Re: [SAtalk] Re: spammer reactions to antidrug (humorous)
At 01:10 PM 1/30/2004, Bob George wrote:
> Are the spammers using some sort of filter to obscure the text into something consistently decipherable? The messages I'm seeing lately remind me of the 'haxor', 'jive', 'chef' and 'kraut' filters (http://www2.dystance.net:8080/software/talkfilters/). While I like to think they're slaving away trying to come up with stuff that's almost-but-not-completely-totally-unlike-spam manually, I suspect it's automated by now.

h4x0r and g.a.p.p.i.n.g are actually getting to be old techniques by now. Those two were some of the first obfuscation techniques used.

Other stuff includes extra character insertion (ie, the one I quoted). Character duplications, rearrangements, single character changed to some other character at random, intentional mis-spellings, etc. If you look at the HTML source lots are doing gapping with HTML tags stuck between letters too (doesn't help against SA however).

Probably the newest trends (as I see it) are the extra character insertions, character duplication, and single character change.

Sometimes it's automated over the whole mail. Other times it looks like they are doing it only on certain key words.. It always looks like it was automated however. Spammers are big on automation... lots of volume to do, and it's all gotta look different to try to get one or two by a filter now and then.

---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] autolearning spam as ham?
At 11:59 AM 1/30/2004, PieterB wrote:
> Shouldn't a message that is identified as spam by the bayesian filter of spamassassin (BAYES_90 or BAYES_99 in my case) never be used as a message that is learned as ham? (I would expect it not to be used for learning because it wouldn't improve the bayesfilter, and training it as ham makes the bayesian filter perform worse in future). Am I missing something?

You're missing quite a bit about how bayes works on a fundamental level... you really DO want to train spam that already hits BAYES_99.

You need to remember that bayes doesn't learn a message. It breaks it up into little pieces and learns those.

Training spam that already matches BAYES_99 is a perfectly reasonable and in fact GOOD thing to do, and can improve the filter. Just because the overall probability is high, doesn't mean there's nothing left to learn. There's likely to still be a few tokens that were never learned before. Those tokens could be key in identifying future spam.

This is particularly true because spam mutates over time. As little nuances are introduced, it's important to train them so that the scores stay high as the spam continues to mutate.

The only thing that's bad is allowing bayes to self-feedback. ie: using bayes_99 as a reason to autolearn is a _bad_ thing. If you do that, one mistake in your bayes DB will self-amplify.
Re[2]: [SAtalk] Another v word got through
Sweet.. thanks man, I've been meaning to run mass-check on it myself..

I've been wondering about the FPs in the MALEDYSFUNCTION rules.. it's obvious all the FPs hit both it and obfu, which is weird. I've had several technical mails hit, but upon trying to re-test them and get them to hit, they don't.. but I've not had much time to play with it and my MTA does mangle email a bit.

At 06:12 PM 1/28/04 -0800, Robert Menschel wrote:
> OVERALL   SPAM    HAM    S/O          SCORE  NAME
>   97268  79437  17831  0.817   0.00    0.00  (all messages)
>    3827   3827      0  1.000   1.00    0.01  LOCAL_DRUGS_DIET
>    2868   2868      0  1.000   0.96    1.00  LOCAL_DRUGS_MANYKINDS
>    2789   2789      0  1.000   0.96    0.50  LOCAL_DRUGS_DIET_PAIN
>    2699   2699      0  1.000   0.95    1.00  LOCAL_DRUGS_DIET_MALEDYS
>    2362   2362      0  1.000   0.94    1.00  LOCAL_DRUGS_PAIN_MALEDYS
>    1781   1781      0  1.000   0.91    0.01  LOCAL_DRUGS_SLEEP
>    1382   1382      0  1.000   0.90    1.00  LOCAL_DRUGS_ANXIETY_MALEDYS
>    1179   1179      0  1.000   0.89    1.00  LOCAL_DRUGS_DEPRESSION_MALEDYS
>    8642   8630     12  0.994   0.79    1.00  LOCAL_DRUGS_MALEDYSFUNCTION
>    4433   4429      4  0.996   0.76    0.01  LOCAL_DRUGS_PAIN
>    3694   3691      3  0.996   0.76    0.01  LOCAL_DRUGS_MUSCLE
>    2657   2655      2  0.997   0.73    0.01  LOCAL_DRUGS_ANXIETY
>    4423   4411     12  0.988   0.24    0.50  LOCAL_DRUGS_MALDYSFUNCTION_OBFU
>    1881   1875      6  0.986   0.00    0.01  LOCAL_DRUGS_DEPRESSION
Re: [SAtalk] Can someone explain this?
At 11:42 AM 1/30/2004, Chris Barnes wrote:
> X-Spam-Status: No, hits=5.0 required=5.0 tests=HTML_60_70,HTML_IMAGE_ONLY_04,
>     HTML_MESSAGE,HTML_WEB_BUGS,LOCAL_PERLMX_TAG_80,MSGID_FROM_MTA_HEADER
>     autolearn=no version=2.61
>
> It met the required hit total (exactly) to be classified as spam.

No, the _rounding_ of the hit total exactly matched.. However, the hit total could have been 4.97, which rounds to 5.0.
Re: [SAtalk] Some filtered, some not!
At 02:39 PM 1/28/2004, John Fleming wrote:
> Below are examples of 2 headers from the SATalk list. One was apparently filtered by Spamassassin, and one not. What's the difference? Some of my mail is being filtered, and some not, and I have no idea why! I thought a reboot fixed it, but NOT! PLEASE HELP! Thanks - John

Um.. those headers are quite incomplete..

My first suggestion would be to examine the Received: paths for differences. Is there a significant difference?

I'd also suggest you check your DNS setup.. wa9als.com doesn't seem to have a MX record at the moment (ouch)
[SAtalk] [RD] spammer reactions to antidrug (humorous)
Today I got an interesting form of obfuscation, apparently to avoid antidrug.cf.

I'm not sure whether to bother with adding rules for this, or be satisfied that the obfuscations are so severe that the messages are now barely legible.

Since spammers rely on responses from the mentally-deficient, and most of those people won't likely be able to read this mail, I doubt this particular spam will produce any customers whatsoever.

I think I'm pleased with this trend. It may not stop the spam, but it appears likely to severely restrict the income and thus motivations for doing so :)

--
Orxder your Vjiagmra and Skupter Vimagera saifely and securfely onlijne.
Esntper Hekre
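A sketch of how a filter can undo three of the techniques listed in the reply at the top of this page (HTML-tag gapping, punctuation gapping, h4x0r substitutions) and spot inserted or duplicated characters, run over the spam line quoted in this post. It is an added example, not code from antidrug.cf or SpamAssassin; the watch list, the substitution map and the "first and last letter unchanged" heuristic are assumptions, and single-character changes and rearrangements are not covered.

```python
import re

# Assumed watch list and h4x0r substitution map; neither comes from antidrug.cf.
WATCH = ("order", "online", "safely", "securely", "super", "enter")
LEET = str.maketrans("013457@$", "oleastas")

TAG = re.compile(r"<[^>]*>")
# Three or more single characters joined by one separator each: g.a.p.p.i.n.g
GAPPED = re.compile(r"\b(?:[a-z0-9][.\-_*~ ]){2,}[a-z0-9]\b", re.I)


def normalize(text):
    """Undo tag gapping, punctuation gapping and leet; return lowercase tokens."""
    # Simplification: every tag is dropped, so on<b></b>line becomes "online".
    # A production filter would turn block-level tags into spaces instead.
    text = TAG.sub("", text)
    text = GAPPED.sub(
        lambda m: re.sub(r"[^a-z0-9]", "", m.group(0), flags=re.I), text)
    tokens = []
    for tok in re.findall(r"[a-z0-9@$]+", text.lower()):
        if re.search(r"[a-z]", tok):      # leave pure numbers such as years alone
            tok = tok.translate(LEET)
        tok = re.sub(r"[^a-z]", "", tok)
        if tok:
            tokens.append(tok)
    return tokens


def is_padded(token, word, max_extra=2):
    """True if token is word plus 1..max_extra characters inserted inside it."""
    extra = len(token) - len(word)
    if not 0 < extra <= max_extra:
        return False
    # Assumed heuristic: the padding seen in the sample keeps both end letters,
    # which also keeps ordinary words such as "orderly" from matching "order".
    if token[0] != word[0] or token[-1] != word[-1]:
        return False
    rest = iter(token)
    return all(ch in rest for ch in word)  # word is a subsequence of token


def scan(text, watch=WATCH):
    """Return (plain, obfuscated): watched words found as-is or disguised."""
    raw_words = set(re.findall(r"[a-z]+", text.lower()))
    plain, obfuscated = [], []
    for tok in normalize(text):
        for word in watch:
            if tok == word:
                # The unmodified word is not evidence of obfuscation; it only
                # counts as disguised if normalization had to rebuild it.
                if word in raw_words:
                    plain.append(word)
                else:
                    obfuscated.append((tok, word))
            elif is_padded(tok, word):
                obfuscated.append((tok, word))
    return plain, obfuscated


# The spam line quoted in the post above.
SAMPLE = ("Orxder your Vjiagmra and Skupter Vimagera saifely and securfely "
          "onlijne. Esntper Hekre")

if __name__ == "__main__":
    plain, obfuscated = scan(SAMPLE)
    print("plain:", plain)
    for seen, word in obfuscated:
        print(f"obfuscated: {seen!r} looks like {word!r}")
```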
Re: [SAtalk] Clearing and retraining all bayes HAM
At 11:17 AM 1/28/2004, Robb Bryn wrote:
> Is there any way to clear all the HAM for Bayes and retrain it without losing all the SPAM? I think that my HAM portion of the db has been corrupted by the autolearn feature (which I have now disabled) and I'd really like to retrain it manually.

One might be able to write a program to go through the database and zero it all out, but I don't think that would be a particularly good idea...

If nothing else, you're creating a radical shift in the spam/nonspam ratio of the training. Ideally this should be representative of your real email traffic, but a decent amount of difference from reality is OK.. however, a massive imbalance can cause problems.
[SAtalk] [RD] antidrug 0.42 - minor update
http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

Corrected mis-use of __DRUGS_MALEDYSFUNCTION13 in LOCAL_DRUGS_MALDYSFUNCTION_OBFU. 13 does match the plain, unmodified v-word, so it can't be used as a sign of obfuscation.

Corrected some un-escaped literal ;'s in __DRUGS_MALEDYSFUNCTION13.

Updated some comments.

Note: I'm working on tracking down a FP case that I've seen and several others have seen. However all the example mails I have (my own and others) apparently got modified enough by my MUA to no longer match. I'm still working on this.
Re: [SAtalk] autolearning spam as ham?
At 11:51 AM 1/30/2004, Fred wrote:
> A bug in 2.6 caused messages which hit BAYES_99 to be learned as ham, this has been fixed, you should upgrade.

For reference, there was no bug per se. The fact that the message hit BAYES_99 did not cause it to be learned as ham.

However, newer versions of SA, as an enhancement, will prevent autolearning if the autolearning will go very strongly against the previous bayes training. (ie: it will skip autolearning a BAYES_99 message as ham, or a BAYES_00 message as spam). It's kind of going with the principle of if you're getting mixed signals, don't learn, which makes sense.

You can read all about it here: http://bugzilla.spamassassin.org/show_bug.cgi?id=2437
Re: [SAtalk] spamassassin again.
At 01:22 PM 1/30/2004, Spyros Tsiolis wrote:
> 1. spamassassin ! Plain sa installation . What next ? Training ? 1000 Spam and 1000 Ham ??

Bayes training is a good thing. Ideal is to have a spam/ham training ratio close to what comes into your server in reality. However, considerable variance isn't a problem, as long as it's not wildly wrong..

1000/1000 is a good starting point for bayes training. Just try to keep things as close to reality as possible without excessive effort.

> 2. spamassassin and sa_filter.pl. Invoking spamd instead of spamassassin. Can someone still train spamassassin ? From what Don told me you don't But I need this clarified. Could someone answer this ?

I'm not familiar with sa_filter.pl, but people using the spamd/spamc combo CAN train bayes.. you just need to make sure you pass a -u parameter that is a user you can su to before training.

The reason you need to -u is that spamd will fall back to nobody if both it and spamc are called as root. Bayes training normally goes in the user's home dir, but in the case of the user nobody, some systems have /dev/null type homedirs.

> 3. Say you _DON'T_ train spamassassin and you leave it running with spamd and Dons' options. Can someone at least enroll any relevant mail (ham) that is being treated as spam in the whitelist, so they don't get thrown?

I'm not familiar with don's options, so I can't follow the thread here :)

> 4. This is one of the most serious questions that's been bugging me for the last weeks. We have Xmail running and people get their ham and spam. Can someone define a simple way of actually grabbing hold of spam and putting it onto,say , a spam mail account, so then I (the admin) can go and start feeding the beast (that'd be spamassassin) in order for it live and learn ?

This is actually partly mentioned in the SA FAQ... http://wiki.spamassassin.org

In short, forwarding generally doesn't work.. to feed bayes you need a more-or-less _exact_ copy of the message, complete with original, mostly unaltered headers.

Some have suggested using bounce/redirect features of some mailclients, others have suggested having users send them as attachments and stripping them.. If you can set up a system that gets you a clean message, you're golden.. Personally, I don't know of anyone doing it, but it is at least theoretically possible.

I don't bother with user-feedback training myself.. it's too much work to make it go. Instead I have a spamtrap, and a nonspamtrap that I use for training.

I subscribe the nonspamtrap address to some popular legit newsletters my users get. cnn news updates, industry newsletters, etc.. I monitor it for spam, and I never mention its address anywhere to prevent it from being picked up.

The spamtrap is a collection of addresses that I've seeded in example postings to mailing lists that winds up with good clean spam. I might make a post discussing a technical and unrelated issue, and use a made up email address like [EMAIL PROTECTED] as a part of the example. Believe it or not, I'm going to start getting bounces for that address in a week or two. After I'm sure it's all spam (and some undisclosed time has gone by), I'll funnel it into the spamtrap.

I feed both mailboxes to sa-learn daily, along with carefully transferred selections from my own mailbox. (since I'm transferring by hand, this is easier than trying to make a userproof automated system)

> Two reasons I posted this on the xmail list and not on the sa list :
> a. I use sa with Xmail (good enough for me :-)
> b. The sa list never gets a message I send. Same happens here but sometimes.

Well SA list got your post this time, the sf.net servers are being _really_ slow this week due to the mydoom worm and other things clogging up the mailservers.
RE: [SAtalk] bayes question: HAM
At 08:10 AM 1/28/04 +0200, Thomas Kinghorn wrote:
> My spamd is running as xadmin
>
> xadmin 17057 1 0 Jan27 ? 00:00:22 /usr/bin/perl -T -w /usr/bin/spamd -d -a -u xadmin
>
> Do I need to run sa-learn as xadmin
> If so, I could kick myself, I have been training it while logged in as root...

Yes. With default settings, the bayes database goes in the user's home directory and is only read/write by that user.

Optionally you can use the bayes_path and bayes_file_mode settings to make both users look at the same bayes DB, and allow both read/write access to it.
Re: [SAtalk] thank you guys
At 10:22 AM 1/23/2004, JRiley wrote:
> HolyMoly...69.27 seconds?! How'd you port SpamAssassin to run on a Commodore Vic-20?

Something tells me that most of that time is likely due a couple of network tests that are timing out for _every_ email.

ie: he might have DCC installed, but not allow the UDP packets past the firewall, which would add 10 seconds to every email (by default, more if he upped the timeout value). DNS might not be working, adding MX lookup timeouts as SA tests for DNS availability. etc, etc.
Re: [SAtalk] Razor server timeout problems ?
At 02:00 AM 1/28/2004, Simon Byrnand wrote:
> Has anyone else noticed frequent timeouts with Razor2 ?

I disabled it Friday due to timeouts. In my experience, razor often has short-term problems that last a couple days then clear up. Right now they're probably experiencing high load, just like everything else email related, due to the sco.a/mydoom/mimail_r virus/worm.

I figure I'll turn it on again in a day or two after the bulk of the virus blows over, if the timeouts persist I'll send an email over to cloudmark.
Re: [SAtalk] rule to catch phishermen?
At 02:39 PM 1/26/04 -0500, Kurt Yoder wrote:
> snip
> body PHISHERMEN /http:\/\/(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@/
> score PHISHERMEN 5.0
> snip

Don't use the body ruletype.. SA removes all HTML tags before running body.

Use uri instead of body.

It also seems you're just going to catch any URL which has a username involved, but it's tough for me to follow that regex without caffeine...

Why not just look for the malware codes directly? (ie: the %01)
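The two points of this reply, shown on a constructed HTML message: a pattern run over the tag-stripped text never sees a URL that lives only in an href, and a check for the %01 marker in the user part of a URI is narrower than matching every URI with a username. This is an added example in Python, not SpamAssassin code or a rule from the thread; the sample message and the function names are assumptions, and the marker check is generalized from %01 to any percent-encoded control character.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The quoted pattern, transcribed to Python syntax (delimiters removed).
BROAD = re.compile(r"http://(\w*?\.)+[a-zA-Z]{2,10}?[^/\s]*?@")
# %00 through %1f: percent-encoded control characters.
ENCODED_CTRL = re.compile(r"%[01][0-9a-f]", re.I)


class _Splitter(HTMLParser):
    """Collect the visible text and the href/src values separately."""

    def __init__(self):
        super().__init__()
        self.text, self.uris = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.uris.append(value)

    def handle_data(self, data):
        self.text.append(data)


def split_message(html):
    """Return (text with tags removed, list of URIs found in attributes)."""
    parser = _Splitter()
    parser.feed(html)
    parser.close()
    return " ".join(parser.text), parser.uris


def classify(uri):
    """'spoof' if the user part hides a control character, 'userinfo' if the
    URI merely carries a username, 'clean' otherwise."""
    info, at, _host = urlsplit(uri).netloc.rpartition("@")
    if not at:
        return "clean"
    return "spoof" if ENCODED_CTRL.search(info) else "userinfo"


def audit(html):
    """Compare a body-style check, the broad URI check and the narrow one."""
    text, uris = split_message(html)
    return {
        "body_hit": bool(BROAD.search(text)),
        "broad_uri_hits": [u for u in uris if BROAD.search(u)],
        "spoof_uris": [u for u in uris if classify(u) == "spoof"],
    }


# Constructed sample: documentation-only host names and addresses.
SAMPLE_HTML = (
    "<html><body><p>Your account needs verification.</p>"
    '<a href="http://www.bank.example%01@203.0.113.7/login">Click here</a>'
    '<a href="http://john.smith@files.example.org/report">Quarterly report</a>'
    '<a href="http://www.example.org/">Home</a></body></html>'
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML).items():
        print(key, "=", value)
```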
Re: [SAtalk] Another v word got through
At 12:13 PM 1/26/04 -0500, WA9ALS - John wrote:
> This one even has the V word spelled correctly as part of a bigger word. How is it getting past the DRUGS and MRWIGGLY rules? http://wa9als.com/spam2.html I've gotten a couple of these now and have added a body check for the grax word, but that seems like a bandaid.

Newer versions of antidrug (0.4 and higher) should catch the v-grax variant of the v-word.

Are you using 0.4 or higher, or are you using one of my older antidrug sets?

Last update was 1/22/04, rev 0.41

http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
Re: [SAtalk] bayes question: HAM
At 02:10 PM 1/27/04 +0200, Thomas Kinghorn wrote:
> While using spamd -D, I can see the messages being learned as ham. However, while doing a spamassassin -D --lint, it shows only 1 ham.
>
> sa-learn --dump magic shows
>
> [EMAIL PROTECTED] exim]# sa-learn --dump magic
> snip
>
> I have attached the --lint debug. Any ideas as to why SA is not showing ham.

you're running sa-learn as root.. but that's NOT who spamd is going to be learning as.

spamd will assume the userid that calls spamc. If that userID is root, spamd will force itself to become nobody for security. It is extremely unwise to leave spamd running as.

Consider setting up a user account and home directory to have spamd use as its default user, and specify it with -u.
Re: [SAtalk] auto whitelist questions
At 10:55 AM 1/27/2004, Mark Merchant wrote:
> i can get AWL working with regular spamassassin, but NOT with spamc/d. is there tip/trick i'm missing ?

what -u parameters are you using?

If you don't use -u, and both spamd and spamc are run as root, spamd will su itself to nobody for safety. On most systems, nobody lacks a home directory, which makes AWL and bayes a bit dysfunctional (since they are stored in ~/.spamassassin by default).
Re: [SAtalk] How to increase score of this message?
At 08:25 AM 1/27/04 -0800, Ricardo Kleemann wrote:
> How does the Bayes training work, anyway..

In short:

First, you need to understand bayes is based on breaking email down into tokens. For simplicity, you can just consider each word of an email to be a token. SA uses other tokens (header fragments, etc), but it does use words as tokens as well, and they are the easiest to think about.

Bayes training works based on breaking the email up into tokens and keeping track of the number of times it's been seen in spam and nonspam mail. From the number of times it's been seen in spam and nonspam, a probability of spam for the token can be calculated.

Bayes scoring works by checking all the tokens present in the email against the database and generating an aggregate probability of spam by more-or-less averaging them all together.

Technically the exact details are a bit more complex than mentioned above. However, all the exact details aren't too important with respect to getting a general understanding of it all. There's a lot of boring details involving statistical methods, string parsing, token selection, etc, but it's largely irrelevant here.

> If this one message gets trained as --spam, how much of an effect does that have next time around?

The amount of impact of training one message as spam varies significantly depending on what your other training looks like.

If most of the tokens in the email have been seen thousands of times in nonspam, and only a few times in spam, the training will have little or no impact. the difference between 1 in 2000 and 2 in 2000 isn't that significant.. it still amounts to more or less 0 probability of spam.

On the other hand if they're mostly tokens that have never been seen before at all, the impact can be huge. mis-spelled words are VERY likely to be in this category.
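A toy token-count model of the training described in this reply and in the earlier "autolearning spam as ham?" reply: it shows the 1-in-2000 versus 2-in-2000 case, the jump for a never-seen misspelling, and that a message already scoring near 1.0 can still contribute a new token. It is an added example, not SpamAssassin's algorithm or database format; the smoothing constants, the plain averaging and the constructed corpus are assumptions.

```python
import re
from collections import Counter

S, X = 1.0, 0.5   # assumed smoothing strength and "no evidence yet" prior


class TokenDB:
    """Per-token spam/ham counters; a teaching model only."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    @staticmethod
    def tokens(text):
        # One token per distinct lowercase word (no header tokens here).
        return set(re.findall(r"[a-z0-9']+", text.lower()))

    def learn(self, text, is_spam):
        """Count each token once; return the tokens that were new to the DB."""
        toks = self.tokens(text)
        new = {t for t in toks if self.spam[t] + self.ham[t] == 0}
        if is_spam:
            self.spam.update(toks)
            self.nspam += 1
        else:
            self.ham.update(toks)
            self.nham += 1
        return new

    def token_prob(self, tok):
        """Smoothed P(spam | token), or None if the token was never trained."""
        s, h = self.spam[tok], self.ham[tok]
        if s + h == 0:
            return None
        spam_rate = s / max(self.nspam, 1)
        ham_rate = h / max(self.nham, 1)
        p = spam_rate / (spam_rate + ham_rate)
        n = s + h
        return (S * X + n * p) / (S + n)   # few sightings: pulled toward 0.5

    def score(self, text):
        """Average of the known tokens' probabilities (0.5 if none is known)."""
        probs = [self.token_prob(t) for t in self.tokens(text)]
        probs = [p for p in probs if p is not None]
        return sum(probs) / len(probs) if probs else 0.5


def build_demo_db():
    """Constructed corpus: 2000 ham and 2000 spam messages."""
    db = TokenDB()
    for _ in range(2000):
        db.learn("meeting agenda attached", is_spam=False)
    for _ in range(1999):
        db.learn("cheap pills order online", is_spam=True)
    db.learn("cheap pills meeting", is_spam=True)   # "meeting": 1 spam, 2000 ham
    return db


def training_impact(db, message, token):
    """Return token's probability before and after learning message as spam."""
    before = db.token_prob(token)
    db.learn(message, is_spam=True)
    return before, db.token_prob(token)


if __name__ == "__main__":
    db = build_demo_db()
    msg = "order vjiagmra onlijne meeting"
    print("score before:", round(db.score(msg), 4))
    print("'meeting' before/after:", training_impact(db, msg, "meeting"))
    print("'vjiagmra' after:", db.token_prob("vjiagmra"))
    print("score after:", round(db.score(msg), 4))

    high = "cheap pills order online securfely"
    print("already-high score:", round(db.score(high), 4))
    print("still new to the DB:", db.learn(high, is_spam=True))
```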
Re: [SAtalk] sa-learn spamassassin question
At 12:22 PM 1/27/04 +0100, jean-christophe valiere wrote:
> Hi, I've got a little problem with the mail that is attached. When I try spamassassin -t -D rulesrun=255 mail.txt it is not considered as spam. So I do spamassassin -r -D rulesrun=255 mail.txt and it tells me that Razor already learnt this message but it is not in the report when I test it. I finally decide to do sa-learn --spam mail.txt and it tells me that it doesn't learn anything from the mail. I just use razor2 with spamassassin and would like the mail to be tagged as spam from my bayes and from razor2. Thanks.

1) Training one message alone is not usually enough to flip the bayes score of the message if there is strong evidence in dozens of other messages that the tokens are nonspam.. Look at the bayes token output of spamassassin -D.

2) if the spam in question has a habeas warrant mark, add the habeas swe headers to your bayes_ignore.

3) No one person (short of a cloudmark employee) can declare a message to be spam in razor. Your report counts, but one person alone is generally not enough. Also, make sure you've set up for razor reporting using razor-admin --register.
Re: [SAtalk] How to increase score of this message?
At 07:00 PM 1/26/04 -0800, ricardo wrote:
> Does anyone have any suggestions on how to possibly make SA get a higher score for this type of message? Any new recipes that might improve the scoring?

Quite frankly, that email with all its mis-spelled words should be easy pickings for bayes. Train.
Re: [SAtalk] Re: X-Originating-IP isn't a number
At 07:08 AM 1/23/04 -0600, Who Knows wrote:
> I have been receiving a good many of these lately. I am hesitant to add any rules for them yet because all the ones I have been receiving seem to also contain a list of words that can only be there to spoil Bayesian tracking. Is there any way to avoid adding the spoilers to the spam Bayesian list?

IMO, it's generally a better idea to train bayes poison than to not train it. If you're not training it, you're doing so out of an undue fear and a lack of understanding how bayes really works inside SA.

See my post from 12/24/2003 "Re: [SAtalk] message body consists of random words." for my opinions on the matter:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg28318.html
Re: [SAtalk] help please....cant stop them at all.
At 01:16 AM 1/23/04 -0600, David B Funk wrote:
> Trim off the Bayes poison and relearn it as spam. The payload contains several unique misspellings that would be good Bayes signatures.

Why trim off the bayes poison? Doing so is just poisoning your bayes database in a different way.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg28318.html
[SAtalk] Re: AWL and whitelist question
At 04:40 PM 1/23/04 +0200, snowchyld wrote:
> how do you turn _off_ AWL ?

Depends on version, but in 2.6x it is

    use_auto_whitelist 0

in your config

> also, where would one put sitewide whitelists ? (assuming /etc/mail/spamassassin as default directory)

Any *.cf file in /etc/mail/spamassassin.
Re: [SAtalk] Where is auto_learn?
At 09:39 AM 1/23/04 -0500, John Fleming wrote:
> Where is the auto_learn parameter - which file? tnx

You can specify that value in ANY of the config files that SA parses. So there's no one specific file it belongs in.

If you want to change the value on a site-wide basis, put it in /etc/mail/spamassassin/local.cf (or any .cf file in /etc/mail/spamassassin)

If you want to change it on a per-user-that-executes SA basis, put it in ~/.spamassassin/user_prefs

The default settings are in /usr/share/spamassassin/10_misc.cf, however I would STRONGLY advise not editing any of the files in that directory. If you want to change the value, over-ride it in your local.cf.
Re: [SAtalk] Auto-learn SA after having trained it
At 10:19 AM 1/23/2004, Mark Squire wrote:
> Hi all, I have been training SA manually for a couple of weeks now. I estimate a good 2000 emails for both Spam and Ham have been learned by it. Coupla questions though . . . I want to put it into auto-learn mode because I have only trained it on a few of our employees emails, and not people from the whole company. I think that SA needs to get out more and learn from a broader range of emails (if that makes sense). I wanted to be sure that it is okay to put it into auto-learn mode, even after I have been manually teaching it for a while. What do you good folks think?

Auto-learning is not mutually exclusive with manual training. In fact, if you are using auto learning, you SHOULD use manual training as well.

Auto learning alone does NOT work, and will over time result in a pretty skewed bayes database. It needs some manual training as well.

However, autolearning is quite useful, it's just not good enough to be used without ever training manually.
RE: [SAtalk] doing a kind of ! whitelist_from_rcvd possible ?
At 10:52 PM 1/21/2004, Mitch (WebCob) wrote:
> I've been told this can filter legitimate mail.

Agreed Mitch.. if you read the rest of my message, I had a long warning about that.

> courier added a freemail concept, BUT, the yahoo servers send directly from the webmail appliances, which are not mx's for the domain, and sometimes are not reverse resolvable (setup delays? temporary dns failures?)

Hmm, I'd not thought of that particular form of false check.. However, there's also several others (ie: the ones I suggested before), and any one of them is a good reason not to use this rule with any significant score.
[SAtalk] [RD] Antidrug 0.4 posted
I would have posted this sooner, but the editor I use on my home machine got mangled and won't run. (yay, time for a physical disk test).

Changes:
-Added an optional X to the end of the v-drug test, to catch another spelling.
-Fixed a typo in the mis-spelled c-drug test.
-added a few comments, including contact email.

Get it at: http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

Please direct comments on the ruleset to: [EMAIL PROTECTED]
Re: [SAtalk] Set up
At 08:21 PM 1/21/04 -0600, George Matos wrote:
> I just got my domain name and am trying to setup spam assassin. I have never used it before so I was looking for some setup instructions etc.

What kind of MTA (mailserver software) are you running? What OS/distro are you running it on?
Re: [SAtalk] Help: Still getting through the 2.62
At 01:05 AM 1/22/2004, Thomas Kinghorn wrote:
> I have attached a few mails that are still getting through. These are scoring extremely low. The number of mails like these that slip through is on the increase. Any ideas as to how I can block them? I am using SA2.62, Exim 4.30 (with the exiscan 4.30 patch), SA-exim 3.1 .

A well trained bayes database goes a VERY long way against these. If you can afford the network overhead, DNSBLs, DCC and/or razor help a bit against these, and lots of other unknowns.

Brent's random char ruleset can help, but needs some additional mods to catch the %RND_SYB stuff in the body that you're getting:

http://kepler.acns.bethel.edu/~bjn/spamassassin/rnd_uc_char.cf

ie: you could modify his rule to be something like this:

    body BODY_RND_GENERATOR /\%RND_(?:LC_CHAR|UC_CHAR|SYB|WORD)/
    describe BODY_RND_GENERATOR body contains markups typical of spammer random-word/symbol generators
    score BODY_RND_GENERATOR 2.0
Re: [SAtalk] trouble sending mail to this list
Define "refuses to send it to the list"? Does it bounce, or has it just not shown up yet?

The sourceforge.net lists are on occasion incredibly slow.. 4-hour posting delays are NOT unheard of, although uncommon. Just because it takes a while, don't assume it's not in the queue.. sf.net processes an absolutely insane volume of email.

And AFAIK there's no length limit on posts.. I've seen some 40kbyte postings that have a lot of log output in them.

At 04:41 AM 1/22/2004, you wrote:
> OK, It's official. I've been trying to send a 20-line message for the past hour. You can see that I tried to cut it into chunks and it refuses to send it to the list. Could someone please try and see what's going on ? I don't think i've exceeded my capacity. It's just a 20 to 25-line message. Weird,
Re: [SAtalk] Auto White-Lists
At 08:49 PM 1/22/04 -0600, Chris wrote:
> I'm new to using spamassassin and have a question about auto white-listing. I have a file, auto-whitelist.db in my /var/spool/spamassassin directory however it's empty. The file was created 6 days ago when I installed spamassassin. Should something be in this file?

The awl database normally goes in your home directory and /var/spool/spamassassin doesn't even exist on most installs.. I'm not sure what the autowhitelist.db file in /var/spool/spamassassin is doing. Do you have a user who has that as a home directory or something, or have you over-ridden the user prefs directory?

> I've also created a small manual auto-whitelist.cf file and placed it in my /etc/mail/spamassassin dir with the rest of my .cf files.

Ok, although it's a contradiction in terms to call a manual whitelist auto, there's nothing illegal about that.

> SA doesn't give me any complaints about this but I see nowhere that it's being checked, for instance I have the following line:
> WHITELIST_FROM [EMAIL PROTECTED]

whitelist_from is not spelled with capital letters. I'm not sure if SA will honor it in caps like that. Might I suggest using the spamassassin --lint command to check for syntax errors.

> I have my spam threshold set to 8.0, and the latest mail from this address was given a 7.4. I'd think that since I have it in a manual whitelist that it would automatically be given a clean bill of health.

The manual whitelist should give a -100 score adjustment, by matching the rule named USER_IN_WHITELIST.
Re: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)
At 04:33 PM 1/20/04 +0100, Ralf Vitasek wrote:
> i tested many things with the trusted users settings and googled around but i had no luck so far. except that i stumbled on a posting from this lists archive that makes me think that something is broken and that it would be fixed in the upcoming 2.7 version of SA. i can't say i fully understand the concept of the trusted_networks and when it is supposed to perform the RBL checks.

Theoretically trusted_networks should have nothing to do with it. It's an unrelated setting, with an unrelated behavior. However, this is a bug we are talking about, and bugs are strange at times.

However most people afflicted with this bug are fixed by declaring a trusted_networks (note this is NOT just nated servers. Multi-IPed servers are affected sometimes too, and other non-simple setups).

As a work-around, just TRY it.. Just add this to your local.cf

    trusted_networks 1.1.1.1/32

Replace 1.1.1.1 with the IP address of your mailserver (yes, this IS going to be one of the IP addresses of one of the interfaces on the machine running SA in most cases)

It's not a proper fix, as you shouldn't need to declare a trusted_networks unless you're using multiple hops in your own network. However it's not going to break your config, theoretically trusted_networks should contain this information automatically, you're just forcing it.
Re: [SAtalk] This spam scores too low
At 11:56 AM 1/21/04 +0100, Jürgen R. Plasser wrote:
> Is there any way to get rid (say: score 5) of those mails with SA? Some rules? I have SA 2.61 and the latest Bigevel rules installed.

Well, antidrug is a good start. http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
Re: [SAtalk] bayes should ignore habeas headers?
At 12:37 AM 1/21/04 -0500, Pedro Sam wrote:
> My question, should bayes ignore the habeas headers by default?

Perhaps not by default, but right now it's probably a good idea.

In general, any sudden shift of behavior from something commonly seen only in nonspam to commonly seen in both causes trouble for bayes. The current SWE situation is only a problem because it is scored based on the history of SWE. If I started a fresh new bayes database today and trained it with only fresh email, the SWE headers would be learned as a neutral token.
Re: [SAtalk] 'spamassassin -d' not stripping SA reports from email
At 10:41 PM 1/20/04 -0600, C. Bensend wrote:
> Is the problem that I'm _forwarding_ the tagged emails from one host to the other? I don't have the capability to bounce, I can only forward.

A forwarded message is a brand new message. That brand new message is NOT sa tagged, even though it may contain some SA markups because the other message was tagged.

Once you've forwarded a message, there's generally no way to reconstruct the original. All new headers are created, Mime sections are changed, the body is modified with things like forwarded message from, your mailclient may wind up re-encoding the HTML, etc. To a reader, it looks a lot the same, but to a mailer, it bears little resemblance to the original.
Re: [SAtalk] Spelling mistakes in spam
At 09:51 AM 1/21/2004, Nicholson, Rob wrote:
> We've been looking and trialling No Spam Today which is based upon spamassassin. When we first tried it, it was catching probably 99% of all spam. However, over the past three months this figure has decreased noticeably. It appears to be because spammers are spelling words incorrectly - sometimes completely misspelled but recognisable to a human reader. Does this call into doubt the validity of word/phrase blocking as used in spamassassin?

No, because recent versions of spamassassin also use a Bayes engine, which can be quickly trained for these kinds of things.
Re: [SAtalk] missed spam?
At 10:55 AM 1/21/2004, Paul Diaguila wrote:
> X-Spam-Score: 1.8 BAYES_30,HTML_60_70,HTML_IMAGE_ONLY_02,HTML_MESSAGE,HTML_TAG_BALANCE_BODY,MSGID_GOOD_EXCHANGE,OACYS_CONS_6,RM_rb_ANCHOR,RM_rb_BODY,RM_rb_HTML,RM_sl_Parens,SUBJECT_ENCODED_MY_TEST
> What am I missing?

What version of SA are you running? MSGID_GOOD_EXCHANGE was an exploitable bug for spammers in SA versions 2.50-2.53
Re: [SAtalk] Not able to run sa-learn
At 10:36 AM 1/21/2004, Jody Cleveland wrote:
> I'm running spamassassin 2.62 with MailScanner on redhat 9. What I'm trying to run is this:
> sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --spam --mbox /var/spool/mail/bayes
> But, it just sits there. Sa-learn --rebuild and --force-expire work fine. When I first upgraded from 2.61 to 2.62, it worked great. But, it only worked that one time. Is there something wrong with the command I'm running?

Well, I doubt it's your problem, but the first thing that jumps out at me is it's an extraordinarily bad idea to learn from files that are still in /var/spool/mail. This is because your mailserver could write to it while sa-learn is running... copy or move them elsewhere first, then run sa-learn on them.

I'd suggest turning on debug output with the -D parameter, and see where it gets stuck.
Re: [SAtalk] No To line in header
Well, your rule is pretty wildly off.. ToCc is going to look for a header named ToCc, not To headers and/or CC headers.

    header __TO_EXISTS exists:to
    header __CC_EXISTS exists:cc
    meta NO_TO_OR_NO_CC (!__TO_EXISTS || !__CC_EXISTS)

Or perhaps you want

    meta NO_TO_AND_NO_CC (!__TO_EXISTS && !__CC_EXISTS)

It's not clear which logic you want. The first will trigger if either header is missing, the second will trigger only if both are missing.

At 11:18 AM 1/21/2004, st semps wrote:
> Can someone tell me how to look for no To or CC field in the header. I get several emails sent to me like this and would like to score them. Best I could come up with is
> ToCc !~ /To|cc/i
> Can someone tell me how I'm supposed to do this. Regards Steve
Re: [SAtalk] No To line in header
At 01:02 PM 1/21/2004, st semps wrote:
> You see I thought that ToCc was valid. I thought I had read that somewhere. Obviously I'm wrong.

Actually, it apparently is valid.. my bad.. However, the string returned won't contain the To: or Cc: parts, just the email addresses.
RE: [SAtalk] Not able to run sa-learn
Correction: the rm should rm bayes.lock, not bayes_*.lock. My typo.

At 01:41 PM 1/21/2004, Jody Cleveland wrote:
> Here's what I get:
> debug: Syncing Bayes journal and expiring old tokens...
> debug: lock: 21404 created /etc/MailScanner/bayes/bayes.lock.mystique.winnefox.org.21404
> debug: lock: 21404 trying to get lock on /etc/MailScanner/bayes/bayes with 0 retries
> The trying to get lock on thing continues to repeat itself. Doesn't seem to matter whether MailScanner is running or not. Is something else trying to run that?

Could be a leftover lockfile from a session that crashed. You can forcibly clear the lockfile by:
1) Stop mailscanner, and make sure nothing else like a cron job is going to kick off bayes accesses when you do this
2) rm /etc/MailScanner/bayes/bayes_*.lock
3) restart and off you go
RE: [SAtalk] Not able to run sa-learn
At 01:41 PM 1/21/2004, Jody Cleveland wrote:
> Here's what I get:
> debug: Syncing Bayes journal and expiring old tokens...
> debug: lock: 21404 created /etc/MailScanner/bayes/bayes.lock.mystique.winnefox.org.21404
> debug: lock: 21404 trying to get lock on /etc/MailScanner/bayes/bayes with 0 retries
> The trying to get lock on thing continues to repeat itself. Doesn't seem to matter whether MailScanner is running or not. Is something else trying to run that?

Could be a leftover lockfile from a session that crashed. You can forcibly clear the lockfile by:
1) Stop mailscanner, and make sure nothing else like a cron job is going to kick off bayes accesses when you do this
2) rm /etc/MailScanner/bayes/bayes_*.lock
3) restart and off you go
Re: [SAtalk] Why won't SA see my user_prefs?
At 02:00 PM 1/21/2004, [EMAIL PROTECTED] wrote:
> The spam I was trying to catch doesn't seem to be going through the rules I added. What else do I have to do?

I'd start off with a run of spamassassin --lint to make sure you don't have a typo.

After that, if it still doesn't work check the debug output with spamassassin -D --lint.. Is it really reading the local.cf and user_prefs files you think it is? The top of the debug output can be quite revealing here.
Re: [SAtalk] doing a kind of ! whitelist_from_rcvd possible ?
At 04:56 PM 1/21/2004, you wrote:
> Hi SA offers the possibility of having a smarter whitelist which whitelists only if the sending relay is related to the sending email, like
> whitelist_from_rcvd [EMAIL PROTECTED] example.com
> is there a possibility to somehow do the opposite, ie blacklist [EMAIL PROTECTED] only if the relay is NOT related to the example.com domain

There's no keyword for it, but you could do this with a couple of custom rules. For example:

    header __FROM_HOTMAIL From =~ /hotmail\.com/i
    header __RCVD_HOTMAIL Received =~ /hotmail\.com/i
    meta LOCAL_FROM_NOT_RCVD_HOTMAIL (__FROM_HOTMAIL && !__RCVD_HOTMAIL)
    score LOCAL_FROM_NOT_RCVD_HOTMAIL 1.0

> as much of these big freemail addresses (yahoo, netscape, mail, etc) are spoofed anyway. For example, i see a lot of @yahoo.com emails coming from everywhere, except from yahoo.com's servers

That's actually not surprising, nor entirely illegitimate.. It's quite reasonable, legitimate, and commonplace for a freemail subscriber to send via a server other than the freemail provider.

For example, when I send email using my yahoo address, I usually send it via my primary ISP's MTA. I do that mostly because relaying via the yahoo server causes ads to be appended to my email, whereas my ISP does not. (and being a subscriber of that ISP I am an authorized user of their relay. No relay abuse or anything falsified has occurred here).

> could this maybe be a supplemental test to include in an ulterior version of SA

Hmm. That may be dictionary correct, but I'd not use the word ulterior there... Ulterior is most commonly used in a manner which implies deception.

But perhaps it may be a test in a future version of sa.. however I suspect the S/O performance of the rule will not be sufficiently high for it to be kept (rules without a very good S/O ratio are dropped from SpamAssassin prior to the final GA runs). It will likely match too much non-spam mail to make the cut.
Re: [SAtalk] Surprise mail from myself
Why not change your domain whitelist to a whitelist_from_rcvd command, instead of whitelist_from. You'll avoid the forgery problem outright.

At 04:43 PM 1/21/2004, Brad Hazledine wrote:
> Has anyone written a rule that catches mail supposedly sent by yourself to yourself? Example here...
> Received: from WIN-SYEZX91ADBP ([61.50.222.200]) by fargo.caledoncard.com (8.12.10/8.12.10) with SMTP id i0L6pDT5006761 for [EMAIL PROTECTED]; Wed, 21 Jan 2004 01:51:14 -0500
> Message-ID: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED] [EMAIL PROTECTED]
> To: [EMAIL PROTECTED] [EMAIL PROTECTED]
> I whitelist everything from our own domain due to the fact that reports were constantly getting marked as spam for one reason or another. Therefore this triggers the whitelist and the spam gets through. It is starting to become more frequent. I have tried to write a rule that says if it is from yourself to yourself but not received from your server then clobber it. However, the rule seems to pick up the by fargo.caledoncard.com in the header and thinks that all is well. If anyone out there has encountered this and found a way around it then I would appreciate some input. Thanks. Brad
Re: [SAtalk] Surprise mail from myself
At 06:56 PM 1/21/2004, Kelson Vibber wrote:
> I suspect he did:
> At 04:43 PM 1/21/2004, Brad Hazledine wrote:
>> However, the rule seems to pick up the by fargo.caledoncard.com in the header and thinks that all is well.

No, he did not use whitelist_from_rcvd. If you bring in more context, rather than use whitelist_from_rcvd, he wrote his own rule. So he re-invented whitelist_from_rcvd, and did it badly.

Re-quoting him with more context:
> I have tried to write a rule that says if it is from yourself to yourself but not received from your server then clobber it. However, the rule seems to pick up the by fargo.caledoncard.com in the header and thinks that all is well.
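The failure described in this thread (a Received match that fires on the receiving "by" host) and in the earlier hotmail rule (a domain match anywhere in Received), next to a check of the connecting relay only, as an added Python sketch that is not part of any post here and is not SpamAssassin's code. All hosts, addresses and messages are constructed, and it assumes the newest Received header was written by your own MX, here the hypothetical mx.example.com.

```python
import re
from email import message_from_string

# "from HELO (rdns [ip]) ... by HOST", as written by sendmail-style MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>[^\s;]+)",
    re.I | re.S,
)


def parse_received(value):
    """Split one Received header into helo / rdns / ip / by (lower-cased)."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if m is None:
        return None
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


def in_domain(host, domain):
    """Label-boundary suffix match, so example.com.other.test does not count."""
    host = (host or "").rstrip(".").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def naive_received_check(msg, domain):
    """Models a rule of the form `Received =~ /domain/i` over every header."""
    pattern = re.compile(re.escape(domain), re.I)
    return any(pattern.search(h) for h in msg.get_all("Received", []))


def relay_check(msg, domain, our_mx):
    """True only when the host that connected to our MX has rDNS in `domain`."""
    received = msg.get_all("Received", [])
    if not received:
        return False
    hop = parse_received(received[0])      # newest header: the one we wrote
    if hop is None or hop["by"] != our_mx.lower():
        return False                       # fail closed on anything unexpected
    return in_domain(hop["rdns"], domain)  # HELO is sender-controlled, ignore it


def evaluate(raw, domain="example.com", our_mx="mx.example.com"):
    msg = message_from_string(raw)
    return {"naive": naive_received_check(msg, domain),
            "relay": relay_check(msg, domain, our_mx)}


TAIL = "From: user@example.com\nTo: user@example.com\nSubject: constructed\n\nbody\n"

# Constructed: outside host with no rDNS, plus a forged older Received line.
FORGED_SELF = (
    "Received: from WIN-HOST ([198.51.100.200]) by mx.example.com"
    " (8.12.10/8.12.10) with SMTP id CONSTRUCTED1; Wed, 21 Jan 2004 01:51:14 -0500\n"
    "Received: from mail.example.com (mail.example.com [192.0.2.10])"
    " by relay.example.net with ESMTP; Wed, 21 Jan 2004 01:50:00 -0500\n" + TAIL
)
# Constructed: HELO claims our domain, but the MX recorded rDNS "unknown".
FORGED_HELO = (
    "Received: from mail.example.com (unknown [198.51.100.7]) by mx.example.com"
    " with SMTP id CONSTRUCTED2; Wed, 21 Jan 2004 02:00:00 -0500\n" + TAIL
)
# Constructed: genuine internal relay handing the message to the MX.
LEGIT = (
    "Received: from mail.example.com (mail.example.com [192.0.2.10])"
    " by mx.example.com with ESMTP id CONSTRUCTED3; Wed, 21 Jan 2004 02:05:00 -0500\n"
    + TAIL
)

if __name__ == "__main__":
    for name, raw in (("forged-self", FORGED_SELF), ("forged-helo", FORGED_HELO),
                      ("legit", LEGIT)):
        print(name, evaluate(raw))
```

The relay check is only as good as the rDNS value your MTA records; it adds no DNS verification of its own.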
Re: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)
At 09:02 PM 1/19/04 +0100, Anders Sveen wrote:
> I'm actually listed because it originates from a dynamic ip-range. Nothing more. It surprises me that they list ip's for only being dynamic, but then I discovered the way RBLs are being used by mailservers and then it actually made sense. It doesn't make sense the way SA uses it. :)

Actually the way SA uses it does make perfect sense, but you've overlooked one detail. You believe that SA checks all IPs against ALL rbls.. That's not true..

It checks most RBLs against all IP addresses, but a few (ie: dynablock) are configured with notfirsthop, causing them to skip the first IP in the list.

However, the root-rule, RCVD_IN_SORBS, must be run against them all, because some of the sub-tests are not based on dynamic listings. This is why RCVD_IN_SORBS has almost no score to it. RCVD_IN_DYNABLOCK (a sorbs-based-test) won't match when the mail is relayed properly.

(note: all of the above assumes that spamassassin is configured properly. MANY mail system admins have problems with SA and have failed to insert their own server's IP address into trusted_networks when they need to. Note that this is their server, not the dialup ISP's server.. SA must trust itself for notfirsthop to work. SA tries, but some network configs (ie: nat) cause SA to fail to trust even localhost)
Re: [SAtalk] how many spam/ham do I have in my bayes db?
At 12:27 PM 1/20/04 +, Adrian Simmons wrote:
> Is there an easy way to get a total of the spam/ham in the bayes db? I've noticed the total come up in the log when running SA in debug mode, and one could probably dump the db and go hunting for the magic numbers, but is there really nothing easier, no sa-learn commands?

How about:

    sa-learn --dump magic
Re: [SAtalk] Header Test (RBL) Question
At 09:13 AM 1/20/04 -0500, David Roback wrote:
> debug: DNS MX records found: 0
> <snip>
> Shouldn't I be seeing more than 1 query for all messages?

Hmm.. looks like your DNS is flaking out.. I'm pretty sure you should always have at least one MX success from the DNS_AVAILABLE test... What happens further up when SA is trying to determine if DNS is available?
Re: [SAtalk] Custom Subject rules not being picked up
Are you sure you want that rule to be case sensitive, lower-case only? Try

    header SUBJECT_VICODIN Subject =~ /\bvicodin\b/i

(note the added i at the end)

At 11:48 AM 1/20/04 +, David Logan wrote:
> header SUBJECT_VICODIN Subject =~ /\bvicodin\b/
> describe SUBJECT_VICODIN Mentions vicodin
> score SUBJECT_VICODIN 4.0
> (I took this example from Chris' site http://sandgnat.com/cmos/cmos.jsp )
> Restart spamd and send test mail, but it doesn't get tagged...(4.0 score will rewrite the subject)
Re: [SAtalk] bigevil location
At 11:49 AM 1/20/04 +0800, Fritz Mesedilla wrote:
> Hello folks! I wanted to update my bigevil list but when I did a locate on them I got this:
> /var/amavis/.spamassassin/bigevil.cf
> /etc/mail/spamassassin/bigevil.cf
> Now I really forgot where the correct location is. Both files are identical. I know bigevil list is being used because I can see them in the reports. Can you tell me which one is the correct location?

/etc/mail/spamassassin. /var/amavis/.spamassassin/ is your user_prefs dir, and SA won't read any rule files other than user_prefs from there.
Re: [SAtalk] What's up with OPT_HEADER rule?
At 09:54 PM 1/19/04 -0500, Barry Jaspan wrote:
> The OPT_HEADER (in 2.5x and 2.6x) rule does not make much sense to me:
> header __OPT_HEADER_SUBJ ALL =~ /^(?:Resent-)?Subject:.*opt.?(in|out|oem|ed|ion-in|[EMAIL PROTECTED])(?:\b|\d|\@)/im
> header __OPT_HEADER_ALL ALL =~ /opt.?(?:in|out|oem|ed|ion-in|[EMAIL PROTECTED])(?:\b|\d|\@)/i
> meta OPT_HEADER (__OPT_HEADER_ALL && !__OPT_HEADER_SUBJ)
> describe OPT_HEADER Headers include an opted phrase
> It triggers on a message that has an opt phrase in the headers but *not* in the subject. So, a spammer can avoid the rule by putting opt-out in the Subject.

Aye... I think the intention was to check if it was present anywhere other than the subject.. mostly because it matches opted.. which might exist in a real subject. However, the implementation is slightly different than the intention, but at least it leans towards missing.

> Also, this rule triggers on all mail into and out of the domains opt2.net, opt2.biz, and opt2.com, a company that claims to be a non-spamming web host provider. Was this rule intentionally targeted at these domains (the description doesn't indicate so)?

I think it was written to target [EMAIL PROTECTED] and friends. This rule does have some odd-ball collateral damage cases and probably needs some tweaking. Much like the FROM_ENDS_IN_NUMS and related rules.
Re: [SAtalk] Schools Slapped? FVGT
At 08:49 AM 1/20/04 -0600, Scott Williams, Area4 wrote:
> I just started using the FVGT rules and got this FP. Do I understand this right, the rule below penalizes (scores high) anyone with a .us domain?

Yes, but it only penalizes them when used in a web-page link. Your From: address, etc won't cause it to trigger.

Bear in mind, not every add-on rule is applicable to everyone (or even anyone at all). The rules are human written, based on human assumptions. The author of FVGT is obviously not heavily involved in local governments and/or schools.

And for a system admin account, that rule seems reasonable.. when is a postmaster ever going to get a legitimate email with a link to a school website? For the home email account of a parent that subscribes to a school newsletter, it's probably not a good idea.

Heck, even some of the official rules have FP cases that need tweaking, and they've generally been subjected to a significantly larger corpus run than most of the exit0.us rules have.
Re: [SAtalk] changing the description text of tagged messages
At 10:50 AM 1/20/2004, Ricardo Kleemann wrote:
> Hi, How can I change the text that is included in tagged messages, that includes the servername and also includes my email address?

    perldoc Mail::SpamAssassin::Conf

See the report and clear_report_template options. (note: don't edit 10_misc.cf.. the docs are telling you to use it as an example.. put your version in your local.cf and it will over-ride the one in 10_misc.cf, provided you have a clear_report_template command first)
[SAtalk] [RD] Antidrug 0.3 posted
Changes:
-now catches some gapped-and-obfuscated v-words. on a test-list of 100 v-word spellings v 0.2 caught 37 of them. v 0.3 catches 65. more improvements in the works. (thanks for the list Gary)
-comments at top have a link to where the file comes from

The ruleset is located at: http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

General commentary and questions about this ruleset should be directed to my home address ([EMAIL PROTECTED]), or to the sa-talk mailing list.
Re: [SAtalk] Enable localized rule descriptions
If you want your server to be in german, tell it.

export LANG=de

note: this may affect other programs on the system that are language-smart as well.

At 12:01 PM 1/20/2004, Christopher Kunz wrote:
just a quick question: How do I enable localized rule descriptions? There's a lot of german rule descriptions in the stock SA distribution, but they're not used on my (german) mail server setup. Do I miss a point?
Re: [SAtalk] SA-learn with multiple users
At 12:14 PM 1/20/2004, Kenneth Andresen wrote:
Will SA-learn filter all mails for everybody using the same rules, or how can it work with different rule set for each user/mail account?

by default bayes databases and rulesets are specific to the user that executes SA (note: that's execution, which might not be the same as the recipient). Thus separate user bayes db's can be obtained by executing SA as the user whose mail it is, or using the -u parameter to spamc.

It should also be noted that we use pop3 accounts, what are the best practices for reporting incoming mail as being good and bad? Can it be done by creating [EMAIL PROTECTED] and [EMAIL PROTECTED] mail accounts and forward the mails there?

via forwarding, never. However, some mail clients have a bounce feature that will work. What is important here is that the message get to sa-learn without change to the headers. A normal forward will rewrite all new message headers, making it invalid to train with that message. see the FAQ for more http://wiki.spamassassin.org
Re: [SAtalk] Subjects not marked as spam anymore
At 12:24 PM 1/20/2004, Pat Traynor wrote:
Spamassassin a couple of times, and I have to suspect that a new version changed things. Is this something that I can configure somewhere?

start off with spamassassin --lint

I suspect you've got some old and invalid things like defang_mime that are causing SA to spit out some of your configfiles.
Re: [SAtalk] URI Rules
sounds like you're making your own version of bigevil.cf. Chris S found that memory usage was greatly reduced by using regex combos to reduce the number of rules.

At 12:31 PM 1/20/2004, Dan Kennedy wrote:
How efficient are URI rules? I am probably going to have several hundred of these rules, and I'm wondering if that will cause a problem. I'm guessing I will have between 300 and 600 rules. Is anyone else running this many URI rules? And does it cause any big performance issues? The rules won't have any wildcards, just basically a big blacklist of URLs found in SPAM.
Re: [SAtalk] Automated ruleset download
At 01:52 PM 1/20/2004, JRiley wrote:
Just curious, if there is a script (be it perl or otherwise), that anyone has written, that will perform an automated 'download' of the different SARE (or other) SA rulesets? I wouldn't think this would be too difficult to do, and have a scheduled restart of the MTA calling SA to implement it.

RulesDeJour handles updating the add-on rulesets: http://www.exit0.us/index.php/RulesDeJour

There's no good way to auto-update the main ruleset.. upgrading that set means upgrading the code as well, since the two are heavily inter-related. See: http://wiki.spamassassin.org/w/VirusScannerTypeUpdates
Re: [SAtalk] how many spam/ham do I have in my bayes db?
At 03:36 PM 1/20/2004, Adrian Simmons wrote:
Ralf Vitasek wrote:
in case you have SA 2.6x then just type sa-learn --dump magic

Ah, yes, exactly. And now that I re-read the man page that seems obvious. I put my lack of understanding down to the non-intuitiveness of the term 'magic' :) Well, at least for me.

The above statement is rather amusing when you re-read your original question..

one could probably dump the db and go hunting for the magic numbers

Apparently you only subconsciously knew what the term magic meant :)

Thanks to Ralf and Matt who both suggested this.

YW.
Re: [SAtalk] Dump bayes db please explain the columns
At 04:25 AM 1/19/2004, Mrvka Andreas wrote:
hi, i've made a dump of my bayes db but i don't know exactly the columns. please explain them. thanks. Andrew

Let's use this fictitious example line:

0.029 0 2 1071094490 word

The above line indicates:
- 0.029: the calculated spam probability is 0.029 (aka 2.9%) for this token.
- 0: this has been seen 0 times in spam training
- 2: this token has been seen 2 times in nonspam training
- 1071094490: a timestamp, used when doing expiry so that the oldest are the ones pushed out.
- word: the token itself
Re: [SAtalk] Help with report pse
At 10:40 AM 1/19/2004, John Fleming wrote:
Does that use timing from the sender's computer time, ISP times, or what?

It compares the date and time of the Date: header against the timestamps added into the Received: headers by the various mail relays. since the error is in the 6-12 hour range, I suspect it's a matter of someone having the wrong timezone set on their PC.. but it's only 0.6 points, not exactly anything to worry much about.

Who is likely the open proxy - Earthlink That seems unlikely...?

206.148.108.26 is the IP address reported as an open proxy. Doing a RDNS on that IP:

Host name: 26-pool1.ras10.inind-ch1.alerondial.net
IP address: 206.148.108.26
Alias(es): None

It looks like a dialin node that earthlink is renting from someone else (you do realize that earthlink doesn't do their own dialup nodes, right?). It's possible that aleron has an open proxy on that IP address.. it's also possible that someone dialed in on that IP and had an open proxy on their machine and stayed dialed in to that IP long enough to get listed in DNSBLs (highly unlikely). You can read more about the listing by following the DSBL link: http://dsbl.org/listing?ip=206.148.108.26 It was apparently listed on Jan 6th as a result of a successful socks4 proxy relay test.
Re: [SAtalk] /etc/mail/spamassassin/local.cf is ignored
At 11:16 AM 1/19/2004, Claude Frantz wrote:
But when messages are passed via sendmail (dual config) and amavis, the config file in /etc/mail/spamassassin/local.cf is not used. What is wrong here ?

what signs of said failure are you seeing? Keep in mind that any spam-markup changes you apply to local.cf are irrelevant. amavis does its own spam markups and does not use the markup generated by spamassassin. It only calls SA to generate a spamscore and a list of hits.
Re: [SAtalk] habeas problems
One more suggestion, in addition to reducing the score for HABEAS_SWE, if you use bayes, I'd suggest telling bayes to ignore SWE headers.

bayes_ignore_header X-Habeas-SWE-1
bayes_ignore_header X-Habeas-SWE-2
bayes_ignore_header X-Habeas-SWE-3
bayes_ignore_header X-Habeas-SWE-4
bayes_ignore_header X-Habeas-SWE-5
bayes_ignore_header X-Habeas-SWE-6
bayes_ignore_header X-Habeas-SWE-7
bayes_ignore_header X-Habeas-SWE-8
bayes_ignore_header X-Habeas-SWE-9
Re: [SAtalk] habeas problems
At 11:27 AM 1/19/2004, Ron Culler wrote:
I'm having problems with forged headers allowing email with the habeas tags. What is the best way to force a score for habeas tagged email? I use spamassassin with spamd and sql based user black/white lists but a common bayes db.

put something similar to this in your /etc/mail/spamassassin/local.cf:

score HABEAS_SWE -1.0

and restart spamd when you are done. Default is -8.0.. but with the forgeries, many are going to 0. I'd caution strongly against assigning a positive score, as many people (ie: Theo) do use it on most of the mail they send. I'd also advise noticing that all the SWE abuse so far is from pharmacourt.. a simple rule looking for that name in text, and another looking for it in a uri goes quite far. You might also want to look at the antidrug ruleset. http://mywebpages.comcast.net/mkettler/sa/antidrug.cf
Re: [SAtalk] Razor issue on Debian
At 03:02 PM 1/18/04 +0100, Erik van der Meulen wrote:
I get: debug: Razor Agents 1.20, protocol version 2.

razor 1.20 is a very old version of razor, and 1.x versions are no longer supported by SA. try getting razor 2.36 and applying the taint-safeness patch.
Re: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)
At 11:22 PM 1/18/04 +0100, PieterB wrote:
What's the best practice preventing this? Changing SpamAssassin in some way, masquerading/munging Received-headers, or something else?

1) work with the RBL to get de-listed
2) change ISPs to move your IP to a different block.

And that's about it.. The fact that SA notices that a source IP is listed, even though you use a legitimate mail relay, is NOT a bug. It's intentionally designed to do that. However, listing in a single RBL really shouldn't cause you any significant problems communicating with people who use SA. The threshold is 5.0 and for example, the person you linked to was complaining about RCVD_IN_SORBS. SORBS is a very low collateral damage list. The person posting is likely listed because his/her source IP is a zombie (ie: stolen or transferred in an illegal manner) or it's got an open proxy on it. If it's got an open proxy, they can fix it and submit the IP for retesting.. if the IP address is stolen and listed in the zombie block, they should be VERY wary of their ISP. They've obviously been buying IP blocks on the grey/black market.
RE: [SAtalk] [RD] antidrug 0.2 available
Whoops. I announced the previous rev the day before I announced 0.2, so I didn't think I needed to repost the link

http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

At 07:17 PM 1/18/04 -0500, you wrote:
From where?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Kettler
Sent: Saturday, January 17, 2004 12:06 AM
To: Spamassassin-Talk
Subject: [SAtalk] [RD] antidrug 0.2 available

Fixes a few minor issues:
1) corrected spelling of sildenafil citrate.
2) added vigara to the v-word mis-spelling list
3) added optional leading and trailing gap-characters to the gapped versions of rules.
4) added some gapped and obfu versions of Cilais
5) added some commentary
Re: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)
At 08:23 PM 1/18/04 -0500, Gerry Doris wrote:
My ip is listed in SORBS for the simple reason that it is in a dynamic block of addresses administered by my ISP. SORBS just states that I should use my ISP mail server which I already do. Since SORBS only adds 0.10 to the spamassassin total I'm not concerned.

Aye, and it's a byproduct of the SORBS system now having a dynamic IP list as a part of their overall list (dynablock). RCVD_IN_SORBS just means your IP is listed in any one of the lists.. that's why the score is so low. The actual point-hit is supposed to come from a specific list rule.

DynaBlock was adding 4.00 and if I remember correctly spamassassin had a problem where it was ignoring the fact that I was using my ISP's server.

That is a bug. SA is supposed to skip dynablock checks on the first IP.. Anyone whose copy of SA is incorrectly checking dynablock against the originating hop needs to set a trusted_networks statement by hand to work around the issue. (From what I've read in bugzilla the actual bug has to do with SA's automatic assessment of trusted_networks getting confused and declaring that there are no trustable servers, not even the local IP. Typically happens for servers that are NATed or otherwise inside a private network with a 10.*, 192.168.* or other non-routable IP address)
RE: [SAtalk] SpamAssassin checks on Received headers (and RBL's such as RCVD_IN_SORBS)
At 05:49 PM 1/18/04 -0800, Mitch \(WebCob\) wrote:
Problem with this fix is it only fixes things for my users locally - when my users send mail to someone else, they would have to set the same networks as trusted.

This is untrue.. What ALL affected admins must do is set trusted_networks to _their own_ server.. not having anything to do with the source. Of course, you can't fix other people's broken servers, but they do NOT need to enter your IP to fix the dynablock mislisting bug. ie: at my work xanadu.evi-inc.com was tripping dynablock on messages from my comcast account.. xanadu is a NAT'ed server. I had to add the following line to xanadu's local.cf to stop the misfire. (note here 192.168.xx.xx is the IP address of xanadu's ethernet interface, which static maps to a public IP as it goes through a NAT router).

trusted_networks 192.168.xx.xx/32

That's got nothing to do with trusting any of comcast's IPs.. and applying that one line fixed _all_ the mis-checked dynablocks.
Re: [SAtalk] adding rules changes Bayes?
At 07:56 AM 1/16/04 -0500, Theodore Heise wrote:
cat tmp | formail -s sendmail theo

Apparently this must process the mail differently than the normal receiving routine. If I use bounce in Pine, the Bayes results are approximately the same as before adding the new rules. I don't quite understand the difference, but would welcome any explanations folks might care to offer.

Hmm, does formail wind up generating a new set of message headers? Typically this is what happens.. If you want to reliably retest a message as you make changes, don't email it anywhere.. instead, just run it through SA directly:

spamassassin -t tmp

(note: the -t will force SA to generate a spam report, even if the message isn't over the threshold. The full report is quite useful when testing however)
Re: [SAtalk] Creating rules for the following
At 09:03 AM 1/16/04 -0500, Segree, Gareth wrote:
Text = Rule
1) Received: from [109.42.168.192] by 24.193.45.130 with HTTP = Received =~ /with HTTP/i

That works..

2) Subject: ?ISO-8859-1? = Subject =~ /(ISO-8859|iso-8859)/ (score = 3.0)

Won't work.. that's a character encoding tag which will be decoded normally, use Subject:raw =~ instead. NEVER use | to get character insensitive searches unless you explicitly do not want to match mixed-case versions.. just append i after the last slash. I can't see any reason to waste CPU time looking for ISO or iso, when really a single case-insensitive search for iso will work fine. I'd also suggest including the ?'s, but you need to precede them with a \ to prevent them from being interpreted as part of the regex. Improved rule:

Subject:raw =~ /\?ISO-8859\?/i

3) X-Authentication-Warning: iwdwgt vbwss kiyixtg = exists:X-Authentication-Warning (score 2.75)

Valid, but I would NOT give this such a high score.. lots of nonspam mail has these warnings. ie: my monthly MCI bill has such a warning, some people who email me generate one too.

Are the above correct?

Mostly

Will I bounce legit mail with it?

I'd really recommend running these rules in a test phase with scores no greater than 1.0.. after you've seen what they do and do not match on, you can bump the score up. I also prescribe a dose of reading the rule-writing guide: http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt
Re: [SAtalk] SpamAssassin Check
At 10:03 AM 1/16/04 +0530, Rahul Baweja wrote:
Hi, How can i check if the Spam Assassin is working or not?

send yourself a GTUBE: http://www.spamassassin.org/gtube/
Re: [SAtalk] Failed to parse
At 09:55 AM 1/16/2004, Michael H. Collins wrote:
line in Spamassassin configuration, skipping: report_header 1
Failed to parse line in Spamassassin configuration, skipping: defang_mime 0
snip
but it has been working for a couple of months through upgrades. And those lines look good in the local.cf

Those lines are most definitely NOT good in local.cf. defang_mime and report_header stopped being supported in SpamAssassin version 2.50. report_safe is the replacement..
[SAtalk] [RD] Anti-drug.cf now available
Due to the fun of online pharmacies, I've made this ruleset in my spare time. http://mywebpages.comcast.net/mkettler/sa/antidrug.cf It's not perfect, and needs some cleanup and some more obfuscated variants added in. However some of the rather abusive pill-spammers of late have made me decide to ship this out a bit early. Enjoy. Please send feedback about the ruleset itself to the list, or to my home address: [EMAIL PROTECTED]
Re: [SAtalk] [RD] Anti-drug.cf now available
Due to the LARGE number of emails coming in citing the same suggestion, I'll publicly explain one of the rules. I very much on purpose did not use . for __DRUGS_MALEDYSFUNCTION7 and __DRUGS_MALEDYSFUNCTION8. I very purposefully match \W in one, and _ in the other. Between the two it will match any gapping other than alphanumerics. My reason for explicitly not using the . wildcard as my gapping character is I did not want to potentially false positive on PGP signatures, which could legitimately contain things like this: Df53vXipA4gQrAmgQazB which would false positive on the suggested v.i.a.g (etc etc) regex.
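The false-positive argument in the message above, as an added example that is not part of the original post and is not taken from antidrug.cf. The patterns are constructed from the four-letter fragment quoted in the post; `gapped`, `dot_rule_hit`, `two_rule_hit` and the sample strings are assumptions made for the illustration.

```python
import re

# Constructed illustration; these patterns are NOT the rules in antidrug.cf.
# The PGP-like string is the one quoted in the post.
PGP_LIKE = "Df53vXipA4gQrAmgQazB"


def gapped(letters, gap):
    """Case-insensitive regex with exactly one `gap` match between letters."""
    return re.compile(gap.join(re.escape(ch) for ch in letters), re.IGNORECASE)


# The suggestion the post argues against: any character may be the gap.
DOT_GAP = gapped("viag", ".")

# The approach the post describes: one pattern gaps on \W, another on "_".
# "_" is a word character, so the \W pattern alone never matches it.
NONWORD_GAP = gapped("viag", r"\W")
UNDERSCORE_GAP = gapped("viag", "_")


def dot_rule_hit(text):
    """True if the dot-gapped pattern matches anywhere in text."""
    return DOT_GAP.search(text) is not None


def two_rule_hit(text):
    """True if either the non-word-gapped or the underscore-gapped pattern matches."""
    return bool(NONWORD_GAP.search(text) or UNDERSCORE_GAP.search(text))


# Constructed sample inputs: gapped spellings, the PGP-like run, plain text.
SAMPLES = [
    "v-i-a-g-r-a",
    "V.I.A.G.R.A",
    "v i a g r a",
    "v_i_a_g_r_a",
    "v*i*a*g*r*a",
    PGP_LIKE,
    "plain text without the word",
]


def compare(samples=SAMPLES):
    """Return (sample, dot_rule_hit, two_rule_hit) for each sample."""
    return [(s, dot_rule_hit(s), two_rule_hit(s)) for s in samples]


if __name__ == "__main__":
    for sample, dot, pair in compare():
        print(f"{sample!r:32} dot={dot!s:5} nonword/underscore={pair}")
```

Both approaches catch the punctuation-gapped spellings; only the dot version also fires on the alphanumeric run, because letters and digits can stand in as the gap.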
Re: [SAtalk] Acronym Update
At 01:13 PM 1/16/2004, Carl Chipman wrote:
For the new people on the list, I was wondering what the following acronyms mean:

LART

Luser Attitude Readjustment Tool. See http://www.catb.org/~esr/jargon/html/L/LART.html

UBE/UCE

Unsolicited Bulk Email / Unsolicited Commercial Email.
Re: [SAtalk] RBL Check and logfile question
At 04:26 PM 1/16/2004, David Roback wrote:
spamd[28929]: debug: RBL: success for 1 of 1 queries
snip
There is a line for a RBL query, but shouldn't the RBL tests show up in the tests line in the debug log? If RBL is not running site wide, any ideas why?

The thing that strikes me most about that line is that it's 1 of 1 queries.. That sounds like most of the RBLs are disabled in your global config.. presumably by having their score zeroed. For example, my system generates:

debug: RBL: success for 13 of 13 queries

I'd suggest checking your global config, and also run spamassassin --lint sometime. Note: make sure you check the config of the correct user!
[SAtalk] [RD] antidrug 0.2 available
Fixes a few minor issues:
1) corrected spelling of sildenafil citrate.
2) added vigara to the v-word mis-spelling list
3) added optional leading and trailing gap-characters to the gapped versions of rules.
4) added some gapped and obfu versions of Cilais
5) added some commentary
Re: [SAtalk] HABEAS_SWE
At 08:34 AM 1/15/04 -0500, Jeff Fulmer wrote:
Why does HABEAS_SWE score -8.0? EVERY message that I receive that matches that criteria is spam. I've since added 16 points to HABEAS_SWE.

Read the archives of this list.. this has been discussed almost nonstop since the weekend... or read www.habeas.com Currently a spammer is abusing the warrant mark. I'd also be hesitant to say *every* message with the mark is spam.. At least one of the SA-devels (Theo) puts it on most of his messages.
Re: [SAtalk] Spam confuses bayes auto_learn
At 11:14 AM 1/15/04 +0100, Gunther Heintzen wrote:
X-Spam-Status: No, hits=2.6 required=3.9 tests=FORGED_HOTMAIL_RCVD2, HTML_MESSAGE autolearn=ham version=2.61
It should be autolearn=no because hits=2.6 is between 0.1 and 12.0

Autolearning is not based on the normal message score, it's based on the score calculated as if bayes were disabled. This includes shifting to a different scoreset, and the differences can be dramatic. For example:

score HTML_MESSAGE 0.160 0.001 0.100 0.100
score FORGED_HOTMAIL_RCVD2 0.051 0 1.884 2.499

If you have network checks in use, the auto learning score of this email was 0.001.
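The score-set shift described in the message above, worked through with the two score lines it quotes, as an added example that is not part of the original message or SpamAssassin's own code. It assumes the column order given in the Mail::SpamAssassin::Conf documentation (no Bayes and no net, net only, Bayes only, Bayes and net) and the 0.1 and 12.0 thresholds mentioned in the quoted question; the function names are hypothetical, and real autolearning applies further conditions that are left out here.

```python
# Score lines exactly as quoted in the post.
SCORE_LINES = """\
score HTML_MESSAGE 0.160 0.001 0.100 0.100
score FORGED_HOTMAIL_RCVD2 0.051 0 1.884 2.499
"""

# Tests listed in the X-Spam-Status header quoted in the post.
TESTS_HIT = ["FORGED_HOTMAIL_RCVD2", "HTML_MESSAGE"]


def parse_scores(text):
    """Parse 'score NAME v0 [v1 v2 v3]' lines into {NAME: [v0, v1, v2, v3]}."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        values = [float(v) for v in parts[2:6]]
        if len(values) == 1:
            values = values * 4          # a single score applies to every set
        if len(values) != 4:
            raise ValueError(f"expected 1 or 4 scores: {line!r}")
        table[parts[1]] = values
    return table


def scoreset(bayes, net):
    """Score-set index: bit 0 = network tests on, bit 1 = Bayes on."""
    return (2 if bayes else 0) | (1 if net else 0)


def total(table, tests, set_index):
    """Sum the scores of the tests that hit, using one score set."""
    return round(sum(table[name][set_index] for name in tests), 3)


def autolearn(table, tests, net, ham_below=0.1, spam_at=12.0):
    """Autolearn decision from the score computed as if Bayes were disabled.

    Simplified: only the score-set shift and the two thresholds are modelled.
    """
    learn_score = total(table, tests, scoreset(bayes=False, net=net))
    if learn_score < ham_below:
        verdict = "ham"
    elif learn_score >= spam_at:
        verdict = "spam"
    else:
        verdict = "no"
    return learn_score, verdict


if __name__ == "__main__":
    scores = parse_scores(SCORE_LINES)
    reported = total(scores, TESTS_HIT, scoreset(bayes=True, net=True))
    print("reported hits (Bayes + net):", reported)
    for net in (True, False):
        print("net checks", "on " if net else "off", "->",
              autolearn(scores, TESTS_HIT, net=net))
```

With network checks on, the message reports about 2.6 points but its autolearn score is 0.001, under the 0.1 ham threshold; with network checks off, the same two hits total 0.211 and would not be autolearned.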
Re: [SAtalk] what can we do with those spam mails
At 09:49 AM 1/15/04 +0100, Sönke Ruempler wrote:
I wonder if i can to something against these spam messages:

Simple starting things to check (if you're not already doing them)
1) use razor, dcc and/or pyzor.
2) Make sure your bayes is heavily trained (really, this batch of poison has not been severely impacting my bayes accuracy)
3) make sure Net::DNS is installed so you get RBL checks (although it wouldn't have helped on this particular one)

Maybe a rule for the bogus text after /HTML ?!

FVGT_rb_AFTER_HTML covers this.. it's in this ruleset: http://www.merchantsoverseas.com/wwwroot/gorilla/90_FVGT.cf
Re: [SAtalk] Books...
At 07:50 AM 1/15/2004, Tim B wrote:
Hey does anyone know if there are any spamassassin books coming out?

None that I'm aware of. I've been thinking of writing more guides to go with the rule-writing guide I made, but haven't started yet.
Re: [SAtalk] is spamassassin poisoning my mail spool?
At 07:11 AM 1/15/2004, Adrian Simmons wrote:
I have a setup involving procmail, SA and Razor, at the moment, every time I do a razor-report (with | /usr/bin/spamassassin -r in my procmailrc) my mail spool gets poisoned with something like this:
X-Spam-Checker-Version: SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on nepenthes.local.
X-Spam-Status: No, hits=2.9 required=5.0 auto

your mail SPOOL gets that, or did you mean your mail log?

Really, nothing should end up in my mail spool.

Hmm, perhaps you should be a bit specific.. I'm not exactly following you.. is some garbage non-mail containing file with just those lines winding up in /var/spool/mail? Or are you just complaining that those headers are being added to messages run through | /usr/bin/spamassassin -r? (which they should, but theoretically, you shouldn't be picking up the output of spamassassin -r at all) Or is a dupe-copy being added to your mailbox, one with those headers, and one without?
Re: [SAtalk] disembodied emails
At 02:59 PM 1/15/2004, Pierre Thomson wrote:
For some reason, my users don't like to receive these non-communications. They slip right past SA with only a BAYES_99 penalty, not enough to stop them. I could add a SUBJECT_MISSING test but it can't have a high score; any other bright ideas?

BAYES_99 isn't enough to tag? it gets 5.4 in SA 2.6x. Also, the IP you cited is listed in spamcop, which is one of the DNSBLs in 2.6x. Do you have DNSBLs enabled?
Re: [SAtalk] Delete vs tagging spam
At 04:01 PM 1/15/2004, Andrew Cranson wrote:
Would it be possible for an additional mysql preference for a threshold to be added to an upcoming spamassassin release for mail deletion? e.g. A user sets required_hits to 5, and sets deletion_hits to 10, any mail between 5 and 10 is tagged, anything above 10 is deleted.
SA itself can't delete mail.. it's impossible for it to try. The only thing SA can directly do is modify a mail, but it can't delete it or redirect delivery since it has no possession of the envelope. Deletion, redirection, etc is a function that has to be handled by some other tool in your mail processing chain.. ie: procmail.
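Added example (not part of the original thread, and not SpamAssassin or procmail code): one way a delivery-side tool can apply the two thresholds from the question by reading the X-Spam-Status header that SA adds. `deletion_hits` is the asker's proposed name, used here as a hypothetical parameter of the filter; `route`, `sample` and the messages are constructed for illustration.

```python
import re
from email import message_from_string

# hits=<score> as it appears in the SA 2.6x X-Spam-Status header; scores may be negative.
HITS = re.compile(r"hits=(-?\d+(?:\.\d+)?)")

def route(raw, deletion_hits=10.0):
    """Decide delivery from the X-Spam-Status header.

    Returns 'deliver', 'deliver-tagged' or 'discard'. SA only marks the
    message; this function plays the role of the later tool in the chain.
    """
    status = message_from_string(raw)["X-Spam-Status"]
    if status is None:
        return "deliver"                      # never scanned: fail open
    match = HITS.search(status)
    if match is None:
        return "deliver"                      # header present but unparsable
    hits = float(match.group(1))
    tagged = status.lstrip().lower().startswith("yes")   # SA's own verdict
    if tagged and hits > deletion_hits:       # "anything above 10 is deleted"
        return "discard"
    return "deliver-tagged" if tagged else "deliver"

def sample(status):
    """Build a constructed message, optionally carrying an X-Spam-Status header."""
    head = "From: a@example.net\nSubject: constructed sample\n"
    if status is not None:
        head = "X-Spam-Status: " + status + "\n" + head
    return head + "\nbody\n"

if __name__ == "__main__":
    for status in ("No, hits=2.9 required=5.0",
                   "Yes, hits=7.3 required=5.0",
                   "Yes, hits=11.1 required=5.0\n\ttests=BAYES_99,RCVD_IN_DSBL",
                   None):
        print(repr(status), "->", route(sample(status)))
```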
Re: [SAtalk] Help needed with url rule
At 05:23 PM 1/15/2004, Brian Ipsen wrote:
What would a rule look like to match a pattern like (I've read a little about matching, but not enough to get it working): http://(anything).(com|net|org|info)?rid=[0-9]{1,5}
use the uri ruletype.. it will only search within web links:
uri MY_URI_RULE /\.(?:com|net|org|info)\?rid=[0-9]{1,5}/i
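Added example (not part of the original thread): the uri rule from the reply exercised against constructed links, showing which ones it hits and why. Python's `re` stands in for SpamAssassin's Perl regex engine; the link extractor, the `STRICT` variant and every URL are assumptions of this sketch.

```python
import re

# Pattern copied from the uri rule in the reply; IGNORECASE mirrors the /i flag.
MY_URI_RULE = re.compile(r"\.(?:com|net|org|info)\?rid=[0-9]{1,5}", re.IGNORECASE)

# Hypothetical tightening (not from the post): refuse a sixth digit after rid=.
STRICT = re.compile(r"\.(?:com|net|org|info)\?rid=[0-9]{1,5}(?![0-9])", re.IGNORECASE)

# Simplified link extractor (assumption): only explicit http/https links are
# handed to the rule, which is the idea of a uri rule as opposed to a body rule.
LINK = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed message body.
BODY = """\
Plain words that are not a link: example.com?rid=12345
<a href="http://pills.example.com?rid=123">buy</a>
<a href="HTTP://PILLS.EXAMPLE.NET?RID=7">buy</a>
<a href="http://shop.example.org/?rid=42">slash before the query</a>
<a href="http://shop.example.info?rid=1234567">seven digits</a>
<a href="http://shop.example.biz?rid=12">other TLD</a>
"""

def uri_hits(body, rule=MY_URI_RULE):
    """Return the extracted links that the given rule matches."""
    return [url for url in LINK.findall(body) if rule.search(url)]

if __name__ == "__main__":
    print("rule as posted:", uri_hits(BODY))
    print("strict variant:", uri_hits(BODY, STRICT))
```

The posted pattern is unanchored after the digits, so a seven-digit rid still hits on its first five digits, and a link with a slash between the TLD and the query string does not hit at all.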
Re: [SAtalk] adding rules changes Bayes?
At 08:01 PM 1/15/2004, Theodore Heise wrote:
My problem is that now Bayes doesn't seem to be working right, as if SA is ignoring my learned tokens? It also seems to be now missing some rules that I presume are default (e.g., MSGID_FROM_MTA_SHORT, PRIORITY_NO_NAME, and CLICK_BELOW) The results for several messages before and after the change are listed below, and show reduced scores (in some cases pretty dramatically). Can anybody explain to me what I'm doing wrong, or point me in the right direction for more reading?
first, run spamassassin --lint
sounds like there's a typo in the rules you downloaded and SA is puking on your configfiles.
Re: [SAtalk] is spamassassin poisoning my mail spool?
At 08:05 PM 1/15/2004, Adrian Simmons wrote:
After running SA with the -D switch when reporting it looks like there might be some problems with my Razor installation:
Jan 15 12:29:55.046480 report[14997]: [ 6] computing sigs for mail 1.0, len 9577
Jan 15 1razor2 report failed: Bad file descriptor
Died at /Library/Perl/Mail/SpamAssassin/Reporter.pm line 120, GEN1 line 1.
debug: leaving helper-app run mode
At this point I think the root cause might be a problem with Razor.
make sure you've got the taint-safeness patch for razor applied. if you haven't it's in the SA tarball.. razor2.patch. install instructions are in the file itself.
Re: [SAtalk] Fw: Help!!
At 06:49 PM 1/15/2004, Alice Pawlowich wrote:
Can someone please help me to remove, unsubscribe or disable the spam assassin? I am a new computer owner and really didn't know what I was getting into. But do know that I opened an attachment that contained a virus. I open a lot of these spam warnings because some of them contain information about on line orders which I have made or replies for which I have asked. So these warnings are no real help to me. I have searched everywhere for a way to get rid of it, but have found nothing. Maybe you can help, I would really appreciate it.
First, I'd like to reassure you that Spamassassin isn't on your computer. It's not exactly trivial to get spamassassin to run on a windows machine, so it would be very unlikely you installed it by accident. SpamAssassin usually runs on mailservers, so it's likely being run by your ISP on their end. Contact your ISP and ask them if they can disable spamassassin for your account.
Re: [SAtalk] not catching spam email yet
At 03:19 PM 1/14/04 +1100, [EMAIL PROTECTED] wrote:
3. edited /etc/mail/spamassassin/local.cf as follows
required_hits 6.0
rewrite_subject 1
report_header 1
use_terse_report 1
defang_mime 1
dns_available yes
dcc_add_header 1
use_dcc 1
What version of SA are you using? defang_mime is illegal in any version of SA 2.50 or newer. run spamassassin --lint, and fix any complaints.
I know I have missed something. Can anybody shed any light on the situation?
Yeah, where'd you insert your call to spamc? you can start spamd all you want, but by itself it does nothing..
--- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] unfakeable Habeas watermark?
Yes, it is theoretically possible to do what you suggest.. The first drawback is resources...Habeas would have a fairly heavy-duty server to generate and validate the signatures.. CPU time might be cheap on a single-user machine, but when you're talking about global scales, a little bit of extra cpu time per message adds up to a LOT of cpu time.
A modest server can do kerberos for a university campus, however try to scale that from 50,000 people to 50 million or so. You're talking a factor of 1000 in terms of increased load. Let's be generous and assume you can get 10-fold the performance by making it a high end quad processor system instead of a modest system. You still need 100 of them to take care of the factor of 1,000 load increase.. not to mention some added equipment to load-balance all those machines.
So you need 100 quad-cpu high-end systems, and some added load-balancing hardware.. assuming about $5,000 for the quad CPU boxes, and about $30k for the load balancer you're talking a hardware budget of $530,000. Add costs for facilities, racks to mount it in, power conditioning, etc and you're probably looking at a project costing about $750,000 on the low-end, and could easily go up to a couple million.
Sure habeas could cause the service to be less heavily used and recoup some of their cost by charging you $0.50 every time you generated a warrant mark, but that'd make the service unpopular and it would collapse. Nobody wants to pay per-message to prove they're not a crook. It may be naive (note the e) to assume that habeas can find and sue everyone that abuses their mark, but it's also naive to assume that CPU time is free or cheap when serving a global market.
Re: [SAtalk] Unwanted Language in body (Norwegian char)
At 09:15 AM 1/14/04 +0100, Jan Erik Skogsholm wrote:
Some Norwegian characters will come out with errors and we got 2.8 points from the language test. Is it possible to add these chars to a list for the Norwegian language?
Not sure how, but there appears to be a database called 'languages' in the rules subdir of the distro.. this is probably used for language determinations somehow.
How do I go around it?
Well, you can set ok_languages back to all.
Other than that I have also a question about the time. Is there a large gap between our e-mail server and the sender's server?
DATE_IN_FUTURE_12_24 does just what it states.. It looks at the Date: header.. it compares that against all the different dates embedded in all the different Received headers. Thus, this implies that your sender's CLIENT has a date that is 12 to 24 hours ahead of one of the mailservers involved.. not necessarily your server, but a server. Look at the headers, you can figure it out with some math.
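Added example (not part of the original thread, and not SpamAssassin's own implementation): the header math the reply describes, comparing the Date: header with the timestamp of each Received: hop. The function names, hostnames and both sample messages are constructed, and the check follows the reply's description of the rule.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: the sending client's clock runs about 13 hours fast.
FAST_CLOCK = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123;
\tWed, 14 Jan 2004 09:16:02 +0100
Received: from client.example.net (client.example.net [192.0.2.55])
\tby mx.example.net with SMTP id def456;
\tWed, 14 Jan 2004 03:01:02 -0500
Date: Wed, 14 Jan 2004 22:16:02 +0100
From: sender@example.net
Subject: constructed sample

body
"""

# Same hops, but a Date: header that agrees with the servers' clocks.
GOOD_CLOCK = FAST_CLOCK.replace("Date: Wed, 14 Jan 2004 22:16:02",
                                "Date: Wed, 14 Jan 2004 09:00:00")

def _parse(stamp):
    """Parse an RFC 2822 date; treat a zone-less date as UTC."""
    when = parsedate_to_datetime(stamp)
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def date_skew_hours(raw):
    """Hours by which Date: is ahead of each Received: stamp, top hop first."""
    msg = message_from_string(raw)
    sent = _parse(msg["Date"])
    skews = []
    for hop in msg.get_all("Received", []):
        stamp = hop.rpartition(";")[2].strip()   # the date follows the last ';'
        try:
            seen = _parse(stamp)
        except (TypeError, ValueError):          # hop without a parsable date
            continue
        skews.append(round((sent - seen).total_seconds() / 3600, 2))
    return skews

def in_future_12_24(raw):
    """True when Date: is 12 to 24 hours ahead of at least one hop."""
    return any(12 <= hours < 24 for hours in date_skew_hours(raw))

if __name__ == "__main__":
    print(date_skew_hours(FAST_CLOCK), in_future_12_24(FAST_CLOCK))
    print(date_skew_hours(GOOD_CLOCK), in_future_12_24(GOOD_CLOCK))
```

Both sides are converted to absolute time before subtracting, so a sender in a different timezone does not trip the check; only a wrong clock does.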
Re: [SAtalk] body match
At 08:48 AM 1/14/04 -0500, Jeff Fulmer wrote:
I'd like to assign spam points to any message whose body does not contain any one of several keywords. But unfortunately, I can't find a body directive that reads all body attachments. I tried body and rawbody but there are still many body attachments that pass through unscanned. Since my match adds points to any message whose body does NOT contain the keywords, I'm getting false matches when the body is not scanned for the words. Is there any way I can get around this?
Define what you mean by body attachments.. if you mean things like pdf's, word documents, etc.. don't bother.. SA doesn't decode document formats, thus the rules will be run against the literal binary of these files. They don't always contain the literal text in-order, as various formatting and editing sequences sometimes get stuck in between. Theoretically SA's body rules should work for any mime section which is a message body, ie: text/plain or text/html. It _might_ match a binary document attachment, but that is not reliable as SA has no direct understanding of these binary formats and does not decode them beyond converting them from base64 to their original binary states.
Re: [SAtalk] body match
At 09:20 AM 1/14/04 -0500, Jeff Fulmer wrote:
No. I wouldn't expect it to read PDFs. For example, just now it didn't read these types:
[-- Type: text/plain, Encoding: 8bit, Size: 1.7K --]
[-- Type: text/plain, Encoding: 7bit, Size: 2.3K --]
[-- Type: text/html, Encoding: 7bit, Size: 4.3K --]
Cheers, Jeff
That's weird.. it should handle those.. I know that MIME parsing has been a subject of developer fixes for 2.7x.. perhaps the mime parser is getting confused.. (I'm assuming you're using 2.6x)
Re: [SAtalk] Start Trek Darmok at Tanagra subjects
Some examples: Re: FQCDW, thousand years waiting
Yes, I've seen them.. my bayes training is chewing them up... DNSBLs and the popcorn rules seem helpful too. Note that I personally run the popcorn ruleset collapsed into one rule. It contributes less score overall because it doesn't cascade, but that's fine by me. (The original popcorn author purposefully did not collapse it, but I don't want popcorn to have massive add-ups on my system)
My collapsed popcorn rule.
describe LOCAL_POPCORN2 1-5 letters - hidden tag - 1-7 letters
rawbody LOCAL_POPCORN2 /[\s]\w{1,5}\/\w{2,10}\w{1,7}\b/i
score LOCAL_POPCORN2 1.5
LOCAL_DRUGS_MUSCLE is an in-development rule of my own.. It's part of an anti-drug ruleset that is nearing completion.
Some example hits:
---
Subject: {SPAM} Re: FJGU, at once from score=11.116, required 5, BAYES_99 5.40, FVGT_s_OBFU_J 0.20, HTML_MESSAGE 0.10, LOCAL_DRUGS_MUSCLE 0.01, LOCAL_POPCORN2 1.50, NORMAL_HTTP_TO_IP 0.10, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 1.50, RCVD_IN_SORBS 0.10
Subject: {SPAM} Re: JEKOUM, administrator began precisely score=9.306, required 5, BAYES_99 5.40, HTML_MESSAGE 0.10, LOCAL_POPCORN2 1.50, NORMAL_HTTP_TO_IP 0.10, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71
Subject: {SPAM} Re: UHYV, it out much score=11.797, required 5, BAYES_99 5.40, DNS_FROM_RFCI_DSN 0.29, HTML_MESSAGE 0.10, LOCAL_POPCORN2 1.50, NORMAL_HTTP_TO_IP 0.10, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71, RCVD_IN_DYNABLOCK 1.50, RCVD_IN_NJABL 0.10, RCVD_IN_NJABL_PROXY 0.50, RCVD_IN_SORBS 0.10)
Re: [SAtalk] mPOP Web-Mail 2.19: ratware?
At 03:57 PM 12/19/2003, Kenneth Porter wrote:
I'm seeing a lot of spam with this as the X-Mailer. Is this a real program or ratware?
(better late reply than never). This seems to be somewhat uncommon, but is occasionally used for legitimate mail (I've only seen it used by Russian posters). However, a LOT of spam uses it. Here's one legit post: http://list-archive.xemacs.org/xemacs-users-ru/xemacs-users-ru.200112 And although the web-archive doesn't show it.. this particular message was also posted via mPOP Web-Mail. (I have a copy in my local snort-users mailbox) http://www.mcabee.org/lists/snort-users/Sep-03/msg00508.html
RE: [SAtalk] FP with backhair
At 01:44 PM 1/14/2004, Gary Funck wrote:
I'd asked this before (with no answer on the 'dev' list),
Not surprising.. unless it's part of active development work ie: discussion of methods to fix a bug, coding, test results, etc, a post of a general question to sadev will generally be ignored as offtopic. sa-dev isn't intended to be a direct this to the attention of the developers.. it's intended for the developers and other contributors to use for the discussion of the current development work.
but what are SA's policies for scanning attachments? Why would it try to scan a file attachment anyway?
I don't think at this time SA makes any distinction between types of attachments.. SA makes a distinction between headers and body, but an attachment, technically speaking, is still a part of the body of the message. However, backhair is a rawbody rule.. this may also be a contributing factor. (ie: if you ask for the 'rawbody' you get the WHOLE body, including attachments).
I thought it was only supposed to scan text/html attachments?
I've never heard anyone claim such.
Re: [SAtalk] unsubscribe f1g4zz0 giochi@telvia.it
General guidance for unsubscribing yourself from a sourceforge list.
First, find the List-Unsubscribe header embedded in any post to the list. Such as the one below for this list.
List-Unsubscribe: https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
If your mailclient is brain dead and won't display all the message headers, you can find this link at the bottom of most messages on the list as well.
Follow the link and go all the way to the bottom of the page, enter your email address and press edit options
If you have forgotten the password you set when you subscribed press email my password to me. It's on the left side, second item down. (The passwords are used to prevent someone from maliciously unsubscribing you by forging your address)
Once you have your password, the top left of the page has a unsubscribe section. Enter your password and press unsubscribe. Poof, done.