Re: [OT] lottery spams

2009-07-15 Thread Daniel Schaefer



*  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  1.2 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
*  2.9 KAM_LOTTO1 Likely to be a e-Lotto Scam Email

  
Is your header formatted like this in Thunderbird or are you using a 
different MUA? If Thunderbird, how do you get it formatted like that?


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: [OT] lottery spams

2009-07-15 Thread Daniel Schaefer



*  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  1.2 ADVANCE_FEE_2 Appears to be advance fee fraud (Nigerian 419)
*  2.9 KAM_LOTTO1 Likely to be a e-Lotto Scam Email

  
Is your header formatted like this in Thunderbird or are you using a 
different MUA? If Thunderbird, how do you get it formatted like that?


I think I may have answered my own question. Correct me if I'm wrong but 
you have report_safe = 1 or 2


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: use save_pattern_hits to debug Mail::SpamAssassin?

2009-07-14 Thread Daniel Schaefer



So what I want is to get a list of all performed checks and the score of this 
check.

  
If you want to see the scores of the successful checks in all emails, 
put this in your cf file:

add_header all Report _REPORT_

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: custom rule no work (as expected) and log score

2009-07-14 Thread Daniel Schaefer



any idea why this rule never works for domain1 or domain2 but only domain3

header whitelist_from_luser From =~ /domain1\.com/i
header whitelist_from_luser From =~ /domain2\.com/i
header whitelist_from_luser From =~ /domain3\.com/i

score whitelist_from_luser -2.5


How do I log the score for each rule that is triggered?

-bazooka
  
Perhaps it's being overwritten by the 3rd rule? Try one of the 
following, depending on what your actual domain names are. I'm still 
learning REs, so please someone correct me if I'm wrong.


header whitelist_from_luser From =~ /(domain[1-3]\.com)/i

header whitelist_from_luser From =~ /(domain1\.com|domain2\.com|domain3\.com)/i



--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: questions about my SA configuration

2009-07-13 Thread Daniel Schaefer


Second, I don't want to keep adding/modifying rules/scores in  
/.spamassassin/user_prefs if it's not the correct way. As I am  
constantly tweaking my spam scores, can I add scores to a config file  
and make them become active without having to restart SA? Right now,  
adding them to /.spamassassin/user_prefs works correctly without having  
to restart SA.



per-user files are afaik being read when mail is scanned, while for changing
global config file you have to reload spamd. I'm afraid it won't be
different. But I think that if you are permanently changing scores,
something goes wrong there. Be very careful about playing with scores!

  

I guess it would make sense to change the scores in a load time loaded 
file as opposed to a run time loaded file, because of syntax errors and 
such. This would give me a chance to run SA with the lint option.


--
Dan Schaefer
Application Developer
Performance Administration Corp.



questions about my SA configuration

2009-07-10 Thread Daniel Schaefer
I'm running SA daemonized. I know that it reads 
/.spamassassin/user_prefs (not a typo), /etc/mail/spamassassin/local.cf, 
and /usr/share/spamassassin/ for configuration. I know I don't have 
something set right, because /.spamassassin/user_prefs is being read 
because spamd is run with user=nobody and nobody's home is /. I just 
created the directory because the maillog was complaining. I will also 
mention that all the email addresses are virtual (not system accounts, 
just to be clear).


First of all (and I've Googled half a day away trying to find an answer), 
how do I configure spamd so that each virtual email address can have 
their own user_prefs file and perhaps a global user_prefs file?
Second, I don't want to keep adding/modifying rules/scores in 
/.spamassassin/user_prefs if it's not the correct way. As I am 
constantly tweaking my spam scores, can I add scores to a config file 
and make them become active without having to restart SA? Right now, 
adding them to /.spamassassin/user_prefs works correctly without having 
to restart SA.


The below commented out lines were failed attempts at my first question.
[r...@pony ~]# cat /etc/sysconfig/spamassassin
# Options to spamd
SPAMDOPTIONS=-d -c -m10 -H
#SPAMDOPTIONS=-d -c -m5 -H -s /var/log/spamd.log -u nobody -x --virtual-config-dir=/var/vmail/%d/%u/spamassassin
#SPAMDOPTIONS=-d -c -m5 -H -x -u nobody --virtual-config-dir=/var/vmail/%d/%u/spamassassin



I received something like this in my maillog
Jul  7 15:53:26 pony spamd[4732]: spamd: connection from localhost.localdomain [127.0.0.1] at port 59780
Jul  7 15:53:26 pony spamd[4732]: spamd: using default config for nobody: /var/vmail//nobody/spamassassin/user_prefs
Jul  7 15:53:26 pony spamd[4732]: spamd: processing message 4a53a7b3.9090...@performanceadmin.com for nobody:99
Jul  7 15:53:26 pony spamd[4732]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /var/vmail//nobody/spamassassin/auto-whitelist.lock.pony.performanceadmin.com.4732 for /var/vmail//nobody/spamassassin/auto-whitelist.lock: Permission denied


--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: unsubscribe

2009-07-10 Thread Daniel Schaefer

David Lomax wrote:


Did ANYONE read Evan's response?

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: USER_IN_WHITELIST Not Scoring

2009-07-10 Thread Daniel Schaefer

boogybren wrote:

Any suggestions would be greatly appreciated.  Attached is my local.cf
  

Simple solution, but you may not have tried it...restart spamassassin

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

McDonald, Dan wrote:

Yes, remove the outer parentheses.

Here are the rules I am using:
body AE_MEDS35   /w{2,4}\s(?:meds|shop)\d{1,4}\s(?:net|com|org)/
describe AE_MEDS35  obfuscated domain seen in spam
score   AE_MEDS35   3.00

body AE_MEDS38   /\(\s?w{2,4}\s[[:alpha:]]{4}\d{1,4}\s(?:net|com|org)\s?\)/
describe AE_MEDS38  rule to catch next wave of obfuscated domains
score   AE_MEDS38   1.0

body AE_MEDS39   /\bw{2,3}[[:punct:][:space:]]{2,3}[[:alpha:]]{2,6}\d{2,6}[[:punct:][:space:]]{2,3}(?:c\s?o\s?m|n\s?e\s?t|o\s?r\s?g)\b/i
describe AE_MEDS39  rule to catch still more spam obfuscation
score   AE_MEDS39   4.0

  

Since we're sharing rules for this recent Spam outbreak, here is my rule:
body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

score DRUG_SITE 0.5
describe DRUG_SITE Test to find spam drug sites in recent emails


Notice my score is low, because I'm not sure it's 100% accurate.

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

Gerry Maddock wrote:

McDonald, Dan wrote:
  
Since we're sharing rules for this recent Spam outbreak, here is my rule:

body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/
  

You should avoid the use of *, as it allows spammers to consume all of
your memory and cpu.  limit it using the {} syntax.  You also should
tell perl to not keep the results of your () with (?:\.|\ ) instead of
(\.|\ ).  And with single characters, the [ab] syntax is faster to
process than (?:a|b).



Perhaps you could attach an example showing exactly what you're stating for
this rule?

  

This is my new rule. I think this is what he means:

body DRUG_SITE /www[\.\ ]*(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}[\.\ ]*(?:net|com)/


--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

John Hardin wrote:

On Fri, 10 Jul 2009, Daniel Schaefer wrote:


Gerry Maddock wrote:

   McDonald, Dan wrote:
 
   body DRUG_SITE /www(\.|\ )*(med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}(\.|\ )*(net|com)/

   You should avoid the use of *, as it allows spammers to consume all
   of your memory and cpu.  limit it using the {} syntax.  You also
   should tell perl to not keep the results of your () with (?:\.|\ )
   instead of (\.|\ ).  And with single characters, the [ab] syntax is
   faster to process than (?:a|b).


 Perhaps you could attach an example showing exactly what you're stating
 for this rule?


This is my new rule. I think this is what he means:

body DRUG_SITE /www[\.\ ]*(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)[0-9]{2}[\.\ ]*(?:net|com)/


You missed some of the suggestions.

Try this:

body DRUG_SITE /\bwww[.\s]{1,3}(?:med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba)\d{2}[.\s]{1,3}(?:net|com)\b/



Also, if the spammers start registering three-digit domain names, this 
will start missing. Something like \d{2,5} would be better.



Doesn't the . (period) need escaped in this? [.\s]{1,3}

--
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: [NEW SPAM FLOOD] www.shopXX.net

2009-07-10 Thread Daniel Schaefer

John Hardin wrote:

On Fri, 10 Jul 2009, Daniel Schaefer wrote:


Doesn't the . (period) need escaped in this? [.\s]{1,3}


Nope. [] means explicit set of characters, and . = any 
character conflicts with that context.



Thanks for the clarification. I'm still learning REs.

--
Dan Schaefer
Application Developer
Performance Administration Corp.
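
Added example, not code from any poster in this thread: the Python script below runs the three DRUG_SITE patterns posted above, plus the \d{2,5} widening, against constructed body strings to show what each change in the thread does to matching. It uses Python's re module rather than the Perl engine SpamAssassin runs, and the sample strings and function names are made up for the illustration.

```python
import re

# Patterns as posted in the thread; they use only syntax that Python's re
# module shares with Perl.
NAMES = r"med|meds|gen|pill|shop|via|cu|co|ba|da|bu|ba"
RULES = {
    "original": rf"www(\.|\ )*({NAMES})[0-9]{{2}}(\.|\ )*(net|com)",
    "revised": rf"www[\.\ ]*(?:{NAMES})[0-9]{{2}}[\.\ ]*(?:net|com)",
    "bounded": rf"\bwww[.\s]{{1,3}}(?:{NAMES})\d{{2}}[.\s]{{1,3}}(?:net|com)\b",
    # "bounded" with the \d{2,5} change suggested for longer digit runs
    "bounded_2_5": rf"\bwww[.\s]{{1,3}}(?:{NAMES})\d{{2,5}}[.\s]{{1,3}}(?:net|com)\b",
}

# Constructed message-body fragments (not taken from real mail).
SAMPLES = {
    "spaced": "visit www shop12 net today",
    "dotted": "www. meds47. com",
    "three_digit": "www pill123 com",
    # no word boundary before "www" or after "com"
    "embedded": "xwww.co12.commerce",
    # a separator run far longer than any obfuscated domain needs
    "long_run": "www" + " " * 2000 + "shop12 com",
}


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {sample name: [names of the rules that match it]}."""
    compiled = {name: re.compile(pattern) for name, pattern in rules.items()}
    return {
        label: [name for name, rx in compiled.items() if rx.search(text)]
        for label, text in samples.items()
    }


if __name__ == "__main__":
    for label, matched in evaluate().items():
        print(f"{label:12} {', '.join(matched) or '(no rule matches)'}")
```

The unbounded versions accept the 2000-space run and the string embedded in a longer word, while the {1,3} and \b version rejects both; only the \d{2,5} variant catches the three-digit name.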



Re: Am I fscking up my bayes db?

2009-07-09 Thread Daniel Schaefer

Mike Cardwell wrote:

Steve Bertrand wrote:

Hi everyone,

I aggregate my work and personal email accounts within the same email
client. All accounts are IMAP-based.

My $work employs a Barracuda cluster, and of course my box runs SA.


From time-to-time, I'll get a SPAM message come through the 'cuda's.

From there, I move the message from one IMAP folder in my MUA into
another SPAM folder, which essentially is a transfer from a work storage
server onto my server.

Every few days, I run sa-learn against the collected SPAM messages.

My question is, given that the messages have already been processed by
the 'cuda's (with their header stamps in place), am I damaging, or at
risk of confusing the learning process of SA when I classify these
messages as SPAM?

Are there any negative consequences by doing this?


You should configure bayes to ignore those headers. In your local.cf, 
list each of the cuda headers like this:


bayes_ignore_header X-CudaHeader1
bayes_ignore_header X-CudaHeader2
bayes_ignore_header X-CudaHeader3

I have a similar setup. If a Spam message makes it to my inbox with less 
than the required_score, I put it into a SPAM folder and run sa-learn on 
the folder. Should I also implement the following ignore rules?


bayes_ignore_header X-Spam-Flag
bayes_ignore_header X-Spam-Level
bayes_ignore_header X-Spam-Status
bayes_ignore_header X-Spam...etc.

--
Dan Schaefer



ending rule score result

2009-07-07 Thread Daniel Schaefer
Now that I have a SA Daily Summary report for the rule hits, now I'm 
looking for a command(s) to run that will show me the end score that 
will be applied to a successful hit after reading all cf files and 
user_prefs files. For example:


/usr/share/spamassassin/50_scores.cf may contain: score BAYES_00 0 0 
-2.312 -2.599

but,
/etc/mail/spamassassin/local.cf may contain: score BAYES_00 -3

I want the output to have BAYES_00 = 3

Also, can someone explain or send me a link to a *full* explanation of 
the 4 different scores (local, net, with bayes, with bayes+net)?


Thanks,
Dan Schaefer



Re: ending rule score result

2009-07-07 Thread Daniel Schaefer

Forgot reply all.
Ok, when all I have is 1 score, is that used for all four scenarios?

Dan Schaefer
Application Developer
Performance Administration Corp.



Bowie Bailey wrote:

Daniel Schaefer wrote:


Also, can someone explain or send me a link to a *full* explanation 
of the 4 different scores (local, net, with bayes, with bayes+net)?


It's fairly simple.  Here is the description from the 
Mail::SpamAssassin::Conf man page:


  If four valid scores are listed, then the score that is used 
depends on how SpamAssassin is being used. The first score is used
  when both Bayes and network tests are disabled (score set 
0). The second score is used when Bayes is disabled, but network
  tests are enabled (score set 1). The third score is used 
when Bayes is enabled and network tests are disabled (score set 2).
  The fourth score is used when Bayes is enabled and network 
tests are enabled (score set 3).
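
Added example, not code from anyone in this thread: one way to compute the final score per rule, as asked for in the first message of this thread, using the score-set numbering from the man page text quoted above. The file contents are constructed from the two lines given in the question plus a hypothetical SAMPLE_RULE; the load order (shipped defaults, then local.cf) and the function names are assumptions, and a single listed score is applied to every score set as the same man page describes.

```python
# Constructed stand-ins for the two files named in the thread, listed in the
# order assumed here: shipped defaults first, then the site-wide local.cf.
CONFIG_FILES = [
    ("/usr/share/spamassassin/50_scores.cf",
     "score BAYES_00 0 0 -2.312 -2.599\n"
     "score SAMPLE_RULE 1.0 1.5 2.0 2.5   # hypothetical rule\n"),
    ("/etc/mail/spamassassin/local.cf",
     "score BAYES_00 -3\n"),
]


def parse_scores(files):
    """Map rule name -> (four per-set scores, file that set them)."""
    table = {}
    for path, text in files:
        for line in text.splitlines():
            parts = line.split("#", 1)[0].split()
            if len(parts) < 3 or parts[0] != "score":
                continue
            try:
                values = [float(v) for v in parts[2:]]
            except ValueError:
                continue  # relative "(n)" scores are not handled here
            if len(values) == 1:
                values *= 4  # a single score applies to every score set
            if len(values) != 4:
                continue  # only the one- and four-score forms are handled
            table[parts[1]] = (tuple(values), path)  # later line replaces earlier
    return table


def score_set(bayes, net):
    """Score set index as numbered in the man page text quoted above."""
    return (2 if bayes else 0) + (1 if net else 0)


def effective_scores(files, bayes, net):
    """Final score per rule for one Bayes/network combination."""
    idx = score_set(bayes, net)
    return {rule: vals[idx] for rule, (vals, _) in parse_scores(files).items()}


if __name__ == "__main__":
    for rule, score in sorted(effective_scores(CONFIG_FILES, True, True).items()):
        print(f"{rule} = {score}")
```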




Re: ending rule score result

2009-07-07 Thread Daniel Schaefer
I just installed that and it works nicely. However, we're getting off 
track a little... My second question was answered with RTFMP, but my 
first question about a script that will show me the ending score after 
all config files have been read, has not been answered.  If anyone knows 
of any kind of script, please let me know.


Also, again off the subject...is it common practice in this user list to 
reply at the bottom of emails, or can I continue to reply at the top?


Dan Schaefer



Bowie Bailey wrote:

Benny Pedersen wrote:

On Tue, July 7, 2009 19:53, Jari Fredriksson wrote:
 

Reply button replies only to the sending individual.



should be okay

thunderbird can have a plugin to fix this problem ?
  


The plugin is called Reply to mailing list.  It adds a Reply list 
button that works quite well.




good Spamassassin Summary report

2009-07-03 Thread Daniel Schaefer
I have searched far and wide for a good Spamassassin report using 
numerous keywords in Google searches, but I can't find the one that fits 
my needs. I am looking for a script that can be run via cron job on a 
daily basis. I would pass the script the location of the mail log. The 
output will show me for each rule, how many times that rule passed the 
test. It will only show me the rules where the count is more than 0. For 
example:


ALL_TRUSTED 287
BAYES_00   67
BAYES_10   43
BAYES_20   23
...
RCVD_IN_PBL   25


If you have found something similar to this, good. If you have created 
your own script to do this, better. If Spamassassin has this script 
created already and I missed it, even better.


Thanks in advance,
Dan Schaefer
Application Developer
Performance Administration Corp.



Re: good Spamassassin Summary report

2009-07-03 Thread Daniel Schaefer
Yes, actually it is exactly what I'm looking for. I saw another sa-stats 
script that only showed the %'s for HAM and SPAM and the average score 
and what not. Thank you sir for sending me this.


Dan Schaefer
Application Developer
Performance Administration Corp.



Rick Macdougall wrote:

Daniel Schaefer wrote:
I have searched far and wide for a good Spamassassin report using 
numerous keywords in Google searches, but I can't find the one that 
fits my needs. I am looking for a script that can be run via cron job 
on a daily basis. I would pass the script the location of the mail 
log. The output will show me for each rule, how many times that rule 
passed the test. It will only show me the rules where the count is 
more than 0. For example:


ALL_TRUSTED 287
BAYES_00   67
BAYES_10   43
BAYES_20   23
...
RCVD_IN_PBL   25




Hi,

Does this do what you want ?

http://www.rulesemporium.com/programs/sa-stats.txt

Sample Output

Time Spent Running SA:         1.68 hours
Time Spent Processing Spam:    0.29 hours
Time Spent Processing Ham:     1.39 hours

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME                    COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  HTML_MESSAGE                   824    77.07    88.13   74.20
   2  RAZOR2_CHECK                   772    19.61    82.57    3.32
   3  RAZOR2_CF_RANGE_51_100         753    18.21    80.53    2.08
   4  RAZOR2_CF_RANGE_E8_51_100      713    17.19    76.26    1.91
   5  URIBL_BLACK                    652    16.03    69.73    2.13
   6  MIME_HTML_ONLY                 609    29.64    65.13   20.45

Regards,

Rick



Re: good Spamassassin Summary report

2009-07-03 Thread Daniel Schaefer
I guess there's one thing missing. I can't enter a date range...(today, 
yesterday, etc).


Dan Schaefer
Application Developer
Performance Administration Corp.



Daniel Schaefer wrote:
Yes, actually it is exactly what I'm looking for. I saw another 
sa-stats script that only showed the %'s for HAM and SPAM and the 
average score and what not. Thank you sir for sending me this.


Dan Schaefer
Application Developer
Performance Administration Corp.



Rick Macdougall wrote:

Daniel Schaefer wrote:
I have searched far and wide for a good Spamassassin report using 
numerous keywords in Google searches, but I can't find the one that 
fits my needs. I am looking for a script that can be run via cron 
job on a daily basis. I would pass the script the location of the 
mail log. The output will show me for each rule, how many times that 
rule passed the test. It will only show me the rules where the count 
is more than 0. For example:


ALL_TRUSTED 287
BAYES_00   67
BAYES_10   43
BAYES_20   23
...
RCVD_IN_PBL   25




Hi,

Does this do what you want ?

http://www.rulesemporium.com/programs/sa-stats.txt

Sample Output

Time Spent Running SA:         1.68 hours
Time Spent Processing Spam:    0.29 hours
Time Spent Processing Ham:     1.39 hours

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME                    COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  HTML_MESSAGE                   824    77.07    88.13   74.20
   2  RAZOR2_CHECK                   772    19.61    82.57    3.32
   3  RAZOR2_CF_RANGE_51_100         753    18.21    80.53    2.08
   4  RAZOR2_CF_RANGE_E8_51_100      713    17.19    76.26    1.91
   5  URIBL_BLACK                    652    16.03    69.73    2.13
   6  MIME_HTML_ONLY                 609    29.64    65.13   20.45

Regards,

Rick



Re: good Spamassassin Summary report

2009-07-03 Thread Daniel Schaefer
Cool. Having it as part of the Logwatch report would be just fine with 
me. I have created a short logwatch script to count and show me a 
running total of each spam score number, but your script I'm sure is a 
lot better than mine. Would you be willing to release yours to the open 
source community, or would you ask for some sort of compensation?


Dan Schaefer
Application Developer
Performance Administration Corp.



Martin Gregorie wrote:

On Fri, 2009-07-03 at 12:03 -0400, Daniel Schaefer wrote:
  
If you have found something similar to this, good. If you have created 
your own script to do this, better. If Spamassassin has this script 
created already and I missed it, even better.




I wrote my own but it is somewhat specialized because:

- it runs as part of the logwatch report rather than being a cron job.
  This is the easiest way I know to restrict the scan to the last 24
  hours of the maillog.

- one section of its report comes from maillog entries generated by my 
  spamkiller utility, but this just shows totals for clean, spam and
  total messages.

- it is designed to monitor only my own custom rules. It reads local.cf
  to get a list of them and ignores everything else.

- by default it only reports the top ten firing rules.

- it has options to list all rules alphabetically or ranked by hit rate.

- written in Perl, but what else would you expect from an SA reporting
  tool?
  


Martin
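
Added example, not the sa-stats script linked above and not code from anyone in this thread: a small Python counter that produces the per-rule hit list requested at the start of the thread, with the single-day filter mentioned later as missing. The log lines are constructed, and the "spamd: result:" line layout they follow is an assumption about how spamd logs scan results; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed maillog lines. The "spamd: result:" layout (Y or . flag, score,
# then a comma-separated rule list) is an assumption about spamd's logging.
SAMPLE_LOG = """\
Jul  2 23:59:01 pony spamd[4732]: spamd: result: Y 17 - ADVANCE_FEE_2,BAYES_99,KAM_LOTTO1 scantime=2.1,size=3120,user=nobody
Jul  3 08:15:42 pony spamd[4732]: spamd: result: . -2 - ALL_TRUSTED,BAYES_00 scantime=0.4,size=1811,user=nobody
Jul  3 09:02:10 pony spamd[4732]: spamd: connection from localhost.localdomain [127.0.0.1] at port 59780
Jul  3 09:02:11 pony spamd[4732]: spamd: result: Y 9 - BAYES_99,RCVD_IN_PBL scantime=1.7,size=2290,user=nobody
Jul  3 10:30:00 pony spamd[4732]: spamd: result: . 0 - ALL_TRUSTED,BAYES_20 scantime=0.3,size=990,user=nobody
"""

RESULT = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \S+ \S+ spamd\[\d+\]: "
    r"spamd: result: (?P<flag>[Y.]) +(?P<score>-?\d+) - (?P<rules>\S*)"
)


def rule_hits(log_text, month=None, day=None):
    """Count hits per rule; optionally keep only lines from one syslog date."""
    hits = Counter()
    for line in log_text.splitlines():
        m = RESULT.match(line)
        if not m:
            continue  # not a scan-result line
        if month and m["mon"] != month:
            continue
        if day and int(m["day"]) != day:
            continue
        hits.update(rule for rule in m["rules"].split(",") if rule)
    return hits


def report(hits):
    """One 'RULE count' line per rule that fired, sorted by rule name."""
    return "\n".join(f"{rule} {count}" for rule, count in sorted(hits.items()))


if __name__ == "__main__":
    print(report(rule_hits(SAMPLE_LOG, month="Jul", day=3)))
```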