Re: [SAtalk] Rules for word-jumble spam

[Rich Wales]

Earlier, I wrote:

> > I came up with a set of rules which appear to catch the
> > new strain of spam with a meaningless jumble of words in
> > the body, while hopefully not catching any legitimate mail.

Rubin Bennett replied:

> I believe that the Backhair Ruleset will catch these as well;

Not necessarily.  I installed the Backhair rules after seeing Rubin's
posting, but I've still seen several "mPOP Web-Mail" spam messages
(four so far in the last couple of days) that would not have been
identified as spam on the basis of Backhair alone.

I saw one with the following garbage, for example --

Free Cable^ TV

-- which matched only one Backhair test (J_BACKHAIR_22).

Rich Wales[EMAIL PROTECTED]http://www.richw.org


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] setting up spamassassin on Gateway server (MX)

[Pankaj Shrestha]

Dear all,
  I have a MX server that simply accepts the mails and forwards all the mails to the corresponding internal servers.
 I have been able to install and run properly Spamassassin in our internal servers. But I would like to configure it in our MX server itself. By the way,MX server doesn't have any users.
    How do I do it. ? Suggestions and links are highly appreciated.
Thanking you in advance.
 
 
 
 
 
 MSN 8 helps ELIMINATE E-MAIL VIRUSES.  Get 2 months FREE*.


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] setting up spamassassin on Gateway server (MX)

[Pankaj Shrestha]

Dear all,
  I have a MX server that simply accepts the mails and forwards all the mails to the corresponding internal servers.
 I have been able to install and run properly Spamassassin in our internal servers. But I would like to configure it in our MX server itself. By the way,MX server doesn't have any users.
    How do I do it. ? Suggestions and links are highly appreciated.
Thanking you in advance.
 
 
 
 
 
 MSN 8 helps ELIMINATE E-MAIL VIRUSES.  Get 2 months FREE*.


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] filter suggestions

[Mike Leone]

Brian McGroarty ([EMAIL PROTECTED]) had this to say on 01/12/04 at 23:37: 
> What's the proper way to suggest a new filter to the SA developers?
> 
> I'm getting a TON of mail with a bunch of random uncommon-but-real
> words to thwart Bayesian filtering, combined with a single picture
> link. Spamassassin is giving these only about one point apiece.
> 
> The picture link never seems to come from the same domain as the
> mail. It seems like HTML mail with images not from the sender's domain
> would be a very useful test for these.

Same here. I noticed that some of them had a HTML_IMAGE_ONLY_02 tag. I've
set that rule to score 3 points now. Perhaps that will start kicking them
over my 5-is-SPAM settings.

IMO, any image-only email is SPAM. YMMV.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Re: problems with spamcop

[Bob Proulx]

Fritz Mesedilla wrote:
> How come I got this message from spamcop that I am sending spam?
> Based on the Mail relay test on abuse.net, I am clean.

The spamcop report on this incident has been marked:

  This issue has already been reported as an innocent bystander. 

So I am not sure that any other action is required.  Your IP address
is NOT listed in any of the RBLs that I checked.

> Besides, I am protected by amavisd-new,clamav, and spamassassin.

Those check your *incoming* mail for viruses and spam.  They have
nothing at all to do with *outgoing* mail.  Whether you have an open
mail relay or or other security related problem is not related to
virus checking or spam tagging.

This is off topic to both mailing lists.  Followups remove the CC of
the lists which are not on topic please!  I have set Mail-Followup-To:
on this message to avoid both.

Bob


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] (OT) Anti-spam law enacted -- so what's all this junk in myin-box?Risks Digest 23.12

[Gary Funck]

[I read Earthlink's suggestions below, and thought "We really are in
trouble."]

http://www.interesting-people.org/archives/interesting-people/200401/msg0011
7.html

Date: Mon, 12 Jan 2004 10:15:53 -0700
From: "NewsScan" <[EMAIL PROTECTED]>
Subject: Anti-spam law enacted -- so what's all this junk in my in-box?

The new federal anti-spam law went into effect Jan. 1, but consumers report
their inboxes are more cluttered than ever -- what's going on? Critics say
the new law doesn't actually ban spam but rather provides guidelines for
sending junk e-mail legally. "Now we have a green light for what would come
to be called 'legal spam,'" says ePrivacy Group CEO Vincent Schiavone. John
Levine, a board member of the Coalition Against Unsolicited Commercial
E-Mail, concurs: "Basically, it's a bill of rights for companies that want
to send junk e-mail." In addition, the federal law supercedes stricter laws
recently passed in several states, such as California. "Everyone was
planning for this California law, which was so draconian," says a California
lawyer who defends accused spammers. "Once the federal government passed the
federal law, everyone was kind of relieved." And while technology firms are
eagerly pursuing new ways of blocking spam, skeptics say the ultimate
solution won't be technological or legal, but will depend on developing more
savvy users. Mary Youngblood, abuse team manager at EarthLink, suggests
putting numbers in the middle of your e-mail address to make it more
difficult to guess and using a separate address for online shopping and
newsgroup postings.  [AP, Jan 11 2004; NewsScan Daily, 12 Jan 2004]
   http://apnews.excite.com/article/20040111/D800O3P00.html




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] problems with spamcop

[Fritz Mesedilla]

How come I got this message from spamcop that I am sending spam?
Based on the Mail relay test on abuse.net, I am clean.
Besides, I am protected by amavisd-new,clamav, and spamassassin.

Cheers,

fritz 
---
+ Basta Ikaw Lord


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Monday, 12 January 2004 11:49 AM
To: Mags Castro
Subject: [SpamCop (http://www.mesedilla.com) id:599828475]RE:
[Clamav-users] freshclam updates failing: sudden appearance of "ERROR:
Verification: MD5 verification error."


[ SpamCop V1.3.4 ]
This message is brief for your comfort.  Please use links below for details.

Spamvertised website: http://www.mesedilla.com
http://www.mesedilla.com is 202.138.137.106; Mon, 12 Jan 2004 08:11:37 GMT
http://www.spamcop.net/w3m?i=z599828475z2238fb26fc967fc197f197a3717d2d94z



--
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender immediately by e-mail and delete this e-mail from your
system. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent
those of the company. Finally, the recipient should check this email
and any attachments for the presence of viruses. The company accepts
no liability for any damage caused by any virus transmitted by this
email. 

Overture Media, Inc.
Direct Line: (632) 635-4785
Trunkline:   (632) 631-8971 Local 146
Fax: (632) 637-2206
Level 1 Summit Media Offices, Robinsons Galleria EDSA Cor. Ortigas Ave., Quezon City 
1100



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] filter suggestions

[Brian McGroarty]

What's the proper way to suggest a new filter to the SA developers?

I'm getting a TON of mail with a bunch of random uncommon-but-real
words to thwart Bayesian filtering, combined with a single picture
link. Spamassassin is giving these only about one point apiece.

The picture link never seems to come from the same domain as the
mail. It seems like HTML mail with images not from the sender's domain
would be a very useful test for these.


signature.asc
Description: Digital signature

Re: [SAtalk] cf files

[Robert Menschel]

Hello Matt,

Monday, January 12, 2004, 3:51:09 PM, you wrote:

MT> Sorry if this has been asked but I'm not finding anything in the
MT> archives. I know that any *.cf placed in /etc/mail/spamassassin gets
MT> read but what about rules placed in individual users home directories?
MT> Do they need to be in their user_prefs files or do *.cf files get read
MT> in the users .spamassassin directories as well?

**IF** rules are enabled for individual users, those rules do need to be
in their user_prefs files.

Most installations do NOT allow individual user rulesin user_prefs.

I've found a way around that limitation, and so can use my rules in
user_prefs.  Eventually I may want to split that into multiple files, and
I think I know how to develop that type of enhancement, but so far it
hasn't been necessary.

Bob Menschel





---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] HABEAS_SWE abuse from spammers

[Matt Kettler]

At 06:56 PM 1/12/04 -0800, Robert Menschel wrote:
Has anyone else NOT been bothered by this???
Not terribly.. I had a few sneak through, but most got tagged.

One of them did manage to get a BAYES_44 rating, but that quickly changed 
with a little training.

However, I will admit that I've been running with a reduced score for SWE 
since the day it was introduced to spamassassin.. I read the sadev 
discussion on scoring for it, decided for myself I disagreed, and chose a 
less severe score for it and have used it ever since... It's never had more 
of a score impact on my system than -4.0, and was running at -3.0 when the 
recent spam run hit.

I have however chosen to not be complacent about this spammer. I've added 
several custom rules _specificaly_ targeting that particular spammer, 
figuring that the * is going to try other tricks as well, and I may as 
well adapt my systems to single them out and give them fairly high scores.. 
There's lots of common static text in them that makes a good target for rules.

It also ensures these spams will be nicely over the autolearn-spam 
threshold so my system will keep learning this particular spammer's latest 
tricks.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] whitelist_from_rcvd - must domains resolve?

[Matt Kettler]

At 03:02 PM 1/12/04 -0800, Mike Batchelor wrote:
I need to make some entries in whilist_from_rcvd. But the only hostnames 
in the Received: header that I can trust, are not resolveable. Does that 
matter?
Yes it matters.. SA only looks at the RDNS portion of the Received: header. 
It will NOT honor a text string in any other part of the received header, 
since those are easily forged by doing a forged HELO.

Is it a simple pattern/string match, or does SA also try to resolve the 
hostname?
SA doesn't try to resolve the hostname, it relies on the MTA to do that.



Like this:

whitelist_from_rcvd [EMAIL PROTECTED] NTDOMAIN.private.dns

Should that work?
No, not unless your MTA can resolve an IP to NTDOMAIN.private.dns and put 
it into a Received: header.

NTDOMAIN.private.dns does not need to forward resolve, but the IP does need 
to RDNS to that.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] HABEAS_SWE abuse from spammers

[Robert Menschel]

Monday, January 12, 2004, 7:57:03 AM, Greg wrote:

gic> They've noted that we give HABEAS_SWE a score of -4.6 I think. I'm
gic> adjusted it for my machines to zero. Here's the headers:

Has anyone else NOT been bothered by this???

Sure I've received some of these spam, but my SA has marked them as spam.
Not a single one has snuck through my system here. Bayes at 9.0 outweighs
the Habeas at -8.0, and the other distribution rules flag the email as
spam at my 9.0 spam threshold. (My custom rules aren't even needed for
these.)

Bob Menschel





---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Your threshold score

[Robert Menschel]

Hello Carl,

Monday, January 12, 2004, 7:32:57 AM, you wrote:

CC> What do most people who write new SA rules set their threshold too?  I had
CC> set it around 3.0 for our company, but the false positive rate was very
CC> high.  I was looking at some of the big-evil stuff and noticed that many of
CC> the scores were 3.0 by themselves...

CC> Does everyone just use the 5.0 that comes by default?

When first reading about SA after my host made it available to me, I
found this at http://www.spamassassin.org/full/2.6x/dist/README

> - required_hits: Set this higher to make SpamAssassin less sensitive.
> If you are installing SpamAssassin system-wide, this is **strongly**
> recommended!

I took that to heart, and set required_hits to 9.0

I've been using 9.0 consistently on three domains since April. I
successfully and consistently trap 99.8% of all spam.

I have increased some (well, several dozen) of the scores for
distribution rules, but it seems with each release of SA more and more of
those become obsolete (I'm down to 2/3 of the adjustments I had back with
2.53).

Bob Menschel





---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] cf files

[Matt Kettler]

At 03:51 PM 1/12/04 -0800, Matt Thoene wrote:
Sorry if this has been asked but I'm not finding anything in the
archives. I know that any *.cf placed in /etc/mail/spamassassin gets
read but what about rules placed in individual users home directories?
Do they need to be in their user_prefs files or do *.cf files get read
in the users .spamassassin directories as well?
in the home directory only user_prefs is read, and no other files.





---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] OT: forged habeus mark

[Justin Mason]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Robin Lynn Frank writes:
>On Monday 12 January 2004 17:31, Bob Proulx  wrote:
>> Chuck Peters wrote:
>> > Can someone explain why HABEAS_SWE -8.0 was allowed to happen?
>>
>> Robin Lynn Frank wrote:
>> > Shorter answer.  Habeus rule is outahere.
>>
>> And many other people, not just these two, had the same sentiments.
>> Which really saddens me.
>
>
>
>Bob,
>
>I have no problem with Habeas' method of dealing with those who abuse their 
>mark.  It's a great idea.  But on a whim, I did a few whois inquiries on some 
>of the domains involved and found that the contact information bounced from 
>one country to the next.  If I had the time, I suspect I'd find that I'd gone 
>full circle back to the first domain contact.  In other words, I'm not sure 
>they can find someone real to sue.

They certainly did before, in the case of similar forgery and
intercontinental evasion.  Also, their business model depends on
prosecution in cases like this, as Bob pointed out.

PS: whoever was suggesting they'd be blackholing any mails containing the
SWE mark -- don't forget that all of my mail for at least a year has
contained it -- so, seeya ;)

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAA1xVQTcbUG5Y7woRAgdBAJwMEAXTJNtdVWkoPxGHutx/Rd55OACdEGhH
eCyHsXhRPQNGDxqFRe129x0=
=N/ZZ
-END PGP SIGNATURE-



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Low score for so many hits?

[Chip Paswater]

> *sigh*
>  HABEAS_SWE
> 
> Do people read this list or just post questions? Sorry, not meant to lash
> out, but this Habeas topic has been all the rage today. Don't know how
> anyone could miss it.

Wow, way to be rude about it. 

There might exist the possibility that not every subscriber of this list
reads it daily.  Additionally, consider the amount of people who subscribe to
the list specifically for posting their question.




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re[2]: [SAtalk] Mass-Check

[Robert Menschel]

Hello Smart,Dan,

Monday, January 12, 2004, 6:57:26 AM, you wrote:

SD> Bob:
SD> I take it from your docs that you do not try to run a mass-check against all
SD> your rules at one time, but instead do it a dozen at a time?

Both.  I do a massive check against all my rules (and the distribution
rules as well) once a month. Since that mass-check runs for 12+ hours,
and generates beaucoups data most of which I don't need day in and day
out, I don't run that massive check of everything very often.

I do it monthly just to make sure my scores stay in line and don't
generate unnecessary FPs.

Day to day as I analyze the FNs that sneak through (none today, two
yesterday), I build rules to catch the spam, verify that they do, and
then mass-check those specific rules to establish reasonable scores for
them. Any/all rules I develop in a day go into one file for mass-check.

When Jennifer or Chris or someone comes out with a new ruleset, or an
updated version of one, I run that ruleset through as a file of its own.

When I find rules in SA-Talk that look worth testing and evaluating for
my own use (or testing/evaluating for general information), I include
those in my daily file.

Bob Menschel





---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] OT: forged habeus mark

[David A. Carter]

Quoting Bob Proulx <[EMAIL PROTECTED]>:

> And many other people, not just these two, had the same sentiments.
> Which really saddens me.
> 
> For years I have heard people say we need to do something about spam.
> That filtering is only treating the symptom and not the disease.  That
> we need to fight the source of the spam problem, the spammers
> themselves.  But now when someone makes an honest attempt to fight the
> spammers themselves, everyone thinks it is not fast enough.  If they
> don't have satisfaction RIGHT NOW then it is not good enough either.

I admit to being one of the short-sighted ones, although in my defense, my
reasoning was due to a believed (later, probably unfounded, it turns out)
vulerability with how SA handles Habeas, not Habeas itself, which I did say
I thought was a good idea provided the follow-through is there to back it up.

I find your argument very convincing. I for one am going to make some
changes in my implementation, so I can have habeas checking again the way
the SA developers intended. I hope others will do the same. 

Habeas watermarking *may* fail if repeatedly attacked by the spammers, which
would be a shame. It will *definitely* fail if enough of us as mail
administrators freak out and pull habeas checking from our configurations at
the first sign of danger, rendering the watermark completely useless. This
would *really* be a shamebasically letting the spammers win without even
putting up a fight.

Well argued, I thought, Bob.

Regards;

DaC 



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] OT: forged habeus mark

[Bob Proulx]

Chuck Peters wrote:
> Can someone explain why HABEAS_SWE -8.0 was allowed to happen?

Robin Lynn Frank wrote:
> Shorter answer.  Habeus rule is outahere.

And many other people, not just these two, had the same sentiments.
Which really saddens me.

For years I have heard people say we need to do something about spam.
That filtering is only treating the symptom and not the disease.  That
we need to fight the source of the spam problem, the spammers
themselves.  But now when someone makes an honest attempt to fight the
spammers themselves, everyone thinks it is not fast enough.  If they
don't have satisfaction RIGHT NOW then it is not good enough either.

This is an extremely short sighted stance.  However you are in the
good company of many CEOs today.  Look at the stock price this week.
Do whatever it takes to make my options make money next week.  Don't
think about next year or the long term health of the organization.
This short sighted thinking is exactly what you are doing when you
completely disregard the strategy of attacking the source of the
problem.

I don't know why I am still talking.  You lost interest in the first
paragraph when I did not agree with you.  You want instant
gratification NOW.  Thinking about reducing spam six months from now
is way past lunch and competely off the roadmap.

You might disagree with the ability of a legal firm to remain viable
only by money from lawsuits.  Will they become a dot bomb?  I have no
idea.  That is a different mailing list.  Will they be effective in
pursuing spammers in a timely manor?  I don't know that either and
only time will tell.  I will give them the benefit of the doubt.
Things have been good until just now.  The Habeas mark gives an avenue
for legitimate mailings to avoid being tagged as a false positive.
Will the Habeas mark be my only guide to tagging spam?  No.  I use a
combined arms tactic when dealing with spam.  But I will be scanning
my spam folders and reporting any Habeas violators.

If Habeas can put spammers out of business and take them off the net
then I intend to report violators to them.  Removing spammers from the
net strikes at the source of the spam problem.

Actually this recent run of spam abusing the Habeas could be very
satisfying.  Hopefully Habeas will be able to take the violators out
behind the legal woodshed and give them the justice they deserve.  It
will feel good to hear that they have done just that.

Bob


pgp0.pgp
Description: PGP signature

Re: [SAtalk] The idea behind Habeas?

[Pedro Sam]

On January 12, 2004 02:27 pm, Kevin Old wrote:
> On Mon, 2004-01-12 at 14:12, Theo Van Dinter wrote:
> > On Mon, Jan 12, 2004 at 01:55:43PM -0500, Kevin Old wrote:
> > > I have had a lot of the Habeas messages also and have reported them,
> > > but am extremely confused at the actual point of Habeas?
> >
> > Ok, I'm getting tired of these types of messages.
>
> I hear ya.  Shame on me.  How dare someone have an actual question that
> needed clearing up and after searching the archives still didn't find a
> suitable answer to their question.  Why don't we just close down this
> list so we can all walk around confused and not understanding anything.

There are no dumb questions, but there are plenty of redundant ones.  You can 
learn all about how Habeas work by going to their website before asking off 
topic questions on a mailing list.

-- 
A Law of Computer Programming:
Make it possible for programmers to write in English and you
will find the programmers cannot write in English.


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] The idea behind Habeas?

[Pedro Sam]

On January 12, 2004 01:55 pm, Kevin Old wrote:
> Hello everyone,
>
> I have had a lot of the Habeas messages also and have reported them, but
> am extremely confused at the actual point of Habeas?
>
> If I understand correctly a Habeas "Certified" message has the 9 or 10
> "Habeas" header lines in it and that alone is suppose to be enough to
> make the message identifiable as "non-spam" according to their website.
> What gives?
>
> Don't they see (surely they do, but I'm just missing the point of their
> product) that all a spammer has to do is add the headers to their
> messages in order to bypass all the spam trapping applications?  Please
> tell me I'm missing something and that these people haven't robbed
> corporate America blind by selling them a product that is pointless.

The idea is that trademark and topyright laws are a whole lot easier to sue 
over than the non-existent untested spam laws.  Plenty of precedents.

-- 
Pecor's Health-Food Principle:
Never eat rutabaga on any day of the week that has a "y" in
it.


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Low score for so many hits?

[Brian May]

Because that would destroy the Habeas idea.. all I did was nuke the URL in
the message.. pharmwhavetersomthing.biz and I have caught every single one
of them.

Disabling the Habeas is not the correct thing to do.. but you can do
whatever you want..

Brian

- Original Message -
From: "Raquel Rice" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 12, 2004 3:47 PM
Subject: Re: [SAtalk] Low score for so many hits?


On Mon, 12 Jan 2004 14:52:10 -0800
Evan Platt <[EMAIL PROTECTED]> wrote:

> --On Monday, January 12, 2004 5:50 PM -0500 Chris Santerre
> <[EMAIL PROTECTED]> wrote:
>
> > *sigh*
> >  HABEAS_SWE
> >
> > Do people read this list or just post questions? Sorry, not
> > meant to lash out, but this Habeas topic has been all the rage
> > today. Don't know how anyone could miss it.
>
> I know, tell me about it, geez.
>
> But how would I get SpamAssassin to delete any messages where
> HABEAS_SWE is matched? ;)
>

Why not use procmail to remove anything with that header?

--
Raquel

One of the most tragic things I know about human nature is that all
of us tend to put off living.  We are all dreaming of some magical
rose garden over the horizon-instead of enjoying the roses blooming
outside our windows today.
  --Dale Carnegie



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Your threshold score

[Brian May]

any thing above 4.1 is spam
4.1 to 5 goes to one folder to check for FN
5+ to 12 goes to another folder for checking
12+ to 25 goes to yet another folder...
25+ gets auto reported to razor and like...

after all spam that scored under 25 get s a manual inspection then fed to
razor and bayes..

all FN get revoked (some are marked as razor positives when they are CLEARLY
not spam), forgotten then learned as ham..

I do not delete any mail from the SA score.. that just doesn't seem right..

Brrian

- Original Message -
From: "Mark H" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 12, 2004 10:14 AM
Subject: Re: [SAtalk] Your threshold score


Above 5 and it goes into the SPAM folder, but these are at least cursorily
examined before trashing.

Above 10 and it goes directly into the trash, never to be seen again.

mh




At 07:32 AM Monday1/12/2004, Carl Chipman wrote:
>What do most people who write new SA rules set their threshold too?  I had
>set it around 3.0 for our company, but the false positive rate was very
>high.  I was looking at some of the big-evil stuff and noticed that many of
>the scores were 3.0 by themselves...
>
>Does everyone just use the 5.0 that comes by default?
>
>
>
>Carl Chipman
>Nomadics, Inc.
>[EMAIL PROTECTED]
>http://www.nomadics.com
>
>
>
>
>
>
>---
>This SF.net email is sponsored by: Perforce Software.
>Perforce is the Fast Software Configuration Management System offering
>advanced branching capabilities and atomic changes on 50+ platforms.
>Free Eval! http://www.perforce.com/perforce/loadprog.html
>___
>Spamassassin-talk mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Low score for so many hits?

[Evan Platt]

--On Monday, January 12, 2004 3:47 PM -0800 Raquel Rice
<[EMAIL PROTECTED]> wrote:

>> 
>> But how would I get SpamAssassin to delete any messages where
>> HABEAS_SWE is matched? ;)
>> 
> 
> Why not use procmail to remove anything with that header?

I was kidding. I was commenting to the poster who said 'what is it with
people posting the same question about Habeas today?? Don't people read?'

I replied "Yeah.. tell me about it. How do I get SA to delete messages with
... (i.e. making fun of the people who ask here "I read the FAQ, but cannot
find how to get SA to delete messages...)

Sorry, I'm the Owner of the I Don't Get It comedy club. :)


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] cf files

[Matt Thoene]

Sorry if this has been asked but I'm not finding anything in the
archives. I know that any *.cf placed in /etc/mail/spamassassin gets
read but what about rules placed in individual users home directories?
Do they need to be in their user_prefs files or do *.cf files get read
in the users .spamassassin directories as well?

Thanks.

-- 
Matt



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Low score for so many hits?

[David A. Carter]

Quoting Raquel Rice <[EMAIL PROTECTED]>:

> Why not use procmail to remove anything with that header?

That's so crazy, it just might work...

DaC




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Your threshold score

[Mark H]

Above 5 and it goes into the SPAM folder, but these are at least cursorily 
examined before trashing.

Above 10 and it goes directly into the trash, never to be seen again.

mh



At 07:32 AM Monday1/12/2004, Carl Chipman wrote:
What do most people who write new SA rules set their threshold too?  I had
set it around 3.0 for our company, but the false positive rate was very
high.  I was looking at some of the big-evil stuff and noticed that many of
the scores were 3.0 by themselves...
Does everyone just use the 5.0 that comes by default?



Carl Chipman
Nomadics, Inc.
[EMAIL PROTECTED]
http://www.nomadics.com




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Habeas mark and auto-learning as ham

[SpamTalk]

-Original Message-
From: David A. Carter [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 12, 2004 5:10 PM
To: Robert Strickler
Subject: RE: [SAtalk] Habeas mark and auto-learning as ham

Robert:

Just in case you didn't realize, you sent this only to me and not to the
entire list. 

In response to your message, I'm not sure I get you exactly..."disable
autolearn on any negative score with it a default of YES", I'm not sure I
entirely understand this. It sounds like you are saying, if any _one_ score
adds more than X number of negative points to the total, then the message
shouldn't be autolearned? 

Thanks for the response;

DaC

Quoting Robert Strickler <[EMAIL PROTECTED]>:

> 
> I expressed this in another post and re-iterate it here to keep it in
> the
> thread. Disabling autolearn should not affect just Habeas, adding a
> option
> to disable autolearn on any negative score with it a default of YES
> should
> be intrinsic to prevent exploitation and poisoning by ANY negative
> value.
> 
> BTW, I would recommend a 0.01 score rather than zero, that way
> processing
> will proceed normally you will see it in your reports.
> 
> Best Regards,
> Bob
>  bottom post)
[snip additional conversation]

> sent this only to me
DOH! Futzing about with quote fix multiple times and forgot to rebuild the
To: on the final pass.

> if any _one_ score adds more than X number of negative points to the
> total, then the message shouldn't be autolearned?

Yes, negative scores seem to be just an exploit waiting to happen. Some
people may feel otherwise, that's why disabling it should be an option, but
the default should be that messages containing _any_ negative score should
not autolearn. It might be going too far to provide for individual score
overrides, but might be convenient if there is a clamor for that kind of
tuning granularity so that you could specify autolearn for HABEAS_SWE and
ignore the other negative rules.

Best Regards, Bob


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Re: nice list this even to newbies!

[Matt Kettler]

At 07:57 PM 1/8/04 +, Pete Henshall wrote:
From being on here a while, this isn't the worst list in the world
Blargh! RTFM!

Of course this list flames newbies! Only someone who never read the manual 
would say otherwise!!!

Stop trying to give us a good reputation, you'll make us look like we care :)

*grins*

sorry, couldn't resist that.





---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Habeas mark and auto-learning as ham

[David A. Carter]

Quoting Bart Schaefer <[EMAIL PROTECTED]>:

> It's usually easier to promptly re-learn a false negative as spam than
> it
> is to re-learn a false positive as ham, because FNs probably go right
> into
> your mailbox while FPs are dropped in a quarantine (or worse).  Unless
> you're not paying attention, a flood of obvious FNs is not going to
> "poison" the Bayes database for very long.

Yes, except I neglected to mention I use a common Bayes database for all
users (duh, I should have realised this before...). More on this in a sec.

> Also, I think you seriously misjudge the difficulty of pumping enough
> bad
> data into a Bayes database to get something misclassified.

Perhaps. Also, I didn't take into account that I run a common bayes database
for the whole mailserver, which I know is not the recommended way to run
bayes. Running a setup such as mine means this "vulnerability" is magnified
(how much I am not qualified to say; I'm just starting to learn more about
the inner workings of bayes now) since more of this "bayes poision" can hit
the database before the server admin can realize and counteract.  I'm very
much convinced now that if one runs a common bayes database between all
users, one should *not* run autolearning at all (for this reason and
others), and instead use manual training of the database on a regular basis.

> If the Habeas headers still concern you, use bayes_ignore_header for
> them,
> don't spend your time manually deleting them.

It wasn't the habeas headers getting into the bayes database that concerned
me so much, rather it was the contents of the spam itself with all its
spammy tokens.

Thank you for your very enlightening response.

DaC



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Habeas mark and auto-learning as ham

[Bart Schaefer]

On Mon, 12 Jan 2004, David A. Carter wrote:

> What does concern me is how SpamAssassin should deal with Habeas marks,
> which clearly *is* on-topic. Specifically, should SpamAssassin
> auto-learn Habeas-marked messages as ham, as it does today?

This is no different than the question "Should SpamAssassin auto-learn a
high-scoring false negative as ham, as it does today?"

The answer of course is that, by definition, SA can't tell it's a false
negative (if it could, it wouldn't have been a negative, would it?) so
the only way to prevent it from mislearning the occasional false negative
(or positive) is to turn off autolearning entirely.

It's usually easier to promptly re-learn a false negative as spam than it
is to re-learn a false positive as ham, because FNs probably go right into
your mailbox while FPs are dropped in a quarantine (or worse).  Unless
you're not paying attention, a flood of obvious FNs is not going to
"poison" the Bayes database for very long.

That the Habeas mark is what causes the FN is irrelevant, except in so far
as it's an obvious way for a spammer to get a better score.

Also, I think you seriously misjudge the difficulty of pumping enough bad
data into a Bayes database to get something misclassified.

Finally, I think people are overly concerned about "poisoning" their
databases by learning messages containing the Habeas headers as spam (or
ham).  Remember that Bayes only pays attention to tokens that clearly
appear in more of one type of message than the other; if a token appears
too regularly in both, it gets ignored and the decision is made by looking
at other tokens.  All you'll do with correct learning as spam/ham is teach
Bayes that the Habeas headers are not a reliable way to make a decision;
you won't teach it to make the wrong decision unless the entire message
(and thus the rest of the content) is learned the wrong way (which returns
us to the original question about auto-learning).

If the Habeas headers still concern you, use bayes_ignore_header for them,
don't spend your time manually deleting them.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] whitelist_from_rcvd - must domains resolve?

[Mike Batchelor]

I need to make some entries in whilist_from_rcvd. But the only hostnames in 
the Received: header that I can trust, are not resolveable. Does that 
matter?  Is it a simple pattern/string match, or does SA also try to 
resolve the hostname?

Like this:

whitelist_from_rcvd [EMAIL PROTECTED] NTDOMAIN.private.dns

Should that work?

---
"The avalanche has already begun. It is too late for the pebbles to vote."
-- Kosh
---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Phony Habeas mark on spam...I knew it was just a matter of time

[guenther]

[ I didn't see this mail reaching the list for hours now. Resending.
Sorry, if it will end up duplicated. ]


On Sun, 2004-01-11 at 23:26, Theo Van Dinter wrote:
> On Sun, Jan 11, 2004 at 05:18:30PM -0500, Jack Gostl wrote:
> > Just got a bunch of these myself. Are you suggesting that we simply
> > learn them as spam and ignore them otherwise and then let nature take its
> > course? Or should I foward this stuff someplace.
> 
> Send them to [EMAIL PROTECTED]  I dug through my spam corpus and found
> 8 so far this month and just sent them off.  We'll see what happens.

I just received those buggers slipping through some hours before this
discussion started myself. And they are still dripping in.

I would love to report them, but I am concerned about some private
information in the headers. This is especially the Delivered-To: header,
which reveals the user name which my ISP uses -- and later added local
headers. I don't think they are useful at all for Habeas.

So the question is:  May I safely cut that information out, when
forwarding those messages to Habeas?

And thoughts? TIA

...guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Duplicate Emails

[Gary Funck]

As an aside,

  formail -D 2 /tmp/dup_id_cache.$$ -s < mbox.txt > mbox_no_dupes.txt
  rm -f /tmp/dup_id_cache.$$

will do a decent job of weeding out duplicates (based upon message id),
where 2 is the size of the id cache.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Low score for so many hits?

[Evan Platt]

--On Monday, January 12, 2004 5:50 PM -0500 Chris Santerre
<[EMAIL PROTECTED]> wrote:

> *sigh*
>  HABEAS_SWE
> 
> Do people read this list or just post questions? Sorry, not meant to lash
> out, but this Habeas topic has been all the rage today. Don't know how
> anyone could miss it.

I know, tell me about it, geez. 

But how would I get SpamAssassin to delete any messages where HABEAS_SWE is
matched? ;)




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Low score for so many hits?

[Chris Santerre]

*sigh*
 HABEAS_SWE

Do people read this list or just post questions? Sorry, not meant to lash
out, but this Habeas topic has been all the rage today. Don't know how
anyone could miss it.

--Chris


> -Original Message-
> From: Chip Paswater [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 5:36 PM
> Cc: [EMAIL PROTECTED]
> Subject: [SAtalk] Low score for so many hits?
> 
> 
> Any idea how a message with so many hits got such a low score?
> 
> X-Spam-Level: **
> X-Spam-Checker-Version: SpamAssassin 2.61 
> (1.212.2.1-2003-12-09-exp) on anubis
> X-Spam-Status: No, hits=2.0 required=5.0 
> tests=BAYES_99,BIZ_TLD,CLICK_BELOW,
> HABEAS_SWE,HTML_50_60,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
> 
> MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
> autolearn=no version=2.61
> 
> 
> 
> ---
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> ___
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> 


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Habeas mark and auto-learning as ham

[Matt Kettler]

At 05:26 PM 1/12/2004, David A. Carter wrote:
I do agree the Habeas folks will need to act quickly and completely so the
effect of forgeries is minimized. However, this doesn't mean SpamAssassin
needs to be a sitting duck for such forgeries. I think if you just stop
bayes from auto-learning habeas-marked mail as ham, you'd take away the
vulnerability, and the downside would be almost nil.
as a short-term fix you can archive this by giving it a tflags value of 
userconf in your own private config.

this is exactly how GTUBE was hacked to not be used as a learning critera.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Low score for so many hits?

[Kang , Joseph S.]

> Any idea how a message with so many hits got such a low score?

Yes, this message had a Habeas mark in the header.  

> 
> X-Spam-Level: **
> X-Spam-Checker-Version: SpamAssassin 2.61 
> (1.212.2.1-2003-12-09-exp) on anubis
> X-Spam-Status: No, hits=2.0 required=5.0 
> tests=BAYES_99,BIZ_TLD,CLICK_BELOW,
> HABEAS_SWE,HTML_50_60,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
> 
> MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
> autolearn=no version=2.61

-Joe K.


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Automatically whitelist_from_rcvd a sender.

[Matt Kettler]

At 05:25 PM 1/12/2004, Brett Simpson wrote:
Let's say [EMAIL PROTECTED] sends an email to [EMAIL PROTECTED] and Joe is in a 
whitelist_from_rcvd. Would it be possible to auto add a 
whitelist_from_rcvd for Mary?
No, that would be fundamentally impossible.. because you don't know what 
mailserver [EMAIL PROTECTED] uses when sending email, you would not know what 
part to enter for the rcvd half of the whitelist_from_rcvd.

Note that it's not always going to be:
whitelist_from_rcvd [EMAIL PROTECTED] mary.com
For example, if I used EVI's other domain name in my postings, 
[EMAIL PROTECTED], I would have evi-inc.com in the received 
path, not evitechnology.com. The mailserver used for both domains RDNS's as 
xanadu.evi-inc.com. Thus you'd need:

whitelist_from_rcvd [EMAIL PROTECTED] evi-inc.com





---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Low score for so many hits?

[Chip Paswater]

Any idea how a message with so many hits got such a low score?

X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on anubis
X-Spam-Status: No, hits=2.0 required=5.0 tests=BAYES_99,BIZ_TLD,CLICK_BELOW,
HABEAS_SWE,HTML_50_60,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
autolearn=no version=2.61



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Habeas mark and auto-learning as ham

[Stewart, John]

> Anyway, what do others think about this?

I personally turned off auto-learning some time ago and it seems that SA's
effectiveness has been quite good, and *remained* good. I do train it
manually with stuff that it missed, but that's pretty much the only training
I do.

johnS


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Habeas mark and auto-learning as ham

[David A. Carter]

Hi:

A lot of mail has shown up in the group debating the soundness of Habeas's
watermarking scheme. Whether that debate is on topic, I'll leave as an
exercise for others. For the record, I think Habeas's idea is sound  enough,
provided they follow through with it. But this is not what concerns me.

What does concern me is how SpamAssassin should deal with Habeas marks,
which clearly *is* on-topic. Specifically, should SpamAssassin auto-learn
Habeas-marked messages as ham, as it does today? In an earlier thread, Theo
said it should:

> Well, this is less a question of "should it be autolearned" and more
> of a "how good is the Habeas system"...  In the perfect world, it's
> not forgable/misused and you would always accept it as a sign of ham,
> and therefore autolearning is desired.
>
> Since we don't live in the perfect world, the question is: can the
> Habeas folks act fast/complete enough so that forging/misusing the mark
> is completely minimized?  If they can, then there's not a huge issue --
> yeah, some spam will get through, but they'll quickly be squashed and
> there you go.  If they can't, then their whole business plan fails as
> people start ignoring the mark, and again no problem since the SA rules
> would go away.

I disagree, I think it is still a question of, "should it be autolearned?" I
think auto-learning habeas-marked emails as ham represents an exploitable
vulnerability in SpamAssassin: spammers can send a large amount of
habeas-marked spam (maybe not even real spam that actually sells something,
maybe just email with a large amount of spammy words/phrases like "[EMAIL PROTECTED]",
etc) from untraceable throwaway accounts. This spam gets auto-learned as ham
due to the habeas mark. The spammers can now send real, traceable spam
WITHOUT including the habeas mark, and it will past SA's checks because now
bayes thinks it is ham. We have already seen the effect of this
vulnerability in action over the past two days.

I do agree the Habeas folks will need to act quickly and completely so the
effect of forgeries is minimized. However, this doesn't mean SpamAssassin
needs to be a sitting duck for such forgeries. I think if you just stop
bayes from auto-learning habeas-marked mail as ham, you'd take away the
vulnerability, and the downside would be almost nil.

Consider: With the current scoring, If an email has a habeas mark on it, it
doesn't really need to be added to the bayes database since the habeas mark
will always pull down the score low enough to mark it as ham (except for the
most extreme cases). So we don't really need to add those particular
messages to the ham database anyway (excellent ham examples they may
be).  On the flipside, the negative effect from auto-learning forged habeas
mail as ham is huge. From my perspective, I'd be willing to live with the
FNs from forged habeas marks themselves if it wouldn't mess up my bayes. As
it is, I have to change my habeas scoring to hit at 0.0 to avoid this.

Anyway, what do others think about this?

DaC



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Automatically whitelist_from_rcvd a sender.

[Brett Simpson]

Is this possibe?

Let's say [EMAIL PROTECTED] sends an email to [EMAIL PROTECTED] and Joe is in a 
whitelist_from_rcvd. Would it be possible to auto add a whitelist_from_rcvd for Mary?

This way Mary will be trusted since Joe is already trusted to send emails.

This is different than AWL since this wouldn't affect Mary because she hasn't sent an 
email yet.

Brett



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Domain Registry Of Canada scammers = spam? or con?

[Mitch \(WebCob\)]

Apparently DROA (domain registry of america) is also being sued by a variety
of people... Enom Inc is the parent I think.

I'm not a rule writer expert, but I figure to be of real use, such a thing
should be included in the default set with a reasonable score - looking at
setting a precedent of sorts if it isn't already existing...

m/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Damian Gerow
Sent: Monday, January 12, 2004 1:43 PM
To: Mitch (WebCob)
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Domain Registry Of Canada scammers = spam? or con?


Thus spake Mitch (WebCob) ([EMAIL PROTECTED]) [12/01/04 16:39]:
> 'Cause they are scammers... they are being actively sued by a variety of
> people...
>
> There are a variety of these buggers, many have bad reps with various
> business bureaus, etc.
>
> From my viewpoint, a con artist with a % of legitimate business, is still
a
> con artist.
>
> Just as a legitimate bulk mailer who spams (and gets in an RBL and is
> rejected for being a spammer), so should a scam/spammer who MIGHT have
some
> legitimate business...
>
> IMHO anyways ;-)

Well, given the few responses, and some discussion with a co-worker, I
retract my statement about blacklisting them being a bad thing.  If they
/are/ being sued, if they /do/ have a bad reputation, then by all means,
give them a score.  We had not yet tracked down the reason for the bad
transfer requests, and I was under the impression that the rate was much
lower than it was.


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Domain Registry Of Canada scammers = spam? or con?

[Damian Gerow]

Thus spake Mitch (WebCob) ([EMAIL PROTECTED]) [12/01/04 16:39]:
> 'Cause they are scammers... they are being actively sued by a variety of
> people...
> 
> There are a variety of these buggers, many have bad reps with various
> business bureaus, etc.
> 
> From my viewpoint, a con artist with a % of legitimate business, is still a
> con artist.
> 
> Just as a legitimate bulk mailer who spams (and gets in an RBL and is
> rejected for being a spammer), so should a scam/spammer who MIGHT have some
> legitimate business...
> 
> IMHO anyways ;-)

Well, given the few responses, and some discussion with a co-worker, I
retract my statement about blacklisting them being a bad thing.  If they
/are/ being sued, if they /do/ have a bad reputation, then by all means,
give them a score.  We had not yet tracked down the reason for the bad
transfer requests, and I was under the impression that the rate was much
lower than it was.


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Domain Registry Of Canada scammers = spam? or con?

[Mitch \(WebCob\)]

'Cause they are scammers... they are being actively sued by a variety of
people...

There are a variety of these buggers, many have bad reps with various
business bureaus, etc.

>From my viewpoint, a con artist with a % of legitimate business, is still a
con artist.

Just as a legitimate bulk mailer who spams (and gets in an RBL and is
rejected for being a spammer), so should a scam/spammer who MIGHT have some
legitimate business...

IMHO anyways ;-)

m/

-Original Message-
From: Damian Gerow [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 12:57 PM
To: Mitch (WebCob)
Cc: [EMAIL PROTECTED]
Subject: Re: [SAtalk] Domain Registry Of Canada scammers = spam? or con?


Thus spake Mitch (WebCob) ([EMAIL PROTECTED]) [12/01/04 15:47]:
> These guys have quite a reputation for a common con - I ask this question
to
> provoke discussion and hopefully decision on SA policy on a method of
> dealing with these kind and their ilk.
>
> They send a message (spam?) to the domain owner, requesting that he
confirm
> a request to transfer his domain by clicking a link... or replying to the
> message, then they initiate the process.

We get a number of these per week ('we' being an ISP).  The number of false
transfer requests is pretty high -- there's a pretty small number of
requests that we get that are actually valid.

Blocking these, IMHO, would be a Bad Thing.  We're still trying to track
down why incorrect domain transfer requests come through.

(Side note: we have gotten one that was a result of a request by a customer
made a year previous...)



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Sendmail/Milter/ProcMail/Spamassassin

[David B Funk]

On Mon, 12 Jan 2004, Mike Carlson wrote:

> Right now I am using spamass-milter to send all the email into spamassassin
> but I would like to implement a deletion process where the email gets deleted
> if it gets certain score. As it stands I cannot do that right now with my
> setup.

Read the documentation on the spamass-milter '-r' flag. That will do
what you want. Actually, it won't delete the spam but it will do
something better, it will SMTP reject it.

Dave

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Obfusticated URI?

[Larry Starr]

Just noticed a message with an encoded URL, that misses, the "BIZ_TLD" rule, 
etc.

The message body contains:
http://gf=2eclearmath=2ebiz/jsimp/index=2ehtml";>scored this way=2e
  http://K=2eclearmath=2ebiz/images/js02=2ejpg"; border=3d=
"0">


I know this wraps a bit ugly, when pasted into my mailer but, as you can see, 
the punctuation, in the URI, is all hex encoded. "=2e", instead of ".".

I have a local rule, in the form of bigevil.cf, with the following 
sub-expression, that catches the above, but there has got to be a simpler way 
to do this.

uri uri MyEvilList_001 ( /\b(?:=2e){0,1}clearmath(?:\.|=2e)biz)\b\i

Does anyone know of a ruleset that handles this sort of thing, perhaps code 
that decodes the "=xx" expressions prior to the "URI" matches?
-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Domain Registry Of Canada scammers = spam? or con?

[Jay Swackhamer]

On Monday, January 12, 2004 3:47 PM, Mitch (WebCob) wrote:
> Here is one such message. The client assures me they did not at any
> time contact these guys... which is of course the con - convince the
> client you are doing what they asked you to and then do it when they
> blindly confirm...

I've never seen them send e-mail asking to renew -- it's *always* sent
by postal mail first, then they send a confirmation by e-mail, like the
one you posted, only *after* the domain owner sends in a payment. I've
had customers say they didn't do that, but after some probing they admit
they thought it was *our* invoice.

> There is a summary with info on a variety of lawsuits of this practice
> ("domain slamming") here http://www.domainhandbook.com/legal.html

They also got barred by the FTC a few weeks ago for misleading
consumers. So far, they (DROC/DROA) haven't complied with the court
orders.   

> Personally I vote for scorring these buggers +100 and any more like
> them - but I think a class or common format of rule is required if
> not already existant - I imagine there are a bunch of these happening.

I blacklist their mail-from address ([EMAIL PROTECTED]/droc.com) and
review them manually, then warn the customer who these guys are, and
advise them to do a charge-back.

--
Jay Swackhamer <[EMAIL PROTECTED]>
MailPolice Spam&Virus Elimination 
Tel: 1-613-843-9358  Fax: 1-613-825-5960



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Question re RBL and Rules

[Matt Kettler]

At 02:11 PM 1/12/2004, Ed Greenberg wrote:
I found in the rules that spamassassin ships a rule for checking against 
bl.spamcop.net. In the score file, it gives this a zero weight, 
encouraging you to give it some score if you donate.

Since I am a spamcop customer and feel justified in using them, I copied 
the line:
score RCVD_IN_BL_SPAMCOP_NET 0.0
into my .spamassassin/user_prefs and scored it 4.0.
You must be using a old version... spamcop is enabled by default in 2.60 
and higher.



I can't imagine that SA was checking with the SPAMCOP rbl, since that 
would use resources for no reason. Now that I've given it a score, does 
that enable the check, or is there something else I must do?
That should do it, provided you have Net::DNS installed.. without Net::DNS, 
none of the RBLs will be checked, including spamcop, regardless of score.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] SA Performance .......

[Kris Deugau]

Andy Donovan wrote:
> Could I ask a quick poll on the # of messages your configuration is
> able to process per minute .. its time for me to move platforms and
> I'm trying to plan for growth . your comments would be extremely
> useful.

PII/450/512M, running sendmail+MIMEDefang+clamav+SA.  Running pretty
close to the limit of its ability- mail spikes cause queue backups. 
(Over 3K messages at one point last week.)

In serial message processing from inbound SMTP, it can probably reach
somewhere just short of 60 messages/minute;  delivering from the queue
with no inbound can reach 120/minute on a good day.  (AV scans are
almost as process-expensive as SA.)

I'm seriously looking into setting up another box to *just* run spamd to
take the SA processing load off of this one.

Longer-term mail load:  ~85K messages/week, ~1G data volume- although
this is down quite a bit from a few weeks ago when it hit almost 2G
(!!).

-kgd
-- 
"Sendmail administration is not black magic.  There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
   - Unknown


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Domain Registry Of Canada scammers = spam? or con?

[Damian Gerow]

Thus spake Mitch (WebCob) ([EMAIL PROTECTED]) [12/01/04 15:47]:
> These guys have quite a reputation for a common con - I ask this question to
> provoke discussion and hopefully decision on SA policy on a method of
> dealing with these kind and their ilk.
> 
> They send a message (spam?) to the domain owner, requesting that he confirm
> a request to transfer his domain by clicking a link... or replying to the
> message, then they initiate the process.

We get a number of these per week ('we' being an ISP).  The number of false
transfer requests is pretty high -- there's a pretty small number of
requests that we get that are actually valid.

Blocking these, IMHO, would be a Bad Thing.  We're still trying to track
down why incorrect domain transfer requests come through.

(Side note: we have gotten one that was a result of a request by a customer
made a year previous...)


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Duplicate Emails

[Justin Mason]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Robert Menschel writes:
> I'm trying to make sure my corpus is as clean as possible, eliminating
> all duplicates.
> 
> I tried to use the masses/corpora/uniq-mailbox program for this, and had
> problems which I've documented in bugzilla report 2920.
> 
> Fortunately, my email client identifies and can delete duplicates = same
> message id, same from, same to, and same creation time stamp. This leaves
> a lot of "duplicates" that uniq-mbox would have thrown away, but they
> were issued and received on different days, or were issued with different
> "from" addresses.
> 
> So first question: If I receive an email,
> message-id = <[EMAIL PROTECTED]>
> from = The Savvy Investor <[EMAIL PROTECTED]>
> to = [EMAIL PROTECTED]
> dated Wed, 26 Nov 2003 20:53:43 01800
> and a few minutes later I receive effectively the same email, with the
> same message-id, and the same from address, but 
> to = [EMAIL PROTECTED]
> dated Wed, 26 Nov 2003 21:00:19 01800
> is that the same spam? Is it a duplicate?

In the spam case, these *are* dups, because the message headers are
heavily randomized.

The policy is generally to remove dups in the spam corpus -- since often
they are only dups because (a) the spammer had to rerun the spam-run, (b)
it went to several email addresses that all wind up in one mailbox, (c)
broken spamware.

However if the duplication isn't very easily noticeable, don't worry
about it too much -- I generally only remove dups from my personal
mail corpus if they are "right beside each other", ie. noticeably
sent at the same time.

btw uniq-mailbox is very overaggressive; it's really only useful if
you don't care about losing quite a few messages (e.g. for spamtrap
cleaning).

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAAwl9QTcbUG5Y7woRApTvAJ4n9rGRtQOYqbeUi/BbxdxIHL4qjgCfWPZN
GJcjQpAvZ+ePnv8+KAQ2NA4=
=PSHo
-END PGP SIGNATURE-



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Forged mail pretending to be from MS Outlook

[Mitch \(WebCob\)]

I keep 
saying this and no one does... (not sure if it's you, or if there are a lot of 
people sending the same question) - MORE INFORMATION is 
needed.
 
0) 
READ THE ACHIVES
1) 
SEND THE HEADERS
2) 
FILE A BUG REPORT
 
I 
think I've seen a few people asking this, but no one is doing the above. So it 
will likely take a long time to fix.
 
m/

  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of Tom 
  DabekSent: Monday, January 12, 2004 5:59 AMTo: 
  [EMAIL PROTECTED]Subject: [SAtalk] Forged 
  mail pretending to be from MS Outlook
  How is this determined?  When a particular individual 
  send email to me, it picks up the following points for 'pretending to be 
  outlook'  - however the user does use outlook so i am wondering what it 
  is that makes this a false positive.
   
  3.5 - Forged mail pretending to be from MS 
  Outlook
  0.6 - Message looks like Outlook, but isn't
   
  I am using MDaemon pro for email with the spamassain 
  filtering enabled.
   
  Thanks

[SAtalk] Domain Registry Of Canada scammers = spam? or con?

[Mitch \(WebCob\)]

These guys have quite a reputation for a common con - I ask this question to
provoke discussion and hopefully decision on SA policy on a method of
dealing with these kind and their ilk.

They send a message (spam?) to the domain owner, requesting that he confirm
a request to transfer his domain by clicking a link... or replying to the
message, then they initiate the process.

Here is one such message. The client assures me they did not at any time
contact these guys... which is of course the con - convince the client you
are doing what they asked you to and then do it when they blindly confirm...

I'm thinking there is a special place in hell for companies like this - the
question is, should SA have a mechism and a particularly punitive score for
this sort of practice?

There is a summary with info on a variety of lawsuits of this practice
("domain slamming") here http://www.domainhandbook.com/legal.html

Here is the original message (note I replaced their order ID with 123456 and
a couple other personal bits with CAPS:

Personally I vote for scorring these buggers +100 and any more like them -
but I think a class or common format of rule is required if not already
existant - I imagine there are a bunch of these happening.

Thoughts?

Thanks!

m/
-Original Message-
From: Transfer and Renewal Support [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 3:57 AM
To: CLIENT ADDRESS
Subject: [DOMAIN Order #123456] Transfer and Renewal Process


To DOMAIN / CONTACT NAME,

Thank you for choosing to transfer and renew capstonegold.com with the
Domain Registry of Canada.

Your transfer and renewal of capstonegold.com is not yet complete.

This email is being sent to verify your email address is still active.

We require that you click on the link below to confirm your email
address is active.

http://confirm.droc.ca/agree.asp?o=123456&p=gkre

You must click on the link above in order to continue the transfer and
renewal process.

Yours truly
Domain Registry of Canada
Toll free 1-866-434-0212 or for International Callers, dial
+1(905)479-2533

1/12/2004 6:57:03 AM



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] [RD] can-spam phrases in legit ham.

[Chris Santerre]

It was discussed a while back how the phrases like:

"This message conforms to the requirements of the 'CAN-SPAM Act of 2003' and
was sent to you by .."

Just wanted to let you guys know I'm seeing it in legit ham now. Careful
using a rule for this stuff. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives, not the most
intelligent,
but the one most responsive to change.' - attributed to Charles Darwin 


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] RBLs cause timeouts?

[Russell Mann]

> Quote from Jack Gostl:
> "The RBLs are nice, but i have a half dozen spams a week slip through
because of spamc/spamd timeouts, which I'd bet are RBL related."

Hello,

I was asking last week about the spam that get through on my system that all
report this in the header:

qmail-scanner-1.20rc3 (clamscan: 0.60. spamassassin: 2.61.
Clear:RC:0:SA:0(?/?):.

Someone on the list suggested that the (?/?) means my spamd isn't running.
I've been having problems with spamd dying on its own (any daemon monitor
scripts available for this?) but now I'm wondering how much the RBL's might
have on this one.

Is there a way to make local cache copies of the lists and check against
those instead of network requesting all the time?

Any other ideas on why I might get (?/?) scores?

Have any of you disabled RBL checks and been happy with the outcome?

I havn't figured out how to get bayes to work yet, because I can't figure
out an easy way to get emails from my users to a learnable corpus.  Any
suggestions on this might be helpful too.

Thanks,

Russell




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] difference between spamassassin and spamc when scoring

[Konstantin Kletschke]

Hi there!

I have a difficult Problem since I donÄt know where the difference
comes from:

[EMAIL PROTECTED]:~$ spamc -c < spam4
4.6/6.5

[EMAIL PROTECTED]:~$ spamassassin -t < spam4
...
Content analysis details:   (10.1 points, 6.5 required)

 pts rule name  description
 -- --
 3.8 HTML_MESSAGE   BODY: HTML included in message
 2.6 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
 5.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.1 BIZ_TLDURI: Contains a URL in the BIZ top-level domain
-8.0 HABEAS_SWE Has Habeas warrant mark (http://www.habeas.com/)
 1.1 RCVD_IN_SORBS_HTTP RBL: SORBS: sender is open HTTP proxy server
[24.29.65.166 listed in dnsbl.sorbs.net]
 0.7 RCVD_IN_DSBL   RBL: Received via a relay in list.dsbl.org
[]
 3.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see ]
 0.5 RCVD_IN_NJABL_PROXYRBL: NJABL: sender is an open proxy
[24.29.65.166 listed in dnsbl.njabl.org]
 0.1 RCVD_IN_NJABL  RBL: Received via a relay in dnsbl.njabl.org
[24.29.65.166 listed in dnsbl.njabl.org]
 0.1 RCVD_IN_SORBS  RBL: SORBS: sender is listed in SORBS
[24.29.65.166 listed in dnsbl.sorbs.net]
 1.1 MIME_HTML_ONLY_MULTI   Multipart message only has text/html MIME
 parts

This HABEAS_SWE is faked in this spam btw.
Why does spamc omit some tests? And which are they?

I have the debian package installed
ii  spamassassin   2.61-2 Perl-based spam filter using text analysis
ii  spamc  2.61-2 Client for perl-based spam filtering
daemon

Ans spamd runs as
# Options
# See man spamd for possible options. The -d option is automatically added.
OPTIONS="-c -m 10 -H"

I fiddled around with the command line options, but I don't find out,
how to turn on debugging to find out which tests where omitted...

Regards, Konsti



-- 
2.6.0-test10-mm1
Konstantin Kletschke <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
GPG KeyID EF62FCEF
Fingerprint: 13C9 B16B 9844 EC15 CC2E  A080 1E69 3FDA EF62 FCEF
keulator.homelinux.org up 1:00, 1 user


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Forged mail pretending to be from MS Outlook

[Tom Dabek]

How is this determined?  When a particular individual 
send email to me, it picks up the following points for 'pretending to be 
outlook'  - however the user does use outlook so i am wondering what it is 
that makes this a false positive.
 
3.5 - Forged mail pretending to be from MS 
Outlook
0.6 - Message looks like Outlook, but isn't
 
I am using MDaemon pro for email with the spamassain filtering 
enabled.
 
Thanks

[SAtalk] Habeas SWE violation

[Regis Wilson]

I received the following spam that does not comply with the Habeas agreements:

>From [EMAIL PROTECTED]  Mon Jan 12 03:38:18 2004
Received: (from [EMAIL PROTECTED])
by replaced
for replaced
Date: Mon, 12 Jan 2004 03:38:18 -0800 (PST)
Received: from  ([142.177.249.186]) by replaced at Mon, 12 Jan 2004 03:41:11 -0800 
(PST)
Received: from 181.42.41.32 by 142.177.249.186; Mon, 12 Jan 2004 09:26:02 +0600
Message-ID: <[EMAIL PROTECTED]>
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to .
From: "Marianne J. Oliver" <[EMAIL PROTECTED]>
Reply-To: "Marianne J. Oliver" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Fwd: Get Now online! V|@gra, Valï(u)m, X(a)[EMAIL PROTECTED] Pills rIgsR2
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on replaced
X-Spam-Status: No, hits=8.7 required=15.0 tests=BIZ_TLD,BODYLANG,HABEAS_SWE,
HTML_30_40,HTML_MESSAGE,JUSTIFIED_TEXT,REPLY_TO,SUBJECTLANG,
SUBJECT_MILD autolearn=no version=2.61
X-Spam-Level: 
Status: RO
X-Status:
X-Keywords:
X-UID: 17

Date: Mon, 12 Jan 2004 07:27:02 +0400
X-Mailer: Katamail
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--659403452387854"
X-Priority: 5

659403452387854
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

http://www=
.w3.org/TR/html4/loose.dtd">


We make it easier and faster than ever to get the medications you n=
eed




Join online users who discreetly, safely and convenien=
tly order prescription medication  like Vïàgrå, =
Vãlïûm, Xánåx, weight loss/diet pi=
ll medications, skin care, birth control, muscle relaxants, high levehttp://www.valuepointmeds.biz";><=
A href=3D"http://www.valuepointmeds.biz";>Get all your Meds right here. =

No forms to fill out... EVERYONE is approved... We res=
pect your Privacy!
We ship WORLDWIDE!...
Find us farther than to-day. The lantern gleamed through the gleami=
ng snow=20




659403452387854--


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] The idea behind Habeas?

[Bart Schaefer]

On Mon, 12 Jan 2004, Theo Van Dinter wrote:

> "why does habeas get a score of -8 in SA by default" is on topic, "why
> do the habeas people think their business model is going to work" isn't.

How about "Why do the SA developers (who assigned a score of -8) think the
Habeas business model is going to work?"

Don't answer that one, though.

What I want to know instead is:

Why do HABEAS_SWE and HABEAS_VIOLATOR have only one score each, rather 
than four scores?  HABEAS_VIOLATOR is useless if you're using local checks 
only, so HABEAS_SWE should have a much lower score in sets 0 and 2.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Newbie help- error in logs

[Chris Bartram]

Hi all.

Can anyone help me out with a problem? I've got SA 2.61 running on 
Debian Woody- I'm migrating from RH9, where I always used pre-packaged 
RPMs. I couldn't get the unstable packages to install, so I got the 
.tar.gz instead.
It took me a while to sort out getting SA running and integrating with 
Exim, but it's now running, and it's picking up a fair amount. However I 
keep getting messages like this in the logs:

Please help! I'm not a complete newbie, but I have no idea where to look.

TIA
Chris
[start of log extract]

Jan 12 19:37:28 nibbler spamd[12212]: Failed to run SUBJ_MISSING 
SpamAssassin test, skipping: ^I(Can't locate object method 
"subject_missing" via package "Mail::SpamAssassin::PerMsgStatus" 
(perhaps you forgot to load "Mail::SpamAssassin::PerMsgStatus"?) at 
/usr/local/share/perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 2235. )
Jan 12 19:37:28 nibbler spamd[12212]: Failed to run DIFFERENT_REPLY_TO 
SpamAssassin test, skipping: ^I(Can't locate object method 
"check_for_spam_reply_to" via package "Mail::SpamAssassin::PerMsgStatus" 
(perhaps you forgot to load "Mail::SpamAssassin::PerMsgStatus"?) at 
/usr/local/share/perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 2235. )
Jan 12 19:37:28 nibbler spamd[12212]: Failed to run DATE_IN_FUTURE 
SpamAssassin test, skipping: ^I(Can't locate object method 
"check_for_forward_date" via package "Mail::SpamAssassin::PerMsgStatus" 
(perhaps you forgot to load "Mail::SpamAssassin::PerMsgStatus"?) at 
/usr/local/share/perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 2235. )
Jan 12 19:37:28 nibbler spamd[12212]: Failed to run ROUND_THE_WORLD 
SpamAssassin test, skipping: ^I(Can't locate object method 
"check_for_round_the_world_received" via package 
"Mail::SpamAssassin::PerMsgStatus" (perhaps you forgot to load 
"Mail::SpamAssassin::PerMsgStatus"?) at 
/usr/local/share/perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 2235. )
Jan 12 19:37:28 nibbler spamd[12212]: server started on port 783/tcp 
(running version 2.61)
nibbler:~/Mail-SpamAssassin-2.61#

[end of log extract]

I captured the output from the 'make' command:

[make output]

nibbler:~/Mail-SpamAssassin-2.61# more make.txt
cp spamd/spamd blib/script/spamd
/usr/bin/perl -I/usr/lib/perl/5.6.1 -I/usr/share/perl/5.6.1 
-MExtUtils::MakeMake
r -e "MY->fixin(shift)" blib/script/spamd
cp sa-learn blib/script/sa-learn
/usr/bin/perl -I/usr/lib/perl/5.6.1 -I/usr/share/perl/5.6.1 
-MExtUtils::MakeMake
r -e "MY->fixin(shift)" blib/script/sa-learn
cp spamd/spamc blib/script/spamc
/usr/bin/perl -I/usr/lib/perl/5.6.1 -I/usr/share/perl/5.6.1 
-MExtUtils::MakeMake
r -e "MY->fixin(shift)" blib/script/spamc
cp spamassassin blib/script/spamassassin
/usr/bin/perl -I/usr/lib/perl/5.6.1 -I/usr/share/perl/5.6.1 
-MExtUtils::MakeMake
r -e "MY->fixin(shift)" blib/script/spamassassin
Manifying blib/man3/Mail::SpamAssassin::PersistentAddrList.3pm
Manifying blib/man3/Mail::SpamAssassin::Conf.3pm
Manifying blib/man1/sa-learn.1p
Manifying blib/man1/spamd.1p
Manifying blib/man1/spamassassin.1p
Manifying blib/man3/Mail::SpamAssassin::PerMsgLearner.3pm
Manifying blib/man3/Mail::SpamAssassin::ConfSourceSQL.3pm
Manifying blib/man3/Mail::SpamAssassin::Bayes.3pm
Manifying blib/man3/Mail::SpamAssassin.3pm
Manifying blib/man3/Mail::SpamAssassin::AutoWhitelist.3pm
Manifying blib/man3/Mail::SpamAssassin::PerMsgStatus.3pm
Manifying blib/man1/spamc.1p
nibbler:~/Mail-SpamAssassin-2.61#
[end of make output]

And here's my local.cf:

[local.cf]

nibbler:~/Mail-SpamAssassin-2.61# more /etc/spamassassin/local.cf
required_hits   5.0
# Whether to change the subject of suspected spam
rewrite_subject 1
# Text to prepend to subject if rewrite_subject is used
subject_tag *[SPAM]*
# Encapsulate spam in an attachment
report_safe 1
nibbler:~/Mail-SpamAssassin-2.61#

[end of local.cf]



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Spamassassin syslog weirdness

[Mick Szucs]

Hi all,

I did check the archives for the answer to this one, but the keywords involved 
are vague enough that it may have been  answered and I couldn't find it.

A message arrived the other day that when it was processed by spamd was logged 
in /var/log/messages instead of /var/log/maillog (like all other mail 
processed by spamd.)  The message in question contained a high volume of 
control characters in the headers, including Message-ID.  The resulting 
output was:

Jan 9 14:39:23 tachi xïc\202^A^_0Â`\202^A^[\204/ for onramp:10010.
 
in /var/log/messages.  The message was Spam and I have a copy, if anyone is 
interested.  I'm not sure if this is a spamd issue or a syslog issue, or both 
(or neither, for that matter.)  I'm primarily interested in being sure that 
this does pose some sort of security threat, as it does look like a message 
was able to trigger unexpected spamd behaviour.

SpamAssassin 2.61
Redhat 9
spamd running with flags:  -d -c -x -P -Q -H -a

Thanks!
-- 
Mick Szucs  <[EMAIL PROTECTED]>
Onramp Network Services Inc.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] The idea behind Habeas?

[Theo Van Dinter]

On Mon, Jan 12, 2004 at 02:27:59PM -0500, Kevin Old wrote:
> I hear ya.  Shame on me.  How dare someone have an actual question that
> needed clearing up and after searching the archives still didn't find a
> suitable answer to their question.  Why don't we just close down this
> list so we can all walk around confused and not understanding anything.

If you have a question about Habeas, or peanuts, or bed springs, or the
digeridoo, in of of themselves, how they work, why anyone would use them,
etc, without the question being related to how SA interfaces/uses them,
then yes, please go somewhere else and ask.

> I appreciate your reply, but will not stop asking questions (related to
> SPAM mind you).  What if I was the person that after having this
> question answered could think up a way to end all spam (I don't,
> sorry).  If that was the case my question wouldn't have been so
> frustrating, would it?

Well, this would still be the wrong list (spamassassin-dev is the right
one if you intended for SA to implement the "one true way"(tm)), and
the same message probably wouldn't be posted by a ton of people all on
the same day either.

Sorry if I come off a bit snippy, but there's been a constant flow of
"OMG the sky is falling because of Habeas!" mails/IRC questions/etc
today, and after a while it gets annoying to answer the same question
over and over, especially when it's not on topic for this list.  (note:
"why does habeas get a score of -8 in SA by default" is on topic, "why
do the habeas people think their business model is going to work" isn't.)

-- 
Randomly Generated Tagline:
"Guys are lucky because they get to grow mustaches. I wish I could.
 It's like having a little pet for your face."   - Anita Wise


pgp0.pgp
Description: PGP signature

[SAtalk] Strange thing of spamd

[giochi]

Hello,

I've a strange problem with spamassassin:

I lunch it with -v and -d options and the log (/var/log/maillog), each time receive a 
mail message, show this:

Jan 12 20:27:27 bizio spamd[582]: connection from localhost [127.0.0.1] at port 32891 
Jan 12 20:27:27 bizio spamd[1380]: Use of uninitialized value in string ne at 
/usr/bin/spamd line 1120,  line 2. 
Jan 12 20:27:27 bizio spamd[1380]: Use of uninitialized value in numeric gt (>) at 
/usr/bin/spamd line 1142,  line 2. 
Jan 12 20:27:27 bizio spamd[1380]: Use of uninitialized value in hash element at 
/usr/bin/spamd line 1149,  line 6. 
Jan 12 20:27:27 bizio spamd[1380]: Use of uninitialized value in hash element at 
/usr/bin/spamd line 1149,  line 6. 
Jan 12 20:27:27 bizio spamd[1380]: Use of uninitialized value in string ne at 
/usr/bin/spamd line 1127. 
Jan 12 20:27:27 bizio spamd[1380]: checking message <[EMAIL PROTECTED]> for root:0. 
Jan 12 20:27:30 bizio spamd[1380]: clean message (-4.7/5.0) for root:0 in 3.1 seconds, 
3375 bytes. 

I use spamassassin 2.61 and perl 5.8.0
Here's a piece of my local.cf config
...
# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
use_dcc 0
use_pyzor   1
...

Could someone tell me something about this thing ?
It seems a perl problem...

Thanks to all.
Regards,

Fabrizio


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] The idea behind Habeas?

[Kevin Old]

On Mon, 2004-01-12 at 14:12, Theo Van Dinter wrote:
> On Mon, Jan 12, 2004 at 01:55:43PM -0500, Kevin Old wrote:
> > I have had a lot of the Habeas messages also and have reported them, but
> > am extremely confused at the actual point of Habeas?
> 
> Ok, I'm getting tired of these types of messages.  

I hear ya.  Shame on me.  How dare someone have an actual question that
needed clearing up and after searching the archives still didn't find a
suitable answer to their question.  Why don't we just close down this
list so we can all walk around confused and not understanding anything.

I appreciate your reply, but will not stop asking questions (related to
SPAM mind you).  What if I was the person that after having this
question answered could think up a way to end all spam (I don't,
sorry).  If that was the case my question wouldn't have been so
frustrating, would it?

Kevin
-- 
Kevin Old <[EMAIL PROTECTED]>



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Question re RBL and Rules

[Adam D. Lopresto]

That's all you need to do.  SpamAssassin doesn't actually run any tests that
have a score of 0, so the test was all set up and ready to be run, but disabled
(by the zero score).  Changing that is all you need to do to enable it.

On Mon, 12 Jan 2004, Ed Greenberg wrote:

> I found in the rules that spamassassin ships a rule for checking against
> bl.spamcop.net. In the score file, it gives this a zero weight, encouraging
> you to give it some score if you donate.
>
> Since I am a spamcop customer and feel justified in using them, I copied
> the line:
> score RCVD_IN_BL_SPAMCOP_NET 0.0
> into my .spamassassin/user_prefs and scored it 4.0.
>
> I can't imagine that SA was checking with the SPAMCOP rbl, since that would
> use resources for no reason. Now that I've given it a score, does that
> enable the check, or is there something else I must do?
>
> Thanks,
> 
>
>
> ---
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> ___
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
>

-- 
Adam Lopresto
http://cec.wustl.edu/~adam/

There are always more fish in the sea, not as cute, nor as rich, but fish
nevertheless.
--From a fortune cookie


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] The idea behind Habeas?

[Adam D. Lopresto]

On Mon, 12 Jan 2004, SRH-Lists wrote:

> > The point is that their header is trademarked.  Any spammer
> > using their
> > text is subject to trademark violations, since the right to use the
> > trademark is granted only to those who send messages compliant with
> > their definition of not-spam.
>
>
> Copyright, not Trademark.  Big Difference.

Actually, it's both; it's a copyrighted poem, but it also contains their
trademark in such a way that if you use it without a license, they can sue you
both ways.
-- 
Adam Lopresto
http://cec.wustl.edu/~adam/

perl -le '$_=(split q,",,`$^Xdoc -q japh`)[1].".";y/pj/PJ/;print'


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] The idea behind Habeas?

[Theo Van Dinter]

On Mon, Jan 12, 2004 at 01:55:43PM -0500, Kevin Old wrote:
> I have had a lot of the Habeas messages also and have reported them, but
> am extremely confused at the actual point of Habeas?

Ok, I'm getting tired of these types of messages.  Habeas' business model
is not SA related, so please stop posting about it here.  We/SA supports
any reasonable attempt to fight spam, especially if there's monetary/legal
teeth associated with it which is why there is Habeas support in SA
since 2.40.  If they show that they're not capable of keeping the mark
from being infringed on w/out consequence, the mark (and therefore the
company) will become useless as everyone will ignore the mark and the
company goes under.

> Don't they see (surely they do, but I'm just missing the point of their
> product) that all a spammer has to do is add the headers to their
> messages in order to bypass all the spam trapping applications?  Please
> tell me I'm missing something and that these people haven't robbed
> corporate America blind by selling them a product that is pointless.

Yes, they see that.  That's the whole point.  If a spammer uses the mark
for their messages, they will be added to the infringer RBL and then
get sued for copyright infringement.  Meanwhile, non-spammers who have
a valid license to use the mark have their messages get through filters.

So far, things are working as they're supposed to.

-- 
Randomly Generated Tagline:
"There's only thing worse than government full of idiots: government full
 of scared idiots." - http://www.merit.edu/mail.archives/nanog/msg08444.html


pgp0.pgp
Description: PGP signature

[SAtalk] Question re RBL and Rules

[Ed Greenberg]

I found in the rules that spamassassin ships a rule for checking against 
bl.spamcop.net. In the score file, it gives this a zero weight, encouraging 
you to give it some score if you donate.

Since I am a spamcop customer and feel justified in using them, I copied 
the line:
score RCVD_IN_BL_SPAMCOP_NET 0.0
into my .spamassassin/user_prefs and scored it 4.0.

I can't imagine that SA was checking with the SPAMCOP rbl, since that would 
use resources for no reason. Now that I've given it a score, does that 
enable the check, or is there something else I must do?

Thanks,

---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] The idea behind Habeas?

[Gabriel]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Kevin Old wrote:
| If I understand correctly a Habeas "Certified" message has the 9 or 10
| "Habeas" header lines in it and that alone is suppose to be enough to
| make the message identifiable as "non-spam" according to their website.
| What gives?
I believe the way that it works is that because they include a haiku, and
their trademark claim in the headers, those that forge it are violating both
copyright law, and trademark law, and by doing so, are imminately
prosecuteable.
Their website explains that, I think.

| Don't they see (surely they do, but I'm just missing the point of their
| product) that all a spammer has to do is add the headers to their
| messages in order to bypass all the spam trapping applications?  Please
| tell me I'm missing something and that these people haven't robbed
| corporate America blind by selling them a product that is pointless.
Their product is based on a manipulation of the legal system; it's a social
solution.
| Confused,
| Kevin
- --
Gabriel Cain   www.dialupusa.net
Senior Systems Administrator   [EMAIL PROTECTED]
PGP fingerprint:   C0B4 C6BF 13F5 69D1 3E6B CD7C D4C8 2EA4 2B08 1C6D
~   "A bad technical decision is never a good business decision!"
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAAvFZ1MgupCsIHG0RAkgFAJ0bfOZbxXMFGRHs7xIQIsmbg62bOQCgkzRy
njTOSSv6m4YsdI4ywgI/dp4=
=MYu5
-END PGP SIGNATURE-


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] The idea behind Habeas?

[SRH-Lists]

> The point is that their header is trademarked.  Any spammer 
> using their
> text is subject to trademark violations, since the right to use the
> trademark is granted only to those who send messages compliant with
> their definition of not-spam.


Copyright, not Trademark.  Big Difference.

-steve


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] The idea behind Habeas?

[SRH-Lists]

> 
> Don't they see (surely they do, but I'm just missing the 
> point of their
> product) that all a spammer has to do is add the headers to their
> messages in order to bypass all the spam trapping 
> applications?  Please
> tell me I'm missing something and that these people haven't robbed
> corporate America blind by selling them a product that is pointless.


The points are:

1)  The headers contain a poem (haiku to be specific)
2)  A poem is a creative work.
3)  Creative works can be copyrighted
4)  If you reproduce the copyrighted creative work with out the
permission of the copyright, you are breaking the law.
5)  Copyright laws have alot more teeth and are alot easier to litigate
than spam laws.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] The idea behind Habeas?

[Chris Petersen]

> Don't they see (surely they do, but I'm just missing the point of their
> product) that all a spammer has to do is add the headers to their
> messages in order to bypass all the spam trapping applications?

The point is that their header is trademarked.  Any spammer using their
text is subject to trademark violations, since the right to use the
trademark is granted only to those who send messages compliant with
their definition of not-spam.

-- 
Chris Petersen
Programmer / Web Designer 
Silicon Mechanics:  http://www.siliconmechanics.com/
Blade Servers:  http://www.siliconmechanics.com/c292/blade-server.php
1U Servers: http://www.siliconmechanics.com/c272/1u-server.php



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] The idea behind Habeas?

[Kevin Old]

Hello everyone,

I have had a lot of the Habeas messages also and have reported them, but
am extremely confused at the actual point of Habeas?

If I understand correctly a Habeas "Certified" message has the 9 or 10
"Habeas" header lines in it and that alone is suppose to be enough to
make the message identifiable as "non-spam" according to their website. 
What gives?

Don't they see (surely they do, but I'm just missing the point of their
product) that all a spammer has to do is add the headers to their
messages in order to bypass all the spam trapping applications?  Please
tell me I'm missing something and that these people haven't robbed
corporate America blind by selling them a product that is pointless.

Confused,
Kevin
-- 
Kevin Old <[EMAIL PROTECTED]>



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] habeus

[Justin Mason]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Gary Smith writes:
>Updated :) (+0.1)
> 
>Sorry www.habeas.com but if you were doing what you advertised and suing these 
>suckers or lobbying congress for tougher (or actual) laws then I'd give you a -30...  
>Try again next year.

hmm. From what I've heard, this spam appeared this weekend only.
Give them a chance to get those lawyers unleashed!

It certainly is a flag day for Habeas -- a large-scale spam run intending
to abuse their headers.  They need to take action.However -- don't
assume they won't.

Based on previous instances of spammers attempting to use the mark, they
*did* take decisive action, fast, and successfully caused serious damage
to the spammer.

  http://www.habeas.com/companyPressPR.html#victory1

They will need to do the same this time around... should be interesting.

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAAuqvQTcbUG5Y7woRAmHUAKDfFxHTYuKlgCYTMkgvm3ewiuV9oQCfQsXj
GZn4c3KwrkUYAgIDv56ck6E=
=KIG1
-END PGP SIGNATURE-



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] habeus

[Brian May]

Here is the partial Auto Reply from Habeas.. where they tell you that they
most likely will not reply back to you, but will go after the abuser..

Thank you for your report of spam containing the Habeas headers.
[snip]
With respect to spam containing our headers:

Please know that at Habeas we take the use of our trademark in spam very
seriously, and that while we cannot report back to you directly and
individually on the disposition of each submission, know that we will
investigate and follow this through to a satisfactory conclusion - either
the responsible party ceasing their infringing action, their being
appropriately dealt with by their service provider, or, failing any
satisfactory remedial action, listing in our Habeas Infringers List.

In the meantime, if you receive any additional spam containing the Habeas
headers from this same sender, please do forward it to us as well.
[snip]
Habeas Support

- Original Message -
From: "Gary Smith" <[EMAIL PROTECTED]>
To: "Chuck Peters" <[EMAIL PROTECTED]>; "SpamAssassin
listserve" <[EMAIL PROTECTED]>
Cc: "Bruno" <[EMAIL PROTECTED]>
Sent: Sunday, January 11, 2004 11:49 PM
Subject: RE: [SAtalk] habeus


Updated :) (+0.1)

Sorry www.habeas.com but if you were doing what you advertised and suing
these suckers or lobbying congress for tougher (or actual) laws then I'd
give you a -30...  Try again next year.

We did also report 4 emails to them recently (1 was questionable).  We're
still waiting a response.

G-

-Original Message-
From: [EMAIL PROTECTED] on behalf of Chuck
Peters
Sent: Sun 1/11/2004 11:35 PM
To: 'SpamAssassin listserve'
Cc: Bruno
Subject: RE: [SAtalk] habeus



On Mon, 12 Jan 2004, Bruno wrote:

> Yeah me too, the first false negatives i got this year, and its even
> autolearning its ham, yikes.
>
> whats the best and cleanest way of 'zapping' it out ?

I am editing /usr/share/spamassassin/50_scores.cf.

Change the line that has:
score HABEAS_SWE -8.0
to something like:
score HABEAS_SWE -0.1

I restarted spamassassin, you may or may not need to do that.

Furthermore some people will not recommend doing it that way, they will
say edit the file which won't be over written next time you upgrade,
/etc/spamassassin/local.cf.  However I think it is unlikely HABEAS_SWE
will continue to have a preferred score becuase it is a bad idea that
spammers will exploit, as we have seen today.  Your file locations might
vary, the locations mentioned are on a Debian Linux box.

Chuck

Griffith Observatory Star Award
for excellence in promoting astronomy to the public through the World Wide
Web.
StarrySkies Network The Starry Messenger
http://StarrySkies.comhttp://StarryMessenger.Net
publishing science  the weekly newsletter of
articles since 1995.the StarrySkies Network
Chuck Peters, Systems Administrator, Network Engineer and Linux Tech.




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk


NHuzjzJ
JjjzÊzjuzuzç ~y~{ijêj~zqzj




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [WL] Re: [SAtalk] Phony Habeas mark on spam...I knew it was just a matter of time

[Justin Mason]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Theo Van Dinter writes:
>On Mon, Jan 12, 2004 at 11:26:46AM -0500, Jack Gostl wrote:
>> I sometimes wonder if the whole system wouldn't be smaller and stabler if
>> it were entirely Bayes based.
>
>Well, sure it would be.  But frankly, if you want Bayes only, there
>are several other projects out there to look at... SpamBayes, CRM114,
>etc, etc.
>
>Bayes works fairly well on its own, assuming decent learning, until
>spammers start attacking the algorithm or the code.  Then it kind of
>falls on its face until the attack is countered.
>
>The idea of SA is to use multiple detection systems such that even if
>one or two don't work, the message will still probably be caught from
>the others.

BTW I've attempted to come up with ways to use Bayes as the core
in the past, without much luck; the current mechanism gives the
highest degree of accuracy in my tests.

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAAumxQTcbUG5Y7woRAj64AJ0ROK7JL3eLTrqb4q4ek7XayRqPyQCgi9wu
hFcrnT9VDbl6h8bPA8bCR6I=
=nXgD
-END PGP SIGNATURE-



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] sa-learn HELP!

[Quinn Comendant]

Sorry, I'm reposting this message. It's important for me to have an
answer, and I don't know where else to go for help!

I'm an administrator of a spamassassin-enabled server with 250 users. I'm
upgrading from 2.55 -> 2.61 and, as suggested in the INSTALL doc, want to
use "sa-learn --import" and "sa-learn --rebuild" to update the DB_File
Bayes files for every user on the system. Each user's files are stored
in: /home/username/.spamassassin/

1. Is it possible to run sa-learn to update all DBs en masse?

2. Or should I simply upgrade to 2.61 and ignore the --import and --
rebuild instructions. I assume this will delete all user's Bayes DB files.

Thanks!

Quinn



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Detecting 10+ random words

[Chris Santerre]

Comments inline...

> 
>  
> 
> This is a resubmission of a question that I have been trying 
> to sort out
> for about a week now.  I am trying to tag messages that have more than
> 10 random words in the message body of an incoming e-mail I am running
> the following
> 
*snip*
> 
> This is the .cf rule file
> 
>  
> 
> rawbody  RANDOMWORD_10
> /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
> 
> describe RANDOMWORD_10   string of 10+ random words
> 
> scoreRANDOMWORD_10   0.5
> 

*snip*

Rule ok. We have beem working on this bayes poison detection as well. They
recently threw us a curveball. Punctuations. 

> 
> Below is an exert from my sendmail logs that shows an email 
> that has got
> through
> 
> 
> 09881 <<< edging hayes catapult leavenworth font angus pumice
> 
> 09881 <<< tenable rockford aggressor coffee plaza swarm 
> louise testicle
> condemna

The reason why is that you are using rawbody. So your rule has to match on a
single line. This isn't hat you received. Try using a body rule. 

--Chris


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Detecting 10+ random words

[Rick Cooper]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> n Behalf Of
> McWhirter,Julia
> Sent: Monday, January 12, 2004 12:34 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Detecting 10+ random words
>
>
>
>
>
>
> This is a resubmission of a question that I have been
> trying to sort out
> for about a week now.  I am trying to tag messages
> that have more than
> 10 random words in the message body of an incoming
> e-mail I am running
> the following
>
>
>
> Solaris 8
>
> Sendmail 8.12.10 (+libmilter support)
>
> Mimedefang 2.39
>
> Spamassassin 2.60
>
>
>
> This is the .cf rule file
>
>
>
> rawbody  RANDOMWORD_10
> /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
>
> describe RANDOMWORD_10   string of 10+ random words
>
> scoreRANDOMWORD_10   0.5
>
>
>
> rawbody  RANDOMWORD_15
> /(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/
>
> describe RANDOMWORD_15   string of 15+ random words
>
> scoreRANDOMWORD_15   2.5
>
>
>
> Copied from this list last week.

Change it to body, rawbody retains the linefeeds and none of the
lines listed are 10 words long.

>
>
>
> I have verified that the rule is being read via
> spamassassin -D and that
> the config produces no errors.
>
>
>
> Below is an exert from my sendmail logs that shows an
> email that has got
> through
>
> 09881 >>> 220 smtp.uk.superh.com ESMTP Sendmail
> 8.12.10/8.12.10; Mon, 12
> Jan 200
>
> 4 15:41:25 GMT
>
> 09881 <<< HELO HQAI7P9NL5OHSSQ
>
> 09881 >>> 250 smtp.uk.superh.com Hello
> [211.168.218.78], pleased to meet
> you
>
> 09881 <<< MAIL FROM: <[EMAIL PROTECTED]>
>
> 09881 >>> 250 2.1.0 <[EMAIL PROTECTED]>... Sender ok
>
> 09881 <<< RCPT TO: <[EMAIL PROTECTED]>
>
> 09881 >>> 250 2.1.5 <[EMAIL PROTECTED]>...
> Recipient ok
>
> 09881 <<< DATA
>
> 09881 >>> 354 Enter mail, end with "." on a line by itself
>
> 09881 <<< Received: from [107.176.139.173] by
> 211.168.218.78 with HTTP;
>
> 09881 <<<   Tue, 13 Jan 2004 11:38:31 +0600
>
> 09881 <<< From: "Patti Pate" <[EMAIL PROTECTED]>
>
> 09881 <<< To: [EMAIL PROTECTED]
>
> 09881 <<< Subject: ,,You can improve your looks
>
> 09881 <<< Mime-Version: 1.0
>
> 09881 <<< X-Mailer: intestate
>
> 09881 <<< Date: Tue, 13 Jan 2004 09:34:31 +0400
>
> 09881 <<< Reply-To: "Patti Pate" <[EMAIL PROTECTED]>
>
> 09881 <<< Content-Type: multipart/alternative;
>
> 09881 <<<   boundary="07622999020661090"
>
> 09881 <<< Message-Id: <[EMAIL PROTECTED]>
>
> 09881 <<<
>
> 09881 <<< --07622999020661090
>
> 09881 <<< Content-Type: text/plain; charset=us-ascii
>
> 09881 <<< Content-Transfer-Encoding: 8bit
>
> 09881 <<<
>
> 09881 <<< edging hayes catapult leavenworth font angus pumice
>
> 09881 <<< tenable rockford aggressor coffee plaza
> swarm louise testicle
> condemna
>
> te influenza
>
> 09881 <<< grebe bluejacket fried retail censure
> abutting isaacson
>
> 09881 <<< gallonage comatose hegelian rudyard
> credulous cosmopolitan
> restoration
>
>
>
> 09881 <<< spayed vail address brasilia
>
> 09881 <<< widow tollgate grandstand cindy precede casey aegis
>
> 09881 <<<
>
> 09881 <<< --07622999020661090
>
>
>
> 09883 === CONNECT sh-uk-ex01.uk.w2k.superh.com.
>
> 09883 <<< 220 sh-uk-ex01.uk.w2k.superh.com Microsoft
> ESMTP MAIL Service,
> Versio
>
> : 5.0.2195.6713 ready at  Mon, 12 Jan 2004 15:43:08 +
>
> 09883 >>> EHLO smtp.uk.superh.com
>
> 09883 <<< 250-sh-uk-ex01.uk.w2k.superh.com Hello
> [193.128.105.170]
>
> 09883 <<< 250-TURN
>
> 09883 <<< 250-ATRN
>
> 09883 <<< 250-SIZE 1536
>
> 09883 <<< 250-ETRN
>
> 09883 <<< 250-PIPELINING
>
> 09883 <<< 250-DSN
>
> 09883 <<< 250-ENHANCEDSTATUSCODES
>
> 09883 <<< 250-8bitmime
>
> 09883 <<< 250-BINARYMIME
>
> 09883 <<< 250-CHUNKING
>
> 09883 <<< 250-VRFY
>
> 09883 <<< 250-X-LINK2STATE
>
> 09883 <<< 250-XEXCH50
>
> 09883 <<< 250 OK
>
> 09883 >>> MAIL From:<[EMAIL PROTECTED]> SIZE=1195
>
> 09883 <<< 250 2.1.0 [EMAIL PROTECTED] OK
>
> 09883 >>> RCPT To:<[EMAIL PROTECTED]>
>
> 09883 >>> DATA
>
> 09883 <<< 250 2.1.5 [EMAIL PROTECTED]
>
> 09883 <<< 354 Start mail input; end with .
>
> 09883 >>> Received: from HQAI7P9NL5OHSSQ ([211.168.218.78])
>
> 09883 >>>   by smtp.uk.superh.com
> (8.12.10/8.12.10) with SMTP id
> i0CFfODC00
>
> 881
>
> 09883 >>>   for <[EMAIL PROTECTED]>; Mon,
> 12 Jan 2004
> 15:41:28 GMT
>
> 09883 >>> Received: from [107.176.139.173] by
> 211.168.218.78 with HTTP;
>
> 09883 >>>   Tue, 13 Jan 2004 11:38:31 +0600
>
> 09883 >>> From: "Patti Pate" <[EMAIL PROTECTED]>
>
> 09883 >>> To: [EMAIL PROTECTED]
>
> 09883 >>> Subject: ,,You can improve your looks
>
> 09883 >>> Mime-Version: 1.0
>
> 09883 >>> X-Mailer: intestate
>
> 09883 >>> Date: Tue, 13 Jan 2004 09:34:31 +0400
>
> 09883 >>> Reply-To: "Patti Pate" <[EMAIL PROTECTED]>
>
> 09883 >>> Content-Type: multipart/alternative;
> boundary="07622999020661090"
>
> 09883 >>> Message-Id: <[EMAIL PROTECTED]>
>
> 09883 >>> X-Scanned-By: MIMEDefang 2.39
>
> 09883 >>>
>
> 09883 >>> This is a multi-part message in MIME format...
>
> 098

Re: [SAtalk] Trying to filter the blue pills beginning with V

[Chris Thielen]

On Sun, 2004-01-11 at 22:39, Kai Poppe/Redaktion SDCE wrote:
> Hello List, Hello Martin
> 
> I tried to describe to letters with an \x.. code but there are still some
> difficulties. having only a | or a ¡ as special character in the word the
> rule swings in, but adding another one or two @s just kicks it. I post the
> source of the rule here - let's hope someone notices an error.
> 
> I would be happy aobut any suggestions !
> 
> body BODY_VI
> /\b[Vv](?:\.|\^|\-|\*|\+)?(?:I|i|\xA1|\||\xCC|\xEC|\xCD|\xED|\xCE|\xEE|\xCF|
> \xEF)(?:\.|\^|\-|\*|\+)?(?:A|a|@|\xC0|\xE0|\xC1|\xE1|\xC2|\xE2|\xC3|\xE3|\xC
> 4|\xE4|\xC5|\xE5)(?:\.|\^|\-|\*|\+)?[Gg](?:\.|\^|\-|\*|\+)?[Rr](?:\.|\^|\-|\
> *|\+)?(?:A|a|@|\xC0|\xE0|\xC1|\xE1|\xC2|\xE2|\xC3|\xE3|\xC4|\xE4|\xC5|\xE5)\
> b/
> describe BODY_VIPossible porn - Vi in some form
> score BODY_VI   5.0

Try this:
http://sandgnat.com/cmos/cmos.jsp?matchobfuonly=false&words=vi%61gra

(grr, had to obfu the url)

-- 
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Specific question using Outlook Express-Windows XP version

[Kevin Roberts]

Hello all,

I am using sa 2.55 on my main windows based mail server and all is working
fine.

My question is I am having my users that get a spam message that slips
through to "forward the message as an attachment", so the actual attachment
is the original email, to a spam mailbox that I then have a utility to check
that mailbox only and deposit the email in a folder that I then run sa-learn
on that folder.

My question is, will sa see the actual email attachment as the original
email that needs to be learned as spam?

I use Windows xp pro and the customers are forwarding the emails as an
attachment so the original email is the attachment.

Thanks in advance




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] HTML accented character spam

[Matt Kettler]

At 01:05 PM 1/12/2004, Charles Gregory wrote:
I could use 'rawbody', but then I end up 'wheeling' through all the
different possible substitutes for each letter.
actually, rawbody won't help you.. those characters are decoded even in 
"rawbody" type rules...

the only differences between rawbody and body are that rawbody retains HTML 
tags and line-breaks.

base64, QP and other character decoding filters are still applied to 
rawbody rules.

Is there a simple test for this sort of obfuscation?
Not really, although you can create tests resistant to a single-character 
mangling by using a . or \w wildcard.

A trick in SA rules?
None yet, although many have suggested enhancements to the code to do 
things like "deobfuscated_body" rules, etc.







---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] HTML accented character spam

[Charles Gregory]

Hiyo!

Just curious how to best handle HTML character spam. For example, the 'V'
pill word was spelled: Vïàgrå

And it's 'X' counter-part as: Xánåx 

I could use 'rawbody', but then I end up 'wheeling' through all the
different possible substitutes for each letter. Is there a simple test 
for this sort of obfuscation? A trick in SA rules? 

- Charles




---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Your threshold score

[Carl R. Friend]

   On Mon, 12 Jan 2004, Carl Chipman wrote:

> What do most people who write new SA rules set their threshold too?  I had
> set it around 3.0 for our company, but the false positive rate was very
> high.  I was looking at some of the big-evil stuff and noticed that many of
> the scores were 3.0 by themselves...

   I run with a threshold of 4.5; my wife runs with a 5.0.  Some
of the folks who avail themselves of SpamAssassin at a little ISP
I donate time and adin skills to range from 4.0 (rather dangerous,
in my opinion) to about 6.5; one guy wants to auto-delete at 10.0,
but we've been cautioning him against it.

   If you're running SA for personal reasons, and can control the
the rules that it runs with, you can pretty much set your score
threshold to whatever you want.  For instance, in my case, I have
several tests that gently bias the default score downwards for the
type of mail I receive from friends and acquaintances so the low
threshold of 4.5 is rarely a problem.  (Lists I'm on bypass SA,
as do the lists my wife is on.)

   If you're running SA at an ISP level, you *really* should be
looking at per-user configurability, not just for white-/black-lists,
but also for threshold settings and rule overrides.  The MySQL
interface is marvelous for that, and there are web-interfaces
for it that can be customised to give users the control they need
(and deserve) to have over the scoring and thresholding process.

   There is a fundamental problem with low thresholds -- you're runing
out of numbers as the threshold gets smaller, and minor changes can
cause profound behavioural changes in the filter.  Try going from 4.0
to 3.9, for instance, and watch the differences!  Personally, I find
that a 4.4 would be too low for my tastes and would introduce false-
positives so I stay at 4.5 and craft custom rules to downward-bias the
occasional bit that gets bagged incorectly.

   Cheers.

++-+
| Carl Richard Friend (UNIX Sysadmin)| West Boylston   |
| Minicomputer Collector / Enthusiast| Massachusetts, USA  |
| mailto:[EMAIL PROTECTED]+-+
| http://users.rcn.com/crfriend/museum   | ICBM: 42:22N 71:47W |
++-+



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Your threshold score

[Oliver Thalmann]

I let 5.0

works quite fine, except for

- some "technical publicity" (palmpowered.com comes to mind)
- broken mail clients who send mail in 8bit raw (instead of encoded mime)
- some newsletters whose editors apparently haven't read a book "howto do clean
html"
- some new style nigerian scam, written in french (probably i'll adapt the
english rules)


Carl Chipman wrote:

> What do most people who write new SA rules set their threshold too?  I had
> set it around 3.0 for our company, but the false positive rate was very
> high.  I was looking at some of the big-evil stuff and noticed that many of
> the scores were 3.0 by themselves...
>
> Does everyone just use the 5.0 that comes by default?
>
> Carl Chipman
> Nomadics, Inc.
> [EMAIL PROTECTED]
> http://www.nomadics.com
>
> ---
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> ___
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Re: habeus

[Bob Proulx]

Gary Smith wrote:
> I'll have to have my guy check again.  It's also possible that it's
> beeing sent to his spam bucket now...

Just so you know what to look for, here is a sample response from
Habeas.  [I obsfucated my work address.  I word wrapped their text.
(They really should use format=flowed.)]

I forwarded the message as a mime attachment with all headers.  (In
mutt this is simply ':set mime_forward' and then forward it.)
I changed the subject to be my own.  The subject is preserved on the
reply.  So if you are scoring heavily based upon the subject then the
response might very well have been tagged.  But of course they have
their Habeas warrant mark so it should have gotten through.  :-)

Bob

  From [EMAIL PROTECTED]  Mon Jan 12 09:35:30 2004
  X-Habeas-SWE-1: winter into spring
  X-Habeas-SWE-2: brightly anticipated
  X-Habeas-SWE-3: like Habeas SWE (tm)
  X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
  X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
  X-Habeas-SWE-6: email in exchange for a license for this Habeas
  X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
  X-Habeas-SWE-8: Message (HCM) and not spam.  Please report use of this
  X-Habeas-SWE-9: mark in spam to .
  From: "reports-headers" <[EMAIL PROTECTED]>
  Reply-To: [EMAIL PROTECTED]
  Date: Mon, 12 Jan 2004 08:31:30 -0800 (PST)
  To: [EMAIL PROTECTED]
  Subject: [habeas.com #109589] AutoReply: Spam Report Spam with Habeas Warrant Mark

  Thank you for your report of spam containing the Habeas headers.  P
  lease note that if you are submitting a report regarding spam which
  appears to come from [EMAIL PROTECTED], we have recently been the
  subject of a forgery.  We use the Habeas headers, and if the spam you
  received which appears to come from [EMAIL PROTECTED] does not
  contain our special Habeas headers, then you know it is not actually
  from Habeas.

  Nonetheless, we appreciate your reporting the spam to us, as we are
  looking into suing the forgers for trademark infringement.

  With respect to spam containing our headers:

  Please know that at Habeas we take the use of our trademark in spam
  very seriously, and that while we cannot report back to you directly
  and individually on the disposition of each submission, know that we
  will investigate and follow this through to a satisfactory conclusion
  - either the responsible party ceasing their infringing action, their
  being appropriately dealt with by their service provider, or, failing
  any satisfactory remedial action, listing in our Habeas Infringers
  List.

  In the meantime, if you receive any additional spam containing the
  Habeas headers from this same sender, please do forward it to us as
  well.

  Thank you.

  Habeas Support


pgp0.pgp
Description: PGP signature

RE: [SAtalk] SA Performance .......

[Mike Carlson]

I am running SA on a PIII 450 with 384 MB of RAM and it processes about 5k to 6k of messages (92% spam) a day without ever hitting swap.
 
--Mike


From: Andy DonovanSent: Mon 1/12/2004 10:38 AMTo: [EMAIL PROTECTED]Subject: [SAtalk] SA Performance ...
Could I ask a quick poll on the # of messages your configuration is able to process per minute .. its time for me to move platforms and I'm trying to plan for growth . your comments would be extremely useful.

I'd be willing to compile a summary should you wish to e-mail me direct ...

A.



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Re: habeus

[Gary Smith]

I'll have to have my guy check again.  It's also possible that it's beeing sent to his 
spam bucket now...
 
Gary

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Bob Proulx 
Sent: Mon 1/12/2004 9:43 AM 
To: SpamAssassin listserve 
Cc: 
Subject: [SAtalk] Re: habeus



áŠÄë^™¨¥ŠË)¢{(­ç[È÷«~ŠÜy*·«x÷«~ŠÜz+-…áZ²Ô~Ü­àøŠ‰Ìjv zg§µ,¬µé¨}÷«Šxvö§qç[­©Ü)àqªZn)b¶'¬jwZ¶‰¢qÈZž¬¢~tú™Zµú+šÁkyá/jXm¶ŸÿÃ
)z·è­Ç¢oéz·è­Ç–†¦º 
†ÙJ–¦j˲ȵ©d™¨¥Šx%ŠËR¥©š²Æ²)íjY%ŠËl²‹«qç讧zØm¶›?þX¬¶Ë(º·~Šàzw­þX¬¶ÏåŠËbú?²–¦j˲ȵ©d

[SAtalk] Re: habeus

[Bob Proulx]

Gary Smith wrote:
> We did also report 4 emails to them recently (1 was questionable).  We're still 
> waiting a response. 

I have gotten automated responses with report numbers in the 109,000
range from every one that I have reported.  They came within a couple
of minutes.

Bob


pgp0.pgp
Description: PGP signature

Re: [SAtalk] Your threshold score

[Brett Simpson]

On Monday 12 January 2004 10:32 am, Carl Chipman wrote:
> What do most people who write new SA rules set their threshold too?  I had
> set it around 3.0 for our company, but the false positive rate was very
> high.  I was looking at some of the big-evil stuff and noticed that many of
> the scores were 3.0 by themselves...
>
> Does everyone just use the 5.0 that comes by default?

I use 4.5 to mark as Spam, 15 to quarentine, over 10 with a BAYES_99 to 
quarentine, and over 10 with three RBL's to quarentine.

I'm also using auto-whitelisting and auto learning. 

This month we have quarentined 25,500 out of 86,000 emails. We have had zero 
false positives for quarentined email. 
Only 4,500 emails get marked as spam instead of quarentined and those do get 
some false positives.

Brett



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] Habeas scoring

[Brad Hazledine]

score HABEAS_SWE 0.0 in your local.cf

Brad


On Mon, 12 Jan 2004, SAtalk Mail User wrote:

> Hello All,
>
> I have been getting alot of HABEAS based spam and I have been reporting
> the spam to [EMAIL PROTECTED] But in the mean time I would like to
> figure out a way to either turn off the HABEAS_SW based points to 0.0
> or to block those emails all together.  I am new to this spamassassin,
> (and I love it), but would like to know how to change the points to
> 0.0 on the HABEAS_SW score.
>
> Thanks



---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Habeas scoring

[Yackley, Matt]

 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of SAtalk Mail User
> Sent: Monday, January 12, 2004 11:27 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Habeas scoring
> 
> Hello All,
> 
> I have been getting alot of HABEAS based spam and I have been 
> reporting 
> the spam to [EMAIL PROTECTED] But in the mean time I would like to 
> figure out a way to either turn off the HABEAS_SW based points to 0.0
> or to block those emails all together.  I am new to this spamassassin,
> (and I love it), but would like to know how to change the points to 
> 0.0 on the HABEAS_SW score.
> 
> Thanks
> 
You should be able to put the following line into your local.cf file
score HABEAS_SWE 0.0
This should disable the Habeas test.

If you don't have access to local.cf, you should be able to put the line
into your user_prefs file.

-matt


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

[SAtalk] Detecting 10+ random words

[McWhirter,Julia]

 

 

This is a resubmission of a question that I have been trying to sort out
for about a week now.  I am trying to tag messages that have more than
10 random words in the message body of an incoming e-mail I am running
the following

 

Solaris 8

Sendmail 8.12.10 (+libmilter support)

Mimedefang 2.39

Spamassassin 2.60

 

This is the .cf rule file

 

rawbody  RANDOMWORD_10
/(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/

describe RANDOMWORD_10   string of 10+ random words

scoreRANDOMWORD_10   0.5

 

rawbody  RANDOMWORD_15
/(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/

describe RANDOMWORD_15   string of 15+ random words

scoreRANDOMWORD_15   2.5

 

Copied from this list last week.

 

I have verified that the rule is being read via spamassassin -D and that
the config produces no errors.

 

Below is an exert from my sendmail logs that shows an email that has got
through

09881 >>> 220 smtp.uk.superh.com ESMTP Sendmail 8.12.10/8.12.10; Mon, 12
Jan 200

4 15:41:25 GMT

09881 <<< HELO HQAI7P9NL5OHSSQ

09881 >>> 250 smtp.uk.superh.com Hello [211.168.218.78], pleased to meet
you

09881 <<< MAIL FROM: <[EMAIL PROTECTED]>

09881 >>> 250 2.1.0 <[EMAIL PROTECTED]>... Sender ok

09881 <<< RCPT TO: <[EMAIL PROTECTED]>

09881 >>> 250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok

09881 <<< DATA

09881 >>> 354 Enter mail, end with "." on a line by itself

09881 <<< Received: from [107.176.139.173] by 211.168.218.78 with HTTP;

09881 <<<   Tue, 13 Jan 2004 11:38:31 +0600

09881 <<< From: "Patti Pate" <[EMAIL PROTECTED]>

09881 <<< To: [EMAIL PROTECTED]

09881 <<< Subject: ,,You can improve your looks

09881 <<< Mime-Version: 1.0

09881 <<< X-Mailer: intestate

09881 <<< Date: Tue, 13 Jan 2004 09:34:31 +0400

09881 <<< Reply-To: "Patti Pate" <[EMAIL PROTECTED]>

09881 <<< Content-Type: multipart/alternative;

09881 <<<   boundary="07622999020661090"

09881 <<< Message-Id: <[EMAIL PROTECTED]>

09881 <<<

09881 <<< --07622999020661090

09881 <<< Content-Type: text/plain; charset=us-ascii

09881 <<< Content-Transfer-Encoding: 8bit

09881 <<<

09881 <<< edging hayes catapult leavenworth font angus pumice

09881 <<< tenable rockford aggressor coffee plaza swarm louise testicle
condemna

te influenza

09881 <<< grebe bluejacket fried retail censure abutting isaacson

09881 <<< gallonage comatose hegelian rudyard credulous cosmopolitan
restoration

 

09881 <<< spayed vail address brasilia

09881 <<< widow tollgate grandstand cindy precede casey aegis

09881 <<<

09881 <<< --07622999020661090

 

09883 === CONNECT sh-uk-ex01.uk.w2k.superh.com.

09883 <<< 220 sh-uk-ex01.uk.w2k.superh.com Microsoft ESMTP MAIL Service,
Versio

: 5.0.2195.6713 ready at  Mon, 12 Jan 2004 15:43:08 +

09883 >>> EHLO smtp.uk.superh.com

09883 <<< 250-sh-uk-ex01.uk.w2k.superh.com Hello [193.128.105.170]

09883 <<< 250-TURN

09883 <<< 250-ATRN

09883 <<< 250-SIZE 1536

09883 <<< 250-ETRN

09883 <<< 250-PIPELINING

09883 <<< 250-DSN

09883 <<< 250-ENHANCEDSTATUSCODES

09883 <<< 250-8bitmime

09883 <<< 250-BINARYMIME

09883 <<< 250-CHUNKING

09883 <<< 250-VRFY

09883 <<< 250-X-LINK2STATE

09883 <<< 250-XEXCH50

09883 <<< 250 OK

09883 >>> MAIL From:<[EMAIL PROTECTED]> SIZE=1195

09883 <<< 250 2.1.0 [EMAIL PROTECTED] OK

09883 >>> RCPT To:<[EMAIL PROTECTED]>

09883 >>> DATA

09883 <<< 250 2.1.5 [EMAIL PROTECTED]

09883 <<< 354 Start mail input; end with .

09883 >>> Received: from HQAI7P9NL5OHSSQ ([211.168.218.78])

09883 >>>   by smtp.uk.superh.com (8.12.10/8.12.10) with SMTP id
i0CFfODC00

881

09883 >>>   for <[EMAIL PROTECTED]>; Mon, 12 Jan 2004
15:41:28 GMT

09883 >>> Received: from [107.176.139.173] by 211.168.218.78 with HTTP;

09883 >>>   Tue, 13 Jan 2004 11:38:31 +0600

09883 >>> From: "Patti Pate" <[EMAIL PROTECTED]>

09883 >>> To: [EMAIL PROTECTED]

09883 >>> Subject: ,,You can improve your looks

09883 >>> Mime-Version: 1.0

09883 >>> X-Mailer: intestate

09883 >>> Date: Tue, 13 Jan 2004 09:34:31 +0400

09883 >>> Reply-To: "Patti Pate" <[EMAIL PROTECTED]>

09883 >>> Content-Type: multipart/alternative;
boundary="07622999020661090"

09883 >>> Message-Id: <[EMAIL PROTECTED]>

09883 >>> X-Scanned-By: MIMEDefang 2.39

09883 >>>

09883 >>> This is a multi-part message in MIME format...

09883 >>>

09883 >>> --07622999020661090

09883 >>> Content-Type: text/plain; charset=us-ascii

09883 >>> Content-Transfer-Encoding: 8bit

09883 >>> Content-Disposition: inline

09883 >>>

09883 >>> edging hayes catapult leavenworth font angus pumice

09883 >>> tenable rockford aggressor coffee plaza swarm louise testicle
condemn

te influenza

09883 >>> grebe bluejacket fried retail censure abutting isaacson

09883 >>> gallonage comatose hegelian rudyard credulous cosmopolitan
restoratio

 

09883 >>> spayed vail address brasilia

09883 >>> widow tollgate grandstand cindy precede casey aegis

09883 >>>

09883 >>> --07622999020661090--

09883 >>> .

09883 <<< 250 2.6.0  <[EMAIL PROTECTE

[SAtalk] Habeas scoring

[SAtalk Mail User]

Hello All,

I have been getting alot of HABEAS based spam and I have been reporting 
the spam to [EMAIL PROTECTED] But in the mean time I would like to 
figure out a way to either turn off the HABEAS_SW based points to 0.0
or to block those emails all together.  I am new to this spamassassin,
(and I love it), but would like to know how to change the points to 
0.0 on the HABEAS_SW score.

Thanks


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Re: [SAtalk] SA Performance .......

[Rubin Bennett]

Well, we _were_ running SA on a single P-III 733 with 256Mb ram and
processing an average of 15k messages/day, but about once/week the
system would fold up under it's own weight.  It would basically run out
of RAM and die...
When we were only processing about 10-12k messages/day, things were
pretty stable.  We're about to put SA on a dual Xeon 2.4GHz, 1Gb RAM,
monster machine and expect it will handle the load rather gracefully
from here on out.

Hope that helps...
Rubin

On Mon, 2004-01-12 at 11:38, Andy Donovan wrote:
> Could I ask a quick poll on the # of messages your configuration is able to process 
> per minute .. its time for me to move platforms and I'm trying to plan for growth 
> . your comments would be extremely useful.
> 
> I'd be willing to compile a summary should you wish to e-mail me direct ...
> 
> A.
> 
> 
> 
> ---
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> ___
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
-- 
Rubin Bennett <[EMAIL PROTECTED]>
RB Technologies


signature.asc
Description: This is a digitally signed message part

[SAtalk] Sendmail/Milter/ProcMail/Spamassassin

[Mike Carlson]

Right now I am using spamass-milter to send all the email into spamassassin
but I would like to implement a deletion process where the email gets deleted
if it gets certain score. As it stands I cannot do that right now with my
setup.
 
I was wondering if I could just add procmail to the mix and then setup a
recipe to delete the emails based on score or does procmail replace the
milter? This is a sitewide setup with this box being a gateway for out Notes
server so I don't have any user based preferences.
 
--Mike
 


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Obscured web site address using javascript

[Chris Santerre]

I'm attaching one that was posted to another list. Unix Text format.
(receiver address munged.)

It is UGLY.

--Chris

> -Original Message-
> From: Scott Lambert [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 11, 2004 6:34 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Obscured web site address using javascript
> 
> 
> I have had at least 5 of these come in today.  
> 
> The spamvertised site address seems to be generated by the following
> Javascript code.  The code is the content of an *.html file 
> attachment.
> The message bodies have been of two types.  The variable names are
> different bayes poison in all the examples I have here.  The 
> arrays and
> for loop math are different.
> 
*snip*


begin 600 B0027965168.txt
M4F5C96EV960Z(&9R;[EMAIL PROTECTED]&(N9"YP<'!O;VPN9&[EMAIL PROTECTED]'5N=F5R:69I960@
[EMAIL PROTECTED]"XQ-3`N,[EMAIL PROTECTED]@"B`H5FER8V]M(%--5%!24R`T+C(N,[EMAIL 
PROTECTED]
M*2!W:71H(%--5%`@:60@/$(P,#`Q,3`P,[EMAIL PROTECTED](#Q-54Y'141`;75N
M9V5D+F-O;3X["B!-;VXL(#$R($IA;B`R,#`T(#$P.C(V.C$U("TP-3`P"E)E
M8V5I=F5D.B!F2!$.39D8BYD+G!P<&]O;"YD92!W:71H(%--5%`[("`Q,B!*
M86X@,C`P-"`R,SHR.3HP.2`M,#4P,`I-97-S86=E+4E$.B`\,#!A-#`Q8S-D
M.3AD)&,R938V,3`P)&$S.&$U,&0U0$1%1D-#03X*1G)O;3H@(FEZ>G(@7!E.B!M=6QT:7!A'1087)T7S`P,%\P,$$Q7S`Q0S-$.3E!+D4P,D$W,4,R
M(@I8+5!R:6]R:71Y.B`S"@I4:&ES(&ES(&$@;75L=&DM<&%R="!M97-S86=E
M(&EN($U)[EMAIL PROTECTED];[EMAIL PROTECTED]/5].97AT4&%R=%\P,#!?,#!!,5\P
M,4,S1#DY02Y%,#)!-S%#,@I#;VYT96YT+51Y<&4Z(&UU;'1I<&%R="]A;'1E
M'1087)T7S`P,5\P,$$R
M7S`Q0S-$.3E!+D4P,D$W,4,R"D-O;G1E;G0M5'[EMAIL PROTECTED]&5X="]P;&%I;CL*
M"6-H87)S970](G5T9BTX(@I#;VYT96YT+51R86YS9F5R+45N8V]D:6YG.B!Q
M=6]T960M<')I;G1A8FQE"@I/;[EMAIL PROTECTED]&EM92!D:6-S=6]N="!O3)`:2UI7!E.B!T97AT+VAT;6P["@EC:&%RF4],T0R/D]N92!4:6UE)FYBF4]
M,T0R/CPO1D].5#XF;F)S<#L\+T1)5CX*/$1)5CX\1D].5"!F86-E/3-$07)I
M86P@'1087)T7S`P,%\P,$$Q7S`Q0S-$.3E!+D4P,D$W,4,R"D-O;G1E
M;G0M5'[EMAIL PROTECTED]&5X="]H=&UL.PH);F%M93TB=&]U(&)E9F$]"FQL6U1Ehttp://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

RE: [SAtalk] Is anyone scanning for the chemical name for the Vee drug?

[Chris Santerre]

Check the SARE site for a rule called "AF_MEDICAMENTOS". I believe it was
submitted by a guy from Mexico. It tags a lot. 

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
'It is not the strongest of the species that survives, not the most
intelligent,
but the one most responsive to change.' - attributed to Charles Darwin 

> -Original Message-
> From: SpamTalk [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 10:53 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Is anyone scanning for the chemical name for the Vee
> drug?
> 
> 
> One dufus spammer, beside spelling the drug correctly, also 
> mentions the
> generic name "Sildenafil Citrate". If not already in BigEvil, 
> perhaps Chris
> could add it.
> 
> Best Regards,
> Bob
> 
> 
> ---
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> ___
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
> 


---
This SF.net email is sponsored by: Perforce Software.
Perforce is the Fast Software Configuration Management System offering
advanced branching capabilities and atomic changes on 50+ platforms.
Free Eval! http://www.perforce.com/perforce/loadprog.html
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk