Re: Spamassassin tests help please
Dave Sherohman <[EMAIL PROTECTED]> writes:

> > Then, my mail filters filter the spam based on the color. I have yet to
> > find any false positives at yellow and above, so my comfort level is
> > getting close to bit-bucketing orange and red, and rejecting yellow with
> > a message that it's flagged as spam.
>
> So where can we download it? And (just to be on-topic) do you plan
> to package it as a deb?

As promised, I've released my assassind relay. You can download it from http://www.rudedog.org/assassind/. I've also packaged it as a .deb; you can just add the following line to your apt-sources list.

    deb http://www.rudedog.org/ debian/

Most of the perl packages needed by assassind are already in Debian/unstable and probably Debian/woody. Any that are missing are also available in the above archive.

Enjoy.

--
Dave Carrigan ([EMAIL PROTECTED])            | Yow! I always liked FLAG DAY!!
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS |
Seattle, WA, USA                            |
http://www.rudedog.org/                     |

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Spamassassin tests help please
Dave Sherohman <[EMAIL PROTECTED]> writes:

> > Then, my mail filters filter the spam based on the color. I have yet to
> > find any false positives at yellow and above, so my comfort level is
> > getting close to bit-bucketing orange and red, and rejecting yellow with
> > a message that it's flagged as spam.
>
> So where can we download it? And (just to be on-topic) do you plan
> to package it as a deb?

I've had a couple of requests for this. I will spend the weekend writing some documentation and making it presentable for public consumption.

--
Dave Carrigan ([EMAIL PROTECTED])            | Yow! Didn't I buy a 1951 Packard
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | from you last March in Cairo?
Seattle, WA, USA                            |
http://www.rudedog.org/                     |
Re: Spamassassin tests help please
On Fri, Apr 26, 2002 at 08:51:23AM -0700, Dave Carrigan wrote:
> I just wrote my own processor. All mine does is add a X-Spam-Color
> header. I use green, blue, yellow, orange and red, just like Tom Ridge's
> terrorist alert system :-).
>
> Then, my mail filters filter the spam based on the color. I have yet to
> find any false positives at yellow and above, so my comfort level is
> getting close to bit-bucketing orange and red, and rejecting yellow with
> a message that it's flagged as spam.

So where can we download it? And (just to be on-topic) do you plan to package it as a deb?

--
When we reduce our own liberties to stop terrorism, the terrorists have already won. - reverius

Innocence is no protection when governments go bad. - Tom Swiss
Re: Spamassassin tests help please
Patrick Kirk <[EMAIL PROTECTED]> writes:

> I've been wading through the documentation and cannot find how to stop
> spamassassin rewriting the message bodies? Does anyone know how to do
> this?

I just wrote my own processor. All mine does is add a X-Spam-Color header. I use green, blue, yellow, orange and red, just like Tom Ridge's terrorist alert system :-).

Then, my mail filters filter the spam based on the color. I have yet to find any false positives at yellow and above, so my comfort level is getting close to bit-bucketing orange and red, and rejecting yellow with a message that it's flagged as spam.

--
Dave Carrigan ([EMAIL PROTECTED])            | Yow! I can't think about that.
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | It doesn't go with HEDGES in the
Seattle, WA, USA                            | shape of LITTLE LULU -- or
http://www.rudedog.org/                     | ROBOTS making BRICKS...
Re: Spamassassin tests help please
On Fri, Apr 26, 2002 at 11:01:00AM +0100, Patrick Kirk wrote:
> I've been wading through the documentation and cannot find how to stop
> spamassassin rewriting the message bodies? Does anyone know how to do
> this?

Try something like 'report_header 1' and 'use_terse_report 1'. The documentation you probably want is in the Mail::SpamAssassin::Conf(3pm) man page.

--
Colin Watson [EMAIL PROTECTED]
Re: Spamassassin tests help please
On Fri, Apr 26, 2002 at 11:01:00AM +0100, Patrick Kirk wrote:
> I've been wading through the documentation and cannot find how to stop
> spamassassin rewriting the message bodies? Does anyone know how to do
> this?

Yep, put:

    defang_mime 0

in the local or system wide prefs. I think it does not change the actual body, only puts the mime type to 'plain text'.

HTH!

--
Erik van der Meulen <[EMAIL PROTECTED]>
Re: Spamassassin tests help please
On Thu, Apr 25, 2002 at 01:28:39PM +0100, My Personal Mail wrote:
>On Thu, Apr 25, 2002 at 04:50:23AM -0500, Colin Watson wrote:

I've been wading through the documentation and cannot find how to stop spamassassin rewriting the message bodies? Does anyone know how to do this?

Patrick
Re: Spamassassin tests help please
on Thu, Apr 25, 2002, Craig Dickson ([EMAIL PROTECTED]) wrote:
> begin Peter Ross quotation:
>
> > Why don't you look into http://www.spambouncer.org/
>
> Why? Spamassassin, in my experience, is vastly more accurate and
> effective than SpamBouncer. I used SpamBouncer for several months up
> until March 2002. I could never get it to block even almost all spam
> without also having a lot of false positives, even after extensive
> tweaking of variables and even some customization of SpamBouncer's
> procmail recipes. (Some of SpamBouncer's tests are utterly mad --
> block all mail from Telstra? That's most of Australia!) I switched to
> Spamassassin plus Razor and found that even without customizing my
> configuration at all, it did a much, much better job. It's quite rare
> now for me to see spam other than in the "junk" folder to which I
> redirect such things, and false-positives are even more rare.

I've been keeping tabs on SA's specificity and sensitivity. On ~40k mails, ~3300 spams, adjusting for some exceptional cases (one mailbombing of 300+ items handled with a separate rule), since Feb 1:

    True positive:   95.5%
    False negative:   4.5%
    True negative:   99.82%
    False positive:   0.18%

Damned good tool.

Peace.

--
Karsten M. Self http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
A guide to GNU/Linux backups: http://kmself.home.netcom.com/Linux/FAQs/backups.html
Re: Spamassassin tests help please
Osamu Aoki <[EMAIL PROTECTED]> writes:

> http://www.debian.org/doc/manuals/reference/examples/

Great!! Many thanks for this - good stuff.

Glyn

--
Debian Home       http://www.debian.org
Debian Planet     http://www.debianplanet.org/
For the children  http://www.debian.org/devel/debian-jr/
In a hurry???     http://qref.sourceforge.net/
Re: Spamassassin tests help please
On Thu, Apr 25, 2002 at 11:36:10AM -0600, Robert L. Harris wrote:
| > | 3. How can I blacklist specific names? For example, esavingszone send
| > | me two messages every day and I want them automatically blocked. But
| > | they use differing domain names so I want to block
| > | [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
| > | [EMAIL PROTECTED]
|
| how about a way instead of blacklisting, bounce it with a user unknown?

If you use the 'fail' command in the exim system filter you'll bounce it (with whatever error message you specify). Alternatively, you can create a blacklist and have exim check it and bounce accordingly.

| Bounce all the spam and you'll hopefully be taken off the mailing list.

Might work. If the message arrives through another list (eg d-u) it doesn't work quite as nicely. (I now bounce ms-tnef and virus alerts too)

| I was looking for a way to fail a message in mutt but didn't find one.

The MTA is the one who can fail message deliveries. It has already been delivered by the time mutt has it.

-D

--
Commit to the Lord whatever you do, and your plans will succeed.
Proverbs 16:3

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
Re: Spamassassin tests help please
> | 3. How can I blacklist specific names? For example, esavingszone send
> | me two messages every day and I want them automatically blocked. But
> | they use differing domain names so I want to block
> | [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
> | [EMAIL PROTECTED]

how about a way instead of blacklisting, bounce it with a user unknown? Bounce all the spam and you'll hopefully be taken off the mailing list.

I was looking for a way to fail a message in mutt but didn't find one.

:wq!
---
Robert L. Harris        | Micros~1 :
Senior System Engineer  | For when quality, reliability
  at RnD Consulting     |   and security just aren't
                        \_    that important!

DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
Re: Spamassassin tests help please
On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:

Do you use exim? Some of this stuff can be done at that level. In /etc/exim/exim.conf include something like this (may need to be adjusted for version 3.x) :

    system_filter = /etc/exim/system.filter
    system_filter_user = nobody
    system_filter_group = nogroup

Then put the snippets below in /etc/exim/system.filter.

| I have given up on using my .forward as a spam filter because I've now
| gone up to over 40 spam pieces a day and it's a pain to keep adding
| conditions on each .forward on each account.
|
| Just to make clear, my particular desire to stop stuff from Korean and
| Taiwan is that I speak neither Korean nor Chinese.
|
| I wonder if anyone can help with these tests:
|
| 1. I am on numerous Korean spam lists. So I want to exclude all email
| with Korean charsets. How do I set $h_Content-Type: contains
| "ks_c_5601-1987" to score 20?

    # I actually have this in my filter
    if "$h_Content-Type: $h_Subject:" contains "ks_c_5601-1987"
       or $h_Content-Type: contains "EUC-KR"
    then
        # use 'fail' if you want to send back a bounce message
        #fail "<>"
        # this is a black hole
        seen finish
    endif

| 3. How can I blacklist specific names? For example, esavingszone send
| me two messages every day and I want them automatically blocked. But
| they use differing domain names so I want to block
| [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
| [EMAIL PROTECTED]

In SA use the blacklist_from directive. (this checks the From: header)

In exim version 4 you can include this in an acl :

    deny senders = [EMAIL PROTECTED]

(This checks the envelope sender.) If the envelope sender is predictable, then IMO this is the best solution, and can be extended to look up addresses from a file.

In a system filter (exim 3 or 4) :

    if ${local_part:$sender_address} is "esavingszone"
       or ${local_part:$h_From:} is "esavingszone"
    then
        fail "<<$sender_address , $h_From:>> \
            You have been blocked by the administrator."
        seen finish
    endif

(this checks both the envelope sender and the From: header)

| 2. I get a lot of stuff from Taiwan. Is it possible to simply
| blacklist all mail relayed from ISPs with .tw tld?

| 4. The ISP that uses hanmail.net and daum.net is the single worst
| offender. Can I block all mail relayed through these domains?

    # I haven't tested this regex. Exim uses "pcre" (perl-compatible), but
    # I'm more familiar with the old-school dialect used by vim, sed and grep.
    if "$h_Received:" matches "[a-zA-Z_]+\.tw\b"
       or "$h_Received:" matches "(hanmail|daum)\.net\b"
    then
        seen finish
    endif

As an alternative to checking Received: headers, if you receive the spam directly you can simply reject connections at SMTP time. (or even firewall them)

HTH,
-D

--
Religion that God our Father accepts as pure and faultless is this: to look after orphans and widows in their distress and to keep oneself from being polluted by the world.
James 1:27

GnuPG key : http://dman.ddts.net/~dman/public_key.gpg
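
The header checks discussed in the message above (Korean charset in Content-Type or Subject, relay domains in Received:, From: local part), run over two constructed messages. This is an added example, not code from the thread; the rule names, sample messages and example domains are assumptions. It compares the posted unanchored `.tw` pattern with a test against the end of each whole hostname.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Unanchored pattern as posted in the thread's exim filter.
NAIVE_TW = re.compile(r"[a-zA-Z_]+\.tw\b")
# Any dotted host-like token, taken whole so a suffix test sees its real end.
HOST = re.compile(r"(?<![\w.-])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?![\w.-])")
KOREAN = ("ks_c_5601-1987", "euc-kr")
BAD_RELAYS = ("hanmail.net", "daum.net")


def relay_hosts(msg):
    """Every host-like token in every Received: header, lower-cased.

    Only the Received: lines added by your own MX are trustworthy;
    anything below them is supplied by the sender.
    """
    hosts = []
    for value in msg.get_all("Received", []):
        hosts += [h.lower() for h in HOST.findall(value)]
    return hosts


def hits(raw):
    """Return the sorted (hypothetical) rule names that fire for one message."""
    msg = message_from_string(raw)
    fired = set()
    # The charset can show up in Content-Type or in an encoded-word Subject.
    probe = (msg.get("Content-Type", "") + " " + msg.get("Subject", "")).lower()
    if any(name in probe for name in KOREAN):
        fired.add("KOREAN_CHARSET")
    for host in relay_hosts(msg):
        if host.endswith(".tw"):
            fired.add("RELAY_TW")
        if any(host == d or host.endswith("." + d) for d in BAD_RELAYS):
            fired.add("RELAY_HANMAIL_DAUM")
    # From: header local part (the envelope sender is not visible here).
    local = parseaddr(msg.get("From", ""))[1].rpartition("@")[0].lower()
    if local == "esavingszone":
        fired.add("FROM_ESAVINGSZONE")
    return sorted(fired)


def naive_tw(raw):
    """What the unanchored regex reports for the same message."""
    msg = message_from_string(raw)
    return any(NAIVE_TW.search(v) for v in msg.get_all("Received", []))


# Constructed sample messages (documentation domains and addresses only).
SPAM = (
    "Received: from smtp.hanmail.net (smtp.hanmail.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP; Thu, 25 Apr 2002 09:00:00 +0100\n"
    "From: Deals <esavingszone@offers.example>\n"
    "Subject: =?ks_c_5601-1987?B?vsiz58fPvLy/5A==?=\n"
    "Content-Type: text/html; charset=\"ks_c_5601-1987\"\n\nbody\n"
)
HAM = (
    "Received: from mail.tw.example.com (mail.tw.example.com [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP; Thu, 25 Apr 2002 09:05:00 +0100\n"
    "From: Alice <alice@example.com>\n"
    "Subject: lunch\n"
    "Content-Type: text/plain; charset=us-ascii\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("HAM", HAM)):
        print(name, hits(raw), "naive .tw:", naive_tw(raw))
```

The second message is the false positive to watch for: its relay is in .com, but the unanchored pattern matches the "mail.tw" label inside the hostname.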
Re: Spamassassin tests help please
begin Peter Ross quotation:

> Why don't you look into http://www.spambouncer.org/

Why? Spamassassin, in my experience, is vastly more accurate and effective than SpamBouncer. I used SpamBouncer for several months up until March 2002. I could never get it to block even almost all spam without also having a lot of false positives, even after extensive tweaking of variables and even some customization of SpamBouncer's procmail recipes. (Some of SpamBouncer's tests are utterly mad -- block all mail from Telstra? That's most of Australia!) I switched to Spamassassin plus Razor and found that even without customizing my configuration at all, it did a much, much better job. It's quite rare now for me to see spam other than in the "junk" folder to which I redirect such things, and false-positives are even more rare.

Craig
Re: Spamassassin tests help please
On Thu, Apr 25, 2002 at 04:50:23AM -0500, Colin Watson wrote:
>On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:
>> I have given up on using my .forward as a spam filter because I've now
>.procmailrc now because it's faster):
>
>header BROKEN_KOREAN_CHARSET Content-Type =~ /charset="?ks_c_5601-1987/
>describe BROKEN_KOREAN_CHARSET I don't speak Korean
>score BROKEN_KOREAN_CHARSET 20
>
>'blacklist_from [EMAIL PROTECTED]' in ~/.spamassassin/user_prefs, I think

I am trying to use /etc/spamassassin/local.cf for these tests. But I can't get spamassassin to see them. Is there anything I need to do? I've restarted the service so that's not it and there is nothing in my home directory that should cause it.

Patrick
Re: Spamassassin tests help please
On Thu, Apr 25, 2002 at 09:14:32AM +0100, My Personal Mail wrote:
>Hi all,

My question was a little verbose so here it is in short form:

I want to add to the default set of Spamassassin tests. Does anyone have an example of for example, blocking all email from someone called 'esavings'?

Procmail based solutions are not appropriate in that I have a spamassassin filter that works in conjunction with user level .forward files. Moving the user level filters to the spamassassin filter is the objective.

Thanks.

Patrick
Re: Spamassassin tests help please
On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:
> I have given up on using my .forward as a spam filter because I've now
> gone up to over 40 spam pieces a day and it's a pain to keep adding
> conditions on each .forward on each account.
>
> Just to make clear, my particular desire to stop stuff from Korean and
> Taiwan is that I speak neither Korean nor Chinese.
>
>
> I wonder if anyone can help with these tests:
>
> 1. I am on numerous Korean spam lists. So I want to exclude all email
> with Korean charsets. How do I set $h_Content-Type: contains
> "ks_c_5601-1987" to score 20?

Something like this should do the job (although I just blackhole it in .procmailrc now because it's faster):

    header BROKEN_KOREAN_CHARSET Content-Type =~ /charset="?ks_c_5601-1987/
    describe BROKEN_KOREAN_CHARSET I don't speak Korean
    score BROKEN_KOREAN_CHARSET 20

(I called it "BROKEN" because I understand real Koreans, as opposed to spammers, actually use a different character set - but I may be misinformed here.)

> 2. I get a lot of stuff from Taiwan. Is it possible to simply
> blacklist all mail relayed from ISPs with .tw tld?

You can probably match on Received: headers. Check /etc/spamassassin/20_head_tests.cf for examples.

> 3. How can I blacklist specific names? For example, esavingszone send
> me two messages every day and I want them automatically blocked. But
> they use differing domain names so I want to block
> [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
> [EMAIL PROTECTED]

'blacklist_from [EMAIL PROTECTED]' in ~/.spamassassin/user_prefs, I think.

> 4. The ISP that uses hanmail.net and daum.net is the single worst
> offender. Can I block all mail relayed through these domains?

Again, you can probably do this by matching on Received: headers.

--
Colin Watson [EMAIL PROTECTED]
Re: Spamassassin tests help please
patrick wrote:
>
> I have given up on using my .forward as a spam filter because I've now
> gone up to over 40 spam pieces a day and it's a pain to keep adding
> conditions on each .forward on each account.
>

Why don't you look into http://www.spambouncer.org/
Re: Spamassassin tests help please
On Thu, Apr 25, 2002 at 09:14:32AM +0100, Patrick Kirk wrote:
> I wonder if anyone can help with these tests:
> 1. I am on numerous Korean spam lists. So I want to exclude all email
> with Korean charsets. How do I set $h_Content-Type: contains
> "ks_c_5601-1987" to score 20?
...

These Asian spams are annoying if you do not know how to filter.

I use a good idea from http://www3.sympatico.ca/walter.dnes/email/chinese/

This is based on high bit characters. Usually these spam senders are not smart enough to use 7 bit Asian codings but use M$ encodings. So this is sufficient to block them.

My kind-of-older implementation of .procmailrc is stored as _procmailrc

http://www.debian.org/doc/manuals/reference/examples/

Good luck.

--
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +
Osamu Aoki <[EMAIL PROTECTED]>, GnuPG-key: 1024D/D5DE453D .
See "User's Guide": http://www.debian.org/doc/manuals/users-guide/
See "Debian reference": http://www.debian.org/doc/manuals/reference/ .
"Debian reference" Project at: http://qref.sf.net .
I welcome your constructive criticisms and corrections.
Re: Spamassassin tests help please
dude -- you are SO ready for the open relay database. you sound pretty harried. that's where i was a few months ago.

not to sound overly dramatic, but www.ordb.org changed my life.

also, i've been compiling a list of networks that send spam from asian countries like china and korea. when i get 3 pieces of spam from the same network, and my letters of complaint go unanswered, i block the entire network using tcpwrappers. my /etc/hosts.deny contains a vast number of chinese and korean networks.

you can manage exim connections with tcpwrappers by simply running exim as:

    smtp stream tcp nowait mail /usr/sbin/tcpd /usr/sbin/exim -bs

in inetd.conf.

my 3 pronged approach to spam is:

1. using ordb.org
2. running exim from tcpwrappers and dumping IP's into /etc/hosts.deny
3. spamcop

how effective is this? i was getting *upwards* of 40 pieces of spam per day. today i got simply 4 pieces of spam, and this is what i would call a "heavy spam day".

pete

begin Patrick Kirk <[EMAIL PROTECTED]>
> Hi all,
>
> I have given up on using my .forward as a spam filter because I've now
> gone up to over 40 spam pieces a day and it's a pain to keep adding
> conditions on each .forward on each account.
>
> Just to make clear, my particular desire to stop stuff from Korean and
> Taiwan is that I speak neither Korean nor Chinese.
>
>
> I wonder if anyone can help with these tests:
>
> 1. I am on numerous Korean spam lists. So I want to exclude all email
> with Korean charsets. How do I set $h_Content-Type: contains
> "ks_c_5601-1987" to score 20?
>
> 2. I get a lot of stuff from Taiwan. Is it possible to simply
> blacklist all mail relayed from ISPs with .tw tld?
>
> 3. How can I blacklist specific names? For example, esavingszone send
> me two messages every day and I want them automatically blocked. But
> they use differing domain names so I want to block
> [EMAIL PROTECTED] [EMAIL PROTECTED] and every other
> [EMAIL PROTECTED]
>
> 4. The ISP that uses hanmail.net and daum.net is the single worst
> offender. Can I block all mail relayed through these domains?
>
>
> Thanks in advance,
>
> Patrick
Spamassassin tests help please
Hi all,

I have given up on using my .forward as a spam filter because I've now gone up to over 40 spam pieces a day and it's a pain to keep adding conditions on each .forward on each account.

Just to make clear, my particular desire to stop stuff from Korean and Taiwan is that I speak neither Korean nor Chinese.

I wonder if anyone can help with these tests:

1. I am on numerous Korean spam lists. So I want to exclude all email with Korean charsets. How do I set $h_Content-Type: contains "ks_c_5601-1987" to score 20?

2. I get a lot of stuff from Taiwan. Is it possible to simply blacklist all mail relayed from ISPs with .tw tld?

3. How can I blacklist specific names? For example, esavingszone send me two messages every day and I want them automatically blocked. But they use differing domain names so I want to block [EMAIL PROTECTED] [EMAIL PROTECTED] and every other [EMAIL PROTECTED]

4. The ISP that uses hanmail.net and daum.net is the single worst offender. Can I block all mail relayed through these domains?

Thanks in advance,

Patrick