Re: rbl/dnsbl seems to use wrong ip sometimes
On Sat, Jul 11, 2009 at 08:10:47PM -0700, dmy wrote:

As I mentioned this problem often leads to emails with scores around 3 and if this problem wouldn't be there I could lower the threshold to 1.5

Such action makes no sense. You should be raising scores for rules that work well for you. Also you should be adding more/better rules, use FreeMail plugin for example.
Re: Razor2 just won't work... sigh *SOLVED*
*SOLVED* Well, I go in and add a couple lines of code to get it to work. Really strange. I first re-installed both razor packages (using PREFIX=$HOME), which always installs my libraries into $home/lib. I then added the following two lines of code to my Razor2.pm file (around line 66):

  # figure out if razor is even available or not ...
  $self->{razor2_available} = 0;
  if ($mailsaobject->{local_tests_only}) {
    dbg("razor2: local tests only, skipping Razor");
  }
  else {
    use lib "/home/skipmorrow/lib/perl/5.8.8";    #added line here
    push @INC, "/home/skipmorrow/lib/perl/5.8.8"; #added line here
    if (eval { require Razor2::Client::Agent; }) {
      $self->{razor2_available} = 1;
      dbg("razor2: razor2 is available, version " . $Razor2::Client::Version::VERSION . "\n");
    }

It's working great for me now. Thanks to everyone who tried helping over email :)

Skip

MrGibbage wrote:

I have been trying to install Razor2 for two days now. I am on a Dreamhost VPS, but I don't have root access, so my perl modules go in ~/share/perl. I have that in my PERL5LIB environment variable.

And yet, when I receive an email, I get the following types of messages in my logs:

  [20377] dbg: config: read file /home/skipmorrow/share/spamassassin/25_razor2.cf
  [20377] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
  [20377] dbg: razor2: razor2 is not available

I have found that if I move/remove the Razor2.pm from my Plugins directory, I don't get any new error messages in my log, because Razor2 is also installed on the machine in /usr/share/perl5/Mail/SpamAssassin/Plugin

But I did find that if I deleted a plugin from my installation that was not pre-installed in the /usr, that I get a nice warning message here:

  [2874] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URICountry.pm in @INC (@INC contains: lib /home/skipmorrow/share/perl/5.8.8 /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl) at (eval 80) line 1.

Ah ha, so my perl environment looks like that when procmail is running. It looks to me that if I have any perl modules that I want procmail/SA to recognize that aren't pre-installed, then I need to put them in /home/skipmorrow/share/perl/5.8.8. Keep that in mind...

Looking at the source code for Razor2.pm, I see the line that generates the "razor2 is not available" error message.

  if (eval { require Razor2::Client::Agent; }) {
    $self->{razor2_available} = 1;
    dbg("razor2: razor2 is available, version " . $Razor2::Client::Version::VERSION . "\n");
  }
  else {
    dbg("razor2: razor2 is not available... looking for Razor2::Client::Agent");
  }

I made a small change to the text that is output when Razor2::Client::Agent is not found, and indeed, the new error message appears. So, now we know that Razor2 is looking for Razor2::Client::Agent. And it has to be in /home/skipmorrow/share/perl/5.8.8 in order for SA to find it.

And that's where mine is:

  skipmor...@ps11651:~$ pwd
  /home/skipmorrow
  skipmor...@ps11651:~$ ls share/perl/5.8.8/
  . .. Bundle CPANPLUS.pm IP Mail Razor2 spamassassin-run.pod
  skipmor...@ps11651:~$ ls share/perl/5.8.8/Razor2/
  . .. Client Engine Errorhandler.pm Logger.pm Preproc Signature String.pm Syslog.pm
  skipmor...@ps11651:~$ ls share/perl/5.8.8/Razor2/Client/
  . .. Agent.pm Config.pm Core.pm Engine.pm Version.pm

Thanks to the great tips I received in the other thread I posted about the different environments between when logged in as a shell user, and when procmail is running, I added a few commands to my .procmailrc to get the userid and environment settings (http://www.nabble.com/OT--Linux-environment-tt24427323.html):

  User: uid=15203(skipmorrow) gid=588771(pg652) groups=588771(pg652)
  Environment:
  LINEBUF=2048
  LOGNAME=skipmorrow
  HOME=/home/skipmorrow
  ORGMAIL=/var/mail/skipmorrow
  PROCMAIL_VERSION=3.22
  SENDMAILFLAGS=-oi
  SHELLFLAGS=-c
  MSGPREFIX=msg.
  LOCKEXT=.lock
  SHELLMETAS=|~;?*[
  HOST=ps11651
  PATH=/home/skipmorrow/bin:/usr/local/bin:/usr/bin:/bin
  DEFAULT=/home/skipmorrow/Maildir/
  MAILDIR=/home/skipmorrow/Maildir
  PMDIR=/home/skipmorrow/Procmail
  LOGFILE=/home/skipmorrow/Procmail/log
  SHELL=/bin/sh
  SENDMAIL=/usr/sbin/sendmail
  FORMAIL=/usr/bin/formail

I can run the razor-* scripts in home/skipmorrow/bin, so I know it *will* work, but I just can't get it to work when SA/Procmail is running it.

  skipmor...@ps11651:~$ ./bin/razor-check -d email_saves/msg.ulg0E email.debug

And I see nothing remarkable in the email.debug (the mail I piped in is found to be known spam)

  snip
  Jul 11 11:19:46.978415 check[10659]: [ 3] mail 1 is known spam.
  Jul 11 11:19:46.978454 check[10659]: [ 5] disconnecting from server c301.cloudmark.com
  Jul 11 11:19:46.978523 check[10659]: [ 4] c301.cloudmark.com 5
  Jul 11
Re: rbl/dnsbl seems to use wrong ip sometimes
On Sat, 11 Jul 2009 20:10:47 -0700 (PDT) dmy i...@dwsa.de wrote:

Well, if I take a look at http://combined.njabl.org/listing.html it says that Being a dial-up port IP or other dynamic address is reason enough to become listed. So therefore I don't want the last IPs to score on that list because they are almost always dynamic...

There's more than one njabl list, an address wouldn't get into the open proxy list just by being dynamic. If the DUL list were checked, it would be on the last hop only - it isn't used because it's been obsoleted by SPAMHAUS PBL.
trusted_networks and internal_networks
I have read the help pages for those two settings over and over, and I guess I'm just not smart enough. I can't figure out what I should put for those two settings. Can one of you give me a hand by looking at the headers from an email?

I can tell you that my SA installation is on ps11651.dreamhostps.com and the way I receive email is my email is sent to my public email address, s...@pelorus.org and I have an auto-forwarder which sends the mail to my SA box via email, at skip-mor...@psoneonesixfiveone.dreamhostps.com (mangled here). I never receive mail directly to skip-mor...@psoneonesixfiveone.dreamhostps.com. If I did, it would have to be spam because they scraped the address from somewhere. pelorus.org and ps11651.dreamhostps.com are the same box. All the appriver stuff below is done on the sending side of my company's exchange server.

Anyway, maybe I got it, but these two settings seemed too important to get wrong, so I just want to be sure.

  #ps11651.dreamhostps.com and pelorus.org
  internal_networks 75.119.219.171
  trusted_networks 75.119.219.171 #I think this is wrong

So is the idea that I could add more trusted_networks to the list, sort of like a whitelist. Perhaps adding my work ip addresses below? Isn't that trusted_networks setting above saying **ALL** mail is trusted to not be spam since **ALL** mail comes in on that IP address? And what about the Received: from homiemail-mx7.g.dreamhost.com (balanced.mail.policyd.dreamhost.com [208.97.132.119])? I have checked and I do receive all mail from one of 208.97.132.* Should that be on my internal_networks?

Sorry for all the questions, but like I said, I don't want to dork this up.

  From skip.mor...@work.com Sun Jul 12 05:22:04 2009
  Return-Path: skip.mor...@work.com
  X-Original-To: skip-mor...@psoneonesixfiveone.dreamhostps.com
  Delivered-To: skip-mor...@psoneonesixfiveone.dreamhostps.com
  Received: from homiemail-mx7.g.dreamhost.com (balanced.mail.policyd.dreamhost.com [208.97.132.119])
      by ps11651.dreamhostps.com (Postfix) with ESMTP id 9C6C14DE06DC
      for skip-mor...@psoneonesixfiveone.dreamhostps.com; Sun, 12 Jul 2009 05:22:04 -0700 (PDT)
  Received: from server107.appriver.com (server107d.exghost.com [69.20.5.102])
      by homiemail-mx7.g.dreamhost.com (Postfix) with ESMTP id 6F902CF634
      for s...@pelorus.org; Sun, 12 Jul 2009 05:22:04 -0700 (PDT)
  Received: by server107.appriver.com (CommuniGate Pro PIPE 5.2.14)
      with PIPE id 182484323; Sun, 12 Jul 2009 08:21:38 -0400
  Received: from [207.97.230.106] (HELO FE08.exg3.exghost.com)
      by server107.appriver.com (CommuniGate Pro SMTP 5.2.14)
      with ESMTP id 182484322 for s...@pelorus.org; Sun, 12 Jul 2009 08:21:35 -0400
  Received: from be45.exg3.exghost.com ([207.97.230.87])
      by FE08.exg3.exghost.com with Microsoft SMTPSVC(6.0.3790.3959);
      Sun, 12 Jul 2009 08:22:00 -0400
  X-MimeOLE: Produced By Microsoft Exchange V6.5
  Content-class: urn:content-classes:message
  MIME-Version: 1.0
  Content-Type: multipart/alternative; boundary=_=_NextPart_001_01CA02EB.5B2A3938
  Subject: Header Test
  Date: Sun, 12 Jul 2009 08:21:40 -0400
  Message-ID: 0ed59d8edb04bd4cb3e9201be3f267faa0d...@be45.exg3.exghost.com
  X-MS-Has-Attach:
  X-MS-TNEF-Correlator:
  Thread-Topic: Header Test
  Thread-Index: AcoC60+YGmL4fY9YTc6J+g06GWRCsQ==
  From: Morrow, Skip skip.mor...@work.com
  To: s...@pelorus.org
  X-OriginalArrivalTime: 12 Jul 2009 12:22:00.0441 (UTC) FILETIME=[5B376E90:01CA02EB]
  X-Policy: GLOBAL - work.com
  X-Primary: skip.mor...@work.com
  X-Note: This Email was scanned by AppRiver SecureTide
  X-ALLOW: skip.mor...@work.com ALLOWED
  X-Virus-Scan: V-
  X-Note: Spam Tests Failed:
  X-Country-Path: UNITED STATES-UNITED STATES-UNITED STATES
  X-Note-Sending-IP: 207.97.230.106
  X-Note-Reverse-DNS: fe08.exg3.exghost.com
  X-Note-WHTLIST: skip.mor...@work.com
  X-Note: User Rule Hits:
  X-Note: Global Rule Hits: 119 120 121 122 126 127 138 219
  X-Note: Mail Class: ALLOWEDSENDER
Re: [NEW SPAM FLOOD] www.shopXX.net
2009/7/11 Sim simvi...@gmail.com:

New rules:

  body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
  body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
  body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
  body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
  body __MED_END_SP /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  body __MED_END_PUNCT /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  body __MED_END_DOT /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  body __MED_END_BOTH /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
  describe AE_MED42 rule to catch still more spam obfuscation
  score AE_MED42 4.0

Hi Dan, very very thanks! It's perfect for all variant! Regards

Hi! Again typology.

  Rpace Against the Clocck.www_ze44_com

:-( Spammer observe us!
Re: rbl/dnsbl seems to use wrong ip sometimes
On Sat, 2009-07-11 at 20:10 -0700, an anonymous Nabble user wrote:

The problem I have is that sometimes I get RBL hits even though the sender is using a valid smarthost.

BTW, using that relay is not being punished in any way, and actually entirely irrelevant to this NJABL PROXY hit. Some DNSBLs are *meant* to do deep parsing. PBL style ones are not, [...]

Well, if I take a look at http://combined.njabl.org/listing.html it says that Being a dial-up port IP or other dynamic address is reason enough to become listed. So therefore I don't want the last IPs to score on that list because they are almost always dynamic...

That's a different list than the PROXY hit -- and that particular NJABL list is deprecated in favor of Spamhaus PBL anyway. See NJABL usage info.

Apparently it's an open proxy, ready and willing to relay ANY spam to ANYone. That *is* worth scoring. Fix the open proxy.

What are you talking about? The web.de server is definitely not an open proxy and the other IP doesn't even have port 25 open (OK, since it's a

I am talking about the first hop being an open proxy. I am not talking about the web.de relay, neither any relay at all. Open port 25 ready to relay mail unconditionally would be OPEN RELAY, which is NOT the same as PROXY. Again, see the usage info.

dynamic IP that could have been different in the past but that is exactly the reason why I don't want these first ips to be checked...)

Frankly, it does appear to be a dynamic end-user IP. Listed years ago, so I just went ahead and requested de-listing of that IP. Probably an outdated listing. If it still does open proxying, though, it will be re-listed very shortly. However, see NJABL FAQ 11.

Spam sent via a proxy means, that it is the very first hop, completely masking the original source. Thus, this test MUST include the first hop.

Nope. You're understanding wrong, some tests are deliberately meant to do deep-parsing.

My question again: Is it possible to change this default behaviour somehow and just have the

Yes, it is possible to change this, by overriding the rule similar to other rules found in the

*sigh* Score -0.4. What do you feel like fixing?

As I mentioned this problem often leads to emails with scores around 3 and if this problem wouldn't be there I could lower the threshold to 1.5

I agree with Henrik here -- that does not make sense

Actually, it is harmful. All scores have been evaluated according to a threshold of 5 -- lowering it that drastically is just begging for FPs. Instead, raise some good performing rule's scores, or add third-party rule-sets.

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: rbl/dnsbl seems to use wrong ip sometimes
On Sun, 2009-07-12 at 05:57 +0100, rich...@buzzhost.co.uk wrote: The pro's and cons aside, a finer degree of control would be very welcome and very useful. It probably exists for those people who know SA inside out - but fine control for the rest of us would be nice too! If you don't grok how to do this by looking at other DNSBL rules, you definitely shouldn't be mocking with this in the first place. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: [NEW SPAM FLOOD] www_nu26_com
On Sat, 11 Jul 2009, Jason L Tibbitts III wrote:

I still wonder, though, if we shouldn't be turning these back into hostnames and looking them up in the regular URI blacklists

Given the obvious objections to having the primary URIBL mechanism try to parse obfuscations, I once again question why we cannot have some sort of mechanism for 'capturing' the values of ordinary tests (such as the overly complex rule to catch these uribl obfuscations) and then have that value to manually feed to another test?

There would be some interesting details to such a thing, for instance, if a rule matches more than one obfuscated URI, the 'capture' mechanism would have to somehow 'deliver' each captured value as an iteration of any check/test that included it

But for cases like this URI stuff, something 'flexible' is needed

- Charles
Re: OT: Website protection
schmero...@gmail.com wrote: One of our client's websites gets hacked frequently - 1x per month - usually with some kind of phishing scam. We've also had some problems lately. After deep investigations we saw that in 100% of the cases there were no break-ins at all. Not in the old fashioned manner anyway. The ftp usernames and passwords were stolen from the client's PC with keylogger or spyware. The hacker could then log in to the ftp account and make changes to the website. To prevent this: Change ftp passwords often and check client PC machines for viruses. Security aware companies will after an incident like this be aware of the risks to use MS Windows to upload their website content. If they can't live with that risk, then they have an option to switch - perhaps only the machines used for ftp transactions. Mikael
Re: trusted_networks and internal_networks
On Sun, 12 Jul 2009 05:54:35 -0700 (PDT) MrGibbage s...@pelorus.org wrote:

I have read the help pages for those two settings over and over, and I guess I'm just not smart enough. I can't figure out what I should put for those two settings. Can one of you give me a hand by looking at the headers from an email?

I can tell you that my SA installation is on ps11651.dreamhostps.com and the way I receive email is my email is sent to my public email address, s...@pelorus.org and I have an auto-forwarder which sends the mail to my SA box via email, at skip-mor...@psoneonesixfiveone.dreamhostps.com (mangled here). I never receive mail directly to skip-mor...@psoneonesixfiveone.dreamhostps.com. If I did, it would have to be spam because they scraped the address from somewhere. pelorus.org and ps11651.dreamhostps.com are the same box. All the appriver stuff below is done on the sending side of my company's exchange server.

Anyway, maybe I got it, but these two settings seemed too important to get wrong, so I just want to be sure.

  #ps11651.dreamhostps.com and pelorus.org
  internal_networks 75.119.219.171
  trusted_networks 75.119.219.171 #I think this is wrong

You don't need this address, the server adds the final received header, so the address never appears in the headers.

Generally forwarders should go into your internal networks, unless they rewrite the return-path or there is a possibility of mail submission, in which case things get a bit more complicated.

If you want to add other addresses to trusted remember that they must be an unbroken chain.
Re: trusted_networks and internal_networks
On Sun, July 12, 2009 16:21, RW wrote:

Generally forwarders should go into your internal networks,

no no, internal networks is your own wan ips nothing more, imho forwarders is trusted/msa

unless they rewrite the return-path

why does this change ?

or there is a possibility of mail submission,

msa networks

in which case things get a bit more complicated.

indeed :)

If you want to add other addresses to trusted remember that they must be an unbroken chain.

best is always to check a giving msg a test like

  spamassassin 2>&1 -D -t msg | grep untrusted | less

to see the untrusted ips and then whois the ips to find the good ips that is not dynamic/untrusted

-- xpoint
Re: OT: Website protection
Mikael Bak wrote: schmero...@gmail.com wrote: One of our client's websites gets hacked frequently - 1x per month - usually with some kind of phishing scam. We've also had some problems lately. After deep investigations we saw that in 100% of the cases there were no break-ins at all. Not in the old fashioned manner anyway. The ftp usernames and passwords were stolen from the client's PC with keylogger or spyware. The hacker could then log in to the ftp account and make changes to the website. I've seen this myself on three different client machines (each hosting multiple sites). I have yet to discover what spyware was responsible as the owners of the different sites contacted the users in question themselves. Regards, Rick
RE: [NEW SPAM FLOOD] www.shopXX.net
On Fri, 10 Jul 2009, McDonald, Dan wrote:

They have. They are using underscores, which are a [:punct:], but don't form a \b break.

New rules:

  body __MED_BEG_SP /\bw{2,3}[[:space:]][[:alpha:]]{2,6}\d{2,6}/i
  body __MED_BEG_PUNCT /\bw{2,3}[[:punct:]]{1,3}[[:alpha:]]{2,6}\d{2,6}/i
  body __MED_BEG_DOT /\bw{2,3}\.[[:alpha:]]{2,6}\d{2,6}/i
  body __MED_BEG_BOTH /\bw{2,3}[[:punct:][:space:]]{2,5}[[:alpha:]]{2,6}\d{2,6}\b/i
  body __MED_END_SP /[[:alpha:]]{2,6}\d{2,6}[[:space:]](?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  body __MED_END_PUNCT /[[:alpha:]]{2,6}\d{2,6}[[:punct:]]{1,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  body __MED_END_DOT /[[:alpha:]]{2,6}\d{2,6}\.(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  body __MED_END_BOTH /[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,5}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  meta AE_MED42 (__MED_BEG_SP || __MED_BEG_PUNCT || __MED_BEG_DOT || __MED_BEG_BOTH ) && (__MED_END_SP || __MED_END_PUNCT || __MED_END_DOT || __MED_END_BOTH) && ! (__MED_BEG_DOT && __MED_END_DOT )
  describe AE_MED42 rule to catch still more spam obfuscation
  score AE_MED42 4.0

I think that can be simplified somewhat by reversing the obfuscation matches:

  body URI_OBFU_WWW /\bw{2,3}[^[:alnum:]]{1,3}\w{1,20}(?:(?!\.[[:alnum:]])[^[:alnum:]]{1,3})(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
  describe URI_OBFU_WWW Obfuscated URI

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The world has enough Mouse Clicking System Engineers. -- Dave Pooser
---
4 days until the 64th anniversary of the dawn of the Atomic Age
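The two rule sets from this thread, run side by side over the obfuscated strings quoted in it. This is an added example, not code from either poster: Python's re has no POSIX classes, so [[:alpha:]], [[:punct:]], [[:space:]] and [[:alnum:]] are replaced by ASCII equivalents, and the function names and the plain and digit-free sample strings are constructed for illustration.

```python
import re
import string

# Assumption of this sketch: ASCII stand-ins for the POSIX classes used in
# the SpamAssassin rules (SpamAssassin itself evaluates them with Perl).
ALPHA = "A-Za-z"
ALNUM = "A-Za-z0-9"
PUNCT = re.escape(string.punctuation)      # contains "_", like [:punct:]
FLAGS = re.IGNORECASE | re.ASCII

LABEL = "[" + ALPHA + r"]{2,6}\d{2,6}"     # e.g. "ze44", "nu26"
TLD = r"(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b"

# Separator allowed by each __MED_BEG_* / __MED_END_* sub-rule.
SEPS = {
    "SP": r"\s",
    "PUNCT": "[" + PUNCT + "]{1,3}",
    "DOT": r"\.",
    "BOTH": "[" + PUNCT + r"\s]{2,5}",
}

# __MED_BEG_BOTH is the only BEG rule with a trailing \b, as posted.
BEG = {
    name: re.compile(r"\bw{2,3}" + sep + LABEL + (r"\b" if name == "BOTH" else ""), FLAGS)
    for name, sep in SEPS.items()
}
END = {name: re.compile(LABEL + sep + TLD, FLAGS) for name, sep in SEPS.items()}

# John Hardin's single rule: any non-alphanumeric separators, but not a
# plain dot directly followed by an alphanumeric before the TLD.
URI_OBFU_WWW = re.compile(
    r"\bw{2,3}[^" + ALNUM + r"]{1,3}\w{1,20}"
    r"(?:(?!\.[" + ALNUM + r"])[^" + ALNUM + r"]{1,3})" + TLD,
    FLAGS,
)


def ae_med42(body):
    """meta AE_MED42: any BEG hit, any END hit, unless both DOT rules hit."""
    beg = {name for name, rx in BEG.items() if rx.search(body)}
    end = {name for name, rx in END.items() if rx.search(body)}
    return bool(beg) and bool(end) and not ("DOT" in beg and "DOT" in end)


def uri_obfu_www(body):
    return URI_OBFU_WWW.search(body) is not None


def boundary_after_digits(text):
    # "_" is a word character, so there is no \b between "6" and "_".
    return re.search(r"\d\b", text, re.ASCII) is not None


if __name__ == "__main__":
    samples = [
        "Rpace Against the Clocck.www_ze44_com",  # quoted in the thread
        "www_nu26_com",                           # from a thread subject
        "www nu26 com",                           # constructed
        "www.nu26.com",                           # constructed, not obfuscated
        "www_shopxx_net",                         # constructed, no digits
    ]
    for s in samples:
        print(f"{s!r:45} AE_MED42={ae_med42(s)!s:5} URI_OBFU_WWW={uri_obfu_www(s)}")
```

The single rule also fires on labels without digits (the constructed www_shopxx_net), which the AE_MED42 sub-rules require, so it covers more variants with one pattern.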
Re: Am I fscking up my bayes db?
On 09.07.09 09:30, Daniel Schaefer wrote:

I have a similar setup. If a Spam message makes it to my inbox with less than the required_score, I put it into a SPAM folder and run sa-learn on the folder. Should I also implement the following ignore rules?

  bayes_ignore_header X-Spam-Flag
  bayes_ignore_header X-Spam-Level
  bayes_ignore_header X-Spam-Status
  bayes_ignore_header X-Spam...etc.

Not needed, these are already ignored by spamassassin itself.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory.
Re: trusted_networks and internal_networks
On Sun, 12 Jul 2009 17:29:07 +0200 (CEST) Benny Pedersen m...@junc.org wrote:

On Sun, July 12, 2009 16:21, RW wrote:

Generally forwarders should go into your internal networks,

no no, internal networks is your own wan ips nothing more, imho forwarders is trusted/msa

If you do it that way SPF, XBL, DUL etc run against a server that's inside your trusted network and not against the responsible IP address.

unless they rewrite the return-path

why does this change ?

Ideally you want SPF to run against the IP address that delivered to first MX server; and unless that MX server adds usable SPF headers, you need to put it into the internal network. If the forwarding server does Sender Rewriting, SA may not be able to get the original smtp mail from address, and you may want to use the trusted network instead to run SPF against the rewritten address.
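The "unbroken chain" and "which IP do SPF and the last-hop DNSBLs run against" points from this thread, worked through on the Received headers of the "Header Test" message. This is an added example, not SpamAssassin's code and not from any poster: it is a simplified model in which a relay counts as internal or trusted only while every newer relay did too, and the /24 ranges and function names are assumptions built from the addresses in those headers.

```python
import ipaddress
import re

# Received headers of the "Header Test" message quoted in this thread,
# newest first, trimmed after the "with" clause.
RECEIVED = [
    "from homiemail-mx7.g.dreamhost.com (balanced.mail.policyd.dreamhost.com "
    "[208.97.132.119]) by ps11651.dreamhostps.com (Postfix) with ESMTP",
    "from server107.appriver.com (server107d.exghost.com [69.20.5.102]) "
    "by homiemail-mx7.g.dreamhost.com (Postfix) with ESMTP",
    "by server107.appriver.com (CommuniGate Pro PIPE 5.2.14) with PIPE",
    "from [207.97.230.106] (HELO FE08.exg3.exghost.com) "
    "by server107.appriver.com (CommuniGate Pro SMTP 5.2.14) with ESMTP",
    "from be45.exg3.exghost.com ([207.97.230.87]) "
    "by FE08.exg3.exghost.com with Microsoft SMTPSVC(6.0.3790.3959)",
]

RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(headers):
    """Connecting IP recorded by each header, newest first.

    Headers without one (here the local PIPE hand-off) are skipped.
    """
    found = (RELAY_IP.search(h) for h in headers)
    return [m.group(1) for m in found if m]


def classify(ips, internal, trusted=()):
    """Label each relay 'internal', 'trusted' or 'untrusted'.

    The walk starts at the newest header, which the local server wrote.
    Once a relay falls outside a set, every older relay does as well,
    because the headers past that point were written by an unknown host.
    """
    internal_nets = [ipaddress.ip_network(n) for n in internal]
    # Assumption of this model: everything internal is also trusted.
    trusted_nets = internal_nets + [ipaddress.ip_network(n) for n in trusted]

    def inside(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    zones, is_internal, is_trusted = [], True, True
    for ip in ips:
        is_internal = is_internal and inside(ip, internal_nets)
        is_trusted = is_trusted and inside(ip, trusted_nets)
        zone = "internal" if is_internal else "trusted" if is_trusted else "untrusted"
        zones.append((ip, zone))
    return zones


def first_outside(zones, names):
    for ip, zone in zones:
        if zone not in names:
            return ip
    return None


def last_external(zones):
    """Relay that handed the mail to the internal network (last-hop checks)."""
    return first_outside(zones, {"internal"})


def first_untrusted(zones):
    """Newest relay whose own headers can no longer be believed."""
    return first_outside(zones, {"internal", "trusted"})


if __name__ == "__main__":
    ips = relay_ips(RECEIVED)
    scenarios = {
        "server IP only": (["75.119.219.171"], []),
        "forwarder internal": (["208.97.132.0/24"], []),
        "gap in trusted chain": (["208.97.132.0/24"], ["207.97.230.0/24"]),
        "unbroken chain": (["208.97.132.0/24"], ["69.20.5.102", "207.97.230.0/24"]),
    }
    for name, (internal, trusted) in scenarios.items():
        zones = classify(ips, internal, trusted)
        print(name, zones, "last external:", last_external(zones))
```

With only 75.119.219.171 configured, the last external relay is the forwarder's own 208.97.132.119, so last-hop checks land on the forwarder instead of on 69.20.5.102, the host that delivered to it.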
processing of mail considered spam
Hi there,

Some spam is getting past the spamassassin. So I'd like to devise a scheme where I manually place the emails not caught by spamassassin in my 'spam-mail' folder. Is there any way to get spamassassin to process the contents of the folder so those accepted messages are considered spam in the future?

Cheers, Noah
Re: processing of mail considered spam
Hi there,

Some spam is getting past the spamassassin. So I'd like to devise a scheme where I manually place the emails not caught by spamassassin in my 'spam-mail' folder. Is there any way to get spamassassin to process the contents of the folder so those accepted messages are considered spam in the future?

It depends. If the spam-mail folder is a folder in a POP3 client, it is not easy to automate it.

If the spam-mail folder is a folder in an IMAP-server, and the server uses Maildir format under Linux or other Unix, it is easy. The mails are plain text files in the server file system, and a cron job can easily run sa-learn --spam with that folder.

If the server is some MS Exchange I have no idea. Maybe the folder could be downloaded periodically with fetchmail or such, and fed to sa-learn.

Anyway, SpamAssassin itself does not help besides sa-learn, so this needs scripting on your part.
Re: processing of mail considered spam
Jari Fredriksson wrote:

Hi there,

Some spam is getting past the spamassassin. So I'd like to devise a scheme where I manually place the emails not caught by spamassassin in my 'spam-mail' folder. Is there any way to get spamassassin to process the contents of the folder so those accepted messages are considered spam in the future?

It depends. If the spam-mail folder is a folder in a POP3 client, it is not easy to automate it.

If the spam-mail folder is a folder in an IMAP-server, and the server uses Maildir format under Linux or other Unix, it is easy. The mails are plain text files in the server file system, and a cron job can easily run sa-learn --spam with that folder.

If the server is some MS Exchange I have no idea. Maybe the folder could be downloaded periodically with fetchmail or such, and fed to sa-learn.

Anyway, SpamAssassin itself does not help besides sa-learn, so this needs scripting on your part.

okay how do I script sa-learn to learn the contents of a particular file.

Cheers, Noah
bayes: cannot open bayes databases /home/user/.spamassassin/bayes_* R/W: tie failed: No such file or directory
Hi there,

Any clues how I can fix the following error? sa-learn is failing

  $ sa-learn --no-sync --spam --mbox ~/mail/Spam
  bayes: cannot open bayes databases /home/user/.spamassassin/bayes_* R/O: tie failed:
  bayes: cannot open bayes databases /home/user/.spamassassin/bayes_* R/O: tie failed: Bad file descriptor
  bayes: cannot open bayes databases /home/user/.spamassassin/bayes_* R/W: tie failed: No such file or directory
  Learned tokens from 0 message(s) (1 message(s) examined)
  ERROR: the Bayes learn function returned an error, please re-run with -D for more information

Cheers, Noah
Re: How to set up spam box?
Benny Pedersen wrote:

On Fri, July 10, 2009 13:03, HerbEppel wrote:

Yes, I had wondered who I should pester with my question :blush: Thanks for the clarification.

also make them clarify why use pop3 and folders :) pop3 is only for getting mails not for remote store of mails, use imap in thunderbird and discover more

On 10.07.09 04:15, HerbEppel wrote:

Thanks, but pop3 works well for me, actually. The point is that I want to divert messages flagged as spam into a web-based spam folder that I can visit occasionally for assessment, thereby preventing these messages from being downloaded via pop3.

It would be much better just to move them to subfolder that could be accessed by IMAP.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: How to set up spam box?
Matus UHLAR - fantomas wrote:

On 10.07.09 04:15, HerbEppel wrote:

Thanks, but pop3 works well for me, actually. The point is that I want to divert messages flagged as spam into a web-based spam folder that I can visit occasionally for assessment, thereby preventing these messages from being downloaded via pop3.

It would be much better just to move them to subfolder that could be accessed by IMAP.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.

Thanks, I dare say you are right - I really ought to look into IMAP and try and understand it! :blush:
Re: Annoying auto_whitelist
RW wrote:

The much more common scenario is that the first spam hits BAYES_50 and subsequent BAYES_99 hits are countered by a negative AWL score.

On Fri, 10 Jul 2009 08:09:04 -0400 Matt Kettler mkettler...@verizon.net wrote:

Technically, this only counters half the score. It also gets paid back later. It raises the stored average that will apply to subsequent messages.

On 10.07.09 18:57, RW wrote:

So what's the point of including BAYES_99 in AWL?

The point is not excluding very useful info like score of BAYES_00 or BAYES_99 for later e-mail.

but there's only a benefit if the BAYES_XX score falls, otherwise the distortion to the score just gets less bad - I don't see how you can describe that as paid back.

I'd also argue it's a rather rare case. Most of my spam hits BAYES_99 the first shot around, and most has varying sender address and IP. The odds of one having increasing score and the same sender address/ip seems extraordinarily unlikely to me.

If something scarcely ever makes a difference, and on the occasion it does, gets it wrong more often than it gets it right, I don't see the point in keeping it.

That paragraph was about AWL as a whole, not about including/excluding BAYES scores into.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Honk if you love peace and quiet.
Re: trusted_networks and internal_networks
Wow, I had a feeling I was opening a can of worms here. This is one area where I really feel the SA documentation could benefit by having some real world examples. Right now I am just going with the one internal_networks set to the ip of my SA server. I'm not setting any trusted_networks. I figure there's no harm in not trusting anyone, right? Just a few extra CPU cycles while SA checks out all the IP addresses in the email. Or is there more impact than just that?

Skip

RW-15 wrote:

On Sun, 12 Jul 2009 17:29:07 +0200 (CEST) Benny Pedersen m...@junc.org wrote:

On Sun, July 12, 2009 16:21, RW wrote:

Generally forwarders should go into your internal networks,

no no, internal networks is your own wan ips nothing more, imho forwarders is trusted/msa

If you do it that way SPF, XBL, DUL etc run against a server that's inside your trusted network and not against the responsible IP address.

unless they rewrite the return-path

why does this change ?

Ideally you want SPF to run against the IP address that delivered to first MX server; and unless that MX server adds usable SPF headers, you need to put it into the internal network. If the forwarding server does Sender Rewriting, SA may not be able to get the original smtp mail from address, and you may want to use the trusted network instead to run SPF against the rewritten address.
Re: processing of mail considered spam
Jari Fredriksson wrote:

Hi there,

Some spam is getting past the spamassassin. So I'd like to devise a scheme where I manually place the emails not caught by spamassassin in my 'spam-mail' folder. Is there any way to get spamassassin to process the contents of the folder so those accepted messages are considered spam in the future?

It depends. If the spam-mail folder is a folder in a POP3 client, it is not easy to automate it.

If the spam-mail folder is a folder in an IMAP-server, and the server uses Maildir format under Linux or other Unix, it is easy. The mails are plain text files in the server file system, and a cron job can easily run sa-learn --spam with that folder.

If the server is some MS Exchange I have no idea. Maybe the folder could be downloaded periodically with fetchmail or such, and fed to sa-learn.

Anyway, SpamAssassin itself does not help besides sa-learn, so this needs scripting on your part.

okay how do I script sa-learn to learn the contents of a particular file.

Cheers, Noah

If the user used to call spamc is noah, then this might do it. The last parameter is file name or a folder name, in which case all files in the folder will be learnt. man sa-learn will tell more..

  #!/bin/sh
  /usr/bin/sa-learn -u noah --spam /home/noah/Maildir/spam-mail/cur
Re: processing of mail considered spam
Hi Noah,

On 2009-07-12 11:58:23, Admin wrote:

okay how do I script sa-learn to learn the contents of a particular file.

I use courier (Maildir) with procmail and if I have spams, then I move it to the folder INBOX.Learn_IS_Spam and if I have ham found in the spamfolders, I move it to INBOX.Learn_NO_Spam.

[ '/home/michelle.konzack/bin/check_sa_learn' ]

  #!/bin/bash

  # One "user uid home" triple per line, taken from /etc/passwd
  VAL_USERS=$(cut -d ':' -f1,3,6 /etc/passwd | tr ':' ' ')
  HN=$(hostname -s)
  LOG="/var/log/check_sa_learn.$(date +%Y-%m-%d).log"

  touch "${LOG}"
  chown root:adm "${LOG}"
  chmod 660 "${LOG}"

  (echo "${VAL_USERS}" ; echo) | while read VAL_USER VAL_UID VAL_HOME
  do
    if [ -n "${VAL_USER}${VAL_UID}${VAL_HOME}" ] ; then
      # Only regular user accounts
      if [ ${VAL_UID} -ge 1000 ] && [ ${VAL_UID} -lt 65000 ] ; then
        NUM_SPAM=$(ls ${VAL_HOME}/Maildir/.Learn_IS_Spam/{cur,new}/* 2>/dev/null | wc -l)
        NUM_HAM=$(ls ${VAL_HOME}/Maildir/.Learn_NO_Spam/{cur,new}/* 2>/dev/null | wc -l)
        NUM=$((${NUM_SPAM}+${NUM_HAM}))
        if [ ${NUM} -gt 0 ] ; then
          echo "Working on user: ${VAL_USER}" 1>&2
          DATE=$(date +"%Y-%m-%d %H:%M:%S")
          echo -n "${DATE} [${HN}] USER=${VAL_USER}, NUM_SPAM=${NUM_SPAM}, NUM_HAM=${NUM_HAM}" >>"${LOG}"

          if [ -d "${VAL_HOME}/Maildir/.Learn_IS_Spam" ] ; then
            # Skip messages modified in the last two minutes
            LIST_SPAM=$(find "${VAL_HOME}/Maildir/.Learn_IS_Spam/cur" -type f -mmin +2 ; find "${VAL_HOME}/Maildir/.Learn_IS_Spam/new" -type f -mmin +2)
            echo -n ", SPAM=" >>"${LOG}"
            if [ -n "${LIST_SPAM}" ] ; then
              for MSG in ${LIST_SPAM} ; do
                su - ${VAL_USER} -c "sa-learn --spam ${MSG}" ;
                if [ $? -eq 0 ] ; then
                  procmail <"${MSG}" ;
                  if [ $? -eq 0 ] ; then
                    rm -f "${MSG}" ;
                  fi ;
                fi
              done
              echo -n "scaned" >>"${LOG}"
            else
              echo -n "none" >>"${LOG}"
            fi
          fi

          if [ -d "${VAL_HOME}/Maildir/.Learn_NO_Spam" ] ; then
            LIST_HAM=$(find "${VAL_HOME}/Maildir/.Learn_NO_Spam/cur" -type f -mmin +2 ; find "${VAL_HOME}/Maildir/.Learn_NO_Spam/new" -type f -mmin +2)
            echo -n ", HAM=" >>"${LOG}"
            if [ -n "${LIST_HAM}" ] ; then
              for MSG in ${LIST_HAM} ; do
                DE=$(date +%s)
                # Find a free file name in the inbox, learn, then move the ham back
                for CNT in $(seq --equal-width 1 100) ; do
                  if [ ! -f "${VAL_HOME}/Maildir/new/${DE}.${CNT}.${HN}" ] ; then
                    su - ${VAL_USER} -c "sa-learn --ham ${MSG}" ;
                    if [ $? -eq 0 ] ; then
                      mv -f "${MSG}" "${VAL_HOME}/Maildir/new/${DE}.${CNT}.${HN}" ;
                    fi
                    break
                  fi
                done
              done
              echo "scaned" >>"${LOG}"
            else
              echo "none" >>"${LOG}"
            fi
          fi
        fi
      fi
    fi
  done

and a cronjob:

[ '/etc/cron.d/check_sa_learn' ]

  MAILTO=cron
  */10 * * * *    root    /home/michelle.konzack/bin/check_sa_learn

and works perfectly... on more than 2000 users!

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack c/o Shared Office KabelBW
ICQ #328449886 +49/177/9351947 Blumenstasse 2
MSN LinuxMichi +33/6/61925193 77694 Kehl/Germany
IRC #Debian (irc.icq.com)
Re: bayes: cannot open bayes databases /home/user/.spamassassin/bayes_* R/W: tie failed: No such file or directory
On Sun, July 12, 2009 21:04, Admin wrote:

$ sa-learn --no-sync --spam --mbox ~/mail/Spam

  ls -l ~/mail/Spam
  ls -l /mail/Spam

bayes: cannot open bayes databases /home/user/.spamassassin/bayes_* R/O: tie failed:

does the dir .spamassassin exists with the same user ?

have you set some path global where it needed to be in just user_prefs ?

  spamassassin 2>&1 -D --lint | less

to see

-- xpoint