He's back
[EMAIL PROTECTED] I'm VERY close to blocking anything from saudihub at all. {^_^}
Reporting spam with Spmassassin-run instead of sa-learn
At the moment I run sa-learn for learning new messages as spam/ham. The problem with this is that it just reports to bayes, not razor2, pyzor, dcc or spamcop. It is stated in the spamassassin-run manual that spamassassin-run is for reporting to these places, and to use sa-learn only if I want to report to bayes locally. My problem is that I use a DB for user preferences and different bayes DBs for every user. This works with sa-learn by specifying -u username, but I can't seem to find this option in the spamassassin command. It defaults as root for me. So basically, I want to run the spamassassin --revoke/--report commands as a specific username. How can I do that? -- View this message in context: http://www.nabble.com/Reporting-spam-with-Spmassassin-run-instead-of-sa-learn-tf4165350.html#a11850845 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
SA will segv on forged DomainKeys sig
Heads up to amavisd-new users: lots of emails in mailq, stuck at 127.0.0.1:

B18A1524C2D 27169 Sat Jul 28 15:50:18 [EMAIL PROTECTED]
(lost connection with 127.0.0.1[127.0.0.1] while sending end of data -- message may be sent more than once)
[EMAIL PROTECTED]

SpamAssassin users, maybe same thing, not sure if spamd would segv.

Not sure where to start on this, if SA should not even pass the key to DKIM plugin (or mark it trashed and drop it) or maybe have clamav mark it as a virus first? Or if this is a bug in Mail-DKIM?

I found several systems, running SA 3.2.1, and Mail-DKIM.pm .26 that will SEGV on a forged DomainKeys signature. (sample email available upon request)

Run email through spamassassin -t, get this:

spamassassin -t sample.eml
[54400] warn: Premature end of base64 data at /usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm line 86.
[54400] warn: Premature padding of base64 data at /usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm line 86.

Spamassassin -tL file (because it only does local tests)

Forged DomainKeys:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-YMail-OSG:Message-ID:Reply-To:From:To:References:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE; b=7e82t8HLAQ0qfIC5km5S508y4E7i95SO0lvW9PSA1Z15PuY223b5fHH1W4P9whTcIcS2S6 K7ZM34 Uc96rMowPL81M64g1wdmNPF4w47UC6l0S4A93rI13Ma8JK6Gw62ItYBgr6O5lr2WRrw6M6V9 XqMvXdw4 5uxAKTERTph61= ;

(note the \s\s; gap at end? I don't think DomainKey signatures have a \s\s; at end (not real ones))

And, no, it didn't come from yahoo, but is forged to look like it did.

Received: from c.mx.mail.yahoo.com (unknown [116.217.231.217]) by GSNJSPT01.galaxy.lan (Postfix) with ESMTP id 82BA9524C26

-- Michael Scheidell, CTO http://www.secnap.com/events for free and discounted seminar tickets _ This email has been scanned and certified safe by SpammerTrap(tm). For Information please see http://www.spammertrap.com _
Re: Reporting spam with Spmassassin-run instead of sa-learn
Martin Schütte wrote:
> Magnus Anderson wrote:
>> So basically, I want to run the spamassassin --revoke/--report commands as a specific username. How can I do that?
> man su
> For example:
> su vscan -c "spamassassin --report ${train_dir_sa_spam}/*"
> (Make sure the user has permission to read the mails.)

The user is not existing on the system itself, just inside CommuniGate that I run. When I run now I run like
sa-learn --spam --no-sync -u [EMAIL PROTECTED] /system-path-to-mbox
Sorry if I wasn't explaining myself correctly.
Re: Reporting spam with Spmassassin-run instead of sa-learn
Magnus Anderson wrote:
> So basically, I want to run the spamassassin --revoke/--report commands as a specific username. How can I do that?

man su
For example:
su vscan -c "spamassassin --report ${train_dir_sa_spam}/*"
(Make sure the user has permission to read the mails.)

-- Martin
RE: [AMaViS-user] SA will segv on forged DomainKeys sig
Followup to my post: I upgraded all the dependencies and while it still complains, SA no longer Segv's

drwxr-xr-x 2 root wheel 512 Jul 29 09:13 p5-Digest-SHA-5.45
drwxr-xr-x 2 root wheel 512 Jul 29 09:13 p5-Crypt-OpenSSL-RSA-0.25
drwxr-xr-x 2 root wheel 512 Jul 29 09:13 p5-Crypt-OpenSSL-Bignum-0.04
drwxr-xr-x 2 root wheel 512 Jul 29 09:13 p5-Crypt-OpenSSL-Random-0.04

I will try to see which one of these fixed it and submit it to Jason Long as a dependency. If anyone wants to try my sample email, let me know and I'll zip and send it to you.

-- Michael Scheidell, CTO SECNAP Network Security Corporation
Re: [AMaViS-user] SA will segv on forged DomainKeys sig
On 29.07.07 09:29, Michael Scheidell wrote:
> Followup to my post: I upgraded all the dependencies and while it still complains, SA no longer Segv's

I'd say it should score, not complain about forged domainkeys signature :)

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
It's now safe to throw off your computer.
Re: How to manage spam scores?
On 27.07.07 11:42, Justin Kim wrote:
> I am using amavisd-new which uses spamassassin with postfix+mysql setup. Amavisd-new is scanning messages and is reinjecting messages to postfix through smtp. I would like to know how can I manage spam scores so that certain domain like yahoo.com gets lower score. My user requested that there are false positive when it is sent from specific yahoo.com account.

If that's from specific yahoo account, then probably owner of the account does something wrong. I'd look at the score to inspect the problem itself.

Then, user can do whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com, which is a bit safer than pure whitelisting of from address. Unluckily, yahoo seems not to run SPF, which would make such whitelist even safer.

Or maybe the user from specific account is sending from different servers than yahoo's, which may cause the problem (if those are listed in RBL's)

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
Re: How to manage spam scores?
On Jul 29, 2007, at 7:41 AM, Matus UHLAR - fantomas wrote:
> Then, user can do whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com, which is a bit safer than pure whitelisting of from address. Unluckily, yahoo seems not to run SPF, which would make such whitelist even more safer.

I was thinking that yahoo.com was already whitelisted by SpamAssassin but all I found was:

60_whitelist.cf
def_whitelist_from_rcvd [EMAIL PROTECTED]yahoo-inc.com
def_whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com

Shouldn't the second line leave out the -inc part to whitelist Y! ?

This copy of the cf file is from /var/mail/spamassassin/3.002002/updates_spamassassin_org
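Added example, not part of the thread and not SpamAssassin's own code: a simplified Python model of why whitelist_from_rcvd is safer than whitelisting the From address alone, as the reply above says. The rule address (`*@yahoo.com`), the sample messages and the function names are constructed assumptions; the model only checks that the delivering relay's rDNS is the listed domain or a subdomain of it.

```python
import fnmatch

# Constructed rule: the address in the thread is redacted, so "*@yahoo.com" is assumed.
RULE = "whitelist_from_rcvd *@yahoo.com yahoo.com"

def parse_rule(line):
    """Split 'whitelist_from_rcvd <address-glob> <relay-rdns-domain>'."""
    keyword, addr_glob, rdns_domain = line.split()
    if keyword not in ("whitelist_from_rcvd", "def_whitelist_from_rcvd"):
        raise ValueError("unsupported rule: %r" % line)
    return addr_glob.lower(), rdns_domain.lower()

def from_only_match(rule, from_addr):
    """Plain From whitelisting: only the (forgeable) header is compared."""
    addr_glob, _ = parse_rule(rule)
    return fnmatch.fnmatchcase(from_addr.lower(), addr_glob)

def from_rcvd_match(rule, from_addr, relay_rdns):
    """From must match AND the delivering relay's rDNS must be the listed
    domain or a subdomain of it (label boundary, not a substring test)."""
    _, rdns_domain = parse_rule(rule)
    if not from_only_match(rule, from_addr):
        return False
    rdns = (relay_rdns or "").lower().rstrip(".")
    return rdns == rdns_domain or rdns.endswith("." + rdns_domain)

# Constructed messages: (From address, rDNS of the relay that delivered to us)
SAMPLES = [
    ("alice@yahoo.com", "web52.mail.yahoo.com"),  # sent through the provider
    ("alice@yahoo.com", None),                    # forged From, relay has no rDNS
    ("alice@yahoo.com", "mx.notyahoo.com"),       # look-alike suffix
    ("alice@yahoo.com", "smtp.yahoo-inc.com"),    # a different domain
]

def evaluate(rule=RULE, samples=SAMPLES):
    """Return (from-only verdict, from+rcvd verdict) for each sample."""
    return [(from_only_match(rule, f), from_rcvd_match(rule, f, r))
            for f, r in samples]

if __name__ == "__main__":
    for (f, r), (plain, rcvd) in zip(SAMPLES, evaluate()):
        print("%-16s relay=%-22s from-only=%-5s from+rcvd=%s" % (f, r, plain, rcvd))
```

The relay rDNS is only meaningful when it is taken from a Received header written by a host you trust, which is why the trusted relay configuration has to be correct for this kind of rule to help.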
SOLVED: Re: SA/DKIM will segv on forged DomainKeys sig
This version of Crypt-OpenSSL-RSA is needed: p5-Crypt-OpenSSL-RSA=0.24

this won't work: p5-Crypt-OpenSSL-RSA-0.23_1

su vscan -c "spamassassin -t sample.eml"
[650] warn: Premature end of base64 data at /usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm line 86.
[650] warn: Premature padding of base64 data at /usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm line 86.
Segmentation fault

I will submit a patch to freebsd ports to include dependency for p5-Mail-DKIM, and cc'd Jason Long (CPAN maintainer of Mail-DKIM).

if anyone wants a copy of the email with for broke DomainKeys, let me know. (or see below for 'that line', yes, it has two CWS and a ; at end of it!)

I also have the SA 3.22 freebsd ports ready to test (and it has the above minimum dependency), anyone needing the freebsd 3.2.2 SA port pkg let me know.

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:X-YMail-OSG:Message-ID:Reply-To:From:To:References:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE; b=7e82t8HLAQ0qfIC5km5S508y4E7i95SO0lvW9PSA1Z15PuY223b5fHH1W4P9whTcIcS2S6K7ZM34Uc96rMowPL81M64g1wdmNPF4w47UC6l0S4A93rI13Ma8JK6Gw62ItYBgr6O5l r2WRrw6M6V9XqMvXdw45uxAKTERTph61= ;
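Added example, not part of the thread and not Mail::DKIM's code: a Python pre-check that a mail gateway could run on the b= tag of a DomainKey-Signature header, so that a malformed base64 signature like the one reported above is rejected or scored before it reaches signature-verification code. The header values are constructed (d=example.com, a generated signature) and the function names are hypothetical.

```python
import base64
import binascii
import re

def parse_tag_list(value):
    """Split a 'tag=value; tag=value' signature header body into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def check_b_tag(header_value):
    """Return (ok, reason) for the b= tag, without calling any crypto code."""
    raw = parse_tag_list(header_value).get("b")
    if raw is None:
        return False, "no b= tag"
    b64 = re.sub(r"\s+", "", raw)  # folding whitespace inside b= is legal
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        return False, "empty value, illegal character or misplaced padding"
    if len(b64) % 4:
        return False, "length %d is not a multiple of 4" % len(b64)
    try:
        sig = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        return False, "decode failed: %s" % exc
    return True, "%d-byte signature" % len(sig)

# Constructed values: a well-formed 128-byte signature, and the same value with
# two characters dropped before the padding and a gap before the final ';'.
_GOOD_B = base64.b64encode(bytes(range(128))).decode()
_BAD_B = _GOOD_B[:-3] + "="
PREFIX = "a=rsa-sha1; q=dns; c=nofws; s=s1024; d=example.com; h=From:To:Subject; "
GOOD_HEADER = PREFIX + "b=" + _GOOD_B[:76] + "\r\n " + _GOOD_B[76:] + ";"
BAD_HEADER = PREFIX + "b=" + _BAD_B + "  ;"

if __name__ == "__main__":
    for name, hdr in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(name, check_b_tag(hdr))
```

A check like this does not replace upgrading the affected library; it only keeps obviously malformed input away from it and gives the filter something to score.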
Re: Reporting spam with Spmassassin-run instead of sa-learn
Magnus Anderson wrote:
> At the moment I run sa-learn for learning new messages as spam/ham. The problem with this is that it just reports to bayes, not razor2, pyzor, dcc or spamcop. It is stated in the spamassassin-run manual that spamassassin-run is for reporting to these places, and to use sa-learn only if I want to report to bayes locally. My problem is that I use a DB for user preferences and different bayes DBs for every user. This works with sa-learn by specifying -u username, but I can't seem to find this option in the spamassassin command. It defaults as root for me. So basically, I want to run the spamassassin --revoke/--report commands as a specific username. How can I do that?

su -c username spamassassin --revoke...
Re: Reporting spam with Spmassassin-run instead of sa-learn
Matt Kettler wrote:
> Magnus Anderson wrote:
>> At the moment I run sa-learn for learning new messages as spam/ham. The problem with this is that it just reports to bayes, not razor2, pyzor, dcc or spamcop. It is stated in the spamassassin-run manual that spamassassin-run is for reporting to these places, and to use sa-learn only if I want to report to bayes locally. My problem is that I use a DB for user preferences and different bayes DBs for every user. This works with sa-learn by specifying -u username, but I can't seem to find this option in the spamassassin command. It defaults as root for me. So basically, I want to run the spamassassin --revoke/--report commands as a specific username. How can I do that?
> su -c username spamassassin --revoke...

Erk, that should be
su username -c "spamassassin --revoke.."
Pardon my error.
How would you provide a 554 rejection notice for spam?
I've recently put SpamAssassin in front of my Exchange server as an SMTP proxy. Our previous spam filter would provide a 554 rejection notice for anything that was identified as spam. This meant that any FP would be notified so that email would not get silently ignored. Although a rejection notice was sent, we still retained the spam. This meant that when our users got a call from their customer about the rejected spam, they could quickly locate the message without it having to be resent. I would like to continue doing this with the new SA/Exchange setup. Right now I use spampd but I would like to change to Sendmail just because it is part of the default install for Redhat. How would you go about providing a 554 rejection notice? Would you do it on the SMTP proxy? On Exchange? Would you use Sendmail? Postfix? Something else?
sa v32x + Mail::SPF are installed; Mail::SPF::Query still required. really, or typo?
i've sa v32-branch, r560837 installed.

i have perl 588 + Mail::SPF installed,

  module_info Mail::SPF
  Name:Mail::SPF
  Version: v2.005
  ...

but NOT Mail::SPF::Query.

reading @ SA/INSTALL,

  Either of Mail::SPF or Mail::SPF::Query can be used but Mail::SPF is preferred as it is the current reference implementation for RFC 4408.

and comments here,

  http://www.gossamer-threads.com/lists/spf/devel/31745

i understand that M::S::Q is *no longer* required.

but, on --lint, i note,

  ...
  [470] dbg: diag: module installed: Mail::SPF, version v2.005
  [470] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
  ...

other than the above mention of failed, all tests/finishes ok.

the 'require' failed originates @ ./lib/Mail/SpamAssassin/Util/DependencyInfo.pm

  ...
  foreach my $moddef (@MODULES, @OPTIONAL_MODULES) {
    my $module = $moddef->{module};
    my $modver;
    if (eval ' require '.$module.'; $modver = $'.$module.'::VERSION; 1;') {
      $modver ||= '(undef)';
      $out .= "module installed: $module, version $modver\n";
    } else {
      $out .= "module not installed: $module ('require' failed)\n";
    }
  ...

but it's not immediately clear to me if M::S::Q *is* a *required* dependency anywhere else ... or just a typo.

clarification?

thanks.
Re: How would you provide a 554 rejection notice for spam?
If you're running sendmail, then spamass-milter is the way to go.

On Sun, 29 Jul 2007, dalchri wrote:
> I've recently put SpamAssassin in front of my Exchange server as an SMTP proxy. Our previous spam filter would provide a 554 rejection notice for anything that was identified as spam. This meant that any FP would be notified so that email would not get silently ignored. Although a rejection notice was sent, we still retained the spam. This meant that when our users got a call from their customer about the rejected spam, they could quickly locate the message without it having to be resent. I would like to continue doing this with the new SA/Exchange setup. Right now I use spampd but I would like to change to Sendmail just because it is part of the default install for Redhat. How would you go about providing a 554 rejection notice? Would you do it on the SMTP proxy? On Exchange? Would you use Sendmail? Postfix? Something else?

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
Re: How would you provide a 554 rejection notice for spam?
dalchri wrote:
> I've recently put SpamAssassin in front of my Exchange server as an SMTP proxy. Our previous spam filter would provide a 554 rejection notice for anything that was identified as spam. This meant that any FP would be notified so that email would not get silently ignored. Although a rejection notice was sent, we still retained the spam. This meant that when our users got a call from their customer about the rejected spam, they could quickly locate the message without it having to be resent. I would like to continue doing this with the new SA/Exchange setup. Right now I use spampd but I would like to change to Sendmail just because it is part of the default install for Redhat. How would you go about providing a 554 rejection notice? Would you do it on the SMTP proxy? On Exchange? Would you use Sendmail? Postfix? Something else?

a milter from sendmail, provided you wish to stick with sendmail. mimedefang springs to mind, but I have no experience with it.
Re: How would you provide a 554 rejection notice for spam?
> dalchri wrote:
>> I've recently put SpamAssassin in front of my Exchange server as an SMTP proxy. Our previous spam filter would provide a 554 rejection notice for anything that was identified as spam. This meant that any FP would be notified so that email would not get silently ignored. Although a rejection notice was sent, we still retained the spam. This meant that when our users got a call from their customer about the rejected spam, they could quickly locate the message without it having to be resent. I would like to continue doing this with the new SA/Exchange setup. Right now I use spampd but I would like to change to Sendmail just because it is part of the default install for Redhat. How would you go about providing a 554 rejection notice? Would you do it on the SMTP proxy? On Exchange? Would you use Sendmail? Postfix? Something else?
> a milter from sendmail, provided you wish to stick with sendmail. mimedefang springs to mind, but I have no experience with it.

Any idea for qmail?
Re: How would you provide a 554 rejection notice for spam?
On 7/30/2007 1:25 AM, Spamassassin List wrote:
> Any idea for qmail?

use simscan. http://www.inter7.com/simcsan

-- Jeremy Kister http://jeremy.kister.net./