Re: sender name same as recipient name
>> What are the file names?
>
> CentOS is RHEL-based, right? Likely
> /etc/rc.d/init.d/spamassassin

/etc/init.d/spamassassin more probably.
Re: sender name same as recipient name
On Wed, 26 Sep 2007, John Calvert wrote:

> I have decided to restart this whole process... setting the bayes
> database back to its initial state & deleting auto-whitelist file.
>
> Is it good to use a bayes starter DB ? If so, where can I get a
> good one.

It's not generally a good idea to use *somebody else's* data for your
starter DB - the nature of their email traffic is not likely to be
similar to yours.

This is why it's a good idea to keep the messages you use to train your
bayes, if you're doing manual training - so that you can correct
training errors, and retrain from scratch if necessary.

Of course, that doesn't scale too well if you have large numbers of
users and are autolearning...

If your users retrieve their email from your server using IMAP, here's
one thing you can do: set up a SpamAssassin-SPAM and SpamAssassin-HAM
mail folder in each user's mailbox. Have them move missed spams to the
SpamAssassin-SPAM folder, and *copy* false positives (SA says it's spam
when it isn't) to the SpamAssassin-HAM folder. They can (and ideally
*should*) also copy some legitimate messages to their SpamAssassin-HAM
folder so that SA can get an idea of what "ham" looks like.

You can then train off those folders, and retrain as needed. To manage
the training work, you can rotate those files on a schedule - e.g. on
October 1, everybody's SpamAssassin-HAM becomes SpamAssassin-HAM-200709,
etc.

I have some scripting for that sort of thing here:
http://www.impsec.org/~jhardin/antispam/

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
    -- Mahmoud Ahmadeinejad clumsily dodges a question
       (60 minutes interview, 9/20/2007)
---
 242 days until the Mars Phoenix lander arrives at Mars
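A concrete version of the folder-training and rotation workflow described in the post above, added here as an example. It is not John Hardin's own scripting from impsec.org and not SpamAssassin project code. It assumes a Maildir layout under MAILROOT/<domain>/<user>/Maildir (the path shape that appears elsewhere in this thread) with the IMAP folders stored as the dot-directories .SpamAssassin-SPAM and .SpamAssassin-HAM; the MAILROOT variable, the --run switch and the test tree it builds are this example's own constructions.

```shell
#!/bin/sh
# Added example (not John Hardin's scripting, not SpamAssassin project code):
# train SpamAssassin from per-user IMAP folders and rotate them monthly.
# Assumptions (not on the page): Maildirs live under MAILROOT/<domain>/<user>/Maildir
# and the IMAP folders are the dot-directories .SpamAssassin-SPAM / .SpamAssassin-HAM.
# Nothing is touched unless the script is invoked with --run, so the functions can
# be exercised on a constructed test tree first.

MAILROOT="${MAILROOT:-/var/qmail/mailnames}"   # hypothetical root, see above
STAMP="${STAMP:-$(date +%Y%m)}"                # e.g. 200709 for a rotation on 1 Oct 2007

# Archive name for a folder: rotated_name SpamAssassin-HAM 200709 -> SpamAssassin-HAM-200709
rotated_name() {
    printf '%s-%s\n' "$1" "$2"
}

# Number of messages in a Maildir folder (new/ and cur/ together).
count_msgs() {
    find "$1/new" "$1/cur" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Feed one folder to sa-learn ($2 is "spam" or "ham") and print how many messages
# it held. --no-sync defers the journal merge; one sa-learn --sync runs at the end.
# A missing sa-learn (as on a test host) only skips the training step.
train_folder() {
    n=$(count_msgs "$1")
    if [ "$n" -gt 0 ] && command -v sa-learn >/dev/null 2>&1; then
        sa-learn --"$2" --no-sync "$1/new" "$1/cur" >/dev/null \
            || echo "sa-learn --$2 failed for $1" >&2
    fi
    printf '%s\n' "$n"
}

# Rename .SpamAssassin-HAM to .SpamAssassin-HAM-<STAMP> and recreate an empty
# folder, so the trained messages are kept for a later retrain from scratch.
# Refuses (status 1) when the folder is missing or the archive already exists.
rotate_folder() {
    src="$1/.$2"
    dst="$1/.$(rotated_name "$2" "$STAMP")"
    [ -d "$src" ] || return 1
    [ -e "$dst" ] && return 1
    mv "$src" "$dst" || return 1
    mkdir -p "$src/new" "$src/cur" "$src/tmp"
    printf '%s\n' "$dst"
}

# Train and rotate both folders of one mailbox; prints "spam=N ham=M".
process_mailbox() {
    spam=$(train_folder "$1/.SpamAssassin-SPAM" spam)
    ham=$(train_folder "$1/.SpamAssassin-HAM" ham)
    for f in SpamAssassin-SPAM SpamAssassin-HAM; do
        rotate_folder "$1" "$f" >/dev/null || echo "skipped rotation of $f in $1" >&2
    done
    printf 'spam=%s ham=%s\n' "$spam" "$ham"
}

# Constructed test tree: one mailbox with two spam samples and one ham sample.
# Prints the Maildir path it created.
make_sample_tree() {
    md="$1/example.com/mark/Maildir"
    for f in SpamAssassin-SPAM SpamAssassin-HAM; do
        mkdir -p "$md/.$f/new" "$md/.$f/cur" "$md/.$f/tmp"
    done
    printf 'Subject: constructed spam sample 1\n\nbody\n' > "$md/.SpamAssassin-SPAM/new/1.eml"
    printf 'Subject: constructed spam sample 2\n\nbody\n' > "$md/.SpamAssassin-SPAM/cur/2.eml"
    printf 'Subject: constructed ham sample\n\nbody\n'    > "$md/.SpamAssassin-HAM/cur/3.eml"
    printf '%s\n' "$md"
}

# Real run: ./train-rotate.sh --run   (walks every Maildir under MAILROOT)
if [ "${1:-}" = "--run" ] && [ -d "$MAILROOT" ]; then
    for md in "$MAILROOT"/*/*/Maildir; do
        [ -d "$md" ] || continue
        printf '%s: %s\n' "$md" "$(process_mailbox "$md")"
    done
    command -v sa-learn >/dev/null 2>&1 && sa-learn --sync >/dev/null
fi
```

Rotation refuses to overwrite an existing archive, so running the job twice in one month leaves the first archive intact and reports the skip on stderr; the archived folders are exactly the retraining corpus the post recommends keeping.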
Re: sender name same as recipient name
John D. Hardin wrote:
> On Wed, 26 Sep 2007, John Calvert wrote:
> > I see no "-L" or "--local" anywhere. See below...
> > # Source spamd configuration.
> > if [ -f /etc/sysconfig/spamassassin ] ; then
> >         . /etc/sysconfig/spamassassin
> > fi
>
> You'll also want to look in /etc/sysconfig/spamassassin

Just contains:
SPAMDOPTIONS="-d -c -H --max-children=1"

I have decided to restart this whole process... setting the bayes
database back to its initial state & deleting auto-whitelist file.

Is it good to use a bayes starter DB ? If so, where can I get a good one.

thanks,
JC
Re: sender name same as recipient name
On Wed, 26 Sep 2007, John Calvert wrote:

> I see no "-L" or "--local" anywhere. See below...
>
> # Source spamd configuration.
> if [ -f /etc/sysconfig/spamassassin ] ; then
>         . /etc/sysconfig/spamassassin
> fi

You'll also want to look in /etc/sysconfig/spamassassin

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
Re: sender name same as recipient name
John D. Hardin wrote:
> On Tue, 25 Sep 2007, feral wrote:
> > Where is this configuration file?
>
> Probably under /etc/mail/spamassassin
>
> > John Hardin wrote:
> > > Look for the command line that starts SA. If "-L" or "--local"
> > > appears, network tests have been disabled.
> > >
> > > You may be able to check this using "ps -fax" to see what the
> > > currently-running SA instance has for its command line.
> >
> > /usr/bin/spamd --username=popuser --daemonize --nouser-config
> > --helper-home-dir=/var/qmail --max-children 1 --create-prefs
> > --virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin
> > --pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock
>
> Odd, it looks like network tests *should* be running...
>
> Also: your bayes database files will probably be under popuser's home
> directory. See anything there?

cd /var/qmail/mailnames/blah.com/mark/.spamassassin
[EMAIL PROTECTED] .spamassassin]# ls
total 1691
   1 ./
   1 ../
 408 auto-whitelist
  97 bayes_journal
 141 bayes_seen
1042 bayes_toks
   1 user_prefs

This auto-whitelist file looks very suspicious. It is filled with spammer
addresses... the mark@ addresses I was talking about.

> > Evan Platt wrote:
> > > Edit your spamd start-up script, or start-up options file (depending on
> > > which OS you're running, these may be different). There should be a -L or
> > > --local switch in that file. Remove it to enable network tests. "
> >
> > What are the file names?
>
> CentOS is RHEL-based, right? Likely /etc/rc.d/init.d/spamassassin

I see no "-L" or "--local" anywhere. See below...

> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/

Here is my SA startup file:

[EMAIL PROTECTED] init.d]# more spamassassin
#!/bin/sh
#
# spamassassin  This script starts and stops the spamd daemon
#
# chkconfig: - 78 30
# processname: spamd
# description: spamd is a daemon process which uses SpamAssassin to check \
#              email messages for SPAM.  It is normally called by spamc \
#              from a MDA.

# Source function library.
. /etc/rc.d/init.d/functions

prog="spamd"

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Set default spamd configuration.
SPAMDOPTIONS="-d -c -m5 -H"
SPAMD_PID=/var/run/spamd.pid

# Source spamd configuration.
if [ -f /etc/sysconfig/spamassassin ] ; then
        . /etc/sysconfig/spamassassin
fi

[ -f /usr/bin/spamd -o -f /usr/local/bin/spamd ] || exit 0
PATH=$PATH:/usr/bin:/usr/local/bin

# By default it's all good
RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemon.
        echo -n $"Starting $prog: "
        daemon $NICELEVEL spamd $SPAMDOPTIONS -r $SPAMD_PID
        RETVAL=$?
        echo
        if [ $RETVAL = 0 ]; then
                touch /var/lock/subsys/spamassassin
        fi
        ;;
  stop)
        # Stop daemons.
        echo -n $"Stopping $prog: "
        killproc spamd
        RETVAL=$?
        echo
        if [ $RETVAL = 0 ]; then
                rm -f /var/lock/subsys/spamassassin
                rm -f $SPAMD_PID
        fi
        ;;
  restart)
        $0 stop
        sleep 3
        $0 start
        ;;
  condrestart)
        [ -e /var/lock/subsys/spamassassin ] && $0 restart
        ;;
  status)
        status spamd
        RETVAL=$?
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status|condrestart}"
        RETVAL=1
        ;;
esac

exit $RETVAL
Re: sender name same as recipient name
On Tue, 25 Sep 2007, feral wrote:

> Hmmm... deepest thread here w/ John Hardin somehow got
> broken... nabble hiccup?

My pruning stuff.

> Where is this configuration file?

Probably under /etc/mail/spamassassin

> John Hardin wrote:
>
> > Look for the command line that starts SA. If "-L" or "--local"
> > appears, network tests have been disabled.
> >
> > You may be able to check this using "ps -fax" to see what the
> > currently-running SA instance has for its command line.
>
> /usr/bin/spamd --username=popuser --daemonize --nouser-config
> --helper-home-dir=/var/qmail --max-children 1 --create-prefs
> --virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin
> --pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock

Odd, it looks like network tests *should* be running...

Also: your bayes database files will probably be under popuser's home
directory. See anything there?

> Evan Platt wrote:
>
> > Edit your spamd start-up script, or start-up options file (depending on
> > which OS you're running, these may be different). There should be a -L or
> > --local switch in that file. Remove it to enable network tests. "
>
> What are the file names?

CentOS is RHEL-based, right? Likely /etc/rc.d/init.d/spamassassin

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
Re: sender name same as recipient name
I am stopping using Nabble and just emailing my posting and responses.

Evan Platt wrote:
> I'm pretty close to killfiling Nabble posters. Nabble is to spamassassin
> as Google Groups is to usenet. Seriously.
>
> At 12:15 PM 9/25/2007, feral wrote:
> > Hmmm... deepest thread here w/ John Hardin somehow got
> > broken... nabble hiccup?
> >
> > So I am posting response here:
Re: sender name same as recipient name
I'm pretty close to killfiling Nabble posters. Nabble is to spamassassin
as Google Groups is to usenet. Seriously.

At 12:15 PM 9/25/2007, feral wrote:
> Hmmm... deepest thread here w/ John Hardin somehow got
> broken... nabble hiccup?
>
> So I am posting response here:
Re: sender name same as recipient name
On Tue, 2007-09-25 at 12:15 -0700, feral wrote:
>
> Hmmm... deepest thread here w/ John Hardin somehow got
> broken... nabble hiccup?
>
> So I am posting response here:
>
> Daniel McDonald wrote:
> >
> > basically, ensure it can resolve DNS. You can force it with
> >
> > dns_available yes
[...]
> Where is this configuration file?

On my box, /etc/mail/spamassassin/local.cf

but if /etc/resolv.conf doesn't have any dns servers, it won't work anyway...
Re: sender name same as recipient name
Hmmm... deepest thread here w/ John Hardin somehow got broken... nabble
hiccup?

So I am posting response here:

Daniel McDonald wrote:
>
> basically, ensure it can resolve DNS. You can force it with
>
> dns_available yes
> use_bayes_rules
>
> If you want to turn bayes off:
>
> use_bayes 0
> or maybe:
> use_bayes_rules 0 (if you want it to attempt to continue to update the
> bayes database)
>

Where is this configuration file?

John Hardin wrote:
>
> > How do I enable network tests?
>
> They should be enabled by default, you explicitly DISable them.
>
> Look for the command line that starts SA. If "-L" or "--local"
> appears, network tests have been disabled.
>
> You may be able to check this using "ps -fax" to see what the
> currently-running SA instance has for its command line.
>

/usr/bin/spamd --username=popuser --daemonize --nouser-config
--helper-home-dir=/var/qmail --max-children 1 --create-prefs
--virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin
--pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock

Evan Platt wrote:
>
> Edit your spamd start-up script, or start-up options file (depending on
> which OS you're running, these may be different). There should be a -L or
> --local switch in that file. Remove it to enable network tests. "
>

What are the file names?

thanks

--
View this message in context: http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12885692
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: sender name same as recipient name
On Tue, 25 Sep 2007, feral wrote:

> How do I enable network tests?

...and make sure your DNS on that box is configured and working, and you
will probably want to install a local caching DNS server as well.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
Re: sender name same as recipient name
On Tue, 25 Sep 2007, feral wrote:

> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
>         autolearn=no version=3.1.9
>
> So BAYES_00 brought the score down to negative .6 ?

Probably.

> Methinks the BAYES is not even functional (database absent).

It wouldn't give you BAYES_00 (high confidence ham) if that were the
case. You'd either see BAYES_50 or no BAYES_* hits at all.

> How do I enable network tests?

They should be enabled by default, you explicitly DISable them.

Look for the command line that starts SA. If "-L" or "--local"
appears, network tests have been disabled.

You may be able to check this using "ps -fax" to see what the
currently-running SA instance has for its command line.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
Re: sender name same as recipient name
On Tue, 2007-09-25 at 11:38 -0700, feral wrote:
>
>
> John D. Hardin wrote:
> >
> > On Tue, 25 Sep 2007, feral wrote:
> >
> >> Whatever the case, global bayes or not, or even bayes or not, how
> >> could an email with the obvious porn words in the subject (as in
> >> my examples) NOT get flagged?
> >
> > If bayes was mistrained to consider such words hammy, then BAYES_00
> > could drag the score back down below the threshold, cancelling out the
> > points added by HOT_NASTY and PORN_16.
> >
>
> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
> autolearn=no version=3.1.9
>
> So BAYES_00 brought the score down to negative .6 ? Methinks the BAYES is
> not
> even functional (database absent).
>
> How do I enable network tests?

basically, ensure it can resolve DNS. You can force it with

dns_available yes
use_bayes_rules

If you want to turn bayes off:

use_bayes 0
or maybe:
use_bayes_rules 0 (if you want it to attempt to continue to update the
bayes database)

>
> thanks

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
Re: sender name same as recipient name
At 11:45 AM 9/25/2007, feral wrote:
> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
> autolearn=no version=3.1.9
>
> So BAYES_00 brought the score down to negative .6 ? Methinks the BAYES is
> not even functional (database absent).
>
> How do I enable network tests?

http://wiki.apache.org/spamassassin/UsingNetworkTests

"How to turn on network tests:

Edit your spamd start-up script, or start-up options file (depending on
which OS you're running, these may be different). There should be a -L or
--local switch in that file. Remove it to enable network tests. "
Re: sender name same as recipient name
John D. Hardin wrote:
>
> On Tue, 25 Sep 2007, feral wrote:
>
>> Whatever the case, global bayes or not, or even bayes or not, how
>> could an email with the obvious porn words in the subject (as in
>> my examples) NOT get flagged?
>
> If bayes was mistrained to consider such words hammy, then BAYES_00
> could drag the score back down below the threshold, cancelling out the
> points added by HOT_NASTY and PORN_16.
>
> One response would be to make the HOT_NASTY and PORN_16 rules "poison
> pills" by raising their scores well above the threshold (i.e. to 20 or
> 30 or even 100) - but you would have to *really trust* those rules to
> do that.
>
> And I note that those rules didn't even hit on your first two
> examples.
>
> Both of the domains in those spams are listed in SURBL (but may not
> have been at the time you received them). URIBL network tests probably
> would have hit.
>
> So it looks to me like two major problems are present:
>
> 1) mistrained bayes
>
> 2) no network tests occurring (DNS RBLs, URI BLs, razor, etc.)
>
> And possibly:
>
> 3) not enough rules - add some from SARE?
> http://www.rulesemporium.com
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>

X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
        autolearn=no version=3.1.9

So BAYES_00 brought the score down to negative .6 ? Methinks the BAYES is
not even functional (database absent).

How do I enable network tests?

thanks

--
View this message in context: http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12885647
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: sender name same as recipient name
On Tue, 25 Sep 2007, feral wrote:

> Whatever the case, global bayes or not, or even bayes or not, how
> could an email with the obvious porn words in the subject (as in
> my examples) NOT get flagged?

If bayes was mistrained to consider such words hammy, then BAYES_00
could drag the score back down below the threshold, cancelling out the
points added by HOT_NASTY and PORN_16.

One response would be to make the HOT_NASTY and PORN_16 rules "poison
pills" by raising their scores well above the threshold (i.e. to 20 or
30 or even 100) - but you would have to *really trust* those rules to
do that.

And I note that those rules didn't even hit on your first two
examples.

Both of the domains in those spams are listed in SURBL (but may not
have been at the time you received them). URIBL network tests probably
would have hit.

So it looks to me like two major problems are present:

1) mistrained bayes

2) no network tests occurring (DNS RBLs, URI BLs, razor, etc.)

And possibly:

3) not enough rules - add some from SARE?
http://www.rulesemporium.com

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
Re: sender name same as recipient name
John D. Hardin wrote:
>
> On Mon, 24 Sep 2007, feral wrote:
>
>> RE: training. I don't know. My experience w/ SA is that
>> it just works and I haven't dealt with it at this level yet.
>> What is strange is that SA appeared to be working fine
>> for my client, then all of the sudden this spike in spam
>> occurred... and as I said, 99% of the spams have the
>> sender name same as recipient name (see original post).
>>
>> Below is the result of sa-learn -D --dump magic. I see
>> that "bayes: no dbs present" ... that looks bad. Maybe
>> this SA was not installed properly. Thanks for your help.
>
>> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
>> /root/.spamassassin/bayes_toks
>> [24475] dbg: config: score set 1 chosen.
>> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
>> /root/.spamassassin/bayes_toks
>
> This doesn't look like global bayes, and I don't use per-user so my
> advice may be a little inaccurate...
>
> Is there a .spamassassin subdirectory in that user's home directory?
> Does it have bayes_* files?
>
> If so, log in as that user (e.g. "su - mark") and run "sa-learn --dump
> magic" and see what the ham/spam token balance looks like.
>
> You should try to find out how bayes is being trained. I still think
> your problem stems (at least partly) from badly mistrained bayes.
>
> As others have suggested, make sure you are *not* using
> "whitelist_from". That particular option is a last-resort fallback
> option because it's so easy to bypass through forgery. However, as the
> header samples you posted did not say a whitelist rule was hitting,
> and the scores were not large and negative, that's probably not a
> cause of this particular problem.
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>

There is a .spamassassin subdirectory, but it doesn't have anything in it.
I suspect that SA was not installed properly on this server.
I am using a VPS with Plesk and per-user preferences is selected, so I
should be able to configure SA on a per-user basis. I'm going to bug my
server provider for help on this... it's their responsibility to properly
install SA.

Whatever the case, global bayes or not, or even bayes or not, how could
an email with the obvious porn words in the subject (as in my examples)
NOT get flagged?

thanks
JC

--
View this message in context: http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12884935
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: sender name same as recipient name
On Tue, 25 Sep 2007, Leon Kolchinsky wrote:

> As Dave said it seems that your problem is in whitelist
> configuration. Please use whitelist_from_rcvd instead of whatever
> you are using.

How so? The samples he posted did not say that whitelist rules were
hitting.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
Re: sender name same as recipient name
On Mon, 24 Sep 2007, feral wrote:

> RE: training. I don't know. My experience w/ SA is that
> it just works and I haven't dealt with it at this level yet.
> What is strange is that SA appeared to be working fine
> for my client, then all of the sudden this spike in spam
> occurred... and as I said, 99% of the spams have the
> sender name same as recipient name (see original post).
>
> Below is the result of sa-learn -D --dump magic. I see
> that "bayes: no dbs present" ... that looks bad. Maybe
> this SA was not installed properly. Thanks for your help.

> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
> /root/.spamassassin/bayes_toks
> [24475] dbg: config: score set 1 chosen.
> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
> /root/.spamassassin/bayes_toks

This doesn't look like global bayes, and I don't use per-user so my
advice may be a little inaccurate...

Is there a .spamassassin subdirectory in that user's home directory?
Does it have bayes_* files?

If so, log in as that user (e.g. "su - mark") and run "sa-learn --dump
magic" and see what the ham/spam token balance looks like.

You should try to find out how bayes is being trained. I still think
your problem stems (at least partly) from badly mistrained bayes.

As others have suggested, make sure you are *not* using
"whitelist_from". That particular option is a last-resort fallback
option because it's so easy to bypass through forgery. However, as the
header samples you posted did not say a whitelist rule was hitting,
and the scores were not large and negative, that's probably not a
cause of this particular problem.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
RE: sender name same as recipient name
> RE: training. I don't know. My experience w/ SA is that
> it just works and I haven't dealt with it at this level yet.
> What is strange is that SA appeared to be working fine
> for my client, then all of the sudden this spike in spam
> occurred... and as I said, 99% of the spams have the
> sender name same as recipient name (see original post).
>

As Dave said it seems that your problem is in whitelist configuration.
Please use whitelist_from_rcvd instead of whatever you are using.

Leon Kolchinsky
Re: sender name same as recipient name
RE: training. I don't know. My experience w/ SA is that
it just works and I haven't dealt with it at this level yet.
What is strange is that SA appeared to be working fine
for my client, then all of the sudden this spike in spam
occurred... and as I said, 99% of the spams have the
sender name same as recipient name (see original post).

Below is the result of sa-learn -D --dump magic. I see
that "bayes: no dbs present" ... that looks bad. Maybe
this SA was not installed properly. Thanks for your help.

[24475] dbg: logger: adding facilities: all
[24475] dbg: logger: logging level is DBG
[24475] dbg: generic: SpamAssassin version 3.1.9
[24475] dbg: config: score set 0 chosen.
[24475] dbg: util: running in taint mode? yes
[24475] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[24475] dbg: util: PATH included '/sbin', keeping
[24475] dbg: util: PATH included '/bin', keeping
[24475] dbg: util: PATH included '/usr/local/sbin', keeping
[24475] dbg: util: PATH included '/usr/local/bin', keeping
[24475] dbg: util: PATH included '/sbin', keeping
[24475] dbg: util: PATH included '/bin', keeping
[24475] dbg: util: PATH included '/usr/sbin', keeping
[24475] dbg: util: PATH included '/usr/bin', keeping
[24475] dbg: util: PATH included '/usr/X11R6/bin', keeping
[24475] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[24475] dbg: util: final PATH set to: /sbin:/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
[24475] dbg: message: MIME PARSER START
[24475] dbg: message: main message type: text/plain
[24475] dbg: message: parsing normal part
[24475] dbg: message: added part, type: text/plain
[24475] dbg: message: MIME PARSER END
[24475] dbg: dns: is Net::DNS::Resolver available? yes
[24475] dbg: dns: Net::DNS version: 0.48
[24475] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[24475] dbg: config: read file /etc/mail/spamassassin/init.pre
[24475] dbg: config: read file /etc/mail/spamassassin/v310.pre
[24475] dbg: config: read file /etc/mail/spamassassin/v312.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009" for sys rules pre files
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009" for default rules dir
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org.cf
[24475] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[24475] dbg: config: read file /etc/mail/spamassassin/local.cf
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8bc694c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8b86890)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8c060b4)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[24475] dbg: pyzor: network tests on, attempting Pyzor
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x8c1fed0)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[24475] dbg: razor2: razor2 is not available
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x8c3db44)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[24475] dbg: reporter: network tests on, attempting SpamCop
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x8cbbc20)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x8cde6ec)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x8ce8e2c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x8cec704)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x8cff50c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x8cf5c58)
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/empty.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/empty.pre" for included file
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/10_misc.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/10_misc.cf" for included file
[24475] dbg: confi
Re: sender name same as recipient name
On Mon, 24 Sep 2007, feral wrote:

> Here are the headers & bodies of 3 of the spams that got through
> (and are continuing to come through at a high rate):

> tests=BAYES_00,HELO_DYNAMIC_IPADDR2
> autolearn=no version=3.1.9

> tests=BAYES_00,HELO_DYNAMIC_IPADDR2,
> HELO_DYNAMIC_SPLIT_IP autolearn=no version=3.1.9

> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
> autolearn=no version=3.1.9

Observations:

(1) Hardly any rules are hitting.

(2) Everything is getting BAYES_00.

The very first thing to look at is your Bayes database. How are you
training it, and how has it gotten so badly mistrained?

Are you using a Bayes database that is global to all your clients, or
per-user Bayes databases? How are you training? Is the user actually
responsible for training, and the problem is basically their own fault?

Can you run "sa-learn --dump magic" and send us the output?

As Dave said, do you have network tests disabled?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
    -- Teflon Mahmoud in a 60 Minutes interview (9/20/2007)
---
 244 days until the Mars Phoenix lander arrives at Mars
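The two checks this thread keeps coming back to, as an added example that is not part of any post here: the "-L / --local" test on a spamd command line or SPAMDOPTIONS string (the "ps -fax" advice in the replies above) and a header triage that reports, for one message, whether From and To carry the same address, the score and BAYES_* rule from X-Spam-Status, and how many of the hits came from rules that only fire when network tests run (observations (1) and (2) in this message). The sample messages, the mark@example.com address and the rule-name prefixes used to recognise network rules (URIBL_, RCVD_IN_, RAZOR2_, PYZOR_, DNS_FROM_) are this example's own assumptions, modelled on the headers quoted in the thread.

```shell
#!/bin/sh
# Added example, not from any post in the thread: two checks the replies suggest,
# as small shell/awk functions over constructed input.
#  - network_tests_disabled: is -L / --local on a spamd command line or in SPAMDOPTIONS?
#  - summarize_message: read one message from stdin and report From==To, the
#    X-Spam-Status score and BAYES_* rule, and how many hits were network rules.

# Returns 0 when the option string disables network tests. Assumes the options
# are given separately, as in the command lines posted above (not bundled like -dcL).
network_tests_disabled() {
    for arg in $1; do
        case "$arg" in
            -L|--local) return 0 ;;
        esac
    done
    return 1
}

# Header summary of the message on stdin. Output line:
#   from_eq_to=yes|no score=<n> bayes=<BAYES_xx|none> net_rules=<n> hits=<n>
# The network-rule prefixes below are this example's assumption, not an SA list.
summarize_message() {
    awk '
    # Bare address from "name" <addr> or plain addr, lower-cased.
    function addr(s) {
        if (match(s, /<[^>]+>/)) return tolower(substr(s, RSTART + 1, RLENGTH - 2))
        gsub(/^[ \t]+|[ \t]+$/, "", s)
        return tolower(s)
    }
    /^$/     { exit }                                   # blank line ends the headers
    /^[ \t]/ { hdr[cur] = hdr[cur] " " $0; next }       # unfold continuation lines
    {
        i = index($0, ":")
        if (i == 0) next
        cur = tolower(substr($0, 1, i - 1))
        hdr[cur] = substr($0, i + 1)
    }
    END {
        same = (addr(hdr["from"]) != "" && addr(hdr["from"]) == addr(hdr["to"])) ? "yes" : "no"
        status = hdr["x-spam-status"]
        p = index(status, "tests=")
        if (p > 0) {                                    # rejoin a tests= list split by folding
            rest = substr(status, p)
            gsub(/,[ \t]+/, ",", rest)
            status = substr(status, 1, p - 1) rest
        }
        score = "none"; tests = ""
        n = split(status, f, /[ \t]+/)
        for (k = 1; k <= n; k++) {
            if (f[k] ~ /^score=/) score = substr(f[k], 7)
            if (f[k] ~ /^tests=/) tests = substr(f[k], 7)
        }
        hits = split(tests, t, ",")
        bayes = "none"; net = 0
        for (j = 1; j <= hits; j++) {
            if (t[j] ~ /^BAYES_/) bayes = t[j]
            if (t[j] ~ /^(URIBL_|RCVD_IN_|RAZOR2_|PYZOR_|DNS_FROM_)/) net++
        }
        printf "from_eq_to=%s score=%s bayes=%s net_rules=%d hits=%d\n", same, score, bayes, net, hits
    }'
}

# Constructed sample 1: modelled on the third header posted in the thread
# (self-addressed, BAYES_00 pulling the score negative, no network rules).
sample_self_addressed() {
    printf '%s\n' \
        'Return-Path: <mark@example.com>' \
        'X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on localhost.localdomain' \
        'X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16' \
        '        autolearn=no version=3.1.9' \
        'From: "mark" <mark@example.com>' \
        'To: "mark" <mark@example.com>' \
        'Subject: constructed sample' \
        '' \
        'body'
}

# Constructed sample 2: what a hit looks like once network tests run
# (URIBL_BLACK present, different sender, BAYES_50).
sample_net_tests_on() {
    printf '%s\n' \
        'X-Spam-Status: Yes, score=7.9 required=4.0 tests=BAYES_50,HELO_DYNAMIC_IPADDR2,' \
        '        HELO_DYNAMIC_SPLIT_IP,URIBL_BLACK autolearn=no version=3.1.9' \
        'From: "promo" <sender@example.net>' \
        'To: "mark" <mark@example.com>' \
        '' \
        'body'
}

# Stand-alone run: both samples, then the SPAMDOPTIONS string posted in this thread.
sample_self_addressed | summarize_message
sample_net_tests_on | summarize_message
network_tests_disabled '-d -c -H --max-children=1' && echo "network tests disabled" || echo "network tests enabled"
```

Piped over a mail spool, the summary line makes the thread's symptom visible at a glance: many messages with from_eq_to=yes, bayes=BAYES_00 and net_rules=0 point at a mistrained Bayes store and absent network tests rather than at a whitelist hit, which is the diagnosis the replies converge on.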
Re: sender name same as recipient name
Dave Pooser wrote:
>
>> plus any address @blah.com
>
> This is an extremely ill-advised practice; spammers have tried using
> @example.com addresses to send to example.com users for years. Hopefully
> you're using whitelist_from_rcvd or checking authentication or similar
> techniques.
>
> Also, are you using network tests? Assuming your timestamps are accurate
> all
> of these should have hit on one or more URIBL rules.
> --
> Dave Pooser
>

I am a newbie when it comes to SA settings. I am using a Plesk interface
and it doesn't go into this level of detail. But I am shell savvy and can
edit config files.

BUT... how could that 2nd spam example possibly get through with that
subject line!!

How do I go about checking/setting: whitelist_from_rcvd, network tests ?

thanks

--
View this message in context: http://www.nabble.com/sender-name-same-as-recipient-name-tf4511807.html#a12869963
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: sender name same as recipient name
> plus any address @blah.com

This is an extremely ill-advised practice; spammers have tried using
@example.com addresses to send to example.com users for years. Hopefully
you're using whitelist_from_rcvd or checking authentication or similar
techniques.

Also, are you using network tests? Assuming your timestamps are accurate
all of these should have hit on one or more URIBL rules.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna
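The checks Dave and John ask for above (a whole-domain whitelist_from, network tests switched off, BAYES_00 on known spam) as a small triage script. This is an added example, not SpamAssassin's or any poster's code; it assumes the 3.1.x X-Spam-Status layout shown in the thread and the stock whitelist_from, whitelist_from_rcvd and skip_rbl_checks directives, and the network-rule prefixes and the relay name mail.blah.com are assumptions.

```python
import re

# Assumed prefixes of rules that fire only with network tests on (cf. URIBL).
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_")

def parse_spam_status(raw_headers):
    """Parse X-Spam-Status into verdict, score, threshold and rule list,
    unfolding continuation lines first (the tests= list is folded above)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    m = re.search(r"^X-Spam-Status:\s*(\w+),\s*score=(-?[\d.]+)\s+required="
                  r"([\d.]+)\s+tests=(.*?)\s+autolearn=", unfolded, re.M)
    if not m:
        raise ValueError("no parseable X-Spam-Status header")
    return {"verdict": m.group(1), "score": float(m.group(2)),
            "required": float(m.group(3)),
            "tests": [t for t in re.split(r"[,\s]+", m.group(4)) if t]}

def diagnose(status):
    """John's two observations above, applied to one parsed header."""
    findings = []
    if "BAYES_00" in status["tests"]:
        findings.append("BAYES_00 on a known spam: Bayes looks mistrained, "
                        "check 'sa-learn --dump magic' and the training source")
    if not any(t.startswith(NETWORK_PREFIXES) for t in status["tests"]):
        findings.append("no URIBL/RBL rule hit: check that network tests run")
    return findings

def lint_local_cf(text):
    """Flag a whole-domain whitelist_from (From: is forgeable) and
    skip_rbl_checks 1 (network tests off) in a local.cf fragment."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        m = re.match(r"whitelist_from\s+(\S+)", line)  # skips _rcvd lines
        if m and m.group(1).startswith("*@"):
            findings.append(line + ": trusts a forgeable From:, prefer "
                            "whitelist_from_rcvd with the domain's real relay")
        if re.match(r"skip_rbl_checks\s+1\b", line):
            findings.append(line + ": RBL/URIBL network tests are disabled")
    return findings

# Sample headers copied from the second message quoted in the thread.
SAMPLE_HEADERS = ("X-Spam-Level: ***\n"
                  "X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_00,"
                  "HELO_DYNAMIC_IPADDR2,\n\tHELO_DYNAMIC_SPLIT_IP autolearn=no"
                  " version=3.1.9\n")
# Constructed local.cf fragment: the weak whitelist beside the safer form.
SAMPLE_CF = ("whitelist_from *@blah.com   # weak, forgeable\n"
             "whitelist_from_rcvd *@blah.com mail.blah.com\nskip_rbl_checks 1\n")
```

Run lint_local_cf over the real local.cf and parse_spam_status over each missed spam's headers; a BAYES_00 hit with no URIBL rule points at the Bayes database and network tests, not at the sender name.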
Re: sender name same as recipient name
The only whitelist addresses I have defined for him are my own email
addresses, plus any address @blah.com.

Here are the headers & bodies of 3 of the spams that got through (and are
continuing to come through at a high rate):

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on localhost.localdomain
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2
    autolearn=no version=3.1.9
...
From: "mark" <[EMAIL PROTECTED]>
To: "mark" <[EMAIL PROTECTED]>
Subject: Anything goes down at these illegal.
Date: Mon, 24 Sep 2007 20:07:47 -
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="us-ascii"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

Here ONLY! Hot content! Galleries with HQ-photos and HD-DVD movies.
Hurry up! http://himhz.com/fa Join Now!

===

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on localhost.localdomain
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2,
    HELO_DYNAMIC_SPLIT_IP autolearn=no version=3.1.9
...
From: "mark" <[EMAIL PROTECTED]>
To: "mark" <[EMAIL PROTECTED]>
Subject: Gorgeous young hottie getting banged in her asshole
Date: Mon, 24 Sep 2007 18:23:29 -0100
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="us-ascii"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Antivirus: avast! (VPS 000776-0, 24/09/2007), Outbound message
X-Antivirus-Status: Clean

You have never seen this. Get inside and enjoy our models!
http://jokhome.com/hp Get Unlimited access now

=

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on localhost.localdomain
X-Spam-Level:
X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
    autolearn=no version=3.1.9
...
From: "mark" <[EMAIL PROTECTED]>
To: "mark" <[EMAIL PROTECTED]>
Subject: Hot teen sluts double fuck of highest quality site...
Date: Mon, 24 Sep 2007 23:25:19 +0400
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="us-ascii"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

24 Hours a Day, 7 Days a Week, 365 Days a Year -We offer all our Porn
content for you. Check it: http://jokhome.com/sb1 and get it today..
Re: sender name same as recipient name
Hi, feral

2007/9/24, feral <[EMAIL PROTECTED]>:
>
> Sorry if this is a well-known issue... first I have encountered it.
>
> I am using SA 3.1.9 installed on a CentOS Linux system.
>
> One of my clients just noticed a huge spike in spam getting
> through, even though SA is turned on for his email account at
> sensitivity level 4.
>
> For the sake of anonymity, let's say my client's domain is blah.com.
>
> His address is [EMAIL PROTECTED]. 99% of the spam emails
> he received during this spike were from [EMAIL PROTECTED]
> (where "something" represents various domains.)
>
> Question: is SA not filtering out these obvious spams because
> the name "mark" is the same as the name on my client's
> account?
>
> thanks,
> Feral

Do you have a sample of these spams? Have you whitelisted something like
"marc@"?

Show us a sample of the spammy messages, with all the headers, and more
could be told.

Luis

--
- GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-
Re: sender name same as recipient name
On Mon, 24 Sep 2007, feral wrote:

> Question: is SA not filtering out these obvious spams because the
> name "mark" is the same as the name on my client's account?

That depends on the rules in use. If a rule like From ~= /mark\@/ with a
high negative score was defined, sure!

Would it be possible for you to post all of the headers from one of his
false negatives, so we can see what rules are hitting?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
    -- Teflon Mahmoud in a 60 Minutes interview (9/20/2007)
---
 244 days until the Mars Phoenix lander arrives at Mars