Re: Re : Re: uri rules

2014-03-14 Thread Wolfgang Zeikat

In an older episode, on 2014-03-14 23:10, Leveau Stanislas wrote:


I have tested this rule but it does not work, it's strange



uri __SPAMS_URI_7 /\.webs\.com\//
describe __SPAMS_URI_7 url vers formulaire
score __SPAMS_URI_7 15.0


rules with names starting with __ do _not_ get scored

Try
meta LOCAL_SPAMS_URI_7 __SPAMS_URI_7
score LOCAL_SPAMS_URI_7 15.0




Re: -D turns off Bayes in in 3.4.0?

2014-02-24 Thread Wolfgang Zeikat

In an older episode, on 2014-02-20 23:56, Bob Proulx wrote:
 spamassassin -d -t -D < mail.file | less

Note: in the above command you did _not_ redirect STDERR to STDOUT

In an older episode, on 2014-02-21 19:20, Bob Proulx wrote:


I picked a spam message and piped it into:

   spamassassin -d -t -D 2>&1 | grep -i bayes | tee /tmp/sa.bayes-debug.out


In this second command you _did_ redirect STDERR to STDOUT via
2>&1

My experience has been that I need to redirect STDERR to STDOUT in order 
to catch the full output of

spamassassin -D -t

Hope this helps,

wolfgang



Re: Spamassassin with single link in body

2013-06-25 Thread Wolfgang Zeikat

In an older episode, on 2013-06-25 19:37, Celene wrote:

Hi,
I am currently getting lots of messages with just a single url in them.
Is there a way for spamassassin to match those?


Are they different URLs/domains?



Re: New rule for HTML spam, using comments?

2013-06-13 Thread Wolfgang Zeikat

In an older episode, on 2013-06-14 01:36, Amir 'CG' Caspi wrote:

(I am relatively new to SA's internal workings and don't know how to 
make such a rule, however.)


For basics of writing SA rules, maybe look at
http://wiki.apache.org/spamassassin/WritingRules

Hope this helps,

wolfgang




Re: Spam rule

2013-06-06 Thread Wolfgang Zeikat

Hi,

In an older episode, on 2013-06-06 23:54, Daniel McDonald wrote:

with body or 
subject contains  'lalalalala'   AND url  with PDF  NOT contains 'trusted.net'


body __LALA_B /la{5}/
header  __LALA_H Subject =~ /la{5}/


shouldn't that be
/(la){5}/
???

I think /la{5}/ would match
la instead of lalalalala ...

Cheers,

wolfgang
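To show the difference Wolfgang points out, here is a small added check (not part of the original thread) that runs both body patterns over constructed sample strings; Perl and Python agree on this regex syntax, so the result carries over to the SpamAssassin rule:

```python
import re

# The two candidate body patterns from the thread, as Python regexes.
UNGROUPED = re.compile(r"la{5}")    # quantifier binds to the final 'a' only
GROUPED = re.compile(r"(la){5}")    # quantifier binds to the group 'la'

# Constructed sample strings, not from the original post.
SAMPLES = [
    "please reply lalalalala now",   # five repetitions of 'la'
    "laaaaa",                        # one 'l' followed by five 'a's
    "lala",                          # too short for either pattern
]

def matches(pattern, texts):
    """Return the subset of texts in which the compiled pattern finds a match."""
    return [t for t in texts if pattern.search(t)]

def compare():
    """Map each pattern's source text to the samples it matches."""
    return {
        "la{5}": matches(UNGROUPED, SAMPLES),
        "(la){5}": matches(GROUPED, SAMPLES),
    }

if __name__ == "__main__":
    for pat, hits in compare().items():
        print(f"/{pat}/ matches: {hits}")
```

`/la{5}/` only hits the string with a single `l` and five `a`s, while `/(la){5}/` hits the repeated `lalalalala`, which is what the rule was meant to catch.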




Re: Spam rule

2013-06-06 Thread Wolfgang Zeikat

In an older episode, on 2013-06-07 00:17, Rejaine Monteiro wrote:


tala was only an example, thanks for the tip, I will test here


For basics of writing SA rules, maybe look at
http://wiki.apache.org/spamassassin/WritingRules

Hope this helps,

wolfgang




Re: Bizarre and seemingly pointless spams

2013-06-02 Thread Wolfgang Zeikat

In an older episode, on 2013-06-02 16:16, David F. Skoll wrote:


3) Envelope sender is in the nacha.org domain


2 days ago, we received hundreds of mails with that envelope sender 
domain containing malware like

Case_05312013_28192.exe extracted from the attachment Case_3375975.zip

And currently, hundreds of mails with said sender domain are being 
rejected here due to RBLs.


Regards,

wolfgang



Re: Yahoo single-link spam common elements

2013-03-01 Thread Wolfgang Zeikat

In an older episode, on 2013-03-02 02:19, Benny Pedersen wrote:

Ned Slider skrev den 2013-03-02 02:11:


header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/

Can someone explain the regex and why it fails to fire for 7 recipients?


as i read it, it fires if there is more than 4 domains, not only 5 
recipients, just a wild guess from me since i am not good at perl yet


At least 3 domains rather. IMHO, the regexp means:
{3} repetitions of (@ followed by 5 to 30 characters that are _not_ @)

Hope this helps.

Cheers,

wolfgang




Re: Yahoo single-link spam common elements

2013-03-01 Thread Wolfgang Zeikat

In an older episode, on 2013-03-02 02:40, John Hardin wrote:



header   __MANY_RECIPS  ToCc =~ /(?:\@[^@]{5,30}){3}/

Can someone explain the regex and why it fails to fire for 7 recipients?


(@, followed by 5-30 non-@ characters) repeated three times.


Does that mean the same sequence of (@, followed by 5-30 non-@ 
characters), repeated 3 times?


I wasn't sure about that earlier.

Regards,

wolfgang
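As an added illustration of the reading given in these two replies (this code is not from the thread), the pattern is run unchanged over constructed To/Cc strings; the helper reports how many non-@ characters follow each `@`, which is what decides whether a repetition fits the 5 to 30 limit:

```python
import re

# The __MANY_RECIPS pattern from the thread, unchanged. SpamAssassin's
# ToCc pseudo-header is To and Cc joined, so it is modelled as one string.
MANY_RECIPS = re.compile(r"(?:\@[^@]{5,30}){3}")

def fires(tocc):
    """True if the rule would hit on this combined To+Cc text."""
    return MANY_RECIPS.search(tocc) is not None

def at_gaps(tocc):
    """Number of non-@ characters between each '@' and the next '@' (or the end)."""
    return [len(p) for p in tocc.split("@")[1:]]

# Constructed samples; the addresses are placeholders, not from the original post.
THREE_SHORT = "a@example.com, b@example.com, c@example.com"
SEVEN_LONG = ", ".join(
    f"user{i}@mail.very-long-department-name.example" for i in range(7)
)
SEVEN_SHORT = ", ".join(f"u{i}@example.org" for i in range(7))

if __name__ == "__main__":
    for label, tocc in (("3 short", THREE_SHORT),
                        ("7 long", SEVEN_LONG),
                        ("7 short", SEVEN_SHORT)):
        print(f"{label}: fires={fires(tocc)} gaps={at_gaps(tocc)}")
```

Three recipients with short domains already fire the rule, while seven recipients whose domain plus the separator and the next local part exceed 30 characters never produce three consecutive `@` groups that fit, so the rule stays silent on them.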



Re: IS there a simple way to add a rule of a body mail test? I have a pattern..

2013-02-06 Thread Wolfgang Zeikat

In an older episode, on 2013-02-06 09:53, Eliezer Croitoru wrote:

body __HBRW_ENCODING /charset=\windows-1255\/
score __HBRW_ENCODING -0.1


I use a rule

mimeheader LOCAL_1251_CHARSET Content-Type =~ /charset=.{0,3}windows-1251/i


IMHO, charset is a MIME header, not a part of the message body.

Hope this helps,

wolfgang



Re: Is this a new typoe of URI obfuscation?

2012-06-12 Thread Wolfgang Zeikat

On 2012-06-12 20:52, Martin Gregorie wrote:

 so its probably worth treating .gg
 the same way as .cn and .ru, though for slightly different reasons.

Unless you're in .cn, .ru or vicinity or have correspondence partners 
there, you may be right.


wolfgang


Re: Suddenly getting lots of false positives.

2012-05-26 Thread Wolfgang Zeikat

In an older episode, on 2012-05-26 22:06, Jeremy Morton wrote:
OK I continue to get this problem - lots of spam is coming through now 
with:
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, 
medium trust


We had so many false positives with that rule, that I - as others who 
replied to your post already (see below) - have come to the conclusion 
that www.dnswl.org is not a reliable source of trust for us and disabled 
the rule by configuring


score RCVD_IN_DNSWL_MED 0

0 is zero, not uppercase o



I think it's likely to have something to do with me changing the 
machine's hostname to ip.game-point.net because it started happening 
just after that.


I doubt that.

Regards,

wolfgang

--  Forwarded Message  --

Subject: Re: Suddenly getting lots of false positives.
Date: Thursday, 24. May 2012
From: corpus.defero corpus.def...@idnet.com
To: users@spamassassin.apache.org

On Thu, 2012-05-24 at 10:14 +0100, Jeremy Morton wrote:
 I've gotten a lot of false positives coming into my inbox lately, and
 the principle reason for most of them seems to be that they are matching
 the following rule:
 -4.0 RCVD_IN_DNSWL_MED  RBL: Sender listed at http://www.dnswl.org/,
 medium trust


Given the connecting IP is listed with a number of anti-spam
blocklists:

59.94.13.26 Listed in Spamhaus XBL (CBL Data)
59.94.13.26 Listed in Spamhaus PBL (ISP Maintained)
59.94.13.26 Listed in Barracuda Reputation List
59.94.13.26 Listed in dul.dnsbl.sorbs.net
59.94.13.26 Listed in UCE PROTECT LEVEL 2
59.94.13.26 Listed in UCE PROTECT LEVEL 3

and that

bestinternetdancer.com

Is listed in Spamhaus domain block list & the multi.uribl.com block list
you'd have to wonder why it gets a reduction from: www.dnswl.org

I'm not 100% but isn't http://www.dnswl.org/ a 'DIY' whitelisting site
that anyone can kind of abuse?

The rule is tucked away in 72_active.cf, along with the other 'pay to
spam' whitelists from the likes of Return Path. I suggest you add this
to your local.cf to deal with such abuse:

score RCVD_IN_DNSWL_MED 0
score RCVD_IN_RP_CERTIFIED 0
score RCVD_IN_RP_SAFE 0

But that's just my default settings on every instance of SA that I work
on. Sometimes I add points for Return Path as it seems to help BLOCK
spam rather than pass ham - but that's a can of worms and a different
subject.







Re: Suddenly getting lots of false positives.

2012-05-26 Thread Wolfgang Zeikat

In an older episode, on 2012-05-26 22:38, Wolfgang Zeikat wrote:


We had so many false positives


Oops, I used your term false positives by accident. I and many others 
tend to call false Ham classifications

false negatives
(negative scores change the classification towards ham)

So:
We had so many false negatives
with that rule, that I - as others who 
replied to your post already (see below) - have come to the conclusion 
that www.dnswl.org is not a reliable source of trust for us and disabled 
the rule by configuring


score RCVD_IN_DNSWL_MED 0

0 is zero, not uppercase o


Cheers,

wolfgang




Re: Initial setup of SA - please help.

2010-08-15 Thread Wolfgang Zeikat

In an older episode, on 2010-08-15 15:57, Marc Richter wrote:


http://pastebin.com/Rhj2UMLS

I don't understand 3 things:

1)
Why is it recognized as not being spam, although the required score is 
3.0 and the actual score is 101.0?


It says score=-101.0, that is *not* the same as score=101.0. A 
negative score is positive == non spam.



Is this because of points 2) and 3)?


AFAIK, that is because of USER_IN_WHITELIST, yes.


3)
Why does USER_IN_WHITELIST apply here? iyeboxfzpfj zyy...@alxhkv.com 
is noone I've put onto any whitelist.


If I am not mistaken, a score of -100 indicates that a 
whitelist_from_rcvd rule has matched - that is a combination of sender 
address plus received header, see

 man Mail::SpamAssassin::Conf

Maybe try to grep for whitelist_from_rcvd in your configuration directories.

Hope this helps,

wolfgang



Re: Cyrillic text isn't matched when quoted-printable (?!)

2010-03-19 Thread Wolfgang Zeikat

John Hardin wrote:

On Fri, 19 Mar 2010, Wolfgang Zeikat wrote:

I have written some body rules to catch cyrillic text, using a utf-8 
aware editor. They work fine in mails with

Content-Type: text/html; charset=UTF-8

They do not catch the same strings in mails like
Content-Type: text/plain; charset=windows-1251


Save another version of your rules encoded in windows-1251?


Frankly, I have no idea how to do that.




Re: Filtering eMails with certain subjects

2010-03-17 Thread Wolfgang Zeikat

Hans-Werner Friedemann wrote:

how can I adjust in SA, that eMails with a certain subject 
are listed in my blacklist and filtered out?


Have you read
http://wiki.apache.org/spamassassin/WritingRules ?

Hope this helps.

wolfgang




Re: administra...@willspc.net bounces

2010-01-24 Thread Wolfgang Zeikat
In an older episode (Sunday, 24. January 2010), Benny Pedersen wrote:
You are right, concerning mails to users-unsubscr...@spamassassin.org

 why did the bounce not go to apache.org ?

As stated before: because the MTA of the recipient sends bounces to the 
address in the From: header line, not to the envelope sender address 
(which would be apache.org). 


 not even the bounce email exists on the mta, so it will be bounce for
 anything sent to this domain, why did thay not remove that sucking
 domain from dns ? :)

Harsh reply: why do you post that question here instead of asking them 
who would probably be the only ones able to answer that?

Regards,

wolfgang



Re: Filter question

2009-11-30 Thread Wolfgang Zeikat

Benny Pedersen wrote:


postfix reject_unverified_sender does a vrfy


Nope. It opens an SMTP connection and waits what the receiving MTA 
answers to RCPT TO


Then it closes the connection.

That is not vrfy.

Hope this helps,

wolfgang




Re: EmailBL plugin released

2009-05-12 Thread Wolfgang Zeikat

Hi

On 05/12/2009 11:20 AM, Henrik K wrote:

http://sa.hege.li/EmailBL.pm  (see inside for documentation)


### About:
#
# This plugin creates rbl style DNS lookups for emails.

does this plugin handle emails in the sense of email addresses? Or 
does it make md5hashes of emails in the sense of email messages?


Regards,

wolfgang



Re: Bombed by PNG spam and spamassassin say its HAM argh

2009-04-30 Thread Wolfgang Zeikat

Michelle Konzack wrote:


Does someone know HOW to reject this crap effectively?


SpamAssassin does not reject mail. But with the clamav plugin and the 
3rd party clamav signatures from sanesecurity.com, it detects them 
pretty well here.


Hope this helps,

wolfgang






Re: URI with spaces are not recognized

2009-02-13 Thread Wolfgang Zeikat
I think the discussion is getting carried in a direction where we are 
missing a point: spam detection.


Kevin Parris wrote:

Artificial intelligence will never overcome natural stupidity (or the
clever ingenuity of criminals) ... if people actually DO that (copy
the url and remove the spaces) there is some temptation to say they
get what they deserve ... but on the other hand most of the spam/scam
stuff out there is based on the premise that plenty of people are
greedy, gullible, uninformed, overly trusting, stupid, or some
combination of the above.


Franz Schwartau fr...@electromail.org 02/13/09 2:18 PM 

You won't solve a problem by defining there is no problem.

In these spams people are requested to remove the spaces when
entering the given string (url) in their browser.


IMHO, the point here is:
how can these obfuscated URI be detected as such and be submitted to 
URI(BL) rules, so that those mails can more easily be classified as what 
they are: spam - no matter what final recipients might deserve or do 
with them (or not).


Regards,

wolfgang




Re: Single URI spam not checked against URIBLs

2008-12-16 Thread Wolfgang Zeikat

Ned Slider wrote:

Wolfgang Zeikat wrote:

Ned Slider wrote:




For those using RHEL5/CentOS5 and wanting to update,


We use Scientific Linux 5 which is a re-compiled RHEL 5


*erm*, actually it's Scientific Linux 4 (RHEL 4), the rest is true tho ;)

- with Dag's 
3.56 rpm installed. I installed HTML::Parser 3.59 there from CPAN 
(with local make) without uninstalling the rpm. The URI detection 
behaviour didn't change, so I am interested in your procedure.





Yes, I downloaded the perl-HTML-Parser-3.56 src.rpm package from RPMForge:

http://dag.wieers.com/rpm/packages/perl-HTML-Parser/perl-HTML-Parser-3.56-1.rf.src.rpm 



Extract the SPEC file, edit the Version and Release lines to 3.59 
and 1.el5, respectively.


(no need for the latter here, see above)



Download the HTML-Parser-3.59 tarball

http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/HTML-Parser-3.59.tar.gz

Copy the edited SPEC file to the /SPECS dir and the source tarball to 
the /SOURCES dir of your build environment, and build the package with:


rpmbuild -ba --target=`uname -m` perl-HTML-Parser.spec

and install the package with rpm.




Hope that helps :)



Worked like a charm, thank you very much!

Regards,

wolfgang




Re: Single URI spam not checked against URIBLs

2008-12-06 Thread Wolfgang Zeikat

Ned Slider wrote:


Thanks for the heads up. it indeed works (HTML::Parser 3.59).



For those using RHEL5/CentOS5 and wanting to update,


We use Scientific Linux 5 which is a re-compiled RHEL 5 - with Dag's 
3.56 rpm installed. I installed HTML::Parser 3.59 there from CPAN (with 
local make) without uninstalling the rpm. The URI detection behaviour 
didn't change, so I am interested in your procedure.


I built a 
perl-HTML-Parser-3.59 RPM package from Dag's SPEC file (v3.56) on 
RPMForge by dropping in the 3.59 source tarball. It built cleanly and is 
now running on my system :)




Could you describe more elaborately how you did that?

Regards,

wolfgang




Message size limit for sa-learn

2008-12-03 Thread Wolfgang Zeikat
We have set -s for spamc to 350k - and we can use spamassassin -t on 
messages of that size, but we can not sa-learn them, sa-learn -D -t puts 
out:


[17460] info: archive-iterator: skipping large message
Learned tokens from 0 message(s) (0 message(s) examined)

Can we pass the 350k limit to sa-learn somehow?

Regards,

wolfgang



Re: Message size limit for sa-learn (oops)

2008-12-03 Thread Wolfgang Zeikat

Wolfgang Zeikat wrote:
We have set -s for spamc to 350k - and we can use spamassassin -t on 
messages of that size, but we can not sa-learn them, sa-learn -D -t puts 
out:


Sorry, it's late here. What I meant is

sa-learn -D --spam puts out:



[17460] info: archive-iterator: skipping large message
Learned tokens from 0 message(s) (0 message(s) examined)

Can we pass the 350k limit to sa-learn somehow?

Regards,

wolfgang





Long scan times with ctyme.ixhash.net

2008-09-29 Thread Wolfgang Zeikat

Adding
body CTYME_IXHASH eval:ixhashtest('ctyme.ixhash.net')
lets the scan times get significantly longer in SA 3.1.8 and 3.2.3 and 
in SA 3.1.8 generates:

ixhash timeout reached at /etc/mail/spamassassin/iXhash.pm line 76

The timeout effect resembles last Wednesday when login-solutions was 
apparently mostly unreachable for our SA machines.


Do others also see that effect with ctyme.ixhash.net?

Regards,

wolfgang



OT: Ongoing phishing mail flood

2008-09-05 Thread Wolfgang Zeikat
We are currently receiving lots of password phishing mails with envelope 
sender and From: header

[EMAIL PROTECTED] and Reply-To:
[EMAIL PROTECTED]

The connecting mail servers
que41.charter.net[209.225.8.24]
que51.charter.net[209.225.8.25]

do apparently *not* stop re-connecting after receiving REJECT (554) 
errors, but keep coming back with the same sender-recipient pairs.


Regards,

wolfgang





Re: [OT] ClamAV

2008-04-30 Thread Wolfgang Zeikat

On 30.04.2008 13:29, jpff wrote:

Has something happened to msrbl.com ?  I have been using the Image
database with success for some time, but it seems to have vanished.


We get a lot of these errors:
rsync: getaddrinfo: rsync.mirror.msrbl.com 873: Name or service not known
rsync error: error in socket IO (code 10) at clientserver.c(94)
rsync: getaddrinfo: rsync.mirror.msrbl.com 873: Name or service not known
rsync error: error in socket IO (code 10) at clientserver.c(94)

But every now and then, it works:
Tue Apr 29 00:47:11 2008 - new version of MSRBL-Images.hdb found
Tue Apr 29 04:47:10 2008 - new version of MSRBL-Images.hdb found
Tue Apr 29 11:47:32 2008 - new version of MSRBL-Images.hdb found
Tue Apr 29 14:47:17 2008 - new version of MSRBL-Images.hdb found
Tue Apr 29 15:47:09 2008 - new version of MSRBL-Images.hdb found
Tue Apr 29 19:47:07 2008 - new version of MSRBL-Images.hdb found
Tue Apr 29 21:47:12 2008 - new version of MSRBL-Images.hdb found
Wed Apr 30 10:47:11 2008 - new version of MSRBL-Images.hdb found
Wed Apr 30 12:47:43 2008 - new version of MSRBL-Images.hdb found

Regards,

wolfgang





Can't locate MLDBM.pm in @INC

2007-10-24 Thread Wolfgang Zeikat
With SpamAssassin version 3.1.8 running on Perl version 5.8.5, I get the 
 spamd error Can't locate MLDBM.pm in @INC even after installing 
MLDBM.pm (on a redhat EL 4 based Scientific Linux system).


# find / -iname MLDBM.pm
/usr/lib/perl5/vendor_perl/5.8.5/IO/All/MLDBM.pm

How can I fix that?

Regards,

wolfgang

spamd error from maillog:
spamd[8110]: Can't locate MLDBM.pm in @INC (@INC contains: .. 
/etc/mail/spamassassin lib ../lib 
/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.5 
/usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 
/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 
/usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 
/usr/lib/perl5/site_perl 
/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-mul


Re: Can't locate MLDBM.pm in @INC

2007-10-24 Thread Wolfgang Zeikat



On 24.10.2007 17:08, Emmanuel Seyman wrote:


How can I fix that?


Install the perl-MLDBM rpm which should be provided by your distribution.


Yep, it is. Thanks!

wolfgang



Problem with clamav plugin

2007-07-24 Thread Wolfgang Zeikat
In SA 3.1.8, I am trying to use the clamav plugin from 
http://wiki.apache.org/spamassassin/ClamAVPlugin


spamassassin -t -D output includes
dbg: ClamAV: Detected virus: Email.Stk.Gen596.Sanesecurity.07071900.pdf

It adds a  header
X-Spam-Virus: Yes (Email.Stk.Gen596.Sanesecurity.07071900.pdf)
allright, but additional rules to check for sanesecurity  virus names 
are not matched.


Rules:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV_SANE 5

Any suggestions what is going wrong?

Regards,

wolfgang




Re: Problem with clamav plugin

2007-07-24 Thread Wolfgang Zeikat



On 07/24/07 15:43, OliverScott wrote:

You need to set a high priority for the meta rules as otherwise they are
evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert in
how SA works, but I eventually came up with the following solution (for
using several different 3rd party clamav signatures):




In your case you could fix what you have done (which looks to be taken from
one of my previous messages while trying to get this to work myself?) by
making it:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE) 
score MY_CLAMAV_SANE 5 


(typo fixed)




Hope this helps!


Yes, it does! Thanks a lot,

wolfgang



Re: Problem with clamav plugin

2007-07-24 Thread Wolfgang Zeikat



On 07/24/07 15:43, OliverScott wrote:

full CLAMAV eval:check_clamav() 
describe CLAMAV Clam AntiVirus detected something... 
score CLAMAV 0.001 


If you don't want CLAMAV to score (high), apparently you can rename it 
to __CLAMAV, works fine here.


To make the meta rule work too, I had to give it a higher priority 
number than the header rules, so that my working clamav.cf is now:


loadplugin ClamAV /etc/mail/spamassassin/clamav.pm
full __CLAMAV eval:check_clamav()
describe __CLAMAV Clam AntiVirus detected a virus

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9998

header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9998

meta MY_CLAMAV_SANE (__CLAMAV && __MY_CLAMAV_SANE)
priority MY_CLAMAV_SANE 
score MY_CLAMAV_SANE 5


wolfgang




Re: Writing a rule to access SA ClamAV Plugin Header

2007-07-24 Thread Wolfgang Zeikat



On 07/24/07 15:00, Wolfgang Zeikat wrote:
 In SA 3.1.8, I am trying to use the clamav plugin from
 http://wiki.apache.org/spamassassin/ClamAVPlugin

 spamassassin -t -D output includes dbg: ClamAV: Detected virus:
 Email.Stk.Gen596.Sanesecurity.07071900.pdf

 It adds a  header X-Spam-Virus: Yes
 (Email.Stk.Gen596.Sanesecurity.07071900.pdf) allright, but additional
 rules to check for sanesecurity  virus names are not matched.

 Rules:

 header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
 header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
 meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
 score MY_CLAMAV_SANE 5

 Any suggestions what is going wrong?


On 07/24/07 15:43, OliverScott wrote:

 # Give the above rules a very late priority so that they can see the
 output
 # of previous rules - otherwise they don't work! Not sure what the
 correct # priority should be but this seems to work...

 In your case you could fix what you have done (which looks to be
 taken from
 one of my previous messages while trying to get this to work myself?)
 by making it:

 header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
 priority __MY_CLAMAV 
 header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
 priority __MY_CLAMAV_SANE 
 meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
 score MY_CLAMAV_SANE 5

(typo fixed)



 Hope this helps!

Yes it does, thanks again.

 full CLAMAV eval:check_clamav()
 describe CLAMAV Clam AntiVirus detected something...
 score CLAMAV 0.001

If you don't want CLAMAV to score (high), apparently you can rename it 
to __CLAMAV, works fine here.


To make the meta rule work too, I had to give it a higher priority 
number than the header rules, so that my working clamav.cf is now:


loadplugin ClamAV /etc/mail/spamassassin/clamav.pm
full __CLAMAV eval:check_clamav()
describe __CLAMAV Clam AntiVirus detected a virus

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9998

header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9998

meta MY_CLAMAV_SANE (__CLAMAV && __MY_CLAMAV_SANE)
priority MY_CLAMAV_SANE 
score MY_CLAMAV_SANE 5

I hereby add this important information (IMHO) to
this thread that is linked on
http://wiki.apache.org/spamassassin/ClamAVPlugin


Regards,

wolfgang





Re: FuzzyOcr output

2007-07-18 Thread Wolfgang Zeikat

On 07/18/07 01:21, René Berber wrote:

Wolfgang Zeikat wrote:

In an older episode (Tuesday, 17. July 2007 21:43), René Berber wrote:


Wolfgang Zeikat wrote:
You can add a line to FuzzyOcr.pm :

use POSIX;


That line is already there.



Sorry, I should have said:

use POSIX qw(SIGTERM);



yes, that fixed it (or does at least suppress the output), thanks.

wolfgang




Re: Errors with PDFInfo.pm

2007-07-17 Thread Wolfgang Zeikat

Hello again,

On 07/12/07 16:22, Dallas Engelken wrote:

Wolfgang Zeikat wrote:
I noticed that some of the latest pdf spam mails do not contain a 
filename in the mime headers, could that be a reason for the above 
behaviour?



Possibly, but seeing that line 300 is just a dbg() line itself, you can 
either comment it out, or change it to something that will not throw a 
warn.


   # dbg("pdfinfo: found part, type=$type file=$name cte=$cte");
   dbg("pdfinfo: found part, type=".($type ? $type : '')." file=".($name ? $name : '')." cte=".($cte ? $cte : ''));




Thanks, that fixed those. Lately, I see a lot of:
Jul 17 14:27:10 spamlock2 spamd[9786]: Use of uninitialized value in 
concatenation (.) or string at /etc/mail/spamassassin/PDFInfo.pm line 
272, GEN25171 line 1579.
Jul 17 14:27:10 spamlock2 spamd[9786]: Use of uninitialized value in 
hash element at /etc/mail/spamassassin/PDFInfo.pm line 283, GEN25171 
line 1579.


Line 272 is (after the earlier changes):
dbg("pdfinfo: MD5 results for ".($name ? $name : '')." - md5=$md5 fuzzy1=$fuzzy_md5 fuzzy2=$tags_md5");


Line 283 is:
$pms->{pdfinfo}->{fuzzy_md5}->{$tags_md5} = 1;

Regards,

wolfgang



Re: Errors with PDFInfo.pm

2007-07-17 Thread Wolfgang Zeikat

Hi Dallas,

On 07/17/07 15:17, Dallas Engelken wrote:

Wolfgang Zeikat wrote:

Line 272 is (after the earlier changes):
dbg("pdfinfo: MD5 results for ".($name ? $name : '')." - md5=$md5 fuzzy1=$fuzzy_md5 fuzzy2=$tags_md5");


Line 283 is:
$pms->{pdfinfo}->{fuzzy_md5}->{$tags_md5} = 1;



I'd say $tags_md5 is undef then which is odd because if it made it 
that far, then the message has a pdf in it and all pdfs have tag 
structures.


as far as I can tell from our logs, there are not necessarily pdf's 
involved each time the warnings occur.




Got samples that make that warn appear?


Yup, I have found one sample with pdf that triggers the warnings, I will 
send it to you off list.


Thanks and best regards,

wolfgang




FuzzyOcr output

2007-07-17 Thread Wolfgang Zeikat

Hi,

in a test installation of FuzzyOcr 3.5.1 in SA 3.1.8 I get the following 
output when running spamassassin < some_message on the command line:


Subroutine FuzzyOcr::O_CREAT redefined at 
/usr/lib/perl5/5.8.5/Exporter.pm line 65.

 at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19
Subroutine FuzzyOcr::O_EXCL redefined at 
/usr/lib/perl5/5.8.5/Exporter.pm line 65.

 at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19
Subroutine FuzzyOcr::O_RDWR redefined at 
/usr/lib/perl5/5.8.5/Exporter.pm line 65.

 at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19

1. Is that anything to worry about that should keep me from installing 
that on our productive machines?


2. What can I do to solve that?

Regards,

wolfgang



Errors with PDFInfo.pm

2007-07-12 Thread Wolfgang Zeikat

Hi,

On 07/12/07 15:39, Robert Schetterer wrote:

 Hi, @ll
 the newest version of pdfinfo plugin
 matched some new pdf spam right now

 *  2.0 GMD_PDF_FUZZY2_T3 BODY: Fuzzy MD5 Match
*  3D4E25DE4A05695681D694716D579474


yes it does that here too in SA 3.1.8, but I get errors like:

Jul 12 15:59:53 spamlock3 spamd[13136]: Use of uninitialized value in 
concatenation (.) or string at /etc/mail/spamassassin/PDFInfo.pm line 
300, GEN394 line 532.
Jul 12 15:59:53 spamlock3 spamd[13136]: Use of uninitialized value in 
concatenation (.) or string at /etc/mail/spamassassin/PDFInfo.pm line 
261, GEN394 line 532.
Jul 12 15:59:53 spamlock3 spamd[13136]: Use of uninitialized value in 
concatenation (.) or string at /etc/mail/spamassassin/PDFInfo.pm line 
262, GEN394 line 532.


I noticed that some of the latest pdf spam mails do not contain a 
filename in the mime headers, could that be a reason for the above 
behaviour?


Can I debug that closer to see what's going wrong?

Cheers,

wolfgang





Re: report_safe does not work

2007-07-12 Thread Wolfgang Zeikat

Hi,

On 07/12/07 15:47, Helmut Schneider wrote:

Hi,

I use amavisd-new 2.52 and SA3.21 chroot'ed.



Is there a setting that only mail with a hit greater than X is modified? 
Or did I miss anything else?


AFAIK, amavisd-new has its own ways of using SA, and that includes 
ignoring some local.cf options. You can try and put them into the 
amavisd config file with something like


$sa_report_safe = 1;

I don't have amavisd-new installed, but learned lately that the $sa_* 
way works with some options, see the sample / default cf files in the 
documentation.


HTH,

wolfgang



Re: Is there any way to score this?

2006-10-13 Thread Wolfgang Zeikat



On 10/13/06 17:12, Andreas Pettersson wrote:

Robert Swan wrote:

Is there anyway to get points added if the sending mail server has no 
PTR record *(unknown [196.211.162.65])?*


I am using Redhat Fedora and Spamassassin 3.1.2 and Postfix


With a postfix mail gateway, I use a local SA rule like:

Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/


Replace your.smtp.server by your server's name ...

Cheers,

wolfgang



Re: Is there any way to score this?

2006-10-13 Thread Wolfgang Zeikat



On 10/13/06 17:34, Wolfgang Zeikat wrote:
Received =~ /from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+your\.smtp\.server\.desy/


Replace your.smtp.server by your server's name ...


Oops, and leave out \.desy of course ;)
And - just to make sure - that's a header rule.



Cheers,

wolfgang
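As an added check (not from the original posts), the rule body from these two messages is applied to constructed Received headers in Postfix's layout, with the placeholder server name replaced by an assumed local MX name; `mx.example.org`, the host names and the IPs are example values, not real hosts:

```python
import re

# The rule body from the thread with your.smtp.server replaced by an
# assumed local MX name (a stand-in, not a real host), and without \.desy.
OUR_MX = r"mx\.example\.org"
NO_PTR = re.compile(
    r"from \S{1,30} \(unknown \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)\s+by\s+" + OUR_MX
)

def client_without_ptr(received_headers):
    """True if some Received header records a client with no PTR record
    handing the message to our own MX; hops further upstream are ignored."""
    return any(NO_PTR.search(h) for h in received_headers)

# Constructed Received lines in Postfix's layout (documentation values).
HEADERS_NO_PTR = [
    "from mail.example.net (unknown [192.0.2.10]) by mx.example.org (Postfix) with ESMTP id ABC123",
]
HEADERS_RESOLVED = [
    "from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org (Postfix) with ESMTP id ABC124",
]
HEADERS_OTHER_SERVER = [
    "from mail.example.net (unknown [192.0.2.10]) by relay.example.com (Postfix) with ESMTP id ABC125",
]

if __name__ == "__main__":
    for label, hdrs in (("no PTR", HEADERS_NO_PTR),
                        ("resolved", HEADERS_RESOLVED),
                        ("other server", HEADERS_OTHER_SERVER)):
        print(f"{label}: {client_without_ptr(hdrs)}")
```

Anchoring on `by your.smtp.server` is what keeps the rule from firing on unresolved hops recorded by someone else's relay further up the chain. In a rules file this would be a header rule, e.g. `header LOCAL_NO_PTR Received =~ /.../` with a name of your choosing (LOCAL_NO_PTR is an assumed name).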



Re: ImageInfo plugin for SA

2006-08-04 Thread Wolfgang Zeikat

Will that work in SA 3.0.*?

Sorry for first sending that question to you off list, Dallas.

cheers,

wolfgang




whitelist_from_spf (Re: Problems with AOL's TOS reports)

2005-12-02 Thread Wolfgang Zeikat



On 12/02/05 04:07, Justin Mason wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


you should _definitely_ whitelist AOL's scomp source address -- preferably
using whitelist_from_spf, as they publish a reliable SPF record
for aol.net.


will whitelist_from_spf work in 3.0.4 without further changes?

cheers,

wolfgang



SARE stock ruleset? (Re: custom rule help)

2005-11-16 Thread Wolfgang Zeikat



On 10/20/05 17:57, Chris Santerre wrote:

Company: 
Symbol: 
Price:



SARE is about to release a stock ruleset. Looks really good. I was going to
work on one, Then I saw the ninjas have it under control, and I'm just
sitting back and watching the fun. Not sure on the release date.



GO, ninjas, GO!
Any news when that one is going to be available?

cheers,

wolfgang


Re: [OT] Public Folders in Exchange 2003

2005-07-30 Thread Wolfgang Zeikat

We finally solved the problem.

On 05/23/05 17:09, Wolfgang Zeikat wrote:
We are trying to use a public folder on an Exchange 2003 server to store 
 spam for sa-learn. When a user copies a mail into that folder with 
outlook, plain text mails get converted to text and HTML. Copied with 
mozilla mail via IMAP, the mails stay unchanged. What are the necessary 
steps to prevent that reformatting via MAPI/outlook also?




Our Exchange 2003 with SP1 needed a registry key being created, as 
described on

http://support.microsoft.com/?id=817809

Seemingly, the problem only occurs on Exchange 2003 if you have SP1 for 
exchange installed. If you run into the problem, I bet you will be happy 
to find that solution ;)


regards,

wolfgang



Re: A Central 'Rules' site?

2005-06-29 Thread Wolfgang Zeikat



On 06/29/05 20:19, Evan Platt wrote:

Do you or anyone else have a more *doze friendly script? I have wget, 
cron and perl, so a lot of the other stuff in the rdj isn't needed - 
chmod, etc. Maybe a simple batch file that wget's the files?


wget -N URL only downloads a file if the copy on the server is newer 
than your local one.




Re: Couple of useful tests

2005-06-01 Thread Wolfgang Zeikat



On 06/01/05 20:50, Craig Jackson wrote:

Hi,
I created these tests which I find very accurate for detecting spam and 
so thought I'd let the list have a view. Lots of numbers or consonants 
in the reply-to usually bodes ill.


Good point about the reply-to, thanks!


header REPLY_TO_NUMS_CJ Reply-To =~ /[0-9]{6,}/
score REPLY_TO_NUMS_CJ 5.000
header RET_PATH_NUMS_CJ Return-path =~ /[0-9]{6,}/
score RET_PATH_NUMS_CJ 5.000
header REPLY_TO_CONSON_CJ Reply-To =~ /[bcdfghjklmnpqrstvwxyz]{5,}.*@/i
score REPLY_TO_CONSON_CJ 5.000
header RET_PATH_CONSON_CJ Return-path =~ /[bcdfghjklmnpqrstvwxyz]{5,}.*@/i
score RET_PATH_CONSON_CJ 5.000


I'd suggest removing the y there. Shouldn't that be Return-Path instead 
of Return-path?


Speaking of Return-Paths, have you checked your rules against mailing 
list software (ezmlm?!) envelope sender addresses? IIRC, they slightly 
resemble what you are trying to match ...


Regards,

wolfgang
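As an added illustration (not part of the thread), here are the four header rules from the post, with the y dropped from the consonant class as suggested and the score line for REPLY_TO_CONSON_CJ corrected, parsed and evaluated in Python against two constructed header sets: a spammy sender and an ezmlm-style list bounce address. Header names are compared case-insensitively here as the example's own choice, so the Return-path spelling question is sidestepped; the list address is constructed, not a real one.

```python
import re

# Constructed copy of the rules from the post (y removed, score name fixed).
RULES = """
header REPLY_TO_NUMS_CJ Reply-To =~ /[0-9]{6,}/
score REPLY_TO_NUMS_CJ 5.000
header RET_PATH_NUMS_CJ Return-Path =~ /[0-9]{6,}/
score RET_PATH_NUMS_CJ 5.000
header REPLY_TO_CONSON_CJ Reply-To =~ /[bcdfghjklmnpqrstvwxz]{5,}.*@/i
score REPLY_TO_CONSON_CJ 5.000
header RET_PATH_CONSON_CJ Return-Path =~ /[bcdfghjklmnpqrstvwxz]{5,}.*@/i
score RET_PATH_CONSON_CJ 5.000
"""

# Constructed sample headers: one spam-like sender, one ezmlm-style VERP
# bounce address of the kind mailing list software puts in Return-Path.
SPAMMY = {"Reply-To": "jkxqrst8834412@example.net",
          "Return-Path": "<jkxqrst8834412@example.net>"}
LIST_MAIL = {"Reply-To": "alice@example.org",
             "Return-Path": "<users-return-123456-alice=example.org@lists.example.org>"}

RULE_RE = re.compile(r'^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$')
SCORE_RE = re.compile(r'^score\s+(\S+)\s+([\d.]+)$')

def parse_rules(text):
    """Parse 'header NAME Hdr =~ /re/flags' and 'score NAME n' lines."""
    rules, scores = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            name, hdr, pat, flags = m.groups()
            rules[name] = (hdr.lower(), re.compile(pat, re.I if 'i' in flags else 0))
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    return rules, scores

def evaluate(headers, rules, scores):
    """Return (names of rules that hit, total score); unscored rules count 1.0
    as SpamAssassin does for rules without a score line."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hits = [n for n, (h, rx) in rules.items() if h in hdrs and rx.search(hdrs[h])]
    return hits, sum(scores.get(n, 1.0) for n in hits)

if __name__ == "__main__":
    rules, scores = parse_rules(RULES)
    for label, msg in (("spammy", SPAMMY), ("list mail", LIST_MAIL)):
        print(label, evaluate(msg, rules, scores))
```

The list mail is hit by RET_PATH_NUMS_CJ alone, purely because of the six-digit counter in the VERP address, which is the false-positive risk the reply points at.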


http://bugzilla.spamassassin.org/show_bug.cgi?id=4337

2005-05-27 Thread Wolfgang Zeikat

Is there a way to apply the fix in 3.0.2 ?

regards,

wolfgang


Re: http://bugzilla.spamassassin.org/show_bug.cgi?id=4337

2005-05-27 Thread Wolfgang Zeikat

On 05/27/05 21:39, Stuart Johnston wrote:

Wolfgang Zeikat wrote:


Is there a way to apply the fix in 3.0.2 ?



I've tried applying the patch but I'm not sure if it fixed the problem. 
 Do you have an example of a URL that is supposed to be fixed?




echo -e Subject: test\\n\\n'http://aeroseddicc.com\'|spamassassin

echo -e Subject: test\\n\\n'http://aeroseddicc.com'|spamassassin


[OT] Public Folders in Exchange 2003

2005-05-23 Thread Wolfgang Zeikat
We are trying to use a public folder on an Exchange 2003 server to store 
 spam for sa-learn. When a user copies a mail into that folder with 
outlook, plain text mails get converted to text and HTML. Copied with 
mozilla mail via IMAP, the mails stay unchanged. What are the necessary 
steps to prevent that reformatting via MAPI/outlook also?


Regards,

wolfgang


Re: [OT] Public Folders in Exchange 2003

2005-05-23 Thread Wolfgang Zeikat



On 05/23/05 17:44, Sloan, Craig wrote:


Examining the properties of the server's public folders, I cannot see any
settings that would change the format of the message. If I check the
properties of the public spam folder w/Outlook, it is set to use
IPM.post.



Craig, in the Exchange System Manager, under Internet Message Formats, 
in the Properties of Default > Advanced - what are your settings for 
Exchange rich-text format?


I just changed them from Determined by individual user settings to 
Never use, and the re-formatting by outlook appears to have ceased ...


Regards,

wolfgang


I hope this helps.

Craig

-Original Message-
From: Wolfgang Zeikat [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 23, 2005 11:09 AM

To: users@spamassassin.apache.org
Subject: [OT] Public Folders in Exchange 2003

We are trying to use a public folder on an Exchange 2003 server to store
  spam for sa-learn. When a user copies a mail into that folder with
outlook, plain text mails get converted to text and HTML. Copied with
mozilla mail via IMAP, the mails stay unchanged. What are the necessary
steps to prevent that reformatting via MAPI/outlook also?

Regards,

wolfgang


Re: Where to report abuse?

2005-04-29 Thread Wolfgang Zeikat

On 04/29/05 03:16, David Velásquez Restrepo wrote:
Does someone know if there is a way to report spam so it will be used to 
create rules meant to be downloaded and included into spamassassin? Like 
a dnsbl or spamcop, but for spamassassin rules, anybody?
If the spam contains URLs, you could check the included domains at
http://www.rulesemporium.com/cgi-bin/uribl.cgi to see if they are caught 
by URIBLs; if not, there is a report feature available on the lookup 
result page.