Re: [SAtalk] Forward mail to a specific mailbox
On Friday 23 January 2004 08:22, Eric Friedlingstein wrote:
> Hello,
>
> i'm using qmail with spam assassin. I was wondering if it was possible to
> forward all mails detected as spam to a specific email address instead of
> sending it to the original 'to:' user ? (The idea is to avoid having to
> download spam from a dialup line for the out of office users).

Spamassassin only tags the email; it does not do anything else with the email.
If you are using procmail then the following example should work. It is untested.

    :0:
    * ^X-Spam-Status: Yes
    {
        :0c
        ! Spamassassin email box
    }

Douglas

---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
[SAtalk] Re: SA-procmail newbie
WA9ALS - John wrote:
> Today I made a procmail entry like this:
>
>     :0 H
>     * ^X-Spam-Status: Yes
>     $HOME/mail/caughtspam

Fine. But H is the default and does not need to be specified. But it won't
hurt if you do anyway.

If caughtspam is a single file then you need to make that :0: with a trailing
: to get a lock file. That is very important or you can have mailbox
corruption as several processes all write to the file at the same time. If
caughtspam is not a file then you need to call it either caughtspam/ or
caughtspam/. depending upon if you want Maildir/ style folders or MH style
folders.

> However, the files are named msg.dk and msg.ek. Being a Linux newbie, I'm
> not familiar with those filenames. Looking at the files with vim shows that
> they are indeed the spam emails.

You have mistakenly made a directory called caughtspam and procmail is
falling back to a safe mode for putting files there. That is probably not
what you want. But the messages were saved. None were lost.

Do you want a Berkeley style mbox with all messages in one file? That is the
traditional folder format. In which case you need to remove or rename the
directory and let procmail create it as a file.

    mv caughtspam caughtspam.save
    touch caughtspam

    :0:
    $HOME/mail/caughtspam

Do you want a MH style mail directory? This keeps messages one message per
file but still needs locking. That means a trailing : on the rule.

    mv caughtspam caughtspam.save
    mkdir caughtspam

    :0:
    $HOME/mail/caughtspam/.

Do you want a Maildir/ style mail directory? This keeps messages one message
per file but does not need locking. So no trailing : means no lockfile.
Maildir format is the newest format. I use it. But some mail clients don't
have code for it yet.

    mv caughtspam caughtspam.save
    mkdir caughtspam caughtspam/tmp caughtspam/new caughtspam/cur

    :0
    $HOME/mail/caughtspam/

> Can I run SA learn on that directory as is?

If your messages are one message per file (either MH or Maildir/ format) then
this will send them one at a time to sa-learn.

[I prefer find for these things because even on a HUGE number of files in a
directory this works. But if you have a small directory then of course
'for f in *;do sa-learn --single --spam $f;done' works too. But when it gets
large that will overflow ARGS_MAX whereas find and xargs will always work.

    find caughtspam -type f -print0 | xargs -r0l sa-learn --single --spam

If your messages are in one Berkeley mbox format file then use formail to
send one message at a time to sa-learn.

    formail -s sa-learn --single --spam caughtspam

Don't forget to do the --ham learning from your normal mailbox too. You want
similar numbers of both if possible.

Bob
[SAtalk] SF Slow, possible same problems as me...
Not sure if this is why SF is slow but today I have been averaging 20 viruses
a minute... Seems to be slowing now as it's getting later in the evening
(10:12pm PST).

God it's been a painful afternoon. I can delete the administrator
notifications fast enough.

Gary Smith
RE: [SAtalk] Rules Du Jour v 1.07b
On Fri, 23 Jan 2004, Smart,Dan wrote:

> Humm
> This command works every time from command line, but not passed as a param
> from SA_RESTART.
>
>     postfix stop ; sleep 15 ; /etc/init.d/spamassassin restart ; postfix start
>
> It runs the postfix stop and then quits. Any idea why? I can create a sed
> that patches the rules_du_jour each time putting the commands in one at a
> time in the restart if block, which does work, but passing it as the
> SA_RESTART parameter would be really nice.
>
> Dan

Run it in a sub-shell, put the whole thing in parens:

    (postfix stop ; sleep 15 ; /etc/init.d/spamassassin restart ; postfix start)

depending upon how that is parsed by your command processor, you may have to
escape them. EG:

    \(postfix stop ; sleep 15 ; /etc/init.d/spamassassin restart ; postfix start \)

This is basically a shell-scripting issue.

--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
[SAtalk] How to increase score of this message?
Hi,

I'm attaching a message (I hope it makes it through to the list) which scored
a low 0.1 with SA 2.63. Does anyone have any suggestions on how to possibly
make SA get a higher score for this type of message? Any new recipes that
might improve the scoring?

Thanks
Ricardo

Delivered-To: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Received: from ricardo (ACB19F8A.ipt.aol.com [:::172.177.159.138])
    by mail1.americasnet.com with esmtp; Mon, 26 Jan 2004 18:06:46 -0800
Message-ID: [EMAIL PROTECTED]
From: Patandcharli [EMAIL PROTECTED]
Date: Tue, 27 Jan 2004 03:07:09 +0300
To: [EMAIL PROTECTED]
Subject: Ofkfer of 21 CENTUKRY shoving
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Mime-Autoconverted: from 8bit to 7bit by courier 0.44
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on server2
X-Spam-Level:
X-Spam-Status: No, hits=0.1 required=7.5 tests=BAYES_50,
    FVGT_u_HAS_2LETTERFLDR autolearn=no version=2.63

Be gaware that now the peak of your segxual activigty is realgy accessibleg!
Thanks to the proprietary blend of unigque hergbs the four wondergful
efgfects are achievedg:
bglood stream to the pengis is resgtored
stored tesgtosterone is ungleashed
acgtivation of the bogdy's nagtural hogrmone producgtion heightgens your sensatiogn
the pegnis does englarge, the changegs are being permanengt!
At lgast you can engjoy your segxual ligfe in full measugre without any risgk
for your healgth!
http://rxeasymeds.com/mx/index.php?pid=genviag
random Europeans hopeless random cancels molding. random episodes shackles.
RE: [SAtalk] Rules Du Jour v 1.07b
Works flawlessly. Thanks for all the effort. My poor scripting ability put
together a just works downloader. All the logic in yours works great! Now to
drop into cron.daily...

Dan

| -Original Message-
| From: Chris Thielen [mailto:[EMAIL PROTECTED]
| Sent: Friday, January 23, 2004 12:44 PM
| To: Smart,Dan; [EMAIL PROTECTED]
| Subject: RE: [SAtalk] Rules Du Jour v 1.07b
|
| Dan,
|
| On Fri, 2004-01-23 at 09:04, Smart,Dan wrote:
|
| This command works every time from command line, but not passed as a
| param from SA_RESTART.
| postfix stop ; sleep 15 ; /etc/init.d/spamassassin restart ; postfix start
|
| It runs the postfix stop and then quits. Any idea why? I can create
| a sed that patches the rules_du_jour each time putting the commands in
| one at a time in the restart if block, which does work, but passing it
| as the SA_RESTART parameter would be really nice.
|
| I changed the line that runs $SA_RESTART to use:
| sh -c $SA_RESTART
| instead of just
| $SA_RESTART
|
| This should do the trick, methinks.
|
| (Version 1.07e is up)
| --
| Chris Thielen
|
| Easily generate SpamAssassin rules to catch obfuscated spam
| phrases (0BFU$C/\TED SPA/\/\ P|-|RA$ES):
| http://www.sandgnat.com/cmos/
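How a shell treats a command list held in a variable such as SA_RESTART, shown as an added example that is not part of the thread or of the rules_du_jour script. The `svc` stub, the function names and the sample value are constructed here so that nothing real is stopped or started.

```shell
#!/bin/sh
# Added example: three ways of executing a command list stored in a variable.
# "svc" is a hypothetical stand-in for postfix / the init script; it only
# records the arguments it was called with.

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
SVC_LOG="$demo_dir/calls.log"
cat > "$demo_dir/svc" <<'EOF'
#!/bin/sh
printf '[%s]\n' "$*" >> "$SVC_LOG"
EOF
chmod +x "$demo_dir/svc"
PATH="$demo_dir:$PATH"
export PATH SVC_LOG

# Constructed value with the same shape as the one discussed in the thread.
SA_RESTART='svc mta-stop ; svc spamd-restart ; svc mta-start'

# run_restart MODE
# Runs SA_RESTART in the given way and prints how many times svc was started.
run_restart() {
    : > "$SVC_LOG"
    case $1 in
        bare)
            # The expansion is only word-split; ";" is never parsed as a
            # command separator, so ONE svc process receives every
            # remaining word as an argument.
            $SA_RESTART ;;
        sh_c_unquoted)
            # sh -c uses only its first operand ("svc") as the script; the
            # other words become $0, $1, ... of that script.
            sh -c $SA_RESTART ;;
        sh_c_quoted)
            # The whole string reaches a new shell intact and is parsed as a
            # command list: three separate svc invocations.
            sh -c "$SA_RESTART" ;;
        *)
            return 2 ;;
    esac
    wc -l < "$SVC_LOG" | tr -d ' '
}

# first_call: arguments seen by the first svc invocation of the last run.
first_call() { head -n 1 "$SVC_LOG"; }

for mode in bare sh_c_unquoted sh_c_quoted; do
    printf '%-14s svc started %s time(s), first call: %s\n' \
        "$mode" "$(run_restart "$mode")" "$(first_call)"
done
```

Whatever string is handed to `sh -c` is executed as shell code with the privileges of the calling script, so a setting like this should only ever be read from a configuration file that untrusted users cannot write.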
Re: [SAtalk] the list itself???
Hi,

> did I get booted off the list, no list traffic or is sourceforge down?
> I haven't gotten anything really since friday

it's just SF again...

    The address to which the message has not yet been delivered is:
    [EMAIL PROTECTED]
    Delay reason: SMTP error from remote mailer after end of data:
    host sc8-sf-list1-b.sourceforge.net [10.3.1.7]:
    421 Unexpected failure, please try later

A'rpi / Astral ESP-team

--
Developer of MPlayer G2, the Movie Framework for all - http://www.MPlayerHQ.hu
[SAtalk] Network Tests - Activating and Status (Resend)
I've seen a lot of mention of 'network tests' in this list and I'm trying to
find out a bit more. I have SA 2.61 running under Debian Testing with a couple
of extra tests (pbw and chickenpox) sitting in /etc/spamassassin.

I'm confused about how I tell whether network tests are being used. I doubt
they are. I've been grepping the docs and the config files for more info
without too much success. The config files appear to be in
/usr/share/spamassassin on my debian install and I don't really want to muck
about in there as it'll get overwritten on the next update.

Can someone point me to any docs on network tests and/or how to switch them
on?

I've got razor and pyzor installed. I've put the following into
/etc/spamassassing/local.conf - I've run spamassassin manually with -D and I
don't think the tests are being run.

    # Enable or disable network checks
    skip_rbl_checks 0
    use_razor2 1
    use_pyzor 1

Thanks

Dougie
[SAtalk] problem with userprefs and SQL (spamass-milter)
i sent this mail yesterday, but it seems it got lost, so here again:

i'm new to this list, so hi to all first...

i have the following problem here: i want to use the userprefs, stored in a
sql database. i start spamd with -a -x -q -D

spamass-milter is started with -u

and in my logs i get the messages, that a sql query is done:

    Jan 26 12:41:34 explorer spamd[30151]: debug: retrieving prefs for daniel.paessler from SQL server

the problem is, that the local user is paessler, NOT daniel.paessler, which
is the first part of my mail address.

so how can i tell spamass-milter to use the local username, which can be
found in the virtusertable instead of the first part of the address?

another thing is, that spamass-milter also scans outgoing mails. i can see
this, when it tries to lookup userprefs for recipients of outgoing mail.
should this be? is my setup (which works ok so far) totally wrong?

sorry for my stupid questions, but maybe you can give me an answer or a
hint...

thanks in advance

daniel
[SAtalk] Meta-tripwire idea
[This message doesn't seem to have made it to the list yesterday... Apologies
if it ends up being distributed twice]

It struck me that since individual tripwire rules are at risk of FPs, but
that multiple tripwire hits on the same message are much less so, it might be
worthwhile assigning a significantly higher score to messages that hit lots
of tripwire rules.

Since there are so many rules involved, I've created a set of intermediate
meta rules, as follows:

| meta __tw_meta_A (__tw_AJ || __tw_AQ || __tw_AV || __tw_AZ)
| meta __tw_meta_B (__tw_BD || __tw_BF || __tw_BG || __tw_BH || __tw_BJ || __tw_BK || __tw_BL || __tw_BM || __tw_BN || __tw_BP || __tw_BQ || __tw_BT || __tw_BV || __tw_BW || __tw_BX || __tw_BZ)
| meta __tw_meta_C (__tw_CB || __tw_CC || __tw_CD || __tw_CF || __tw_CG || __tw_CL || __tw_CM || __tw_CN || __tw_CP || __tw_CQ || __tw_CR || __tw_CS || __tw_CV || __tw_CX || __tw_CY || __tw_CZ)

etc.

then the ones I actually score:

| meta local_META_TRIPWIRE_01 (__tw_meta_A || __tw_meta_B || __tw_meta_C || __tw_meta_D || __tw_meta_E || __tw_meta_F || __tw_meta_G || __tw_meta_H || __tw_meta_I || __tw_meta_J || __tw_meta_K || __tw_meta_L || __tw_meta_M || __tw_meta_N || __tw_meta_O || __tw_meta_P || __tw_meta_Q || __tw_meta_R || __tw_meta_S || __tw_meta_T || __tw_meta_U || __tw_meta_V || __tw_meta_W || __tw_meta_X || __tw_meta_Y || __tw_meta_Z)
| meta local_META_TRIPWIRE_02 (__tw_meta_A + __tw_meta_B + __tw_meta_C + __tw_meta_D + __tw_meta_E + __tw_meta_F + __tw_meta_G + __tw_meta_H + __tw_meta_I + __tw_meta_J + __tw_meta_K + __tw_meta_L + __tw_meta_M + __tw_meta_N + __tw_meta_O + __tw_meta_P + __tw_meta_Q + __tw_meta_R + __tw_meta_S + __tw_meta_T + __tw_meta_U + __tw_meta_V + __tw_meta_W + __tw_meta_X + __tw_meta_Y + __tw_meta_Z > 2)
| meta local_META_TRIPWIRE_05 (__tw_meta_A + __tw_meta_B + __tw_meta_C + __tw_meta_D + __tw_meta_E + __tw_meta_F + __tw_meta_G + __tw_meta_H + __tw_meta_I + __tw_meta_J + __tw_meta_K + __tw_meta_L + __tw_meta_M + __tw_meta_N + __tw_meta_O + __tw_meta_P + __tw_meta_Q + __tw_meta_R + __tw_meta_S + __tw_meta_T + __tw_meta_U + __tw_meta_V + __tw_meta_W + __tw_meta_X + __tw_meta_Y + __tw_meta_Z > 5)
| meta local_META_TRIPWIRE_10 (__tw_meta_A + __tw_meta_B + __tw_meta_C + __tw_meta_D + __tw_meta_E + __tw_meta_F + __tw_meta_G + __tw_meta_H + __tw_meta_I + __tw_meta_J + __tw_meta_K + __tw_meta_L + __tw_meta_M + __tw_meta_N + __tw_meta_O + __tw_meta_P + __tw_meta_Q + __tw_meta_R + __tw_meta_S + __tw_meta_T + __tw_meta_U + __tw_meta_V + __tw_meta_W + __tw_meta_X + __tw_meta_Y + __tw_meta_Z > 10)
|
| describe local_META_TRIPWIRE_01 At least one tripwire triplets
| describe local_META_TRIPWIRE_02 More than two tripwire triplets
| describe local_META_TRIPWIRE_05 More than five tripwire triplets
| describe local_META_TRIPWIRE_10 More than ten tripwire triplets
|
| score local_META_TRIPWIRE_01 0.1
| score local_META_TRIPWIRE_02 0.5
| score local_META_TRIPWIRE_05 1.0
| score local_META_TRIPWIRE_10 3.0

Any comments? I don't get enough spam (only about 120 a day for an office of
six people) to quickly judge whether this is more effective than merely
scoring individual tripwire rules at 0.07 each or whatever.

I've put a modified tripwire.cf (based on tripwire 1.16) at
http://www.snoweye.com/john/metatripwire.cf if anyone is interested in trying
this against a corpus in comparison with the standard tripwire set.

John.

--
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
Re: [SAtalk] Network Tests - Activating and Status (Resend)
On Mon, 2004-01-26 at 23:26, Dougie Nisbet wrote:
> I've seen a lot of mention of 'network tests' in this list and I'm trying to
> find out a bit more. I have SA 2.61 running under Debian Testing with a
> couple of extra tests (pbw and chickenpox) sitting in /etc/spamassassin.
>
> I'm confused about how I tell whether network tests are being used. I doubt
> they are. I've been grepping the docs and the config files for more info
> without too much success. The config files appear to be in
> /usr/share/spamassassin on my debian install and I don't really want to muck
> about in there as it'll get overwritten on the next update.

You're right, the files in /usr/share/spamassassin are standard rules and
*will* be overridden on the next update. If you want to override something,
do so in /etc/spamassassin. The /etc/spamassassin/*.cf files are read after
the /usr/share/spamassassin/*.cf files, so you can adjust scores, add rules,
etc.

> I've got razor and pyzor installed. I've put the following into
> /etc/spamassassing/local.conf - I've run spamassassin manually with -D and I
> don't think the tests are being run.
>
>     # Enable or disable network checks
>     skip_rbl_checks 0
>     use_razor2 1
>     use_pyzor 1

All the tests are enabled by default as long as SpamAssassin can find the
razor/pyzor binaries, AFAIK. So your setup, the way you've described it,
should be working just fine. To be sure, run

    spamassassin -D --lint

and the output should tell you exactly what's going on.

- Jon

--
[EMAIL PROTECTED]
Administrator, tgpsolutions
http://www.tgpsolutions.com
[SAtalk] W32.Novarg.A@mm virus
We're seeing a lot of activity from the W32[EMAIL PROTECTED] virus
(http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED])

Could someone help me cobble together a rule quickly to counteract the
attachments it's using. Something to catch test.zip, readme.zip and body.zip
(the most common ones it appears to be using at the moment).

Cheers,
Richard
Re: [SAtalk] W32.Novarg.A@mm virus
On Tue, 2004-01-27 at 02:41, Richard Beyer wrote:
> Something to catch test.zip, readme.zip and body.zip (the most common ones
> it appears to be using at the moment).

Symantec has a lot of information on the attachments it uses, although the
message body might be easier to write accurate rules for.

See 9. The email will have the following characteristics:
http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]

- Jon

--
[EMAIL PROTECTED]
Administrator, tgpsolutions
http://www.tgpsolutions.com
Re[3]: [SAtalk] Recieved From database
On Thu, 22 Jan 2004, Robert Menschel wrote:

> > header SYL_BAD_XOIPa X-Originating-IP !~ /\[?(\d{1,3}\.){3}\d{1,3}\]?/ [if-unset: 0.0.0.0]
> > describe SYL_BAD_XOIPa Improperly formatted X-Originating-IP header
> > score SYL_BAD_XOIPa 4.0 # frankly, this alone should be grounds
> >                         # for rejection ...
>
> Yes, that one works for me:
> SYL_BAD_XOIPa -- 3881s/0h of 91714 corpus (74113s/17601h) 01/22/04

Beautiful! Thanks for checking that! Perhaps I can buy you a salted ham
sandwich some time! :-)

> With results like this, 5% of the spam in my corpus and no ham, this is a
> rule that should be added to the next distribution set (or at least a
> variation thereof).

Wow! I'd be really happy to see that ...

> Would you have any objection to submitting for consideration, and sending
> in an Apache Contributor License Agreement so the SA developers can use
> this rule?

I'll be glad to, as soon as I can figure out where to get what I need, and
what needs to be submitted how, etc. If I need to provide test results, may I
quote yours?

--
Sylvain Robitaille                        [EMAIL PROTECTED]
Systems analyst / Postmaster              Concordia University
Instructional Information Technology      Montreal, Quebec, Canada
[SAtalk] sa-learn spamassassin question
Hi,

I've got a little problem with the mail that is attached. When I try
spamassassin -t -D rulesrun=255 mail.txt it is not considered as spam. So I
do spamassassin -r -D rulesrun=255 mail.txt and it says me that Razor already
learnt this message but it is not in the report when I test it. I finally
decide to do sa-learn --spam mail.txt and it says me that it doesn't learn
anything from the mail.

I just use razor2 with spamassassin and would like the mail to be tagged as
spam from my bayes and from razor2.

Thanks.

--
Jean-Christophe VALIERE
EPITA Paris Sud, 14-16 Rus Voltaire, 94270 Le Kremlin Bicetre
Tel: +33 1 44786872
E-Mail : [EMAIL PROTECTED]

Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 2334 invoked from network); 27 Jan 2004 06:44:18 -
Received: from unknown (HELO mx-01.25tech.net) (212.37.195.56)
    by gladia.oxalide.net with SMTP; 27 Jan 2004 06:44:18 -
Received: from localhost (localhost [127.0.0.1])
    by mx-01.25tech.net (25TechMTA) with ESMTP id 81D453B109
    for [EMAIL PROTECTED]; Tue, 27 Jan 2004 07:42:34 +0100 (CET)
Received: from deliver.epitech.net (deliver.epitech.net [163.5.0.25])
    by mx-01.25tech.net (25TechMTA) with SMTP id 310DA3B108
    for [EMAIL PROTECTED]; Tue, 27 Jan 2004 07:42:27 +0100 (CET)
Received: from epita.fr ([10.42.1.60])
    by deliver.epitech.net (SAVSMTP 3.1.2.35) with SMTP id M2004012707422613148 ;
    Tue, 27 Jan 2004 07:42:26 +0100
Received: from colt.epita.fr (colt.epita.fr [62.23.180.27])
    by epita.fr id i0R6i7E27523 Tue, 27 Jan 2004 07:44:07 +0100 (CET)
Received: from ti100710a080-0025.bb.online.no (ti100710a080-0025.bb.online.no [80.213.224.25])
    by colt.epita.fr id i0R6hPS08073 Tue, 27 Jan 2004 07:43:30 +0100 (CET)
Received: from [80.226.27.218] by 80.213.224.25 with HTTP;
    Tue, 27 Jan 2004 01:35:15 -0400
From: Alana Grady [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
    [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: apocrypha boa
Mime-Version: 1.0
X-Mailer: byrd derisive
Date: Tue, 27 Jan 2004 00:39:15 -0500
Reply-To: Alana Grady [EMAIL PROTECTED]
Content-Type: multipart/alternative; boundary=36294582722586859646
Message-Id: [EMAIL PROTECTED]

--36294582722586859646
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit

gentility drool glacial asparagine fleabane bandwidth codify degeneracy
audrey calder christmas ashmen counselor malt approve barrow diatomaceous

--36294582722586859646
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN
HTMLHEAD TITLEMessage/TITLE
META content=MSHTML 6.00.2800.1276 name=GENERATOR/HEAD
BODY DIV!-- Converted from text/plain format --FONT face=Arial size=2
pHi,br br
Genierc Vigara and Sepur Viarga (Ciails) available onilne!br
Most trusted online source!br br br
Cilais and Vagirabr
takes afecft right away amp; lasts 24-36 huors!br
A HREF=http://www.ktzn.whpenn.com=www.sycgumk.pibian.seeitnowhere.com/cv/?AFF_ID=a3jfqaoh=nwmm;FOR SUEPR VAIRGA TOCUH HERE/abr
br br br br br br br br br br br br br br
A HREF=http://www.fcxxelz.czefz.com=www.wjbf.igrsqt.seeitnowhere.com/homepage/?bvevbarl=kzekx;Not itnreseted/abr/FONT/DIV/BODY/HTML

plush occultate please carbone poisson cheesy alistair resolve bourbon elisha
comprehensible agouti dragnet grosset handle buzzard briggs dram recitative
malady aristotelian confectionery hough orb murre hellenic portentous finny
dutiable frowzy fiddle gavel animate bucket burglary br
frugal aubrey hun housework highlight constipate dairy huck perch dress
courtier mace attendant quadric begotten casteth erupt aching sahara instep
antithetic resistor frame jason animosity harriman abstract bijection alaska
orleans especial midway approximate cockle doorknob gloss include iraq
broadcast pullover br
dramaturgy rampage extract ewing diebold hangar boylston fraser frilly mine
hydrate acidulous insurgent cohosh accost eluate foote accretion huffman
dental blest dalhousie shay fullback check inimitable equilibrium ames sick br
flute halo apparition chautauqua america dooley chancellor garrett detract
horsemen diaphanous catchup br
martian austria compton raindrop divert bloodline chadwick facultative
fruehauf lotus more frigid anything endomorphism co fiftieth articulate
ethology inner repository bran optimistic behest cretaceous miranda cascara
dc conception convulsion bladdernut catherine imprudent conferrable orderly
hogan br
chimique fred necromantic dissuade maurice halfback rattail gallus say
geography preparatory ligature junco ethiopia resident inflammatory shrink
climactic schoolteacher menopause exculpatory medial culbertson ghana
councilwomen aperture giles eugenic elude injunct farfetched chairmen extreme
[SAtalk] More Perl problems?? re: Bayes.pm
Am running SA-2.63 on FBSD-Rel-4.8p14

As posted earlier, my server started crash/rebooting and the immediate
problem was traced to locking problems on auto-whitelist.db. Cleaning out the
DB stopped the problem.

But, just before the problem started, I had noticed these errors in the
maillog and wondered if were related to my cratering problem??:

    Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 519.
    Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 521.
    Use of uninitialized value at /usr/local/lib/perl5/site_perl/5.005/Mail/SpamAssassin/Bayes.pm line 522.

Now, I see the above errors pop up again when running the ham/spams through
sa-learn.

THE LINES:

    519    $boundary =~ s/[a-fA-F0-9]/H/gs;
    521    $boundary =~ s/([-_\.=]+)/ $1 /gs;
    522    $val .= $boundary;

Below is the Bayes.pm section with those lines:

    }

    sub pre_chew_content_type {
      my ($self, $val) = @_;

      # hopefully this will retain good bits without too many hapaxen
      if ($val =~ s/boundary=[\\'](.*?)[\\']/ /ig) {
        my $boundary = $1;
        $boundary =~ s/[a-fA-F0-9]/H/gs;
        # break up blocks of separator chars so they become their own tokens
        $boundary =~ s/([-_\.=]+)/ $1 /gs;
        $val .= $boundary;
      }

      # stop-list words for Content-Type header: these wind up totally gray
      $val =~ s/\b(?:text|charset)\b//;

      $val;
    }

Best regards,
Jack L. Stone, Administrator
Sage American
http://www.sage-american.com
[EMAIL PROTECTED]
[SAtalk] bayes question: HAM
Hi List.

While using spamd -D, I can see the messages being learned as ham. However,
while doing a spamassassin -D --lint, it shows only 1 ham.

sa-learn --dump magic shows

    [EMAIL PROTECTED] exim]# sa-learn --dump magic
    0.000 0          2 0 non-token data: bayes db version
    0.000 0      29437 0 non-token data: nspam
    0.000 0          1 0 non-token data: nham
    0.000 0     165425 0 non-token data: ntokens
    0.000 0 1072799340 0 non-token data: oldest atime
    0.000 0 1075190443 0 non-token data: newest atime
    0.000 0          0 0 non-token data: last journal sync atime
    0.000 0 1075190478 0 non-token data: last expiry atime
    0.000 0     578132 0 non-token data: last expire atime delta
    0.000 0      81333 0 non-token data: last expire reduction count

I have attached the --lint debug. Any ideas as to why SA is not showing ham.

lint.txt

Regards,
Tom Kinghorn
DNS Administrator
MTN Network Solutions (Pty) Ltd
7 Sturdee Ave; Rosebank; Johannesburg; South Africa; 2196.
P.O. Box 3070; Randburg; 2125; South Africa.
Tel: +27(0) 11 280 0600 | Fax: +27(0) 11 280 0880
Email: [EMAIL PROTECTED] || Website: www.mtnns.net
Note: DNS requests MUST be mailed to [EMAIL PROTECTED]

    [EMAIL PROTECTED] exim]# spamassassin -D --lint
    debug: Score set 0 chosen.
    debug: running in taint mode? yes
    debug: Running in taint mode, removing unsafe env vars, and resetting PATH
    debug: PATH included '/usr/local/sbin', keeping.
    debug: PATH included '/usr/local/bin', keeping.
    debug: PATH included '/sbin', keeping.
    debug: PATH included '/bin', keeping.
    debug: PATH included '/usr/sbin', keeping.
    debug: PATH included '/usr/bin', keeping.
    debug: PATH included '/usr/X11R6/bin', keeping.
    debug: PATH included '/root/bin', which doesn't exist, dropping.
    debug: Final PATH set to: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
    debug: ignore: using a test message to lint rules
    debug: using /usr/share/spamassassin for default rules dir
    debug: using /etc/mail/spamassassin for site rules dir
    debug: using /root/.spamassassin for user state dir
    debug: using /root/.spamassassin/user_prefs for user prefs file
    debug: using /root/.spamassassin for user state dir
    debug: bayes: 17062 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
    debug: bayes: 17062 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
    debug: bayes: found bayes db version 2
    debug: bayes: Not available for scanning, only 1 ham(s) in Bayes DB 200
    debug: bayes: 17062 untie-ing
    debug: bayes: 17062 untie-ing db_toks
    debug: bayes: 17062 untie-ing db_seen
    debug: Score set 1 chosen.
    debug: Initialising learner
    debug: using /root/.spamassassin for user state dir
    debug: bayes: 17062 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
    debug: bayes: 17062 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
    debug: bayes: found bayes db version 2
    debug: bayes: Not available for scanning, only 1 ham(s) in Bayes DB 200
    debug: bayes: 17062 untie-ing
    debug: bayes: 17062 untie-ing db_toks
    debug: bayes: 17062 untie-ing db_seen
    debug: is Net::DNS::Resolver available? yes
    debug: trying (3) yahoo.com...
    debug: looking up MX for 'yahoo.com'
    debug: MX for 'yahoo.com' exists? 1
    debug: MX lookup of yahoo.com succeeded = Dns available (set dns_available to hardcode)
    debug: is DNS available? 1
    debug: all '*From' addrs: [EMAIL PROTECTED]
    debug: running header regexp tests; score so far=0
    debug: running body-text per-line regexp tests; score so far=1.27
    debug: running raw-body-text per-line regexp tests; score so far=1.27
    debug: running uri tests; score so far=1.27
    debug: uri tests: Done uriRE
    debug: running full-text regexp tests; score so far=1.27
    debug: DCCifd is not available: no r/w dccifd socket found.
    debug: all '*To' addrs:
    debug: RBL: success for 1 of 1 queries
    debug: running meta tests; score so far=1.27
    debug: is spam? score=1.27 required=4.4 tests=DATE_MISSING,NO_REAL_NAME
[SAtalk] Re: W32.Novarg.A@mm virus
Richard Beyer [EMAIL PROTECTED] wrote ...
> We're seeing a lot of activity from the [EMAIL PROTECTED] virus
> (http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] l)
>
> Could someone help me cobble together a rule quickly to counteract the
> attachments it's using. Something to catch test.zip, readme.zip and
> body.zip (the most common ones it appears to be using at the moment).

This is a list of all the filenames I've seen so far today:

    body.bat
    body.exe
    body.zip
    data.pif
    data.scr
    doc.zip
    document.pif
    document.zip
    kcmnw.exe
    message.scr
    message.zip
    pqoew.pif
    readme.scr
    readme.zip
    text.exe
    text.zip
    xatwdu.zip

Cheers,

John
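A filename check over MIME headers that uses the fixed attachment names reported in this thread, shown as an added example (not code from the thread or from SpamAssassin). The function names and the sample message are constructed here, and the three random-looking names from the list are deliberately left out of the fixed list to show what a name rule does and does not catch.

```shell
#!/bin/sh
# Added example: list attachment names in a message and compare them with the
# fixed filenames reported in this thread.

# Fixed names from the thread (test.zip comes from the original question).
LISTED_NAMES='body.bat body.exe body.zip data.pif data.scr doc.zip
document.pif document.zip message.scr message.zip readme.scr readme.zip
test.zip text.exe text.zip'

# attachment_names < message
# Prints every name=/filename= value found in Content-Type and
# Content-Disposition headers, lower-cased, one per line, without duplicates.
# Folded (continued) header lines are joined before matching.
attachment_names() {
    awk '
        function emit(line,    rest, v) {
            if (tolower(line) !~ /^content-(type|disposition):/) return
            rest = line
            while (match(tolower(rest), /name="?[^";]+/)) {
                v = substr(rest, RSTART + 5, RLENGTH - 5)   # text after name=
                sub(/^"/, "", v)
                sub(/[ \t]+$/, "", v)
                print tolower(v)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        /^[ \t]/ { buf = buf " " $0; next }    # continuation of a folded header
        { emit(buf); buf = $0 }
        END { emit(buf) }
    ' | sort -u
}

# is_listed NAME: true if NAME is one of the fixed names above.
is_listed() {
    for known in $LISTED_NAMES; do
        [ "$1" = "$known" ] && return 0
    done
    return 1
}

# classify_names: reads names on stdin, prints "<verdict> <name>" per line.
classify_names() {
    while IFS= read -r name; do
        if is_listed "$name"; then
            echo "listed $name"
        else
            case $name in
                *.bat|*.exe|*.pif|*.scr) echo "exec-ext $name" ;;
                *)                       echo "unmatched $name" ;;
            esac
        fi
    done
}

scan_message() { attachment_names | classify_names; }

# Constructed sample message (not a real capture).
sample_message() {
cat <<'EOF'
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

placeholder text
--b1
Content-Type: application/octet-stream;
    name="README.ZIP"
Content-Disposition: attachment;
    filename="README.ZIP"

(placeholder body)
--b1
Content-Type: application/octet-stream; name=qzkvw.pif
Content-Disposition: attachment

(placeholder body)
--b1
Content-Disposition: attachment; filename="hjxqe.zip"

(placeholder body)
--b1--
EOF
}

sample_message | scan_message
```

The randomly named zip in the sample ends up as `unmatched`, which is the limit of a filename rule and the case a content scanner has to cover.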
Re: [SAtalk] W32.Novarg.A@mm virus
On Tue, 27 Jan 2004, Richard Beyer wrote:

> Could someone help me cobble together a rule quickly to counteract the attachments it's using. Something to catch test.zip, readme.zip and body.zip (the most common ones it appears to be using at the moment).

I suggest simply installing clamav and additionally passing mail through it. Clam runs as a daemon and is actually much faster than SpamAssassin. Clamav was catching Novarg here almost immediately (I have a cron job that checks for virus updates once an hour).

Here's a simple procmail recipe to use clamdscan:

VIRUS=`/usr/local/bin/clamdscan --mbox --disable-summary --stdout -`

:0 Di
* VIRUS ?? FOUND
/dev/null

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [SAtalk] help please....cant stop them at all.
Quoting Matt Kettler [EMAIL PROTECTED]:

> http://www.mail-archive.com/[EMAIL PROTECTED]/msg28318.html

That's a great post...we should add it to the wiki, if you're so inclined. I'd be happy to do it, but I didn't just want to plug it in there w/o asking the author first.

Regards; DaC
RE: [SAtalk] Spamassassin on Qmail Relay
The email might be too large and aren't getting scanned. What are your spamc options? You can use the '-s' to bump up the max message size when calling it. There is someplace else it's set to but I can't remember where.

spamc -s 35

-Original Message-
From: Atif Faruqui [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 22, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Spamassassin on Qmail Relay

Hi,

I am running Qmail-1.03 running qmail-scanner-1.16 which calls SpamAssassin-2.61. This is running on a Solaris 9 box. This is a relay configuration in which relay server accepts mail, do spam filtering (spamassassin) and virus check (McAfee) and then sends mail to exchange server.

Lately I am noticing that a lot of spam is going to users inbox. Users have a rule in their outlook client where all messages which have header X-Spam-Status:Yes goes to their spam box. But now 50 % of spam goes in their inbox. I lowered the threshold to 3 but still same result.

I turned the verbose logging on in qmail and I notice that some of the email message don't have any spamassassin headers and some do. I imagine that all the incoming messages should have something like this

X-Spam-Status:

But I don't see this header on all messages and I believe this is the reason why half of the spam is going in users inbox.

Please let me know how I can troubleshoot/resolve this problem

Thanks
Atif Faruqui
Unix Sys Admin
triVIN, Inc
Re: [SAtalk] SA-procmail newbie
On Monday 26 January 2004 04:01 pm, WA9ALS - John wrote:

> I am running SA on a remote machine and various users check their email from various remote Windows machines. The spam gets filtered by Outlook into each users spam folders on their remote machines. (Thus all my spam messages are in a spam folder on my Windows machine, not the Linux machine running SA.)
>
> Today I made a procmail entry like this:
>
> :0 H
> * ^X-Spam-Status: Yes
> $HOME/mail/caughtspam
>
> The theory was for msgs tagged by SA to go to the indicated folder, and thus I could later do any necessary weeding-out and then run SA learn. (This also keeps the spam msgs completely off my Windows machine.)
>
> I sent 2 test spam msgs to the appropriate acct and now I see that I have 2 files in that folder. Thus it seems like things are operating like I expected. However, the files are named msg.dk and msg.ek. Being a Linux newbie, I'm not familiar with those filenames. Looking at the files with vim shows that they are indeed the spam emails.
>
> Can I run SA learn on that directory as is?
>
> Thanks! - John

although I'm not much help with procmail here is my mailfilter for maildrop. The syntax is not the same but very easy to read.

--
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, [EMAIL PROTECTED], [EMAIL PROTECTED]
Holiness unto the Lord

#
# log to a file
# 0 = off / 1 = on
#
LOGS = 1

#
# Use anomy sanitizer
# Anomy is a good way to prescan for a virus.
# it should also be able to replace your virus scanner
# NOTE: Sanitizer is applied to anything tagged as spam
# Even if this setting is set to off
# 0 = off / 1 = on
#
SANITIZE = 0

#
# for debugging make a copy of mail before sanitizing
# this is also helpful for learning missed spam
# anomy will alter your emails and as such you don't want
# to learn emails as spam that have been sanitized by anomy
# 0 = off / 1 = on
#
CCSANITIZE = 1

#
# for debugging make a copy of mail before spam filtering
# 0 = off / 1 = on
#
CCDEBUG = 1

#
# not working yet
# Run virus scanning on emails
# 0 = off / 1 = on
#
VSCAN = 1

#
# Turn on spam filtering.
# and ham learn
# 0 = off / 1 = on
# NOTE: Ham learn is not working yet
#
SPAMFILTER = 1
HAMLEARN = 0

#
# What point level to have spamassassin learn as spam
# 0 = off / any other number = number of points to learn at
#
SPAMLEARN = 35

#
# What point level to have spamassassin delete message
# NOTE: if this number is higher than the autolearn number
# then you will see no effect from it since spamlearn will
# delete the message itself.
# 0 = off / any other number = number of points to learn at
#
SPAMDELETE = 45

#
# To send a message in reply to html-mail (Content-Type: text/html)
# set HTML_AUTO_REPLY=1
# Html-mail is diverted to folder 'HTML'. It requires a file
# $HOME/htmlmail.msg containing something like I'm not a browser.
# Note: This only drops HTML-only messages, so the multipart ones are O.K.
# 0 = off / 1 = on
#
HTML_AUTO_REPLY = 0

#
# to send a vacation message in reply to mail that is not spam or bulk mail,
# set VACATION_AUTO_REPLY=1
# It requires a file $HOME/.vacation.msg, containing the body of the auto reply
# 0 = off / 1 = on
#
VACATION_AUTO_REPLY = 0

#
# Default directories used by maildrop to deliver your email
#
LMB = Maildir
SPAM = $LMB/.Spam
VIRUS = $LMB/.Virus
SANITIZED = $LMB/.Sanitized
DEBUG = $LMB/.Debug
DEBUGINBOX = $LMB/.Debug.Inbox
DEBUGSPAM = $LMB/.Debug.Spam
DEBUGSALEARN = $LMB/.Debug.Salearn
UNSANITIZED = $LMB/.Debug.Unsanitized
SENDMAIL = /usr/sbin/sendmail

#
# Default variable needed for anomy don't delete.
Re: [SAtalk] Spamassassin on Qmail Relay
On Thursday 22 January 2004 08:48, Atif Faruqui wrote:

> I am running Qmail-1.03 running qmail-scanner-1.16 which calls SpamAssassin-2.61. This is running on a Solaris 9 box. This is a relay configuration in which relay server accepts mail, do spam filtering (spamassassin) and virus check (McAfee) and then sends mail to exchange server.
>
> Lately I am noticing that a lot of spam is going to users inbox. Users have a rule in their outlook client where all messages which have header X-Spam-Status:Yes goes to their spam box. But now 50 % of spam goes in their inbox. I lowered the threshold to 3 but still same result.
>
> I turned the verbose logging on in qmail and I notice that some of the email message don't have any spamassassin headers and some do. I imagine that all the incoming messages should have something like this
>
> X-Spam-Status:
>
> But I don't see this header on all messages and I believe this is the reason why half of the spam is going in users inbox.
>
> Please let me know how I can troubleshoot/resolve this problem

First question, what is different about the two emails? I am not just talking about the spamassassin tag. More like the from line and the to line. Do they come in from the same SMTP server? How do you give the email to spamassassin? Are both emails using the same path to get to the users email box?

I do not know that much about Qmail, but these are some of the questions that should be answered.

Douglas
Re: [SAtalk] Typo outs spammer
On Mon, 26 Jan 2004 07:26:29 -0500 Thomas Bolioli [EMAIL PROTECTED] wrote:

> Anyone seen this? NB: The From, Subject and Sender headers... I googled for the name (as a phrase) and came up with less than 2 pages of results and only one email address tagged to the name. Who knows if it is him (not trying to initiate a witch hunt) but anyone else seen this email?

All in favour of a witch hunt and the chance to thump someone who thoroughly deserves it say Aye.

Aye.

Ciao
Zak
[SAtalk] Ping
[SAtalk] Pox 1.12 - Bad lint fixed
Sorry for any problems this caused you guys. I had the wrong version on my server when I linted that change. ...Fixed now. Thanks for letting me know, Arpi.

Jennifer
RE: [SAtalk] W32.Novarg.A@mm virus
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Beyer
Sent: Tuesday, January 27, 2004 4:41 AM
To: [EMAIL PROTECTED]
Subject: [SAtalk] [EMAIL PROTECTED] virus

> We're seeing a lot of activity from the [EMAIL PROTECTED] virus (http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] .html)
>
> Could someone help me cobble together a rule quickly to counteract the attachments it's using. Something to catch test.zip, readme.zip and body.zip (the most common ones it appears to be using at the moment).
>
> Cheers, Richard

Hi Richard,

This rule seems to be working fairly well for me, it doesn't grab all of them, but does seem to get a rather large portion of them

header _YM_HS_NOVARG Subject =~ /^(?:hello|test|hi|status|error|server report|mail delivery system|mail transaction failed)$/i
body _YM_B_NOVARG /(?:and has been sent as a binary attachment|partial message is available)/i
# fire only when both the subject test and the body test match
meta YM_M_NOVARG (_YM_HS_NOVARG && _YM_B_NOVARG)
describe YM_M_NOVARG Message contains virus
score YM_M_NOVARG 10.0

Watch for line wraps!

HTH, matt
Re: [SAtalk] auto whitelist questions
i can get AWL working with regular spamassassin, but NOT with spamc/d. is there tip/trick i'm missing ?

I've been using auto whitelist for a while now, but today while doing some experimentation I'm wondering if the explicit (auto) white listing feature is working at all (version 2.61)? I'm also unsure of the exact syntax for explicitly (auto) white listing an address.
Re: [SAtalk] Re: W32.Novarg.A@mm virus
> Could someone help me cobble together a rule quickly to counteract the attachments it's using. Something to catch test.zip, readme.zip and body.zip (the most common ones it appears to be using at the moment).

If you go to John Hardin's site http://www.impsec.org/email-tools/local-rules.procmail and look at the bottom of the file you will see what you need to look for.

Brad
[SAtalk] Re: Meta-tripwire idea
John Wilcock wrote:

> It struck me that since individual tripwire rules are at risk of FPs, but that multiple tripwire hits on the same message are much less so, it might be worthwhile assigning a significantly higher score to messages that hit lots of tripwire rules.
>
> Since there are so many rules involved, I've created a set of intermediate meta rules, as follows:
>
> *snip*
>
> Any comments? I don't get enough spam (only about 120 a day for an office of six people) to quickly judge whether this is more effective than merely scoring individual tripwire rules at 0.07 each or whatever.
>
> I've put a modified tripwire.cf (based on tripwire 1.16) at http://www.snoweye.com/john/metatripwire.cf if anyone is interested in trying this against a corpus in comparison with the standard tripwire set.

That would also help with the problem of the report exceeding Exim's header size limit when a ton of TW or BH rules hit.

--
Matt
Systems Administrator
Local Access Communications
Re: [SAtalk] W32.Novarg.A@mm virus
On Tuesday 27 January 2004 06:38 am, Yackley, Matt wrote:

> Could someone help me cobble together a rule quickly to counteract the attachments it's using. Something to catch test.zip, readme.zip and body.zip (the most common ones it appears to be using at the moment).
>
> Cheers, Richard

I was just thinking the same about all the virii software sending what amounts to me any way as garbage bounces.

--
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, [EMAIL PROTECTED], [EMAIL PROTECTED]
Holiness unto the Lord
Re: [SAtalk] Ping
JRiley wrote: Pong! sfnet's lists are sss.again
[SAtalk] Help with spamd/spamc and failed sanity check?
Good morning,

I have just upgraded my mail server from Solaris 8 to Solaris 9, and am using spamd/spamc v2.63 with default compile (only PREFIX=/usr/local). spamd is set to communicate over a socket, /var/run/spamd.socket.

Since my upgrade this morning, ALL mail sent to spamd from spamc results in an error message like these, and nothing is filtered:

Jan 27 08:08:22 memphis spamc[13800]: [ID 360877 mail.error] failed sanity check, 1927 bytes claimed, 3922 bytes seen
Jan 27 08:08:23 memphis spamc[13816]: [ID 360877 mail.error] failed sanity check, 1927 bytes claimed, 3922 bytes seen
Jan 27 08:08:26 memphis spamc[13823]: [ID 360877 mail.error] failed sanity check, 1940 bytes claimed, 3948 bytes seen
Jan 27 08:08:28 memphis spamc[13846]: [ID 360877 mail.error] failed sanity check, 1939 bytes claimed, 3947 bytes seen

I've seen a few instances of this error in the archive, but usually associated with specific types of messages, usually spam. This is happening for ALL messages, and coincided with an OS/machine upgrade. I have tried recompiling spamd/spamc on the new machine, and it doesn't seem to have helped.

Any ideas? Thanks in advance. Any help will be very greatly appreciated.

Chris Miller
[SAtalk] Re: W32.Novarg.A@mm virus
Christopher X. Candreva [EMAIL PROTECTED] wrote:

> I suggest simply installing clamav and additionally passing mail through it. Clam runs as a daemon and is actually much faster than SpamAssassin. Clamav was catching Novarg here almost immediately (I have a cron job that checks for virus updates once an hour).

Let me 2nd this - on the server I run for my dept, we have had ZERO messages get through with this virus.

Otoh, I spent 2 hours on the phone with a dozen or so friends explaining to them how to get this off of their machines (sometimes it isn't fun being the helpdesk to the community).

--
Chris Barnes                 AOL IM: CNBarnes
[EMAIL PROTECTED]            Yahoo IM: chrisnbarnes
Computer Systems Manager     ph: 979-845-7801
Department of Physics        fax: 979-845-2590
Texas AM University
Re: [SAtalk] rule to catch phishermen?
OK, here's what I finally came up with and tested against the phish email. The rule worked in identifying the misleading url but didn't trigger when I put in various legitimate looking test user names in front of the @. I tested against [EMAIL PROTECTED] [EMAIL PROTECTED] using

#try to detect phishing schemes and penalize as spam
uri PHISHERMEN /http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^\/\s]*?@/
describe PHISHERMEN probable web url disguised as another url for phishing
score PHISHERMEN 3.0

This rule could use improvement; any regex gurus want to give some hints? Specifically, I'd like to look for any = and/or ? between the fake domain (in this example www.fdic.gov) and the @. So the regex would trigger on jumbles of characters simulating http GET url's.

--
Kurt Yoder
Sport Health network administrator
Re: [SAtalk] Re: W32.Novarg.A@mm virus
On Tuesday 27 January 2004 09:43 am, Chris Barnes wrote:

> Let me 2nd this - on the server I run for my dept, we have had ZERO messages get through with this virus. Otoh, I spent 2 hours on the phone with a dozen or so friends explaining to them how to get this off of their machines (sometimes it isn't fun being the helpdesk to the community).

Sorry for feeding the OT, but I also have to praise ClamAV. AFAICT they had the definition a few hours before the commercial AVs did. The only problem so far is bounces containing the full, original virus message source aren't caught. Since the virus uses common first names to generate From: email addresses, the people owning those accounts get a ton of viruses by way of bounces...

--
Matt
Systems Administrator
Local Access Communications
360.330.5535
RE: [SAtalk] W32.Novarg.A@mm virus
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brook Humphrey
Sent: Tuesday, January 27, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [SAtalk] [EMAIL PROTECTED] virus

> On Tuesday 27 January 2004 06:38 am, Yackley, Matt wrote:
>
>> Could someone help me cobble together a rule quickly to counteract the attachments it's using. Something to catch test.zip, readme.zip and body.zip (the most common ones it appears to be using at the moment).
>>
>> Cheers, Richard
>
> I was just thinking the same about all the virii software sending what amounts to me any way as garbage bounces.

Have you tried any of the Virus bounce rules? These help stop the floods of stupid You sent a virus warnings from people that have not learned to shutdown auto-notifications

http://www.exit0.us/index.php/VirusBounceRules

-matt
Re: [SAtalk] BAYES_99
On Sun, Jan 25, 2004 at 03:01:24PM +1100, David Hooton wrote:

> I've been playing with bayes on my home machine and have been very impressed with it. I was however wondering to what degree everyone else trusts BAYES_99? Is it generally accepted as a sure spamsign or do you expect it to be backed up by other scores in order to rank it as definite spam?
>
> I realise this will have a lot to do with training etc, however I've found it to be generally a very strong spamsign, and I was wanting to know other peoples experiences.

I use a threshold of 8 and BAYES_99 scores a 6.

Regards
Johann

--
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

Come now, and let us reason together, saith the LORD; though your sins be as scarlet, they shall be as white as snow; though they be red like crimson, they shall be as wool. Isaiah 1:18
Re: Re[4]: [SAtalk] Set up
At Thu Jan 22 05:23:55 2004, Robert Menschel wrote:

> GM X-Spam-Status: No, hits=0.9 required=8.0
> GM tests=PRIORITY_NO_NAME,RCVD_IN_SORBS
> GM autolearn=no version=2.63
> ...
> on. autolearn=no indicates that Bayes is also active. You have a fully

I'm pretty sure that the autolearn= is always present, irrespective of whether or not Bayes is actually available. Obviously, if autolearn=ham or autolearn=spam, then Bayes *is* available. But you can't tell anything from autolearn=no.

Martin

--
Martin Radford              | Only wimps use tape backup: _real_
[EMAIL PROTECTED]           | men just upload their important stuff   -o)
Registered Linux user #9257 | on ftp and let the rest of the world    /\\
- see http://counter.li.org | mirror it ;) - Linus Torvalds          _\_V
Re: [SAtalk] anti-phishing technique
Philip Tucker said:

> I've noticed in a lot of these phishing messages they will have links hiding the real URL behind a fake but genuine looking URL, like the following:
>
> a href=http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495usersoption=Securit yUpdate[EMAIL PROTECTED]/~gotiere/verified_by_ visa.htmhttp://www.visa.com/a
>
> Have any spamassassin rules been written to match links with a URL in the display text (http://www.visa.com; in this example) in which the domains differ (www.visa.com vs 63.247.87.138)?

This one seems to work for me:

#try to detect phishing schemes and penalize as spam
uri PHISHERMEN /http:\/\/www\.(\w*?\.)*[a-zA-Z]{2,10}?[^\/\s]*?@/
describe PHISHERMEN probable web url disguised as another url for phishing
score PHISHERMEN 3.0

--
Kurt Yoder
Sport Health network administrator
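The two checks discussed in this thread, as an added example that is not part of any poster's message: it flags a URL whose authority carries an `@` (what the PHISHERMEN rule looks for, here for any host and with the `=`-style fake parameters Kurt Yoder asked about) and a link whose visible URL names a different host than its `href` (Philip Tucker's question). The sample HTML is constructed, and all function names are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: reserved .example names and a documentation IP address.
SAMPLE_HTML = """
<p><a href="http://www.bank.example:UserSession=2f6q9&amp;usersoption=SecurityUpdate@203.0.113.10/~u/verified.htm">http://www.bank.example/</a></p>
<p><a href="http://www.bank.example/help">http://www.bank.example/help</a></p>
<p><a href="http://203.0.113.10/login">http://www.bank.example/login</a></p>
<p><a href="http://203.0.113.10/news">Click here</a></p>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,10}\b", re.I)


def real_host(url):
    """Host the client will contact: whatever follows the last '@'."""
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:
        return None


def check_url(url):
    """Reasons a single URL disguises its destination (empty list if none)."""
    try:
        netloc = urlsplit(url).netloc
    except ValueError:
        return ["unparseable"]
    reasons = []
    if "@" in netloc:
        userinfo = netloc.rsplit("@", 1)[0]
        reasons.append("userinfo")
        if HOSTLIKE_RE.match(userinfo):
            reasons.append("decoy-host")           # www.bank.example:...@
        if re.search(r"[=&%]", userinfo):
            reasons.append("query-like-userinfo")  # fake GET parameters
    return reasons


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_html(html):
    """Return (real host, displayed host, reasons) for each suspicious link."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    report = []
    for href, text in collector.links:
        reasons = check_url(href)
        target = real_host(href)
        shown = URL_RE.search(text)
        shown_host = real_host(shown.group(0)) if shown else None
        if shown_host and target and shown_host != target:
            reasons.append("text-host-mismatch")
        if reasons:
            report.append((target, shown_host, sorted(reasons)))
    return report


if __name__ == "__main__":
    for target, shown, reasons in audit_html(SAMPLE_HTML):
        print(target, shown, ",".join(reasons))
```

The third sample link has no `@` at all, so a rule keyed on `@` alone would miss it; only the comparison of displayed and real host catches it.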
RE: [SAtalk] Re: W32.Novarg.A@mm virus
On Tue, 27 Jan 2004, Russell Mann wrote:

> I got one of these guys yesterday, then ClamAV has stopped them since. If you're using a QmailScanner setup, it can easily be configured to block these guys.

I configured qmail-scanner to do just that...I'm not sure I want yet another process on the mail server...it has enough to do as it is dealing with spamd, etc. Here's what I used, and it's working fine. If anyone has a better suggestion, please let us know:

body.zip	0	[EMAIL PROTECTED] virus body.zip
doc.zip	0	[EMAIL PROTECTED] virus doc.zip
document.zip	0	[EMAIL PROTECTED] virus document.zip
message.zip	0	[EMAIL PROTECTED] virus message.zip
readme.zip	0	[EMAIL PROTECTED] virus readme.zip
text.zip	0	[EMAIL PROTECTED] virus text.zip
body.bat	0	[EMAIL PROTECTED] virus body.bat
lyewki.zip	0	[EMAIL PROTECTED] virus lyewki.zip
xatwdu.zip	0	[EMAIL PROTECTED] virus xatwdu.zip
ktddfvn.zip	0	[EMAIL PROTECTED] virus ktddfvn.zip
osz.zip	0	[EMAIL PROTECTED] virus osz.zip

Note that with the quarantine-attachments file, you usually can't just paste these in, you have to delete the spaces and put in tabs.

James Smallacombe
PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]
http://3.am
Re: [SAtalk] auto whitelist questions
At 10:55 AM 1/27/2004, Mark Merchant wrote:

> i can get AWL working with regular spamassassin, but NOT with spamc/d. is there tip/trick i'm missing ?

what -u parameters are you using? If you don't use -u, and both spamd and spamc are run as root, spamd will su itself to nobody for safety. On most systems, nobody lacks a home directory, which makes AWL and bayes a bit dysfunctional (since they are stored in ~/.spamassassin by default).
[SAtalk] Blank mails with attachments make it through
I receive a lot of spams that have an empty body with attachments. They never seem to get tagged what can I do to fix this? We are using SA 2.6 with bayes, big evil, backhair, fvgt90, and some others. Below are the headers of one I just received.

Received: from ini-filter.interactivenw.com ([12.7.44.39]) by ini-mail.interactivenw.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
    id DYGT899T; Tue, 27 Jan 2004 10:53:18 -0800
Received: from localhost (INI-FILTER [127.0.0.1])
    by INI-FILTER.interactivenw.com (Postfix) with ESMTP id 78FE734F7D
    for [EMAIL PROTECTED]; Tue, 27 Jan 2004 10:59:49 -0800 (PST)
Received: from INI-FILTER.interactivenw.com ([127.0.0.1])
    by localhost (INI-FILTER.interactivenw.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 20732-05 for [EMAIL PROTECTED];
    Tue, 27 Jan 2004 10:59:49 -0800 (PST)
Received: from falcon.mail.pas.earthlink.net (falcon.mail.pas.earthlink.net [207.217.120.74])
    by INI-FILTER.interactivenw.com (Postfix) with ESMTP id DAB6034F3C
    for [EMAIL PROTECTED]; Tue, 27 Jan 2004 10:59:40 -0800 (PST)
Received: from user-38lcogb.dialup.mindspring.com ([209.86.98.11] helo=Pajgmbm)
    by falcon.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
    id 1AlYMc-0007HG-00
    for [EMAIL PROTECTED]; Tue, 27 Jan 2004 10:55:06 -0800
From: info [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Support them.
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=Te13Ow1D3egP3O70KpgU08A
Message-Id: [EMAIL PROTECTED]
Date: Tue, 27 Jan 2004 10:55:06 -0800

--Te13Ow1D3egP3O70KpgU08A
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

--Te13Ow1D3egP3O70KpgU08A
Content-Type: audio/x-wav;
    name=page.pif
Content-Transfer-Encoding: base64
Content-ID: Q0QG825r8V587U5

--Te13Ow1D3egP3O70KpgU08A

--Te13Ow1D3egP3O70KpgU08A
Content-Type: application/octet-stream;
    name=com[1].htm
Content-Transfer-Encoding: base64
Content-ID: Q0QG825r8V587U5

--Te13Ow1D3egP3O70KpgU08A--
[SAtalk] antidrug.cf triggering on SCO virus
I'm seeing something strange. There is a (known, being worked on) problem with clam where bounces of the SCO virus do get through. However, they ARE being stopped by Spam Assassin based on DCC, Razor, and the antidrug.cf from http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

I unfortunately already deleted them before it sunk in what had hit, I'll wait for the next one and keep it.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
[SAtalk] expand_regex: a tool for debugging regex rules
Attached is a perl script, expand_regex.pl, which will accept an SA rules file on standard input and will by default output the expansions of those rules, taking into account regex factoring due to parentheses. When invoked with the -verbose option, the program will preface the expansion by the rule. It has several options which will cause it to expand various commonly used idioms inside regex patterns such as \d, [set of chars], {repetition count}, and ?. Note that these expansion options are off by default, and when enabled can create some very large expansion sequences.

Here's an example:

% cat test.cf
uri BigEvilList_us
/\bc(?:arlz|hooz|ontrolz|raigz)|d(?:ia55|ia9|marketing|omez|ubnh|uckz)|e(?:(
?:asy\-|z)herbal|netmall|zoffer)|free(?:member|raffle)|g(?:hkp|hor|oodserver
|rantz|trrrez)|herbal(?:\d\d?\d?|\d{1,4}|plus|rx)|i(?:mageshere|nfo(?:matrix
z|rmatix))|j(?:5remf150|onnyz)|kpth|lnk\.revclx|natural(?:growth|herbal)|nom
ore|(?:o(?:acklaz|nline-herbal)|p(?:luckz|ro(?:fitopportunity|pal))|sphot|sp
liter|tinyz|tooshortz|unone|webleader|hardtyz)\.us\b/i

% expand_regex.pl -v test.cf
uri BigEvilList_us
/\bc(?:arlz|hooz|ontrolz|raigz)|d(?:ia55|ia9|marketing|omez|ubnh|uckz)|e(?:(
?:asy\-|z)herbal|netmall|zoffer)|free(?:member|raffle)|g(?:hkp|hor|oodserver
|rantz|trrrez)|herbal(?:\d\d?\d?|\d{1,4}|plus|rx)|i(?:mageshere|nfo(?:matrix
z|rmatix))|j(?:5remf150|onnyz)|kpth|lnk\.revclx|natural(?:growth|herbal)|nom
ore|(?:o(?:acklaz|nline-herbal)|p(?:luckz|ro(?:fitopportunity|pal))|sphot|sp
liter|tinyz|tooshortz|unone|webleader|hardtyz)\.us\b/i
expansion
carlz
chooz
controlz
craigz
dia55
dia9
dmarketing
domez
dubnh
duckz
easy-herbal
ezherbal
enetmall
ezoffer
freemember
freeraffle
ghkp
ghor
goodserver
grantz
gtrrrez
herbal\d\d?\d?
herbal\d{1,4}
herbalplus
herbalrx
imageshere
infomatrixz
informatix
j5remf150
jonnyz
kpth
lnk.revclx
naturalgrowth
naturalherbal
nomore
oacklaz.us
online-herbal.us
pluckz.us
profitopportunity.us
propal.us
sphot.us
spliter.us
tinyz.us
tooshortz.us
unone.us
webleader.us
hardtyz.us

When invoked as 'expand_regex.pl -v -expand='d{?' test.cf, 1.38 million lines are generated, illustrating the combinatorial expansion that can occur. With just '-expand=d' only 1000 lines are generated.

This program is in a preliminary state, and certainly won't handle the wide variety of things that can appear in regex's, but it can make it easier to see what a complicated rule is doing. If you have comments, suggestions, or patches, please send them my way.

expand_regex.pl Description: Binary data
[SAtalk] [RD] FP with Fred's 90_FVGT.cf
One of our newsletters was hit with a false positive. This URL (http://oreilly.useractive.com/courses/sysadmin.php3) triggers FVGT_u_BZ_TLD. I changed the regex to:

uri FVGT_u_BZ_TLD /\.(bz|tc|us|ws)\W/i

which fixes it for this case. I'm not sure if there are undesirable side effects to my change. Anyone have a better way to fix this?

Cheers,
Bob
--
Bob Amen
O'Reilly Associates, Inc.
http://www.ora.com/ http://www.oreilly.com/
[SAtalk] Timed out during bayes checks
Since upgrading to SA 2.63 I see many of such errors in the maillog:

Jan 27 19:50:25 mail amavis[1174]: (01174-05) SA TIMED OUT, backtrace: at /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin/BayesStore.pm line 1449\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin/BayesStore.pm line 1449\n\tMail::SpamAssassin::BayesStore::tok_unpack('Mail::SpamAssassin::BayesStore=HASH(0x96f9780)','\\x{0}\\x{8}\\x{0}\\x{0}\\x{0}\\x{1c}\\x{0}\\x{0}\\x{0}\\x{11}\\x{e2}\\x{a3}=') called at /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin/BayesStore.pm line 575\n\tMail::SpamAssassin::BayesStore::expire_old_tokens_trapped('Mail::SpamAssassin::BayesStore=HASH(0x96f9780)','undef') called at /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin/BayesStore.pm line 463\n\teval {...} called at /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssassin/BayesStore.pm line 460\n\tMail::SpamAssassin::BayesStore::expire_old_tokens('Mail::SpamAssassin::BayesStore=HASH(0x96f9780)','undef') called at /usr/lib/perl5/site_perl/5.8.1/Mail/SpamAssas...
Jan 27 19:50:49 mail amavis[1174]: (01174-05) spam_scan: hits=2.511 tests=BAYES_44,FVGT_m_MULTI_ODD2,PRIORITY_NO_NAME,RCVD_IN_NJABL,RCVD_IN_SORBS

After setting bayes_learn_to_journal the error happens not so often but every time the bayes db gets synced the error happens again. Is this normal or is it possible to tune this?

Best Regards
Seba
Re: [SAtalk] How to increase score of this message?
Ok, interesting. But I do have bayes trained with many thousands of messages; I imagine many of them having similar stuff, and it seems that the bayes score for this message was quite low.

How does the Bayes training work, anyway... If this one message gets trained as --spam, how much of an effect does that have next time around?

Thanks
Ricardo

- Original Message Follows -
At 07:00 PM 1/26/04 -0800, ricardo wrote:
> Does anyone have any suggestions on how to possibly make SA get a higher score for this type of message? Any new recipes that might improve the scoring?

Quite frankly, that email with all its mis-spelled words should be easy pickings for bayes. Train.
[SAtalk] Blank mails with attachments make it through
NOTICE*NOTICE*NOTICE*NOTICE

The attachment that was contained in this message was striped and stored in /var/log/mail/Mail/virus.mail on aspen. The attachment contained a possible virus and was placed in quarantine to avoid spread of said virus. If you want this file please contact Padraig or Brian to retrieve it or you can have your party resend the message with a different attachment name as to not trigger the rules for finding virus.
Re: [SAtalk] expand_regex: a tool for debugging regex rules
On Tue, Jan 27, 2004 at 11:56:45AM -0800, Gary Funck wrote:
> Attached is a perl script, expand_regex.pl, which will accept an SA rules file on standard input and will by default output the expansions of those rules, taking into account regex factoring due to parentheses. When invoked with the -verbose option, the program will preface the expansion by the rule. It has several options which will cause it to expand various commonly used idioms inside regex patterns such as \d, [set of chars], {repetition count}, and ?. Note that these expansion options are off by default, and when enabled can create some very large expansion sequences.

Just what I was thinking of to write, because seemingly one of my rules BLOATS spamd's memory up to hundreds of megabytes if searching a large mail (5M). So this comes exactly when needed!

Only it snags on a very special rule! I preceded a very convoluted set of p*rn-spammer-domain-names with a 'negative lookahead assertion': '(?!www\.panicboys\.net)' to NOT hit the one special combination, which is a Japanese soccer (or football?) club and NOT a p*rn host. Now your expansion-script, seemingly not knowing '(?!...)', precedes every expansion with the panicboys part :-)

Thanks anyway, it is a very good start and possibly just now will save me a lot of trouble.

THANKS,
Stucki
RE: [SAtalk] W32.Novarg.A@mm virus
We are using the script by Nikos Kantarakias called yet another virus recipe for Procmail. See http://agriroot.aua.gr/~nikant/nkvir/

Nikos added Novarg this morning.

Dan

| -Original Message-
| From: Jon [mailto:[EMAIL PROTECTED]
| Sent: Tuesday, January 27, 2004 5:08 AM
| To: Richard Beyer
| Cc: [EMAIL PROTECTED]
| Subject: Re: [SAtalk] [EMAIL PROTECTED] virus
|
| On Tue, 2004-01-27 at 02:41, Richard Beyer wrote:
| Something to catch test.zip, readme.zip and body.zip (the
| most common
| ones it appears to be using at the moment).
|
|
| Symantec has a lot of information on the attachments it uses,
| although the message body might be easier to write accurate
| rules for. See 9.
| The email will have the following characteristics:
|
| http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]
|
| - Jon
|
| --
| [EMAIL PROTECTED]
|
| Administrator, tgpsolutions
| http://www.tgpsolutions.com
|
RE: [SAtalk] bigevil_54 smonitor
Doh! *humble apologies*

You are correct sir! Removed in next update. Don't ask what is taking so long for the next update. You don't want to know :)

--Chris

-Original Message-
From: Kelson Vibber [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 27, 2004 12:02 AM
To: Chris Santerre; '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: Re: [SAtalk] bigevil_54 smonitor

On Monday 26 January 2004 10:53 am, Chris Santerre wrote:
> There is a '\b' before that. So it is bound. Should not hit that rule ever. Go ahead. Send yourself an email with that in it. Try it if you don't think so. :)

That's right - a '\b' followed by a 'c'

Collapse all the alternatives out and you get

/\bc(smonitor)\.(com)\b/

which would indeed match csmonitor.com

--
Kelson Vibber
SpeedGate Communications, www.speed.net
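As an added illustration (written for this archive page; it is not Gary Funck's expand_regex.pl and not code from any poster): a minimal Python expander for factored rules that leaves lookaheads such as '(?!...)' intact, then reports which expanded alternative matches a known-good host, the csmonitor.com situation Kelson describes. The two rule strings and the host list are constructed samples, and case-insensitive matching is an assumption.

```python
import re

QUANTIFIERS = "?*+{"

def expand(pattern):
    """Return every alternative a factored regex stands for; each is still a valid regex."""
    alts, pos = _alternation(pattern, 0)
    if pos != len(pattern):
        raise ValueError("unmatched ) at offset %d" % pos)
    return alts

def _alternation(p, i):
    """Collect the expansions of each '|'-separated branch up to ')' or end of input."""
    out = []
    while True:
        branch, i = _sequence(p, i)
        out.extend(branch)
        if i < len(p) and p[i] == "|":
            i += 1
        else:
            return out, i

def _sequence(p, i):
    """Concatenate atoms; every atom with N choices multiplies the result count by N."""
    results = [""]
    while i < len(p) and p[i] not in "|)":
        choices, i = _atom(p, i)
        results = [r + c for r in results for c in choices]
    return results, i

def _atom(p, i):
    ch = p[i]
    if ch == "\\":                       # escape such as \. or \d: keep both characters
        if i + 1 >= len(p):
            raise ValueError("trailing backslash")
        return [p[i:i + 2]], i + 2
    if ch == "[":                        # character class: copied verbatim, never expanded
        j = i + 1
        if p.startswith("^", j):
            j += 1
        if p.startswith("]", j):
            j += 1
        while j < len(p) and p[j] != "]":
            j += 2 if p[j] == "\\" else 1
        if j >= len(p):
            raise ValueError("unterminated [ at offset %d" % i)
        return [p[i:j + 1]], j + 1
    if ch == "(":
        start, i = i, i + 1
        opaque = False
        if p.startswith("?:", i):        # non-capturing group: expand its branches
            i += 2
        elif p.startswith("?", i):       # lookaround or inline flags: keep as written
            opaque = True
        inner, i = _alternation(p, i)
        if i >= len(p) or p[i] != ")":
            raise ValueError("unmatched ( at offset %d" % start)
        i += 1
        # A quantified group cannot be flattened safely, so it also stays verbatim.
        if opaque or (i < len(p) and p[i] in QUANTIFIERS):
            return [p[start:i]], i
        return inner, i
    return [ch], i + 1

def display(alt):
    """Readable form: drop the backslash before punctuation, keep \\b, \\d and friends."""
    return re.sub(r"\\(\W)", r"\1", alt)

def false_positive_hits(pattern, known_good_hosts):
    """Map each known-good host to the first expanded alternative that matches it."""
    hits = {}
    for alt in expand(pattern):
        rx = re.compile(alt, re.I)       # assumption: the rule carries the /i flag
        for host in known_good_hosts:
            if host not in hits and rx.search(host):
                hits[host] = display(alt)
    return hits

# Constructed rules in the style discussed in the thread (not the real rule files).
BIGEVIL_STYLE_RULE = r"\bc(?:arlz|hooz|smonitor)\.(?:com|us)\b"
LOOKAHEAD_RULE = r"(?!www\.panicboys\.net)www\.(?:panic\w+|spamhost)\.net"
KNOWN_GOOD = ["www.csmonitor.com", "www.example.org"]   # constructed allowlist

if __name__ == "__main__":
    for alt in expand(BIGEVIL_STYLE_RULE):
        print(display(alt))
    print(false_positive_hits(BIGEVIL_STYLE_RULE, KNOWN_GOOD))
    print(false_positive_hits(LOOKAHEAD_RULE, ["www.panicboys.net"]))
```

Running the expansions of a rule against a list of hosts that must never be tagged is a cheap pre-deployment check for rule files like these.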
Re: [SAtalk] expand_regex: a tool for debugging regex rules
On Tue, 2004-01-27 at 14:56, Gary Funck wrote:
> Attached is a perl script, expand_regex.pl, which will accept an SA rules file on standard input and will by default output the expansions of those rules, taking into account regex factoring due to parentheses. When invoked with the -verbose option, the program will preface the expansion by the rule. It has several options which will cause it to expand various commonly used idioms inside regex patterns such as \d, [set of chars], {repetition count}, and ?. Note that these expansion options are off by default, and when enabled can create some very large expansion sequences.

I've taken the liberty of adding this to the Exit0 wiki. It's at http://www.exit0.us/index.php/ExpandRegex

--
AltGrendel [EMAIL PROTECTED]
[SAtalk] Problem upgrading SA
I had SA 2.60 and just installed 2.63 via CPAN. spamassassin -V tells me I have 2.63 now, but the headers of my emails still say 2.60

How can I make certain that mail is being scanned by 2.63?

--
John Oliver, CCNA http://www.john-oliver.net/
Linux/UNIX/network consulting http://www.john-oliver.net/resume/
******* ********
Contribute to the SpamCon Legal Fund!! http://www.spamcon.org/legalfund/
[SAtalk] Lint error with chickenpox v 1.11
Hi Jennifer,

When running lint on the latest chickenpox (1.11) I get this error:

donkeykong:/etc/mail/spamassassin/RulesDuJour # /usr/local/bin/spamassassin --lint
Failed to compile body SpamAssassin tests, skipping: (Unmatched ( in regex; marked by -- HERE in m/\s( -- HERE ?!(?:alt|biz|mrs|rev|s(?:ci|en|oc))\.|(?:e nd|fwd|org|reg):|[cd]os'[a-zA-Z]{3}[.,;:?%!+^~`'\$*=\#|013467\(\)\[\]\{\} ][a-zA-Z]{2}(?!\.(?:(?-i:[A-Z][a -z]{1})|a[eiu]|b[ebmrsz]|c[afhnrx]|d[bek]|es|f[ir]|g[uz]|h[knrtu]|i[elnqrst] |j[mops]|k[prwy]|m[kx]|n[loz]|p[lr ty]|ru|s[eghm]|t[cnv]|u[ksu]|v[gi])|:no|['`](?:ll|ts|[rv]e))(?:[,'\?!]|\.?\ s)/ at /etc/mail/spamassassin/chic kenpox.cf, rule J_CHICKENPOX_32, line 1. )

Any clues?

Erik
RE: [SAtalk] Blank mails with attachments make it through
Not to sound bad but what's your point. My AV sends me a lot of blank messages. I have friends that send me blank messages usually with subjects like call me (which is a field day for SA). There are some rules based on certain mail daemons that will not accept a blank message but I don't know what they are.

Gary Smith

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Van Gordon
Sent: Tuesday, January 27, 2004 12:31 PM
To: [EMAIL PROTECTED] Sourceforge. Net (E-mail)
Subject: [SAtalk] Blank mails with attachments make it through

NOTICE*NOTICE*NOTICE*NOTICE

The attachment that was contained in this message was striped and stored in /var/log/mail/Mail/virus.mail on aspen. The attachment contained a possible virus and was placed in quarantine to avoid spread of said virus. If you want this file please contact Padraig or Brian to retrieve it or you can have your party resend the message with a different attachment name as to not trigger the rules for finding virus.
[SAtalk] Rules to flag these stupid virus warnings?
I am about ready to just open the message body with MIMEDefang and whack anything that mentions InterScan with extreme prejudice (like, forward it to InterScan's Postmaster, until they forcibly distribute a patch to all their customers that disables this stupid, stupid mis-feature).

But before I go to that extreme, anybody come up with a ruleset that matches unhelpful virus alert messages? No sense re-inventing the wheel, but if it hasn't been invented yet, maybe I will... :)

---
The avalanche has already begun. It is too late for the pebbles to vote. -- Kosh
Re: [SAtalk] Set up
Martin Radford wrote:
> I'm pretty sure that the autolearn= is always present, irrespective of whether or not Bayes is actually available.

Yep. You should see autolearn=off if Bayes is inactive though.

> Obviously, if autolearn=ham or autolearn=spam, then Bayes *is* available. But you can't tell anything from autolearn=no.

It's not as obvious, but autolearn=no indicates that Bayes was active but the message was not autolearned.

-kgd
--
Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken. - Unknown
Re: [SAtalk] Problem upgrading SA
--On Tuesday, January 27, 2004 1:46 PM -0800 John Oliver [EMAIL PROTECTED] wrote:
> I had SA 2.60 and just installed 2.63 via CPAN. spamassassin -V tells me I have 2.63 now, but the headers of my emails still say 2.60
>
> How can I make certain that mail is being scanned by 2.63?

I'm no SA guru, but I know enough to be dangerous... How is spamassassin being called?

which spamassassin

should tell you which spamassassin your install is using - I'd bet there's two copies somewhere...

Evan
RE: [SAtalk] Lint error with chickenpox v 1.11
> Hi Jennifer,
>
> When running lint on the latest chickenpox (1.11) I get this error:

Current version is 1.14 according to the file I just downloaded.

> Any clues?

Make sure that how you download the file doesn't cause line breaks.

Bret
Re: [SAtalk] expand_regex: a tool for debugging regex rules
Gary Funck writes:
> Attached is a perl script, expand_regex.pl, which will accept an SA rules file on standard input and will by default output the expansions of those rules, taking into account regex factoring due to parentheses. When invoked with the -verbose option, the program will preface the expansion by the rule. It has several options which will cause it to expand various commonly used idioms inside regex patterns such as \d, [set of chars], {repetition count}, and ?. Note that these expansion options are off by default, and when enabled can create some very large expansion sequences.

!!! cool.

Could you post a link to this on the Wiki? http://wiki.SpamAssassin.org/ . It'd be a great thing to keep around as a resource, and that's a good place to keep it (and other keeper items too).

--j.
Re: [SAtalk] Problem upgrading SA
On Tue, Jan 27, 2004 at 02:08:54PM -0800, Evan Platt wrote:
> --On Tuesday, January 27, 2004 1:46 PM -0800 John Oliver [EMAIL PROTECTED] wrote:
> > I had SA 2.60 and just installed 2.63 via CPAN. spamassassin -V tells me I have 2.63 now, but the headers of my emails still say 2.60
> >
> > How can I make certain that mail is being scanned by 2.63?
>
> I'm no SA guru, but I know enough to be dangerous... How is spamassassin being called?

I call spamc from my .procmailrc

And yes, I killed and restarted spamd

> which spamassassin
>
> should tell you which spamassassin your install is using - I'd bet there's two copies somewhere...

[EMAIL PROTECTED] joliver]$ sudo find / -name spamassassin
/etc/mail/spamassassin
/usr/bin/spamassassin
/usr/share/spamassassin
/root/.cpan/build/Mail-SpamAssassin-2.63/blib/script/spamassassin
/root/.cpan/build/Mail-SpamAssassin-2.63/spamassassin
/root/.cpan/build/Mail-SpamAssassin-2.60/blib/script/spamassassin
/root/.cpan/build/Mail-SpamAssassin-2.60/spamassassin
[EMAIL PROTECTED] joliver]$ /usr/bin/spamassassin -V
SpamAssassin version 2.63

--
John Oliver, CCNA http://www.john-oliver.net/
Linux/UNIX/network consulting http://www.john-oliver.net/resume/
******* ********
Contribute to the SpamCon Legal Fund!! http://www.spamcon.org/legalfund/
Re: [SAtalk] Lint error with chickenpox v 1.11
Hi Erik

I assume you sent this over the weekend when the file was bad. I sent one this weekend that just showed up on the list this morning! If that isn't the case, grab the new version from my site. I believe it's 1.14. http://www.emtinc.net/spamhammers.htm

Jennifer

> Hi Jennifer,
>
> When running lint on the latest chickenpox (1.11) I get this error:
>
> donkeykong:/etc/mail/spamassassin/RulesDuJour # /usr/local/bin/spamassassin --lint
> Failed to compile body SpamAssassin tests, skipping: (Unmatched ( in regex; marked by -- HERE in m/\s( -- HERE ?!(?:alt|biz|mrs|rev|s(?:ci|en|oc))\.|(?:e nd|fwd|org|reg):|[cd]os'[a-zA-Z]{3}[.,;:?%!+^~`'\$*=\#|013467\(\)\[\]\{\} ][a-zA-Z]{2}(?!\.(?:(?-i:[A-Z][a -z]{1})|a[eiu]|b[ebmrsz]|c[afhnrx]|d[bek]|es|f[ir]|g[uz]|h[knrtu]|i[elnqrst] |j[mops]|k[prwy]|m[kx]|n[loz]|p[lr ty]|ru|s[eghm]|t[cnv]|u[ksu]|v[gi])|:no|['`](?:ll|ts|[rv]e))(?:[,'\?!]|\.?\ s)/ at /etc/mail/spamassassin/chic kenpox.cf, rule J_CHICKENPOX_32, line 1. )
>
> Any clues?
>
> Erik
Re: [SAtalk] W32.Novarg.A@mm virus
On Tuesday 27 January 2004 10:20 am, Yackley, Matt wrote:
> Have you tried any of the Virus bounce rules? These help stop the floods of stupid You sent a virus warnings from people that have not learned to shutdown auto-notifications
>
> http://www.exit0.us/index.php/VirusBounceRules
>
> -matt

Yes, I did have those installed but always wondered why they never worked for me. I was just looking at them again and realized the scoring for them was so low for my setup. I upped the scores and that should take care of it all. I have a default of 14 for spam. I could probably raise it to 20 or 25 without any problems but I would rather keep it at 14 for occasional near misses.

--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, [EMAIL PROTECTED], [EMAIL PROTECTED]
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Re: [SAtalk] BAYES_99
On Tuesday 27 January 2004 12:44 am, Johann Spies wrote:
> On Sun, Jan 25, 2004 at 03:01:24PM +1100, David Hooton wrote:
> > I've been playing with bayes on my home machine and have been very impressed with it. I was however wondering to what degree everyone else trusts BAYES_99? Is it generally accepted as a sure spamsign or do you expect it to be backed up by other scores in order to rank it as definite spam?
> >
> > I realise this will have a lot to do with training etc, however I've found it to be generally a very strong spamsign, and I was wanting to know other peoples experiences.
>
> I use a threshold of 8 and BAYES_99 scores a 6.

You would be appalled at my scores then: threshold of 14 and bayes_99 of 20 or so. Just in case there are any negatives that might kick in.

> Regards
> Johann

--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, [EMAIL PROTECTED], [EMAIL PROTECTED]
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
RE: [SAtalk] Virus Bounce rules at www.exit0.us
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Batchelor
Sent: Tuesday, January 27, 2004 4:09 PM
To: Spamassassin
Subject: [SAtalk] Rules to flag these stupid virus warnings?

I am about ready to just open the message body with MIMEDefang and whack anything that mentions InterScan with extreme prejudice (like, forward it to InterScan's Postmaster, until they forcibly distribute a patch to all their customers that disables this stupid, stupid mis-feature).

But before I go to that extreme, anybody come up with a ruleset that matches unhelpful virus alert messages? No sense re-inventing the wheel, but if it hasn't been invented yet, maybe I will... :)

http://www.exit0.us/index.php/VirusBounceRules

-matt
Re: [SAtalk] Rules to flag these stupid virus warnings?
On Tuesday 27 January 2004 17:09, Mike Batchelor wrote:
> I am about ready to just open the message body with MIMEDefang and whack anything that mentions InterScan with extreme prejudice (like, forward it to InterScan's Postmaster, until they forcibly distribute a patch to all their customers that disables this stupid, stupid mis-feature).
>
> But before I go to that extreme, anybody come up with a ruleset that matches unhelpful virus alert messages? No sense re-inventing the wheel, but if it hasn't been invented yet, maybe I will... :)

I don't have an answer, but I do report them as spam/bulk mail. I just got one flagged by DCC_CHECK, and push it over the 5.0 mark.

Pedro
--
It is impossible to make anything foolproof because fools are so ingenious.
Re: [SAtalk] How to increase score of this message?
At 08:25 AM 1/27/04 -0800, Ricardo Kleemann wrote:
> How does the Bayes training work, anyway..

In short:

First, you need to understand bayes is based on breaking email down into tokens. For simplicity, you can just consider each word of an email to be a token. SA uses other tokens (header fragments, etc), but it does use words as tokens as well, and they are the easiest to think about.

Bayes training works based on breaking the email up into tokens and keeping track of the number of times it's been seen in spam and nonspam mail. From the number of times it's been seen in spam and nonspam, a probability of spam for the token can be calculated.

Bayes scoring works by checking all the tokens present in the email against the database and generating an aggregate probability of spam by more-or-less averaging them all together.

Technically the exact details are a bit more complex than mentioned above. However, all the exact details aren't too important with respect to getting a general understanding of it all. There's a lot of boring details involving statistical methods, string parsing, token selection, etc, but it's largely irrelevant here.

> If this one message gets trained as --spam, how much of an effect does that have next time around?

The amount of impact of training one message as spam varies significantly depending on what your other training looks like.

If most of the tokens in the email have been seen thousands of times in nonspam, and only a few times in spam, the training will have little or no impact. The difference between 1 in 2000 and 2 in 2000 isn't that significant.. it still amounts to more or less 0 probability of spam.

On the other hand if they're mostly tokens that have never been seen before at all, the impact can be huge. Mis-spelled words are VERY likely to be in this category.
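As an added illustration (not SpamAssassin's code and not from the poster): a simplified token-count model of the explanation above, comparing one extra spam training on tokens already seen 2000 times in nonspam with the same training on never-seen tokens. The smoothing constants, the plain averaging and the corpus are assumptions and constructed samples; SpamAssassin's real token selection and combining are more complex.

```python
import re
from collections import Counter

STRENGTH = 1.0   # weight of the prior against observed counts (assumed value)
PRIOR = 0.5      # probability given to a token never seen in training (assumed value)

def tokenize(text):
    """Treat each distinct lower-cased word as one token."""
    return set(re.findall(r"[a-z0-9']+", text.lower()))

class TokenDB:
    """Per-token counts of how many spam and nonspam messages contained the token."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    def learn(self, text, is_spam, count=1):
        """Record `count` identical messages as spam or as nonspam."""
        counts = self.spam if is_spam else self.ham
        for tok in tokenize(text):
            counts[tok] += count
        if is_spam:
            self.nspam += count
        else:
            self.nham += count

    def token_prob(self, tok):
        """Spam probability of one token, pulled toward PRIOR when it was rarely seen."""
        s, h = self.spam[tok], self.ham[tok]
        n = s + h
        if n == 0:
            return PRIOR
        spam_rate = s / self.nspam if self.nspam else 0.0
        ham_rate = h / self.nham if self.nham else 0.0
        raw = spam_rate / (spam_rate + ham_rate)
        return (STRENGTH * PRIOR + n * raw) / (STRENGTH + n)

    def score(self, text):
        """Aggregate by plain averaging of the token probabilities (a simplification)."""
        probs = [self.token_prob(t) for t in tokenize(text)]
        return sum(probs) / len(probs) if probs else PRIOR

def build_constructed_db():
    """Constructed corpus: 2000 nonspam and 2000 spam messages with fixed wording."""
    db = TokenDB()
    db.learn("meeting agenda attached", is_spam=False, count=2000)
    db.learn("cheap pills online", is_spam=True, count=2000)
    return db

def training_impact(text):
    """Score `text`, train it once as spam on a fresh database, and score it again."""
    db = build_constructed_db()
    before = db.score(text)
    db.learn(text, is_spam=True)
    return before, db.score(text)

if __name__ == "__main__":
    for sample in ("meeting agenda attached", "v1agra ch3ap p1lls"):
        before, after = training_impact(sample)
        print("%-26s before=%.5f after=%.5f" % (sample, before, after))
```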
Re: [SAtalk] W32.Novarg.A@mm virus
On Tuesday 27 January 2004 02:41 am, Richard Beyer wrote:

We're seeing a lot of activity from the [EMAIL PROTECTED] virus (http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] m l)

Could someone help me cobble together a rule quickly to counteract the attachments it's using. Something to catch test.zip, readme.zip and body.zip (the most common ones it appears to be using at the moment).

If you use maildrop you could do this with clamav.

    if($SIZE 200)
    {
        xfilter clamscan.sh
    }
    if ((/^X-Virus-Status:.*INFECTED/))
    {
        to $VIRUS
    }

Attached is clamscan.sh.

Cheers,
Richard

--
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, [EMAIL PROTECTED], [EMAIL PROTECTED]
Holiness unto the Lord

clamscan.sh Description: application/shellscript
Re: [SAtalk] sa-learn spamassassin question
At 12:22 PM 1/27/04 +0100, jean-christophe valiere wrote:

Hi, I've got a little problem with the mail that is attached. When I try spamassassin -t -D rulesrun=255 mail.txt it is not considered as spam. So I do spamassassin -r -D rulesrun=255 mail.txt and it tells me that Razor already learnt this message but it is not in the report when I test it. I finally decide to do sa-learn --spam mail.txt and it tells me that it doesn't learn anything from the mail. I just use razor2 with spamassassin and would like the mail to be tagged as spam from my bayes and from razor2. Thanks.

1) Training one message alone is not usually enough to flip the bayes score of the message if there is strong evidence in dozens of other messages that the tokens are nonspam. Look at the bayes token output of spamassassin -D.

2) If the spam in question has a habeas warrant mark, add the habeas swe headers to your bayes_ignore.

3) No one person (short of a cloudmark employee) can declare a message to be spam in razor. Your report counts, but one person alone is generally not enough. Also, make sure you've set up for razor reporting using razor-admin --register.
Re: [SAtalk] Bayes Problems
On Mon, 26 Jan 2004, Rick Mallett wrote:

[...] Now I've got a much bigger problem. The expiry is starting to take more than 10 minutes and as a result the journal grows to max size and an opportunistic rebuild kills the lock file and wrecks the expiry operation. Here is what I observe in the bayes directory area

    -rw--- 1 defang defang       32 Jan 26 12:19 bayes.lock
    -rw--- 1 defang defang  2750039 Jan 26 12:27 bayes_journal
    -rw--- 1 defang defang 20897792 Jan 26 12:19 bayes_seen
    -rw--- 1 defang defang 21733376 Jan 26 12:22 bayes_toks
    -rw--- 1 defang defang  9437184 Jan 26 12:22 bayes_toks.expire16781
    -rw--- 1 defang defang 11173888 Jan 26 11:35 bayes_toks.expire23012
    -rw--- 1 defang defang  5341184 Jan 26 10:54 bayes_toks.expire27549
    -rw--- 1 defang defang 11182080 Jan 26 11:59 bayes_toks.expire27570
    -rw--- 1 defang defang 11403264 Jan 26 10:44 bayes_toks.expire4752

[...] and on and on. I was running an expiry every hour, BTW, because I was worried about the possibility that an expiry might take more than 10 minutes and get killed by a journal'izing operation but I decided to return to the default mode of operation and let the expiries happen automatically. In this case sa-learn --dump magic indicates that the last expiry happened at Sun Jan 25 22:33:43 2004 and it looks like my problem happened about 12 hours later so I guess I should return to running an expiry every hour. Anyone care to speculate?

That looks remarkably like the problem I reported on Jan 20th, under the Subject 'Multiple bayes_toks.expire$$ files'.

Our context is that our SA is driven as subroutines from MailScanner (www.mailscanner.info). We later discovered that these abandoned bayes_toks.expire$$ files correspond to MailScanner (which uses SA's auto-expire) timing out (around 40 seconds) and so somehow these SA files get abandoned.

The MailScanner maintainer, Julian Field, is very responsive, and he has already coded up an alternative way of driving SA from MS, so that its use of SA can avoid auto-expire (and thereby avoid the possible multiple simultaneous expires) and instead do a more controlled, occasional and explicit expire.

But it does suggest an underlying problem in SA's expiry code. I suspect that the process is being signalled, and probably dies, whereas it should probably try to tidy up the half-complete expire (e.g. some sort of fast abandonment, possibly as simple as unlinking the bayes_toks.expire$$ file) before dying.

Thoughts?

--
:  David Lee                       I.T. Service          :
:  Systems Programmer              Computer Centre       :
:                                  University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/   South Road            :
:                                  Durham                :
:  Phone: +44 191 334 2752         U.K.                  :
Re: [SAtalk] Rules to flag these stupid virus warnings?
Mike Batchelor writes:

I am about ready to just open the message body with MIMEDefang and whack anything that mentions InterScan with extreme prejudice (like, forward it to InterScan's Postmaster, until they forcibly distribute a patch to all their customers that disables this stupid, stupid mis-feature). But before I go to that extreme, anybody come up with a ruleset that matches unhelpful virus alert messages? No sense re-inventing the wheel, but if it hasn't been invented yet, maybe I will... :)

http://www.exit0.us/index.php/VirusBounceRules

--j.
Re: [SAtalk] How to increase score of this message?
At 07:00 PM 1/26/04 -0800, ricardo wrote:

Does anyone have any suggestions on how to possibly make SA get a higher score for this type of message? Any new recipes that might improve the scoring?

Quite frankly, that email with all its mis-spelled words should be easy pickings for bayes. Train.
[SAtalk] Cyrus IMAP Server and SA
Greetings,

Has anyone implemented SpamAssassin on a mail server running sendmail and Cyrus's IMAP Server? If so, did you run into any problems?

Regards,
Pete

Peter P. Benac, CCNA
Emacolet Networking Services, Inc
Providing Systems and Network Consulting, Training, Web Hosting Services
Phone: 919-847-1740 or 866-701-2345
Web: http://www.emacolet.com
Need quick reliable Systems or Network Management advice visit http://www.nmsusers.org
To have principles... First have courage.. With principles comes integrity!!!
Re: [SAtalk] Ping
Pong?
Re: [SAtalk] Bayes Problems
On Tue, Jan 27, 2004 at 03:57:56PM +, David Lee wrote:

The MailScanner maintainer, Julian Field, is very responsive, and he has already coded up an alternative way of driving SA from MS, so that its use of SA can avoid auto-expire (and thereby avoid the possible multiple simultaneous expires) and instead do a more controlled, occasional and explicit expire.

Which is different from disabling auto_expire (bayes_auto_expire 0) in the config and running sa-learn --force-expire when you want?

The code already tries to avoid multiple parallel expire runs BTW. First, the DB is locked, second, the running expire updates a specific magic token in the DB which tells any other instance that an expire is occurring and they should abort.

So what's the issue?

--
Randomly Generated Tagline: Who wants to remember that escape-x-alt-control-left shift-b puts you into super-edit-debug-compile mode? (Discussion in comp.os.linux.misc on the intuitiveness of commands, especially Emacs.)
Re: [SAtalk] Filtering html messages
It's backhair.cf, not blackhair.cf. If you want it for a system wide install, you only need to put it in /etc/mail/spamassassin and, if you're running spamd, restart spamd. Whenever it starts it finds all the .cf files in that directory and loads them (in alphabetical order).

On Tue, 27 Jan 2004, Kenneth Andresen wrote:

Thank you for your answer! One thing - the blackhair.cf, should it be part of my current local.cf, or will it work by simply adding the file to /etc/mail/spamassassin/? Will I need to modify anything else to refer to this file?

On Mon, 2004-01-26 at 13:46, Adam D. Lopresto wrote:

Actually, we can do better than that. Check out Jennifer's Backhair set. http://www.emtinc.net/spamhammers.htm It'll find invalid HTML tags used to break up words, and give a message points simply for having them (so your message would have triggered BACKHAIR_22 even though the word it's breaking apart, spam isn't itself caught by any rules). It's a good set (though there are some problems with uuencoded email).

On Mon, 26 Jan 2004, Kenneth Andresen wrote:

Hello all, I am noticing that the majority of the current spam coming through are all html messages with invalid html tags, like spspammeram. Since it is rendered as html the invalid tag is removed, so we on the screen only see spam. Wouldn't it be possible to simply make a html rendering tool to filter this? a list with all valid html tags, and if not a valid tag, then remove the tag and send to spamassassin the text we see on screen?

--
Adam Lopresto
http://cec.wustl.edu/~adam/

'You are a very fine person, Mr Baggins, and I am very fond of you; but you are only quite a little fellow in a wide world after all!' 'Thank goodness!' said Bilbo laughing, and handed him the tobacco-jar.
Re: [SAtalk] Help: How to add files of tests?
At Fri Jan 23 02:45:51 2004, Evan Platt wrote:

At 03:26 PM 1/22/2004, Chris Thielen wrote:

Where would I add, say big_evil.cf? Are there any other recommended files I download and install?

Maybe this helps: http://lists.altn.com/[EMAIL PROTECTED]@.ee9117d/1

Don't I want to avoid adding to the local.cf? That's overwritten during an upgrade, no?

No it isn't. It's guaranteed not to be touched during upgrade.

Isn't it possible to add a 'link' to a file, i.e. rulefile = big_evil.cf ?

Local settings go in the /etc/mail/spamassassin directory. All files with names ending in .cf in that directory are read. See http://wiki.spamassassin.org/w/WhereDoLocalSettingsGo

Martin

--
Martin Radford              | Only wimps use tape backup: _real_
[EMAIL PROTECTED]           | men just upload their important stuff  -o)
Registered Linux user #9257 | on ftp and let the rest of the world   /\\
- see http://counter.li.org | mirror it ;) - Linus Torvalds         _\_V
Re: [SAtalk] Spamassassin on Qmail Relay
Upgrade spamassassin, along with the new rulesets, to the latest version. Turn on Bayesian learning and download the excellent custom rulesets at http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm. You'll be amazed at how much these custom rulesets help. Just place the files in the same directory as local.cf and run spamassassin --lint -D to make sure there are no syntax errors.

RO

- Original Message -
From: Atif Faruqui [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 22, 2004 8:48 AM
Subject: [SAtalk] Spamassassin on Qmail Relay

Hi,

I am running Qmail-1.03 running qmail-scanner-1.16 which calls SpamAssassin-2.61. This is running on a Solaris 9 box. This is a relay configuration in which the relay server accepts mail, does spam filtering (spamassassin) and virus check (McAfee) and then sends mail to the exchange server.

Lately I am noticing that a lot of spam is going to users' inboxes. Users have a rule in their outlook client where all messages which have the header X-Spam-Status:Yes go to their spam box. But now 50 % of spam goes in their inbox. I lowered the threshold to 3 but still same result.

I turned the verbose logging on in qmail and I notice that some of the email messages don't have any spamassassin headers and some do. I imagine that all the incoming messages should have something like this X-Spam-Status: But I don't see this header on all messages and I believe this is the reason why half of the spam is going in users' inboxes.

Please let me know how I can troubleshoot/resolve this problem.

Thanks
Atif Faruqui
Unix Sys Admin
triVIN, Inc
Re: [SAtalk] Bayes Problems
The issue is that bayes expiry is broken under some circumstances as evidenced by this listing of my bayes database area, possibly because it's taking more than 10 minutes, or possibly because there is a bug in the code

    -rw--- 1 defang defang       32 Jan 26 12:19 bayes.lock
    -rw--- 1 defang defang  2750039 Jan 26 12:27 bayes_journal
    -rw--- 1 defang defang 20897792 Jan 26 12:19 bayes_seen
    -rw--- 1 defang defang 21733376 Jan 26 12:22 bayes_toks
    -rw--- 1 defang defang  9437184 Jan 26 12:22 bayes_toks.expire16781
    -rw--- 1 defang defang 11173888 Jan 26 11:35 bayes_toks.expire23012
    -rw--- 1 defang defang  5341184 Jan 26 10:54 bayes_toks.expire27549
    -rw--- 1 defang defang 11182080 Jan 26 11:59 bayes_toks.expire27570
    -rw--- 1 defang defang 11403264 Jan 26 10:44 bayes_toks.expire4752

I had thought that you would want to know about it.

What I want is to allow expiry to happen opportunistically without having to set bayes_auto_expire 0 and run an sa-learn --force-expire every hour, but that does not appear to be possible. That being the case perhaps a note in the documentation would do the trick. Something to warn people that on high volume sites they cannot afford to allow bayes to run in its default mode of operation.

- rick

On Tue, 27 Jan 2004, Theo Van Dinter wrote:

On Tue, Jan 27, 2004 at 03:57:56PM +, David Lee wrote:

The MailScanner maintainer, Julian Field, is very responsive, and he has already coded up an alternative way of driving SA from MS, so that its use of SA can avoid auto-expire (and thereby avoid the possible multiple simultaneous expires) and instead do a more controlled, occasional and explicit expire.

Which is different from disabling auto_expire (bayes_auto_expire 0) in the config and running sa-learn --force-expire when you want?

The code already tries to avoid multiple parallel expire runs BTW. First, the DB is locked, second, the running expire updates a specific magic token in the DB which tells any other instance that an expire is occurring and they should abort.

So what's the issue?

--
Randomly Generated Tagline: Who wants to remember that escape-x-alt-control-left shift-b puts you into super-edit-debug-compile mode? (Discussion in comp.os.linux.misc on the intuitiveness of commands, especially Emacs.)
RE: [SAtalk] W32.Novarg.A@mm virus
On Tue, 2004-01-27 at 08:35, Smart,Dan wrote:

We are using the script by Nikos Kantarakias called yet another virus recipe for Procmail. See http://agriroot.aua.gr/~nikant/nkvir/ Nikos added Novarg this morning.

Wow.. Thanks for pointing this out. Quick to install, with one minor change and already over 200K in Novarg virus files isolated.

--
[EMAIL PROTECTED]
One should admire Windows users. It takes a great deal of courage to trust Windows with your data. - Unknown
Re: [SAtalk] Bayes Problems
Perhaps I spoke too quickly when I suggested that the bayes expiry code must be broken. I finally read David Lee's message carefully and realized that the expiry code might be getting timed out by mimedefang or sendmail and interrupted before it has time to complete.

I should have read it earlier but I've been fighting the Novarg/Mydoom virus all day and haven't had time to get back to the Bayes problem. My apologies for suggesting there must be a bug in the code. I'll follow up on the getting timed out possibility.

- rick

On Tue, 27 Jan 2004, Theo Van Dinter wrote:

On Tue, Jan 27, 2004 at 03:57:56PM +, David Lee wrote:

The MailScanner maintainer, Julian Field, is very responsive, and he has already coded up an alternative way of driving SA from MS, so that its use of SA can avoid auto-expire (and thereby avoid the possible multiple simultaneous expires) and instead do a more controlled, occasional and explicit expire.

Which is different from disabling auto_expire (bayes_auto_expire 0) in the config and running sa-learn --force-expire when you want?

The code already tries to avoid multiple parallel expire runs BTW. First, the DB is locked, second, the running expire updates a specific magic token in the DB which tells any other instance that an expire is occurring and they should abort.

So what's the issue?

--
Randomly Generated Tagline: Who wants to remember that escape-x-alt-control-left shift-b puts you into super-edit-debug-compile mode? (Discussion in comp.os.linux.misc on the intuitiveness of commands, especially Emacs.)
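A read-only check for the leftover `bayes_toks.expire$$` files discussed in this thread, as an added example that is not part of any message here and is not SpamAssassin or MailScanner code. It assumes the numeric suffix is the PID (`$$`) of the process that started the expiry and uses the 10-minute figure from the thread as the default staleness threshold; the function names and the demo directory contents are constructed.

```python
import os
import re
import tempfile
import time

EXPIRE_RE = re.compile(r"^bayes_toks\.expire(\d+)$")


def pid_is_running(pid):
    """True if a process with this PID exists (POSIX signal-0 probe)."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # process exists but belongs to another user
    return True


def find_abandoned_expire_files(bayes_dir, min_age=600, now=None,
                                is_running=pid_is_running):
    """List expire temp files that no live expiry appears to be writing.

    A file is reported when the process named in its suffix is gone, or
    when that PID is alive but the file has not been modified for
    min_age seconds (the PID may have been reused by another process).
    Nothing is deleted; the caller decides what to do with the report.
    """
    now = time.time() if now is None else now
    found = []
    for name in sorted(os.listdir(bayes_dir)):
        match = EXPIRE_RE.match(name)
        if not match:
            continue
        pid = int(match.group(1))
        st = os.stat(os.path.join(bayes_dir, name))
        age = now - st.st_mtime
        if not is_running(pid):
            reason = "writer process gone"
        elif age >= min_age:
            reason = "not written recently"
        else:
            continue         # looks like an expiry still in progress
        found.append({"name": name, "pid": pid, "age": int(age),
                      "size": st.st_size, "reason": reason})
    return found


def demo():
    """Build a constructed bayes directory and scan it."""
    now = time.time()
    live_pids = {16781, 27549}          # constructed: pretend these are running
    samples = (                          # (file name, seconds since last write)
        ("bayes_toks", 0),
        ("bayes_toks.expire16781", 30),
        ("bayes_toks.expire23012", 2820),
        ("bayes_toks.expire27549", 5000),
        ("bayes_toks.expire4752", 5880),
    )
    with tempfile.TemporaryDirectory() as bayes_dir:
        for name, age in samples:
            path = os.path.join(bayes_dir, name)
            with open(path, "wb") as handle:
                handle.write(b"\0" * 16)
            os.utime(path, (now - age, now - age))
        return find_abandoned_expire_files(
            bayes_dir, now=now, is_running=lambda pid: pid in live_pids)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```
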
RE: [SAtalk] the list itself???
Again, it's been slow all weekend (only a couple posts). Since my last post never made it I assume that it's SF. This was sent at 23:22 PST on Sunday. I guess I'll wait to see how long this thing takes before it hits the list.

Gary

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim B
Sent: Sunday, January 25, 2004 8:44 PM
To: Spamassassin List
Subject: [SAtalk] the list itself???

Did I get booted off the list, no list traffic or is sourceforge down? I haven't gotten anything really since Friday.
Re: [SAtalk] Cyrus IMAP Server and SA
I use SA with Cyrus-IMAP, but I don't use sendmail. Instead, I use postfix and amavisd-new. No problems here.

On Tue, 27 Jan 2004, Peter P. Benac wrote:

Greetings,

Has anyone implemented SpamAssassin on a mail server running sendmail and Cyrus's IMAP Server? If so, did you run into any problems?

Regards,
Pete

Peter P. Benac, CCNA
Emacolet Networking Services, Inc
Providing Systems and Network Consulting, Training, Web Hosting Services
Phone: 919-847-1740 or 866-701-2345
Web: http://www.emacolet.com
Need quick reliable Systems or Network Management advice visit http://www.nmsusers.org
To have principles... First have courage.. With principles comes integrity!!!
[SAtalk] False positive on FORGED_MUA_MOZILLA
The attached message sent through spamcop has tripped the FORGED_MUA_MOZILLA. Maybe it needs to be looked at?

--
Scott Lambert KC5MLE System Administrator

Attention Customers: Refer-A-Friend and receive one month of service for free! For further details, please visit: http://inch.com/refer-a-friend/ or, call the Internet Channel billing department at (212) 243-5200.

---BeginMessage---
[ SpamCop V1.3.4 ]
This message is brief for your comfort. Please use links below for details.

Spamvertised website: http://www.portside.org
http://www.portside.org is 216.223.198.245; Sat, 24 Jan 2004 05:06:14 GMT
http://www.spamcop.net/w3m?i=z627957045z84ba818f5f8dbdfdbd76732a31722814z

[ Offending message ]
Return-Path: [EMAIL PROTECTED]
Received: from rly-xg06.mx.aol.com (rly-xg06.mail.aol.com [172.20.115.197])
    by air-xg04.mail.aol.com (v97.18) with ESMTP id MAILINXG43-7034011d38440;
    Fri, 23 Jan 2004 21:08:11 -0500
Received: from n22.grp.scd.yahoo.com (n22.grp.scd.yahoo.com [66.218.66.78])
    by rly-xg06.mx.aol.com (v97.10) with ESMTP id MAILRELAYINXG65-7034011d38440;
    Fri, 23 Jan 2004 21:08:04 -0500
X-eGroups-Return: [EMAIL PROTECTED]
Received: from [66.218.67.198] by n22.grp.scd.yahoo.com with NNFMP; 24 Jan 2004 01:11:38 -
Received: (qmail 40864 invoked from network); 24 Jan 2004 01:11:26 -
Received: from unknown (66.218.66.217) by m5.grp.scd.yahoo.com with QMQP; 24 Jan 2004 01:11:26 -
Received: from unknown (HELO n8.grp.scd.yahoo.com) (66.218.66.92)
    by mta2.grp.scd.yahoo.com with SMTP; 24 Jan 2004 01:11:26 -
X-eGroups-Return: [EMAIL PROTECTED]
Received: from [66.218.67.177] by n8.grp.scd.yahoo.com with NNFMP; 24 Jan 2004 01:11:26 -
X-Sender: [EMAIL PROTECTED]
X-Apparently-To: x
Received: (qmail 74049 invoked from network); 24 Jan 2004 00:37:05 -
Received: from unknown (66.218.66.172) by m10.grp.scd.yahoo.com with QMQP; 24 Jan 2004 00:37:05 -
Received: from unknown (HELO micronet.fr) (81.240.235.192)
    by mta4.grp.scd.yahoo.com with SMTP; 24 Jan 2004 00:37:00 -
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Message-ID: [EMAIL PROTECTED]
To: x
X-eGroups-Remote-IP: 81.240.235.192
From: Willie S. Henry [EMAIL PROTECTED]
X-eGroups-Approved-By: bc101949 [EMAIL PROTECTED] via web; 24 Jan 2004 01:11:25 -
X-eGroups-Remote-IP: 66.218.66.92
MIME-Version: 1.0
Mailing-List: list x; contact [EMAIL PROTECTED]
Delivered-To: x list x
Precedence: bulk
List-Unsubscribe: mailto:[EMAIL PROTECTED]
Date: Sat, 24 Jan 2004 00:32:36 +
Subject: =?iso-8859-1?B?TG93ZXJzIFByZXNjXnJpcHRpb24gRHJ1ZyFzIE9uIFRoZSBJbnRlcm5ldCE=?=
Reply-To: x
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-AOL-IP: 66.218.66.78

[Non-text portions of this message have been removed]

portside (the left side in nautical parlance) is a news, discussion and debate service of the Committees of Correspondence for Democracy and Socialism. It aims to provide varied material of interest to people on the left.

Post: mail to 'x'
Subscribe : mail to '[EMAIL PROTECTED]'
Unsubscribe : mail to '[EMAIL PROTECTED]'
Faq : http://www.portside.org
List owner : [EMAIL PROTECTED]
Web address : http://www.yahoogroups.com/group/portside
Digest mode : visit Web site

Yahoo! Groups Links
To visit your group on the web, go to: http://groups.yahoo.com/group/portside/
To unsubscribe from this group, send an email to: [EMAIL PROTECTED]
Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/

0
---End Message---
Re: [SAtalk] Bayes Problems
On Tue, Jan 27, 2004 at 10:25:20PM -0500, Rick Mallett wrote:

The issue is that bayes expiry is broken under some circumstances as evidenced by this listing of my bayes database area, possibly because it's taking more than 10 minutes, or possibly because there is a bug in the code

Well, you were talking about spamd getting signalled, which then aborts the expire, which isn't a bug in SA. If it's taking a long time for the expiry to run, then that's an issue.

I had thought that you would want to know about it.

I want to hear about all bugs in the code. :)

--
Randomly Generated Tagline: And 1.1.81 is officially BugFree(tm), so if you receive any bug-reports on it, you know they are just evil lies. - Linus Torvalds
Re: [SAtalk] [SAtalk]Change points of preset rules
On Friday 23 January 2004 03:10, Thorsten Schacht wrote:

How can I change the points of the rules included in spamassassin? I'm trying to increase the points from the HTML_IMAGE_ONLY_02 BODY rule.

Add this to your local.cf or user_prefs file.

    score HTML_IMAGE_ONLY_02 XX

'XX' is the score that you want to set it to.

Douglas
Re: [SAtalk] bigevil; chicknpox; weeds...
Hello Thorsten,

Monday, January 26, 2004, 7:28:21 AM, you wrote:

TS What is your opinion to that cf's?
TS Does it make sense to take them all, or maybe only parts of them?
TS Is it a good solution to install them without really knowing how the
TS rules are built?
TS Only for private or also good at company?

1) I use those files you list, and a couple more. I assign my own scores to them.

2) If you take a ruleset, take the entire ruleset. If you're concerned about specific rules within the ruleset, lower their scores. If you find problems with specific entries in BigEvil, modify your copy and let Chris know.

3) Doesn't matter that you know /how/ the rules were built, but you should read the header information to understand /why/ the rules were built.

4) I use them for my private family domain, and also for my employer's corporate domains, and also for an NPO's domain.

Bob Menschel
Re: [SAtalk] False positive on FORGED_MUA_MOZILLA
On Sat, Jan 24, 2004 at 12:53:27AM -0500, Scott Lambert wrote:

The attached message sent through spamcop has tripped the FORGED_MUA_MOZILLA. Maybe it needs to be looked at?

I would say bad behavior by spamcop. They added:

    X-Mailer: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/106.2 (KHTML, like Gecko) Safari/100.1 via http://www.spamcop.net/ v1.3.4

Which isn't true, it's spamcop making the message, the client web browser has nothing to do with it.

--
Randomly Generated Tagline: Experience is something you don't get until just after you need it. - Zen Musings
RE: [SAtalk] stats
I would suggest you use SpamStats from http://www.gryzor.com/tools/

I ran both, and SpamStats reported more of both Spam and Ham. I suspect sa-stats is missing some records.

Dan

| -Original Message-
| From: AltGrendel [mailto:[EMAIL PROTECTED]
| Sent: Friday, January 23, 2004 11:43 AM
| To: SA-Talk
| Subject: Re: [SAtalk] stats
|
| On Fri, 2004-01-23 at 00:14, Bob Apthorpe wrote:
| Hi,
|
| On Thu, 22 Jan 2004 15:12:06 -0600 Wagner One [EMAIL PROTECTED] wrote:
|
| On 1/22/2004 1:15 PM, Bob Apthorpe wrote:
|
| Note: I think this is my hacked-up version of sa-stats.pl at http://www.cynistar.net/~apthorpe/code/sa-contrib/sa-stats.pl
|
| I'm not sure where the canonical version of sa-stats.pl lives since the migration from Sourceforge/CVS to Apache/SVN. I worked from the source at http://cvs.sourceforge.net/viewcvs.py/spamassassin/spamassassin/tools/sa-stats.pl and I think Duncan fixed some date problems in my patch involving the new year before committing it. The current version is probably in Apache's SVN repository but I have no clue where that is, how to browse it, etc. :/
|
| So what is the current official site for this?
|
| --
| AltGrendel [EMAIL PROTECTED]