Help installing spamassassin on ubuntu
Hi All,

Am trying to install spamassassin on Ubuntu without a smtp running on it. Is it mandatory to have a smtp server to run spam assassin?

I want to install these modules and call specific subroutine to check my message for spammy content and give me the results. The calls will be made from web form.

Am trying to build a tool which accepts a email message and checks it.

Any help with the installation instructions and the details regarding the set up and modules will be appreciated.

--
Thanks and Regards,
Sabiha Fathima
Re: Help installing spamassassin on ubuntu
Hi

On 25/08/10 11:30, Sabiha Fathima wrote:
> Hi All,
> Am trying to install spamassassin on Ubuntu without a smtp running on it. Is it mandatory to have a smtp server to run spam assassin?

No - on Ubuntu you can just apt-get install spamassassin spamc.

> I want to install these modules and call specific subroutine to check my message for spammy content and give me the results. The calls will be made from web form.

cat message | spamc will return the results of the SA analysis. You'd really need to include or insert mail headers, unless you have a very clear idea indeed about body-only rules, and disable all the header related ones.

> Am trying to build a tool which accepts a email message and checks it.

Are you *certain* it wouldn't be easier to do this on the mailserver? Running mail through SA from amavis/Postfix/Exim/... is really straightforward. If the mailserver is under someone else's control, then you could use e.g. fetchmail to send it on through a local mailserver.

> Any help with the installation instructions and the details regarding the set up and modules will be appreciated.
> --
> Thanks and Regards,
> Sabiha Fathima

Dominic
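An added example, not part of the original thread: one way a web-form checker could supply the mail headers Dominic mentions and get a verdict back. It goes a step beyond `cat message | spamc` by speaking the spamd protocol directly; the spamd address (127.0.0.1:783), the `webform.invalid` Message-ID domain and all function names are assumptions.

```python
import re
import socket
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

SPAMD_ADDR = ("127.0.0.1", 783)  # assumption: local spamd on its default port

def wrap_form_text(body, sender, recipient, subject):
    """Wrap bare web-form text in minimal headers so header rules see a
    well-formed message. CR/LF is stripped from every header value so form
    input cannot smuggle extra header lines into the message."""
    msg = EmailMessage()
    for name, value in (("From", sender), ("To", recipient), ("Subject", subject)):
        msg[name] = re.sub(r"[\r\n]+", " ", value).strip()
    msg["Date"] = formatdate()
    msg["Message-ID"] = make_msgid(domain="webform.invalid")
    msg.set_content(body)
    return msg.as_bytes()

def build_request(raw):
    """spamd SYMBOLS request: asks for the verdict plus the names of rules hit."""
    return b"SYMBOLS SPAMC/1.2\r\nContent-length: %d\r\n\r\n" % len(raw) + raw

_SPAM = re.compile(rb"^Spam:\s*(True|False)\s*;\s*(-?[\d.]+)\s*/\s*(-?[\d.]+)",
                   re.I | re.M)

def parse_response(data):
    """Parse a spamd reply into verdict, score, threshold and rule names."""
    head, _, body = data.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split(None, 2)
    if len(status) < 2 or not status[0].startswith(b"SPAMD/") or status[1] != b"0":
        raise ValueError("spamd refused the request: %r" % head[:80])
    m = _SPAM.search(head)
    if m is None:
        raise ValueError("no Spam: header in spamd reply")
    rules = [r for r in body.decode("ascii", "replace").strip().split(",") if r]
    return {"is_spam": m.group(1).lower() == b"true", "score": float(m.group(2)),
            "required": float(m.group(3)), "rules": rules}

def check(raw, addr=SPAMD_ADDR, timeout=30):
    """Send one message to spamd and return the parsed result."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(build_request(raw))
        s.shutdown(socket.SHUT_WR)  # tell spamd the request is complete
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))
```

Synthetic headers like these only keep header rules from misfiring; checks that depend on real relay data (Received lines, DNSBL lookups) have nothing to work with.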
Problem scanning mails with Spam Assassin on Postfix
Hello

I have a spam assassin server setup on postfix and I can scan mails from mail clients configured with the server as the smtp outgoing settings but when I change the settings to smtp.mail.yahoo.com the mail is sent without being scanned by the server and there is no log of the transaction in /var/log/maillog. The spam server is sitting in front of a firewall that redirects all port 25 traffic through it.

Please I need assistance urgently.
Re: russian spam with only two lines in the body
On Wed, 2010-08-25 at 14:29 +1200, Jason Haar wrote:
> On 08/25/2010 10:06 AM, Ibrahim Harrani wrote:
>> Hi,
>> Recently, I am getting russian spam like at http://pastebin.com/Yf3AusJ4
>> All of their characteristic is that there are two line in the body. First is a sentence, second is url ending with .ru/
>
> This is an example of what I reported a couple of weeks ago, Subject: short pharma spam shoots straight through
>
> The content changes per message, along with the link. The From and Subject lines intent scream I am spam - but are changed every time making blocking on string matches time consuming and a losing battle

I've now tested the rule I published last night against my collection of 280 odd examples of spam. It seems as specific as I'd hoped. It hit all four example texts and doesn't touch anything else in the collection.

BTW, I'm now starting to see spam that doesn't contain any URIs or other ways of identifying a source for the goods being advertised. So far it's been for examination aids and footwear and has all been sent via a mailing list. Is anybody else seeing anything similar?

Martin
query own sbl
Hello together,

I've set up my own sbl and want spamassassin to check this rbl but it doesn't work. My rule is

IN_SBL_OOS_ORG rbleval:check_rbl('oos', 'sbl.o-o-s.de.')
describe IN_SBL_OOS_ORG Received via a blocked site in sbl.o-o-s.de
tflags IN_SBL_OOS_ORG net
score IN_SBL_OOS_ORG 5.0

is there anything wrong? My Spamassassin Version is spamassassin 3.2.5-2+lenny2

Chris
Re: Problem scanning mails with Spam Assassin on Postfix
On 25/08/10 12:22, Cimoni Enwis Ogwujiakwu wrote:
> Hello
> I have a spam assassin server setup on postfix and I can scan mails from mail clients configured with the server as the smtp outgoing settings but when I change the settings to smtp.mail.yahoo.com the mail is sent without being scanned by the server and there is no log of the transaction in /var/log/maillog. The spam server is sitting in front of a firewall that redirects all port 25 traffic through it.
> Please I need assistance urgently.

It sounds like some part of your firewall redirection isn't working. There are three possibilities that come to mind:

1) The clients are using another port to contact smtp.mail.yahoo.com (465 or 587, for example)
2) The firewall doesn't do what you think (e.g. it doesn't match those source addresses)
3) The clients aren't going through the firewall.

For (1) Checking ports in use is trivial.
For (2) try telnetting to some server on port 25 from behind the firewall and see who HELOs
For (3) try a traceroute from one client to smtp.mail.yahoo.com to see if the firewall is one of the hops.

Hope that helps.

Dominic
Re: query own sbl
On 2010-08-25 13:44, Christian Scholz wrote:
> Hello together,
> I've set up my own sbl and want spamassassin to check this rbl but it doesn't work. My rule is
>
> IN_SBL_OOS_ORG rbleval:check_rbl('oos', 'sbl.o-o-s.de.')
> describe IN_SBL_OOS_ORG Received via a blocked site in sbl.o-o-s.de
> tflags IN_SBL_OOS_ORG net
> score IN_SBL_OOS_ORG 5.0
>
> is there anything wrong? My Spamassassin Version is spamassassin 3.2.5-2+lenny2
> Chris

first thought... seems there's something missing in

IN_SBL_OOS_ORG rbleval:check_rbl('oos', 'sbl.o-o-s.de.')

header IN_SBL_OOS_ORG rbleval:check_rbl('oos', 'sbl.o-o-s.de.')
Re: Help installing spamassassin on ubuntu
On Wed, 2010-08-25 at 16:00 +0530, Sabiha Fathima wrote:
> Hi All,
> Am trying to install spamassassin on Ubuntu without a smtp running on it. Is it mandatory to have a smtp server to run spam assassin?

No. I run two copies of SA - one on my main mail server for normal production mail scanning and a second copy on this laptop for rule testing.

> I want to install these modules and call specific subroutine to check my message for spammy content and give me the results. The calls will be made from web form.

In the test system:

- spamd is installed as normal but is only started when I need to use it.
- I use spamc in a normal user to feed test messages to spamd. I keep my test message collection in this user.
- I keep the master copies of locally developed .cf files in same user where they're easy to edit. They are under version control as well.

I use scripts to:

(a) load the .cf files into the test spamd before running lint checks and tests
(b) to install copies of the .cf files on the production mail server. This uses scp to install the files and ssh to remotely restart spamd

I hope this suggests ideas that will work for you.

Martin
Re: Whitelist question
[just realized my response was inadvertently sent directly to Matt, sorry]

Hi,

>> What am I missing? Shouldn't there be an ip= entry for smtp01.example.com? I have trusted_networks defined in local.cf, and it includes the smtp01.example.com server.
>
> Um, no. smtp01.example.com is your own box.

Yes, but it is among the relays in the Received: headers, so I thought this is how it determines the last external server, or the first trusted server, as the case may be?

> Do you have some kind of system that queues and re-delivers mail locally over a SMTP loopback?

Yes, amavisd-new.

> Regardless, it does look like your DNS server isn't answering reverse lookups for 127.0.0.1. That should be fixed by adding a reverse zone for 0.0.127.in-addr.arpa. Most OS distros come with a sample zone file for this as part of their stock config.

# nslookup 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

1.0.0.127.in-addr.arpa name = localhost.

Isn't that sufficient and correct?

Thanks,
Alex
Re: How the hell barracuda behaves?
> no Perkel, everything posted is not necessarily acceptable, helpful and/or relevant. especially when spamming the list for your tarbaby stuff, free or not.

So I must not be the only one tired of this.

Q
RE: After upgrade the SA to 3.3.1, Mail scanning stop working partially
On Wed, 2010-08-25 at 08:10 +0530, Suhag Desai wrote:
> Aug 25 08:07:12 spd spamd[3776]: spamd: clean message (4.0/5.0) for clamav:46 in 10.7 seconds, 2792 bytes.
> Aug 25 08:07:12 spd spamd[3776]: spamd: result: . 4 - ALL_TRUSTED,HTML_MESSAGE,LOCAL_DEMONSTRATION_RULE,MIME_HTML_MOSTLY,TVD_SPACE_RATIO scantime=10.7,size=2792,user=clamav,uid=46,required_score=5.0,rhost=spd,raddr=127.0.0.1,rport=59296,mid=00fb01cb43fe$5e706710$1b5135...@com,autolearn=no
>
> It seems that it consider test.cf file (LOCAL_DEMONSTRATION_RULE) while processing the mail..but still not consider it as a mail...

SA uses a scoring system. The fact a single rule hit has a score equal the required_score threshold is irrelevant. The *sum* of all hit rules' scores is what determines a message to be spam or ham.

ALL_TRUSTED has a score of -1. The other rules account for 0.001 each (network tests enabled, no Bayes because it hasn't been trained sufficient.)

So the overall score for that test message is 4.0 (rounded), exactly as the log shows. Below the required_score threshold. There is nothing wrong with your SA, it works just as expected.

> After upgrade the SpamAssassin Server version to 3.3.1, my mail scanning stop working partially. Let me explain in details. When I set the required score to 5.0, mail scanning is not working properly. When I send the mail with “test123” with required score 5, SA not consider it spam but when I set the required score to 4, SA consider it spam the same mail. I have check the same with many other test.

What do the X-Spam headers read SA generates?

You are using a test rule with a score of 5.0, which is the same as the required_score threshold. Odds are, there are other rules firing on the message as well. If the sum of these other rules is less than 0, but greater than -1, you'd get exactly what you just described. q.e.d. :)

--
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8?
c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
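An added example, not part of the original thread: it parses a spamd "result:" log line and redoes the sum described in the reply above, showing why the same message is ham at required_score 5.0 and spam at 4.0. The sample line is constructed from the quoted log entry with a placeholder Message-ID, the per-rule scores are the ones stated in the reply, and the function names are assumptions.

```python
import re

# Constructed sample modelled on the log line quoted above (placeholder mid=).
SAMPLE = ("Aug 25 08:07:12 spd spamd[3776]: spamd: result: . 4 - "
          "ALL_TRUSTED,HTML_MESSAGE,LOCAL_DEMONSTRATION_RULE,MIME_HTML_MOSTLY,"
          "TVD_SPACE_RATIO scantime=10.7,size=2792,user=clamav,uid=46,"
          "required_score=5.0,rhost=spd,raddr=127.0.0.1,rport=59296,"
          "mid=<constructed@example.invalid>,autolearn=no")

# Per-rule scores as stated in the reply: test rule 5.0, ALL_TRUSTED -1,
# every other rule 0.001.
SCORES = {"LOCAL_DEMONSTRATION_RULE": 5.0, "ALL_TRUSTED": -1.0,
          "HTML_MESSAGE": 0.001, "MIME_HTML_MOSTLY": 0.001,
          "TVD_SPACE_RATIO": 0.001}

RESULT = re.compile(r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - "
                    r"(?P<rules>\S*) (?P<fields>\S+)\s*$")

def parse_result(line):
    """Split a spamd result line into verdict flag, logged score, rules, fields."""
    m = RESULT.search(line)
    if m is None:
        return None
    fields = dict(f.split("=", 1) for f in m.group("fields").split(",") if "=" in f)
    return {"logged_spam": m.group("flag") == "Y",
            "logged_score": int(m.group("score")),
            "rules": [r for r in m.group("rules").split(",") if r],
            "required": float(fields["required_score"]),
            "fields": fields}

def explain(line, scores, required=None):
    """Sum the scores of every rule that hit and compare with the threshold.
    `required` overrides the logged required_score to try another setting."""
    res = parse_result(line)
    threshold = res["required"] if required is None else required
    total = sum(scores.get(r, 0.0) for r in res["rules"])
    return {"total": round(total, 3), "threshold": threshold,
            "is_spam": total >= threshold,
            "unknown_rules": [r for r in res["rules"] if r not in scores]}

if __name__ == "__main__":
    print(explain(SAMPLE, SCORES))                 # threshold from the log: ham
    print(explain(SAMPLE, SCORES, required=4.0))   # lowered threshold: spam
```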
Re: How the hell barracuda behaves?
>> no Perkel, everything posted is not necessarily acceptable, helpful and/or relevant. especially when spamming the list for your tarbaby stuff, free or not.

On 25.08.10 09:08, wrote:
> So I must not be the only one tired of this.

there are more of us, I just didn't want to complain in the public, yet.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: How the hell barracuda behaves?
On ons 25 aug 2010 17:52:18 CEST, Matus UHLAR - fantomas wrote
>> So I must not be the only one tired of this.
>
> there are more of us, I just didn't want to complain in the public, yet.

and now we did :(

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html
Re: russian spam with only two lines in the body
On Wed, 2010-08-25 at 20:04 +0200, Benny Pedersen wrote:
> On ons 25 aug 2010 13:37:57 CEST, Martin Gregorie wrote
>> BTW, I'm now starting to see spam that doesn't contain any URIs or other ways of identifying a source for the goods being advertised. So far it's been for examination aids and footwear and has all been sent via a mailing list. Is anybody else seeing anything similar?
>
> i like to see them if possible write REQUEST-81 case sensitive in body

I've dug the most recent one out of my rule test messages collection: http://pastebin.com/JAEuCSnC

I didn't keep the other recent one - it didn't contain anything interesting apart from a good page of lines like:

ugg boots ugg shoes clark shoes

with typically 5 - 6 such phrases per line.

Martin
Re: russian spam with only two lines in the body
On Wed, 2010-08-25 at 19:56 +0100, Martin Gregorie wrote:
> BTW, I'm now starting to see spam that doesn't contain any URIs or other ways of identifying a source for the goods being advertised. So far it's been for examination aids and footwear and has all been sent via a mailing list. Is anybody else seeing anything similar?
>
> http://pastebin.com/JAEuCSnC

Uhm, that's not typical spam. It's actually forum / blog comment spam, helpfully and automatically converted to a mail.

Received: from www-data by wine.codeweavers.com with local (Exim 4.69) (envelope-from www-d...@wine.codeweavers.com) id 1Oo5Ji-0002X7-Gy for wine-us...@winehq.org; Tue, 24 Aug 2010 21:02:18 -0500

And indeed, the Wine Users forum description on http://forum.winehq.org/ reads:

This forum is linked to the wine-users mailing list.
Re: russian spam with only two lines in the body
On Wed, 2010-08-25 at 01:06 +0300, Ibrahim Harrani wrote:
> Recently, I am getting russian spam like at http://pastebin.com/Yf3AusJ4
> All of their characteristic is that there are two line in the body. First is a sentence, second is url ending with .ru/

Hmm, I don't seem to have any problems with these. In fact, the samples I just checked are scoring rather high. :)

Please do provide some full, raw samples with all headers, including the SA headers. Without that information it is impossible to discuss possible reasons.
Re: russian spam with only two lines in the body
On Wed, 2010-08-25 at 21:16 +0200, Karsten Bräckelmann wrote:
>> http://pastebin.com/JAEuCSnC
>
> Uhm, that's not typical spam. It's actually forum / blog comment spam, helpfully and automatically converted to a mail.

Sure, but it's off topic and, however ineptly, it's certainly advertising. That makes it spam in my book, no matter how it got into the mail stream.

A high proportion of the spam I receive arrives via Wine mailing list, usually originating from the Wine forum or Nabble: stuff from the Codeweavers forum is rare. This is probably because none of the Wine moderators/maintainers seem to give a toss about spam filtering.

Martin
Samples? (was: Re: Sought False Positives)
On Fri, 2010-08-20 at 17:47 +0200, Karsten Bräckelmann wrote:
> On Fri, 2010-08-20 at 17:12 +0200, Jan P. Kessler wrote:
>> false-positives hitting on the rules JM_SOUGHT_1 and JM_SOUGHT_2. Unfortunately I can not give examples as these messages contain confidential customer data (assurance company). We had more than 100 false-positives with these rules in the last 2 days.
>
> I hope you can tell us the __SEEK_* sub-rules triggered, though. That

Jan, any chance you could provide the paragraphs or text parts corresponding to the seeks?

Just to clarify: We do *not* require the full message, even though it makes things simpler. In fact, no headers (other than Subject) are ever used in the sought process. Anonymizing any personal data is perfectly fine. Moreover, the ham corpus for sought is not available publicly, but restricted to a few SA developers only.

The rendered and normalized body text is used to prevent seeks from appearing in the automatically generated rules -- strings directly extracted from spam. Thus, by its nature, the FP string itself cannot possibly be confidential. :)

Please feel free to send FPs to me off-list. However, please do protect them inside an archive, or send a link where I can pick them up. I'll take care about adding them to the sought ham corpus.

> would help already. To extract these, either (a) pipe such a message to spamassassin -D, and get the sub-rule from the debug output, or (b) add a specific header only showing the sub-rules.
>
>   spamassassin --cf="add_header all Subtests _SUBTESTS(,)_"
>
> Odds are, the FPs are some sort of stupid disclaimer that sneaked into the spam corpus. Once we know which sub-rule causes the FPs, and preferably get the full, original string, we can add the sample to the ham corpus, preventing the automated sought process from picking it up.
Re: russian spam with only two lines in the body
On Wed, 2010-08-25 at 21:31 +0100, Martin Gregorie wrote:
> On Wed, 2010-08-25 at 21:16 +0200, Karsten Bräckelmann wrote:
>>> http://pastebin.com/JAEuCSnC
>>
>> Uhm, that's not typical spam. It's actually forum / blog comment spam, helpfully and automatically converted to a mail.
>
> Sure, but it's off topic and, however ineptly, it's certainly advertising. That makes it spam in my book, no matter how it got into the mail stream.

IMHO, this is not entirely correct. SA and its rules are designed to identify spam sent by mail. Not forum spam.

The important difference is, that the latter is *only* the text. As a consequence, none of the header checks possibly apply. Which is a very vital part of identifying spam. No DNSBLs, no forged or mangled headers, no ratware patterns. But a valid(!) sender. The only thing left in this case is the body.

Effectively, you are trying to use SA as a spam filter for a forum. Which pretty much equals the situation that has come up recently a few times: Check text entered in web-form. That is not what SA is designed to do.

> A high proportion of the spam I receive arrives via Wine mailing list, usually originating from the Wine forum or Nabble: stuff from the Codeweavers forum is rare. This is probably because none of the Wine moderators/maintainers seem to give a toss about spam filtering.

There's your problem. The forum-to-mail gateway has generated a message you consider spam. The spammer did not generate a mail message, and probably didn't even intend it. It's just an additional bonus.