Re: Upgrade my rules to Steroid Strength?

2004-12-12 Thread jdow
From: "Peter Matulis" <[EMAIL PROTECTED]>
> --- Michele <[EMAIL PROTECTED]> wrote:
> >
> > Are you using DCC and Bayes?
>
> I, for one, would like to use Bayes.  The docs say it is enabled by
> default.  How does one begin testing or using this?

You must train first. The Bayes filter is only as good as its training.

Segregate out 200 or more known good messages and 200 or more known bad
messages. (More is better.) Feed the ham messages to "sa-learn --ham"
and the spam messages to "sa-learn --spam". Then, basically, it should
start working. It'll work better the more you feed it. And do NOT mix
up spam and ham in your training. Furthermore if your "mail boxes" are
in single files for multiple messages, "mbox format", you must add the
"--mbox" option to both "sa-learn" invocations above.

{^_^}
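
A preflight check for the training step described in the post above, as an added example that is not part of the original message: it counts the messages in each mbox, enforces the 200-message floor, refuses to continue when a Message-ID appears in both corpora, and returns the two `sa-learn` command lines with `--mbox`. The function names, file paths and sample messages are constructed for illustration.

```python
import mailbox
import os
import tempfile

MIN_MESSAGES = 200  # floor suggested in the post; more is better


def message_ids(mbox_path):
    """Return the Message-ID of every message in an mbox file ('' if missing)."""
    box = mailbox.mbox(mbox_path, create=False)
    try:
        return [(msg.get("Message-ID") or "").strip() for msg in box]
    finally:
        box.close()


def plan_training(ham_path, spam_path, minimum=MIN_MESSAGES):
    """Validate both corpora and return the sa-learn argv lists to run."""
    ham_ids, spam_ids = message_ids(ham_path), message_ids(spam_path)
    problems = []
    for label, ids in (("ham", ham_ids), ("spam", spam_ids)):
        if len(ids) < minimum:
            problems.append(f"{label}: only {len(ids)} messages, need {minimum}")
    # A message present in both corpora means spam and ham got mixed up.
    mixed = sorted((set(ham_ids) & set(spam_ids)) - {""})
    if mixed:
        problems.append(f"in both corpora: {', '.join(mixed)}")
    if problems:
        raise ValueError("; ".join(problems))
    return [["sa-learn", "--ham", "--mbox", ham_path],
            ["sa-learn", "--spam", "--mbox", spam_path]]


def write_sample_mbox(path, prefix, count, extra_ids=()):
    """Write a constructed mbox holding `count` tiny messages (sample data)."""
    ids = [f"<{prefix}-{n}@example.test>" for n in range(count)] + list(extra_ids)
    with open(path, "w", newline="\n") as fh:
        for mid in ids:
            fh.write("From sender@example.test Sun Dec 12 00:00:00 2004\n"
                     f"Message-ID: {mid}\nSubject: sample\n\nbody\n\n")


if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    ham, spam = os.path.join(tmp, "ham.mbox"), os.path.join(tmp, "spam.mbox")
    write_sample_mbox(ham, "ham", 200)
    write_sample_mbox(spam, "spam", 200)
    for argv in plan_training(ham, spam):
        print(" ".join(argv))  # hand each argv to subprocess.run() to train
```
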




Undo what autolearn has done

2004-12-12 Thread Jeff Ramsey
When I first set up version 3.0.X, I turned on auto-learn. It let way too
many messages through. I have turned it off, and I am now using a
slightly modified version of the 'learnspam' script from the wiki.

My problem is that during the auto-learn days some messages got auto
whitelisted, and now I cannot seem to get rid of them. Is there a way
that I can 'unlearn' these messages, or just start SA's learn process
over?

Thanks,

-- 
Jeff Ramsey
MIS Administrator
Tubafor Mill, Inc.



Re: Upgrade my rules to Steroid Strength?

2004-12-12 Thread Peter Matulis
 --- Michele <[EMAIL PROTECTED]> wrote: 
> 
> Are you using DCC and Bayes?

I, for one, would like to use Bayes.  The docs say it is enabled by default.
How does one begin testing or using this?



Re: Upgrade my rules to Steroid Strength?

2004-12-12 Thread Michele
Are you using DCC and Bayes?


Upgrade my rules to Steroid Strength?

2004-12-12 Thread Rob Blomquist
I finally have figured out how to set up fetchmail and maildrop to use SA to 
filter my messages. It only took a bunch of figuring out how email works, 
bouncing several hundred messages, losing contact with several listservers 
(probably due to the bounces) and a whole bunch of frustration with the lack 
of email.  As a desktop hobbyist running Linux, it was a great learning 
opportunity.

But now, I need some better rules. I run RDJ with the MRDJ wrapper, and I have 
been running these based on the time they took to process mail. But that is 
not my concern anymore. I really want to run with near 100% clean. Right now 
I am more like 70% clean.

I rather like the MRDJ way of updating, and I am not up for the custom method 
of writing my own rules, as I want to keep Linux a hobby until I am paid for 
it.

Here are the trusted rulesets I am using:
SARE_OEM
SARE_GENLSUBJ
SARE_GENLSUBJ_ENG
SARE_CODING
SARE_HEADER1
SARE_HEADER2
SARE_BML
SARE_FRAUD
SARE_SPOOF
SARE_UNSUB
SARE_RANDOM
SARE_TOP_200
BOGUSVIRUS
ANTIDRUG
TRIPWIRE
EVILNUMBERS
SARE_SPECIFIC

The spam I am missing can't be attached, as mail.apache.org is seeing this 
message as spam if I add them. But in general, it is some of the male pills, 
some that have bizarre phrases and an HTML image, and some of the standard 
Rolex spams. I hope this message makes it.

Rob


Re: Should tagged spam be fed back to server?

2004-12-12 Thread Clarke Brunt
> When training spamassassin, is it a good idea to feed spam already
> marked as spam back to SpamAssassin?  Will this help it or hinder it or
> do neither?

As ever with SpamAssassin, there are many options, and really only you can
decide how best to use them, after studying the documentation.

If you mean training with the 'sa-learn' command, then it depends on whether
the message has been automatically learned already. Check for autolearn= in
the message headers (if it isn't there, then configure things so that it
is). If the value is already 'spam', then it's been learned already (and will
be ignored if learned again). If the value is 'no' (or worse 'ham') then you
could usefully sa-learn it.

On the other hand, there's reporting with 'spamassassin --report...' (which
learns as for sa-learn, but also reports the spam to wherever. e.g. Razor,
Spamcop, etc.). My thoughts are that if the message was so spammy as to get
a high score, then there's probably little point (I reject these at SMTP
time, so I don't get chance to report them). But if it's only slightly
spammy, or isn't detected at all, then reporting it seems a good idea.

And if you're worried about the message already containing SpamAssassin
markup, then it's supposed to remove it automatically.

Clarke Brunt
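
The autolearn= check described in the reply above, as an added example that is not part of the original message: it reads the `X-Spam-Status` header (unfolding it when the mailer has wrapped it) and returns what to do with a message a person has already judged to be spam. The sample messages, function names and return labels are constructed, and treating every value other than 'spam' and 'ham' the same as 'no' is an assumption.

```python
import email
import re

# Constructed sample messages, each one judged to be spam by a human.
# The X-Spam-Status header in the first is folded, as mailers commonly do.
SAMPLES = {
    "missed": ("Subject: cheap watches\n"
               "X-Spam-Status: No, hits=3.1 required=5.0 tests=HTML_MESSAGE,\n"
               "\tNO_REAL_NAME autolearn=no\n\nbody\n"),
    "caught": ("Subject: cheap pills\n"
               "X-Spam-Status: Yes, hits=18.2 required=5.0 tests=BAYES_99 "
               "autolearn=spam\n\nbody\n"),
    "mislearned": ("Subject: hello\n"
                   "X-Spam-Status: No, hits=-1.2 required=5.0 tests=BAYES_00 "
                   "autolearn=ham\n\nbody\n"),
    "unmarked": "Subject: no SpamAssassin headers here\n\nbody\n",
}


def autolearn_value(raw_message):
    """Return the autolearn= value from X-Spam-Status, or None if absent."""
    status = email.message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None
    unfolded = re.sub(r"\r?\n[ \t]+", " ", status)  # undo header folding
    match = re.search(r"\bautolearn=([A-Za-z]+)", unfolded)
    return match.group(1).lower() if match else None


def advice_for_spam(raw_message):
    """Decide what to do with a message already known to be spam."""
    value = autolearn_value(raw_message)
    if value is None:
        return "configure"   # no autolearn= field to go on; enable it first
    if value == "spam":
        return "skip"        # learned already; learning again is ignored
    if value == "ham":
        return "relearn"     # worst case: learned as ham, feed to sa-learn --spam
    return "learn"           # 'no' (other values assumed equivalent here)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11s} autolearn={autolearn_value(raw)!s:5s} -> "
              f"{advice_for_spam(raw)}")
```
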




Should tagged spam be fed back to server?

2004-12-12 Thread Steve Dondley
When training spamassassin, is it a good idea to feed spam already 
marked as spam back to SpamAssassin?  Will this help it or hinder it or 
do neither?


Re: Could not create INET Socket

2004-12-12 Thread Matt Kettler
At 02:26 PM 12/11/2004 -0800, Rob Blomquist wrote:
> I am trying to get fetchmail, maildrop and spamassassin happily running
> together, and most things are working except between maildrop and SA. I am
> getting this message:
>
> fetchmail: reading message [EMAIL PROTECTED]:1 of 1 (1122 octets)
> #Could not create INET socket on 127.0.0.1:783: Permission denied
> (IO::Socket::INET: Permission denied)
> maildrop: error writing to filter.
>
> the call to SA is xfilter "spamd"

You really should not be calling spamd in your mail chain, as it does not 
accept email as input. You should be calling spamc.

spamd should already have been started and daemonized by root beforehand.


Re: 3.0.1 header rewrite

2004-12-12 Thread Matt Kettler
At 07:40 PM 12/11/2004 -0800, jdow wrote:
> Is it possible to have a version of the _SCORE_ parameter that prints out
> numbers in the old "09.66" style with the leading zero? This is a handy
> feature in a mailer that can sort by email by subject. If the spam is
> all marked "*SPAM* " followed by the four (or 5) digits of
> spam value the sorting is automatic. It makes it easier to scan spams
> with values below about 10 to 15 for the rare ham that makes it through.
> The 3, 4, or more digits approach does not sort by value correctly.

In SA 3.0.x you can. From the Mail::SpamAssassin::Conf manpage:
 _SCORE(PAD)_  message score, if PAD is included and is either spaces or
   zeroes, then pad scores with that many spaces or zeroes
   (default, none)  ie: _SCORE(0)_ makes 2.4 become 02.4,
   _SCORE(00)_ is 002.4.  12.3 would be 12.3 and 012.3
   respectively.





Re: recognizing spam sent by viruses

2004-12-12 Thread hamann . w

>> Also, do these viruses ever use the SMTP server set up on that computer in
>> Outlook (via Windows registry), or do they always use external third-party
>> smtp servers for sending the spam?
>> 
>> (I'm researching this as a prerequisite to trying some additional anti-spam
>> strategies.)
 
>> always <<
I have seen some rubbish in German, a while ago, and seemingly built for the
German infrastructure:
A high percentage of private internet access goes through a provider that does
not authenticate smtp, since they already have authenticated the connection.
The rubbish took advantage of that and was sending via the official mail server.

A lot of other spam I receive is sent straight from the client's ip address to
the target MX, where Outlook would - hopefully - send to the smarthost server first.

Wolfgang





3.0.1 header rewrite

2004-12-12 Thread jdow
Is it possible to have a version of the _SCORE_ parameter that prints out
numbers in the old "09.66" style with the leading zero? This is a handy
feature in a mailer that can sort by email by subject. If the spam is
all marked "*SPAM* " followed by the four (or 5) digits of
spam value the sorting is automatic. It makes it easier to scan spams
with values below about 10 to 15 for the rare ham that makes it through.
The 3, 4, or more digits approach does not sort by value correctly.

{^_^}



recognizing spam sent by viruses

2004-12-12 Thread Rob McEwen






Is there some way of knowing for **sure** whether a spam which does NOT
actually contain a virus was sent by a virus? Is there a corpus of such
examples anywhere?

Also, do these viruses ever use the SMTP server set up on that computer in
Outlook (via Windows registry), or do they always use external third-party
smtp servers for sending the spam?

(I’m researching this as a prerequisite to trying some additional anti-spam
strategies.)

Thanks,
Rob McEwen






Re[2]: Rude spammers

2004-12-12 Thread Robert Menschel
Hello Jeff,

Saturday, December 11, 2004, 12:11:18 AM, you wrote:

JC> On Friday, December 10, 2004, 11:59:35 PM, Robert Menschel wrote:

JC>>> But "Get a capable html e-mailer" could also be generic
JC>>> text for non-MIME or non-HTML capable mail clients to see. ...

>> I know that my company would never think of saying anything like that
>> to any of our customers nor our vendors.

JC> I've seen similar portions of messages with less rude wording
JC> but similar meaning, e.g., "this message can only be properly
JC> viewed with an HTML-capable program" or something similar.

Yes, the measure of rudeness is a major decision factor.

As much as I would rather receive all email in plain text format, with
a link to a web page if graphics or other special effects were
desired, we must be able to receive emails that have embedded HTML,
and even newsletters that come in ONLY HTML, with statements like you
give.

But IMO any HTML-Only email which actively insults the recipient, or
has the audacity to command the recipient to use an HTML-email client,
is doomed here to the bit bucket.

I process dozens of newsletters here, most of which include HTML
formatting.  All but one or two provide reasonable text along with
their HTML. All that use significant HTML suggest (repeat: suggest,
not demand) that their newsletter can be better read using their web
site, with link provided, or with an HTML email client.

The only emails I've ever seen come through that are insulting or
demanding in this way have been spam, scam, and phish.

So again, yes, we cannot block emails on any and all types of messages
which imply that the message is in HTML. However, we can /judiciously/
include rules which test for the more obnoxious such statements, and
score them accordingly.

I expect that in my three domains
> Get a capable html e-mailer
on a line by itself, will score somewhere between 50% and 90% of my
spam threshold.

Bob Menschel



Re: some mails are not tagged

2004-12-12 Thread jdow
From: "jdow" <[EMAIL PROTECTED]>

> From: "Loren Wilton" <[EMAIL PROTECTED]>
>
> > > since the upgrade from spamassassin 2.61 to 3.01. i sometimes experience
> > > a strange problem. the subject of some mails is not rewritten with
> > > *SPAM even if the score is high enough and the report attached
> > > to the headers says its spam:
> > >
> > > X-Spam-Checker-Version: SpamAssassin on ianus
> > > X-Spam-Status: Yes, hits=8.0 required=5.0 tests=BAYES_99,MISSING_HEADERS,
> > > MISSING_SUBJECT,NO_REAL_NAME,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,
> > > SPF_SOFTFAIL autolearn=no
> >
> > This is a FAQ question, or at least should be.
> >
> > MISSING_SUBJECT - the original mail doesn't have a subject.
> >
> > SA *RE*writes headers.  It doesn't *create* headers that weren't there.
> > So since there was no subject, there was no subject to rewrite, so there was
> > no place to put the tag.
> >
> > There is an enhancement open on this, and I had thought that it actually
> > made it in to 3.1.0 or so; but I could well be mistaken about that.
> >
> > Loren
>
> In the mean time a procmail/formail rule should be able to toss in a
> dummy subject. I'll see if I can think of what the procmail search
> string should look like. (I suspect a subject of all blanks, say 20 to
> 40 of them, would still trigger that behavior.)
>
> {^_^}

Actually it is already a ratware rule. (I just cleaned up 99_OBFU_drugs.cf
and ratware.cf. No more lint errors on 3.0.1! If the appropriate SARE
person emails me I'll send 'em in return email.)

{^_^}