He's back

2007-07-29 Thread jdow

[EMAIL PROTECTED]

I'm VERY close to blocking anything from saudihub at all.

{^_^}


Reporting spam with Spmassassin-run instead of sa-learn

2007-07-29 Thread Magnus Anderson

At the moment I run sa-learn for learning new messages as spam/ham. The
problem with this is that it just reports to bayes, not razor2, pyzor, dcc
or spamcop.

It is stated in the spamassassin-run manual that spamassassin-run is for
reporting to these places, and to use sa-learn only if I want to report to
bayes locally.

My problem is that I use a DB for user preferences and different Bayes DBs
for every user. This works with sa-learn by specifying -u username, but
I can't seem to find this option in the spamassassin command. It defaults as
root for me.

So basically, I want to run the spamassassin --revoke/--report commands as a
specific username. How can I do that?
-- 
View this message in context: 
http://www.nabble.com/Reporting-spam-with-Spmassassin-run-instead-of-sa-learn-tf4165350.html#a11850845
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



SA will segv on forged DomainKeys sig

2007-07-29 Thread Michael Scheidell
Heads up to amavisd-new users:  lots of emails in mailq, stuck at
127.0.0.1:

B18A1524C2D   27169 Sat Jul 28 15:50:18  [EMAIL PROTECTED]
(lost connection with 127.0.0.1[127.0.0.1] while sending end of data --
message may be sent more than once)
 [EMAIL PROTECTED]

SpamAssassin users, maybe same thing, not sure if spamd would segv.

Not sure where to start on this, if SA should not even pass the key to
DKIM plugin (or mark it trashed and drop it) or maybe have clamav mark it
as a virus first? Or if this is a bug in Mail-DKIM?

I found several systems, running SA 3.2.1, and Mail-DKIM.pm .26 that
will SEGV on a forged DomainKeys signature.
(sample email available upon request)

Run email through spamassassin -t, get this:

 spamassassin -t  sample.eml
[54400] warn: Premature end of base64 data at
/usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm
line 86.
[54400] warn: Premature padding of base64 data at
/usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm
line 86.

Spamassassin -tL file (because it only does local tests)

Forged DomainKeys:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Received:X-YMail-OSG:Message-ID:Reply-To:From:To:References:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE;
  b=7e82t8HLAQ0qfIC5km5S508y4E7i95SO0lvW9PSA1Z15PuY223b5fHH1W4P9whTcIcS2S6K7ZM34Uc96rMowPL81M64g1wdmNPF4w47UC6l0S4A93rI13Ma8JK6Gw62ItYBgr6O5lr2WRrw6M6V9XqMvXdw45uxAKTERTph61=  ;

(note the \s\s; gap at end?)

I don't think DomainKey signatures have a \s\s; at end (not real ones)

And, no, it didn't come from yahoo, but is forged to look like it did.

Received: from c.mx.mail.yahoo.com (unknown [116.217.231.217])
by GSNJSPT01.galaxy.lan (Postfix) with ESMTP id 82BA9524C26

-- 
Michael Scheidell, CTO
http://www.secnap.com/events for free and discounted seminar tickets 
_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_
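
The pre-check asked about in the post above (validating the signature before it reaches the crypto code), as an added example that is not part of the original thread and is not SpamAssassin or Mail::DKIM code: a stand-alone Python check of the `b=` tag. The function names, the `expected_len` parameter and the sample headers are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Base64 alphabet, with at most two '=' and only at the very end.
_B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def parse_tags(value):
    """Split a DomainKey-Signature header value into {tag: value}.

    Whitespace inside values is dropped, so folded lines and a gap before
    the closing ';' do not matter.
    """
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signature_problems(value, expected_len=None):
    """Return structural problems with the b= tag; an empty list means well-formed."""
    sig = parse_tags(value).get("b", "")
    if not sig:
        return ["missing or empty b= tag"]
    problems = []
    if not _B64.fullmatch(sig):
        problems.append("invalid character or misplaced padding")
    if len(sig) % 4:
        problems.append("length %d is not a multiple of 4" % len(sig))
    if problems:
        return problems
    try:
        raw = base64.b64decode(sig, validate=True)
    except binascii.Error as exc:
        return ["base64 decode failed: %s" % exc]
    if expected_len is not None and len(raw) != expected_len:
        problems.append("decoded to %d bytes, expected %d" % (len(raw), expected_len))
    return problems


# Constructed sample data (not taken from the thread): 128 arbitrary bytes
# stand in for an RSA-1024 signature; the malformed header truncates that
# value and ends with "=  ;" like the header quoted in the post.
_SIG = base64.b64encode(bytes(range(128))).decode("ascii")
_PREFIX = "a=rsa-sha1; q=dns; c=nofws;\r\n  s=s1024; d=example.com;\r\n  b="
GOOD_HEADER = _PREFIX + _SIG[:76] + "\r\n  " + _SIG[76:] + ";"
BAD_HEADER = _PREFIX + _SIG[:150] + "=  ;"

if __name__ == "__main__":
    for label, hdr in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(label, signature_problems(hdr, expected_len=128) or "ok")
```

A caller could treat a non-empty list as grounds to skip verification and score the message, rather than handing the value to the RSA library.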


Re: Reporting spam with Spmassassin-run instead of sa-learn

2007-07-29 Thread Magnus Anderson



Martin Schütte wrote:
> 
> Magnus Anderson wrote:
>> So basically, I want to run the spamassassin --revoke/--report commands
>> as a specific username. How can I do that?
> 
> man su
> 
> For example: su vscan -c "spamassassin --report ${train_dir_sa_spam}/*"
> (Make sure the user has permission to read the mails.)
> 

The user does not exist on the system itself, just inside CommuniGate that
I run.
When I run it now, I run it like
sa-learn --spam --no-sync -u [EMAIL PROTECTED] /system-path-to-mbox

Sorry if I wasn't explaining myself correctly.




Re: Reporting spam with Spmassassin-run instead of sa-learn

2007-07-29 Thread Martin Schütte
Magnus Anderson wrote:
> So basically, I want to run the spamassassin --revoke/--report commands as a
> specific username. How can I do that?

man su

For example: su vscan -c "spamassassin --report ${train_dir_sa_spam}/*"
(Make sure the user has permission to read the mails.)

-- 
Martin


RE: [AMaViS-user] SA will segv on forged DomainKeys sig

2007-07-29 Thread Michael Scheidell
Followup to my post:

I upgraded all the dependencies and while it still complains, SA no
longer Segv's

drwxr-xr-x  2 root  wheel  512 Jul 29 09:13 p5-Digest-SHA-5.45
drwxr-xr-x  2 root  wheel  512 Jul 29 09:13 p5-Crypt-OpenSSL-RSA-0.25
drwxr-xr-x  2 root  wheel  512 Jul 29 09:13 p5-Crypt-OpenSSL-Bignum-0.04
drwxr-xr-x  2 root  wheel  512 Jul 29 09:13 p5-Crypt-OpenSSL-Random-0.04

I will try to see which one of these fixed it and submit it to Jason
Long as a dependency.
If anyone wants to try my sample email, let me know and I'll zip and
send it to you.

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts:
http://www.secnap.com/news
 


Re: [AMaViS-user] SA will segv on forged DomainKeys sig

2007-07-29 Thread Matus UHLAR - fantomas
On 29.07.07 09:29, Michael Scheidell wrote:
> Followup to my post:
> 
> I upgraded all the dependencies and while it still complains, SA no
> longer Segv's

I'd say it should score, not complain about forged domainkeys signature :)

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


Re: How to manage spam scores?

2007-07-29 Thread Matus UHLAR - fantomas
On 27.07.07 11:42, Justin Kim wrote:
> I am using amavisd-new which uses spamassassin with postfix+mysql setup.
> 
> Amavisd-new is scanning messages and is reinjecting messages to postfix
> through smtp.
> 
> I would like to know how can I manage spam scores so that certain domain
> like yahoo.com gets lower score.
> 
> My user requested that there are false positive when it is sent from
> specific yahoo.com account.

if that's from specific yahoo account, then probably owner of the account
does something wrong. I'd look at the score to inspect the problem itself.

Then, user can do whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com, which is a
bit safer than pure whitelisting of from address. Unluckily, yahoo seems not
to run SPF, which would make such whitelist even more safer.

Or maybe the user from specific account is sending from different servers
than yahoo's, which may cause the problem (if those are listed in RBL's)
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]


Re: How to manage spam scores?

2007-07-29 Thread Jerry Durand

On Jul 29, 2007, at 7:41 AM, Matus UHLAR - fantomas wrote:
> Then, user can do whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com, which is a
> bit safer than pure whitelisting of from address. Unluckily, yahoo seems not
> to run SPF, which would make such whitelist even more safer.


I was thinking that yahoo.com was already whitelisted by SpamAssassin  
but all I found was:


60_whitelist.cf
def_whitelist_from_rcvd  [EMAIL PROTECTED]yahoo-inc.com
def_whitelist_from_rcvd  [EMAIL PROTECTED] yahoo.com


Shouldn't the second line leave out the -inc part to whitelist Y!  ?

This copy of the cf file is from
/var/mail/spamassassin/3.002002/updates_spamassassin_org




SOLVED: Re: SA/DKIM will segv on forged DomainKeys sig

2007-07-29 Thread Michael Scheidell

This version of Crypt-OpenSSL-RSA is needed:


p5-Crypt-OpenSSL-RSA=0.24

this won't work:
p5-Crypt-OpenSSL-RSA-0.23_1
  



su vscan -c spamassassin -t  sample.eml
 [650] warn: Premature end of base64 data at 
/usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm line 86.
 [650] warn: Premature padding of base64 data at 
/usr/local/lib/perl5/site_perl/5.8.8/Mail/DKIM/Algorithm/dk_rsa_sha1.pm line 86.
Segmentation fault

  
I will submit a patch to freebsd ports to include dependency for 
p5-Mail-DKIM, and cc'd Jason Long (CPAN maintainer of Mail-DKIM).
If anyone wants a copy of the email with for broke DomainKeys, let me 
know (or see below for 'that line'; yes, it has two CWS and a ; at end 
of it!).


I also have the SA 3.22 freebsd ports ready to test (and it has the 
above minimum dependency), anyone needing the freebsd 3.2.2 SA port pkg 
let me know.


DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 s=s1024; d=yahoo.com;
h=Received:X-YMail-OSG:Message-ID:Reply-To:From:To:References:Subject:Date:MIME-Version:Content-Type:X-Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE;  
b=7e82t8HLAQ0qfIC5km5S508y4E7i95SO0lvW9PSA1Z15PuY223b5fHH1W4P9whTcIcS2S6K7ZM34Uc96rMowPL81M64g1wdmNPF4w47UC6l0S4A93rI13Ma8JK6Gw62ItYBgr6O5lr2WRrw6M6V9XqMvXdw45uxAKTERTph61=  ;







Re: Reporting spam with Spmassassin-run instead of sa-learn

2007-07-29 Thread Matt Kettler
Magnus Anderson wrote:
> At the moment I run sa-learn for learning new messages as spam/ham. The
> problem with this is that it just reports to bayes, not razor2, pyzor, dcc
> or spamcop.
>
> It is stated in the spamassassin-run manual that spamassassin-run is for
> reporting to these places, and to use sa-learn only if I want to report to
> bayes locally.
>
> My problem is that I use a DB for user preferences and different Bayes DBs
> for every user. This works with sa-learn by specifying -u username, but
> I can't seem to find this option in the spamassassin command. It defaults as
> root for me.
>
> So basically, I want to run the spamassassin --revoke/--report commands as a
> specific username. How can I do that?
>
su -c username spamassassin --revoke...





Re: Reporting spam with Spmassassin-run instead of sa-learn

2007-07-29 Thread Matt Kettler
Matt Kettler wrote:
> Magnus Anderson wrote:
>> At the moment I run sa-learn for learning new messages as spam/ham. The
>> problem with this is that it just reports to bayes, not razor2, pyzor, dcc
>> or spamcop.
>>
>> It is stated in the spamassassin-run manual that spamassassin-run is for
>> reporting to these places, and to use sa-learn only if I want to report to
>> bayes locally.
>>
>> My problem is that I use a DB for user preferences and different Bayes DBs
>> for every user. This works with sa-learn by specifying -u username, but
>> I can't seem to find this option in the spamassassin command. It defaults as
>> root for me.
>>
>> So basically, I want to run the spamassassin --revoke/--report commands as a
>> specific username. How can I do that?
>
> su -c username spamassassin --revoke...

Erk, that should be su username -c "spamassassin --revoke.." Pardon my
error.





How would you provide a 554 rejection notice for spam?

2007-07-29 Thread dalchri

I've recently put SpamAssassin in front of my Exchange server as an SMTP
proxy.  Our previous spam filter would provide a 554 rejection notice for
anything that was identified as spam.  This meant that any FP would be
notified so that email would not get silently ignored.  Although a rejection
notice was sent, we still retained the spam.  This meant that when our users
got a call from their customer about the rejected spam, they could quickly
locate the message without it having to be resent.

I would like to continue doing this with the new SA/Exchange setup.  Right
now I use spampd but I would like to change to Sendmail just because it is
part of the default install for Redhat.

How would you go about providing a 554 rejection notice?  Would you do it on
the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?  Something
else?
-- 
View this message in context: 
http://www.nabble.com/How-would-you-provide-a-554-rejection-notice-for-spam--tf4167751.html#a11857500
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



sa v32x + Mail::SPF are installed; Mail::SPF::Query still required. really, or typo?

2007-07-29 Thread snowcrash+sa
i've sa v32-branch, r560837 installed.

i have perl 588 + Mail::SPF installed,

module_info Mail::SPF
Name:Mail::SPF
Version: v2.005
...

but NOT Mail::SPF::Query.

reading @ SA/INSTALL,

Either of Mail::SPF or Mail::SPF::Query can be used but Mail::SPF is
 preferred as it is the current reference implementation for RFC 4408.

and comments here,

http://www.gossamer-threads.com/lists/spf/devel/31745

i understand that M::S::Q is *no longer* required.

but, on --lint, i note,

...
[470] dbg: diag: module installed: Mail::SPF, version v2.005
[470] dbg: diag: module not installed: Mail::SPF::Query ('require' 
failed)
...

other than the above mention of failed, all tests/finishes ok.

the 'require' failed originates @
./lib/Mail/SpamAssassin/Util/DependencyInfo.pm

  ...
  foreach my $moddef (@MODULES, @OPTIONAL_MODULES) {
    my $module = $moddef->{module};
    my $modver;
    if (eval ' require '.$module.'; $modver = $'.$module.'::VERSION; 1;')
    {
      $modver ||= '(undef)';
      $out .= "module installed: $module, version $modver\n";
    } else {
      $out .= "module not installed: $module ('require' failed)\n";
    }
  ...

but it's not immediately clear to me if M::S::Q *is* a *required*
dependency anywhere else ... or just a typo.

clarification?

thanks.


Re: How would you provide a 554 rejection notice for spam?

2007-07-29 Thread Shane Williams

If you're running sendmail, then spamass-milter is the way to go.

On Sun, 29 Jul 2007, dalchri wrote:



> I've recently put SpamAssassin in front of my Exchange server as an SMTP
> proxy.  Our previous spam filter would provide a 554 rejection notice for
> anything that was identified as spam.  This meant that any FP would be
> notified so that email would not get silently ignored.  Although a rejection
> notice was sent, we still retained the spam.  This meant that when our users
> got a call from their customer about the rejected spam, they could quickly
> locate the message without it having to be resent.
>
> I would like to continue doing this with the new SA/Exchange setup.  Right
> now I use spampd but I would like to change to Sendmail just because it is
> part of the default install for Redhat.
>
> How would you go about providing a 554 rejection notice?  Would you do it on
> the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?  Something
> else?



--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT iSchool
=--+---
All syllogisms contain three lines |  [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: How would you provide a 554 rejection notice for spam?

2007-07-29 Thread Matt Kettler
dalchri wrote:
> I've recently put SpamAssassin in front of my Exchange server as an SMTP
> proxy.  Our previous spam filter would provide a 554 rejection notice for
> anything that was identified as spam.  This meant that any FP would be
> notified so that email would not get silently ignored.  Although a rejection
> notice was sent, we still retained the spam.  This meant that when our users
> got a call from their customer about the rejected spam, they could quickly
> locate the message without it having to be resent.
>
> I would like to continue doing this with the new SA/Exchange setup.  Right
> now I use spampd but I would like to change to Sendmail just because it is
> part of the default install for Redhat.
>
> How would you go about providing a 554 rejection notice?  Would you do it on
> the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?  Something
> else?
   
a milter from sendmail, provided you wish to stick with sendmail.

mimedefang springs to mind, but I have no experience with it.


Re: How would you provide a 554 rejection notice for spam?

2007-07-29 Thread Spamassassin List

> dalchri wrote:
>> I've recently put SpamAssassin in front of my Exchange server as an SMTP
>> proxy.  Our previous spam filter would provide a 554 rejection notice for
>> anything that was identified as spam.  This meant that any FP would be
>> notified so that email would not get silently ignored.  Although a rejection
>> notice was sent, we still retained the spam.  This meant that when our users
>> got a call from their customer about the rejected spam, they could quickly
>> locate the message without it having to be resent.
>>
>> I would like to continue doing this with the new SA/Exchange setup.  Right
>> now I use spampd but I would like to change to Sendmail just because it is
>> part of the default install for Redhat.
>>
>> How would you go about providing a 554 rejection notice?  Would you do it on
>> the SMTP proxy?  On Exchange?  Would you use Sendmail?  Postfix?  Something
>> else?
>
> a milter from sendmail, provided you wish to stick with sendmail.
>
> mimedefang springs to mind, but I have no experience with it.


Any idea for qmail? 



Re: How would you provide a 554 rejection notice for spam?

2007-07-29 Thread Jeremy Kister
On 7/30/2007 1:25 AM, Spamassassin List wrote:
> Any idea for qmail?


use simscan.  http://www.inter7.com/simcsan


-- 

Jeremy Kister
http://jeremy.kister.net./