[SAtalk] memory leaking spamd procs

[jpff]

(writing on behalf of the day job)
We are suffering from run-away spamd processes, growing to large
memory usage and in effect killing all mail delivery.  This last
happened Sunday pm and until someone gets to the office we are still
without mail.  Looking through the archives I found a message from
Daniel Siegers dated last July which describes the same situation, but
there does not seem to be a response.

> After a while everythings running fine, there are some spamd procs
> left that leak memory. All spamd procs start with a memory usage of
> about 20MB and exit after a while. These leaking procs use up to 250MB
> and where still growing when i killed them. 

We are running Redhat 7.x I think.  Spamassassin was installed this
autumn; cannot check which version but I think 2.60 (machine only
replies to ping but not ssh).

Any suggestions?

==John ffitch


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] To: you Cc: friend -- New spammer trick?

[Evan Platt]

--On Sunday, December 21, 2003 3:13 PM -0700 Bob Proulx <[EMAIL PROTECTED]> 
wrote:

In the last month my girlfriend and I have been getting a number of
spams which have been addressed To: me and Cc: to her.  This seems to
be a new spammer trick.  Use not just a database of email addresses
but a database of To: Cc: headers combined in an attempt to get
through people's filters.  And it worked because when she saw that it
was addressed to me she read them, and then told me about them.  This
must have been scraped from some greeting card site or someplace but I
can't deduce any association.
Not sure what can be done about those other than just to ignore them.
Note that SA was able to tag these just fine from the contents.  But
it would be useful if there were a way to make use of this
association.


I get a bunch of these - oddly addressed to evan and then cc'd 
[EMAIL PROTECTED]

Evan

---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] spamp.py and 4 hard messages

[PieterB]

Hello,

I created a Python script that can process Unix mbox files and
generate statistics on the Bayesian filtering of SpamAssassin. 

I've ran the script (called 'spamp.py') on a Unix mbox containing
a total of 4381 messages. The mbox contained 2615 dutch non-spam
messages, 1 misclassified english non-spam message and 728 spam
messages (all from december 2003). The mbox also contained 133
messages that didn't have a "X-Spam-Status" header, and 904 of the
messages didn't have a BAYES_* test.

The script produced the following results:

SPAMP_REPORT_BAYES, (#=4381, no_saheader=133, no_bayes=904)
===

Bayes Non-spam  Spam Total
--
BAYES_00  1836 2  1838
BAYES_01   567 1   568
BAYES_10   109 0   109
BAYES_2061 061
BAYES_3029 029
BAYES_40 2 0 2
BAYES_44 7 2 9
BAYES_50 2 6 8
BAYES_60 1 0 1
BAYES_70 0 4 4
BAYES_80 0 5 5
BAYES_90 1 7 8
BAYES_99 0   702   702
--
Total:2615   729  3344




Interpretation of the results
=

So only 1 out of the 3344 e-mails was misclassified! 
I'm not very unsatisfied with my Bayesian filter ;)

I've then interpreted the spam mails with BAYES_00 or BAYES_01,
and the ham mail with BAYES_90:

X-Comment: This is a Japanse mail of which I assume it is correctly
   classified as spam (as far as I can see)
Subject: [Plone-developers] ?$BL$>5Bz9-9p"(
X-Spam-Status: Yes, hits=5.5 required=5.0 tests=BAYES_00,
CHARSET_FARAWAY_HEADER,JAPANESE_UCE_SUBJECT,NO_REAL_NAME,
RCVD_IN_BL_SPAMCOP_NET,UNWANTED_LANGUAGE_BODY autolearn=no
version=2.60

X-Comment: this is definite spam, but why did it have BAYES_00?
Subject: [Zope] How to make $250.000.-
X-Spam-Status: Yes, hits=5.6 required=5.0 tests=AWL,BAYES_00,EARN_MONEY,
FORGED_HOTMAIL_RCVD,HTML_FONT_BIG,HTML_MESSAGE,MIME_BASE64_LATIN,
MIME_BASE64_TEXT,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS autolearn=no version=2.60

X-Comment: This mail is correctly classified as ham, but it has quite a
   high score and BAYES_90
From: "eBay" <[EMAIL PROTECTED]>
Subject: Who's left on your list?
X-Spam-Status: No, hits=4.3 required=5.0 tests=AWL,BAYES_90,EXCUSE_14,
HTML_50_60,HTML_MESSAGE,HTML_TITLE_UNTITLED,OFFERS_ETC autolearn=no
version=2.60

X-Comment: This is the only misclassified ham document I could find
   The To-header contains a lot of repetition, and it sent using
   an asian (?) mailclient (I didn't obfuscate the e-mailadress in
   this e-mail yet)
Subject: jahia.properties  Database
X-Spam-Status: Yes, hits=8.5 required=5.0 tests=AWL,BAYES_01,BODY_8BITS,
CHARSET_FARAWAY_HEADER,DATE_IN_PAST_12_24,INVALID_DATE,
MIME_BASE64_TEXT, MIME_CHARSET_FARAWAY, SORTED_RECIPS,
SUSPICIOUS_RECIPS autolearn=no version=2.60

---

The mailboxes of the 4 messages can be found at my public corpus:
http://gewis.nl/~pieterb/spamp/publiccorpus/small/20031222-hardham.mbox.txt
http://gewis.nl/~pieterb/spamp/publiccorpus/small/20031222-hardspam.mbox.txt
(i did some obfuscation already)

Download spamp.py version 0.100 (alpha)
===
The Python script can be downloaded from:

http://www.gewis.nl/~pieterb/spamp/spamp.py/

The Python code and it's documentation (called the 'work') is
licenced under the Creative Commons Attribution-ShareAlike 1.0
licence, see http://creativecommons.org/licenses/by-sa/1.0/ 
All disputes should be handled according to Dutch law.

All bugs, questions, patches, feedback are welcome ;)
Regards,

PieterB

-- 
No matter what goes wrong, there is always somebody
who knew it would.


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Scanning bounce message attachments ?

[Simon Byrnand]

Hi All,

Recently our domain has been "joe jobbed" by some spammer, so our users are 
getting a lot of bounce messages with spam attachments.

Unfortunately SpamAssassin is letting most of them through because the 
header tests won't match the headers from the attached spam message. Is 
there any way to get SpamAssassin to also scan the contents of the RFC822 
attachment on a bounce message and flag it as spam if the attached returned 
message is spam ?

I'm using procmail and spamc so I guess I could use the mime tools to 
extract RFC822 attachments and scan them seperately, but that means calling 
spamc twice, something I can't really afford to do when our server is under 
seige already.

Anyone else have any thoughts ?

Regards,
Simon


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Strange DNSBL problem with spamassassin

[Robert Lacroix]

Hi all,

I have a strange problem with SpamAssassin and I can't find out a
solution to this:
We use a McAfee Webshield SMTP in front of an IMail server, that scans
for viruses and passes emails to IMail which runs on another port than
25. IMail analyzes the email then using spamc/spamd. When a client uses
the virusscan smtp to send a new mail spamassassin determines the
following hits for the mail:

X-Spam-Status: No, hits=-0.7 required=5.0
tests=BAYES_00,RCVD_IN_DYNABLOCK,
RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP,RCVD_IN_SORBS 
autolearn=no version=2.61

When I deactivate virusscan and use the IMail smtp directly the result
is as follows:

X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 
autolearn=no version=2.61

The problem is that I don't see any real difference in the header
between using virusscan + imail or only imail. I attached both headers,
maybe you see a difference.

Thanks, Robert


virusscan+imail:
--
Received: from belasrv4.belacove.com [10.0.0.166] by
belasrv4.belacove.com
  (SMTPD32-8.04) id A653BD0003C; Sat, 20 Dec 2003 15:01:55 +0100
Received: From server14.asklepios.com ([194.25.110.113]) by
belasrv4.belacove.com (WebShield SMTP v4.5 MR1a);
id 1071928914522; Sat, 20 Dec 2003 15:01:54 +0100
Received: from server14.asklepios.com [194.25.110.113] by
server14.asklepios.com
  (SMTPD32-8.04) id A6503423008E; Sat, 20 Dec 2003 15:01:52 +0100
Received: From jfk ([217.234.86.31]) by server14.asklepios.com
(WebShield SMTP v4.5 MR1a);
id 1071928911642; Sat, 20 Dec 2003 15:01:51 +0100
Reply-To: <[EMAIL PROTECTED]>
From: "Robert Lacroix" <[EMAIL PROTECTED]>
To: "'Robert Lacroix'" <[EMAIL PROTECTED]>
Subject: test
Date: Sat, 20 Dec 2003 15:01:51 +0100
Organization: Asklepios Kliniken GmbH
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcPHAdEKlZHDxGaKQUefPU1dKOZQ/A==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp)
X-Spam-Level: 
X-Spam-Status: No, hits=-0.7 required=5.0
tests=BAYES_00,RCVD_IN_DYNABLOCK,
RCVD_IN_NJABL,RCVD_IN_NJABL_DIALUP,RCVD_IN_SORBS 
autolearn=no version=2.61
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 367860621
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 20 Dec 2003 14:02:57.0726 (UTC)
FILETIME=[F8A985E0:01C3C701]


imail only:
--
Received: from belasrv4.belacove.com [10.0.0.166] by
belasrv4.belacove.com
  (SMTPD32-8.04) id AD3B15870132; Sat, 20 Dec 2003 14:23:07 +0100
Received: From asklepios.com ([194.25.110.113]) by belasrv4.belacove.com
(WebShield SMTP v4.5 MR1a);
id 1071926586614; Sat, 20 Dec 2003 14:23:06 +0100
Received: from jfk [217.234.86.31] by asklepios.com with ESMTP
  (SMTPD32-8.04) id AD393566011A; Sat, 20 Dec 2003 14:23:05 +0100
Reply-To: <[EMAIL PROTECTED]>
From: "Robert Lacroix" <[EMAIL PROTECTED]>
To: "'Robert Lacroix'" <[EMAIL PROTECTED]>
Subject: test
Date: Sat, 20 Dec 2003 14:23:05 +0100
Organization: Asklepios Kliniken GmbH
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcPG/GaDybDNfoLdQLSFUpCK2STYEA==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp)
X-Spam-Level: 
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 
autolearn=no version=2.61
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 367860617
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 20 Dec 2003 13:24:00.0586 (UTC)
FILETIME=[879E42A0:01C3C6FC]



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Non-functioning sa-learn in SA 2.61 on Mandrake 9.2 system

[Casper Gasper]

The message that is returned looks something like this:
Learned from 0 message(s) (5 message(s) examined)
It appears that sa-learn is examining the file but is not learning 
from the
messages.

 It looks to me that sa-learn is working -- you're just feeding it 
messages that it's already learnt from.  It memorizes the message id to 
keep a record of what bayes has already seen.

 Casper.



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Image-only spam

[Robert Nicholson]

Are you making use of any of the distributed clearing houses such as 
DCC etc?

On Dec 21, 2003, at 4:05 PM, Barry Callahan wrote:

I installed Spamassassin from a RedHat RPM as a test a day or two ago, 
and it's properly flagging about 1/3 of the incoming SPAM as such.  I 
have not played around with any of the settings yet.

Half of what's getting through has a score of 3.6 - 4.0.  This is not 
the group that overly concerns me, as I'm sure I can adjust things to 
get these properly detected.

The other half of what's getting through, I'm not so sure about.  It 
has a score of -1.1 - +1.1.  Yes, I'm getting SPAM with a negative 
SPAM score.

In all cases, the messages in the last group have the following in 
common:

1) They're Multipart Mime-formatted messages.
2) A text/plain section exists, but contains only blank lines.
3) The text/html section contains two or more HTML comments containing 
random alphanumeric strings.
4) The text/html section contains one or more image tags which 
reference images on some random webserver.
5) At least one of the images is a link.
6) The text/html section contains absolutely no displayable text.

So, an example of what the text/html section might contain is:





Is anyone else seeing SPAM like this?
Would anyone be able to make suggestions on how to go about writing a 
ruleset to tag these?

Thanks.

Barry



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for 
IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys 
admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Image-only spam

[Barry Callahan]

Heh.  Ya know what?  You were right.  RedHat gave me 2.44.  I just 
upgraded to 2.6.1 We'll see how it goes.

Thanks.

Barry

Tom Meunier wrote:
Before you play with the settings, consider updating to the current
version of SpamAssassin.  You're probably using 2.44; the current
version is 2.61.  At this point, that much spam getting through would be
expected behavior.
-tom


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Non-functioning sa-learn in SA 2.61 on Mandrake 9.2 system

[Larry Rosenman]

--On Sunday, December 21, 2003 17:48:35 -0500 Clive Dove 
<[EMAIL PROTECTED]> wrote:

On Sunday 21 December 2003 15:28, Ian Southam wrote:
> My sa-learn is no longer working.  I had it functioning under Mandrake
> 9.1
and

> again under Mandrake 9.2 upgraded from 9.1.

Check you have a perl module called DB_File installed.  Without this,
sa-learn will quietly fail (unless you have debug switched on).
Ian
Thank you.

I have installed the perl-DB_file package and sa-learn is now working
normally.  I am now just waiting to see when the Bayesian routine kicks
in on  my incoming mail.
200 spam + 200 Ham.
Clive



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: [EMAIL PROTECTED]
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749


pgp0.pgp
Description: PGP signature

Re: [SAtalk] Non-functioning sa-learn in SA 2.61 on Mandrake 9.2 system

[Clive Dove]

On Sunday 21 December 2003 15:28, Ian Southam wrote:
> > My sa-learn is no longer working.  I had it functioning under Mandrake
> > 9.1
>
> and
>
> > again under Mandrake 9.2 upgraded from 9.1.
>
> Check you have a perl module called DB_File installed.  Without this,
> sa-learn will quietly fail (unless you have debug switched on).
>
> Ian

Thank you.

I have installed the perl-DB_file package and sa-learn is now working 
normally.  I am now just waiting to see when the Bayesian routine kicks in on 
my incoming mail.

Clive




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Image-only spam

[Gary Funck]

Try Fred's rules,
http://www.merchantsoverseas.com/wwwroot/gorilla/90_FVGT.cf
esp. this combo image only rule:

metaFVGT_combo_IMAGEONLY1   ((HTML_IMAGE_ONLY_02 + MIME_HTML_ONLY +
MIME_HTML_ONLY_MULTI) > 1)
describeFVGT_combo_IMAGEONLY1   FVGT - Image only type spam?
score   FVGT_combo_IMAGEONLY1   4.3

I've seen it hitting on quite a few of the marginal spams, and pushing them
over
the top.

If you send an offending example as a separate attachment with headers in
tact,
we can try out our custom rules and tell you which ones hit.

Also, the version of SA you're using is important. Some earlier versions of
SA
did not properly decode base64 attachments, and thus a lot of spam got by.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Barry
> Callahan
> Sent: Sunday, December 21, 2003 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Image-only spam
>
>
> I installed Spamassassin from a RedHat RPM as a test a day or two ago,
> and it's properly flagging about 1/3 of the incoming SPAM as such.  I
> have not played around with any of the settings yet.
>
> Half of what's getting through has a score of 3.6 - 4.0.  This is not
> the group that overly concerns me, as I'm sure I can adjust things to
> get these properly detected.
>
> The other half of what's getting through, I'm not so sure about.  It has
> a score of -1.1 - +1.1.  Yes, I'm getting SPAM with a negative SPAM score.
>
> In all cases, the messages in the last group have the following in common:
>
> 1) They're Multipart Mime-formatted messages.
> 2) A text/plain section exists, but contains only blank lines.
> 3) The text/html section contains two or more HTML comments containing
> random alphanumeric strings.
> 4) The text/html section contains one or more image tags which reference
> images on some random webserver.
> 5) At least one of the images is a link.
> 6) The text/html section contains absolutely no displayable text.
>
> So, an example of what the text/html section might contain is:
>
> 
>  src="REMOVED" border=0>
> 
>
> Is anyone else seeing SPAM like this?
> Would anyone be able to make suggestions on how to go about writing a
> ruleset to tag these?
>
> Thanks.
>
> Barry
>
>
>
>
> ---
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> ___
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
>




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Image-only spam

[Tom Meunier]

Before you play with the settings, consider updating to the current
version of SpamAssassin.  You're probably using 2.44; the current
version is 2.61.  At this point, that much spam getting through would be
expected behavior.

-tom

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Barry Callahan
> Sent: Sunday, December 21, 2003 4:05 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Image-only spam
> 
> I installed Spamassassin from a RedHat RPM as a test a day or 
> two ago, and it's properly flagging about 1/3 of the incoming 
> SPAM as such.  I have not played around with any of the settings yet.
> 
> Half of what's getting through has a score of 3.6 - 4.0.  
> This is not the group that overly concerns me, as I'm sure I 
> can adjust things to get these properly detected.
> 
> The other half of what's getting through, I'm not so sure 
> about.  It has a score of -1.1 - +1.1.  Yes, I'm getting SPAM 
> with a negative SPAM score.
> 
> In all cases, the messages in the last group have the 
> following in common:
> 
> 1) They're Multipart Mime-formatted messages.
> 2) A text/plain section exists, but contains only blank lines.
> 3) The text/html section contains two or more HTML comments 
> containing random alphanumeric strings.
> 4) The text/html section contains one or more image tags 
> which reference images on some random webserver.
> 5) At least one of the images is a link.
> 6) The text/html section contains absolutely no displayable text.
> 
> So, an example of what the text/html section might contain is:
> 
> 
>  src="REMOVED" border=0>
> 
> 
> Is anyone else seeing SPAM like this?
> Would anyone be able to make suggestions on how to go about 
> writing a ruleset to tag these?
> 
> Thanks.
> 
> Barry
> 
> 
> 
> 
> ---
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign 
> up for IBM's Free Linux Tutorials.  Learn everything from the 
> bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> ___
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> 
> 


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] To: you Cc: friend -- New spammer trick?

[Bob Proulx]

In the last month my girlfriend and I have been getting a number of
spams which have been addressed To: me and Cc: to her.  This seems to
be a new spammer trick.  Use not just a database of email addresses
but a database of To: Cc: headers combined in an attempt to get
through people's filters.  And it worked because when she saw that it
was addressed to me she read them, and then told me about them.  This
must have been scraped from some greeting card site or someplace but I
can't deduce any association.

Not sure what can be done about those other than just to ignore them.
Note that SA was able to tag these just fine from the contents.  But
it would be useful if there were a way to make use of this
association.

Bob

P.S. I received the first one like this in November with one style and
then all of the others just recently with a second different style.

Nov02 Shane Warren(5.9K) theres more to life than bills
Dec18 Sharron Sizemor (8.6K) Bob go on vacation
Dec19 Timmy Webster   (9.0K) Bob go shopping
Dec19 Elvira Koehler  (7.3K) Bob Notice: 15 & 30 year rates at an all time low.
Dec21 Clinton Lockwoo (9.0K) Bob we will help you get your loan


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Image-only spam

[Barry Callahan]

I installed Spamassassin from a RedHat RPM as a test a day or two ago, 
and it's properly flagging about 1/3 of the incoming SPAM as such.  I 
have not played around with any of the settings yet.

Half of what's getting through has a score of 3.6 - 4.0.  This is not 
the group that overly concerns me, as I'm sure I can adjust things to 
get these properly detected.

The other half of what's getting through, I'm not so sure about.  It has 
a score of -1.1 - +1.1.  Yes, I'm getting SPAM with a negative SPAM score.

In all cases, the messages in the last group have the following in common:

1) They're Multipart Mime-formatted messages.
2) A text/plain section exists, but contains only blank lines.
3) The text/html section contains two or more HTML comments containing 
random alphanumeric strings.
4) The text/html section contains one or more image tags which reference 
images on some random webserver.
5) At least one of the images is a link.
6) The text/html section contains absolutely no displayable text.

So, an example of what the text/html section might contain is:





Is anyone else seeing SPAM like this?
Would anyone be able to make suggestions on how to go about writing a 
ruleset to tag these?

Thanks.

Barry



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] replacing .cf files

[Martin Radford]

At Sun Dec 21 20:04:48 2003, Amnon wrote:
> 
> Since I didn't get any replies to my question about replacing the
> .cf files in /usr/share/spamassassin with the newer ones that are on
> the SA site (running ver. 2.60), I decided to try it anyway.  Well
> no errors, log looks fine, and spam is being flaged.  That is
> until.  Later on in the day I noticed an email flagged as spam
> which shouldn't have been because the address is in my user_prefs
> file whitelist section.  Looking at the headers it said nothing to
> the fact that sender is in the whitelist.  Turned out that
> 20_head_tests.cf is the culprit.  As long as I had the old one in
> there everything was OK, until I replaced it.  Well I took all the
> new ones out of there, not knowing if/what else is broken.
> 
> So I guess one cannot just replace the .cf files with newer ones, right?

That's correct.  The rules and scores are tied up with the code in the
Perl module itself.  

The only way to upgrade SpamAssassin is to move wholesale from one
version to a later one -- you can't just pick and choose components
from different releases and expect it to work.

You can however add regexp-rules and scores, which you'll see
discussed regularly on this list.

Martin
-- 
Martin Radford  |   "Only wimps use tape backup: _real_ 
[EMAIL PROTECTED] | men just upload their important stuff  -o)
Registered Linux user #9257 |  on ftp and let the rest of the world  /\\
- see http://counter.li.org |   mirror it ;)"  - Linus Torvalds _\_V


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] replacing .cf files

[Theo Van Dinter]

On Sun, Dec 21, 2003 at 03:04:48PM -0500, Amnon wrote:
> So I guess one cannot just replace the .cf files with newer ones, right?

Can, with some kluging.  Want to?  Probably not.  Most rule changes take
place via code than via the cf files.

-- 
Randomly Generated Tagline:
I can't believe I ate the whole thing.
 
-- Homer Simpson
   The Front


pgp0.pgp
Description: PGP signature

Re: [SAtalk] Non-functioning sa-learn in SA 2.61 on Mandrake 9.2 system

[Ian Southam]

> My sa-learn is no longer working.  I had it functioning under Mandrake 9.1
and
> again under Mandrake 9.2 upgraded from 9.1.

Check you have a perl module called DB_File installed.  Without this,
sa-learn will quietly fail (unless you have debug switched on).

--
Ian



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] replacing .cf files

[Brook Humphrey]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sunday 21 December 2003 12:04 pm, Amnon wrote:
> So I guess one cannot just replace the .cf files with newer ones, right?
not sure what version you are using but it would appear not. On a side not 
when I upgraded my servers to using 2.60 I found it was quite  a bit faster 
and the bayes was a little more accurate. 
- -- 
 -~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
  Brook Humphrey   
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, [EMAIL PROTECTED], [EMAIL PROTECTED]   
 Holiness unto the Lord
 -~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/5gHcnT1TkA6FgPgRAmuuAJ9oPhUsth7WM6qkZ37n15jh4wWqCgCfSXH3
I63IuocUvryXfkftDBdUpCY=
=b9C/
-END PGP SIGNATURE-


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] replacing .cf files

[Amnon]

Since I didn't get any replies to my question about replacing the .cf files in
/usr/share/spamassassin with the newer ones that are on the SA site (running
ver. 2.60), I decided to try it anyway.  Well no errors, log looks fine, and
spam is being flaged.  That is until.  Later on in the day I noticed an
email flagged as spam which shouldn't have been because the address is in my
user_prefs file whitelist section.  Looking at the headers it said nothing to
the fact that sender is in the whitelist.  Turned out that 20_head_tests.cf is
the culprit.  As long as I had the old one in there everything was OK, until I
replaced it.  Well I took all the new ones out of there, not knowing if/what
else is broken.

So I guess one cannot just replace the .cf files with newer ones, right?




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] ... SA 2.61 eats mails ...

[Rubin Bennett]

SA Can't delete anything, so it's either your MDA (probably Procmail) or
your email client (broken filter?) that's doing the deleting.

HTH,

Rubin
On Sun, 2003-12-21 at 12:34, Kai Poppe/Redaktion SDCE wrote:
> Hello list,
> 
> i've got a serious problem on my hand. Having installed postfix i set up
> SpamAssassin and it perfectly worked until 2 days ago. I believe, I changed
> nothing important but suddenly the mails piped from spamassassin through
> sendmail to run into the appropiate mailboxes are deleted the instance they
> arrive in the mailbox-file.
> anyone had similar problems ?
> 
> Regards
> 
> Kai Michael Poppe, [EMAIL PROTECTED]
> 
> 
> 
> ---
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
> ___
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
-- 
Rubin Bennett <[EMAIL PROTECTED]>
RB Technologies


signature.asc
Description: This is a digitally signed message part

[SAtalk] Non-functioning sa-learn in SA 2.61 on Mandrake 9.2 system

[Clive Dove]

My sa-learn is no longer working.  I had it functioning under Mandrake 9.1 and 
again under Mandrake 9.2 upgraded from 9.1.

I had been running Spamassassin 2.60 and upgraded to 2.61.  
The only change that I made apart from installing the rpm was to delete my 
prior ~/.spamassassin/user_prefs and allow the new spamassassin to insert a 
default user_prefs.  When I saw that 2.61 was working, I replaced the prior 
user_prefs which contained whitelisted friends and friendly organizations.
The sa-learn utility worked in that set-up.  Spamassassin worked in that setup 
and the Bayesian filter kicked in after about a fortnight.

For reasons unrelated to spamassassin, I cleaned out my system and 
re-installed Mandrake 9.2 on a clean install (not upgraded as was the above 
setup)
I installed spamassassin 2.61 from the rpm package that was linked from the 
Spamassassin site.  I again piped spamassassin from KMail as its first rule 
and used X-Spam-Flag contains YES as the second KMail rule.
I did not configure spamassassin in any manner but simply let it use the 
defaults and install the default user_prefs.
Spamassassin is working and catching about 2/3 of the incoming spam.  The 
Bayesian routines have not yet kicked in (after 2 days)
However, sa-learn is not functioning at all.  When I drag uncaught span to a 
folder created for the purpose (zsa-learn-spam) and then run this command:
$ sa-learn ~/Mail/zsa-learn/cur
The message that is returned looks something like this: 
Learned from 0 message(s) (5 message(s) examined)

This command worked in the prior setup.

I also tried using this instead (with a fresh group of messages):
$ sa-learn ~/Mail/zsa-learn/*
The same message was returned.

It appears that sa-learn is examining the file but is not learning from the 
messages.

I  am at a loss as to how to get sa-learn to again start learning.


Clive





---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Re: random words spam

[Chris Thielen]

David Gibbs said:
> [EMAIL PROTECTED] wrote:
>> Is there an sa recipe for this latest innovation, with body as follows?
>
> This spam seems to be designed to bypass bayesian analysis ... and it
> appears to work.  Almost every piece of spam like this I've seen has the
> BAYES_00 rule, which has a negative score.

FYI, a well maintained bayes DB should not get BAYES_00 on a significant
number of spam, even bayes busters.  Here are my bayes stats from my
verified spam folder for the last 500 spam which includes many bayes
busters:

  1 BAYES_00
  1 BAYES_10
  1 BAYES_40
  6 BAYES_44
 22 BAYES_50
  5 BAYES_56
  7 BAYES_60
 11 BAYES_70
  5 BAYES_80
 33 BAYES_90
395 BAYES_99

Most bayes busters score bayes_99.  The bayes_10 is a monster.com-like
spam, similar to ham I receive.  The bayes_00 was a misclassified ham, an
image only forward from a friend (doh, gotta fix that one).



--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases:
http://www.sandgnat.com/cmos/


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] MSGID_FROM_MTA_SHORT problem

[Gary Funck]

Known problem/bug?
http://bugzilla.spamassassin.org/show_bug.cgi?id=2311

If it is not working for you, you can disable the test by setting its
score to 0:

SCORE MSGID_FROM_MTA_SHORT 0

in your user_prefs, or local.cf depending upon whether you're running
as a user or a sysadmin.

> -Original Message-
> From:  Andreas Kotowicz
> Sent: Sunday, December 21, 2003 6:56 AM
[...]
> 
> I just received an email from a friend that was marked as spam - though
> it isn't spam. (I'm using spamassassin 2.61). here are the headers:
> 
> 
> why is the MSGID_FROM_MTA_SHORT rule getting called? this a normal
> outlook client sending out email.




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] a few newbie questions

[Gary Funck]

Couple of things:

1) this SA Talk list can help you more if you attach an example of the
offending message,
complete with headers (all headers, unchanged). That way we can run it
through
our collection of tweaked rules, and let you know what's working for us.
,
2) Mosie on over to Chris Santerre's "Rules Emporium" at,
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
and read the FAQ's and such. I highly recommend the collection of
hand crafted recipes there. You'll need to concatenate the whole lot
and append it onto the end of your .spamassassin/user_prefs file, if
you're running SA from a user account, or plunk them into
/etc/mail/spamassassin
with a .cf file extension, and restart spamd if you're running that.
ALWAYS run 'spamassassin --lint' after adding rules and then run a test
message
through SA to make sure things are working. Adding all those rules (esp.
BigEvil,
and the From blacklist) *will* slow down SA noticeably. Only do this if you
have
the spare cpu cycles and memory necessary to handle the increased load.

Recommended (by me) rule sets:
Big Evil: http://www.merchantsoverseas.com/wwwroot/gorilla/bigevil.cf
Popcorn/weeds/backhair:
http://www.merchantsoverseas.com/wwwroot/gorilla/popcorn.cf
Fred's rules: http://www.merchantsoverseas.com/wwwroot/gorilla/90_FVGT.cf
Basic new rules:
http://www.merchantsoverseas.com/wwwroot/gorilla/nov2rules.cf
Stern's blacklist: http://www.stearns.org/sa-blacklist/sa-blacklist.current

Those links will likely change, and new Rules will be added to the
Emporirium
as time goes on, so it is worth checking the top-level page to see the
current
state of the art.

As well as the Rules Emporium, the SA Wiki page (linked from the
Emporium)offers more resources:
http://www.exit0.us/index.php


> -Original Message-
> From: Geoffrey Lane
> Sent: Sunday, December 21, 2003 6:54 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] a few newbie questions
>
[...]
> It's been working fantastic up til now I've been getting alot of mail
> lately with random words in the subject and body (eg. "Re:
> HQJIYGK, trying to
> stick" / "leakage larkin six biconcave infelicitous") from random
> IPs /email
> addresses.
> also in the header it says "X-Spam-Status: No, hits=1.3 required=3.0
> tests=HTML_20_30,HTML_IMAGE_ONLY_08, HTML_MESSAGE autolearn=no
> version=2.60"
> i've already tried using "use_bayes", "bayes_auto_learn" with "1"
> switch to
> turn it on.. Am I missing anything else?
>




---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] ... SA 2.61 eats mails ...

[Kai Poppe/Redaktion SDCE]

Hello list,

i've got a serious problem on my hand. Having installed postfix i set up
SpamAssassin and it perfectly worked until 2 days ago. I believe, I changed
nothing important but suddenly the mails piped from spamassassin through
sendmail to run into the appropiate mailboxes are deleted the instance they
arrive in the mailbox-file.
anyone had similar problems ?

Regards

Kai Michael Poppe, [EMAIL PROTECTED]



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Provider issue

[Erik van der Meulen]

On Sat, Dec 20, 2003 at 12:29:26PM +0100, Erik van der Meulen wrote:

> Now I thought of the following scenario:

> If I filter my incoming mail first with:

>   spamassassin -d

> in order to get 'vanilla' messages (remove signs of my ISP's check) and
> consecutively do a normal SA spam-check as I used to.

> Would anyone be able to comment on this if it is possible and safe? And
> what procmail lines would be best to accomplish this. That would be very
> helpful. I am no expert at this and always a little causious when live
> mail is involved...

With some invaluable assistance I have managed to come up with:

  :0fw: spamassassin.lock
  | /usr/local/bin/spamassassin -d

  :0fw: spamassassin.lock
  | /usr/local/bin/spamassassin

  :0:
  * ^X-Spam-Status: Yes
  $MAILDIR/spam.incoming

which seems to do exactly what I want. Remaining question still is: am I
safe in using spamassassin this way?

Thanks for any comments!

--
  Erik van der Meulen <[EMAIL PROTECTED]>


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Re: random words spam

[David Gibbs]

[EMAIL PROTECTED] wrote:
Is there an sa recipe for this latest innovation, with body as follows?
This spam seems to be designed to bypass bayesian analysis ... and it 
appears to work.  Almost every piece of spam like this I've seen has the 
BAYES_00 rule, which has a negative score.

Almost all the spam of this nature seems to include just a link to an 
image on a few specific domains.  As such, I've added a new rule that 
puts a very high score on any spam that includes that URL ...

uri BAYES_BUSTER  /rx359|2004hosting|53X|openseed|er5hdh|quickforms/i
describe BAYES_BUSTER Trying to bypass BAYES
score BAYES_BUSTER 10.0
The high score is designed to negate the low baysian score.

I'm not sure if this is the best aproach, but it seems to be working for me.

david

--
| Internet: [EMAIL PROTECTED]
| WWW:  http://david.fallingrock.net
|
| We're not in the middle of nowhere...
|   we're on the outskirts of everywhere!
|
|   - DMRoth (adapted)


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] spamd timeouts

[Jack Gostl]

Every now and then a spam slips through with no header markups. I finally
tracked some of these down and found that spamd took so long to finish
that spamc finally timed out. (In this case, 742 seconds.)

I'm not sure what causes this. I'm running 2.60, and I thought that very
slow RBLs were handled so as to avoid this. The machine wasn't
particularly busy, but resource contention is always possible, especially
if there is a burst of spam.

I once suggested a header be added to show a timeout, and was told that it
was beyond the scope of the spamc logic. How about just a log message?
Something to help distinguish between a legit false negative and a
resource problem.

-- 

Jack Gostl  [EMAIL PROTECTED]



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] random words spam

[es]

Is there an sa recipe for this latest innovation, with body as follows?

pique tantrum bob deduce bizarre proscribe tropopause amtrak goal
canst fool earphone anisotropic horrify
casein traversable anion cell stolen contact uproot descent

Thanks

Newbie question - how do I automatically have my spamassassin updated
with the latest recipes (like my virus scanner is for example)?

-- 
Eric Smith


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] MSGID_FROM_MTA_SHORT problem

[Andreas Kotowicz]

Hi,

I just received an email from a friend that was marked as spam - though
it isn't spam. (I'm using spamassassin 2.61). here are the headers:

MIME-Version: 1.0
Content-Type: multipart/related;
boundary="=_NextPart_000_0075_01C3C7D9.80663B40"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Thread-Index: AcPFM9XyuEibfAfnTWy65oaIWFYIeABz6R3A
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Status: Yes, hits=5.2 tagged_above=0.1 required=5.0
tests=BAYES_00,
HTML_60_70, HTML_FONTCOLOR_BLUE, HTML_FONTCOLOR_RED,
HTML_FONT_BIG,
HTML_IMAGE_ONLY_10, HTML_MESSAGE, MSGID_FROM_MTA_SHORT,
RCVD_IN_DYNABLOCK,
RCVD_IN_NJABL, RCVD_IN_NJABL_DIALUP, RCVD_IN_SORBS
X-Spam-Level: *
X-Spam-Flag: YES


why is the MSGID_FROM_MTA_SHORT rule getting called? this a normal
outlook client sending out email.

thanks,
andreas



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] a few newbie questions

[Geoffrey Lane]

I would like to increase the accuracy of my spamassassin rules...
First I have used kmail and piped my mail through the standard 
"/usr/bin/spamassassin" without any switches if size of message is less than 
250kb and my next rule filters the mail with a X-Spam-Status: YES header to 
filter to a mbox from a standard .rpm install from binaries off 
www.spamassassin.org.
It's been working fantastic up til now I've been getting alot of mail 
lately with random words in the subject and body (eg. "Re: HQJIYGK, trying to 
stick" / "leakage larkin six biconcave infelicitous") from random IPs /email 
addresses.
also in the header it says "X-Spam-Status: No, hits=1.3 required=3.0 
tests=HTML_20_30,HTML_IMAGE_ONLY_08, HTML_MESSAGE autolearn=no version=2.60"
i've already tried using "use_bayes", "bayes_auto_learn" with "1" switch to 
turn it on.. Am I missing anything else?

I've been looking at the http://spamassassin.org/tests.html to increase 
accuracy and number to tests performed from ~/.spamassassin/user_prefs
but I'm confused... It says that there are 4 settings (local, net, with bayes, 
with bayes+net) I want bayes+net/net but do I use the interger numbers eg.
REMOVE_IN_QUOTES 0.001 0.187 0.001 0.001
which I would use 0.001, 0.187 ??  or do I just add a "1" to switch that test 
on!?!

I would appreciate and welcome any and all suggestions, hints or info that 
will answer my questions and/or make my hits more accurate and more spam 
being filtered... P.S. I have also tried using sa-learn --spam on folder but 
it did not "learn" any new email + I will be upgrading my version to latest 
later today.

Thanks for your time,
Freeballer

-- 
 .-.
 /v\L   I   N   U   X
// \\  >Penguins are your friend<
   /(   )\
^^-^^


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk