[SAtalk] sa-learn --rebuild --force-expire stuck using huge memory?

2003-11-10 Thread Alain Fauconnet
Hello readers,

I've googled around but I've failed to find  anything  that  resembles
what our mail gateway has suddenly started experiencing:  the  nightly
sa-learn --rebuild --force-expire stuck forever (shows with 'D'  state
in  'ps  auxw' -> uninterruptible IO wait) and using _huge_ amounts of
memory (600+ Mb). Can't strace it.

This  machine  has  been  rock  stable  for  quite  some  time  and no
significant change has been made lately.

Is  this  just  a  case of 'your Bayes DB is corrupt, delete it' or is
there something else to try first? 

Info:

- Linux RH 7.3 w/ 2.4.20 kernel and most patches
- Perl 5.6.1
- SA v2.54 (yes I know, old... but it's been so stable)
- Amavisd-new with global flat-file settings
- Postfix

The  sa-learn  --rebuild  --force-expire is run nightly at 4AM without
stopping amavisd-new (could that be the problem?). 

Our  local.cf  has  only  local  whitelist entries, a couple of simple
tune-ups probably not relevant, and:

bayes_expiry_scan_count 50
bayes_expiry_use_scan_count 1

Any hints quite appreciated, even 'been there, zapped the whole DB'.

Greets,
_Alain_


---
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


[SAtalk] [RD] Updated Corn

2003-11-10 Thread jennifer
Hi Peeps,

Fresh popcorn if you would like some.  I had one come through today
(which I actually had anticipated, just had to figure out how to write
the rule.) If you use this set, I'd update.  It catches quite a lot more
in the tag.

http://spamhammers.nxtek.net

Weeds update in the works, but still tweaking.

Enjoy,

Jennifer






RE: [SAtalk] (semi)automatic Razor reporting options? anyone done it like this before?

2003-11-10 Thread mwestern
Ah.sadly we have winblows here and outhouse so spam will get modified as
i forward it.  i do have several unused mailboxes which fill with spam quite
a bit and i tried to submit a mailbox full which i checked to be all spam to
razor and it seemed to work, with a few perl errors here and there as it
found a strange message or something.  

is there any way to view the status of your account with which you submit
with?  like i've submitted 300 messages and 5 were new spam and the rest
were already there...



-Original Message-
From: Chip Paswater [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 4:04 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] (semi)automatic Razor reporting options? anyone
done it like thi s before?


> my problem is how would i deal with the FW: on the front of messages etc?
> perhaps i should write a little script that munges the mailbox and removes
> the FW: and the few extra lines in each message and the >'s that get
> created.  

As far as razor goes, subject lines don't matter, so don't worry about
appended FW or RE in your subject lines.

However, the body of the message should be untouched.  Don't try to strip
out ">" or whatever, because it's highly unlikely you'll be able to return
the message to its original composition.  Instead, try to forward or
"bounce" the message unedited.  Mutt has this feature.

> also i thought what we should do is create a mailbox that is darn easy to
> guess, subscribe it to many spam lists somehow to get it full of spam and
> then have this automatically reported to razor.  making sure that no-one
> uses it or sends any real mail to it?  does this also sound viable?   i have
> read that razor should only be submitted by humans so i wouldn't like to
> mess up the network by automatic stuff not working, but surely this is
> something that should be considered?

That's called a spamtrap, and razor frowns on your auto-submitting
spamtraps to them (as do other services like Spamcop).  The best way to keep
everyone happy is to human-review everything before you submit it.

I maintain a spamtrap.  It gets about 300 spams per day, and I submit them
in batches after I've taken a look at them to make sure there's nothing
collateral in there, and occasionally something DOES sneak in that is not
spam.  

In fact, Spamcop turned off their "quick" reporting feature because too
many people were reporting the latest Microsoft virus emails as spam.  I
can only assume this was a direct result of too many people "auto"
submitting emails that came into their spamtrap.  




RE: [SAtalk] New Obfuscation Technique?

2003-11-10 Thread Kenneth Porter
--On Monday, November 10, 2003 8:20 PM -0500 Matt Kettler 
<[EMAIL PROTECTED]> wrote:

> It did however use a trick to avoid the standard FROM_AND_TO_SAME so your
> rule can help out by adding some score.. However, 104.1 is a bit
> excessive, since there's no white list to over-ride. (Bret is smart and
> did not whitelist_from himself).

One I've been seeing lately is that use of another name with my address as 
the sender (eg. "henry <[EMAIL PROTECTED]>").

Also, I looked at the code for check_for_from_to_same() (EvalTests.pm) and 
it looks like there's no return statement at the end. Does Perl return 0 by 
default? (I'm a C coder and return type mismatches are a no-no in that 
language.)



Re: [SAtalk] Razor/SA integration

2003-11-10 Thread Edward Shornock
Ken Bass wrote:

> Several people recommended "formail -s spamassassin -r < mbox_full_of_spam".


Oops, sorry to have done the same (I didn't see this message when I 
wrote my reply)...







Re: [SAtalk] Razor/SA integration

2003-11-10 Thread Edward Shornock
Ken Bass wrote:

> Since the messages are received post spamassassin processing
> they contain all the spamassassin stuff (marked-up-and put-in-an-attachment
> version). My understanding was that sa-learn is smart enough to ignore all
> its marked up stuff. I hope that is true even when it is given the '--mbox'
> option. The sa-learn man page doesn't say the --mbox changes the behaviour
> and the documentation for the --spam option states: " If the messages have
> already been filtered through SpamAssassin, the learner will ignore any
> modifications SpamAssassin may have made."

How about:

formail -s spamassassin -r < mbox

?





Re: [SAtalk] Razor/SA integration

2003-11-10 Thread Justin Mason


Ken Bass writes:
>So I guess my original question turns into a request, can spamassassin be
>changed so that '-r' option accepts an mbox file and it iterates over the
>messages to submit them. Or could sa-learn be changed so that it becomes the
>top level program for spam reporting and if given the correct options it
>would perform the bayesian learning as well as additional reporting.

Yeah, the -r option *should* handle mboxes, but doesn't yet. :(

Patches to implement this, using the ArchiveIterator code that sa-learn
uses, gratefully accepted though ;)

- --j.





RE: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Keith C. Ivey
Chris Santerre <[EMAIL PROTECTED]> wrote:

> > -Original Message-
> > From: Bill Larson [mailto:[EMAIL PROTECTED]

> > 1. SpamAssassin reads in the message
> > 2. It then stores the original message in two variables
> > 3. In the second variable remove all punctuation, spaces,
> > special encoded characters, foreign language characters, html
> > including html comments, and other methods used for
> > obfuscation.
>
> This will cause other problems.like if people don't space
> properly.Have you seen my pen.Is it on my desk? I cu!NT server
> died today.

Not only that, but some characters should be stripped out, as
in "pe-nis", while others should be converted to other
characters, as in "p3nis" or "penís".  Sometimes "0" is
inserted into the middle of a word, but sometimes it
substitutes for an "o".  Sometimes "." is used to separate
words, and sometimes it interrupts a word -- should it be
stripped out or changed into a space?  Sometimes multiple
characters are substituted for a single letter ("se><").
Sometimes one letter is substituted for another ("PayPaI").
Sometimes the same character is used in different words to
represent different letters ("[EMAIL PROTECTED]", "[EMAIL PROTECTED]").

The solution is anything but simple.

--
Keith C. Ivey <[EMAIL PROTECTED]>
Washington, DC
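
Added example, not part of the original message: a small Python model of the ambiguity described above, comparing the quoted "strip everything" proposal with a per-token enumeration of possible readings. The watch list, the `READINGS` table and all function names are constructed for illustration; the sample strings are the ones quoted in the thread.

```python
import itertools
import re

# Constructed watch list built from words quoted in the thread.
WATCHLIST = {"penis", "paypal", "sex"}

# Possible readings of an obfuscating character (assumption, for illustration):
#   ""  -> the character was inserted and should be dropped
#   " " -> the character separates two words
#   a letter -> the character substitutes for that letter
READINGS = {
    "-": ("",),
    ".": ("", " "),
    "0": ("o", ""),
    "3": ("e",),
    "í": ("i",),
    "I": ("i", "l"),   # capital I can stand in for lowercase l
}
MULTI_CHAR = {"><": "x"}  # several characters standing in for one letter


def naive_hits(text):
    """The quoted proposal: drop everything but letters, then substring-match."""
    squeezed = re.sub(r"[^a-z]", "", text.lower())
    return sorted(w for w in WATCHLIST if w in squeezed)


def readings(token, limit=512):
    """Enumerate every reading of one whitespace-delimited token."""
    for seq, letter in MULTI_CHAR.items():
        token = token.replace(seq, letter)
    options = [READINGS.get(ch, (ch.lower(),)) for ch in token]
    combos = itertools.islice(itertools.product(*options), limit)
    return {"".join(c) for c in combos}


def classify(token):
    """'match' if every reading hits, 'ambiguous' if only some do, else 'clean'."""
    all_readings = readings(token)
    hits = {r for r in all_readings if WATCHLIST & set(r.split())}
    if not hits:
        return "clean"
    return "match" if hits == all_readings else "ambiguous"


def scan(text):
    """Return the non-clean tokens of a message with their verdicts."""
    verdicts = {tok: classify(tok) for tok in text.split()}
    return {tok: v for tok, v in verdicts.items() if v != "clean"}


if __name__ == "__main__":
    innocent = "Have you seen my pen.Is it on my desk?"
    print("naive:", naive_hits(innocent), naive_hits("p3nis"))
    for sample in ("pe-nis", "p3nis", "penís", "se><", "PayPaI", "pen.Is"):
        print(sample, "->", classify(sample), sorted(readings(sample)))
```

The naive strip flags the innocent sentence and misses "p3nis"; the enumeration catches the substitutions but can only call "pen.Is" and "PayPaI" ambiguous, which is the point the message makes.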





RE: [SAtalk] New Obfuscation Technique?

2003-11-10 Thread Matt Kettler
At 03:00 PM 11/10/2003, Chris Santerre wrote:

> This is the spammer trick of saying the email is from you, to you. So it got
> Whitelisted.

No it did not Chris.. Read The Fine List of rules it matched.. no 
WHITELIST_* or AWL rules match this.

X-Spam-Tests: tests=BANG_MORE,BAYES_60,HTML_FONTCOLOR_RED, 
HTML_FONTCOLOR_UNKNOWN,HTML_FONT_BIG,HTML_MESSAGE,MIME_HTML_ONLY, 
NORMAL_HTTP_TO_IP,UPPERCASE_25_50

Also, if it was whitelisted, the score would have been much lower than this:

X-Spam-Score: 3.7

It did however use a trick to avoid the standard FROM_AND_TO_SAME so your 
rule can help out by adding some score.. However, 104.1 is a bit excessive, 
since there's no white list to over-ride. (Bret is smart and did not 
whitelist_from himself).

Really, my suggestion to Bret would be to train his bayes on this... 
BAYES_60 is pretty weak.









Re: [SAtalk] Razor/SA integration

2003-11-10 Thread Ken Bass
Several people recommended "formail -s spamassassin -r < mbox_full_of_spam".
Thanks. While this works I don't like that it does not provide status from
its invocation of sa-learn such as 'Learned from 10 message(s) 13 message(s)
examined)'. I ended up calling sa-learn --mbox first, then the above
formail. This duplicates the sa-learning but at least I get a feedback that
I can mail back to the user as a confirmation. 

As a side note, formail didn't work unless I converted the mbox file from
DOS to UNIX (CR/LF vs CR). [tr -d '\r']

So I guess my original question turns into a request, can spamassassin be
changed so that '-r' option accepts an mbox file and it iterates over the
messages to submit them. Or could sa-learn be changed so that it becomes the
top level program for spam reporting and if given the correct options it
would perform the bayesian learning as well as additional reporting.

On Mon, 10 Nov 2003 16:18:28 -0500, Ken Bass <[EMAIL PROTECTED]> wrote:

>  My question is how to report a *mailbox* of spam to razor2. I just added
>razor2 to my configuration and wanted to contribute.
>
>  I currently receive spam into my mail reader (Forte Agent) and they get
>moved to a SPAM folder based on the header tags. I periodically visit that
>SPAM folder and using 'Save as' I generate an 'mbox' format file with all
>the SPAM messages. I then send an email with the 'mbox' format file as an
>attachment to a mailalias I have setup on my mailserver. A procmail recipe
>is waiting which decodes the attachment (which is base64 encoded) into the
>original mbox format. I then call 'sa-learn --mbox --spam' on the input
>file, generate a reply 'SPAM training' confirmation message which has the
>output of the 'sa-learn' command. This works well.
>
>  What I would like to do is send these filtered spams to razor2. It would
>seem that we need a '-r' reporting option on the sa-learn. The FAQ indicates
>that the message should be sent to 'spamassassin -r' which reports and
>additionally learns it. However, I'm not dealing with one message, I'm
>dealing with an 'mbox format' group of messages. It seems 'sa-learn' already
>knows how to handle the 'mbox' format - shouldn't/couldn't it handle the
>reporting for 'spam' (not ham). I assume 'spamassassin -r' will only work
>for a single message.
>
>  Any suggestion on how to accomplish this? Or could spamassassin add an
>'mbox' option to process/iterate over a group of messages that works in
>conjunction with the '-r' reporting option?
>
>





Re: [SAtalk] unable to disable AWL

2003-11-10 Thread Matt Kettler
At 09:47 AM 11/10/2003, matthias zeichmann wrote:
> is it possible that this messes up other behaviour of SA?

That type of error is unlikely to cause problems with other lines, but it 
is possible.

Usually the ones that kill half your local.cf are missing terminators for 
regexes.







RE: [SAtalk] Looking for Rules

2003-11-10 Thread Dan Kohn
Note that #1 would have acted the way naïve users (nothing personal, Bob) expect it 
to, if the SA developers accept 
.  Others 
 
 will continue to get confused 
by this until it's fixed.

  - dan
--
Dan Kohn 
  
-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 10, 2003 14:56
To: Bob Rosenberg; Spamassassin mailing list
Subject: Re: [SAtalk] Looking for Rules

At 04:36 PM 11/10/2003, Bob Rosenberg wrote:
>I have a number of gripes about this.
>
>   1) I only get 5 points not 5.1 when I add them together.

One word.. rounding.. The report only displays the rule score down to the 
nearest tenth of a point, however the rules are scored down further in 
precision.

The real, unrounded, scores are:
0.53    RCVD_IN_NJABL_DIALUP
0.100   RCVD_IN_NJABL
2.55    RCVD_IN_DYNABLOCK
1.91    FORGED_MUA_EUDORA
-----
5.09

And 5.09 rounds to 5.1



>   2) I am getting penalized multiple times for the same "offence" - ie: 
> Using a Cable Connection to send my mail to the CORRECT SMTP Server (ie: 
> The designated Server for the ISP whose account my mail is addressed from 
> instead of the "Smart Host" of my Cable ISP).
>
>I get both a RCVD_IN_NJABL_DIALUP and a RCVD_IN_DYNABLOCK for being a 
>Cable User (3 points) and an extra .1 point for sending to my ISP's SMTP 
>Server when not using that ISP's Connectivity. I object to this multi 
>charging for the same thing. Both of the NJABL rules key off the same 
>table and I then get clobbered with 2.5 points for not having a static IP 
>Address (after being charged .5 points for being a "Dial-Up" user which as 
>a Cable User I AM NOT).

 From the perspective of dynablock and NJABL, *any* end-user IP address is 
listed.. these list dialups, dsls, cable modems, or whatever, for a 
home-user type address that should be sending mail via a mail relay and not 
directly sending mail.

In your case, you're being penalized for one of two reasons:

 1) the spamassassin box is misconfigured and nobody set their 
trusted_networks in a situation that needs it (hint: any box running a 
NATed IP address MUST set trusted_networks by hand, autodiscovery does NOT 
work)

 2) you really are directly injecting mail to a server that runs SA 
from your home address, instead of using your ISP's mail relay. If you want 
SA to not tag these messages, either get that admin to reconfigure his 
trusted_networks, or start using your ISP's SMTP relay.

>I know that there is nothing that I can do about this (except 
>Mis-Configure my Mail Client to route all my mail through my CURRENT 
>Connectivity provider [and do it again when I alter my connectivity]) even 
>though all the mail is going via SMTP AUTH links to PORT587 and thus is 
>being Authenticated by the Injection SMTP Host (in MSA Mode due to it 
>coming in via Port 587.
>
>   3) My major gripe is with the adding insult-to-injury 1.9 point invalid 
> rejection of my X-Mailer Header. I use a Macintosh version of Eudora 
> which does NOT have the Hardcoded X-Mailer constant that Spamassassin is 
> looking for. In Mac Eudora the X-Mailer Header is created (as are all 
> other X-* headers) by the user coding what the data in the header should be.

Aye, unfortunately since there's no standard for X-Mailers for the MAC 
version of Eudora, a lot of them look to SA like the windows version. Try 
using an X-Mailer header that starts with "Eudora for Macintosh" or "Eudora 
for Mac OS X". SA does recognize those strings as MAC versions.. it 
currently doesn't recognize the format you're using, so it assumes it must 
be a windows version, and then realizes the message was clearly not 
generated by Eudora for Windows (which it wasn't but SA is confused and 
thinks it is)..


There's a bug open on this issue.
http://bugzilla.spamassassin.org/show_bug.cgi?id=2598

Personally, I'm hoping to spend some time revamping these rules so that MAC 
versions of Eudora are never thought to be forged no matter what they read. 
Basically this will involve characterizing the message-id's of Eudora for 
Mac's and always checking both windows and mac versions of the message-id, 
no matter what the x-mailer header reads. It will be better this way in the 
long run and will have fewer holes in it for spammers to abuse, or end 
users to fall in accidentally.

However, my spare time is limited, so it's possible Justin and friends will 
beat me to the punch.







[SAtalk] Re: filebased whitelisting

2003-11-10 Thread Lukreme
On 10 Nov 2003, at 01:32, peter pilsl wrote:
> to avoid false positives (which is at a rate of approx. 0.2% now) I'd like to
> whitelist my whole addressbook. My addressbook is changing/growing, so I would
> like not to implement it using 500 "whitelist_from"-configs but put it to a file
> and have a single "whilelist_fromfile"-statement in my local.cf. Unfortunately I
> did not find such a statement. Did I miss it or is there any trick ?

Or, better, is there a way to integrate with LDAP?

--
Do not meddle in the affairs of wizards for they are subtle and quick 
to anger.





[SAtalk] Re: scoring system and values...

2003-11-10 Thread Lukreme
On 10 Nov 2003, at 07:33, Terry Milnes wrote:
> The typical user is capable of making toast in his electric toaster, 
> but when it comes to the overwhelming complexities involved in 
> operating a computer he is totally lost. He will become extremely 
> agitated when he loses the *REALLY IMPORTANT* email that was tagged 
> as spam, put into his spam mailbox and which he subsequently deleted 
> because he didn't pay close enough attention to what *HE* was doing, 
> that instantly becomes our fault!

Simple, I give users a choice, not SA or SA.  If they choose to NOT use 
SA, I ignore complaints about spam.  If they choose to use SA, they are 
told to check before they delete, if they don't I remind them I told 
them to check before they delete and suggest they get the mail resent.  
If they continue to have problems we give them the option of not using 
SpamAssassin.

Blaming SA for user's deleting suspicious mail is a bit like blaming 
the hammer for you hitting your thumb.

> When someone posts to this list asking how he can improve the hit 
> ratio for his customers/users, cites examples or ideas that may 
> improve the success ratio for his situation, (multiple user, many 
> morons) the last thing he wants to hear about is how good spamassassin 
> is without any of his kind of modification and that if he uses bayes or 
> spends a little time tweaking he can see results like these  He is 
> probably already aware of that

"Training Bayes" is not something that users need to do.  It simply 
happens as the Bayes filters learn their email.

If you don't want false positives set your default threshold at 9.0 for 
users new to SA and lower it to 5.0 after a few months, once bayes has 
a chance to learn.  My server _discards_ mail scoring 9+ unless a user 
specifically asks us not to.  mail that scores 5.0-8.99 is marked as 
possible spam (Spam? 5.60), and users are told to sort their Spam 
folders (if they have them) by subject, so the lowest scoring potential 
spams are listed first.  Makes it easy for them to check.

And I haven't seen a single "important" mail get tagged as Spam since 
the SA 2.3 days.  Usually the false positives are mails that are 
indistinguishable from spam, just spam that user happens to want (like my 
ads from ezydvd).

--
Hey, baby, I've got just the cure for that penis envy back at my 
apartment...




Re: [SAtalk] rule to whitelist Listserv (tm) list traffic

2003-11-10 Thread David B Funk
On Mon, 10 Nov 2003, Chris Barnes wrote:

> I am in need of a rule that will tell SpamAssassin to whitelist all
> email traffic which comes from our local Listserv (tm - www.lsoft.com)
> lists.
>
> The problem is that messages from the Listserv list have the original
> author's email address in the From: line.  The Listserv list address is
> in a header tag of:
>
> Sender: Name-of-list [EMAIL PROTECTED]
>
>
> In other words, SA needs to look at a header tag of SENDER:, not FROM:
> How would this rule look?
>
> (my guess)
> header LISTSERV_GOOD_SENDER Sender =~listserv.tamu.edu
> score  LISTSERV_GOOD_SENDER -100
>
> Would that work?

Almost. It needs to be a valid perl pattern-match regex:

  header LISTSERV_GOOD_SENDER Sender =~ /listserv.tamu.edu/

Only problem with that is that it will be susceptible to spammer abuse
if they ever find out about it. (note that empirical evidence points
to spammers reading this list ;().

What would be better is if you could use 'whitelist_from_rcvd' as it's
much more difficult for an external agent to abuse.
However this would require the predictable envelope-from address
being accessible to SA.
In addition to the "From:" header SA looks for "from" address info in
the headers:

  Envelope-Sender:
  Resent-Sender:
  X-Envelope-From:
  Return-Path:
  Resent-From:

Any chance you could get your listserv to put its Sender info into
one of these?

If you are only concerned about local SA filtering of these messages,
you could customize the 'EvalTests.pm' file in your SA installation
and add "Sender:" to that recognized "from" header list.

One other possibility depends upon how you call SA. If your method of
processing the mail has access to the envelope-sender, you could hack it
to synthesize a 'Envelope-Sender' header to pass that info in to SA.

I use spamd with sendmail and miltrassassin. I hacked the miltrassassin
code to synthesize a 'Envelope-Sender' header and it makes whitelisting
mailing lists via whitelist_from_rcvd much easier.

If you do go the whitelist_from_rcvd route be sure to set your
trusted_networks parameter.

FWIW, I prefer to use def_whitelist_from_rcvd instead of
whitelist_from_rcvd. Makes mistakes and successful forgeries less
damaging. ;)

Dave

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
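
Added example, not part of the original message and not SpamAssassin's own code: a simplified Python model of why a Sender-header rule is easier to abuse than a `whitelist_from_rcvd`-style check that also requires the delivering relay's reverse DNS to match. The host `mx.example.org`, the list addresses, the IP addresses and both sample messages are constructed; the envelope sender is assumed to be available in `Return-Path`.

```python
import re
from email import message_from_string
from fnmatch import fnmatch

MY_MX = "mx.example.org"                        # hypothetical host running the filter
SENDER_RULE = re.compile(r"listserv.tamu.edu")  # pattern from the header rule above

# "from HELO (rDNS [IP]) by HOST": the rDNS and IP are recorded by the receiver.
RCVD = re.compile(
    r"from\s+\S+\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)

# Constructed sample: a post relayed by the list server itself.
GENUINE = """\
Return-Path: <owner-somelist@listserv.tamu.edu>
Received: from listserv.tamu.edu (listserv.tamu.edu [192.0.2.25]) by mx.example.org with ESMTP; Mon, 10 Nov 2003 12:00:00 -0600
Sender: Some List <somelist@listserv.tamu.edu>
From: Author <author@example.com>
Subject: list post

hello list
"""

# Constructed sample: same Sender and envelope sender, but delivered from an
# unrelated host. Only the rDNS recorded by our own MX gives it away.
FORGED = """\
Return-Path: <owner-somelist@listserv.tamu.edu>
Received: from listserv.tamu.edu (host7.example.net [203.0.113.7]) by mx.example.org with SMTP; Mon, 10 Nov 2003 12:05:00 -0600
Sender: Some List <somelist@listserv.tamu.edu>
From: Offers <offers@example.net>
Subject: list post

buy now
"""


def sender_rule_hits(msg):
    """Header-only rule: trusts whatever the message says in Sender:."""
    return bool(SENDER_RULE.search(msg.get("Sender", "")))


def rcvd_whitelist_hits(msg, addr_glob, rdns_domain):
    """Envelope sender must match addr_glob AND the relay that handed the
    message to our MX must have reverse DNS inside rdns_domain."""
    env_from = msg.get("Return-Path", "").strip("<> \t").lower()
    if not fnmatch(env_from, addr_glob.lower()):
        return False
    received = msg.get_all("Received") or []
    if not received:
        return False
    # Only the topmost Received header was written by our own server.
    m = RCVD.search(" ".join(received[0].split()))
    if not m or m.group("by").lower() != MY_MX:
        return False
    rdns = m.group("rdns").lower().rstrip(".")
    return rdns == rdns_domain or rdns.endswith("." + rdns_domain)


def compare(raw):
    """Return (header rule verdict, relay-checked verdict) for one message."""
    msg = message_from_string(raw)
    return (sender_rule_hits(msg),
            rcvd_whitelist_hits(msg, "*@listserv.tamu.edu", "tamu.edu"))


if __name__ == "__main__":
    print("genuine:", compare(GENUINE))
    print("forged: ", compare(FORGED))
```

In this model both messages satisfy the Sender rule, but only the one whose delivering relay resolves inside the list's domain passes the relay-checked whitelist.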





Re: [SAtalk] spam threshold value?

2003-11-10 Thread Matt Kettler
At 04:14 PM 11/10/2003, you wrote:
> What's the lowest spam threshold value you are managing to get away with
> (without false positives) ?

There's always FP's at pretty much any threshold that's not absurdly high 
(ie, 1.0).

However, I have yet to notice any significant amount of FP's at 5.0.. 
Occasionally I get some sa-talk posts that go over.

Note: I'm using 2.60 w/ bayes, razor, and dnsbls. bayes is greatly 
improving the accuracy of SA.





[SAtalk] Installation problems...

2003-11-10 Thread Tomas Hood
I was running a very effective version 2.54 of SpamAssassin on Linux with 
procmail.  I have it using spamd.  I upgraded today to 2.60.  I did the 
three makes - and restarted spamd.  Things went well for a short while, then 
my server bogged down to a grinding halt.  Now I see I need to add the -m 
switch.  Fine.

However, while watching my logs, I saw these:

Nov 10 14:53:27 accessnow spamd[5823]: Use of uninitialized value in null 
operation at /usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin/BayesStore.pm 
line 354.
Nov 10 14:53:27 accessnow spamd[5823]: Use of uninitialized value in null 
operation at /usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin/BayesStore.pm 
line 355.
Nov 10 14:53:27 accessnow spamd[5823]: Use of uninitialized value in null 
operation at /usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin/BayesStore.pm 
line 356.
Nov 10 14:53:39 accessnow spamd[5823]: Argument "" isn't numeric in numeric 
gt (>) at /usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin/BayesStore.pm 
line 1240.
Nov 10 14:53:39 accessnow spamd[5823]: Argument "" isn't numeric in numeric 
lt (<) at /usr/lib/perl5/site_perl/5.6.0/Mail/SpamAssassin/BayesStore.pm 
line 1245.
Nov 10 14:53:46 accessnow last message repeated 171 times

What do I do about this problem??

Thanks,

Tomas






RE: [SAtalk] New Obfuscation Technique?

2003-11-10 Thread Bret Miller

> This is the spammer trick of saying the email is from you, to
> you. So it got Whitelisted. Here is _A_ solution. I believe
> the newest version of SA also solves this:


Actually, if you'd checked the SA headers, you'd notice that AWL didn't
seem to come into play here. It just didn't hit enough with BAYES or
other rules to score it high enough.

* X-Spam-Score: 3.7
* X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
mail.dmz.wcg.org
* X-Spam-Tests: tests=BANG_MORE,BAYES_60,HTML_FONTCOLOR_RED,
HTML_FONTCOLOR_UNKNOWN,HTML_FONT_BIG,HTML_MESSAGE,MIME_HTML_ONLY,
NORMAL_HTTP_TO_IP,UPPERCASE_25_50
* X-Spam-Level: +++

Bret







Re: [SAtalk] Installation problems...

2003-11-10 Thread Theo Van Dinter
On Mon, Nov 10, 2003 at 03:24:46PM -0800, Tomas Hood wrote:
> What do I do about this problem??

did you read the instructions (ala, make sure you have DB_File installed
and run "sa-learn --import")?

those look like DB-related issues.

-- 
Randomly Generated Tagline:
"Before his State of the Union speech, the president's niece was arrested
 for trying to fill a fake prescription for the anti-anxiety drug Xanax. If
 you're not familiar with Xanax, the best way to describe it is, after
 taking three or four with a wine cooler, you become a really, really
 compassionate conservative."- Bill Maher, Politically Incorrect




Re: [SAtalk] Looking for Rules

2003-11-10 Thread Matt Kettler
At 04:36 PM 11/10/2003, Bob Rosenberg wrote:
> I have a number of gripes about this.
>
>   1) I only get 5 points not 5.1 when I add them together.

One word.. rounding.. The report only displays the rule score down to the 
nearest tenth of a point, however the rules are scored down further in 
precision.

The real, unrounded, scores are:
0.53    RCVD_IN_NJABL_DIALUP
0.100   RCVD_IN_NJABL
2.55    RCVD_IN_DYNABLOCK
1.91    FORGED_MUA_EUDORA
-----
5.09

And 5.09 rounds to 5.1


>   2) I am getting penalized multiple times for the same "offence" - ie: 
> Using a Cable Connection to send my mail to the CORRECT SMTP Server (ie: 
> The designated Server for the ISP whose account my mail is addressed from 
> instead of the "Smart Host" of my Cable ISP).
>
> I get both a RCVD_IN_NJABL_DIALUP and a RCVD_IN_DYNABLOCK for being a 
> Cable User (3 points) and an extra .1 point for sending to my ISP's SMTP 
> Server when not using that ISP's Connectivity. I object to this multi 
> charging for the same thing. Both of the NJABL rules key off the same 
> table and I then get clobbered with 2.5 points for not having a static IP 
> Address (after being charged .5 points for being a "Dial-Up" user which as 
> a Cable User I AM NOT).

From the perspective of dynablock and NJABL, *any* end-user IP address is 
listed.. these list dialups, dsls, cable modems, or whatever, for a 
home-user type address that should be sending mail via a mail relay and not 
directly sending mail.

In your case, you're being penalized for one of two reasons:

1) the spamassassin box is misconfigured and nobody set their 
trusted_networks in a situation that needs it (hint: any box running a 
NATed IP address MUST set trusted_networks by hand, autodiscovery does NOT 
work)

2) you really are directly injecting mail to a server that runs SA 
from your home address, instead of using your ISP's mail relay. If you want 
SA to not tag these messages, either get that admin to reconfigure his 
trusted_networks, or start using your ISP's SMTP relay.

I know that there is nothing that I can do about this (except 
Mis-Configure my Mail Client to route all my mail through my CURRENT 
Connectivity provider [and do it again when I alter my connectivity]) even 
though all the mail is going via SMTP AUTH links to PORT587 and thus is 
being Authenticated by the Injection SMTP Host (in MSA Mode due to it 
coming in via Port 587.

  3) My major gripe is with the adding insult-to-injury 1.9 point invalid 
rejection of my X-Mailer Header. I use a Macintosh version of Eudora 
which does NOT have the Hardcoded X-Mailer constant that Spamassassin is 
looking for. In Mac Eudora the X-Mailer Header is created (as are all 
other X-* headers) by the user coding what the data in the header should be.
Aye, unfortunately since there's no standard for X-Mailers for the MAC 
version of Eudora, a lot of them look to SA like the windows version. Try 
using an X-Mailer header that starts with "Eudora for Macintosh" or "Eudora 
for Mac OS X". SA does recognize those strings as MAC versions.. it 
currently doesn't recognize the format you're using, so it assumes it must 
be a windows version, and then realizes the message was clearly not 
generated by Eudora for Windows (which it wasn't but SA is confused and 
thinks it is)..

There's a bug open on this issue.
http://bugzilla.spamassassin.org/show_bug.cgi?id=2598
Personally, I'm hoping to spend some time revamping these rules so that MAC 
versions of Eudora are never thought to be forged no matter what they read. 
Basically this will involve characterizing the message-id's of Eudora for 
Mac's and always checking both windows and mac versions of the message-id, 
no matter what the x-mailer header reads. It will be better this way in the 
long run and will have fewer holes in it for spammers to abuse, or end 
users to fall in accidentally.

However, my spare time is limited, so it's possible Justin and friends will 
beat me to the punch.







Re: [SAtalk] Razor/SA integration

2003-11-10 Thread Ken Bass
Since the messages are received post spamassassin processing
they contain all the spamassassin stuff (marked-up-and put-in-an-attachment
version). My understanding was that sa-learn is smart enough to ignore all
its marked up stuff. I hope that is true even when it is given the '--mbox'
option. The sa-learn man page doesn't say the --mbox changes the behaviour
and the documentation for the --spam option states: " If the messages have
already been filtered through SpamAssassin, the learner will ignore any
modifications SpamAssassin may have made."


On Mon, 10 Nov 2003 14:05:24 -0800, Kelson Vibber <[EMAIL PROTECTED]> wrote:

>Ken Bass wrote:
>>   My question is how to report a *mailbox* of spam to razor2. I just 
>> added razor2 to my configuration and wanted to contribute.
>...
>>I then call 'sa-learn --mbox --spam' on the input file
>
>If I understand correctly, this means that at this point you have the 
>messages in their original state.  (IIRC sa-learn expects to get the 
>original messages, not the marked-up-and-put-in-an-attachment version.)  If 
>that's the case, then you can just pipe the mailbox to "razor-report --mbox".
>
>
>Kelson Vibber
>SpeedGate Communications  
>
>
>
>





Re: [SAtalk] Looking for Rules

2003-11-10 Thread Chris Thielen
Here are bits of the EUDORA rules you're hitting:
20_ratware.cf:meta FORGED_MUA_EUDORA (__EUDORA_MUA &&
!__EUDORA_MSGID && !__UNUSABLE_MSGID && !__HAS_X_LOOP &&
!__HAS_X_MAILING_LIST && !__MAC_EUDORA_MUA && !__PALM_EUDORA_MUA &&
!__OLD_EUDORA1 && !(__OLD_EUDORA2 && !__ANY_QUALCOMM_MUA))
20_ratware.cf:describe FORGED_MUA_EUDORA Forged mail pretending to be from Eudora

20_ratware.cf:header __EUDORA_MUA   X-Mailer =~ /\b(?:QUALCOMM|Eudora)\b/

20_ratware.cf:header __MAC_EUDORA_MUA   X-Mailer =~ /Eudora for (?:Macintosh|Mac OS X)/


FORGED_MUA_EUDORA is a meta rule meaning it is based on other rules.

Putting "Eudora for Mac OS X" somewhere in your X-Mailer like the
__MAC_EUDORA_MUA has it should do the trick, methinks.

Disclaimer:
I'm probably wrong.

--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/


Bob Rosenberg said:
> I have been informed that all my mail is being flagged by
> Spamassassin (as shown below with a message I sent out).
>
>>X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
>>  mailspool2.panix.com
>>X-Spam-Status: Yes, hits=5.1 required=5.0 tests=FORGED_MUA_EUDORA,
>>  RCVD_IN_DYNABLOCK,RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP autolearn=no
>>  version=2.60
>>X-Spam-Level: *
>>
>>Content analysis details:   (5.1 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  0.5 RCVD_IN_NJABL_DIALUP   RBL: NJABL: dialup sender did non-local SMTP
>>                             [67.80.44.212 listed in dnsbl.njabl.org]
>>  0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
>>                             [67.80.44.212 listed in dnsbl.njabl.org]
>>  2.5 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
>>                             [Dynamic/Residential IP range listed by]
>>                             [easynet.nl DynaBlock - ]
>>  1.9 FORGED_MUA_EUDORA      Forged mail pretending to be from Eudora
>
> I have a number of gripes about this.
>
>   1) I only get 5 points not 5.1 when I add them together.
>
>   2) I am getting penalized multiple times for the same "offence" -
> ie: Using a Cable Connection to send my mail to the CORRECT SMTP
> Server (ie: The designated Server for the ISP whose account my mail
> is addressed from instead of the "Smart Host" of my Cable ISP).
>
> I get both a RCVD_IN_NJABL_DIALUP and a RCVD_IN_DYNABLOCK for being a
> Cable User (3 points) and an extra .1 point for sending to my ISP's
> SMTP Server when not using that ISP's Connectivity. I object to this
> multi charging for the same thing. Both of the NJABL rules key off
> the same table and I then get clobbered with 2.5 points for not
> having a static IP Address (after being charged .5 points for being a
> "Dial-Up" user which as a Cable User I AM NOT).
>
> I know that there is nothing that I can do about this (except
> Mis-Configure my Mail Client to route all my mail through my CURRENT
> Connectivity provider [and do it again when I alter my connectivity])
> even though all the mail is going via SMTP AUTH links to PORT587 and
> thus is being Authenticated by the Injection SMTP Host (in MSA Mode
> due to it coming in via Port 587.
>
>   3) My major gripe is with the adding insult-to-injury 1.9 point
> invalid rejection of my X-Mailer Header. I use a Macintosh version of
> Eudora which does NOT have the Hardcoded X-Mailer constant that
> Spamassassin is looking for. In Mac Eudora the X-Mailer Header is
> created (as are all other X-* headers) by the user coding what the
> data in the header should be.
>
> I went to www.spamassassin.org but not only was I unable to locate a
> description of the Rule Template (so I can pacify Spamassassin into
> accepting the X-Header by using the correct format and thus allowing
> me an extra 2 points [over the 3 that my Cable User using MSA Servers
> Status penalizes me] for other erroneous offences) but the list of
> Rules and Scores does not even acknowledge this supposed rule by
> name. Can someone here please supply me with the Rule Template or
> suggest what I should use other than just outright lying by claiming
> to be a Windows Eudora User by saying:
>
> X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
>
> For reference purposes (as can be seen in my headers) my current header
> is:
>
> X-Mailer: Eudora Pro 6.0.1 PPC (MacOS 10.3)
>
> Thank you.
>
> --
>
> Bob Rosenberg
> [EMAIL PROTECTED]
> Computer Help for the Computer Challenged
>
>
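
The meta rule quoted in this message and the rounding question answered earlier in the thread, as an added Python example that is not part of the original posts and is not SpamAssassin's code. The two X-Mailer patterns and the unrounded scores are copied from the messages above; the sub-rules whose patterns are not shown (such as `__EUDORA_MSGID`) are supplied by the caller, and the "Eudora for Mac OS X 6.0.1" header value is constructed.

```python
import re

# Sub-rule patterns copied from the 20_ratware.cf lines quoted in this thread.
EUDORA_MUA = re.compile(r"\b(?:QUALCOMM|Eudora)\b")
MAC_EUDORA_MUA = re.compile(r"Eudora for (?:Macintosh|Mac OS X)")

# Unrounded scores as listed in Matt Kettler's reply.
SCORES = {
    "RCVD_IN_NJABL_DIALUP": 0.53,
    "RCVD_IN_NJABL": 0.100,
    "RCVD_IN_DYNABLOCK": 2.55,
    "FORGED_MUA_EUDORA": 1.91,
}
REQUIRED = 5.0
DNSBL_HITS = ["RCVD_IN_NJABL_DIALUP", "RCVD_IN_NJABL", "RCVD_IN_DYNABLOCK"]


def forged_mua_eudora(x_mailer, other_hits=()):
    """Evaluate the FORGED_MUA_EUDORA meta expression for one X-Mailer value.

    other_hits names the sub-rules whose patterns the thread does not show
    (__EUDORA_MSGID, __UNUSABLE_MSGID, ...); the caller says which ones fired.
    """
    hits = set(other_hits)
    if EUDORA_MUA.search(x_mailer):
        hits.add("__EUDORA_MUA")
    if MAC_EUDORA_MUA.search(x_mailer):
        hits.add("__MAC_EUDORA_MUA")

    def hit(name):
        return name in hits

    return (
        hit("__EUDORA_MUA")
        and not hit("__EUDORA_MSGID")
        and not hit("__UNUSABLE_MSGID")
        and not hit("__HAS_X_LOOP")
        and not hit("__HAS_X_MAILING_LIST")
        and not hit("__MAC_EUDORA_MUA")
        and not hit("__PALM_EUDORA_MUA")
        and not hit("__OLD_EUDORA1")
        and not (hit("__OLD_EUDORA2") and not hit("__ANY_QUALCOMM_MUA"))
    )


def report(x_mailer, dnsbl_hits, other_hits=()):
    """Score a message the way the quoted report does: sum first, round last."""
    tests = list(dnsbl_hits)
    if forged_mua_eudora(x_mailer, other_hits):
        tests.append("FORGED_MUA_EUDORA")
    total = sum(SCORES[t] for t in tests)
    # What a reader gets by adding the one-decimal figures from the report.
    sum_of_shown = sum(float("%.1f" % SCORES[t]) for t in tests)
    return {
        "tests": sorted(tests),
        "shown_total": "%.1f" % total,
        "sum_of_shown": "%.1f" % sum_of_shown,
        "is_spam": total >= REQUIRED,
    }


if __name__ == "__main__":
    for mailer in ("Eudora Pro 6.0.1 PPC (MacOS 10.3)",   # header from the thread
                   "Eudora for Mac OS X 6.0.1"):          # constructed value
        print(mailer, report(mailer, DNSBL_HITS))
```

With the header from the thread the per-rule figures add up to 5.0 while the real total displays as 5.1; with a string that `__MAC_EUDORA_MUA` matches, the meta rule no longer fires and the total stays under the threshold.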

[SAtalk] spam threshold value?

2003-11-10 Thread Rick [Kitty5]
What's the lowest spam threshold value you are managing to get away with
(without false positives) ?

-- 
Rick

Kitty5 NewMedia http://Kitty5.com
POV-Ray News & Resources http://Povray.co.uk
TEL : +44 (01270) 501101 - ICQ : 15776037

PGP Public Key
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x231E1CEA







[SAtalk] Panix dynablock issue

2003-11-10 Thread Justin Mason

Bob Rosenberg writes:
>I have been informed that all my mail is being flagged by 
>Spamassassin (as shown below with a message I sent out).
>
>>X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
>>  mailspool2.panix.com
>>X-Spam-Status: Yes, hits=5.1 required=5.0 tests=FORGED_MUA_EUDORA,
>>  RCVD_IN_DYNABLOCK,RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP autolearn=no
>>  version=2.60
>>X-Spam-Level: *
>>
>>Content analysis details:   (5.1 points, 5.0 required)
>>
>>  pts rule name              description
>> ---- ---------------------- --------------------------------------------------
>>  0.5 RCVD_IN_NJABL_DIALUP   RBL: NJABL: dialup sender did non-local SMTP
>>                             [67.80.44.212 listed in dnsbl.njabl.org]
>>  0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
>>                             [67.80.44.212 listed in dnsbl.njabl.org]
>>  2.5 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
>>                             [Dynamic/Residential IP range listed by]
>>                             [easynet.nl DynaBlock - ]
>>  1.9 FORGED_MUA_EUDORA      Forged mail pretending to be from Eudora

Ick!

I notice this:

  Received: from [192.168.1.11] (ool-43502cd4.dyn.optonline.net
[67.80.44.212]) by mailspool2.panix.com (Postfix) with ESMTP id
96A57194700 for <[EMAIL PROTECTED]>; Mon,
10 Nov 2003 16:36:47 -0500 (EST)

Presumably you're authenticating with mailspool2.panix.com somehow --
using SMTP AUTH or similar.

Then Panix is checking mail going *from* an authenticated address *to* a
Panix address; this fails, because there's no way for SpamAssassin to tell
that that didn't arrive from an unauthenticated sender out on the 'net
somewhere.

Really, Panix need to whitelist this situation, by adding a local rule
to offset the Dynablock hit for authenticated users.   Or just skip
messages that came via authenticated submission to Panix from
spam-scanning.

BTW -- non-Panix users don't get that DYNABLOCK hit.  f'rexample,
I see:

X-spam-status: No, hits=-1.8 required=5.0 tests=BAYES_00,FORGED_MUA_EUDORA,
RCVD_IN_NJABL autolearn=no version=2.70-cvs

Regarding the FORGED_MUA_EUDORA hit: this bug is open for that issue:
http://bugzilla.spamassassin.org/show_bug.cgi?id=2654
I've moved the milestone so we can try to fix it for 2.61.

--j.

>I have a number of gripes about this.
>
>  1) I only get 5 points not 5.1 when I add them together.
>
>  2) I am getting penalized multiple times for the same "offence" - 
>ie: Using a Cable Connection to send my mail to the CORRECT SMTP 
>Server (ie: The designated Server for the ISP whose account my mail 
>is addressed from instead of the "Smart Host" of my Cable ISP).
>
>I get both a RCVD_IN_NJABL_DIALUP and a RCVD_IN_DYNABLOCK for being a 
>Cable User (3 points) and an extra .1 point for sending to my ISP's 
>SMTP Server when not using that ISP's Connectivity. I object to this 
>multi charging for the same thing. Both of the NJABL rules key off 
>the same table and I then get clobbered with 2.5 points for not 
>having a static IP Address (after being charged .5 points for being a 
>"Dial-Up" user which as a Cable User I AM NOT).
>
>I know that there is nothing that I can do about this (except 
>Mis-Configure my Mail Client to route all my mail through my CURRENT 
>Connectivity provider [and do it again when I alter my connectivity]) 
>even though all the mail is going via SMTP AUTH links to PORT587 and 
>thus is being Authenticated by the Injection SMTP Host (in MSA Mode 
>due to it coming in via Port 587.
>
>  3) My major gripe is with the adding insult-to-injury 1.9 point 
>invalid rejection of my X-Mailer Header. I use a Macintosh version of 
>Eudora which does NOT have the Hardcoded X-Mailer constant that 
>Spamassassin is looking for. In Mac Eudora the X-Mailer Header is 
>created (as are all other X-* headers) by the user coding what the 
>data in the header should be.
>
>I went to www.spamassassin.org but not only was I unable to locate a 
>description of the Rule Template (so I can pacify Spamassassin into 
>accepting the X-Header by using the correct format and thus allowing 
>me an extra 2 points [over the 3 that my Cable User using MSA Servers 
>Status penalizes me] for other erroneous offences) but the list of 
>Rules and Scores does not even acknowledge this supposed rule by 
>name. Can someone here please supply me with the Rule Template or 
>suggest what I should use other than just outright lying by claiming 
>to be a Windows Eudora User by saying:
>
>X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
>
>For reference purposes (as can be seen in my headers) my current header is:
>
>X-Mailer: Eudora Pro 6.0.1 PPC (MacOS 10.3)
>
>Thank you.
>
>-- 
>
>Bob Rosenberg
>[EMAIL PROTECTED]
>Computer Help for the Computer Challenged
>
>
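
A simplified model of the situation described in this message, as an added Python example (not SpamAssassin's code and not part of the original post): it finds the address that handed the mail to the local servers in the Received chain and decides whether a dynamic-address list should be consulted for it. The function names, the constructed headers and the use of the RFC 3848 `ESMTPA`/`ESMTPSA` keywords as a marker of authenticated submission are assumptions; the 2003 header quoted above carries no such marker.

```python
import ipaddress
import re

# Received header quoted in the message above (address redacted as on the page).
PAGE_RECEIVED = (
    "from [192.168.1.11] (ool-43502cd4.dyn.optonline.net [67.80.44.212]) "
    "by mailspool2.panix.com (Postfix) with ESMTP id 96A57194700 "
    "for <[EMAIL PROTECTED]>; Mon, 10 Nov 2003 16:36:47 -0500 (EST)"
)
# Constructed variant: the same hop, recorded by an MSA that marks SMTP AUTH.
AUTH_RECEIVED = PAGE_RECEIVED.replace("with ESMTP id", "with ESMTPSA id")
# Constructed chain, newest header first: internal NATed relay, then the client.
CHAIN = [
    "from relay.example.test (relay.example.test [10.0.0.5]) "
    "by mx.example.test (Postfix) with ESMTP id B2; Mon, 10 Nov 2003 16:36:50 -0500",
    "from client.example.test (host.example.test [203.0.113.7]) "
    "by relay.example.test (Postfix) with ESMTP id A1; Mon, 10 Nov 2003 16:36:47 -0500",
]

# Postfix-style "from HELO (rdns [ip]) by host ... with PROTO" layout only.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+"
    r"by\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)"
)
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}  # assumption: the MSA uses RFC 3848 keywords


def parse_received(value):
    """Split one Received header into helo, rdns, ip, by and proto fields."""
    match = RECEIVED_RE.search(" ".join(value.split()))  # undo header folding
    if match is None:
        raise ValueError("unsupported Received format: %r" % value)
    hop = match.groupdict()
    hop["ip"] = ipaddress.ip_address(hop["ip"])
    hop["proto"] = hop["proto"].upper()
    return hop


def handoff_hop(received, trusted_networks):
    """Return the newest hop whose connecting address is outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for value in received:  # newest header first, as in a stored message
        hop = parse_received(value)
        if not any(hop["ip"] in net for net in nets):
            return hop
    return None


def dynamic_list_decision(received, trusted_networks):
    """Decide whether a dynamic-address list lookup applies to this message."""
    hop = handoff_hop(received, trusted_networks)
    if hop is None:
        return ("skip", "every relay is trusted")
    if hop["proto"] in AUTH_PROTOCOLS:
        return ("skip", "authenticated submission")
    return ("check", str(hop["ip"]))


if __name__ == "__main__":
    print(dynamic_list_decision([PAGE_RECEIVED], []))        # header from the page
    print(dynamic_list_decision([AUTH_RECEIVED], []))        # marked as authenticated
    print(dynamic_list_decision(CHAIN, ["10.0.0.0/8"]))      # internal relay trusted
    print(dynamic_list_decision(CHAIN, []))                  # internal relay not declared
```

The last case stops at the internal relay's private address because no trusted network was declared, which is the kind of misjudged hop the `trusted_networks` advice elsewhere in the thread is about.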

Re: [SAtalk] Looking for Rules

2003-11-10 Thread Terry Milnes
Yeah RCVD_IN_DYNABLOCK etc. is annoying, and it is a bug, that is 
scheduled to be fixed in version 2.7 (the last time I looked)

In the meantime maybe notify whoever informed you that spamassassin has 
a bug (# 2537 dialup dnsbl's don't skip first hop).  They can add 
"score RCVD_IN_DYNABLOCK  0" etc. to their local.cf to ignore this feature.

Dial up isn't literal; it means for the most part you belong to a
residential class dynamic IP address.

Dunno nuttin' about the eudora thing though...

Terry...

Bob Rosenberg wrote:
I have been informed that all my mail is being flagged by Spamassassin 
(as shown below with a message I sent out).

X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
mailspool2.panix.com
X-Spam-Status: Yes, hits=5.1 required=5.0 tests=FORGED_MUA_EUDORA,
RCVD_IN_DYNABLOCK,RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP autolearn=no
version=2.60
X-Spam-Level: *
Content analysis details:   (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 RCVD_IN_NJABL_DIALUP   RBL: NJABL: dialup sender did non-local SMTP
                            [67.80.44.212 listed in dnsbl.njabl.org]
 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [67.80.44.212 listed in dnsbl.njabl.org]
 2.5 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [Dynamic/Residential IP range listed by]
                            [easynet.nl DynaBlock - ]
 1.9 FORGED_MUA_EUDORA      Forged mail pretending to be from Eudora


I have a number of gripes about this.

 1) I only get 5 points not 5.1 when I add them together.

 2) I am getting penalized multiple times for the same "offence" - ie: 
Using a Cable Connection to send my mail to the CORRECT SMTP Server (ie: 
The designated Server for the ISP whose account my mail is addressed 
from instead of the "Smart Host" of my Cable ISP).

I get both a RCVD_IN_NJABL_DIALUP and a RCVD_IN_DYNABLOCK for being a 
Cable User (3 points) and an extra .1 point for sending to my ISP's SMTP 
Server when not using that ISP's Connectivity. I object to this multi 
charging for the same thing. Both of the NJABL rules key off the same 
table and I then get clobbered with 2.5 points for not having a static 
IP Address (after being charged .5 points for being a "Dial-Up" user 
which as a Cable User I AM NOT).

I know that there is nothing that I can do about this (except 
Mis-Configure my Mail Client to route all my mail through my CURRENT 
Connectivity provider [and do it again when I alter my connectivity]) 
even though all the mail is going via SMTP AUTH links to PORT587 and 
thus is being Authenticated by the Injection SMTP Host (in MSA Mode due 
to it coming in via Port 587.

 3) My major gripe is with the adding insult-to-injury 1.9 point invalid 
rejection of my X-Mailer Header. I use a Macintosh version of Eudora 
which does NOT have the Hardcoded X-Mailer constant that Spamassassin is 
looking for. In Mac Eudora the X-Mailer Header is created (as are all 
other X-* headers) by the user coding what the data in the header should 
be.

I went to www.spamassassin.org but not only was I unable to locate a 
description of the Rule Template (so I can pacify Spamassassin into 
accepting the X-Header by using the correct format and thus allowing me 
an extra 2 points [over the 3 that my Cable User using MSA Servers 
Status penalizes me] for other erroneous offences) but the list of Rules 
and Scores does not even acknowledge this supposed rule by name. Can 
someone here please supply me with the Rule Template or suggest what I 
should use other than just outright lying by claiming to be a Windows 
Eudora User by saying:

X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22

For reference purposes (as can be seen in my headers) my current header is:

X-Mailer: Eudora Pro 6.0.1 PPC (MacOS 10.3)

Thank you.





Re: [SAtalk] Razor/SA integration

2003-11-10 Thread Kelson Vibber
Ken Bass wrote:
>   My question is how to report a *mailbox* of spam to razor2. I just
> added razor2 to my configuration and wanted to contribute.
> ...
> I then call 'sa-learn --mbox --spam' on the input file

If I understand correctly, this means that at this point you have the
messages in their original state.  (IIRC sa-learn expects to get the
original messages, not the marked-up-and-put-in-an-attachment version.)  If
that's the case, then you can just pipe the mailbox to "razor-report --mbox".

Kelson Vibber
SpeedGate Communications  





Re: [SAtalk] SA-Learn Count Question

2003-11-10 Thread Ken Bass
My guess - if you examine the headers of your spam messages you will see
that some messages are 'autolearned'. Messages that generate a high enough
'spam value' get internally fed to 'sa-learn' and are marked with
'autolearn=spam' in the X-Spam-Status header. Once a message has been
trained via sa-learn it will not be 'learned from' again. To test this:

1) Submit a new spam/ham message to sa-learn and it will report
   Learned from 1 message(s) (1 message(s) examined)
2) Resubmit the same thing and you will get
   Learned from 0 message(s) (1 message(s) examined)

This is my understanding - hope it is correct and that it helps.

Summary: there are 2 ways a message will be 'examined' by sa-learn but not
'learned from'. a) if it was autolearned b) if it was trained previously

On Mon, 10 Nov 2003 12:58:55 -0800, "Scott Renda" <[EMAIL PROTECTED]> wrote:

>We have been using Spamassassin 2.60 since it came out.  Prior to that, we
>were using SA 2.54.  I do have a question regarding sa-learn.
>
>It seems that the numbers I receive from sa-learn just don't add up.  See
>below for an example.  I have a cron job that runs once a day that will run
>usr/bin/sa-learn --spam --dir /var/spool/spam on a directory with all my
>spam.  Postfix is my MTA and I use a combo of Anomy/SA per the Advosys
>scripts to dump all spam above a threshold into one directory for all users.
>There are no per user SA settings at all.  Since we upgraded from SA 2.54 to
>2.60, the number of messages learned and number of messages examined
>differs.  Below are the results of the cron job run this past three
>mornings:
>
>Learned from 304 message(s) (30419 message(s) examined)
>Learned from 253 message(s) (30430 message(s) examined)
>Learned from 301 message(s) (30452 message(s) examined)
>
>It says it's learning from the xxx # of messages, but not incrementing the
>total amount examined by the same #.  I have never manually deleted a
>message out of this folder, and do not have any cron jobs doing this
>automatically.  I did successfully upgrade the Bayes DB as part of my
>upgrade, and can query the Bayes DB successfully.  Is there a way I can
>check on the Bayes DB to see if it is corrupt?  Am I missing something?
>Anybody else have a similar experience?  TIA.
>
>Scott
>
>
>





[SAtalk] Sa-stats.pl

2003-11-10 Thread rich-lists
Using RedHat 9 and SA 2.60 installed from RPMS, I found the source for
the sa-stats.pl perl script on the SA site. When I try to run it after
verifying the config settings, I keep getting all zeros for my report.
The report is generating, but the figures are not there. Any ideas what
is going on? An egrep on 'identified spam' clearly shows spam being
caught, but the report is not reflecting Spam/Ham at all.


Richard Humphrey





RE: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Chris Santerre


> -----Original Message-----
> From: Bill Larson [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 10, 2003 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Is punctuation really needed? (fwd)
> 
> 
> Simple solution

Not so simple :)

> 
> 1. Spamassassin reads in the message
> 2. It then stores the original message in two variables
> 3. In the second variable remove all punctuation, spaces, special encoded
> characters, foreign language characters, html including html comments, and
> other methods used for obfuscation.

This will cause other problems.like if people don't space properly.Have you
seen my pen.Is it on my desk? I cu!NT server died today.


> 4. Then run the standard filters on it.
> 5. If it was clean then process the message using standard 
> rules again in
> the unmodified state.

That was another problem. You may end up doubling the process time. I only
know these arguments, because I asked for the same thing a while back :)

> 
> If it is spam then mark the original unmodified message as 
> such and send it
> through. This will leave their only option being html image only spam.
> 

Now, having said all those things.there is already work being tested on
eval rules that remove punctuation. :-) I can't tell you anymore until
later. "The first rule of fightclub is you don't talk about fightclub."  ;)

--Chris Santerre




[SAtalk] Razor/SA integration

2003-11-10 Thread Ken Bass
  My question is how to report a *mailbox* of spam to razor2. I just added
razor2 to my configuration and wanted to contribute.

  I currently receive spam into my mail reader (Forte Agent) and they get
moved to a SPAM folder based on the header tags. I periodically visit that
SPAM folder and using 'Save as' I generate an 'mbox' format file with all
the SPAM messages. I then send an email with the 'mbox' format file as an
attachment to a mailalias I have setup on my mailserver. A procmail recipe
is waiting which decodes the attachment (which is base64 encoded) into the
original mbox format. I then call 'sa-learn --mbox --spam' on the input
file, generate a reply 'SPAM training' confirmation message which has the
output of the 'sa-learn' command. This works well.

  What I would like to do is send these filtered spams to razor2. It would
seem that we need a '-r' reporting option on the sa-learn. The FAQ indicates
that the message should be sent to 'spamassassin -r' which reports and
additionally learns it. However, I'm not dealing with one message, I'm
dealing with an 'mbox format' group of messages. It seems 'sa-learn' already
knows how to handle the 'mbox' format - shouldn't/couldn't it handle the
reporting for 'spam' (not ham). I assume 'spamassassin -r' will only work
for a single message.

  Any suggestion on how to accomplish this? Or could spamassassin add an
'mbox' option to process/iterate over a group of messages that works in
conjunction with the '-r' reporting option?
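
One way to feed a whole mailbox to a per-message reporter such as the `spamassassin -r` mentioned above, as an added Python example that is not part of the original post: it walks the mbox, recovers the original message from the marked-up attachment form, and pipes each one to a command. The sample mailbox is constructed, the function names are hypothetical, and treating `X-Spam-Flag: YES` plus a `message/rfc822` part as the sign of a wrapped message is an assumption about how the mail was tagged.

```python
import mailbox
import os
import subprocess
import tempfile

# Constructed sample: one message wrapped by the filter (original attached as
# message/rfc822) and one that only had X-Spam-* headers added.
SAMPLE_MBOX = b"""\
From scanner@mail.example.test Mon Nov 10 16:40:00 2003
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=12.3 required=5.0 tests=CONSTRUCTED_RULE
Subject: *****SPAM***** Cheap pills
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="SA_CONSTRUCTED_BOUNDARY"

--SA_CONSTRUCTED_BOUNDARY
Content-Type: text/plain

The attached message was marked as spam (constructed report text).

--SA_CONSTRUCTED_BOUNDARY
Content-Type: message/rfc822
Content-Disposition: inline

From: seller@example.test
To: user@example.test
Subject: Cheap pills
Message-ID: <1@example.test>

Buy now.

--SA_CONSTRUCTED_BOUNDARY--

From friend@example.test Mon Nov 10 16:41:00 2003
X-Spam-Status: No, hits=0.1 required=5.0 tests=CONSTRUCTED_RULE
From: friend@example.test
To: user@example.test
Subject: Tagged but not wrapped

Header-only markup.
"""


def write_sample_mbox():
    """Write the constructed sample to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile(suffix=".mbox", delete=False) as handle:
        handle.write(SAMPLE_MBOX)
        return handle.name


def unwrap(msg):
    """Return the attached original if msg is a filter-generated wrapper."""
    flagged = msg.get("X-Spam-Flag", "").strip().upper() == "YES"
    if flagged and msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "message/rfc822":
                inner = part.get_payload()
                if isinstance(inner, list) and inner:
                    return inner[0]
    # Not wrapped. Ordinary forwards with an rfc822 attachment lack the YES
    # flag, so they are left alone rather than replaced by their attachment.
    return msg


def strip_markup_headers(msg):
    """Drop the X-Spam-* headers added to a message that was not wrapped."""
    for name in {key.lower() for key in msg.keys()}:
        if name.startswith("x-spam-"):
            del msg[name]
    return msg


def originals_from_mbox(path):
    """Return every message in the mbox as raw bytes without filter markup."""
    box = mailbox.mbox(path, create=False)
    try:
        return [strip_markup_headers(unwrap(m)).as_bytes() for m in box]
    finally:
        box.close()


def report_each(messages, command=("spamassassin", "-r")):
    """Pipe each message to command on stdin and return the exit codes."""
    return [subprocess.run(list(command), input=raw).returncode
            for raw in messages]


if __name__ == "__main__":
    sample = write_sample_mbox()
    try:
        ready = originals_from_mbox(sample)
    finally:
        os.remove(sample)
    print(len(ready), "messages ready to report")
```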




RE: [SAtalk] SA-Learn Count Question

2003-11-10 Thread SRH-Lists
> Learned from 304 message(s) (30419 message(s) examined)
> Learned from 253 message(s) (30430 message(s) examined)
> Learned from 301 message(s) (30452 message(s) examined)

I bet you are seeing some spam re-learning after it has fallen off of
the expiry backend.
so the line:
Learned from 253 message(s) (30430 message(s) examined)
learned 11 new messages (30430 - 30419) and re-learned 242 messages that
had expired.

-steve




[SAtalk] Looking for Rules

2003-11-10 Thread Bob Rosenberg
I have been informed that all my mail is being flagged by 
Spamassassin (as shown below with a message I sent out).

X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
        mailspool2.panix.com
X-Spam-Status: Yes, hits=5.1 required=5.0 tests=FORGED_MUA_EUDORA,
        RCVD_IN_DYNABLOCK,RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP autolearn=no
        version=2.60
X-Spam-Level: *

Content analysis details:   (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.5 RCVD_IN_NJABL_DIALUP   RBL: NJABL: dialup sender did non-local SMTP
                            [67.80.44.212 listed in dnsbl.njabl.org]
 0.1 RCVD_IN_NJABL          RBL: Received via a relay in dnsbl.njabl.org
                            [67.80.44.212 listed in dnsbl.njabl.org]
 2.5 RCVD_IN_DYNABLOCK      RBL: Sent directly from dynamic IP address
                            [Dynamic/Residential IP range listed by]
                            [easynet.nl DynaBlock - ]
 1.9 FORGED_MUA_EUDORA      Forged mail pretending to be from Eudora

I have a number of gripes about this.

 1) I only get 5 points not 5.1 when I add them together.

 2) I am getting penalized multiple times for the same "offence" - 
ie: Using a Cable Connection to send my mail to the CORRECT SMTP 
Server (ie: The designated Server for the ISP whose account my mail 
is addressed from instead of the "Smart Host" of my Cable ISP).

I get both a RCVD_IN_NJABL_DIALUP and a RCVD_IN_DYNABLOCK for being a 
Cable User (3 points) and an extra .1 point for sending to my ISP's 
SMTP Server when not using that ISP's Connectivity. I object to this 
multi charging for the same thing. Both of the NJABL rules key off 
the same table and I then get clobbered with 2.5 points for not 
having a static IP Address (after being charged .5 points for being a 
"Dial-Up" user which as a Cable User I AM NOT).

I know that there is nothing that I can do about this (except 
Mis-Configure my Mail Client to route all my mail through my CURRENT 
Connectivity provider [and do it again when I alter my connectivity]) 
even though all the mail is going via SMTP AUTH links to PORT587 and 
thus is being Authenticated by the Injection SMTP Host (in MSA Mode 
due to it coming in via Port 587.

 3) My major gripe is with the adding insult-to-injury 1.9 point 
invalid rejection of my X-Mailer Header. I use a Macintosh version of 
Eudora which does NOT have the Hardcoded X-Mailer constant that 
Spamassassin is looking for. In Mac Eudora the X-Mailer Header is 
created (as are all other X-* headers) by the user coding what the 
data in the header should be.

I went to www.spamassassin.org but not only was I unable to locate a 
description of the Rule Template (so I can pacify Spamassassin into 
accepting the X-Header by using the correct format and thus allowing 
me an extra 2 points [over the 3 that my Cable User using MSA Servers 
Status penalizes me] for other erroneous offences) but the list of 
Rules and Scores does not even acknowledge this supposed rule by 
name. Can someone here please supply me with the Rule Template or 
suggest what I should use other than just outright lying by claiming 
to be a Windows Eudora User by saying:

X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22

For reference purposes (as can be seen in my headers) my current header is:

X-Mailer: Eudora Pro 6.0.1 PPC (MacOS 10.3)

Thank you.

--

Bob Rosenberg
[EMAIL PROTECTED]
Computer Help for the Computer Challenged


[SAtalk] SA-Learn Count Question

2003-11-10 Thread Scott Renda
We have been using Spamassassin 2.60 since it came out.  Prior to that, we
were using SA 2.54.  I do have a question regarding sa-learn.

It seems that the numbers I receive from sa-learn just don't add up.  See
below for an example.  I have a cron job that runs once a day that will run
usr/bin/sa-learn --spam --dir /var/spool/spam on a directory with all my
spam.  Postfix is my MTA and I use a combo of Anomy/SA per the Advosys
scripts to dump all spam above a threshold into one directory for all users.
There are no per user SA settings at all.  Since we upgraded from SA 2.54 to
2.60, the number of messages learned and number of messages examined
differs.  Below are the results of the cron job run this past three
mornings:

Learned from 304 message(s) (30419 message(s) examined)
Learned from 253 message(s) (30430 message(s) examined)
Learned from 301 message(s) (30452 message(s) examined)

It says it's learning from the xxx # of messages, but not incrementing the
total amount examined by the same #.  I have never manually deleted a
message out of this folder, and do not have any cron jobs doing this
automatically.  I did successfully upgrade the Bayes DB as part of my
upgrade, and can query the Bayes DB successfully.  Is there a way I can
check on the Bayes DB to see if it is corrupt?  Am I missing something?
Anybody else have a similar experience?  TIA.

Scott





[SAtalk] instalation problems on freebsd

2003-11-10 Thread Maximo Lopez
> I already installed but its not working , I think I haven't activate
> procmail to filter all my mails , honestly I don't know where the problem
> resides
> 
> but I follow the install procedure without problem , but now I don't know
> what's next
> 
> can you help me ???
> 
> 
> regards






RE: [SAtalk] [RD] spam sentences

2003-11-10 Thread Colin A. Bartlett
Mike Kuentz Sent: Monday, November 10, 2003 2:46 PM

> The usefulness of these rules came in handy today, thanks!

I got a plethora of these emails this weekend and today, too. Looks like
that spammer ratcheted up his operations. I had to change the rules to
remove the double ' and " characters. I thought one needed to escape quotes
in regex but I was mistaken. I just posted new rules without the double '
and " characters in response to "Is punctuation really needed?" since his
query was specifically in response to that spammer. Be sure to check that
post or change your rules manually for 100% accuracy.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





RE: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Colin A. Bartlett
Lyle Evans Sent: Monday, November 10, 2003 2:51 PM

> Yes I am being hit hard by he same type of spam.

I too am getting them. My SPAM_SENTENCE rules are catching all of these
messages from this spammer. I was getting FN's from these messages so I
added these rules which catch all of the weird sentences at the bottom. I'm
getting sent MANY MANY more than I originally was but they're all being
caught by these rules. Plus the bayes autolearning has caused these type of
messages to be learned as spam by bayes and the rules are barely necessary
anymore.

They are attached.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz


spamsentence.cf
Description: Binary data


Re: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Chris Thielen
Sorry for replying to my own message, but that should have read:
http://sandgnat.com/cmos/cmos.jsp?sourceRules=body+CUM+/\bcum\b/

(http, not https)


Chris Thielen said:
> Lyle Evans said:
>> At 10:52 AM 11/10/03, Jason wrote:
>>
>>>...
>>>
>>>I was thinking today wouldn't it be better to just ignore all the
>>> periods,
>>>commas, and what have you in the text?  Inside SA we could just drop
>>> those
>>>and then search the message from that.
>>>
>>>I've had one spammer who just puts a random period in the message and it
>>>doesn't get tagged.  Taking out all the periods in the message and it
>>>scored a 10.6 just from the body of the message.
>>
>> Yes I am being hit hard by the same type of spam.
>>
>> While I think chasing variants is in general a losing battle
>> and that instead more general rules are needed such as ones to eliminate
>> internal periods, I just did a quick and dirty rule:
>>
>> body LE_bp_Naughtydot   / CU\.M/i
>> describe LE_bp_Naughtydot   Body Naughty word with inserted dot
>> score LE_bp_Naughtydot   2.85
>>
>> The score is more or less arbitrary. The logic is to tackle the
>> short words that can't have as many variants.
>> An N letter word can have N-1 internal single dot variants.
>> Suggestions for improvement strongly encouraged.
>
> Try this:
>
> https://sandgnat.com/cmos/cmos.jsp?sourceRules=body+CUM+/\bcum\b/
>
> tweak as necessary.. I'm still trying to track down some false positives I
> have as the generated rules catch many permutations.






Re: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Chris Thielen
Lyle Evans said:
> At 10:52 AM 11/10/03, Jason wrote:
>
>>...
>>
>>I was thinking today wouldn't it be better to just ignore all the
>> periods,
>>commas, and what have you in the text?  Inside SA we could just drop
>> those
>>and then search the message from that.
>>
>>I've had one spammer who just puts a random period in the message and it
>>doesn't get tagged.  Taking out all the periods in the message and it
>>scored a 10.6 just from the body of the message.
>
> Yes I am being hit hard by the same type of spam.
>
> While I think chasing variants is in general a losing battle
> and that instead more general rules are needed such as ones to eliminate
> internal periods, I just did a quick and dirty rule:
>
> body LE_bp_Naughtydot   / CU\.M/i
> describe LE_bp_Naughtydot   Body Naughty word with inserted dot
> score LE_bp_Naughtydot   2.85
>
> The score is more or less arbitrary. The logic is to tackle the
> short words that can't have as many variants.
> An N letter word can have N-1 internal single dot variants.
> Suggestions for improvement strongly encouraged.

Try this:

https://sandgnat.com/cmos/cmos.jsp?sourceRules=body+CUM+/\bcum\b/

tweak as necessary.. I'm still trying to track down some false positives I
have as the generated rules catch many permutations.






Re: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Lyle Evans
At 10:52 AM 11/10/03, Jason wrote:

> ...
>
> I was thinking today wouldn't it be better to just ignore all the periods,
> commas, and what have you in the text?  Inside SA we could just drop those
> and then search the message from that.
>
> I've had one spammer who just puts a random period in the message and it
> doesn't get tagged.  Taking out all the periods in the message and it
> scored a 10.6 just from the body of the message.

Yes I am being hit hard by the same type of spam.

While I think chasing variants is in general a losing battle
and that instead more general rules are needed such as ones to eliminate
internal periods, I just did a quick and dirty rule:

body LE_bp_Naughtydot   / CU\.M/i
describe LE_bp_Naughtydot   Body Naughty word with inserted dot
score LE_bp_Naughtydot   2.85

The score is more or less arbitrary. The logic is to tackle the
short words that can't have as many variants.
An N letter word can have N-1 internal single dot variants.
Suggestions for improvement strongly encouraged.

The body of the spam in question follows.

Thanks,
Lyle Evans
[EMAIL PROTECTED]
rackmount brackets for many Networking and ISP equipment chassis
http://www.rackears.com


S.URPRISE YOUR L.OVER TODAY! COVER HER WHOLE FAC.E WITH CU.M!

How w.ould you like to
SHOOT LIKE THE PO.RN-STARS?
Up_to 500% m.ore S.PERM!
   * ADD UP_TO 500% M.ORE SPER.M
   * MALE MULTIPLE ORGAS.MS
   * HAVE M.ORE INTENSE 0.RGASMS
   * PRODUCE ST.RONGER E.RECTIONS
   * HAVE A STRONGER 5.EXUAL DESIRE
   * 1.NCREASED S.E..XUAL STAMINA
FULLY DO.CTOR APP.ROVED! L.EARN MORE!
100% MON.EY BAC.K SATISF.ACTION GUA.RANTEE!


To get off our list, Here

146I59T6V11B0L00V405196o41376z2z959T4I8043nU
T5j9117RX0250485Kv1o36349Xy5UJp55Yo1272W832C
116097kn286FD5n90146I5
This sentence is made to use the word cabala.
My boyfriend crouched down as I came near so he wouldn't get beaten.
9T6V11B0L00V405196o41376z2z959T4I8043nUT5j9117RX0250485Kv1o36349Xy
5UJp55Yo1272W832C11609


This sentence is made to use the word cabala.This sentence is made to use 
the word cabala.My boyfriend crouched down as I came near so he wouldn't 
get beaten.This sentence is made to use the word cabala.











RE: [SAtalk] New Obfuscation Technique?

2003-11-10 Thread Chris Santerre
> 
> Saw a few of these come through last week. Guess I need a 
> rule upgrade to catch this?
> 
> 
>   --- the forwarded message follows ---

This is the spammer trick of saying the email is from you, to you. So it got
Whitelisted. Here is _A_ solution. I believe the newest version of SA also
solves this:

header __CS_FROM_ME  From =~ /[EMAIL PROTECTED]/i
header __CS_TO_ME To =~ /[EMAIL PROTECTED]/i
meta CS_SPAM_TRICK __CS_FROM_ME && __CS_TO_ME
describe CS_SPAM_TRICK Spammer forged From + To my domain.
score CS_SPAM_TRICK 104.11 # Silly, isn't it?

Change the munged address to your own. Also you may need to increase the
score!!! Yup, if you use AWL then after a while, it may have decided to take
even more points off for you! :-) 

Really really crazy!

*If Spamassassin and Spamhaus.org had a baby, what do you think it would
look like?*

--Chris Santerre 




Re: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Bill Larson
Simple solution

1. Spamassassin reads in the message
2. It then stores the original message in two variables
3. In the second variable remove all punctuation, spaces, special encoded
characters, foreign language characters, html including html comments, and
other methods used for obfuscation.
4. Then run the standard filters on it.
5. If it was clean then process the message using standard rules again in
the unmodified state.

If it is spam then mark the original unmodified message as such and send it
through. This will leave their only option being html image only spam.


- Original Message - 
From: "Evan Platt" <[EMAIL PROTECTED]>
To: "SpamAssassin" <[EMAIL PROTECTED]>
Sent: Monday, November 10, 2003 11:01 AM
Subject: Re: [SAtalk] Is punctuation really needed? (fwd)


>
> Plus, there's very few ga<---BLAH--->ppy p<-blah->orn spams making it too.
>
> Spammers are catching on that they can't simply spam you anymore - to make
> a spam past filters, it's gotta be pretty damn [EMAIL PROTECTED] t0 [EMAIL PROTECTED] for the spam
> filters, and almost as hard for the end user to read too.
>
> Evan
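
The two-pass procedure Bill Larson outlines above, together with the leet-speak idea raised elsewhere in this thread, sketched in Python as an added example (not code from SpamAssassin or from any poster). The rule names, patterns, scores, threshold and the `spam-shop.example` host are assumptions made for the demonstration; the spam sample is abridged from the body quoted in the thread.

```python
import re

# Constructed stand-ins for SpamAssassin "body" rules: (name, pattern, score).
RULES = [
    ("EX_MONEY_BACK", re.compile(r"\bmoney\s+back\b", re.I), 2.0),
    ("EX_GUARANTEE", re.compile(r"\bguarantee\b", re.I), 1.0),
    ("EX_DOCTOR_APPROVED", re.compile(r"\bdoctor\s+approved\b", re.I), 2.0),
    ("EX_INCREASED", re.compile(r"\bincreased\b", re.I), 0.5),
    # Depends on its punctuation, so it can only match the unmodified copy.
    ("EX_LISTED_URL", re.compile(r"\bspam-shop\.example\b", re.I), 5.0),
]
THRESHOLD = 5.0  # assumed spam threshold for this example

HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)
# One or more dots wedged between two alphanumerics, as in "GUA.RANTEE".
INNER_DOTS = re.compile(r"(?<=[A-Za-z0-9])\.+(?=[A-Za-z0-9])")
TOKEN = re.compile(r"[A-Za-z0-9]+")
LEET = str.maketrans({"0": "o", "1": "i", "5": "s"})

# Abridged from the spam body quoted in this thread.
SPAM_SAMPLE = (
    "FULLY DO.CTOR APP.ROVED! L.EARN MORE!\n"
    "100% MON.EY BAC.K SATISF.ACTION GUA.RANTEE!\n"
    "1.NCREASED STAMINA"
)
# Constructed ham: trips some rules but stays under the threshold.
HAM_SAMPLE = ("Our money back guarantee is described at www.example.com. "
              "Release 2.60 increased the limit.")
# Constructed message whose only evidence depends on punctuation.
URL_SAMPLE = "Visit spam-shop.example today"


def _unleet(match):
    token = match.group(0)
    # Pure numbers ("100", "260") are left alone; only mixed tokens change.
    return token if token.isdigit() else token.translate(LEET)


def normalize(text):
    """Step 3: build the second copy with obfuscation stripped out."""
    text = HTML_COMMENT.sub("", text)
    text = INNER_DOTS.sub("", text)
    return TOKEN.sub(_unleet, text)


def score(text):
    """Run every rule over one copy of the message."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    total = sum(pts for name, _, pts in RULES if name in hits)
    return total, hits


def classify(text, threshold=THRESHOLD):
    """Steps 4 and 5: normalized copy first, unmodified copy if that is clean."""
    norm_score, norm_hits = score(normalize(text))
    orig_score, orig_hits = score(text)
    if norm_score >= threshold:
        return {
            "spam": True,
            "decided_on": "normalized",
            "score": norm_score,
            "hits": norm_hits,
            # Rules that fire only after normalization: evidence of obfuscation.
            "obfuscated_only": sorted(set(norm_hits) - set(orig_hits)),
        }
    return {
        "spam": orig_score >= threshold,
        "decided_on": "original",
        "score": orig_score,
        "hits": orig_hits,
        "obfuscated_only": [],
    }


if __name__ == "__main__":
    for label, msg in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("url", URL_SAMPLE)):
        print(label, classify(msg))
```

Normalization also flattens `www.example.com` and `2.60` in the ham sample, which is why the unmodified copy still has to be scored: any rule that relies on punctuation, such as a URL match, only fires there.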





RE: [SAtalk] [RD] spam sentences

2003-11-10 Thread Mike Kuentz (2)
The usefulness of these rules came in handy today, thanks! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Colin A. Bartlett
Sent: Wednesday, November 05, 2003 9:49 AM
To: Chris Santerre; [EMAIL PROTECTED]
Subject: [SAtalk] [RD] spam sentences


[this is a repost. yesterday i posted this and it never showed up on the
list. lost on sf.net? sorry if it's a duplicate. -cb]

Chris Santerre Sent: Tuesday, November 04, 2003 4:42 PM

> THe idea is that you WILL stop more spam in total if you share them.
> Sorry, I got a little excited! Share your rules!

My rules are attached. Here's the story behind them. Over the past month I
got about 15 FN's in my personal account that all were clearly from the same
spammer. They all had the same format... red headline, black body, blue
link. They all obfuscated with periods and they all had a bunch of WEIRD
sentences at the bottom that were probably to throw off bayes.

I searched the web for these sentences and found them all on some high
school girl's web page. They were all vocab sentences for some homework
assignment. This spammer had clearly stolen the text of her page and was
adding random sentences from this list to his emails. I just made a list of
rules to match each sentence (Which are REALLY obscure and I doubt would
ever match ham. Admittedly, I didn't test them as I'm still working out my
Outlook corpus issues). I scored them super high in a fit of rage. You may
want to adjust scores so they are not so drastic.  They have worked great
for me in the past few days to catch a handful of messages that would have
slipped through otherwise.

YMMV but enjoy. And by all means: I know about this much || about regex so
all suggestions are MORE than welcomed. I don't even know if I escaped the
right characters.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





Re: [SAtalk] Anyone ISP know of a Windows package that uses Spamassassin ...

2003-11-10 Thread jenni baier
You might look at www.ima.com -- They have Windows and Linux versions of 
their servers.  I'm using the Linux version for my ISP, and it has some 
excellent features for integrating spamassassin and other options 
(blacklists, whitelists, authenticated SMTP)

--jenni

On Mon, 10 Nov 2003, Andy Paluch wrote:

> and would be able to work at the ISP level, not the desktop level?
> 
> We are currently using Mdaemon 6.8.5 with Spamassassin and it almost
> does everything we need, except whitelisting by user name or domain
> BEFORE the RBL check. We are using this in front of about 150 domains we
> do mail for (mail servers are on a different machine)
> 
> We are doing our own RBL (with the aid of Spamassassin and some content
> filtering ) and want to have the ability to whitelist the FROM address,
> Mdaemon only allows whitelisting the IP address of the sender which
> sucks since many ISP's use multiple outgoing mail servers and adding
> whole blocks is out of the question.
> 
> We do like Spamassassin over any other previous content filtering
> anti-spam scheme we have used and want to make sure that whatever we end
> up uses it as well.
> 
> Any suggestions are welcome...
> 
> Thanks!
> Andy
> 
> 
> 
> 





RE: [SAtalk] How to make SA store SPAM in special mailbox?

2003-11-10 Thread Yackley, Matt
 Hello Volker,

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Volker
> Sent: Monday, November 10, 2003 12:06 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] How to make SA store SPAM in special mailbox?
> 
> Hi,
> 
> I have 2 questions related to SA 2.60:
> 
> 1) At the moment spam is "only" tagged! How can I define that those
> tagged spam messages are delivered to one of my other mail boxes? Then I
> could check out that POP only at the weekend or so!

This step will depend on how your local mail delivery is handled, you'll
probably need procmail recipe or something similar to deliver it to a
separate mail folder or possibly user.


> 2) I would like to untag mails that include certain keywords. Similar to
> the whitelist_from option but concerning the body!
> I found an option "body SYMBOLIC_TEST_NAME /pattern/modifiers" which
> obviously is only good for marking up a message as spam.

Nope, tests like this work great for lowering a score, just assign negative
points :)
Place your custom rules into your local.cf file:
body MY_GOOD_TEXT /your phrase here/i
describe MY_GOOD_TEXT Message contains known "good" phrase
score MY_GOOD_TEXT -2.0

> Thanks and best regards
> 
> Volker

No problem, you're welcome,
matt




[SAtalk] New Obfuscation Technique?

2003-11-10 Thread Bret Miller
Saw a few of these come through last week. Guess I need a rule upgrade to catch this?

 --- the forwarded message follows ---
--- Begin Message ---
Title: The money was subsidized to nothing when I made up a stupid sentence.
The Rock's biggest devotee has got to be Laura.7758Xn3565V852B1z6097jmJeec7n92e38n95533381032aIHS9qo864676y

S.URPRISE YOUR L.OVER TODAY! COVER HER WHOLE FACE WITH C.UM!
How w.ould you like to
SHOOT LIKE THE PO.RN-STARS?
Up to 500% more S.PERM! 
ADD UP_TO 500% MORE SPER.M
INCREASED SE.XUAL DESIRE
HAVE M.ORE INTENSE 0.RGASMS
PRODUCE ST.RONGER E.RECTIONS
HAVE A STRONGER 5.EXUAL DESIRE
1.NCREASED S.E..XUAL STAMINA
FULLY DO.CTOR APP.ROVED! L.EARN MORE!
WE NEVER LEAVE A CUSTOMER UNSATISFIED! 100% MONE.Y BACK GUARAN.TEE!
5z259S424LO79TT427g65S6cC50687J81Se6369Xy8UIo58Xn3565V852B1z6097jmJeec7n92e38n95533381032aIHS9qo864676y5z259S424LO7The money was subsidized to nothing when I made up a stupid sentence.The Rock's biggest devotee has got to be Laura.9TT427g65S6cC50687J81Se6369Xy8UIo58Xn3565V852B1z6097jmJeec7n92e38n95533381032aIHS9qo864676y5
to stop all future mailings, HereThe money was subsidized to nothing when I made up a stupid sentence.The money was subsidized to nothing when I made up a stupid sentence.The Rock's biggest devotee has got to be Laura.The money was subsidized to nothing when I made up a stupid sentence.
--- End Message ---


[SAtalk] .spamassasin dir creation issues..

2003-11-10 Thread Mitchell Baker
Question about where spamassassin gets the UID for creation of the
.spamassassin dir and the .lock files in there.. They are being created
with the UID of 32766.. This is causing unlock issues since they can't
be deleted...  Where is this UID coming from? can it be changed?

See-ya
Mitch






Re: [SAtalk] How to make SA store SPAM in special mailbox?

2003-11-10 Thread Evan Platt
--On Monday, November 10, 2003 7:05 PM +0100 Volker <[EMAIL PROTECTED]>
wrote:


> At the moment spam is "only" tagged! How can I define that those
> tagged spam messages are delivered to one of my other mail boxes? Then I
> could check out that POP only at the weekend or so!

Not with SpamAssassin. Perhaps with your MUA or Procmail.

Evan




Re: [SAtalk] MYSql user prefs

2003-11-10 Thread Terry Milnes
Paul Hirschorn wrote:
> I wanted to allow my users to be able to change their user prefs via the
> mysql interface.  The problem I am facing is most of my users have 3-6 email
> addresses.

Sure there is...

I have multiple email accounts but only one user in mysql that each 
account uses. This is accomplished in the procmailrc file, the user for 
the preferences is defined there.

### Spam Assassin
:0fw
| /usr/bin/spamc -u tez -f
                     ^

When I make changes to my preferences logging in as "tez" covers all my 
email accounts.

> We have multiple domains so we have [EMAIL PROTECTED]
> [EMAIL PROTECTED] [EMAIL PROTECTED]  Is there any way to "link" these
> addresses together?  I am thinking of possibly exporting the email address
> fields via my exchange 5.5 server and scp'ing them over to the gateway
> server and somehow importing and linking the email addresses together. Has
> anyone done anything like this before? Am I reaching too far outside the
> functionality  of spamassassin?  This may be more of a development question
> if so.

Not sure what you want to accomplish with this, if it means you want all 
mail delivered to one mail box then that too can be done with the procmailrc.

(I get confused when someone mentions "Exchange Server")

Terry





[SAtalk] How to make SA store SPAM in special mailbox?

2003-11-10 Thread Volker
Hi,

I have 2 questions related to SA 2.60:

1) At the moment spam is "only" tagged! How can I define that those
tagged spam messages are delivered to one of my other mail boxes? Then I
could check out that POP only at the weekend or so!

2) I would like to untag mails that include certain keywords. Similar to
the whitelist_from option but concerning the body!
I found an option "body SYMBOLIC_TEST_NAME /pattern/modifiers" which
obviously is only good for marking up a message as spam.


Thanks and best regards

Volker





[SAtalk] Sa-learn Count Question

2003-11-10 Thread Scott Renda
We have been using Spamassassin 2.60 since it came out.  Prior to that, we
were using SA 2.54.  I do have a question regarding sa-learn.

It seems that the numbers I receive from sa-learn just don't add up.  See
below for an example.  I have a cron job that runs once a day that will run
usr/bin/sa-learn --spam --dir /var/spool/spam on a directory with all my
spam.  Postfix is my MTA and I use a combo of Anomy/SA per the Advosys
scripts to dump all spam above a threshold into one directory for all users.
There are no per user SA settings at all.  Since we upgraded from SA 2.54 to
2.60, the number of messages learned and number of messages examined
differs.  Below are the results of the cron job run this past three
mornings:

Learned from 304 message(s) (30419 message(s) examined)
Learned from 253 message(s) (30430 message(s) examined)
Learned from 301 message(s) (30452 message(s) examined)

It says it's learning from the xxx # of messages, but not incrementing the
total amount examined by the same #.  I have never manually deleted a
message out of this folder, and do not have any cron jobs doing this
automatically.  I did successfully upgrade the Bayes DB as part of my
upgrade, and can query the Bayes DB successfully.  Is there a way I can
check on the Bayes DB to see if it is corrupt?  Am I missing something?
Anybody else have a similar experience?  TIA.

Scott





Re: [SAtalk] logging issues... found answer to my prob..but why?

2003-11-10 Thread Mitchell Baker
Found the problem.. user error.. I thought I had taken the -t option off
of the syslog startup.. So sometime after the first time, when I
manually started syslogd to test this.. I restarted syslogd from the
init script and started running again with the -t option disallowing
connections 

Why would spamd use a network connection for the logging and not just
directly call syslog to write local like everything else I have logging
on the system?

See-ya
Mitch

On Mon, 2003-11-10 at 10:49, Mitchell Baker wrote:
> I'm having a problem with spamd and logging Here is my startup line
> on my mail system running solaris 8:
> 
> OPTIONS="-d -a -L --max-children=50
> --siteconfigpath=/opt/mail/spamassassin --syslog=local1"
> 
> I did have it set to use the default facility and it worked for a while
> then just stopped after a restart...  
> 
> Have checked everything under the syslog facility and everything else is
> logging fine...  Can't get logging via local1 or default mail facility.
> 
> See-ya
> Mitch
> 
> 
> 
> 
-- 
//
/# Mitchell "Buzz" Baker   "To Infinity And Beyond..."  #/
/# Sr. Systems/Security Admin  Rose-Hulman Institute of Technology  #/ 
/# [EMAIL PROTECTED]www.rose-hulman.edu  #/
/#For PGP Public key, check out www.keyserver.net   #/
//





[SAtalk] Anyone ISP know of a Windows package that uses Spamassassin ...

2003-11-10 Thread Andy Paluch
and would be able to work at the ISP level, not the desktop level?

We are currently using Mdaemon 6.8.5 with Spamassassin and it almost
does everything we need, except whitelisting by user name or domain
BEFORE the RBL check. We are using this in front of about 150 domains we
do mail for (mail servers are on a different machine)

We are doing our own RBL (with the aid of Spamassassin and some content
filtering ) and want to have the ability to whitelist the FROM address,
Mdaemon only allows whitelisting the IP address of the sender which
sucks since many ISP's use multiple outgoing mail servers and adding
whole blocks is out of the question.

We do like Spamassassin over any other previous content filtering
anti-spam scheme we have used and want to make sure that whatever we end
up uses it as well.

Any suggestions are welcome...

Thanks!
Andy





[SAtalk] I Spamassassin

2003-11-10 Thread Chip Paswater
Guys, 

Awesome product!

I've been hiding my email address for years.  Also, years ago I turned off
my webmaster@ hostmaster@ and other email addresses because the spam level
was getting insane.  Not to mention my global @chipware.net which would
catch everything else.

Now with spamassassin, all the spam gets caught.  I'm no longer afraid of
getting spammed.  I've gone back to an email configuration that allows me
to actually monitor my administrative addresses without being worried about
being flooded with spam.  You guys are awesome!  

I'm doing my part by submitting to razor.  I wish spamcop would turn
back on their quick reporting method, which I used religiously.  Are there
any other RBL type services out there I can "fire and forget" my spam reports
to?

Should I also consider reporting to DCC and Pyzor?






[SAtalk] MYSql user prefs

2003-11-10 Thread Paul Hirschorn
I wanted to allow my users to be able to change their user prefs via the
mysql interface.  The problem I am facing is most of my users have 3-6 email
addresses.  We have multiple domains so we have [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]  Is there any way to "link" these
addresses together?  I am thinking of possibly exporting the email address
fields via my exchange 5.5 server and scp'ing them over to the gateway
server and somehow importing and linking the email addresses together. Has
anyone done anything like this before? Am I reaching too far outside the
functionality  of spamassassin?  This may be more of a development question
if so.
  


Paul Hirschorn
BraveLine Technology
136 W21 Street 8th Floor
New York, NY 10003

[EMAIL PROTECTED]
web:www.braveline.com
voice:  212.376.4000 x311
fax:212.843.3204






Re: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Frank Pineau
On Mon, 2003-11-10 at 12:01, Evan Platt wrote:
>[EMAIL PROTECTED] t0 [EMAIL PROTECTED]

Maybe SA needs to run it once through a leet-speak filter? :-)


-- 
Frank Pineau
Hey, you know those Roman hackers?  Man, were they I III III VII!




RE: [SAtalk] rule to whitelist Listserv (tm) list traffic

2003-11-10 Thread Scott Sprunger
I'm still a beginner myself, but I believe that you could use the
"whitelist_from_rcvd" option.

whitelist_from_rcvd * listserv.tamu.edu

It seems that this would allow any from address so long as the received
headers contained your domain.

Complete information is at
http://spamassassin.rediris.es/doc/Mail_SpamAssassin_Conf.html#whitelist%20and%20blacklist%20options


-- Scott

-Original Message-
From: Chris Barnes [mailto:[EMAIL PROTECTED]
Sent: Monday, November 10, 2003 11:45 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] rule to whitelist Listserv (tm) list traffic


I am in need of a rule that will tell SpamAssassin to whitelist all
email traffic which comes from our local Listserv (tm - www.lsoft.com)
lists.

The problem is that messages from the Listserv list have the original
author's email address in the From: line.  The Listserv list address is
in a header tag of:

Sender: Name-of-list [EMAIL PROTECTED]


In other words, SA needs to look at a header tag of SENDER:, not FROM:
How would this rule look?

(my guess)
header LISTSERV_GOOD_SENDER Sender =~listserv.tamu.edu
score  LISTSERV_GOOD_SENDER -100

Would that work?

--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes   AOL IM: CNBarnes
[EMAIL PROTECTED]Yahoo IM: chrisnbarnes
Computer Systems Manager   ph: 979-845-7801
Department of Physics fax: 979-845-2590
Texas A&M University







Re: [SAtalk] (semi)automatic Razor reporting options? anyone done it like this before?

2003-11-10 Thread Chip Paswater
> my problem is how would i deal with the FW: on the front of messages etc?
> perhaps i should write a little script that munges the mailbox and removes
> the FW: and the few extra lines in each message and the >'s that get
> created.  

As far as razor goes, subject lines don't matter, so don't worry about
appended FW or RE in your subject lines.

However, the body of the message should be untouched.  Don't try to strip
out ">" or whatever, because it's highly unlikely you'll be able to return
the message to its original composition.  Instead, try to forward or
"bounce" the message unedited.  Mutt has this feature.

> also i thought what we should do is create a mailbox that is darn easy to
> guess, subscribe it to many spam lists somehow to get it full of spam and
> then have this automatically reported to razor.  makeing sure that no-one
> uses it or sends any real mail to it?  does this also sound viable?   i have
> read that razor should only be submitted by humans so i wouldn't like to
> mess up the network by automatic stuff not working, but surely this is
> something that should be considered?

That's called a spamtrap, and razor frowns on your auto-submitting
spamtraps to them (as do other services like Spamcop).  The best way to keep
everyone happy is to human-review everything before you submit it.

I maintain a spamtrap.  It gets about 300 spams per day, and I submit them
in batches after I've taken a look at them to make sure there's nothing
collateral in there, and occasionally something DOES sneak in that is not
spam.  

In fact, Spamcop turned off their "quick" reporting feature because too
many people were reporting the latest Microsoft virus emails as spam.  I
can only assume this was a direct result of too many people "auto"
submitting emails that came into their spamtrap.  




Re: [SAtalk] Irritating address verifier

2003-11-10 Thread Bob Apthorpe
Hi,

On Mon, 10 Nov 2003, Frank Pineau wrote:

> So, I get this message in my inbox this morning.  Unless I'm totally
> misreading the headers, it appears that it actually is from oem-cd.biz.

Nope, it's from an AOL dialup [172.190.115.221]:

$ nslookup 221.115.190.172.dynablock.easynet.nl
Non-authoritative answer:
Name:221.115.190.172.dynablock.easynet.nl
Address:  127.0.0.2

The RR address given (69.75.80.125) is either a forgery or a disposed-of
exploited cable modem.

oem-cd.biz has a bunch of A records associated with it:

; <<>> DiG 8.3 <<>> oem-cd.biz
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;  oem-cd.biz, type = A, class = IN

;; ANSWER SECTION:
oem-cd.biz. 1m34s IN A  24.158.204.50
oem-cd.biz. 1m34s IN A  193.77.243.158
oem-cd.biz. 1m34s IN A  68.158.76.242
oem-cd.biz. 1m34s IN A  68.61.178.172
oem-cd.biz. 1m34s IN A  68.61.212.199

;; AUTHORITY SECTION:
oem-cd.biz. 20m16s IN NS NS2.HOST-800.INFO.
oem-cd.biz. 20m16s IN NS NS1.HOST-800.INFO.

;; ADDITIONAL SECTION:
NS2.HOST-800.INFO.  19h45m28s IN A  63.246.140.60
NS1.HOST-800.INFO.  17h42m32s IN A  216.185.57.42

;; Total query time: 0 msec
;; FROM: soyokaze to SERVER: default -- 0.0.0.0
;; WHEN: Mon Nov 10 10:17:46 2003
;; MSG SIZE  sent: 28  rcvd: 189

Note the obscenely low TTL on the A records (94 seconds) and NS records
(1216 seconds.) The A records have got to point at 0wnz0r3d cablemodem/DSL
boxes. Let's check their rDNS:

193.77.243.158 :
158.243.77.193.IN-ADDR.ARPA domain name pointer
BSN-77-243-158.dsl.siol.net

216.185.57.42 :
Host not found.

(No rDNS: here's the whois() info from ARIN)
OrgName:AO Technologies
OrgID:  AOTK
Address:8314 Harlem Road, Suite 200
City:   Westerville
StateProv:  OH
PostalCode: 43081
Country:US

NetRange:   216.185.32.0 - 216.185.63.255
CIDR:   216.185.32.0/19
NetName:AOTECH
NetHandle:  NET-216-185-32-0-1
Parent: NET-216-0-0-0-0
NetType:Direct Allocation
NameServer: NS1.CMH.AOTECH.NET
NameServer: NS2.CMH.AOTECH.NET

24.158.204.50 :
50.204.158.24.IN-ADDR.ARPA domain name pointer 24-158-204-50.chartertn.net

63.246.140.60 :
Host not found.

(No rDNS: here's the whois() info from ARIN)
CustName:   North America Internet Exchange, Inc.
Address:325M Sharon Park Drive, #442
City:   Menlo Park
StateProv:  CA
PostalCode: 94025
Country:US
RegDate:2003-02-21
Updated:2003-02-21

NetRange:   63.246.128.0 - 63.246.143.255
CIDR:   63.246.128.0/20
NetName:ASN-NAIX-NET-01
NetHandle:  NET-63-246-128-0-2
Parent: NET-63-246-128-0-1
NetType:Reassigned
Comment:
RegDate:2003-02-21
Updated:2003-02-21

AbuseHandle: ABUSE185-ARIN
AbuseName:   Abuse
AbusePhone:  +1-888-993-9339
AbuseEmail:  [EMAIL PROTECTED]

68.158.76.242 :
242.76.158.68.IN-ADDR.ARPA domain name pointer
adsl-158-76-242.asm.bellsouth.net

68.61.178.172 :
172.178.61.68.IN-ADDR.ARPA domain name pointer
pcp01119246pcs.flshng01.mi.comcast.net

68.61.212.199 :
199.212.61.68.IN-ADDR.ARPA domain name pointer
pcp0605pcs.flint01.mi.comcast.net

> A quick google on the address reveals it to be yet another marketing
> firm.  This one touts
>
> "You Can Stop Cold Calling Business Prospects & Battling Voice Mail -
> And Make Them Chase You Instead"
>
> Oh, really?  Is that how you get them to chase you?  Curse at them and
> accuse them of being spammers themselves?  Nice.  Anyone else get
> anything like this?

Congratulations! You appear to have found one of the Russian
proxy-virus/spam gangs:

Domain Name: OEM-CD.BIZ
Domain ID:   D5625791-BIZ
Sponsoring Registrar:DIRECT INFORMATION PVT. LTD.,
(D.B.A. DIRECTI.COM)
Domain Status:   clientTransferProhibited
Registrant ID:   DI_213625
Registrant Name: Andrey Gurkov
Registrant Organization: ZAO ??
Registrant Address1: novie cheremushinskaya str.
15a-7-77
Registrant City: Tula
Registrant Postal Code:  101671
Registrant Country:  Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.671811
Registrant Email:[EMAIL PROTECTED]
...
Name Server: NS2.HOST-800.INFO
Name Server: NS1.HOST-800.INFO

Maybe the best you can do is alert the ISPs of the exploited DSL/Cable
boxes and ask Hotmail to nuke oem-cd.biz's contact address
([EMAIL PROTECTED]).

Don't bother with host-800.info; that's the spammer himself (same contact
info as oem-cd.biz.) There 
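
The checks made by eye on the dig output in the message above, as an added example (not part of the original message): it converts the BIND-style TTLs to seconds, counts the A records and the distinct /16 networks they fall in, and builds the reversed-octet DNSBL query name used in the nslookup. The thresholds (300 s, 3 addresses, 3 networks) and all function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Records taken from the dig output quoted in the message above. BIND 8 prints
# TTLs as "1m34s" rather than "94". The NS lines are written with the record
# type and the name server as separate columns.
DIG_OUTPUT = """\
;; ANSWER SECTION:
oem-cd.biz. 1m34s IN A  24.158.204.50
oem-cd.biz. 1m34s IN A  193.77.243.158
oem-cd.biz. 1m34s IN A  68.158.76.242
oem-cd.biz. 1m34s IN A  68.61.178.172
oem-cd.biz. 1m34s IN A  68.61.212.199

;; AUTHORITY SECTION:
oem-cd.biz. 20m16s IN NS NS2.HOST-800.INFO.
oem-cd.biz. 20m16s IN NS NS1.HOST-800.INFO.
"""

_UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1, "": 1}


def ttl_seconds(text):
    """Convert a TTL such as '1m34s', '19h45m28s' or '94' to seconds."""
    if not re.fullmatch(r"(?:\d+[wdhms])+|\d+", text):
        raise ValueError(f"not a TTL: {text!r}")
    parts = re.findall(r"(\d+)([wdhms]?)", text)
    return sum(int(number) * _UNIT_SECONDS[unit] for number, unit in parts)


def parse_records(dig_text):
    """Return the resource records in dig output, skipping ';' comment lines."""
    records = []
    for line in dig_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        name, ttl, _rclass, rtype, rdata = fields
        records.append({
            "name": name.rstrip(".").lower(),
            "ttl": ttl_seconds(ttl),
            "type": rtype.upper(),
            "rdata": rdata,
        })
    return records


def flux_indicators(records, max_ttl=300, min_addrs=3, min_networks=3):
    """Summarise the A records and flag the pattern described in the message:
    many addresses, spread over unrelated networks, with a very short TTL.
    The default thresholds are assumptions, not values from the message."""
    a_records = [r for r in records if r["type"] == "A"]
    if not a_records:
        return {"a_count": 0, "networks": 0, "min_ttl": None, "suspicious": False}
    networks = {
        ipaddress.ip_network(r["rdata"] + "/16", strict=False) for r in a_records
    }
    min_ttl = min(r["ttl"] for r in a_records)
    suspicious = (
        min_ttl <= max_ttl
        and len(a_records) >= min_addrs
        and len(networks) >= min_networks
    )
    return {
        "a_count": len(a_records),
        "networks": len(networks),
        "min_ttl": min_ttl,
        "suspicious": suspicious,
    }


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL lookup queries: reversed octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    print(flux_indicators(parse_records(DIG_OUTPUT)))
    print(dnsbl_query_name("172.190.115.221", "dynablock.easynet.nl"))
```
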

Re: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Evan Platt
--On Monday, November 10, 2003 10:52 AM -0500 Jason <[EMAIL PROTECTED]> wrote:

> I've had one spammer who just puts a random period in the message and it
> doesn't get tagged.  Taking out all the periods in the message and it
> scored a 10.6 just from the body of the message.

I think the keyword is ONE. I've had just one too. Of all the "INC.REASE
YOU.R P.EN.IS SIZE" spams, only ONE has made it through, so I think SA is
doing something right, otherwise we'd be seeing a ton more. 

Plus, there's very few ga<---BLAH--->ppy p<-blah->orn spams making it too.

Spammers are catching on that they can't simply spam you anymore - to make
a spam past filters, it's gotta be pretty damn [EMAIL PROTECTED] t0 [EMAIL PROTECTED] 
for the spam
filters, and almost as hard for the end user to read too.

Evan




[SAtalk] rule to whitelist Listserv (tm) list traffic

2003-11-10 Thread Chris Barnes
I am in need of a rule that will tell SpamAssassin to whitelist all
email traffic which comes from our local Listserv (tm - www.lsoft.com)
lists.

The problem is that messages from the Listserv list have the original
author's email address in the From: line.  The Listserv list address is
in a header tag of:

Sender: Name-of-list [EMAIL PROTECTED]


In other words, SA needs to look at a header tag of SENDER:, not FROM:
How would this rule look?

(my guess)
header LISTSERV_GOOD_SENDER Sender =~listserv.tamu.edu
score  LISTSERV_GOOD_SENDER -100

Would that work?

--

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Chris Barnes   AOL IM: CNBarnes
[EMAIL PROTECTED]Yahoo IM: chrisnbarnes
Computer Systems Manager   ph: 979-845-7801
Department of Physics fax: 979-845-2590
Texas A&M University







Re: [SAtalk] sa-learn

2003-11-10 Thread Theo Van Dinter
On Sat, Nov 08, 2003 at 11:18:46PM -0500, Jack Gostl wrote:
> I'm trying to find the token counts. In version 2.55, what is the
> equivalent of:
> 
>   sa-learn --dump magic

there is no direct equivalent, but you can run the check_bayes_db (I
can't even remember what the full name is) script in the tools directory.

-- 
Randomly Generated Tagline:
"You can stick whatever you want wherever you want to stick it so long as
 what you stick it in wants to get stuck."   - Daniel Klein




RE: [SAtalk] spamd consumes huge amounts of memory

2003-11-10 Thread Upwood, Jim
Upgrade your version of perl to 5.8.x

-Jim

Jim Upwood
System Administrator
Bond, Schoeneck, and King
Syracuse, NY


-Original Message-
From: Margit Meyer [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 10, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] spamd consumes huge amounts of memory


Hi all,

I used spamd/spamc 2.55 with procmail on a Solaris 8 box successfully for
several months. Now I tried to upgrade to spamd / spam 2.60 but now spamd
(one single process!) consumes more than 2 GB of memory. There are only a
few spamd processes running - the problem is not the amount of spamd
processes. My perl version is 5.6.1.
I searched the web and recognized that others have similar problems - but I
didn't yet find a suitable solution.

Any help would be very welcome.

Best regards
Margit Meyer






Re: [SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Marcio Merlone
On Mon, 10 Nov 2003 10:52:11 -0500 (EST)
Jason <[EMAIL PROTECTED]> wrote:

(...)
> I've had one spammer who just puts a random period in the message and it
> doesn't get tagged.  Taking out all the periods in the message and it
> scored a 10.6 just from the body of the message.
(...)

I've seen things like:

e}{treme
p3n1s
s3x
p0rn

The best one I think is }{ as x. They are getting desperate. There will
hopefully be a day when their spam will not be readable. :)

Your idea looks really nice for some spam. Those above are not applicable
though.



--
Marcio Merlone




RE: [SAtalk] Delete spam mails

2003-11-10 Thread Frank Pineau
On Mon, 2003-11-10 at 10:58, Chris Santerre wrote:

> 
>  sips for every [EMAIL PROTECTED]@ spam you stop. 

I don't get spam with that any more.  Mine all comes advertising sildenafil citrate. :/




RE: [SAtalk] Re: Accumulator rules (Re: 'random' character sets)

2003-11-10 Thread Chris Santerre
I'm WAY behind in list readings today. So forgive me if this has been said.
But since J.M. has told us that eval rules are boolean, is this idea dead in
the water, or did I miss a post?

Was there talk of maybe testing accum rules for future SA versions? Is that
what this thread is now? 

Just looking for some clarification.

--Chris Santerre




[SAtalk] Is punctuation really needed? (fwd)

2003-11-10 Thread Jason

We all know that a human is far better than a program at detecting spam.
The computer has to make guesses at it.  So to make it harder spammers add
all sorts of junk in that will make it harder for the computer to
recognize.  This is while still maintaining some sort of readability for
the victims. Either in gappy text, periods / other marks separation,
taking advantage of HTML code, and other things.

I was thinking today wouldn't it be better to just ignore all the periods,
commas, and what have you in the text?  Inside SA we could just drop those
and then search the message from that.

I've had one spammer who just puts a random period in the message and it
doesn't get tagged.  Taking out all the periods in the message and it
scored a 10.6 just from the body of the message.

Just a thought.

Jason Portwood
[EMAIL PROTECTED]
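
The idea in the message above, matching against a punctuation-stripped copy of the body, sketched as an added example (not SpamAssassin code and not from the original post). The phrase list, the sample texts and both stripping functions are constructed for illustration; the second sample shows the failure mode of deleting every period and comma.

```python
import re

# Hypothetical phrase list standing in for body rules (not real SA rules).
PHRASES = ["increase your sales", "act now"]

# Punctuation is dropped only when a letter touches it on both sides,
# so "of.fer" becomes "offer" but "act. Now" and "2.60" are left alone.
_INTRAWORD = re.compile(r"(?<=[A-Za-z])[.,'`*_\-]+(?=[A-Za-z])")


def strip_all_punct(text):
    """The blunt version from the post: delete every period and comma."""
    return re.sub(r"[.,]", "", text)


def strip_intraword_punct(text):
    """Narrower version: delete punctuation only inside a run of letters."""
    return _INTRAWORD.sub("", text)


def match_phrases(text, phrases=PHRASES):
    """Case-insensitive substring match after collapsing whitespace."""
    folded = re.sub(r"\s+", " ", text.lower())
    return [p for p in phrases if p in folded]


def scan(text):
    """Match the raw body and both normalised copies. The original text is
    never modified, so URL and header checks still see what was sent."""
    return {
        "raw": match_phrases(text),
        "strip_all": match_phrases(strip_all_punct(text)),
        "intraword": match_phrases(strip_intraword_punct(text)),
    }


# Constructed samples.
OBFUSCATED = "INC.REASE YOU.R SA.LES, a.ct n.ow"
LEGITIMATE = "Please act. Now we wait for version 2.60."

if __name__ == "__main__":
    print(scan(OBFUSCATED))
    print(scan(LEGITIMATE))
```

On the legitimate sample, deleting every period joins two sentences into "act now" and produces a false match, while the intra-word version leaves it untouched.
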





RE: [SAtalk] Delete spam mails

2003-11-10 Thread Chris Santerre


> -Original Message-
> From: ian douglas [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 07, 2003 5:33 PM
> To: Spam Assassin
> Subject: RE: [SAtalk] Delete spam mails
> 
> 
> > SpamAssassin drinking game:
> >
> >  sips for "How can I get SpamAssassin to delete spams?
> >  sips for "Unsubscribe me please"
> >  sips for "Subscribe me please"
> >  sips for "Quit reading my e-mail!"
> 
> For every good, tested rule you create that works, everyone 
> else takes 
> sips
> 

LOL, I know a bunch of people that won't be driving anytime soon! :)

 sips for every [EMAIL PROTECTED]@ spam you stop. 

--Chris S. 




[SAtalk] logging issues...

2003-11-10 Thread Mitchell Baker
I'm having a problem with spamd and logging.  Here is my startup line
on my mail system running solaris 8:

OPTIONS="-d -a -L --max-children=50
--siteconfigpath=/opt/mail/spamassassin --syslog=local1"

I did have it set to use the default facility and it worked for a while
then just stopped after a restart...  

Have checked everything under the syslog facility and everything else is
logging fine...  Can't get logging via local1 or default mail facility.

See-ya
Mitch






Re: [SAtalk] unable to disable AWL

2003-11-10 Thread matthias zeichmann
On Mon, 2003-11-10 at 11:50, Nick Leverton wrote:
> On Mon, Nov 10, 2003 at 11:02:43AM +0100, matthias zeichmann wrote:
> > Hello list!
> > 
> > I just can't seem to be able to disable AWL with spamassassin.
> > The rationale behind that is that there is a lot of forged mail around
> > recently (virii, trojans) that makes its way with a negative AWL
> > scoring.

Hi Nick!

> Before disabling auto_whitelist completely, you might like to apply the
> most recent patch to fix Bug 2734, see
> http://bugzilla.spamassassin.org/show_bug.cgi?id=2734.  I had been
> tracking down a similar problem, where spam and viruses forged as if
> they came from "me" were getting an inappropriate AWL weighting.
> This patch, in combination with setting the "trusted_networks" config
> item, seems to have fixed it for me.

Thanks for your pointers.
I installed the patch and added the trusted_networks to the config.

Matthias
-- 
"Unix was never designed to keep people from doing stupid things,
because that policy would also keep them from doing clever things."





Re: [SAtalk] unable to disable AWL

2003-11-10 Thread matthias zeichmann
On Mon, 2003-11-10 at 15:28, Matt Kettler wrote:
> At 11:02 AM 11/10/03 +0100, matthias zeichmann wrote:
> >Meanwhile i suspect an error in my configuration. Is there a way to
> >check your local.cf for validity
> spamassassin --lint 

Thanks a lot, there was indeed an error:
-->8
atem:bin# spamassassin --lint 
Failed to parse line in SpamAssassin configuration, skipping: lag de
describe  bekannte Spamsender
-->8

is it possible that this messes up other behaviour of SA?

regards 
Matthias Zeichmann
-- 
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house, It's nature and laws have
been exhaustively expounded by Locke, who rode a house, and Kant, who
lived in a horse." -- Ambrose Bierce





Re: [SAtalk] unable to disable AWL

2003-11-10 Thread Matt Kettler
At 11:02 AM 11/10/03 +0100, matthias zeichmann wrote:
> Meanwhile i suspect an error in my configuration. Is there a way to
> check your local.cf for validity?


spamassassin --lint 





[SAtalk] spamd consumes huge amounts of memory

2003-11-10 Thread Margit Meyer
Hi all,

I used spamd/spamc 2.55 with procmail on a Solaris 8 box successfully for
several months. Now I tried to upgrade to spamd / spam 2.60 but now spamd
(one single process!) consumes more than 2 GB of memory. There are only a
few spamd processes running - the problem is not the amount of spamd
processes. My perl version is 5.6.1.
I searched the web and recognized that others have similar problems - but I
didn't yet find a suitable solution. 

Any help would be very welcome.

Best regards
Margit Meyer






Re: [SAtalk] Re: scoring system and values...

2003-11-10 Thread Terry Milnes
Lukreme wrote:
> On 08 Nov 2003, at 06:46, Terry Milnes wrote:
>
>> Some of us though are system administrators and need a solution to
>> offer to the end users.  The typical end user wants to open their
>> email and see no spam, period.
>
> Since the definition of spam varies from person to person that is simply
> not possible without customized tweaking.

Incorrect, it is simply not possible period. Unless of course you mean
for a day or two, or on a virgin account or if you disregard the fp's.

>> Presently without the tweaks and training all we can do is reduce his
>> spam by about 50 - 60%.
>
> Much much much better than that.
>
> # SUMMARY for threshold 5.0:
> # Correctly non-spam:  16785  30.50%  (99.84% of non-spam corpus)
> # Correctly spam:  37347  67.87%  (97.73% of spam corpus)
> # False positives:27  0.05%  (0.16% of nonspam,   3617 weighted)
> # False negatives:   869  1.58%  (2.27% of spam,   2912 weighted)
> # TCR: 38.063745  SpamRecall: 97.726%  SpamPrec: 99.928%  FP: 0.05%  FN: 1.58%
>
> That means that 98.27% of email processed with SA at a score level of
> 5.0 is correctly marked as spam/ham, and 97.73% of spams will be tagged
> correctly.

No, this means that with a threshold of 5 you had 27 false positives. 
You omitted to quote my original response, "Settings have to be left at 
conservative in order not to get the phone calls complaining about false 
positives".

Threshold at 8 (no bayes) 3 established test accounts 31 day period
Total Mail                  10,228
Total Spam                   4,008
Correctly identified Spam    2,325
Unidentified Spam            1,683
False Positives                  1

Threshold at 4 (+bayes and comprehensive white/black lists) on 3
accounts 31 days (Oct)
Total Mail                  12,524
Correctly identified Spam    4,712
Unidentified Spam               13
False Positives                  2

When a user signs up for this service we tell him we can reduce your 
spam by over 50%, and that there is a minute chance that a mail could be 
incorrectly identified as spam.  He has a UI that he can log into to 
customize his settings to increase the caught ratio.

He is also advised on how to filter his mail and to constantly check his 
spam folder to make sure that there are none misidentified.

The typical user is capable of making toast in his electric toaster, but 
when it comes to the overwhelming complexities involved in operating a 
computer he is totally lost. He will become extremely agitated when he 
loses the *REALLY IMPORTANT* email that was tagged as spam, put into 
his spam mailbox and which he subsequently deleted because he didn't pay 
close enough attention to what *HE* was doing, that instantly becomes 
our fault!

That same user doesn't comprehend filtering, he looks at spam, says it's 
spam and can delete it, he thinks computers are smarter than people and 
why can't it do the same thing, he thinks the program that does it and 
screws up is useless.

So to avoid the loss of those *REALLY IMPORTANT* emails we leave the 
settings at a conservative level.

When someone posts to this list asking how he can improve the hit ratio 
for his customers/users, cites examples or ideas that may improve the 
success ratio for his situation, (multiple user, many morons) the last 
thing he wants to hear about is how good spamassassin is without any of 
his kind of modification and that if he use bayes or spends a little 
time tweaking he can see results like these  He is probably already 
aware of that

I use spamassassin and think its the greatest thing since sliced bread, 
but I also spend considerable time keeping my settings up to date, 
monitoring and carefully selecting what could be incorrectly 
identified/misidentified, the typical end user will NOT go to this 
effort and needs us to hold his hand.

Terry





Re: [SAtalk] Subject Tagging

2003-11-10 Thread Josh Baird



That worked perfectly.  Thanks for the help!

- Original Message -
From: Maxwell Ochieng
To: Josh Baird
Cc: [EMAIL PROTECTED]
Sent: Monday, November 10, 2003 2:37 AM
Subject: Re: [SAtalk] Subject Tagging

check qmail-scanner-queue.pl whether you have set the spamc_subject
options or remove the -c in spamc_options.

Maxwell

Josh Baird wrote:

I have Spamassassin running with qmail+vpopmail.  I am having troubles
getting spamd to tag the subject of a spam email.  Here is the output of
maillog:

Nov  9 00:22:43 mail spamd[85995]: identified spam (12.5/5.5) for qmailq:85 in 1.6 seconds, 2881 bytes.
Nov  9 00:22:43 mail qmail-scanner[85988]: Clear:SA:1(12.5/5.5): 1.847362 2881 [EMAIL PROTECTED] [EMAIL PROTECTED] where_you_b$

It notices that the email is spam, and also tags the header of each email:

Received: from [EMAIL PROTECTED] by mail.jbdesign.net by uid 82 with qmail-scanner-1.16  (spamassassin: 2.60.  Clear:SA:1(19.7/5.5):.  Processed in 2.535403 secs); 09 Nov 2003 21:11:11 -
X-Spam-Status: Yes, hits=19.7 required=5.5

Yet it still does not tag the subject.  Here is my local.cf:

required_hits 5.5
rewrite_subject 1
subject_tag [SPAM]
report_safe 0
use_terse_report 1
always_add_report 1
use_dcc 0
use_pyzor 0
use_razor2 1
skip_rbl_checks 0
rbl_timeout 3
score RCVD_IN_BL_SPAMCOP_NET 3

And here is my spamd syntax:

/usr/local/bin/spamd -d -x -a -u qmailq

--

Does anyone have any ideas on why this isn't working?

Thanks


[SAtalk] Shutting Down spamd ERROR!

2003-11-10 Thread Rajdeep Larha





I installed SpamAssassin as per the documentations available at
the spamassassin.org. I installed all the dependent modules and it
installed fine w/o any error, I checked and verified using the
command listed in the USAGE file i.e.

#Mail-SpamAssassin-2.60# spamassassin -t < sample-nonspam.txt > nonspam.out
#Mail-SpamAssassin-2.60# spamassassin -t < sample-spam.txt > spam.out

And it worked as desired!! Then as I wanted to use it
site-wide I followed the Instructions as per the USAGE and created a
.procmailrc file in my home directory to test it with myself first.

Then to run it on automatically I copied the script related to me in the
init.d

#cp redhat-rc-script.sh /etc/rc.d/init.d/spamd.sh

I also made sure that my ~/.procmailrc in my home dir has  |spamc
instead of  |spamassassin. and also all the PATH are correct.

After this I started the spamd by:-

#/etc/rc.d/init.d/spamd.sh start

It started fine and I could see it in

ps-auxw| grep spamd as: -
#root 11235  0.0  6.7 18684 17356 ? S    03:30   0:02 /usr/local/bin/spamd -d -c -a -m5 -H

As directed I did all the configuration of spamd with "root".

Now when I go to verify it by

#/etc/rc.d/init.d/spamd.sh status

I get the error:-

#spamd is stopped

Also when I do

#/etc/rc.d/init.d/spamd.sh stop

I get the error as :-

#Shutting down spamd: ERROR!

And not to mention it does not work:-

I am using linux which is very similar to Red-hat (Cobalt Qube 3) and I
am using sendmail as MTA and procmail as MDA..

Any help will be welcomed, I did a good search on this on spamassassin
lists, I can find the people who have such error but none of the solution
worked for them and for me too.

I have already done basic trouble shooting by checking port used by spamd
by netstat -lp and it indeed uses the desired port 783 with no conflict.

After this I tried some other way around :-

I created a user spamd.
ran spamassassin with

 spamd -C /etc/mail/spamassassin -d  -u spamd

It didn't help much.

When I see the logs in /var/log/maillog, I can see spamd in action for
every mail. It gives clear and 0.0/5 possible points to every mail. I
checked by sending some mails to myself which were having "spam content"
but they were not filtered out.

Any Ideas!!!

I think spamd is installed and working fine. I need to do something to
tweak with the setting. But doesn't that has to be by default. I have
already made a local.cf file for me by a generator tool and put it
in /etc/mail/spamassassin.

Regards,
Rajdeep


[SAtalk] Irritating address verifier

2003-11-10 Thread Frank Pineau
So, I get this message in my inbox this morning.  Unless I'm totally misreading
the headers, it appears that it actually is from oem-cd.biz.  A quick google on
the address reveals it to be yet another marketing firm.  This one touts

"You Can Stop Cold Calling Business Prospects & Battling Voice Mail - And Make
Them Chase You Instead"

Oh, really?  Is that how you get them to chase you?  Curse at them and accuse
them of being spammers themselves?  Nice.  Anyone else get anything like this?


Return-Path: <[EMAIL PROTECTED]>
Received: from ACBE73DD.ipt.aol.com (ACBE73DD.ipt.aol.com [172.190.115.221])
by MY SERVER (8.12.10/8.12.10) with SMTP id hAAAVnil024184
for ; Mon, 10 Nov 2003 05:32:01 -0500
Received: from oem-cd.biz (oem-cd.biz [69.75.80.125])
by ACBE73DD.ipt.aol.com (Postfix) with ESMTP id B960BE02E1
for ; Mon, 10 Nov 2003 05:29:18 -0500
Return-Receipt-To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
From: "Carlton U. Receptors" <[EMAIL PROTECTED]>
To: Frank 
Subject: Frank
Date: Mon, 10 Nov 2003 05:29:18 -0500
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Disposition-Notification-To: [EMAIL PROTECTED]
X-AntiVirus: OK! AntiVir MailGate Version 2.0.1; AVE: 6.15.0.0; VDF: 6.15.0.6
X-Virus-Scanned: by amavisd-new
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on 
MY SERVER
X-Spam-Level: **
X-Spam-Status: No, hits=2.1 required=5.0 tests=BAYES_40,
RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=no version=2.60

fuck you spammer




Re: [SAtalk] unable to disable AWL

2003-11-10 Thread Nick Leverton
On Mon, Nov 10, 2003 at 11:02:43AM +0100, matthias zeichmann wrote:
> Hello list!
> 
> I just can't seem to be able to disable AWL with spamassassin.
> The rationale behind that is that there is a lot of forged mail around
> recently (virii, trojans) that makes its way with a negative AWL
> scoring.

Before disabling auto_whitelist completely, you might like to apply the
most recent patch to fix Bug 2734, see
http://bugzilla.spamassassin.org/show_bug.cgi?id=2734.  I had been
tracking down a similar problem, where spam and viruses forged as if
they came from "me" were getting an inappropriate AWL weighting.
This patch, in combination with setting the "trusted_networks" config
item, seems to have fixed it for me.

Nick




[SAtalk] unable to disable AWL

2003-11-10 Thread matthias zeichmann
Hello list!

I just can't seem to be able to disable AWL with spamassassin.
The rationale behind that is that there is a lot of forged mail around
recently (virii, trojans) that makes its way with a negative AWL
scoring.

So i tried to disable AWL with 
-->8--
use_auto_whitelist 0
-->8--
in my local.cf, but AWL are still active [0]. It is not that the file is
not parsed at all because other rules from that file are still applied.
But just not this one...

I read through the mailing list archives, the FAQ, studied the
SpamAssassin::Conf manpage and browsed google for answers.

Meanwhile i suspect an error in my configuration. Is there a way to
check your local.cf for validity? There are no suspicious messages in my
syslog chain upon restarting of spamd though...

My setup is: postfix 1.1.11 on debian 3.0 with a content filter as
outlined on http://advosys.ca/papers/postfix-filtering.html, a
combination of spamd/spamc and anomy sanitizer. spamassassin is version
2.60 and runs on perl 5.8.0.

You can see my local.cf at http://volltext.net/sa/local.cf
I put it there, because sf.net's mailserver hit one of my local rules
and rejected the first mail.

Thanks for your consideration
Matthias Zeichmann

[0] from a recent mail:
-->8--
Date: Mon, 10 Nov 2003 10:15:07 +0100
X-Spam-Status:  No, hits=-48.0 required=7.0
tests=AWL,BAYES_00,LOCAL_RCVD  autolearn=ham version=2.60-mz_1.13
-->8--
-- 
siggen.pl: Segmentation Fault
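
A way to check delivered mail for whether AWL is still being applied after changing `use_auto_whitelist`, as an added example that is not part of the original post. It parses the 2.6x `X-Spam-Status` format quoted in this thread, including folded headers; the sample messages and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample input: two minimal messages carrying the X-Spam-Status
# values quoted in this thread, with the header folding restored.
SAMPLE_MESSAGES = [
    "Date: Mon, 10 Nov 2003 10:15:07 +0100\n"
    "X-Spam-Status: No, hits=-48.0 required=7.0\n"
    "\ttests=AWL,BAYES_00,LOCAL_RCVD autolearn=ham version=2.60-mz_1.13\n"
    "\nbody\n",
    "Subject: Frank\n"
    "X-Spam-Status: No, hits=2.1 required=5.0 tests=BAYES_40,\n"
    "\tRAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=no version=2.60\n"
    "\nbody\n",
]

def parse_spam_status(raw_message):
    """Return the fields of a 2.6x-style X-Spam-Status header, or None."""
    header = message_from_string(raw_message).get("X-Spam-Status")
    if header is None:
        return None
    flat = " ".join(header.split())  # unfold continuation lines

    def field(pattern, cast=str):
        match = re.search(pattern, flat)
        return cast(match.group(1)) if match else None

    # The tests list runs up to the next "name=" field and may be folded
    # after a comma, so split on commas and whitespace alike.
    tests = field(r"tests=(.*?)(?:\s+\w+=|$)") or ""
    return {
        "is_spam": flat.startswith("Yes"),
        "hits": field(r"\bhits=(-?\d+(?:\.\d+)?)", float),
        "required": field(r"\brequired=(-?\d+(?:\.\d+)?)", float),
        "tests": [t for t in re.split(r"[,\s]+", tests) if t and t != "none"],
        "autolearn": field(r"\bautolearn=(\w+)"),
    }

def messages_scored_by_awl(raw_messages):
    """Return (index, hits) for each message whose tests list contains AWL."""
    found = []
    for index, raw in enumerate(raw_messages):
        status = parse_spam_status(raw)
        if status and "AWL" in status["tests"]:
            found.append((index, status["hits"]))
    return found

if __name__ == "__main__":
    for index, hits in messages_scored_by_awl(SAMPLE_MESSAGES):
        print(f"message {index}: AWL still applied, hits={hits}")
```
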





[SAtalk] filebased whitelisting

2003-11-10 Thread peter pilsl

To avoid false positives (which is at a rate of approx. 0.2% now) I'd like to
whitelist my whole address book. My address book is changing/growing, so I would
like not to implement it using 500 "whitelist_from"-configs but put it to a file
and have a single "whitelist_fromfile"-statement in my local.cf. Unfortunately I
did not find such a statement. Did I miss it or is there any trick?

thnx,
peter


-- 
IT-Consulting
mag. peter  pilsl
tel:+43-699-1-3574035
fax:+43-699-4-3574035
[EMAIL PROTECTED]
http://www.goldfisch.at







Re: [SAtalk] Subject Tagging

2003-11-10 Thread Maxwell Ochieng




check qmail-scanner-queue.pl whether you have set the spamc_subject
options or remove the -c in spamc_options.

Maxwell

Josh Baird wrote:

I have Spamassassin running with qmail+vpopmail.  I am having troubles
getting spamd to tag the subject of a spam email.  Here is the output of
maillog:

Nov  9 00:22:43 mail spamd[85995]: identified spam (12.5/5.5) for qmailq:85 in 1.6 seconds, 2881 bytes.
Nov  9 00:22:43 mail qmail-scanner[85988]: Clear:SA:1(12.5/5.5): 1.847362 2881 [EMAIL PROTECTED] [EMAIL PROTECTED] where_you_b$

It notices that the email is spam, and also tags the header of each email:

Received: from [EMAIL PROTECTED] by mail.jbdesign.net by uid 82 with qmail-scanner-1.16
 (spamassassin: 2.60.  Clear:SA:1(19.7/5.5):.
 Processed in 2.535403 secs); 09 Nov 2003 21:11:11 -
X-Spam-Status: Yes, hits=19.7 required=5.5

Yet it still does not tag the subject.  Here is my local.cf:

required_hits 5.5
rewrite_subject 1
subject_tag [SPAM]
report_safe 0
use_terse_report 1
always_add_report 1
use_dcc 0
use_pyzor 0
use_razor2 1
skip_rbl_checks 0
rbl_timeout 3
score RCVD_IN_BL_SPAMCOP_NET 3

And here is my spamd syntax:

/usr/local/bin/spamd -d -x -a -u qmailq

--

Does anyone have any ideas on why this isn't working?

Thanks





Re: [SAtalk] Spamassassin and Qmail gateway

2003-11-10 Thread Maxwell Ochieng
Can I setup qmailscanner/qmail so it will copy or send or delete the
message with Spam status=yes header? 
yes you can do this but with procmail or maildrop

Rajkumar S wrote:

Zlatko Hristov wrote:

I am trying to setup SA on Qmail gateway/relay server. All the mailboxes
are on Exchange, Qmail does filtering only with qmailscanner and SA. SA
marks the message with Spam status= yes.


I have a similar setup where I receive all the mails, pass them
through Q-S, spamassassin and clam av, and send them back to the original
mail server. You can use control/smtproutes to route the mails back to the
original mail server.

Can I setup qmailscanner/qmail so it will copy or send or delete the
message with Spam status=yes header? 


I am not aware if Q-S can block SA tagged mails, but it blocks
virus mails.

raj





