Re: Googlepages Livefilestore spams
John D. Hardin writes:
On Thu, 10 Jan 2008, Rosenbaum, Larry M. wrote:
Is it safe to use unbounded quantifiers like + and {2,} in uri rules? I avoid them in regular body rules.
Probably. URIs are parsed out of the body, so they are going to be fairly limited in length. 'course, if you've got the habit of writing bounded quantifiers, they won't hurt in URI rules.
exactly ;)
--j.
Anybody else frustrated by the iphone Mail application?
If I'm not mistaken, it doesn't show non-standard headers and also doesn't appear to allow the viewing of MIME attachments. So it's quite difficult to see exactly what the SpamAssassin headers/report look like from an iPhone's native mail client.
Re: Googlepages Livefilestore spams
On Wed, 2008-01-09 at 22:56 -0500, Ben Lentz wrote:
but this URI redirection stuff isn't very friendly when used by a spammer.
Ben, the key is the btnI param, which maps to the I'm feeling lucky button. This technique appeared last summer (I deployed my non-SA-based rule on 03-Jul-2007).
Thank you, this is very valuable. I wonder if Google will ever consider turning it off, since it's being abused. For now, I'm going with:
    uri GOOG_REDIR_SLASH m{^https?://(?:\w+\.)*google\.(com|co\.uk|tw)/{2,}search}
    score GOOG_REDIR_SLASH 1.0
    describe GOOG_REDIR_SLASH Google URL has extra slashes after domain
    uri GOOG_REDIR_LUCKY m{^https?://(?:\w+\.)*google\.(com|co\.uk|tw)/+search.*btnI}
    score GOOG_REDIR_LUCKY 3.0
    describe GOOG_REDIR_LUCKY Google URL uses I'm Feeling Lucky for blind redirect
    uri GOOG_PAGES m{^https?://(?:\w+\.)*googlepages\.(com|co\.uk|tw)}
    score GOOG_PAGES 2.0
    describe GOOG_PAGES URL hosted at GooglePages
...seems pretty safe.
I think you need to ignore case too; GOOGLE.COM will not match here. I haven't seen a spam with a capitalized URL, but that will be trivial for the spammer.
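The three uri patterns from this thread, run against constructed sample URIs to show the case-sensitivity miss raised in the last reply and that bounded quantifiers (the question in the earlier message about + and {2,}) give the same hits. This is an added example, not code from any poster; the patterns are transliterated from Perl m{...} to Python's re, and the BOUNDED variants with their limits are assumptions chosen for illustration.

```python
import re

# The uri rules as posted, transliterated from Perl m{...} to Python re syntax.
POSTED = {
    "GOOG_REDIR_SLASH": r"^https?://(?:\w+\.)*google\.(com|co\.uk|tw)/{2,}search",
    "GOOG_REDIR_LUCKY": r"^https?://(?:\w+\.)*google\.(com|co\.uk|tw)/+search.*btnI",
    "GOOG_PAGES": r"^https?://(?:\w+\.)*googlepages\.(com|co\.uk|tw)",
}

# Assumption: a bounded rewrite of the same rules. The limits (63-character
# labels, 10 labels, 10 slashes, 500 characters before btnI) are illustrative.
HOST = r"^https?://(?:\w{1,63}\.){0,10}"
BOUNDED = {
    "GOOG_REDIR_SLASH": HOST + r"google\.(com|co\.uk|tw)/{2,10}search",
    "GOOG_REDIR_LUCKY": HOST + r"google\.(com|co\.uk|tw)/{1,10}search.{0,500}btnI",
    "GOOG_PAGES": HOST + r"googlepages\.(com|co\.uk|tw)",
}

# Constructed sample URIs (not taken from real mail).
SAMPLES = [
    "http://www.google.com//search?q=example&btnI=1",
    "http://www.google.com/search?hl=en&q=example&btnI=1",
    "http://WWW.GOOGLE.COM/search?q=example&btnI=1",
    "http://example.googlepages.com/index.html",
    "http://www.google.com/search?q=spamassassin",
]


def hits(uri, rules=POSTED, ignore_case=False):
    """Return the sorted names of the rules whose pattern matches the URI."""
    flags = re.IGNORECASE if ignore_case else 0
    return sorted(name for name, pat in rules.items() if re.search(pat, uri, flags))


def case_only_misses(uris, rules=POSTED):
    """URIs that hit no rule as posted but do hit once case is ignored."""
    return [u for u in uris
            if not hits(u, rules) and hits(u, rules, ignore_case=True)]


if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri)
        print("  as posted:  ", hits(uri))
        print("  ignore case:", hits(uri, ignore_case=True))
        print("  bounded:    ", hits(uri, BOUNDED))
    print("missed only because of case:", case_only_misses(SAMPLES))
```

In a rule file the equivalent of ignore_case is the i modifier after the closing brace of m{...}. The script shows only what the regular expressions do; whether SpamAssassin normalises the host's case before matching is not stated in the thread.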
Re: Spam Scored zero ?
On Fri, 11 Jan 2008, UxBoD wrote: Hi, I got this SPAM through this morning and it didn't trip on anything. Any ideas ? Looks like the sender address was NULL and maybe you don't filter that? Justin.
Re: spamassassin plugin / sorry wrong list
Robert Schetterer wrote:
Hi @ll, does anyone know some more recent spamassassin plugins for editing local users_pref (not sql!!!)? I've tested spamassassin SpamFilter (Frontend) version 2 and SpamAssassin Configuration, but both did not work like they should (lots of php problems). Especially spamassassin SpamFilter (Frontend) version 2 did not show up the array of whitelisted accounts, it only shows the last entry made. Perhaps anyone knows this problem and has a fix? White and blacklisting entries are the only features I need.
Sorry all, wrong list, this should have gone to the squirrelmail plugin list.
-- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
USER_IN_WHITELIST Rule
Why does spam continually get a hit on this rule? I noticed a lot more spam coming in off the upgrade to 3.2.4. Are spammers getting crafty with their mail messages to appear as coming from myself TO myself? I could always reduce the adjustment that USER_IN_WHITELIST makes. However, I'd like to avoid that if possible. What's up with that?
Spam Scored zero ?
Hi, I got this SPAM through this morning and it didn't trip on anything. Any ideas ? -- From: [EMAIL PROTECTED] To: undisclosed-recipients:; Sent: 11 January 2008 09:01:06 o'clock (GMT) Europe/London Subject: ATM Master CARD ATTENTION I have been waiting for you since to come down here and pick your Bank Draft but did not heard from you since that time then I went and deposited the Draft with INTERNATIONAL BANK OF BENIN here in Cotonou, Benin Republic, because I travelled to Japan to see my boss and will not come back till next month end. I have arranged with them to make your payment to you with their new ATM MASTER CARD which you can use to withdraw your money in any ATM MACHINE around the globe/world. You have to contact the International Bank of Benin with your full contact informations such as follows: 1. FULL NAME 2. ADDRESS WERE YOU WANT THEM TO SEND THE ATM CARD 3. PHONE AND FAX NUMBER 4. YOUR AGE AND CURRENT OCCUPATION 5. ATTACH COPY OF YOUR IDENTIFICATION However, Kindly contact the below person who is in position to release your ATM Master CARD. REV. DR. DUNGA OTUMBA DOUGLAS, DIRECTOR, ATM PAYMENT DEPARTMENT INTERNATIONAL BANK OF BENIN EMAIL: ([EMAIL PROTECTED]) I had paid for all the processing and delivery charges, the only money that your are going to pay to them is only $86 Dollars which they will use to open your ATM Account with the Bank and send the ATM Master CARD to your address. Try to contact them as soon as possible to quicken the process of your Card before your Draft gets Expired. Let me know as soon as you receive your ATM Master Card. Thanks. Mr.tony okou -- Regards, --[ UxBoD ]-- // PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED] -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
spamassassin plugin
Hi @ll, does anyone know some more recent spamassassin plugins for editing local users_pref (not sql!!!)? I've tested spamassassin SpamFilter (Frontend) version 2 and SpamAssassin Configuration, but both did not work like they should (lots of php problems). Especially spamassassin SpamFilter (Frontend) version 2 did not show up the array of whitelisted accounts, it only shows the last entry made. Perhaps anyone knows this problem and has a fix? White and blacklisting entries are the only features I need.
-- Best Regards MfG Robert Schetterer Germany/Munich/Bavaria
Re: BOTNET 0.8 + SA 3.2.3
Hello all, I'm so no nearer a solution to this... To recap: Since upgrading from SA 3.2.2 to SA 3.2.3 I have had no Botnet hits at all. I have checked with SA --lint -D and Botnet v.0.8 seem to be installed correctly. I have run an old message through my current setup that hit Botnet when running SA 3.2.2 and it did not hit now... Any ideas? Is Botnet 0.8 incompatible with SA 3.2.3? Thanks for your help... AD
Re: BOTNET 0.8 + SA 3.2.3
I am running it with SA 3.2.4 with no problems at all. Regards, --[ UxBoD ]-- // PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED] - Original Message - From: Arthur Dent [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: 11 January 2008 10:30:48 o'clock (GMT) Europe/London Subject: Re: BOTNET 0.8 + SA 3.2.3 Hello all, I'm so no nearer a solution to this... To recap: Since upgrading from SA 3.2.2 to SA 3.2.3 I have had no Botnet hits at all. I have checked with SA --lint -D and Botnet v.0.8 seem to be installed correctly. I have run an old message through my current setup that hit Botnet when running SA 3.2.2 and it did not hit now... Any ideas? Is Botnet 0.8 incompatible with SA 3.2.3? Thanks for your help... AD -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
RE: BOTNET 0.8 + SA 3.2.3
I am running Botnet 0.8 with SA 3.2.3 without issue. Try a fresh install of all Botnet files. -Original Message- From: UxBoD [mailto:[EMAIL PROTECTED] Sent: Friday, January 11, 2008 5:45 AM To: Arthur Dent Cc: users@spamassassin.apache.org Subject: Re: BOTNET 0.8 + SA 3.2.3 I am running it with SA 3.2.4 with no problems at all. Regards, --[ UxBoD ]-- // PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED] - Original Message - From: Arthur Dent [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: 11 January 2008 10:30:48 o'clock (GMT) Europe/London Subject: Re: BOTNET 0.8 + SA 3.2.3 Hello all, I'm so no nearer a solution to this... To recap: Since upgrading from SA 3.2.2 to SA 3.2.3 I have had no Botnet hits at all. I have checked with SA --lint -D and Botnet v.0.8 seem to be installed correctly. I have run an old message through my current setup that hit Botnet when running SA 3.2.2 and it did not hit now... Any ideas? Is Botnet 0.8 incompatible with SA 3.2.3? Thanks for your help... AD -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: DDOS, Dictionary Attack... not sure what it is...
On 2008-01-08 10:12:28, Joseph Brennan wrote:
I don't understand how refusing after MAIL could take 6 times as much resources as accepting the message. By refusing, you don't receive the message body and you don't have to output the message to a mailer. That has to use less resources than accepting. I would be taking a close look at what your server is doing during rejection. This just seems very wrong to me.
Can it be that the RBL lookups are screwing up? I have installed bind9 (HP Vectra XA5, P1/200 with 384MByte) which is there for 7 domains (over 180 subdomains and around 800 hosts) and as caching DNS, but it seems that if I get spammed it becomes very heavily loaded... Normally the load average is under 0.5, but if I get spammed it is over 10.
Thanks, Greetings and nice Day
Michelle Konzack Systemadministrator Tamay Dogan Network Debian GNU/Linux Consultant
-- Linux-User #280138 with the Linux Counter, http://counter.li.org/ # Debian GNU/Linux Consultant # Michelle Konzack Apt. 917 ICQ #328449886 50, rue de Soultz MSN LinuxMichi 0033/6/6192519367100 Strasbourg/France IRC #Debian (irc.icq.com)
Authors wanted for Linux Technical Review...
Hello List, As an editor for the German Linux Magazine I am looking for an author who would want to write articles for our Linux Technical Review 07 Spam about solutions, possibilities and the current state-of-the-art of spamassassin, rules updates (rules du jour, sare,...) and its affiliated programs/libraries, and measures against Splog and Botnets. If you feel like you could write about 5+ pages on one of these topics with a technically skilled audience in mind (most of our readers are experienced administrators, technicians and executives in IT departments), I would be very happy to receive an email to: [EMAIL PROTECTED] . I can then provide more information, if you need. Don't worry about language, we will translate the article to German. The ultimate deadline would be in about 4 Weeks. Thank you! -- Best Regards - Mit freundlichen Gruessen Markus Feilner - Feilner IT Linux GIS Linux Solutions, Training, Seminare und Workshops - auch Inhouse Koetztingerstr 6c93057 Regensburg Telefon:+49 941 8 10 79 89 Mobil: +49 170 3 02 70 92 WWW: www.feilner-it.net mail: [EMAIL PROTECTED] -- My new book - Out now: http://www.packtpub.com/openvpn/book OPENVPN : Building and Integrating Virtual Private Networks
Re: USER_IN_WHITELIST Rule
Matthew Goodman wrote:
Why does spam continually get a “hit” on this rule? I noticed a lot more spam coming in off the upgrade to 3.2.4. Are spammers getting crafty with their mail messages to appear as coming from myself TO myself? I could always reduce the adjustment that USER_IN_WHITELIST makes. However, I’d like to avoid that if possible. What’s up with that?
My guess is you did something many new users do: whitelist_from [EMAIL PROTECTED], or whitelist_from [EMAIL PROTECTED]
Spammers *FREQUENTLY* forge your domain as either the From: or the Return-Path, both of which will match the whitelist_from, causing USER_IN_WHITELIST to trigger.
In general, don't use whitelist_from. Period. It just looks at a single, trivially forged header.
I'd generally suggest avoiding white lists, but if you must, whitelist_from_rcvd is substantially better as it takes a second parameter that checks the reverse-dns lookup of the first external host in the Received: headers. This is a little more difficult to configure properly, but it's also fairly difficult to forge if configured properly.
Another good option if you have SPF enabled and the sending domain has SPF would be whitelist_from_spf. This takes a single parameter, but requires the email match the SPF specs for the sending domain.
Regardless, USER_IN_WHITELIST will only trigger in response to a whitelist_from* type command, so it's definitely one of these that you explicitly added. There are some default white listings in SA, but they used the def_whitelist_* commands, which triggers USER_IN_DEF_WHITELIST instead.
Check your configs and see which whitelist command the spammers are abusing.
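A simplified model of the difference described in this reply, as an added example rather than SpamAssassin's own code: a forged sender satisfies a whitelist_from entry, while a whitelist_from_rcvd entry also needs the first external relay's reverse DNS to match. The message fields, the example.org addresses and the relay names are constructed, and the rDNS comparison (full hostname or trailing domain) is an assumption about how the second parameter is matched.

```python
import re


def glob_match(pattern, addr):
    """Address globs: '*' is any run of characters, '?' one character; case-insensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, addr, re.IGNORECASE) is not None


def rdns_match(rdns, domain):
    """True if the relay's rDNS is the given host or lies inside the given domain."""
    if not rdns:                       # no reverse DNS at all: never whitelisted
        return False
    rdns, domain = rdns.lower().rstrip("."), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def whitelist_hit(msg, whitelist_from=(), whitelist_from_rcvd=()):
    """Return the name of the setting that would whitelist msg, or None."""
    senders = [msg["from"], msg["return_path"]]   # both headers are checked
    for pattern in whitelist_from:
        if any(glob_match(pattern, s) for s in senders):
            return "whitelist_from"
    for pattern, domain in whitelist_from_rcvd:
        if (any(glob_match(pattern, s) for s in senders)
                and rdns_match(msg["relay_rdns"], domain)):
            return "whitelist_from_rcvd"
    return None


# Constructed messages: only the header values the two settings look at.
GENUINE = {"from": "alice@example.org", "return_path": "alice@example.org",
           "relay_rdns": "mail.example.org"}
FORGED = {"from": "alice@example.org", "return_path": "bounce@bulk.example.net",
          "relay_rdns": "host-203-0-113-7.dsl.example.net"}
FORGED_NO_RDNS = dict(FORGED, relay_rdns=None)
LOOKALIKE = dict(FORGED, relay_rdns="mail.notexample.org")

WEAK = {"whitelist_from": ["*@example.org"]}
STRICT = {"whitelist_from_rcvd": [("*@example.org", "example.org")]}

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE), ("forged", FORGED),
                      ("forged, no rDNS", FORGED_NO_RDNS), ("lookalike", LOOKALIKE)]:
        print(f"{name:16} weak={whitelist_hit(msg, **WEAK)} "
              f"strict={whitelist_hit(msg, **STRICT)}")
```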
Re: Spam Scored zero ?
Real headers please. Joseph Brennan Columbia University Information Technology --On Friday, January 11, 2008 9:41 + UxBoD [EMAIL PROTECTED] wrote: Hi, I got this SPAM through this morning and it didn't trip on anything. Any ideas ? -- From: [EMAIL PROTECTED] To: undisclosed-recipients:; Sent: 11 January 2008 09:01:06 o'clock (GMT) Europe/London Subject: ATM Master CARD ATTENTION I have been waiting for you since to come down here and pick your Bank Draft but did not heard from you since that time then I went and deposited the Draft with INTERNATIONAL BANK OF BENIN here in Cotonou, Benin Republic, because I travelled to Japan to see my boss and will not come back till next month end. I have arranged with them to make your payment to you with their new ATM MASTER CARD which you can use to withdraw your money in any ATM MACHINE around the globe/world. You have to contact the International Bank of Benin with your full contact informations such as follows: 1. FULL NAME 2. ADDRESS WERE YOU WANT THEM TO SEND THE ATM CARD 3. PHONE AND FAX NUMBER 4. YOUR AGE AND CURRENT OCCUPATION 5. ATTACH COPY OF YOUR IDENTIFICATION However, Kindly contact the below person who is in position to release your ATM Master CARD. REV. DR. DUNGA OTUMBA DOUGLAS, DIRECTOR, ATM PAYMENT DEPARTMENT INTERNATIONAL BANK OF BENIN EMAIL: ([EMAIL PROTECTED]) I had paid for all the processing and delivery charges, the only money that your are going to pay to them is only $86 Dollars which they will use to open your ATM Account with the Bank and send the ATM Master CARD to your address. Try to contact them as soon as possible to quicken the process of your Card before your Draft gets Expired. Let me know as soon as you receive your ATM Master Card. Thanks. 
Mr.tony okou -- Regards, --[ UxBoD ]-- // PGP Key: curl -s https://www.splatnix.net/uxbod.asc | gpg --import // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED] -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: spamassassin 3.2.4, DKIM and DomainKeys
Pascal,
it seems that since my upgrade to spamassassin 3.2.4, the DKIM and DomainKeys verifiers are no more used. All I see in the debug test are the following line :
    # spamassassin -D testmail.txt | grep -i dkim
    [4163] dbg: plugin: loading Mail::SpamAssassin::Plugin::DKIM from @INC
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=uclouvain.be; h=from:to: subject;
Are the baseline rules there, and normally accessible to the program? Are there any failures reported in the debug log loading the rules? Are you using sa-update, and if yes, did you run it after an upgrade? The .cf files which activate Plugin::DKIM are in 25_dkim.cf and 60_whitelist_dkim.cf (and possibly elsewhere).
Mark
spamassassin 3.2.4, DKIM and DomainKeys
hello
it seems that since my upgrade to spamassassin 3.2.4, the DKIM and DomainKeys verifiers are no more used. All I see in the debug test are the following line :
    # spamassassin -D testmail.txt | grep -i dkim
    [4163] dbg: plugin: loading Mail::SpamAssassin::Plugin::DKIM from @INC
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=uclouvain.be; h=from:to: subject;
the second one is from the email itself. What's wrong ?
-- Pascal
Re: BOTNET 0.8 + SA 3.2.3
On Fri, Jan 11, 2008 at 06:49:19AM -0500, Dave Koontz wrote:
I am running Botnet 0.8 with SA 3.2.3 without issue. Try a fresh install of all Botnet files.
Well I have only recently upgraded my OS from FC6 to F8 (and that's what prompted me to check that everything was working properly). The upgrade of SA took place back in October and it seems that's when Botnet stopped working. However, when I upgraded the OS (last week) it would have included a fresh install of SA and at that time I installed the Botnet files.
Correct me if I'm wrong but installing is simply a matter of copying the .pm and .cf files into /etc/mail/spamassassin directory no? I will do so again, but surely my --lint -D seems to indicate that it has installed correctly - or has it?
Confused... AD
Re: Spam Scored zero ?
Maybe just timed out? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: spamassassin 3.2.4, DKIM and DomainKeys
On Fri, 2008-01-11 at 18:00 +0100, Mark Martinec wrote:
Pascal, it seems that since my upgrade to spamassassin 3.2.4, the DKIM an DomainKeys verifiers are no more used.
My 3.2.4 installation is working fine using Mail::DKIM version 0.29-4
    Jan 11 11:20:35 sa amavis[14033]: (14033-16) SPAM, [EMAIL PROTECTED] - [EMAIL PROTECTED], Yes, score=13.178 tag=-99 tag2=4.5 kill=6.31 tests=[ACT_NOW_CAPS=0.001, DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, L_P0F_Linux=-0.1, MIME_QP_LONG_LINE=1.819, RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5, RELAY_US=0.01, SARE_EN_A_6XX_1=2, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLACK=1.961, URIBL_JP_SURBL=2.857, URIBL_OB_SURBL=2.132], autolearn=disabled, quarantine XTaDjzHYEhiO (spam-quarantine)
-- Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy http://www.austinenergy.com
3.2.4 does not trigger any tests
3.2.3 worked fine, but after upgrading to 3.2.4 (via cpan) no tests seem to work and generate points. All messages get thru. Only header that SA adds is X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on myservername
I have two servers, and the problem is now on the second of them. When I upgraded my first server, the problem was there as well, but then suddenly seemed to go away with no reason. So server#1 with 3.2.4 works ok. As server#1 worked, I went on and upgraded server#2. No errors, and sa-update and sa-compile went ok too. But no triggered tests on server#2.
Attached is the output of spamassassin -D --lint
If anyone can get any constructive ideas from it, I would be eternally grateful!
--jarif
    [1004] dbg: logger: adding facilities: all
    [1004] dbg: logger: logging level is DBG
    [1004] dbg: generic: SpamAssassin version 3.2.4
    [1004] dbg: config: score set 0 chosen.
    [1004] dbg: util: running in taint mode? yes
    [1004] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
    [1004] dbg: util: PATH included '/usr/local/sbin', keeping
    [1004] dbg: util: PATH included '/usr/local/bin', keeping
    [1004] dbg: util: PATH included '/usr/sbin', keeping
    [1004] dbg: util: PATH included '/usr/bin', keeping
    [1004] dbg: util: PATH included '/sbin', keeping
    [1004] dbg: util: PATH included '/bin', keeping
    [1004] dbg: util: PATH included '/usr/bin/X11', keeping
    [1004] dbg: util: PATH included '~/bin', which is not absolute, dropping
    [1004] dbg: util: final PATH set to: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
    [1004] dbg: dns: no ipv6
    [1004] dbg: dns: is Net::DNS::Resolver available? yes
    [1004] dbg: dns: Net::DNS version: 0.53
    [1004] dbg: diag: perl platform: 5.008004 linux
    [1004] dbg: diag: module installed: Digest::SHA1, version 2.10
    [1004] dbg: diag: module installed: HTML::Parser, version 3.47
    [1004] dbg: diag: module installed: Net::DNS, version 0.53
    [1004] dbg: diag: module installed: MIME::Base64, version 3.05
    [1004] dbg: diag: module installed: DB_File, version 1.808
    [1004] dbg: diag: module installed: Net::SMTP, version 2.29
    [1004] dbg: diag: module installed: Mail::SPF, version 2.00
    [1004] dbg: diag: module installed: Mail::SPF::Query, version 1.997
    [1004] dbg: diag: module installed: IP::Country::Fast, version 604.001
    [1004] dbg: diag: module installed: Razor2::Client::Agent, version 2.67
    [1004] dbg: diag: module not installed: Net::Ident ('require' failed)
    [1004] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
    [1004] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
    [1004] dbg: diag: module installed: Compress::Zlib, version 1.41
    [1004] dbg: diag: module installed: Time::HiRes, version 1.83
    [1004] dbg: diag: module not installed: Mail::DomainKeys ('require' failed)
    [1004] dbg: diag: module installed: Mail::DKIM, version 0.30
    [1004] dbg: diag: module installed: DBI, version 1.48
    [1004] dbg: diag: module installed: Getopt::Long, version 2.34
    [1004] dbg: diag: module installed: LWP::UserAgent, version 2.033
    [1004] dbg: diag: module installed: HTTP::Date, version 1.46
    [1004] dbg: diag: module installed: Archive::Tar, version 1.26
    [1004] dbg: diag: module installed: IO::Zlib, version 1.04
    [1004] dbg: diag: module installed: Encode::Detect, version 1.00
    [1004] dbg: ignore: using a test message to lint rules
    [1004] dbg: config: using /etc/mail/spamassassin for site rules pre files
    [1004] dbg: config: read file /etc/mail/spamassassin/init.pre
    [1004] dbg: config: read file /etc/mail/spamassassin/v310.pre
    [1004] dbg: config: read file /etc/mail/spamassassin/v312.pre
    [1004] dbg: config: read file /etc/mail/spamassassin/v320.pre
    [1004] dbg: config: using /var/lib/spamassassin/3.002004 for sys rules pre files
    [1004] dbg: config: using /var/lib/spamassassin/3.002004 for default rules dir
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_genlsubj_eng_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_header0_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_header_eng_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_html0_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_html_eng_cf_sare_sa-update_dostech_net.cf
    [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_obfu0_cf_sare_sa-update_dostech_net.cf
    [1004] dbg:
Re: gpg keys?
On Friday 11 January 2008, McDonald, Dan wrote:
On Fri, 2008-01-11 at 15:52 -0500, Gene Heskett wrote:
On Friday 11 January 2008, Theo Van Dinter wrote:
On Fri, Jan 11, 2008 at 02:34:29PM -0500, Gene Heskett wrote:
Hope this helps.
It doesn't Theo. Copy/paste from the shell I was using:
    [EMAIL PROTECTED] ~]# /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
    error: GPG validation failed!
    The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys:
    BDE9DC10
Ok, so why are you referring to a different GPG key?
Because it's the one which has been working just fine for at least 6 months? Yeah, that's it...
Here's how I call sa-update:
    [EMAIL PROTECTED] sysconfig]# cat sa-update-keys
    5244EC45
    856AA88A
    [EMAIL PROTECTED] sysconfig]# cat sa-update-channels
    updates.spamassassin.org
    70_sare_evilnum0.cf.sare.sa-update.dostech.net
    bogus-virus-warnings.cf.sare.sa-update.dostech.net
    70_sare_adult.cf.sare.sa-update.dostech.net
    70_sare_random.cf.sare.sa-update.dostech.net
    70_sare_header0.cf.sare.sa-update.dostech.net
    70_sare_genlsubj0.cf.sare.sa-update.dostech.net
    99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
    70_sare_html0.cf.sare.sa-update.dostech.net
    70_sare_html1.cf.sare.sa-update.dostech.net
    70_sare_uri0.cf.sare.sa-update.dostech.net
    70_sare_specific.cf.sare.sa-update.dostech.net
    70_sare_obfu0.cf.sare.sa-update.dostech.net
    70_sare_unsub.cf.sare.sa-update.dostech.net
    70_sare_stocks.cf.sare.sa-update.dostech.net
    pdfinfo.cf.sare.sa-update.dostech.net
    sa-update --channelfile /etc/sysconfig/sa-update-channels --gpgkeyfile /etc/sysconfig/sa-update-keys
I just went to the openprotect site and followed the instructions again, it reported that it was overwriting the same keys, but now it works without error, but doesn't report that anything was updated as your sample above shows either.
This is now the command line I have setup in my crontab:
    /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com --channel updates.spamassassin.org
All on one line of course. Takes about 4 or 5 seconds to exec, nothing reported.
-- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Tracey: That call means you just murdered me! Mal: You murdered yourself, son. I just carried the bullet for a while. --Episode #12, The Message
Re: gpg keys?
On Friday 11 January 2008, Theo Van Dinter wrote:
On Fri, Jan 11, 2008 at 02:34:29PM -0500, Gene Heskett wrote:
Is there a fix in the works for those who use sa-update other than disabling it in our crontabs?
You'd want to be more specific about what your problem is. If the issue is the cross-certify problem for the updates.spamassassin.org channel, there are at least two possibilities:
a) import the new cross-certified key. The Bugzilla ticket https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5775 covers the problems. You can either grab the new pubkey file (http://svn.apache.org/repos/asf/spamassassin/trunk/rules/sa-update-pubkey.txt) and update it via:
    gpg --homedir /etc/mail/spamassassin/sa-update-keys --import sa-update-pubkey.txt
or use a keyserver and download the update:
    gpg --homedir /etc/mail/spamassassin/sa-update-keys --keyserver pgp.mit.edu \
        --recv-key 5244EC45
b) configure gpg to not look for the cross certification. it used to be an error, but newer gpg versions made it an error. I believe this is simply putting no-require-cross-certification in ~/.gnupg/gpg.conf. I'd do this if you can't do (a) for some reason.
There hasn't been any talk yet of how to import the new key via the next release. I'm guessing it'll be a manual fix mentioned in the release notes through 3.3.0. If your problem is with other update channels, you'd need to either post more information or (if it's the same cross certify issue) talk to the channel publisher.
Hope this helps.
It doesn't Theo. Copy/paste from the shell I was using:
    [EMAIL PROTECTED] ~]# /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
    error: GPG validation failed!
    The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys:
    BDE9DC10
    Perhaps you need to import the channel's GPG key? For example:
    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY
    channel: GPG validation failed, channel failed
    [EMAIL PROTECTED] ~]# wget http://spamassassin.apache.org/updates/GPG.KEY
    --14:33:42-- http://spamassassin.apache.org/updates/GPG.KEY
    => `GPG.KEY.1'
    Resolving spamassassin.apache.org... 140.211.11.130
    Connecting to spamassassin.apache.org|140.211.11.130|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 3,304 (3.2K) [text/plain]
    100%[===] 3,304 --.--K/s
    14:33:43 (53.32 KB/s) - `GPG.KEY.1' saved [3304/3304]
    [EMAIL PROTECTED] ~]# sa-update --import GPG.KEY
    [EMAIL PROTECTED] ~]# /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
    error: GPG validation failed!
    The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys:
    BDE9DC10
    Perhaps you need to import the channel's GPG key? For example:
    wget http://spamassassin.apache.org/updates/GPG.KEY
    sa-update --import GPG.KEY
    channel: GPG validation failed, channel failed
    [EMAIL PROTECTED] ~]# gpg --homedir /etc/mail/spamassassin/sa-update-keys --import sa-update-pubkey.txt
    gpg: can't open `sa-update-pubkey.txt': No such file or directory
    gpg: Total number processed: 0
    [EMAIL PROTECTED] ~]# ls /etc/mail/spamassassin/
    init.pre sa-update-keys spamassassin-helper.sh v310.pre v320.pre local.cf spamassassin-default.rc spamassassin-spamc.rc v312.pre
    [EMAIL PROTECTED] ~]# ls /etc/mail/spamassassin/sa-update-pubkey.txt
    ls: cannot access /etc/mail/spamassassin/sa-update-pubkey.txt: No such file or directory
    [EMAIL PROTECTED] ~]# gpg --homedir /etc/mail/spamassassin/sa-update-keys --import sa-update-pubkey
    gpg: can't open `sa-update-pubkey': No such file or directory
    gpg: Total number processed: 0
    [EMAIL PROTECTED] ~]# gpg --homedir /etc/mail/spamassassin/sa-update-keys --keyserver pgp.mit.edu \
        --recv-key 5244EC45
    gpg: requesting key 5244EC45 from hkp server pgp.mit.edu
    gpg: key 5244EC45: updates.spamassassin.org Signing Key [EMAIL PROTECTED] not changed
    gpg: Total number processed: 1
    gpg: unchanged: 1
    [EMAIL PROTECTED] ~]# ls .gnupg
    dirmngr-cache.d dirmngr.conf.gpgconf.bak optionspubring.gpg pubring.kbx random_seed trustdb.gpg dirmngr.conf gpgsm.confprivate-keys-v1.d pubring.gpg~ pubring.kbx~ secring.gpg
    [EMAIL PROTECTED] ~]# ls -R .gnupg
    .gnupg:
    dirmngr-cache.d dirmngr.conf.gpgconf.bak optionspubring.gpg pubring.kbx random_seed trustdb.gpg dirmngr.conf gpgsm.confprivate-keys-v1.d pubring.gpg~ pubring.kbx~ secring.gpg
    .gnupg/dirmngr-cache.d:
    DIR.txt
    .gnupg/private-keys-v1.d:
    [EMAIL PROTECTED] ~]# vim .gnupg/gpgsm.conf
-added that phrase at the bottom of the
RE: Apache SpamAssassin 3.2.4
New upgrade is running GREAT here :) Running fine here on Windows Server 2003 with CommuniGate Pro. :)
Re: gpg keys?
On Fri, Jan 11, 2008 at 02:34:29PM -0500, Gene Heskett wrote:
Is there a fix in the works for those who use sa-update other than disabling it in our crontabs?
You'd want to be more specific about what your problem is. If the issue is the cross-certify problem for the updates.spamassassin.org channel, there are at least two possibilities:
a) import the new cross-certified key. The Bugzilla ticket https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5775 covers the problems. You can either grab the new pubkey file (http://svn.apache.org/repos/asf/spamassassin/trunk/rules/sa-update-pubkey.txt) and update it via:
    gpg --homedir /etc/mail/spamassassin/sa-update-keys --import sa-update-pubkey.txt
or use a keyserver and download the update:
    gpg --homedir /etc/mail/spamassassin/sa-update-keys --keyserver pgp.mit.edu \
        --recv-key 5244EC45
b) configure gpg to not look for the cross certification. it used to be an error, but newer gpg versions made it an error. I believe this is simply putting no-require-cross-certification in ~/.gnupg/gpg.conf. I'd do this if you can't do (a) for some reason.
There hasn't been any talk yet of how to import the new key via the next release. I'm guessing it'll be a manual fix mentioned in the release notes through 3.3.0. If your problem is with other update channels, you'd need to either post more information or (if it's the same cross certify issue) talk to the channel publisher.
Hope this helps.
-- Randomly Selected Tagline: I hate going to the dentist. Everytime I go my tongue gets depressed. - Home Movies, Therapy
Re: sa-update fails
Gene Heskett wrote:
> Even though I have followed the instructions in the error message twice now, I still have the same error when sa-update is run:

Did you also follow the instructions for the channel you are trying to update? They are available at http://saupdates.openprotect.com/.

> # /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com

The command line above tries to update the channel saupdates.openprotect.com which is not the official channel.

> Perhaps you need to import the channel's GPG key? For example:
>
>     wget http://spamassassin.apache.org/updates/GPG.KEY
>     sa-update --import GPG.KEY

Note the important "For example:" in the error message. The actual key you need to import is specific to the channel you are using. The key in the *example* is probably the key for the official channel.

The key used for the saupdates.openprotect.com channel, as specified in the instructions at http://saupdates.openprotect.com/ is http://saupdates.openprotect.com/pub.gpg.

(Note: OpenProtect recommends you use gpg to fetch their key from a key server rather than fetch it with wget.)

Regards
/Jonas

--
Jonas Eckerman, FSDB Fruktträdet
http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
gpg keys?
Is there a fix in the works for those who use sa-update other than disabling it in our crontabs? Thanks. -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Never put off until tomorrow what you can do today. There might be a law against it by that time.
Re: gpg keys?
On Fri, 2008-01-11 at 15:52 -0500, Gene Heskett wrote:
> On Friday 11 January 2008, Theo Van Dinter wrote:
> > On Fri, Jan 11, 2008 at 02:34:29PM -0500, Gene Heskett wrote:
> > Hope this helps.
>
> It doesn't Theo. Copy/paste from the shell I was using:
>
> [EMAIL PROTECTED] ~]# /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
> error: GPG validation failed!
> The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys:
> BDE9DC10

Ok, so why are you referring to a different GPG key?

Here's how I call sa-update:

[EMAIL PROTECTED] sysconfig]# cat sa-update-keys
5244EC45
856AA88A
[EMAIL PROTECTED] sysconfig]# cat sa-update-channels
updates.spamassassin.org
70_sare_evilnum0.cf.sare.sa-update.dostech.net
bogus-virus-warnings.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html1.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
pdfinfo.cf.sare.sa-update.dostech.net

sa-update --channelfile /etc/sysconfig/sa-update-channels --gpgkeyfile /etc/sysconfig/sa-update-keys

--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy http://www.austinenergy.com
Re: gpg keys?
> now it works without error, but doesn't report that anything was updated

Sounds like it's working then. You can check the exit code to see if there was an update (it's in the man page).

> /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com --channel updates.spamassassin.org

That doesn't look right to me. Those two channels use different keys, so if you want to update both of them you should tell sa-update to trust both keys.

Regards
/Jonas

PS. I'm very sceptical to the idea of --allowplugins.

--
Jonas Eckerman, FSDB Fruktträdet
http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
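The checks raised in this thread (compare the key ID printed by "GPG validation failed" with the keys sa-update was told to trust, and read the exit code after a run), as an added shell example that is not part of any poster's message and not SpamAssassin's own code. The function names, the `SA_UPDATE` override variable and the line layout of the sample error text are assumptions; running one channel per invocation with only that channel's key is a stricter choice than trusting both keys in a single run.

```shell
#!/bin/sh
# Added example: triage helpers for an sa-update cron job (hypothetical names).

# Normalise a key ID or fingerprint: drop whitespace and a leading 0x, upper-case.
norm_key() {
    printf '%s' "$1" | tr -d ' \t\r' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# key_is_listed KEYFILE ID
# True when ID and a key in KEYFILE (one key per line, like the --gpgkeyfile
# shown in the thread) name the same key. For v4 OpenPGP keys the short and
# long key IDs are the last 8 or 16 hex digits of the fingerprint, so the
# comparison is a suffix match in either direction.
key_is_listed() {
    want=$(norm_key "$2")
    [ "${#want}" -ge 8 ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        have=$(norm_key "${line%%#*}")      # this helper ignores "#" comments
        [ "${#have}" -ge 8 ] || continue
        case "$have" in *"$want") return 0 ;; esac
        case "$want" in *"$have") return 0 ;; esac
    done < "$1"
    return 1
}

# signers_from_error: read the "GPG validation failed" text on stdin and print
# the key IDs that follow "signed with the following keys:".
signers_from_error() {
    awk '
        /following keys:/ { grab = 1; sub(/.*following keys:/, "") }
        grab {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9A-Fa-f]+$/ && length($i) >= 8) print toupper($i)
                else { grab = 0; break }
            }
        }'
}

# diagnose KEYFILE < error-text
# "listed": the trust list already names the signing key, so look at the
# keyring (was the key actually imported?) or at cross-certification instead.
# "unlisted": the channel's key still has to be verified and added.
diagnose() {
    keyfile=$1
    signers_from_error | while IFS= read -r id; do
        if key_is_listed "$keyfile" "$id"; then
            echo "$id listed"
        else
            echo "$id unlisted"
        fi
    done
}

# describe_exit STATUS
# Per the sa-update man page, 0 means an update was downloaded and installed
# and 1 means no fresh update was available; this helper reports every other
# status as a failure.
describe_exit() {
    case "$1" in
        0) echo updated ;;
        1) echo current ;;
        *) echo failed ;;
    esac
}

# update_channel CHANNEL KEY: one run per channel, trusting only that key.
# SA_UPDATE is an assumed override so the command can be stubbed in tests.
update_channel() {
    status=0
    "${SA_UPDATE:-sa-update}" --gpgkey "$2" --channel "$1" || status=$?
    describe_exit "$status"
}

# Constructed sample: wording taken from the error quoted in this thread,
# line breaks assumed.
sample_error() {
    cat <<'EOF'
error: GPG validation failed!
The update downloaded successfully, but it was not signed with a trusted GPG
key.  Instead, it was signed with the following keys:

    BDE9DC10

Perhaps you need to import the channel's GPG key?  For example:
EOF
}

demo() {
    keys=$(mktemp) || return 1
    printf '%s\n' 'D1C035168C1EBC08464946DA258CDB3ABDE9DC10' > "$keys"
    sample_error | diagnose "$keys"         # prints: BDE9DC10 listed
    rm -f "$keys"
}
demo
```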
Re: gpg keys?
On Fri, 11 Jan 2008, Gene Heskett wrote:
> [EMAIL PROTECTED] ~]# wget http://spamassassin.apache.org/updates/GPG.KEY
> --14:33:42-- http://spamassassin.apache.org/updates/GPG.KEY
> = `GPG.KEY.1'
> Resolving spamassassin.apache.org... 140.211.11.130
> Connecting to spamassassin.apache.org|140.211.11.130|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 3,304 (3.2K) [text/plain]
> 100%[=] 3,304 --.--K/s
> 14:33:43 (53.32 KB/s) - `GPG.KEY.1' saved [3304/3304]
> [EMAIL PROTECTED] ~]# sa-update --import GPG.KEY

Apart from all the other comments, you're not importing the key you just downloaded. (GPG.KEY.1 vs. GPG.KEY)

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...every time I sit down in front of a Windows machine I feel as if the computer is just a place for the manufacturers to put their advertising. -- fwadling on Y! SCOX
--
6 days until Benjamin Franklin's 302nd Birthday
Re: sa-update fails
(Please keep it on the list...)

Gene Heskett wrote:
> > Did you also follow the instructions for the channel you are trying to update? They are available at http://saupdates.openprotect.com/.
>
> First time anybody has mentioned that in about 6 months,

Maybe it is, but in that case it was mentioned before that. Anyway, I just found them through Google and it is the same address as for the channel so it's not that hard to find.

> I converted the rules_du_jour thing to this per the instructions then. Is this newer yet?

Is what newer? Newer than what? The saupdates.openprotect.com is newer than RDJ if that's what you mean. The instruction page isn't very new, but it's possible that the instructions have been changed recently.

> And the last I knew the official channel was squawking about the bandwidth, threatening to disallow us if we used it on a regular basis.

I've never read anything like that anywhere. Quite the opposite actually. It is recommended to schedule regular runs of sa-update for the official channel. Since sa-update uses the DNS system to see if there are any updates available from the official channel updates.spamassassin.org it really doesn't require a problematic amount of bandwidth for regular checks.

Also, this really isn't relevant in this case since the saupdates.openprotect.com channel has completely different content from the updates.spamassassin.org channel, so you really should update the official channel as well.

> Somebody should make up their mind as to whose desk has the 'buck stops here' sign on it.

I really don't understand what you mean here. The SpamAssassin crew are responsible for the official channel only. Whoever publishes a third party channel is responsible for that channel. You are responsible for choosing what channels you use.

Personally I would not ever use a third party channel without first reading the published documentation about the channel and also checking the actual content to see whether it's a channel I want or not. That said, I do use OpenProtect's channel in addition to the official channel.

> I believe that someplace over the last 72 hours I have done that, pulling the key from the keyserver at MIT IIRC.

Have you checked in the key ring to see that it's really there?

/Jonas

--
Jonas Eckerman, FSDB Fruktträdet
http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: gpg keys?
On Fri, 2008-01-11 at 15:52 -0500, Gene Heskett wrote:
> [EMAIL PROTECTED] ~]# wget http://spamassassin.apache.org/updates/GPG.KEY
> --14:33:42-- http://spamassassin.apache.org/updates/GPG.KEY
> = `GPG.KEY.1'
> [...]
> 14:33:43 (53.32 KB/s) - `GPG.KEY.1' saved [3304/3304]
  ^
> [EMAIL PROTECTED] ~]# sa-update --import GPG.KEY
  ^^^

And you expect this to help... how? :-)

> [EMAIL PROTECTED] ~]# /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
> error: GPG validation failed!

Besides, above key sure isn't used by openprotect.com.

guenther

--
char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: BOTNET 0.8 + SA 3.2.3
On Fri, Jan 11, 2008 at 03:56:03PM +, Arthur Dent wrote:
> On Fri, Jan 11, 2008 at 06:49:19AM -0500, Dave Koontz wrote:
> > I am running Botnet 0.8 with SA 3.2.3 without issue. Try a fresh install of all Botnet files.
>
> Well I have only recently upgraded my OS from FC6 to F8 (and that's what prompted me to check that everything was working properly). The upgrade of SA took place back in October and it seems that's when Botnet stopped working. However, when I upgraded the OS (last week) it would have included a fresh install of SA and at that time I installed the Botnet files.
>
> Correct me if I'm wrong but installing is simply a matter of copying the .pm and .cf files into /etc/mail/spamassassin directory no?
>
> I will do so again, but surely my --lint -D seems to indicate that it has installed correctly - or has it?
>
> Confused...
>
> AD

Nope sorry...

Here's what I did:

I removed the botnet files from /etc/mail/spamassassin and restarted spamd.
I ran --lint which confirmed that there was no botnet installation.
I downloaded Botnet 0.8 *again* from http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar
I untarred it into a fresh directory.
I copied the .cf and .pm files into /etc/mail/spamassassin.
I restarted spamd.
I ran --lint which gave me exactly the same output as in my original post (confirming an apparently successful installation of Botnet).
I ran a previously hitting mail through spamassassin.

Nothing.

Sigh...

What now?

Thanks for your help so far...

AD
MSDN renewal reported as spam
I just found my MSDN renewal in my spam folder, and rightly so. It has all kinds of spam-sign in it. I'm pasting the offending headers below. Apparently these are being sent from some non-MS server with a long delivery delay, all-HTML. Any comments?

(My company name replaced with mycompany.)

X-Spam-Status: Yes, score=5.1 required=5.0 tests=DATE_IN_PAST_12_24,
    HELO_DYNAMIC_DHCP,HTML_MESSAGE,MIME_HTML_ONLY,RDNS_DYNAMIC autolearn=no version=3.2.3
X-Spam-Report:
    * 1.5 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
    * 1.8 DATE_IN_PAST_12_24 Date: is 12 to 24 hours before Received: date
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 1.7 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
    * dynamic-looking rDNS
Received: from cmx03.servicemail24.de (cmx03.servicemail24.de [84.17.184.244])
    by segw2.mpa.lan (8.13.8/8.13.8) with ESMTP id m09HfP9o029584
    for [EMAIL PROTECTED]; Wed, 9 Jan 2008 09:41:30 -0800
Received: from bertelsmann.de (10.128.62.51) by cmx03.servicemail24.de (PowerMTA(TM) v3.2r9) id hgk3kk0bsgo9
    for [EMAIL PROTECTED]; Wed, 9 Jan 2008 18:41:20 +0100 (envelope-from [EMAIL PROTECTED])
Date: Tue, 8 Jan 2008 23:41:48 +0100 (PST)

(I just noticed my mail gateway is using its internal name in received headers. Off to fix)
RE: BOTNET 0.8 + SA 3.2.3
> Nope sorry...
>
> Here's what I did:
>
> I removed the botnet files from /etc/mail/spamassassin and restarted spamd.
> I ran --lint which confirmed that there was no botnet installation.
> I downloaded Botnet 0.8 *again* from http://people.ucsc.edu/~jrudd/spamassassin/Botnet-0.8.tar
> I untarred it into a fresh directory.
> I copied the .cf and .pm files into /etc/mail/spamassassin.
> I restarted spamd.
> I ran --lint which gave me exactly the same output as in my original post (confirming an apparently successful installation of Botnet).
> I ran a previously hitting mail through spamassassin.
>
> Nothing.
>
> Sigh...
>
> What now?
>
> Thanks for your help so far...
>
> AD

AD,

This may be totally off the wall, yet wouldn't file ownership and/or permissions on those files make any difference? Possibly even where those files are placed in reference to perl setup? I am wondering mainly in terms of executable file(s).

If this theory doesn't help or fix, then I would set up a test machine from scratch and play. It really cannot be that hard to debug in a sandbox can it? :-)

- rh
Re: BOTNET 0.8 + SA 3.2.3
Arthur Dent wrote:
> Nope sorry..

Please confirm... that your botnet.pm file is where your other plugin PM modules reside. And that the botnet.cf file is where your custom rules live (may be a different path depending on configuration).

Make sure the botnet.cf is in the same directory as your local.cf file and see if that works.
Re: gpg keys?
On Fri, Jan 11, 2008 at 03:52:34PM -0500, Gene Heskett wrote:
> > Hope this helps.
>
> It doesn't Theo. Copy/paste from the shell I was using:
>
> [EMAIL PROTECTED] ~]# /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
> error: GPG validation failed!
> The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys:
> BDE9DC10

Other people have already responded I believe, but this is a third party channel, so you'll want to talk to them about their key. The official SA updates signing key isn't going to help with non-official updates.

I'm guessing it's the same cross-certify issue we had on the SA updates channel, so it's probably just going to be the channel owner doing the cross-certify and publishing the new key, and then people can import the new key and go from there.

> This is round 15, and the winner is by a unanimous decision, the ID-10-T that changed it. :-)

I think you upgraded GPG recently. :) Newer GPGs will fail the verification step if the key isn't cross certified. It was never required before, and was then turned into a warning until recently when it became an error.

--
Randomly Selected Tagline: ... and what are you? I'm an otter. and what do you do? I swim around on my back and do cute little human things with my hands. - Denis Leary
Re: 3.2.4 does not trigger any tests
On Fri, Jan 11, 2008 at 11:13:58PM +0200, Jari Fredriksson wrote:
> If anyone can get any constructive ideas from it, I would be eternally grateful!

When you use third party rule updates, you need to also use the SA rule updates if you want those rules. ie: run just sa-update or specify multiple channels appropriately.

> [...]
> [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
> [...]
> [1004] dbg: config: read file /var/lib/spamassassin/3.002004/99_sare_fraud_post25x_cf_sare_sa-update_dostech_net.cf
> [1004] dbg: config: using /etc/mail/spamassassin for site rules dir
> [1004] dbg: config: read file /etc/mail/spamassassin/local.cf
> [1004] dbg: config: using /root/.spamassassin/user_prefs for user prefs file
> [1004] dbg: config: read file /root/.spamassassin/user_prefs
> [...]

--
Randomly Selected Tagline: The stalling problem was so bad that I had to take a clockwise route to work so I could make all right turns, and not risk stalling on a left turn in front of oncoming traffic. - Unknown about the Dodge Aspen/ Plymouth Volare
I'm still getting question marks in spam scores.
Hi,

I updated from spamassassin 3.2.3 to 3.2.4 and I'm still getting these question marks in score from spamassassin. Here is a sample of the header I get with this message:

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 23882 invoked by uid 501); 11 Jan 2008 03:03:53 -0800
Received: from 222.165.93.206 by s1.molsci.org (envelope-from [EMAIL PROTECTED], uid 509) with qmail-scanner-2.01st (clamdscan: 0.91.2/4787. spamassassin: 3.2.3. perlscan: 2.01st. Clear:RC:0(222.165.93.206):SA:0(?/?):. Processed in 30.084638 secs); 11 Jan 2008 11:03:53 -
X-Spam-Status: No, hits=? required=?
Received: from unknown (HELO compaq) (222.165.93.206) by mail.molsci.org with SMTP; 11 Jan 2008 03:03:21 -0800
Received: from [222.165.93.206] by mailin.rzone.de; Fri, 10 Jan 2008 03:03:31 -0800
Date: Fri, 10 Jan 2008 03:03:31 -0800
From: Nancy Andersen [EMAIL PROTECTED]
X-Mailer: The Bat! (v2.11) Educational
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Olny this 5 days special price on pharma for you dear customer
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=--F46E35D35D3C25

Here is what I see in qmail-queue.log:

Fri, 11 Jan 2008 03:03:22 PST:23794: +++ starting debugging for process 23794 (ppid=23314) by uid=509
Fri, 11 Jan 2008 03:03:22 PST:23795: +++ starting debugging for process 23795 (ppid=23315) by uid=509
Fri, 11 Jan 2008 03:03:22 PST:23794: w_c: Total time between DATA command and . was 0.000114 secs
Fri, 11 Jan 2008 03:03:22 PST:23794: w_c: elapsed time from start 0.000114 secs
Fri, 11 Jan 2008 03:03:22 PST:23794: g_e_h: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]'
Fri, 11 Jan 2008 03:03:22 PST:23794: from='Nancy Andersen [EMAIL PROTECTED]', subj='Olny this 5 days special price on pharma for you dear customer', via SMTP from 222.165.93.206
Fri, 11 Jan 2008 03:03:22 PST:23794: clamdscan: finished scan in 0.020176 secs

Here is the maillog:

Jan 11 03:03:23 s1 spamd[17667]: spamd: checking message [EMAIL PROTECTED] for qscand:510
Jan 11 03:03:23 s1 spamd[23593]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37676
Jan 11 03:04:37 s1 spamd[17667]: spamd: identified spam (21.0/10.0) for qscand:510 in 74.4 seconds, 1894 bytes.
Jan 11 03:04:37 s1 spamd[17667]: spamd: result: Y 20 - BAYES_99,BOTNET,DATE_IN_PAST_12_24,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=74.4,size=1894,user=qscand,uid=510,required_score=10.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37675,mid=[EMAIL PROTECTED],bayes=0.74,autolearn=spam
Jan 11 03:04:37 s1 spamd[26231]: prefork: child states: III
Jan 11 03:04:37 s1 spamd[26231]: spamd: handled cleanup of child pid 23593 due to SIGCHLD
Jan 11 03:04:37 s1 spamd[26231]: prefork: child states: II

Is it because that spamassassin is taking a such a long time and timing out so I'm getting these question mark in scores? How do I adjust the timeout?

Thank you for any assistance,
Frank
Re: gpg keys?
On Friday 11 January 2008, Theo Van Dinter wrote:
> On Fri, Jan 11, 2008 at 03:52:34PM -0500, Gene Heskett wrote:
> > > Hope this helps.
> >
> > It doesn't Theo. Copy/paste from the shell I was using:
> >
> > [EMAIL PROTECTED] ~]# /usr/bin/sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com
> > error: GPG validation failed!
> > The update downloaded successfully, but it was not signed with a trusted GPG key. Instead, it was signed with the following keys:
> > BDE9DC10
>
> Other people have already responded I believe, but this is a third party channel, so you'll want to talk to them about their key. The official SA updates signing key isn't going to help with non-official updates.
>
> I'm guessing it's the same cross-certify issue we had on the SA updates channel, so it's probably just going to be the channel owner doing the cross-certify and publishing the new key, and then people can import the new key and go from there.
>
> > This is round 15, and the winner is by a unanimous decision, the ID-10-T that changed it. :-)
>
> I think you upgraded GPG recently. :) Newer GPGs will fail the verification step if the key isn't cross certified. It was never required before, and was then turned into a warning until recently when it became an error.

That's possible I suppose. In watching what pup wants to update, I've had bigger fish than gpg to monitor. Is there a history file I can consult to find out?

Bear in mind my fav pkg manager is smart, although yumex gets a bit of work here too cuz finding out howto info on setting up a new repo in smart is about as scarce as hens teeth, often made of pure ignorium or pure unobtainium. I like smart, it does things much more intuitively than yumex, but its man pages need some tlc.

--
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Dogs just don't seem to be able to tell the difference between important people and the rest of us.
Re: 3.2.4 does not trigger any tests
> When you use third party rule updates, you need to also use the SA rule updates if you want those rules. ie: run just sa-update or specify multiple channels appropriately.

I use sa-update, and multiple channels.

My /etc/cron.daily/sa-update:
--(8)--
#!/bin/sh
/usr/bin/sa-update --allowplugins --channelfile /etc/spamassassin/channels.txt --nogpg
/usr/bin/sa-compile
# Somehow in Debian Sarge spamd loses its pid, works in Etch much better
# Have to use force..
killall spamd
sleep 10
/etc/init.d/spamassassin start

My /etc/spamassassin/channels.txt:
--(8)--
update.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
--(8)--

- Original Message -
From: Theo Van Dinter [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Saturday, January 12, 2008 3:29 AM
Subject: Re: 3.2.4 does not trigger any tests

On Fri, Jan 11, 2008 at 11:13:58PM +0200, Jari Fredriksson wrote:
> If anyone can get any constructive ideas from it, I would be eternally grateful!

[...]
[1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
[...]
[1004] dbg: config: read file /var/lib/spamassassin/3.002004/99_sare_fraud_post25x_cf_sare_sa-update_dostech_net.cf
[1004] dbg: config: using /etc/mail/spamassassin for site rules dir
[1004] dbg: config: read file /etc/mail/spamassassin/local.cf
[1004] dbg: config: using /root/.spamassassin/user_prefs for user prefs file
[1004] dbg: config: read file /root/.spamassassin/user_prefs
[...]
Re: 3.2.4 does not trigger any tests
Top post, sorry!

Now it works. I just ran sa-update; sa-compile without that channel-file! Puzzled, but works anyway.

> > When you use third party rule updates, you need to also use the SA rule updates if you want those rules. ie: run just sa-update or specify multiple channels appropriately.
>
> I use sa-update, and multiple channels.
>
> My /etc/cron.daily/sa-update:
> --(8)--
> #!/bin/sh
> /usr/bin/sa-update --allowplugins --channelfile /etc/spamassassin/channels.txt --nogpg
> /usr/bin/sa-compile
> # Somehow in Debian Sarge spamd loses its pid, works in Etch much better
> # Have to use force..
> killall spamd
> sleep 10
> /etc/init.d/spamassassin start
>
> My /etc/spamassassin/channels.txt:
> --(8)--
> update.spamassassin.org
> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
> 70_sare_evilnum0.cf.sare.sa-update.dostech.net
> 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
> 70_sare_html0.cf.sare.sa-update.dostech.net
> 70_sare_html_eng.cf.sare.sa-update.dostech.net
> 70_sare_header0.cf.sare.sa-update.dostech.net
> 70_sare_header_eng.cf.sare.sa-update.dostech.net
> 70_sare_specific.cf.sare.sa-update.dostech.net
> 70_sare_adult.cf.sare.sa-update.dostech.net
> 72_sare_bml_post25x.cf.sare.sa-update.dostech.net
> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
> 70_sare_spoof.cf.sare.sa-update.dostech.net
> 70_sare_random.cf.sare.sa-update.dostech.net
> 70_sare_oem.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj0.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
> 70_sare_unsub.cf.sare.sa-update.dostech.net
> 70_sare_uri0.cf.sare.sa-update.dostech.net
> 70_sare_obfu0.cf.sare.sa-update.dostech.net
> 70_sare_stocks.cf.sare.sa-update.dostech.net
> --(8)--
>
> - Original Message -
> From: Theo Van Dinter [EMAIL PROTECTED]
> To: users@spamassassin.apache.org
> Sent: Saturday, January 12, 2008 3:29 AM
> Subject: Re: 3.2.4 does not trigger any tests
>
> On Fri, Jan 11, 2008 at 11:13:58PM +0200, Jari Fredriksson wrote:
> > If anyone can get any constructive ideas from it, I would be eternally grateful!
>
> [...]
> [1004] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
> [...]
> [1004] dbg: config: read file /var/lib/spamassassin/3.002004/99_sare_fraud_post25x_cf_sare_sa-update_dostech_net.cf
> [1004] dbg: config: using /etc/mail/spamassassin for site rules dir
> [1004] dbg: config: read file /etc/mail/spamassassin/local.cf
> [1004] dbg: config: using /root/.spamassassin/user_prefs for user prefs file
> [1004] dbg: config: read file /root/.spamassassin/user_prefs
> [...]
Re: 3.2.4 does not trigger any tests
On Sat, 12 Jan 2008 04:56:57 +0200 Jari Fredriksson [EMAIL PROTECTED] wrote:
> [snip]
> My /etc/spamassassin/channels.txt:
> --(8)--
> update.spamassassin.org
  ^^^

I have:

updates.spamassassin.org

[snip]

---
_|_ (_| |
Re: BOTNET 0.8 + SA 3.2.3
On Friday 11 January 2008 6:20 pm, Dave Koontz wrote:
> Arthur Dent wrote:
> > Nope sorry..
>
> Please confirm... that your botnet.pm file is where your other plugin PM modules reside. And that the botnet.cf file is where your custom rules live (may be a different path depending on configuration).
>
> Make sure the botnet.cf is in the same directory as your local.cf file and see if that works.

FWIW, when updating from 0.7 to 0.8 I placed the Botnet.cf file in /etc/mail/spamassassin, and placed the .pm file there also. My log snippets showed that 0.7 was still being used then I remembered I had placed the 0.7 .pm file here after doing some reading about placement of plug-ins:

/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/Botnet.pm

Placing it here and restarting spamassassin now shows that 0.8 is being used.

--
Chris
KeyID 0xE372A7DA98E6705C
Re: I'm still getting question marks in spam scores.
fchan wrote:
> Hi,
> I updated from spamassassin 3.2.3 to 3.2.4 and I'm still getting these question marks in score from spamassassin. Here is a sample of the header I get with this message:
>
> Return-Path: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 23882 invoked by uid 501); 11 Jan 2008 03:03:53 -0800
> Received: from 222.165.93.206 by s1.molsci.org (envelope-from [EMAIL PROTECTED], uid 509) with qmail-scanner-2.01st (clamdscan: 0.91.2/4787. spamassassin: 3.2.3. perlscan: 2.01st. Clear:RC:0(222.165.93.206):SA:0(?/?):. Processed in 30.084638 secs); 11 Jan 2008 11:03:53 -
> X-Spam-Status: No, hits=? required=?

snip

> Here is what I see in qmail-queue.log:
>
> Fri, 11 Jan 2008 03:03:22 PST:23794: +++ starting debugging for process 23794 (ppid=23314) by uid=509
> Fri, 11 Jan 2008 03:03:22 PST:23795: +++ starting debugging for process 23795 (ppid=23315) by uid=509
> Fri, 11 Jan 2008 03:03:22 PST:23794: w_c: Total time between DATA command and . was 0.000114 secs
> Fri, 11 Jan 2008 03:03:22 PST:23794: w_c: elapsed time from start 0.000114 secs
> Fri, 11 Jan 2008 03:03:22 PST:23794: g_e_h: return-path='[EMAIL PROTECTED]', recips='[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]'
> Fri, 11 Jan 2008 03:03:22 PST:23794: from='Nancy Andersen [EMAIL PROTECTED]', subj='Olny this 5 days special price on pharma for you dear customer', via SMTP from 222.165.93.206
> Fri, 11 Jan 2008 03:03:22 PST:23794: clamdscan: finished scan in 0.020176 secs
>
> Here is the maillog:
>
> Jan 11 03:03:23 s1 spamd[17667]: spamd: checking message [EMAIL PROTECTED] for qscand:510
> Jan 11 03:03:23 s1 spamd[23593]: spamd: connection from localhost.localdomain [127.0.0.1] at port 37676
> Jan 11 03:04:37 s1 spamd[17667]: spamd: identified spam (21.0/10.0) for qscand:510 in 74.4 seconds, 1894 bytes.
> Jan 11 03:04:37 s1 spamd[17667]: spamd: result: Y 20 - BAYES_99,BOTNET,DATE_IN_PAST_12_24,HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SBL scantime=74.4,size=1894,user=qscand,uid=510,required_score=10.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=37675,mid=[EMAIL PROTECTED],bayes=0.74,autolearn=spam
> Jan 11 03:04:37 s1 spamd[26231]: prefork: child states: III
> Jan 11 03:04:37 s1 spamd[26231]: spamd: handled cleanup of child pid 23593 due to SIGCHLD
> Jan 11 03:04:37 s1 spamd[26231]: prefork: child states: II
>
> Is it because that spamassassin is taking a such a long time and timing out so I'm getting these question mark in scores? How do I adjust the timeout?

Well, that's a qmail-scanner question really..

However a quick search on google for qmail-scanner timeout turns up:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg06929.html

Apparently qmail-scanner by default calls spamc with an absurdly short 30 second timeout. Given that SA needs to do bayes database management from time to time (once or twice a day), some messages could take several minutes to scan, as this one probably did. (bayes expiry can be slow if your system isn't fast and/or your database is large.)

That post is about disabling timeouts, I'd just eliminate the -t option and let spamc manage its own timeouts at the default of 600 seconds.
Re: 3.2.4 does not trigger any tests
> On Sat, 12 Jan 2008 04:56:57 +0200 Jari Fredriksson [EMAIL PROTECTED] wrote:
> > [snip]
> > My /etc/spamassassin/channels.txt:
> > --(8)--
> > update.spamassassin.org
>   ^^^
> I have:
> updates.spamassassin.org

Thanks! Must be it.
Problem with handle_user
I am also having this error in my spamd.log file.

Spamd is being run with:

SPAMD_OPTS=-c -d -v -m 40 -s local4 -q -u vpopmail --virtual-config-dir=/var/vpopmail/domains/%d/%l/.spamassassin/ -H /var/vpopmail

And spamc is being called by qmail-scanner-2.01 with

/usr/bin/spamc -t 30

NONE of my per-user files are being read, and every single e-mail that comes in I get the user unknown problem. This didn't happen when I was using SpamAssassin 3.2.3

-Original Message-
From: Jason Frisvold [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 10, 2008 4:20 AM
To: Stefan Suurmeijer
Cc: users@spamassassin.apache.org
Subject: Re: Problem with handle_user

On Jan 9, 2008 3:23 PM, Stefan Suurmeijer [EMAIL PROTECTED] wrote:
> Well, I think you're now telling spamd it should always run as nobody, I can understand why that fixes the user unknown problem. But I need spamd to run as the user the mail is intended for so I can use per-user settings.

It runs the spamd process as nobody, I believe. But the per-user settings still work, provided that spamc is called with the -u flag.

> I'll have a look at the milter-setup to see if that's where the problem is
>
> cheers
>
> Stefan

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com