Should I be worried about this?
Just noticed in the logs for updating the SA tables the following

[15417] info: body_0: 1696 base strings extracted in 189 seconds
Illegal octal digit '9' ignored at /usr/local/bin/sa-compile line 631, $fh line 1589.
Wide character in print at /usr/local/bin/sa-compile line 385, $fh line 1589.
Illegal octal digit '9' ignored at /usr/local/bin/sa-compile line 631, $fh line 1590.
Wide character in print at /usr/local/bin/sa-compile line 385, $fh line 1590.

Should I be concerned? The line of code is

eval { print $re \t, fixup_re($regexp), {RET(\$reason\);}\n; $line++; };

==John ffitch
Problem with whitelist_from_rcvd and forged reverse lookup
Hi,

I was under the impression that whitelist_from_rcvd checks if the reverse lookup is forged. But still with the following rule

whitelist_from_rcvd *...@alita.karotte.org localhost

the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug?

Regards,
Sebastian

From ntc...@accuridecorp.com Thu Jul 30 13:49:11 2009
Return-Path: ntc...@accuridecorp.com
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on alita.karotte.org
X-Spam-Level:
X-Spam-Status: No, score=-77.7 required=5.0 tests=BAYES_60=1,
    HTML_IMAGE_ONLY_04=2.041,HTML_MESSAGE=0.001,HTML_SHORT_LINK_IMG_1=0.001,
    MIME_HTML_ONLY=1.457,RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.5,
    RAZOR2_CHECK=0.5,RCVD_IN_BL_SPAMCOP_NET=1.96,RCVD_IN_PBL=0.905,
    RCVD_IN_SORBS_WEB=0.619,RCVD_IN_XBL=3.033,SARE_HTML_A_BODY=0.742,
    SARE_HTML_IMG_ONLY=1.666,SPF_FAIL=0.693,TVD_SPACE_RATIO=2.219,
    URIBL_BLACK=1.955,URIBL_JP_SURBL=1.501,USER_IN_WHITELIST=-100
    autolearn=no bayes=0.7770 version=3.2.5
Received: from alside.com (localhost [220.231.127.15] (may be forged))
    by alita.karotte.org (8.14.3/8.14.3/Debian-5) with SMTP id n6UBn1BJ021997
    for webmas...@alita.karotte.org; Thu, 30 Jul 2009 13:49:05 +0200
X-DKIM: Sendmail DKIM Filter v2.8.2 alita.karotte.org n6UBn1BJ021997
Date: Thu, 30 Jul 2009 13:49:01 +0200
Message-Id: 200907301149.n6ubn1bj021...@alita.karotte.org
To: webmas...@alita.karotte.org
Subject: Delivery Status Notification
From: webmas...@alita.karotte.org
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Status: RO
Content-Length: 324
Lines: 6

!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN
[..]

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?'
... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: How to Disable ALL CAPS OPTION
On Thu, 2009-07-30 at 18:29 +0530, ganesh payelkar wrote: As per your instruction i did same setting but it is not working, Kindly let me know any other setting. On Thu, Jul 30, 2009 at 5:52 PM, Daniel J McDonald dan.mcdon...@austinenergy.com wrote: On Thu, 2009-07-30 at 17:49 +0530, ganesh payelkar wrote: Will it work if i put below entry in /etc/mail/spamassassin/local.cf yes. On Thu, Jul 30, 2009 at 5:43 PM, McDonald, Dan dan.mcdon...@austinenergy.com wrote: On Thu, 2009-07-30 at 17:36 +0530, ganesh payelkar wrote: Kindly help me to disable ALL CAPS option in spamassassin I assume you are talking about SUBJ_ALL_CAPS. just add to your local rules: score SUBJ_ALL_CAPS 0 Perhaps you could post a copy of a message in which this doesn't work on pastebin so that we can see what the problem might be. -- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
Re: How to Disable ALL CAPS OPTION
On Thu, July 30, 2009 14:06, ganesh payelkar wrote: Dear All, thats not very dear Kindly help me to disable ALL CAPS option in spamassassin explain more in detail what CAPS is in spamassassin -- xpoint
Re: Problem with whitelist_from_rcvd and forged reverse lookup
* Matus UHLAR - fantomas uh...@fantomas.sk [2009-07-30 16:35]: On 30.07.09 14:03, Sebastian Wiesinger wrote: I was under the impression that whitelist_from_rcvd checks if the reverse lookup is forged. But still with the following rule whitelist_from_rcvd *...@alita.karotte.org localhost the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug? a bug apparently. JFYI, I created a bugreport for this: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6169 Regards, Sebastian -- GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, 30 Jul 2009, Sebastian Wiesinger wrote: So how can I whitelist mails which come from the server where my SpamAssassin is running? Tell your glue layer that messages originating on that server should not be passed to SA at all. If you describe how SA is glued to your MTA we might be able to offer specific suggestions. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If guards and searches and metal detectors can't keep a gun out of a maximum-security solitary confinement prisoner's cell, how will a disciplinary policy and some signs keep guns out of a university? --- 6 days until the 274th anniversary of John Peter Zenger's acquittal
Re: How to Disable ALL CAPS OPTION
You can assign the value of that rule in /path-spamassassin/local.cf. For example I have it in /usr/local/etc/mail/spamassassin/local.cf: score SUBJ_ALL_CAPS 0.2 Regards. On Thu, 2009-07-30 at 17:36 +0530, ganesh payelkar wrote: Dear All, Kindly help me to disable ALL CAPS option in spamassassin Regards, Ganesh Luis Croker MTI - SCSA - SCNA Administrador de Sistemas Megacable Comunicaciones GPG Key1024D/48C1764B Key fingerprint = E8B6 E84F ECE4 661E 30C7 7208 042D BD09 48C1 764B
Re: Problem with whitelist_from_rcvd and forged reverse lookup
* John Hardin jhar...@impsec.org [2009-07-30 17:24]: On Thu, 30 Jul 2009, Sebastian Wiesinger wrote: So how can I whitelist mails which come from the server where my SpamAssassin is running? Tell your glue layer that messages originating on that server should not be passed to SA at all. If you describe how SA is glued to your MTA we might be able to offer specific suggestions. Hi, sure: Sendmail - Procmail - SA (spamc) Kind Regards, Sebastian -- GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, July 30, 2009 16:46, Sebastian Wiesinger wrote: * Matus UHLAR - fantomas uh...@fantomas.sk [2009-07-30 16:35]: On 30.07.09 14:03, Sebastian Wiesinger wrote: I was under the impression that whitelist_from_rcvd checks if the reverse lookup is forged. But still with the following rule whitelist_from_rcvd *...@alita.karotte.org localhost the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug? a bug apparently. However, the whitelist_from_rcvd *...@alita.karotte.org localhost should never work, because it works at network boundary, while localhost should always be in your networks (trusted and internal too) It does work for me. Every mail from the local server gets whitelisted. So how can I whitelist mails which come from the server where my SpamAssassin is running? I have the problem that I get logfiles which sometimes contain spam URLS and such things. I don't want this to be scored as spam. whitelist_from_rcvd did seem to do the trick except for this bug. http://old.openspf.org/wizard.html?mydomain=ml.karotte.orgsubmit=Go! http://old.openspf.org/wizard.html?mydomain=karotte.org go -all when all is ok and use pypolicyd-spf from this site on mta, remember to whitelist ip that is known to you as a forwarder in pypolicyd-spf in sa remove whitelist_from_rcvd change score for user_in_whitelist to not be just -100, it is bad used mostly, and there is better ways to make sure you dont get forged emails and add all your own wan ip to trusted_networks reduce the spf problems some says are there the above mail you posted have spf_fail, why did you accept it in mta ? -- xpoint
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, July 30, 2009 17:17, Sebastian Wiesinger wrote: the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug? non working dns is not a spamassassin bug a bug apparently. JFYI, I created a bugreport for this: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6169 well lets see -- xpoint
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, 30 Jul 2009, Sebastian Wiesinger wrote: * John Hardin jhar...@impsec.org [2009-07-30 17:24]: On Thu, 30 Jul 2009, Sebastian Wiesinger wrote: So how can I whitelist mails which come from the server where my SpamAssassin is running? Tell your glue layer that messages originating on that server should not be passed to SA at all. If you describe how SA is glued to your MTA we might be able to offer specific suggestions. Sendmail - Procmail - SA (spamc) Cool, that should be simple. Can you send: (1) the Received: headers from an email generated on that box, and (2) the procmail stanza where you call SA? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If guards and searches and metal detectors can't keep a gun out of a maximum-security solitary confinement prisoner's cell, how will a disciplinary policy and some signs keep guns out of a university? --- 6 days until the 274th anniversary of John Peter Zenger's acquittal
Re: Problem with whitelist_from_rcvd and forged reverse lookup
* Benny Pedersen m...@junc.org [2009-07-30 17:37]:
On Thu, July 30, 2009 17:17, Sebastian Wiesinger wrote:
the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug?

non working dns is not a spamassassin bug

[sebast...@alita:~]$ host 220.231.127.15
15.127.231.220.in-addr.arpa domain name pointer localhost.
[sebast...@alita:~]$ host localhost
localhost has address 127.0.0.1

It seems my DNS is working just fine. I think spamassassin should detect this.

Regards,
Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?'
... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, 30 Jul 2009, Benny Pedersen wrote:
On Thu, July 30, 2009 17:17, Sebastian Wiesinger wrote:
the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug?

non working dns is not a spamassassin bug

How do you get non-working DNS from that report? I'd say it looks more like malicious rDNS or incompetently-administered rDNS...

jhar...@mercury ~ $ dig -x 220.231.127.15

; <<>> DiG 9.4.3-P2 <<>> -x 220.231.127.15
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2699
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;15.127.231.220.in-addr.arpa. IN PTR

;; ANSWER SECTION:
15.127.231.220.in-addr.arpa. 43200 IN PTR localhost.

;; Query time: 741 msec
;; WHEN: Thu Jul 30 08:43:25 2009
;; MSG SIZE rcvd: 68

The IP is assigned to Vietnam, for whatever that's worth.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If guards and searches and metal detectors can't keep a gun out of a maximum-security solitary confinement prisoner's cell, how will a disciplinary policy and some signs keep guns out of a university?
---
6 days until the 274th anniversary of John Peter Zenger's acquittal
Re: Problem with whitelist_from_rcvd and forged reverse lookup
From: Sebastian Wiesinger spamassassin.us...@ml.karotte.org Date: Thu, 30 Jul 2009 17:48:09 +0200 * John Hardin jhar...@impsec.org [2009-07-30 17:39]: Sendmail - Procmail - SA (spamc) Cool, that should be simple. Can you send: (1) the Received: headers from an email generated on that box, and (2) the procmail stanza where you call SA? I could create a procmail rule that excludes local mail from SA, but I would much rather like to whitelist this in spamassassin. Nevertheless thanks for your offer to help with procmail. Processing locally generated email that contain spam URLs through SpamAssassin is not a particularly good idea. If you have Bayes enabled then you are training your Bayes that spam URLs and whatever else is in the log files are hammy tokens. You really do want to skip SpamAssassin processing on messages like this in your procmail. -jeff
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, 30 Jul 2009, Jeff Mincy wrote: From: Sebastian Wiesinger spamassassin.us...@ml.karotte.org Date: Thu, 30 Jul 2009 17:48:09 +0200 * John Hardin jhar...@impsec.org [2009-07-30 17:39]: Sendmail - Procmail - SA (spamc) Cool, that should be simple. Can you send: (1) the Received: headers from an email generated on that box, and (2) the procmail stanza where you call SA? I could create a procmail rule that excludes local mail from SA, but I would much rather like to whitelist this in spamassassin. Nevertheless thanks for your offer to help with procmail. Processing locally generated email that contain spam URLs through SpamAssassin is not a particularly good idea. If you have Bayes enabled then you are training your Bayes that spam URLs and whatever else is in the log files are hammy tokens. ...if you have Bayes _autolearn_ enabled... You really do want to skip SpamAssassin processing on messages like this in your procmail. -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- I'm seriously considering getting one of those bright-orange prison overalls and stencilling PASSENGER on the back. Along with the paper slippers, I ought to be able to walk right through security. -- Brian Kantor in a.s.r --- 6 days until the 274th anniversary of John Peter Zenger's acquittal
Upgrading perl modules for SA
Hi,

I recently upgraded perl from 5.6.0 to perl-5.10.0, along with all the modules necessary for sa-3.2.5 and amavisd-new (an old version still). I'm now having a problem that I really don't understand:

Jul 30 14:24:30 bigship amavis[1757]: (01757-175) TROUBLE in check_mail: decoding2-get-file-types FAILED: 'file' utility (/usr/bin/file) failed, status=1 (256 ) at /usr/sbin/amavisd line 4019.
Jul 30 14:24:30 bigship amavis[1757]: (01757-175) PRESERVING EVIDENCE in /var/amavis/amavis-20090730T142430-01757

The amavisd children are running as a regular user. When I su to that user and run /usr/bin/file with the files listed above, it successfully returns the correct type of file. The lines in amavisd surrounding 4019 are:

    $file ne '' or die "Unix utility file(1) not available, but is needed";
    for my $part (@$partslist) {
      my($filename) = "$tempdir/parts/$part";
      my($filetype) = '';
      my($proc_fh) = run_command(undef, undef, $file, $filename);
      while( defined($_ = $proc_fh->getline) ) { $filetype .= $_ }
      my($err); $proc_fh->close or $err=$!; my($ret) = retcode($?);
      # = 4019
      $ret==0 or die "'file' utility ($file) failed, status=$ret ($? $err)";
      chomp($filetype);
      my($taint) = substr($filetype,0,0);
      # remove file name
      $filetype = $1.$taint if $filetype=~/^.+?:[\t ](.*)$(?!\n)/s;
      section_time('get-file-type');
      local($_) = $filetype; my($ty);
      # try to classify some common types and give them short type name
      # _last_ match wins!

Running spamassassin --lint returns no errors or warnings. Amavis complains that I'm missing a few modules, like SPF, DKIM, and IO::Socket::SSL, but I don't think they're related, and I guess they weren't on there before when it was working fine.

Thanks,
Alex
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, 2009-07-30 at 09:39 -0700, John Hardin wrote:
On Thu, 30 Jul 2009, Jeff Mincy wrote:
Processing locally generated email that contain spam URLs through SpamAssassin is not a particularly good idea. If you have Bayes enabled then you are training your Bayes that spam URLs and whatever else is in the log files are hammy tokens.

...if you have Bayes _autolearn_ enabled...

It won't poison your Bayes, not even then. See 60_whitelist.cf and the AutoLearnThreshold docs.

tflags USER_IN_WHITELIST userconf nice noautolearn

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, July 30, 2009 17:41, Sebastian Wiesinger wrote: * Benny Pedersen m...@junc.org [2009-07-30 17:37]: On Thu, July 30, 2009 17:17, Sebastian Wiesinger wrote: the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug? non working dns is not a spamassassin bug [sebast...@alita:~]$ host 220.231.127.15 15.127.231.220.in-addr.arpa domain name pointer localhost. this is your dns error, it does not make sense [sebast...@alita:~]$ host localhost localhost has address 127.0.0.1 this is ok, but the other above is not, not even for splitted dns view It seems my DNS is working just fine. I think spamassassin should detect this. detect what ? -- xpoint
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, 2009-07-30 at 16:46 +0200, Sebastian Wiesinger wrote:
* Matus UHLAR - fantomas uh...@fantomas.sk [2009-07-30 16:35]:
On 30.07.09 14:03, Sebastian Wiesinger wrote:
I was under the impression that whitelist_from_rcvd checks if the reverse lookup is forged. But still with the following rule

SA does not do the DNS lookup, but depends on the MTA doing so and recording the result in the Received header.

whitelist_from_rcvd *...@alita.karotte.org localhost

the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug?

should never work, because it works at network boundary, while localhost should always be in your networks (trusted and internal too)

I believe this is correct, these whitelist tests are performed against the header where the mail entered your network.

It does work for me. Every mail from the local server gets whitelisted.

I believe you shouldn't get a hit on internal-only mail, unless your internal network is mis-configured. You should get ALL_TRUSTED instead, or something.

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Upgrading perl modules for SA
On Thu, 30 Jul 2009, MySQL Student wrote: Jul 30 14:24:30 bigship amavis[1757]: (01757-175) TROUBLE in check_mail: decoding2-get-file-types FAILED: 'file' utility (/usr/bin/file) failed, status=1 (256 ) at /usr/sbin/amavisd line 4019. Jul 30 14:24:30 bigship amavis[1757]: (01757-175) PRESERVING EVIDENCE in /var/amavis/amavis-20090730T142430-01757 The amavisd children are running as a regular user. When I su to that user and run /usr/bin/file with the files listed above, it successfully returns the correct type of file. I would suggest that's a question for the amavis list... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Activist: Someone who gets involved. Unregistered Lobbyist: Someone who gets involved with something the MSM doesn't approve of. -- WizardPC --- 6 days until the 274th anniversary of John Peter Zenger's acquittal
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, 30 Jul 2009, Benny Pedersen wrote:
On Thu, July 30, 2009 17:41, Sebastian Wiesinger wrote:
* Benny Pedersen m...@junc.org [2009-07-30 17:37]:
On Thu, July 30, 2009 17:17, Sebastian Wiesinger wrote:
the attached mail is whitelisted because 220.231.127.15 resolves to localhost. Am I doing something wrong or is this a bug?

non working dns is not a spamassassin bug

[sebast...@alita:~]$ host 220.231.127.15
15.127.231.220.in-addr.arpa domain name pointer localhost.

this is your dns error, it does not make sense

You are correct, but the problem is not in Sebastian's DNS - it is in the rDNS of the IP that contacted his MTA.

[sebast...@alita:~]$ host localhost
localhost has address 127.0.0.1

this is ok, but the other above is not, not even for splitted dns view

It seems my DNS is working just fine. I think spamassassin should detect this.

detect what ?

Detect a last-untrusted with rDNS localhost and an IP address not in 127/8

While not necessarily a spam sign, it's sure not kosher.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Activist: Someone who gets involved. Unregistered Lobbyist: Someone who gets involved with something the MSM doesn't approve of. -- WizardPC
---
6 days until the 274th anniversary of John Peter Zenger's acquittal
Re: Upgrading perl modules for SA
On Thu, 2009-07-30 at 14:36 -0400, Alex wrote: I recently upgraded perl from 5.6.0 to perl-5.10.0, along with all the modules necessary for sa-3.2.5 and amavisd-new (an old version still). I'm now having a problem that I really don't understand: Jul 30 14:24:30 bigship amavis[1757]: (01757-175) TROUBLE in ^^ check_mail: decoding2-get-file-types FAILED: 'file' utility (/usr/bin/file) failed, status=1 (256 ) at /usr/sbin/amavisd line 4019. The amavisd children are running as a regular user. When I su to that user and run /usr/bin/file with the files listed above, it successfully returns the correct type of file. The lines in amavisd ^^^ surrounding 4019 are: How's this a SA question? -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Problem with whitelist_from_rcvd and forged reverse lookup
[sebast...@alita:~]$ host 220.231.127.15 15.127.231.220.in-addr.arpa domain name pointer localhost. this is your dns error, it does not make sense You are correct, but the problem is not in Sebastian's DNS - it is in the rDNS of the IP that contacted his MTA. Not quite the same thing, but I've just had some mail bounce from a domain which has 127.0.0.1. as its only MX record. Makes it quite difficult to send mail there! Anthony -- www.fonant.com - Quality web sites
Number of rules
I'm using maia-mailguard with spamassassin 3.2.5. For the most part it seems to be working ok but I feel like too many messages are hitting BAYES_00 (roughly 3.7% of all messages) and BAYES_99 is only hitting about 1.7%. I have bayes autolearn on with ham being learned at -1.0 and spam learned at 8.0 I'm sort of thinking part of my problem is I just don't have enough rules so I'm curious how many rules do other users out there have in their spamassassin setup? I currently have about 2558 rules consisting of stock rules, SOUGHT, KHOP, SARE, some customer rules I wrote and various rules I've seen posted on this list and other sites. I have a few plugins enabled as well (FreeMail, iXhash, Botnet, ASN, Pyzor, Razor2, DCC) I know some of it is just training of the bayes but I'm wondering if just lack of rules might be causing some of my problems. Thanks, --Dennis
Re: Number of rules
On Thu, 2009-07-30 at 15:28 -0500, Dennis B. Hopp wrote: I'm using maia-mailguard with spamassassin 3.2.5. For the most part it seems to be working ok but I feel like too many messages are hitting BAYES_00 (roughly 3.7% of all messages) and BAYES_99 is only hitting about 1.7%. I have bayes autolearn on with ham being learned at -1.0 and spam learned at 8.0 I'm sort of thinking part of my problem is I just don't have enough rules so I'm curious how many rules do other users out there have in their spamassassin setup? That's not the problem. I currently have about 2558 rules consisting of stock rules, SOUGHT, KHOP, SARE, some customer rules I wrote and various rules I've seen posted on this list and other sites. I have a few plugins enabled as well (FreeMail, iXhash, Botnet, ASN, Pyzor, Razor2, DCC) I know some of it is just training of the bayes but I'm wondering if just lack of rules might be causing some of my problems. Exactly. I seriously doubt lack of rules is your problem. Instead, you should do more manual Bayes training. In particular, (a) do feed sa-learn all spam messages with a low Bayes score regardless of the overall SA score, and (b) train with all generally low-ish scoring spam. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Any one interested in using a proper forum?
Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list. And I wonder, what has REALLY gotten better since the '80s? Google, cell phones, and Priuses is all I can think of off the top of my head. Powershell seems like Bash finally invented for Windows...
Re: Any one interested in using a proper forum?
On Thursday, July 30, 2009 2:01 PM -0700 ktn j_engl...@kawasaki-tn.com wrote: Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list. Or you could use a news reader pointed at Gmane's news server and subscribe to the SA newsgroups. A web interface is available here: http://news.gmane.org/gmane.mail.spam.spamassassin.general
header_rewrite To: Field
I am currently using the header_rewrite for the subject. Wondering if it is possible to use header_rewrite to change the To: field to a sub-domain? Example Mail comes in for u...@domain.com Spamassassin flags message as Spam, rewrites the subject to include ***SPAM*** then rewrites the To: field to be u...@sub.domain.com Is this possible? Thanks Bryan
Re: Any one interested in using a proper forum?
On Thu, Jul 30, 2009 at 14:01, ktnj_engl...@kawasaki-tn.com wrote: Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list. If you're an RSS reader, I'd suggest getting an RSS feed from gmane. You can pick 4 types of feed: 1) full articles, 1 article per email 2) full articles, 1 article per thread 3) summary articles, 1 article per email 4) summary articles, 1 article per thread (I prefer the second one) My only remaining hurdle is ... figuring out how to be subscribed to this list, from any of my 3 email addresses, but not receive ANY email from the list itself. I know how to do that with some email lists, but not with the apache lists. I read the -help output, but it didn't give me the information I want (it told me how to be subscribed from multiple locations, but it sounded like I'd receive the same email at all of them, or at least still remain receiving email at the primary one). I also emailed the list owner, with no response at all. My goal is: read the initial message of a thread via RSS, if I'm interested in more, read the rest via gmane, reply via gmane, and receive submissions to my replies via being CC'ed on the replies. Have to wait and see how possible/plausible that is. I might have to switch to option 3. We'll see.
Re: Any one interested in using a proper forum?
On Jul 30, 2009, at 3:01 PM, ktn wrote: Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list. I dunno, I looked at Nabble once when i was away from my computer and wanted to see quickly if there was a reply to a thread. The only word that came to mind was 'cesspit'. It's better than phpBB, but that is what is known as 'damning with faint praise'. But then again, I am naturally inclined against web-boards and the like. And I wonder, what has REALLY gotten better since the '80s? Google, cell phones, and Priuses is all I can think of off the top of my head. Powershell seems like Bash finally invented for Windows... Well, bash has gotten a lot better since the 80's. And OS X is a lot better than System V. FreeBSD is quite nice. I'll take slrn over rn/ trn any day, and just about any mail client over mail/mailx/pine/elm. Also, vim/nvi is a lot nicer than vi and nano is better than either unless you are hardwired for vi like I am. We have procmail now, long- in-the-tooth as it is, and well, OS X over any 80's OS, not even close. In the 80's I was using 300baud modems and 1200 (!!!) baud modems to get online, and that was in the LATE 80's. Today I have ~20Mbit downstream. Yes, a little over 2 Megabytes per SECOND. Cameras are a lot better and don't need film. TV is better (both in image quality and quality and quantity of shows). I have an 80 screen for my projector, that's better. Eyeglasses are a lot better, as are casts for broken bones and pretty much every surgery you can think of. MRIs are better, heck, the entire medical field has gone through a sea change in the 30 years. In fact, not much has gotten worse. Music, especially the music business is a lot worse, but it was already on the downslope by the early 80's. Politics, yeah... big slide there. but in terms of technology? I would never go back. -- Don't ride in anything with a Capissen-38 engine, they fall right out of the sky
Re: Problem with whitelist_from_rcvd and forged reverse lookup
On Thu, 30 Jul 2009, Sebastian Wiesinger wrote:

Received: from alside.com (localhost [220.231.127.15] (may be forged))
    by alita.karotte.org (8.14.3/8.14.3/Debian-5) with SMTP id n6UBn1BJ021997
    for webmas...@alita.karotte.org; Thu, 30 Jul 2009 13:49:05 +0200

That nonsense should be worth a point:

header RDNS_LOCALHOST X-Spam-Relays-External =~ /^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? /i

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Vista: because the audio experience is *far* more important than network throughput.
---
6 days until the 274th anniversary of John Peter Zenger's acquittal
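The check discussed in this thread (a last-untrusted relay whose rDNS is localhost while its IP is outside 127/8), as an added example that is not part of any poster's message or of SpamAssassin: it parses the sendmail-style Received header quoted above, runs the posted RDNS_LOCALHOST pattern against a simplified X-Spam-Relays-External entry, and adds a forward-confirmation check, which goes beyond the posted rule. The function names, the simplified relay string, the lookup table and every sample header except the first are assumptions constructed for illustration.

```python
import ipaddress
import re

# Pattern from the RDNS_LOCALHOST rule posted above, applied to a simplified
# X-Spam-Relays-External entry (first entry = last untrusted relay).
RDNS_LOCALHOST = re.compile(
    r"^\[ ip=(?!127)\d+\.\d+\.\d+\.\d+ rdns=localhost(?:\.localdomain)? ", re.I)

# sendmail-style trace line: from HELO (RDNS [IP] (may be forged)) by ...
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?:IPv6:)?(?P<ip>[0-9a-f:.]+)\](?P<forged>\s+\(may be forged\))?\)",
    re.I)

LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# The first header is the one quoted in the thread; the others are constructed.
SAMPLE_HEADERS = [
    "from alside.com (localhost [220.231.127.15] (may be forged))\n"
    "\tby alita.karotte.org (8.14.3/8.14.3/Debian-5) with SMTP id n6UBn1BJ021997",
    "from alita.karotte.org (localhost [127.0.0.1])\n\tby alita.karotte.org with ESMTP",
    "from mail.example.net (mail.example.net [192.0.2.25])\n\tby alita.karotte.org with ESMTP",
    "from foo.example ([198.51.100.7])\n\tby alita.karotte.org with SMTP",
]

# Constructed stand-in for forward DNS; 'localhost' mirrors the host(1) output
# shown in the thread.
FORWARD_ZONE = {"localhost": ["127.0.0.1"], "mail.example.net": ["192.0.2.25"]}


def parse_received(header):
    """Return helo, rdns, ip and the MTA's forged flag, or None if unparsable."""
    m = RECEIVED.search(" ".join(header.split()))  # unfold continuation lines
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:  # bracketed text was not a valid address
        return None
    return {"helo": m["helo"], "rdns": (m["rdns"] or "").rstrip(".").lower(),
            "ip": ip, "may_be_forged": bool(m["forged"])}


def rdns_localhost_mismatch(relay):
    """True when rDNS names the local host but the peer address is not loopback."""
    peer = ipaddress.ip_address(relay["ip"])
    return relay["rdns"] in LOCAL_NAMES and not peer.is_loopback


def forward_confirmed(relay, zone):
    """FCrDNS: the PTR name must resolve back to the connecting address."""
    peer = ipaddress.ip_address(relay["ip"])
    return any(ipaddress.ip_address(a) == peer
               for a in zone.get(relay["rdns"], ()))


def as_relays_external(relay, by):
    """Simplified form of the pseudo-header entry the posted rule matches on."""
    return "[ ip={ip} rdns={rdns} helo={helo} by={by} ]".format(by=by, **relay)


def audit(headers, zone):
    """Return (ip, rdns, verdict) for every parsable Received header."""
    results = []
    for header in headers:
        relay = parse_received(header)
        if relay is None:
            continue
        if rdns_localhost_mismatch(relay):
            verdict = "rdns-localhost-mismatch"
        elif not forward_confirmed(relay, zone):
            verdict = "rdns-unconfirmed"
        else:
            verdict = "ok"
        results.append((relay["ip"], relay["rdns"], verdict))
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS, FORWARD_ZONE):
        print(*row, sep="\t")
```

In a live setup the lookup table would be replaced by the DNS answers the MTA obtained at SMTP time, since, as noted in the thread, SpamAssassin works from what the MTA recorded in the Received header.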
RE: Any one interested in using a proper forum?
Gidday Peter, I don't know about anyone else, but I'm getting a bit hacked of with this 1980's style forum. I'm trying to get to the bottom of an SA issue and this list/forum thing is giving me a bigger headache than SA! It's a bit like that when you're using Mailing lists, just another thing to get used to in I.T life! Spamassassin has more than one or two users now and I personally think that it should have a support forum to match the class of software, which is now world class. I know it's free and all that, but even so, if this is the only form of support they provide, I'm thinking that I'll just start an alternative support forum, using standard, full featured forum software (like SMF). Is there any support for this (I already know there will be opposition from those who are 'resident' here. Sorry guys, I just want do something to help those who just dive in when they have an urgent problem. No hard feelings I hope.) FWIW I think you're driving at creating a forum that would be easier to use or understand for the average joe-bloggs user. This is all very well, but Mailing Lists aren't exactly hard to stay on top of. As for using E-Mail to discuss problems with Spamassassin, I can think of nothing more applicable. Anyone being an Admin of a Spamassassin enabled Mail Server server, should be familiar enough with E-Mail to be able to handle Mailing Lists without too much fuss. If this is such a big problem perhaps they shouldn't be Administering a Mail Filtering system at all. Just my 2cents. Michael Hutchinson.
Re: Number of rules
On Thu, 30 Jul 2009 15:28:49 -0500 Dennis B. Hopp dh...@coreps.com wrote:
> I'm using maia-mailguard with spamassassin 3.2.5. For the most part it seems to be working ok but I feel like too many messages are hitting BAYES_00 (roughly 3.7% of all messages)

3.7% of all messages sounds far too *low*, most of your ham should be hitting BAYES_00.

> and BAYES_99 is only hitting about 1.7%. I have bayes autolearn on with ham being learned at -1.0 and spam learned at 8.0

Bear in mind that autolearning uses its own version of the score that excludes whitelisting and Bayes, which means that very little ham will reach the -1 threshold unless you've added your own site-specific rules for identifying it.
Re: Number of rules
Quoting RW rwmailli...@googlemail.com:
> Bear in mind that autolearning uses its own version of the score that excludes whitelisting and Bayes, which means that very little ham will reach the -1 threshold unless you've added your own site-specific rules for identifying it.

Yeah I knew that. I have a few negative scoring rules but not many (outside of what might be in the misc rules sets I have). What is a good threshold for ham then?

--Dennis
Re: header_rewrite To: Field
On Thu, 30 Jul 2009, Bryan Haase wrote:
> I am currently using the header_rewrite for the subject. Wondering if it is possible to use header_rewrite to change the To: field to a sub-domain?
>
> Example
> Mail comes in for u...@domain.com
> Spamassassin flags message as Spam, rewrites the subject to include ***SPAM*** then rewrites the To: field to be u...@sub.domain.com
>
> Is this possible?
>
> Thanks
> Bryan

What, specifically, are you trying to achieve? Changing the 'To:' HEADER would be a cosmetic change but will -not- affect mail routing. To change the address that a message gets delivered to you need to change what's called the ENVELOPE to address. Doing that will depend upon your MTA and how SA is glued into your system.

--
Dave Funk                              University of Iowa
dbfunk (at) engineering.uiowa.edu      College of Engineering
319/335-5751 FAX: 319/384-0549         1256 Seamans Center
Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Any one interested in using a proper forum?
On Thu, Jul 30, 2009 at 5:01 PM, ktnj_engl...@kawasaki-tn.com wrote: Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list. This list generates less than 50 messages per day on average: http://gmane.org/plot-rate.php/plot.png?group=gmane.mail.spam.spamassassin.generalplot.png I've got to ask, what type of system are you using that can't handle this traffic? And does SA even run on such a thing :)? And I wonder, what has REALLY gotten better since the '80s? Google, cell phones, and Priuses is all I can think of off the top of my head. Powershell seems like Bash finally invented for Windows...
Re: header_rewrite To: Field
On Thu, 2009-07-30 at 16:50 -0500, Bryan Haase wrote:
> I am currently using the header_rewrite for the subject. Wondering if it is possible to use header_rewrite to change the To: field to a sub-domain?

Nope. Which part of the docs [1] isn't clear? See rewrite_header, first item in the Basic Message Tagging Options section.

  For the From or To headers, this will take the form of an RFC 2822 comment following the address in parentheses.

I believe I've written something like this a few months ago. You can change the comment (or real name), but you cannot change the address.

As David said, this is syntactic sugar only anyway, and does not have any impact whatsoever, where the mail gets delivered to.

[1] http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Number of rules
On Thu, 2009-07-30 at 19:12 -0500, Dennis B. Hopp wrote:
> Quoting RW rwmailli...@googlemail.com:
> > Bear in mind that autolearning uses its own version of the score that excludes whitelisting and Bayes, which means that very little ham will reach the -1 threshold unless you've added your own site-specific rules for identifying it.
>
> Yeah I knew that. I have a few negative scoring rules but not many (outside of what might be in the misc rules sets I have). What is a good threshold for ham then?

The default of 0.1. It's a default for a reason. But that *really* is not your problem. Your problem is with learning spam, not learning even more ham. Just as you mentioned in your original report. See my previous response for a solution. You want to learn more spam.
Re: Any one interested in using a proper forum?
On Thu, Jul 30, 2009 at 17:54, Aaron Wolfe aawo...@gmail.com wrote:
> On Thu, Jul 30, 2009 at 5:01 PM, ktnj_engl...@kawasaki-tn.com wrote:
> > Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list.
>
> This list generates less than 50 messages per day on average: http://gmane.org/plot-rate.php/plot.png?group=gmane.mail.spam.spamassassin.generalplot.png I've got to ask, what type of system are you using that can't handle this traffic? And does SA even run on such a thing :)?

You say that as though this list is all we read. If this list was ALL I read, instead of 100's of emails per day from all of my list, work, personal, etc. correspondence, then that'd be different. Further, this list has one of the lowest signal to noise ratios of any of the lists I'm on (don't get me wrong, when I say noise here, I don't mean totally worthless, I mean not relevant to me). So, the logical choice of reducing the flood of traffic is by cutting back on how many of those 50-100 emails per day hit my inbox.
Network Tests / Rule Files Directories
Hello

Before I begin with my questions, here is a description of my setup: I am using the latest version of SpamAssassin (3.2.5). My perl version is perl-5.8.3-32.9 - the distribution (Suse 9.1) is rather old, most of the packages I actually use are self-compiled. I use getmail 4.9.1 to fetch the emails, which are then handed to procmail 3.22-39.7, which calls spamassassin with the following rules:

  :0fw: spamassassin.lock
  | spamassassin

  :0
  * ^X-Spam-Status: Yes
  spam

My first problem is that there is still a lot of spam coming through. I have enabled and configured Razor, DCC and Pyzor but even though most spam is recognized by DCC it doesn't give enough points to classify the mail as spam. I have tried adding the appropriate lines, which I believe should be

  score DCC_CHECK 5.0

if I want all emails which pass the DCC-Check to get 5 points. Unfortunately this is not working, neither for DCC nor for Razor. I know the config file /home/stefan/.spamassassin/user_prefs is read and working since my blacklist-entries are recognized, as is report_safe 0. So which lines do I have to add in order for all mails which are recognized by either DCC, Razor or Pyzor to be classified as Spam?

My second question is much simpler: Locate lists two directories with SpamAssassin-Rules:

  /var/lib/spamassassin/3.002005/updates_spamassassin_org/
  /usr/share/spamassassin

Running spamassassin -D sample-spam.txt seems to indicate that only the directory under /var/lib is used. Can I delete the old files in /usr/share/spamassassin or are they still needed? Why does SpamAssassin place the updated rules in a different directory than the one in which the original rules are installed?

Bye
Stefan
alpha2? beta1?
Could we please schedule a desired date to release the next pre-release of 3.3.0? Time based releases help us to stay on track. Warren Togami wtog...@redhat.com
Re: Any one interested in using a proper forum?
On Thu, Jul 30, 2009 at 10:07 PM, John Rudd jr...@ucsc.edu wrote:
> On Thu, Jul 30, 2009 at 17:54, Aaron Wolfe aawo...@gmail.com wrote:
> > On Thu, Jul 30, 2009 at 5:01 PM, ktnj_engl...@kawasaki-tn.com wrote:
> > > Actually I think Nabble is great for those of us who can't handle the traffic of the whole mailing list.
> >
> > This list generates less than 50 messages per day on average: http://gmane.org/plot-rate.php/plot.png?group=gmane.mail.spam.spamassassin.generalplot.png I've got to ask, what type of system are you using that can't handle this traffic? And does SA even run on such a thing :)?
>
> You say that as though this list is all we read.

I interpreted the phrase "handle the traffic" to mean something the mail server was doing, not a human :)

> If this list was ALL I read, instead of 100's of emails per day from all of my list, work, personal, etc. correspondence, then that'd be different. Further, this list has one of the lowest signal to noise ratios of any of the lists I'm on (don't get me wrong, when I say noise here, I don't mean totally worthless, I mean not relevant to me). So, the logical choice of reducing the flood of traffic is by cutting back on how many of those 50-100 emails per day hit my inbox.
Re: Upgrading perl modules for SA
Hi,

> > check_mail: decoding2-get-file-types FAILED: 'file' utility (/usr/bin/file) failed, status=1 (256 ) at /usr/sbin/amavisd line
>
> How's this a SA question?

Yes, my apologies. I don't know enough about amavis yet, and thought it may be related to all the modules I upgraded, and not amavis itself. I've since reverted my changes back to perl-5.6.0, and going to subscribe to that list too.

I also upgraded Berkeley DB to db4 and have left db3, db2, and db1 on the system too. However, now I'm having a problem with bayes:

  [10496] dbg: bayes: tie-ing to DB file R/O /home/sscan/.spamassassin/bayes_toks
  [10496] dbg: bayes: tie-ing to DB file R/O /home/sscan/.spamassassin/bayes_seen
  [10496] dbg: bayes: found bayes db version 0
  [10496] warn: bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin/BayesStore/DBM.pm line 196.

I guess I don't understand the logic, because around 196 is the following, which appears to say that if $self->_check_db_version doesn't equal zero, then fail, but we know it equals version zero from what is stated above...

  $self->{db_version} = ($self->get_storage_variables())[6];
  dbg("bayes: found bayes db version ".$self->{db_version});

  # If the DB version is one we don't understand, abort!
  if ($self->_check_db_version() != 0) {
    warn("bayes: bayes db version ".$self->{db_version}." is not able to be used, aborting!");
    $self->untie_db();
    return 0;
  }

Thanks,
Alex