Howto configure PROCMAIL to send **SPAM** to other folder

2004-12-07 Thread Martin Garcia
Hi Guys:

I'm new with SpamAssassin; currently I'm using SpamAssassin 3.01 over SUSE 8.2.
I want to divert all ***SPAM*** tagged messages to a mail-trash or mail-spam
file.
How can I do it?

I'm using this conf in my PROCMAILRC, but I'm not sure I understand it
at all.
---
DROPPRIVS=yes
:0fw: spamassassin.lock
* < 256000
| spamassassin
* ^X-Spam-Level: \*\*\*\*\*\*\*
#located in /home/mail/
mail-trash 
* ^X-Spam-Status: Yes
mail-trash
--

If anyone can help me I will be glad.

Atentamente / Sincerely

MARTIN GARCIA



Bayes lock failed

2004-12-07 Thread Tim A
I've read a number of people having problems with an error similar to what I'm 
getting with SA v3.0.1:

Cannot open bayes databases /root/.spamassassin/bayes_* R/W: lock failed: File 
exists

This only happens occasionally and not every time under the exact same
invocation of SA. So obviously it doesn't have to do
with permissions on the file or directory as there is nothing else running that
would be messing with those files. Don't have
spamd/spamc running and am not doing any sa-learn commands at the same time.

Anyone have any ideas??



Re: Howto configure PROCMAIL to send **SPAM** to other folder

2004-12-07 Thread jdow
- Original Message - 
From: Martin Garcia [EMAIL PROTECTED]

See amendments inline below.

> Hi Guys:
>
> I'm new with SpamAssassin; currently I'm using SpamAssassin 3.01 over SUSE 8.2.
> I want to divert all ***SPAM*** tagged messages to a mail-trash or mail-spam
> file.
> How can I do it?
>
> I'm using this conf in my PROCMAILRC, but I'm not sure I understand it
> at all.
> ---
> DROPPRIVS=yes
> :0fw: spamassassin.lock
> * < 256000
> | spamassassin

:0:
> * ^X-Spam-Level: \*\*\*\*\*\*\*
> #located in /home/mail/
> mail-trash

:0:
> * ^X-Spam-Status: Yes
> mail-trash

The :0: lines should help make it work.

{^_^}   Joanne




Move Bayes To New Server

2004-12-07 Thread Mike Carlson
Can I copy my bayes db to another server that handles a different
domain?

--Mike



Re: Move Bayes To New Server

2004-12-07 Thread Kjetil Kjernsmo
On Tuesday 07 December 2004 02:25, Mike Carlson wrote:
 Can I copy my bayes db to another server that handles a different
 domain?

As in technically possible or would be reasonably effective?

Although I have never done it, I suspect that you could dump the db and 
restore it on a different server quite easily, even if there were 
different db backends on those machines, there's a readme on upgrading 
bayes db that would give useful clues, IIRC. I think sa-learn --backup 
is your friend.

But you need to ask yourself if it is sensible to do so. For it to be 
sensible, the spam and the ham on both domains should be similar. In 
some cases, it is (I trained my first bayes db with massive amounts of 
both ham and spam from my old uni account, it worked great), in some 
cases, it is not. The users and uses of those two domains may be very 
different, and simply the domain name may skew the results. So, I would 
think twice about doing it.

Alternatively, you could train with smaller amounts of ham and spam from 
the other domain just to get it up to speed, but make sure you train it 
with its own spam and ham as fast as you can. Could be a reasonable 
middle ground.

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/


Re: Bayes lock failed

2004-12-07 Thread Matt Kettler
At 08:02 PM 12/6/2004, Tim A wrote:
> I've read a number of people having problems with an error similar to what
> I'm getting with SA v3.0.1:
>
> Cannot open bayes databases /root/.spamassassin/bayes_* R/W: lock failed:
> File exists
>
> This only happens occasionally and not every time under the exact same
> invocation of SA. So obviously it doesn't have to do
> with permissions on the file or directory as there is nothing else running
> that would be messing with those files. Don't have
> spamd/spamc running and am not doing any sa-learn commands at the same time.

Hmm.. well, check for /root/.spamassassin/bayes_lock
If that file's there then some copy of SA is messing with bayes OR a SA
process was killed with an unblockable signal (kill -9, seg fault, etc)
while it was in the middle of updating the bayes db.





RE: Move Bayes To New Server

2004-12-07 Thread Gary W. Smith
We have 6 relays that we did this for quite regularly.  We have switched
over to MySQL though.  Basically we tarballed it up and the other
machines would pick up the tarball, uncompress it and then swap it into
place.  It was only effective to a point but it kept them close to
sync.  We did it four times a day.  We did all of our training on the
one machine that was the master.

YMMV

Gary Smith

 -Original Message-
 From: Mike Carlson [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 06, 2004 5:26 PM
 To: SpamAssassin Users
 Subject: Move Bayes To New Server
 
 Can I copy my bayes db to another server that handles a different
 domain?
 
 --Mike



what kind of error happens to delivery when spamc can't connect to spamd?

2004-12-07 Thread Steve Prior
I'm just switching to using spamd -m10 (and other opts) from spamc from procmail 
from sendmail and am wondering what happens when spamd hits the limit and spamc
can't connect to it.  Does this get all the way back through sendmail so the
sender knows that transmission failed?  I'm wondering if this means that during
times when I'm getting hit by lots of spam traffic that this will work a little
like greylisting where all email will get an error, but probably only legit
email will try again to get through when the storm is over.  Since these storms
typically come when I wouldn't be getting legit email, if this works it would
affect how I tune the -m parameter.

Thanks
Steve


Re[2]: Phishing attempt wasn't blocked by SpamAssassin

2004-12-07 Thread Robert Menschel
Hello Wolfgang,

Monday, December 6, 2004, 7:39:09 AM, you wrote:

LW That's because such a rule won't work.  All manner of real mail ends up
LW sending things that have a real link address different from the one shown 
in
LW the link.  Often it is a very minor difference, like https vs http, but
LW sometimes there are no points of reality at all between them. This shows up
LW a lot in stuff generated from databases.

WH if there is a visible url to a different server than the one in
WH real url, I would not only want to tag that as possible spam, but
WH rather have a nice red 20pt headline added to the mail: WARNING -
WH DO NOT CLICK - THESE LINKS MIGHT BE FORGED

As the current ninja maintaining the SARE URI rules file (though not
the fraud or spoof files), I gladly invite you to develop such a rule.
If you can offer us a rule that does what you want, and in our testing
does not hit excessively on non-spam, we'll gladly include it in our
SARE rules file, and will support your submission of that rule to the
SA developers.

At this point in time, I can't think of a good (efficient) way to do
this that wouldn't also hit huge numbers of non-spam.

Bob Menschel





Re: what kind of error happens to delivery when spamc can't connect to spamd?

2004-12-07 Thread Rick Macdougall

Steve Prior wrote:
I'm just switching to using spamd -m10 (and other opts) from spamc from 
procmail from sendmail and am wondering what happens when spamd hits the 
limit and spamc
can't connect to it.  Does this get all the way back through sendmail so the
sender knows that transmission failed?  I'm wondering if this means that 
during
times when I'm getting hit by lots of spam traffic that this will work a 
little
like greylisting where all email will get an error, but probably only legit
email will try again to get through when the storm is over.  Since these 
storms
typically come when I wouldn't be getting legit email, if this works it 
would
affect how I tune the -m parameter.
Hi,
In our case we are running spamd on a separate machine (FreeBSD) and the 
 perl connector by default will queue up to 128 processes when 
connecting in TCP mode.

Since we run with a max of 120 connections with qmail plus -m 10 for 
spamd, all mail will get scanned via SA.

I'm not sure how the unix sockets work, but tcp sockets will queue a 
backlog.

How this all may work under sendmail I'm not sure since I don't believe 
there is a Max Connections type throttle under sendmail and even if you 
set the tcp queue backlog to some high number like 2048, spamc might 
still timeout.

If spamc does timeout or can't connect, it just lets the message through 
by default.  So with procmail, you might get spam slipping through if 
your spamd server is too busy.

Regards,
Rick


Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin

2004-12-07 Thread Bill Randle
On Mon, 2004-12-06 at 18:29, Robert Menschel wrote:
 Hello Wolfgang,
 
 Monday, December 6, 2004, 7:39:09 AM, you wrote:
 
 LW That's because such a rule won't work.  All manner of real mail ends up
 LW sending things that have a real link address different from the one 
 shown in
 LW the link.  Often it is a very minor difference, like https vs http, but
 LW sometimes there are no points of reality at all between them. This shows 
 up
 LW a lot in stuff generated from databases.
 
 WH if there is a visible url to a different server than the one in
 WH real url, I would not only want to tag that as possible spam, but
 WH rather have a nice red 20pt headline added to the mail: WARNING -
 WH DO NOT CLICK - THESE LINKS MIGHT BE FORGED
 
 As the current ninja maintaining the SARE URI rules file (though not
 the fraud or spoof files), I gladly invite you to develop such a rule.
 If you can offer us a rule that does what you want, and in our testing
 does not hit excessively on non-spam, we'll gladly include it in our
 SARE rules file, and will support your submission of that rule to the
 SA developers.
 
 At this point in time, I can't think of a good (efficient) way to do
 this that wouldn't also hit huge numbers of non-spam.
 
 Bob Menschel

Just a note of information, for those looking to stop phishing attacks:
the open source anti-virus program ClamAV has added signatures for
several phishing emails. When this is used, they will be blocked
before they ever hit SpamAssassin.

Obviously, these are tailored for each specific message, so it's
not a generic solution, but it can help. Currently, there are
signatures for 18 different banking phish and two auction phish.

http://www.clamav.net/

-Bill




Re: what kind of error happens to delivery when spamc can't connect to spamd?

2004-12-07 Thread Rick Macdougall

Rick Macdougall wrote:

Steve Prior wrote:
I'm just switching to using spamd -m10 (and other opts) from spamc 
from procmail from sendmail and am wondering what happens when spamd 
hits the limit and spamc
can't connect to it.  Does this get all the way back through sendmail 
so the
sender knows that transmission failed?  I'm wondering if this means 
that during
times when I'm getting hit by lots of spam traffic that this will work 
a little
like greylisting where all email will get an error, but probably only 
legit
email will try again to get through when the storm is over.  Since 
these storms
typically come when I wouldn't be getting legit email, if this works 
it would
affect how I tune the -m parameter.

Hi,
In our case we are running spamd on a separate machine (FreeBSD) and the 
 perl connector by default will queue up to 128 processes when 
connecting in TCP mode.

Since we run with a max of 120 connections with qmail plus -m 10 for 
spamd, all mail will get scanned via SA.

I'm not sure how the unix sockets work, but tcp sockets will queue a 
backlog.

How this all may work under sendmail I'm not sure since I don't believe 
there is a Max Connections type throttle under sendmail and even if you 
set the tcp queue backlog to some high number like 2048, spamc might 
still timeout.

If spamc does timeout or can't connect, it just lets the message through 
by default.  So with procmail, you might get spam slipping through if 
your spamd server is too busy.

Just an fyi to all this, we have setup a front end qmail/simscan scanner 
machine in front of our sendmail box because we found that sendmail and 
the sendmail milters available did not have the speed to process all of 
our email in a timely fashion.  Qmail with simscan and the qmail-queue 
patch works great.  Well, works better.  The sendmail box does still 
from time to time become overloaded and hit load avgs of 40+ whereas the 
qmail/simscan scanning box never breaks a load avg of 0.4.

Regards,
Rick


RE: Move Bayes To New Server

2004-12-07 Thread Mike Carlson
I was thinking of grabbing the bayes db from work and using it at home
so it isn't mission critical. I don't get the exact same type of spam at
home, but I get a lot of the rolex, drugs, pen1s type spam at both
places.

--Mike 





Re: what kind of error happens to delivery when spamc can't connect to spamd?

2004-12-07 Thread Steve Prior
Rick Macdougall wrote:
> Hi,
> In our case we are running spamd on a separate machine (FreeBSD) and the
> perl connector by default will queue up to 128 processes when
> connecting in TCP mode.
> If spamc does timeout or can't connect, it just lets the message through
> by default.  So with procmail, you might get spam slipping through if
> your spamd server is too busy.

Ok thanks, I got a little turned around when I was reading the docs on the -f 
option for spamc.  I should have read the docs on the -m flag in spamd more
carefully.

> Regards,
> Rick



RE: Move Bayes To New Server

2004-12-07 Thread Gary W. Smith
We use site wide only DB's.  If that's what you use as well, and your
work, then I don't see that much of a problem.

Gary

 



RE: Move Bayes To New Server

2004-12-07 Thread Mike Carlson
Yeah, it's all site wide. The email is relayed back to a backend exchange
server at home and a backend Notes server at work.

--Mike

 




requesting advice: going beyond the basics

2004-12-07 Thread Peter Matulis
Hey.  I have a brand new working installation of 3.0.1 on OpenBSD 3.6.  Can I get some pointers
on what the drill is to improve or customize it?  What's the next step?  I am presently using
just sendmail --> smtp-vilter --> sa.  I haven't touched any configuration files.

Thanks for all suggestions.

Peter



Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin

2004-12-07 Thread Bill Randle
On Mon, 2004-12-06 at 20:00, Kenneth Porter wrote:
 --On Monday, December 06, 2004 6:44 PM -0800 Bill Randle [EMAIL PROTECTED] 
 wrote:
 
  Obviously, these are tailored for each specific message, so it's
  not a generic solution, but it can help. Currently, there are
  signatures for 18 different banking phish and two auction phish.
 
 Additionally, if you run SA and Clam from MIMEDefang, you can use the 
 contributed Graphdefang package to serve graphs of your spam, viruses, and 
 phish from your web server, and can see how many phishing attempts of each 
 type were blocked.
 
 http://mimedefang.org/

Good point! I use amavisd-new with postfix and graphdefang for much
the same thing.

-Bill




Re: Blank Message Rule

2004-12-07 Thread Loren Wilton
Most of the empty spams also lack a To: address, although they may have a From. 
 I've found that checking for missing body, missing subject, and missing To: is 
pretty accurate.

One could probably argue that a missing To: all by itself was reason to toss 
the mail, but I haven't tried a mass-test to see what that would do.

 Loren



ESMTP/SMTP+SpamAssassin

2004-12-07 Thread Cami
Hi All,
I'm running Postfix in conjunction with a Policy Daemon
and I've started noticing that the large majority of
Spam that hits our borders do NOT speak ESMTP.
Has anyone else noticed this? The reason why I'm asking
here is because using the Policy Daemon, I'm able to
inject an X-Header field which states whether the remote/
connecting host talks ESMTP or straight SMTP and can
then of course get SpamAssassin to score highly on this.
Can anyone either confirm or deny this? (perhaps
looking/digging through their spam/ham corpus?)
Regards,
Cami


Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???

2004-12-07 Thread David B Funk
On Tue, 7 Dec 2004, Thomas Cameron wrote:

> I do not understand why this is tagged ALL_TRUSTED!
>
> Here is my local.cf:
> ###
[snip..]
>
> clear_trusted_networks
> trusted_networks 24.173.79.19/32
> ###
>
> As you can see, the only trusted network I have is my mail server!  Why is
> ALL_TRUSTED hitting?  I am about to set ALL_TRUSTED to a score of 0!
>
> Thomas

Silly question; precisely how do you have SA integrated into your
mail system?

I noticed that you are using sendmail  clamav-milter, are you also
using a milter to connect spamd into your mail system?
If so, precisely which milter?

This is important, as not all sendmail spam-milters are created equal. ;)
Here is the issue specific to your situation.

The milter gets the message from sendmail raw, IE before sendmail
does any of its usual processing of the message SUCH AS ADDING
Received headers.

So the milter does NOT see that particular header:

 Received: from CM02.outbound.mail (mailer4.monteraymedia.com [66.63.189.28]
(may be forged)) by mail.camerontech.com (8.13.1/8.13.1) with ESMTP id
iB75ihQg015990 for [EMAIL PROTECTED]; Mon, 6 Dec 2004
23:44:44 -0600

which is critical to SA's ability to determine local vs non-trusted
hosts.

Well crafted milters will understand that and internally synthesize
a 'Received:' header to mimic the one that your sendmail will add.
Without that (or if it isn't done well) then SA will never be able to
properly do the trust determination.

Dave

-- 
Dave Funk                          University of Iowa
dbfunk (at) engineering.uiowa.edu  College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
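
The effect Dave describes, as an added example that is not part of the original thread and is not SpamAssassin's or any milter's own code: a simplified Python model of the trust walk over Received headers, using the trusted_networks value and relay address quoted above. The bracketed-IP parsing, the rule that ALL_TRUSTED fires when no untrusted relay is found, the synthesize_received helper and all sample messages are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# trusted_networks value from the local.cf quoted in the thread.
TRUSTED_NETWORKS = [ipaddress.ip_network("24.173.79.19/32")]

# Assumption: the relay address is the first bracketed IPv4 in a Received header.
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(raw_message):
    """Return relay addresses from Received headers, newest (topmost) first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = RELAY_IP.search(header)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # e.g. [999.1.1.1]: not an address, skip the header
    return ips


def split_trust(ips, trusted=TRUSTED_NETWORKS):
    """Walk relays newest-first; after the first untrusted relay, every
    older header was written by an outside host and cannot be believed."""
    trusted_relays, untrusted_relays = [], []
    boundary_crossed = False
    for ip in ips:
        if not boundary_crossed and any(ip in net for net in trusted):
            trusted_relays.append(ip)
        else:
            boundary_crossed = True
            untrusted_relays.append(ip)
    return trusted_relays, untrusted_relays


def all_trusted(raw_message):
    """Simplified model: the rule fires when no untrusted relay was found,
    which includes the case where no relay was found at all."""
    _, untrusted = split_trust(relay_ips(raw_message))
    return not untrusted


def synthesize_received(client_name, client_ip, local_name):
    """Hypothetical helper: the header a milter would prepend from the SMTP
    connection data, standing in for the one the MTA adds later."""
    return (f"Received: from {client_name} ([{client_ip}]) "
            f"by {local_name} with ESMTP\n")


# Constructed sample: what the milter hands over before the MTA has added
# its own Received header.
AS_MILTER_SEES_IT = (
    "From: sender@mailer.example\n"
    "To: user@camerontech.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Same message with the connecting relay restored from connection data.
WITH_SYNTHESIZED_HEADER = synthesize_received(
    "mailer4.monteraymedia.com", "66.63.189.28", "mail.camerontech.com"
) + AS_MILTER_SEES_IT

# Constructed chain: trusted relay, outside relay, then an older header
# that merely claims the trusted address (written by the outside host).
FORGED_CHAIN = (
    "Received: from inside ([24.173.79.19]) by mail.camerontech.com\n"
    "Received: from outside ([66.63.189.28]) by inside\n"
    "Received: from claimed ([24.173.79.19]) by outside\n"
) + AS_MILTER_SEES_IT


if __name__ == "__main__":
    for name, raw in [("raw from milter", AS_MILTER_SEES_IT),
                      ("synthesized header", WITH_SYNTHESIZED_HEADER),
                      ("forged chain", FORGED_CHAIN)]:
        trusted, untrusted = split_trust(relay_ips(raw))
        print(f"{name}: trusted={[str(i) for i in trusted]} "
              f"untrusted={[str(i) for i in untrusted]} "
              f"ALL_TRUSTED={all_trusted(raw)}")
```
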


Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???

2004-12-07 Thread Thomas Cameron
On Tue, 2004-12-07 at 01:22 -0600, David B Funk wrote:
 On Tue, 7 Dec 2004, Thomas Cameron wrote:
 
  I do not understand why this is tagged ALL_TRUSTED!
 
  Here is my local.cf:
  ###
 [snip..]
 
  clear_trusted_networks
  trusted_networks 24.173.79.19/32
  ###
 
  As you can see, the only trusted network I have is my mail server!  Why is 
  ALL_TRUSTED hitting?  I am about to set ALL_TRUSTED to a score of 0!
 
  Thomas
 
 Silly question; precisely how do you have SA integrated into your
 mail system?
 
 I noticed that you are using sendmail  clamav-milter, are you also
 using a milter to connect spamd into your mail system?
 If so, precisely which milter?
 
 This is important, as not all sendmail spam-milters are created equal. ;)
 Here is the issue specific to your situation.
 
 The milter gets the message from sendmail raw, IE before sendmail
 does any of its usual processing of the message SUCH AS ADDING
 Received headers.
 
 So the milter does NOT see that particular header:
 
  Received: from CM02.outbound.mail (mailer4.monteraymedia.com [66.63.189.28]
 (may be forged)) by mail.camerontech.com (8.13.1/8.13.1) with ESMTP id
 iB75ihQg015990 for [EMAIL PROTECTED]; Mon, 6 Dec 2004
 23:44:44 -0600
 
 which is critical to SA's ability to determine local vs non-trusted
 hosts.
 
 Well crafted milters will understand that and internally synthesize
 a 'Received:' header to mimic the one that your sendmail will add.
 Without that (or if it isn't done well) then SA will never be able to
 properly do the trust determination.
 
 Dave
 

Hrm - that makes a lot of sense.  I am using spamass-milter (the latest
from CVS as of about a week ago).

I actually have the following at the bottom of my sendmail.mc:

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m')dnl

INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl

INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl

I just realized I have two confMILTER_MACROS_CONNECT definitions.  I
don't think that that would cause this but I need to address this
tomorrow after I've slept some.  :-)

Thomas



Re: Re[2]: Phishing attempt wasn't blocked by SpamAssassin

2004-12-07 Thread hamann . w
Hello Bob,

thanks for getting back on that.
The problem with these mails - they may not be spam, they may not be fraud either,
but they impose a different kind of threat by lowering recipients' thresholds on security.

I have had that argument "well, I read that mail, and nothing bad happened" from users
and don't want to have it again :)
Maybe I should ask these kind of people to sign a paper that they will never ask me to
disinfect their systems

We have seen
- banks that invite their customers to click somewhere for their account statement
- banks that suggest to go to the security tab in IE and drag the control to a lower setting as
a response to cert warnings
- microsoft generate cert warnings by putting a valid cert onto the wrong server
and now we have legitimate mail with suspicious links
It is all these things together that eventually make people tolerant to phish (well, I got this
irritating broken cert thing every day from my bank as well - how should I know that their
broken cert was different)

I am also not sure whether anti spam is the proper place to deal with these messages - if they
get enough score, recipients will just route them to the trash and later complain about the missing
mail. I could even imagine to quarantine these mails and invite recipients to complain to the senders.
In the case of the bank mentioned above, a "bank smells like phish" article in a local
computer mag caused them to change the system

Wolfgang Hamann

 Hello Wolfgang,
 
 Monday, December 6, 2004, 7:39:09 AM, you wrote:
 
 LW That's because such a rule won't work.  All manner of real mail ends up
 LW sending things that have a real link address different from the one 
 shown in
 LW the link.  Often it is a very minor difference, like https vs http, but
 LW sometimes there are no points of reality at all between them. This 
 shows up
 LW a lot in stuff generated from databases.
 
 WH if there is a visible url to a different server than the one in
 WH real url, I would not only want to tag that as possible spam, but
 WH rather have a nice red 20pt headline added to the mail: WARNING -
 WH DO NOT CLICK - THESE LINKS MIGHT BE FORGED
 
 As the current ninja maintaining the SARE URI rules file (though not
 the fraud or spoof files), I gladly invite you to develop such a rule.
 If you can offer us a rule that does what you want, and in our testing
 does not hit excessively on non-spam, we'll gladly include it in our
 SARE rules file, and will support your submission of that rule to the
 SA developers.
 
 At this point in time, I can't think of a good (efficient) way to do
 this that wouldn't also hit huge numbers of non-spam.
 
 Bob Menschel
 
 
 
 






Re: Phishing attempt wasn't blocked by SpamAssassin

2004-12-07 Thread Jeff Chan
On Monday, December 6, 2004, 4:02:59 AM, Eugene Morozov wrote:
> Hello!
> Our customer received email which contained invitation to confirm
> personal information at the online bank. Link was hidden using following
> trick:
>
> <A href=http://www.designlaboratory.jp/board/hg.html>https://www.ebank.hsbc.com.hk/servlet/onlinehsbc.jsp</A>
>
> It was a big surprise for me that there're no rules in the stock SA
> 3.0.1 installation to catch such forged links. I was also unable to
> find such a rule on Rules Emporium.
> Eugene

In addition to the other suggestions, I'd recommend reporting the
phish to:

  [EMAIL PROTECTED]
  [EMAIL PROTECTED]
  [EMAIL PROTECTED]

Doing so will help get some of the destination URIs into
ph.surbl.org, though in this particular case I'm not sure
that we should list designlaboratory.jp since this could
be a Joe Job or hijacked message board.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Non-Clickable URI's

2004-12-07 Thread Jeff Chan
On Monday, December 6, 2004, 7:35:30 AM, Chris Santerre wrote:
From: RD [mailto:[EMAIL PROTECTED]

I've seen spams where spammers are using 
CutPaste_this_URL_to_your_browser method reason why spamassassin 
won't trigger SURBL database lookup.

Is there a known workaround to catch this non-clickable URIs 
and trigger 
SURBL lookup?

 This is in the form of www . domain . com
 It was mentioned on the SURBL list, and I wrote a quick and dirty SA rule
 for it. Initial tests were dismal. 

 Found 2 ham:
 http :// www . drugstore . com / ivd0324
 header copied into the body of a forward:
   X-Scanned-By: MIMEDefang 2.28 (www . roaringpenguin . com / mimedefang)

 Also hit 12 spam out of around 70k.

 A little more testing needed. But I think this shows that it isn't worth the
 rule. The links break and require end lusers to not only copy and paste, but
 edit the link to remove the spaces. Clearly more than most users would do. 

Yeah and it could cause them to pause and actually think about
what they're doing, which no spammer would want to happen.  :-)

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



portable spamassassin database

2004-12-07 Thread lonblu
Hi 
I need to know how to synchronize sa-learn entries in different computers so 
that for every client ( computer ) I use I don't have to remake all the 
sa-learn job with my e-mails
Regards
lonblu


www.rulesemporium.com

2004-12-07 Thread Martin Hepworth
Chris
rulesemporium seems to be down (not resolving actually).
Did you forget to re-register the domain
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Re: www.rulesemporium.com

2004-12-07 Thread jdow
Fascinating - whois doesn't even report a vestige of the name.
{^_^}
- Original Message - 
From: Martin Hepworth [EMAIL PROTECTED]


 Chris
 
 rulesemporium seems to be down (not resolving actually).
 
 Did you forget to re-register the domain
 
 --
 Martin Hepworth
 Snr Systems Administrator
 Solid State Logic
 Tel: +44 (0)1865 842300




RE: www.rulesemporium.com

2004-12-07 Thread Martyn Drake
Martin Hepworth wrote on 07 December 2004 10:49:

 Did you forget to re-register the domain

It's registered until October 2005 (according to the WHOIS lookup), so I
would doubt that's the issue <grin>.  The nameservers are not letting up
their secrets - it's returning a big fat nowt when querying them.

Regards,

Martyn



RE: www.rulesemporium.com

2004-12-07 Thread Martyn Drake
jdow wrote on 07 December 2004 10:59:

 Fascinating - whois doesn't even report a vestige of the name.
 {^_^}

[EMAIL PROTECTED] [~]# whois rulesemporium.com 
[Querying whois.internic.net]
[Redirected to whois.enom.com]
[Querying whois.enom.com]
[whois.enom.com]

Registration Service Provided By: NxTek Solutions Inc
Contact: [EMAIL PROTECTED]
Visit: http://www.nxtek.net

Domain name: rulesemporium.com

Administrative Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Billing Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Technical Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Registrant Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Status: Locked

Name Servers:
   ns1.nxtek.net
   ns2.nxtek.net
   
Creation date: 16 Oct 2003 17:25:32
Expiration date: 16 Oct 2005 17:25:32



Re: www.rulesemporium.com

2004-12-07 Thread Owen McShane

[EMAIL PROTECTED] said:
 Fascinating - whois doesn't even report a vestige of the name. {^_^} 

Does for me:

[EMAIL PROTECTED] owen]$ jwhois rulesemporium.com
[Querying whois.internic.net]
[Redirected to whois.enom.com]
[Querying whois.enom.com]
[whois.enom.com]

Registration Service Provided By: NxTek Solutions Inc
Contact: [EMAIL PROTECTED]
Visit: http://www.nxtek.net

Domain name: rulesemporium.com

Administrative Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Billing Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Technical Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Registrant Contact:
   NxTek Solutions Inc
   NxTek Solutions ([EMAIL PROTECTED])
   +1.2606728816
   Fax: +1.2606728816
   577 Geiger Dr
   Roanoke, IN 46783
   US

Status: Locked

Name Servers:
   ns1.nxtek.net
   ns2.nxtek.net
   
Creation date: 16 Oct 2003 17:25:32
Expiration date: 16 Oct 2005 17:25:32



That Status: Locked doesn't look too good.

Neither the root servers or the two referenced in the above lookup know nothing 
about the domain, so it's totally up the creek...

O

--
 Via Net.Works UK Ltd
 Local Touch Global Reach 
 Owen McShane   Systems Administrator
 http://www.vianetworks.co.uk   Tel +44 (0)1925 48



Re: www.rulesemporium.com

2004-12-07 Thread Frank Tore Johansen
Oh it is in whois, paid, all sound and good.  And its nameservers are
even responding.  It's just the root-nameservers that aren't updated
(or has some other problems).

   Domain Name: RULESEMPORIUM.COM
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: DNS1.NAME-SERVICES.COM
   Name Server: DNS2.NAME-SERVICES.COM
   Name Server: DNS3.NAME-SERVICES.COM
   Name Server: DNS4.NAME-SERVICES.COM
   Name Server: DNS5.NAME-SERVICES.COM
   Status: REGISTRAR-LOCK
   Updated Date: 15-oct-2004
   Creation Date: 16-oct-2003
   Expiration Date: 16-oct-2005

$ nslookup www.rulesemporium.com DNS1.NAME-SERVICES.COM
Server: DNS1.NAME-SERVICES.COM
Address: 63.251.163.102#53

Name:   www.rulesemporium.com
Address: 69.56.160.30

-Frank.

On Tue, 7 Dec 2004, jdow wrote:
Fascinating - whois doesn't even report a vestige of the name.
- Original Message -
From: Martin Hepworth [EMAIL PROTECTED]
rulesemporium seems to be down (not resolving actually).
Did you forget to re-register the domain


Re: www.rulesemporium.com

2004-12-07 Thread jdow
Fascinating - I must have hit a hitch in the gitalong somewhere.
That is the first time whois has seriously failed me like that.
{O.O}
- Original Message - 
From: Martyn Drake [EMAIL PROTECTED]


 jdow wrote on 07 December 2004 10:59:
 
  Fascinating - whois doesn't even report a vestige of the name.
  {^_^}
 
 [EMAIL PROTECTED] [~]# whois rulesemporium.com 
 [Querying whois.internic.net]
 [Redirected to whois.enom.com]
 [Querying whois.enom.com]
 [whois.enom.com]
 
 Registration Service Provided By: NxTek Solutions Inc
 Contact: [EMAIL PROTECTED]
 Visit: http://www.nxtek.net
 
 Domain name: rulesemporium.com




RE: www.rulesemporium.com

2004-12-07 Thread Martyn Drake
Owen McShane wrote on 07 December 2004 11:04:

 That Status: Locked doesn't look too good.

I always thought that was the register lock so that nobody can make changes
to the domain name (i.e. change nameservers) until the domain has been
unlocked.  It's an anti-abuse system.  Normally you would have to login to
your domain registrar's control panel, set the domain to unlock, make
whatever changes you need and then lock the domain again. 

 Neither the root servers or the two referenced in the above lookup
 know nothing about the domain, so it's totally up the creek... 

Indeed it is - perhaps somebody accidently nuked the zone from the
nameserver by accident :)

M.



SA vs. postfix main.cf

2004-12-07 Thread Menno van Bennekom
We run postfix 2.1.5_1,1 on FreeBSD 5.2.1, and use some RBL lists:
smtpd_recipient_restrictions =
...
   reject_rbl_client opm.blitzed.org,
   reject_rbl_client list.dsbl.org,
   reject_rbl_client proxies.relays.monkeys.com,
   reject_rbl_client relays.ordb.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client sbl.spamhaus.org
We are seeing cases where mail is rejected because of the RBL lists, even
when a sender is whitelisted in a recipient's SA user_prefs file.
Is there any way to reverse the order of operations so that postfix
doesn't check with the RBL list when SA says a sender is OK?

You can't reverse the checks, but you can whitelist addresses in Postfix.
I use the check_client_access to allow certain domains/ips to send mail
although they appear in RBL's. Just put them in the access-file with 'OK'
on the end of the line. You can do the same with check_sender_access.
And make sure this check is done before the RBL checks, like:
smtpd_recipient_restrictions = reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  permit_mynetworks,
  reject_unauth_destination,
  check_client_access hash:/etc/postfix/client_access,
  check_helo_access hash:/etc/postfix/helo_access,
  check_sender_access hash:/etc/postfix/sender_access,
  reject_rbl_client dynablock.njabl.org,
  reject_rbl_client dul.dnsbl.sorbs.net,
  reject_rbl_client cbl.abuseat.org

Regards
Menno van Bennekom



Re: www.rulesemporium.com

2004-12-07 Thread Ricardo Campos Passanezi
On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote:
 
 Indeed it is - perhaps somebody accidently nuked the zone from the
 nameserver by accident :)

Take a look at:
http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com

It has failed for many parameters...

-- 
Ricardo Campos Passanezi - Network Analyst
PGP  GPG public key at:   http://www.ige.unicamp.br/~riccp
Institute of Geosciences - http://www.ige.unicamp.br - UNICAMP


Re: www.rulesemporium.com

2004-12-07 Thread Rick Macdougall

Ricardo Campos Passanezi wrote:
On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote:
Indeed it is - perhaps somebody accidently nuked the zone from the
nameserver by accident :)

Take a look at:
http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com
It has failed for many parameters...

I'll take a look.  I'm not in charge of that DNS server or the 
rulesemporium.com domain but I do have access to that machine.

Regards,
Rick


Re: www.rulesemporium.com

2004-12-07 Thread Owen McShane
Not too sure why you've cc:ed me in on this mail, as there's no quoted text 
that I wrote (and I'm on the list, so now have two copies... thanks).

It looks like the root name servers are once again giving out the NS records 
for the domain, but the specified auth servers for it appear to know nothing 
about it.

This is why "It has failed for many parameters..."

Owen

 On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote:
  
  Indeed it is - perhaps somebody accidently nuked the zone from the
  nameserver by accident :)
 
 Take a look at:
 http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com
 
 It has failed for many parameters...
 
 -- 
 Ricardo Campos Passanezi - Network Analyst
 PGP  GPG public key at:   http://www.ige.unicamp.br/~riccp
 Institute of Geosciences - http://www.ige.unicamp.br - UNICAMP
 


--
 Via Net.Works UK Ltd
 Local Touch Global Reach 
 Owen McShane   Systems Administrator
 http://www.vianetworks.co.uk   Tel +44 (0)1925 48



Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???

2004-12-07 Thread Michael Weber
Why not make the change to /usr/share/spamassassin/50_scores.cf instead?
 That way when the next version comes out, presumably with the patch,
you don't have to remember to un-do the workaround?

-Michael

 Thomas Cameron [EMAIL PROTECTED] 12/7/2004 1:14:42
AM 
On Mon, 2004-12-06 at 22:52 -0800, Loren Wilton wrote:
 Received: from CM02.outbound.mail (mailer4.monteraymedia.com
[66.63.189.28]
   (may be forged)) by mail.camerontech.com (8.13.1/8.13.1) with
ESMTP id
   iB75ihQg015990 for [EMAIL PROTECTED]; Mon, 6 Dec
2004
   23:44:44 -0600
 Received: by CM02.outbound.mail (PowerMTA(TM) v2.0r6) id
h4mn9a050u48; Mon,
   11 Jun 2001 22:47:13 -0700 (envelope-from
[EMAIL PROTECTED])
 
 Remember all trusted really means no untrusted links in the
received headers that we were able to parse.
 
 If SA can't parse a received header line, it simply tosses it and
continues with the next one.  This may not be the best plan, and there
are various bugs open about the exact meaning and handling of
all-trusted.
 
 The second header shown above doesn't have any ip addresses in it, so
it would get tossed (or maybe considered as local, I'm not positive).
 
 That leaves the first header, which at a glance would seem to not
come from your network, so shouldn't be trusted.  I'm guessing that
there is something about the format of this header that SA doesn't much
care for, so it ended up tossing it as unreadable.
 
 That would leave you with no received headers, which would mean that
the mail had been sent locally, so was obviously trusted.  :-(
 
 There was a patch in the works a month or so back to somehow take
account of unparsable headers in determining all-trusted.  I was out of
town for most of November and lost track of the status of that change. 
Assuming that the problem here is the first received header was
unparsable, that patch may help matters if it is approved.
 
 Loren

Then I guess my next option is to set 

score ALL_TRUSTED 0 0 0 0

in /etc/mail/spamassassin/local.cf until this gets resolved?

Thomas





Re: [SPAM-TAG] Further URIDNSBL problems..

2004-12-07 Thread Matthew Romanek
 17 seconds is way too long for name resolution.  Does it take
 that long from the command line (for an uncached query)?

No, it's pretty snappy all around. But with a 15 second timeout,
spamassassin -D showed all timeouts for the DNSBL. The URIBL's
appeared to have successful queries even at that point, but I can't
get them to actually score against anything. I'm not sure what the
difference  between them (at the lookup level) is.

# time dig test.surbl.org.sc.surbl.org a | less

; <<>> DiG 9.2.2-P3 <<>> test.surbl.org.sc.surbl.org a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29925
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 14, ADDITIONAL: 0

;; QUESTION SECTION:
;test.surbl.org.sc.surbl.org.   IN  A

;; ANSWER SECTION:
test.surbl.org.sc.surbl.org. 2023 IN A   127.0.0.2

;; AUTHORITY SECTION:
sc.surbl.org.   823 IN  NS  n.surbl.org.
sc.surbl.org.   823 IN  NS  a.surbl.org.
sc.surbl.org.   823 IN  NS  b.surbl.org.
sc.surbl.org.   823 IN  NS  c.surbl.org.
sc.surbl.org.   823 IN  NS  d.surbl.org.
sc.surbl.org.   823 IN  NS  e.surbl.org.
sc.surbl.org.   823 IN  NS  f.surbl.org.
sc.surbl.org.   823 IN  NS  g.surbl.org.
sc.surbl.org.   823 IN  NS  h.surbl.org.
sc.surbl.org.   823 IN  NS  i.surbl.org.
sc.surbl.org.   823 IN  NS  j.surbl.org.
sc.surbl.org.   823 IN  NS  k.surbl.org.
sc.surbl.org.   823 IN  NS  l.surbl.org.
sc.surbl.org.   823 IN  NS  m.surbl.org.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec  7 06:09:17 2004
;; MSG SIZE  rcvd: 285

real    0m1.030s
user    0m0.010s
sys     0m0.010s

 Are you sure you're using 3.0.1 configs?

Pretty sure:
# spamassassin -V
SpamAssassin version 3.0.1
  running on Perl version 5.8.1

# vi /usr/share/spamassassin/25_uribl.cf
...
uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
body            URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
describe        URIBL_SBL       Contains an URL listed in the SBL blocklist
tflags          URIBL_SBL       net

urirhssub       URIBL_SC_SURBL  multi.surbl.org.        A   2
body            URIBL_SC_SURBL  eval:check_uridnsbl('URIBL_SC_SURBL')
describe        URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
tflags          URIBL_SC_SURBL  net
...

 IIRC one of the recent FreeBSD installations had the 3.0.1
 config file going to the wrong directory for some reason.
 It should be in the recent list archives.

This is on Fedora Core 1, updated via CPAN if I remember right.

I appreciate the help, too. Let me know if there's any other
information I can get for you. Thanks!
-- 
Matthew 'Shandower' Romanek
IDS Analyst


Re: Can't configure spamd correctly

2004-12-07 Thread Info
Theo,

Thanks for the reply, and there may be some truth in that, but I'm not
convinced that it is ever working correctly.

There have been NO spamd debug messages in the log since then, despite
emails being scanned. 

There is never any message saying it actually found the Bayes data. I am
not convinced that spamd has ever found it, or that it is ever actually
being used.

If I telnet to port 783 I do get spamd debug messages.

Paul Hilton


On Mon, 2004-12-06 at 15:04, Theo Van Dinter wrote:
 On Mon, Dec 06, 2004 at 02:57:02PM -0500, Info wrote:
  Why is spamd running with a home directory under /tmp ?
 
 The debug output you've shown is the initial temp message that gets sent
 through spamd to prime the pump, so to speak.
 
  Dec  6 14:12:13 Pangloss spamd[23172]: debug: ignore: test message to
  precompile patterns and load modules
 
 :)



Re: Can't configure spamd correctly

2004-12-07 Thread Jack L. Stone
At 09:51 AM 12.7.2004 -0500, Info wrote:
Theo,

Thanks for the reply, and there may be some truth in that, but I'm not
convinced that it is ever working correctly.

There have been NO spamd debug messages in the log since then, despite
emails being scanned. 

There is never any message saying it actually found the Bayes data. I am
not convinced that spamd has ever found it, or that it is ever actually
being used.

If I telnet to port 783 I do get spamd debug messages.

Paul Hilton



You could isolate the spamd-only messages by adding a syslog switch:

Like so:
/usr/local/bin/spamd --syslog=local1 -u spamd -x -d -r
/var/run/spamd/spamd.pid

HTH.


Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: [SPAM-TAG] Further URIDNSBL problems..

2004-12-07 Thread Jeff Chan
On Tuesday, December 7, 2004, 6:31:41 AM, Matthew Romanek wrote:
 Are you sure you're using 3.0.1 configs?

 Pretty sure:
 # spamassassin -V
 SpamAssassin version 3.0.1
   running on Perl version 5.8.1

 # vi /usr/share/spamassassin/25_uribl.cf

Is this the right directory, anyone?

 uridnsbl        URIBL_SBL       sbl.spamhaus.org.       TXT
 body            URIBL_SBL       eval:check_uridnsbl('URIBL_SBL')
 describe        URIBL_SBL       Contains an URL listed in the SBL blocklist
 tflags          URIBL_SBL       net

 urirhssub       URIBL_SC_SURBL  multi.surbl.org.        A   2
 body            URIBL_SC_SURBL  eval:check_uridnsbl('URIBL_SC_SURBL')
 describe        URIBL_SC_SURBL  Contains an URL listed in the SC SURBL blocklist
 tflags          URIBL_SC_SURBL  net
 ...

Do you have non-zero scores set?

That's about the limit of my debugging knowledge for SA,
so hopefully someone else can help out.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Can't configure spamd correctly

2004-12-07 Thread Info
Jack,

Thanks for the suggestion, I may indeed do that, but at the moment
spamd isn't generating any messages after its startup. (unless I telnet
to it)

I start spamd with a script that came with the rpm package from SuSE in
/etc/init.d, the options are specified in the file /etc/sysconfig/spamd,
and I currently have SPAMD_ARGS=-d -a -L -D -x -u vscan, and
/etc/init.d/spamd does:
startproc -p /var/run/spamd.pid $SPAMD_BIN $SPAMD_ARGS

Paul Hilton

On Tue, 2004-12-07 at 10:01, Jack L. Stone wrote:
 At 09:51 AM 12.7.2004 -0500, Info wrote:
 Theo,
 
 Thanks for the reply, and there may be some truth in that, but I'm not
 convinced that it is ever working correctly.
 
 There have been NO spamd debug messages in the log since then, despite
 emails being scanned. 
 
 There is never any message saying it actually found the Bayes data. I am
 not convinced that spamd has ever found it, or that it is ever actually
 being used.
 
 If I telnet to port 783 I do get spamd debug messages.
 
 Paul Hilton
 
 
 
 You could isolate the spamd-only messages by adding a syslog switch:
 
 Like so:
 /usr/local/bin/spamd --syslog=local1 -u spamd -x -d -r
 /var/run/spamd/spamd.pid
 
 HTH.
 
 
 Happy trails,
 Jack L. Stone
 
 System Admin
 Sage-american



New rules

2004-12-07 Thread Matthew Newton
Hello,

I've recently installed SA 3.0.1, and found some junk was
getting through with scores too low for my liking, especially before the
URLs made it into SURBL. I've put together a few rules to match some
of these that you might find interesting.

They are:

Rolex and Want Watch? messages (there must be loads of rules out there
to do this, I guess, but the default installation doesn't seem to
include any?)

header    UOLCC_ROLEX_SUB1   Subject =~ /\brolex\b/i
describe  UOLCC_ROLEX_SUB1   Subject contains the word 'rolex'
score     UOLCC_ROLEX_SUB1   0.5

header    UOLCC_ROLEX_SUB2   Subject =~ /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe  UOLCC_ROLEX_SUB2   Subject contains a gappy version of 'rolex'
score     UOLCC_ROLEX_SUB2   1.5

body      UOLCC_ROLEX_BODY1  /\brolex\b/i
describe  UOLCC_ROLEX_BODY1  Body contains the word 'rolex'
score     UOLCC_ROLEX_BODY1  0.5

body      UOLCC_ROLEX_BODY2  /\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b/i
describe  UOLCC_ROLEX_BODY2  Body contains a gappy version of 'rolex'
score     UOLCC_ROLEX_BODY2  1.5

rawbody   UOLCC_WATCH_BODY   /^(Do you )?[Ww]ant (a )?(cheap )?([Ww]ristw|W)atch\?\s*$/m
describe  UOLCC_WATCH_BODY   Body asks if you want a watch
score     UOLCC_WATCH_BODY   2

Checking messages with two lines of just b, B, space and 1 in them.
Seems to be some sort of code used in spam, maybe:

full      UOLCC_BBONE        /\n[bB1 ]{8,20}\n[bB1 ]{8,20}\n/s
describe  UOLCC_BBONE        Contains two code lines with b, B and 1
score     UOLCC_BBONE        2

Checking one particular type of spam that has a URL (that follows a
certain pattern, ends .htm), blank line, line of proverb or something,
blank, line of name, blank, exact same URL with l on the end (i.e.
ends .html). I guess the rules should be small, but this one has picked
up loads of spam for me:

full      UOLCC_HTM_HTML_URL /\n(http:\/\/[a-z]+\.[a-z]{3,4}\/[0-9a-f]{5,35}\/[[:alnum:]]{5,20}=?\.htm)\s\n\s*\n[[:alnum:]\?\.',\s:,-]+\n\s*\n[^\s,.]+(\s[^\s,.]+){0,15}\n\s*\n\1l/s
describe  UOLCC_HTM_HTML_URL Matches pattern of spam mail (.htm .html)
score     UOLCC_HTM_HTML_URL 3.5

Finally, a string of words (more than 15 here) that all begin with a
capital letter, and no punctuation (I'm only testing this one at the
moment, hence the low score):

body  UOLCC_CAPWORD_TEST /([A-Z][a-z]{3,}\s{1,2}){15,}/s
describe  UOLCC_CAPWORD_TEST String of words that all begin with caps letter
score UOLCC_CAPWORD_TEST 0.1


Hope these are of use to someone. If anyone can show me that they are
likely to pick up false positives, I'd be most grateful.

Thanks,

-- 
Matthew Newton [EMAIL PROTECTED]

UNIX Systems Administrator, Network Support Section,
Computer Centre, University of Leicester,
Leicester LE1 7RH, United Kingdom
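
Added example (not part of the original post and not SpamAssassin code): a small Python harness that runs five of the rules above over constructed messages, to probe their hits and the false-positive question the post raises. It assumes Python's `re` behaves like Perl's regex engine for these patterns and does not reproduce SpamAssassin's header/body/rawbody/full preprocessing; the `evaluate` helper and every sample message are constructed for illustration.

```python
import re

# Patterns, names and scores are copied from the post; the "where" column is an
# approximation of SpamAssassin's rule types, not its real message rendering.
RULES = [
    ("UOLCC_ROLEX_SUB1", "subject", re.compile(r"\brolex\b", re.I), 0.5),
    ("UOLCC_ROLEX_SUB2", "subject",
     re.compile(r"\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b", re.I), 1.5),
    ("UOLCC_ROLEX_BODY1", "body", re.compile(r"\brolex\b", re.I), 0.5),
    ("UOLCC_ROLEX_BODY2", "body",
     re.compile(r"\br.{1,2}o.{1,2}l.{1,2}e.{1,2}x\b", re.I), 1.5),
    ("UOLCC_WATCH_BODY", "body",
     re.compile(r"^(Do you )?[Ww]ant (a )?(cheap )?([Ww]ristw|W)atch\?\s*$", re.M), 2.0),
    ("UOLCC_BBONE", "full", re.compile(r"\n[bB1 ]{8,20}\n[bB1 ]{8,20}\n", re.S), 2.0),
    ("UOLCC_CAPWORD_TEST", "body",
     re.compile(r"([A-Z][a-z]{3,}\s{1,2}){15,}", re.S), 0.1),
]


def evaluate(subject, body):
    """Return (names of rules that hit, summed score) for one message."""
    texts = {
        "subject": subject,
        "body": body,
        "full": f"Subject: {subject}\n\n{body}",
    }
    hits = [name for name, where, pattern, _ in RULES
            if pattern.search(texts[where])]
    total = round(sum(score for name, _, _, score in RULES if name in hits), 2)
    return hits, total


# Constructed sample messages: (label, subject, body).
SAMPLES = [
    # Obfuscated subject plus the one-line "watch" question.
    ("spam, gappy subject", "R.O.L.E.X for less",
     "Want a cheap Watch?\nOrder today\n"),
    # Plain "Rolex": the gappy rules need at least one character between
    # letters, so only the plain-word rules fire and nothing scores twice.
    ("spam, plain word", "Rolex", "Genuine Rolex watches\n"),
    # Lower-case "watch" is not covered by ([Ww]ristw|W)atch, so this misses.
    ("spam, lower-case watch", "hi", "Do you want a watch?\n"),
    # Two lines made only of b, B, 1 and space.
    ("spam, b/B/1 code lines", "hi", "Hello\nbB1b B11bB\nB1bb1B b1\nbye\n"),
    # Ham: a plain list of surnames trips the capitalised-word rule.
    ("ham, attendee list", "Minutes",
     "Attendees Smith Jones Taylor Brown Williams Wilson Johnson Davies "
     "Robinson Wright Thompson Evans Walker White Roberts Green Hall\n"),
]

if __name__ == "__main__":
    for label, subject, body in SAMPLES:
        hits, total = evaluate(subject, body)
        print(f"{label:26} score={total:<4} hits={', '.join(hits) or '-'}")
```
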


RE: www.rulesemporium.com

2004-12-07 Thread Yackley, Matt
 

 -Original Message-
 From: Rick Macdougall [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, December 07, 2004 8:10 AM
 To: users@spamassassin.apache.org
 Subject: Re: www.rulesemporium.com
 
 
 
 Ricardo Campos Passanezi wrote:
  On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote:
  
 Indeed it is - perhaps somebody accidently nuked the zone from the 
 nameserver by accident :)
  
  
  Take a look at:
  http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com
  
  It has failed for many parameters...
  
 
 I'll take a look.  I'm not in charge of that DNS server or 
 the rulesemporium.com domain but I do have access to that machine.
 
 Regards,
 
 Rick
 

Our hosting provider has confirmed that a DNS server error caused the
problems.  The DNS server in question has been beaten into submission
with a large hammer, but of course it may take a bit of time for the
records to propagate.

Sorry about the outage, but the site should be back up soon.

-matt


Re: [SPAM-TAG] Further URIDNSBL problems..

2004-12-07 Thread Matthew Romanek
  # vi /usr/share/spamassassin/25_uribl.cf
 Is this the right directory, anyone?

All the other rules in there are working, including Bayes and pattern
matching. Since SURBL is showing up in the debug, it's obviously
getting the cue from somewhere..

 Do you have non-zero scores set?

Indeed. That was my first thought, so I made a local config change to
use the one-score variety, just in case something weird was going on.
No change.
 
In a fit of aggravation, I downloaded a fresh copy of the SA tar file,
unpacked it, and started to install it. I happened to think to run
make test, though, and found THIS:

t/dnsbl.Bareword found in conditional at t/dnsbl.t line 15.
Not found: P_2 = 
dns:134.88.73.210.dnsbltest.spamassassin.org [127.0.0.4]
# Failed test 1 in t/SATest.pm at line 530
Not found: P_7 = 
dns:134.88.73.210.sb.dnsbltest.spamassassin.org?type=TXT
# Failed test 2 in t/SATest.pm at line 530 fail #2
Not found: P_4 = 
dns:14.35.17.212.dnsbltest.spamassassin.org [127.0.0.1, 127.0.0.1]
# Failed test 3 in t/SATest.pm at line 530 fail #3
Not found: P_3 = 
dns:18.13.119.61.dnsbltest.spamassassin.org [127.0.0.12]
# Failed test 4 in t/SATest.pm at line 530 fail #4
Not found: P_5 = 
dns:226.149.120.193.dnsbltest.spamassassin.org [127.0.0.1]
# Failed test 5 in t/SATest.pm at line 530 fail #5
Not found: P_1 = 
dns:98.3.137.144.dnsbltest.spamassassin.org [127.0.0.2]
# Failed test 6 in t/SATest.pm at line 530 fail #6
Not found: P_6 =  dns:example.com.dnsbltest.spamassassin.org
[127.0.0.2]
# Failed test 7 in t/SATest.pm at line 530 fail #7
Not found: P_15 =  DNSBL_RHS
# Failed test 8 in t/SATest.pm at line 530 fail #8
Not found: P_17 =  DNSBL_SB_FLOAT
# Failed test 9 in t/SATest.pm at line 530 fail #9
Not found: P_18 =  DNSBL_SB_STR
# Failed test 10 in t/SATest.pm at line 530 fail #10
Not found: P_16 =  DNSBL_SB_TIME
# Failed test 11 in t/SATest.pm at line 530 fail #11
Not found: P_10 =  DNSBL_TEST_DYNAMIC
# Failed test 12 in t/SATest.pm at line 530 fail #12
Not found: P_12 =  DNSBL_TEST_RELAY
# Failed test 13 in t/SATest.pm at line 530 fail #13
Not found: P_11 =  DNSBL_TEST_SPAM
# Failed test 14 in t/SATest.pm at line 530 fail #14
Not found: P_8 =  DNSBL_TEST_TOP
# Failed test 15 in t/SATest.pm at line 530 fail #15
Not found: P_9 =  DNSBL_TEST_WHITELIST
# Failed test 16 in t/SATest.pm at line 530 fail #16
Not found: P_14 =  DNSBL_TXT_RE
# Failed test 17 in t/SATest.pm at line 530 fail #17
Not found: P_13 =  DNSBL_TXT_TOP
# Failed test 18 in t/SATest.pm at line 530 fail #18
t/dnsbl.FAILED tests 1-18
Failed 18/22 tests, 18.18% okay

Either it's an amazing coincidence, or this has something to do with
the reason the DNSBL's aren't working for me. So my next question,
knowing next to nothing about perl, is what is this actually showing
me? This is a fresh package I got, with no changes what-so-ever.

On a whim, I did the same thing with Net::DNS, since there was some
question as to what version was involved. It went in fine, but made no
difference to these tests.

Note that only 18 of the tests failed. P_1, 3, 4, 5 and 6 seemed to work?

-- 
Matthew 'Shandower' Romanek
IDS Analyst


Re: [SPAM-TAG] Further URIDNSBL problems..

2004-12-07 Thread Matthew Romanek
 Note that only 18 of the tests failed. P_1, 3, 4, 5 and 6 seemed to work?

Scratch that last comment. They very clearly aren't working, just from
that snippet. That's me getting desperate-yet-hopeful. :)

-- 
Matthew 'Shandower' Romanek
IDS Analyst


RE: www.rulesemporium.com

2004-12-07 Thread Chris Santerre
Nextek has come under hacker fire recently. I'm sure they would like to take
down SARE if they could. They have managed to give us a few minor problems,
but nothing major. I'll BCC this to Lord Phil and see what he says. :)

--Chris 

-Original Message-
From: Owen McShane [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 07, 2004 9:11 AM
To: users@spamassassin.apache.org
Subject: Re: www.rulesemporium.com 


Not too sure why you've cc:ed me in on this mail, as there's 
no quoted text that I wrote (and I'm on the list, so now have 
two copies... thanks).

It looks like the root name servers are once again giving out 
the NS records for the domain, but the specified auth servers 
for it appear to know nothing about it.

This is why "It has failed for many parameters..."

Owen

 On Tue, Dec 07, 2004 at 11:09:50AM -, Martyn Drake wrote:
  
  Indeed it is - perhaps somebody accidently nuked the zone from the
  nameserver by accident :)
 
 Take a look at:
 http://www.dnsreport.com/tools/dnsreport.ch?domain=rulesemporium.com
 
 It has failed for many parameters...
 
 -- 
 Ricardo Campos Passanezi - Network Analyst
 PGP  GPG public key at:   http://www.ige.unicamp.br/~riccp
 Institute of Geosciences - http://www.ige.unicamp.br - UNICAMP
 


--
 Via Net.Works UK Ltd
 Local Touch Global Reach 
 Owen McShane  Systems Administrator
 http://www.vianetworks.co.uk  Tel +44 (0)1925 48



Re: portable spamassassin database

2004-12-07 Thread Michael Parker
On Tue, Dec 07, 2004 at 09:49:03AM +0100, [EMAIL PROTECTED] wrote:
 I need to know how to syncronize sa-learn entries in different computers so 
 that for every client ( computer ) I use I don't have to remake all the 
 sa-learn job with my e-mails

You should look into using BayesSQL for your storage.  It allows you
to share the bayes data amongst multiple clients without having to do
fancy tricks with the database files.

If you aren't in a position to use BayesSQL you could also try running
sa-learn --backup/--restore and copying the data around that way.

Michael





SA statistics - sa-stats.pl ?

2004-12-07 Thread Brian Ipsen
Hi,

 I've found the sa-stats.pl script in the contrib-folder of the
distribution - but wonder whether it requires any special settings (if not
using default settings) in order for it to work ? Enabling debug-log or
something like that ?

Regards,

Brian


Heads up! SuSE YOU update broke SA 3.01

2004-12-07 Thread Michael W Cocke
Just passing this along so you don't have to kill 2 days trying to
figure out why SA suddenly stopped doing anything - 

I foolishly allowed SuSE auto-update (YOU) to update my Spamassassin.
It (in theory) installed version 3.01 (which was already installed and
working perfectly).  

Shortly after, I started receiving TONS of spam.  SA-Learn wasn't
learning, etc.

I reinstalled from CPAN - and everything seems to be working again.

I don't know what they broke, but they broke it thoroughly.

Mike-

--
If you can keep your head while those around you are losing theirs...
You may have a great career as a network administrator ahead!
--
Please note - Due to the intense volume of spam, we have installed 
site-wide spam filters at catherders.com.  If email from you bounces,
try non-HTML, non-encoded, non-attachments,


Re: Can't configure spamd correctly

2004-12-07 Thread Info
Well, some progress

1) The problem with spamd was that, running as vscan it couldn't read
/etc/mail/spamassassin. My own dumb fault, corrected this and the log
now looks a lot healthier.

2) Amavisd-new seems to call perl-spamassassin directly, and keeps
child processes running at the ready. So spamd was never being used, and
wouldn't benefit me if it were.

Conclusion: Don't use spamd.

Thanks for the help

Paul Hilton

On Mon, 2004-12-06 at 15:04, Theo Van Dinter wrote:
 On Mon, Dec 06, 2004 at 02:57:02PM -0500, Info wrote:
  Why is spamd running with a home directory under /tmp ?
 
 The debug output you've shown is the initial temp message that gets sent
 through spamd to prime the pump, so to speak.
 
  Dec  6 14:12:13 Pangloss spamd[23172]: debug: ignore: test message to
  precompile patterns and load modules
 
 :)



HELO check suggestion

2004-12-07 Thread Tony Finch
If the top level domain of the HELO name exists (it has NS records or a
SOA record) but the second and third (if present) level domains do not,
the check triggers.

You have to allow for missing top level domains because of private
addresses, and you have to check both the 2LD and 3LD because some CC2LDs
are part of their CCTLD zone rather than being delegated.

This form of made-up name is a common pattern amongst certain spamware.
(It also triggers on loads of viruses.)

There are a few false positives from idiots making up domain names for
internal use, e.g. in the .int TLD, so I don't think it's usable as a sole
reason for rejection.

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
MALIN HEBRIDES: NORTHEAST 4 OR 5 INCREASING 6. RAIN LATER. GOOD BECOMING
MODERATE.
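
Added example (not Tony Finch's code and not a SpamAssassin rule): the HELO check described in the post above, written as a Python function. The DNS lookup is injected as a `zone_exists` callable, a hypothetical name meaning "this name has NS records or a SOA record"; the zone table is constructed so the example runs offline, and IP-literal handling is an added assumption.

```python
import ipaddress
from typing import Callable

# Constructed stand-in for DNS: the names that "have NS or SOA records".
# "co.uk" is deliberately absent to model a CC2LD that is served from its
# parent CCTLD zone instead of being delegated (constructed, not real DNS state).
CONSTRUCTED_ZONES = {"com", "uk", "int", "example.com", "example.co.uk"}


def constructed_zone_exists(name: str) -> bool:
    """Hypothetical resolver; a live one would query NS and SOA for `name`."""
    return name in CONSTRUCTED_ZONES


def is_ip_literal(helo: str) -> bool:
    """True for HELO arguments such as [192.0.2.10] or [IPv6:2001:db8::1]."""
    candidate = helo.strip("[]")
    if candidate.lower().startswith("ipv6:"):
        candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def helo_is_made_up(helo: str, zone_exists: Callable[[str], bool]) -> bool:
    """Trigger when the TLD exists but neither the 2LD nor the 3LD does."""
    name = helo.strip().rstrip(".").lower()
    if not name or is_ip_literal(name):
        return False
    labels = name.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return False  # single label or malformed name: nothing to test
    if not zone_exists(labels[-1]):
        return False  # missing TLD is allowed (private naming)
    if zone_exists(".".join(labels[-2:])):
        return False  # the 2LD is a real zone
    if len(labels) >= 3 and zone_exists(".".join(labels[-3:])):
        return False  # the 3LD is a real zone under an undelegated CC2LD
    return True


# Constructed HELO names with the outcome the post's description implies.
SAMPLES = [
    "mail.example.com",     # 2LD exists
    "mx1.qwzrtplk.com",     # made-up 2LD under a real TLD
    "mail.example.co.uk",   # 2LD not delegated, 3LD exists
    "mail.qwzrtplk.co.uk",  # neither 2LD nor 3LD exists
    "server.corp.local",    # private TLD
    "intranet.acme.int",    # made-up internal name under a real TLD
    "[192.0.2.10]",         # address literal
]

if __name__ == "__main__":
    for helo in SAMPLES:
        verdict = helo_is_made_up(helo, constructed_zone_exists)
        print(f"{helo:22} {'TRIGGER' if verdict else 'ok'}")
```

The `intranet.acme.int` sample is the false-positive class the post describes, which is why the result suits a score contribution better than an outright rejection.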


config surbl in freebsd?

2004-12-07 Thread Andrew Xiang
I don't know if surbl is working on my system? how can I check it? 
Spam checking is not as good as before. 

-Andrew



RE: SA vs. postfix main.cf

2004-12-07 Thread Smart,Dan
At one time I tried to do it all in Postfix.  Its all-or-nothing binary
operation of its Spam rules drove me to find another solution to Spam;
SpamAssassin.  Now a triggered rule only adds to a Spamminess value, and
won't kill the message.  I ultimately took almost all the rules out of
Postfix because I couldn't keep up with the false positives they created.

All the FQDN, MX, and A record checks were removed due to false positives...
The check_* restrictions implement white and black listing.

smtpd_recipient_restrictions =
 check_recipient_access hash:$config_directory/smtpd-recipient-checks,
 permit_mynetworks,
 reject_invalid_hostname,
 reject_unauth_destination,
 check_recipient_access regexp:$config_directory/smtpd-recipient-checks.rx,
 check_sender_access hash:$config_directory/smtpd-sender-checks,
 check_sender_access regexp:$config_directory/smtpd-sender-checks.rx,
 check_client_access hash:$config_directory/smtpd-client-checks,
 check_helo_access hash:$config_directory/smtpd-helo-checks,
 reject_unknown_recipient_domain
smtpd_data_restrictions =
 reject_unauth_pipelining

Dan


 

  -Original Message-
  From: Menno van Bennekom [mailto:[EMAIL PROTECTED] 
  Sent: Tuesday, December 07, 2004 5:45 AM
  To: users@spamassassin.apache.org
  Cc: David Newman
  Subject: SA vs. postfix main.cf
  
  We run postfix 2.1.5_1,1 on FreeBSD 5.2.1, and use some RBL lists:
  smtpd_recipient_restrictions =
  ...
 reject_rbl_client opm.blitzed.org,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client proxies.relays.monkeys.com,
 reject_rbl_client relays.ordb.org,
 reject_rbl_client bl.spamcop.net,
 reject_rbl_client sbl.spamhaus.org
  We are seeing cases where mail is rejected because of the 
  RBL lists, 
  even when a sender is whitelisted in a recipient's SA 
  user_prefs file.
  Is there any way to reverse the order of operations so that postfix 
  doesn't check with the RBL list when SA says a sender is OK?
  
  You can't reverse the checks, but you can whitelist 
  addresses in Postfix.
  I use the check_client_access to allow certain domains/ips 
  to send mail although they appear in RBL's. Just put them in 
  the access-file with 'OK'
  on the end of the line. You can do the same with check_sender_access.
  And make sure this check is done before the RBL checks, like:
  smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_non_fqdn_recipient,
permit_mynetworks,
reject_unauth_destination,
check_client_access hash:/etc/postfix/client_access,
check_helo_access hash:/etc/postfix/helo_access,
check_sender_access hash:/etc/postfix/sender_access,
reject_rbl_client dynablock.njabl.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client cbl.abuseat.org
  
  Regards
  Menno van Bennekom
  
  


Re: config surbl in freebsd?

2004-12-07 Thread Jeff Chan
On Tuesday, December 7, 2004, 11:13:05 AM, Andrew Xiang wrote:
 I don't know if surbl is working on my system? How can I check it? 
 Spam checking is not as good as before. 

Please see:

  http://www.surbl.org/faq.html#test-uris

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



can spamd be told what domains are local for spamc -u?

2004-12-07 Thread Jason Haar
I'm the author of the Qmail content filter Qmail-Scanner, and currently 
it calls spamc as spamc -u [EMAIL PROTECTED] so as to help out the sites 
doing per-user SA configs.

I've assumed that anyone wanting to do this would be using SQL backends 
(so requiring them to refer to local accounts as [EMAIL PROTECTED] is 
fine) - but apparently I presumed too much! Some are just interested in 
standard old /home/$USER/.spamassassin/ style lookups. Now calling 
spamc -u [EMAIL PROTECTED] doesn't work for them as there is no local 
username called [EMAIL PROTECTED].

So I could add yet another feature to Qmail-Scanner where it will strip 
back to the username - or SpamAssassin could.

I don't mind either way - it's just that I wonder if this is also an 
issue for other SA-integrated MTAs (milter, postfix), so thought I'd 
post it out for comment? Maybe others can suggest another way of doing 
it? [Let's not dwell on the fact that spamd may have to run as root for 
this mode to work...]

Thanks
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


GraphDefang for SpamAssassin

2004-12-07 Thread Rob Kudyba
I saw GraphDefang mentioned here the other day and thought I'd give it a 
shot...sorry if this is the wrong place to ask but would anyone have an 
idea why the PNG images are displaying as broken? The graphdefang.pl is 
updating perfectly, i.e., w/out errors, but all of the PNG files always 
output as 0 KB files, e.g.:
0 Dec  7 16:55 daily_all_summary_line.png

Check it out here: http://herbie.raeinternet.com:8000/index.php
Thanks...
Rob
Admin for http://www.raeantivirus.com/  http://www.raeinternet.com/


Re: GraphDefang for SpamAssassin

2004-12-07 Thread Matt Kettler
At 05:00 PM 12/7/2004, Rob Kudyba wrote:
I saw GraphDefang mentioned here the other day and thought I'd give it a 
shot...sorry if this is the wrong place to ask but would anyone have an 
idea why the PNG images are displaying as broken? The graphdefang.pl is 
updating perfectly, i.e., w/out errors, but all of the PNG files always 
output as 0 KB files, e.g.:
0 Dec  7 16:55 daily_all_summary_line.png

Do you have a fully functioning version of libpng installed?
If you installed libgd from source, do you have png.h installed in one of 
your /usr/include directories? (ie: if you used RPMs for libpng did you 
install libpng-devel too)



Re: GraphDefang for SpamAssassin

2004-12-07 Thread Rob Kudyba
Matt Kettler wrote:
At 05:00 PM 12/7/2004, Rob Kudyba wrote:
I saw GraphDefang mentioned here the other day and thought I'd give 
it a shot...sorry if this is the wrong place to ask but would anyone 
have an idea why the PNG images are displaying as broken? The 
graphdefang.pl is updating perfectly, i.e., w/out errors, but all of 
the PNG files always output as 0 KB files, e.g.:
0 Dec 7 16:55 daily_all_summary_line.png

do you have a fully functioning version of libpng installed?

Actually, it was not installed as I did not see it in the list of Required 
Perl Modules (but I just added it per your note):

 File::ReadBackwards
 GD
 GD::Graph
 GD::Text::Align (part of the GDTextUtils package)
 Date::Parse;
 Date::Format;
 MLDBM
 Storable (might already be installed with your perl)

If you installed libgd from source, do you have png.h installed in one 
of your /usr/include directories? (ie: if you used RPMs for libpng did 
you install libpng-devel too) 

I installed from source, and:
/usr/local/include/png.h
/usr/local/include/libpng/png.h
I deleted all PNG files (per a suggestion off-list--thanks Paul C.) but 
still to no avail...Apache's error and access logs do not display 
anything noteworthy...and once again updating seems to work just fine:
./graphdefang.pl
Processing data file: /var/log/maillog
Max Unixtime from SummaryDB for herbie: 1102457656
1 new log lines processed for herbie
Processing graphs
hourly_all_summary_line
daily_all_summary_line
monthly_all_summary_line
hourly_non-spam_9recipient_stacked_bar
daily_non-spam_9recipient_stacked_bar
monthly_non-spam_9recipient_stacked_bar
hourly_spam_9recipient_stacked_bar
daily_spam_9recipient_stacked_bar
monthly_spam_9recipient_stacked_bar
hourly_spam_9sender_stacked_bar
daily_spam_9sender_stacked_bar
monthly_spam_9sender_stacked_bar
hourly_non-spam_9sender_stacked_bar
daily_non-spam_9sender_stacked_bar
monthly_non-spam_9sender_stacked_bar

But alas:
ls -l *.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 daily_all_summary_line.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 daily_non-spam_9recipient_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 daily_non-spam_9sender_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 daily_spam_9recipient_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 daily_spam_9sender_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_all_summary_line.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_non-spam_9recipient_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_non-spam_9sender_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_spam_9recipient_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 hourly_spam_9sender_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_all_summary_line.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_non-spam_9recipient_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_non-spam_9sender_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_spam_9recipient_stacked_bar.png
-rw-r--r-- 1 root root 0 Dec 7 17:26 monthly_spam_9sender_stacked_bar.png



Re: GraphDefang for SpamAssassin

2004-12-07 Thread Matt Kettler
At 05:29 PM 12/7/2004, Rob Kudyba wrote:
 do you have a fully functioning version of libpng installed?
Actually, it was not installed as I did not see it in the list of Required Perl 
Modules (but I just added it per your note):

• File::ReadBackwards
• GD
• GD::Graph
• GD::Text::Align (part of the GDTextUtils package)
• Date::Parse;
• Date::Format;
• MLDBM
• Storable (might already be installed with your perl)
 If you installed libgd from source, do you have png.h installed in one 
of your /usr/include directories? (ie: if you used RPMs for libpng did 
you install libpng-devel too)

I installed from source, and:
/usr/local/include/png.h
/usr/local/include/libpng/png.h

Hmm.. libpng is in /usr/local...  is /usr/local/lib in your /etc/ld.so.conf?


Re: GraphDefang for SpamAssassin

2004-12-07 Thread Rob Kudyba
Matt Kettler wrote:
At 05:29 PM 12/7/2004, Rob Kudyba wrote:
 do you have a fully functioning version of libpng installed?
Actually, it was not installed as I did not see it in the list of Required 
Perl Modules (but I just added it per your note):

 File::ReadBackwards
 GD
 GD::Graph
 GD::Text::Align (part of the GDTextUtils package)
 Date::Parse;
 Date::Format;
 MLDBM
 Storable (might already be installed with your perl)
 If you installed libgd from source, do you have png.h installed in 
one of your /usr/include directories? (ie: if you used RPMs for 
libpng did you install libpng-devel too)

I installed from source, and:
/usr/local/include/png.h
/usr/local/include/libpng/png.h

Hmm.. libpng is in /usr/local... is /usr/local/lib in your 
/etc/ld.so.conf?

less /etc/ld.so.conf
/usr/kerberos/lib
/usr/X11R6/lib
/usr/local/lib



Re: ARGH!!! Why the *#%^$* is this tagged ALL_TRUSTED???

2004-12-07 Thread David B Funk
On Tue, 7 Dec 2004, Thomas Cameron wrote:

 Hrm - that makes a lot of sense.  I am using spamass-milter (the latest
 from CVS as of about a week ago).

 I actually have the following at the bottom of my sendmail.mc:

 INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m')dnl

 INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
 define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl

 INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')dnl
 define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
 define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
 define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl

 I just realized I have two confMILTER_MACROS_CONNECT definitions.  I
 don't think that that would cause this but I need to address this
 tomorrow after I've slept some.  :-)

 Thomas

Sorry, but that second confMILTER_MACROS_CONNECT -IS- what is causing
you all your grief.

In the m4 macro processing, last man wins, so that second
confMILTER_MACROS_CONNECT def is preventing sendmail from passing the
_, macro to your milter which causes it to not feed SA a valid
'Received:' header.


-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
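
A lint for the "last definition wins" problem diagnosed in the message above, as an added example that is not code from either poster or from sendmail. The `.mc` fragment is constructed from the two definitions quoted in the thread, and the merged `define()` it suggests is one possible fix, stated here as an assumption.

```python
import re

# Constructed sendmail.mc fragment modelled on the definitions quoted above.
CONSTRUCTED_MC = """\
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
INPUT_MAIL_FILTER(`greylist',`S=local:/var/milter-greylist/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
"""

# define(`NAME', `VALUE') with m4's default backtick/apostrophe quoting.
DEFINE_RE = re.compile(r"define\(\s*`([^']+)'\s*,\s*`([^']*)'\s*\)")


def macro_list(value):
    return [m.strip() for m in value.split(",") if m.strip()]


def find_overridden_defines(mc_text):
    """Map each name defined more than once to (effective, dropped) macro lists."""
    seen = {}
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):   # whole-line m4 comment
            continue
        for name, value in DEFINE_RE.findall(line):
            seen.setdefault(name, []).append(macro_list(value))
    report = {}
    for name, values in seen.items():
        if len(values) > 1:
            effective = values[-1]            # the last definition is the one used
            dropped = []
            for earlier in values[:-1]:
                dropped += [m for m in earlier if m not in effective and m not in dropped]
            report[name] = (effective, dropped)
    return report


def merged_define(name, mc_text):
    """Suggest one define() carrying the union of every macro requested."""
    effective, dropped = find_overridden_defines(mc_text)[name]
    union = dropped + [m for m in effective if m not in dropped]
    return "define(`%s', `%s')dnl" % (name, ", ".join(union))
```

On the constructed input the dropped list includes `_`, the macro the reply identifies as missing from what the milter receives.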