Re: Can someone better explain ALL_TRUSTED to me?
On Sat, 2004-12-04 at 03:20 -0500, Matt Kettler wrote:
> At 08:04 PM 12/3/2004 -0600, Thomas Cameron wrote:
> >Since upgrading to 3.0.1 I have actually gotten a few more spams than
> >with 3.0.0. SA is still catching well over 99% so I am certainly not
> >complaining - I've gone from no spams in my inbox to about three a week.
> >
> >The thing I've noticed on all of the ones which get through is that
> >ALL_TRUSTED is one of the tests listed.
>
> If your mailserver is NATed (or otherwise uses a reserved IP), you MUST
> define trusted_networks manually. This issue has been present since SA
> 2.60, but the introduction of the ALL_TRUSTED rule makes the symptoms of
> having a broken trust path very painful.

My mailserver is not NATted - it has a public IP address.

> Basically, ALL_TRUSTED should only fire if an email has only been
> transferred by hosts matching trusted_networks.

I do not have trusted_networks defined anywhere:

[EMAIL PROTECTED] ~]# cd /etc/mail/spamassassin/
[EMAIL PROTECTED] spamassassin]# grep -i trust *
[EMAIL PROTECTED] spamassassin]# cat local.cf
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_score 5
report_safe 1
rewrite_header subject **SPAM** _SCORE_
ok_languages en
ok_locales en
use_dcc 1
use_pyzor 1
use_razor2 1

> dig in the archives.. this is a very well known, understood, and not an
> issue which can be fixed to make the automatic method work better for
> everyone.

Um, I have scoured the spamassassin.apache.org site and it is *not* well described. You might understand it but I certainly don't.

> It's one of those problems where you can shift around what kinds
> of networks have the problem (NATed or not), and you can shift around what
> form the problem takes (FPs vs FNs), but there's no general-case algorithm
> that works well everywhere.

I am trying to understand why it is firing on my server. I do not have anything listed as a trusted network.

Thomas
X-Spam-Level header
I recently installed SA 3.0.1. Everything is working fine... but now I want to set up some filters in my e-mail client. What I want to do is automatically send anything with more than some number of stars to the trash bin. I can do that with a regex-like expression in my email client. But I need to make SA use a different character (currently, it's using a +). Google found me a solution that required changing a line of code, but it must have been referring to an old version of SA because I couldn't find it in the current code. Brenda Bell Henniker (the only one on earth) New Hampshire (the state with 5 seasons: black fly, tourist, foliage, ski and mud)
Re: low scoring SPAM
>> I've recently (about a month ago) installed a new mail server and
>> upgraded to SA 3.01. I've been training the bayes database by hand
>> (most of our mail is japanese and the autolearning wasn't a good way to
>> start the bayes learning)
>>
>> anyways, I'm not using any custom or 3rd party rules. I'm a little
>> baffled why the following email scored so low. i'm also a little
>> puzzled why the BAYES_99 has such a low score. i'm tempted to crank it
>> up a bit, but concerned about how that will effect the system in general
>> and also concerned about false positives.
>>
>> can anyone give me some insight?
>>
>> thanks
>>
>> alan
>>
>> P.S. in the past i've refrained from sending the "why didn't this mail
>> score higher" types of messages to the list, but I've been seeing a
>> pattern of hitting BAYES_99 and not many other rules.
>>
>> Original Message
>> Return-Path: <[EMAIL PROTECTED]>
>> Received: from mail-3.tiscali.it (mail-3.tiscali.it [213.205.33.23]) by
>> mail.mydomain.tld (8.13.1/8.13.1) with ESMTP id iB3HsScd004906 for
>> <[EMAIL PROTECTED]>; Sat, 4 Dec 2004 02:54:29 +0900
>> Received: from [80.179.190.4] by mail-3.tiscali.it with HTTP; Fri, 3 Dec
>> 2004 18:49:21 +0100
>> Date: Fri, 3 Dec 2004 09:49:21 -0800
>> Message-ID: <[EMAIL PROTECTED]>
>> From: [EMAIL PROTECTED]
>> Subject: DEAR lick, PLEASE I WANT YOU TO ACT AS THE NEXT OF KIN OF MR,
>> WINSTON lick.
>> To: [EMAIL PROTECTED]
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset="iso-8859-1"
>> X-Spam-Scanner: SpamAssassin 3.01 (http://www.spamassassin.org/) on
>> mail.mydomain.tld
>> X-Spam-Score: 3.339 / 5.000: 23.339%
>> X-Spam-Tests:
>> BAYES_99(1.886),RCVD_IN_BL_SPAMCOP_NET(1.216),RISK_FREE(0.230),NO_REAL_NAME(0.007)
>> X-Spam-Level: ***

Hi,

as far as I recall, the 2.x series of spamassassin would also throw in some votes for the YELLING SUBJECT. These seem to have gone with 3.0.

Wolfgang Hamann
RE: low scoring SPAM
|-Original Message-
|From: alan premselaar [mailto:[EMAIL PROTECTED]
|Sent: 04 December 2004 15:23
|To: users@spamassassin.apache.org
|Subject: low scoring SPAM
|
|I've recently (about a month ago) installed a new mail server and
|upgraded to SA 3.01. I've been training the bayes database by hand
|(most of our mail is japanese and the autolearning wasn't a good way to
|start the bayes learning)
|
|anyways, I'm not using any custom or 3rd party rules. I'm a little
|baffled why the following email scored so low. i'm also a little
|puzzled why the BAYES_99 has such a low score.
|i'm tempted to crank it up a bit, but concerned about how that will
|effect the system in general and also concerned about false positives.
|
|can anyone give me some insight?
|
|thanks
|
|alan
|
|P.S. in the past i've refrained from sending the "why didn't this mail
|score higher" types of messages to the list, but I've been seeing a
|pattern of hitting BAYES_99 and not many other rules.
|

I upped my scoring almost straight away. The explanation I have heard for it being so low is to lower the number of FPs, but lower bayes matches score higher, which makes no common sense at all. I use the following scores and they work well for me, but you will have to make your own judgment on that:

score BAYES_00 0 0 -1.665 -4.9
score BAYES_05 0 0 -0.925 -2.5
score BAYES_20 0 0 -0.730 -1.0
score BAYES_40 0 0 -0.276 -0.5
score BAYES_50 0 0 1.567 0.001
score BAYES_60 0 0 3.515 0.5
score BAYES_80 0 0 3.608 1.0
score BAYES_95 0 0 3.514 2.5
score BAYES_99 0 0 4.070 4.9

It's the RH column which counts for me; ignore the LH one, I think that's the default.

Martin
Re: Bayes question
On Sat, Dec 04, 2004 at 10:46:22AM +, Ricardo Oliveira wrote:
> According to the docs, --restore is destructive (in the sense it
> destroys the previous contents of the database).
>
> Would you guys be interested in such a feature? I plan to use a
> generic bayes DB (which is maintained by our tech team), and merge it
> with each client's own DB (which would result in a highly accurate,
> well-trained bayes mechanism). Anyone care to share your thoughts on
> this?

No, this is not a good idea. Please don't make a tool like this generally available. Here is the reason:

When you learn tokens from a message those tokens are added to the database, or if they already exist their counts are increased, either as spam or ham depending on how you are learning. At the same time a notation is made that you learned that message by storing, in later versions, a pseudo message id (it's basically the SHA1 hash of several pieces of data that should be unique) so that bayes will not re-learn the tokens from that message.

When you take two different bayes databases that have been learning separately for any length of time you are bound to have overlap in the messages they learned. Everyone gets the same spam, and if the database is from someone you do business with, have a relationship with or share the same interests with, you are bound to have ham overlap as well.

So, what happens when you take these two overlapping databases and combine them is that certain tokens (those that have overlap) are then double counted. This makes the database, at least according to the bayes model SA is using, statistically invalid.

Now, that being said, let's say you did an analysis and found that the two databases had no overlap, or at least very little (I have no idea what very little would mean in this case). You could probably convince yourself, and it's math and statistics so I'm horrible at it but I'd bet some folks on this list could provide a formula, that the amount of overlap is statistically insignificant. If you could do that then you could combine the databases, in which case I leave it as an exercise to the reader.

When calculating overlap it is VERY important to remember this: the pseudo message ids that are stored in the seen database changed in the middle of the 3.0 development cycle. So, if you used bayes in SA in a version < 3.0 you will have mixed message ids in your database. In this case it may be difficult to determine how much overlap your databases have.

If you do write such a tool, I ask that you not make it available. There are several issues that someone attempting this should study carefully, and a simple tool makes it too easy to ignore those issues and it could lead to a broken bayes database in the end.

Michael
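The double counting described in the message above, as an added example that is not part of the original post and not SpamAssassin code. `ToyBayesDB`, its whitespace tokenizer, the `id_prefix` stand-in for a different pseudo-message-id format, and the sample messages are all constructed assumptions.

```python
import hashlib
from collections import Counter


class ToyBayesDB:
    """Toy Bayes store: per-class token counts plus a 'seen' table of message ids."""

    def __init__(self, id_prefix=""):
        # id_prefix models a database written with a different pseudo-message-id
        # format (assumption: the real id formats are not reproduced here).
        self.id_prefix = id_prefix
        self.nspam = 0
        self.nham = 0
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()
        self.seen = {}  # pseudo message id -> "spam" or "ham"

    def msgid(self, text):
        return hashlib.sha1((self.id_prefix + text).encode("utf-8")).hexdigest()

    def learn(self, text, is_spam):
        """Learn one message; a message already in 'seen' is not re-learned."""
        mid = self.msgid(text)
        if mid in self.seen:
            return False
        self.seen[mid] = "spam" if is_spam else "ham"
        tokens = set(text.lower().split())
        if is_spam:
            self.nspam += 1
            self.spam_tokens.update(tokens)
        else:
            self.nham += 1
            self.ham_tokens.update(tokens)
        return True


def naive_merge(a, b):
    """Add two databases together without consulting their seen tables."""
    m = ToyBayesDB()
    m.nspam, m.nham = a.nspam + b.nspam, a.nham + b.nham
    m.spam_tokens = a.spam_tokens + b.spam_tokens
    m.ham_tokens = a.ham_tokens + b.ham_tokens
    m.seen = {**a.seen, **b.seen}
    return m


def overlap_ratio(a, b):
    """Share of the smaller seen table that also appears in the other one."""
    smaller = min(len(a.seen), len(b.seen))
    return len(set(a.seen) & set(b.seen)) / smaller if smaller else 0.0


def spam_probability(db, token):
    """Simplified per-token spam estimate from relative frequencies."""
    s = db.spam_tokens[token] / db.nspam if db.nspam else 0.0
    h = db.ham_tokens[token] / db.nham if db.nham else 0.0
    return s / (s + h) if s + h else 0.5


# Constructed sample messages.
SPAM_A, SPAM_B = "cheap pills online", "win money now"
HAM_1, HAM_2 = "meeting agenda attached", "lunch money tomorrow"


def build(client_id_prefix=""):
    """Return (site, client, reference); reference learned every message once."""
    site, client, reference = ToyBayesDB(), ToyBayesDB(client_id_prefix), ToyBayesDB()
    for text, is_spam in [(SPAM_A, True), (SPAM_B, True), (HAM_1, False)]:
        site.learn(text, is_spam)
    for text, is_spam in [(SPAM_B, True), (HAM_2, False)]:  # SPAM_B overlaps
        client.learn(text, is_spam)
    for text, is_spam in [(SPAM_A, True), (SPAM_B, True),
                          (HAM_1, False), (HAM_2, False)]:
        reference.learn(text, is_spam)
    return site, client, reference


if __name__ == "__main__":
    site, client, reference = build()
    merged = naive_merge(site, client)
    print("overlap by seen id:", overlap_ratio(site, client))
    print("P(spam|'money') reference:", spam_probability(reference, "money"))
    print("P(spam|'money') merged:   ", round(spam_probability(merged, "money"), 4))
    # Same messages, but the client ids use another format: overlap looks like 0.
    site2, old_client, _ = build("old-format:")
    print("overlap with mixed id formats:", overlap_ratio(site2, old_client))
```

In the mixed-format case the merged counts are just as inflated, but neither the overlap measurement nor a comparison of `len(seen)` against `nspam + nham` reveals it.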
low scoring SPAM
I've recently (about a month ago) installed a new mail server and upgraded to SA 3.01. I've been training the bayes database by hand (most of our mail is japanese and the autolearning wasn't a good way to start the bayes learning) anyways, I'm not using any custom or 3rd party rules. I'm a little baffled why the following email scored so low. i'm also a little puzzled why the BAYES_99 has such a low score. i'm tempted to crank it up a bit, but concerned about how that will effect the system in general and also concerned about false positives. can anyone give me some insight? thanks alan P.S. in the past i've refrained from sending the "why didn't this mail score higher" types of messages to the list, but I've been seeing a pattern of hitting BAYES_99 and not many other rules. Original Message Return-Path: <[EMAIL PROTECTED]> Received: from mail-3.tiscali.it (mail-3.tiscali.it [213.205.33.23]) by mail.mydomain.tld (8.13.1/8.13.1) with ESMTP id iB3HsScd004906 for <[EMAIL PROTECTED]>; Sat, 4 Dec 2004 02:54:29 +0900 Received: from [80.179.190.4] by mail-3.tiscali.it with HTTP; Fri, 3 Dec 2004 18:49:21 +0100 Date: Fri, 3 Dec 2004 09:49:21 -0800 Message-ID: <[EMAIL PROTECTED]> From: [EMAIL PROTECTED] Subject: DEAR lick, PLEASE I WANT YOU TO ACT AS THE NEXT OF KIN OF MR, WINSTON lick. To: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Spam-Scanner: SpamAssassin 3.01 (http://www.spamassassin.org/) on mail.mydomain.tld X-Spam-Score: 3.339 / 5.000: 23.339% X-Spam-Tests: BAYES_99(1.886),RCVD_IN_BL_SPAMCOP_NET(1.216),RISK_FREE(0.230),NO_REAL_NAME(0.007) X-Spam-Level: *** X-Spam-Disposition: Suspected X-Scanned-By: MIMEDefang 2.49 on 127.0.0.1 Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.valueclick.jp id iB3HsScd004906 FROM: THE DESK OF BARR, KEN MARK. MARKLAWCHAMBERS NO, 56 WARF ROAD APAPA LAGOS NIGERIA. Email; [EMAIL PROTECTED] TO: lick, I am Barrister Mark Ken green, a solicitor. 
I am the private Attorney to Mr. Winston lick, a National of your country, who used to work with Strabag Construction Company in Nigeria. On the 21st of April were involved in a car accident along Sagbama Express Road. All occupants of the vehicle unfortunately lost their lives. Since then I have made several enquiries to your Embassy to locate any of my client's relatives, this has also proved unsuccessful. After these several unsuccessful attempts, I decided to trace his last name over the Internet, to locate any member of his family hence I contacted you. I have contacted you to assist in repatriating the money and property left behind by my client before they get confiscated or declared unserviceable by the Finance Company where this huge deposits were lodged where the deceased had an account valued at about 10 Million Dollars has issued me a notice! To provide the next of kin or have the account confiscated. Since I have been unsuccessful in locating the relatives for over 2 years now I seek your consent to present you as the next of kin of the deceased since you have the same last name so that the proceeds of this account valued at 10 Million Dollars can be paid to you and then you and me can share the money. 50% for me and 40% for you and 10% will be used for any expenses that this might cost on the process of this transaction. I have all necessary legal documents that can be used to back up any claim we may make. All I required is your honest co-operation to enable us see this deal through. I guarantee that this transaction will be executed under a legitimate arrangement that will protect you from any breach of the law. It is 100% risk-free. Please get in touch with me by my private email address, [EMAIL PROTECTED] to enable us discuss further Awaiting to hear from you soon. Thanks and God bless you, Mark Ken green (Esq. __ Tiscali Adsl 2 Mega Free: l'adsl piu' veloce e' gratis! 
Surf free of fixed costs with Tiscali Adsl 2 Mega Free, the fastest free ADSL in Italy. What's more, if you subscribe by 13 December 2004, you surf free until 31 March 2005 and pay no sign-up fee. http://abbonati.tiscali.it/adsl/
about sa-learn
who can tell me what the sa-learn learnt, and how to see what the sa-learn learnt. thanx -- StevenPan
Re: Bayes question
According to the docs, --restore is destructive (in the sense it destroys the previous contents of the database). Would you guys be interested in such a feature? I plan to use a generic bayes DB (which is maintained by our tech team), and merge it with each clients's own DB (which would result in a highly accurate, well-trained bayes mechanism). Anyone care to share your thoughts on this? TIA, Ricardo
Re: Can someone better explain ALL_TRUSTED to me?
At 08:04 PM 12/3/2004 -0600, Thomas Cameron wrote:
> Since upgrading to 3.0.1 I have actually gotten a few more spams than
> with 3.0.0. SA is still catching well over 99% so I am certainly not
> complaining - I've gone from no spams in my inbox to about three a week.
>
> The thing I've noticed on all of the ones which get through is that
> ALL_TRUSTED is one of the tests listed.

If your mailserver is NATed (or otherwise uses a reserved IP), you MUST define trusted_networks manually. This issue has been present since SA 2.60, but the introduction of the ALL_TRUSTED rule makes the symptoms of having a broken trust path very painful.

Basically, ALL_TRUSTED should only fire if an email has only been transferred by hosts matching trusted_networks.

dig in the archives.. this is a very well known, understood, and not an issue which can be fixed to make the automatic method work better for everyone. It's one of those problems where you can shift around what kinds of networks have the problem (NATed or not), and you can shift around what form the problem takes (FPs vs FNs), but there's no general-case algorithm that works well everywhere.
Re: spamd does not start
Thanks to Alan, Dan.

I found two Socket.pm, one is v1.72 and the other v1.5.

# find ./ -name "Socket.pm" -print
./5.6.1/i386-linux-thread-multi/IO/Socket.pm
./5.6.1/i386-linux-thread-multi/Socket.pm
./site_perl/5.6.1/i386-linux-thread-multi/Socket.pm
# find ./ -name "Socket.so" -print
./5.6.1/i386-linux-thread-multi/auto/Socket/Socket.so
./site_perl/5.6.1/i386-linux-thread-multi/auto/Socket/Socket.so

My spamd starts OK after I removed the older ones.

On Fri, 3 Dec 2004 08:51:16 -0600 "Smart,Dan" <[EMAIL PROTECTED]> wrote:
> Search for the .pm and .so components of the installed packages. I found
> that I had more than one version saved in different perl library locations.
> When I did a locate DNS.pm, etc, I found them, then made sure I was left
> with one copy of the most recent version. That fixed my SPAMD problem
> (actually was a problem with Time::HiRes and Net::DNS)
>
> > -Original Message-
> > From: xoops?? [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 03, 2004 1:00 AM
> > To: users@spamassassin.apache.org
> > Subject: spamd does not start
> >
> > Hi,
> >
> > I have newly installed spamassassin-3.0.1 into linux box
> > 2.4.18-22 running qmail with qmail-queue patch.
> > Having a trouble to start spamd with SPAMDOPTIONS="-x -u
> > spamd -H /home/spamd -d":
> >
> > "Starting spamd: Bareword "SO_REUSEPORT" not allowed while
> > "strict subs" in use at
> > /usr/lib/perl5/5.6.1/IO/Socket/INET.pm line 160.
> > Compilation failed in require at
> > /usr/lib/perl5/5.6.1/i386-linux-thread-multi/IO/Socket.pm line 21.
> > Compilation failed in require at /usr/bin/spamd line 38.
> > BEGIN failed--compilation aborted at /usr/bin/spamd line 38.
> >
> > I installed prerequisite modules, HTML::Parser, DB_File
> > Net::DNS, BerkeleyDB, Net::SMTP, Mail::SPF::Query, IP::Country::Fast.
> > And it's a wonder another linux box with the same
> > configuration is running all right.
> >
> > Thanks for any help.
> >
> > Hodaka

xoopsÀ±ºÇl <[EMAIL PROTECTED]>
3 suggested rules regarding forged local addresses
(We use SA (currently 2.64) called from procmail-delivered sendmail on Solaris systems. We get something over 100K msgs/day. Most of our mail is addressed using @ our local domain.)

Three suggested rules:

1) Detect mail allegedly from a local address that is invalid (should get a high score)
2) Detect mail that has multiple invalid local addresses in the To: and CC: fields (should get a medium score for 2 or more)
3) Detect mail for which the From:, To:, and CC: fields contain known or unknown display-names corresponding to local addresses.

We are seeing a flood of forged mail of various flavors. Some of the forgers are foolish enough to try to forge the host name or address that shows up in the RECEIVED lines (which I had already been detecting in procmail, but I see SA 3.0 detects as well). Others deliver the forged mail without any hanky-panky in the headers.

I am bothered by the mail that has a FROM: (not the SMTP envelope address) that is allegedly an address in our local domain (example.com) but is not a legal address in our domain. For instance, (for these examples, I'm using "example.com" as though it were our local domain) a message may claim to be From: [EMAIL PROTECTED] which is not a legal address (which we know because we know all legal addresses for our local domain). I'd like to detect such mail. I would expect such mail would deserve a high score (but because it is site-specific, it can't easily be adjusted as other SA rules are tested).

This can not be done properly by whitelists or blacklists. It can not be done in a reasonable fashion by user-added rules. I (or someone more familiar with SA) would need to write Perl to support this. Before I do this, I wanted to check to see if anyone else has worked on this. A quick glance at the code, the mailing lists, and Bugzilla didn't have any hits, but I'm not confident that my search is complete.

The concept is that the site would supply its local domains (eg, example.com or perhaps *.example.com) and a file (or db) for each domain with the valid local parts (eg, NoSuchUser) for that domain. (This only works where all valid addresses for each supplied domain are known.) When mail is detected as having a From address using one of those domains, then it would check to see if the local part of the From address was legal. (I would want to have this file/db to be able to be updated while SA is running.) In the sendmail world, this db would be populated by the /etc/mail/aliases file.

[I can imagine an MTA that detects and rejects such mail, but see the next section for something related but less appropriate for a MTA. I am currently detecting such mail by a procmail rule.]

[By the way, RFC2822 allows a *list* of mailboxes in the From: and Reply-To: fields. Does SA properly handle that?]

A significant number of the spam that we get has invalid local addresses (e.g., [EMAIL PROTECTED]) in the To: or CC: lists. Some spam is delivered to a mailbox (as though by a BCC) and has only invalid local addresses in its To: and CC: lists. Some spam has several addresses in its To: and CC: lists, some of which are invalid and some are valid. I would like to detect such mail and adjust its score appropriately. Because of the possibility of typos by legitimate senders, I would expect this will require some thought. It may be that there would be rules for (1) Some invalid local addresses and no valid local addresses, and (2) Two invalid local addresses, and (3) Three or more invalid local addresses.

(It appears that spammers, with their disregard for how much mail they send, will take a valid address such as SomeUser and try variants on it, such as omeUser or SomeUse. Other types of invalid local addresses include common names (eg, [EMAIL PROTECTED]) or formerly valid addresses.)

Finally, I notice that a number of the spammers are adding bogus display-names to addresses. Suppose we have a user John Smith who has an address of [EMAIL PROTECTED] and he has his mailer(s) set up to send mail from John Smith <[EMAIL PROTECTED]> and John Q. Smith <[EMAIL PROTECTED]>. Some spammers will send mail from or to "Jane Doe <[EMAIL PROTECTED]>", where the display-name is completely bogus. If the site creates a database with entries such as

js -> "John Smith", "John Q. Smith"

then when mail arrives from "Jane Doe" <[EMAIL PROTECTED]>, SA should be able to give it a moderate hit on its spam score. As before, the From: field is the most sensitive for this. Mail from "Jane Doe" <[EMAIL PROTECTED]> or even "Smith, John Q." <[EMAIL PROTECTED]> should earn a moderate positive score. Mail from "John Smith" <[EMAIL PROTECTED]> should earn a slightly negative score. However, the To: and CC: fields could also be scored, but with lower scores. After all, someone might legitimately send mail to "Smith, Mr. John Q."
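A sketch of the three checks proposed in the post above, as an added example that is not the poster's code and not a SpamAssassin plugin. The rule names, the `KNOWN_USERS` table and the sample addresses are hypothetical; the post's own addresses are redacted, so `js@example.com` and the others are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed site data (assumption): the local domain and, for each valid
# local part, the display names its owner is known to send with.
LOCAL_DOMAINS = {"example.com"}
KNOWN_USERS = {
    "js": {"John Smith", "John Q. Smith"},
    "someuser": {"Some User"},
}


def local_addrs(msg, *fields):
    """Return (display_name, local_part) for every address in a local domain.

    getaddresses() parses address lists, so a From: header carrying several
    mailboxes is handled too.
    """
    values = []
    for field in fields:
        values.extend(msg.get_all(field, []))
    found = []
    for name, addr in getaddresses(values):
        local, _, domain = addr.rpartition("@")
        if local and domain.lower() in LOCAL_DOMAINS:
            found.append((name, local.lower()))
    return found


def check_message(raw):
    """Return the hypothetical rule names that fire for one raw message."""
    msg = message_from_string(raw)
    hits = []

    # Rule 1 and rule 3: From: claims a local address.
    for name, local in local_addrs(msg, "From"):
        if local not in KNOWN_USERS:
            hits.append("LOCAL_FROM_INVALID")          # high score
        elif name and name in KNOWN_USERS[local]:
            hits.append("LOCAL_FROM_NAME_KNOWN")       # slightly negative
        elif name:
            hits.append("LOCAL_FROM_NAME_UNKNOWN")     # moderate score

    # Rule 2: invalid local recipients in To: and Cc:, in the post's tiers.
    rcpts = [local for _, local in local_addrs(msg, "To", "Cc")]
    invalid = sum(1 for local in rcpts if local not in KNOWN_USERS)
    if invalid and invalid == len(rcpts):
        hits.append("LOCAL_RCPT_INVALID_ONLY")
    if invalid >= 3:
        hits.append("LOCAL_RCPT_INVALID_3PLUS")
    elif invalid == 2:
        hits.append("LOCAL_RCPT_INVALID_2")
    return hits


def make(from_, to, cc=None):
    """Build a minimal constructed message for the demo."""
    lines = ["From: " + from_, "To: " + to]
    if cc:
        lines.append("Cc: " + cc)
    lines += ["Subject: test", "", "body"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    samples = [
        make('"Jane Doe" <js@example.com>', "someuser@example.com"),
        make("nosuchuser@example.com",
             "omeuser@example.com, someuse@example.com", "someuser@example.com"),
        make('"John Smith" <js@example.com>', "partner@other.example"),
        make("sender@elsewhere.example", "sales@example.com"),
    ]
    for raw in samples:
        print(check_message(raw))
```

The lookup table is loaded once here; reloading it while the scanner runs, which the post asks for, is left out.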
mail to antiphishing.org bouncing
Did this site go down or is there another address now? To: [EMAIL PROTECTED] Sent:Fri, 3 Dec 2004 20:56:53 -0500 did not reach the following recipient(s): [EMAIL PROTECTED] on Fri, 3 Dec 2004 20:58:27 -0500 The recipient name is not recognized -- Chris Registered Linux User 283774 http://counter.li.org 8:02pm up 5 days, 5:17, 1 user, load average: 0.73, 0.41, 0.47 Twenty Percent of Zero is Better than Nothing. -- Walt Kelly Live - From Virgin Radio UK Eric Clapton - Bad Love
Can someone better explain ALL_TRUSTED to me?
Since upgrading to 3.0.1 I have actually gotten a few more spams than with 3.0.0. SA is still catching well over 99% so I am certainly not complaining - I've gone from no spams in my inbox to about three a week. The thing I've noticed on all of the ones which get through is that ALL_TRUSTED is one of the tests listed. I am not sure what that means. The only explanation I've found is that it means that the message never passed through an untrusted host. What is an "untrusted host?" I am not sure why it fired on the e-mail below... I certainly wouldn't consider the sending server a trusted host, so I would think that it should be considered untrusted. I am afraid I am unclear on the concept. Can someone take pity and explain? :-) Thomas Spam message follows: Return-Path: <[EMAIL PROTECTED]> Received: from tweed.32s (e82-103-142-226s.easyspeedy.com [82.103.142.226] (may be forged)) by mail.camerontech.com (8.13.1/8.13.1) with ESMTP id iB40beHT010334 for <[EMAIL PROTECTED]>; Fri, 3 Dec 2004 18:37:45 -0600 From: "aplustransporters.com" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: This Auto Transport Company Might Interest You MIME-Version: 1.0 Precedence: bulk Errors-To: [EMAIL PROTECTED] Content-type: text/html Message-Id: <[EMAIL PROTECTED]> Date: Fri, 3 Dec 2004 08:40:52 -0500 (EST) X-Virus-Scanned: ClamAV 0.80/614/Wed Dec 1 09:44:43 2004 clamav-milter version 0.80j on mail.camerontech.com X-Virus-Status: Clean X-Spam-Status: No, score=4.7 required=5.0 tests=ALL_TRUSTED, DNS_FROM_AHBL_RHSBL,EXCUSE_3,HTML_40_50,HTML_FONT_BIG, HTML_IMAGE_ONLY_24,HTML_MESSAGE,HTML_TAG_EXIST_TBODY,INFO_TLD, MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,URIBL_OB_SURBL, URIBL_WS_SURBL autolearn=no version=3.0.1 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on mail.camerontech.com X-Greylist: Delayed for 02:40:21 by milter-greylist-1.6rc1 (mail.camerontech.com [24.173.79.19]); Fri, 03 Dec 2004 18:37:48 -0600 (CST) X-Evolution-Source: imap://[EMAIL 
PROTECTED]/ http://www.aplustransporters.com"; style="text-decoration: none">The Car Shipping Experts Do you need, or know of someone who needs a Car Transported to another state?http://www.aplustransporters.com";>http://www.aplustransporters.com/images/image1.jpg"; width=257 height=110>Online State-of-the-art computer tracking systemOffice: Mon-Fri 10am to 7pm "Eastern'Phone: (866) 498-3535Visit our site for an http://www.aplustransporters.com";>Instant online quote 24-7America's leading Transport Company.'Come experience our award winning customer service for yourself' We take great pride in our car shipping service. We arrange transports for relocation individuals, college students, dealerships and our specialty: SNOWBIRDS ! We can move your car coast to coast and most points in between. We understand that having someone move your auto is no small matter - your car is not only an expensive possession, it's also part of your family. Our 5 Star Carriers take great care to ensure that your car is protected from start to finish. And unlike other carriers, once your car is on our truck, it doesn't get off until it reaches its destination - there's no loading and reloading at big consolidation centers. Minimized handling means a minimum risk of problems. The most trusted in the business.http://be8zuz5wyg.j.zzinc.info/?3911";>To be removed from any future mailings, please mailto:[EMAIL PROTECTED]">Click HereOr send all inquiries to:3936 S. Semoran Blvd #114. Orlando, FL 32822
Non-Clickable URI's
Hello List, I've seen spams where spammers are using "Cut&Paste_this_URL_to_your_browser" method reason why spamassassin won't trigger SURBL database lookup. Is there a known workaround to catch this non-clickable URIs and trigger SURBL lookup? Thanks in advance. -RD
Re: quarantine how?
> At 06:13 PM 12/3/2004, Peter Matulis wrote:
>> How does one begin using the quarantine? I am using SA 3.01 with milter
>> smtp-vilter.
>
> SA has no quarantine support. AFAIK, neither does smtp-vilter. However, I
> think that clamav has some built-in quarantine support that ends up being
> used with smtp-vilter, but that's virus only.
>
> If you want to start quarantining spam, you're probably going to have to
> shift to a different tool. However, as Theo said, ask the smtp-vilter folks
> if they have a quarantine ability.

For non-open source, you can check out RAE Internet's MPP at http://www.raeinternet.com/mpp and preview the Webmin module complete w/ spamd and virus quarantine...

Disclaimer: I work for RAE Internet...
Bayes DB Get Corrupted Quickly
Hello -

You may all remember me from my post last week about my Bayes database not expiring tokens. I am running SA version 2.64 on FreeBSD 4.10-RELEASE-p4 with Perl 5.005_03.

One person sent me a Perl script that was supposed to "adjust" all the newest "ATIME" values, but that didn't seem to work. My Bayes database became completely ineffectual shortly after running the script, and e-mails that were obviously SPAM were getting very low Bayes scores, which was throwing everything off.

I have since removed my Bayes database and recreated it by using the auto learn facility and also by adding some SPAM manually using sa-learn. This has all happened in the last 48 hours.

In 48 hours, I already have a corrupt Bayes database again, showing a newest "ATIME" of 1104654037 (2005-01-02 08:20:37). Therefore, tokens won't expire until at least January 2, 2005, and I suspect that this future date will continue to be incorrect, and therefore I will never be able to expire tokens correctly.

Why does this happen? I can't just upgrade to SA 3.0 - that would require me to upgrade Perl to version 5.8, which would wreak havoc on all the Perl scripts and modules I have installed on this server, not to mention that I feel very uneasy about running two versions of Perl on the same box at once (since the system will always have Perl 5.005_03 because it is included with the base FreeBSD 4.x system).

Is there a Perl script out there that might adjust the "ATIME" value in-place rather than dumping the tokens to a text file and then re-importing them? If such a script existed (and was safe to use), I could put it in a cronjob and just let it fix itself once a day. Or, is there a patch that I can apply to just keep this from happening in the first place?

Tim Gustafson
MEI Technology Consulting, Inc
[EMAIL PROTECTED]
(516) 379-0001 Office
(516) 480-1870 Mobile/Emergencies
(516) 908-4185 Fax
http://www.meitech.com/
RE: quarantine how?
Matt Kettler wrote:
> At 06:13 PM 12/3/2004, Peter Matulis wrote:
> Most delivery-time tools, such as milters, are good at
> rejection, but are not so good with quarantines.

A notable exception is the milter MIMEDefang, which is good at both... even simultaneously. That is, you could keep a quarantine copy of the email while simultaneously rejecting it during the SMTP phase. This allows you to have the email without having accepted responsibility for delivery... a neat trick.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
Re: quarantine how?
At 06:13 PM 12/3/2004, Peter Matulis wrote:
> How does one begin using the quarantine? I am using SA 3.01 with milter
> smtp-vilter.

SA has no quarantine support. AFAIK, neither does smtp-vilter. However, I think that clamav has some built-in quarantine support that ends up being used with smtp-vilter, but that's virus only.

If you want to start quarantining spam, you're probably going to have to shift to a different tool. However, as Theo said, ask the smtp-vilter folks if they have a quarantine ability.

Generally I find that MTA integration tools, at their best, really only implement one of the following well: Quarantines or Rejection. Which they are good at tends to depend on when they are called relative to the completion of SMTP delivery.

Most delivery-time tools, such as milters, are good at rejection, but are not so good with quarantines.

Most post-delivery tools, such as MailScanner and amavisd-new, are good at quarantines, but not so good at rejection. (They wind up bouncing with a DSN, not rejecting.)