Re: What does Free Software have to do with education?
On 18-Mar-2009, at 21:34, Jorge Cardona wrote:
> What does Free Software have to do with education?

This list is English only.

-- 
Advance and attack! Attack and destroy! Destroy and rejoice!
Re: interesting flash attack in spam
>>> Michael Scheidell wrote:
>>> then tries to load a binary:
>>> ref="http://www.spamcom.com.br/CartadeAmor.exe";
>>> both files still exist on the hosts, and neither was identified by clamav, and neither triggered any ET (snort) rules, SA didn't trigger any rules except these:

Neither ClamAV nor F-Prot on Linux detected this, but AVG Free on Windows did, and quarantined it gracefully.
What does Free Software have to do with education?

What does Free Software have to do with education?

Sooner or later, the computer is going to become part of the educational toolkit. Once the dust raised by the prophets of the electronic panacea has settled, those who claim to solve structural problems of the education system by saturating it with processors, we will be able to see, soberly, that the computer has useful applications in the classroom, just as the book and the map do. When we take on the task of using computing resources rationally as part of the learning experience, there is one aspect of the computer that deserves special attention from educators: the programs, the software.

Some believe that the role of the school is to prepare students for work and university. If that is so, if the mission of the school is to train submissive, cheap workers to improve the profitability of companies, then it does not matter what software we use. But if the idea is to educate free citizens, aware of their rights and responsibilities, capable of questioning established truth, of appreciating art, of imagining the world they want and contributing to making it real, then using Free Software is unavoidable: programs that students and educators can use, study, modify and distribute as they please.

Software for everyone

Schools that are beginning to use computers as an educational tool often run into an insurmountable obstacle: although it is possible to obtain (by virtue of questionable confidential agreements between the Ministry of Education and monopolistic companies) licenses for some programs at low cost, the licenses for advanced programs such as WWW servers, databases, office suites, image, audio and video processing and many others are beyond the purchasing power of schools.

Some of them, faced with the impossibility of buying the licenses, even prefer to break the law rather than deprive students of the use of the programs, which sends an attitudinal message that is at the very least questionable. These schools can escape the dilemma, and help their students do the same, by using Free Software: there is an enormous collection of free programs that can be used for countless applications, with no more formality than deciding to do so. No purchases, tenders, confidentiality agreements, nor any commitment to keep students from copying the programs. Quite the opposite: Free Software is there precisely so that everyone can use it without strings attached, copy it, take it home, install it wherever they want. Instead of serving as guardian of a company's interests, committing itself to preventing the copying of programs, the school recovers its role as a disseminator of knowledge to the community, and can become the place of reference where the community shares programs, knowledge and experience.

Long live curiosity!

Not all students want to become programmers, just as few of them will devote themselves to literature, or to mathematics, painting or music. Even so, part of the school's mission is to expose children to these arts, to stimulate their curiosity, to help them discover the world around them, to give them the basic rudiments for functioning in society. Software must not be left out of this call to curiosity: every time a student wants to learn how programs work, the school must encourage and support that interest. When it develops into a skill, the school should make use of it and spread it, as it does with the artistic talents of its students in ceremonies and community events.

Free Software is a fertile space for study and experimentation, in which there are no arbitrary limits: each person can choose for themselves how much they want to learn about the programs, limited only by their own ability and dedication. Thousands of programs to learn from, thousands of opportunities through which to take part, from the school itself, in the largest community construction of which humanity has record. If the programs the school uses are not free, on the other hand, the school again finds itself in a delicate situation: the programs' licenses expressly prohibit studying how they work, let alone modifying them. Those students who show signs of curiosity about how the programs work will have to be repressed, with the outrageous explanation that they have no right to acquire the knowledge they aspire to.

A new cultural technique

Let us imagine a natural sciences class in which students receive an inviolable black box that, when given water, germinates a seed that cannot be seen, producing the stem of a plant through a process that will remain forever mysterious. Let us imagine a mathematics class in which the teacher explains the concept of division,
Re: Spam Assassin White List
On Wed, 18 Mar 2009, dsh979 wrote:

> I have found that when I manually add a user to the whitelist (in the
> SpamAssassin user preferences file) I get inconsistent results:
> ...
> I have also found that when I manually add a user to the blacklist (in the
> SpamAssassin user preferences file) I get the following result:

How _exactly_ are you adding users to the whitelist and blacklist? Give us examples of what you're adding to the config file.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...in the 2nd amendment the right to arms clause means you have the right to choose how many arms you want, and the militia clause means that Congress can punish you if the answer is "none." -- David Hardy, 2nd Amendment scholar
---
1327 days until the Presidential Election
Re: SpamAssassins bayes mechanism and message headers
From: Matt Kettler
Date: Wed, 18 Mar 2009 19:49:53 -0400

Jeff Mincy wrote:
>From: Matt Kettler
>Date: Tue, 17 Mar 2009 21:30:02 -0400
>
>fl...@pbartels.info wrote:
>> Hello,
>>
>> instead of disabling a lot possibly set message headers using
>> "bayes_ignore_header" and ending up in strange configs like:
>>
>> bayes_ignore_header Return-Path
>...
>> (found on the net)
>Where?
>>
>> shouldn't SpamAssassins bayes mechanism just ignore the complete
>> message header and just look at the body?
>> This seems useful in my opinion.
>It seems like a very misguided idea to me.
>
>Is there any reason to think headers make bad tokens?
>Do you have any test data showing this improves your bayes accuracy?
>
> Yes - I think some headers make extremely bad tokens for bayes, for
> example the X-Mailer/User-Agent headers. 40% of the spam I get
> claims to have Microsoft Outlook as an X-Mailer. So bayes rapidly
> determines that *UAMicrosoft (etc) is an extremely strong token.
> These *UA tokens were enough to push a short ham message to BAYES_99.
> When I added a bayes_ignore_header the score dropped to ~BAYES_40
>

That seems rather extraordinarily strange. Did the messages match no other tokens at all? (ie: did you run it through spamassassin -D bayes before and after?)

This was the X-Spam-Bayes header that was added at the time:

X-Spam-Bayes: bayes=1., N=27(19-0+13), ham=(), spam=(HTo:U*mincy, HTo:D*com, HTo:D*rcn.com, H*F:D*net, H*UA:Build)

This header was added using:

add_header all Bayes bayes=_BAYES_, N=_BAYESTC_(_BAYESTCLEARNED_-_BAYESTCHAMMY_+_BAYESTCSPAMMY_), ham=(_HAMMYTOKENS(5,short)_), spam=(_SPAMMYTOKENS(5,short)_)

So, there are 27 tokens, 0 hammy, 13 spammy.

I'd be very interested in what's going on there, because it makes very little sense unless the message really matched very, very little other existing training.

3 of the top 5 spammy tokens eg: HTo:U*mincy, HTo:D*com, HTo:D*rcn.com come from the To: mi...@rcn.com header.

The H*UA:Build came from a 'X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)' header. As I recall, there were various H*UA:Outlook etc headers. Bayes was 100.000% sure that this message was spam based on the To, X-Mailer, and From headers.

The envelopes on all email messages that I read at home are addressed to mi...@rcn.com (ignoring for the moment that mi...@starpower.net also happens to get to me). The 'To:' header is either going to be mi...@rcn.com or some made up email address that will never be repeated, or it is my email address. So Bayes will see my email address in both spam and ham. At the time more than 80% of email I was getting at rcn.com was spam, so To: mi...@rcn.com was turned into three strong spam tokens. My real mi...@rcn.com email address in the To header says nothing about the spamminess of the message. (This is in contrast to the mi...@starpower.net email address, which is almost certainly spam and has been added to the blacklist_to.)

So my solution was to add 'bayes_ignore_header To From' and use blacklist_to/blacklist_from for the suspect email addresses. I came up with similar justification for adding 'bayes_ignore_header X-Mailer'.

The body of the message was a single sentence asking me about my primary music software.

If you want to see more detail let's take it off the public mailing list.

-jeff
Re: SpamAssassins bayes mechanism and message headers
Jeff Mincy wrote:
>From: Matt Kettler
>Date: Tue, 17 Mar 2009 21:30:02 -0400
>
>fl...@pbartels.info wrote:
>> Hello,
>>
>> instead of disabling a lot possibly set message headers using
>> "bayes_ignore_header" and ending up in strange configs like:
>>
>> bayes_ignore_header Return-Path
>...
>> (found on the net)
>Where?
>>
>> shouldn't SpamAssassins bayes mechanism just ignore the complete
>> message header and just look at the body?
>> This seems useful in my opinion.
>It seems like a very misguided idea to me.
>
>Is there any reason to think headers make bad tokens?
>Do you have any test data showing this improves your bayes accuracy?
>
> Yes - I think some headers make extremely bad tokens for bayes, for
> example the X-Mailer/User-Agent headers. 40% of the spam I get
> claims to have Microsoft Outlook as an X-Mailer. So bayes rapidly
> determines that *UAMicrosoft (etc) is an extremely strong token.
> These *UA tokens were enough to push a short ham message to BAYES_99.
> When I added a bayes_ignore_header the score dropped to ~BAYES_40
>

That seems rather extraordinarily strange. Did the messages match no other tokens at all? (ie: did you run it through spamassassin -D bayes before and after?)

I'd be very interested in what's going on there, because it makes very little sense unless the message really matched very, very little other existing training.
Re: Sa-update problem
Bryan Lee wrote:
> I'm a new administrator at a site and have been tasked with updating
> Spam Assassin, something I have never worked with before.
>
> I am running /usr/perl5/5.8.4/bin/sa-update daily as a cronjob, but I'm
> not sure if this is accomplishing anything.
> I have read through FAQs and documentation, but haven't found anything
> relating to this issue.
>
> SpamAssassin version 3.2.3
> Platform Solaris 10
> Accessed through perl module interfaced by mimedefang
>
> At question is the statement
> dbg: channel: current version is 752903, new version is 752903,
> skipping channel
>
> I believe that 2 weeks ago when I first ran sa-update the version was
> upgraded and exit status was 0, but since then the version has not
> increased and all my exit statuses are 1.
>
> Is version 3.2.3 completely out of date and not receiving updates
> anymore? Are updates only done once every few weeks?
> Do I have a configuration problem?
>

$ host -t txt 3.2.3.updates.spamassassin.org
3.2.3.updates.spamassassin.org descriptive text "752903"

so you have the last official update. and it's the same version for 3.2.5:

$ host -t txt 5.2.3.updates.spamassassin.org
5.2.3.updates.spamassassin.org descriptive text "752903"

last update was on 13-03-2009.

consider adding:

sought.rules.yerp.org
90_2tld.cf.sare.sa-update.dostech.net

to your channels list. see
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
for how to do that.

for sought rules, use:
6C6191E3 http://yerp.org/rules/GPG.KEY

and for SARE rules, use
856AA88A http://daryl.dostech.ca/sa-update/sare/GPG.KEY
Re: interesting flash attack in spam
RobertH wrote:
>
>>>> http://pastebin.com/m2fcbe7b5
>> Thanks for posting the sample.
>>
>> My email sanitizer successfully defends against this attack.
>>
>> :)
>>
>> --
>> John Hardin
>
> no disrespect intended yet i would like to understand...
>
> u, if your "email sanitizer" caught it, why isn't that something
> programmed "in another way" inside SA, or clamav, etc...?
>
> i mean we have viruses, we have spyware, we have spam, we have UCE, we have
> all these different terms that describe essentially the same stuff...
>
> can't this be dealt with in something that already exists like SA, Clamav, or
> whatever, besides having another custom piece of coding ?
>
> i mean, John, at the very least get out some them there GUNS and shoot it a
> bunch and make it stop or something!
>

spam contains a URL (the fact that it is flash is only half-relevant). That URL redirects to an exe file. you want to do what? The approach that consists of getting the spam filter (SA here) to access the URL has a lot of problems (easy DoS, address confirmation, higher latency, ... etc)

Fixing the MUA may be good, but this still means that a file suffix is meaningful. however, the internet isn't windows. a ".exe" does nothing on a unix/linux system (assuming no windows support, be that wine or other).

and to answer Ned's post, the problem isn't with flash running arbitrary programs (what's the alternative? display ascii text only?). The problem is elsewhere. I don't know many people who forbid .doc/xls/ppt in email, and these can do a lot of harm.
Spam Assassin White List
I am having trouble with the standard "White List" & "BlackList" configuration in the SpamAssassin user preferences file.

The "Manual White List" user guide at http://wiki.apache.org/spamassassin/ManualWhitelist states "Adding a user to your whitelist gives them a -100 score, which has the effect of always marking their mail as non-spam".

I have found that when I manually add a user to the whitelist (in the SpamAssassin user preferences file) I get inconsistent results:

The first example:
X-Spam-Status: No, score=-100.0
X-Spam-Score: -999
X-Spam-Bar: ---

The second example (for the same address):
X-Spam-Status: No, score=1.4
X-Spam-Score: 14
X-Spam-Bar: +
X-Spam-Flag: NO

I have also found that when I manually add a user to the blacklist (in the SpamAssassin user preferences file) I get the following result:
X-Spam-Status: No, score=-100.0
X-Spam-Score: -999
X-Spam-Bar: ---

My Questions:

(i) Is there an explanation for what I have observed above in relation to the manual whitelist entries (in the SpamAssassin user preferences file)?

(ii) Why would the manual blacklist entry above (in the SpamAssassin user preferences file) give the same result as a manual whitelist entry (in the SpamAssassin user preferences file)?

(iii) The administrator of our server has indicated that mail matching the whitelist entries and the blacklist entries (in the SpamAssassin user preferences file) will always be processed/assessed by SpamAssassin as spam/not spam. Is this the case? If so, what is the purpose of the whitelist and the blacklist entries in the SpamAssassin user preferences file?

Any assistance would be greatly appreciated.
RE: interesting flash attack in spam
> > > > http://pastebin.com/m2fcbe7b5
> > Thanks for posting the sample.
> >
> > My email sanitizer successfully defends against this attack.
> >
> > :)
> >
> > --
> > John Hardin

no disrespect intended yet i would like to understand...

u, if your "email sanitizer" caught it, why isn't that something programmed "in another way" inside SA, or clamav, etc...?

i mean we have viruses, we have spyware, we have spam, we have UCE, we have all these different terms that describe essentially the same stuff...

can't this be dealt with in something that already exists like SA, Clamav, or whatever, besides having another custom piece of coding ?

i mean, John, at the very least get out some them there GUNS and shoot it a bunch and make it stop or something!

;-)

- rh
Sa-update problem
I'm a new administrator at a site and have been tasked with updating Spam Assassin, something I have never worked with before.

I am running /usr/perl5/5.8.4/bin/sa-update daily as a cronjob, but I'm not sure if this is accomplishing anything. I have read through FAQs and documentation, but haven't found anything relating to this issue.

SpamAssassin version 3.2.3
Platform Solaris 10
Accessed through perl module interfaced by mimedefang

At question is the statement
dbg: channel: current version is 752903, new version is 752903, skipping channel

I believe that 2 weeks ago when I first ran sa-update the version was upgraded and exit status was 0, but since then the version has not increased and all my exit statuses are 1.

Is version 3.2.3 completely out of date and not receiving updates anymore? Are updates only done once every few weeks? Do I have a configuration problem?

Full output from my current sa-update command follows:

[14806] dbg: logger: logging level is DBG
[14806] dbg: generic: SpamAssassin version 3.2.3
[14806] dbg: config: score set 0 chosen.
[14806] dbg: dns: is Net::DNS::Resolver available? yes
[14806] dbg: dns: Net::DNS version: 0.60
[14806] dbg: generic: sa-update version svn540384
[14806] dbg: generic: using update directory: /usr/perl5/5.8.4/var/spamassassin/3.002003
[14806] dbg: diag: perl platform: 5.008004 solaris
[14806] dbg: diag: module installed: Digest::SHA1, version 2.11
[14806] dbg: diag: module installed: HTML::Parser, version 3.56
[14806] dbg: diag: module installed: Net::DNS, version 0.60
[14806] dbg: diag: module installed: MIME::Base64, version 3.07
[14806] dbg: diag: module installed: DB_File, version 1.815
[14806] dbg: diag: module installed: Net::SMTP, version 2.31
[14806] dbg: diag: module installed: Mail::SPF, version v2.005
[14806] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[14806] dbg: diag: module installed: IP::Country::Fast, version 604.001
[14806] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[14806] dbg: diag: module installed: Net::Ident, version 1.20
[14806] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[14806] dbg: diag: module installed: IO::Socket::SSL, version 1.07
[14806] dbg: diag: module installed: Compress::Zlib, version 2.004
[14806] dbg: diag: module installed: Time::HiRes, version 1.59
[14806] dbg: diag: module installed: Mail::DomainKeys, version 1.0
[14806] dbg: diag: module installed: Mail::DKIM, version 0.26
[14806] dbg: diag: module installed: DBI, version 1.58
[14806] dbg: diag: module installed: Getopt::Long, version 2.34
[14806] dbg: diag: module installed: LWP::UserAgent, version 2.033
[14806] dbg: diag: module installed: HTTP::Date, version 1.47
[14806] dbg: diag: module installed: Archive::Tar, version 1.32
[14806] dbg: diag: module installed: IO::Zlib, version 1.05
[14806] dbg: diag: module installed: Encode::Detect, version 1.00
[14806] dbg: gpg: Searching for 'gpg'
[14806] dbg: util: current PATH is: /usr/sbin:/usr/bin:/usr/local/bin
[14806] dbg: util: executable for gpg was found at /usr/local/bin/gpg
[14806] dbg: gpg: found /usr/local/bin/gpg
[14806] dbg: gpg: release trusted key id list: 5E541DC959CB8BAC7C78DFDC4056A61A5244EC45 26C900A46DD40CD5AD24F6D7DEE01987265FA05B 0C2B1D7175B852C64B3CDC716C55397824F434CE
[14806] dbg: channel: attempting channel updates.spamassassin.org
[14806] dbg: channel: update directory /usr/perl5/5.8.4/var/spamassassin/3.002003/updates_spamassassin_org
[14806] dbg: channel: channel cf file /usr/perl5/5.8.4/var/spamassassin/3.002003/updates_spamassassin_org.cf
[14806] dbg: channel: channel pre file /usr/perl5/5.8.4/var/spamassassin/3.002003/updates_spamassassin_org.pre
[14806] dbg: channel: metadata version = 752903
[14806] dbg: dns: 3.2.3.updates.spamassassin.org => 752903, parsed as 752903
[14806] dbg: channel: current version is 752903, new version is 752903, skipping channel
[14806] dbg: diag: updates complete, exiting with code 1
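Bryan's run above ends with "exiting with code 1", and mouss's reply earlier in the thread explains that the channel is simply already at the latest version, so a cron job has to branch on that exit status rather than treat every non-zero exit as a failure. The wrapper below is an added example written for this page, not part of SpamAssassin or MIMEDefang: exit 0 (rules installed) and 1 (already current) are the two statuses the thread documents, every other status is treated as an error for a human to look at, the configuration is linted before anything is reloaded, and the reload command is a placeholder to be replaced with the real milter or MTA reload. The scripted_runner stand-in replays exit codes so the decision logic can be exercised without a live sa-update.

```python
"""Cron wrapper around sa-update that acts on its exit status.
Example code for this thread, not part of SpamAssassin or MIMEDefang."""
import subprocess
import sys


def classify_sa_update(rc):
    """0 = rules were updated, 1 = channel already current (the
    'skipping channel ... exiting with code 1' case); anything else is an
    error that should page someone instead of being silently ignored."""
    if rc == 0:
        return "updated"
    if rc == 1:
        return "current"
    return "error"


def run(cmd, runner=subprocess.run):
    """Run a command and return its exit status without raising on non-zero."""
    return runner(list(cmd), check=False).returncode


def update_rules(sa_update=("sa-update",),
                 lint=("spamassassin", "--lint"),
                 # Assumption: replace with your milter/MTA reload command.
                 reload=("echo", "reload your milter here"),
                 runner=subprocess.run):
    """Return one of: no-op, alert, lint-failed, reloaded, reload-failed."""
    state = classify_sa_update(run(sa_update, runner))
    if state == "current":
        return "no-op"
    if state == "error":
        return "alert"
    # Fresh rules are only worth reloading if the whole config still lints;
    # a broken rule set loaded into the scanner is worse than stale rules.
    if run(lint, runner) != 0:
        return "lint-failed"
    return "reloaded" if run(reload, runner) == 0 else "reload-failed"


class _Scripted:
    """Stand-in for subprocess.run that replays a fixed list of exit codes."""

    def __init__(self, codes):
        self._codes = list(codes)

    def __call__(self, cmd, check=False):
        return subprocess.CompletedProcess(cmd, self._codes.pop(0))


def scripted_runner(codes):
    return _Scripted(codes)


if __name__ == "__main__":
    outcome = update_rules()
    print(outcome)
    sys.exit(0 if outcome in ("no-op", "reloaded") else 1)
```

Extra channels and their signing keys, such as the SARE and sought channels mouss lists, are passed to sa-update on its command line (see the howto he links), so they belong in the `sa_update` tuple rather than in this logic.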
RE: JoeJobbed - Vbounce plugin - SPF?.
-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk]
Sent: Tuesday, 17 March 2009 10:17 p.m.
To: users@spamassassin.apache.org
Subject: Re: JoeJobbed - Vbounce plugin - SPF?.

On 17.03.09 14:02, Michael Hutchinson wrote:
>> I'm running Spamassassin 3.1.7, with netqmail 1.05, ClamAv etc..

> old ! The current SA version is 3.2.5 - upgrade.

Yes, I know it's old :) The upgrade is in the pipeline, but not for a couple of months yet. Mind you, it still runs pretty well and does catch a lot of Spam, for its age.

>> We initially tried 'riding out the storm' as it were, but were unable
>> to keep on top of the load put on the servers by excessive E-Mail
>> messages requiring scanning by SA. This got so bad that the mailserver
>> had become unresponsive to our clients.

> qmail is known for bouncing, instead of rejecting unknown recipients at SMTP level. You filter unknown
> recipients? If not, this is your problem.

If an smtproutes entry forces me to accept unknown recipients for said affected domain, then Yes, and I would assume that this is the behaviour.

>> How might I keep delivery flowing to valid recipients for the domain
>> (smarthosted (smtproutes) to exchange) but reject the blowback at SMTP
>> time?

> So you do NOT reject invalid recipients? Change qmail, or at least its SMTP server. There are afaik some
> that can do that.

Yes, that can be done with a valid rcptto patch for qmail. I've not applied the patch, but have added it to the list.

> And, optionally, consider some rules of rejecting before queueing - block invalid HELO strings, senders in
> some reliable blacklists etc. This helps.

I will work at blocking invalid HELO and some certain subjects at SMTP time, for a while after a joe job.

>> I was considering convincing the powers to let me setup SPF, but their
>> requirement would be to have both v1 and v2 spf tags - and I'm not
>> sure whether Q-Mail is up to both yet, but some kind of SPF
>> implementation where we check the tags (not necessarily publish them)
>> but I guess that's an MTA question:)

> forget SPF v2. Use v1 but don't expect huge results, there's still many SMTP servers not checking the
> SPF...

OK, What's wrong with SPF v2 ?

Thanks for your reply, Matus, I appreciate your help and ideas.

Cheers,
Michael Hutchinson
Manux Solutions Limited.
Re: interesting flash attack in spam
>> >> Michael Scheidell wrote:
>> > just saw this one in email. terra.com/ spamcop.com./br are hosting
>> > trojans.
>> > but this email uses flash to load this:
>> >
>> > http://www.terra.com.br/cartoes/datas/amor.swf";>
>> > (which redirects to http://cartoes.terra.com.br/datas/amor.swf )
>> >
>> > then tries to load a binary:
>> >
>> > ref="http://www.spamcom.com.br/CartadeAmor.exe";
>> >
>> > both files still exist on the hosts, and neither was identified by
>> > clamav, and neither triggered any ET (snort) rules, SA didn't trigger
>> > any rules except these:
>> >
>> > HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809,
>> > HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,
>> >
>> > (and my private rule, looking for a uri ending in .exe)
>> >
>> > email that tries to get you to load these here:
>> >
>> > http://pastebin.com/m2fcbe7b5
>> >
>>
>> Oh lovely!
>>
>> We've seen flash ad based driveby attacks on websites for a year or so -
>> this is the first time I've seen them inserted into an email (although
>> I'm sure it's been happening for a while).
>>
>> I don't know what bright spark at Adobe thought it would be a good idea
>> for the Flash API to have the functionality to download and execute
>> remote arbitrary code, but it should be easy enough to write a SA rule
>> to detect embedded flash-based content and score it.
>>
>> Thanks for posting the example.
>>

Hi,

well, realistically, there is a harmless flash inside a html page (those who do not like flash may score it, but it does not indicate spamminess or malicious content). There is also a plain link "click here to find out..." inside the html. So SA, or some malware defense, should probably detect that link to an exe file.

The bad news: flash can redirect to a new webpage - any webpage, even one that tries to download malware via javascripts. It is pretty much like a meta refresh or a javascript call in a html page, just that a normal scanner would not detect that.

Wolfgang Hamann
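Wolfgang's point is that the Flash object by itself is not the indicator, the link to an .exe is, and a scanner has to pick that link out of the HTML the way Michael's private uri rule does. The scanner below is an added example, not a SpamAssassin rule or any project's code: it walks an HTML body with Python's standard-library parser and reports embedded Flash objects (by MIME type, .swf src/data attributes or a movie param) and links whose path ends in an executable extension, after splitting off query strings and skipping non-web schemes so that a mailto: address ending in .com is not reported. The sample HTML is constructed and uses .invalid hostnames.

```python
"""Report embedded Flash objects and links to executables in an HTML mail body.
Example code for this thread, not a SpamAssassin rule."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
FLASH_EXT = {".swf"}
FLASH_MIME = "application/x-shockwave-flash"
URL_ATTRS = ("href", "src", "data")
WEB_SCHEMES = {"", "http", "https", "ftp"}   # relative URLs have scheme ""


class RiskyContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()   # (kind, tag, url); a set de-duplicates repeats

    def _classify_url(self, tag, url):
        parts = urlparse(url.strip())
        # mailto:bob@example.com would otherwise "end in .com": web URLs only.
        if parts.scheme.lower() not in WEB_SCHEMES:
            return
        # parts.path excludes the query string, so "/Card.EXE?id=42" is seen as "/Card.EXE".
        ext = posixpath.splitext(parts.path)[1].lower()
        if ext in EXEC_EXT:
            self.findings.add(("executable_uri", tag, url))
        elif ext in FLASH_EXT:
            self.findings.add(("flash_embed", tag, url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for name in URL_ATTRS:
            if a.get(name):
                self._classify_url(tag, a[name])
        # <param name="movie" value="..."> is how <object> names its Flash file.
        if tag == "param" and a.get("name", "").lower() == "movie" and a.get("value"):
            self._classify_url(tag, a["value"])
        # Catch Flash declared by MIME type even when the file has no .swf suffix.
        if tag in ("embed", "object") and a.get("type", "").lower() == FLASH_MIME:
            self.findings.add(("flash_embed", tag, a.get("src") or a.get("data")))


def scan_html(html):
    """Return the sorted list of (kind, tag, url) findings for one HTML body."""
    scanner = RiskyContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)


# Constructed sample resembling the message shape described in the thread.
SAMPLE = """<html><body>
<object type="application/x-shockwave-flash" data="http://cards.example.invalid/amor.swf">
  <param name="movie" value="http://cards.example.invalid/amor.swf">
</object>
<p>Your card could not be displayed.
<a href="HTTP://dl.example.invalid/Card.EXE?id=42">click here</a> to find out more.</p>
<img src="http://cards.example.invalid/logo.png">
</body></html>"""

# Constructed benign body: an ordinary link, an image and a mailto: address.
BENIGN = """<p><a href="https://www.example.com/news/index.html">read</a>
<img src="banner.png"> <a href="mailto:bob@example.com">write to bob</a></p>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(*finding)
    print("benign findings:", scan_html(BENIGN))
```

Within SpamAssassin the same observations would be scored by a uri rule plus the existing HTML_EMBEDS hit; what the code makes explicit is what such a rule has to tolerate: mixed-case extensions, query strings after the file name, and the object/param embedding that hides the .swf from a naive href search.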
Re: turn off bayes?
Dan,

> I normally disable bayes, because without proper training it tends to make
> spamassassin less reliable. But I've got one installation that is
> stubbornly running bayes even though I have disabled it.
>
> I set use_bayes 0 in /etc/mail/spamassassin/local.cf
> I set use_bayes 0 in ~/.spamassassin/user_prefs of the user running
> amavisd-new
> I can't find any other places I can disable it.

That should suffice, unless you have other .cf files there where it might be enabled.

> I have verified that all these are set and restarted amavisd-new, but I
> still get bayes_00=-2.599

Check what files SpamAssassin sees during startup:

amavisd debug-sa

> I also try very hard to kill off AWL, and it is
> running as well! How can I disable these features?

use_auto_whitelist 0

(or remove any:

loadplugin Mail::SpamAssassin::Plugin::AWL

in your .pre files)

> Does amavisd-new over-ride local.cf for that setting somehow?
> I searched the amavisd-new site for clues.
> I'm running spamassassin 3.2.5 and amavisd-new 2.6.2

No, should be all still according to SpamAssassin documentation. Just remember that everything runs under a dedicated username.

Mark
Re: SpamAssassins bayes mechanism and message headers
From: Greg Troxel
Date: Wed, 18 Mar 2009 15:33:31 -0400

Jeff Mincy writes:
>From: Matt Kettler
>Date: Tue, 17 Mar 2009 21:30:02 -0400
>
>> shouldn't SpamAssassins bayes mechanism just ignore the complete
>> message header and just look at the body?
>> This seems useful in my opinion.
>It seems like a very misguided idea to me.
>
>Is there any reason to think headers make bad tokens?
>Do you have any test data showing this improves your bayes accuracy?
>
> Yes - I think some headers make extremely bad tokens for bayes, for
> example the X-Mailer/User-Agent headers. 40% of the spam I get

I think I'm having a similar problem, where I get spam via a mailinglist, and bayes gives the spam credit for having similar headers to the ham which arrives on the list. I'm not so concerned about including the headers as they arrive at the list server, but all the headers added from receipt by the list server seem inappropriate. I'll try bayes_ignore_header.

Scanning mailing list email is more trouble than it's worth. It can be done, but you have to be very motivated and it is a lot of work to maybe catch a few mailing list spam messages. Bayes needs to ignore any headers and any special footer tokens added by the mailing list postings. You need to extend trusted_networks to the mailing list so that various tests are done on the submitter instead of the mailing list. DCC should be whitelisted for most mailing lists since the email messages are bulk. Any automatic reporting needs to be turned off. I'm sure there are other things that I'm forgetting. If the mailing list has reasonably good spam filtering then just skip running SpamAssassin.

-jeff
Re: interesting flash attack in spam
John Hardin wrote:
> My email sanitizer successfully defends against this attack.
>
> :)

mine did too... but it quarantined it in my 'this was only stopped due to custom rules, maybe SA group would like to see it' pile.

and, didn't see any SA rules (or SARES rules) except those given.

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2009 Hot Company Award Finalist, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
Re: SpamAssassins bayes mechanism and message headers
Jeff Mincy writes:
>From: Matt Kettler
>Date: Tue, 17 Mar 2009 21:30:02 -0400
>
>> shouldn't SpamAssassins bayes mechanism just ignore the complete
>> message header and just look at the body?
>> This seems useful in my opinion.
>It seems like a very misguided idea to me.
>
>Is there any reason to think headers make bad tokens?
>Do you have any test data showing this improves your bayes accuracy?
>
> Yes - I think some headers make extremely bad tokens for bayes, for
> example the X-Mailer/User-Agent headers. 40% of the spam I get

I think I'm having a similar problem, where I get spam via a mailinglist, and bayes gives the spam credit for having similar headers to the ham which arrives on the list. I'm not so concerned about including the headers as they arrive at the list server, but all the headers added from receipt by the list server seem inappropriate. I'll try bayes_ignore_header.
Re: SpamAssassins bayes mechanism and message headers
From: Matt Kettler
Date: Tue, 17 Mar 2009 21:30:02 -0400

fl...@pbartels.info wrote:
> Hello,
>
> instead of disabling a lot possibly set message headers using
> "bayes_ignore_header" and ending up in strange configs like:
>
> bayes_ignore_header Return-Path
...
> (found on the net)

Where?

>
> shouldn't SpamAssassins bayes mechanism just ignore the complete
> message header and just look at the body?
> This seems useful in my opinion.

It seems like a very misguided idea to me.

Is there any reason to think headers make bad tokens?
Do you have any test data showing this improves your bayes accuracy?

Yes - I think some headers make extremely bad tokens for bayes, for example the X-Mailer/User-Agent headers. 40% of the spam I get claims to have Microsoft Outlook as an X-Mailer. So bayes rapidly determines that *UAMicrosoft (etc) is an extremely strong token. These *UA tokens were enough to push a short ham message to BAYES_99. When I added a bayes_ignore_header the score dropped to ~BAYES_40

Obfuscated words like 'st0ck' are 100% indications of spam (or of messages that discuss spam), so these words work great for bayes. A 'X-Mailer: Microsoft Office Outlook' header doesn't really tell you anything about the message, at least not to the extent that bayes treats these tokens.

The Message-ID tokens are also low quality tokens. Most of these tokens are hapaxes that are never used by other messages. These just fill up the bayes database. Maybe if the Message-ID tokens were even more processed then maybe these could be more useful for bayes - eg - replace 1234.56789 with a format %4d.%5d, or throw out all of the timestamp numbers and keep just the stuff after the @.

-jeff
turn off bayes?
I normally disable bayes, because without proper training it tends to make spamassassin less reliable. But I've got one installation that is stubbornly running bayes even though I have disabled it.

I set use_bayes 0 in /etc/mail/spamassassin/local.cf
I set use_bayes 0 in ~/.spamassassin/user_prefs of the user running amavisd-new

I can't find any other places I can disable it. I have verified that all these are set and restarted amavisd-new, but I still get bayes_00=-2.599

I also try very hard to kill off AWL, and it is running as well!

How can I disable these features? Does amavisd-new over-ride local.cf for that setting some how? I searched the amavisd-new site for clues.

I'm running spamassassin 3.2.5 and amavisd-new 2.6.2

-- 
Daniel J McDonald
CCIE #2495, CISSP #78281
Re: What is AWL?
On 18-Mar-2009, at 12:07, John Hardin wrote:
> It's intended to allow an occasional spammy-looking message from a
> historically hammy correspondent to get through, hence "auto whitelist".

Well, it works just as well to prevent the occasional hammy message from getting through from a spammy correspondent too.

-- 
Critics look at actresses one of two ways: you're either bankable or boinkable.
Re: What is AWL?
On Wed, 18 Mar 2009, Georgy Goshin wrote:

> 6.6 AWL AWL: From: address is in the auto white-list
>
> another:
> 9.0 AWL AWL: From: address is in the auto white-list
>
> and another:
> 7.7 AWL AWL: From: address is in the auto white-list
>
> What is AWL rule? Why it gives so different amount of points?

"Auto Whitelist" is a misleading name. It is actually a score averager. Since the points it applies are based on the historical scoring from that sender, the score will vary by who the sender is and when the message is processed (i.e. their history to-date).

It's intended to allow an occasional spammy-looking message from a historically hammy correspondent to get through, hence "auto whitelist".

> How to resolve this?

I don't use it so I don't have a complete understanding of the management options, but basically, either understand and accept it, or turn it off. If it's behaving badly for a given sender their history can be discarded. I'm not sure whether SA can be told to not perform AWL for a given sender. Somebody else will no doubt fill that bit in.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Gun Control laws cannot reduce violent crime, because gun control laws assume a violent criminal will obey the law.
---
1327 days until the Presidential Election
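To make the averaging John describes concrete, here is a small model of it, added as an example; it is not code from the SpamAssassin AWL plugin. It assumes the adjustment is factor * (sender's historical mean - this message's score) with a factor of 0.5, which is my reading of the plugin's auto_whitelist_factor default, and the sender key and the score sequences are constructed. Feeding it one sender whose earlier mail scored high shows why the same AWL line can carry 6.6, 9.0 or 7.7 points on successive messages, and it also shows both directions of the effect: an outlier from a hammy sender is pulled down, and a hammy-looking message from a spammy sender is pushed back up.

```python
"""Toy model of SpamAssassin's AWL ("auto whitelist") score averaging.

Added example, not code from the SpamAssassin project. The adjustment
factor * (historical mean - current score), with factor 0.5, is my
reading of the plugin's auto_whitelist_factor default and is an
assumption here; sender addresses and score sequences are constructed.
"""
from collections import defaultdict


class AutoWhitelist:
    """Running mean of pre-AWL scores, keyed by sender."""

    def __init__(self, factor=0.5):
        self.factor = factor
        self.history = defaultdict(lambda: [0.0, 0])   # key -> [sum, count]

    def adjust(self, sender, score):
        """Return (awl_points, final_score) for one message and record it.

        The first message from a sender has no history, so AWL adds 0.0.
        Later messages are pulled toward the sender's historical mean: a
        hammy sender gets a spammy outlier reduced, and a spammy sender
        gets an occasional hammy-looking message pushed back up.
        """
        total, count = self.history[sender]
        awl_points = 0.0 if count == 0 else self.factor * (total / count - score)
        # Store the pre-AWL score so the average does not feed on itself.
        self.history[sender][0] += score
        self.history[sender][1] += 1
        return round(awl_points, 1), round(score + awl_points, 1)

    def forget(self, sender):
        """Discard one sender's history (the per-sender reset John mentions)."""
        self.history.pop(sender, None)


def run_sender(scores, factor=0.5):
    """Feed one sender's sequence of pre-AWL scores; return (awl, final) per message."""
    awl = AutoWhitelist(factor)
    return [awl.adjust("someone@example.test", s) for s in scores]


if __name__ == "__main__":
    # A sender whose earlier mail scored high: the same AWL rule yields
    # different points on successive messages (compare the 6.6 / 9.0 / 7.7 above).
    for step, (pts, final) in enumerate(run_sender([20.0, 20.0, 5.0, 2.0]), 1):
        print("spammy history, message %d: AWL %+.1f -> score %.1f" % (step, pts, final))
    # A normally hammy sender with one spammy-looking message: AWL pulls it down.
    print("hammy history, outlier:", run_sender([-2.0, -2.0, -2.0, 6.0])[-1])
    # The reverse: a hammy-looking message from a spammy sender is pushed up.
    print("spammy history, hammy message:", run_sender([15.0, 15.0, 15.0, 1.0])[-1])
```

As I understand the real plugin, the history key combines the sender address with part of the originating IP address, so the same address mailing from a different network starts a fresh average; that detail is left out of the model above.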
Re: What is AWL?
I understood the spelling of AWL, but why are the scores different? How to tune them?

G.

----- Original Message -----
From: "Ralf Hildebrandt"
To:
Sent: Wednesday, March 18, 2009 7:47 PM
Subject: Re: What is AWL?

* Georgy Goshin :
> 7.7 AWL AWL: From: address is in the auto white-list
>
> What is AWL rule? Why it gives so different amount of points? How to
> resolve this?

AutoWhiteList

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12200 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: What is AWL?
* Georgy Goshin :
> 7.7 AWL AWL: From: address is in the auto white-list
>
> What is AWL rule? Why it gives so different amount of points? How to
> resolve this?

AutoWhiteList

-- 
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12200 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: interesting flash attack in spam
On Wed, 18 Mar 2009, Michael Scheidell wrote:

> both files still exist on the hosts, and neither was identified by
> clamav, and neither triggered any ET (snort) rules, SA didn't trigger
> any rules except these:
>
> HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,

Isn't there a rule for html mail with no or start tags? That should have fired, too.

> email that tries to get you to load these here:
> http://pastebin.com/m2fcbe7b5

Thanks for posting the sample. My email sanitizer successfully defends against this attack. :)

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
...to announce there must be no criticism of the President or to stand by the President right or wrong is not only unpatriotic and servile, but is morally treasonous to the American public. -- Theodore Roosevelt, 1918
---
1327 days until the Presidential Election
Re: spamassassin freebsd amd64 bug? [Bug 5548] New: Spamassassin hangs with 100% CPU usage with 1 specific mail
On Tue, 2009-03-17 at 21:32 -0400, Matt Kettler wrote:
> Michael Scheidell wrote:
>> ran across this bug posting about a rumored problem with freebsd,
>> amd64 and spamassassin.
>>
>> trying to follow the bug url, got 'you are not allowed to view this bug'

FWIW, this bug is not made public due to sensitive, personal data accidentally attached to the bug. It is *not* related to the bug itself still being a security issue.

>> anyone know if its fixed/changed/
>>
>> anyone know if there are issues running the freebsd amd64 arch?
>>
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5548

Unrelated to FreeBSD, amd64. Actually unrelated to any OS or CPU architecture. The rumors are wrong. ;)

> 5548 was fixed with the release of SA 3.2.2:
> http://svn.apache.org/repos/asf/spamassassin/branches/3.2/build/announcements/3.2.2.txt

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: SpamAssassins bayes mechanism and message headers
On Wed, 2009-03-18 at 08:00 +0100, fl...@pbartels.info wrote:
> Matt Kettler wrote:
>> Is there any reason to think headers make bad tokens?
>
> For example the "X-Spam-Flag: NO" can cause Problems if you don't
> remove it before parsing and don't set it yourself. (You'll never do
> that and I don't know how SA really handle it internally but its a
> good example, because its exactly a header that tells the mail is ham.)
>
> For me it seems bayes would think now all messages with "X-Spam-Flag:
> NO" are not spam. Sure bayes is not a binary thinking system but this
> header field would push the mail a bit to be treated as no spam. (Or
> if all spammers set this Flag, no spam messages are pushed to be
> treated as spam.)

Nah, you're reading too much into that header, from a human point of view. Bayes does not understand the semantics of "Spam Flag == No" as you do...

> Problem:
> Now there could exist other fields that normally indicates the message
> is no spam. If they are used by a spammer and it is not ignored by the
> bayes system the message is handled more like no spam.

You ignored Bayes in that example. :) If spammers start injecting previously innocent headers en masse, the Bayes spam probability for that token quickly will become neutral or even spammy, depending on the amount of ham and spam with that header, upon learning.

> Using SAs Bayses mechanism sounds like a nice solution for unknown
> headers or headers you specially want to be used by SA but there is my
> problem above and because of it I'm feeling unsure if it's useful to
> ignore some headers or not.

It is useful to bayes_ignore_header custom headers you add *locally* (by your MDA, MUA, maybe MTA), which do not provide useful information or have been injected *after* scanning -- to prevent a subsequent manual sa-learn run from picking up those useless headers.

By default, SA ignores commonly used, useless headers already. So this really applies to your custom headers only.

> Actually I think some wrong identified tokens won't be a problem
> because there would be some (hopefully more) tokens identifying the
> message as spam. And thats just the way bayes works. So it seems you
> don't have to deactivate headers yourself but why are some people
> deactivating so much headers?

You should ask those who do. We don't, and we don't advocate it.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: I think SpamAssassin does not check every mails
Thanks for your reply, I'll check my local.cf & amavisd.conf. Have a nice day =)
Re: interesting flash attack in spam
Michael Scheidell wrote:
> just saw this one in email. terra.com / spamcop.com.br are hosting trojans.
>
> but this email uses flash to load this:
> http://www.terra.com.br/cartoes/datas/amor.swf
> (which redirects to http://cartoes.terra.com.br/datas/amor.swf )
>
> then tries to load a binary:
> href="http://www.spamcom.com.br/CartadeAmor.exe"
>
> both files still exist on the hosts, and neither was identified by
> clamav, and neither triggered any ET (snort) rules, SA didn't trigger
> any rules except these:
>
> HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,
>
> (and my private rule, looking for a uri ending in .exe)
>
> email that tries to get you to load these here:
> http://pastebin.com/m2fcbe7b5

Oh lovely! We've seen flash ad based driveby attacks on websites for a year or so - this is the first time I've seen them inserted into an email (although I'm sure it's been happening for a while).

I don't know what bright spark at Adobe thought it would be a good idea for the Flash API to have the functionality to download and execute remote arbitrary code, but it should be easy enough to write a SA rule to detect embedded flash-based content and score it.

Thanks for posting the example.
Re: SpamAssassins bayes mechanism and message headers
John Hardin wrote:
> On Tue, 17 Mar 2009, Matt Kettler wrote:
>
>> SA extensively parses the headers. It parses *all* headers, even
>> nonstandard ones that I could randomly configure a server to add like
>> "X-Matts-funky-header: Hi!".
>
> If at a later date you add a header to the ignore list, does Bayes
> "forget" that it's previously seen that header?

No. However, SA stops tokenizing it entirely, so it will never match an email. It will also never get its atime updated, so it should expire out reasonably quickly.
Re: SpamAssassins bayes mechanism and message headers
On Tue, 17 Mar 2009, Matt Kettler wrote:

> SA extensively parses the headers. It parses *all* headers, even
> nonstandard ones that I could randomly configure a server to add like
> "X-Matts-funky-header: Hi!".

If at a later date you add a header to the ignore list, does Bayes "forget" that it's previously seen that header?

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
USMC Rules of Gunfighting #4: If your shooting stance is good, you're probably not moving fast enough nor using cover correctly.
---
1327 days until the Presidential Election
Re: I think SpamAssassin does not check every mails
Sheeen,

> We have an amavisd/spamassassin/clamav gateway before our Exchange server.
> I've trained spamassassin with about 3500 hams / 3500 spams, it should work
> correctly, and I'm training it regularly.
> But we're receiving some spams yet.
>
> I've looked into the headers of spams received detected/undetected, and
> some mails are tagged, some mails aren't tagged.
>
> SPAM header :
> Received: from localhost (localhost.localdomain [127.0.0.1])
>   by gateway.domain.local (Postfix) with ESMTP id 0D5F0370C01
>   for ; Wed, 18 Mar 2009 11:07:16 +0100 (CET)
> X-Virus-Scanned: amavisd-new at cpa.local
> X-Spam-Flag: YES
> X-Spam-Score: 42.9
> X-Spam-Level: **
> X-Spam-Status: Yes, score=42.9 tagged_above=-99 required=3
>   tests=[BAYES_99=3.5, HTML_IMAGE_ONLY_28=1.561,
>   HTML_IMAGE_RATIO_02=0.383, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
>   RCVD_IN_BL_SPAMCOP_NET=1.96, URIBL_AB_SURBL=7, URIBL_BLACK=1.955,
>   URIBL_JP_SURBL=7, URIBL_OB_SURBL=7, URIBL_RHS_DOB=1.083, URIBL_SBL=5,
>   URIBL_WS_SURBL=5]
>
> NO SPAM header :
> Received: from localhost (localhost.localdomain [127.0.0.1])
>   by gateway.domain.local (Postfix) with ESMTP id 5B6EE370C01
>   for ; Wed, 18 Mar 2009 11:37:06 +0100 (CET)
> X-Virus-Scanned: amavisd-new at cpa.local
> X-Spam-Flag: NO
> X-Spam-Score: 2.22
> X-Spam-Level: **
> X-Spam-Status: No, score=2.22 tagged_above=-99 required=3
>   tests=[BAYES_50=0.001, TVD_SPACE_RATIO=2.219]
>
> And for others undetected spams, I can't see headers like this, in my
> opinion, every mail should be tagged, even ham.

For mail to be tagged, the following must hold true:

- SpamAssassin must see it: mail size must be below $sa_mail_body_size_limit
  and @bypass_spam_checks_maps for these recipients must be false;
- recipient must be local (outbound mail is not tagged), check your
  @local_domains_maps
- spam score must be above tag_level, or tag_level must be undef; check
  your $sa_tag_level_deflt, it is undef by default

Mark
I think SpamAssassin does not check every mails
Hi all,

We have an amavisd/spamassassin/clamav gateway before our Exchange server. I've trained spamassassin with about 3500 hams / 3500 spams, it should work correctly, and I'm training it regularly. But we're receiving some spams yet.

I've looked into the headers of spams received detected/undetected, and some mails are tagged, some mails aren't tagged. For example I can see this on headers :

SPAM header :
Received: from localhost (localhost.localdomain [127.0.0.1])
  by gateway.domain.local (Postfix) with ESMTP id 0D5F0370C01
  for ; Wed, 18 Mar 2009 11:07:16 +0100 (CET)
X-Virus-Scanned: amavisd-new at cpa.local
X-Spam-Flag: YES
X-Spam-Score: 42.9
X-Spam-Level: **
X-Spam-Status: Yes, score=42.9 tagged_above=-99 required=3
  tests=[BAYES_99=3.5, HTML_IMAGE_ONLY_28=1.561,
  HTML_IMAGE_RATIO_02=0.383, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
  RCVD_IN_BL_SPAMCOP_NET=1.96, URIBL_AB_SURBL=7, URIBL_BLACK=1.955,
  URIBL_JP_SURBL=7, URIBL_OB_SURBL=7, URIBL_RHS_DOB=1.083, URIBL_SBL=5,
  URIBL_WS_SURBL=5]

NO SPAM header :
Received: from localhost (localhost.localdomain [127.0.0.1])
  by gateway.domain.local (Postfix) with ESMTP id 5B6EE370C01
  for ; Wed, 18 Mar 2009 11:37:06 +0100 (CET)
X-Virus-Scanned: amavisd-new at cpa.local
X-Spam-Flag: NO
X-Spam-Score: 2.22
X-Spam-Level: **
X-Spam-Status: No, score=2.22 tagged_above=-99 required=3
  tests=[BAYES_50=0.001, TVD_SPACE_RATIO=2.219]

And for others undetected spams, I can't see headers like this, in my opinion, every mail should be tagged, even ham.

So, I think that spamassassin does not check everything, maybe it's a cpu issue (I don't think so, CPU charge is low), or maybe there is not enough child process of amavisd/spamassassin, I don't know.

Is there a way to reach amavisd child process ? Is there a way to force scan for ALL mails, even if we have to activate a queue ?

Thanks.
interesting flash attack in spam
just saw this one in email. terra.com / spamcop.com.br are hosting trojans.

but this email uses flash to load this:
http://www.terra.com.br/cartoes/datas/amor.swf
(which redirects to http://cartoes.terra.com.br/datas/amor.swf )

then tries to load a binary:
href="http://www.spamcom.com.br/CartadeAmor.exe"

both files still exist on the hosts, and neither was identified by clamav, and neither triggered any ET (snort) rules, SA didn't trigger any rules except these:

HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,

(and my private rule, looking for a uri ending in .exe)

email that tries to get you to load these here:
http://pastebin.com/m2fcbe7b5

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
| SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2009 Hot Company Award Finalist, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008

This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
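A standalone detector for the two things the sample does (embed a .swf, link to an .exe), added here as an example; it is not the pastebin sample, not Michael's private rule, and not SpamAssassin code. The two messages inside it are constructed: the first reuses the URLs quoted above inside a minimal HTML-only mail, the second is a benign HTML mail that should produce no findings. In SpamAssassin proper the same checks would be a rawbody rule for the embed/object tag and a uri rule for the executable extension, which is what Michael's private rule already does for the .exe half.

```python
"""Scan HTML mail for embedded Flash and links to executables.

Added example, not code from the thread or from SpamAssassin. SAMPLE and
BENIGN below are constructed messages (SAMPLE is not the pastebin sample;
it only reuses the two URLs quoted in the post). Pass the path of an .eml
file on the command line to scan real mail instead of SAMPLE.
"""
import re
import sys
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

FLASH_TYPE = "application/x-shockwave-flash"
URL_ATTRS = ("src", "href", "data", "movie", "value")
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd|msi)$", re.I)


class EmbedScanner(HTMLParser):
    """Collect (kind, tag, url) findings from the start tags of one HTML part."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        urls = [a[k] for k in URL_ATTRS if a.get(k)]
        # Flash is identified by its MIME type or by a .swf target on the
        # embed/object tag itself or on an <object>'s <param name="movie">.
        is_flash = (a.get("type", "").lower() == FLASH_TYPE
                    or any(urlparse(u).path.lower().endswith(".swf") for u in urls))
        if is_flash and (tag in ("embed", "object")
                         or (tag == "param" and a.get("name", "").lower() == "movie")):
            self.findings.append(("FLASH_EMBED", tag, urls[0] if urls else FLASH_TYPE))
        for u in urls:                      # any attribute pointing at an executable
            if EXEC_EXT.search(urlparse(u).path):
                self.findings.append(("EXE_URI", tag, u))


def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = EmbedScanner()
            scanner.feed(part.get_content())
            findings.extend(scanner.findings)
    return findings


SAMPLE = """\
From: cartao@mail.test
To: you@mail.test
Subject: Carta de Amor
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

<html><body>
<p>Voce recebeu um cartao!</p>
<embed src="http://www.terra.com.br/cartoes/datas/amor.swf"
       type="application/x-shockwave-flash" width="1" height="1">
<a href="http://www.spamcom.com.br/CartadeAmor.exe">Clique aqui</a>
</body></html>
"""

BENIGN = """\
From: newsletter@mail.test
To: you@mail.test
Subject: Weekly update
MIME-Version: 1.0
Content-Type: text/html

<html><body><p>Hello!</p><img src="http://mail.test/logo.png"></body></html>
"""


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for kind, tag, url in scan_message(raw):
        print(kind, tag, url)
```

Each finding is one fact about the message rather than a verdict, so a caller can weight them the way a rule score would: an embed with a Flash type is suspicious on its own, an executable link is worse, and the two together in an HTML-only mail with no text part is the pattern described in the post.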
Re: SpamAssassins bayes mechanism and message headers
Matt Kettler wrote:
> fl...@pbartels.info wrote:
>> Hello,
>>
>> instead of disabling a lot possibly set message headers using
>> "bayes_ignore_header" and ending up in strange configs like:
>>
>> bayes_ignore_header Return-Path
>> bayes_ignore_header Received
>> bayes_ignore_header X-Spam-Flag
>> bayes_ignore_header X-Spam-Status
>> bayes_ignore_header X-Spam-Flag
>> bayes_ignore_header X-Spam-Level
>> bayes_ignore_header X-purgate
>> bayes_ignore_header X-purgate-ID
>> bayes_ignore_header X-purgate-Ad
>> bayes_ignore_header X-GMX-Antispam
>> bayes_ignore_header X-Resent-For
>> bayes_ignore_header X-Resent-By
>> bayes_ignore_header X-Resent-To
>> bayes_ignore_header Resent-To
>> bayes_ignore_header Sender
>> bayes_ignore_header Precedence
>> bayes_ignore_header X-Antispam
>> bayes_ignore_header X-Sieve
>> bayes_ignore_header X-Spamcount
>> bayes_ignore_header X-Spamsensitivity
>> bayes_ignore_header To
>> bayes_ignore_header X-Sieve
>> bayes_ignore_header X-WEBDE-FORWARD
>> bayes_ignore_header X-purgate
>> bayes_ignore_header X-purgate-ID
>> bayes_ignore_header X-purgate-Ad
>> bayes_ignore_header X-GMX-Antispam
>> bayes_ignore_header X-Antispam
>> bayes_ignore_header X-Spamcount
>> bayes_ignore_header X-Spamsensitivity
>>
>> (found on the net)
> Where?

Just search bayes_ignore_header and you'll find a lot of results, partially with long lists like the one above of bayes_ignore_header settings. Because I found it often I'm thinking if it's really useful or not.

There is also an example in the default local.cf:

# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status

>> shouldn't SpamAssassins bayes mechanism just ignore the complete
>> message header and just look at the body?
>> This seems useful in my opinion.
> It seems like a very misguided idea to me.
>
> Is there any reason to think headers make bad tokens?

For example the "X-Spam-Flag: NO" can cause problems if you don't remove it before parsing and don't set it yourself. (You'll never do that and I don't know how SA really handles it internally but it's a good example, because it's exactly a header that tells the mail is ham.)

For me it seems bayes would think now all messages with "X-Spam-Flag: NO" are not spam. Sure bayes is not a binary thinking system but this header field would push the mail a bit to be treated as no spam. (Or if all spammers set this Flag, no spam messages are pushed to be treated as spam.)

Problem:
Now there could exist other fields that normally indicate the message is no spam. If they are used by a spammer and it is not ignored by the bayes system the message is handled more like no spam.

> Do you have any test data showing this improves your bayes accuracy?
>
> I'd expect a significant reduction in accuracy from this, but if you've
> got real data showing otherwise, I'd love to see it. My own informal
> testing shows header tokens are *VERY* useful, particularly Received:
> header tokens.

No, I'm just thinking about it.

> SpamAssassin contains quite a bit of code to break the headers down when
> tokenizing them in a useful way. It doesn't just extract a bunch of words
> from the headers and throw them in the database, it actually encodes
> things like what header a word exists in as a part of the token itself.
> ie: "Drug" in the From: header is a different token than "Drug" in the
> To: header which is different from "Drug" in the body.

What do you mean?

>> (Are static tests not good enough for the message headers?)
> No. Static rules are not any better for headers than they are for body
> text. Bayes allows SA to adapt to rapid mutations in spam. These
> mutations exist in both the headers, and the body.

It seems also more useful for me to activate just special header fields and ignore all others. I understand for example From, To or the Subject may contain useful tokenizable information but most fields seem not interesting and hard to find out or to be sure you got them all.

>> Is there a config option to tell SpamAssassins bayes mechanism not to
>> look at the message header or does SpamAssassin still not look at the
>> header by default?
> No, the entire design of the SA bayes mechanism intentionally tries to
> tokenize headers. A lot of work went into making it do this very well.
>
> Why would you want to disable it?

See above.

> If you don't like bayes, by all means disable it, but why cut off its
> legs? If you're going to use the CPU and IO time to run bayes, let it
> run well.
>
>> Perhaps there are regular expressions ? If it parses the message
>> header, it seems you have to read the RFC's and look at some tools to
>> find out what kind of message headers are set.
> SA extensively parses the headers. It parses *all* headers, even
> nonstandard ones that I could randomly configure a server to add like
> "X-Matts-funky-header: Hi!".
>
> There is no complete list of headers in the RFCs, because you can add a
> X- header with any name you can think of.

Yes I know. But there is a list of standardized and a li
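A small model of the header tokenization Matt and Jeff describe in this thread, added here as an example; it is not SpamAssassin's own tokenizer or Bayes code. It assumes a simplified H*Tag:word token scheme (SA's real prefixes differ), a Graham-style probability combiner, and a constructed corpus of six spam and five ham messages in which every spam and one ham claim an Outlook X-Mailer. Running it reproduces the three effects discussed above: "drug" in a From: header and "drug" in the body are distinct tokens; the X-Mailer tokens alone push a short ham message to a near-certain spam probability until the header is excluded with bayes_ignore_header; and folding each Message-ID into a %4d.%5d-style shape, as Jeff suggests, removes two hapax tokens per training message from the database.

```python
"""Simplified header tokenization for a Bayes spam filter (added example,
not SpamAssassin's tokenizer). Shows header-tagged tokens, bayes_ignore_header,
and folding Message-IDs into a %4d.%5d-style shape; the corpus is constructed."""
import math
import re
from collections import Counter
from email import message_from_string

WORD_RE = re.compile(r"[A-Za-z0-9']{3,}")
# Header name -> tag embedded in the token (assumed scheme, in the spirit of SA's *UA).
HEADER_TAGS = {"x-mailer": "UA", "user-agent": "UA", "from": "From",
               "to": "To", "subject": "Subj", "message-id": "MID"}


def shape(message_id):
    """Fold a Message-ID into its format: each digit run becomes %<len>d,
    so <1234.56789@host> and <9876.54321@host> yield the same token."""
    local, _, domain = message_id.strip("<> ").partition("@")
    return re.sub(r"\d+", lambda m: "%%%dd" % len(m.group()), local) + "@" + domain


def tokenize(raw, ignore_headers=(), fold_message_id=False):
    """Counter of tokens for one message; header tokens carry the header tag."""
    msg = message_from_string(raw)
    ignore = {h.lower() for h in ignore_headers}
    tokens = Counter()
    for name, value in msg.items():
        lname = name.lower()
        if lname in ignore:          # bayes_ignore_header: drop every token of it
            continue
        tag = HEADER_TAGS.get(lname, lname)
        if lname == "message-id" and fold_message_id:
            tokens["H*%s:%s" % (tag, shape(value))] += 1
            continue
        for word in WORD_RE.findall(value):
            tokens["H*%s:%s" % (tag, word.lower())] += 1
    for word in WORD_RE.findall(msg.get_payload()):
        tokens[word.lower()] += 1    # body tokens carry no tag
    return tokens


class Bayes:
    """Minimal Graham-style classifier over token presence per message."""
    def __init__(self):
        self.spam, self.ham, self.nspam, self.nham = Counter(), Counter(), 0, 0

    def learn(self, tokens, is_spam):
        for tok in tokens:           # presence per message, not frequency
            (self.spam if is_spam else self.ham)[tok] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def spam_probability(self, tokens):
        logodds = 0.0
        for tok in tokens:
            s, h = self.spam[tok], self.ham[tok]
            if s == 0 and h == 0:
                continue             # unseen token: no opinion
            ps, ph = s / self.nspam, h / self.nham
            p = min(0.95, max(0.05, ps / (ps + ph)))
            logodds += math.log(p / (1 - p))
        return 1 / (1 + math.exp(-logodds))


def mail(ua, sender, subject, mid, body):
    return ("X-Mailer: %s\nFrom: %s@mail.test\nTo: you@mail.test\nSubject: %s\n"
            "Message-ID: <%s@mail.test>\n\n%s\n" % (ua, sender, subject, mid, body))


OUTLOOK = "Microsoft Office Outlook, Build 11.0.5510"
TBIRD = "Thunderbird 2.0.0.21"
# Constructed corpus: every spam claims Outlook, one ham in five does too.
SPAM_BODIES = ["buy cheap st0ck now", "cheap viagra st0ck", "st0ck alert buy now",
               "cheap pills buy", "st0ck tips cheap", "buy now cheap"]
CORPUS = [(mail(OUTLOOK, "promo%d" % i, "offer", "1000%d.200%d" % (i, i), b), True)
          for i, b in enumerate(SPAM_BODIES, 1)]
CORPUS += [(mail(TBIRD, "ann", "notes", "20001.3001", "meeting notes attached"), False),
           (mail(TBIRD, "ben", "tomorrow", "20002.3002", "lunch tomorrow at the cafe"), False),
           (mail(TBIRD, "cat", "review", "20003.3003", "patch review comments"), False),
           (mail(OUTLOOK, "dan", "report", "20004.3004", "quarterly report draft"), False),
           (mail(TBIRD, "eve", "minutes", "20005.3005", "board minutes attached"), False)]
SHORT_HAM = mail(OUTLOOK, "new", "lunch", "77777.8888", "lunch today?")


def train(ignore_headers=(), fold_message_id=False):
    bayes = Bayes()
    for raw, is_spam in CORPUS:
        bayes.learn(tokenize(raw, ignore_headers, fold_message_id), is_spam)
    return bayes


def short_ham_probability(ignore_headers=()):
    """P(spam) for the short ham with, or without, X-Mailer tokens in play."""
    return train(ignore_headers).spam_probability(tokenize(SHORT_HAM, ignore_headers))


def hapax_count(fold_message_id=False):
    """Tokens seen in exactly one training message, i.e. database filler."""
    seen = Counter()
    for raw, _ in CORPUS:
        seen.update(tokenize(raw, fold_message_id=fold_message_id).keys())
    return sum(1 for n in seen.values() if n == 1)
```

short_ham_probability() with no arguments scores the short "lunch today?" message from a new sender as almost certainly spam on the strength of the five X-Mailer tokens alone; short_ham_probability(("X-Mailer",)) leaves only the hammy body token in play. hapax_count(False) minus hapax_count(True) is the number of one-off Message-ID tokens the folding removes from the database.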