Howto configure PROCMAIL to send **SPAM** to other folder
Hi Guys: I'm new with SpamAssassin, currently I'm using SpamAssassin 3.01 over SUSE 8.2. I want to divert all ***SPAM*** tagged messages to a mail-trash or mail-spam file. How can I do it? I'm using this conf in my PROCMAILRC, but I'm not quite sure I understand it at all.

---
DROPPRIVS=yes

:0fw: spamassassin.lock
* < 256000
| spamassassin

* ^X-Spam-Level: \*\*\*\*\*\*\*
#located in /home/mail/
mail-trash

* ^X-Spam-Status: Yes
mail-trash
--

If anyone can help me I will be glad.

Atentamente / Sincerely
MARTIN GARCIA
Bayes lock failed
I've read a number of people having problems with an error similar to what I'm getting with SA v3.0.1:

Cannot open bayes databases /root/.spamassassin/bayes_* R/W: lock failed: File exists

This only happens occasionally and not every time under the exact same invocation of SA. So obviously it doesn't have to do with permissions on the file or directory, as there is nothing else running that would be messing with those files. I don't have spamd/spamc running and am not doing any sa-learn commands at the same time. Anyone have any ideas??
Re: Howto configure PROCMAIL to send **SPAM** to other folder
----- Original Message -----
From: Martin Garcia [EMAIL PROTECTED]

See amendments inline below.

> Hi Guys: I'm new with SpamAssassin, currently I'm using SpamAssassin 3.01 over SUSE 8.2. I want to divert all ***SPAM*** tagged messages to a mail-trash or mail-spam file. How can I do it? I'm using this conf in my PROCMAILRC, but I'm not quite sure I understand it at all.
>
> ---
> DROPPRIVS=yes
>
> :0fw: spamassassin.lock
> * < 256000
> | spamassassin
>
:0:
> * ^X-Spam-Level: \*\*\*\*\*\*\*
> #located in /home/mail/
> mail-trash
>
:0:
> * ^X-Spam-Status: Yes
> mail-trash

The :0: lines should help make it work.

{^_^} Joanne
Move Bayes To New Server
Can I copy my bayes db to another server that handles a different domain? --Mike
Re: Move Bayes To New Server
On Tuesday 07 December 2004 02:25, Mike Carlson wrote:
> Can I copy my bayes db to another server that handles a different domain?

As in technically possible or would be reasonably effective?

Although I have never done it, I suspect that you could dump the db and restore it on a different server quite easily, even if there were different db backends on those machines; there's a readme on upgrading bayes db that would give useful clues, IIRC. I think sa-learn --backup is your friend.

But you need to ask yourself if it is sensible to do so. For it to be sensible, the spam and the ham on both domains should be similar. In some cases, it is (I trained my first bayes db with massive amounts of both ham and spam from my old uni account, it worked great), in some cases, it is not. The users and uses of those two domains may be very different, and simply the domain name may skew the results. So, I would think twice about doing it. Alternatively, you could train with smaller amounts of ham and spam from the other domain just to get it up to speed, but make sure you train it with its own spam and ham as fast as you can. Could be a reasonable middle ground.

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
Re: Bayes lock failed
At 08:02 PM 12/6/2004, Tim A wrote:
> I've read a number of people having problems with an error similar to what I'm getting with SA v3.0.1:
>
> Cannot open bayes databases /root/.spamassassin/bayes_* R/W: lock failed: File exists
>
> This only happens occasionally and not every time under the exact same invocation of SA. So obviously it doesn't have to do with permissions on the file or directory, as there is nothing else running that would be messing with those files. I don't have spamd/spamc running and am not doing any sa-learn commands at the same time.

Hmm.. well, check for /root/.spamassassin/bayes_lock

If that file's there then some copy of SA is messing with bayes OR an SA process was killed with an unblockable signal (kill -9, seg fault, etc) while it was in the middle of updating the bayes db.
RE: Move Bayes To New Server
We have 6 relays that we did this for quite regularly. We have switched over to MySQL though. Basically we tarballed it up and the other machines would pick up the tarball, uncompress it and then swap it into place. It was only effective to a point but it kept them close to in sync. We did it four times a day. We did all of our training on the one machine that was the master. YMMV

Gary Smith

-----Original Message-----
From: Mike Carlson [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 5:26 PM
To: SpamAssassin Users
Subject: Move Bayes To New Server

Can I copy my bayes db to another server that handles a different domain?

--Mike
what kind of error happens to delivery when spamc can't connect to spamd?
I'm just switching to using spamd -m10 (and other opts) from spamc from procmail from sendmail and am wondering what happens when spamd hits the limit and spamc can't connect to it. Does this get all the way back through sendmail so the sender knows that transmission failed?

I'm wondering if this means that during times when I'm getting hit by lots of spam traffic that this will work a little like greylisting, where all email will get an error, but probably only legit email will try again to get through when the storm is over. Since these storms typically come when I wouldn't be getting legit email, if this works it would affect how I tune the -m parameter.

Thanks
Steve
Re[2]: Phishing attempt wasn't blocked by SpamAssassin
Hello Wolfgang,

Monday, December 6, 2004, 7:39:09 AM, you wrote:

LW> That's because such a rule won't work. All manner of real mail ends up
LW> sending things that have a real link address different from the one shown in
LW> the link. Often it is a very minor difference, like https vs http, but
LW> sometimes there are no points of reality at all between them. This shows up
LW> a lot in stuff generated from databases.

WH> if there is a visible url to a different server than the one in
WH> real url, I would not only want to tag that as possible spam, but
WH> rather have a nice red 20pt headline added to the mail: WARNING -
WH> DO NOT CLICK - THESE LINKS MIGHT BE FORGED

As the current ninja maintaining the SARE URI rules file (though not the fraud or spoof files), I gladly invite you to develop such a rule. If you can offer us a rule that does what you want, and in our testing does not hit excessively on non-spam, we'll gladly include it in our SARE rules file, and will support your submission of that rule to the SA developers.

At this point in time, I can't think of a good (efficient) way to do this that wouldn't also hit huge numbers of non-spam.

Bob Menschel
Re: what kind of error happens to delivery when spamc can't connect to spamd?
Steve Prior wrote:
> I'm just switching to using spamd -m10 (and other opts) from spamc from procmail from sendmail and am wondering what happens when spamd hits the limit and spamc can't connect to it. Does this get all the way back through sendmail so the sender knows that transmission failed?
>
> I'm wondering if this means that during times when I'm getting hit by lots of spam traffic that this will work a little like greylisting, where all email will get an error, but probably only legit email will try again to get through when the storm is over. Since these storms typically come when I wouldn't be getting legit email, if this works it would affect how I tune the -m parameter.

Hi,

In our case we are running spamd on a separate machine (FreeBSD) and the perl connector by default will queue up to 128 processes when connecting in TCP mode. Since we run with a max of 120 connections with qmail plus -m 10 for spamd, all mail will get scanned via SA. I'm not sure how the unix sockets work, but tcp sockets will queue a backlog.

How this all may work under sendmail I'm not sure since I don't believe there is a Max Connections type throttle under sendmail and even if you set the tcp queue backlog to some high number like 2048, spamc might still timeout.

If spamc does timeout or can't connect, it just lets the message through by default. So with procmail, you might get spam slipping through if your spamd server is too busy.

Regards,

Rick
Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin
On Mon, 2004-12-06 at 18:29, Robert Menschel wrote:
> Hello Wolfgang,
>
> Monday, December 6, 2004, 7:39:09 AM, you wrote:
>
> LW> That's because such a rule won't work. All manner of real mail ends up
> LW> sending things that have a real link address different from the one shown in
> LW> the link. Often it is a very minor difference, like https vs http, but
> LW> sometimes there are no points of reality at all between them. This shows up
> LW> a lot in stuff generated from databases.
>
> WH> if there is a visible url to a different server than the one in
> WH> real url, I would not only want to tag that as possible spam, but
> WH> rather have a nice red 20pt headline added to the mail: WARNING -
> WH> DO NOT CLICK - THESE LINKS MIGHT BE FORGED
>
> As the current ninja maintaining the SARE URI rules file (though not the fraud or spoof files), I gladly invite you to develop such a rule. If you can offer us a rule that does what you want, and in our testing does not hit excessively on non-spam, we'll gladly include it in our SARE rules file, and will support your submission of that rule to the SA developers.
>
> At this point in time, I can't think of a good (efficient) way to do this that wouldn't also hit huge numbers of non-spam.
>
> Bob Menschel

Just a note of information, for those looking to stop phishing attacks: the open source anti-virus program ClamAV has added signatures for several phishing emails. When this is used, they will be blocked before they ever hit SpamAssassin. Obviously, these are tailored for each specific message, so it's not a generic solution, but it can help. Currently, there are signatures for 18 different banking phish and two auction phish.

http://www.clamav.net/

-Bill
Re: what kind of error happens to delivery when spamc can't connect to spamd?
Rick Macdougall wrote:
> Steve Prior wrote:
>> I'm just switching to using spamd -m10 (and other opts) from spamc from procmail from sendmail and am wondering what happens when spamd hits the limit and spamc can't connect to it. Does this get all the way back through sendmail so the sender knows that transmission failed?
>>
>> I'm wondering if this means that during times when I'm getting hit by lots of spam traffic that this will work a little like greylisting, where all email will get an error, but probably only legit email will try again to get through when the storm is over. Since these storms typically come when I wouldn't be getting legit email, if this works it would affect how I tune the -m parameter.
>
> Hi,
>
> In our case we are running spamd on a separate machine (FreeBSD) and the perl connector by default will queue up to 128 processes when connecting in TCP mode. Since we run with a max of 120 connections with qmail plus -m 10 for spamd, all mail will get scanned via SA. I'm not sure how the unix sockets work, but tcp sockets will queue a backlog.
>
> How this all may work under sendmail I'm not sure since I don't believe there is a Max Connections type throttle under sendmail and even if you set the tcp queue backlog to some high number like 2048, spamc might still timeout.
>
> If spamc does timeout or can't connect, it just lets the message through by default. So with procmail, you might get spam slipping through if your spamd server is too busy.

Just an fyi to all this, we have set up a front end qmail/simscan scanner machine in front of our sendmail box because we found that sendmail and the sendmail milters available did not have the speed to process all of our email in a timely fashion. Qmail with simscan and the qmail-queue patch works great. Well, works better. The sendmail box does still from time to time become overloaded and hit load avgs of 40+, whereas the qmail/simscan scanning box never breaks a load avg of 0.4.

Regards,

Rick
RE: Move Bayes To New Server
I was thinking of grabbing the bayes db from work and using it at home so it isn't mission critical. I don't get the exact same type of spam at home, but I get a lot of the rolex, drugs, pen1s type spam at both places.

--Mike

-----Original Message-----
From: Gary W. Smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 8:20 PM
To: Mike Carlson; SpamAssassin Users
Subject: RE: Move Bayes To New Server

We have 6 relays that we did this for quite regularly. We have switched over to MySQL though. Basically we tarballed it up and the other machines would pick up the tarball, uncompress it and then swap it into place. It was only effective to a point but it kept them close to in sync. We did it four times a day. We did all of our training on the one machine that was the master. YMMV

Gary Smith

-----Original Message-----
From: Mike Carlson [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 5:26 PM
To: SpamAssassin Users
Subject: Move Bayes To New Server

Can I copy my bayes db to another server that handles a different domain?

--Mike
Re: what kind of error happens to delivery when spamc can't connect to spamd?
Rick Macdougall wrote:
> Hi,
>
> In our case we are running spamd on a separate machine (FreeBSD) and the perl connector by default will queue up to 128 processes when connecting in TCP mode.
>
> If spamc does timeout or can't connect, it just lets the message through by default. So with procmail, you might get spam slipping through if your spamd server is too busy.

Ok thanks, I got a little turned around when I was reading the docs on the -f option for spamc. I should have read the docs on the -m flag in spamd more carefully.

> Regards,
>
> Rick
RE: Move Bayes To New Server
We use site wide only DB's. If that's what you use as well, and your work, then I don't see that much of a problem.

Gary

-----Original Message-----
From: Mike Carlson [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 7:02 PM
To: Gary W. Smith; SpamAssassin Users
Subject: RE: Move Bayes To New Server

I was thinking of grabbing the bayes db from work and using it at home so it isn't mission critical. I don't get the exact same type of spam at home, but I get a lot of the rolex, drugs, pen1s type spam at both places.

--Mike

-----Original Message-----
From: Gary W. Smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 8:20 PM
To: Mike Carlson; SpamAssassin Users
Subject: RE: Move Bayes To New Server

We have 6 relays that we did this for quite regularly. We have switched over to MySQL though. Basically we tarballed it up and the other machines would pick up the tarball, uncompress it and then swap it into place. It was only effective to a point but it kept them close to in sync. We did it four times a day. We did all of our training on the one machine that was the master. YMMV

Gary Smith

-----Original Message-----
From: Mike Carlson [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 5:26 PM
To: SpamAssassin Users
Subject: Move Bayes To New Server

Can I copy my bayes db to another server that handles a different domain?

--Mike
RE: Move Bayes To New Server
Yeah, it's all site wide. The email is relayed back to a backend Exchange server at home and a backend Notes server at work.

--Mike

-----Original Message-----
From: Gary W. Smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 9:01 PM
To: Mike Carlson; SpamAssassin Users
Subject: RE: Move Bayes To New Server

We use site wide only DB's. If that's what you use as well, and your work, then I don't see that much of a problem.

Gary

-----Original Message-----
From: Mike Carlson [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 7:02 PM
To: Gary W. Smith; SpamAssassin Users
Subject: RE: Move Bayes To New Server

I was thinking of grabbing the bayes db from work and using it at home so it isn't mission critical. I don't get the exact same type of spam at home, but I get a lot of the rolex, drugs, pen1s type spam at both places.

--Mike

-----Original Message-----
From: Gary W. Smith [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 8:20 PM
To: Mike Carlson; SpamAssassin Users
Subject: RE: Move Bayes To New Server

We have 6 relays that we did this for quite regularly. We have switched over to MySQL though. Basically we tarballed it up and the other machines would pick up the tarball, uncompress it and then swap it into place. It was only effective to a point but it kept them close to in sync. We did it four times a day. We did all of our training on the one machine that was the master. YMMV

Gary Smith

-----Original Message-----
From: Mike Carlson [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 2004 5:26 PM
To: SpamAssassin Users
Subject: Move Bayes To New Server

Can I copy my bayes db to another server that handles a different domain?

--Mike
requesting advice: going beyond the basics
Hey. I have a brand new working installation of 3.0.1 on OpenBSD 3.6. Can I get some pointers on what the drill is to improve or customize it? What's the next step?

I am presently using just sendmail -- smtp-vilter -- sa. I haven't touched any configuration files.

Thanks for all suggestions.

Peter
Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin
On Mon, 2004-12-06 at 20:00, Kenneth Porter wrote:
> --On Monday, December 06, 2004 6:44 PM -0800 Bill Randle [EMAIL PROTECTED] wrote:
>> Obviously, these are tailored for each specific message, so it's not a generic solution, but it can help. Currently, there are signatures for 18 different banking phish and two auction phish.
>
> Additionally, if you run SA and Clam from MIMEDefang, you can use the contributed Graphdefang package to serve graphs of your spam, viruses, and phish from your web server, and can see how many phishing attempts of each type were blocked.
>
> http://mimedefang.org/

Good point! I use amavisd-new with postfix and graphdefang for much the same thing.

-Bill
Re: Blank Message Rule
Most of the empty spams also lack a To: address, although they may have a From. I've found that checking for missing body, missing subject, and missing To: is pretty accurate. One could probably argue that a missing To: all by itself was reason to toss the mail, but I haven't tried a mass-test to see what that would do. Loren
ESMTP/SMTP+SpamAssassin
Hi All,

I'm running Postfix in conjunction with a Policy Daemon and I've started noticing that the large majority of Spam that hits our borders does NOT speak ESMTP. Has anyone else noticed this? The reason why I'm asking here is because using the Policy Daemon, I'm able to inject an X-Header field which states whether the remote/connecting host talks ESMTP or straight SMTP and can then of course get SpamAssassin to score highly on this. Can anyone either confirm or deny this? (perhaps looking/digging through their spam/ham corpus?)

Regards,

Cami
Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???
On Tue, 7 Dec 2004, Thomas Cameron wrote:
> I do not understand why this is tagged ALL_TRUSTED! Here is my local.cf:
>
> ###
> [snip..]
> clear_trusted_networks
> trusted_networks 24.173.79.19/32
> ###
>
> As you can see, the only trusted network I have is my mail server! Why is ALL_TRUSTED hitting? I am about to set ALL_TRUSTED to a score of 0!
>
> Thomas

Silly question; precisely how do you have SA integrated into your mail system? I noticed that you are using sendmail with clamav-milter; are you also using a milter to connect spamd into your mail system? If so, precisely which milter? This is important, as not all sendmail spam-milters are created equal. ;)

Here is the issue specific to your situation. The milter gets the message from sendmail raw, i.e. before sendmail does any of its usual processing of the message SUCH AS ADDING Received headers. So the milter does NOT see that particular header:

Received: from CM02.outbound.mail (mailer4.monteraymedia.com [66.63.189.28] (may be forged))
        by mail.camerontech.com (8.13.1/8.13.1) with ESMTP id iB75ihQg015990
        for [EMAIL PROTECTED]; Mon, 6 Dec 2004 23:44:44 -0600

which is critical to SA's ability to determine local vs non-trusted hosts. Well crafted milters will understand that and internally synthesize a 'Received:' header to mimic the one that your sendmail will add. Without that (or if it isn't done well) then SA will never be able to properly do the trust determination.

Dave
--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???
On Tue, 2004-12-07 at 01:22 -0600, David B Funk wrote:
> On Tue, 7 Dec 2004, Thomas Cameron wrote:
>> I do not understand why this is tagged ALL_TRUSTED! Here is my local.cf:
>>
>> ###
>> [snip..]
>> clear_trusted_networks
>> trusted_networks 24.173.79.19/32
>> ###
>>
>> As you can see, the only trusted network I have is my mail server! Why is ALL_TRUSTED hitting? I am about to set ALL_TRUSTED to a score of 0!
>>
>> Thomas
>
> Silly question; precisely how do you have SA integrated into your mail system? I noticed that you are using sendmail with clamav-milter; are you also using a milter to connect spamd into your mail system? If so, precisely which milter? This is important, as not all sendmail spam-milters are created equal. ;)
>
> Here is the issue specific to your situation. The milter gets the message from sendmail raw, i.e. before sendmail does any of its usual processing of the message SUCH AS ADDING Received headers. So the milter does NOT see that particular header:
>
> Received: from CM02.outbound.mail (mailer4.monteraymedia.com [66.63.189.28] (may be forged))
>         by mail.camerontech.com (8.13.1/8.13.1) with ESMTP id iB75ihQg015990
>         for [EMAIL PROTECTED]; Mon, 6 Dec 2004 23:44:44 -0600
>
> which is critical to SA's ability to determine local vs non-trusted hosts. Well crafted milters will understand that and internally synthesize a 'Received:' header to mimic the one that your sendmail will add. Without that (or if it isn't done well) then SA will never be able to properly do the trust determination.
>
> Dave

Hrm - that makes a lot of sense. I am using spamass-milter (the latest from CVS as of about a week ago).

I actually have the following at the bottom of my sendmail.mc:

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl

I just realized I have two confMILTER_MACROS_CONNECT definitions. I don't think that that would cause this but I need to address this tomorrow after I've slept some. :-)

Thomas
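A simplified model of the trust-path walk Dave describes, added here as an example to show why the missing sendmail hop ends in ALL_TRUSTED; it is not SpamAssassin's own Received-header code. `all_trusted` and `synthesize_received` are hypothetical helpers, the sample Received: line is the one quoted in the thread (recipient left redacted as on the page), and trusted_networks is Thomas's setting.

```python
"""Why a milter can make ALL_TRUSTED fire: a simplified trust-path walk.

Hypothetical illustration written for this thread; it is not SpamAssassin's
own Received-header parser and ignores the extra inference SA does.
Received: headers are taken newest-first, the connecting IP is read from the
"[a.b.c.d]" token, and the walk stops at the first relay that is not inside
trusted_networks. ALL_TRUSTED is the outcome when no untrusted relay is ever
found, which is exactly what happens when the hop into your own server is
absent because the milter saw the message before sendmail added it.
"""
import ipaddress
import re

# The IP literal sendmail writes in brackets after the client's reverse name.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Thomas's local.cf setting from the thread.
TRUSTED_NETWORKS = "24.173.79.19/32"

# The Received: line sendmail adds on mail.camerontech.com, as quoted in the
# thread; the recipient address is redacted on the page, so keep it that way.
SENDMAIL_RECEIVED = (
    "Received: from CM02.outbound.mail (mailer4.monteraymedia.com "
    "[66.63.189.28] (may be forged)) by mail.camerontech.com "
    "(8.13.1/8.13.1) with ESMTP id iB75ihQg015990 "
    "for [EMAIL PROTECTED]; Mon, 6 Dec 2004 23:44:44 -0600"
)


def parse_trusted(spec: str) -> list:
    """Turn a space-separated trusted_networks value into ip_network objects."""
    return [ipaddress.ip_network(item, strict=False) for item in spec.split()]


def relay_ips(received_headers: list) -> list:
    """Connecting IP of each hop, in header order (newest hop first)."""
    ips = []
    for header in received_headers:
        match = RECEIVED_IP_RE.search(header)
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def all_trusted(received_headers: list, trusted: list) -> bool:
    """True when the walk from the newest hop outward never leaves trusted space.

    An empty or IP-less header list is vacuously all-trusted: there is no
    untrusted relay to find, so the rule fires.
    """
    for ip in relay_ips(received_headers):
        if not any(ip in net for net in trusted):
            return False
    return True


def synthesize_received(client_name: str, client_ip: str, my_host: str,
                        recipient: str, date: str) -> str:
    """Build the sendmail-style Received: line a well-behaved milter adds
    internally so SA sees the hop sendmail has not written yet.
    Constructed format: the id field is a placeholder, not a real queue id."""
    return (f"Received: from {client_name} ([{client_ip}]) by {my_host} "
            f"with ESMTP id MILTER-SYNTHESIZED for {recipient}; {date}")


def demo() -> dict:
    """Compare what SA sees with and without the sendmail hop."""
    trusted = parse_trusted(TRUSTED_NETWORKS)
    synthesized = synthesize_received(
        "mailer4.monteraymedia.com", "66.63.189.28", "mail.camerontech.com",
        "[EMAIL PROTECTED]", "Mon, 6 Dec 2004 23:44:44 -0600")
    return {
        # Post-sendmail view: the newest hop is 66.63.189.28, untrusted.
        "with_sendmail_hop": all_trusted([SENDMAIL_RECEIVED], trusted),
        # Milter view: sendmail's header is absent, nothing untrusted remains.
        "milter_view": all_trusted([], trusted),
        # Milter that synthesizes the hop: the untrusted relay is visible again.
        "milter_synthesized": all_trusted([synthesized], trusted),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: ALL_TRUSTED={'yes' if result else 'no'}")
```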
Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin
Hello Bob,

thanks for getting back on that. The problem with these mails - they may not be spam, they may not be fraud either, but they impose a different kind of threat by lowering recipients' thresholds on security. I have had that argument "well, I read that mail, and nothing bad happened" from users and don't want to have it again :) Maybe I should ask these kind of people to sign a paper that they will never ask me to disinfect their systems.

We have seen
- banks that invite their customers to click somewhere for their account statement
- banks that suggest to go to the security tab in IE and drag the control to a lower setting as a response to cert warnings
- microsoft generate cert warnings by putting a valid cert onto the wrong server
and now we have legitimate mail with suspicious links.

It is all these things together that eventually make people tolerant to phish (well, I got this irritating broken cert thing every day from my bank as well - how should I know that their broken cert was different).

I am also not sure whether anti spam is the proper place to deal with these messages - if they get enough score, recipients will just route them to the trash and later complain about the missing mail. I could even imagine to quarantine these mails and invite recipients to complain to the senders. In the case of the bank mentioned above, a "bank smells like phish" article in a local computer mag caused them to change the system.

Wolfgang Hamann

> Hello Wolfgang,
>
> Monday, December 6, 2004, 7:39:09 AM, you wrote:
>
> LW> That's because such a rule won't work. All manner of real mail ends up
> LW> sending things that have a real link address different from the one shown in
> LW> the link. Often it is a very minor difference, like https vs http, but
> LW> sometimes there are no points of reality at all between them. This shows up
> LW> a lot in stuff generated from databases.
>
> WH> if there is a visible url to a different server than the one in
> WH> real url, I would not only want to tag that as possible spam, but
> WH> rather have a nice red 20pt headline added to the mail: WARNING -
> WH> DO NOT CLICK - THESE LINKS MIGHT BE FORGED
>
> As the current ninja maintaining the SARE URI rules file (though not the fraud or spoof files), I gladly invite you to develop such a rule. If you can offer us a rule that does what you want, and in our testing does not hit excessively on non-spam, we'll gladly include it in our SARE rules file, and will support your submission of that rule to the SA developers.
>
> At this point in time, I can't think of a good (efficient) way to do this that wouldn't also hit huge numbers of non-spam.
>
> Bob Menschel
Re: Phishing attempt wasn't blocked by SpamAssassin
On Monday, December 6, 2004, 4:02:59 AM, Eugene Morozov wrote:
> Hello!
>
> Our customer received email which contained invitation to confirm personal information at the online bank. Link was hidden using following trick:
>
> <A href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>
>
> It was a big surprise for me that there're no rules in the stock SA 3.0.1 installation to catch such forged links. I was also unable to find such a rule on Rules Emporium.
>
> Eugene

In addition to the other suggestions, I'd recommend reporting the phish to:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Doing so will help get some of the destination URIs into ph.surbl.org, though in this particular case I'm not sure that we should list designlaboratory.jp since this could be a Joe Job or hijacked message board.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
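A worked version of the visible-link-versus-real-link check debated in this thread, added here as an example; it is not code from the thread, not a SpamAssassin rule and not part of the SARE rule set. It uses only the Python standard library; `forged_links` and `host_of` are hypothetical helpers, the forged anchor is the one Eugene quoted, and the two legitimate anchors beside it are constructed.

```python
"""Visible-URL vs. real-href mismatch check, the heuristic debated in this
thread. Hypothetical helper written for this digest; it is not a SpamAssassin
rule and not part of the SARE rule set. An anchor is flagged only when the
text the reader sees is itself a URL whose host differs from the href host;
scheme-only differences (http vs. https) and a leading "www." are tolerated
because the thread notes those are common in legitimate mail.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text counts as a URL when it carries a scheme or starts with "www.".
VISIBLE_URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.)", re.IGNORECASE)

# Constructed sample: the forged link Eugene quoted, plus two legitimate
# shapes (scheme-only difference; plain "click here" text) that must pass.
SAMPLE_HTML = """
<p>Please confirm your details at
<A href="http://www.designlaboratory.jp/board/hg.html">https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A></p>
<p>Statement: <a href="https://example.com/statement">http://example.com/statement</a></p>
<p><a href="http://tracker.example.net/r/123">click here</a> to unsubscribe</p>
"""


def host_of(text: str) -> str:
    """Lower-cased host of a URL with a leading "www." dropped, so that
    www.example.com and example.com count as the same server."""
    if "://" not in text:
        text = "http://" + text  # bare "www.x.y/..." needs a scheme to parse
    host = (urlsplit(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lower-cases tag and attribute names
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def forged_links(html: str) -> list:
    """Return (visible_host, real_host) for each anchor whose visible URL
    names a different server than its href. Anchors whose text is not a
    URL ("click here") give nothing to compare and are skipped."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not href or not VISIBLE_URL_RE.match(text):
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append((shown, real))
    return findings


if __name__ == "__main__":
    for shown, real in forged_links(SAMPLE_HTML):
        print(f"visible {shown} but the link really goes to {real}")
```

Bob's objection still applies to what this tolerates: a legitimate redirector or tracking host in the href is flagged exactly like the HSBC forgery, so on a real corpus the hit list needs a ham check before it is scored.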
Re: Non-Clickable URI's
On Monday, December 6, 2004, 7:35:30 AM, Chris Santerre wrote:
>> From: RD [mailto:[EMAIL PROTECTED]]
>>
>> I've seen spams where spammers are using the "CutPaste_this_URL_to_your_browser" method, the reason why spamassassin won't trigger a SURBL database lookup. Is there a known workaround to catch these non-clickable URIs and trigger a SURBL lookup? This is in the form of www . domain . com
>
> It was mentioned on the SURBL list, and I wrote a quick and dirty SA rule for it. Initial tests were dismal.
>
> Found 2 ham:
>
> http :// www . drugstore . com / ivd0324
>
> header copied into the body of a forward:
> X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)
>
> Also hit 12 spam out of around 70k. A little more testing needed. But I think this shows that it isn't worth the rule. The links break and require end lusers to not only copy and paste, but edit the link to remove the spaces. Clearly more than most users would do.

Yeah, and it could cause them to pause and actually think about what they're doing, which no spammer would want to happen. :-)

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
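An illustration of the spaced-hostname pattern Chris tested, added here as an example rather than the SARE rule itself; `spaced_hostnames` is a hypothetical helper, the ham samples are the two reported in the thread, and the spam line is constructed.

```python
"""Normaliser for "copy and paste this URL" spaced hostnames such as
"www . domain . com", the shape Chris's quick rule tried to catch.

Hypothetical illustration written for this thread, not the SARE rule itself.
It rebuilds the hostname so it could be handed to a URI blocklist lookup,
and the samples reproduce why the rule tested badly: the same shape turns
up in ordinary mail (the drugstore.com link and the MIMEDefang X-Scanned-By
header that Chris reported as ham).
"""
import re

# Labels separated by a dot with whitespace on both sides, ending in an
# alphabetic TLD. Requiring the surrounding whitespace keeps ordinary domains
# and "2.28"-style version numbers out of the match.
SPACED_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\s+\.\s+)+[a-z]{2,}\b", re.IGNORECASE)


def spaced_hostnames(text: str) -> list:
    """Return de-spaced, lower-cased hostnames found in text."""
    return [re.sub(r"\s+", "", m.group(0)).lower()
            for m in SPACED_HOST_RE.finditer(text)]


# Constructed samples: the two ham cases are the ones reported in the thread,
# the prose line and the spam line are invented for illustration.
SAMPLES = {
    "ham_forwarded_link": "see http :// www . drugstore . com / ivd0324",
    "ham_scanner_header": "X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)",
    "ham_plain_prose": "Released version 2 . 28 yesterday.",
    "spam_copy_paste": "CutPaste this URL to your browser: www . example-pills . test / order",
}


def hits() -> dict:
    """Which samples the pattern would send on to a blocklist lookup."""
    return {name: spaced_hostnames(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hosts in hits().items():
        print(f"{name}: {hosts or 'no match'}")
```

Two of the three ham samples produce a lookup candidate, which is the precision problem Chris's 2-ham-versus-12-spam result points at.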
portable spamassassin database
Hi

I need to know how to synchronize sa-learn entries in different computers so that for every client (computer) I use I don't have to remake all the sa-learn job with my e-mails.

Regards
lonblu
www.rulesemporium.com
Chris

rulesemporium seems to be down (not resolving actually). Did you forget to re-register the domain?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Re: www.rulesemporium.com
Fascinating - whois doesn't even report a vestige of the name.
{^_^}

----- Original Message -----
From: Martin Hepworth [EMAIL PROTECTED]
> Chris
>
> rulesemporium seems to be down (not resolving actually). Did you forget to re-register the domain?
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
RE: www.rulesemporium.com
Martin Hepworth wrote on 07 December 2004 10:49:
> Did you forget to re-register the domain?

It's registered until October 2005 (according to the WHOIS lookup), so I would doubt that's the issue <grin>. The nameservers are not letting up their secrets - it's returning a big fat nowt when querying them.

Regards,

Martyn
RE: www.rulesemporium.com
jdow wrote on 07 December 2004 10:59:
> Fascinating - whois doesn't even report a vestige of the name.
> {^_^}

[EMAIL PROTECTED] [~]# whois rulesemporium.com
[Querying whois.internic.net]
[Redirected to whois.enom.com]
[Querying whois.enom.com]
[whois.enom.com]
Registration Service Provided By: NxTek Solutions Inc
Contact: [EMAIL PROTECTED]
Visit: http://www.nxtek.net

Domain name: rulesemporium.com

Administrative Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Billing Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Technical Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Registrant Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Status: Locked

Name Servers:
   ns1.nxtek.net
   ns2.nxtek.net

Creation date: 16 Oct 2003 17:25:32
Expiration date: 16 Oct 2005 17:25:32
Re: www.rulesemporium.com
[EMAIL PROTECTED] said:
> Fascinating - whois doesn't even report a vestige of the name.
> {^_^}

Does for me:

[EMAIL PROTECTED] owen]$ jwhois rulesemporium.com
[Querying whois.internic.net]
[Redirected to whois.enom.com]
[Querying whois.enom.com]
[whois.enom.com]
Registration Service Provided By: NxTek Solutions Inc
Contact: [EMAIL PROTECTED]
Visit: http://www.nxtek.net

Domain name: rulesemporium.com

Administrative Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Billing Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Technical Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Registrant Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Status: Locked

Name Servers:
   ns1.nxtek.net
   ns2.nxtek.net

Creation date: 16 Oct 2003 17:25:32
Expiration date: 16 Oct 2005 17:25:32

That "Status: Locked" doesn't look too good. Neither the root servers nor the two referenced in the above lookup know anything about the domain, so it's totally up the creek...

O
--
Via Net.Works UK Ltd        Local Touch Global Reach
Owen McShane                Systems Administrator
http://www.vianetworks.co.uk
Tel +44 (0)1925 48
Re: www.rulesemporium.com
Oh it is in whois, paid, all sound and good. And its nameservers are even responding. It's just the root nameservers that aren't updated (or have some other problems).

   Domain Name: RULESEMPORIUM.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: DNS1.NAME-SERVICES.COM
   Name Server: DNS2.NAME-SERVICES.COM
   Name Server: DNS3.NAME-SERVICES.COM
   Name Server: DNS4.NAME-SERVICES.COM
   Name Server: DNS5.NAME-SERVICES.COM
   Status: REGISTRAR-LOCK
   Updated Date: 15-oct-2004
   Creation Date: 16-oct-2003
   Expiration Date: 16-oct-2005

$ nslookup www.rulesemporium.com DNS1.NAME-SERVICES.COM
Server:         DNS1.NAME-SERVICES.COM
Address:        63.251.163.102#53

Name:   www.rulesemporium.com
Address: 69.56.160.30

-Frank.

On Tue, 7 Dec 2004, jdow wrote:
> Fascinating - whois doesn't even report a vestige of the name.
>
> ----- Original Message -----
> From: Martin Hepworth [EMAIL PROTECTED]
>> rulesemporium seems to be down (not resolving actually). Did you forget to re-register the domain?
Re: www.rulesemporium.com
Fascinating - I must have hit a hitch in the gitalong somewhere. That is the first time whois has seriously failed me like that. {O.O} - Original Message - From: Martyn Drake [EMAIL PROTECTED] jdow wrote on 07 December 2004 10:59: Fascinating - whois doesn't even report a vestige of the name. {^_^} [EMAIL PROTECTED] [~]# whois rulesemporium.com [Querying whois.internic.net] [Redirected to whois.enom.com] [Querying whois.enom.com] [whois.enom.com] Registration Service Provided By: NxTek Solutions Inc Contact: [EMAIL PROTECTED] Visit: http://www.nxtek.net Domain name: rulesemporium.com
RE: www.rulesemporium.com
Owen McShane wrote on 07 December 2004 11:04: That Status: Locked doesn't look too good. I always thought that was the registrar lock so that nobody can make changes to the domain name (i.e. change nameservers) until the domain has been unlocked. It's an anti-abuse system. Normally you would have to log in to your domain registrar's control panel, set the domain to unlock, make whatever changes you need and then lock the domain again. Neither the root servers nor the two referenced in the above lookup know anything about the domain, so it's totally up the creek... Indeed it is - perhaps somebody accidentally nuked the zone from the nameserver by accident :) M.
SA vs. postfix main.cf
We run postfix 2.1.5_1,1 on FreeBSD 5.2.1, and use some RBL lists: smtpd_recipient_restrictions = ... reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client proxies.relays.monkeys.com, reject_rbl_client relays.ordb.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org We are seeing cases where mail is rejected because of the RBL lists, even when a sender is whitelisted in a recipient's SA user_prefs file. Is there any way to reverse the order of operations so that postfix doesn't check with the RBL list when SA says a sender is OK? You can't reverse the checks, but you can whitelist addresses in Postfix. I use the check_client_access to allow certain domains/ips to send mail although they appear in RBL's. Just put them in the access-file with 'OK' on the end of the line. You can do the same with check_sender_access. And make sure this check is done before the RBL checks, like: smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, check_client_access hash:/etc/postfix/client_access, check_helo_access hash:/etc/postfix/helo_access, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client dynablock.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org Regards Menno van Bennekom
Re: www.rulesemporium.com
On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote: Indeed it is - perhaps somebody accidentally nuked the zone from the nameserver by accident :) Take a look at: http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com It has failed for many parameters... -- Ricardo Campos Passanezi - Network Analyst PGP GPG public key at: http://www.ige.unicamp.br/~riccp Institute of Geosciences - http://www.ige.unicamp.br - UNICAMP
Re: www.rulesemporium.com
Ricardo Campos Passanezi wrote: On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote: Indeed it is - perhaps somebody accidentally nuked the zone from the nameserver by accident :) Take a look at: http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com It has failed for many parameters... I'll take a look. I'm not in charge of that DNS server or the rulesemporium.com domain but I do have access to that machine. Regards, Rick
Re: www.rulesemporium.com
Not too sure why you've cc:ed me in on this mail, as there's no quoted text that I wrote (and I'm on the list, so now have two copies... thanks). It looks like the root name servers are once again giving out the NS records for the domain, but the specified auth servers for it appear to know nothing about it. This is why It has failed for many parameters... Owen On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote: Indeed it is - perhaps somebody accidentally nuked the zone from the nameserver by accident :) Take a look at: http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com It has failed for many parameters... -- Ricardo Campos Passanezi - Network Analyst PGP GPG public key at: http://www.ige.unicamp.br/~riccp Institute of Geosciences - http://www.ige.unicamp.br - UNICAMP -- Via Net.Works UK Ltd Local Touch Global Reach Owen McShane Systems Administrator http://www.vianetworks.co.uk Tel +44 (0)1925 48
Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???
Why not make the change to /usr/share/spamassassin/50_scores.cf instead? That way when the next version comes out, presumably with the patch, you don't have to remember to un-do the workaround? -Michael Thomas Cameron [EMAIL PROTECTED] 12/7/2004 1:14:42 AM On Mon, 2004-12-06 at 22:52 -0800, Loren Wilton wrote: Received: from CM02.outbound.mail (mailer4.monteraymedia.com [66.63.189.28] (may be forged)) by mail.camerontech.com (8.13.1/8.13.1) with ESMTP id iB75ihQg015990 for [EMAIL PROTECTED]; Mon, 6 Dec 2004 23:44:44 -0600 Received: by CM02.outbound.mail (PowerMTA(TM) v2.0r6) id h4mn9a050u48; Mon, 11 Jun 2001 22:47:13 -0700 (envelope-from [EMAIL PROTECTED]) Remember all trusted really means no untrusted links in the received headers that we were able to parse. If SA can't parse a received header line, it simply tosses it and continues with the next one. This may not be the best plan, and there are various bugs open about the exact meaning and handling of all-trusted. The second header shown above doesn't have any ip addresses in it, so it would get tossed (or maybe considered as local, I'm not positive). That leaves the first header, which at a glance would seem to not come from your network, so shouldn't be trusted. I'm guessing that there is something about the format of this header that SA doesn't much care for, so it ended up tossing it as unreadable. That would leave you with no received headers, which would mean that the mail had been sent locally, so was obviously trusted. :-( There was a patch in the works a month or so back to somehow take account of unparsable headers in determining all-trusted. I was out of town for most of November and lost track of the status of that change. Assuming that the problem here is the first received header was unparsable, that patch may help matters if it is approved. Loren Then I guess my next option is to set score ALL_TRUSTED 0 0 0 0 in /etc/mail/spamassassin/local.cf until this gets resolved?
Thomas
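Loren's explanation above is the interesting failure mode: if SpamAssassin drops a Received header it cannot parse, an external relay can vanish from the trust path and ALL_TRUSTED fires on mail that never touched a trusted host. The walk below is an added illustration of that logic, not SpamAssassin's own code; the trusted network, the three Received headers and the host names are constructed, and the unparsable_is_untrusted switch is a hypothetical stricter policy, not an SA option.

```python
import ipaddress
import re

# Constructed trusted network, standing in for trusted_networks in local.cf.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# A relay's IP is taken from the bracketed address in the "from" clause.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received):
    """Return the relay IP parsed from one Received header, or None if the
    header carries no bracketed IPv4 address (the 'unparsable' case)."""
    m = IP_RE.search(received)
    return ipaddress.ip_address(m.group(1)) if m else None


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def all_trusted(received_headers, unparsable_is_untrusted=False):
    """Walk Received headers top (most recent) to bottom.

    Lenient mode mirrors what the thread describes: a header with no IP is
    skipped and the walk continues, so a message whose only external hop is
    unparsable ends up looking entirely trusted. The strict variant treats
    an unparsable hop as the end of the trusted path instead."""
    for hdr in received_headers:
        ip = relay_ip(hdr)
        if ip is None:
            if unparsable_is_untrusted:
                return False
            continue  # lenient: drop the header and keep walking
        if not is_trusted(ip):
            return False  # first untrusted relay ends the trusted chain
    return True  # no untrusted relay seen (including the no-headers case)


# Constructed sample headers (hosts and addresses are documentation ranges).
H_INTERNAL = "from mx.internal (mx.internal [192.0.2.10]) by hub.internal"
H_EXTERNAL = "from outside.example (outside.example [203.0.113.5]) by mx.internal"
H_NO_IP = "by relay.example (PowerMTA) id abc123"  # no IP, like the 2nd header above


if __name__ == "__main__":
    print("internal+external:", all_trusted([H_INTERNAL, H_EXTERNAL]))
    print("internal+unparsable (lenient):", all_trusted([H_INTERNAL, H_NO_IP]))
    print("internal+unparsable (strict):",
          all_trusted([H_INTERNAL, H_NO_IP], unparsable_is_untrusted=True))
```

Run as a script it prints the three verdicts; the middle one is the case the thread is worried about, where dropping the unparsable hop leaves nothing untrusted in the chain.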
Re: [SPAM-TAG] Further URIDNSBL problems..
17 seconds is way too long for name resolution. Does it take that long from the command line (for an uncached query)? No, it's pretty snappy all around. But with a 15 second timeout, spamassassin -D showed all timeouts for the DNSBL. The URIBL's appeared to have successful queries even at that point, but I can't get them to actually score against anything. I'm not sure what the difference between them (at the lookup level) is. # time dig test.surbl.org.sc.surbl.org a | less ; DiG 9.2.2-P3 test.surbl.org.sc.surbl.org a ;; global options: printcmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 29925 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 14, ADDITIONAL: 0 ;; QUESTION SECTION: ;test.surbl.org.sc.surbl.org. IN A ;; ANSWER SECTION: test.surbl.org.sc.surbl.org. 2023 INA 127.0.0.2 ;; AUTHORITY SECTION: sc.surbl.org. 823 IN NS n.surbl.org. sc.surbl.org. 823 IN NS a.surbl.org. sc.surbl.org. 823 IN NS b.surbl.org. sc.surbl.org. 823 IN NS c.surbl.org. sc.surbl.org. 823 IN NS d.surbl.org. sc.surbl.org. 823 IN NS e.surbl.org. sc.surbl.org. 823 IN NS f.surbl.org. sc.surbl.org. 823 IN NS g.surbl.org. sc.surbl.org. 823 IN NS h.surbl.org. sc.surbl.org. 823 IN NS i.surbl.org. sc.surbl.org. 823 IN NS j.surbl.org. sc.surbl.org. 823 IN NS k.surbl.org. sc.surbl.org. 823 IN NS l.surbl.org. sc.surbl.org. 823 IN NS m.surbl.org. ;; Query time: 1 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Dec 7 06:09:17 2004 ;; MSG SIZE rcvd: 285 real0m1.030s user0m0.010s sys 0m0.010s Are you sure you're using 3.0.1 configs? Pretty sure: # spamassassin -V SpamAssassin version 3.0.1 running on Perl version 5.8.1 # vi /usr/share/spamassassin/25_uribl.cf ... uridnsblURIBL_SBL sbl.spamhaus.org. 
TXT bodyURIBL_SBL eval:check_uridnsbl('URIBL_SBL') describeURIBL_SBL Contains an URL listed in the SBL blocklist tflags URIBL_SBL net urirhssub URIBL_SC_SURBL multi.surbl.org.A 2 bodyURIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL') describeURIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist tflags URIBL_SC_SURBL net ... IIRC one of the recent FreeBSD installations had the 3.0.1 config file going to the wrong directory for some reason. It should be in the recent list archives. This is on Fedora Core 1, updated via CPAN if I remember right. I appreciate the help, too. Let me know if there's any other information I can get for you. Thanks! -- Matthew 'Shandower' Romanek IDS Analyst
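The urirhssub line quoted above, "urirhssub URIBL_SC_SURBL multi.surbl.org. A 2", means: take each domain found in the message body, look up domain.multi.surbl.org for an A record, and fire the rule when bit 2 of the last octet of the 127.0.0.x answer is set, which is the same encoding the dig output above shows for the test entry (127.0.0.2). The script below is an added example of that lookup and bitmask decode, not SpamAssassin's URIDNSBL plugin; it resolves against a constructed in-memory table instead of real DNS, uses the reserved .test TLD for sample domains, and reduces host names to their last two labels, which is a simplification (a real implementation uses a public suffix list).

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for DNS: query name -> A record a URIBL would return.
# Only the last octet matters; it is a bitmask of the sub-lists that hit.
FAKE_DNS = {
    "example.test.multi.surbl.org": "127.0.0.2",   # bit 2 (sc) set
    "other.test.multi.surbl.org": "127.0.0.12",    # bits 4 and 8 set, not 2
}

# Mirrors the posted 25_uribl.cf entry: (rule name, zone, bitmask).
URIRHSSUB_RULES = [("URIBL_SC_SURBL", "multi.surbl.org", 2)]

URI_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_hosts(body):
    """Host names of http/https URIs found in a text body."""
    hosts = set()
    for uri in URI_RE.findall(body):
        host = urlsplit(uri).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def registrable_domain(host):
    """Keep the last two labels. Constructed simplification: wrong for
    ccTLD second levels such as co.uk, where a suffix list is needed."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def query_name(domain, zone):
    return f"{domain}.{zone}"


def check_urirhssub(body, resolver=FAKE_DNS):
    """Return the sorted list of urirhssub rules that fire for a body."""
    hits = set()
    for host in extract_hosts(body):
        domain = registrable_domain(host)
        for rule, zone, mask in URIRHSSUB_RULES:
            answer = resolver.get(query_name(domain, zone))
            if answer is None:
                continue  # NXDOMAIN: not listed
            last_octet = int(answer.rsplit(".", 1)[1])
            if last_octet & mask:
                hits.add(rule)
    return sorted(hits)


# Constructed sample body with one listed and one unlisted domain.
SAMPLE_BODY = "Buy now at http://www.example.test/deal and http://cdn.other.test/x\n"

if __name__ == "__main__":
    print(check_urirhssub(SAMPLE_BODY))
```

The point for debugging the thread's problem: a rule with the right zone but the wrong bitmask (or a zero score) will resolve successfully in the debug output and still never contribute to the total, which is why "the lookup works but nothing scores" needs the mask and score checked, not just the DNS.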
Re: Can't configure spamd correctly
Theo, Thanks for the reply, and there may be some truth in that, but I'm not convinced that it is ever working correctly. There have been NO spamd debug messages in the log since then, despite emails being scanned. There is never any message saying it actually found the Bayes data. I am not convinced that spamd has ever found it, or that it is ever actually being used. If I telnet to port 783 I do get spamd debug messages. Paul Hilton On Mon, 2004-12-06 at 15:04, Theo Van Dinter wrote: On Mon, Dec 06, 2004 at 02:57:02PM -0500, Info wrote: Why is spamd running with a home directory under /tmp ? The debug output you've shown is the initial temp message that gets sent through spamd to prime the pump, so to speak. Dec 6 14:12:13 Pangloss spamd[23172]: debug: ignore: test message to precompile patterns and load modules :)
Re: Can't configure spamd correctly
At 09:51 AM 12.7.2004 -0500, Info wrote: Theo, Thanks for the reply, and there may be some truth in that, but I'm not convinced that it is ever working correctly. There have been NO spamd debug messages in the log since then, despite emails being scanned. There is never any message saying it actually found the Bayes data. I am not convinced that spamd has ever found it, or that it is ever actually being used. If I telnet to port 783 I do get spamd debug messages. Paul Hilton You could isolate the spamd-only messages by adding a syslog switch: Like so: /usr/local/bin/spamd --syslog=local1 -u spamd -x -d -r /var/run/spamd/spamd.pid HTH. Happy trails, Jack L. Stone System Admin Sage-american
Re: [SPAM-TAG] Further URIDNSBL problems..
On Tuesday, December 7, 2004, 6:31:41 AM, Matthew Romanek wrote: Are you sure you're using 3.0.1 configs? Pretty sure: # spamassassin -V SpamAssassin version 3.0.1 running on Perl version 5.8.1 # vi /usr/share/spamassassin/25_uribl.cf Is this the right directory, anyone? uridnsblURIBL_SBL sbl.spamhaus.org. TXT bodyURIBL_SBL eval:check_uridnsbl('URIBL_SBL') describeURIBL_SBL Contains an URL listed in the SBL blocklist tflags URIBL_SBL net urirhssub URIBL_SC_SURBL multi.surbl.org.A 2 bodyURIBL_SC_SURBL eval:check_uridnsbl('URIBL_SC_SURBL') describeURIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist tflags URIBL_SC_SURBL net ... Do you have non-zero scores set? That's about the limit of my debugging knowledge for SA, so hopefully someone else can help out. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: Can't configure spamd correctly
Jack, Thanks for the suggestion, I may indeed do that, but at the moment spamd isn't generating any messages after its startup. (unless I telnet to it) I start spamd with a script that came with the rpm package from SuSE in /etc/init.d, the options are specified in the file /etc/sysconfig/spamd, and I currently have SPAMD_ARGS=-d -a -L -D -x -u vscan, and /etc/init.d/spamd does: startproc -p /var/run/spamd.pid $SPAMD_BIN $SPAMD_ARGS Paul Hilton On Tue, 2004-12-07 at 10:01, Jack L. Stone wrote: At 09:51 AM 12.7.2004 -0500, Info wrote: Theo, Thanks for the reply, and there may be some truth in that, but I'm not convinced that it is ever working correctly. There have been NO spamd debug messages in the log since then, despite emails being scanned. There is never any message saying it actually found the Bayes data. I am not convinced that spamd has ever found it, or that it is ever actually being used. If I telnet to port 783 I do get spamd debug messages. Paul Hilton You could isolate the spamd-only messages by adding a syslog switch: Like so: /usr/local/bin/spamd --syslog=local1 -u spamd -x -d -r /var/run/spamd/spamd.pid HTH. Happy trails, Jack L. Stone System Admin Sage-american
New rules
Hello, I've recently installed SA 3.0.1, and found some junk was getting through with scores too low for my liking, especially before the URLs made it into SURBL. I've put together a few rules to match some of these that you might find interesting. They are: Rolex and Want Watch? messages (there must be loads of rules out there to do this, I guess, but the default installation doesn't seem to include any?) headerUOLCC_ROLEX_SUB1 Subject =~ /\brolex\b/i describe UOLCC_ROLEX_SUB1 Subject contains the word 'rolex' score UOLCC_ROLEX_SUB1 0.5 headerUOLCC_ROLEX_SUB2 Subject =~ /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i describe UOLCC_ROLEX_SUB2 Subject contains a gappy version of 'rolex' score UOLCC_ROLEX_SUB2 1.5 body UOLCC_ROLEX_BODY1 /\brolex\b/i describe UOLCC_ROLEX_BODY1 Body contains the word 'rolex' score UOLCC_ROLEX_BODY1 0.5 body UOLCC_ROLEX_BODY2 /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i describe UOLCC_ROLEX_BODY2 Body contains a gappy version of 'rolex' score UOLCC_ROLEX_BODY2 1.5 rawbody UOLCC_WATCH_BODY /^(Do you )?[Ww]ant (a )?(cheap )?([Ww]ristw|W)atch\?\s*$/m describe UOLCC_WATCH_BODY Body asks if you want a watch score UOLCC_WATCH_BODY 2 Checking messages with two lines of just b, B, space and 1 in them. Seems to be some sort of code used in spam, maybe: full UOLCC_BBONE/\n[bB1 ]{8,20}\n[bB1 ]{8,20}\n/s describe UOLCC_BBONEContains two code lines with b, B and 1 score UOLCC_BBONE2 Checking one particular type of spam that has a URL (that follows a certain pattern, ends .htm), blank line, line of proverb or something, blank, line of name, blank, exact same URL with l on the end (i.e. ends .html). 
I guess the rules should be small, but this one has picked up loads of spam for me: full UOLCC_HTM_HTML_URL /\n(http:\/\/[a-z]+\.[a-z]{3,4}\/[0-9a-f]{5,35}\/[[:alnum:]]{5,20}=?\.htm)\s\n\s*\n[[:alnum:]\?\.',\s:,-]+\n\s*\n[^\s,.]+(\s[^\s,.]+){0,15}\n\s*\n\1l/s describe UOLCC_HTM_HTML_URL Matches pattern of spam mail (.htm .html) score UOLCC_HTM_HTML_URL 3.5 Finally, a string of words (more than 15 here) that all begin with a capital letter, and no punctuation (I'm only testing this one at the moment, hence the low score): body UOLCC_CAPWORD_TEST /([A-Z][a-z]{3,}\s{1,2}){15,}/s describe UOLCC_CAPWORD_TEST String of words that all begin with caps letter score UOLCC_CAPWORD_TEST 0.1 Hope these are of use to someone. If anyone can show me that they are likely to pick up false positives, I'd be most grateful. Thanks, -- Matthew Newton [EMAIL PROTECTED] UNIX Systems Administrator, Network Support Section, Computer Centre, University of Leicester, Leicester LE1 7RH, United Kingdom
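To answer the closing request (are these rules likely to hit false positives?) it helps to run the patterns over sample text. The script below is an added example, not Matthew's code and not SpamAssassin's rule engine: it re-implements just enough of header/body/rawbody/full matching in Python's re module to score the posted rules against three constructed messages, one spam-like, one legitimate list of names that trips the CAPWORD test rule, and one showing that the UOLCC_WATCH_BODY pattern as posted only matches a capitalised "Watch?" or "wristwatch?" because the alternation is ([Ww]ristw|W), not [Ww]. The UOLCC_HTM_HTML_URL rule is omitted because its POSIX [[:alnum:]] classes are not supported by Python's re.

```python
import re

# The posted rules: (name, target, pattern, flags, score). Flags follow the
# /i, /m and /s modifiers on each rule as written in the message.
RULES = [
    ("UOLCC_ROLEX_SUB1", "subject", r"\brolex\b", re.I, 0.5),
    ("UOLCC_ROLEX_SUB2", "subject", r"\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b", re.I, 1.5),
    ("UOLCC_ROLEX_BODY1", "body", r"\brolex\b", re.I, 0.5),
    ("UOLCC_ROLEX_BODY2", "body", r"\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b", re.I, 1.5),
    ("UOLCC_WATCH_BODY", "rawbody",
     r"^(Do you )?[Ww]ant (a )?(cheap )?([Ww]ristw|W)atch\?\s*$", re.M, 2.0),
    ("UOLCC_BBONE", "full", r"\n[bB1 ]{8,20}\n[bB1 ]{8,20}\n", re.S, 2.0),
    ("UOLCC_CAPWORD_TEST", "body", r"([A-Z][a-z]{3,}\s{1,2}){15,}", re.S, 0.1),
]


def score_message(subject, body):
    """Return (total score, list of rule names that hit) for one message.

    Simplification: the constructed messages are plain text, so 'body' and
    'rawbody' see the same string, and 'full' is the Subject header plus
    the body. Real SA decodes MIME and strips HTML for 'body'."""
    targets = {
        "subject": subject,
        "body": body,
        "rawbody": body,
        "full": "Subject: " + subject + "\n\n" + body,
    }
    hits, total = [], 0.0
    for name, target, pattern, flags, score in RULES:
        if re.search(pattern, targets[target], flags):
            hits.append(name)
            total += score
    return round(total, 2), hits


# Constructed samples (not real mail).
SPAM_SUBJECT = "R-o-l-e-x replicas"
SPAM_BODY = ("Want a cheap Watch?\n\nGet your r_o_l_e_x today\n"
             "bB1 b1B bB1 1\n1bB B1b bb1 B\n")

HAM_SUBJECT = "Team roster"
HAM_BODY = ("Alice Barnes Charles Davies Edward Fisher George Harris Irene "
            "Jones Katherine Lewis Martin Newton Oliver Peters Quentin "
            "Roberts Simon Taylor\n")

LOWER_SUBJECT = "Watches"
LOWER_BODY = "Want a cheap watch?\n"  # lowercase 'watch': misses the posted regex

if __name__ == "__main__":
    for s, b in ((SPAM_SUBJECT, SPAM_BODY), (HAM_SUBJECT, HAM_BODY),
                 (LOWER_SUBJECT, LOWER_BODY)):
        print(s, "->", score_message(s, b))
```

The roster message is the kind of false positive the CAPWORD rule invites: any run of fifteen capitalised names (attendee lists, bibliographies, address books) scores it, which is a good reason to keep it at 0.1 while testing.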
RE: www.rulesemporium.com
-Original Message- From: Rick Macdougall [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 07, 2004 8:10 AM To: users@spamassassin.apache.org Subject: Re: www.rulesemporium.com Ricardo Campos Passanezi wrote: On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote: Indeed it is - perhaps somebody accidentally nuked the zone from the nameserver by accident :) Take a look at: http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com It has failed for many parameters... I'll take a look. I'm not in charge of that DNS server or the rulesemporium.com domain but I do have access to that machine. Regards, Rick Our hosting provider has confirmed that a DNS server error caused the problems. The DNS server in question has been beaten into submission with a large hammer, but of course it may take a bit of time for the records to propagate. Sorry about the outage, but the site should be back up soon. -matt
Re: [SPAM-TAG] Further URIDNSBL problems..
# vi /usr/share/spamassassin/25_uribl.cf Is this the right directory, anyone? All the other rules in there are working, including Bayes and pattern matching. Since SURBL is showing up in the debug, it's obviously getting the cue from somewhere.. Do you have non-zero scores set? Indeed. That was my first thought, so I made a local config change to use the one-score variety, just in case something weird was going on. No change. In a fit of aggravation, I downloaded a fresh copy of the SA tar file, unpacked it, and started to install it. I happened to think to run make test, though, and found THIS: t/dnsbl.Bareword found in conditional at t/dnsbl.t line 15. Not found: P_2 = dns:134.88.73.210.dnsbltest.spamassassin.org [127.0.0.4] # Failed test 1 in t/SATest.pm at line 530 Not found: P_7 = dns:134.88.73.210.sb.dnsbltest.spamassassin.org?type=TXT # Failed test 2 in t/SATest.pm at line 530 fail #2 Not found: P_4 = dns:14.35.17.212.dnsbltest.spamassassin.org [127.0.0.1, 127.0.0.1] # Failed test 3 in t/SATest.pm at line 530 fail #3 Not found: P_3 = dns:18.13.119.61.dnsbltest.spamassassin.org [127.0.0.12] # Failed test 4 in t/SATest.pm at line 530 fail #4 Not found: P_5 = dns:226.149.120.193.dnsbltest.spamassassin.org [127.0.0.1] # Failed test 5 in t/SATest.pm at line 530 fail #5 Not found: P_1 = dns:98.3.137.144.dnsbltest.spamassassin.org [127.0.0.2] # Failed test 6 in t/SATest.pm at line 530 fail #6 Not found: P_6 = dns:example.com.dnsbltest.spamassassin.org [127.0.0.2] # Failed test 7 in t/SATest.pm at line 530 fail #7 Not found: P_15 = DNSBL_RHS # Failed test 8 in t/SATest.pm at line 530 fail #8 Not found: P_17 = DNSBL_SB_FLOAT # Failed test 9 in t/SATest.pm at line 530 fail #9 Not found: P_18 = DNSBL_SB_STR # Failed test 10 in t/SATest.pm at line 530 fail #10 Not found: P_16 = DNSBL_SB_TIME # Failed test 11 in t/SATest.pm at line 530 fail #11 Not found: P_10 = DNSBL_TEST_DYNAMIC # Failed test 12 in t/SATest.pm at line 530 fail #12 Not found: P_12 = DNSBL_TEST_RELAY # 
Failed test 13 in t/SATest.pm at line 530 fail #13 Not found: P_11 = DNSBL_TEST_SPAM # Failed test 14 in t/SATest.pm at line 530 fail #14 Not found: P_8 = DNSBL_TEST_TOP # Failed test 15 in t/SATest.pm at line 530 fail #15 Not found: P_9 = DNSBL_TEST_WHITELIST # Failed test 16 in t/SATest.pm at line 530 fail #16 Not found: P_14 = DNSBL_TXT_RE # Failed test 17 in t/SATest.pm at line 530 fail #17 Not found: P_13 = DNSBL_TXT_TOP # Failed test 18 in t/SATest.pm at line 530 fail #18 t/dnsbl.FAILED tests 1-18 Failed 18/22 tests, 18.18% okay Either it's an amazing coincidence, or this has something to do with the reason the DNSBL's aren't working for me. So my next question, knowing next to nothing about perl, is what is this actually showing me? This is a fresh package I got, with no changes what-so-ever. On a whim, I did the same thing with Net::DNS, since there was some question as to what version was involved. It went in fine, but made no difference to these tests. Note that only 18 of the tests failed. P_1, 3, 4, 5 and 6 seemed to work? -- Matthew 'Shandower' Romanek IDS Analyst
Re: [SPAM-TAG] Further URIDNSBL problems..
Note that only 18 of the tests failed. P_1, 3, 4, 5 and 6 seemed to work? Scratch that last comment. They very clearly aren't working, just from that snippet. That's me getting desperate-yet-hopeful. :) -- Matthew 'Shandower' Romanek IDS Analyst
RE: www.rulesemporium.com
Nextek has come under hacker fire recently. I'm sure they would like to take down SARE if they could. They have managed to give us a few minor problems, but nothing major. I'll BCC this to Lord Phil and see what he says. :) --Chris -Original Message- From: Owen McShane [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 07, 2004 9:11 AM To: users@spamassassin.apache.org Subject: Re: www.rulesemporium.com Not too sure why you've cc:ed me in on this mail, as there's no quoted text that I wrote (and I'm on the list, so now have two copies... thanks). It looks like the root name servers are once again giving out the NS records for the domain, but the specified auth servers for it appear to know nothing about it. This is why It has failed for many parameters... Owen On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote: Indeed it is - perhaps somebody accidentally nuked the zone from the nameserver by accident :) Take a look at: http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com It has failed for many parameters... -- Ricardo Campos Passanezi - Network Analyst PGP GPG public key at: http://www.ige.unicamp.br/~riccp Institute of Geosciences - http://www.ige.unicamp.br - UNICAMP -- Via Net.Works UK Ltd Local Touch Global Reach Owen McShane Systems Administrator http://www.vianetworks.co.uk Tel +44 (0)1925 48
Re: portable spamassassin database
On Tue, Dec 07, 2004 at 09:49:03AM +0100, [EMAIL PROTECTED] wrote: I need to know how to synchronize sa-learn entries in different computers so that for every client ( computer ) I use I don't have to remake all the sa-learn job with my e-mails You should look into using BayesSQL for your storage. It allows you to share the bayes data amongst multiple clients without having to do fancy tricks with the database files. If you aren't in a position to use BayesSQL you could also try running sa-learn --backup/--restore and copying the data around that way. Michael
SA statistics - sa-stats.pl ?
Hi, I've found the sa-stats.pl script in the contrib-folder of the distribution - but wonder whether it requires any special settings (if not using default settings) in order for it to work ? Enabling debug-log or something like that ? Regards, Brian
Heads up! SuSE YOU update broke SA 3.01
Just passing this along so you don't have to kill 2 days trying to figure out why SA suddenly stopped doing anything - I foolishly allowed SuSE auto-update (YOU) to update my Spamassassin. It (in theory) installed version 3.01 (which was already installed and working perfectly). Shortly after, I started receiving TONS of spam. SA-Learn wasn't learning, etc. I reinstalled from CPAN - and everything seems to be working again. I don't know what they broke, but they broke it thoroughly. Mike- -- If you can keep your head while those around you are losing theirs... You may have a great career as a network administrator ahead! -- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
Re: Can't configure spamd correctly
Well, some progress 1) The problem with spamd was that, running as vscan it couldn't read /etc/mail/spamassassin. My own dumb fault, corrected this and the log now looks a lot healthier. 2) Amavisd-new seems to call perl-spamassassin directly, and keeps child processes running at the ready. So spamd was never being used, and wouldn't benefit me if it were. Conclusion: Don't use spamd. Thanks for the help Paul Hilton On Mon, 2004-12-06 at 15:04, Theo Van Dinter wrote: On Mon, Dec 06, 2004 at 02:57:02PM -0500, Info wrote: Why is spamd running with a home directory under /tmp ? The debug output you've shown is the initial temp message that gets sent through spamd to prime the pump, so to speak. Dec 6 14:12:13 Pangloss spamd[23172]: debug: ignore: test message to precompile patterns and load modules :)
HELO check suggestion
If the top level domain of the HELO name exists (it has NS records or a SOA record) but the second and third (if present) level domains do not, the check triggers. You have to allow for missing top level domains because of private addresses, and you have to check both the 2LD and 3LD because some CC2LDs are part of their CCTLD zone rather than being delegated. This form of made-up name is a common pattern amongst certain spamware. (It also triggers on loads of viruses.) There are a few false positives from idiots making up domain names for internal use, e.g. in the .int TLD, so I don't think it's usable as a sole reason for rejection. Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ MALIN HEBRIDES: NORTHEAST 4 OR 5 INCREASING 6. RAIN LATER. GOOD BECOMING MODERATE.
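Tony's check has three parts: skip names whose TLD does not exist at all (private addressing), and otherwise trigger only when neither the 2LD nor the 3LD exists, so that names under a ccTLD second level that is not separately delegated (the co.uk case) are still allowed. The function below is an added example of exactly that decision logic, not Tony's implementation; instead of real NS/SOA lookups it consults a constructed set of "zones that exist", so the existence test, the private-name exemption and the .int false positive he mentions can all be seen offline. Swapping zone_exists for a real resolver query (NS or SOA on the name) is the only change needed to make it live.

```python
# Constructed zone table: names that would answer NS or SOA queries.
# Note "co.uk" is deliberately absent to model a ccTLD second level that is
# part of its parent zone rather than delegated, while "legit.co.uk" exists.
KNOWN_ZONES = {"com", "uk", "int", "example.com", "legit.co.uk"}


def zone_exists(name, zones=KNOWN_ZONES):
    """Stand-in for 'does this name have NS or SOA records'."""
    return name.lower().rstrip(".") in zones


def helo_looks_made_up(helo, zones=KNOWN_ZONES):
    """True when the HELO name's TLD exists but neither its 2LD nor its 3LD
    does. Returns False (no verdict) for bare hostnames and for names whose
    TLD is unknown, which covers private/internal naming."""
    labels = helo.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False  # no TLD to check
    tld = labels[-1]
    if not zone_exists(tld, zones):
        return False  # missing TLD: allow, could be private addressing
    second = ".".join(labels[-2:])
    if zone_exists(second, zones):
        return False
    if len(labels) >= 3 and zone_exists(".".join(labels[-3:]), zones):
        return False  # 2LD undelegated but 3LD real (co.uk style)
    return True


# Constructed HELO names covering each branch.
SAMPLES = [
    "pc12.qwzxv.com",          # real TLD, invented 2LD and 3LD -> triggers
    "xk3jf.example.com",       # real 2LD -> fine
    "mail.legit.co.uk",        # co.uk not delegated, legit.co.uk real -> fine
    "localhost.localdomain",   # TLD does not exist -> exempt
    "mail.internal.int",       # the internal-use false positive Tony notes
    "mailhost",                # bare hostname -> no verdict
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:24} made-up? {helo_looks_made_up(name)}")
```

As the message says, this is a scoring signal rather than a rejection criterion: the .int sample shows a site that invented an internal domain under a real TLD would be flagged just like spamware.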
config surbl in freebsd?
I don't know if surbl is working on my system? how can I check it? Spam checking is not as good as before. -Andrew
RE: SA vs. postfix main.cf
At one time I tried to do it all in Postfix. Its all-or-nothing binary operation of its Spam rules drove me to find another solution to Spam; SpamAssassin. Now a triggered rule only adds to a Spamminess value, and won't kill the message. I ultimately took almost all the rules out of Postfix because I couldn't keep up with the false positives they created. All the FQDN, MX, and A record checks were removed due to false positives... The check_* restrictions implement white and black listing. smtpd_recipient_restrictions = check_recipient_access hash:$config_directory/smtpd-recipient-checks, permit_mynetworks, reject_invalid_hostname, reject_unauth_destination, check_recipient_access regexp:$config_directory/smtpd-recipient-checks.rx, check_sender_access hash:$config_directory/smtpd-sender-checks, check_sender_access regexp:$config_directory/smtpd-sender-checks.rx, check_client_access hash:$config_directory/smtpd-client-checks, check_helo_access hash:$config_directory/smtpd-helo-checks, reject_unknown_recipient_domain smtpd_data_restrictions = reject_unauth_pipelining Dan -Original Message- From: Menno van Bennekom [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 07, 2004 5:45 AM To: users@spamassassin.apache.org Cc: David Newman Subject: SA vs. postfix main.cf We run postfix 2.1.5_1,1 on FreeBSD 5.2.1, and use some RBL lists: smtpd_recipient_restrictions = ... reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client proxies.relays.monkeys.com, reject_rbl_client relays.ordb.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org We are seeing cases where mail is rejected because of the RBL lists, even when a sender is whitelisted in a recipient's SA user_prefs file. Is there any way to reverse the order of operations so that postfix doesn't check with the RBL list when SA says a sender is OK? You can't reverse the checks, but you can whitelist addresses in Postfix.
I use the check_client_access to allow certain domains/ips to send mail although they appear in RBL's. Just put them in the access-file with 'OK' on the end of the line. You can do the same with check_sender_access. And make sure this check is done before the RBL checks, like: smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, check_client_access hash:/etc/postfix/client_access, check_helo_access hash:/etc/postfix/helo_access, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client dynablock.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org Regards Menno van Bennekom
Re: config surbl in freebsd?
On Tuesday, December 7, 2004, 11:13:05 AM, Andrew Xiang wrote: I don't know if surbl is working on my system? how can I check it? Spam checking is not as good as before. Please see: http://www.surbl.org/faq.html#test-uris Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
can spamd be told what domains are local for spamc -u?
I'm the author of the Qmail content filter Qmail-Scanner, and currently it calls spamc as spamc -u [EMAIL PROTECTED] so as to help out the sites doing per-user SA configs. I've assumed that anyone wanting to do this would be using SQL backends (so requiring them to refer to local accounts as [EMAIL PROTECTED] is fine) - but apparently I presumed too much! Some are just interested in standard old /home/$USER/.spamassassin/ style lookups. Now calling spamc -u [EMAIL PROTECTED] doesn't work for them as there is no local username called [EMAIL PROTECTED]. So I could add yet another feature to Qmail-Scanner where it will strip back to the username - or SpamAssassin could. I don't mind either way - it's just that I wonder if this is also an issue for other SA-integrated MTAs (milter, postfix), so thought I'd post it out for comment? Maybe others can suggest another way of doing it? [Let's not dwell on the fact that spamd may have to run as root for this mode to work...] Thanks -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
GraphDefang for SpamAssassin
I saw GraphDefang mentioned here the other day and thought I'd give it a shot...sorry if this is the wrong place to ask but would anyone have an idea why the PNG images are displaying as broken? The graphdefang.pl is updating perfectly, i.e., w/out errors, but all of the PNG files always output as 0 KB files, e.g.: 0 Dec 7 16:55 daily_all_summary_line.png Check it out here: http://herbie.raeinternet.com:8000/index.php Thanks... Rob Admin for http://www.raeantivirus.com/ http://www.raeinternet.com/
Re: GraphDefang for SpamAssassin
At 05:00 PM 12/7/2004, Rob Kudyba wrote: I saw GraphDefang mentioned here the other day and thought I'd give it a shot...sorry if this is the wrong place to ask but would anyone have an idea why the PNG images are displaying as broken? The graphdefang.pl is updating perfectly, i.e., w/out errors, but all of the PNG files always output as 0 KB files, e.g.: 0 Dec 7 16:55 daily_all_summary_line.png do you have a fully functioning version of libpng installed? If you installed libgd from source, do you have png.h installed in one of your /usr/include directories? (ie: if you used RPMs for libpng did you install libpng-devel too)
Re: GraphDefang for SpamAssassin
Matt Kettler wrote:
> At 05:00 PM 12/7/2004, Rob Kudyba wrote:
>> I saw GraphDefang mentioned here the other day and thought I'd give it a shot... sorry if this is the wrong place to ask, but would anyone have an idea why the PNG images are displaying as broken? The graphdefang.pl is updating perfectly, i.e., without errors, but all of the PNG files always output as 0 KB files, e.g.:
>>
>>   0 Dec 7 16:55 daily_all_summary_line.png
>
> Do you have a fully functioning version of libpng installed?

Actually, it was not installed, as I did not see it in the list of Required Perl Modules (but I just added it per your note):

  File::ReadBackwards
  GD
  GD::Graph
  GD::Text::Align (part of the GDTextUtils package)
  Date::Parse
  Date::Format
  MLDBM
  Storable (might already be installed with your perl)

> If you installed libgd from source, do you have png.h installed in one of your /usr/include directories? (i.e. if you used RPMs for libpng, did you install libpng-devel too?)

I installed from source, and:

  /usr/local/include/png.h
  /usr/local/include/libpng/png.h

I deleted all PNG files (per a suggestion off-list--thanks Paul C.) but still to no avail... Apache's error and access logs do not display anything noteworthy... and once again updating seems to work just fine:

  ./graphdefang.pl
  Processing data file: /var/log/maillog
  Max Unixtime from SummaryDB for herbie: 1102457656
  1 new log lines processed for herbie
  Processing graphs
  hourly_all_summary_line
  daily_all_summary_line
  monthly_all_summary_line
  hourly_non-spam_9recipient_stacked_bar
  daily_non-spam_9recipient_stacked_bar
  monthly_non-spam_9recipient_stacked_bar
  hourly_spam_9recipient_stacked_bar
  daily_spam_9recipient_stacked_bar
  monthly_spam_9recipient_stacked_bar
  hourly_spam_9sender_stacked_bar
  daily_spam_9sender_stacked_bar
  monthly_spam_9sender_stacked_bar
  hourly_non-spam_9sender_stacked_bar
  daily_non-spam_9sender_stacked_bar
  monthly_non-spam_9sender_stacked_bar

But alas:

  ls -l *.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 daily_all_summary_line.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 daily_non-spam_9recipient_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 daily_non-spam_9sender_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 daily_spam_9recipient_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 daily_spam_9sender_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_all_summary_line.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_non-spam_9recipient_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_non-spam_9sender_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_spam_9recipient_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_spam_9sender_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_all_summary_line.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_non-spam_9recipient_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_non-spam_9sender_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_spam_9recipient_stacked_bar.png
  -rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_spam_9sender_stacked_bar.png
Re: GraphDefang for SpamAssassin
At 05:29 PM 12/7/2004, Rob Kudyba wrote:
>> Do you have a fully functioning version of libpng installed?
>
> Actually, it was not installed, as I did not see it in the list of Required Perl Modules (but I just added it per your note):
>
>   File::ReadBackwards
>   GD
>   GD::Graph
>   GD::Text::Align (part of the GDTextUtils package)
>   Date::Parse
>   Date::Format
>   MLDBM
>   Storable (might already be installed with your perl)
>
>> If you installed libgd from source, do you have png.h installed in one of your /usr/include directories? (i.e. if you used RPMs for libpng, did you install libpng-devel too?)
>
> I installed from source, and:
>
>   /usr/local/include/png.h
>   /usr/local/include/libpng/png.h

Hmm.. libpng is in /usr/local... is /usr/local/lib in your /etc/ld.so.conf?
Re: GraphDefang for SpamAssassin
Matt Kettler wrote:
> At 05:29 PM 12/7/2004, Rob Kudyba wrote:
>>> Do you have a fully functioning version of libpng installed?
>>
>> Actually, it was not installed, as I did not see it in the list of Required Perl Modules (but I just added it per your note):
>>
>>   File::ReadBackwards
>>   GD
>>   GD::Graph
>>   GD::Text::Align (part of the GDTextUtils package)
>>   Date::Parse
>>   Date::Format
>>   MLDBM
>>   Storable (might already be installed with your perl)
>>
>>> If you installed libgd from source, do you have png.h installed in one of your /usr/include directories? (i.e. if you used RPMs for libpng, did you install libpng-devel too?)
>>
>> I installed from source, and:
>>
>>   /usr/local/include/png.h
>>   /usr/local/include/libpng/png.h
>
> Hmm.. libpng is in /usr/local... is /usr/local/lib in your /etc/ld.so.conf?

less /etc/ld.so.conf

  /usr/kerberos/lib
  /usr/X11R6/lib
  /usr/local/lib
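The two suspects raised in this thread (a GD built against a libgd without PNG support, and a libpng under /usr/local/lib that the dynamic linker is not searching) can be checked directly rather than by inspecting graph files. The script below is an added example, not part of GraphDefang or GD.pm; it assumes the Perl GD module and ldconfig are present, and takes the ld.so.conf path as a parameter so the directory check can be run against a constructed file. A GD whose libgd lacks PNG support returns no data from $image->png, which is exactly what a 0-byte graph looks like on disk.

```shell
#!/bin/sh
# Added example (not GraphDefang's or GD.pm's code): narrow down why
# graphdefang.pl writes 0-byte PNGs. Paths below are assumptions.

# lib_dir_configured DIR [LD_SO_CONF]
#   Is DIR listed as a whole line in the ld.so.conf file? Takes the file
#   as a parameter so it can be exercised against a test copy.
lib_dir_configured() {
    grep -qx "$1" "${2:-/etc/ld.so.conf}"
}

# libpng_in_cache
#   Does the dynamic linker cache know about any libpng at all?
#   (Adding a directory to ld.so.conf is not enough until ldconfig is re-run.)
libpng_in_cache() {
    ldconfig -p 2>/dev/null | grep -q 'libpng'
}

# gd_png_bytes
#   Ask the Perl GD module for a 10x10 PNG and print how many bytes came
#   back. 0 means GD has no usable PNG support (or GD is not installed).
gd_png_bytes() {
    perl -MGD -e 'my $i = GD::Image->new(10, 10); my $p = $i->png;
                  print length(defined $p ? $p : "")' 2>/dev/null || echo 0
}

main() {
    if lib_dir_configured /usr/local/lib; then
        echo "ok:   /usr/local/lib is in /etc/ld.so.conf (re-run ldconfig after installing libraries)"
    else
        echo "warn: /usr/local/lib is not in /etc/ld.so.conf; a libpng there will not be found at run time"
    fi
    if libpng_in_cache; then
        echo "ok:   libpng is in the ldconfig cache"
    else
        echo "warn: libpng is not in the ldconfig cache"
    fi
    n=$(gd_png_bytes)
    if [ "$n" -gt 0 ]; then
        echo "ok:   GD produced a $n-byte PNG, so the 0-byte files are not a GD/libpng problem"
    else
        echo "fail: GD returned no PNG data; rebuild libgd against libpng (png.h / libpng-devel) and reinstall GD.pm"
    fi
}

# Runs the checks when saved as gdcheck.sh and executed directly.
case ${0##*/} in gdcheck.sh) main ;; esac
```

Run it as the same user that runs graphdefang.pl (root, judging by the file listing), since a GD installed only under another user's PERL5LIB would pass here and still fail for the cron job.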
Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???
On Tue, 7 Dec 2004, Thomas Cameron wrote:
> Hrm - that makes a lot of sense. I am using spamass-milter (the latest from CVS as of about a week ago). I actually have the following at the bottom of my sendmail.mc:
>
> INPUT_MAIL_FILTER (`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m')dnl
> INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
> define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
> INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')dnl
> define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
> define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
> define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl
>
> I just realized I have two confMILTER_MACROS_CONNECT definitions. I don't think that that would cause this, but I need to address this tomorrow after I've slept some. :-)
>
> Thomas

Sorry, but that second confMILTER_MACROS_CONNECT -IS- what is causing you all your grief. In the m4 macro processing, last man wins, so that second confMILTER_MACROS_CONNECT def is preventing sendmail from passing the _ macro to your milter, which causes it to not feed SA a valid 'Received:' header.

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{