Re: [SAtalk] html mails getting through
At 04:56 AM 11/11/2003, Thomas Kinghorn wrote: I have attached a spam i keep getting, no, you've quoted it in text-only form without all the headers... All I can tell from what you posted is it's using bayes poison.. There's no way from that little snippet to see what rules the email matched. Fortunately, I've gotten an identical spam recently and could look at the real format of it. Mine got this: X-EVI-MailScanner-SpamCheck: not spam, SpamAssassin (score=4.939, required 5, BAYES_40 -0.00, HTML_60_70 0.11, HTML_FONT_INVISIBLE 0.60, HTML_IMAGE_ONLY_04 1.00, HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.32, MSGID_FROM_MTA_HEADER 0.70, RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_CHINA_KR 0.50, RCVD_IN_RFCI 0.10) (note: RCVD_IN_CHINA_KR is not a default rule, it's one I added based on blackholes.us. I keep the score very modest on it.. it's more informational than anything else.) This kind of spam has a particularly unusual HTML pattern that I made a rule for.. it's got a lot of HTML font tags setting the color, but no ending tags.. rawbody __LOCAL_FONT_COLOR /\font color\=/i rawbody __LOCAL_FONT_TERM /\\/font\/i metaLOCAL_HTML_FONT_COLOR_NOTERM (__LOCAL_FONT_COLOR !__LOCAL_FONT_TERM ) scoreLOCAL_HTML_FONT_COLOR_NOTERM 0.5 describe LOCAL_HTML_FONT_COLOR_NOTERMhas an HTML font color tag with no font tag terminators I've currently got the score set low because I've only been testing it for a few days, but I've only had one false match so far (and even that was where someone on SA-talk was discussing a spam pattern, but could happen in a legitimate discussion of HTML tags). Some other people have posted rules on the list to pick up the yahoo redirector technique they are abusing.. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] What Dynamic IPs rbl list?
At 11:00 AM 11/11/2003, Bill wrote: Bad, bad, bad idea!!! There are many many people running home networks in dynamic space who send their mail thru their isp server. These will all get caught and trashed by your plan. You better have a VERY good explanation why you just alienated hundreds of current and potential customers when your boss asks why his long term customers cannot get thru your filters. There is spam control and there is political suicide, this is suicide. (Always let the mail recipient decide what to delete) Um Bill.. I'm pretty sure he meant he was going to disallow dynamic-ip hosts to deliver mail DIRECTLY to his mailserver... ie: the ones that don't use their ISP server... In fact, given his message, I can't possibly see how you can read that to include mail that was properly relayed via the ISP server Bad, bad, bad assumption! :) --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] new to spamassassin
At 12:58 PM 11/11/2003, Dan wrote: 1. I know spamassassin works on a point system, but does it learn as time goes by? IF you use the bayes subsystem, which is on by default but untrained as well, SA will engage in some automatic learning for the bayes rules. The remaining rules are static ones, and don't learn over time, but are updated whenever a new SA version is released. 2. My compnay wants to block all swears (dont ask me why!) How can this be done? Write some custom rules with high scores: bodyLOCAL_SWEARWORD1/\bf***\b/i score LOCAL_SWEARWORD1 10.0 Substitute f*** for your favorite swear word.. Be sure to frame your swear words with \b's so you don't get bugs like blocking analog when looking for anal. Also be sure each rule has a different name (ie: LOCAL_SWEARWORD2, LOCAL_SWEARWORD3, etc) Also be sure to run spamassassin --lint after adding rules to check for typos.. SA can't complain about errors when processing mail normally. More rule-writing tips can be found at http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt 3. Does anyone know of a mangament system for blocked spam? For example, the company I am in has 200+ people in the office. Lets say someones grandmother sends them a email with a swear (as above) and it gets blocked. how can I get that mail to them? You could use MailScanner and have it quarantine any spams picked up by SA.. the spams wind in a quarantine directory, and you can manually queue them for delivery if you need to pass one on. Someone else might have a better suggestion, but that's what I can think of offhand. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] [MailServer Notification]To recipient: Message matched eManager setting and action was taken.
At 03:45 AM 11/11/2003, David B Funk wrote: On Mon, 10 Nov 2003 [EMAIL PROTECTED] wrote: eManager Notification * The following mail was blocked since it contains sensitive content. Love the stupid -PC- double-talk here. Gee, what was the content sensitive to? (is it sensitve to light, heat, shock...) How about saying was blocked because it contains objectionable content and be done with it. Sad. A spam-blocking list cannot even discuss the kinds of things that it's supposed to block. Check the headers... it was generated by a subscriber (mailhost.pmare.com) and not by sourceforge.net's mailservers. Admittedly the list does have some brainless filters imposed by sourceforge (ie: blocking the evil V-word), but this one isn't theirs, despite the claim of the email that it came from [EMAIL PROTECTED]. eManager is a piece of software by Trend, and it's a wonderfully cluefull piece of software that forges itself as the postmaster/administrator of a system other than the one it runs one. It also tends to reply to lists, instead of to senders... I've got a SMTP layer reject to kill any inbound mail attempting to claim be from [EMAIL PROTECTED].. I personally don't take kindly to external systems forging me as the sender of messages to my users.. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Filtering.
At 12:31 PM 11/11/2003, Rajdeep Larha wrote: I have successfully installed the SA. but I am not able to filer the content. Any stuff which I want to filter in there in the rules directory but not getting filter. Um what do you mean by Any stuff which I want to filter in there in the rules directory... No... *EXACTLY* what do you mean by that.. what exactly do your rules look like, and what exact directory did you put them in (hint: there is no directory named rules that SA uses once installed). --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] SpamAssassin dont block the default sample spam examples and others
At 01:19 PM 11/11/2003, Joao Pedro wrote: I'm installing a Spam Gateway Email Server in a FreeBSD server with Postfix+Amavisd+SpamAssassin and a followed this howto http://lawmonkey.org/anti-spam.html. All it's appear ok, but when I send a email with the sample_spam.txt or other spam example file to a external email or send from external email to a internal account, they wasn't block. 1) what version of SA are you running? 2) is the sample-spam you are using a GTUBE message? --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] A black listing question
At 01:17 PM 11/11/2003, Peter P. Benac wrote: Is there a legitimate reason not to blacklist email.com? I just seem to get way too much SPAM from email.com. It's a real webmail type service.. So the same arguments that apply for why you should/should not block hotmail, yahoo, eudoramail, and other free mail services also apply here. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] unable to disable AWL
At 11:02 AM 11/10/03 +0100, matthias zeichmann wrote: Meanwhile i suspect an error in my configuration. Is there a way to check your local.cf for validity? spamassassin --lint --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Looking for Rules
At 04:36 PM 11/10/2003, Bob Rosenberg wrote: I have a number of gripes about this. 1) I only get 5 points not 5.1 when I add them together. One word.. rounding.. The report only displays the rule score down to the nearest tenth of a point, however the rules are scored down further in precision. The real, unrounded, scores are: 0.53 RCVD_IN_NJABL_DIALUP 0.100 RCVD_IN_NJABL 2.55RCVD_IN_DYNABLOCK 1.91FORGED_MUA_EUDORA - 5.09 And 5.09 rounds to 5.1 2) I am getting penalized multiple times for the same offence - ie: Using a Cable Connection to send my mail to the CORRECT SMTP Server (ie: The designated Server for the ISP whose account my mail is addressed from instead of the Smart Host of my Cable ISP). I get both a RCVD_IN_NJABL_DIALUP and a RCVD_IN_DYNABLOCK for being a Cable User (3 points) and an extra .1 point for sending to my ISP's SMTP Server when not using that ISP's Connectivity. I object to this multi charging for the same thing. Both of the NJABL rules key off the same table and I then get clobbered with 2.5 points for not having a static IP Address (after being charged .5 points for being a Dial-Up user which as a Cable User I AM NOT). From the perspective of dynablock and NJABL, *any* end-user IP address is listed.. these list dialups, dsls, cable modems, or whatever, for a home-user type address that should be sending mail via a mail relay and not directly sending mail. In your case, you're being penalized for one of two reasons: 1) the spamassassin box is misconfigured and nobody set their trusted_networks in a situation that needs it (hint: any box running a NATed IP address MUST set trusted_networks by hand, autodiscovery does NOT work) 2) you really are directly injecting mail to a server that runs SA from your home address, instead of using your ISP's mail relay. If you want SA to not tag these messages, either get that admin to reconfigure his trusted_networks, or start using your ISP's SMTP relay. I know that there is nothing that I can do about this (except Mis-Configure my Mail Client to route all my mail through my CURRENT Connectivity provider [and do it again when I alter my connectivity]) even though all the mail is going via SMTP AUTH links to PORT587 and thus is being Authenticated by the Injection SMTP Host (in MSA Mode due to it coming in via Port 587. 3) My major gripe is with the adding insult-to-injury 1.9 point invalid rejection of my X-Mailer Header. I use a Macintosh version of Eudora which does NOT have the Hardcoded X-Mailer constant that Spamassassin is looking for. In Mac Eudora the X-Mailer Header is created (as are all other X-* headers) by the user coding what the data in the header should be. Aye, unfortunately since there's no standard for X-Mailers for the MAC version of Eudora, a lot of them look to SA like the windows version. Try using an X-Mailer header that starts with Eudora for Macintosh or Eudora for Mac OS X. SA does recognize those strings as MAC versions.. it currently doesn't recognize the format you're using, so it assumes it must be a windows version, and then realizes the message was clearly not generated by Eudora for Windows (which it wasn't but SA is confused and thinks it is).. There's a bug open on this issue. http://bugzilla.spamassassin.org/show_bug.cgi?id=2598 Personally, I'm hoping to spend some time revamping these rules so that MAC versions of Eudora are never thought to be forged no matter what they read. Basically this will involve characterizing the message-id's of Eudora for Mac's and always checking both windows and mac versions of the message-id, no matter what the x-mailer header reads. It will be better this way in the long run and will have fewer holes in it for spammers to abuse, or end users to fall in accidentally. However, my spare time is limited, so it's possible Justin and friends will beat me to the punch. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] spam threshold value?
At 04:14 PM 11/10/2003, you wrote: What's the lowest spam threshold value you are managing to get away with (without false positives) ? There's always FP's at pretty much any threshold that's no absurdly high (ie, 1.0). However, I have yet to notice any significant amount of FP's at 5.0.. Occasionally I get some sa-talk posts that go over. Note: I'm using 2.60 w/ bayes, razor, and dnsbls. bayes is greatly improving the accuracy of SA. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] unable to disable AWL
At 09:47 AM 11/10/2003, matthias zeichmann wrote: is it possible that this messes up other behaviour of SA? That type of error is unlikely to cause problems with other lines, but it is possible. Usually the ones that kill half your local.cf are missing terminators for regexes. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] New Obfuscation Technique?
At 03:00 PM 11/10/2003, Chris Santerre wrote: This is the spammer trick of saying the email is from you, to you. So it got Whitelisted. No it did not Chris.. Read The Fine List of rules it matched.. no WHITELIST_* or AWL rules match this. X-Spam-Tests: tests=BANG_MORE,BAYES_60,HTML_FONTCOLOR_RED, HTML_FONTCOLOR_UNKNOWN,HTML_FONT_BIG,HTML_MESSAGE,MIME_HTML_ONLY, NORMAL_HTTP_TO_IP,UPPERCASE_25_50 Also, if it was whitelisted, the score would have been much lower than this: X-Spam-Score: 3.7 It did however use a trick to avoid the standard FROM_AND_TO_SAME so your rule can help out by adding some score.. However, 104.1 is a bit excessive, since there's no white list to over-ride. (Bret is smart and did not whitelist_from himself). Really, my suggestion to Bret would be to train his bayes on this... BAYES_60 is pretty weak. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Razor slows down SA
At 08:38 AM 11/7/03 -0500, you wrote: I have noticed that RAzor2 is timing out and slowing down SA 2.6. Has something changed in the past few months that may have caused this? Maybe the razorzone has changed? I use razor2.cloudmark.com now. I don't think the zone itself is likely to change anytime in the near or distant future.. However, occasionaly I have found that the server shifts and it takes a while for razor to notice this.. you may want to try running razor-admin --discover to force a re-discovery of the server. Also make sure you haven't done anything on your firewall which would prohibit outbound connections to tcp/7 or tcp/2703 on the razor servers. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] MAPS RBL+ in Spam Assassin
At 08:51 AM 11/7/03 -0500, you wrote: I am new to Spam Assassin. I see that it checks e-mail against the MAPS databases, but that it does not appear to check the RBL+ database. Is there some way for me to add this check to the list? Well, SA does NOT check maps by default.. it's just got support for it. Since MAPS is a paid subscriber service it's not on by default. Also, it should be noted that the MAPS RBL+ is merely a concatenation of all their other lists... It's redundant to check both the normal lists and the RBL+. However, if you want to use the RBL+ single-query (and are a subscriber) if you look in 20_dnsbl_tests.cf you'll see there is a commented-out set of tests that use the RBL+ single-query to generate tests for RBL, DUL, RSS and OPS. If you want to use the RBL+ query method for the maps lists, you can comment out the normal ones and uncomment the RBL+ versions... However, there is no such thing as a RBL_PLUS test, since by definition, RBL_PLUS is merely a mass-check of RBL, DUL, RSS, and OPS all in one shot. Note: you still have to add score statements for any MAPS lists to be queried, as they default to being disabled. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] scoring system and values...
At 10:29 AM 11/7/2003, Maarten J H van den Berg wrote: Sorry if this has been discussed in the past... It's been discussed many times.. It's very common for people to have a very deep misunderstanding of how SA scoring works. Most people fall into the trap of over-simplifying the problem, and simply assuming that some rule or another must be a good spam rule, when in fact it's not. Of course this is open to debate, but then again that's all I want; possibly a debate about how accurate the scoring is right now... That's fine.. but in the next round you're going to have to do a LOT more homework.. you're over-simplifying things by merely looking at the name of the rule... You're not looking at it's performance levels, it's impact on nonspam, or it's interactions with other rules. Questioning the accuracy of the scoring system isn't unreasonable.. but the scoring system is VASTLY more complicated than you can understand in a few hours of study. You need to have a good understanding of how it really works, and just how complicated the balance of the scoring system is before you can make reasonable judgements about accuracy. You need to realize the SA scoring system is somewhat analogous to curve fitting an equation with 873 variables (there are 873 rules in SA 2.60's 50_scores.cf). This is done as an approximation using a genetic algorithm to evolve a solution, since a direct solution would take too long to compute. Trying to get your mind completely around an equation with that many variables is not possible for most humans, including me, but I've learned to understand and respect how complex the problem is. List 1: score ALL_CAP_PORN 0.650 0.669 0 0 score PENIS_ENLARGE2 0.500 0.590 0 0.501 score UPPERCASE_50_75 0.794 1.137 0 0 score V+AG+A_ONLINE 1.100 1.101 3.151 4.056 If it were up to me, I'd say that giving only half a point to a mail that scores PENIS_ENLARGE2 is... well, ludicrous. Let's not kid ourselves. IF there are people who participate on a genuine mailinglist that discusses penis enlargement, let the burden fall on them to put those adresses in their whitelist, not the reverse. OK, being that it's not up to you, let's look at the real-world performance of these rules from STATISTICS.txt OVERALL% SPAM% HAM% S/ORANK SCORE NAME 1.010 1.5010 0.08930.944 0.800.65 ALL_CAP_PORN 2.962 4.5216 0.04180.991 0.930.50 PENIS_ENLARGE2 0.580 0.8552 0.06450.930 0.770.79 UPPERCASE_50_75 1.040 1.5930 0.00320.998 0.951.10 V+AG+A_ONLINE *yawn*.. none of these rules has particularly impressive hit rates, so they aren't very significant in the grand scheme of SA. A meager 4.5% of spam hits isn't impressive, although not useless. Some of them, such as ALL_CAP_PORN and UPPERCASE_50_75 have really bad quantities of nonspam hits. Anything with a S/O under 90 pretty much doesn't deserve a high score because 10% of the email that the rule matches is nonspam. In the case of these two, both have at least 20% of their hits being nonspam mail.. ouch. Quite frankly, UPPERCASE_50_75 performs so badly it doesn't even meet the criteria to avoid being dropped from the ruleset, but is probably retained for completeness with the other rules. (in general spam rules need to have an S/O of .80 or higher to be deemed worthwhile.. anything less isn't a very good indicator of spam and is just a waste of time). In the case of the other two, you need to start looking at the larger ecosystem of the entire ruleset.. SA rules are not scored based on the merits of the rule alone.. the entire ruleset is scored together, and the scores of all the rules are tuned to try to get the most spam and nonspam placed in the proper piles. Often times the score of a rule is the result of it's interaction with other rules. Take our PENIS_ENLARGE2 rule. This rule can quite possibly match some nonspam crude joke emails.. Other spam rules will likely match these as well, resulting in a high score. Now, the GA is designed to treat false positives as 100 times worse than false negatives, so this is a very drastic situation for the GA. Faced with this problem, the proper thing for the GA to do is to try to reduce the score of the rule that affects the least amount of the spam pile.. well, given that PENIS_ENLARGE2 only matches 4.5% of spam, it's a good candidate for reduction. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Delete spam mails
At 12:09 PM 11/7/2003, Roberto Salazar wrote: I have Spamassasin with Postfix working . This server is a Gateway for others internal mail servers (in these are the users accounts). I need that spamassasin erase spam mails directly (DELETE FILTER ) in my server gateway and don't send mail to users (report of points) (FLAGS FILTER). It's posible? It's impossible for SA to delete spam mails directly.. being a filter, SA has no capability to do this. It is however possible for some other tool in you mail processing chain to look for messages tagged by spamassassin and delete them.. lots of people do this with procmail... I'm unfamiliar with postfix, so hopefully someone else on the list can suggest a workable method. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Newbie Questions
At 01:13 PM 11/7/2003, Chip Paswater wrote: Hey Guys, I apologize if these questions are asked somewhere, but I did browse the FAQ and documentation and didn't see an answer. I have a good understanding of Razor v2, but I just started using SA. 1. When reporting spam via spamassassin -r, can I supply an mbox instead of a single message? Offhand, I'm not sure. 2. When reporting spam via spamassassin -r, will the spammassassin information that was appended to the message be stripped out before the message is reported to razor? Yes.. that's why spamassassin -r was originally created. Before bayes, dcc and pyzor, the only point of spamassassin -r was that it automatically stripped the razor markings before reporting the message. And as far as BAYES goes: 3. Is it a bad thing to sa-learn the same messages over and over again? Does it affect the scoring of the system, or is sa-learn smart enough to know what tokens it's already seen? SA keeps track of what message ID's it's seen and will ignore any re-learning attempts, unless you are re-learning an email into the other category (spam/ham). Thus, re-learning the same message over and over again is only bad from the standpoint of being a waste of time. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] SpamAssassin not labeling as spam but debug labels as spam
At 02:16 PM 11/7/2003, Jennifer Fountain wrote: am using an internal RBL list. When I test a header that is in the list using the following command: /usr/bin/spamassassin -t --prefs-file=/var/qmail/.spamassassin/user_prefs -D /home/tmp/spam_test.txt, it labels it as spam. However, when an email from the same server arrives, it is not labeled and the user receives it. I do test that header and it DOES label it as spam. AGG! by definition, any mail passed into spamassassin -t will be declared spam. -t specifies test mode and forces a tag/report, even if the score is under the threshold. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] scoring system and values...
At 04:25 PM 11/7/2003, maarten van den Berg wrote: Upon looking at those rules I see al LOT of inconsistencies. For instance, I found these rules that have score of zero(!) (and these are merely the top of a large iceberg) score CASHCASHCASH 0 score ADDRESSES_ON_CD 0 score BLANK_LINES_90_100 0 score EJACULATION 0 score HERBAL_V+AG+A 0 Not to be rude, but did you even READ my email? You're still not even thinking about looking at STATISTICS.txt.. you're still looking at the rule name, and not even glancing at how it performs or works. Until you break yourself of merely looking at the rule name and making reaction based only on the name, you're going to be stuck in the rut of making bad assumptions and not understanding why. For god[s?] sake, one of the rules in the above set has a S/O of 0.529.. are you joking by suggesting that this rule is a clear indicator of spam??? 48% of emails this rule matches are nonspam emails. It's not a contradiction for it to have a score of 0.. it SHOULD have a score of 0 in the most clear way possible. Do yourself a favor.. look at the STATISTICS.txt file.. it comes with spamassassin.. it can explain a lot. Yes there are a lot of rule scores that seem funny at first glance.. but unless you're going to even so much as try to understand what's going on, there's not much point in me trying to explain things to you. You're still making the same mistakes and not learning anything. --- This SF.Net email sponsored by: ApacheCon 2003, 16-19 November in Las Vegas. Learn firsthand the latest developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more! http://www.apachecon.com/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Best Blacklists
At 11:23 AM 11/5/2003, Tom Meunier wrote: Matt, thanks for this. It's a great resource. However, I'm wondering why the following were scored as zero and thus don't have numbers to support their efficacy or lack thereof: 0.000 0. 0.0.500 0.110.00 RCVD_IN_SORBS_BLOCK 0.000 0. 0.0.500 0.110.00 RCVD_IN_MAPS_RSS 0.000 0. 0.0.500 0.110.00 RCVD_IN_MAPS_RBL 0.000 0. 0.0.500 0.110.00 RCVD_IN_MAPS_DUL 0.000 0. 0.0.500 0.110.00 RCVD_IN_MAPS_NML 0.000 0. 0.0.500 0.110.00 RCVD_IN_BL_SPAMCOP_NET The MAPS lists are for-pay.. Since not all the developers are paid subscribers, they do not test them. This won't likely change. Spamcop was historically a donation required service, and that status kept it out of the default test set. Spamcop now is merely a donations accepted service, so I suspect it will eventually work it's way into the test set.. I think it just boils down that it was in too late for 2.60's testing. Since spamcop has a score, I suspect one of the developers did a quick mini test to evolve a score for spamcop right before release. Policy wise, SORBS_BLOCK doesn't make much sense to use in SA... SORBS_BLOCK isn't a list of spammers, it's a list of admins that have demanded that SORBS not test their networks. I suspect it was included in the code for only completeness since other SORBS checks were being handled. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Strange behavior of SpamAssassin + CommuniGate
At 11:42 AM 11/6/03 +0100, Euro Cocolo wrote: recently I've noticed this fault: when my MTA receives mail identified as spam (score 7.0) from a specific external distribution list, SA tags the message, and instead of discarding the message (as set by the CommuniGate rule), it delivers it to the recipient (a user of mine who is subscribed to that external list), moreover SpamAssassin generates a reply to the sender (the list itself), even though I've never configure SA to do it! This behavior amplifies the damage sending SpamAssassin reports to an entire mailing list (many thousands of people) where already victims of the original spam message...! Is this a SA known bug? Or I have something misconfigured...? None of this can be done by spamassasin. It's being done by Communigate, and you need to look at how Communigate is configured. The reason I say this is that it is logically impossible for SA itself to generate emails. The way it interacts with your mail system makes it impossible. SA itself cannot ever delete, create, or change the delivery of messages.. SA can only modify the headers and body of a given message and make a judgement about it being spam or not. SA acts as a filter, and thus is called upon by your mail system and is given an email to process. SA does not have any support for reversing that relationship, and cannot call on you mail system to process some kind of reply and/or bounce message. Lots of other programs, such as communigate, add functionality to look at SA's decisions about the email and do things like discard, generate a reply, etc.. However, none of this is under any control of SA itself and is completely beyond SA's own capabilities. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] ok to filter on this?
At 11:44 AM 11/6/2003, Jeff Lasman wrote: My question is simply is this okay to filter on? Or does anyone have any experience of any legitimate email coming with this? Lots of legitimate HTML newsletters come with this. It's pretty much a standard thing to do. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Perhaps this is obvious... but...
At 06:52 PM 11/5/2003, Robert Leonard III wrote: Do I need to restart SpamD every time I make a modification or add a new .cf file to my configuration? Yes, SA only parses the .cf files when it first starts up. Only user_prefs is parsed each time a message comes in. If so, when I do a restart, what happens to all those messages that are currently being analyzed? When I restarted just a minute ago, there were 10 ID's running.. SA restarted and now there is just one... did I just lose a bunch of emails? I don't know.. I'm not a spamd user. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] (not) up to date SpamAssassin
At 07:16 PM 11/5/2003, Lukreme wrote: My spam assassin is still 2.60-rc6: X-Spam-Status: No, hits=-4.8 required=5.0 tests=BAYES_00,CLICK_BELOW autolearn=ham version=2.60-rc6 So snip Going to write /home/kreme/.cpan/Metadata Mail::SpamAssassin is up to date. cpan color me confused CPAN thinks of them both as 2.60, and doesn't differentiate between finals and RC's. Update with a tarball. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Are these blacklists widely used, anywhere?
At 08:57 PM 11/5/2003, Nigel Featherston wrote: I would like to know if SpamAssassin uses the following blacklists: rhsbl.ahbl.org dnsbl.ahbl.org And I would also like to know under what conditions they are enabled (i.e. by default, etc.) No they are not used by default, and there's no built-in rule for them. They also aren't backlists I've heard of before. However, someone can reconfigure SA to use pretty much any blacklist. $ cd Mail-SpamAssassin-2.60/rules/ $ grep -i ahbl * $ ahbl.org does have a set of SA rules on their website to make it easy for anyone to add it to SA. Those only query dnsbl.ahbl.org http://ahbl.org/using/spamassassin.txt --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] which folder?
At 07:57 PM 11/4/03 +0100, Jim Knuth wrote: which folder to the read the config is used? local.cf in /etc/mail/spamassassin or local.cf in /etc/spamassassin or user_prefs in /.spamassassin/ It's actually parsed from two places: *.cf in /etc/mail spamassassin user_prefs in ~/.spamassassin And note that the ~ is important.. ~ represents the user's home directory (ie: /home/mkettler/.spamassassin/user_prefs). You can also run spamassassin --lint -D and read the top of the debug output to be absolutely sure what paths it's using.. there are some cases where SA will use alternate directories if it doesn't find the common ones... --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Curious about a header.
At 11:44 AM 11/4/2003, Matthew Thomas wrote: It didn't get marked as spam since it appears to come from us, though the IP address is located in Puerto Rico. I was just wondering how they get biocontrolsys.com associated with their IP address. Is it a completely manufactured (not real) header? Can you create a test for this? First, anyone who controls the RDNS for their own IP range can put *anything* they want in there. If you caught me a couple years ago I had sub-delegation for the IP blocks used here at EVI.. I could have had any of my IP addresses reverse DNS as www.aol.com at any time I wanted. Of course, the forward wouldn't match.. but the reverse can say whatever you want. However, in this case, they didn't do that Received: from biocontrolsys.com ([66.50.175.12]) note that 66.50.175.12 has *no* reverse DNS at all.. so in this case, their system issued a HELO biocontrolsys.com, but the IP address reversed as nothing.. If it had RDNSed it would look like this instead (at least in sendmail, which you seem to use): Received: from biocontrolsys.com (biocontrolsys.com [66.50.175.12]) Sounds like you've got some kind of bug in your method for excluding SA from running. It should only exclude emails from IPs which really RDNS as your domain, or better yet, do it by IP address blocks instead of domain name (thus preventing the possibility of the above case). --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Could not create INET socket... ...Permission denied
At 02:00 PM 11/4/2003, JC wrote: Spamassassin seems to be running fine, except when I go into debug mode, I get an error. Here is some relevant output: [EMAIL PROTECTED] /]$ spamd -c -a -m5 -H -D spamd needs to be started as root, unless you pass it -p to specify a port number 1024.. by default it will try to bind 783, which is a privleged port that only prilveged users (such as root) can bind to. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Can you customize the body of a spam message
At 03:10 PM 11/4/2003, Paul Hirschorn wrote: I want to customize the following: Spam detection software, running on the system SPAMGW.FILTER.COM, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or block similar future email. If you have any questions, see the administrator of that system for details. My boss wants to be able to implement rules in outlook more easily. Re-writing the subject isnt an option for he likes the way that it is handeled now. I do not wish to take any credit away from spamassassin in the body of the message, maybe just even append a custom first line to the message. Thank you for your helpo Use the clear_report_template and report commands in your local.cf.. the following is the default template for 2.60, just customize it and insert the whole bit into your local.cf clear_report_template report Spam detection software, running on the system _HOSTNAME_, has report identified this incoming email as possible spam. The original message report has been attached to this so you can view it (if it isn't spam) or block report similar future email. If you have any questions, see report _CONTACTADDRESS_ for details. report report Content preview: _PREVIEW_ report report Content analysis details: (_HITS_ points, _REQD_ required) report report pts rule name description report -- -- report _SUMMARY_ --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] THIRD request: Someone please help with AWL oddness
At 04:26 PM 11/4/2003, Jay Levitt wrote: - Original Message - From: Jay Levitt [EMAIL PROTECTED] To: Jay Levitt [EMAIL PROTECTED] Sent: Sunday, November 02, 2003 9:29 AM Subject: Second request: AWL false hits Hi.. does anyone have any ideas on this? I have read the FAQ, and this does not seem to be the usual why does AWL regress toward the average case. Jay I've read all three of your posts.. and don't have any suggestions to help you.. it looks like a bug to me. What really makes me wonder is why the ip=none entry exists at all. Have you been doing something like spamassassin --add-addr-to-whitelist? In that case.. don't, because it appears that the no-ip entry added by this command will over-ride any and all IP address specific entries. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Can't get add_header to work in 2.60
At 06:36 PM 11/4/2003, Dennis Duval wrote: I have tried to use the add_header feature in /etc/mail/spamassassin/local.cf with no luck. It does not write the added header at all. However the local.cf file is being processed, because I can change required_hits and it has an effect. snip This is the contents of my simple local.cf file: skip_rbl_checks 1 required_hits 5 rewrite_subject 0 add_header all Score _HITS This works for me, but because you forgot the trailing _ I get this header added: X-Spam-Score: _HITS Adding the trailing _ I get this (using the sample-spam.txt in local-only mode with no bayes, etc): X-Spam-Score: 1000.0 I might suggest running spamassassin --lint just to check for config errors. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] RCVD_IN_DYNABLOCK FP?
At 02:57 AM 11/3/2003, Justin Mason wrote: Pedro Sam writes: I'm just wondering why RCVD_IN_DYNABLOCK was a hit, when I sent a email from my localhost 192.168.2.125 with kmail using the SMTP server at mail.student.cs.uwaterloo.ca to address [EMAIL PROTECTED] This is the proper way of sending email from a cable IP right? to use a smtp server from a static well respected IP? Should be -- I would guess it may be that SpamAssassin can't parse the good received line, so misses it. This could be an example of bug 2537... note that his IP is a non-routable one.. Pedro, did you set your trusted_networks variable in your local.cf? since your localhost is using a 192.168.*.* IP address SA cannot automatically infer which relays are trusted.. this causes the unexpected side-effect of causing SA to check _every_ IP address against dynablock. http://bugzilla.spamassassin.org/show_bug.cgi?id=2537 add this to your local.cf and see if it fixes your problem: trusted_networks 192.168.2.125/32 --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] trying to tweak SA
At 11:28 AM 11/3/2003, Anne Ramey wrote: I'm trying to add local rules, but only one of the .cf files in /etc/mail/spamassassin seems to be used. Can you only have one extra .cf file? (I'm using amavis with SA, so I was told the extra rules can't go in local.cf). SA should use _every_ file that matches /etc/mail/spamassassin/*.cf HOWEVER, it is extremely important that you run spamassassin --lint whenever you change a configfile. A syntax error can cause SA to ignore the entire file, and may even cause it to ignore rules in _other_ files too. Most notably, forgetting a trailing / on a regex will very severely confuse the rule processor. I suspect your local rules might be getting ignored due to a syntax error. This is the cause of the vast majority of ignoring new settings. Also, if you use spamd, you must restart spamd every time you change /etc/mail/spamassassin/*.cf... to save overhead spamd only parses these files when it starts, instead of every time a message arrives. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] RCVD_IN_DYNABLOCK FP?
At 11:35 AM 11/3/2003, Brian Sneddon wrote: I'm running SpamAssassin 2.60 on a public IP (not NATed) and none of the -notfirsthop rules (including RCVD_IN_DYNABLOCK) have worked correctly for me, either. For reference I'm also running Sendmail and Spamass-milter 0.2.0. Here are the headers from an email that *should* have matched the rule: Received: from katie.darklegacies.com (pcp044858pcs.trnrsv01.nj.comcast.net [68.46.27.0]) by mail-gateway.metrologic.com (8.12.8/8.12.8) with ESMTP id hA3GIq7M006336 In your case, auto-inference of trusted_networks won't work either. The by host in the first Received header is not in the same /16 as the first From host. This is documented in the Mail::SpamAssassin::Conf helpfile under trusted_networks. Since you are using a MTA outside of your local address range, and your MTA itself is within the DYNABLOCK blacklist, you'll have to manualy set trusted_networks to avoid falses. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] [RD] Meta rules vs. SA version
At 01:50 PM 11/3/2003, Chris Santerre wrote: I'm not sure if it is just me, but there are some new rules I have in the update that look like this: (__meta1 + __meta2) 1 They don't work on older version of SA. they get an error when doing a spamassassin -D --lint. The '+' is throwing it off. I wonder if that feature is 2.60 dependant? 2.50 and higher are required for arithmetic (addition) type meta rules. 2.4x only supported boolean (and, or) meta rules. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] tests not updated on the SA website?
At 06:10 PM 11/3/03 -0800, Mairhtin O'Feannag wrote: The tests page of the spamassassin.org website seems not to be too up-to-date. A search of the page reveals only three or four tests based upon the word outlook and they all refer to Outlook Express. YET ... when I get a message in as spam, it has failed the following tests : X-Spam-Status: Yes, hits=7.4 required=5.0 tests=FORGED_MUA_OUTLOOK,HTML_70_80,HTML_FONT_COLOR_NAME, HTML_MESSAGE,MISSING_OUTLOOK_NAME,MSG_ID_ADDED_BY_MTA_2, NORMAL_HTTP_TO_IP version=2.53 No, I suspect it's your version that's not up-to-date.. the website is based on 2.60, and some of the rules are now gone. You're only running 2.53, which is now several months old. In the past the website always reflected the latest CVS build, which led to it being too new compared to real releases, but that's been fixed and it's built from the latest stable release. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Am I nuts
At 04:14 PM 11/3/03 -0600, Chris Barnes wrote: Background: I had SpamAssassin 2.60 running just fine (using sendmail). I was calling spamd via the /etc/procmail. After installing Mailscanner and ClamAV, I noticed that the original SA conf file was being ignored in favor of the smaller version in the Mailscanner conf file. Since I have custom rules that I really didn't want to loose, I turned SA off in Mailscanner, letting it handle just the the running of ClamAV. SA is still being called by procmail. It seems to work just fine (everything). Q: Is this a wrong way to do it (ie. performance issues)? Not really. Q: Is it just a wierd way? It's a little weird.. Personaly, I like that MS uses a separate conf file.. it allows me to test configfiles with spamassassin --lint before I copy them into the live mailscanner config.. Basicaly I just merged all the stuff from /etc/MailScanner/spam.assassin.prefs.conf into /root/.spamassassin/user_prefs. Whenever I want to make config changes, I edit root's user_prefs, run spamassassin --lint, and then copy it over the mailscanner file. Admittedly I could also get the same effect with a separate user, but this is a bit more convenient than having to su. Also, even under mailscanner /etc/mail/spamassassin/*.cf (ie: local.cf) should still be processed normally.. it's just the user_prefs file that get's over-ridden. If it really bothers you, you can over-ride it back in your mailscanner.conf and point it at /root/.spamassassin/user_prefs. I also like that MailScanner has some extra flexibility about how and when I run SA. But, YMMV and you can do what works for you. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] AWL
At 08:13 PM 10/30/03 -0800, Jeremy Hein wrote: I added use_auto_whitelist 0 to /etc/mail/spamassassin/local.cf but it still subtracts AWL in my report. Maybe I'm writing to the wrong config file? How do I find out where the right one is and how do I find out if spamassassin is using that option. 1) if you use spamc/spamd, you need to restart spamd after changing local.cf 2) run spamassassin --lint and make sure there's no errors in your config. Sometimes an error on one line will confuse the parser and it will skip many of the following lines. 3) you can be sure what path of local.cf it's using by turning on the debug output.. this will spew quite a lot of output, but some of the first lines will tell you what paths it is grabbing rules from: spamassassin --lint -D --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Log Question...
At 11:18 AM 10/31/2003, Dan Tappin wrote: Below is a snippet from a recent post to the list: Oct 30 14:12:40 ns1 MailScanner[3201]: snip Is there a config option to have these triggered rules logged like that? My maillog simply has mail identified or not identified as spam. It would be great to be able to troubleshot false positives. If you're using MailScanner, the option is: Log Spam = yes But that particular log was generated by MailScanner. SA/spamd doesn't have such a logging capability that I'm aware of. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] using spamd/spamc to reject SMTP connection
look at spamass-milter or a similar milter-level plugin to sendmail. They can generally be configured to issue a 5xx level error at the end of the SMTP DATA phase if the SA score is over some threshold level. At 02:30 PM 10/31/2003, Josiah DeWitt wrote: I just installed SpamAssassin and got it working, but it just drops or marks spam after it has already accepted it. While this /dev/null type behavior is great, I would rather discourage spammers by refusing the connection period. I was wondering if there is a way of using spamd/spamc to reject the spammers SMTP connection by inserting a ruleset in the sendmail.mc or cf. I was hoping for a result similar to that of the RBL mc's. FEATURE(dnsbl,`dun.dnsrbl.net')dnl FEATURE(dnsbl,`spam.dnsrbl.net')dnl FEATURE(dnsbl,`blackholes.mail-abuse.org')dnl FEATURE(dnsbl,`list.dsbl.org')dnl FEATURE(dnsbl,`multihop.dsbl.org')dnl FEATURE(dnsbl,`unconfirmed.dsbl.org')dnl etc... I imagine there might be a way to pipe the incoming data to spamc and return a boolean response weather or not to accept the connection. In reponse to a dropped connection it would reply with error codes and the spam condition of the mail. Am I just fantasizing? If so where are the resourses I need to start coding this one up? Thanks for your time. -j --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] File of mail for sa-learn
At 01:58 PM 10/30/03 +, you wrote: What is the format of the files of ham/spam fed to sa-learn? Can I use Outlook .pst files? You can't directly use the outlook .pst format with sa-learn.. sa-learn supports 2 file formats: The default is single-message per file in RFC 822 format, or a directory full of such files. The --mbox parameter makes it accept files containing multiple messages in standard Unix mbox format. There is a tool out there that claims to convert .pst's to mbox format.. you might want to try it.. I don't have any outlook or OE stored mail to try the tool on, so I can't say if it works well or not.. http://sourceforge.net/projects/ol2mbox --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] outlook corpus?
At 07:17 AM 10/30/03 -0500, Colin A. Bartlett wrote: I've mined Google and the archives. I've found some references to converting Outlook files to mbox format. That would work I believe except that the messages I want are really attached to those in my Outlook. Anyone know of a tool or method of generating an mbox or other file from my Outlook messages for use in checking rules and such? As someone else suggested, you can use the outlook converter to get to mbox format. http://sourceforge.net/projects/ol2mbox From there, you should be able to get the original message by cranking them through spamassassin -d. You might need to split the mbox into single files first.. I'm not sure if spamassassin takes mbox input directly or not.. I think it will however... if it doesn't there's a tool in the SA tarball called mboxsplit that might help you out there.. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Autowhitelist
At 10:33 AM 10/30/2003, Segree, Gareth wrote: Addresses from my mail domain is being saved in the auto-whitelist file. 1) How do I prevent addresses from being auto-whitelisted? you don't, unless you disable the AWL entirely. 2) How do I delete addresses that are already auto-whitelisted? spamassassin --remove-addr-from-whitelist --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] How filter ...
At 10:23 AM 10/30/2003, Andrea Riela wrote: Hi folks, How could I filter this type of spam: Penis P.enis Pe.nis Pen.is Peni.s This regex should work for a custom rule to match those patterns. /P(\.?)e(\.?)n(\.?)i(\.?)s/ You'll probably want to make it a bit more useful like this: /\bP(\.?)e(\.?)n(\.?)i(\.?)s\b/i That will force word-boundaries at each end, and will make it case insensitive (ie: to match penis or peNiS) --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Checking HTML garbage
At 07:56 PM 10/30/2003, Jeremy Hein wrote: Is there anyway to have spamassasin check for this kind of HTML garbage. If so, I could get rid of nearly all my spam. it already does catch some of these things. check out the OBFUSCATING_COMMENT rule. However, those rules look for a HTML comment inserted into the middle of a word.. not surrounded by proper spacing. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] AWL
At 08:00 PM 10/30/2003, Jeremy Hein wrote: Hi, Does anyone know what this is and how to configure it? It seems to be subtracting from the score different amounts each time. I can't figure out why or what to do about it. Read the FAQ.. the AWL is a score averager, and it's supposed to vary in score. If it didn't, it wouldn't work. http://spamassassin.taint.org/faq/index.cgi?req=showfile=faq06.001.htp You can disable it entirely with a config option in your local.cf (use_auto_whitelist 0). And really you shouldn't need to worry about the AWL unless it causes mail to get mis-tagged.. in particular do not worry even if it applies scores the wrong way, subtracting from spam, or adding to nonspam, unless it pushes an email over your tag threshold in the wrong way. http://spamassassin.taint.org/faq/index.cgi?req=showfile=faq06.002.htp --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Spamassassin not rewriting the e-mail subject.
At 09:15 AM 10/29/03 -0500, you wrote: Hi everyone, snip required_hits 8.0 rewrite_subject 1 fold_headers 1 report_header 1 use_terse_report 1 defang_mime 1 dns_available no dcc_add_header 1 use_dcc 1 One thing I can spot right away is that you need to remove the defang_mime statement from your local.cf. It's not valid in versions of SA 2.50 and newer. I'd also advise running spamassassin --lint to see if there are any other errors in your local.cf that might be causing SA to get confused. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] ISPS READ THIS: scanning outbound mail gotcha (fwd)
Dynablock should only be used to check the IP address delivering the email. Also of note to ISPs, SA users everywhere: If the machine you run SA on has a NATed or otherwise non-routable IP address (ie: 10.*.*.*, 192.168.*.*, etc) then you must manually set the trusted_relays in your local.cf. Otherwise SA will fail to correctly skip the first IP when running the RCVD_IN_DYNABLOCK test. Technicaly speaking this is a work around of a bug, but it does work for me. See bug 2537 for details: http://bugzilla.spamassassin.org/show_bug.cgi?id=2537 --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] wierd erroors
At 03:56 PM 10/29/03 +, you wrote: Since I upgraded I get mail from cron with numerous errors of this form in it. Insecure dependency in link while running with -T switch at /usr/share/perl5/Mail/SpamAssassin/NoMailAudit.pm line 452, STDIN line 136. Razor requires a source-code patch to work with SA 2.60. The patch is included in the SA tarball. The basic problem is that for security reasons SA decided to enable taint checking, unfortunately, razor isn't taint-safe out-of-the box. Fortunately a small patch that makes a few small changes makes it taint-safe.. Hopefuly this gets integrated into the next release of razor, but as of 2.36, it needs a patch. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Broken Rule
At 11:36 AM 10/29/2003, Tobin wrote: I was wondering if anyone could help me fix a broken rule. Im getting a error Failed to compile body spamassassin tests, skipping: (syntax error at /ect/mail/spamassassin/local.cf, rule Porn, line 1, near /) Well, what's the broken rule look like? Can't exactly help you fix it if you don't post that part of your local.cf --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Broken Rule
At 01:02 PM 10/29/2003, you wrote: Sorry Im a newbie. I have attached my local.cf and my 20_compensate rule. Thanks again. (I have no custom rules) Well, you do have some attempts in there at making a custom rule.. and a very, very, very broken one. I'd delete the entire Penis rule you've got in there... it's so broken it's beyond worthless. Every single line relating to that rule is a syntax error.. Kill all of these lines.. they're just plain invalid: rawbody Porn- Penis /penis/ describePorn- Penis penis in the message tflags Porn- Penis score Porn- Penis 5.0 If you need to make a custom rule, read the rule-writing guide and start from scratch. http://mywebpages.comcast.net/mkettler/sa/SA-rules-howto.txt --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] [RD] Open source is Naughty!!!
At 01:53 PM 10/29/2003, Chris Santerre wrote: SUBJECT_XXX and in it, it has naughty words. One of which it looks for is : /pen.s/i Rather than do the ^oO thing, why not modify your . to exclude spaces: /pen\Ss/ This will look for a non whitespace in that spot. I'd also suggest putting a \b at the beginning and end to force a word boundary.. you're really looking for the word penis or some mangling of it, not as a part of a larger word. /\bpen\Ss\b/ You could also restrict it further by using only specific characters that are abused to obscure the word penis: pen[i1!*()l]s For that matter, you might want to replace the s with [s$*52] --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] grouping rules
At 03:02 PM 10/29/2003, Joe wrote: Hi, Is there a way to group rules together for only certain instances? For example, I want score the porn rules higher on a certain domain.. so I guess I would need something like header DOMAIN From =~ /filtereddomain.com/i But is there a way I could then do something like score FREE_PORN 3.0 and only have it work for the DOMAIN rule? If not, does anyone out there have a custom ruleset for porn that I could tag on to DOMAIN rule? You can't do that exactly, but you can get a similar effect with a meta rule: meta LOCAL_DOMAIN_AND_PORN (DOMAIN FREE_PORN) score LOCAL_DOMAIN_AND_PORN 2.0 This will cause an extra 2 points, on top of the default score for FREE_PORN, to apply. Also, if you don't want DOMAIN to be scored, you'll need to rename it to __DOMAIN. You can't just set the score to 0, as this disables the rule entirely, and if you don't put a score statement in, the rule gets a score of 1.0. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Rule for looking at envelope sender?
At 03:40 PM 10/29/2003, David Hubbard wrote: How can one look at the envelope sender of a message in a rule? Is there a variable available to SA for that? That's fundamentally impossible in SpamAssassin.. SA isn't provided the envelope. The only way SA can know about the envelope is if you have an MTA that adds this information to the message headers. The black/whitelist rules will look for these hints, and will use them if they find them, but not all MTAs add them. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Failed to run BAYES_NN SpamAssassin test, skipping problems
At 05:23 PM 10/29/2003, Greg Earle wrote: I've run truss on the running spamd and I'm not seeing anything in the truss output that points to where it's looking for the ndbm file that it doesn't like. The only lines that are relevant to Bayes-named files are: 18263: open(//.spamassassin/bayes_journal, O_WRONLY|O_APPEND|O_CREAT, 0666) Hmm, that looks like SA thinks the user home directory is /... not good. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Spamassassin not rewriting the e-mail subject.
At 07:28 PM 10/29/2003, Riley J. McIntire wrote: [EMAIL PROTECTED] /usr/local/etc/mail/spamassassin 578$ ps ax |grep [s]pamc 38938 ?? S 0:00.00 /usr/local/bin/spamc So if I'm not badly mistaken I am using spamc. But not the right way? Is there a problem with the procmailrc? That procmailrc looks more-or-less fine to me.. The only thing you need to do is make sure that spamd is running.. if spamd goes down, all your calls to spamc will do nothing. It's a client/daemon thing.. spamd is a daemon that starts up, pre-processes most of your config files, and then starts listening for connections from spamc. You only start _one_ spamd, generally at boot-up time with an init script. spamc is called in procmail for every message. it tries to connect to spamd in order to process mail. Since spamd has already processed most of your config files and already has an instance of the perl modules up and running it can turn around the scan pretty fast when queried by spamc. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Spamassassin not rewriting the e-mail subject.
At 08:48 PM 10/29/2003, Riley J. McIntire wrote: [EMAIL PROTECTED] /usr/ports 526$ ps auwx |grep [s]pamd nospam 184 0.0 1.3 21236 20920 ?? Is 20Oct03 3:51.50 /usr/local/bin/spamd -a -c -d -u nospam -H (perl5.00503) Is the -H parameter passed to spamd with no parameter? or is it just being cut off by the output of PS? -H means you're going to specify a home directory after it to use instead of the user's home directory... ie: spamd -a -c -d -u nospam -H /var/spamassassin/sitewide_config/ --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Need help with configuration....
At 12:06 PM 10/28/2003, Darryl Snover wrote: I've attempted to issue the command: spamassassin -t sample-spam.txt spam.out without apparent success, as the cursor just sits there afterwards, and nothing is returned. First run this to make sure SA is OK with your configfiles: spamassassin --lint That should have no output if all is well. Then, going back to your sample-spam.txt bit, does the file sample-spam.txt actually exist and contain data? What happens when you don't redirect the output: spamassassin -t sample-spam.txt Does debug mode give you any useful information? spamassassin -tD sample-spam.txt --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Need help with configuration....
At 01:13 PM 10/28/2003, Darryl Snover wrote: spamassassin --lint This command results in the following: Cannot open /usr/share/spamassassin/user_prefs.template: No such file or directory Failed to create default user preference file /private/var/root/.spamassassin/user_prefs That's pretty much fatally bad, and clearly indicates that your SA installation did not correctly install all of SpamAssassin. Specificaly, it looks like part of the baseline files are missing from /usr/share/spamassassin. /usr/share/spamassassin should contain 29 files if you're using 2.60: # ls /usr/share/spamassassin/ |wc -l 29 What method did you use to install SA? --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] White black lists on server
At 01:07 PM 10/28/2003, Howard Brazee wrote: I pulled out ultra-edit and FTP'd in auto-whitelist.pag auto-whitelist.dir These aren't text files. Where how can I find and edit my white lists and black lists on my e-mail server? First, those are the auto whitelist, aka AWL.. those files are NOT intended to be edited. That subsystem is also NOT a true white or blacklist.. check the FAQ for details about how the AWL really works. If you think it's just a whitelist, you really should read the FAQ before tinkering with it, it's definitely not what you think it is. If you want to view the AWL database contents, you can use the check_whitelist tool that comes in the SA tarball. It's located in the tools subdirectory. You can manually erase entries in the AWL by using spamassassin --remove-addr-from-whitelist. There are also some related score adjustment commands in the docs. However, if you really want to add real whitelist entries, edit your /etc/mail/spamassassin/local.cf or ~/.spamassassin/user_prefs and add whitelist_from_rcvd, whitelist_to, or blacklist_from statements. Even those have some limitations but they are substantially less prone to weird behaviors than the AWL. (one limitation example is that SA can't always detect the actual recipient of a message, so whitelist_to may have no effect on bcc'ed messages if your MTA doesn't drop hints into the message headers) --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] White black lists on server
At 02:23 PM 10/28/2003, Howard Brazee wrote: A lot of these documents and replies seem to be designed around me having SpamAssassin on my computer. Instead it is on my e-mail server. Is there a place to look at to find out how someone who has a server based SpamAssassin can modify the whitelists, blacklists, and give SpamAssassin feedback about SPAM - from my own PC?Or for that matter, to test my user_prefs from my own PC? I like it server based, as that means the messages don't hog my bandwidth, and can be deleted while I am on vacation for a week with my computer turned off. But it isn't obvious how to use it this way. one word: SSH. Seriously those, really those documents are oriented at it being installed on a server, but they're also oriented around you logging into the server for maintenance. Some people have hacked together some tools so that they can do some maintanance remotely without logging in, but there's no comprehensive remote administration tool out there. There's a webmin plugin out there, so if you like using webmin, this can help you do some things.. personally I despise webmin so I've never used it and can't vouch for how well it works. http://sourceforge.net/projects/sawebmin/ Some people have set up automated scripts attached to various email accounts on their server to make certain tasks semi-automatic.. However, most of these are little home-brew tools to handle one or two things specific to their setup. Also if your spamassassin config is completely broken, you may not be able to send/receive mail at all and these kinds of tools won't do anything for you. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] White black lists on server
At 02:57 PM 10/28/2003, Howard Brazee wrote: one word: SSH. Ssh? I'm too loud? I bet this means something.I haven't worked with non-mainframe servers ever. It took me a while to figure out how to use Ultra-Edit to edit my user_prefs file. SSH is Secure SHell, a remote login protocol.. it's similar to telnet, and gets you the same basic shell prompt, but encrypted. It's very popular for UNIX systems, and clients for windows exist. From reading some other messages on the list, I'm beginning to realize the problem in my response. You're an end-user that has access to SA on your ISP's mailserver.. but it is their mailserver, not yours. You don't have root-level permissions to modify the behaviors of the server itself. Configuring methods of remote access and control are fundamentally a system administration issue. All of the methods I was suggesting would be things your ISP could do to allow such things, but it's fundamentally a change to the server itself, thus they have to do it. Unfortunately, without reconfiguring the server, it's impossible to have any kind of automatic-mail-forwarding 'this is spam' system that you can just access from outlook. This is fundamentally not the kind of feature that SA can, or should, directly provide, since it's a remote-control type of feature. From the sound of things, you're already using some kind of FTP setup to access your user_prefs.. You can probably either SSH or telnet into the server with the same login name and password and get a unix shell prompt so you can run spamassassin commands directly. This is of course up to your ISP, but if they have a shell account you can FTP into, odds are good they made it telnet or ssh accessible too. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] SPAMASSASSIN on Solaris9
At 03:41 PM 10/28/2003, Dominique Bagnato wrote: Thank you to let me know how to install spamassassin on Solaris 9. and where could I get the download ? www.spamassassin.org provided you've got perl 5.6.x or higher, you should be able to install as per the documentation perl Makefile.pl make make install --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] white lists
At 06:34 PM 10/28/2003, Jack Gostl wrote: Is it possible to use wild cards in a white list? For example: whitelist_from abcd*.bigcompany.com Yes, See the Mail::SpamAssassin::Conf manpage for details. Basically it should support any wildcards that a typical unix shell supports when doing filename globbing. As a caveat, I've read about some people have problems with multi-wildcard type things like: whitelist_from x*.evi-*.co* but that may have been fixed long ago. --- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
RE: [SAtalk] Newbie
At 10:08 AM 10/27/2003, Dan Kohn wrote: This should be a FAQ: Q. How do I get SpamAssassin to mark as spam all Window patch emails that include an executable? A. Add the following line to your user-prefs (normally ~/.spamassassin/user_prefs): score MICROSOFT_EXECUTABLE 10 - dan And it should also carry the disclaimer that it will make SA tag _any_ email with a bare executable as an attachment, regardless of who, what or where it came from... It won't just tag the Microsoft patch emails that are so commonly mistaken for being spammer activity. However, most of us don't get .exe attachments normally, so this caveat shouldn't be a big deal, but it should be noted. At the same time, those emails are really viruses (the swen worm and any derivatives), and are significantly better dealt with by using a virus scanner, preferably one that runs server-side and can tag and/or discard emails that contained a virus. So I'd argue that the FAQ should also point that out as well. --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Totally whitelisting someone?
At 04:56 PM 10/25/03 +0100, Paul Hutchings wrote: I've ran spamassassin --add-addr-to-whitelist and it is reducing the scores, but the GTUBE test has such a high score that the adjustment doesn't seem to be enough! I hope that makes sense, TIA for any advice! 1) this issue should be fixed in 2.60.. it has a change to the AWL so that it ignores GTUBE. 2) do a --remove-addr-from-whitelist, instead of an add... this will completely reset the AWL for the address passes. add will only give a bonus as if a -100 scoring email was sent, and compared to the +1,000 of gtube, this is nothing. --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] MailScanner and SpamAssassin
At 12:12 AM 10/23/03 -0700, Rezk Mekhael wrote: I have a DS20 Machine with 5.1 unix tru64 operating system, I am running MailScanner, Sopho and SpamAssassin. /opt/MailScanner/etc/MailScanner.conf. MailScanner running perfict without SpamAssassin, one's I turn on the spamAssassin, MailScanner getting this problem in the mail.log: Oct 22 16:10:47 clunet.edu MailScanner[190390]: SpamAssassin timed out and was killed, consecutive failure 1 of 20 What version of SpamAssassin are you using? Are you using RBL checks? (if you're using a pre-2.60 version, you'll have to manually disable orbs, as this RBL is now dead) http://news.spamassassin.org/modules.php?op=modloadname=Newsfile=articlesid=51mode=threadorder=0thold=0 Are you using DCC? Is your firewall configured to allow DCC to work correctly? http://news.spamassassin.org/modules.php?op=modloadname=Newsfile=articlesid=56mode=threadorder=0thold=0 --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Building SA 2.60, errors
At 10:07 PM 10/23/2003, Hugh Caley wrote: I'm trying to build spamassassin 2.60 as a non-root user on my ISP's mail server. RedHat 7.3, perl version 5.004_04. I'm not sure where to go from here. I'm getting the following errors: What version of ExtUtils::MakeMaker do they have? SA requires 5.45 or higher. I'm also not sure if there's any support for perl under 5.005, and even that seems to be a bit on the under-enthusiastic side as far as support goes. There's serious discussion about dumping support for any perl under 5.6 in future releases. Apparently trying to make SA work under 5.00x, 5.6.x, and 5.8.x all at the same time is kind of messy. --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] About Spamassassin process flow
At 02:54 AM 10/23/2003, =?big5?B?WXVhbi1DaHVuZyBIc2lhb1wov72yV8TBXCk=?= wrote: Now I research Spamassassin's Genetic Algorithms, but I don't understand Spamassassin work with GA and bayes classfilter. Does anybody know? The Genetic Algorithm is not a part of SpamAssassin itself. The Genetic Algorithm is an external program used by the developers to assign scores to all the rules prior to release. Basically the GA is given three things as input. 1) a list of rules 2) the match results of those rules against a large sample of non spam email. 3) the match results of those rules against a large sample of spam email. The GA then starts assigning scores to all the rules, and iteratively adjusts them to try to place as many emails in the correct piles as possible. The results of this can be seen in the STATISTICS.txt files that are included with SpamAssassin. From the perspective of the GA, the bayes subsystem is just a grouping of rules. Each bayes rule represents a range of bayes probabilities. For example BAYES_30 represents a range of bayes probabilities between 30 and 40. Since they are just rules to the GA, it assigns them scores the same way it does other rules. If you need more information on the GA and related tools, you can look in the masses subdirectory of the spamassassin tarball. mass-check is the tool used to generate the match results for 2) and 3) above craig-evolve.c is the source code for the GA score evolver. runGA is a script that helps automate the process of running the GA --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] perhaps more of a mailscanner question?
At 12:43 PM 10/24/2003, ian douglas wrote: Right now I have MailScanner configured to delete high scoring spam so it doesn't end up in my user's mailbox, but what about the 'bounce' option? IMO, post-delivery bounces of spam, such as MailScanner does, are of very questionable value. 99.99% of the spam bounces aren't going to be directed to any address the spammer owns, so the bounce does no good in that respect. They can be helpful in letting a legitimate sender re-send his/her message. Personally of the MailScanner options, I prefer tag or quarantine. However, if you have SA directly integrated into your MTA, and can issue a 5xx series error _durring message delivery_ (ie: in response to the SMTP data command) instead of after, this is a pretty reasonable idea... I don't expect that will get you off any spam lists however... Most spammers seem to re-sell their lists and the more addresses they have in the list, the better.. even if 50% of them are dead :) Unfortunately, MailScanner doesn't directly integrate to the MTA, so it could only do a post-delivery bounce message and can't do a 5xx durring the SMTP session. --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] implementing site-wide bayesian filtering
At 04:06 PM 10/24/2003, Josh Endries wrote: I'm playing around with spamd for a few accounts on our mail server via procmail and I would like to set up bayesian filtering. Everywhere I read says that per-user is the way to go with bayesian filters versus one big site-wide database, because everyone gets different spam and ham, etc., though I seem to get the same spam as everyone else I know. Well, the impact is the kind of ham you get. Pretty much _everyone_ gets the same spam. And really, a single-database site-wide bayes isn't all that bad, particularly if your users get similar types of normal mail. The biggest factor is getting nonspam email that represents all your users. And the drawback is that the broader your range of nonspam mail, the greater a chance there is for spam to avoid the bayes database. In a small-company type environment, this is really quite practical. Most of your users are going to get similar mail pertaining to your area of business, and some run-of-the-mill type personal email. It's not quite as practical as a large ISP, because the breadth of nonspam email is pretty wide, but even there it's not so bad. So I wouldn't chalk up the single database idea as not workable, but you certainly will get better accuracy in many situations out of per-user training. Is there any way to train the filter on a per-user basis without handing out login shells? More importantly, is there a way to even have per user databases without handing out login shells... This can be pretty tough to pull off... My initial suggestion would be: 1) use per-user user_prefs from mysql, and have those user_prefs specify alternate bayes_paths on a per-user basis 2) use the --dbpath option to sa-learn to force where the database that is learned to is located. so you could then have only different bayes directories per-user, instead of shells, like these: /var/bayes/joe/ /var/bayes/jendries/ /var/bayes/mkettler/ --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] IP Blocks to kill at the firewall? (dupe posts)
At 04:15 PM 10/24/2003, Dan Wilder wrote: Ian, have you looked at the headers to determine where the duplicates are coming from? This appears to be a sourceforge problem.. I'm getting duplicates from multiple posters, on multiple different lists. Even Ian's message got double-posted. Strangely, looking at the headers, all the messages appear to have been submitted to sourceforge's mx twice with the same message ID, but different times and SMTP session id's and at different times. This makes me wonder if sourceforge's mailserver is sometimes returning a 4xx error message, but continuing to post the message anyway. Take Ian's message.. Message-ID of both copies is [EMAIL PROTECTED] Both have the exact same Received header ID and time for the transfer from his DSL client machine, to his ISP. However, looking at the second received header (chronologically speaking) you have two different submissions to sourceforge: Received: from [66.54.65.226] (helo=ns1.wild98webhosting.com) by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.22) id 1ACvKK-0004I5-E7 for [EMAIL PROTECTED]; Thu, 23 Oct 2003 23:21:36 -0700 and in the other: Received: from [66.54.65.226] (helo=ns1.wild98webhosting.com) by sc8-sf-mx1.sourceforge.net with esmtp (Exim 4.22) id 1ACvJM-00048S-Qt for [EMAIL PROTECTED]; Thu, 23 Oct 2003 23:20:36 -0700 A different example I have from a different mailing list had queue times that were 1hr 20mins different, so the fact that these two are 1 min apart isn't particularly suspect, and I suspect it may be wild98webhosting's retry interval. --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Problems upgrading to 2.60
At 10:58 AM 10/23/2003, Stuart Gall wrote: I am not realy sure what else I can do to diagnose the problem. did you try a spamassassin --lint? Perhaps there's something in your local.cf that is causing 2.60 to choke on it. --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Whitelist / Rule Question...
At 01:34 PM 10/24/2003, Dan Tappin wrote: rawbody USERNAME /username/i describe USERNAME score USERNAME -100.0 ... where the person sending e-mail is [EMAIL PROTECTED] Um... does username appear in the body part of the message? Note that rawbody does not include the headers. You probably want header USERNAME ALL =~ /username/i That is, provided that the normal whitelisting methods don't work for you: whitelist_from [EMAIL PROTECTED] (you said you weren't worried about falses, otherwise I'd recommend whitelist_from_rcvd) --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] A way to disociate analyze and scoring phase.
At 08:30 AM 10/23/03 +0200, Philippe Van Hecke wrote: I would like to know if there is a way with spamassassin to disociate the analyze phase. What's i want to ask here is if there exist a way to tell to spamassassin 1) analyse this mail . put rules match in the mail header. 2) later for the same mail tell to spamassassin compute only scorring based on the header rules match that you find in the mail Is this possible ? Possible, yes, but that would involve changing the code. There's no existing command-line option to do anything like that. What did you want to dissociate them for anyway? --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Message being marked as spam with less score
At 10:30 AM 10/23/2003, Listas - OPEN Internet wrote: Hei Evan, Here goes the example. snip Content analysis details: (7.3 points, 10.0 required) You aren't by any chance running all your mail through spamassassin with the -t parameter are you? If you use the -t parameter, you're forcing SA into test mode and it will always behave as if the message was spam, regardless of the score. --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Problems installing SpamAssassin 2.6
At 07:51 PM 10/22/03 -0500, Greg Thorne wrote: I am trying to install SpamAssassin 2.6, and I keep getting the message: $ ./spamassassin HTML::Parser version 3.24 required--this is only version 3.05 at /home/gthorne/perlmods/lib/site_perl/5.6.0/Mail/SpamAssassin/HTML.pm line 8. snip $ perl -e 'use HTML::Parser 3.24;' Since SA 2.60 runs in taint mode.. what happens if you do the same command above with -T added to the command line? I can't find any specific documentation offhand, but taint mode does at minimum modify @INC by removing ., it may remove other paths in home directories as well. It seems that the old HTML::Parser is installed on the main site, but according to @INC, it should find the one in ~/perlmods first. Anyone have any ideas? --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] help with sa-learn
At 08:55 AM 10/23/2003, Joseph P. Wetstein wrote: When I do a: sa-learn --mbox --spam kill I get: Learned from 0 message(s) (127 message(s) examined). First, I'd check for file permission issues.. make sure you've got the ability to create files in ~/.spamassassin. It's really easy to do something like chmod 600 .* in your home directory and whack the x bit on your .spamassassin directory. Usually that resorts in a cannot create temp lockfile error message, but it's worth a check. After that, you might try looking at sa-learn's debug output. sa-learn -D --mbox --spam kill This should tell you why the messages aren't being learned. i.e.: debug: [EMAIL PROTECTED]: already learnt correctly, not learning twice --- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Bayes always 99%
At 08:36 AM 10/22/2003, Scott Rothgaber wrote: My Bayes database finally got its 200 spams and hams and kicked in. I've noticed, however, that it *always* says that the probability is 99%. Is this normal? No.. It is however quite normal for nearly all spams to be at 99% and nearly all nonspam to be at 0. For example, out of 856 spam messages sent to [EMAIL PROTECTED], 828 of them scored BAYES_99. But if you're getting 99 on nonspam, something is wrong with your training. --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] How to update old version of SpamAssassin
At 05:15 PM 10/21/2003, =?koi8-r?Q?=22?=Oleg=?koi8-r?Q?=22=20?= wrote: Can somebody advise me, please, the way in which I can update it? Can I just do new install from CPAN? Or it will not be enough? The system is working now and I do not want to screw it, therefore I need help. Yes, you can just reinstall from CPAN.. if you're running an older system (ie: redhat 7.x) make sure your CPAN is up to date. Older versions of CPAN would try to upgrade you to a new version of perl when upgrading SA.. You can also download the tarball and do a standard install that way. Going from 2.5x to 2.6x should be pretty painless and just work.. the only problem cases I've seen are when people use spamd with -u root (2.60's spamd bails out if you try to force it to always run as root). I'd also run spamassassin --lint both before and after your upgrade to make sure your config files are OK and don't have any errors in them. --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] [RD] Trojaned machines
At 10:18 AM 10/22/2003, Chris Santerre wrote:
It is tough to remember everything SA looks for. Does 2.60 have something
like this? Comments?
rawbody MY_TROJANED_HOST
/http:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{2,4}\//
describe MY_TROJANED_HOST Possible Trojaned box used for spam hosting
score MY_TROJANED_HOST 0.01 # For testing
why not do this as a uri rule, instead of a rawbody?
uri MY_TROJANED_HOST /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{2,4}\//
---
This SF.net email is sponsored by OSDN developer relations
Here's your chance to show off your extensive product knowledge
We want to know what you know. Tell us and you have a chance to win $100
http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54
___
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] sa-learn not working right
At 10:35 AM 10/22/2003, Anne Ramey wrote: when I sa-learn on a folder of spam it takes almost no time and says learned 1 no matter how many where in the file but when I do an sa-learn of ham, it works fine. Ideas? What command line did you use? and what format is the mail in? If you're giving sa-learn a file in mbox format containing multiple emails, you have to use sa-learn --mbox. By default sa-learn assumes input files are a single message per file in RFC 822 format. --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] SA TIMED OUT
At 09:37 PM 10/22/03 +0200, Andreas Fuchs wrote: I see allot of such errors in my syslog. I think they apear only if i enable RAZOR, with Razor disabled i never saw such an error, any idea ? Can i change the timeout somewhere ? What kind of setup are you using? It's hard to give a whole lot of advice without that. However, I'd first make sure you can make razor work. I suspect you're probably having issues with your firewall that are preventing razor checks from going out. Just run some emails through the razor-check command line tool directly, and maybe turn on some of the debug output. By default razor needs to make two outbound tcp connections to the razor server. One to port 7, and the other to port 2703. It doesn't need any inbound connections, but it does need to get replies back for the outbound connections it creates. If it's just random periods of razor not being available, you can tell SA to give up on razor in a shorter period of time.. see man Mail::SpamAssassin::Conf, and look at the razor_timeout option. If you shorten this timeout a little, you can make SA give up on razor before whatever tool you are using times SA out entirely. I'd suggest a value of somewhere between 10 and 20. --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] have try these header check but don't know why it is not trigered.
At 11:29 AM 10/21/2003, Philippe Van Hecke wrote: #header RECEIVED_FROM_OTHER_THAN_MY_DOMAIN Received !~/(server1||server2|server3|server4|server5)(\.fw)?\.foo\.bar/i snip the commented header RECEIVED_FROM_OTHER_THAN_MY_DOMAIN never match and so the FORGED_MY_DOMAIN is never trigered but the first one match. what's wrong in the commented rule . You've got two | characters between server1 and server2.. Do you really want a null-string in the set? meta FORGED_MY_DOMAIN ( FROM_MY_OWN_DOMAIN TO_MY_OWN_DOMAIN RECEIVED_FROM_OTHER_THAN_MY_DOMAIN You might also consider generalizing this rule a bit more: meta FORGED_MY_DOMAIN ( FROM_MY_OWN_DOMAIN RECEIVED_FROM_OTHER_THAN_MY_DOMAIN) --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] custom rules local.cf
At 07:50 AM 10/21/2003, Thomas Kinghorn wrote: Do all custom rules have to be added to the /etc/mail/spamassassin/local.cf file OR can a seperate .cf file be placed in the spamassassin directory? SA will by default parse *.cf in /etc/mail/spamassassin. Thus, you can put them in a separate CF file if you have a lot of them. --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] list of test gone
At 10:39 AM 10/21/2003, Cliff Browning wrote: I went to the spamassassin.org site today and the list of tests is not there. Could you please put it back. Thanks Seems to be there and just fine for me... It's possible you caught the site in the middle of an update.. the tests list is built daily from the CVS image and it may have been in the middle of a rebuild when you stopped by. http://www.spamassassin.org/tests.html (Note: The daily build routine also means there may be minor inconsistencies between the website and the current stable release, since the website reflects the development release it may have newer tests in it. Thus, don't rely on it as 100% accurate documentation of what your version of SA has for tests.) --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Forged From addresses and whitelist rule
At 11:11 AM 10/20/2003, James Herschel wrote: I've got an odd situation where I've received spam from a (forged) valid address in my own domain. Problem is that the headers are clearly forged as the IP for my mailserver is incorrect, but the whitelist rule for my domain is being applied. Yeah, whitelist_from'ing your own domain is just a BAD idea. Don't do it. Ever. Is there a setting where I can tell spamassassin which IP is the MTA for my domain? It would make sense to me that spamassassin should know what my proper MTA is, and if the header is forged, it shouldn't apply the whitelist rule. Use whitelist_from_rcvd instead of whitelist_from. Also upgrade to 2.60. 2.5x still has some minor bugs in parsing received: headers that some spammers can abuse to make it falsely match a whitelist_from_rcvd when it shouldn't. --- This SF.net email sponsored by: Enterprise Linux Forum Conference Expo The Event For Linux Datacenter Solutions Strategies in The Enterprise Linux in the Boardroom; in the Front Office; in the Server Room http://www.enterpriselinuxforum.com ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] upgrade to 2.60 broke SA
At 01:04 PM 10/19/2003, Masoud Pajoh wrote: I was running SA 2.5 with kmail and all was well, then I upgraded to version 2.60. Now, SA stopped pocessing incoming mail all togther. How can I correct this. Well, what exactly do you mean by stopped processing incoming mail? Do you mean that the messages are no longer being run through SA? Or do you mean that whenever kmail calls SA the message wedges forever? If it's not being processed at all it could very easily be a simple path issue.. check your paths very closely to make sure SA didn't do something like move from /usr/local/bin to /usr/bin during the upgrade. Also are you using spamd/spamc? Did spamd successfully start? (you can check by running ps ax and looking for spamd in the process lists) If it's not a path or spamd-not-running issue, I'd start off by running a quick lint on your config files, and maybe a debug-enabled run to get some ideas as to what might be going wrong. First to check your config file syntax run this command: spamassassin --lint If lint complains about anything.. fix the syntax errors. After fixing things so lint no longer complains, try looking at the debug mode output, you might get some hints from that: spamassassin -D --lint --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] My first question here[SA DCC]
At 10:19 PM 10/20/03 +0200, Marco Calistri wrote: Hello, first of all I want to make my compliments to the developers that are spending their time to fight the SPAM and of course, among these thanks to SA Team. My first question (the first of a long series...) is: Well, my first comment, before I get to your question, is to telly you to fix your local.cf. You've got a defang_mime statement, and that command hasn't been supported since 2.4x. Run spamassasssin --lint to make sure there's no other syntax errors. This is something you should run every time you upgrade and/or edit local.cf. I compiled/installed SA 2.60 with Razor2, then by reading about DCC, I compiled/installed also this enhancement without to recompile SA neither razor. By running spamassassin -r -D somespam, I noticed that SA recognize DCC and use it to check the mail, but what is the case by running spamc through procmail having spamd on the background? How can I see if spamd is checking mail over DCC? I get razor reports on headers but never seen DCC reports on it. You should only need to restart spamd to have it start using DCC.. both spamassassin and spamd check for dcc, razor, and pyzor automatically when they start up and they do it in the same way. if you really want to watch it go, kill spamd, and start it up in console mode with debug enabled. You'll need two shell prompts for this. On the first one, start up console-mode spamd by running: spamd -D Then on the other console, run spamc as a command line and pump mail through it: spamc sample-spam.txt When you run spamc, you should see some DCC checking debug output pipe by on the screen, or a message describing why it couldn't run DCC. --- This SF.net email is sponsored by OSDN developer relations Here's your chance to show off your extensive product knowledge We want to know what you know. Tell us and you have a chance to win $100 http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54 ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Redirect ?
At 08:53 AM 10/17/2003, guenther wrote: I just wondered about redirecting mail to learn as Spam, as mentioned in FAQ 5.1. This will add extra headers (especially Received headers). Won't these headers poison the Bayesian database? This varies a lot from mail client to mail client. With some mail clients, the redirect is almost more of a re-queue of the original message with a new SMTP envelope... In 5.1 Justin is speaking specifically about outlooks resend ability. Others mail clients (such as my own) do it more like a forward. That's why FAQ 5.3 exists, to emphasize that is kind of thing is really not as easy as it may first seem, but with some MUA's it may be possible. And now that I look at it, FAQ 5.3 and FAQ 5.1 really should be merged into one.. maybe I'll ping justin on that at some point. Thus far I can only account for Eudora, where it's absolutely impossible as the client will immediately discard any text sections of a multipart/alternative message as soon as you download it, making good learning impossible even if you could get forwarding with no header modifications. btw: I upgraded to 2.60 yesterday and even spoiled SA with Razor and DCC (well, Pyzor cowardly refuses to install) -- and the results are great! Very good job, folks, thanks! :-) --- This SF.net email sponsored by: Enterprise Linux Forum Conference Expo The Event For Linux Datacenter Solutions Strategies in The Enterprise Linux in the Boardroom; in the Front Office; in the Server Room http://www.enterpriselinuxforum.com ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] slow list
At 10:37 AM 10/17/2003, Colin A. Bartlett wrote: Does anyone else have trouble getting their messages on the list in a timely fashion? It seems when I reply to the list it takes 15 to 45 minutes for my message to appear. By the time my reply shows up, 3 other people have replied and I look like a dufus for posting redundant info. Anyone else have this problem or just sf.net just not like me? SF.net has been like that at times.. right now it's actually not nearly as bad as it was a couple months ago, where I'd post and it would take 3 hours to get a copy of my post back. So the redundant reply issue has been around for a while.. it's also the primary reason I reply direct to the author as well as the list.. this way the author will at least get my reply in a timely fashion.. There's been times where I've bounced back-and-forth 3 email exchanges with a person that had a problem and got it solved before the list showed that anyone had replied at all.. It happens, and SF is handling a truly massive amount of email for a whole lot of lists. Still, despite the backlog and delays, SF is providing an awesome service given the amount we are paying them for it (nothing). --- This SF.net email sponsored by: Enterprise Linux Forum Conference Expo The Event For Linux Datacenter Solutions Strategies in The Enterprise Linux in the Boardroom; in the Front Office; in the Server Room http://www.enterpriselinuxforum.com ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] One Message 2 results...
At 04:36 AM 10/5/2003, Hendrik wrote: First Question: Why does SA prints out autolean=no when the /etc/mail/spamassassin/local.cf says: # Enable Bayes auto-learning auto_learn 1 the autolearn=no means it didn't auto-learn THIS message because it didn't score high or low enough to cross the autolearning thresholds. After copy the mail to my linux box I started spamc: Define what you mean by copy the mail.. if you just copied the raw outlook binary file over to your linux mailserver... well, outlook added binary stuff to the message for it's own tracking and that may have caused different SA rules to fire. You need to be aware that most mailclients modify messages as they store them for various purposes of internal houskeeping, these modifications make the message fundamentaly very different than the message that passed through your mailserver, so a different set of rules will match. The partiuclar message you were testing against is a common virus email.. SA isn't designed to catch viruses, and has no rules to catch this one.. if you really want to catch them, search in the archives of this list for SWEN and you should find some people posting rules to catch the swen worm.. However, you'd probably be better off implementing a virus scanner to catch most of these things. --- This SF.net email sponsored by: Enterprise Linux Forum Conference Expo The Event For Linux Datacenter Solutions Strategies in The Enterprise Linux in the Boardroom; in the Front Office; in the Server Room http://www.enterpriselinuxforum.com ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Not reading local.cf?
At 11:22 AM 10/17/2003, Dave Bartmess wrote: I put this on the command line, and immediately after restarting spamd, it gave me the following messages in /var/log/mail/errors: Oct 13 21:45:46 Dingo spamc[5596]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused Ah-ha! Try it without daemonizing and you'll get the error message telling you what's going on. [EMAIL PROTECTED] /root]# spamd -c -m 5 -u root fatal: cannot run as nonexistent user or root with -u option So apparently they decided to add code to prevent people from using -u root, which is a security issue. Try setting up a spamd user and use that, but make sure it's a real account with a real home directory. I did verify that: spamd -d -c -m 5 -u mkettler does work and load correctly: [EMAIL PROTECTED] /root]# spamd -d -c -m 5 -u mkettler [EMAIL PROTECTED] /root]# ps ax |grep spamd 10421 ?S 0:00 /usr/bin/spamd -d -c -m 5 -u mkettler --- This SF.net email sponsored by: Enterprise Linux Forum Conference Expo The Event For Linux Datacenter Solutions Strategies in The Enterprise Linux in the Boardroom; in the Front Office; in the Server Room http://www.enterpriselinuxforum.com ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Re: RCVD_IN_DYNABLOCK
At 03:10 PM 10/16/2003, Daniel M. Drucker wrote: I wasn't even aware that this notfirsthop argument existed; as far as I can tell in a few minutes of testing, the argument has no effect. I've had to disable all dynamic-IP RBLs because of this problem... Dan.. Are you using an internal mailserver with a non-routable internal IP address? This particular problem is very common when you have SA running on an internal mailserver which has a NATed IP address in the 192.168.*.*, 10.*.*.*, etc type address blocks. In this situation you have to manually set the trusted_networks variable in your local.cf. By default SA will trust the IP of the host it runs on, but only if it's a real IP and it can verify forward/reverse DNS. In the case of an internal IP, it doesn't generate a trusted_networks list and the notfirsthop check fails to skip the first hop. so just do something like: trusted_networks 192.168.1.2/32 and you should be OK --- This SF.net email sponsored by: Enterprise Linux Forum Conference Expo The Event For Linux Datacenter Solutions Strategies in The Enterprise Linux in the Boardroom; in the Front Office; in the Server Room http://www.enterpriselinuxforum.com ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] SA and Mailscanner
At 01:29 PM 10/17/03 -0400, Jon Fraley wrote: From looking at some posts, it looks like Mailscanner just looks for a score from SA. Does this mean that the message does not get re-written as an attachment with the report if it is spam? Or does Mailscanner do this? I can not find exactly how it works. Mailscanner's documentation on their web site is sparse. When using MailScanner, all the message tagging, etc is done by MailScanner, so this would become an issue in how to configure MailScaner for the tagging format. It's pretty configurable, but I'll admit offhand I'm not sure if it's got an encapsulate option. I know it has lots of possible actions on spam however (strip html, etc). I personally don't like the encapsulate mode very much so I've never tried to get MS to emulate this behavior. Looking over the configfile documentation (which I find to be VERY complete, but a lot of options to wade through) I don't see a spam action that covers this. Look for what to do with spam in: http://www.sng.ecs.soton.ac.uk/mailscanner/man/MailScanner.conf.3.html It looks like the valid options are deliver, delete, bounce, store (aka quarantine), forward and striphtml. However, Julian might have added an encapsulate option since the doc was last updated.. check on the mailscanner mailing list. --- This SF.net email sponsored by: Enterprise Linux Forum Conference Expo The Event For Linux Datacenter Solutions Strategies in The Enterprise Linux in the Boardroom; in the Front Office; in the Server Room http://www.enterpriselinuxforum.com ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] LOTS of mail being tagged wrong
At 01:21 PM 10/17/03 +0200, HÃ¥kon Nilsen \(Exinet AS\) wrote: Bayes tages it worth 5.4 points. My limit is 5. How does Byes tag it this much? What should I do to solve the issue? Raise the limit to 7.5 or something would probably help on this one, but not all. A whitelist service is already created, but I can't keep track of 100 mails each day - and they do receive a lot of mail from different domains indeed... Sounds like your bayes is heavily mis-trained... Personally, I'd just wipe the database and start over. This time take extra care make sure no legitamate mails wind up in the spam training, and make sure your ham training is representative of your normal mail. I'd also push up the bayes spam autolearning threshold, to reduce the chance of a false positive nonspam mail from being autolearned as spam. If you really want to know which tokens the email matches, run it through the command-line tool with debugging enabled. spamassasssin -D mistaged_email You can also examine your bayes database contents just to get a general look at them. sa-learn --dump I like to redirect the dump to a file for easier viewing. Also when I am looking at general stats, I use head on the file. If I want to examine spam/nonspam tokens, I run the whole file through sort. Using sort winds up causing the header info to get shuffled in somewhere other than the top, but it also sorts all the tokens from nonspam to spam probability (0.000= strongly nonspam, 0. = strongly spam) --- This SF.net email sponsored by: Enterprise Linux Forum Conference Expo The Event For Linux Datacenter Solutions Strategies in The Enterprise Linux in the Boardroom; in the Front Office; in the Server Room http://www.enterpriselinuxforum.com ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Traffic on my Unix server
At 01:25 PM 10/16/03 +0200, Francis wrote: Is it possible that Spamassassin generate somme out traffic on our Wan? SpamAssassin itself does not generate network traffic, although some of the optional modules that SA will use if available will generate network traffic. Spamassassin does quite a lot of DNS lookup, so it will definitely generate that if you've got the Net::DNS perl module. This would be standard udp/53 and tcp/53 type DNS traffic and will be performed just like any other DNS lookup. If you have razor, dcc, or pyzor installed, SA will use those and they will generate outbound traffic which isn't like anything else and might strike you as weird at first glance. Offhand I know that Razor uses outbound tcp/7 and outbound tcp/2703. DCC udp/6277. (DCC servers also use tcp/6227 to communicate amongst themselves, but that's not an issue for systems doing query). Pyzor seems to default to tcp/24441. --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] New User question
At 11:15 AM 10/16/2003, Michael Balamuth wrote: Being very new to spamassassin, I hope these aren't too dumb questions. Having configured /etc/mail/spamassassin/local.cf as inserted below, I'd suggest running spamassassin --lint. There are errors in your local.cf.. in particular, defang_mime is not a valid option anymore, and is superceded by the report_safe option (which you are using). $ spamassassin --lint Failed to parse line in SpamAssassin configuration, skipping: defang_mime 0 --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] upgrade
At 05:20 AM 10/16/03 -0700, Doug Wolfgram wrote: I just deleted 2.55 from my system and installed 2.60 via RPMs. Although spamassassin is running (ps -ax | grep spamd) when i run the spam test message through it says spam score:0 and 'template not found' What template is it looking for?? It's looking for the spam report template. This is normally present in the default config files, which tells me that somehow or another the default configfiles aren't being found (normally these are in /usr/share/spamassassin). For starters I'd suggest using the plain-jane command line spamassassin, instead of spamc, and turn on debug output. spamassassin -D sample-spam.txt The top of the debug output should tell you what paths it's using. I suspect this will be enough to get you on the right path to a fix. If the plain command line works, then at least the config files are OK and it's something relating to spamd's behaviors. You can try killing spamd and restart it with debug output enabled, then run a message through spamc and look at that debug output. --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
Re: [SAtalk] Troubleshoot rbl checking
At 10:04 AM 10/15/03 -0400, Jon Fraley wrote: I am running SA 2.60. I had skip_rbl_checks set to 1 and now changed it to 0. I have started spamd with -D to get debugging, but do not see any thing about checking rbl's. Is there away to debug the rbl checks? Is there something I should look at? Look for the is DNS available type messages. Without the Net::DNS module the RBLs won't work, and they also won't work if the system SA is running on can't do DNS lookups (this would be very unusual). --- This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php ___ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
