Re: [Mimedefang] sending relay has no MX record?
Kevin A. McGrail wrote:

> I believe an MX was designed as a Mail Gateway record for machines not
> directly connected to the network. Therefore, since an A record is for
> machines that are connected to the network, an A record should be
> enough to allow for mail to be delivered.
>
> I know in practice that using only an A record works and is frowned
> upon. I also know that an MX record has been expanded more and more.
> But from an RFC perspective though, I'm not sure it's "incorrect" to
> just use an A record without an MX record.
>
> Hopefully someone else can comment but in the meantime, I'm not sure
> it's a legitimate test for spaminess.
>
> Sincerely,
> KAM
>
> > Am seeing some spam where the sender's From_ address's domain
> > doesn't have an MX record. Was considering noting that fact in the
> > header as an extra X- field, and then letting SA score it negatively.
> >
> > Has anyone tried that sort of thing? Can you offer some prototype
> > code that does something like that?

I think Gary is asking something different. He wants to check if the "from" domain has an MX record. I think this is a valid test, as how could you send an NDR to such a domain, and a simple "reply" obviously wouldn't work so well.

I wouldn't think you'd get many hits on this sort of test, anyone who's gone through the trouble of setting up a domain has probably also defined an MX record. But let us know if you do get any hits, I'm curious.

-lee
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
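The sender-domain check discussed in this message, as an added example (not code posted to the list). It goes slightly beyond the thread by also reporting a null MX (RFC 7505) and a DNS failure as separate classes; the `X-Sender-DNS` header name, the function names and the zone data are assumptions constructed for illustration, and the resolver is passed in as a code reference so the example runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed zone data standing in for DNS (not real domains).
my %ZONE = (
    'example.com'  => { MX => ['mx1.example.com'], A => ['192.0.2.10'] },
    'a-only.test'  => { A  => ['192.0.2.20'] },
    'nomail.test'  => { MX => ['.'] },          # null MX: accepts no mail
    'nothing.test' => {},
);

# Hypothetical resolver: returns the records of $type for $name and
# dies on a temporary failure, as a real lookup wrapper should.
sub fake_lookup {
    my ($name, $type) = @_;
    die "SERVFAIL\n" if lc $name eq 'servfail.test';
    my $zone = $ZONE{lc $name} or return;
    return @{ $zone->{$type} || [] };
}

sub classify_domain {
    my ($domain, $lookup) = @_;
    my @mx = $lookup->($domain, 'MX');
    return 'null-mx' if @mx == 1 && $mx[0] eq '.';
    return 'mx'      if @mx;
    # No MX: SMTP falls back to the address record, so mail (and an NDR)
    # is still deliverable. This is the A-record-only case from the thread.
    return 'a-only'
        if $lookup->($domain, 'A') || $lookup->($domain, 'AAAA');
    return 'none';
}

# Classify an envelope sender such as "<user@domain>".
sub classify_sender {
    my ($sender, $lookup) = @_;
    $sender =~ s/^<|>$//g;
    return 'null-sender' if $sender eq '';     # MAIL FROM:<> is legitimate
    my ($domain) = $sender =~ /\@([A-Za-z0-9.-]+)\z/
        or return 'malformed';
    # A resolver error must not be reported as "no records".
    my $class = eval { classify_domain($domain, $lookup) };
    return defined $class ? $class : 'temp-error';
}

# Header name/value pair for SpamAssassin to score. In mimedefang-filter
# this pair would be handed to action_add_header() from filter_end, with
# $Sender as the input.
sub dns_header {
    my ($sender, $lookup) = @_;
    return ('X-Sender-DNS', classify_sender($sender, $lookup));
}

for my $s ('<alice@example.com>', '<bob@a-only.test>', '<x@nomail.test>',
           '<y@nothing.test>', '<z@servfail.test>', '<>') {
    my ($name, $value) = dns_header($s, \&fake_lookup);
    printf "%-22s %s: %s\n", $s, $name, $value;
}
```

Only the `none` and `null-mx` classes describe a sender that cannot receive a reply; `a-only` and `temp-error` should not be scored as if they were the same thing.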
Re: [Mimedefang] Is it yet possible to run clamd (with mimedefang) as a different user?
> If you are using the freebsd ports system, you can upgrade your clamav
> installation using portupgrade (which can be installed from
> /usr/ports/sysutils/portupgrade). Simply edit your
> /usr/local/etc/pkgtools.conf file and add:
>
>     MAKE_ARGS = {
>       'security/clamav' => 'CLAMAVUSER=mailnull CLAMAV_CLAMD_SOCKET=/var/spool/MIMEDefang/clamd.sock',
>     }

Thanks Sven,

I added the make arg to /etc/make.conf (along with CLAMAVGROUP) and that fixes things up nicely.

I tried some other solutions but the DontBlameSendmail option just sounded too scary to turn on so I opted to run clamd as the same user that sendmail and MD run as.

-lee
[Mimedefang] Is it yet possible to run clamd (with mimedefang) as a different user?
Hi all,

I just upgraded my clamav (freebsd, ports) and again, it changed the permissions on some of its directories and caused it to not start as user 'mailnull' (the same user that sendmail and mimedefang run as).

I would rather let clamd run as the user it wants to (clamav user) and configure mimedefang/sendmail to allow this but my efforts did not work. If clamd runs as clamav, it cannot access the mimedefang spool files to scan the mail. If I change permission on the spool directories, sendmail complains that "local socket" is unsafe. I did add clamav to the 'mailnull' group (I assume editing the /etc/group file is sufficient).

So, I *think* the problem is how to convince sendmail that a group readable/writable mimedefang spool directory is kosher. Anyone know the answer to this?

TIA,
-lee
RE: [Mimedefang] What is USER_IN_DEF_WHITELIST?
> Lee Dilkie wrote:
>> Sorry for an SA question on a MD list but google didn't turn up
>> anything.
>
> http://www.spamassassin.org/
> http://wiki.apache.org/spamassassin/MailingLists
>
> (I'm pretty sure this has come up in the SA archives at least once.)
>
>> Question. What is the "default" whitelist? Where and how is it set up?
>
> All default rules are in /usr/share/spamassassin (or equivalent
> directory). Look in 60_whitelist.cf.

Sorry for the late-ish reply.

Indeed, in 60_whitelist.cf there is an entry @*.mypoints.com. And although the recipient didn't recall having signed up for anything on that web site, they did have a user account.

So, sorry for the red herring but I learned stuff so it wasn't all in vain.

-lee
[Mimedefang] What is USER_IN_DEF_WHITELIST?
Sorry for an SA question on a MD list but google didn't turn up anything.

I just got a piece of spam with a low SA score. It would have been high except for a USER_IN_DEF_WHITELIST entry in the list which I didn't recognise. grepping through my disk yielded that test in /usr/local/share/spamassassin (this is freebsd) in 20_head_tests.cf which is:

    header USER_IN_DEF_WHITELIST    eval:check_from_in_default_whitelist()
    describe USER_IN_DEF_WHITELIST  From: address is in the default white-list
    tflags USER_IN_DEF_WHITELIST    userconf nice

Now, I found the check_from_in_default_whitelist function in EvalTests.pm (under perl/mail/spamassassin) but it's cryptic perl for my skill level and so that's a dead end.

Question. What is the "default" whitelist? Where and how is it set up? What mail header fields are matched to get it (looks like "from" if the description is correct but I couldn't tell from the function)?

This email had a "from" that certainly wasn't anything I had explicitly allowed and I don't use auto whitelisting.

Can anyone offer answers?

thanks!
-lee
RE: [Mimedefang] Greylisting code, now with mysql Backend
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Lucas Albers
> Sent: Tuesday, June 29, 2004 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Mimedefang] Greylisting code, now with mysql Backend
>
> Jeff Grossman said:
>> [better] alternative to db_file with some of the corruption that has
>> been mentioned.
>> If many people are doing fine with db_file, then I might just stay with
>
> Well it's used as the native bayesian db format for SA, and there has
> not been complaints of corruption on the SA mailing list...

I've had tons of problems with db_file corruption. In fact, I'm in the middle of trying to fix my own greylisting db_file corruption problem. I also have a db_file problem somewhere in graphdefang, although it's using MLDBM with db_file.

My problems arose when freebsd updated from perl 5.8.2(.3?) to 5.8.4 last month. My SA db got blown away. db_file that I had previously seems to have gotten replaced by bsdpan-DB_File, a version from CPAN. AFAICT, SA is working but I'm definitely having problems with db_file in my greylisting and in graphdefang.

-lee

> I would think theoretically a database format would have less possible
> corruption.
>
> --
> Luke Computer Science System Administrator
> Security Administrator, College of Engineering
> Montana State University-Bozeman, Montana
RE: [Mimedefang] Whitelisting Outbound E-Mail Addresses
>> I implemented this using the access.db feature of Sendmail, with
>> scripts every five minutes scanning the logs and adding new entries.
>
> Any particular reason for doing it this way vs. implementing something
> within the mimedefang-filter to do it real-time much as greylisting
> does? I'm asking because the next item on my development list is
> implementing something similar to what you are doing, but I had
> intended on doing it real-time in the mimedefang-filter with a separate
> .db file.
>
> Any thoughts?
>
> Charles

I modded up my (well, the code that was posted here some time ago) greylisting code to track authenticated outbound mail as well. Coupled with a db expiry scheme which deletes singleton inbound entries (ones that have a count of 1) after two days, decrements the count of non-singleton entries every 10 days and leaves any singleton entries that have a reverse entry (whitelist) alone.

It was my first perl program from scratch after having cut my teeth on mimedefang-filter (with the O'Reilly book in my lap). I run it as a cron every night.

I like the results.

-lee
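The expiry scheme described in this message, sketched as an added example (not the poster's script). The in-memory hashes, the field names, `pair_key` and `expire_pass`, and the choice to measure the two days from `last_seen` are assumptions; the sample entries are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use constant DAY            => 24 * 60 * 60;
use constant SINGLETON_TTL  => 2 * DAY;     # singletons go after two days
use constant DECAY_INTERVAL => 10 * DAY;    # others lose 1 every 10 days

sub pair_key { return join "\0", map { lc $_ } @_ }

# One nightly pass over the inbound greylist table.
#   $inbound:  { "sender\0rcpt"  => { count, last_seen, last_decay } }
#   $outbound: { "local\0remote" => 1 }, pairs seen in authenticated
#              outbound mail (the "reverse entry" that acts as a whitelist)
# Returns a hash ref of counters for what the pass did.
sub expire_pass {
    my ($inbound, $outbound, $now) = @_;
    my %did = (deleted => 0, decayed => 0, kept_whitelisted => 0);
    for my $k (keys %$inbound) {            # key list is taken up front,
        my $e = $inbound->{$k};             # so deleting inside is safe
        my ($sender, $rcpt) = split /\0/, $k, 2;
        if ($e->{count} <= 1) {
            if ($outbound->{ pair_key($rcpt, $sender) }) {
                $did{kept_whitelisted}++;   # a local user has written to them
            }
            elsif ($now - $e->{last_seen} > SINGLETON_TTL) {
                delete $inbound->{$k};      # one-off sender, never retried
                $did{deleted}++;
            }
        }
        elsif ($now - $e->{last_decay} >= DECAY_INTERVAL) {
            $e->{count}--;                  # idle pairs drift back to singleton
            $e->{last_decay} = $now;
            $did{decayed}++;
        }
    }
    return \%did;
}

# Constructed sample data; $now is a fixed epoch so the run is repeatable.
my $now = 1_100_000_000;
my %outbound = (pair_key('lee@example.org', 'friend@partner.test') => 1);
my %inbound = (
    pair_key('bulk@spam.test', 'lee@example.org') =>
        { count => 1, last_seen => $now - 3 * DAY, last_decay => $now - 3 * DAY },
    pair_key('new@shop.test', 'lee@example.org') =>
        { count => 1, last_seen => $now - 1 * DAY, last_decay => $now - 1 * DAY },
    pair_key('friend@partner.test', 'lee@example.org') =>
        { count => 1, last_seen => $now - 30 * DAY, last_decay => $now - 30 * DAY },
    pair_key('list@news.test', 'lee@example.org') =>
        { count => 5, last_seen => $now - 12 * DAY, last_decay => $now - 11 * DAY },
    pair_key('boss@work.test', 'lee@example.org') =>
        { count => 3, last_seen => $now - 1 * DAY, last_decay => $now - 4 * DAY },
);

my $did = expire_pass(\%inbound, \%outbound, $now);
print "$_: $did->{$_}\n" for sort keys %$did;
printf "%-45s count=%d\n", join(' -> ', split /\0/, $_), $inbound{$_}{count}
    for sort keys %inbound;
```

Because a pass either decays or deletes an entry, never both, a pair that decays to a count of 1 only becomes eligible for deletion on a later nightly run.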
[Mimedefang] bayes* R/O: tie failed: Inappropriate file type or format
Hi,

I'm running FreeBSD 4.9, I upgraded to perl 5.8.4 (from 5.8.2), using the suggestions in the ports UPDATING, hopefully recompiling everything that depended on perl. SA had a minor upgrade at the same time (2.63_1 -> 2.63_2).

Anyway, I restarted MD and my logs contain..

    Jun 5 15:40:18 spock mimedefang-multiplexor[29236]: Slave 0 stderr: Cannot open bayes databases /var/spool/MD-Quarantine/bayes_* R/O: tie failed: Inappropriate file type or format
    Jun 5 15:40:22 spock mimedefang-multiplexor[29236]: Slave 0 stderr: Cannot open bayes databases /var/spool/MD-Quarantine/bayes_* R/W: tie failed: Inappropriate file type or format

the MD-Quarantine dir looks like

    -rw--- 1 mailnull wheel - 73746 Jun 5 11:00 bayes_journal
    -rw--- 1 mailnull wheel - 2670592 Jun 5 10:52 bayes_seen
    -rw--- 1 mailnull wheel - 5373952 Jun 5 10:52 bayes_toks
    -rw--- 1 mailnull wheel - 5160960 Feb 27 07:10 bayes_toks.expire14326
    -rw--- 1 mailnull wheel - 2392064 Feb 27 07:10 bayes_toks.expire14482
    -rw--- 1 mailnull wheel - 49152 Feb 27 07:10 bayes_toks.expire22289
    -rw--- 1 mailnull wheel - 2195456 Mar 1 14:24 bayes_toks.expire418
    -rw--- 1 mailnull wheel - 1196032 Feb 27 08:02 bayes_toks.expire59670
    -rw--- 1 mailnull wheel - 5144576 Mar 1 13:38 bayes_toks.expire6433
    -rw--- 1 mailnull wheel - 2441216 Feb 27 08:31 bayes_toks.expire73038

which looks OK to me.

Anyone have a clue what I've done wrong? Or how to correct it?

TIA,
-lee
RE: [Mimedefang] Re: R/W: lock failed: File exists
>> It is trying to lock the bayes journal, and other mimedefang threads
>> can't read to it while it learns from the journal.
>> This will solve your problem.
>>
>> My settings:
>> bayes settings:
>> bayes_learn_to_journal 1
>> bayes_journal_max_size 512
>>
>> cronjob:
>> */55 * * * * su -c 'sa-learn --rebuild' defang; echo defang > /dev/null
>
> Very well, but...
>
> What you suggest is a kinda workaround to be applied at the sites where
> the problem occurs. Now, since the nature of the problem seems to be
> quite generic I'm just very curious why don't *others* complain??!
> Because it looks as if only a *minority* of MD/SA installations (like
> yours and mine) get those nasty messages and so you offer a workaround
> for them.
>
> So now, just for my curiosity sake, I have a very basic question: which
> of these two points below is true and which is false.
>
> 1. There is something weird with my installation but, OK, luckily
>    enough there's a workaround.
> 2. Everyone has the same problem so for each and every MD/SA
>    installation a workaround like that is needed.
>
> And finally, if 2. is true then maybe something more than a workaround
> should be invented?

Well, I've had this problem since forever. It started a month or so after I turned Bayes on. Like you I did an investigation and my conclusion was that it wasn't particularly harmful... Although I don't think I arrived at the same conclusion as you folks.

I seem to recall that the problem was that one bayes process (MD) had the file locked when the other bayes process (MD) was trying to trim out stale entries from the db and wasn't able to since the file was locked. My reading on the matter suggested it wasn't a big deal as the trim would occur again later. I didn't read anything that would suggest it actually interfered with the operation of bayes in the first place..

Perhaps I was wrong in that?

-lee
RE: [Mimedefang] A Bit of Confusion - Solved but different problem with CLAMD
> I have tried running clamd as user "defang", but clamd won't then
> start.

check clamav.conf. the location of the pid file must be writable by the defang user as clamd is running as defang.

> I have added the user "defang" to the group "clamav", but I get errors
> when sending/receiving mail saying "Could not connect to clamd daemon
> at /var/spool/MIMEDefang/clamd.sock".
>
> This file does not exist either.

also in clamav.conf. LocalSocket probably needs to be changed to point to where MD is expecting. Or you can leave it where it is and modify your mimedefang-filter and stick

    $ClamdSock = "/var/run/clamav/clamd";

(this is the default place for clamd on freebsd) in the top of mimedefang-filter. This will override the default in mimedefang.pl

hope this helps.

-lee
RE: [Mimedefang] minor upgrade of clamav, email not being scanned...
> Worth saying that the version of clamav in the ports is old (0.65),
> though the clamav-devel port is somewhat more current. It looks like
> the maintainers of the clamav ports aren't quite so active as could be
> hoped for.

The clamav-devel port says it tracks the snapshots. I didn't think I was quite that brave. Should I be?

> If you up the log settings for clamd you'll find that the problem is
> that it's passed a directory to scan. As that directory is only
> accessible to the user mailnull you have to run clamd as mailnull.

I figured as much and things are working now. How do I "up the log settings" for clamav? I turned on "debug" in the clamav.conf and all it did was report lots of info when it started up, but nothing when it was running.

But I'm still curious why group permissions wouldn't be good enough to get this going. There's something I'm not understanding here.

Sorry for the off-topic.

-lee
RE: [Mimedefang] minor upgrade of clamav, email not being scanned...
> Lee Dilkie wrote:
> >
> > Is it a requirement that mimedefang/sendmail and clamd all run as
> > the same user?
>
> AFAIK, yes. Never been able to get it to run any other way.
> Think it's a socket's permission thing.
>
> Jon
> --

well if that's the case then that explains it

I'm somewhat new to this user/group permission stuff so I assumed that they could run as different users (since the install packages create the different users and install scripts that run them as those users). I thought group permissions would take care of all this but I guess not...

any idea why mimedefang would complain (unsafe socket) if the /var/spool/MIMEdefang directory becomes group writable?

-lee
RE: [Mimedefang] minor upgrade of clamav, email not being scanned...
> What FreeBSD port did you upgrade from? You may want to identify that
> section and look at the FreeBSD port revision history, checking each
> of the changes that have happened since. It should make for a nice
> checklist of things that have changed.
>
> http://www.freshports.org/security/clamav/

it was just from 0.65-6 to -7.

I've narrowed this down but I don't understand why...

- if I run clamd as user "mailnull" (the same user that mimedefang runs as), it works.
- if I run clamd as user "clamav", with clamav in the mailnull group, it doesn't work.

/var/spool/MIMEDefang and MD-Quarantine are owned by "mailnull" (group "mailnull") but if I make the MIMEdefang directory group rw, then I get the "unsafe socket" error reported by mimedefang. Don't know if that is related but changing the clamd to run as "mailnull" works and I figured it needs access to the /var/spool/MIMEdefang dir to scan files.

Is it a requirement that mimedefang/sendmail and clamd all run as the same user?
[Mimedefang] minor upgrade of clamav, email not being scanned...
Well I'm stumped.

Using freebsd, upgraded clamav this morning to grab the latest version and just noticed a while ago that viruses are getting through.

clamd is running, mimedefang will complain if I stop it.

I suspect a permission problem but I don't see where (and I'm a bit of a dummy). Previously, I had run clamd as "mailnull", the same user that mimedefang runs as. But the new startup script that got installed used the user "clamav". So I left it at that and changed the mimedefang.pl to also look in a different location for the clamd socket. That all seems fine because like I said, if I disable clamd, mimedefang detects this and complains, tempfailing messages.

I can run clamdscan from the command line and catch the eicar test but sending eicar as an attachment (or in the body) doesn't get caught (and neither do all the real viruses).

No errors reported by mimedefang or clamd, it just looks like md isn't giving clamd anything to do..

Help please?

-lee
RE: [Mimedefang] Mimedefang/Spamassassin/bayesian
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Paul Murphy
>
> The problem is that the documentation suggests that you enable the two
> options, and sit back and watch the database being built as e-mail
> comes in.
>
> The reality is that the two options enable the use of the bayesian
> filter, but the database remains empty until you have trained it on a
> suitably large dataset of spam and "ham".
>
> Does anyone have a way of using Mimedefang to automatically build the
> database, even if that means forwarding a copy of every message to
> either a spam or ham mailbox, and then processing and deleting the
> mailbox daily?

you can use the auto_learn and avoid the training. You just have to be patient. very patient... eventually you start seeing "BAYES_" showing up in your test result. For me, that amounted to almost 2 weeks of patience. But it was worth it. The bayes score is helping a lot now.

-lee
RE: [Mimedefang] making spamassassin less sensitive
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Muhammad Talha
> Sent: Wednesday, February 04, 2004 2:54 AM
...
>
> i recently shifted my mail server to Mimedefang i have following
> hardware and software installed. using default mimedefang and
> SpamAssassin rules
>
> Processor Pentium III
> RAM 256MB
> Swap 512
>
> Sendmail-8.11.12
> Mimedefang-2.39
> Clamav-0.65
> SpamAssassin-2.63

I'm running the same config on a PII, 200MHz, with 192MB of RAM. This config does use a lot of memory (and cpu) so I had to do the following.

increase my swap!!! it's over 3G now. (unfortunately I had to use a swapfile for the increase where I would have liked to use a swap partition).

decrease max number of mimedefang slaves!!! I only allow 4 max. It tempfails mail sometimes but that's better than running out of memory+swap.

Now this is no speed demon, I can handle maybe 1 mail per second with the pedal to the metal... ;)

-lee
RE: [Mimedefang] $helo versus $ip
> No. It's safe to reject an outsider who claims to be your domain (if
> you know for *sure* that it isn't), or who claims to have your IP
> address, but anything else can yield false positives.
>
> Regards,
>
> David.

And I think that's about as far as you can safely go without rejecting valid mail. I haven't, yet as far as I know, come across a valid mta that uses my ip address or my hostname in helo. But I don't do any lookups on the address supplied (if it was an address) because there are all sorts of valid cases where you cannot tell if some mta is trying to scam you.

-lee
[Mimedefang] error: use of uninitialized variable in Bayes.pm
Gents,

I got this error showing up in my logs. It's for the bayes.pm script (program?library?)

    Feb 2 10:54:27 spock mimedefang-multiplexor: Slave 1 stderr: Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 519.
    Feb 2 10:54:27 spock mimedefang-multiplexor: Slave 1 stderr: Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 521.
    Feb 2 10:54:27 spock mimedefang-multiplexor: Slave 1 stderr: Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 522.
    Feb 2 10:54:29 spock mimedefang-multiplexor: Slave 1 stderr: Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 519.
    Feb 2 10:54:29 spock mimedefang-multiplexor: Slave 1 stderr: Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 521.
    Feb 2 10:54:29 spock mimedefang-multiplexor: Slave 1 stderr: Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 522.

My perl isn't very good yet. The lines referenced "look" like they are initialized to me (although the expression isn't one I can parse).

    sub pre_chew_content_type {
      my ($self, $val) = @_;

      # hopefully this will retain good bits without too many hapaxen
      if ($val =~ s/boundary=[\"\'](.*?)[\"\']/ /ig) {
        my $boundary = $1;
        $boundary =~ s/[a-fA-F0-9]/H/gs;     # <-- line 519
        # break up blocks of separator chars so they become their own tokens
        $boundary =~ s/([-_\.=]+)/ $1 /gs;   # <-- line 521
        $val .= $boundary;                   # <-- line 522
      }

      # stop-list words for Content-Type header: these wind up totally gray
      $val =~ s/\b(?:text|charset)\b//;

      $val;
    }

I'm thinking the $1 variable is not set to anything. I'm not sure what a $1 is, it looks kinda special

This problem only started showing up today when my bayes auto-learn finally got enough "stuff" to be able to generate scores.

can anyone help?

thanks,
-lee
RE: [Mimedefang] action_bounce - forget it!
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of David F. Skoll
> Sent: Saturday, January 31, 2004 11:21 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Mimedefang] action_bounce - forget it!
...
> I can't believe that law would apply to private companies or, in fact,
> to anyone other than ISPs or service providers. Surely a private
> organization can do whatever it likes with its e-mail.

Don't confuse the notion of "private" as it applies in different countries. Our concept of a private company and the rights it has are very different from those in other countries. Heck, even between the US and Canada, the laws can be quite different. But many European countries have very strong labour laws and those can limit what lengths a company can go to when interfering with a worker's rights.

I remember a case in the 80's when we had a problem with one of our networks in Germany (x.25 packet switching product). The network would occasionally go into a cascade failure and the customer (DBP as I recall) was very upset. We suspected that the cause was due to operator sabotage and so we asked for console logging to be turned on. It turned out that companies are not allowed to monitor their employees to that extent, it was against the law. Even enabling logs to simply track network configuration commands was not allowed. Eventually DBP did catch the offender but through other means.

Contrast this with the US, where a company can pretty much do whatever it wants with its equipment and its employees. A "private" company can legally do all sorts of things that the government is not permitted to do.

-lee
RE: [Mimedefang] greylisting and HABEAS_SWE
> > not related
> > to those headers in any manner) The greylisting is working for
> > numerous other spams.
>
> I am familiar with this Habeas test and have seen the exact spam and
> problems you are referring to on our network.
>
> [...]
> I am considering removing the negative score for their tag because we
> have seen an upswell of spam using this. The spammer either doesn't
> know, doesn't care, or will get shutdown pretty quickly.

Following up on some advice given early this week, I installed the bigevil and other .cf's from the meglo-cf-mart (http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm).

Interestingly enough, those pharma Habeas emails were being tagged with a negative score for the Habeas test but they were also being tagged with numerous positive scores from some of the new sa .cf's and that had the effect of overriding the Habeas score. net result was the spam still ended up in my spam folder.

I'm very impressed.

Only had to figure out that on freeBSD the folder to drop the .cf's into is /usr/local/etc/mail/spamassassin... My first guess at /usr/local/etc/mimedefang/spamasassin didn't work out so well ;)

-lee