Re: Auto Training Filtering Gateway
David Brodbeck wrote:
> Kelson wrote:
>> Mail sent from to a few addresses that we never use for outgoing mail is rejected with an Invalid bounce explanation. (Don't do this with postmaster or abuse, or you'll probably end up listed on RFC-ignorant.)
>
> AFAIK you won't unless someone decides to report you. RFC-ignorant doesn't automatically probe, they just accept reports.

Good point. Still worth keeping in mind, though.

-- Kelson Vibber SpeedGate Communications www.speed.net
ALL_TRUSTED
I see this is already in bugzilla. Should we just depreciate that rule for now? It is really screwing up my scores. Ray Dzek Network Operations Supervisor Specialized Bicycle Components PH: 408-782-5420 FX: 408-782-5421
Re: ALL_TRUSTED
Ray writes:
> I see this is already in bugzilla. Should we just depreciate that rule for now? It is really screwing up my scores.

As the bz bug says -- it's a symptom as much as anything else. so adding support for the Received header format it can't deal with, is the better fix.

--j.

> Ray Dzek Network Operations Supervisor Specialized Bicycle Components PH: 408-782-5420 FX: 408-782-5421
Whitelist_from_rcvd and multiple DNS resolvers causing problems?
I'm using SpamAssassin 3.0. When I use whitelist_from_rcvd with domain names that reverse to only one possible domain it works just as it should. When the domain name is one that has multiple possibilities that it can reverse dns to then it doesn't work unless it happens to pick the domain name listed in my whitelist_rcvd_to entry.

For example, if I create an entry for

    whitelist_from_rcvd [EMAIL PROTECTED] domain1.com

but the server hosting domain1.com also hosts domain2.com, anotherdomain.com and anotherdomain.net, I have problems. Say the server that hosted email for the domain I wanted to whitelist had an ip of 123.123.123.1 and I did dig -x 123.123.123.1, it would give me all the various domains that that address is configured for.

I think this is what's going on anyway. I looked at the output from spamassassin -D -t problem then I notice that the rdns= is for one of the other domains hosted on the server and not the domain I would like to whitelist. When I examine the same output from a message that is working, the rdns= is the domain name that I specified in the whitelist_from_rcvd entry.

Do I need to specify the IP address of the server using multiple dns entries to get whitelist_from_rcvd to work or should this not be an issue and I need to look at other reasons why this particular domain is causing problems?
Re: Redhat / Fedora RPMs?
On Thu, September 23, 2004 10:47, jenni baier [EMAIL PROTECTED] said:
> Does anyone have 3.0 in RPM form? I can't find any links to RPM versions on the site... Thanks in advance...

http://ftp.freshrpms.net/pub/fedora/linux/core/development/i386/Fedora/RPMS/spamassassin-3.0-10.i386.rpm
or
http://ftp.freshrpms.net/pub/fedora/linux/core/development/i386/SRPMS/spamassassin-3.0-10.src.rpm

You may want to verify that this is the final version (not an rc), since I always install SA from the tarball. I'd recommend compiling from the src rpm, to maintain your sanity and your system's stability, unless you're running a bone stock system. That or you could build the rpm from the tarball, as suggested earlier in another post.

Regards, Jon
Re[2]: spamassassin --lint fails on OS X using SA 3.0.0
Thursday, September 23, 2004, 2:01:58 PM, Theo responded:

TVD> On Thu, Sep 23, 2004 at 09:35:39AM -0400, Rob Kudyba wrote:
>> /etc/mail/spamassassin root# /usr/bin/spamassassin --lint -D
>> debug: config: read file //etc/mail/spamassassin/70_sare_html.cf
>> debug: config: read file //etc/mail/spamassassin/70_sare_oem.cf
>> debug: config: read file //etc/mail/spamassassin/70_sare_random.cf
>> debug: config: read file //etc/mail/spamassassin/70_sare_ratware.cf
>> debug: config: read file //etc/mail/spamassassin/70_sare_specific.cf
>> debug: config: read file //etc/mail/spamassassin/70_sare_spoof.cf
>> debug: config: read file //etc/mail/spamassassin/72_sare_bml_post25x.cf
>> debug: config: read file //etc/mail/spamassassin/99_FVGT_Tripwire.cf
>> debug: config: read file //etc/mail/spamassassin/99_sare_fraud_post25x.cf
>> debug: config: read file //etc/mail/spamassassin/99_sare_fraud_pre25x.cf

TVD> can't help you with these.

However, 99_sare_fraud_post25x.cf and 99_sare_fraud_pre25x.cf are CONFLICTING files. pre25x is supposed to be used only for SA 2.4x and older, while post25x is supposed to be used for 2.5x, 2.6x, 3.xx.xx Get rid of the bad file.

>> warning: description exists for non-existent rule SARE_SUB_CASINO_OB1

TVD> all third party rules -- go talk to the people who wrote them.

There is no current SARE rule with this name. SARE_SUB_CASINO_OB (without any digit at the end) is in 70_sare_genlsubj1.cf, which you do NOT list in your list of custom files above. I scan all current SARE files and I do not find any rule or description with the name your system is complaining about. Find out where that is and get rid of it. (Simply refreshing your files from the current SARE rules might do the trick.)

Bob Menschel
SA-3.0.0 for FBSD Ports
Does anyone know who is handling the update of the FBSD ports for the new SA-3 release? Or better yet, when it is scheduled? Thanks! Best regards, Jack L. Stone, Administrator Sage American http://www.sage-american.com [EMAIL PROTECTED]
Deep Recursion warning then out of memory error
I do not think this is directly related to spamassassin, but googling has produced hits all over the map from perl, to Berkeley DB, and none seem to be recent.

I noticed that spamassassin was not learning after I did an upgrade to perl 5.8.5. In running sa-learn with a -D I found that DB_File.pm was missing. So I downloaded DB_File.pm, compiled and tested it with no issues. Now when I run sa-learn or I do a spamassassin -r, I get a warning about Deep recursion in the DB_File.pm module and my system gets IO bound until all memory and swap space is consumed and it dies with an out of memory error.

I had downloaded a new version of DB_File.pm so I went back to the older version which did not help. So I changed the link for perl back to perl 5.8.1 and the problem goes away. So that left me wondering if there is some other perl component that needs rebuilding against the new version of perl or something else.

Configuration is:
Solaris 9 on sparc platform
Perl 5.8.5
Spamassassin 2.64
Razor 2.61
DB_File 1.810
Berkeley DB 4.1.25

-- Regards, David Highley Phone: (206) 669-0081 Highley Recommended, Inc. FAX: (253) 838-8509 2927 SW 339th Street Email: [EMAIL PROTECTED] Federal Way, WA 98023-7732 WEB: http://www.highley-recommended.com
Re: [sa-list] SA-3.0.0 for FBSD Ports
On Thu, 23 Sep 2004, Jack L. Stone wrote: Does anyone know who is handling the update of the FBSD ports for the new SA-3 release? Or better yet, when it is scheduled? The ports tree is currently frozen in preparation for Freebsd 5.3-Release, so it may be a while. (I recently asked when bind 9.3.0 would be in) -Dan Thanks! Best regards, Jack L. Stone, Administrator Sage American http://www.sage-american.com [EMAIL PROTECTED] -- Tonite on reboot! People misspelling as many words with sexual connotations as possible... -Keyo-Chan, February 10th 1999, Undernet #reboot Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: SA 3.0 bugs ? no header rewriting
Hi Theo Van Dinter [EMAIL PROTECTED], you wrote on Thursday, 2004-09-23 17:00:08 -0400:
> NoMailAudit doesn't exist in 3.0. It looks like you're using old modules and/or old scripts. Nuke anything spamassassin related, then install 3.0.0.

I renamed ~/.spamassassin/user_prefs and /etc/mail/spamassassin/local.cf but it doesn't work.

wkr Thomas Richter

-- dss1://49.431.801306 Wot're we going to do tonight, Brain ? gsm://49.179.5192431 The same thing we do every night, Pinky . icq://124849926 Try to TAKE OVER THE WORLD ! mailto:[EMAIL PROTECTED] http://www.thomas-richter.de
FreeBSD port
I am working on creating a drop-in replacement for the FreeBSD port, although it is likely the committers will create their own in due time. -Dan -- I want to see how you see. -SK, 6/2/99, 4:30 AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
SA 3.0 TRAP
If you are thinking about installing SpamAssassin 3.0 PAY ATTENTION:

If you haven't been reading this list carefully you will have missed the fact that spamd has been moved from /usr/sbin/ to /usr/bin . However, the old version remains in /usr/sbin which is often where your scripts expect to find it. (At least in SuSE 8 it is so).

Easiest fix is to rm the one in /usr/sbin and link the new one there, and then go to /etc/sysconfig/spamd and remove the -a argument in that file.

Took 5 minutes to install 3.0 with CPAN (gotta love cpan) and then it took me 2 hours to track down Brian Gentry's post in the archives. http://thread.gmane.org/gmane.mail.spam.spamassassin.general/56501

WHY is this not in BOLD TYPE in the readme ???

-- _ John Andersen
Couple of questions with SA 3.0
Hi, I have installed spamassassin 3.0 on an email gateway, I noticed on a debug it threw out an error with the line check_mx_attempts 0 config: SpamAssassin failed to parse line, skipping: check_mx_attempts 0 Is this option disabled or removed in 3.0? Secondly, I have installed pyzor 0.4.0 but find it is slowing it down (since I am running it on a mail gateway) with mailscanner, the reason I guess is because the script is called each time. With DCC I am running dccifd with a socket which speeds it up, does anyone know if this is possible with pyzor. I have seen you can use something called readyexec and use a socket but don't know how to integrate it with spamassassin. Thanks Chris
Re: SA 3.0 TRAP
On Fri, Sep 24, 2004 at 01:30:19AM -0800, John Andersen wrote:
> If you are thinking about installing SpamAssassin 3.0 PAY ATTENTION: If you haven't been reading this list carefully you will have missed the fact that spamd has been moved from /usr/sbin/ to /usr/bin . However, the old version remains in /usr/sbin which is often where your scripts expect to find it. (At least in SuSE 8 it is so). Easiest fix is to rm the one in /usr/sbin and link the new one there, and then go to /etc/sysconfig/spamd and remove the -a argument in that file.

Alternatively, perhaps the released version could be amended so that spamd is installed in /usr/sbin rather than /usr/bin, which is I understand what the Debian package maintainers have done (that wouldn't assist users who have already upgraded, of course).

-- Anthony Edwards [EMAIL PROTECTED]
Re: SA 3.0 TRAP
On Fri, 24 Sep 2004 01:30:19 -0800 John Andersen [EMAIL PROTECTED] wrote:
> If you are thinking about installing SpamAssassin 3.0 PAY ATTENTION: If you haven't been reading this list carefully you will have missed the fact that spamd has been moved from /usr/sbin/ to /usr/bin . However, the old version remains in /usr/sbin which is often where your scripts expect to find it. (At least in SuSE 8 it is so).
> [...]
> WHY is this not in BOLD TYPE in the readme ???

Maybe the issue is OS- and version-dependent and wasn't apparent in testing?

-- Bob
Re: Couple of questions with SA 3.0
At 07:41 AM 9/24/2004, Chris Connell wrote: Hi, I have installed spamassassin 3.0 on an email gateway, I noticed on a debug it threw out an error with the line check_mx_attempts 0 config: SpamAssassin failed to parse line, skipping: check_mx_attempts 0 Is this option disabled or removed in 3.0? Looking at the SA 3.0 code, the MX_FOR_FROM test uses different code, which seems to be based on the same queued in background code that the RBL checks use. This seems to be a much more efficient way to do it anyway. Secondly, I have installed pyzor 0.4.0 I can't help you with pyzor.. I don't use it.. (I find DCC, Razor 2.61, DNSBLs and surbl a sufficient group of net checks)
Re: [OT] I love tech people! First SARE Donation!
On Friday, September 24, 2004, 6:59:37 AM, Chris Santerre wrote: Just got an email from our Host of SARE. They got their first donation and wait for it..yes.it ended in .37 cents!! Wooot! LOL!!! A.C. made the donation. You rock bro! Shows you paid attention ;) Our host's accounting dept will keep wondering, Why .37 cents? I love screwing with people's minds. :-) Is that like 42 cents before Paypal fees? Hehe 42 ;-) It may be worth mentioning that there's a SURBL donation button also, and it will be used for setting up more data servers if things work out. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: [OT] I love tech people! First SARE Donation!
Gee, Chris, you're still sending to incubator. Spamassassin graduated! Congratulations on the donation. {^_-}

----- Original Message -----
From: Chris Santerre [EMAIL PROTECTED]

Just got an email from our Host of SARE. They got their first donation and wait for it..yes.it ended in .37 cents!! Wooot! LOL!!! A.C. made the donation. You rock bro! Shows you paid attention ;) Our host's accounting dept will keep wondering, Why .37 cents? I love screwing with people's minds. :-)
Windows, pop3proxy, Spamassassin v. 3.0.0
Hi! I'm trying to use pop3proxy with SA3, but I cannot see the x-spam headers. Here is some more info.

I did a clean install of Activestate Perl 5.8.4.810 and SA3, following instructions at http://www.openhandhome.com/howtosa300.html . Spamassassin works: if I fire up a command prompt and type

    CMD spamassassin.bat mymessage.txt output.txt

the message is correctly parsed and tagged.

I then installed pop3proxy from http://mcd.perlmonk.org/pop3proxy/ and changed it according to http://wiki.apache.org/spamassassin/CantLocateNoMailAudit . In particular, I changed line 857 from

    my $message = Mail::SpamAssassin::NoMailAudit->new(data => [EMAIL PROTECTED],

to

    my $message = $spamtest->parse( [EMAIL PROTECTED],

leaving the rest unchanged. Pop3proxy works, i.e. I can retrieve the mail using my mail client (Mozilla 1.8a3). If I look at the pop3proxy.log , all messages are correctly identified as ham or spam. However, pop3proxy spits out the unprocessed message.

My local.cf adds a custom header: this appears in the output file I get from spamassassin.bat. I added

    print $message->get_all_headers();

in my pop3proxy.pl, right after

    $status->rewrite_mail() unless $respect_byte_count;

and, as a result, I can see all x-spam headers, including my custom header, in the log file. However, I cannot see the headers in my client. I used to run SA 2.63 on perl 5.6.1 with no problems at all.

Any suggestions? Thanks and regards -Paolo
Spammers using my server
This morning I had over 7000 emails in my Linux server's outbound queue which I deleted. My firewall log shows over 20,000 emails went out with a SunTrust bank announce saying to login and enter your username and password. I do not see the emails coming in like I would in a relay. How can I stop this or how are they doing this?

My firewall uses an SMTP proxy and only allows my domain in. I run MailScanner on my Red Hat 3.0 mail server with Sendmail. The box has the latest patches from Red Hat. I have Sendmail setup to accept only my domain email.

The non-deliverable reports are coming from my Linux apache user. Non-deliverables usually come from root. I am running apache on the server with forms. The forms software is the latest version and patches.

Can anybody help on this? Thanks, Jay
Re: Auto Training Filtering Gateway
I feel like I need to add, for the sake of others, that it's a bad idea to allow outside access to these two email addresses. Internal users, or perhaps even just a few trusted individuals should be able to send to these two addresses, but not the general internet population. I'm guessing the reasons for this should be self-evident.

On Thu, 23 Sep 2004 15:15:05 -0400, Matt Kettler [EMAIL PROTECTED] wrote:
> At 02:51 PM 9/23/2004, Gary Buckmaster wrote:
>> To this end, I've considered setting up spam@ and notspam@ accounts on the gateway itself, and having local users send appropriate samples to these accounts, then running sa-learn against these. Does this approach make a great deal of sense?
>
> Only if you can get your local users to send them in a way that you can reconstruct the original headers and body. (ie: regular forwarding won't work here, but forward as attachment might). Check the wiki, there's a bit of information on this kind of stuff for various kinds of mailclients up there.
Re: Spammers using my server
This question isn't really appropriate to a SpamAssassin forum. For what it's worth, it sounds like someone exploited an Apache vuln on your system and installed a mail generator. Given the severity of this (ie you are sending out thousands of email phishing frauds) you should probably take the server off the network until you fix it.

Jay Ehrhart wrote:
> This morning I had over 7000 emails in my Linux server's outbound queue which I deleted. My firewall log shows over 20,000 emails went out with a SunTrust bank announce saying to login and enter your username and password. I do not see the emails coming in like I would in a relay. How can I stop this or how are they doing this?
>
> My firewall uses an SMTP proxy and only allows my domain in. I run MailScanner on my Red Hat 3.0 mail server with Sendmail. The box has the latest patches from Red Hat. I have Sendmail setup to accept only my domain email.
>
> The non-deliverable reports are coming from my Linux apache user. Non-deliverables usually come from root. I am running apache on the server with forms. The forms software is the latest version and patches.
>
> Can anybody help on this? Thanks, Jay
Re: Spammers using my server
* Jay Ehrhart [EMAIL PROTECTED]:
> This morning I had over 7000 emails in my Linux server's outbound queue which I deleted. My firewall log shows over 20,000 emails went out with a SunTrust bank announce saying to login and enter your username and password. I do not see the emails coming in like I would in a relay. How can I stop this or how are they doing this?

Check your logs. They tell you how the mail entered your system

-- Ralf Hildebrandt (i.A. des IT-Zentrum) [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30-450 570-916
IT-Zentrum Standort CBF AIM. ralfpostfix
Re: Spammers using my server
At 10:39 AM 9/24/2004, Jay Ehrhart wrote: This morning I had over 7000 emails in my Linux server's outbound queue which I deleted. My firewall log shows over 20,000 emails went out with a SunTrust bank announce saying to login and enter your username and password. I do not see the emails coming in like I would in a relay. How can I stop this or how are they doing this? Sounds like some kind of abuse of an onboard http proxy, script, installation of a backdoor, or some other such thing that's letting them queue mail directly from the local host. Clearly it's not a direct SMTP open relay (I checked, trying to send myself mail, didn't work which is good) I'd suggest running a good battery of tests: http://www.abuse.net/relay.html If that doesn't show anything obvious like HTTP proxies, look for a trojan or backdoor on your system. chkrootkit is a good tool to do a first-pass check.
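
The log check suggested in the replies above (reading the MTA log to see how the mail was queued), as an added example that is not part of the original posts: it tallies sendmail `from=` records by origin and flags local submissions made by web-server accounts. The log lines are constructed, and the account list and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the usual sendmail syslog layout. Host names, queue
# IDs and addresses are invented for this example.
SAMPLE_LOG = """\
Sep 24 03:12:01 mail sendmail[2211]: i8O7C1aB002211: from=apache, size=1843, class=0, nrcpts=1, msgid=<200409240712.i8O7C1aB002211@mail.example.com>, relay=apache@localhost
Sep 24 03:12:03 mail sendmail[2212]: i8O7C1aB002211: to=<someone@example.net>, ctladdr=apache (48/48), delay=00:00:02, mailer=esmtp, relay=mx.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent (ok)
Sep 24 03:12:04 mail sendmail[2213]: i8O7C4cD002213: from=apache, size=1851, class=0, nrcpts=25, msgid=<200409240712.i8O7C4cD002213@mail.example.com>, relay=apache@localhost
Sep 24 03:12:06 mail sendmail[2215]: i8O7C6eF002215: from=apache, size=1849, class=0, nrcpts=1, msgid=<200409240712.i8O7C6eF002215@mail.example.com>, relay=apache@localhost
Sep 24 03:14:40 mail sendmail[2290]: i8O7EegH002290: from=<alice@example.org>, size=5120, class=0, nrcpts=1, msgid=<abc123@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.25]
Sep 24 04:02:00 mail sendmail[2400]: i8O820iJ002400: from=root, size=612, class=0, nrcpts=1, msgid=<200409240802.i8O820iJ002400@mail.example.com>, relay=root@localhost
"""

# "from=" records are logged once per accepted message; "to=" records are
# logged per delivery attempt and are ignored here.
FROM_RECORD = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=(?P<sender>[^,]*),"
    r".*\bnrcpts=(?P<nrcpts>\d+),.*\brelay=(?P<relay>.+)$"
)
# A relay that arrived over SMTP carries the peer address in brackets.
ADDR_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Accounts that normally never originate bulk mail (assumed list; adjust to
# the accounts your web server and CGI scripts run as).
SERVICE_ACCOUNTS = {"apache", "httpd", "nobody", "www-data"}


def classify_relay(relay):
    """Return ("smtp", peer_ip) for network arrivals, ("local", user) for
    messages queued on the host itself (relay=user@localhost)."""
    m = ADDR_IN_BRACKETS.search(relay)
    if m:
        return ("smtp", m.group(1))
    return ("local", relay.split("@", 1)[0])


def submissions_by_origin(log_text):
    """Sum recipient counts per origin across all from= records."""
    totals = Counter()
    for line in log_text.splitlines():
        m = FROM_RECORD.search(line.strip())
        if m:
            totals[classify_relay(m.group("relay"))] += int(m.group("nrcpts"))
    return totals


def flag_service_accounts(totals, accounts=SERVICE_ACCOUNTS):
    """Local submitters that are service accounts, busiest first."""
    hits = [(who, n) for (kind, who), n in totals.items()
            if kind == "local" and who in accounts]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    totals = submissions_by_origin(SAMPLE_LOG)
    for origin, n in totals.most_common():
        print(origin, n)
    print("review:", flag_service_accounts(totals))
```

A large recipient total under a local web-server account, with no matching SMTP arrivals, points at a script on the host queuing mail rather than at an open relay.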
reporting errors
I have a number of email addresses that get only spam, so I've set them up as spamtraps. They are simply sendmail aliases that send to | /usr/bin/spamassassin -r. When I manually run the spamassassin -r command, however, I get the following... $cat sample-spam.txt | spamassassin -r Pyzor - report failed: Exited with non-zero exit code 1 SpamCop - message older than 3 days, not reporting 1 message(s) examined. This is causing the alias to generate errors. Any suggestions? Thanks! david
Re: Whitelist_from_rcvd and multiple DNS resolvers causing problems?
Joe Smith wrote:
> I'm using SpamAssassin 3.0 when I use whitelist_from_rcvd with domain names that reverse to only one possible domain it works just as it should. When the domain name is one that has multiple possibilities that it can reverse dns to then it doesn't work unless it happens to pick the domain name listed in my whitelist_rcvd_to entry.

This is a DNS resolver library/client (not sure which) issue more than anything else; although it's also due in part to some admin being slightly less clueful than usual in issuing multiple PTR records for a single IP in the first place.

> For example, if I create an entry for whitelist_from_rcvd [EMAIL PROTECTED] domain1.com but the server hosting domain1.com also hosts domain2.com, anotherdomain.com and anotherdomain.net, I have problems. Say the server that hosted email for the domain I wanted to whitelist had an ip of 123.123.123.1 and I did dig -x 123.123.123.1, it would give me all the various domains that that address is configured for.

dig will, but many other resolvers won't- or at least, they'll just return one random entry in much the same way they would return one IP from a round-robin forward DNS lookup.

> Do I need to specify the IP address of the server using multiple dns entries to get whitelist_from_rcvd to work

You can try, but I don't think this will work.

> or should this not be an issue and I need to look at other reasons why this particular domain is causing problems.

:/ You need to contact the person/organization responsible for rDNS for that IP, and get them to remove the multiple entries- preferably putting in something like hosted-rmx.hostingcompany.com rather than the multiple PTR records you're seeing now. I don't recall if it's formalized in an RFC somewhere, but while any number of domains can point to the same IP, the rDNS for that IP *should* only point to ONE hostname - that hostname should be the FQDN of that physical machine.

In the meantime, you'll have to work around this with custom local rules that manually implement whitelist_from_rcvd functionality based on the IP. Or, just add whitelist_from_rcvd entries for each of the rDNS names you see for this IP.

-kgd
-- Get your mouse off of there! You don't know where that email has been!
Re: Whitelist_from_rcvd and multiple DNS resolvers causing problems?
On Thu, 23 Sep 2004, Joe Smith wrote: *This message was transferred with a trial version of CommuniGate(tm) Pro* I'm using SpamAssassin 3.0 when I use whitelist_from_rcvd with domain names that reverse to only one possible domain it works just as it should. When the domain name is one that has multiple possibilities that it can reverse dns to then it doesn't work unless it happens to pick the domain name listed in my whitelist_rcvd_to entry. For example, if I create an entry for whitelist_from_rcvd [EMAIL PROTECTED] domain1.com but the server hosting domain1.com also hosts domain2.com, anotherdomain.com and anotherdomain.net, I have problems. Say the server that hosted email for the domain I wanted to whitelist had an ip of 123.123.123.1 and I did dig -x 123.123.123.1, it would give me all the various domains that that address is configured for. I think this is what's going on anyway. I looked at the output from spamassassin -D -t problem then I notice that the rdns= is for one of the other domains hosted on the server and not the domain I would like to whitelist. When I examine the same output from a message that is working, the rdns= is the domain name that I specified in the whitelist_from_rcvd entry. Do I need to specify the IP address of the server using multiple dns entries to get whitelist_from_rcvd to work or should this not be an issue and I need to look at other reasons why this particular domain is causing problems. Let me try to understand what you are saying. You are saying that a server has multiple PTR records for a given ip, and that *that* is causing the problem -- So if 1.2.3.4 had PTR records for domainone.com. and domaintwo.com. and domainthree.com., and you had written a filter to whitelist domainone.com's email, but you found it didn't always work? The person running 1.2.3.4 has NO CLUE what they are doing. 1.2.3.4 should RDNS to whatever the hostname value of that machine is. 
This should be the same as the HELO the machine uses when talking out to the outside world. Assigning multiple addresses (A or PTR -- for the sake of this discussion there's no difference) to things makes them into a round-robin type thing. The possible answers will be handed out in cyclic order (at least, the first time they are queried), and then they are cached as long as the TTL value for the record -- which I've seen some caches override. -- Happy, Sad, Happy, Sad, Happy, Sad, Happy, Intruiged! I've never been so in touch with my emotions! -AndrAIa as Hexadecimal, Reboot Episode 3.2.3 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: Speakeasy just implemented SPF records - badly
--On Friday, September 24, 2004 11:33 AM -0400 Steve Prior [EMAIL PROTECTED] wrote: In case anyone else is going to run into this, sometime yesterday speakeasy.net implemented default SPF records for all of their DNS hosting customers. I don't see it for the two domains they host for me. I did a dig for txt records for the root of each domain and don't see any.
Re: Whitelist_from_rcvd and multiple DNS resolvers causing problems?
On Fri, 24 Sep 2004 11:36:27 -0400 (EDT) Dan Mahoney, System Admin [EMAIL PROTECTED] wrote: [snip] The person running 1.2.3.4 has NO CLUE what they are doing. 1.2.3.4 should RDNS to whatever the hostname value of that machine is. This should be the same as the HELO the machine uses when talking out to the outside world. No. HELO is only required to be a FQDN and to resolve to an A record. It does not have to match rDNS nor does it have to match the hostname of the actual server sending out the mail. HELO may be a dotted-quad per the RFCs but only incompetents set their mail systems to do that and that mail is often safely ignored. This is better addressed on SPAM-L. -- Bob Apthorpe
clear_headers does not remove X-Spam-Report
With SA 3.0, using clear_headers in local.cf does not prevent the X-Spam-Report: header from being inserted into spam messages. Is this a bug or a feature? Below is my local.cf.

### +++
required_score 8.0
clear_headers
report_safe 0
use_dcc 0
use_pyzor 0
use_razor2 0
dns_available yes
use_bayes 0
lock_method flock
fold_headers 0
envelope_sender_header Return-Path
use_auto_whitelist 0
### ---

Thanks, -Matt
Re: Spammers using my server
Jay Ehrhart writes:
> The non-deliverable reports are coming from my Linux apache user. Non-deliverables usually come from root. I am running apache on the server with forms. The forms software is the latest version and patches. Can anybody help on this?

Do you have any mail-sending CGI scripts, like formmail.cgi? Older versions of those contain security holes and are heavily abused by spammers.

--j.
Re: SA 3.0 upgrade bug and fix (spamd reporting to log, but not tagging messages)
On Fri, Sep 24, 2004 at 03:04:58AM +0100, Anthony Edwards wrote: I removed all SpamAssassin files earlier this evening and re-installed using cpan. With hindsight, I believe I could have simply done what you have suggested above. I run a SuSE 8.2 system, and persuading manual configuration of startup script changes to co-exist with SuSE's YaST tool created configurations is far from trivial, so I shall be sticking with /usr/bin/spamassassin for the time being. In fact, it's easy, or would be if the script at: http://kmail.kde.org/unsupported/spamd Actually worked properly on SuSE 8.2. Unfortunately, it doesn't seem to, quite. If it did, it would be a simple matter of downloading and copying it to the /etc/init.d directory, changing file permissions, then running YaST and configuring spamd to start in runlevels 3 5 using the Runlevel Editor. -- Anthony Edwards [EMAIL PROTECTED]
spamd dying?
Has anyone else seen a problem w/ spamd dying sometimes (after working for a while)? I have been seeing this in the 3.0 rcs. I'm about to upgrade to 3.0 release, but I'm wondering if anyone else has seen this. Much more detailed information in bug #3667 (bugzilla.spamassassin.org)
Re: spamd dying?
Will Yardley writes:
> Has anyone else seen a problem w/ spamd dying sometimes (after working for a while)? I have been seeing this in the 3.0 rcs. I'm about to upgrade to 3.0 release, but I'm wondering if anyone else has seen this. Much more detailed information in bug #3667 (bugzilla.spamassassin.org)

I'm almost certain it's a fixed bug.

--j.
Looking for Advice - setting up a SA/MD gateway server
We run a bunch of Win32 mail servers on our network. These servers already have spam and virus filtering for local email delivery. However, when a mailbox has its mail forwarded off-net, the mail is not filtered. As such, when a local user forwards their mailbox to AOL, they then read their email in the AOL client, click the SPAM button in the AOL client, and OUR IP address(es) get flagged by AOL.

Getting rid of the Win boxes is not an option. So, I want to force all of my Win mail servers to gateway all of the OUTBOUND email to a SA box that will filter it before it leaves my network. I will need to have the filtering config ignore the IP addresses of all of my internal boxes, and begin scanning at the next hop IP in the mail header. I originally thought about having some way to ONLY scan forwarded mail (as opposed to mail originating on my network), but I think that would not be worth the effort, and I might as well scan everything.

From reading as many FAQ's and sample configs as I could find, it seems like SA with MD would be my best bet. It appears to give me the flexibility I need, without being overly complicated. Initially, the server would not handle inbound mail, but may be expanded to include that as well.

Due to the way that the Win boxes handle forwarding, when a forwarded message is detected as spam and sent back to the Win32 box from SA, I can't really bounce it. I will need to either forward it to a mailbox for my admins to review, or simply delete it.

Does it sound like the Sendmail/SA/MD combo meets the requirements above? If so, is there an FAQ or some other document anyone knows about that gives an example of this config? Would Postfix/SA/amavis-new be a better solution?

TIA, -- Scot
Re: Whitelist_from_rcvd and multiple DNS resolvers causingproblems?
On Fri, 24 Sep 2004 11:36:27 -0400 (EDT) Dan Mahoney, System Admin The person running 1.2.3.4 has NO CLUE what they are doing. 1.2.3.4 should RDNS to whatever the hostname value of that machine is. This should be the same as the HELO the machine uses when talking out to the outside world. Bob Apthorpe replied: No. HELO is only required to be a FQDN and to resolve to an A record. It does not have to match rDNS nor does it have to match the hostname of the actual server sending out the mail. It might not be required or an RFC-ish SHOULD, but any mail server that HELO's as a name other than its FQDN is doing something very odd anyway. Dan's should's are perfectly correct, and most well-behaved mail systems with properly-configured DNS records do exactly that. (Exceptions include the hosting server I administer at work, which occupies most of a /26 except for a few IPs. For some unknown reason, it periodically gets mixed up about which IP is its real IP, and starts initiating TCP/IP connections of all sorts from the highest aliased IP instead. Blech. The machine is otherwise very well-behaved.) -kgd -- Get your mouse off of there! You don't know where that email has been!
RE: Looking for Advice - setting up a SA/MD gateway server
I just started using a postfix/mailscanner/SA setup to filter outbound and inbound mail. Currently scanning about 35k messages per day. I'm a long time windows user / short time linux user, but had no problem getting it set up and running. I'm happy with the results, that's for sure. -Original Message- From: Scot Desort [mailto:[EMAIL PROTECTED] Sent: Friday, September 24, 2004 10:31 AM To: users@spamassassin.apache.org Subject: Looking for Advice - setting up a SA/MD gateway server We run a bunch of Win32 mail servers on our network. These servers already have spam and virus filtering for local email delivery. However, when a mailbox has its mail forwarded off-net, the mail is not filtered. As such, when a local user forwards their mailbox to AOL, they then read their email in the AOL client, click the SPAM button in the AOL client, and OUR IP address(es) get flagged by AOL. Getting rid of the Win boxes is not an option. So, I want to force all of my Win mail servers to gateway all of the OUTBOUND email to a SA box that will filter it before it leaves my network. I will need to have the filtering config ignore the IP addresses of all of my internal boxes, and begin scanning at the next hop IP in the mail header. I originally thought about having some way to ONLY scan forwarded mail (as opposed to mail originating on my network), but I think that would not be worth the effort, and I might as well scan everything. From reading as many FAQs and sample configs as I could find, it seems like SA with MD would be my best bet. It appears to give me the flexibility I need, without being overly complicated. Initially, the server would not handle inbound mail, but may be expanded to include that as well. Due to the way that the Win boxes handle forwarding, when a forwarded message is detected as spam and sent back to the Win32 box from SA, I can't really bounce it. I will need to either forward it to a mailbox for my admins to review, or simply delete it.
Does it sound like the Sendmail/SA/MD combo meets the requirements above? If so, is there an FAQ or some other document anyone knows about that gives an example of this config? Would Postfix/SA/amavis-new be a better solution? TIA, -- Scot
Re: SA 3.0 TRAP
Justin Mason wrote: Yeah -- this is almost definitely something to do with SuSE's packaging of either perl (if it uses the defaults from ExtUtils::MakeMaker) or SpamAssassin itself (if its rpm spec moves the file around as Debian does). Actually, for any real package manager (ie, rpm or dpkg), upgrading a package should remove all old files as a part of the upgrade. CPAN doesn't really keep track of exactly which files have been installed where in the same way that rpm or dpkg does. I'd be curious to know why spamd has apparently moved from /usr/sbin to /usr/bin in the first place; daemons like spamd don't usually belong in /usr/bin. -kgd -- Get your mouse off of there! You don't know where that email has been!
Re: SA 3.0 TRAP
On Friday 24 September 2004 08:52 am, Justin Mason wrote: Bob Apthorpe writes: On Fri, 24 Sep 2004 01:30:19 -0800 John Andersen [EMAIL PROTECTED] wrote: If you are thinking about installing SpamAssassin 3.0 PAY ATTENTION: If you haven't been reading this list carefully you will have missed the fact that spamd has been moved from /usr/sbin/ to /usr/bin . However, the old version remains in /usr/sbin which is often where your scripts expect to find it. (At least in SuSE 8 it is so). [...] WHY is this not in BOLD TYPE in the readme ??? Maybe the issue is OS- and version-dependent and wasn't apparent in testing? Yeah -- this is almost definitely something to do with SuSE's packaging of either perl (if it uses the defaults from ExtUtils::MakeMaker) or SpamAssassin itself (if its rpm spec moves the file around as Debian does). Except that SA on my machines has always only been installed with CPAN... -- _ John Andersen
Re: SA 3.0 TRAP
On Fri, Sep 24, 2004 at 02:37:31PM -0400, Kris Deugau wrote: Justin Mason wrote: Yeah -- this is almost definitely something to do with SuSE's packaging of either perl (if it uses the defaults from ExtUtils::MakeMaker) or SpamAssassin itself (if its rpm spec moves the file around as Debian does). Actually, for any real package manager (ie, rpm or dpkg), upgrading a package should remove all old files as a part of the upgrade. The issue related to SuSE is that previously, one has been able to install the SuSE default .rpm package, and then subsequently upgrade using cpan without removing the old package first since the old binaries and entire contents of /usr/share/spamassassin/ have been overwritten by that process. SuSE are unlike Debian (for instance) in that they don't release (with one or two exceptions) upgraded packages other than to address security vulnerabilities, so to upgrade to a more recent version of any particular application cannot generally be done with a SuSE .rpm. For those that primarily maintain and administer their system using YaST, manual configuration of startup scripts etc is also somewhat difficult so it can be of benefit to rely on SuSE's copy of /etc/init.d/spamd - for example, the one recommended in spamd's README.SuSE file doesn't actually work, on SuSE 8.2 at least. So, installing the default SuSE .rpm that came with one's version and then subsequently upgrading one's SpamAssassin using cpan has benefits there too. -- Anthony Edwards [EMAIL PROTECTED]
Problem with Bayes and AutoLearning
I am having a problem with 2.63 not using bayes. (NB: setup is using individual data and triggering using .4ward, procmail and postfix with no individual .sa and .procmail files) I have trained each of three accounts with over 1000 ham and some 48K spam messages. SA is working and tagging spam based on all tests other than bayes. I make changes to the global SA conf and those changes are acted upon so I know that spamd is seeing my global conf (below). Also below is a sample header w/ report. Needless to say, the auto learn feature is not working as well. That is how I knew something was going on. The machine is a standard Mandrake 10 setup with regards to SA. Thanks in advance, Tom

My Conf:

auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0666
use_bayes 1
bayes_path ~/.spammer
bayes_file_mode 0700
bayes_use_hapaxes 1
bayes_expiry_max_db_size 150
#bayes_learn_to_journal 1
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 6
rewrite_subject 0
report_safe 0
skip_rbl_checks 1
# How many hits before a message is considered spam.
required_hits 3.0
## Optional Score Increases
#score BAYES_99 4.300
#score BAYES_90 3.500
#score BAYES_80 3.000

Sample Header:

Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from g66dc.g.pppool.de (g66dc.g.pppool.de [80.185.102.220])
    by smtp.terranovum.com (Postfix) with SMTP id 708503E6F9B
    for [EMAIL PROTECTED]; Fri, 24 Sep 2004 13:54:40 -0400 (EDT)
Original-Encoded-Information-Types: multipart/alternative
Language: English
Disclose-Recipients: No
Reply-To: Lillian Fitzpatrick [EMAIL PROTECTED]
From: Lillian Fitzpatrick [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: no more red light tickets!
Date: Fri, 24 Sep 2004 14:40:57 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=--58012207185158267337
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on nova.terranovum.com
X-Spam-Level: ***
X-Spam-Status: Yes, hits=7.3 required=3.0 tests=CLICK_BELOW,FORGED_YAHOO_RCVD,
    HTML_50_60,HTML_FONTCOLOR_RED,HTML_FONT_INVISIBLE,HTML_IMAGE_ONLY_04,
    HTML_LINK_CLICK_HERE,HTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,
    MSGID_FROM_MTA_SHORT autolearn=no version=2.63
X-Spam-Report:
    * 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says click here
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * 0.4 HTML_FONT_INVISIBLE BODY: HTML font color is same as background
    * 0.2 HTML_50_60 BODY: Message is 50% to 60% HTML
    * 0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
    * 1.5 HTML_IMAGE_ONLY_04 BODY: HTML: images with 200-400 bytes of words
    * 3.3 MSGID_FROM_MTA_SHORT Message-Id was added by a relay
    * 0.5 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers
    * 0.0 CLICK_BELOW Asks you to click below
    * 1.1 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
Re: Problem with Bayes and AutoLearning
I do not believe that is an issue. It only puts the bayes databases at ~/.spammer_toks and ~/.spammer_seen. sa-learn has not had a problem loading the databases. They have grown every time I have used it. I can't see why spamd would have a problem with it. Tom Matt Kettler wrote: At 03:40 PM 9/24/2004, Thomas Bolioli wrote: bayes_path ~/.spammer This statement is invalid if a directory named .spammer exists in the user's home.. Please read the docs on bayes_path VERY carefully. Despite being named path it's really path, plus filename prefix. Thus bayes_path should be something like ~/.spammer/bayes However, why over-ride it at all? it defaults to ~/.spamassassin/bayes
Re: auto learn in 3.0
On Friday 24 September 2004 03:52 am, Alex S Moore wrote: Since upgrading to 3.0, which is the greatest BTW, I have not had any spam auto-learned. The keywords are correct and running spamassassin with --lint reveals all is ok. Is anyone else seeing this? Alex It seems to be working here Alex: -Spam-Status: Yes, score=51.1 required=3.9 tests=BAYES_99,DNS_FROM_RFC_POST, FORGED_HOTMAIL_RCVD2,FORGED_IMS_HTML,FORGED_IMS_TAGS,FORGED_MUA_IMS, HTML_30_40,HTML_FONT_BIG,HTML_FONT_INVISIBLE,HTML_LINK_PUSH_HERE, HTML_MESSAGE,LONGWORDS,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS, PT_WORDLIST_10,PT_WORDLIST_13,PT_WORDLIST_30,RCVD_BY_IP, RCVD_DOUBLE_IP_SPAM,SAVE_THOUSANDS,URIBL_AB_SURBL,URIBL_SBL, URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam version=3.0.0 ... Are you sure it was started with autolearn support turned on? (I think it is the default)... -- _ John Andersen
Re: Problem with Bayes and AutoLearning
At 04:10 PM 9/24/2004, Thomas Bolioli wrote: I do not believe that is an issue. It only puts the bayes databases at ~/.spammer_toks and ~/.spammer_seen. sa-learn has not had a problem loading the databases. They have grown every time I have used it. I can't see why spamd would have a problem with it. Fair enough. Like I said, it's a syntax error if a directory named ~/.spammer/ exists. However, if it doesn't exist, it's fine. Are you sure spamc is being invoked as the proper user, and not as root? spamd will fall back to nobody if it finds itself still running as root after setuiding to the client user. You could try copying a set of files into the path of nobody's home-dir and see if bayes starts running.
Re: Spammers using my server
As another good step, just SA scan ALL incoming and outgoing mail. Run a vulnerability scan against your server, nessus or sara against your machine to find what is being exploited. -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana
Re: Problem with Bayes and AutoLearning
I changed the path just in case. It was that way as a mistake anyhow. Here is the output of lint. (it is exactly the same as with the other paths so I am sure that is not the issue.) Note that it works there. Although not when run through procmail. I think your idea about users is on to something. My .forward file is |IFS=' ' exec /usr/bin/procmail || exit 75 #webmaster Quotes and all. Is that correct? Tom

[EMAIL PROTECTED] webmaster]$ spamassassin -D --lint
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/sbin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', which doesn't exist, dropping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/local/sbin', keeping.
debug: Final PATH set to: /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
debug: ignore: using a test message to lint rules
debug: using /usr/share/spamassassin for default rules dir
debug: using /etc/mail/spamassassin for site rules dir
debug: using /home/webmaster/.spamassassin for user state dir
debug: using /home/webmaster/.spamassassin/user_prefs for user prefs file
debug: bayes: 28490 tie-ing to DB file R/O /home/webmaster/.spamassassin/bayes_toks
debug: bayes: 28490 tie-ing to DB file R/O /home/webmaster/.spamassassin/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.
debug: Initialising learner
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=2.077
debug: bayes corpus size: nspam = 47336, nham = 1028
debug: uri tests: Done uriRE
debug: tokenize: header tokens for *F = U*ignore D*compiling.spamassassin.taint.org D*spamassassin.taint.org D*taint.org D*org
debug: tokenize: header tokens for *m = 1096056335 lint_rules
debug: bayes token 'TextCat' = 0.0489090909090909
debug: bayes token 'somewhat' = 0.095669124722507
debug: bayes token 'H*F:D*org' = 0.122005426957751
debug: bayes: score = 0.0118746978798883
debug: bayes: 28490 untie-ing
debug: bayes: 28490 untie-ing db_toks
debug: bayes: 28490 untie-ing db_seen
debug: Razor2 is not available
debug: running raw-body-text per-line regexp tests; score so far=2.077
debug: running uri tests; score so far=2.077
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=2.077
debug: Razor2 is not available
debug: Current PATH is: /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin
debug: Pyzor is not available: pyzor not found
debug: DCCifd is not available: no r/w dccifd socket found.
debug: DCC is not available: no executable dccproc found.
debug: all '*From' addrs: [EMAIL PROTECTED]
debug: all '*To' addrs:
debug: is Net::DNS::Resolver available? no
debug: is DNS available? 0
debug: running meta tests; score so far=2.077
debug: is spam? score=0.553 required=3 tests=BAYES_01,DATE_MISSING,NO_REAL_NAME

Matt Kettler wrote: At 04:10 PM 9/24/2004, Thomas Bolioli wrote: I do not believe that is an issue. It only puts the bayes databases at ~/.spammer_toks and ~/.spammer_seen. sa-learn has not had a problem loading the databases. They have grown every time I have used it. I can't see why spamd would have a problem with it. Fair enough. Like I said, it's a syntax error if a directory named ~/.spammer/ exists. However, if it doesn't exist, it's fine.
Are you sure spamc is being invoked as the proper user, and not as root? spamd will fall back to nobody if it finds itself still running as root after setuiding to the client user. You could try copying a set of files into the path of nobody's home-dir and see if bayes starts running.
Re: auto learn in 3.0
On Fri, 2004-09-24 at 15:17, John Andersen wrote: It seems to be working here Alex: ... Are you sure it was started with autolearn support turned on? (I think it is the default)... Yes, it is turned on. Normally, learning from my spam box learns about 10% of the mail, i.e., until I installed 3.0. The rest are already learned. But now, they are all learned. I will dig some more. I use mimedefang and the last time that I looked, the autolearn status was not available, but it did work. Thanks, Alex
Re: pine folder internal data and sa-learn
From: Gregory Zornetzer [EMAIL PROTECTED] Hi all, I recently installed spamcop 3.0.0 onto my unix account on an SGI IRIX 6.5 box. I'm using perl 5.8.5, and I generally read my email with pine, though sometimes I'll remotely view it using Evolution through the machine's IMAP server. The following is a portion of my .procmailrc file that is used for spamassassin filtering of my email:

:0fw: spamassassin.lock
* 8
| spamassassin

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
mail/spam-definitely

:0:
* ^X-Spam-Status: Yes
mail/spam-probably

I have noticed that the mail that gets into the spam-probably folder generally doesn't get autolearned by spamassassin. Also, I've noticed one message that snuck through the spam filter (it only got a score of 3, and I haven't gotten enough spams trained in the Bayesian filter to activate it.) I would like to train the Bayesian filter with these messages, so using pine, I put them in a mail folder called spam, and I run sa-learn on it as follows: sa-learn --spam --mbox --showdots mail/spam Generally, I notice that sa-learn processes exactly one more message than I thought was in the folder. When I take a look in the folder with a text editor, I see that there's a fake message that reads as follows: - From MAILER-DAEMON Tue Dec 9 23:05:26 2003 Date: Tue, 9 Dec 2003 23:05:26 -0600 From: Mail System Internal Data [EMAIL PROTECTED]

Gregory, I have a cure for that. It's ugly and involved a few dozen lines of C code. I use the C code to find the second ^From in the file. I save everything after that including the From to ./training/spam_train for training. I save everything before that to its original file. I arranged to do this with safe saves so data loss won't happen. Once I have cleaned out the spam mailbox I run sa-learn on the spam_train mailbox. Finally I append all the spam_train messages to oldspam, delete spam_train, and touch spam_train so it's present for the next round.
I use the same generic code for learning ham as well as spam. I just change the input parameters around a little. It's all part of a script satrain that I run as a cron job once a day. For one or two people this is quite satisfactory. For large numbers of users an alternative approach might be called for. I can send you the source for the imapstrip utility I built for doing this. (Imap and Ipop3 have the same header file these days.) {^_^}
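The split described in the reply above (leave the "Mail System Internal Data" pseudo-message in the folder, move everything from the second "From " line onward to a training mbox, and use safe saves) can be sketched as follows. This is an added example, not the poster's imapstrip utility; the function names, the sample folder and the lack of locking are assumptions of this sketch.

```python
import os
import re
import tempfile

# mbox separator: an envelope line starting with "From " (headers use "From:").
FROM_LINE = re.compile(rb"^From ", re.MULTILINE)
# Header of the folder pseudo-message, as quoted in the post above.
INTERNAL = re.compile(rb"^From: Mail System Internal Data\b", re.MULTILINE)

# Constructed sample folder: the pseudo-message followed by two spam messages.
SAMPLE = (
    b"From MAILER-DAEMON Tue Dec  9 23:05:26 2003\n"
    b"Date: Tue, 9 Dec 2003 23:05:26 -0600\n"
    b"From: Mail System Internal Data <MAILER-DAEMON@example.invalid>\n"
    b"\n"
    b"Folder bookkeeping text, not a real message.\n"
    b"\n"
    b"From a@example.invalid Fri Sep 24 13:54:40 2004\n"
    b"Subject: constructed spam 1\n\nbody one\n\n"
    b"From b@example.invalid Fri Sep 24 14:02:11 2004\n"
    b"Subject: constructed spam 2\n\nbody two\n"
)


def split_folder(data):
    """Return (keep, train): bytes that stay in the folder, bytes to learn from."""
    starts = [m.start() for m in FROM_LINE.finditer(data)]
    if not starts:
        return data, b""
    second = starts[1] if len(starts) > 1 else len(data)
    headers = data[starts[0]:second].split(b"\n\n", 1)[0]
    if INTERNAL.search(headers):
        return data[:second], data[second:]
    # No pseudo-message in front: every message is real mail.
    return data[:starts[0]], data[starts[0]:]


def atomic_write(path, data):
    """Write to a temp file in the same directory, then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def harvest(folder, train_path):
    """Move real messages from folder to train_path; return how many moved.
    Assumes no mail client or delivery agent has the folder open (no locking)."""
    with open(folder, "rb") as fh:
        keep, train = split_folder(fh.read())
    if not train:
        return 0
    old = b""
    if os.path.exists(train_path):
        with open(train_path, "rb") as fh:
            old = fh.read()
    atomic_write(train_path, old + train)   # training copy is safe first
    atomic_write(folder, keep)              # only then shrink the folder
    return len(FROM_LINE.findall(train))
```

The training file written by harvest() is what the sa-learn --spam --mbox command from the original question would then be pointed at.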