score (-.3) is not valid, a 
numeric 
score is required
 spamd[27084]: config: SpamAssassin failed to parse line, "FROM_POSTOFFICE -
.3" is not valid for "score", skipping: score FROM_POSTOFFICE -.3
 spamd[27084]: config: failed to parse line, skipping: razor_timeout 1
 spamd[27084]: config: failed to parse line, skipping: dcc_timeout 1
 spamd[27084]: config: failed to parse line, skipping: pyzor_add_header 0
 spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined dependency 
'RAZOR2_CHECK'
 spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined dependency 
'DCC_CHECK'
 spamd[27084]: rules: meta test DRUGS_ERECTILE has undefined dependency 
'__DRUGS_ERECTILE7'
 spamd[27084]: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined 
dependency 'VIRUS_WARNING_MYDOOM4'
 spamd[27084]: rules: meta test SARE_OBFU_CIALIS has undefined dependency 
'SARE_OBFU_CIALIS2'
 spamd[27084]: spamd: server started on port 783/tcp (running version 3.1.7)
 spamd[27084]: spamd: server pid: 27084
 spamd[27084]: spamd: server successfully spawned child process, pid 27091
 spamd[27084]: spamd: server successfully spawned child process, pid 27092
 spamd[27084]: prefork: child states: IS
 spamd[27084]: prefork: child states: II

I don't see anything mentioned about this in 
 /usr/share/doc/spamassassin-3.1.7/UPGRADE

Thanks.



SPamc not filtering all mail.

2007-02-09 Thread Jai Rangi

Hello,
I have this rule in my .procmailrc,

:0f
* ^[F|f]rom:.*ourdomain\.com
* ^[m|M]essage-[i|I][D|d]:.*ourdomain\.com|^Received:.*(authenticated).*\.ourdomain\.com
| formail -A"X-Spam: none"

:0fw
* < 256000
* !^X-Spam: none
* !^FROM_DAEMON
| /usr/bin/spamc

We don't want SPAMASSASSIN to check any mails coming from our own 
domain. So every email must be tagged for

either X-Spam: none OR

X-Spam-Level: 
X-Spam-Status: No,


This seems to have been pretty good, but every once in a while we get a
few emails that don't get checked for spam, and neither get the tag
X-SPAM: none.

For Example this one,

Return-Path: <[EMAIL PROTECTED]> 
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from node.ourdomain.com (node.ourdomain.com [OUR.PUBLIC.IP.ADDr])
by localmail.lan.aleks.com (Postfix) with ESMTP id 2CB3D60E26
for [EMAIL PROTECTED]; Fri, 9 Feb 2007 04:05:19 -0800 (PST)
Received: from sys1.hobarotua.com (66.63.190.191.oc3networks.com 
[66.63.190.191] (may be forged))

by node.ourdomain.aleks.com (8.11.6/8.11.6) with ESMTP id l19C5Ji11370
for < [EMAIL PROTECTED] > ; Fri, 9 Feb 2007 
04:05:19 -0800
Message-Id: <[EMAIL PROTECTED]> 
 // This message ID was forged to look like it is from our domain.
Received: by sys1.hobarotua.com id hphhnu0cq2g5 for < [EMAIL PROTECTED] 
> ; Fri, 9 Feb 2007 04:05:17 -0800 
(envelope-from <[EMAIL PROTECTED]> )

from: "Message in a Bottle"<[EMAIL PROTECTED]> 
to: " [EMAIL PROTECTED]
subject: Personalized Message in a Bottle
date: 2/9/2007 4:05:28 AM
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="Multipart-Boundary-xxcekeBKXHe7w---"

This is a multi-part message in MIME format.


Can anyone help me figure out what I might be doing wrong? How can I make sure
that every email not from our domain is checked for spam?

I am using postfix+spamassassin. version spamassassin-3.0.6-1.fc4


Thank you,
-Jai




spamc 3.1.1 and procmail

2007-02-09 Thread .rp
Hi,

In our system-wide .procmail I have been using /usr/bin/spamassassin. Recently the
CPU usage has soared when spamassassin ran, so I decided to use /usr/bin/spamc
with spamd running as a daemon.

Well, it didn't quite work. Here is a sample problem:
| /usr/bin/spamc -u $LOGNAME


 sendmail[21908]: l19HQGne021908: from=, size=18119, class=0, nrcpts=1, msgid=, proto=SMTP, 
daemon=Daemon0, relay=lists.now.org [198.65.157.134]
 spamd[17291]: spamd: connection from localhost [127.0.0.1] at port 56232
 spamd[17291]: spamd: setuid to xyzsom succeeded
 net spamd[17291]: spamd: creating default_prefs: 
/home/xyzsom/.spamassassin/user_prefs
 net spamd[17291]: mkdir /root/.spamassassin: Permission denied at 
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin.pm line 1469
 net spamd[17291]: config: cannot write to 
/home/xyzsom/.spamassassin/user_prefs: 
Permission denied

I also tried spamc with no parameters but that did not help.
So what changes do I need to make? Will this adversely affect running
/usr/bin/spamassassin ?



Re: question about image spam

2007-02-09 Thread Maciej Friedel
On 02/09/07 Ivan wrote:

Hi

> First time posting here, we are running SA version 3.0.6 on centos 4.4, we
> have a lot of image spam and I would like to know if somebody can give me an
> idea about how to deal with it?

http://www200.pair.com/mecham/spam/image_spam2.html
here is the best help to install FuzzyOCR
FuzzyOCR recognizes animated graphics

maciek

-- 
|_|0|_| Maciej Friedel <[EMAIL PROTECTED]>
|_|_|0| http://wwv.pl - usługi hostingowe
|0|0|0| http://eprogram.pl - projektowanie stron www


Re: question about image spam

2007-02-09 Thread Evan Platt

At 10:09 AM 2/9/2007, Ivan Arteaga wrote:


> Hi List,
>
> First time posting here, we are running SA version 3.0.6 on centos 4.4, we
> have a lot of image spam and I would like to know if somebody can give me an
> idea about how to deal with it?
>
> Any comment will be appreciated.


Upgrading to 3.1.7 wouldn't be a bad idea.

FuzzyOCR would be another good idea.

http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

Evan



question about image spam

2007-02-09 Thread Ivan Arteaga
Hi List,

 

First time posting here, we are running SA version 3.0.6 on centos 4.4, we
have a lot of image spam and I would like to know if somebody can give me an
idea about how to deal with it?

 

Any comment will be appreciated.

 

Regards,

 

--Ivan. 



Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Adam Lanier
On Fri, 2007-02-09 at 09:01 -0800, Jo Rhett wrote:
> On Feb 9, 2007, at 2:41 AM, Matt Kettler wrote:
> > Jo Rhett wrote:
> >>
> >> Again, I have a 100% stock SA configuration.
> > No you don't have a 100% stock config. There are at least two
> > differences relevant to the message you posted:
> >
> > 1) you have the SARE STOCKS ruleset. LW_STOCK_SPAM4 is NOT a stock
> > spamassassin rule. It's part of an add-on ruleset, not a stock SA
> > feature.
> >
> >> Why do I need a custom rule to work around an FP in the ruleset?
> > See above.
> 
> It's really hard not to be really annoyed with this answer.  What  
> kind of nonsense did you think my question was?
> 
> If LW_STOCK_SPAM is a SARE RULE, then I am requesting a revision to  
> the SARE rule.  Why on the gods green earth would you assume that I  
> wanted a fix in the base distribution for a SARE rule?

Not to start a flame war or anything (yeah, right) but:

It's really hard not to be annoyed with your response.

If you want a change to a SARE rule, go talk to the SARE people.  If you
want help from the SA list, please provide accurate information in your
requests; it will go a long way towards getting accurate (and helpful)
responses.




Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Jo Rhett


On Feb 9, 2007, at 2:41 AM, Matt Kettler wrote:
> Jo Rhett wrote:
>>
>> Again, I have a 100% stock SA configuration.
> No you don't have a 100% stock config. There are at least two
> differences relevant to the message you posted:
>
> 1) you have the SARE STOCKS ruleset. LW_STOCK_SPAM4 is NOT a stock
> spamassassin rule. It's part of an add-on ruleset, not a stock SA
> feature.
>
>> Why do I need a custom rule to work around an FP in the ruleset?
> See above.

It's really hard not to be really annoyed with this answer.  What
kind of nonsense did you think my question was?

If LW_STOCK_SPAM is a SARE RULE, then I am requesting a revision to
the SARE rule.  Why on the gods green earth would you assume that I
wanted a fix in the base distribution for a SARE rule?


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





RE: Re[2]: More stock spam + strange cf files

2007-02-09 Thread Chris Santerre
> >> 
> >> These guys are just rolling in scott free except for bayes.
> >> See http://2chronicles36.org/stock.txt
> >> 
> >> I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf & KAM.cf
> >> 
> >
> >I must say, that a pretty well done spam. Whoever wrote it put some
> thought
> >into the phrasing. This one might take a bit. The wording is 
> gonna be hard
> >to tag. 
> >
> >--Chris
> 
> 
> Pardon my ignorance here, but it is full of mis-spellings and 
> phrases that
> you wouldn't normally see, so why not just hit those?
> "aid you to know"
> "C O S T"
> "brroker"
> "ama zing"
> 
> Peter

Because if people learn anything from my posts, it's that there are always
new ways to horribly misspell words! ;) 

Search for "C O S T" today, and tomorrow it's "C,O,S,T". Search for
/c.?o.?s.?t.?/i and you FP on "CLOSET"

Tagging spam is more of an art than an exact science. Well...more of an
artistic science without the pretty colors and swimsuit
models...when the hell are we gonna see some antispam swimsuit models...oh
that's a bit sexist... well not really...I suppose we could have male models
as well...Justin is pretty sexy...did I say that out loud...maybe no one
will notice.. swimsuit models.

--Chris
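
The trade-off described in the message above, as an added example that is not part of the original post: it runs the exact phrase, the loose `/c.?o.?s.?t.?/i` pattern, and a tighter variant over a few sample lines and reports what each catches, misses and falsely hits. The sample lines, the labelling of plain "cost" as ham, and the `TIGHT` pattern are assumptions of this example; the constructs used behave the same in Python's `re` as in the Perl regexes SpamAssassin rules use.

```python
import re

# Constructed sample lines: (text, is_obfuscated_spam_token).
SAMPLES = [
    ("C O S T", True),
    ("C,O,S,T", True),
    ("low c.o.s.t shares", True),
    ("c-o-s-t", True),
    ("the CLOSET door", False),
    ("a costly mistake", False),
    ("the cost of living", False),
    ("Costa Rica", False),
]

# Exact phrase: precise, but defeated by changing the separator.
LITERAL = re.compile(r"C O S T")

# The loose pattern quoted in the post: any character may fill each gap.
LOOSE = re.compile(r"c.?o.?s.?t.?", re.I)

# Tighter variant (this example's own choice): gaps may only hold
# non-alphanumeric separators, the token must stand alone as a word,
# and the plainly spelled word is excluded by the negative lookahead.
TIGHT = re.compile(r"\b(?!cost\b)c[\W_]{0,3}o[\W_]{0,3}s[\W_]{0,3}t\b", re.I)


def evaluate(pattern, samples=SAMPLES):
    """Return (caught, missed, false_positives) as lists of sample texts."""
    caught, missed, false_pos = [], [], []
    for text, is_spam in samples:
        hit = pattern.search(text) is not None
        if is_spam:
            (caught if hit else missed).append(text)
        elif hit:
            false_pos.append(text)
    return caught, missed, false_pos


if __name__ == "__main__":
    for name, pat in (("literal", LITERAL), ("loose", LOOSE), ("tight", TIGHT)):
        caught, missed, false_pos = evaluate(pat)
        print(f"{name:8} caught={len(caught)} missed={len(missed)} "
              f"false positives={false_pos}")
```

The tight pattern still only covers separator-based obfuscation of one word; letter substitutions and doubled letters such as "brroker" need different handling.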


RE: Spam filtering on SA list?

2007-02-09 Thread Bowie Bailey
John D. Hardin wrote:
> On Fri, 9 Feb 2007, Bowie Bailey wrote:
> 
> > This has been discussed a few times.  The short version is that
> > this list is hosted by apache.org.  They spam scan posts to their
> > mailing lists and they aren't interested in making changes to
> > accommodate a single list.
> 
> Fair enough.
> 
> > The net result is that if you want to include a spam sample, you
> > need to put it on a web server and link to it.  If you want to
> > refer to a spammy url, alter it so the url blacklists don't catch
> > it.
> 
> That's what puzzles me - there was no spam sample, just regular
> discussion.

If their rejection didn't specify hits, you can always take your
message, run it through SA and see what it hits.

Alternately, send it directly to me and I'll let you know what it hits
on my system.

-- 
Bowie


RE: Spam filtering on SA list?

2007-02-09 Thread John D. Hardin
On Fri, 9 Feb 2007, Bowie Bailey wrote:

> This has been discussed a few times.  The short version is that
> this list is hosted by apache.org.  They spam scan posts to their
> mailing lists and they aren't interested in making changes to
> accommodate a single list.

Fair enough.

> The net result is that if you want to include a spam sample, you
> need to put it on a web server and link to it.  If you want to
> refer to a spammy url, alter it so the url blacklists don't catch
> it.

That's what puzzles me - there was no spam sample, just regular 
discussion.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference is that Unix has had thirty years of technical
  types demanding basic functionality of it. And the Macintosh has
  had fifteen years of interface fascist users shaping its progress.
  Windows has the hairpin turns of the Microsoft marketing machine
  and that's all.    -- Red Drag Diva
---
 3 days until Abraham Lincoln's and Charles Darwin's 198th Birthdays



RE: Spamassassin does block some email

2007-02-09 Thread Rocco Scappatura
> > Speaking of ninjas one slipped in here and whispered in my ear that 
> > the original problem rocsca had might benefit from the anti 
> drug rules 
> > on the SARE web site. He should read the various rule set 
> descriptions 
> > and pick those which fit his situation best.
> 
> Fine! I agree with you!! But I can't figure out what SARE 
> rules I I have to use to block that email that SA does not block..
> 
> Moreover, could I update it with rules_du_jour?
> 
> PS: I have the following conf for rules_du_jour..
> 
> TRUSTED_RULESETS="TRIPWIRE RANDOMVAL BOGUSVIRUS";

Maybe I have to use 70_sare_obfu*.cf ruleset files?

It seems to me that my SA configuration doesn't load them.. In fact I
have only these cf files other than in the SA dir (/etc/mail/spamassassin):

path_to_SA/10_misc.cf
path_to_SA/20_advance_fee.cf
path_to_SA/20_anti_ratware.cf
path_to_SA/20_body_tests.cf
path_to_SA/20_compensate.cf
path_to_SA/20_dnsbl_tests.cf
path_to_SA/20_drugs.cf
path_to_SA/20_fake_helo_tests.cf
path_to_SA/20_head_tests.cf
path_to_SA/20_html_tests.cf
path_to_SA/20_meta_tests.cf
path_to_SA/20_net_tests.cf
path_to_SA/20_phrases.cf
path_to_SA/20_porn.cf
path_to_SA/20_ratware.cf
path_to_SA/20_uri_tests.cf
path_to_SA/23_bayes.cf
path_to_SA/25_accessdb.cf
path_to_SA/25_antivirus.cf
path_to_SA/25_body_tests_es.cf
path_to_SA/25_body_tests_pl.cf
path_to_SA/25_dcc.cf
path_to_SA/25_dkim.cf
path_to_SA/25_domainkeys.cf
path_to_SA/25_hashcash.cf
path_to_SA/25_pyzor.cf
path_to_SA/25_razor2.cf
path_to_SA/25_replace.cf
path_to_SA/25_spf.cf
path_to_SA/25_textcat.cf
path_to_SA/25_uribl.cf

PS: What other cf files are worth using without overloading the server?

BR,

rocsca


Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread SM

At 01:00 09-02-2007, Loren Wilton wrote:
> Now, that said, the forwarded Blackberry message you posted would
> not have hit the rule in the first place, unless someone took my
> original rule and modified it.  So you not only don't have a
> standard config, you have apparently locally-modified versions of
> rules you have picked up elsewhere. And it is that locally-modified
> rule that is hitting on your Blackberry messages.


Blackberry messages will hit the LW_STOCK_SPAM4 rule.  There is 
nothing wrong with the LW_STOCK_SPAM4 rule as such.  The overall 
score in a standard configuration with that rule added averages 
around two points.  It shouldn't cause any false positives as the score is low.


Regards,
-sm 



RE: Spamassassin does block some email

2007-02-09 Thread Rocco Scappatura
> Speaking of ninjas one slipped in here and whispered in my 
> ear that the original problem rocsca had might benefit from 
> the anti drug rules on the SARE web site. He should read the 
> various rule set descriptions and pick those which fit his 
> situation best.

Fine! I agree with you!! But I can't figure out what SARE rules I have
to use to block that email that SA does not block..

Moreover, could I update it with rules_du_jour?

PS: I have the following conf for rules_du_jour..

TRUSTED_RULESETS="TRIPWIRE RANDOMVAL BOGUSVIRUS";

BR,

rocsca


Re[2]: More stock spam + strange cf files

2007-02-09 Thread Peter Nitschke
On 9/02/2007 at 10:06 AM Chris Santerre wrote:

>> -Original Message-
>> From: Andy Figueroa [mailto:[EMAIL PROTECTED]
>> Sent: Friday, February 09, 2007 9:31 AM
>> To: SpamAssassin Users List
>> Subject: More stock spam + strange cf files
>> 
>> 
>> These guys are just rolling in scott free except for bayes.
>> See http://2chronicles36.org/stock.txt
>> 
>> I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf & KAM.cf
>> 
>
>I must say, that a pretty well done spam. Whoever wrote it put some
thought
>into the phrasing. This one might take a bit. The wording is gonna be hard
>to tag. 
>
>--Chris


Pardon my ignorance here, but it is full of mis-spellings and phrases that
you wouldn't normally see, so why not just hit those?
"aid you to know"
"C O S T"
"brroker"
"ama zing"

Peter




RE: More stock spam + strange cf files

2007-02-09 Thread Chris Santerre


> -Original Message-
> From: Andy Figueroa [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 09, 2007 9:31 AM
> To: SpamAssassin Users List
> Subject: More stock spam + strange cf files
> 
> 
> These guys are just rolling in scott free except for bayes.
> See http://2chronicles36.org/stock.txt
> 
> I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf & KAM.cf
> 

I must say, that's a pretty well done spam. Whoever wrote it put some thought
into the phrasing. This one might take a bit. The wording is gonna be hard
to tag. 

--Chris


Re: More stock spam + strange cf files

2007-02-09 Thread Matt Kettler
Andy Figueroa wrote:
> These guys are just rolling in scott free except for bayes.
> See http://2chronicles36.org/stock.txt
>
> I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf & KAM.cf
>
> Oops, I just found the following in my /etc/mail/spamassassin
> directory, and I don't know where they came from:
>
> tripwire.cf
> random.cf
> bogus-virus-warnings.cf
> antidrug.cf
Probably an old version of RDJ. That said, don't use Antidrug with
versions of SA newer than 2.64. (I'm the author of this ruleset, and I
contributed it as a part of the standard rules for 3.0.0 and higher)

>
> I'm running Gentoo, and I did emerge and unmerge SARE as a test around
> the time that these are dated.  Are these left overs?  They don't seem
> to be doing any harm that I can tell, but should I delete or keep them?

For antidrug, delete it. It's got the potential to do harm by
over-writing part of the standard ruleset with older versions.
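
One way to check for the overwrite risk described in the reply above, as an added example that is not from the thread or the SpamAssassin project: it lists rule names that a local `.cf` file defines again after a stock file already defined them, and whether the local definition differs. Only the filenames `20_drugs.cf` and `antidrug.cf` come from this thread; the rule names and file contents are constructed, and in practice the two dictionaries would be filled by reading the stock rules directory and `/etc/mail/spamassassin`.

```python
import re

# SpamAssassin directives that define a test: "<type> NAME <definition>".
RULE_DEF = re.compile(r"^(header|body|rawbody|full|uri|meta)\s+(\w+)\s+(\S.*)$")

# Constructed stand-ins for file contents (filename -> text).
STOCK = {"20_drugs.cf": r"""
# constructed stand-in for a current stock rule file
body  EXAMPLE_DRUG_A     /\bnewer pattern one\b/i
body  EXAMPLE_DRUG_B     /\bpattern two\b/i
meta  EXAMPLE_DRUG_META  (EXAMPLE_DRUG_A && EXAMPLE_DRUG_B)
"""}

LOCAL = {
    "antidrug.cf": r"""
# constructed stand-in for a leftover add-on file
body EXAMPLE_DRUG_A /\bolder pattern one\b/i
body EXAMPLE_DRUG_B /\bpattern two\b/i
score EXAMPLE_DRUG_A 2.0
""",
    "local.cf": "body EXAMPLE_LOCAL_ONLY /\\bsite specific\\b/i\n",
}


def rule_definitions(text):
    """Return {rule_name: (type, definition)} for one .cf file's text."""
    defs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_DEF.match(line)
        if match:
            kind, name, definition = match.groups()
            defs[name] = (kind, definition)
    return defs


def find_overrides(stock_files, local_files):
    """List (rule, stock_file, local_file, identical) for redefined rules."""
    stock = {}
    for fname, text in stock_files.items():
        for name, definition in rule_definitions(text).items():
            stock[name] = (fname, definition)
    findings = []
    for fname, text in local_files.items():
        for name, definition in rule_definitions(text).items():
            if name in stock:
                stock_file, stock_def = stock[name]
                findings.append((name, stock_file, fname, definition == stock_def))
    return sorted(findings)


if __name__ == "__main__":
    for rule, stock_file, local_file, same in find_overrides(STOCK, LOCAL):
        state = "identical" if same else "DIFFERENT definition"
        print(f"{rule}: {stock_file} redefined in {local_file} ({state})")
```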



More stock spam + strange cf files

2007-02-09 Thread Andy Figueroa

These guys are just rolling in scot-free except for bayes.
See http://2chronicles36.org/stock.txt

I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf & KAM.cf

Oops, I just found the following in my /etc/mail/spamassassin directory, 
and I don't know where they came from:


tripwire.cf
random.cf
bogus-virus-warnings.cf
antidrug.cf

I'm running Gentoo, and I did emerge and unmerge SARE as a test around 
the time that these are dated.  Are these left overs?  They don't seem 
to be doing any harm that I can tell, but should I delete or keep them?


Andy Figueroa


RE: Spam filtering on SA list?

2007-02-09 Thread Bowie Bailey
John D. Hardin wrote:
> WTF, over?
> 
> On Thu, 8 Feb 2007, Mail Delivery Subsystem wrote:
> 
> > Date: Thu, 8 Feb 2007 12:55:22 -0800
> > From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Returned mail: see transcript for details
> > 
> > The original message was received at Thu, 8 Feb 2007 12:54:58 -0800
> > from localhost [127.0.0.1] 
> > 
> >- The following addresses had permanent fatal errors -
> > 
> > (reason: 552 spam score (10.0) exceeded threshold)
> > 
> >- Transcript of session follows -
> > ... while talking to herse.apache.org.:
> > > > > DATA
> > <<< 552 spam score (10.0) exceeded threshold
> > 554 5.0.0 Service unavailable
> 
> The message was in reply to Ramprasad's "Nuisance stock spams" email.

This has been discussed a few times.  The short version is that this
list is hosted by apache.org.  They spam scan posts to their mailing
lists and they aren't interested in making changes to accommodate a
single list.

The net result is that if you want to include a spam sample, you need to
put it on a web server and link to it.  If you want to refer to a spammy
url, alter it so the url blacklists don't catch it.

-- 
Bowie


Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Chris Lear
* Loren Wilton wrote (08/02/07 19:46):
>> As for LW_STOCK_SPAM4, it's being triggered by the fact that the message
>> is base-64 encoded text AND has a Date: header that's missing a proper
>> timezone. Apparently a batch of stock spam went out at some point with
>> both of these abnormal features. I have to admit, it's a pretty rare
>> combination.
>>
>>> Date: February 6, 2007 9:52:29 AM PST
>>
>> That should, properly, should read something like this:
>>   Date: Wed, 06 Feb 2007 09:52:29 -0800
> 
> Actually LW_STOCK_SPAM4 was written on 02/19/2006, and is looking for a 
> Base64 encoded message that has a valid timezone that is specifically 
> "\s\+", not an invalid time zone.
> 
> Internally I have it scored at 5 points and haven't had a problem with it, 
> but people don't send me messages from Blackberrys.
> 
> I suppose a blackberry might not have a clock so send all messages as though 
> they came from London regardless of where they are.  That would somewhat 
> surprise me, since cell phones certainly know where they are and what time 
> it is.  But if Verizon is involved then it is certainly possible that the 
> software has been deliberately crippled in a number of ways, and creating a 
> proper date header might be one of those deliberate malfunctions.


Just to confirm that this unmodified rule does hit some legit blackberry
e-mail, here's an example (apologies for the obfuscation, but I've only
messed with addresses. It's not my e-mail):

Return-path: 
Envelope-to: 
Delivery-date: Wed, 07 Feb 2007 17:21:42 +
Received: from smtp02.bis.eu.blackberry.com ([216.9.253.49])
by mail.barcombe.net with esmtp (Exim 4.63)
(envelope-from )
id 1HEqUG-0008Ku-IV
for my wife's address; Wed, 07 Feb 2007 17:21:41 +
Message-ID:
<[EMAIL PROTECTED]>
Content-Transfer-Encoding: base64
Reply-To: the sender
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Sensitivity: Normal
Importance: Normal
To: "My Wife" 
Subject: Re: 25th august
From: the sender
Date: Wed, 7 Feb 2007 17:22:58 +
Content-Type: text/plain; charset="Windows-1252"
MIME-Version: 1.0
X-AntiVirus: Clean
X-Spam-Score: 2.1
X-Spam-Level: ++
X-Spam-Report: Barcombe.net spam report: Score = 2.1.
Tests=BAYES_00=-2.599,LW_STOCK_SPAM4=1.66,MIME_BASE64_NO_NAME=0.224,MIME_BASE64_TEXT=1.885,NO_REAL_NAME=0.961

A bit of grepping suggests that LW_STOCK_SPAM4 has hit 5 ham and 3 spam
(all scoring 20+) on that server since about November. So its usefulness
is perhaps questionable. Normal disclaimer applies: this is only one
low-traffic server. I live in the UK which might make the + timezone
more likely.

[Also see the thread "Blackberry email"]

Chris (whose mail from blackberries has all been received OK)


Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Matt Kettler
Loren Wilton wrote:
>
>
> Now, that said, the forwarded Blackberry message you posted would not
> have hit the rule in the first place, unless someone took my original
> rule and modified it.  So you not only don't have a standard config,
> you have apparently locally-modified versions of rules you have picked
> up elsewhere. And it is that locally-modified rule that is hitting on
> your Blackberry messages.
Wow.. you're right Loren, LW_STOCK_SPAM4 should not have hit.

I just assumed the __RATWARE_0_TZ_DATE half was picking up on the lack
of a valid timezone. It's looking for the timezone to literally  be
"+", which it is not.

I over-looked that entirely.

Jo, can you check your copy of this rule? The relevant bits should be:

header    __RATWARE_0_TZ_DATE  Date =~ /\s\+$/

meta      LW_STOCK_SPAM4  __RATWARE_0_TZ_DATE && MIME_BASE64_TEXT
score     LW_STOCK_SPAM4  1.66
describe  LW_STOCK_SPAM4  Yup, its a spam!






Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Matt Kettler
Jo Rhett wrote:
>
> Again, I have a 100% stock SA configuration. 
No you don't have a 100% stock config. There are at least two
differences relevant to the message you posted:

1) you have the SARE STOCKS ruleset. LW_STOCK_SPAM4 is NOT a stock
spamassassin rule. It's part of an add-on ruleset, not a stock SA feature.
2) you have a lower threshold.

In a stock configuration, this message would have scored 2.574, and been
substantially less than 5.0. This is NOT a FP in the stock SA configuration.

> Why do I need a custom rule to work around an FP in the ruleset? 
See above.


Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Nick Leverton
On Friday 09 February 2007 09:00, Loren Wilton wrote:
> > Jo Rhett wrote:
>  As for LW_STOCK_SPAM4, it's being triggered by the fact that the
>  message

> No you don't.  I wrote that rule.  That's why it starts with my
> initials.  I didn't submit it to SA, and while I think it exists in SARE
> rules, it almost undoubtedly has a "SARE_" prefix in that rule set.

It's in 70_sare_stocks under the plain LW_ name.

Nick


Re: Re: Drug Spam

2007-02-09 Thread Nick Leverton
On Thursday 08 February 2007 15:21, Ben Wylie wrote:
> As I understand it, these undefined dependencies are errors where a meta
> rule has been written to depend on another rule, which does not exist.
> These don't have catastrophic consequences, it just means that rule may
> not be effective.

Google suggests these rules were once in the FVGT ruleset, this is what the 
FM_ ones looked like:

meta      FM_NO_TO           (!__MY_TO)
describe  FM_NO_TO           Message is missing To
score     FM_NO_TO           0.001
meta      FM_NO_FROM_OR_TO   (!__MY_FROM && !__MY_TO)
describe  FM_NO_FROM_OR_TO   Message is missing From and To
score     FM_NO_FROM_OR_TO   0.001

I don't have a copy of __URIBL_ANY anywhere but I don't think it's 
necessary, since KAM's rules that use it also name each individual URIBL 
as well.


Nick


Re: complete false hits for BASE64 and LW_STOCK_SPAM4

2007-02-09 Thread Loren Wilton

Jo Rhett wrote:


As for LW_STOCK_SPAM4, it's being triggered by the fact that the 
message

In the standard config? No.. It's not a FP in the standard config, so
there's no reason to modify it.


Can you explain how this isn't an FP in the standard config?  There's 
absolutely nothing custom about my config, so what "standard" are you 
applying here?


Again, I have a 100% stock SA configuration.  Why do I need a custom rule 
to work around an FP in the ruleset?



No you don't.  I wrote that rule.  That's why it starts with my initials.  I 
didn't submit it to SA, and while I think it exists in SARE rules, it almost 
undoubtedly has a "SARE_" prefix in that rule set.


So no, you DO NOT have a standard config, no matter what you may think.

Now, that said, the forwarded Blackberry message you posted would not have 
hit the rule in the first place, unless someone took my original rule and 
modified it.  So you not only don't have a standard config, you have 
apparently locally-modified versions of rules you have picked up elsewhere. 
And it is that locally-modified rule that is hitting on your Blackberry 
messages.


   Loren