Re: Spamassasin 3.x & amavisd-new

[Mark Martinec]

> I know (I read changelog now) ... sorry.
> But I have problem with this combination (SA3 + amavisd-new-20030616-p10):
> Oct  5 15:33:11 x amavis[25039]: (24614-01) ESMTP: 500 5.5.2 
> Error: bad syntax; PENALIZE:  ...
> FIY: After "PENALIZE:" is only one line from email source.

Something in SA is playing jokes in STDIN, which amavisd-new uses
for SMTP session with MTA. Most likely culprits are Pyzor and DCC.
There is a problem in SA 3.0.0 with forking external programs.
Try disabling Pyzor and dccproc, or apply a patch to SA.

See:
  http://bugzilla.spamassassin.org/show_bug.cgi?id=3649
  http://marc.theaimsgroup.com/?l=amavis-user&m=109652516300702
  http://marc.theaimsgroup.com/?l=amavis-user&m=109599984403308

Mark

Weird problem - not fixed

[Rick Macdougall]

Hi,
Well, what I thought was fixed with the /root problem with a -u Spamd 
user in spamd has not gone away, spamd is still trying to create 
everything with root privileges.  Do the devs have any ideas for me ?

Regards,
Rick

AWL questions (faq?)

[MATSUDA Yoh-ichi]

Hello, spamassassinners.

I have some question about AWL, perhaps they're classified in novis class.
If my questions are FAQ, simply give me only pointer to the documents,
please.

(1) How to monitor AWL registered listings?
In my spambox, there are many various scored mail address.
I want to monitor registered email address and scoring.
I couldn't find method for monitoring or dumping list.

(2) SA option switch:

-W, --add-to-whitelist
--add-to-blacklist
-R, --remove-from-whitelist

are registering/removing "ALL" email address from full mail message?

Ex. A spammer send me a spam including "To: [EMAIL PROTECTED]".
If I execute:

$ spamassassin --add-to-blacklist spam.txt

Then, my mail address in "To:" field also add to blacklist?

If so, complete manipulating is below? (from manpage)

--add-addr-to-whitelist=addr  Add addr to whitelist (AWL)
--add-addr-to-blacklist=addr  Add addr to blacklist (AWL)
--remove-addr-from-whitelist=addr Remove addr from whitelist (AWL)
--
Nothing but a peace sign.
Yoh-ichi MATSUDA(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/index.htm

$ grep -h " AWL " ~/spam/spam/*
 9.8 AWLAWL: From: address is in the auto white-list
 8.9 AWLAWL: From: address is in the auto white-list
 1.5 AWLAWL: From: address is in the auto white-list
 3.4 AWLAWL: From: address is in the auto white-list
 2.0 AWLAWL: From: address is in the auto white-list
-7.8 AWLAWL: From: address is in the auto white-list
-0.1 AWLAWL: From: address is in the auto white-list
 6.8 AWLAWL: From: address is in the auto white-list
 0.4 AWLAWL: From: address is in the auto white-list
 0.8 AWLAWL: From: address is in the auto white-list
-2.8 AWLAWL: From: address is in the auto white-list
-5.2 AWLAWL: From: address is in the auto white-list
 0.8 AWLAWL: From: address is in the auto white-list
 4.7 AWLAWL: From: address is in the auto white-list
 1.2 AWLAWL: From: address is in the auto white-list
 2.9 AWLAWL: From: address is in the auto white-list
  42 AWLAWL: From: address is in the auto white-list
  20 AWLAWL: From: address is in the auto white-list

Strange Problem - Fixed

[Rick Macdougall]

Hi,
Regarding my strange problem of spamd writing to /root/.spamassassin 
instead of /home/Spamd/.spamassassin, it seems that the -u parameter to 
spamd can NOT follow a -i parameter.  If it does, spamd runs as root 
instead of the user specified with the -u parameter.

Just FYI.
Regards,
Rick

Re: problem with spamassassin 3.0 / amavisd-new on Debian

[Iain Pople]

Replying to myself for the sake of others with this problem. Please seem 
post here:

http://marc.theaimsgroup.com/?l=amavis-user&m=109604895419150&w=2
Iain Pople wrote:
Hi,
I am using amavisd-new version 20030616p10 and Spam Assassin 3.0 debian
packages from backports.org. The MTA is postfix 2.1.1
I get the following error messages if I enable spam filtering:
Oct 12 11:53:06 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: \tby
aladdin.webcentre.unimelb.edu.au (Postfix) with ESMTP id 08BD123D6F\n
Oct 12 11:53:11 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: \tfor <[EMAIL PROTECTED]>; Tue, 12
Oct 2004 11:52:28 +1000 (EST)\n
Oct 12 11:53:16 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: Received: from
aladdin.webcentre.unimelb.edu.au ([127.0.0.1])\n
Oct 12 11:53:21 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: \tby localhost (aladdin
[127.0.0.1]) (amavisd-new, port 10024)\n
Oct 12 11:53:26 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: \twith ESMTP id 32293-07 for
<[EMAIL PROTECTED]>;\n
This goes on for every line (including headers) of the email.
I have seen a similar report here:
http://lists.backports.org/pipermail/backports/2004-October/001121.html
but no resolution to date.
Does anyone have any idea what could be causing this?
thanks, Iain.

Re: feeding frenzy for ws.surbl.org!!!

[jdow]

From: "martin f krafft" <[EMAIL PROTECTED]>

You are not being sensible, sir. It's time for me to stick you into
my procmail file gone forever.

{+_+}

Re: feeding frenzy for ws.surbl.org!!!

[jdow]

From: "martin f krafft" <[EMAIL PROTECTED]>

>also sprach jdow <[EMAIL PROTECTED]> [2004.10.12.1158 +0200]:
>> Feed us spam, please. Avoid the middle man. It makes our response
>> quicker.
>
> Should I set up an autoreply to all my spam from the address of the
> list, or simply forward all my spam?

For that you'd get banned from the list. But posting new examples of
spam that escape the filters is worthwhile. Back when we were not stuck
with the Apache.org sysadmins I noticed that the SARE rules got updated
far more frequently and quickly in the face of new threats. In those
days the new types of spam that escaped tests were forwarded to the
list and new rules were developed almost instantly.

Now that getting messages to the SARE people violates the 20-20 rule
the updates are seriously lagging. (The 20-20 rule states that if
something is more than 20' or 20 seconds out of the way people will
tend to avoid it. It's an effective way to hide in a corporate
environment, for example.) Posting a message to your web site and
composing a message about it is beyond 20 seconds out of the way
for the poster and more than 20 seconds out of the way for the SARE
people. So updates come less frequently.

{^_^}

Strange problem

[Rick Macdougall]

Hi,
I'm running spamd on it's own server with the following command line 
(under daemontools)

exec /usr/local/bin/spamd -q -x -m 10 --max-conn-per-child=20 -i 
206.123.6.18 -A 206.123.6.19,206.123.6.18,216.162.64.120 -u Spamd 2>&1

@4000416c5cba146a3c04 Cannot open bayes databases 
/root/.spamassassin/bayes_* R/W: lock failed: Interrupted system call
@4000416c5cba2056406c Cannot open bayes databases 
/root/.spamassassin/bayes_* R/W: lock failed: Interrupted system call
@4000416c5cba26e4b01c Cannot open bayes databases 
/root/.spamassassin/bayes_* R/W: lock failed: Interrupted system call
@4000416c5cbc01f04cbc Cannot open bayes databases 
/root/.spamassassin/bayes_* R/W: lock failed: Interrupted system call

My question is, why is it writing anything to /root/.spamassassin when 
it is supposed to be writing the the home of Spamd (which it is for the 
most part).

There are no cron jobs or other things that are running as root that 
might cause this.

Regards,
Rick

Re: What Missing Subject?

[Matt Kettler]

At 05:37 PM 10/12/2004, Brett Romero wrote:
What is this test:
  MISSING_SUBJECT 1.40 Missing Subject: header
The above test is for this header:
Todd's comments about RM being a marketing company noted, but also RM's 
relatively clean reputation on NANAE, and claimed strong antispam policies, 
I'll answer anyway. (http://www.realmagnet.com/antiSpam.html)

I'd try running the message through spamassassin -D. Odds are pretty good 
that although there appears to be a "Subject" header, there's some broken 
insertion of linefeeds elsewhere in the headers which is making SA think 
that it's part of the body text. (There should be no blank lines in the 
headers. Make sure to check for one before the first header as well...)

Either that or the linefeed format on the header preceding the subject is 
wrong (ie: bare CR or bare LF instead of CR LF) or missing.

Many mail clients are "understanding" of these errors due to lax parsing 
and wind up finding the subject line anyway. SA's parsing is lax in some 
respects, but not everywhere.

RE: JS and EXE test isn't working?

[Matthew.van.Eerde]

Fred wrote:
> Another strange one is that I got ALL_TRUSTED and there were no received
> headers to go on.. Is this to be expected?

Yup.  ALL_TRUSTED means NO_NONTRUSTED - there are certainly no untrusted 
Received headers.
Also, zero is even, and the empty string is a palindrome.

Generically, all statements of the form
ALL (x) ARE (y)
are true if there are no (x).

All living dinosaurs are Elvis fans.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

Re: JS and EXE test isn't working?

[Fred]

Brett Romero wrote:
> I sent the following message through SA 3.0 on Windows.
>
> 
> The following were returned:
>   UPPERCASE_25_50 0.10 message body is 25-50% uppercase
>   MISSING_SUBJECT 1.40 Missing Subject: header
>   ALL_TRUSTED -2.80 Did not pass through any untrusted hosts
>   MISSING_DATE 0.00 Missing Date: header
>

This is strange, I received the following after testing your sample:


 pts rule name  description
 -- 
--
 0.0 MISSING_DATE   Missing Date: header
-1.4 ALL_TRUSTEDDid not pass through any untrusted hosts
 1.6 MISSING_SUBJECTMissing Subject: header


I didn't fire UPPERCASE_25_50, are you sure you sent us the exact same
message as you used to test with?   It's important to do this!

Another strange one is that I got ALL_TRUSTED and there were no received
headers to go on.. Is this to be expected?

Re: What Missing Subject?

[Todd Schuldt]

You really think someone is going to answer that question for you at 
realmagnet.com?

MagnetMail E-mail Marketing Solutions
MagnetMail is a powerful e-marketing tool for creating measurable and 
coordinated e-mail, fax, and direct mail campaigns.

It has these key advantages:
* Ease of use. No special HTML or database skills are needed. 
MagnetMail is made for marketers.

On Tue, 12 Oct 2004 17:37:41 -0400
 "Brett Romero" <[EMAIL PROTECTED]> wrote:
What is this test:
 MISSING_SUBJECT 1.40 Missing Subject: header
The above test is for this header:
Reply-To: "Brett" <[EMAIL PROTECTED]>
From: "Brett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: testing JS 2
Date: Tue, 12 Oct 2004 16:00:19 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_008A_01C4B074.9252A080"
The above does have a subject entry in the header.  What exactly is 
SA flagging here?  +1.4 is a big score.

Thanks,
Brett 

What Missing Subject?

[Brett Romero]

What is this test:
 MISSING_SUBJECT 1.40 Missing Subject: header
The above test is for this header:
Reply-To: "Brett" <[EMAIL PROTECTED]>
From: "Brett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: testing JS 2
Date: Tue, 12 Oct 2004 16:00:19 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_NextPart_000_008A_01C4B074.9252A080"
The above does have a subject entry in the header.  What exactly is SA 
flagging here?  +1.4 is a big score.

Thanks,
Brett 

Re: JS and EXE test isn't working?

[Matt Kettler]

At 04:22 PM 10/12/2004, Brett Romero wrote:
I sent the following message through SA 3.0 on Windows.

testing

The following were returned:
  UPPERCASE_25_50 0.10 message body is 25-50% uppercase
  MISSING_SUBJECT 1.40 Missing Subject: header
  ALL_TRUSTED -2.80 Did not pass through any untrusted hosts
  MISSING_DATE 0.00 Missing Date: header
Where is the JS/EXE test?
What, may I ask, is the JS/EXE test supposed to be that you feel it's 
missing?
Looks like your message was a pretty ordinary mangled HTML message, but 
nothing spam-like.



Also, what is UPPERCASE_25_50?
Just what it said, 25-50% of the characters in the message body were 
upper-case letters, as opposed to spaces, numbers, punctuation, lower-case 
letters, or other things which aren't in [A-Z].

From my count there are 73 characters in there, 28 of which are capital 
letters, making it 38% caps. Ordinarily the doctype tag would be stripped 
with the HTML, but not in a text/plain message.


Any suggestions?
Thanks,
Brett

Sending all spam to one email box.

[Joe Jenkins]

I am trying to make Spam Assassin 3.0 redirect all tagged spam emails to one
file in /var/spool/SPAM instead of ever having it show up in the individual
users email boxes.  I've got spamassassin working now (thanks, theo and matt)
and it seems to be running through procmail, but it doesnt seem to redirect the
mails where i want them, it still seems to send them to the user the spam was
originally targeted for.  Anyone using Spam Assassin in this way?  The less the
end users have to deal with it, the better...

Joe Jenkins

/etc/procmailrc:


DROPPRIVS=yes
VERBOSE=on
LOGABSTRACT=yes
LOGFILE=/var/log/procmail.log
COMSAT=no

# Pipe the mail through spamassassin (replace 'spamassassin' with 'spamc'
# if you use the spamc/spamd combination)
#
# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn't bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
#
# The lock file ensures that only 1 spamassassin invocation happens
# at 1 time, to keep the load down.
#
:0fw: /tmp/spamassassin.lock
* < 256000
| spamc

SPAMDIR=/var/spool/SPAM
:0:
* ^X-Spam-Flag: YES
$SPAMDIR/STOPPEDSPAM

:0:
* ^X-Spam-Level: \*\*\*\*\*
$SPAMDIR/STOPPEDSPAM

:0:
* ^X-Spam-Flag: Yes
$SPAMDIR/STOPPEDSPAM

RE: JS and EXE test isn't working?

[Matthew.van.Eerde]

Brett Romero wrote:
>> Where is the JS/EXE test?
> 
> The MICROSOFT_EXECUTABLE test was removed in 3.0, it seems.
> I guess they
> want to thicken the line between antivirus, and antispam. *shrug*
> Fine with me.

That leaves open the question of a "JS" test - are/were there any tests that 
penalized 

RE: JS and EXE test isn't working?

[Nate Schindler]

yup. ;)
wonder if anybody's filed a bug about that - maybe standard html tags should be 
ignored in the uppercase tests.

-Original Message-
From: Brett Romero [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 1:44 PM
To: Nate Schindler
Cc: users@spamassassin.apache.org
Subject: Re: JS and EXE test isn't working?



- Original Message - 
From: "Nate Schindler" <[EMAIL PROTECTED]>
To: "Brett Romero" <[EMAIL PROTECTED]>
Cc: 
Sent: Tuesday, October 12, 2004 4:37 PM
Subject: RE: JS and EXE test isn't working?




> -Original Message-
> From: Brett Romero [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 1:23 PM
> To: [EMAIL PROTECTED]
> Subject: JS and EXE test isn't working?
>
> Where is the JS/EXE test?

The MICROSOFT_EXECUTABLE test was removed in 3.0, it seems.  I guess they 
want to thicken the line between antivirus, and antispam.  *shrug* Fine with 
me.

>
> Also, what is UPPERCASE_25_50?
>

You, uh... just pasted the answer yourself ;) - "UPPERCASE_25_50 0.10 
message body is 25-50% uppercase"
I don't think that can be any more clear, except to paraphrase that the 
message was 25%-50% "screaming" e.g. "IT'S A BRAND NEW CAR!!!"

Nate


The only visiable text to the user is "testing", which is lower case.  Are 
you saying I'm being penalized because the HTML tags are in upper case?

Thanks,
Brett 

Re: JS and EXE test isn't working?

[Brett Romero]

- Original Message - 
From: "Nate Schindler" <[EMAIL PROTECTED]>
To: "Brett Romero" <[EMAIL PROTECTED]>
Cc: 
Sent: Tuesday, October 12, 2004 4:37 PM
Subject: RE: JS and EXE test isn't working?



-Original Message-
From: Brett Romero [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 1:23 PM
To: [EMAIL PROTECTED]
Subject: JS and EXE test isn't working?
Where is the JS/EXE test?
The MICROSOFT_EXECUTABLE test was removed in 3.0, it seems.  I guess they 
want to thicken the line between antivirus, and antispam.  *shrug* Fine with 
me.

Also, what is UPPERCASE_25_50?
You, uh... just pasted the answer yourself ;) - "UPPERCASE_25_50 0.10 
message body is 25-50% uppercase"
I don't think that can be any more clear, except to paraphrase that the 
message was 25%-50% "screaming" e.g. "IT'S A BRAND NEW CAR!!!"

Nate
The only visiable text to the user is "testing", which is lower case.  Are 
you saying I'm being penalized because the HTML tags are in upper case?

Thanks,
Brett 

RE: JS and EXE test isn't working?

[Nate Schindler]

> -Original Message-
> From: Brett Romero [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 1:23 PM
> To: [EMAIL PROTECTED]
> Subject: JS and EXE test isn't working?
>
> Where is the JS/EXE test?

The MICROSOFT_EXECUTABLE test was removed in 3.0, it seems.  I guess they want 
to thicken the line between antivirus, and antispam.  *shrug* Fine with me.

> 
> Also, what is UPPERCASE_25_50?  
> 

You, uh... just pasted the answer yourself ;) - "UPPERCASE_25_50 0.10 message 
body is 25-50% uppercase"
I don't think that can be any more clear, except to paraphrase that the message 
was 25%-50% "screaming" e.g. "IT'S A BRAND NEW CAR!!!"

Nate

RE: *SPAM* feeding frenzy for ws.surbl.org!!!

[Chris Santerre]

>-Original Message-
>From: Jonathan Nichols [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 11, 2004 3:23 PM
>To: Keith Hackworth
>Cc: users@spamassassin.apache.org
>Subject: Re: *SPAM* feeding frenzy for ws.surbl.org!!!
>
>
>Keith Hackworth wrote:
>
>> I just got a gold-mine for surbl canidates "wanna-bes" in a 
>single spam
>> message.  There's WAY too many domains listed below to add to SURBL
>> through the web pages.  Is there a "bulk add" option to add to the
>> ws.surbl.org database?  I need to add these 59 domains to 
>the SURBL list:
>
>Uh, you know that most of those seem to be perfectly 
>legitimate domains 
>that have actual products/content?
>
>www.powerquality.com is one of them, it's a magazine for electricians.
>www.tanyabaker.com is a real estate agent in Arizona (I called 
>her, she 
>exists)

LOL, oh please let me know how that conversation went!

"Uh...yeah..hello. Is this Tanya? You actually exhist? Ok, thanks. *click*"

I bet she slept well that night!

>
>I'm starting to wonder if spammers are now trying to pollute 
>SURBL with 
>valid domains.
>

Oh yeah...they been doing that for a while. Not that bad. Its the people
reporting the obvious ones that drive us batty! ;) With exception of Keith.
We let him slide. You know after that head injury and everything. :-P

--Chris

JS and EXE test isn't working?

[Brett Romero]

I sent the following message through SA 3.0 on Windows.









alert(test this);

testing
 
 
The following were returned:
 UPPERCASE_25_50 0.10 message body is 25-50% uppercase 
 MISSING_SUBJECT 1.40 Missing Subject: header 
 ALL_TRUSTED -2.80 Did not pass through any untrusted hosts 
 MISSING_DATE 0.00 Missing Date: header 

Where is the JS/EXE test?
Also, what is UPPERCASE_25_50?  

Any suggestions?
Thanks,
Brett

Second plea for help - building RPM on AMD64

[Thomas Cameron]

All -

Using the spamassassin.spec file that is included in the Mail-
SpamAssassin-3.0.0.tar.bz2 file, I run 

rpmbuild -ba spamassassin.spec

It runs along fine for a while, then it ends with:



+ /usr/bin/make spamc/libspamc.so
/usr/bin/make -f spamc/Makefile spamc/libspamc.so
make[1]: Entering directory `/usr/src/redhat/BUILD/Mail-
SpamAssassin-3.0.0'
gcc -rdynamic -Wl,-rpath,/usr/lib64/perl5/5.8.3/x86_64-linux-thread-
multi/CORE spamc/libspamc.c spamc/utils.c \
-o spamc/libspamc.so -shared -ldl 
/usr/bin/ld: /tmp/ccuUCmK7.o: relocation R_X86_64_32S can not be used
when making a shared object; recompile with -fPIC
/tmp/ccuUCmK7.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[1]: *** [spamc/libspamc.so] Error 1
make[1]: Leaving directory `/usr/src/redhat/BUILD/Mail-
SpamAssassin-3.0.0'
make: *** [spamc/libspamc.so] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.27157 (%build)


RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.27157 (%build)


I am not a developer so I am not sure what to do next.  I *think* that I
need to pass -fPIC to gcc, and I *think* I can do that by modifying the
following line in the spec file:

CFLAGS="$RPM_OPT_FLAGS"; export CFLAGS

so that it reads

CFLAGS=" -O2 -g -fPIC"; export CFLAGS

Can anyone give me a clue if I'm heading in the right direction?

-- 
A: Because people read from top to bottom.
Q: Why is top-posting bad?

Thomas Cameron, RHCE, CNE, MCSE, MCT

RE: Antidrug.cf

[Chris Santerre]

It is my goal to act like a twelve year old until I'm ashes. :)

So nanny nanny boo booo.whatever you say bounces


;)

--Chris 

>-Original Message-
>From: snowjack [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 11, 2004 3:57 PM
>To: jdow; users@spamassassin.apache.org
>Subject: Re: Antidrug.cf
>
>
>How completely rude. What are you, twelve years old?
>
>jdow wrote:
>> It seems anabolic steroids are flat out missed by 
>antidrug.cf. Of course,
>> I observe the idiot Apache spam trap on the spamassassin 
>list does catch
>> the message sample when I attach it. Somebody needs to apply 
>a clue bat
>> to the Apache mail manager to get "it" to have this and the dev lists
>> bypass his antispam bazoola. What's the mail manager got, 
>spit for brains?
>> 
>> {^_^}
>> 
>

RE: Quick setup question

[Chris Santerre]

A computer, internet access, and an email account. 

--Chris (You said quick!)

>-Original Message-
>From: Robert Bartlett [mailto:[EMAIL PROTECTED]
>Sent: Monday, October 11, 2004 10:39 PM
>To: users@spamassassin.apache.org
>Subject: Quick setup question
>
>
>Just real quick if you started from scratch what would you 
>recommend as a
>good setup for SA?
>
>Thanks
>Robert
>

RE: logs/stats

[Chris Santerre]

I use a quick grep to pull up stats for problem users. I think Dallas's
script could be changed around pretty easy to look up users instead of
rules.

--Chris

>-Original Message-
>From: Thomas Kinghorn [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, October 12, 2004 2:07 AM
>To: Spamassassin-Talk ([EMAIL PROTECTED])
>Subject: FW: logs/stats
>
>
>That works great, even with exim and not sendmail.
>
>Anyone know of a way to log the to receivers  of spam?
>
>Tom
>
>
>
>> >  Anyone know of a good log analyzer for a sendmail/SA setup?
>> >
>> >
>> 
>> You need SA 3.0 to get the rule stats, I don't believe 2.6x 
>logged rules.
>> If you do upgrade, grab a copy of Dallas' script at
>> http://www.rulesemporium.com/programs/sa-stats.txt
>> 
>> Andy
>

RE: SpamAssassin not following rules set in procmailrc or local.cf

[Yackley, Matt]

 

> -Original Message-
> From: Joe Jenkins [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 12, 2004 1:32 PM
> To: users@spamassassin.apache.org
> Subject: SpamAssassin not following rules set in procmailrc 
> or local.cf
> 
> I am running SA 3.0 on a Mandrake 10.1 server with Procmail / Sendmail
> spamd is running and I have set up my procmailrc to send all 
> stopped spam to a
> file: /var/spool/mail/STOPPED_SPAM (procmailrc at end of this post)
> 
> Also, I have set up local.cf to rewrite the subject. (see 
> config below)
> 
SNIP
> 
> -/etc/mail/spamassassin/local.cf--
> ---
> 
> # SpamAssassin config file for version 2.5x
> # generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)
> 
> # How many hits before a message is considered spam.
> required_hits   5.0
> 
> # Whether to change the subject of suspected spam
> rewrite_subject 1
> 
> # Text to prepend to subject if rewrite_subject is used
> subject_tag *SPAM*
> 
> # Encapsulate spam in an attachment
> report_safe 2
> 
> # Use terse version of the spam report
> use_terse_report0
> 
> # Enable the Bayes system
> use_bayes   1
> 
> # Enable Bayes auto-learning
> auto_learn  1
> 
> # Enable or disable network checks
> skip_rbl_checks 0
> use_razor2  1
> use_dcc 1
> use_pyzor   1
> 
> # Mail using languages used in these country codes will not be marked
> # as being possibly spam in a foreign language.
> # - english
> ok_languagesen
> 
> # Mail using locales used in these country codes will not be marked
> # as being possibly spam in a foreign language.
> ok_locales  en
> 

Hi Joe,
It looks like your config needs to be updated, some options have changed
since 2.5x came out.  ;)

>From the 3.0.0 UPGRADE doc:
- The "rewrite_subject" and "subject_tag" configuration options were
  deprecated and are now removed. Instead, using "rewrite_header Subject
  [your desired setting]".  e.g.

rewrite_subject 1
subject_tag SPAM(_SCORE_)

  becomes

rewrite_header Subject SPAM(_SCORE_)

HTH,
matt

Re: spam slippin through

[[EMAIL PROTECTED]]

As Usual, you're all quite helpful! Thank you!



> From: Matt Kettler <[EMAIL PROTECTED]>
> Date: Tue, 12 Oct 2004 12:52:36 -0400
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, 
> Subject: Re: spam slippin through
> 
> At 12:25 PM 10/12/2004, [EMAIL PROTECTED] wrote:
>> running a site wide SA 2.6 setup, some XXX html only mails are impossible to
>> stop, getting scores as low as 2.0
>> 
>> the email just calls images, and thats about it.  should i paste the subject
>> here, they are quite distinct, and im sure others are getting them.
> 
> Are you using the Mail::SpamCopURI add on to check the SURBL system?
> 
> SURBL is pretty effective against the weblink-only and weblink+image only
> types of spam. It's basicaly a domain-name based DNS blacklist that is
> queried for domains contain in URLs.
> 
> http://www.surbl.org/
> 
> SpamCopURI for SA 2.6x can be downloaded here:
> http://sourceforge.net/projects/spamcopuri/
> 
> SpamCopURI installs more-or-less as a patch to the code your existing copy
> of SA. It modifies EvalTests.pm and adds a .cf file to
> /etc/mail/spamassassin to call the new eval.
> 
> (no need for SpamCopURI if you're using SA 3.0 or higher, SURBL queries are
> enabled by default with SA 3.x)
> 
> 

Re: SpamAssassin not following rules set in procmailrc or local.cf

[Theo Van Dinter]

On Tue, Oct 12, 2004 at 12:32:11PM -0600, Joe Jenkins wrote:
> check the headers and see the stuff SA adds.  When it IS spam, it gets tagged
> properly in the headers but the subject is not being rewritten and the email 
> is
> not being redirected to the /var/spool/mail/STOPPED_SPAM file as I indicate in
> my procmailrc file.
> 
> I just dont understand why my local.cf / procmailrc doesnt seem to be doing 
> what
> it should.

If the mail is being marked up properly, there is no problem with SpamAssassin
or your local.cf.

I would check your procmail log and see what's going on there.

-- 
Randomly Generated Tagline:
I think Smithers picked me because of my motivational skills.
 
-- Homer Simpson
   Homer the Smithers


pgpo3ZFzbunA7.pgp
Description: PGP signature

SpamAssassin not following rules set in procmailrc or local.cf

[Joe Jenkins]

I am running SA 3.0 on a Mandrake 10.1 server with Procmail / Sendmail
spamd is running and I have set up my procmailrc to send all stopped spam to a
file: /var/spool/mail/STOPPED_SPAM (procmailrc at end of this post)

Also, I have set up local.cf to rewrite the subject. (see config below)

spamd is started with an init script with the following parameters:

SPAMDOPTIONS="-d -x -m5"

I dont use -c because I dont want to use userconfig files, which is also why -x
is there.

Sendmail is working fine, and email seems to be piped fine through SA, I can
check the headers and see the stuff SA adds.  When it IS spam, it gets tagged
properly in the headers but the subject is not being rewritten and the email is
not being redirected to the /var/spool/mail/STOPPED_SPAM file as I indicate in
my procmailrc file.

I just dont understand why my local.cf / procmailrc doesnt seem to be doing what
it should.

I want SA running site wide for all inbound email, and all tagged spam going to
a central mail box, with one site wide prefs file (which is what I though
local.cf is) and systemwide files for bayes and autolearn etc so users never
have to deal with it.  Most dont have shell access and cannot set their own
.procmailrc or user_prefs for spamassassin (these files do not currently exist
in any users directory.)

Any ideas?  I've been going nuts on this for about 3 days trying a ton of
different things.


Thanks all :)
Joe Jenkins
Radian



 sendmail.cf procmail stuff

#  $Id: procmail.m4,v 8.22 2001/11/12 23:11:34 ca Exp $  #

Mprocmail,  P=/usr/bin/procmail, F=DFMmSDFMhun, S=EnvFromSMTP/HdrFromSMTP,
R=EnvToSMTP/HdrFromSMTP,
T=DNS/RFC822/X-Unix,
A=procmail -m $h $g $u

Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL,
R=EnvToL/HdrToL,
T=DNS/RFC822/X-Unix,
A=procmail -t -Y -a $h -d $u
Mprog,  P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL,
R=EnvToL/HdrToL, D=$z:/,
T=X-Unix/X-Unix/X-Unix,
A=smrsh -c $u






# SpamAssassin sample procmailrc
# ==

# The following line is only used if you use a system-wide /etc/procmailrc.
# See procmailrc(5) for infos on what it exactly does, the short version:
#  * It ensures that the correct user is passed to spamd if spamc is used
#  * The folders the mail is filed to later on is owned by the user, not
#root.
DROPPRIVS=yes

# Pipe the mail through spamassassin (replace 'spamassassin' with 'spamc'
# if you use the spamc/spamd combination)
#
# The condition line ensures that only messages smaller than 250 kB
# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam
# isn't bigger than a few k and working with big messages can bring
# SpamAssassin to its knees.
#
# The lock file ensures that only 1 spamassassin invocation happens
# at 1 time, to keep the load down.
#
:0fw: spamassassin.lock
* < 256000
| spamc

MAILDIR=/var/spool/mail
:0
* ^X-Spam-Flag: YES
STOPPED_SPAM

-/etc/mail/spamassassin/local.cf-

# SpamAssassin config file for version 2.5x
# generated by http://www.yrex.com/spam/spamconfig.php (version 1.01)

# How many hits before a message is considered spam.
required_hits   5.0

# Whether to change the subject of suspected spam
rewrite_subject 1

# Text to prepend to subject if rewrite_subject is used
subject_tag *SPAM*

# Encapsulate spam in an attachment
report_safe 2

# Use terse version of the spam report
use_terse_report0

# Enable the Bayes system
use_bayes   1

# Enable Bayes auto-learning
auto_learn  1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
use_dcc 1
use_pyzor   1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english
ok_languagesen

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales  en

Re: spam slippin through

[Rakesh]

Try implementing SpamCop URI checks or upgrade to SA 3.0 you will get 
rid of these unstoppable spam mails. I got amazing results after 
implementing URI checks.

Rakesh
[EMAIL PROTECTED] wrote:
running a site wide SA 2.6 setup, some XXX html only mails are impossible to
stop, getting scores as low as 2.0
the email just calls images, and thats about it.  should i paste the subject
here, they are quite distinct, and im sure others are getting them.  

 

RE: spam slippin through

[Bret Miller]

> running a site wide SA 2.6 setup, some XXX html only mails
> are impossible to
> stop, getting scores as low as 2.0
>
> the email just calls images, and thats about it.  should i
> paste the subject
> here, they are quite distinct, and im sure others are getting them.

You really need to upgrade so you can take advantage of SURBL, which has
pretty much eliminated that image-only spam here.

Bret

RE: RBL Misfires?

[Nate Schindler]

> -Original Message-
> From: Kelson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 12, 2004 10:57 AM
> To: users@spamassassin.apache.org
> Subject: Re: RBL Misfires?
> Most likely scenario:
> 
> 1. Someone erroneously reports the domain name to SURBL.
> 2. You receive and scan the message, which fires on URIBL_WS_SURBL.
> 3. Someone else realizes the listing is invalid, and it gets removed 
> from ws.surbl.org.
> 4. You read the message, wonder why the heck it triggered a 
> SURBL check, 
> and look it up.  Since it's already been removed, you don't find it.

This is a sound hypothesis, but I was actually watching the log at the time, 
and tried looking it up only moments after the test hit.
I looked at our internal DNS cache, and my ISPs DNS servers with dig.  Couldn't 
find it in any of those.

If nobody else has ever heard of DNS tests misfiring like this, or don't think 
this could be a real problem, I'll assume it was cached in DNS *somewhere*.

Thanks,

Nate

RE: spam slippin through

[Shawn R. Beairsto]

If its the spam I think it is, I stopped it by using the SARE_70_HTML1.CF file 
and adding this to my local.cf

score SARE_HTML_A_HIDE  5.0

They always hit this rule ;)

Shawn
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 12:26 PM
To: users@spamassassin.apache.org
Subject: spam slippin through


running a site wide SA 2.6 setup, some XXX html only mails are impossible to
stop, getting scores as low as 2.0

the email just calls images, and thats about it.  should i paste the subject
here, they are quite distinct, and im sure others are getting them.  

Re: AWL auto_expire?

[Kris Deugau]

Nate Schindler wrote:
> awesome!  looks like it removes addresses seen only once.

By design.  I figured that the addresses with single entries were the
ones most likely to be spam...  and so the ones least usefully kept in
the AWL.  In one extreme case IIRC it dropped the AWL file from ~5M to
~80K or so.

>  it also seems to be okay with SA 3.0.

Good to hear.  I haven't upgraded due to the memory issues a number of
people have reported in general.  :/

> Thanks much! (Kris, too:)

snowjack wrote:
> I use this successfully with SA 2.64. I run it automatically once per
> month. (Thanks, Kris!)

You're both welcome.

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!

Re: RBL Misfires?

[Kelson]

Nate Schindler wrote:
Once in a while, I notice a hit for an RBL-related test that seems a 
little off.  When I check for the existance of a record in the list, I 
can't find one.  Below is a match SA 3 found in an e-mail from one of 
our dealers.  I thought it was curious that they were listed, so I 
checked into it, and couldn't find this domain in surbl.
Most likely scenario:
1. Someone erroneously reports the domain name to SURBL.
2. You receive and scan the message, which fires on URIBL_WS_SURBL.
3. Someone else realizes the listing is invalid, and it gets removed 
from ws.surbl.org.
4. You read the message, wonder why the heck it triggered a SURBL check, 
and look it up.  Since it's already been removed, you don't find it.

--
Kelson Vibber
SpeedGate Communications 

Re: RBL Misfires?

[Matt Kettler]

At 01:28 PM 10/12/2004, Nate Schindler wrote:
Once in a while, I notice a hit for an RBL-related test that seems a 
little off.  When I check for the existance of a record in the list, I 
can't find one.  Below is a match SA 3 found in an e-mail from one of our 
dealers.  I thought it was curious that they were listed, so I checked 
into it, and couldn't find this domain in surbl.  This isn't limited to 
URIBL lists.  I've noticed misfires in most of the lists SA checks.  My 
Net::DNS is v0.46.

*  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL 
blocklist\n\t*  [URIs: vantagemobility.com]

Any ideas?
If you re-run the message through SA 3.0 does it match the WS list?
There's a small chance it was listed in the WS blocklist, then quickly 
retracted after Will realized it was a mistaken listing. This kind of thing 
does happen, and all of the SURBL lists are highly dynamic, changing very 
rapidly.

Re: Upgrade from 3.0 rc2 to current

[Theodore Heise]

Apparently my request was not deemed worthy of a reply.  For anybody
who may look for such information in the archives I'll note that I
simply backed up my Bayes databases and installed 3.0.0--everything
appears to be working fine.

Ted Heise


--I assume it
is something everybody else

On Fri, 8 Oct 2004, Theodore Heise wrote:

>
> Hi all,
>
> I have SA 3.0 rc2 running on my Slackware 9.0 box, and want to
> upgrade to the official 3.0 release.  I looked through the UPGRADE
> file and didn't see any information on whether I need to do anything
> with my Bayes databases during the process.
>
> Thanks for any guidance.
>
>

Re: Spam trap account?

[John Hardin]

On Sat, 2004-10-09 at 09:31, Matt Kettler wrote:
> At 10:26 PM 10/8/2004 -0700, Jerry wrote:
> >I am using the command:
> >
> >spamassassin --add-to-blacklist (message filename)
> >
> >For it to scan the filename and add the senders email address to the black
> >list.
> 
> That's largely worthless.. 

Agreed.

Where a spamtrap account would be useful is for automatically feeding
into "sa-learn --spam"

--
John Hardin  KA7OHZ   <[EMAIL PROTECTED]>
Internal Systems Administratorvoice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
---
 If you smash a computer to bits with a mallet, that appears to count
 as encryption in the state of Nevada.
   - CRYPTO-GRAM 12/2001
---

RBL Misfires?

[Nate Schindler]

Title: RBL Misfires?






Once in a while, I notice a hit for an RBL-related test that seems a little off.  When I check for the existance of a record in the list, I can't find one.  Below is a match SA 3 found in an e-mail from one of our dealers.  I thought it was curious that they were listed, so I checked into it, and couldn't find this domain in surbl.  This isn't limited to URIBL lists.  I've noticed misfires in most of the lists SA checks.  My Net::DNS is v0.46.

*  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist\n\t*  [URIs: vantagemobility.com]



Any ideas?


TIA,

Nate

Re: feeding frenzy for ws.surbl.org!!!

[martin f krafft]

also sprach Justin Mason <[EMAIL PROTECTED]> [2004.10.12.1851 +0200]:
> hold on a minute guys -- this is a FAQ.
> 
> http://wiki.apache.org/spamassassin/DoYouWantMySpam

/me sits back and sighs

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
"this sentence contradicts itself -- no actually it doesn't."
 -- douglas hofstadter


signature.asc
Description: Digital signature

Re: spam slippin through

[Matt Kettler]

At 12:25 PM 10/12/2004, [EMAIL PROTECTED] wrote:
running a site wide SA 2.6 setup, some XXX html only mails are impossible to
stop, getting scores as low as 2.0
the email just calls images, and thats about it.  should i paste the subject
here, they are quite distinct, and im sure others are getting them.
Are you using the Mail::SpamCopURI add on to check the SURBL system?
SURBL is pretty effective against the weblink-only and weblink+image only 
types of spam. It's basicaly a domain-name based DNS blacklist that is 
queried for domains contain in URLs.

http://www.surbl.org/
SpamCopURI for SA 2.6x can be downloaded here:
http://sourceforge.net/projects/spamcopuri/
SpamCopURI installs more-or-less as a patch to the code your existing copy 
of SA. It modifies EvalTests.pm and adds a .cf file to 
/etc/mail/spamassassin to call the new eval.

(no need for SpamCopURI if you're using SA 3.0 or higher, SURBL queries are 
enabled by default with SA 3.x)

Re: feeding frenzy for ws.surbl.org!!!

[Justin Mason]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


martin f krafft writes:
> also sprach martin f krafft <[EMAIL PROTECTED]> [2004.10.12.1420 +0200]:
> > > Only forward spam that SpamAssassin does not currently
> > > automatically detect correctly.
> > 
> > All of it?
> 
> And with or without Bayesian stuff enabled?

hold on a minute guys -- this is a FAQ.

http://wiki.apache.org/spamassassin/DoYouWantMySpam

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD4DBQFBbAt2MJF5cimLx9ARAp1iAJ9jClursanXZbu2e/qyEM8f/nYU7QCWOwOA
IYNku8DicN5y+lSZlOUoCA==
=iBc1
-END PGP SIGNATURE-

spam slippin through

[[EMAIL PROTECTED]]

running a site wide SA 2.6 setup, some XXX html only mails are impossible to
stop, getting scores as low as 2.0

the email just calls images, and thats about it.  should i paste the subject
here, they are quite distinct, and im sure others are getting them.  

RE: SARE problems?

[Bret Miller]

http://www.rulesemporium.com/ is working for me...

Re: sa-learn sql with username ?

[Jason Frisvold]

On Tue, 12 Oct 2004 07:31:36 -0700, p dont think
<[EMAIL PROTECTED]> wrote:

> FYI, we are planning to extend the following wrapper method by spitting
> out a temporary conf file with the correct username in it, and deleting
> the conf file when done:
> 
> http://jousset.org/pub/sa-postfix.en.html

That is essentially what I have done in order to get this working. 
I'm using the sasql plugin for squirrelmail and needed a way to
provide the username to the process_spam.pl script.  I hacked the
temporary conf file bit into the script and it runs perfectly.  I
think the next step is to determine how to speed up the process.  It
seems that the process_spam script processes each piece of mail
individually, thus slowing the system down considerably.  If anyone
has already done this, please let me know.. re-inventing the wheel is
usually a waste of time ...


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]

"Insecure dependency" SA3/Razor2.61

[Robert Berlinger]

I’m seeing the
following error at the end of a spamasassin –D run on some messages:

 

debug: Razor2: spam report,
response is "1".

debug: leaving helper-app
run mode

debug: SpamAssassin: spam
reported to Razor.

1 message(s) examined.

Insecure dependency in
connect while running with -T switch at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Socket.pm
line 114.

 

 

I know that there was some
issue with razor2 and a similar error message, but I’m already at the
latest version of razor (2.61) and the problem’s still there.  Any other
ideas?

 

Thanks much!

 

Re: feeding frenzy for ws.surbl.org!!!

[Kai Schaetzl]

Jeff Chan wrote on Tue, 12 Oct 2004 05:29:53 -0700:

> Send one example of each new class of spam, but be sure that it's
> not detected already in standard installations.  I'd say include
> the Bayesian scoring.  What do others say?
>

Why not put up a list which discusses only rules and also accepts spam 
"submissions" for discussion? This list we are on could then be "reserved" 
to configuration and usage of SA.
Doubtful, though, if this would work. Actually, there isn't too much spam 
getting sent to this list recently. It's been more in older days I think. 
I would just wish that some people think a second time before posting 
them. F.i. "new candidate for ..." is not really appropriate here, such 
stuff should be sent directly to the maintainer of that blacklist.


Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

Re: compilation error

[Matt Kettler]

At 08:33 AM 10/12/2004, Ronan wrote:
the following error is being thrown at me.
I have tried adding the switch "--with-version=3" and also with 3.0 and 
3.0.0 but still doesnt work.

Anyclues?
SA 3.0 appears to require the Mime::Base64 perl module. This module was 
optional in 2.63 , but it seems to be required now. Install that and you 
should be fine.

Why did you try passing --with-version? All it does is change the version 
number that SA claims to be, which you really shouldn't need or want to do.


Im compiling then gonna upgrade over v2.63.
thanks
Ronan


 version.h.pl: version.h.pl: version.h.pl: Can't locate MIME/Base64.pm in 
@INC (@INC contains: ../lib /usr/local/lib/perl5/5.6.1/sun4-solaris 
/usr/local/lib/perl5/5.6.1 
/usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris 
/usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl .) at 
../lib/Mail/SpamAssassin/Message/Node.pm line 43.

Re: Public SA Corpus

[Thomas Bolioli]

Gerry Doris wrote:
I managed to destroy my bayes database...don't ask.
Since I only run a home system and don't receive a heavy flow of spam I
really like to skip the wait for bayes to get up to speed.  Is it
recommended to use the public corpus on the SA website or is it too old
for proper training?  Is there a better source of ham/spam to be used for
training?
Gerry
 

The public spam db should be broad enough for you in the interim,
although I just checked and it is a little long in the tooth (circa
2/2003). Spam is in large part generic these days, public/generic could
get you up and going quick. As time goes by, the older spam will be
retired and be replaced with things coming in. Don't bother with public
ham though. Feeding it ham should be up to you. If you get that little
spam, then you should have no problem training it on that side.
On a side note, I have a 55K message spam database from email addresses
used in the music industry, environmental and educational markets (not
to mention /. ;-}) and should be a broad reach. It has been culled of
all virii and mailing list mail. It could make a decent analysis corpus
for those who want it. Also gerry, If you want, I can forward along or
post the most recent spam, about 2-5K worth for you to train on. That
should be all you need.
Tom

Re: sa-learn sql with username ?

[p dont think]

Jason Frisvold wrote:
You mean this?
http://bugzilla.spamassassin.org/show_bug.cgi?id=3766

Awesome, thanks for the link :)
It's always interesting to watch the flow of thinking for something
like this...  I can agree with both sides of the permissions issue... 
In my case, the only users with direct access to the server are
admins, so I don't have an issue with non-root users, per se.. 
However, in the interest of security, I do think it's a good idea to
only let the root/spamd user run that command...

It seems there's no clear-cut answer for this..  I wonder if it's
possible to turn this on/off via some config option?
FYI, we are planning to extend the following wrapper method by spitting 
out a temporary conf file with the correct username in it, and deleting 
the conf file when done:

http://jousset.org/pub/sa-postfix.en.html

RE: inconsistencies in message checking

[Chris Santerre]

>-Original Message-
>From: Matt Kettler [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, October 12, 2004 8:18 AM
>To: Thomas Kinghorn; Spamassassin-Talk
>([EMAIL PROTECTED])
>Subject: Re: inconsistencies in message checking

>There's no actual drug names in the subject or body of the 
>untagged mail, 
>except in URLs. It looks like spammers are adapting to bypass 
>antidrug's 
>rules by hiding text in links.


>I'll look into making a URI version of antidrug for SA 3.0 
>when I have some 
>spare time. 

Sorry to reply so late, I was out flying a kite. :) 

I'm also going to be working on a sort of "Evil words found in urls" file.
I'm hoping to replace BigEvil with this data. So If you would like to work
together on it Matt, I'm all for it.

Now I have to go get my kite out of the tree!

--Chris

RE: local host

[Tan, William]

If you "man spamd" or "netstat -an", you'll notice that it listens by
default on 127.0.0.1:783.

The log entries would presumably represent the tcp connections made from
spamc to spamd.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 12, 2004 9:50 AM
To: users@spamassassin.apache.org
Subject: local host

Watching the maillogs with SA 2.6 each call of spamd comes with this:

Oct 12 09:47:24 mail spamd[15997]: connection from localhost.localdomain
[127.0.0.1] at port 51225

and the following call the port increments upward.  What is this?

local host

[[EMAIL PROTECTED]]

Watching the maillogs with SA 2.6 each call of spamd comes with this:

Oct 12 09:47:24 mail spamd[15997]: connection from localhost.localdomain
[127.0.0.1] at port 51225

and the following call the port increments upward.  What is this?

Re: [ot] comments about the mailing list

[Kai Schaetzl]

Martin f krafft wrote on Tue, 12 Oct 2004 11:53:33 +0200:

> I am not here to discuss religion but usability of your mailing
> list.
>

Martin, you "discussed" it in a way I would call religious and the 
religion being "mutt". Thanks for "shutting up". :-)


Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

Re: SARE problems?

[Kai Schaetzl]

Thomas Kinghorn wrote on Tue, 12 Oct 2004 07:57:42 +0200:

> Anyone having problems getting to the SARE website?
>

Still? None at all here.


Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

RE: inconsistencies in message checking

[Thomas Kinghorn]

Thanks Matt

Regards, 

Tom 


-Original Message-
>From: Matt Kettler [mailto:[EMAIL PROTECTED] 
>Sent: 12 October 2004 14:21
>To: martin f krafft
>Cc: Spamassassin-Talk ([EMAIL PROTECTED])
>Subject: Re: inconsistencies in message checking

>At 09:01 AM 10/12/2004 +0200, martin f krafft wrote:
>stop forwarding your spam to lists! cut it to the bare essentials.

>Why not? If the example is illustrative of the problem it's perfectly 
>acceptable for him to forward spam to this list. It's always been that way 
>on this list. (however, pure mbox file as binary attachment is preferred to

>encapsulated attachments, but that's a minor difference)


>Don't like it? Go fly a kite. 

Re: compilation error

[Bob Apthorpe]

Hi,

On Tue, 12 Oct 2004 13:33:21 +0100 Ronan <[EMAIL PROTECTED]> wrote:

> the following error is being thrown at me.
> I have tried adding the switch "--with-version=3" and also with 3.0 and 
> 3.0.0 but still doesnt work.
> 
> Anyclues?

...
> The error was:
> version.h.pl: version.h.pl: version.h.pl: version.h.pl: version.h.pl: 
> version.h.pl: version.h.pl: Can't locate MIME/Base64.pm in @INC
...

Install MIME::Base64

-- Bob

compilation error

[Ronan]

the following error is being thrown at me.
I have tried adding the switch "--with-version=3" and also with 3.0 and 
3.0.0 but still doesnt work.

Anyclues?
Im compiling then gonna upgrade over v2.63.
thanks
Ronan
# make
cp spamd/spamd blib/script/spamd
/usr/local/bin/perl -I/usr/local/lib/perl5/5.6.1/sun4-solaris 
-I/usr/local/lib/perl5/5.6.1 -MExtUtils::MakeMaker -e "MY->fixin(shift)" 
blib/script/spamd
cp sa-learn blib/script/sa-learn
/usr/local/bin/perl -I/usr/local/lib/perl5/5.6.1/sun4-solaris 
-I/usr/local/lib/perl5/5.6.1 -MExtUtils::MakeMaker -e "MY->fixin(shift)" 
blib/script/sa-learn
/usr/local/bin/perl spamc/configure.pl --prefix="/usr/local" 
--sysconfdir="/etc/mail/spamassassin" 
--datadir="/usr/local/share/spamassassin" --enable-ssl="no"
cd spamc
/usr/local/bin/perl version.h.pl
version.h.pl: creating version.h
spamc/configure.pl: version.h.pl: Failed to get the version from 
Mail::SpamAssassin.
Please use the --with-version= switch to specify it manually.

The error was:
version.h.pl: version.h.pl: version.h.pl: version.h.pl: version.h.pl: 
version.h.pl: version.h.pl: Can't locate MIME/Base64.pm in @INC (@INC 
contains: ../lib /usr/local/lib/perl5/5.6.1/sun4-solaris 
/usr/local/lib/perl5/5.6.1 
/usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris 
/usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl .) 
at ../lib/Mail/SpamAssassin/Message/Node.pm line 43.
BEGIN failed--compilation aborted at 
../lib/Mail/SpamAssassin/Message/Node.pm line 43.
Compilation failed in require at ../lib/Mail/SpamAssassin/Message.pm 
line 49.
BEGIN failed--compilation aborted at ../lib/Mail/SpamAssassin/Message.pm 
line 49.
Compilation failed in require at ../lib/Mail/SpamAssassin.pm line 75.
BEGIN failed--compilation aborted at ../lib/Mail/SpamAssassin.pm line 75.
Compilation failed in require at version.h.pl line 27.
make: *** [spamc/Makefile] Error 2
#


--
Regards
Ronan McGlue
==
Analyst/Programmer
Information Services
Queens University Belfast
BT7 1NN

Re: sa-learn sql with username ?

[Jason Frisvold]

> You mean this?
> http://bugzilla.spamassassin.org/show_bug.cgi?id=3766

Awesome, thanks for the link :)

It's always interesting to watch the flow of thinking for something
like this...  I can agree with both sides of the permissions issue... 
In my case, the only users with direct access to the server are
admins, so I don't have an issue with non-root users, per se.. 
However, in the interest of security, I do think it's a good idea to
only let the root/spamd user run that command...

It seems there's no clear-cut answer for this..  I wonder if it's
possible to turn this on/off via some config option?

> Michael
> 


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]

Re: feeding frenzy for ws.surbl.org!!!

[Jeff Chan]

On Tuesday, October 12, 2004, 5:22:50 AM, martin krafft wrote:
> also sprach martin f krafft <[EMAIL PROTECTED]> [2004.10.12.1420 +0200]:
>> > Only forward spam that SpamAssassin does not currently
>> > automatically detect correctly.
>> 
>> All of it?

> And with or without Bayesian stuff enabled?

Send one example of each new class of spam, but be sure that it's
not detected already in standard installations.  I'd say include
the Bayesian scoring.  What do others say?

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Re: [ot] comments about the mailing list

[Mike Burger]

On Tue, 12 Oct 2004, martin f krafft wrote:

> I do not want to start a flamewar, but I do wonder why you all opted
> for ezmlm. It's working and all that, but as with any DJB software,

Quite honestly, though, the SpamAssassin folks didn't "opt" for ezmlm.  
Apache.org uses ezmlm, and when SA was brought into the apache.org fold, 
that's what they got to use.

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

[EMAIL PROTECTED]

with a message of: 

subscribe

Re: feeding frenzy for ws.surbl.org!!!

[martin f krafft]

also sprach martin f krafft <[EMAIL PROTECTED]> [2004.10.12.1420 +0200]:
> > Only forward spam that SpamAssassin does not currently
> > automatically detect correctly.
> 
> All of it?

And with or without Bayesian stuff enabled?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
"auch der mutigste von uns hat nur selten den mut zu dem,
 was er eigentlich weiß."
 - friedrich nietzsche


signature.asc
Description: Digital signature

Re: inconsistencies in message checking

[Matt Kettler]

At 09:01 AM 10/12/2004 +0200, martin f krafft wrote:
stop forwarding your spam to lists! cut it to the bare essentials.
Why not? If the example is illustrative of the problem it's perfectly 
acceptable for him to forward spam to this list. It's always been that way 
on this list. (however, pure mbox file as binary attachment is preferred to 
encapsulated attachments, but that's a minor difference)

Don't like it? Go fly a kite. 

Re: feeding frenzy for ws.surbl.org!!!

[martin f krafft]

also sprach Jeff Chan <[EMAIL PROTECTED]> [2004.10.12.1414 +0200]:
> Only forward spam that SpamAssassin does not currently
> automatically detect correctly.

All of it?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
"what's your conceptual continuity? --
 well, it should be easy to see:
 the crux of the bisquit is the apopstrophe!"
-- frank zappa


signature.asc
Description: Digital signature

Re: inconsistencies in message checking

[Matt Kettler]

At 07:23 AM 10/12/2004 +0200, Thomas Kinghorn wrote:
I have 2 messages, where the bodies are the same.
No, you have two messages with similar bodies, but they are definitely not 
the same.

There's a lot of the same text, but the last line and the subject are very 
different in each.

SA handles the subject line as if it were body text. Thus, because one had 
actual drug names in the subject line, some of the DRUG_* rules fired, 
increasing the score. That's 1.1 points of difference.

There's no actual drug names in the subject or body of the untagged mail, 
except in URLs. It looks like spammers are adapting to bypass antidrug's 
rules by hiding text in links.

They also hit different BAYES_* due to their differences. The tagged one 
got BAYES_95, but the untaged one got a very weak BAYES_60. That's 1.71 
points of the difference.

The one that got tagged also hit one of your SARE add-on rules, another 1.7 
points.

Now, the untagged message did hit a few extra rules, RCVD_IN_BL_SPAMCOP_NET 
(+1.2)

1 scored 3.5, the other 6.3
Why is this? Way to may MEDS are coming through.
The best thing you can do right now is work on your bayes training a bit. 
That untagged mail missed 1.7 points of score by matching your bayes 
training very weakly.

I'll look into making a URI version of antidrug for SA 3.0 when I have some 
spare time. 

Re: feeding frenzy for ws.surbl.org!!!

[Jeff Chan]

On Tuesday, October 12, 2004, 3:03:11 AM, martin krafft wrote:
> also sprach jdow <[EMAIL PROTECTED]> [2004.10.12.1158 +0200]:
>> Feed us spam, please. Avoid the middle man. It makes our response
>> quicker.

> Should I set up an autoreply to all my spam from the address of the
> list, or simply forward all my spam?

Only forward spam that SpamAssassin does not currently
automatically detect correctly.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Re: [ot] comments about the mailing list

[Satya]

On Tue, Oct 12, 2004 at 09:56:18AM +0200, martin f krafft wrote:
>also sprach Niek <[EMAIL PROTECTED]> [2004.10.12.0946 +0200]:
>> This is not quantum physics, maybe mutt has some features to help
>> you with the tough task of posting to this list ?
>No, because mutt cannot and should not control the envelope sender.

If this gets through, it's something you can change in configuration.

-- 
Satya. http://www.thesatya.com/
But I forgot all about the Amnesia Conference!!

Re: sa-learn question

[Alex S Moore]

On Mon, 2004-10-11 at 21:18 -0600, Lance wrote:
> Alright, we're running courier IMAP along with pop3 but our spool is all
> Maildir format.  I've got a public spam folder for certain people so
> what would the sa-learn command be?
> 
> sa-learn --spam /var/spool/mail/unixvault.net/shared/.Spam/cur/*
> 

This is correct.  I use it often.

Alex

Re: feeding frenzy for ws.surbl.org!!!

[martin f krafft]

also sprach jdow <[EMAIL PROTECTED]> [2004.10.12.1158 +0200]:
> Feed us spam, please. Avoid the middle man. It makes our response
> quicker.

Should I set up an autoreply to all my spam from the address of the
list, or simply forward all my spam?

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
god is real, unless declared integer.
  (dedicated to gabriel gómez)


signature.asc
Description: Digital signature

Re: feeding frenzy for ws.surbl.org!!!

[jdow]

From: "Jeff Chan" <[EMAIL PROTECTED]>
> On Monday, October 11, 2004, 11:56:19 PM, martin krafft wrote:
> > Would you please consider not forwarding your spam to mailing lists?
> > Dude, this is the SA mailing list, what do you think runs on
> > people's servers? And what do you think this software does with you
> > post?
> 
> > Apart, we all get plenty of spam already, so please refrain from
> > loading even more.
> 
> > You could have just cut the relevant parts out of the message. Like
> > the headers only...
> 
> Well in some cases, such as debugging an undetected spam,
> it's quite useful to see the entire message to determine
> whether the results can be duplicated on another system.
> If so, it can be a genuine bug in SA.  So there are times
> when it's useful to forward spams to these lists.
> 
> Regarding filtering spam discussion list messages using
> anti-spam software, that's generally not a good idea since
> the messages can legitimately include spam samples for
> meta-discussion about them.  So if you're applying
> SpamAssassin or other anti-spam sofware to these messages,
> don't.  :-)
> 
> Jeff C.

Spam is in the food chain for this group. Although I suspect it is best to
put it in attachments so that most people who are not interested can avoid
reading it. The message that I forwarded to this list and the apache.org
mail scanner rejected was precisely such food. The person in charge of the
mail processing needs to become aware that in some places, like this one,
spam is grist for our mill. Feed us spam, please. Avoid the middle man.
It makes our response quicker.

{^_-}

Re: [ot] comments about the mailing list

[martin f krafft]

also sprach Kai Schaetzl <[EMAIL PROTECTED]> [2004.10.12.1131 +0200]:
> Again, discussing religion is off-topic here, really.

I am not here to discuss religion but usability of your mailing
list.

But hey, since nobody seems to care, and mutt *does* provide for
broken setups (again), I'll shut up. They aren't my users anyway...

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
perl -e 'print "The earth is a disk!\n" if ( "earth" == "flat" );'


signature.asc
Description: Digital signature

Re: feeding frenzy for ws.surbl.org!!!

[Jeff Chan]

On Tuesday, October 12, 2004, 2:23:57 AM, martin krafft wrote:
> also sprach Jeff Chan <[EMAIL PROTECTED]> [2004.10.12.1115 +0200]:

>> FWIW, the usual sequence in reporting new (undetected) classes of
>> spam is:
>> 
>> 1.  Post an instance of it on this discussion list.

> Post an instance of it to a pastebin, e.g http://rafb.net/paste or
> better, an SA-specific pastebin on sa.apache.org (to be created),
> and send the link here.

Yes, as I said before putting the message on some web site
can be an acceptable alternative to posting it.  However,
one reason to actually post the message is for people to
be able to see and comment more easily.  Truly new cases
are somewhat unusual and sometimes deserve the visibility.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Re: [ot] comments about the mailing list

[Kai Schaetzl]

Martin f krafft wrote on Tue, 12 Oct 2004 09:56:18 +0200:

> No, because mutt cannot and should not control the envelope sender.

Discussing religion is off-topic here, really.

> ezmlm is fundamentally broken, so I am trying to alert people to

Again, discussing religion is off-topic here, really.

Please stop this crusade.



Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

Re: Network tests not working after upgrade to SA 3

[Adam D. Barratt]

On Monday, October 11, 2004 6:48 PM, Bill Landry <[EMAIL PROTECTED]>
wrote:

> - Original Message -
> From: "Mike Brodbelt" <[EMAIL PROTECTED]>
>
[...]
>> Aha. Whoever put together the package on backports.org omitted that
>> file from the docs I'd still contend it should be in UPGRADE
>> though

To be precise the Debian package maintainers omitted the file, the
backports.org packages are largely rebuilds.

> Why, this in not an upgrade issue.  Network tests have always required
> Net::DNS, at least since I've been using SA (since 2.55).  This from

Yes, but the minimum version of Net::DNS required has changed. 2.64 and
below worked fine with 0.19, which is the version in Debian woody (current
`stable'), 3.0.0 doesn't. *That* is an upgrade issue, imho.

There's currently a bug open against the Debian unstable SA3 package to
properly version the Net::DNS dependency (as this bit us on upgrade as well)
and it should be easy to persuade the backports.org maintainer to update the
backport once that makes it in to the unstable package.

Meantime, if anyone needs it I'm quite happy to share our local backported
version of the Net::DNS package (aka libnet-dns-perl in Debian) with anyone
who contacts me off-list.

Regards,

Adam

Re: feeding frenzy for ws.surbl.org!!!

[martin f krafft]

also sprach Jeff Chan <[EMAIL PROTECTED]> [2004.10.12.1115 +0200]:
> It's been mentioned before several times on this list.  Otherwise
> all I can say is that it's standard practice.  :-)

Well, I am not here to argue, but apparently the anti-spam lists to
which I subscribe do not follow the standards then.

> FWIW, the usual sequence in reporting new (undetected) classes of
> spam is:
> 
> 1.  Post an instance of it on this discussion list.

Post an instance of it to a pastebin, e.g http://rafb.net/paste or
better, an SA-specific pastebin on sa.apache.org (to be created),
and send the link here.

> 2.  Someone else feeds it into their SpamAssassin to see if they
> can duplicate the results (i.e. non-detection). If so then it's
> considered a real new case that probably should be handled but
> isn't.

wget -O - http://url/to/paste | spamc

and so on.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
"if ever somethin' don't feel right to you, remember what pancho said
 to the cisco kid...  `let's went, before we are dancing at the end of
 a rope, without music.'"
 -- sailor


signature.asc
Description: Digital signature

Rewriting subject results in broken up headers

[Jacco Beije]

Hi!
I'm experiencing a problem I can't find references to in the FAQs/mailing lists.
I'm using SpamAssassin 3.0, spamass-milter 0.2.0 and sendmail 8.12.11.
When I configure SpamAssassin to modify the subject of spam, the headers break 
up in 2 pieces...up to and including the Subject header remain headers. All
headers after the Subject header move to the body/message part of the mail!

If I don't tell SpamAssassin to modify the subject everything works as expected,
I can add/remove headers without a problem.
Any help/ideas are much appreciated!
grtz, Jacco

Re: [ot] comments about the mailing list

[martin f krafft]

also sprach Nick Leverton <[EMAIL PROTECTED]> [2004.10.12.1108 +0200]:
> It can, the option is called "envelope_from", and it's designed for
> situations like yours (and mine).

Oh wow, I am totally out of the loop. This certainly did not exist
when I hand-crafted my configuration file. Is there anything mutt
cannot do? ;)

Anyway, thanks for the pointer, and I guess my comments still stand
while the symptoms have been cured. Yay for mutt (yet again).

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
"those are my principles, and if you don't like them...
 well, I have others."
 -- groucho marx


signature.asc
Description: Digital signature

Re: feeding frenzy for ws.surbl.org!!!

[Jeff Chan]

On Tuesday, October 12, 2004, 2:01:01 AM, martin krafft wrote:
> also sprach Jeff Chan <[EMAIL PROTECTED]> [2004.10.12.1030 +0200]:

>> It's generally considered poor practice to apply spam filters
>> to spam discussions.

> Do you have a reference for this "general consideration"? I am on
> plenty of anti-spam lists, and this is the first time I heard
> that...

It's been mentioned before several times on this list.  Otherwise
all I can say is that it's standard practice.  :-)

FWIW, the usual sequence in reporting new (undetected) classes of
spam is:

1.  Post an instance of it on this discussion list.
2.  Someone else feeds it into their SpamAssassin to
see if they can duplicate the results (i.e. non-detection).
If so then it's considered a real new case that probably
should be handled but isn't.
3.  One of those people opens a Bugzilla ticket mentioning
the non-detection and includes the message(s) as an attachment to
the ticket.
4.  One of the developers picks up the ticket and codes a solution.
5.  Code is tested, approved by other developers, etc.

An alternative is that one of the SARE people who write rules
that are not officially part of SA yet (AFIAK) to catch the
new cases.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Re: [ot] comments about the mailing list

[Nick Leverton]

On Tue, Oct 12, 2004 at 09:56:18AM +0200, martin f krafft wrote:
> also sprach Niek <[EMAIL PROTECTED]> [2004.10.12.0946 +0200]:
 
> > This is not quantum physics, maybe mutt has some features to help
> > you with the tough task of posting to this list ?
> 
> No, because mutt cannot and should not control the envelope sender.

It can, the option is called "envelope_from", and it's designed for
situations like yours (and mine).

Nick

Re: feeding frenzy for ws.surbl.org!!!

[martin f krafft]

also sprach Jeff Chan <[EMAIL PROTECTED]> [2004.10.12.1030 +0200]:
> This only applies to spams that SpamAssassin does not already
> successfully detect, i.e. new, undetected classes.

Well, with Bayesian filtering, it is perfectly possible that many
spam filters already catch such a message.

> > Thus, by all means, spam filter.
> 
> It's generally considered poor practice to apply spam filters
> to spam discussions.

Do you have a reference for this "general consideration"? I am on
plenty of anti-spam lists, and this is the first time I heard
that...

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
"getting a scsi chain working is perfectly simple if you remember that
 there must be exactly three terminations: one on one end of the
 cable, one on the far end, and the goat, terminated over the scsi
 chain with a silver-handled knife whilst burning *black* candles."
 -- anthony deboer


signature.asc
Description: Digital signature

Re: feeding frenzy for ws.surbl.org!!!

[Jeff Chan]

On Tuesday, October 12, 2004, 12:39:20 AM, martin krafft wrote:
> also sprach Jeff Chan <[EMAIL PROTECTED]> [2004.10.12.0931 +0200]:
>> Well in some cases, such as debugging an undetected spam, it's
>> quite useful to see the entire message to determine whether the
>> results can be duplicated on another system. If so, it can be
>> a genuine bug in SA.  So there are times when it's useful to
>> forward spams to these lists.

> Well, how about compressing them, or putting them online and posting
> a link?

Plain text is probably better than compressed, but putting
messages on a web site is a reasonable alternative to posting.

> sooner or later, the spam volume here will increase.

If SpamAssassin is working well, then the spam that it doesn't
catch should not increase much.  However if it is failing to
detect some new class of spam, then it's important to update
SpamAssassin to catch them.  In order to do that requires
examples and some coding.  If no one mentions these new
types of spams, then they won't get caught.  Therefore it's
important to share information about new types of spam so
improvements and updates can be made.

This only applies to spams that SpamAssassin does not already
successfully detect, i.e. new, undetected classes.

> Thus, by all means, spam filter.

It's generally considered poor practice to apply spam filters
to spam discussions.  You're free to disagree, of course, but
such a position will be in a minority and not widely accepted.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Re: [ot] comments about the mailing list

[martin f krafft]

also sprach Niek <[EMAIL PROTECTED]> [2004.10.12.0946 +0200]:
> Who cares what software is being used ?

Well, if the software lowers the usability, people should care.

> This is not quantum physics, maybe mutt has some features to help
> you with the tough task of posting to this list ?

No, because mutt cannot and should not control the envelope sender.

This is the open-source community where it is possible to voice
concerns and bring forth constructive ciriticism; this is the
community where improvements actually take place from time to time.

ezmlm is fundamentally broken, so I am trying to alert people to
that before others, or the less experienced, fall into these traps
and get frustrated.

If all stays as it is, I guess it will boil down to me not posting
as often as I would otherwise (which may be a good thing, but may
also not -- I usually field a lot of support questions while I am at
it), and eventually move to using other software because the support
community of SA is not accessible enough.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
quantum mechanics: the dreams stuff is made of.


signature.asc
Description: Digital signature

Re: [ot] comments about the mailing list

[Niek]

On 10/12/2004 9:26 AM +0200, martin f krafft wrote:
I do not want to start a flamewar, but I do wonder why you all opted
for ezmlm. It's working and all that, but as with any DJB software,
it just does not give a flying food about how things should be done,
or are done in the rest of the world; instead, it imposes its own
paradigm on everyone that comes in touch with the software. Quite
frankly, this pisses me off.

Martin,
Who cares what software is being used ?
Adjust man, not that hard.
This is not quantum physics, maybe mutt has some features to help you
with the tough task of posting to this list ?
Greetings,
Niek
--
___
Read about mime:http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers

Re: feeding frenzy for ws.surbl.org!!!

[martin f krafft]

also sprach Jeff Chan <[EMAIL PROTECTED]> [2004.10.12.0931 +0200]:
> Well in some cases, such as debugging an undetected spam, it's
> quite useful to see the entire message to determine whether the
> results can be duplicated on another system. If so, it can be
> a genuine bug in SA.  So there are times when it's useful to
> forward spams to these lists.

Well, how about compressing them, or putting them online and posting
a link?

> Regarding filtering spam discussion list messages using anti-spam
> software, that's generally not a good idea since the messages can
> legitimately include spam samples for meta-discussion about them.
> So if you're applying SpamAssassin or other anti-spam sofware to
> these messages, don't.  :-)

The same applies to anti-virus lists, and while I don't care about
viruses (yet) (since I run SELinux systems), I would never advocate
that people should not virus-filter such traffic.

The same goes for this list. After all, sooner or later, the spam
volume here will increase. Thus, by all means, spam filter. I think
that posters with spam samples should think twice (well, most list
posters should think twice) and post the stuff online.

One idea would be to have a pastebin on the spamassassin web page
and encourage its use in the list guidelines...

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
"they redundantly repeated themselves over and over,
 incessantly without end and ad infinitum"
 -- ibid


signature.asc
Description: Digital signature

Re: does spamassassin -rR call sa-learn?

[martin f krafft]

also sprach Niek <[EMAIL PROTECTED]> [2004.10.12.0926 +0200]:
> man spamassassin.

Mh. Believe it or not, I never noticed the long descriptions to the
manpage. Sorry for the noise, and thanks for your answer.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
"aus der kriegsschule des lebens -
 was mich nicht umbringt, macht mich härter."
 - friedrich nietzsche


signature.asc
Description: Digital signature

Re: feeding frenzy for ws.surbl.org!!!

[Jeff Chan]

On Monday, October 11, 2004, 11:56:19 PM, martin krafft wrote:
> Would you please consider not forwarding your spam to mailing lists?
> Dude, this is the SA mailing list, what do you think runs on
> people's servers? And what do you think this software does with you
> post?

> Apart, we all get plenty of spam already, so please refrain from
> loading even more.

> You could have just cut the relevant parts out of the message. Like
> the headers only...

Well in some cases, such as debugging an undetected spam,
it's quite useful to see the entire message to determine
whether the results can be duplicated on another system.
If so, it can be a genuine bug in SA.  So there are times
when it's useful to forward spams to these lists.

Regarding filtering spam discussion list messages using
anti-spam software, that's generally not a good idea since
the messages can legitimately include spam samples for
meta-discussion about them.  So if you're applying
SpamAssassin or other anti-spam sofware to these messages,
don't.  :-)

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

[ot] comments about the mailing list

[martin f krafft]

Hi all,

First of all, thank you for SpamAssassin and this mailing list.
I have been able to extract many useful ideas in the past weeks.

I would like to voice my concern with the lists setup though.
Apparently it is subscriber-only (which is good), but as it uses
ezmlm, it falls short in exactly the same ways ezmlm falls short.
Here are the two issues I have:

  1. ezmlm provides no NOMAIL feature. Many people use different
 email addresses to read and post, or post from multiple email
 addresses. I, for one, receive my list mail at an address
 created specifically for this list (I do so with every list),
 and I post from this address if the problem is about
 madduck.net, or from the uni address if the problem is about
 the mailservers at the uni, or from my Debian address if the
 problem is about Debian. In order to be able to post to the
 list, I thus must subscribe fourt times (at least) and use mail
 filters to delete three of these posts. What an extraordinary
 waste of bandwidth!

 I should note that my request to users-owner@ to allow posting
 from my addresses was silently ignored.

  2. ezmlm "authenticates" messages based on the envelope sender,
 not on the "To:" address. On any reasonably complex mail
 system, these two are not necessarily the same. While the
 envelope sender must be a valid address, it must not
 necessarily be the one used to post. Take this message[0], it
 comes from [EMAIL PROTECTED], but I authored it on my machine
 'cirrus', thus the envelope sender is
 [EMAIL PROTECTED] So now I have to subscribe yet
 another address for every single machine I use, as they all
 have different envelope senders, which is the way it should be.

[0] I could not send this message, just like I cannot send any
message directly. Instead, I have to pipe it through 'sendmail
-f [EMAIL PROTECTED] users@spamassassin.apache.org' to get it
delivered.

I do not want to start a flamewar, but I do wonder why you all opted
for ezmlm. It's working and all that, but as with any DJB software,
it just does not give a flying food about how things should be done,
or are done in the rest of the world; instead, it imposes its own
paradigm on everyone that comes in touch with the software. Quite
frankly, this pisses me off.



-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
sed -e '/^[when][coders]/!d' \
-e '/^...[discover].$/d' \
-e '/^..[real].[code]$/!d' \
/usr/share/dict/words


signature.asc
Description: Digital signature

Re: does spamassassin -rR call sa-learn?

[Niek]

On 10/6/2004 2:39 PM +0200, martin f krafft wrote:
When relearning a false-positive as ham, I wonder whether it's
necessary to invoke `spamassassin -rR` as well as `sa-learn --ham`,
or does either call the other?
What does `spamassassin -r` do exactly? Revoking spam could be
a plethora of things.
Hi,
man spamassassin.
Greetings,
Niek
--
___
Read about mime:http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers

Re: inconsistencies in message checking

[martin f krafft]

stop forwarding your spam to lists! cut it to the bare essentials.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
the best way to accelerate
a computer running windoze
is at 9.81 ms^-2


signature.asc
Description: Digital signature

Re: feeding frenzy for ws.surbl.org!!!

[martin f krafft]

also sprach Keith Hackworth <[EMAIL PROTECTED]> [2004.10.11.1820 +0200]:
> I just got a gold-mine for surbl canidates "wanna-bes" in a single spam
> message.  There's WAY too many domains listed below to add to SURBL
> through the web pages.  Is there a "bulk add" option to add to the
> ws.surbl.org database?  I need to add these 59 domains to the SURBL list:
> 
[...]
> Here's the message I received...

Would you please consider not forwarding your spam to mailing lists?
Dude, this is the SA mailing list, what do you think runs on
people's servers? And what do you think this software does with you
post?

> This mail is probably spam.

Apart, we all get plenty of spam already, so please refrain from
loading even more.

You could have just cut the relevant parts out of the message. Like
the headers only...

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
the english take english for granted.
but if we explore its paradoxes,
we find that quicksand can work slowly.


signature.asc
Description: Digital signature

does spamassassin -rR call sa-learn?

[martin f krafft]

When relearning a false-positive as ham, I wonder whether it's
necessary to invoke `spamassassin -rR` as well as `sa-learn --ham`,
or does either call the other?

What does `spamassassin -r` do exactly? Revoking spam could be
a plethora of things.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
spamtraps: [EMAIL PROTECTED]
 
(a)bort, (r)etry, (p)retend this never happened


signature.asc
Description: Digital signature

FW: logs/stats

[Thomas Kinghorn]

That works great, even with exim and not sendmail.

Anyone know of a way to log the to receivers  of spam?

Tom



> >  Anyone know of a good log analyzer for a sendmail/SA setup?
> >
> >
> 
> You need SA 3.0 to get the rule stats, I don't believe 2.6x logged rules.
> If you do upgrade, grab a copy of Dallas' script at
> http://www.rulesemporium.com/programs/sa-stats.txt
> 
> Andy

Re: X-message-flag question

[Ian FREISLICH]

Jeremy Rumpf wrote:
> I've seen a few messages recently that contained the header
> 
> X-message-flag: Authentic Sender, Hash: PoHgCaAr

I thought X-message-flag was used by microsoft outlook to populate
a highlighted part of the header when viewing the message.  There
was also no way to turn it off in outlook.  I think that the flag
is even preserved when replying.

At my previous company (UUNET) we used to annoy the management by
putting inane things in this header... "$17bn and counting"
"management rather than manglement" etc.

Ian

--
Ian Freislich

SARE problems?

[Thomas Kinghorn]

Anyone having problems getting to the SARE website?

Regards, 

Tom 

inconsistencies in message checking

[Thomas Kinghorn]

Hi List.

I have 2 messages, where the bodies are the same.

1 scored 3.5, the other 6.3

Why is this? Way to may MEDS are coming through.



TAGGED MESSAGE HEADER:


Received: from jp-mx-1.mtnns.net ([209.212.97.2]) by protea.int.citec.net
with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id T2TKBBGK; Mon, 11 Oct 2004 22:41:02 +0200
Received: from [195.238.2.201] (helo=outmx020.isp.belgacom.be)
by jp-mx-1.mtnns.net with esmtp (Exim 4.42)
id 1CH6yd-0004fM-KO
for [EMAIL PROTECTED]; Mon, 11 Oct 2004 22:41:07 +0200
Received: from outmx020.isp.belgacom.be (localhost [127.0.0.1])
by outmx020.isp.belgacom.be (8.12.11/8.12.11/Skynet-OUT-2.22) with
ESMTP id i9BKemvB026402
for <[EMAIL PROTECTED]>; Mon, 11 Oct 2004 22:40:48 +0200
(envelope-from <[EMAIL PROTECTED]>)
Received: from sbsserver.SCHEERLINCK (179.208-78-194.adsl-fix.skynet.be
[194.78.208.179])
by outmx020.isp.belgacom.be (8.12.11/8.12.11/Skynet-OUT-2.22) with
ESMTP id i9BKehOC026353
for <[EMAIL PROTECTED]>; Mon, 11 Oct 2004 22:40:46 +0200
(envelope-from <[EMAIL PROTECTED]>)
Received: from boils ([218.11.93.12]) by sbsserver.SCHEERLINCK with
Microsoft SMTPSVC(5.0.2195.6713);
 Mon, 11 Oct 2004 22:38:21 +0200
From: "Lindsay Banks"<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Mime-Version: 1.0
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 11 Oct 2004 20:38:22.0312 (UTC)
FILETIME=[3FE40E80:01C4AFD2]
Date: 11 Oct 2004 22:38:22 +0200
X-SA-Exim-Connect-IP: 195.238.2.201
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
Subject: SPAM: 6.3: ASPECTS OF ED THAT WERE SI$GN1FlCANT||1Y
|MPR0VED BY C|*AlIS & IE*V1l|TRA ?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Prev-Subject: ASPECTS OF ED THAT WERE SI$GN1FlCANT||1Y |MPR0VED BY
C|*AlIS & IE*V1l|TRA ?
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on jp-mx-1.mtnns.net
X-Spam-Level: **
X-Spam-Status: Yes, score=6.3 required=4.4 tests=BAYES_95,DRUGS_ERECTILE,
DRUGS_ERECTILE_OBFU,RCVD_IN_NJABL_PROXY,SARE_URI_CONS7,
UPPERCASE_25_50,URIBL_SBL autolearn=no version=3.0.0
X-Spam-Report: 
*  2.1 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
*  [score: 0.9778]
*  0.4 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
*  [218.11.93.12 listed in combined.njabl.org]
*  1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
*  [URIs: cvbfbgc.com]
*  0.9 DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug
*  0.2 DRUGS_ERECTILE Refers to an erectile drug
*  1.7 SARE_URI_CONS7 body contains link to probable spammer
*  0.0 UPPERCASE_25_50 message body is 25-50% uppercase
X-SA-Exim-Version: 4.1 (built Tue, 05 Oct 2004 09:43:32 +0200)


UNTAGGED

Received: from jp-mx-1.mtnns.net ([209.212.97.2]) by protea.int.citec.net
with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
id T2TKBASM; Mon, 11 Oct 2004 16:06:41 +0200
Received: from [207.249.140.134] (helo=test.prueba.mx)
by jp-mx-1.mtnns.net with esmtp (Exim 4.42)
id 1CH0ou-00048w-DA
for [EMAIL PROTECTED]; Mon, 11 Oct 2004 16:06:42 +0200
Received: from merger ([218.13.209.55])
 by test.prueba.mx (iPlanet Messaging Server 5.1 (built May  7 2001))
 with ESMTPA id <[EMAIL PROTECTED]> for [EMAIL PROTECTED];
Sun,
 10 Oct 2004 00:56:11 -0500 (CDT)
Date: Sun, 10 Oct 2004 00:56:11 -0500 (CDT)
Date-warning: Date header was inserted by test.prueba.mx
From: Larawen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Message-id: <[EMAIL PROTECTED]>
MIME-version: 1.0
X-SA-Exim-Connect-IP: 207.249.140.134
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
Subject: PURCHASE MEDS HERE 0N||lNE
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on jp-mx-1.mtnns.net
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=4.4 tests=BAYES_60,DATE_IN_PAST_24_48,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_PROXY,RCVD_IN_SORBS_MISC,
UPPERCASE_25_50,URIBL_SBL autolearn=no version=3.0.0
X-SA-Exim-Version: 4.1 (built Tue, 05 Oct 2004 09:43:32 +0200)



I have attached the messages

 <>  <> 
Regards, 

Tom 

--- Begin Message ---
http://C|a1lis_V|Iaggar_C00O0Ode1ne_...and___m000O0re
http://ClaI|is_V||aggar_CO000OdeIne_Xana1x_...and___m0O000re
http://Cla|1is_V||aggar_CO0O00deIne_Xana1x_Vallum_...and___m0O0O0re

V|S|T  0UR  SITE  AND  0RDER  HERE http://politics.bikehahs.com./as#crosser
--- End Message ---
--- Begin Message ---
http://C|a||is_VI1aggar_CO000Odelne_...and___m0O000re
http://C|a1lis_V|Iaggar_CO0O00de1ne_Xanalx_...and___m0O0O0re
http://C|aI|is_V|Iaggar_C00O0Ode1ne_Xanalx_Va||um_...and___m000O0re

C1|CK  HERE KNOW M0RE http://meningitis.cvbfbgc.com/as#executable
--- En

Re: Quick setup question

[Ed Kasky]

Try the documentation.   A veritable wealth of mind blowing details 
on how to get SA up and running.

At 7:38pm -0700 10/11/04, Robert Bartlett wrote:
Just real quick if you started from scratch what would you recommend as a
good setup for SA?
Thanks

Ed Kasky
Randomly Generated Quote:
Never let your sense of morals get in the way of doing what's right.
-Isaac Asimov, scientist and writer (1920-1992)

problem with spamassassin 3.0 / amavisd-new on Debian

[Iain Pople]

Hi,
I am using amavisd-new version 20030616p10 and Spam Assassin 3.0 debian
packages from backports.org. The MTA is postfix 2.1.1
I get the following error messages if I enable spam filtering:
Oct 12 11:53:06 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: \tby
aladdin.webcentre.unimelb.edu.au (Postfix) with ESMTP id 08BD123D6F\n
Oct 12 11:53:11 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: \tfor <[EMAIL PROTECTED]>; Tue, 12
Oct 2004 11:52:28 +1000 (EST)\n
Oct 12 11:53:16 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: Received: from
aladdin.webcentre.unimelb.edu.au ([127.0.0.1])\n
Oct 12 11:53:21 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: \tby localhost (aladdin
[127.0.0.1]) (amavisd-new, port 10024)\n
Oct 12 11:53:26 stan.brunny.com amavisd-new[23072]: (22857-01) ESMTP:
500 5.5.2 Error: bad syntax; PENALIZE: \twith ESMTP id 32293-07 for
<[EMAIL PROTECTED]>;\n
This goes on for every line (including headers) of the email.
I have seen a similar report here:
http://lists.backports.org/pipermail/backports/2004-October/001121.html
but no resolution to date.
Does anyone have any idea what could be causing this?
thanks, Iain.

Re: Re[6]: after upgrade

[Loren Wilton]

> BTW: Thanks to trying understand my english! :D

You have good English!  I'd have a much harder time understanding your
Portugese, even though I'm sure it is excellent.  :-)

Loren

Re[6]: after upgrade

[Marcos Saint'Anna]

Hello Loren,

Seems to be working now... I think you're right.

This is the command line I'm using now:

/usr/bin/spamd -d -m 10 -v -u vpopmail --max-conn-per-child=1 \
-r /var/run/spamd/spamd.pid --siteconfigpath=/etc/mail/spamassassin \
--configpath=/usr/share/spamassassin -s /var/log/spamd.log

Is this a bug?

Is there any kind of impact or any problem to the system if I use this
parameter --max-conn-per-child=1 till a solution be found ?

Once again, THANKS INDEED for your time also for your patience. :)

BTW: Thanks to trying understand my english! :D

Best regards
-- 
 Marcos Saint'Anna
 [EMAIL PROTECTED]

You wrote:

>> Is  it  possible  that  SA is making some mess with user_prefs, making
>> some personal whitelists / blacklists to global ?

LW> There seem to be some occurances of spamd picking up bits of user
LW> preferences from the wrong places.  This may or may not be related.  But if
LW> any of your users to have whitelists, then this might be a possibility.

LW> As an experiment, try setting the max uses for the child to 1, and see if
LW> the problem goes away.  If it does, that would indicate that SA is indeed
LW> mixing up whitelist info between users.

LW> Loren

Re: sa-learn question

[Rakesh]

I think you should check the SpamAssassin wiki for the solution to your 
problem

http://wiki.apache.org/spamassassin/BayesInSpamAssassin
Rakesh
Lance wrote:
Alright, we're running courier IMAP along with pop3 but our spool is all
Maildir format.  I've got a public spam folder for certain people so
what would the sa-learn command be?
sa-learn --spam /var/spool/mail/unixvault.net/shared/.Spam/cur/*
or do I need to insert something in there?  --mbx/--mbox?  I'm not sure
if there's a difference on how it learns or not or if it could result
in false positives if its not learning correctly.
lance